A secure network will include a number of different security controls. In this video, you’ll learn about DNSSEC, out-of-band management, QoS, taps, port mirrors, and more.
In the previous video, we describe some of the DNS security mechanisms that we’ve recently created. Because originally DNS was built with no security features in mind. We’ve added security features through the use of DNSSEC that stands for Domain Name System Security Extensions.
And it adds the ability to confirm the responses that we’re getting from a DNS server. So that we know it really came from that server. So we have origin authentication. And we know that the information that we’re receiving is exactly what that server has sent because we have data integrity.
We’re able to do this by adding public key cryptography. We’re digitally signing the information that’s on these DNS servers. And each record has that sign DNS information as part of the DNS server itself. But we can use our DNS servers as additional security tools for our endpoints.
We know that all of our users have to access the DNS to be able to gain the IP address of the device they’d like to communicate with. So one of the things we can do is tell our DNS server if a user ever tries to visit unknown malicious location, don’t give out the actual IP address of that location instead give a different IP address.
We’ve configured for ourselves. We call this a sinkhole address. This means the user will not be redirected to the malicious site instead they’ll be redirected to a different location. And we can then perform logging and reporting on how many people have been accessing our private sinkhole address. By doing that we can immediately identify stations that may have been infected with malware. And we can stop them before they’re able to communicate back to the central server for that malware infestation.
We can monitor this sinkhole address and any time we see an internal device try to access that address we can assume that device may have been infected by some malware. This prevents any additional exploitation of that device. And then we can perform our own internal mitigation of malware on those specific systems.
This also effectively acts as content filtering. If our DNS has a list of unwanted or suspicious sites our users would not be able to visit those locations because our DNS will not provide them with the proper DNS resolution. IT professionals often take advantage of out-of-band management to work around problems that may be occurring on the network.
For example, if you lose the connectivity to a remote site using the normal network connection you would normally not have access to any of those devices. Fortunately switches, routers, firewalls, servers and other devices often have a separate management interface that you can connect to. Sometimes this is a serial port, sometimes it’s USB or it may be an additional ethernet connection on that device.
We would commonly connect a wired modem or perhaps a wireless cellular modem to these serial connections. Which allow us to dial in or connect around our network into the out-of-band management interface on that device.
In larger environments we might have a centralized console router sometimes you’ll hear this referred to as a comm server. Where you’ll connect to the comm server. And the comm server will then gain you access to all of the other devices on that network that are connected through the out-of-band management interfaces.
There are many different kinds of devices that we’re using on our networks these days. We have laptops and desktops our mobile devices and tablets and our voice over IP systems. For all of these there are different applications that are running. Some of these applications are real time applications some of them are streaming audio or video and some of them are web based applications.
Each one of those applications has a different requirement for access. Some of them require faster response times others require larger amounts of bandwidth transferred. For example, if you’re on the phone and having a voice conversation that is a real-time communication that needs to happen in the immediate time frame. If you’re streaming video, there’s usually a buffer involved. So you might have a little more leeway into how much data you’re transferring through the network at any particular time.
And if you’re using things like a database application it may be interactive. Where if you put input into the application you’re expecting a certain output in a very short period of time. Network administrators are often tasked with setting priorities for these different applications. Voice over IP traffic for example, probably needs to be a higher priority than something like streaming video or an interactive database app.
This means that we would need to configure these applications. So that voice over IP would have a priority over web browsing. No matter how much traffic was transferred over a web browsing connection we would still give our voice over IP calls much higher priority on the network. This means that we would prioritize the applications based on response times, bandwidth, traffic rates and other criteria.
We broadly call this prioritization process quality of service or QoS. This describes the process we would go through to prioritize one application over another. The method of implementing QoS can vary widely depending on the type of equipment you’re using and the type of applications you have in place. Your QoS functionality may be in the switches you’re using, it may be associated with routers. Or it may be something that’s in your next generation firewall.
One of the challenges we have with IPv4 is that it was built before there was a huge emphasis in security on the network. Well, that changed with the implementation of IPv6. During the IPv6 process we put a lot of different configuration settings inside the protocol itself that will assist with security on our network. We already know that there are a lot more IPv6 addresses that we can have when compared to IPv4.
So it’s much more difficult to perform a complete port scan or interface scan when we’re working with IPv6 addresses. Many of the security tools that we’re using like port scanners and vulnerability scanners have already been updated to take advantage of IPv6. Because there’s so many IP addresses available with IPv6, we’ve effectively removed the need to perform port address translation or outbound network address translation on our network. Without having that in place, we can simplify the communications process.
Network address translation is it a security feature and in many environments it was simply used to minimize the number of public IP addresses that would be required. Another nice advantage of removing certain protocols from the network means that those protocols can’t be a security risk. For example, with IPv6 we removed the Address Resolution Protocol or ARP. And without any ARP there can’t be any ARP spoofing.
But this doesn’t necessarily mean that IPv6 is any more or less secure than IPv4. It simply changes the security that we’re using on our network. For example, Neighbor Cache Exhaustion can use IPv6 protocols to fill up the neighbor cache. And therefore make a system unable to communicate with other devices on the network.
Network administrators have always taken advantage of taps and port mirrors to be able to properly manage the network. But these are also a security concern, especially if an unauthorized third party happens to add a tap to your network. These physical taps will allow someone to disconnect a link, put the tap in the middle of the link and now they can receive a copy of all of the traffic going over the network.
A port mirror is often a software base tapping mechanism that’s usually built into a switch. You’ll sometimes hear this referred to as port redirection or in the case of a Cisco switch it’s referred to as a SPAN or switched port analyzer. Although there are some limitations in using these port mirrors they do become very useful in places where no other option is available.
Here’s an example of a physical tap that you would plug into the network. This is a DS3 tap. So you can see there are two devices there’s an equipment or DTE side, for data terminal equipment. And a network side or DCE, data communications equipment. On one side is transmit and the other side is receive and it’s reversed in the other direction.
To install the tap we would interrupt this flow and put the tap in the middle of the connection. The same thing for the data that’s coming through the other way. A copy of this information is then sent to other interfaces on this particular tap. And that’s where we would plug-in our monitoring tools to be able to see all of the traffic going between these two devices on the network.
To help provide additional security on the network. You might take advantage of a monitoring service. This is an organization that might constantly monitor the security on your network. They might perform ongoing security checks. So you would always know if all of your systems have been updated to the latest version of patches. And there might be a series of experts at the SOC. Or the security operations center who can constantly monitor the security posture of your network.
These organizations are often performing constant monitoring of the traffic going in and out of your network. And they can identify if there are any increase in threats or anybody who’s trying to attack certain parts of your network. And since they’re constantly watching the network they can react very quickly to any problems that might be occurring.
This is usually a 24 by 7 organization. So they can take care of problems that are occurring during the nighttime hours when you may not necessarily have any staff on site. And if you’re concerned about compliance you can rely on these experts to make sure that you maintain your HIPAA compliance, your PCI DSS compliance and any other compliance requirements.
Another useful security technique is constantly monitoring the files on our system. And if anybody modifies a file that should not be modified you can be informed automatically. This is file integrity monitoring or FIM. This commonly monitors files that would never change things like your operating system files. If something is changing parts of your operating system it’s a good bet that is some type of malicious software.
A type of on demand file integrity monitoring can be done with Windows with the SFC utility. That stands for system file checker, which will go through all of your system files and make sure that none of those files have been modified. A type of real-time file integrity monitoring can be found in Linux with the tripwire application. And there are a number of other host-based IPS solutions that include different levels of file integrity monitoring.