There are many different ways to layer security in the enterprise. In this video, you’ll learn about Active Directory’s Group Policy feature, VPN connectivity, data loss prevention, and more.
<< Previous Video: Physical Security Next: Wireless Security >>
In it security, there are a number of technologies you can use to help keep your data safe. In this video, we’ll look at some of these logical security concepts. If you work in an environment that uses Microsoft Windows, then you’re probably using Microsoft’s Active Directory technology. This provides a centralized database where you can manage all of your systems and all of your users, all from one location.
To use Active Directory, a user has to log into the network. And when they log in, you can have Active Directory run log in scripts for that user. These scripts very commonly might map a network drive for a user, but you can also use these log in scripts to check an antivirus signature and make sure that it’s up to date, or verify that the applications that a person is using are all at the latest version.
Perhaps one of the most important features of Active Directory is the ability to set group policies on individual workstations. This allows you to set policies that would limit what a person is able to do, or require a person to provide a certain level of security access on their system. For example, with Group Policy, you can require that passwords have a certain length and certain complexity associated with them. Or your particular log in may have logged in restrictions, so you can log in between 8:00 in the morning and 8:00 in the evening, but it may not allow you to log in and have access to resources during off hours.
If you were to look at a company’s Active Directory database, you would see that it’s commonly separated into what we call OUs, or organizational units. These organizational units are very commonly associated with the organizational units we use outside of computing. For example, you might have the marketing department or the shipping and receiving department. Or perhaps, in your organization, you have different locations, and within those locations are separate organizational units.
The Active Directory database is very flexible, so it’s very common to take the structures that we use out in the real world and duplicate those in Active Directory. In most organizations, we like for users to be able to store information on centralized servers. This allows us to manage and backup those devices and ensure that none of our data is lost. It’s very common in Active Directory to assign a home directory to a user so that they can store all of their information on that centralized directory.
During log in, for example, you can be assigned a network share on the server1 directory under users/professormesser, so that I can store all of my files in that one place. To ensure that users don’t store information on their local machines, it’s very common to assign group policies that would redirect a folder. So instead of a user storing information on the Documents folder on their local computer, it would redirect that Documents folder to a folder that’s on server1. That way, no matter where the user logs in, they’ll have access to their data on that centralized server.
Our devices are increasingly mobile, and it’s very common for people to have a mobile phone that they’ll use to access resources in the company. The challenge, of course, is making sure that the user has access to that data, but that the company also has a way to protect that data. One way to accomplish this is through the use of mobile device management, or MDM.
A mobile device manager is commonly used if a company is providing a mobile device for the users or if the users are bringing their own mobile devices and using them for work. This is commonly called BYOD, for bring your own device. The mobile device manager is then able to integrate with that mobile device to provide additional security. For example, the security administrator may set a policy that says, while you’re using your phone at work, you’re not able to use the camera. But as soon as that phone leaves the facility, the camera operates normally.
You also have to think about how you’re going to separate data inside of these devices. Some mobile device managers will control the entire mobile device, so both the company’s data and the user’s data are all managed by the MDM. More modern mobile device managers tend to set a different partition for the data so you can maintain your own personal data on the device and have a separate set of security policies for your company data. And you can also use the MDM to make sure that certain access policies are followed. You may want to require that everyone have a lock screen and a set of pass phrases or pins that are used to gain access to the mobile device.
You also have to think how you’re going to secure all of the different switch ports that may be inside of your organization. There’s, of course, switch ports in your conference room. You can connect to switch ports that are at your desk. And of course, there are ports that are open inside of your data center and your wiring closets. You can’t always be in these locations to watch everyone who may be connecting to the network, but you can configure your switch with port security. This would prevent somebody from unplugging an existing device and plugging in their own device to a switch interface. And then you can have the switch either create an alert or completely block that interface so that no data would be transferred.
This monitoring port security is done by looking at the source MAC address that sending information from that interface. If the switch is expecting one particular MAC address and a different MAC address is transmitting, then it knows that it should alert or disable that interface. Most switches allow different configurations for different physical interfaces. There may be some interfaces where there are many MAC addresses communicating and other interfaces that should never change the MAC address, and the network administrator can make the configuration options inside of the switch to provide the proper level of security.
This is a process that’s very often done automatically. The network administrator would configure a maximum number of source MAC addresses on an interface. So that a network administrator may decide that there should only be five different MAC addresses communicating through a particular port, and it’ll configure that interface on the switch. At this point, the switches watching the MAC addresses come through, and every time there is a unique MAC address, it keeps track of how many have come through that particular interface.
As soon as the switch sees the sixth unique source MAC address communicating through that interface, port security would then activate, and the result would be the configuration set by the network administrator. An alert could be sent to the network administrator, the port could be disabled, or both of those things could happen when the port security activates.
Another type of security based on the MAC address, or the media access control address, is MAC level filtering. For example, it’s common to see MAC filtering inside of switches and wireless access points. This allows the network administrator to assign particular MAC addresses that would either be allowed or filtered from the network. This allows the network administrator to keep a list of allowed MAC addresses on this network. And if your particular MAC address is not in the list, then your device doesn’t get any access to the network.
This keeps neighbors out of the network and people who should not be on the network, but it does require additional administration. If there are visitors that need access to the network, than their MAC addresses will also need to be added to the MAC filtering list. Unfortunately, it’s very easy to circumvent this type of filter. You can capture packets on your network to find all of the MAC addresses that may already be communicating, and then most network adapter cards will allow you to configure your own MAC address inside of that network adapter.
This would override the burned in MAC address with a MAC address of your choosing. So you’re effectively spoofing a MAC address that already exists on the network, thereby circumventing the filter. It’s for this reason that we often refer to MAC filtering as security through obscurity. Although it may seem like something that does provide security, if you know the method that you use to provide the security, you can easily circumvent it.
A type of security that is much more difficult to circumvent is one that requires that you have a particular object. So very commonly, laptops and other devices may have a slot in those devices where the user can slide a smart card, and only after providing the smart card, and perhaps some additional authentication, do you gain access to the network. Usually these smart cards have a digital certificate so that you can cryptographically tie the smart card to a particular individual.
This is a type of authentication that’s commonly used with multi-factor authentication. That means you’re not using one single type of authentication. You’ll be using a card, which may be something you have, along with a password or pin number, which is something you would know. Smart cards make it easy for an organization to manage access to the network based on a certificate that’s on that smart card. If you work for the federal government, you may be assigned a smart card that is a PIV card. This is a personal identity verification card. And the Department of Defense in the United States uses a CAC card. This is a common access card.
Some organizations will take the certificate, and instead of putting it on a smart card, they’ll put it on the local storage drive of a laptop or they’ll have it on a USB key, and you would reference that certificate when you log in. This is something that’s commonly done with 802.1x authentication or an authentication method that’s able to look at the certificates that may be stored on that local storage device.
We all know how important it is to make sure that our devices are watching for viruses and malware, so there’s almost always some type of antivirus and anti-malware client that’s running on our local computers. This also means though that we must keep all of these signatures updated all the time. And if you have a large number of devices on your network, then you have to think about the process that’s being used to provide these updates.
You might have all of your devices gather those updates directly across the internet, or you may have a centralized server inside of your organization and all of the updates come from this local device. Your security administrator then has to be able to track all of these systems and know that they have the latest version of antivirus and anti-malware, and that they’re running the latest signatures. For large organizations, there’s usually some type of enterprise management, where these updates can be tracked, updates can be pushed down to a device, and the system administrator can create reports that show how many systems are protected on your network.
Layer on top of that challenge that we’ve become much more mobile, and we have to be sure that laptops and other mobile devices are protected from viruses and malware, as well. Many devices will include their own firewall software. We commonly refer to this as a personal firewall or a host-based firewall. This is a software-based firewall that allows you to make configuration changes to protect the data that’s being stored on that particular device. This is a technology that’s commonly included with most operating systems. So if you’re running Windows, Mac OS, or Linux, then you’re also running a personal firewall.
Since this firewall is running on your operating system, it also knows what applications are running on your operating system, and it can allow or deny access to those applications through your network interface. If you’re running Microsoft Windows, for example, then you’re using Windows Firewall, or what is now called Windows Defender Firewall, and you can allow or blocked traffic by port number or by application.
Most organizations will also have a network-based firewall that’s commonly at the ingress or egress point of the network. This means that all traffic going out to the internet and coming in from the internet will have to traverse this network-based firewall. This allows the security administrator to define what is allowed and not allowed based on port number, or on the most modern firewalls, based on the applications that are flowing across the network.
There are also firewalls like this one that can create a VPN tunnel between firewalls. So you can have a firewall at two locations, create an encrypted tunnel between them, and now anything you send across that network will be protected. Some firewalls can also proxy traffic, so users inside of your network would send a request to the firewall. The firewall would then make that request on your behalf out to the internet, receive the response, make sure the response is valid, and then send the response down to the user.
And because these network based firewalls are positioned at the ingress egress point of the network, usually connected to the internet, they can often be configured as a layer three device. This means that the firewall will usually provide the routing and the network address translation between the inside of your network and the outside.
When you’re logging into a system and providing that authentication, there’s usually a unique identifier assigned to your particular log in. In Windows, this identifier is a SID, or a Security Identifier, but it’s very common for most operating systems to assign some type of identifier to a user account, and that identifier is used for security processes. When user’s logging in, they’re providing some type of credential. This is some type of information that will associate a person with a user account on that system.
This might be a password, a smart card, a personal identification number, or anything that can tie this person to that particular account. Once the user logs in, their account is usually associated with a larger profile. This profile might have their full name, might have their contact information. It may include some groups that they are a member of and anything else that might describe that particular user.
It’s common to see attackers use some type of brute force process to be able to identify a password. They may be trying to interactively log onto a device with a username and a password, or they may have the password file, and offline, they’re trying to run through every possible iteration to determine what your password might be. We generally want passwords to be complex, which means it would be very difficult to guess what that password happens to be. And we also want the passwords to be constantly refreshed. It’s very common to have passwords updated every 15 days, every 30 days, or every 60 days. This would reduce the scope of someone infiltrating your system, if someone’s password happened to get out.
Although we would hope that most people would use a strong password, we know that reports, such as the one from SplashData that’s done every year, shows us what the most popular passwords are. And number one on the list is very commonly 123456. The second most popular password is password. The number third most popular password is 12335, and so on. This is why your system administrator wants a password with some complexity, rather than a password that’s 12345678.
There are a number of challenges associated with passwords, which is why many system administrators include additional factors of authentication. These multi-factor authentications might be something you are– that would be something biometric, such as a fingerprint– it would be something you have– for instance, a smart card or a mobile phone– it might be something you know– like a password– it could be some where you are– where you’re performing some type of GPS check– or it may be something you do, like a signature.
These authentication factors are usually combined together, and you’re using multiples of these factors to be able to authenticate into a system. Some implementations of multi-factor authentication may have a cost associated with them. For example, you may be handing out a physical hardware token, and users are using those tokens as their log in process up something they have.
Some pseudo-random number generators are hardware devices that you would put on a key chain, and those hardware devices are something you have, and those numbers would be used during the log in process. We’re commonly seeing these token generators being created in software. So this is one from my mobile phone that obviously doesn’t have much of a cost associated with it, assuming that I’m already using my mobile phone and have it with me during the authentication process.
Both hardware and software-based token generators rely on these pseudo-random number generators. We call it pseudo-random because it looks like this is a random set of numbers, and it would certainly be difficult for someone to try to guess if they were trying to authenticate into your account. But the reality is that not only does your mobile device know what this number is, but the authentication system on the other end also knows what number this happens to be, which is why we call this pseudo-random.
It’s very common for these numbers to update every 30 seconds, so that it would be difficult to capture this information on your phone and then try to use it at some other time. This token generator is running as software as an app on your mobile phone, and there’s usually no cost associated with that. And because you’re using your phone to provide the software token, you don’t need another piece of hardware that you would carry around and potentially lose.
The files that you would store on your local device and on a file server have particular permissions associated with them. Those permissions would dictate who’s able to view the file, who can modify the file, and who’s able to administer that particular file. If you’re running Windows, you’re probably storing these files in a file system called NTFS. NTFS provides much more flexibility with providing permissions. If you’re accustomed to using the file allocation table as your file system, you’ll find much more flexibility with NTFS. This allows the owner of a file to lock down the access to the file and provide very granular access controls of exactly who would be able to view that file or modify the information that’s in that file.
Another important consideration when working on these systems is who has access to what type of data. It’s very common for user permissions to be limited to only what a user might have, but in some organizations, you may find that some users have more than the necessary number of permissions. In fact, many organizations have a large number of people with administrative rights that probably should not have that level of permissions.
It’s very common for security administrators to run frequent audits so they can make sure that all of the users have the correct permissions. If you’re someone who works remotely or outside of your building, then you’ve probably connected to your network using a VPN or a virtual private network. This allows you to encrypt all of the data that’s going between you and the VPN concentrator that’s on the other end of that connection. This concentrator is usually a hardware device, and it’s designed for encrypting and decrypting information from not only you, but anyone else who needs access from a remote location.
This may be a high-end system that has specialized cryptographic hardware, or it may be a normal server, where all of the encryption and decryption is done in the software of that device. You’ll find that VPN software is built into many operating systems, but it’s also common to use third-party applications to provide access to specialized VPNs. This is a very common configuration for a VPN. You would have your corporate network with all of your corporate resources inside of it. There’s a VPN concentrator that’s connecting to your corporate network, and that VPN concentrator’s connecting to the internet.
You would then have your laptop at a remote location, like a hotel or a coffee shop, and you would start up the VPN software on your laptop. That VPN software would connect to your VPN concentrator. Usually there is an authentication process. And once that encrypted tunnel is built, all of the communication between your laptop and that VPN concentrator will all be encrypted.
Once that information is received by the concentrator, it will decrypt that traffic and provide it to the rest of the corporate network. Once these devices need to send information back to your laptop, the process is reversed. That data’s is sent to the VPN concentrator, the VPN concentrator then encrypts that data, sends it to your laptop, and your local VPN software will then decrypt that data.
Many organizations deal with sensitive information. If it’s an e-commerce site, they may store credit card information. If it’s a hospital, there may be health care information. And of course, a security administrator wants to limit exactly what type of information is transferred across the network. To be able to manage this, they very commonly used a DLP solution. That stands for data loss prevention.
It’s common to use DLP software and hardware to be able to monitor exactly what traffic is being transferred across the network and what type of information may be attached inside of your emails. This can be especially useful if there’s an attacker that’s on the inside of your network and they’re trying to transfer this information to the outside. A DLP solution would be able to protect against this type of data leakage.
As you can imagine, there are many different ways to transfer data, to attach files to emails, and to be able to transfer information from one device to another. Many organizations will look for these data transfers to occur across their firewalls, across dedicated DLP solutions, and across DLP software that may be running on people’s workstations. If you’re controlling what type of traffic is being sent across the network, then you’re probably using an access control list, or an ACL. It’s also common to use ACLs to identify certain types of traffic, so you would know what traffic should I perform a network address translation on, or what traffic should be configured with particular quality of service.
We commonly use ACLs inside of switches and routers, but there are other devices that can use ACLs, as well. And we would usually configure an ACL to look at incoming traffic, outgoing traffic, or both. Common criteria that you would use on an ACL is to identify traffic based on source IP address, destination IP address, whether it’s a TCP or UDP port number, or perhaps you’re looking for a particular kind of protocol, such as ICMP. If your network traffic then matches that criteria within the ACL, you can then determine whether that traffic will be denied or whether the traffic will be permitted.
We continue to use email extensively, and because of that, it’s a very vulnerable security vector. If bad guys want to get inside of your network, they will very commonly used email as a way in. To be able to restrict this type of email communication, you want to involve an email filter. This would be able to identify and stop any email that may be inbound to your users that contain unsolicited messages or things that should not be sent to that end user.
Some organizations will have a centralized mail gateway at their location, although it’s becoming increasingly common to have all of this filtering occur in the cloud. These email filters can block more than just spam. They can look for executables that might have known vulnerabilities inside of them. They may be able to identify when a phishing attempt is taking place. Or anything else that may be unwanted or may have some type of suspicious attachment, all of this can be blocked at the email gateway.
If an attacker manages to get their software installed on your computer, then they effectively have access to your entire system. That’s why it’s so important to know exactly where your software’s coming from before you perform that installation. You want to know exactly the source of the software, and even if you don’t have access to the raw source code, at least you can trust the person who’s providing that software to you.
A trusted source of software maybe your own developers that are inside of your organization, or maybe it’s a well-known publisher, such as Microsoft. You know exactly where that software’s coming from. Very commonly, there might be a digitally signed application, so you know not only did that software come from Microsoft, but it has not been changed since Microsoft packaged that software up for installation.
Untrusted sources are the places you might expect. It would be applications that come from third-party websites, it might be links that you receive in an email, or there may be software that is automatically downloading to your system when you happen to visit a website. That’s a very good sign that you would not want to install that piece of software.
There’s an important concept in IT called least privilege. This means that a user’s account would be limited to exactly what’s needed to perform their particular job function. You would never provide more privileges to a user than they would possibly need. This means that every account should be configured to provide just the right set of privileges to perform their particular functions. Applications will not have additional privileges associated with them, and the users would only be able to do exactly what’s expected for their job.
This is why we don’t assign administrator permissions to every user that’s on the network. If there is some software that happens to run maliciously on that system, they would have administrator access to everything else. By limiting the scope or having least privilege on that system, malware would also be limited to what it would be able to do on that particular system.