Network Defense MindMap (3 of 4) | CISSP Domain 4

hey I'm Rob Witcher from destination certification and I'm here to help you pass the cissp exam we're going to go through a review of the major topics related to network defense in domain 4 to understand how they interrelate and to guide your studies this is the third of four videos for domain 4 I've included links to the other mindmap videos in the description below these mindmap videos are one part of our complete cisp Master [Music] Class it's incredibly rare to come across a system nowadays that isn't connected to a network and to the largest Hive

of villainy and scum in the world the internet there is huge value in interconnecting our servers laptops mobile devices SmartWatches light bulbs coffee machines cars and nuclear reactors there's also huge risk in this mind map we are going to talk through some of the major tools and techniques we can use to protect our networks an important concept we use use throughout security and definitely need to apply to protecting our networks is defense in depth we want multiple layers of controls such that if one control fails our crown jewels our most valuable assets are not exposed

defense in depth means that at each layer of Defense we need a combination of preventive detective and corrective controls at a minimum for example instead of just having a firewall between the super sketchy internet and all our systems including those that are internet facing like our web servers mail servers and FTP servers we could Implement some Network segmentation and move the web mail and FTP servers into a dedicated Network segment a DMZ demilitarized zone and we could further Implement a screened subnet architecture with the addition of a second firewall and we could even make sure

our second firewall is from a completely different firewall vendor and moving beyond preventative controls we could Implement IDs intuition detection systems to provide a detective capability or even an IPS inion prevention system to provide both detective and corrective capabilities there are lots of options for implementing defense in depth and as usual all this cool expensive technology needs to be balanced against the value of the assets you are protecting controls must be coste effective let's get into the details of these controls that I just blitzed through Network segmentation also referred to as partitioning is the idea

that we break our networks up into pieces segments partitions and then we can control the flow of traffic between these segments we can create different segments and apply differing levels of controls to these segments one segment Could Be Our Guest Network that we just allow out to the internet and we have very limited controls in place another segment could contain our backend high value databases and we have extensive controls in place to prevent detect and any unauthorized access to the segment the largest segmentation is going to be between the an organization's internal Network and the

internet you ideally want a clearly defined boundary between your internal Network and the public facing side of your network and then control the flow traffic between these two segments typically with a firewall which we'll get into a moment on my soap box here you should never use the concept of an internal trusted Network you must always assume that the baddies are inside your network there is no trusted Network zero trust DMZ stands for demilitarized zone DMZ are a network segment where we put our Bastion hosts our systems that are intentionally accessible by the public over

the Internet systems like web servers mail servers and FTP servers we fully expect these publicly facing systems will be attacked and if they are compromised and they are within the DMZ then the attacker does not have a foothold within our internal Network we severely restrict any traffic that can come from the DMZ into our internal Network the DMZ Network segment is essentially just connected out to the internet Bastion hosts as I just mentioned are computers servers that are specifically configured to withstand attacks Bastion hosts are typically a public facing server like a web server a

proxy is a server located between two devices a proxy acts as an intermediary such that all traffic between the devices must pass through the proxy this allows the proxy to read filter and control the communications and even hide the devices behind the proxy Nat and hat are examples of proxies nat Network address translation is a method of remapping swapping an IP address to another by modifying the IP header of packets when they pass to a proxy typically remapping from an internal unrootable IP address to a publicly rotable it IP address when a packet passes from

inside the network out onto the internet and the proxy would remap any returning responses changing the destination IP address on returning packets from the IP address of the proxy to some internal systems IP address and Pat port address translation is exactly the same idea except instead of changing IP addresses the port number is remapped okay now on to one of the most fundamental Tools in network security firewalls at the most basic level the job of a firewall is to control the flow of traffic between Network segments for instance controlling what traffic from out on the

sketchy internet is allowed through to the internal Network firewalls have evolved significantly over the years and become a lot smarter about how they inspect traffic and make decisions on what traffic they allow through we'll start with the oldest simplest types of firewalls packet filtering firewalls packet filtering firewalls only inspect packet headers looking at the source and destination IP addresses and ports against a set of rules typically defined find in an ACL Access Control list packet filtering firewalls are not very smart but they are extremely efficient and can make decisions very quickly meaning they have very

low latency they don't slow down the flow of traffic much stateful packet filtering firewalls still only look at a packet's header but they're a little more intelligent at that they maintain a state table a little bit of memory that keeps a history of recent traffic through the firewall here's how the state table can be useful when systems want to establish say a TCP connection they must go through the TCP three-way handshake of sin synac act the stateful packet filtering firewall the stateful packet filtering firewall will record that these two systems have completed the handshake and

established a connection and then if either system wants to send a packet to the other the firewall will likely allow it because the firewall already knows they have established connection but if another system where to send a TCP packet out of the blue the firewall is likely to block it because it has no memory of this system establishing a connection to simplify if a stateful packet filtering firewall sees a packet going out it will allow the reply to come back in because it remembers the outgoing packet in its state table packet filtering and stateful packet

filtering firewalls both operate at layer three the network layer circuit proxy firewalls operated layer five the session layer circuit proxies therefore understand what is happening at the session layer and will allow a circuit a session to be established if it complies with predefined rules and all the way at the top of the OSI model we have what are known as application firewalls which operate at layer 7 the application layer this means that application firewalls can do deep packet inspection they can inspect anything in the packet header and reassemble a series of packets to inspect the

contents of the data that is being sent in the packets for instance application firewalls can scan a file being sent to look for viruses application firewalls are very intelligent and can make very sophisticated decisions however all this intelligence comes at the cost of speed they are the slowest type of firewall and cause the highest latency most modern firewalls offer the capabilities of all of the firewall types we just discussed they can make quick and simple Decisions by just looking at a packet header and if necessary they can apply much more thorough analysis by inspecting the

contents of a packet so you get the benefits of both speed and intelligence where you want it moving on for firewalls we'll now talk about the major networking monitoring tools we use ipss and ids's and we'll start with some simple definitions IDs intrusion detection systems are designed to inspect Network traffic packets to detect potentially suspicious activity and if an IDs detects something suspicious it will raise an alarm I p ps intrusion prevention systems do exactly the same same thing as ids's attempt to detect suspicious activity but then go a very important step further if they

detect something suspicious they can potentially block suspicious traffic hence preventing an attack from occurring ids's can work in combination with say a firewall to block traffic but ipss can detect and block traffic on their own there are two major locations where we can put ids's and ipss host base means the IDs or IPS is installed on a specific host typically a high value server and the IDS or IPS is monitoring just the host is installed on if you want to monitor multiple hosts then you need a host-based IDs or IPS installed on each host a

network-based IDs or IPS is connected to a network segment and monitors all the traffic within that Network segment there are a couple of ways that a network-based IDs or IPS can be connected to a network segment one method is in line which means that all the traffic coming in and out of the network segment must pass through the IDS or IPS ipss are often installed inline and the advantage of inline is that if the IPS detects something some traffic that it doesn't like it can easily block the traffic as all the traffic must passed through

the IPS the major downside of inline is it's another single point of failure the major downside of inline is it is another point of failure if the inline IDs or IPS system goes down or fails secure then all the traffic will be blocked causing the denial of service the other method of connecting an IDs or IPS to a network segment is to connect it to a switch and then configure the specific switch Port that the IDS or IPS is connected to to be a mere span or my favorite name a promiscuous Port by default a

switch will only forward packets to the intended system thus by default the IDS or IPS wouldn't see most of the traffic transiting the switch setting a port to mirror span or promiscuous means that all the packets going through the switch will be copied and sent to the IDS or IPS so that it can monitor everything it is more common to install an IDs in this configuration now let's talk about the two major methods that IDs or IPS systems can use to look for suspicious activity pattern matching means the IDS or IPS has been programmed to

look for a specific pattern for example a specific type of network attack and it will alert or block if that pattern is detected the advantage of pattern matching systems is they can be fast and efficient but the downside is they can only detect what they have been programmed to detect the way a pattern matching IDs or IPS is told to look for a specific pattern is often referred to as a signature analysis you can think of a signature as a unique fingerprint or a specific type of network attack therefore the IDS or IPS system can

have specific patterns or signatures programmed into it to look for the things like bite sequences in network traffic or known malicious instruction sequences anomaly based detection is a different approach that does not rely on signatures it is meant to address the weakness that pattern matching systems can only detect what they've been programmed to detect with anomaly based detection the IDS or IPS system learns what noral looks like it establishes a Baseline and then the system can look for behaviors that fall outside the accepted model of behavior behaviors that are anomalous there are four major ways

anomalies can be detected stateful matching means the IDS or IPS looks for anomalies in the context of a stream of traffic the IDS or IPS maintains a state table and can for instance detect if a system starts sending TCP packets to another system that hasn't established a session with it in statistical anomaly based detection the IDS or IPS Compares traffic to typical known or predicted traffic profiles to look statistically the significant anomalies from the norm protocol anomaly BAS based detection is where anomalies can be detected based on the network protocols being used for instance certain

protocols can be defined as allowed and all others will be an anomally an organization might allow only SFTP secure FTP and if FTP or especially tftp trivial FTP traffic is detected that is an anomaly and finally traffic based anomaly identifies anomalies in expected pattern and behavior of network traffic transmitted within a session IDs and IPS systems can also use white lists or black lists as a means of detecting suspicious traffic by the way a much better name for a white list is an allow list is a list of IP addresses that a system is allowed

to connect to and all other IPS are blocked and a better name for Blacklist is a deny list it is a list of IP address that a system is not allowed to connect to access is denied and all other IPS are allowed an IDs or IPS can be programmed to inspect traffic based on these allow and deny lists the final method that I'll discuss that IPS or ids's can use to detect suspicious traffic is sandboxes sandboxes provide a safe area to run untrusted code and then observe what the code is doing for example attempting to

install some ransomware perh apps an IDs or IPS system could detect that an executable file is being transmitted the IDS or IPS could then take a copy of the executable and run it in a sandbox to see what the code does and if it does something nefarious then the idsr IPS can alert and potentially even block the file from being sent to the intended victim system a really cool way to detect an attacker on a network is to use honeypots or honey Nets a Honeypot is a system that looks as close as possible to a

real system like a file server or a print server or a database or an industrial control system however the Honeypot is not a real system that is meant to be used by employees or clients of the organization rather the Honeypot is carefully monitored and if someone is trying to connect to and use the Honeypot system that is a very good indicator that you may have a threat actor in your network that is exploring and looking for systems to compromise a Honeypot is a single system and a honey net is a whole network segment of Honey

pots honey pots and honey nuts are a good way of detecting advanced persistent threats and the final inspection method that I'll talk about is ingress and egress monitoring monitoring the traffic that is coming into a network Ingress from say the internet or the traffic that is leaving a network egress it is not uncommon for organizations to detect that they've had a breach by watching a traffic that is leaving egressing their network if traffic is going to a known bad IP address that is a good indication that some malware has somehow infected a company system and

the malware is calling home harm you can never secure a network if the endpoints the laptops mobile phones iPads Alexa devices IP security cameras etas are not secure as I discussed in the fourth video of domain 3 it is critical to secure to harden endpoint devices by ensuring they are correctly configured patched and have strong authentication and so forth all right and that is an overview of network defense within domain 4 covering the most critical Concepts you need to know for the exam these mindmap videos are just meant to be a review tool want to

see what our real full in-depth cisp training videos look like you can check them out here at desert.com slcp videos this link here it's also in the description [Music] below