# Network Segmentation and Firewalls (ICMP) (1:30)

## Learning Objectives

_After the lesson, students will be able to:_

* List and describe the advantages of network segmentation
* List the different types of network separation
* Describe Network Access Control (NAC)
* Describe the function of a firewall
* List and describe the types of firewalls
* List the advantages of VPNs

_Before the lesson, briefly review:_

* The TCP/IP model
* The concept of packet switching
* Basic networking concepts

## Network Segmentation Overview (0:10)

Network segmentation is the act of dividing a network into subnetworks.

In traditional networks, all hosts sat in a single network. That is rarely necessary, because there is usually no reason for one host to "trust" every other host on the same wire.
That gave any attacker who reached the network a direct path to every system on it. The idea of dividing a network into smaller networks is not new. Segmenting a network into subnets brings both better performance and better security. Think of a network as a problem to be solved for performance and security: as with any large problem, the obvious approach is to break it into smaller ones. Several small networks are much easier to manage than one large one, and segmentation has a number of further advantages.
### Advantages (0:10)

#### Reduced congestion

* Each of the smaller networks has fewer hosts, which means less traffic per network and better performance.

#### Improved security

* Broadcasts are limited to the local network.
* A breached system can only directly reach its own local network, which limits the blast radius of a compromise.
* Firewalls are easier to deploy and manage across smaller networks, which adds up to better security.

#### Network problems

* A network failure is contained to the local network without affecting the others.

#### Better access control

* Users can be allowed to access only specific resources of the network.

#### Improved monitoring

* A smaller network makes it easier to log events and monitor traffic.

_There are two main types of network segmentation: physical and logical separation._

## Physical Separation (0:05)

In physical separation, the network is divided with separate physical hardware: routers, switches and cabling. Physical separation provides reliable, dedicated links for real-time traffic, but it has a real cost (the hardware).
Physical separation also provides extra security, because traffic never shares a cable or a switch with another network. When a company requires a highly secure line, physical separation is the answer: routers, switches and cabling are dedicated to that network.

_Physical: using separate cabling and Layer-2 access switches._
### Advantages

* Better security
* Dedicated hardware
* No overlay
* Better performance

## Logical Separation (VLAN) (0:05)

Logical separation divides the network into virtual subnets. There is no physical separation of the network; instead there are VLANs (Virtual Local Area Networks). A VLAN is created by tagging Ethernet frames with a VLAN identifier (IEEE 802.1Q) and having the switches forward frames only between ports that belong to the same VLAN. This gives the appearance of separate networks while, in reality, there is a single physical network.
VLANs let network administrators group hosts together even when the hosts are plugged into different switches. Economically, VLANs are a better option than physical separation. There are security trade-offs in logical separation: the data of every VLAN flows through the same routers and switches, so if one of those devices is compromised or misconfigured, every VLAN on that hardware is exposed. Subnets and VLANs go together: a VLAN is a broadcast domain inside a switched network, each VLAN normally carries one IP subnet, and devices inside a VLAN can talk to each other without a Layer-3 switch or router. Traffic between VLANs must cross a router, which is where access rules between segments are enforced.

_VLANs: using the VLAN protocol (802.1Q tagging) on the same physical infrastructure._

### Advantages

* Better security
* Easier network management
* Easy scalability
* More flexible

## Network Access Control (0:10)

The goal of NAC (Network Access Control) is to unify endpoint security technologies (antivirus, intrusion prevention, etc.), user or system authentication, and network security enforcement.
NAC is a networking solution that uses a defined set of protocols to implement a security policy describing how access to network nodes is secured when a device first tries to join the network. As the name suggests, NAC controls access to the network through policies that include pre-admission endpoint security checks and post-admission controls.

### Example

NAC defines requirements for any computer trying to connect to the network. Say you are the administrator of a network. You define a set of rules every computer must satisfy before it is allowed on: for example, it must run anti-virus protection and have all system updates installed. Once the policy is met, the computer can access the network resources and the internet. A common design places a non-compliant device in a restricted "quarantine" network from which it can reach only the update servers it needs to become compliant.

### Goals of NAC

* Policy enforcement
* Role-based controls for users, devices, applications, etc.
* Mitigation of non-zero-day attacks
* Authorization, authentication, and accounting (AAA) of network connections
* Identity and access management

### Pre-admission and Post-admission

There are two main NAC designs, based on when policies are enforced. Pre-admission means inspecting the host before it joins the network.
The host has to meet the policy before it is given access. Post-admission NAC makes enforcement decisions based on what the user or device does after it is connected to the network.

---

## You Do: Things to Remember (5 minutes / :05)
What are the two main types of network separation?
> Logical and physical
In military use, where a highly secure network is required, what type of separation is suitable?
> Physical separation, as it provides dedicated hardware and dedicated routes over the network.
What is a VLAN?
> VLAN stands for Virtual Local Area Network: a logical (virtual) network segment created on shared switching hardware.
What is the role of NAC?
> NAC (Network Access Control), as the name suggests, provides a means to control access to the network according to the applied policies.
What is pre-admission in NAC?
> Pre-admission means checking the host against the enforced policies before giving it access to the network.
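Before moving on to firewalls, here is an added example (not code from the original lesson) that makes the "breached system is contained in the local network" advantage from the segmentation section concrete. It models the same five hosts once as a flat network and once split into VLANs joined by a router policy, and computes how many hosts an attacker on a compromised workstation can reach. The VLAN numbers, subnets, hostnames and the inter-VLAN policy are constructed for illustration.

```python
"""Blast radius of one compromised host: a flat network versus a segmented one.

Added example for the segmentation and VLAN material above; it is not code from
the original lesson. The VLAN numbers, subnets, hostnames and the inter-VLAN
router policy are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    vlan: int


@dataclass
class Network:
    subnets: dict                                   # VLAN id -> CIDR of that broadcast domain
    hosts: list
    # Router policy between VLANs: (src VLAN, dst VLAN, dst port) triples that are
    # permitted. Anything not listed is dropped (implicit deny).
    inter_vlan_allow: set = field(default_factory=set)

    def __post_init__(self):
        # Sanity check: every host's address must lie in its own VLAN's subnet.
        for h in self.hosts:
            if ipaddress.ip_address(h.ip) not in ipaddress.ip_network(self.subnets[h.vlan]):
                raise ValueError(f"{h.name} ({h.ip}) is not in VLAN {h.vlan}")

    def can_reach(self, src: Host, dst: Host, port: int) -> bool:
        if src.vlan == dst.vlan:
            # Same broadcast domain: frames are switched directly, so no router
            # and no ACL sits in the path.
            return True
        # Different VLANs: the packet must cross the router, where the policy applies.
        return (src.vlan, dst.vlan, port) in self.inter_vlan_allow

    def reachable(self, src_name: str, port: int) -> set:
        """Names of the hosts an attacker on `src_name` can reach on `port`."""
        src = next(h for h in self.hosts if h.name == src_name)
        return {h.name for h in self.hosts if h is not src and self.can_reach(src, h, port)}


def flat_network() -> Network:
    """Everything in one VLAN and one /24: any host can talk to any other."""
    hosts = [Host("ws1", "10.0.0.11", 1), Host("ws2", "10.0.0.12", 1),
             Host("web", "10.0.0.80", 1), Host("db", "10.0.0.90", 1),
             Host("printer", "10.0.0.200", 1)]
    return Network({1: "10.0.0.0/24"}, hosts)


def segmented_network() -> Network:
    """Workstations, servers and printers on separate VLANs joined by a router ACL."""
    hosts = [Host("ws1", "10.10.0.11", 10), Host("ws2", "10.10.0.12", 10),
             Host("web", "10.20.0.80", 20), Host("db", "10.20.0.90", 20),
             Host("printer", "10.30.0.200", 30)]
    policy = {(10, 20, 443),    # workstations may use the web application
              (10, 30, 9100)}   # workstations may print
    return Network({10: "10.10.0.0/24", 20: "10.20.0.0/24", 30: "10.30.0.0/24"},
                   hosts, policy)


if __name__ == "__main__":
    for label, net in (("flat", flat_network()), ("segmented", segmented_network())):
        # SMB (445) is the classic worm vector; see how far a compromised
        # workstation gets in each design, and whether a compromised server
        # can come back at the workstations.
        print(f"{label:9} ws1 -> port 445: {sorted(net.reachable('ws1', 445))}")
        print(f"{label:9} web -> port 22:  {sorted(net.reachable('web', 22))}")
```

In the flat design a single compromised workstation can reach every other host on any port; in the segmented design it reaches only its VLAN neighbour on port 445, and only the services the router policy explicitly permits elsewhere. Note that the policy is one-directional: nothing allows the server VLAN to initiate connections back to the workstations.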
---

## Firewall Overview (0:05)

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Think of a firewall as the security guard of your network: given a specific set of instructions, it can protect the network from a variety of attacks. Firewalls are usually categorized as network firewalls or host-based firewalls. Network firewalls filter traffic between two or more networks; host-based firewalls run on a single host. There have been several generations of firewalls, described below.

![Firewall](https://upload.wikimedia.org/wikipedia/commons/5/5b/Firewall.png)

### Generations of Firewalls (0:10)

#### First generation

The first generation, known as packet filters, was introduced in 1988.
Packet filters look at the network addresses and ports of each packet to decide whether it must be dropped or allowed. You can write custom filters to deny or accept incoming packets. Each packet is judged on its own; the filter keeps no memory of earlier packets.

#### Second generation

The second generation is known as "stateful" filters, originally called circuit-level gateways.
These firewalls do the first-generation work but also keep track of connections, retaining enough information about each packet to judge its state: whether it starts a new connection, belongs to an existing connection, or is not part of any connection. The second generation still uses static rules but can also contain rules based on connection state.

#### Third generation

The third generation is the application-layer firewall.
The benefit of application-layer filtering is that it understands specific applications and protocols such as FTP, HTTP and DNS. Because these firewalls work at the application layer, they can detect an unwanted application or service trying to bypass the firewall by tunneling a hidden protocol over an allowed port.

#### Next-Generation Firewalls (NGFW)

NGFWs are the current generation of firewalls.
What NGFWs add is deeper inspection of packets across the whole application stack, known as deep packet inspection. These firewalls can be extended with an intrusion prevention system (IPS), an intrusion detection system (IDS), and similar functions.

### Types of Firewalls (0:10)

Firewalls are generally categorized as network-based or host-based; network-based firewalls are further divided by the layer at which they inspect traffic.

#### Network layer or packet filters

Network-layer firewalls, also known as packet filters, work at a low level of the TCP/IP protocol stack. Packet filters allow a packet through only if it matches the established rule set; these rules are defined by the administrator according to the security requirements.

_There are two sub-categories of network-layer firewalls: stateful and stateless._

* Stateful: stateful firewalls retain information about active sessions and use that "state information" to inspect packets.
The state of a packet depends on variables such as source and destination address, protocol and port. If a packet does not match an existing connection, it is evaluated against the defined rule set.
* Stateless: stateless firewalls retain no information about connection state, so they need less memory.
Stateless firewalls can be faster for simple filters, where checking the rule takes less time than looking up a session. The trade-off is that, without state, return traffic has to be allowed by static rules (for example "allow anything from source port 80"), and an attacker can exploit such a rule simply by sending packets from that source port.

#### Application layer

Application-layer firewalls work at the application level of the TCP/IP stack. They can inspect all packets traveling between applications.
At the application layer, firewall rules can be set for a specific protocol, port, and so on. By examining packets for improper content, such firewalls can limit or prevent the internal spread of computer worms and Trojans. The extra inspection criteria can add latency to the delivery of packets to their destinations.

### Access Restrictions (ACL) (0:05)

Access restriction, as the name suggests, means denying specific users or hosts access to the network. This is achieved with an ACL (Access Control List). An access control list contains a list of ACEs (Access Control Entries); each ACE names a trustee (a user, group, address or port) together with a permission such as allow or deny.
Routers and switches can apply ACL rules, defined on port numbers or IP addresses and evaluated in order: the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny at the end of the list. It is debatable whether ACLs can usefully be defined on domain names, as TCP, UDP and ICMP headers do not contain domain names. In simple words, an ACL is the list defining who has access to what and who does not.
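The following added example (not code from the original lesson) runs one first-match ACL, with an implicit deny at the end, through both a stateless filter and a stateful one, to show the difference between the two network-layer sub-categories above. It assumes 192.168.1.0/24 is the inside network, 203.0.113.5 an external web server and 198.51.100.9 an attacker; all addresses, ports and packets are constructed for illustration.

```python
"""Stateless versus stateful packet filtering on one first-match ACL.

Added example, not code from the original lesson. 192.168.1.0/24 is assumed to
be the inside network, 203.0.113.5 an external web server and 198.51.100.9 an
attacker; every packet below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags: the only hint of "state" a stateless filter can see
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One ACE: an action plus optional source/destination network and port."""
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # CIDR; 0.0.0.0/0 means any address
    sport: Optional[int] = None    # None means any port
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def acl_decision(rules, p: Packet) -> str:
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


INSIDE = "192.168.1.0/24"

# A stateless filter has no memory of the outbound request, so replies from web
# servers can only be admitted by a static rule keyed on source port 80. That
# rule is far broader than "replies to our requests".
STATELESS_RULES = [
    Rule("allow", src=INSIDE, dport=80),     # inside hosts may browse the web
    Rule("allow", sport=80, dst=INSIDE),     # ...and receive the replies (too broad)
]

# A stateful filter needs only the outbound rule; replies are matched against
# the connection table instead of the ACL.
STATEFUL_RULES = [
    Rule("allow", src=INSIDE, dport=80),
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.connections = set()   # (src, sport, dst, dport) of connections we admitted

    def decision(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.connections or reverse in self.connections:
            return "allow"                 # part of an existing connection
        verdict = acl_decision(self.rules, p)
        if verdict == "allow" and p.syn and not p.ack:
            self.connections.add(forward)  # a new connection we allowed: remember it
        return verdict


def compare(packets):
    """Return {name: (stateless verdict, stateful verdict)} for a packet sequence."""
    fw = StatefulFirewall(STATEFUL_RULES)
    return {name: (acl_decision(STATELESS_RULES, p), fw.decision(p)) for name, p in packets}


SCENARIO = [
    ("request", Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True)),
    ("reply", Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True)),
    # The attacker forges source port 80 to reach an internal SSH daemon.
    ("forged", Packet("198.51.100.9", 80, "192.168.1.20", 22, syn=True)),
]

if __name__ == "__main__":
    for name, (stateless, stateful) in compare(SCENARIO).items():
        print(f"{name:8} stateless={stateless:5} stateful={stateful}")
```

Both firewalls pass the request and its reply. The forged packet slips through the stateless rule set because it matches the "source port 80 to inside" entry, while the stateful firewall finds no connection for it, falls back to the ACL, and hits the implicit deny.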
### Network Address Translation (NAT) (0:05)

Network address translation is a method of remapping one IP address space into another by rewriting the address information in packet headers as they pass through a router or firewall. Usually the NAT device maps the private addresses of the computers inside a network onto a single public address (its own), keeping a translation table so that replies can be sent back to the right private host. The main reason for NAT is to limit the number of public IP addresses an organization must use, for both economic and security reasons. In large networks some servers, such as web servers, need to be reachable from the internet. These servers are given a public address, or a port on the firewall's public address, and the public reaches them only through that address. This adds a layer of security: the firewall acts as an intermediary between the server and the outside, and rules can be added to expose only specific ports to the public.
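As an added example (not code from the original lesson), the gateway below implements port address translation, the many-to-one form of NAT described above: every outbound flow gets its own port on the single public address, replies are mapped back through the table, unsolicited inbound packets are dropped, and a published server is reached through a static port forward. The addresses (203.0.113.1 as the gateway's public address, 192.168.1.0/24 inside) and packets are constructed for illustration.

```python
"""Port address translation (PAT): many private addresses behind one public one.

Added example, not code from the original lesson. 203.0.113.1 is assumed to be
the gateway's single public address; all hosts, ports and packets are
constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound: (private src, sport, dst, dport) -> public port used for that flow
        self.outbound_map = {}
        # inbound: (public port, remote addr, remote port) -> (private src, sport)
        self.inbound_map = {}
        # static mappings for servers published to the internet: public port -> (host, port)
        self.port_forwards = {}

    def publish(self, public_port: int, private_ip: str, private_port: int):
        """Expose an internal server on one port of the public address."""
        self.port_forwards[public_port] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private network; allocate a port for new flows."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, pkt: Packet):
        """Rewrite a packet arriving on the public side; None means it is dropped."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.inbound_map.get((pkt.dport, pkt.src, pkt.sport))
        if entry is not None:                      # reply to a flow we translated
            priv_ip, priv_port = entry
            return replace(pkt, dst=priv_ip, dport=priv_port)
        if pkt.dport in self.port_forwards:        # published server
            priv_ip, priv_port = self.port_forwards[pkt.dport]
            return replace(pkt, dst=priv_ip, dport=priv_port)
        return None   # no mapping: unsolicited inbound traffic never reaches the inside


if __name__ == "__main__":
    gw = PatGateway("203.0.113.1")
    gw.publish(443, "192.168.1.80", 8443)
    # Two inside hosts use the same source port towards the same server; the
    # gateway keeps them apart by giving each flow its own public port.
    for host in ("192.168.1.10", "192.168.1.11"):
        out = gw.outbound(Packet(host, 51000, "198.51.100.7", 443))
        print(f"{host}:51000 -> seen by the internet as {out.src}:{out.sport}")
    print("unsolicited SSH probe:", gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 22)))
    print("published web server:", gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 443)))
```

The "security" in NAT is only a side effect of the translation table: an inbound packet with no matching entry has nowhere to go. It is not a substitute for the firewall rules discussed above, which is why the gateway still needs an explicit decision (here `publish`) for anything the outside should reach.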
#### Exercise

* Everyone types "what is my IP" into Google.
* Check the IP and compare it with the other students' results.
* Type `ipconfig` (Windows) or `ifconfig` / `ip addr` (Linux) in a command prompt or terminal.

You can see that even though everyone has a different local IP address, Google shows the same IP address to everyone.
So there is only one public IP assigned by the ISP to your company or school, and that one public IP is mapped to many different private IPs.

### VPN Summary (0:05)

VPN stands for Virtual Private Network. A VPN extends a private network over a public network: as the name suggests, it is a virtual network running over the physical one. VPNs can extend over the internet, connecting hosts anywhere in the world. A VPN lets a host located outside the office communicate over the corporate intranet. Large companies such as Google or IBM are spread across the globe; building a physical private network between all their sites would be nearly impossible.
VPNs solve this problem: the company creates its intranet over the public internet. A VPN is created by establishing a virtual point-to-point connection, either over dedicated circuits or, more commonly, with a tunneling protocol plus traffic encryption over the public network. Tunneling and encryption are the key to VPNs.
Traditional VPNs have a point-to-point topology and do not support broadcast domains or Microsoft services such as NetBIOS. Newer variants, such as VPLS (Virtual Private LAN Service) and the Layer 2 Tunneling Protocol (L2TP), are designed to overcome this limitation.

#### Advantages (0:05)

* Enhanced security
* Remote access
* File sharing
* Online anonymity
* Bypassing ISP filters
* Changing your IP address
* Better performance
* Reduced costs

---

## You Do: Things to Remember (5 minutes / :05)
What are the two main types of firewall?
> Network-based and host-based firewalls
What is the difference between stateful and stateless firewalls?
> A stateful firewall stores information about the state of connections and can apply rules based on that state; a stateless firewall judges each packet on its own.
What is the current generation of firewalls?
> Next Generation Firewalls
What is NAT?
> Remapping IP addresses as packets pass through a router or firewall, typically mapping many private addresses onto one public address.
What does VPLS stand for?
> Virtual Private LAN Service
---

## Discussion

Discuss the different types of firewalls and how attackers can bypass firewalls over the network.

## Conclusion (5 min / :05)

- Recap the topic(s) covered in today's lesson

## Additional Readings

* [Network Segmentation](https://en.wikipedia.org/wiki/Network_segmentation)
* [Network Access Control](http://www.tomsitpro.com/articles/network-access-control-solutions,2-916.html)
* [Firewall](https://www.sans.org/reading-room/whitepapers/firewalls/achieving-defense-in-depth-internal-firewalls-797)
* [Network Address Translation](https://en.wikipedia.org/wiki/Network_address_translation)
* [VPN](https://www.infosec.gov.hk/english/technical/files/vpn.pdf)