Key Concepts:
  • Securing the LAN-to-WAN domain–Internet ingress/egress point
  • Mitigating risk with intrusion detection systems (IDSs) and intrusion prevention systems (IPSs)
  • Contrasting intrusion detection and intrusion prevention strategies
  • Review of automated network scanning and vulnerability assessment tools and their use
  • Data protection strategies and their value to the organization

Network Security, Firewalls, and VPNs

Network Security Tools and Techniques

Vulnerability Assessment Scanners
Vulnerability scanning is essential for ensuring network security. Broadly, scanners are of two types: network scanners and Web application scanners. Network scanners probe a network for a variety of widely known vulnerabilities, while Web application scanners scan hosted Web applications. Some widely used scanners are:
  • Nmap and Zenmap
  • Nessus
  • Retina
  • SAINT
Network Analysis
Jack Hocker is a network administrator. He needs to find out the vulnerabilities and attacks the company’s network could face and suggest possible resolutions. To do so, he needs to conduct network analysis.

Let's look at the steps Jack follows to perform network analysis.
1. Create a baseline of the network.
2. Capture data at specific points on the network.
3. Analyze the captured data, compare it with the baseline, and review logs.
4. Use the results of the analysis.
Jack creates a baseline using Nmap or Zenmap to list network devices and see which services the devices run, as well as what operating system and application versions are installed.

Jack's understanding of the network architecture helps him identify data capture points. He focuses on inbound and outbound traffic, intending to monitor the data around the demilitarized zone (DMZ) and inside the perimeter firewall.

When analyzing logs, Jack attempts to detect known attack patterns and deviations from normal behavior. This helps him reduce large volumes of audit data to small volumes of pertinent data.

Jack uses the results of the analysis to investigate and resolve issues, such as stopping unnecessary services or closing open ports that present a vulnerability. He then updates the baseline. If an incident occurs in the future, these results help Jack build signatures into the IDS or IPS to prevent further losses.
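As an added example (not part of the lesson), the following Python script performs the baseline comparison from steps 1 and 3 over two constructed Nmap XML documents: it lists the open services per host and reports what has appeared or disappeared since the baseline. The same parser reads a saved Zenmap scan (Nmap's -oX output) such as the one in the challenge later on this page; the host addresses and services here are made up.

```python
import xml.etree.ElementTree as ET
# Constructed Nmap XML (the -oX format Nmap/Zenmap saves), trimmed to the elements read below; not real scan data.
BASELINE_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host></nmaprun>"""

LATER_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
<host><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="6881"><state state="open"/><service name="bittorrent-tracker"/></port>
</ports></host></nmaprun>"""

def parse_open_services(xml_text):
    """Map host address -> {(protocol, port): service label} for open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        found = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not running services
            svc = port.find("service")
            label = svc.get("name", "unknown") if svc is not None else "unknown"
            if svc is not None and svc.get("product"):
                label += " / " + svc.get("product")
            found[(port.get("protocol"), int(port.get("portid")))] = label
        hosts[addr] = found
    return hosts

def diff_against_baseline(baseline_xml, later_xml):
    """Return {host: {"new": {...}, "gone": {...}}} for hosts whose open services changed."""
    base, later = parse_open_services(baseline_xml), parse_open_services(later_xml)
    report = {}
    for host in sorted(set(base) | set(later)):
        b, l = base.get(host, {}), later.get(host, {})
        new = {k: l[k] for k in l.keys() - b.keys()}   # services not in the baseline
        gone = {k: b[k] for k in b.keys() - l.keys()}  # baseline services no longer seen
        if new or gone:
            report[host] = {"new": new, "gone": gone}
    return report
```

Anything under "new" is a deviation from the baseline to investigate; once a change is accepted, the later scan becomes the new baseline.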
Purpose of Network Security Tools
What kind of network security tools can we use? What purpose do they serve? These are questions that you need to consider when selecting a network security tool.

Think about answers to the following questions before reading the answers that follow.
  • What is the purpose of data loss or data leak prevention tools?
  • What are the essentials of ingress and egress filtering?
  • How do border routers help in protecting the LAN-to-WAN domain?
  • What are some of the common network security and analysis tools?
Data loss or data leak prevention tools help in detecting and blocking sensitive data from exiting a network. They also enforce policies across file shares, databases, and e-mail systems. There are two basic types of tools:
  • Perimeter-based: These tools stop data leakage before data leaves the network.
  • Client-based: These tools stop data leakage at the client end.
Companies often monitor their e-mail systems for data leakage protection (DLP). DLP monitoring looks for large files being sent by e-mail outside the organization and can also scan e-mail messages for sensitive information, such as account numbers and Social Security numbers.
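As an added illustration (not the lesson's own code), this Python function applies the two e-mail DLP checks just described to an outbound message: a large attachment going to an external recipient, and Social Security number or account-number patterns in the body. The company domain, size threshold, and sample messages are assumed values.

```python
import re

COMPANY_DOMAIN = "corptechs.example"        # assumed internal mail domain
LARGE_ATTACHMENT_BYTES = 10 * 1024 * 1024   # assumed policy threshold (10 MiB)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn check so that arbitrary 13-16 digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def dlp_check(msg):
    """Return the policy findings for one outbound message; an empty list means allow.

    msg is a dict: {"to": [...], "attachments": [(name, bytes), ...], "body": str}.
    """
    external = [r for r in msg["to"] if not r.lower().endswith("@" + COMPANY_DOMAIN)]
    if not external:
        return []  # mail that stays inside the organization is out of scope here
    findings = []
    for name, size in msg["attachments"]:
        if size > LARGE_ATTACHMENT_BYTES:
            findings.append(f"large attachment {name} ({size} bytes) to external recipient")
    if SSN_RE.search(msg["body"]):
        findings.append("possible Social Security number in body")
    # Only digit runs that pass the Luhn check are reported, to cut false positives.
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(msg["body"])):
        findings.append("possible account/card number in body")
    return findings
```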
Ingress filtering excludes or rejects all data packets that have an internal host address. It drops data packets with nonroutable Internet Protocol (IP) addresses. Egress filtering stops packets that have noncompany source addresses from leaving the internal network.
Border or boundary routers function at the network perimeter in the DMZ. They accept traffic from the Internet, filter unapproved traffic, and pass approved traffic to firewalls. They also protect the internal network against IP address spoofing and directed IP broadcasts.
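Added example, not from the lesson: a small Python policy check that applies the ingress, egress, and directed-broadcast rules from the two paragraphs above to individual packets. The internal and nonroutable prefixes are assumed values.

```python
import ipaddress

# Assumed (constructed) address plan; substitute the organization's own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
# Nonroutable / reserved ranges that should never arrive from the Internet.
NONROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def filter_packet(direction, src, dst):
    """Decide the fate of one packet at the perimeter.

    direction is "ingress" (Internet -> LAN) or "egress" (LAN -> Internet).
    Returns ("drop", reason) or ("accept", "").
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "ingress":
        # Ingress filtering: a packet from the Internet must not claim an internal
        # host address (spoofing) or come from a nonroutable address.
        if in_any(s, INTERNAL_NETS):
            return ("drop", "ingress: spoofed internal source address")
        if in_any(s, NONROUTABLE_NETS):
            return ("drop", "ingress: nonroutable source address")
        # Border-router rule: refuse directed broadcasts aimed at internal subnets.
        if any(d == n.broadcast_address for n in INTERNAL_NETS):
            return ("drop", "ingress: directed IP broadcast")
        return ("accept", "")
    if direction == "egress":
        # Egress filtering: only the company's own addresses may leave the LAN.
        if not in_any(s, INTERNAL_NETS):
            return ("drop", "egress: source address is not a company address")
        return ("accept", "")
    raise ValueError("direction must be 'ingress' or 'egress'")
```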
Some network security and analysis tools are as follows:
  • Packet capture tools: These tools enable you to record data that travels across the network. They can limit the data captured to data with specific connection characteristics, such as to or from a specific system. Packet capture tools generate a large volume of data in a short period; therefore, it is not feasible to keep packet capture data for an extended period.
  • IDS: It monitors internal hosts or networks for suspicious traffic and alerts administrators when such traffic is detected.
  • Data collector: It records data on each network connection passing through the monitored devices. The data collected through a data collector includes the source, destination, and volume of data.
IDS vs. IPS
We have discussed how firewalls and routers help in monitoring a network. But, can they catch all kinds of intruders? The answer is no. To catch other intruders, we need IDS and IPS. Let's review the difference between an IPS and an IDS.

IPS

  • It monitors internal hosts or networks, watching for symptoms of compromise or intrusion.
  • It acts as the first layer of proactive defense.
  • It detects attack or intrusion attempts before they succeed.
  • On detecting an intruder, an IPS responds by stopping the attack from proceeding. Some IPSs provide basic data loss or leak prevention capabilities.

IDS

  • It monitors internal hosts or networks after an attack has occurred.
  • It reacts to events that the IPS misses.
  • It seeks symptoms of compromise or intrusion.
  • On detecting an intruder, an IDS can send commands to the firewall to break the connection, block an IP address, or block a port or protocol.

HIDS or NIDS Solutions
Host-based IDS (HIDS) or network-based IDS (NIDS) solutions might present problems for an organization in terms of resource consumption and encrypted transport examination. In such cases, tuning the HIDS or NIDS or training the employees in using the HIDS or NIDS can help in striking a balance between security and resource consumption, avoiding network bottlenecks, and preventing a decrease in end-user productivity. Let's look deeper into this.

An HIDS is used in addition to antivirus software. An HIDS is installed on every system on a network rather than as a node on the network; therefore, it cannot create an accurate network picture or coordinate events that occur across the network. A NIDS is installed at various points on a network and can therefore detect attacks that occur across the network and coordinate the response to them.

Although HIDS and NIDS are important countermeasures against outside attacks, they have a few disadvantages:
  • They require an intense tuning or training period.
  • They can create a false sense of security.
  • Sometimes, they consume so many resources that the system is unable to perform its primary job.
  • A NIDS might experience difficulty handling encrypted network traffic.

In this section, you will have an opportunity to practice the concepts and processes that you have explored in this lesson.

The Hands-On Lab provides you with an engaging learning experience that is diagnostic and flexible. Following the instructions provided in the Lab Manual, you will be able to practice the steps IT Security Specialists perform on a daily basis and develop the skills required for effective execution and management of IT Security operations.

In this section, you will have an opportunity to apply what you've learned in this lesson in the context of analyzing a business situation. Although simplified, the problem scenario provided here depicts the challenges often faced by professionals in the workplace.

In this interactive case study, you will explore a business situation, review critical information related to the problem discussed in the case, decide on the course of action, and receive a decision analysis summary that discusses the implications of your decision. Once you analyze the impact of your decision, explore alternative solutions to learn about other potential ways to address the issue in the case. Complete your work on the case by submitting the graded assignment that will reflect on your process of analyzing the business situation and defining an appropriate course of action.

You have been working as a technology associate in the information systems department at Corporation Techs for a while now. You are going to Las Vegas for the weekend, and you are excited about the trip. While you are thinking about the trip in the break room, your manager comes in and says a big task has been planned for you. Hiding your feelings, you smile and ask, "What's the big task?"

I have received a report about an intrusion attempt and a scan of the preliminary analysis of the Web server host. I have sent you the saved Zenmap scan. I want you to analyze the scan, identify services that were detected on the system, research the use of each service, and detail a plan for removing unnecessary services. Create a report detailing your plan and support your conclusions. You can go to Meeting Room 1 and consult your coworkers who have experience working with Zenmap.

All the best!

Contributing Factors
From where do you think you can gather information for this task? Three sources are available:
  • Attend a meeting
  • Read e-mail
  • Research the Internet


Paul

Alice
Hey, buddy! I believe you are about to identify unnecessary services from a saved vulnerability scan. Some services you could consider removing are File Transfer Protocol (FTP), peer-to-peer (P2P) file-sharing service, and Simple Mail Transfer Protocol (SMTP) used by the Web forms application.
Let me remind you that not all services are necessary on every server. Leaving some services enabled provides a possible attack point. You can use the Help system in the tool and the Internet to determine which services are unnecessary. Just search for unnecessary network services and read some of the articles by well-known organizations. You also may need to analyze Zenmap scans taken over a period of time to fine-tune which services are required on our network.

Hi,

As discussed, click the link below to look at the scan of the Zenmap interface with services listed in the left pane of the document.

Zenmap Scan

Hope you'll do a good job!

Course of Action
Use the following checklist as a guide to complete this assignment.

Tasks

  • Analyze the saved Nmap or Zenmap scan of a Web server host.
  • Identify services that were detected on the system.
  • Research the use of each service.
  • Determine which services are unnecessary.
  • Create a report detailing your plan and support your conclusions.
At the end of this lesson, you should be able to:
  • Assess the features and functions of common vulnerability assessment tools.
  • Review the network analysis process.
  • Learn about the purpose of data loss prevention tools.
  • Examine the use of an intrusion detection system (IDS) and an intrusion prevention system (IPS).
In this lesson, you will cover the features of vulnerability assessment scanners. You will compare intrusion detection and intrusion prevention strategies. You will also look at the steps involved in network analysis. In addition, you will explore data protection strategies and their value to an organization.