5-Network Defenses - UTPA Faculty Web


Nov 20, 2013


Network Defenses

Dr. John P. Abraham




A common mistake in network security

Attempting to patch vulnerabilities in a weak network that was poorly conceived and implemented from the start

Securing a network begins with the design of
the network and includes secure network

Crafting a Secure Network

Security through design

Subnetting, VLAN, DMZ, etc.

Security through network technologies

NAT, NAC, etc.

Network Security Devices

Firewall, proxy server, honeypot, NIDS, etc.

Intrusion Prevention Systems

Security+ Guide to Network Security Fundamentals, Third Edition

Security through Network Design


IP addresses are actually two addresses: one part
is a network address and one part is a host address

Classful addressing

The split between the network and host portions of the IP address was originally set on the boundaries between the bytes


Subnet addressing

Allows an IP address to be split anywhere

Networks can essentially be divided into three
parts: network, subnet, and host



Isolates organizational groups

Decreased network traffic

Improved troubleshooting

Improved utilization of addresses

Minimal impact on external routers

Better organization
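As an added example (not from the slides), the following Python shows how the classful byte boundary and an arbitrary subnet mask split an address into network, subnet and host bits, and how the mask decides whether two hosts are isolated from each other. The addresses used are constructed for illustration.

```python
# Added example: how an IPv4 address splits into network, subnet and host
# parts under classful addressing versus an arbitrary subnet mask.
# Pure Python, no external libraries; addresses below are constructed.

def ip_to_int(dotted: str) -> int:
    """Dotted-quad text to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_mask(prefix: int) -> int:
    """Subnet mask for a prefix length, e.g. 26 -> 255.255.255.192."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def classful_prefix(dotted: str) -> int:
    """The original split fell on a byte boundary chosen by the leading
    bits of the first octet: class A /8, class B /16, class C /24."""
    first = ip_to_int(dotted) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses carry no host portion")

def split_address(dotted: str, prefix: int) -> dict:
    """Split at an arbitrary prefix (subnet addressing). Bits between the
    classful boundary and the mask are the subnet part; the rest is host."""
    addr, mask = ip_to_int(dotted), prefix_mask(prefix)
    return {
        "network": int_to_ip(addr & mask),
        "broadcast": int_to_ip(addr | (~mask & 0xFFFFFFFF)),
        "subnet_bits": max(prefix - classful_prefix(dotted), 0),
        "host_bits": 32 - prefix,
        "usable_hosts": max((1 << (32 - prefix)) - 2, 0),
    }

def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Hosts whose network parts differ are isolated at layer 3 and can only
    reach each other through a router, which is where access control sits."""
    mask = prefix_mask(prefix)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)
```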

VLAN (virtual LAN)

Scattered individual units under the same organizational unit can be grouped together (logical grouping rather than physical)

In most network environments, networks are
divided or segmented by using switches

A VLAN allows scattered users to be logically
grouped together even though they may be
attached to different switches

Can reduce network traffic and provide a degree
of security similar to subnetting:

VLANs can be isolated so that sensitive data is
transmitted only to members of the VLAN

Convergence technologies (VoIP, video, etc.) vulnerabilities

Phones are affected when the underlying OS is attacked

VoIP protocols have very little security

Lack of encryption for VoIP packets

Spam calls

Demilitarized Zone (DMZ)

Devices that provide services to outside users, such as email and web servers, are isolated.

If penetrated, the compromise is confined to that server rather than the LAN itself.

DMZ example

Network Address Translation (NAT)

NAT hides the private IP addresses assigned to individual machines. A single public IP, or a pool of public IPs, is used for public visibility.

Available private IP, and

The NAT device removes the sender's private IP from the packet and replaces it with an alias. The NAT device keeps a table of the mapping, and the process is reversed when a reply packet arrives.

A variation is port address translation. Each packet is
given the same IP address but a different port number.


Security through Network Technologies

Network Address Translation (NAT)

Hides the IP addresses of network devices from

Private addresses

IP addresses not assigned to any specific user or

Function as regular IP addresses on an internal

routable addresses



Security through Network Technologies (continued)

NAT removes the private IP address from the
sender’s packet

And replaces it with an alias IP address

When a packet is returned to NAT, the process
is reversed

An attacker who captures the packet on the
Internet cannot determine the actual IP
address of the sender
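An added example, not part of the slides or the textbook, of the translation described in the NAT slides above: a port address translator that maps each outbound flow from a private address to one shared public alias with its own port, keeps the table, and reverses it only for replies that match an entry. The 192.168.1.x, 203.0.113.7 and 198.51.100.5 addresses are constructed.

```python
# Added example: a port address translator (PAT, the NAT variation on the
# slide). Outbound packets get the shared public IP and a fresh port; the
# table the device keeps is the only way a packet gets translated back in.
# Addresses are constructed (RFC 1918 inside, documentation ranges outside).

class PortAddressTranslator:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, dst_ip, dst_port) -> public port
        self.outbound: dict = {}
        # public port -> (private_ip, private_port, dst_ip, dst_port)
        self.inbound: dict = {}

    def translate_outbound(self, pkt: dict) -> dict:
        """Strip the sender's private address and substitute the alias."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.outbound.get(key)
        if port is None:                 # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return {"src": self.public_ip, "sport": port,
                "dst": pkt["dst"], "dport": pkt["dport"]}

    def translate_inbound(self, pkt: dict):
        """Reverse the mapping for a reply. Anything that matches no table
        entry was never requested from inside and is dropped (None): the
        table, not anything in the packet, decides where a reply goes."""
        if pkt["dst"] != self.public_ip:
            return None
        key = self.inbound.get(pkt["dport"])
        if key is None or (pkt["src"], pkt["sport"]) != (key[2], key[3]):
            return None
        private_ip, private_port = key[0], key[1]
        return {"src": pkt["src"], "sport": pkt["sport"],
                "dst": private_ip, "dport": private_port}
```

Two inside hosts can use the same source port and still be told apart, because the public port, not the private address, is what the outside world sees.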



Security through Network Technologies (continued)


Network Access Control (NAC)

A special quarantined network area to which new devices or guests are allowed to connect. Only after passing the required security checks are they allowed onto the LAN.


Network Admission Control


Network Access Protection


Unified Access Control

Trusted Computing Group

Trusted Network


Applying Network Security Devices

Devices include:


Proxy servers


Network intrusion detection systems

Host and network intrusion prevention systems

Protocol analyzers

Internet content filters

Integrated network security hardware



Filtering data packets

a gatekeeper to the

Rule based

Allow, block, prompt.

Stateful packet filtering

A packet is not allowed to pass to a client unless the client requested it from the server.

Example packet filtering rules

See Table 5-6, p. 167

Source address = any

Destination address = internal IP

Port = 80
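An added example (not from the slides or the textbook) that puts the rule-based allow/block/prompt actions, the stateful check and the slide's example rule together in Python. The rule list, the set of internal addresses and the packets are constructed for illustration.

```python
# Added example: a first-match packet filter with the allow/block/prompt
# actions from the slide, plus a stateful check that admits an inbound
# packet only when an inside client opened the conversation.
# Rules, address sets and packets are constructed for illustration.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src: str      # exact address, "internal" (any inside host) or "any"
    dst: str      # exact address or "any"
    dport: int    # destination port, 0 = any
    action: str   # "allow", "block" or "prompt"

    def matches(self, pkt: dict, internal: set) -> bool:
        src_ok = (self.src == "any" or self.src == pkt["src"]
                  or (self.src == "internal" and pkt["src"] in internal))
        dst_ok = self.dst == "any" or self.dst == pkt["dst"]
        return src_ok and dst_ok and self.dport in (0, pkt["dport"])

@dataclass
class StatefulFilter:
    rules: list
    internal: set
    default: str = "block"            # anything no rule covers
    # flows opened from inside: (client, cport, server, sport)
    state: set = field(default_factory=set)

    def filter(self, pkt: dict) -> str:
        """Return the action taken for one packet."""
        flow_out = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flow_back = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # Stateful part: a reply to a conversation an inside client started
        # passes without consulting the rule list.
        if pkt["src"] not in self.internal and flow_back in self.state:
            return "allow"
        for rule in self.rules:           # first match wins
            if rule.matches(pkt, self.internal):
                if rule.action == "allow" and pkt["src"] in self.internal:
                    self.state.add(flow_out)  # remember the client's request
                return rule.action
        return self.default

# The slide's example rule (any source to an internal address on port 80,
# here a constructed web server), plus outbound HTTPS for inside hosts;
# outbound telnet prompts the user instead of deciding automatically.
EXAMPLE_RULES = [Rule("any", "10.0.0.80", 80, "allow"),
                 Rule("internal", "any", 443, "allow"),
                 Rule("internal", "any", 23, "prompt")]
```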

Proxy Server

Intercepts internal user requests and processes them on behalf of the user. It hides the IP address of the client system inside the secure network.

When a request for a web page is made, the client actually contacts the proxy server, which checks to see if that page exists in its cache.


Honeypot

Intended to trap attackers.

A honeypot is a computer located in a DMZ that is loaded with software and data files that appear to be the real thing.

Deflect attention

Early warnings of new attacks

Examine attacker techniques

Network Intrusion Detection Systems

Watches for attempts to penetrate a network.

See Table 5-9, p. 171

A NIDS looks for suspicious patterns.