Advanced network design
Since the Covid-19 pandemic began to transform the workplace in 2020, there has been a major effect on the way employees access their enterprise's desktop and company data. Enterprises have been forced to accept that the modern workplace will contain a high number of remote working employees. Many enterprises expect a significant proportion of staff to continue with this flexible way of working due to the benefits of work/life balance. What was previously considered the exception, where some workers were able to remotely access the workplace or connect from a temporary location such as a hotel or airport transit lounge, will likely now become the new normal.
There are significant risks in extending the network perimeter to these remote workers, and it is important that all access is secure and identities are verified.
Remote access
This is the term used when accessing systems remotely. We may need to access a desktop to configure settings for a remote worker or configure a network appliance ruleset. In some cases, it may be necessary to assist a remote worker by sharing their desktop. We will compare the main types of remote access in this section.
VPN
A VPN service provides you with a secure, encrypted tunnel when you need to connect across untrusted networks. External threat actors cannot access the tunnel and gain access to your enterprise data.
A VPN can be used for securing remote workers and can also be used to connect sites across untrusted networks.
Enterprise solutions include Microsoft Direct Access, Cisco AnyConnect, and OpenVPN (there are many more). Figure 1.16 shows a popular VPN client, OpenVPN Connect:
Many enterprises will ensure their employees' mobile devices are enabled with an always-on VPN client. This ensures that when employees are working outside the corporate network, they will automatically connect over a secure connection, whenever the device is powered on. It is important that all traffic is routed through the VPN connection using a full-tunnel configuration. Figure 1.17 shows a full-tunnel configuration:
When the VPN interface is configured with the default gateway configuration, as shown in Figure 1.17, all traffic is routed through the company network, ensuring security policies are enforced.
IPsec
IP Security (IPsec) is a suite of protocols deployed in most vendor implementations of IPv4 and is a requirement for IP version 6 (IPv6). When configured, it will protect against replay attacks and ensure the integrity and confidentiality of the data.
Authentication headers (AHs) provide authentication, integrity, and protection against replay attacks.
Encapsulating Security Payload (ESP) provides authentication, integrity, and confidentiality for your data.
When using Transport mode, encryption occurs at the internet layer, protecting all of the layers above the network layer. It is used internally only.
Tunnel mode can be used to create site-to-site VPNs between trusted networks and to connect a host device across an untrusted network. In the following screenshot, we can see that Tunnel mode creates a new IP header:
While IPsec is typically used to protect communications outside the enterprise, it can also be used internally when VLANs cannot offer adequate protection. This is when Transport mode would be appropriate.
SSH
SSH is a standard internet security protocol documented in RFCs 4251, 4253, and 4254. It provides secure remote login and other secure network services over an insecure network. It is recommended to use SSH in place of Telnet, which was the main protocol for remote configuration but is not encrypted.
The SSH protocol is typically used across enterprise networks for the following:
- Providing secure access for users and automated processes
- Secure file transfers
- Issuing remote commands
- For admins or technicians to manage network infrastructure
A technician could administer a network switch remotely, without needing to connect a direct cable into the device. The following screenshot offers an overview of the use of SSH:
SSH has wide support across many hardware vendor platforms and operating systems, including Microsoft (it now comes as an optional feature that can be installed on Windows 10), Linux distributions, and Apple's macOS and iOS.
Tip
Make sure you are using SSH 2.0 as earlier implementations use a poor cryptographic suite.
Remote Desktop Protocol
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to the desktop of a remote computer. An RDP client application must be installed to launch a connection, and the remote computer must run RDP server software. RDP has wide support, and client software exists for non-Microsoft operating systems, including Linux, Unix, macOS, iOS, and Android. While an RDP server is built into most Windows operating systems (Home editions of Windows are an exception), it is also possible to install RDP server services for Unix and macOS. The default listening port is TCP 3389 and User Datagram Protocol (UDP) port 3389. It is important to consider the security implications of enabling RDP services, as this will give a remote user access to the full range of tools and utilities for remote configuration.
Tip
Remember that this connects to a desktop, so it will not be a choice when administering networking hardware appliances.
Virtual Network Computing
Virtual Network Computing (VNC) is used for desktop sharing, as opposed to remote control only. It is platform-independent and can be used across many different operating systems. While it is a commercial product and must be licensed for business use, there is a free edition for non-commercial use.
Reverse proxy
A reverse proxy is commonly used when accessing large websites from a public network. Reverse proxies can cache static content (much like a forward proxy), which reduces the load on your web application servers. Reverse proxies can also be used as an extra security layer, allowing for additional analysis of the incoming traffic. The following screenshot shows a client accessing a web application through a reverse proxy:
HAProxy and Squid are open source software implementations used by large internet websites. They will decrypt the incoming HTTPS traffic and apply security rules.
Network authentication methods
It is important to authenticate access onto enterprise networks. The modern approach is to start out with the Zero Trust model, which means that no devices are trusted by default. To gain access to a network segment, authentication credentials or some other verification will be required before access is granted. In the past, the priority was always about protecting our systems from threats outside our network. Traffic moving between the internet and our perimeter network is referred to as North-South traffic. Traffic moving within our internal network segments is referred to as East-West traffic. Due to increased mobility and remote workers accessing multiple networks and information systems, this East-West traffic must also be secured. We will now take a look at the options to secure access to the network.
802.1x
IEEE 802.1X is a standard for port-based network access control that protects networks by requiring authentication before a port will carry traffic. It was originally intended for use with IEEE 802.3 switched Ethernet networks but has become a useful addition to many other network types, including Wi-Fi and VPN. A connecting host or device is authenticated via 802.1X for network access: if authentication is successful, the port is opened; otherwise, it remains closed.
There are three basic pieces to 802.1X authentication, as outlined here:
- Supplicant: A software client running on the host
- Authenticator: The VPN or switch port
- Authentication server: An Authentication, Authorization, and Accounting (AAA) service, usually a RADIUS server such as Microsoft Network Policy Server (NPS)
There are many options when it comes to authenticating the supplicant (client device). In the first instance, we have rudimentary (for that, read insecure) methods of authentication.
Password Authentication Protocol (PAP) does not secure the authentication request.
Challenge-Handshake Authentication Protocol (CHAP) is an improvement over PAP as it supports mutual authentication and uses MD5 hashing to protect the challenge response instead of sending the password in the clear.
As CHAP is dependent on MD5, your networks are at risk from pass-the-hash exploits.
Extensible Authentication Protocol (EAP) is a framework of protocols, allowing for the secure transmission of the supplicant's authentication request. It allows the authentication channel to be encrypted using TLS. The following diagram shows the required components for a client to authenticate onto the wireless network:
EAP-TLS provides certificate-based mutual authentication of the client onto the network. This requires certificates to be deployed on the supplicant and the AAA server, although it is worth mentioning that devices could be provisioned with Secure Certificate Enrollment Protocol (SCEP) if you are using a mobile device management (MDM) tool.
EAP-Tunneled TLS (EAP-TTLS) is an extension of EAP-TLS. This can be used for mutual authentication, or certificates can be deployed just on the AAA server.
EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) was developed by Cisco. This uses something called a Protected Access Credential (PAC), which can be managed dynamically by the AAA server.
Lightweight Extensible Authentication Protocol (LEAP) is an EAP authentication type, again developed by Cisco. It is used on Wi-Fi networks and uses Wired Equivalent Privacy (WEP) keys for mutual authentication. It is no longer considered secure.
Protected Extensible Authentication Protocol (PEAP) allows for authentication using passwords, certificates, or smartcards. The authentication traffic between PEAP clients and an authentication server is encrypted using TLS but requires only server-side certificates. PEAP was developed by a consortium of Microsoft, Cisco, and RSA Security.
Placement of hardware and applications
It is important to recognize that many different types of devices may need to be supported on an enterprise network. Some systems may have embedded processing logic that is legacy and vulnerable, or maybe regulatory compliance means certain processes must be isolated from regular business networks. In the following section, we will look at these use case scenarios.
System on a chip
A system on a chip (SoC) consolidates multiple computer components onto a single integrated circuit (IC). Components will typically include a graphics processing unit (GPU), a CPU, and system random-access memory (RAM).
As an SoC integrates hardware and software, it is designed to draw less power than traditional multi-chip solutions. The Snapdragon processor used in Microsoft Surface X tablets has eight cores plus a GPU.
Examples of this SoC technology can also be found in many IoT devices, building automation systems, and Wi-Fi routers. Raspberry Pi is a good example of this technology, costing as little as $5 per device. We can see a typical SoC in the following figure:
It is important to consider the security implications of using SoC technology. Due to the low cost and nature of embedded logic common to these devices, vulnerabilities are common and can be difficult to mitigate without replacing the device.
In 2018, the NSA was attacked and suffered a significant data breach due to an unauthorized Raspberry Pi device connected to the agency's network. To read more about this published incident, see this link: https://tinyurl.com/nasapihack.
Heating, ventilation, and air conditioning controllers
Heating, ventilation, and air conditioning (HVAC) is a critical function; sensitive equipment must be placed in an environment that is optimized for temperature and humidity. The monitoring and adjustment of this function needs to be protected and should be accessed over a segmented/protected network zone. Typical protocols used to communicate with and manage these systems include Modbus, Siemens, and BACnet (there are many others). Modbus does not provide any security, meaning that if these industrial networks were breached, it would be relatively easy to cause outages and disruption on them.
Sensors
Sensors are sophisticated devices that are frequently used to automate the collection of information in automated or industrial environments. A sensor converts the physical parameter (for example, temperature, blood pressure, humidity, and speed) into a signal that can be measured electrically. Examples would include magnetic field sensors, ultrasonic sensors, temperature sensors, flow sensors, and photoelectric sensors, to name but a few. It is essential that the calibration of this equipment and messages sent or received is accurate and controlled. HVAC, engineering production lines, and medical equipment providers are just some of the environments that depend on this technology. The following figure shows a typical monitoring sensor:
Physical access control systems
A physical access control system (PACS) can be used to grant access to employees and contractors who work at or visit a site by electronically authenticating their Personal Identity Verification (PIV) credentials.
Examples could include mantraps (now referred to as access control vestibules), radio-frequency identification (RFID) card readers, and biometric identification systems.
Audiovisual systems
Audiovisual (A/V) technology systems can be comprised of an assortment of hardware that includes conference telephones, video cameras, interactive whiteboards, digital signage, computers, smartphones, tablets, wireless connectivity, and more. Examples could be video screens distributed throughout a building to broadcast information to employees.
Closed-circuit television systems
A closed-circuit television (CCTV) system is an important feature for both security and safety on a physical site. In many cases, it is a requirement to meet the needs of regulatory compliance. It is important to safeguard access to CCTV camera feeds and the networks that connect them. Many cameras will now be IP cameras, meaning they can be added directly to Ethernet or Wi-Fi networks. If they are not secured, hackers will discover their location, and you may find that camera IP addresses and locations will be posted onto internet search engines. One such search engine is https://www.shodan.io.
The following screenshot shows a listing of unsecured IP cameras worldwide (there are over 4 million):
It is important to place this type of equipment onto segmented networks and change default credentials.
Critical infrastructure
Critical infrastructure is a term to describe assets that are essential for the functioning of a society and economy.
In the US, a new government agency was founded in 2018, offering guidance and helping to build secure and resilient infrastructure: the Cybersecurity and Infrastructure Security Agency (CISA).
CISA lists 16 sectors that are considered of such importance to the US that their incapacitation or destruction would have a major negative effect on security, national economic security, national public health, or safety. You can view which sectors these are in the following list:
- Chemical sector
- Commercial facilities sector
- Communications sector
- Critical manufacturing sector
- Dams sector
- Defense industrial base sector
- Emergency services sector
- Energy sector
- Financial services sector
- Food and agriculture sector
- Government facilities sector
- Healthcare and public health sector
- IT sector
- Nuclear reactors, materials, and waste sector
- Transportation systems sector
- Water and wastewater systems sector
The European Commission (EC) has launched its own program to reduce the vulnerabilities of critical infrastructures: the European Program for Critical Infrastructure Protection (EPCIP).
Supervisory control and data acquisition
Supervisory control and data acquisition (SCADA) is a system of software and hardware elements that allow industrial organizations to do the following:
- Regulate industrial processes locally or at remote locations
- Display, gather, and process real-time data
- Allow interaction with devices such as pumps, motors, and sensors through human-machine interface (HMI) software
- Populate events into a log file
SCADA systems are crucial for any organization with an industrial capacity. SCADA allows organizations to maintain efficiency, process data for smarter decisions, and communicate system issues to help mitigate downtime. SCADA has been used in industrial, scientific, and medical environments since the adoption of computers in the 1950s. Some of the equipment was not always designed with security in mind.
The basic SCADA architecture features programmable logic controllers (PLCs) or remote terminal units (RTUs). PLCs and RTUs are microcomputers that communicate with an array of objects such as factory machines, HMIs, sensors, and end devices and then carry the information from those objects to computers with SCADA software deployed. The SCADA software processes, distributes, and displays the data, helping operators and other employees analyze the data and make important decisions.
SCADA networks monitor and manage legacy/vulnerable industrial control networks, often using monolithic protocols. They are therefore an easy target to attack; it is vital that guidance is taken and controls put in place to mitigate the risks. In December 2015, 30 Ukrainian electrical substations were turned off by hackers. This left around 230,000 homes without power for several hours. Critical infrastructure tools, tactics, and protocols are documented by MITRE (see the following link: https://tinyurl.com/mitreics). For more information on the Ukrainian power grid attack, please go to this link: https://tinyurl.com/icspowerattack.
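Because Modbus carries no authentication (see the HVAC section earlier) and the PLCs and RTUs on a SCADA network cannot defend themselves, monitoring has to happen on the segmented OT network. The following Python script is an added example, not taken from the book or any vendor: it decodes Modbus/TCP frames and raises alerts for write requests from outside an assumed HMI/engineering subnet (10.10.1.0/24) and for malformed frames; the captures are constructed sample data.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus/TCP: 7-byte MBAP header (transaction id, protocol id = 0, length, unit id) then the PDU.
MBAP_FMT = "!HHHB"
MBAP_LEN = struct.calcsize(MBAP_FMT)   # 7

# Function codes that change controller state versus those that only read it.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}

# Assumed: only the HMI / engineering subnet may issue writes to the PLCs.
WRITE_ALLOWLIST = [ip_network("10.10.1.0/24")]

def build_frame(tid, unit, function, data):
    """Construct a Modbus/TCP request (sample traffic for the checks below)."""
    pdu = bytes([function]) + data
    return struct.pack(MBAP_FMT, tid, 0, len(pdu) + 1, unit) + pdu   # length counts unit id + PDU

def parse_modbus_tcp(payload):
    """Decode MBAP + function code; raise ValueError on anything that is not well-formed Modbus."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(MBAP_FMT, payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - (MBAP_LEN - 1):
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": payload[MBAP_LEN], "data": payload[MBAP_LEN + 1:]}

def check_frames(captures, allowlist=WRITE_ALLOWLIST):
    """Monitoring logic for a segmented OT zone: each capture is (src_ip, dst_ip, payload).
    Returns alerts for malformed frames, writes from outside the allowlist, and odd function codes."""
    alerts = []
    for src, dst, payload in captures:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append((src, dst, f"malformed frame: {err}"))
            continue
        fc = frame["function"]
        if fc in WRITE_CODES and not any(ip_address(src) in net for net in allowlist):
            alerts.append((src, dst, f"unauthorised {WRITE_CODES[fc]} to unit {frame['unit']}"))
        elif fc not in WRITE_CODES and fc not in READ_CODES:
            alerts.append((src, dst, f"unexpected function code {fc}"))
    return alerts

# Constructed captures: an HMI write, a read from a workstation, a write from that
# same workstation, and a truncated frame.
SAMPLE_CAPTURES = [
    ("10.10.1.5", "10.10.2.20", build_frame(1, 1, 6, struct.pack("!HH", 0x0001, 0x0000))),
    ("10.20.3.77", "10.10.2.20", build_frame(2, 1, 3, struct.pack("!HH", 0x0000, 0x000A))),
    ("10.20.3.77", "10.10.2.20", build_frame(3, 1, 16, struct.pack("!HHB", 0, 1, 2) + b"\x00\x00")),
    ("10.20.3.77", "10.10.2.20", b"\x00\x04\x00\x00\x00"),
]

if __name__ == "__main__":
    for alert in check_frames(SAMPLE_CAPTURES):
        print(alert)
```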
NetFlow
NetFlow was originally developed on Cisco networking equipment to log traffic. It allows network engineers to gain an understanding of bandwidth usage and types of traffic flow. It now has wide support on many other vendors' networking equipment, including Juniper, Nokia, Huawei, and Nortel (there are many more). It is not intended to replace protocols such as Simple Network Management Protocol (SNMP). It is useful to establish a baseline and see anomalies on a network. Cisco supports this protocol on most of its network equipment.
NetFlow consists of three main elements, as outlined here:
- Flow exporter: This passes the logs to the collector.
- Flow collector: This is where the logged data is stored.
- Analysis application: Analyzes received data and reports on the collected data.
Devices that support NetFlow collect IP traffic statistics on all interfaces where NetFlow is enabled and later export those statistics as NetFlow records to at least one NetFlow collector, which is normally a server that does the actual traffic analysis. We can see an overview of the NetFlow process in the following screenshot:
Not all network vendors support NetFlow, but there is an alternative that is also designed for higher-speed networks.
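As an added example (not from the book), the following Python script plays the three NetFlow roles listed above: it constructs a NetFlow v5 export datagram the way an exporter would, decodes it the way a collector does, and then analyzes the flows against a baseline, flagging East-West access to the SSH and RDP ports from outside a jump-host subnet. The 10.0.0.0/8 enterprise range, the 10.0.50.0/24 jump-host subnet, the byte baseline, and the flows themselves are constructed assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address, ip_network

# NetFlow v5 export layout: a 24-byte header followed by up to 30 fixed 48-byte records.
HEADER_FMT = "!HHIIIIBBH"                # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, ifaces, pkts, octets, first, last, ports, ...
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48

INTERNAL = ip_network("10.0.0.0/8")        # assumed enterprise address space
ADMIN_NET = ip_network("10.0.50.0/24")     # assumed jump-host subnet allowed to use admin ports
ADMIN_PORTS = {22, 3389}                   # SSH and RDP (TCP 3389) from the remote-access section

def build_record(src, dst, sport, dport, proto, packets, octets):
    """Construct one v5 record (test data standing in for real exporter output)."""
    return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                       b"\0\0\0\0", 1, 2, packets, octets, 0, 0, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)

def build_export(records):
    """Exporter side: wrap records in a v5 header before sending them to the collector."""
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)

def parse_export(datagram):
    """Collector side: decode a v5 datagram into flow dicts; rejects other versions."""
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram shorter than the record count implies")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "packets": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
                      "proto": f[13]})
    return flows

def find_anomalies(flows, baseline_octets):
    """Analysis side: flag East-West admin-port access from outside the jump-host
    subnet, and src/dst pairs whose total volume exceeds the agreed baseline."""
    totals = defaultdict(int)
    findings = []
    for f in flows:
        src, dst = IPv4Address(f["src"]), IPv4Address(f["dst"])
        if src in INTERNAL and dst in INTERNAL:          # East-West traffic
            if f["dport"] in ADMIN_PORTS and src not in ADMIN_NET:
                findings.append(("east-west admin access", f["src"], f["dst"], f["dport"]))
        totals[(f["src"], f["dst"])] += f["octets"]
    for (src, dst), octets in totals.items():
        if octets > baseline_octets:
            findings.append(("volume above baseline", src, dst, octets))
    return findings

# Constructed sample: a workstation opening RDP to a server, a jump host using SSH,
# and a workstation pushing far more data to a file server than the baseline allows.
SAMPLE_EXPORT = build_export([
    build_record("10.1.1.20", "10.2.2.5", 51000, 3389, 6, 40, 6000),
    build_record("10.0.50.10", "10.2.2.5", 52000, 22, 6, 80, 12000),
    build_record("10.1.1.20", "10.2.2.9", 53000, 445, 6, 400000, 500_000_000),
])

if __name__ == "__main__":
    for finding in find_anomalies(parse_export(SAMPLE_EXPORT), baseline_octets=100_000_000):
        print(finding)
```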
sFlow
The sFlow protocol (short for sampled flow) is an alternative industry standard for exporting packet-level traffic data from network devices. Unlike NetFlow, it is not a proprietary protocol. Vendors supporting it include Hewlett-Packard (HP), Brocade, Alcatel-Lucent, Extreme Networks, Hitachi, and more. sFlow only logs a percentage of the traffic, which is referred to as sampling, and is used on high-speed networks (gigabit-per-second speeds and higher).
Data flow diagram
A data flow diagram (DFD) is essential for understanding the flow of information across networks, which may mean interacting with customers, partners, and internal systems. In the following diagram, we can see the flow of transactions between different information systems:
It is important to see the movement of network traffic between the different information systems in order to place the appropriate security controls in the correct location.
Secure configuration and baselining of networking and security components
It is vitally important that all networking equipment meets a measurable security baseline. For mission-critical switches, the DoD uses Security Technical Implementation Guides (STIGs); there are over 50 security requirements in the Cisco IOS Switch STIG. We can see typical configuration items in the following screenshot:
There are configuration guides for many network appliances as well as for operating systems and applications.
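One way to measure a switch configuration against a baseline is to audit the running-config text automatically. The following Python script is an added example, not part of the book or of the STIG itself: the checks are a hypothetical, illustrative subset (password encryption, an enable secret, SSH version 2 as in the earlier tip, the HTTP server disabled, and SSH-only vty lines with an exec-timeout), and the sample configuration is constructed.

```python
import re

# Illustrative baseline items (a hypothetical subset, not the STIG's own list of requirements).
# Each entry is (description, regex matched against one configuration line).
GLOBAL_REQUIRED = [
    ("service password-encryption", r"^service password-encryption$"),
    ("enable secret configured", r"^enable secret "),
    ("SSH version 2 only", r"^ip ssh version 2$"),
    ("HTTP server disabled", r"^no ip http server$"),
]
GLOBAL_FORBIDDEN = [
    ("plaintext enable password", r"^enable password "),
    ("legacy TCP small servers", r"^service tcp-small-servers$"),
]
VTY_REQUIRED = [
    ("SSH-only transport", r"^transport input ssh$"),
    ("exec-timeout set", r"^exec-timeout \d+"),
]

def vty_blocks(config):
    """Yield (header, body_lines) for every 'line vty' section of an IOS config."""
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body = lines[i], []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):   # IOS indents section members
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1

def audit(config):
    """Return a list of baseline deviations; an empty list means the config passes."""
    findings = []
    for name, pattern in GLOBAL_REQUIRED:
        if not re.search(pattern, config, re.MULTILINE):
            findings.append(f"missing: {name}")
    for name, pattern in GLOBAL_FORBIDDEN:
        if re.search(pattern, config, re.MULTILINE):
            findings.append(f"present: {name}")
    for header, body in vty_blocks(config):
        for name, pattern in VTY_REQUIRED:
            if not any(re.match(pattern, line) for line in body):
                findings.append(f"{header}: missing {name}")
    return findings

# Constructed sample running-config with several deliberate deviations from the baseline.
SAMPLE_CONFIG = """\
hostname CORE-SW1
service password-encryption
enable password cisco123
ip ssh version 2
ip http server
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 exec-timeout 10 0
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```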
Software-defined networking
Software-defined networking (SDN) technology is a well-established approach to network management and has been in existence for over 10 years (established around 2011).
It has come about largely due to the move to large, centralized data centers and the virtualization of computer systems. The move to cloud computing has also been a big driver toward the adoption of SDN.
There are many components to move to a true SDN model, and the components shown in Figure 1.28 are important parts.
SDN has been designed to address the fact that traditional networks are often decentralized and overly complex: think of all those vendor solutions (Cisco, Juniper, HP, Foundry, and so on) with their own hardware and software. SDN allows for a more dynamic, configurable approach. The hardware switch (or virtual switch) becomes the data plane and is separated from the management or control plane, and application programming interfaces (APIs) allow updates to be driven dynamically by business applications and services.
The following screenshot shows a depiction of SDN:
Network function virtualization (NFV) replaces dedicated hardware appliances with virtualized software. This means that network services such as firewalls, switches, and routers may now be deployed as software in the data center.
Open SDN
SDN is based upon a set of open standards, allowing for simplified network design and operation because instructions are provided by SDN controllers instead of multiple, vendor-specific devices and protocols.
OpenFlow was the first standard interface for separating network control and data planes.
Open Network Operating System (ONOS) is a popular open source SDN controller.
Hybrid SDN
Many enterprise networks still have a significant investment in traditional network infrastructure. While they move toward the goal of SDN, they need to transition and support both technologies. They will need to support a hybrid model.
SDN overlay
An SDN overlay tunnels virtual network traffic across the existing physical networking infrastructure. If you compare Multiprotocol Label Switching (MPLS) links switching customers' VLAN-tagged traffic across a wide-area network (WAN), then this is a similar concept.
The following diagram shows an SDN overlay model:
We're now at the end of this section, and you should have gained an understanding of some challenges that are presented by an enterprise network. Hybrid networks bring fresh challenges all the time and requirements for remote access. Zero Trust networks mean we must ensure all network access is authenticated and authorized. Challenges have arisen from the widespread adoption of cloud and virtualization, meaning the adoption of new technologies is increasing in our data centers. We must be able to monitor and respond to increasing network demands across the enterprise.