Understanding Network Device Types
Know the components of a network to build and defend it effectively. Here are some of the most commonly used network devices.
- Hubs are used to connect multiple local area networks (LANs). A hub also acts as a repeater, amplifying signals that have weakened from traveling long distances over cable. Hubs do not perform packet filtering or addressing functions; they work at the Physical Layer.
- Switches have more intelligence than hubs. Switches are used to connect LANs; they read packet headers and process each packet as necessary. A switch can also determine a frame's destination by reading its hardware (MAC) address and forward it directly there.
- Routers are devices that help packets reach their destinations by finding an efficient path through a sea of network devices. When packets arrive, a router examines each frame individually and determines its IP address before forwarding it; routers usually operate at the Network Layer of the OSI model.
- Bridges connect two or more hosts or network segments and store and forward frames between them using Media Access Control (MAC) addresses, a hardware-based addressing system. Bridges operate only at the Physical Layer and Data Link Layer of the OSI model.
- Gateways typically operate between the Transport and Session Layers of the OSI model, handling the protocols and standards found there.
Know Network Defenses
Your network can be secured using appropriate devices and solutions, with some of the more widely-used being:
- Firewall - Firewalls are one of the first lines of defense in any network, isolating it from other networks. Firewalls can operate independently or be integrated into other devices like routers and servers; both hardware and software firewalls exist, and some come as appliances that act as a central hub between two networks.
- Intrusion detection systems (IDS) - An IDS improves cybersecurity by quickly detecting hackers or malicious software within a network, so you can remove it before a breach occurs and record the information needed to defend against future intrusion attempts. An IDS provides valuable protection against attacks far more cost-effectively than repairing damage and dealing with legal matters afterwards.
- Intrusion Prevention System (IPS) - An IPS is a network security solution that detects intruders and prevents known attacks from being launched. An IPS combines a firewall with an intrusion detection system. Because an IPS can be expensive to implement, businesses should carefully evaluate their IT risks before investing in one; some IPSs do not provide robust or fast protection, making them unsuitable where speed is essential.
- Network Access Control (NAC) - NAC restricts network resources to devices that meet your security policy; some NAC solutions even automatically remediate non-compliant nodes before granting access. NAC is particularly beneficial in environments that allow tight control over user environments, such as enterprises and government agencies; its effectiveness decreases in environments with many kinds of users and devices, such as education or healthcare.
- Web filters - Web filters block users' browsers from loading certain pages on particular websites. Individuals, families, institutions, and enterprises alike can use web filters.
- Proxy servers - Proxies mediate between client software and other servers, relaying requests from client computers to third-party servers. When a request arrives (for example, to visit a website), the proxy receives and evaluates it before responding. Proxies are widely used within organizations for traffic filtering, performance improvement, and security.
- Anti-DDoS devices - These devices quickly identify distributed denial-of-service (DDoS) attacks, absorb the traffic, and identify its sources.
- Load balancers - Load balancers direct client connections to specific servers in a network based on factors like processor usage, connection counts, or server performance. Organizations use them to reduce the chance of server overload while improving bandwidth utilization by optimizing network usage for each computer on their network.
- Spam filters - Spam filters detect unwanted emails and stop them from reaching users' inboxes. They use organizational policies or patterns as criteria to evaluate emails that may contain spam. More sophisticated filters use heuristic techniques, analyzing word patterns and word frequencies in each message that passes through them.
Segregate Your Network
Network security segmentation means breaking a network into functional or logical units called zones, each with its own technical requirements and purpose. You might have separate sales, technical support, service provider and research zones, each needing particular equipment and support systems. Networks can be segmented into zones in various ways: routers and switches may be used, or virtual local area networks (VLANs) can be created on switches by configuring ports to behave as separate networks, a common approach in industrial automation.
Segmentation limits the damage a compromise can do within a particular zone by breaking one target into multiple segments. This leaves an attacker with two possible strategies: treat each segment as its own network, or compromise one and try to jump from it to the next; neither option is appealing. An attacker must breach each segment individually, which takes considerable work and increases the risk of detection, and moving from one compromised zone to another becomes very difficult. With proper segment design, network traffic between segments should be limited. Exceptions exist, such as communication with domain servers to allow central account management, but this limited traffic can still be identified and classified easily. Segmentation also helps with data classification and protection, since it organizes information so that it can be classified and protected zone by zone.
Air gaps are an extreme form of segmentation: certain systems are not connected to any network at all. While this reduces their usefulness for many procedures, an air-gapped backup server is often the ideal solution, since malware infecting other computers on your network cannot reach it.
Virtualization can be an effective way to segment your network, and doing so with virtual systems is often simpler than with physical ones. Imagine, for example, running a simple virtual machine on your computer that is configured entirely independently of the host and shares no folders, drives, or clipboard with the workstation.
Types Of Network Segments
The following categories can be used to classify network segments:
- Public networks, like the Internet, are accessible to everyone. Any non-trivial data must be encrypted on such networks, where few security controls exist.
- Semi-private networks sit between public and private networks. A semi-private network may carry confidential data under certain regulations, provided it meets specific conditions.
- Private networks belong to organizations that handle personal data. Anyone may own one; depending on its size and geographic spread, it may connect its sites through the Internet or other public systems.
- A Demilitarized Zone (DMZ) is a secured region at the edge of a private or public network, separated from it by a further firewall. Organizations often use a DMZ for servers that must be open to public access; isolating those servers in the DMZ limits what can be reached if they are attacked, while you can still reach them from your own network and other users keep access to additional network resources.
- Software Defined Networking (SDN), an emerging trend, helps administrators segment and secure networks by virtualizing every aspect of an organization's infrastructure and placing virtualized security equipment wherever desired, which greatly simplifies network segmentation.
How To Place Security Devices
As part of your network segregation plan, the first step in choosing devices is deciding where to place them. Firewalls are among the easiest devices to position: place one at every junction between network zones so that every segment of your network is protected; with modern routers and switches that include firewall functionality, enabling and configuring one takes little time. Anti-DDoS devices belong at the network perimeter so that a DDoS attack cannot affect any internal network, and web filters and proxy servers facing public networks should be placed behind a firewall.
Consider your network configuration when deciding where to place other devices. For instance, load balancers are needed if you run clustered web servers in a DMZ, and likewise if you host database clusters in private segments of your network. Port mirroring can be deployed where needed, usually by mirroring ports on switches so that traffic from one network segment is copied to another; the mirrored traffic can be fed directly to an IDS/IPS, but collectors or sensors must exist on every segment, otherwise activity there goes undetected.
There has yet to be a consensus recommendation for the placement of network aggregation switches, which combine multiple bandwidth streams. Aggregation switches can also help increase bandwidth from or to clustered networks.
Use Network Address Translation
Network Address Translation (NAT) is an efficient way for organizations to overcome IPv4 address limitations. NAT translates an organization's internal addresses to public ones when traffic leaves for public networks like the Internet, giving multiple computers simultaneous access to those public networks (or any other IP network) through a single IP address.
NAT is used together with firewalls to add a further layer of security to an organization's network. Hosts inside the protected network can typically communicate freely with all other hosts, while systems outside must go through the NAT box to reach internal hosts. NAT also reduces the number of IP addresses an organization exposes, which helps ward off attackers who might try to target specific hosts.
Do Not Turn Off Personal Firewalls
Software-based personal firewalls can be installed on each computer in a network and work much like larger border firewalls, filtering out certain packets to stop them from reaching or leaving the system. People often question the need for personal firewalls when the corporate network already employs extensive dedicated firewalls to block potentially hazardous traffic from reaching internal computers.
Internal attacks, which are just as prevalent as attacks from the Internet and frequently differ from them, cannot be stopped by the perimeter firewall alone; viruses are usually what exploits private networks. Instead of turning off individual firewalls in your organization, configure one standard firewall according to your needs, then export those settings to all firewalls in use throughout the organization.
Use Centralized And Immediate Log Analysis
Search for anomalies and record suspicious computer events as part of best practice; this helps reconstruct what happened during an attack, so you can improve threat detection and block future attacks more quickly. Remember that attackers will do everything possible to avoid detection, for example using sacrificial computers, running various actions on them and watching the results to learn how your systems behave and which thresholds they must stay under to avoid triggering alerts.
Use Web Domain Allowlisting For All Domains
Allowlisting helps in two ways. First, it limits the attack surface: users are less vulnerable if they cannot reach untrusted websites, which is an effective way to stop initial access through the Internet. Second, allowlisting limits an attacker's options after they have compromised a system; to communicate outward they must switch communication protocols, compromise an upstream router, or attack an allowlisted system directly. Web filters can help implement domain allowlisting while also providing a web access policy and site monitoring.
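As an added example (not part of the original article), here is how a web filter or proxy might apply a domain allowlist with default deny, including the host normalization needed so that look-alike URLs do not slip past; the allowlist entries, sample URLs and function names are constructed for this illustration:

```python
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed allowlist: bare names match exactly, "*." entries match any subdomain.
ALLOWLIST: Set[str] = {"example.com", "*.corp.example", "updates.vendor.example"}

def _normalize_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None  # the web filter only covers web schemes
    host = parts.hostname  # drops userinfo, port and brackets, and lowercases
    if not host:
        return None
    host = host.rstrip(".")  # "example.com." names the same host as "example.com"
    try:
        return host.encode("idna").decode("ascii")  # Unicode labels -> punycode form
    except UnicodeError:
        return None

def is_allowed(url: str, allowlist: Set[str] = ALLOWLIST) -> bool:
    """Default deny: True only when the URL's host is on the allowlist."""
    host = _normalize_host(url)
    if host is None:
        return False
    if host in allowlist:
        return True
    # Wildcard walk: "a.b.corp.example" matches "*.corp.example"; "corp.example" itself does not.
    labels = host.split(".")
    return any("*." + ".".join(labels[i:]) in allowlist for i in range(1, len(labels)))

def classify(urls: List[str], allowlist: Set[str] = ALLOWLIST) -> Dict[str, bool]:
    """Evaluate a batch of requested URLs, as a proxy log review would."""
    return {u: is_allowed(u, allowlist) for u in urls}

if __name__ == "__main__":
    # Constructed requests, including look-alike tricks the filter must not fall for.
    samples = [
        "https://example.com/login",
        "https://EXAMPLE.com.",
        "https://intranet.corp.example:8443/",
        "https://example.com.attacker.example/",  # allowed name used as a prefix
        "https://example.com@attacker.example/",  # allowed name placed in userinfo
        "https://attacker.example/?next=https://example.com/",
        "ftp://example.com/file",
    ]
    for url, ok in classify(samples).items():
        print("ALLOW" if ok else "BLOCK", url)
```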
Direct Internet Access Through A Proxy Server
All outbound web access should go through an authenticating server where access can be managed and monitored, or through a proxy that verifies the request comes from a human and not from an unknown program. Setting this up may take some work, but once configured it is easy to maintain; the user base is not negatively affected, so resistance to the architecture is unlikely, and operational security improves because there is a single device that can easily be monitored.
Use Honeypots
Honeypots are separate systems designed to look like attractive targets but serve as traps for attackers. You could, for example, set up a fake database resembling a financial system. Honeypots serve two critical objectives. Since honeypots are not real production systems, legitimate users never access them, so detailed monitoring and logging can be set up to provide evidence whenever an attacker breaks into one.
Honeynets are an extension of honeypots: artificial networks designed to look appealing. Some organizations even create fake wireless access points as an effective strategy against attackers.
Protect Your Network From Insider Threats
Prevention and detection strategies must both be employed to counter insider threats effectively. Implementing and enforcing the principle of least privilege is integral to managing access rights: giving users only what their jobs require improves data security by restricting accidental or intentional access to sensitive data. Other preventive measures include system hardening, anti-sniffing network protections, and robust authentication, while monitoring users and networks and using network- and host-based intrusion detection systems, whether based on anomalies, behaviors, or heuristics, are effective strategies for detecting threats at every level.
End users must also be taught how to handle potential security threats, such as phishing emails or attachments, without breaking security policy. Users who have not been trained to follow such guidelines pose severe security risks that cannot be mitigated without proper instruction and support.
Monitor Basic Network Protocols
Baseline the protocols in use on both your wired and wireless networks; data for the baseline can be collected from routers, switches, firewalls, wireless APs, or similar sources.
Use VPNs
Virtual Private Networks (VPNs) provide secure connections to private networks over public networks like the Internet. A VPN can securely connect LANs over such a connection so that the remote end appears local. Creating one requires installing VPN software or dedicated hardware on workstations and servers and using a tunneling protocol such as Layer 2 Tunneling Protocol (L2TP), IPsec, or Point-to-Point Tunneling Protocol (PPTP); these encrypt the data to enhance security, at some cost in speed compared with an ordinary network. Note that PPTP's authentication and encryption are known to be weak, so IPsec or a modern TLS-based VPN is the better choice today.
Use Multiple Vendors
As part of staying protected against malware, installing anti-malware on all your computers, your network and your firewall is vital. Diversifying software vendors across these layers is also crucial: each vendor uses the same detection algorithms throughout its own products, so if your firewall, network and workstation anti-malware all come from vendor A, anything missed by one will be missed by the others too. Instead, have vendor A provide firewall anti-malware, vendor B network protection and vendor C protection for individual computers. Because the vendors use different detection algorithms, this approach minimizes the chance that a particular piece of malware slips past every product.
Use Your Intrusion Detection System Properly
A network security strategy benefits from an IDS. To get the most out of it, take advantage of both ways your IDS can detect potentially malicious activity:
- Anomaly detection - Most systems maintain an activity baseline for their networks and sensitive hosts. The IDS records this baseline and checks for abnormal activity, sending an alert if something unusual happens, such as a spike in traffic that could indicate ransomware or SQL injection. This lets the administrator analyze the situation and act immediately.
- Misuse detection - The IDS compares activity against attack signatures, which are the characteristic features of a particular attack or pattern. Signatures can detect attacks even when they cause no deviation from your baseline.
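The following added example (not from the original article) implements both detection modes described above, with the baseline built the way the monitoring section suggests: it learns a per-source request-rate baseline from a quiet window of constructed web-server log lines, flags minutes that exceed it, and matches request paths against constructed signatures. The log format, threshold and signature regexes are assumptions for this example.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed log format: "<ISO timestamp> <source IP> <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed misuse signatures, matched against the URL-decoded request path.
SIGNATURES = {
    "sqli_tautology": re.compile(r"['\"]\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    "sqli_union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only lines that match the expected format; malformed lines are dropped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def _per_minute(events: List[Dict[str, str]]) -> Counter:
    # Key is (source, minute); ts[:16] cuts "2024-05-01T09:00:10" down to the minute.
    return Counter((e["src"], e["ts"][:16]) for e in events)

def build_baseline(events: List[Dict[str, str]]) -> Tuple[float, float]:
    """Learn (mean, stdev) of requests per source per minute from a clean window."""
    values = list(_per_minute(events).values())
    if not values:
        return 0.0, 0.0
    return float(statistics.mean(values)), float(statistics.pstdev(values))

def detect_anomalies(events, baseline, k: float = 3.0) -> List[Tuple[str, str, int]]:
    """Anomaly detection: flag (src, minute, count) exceeding mean + k*stdev."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)  # floor so a flat baseline still has a band
    return sorted((s, m, n) for (s, m), n in _per_minute(events).items() if n > threshold)

def detect_misuse(events) -> List[Tuple[str, str, str]]:
    """Misuse detection: flag (src, signature, decoded path) for every signature match."""
    hits = []
    for e in events:
        path = unquote(e["path"])
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                hits.append((e["src"], name, path))
    return hits

def constructed_logs() -> Tuple[List[str], List[str]]:
    """Constructed sample data: a quiet training window and a later live window."""
    quiet = [f"2024-05-01T09:0{m}:{s:02d} 10.0.0.{h} GET /index.html 200"
             for m in range(5) for h in (5, 6, 7) for s in (10, 40)]  # 2 requests/min/host
    live = [f"2024-05-01T10:00:{s:02d} 10.0.0.9 GET /search?q=x 200" for s in range(30)]
    live.append("2024-05-01T10:01:05 10.0.0.6 GET /login?user=admin'%20or%20'1'='1 200")
    live.append("2024-05-01T10:01:07 10.0.0.7 GET /index.html 200")
    return quiet, live

if __name__ == "__main__":
    quiet, live = constructed_logs()
    baseline = build_baseline(parse(quiet))
    print("baseline (mean, stdev):", baseline)
    print("anomalies:", detect_anomalies(parse(live), baseline))
    print("signature hits:", detect_misuse(parse(live)))
```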
Automated Response To Attacks When Appropriate
Many network devices and solutions can be set up to take automatic action when an alert is triggered, which dramatically reduces response time. You can configure the following responses:
- Block IP address: an IDS or firewall may block the attacker's IP address. This is an effective option against spam and denial-of-service attacks, but some attackers spoof their IP address so that the wrong address gets blocked.
- Terminate connections: routers or firewalls can be configured to send TCP RST packets to the attacker to disrupt any connections the intruder maintains with the compromised system.
- Get more information: you can also collect information by watching intruders over time and make your defenses more robust by analyzing what you collect. In particular, you can:
  - Find the initial point of access.
  - Determine how the attackers spread.
  - Determine the malicious software used, and reverse-engineer each piece of malicious code you discover.
  - Clean up the affected systems and fix the vulnerability that initially allowed access.
  - Check whether administrative accounts were used, and whether software was used outside regular business hours or in an unusual way.
  - Decide what systems to put in place to detect similar incidents.
Protect Your Network Equipment
Security personnel should regularly patrol the building to ensure that sensitive data and equipment do not leave it, and only authorized individuals should have physical access to network equipment.
Network Infrastructure With A Focus On Security
When designing an ICS, a defense-in-depth security architecture is recommended: it divides network traffic into zones and restricts communication between them to predefined traffic only, providing reliable communication within zones while limiting the scope of any breach. Designing a defense-in-depth architecture involves three steps.
Step 1: Network segmentation
The network is segmented into logical or physical zones with similar security needs to address the threats facing the ICS. By breaking the network into zones of this kind, each security device is responsible only for its own portion of the network rather than for all ICS operations at once.
Step 2: Define Zone-To-Zone Interactions
Once you have identified which traffic must pass between security zones, industrial firewalls can block unauthorized traffic. Good practice is to block all but necessary traffic between zones; deep packet inspection in industrial firewalls allows more precise filtering of industrial protocols than traditional firewalls offer, and many feature a transparent mode for integration into existing networks without changing their IP scheme.
When connecting ICS networks to enterprise IT networks or the Internet, best practice is to create a Demilitarized Zone (DMZ) using an industrial firewall. A DMZ eliminates direct connections between the secure ICS network and the enterprise network while allowing both to access data servers in the DMZ; by eliminating direct links between them, the risk of unauthorized traffic entering another zone is significantly reduced.
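As an added example (not from the original article or any vendor's product), here is the zone-to-zone policy for the control/DMZ/enterprise design above, expressed as a policy table with default deny, a design check that no rule joins the enterprise and control zones directly, and a rendering of the same table as an nftables forward chain; the zone address blocks, rules, ports and function names are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed zones: one address block per zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed explicit-allow rules as (src_zone, dst_zone, proto, dst_port).
Rule = Tuple[str, str, str, int]
ALLOW: List[Rule] = [
    ("enterprise", "dmz", "tcp", 443),  # office users read the DMZ data server
    ("control", "dmz", "tcp", 443),     # controllers push data to the DMZ data server
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it lies outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate(src_ip: str, dst_ip: str, proto: str, port: int,
             rules: List[Rule] = ALLOW) -> Tuple[str, str]:
    """Decide ("allow"|"deny", reason) for one new flow. Anything not listed is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside every defined zone"
    if (src, dst, proto.lower(), port) in rules:
        return "allow", f"{src}->{dst} {proto}/{port} is explicitly allowed"
    return "deny", f"no rule for {src}->{dst} {proto}/{port} (default deny)"

def direct_links(rules: List[Rule], a: str = "enterprise", b: str = "control") -> List[Rule]:
    """Design check: rules that join the two zones directly, bypassing the DMZ."""
    return [r for r in rules if {r[0], r[1]} == {a, b}]

def to_nftables(rules: List[Rule]) -> str:
    """Render the policy as an nftables forward chain with a drop default."""
    lines = ["table inet zones {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]  # replies to allowed flows only
    for src, dst, proto, port in rules:
        lines.append(f"    ip saddr {ZONES[src]} ip daddr {ZONES[dst]} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    assert not direct_links(ALLOW), "policy lets enterprise and control talk directly"
    for flow in [("10.10.5.5", "10.20.0.10", "tcp", 443),
                 ("10.10.5.5", "192.168.50.7", "tcp", 502),
                 ("10.20.0.10", "192.168.50.7", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
    print(to_nftables(ALLOW))
```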
Step 3: Secure Remote Access For Industrial Networks
Industrial automation firms increasingly rely on remote sites for maintenance or monitoring, which increases the chance that someone with malicious intent gains entry to their network. Virtual private networks (VPNs) are highly recommended for remote sites that must remain continuously connected to an ICS, since they provide encryption techniques such as IPsec, OpenVPN, or PPTP that prevent unauthenticated users from gaining entry to the network. VPNs offer three main benefits. First, data transmission is encrypted, and the sending and receiving devices must authenticate themselves, so only verified devices can exchange data. Second, by mandating authentication and encryption, you ensure the integrity of the data.
Conclusion
Security is a complex endeavor. Industrial networks face constant threats, and system operators can protect them with a defense-in-depth architecture. A good network design includes devices with the advanced security features described in the IEC 62443 standards, awareness of the threats that might affect the network, and knowledge of best practices for designing and maintaining it. Finally, continuous monitoring ensures that security risks are substantially diminished.