An Introduction to Learning About Network Security

INDEX

Before You Begin
Security Terms
ISO/OSI Model and the TCP/IP Model
Networking Basics
Network Protocols
Network Security Tools
Antivirus Protection
Securing the Operating System
MISC links

Before You Begin

This guide is not meant to be all-encompassing. It is a reference to give someone who is interested in network security, but does not know where to start, some guidance on how to begin learning about the vast field of network security and where to look for information. The important thing to keep in mind is to stay focused and learn little by little. It is easy to become intimidated when looking at the big picture and all that it entails. Focus on each section and gradually increase your knowledge base. There are many courses you can take to become familiar with the basics of network security. The SANS Institute has many tracks dealing with the different areas of network security. Track 1 is their Basic Security Essentials and the CISSP 10 Domains, and it will give you a great in-depth look into the world of network security. More information can be found at www.sans.org by clicking on Track 1 for any of the conferences. For further reading on different areas of network security, try the SANS Reading Room (www.sans.org/rr/); it is a great reference to have. Remember that defense in depth is the key to good network security.

Security Terms

When learning about network security, there are many terms that you will hear, and it is important to become familiar with them. Many of the areas listed below use much of this terminology, so having an understanding of it is important. Here is a great link to get you up to speed quickly: www.sans.org/resources/glossary.php

ISO/OSI Model and the TCP/IP Model

Another key element to be familiar with is the ISO/OSI seven-layer model, as well as the Department of Defense (DOD) TCP/IP five-layer model, which describes how information/data gets from one system to another. It does this by defining interconnecting layers through which the information travels. You will hear folks refer to a network device, maybe a switch, and describe the switch as being a layer-two and/or layer-three device. They are referring to the ability of the switch to interact with data at that particular layer of the model. Here are some good references which describe the ISO/OSI model:

ISO/OSI Model for Dummies.
Applying the OSI Seven Layer Network Model to Information Security.
Understanding Security Using the OSI Model.

The following table is provided for quick reference between the two models and shows how their layers relate.

  TCP/IP         OSI
  ------------   ------------
  Application    Application
                 Presentation
                 Session
  Transport      Transport
  Internet       Network
  Datalink       Datalink
  Physical       Physical

Networking Basics

A network is built from many different devices, each providing different services and giving different types of systems, whether in the same location or in different locations, the ability to communicate. It is important to familiarize yourself with the major devices that allow communication. It also would be good to study the different network topologies and understand how they work.

Network Devices

  • routers
  • hubs
  • bridges
  • switches
  • repeaters

Useful Links for Network Devices

Networking Basics
Quick and Dirty: Hubs, Switches, and Routers
Hubs, Switches, and Routers A Hands-on How-to
Chapter 5: Traffic Regulators
Network Primer
Chapter 3: Hardware
Cisco Network Topologies and LAN Design

Network Topologies

  • Star
  • Ring
  • Bus
  • FDDI

Useful Links for Network Topologies

Chapter 5: Topology
Network Topology
Cisco Network Topologies and LAN Design

Network Protocols

All of the systems and devices on a network communicate via some type of protocol. There are numerous protocols, all with different purposes. There are some primary protocols with which you need to become very familiar: how they work and how they are implemented.

Network Protocols

  • TCP
  • UDP
  • ICMP
  • ARP

Useful Links for Network Protocols

Monitoring The ARP Protocol On Local Area Networks
Digging Deeper Into TCP/IP
RFC 768: User Datagram Protocol
RFC 793: Transmission Control Protocol
RFC 792: Internet Control Message Protocol
RFC 826: An Ethernet Address Resolution Protocol
RFC 903: A Reverse Address Resolution Protocol
ARP, Address Resolution Protocol
ICMP Types and Their RFC References
SANS TCP/IP and TCPdump Reference Guide

Viewing Network Protocols

If you really want to get a feel for what network traffic looks like in action, there are plenty of packet sniffers that are easy to use. It may look confusing at first, but after a while it will all start to make sense. Take what you learned in this area and start having fun looking at packets. Here are some good tools and their links.

Ethereal
TCPdump
WinDump
Snort
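To tie the layer model above to the protocols listed in this section and to what a packet sniffer actually shows, here is an added example (not code from this page or from any of the tools listed): a small decoder that peels an Ethernet frame apart header by header and labels each header with the layer it belongs to. The frames it decodes are constructed inside the script with struct.pack, in the reverse (encapsulation) order; the MAC and IP addresses are documentation values, not real hosts, and checksums are left at zero because the decoder does not verify them.

```python
import struct

# Added example (not from the page): a layer-by-layer decoder for the headers a packet
# sniffer shows you. Each decoder names the OSI layer it belongs to. The frames at the
# bottom are constructed for this example; addresses are documentation values, not real hosts.

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def decode_ethernet(frame):
    """Layer 2 (data link): the header a switch forwards on, by MAC address."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"layer": 2, "proto": "Ethernet", "src": mac_str(src), "dst": mac_str(dst),
            "ethertype": ethertype}, frame[14:]

def decode_arp(pkt):
    """ARP (RFC 826) sits between layers 2 and 3: it maps IP addresses to MAC addresses."""
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    _, _, _, _, oper, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    return {"layer": "2/3", "proto": "ARP", "op": "request" if oper == 1 else "reply",
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}, pkt[28:]

def decode_ipv4(pkt):
    """Layer 3 (network / internet): the header a router or layer-3 switch routes on."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return {"layer": 3, "proto": "IPv4", "src": ip_str(src), "dst": ip_str(dst), "ttl": ttl,
            "protocol": proto}, pkt[ihl:total_len]

def decode_tcp(seg):
    """Layer 4 (transport): ports, sequence numbers and flags (RFC 793)."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {"layer": 4, "proto": "TCP", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags}, seg[data_off:]

def decode_udp(dgram):
    """Layer 4 (transport): connectionless, just ports and a length (RFC 768)."""
    if len(dgram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", dgram[:8])
    return {"layer": 4, "proto": "UDP", "sport": sport, "dport": dport}, dgram[8:length]

def decode_icmp(msg):
    """ICMP (RFC 792) is carried inside IPv4 but is itself a layer-3 control protocol."""
    if len(msg) < 4:
        raise ValueError("truncated ICMP header")
    typ, code, _ = struct.unpack("!BBH", msg[:4])
    return {"layer": 3, "proto": "ICMP", "type": typ, "code": code}, msg[4:]

IP_DECODERS = {IPPROTO_TCP: decode_tcp, IPPROTO_UDP: decode_udp, IPPROTO_ICMP: decode_icmp}

def decode_frame(frame):
    """Peel the headers off from the wire upward; returns one dict per layer found."""
    layers = []
    eth, rest = decode_ethernet(frame)
    layers.append(eth)
    if eth["ethertype"] == ETHERTYPE_ARP:
        arp, rest = decode_arp(rest)
        layers.append(arp)
    elif eth["ethertype"] == ETHERTYPE_IPV4:
        ip, rest = decode_ipv4(rest)
        layers.append(ip)
        upper = IP_DECODERS.get(ip["protocol"])
        if upper is not None:
            hdr, rest = upper(rest)
            layers.append(hdr)
    layers.append({"layer": "5-7", "proto": "payload", "length": len(rest)})  # whatever is left
    return layers

# Encapsulation runs the other way: each builder wraps the layer above it in its own header.
def build_tcp_syn(sport, dport, seq):
    # data offset = 5 words, only SYN set; checksum left zero (a real stack computes it)
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 65535, 0, 0)

def build_ipv4(src, dst, proto, payload):
    to_ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      to_ip(src), to_ip(dst))
    return hdr + payload

def build_ethernet(src, dst, ethertype, payload):
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack("!6s6sH", to_mac(dst), to_mac(src), ethertype) + payload

# Constructed sample: a TCP SYN from 192.0.2.10 to port 80 on 192.0.2.20 (documentation addresses).
SYN_FRAME = build_ethernet("02:00:00:00:00:01", "02:00:00:00:00:02", ETHERTYPE_IPV4,
                           build_ipv4("192.0.2.10", "192.0.2.20", IPPROTO_TCP,
                                      build_tcp_syn(40000, 80, 1000)))

if __name__ == "__main__":
    for layer in decode_frame(SYN_FRAME):
        print(layer)
```

Running the script prints one line per layer of the constructed SYN: the Ethernet header a switch looks at, the IPv4 header a router looks at, the TCP header with its ports and flags, and the (empty) payload. Feed decode_frame() the raw bytes of a frame from a capture and it walks the same path, which is exactly what the sniffers listed above do before they pretty-print the result.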

Network Security Tools

There are many different tools that can be used to help secure a network as well as monitor it for malicious activity. There is no "one size fits all" solution that can be applied to all networks. As such, it is important to be familiar with the different types of tools that are available. The decision about which is best to use should be based on what you're protecting and what you can afford. This should then be compared to what the total cost of ownership will be. Here are some of the different tools you should become familiar with:

Network Based Firewalls

  • Stateful Inspection
  • Packet filter
  • Proxy
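The difference between the first two firewall types above is easiest to see in code. The following is an added example (not code from this page or from any firewall product): a stateless packet filter, which is an ordered rule list of the kind a router access control list expresses, beside a stateful inspection filter that remembers which connections the inside opened. Both are run over the same constructed packets; the inside network 192.0.2.0/24, the outside host 198.51.100.5 and the rule set are assumptions chosen for the example. A proxy firewall, the third type, terminates the connection itself and is not shown.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the page): a stateless packet filter (an ordered, ACL-style rule
# list) next to a stateful inspection filter, both run over the same constructed packets.
# The inside network and all addresses below are documentation ranges chosen for this example.

INSIDE = ipaddress.ip_network("192.0.2.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()

def is_outbound(p):
    return ipaddress.ip_address(p.src) in INSIDE

# Stateless rules: (action, direction, proto, dport or None for any, flags that must be set).
# First match wins; the last rule is the usual "deny everything else".
STATELESS_RULES = [
    ("permit", "out", "tcp", 80, frozenset()),          # inside hosts may browse the web
    ("permit", "out", "tcp", 443, frozenset()),
    ("permit", "in", "tcp", None, frozenset({"ACK"})),  # "established": let replies back in
    ("deny", "any", "any", None, frozenset()),
]

def stateless_filter(p):
    """Judge each packet on its own header fields; no memory of earlier packets."""
    direction = "out" if is_outbound(p) else "in"
    for action, rdir, proto, dport, need_flags in STATELESS_RULES:
        if rdir != "any" and rdir != direction:
            continue
        if proto != "any" and proto != p.proto:
            continue
        if dport is not None and p.dport != dport:
            continue
        if not need_flags <= p.flags:
            continue
        return action
    return "deny"

class StatefulFilter:
    """Same outbound policy, but inbound packets must belong to a connection the inside opened."""

    def __init__(self):
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, p):
        if is_outbound(p):
            action = stateless_filter(p)
            if action == "permit" and p.proto == "tcp" and "SYN" in p.flags:
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return action
        key = (p.dst, p.dport, p.src, p.sport)  # a reply reverses the 4-tuple
        if key in self.connections:
            if "RST" in p.flags or "FIN" in p.flags:
                self.connections.discard(key)  # connection is closing; stop tracking it
            return "permit"
        return "deny"

# Constructed traffic: one real web connection, one unsolicited inbound packet with ACK set,
# and one outbound connection the policy does not allow.
PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", "tcp", 40000, 80, frozenset({"SYN"})),        # client opens
    Packet("198.51.100.5", "192.0.2.10", "tcp", 80, 40000, frozenset({"SYN", "ACK"})),  # server answers
    Packet("198.51.100.5", "192.0.2.10", "tcp", 80, 40001, frozenset({"ACK"})),         # nobody asked for this
    Packet("198.51.100.5", "192.0.2.10", "tcp", 80, 40000, frozenset({"ACK"})),         # more of the real reply
    Packet("192.0.2.10", "198.51.100.5", "tcp", 40002, 25, frozenset({"SYN"})),        # not in policy
]

def run_filter(check, packets):
    return [check(p) for p in packets]

def compare(packets=PACKETS):
    """Return the verdicts of both filters, packet by packet, for side-by-side reading."""
    return {"stateless": run_filter(stateless_filter, packets),
            "stateful": run_filter(StatefulFilter().check, packets)}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The third packet is the one to look at: it carries the ACK flag, so the stateless "established" rule lets it in even though no inside host ever opened a connection to that port, while the stateful filter denies it because its connection table has no matching entry. Both filters agree on everything else, which is why the page's advice to know the tool types matters: the rule lists can look identical and still behave differently.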

Useful Links for Network Based Firewalls

Firewall White Paper - What different types of firewalls are there?
SANS Reading Room: Firewalls & Perimeter Protection
Firewalls and Security
Firewalls: Friend or Foe?

Host Based Firewalls

  • Software Based
  • Hardware Based

Useful Links for Host Based Firewalls

Personal Firewalls
SANS Reading Room: Firewalls & Perimeter Protection
Firewalls and Security

Network Based IDSs

  • Anomaly Based
  • Signature Based
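The two detection approaches listed above are complementary, and the following added example (not code from this page or from any IDS product) shows why. It runs a signature detector and an anomaly detector over the same set of constructed flow records: the signature detector looks for a known pattern in the payload, while the anomaly detector learns a baseline (most distinct destination ports any one source touched in a minute of normal traffic) and flags sources that exceed it. The records, the signature string "EXAMPLE-BAD-PATTERN", the addresses and the threshold factor are all assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not from the page): the two network IDS approaches side by side over
# constructed flow records. Signature detection matches a known pattern; anomaly detection
# compares behaviour with a baseline learned from normal traffic. Records, the signature
# string and the addresses are all made up for this example.

@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since start of capture
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of application data, empty if none seen

# Known-bad pattern list; a real IDS ships thousands of these and updates them like AV signatures.
SIGNATURES = [("example-bad-request", b"EXAMPLE-BAD-PATTERN")]

def signature_detect(flows):
    """Return (signature name, source) for every flow whose payload contains a known pattern."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES:
            if pattern in f.payload:
                alerts.append((name, f.src))
    return alerts

def distinct_ports(flows, window=60):
    """Count distinct destination ports per (source, time window)."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.src, f.ts // window)].add(f.dport)
    return {key: len(ports) for key, ports in seen.items()}

def learn_baseline(training_flows):
    """Baseline = most distinct ports any single source touched in one window of normal traffic."""
    return max(distinct_ports(training_flows).values(), default=1)

def anomaly_detect(flows, baseline, factor=3):
    """Flag sources whose per-window port count exceeds the baseline by `factor`; no pattern needed."""
    return sorted({src for (src, _), n in distinct_ports(flows).items() if n > baseline * factor})

# Constructed normal traffic used to learn the baseline: hosts talk to web ports only.
TRAINING = [
    Flow(0, "192.0.2.10", "198.51.100.5", 80, b"GET / HTTP/1.1"),
    Flow(5, "192.0.2.10", "198.51.100.5", 443, b""),
    Flow(9, "192.0.2.11", "198.51.100.5", 80, b"GET /news HTTP/1.1"),
]

# Constructed traffic to examine: ordinary requests, one request carrying the known-bad pattern
# (otherwise normal behaviour), and one host touching many ports on one server within a minute.
FLOWS = [
    Flow(100, "192.0.2.10", "198.51.100.5", 80, b"GET /index.html HTTP/1.1"),
    Flow(101, "192.0.2.11", "198.51.100.5", 80, b"GET /about.html HTTP/1.1"),
    Flow(102, "192.0.2.12", "198.51.100.5", 80, b"GET /EXAMPLE-BAD-PATTERN HTTP/1.1"),
] + [Flow(110 + i, "192.0.2.13", "198.51.100.5", port, b"")
     for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]

def analyse(flows=FLOWS, training=TRAINING):
    """Run both detectors and return their alerts together with the learned baseline."""
    baseline = learn_baseline(training)
    return {"signature": signature_detect(flows),
            "anomaly": anomaly_detect(flows, baseline),
            "baseline": baseline}

if __name__ == "__main__":
    print(analyse())
```

The host sending the known-bad request behaves normally (one port, one flow), so only the signature detector sees it; the host sweeping eight ports sends nothing that matches any signature, so only the anomaly detector sees it. Neither approach alone would have raised both alerts, which is the practical reason an IDS deployment usually combines them, and why the baseline must be learned from traffic you trust.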

Useful Links for Network Based IDSs

What is network based intrusion detection?
What is knowledge-based intrusion detection?
What is behavior-based intrusion detection?

Host Based IDSs

  • Application Specific
  • Monitoring of Logs, processes and files

Useful Links for Host Based IDSs

What is host-based intrusion detection?
Setting up a simple inexpensive ($39.95) host intrusion detection system.
Firewalls and Security

Useful Links for IDSs in General

Intrusion Detection FAQ
Understanding Intrusion Detection Systems
The History and Evolution of Intrusion Detection
A Wide Selection of IDS Papers and Information

Access Control Lists

Useful Links for Access Control Lists

Semester 3 - Chapter 6-Access Control Lists
An Access Control Architecture for Programmable Routers
Introduction to Router Filters

Antivirus Protection

This one is getting its own category. Antivirus is NOT just for security folks; it is crucial to the daily operations of a network, all the way down to a user at home on their personal PC. However, it is often overlooked, and when it is used it is usually not maintained in the manner in which it should be. Look at the latest widespread outbreak, MyDoom, for proof of this. This is a sad state, especially considering that the price of antivirus software is very affordable. Understanding what to do to protect yourself is critical, and part of that comes from keeping your antivirus up to date and using defense in depth. As a security professional, you are going to have to have a basic understanding of what the malicious code does in order to really protect your network.

All of the tools above can assist you in this endeavor if you know what the latest virus/worm is configured to do. You can't just rely on an antivirus product that scans your email. What if a user visits a malicious web page or checks their Hotmail account? That traffic bypasses your antivirus scan. Having antivirus clients on all workstations is a requirement these days. The overhead for managing this has become very low. Most vendors have an enterprise version that can push the client out to systems as well as check for updates and push them out too. You can schedule scans, schedule when to do updates, report any virus detections on your network to a central server, or send a notification by email. The possibilities are endless, and once configured it requires very little effort. You can also tailor your perimeter security devices to block certain extensions that are used in the spreading of viruses and worms, such as .bat, .cmd, .com, .exe, .eml, .hta, .pif, .scr, etc. There are many more extensions that can be used. Simply blocking these types of files will help protect your network from a zero-day worm or virus.

Useful Links for Antivirus Software and Vendors

Symantec
Computer Associates
Internet Security Alliance
Kaspersky Labs
McAfee
Panda Security
SoftWin SRL
Trend Micro

Securing the Operating System

Every operating system has different capabilities and is used to fit different needs. As such, the security for the operating system has to be tailored to fit your environment. Don't fret, because many groups have already developed guides to securing the operating system. You can build on their work and simply adjust the recommendations to fit your specific needs. There are also many sites dedicated to reporting vulnerabilities for operating systems. One of the most important things to remember is to stay current on the patches for your operating system and for the applications that you are using. The following list of links will point you to where you can get more information in specific areas.

For all operating systems:

SANS Bookstore: Seven Pack of SANS Press Technical Guides
SecuriTeam.com's focus on different Operating Systems and security related issues.
National Security Agency Security Recommendation Guides
FreeBSD Security How-To
The Center for Internet Security

For Windows 2000/NT/XP:

National Security Agency Security Recommendation Guides
Welcome to NSA/CSS INFOSEC

For Linux:

Welcome to NSA/CSS INFOSEC: Security Enhanced Linux
A Question and Answer website about Linux
All the latest of Linux Security
Linux Security HOWTO
Bastille Linux
Securing Linux

For Solaris:

Solaris Security Guide
Secure Solaris Setup
Platforms/OSs - Sun Solaris
Solaris Security

Vulnerability/Incident Websites

The CERT® Coordination Center (CERT/CC)
U.S. Department of Energy CIAC
Forum of Incident Response and Security Teams
US-CERT
A community of Security Professionals
Security Issues
Keeping Track of Bugs

MISC links

NIST Computer Security Division and CSRC home page
SANS Global Information Assurance Certification (GIAC)
SANS INFOSEC Reading Room
SANS Information and Computer Security Resources
COTSE Security/Bugs/Exploits News
Internet Security Policy: A Technical Guide.
Security Policy Resources
Federal Agency Security Practices (FASP)
