
Practical Network Scanning

By: Ajay Singh Chauhan
Overview of this book

Network scanning is the process of assessing a network to identify its active hosts; the same methods can be used by an attacker or by a network administrator for security assessment. This procedure plays a vital role in risk assessment programs and in preparing a security plan for your organization. Practical Network Scanning starts with the concept of network scanning and how organizations can benefit from it. We then delve into the different scanning steps, such as service detection, firewall detection, TCP/IP port detection, and OS detection. We also implement these concepts using a few of the most prominent tools on the market, such as Nessus and Nmap. In the concluding chapters, we prepare a complete vulnerability assessment plan for your organization. By the end of this book, you will have hands-on experience in performing network scanning with different tools and in choosing the best tools for your system.

Network security


With today's complex network architectures and constantly growing networks, protecting data and maintaining confidentiality play a very important role. Complex networks consist of traffic flowing between enterprise networks, data center networks and, of course, the cloud. A secure network helps protect against data loss, cyber-attacks and unauthorized access, and thus provides a better user experience. Network security technologies give each of these platforms the ability to meet its specific protection requirements.

Firewalls

A firewall is a network security appliance that accepts or rejects traffic flows based on configured rules and preconfigured policies. Placement of a firewall depends entirely on the network architecture, which includes protection for network perimeters, subnets, and zones. Perimeter firewalls are always placed on the network's edge to filter packets entering the network. Perimeter firewalls are the first layer of security; if malicious traffic has managed to bypass them, host-based firewalls provide another layer of protection by allowing or denying packets arriving at the end host. This is called the multilayer security approach. Multiple firewalls can be set up to design a highly secure environment.

Firewalls are often deployed in other parts of the network to provide proper segmentation and data protection within enterprise infrastructure, on access layers and also in data centers.

Firewalls can be further classified as the following:

  • Simple packet filtering
  • Application proxy
  • Stateful inspection firewalls
  • Next-Generation Firewall

A traditional firewall provides functions such as Packet Address Translation (PAT), Network Address Translation (NAT), and Virtual Private Network (VPN). The basic characteristic of a traditional firewall is that it works according to its rules. For example, a user from the subnet 10.10.10.0/24 wants to access Google DNS at 8.8.8.8 on UDP port 53.

A typical firewall rule will look like this:

Source IP       Destination IP   Protocol   Port   Action
10.10.10.0/24   8.8.8.8/32       UDP        53     Permit

However, a Next-Generation Firewall works on application- and user-aware policies. Application-level control allows you to set policies depending on the user and the application.

For example, you can block peer-to-peer (P2P) downloads completely or disable Facebook chat without even blocking Facebook.
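The following is an added example, not code from the book, of how a traditional packet filter evaluates rules like the DNS rule above: first match wins, and a packet that no rule covers falls through to a default deny. The rule set, the 203.0.113.0/24 destination (documentation address space) and the Telnet/HTTPS rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR, e.g. "10.10.10.0/24"
    dst: str             # destination CIDR, e.g. "8.8.8.8/32"
    proto: str           # "udp", "tcp", "icmp" or "any"
    port: Optional[int]  # destination port; None means any port
    action: str          # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]


def matches(rule: Rule, pkt: Packet) -> bool:
    """A packet matches only when every field of the rule covers it."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.dport:
        return False
    return True


def evaluate(rules: Iterable[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match semantics: the first rule covering the packet decides.
    Traffic no rule covers gets the default action (deny by default)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set: the book's DNS rule plus two rules toward a DMZ web server.
RULES = [
    Rule("10.10.10.0/24", "8.8.8.8/32", "udp", 53, "permit"),
    Rule("10.10.10.0/24", "203.0.113.0/24", "tcp", 23, "deny"),    # block Telnet
    Rule("10.10.10.0/24", "203.0.113.0/24", "tcp", 443, "permit"),  # allow HTTPS
]

if __name__ == "__main__":
    for pkt in [Packet("10.10.10.5", "8.8.8.8", "udp", 53),
                Packet("10.10.10.5", "8.8.8.8", "tcp", 53),        # TCP DNS: no rule, denied
                Packet("10.10.10.5", "203.0.113.10", "tcp", 443)]:
        print(pkt, "->", evaluate(RULES, pkt))
```

Note that DNS over TCP to the same server is dropped: the rule permits only UDP/53, which is exactly the kind of gap a port scan against the firewall would reveal.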

We will discuss firewalls in detail in upcoming chapters. The following diagram shows the zones and their connectivity, that is, how the firewall zones connect the different business segments:

  • Demilitarized zone (DMZ): Internet-facing applications are located in the DMZ. Services in other zones remain inaccessible from the internet. The most common services placed in the DMZ include email services, FTP servers, and web servers.
  • Inside zone: The inside zone is known to users as the trusted zone. Applications in that area are considered highly secure. In the trusted area, security is maintained by denying, by default, all traffic from less trusted zones at any given firewall.
  • Cloud and internet zone: Let's not focus on naming these; they are standard segments we see on an enterprise network. These zones are considered lower-security zones.

Intrusion detection systems / intrusion prevention systems

There is a high chance that attacks will get into a network. An intrusion prevention system (IPS) or intrusion detection system (IDS) is a proactive measure to detect and identify suspicious or undesirable activities that indicate an intrusion. IDS deployment can be online or offline, and the basic idea is to redirect the traffic you wish to monitor to the sensor. Several methods, such as a switch port SPAN or a fiber optic TAP solution, can be used to redirect the traffic. Pattern matching is used to detect known attacks by their signatures, as well as anomalies. Based on the activity, monitoring alerts can be set up to notify the network administrator.

As the following diagram shows, a SPAN port is configured on the switch to redirect traffic to the IDS sensor. A SPAN port creates a copy of the data flowing through a specific interface and sends it to another port on the switch:

IPS offers proactive detection and prevention of unwanted network traffic. In an inline placement, all traffic travels through the IPS device, and actions can then be taken based on the rules. When a signature matches on an IPS device, the event can trigger resetting, blocking, or denying the connection, as well as logging, monitoring, and alarming. A system admin can also define a policy-based approach, with policy-violation rules and actions, and should keep it in mind as well-known signatures are released. The actions should be defined by the system admin.

The following diagram shows a topology for an inline IPS setup. All traffic travels through the IPS device for inspection. This differs from a port SPAN, since all data goes through the IPS box; consequently, you should be aware of what type of data has to be inspected:

There are a number of different attack types that can be prevented using an IPS, including:

  • Denial of Service
  • Distributed Denial of Service
  • Exploits
  • Worms
  • Viruses

Multitier topology

Multitier topology gives you the flexibility to segment resources based on role and access policies. In a typical three-tier application architecture, the web, app, and DB servers can be distributed based on location. Since the web/app zone is always exposed to end users, the Demilitarized Zone (DMZ) IP space is always public. The internal subnets and database servers should not be directly accessible, which is why they should always be allocated private IP space from RFC 1918.

This offers graduated access control based on IP addresses and resource locations. When designing a network, you can introduce a multi-layer firewall approach. In a multiple-layer design, the basic idea is to isolate resources from each other so that if one layer is compromised, the others are not impacted.

Cross-premises IPsec tunneling provides a way to establish secure connections between two networks, between multiple on-premises sites, or to virtual networks in Azure/AWS. It secures data in transit by encrypting it with the IPsec framework. Virtual networks are called VPCs in AWS and VNETs in Azure.

Distributed Denial of Service: A Denial-of-Service (DoS) attack or Distributed Denial-of-Service (DDoS) attack is an attempt to make a network resource unavailable to its intended users.

Real-world targets include online services such as e-commerce and the gaming industry, where making the front-end resources unavailable to end users prevents the shop from doing any business. Just think about a situation where someone launches a DDoS attack during big billion-day sales hours and takes your e-commerce portal down.

The two most basic types of DDoS attacks are as follows:

  • WAN attacks: WAN DDoS attacks consume the available bandwidth on physical links, either with a high volume of packets with bigger payloads or with a high volume of packets with smaller payloads. With bigger payloads, network resources such as routers or firewalls process the packets and the flood consumes all the bandwidth. With smaller payloads, routers and firewalls try to process every packet; however, with limited CPU cycles, the hardware cannot process the genuine packets from end users and can fail under the load.
  • For example, let's assume you have a 10 Mbps WAN link and, during an attack, bandwidth utilization is just 5 Mbps. However, the number of small packets can reach one million packets per second. In this case, assume that your network gear has no CPU cycles left to process all the tiny packets.

    Another example would be someone launching a DDoS attack using large ICMP packets. This can choke your bandwidth and leave no room for the rest of the applications.

  • The most common form of bandwidth attack is a packet-flooding attack, in which a large number of legitimate TCP, User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) packets are directed at a targeted destination. Such attacks become more difficult to detect if attackers use techniques such as spoofing source addresses.
  • Application attacks: These DDoS attacks use the expected behavior of protocols such as TCP and HTTP. Application attacks are disruptive but small and silent in nature, and extremely hard to detect since they use expected behavior. Application-layer attacks are easy to generate and require fewer packets with a small payload to achieve denial of service for the targeted applications. Application attacks are focused on the web-application layer. For a small HTTP request, the server has to spend a lot of resources to fetch the content. Every such server has limited CPU and memory and can be easily targeted. In this example, I am not considering cloud-based web applications, where elasticity features are enabled and server resources are automatically created as the number of requests grows.


Let us understand this better with the help of two examples:

  • HTTP Floods: These are simple attacks that try to access the same web page again and again in an automated fashion. They typically use the same range of IP addresses. Since the traffic originates from the same source, the source pool can be blocked to mitigate the attack.
  • Randomized HTTP Floods: These are complex attacks that use a large pool of IP addresses from multiple locations and randomize the URLs. Since these attacks originate from multiple locations, it is not easy to block the source IPs. However, a rate limit can be set on server resources.
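As an added example (not from the book), the following detection logic runs over constructed web-server access-log lines and separates the two cases above: a source that alone exceeds a per-IP threshold in a time window is a plain HTTP flood and is a candidate for blocking, while a window whose aggregate request rate is over the limit with no single noisy source is the randomized pattern, where only a server-side rate limit helps. The thresholds, window size and log format are assumptions chosen for the sample.

```python
import re
from collections import defaultdict

WINDOW = 10          # seconds per analysis bucket (assumed)
PER_IP_LIMIT = 15    # requests per source per window before the source is flagged (assumed)
GLOBAL_LIMIT = 15    # requests per window across all sources before rate limiting (assumed)

# Constructed log format: "<client ip> <epoch seconds> <method> <path>"
LINE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")


def build_sample_log():
    """Constructed sample traffic: one classic flood, one randomized flood, some normal use.
    198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are documentation address ranges."""
    lines = [f"198.51.100.7 {1000 + i % 3} GET /index.html" for i in range(20)]            # same IP, same page
    lines += [f"203.0.113.{10 + i} {1100 + i % 5} GET /search?q={i:04x}" for i in range(20)]  # many IPs, random URLs
    lines += ["192.0.2.5 1200 GET /index.html", "192.0.2.6 1203 GET /about.html"]           # legitimate users
    return lines


def analyze(lines, window=WINDOW, per_ip_limit=PER_IP_LIMIT, global_limit=GLOBAL_LIMIT):
    """Bucket requests per window and per source, then decide per window which
    control applies: block the noisy source(s), or rate limit the whole service."""
    per_window_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash on them
        ip, ts = m.group(1), int(m.group(2))
        per_window_ip[ts // window * window][ip] += 1

    verdict = {"block_sources": set(), "rate_limit_windows": []}
    for start, counts in sorted(per_window_ip.items()):
        noisy = {ip for ip, n in counts.items() if n > per_ip_limit}
        verdict["block_sources"] |= noisy
        # Aggregate over the limit but no single source stands out: blocking by IP
        # does not help here, so the window is flagged for server-side rate limiting.
        if sum(counts.values()) > global_limit and not noisy:
            verdict["rate_limit_windows"].append(start)
    return verdict


if __name__ == "__main__":
    result = analyze(build_sample_log())
    print("block sources:", sorted(result["block_sources"]))
    print("rate-limit windows starting at:", result["rate_limit_windows"])
```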

To simplify, DDoS is a form of attack where multiple compromised networks/hosts are used to target a single system. It is like a zombie attack, and it is very tough to tell the genuine users apart. Once infected, the internet-connected devices become part of a botnet army, driving malicious traffic toward a given target.