CCSP Domain 3 - Network Defense MindMap


Transcript

Introduction

Hey, I’m Rob Witcher from Destination Certification, and I’m here to help you pass the CCSP exam. We are going to go through a review of the major topics related to network defense in Domain 3, to understand how they interrelate, and to guide your studies.

Image of Network Defense - Destination Certification

This is the sixth of seven videos for Domain 3. I have included links to the other MindMap videos in the description below. These MindMaps are a wee part of our complete CCSP MasterClass.

Network Defense

It is incredibly rare to come across a system nowadays that isn’t connected to a network and to the largest hive of villainy and scum in the world–the Internet.

There is huge value in interconnecting our servers, laptops, mobile devices, smart watches, light bulbs, coffee machines, cars, and nuclear reactors.

There is also a huge amount of risk.

In this MindMap we are going to talk about some of the major tools and techniques we can use to protect our networks.

Defense in Depth

An important concept we use throughout security, and definitely need to apply to protecting networks, is defense in depth.

We want multiple layers of controls such that if one control fails, our crown jewels–our valuable assets–are not exposed.

Defense in depth means that at each layer of defense we need a combination of preventive, detective and corrective controls at a minimum.

Zero Trust

Another important concept: you must always assume that the baddies are inside your network. There is no trusted network, thus: zero trust.

Zero trust is a security model that assumes no user, device, or network—whether inside or outside the organization—should be trusted by default. Instead, it requires continuous verification of identity and access rights before granting access to resources. This approach emphasizes strict access controls, least privilege principles, and continuous monitoring to minimize the risk of unauthorized access, even from within the network. This model is designed to protect against modern threats by treating every access attempt as potentially risky.

Trust nothing–verify everything.

Firewalls

Ok now on to one of the most fundamental tools in network security: firewalls. At the most basic level, the job of a firewall is to control the flow of traffic between network segments. For instance, controlling which traffic from out on the sketchy Internet is allowed through to the internal network.

Types

Firewalls have evolved significantly over the years and become a lot smarter about how they inspect traffic and make decisions on what traffic to allow through.

Packet Filtering

We’ll start with the oldest and simplest type of firewall: packet filtering firewalls. Packet filtering firewalls only inspect packet headers, looking at the source and destination IP addresses as well as ports. These firewalls check against a set of rules typically defined in an access control list (ACL). Packet filtering firewalls are not very smart, but they are extremely efficient and can make decisions very quickly, meaning they have very low latency–they don’t slow down the flow of traffic much.

Stateful Packet Filtering

Stateful packet filtering firewalls still only look at a packet’s header, but they are a little more intelligent in that they maintain a state table–a little bit of memory that keeps a history of recent traffic through the firewall.

Here’s how the state table can be useful: when systems want to establish, say, a TCP connection, they must go through the TCP three-way handshake process of SYN, SYN / ACK, ACK.

The stateful packet filtering firewall will record that these two systems have completed the handshake and established a connection, and then if either system wants to send a packet to the other, the firewall will likely allow it because the firewall knows they have established a connection. But if another system were to send a TCP packet out of the blue the firewall is likely to block it because it has no memory of this system establishing a connection.

To simplify: if a stateful packet filtering firewall sees a packet going out it will allow the reply to come back in, because it remembers the outgoing packet in its state table. Packet filtering and stateful packet filtering firewalls both operate at layer 3, the network layer.

Application

And all the way at the top of the OSI model we have application firewalls, which operate at Layer 7, the application layer. This means that application firewalls can do deep packet inspection: they can inspect anything in the packet header and reassemble a series of packets to inspect the contents of the data that is being sent in the packets. For instance, application firewalls can scan a file being sent to look for viruses.

Application firewalls are very intelligent and can make very sophisticated decisions. However, all this intelligence comes at the cost of speed. They are the slowest type of firewall, and cause the highest latency.

Most modern firewalls offer the capabilities of all the firewall types we just discussed. They can make quick and simple decisions by just looking at a packet header and if necessary, they can apply much more thorough analysis by inspecting the contents of packets. So you get the benefits of speed and intelligence where you want it.

Firewalls in the Cloud

In the cloud, we can put firewalls in a variety of locations.

Virtual

Virtual firewalls are software-based firewalls that are relatively cheap and easy to deploy. We use them extensively in the cloud, allowing us to filter the traffic on our networks at a granular level.

Physical

Physical firewalls are pieces of hardware that we use to filter and block traffic on our networks. The fact that they are physical makes them more expensive and difficult to deploy, but they are still extensively used in the cloud by the cloud service providers.

Microsegmentation

Microsegmentation is the practice of dividing networks into small segments. The low cost and flexibility of virtualized infrastructure allows us to segment our networks at a more granular level.

Geofencing

Geofencing is the concept of using location to be able to restrict access. For example, if all of your employees are from the frozen wastes of Canada, then you could limit logins to an internal system to people that are logging in from Canada.

Inspection

Moving on from firewalls and geofencing, we’ll now talk about the major network monitoring tools we use: IDS and IPS systems.

IDS

We’ll start with some simple definitions. IDSs–intrusion detection systems–are designed to inspect network traffic–packets–to detect potentially suspicious activity. If an IDS detects something suspicious it will raise an alarm.

IPS

IPSs–Intrusion Prevention Systems–do exactly the same thing as an IDS–attempt to detect suspicious activity, but then go an important step further–if they detect something suspicious they can block the suspicious traffic–hence preventing an attack from occurring.

IDSs can work in combination with, say, a firewall to block traffic, but IPSs can detect and block traffic on their own.

IDS/IPS Location

There are two major locations where we can put IDSs and IPSs.

Host Based

Host-based means the IDS or IPS is installed on a specific host, typically a high-value server, and the IDS or IPS is monitoring just the host it is installed on. If you want to monitor multiple hosts then you need a host-based IDS or IPS system on each host.

Network Based

A network-based IDS or IPS is connected to a network segment and monitors all the traffic within that network segment.

Placement in the Cloud

Image of IDS / IPS Placement SDN - Destination Certification
Image of IDS / IPS Placement Premises - Destination Certification

There are a ton of different places where you can put IDS/IPS sensors in the cloud. You can attach an IDS to a mirror port on a virtual switch, or place an IPS inline at the major ingress/egress point of your network, or an IDS sensor inside your DMZ network segment, or an IDS capability built into hypervisors, or IDSs installed on various virtual machines. The list goes on and on. And it gets even more complicated if you want a single pane of glass view that includes monitoring your on-premises environment and your various cloud services.

What it ultimately boils down to, is you need to think carefully about where you need IDS monitoring and possibly IPS enforcement capabilities and then you will have to architect a solution that will give you the requisite capabilities.

IDS / IPS Detection Methods

Now let’s talk about the two major methods that IDS or IPS systems can use to look for suspicious activity.

Pattern

Pattern matching means the IDS or IPS has been programmed to look for a specific pattern, for example a specific type of network attack, and will alert or block if that pattern is detected. The advantage of pattern matching systems is they can be fast and efficient, but the downside is they can only detect what they have been programmed to detect.

Signature analysis

The way a pattern matching IDS or IPS is told to look for a specific pattern is often referred to as signature analysis.

You can think of a signature as a unique fingerprint for a specific type of network attack. Therefore, the IDS or IPS system can have specific patterns or signatures programmed into it to look for things like byte sequences in network traffic or known malicious instruction sequences.

Anomaly

Anomaly-based detection is a different approach that doesn’t rely on signatures and is meant to address the weakness that pattern matching systems can only detect what they have been programmed to detect.

With anomaly-based detection, the IDS or IPS learns what normal looks like (it establishes a baseline) and then the system can look for behaviors that fall outside the accepted model of behavior–behaviors that are anomalous.

Stateful matching

There are four major ways anomalies can be detected. Stateful matching means the IDS or IPS looks for anomalies in the context of a stream of traffic. The IDS or IPS maintains a state table and can, for instance, detect if a system starts sending TCP packets to another system that it hasn’t established a session with.
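The state table described under Stateful Packet Filtering and again under Stateful matching, as an added example that is not code from the video: a toy firewall that records the SYN, SYN/ACK, ACK handshake, lets the remembered reply back in, and drops a TCP packet from a host with no session. The 10.0.0.0/8 "inside" network, the hosts and the ports are constructed for the example.

```python
from dataclasses import dataclass
# Constructed example, not code from the video: a minimal stateful packet filter that
# records the TCP three-way handshake in a state table and admits only packets of flows it remembers.
SYN, ACK = "SYN", "ACK"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # subset of {SYN, ACK}; empty means a plain data packet

def is_internal(ip: str) -> bool:
    return ip.startswith("10.")  # assumption: 10.0.0.0/8 is the inside network

class StatefulFirewall:
    def __init__(self) -> None:
        # keyed by the initiator's (src_ip, src_port, dst_ip, dst_port); values: SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
        self.state: dict = {}

    def filter(self, p: Packet) -> str:
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if fwd in self.state:  # initiator -> responder on a flow already known
            if self.state[fwd] == "SYN_RECEIVED" and p.flags == {ACK}:
                self.state[fwd] = "ESTABLISHED"  # third step of the handshake
            return "ALLOW"
        if rev in self.state:  # responder -> initiator: the reply we remember
            if self.state[rev] == "SYN_SENT" and p.flags == {SYN, ACK}:
                self.state[rev] = "SYN_RECEIVED"
            return "ALLOW"
        # No state yet: only an inside host may open a flow, and only with a SYN.
        if p.flags == {SYN} and is_internal(p.src_ip) and not is_internal(p.dst_ip):
            self.state[fwd] = "SYN_SENT"
            return "ALLOW"
        return "DROP"  # e.g. an unsolicited TCP packet arriving from outside

def run_scenario() -> list:
    # Handshake 10.0.0.5 -> 192.0.2.10:443, reply data, then an out-of-the-blue SYN.
    fw = StatefulFirewall()
    client, server = ("10.0.0.5", 51000), ("192.0.2.10", 443)
    trace = [
        Packet(*client, *server, frozenset({SYN})),       # 1. SYN
        Packet(*server, *client, frozenset({SYN, ACK})),  # 2. SYN/ACK
        Packet(*client, *server, frozenset({ACK})),       # 3. ACK
        Packet(*server, *client, frozenset()),            # data back in: allowed
        Packet("198.51.100.9", 40000, "10.0.0.5", 445, frozenset({SYN})),  # dropped
    ]
    return [fw.filter(p) for p in trace]
```

A real stateful firewall also ages entries out of the table and tracks FIN/RST teardown; this toy keeps entries forever to keep the handshake logic visible.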

Statistical

In statistical anomaly-based detection the IDS or IPS compares traffic to typical, known, or predicted traffic profiles to look for statistically significant anomalies from the norm.

Protocol

Protocol anomaly-based detection is where anomalies can be detected based on the network protocols being used. For instance, certain protocols can be defined as allowed, and all others will be an anomaly. An organization might allow only SFTP traffic. If FTP or especially TFTP traffic is detected, it’s an anomaly.

Traffic

Finally, traffic anomaly-based detection identifies anomalies in the expected pattern and behavior of network traffic transmitted within a session.

White & Black Lists

IDS and IPS systems can use white lists or black lists as a means of detecting suspicious traffic. A better name for white list is an allow list–it is a list of IPs that a system is allowed to connect to and all other IPs are blocked.

A better name for black list is a deny list–it is a list of IPs that a system is not allowed to connect to. Access to these IPs is denied, and all other IPs are allowed.

An IDS or an IPS can be programmed to inspect traffic based on these allow or deny lists.

Sandbox

The final detection method I’ll discuss that an IPS or IDS can use to spot suspicious traffic is the sandbox. Sandboxes provide a safe, isolated area to run untrusted code and observe what it does–it may, for instance, be attempting to install ransomware.

An IDS or an IPS system could detect that an executable file is being transmitted. The IDS or IPS could then take a copy of the executable and run it in a sandbox to see what the code does and if it is something nefarious then the IDS or IPS can alert and potentially even block the file from being sent to the intended victim’s system.

Honeypots & honeynets

A really cool way to detect an attacker on a network is to use honeypots or honeynets. A honeypot is a system that looks as close as possible to a real system–like a file server, print server, database, or industrial control system–but the honeypot is not a real system that is meant to be used by employees or clients of the organization.

Instead, the honeypot is carefully monitored and if someone is trying to connect to and use the honeypot system, it’s a very good indicator that you may have a threat actor in your network that is exploring and looking for systems to compromise. A honeypot is a single system, and a honeynet is a whole network of honeypots.

Honeypots and honeynets are a good way of detecting advanced persistent threats.

Ingress vs. Egress

The final inspection method that I’ll talk about is ingress and egress monitoring. Monitoring the traffic that is coming into a network (ingress), or the traffic that is leaving a network (egress).

It’s not uncommon for organizations to detect that they’ve had a breach by watching the traffic that is leaving–egressing–their network. If traffic is going out to a known bad IP address, then that’s a good indication that some malware has somehow infected a company system and the malware is calling home.
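Egress monitoring as described here, combined with the protocol allow list from the Protocol section and a statistical check from the Statistical section, as an added example that is not code from the video. The flow records, the "known bad" address 198.51.100.99 and the byte counts are all constructed for the example; the deny-list entry is a placeholder, not a real indicator.

```python
import statistics
from collections import defaultdict

# Constructed egress flow records (not real data, not from the video):
# timestamp  src_host  dst_ip:port  app_protocol  bytes_out
EGRESS_LOG = """\
2024-05-01T09:00:01Z 10.0.0.7 192.0.2.55:22 sftp 41200
2024-05-01T09:00:05Z 10.0.0.8 192.0.2.55:22 sftp 38800
2024-05-01T09:00:09Z 10.0.0.9 192.0.2.80:21 ftp 40100
2024-05-01T09:00:12Z 10.0.0.9 198.51.100.23:69 tftp 1200
2024-05-01T09:00:20Z 10.0.0.31 198.51.100.99:8443 https 39500
2024-05-01T09:00:25Z 10.0.0.12 192.0.2.60:443 https 40900
2024-05-01T09:00:30Z 10.0.0.44 192.0.2.61:443 https 9800000
"""
ALLOWED_PROTOCOLS = {"sftp", "https"}  # the video's "only SFTP" policy, plus web traffic
DENY_LIST = {"198.51.100.99"}          # placeholder "known bad" IP, constructed for this example
SIGMA_THRESHOLD = 2.0                  # a lone outlier among n hosts scores at most sqrt(n-1) with pstdev

def parse(line: str) -> dict:
    ts, src, dst, proto, nbytes = line.split()
    ip, port = dst.split(":")
    return {"ts": ts, "src": src, "dst": ip, "port": int(port),
            "proto": proto, "bytes": int(nbytes)}

def inspect_egress(log: str) -> list:
    """Apply three detection methods to outbound flows: deny list (known bad
    destination, i.e. malware calling home), protocol anomaly (protocol not on
    the allow list) and statistical anomaly (a host's bytes out far above the norm)."""
    recs = [parse(line) for line in log.splitlines()]
    alerts = []
    for r in recs:
        if r["dst"] in DENY_LIST:
            alerts.append((r["src"], "DENYLIST", r["dst"]))
        if r["proto"] not in ALLOWED_PROTOCOLS:
            alerts.append((r["src"], "PROTO_ANOMALY", r["proto"]))
    per_host = defaultdict(int)  # total bytes sent out per internal host
    for r in recs:
        per_host[r["src"]] += r["bytes"]
    mean = statistics.mean(per_host.values())
    stdev = statistics.pstdev(per_host.values())
    for host, total in per_host.items():
        if stdev and (total - mean) / stdev > SIGMA_THRESHOLD:
            alerts.append((host, "STAT_ANOMALY", total))
    return alerts
```

In practice the statistical baseline is built from days or weeks of history rather than from the same batch being inspected, so that an outlier cannot drag the mean up and hide itself.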

Endpoint Security

You can never have a secure network if the endpoints–the laptops, mobile phones, iPads, Alexa devices, IP Security cameras, etc.–are not secure. It is critical to secure endpoint devices by ensuring they are correctly configured, patched, have strong authentication, and so forth.

Image of Network Defense - Destination Certification

That’s all for our overview of network defense within Domain 3, covering the most important concepts you need to know for the exam.

Image of next mindmap - Destination Certification

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.

I will provide links to the other MindMap videos in the description below.

Thanks very much for watching! And all the best in your studies!
