General Network Security: From Segmentation to Zero Trust

Rodolfo Santos Flaborea
12 min read · Feb 16, 2024


Computer networks are one of the most fundamental aspects of IT infrastructure. Additionally, network structure and functioning are significantly complex, making network security an essential and demanding task.

A good starting point is to discuss how networks can be organized to promote security. From there, the many concepts of network security can be divided into perimeter and interior solutions, with the Zero Trust framework as a final topic that runs counter to the perimeter model itself.

Network Segmentation and Screened Subnets

All the different machines that comprise IT infrastructure are organized into networks. Companies often have multiple of those, so it’s necessary to define their elements and perimeter according to their organizational roles and the sensitivity of their processes and information. Network segmentation is the technical process dedicated to this task.

Each node in a network has an IP address, including ordinary machines and network appliances such as switches and routers. A network is therefore set up by assigning it a range of IP addresses (which also fixes the maximum number of hosts), the switch and other devices that will manage internal traffic, and a router that will act as the gateway for traffic to and from other networks.

A typical networking layout includes segments or subnets that form the internal network and a screened subnet, which acts as an intermediary between the internal subnets and the outside cyberspace. Public-facing services like web and email have their servers in a screened subnet. They handle external requests and, if necessary, query internal, more sensitive systems, such as databases.

Simple diagram illustrating a simple network segmentation, with an internal network (enterprise LAN) and a screened subnet (aka DMZ) containing web and mail servers. Extracted from: https://www.techtarget.com/searchsecurity/definition/DMZ.

Additional subtypes of networks are intranet and extranet. Intranets contain web services that should be accessed only internally, whereas extranets provide externally accessible services to partners and clients. Virtual Local Area Networks (VLANs) are a subtype of network that connects devices in a broadcast domain regardless of their physical connection. Using a VLAN allows the creation of multiple broadcast subdomains inside a single LAN.

Network segmentation must be done carefully when using IPv4 addresses, since they are scarce (in fact, the unallocated pool has already run out). IPv6 addresses, written in hexadecimal, are 128 bits long instead of IPv4’s 32 bits, so they are vastly more numerous.

Another problem with IPv4 is the need to hide a whole range of private addresses behind a single public address. Network Address Translation (NAT) is the mechanism that implements this and will remain in use until IPv6 is more widely adopted. During the transition, networks also use a form of NAT that translates between IPv4 and IPv6 addresses (Protocol Translation, known as NAT-PT).

Internet Connection Sharing (ICS) is a Windows service that shares the Internet through one machine, implementing NAT as a mechanism. Extracted from: https://www.networxsecurity.org/members-area/glossary/i/ics.html.

After establishing layouts comes choosing, configuring, and placing the security hardware and software responsible for perimeter and internal security. It’s important to note that I’ve made this type of categorization aiming more at an easy grasp of concepts instead of a precise technical description. So, those technologies, frameworks, protocols, and methodologies may have implications beyond simple perimeter or internal security. For example, firewalls control north-south (internal networks and the outside world) and east-west traffic (between internal assets).

We’ll start by discussing perimeter security solutions, encompassing routers, firewalls, proxies, and VPNs.

Routers and Firewalls

Fundamentally, routers are devices that define the boundary of a subnet’s broadcast domain, i.e., its perimeter. They provide the gateway through which all inbound and outbound traffic passes and choose the best path a message can take to another network or the Internet. Those paths are held in a routing table that is constantly updated by protocols such as Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), and Routing Information Protocol (RIP).

Thanks to their location, routers can also perform simple traffic filtering according to rules defined in access control lists (ACLs). These specify the authorized protocols, source and destination IP addresses, and ports. Attackers may craft IP packets with forged source addresses to impersonate an authorized host (IP spoofing), which can bypass a router’s ACLs. As a countermeasure, routers can be configured to drop packets arriving from the outside with private source addresses (which have no legitimate reason to come from the Internet) and to adopt robust authentication protocols.

Firewalls, on the other hand, filter traffic with much finer control. They traditionally work at the network level, but more recent versions can be application-aware.

Firewalls can be stateless or stateful. Stateless firewalls execute control similar to ACLs, with a list of rules regulating traffic filtering. There are two fundamental principles behind this list:

  1. The order of the rule set is essential. Rules at the top of the list are evaluated first, so if two rules conflict, the first one in the list takes priority over the second.
  2. When no rule regulates a given traffic, the firewall blocks it. This is the implicit deny rule.
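To make the two principles above (and the anti-spoofing ACL countermeasure from the routers paragraph) concrete, here is a small first-match rule evaluator. It is an added example, not code from the original post; the rule set, the addresses, and the screened-subnet servers are constructed, and the anti-spoofing rules use the private ranges defined in RFC 1918.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dport: Optional[int]     # destination port, None means any port


# Constructed example: the Internet-facing interface of the perimeter device.
# Private source addresses (RFC 1918) have no business arriving from the
# Internet, so they are denied first (anti-spoofing). Order matters below.
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ANTI_SPOOF = [Rule("deny", "any", net, "0.0.0.0/0", None) for net in PRIVATE_NETS]
SERVICE_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),  # web server, screened subnet
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.20/32", 25),   # mail server, screened subnet
]
RULES = ANTI_SPOOF + SERVICE_RULES


def matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """A rule matches only when every field it constrains agrees with the packet."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First-match evaluation: the first rule that matches decides the verdict."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"   # implicit deny: traffic that no rule regulates is blocked


if __name__ == "__main__":
    # A legitimate client reaching the web server is allowed.
    print(evaluate(RULES, "tcp", "198.51.100.7", "203.0.113.10", 443))
    # The same request with a spoofed private source hits the anti-spoofing deny.
    print(evaluate(RULES, "tcp", "10.1.2.3", "203.0.113.10", 443))
    # SSH to the web server matches no rule and falls through to the implicit deny.
    print(evaluate(RULES, "tcp", "198.51.100.7", "203.0.113.10", 22))
    # Reordering so the allow rules come first lets the spoofed packet through.
    print(evaluate(SERVICE_RULES + ANTI_SPOOF, "tcp", "10.1.2.3", "203.0.113.10", 443))
```

The last call shows why rule order is a security property and not just a tidiness concern: the same rules in a different order admit the spoofed packet.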

Stateful firewalls track individual connections, checking their pattern and general activity and blocking them in case of a rule violation. Compared with their stateless counterparts, they provide finer control but at reduced speed, which can hamper performance on networks with heavy traffic volumes.

Next-Generation Firewalls (NGFW) go beyond the network layer and incorporate Web Application Firewall (WAF) functionality. They perform deep packet inspection, integrating application-layer protocols into their traffic-control rules. Inspection can be bypassed with encrypted protocols (e.g., HTTPS), whose payloads the firewall cannot read, so it’s important to configure mechanisms that give it better traffic visibility.

Since firewalls have a fundamental role in filtering traffic, one of their central locations is between the screened subnet and the outside world. But it’s common to also place them between the screened subnet and the internal network because servers located on the former network frequently query or make requests to servers on the latter. Such a dynamic reveals a broader firewall security role, protecting traffic to and from the outside and between internal systems.

Proxies

Proxies, like firewalls, are a go-between for internal systems and the Internet. But, unlike firewalls, they perform various tasks like caching pages, content filtering, privacy, and load-balancing.

Proxies can cache frequently requested web pages, which improves performance by reducing response latency. Another benefit is content filtering, since they can restrict access to authorized (and already cached) pages only. This decreases the chance of reaching malicious pages and regulates access to NSFW websites.

Load balancing is another fundamental role performed by proxies. It’s common practice to run two or more servers for the same service, such as web or email, to maintain availability in highly demanding contexts (e.g., e-commerce). Requests must be distributed appropriately so that no single server is overloaded while the others sit almost idle. The load-balancing problem will be discussed in a future post about resilience in cybersecurity.

The two main types of proxies are defined by their position in the client-server model. Forward proxies sit close to the client machines, controlling their requests, filtering content, and providing privacy by acting as the public-facing system on their behalf. Reverse proxies, on the other hand, support servers: they cache pages, perform load balancing, and filter potentially malicious requests, since no client ever reaches the server directly.

Forward proxy diagram. Extracted from: https://irshitmukherjee55.hashnode.dev/forward-proxy-transparent-proxy-and-reverse-proxy.

A transparent proxy (also called an inline, intercepting, or forced proxy) also caches and manages requests but requires no client or browser configuration. The client is unaware that a proxy sits between it and the server, since the transparent proxy doesn’t modify the request. Because no prior client configuration is needed, these proxies are frequently used in large corporate environments, where configuring every browser would be excessive overhead. They also provide more bandwidth, since they manage requests without much modification. Finally, because they filter content with little effort, they are well suited to environments such as schools and libraries.

The ideal placement for a proxy is in a screened subnet, behind a firewall and a router (whose ACLs perform traffic filtering). This configuration facilitates handling requests and secures communications with internal systems.

VPNs

Virtual Private Networks (VPNs) are a technology that allows access to a company’s internal network resources to remote users or other remote networks. VPNs are essential for a business dynamic dominated by remote work done through mobile devices.

VPN concentrators aggregate and manage all VPN connections (client-to-site and site-to-site). For confidentiality, traffic filtering, and authentication, they use encryption protocols, ACLs, and RADIUS, respectively.

They may adopt different modes of connection. Full tunneling encapsulates and encrypts all of the remote user’s or network’s traffic through the tunnel to the internal network, while split tunneling does so only for traffic that accesses internal resources; connections to public-facing services like web and mail are not included and go directly over the Internet.

Concentrators may also use either IPsec or TLS VPNs. The following post will discuss the particularities of those two protocol families. For now, it’s enough to remember that TLS is more straightforward to deploy, since a TLS VPN can be established through a web browser, whereas IPsec requires software installed on the client machine. This makes TLS VPNs easily applicable to decentralized-asset contexts, such as zero-trust networks.

With VPNs covered, let’s turn to internal security solutions.

Switches, Bridges, and Port Security

Switches are responsible for controlling traffic inside networks. Most work at layer 2 of the OSI model, dealing with Media Access Control (MAC) addresses and receiving and forwarding frames. Each node connects to the switch via a port in a wired network.

A managed switch can have its configuration tweaked for better traffic management. This involves, for example, keeping a list of authorized hosts’ MAC addresses, though it’s important to note that an attacker can easily spoof a MAC address, so other controls are implemented together with MAC filtering.

Port security is a layer 2 control implemented by switches. It aims to stop two or more hosts from sharing a single port: a secure MAC address is assigned to a secured port, and frames from any other MAC address are filtered. This protects against unauthorized access and gives the single machine connected to its designated port the port’s full bandwidth.

When port security detects a rule violation, the offending port enters one of three states:

  1. Default Shutdown Mode: as the name implies, port security shuts the port down;
  2. Protect Mode: frames from other MACs are dropped silently;
  3. Restrict Mode: frames from other MACs are dropped, a syslog message is generated, and a violation counter is incremented.
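The three violation modes are easiest to compare by replaying the same frame sequence against a port in each mode. The following simulation is an added example, not vendor code: the port model, the sticky learning of the first MAC, and the MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    """One switch port with port security enabled (simplified model)."""
    name: str
    mode: str                     # "shutdown", "protect" or "restrict"
    max_macs: int = 1             # how many secure MACs the port may learn
    secure_macs: Set[str] = field(default_factory=set)
    enabled: bool = True
    violations: int = 0
    syslog: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Handle an ingress frame; return True if forwarded, False if dropped."""
        if not self.enabled:
            return False                          # port is shut down: nothing passes
        if src_mac in self.secure_macs:
            return True                           # known secure MAC
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src_mac)         # learn the first allowed MAC(s)
            return True
        # Any further MAC is a violation; the configured mode decides the reaction.
        if self.mode == "shutdown":
            self.enabled = False                  # whole port goes down, legit host included
            self.syslog.append(f"{self.name}: shut down after frame from {src_mac}")
        elif self.mode == "restrict":
            self.violations += 1                  # count and log, keep serving the secure MAC
            self.syslog.append(f"{self.name}: violation #{self.violations} from {src_mac}")
        # "protect" drops the frame silently: no log entry, no counter.
        return False


def demo(mode: str) -> Dict[str, object]:
    """Replay legit -> rogue -> legit frames on a port in the given mode."""
    port = SecurePort(name="Gi0/1", mode=mode)
    legit, rogue = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    forwarded = [port.receive(legit), port.receive(rogue), port.receive(legit)]
    return {"forwarded": forwarded, "enabled": port.enabled,
            "violations": port.violations, "logs": len(port.syslog)}


if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        print(mode, demo(mode))
```

Note the trade-off the output makes visible: shutdown mode also cuts off the legitimate host (a self-inflicted denial of service that an attacker could trigger on purpose), while protect mode leaves no trace for the security team.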

Alongside the MAC filtering mentioned above, port security works with several other switch protocols and features:

  • Bridge Protocol Data Units (BPDU): ensure the ideal path for data flows by assigning a priority number to ports, finding the best route for each request, and blocking alternate routes;
  • Loop detection: works with BPDUs to detect situations where traffic with the same source and destination is forwarded over multiple paths, degrading network activity. It then cuts the redundant paths to restore performance;
  • Dynamic Host Configuration Protocol (DHCP) snooping: blocks rogue DHCP servers by establishing a trusted DHCP server connected to a trusted switch port.

Loops exist because, unlike packets at the network layer, frames don’t carry a time-to-live (TTL) counter. So, if their path isn’t adequately controlled, they can be forwarded endlessly, significantly degrading network availability.

Bridged networks are vulnerable to loops since they can connect directly to multiple networks through each other’s switches. Spanning Tree Protocol (STP) and its newer version, Rapid Spanning Tree Protocol (RSTP), are the methods that control traffic and avoid loops. STP assigns states to bridge ports (blocked, listening, learning, forwarding, and administratively disabled), which determine the path a frame takes to its destination without looping. It can also create new pathways when specific connections fail. BPDUs and loop protection help establish the paths, prioritizing and cutting as necessary.

Viatto’s video on STP is a detailed explanation of how this protocol works.

NIDS and NIPS

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are two central technologies that provide internal security for networks. Both monitor and detect possible signs of an attack in real time. But the similarities end there, since an IPS can also stop an attack in its tracks. A recommended practice is to use both.

Different types of IDS and IPS exist according to their location: on the network or inside the host. When those systems are placed on the network medium, we have network-based IDS (NIDS) and IPS (NIPS). When located inside the host, they are called host-based IDS (HIDS) and IPS (HIPS). Network-based systems inspect packets and emit an alert (and, in the case of NIPS, also stop the transmission) if a rule violation occurs. Host-based systems analyze host activity, such as file permission violations, and respond similarly to their network-based counterparts.

NIDS are considered passive systems since they only listen to traffic and emit alerts. They are commonly placed out-of-band of the primary network medium. NIPS, however, are systems in line with the network since they can also block ongoing malicious traffic. So, their alternate names are reactive or in-band systems.

One of the issues NIDS and NIPS users encounter is writing the rules these systems work from. Creating those rules is a complex task. Fortunately, vendors provide numerous ready-to-go rules that clients can work with.

NIDS and NIPS data analytics is another problem. Simply put, those systems’ job is to analyze traffic data and correctly detect an attack when it’s happening. Depending on the system’s location, the rate of false-positive and false-negative results changes, affecting the cybersecurity team’s workload.

For example, placing an IDS in front of the external firewall theoretically makes it an early detection system, but it also raises the number of false-positive alerts. Considering that the firewall already filters most potentially malicious traffic, the IDS’s task is to analyze and detect the traffic that bypasses the firewall’s filters. So, placing IDSs behind firewalls, and preferably near routers and switches, improves the chances of detecting an attack while reducing the probability of false positives.

Detection Methods

IDS and IPS systems may implement different detection methods, each with pros and cons.

Signature-based detection is frequently used in antivirus programs. It scans suspect data and looks for matches against known malicious patterns (signatures) stored in a database. This method is relatively easy to use, since it doesn’t take much computing power to execute. However, it’s vulnerable to zero-days, as those exploits, by definition, have not yet been discovered and analyzed.

The anomaly-based method relies on a baseline of network and system activity. This baseline then serves as a reference for analyzing deviations and deciding whether they indicate malicious activity. Behavior-based detection is similar but looks at the overall behavior of the network and compares it with the expected activity profile of an attack. Both methods can detect zero-days but also produce frequent false positives. For this reason, proper calibration and training are necessary, which means higher overhead than signature-based methods.

Implementing machine-learning algorithms, known as heuristic strategies, may improve on anomaly-based detection, since the results are more specific and descriptive: out-of-the-ordinary behaviors are categorized as benign, suspicious, or unknown.
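The complementary blind spots of signature-based and anomaly-based detection can be shown side by side on a handful of constructed records. This is an added example, not code from the post or from any IDS product; the sample request lines, the two toy signatures, the per-minute baseline, and the 3-sigma threshold are all assumptions.

```python
import re
import statistics
from typing import Dict, List, Tuple

# Constructed sample: (minute, source IP, HTTP request line) as a NIDS would see it.
SAMPLE_PACKETS: List[Tuple[int, str, bytes]] = [
    (0, "198.51.100.7", b"GET /index.html HTTP/1.1"),
    (1, "198.51.100.9", b"GET /search?q=1' UNION SELECT password FROM users HTTP/1.1"),
    (2, "203.0.113.5",  b"GET /cgi-bin/unknown-new-probe HTTP/1.1"),   # nothing known about it yet
    (3, "198.51.100.9", b"GET /../../etc/passwd HTTP/1.1"),
]

# Toy signature database: a name per known malicious pattern.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "sql-injection": re.compile(rb"(?i)union\s+select"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}


def signature_alerts(packets: List[Tuple[int, str, bytes]]) -> List[Tuple[int, str, str]]:
    """Signature-based detection: flag packets whose payload matches a known pattern."""
    alerts = []
    for minute, src, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((minute, src, name))
    return alerts


# Constructed baseline: connections per minute measured during normal operation.
BASELINE = [12, 15, 11, 14, 13, 12, 16, 14]
# Constructed observation: minute 2 is a flood from the unsignatured tool above.
OBSERVED = [13, 14, 90, 12]


def anomaly_alerts(counts: List[int], baseline: List[int] = BASELINE,
                   k: float = 3.0) -> List[Tuple[int, int]]:
    """Anomaly-based detection: flag minutes above mean + k * stddev of the baseline."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return [(minute, c) for minute, c in enumerate(counts) if c > threshold]


if __name__ == "__main__":
    # Signatures catch minutes 1 and 3 but are silent on the new probe in minute 2.
    print(signature_alerts(SAMPLE_PACKETS))
    # The rate anomaly catches minute 2 but says nothing about the single-shot attacks.
    print(anomaly_alerts(OBSERVED))
```

A lower `k` would make the anomaly detector more sensitive at the price of more false positives, which is the calibration trade-off the paragraph above describes.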

Zero Trust and NAC

All previous discussions in the present post rely on the assumption that there is a trusted network whose perimeter and internal elements must be protected. Issues arise when many organizational assets aren’t inside a clear perimeter, such as cloud services frequently provided by different CSPs. Bring Your Own Device (BYOD) policies further contribute to cybersecurity problems regarding authentication, authorization, and accounting (AAA) processes.

Zero trust is a recently proposed approach to the asset-decentralization problem. Its main goal is to build a security perimeter around specific resources rather than around networks. Cloud Access Security Brokers (CASBs), discussed previously, are one of many solutions behind a zero-trust architecture. Network Access Control (NAC) is another.

NACs work on an assessment-and-enforcement methodology, i.e., they examine users’ machines and grant or deny access based on the results. NAC relies on endpoint baselining, identity verification, monitoring, and containment. There are three main NAC components:

  • Access Requestor (AR): the machine that requests access to a resource;
  • Policy Decision Point (PDP): the element that assesses the AR and runs the authentication and authorization procedures;
  • Policy Enforcement Point (PEP): implements/enforces the access policy determined by the PDP.

Along with authentication and authorization, NAC runs a host health check. It compares the configurations and endpoint security measures in place with the baseline requirements. If the requesting host meets the minimum baseline, access is granted.
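The PDP/PEP split and the health check against a baseline can be modelled in a few functions. This is an added example, not code from the post or from any NAC product; the baseline requirements, the posture fields, the "quarantine to a remediation VLAN" containment choice, and the VLAN names are constructed assumptions.

```python
from typing import Callable, Dict, List, Tuple

# Constructed baseline: (posture field, check, description shown to the user).
BASELINE: List[Tuple[str, Callable[[object], bool], str]] = [
    ("av_enabled",     lambda v: v is True,              "antivirus enabled"),
    ("disk_encrypted", lambda v: v is True,              "full-disk encryption on"),
    ("patch_date",     lambda v: str(v) >= "2024-01-15",  "patched on or after 2024-01-15"),
    ("agent_version",  lambda v: tuple(v) >= (3, 2),      "NAC agent 3.2 or newer"),
]

# Constructed mapping used by the PEP: decision -> VLAN the access port is placed in.
VLANS = {"allow": "vlan-100-corporate", "quarantine": "vlan-999-remediation", "deny": None}


def health_check(posture: Dict[str, object]) -> List[str]:
    """PDP assessment step: return the baseline requirements the host fails."""
    failures = []
    for key, ok, description in BASELINE:
        value = posture.get(key)
        if value is None or not ok(value):      # a missing field is a failure, not a pass
            failures.append(description)
    return failures


def decide(identity_verified: bool, posture: Dict[str, object]) -> Tuple[str, List[str]]:
    """PDP decision: identity first, then host health against the baseline."""
    if not identity_verified:
        return "deny", ["identity not verified"]
    failures = health_check(posture)
    if failures:
        return "quarantine", failures           # containment: isolated until remediated
    return "allow", []


def enforce(decision: str) -> object:
    """PEP: apply the PDP's decision, here by selecting the VLAN for the AR's port."""
    return VLANS[decision]


if __name__ == "__main__":
    # Constructed posture reports from two Access Requestors.
    healthy = {"av_enabled": True, "disk_encrypted": True,
               "patch_date": "2024-02-10", "agent_version": (3, 4)}
    stale = {"av_enabled": False, "disk_encrypted": True,
             "patch_date": "2023-11-02", "agent_version": (3, 4)}
    for host, posture in (("laptop-A", healthy), ("laptop-B", stale)):
        decision, reasons = decide(True, posture)
        print(host, decision, enforce(decision), reasons)
```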

Diagram of NAC’s processes. PAP and PIP are not discussed in this post for simplicity’s sake. A future post will dissect them thoroughly.

NAC may be placed on the network in four ways: inline, out-of-band, switch-based, and endpoint-based. Inline NAC is positioned between an access point (AP) and a distribution switch. Switch-based NAC is similar to inline NAC, but the procedures are executed inside the switch. Out-of-band NAC does not sit in the traffic path; it provides its services when hosts contact it. Endpoint-based NAC requires agent software on the end users’ machines.

Agent-based or agentless solutions further specify how NAC operations happen. The former installs a client program that either stays resident on the host or is dissolvable, i.e., deleted immediately after performing its checks (aka portal-based agents). Agentless solutions perform NAC checks through code embedded in another application, such as an Active Directory domain controller.

Agentless solutions are quicker and easier to implement but offer fewer functionalities than agent-based ones. Best practice is to apply both methods, with the agentless one acting as a backup.

A future post will discuss zero trust in more detail. For now, it’s important to understand that the recommended architecture applies both models, with network segmentation as a post-admission security measure.

Written by Rodolfo Santos Flaborea

Psychologist and Cybersecurity Student. Certified in Security+ and currently studying for CREST CPTIA (Cyber Threat Intelligence).
