7.3: Networking Security Concepts

    There are many aspects to network security, and this chapter directly addresses many of them; the rest of the book covers security topics that fall outside network security proper. At its core, network security can be divided into two main areas of study: network hardware, and network software or protocols. Network hardware includes the physical devices and the firmware or operating system that allows them to function on the network. Network software or protocols are the standard methods of communication that the network hardware uses to transfer and share data across networks.

    Network Security Hardware

    The most fundamental level of security can and should be provided by the security features built into network hardware devices. Since different devices operate at different layers of the OSI or TCP/IP model, a layered security approach gives greater defense and protection: an attacker has to compromise multiple network devices, which significantly decreases the chance of success before the attack is discovered. We continue with an overview of some of the more common devices and their capabilities.

    • Switches
      Over the last several years switches have replaced the obsolete hub as the standard device for connecting computers, printers, Voice over IP (VoIP) phones and other end devices. A hub operates at Layer 1, the Physical Layer of the OSI model, which means it simply repeats every frame to every attached device. This not only generates unnecessary traffic but, from a security standpoint, lets an attacker on any port install software such as a protocol analyzer and capture every packet sent through the network.

      Switches, like hubs, connect multiple devices, but once the network is stable (computers and end devices are plugged into particular switch ports) the switch learns which device is on which port and records it in a switching table, also called the MAC address table. Switches operate at Layer 2, the Data Link Layer of the OSI model, and use Media Access Control (MAC) addresses to forward a frame only through the specific port the destination device is connected to. Network monitoring is still necessary, but this minimizes the data floating around the network that is exposed to attackers. The MAC address table is itself a target: an attacker who floods a port with frames from bogus source addresses can fill the table and force the switch to flood traffic like a hub, so port security settings that limit the number of addresses learned per port are part of a hardened switch configuration.

      Advanced switches also support Virtual Local Area Networks (VLANs), which add logical segmentation on top of physical port security. With the proper type of switch and configuration, these devices offer the first line of defense leading up to the next network device.
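The following is an added example, not code from the original page: a small simulation of the difference between a hub and a learning switch, with a per-port limit on learned MAC addresses standing in for a switch's port security feature. Port numbers, MAC addresses and the limit of two addresses per port are constructed for the illustration.

```python
# Added example: hub vs. learning switch, plus a port-security limit on the
# number of source MACs a single port may learn (the knob that defeats
# MAC-table flooding). All ports, addresses and limits are constructed.


def hub_forward(ingress_port, frame, ports):
    """A hub is a Layer 1 repeater: every frame goes out every other port,
    so any attached host can sniff all traffic."""
    return sorted(p for p in ports if p != ingress_port)


class LearningSwitch:
    def __init__(self, ports, max_macs_per_port=None):
        self.ports = list(ports)
        self.mac_table = {}          # mac -> port learned from source addresses
        self.max_macs = max_macs_per_port
        self.shutdown = set()        # ports disabled by a port-security violation

    def _learn(self, mac, port):
        """Record the source MAC; return False if the port's limit is exceeded."""
        if mac in self.mac_table:
            self.mac_table[mac] = port       # host moved ports: update
            return True
        learned_here = sum(1 for p in self.mac_table.values() if p == port)
        if self.max_macs is not None and learned_here >= self.max_macs:
            # Too many distinct source addresses on one port: the pattern a
            # flooding attack produces. Err-disable the port instead of
            # letting the table fill up and the switch degrade into a hub.
            self.shutdown.add(port)
            return False
        self.mac_table[mac] = port
        return True

    def forward(self, ingress_port, frame):
        """Return the list of egress ports for a (src, dst, payload) frame."""
        src, dst, _payload = frame
        if ingress_port in self.shutdown or not self._learn(src, ingress_port):
            return []                        # frame discarded
        if dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == ingress_port else [out]
        # Unknown destination: flood like a hub until the address is learned.
        return sorted(p for p in self.ports if p != ingress_port)


def demo():
    ports = [1, 2, 3, 4]
    sw = LearningSwitch(ports, max_macs_per_port=2)
    a, b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"   # constructed hosts
    results = {}
    # A (port 1) talks to B before B is known: flooded to every other port.
    results["first"] = sw.forward(1, (a, b, "hello"))
    # B answers from port 2: A is already learned, so only port 1 sees it.
    results["reply"] = sw.forward(2, (b, a, "hi"))
    # From now on A -> B is delivered only to port 2; a hub still repeats it.
    results["unicast"] = sw.forward(1, (a, b, "data"))
    results["hub"] = hub_forward(1, (a, b, "data"), ports)
    # Attacker on port 3 spoofs many source MACs to overflow the table.
    flooded = [sw.forward(3, ("ff:ff:ff:ff:ff:%02x" % i, b, "x")) for i in range(5)]
    results["flood_accepted"] = sum(1 for r in flooded if r)
    results["port3_down"] = 3 in sw.shutdown
    return results


if __name__ == "__main__":
    print(demo())
```

With the limit set, only the first two spoofed addresses are learned; the third violation shuts the port down and the remaining frames are discarded, whereas without a limit the table would eventually fill and unknown destinations would be flooded to every port, giving the attacker the same visibility a hub would.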

    • Routers
      Routers operate at Layer 3, the Network Layer of the OSI model, and their purpose is to “route” packets between different networks. A router reads the destination address of each packet it receives, consults its routing table and sends the packet toward the next network on the way to the final destination. In doing so, routers also provide a built-in security function: they can filter specific types of traffic going to specific networks.

      Routers are complex devices with many configuration features, and in many small networks the router is the main security appliance for the entire organization. Routers come in various sizes and levels of robustness depending on how much bandwidth and traffic they are designed to handle, and on their ability to enforce Access Control Lists (ACLs), ordered rules that determine which packets may propagate through the network. ACL rules are typically evaluated top-down, the first match wins, and traffic that matches no rule is denied, so rule order matters as much as rule content. A misconfigured ACL can block legitimate traffic and, in some cases, bring the entire network to a screeching halt.

      Routers typically run their own operating system on a capable central processing unit with random access memory and storage. Traditionally routers were wired devices, but with the rapid growth of mobile computing, wireless routers are now the dominant device in households and small businesses. Router administrator passwords and security patches must be properly configured and maintained for routers to be effective and protected against attackers.
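The following is an added example, not from the original page, showing how an ordered, first-match ACL behaves and how a reordering mistake silently disables a rule. The rule format, the addresses (10.0.0.0/8 is the assumed internal network, 192.0.2.0/24 the server LAN) and the rule sets are constructed for the illustration; `rules_never_hit` is a hypothetical sanity check, not a router feature.

```python
# Added example (not from the original page): a first-match ACL evaluator
# modelled on router extended ACLs. Rule syntax, addresses and rule sets
# are constructed; 10.0.0.0/8 is the assumed internal network.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Top-down, first match wins. Returns (action, index of the rule that
    fired); index -1 is the implicit deny that ends every router ACL."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", -1


def rules_never_hit(acl: List[Rule], packets: List[Packet]) -> List[int]:
    """Hypothetical check: rules that no packet in a representative sample
    reaches are probably shadowed by an earlier, broader rule."""
    hit = {evaluate(acl, p)[1] for p in packets}
    return [i for i in range(len(acl)) if i not in hit]


ANY = "0.0.0.0/0"
INTENDED = [
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", 443),  # HTTPS to web server
    Rule("deny", "ip", "10.0.99.0/24", ANY),                     # quarantine subnet
    Rule("permit", "ip", "10.0.0.0/8", "192.0.2.0/24"),          # rest of server LAN
]
# Same three rules, but the quarantine deny was appended after the broad
# permit. It is now unreachable and quarantined hosts reach the server LAN.
MISORDERED = [INTENDED[0], INTENDED[2], INTENDED[1]]

# Constructed sample traffic used to exercise the policy.
SAMPLE = [
    Packet("tcp", "10.0.5.7", "192.0.2.10", 443),      # ordinary HTTPS
    Packet("tcp", "10.0.5.7", "192.0.2.20", 22),       # admin SSH to server LAN
    Packet("tcp", "10.0.99.4", "192.0.2.20", 22),      # quarantined host
    Packet("tcp", "198.51.100.9", "192.0.2.10", 443),  # outsider: no rule, implicit deny
]


def check_policy(acl: List[Rule]) -> dict:
    verdicts = [evaluate(acl, p)[0] for p in SAMPLE]
    return {"verdicts": verdicts, "never_hit": rules_never_hit(acl, SAMPLE)}


if __name__ == "__main__":
    print("intended:  ", check_policy(INTENDED))
    print("misordered:", check_policy(MISORDERED))
```

Against the intended list the quarantined host is denied and every rule is exercised; in the misordered list the same host is permitted and the deny rule is reported as never hit, which is the kind of check worth running before pushing an ACL change to a production router.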

    • Firewalls
      Network firewalls are devices designed to protect an entire network by inspecting packets and either allowing or denying their entry. A hardware firewall is usually located at the boundary of the internal network and is the first line of defense from the outside. The firewall filters packets in one of two ways. The first is “stateless packet filtering”, which looks at each incoming packet on its own and permits or denies it based on conditions pre-defined by the network or security administrator. “Stateful packet filtering” is the second method: the firewall keeps a record of each connection between an internal computer and an external device and decides based on the state of that connection as well as the configured conditions, so, for example, a reply packet is admitted only if the internal host opened the connection.

      A firewall has four possible actions for a packet. It can “allow” the packet, letting it pass and continue on the network; it can “drop” the packet, discarding it without sending any response to the sender; it can “reject” the packet, discarding it and informing the sender (for example with a TCP reset or an ICMP unreachable message); or it can “ask”, pausing for user intervention to decide the next course of action. There are also traditional rule-based firewalls as well as more modern application-aware firewalls, also known as “next-generation firewalls” (NGFW), because they have more “intelligent” capabilities such as identifying the application behind the traffic rather than only its port.
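The following is an added example, not from the original page, contrasting a stateless filter with a stateful one on the same traffic and mapping the four verdicts to what the sender observes. Addresses, ports and the inbound policy are constructed; the `StatefulFirewall` class and `inbound_policy` function are illustrative names, not a real product's API.

```python
# Added example (not from the original page): stateless vs. stateful packet
# filtering and the allow/drop/reject/ask verdicts. All hosts, ports and
# rules are constructed for the illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    direction: str  # "in" (from the Internet) or "out" (from the LAN)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def stateless_filter(pkt: Pkt) -> str:
    """Each packet is judged alone. To let replies to outbound sessions back
    in, a stateless policy has to permit inbound traffic to every ephemeral
    port, which also admits unsolicited packets aimed at those ports."""
    if pkt.direction == "out":
        return "allow"
    if pkt.proto == "tcp" and pkt.dport >= 1024:
        return "allow"      # the hole a stateless filter must leave open
    return "drop"


class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy      # decides *new* inbound connection attempts
        self.connections = set()  # (proto, lan_ip, lan_port, ext_ip, ext_port)

    def filter(self, pkt: Pkt) -> str:
        if pkt.direction == "out":
            # Remember the connection the inside host opened.
            self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections:
            return "allow"        # reply to a session the LAN side started
        return self.policy(pkt)   # anything else is a new inbound attempt


def inbound_policy(pkt: Pkt) -> str:
    """Constructed rules for unsolicited inbound packets."""
    if pkt.proto == "tcp" and pkt.dport == 443 and pkt.dst == "192.0.2.10":
        return "allow"    # published web server
    if pkt.proto == "tcp" and pkt.dport == 22:
        return "reject"   # tell the sender at once instead of letting it wait
    if pkt.dport == 3389:
        return "ask"      # escalate to an administrator
    return "drop"         # silently discard, no response


def respond(verdict: str, pkt: Pkt) -> str:
    """What the sender observes for each verdict."""
    return {
        "allow": "forwarded",
        "drop": "silence (connection times out)",
        "reject": "TCP RST" if pkt.proto == "tcp" else "ICMP port unreachable",
        "ask": "held pending operator decision",
    }[verdict]


def demo() -> dict:
    fw = StatefulFirewall(inbound_policy)
    out = Pkt("out", "tcp", "10.0.0.5", 51234, "203.0.113.7", 443)
    reply = Pkt("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 51234)
    # Unsolicited packet to the same ephemeral port from a different host.
    probe = Pkt("in", "tcp", "198.51.100.9", 40000, "10.0.0.5", 51234)
    ssh = Pkt("in", "tcp", "198.51.100.9", 40001, "10.0.0.5", 22)
    fw.filter(out)                        # LAN host opens the session
    return {
        "reply_stateless": stateless_filter(reply),
        "probe_stateless": stateless_filter(probe),   # allowed: port-based only
        "reply_stateful": fw.filter(reply),
        "probe_stateful": fw.filter(probe),           # no matching state: dropped
        "ssh_stateful": fw.filter(ssh),
        "ssh_observed": respond(fw.filter(ssh), ssh),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The stateless filter cannot distinguish the genuine reply from the probe because both arrive on the same high port; the stateful filter admits only the packet that matches a connection the inside host opened and hands everything else to the explicit inbound policy.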

    • Intrusion Detection Systems
      An intrusion detection system (IDS) is a device that can detect an attack as it occurs. An IDS can use several different methods for monitoring and detection, but all of them involve real-time monitoring and examination of network traffic, activity, behaviors and transactions in order to detect security-related anomalies. An IDS can be installed either on a local host or on the network, and it uses one of the following four methods:
      • Anomaly-based monitoring detects statistical anomalies. A baseline is established over a period of time, and whenever there is a significant deviation from this baseline an alarm or flag is raised. This method is fast but produces false positives when there are real, non-security-related spikes in network activity. Additionally, anomaly-based monitoring requires heavy processing, so adequate hardware resources need to be dedicated to it.
      • Signature-based monitoring looks at network traffic and activity for well-known patterns, in the same way antivirus scanning does. One weakness is that the signatures need to be constantly updated, which consumes network bandwidth; another is that a signature can only catch an attack that has already been seen and described. If the signatures are too specific they miss variants of an intrusion, whereas if they are too general they cause many false positives.
      • Behavior-based monitoring is a compromise between anomaly-based and signature-based monitoring: it is adaptive and proactive rather than reactive. It analyzes the behavior of processes and programs on a system and alerts the user to abnormal activity. One advantage is that it can detect new attacks quickly even when no signature or definition for them exists yet.
      • Heuristic monitoring is the last method and uses a different approach. Instead of comparing actions, as anomaly-based and signature-based monitoring do, or comparing behaviors, as behavior-based monitoring does, it uses experience-based techniques. The question it attempts to answer is “can this action be harmful to the system?” It monitors for events such as port scanning and protocol captures that are potentially dangerous and raises alerts accordingly.
    • Intrusion Prevention Systems
      An Intrusion Prevention System (IPS), as the name implies, not only monitors and alerts on malicious activity as an IDS does but also attempts to stop the attack. IPS devices are usually placed inline with specific network hardware or hosts, where they can respond quickly by blocking ports or packets deemed dangerous in addition to reporting the event back to the central monitoring system. Most IPS products employ some level of intelligence to provide greater accuracy and speed in responding to potential attacks. Because an IPS acts automatically, a false positive does not merely raise an alert but blocks legitimate traffic, so IPS rules need more careful tuning than IDS rules.
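The following is an added example, not from the original page, covering both the IDS methods above and the IPS behaviour. It runs three of the detection methods (signature, anomaly and a port-scan heuristic) over a constructed event log and then shows an inline IPS that blocks a source as soon as the signature or heuristic detector fires. The log format, signatures, thresholds and addresses are all constructed for the illustration; the class and function names are hypothetical, not a real product's API.

```python
# Added example (not from the original page): signature, anomaly and
# heuristic detection over a constructed event log, plus an inline IPS that
# blocks offending sources. Log format, signatures and thresholds are constructed.
import re
import statistics
from collections import defaultdict

# Each event is (second, src_ip, dst_ip, dst_port, payload).
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"(?i)'\s*or\s+1\s*=\s*1")),
]


def build_sample_log():
    """Constructed traffic: ten seconds of ordinary browsing, one request
    carrying a traversal string, a port scan, and a request flood."""
    log, hosts = [], ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
    for t in range(10):
        for i in range(2 + t % 2):
            log.append((t, hosts[i], "192.0.2.10", 443, "GET /index.html"))
    log.append((4, "10.0.0.6", "192.0.2.10", 80, "GET /../../etc/passwd"))
    for port in range(20, 35):                       # 15 ports in one second
        log.append((10, "198.51.100.9", "192.0.2.10", port, ""))
    for _ in range(30):                              # far above the baseline rate
        log.append((11, "203.0.113.7", "192.0.2.10", 443, "GET /"))
    return log


def signature_scan(event):
    """Signature-based: match known-bad patterns in the payload."""
    return [name for name, rx in SIGNATURES if rx.search(event[4])]


class PortScanHeuristic:
    """Heuristic: one source touching many distinct ports within a second."""
    def __init__(self, threshold=10):
        self.seen = defaultdict(set)       # (src, second) -> ports contacted
        self.threshold = threshold

    def observe(self, event):
        t, src, _dst, dport, _ = event
        ports = self.seen[(src, t)]
        ports.add(dport)
        return len(ports) == self.threshold    # fire once, when crossed


def anomaly_windows(log, learn_seconds=10, k=3.0):
    """Anomaly-based: learn a per-second rate baseline from the first
    learn_seconds, then flag later seconds more than k std devs above it."""
    counts = defaultdict(int)
    for t, *_ in log:
        counts[t] += 1
    baseline = [counts[t] for t in range(learn_seconds)]
    mu, sd = statistics.mean(baseline), statistics.stdev(baseline)
    return sorted(t for t, n in counts.items() if t >= learn_seconds and n > mu + k * sd)


class InlineIPS:
    """An IDS only records alerts; an IPS also acts on them, here by
    blocking every later packet from the offending source."""
    def __init__(self):
        self.blocked, self.alerts, self.dropped = set(), [], 0
        self.scanner = PortScanHeuristic()

    def process(self, event):
        src = event[1]
        if src in self.blocked:
            self.dropped += 1
            return "drop"
        hits = signature_scan(event)
        if self.scanner.observe(event):
            hits.append("port scan")
        if hits:
            self.alerts.append((event[0], src, hits))
            self.blocked.add(src)          # the prevention step
            return "drop"
        return "allow"


def run(log):
    ips = InlineIPS()
    for event in sorted(log, key=lambda e: e[0]):   # stable: keeps arrival order
        ips.process(event)
    return {
        "alerts": ips.alerts,
        "blocked": sorted(ips.blocked),
        "dropped_after_block": ips.dropped,
        "anomalous_seconds": anomaly_windows(log),
    }


if __name__ == "__main__":
    for k, v in run(build_sample_log()).items():
        print(k, v)
```

Note the cost of prevention in this run: the internal host 10.0.0.6 is blocked for a single suspicious request, and its five subsequent ordinary requests are dropped along with the rest of the scanner's probes. The rate anomaly at seconds 10 and 11 is only reported, because the baseline comparison runs in batch rather than per packet, which is why anomaly detectors are usually paired with a signature or heuristic engine for inline blocking.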

    • Unified Threat Management Security Appliance (UTM)
      Since there are many different types of network security hardware devices, such as firewalls, Internet content filters, web security gateways, IDS and IPS devices, managing them all can be very complex. A Unified Threat Management (UTM) security appliance combines several of these functions in one device and can offer an array of security functions including:
      • Antivirus and Antispyware
      • Antispam and Anti-Phishing
      • Bandwidth optimization
      • Content filtering
      • Encryption
      • Firewall
      • Intrusion Detection and Prevention
      • Web filtering

    The Unified Threat Management device has also been referred to as the All-in-One Network Security Appliance.

    7.3: Networking Security Concepts is shared under a not declared license and was authored, remixed, and/or curated by LibreTexts.
