Chapter 7 - 08 - Discuss Other Network Security Controls_fax_ocred.pdf
EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Module Flow
- Discuss Essential Network Security Protocols
- Discuss Security Benefits of Network Segmentation
- Understand Different Types of Firewalls and their Role
- Understand Different Types of IDS/IPS and their Role
- Understand Different Types of Honeypots
- Understand Different Types of Proxy Servers and their Benefits
- Discuss Fundamentals of VPN and its Importance in Network Security
- Discuss Other Network Security Controls
- Discuss Importance of Load Balancing in Network Security
- Understand Various Antivirus/Anti-malware Software

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Discuss Other Network Security Controls

The objective of this section is to explain the various essential network security solutions. It describes security solutions such as user behavior analytics (UBA), network access control (NAC), web content filters, unified threat management (UTM), and security orchestration, automation, and response (SOAR).

Module 07 Page 969 Certified Cybersecurity Technician Copyright © by EC-Council

User Behavior Analytics (UBA)

UBA is the process of tracking user behavior to detect malicious attacks, potential threats, and financial fraud.
It provides advanced threat detection in an organization by monitoring specific behavioral characteristics of employees. UBA technologies are designed to identify any unusual variations in traffic patterns caused by users, who can be either disgruntled employees or malicious attackers. UBA is used as a defense mechanism against anomalous user behavior and addresses some of the most complicated issues faced by security professionals today.

The employees of a company access different websites, tools, and applications, and all their activities are logged and monitored. While these applications are running, there is a possibility of an intruder gaining access to the IT system and stealing credentials without the user's knowledge. When an intruder (an external attacker or an insider) operates on the company's network as a legitimate user, UBA distinguishes the unusual behavior of the account by comparing it against the behavior baselines of both the user and the attacker; it then raises an alert in its database and highlights the risk scores. When an alert is issued, a notification is sent to the user's personal device for confirmation. If the user does not confirm the activity, it is treated as a major security breach. Depending on the severity of the incident and the risk level, security teams can disable the user's account through UBA.

Why User Behavior Analytics is Effective
- Detects malicious insiders and outsiders at an early stage
- Identifies possible risk events in the IT infrastructure
- Analyzes different patterns of human behavior and large volumes of user data
- Monitors geo-location for each login attempt
- Detects malicious behavior and reduces risk
- Monitors privileged accounts and issues real-time alerts for suspicious behavior
- Provides insights to security teams
- Produces results soon after deployment
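The baseline comparison and risk scoring described above, as an added example that is not part of the EC-Council material: the block builds a per-user baseline (countries, hosts and login hours) from constructed login records, scores each new login against it, gives extra weight to an assumed set of privileged accounts, and maps the score to the notify-then-disable response the text describes. The user names, log lines, weights and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logins (not from the page), "user,timestamp,country,host": HISTORY is
# known-good activity used to build each user's baseline; NEW_LOGINS are the logins to score.
HISTORY = """\
alice,2024-03-04T09:05:00,US,alice-laptop
alice,2024-03-05T08:50:00,US,alice-laptop
alice,2024-03-06T17:40:00,US,alice-laptop
bob,2024-03-04T10:15:00,DE,bob-desktop
"""
NEW_LOGINS = """\
alice,2024-03-07T09:10:00,US,alice-laptop
alice,2024-03-07T03:12:00,RU,unknown-host
bob,2024-03-07T22:45:00,DE,bob-desktop
"""
PRIVILEGED = {"bob"}  # assumed set of privileged accounts that get extra weight

def parse(text):
    return [{"user": u, "time": datetime.fromisoformat(t), "country": c, "host": h}
            for u, t, c, h in (line.split(",") for line in text.splitlines())]

def build_baselines(events):
    """Per-user profile: countries, hosts and hours of day seen during normal use."""
    base = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": []})
    for e in events:
        p = base[e["user"]]
        p["countries"].add(e["country"])
        p["hosts"].add(e["host"])
        p["hours"].append(e["time"].hour)
    return dict(base)

def risk_score(event, baselines):
    """Compare one login with the user's baseline; each deviation adds to the risk score."""
    p = baselines.get(event["user"])
    if p is None:
        return 50, ["no baseline for this user"]
    score, reasons = 0, []
    if event["country"] not in p["countries"]:
        score, reasons = score + 40, reasons + ["new geo-location"]
    if event["host"] not in p["hosts"]:
        score, reasons = score + 25, reasons + ["new device/host"]
    if not (min(p["hours"]) - 1 <= event["time"].hour <= max(p["hours"]) + 1):
        score, reasons = score + 20, reasons + ["outside usual hours"]
    if event["user"] in PRIVILEGED and score:
        score, reasons = score + 15, reasons + ["privileged account"]
    return score, reasons

def triage(score):
    """Map the score to the response the text describes: confirm with the user, then disable."""
    return ("alert: notify user; disable account if unconfirmed" if score >= 60
            else "alert: notify user for confirmation" if score >= 20 else "normal")

def analyze(history=HISTORY, new=NEW_LOGINS):
    """Return (user, timestamp, score, reasons, action) for every new login."""
    baselines = build_baselines(parse(history))
    scored = [(e, *risk_score(e, baselines)) for e in parse(new)]
    return [(e["user"], e["time"].isoformat(), s, r, triage(s)) for e, s, r in scored]
```

Real UBA products learn the baseline statistically over long windows and many more signals; the fixed weights here only show how several small deviations combine into one risk score.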
UBA/UEBA Tools

User behavior analytics (UBA) and user and entity behavior analytics (UEBA) tools collect user activity details from multiple sources and use artificial intelligence and machine learning (AI/ML) algorithms to analyze user behavior in order to prevent and detect various threats before fraud is perpetrated. User accounts are not the only entities in UEBA; entities also include system accounts such as virtual servers, workstations, IoT, and OT devices connected to the network. Listed below are some of the important UBA/UEBA tools:
- Exabeam Advanced Analytics (https://www.exabeam.com)
- LogRhythm UEBA (https://logrhythm.com)
- Dtex Systems (https://dtexsystems.com)
- Gurucul Risk Analytics (GRA) (https://gurucul.com)
- Securonix UEBA (https://www.securonix.com)

Network Access Control (NAC)

- Network access control, also known as network admission control (NAC), refers to appliances or solutions that attempt to protect the network by restricting the connection of an end user to a network on the basis of a security policy.
- The preinstalled software agent might inspect several items before admitting the device and might restrict where the device may be connected.

What does NAC do?
- Authentication of users connected to network resources
- Identification of devices, platforms, and operating systems
- Defining a connection point for network devices
- Development and application of security policies
Network access control (NAC), also known as network administration control, restricts the availability of a network to end users depending on the security policy. It mainly restricts systems without antivirus and intrusion prevention software from accessing the network. NAC allows an administrator to create policies for each user or system and to define policies for networks in terms of IP addresses. The preinstalled software agent might inspect several items before admitting the device and might restrict where the device may be connected.

NAC implements detection programs using the following points:
- It searches for an antivirus program and examines whether it has been updated.
- It checks whether the end system has a configured firewall or intrusion prevention software.
- It searches for any viruses on the network and checks whether the operating system has been updated.

NAC performs the following actions:
- It evaluates unauthorized users, devices, or behaviors in the network, and provides access to authorized users and other entities.
- It helps in identifying users and devices on a network, and determines whether these users and devices are secure.
- It examines the system's integration with the network according to the security policies of the organization.

NAC helps in maintaining security policies for increased control of the network. An organization must look into the threats to its network while considering the cost of implementing NAC. Organizations need to have plans to rectify faults in the policies while implementing NAC. They should consider the following points:
- Do the NAC policies authenticate users?
- How well has the NAC been implemented?
- Has the NAC been properly integrated with the device?
- Does the NAC tool check whether the end user is blocked?

Organizations need to consider the following resources while implementing NAC:
- Network infrastructure: Incorporate network access control policies within the network infrastructure
- Security: Managing the infrastructure
- Human resources: Reporting the network policies to the employees in an organization
- Operations: Management of response, procedures, and actions
- Management: Deciding the priority of the policies, the effect of the policies on the organization, and managing budget issues

Examples of NAC:
- ForeScout CounterACT (https://www.forescout.com)
- ExtremeControl (https://www.extremenetworks.com)
- Trustwave's NAC (https://www.trustwave.com)
- Cisco NAC Appliance (https://www.cisco.com)

Web Content Filter

- A content filter is either software or hardware that blocks browsing of harmful websites and undesirable content on the World Wide Web (WWW).
- It protects the network from malware, phishing, and pharming attacks.
- It filters content based on keywords, URLs, and contextual analysis.
- It provides additional protection beyond traditional network firewalls and antivirus software.

Web content filters block deceptive web pages or emails. They protect the network from malware and other systems that are unreceptive and interfering. A content filter allows the organization to block certain websites.
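As an added example (not from the page or from any of the products it names), the following filter applies the three checks listed above, URL, keyword and contextual analysis, to a constructed policy: a domain list matched including parent domains, keywords in the URL path, and a density check over the page text so that a single mention of a flagged word in a long article is not blocked. The domains, keyword lists and threshold are assumed values.

```python
import re
from urllib.parse import urlsplit

# Constructed filtering policy (not from the page): categories the organization blocks, a small
# domain-to-category list, keywords matched in the URL path, and keywords scored in page text.
BLOCKED_CATEGORIES = {"social-networking", "malware", "gambling"}
DOMAIN_CATEGORIES = {"social-site.example": "social-networking", "bad-host.example": "malware"}
URL_KEYWORDS = {"phishing-login": "malware"}
CONTENT_KEYWORDS = {"casino": "gambling", "jackpot": "gambling", "slots": "gambling"}
DENSITY_THRESHOLD = 0.1  # share of page words that must be flagged before content is blocked

def domain_category(host):
    """Look up the host and each parent domain, so cdn.social-site.example inherits the category."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        cat = DOMAIN_CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None

def content_category(text):
    """Contextual check: count flagged words and block only when they dominate the page text,
    so a news article that mentions a casino once is not treated like a gambling site."""
    words = re.findall(r"[a-z']+", text.lower())
    hits = {}
    for w in words:
        cat = CONTENT_KEYWORDS.get(w)
        if cat:
            hits[cat] = hits.get(cat, 0) + 1
    for cat, n in hits.items():
        if n / len(words) >= DENSITY_THRESHOLD:
            return cat
    return None

def filter_request(url, page_text=""):
    """Return (decision, reason) for a requested URL and, when available, the fetched page body.
    Checks run from cheapest to most expensive: domain list, URL keywords, then page content."""
    parts = urlsplit(url)
    cat = domain_category(parts.hostname or "")
    if cat in BLOCKED_CATEGORIES:
        return "block", f"domain category: {cat}"
    for kw, kcat in URL_KEYWORDS.items():
        if kw in parts.path.lower() and kcat in BLOCKED_CATEGORIES:
            return "block", f"url keyword '{kw}' ({kcat})"
    ccat = content_category(page_text)
    if ccat in BLOCKED_CATEGORIES:
        return "block", f"page content classified as {ccat}"
    return "allow", "no policy match"

if __name__ == "__main__":
    # Constructed requests: a blocked site reached via a subdomain, a phishing path, and two
    # pages that both mention gambling terms but differ in how much of the text they make up.
    NEWS = ("Regulators reviewed the casino industry this week and published a report on "
            "consumer protection, advertising rules and tax revenue across several states.")
    for url, body in [("https://cdn.social-site.example/app", ""),
                      ("http://files.example/phishing-login/index.html", ""),
                      ("https://news.example/article", NEWS),
                      ("https://promo.example/", "casino jackpot slots casino jackpot bonus")]:
        print(url, filter_request(url, body))
```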
Organizations can implement different types of internet filtering, such as:
- Browser-based filters
- E-mail filters
- Client-side filters
- Content-limited filters
- Network-based filtering
- Search engine filters

Figure 7.126: Client-side Internet filtering, gateway level content filtering, and end-to-end content filtering

In the process of content filtering, a web content filter compares each character string on the website in order to screen it. Most organizations filter pornographic or violence-related websites. Content filtering can protect a network from all kinds of malware code or other attacks that can make massive changes to the system and network.

Advantages of Web Content Filters

- They can control productivity: It is often difficult to manage employee activities in a large organization. An internet content filter can assist an organization in restricting employees from using social networking sites or illegitimate sites. Security professionals can block sites that are not related to work and thereby increase the efficiency and productivity of the organization.
- They provide a high level of protection: Internet content filters normally provide protection from malware programs and software.
- They restrict all kinds of liability issues: Content filtering software can prevent users from sharing files and other documents outside the organization.
- They are highly flexible: Web content filters enable the organization to decide on the sites that need to be blocked. They also give the organization the ability to change the site-blocking settings at any time.
- They increase the speed of the internet connection: Web content filtering allows the organization to control the bandwidth consumption of the internet connection by blocking sites, which in turn increases the speed of the internet connection.

Examples of Web Content Filters

OpenDNS
Source: https://www.opendns.com
OpenDNS filters web content and prevents access to unsafe or inappropriate websites on your network. It enables you to quickly block content using three predefined web filtering levels. You can also customize the web categories to filter, or allow access only to the websites you specify.
Figure 7.127: Screenshot of OpenDNS (block page reading "This site is blocked due to content filtering", listing the categories Adult Themes, Lingerie/Bikini, Nudity, Pornography, Sexuality)

Some of the additional web content filters are listed below:
- NetSentron (https://www.netsentron.com)
- Barracuda Web Security and Filtering (https://www.barracuda.com)
- Check Point URL Filtering (https://www.checkpoint.com)
- FortiGuard Web Filtering Service (https://www.fortiguard.com)
- ContentProtect Professional (https://www.contentwatch.com)

Unified Threat Management (UTM)

- Unified threat management (UTM) is a network security management solution that allows an administrator to monitor and manage an organization's network security through a centralized management console.

Unified threat management (UTM) is a security management method that enables the security professional to evaluate and examine security-related applications and other components through a single console. UTM helps in minimizing the complexity of the network by protecting users from blended threats.
It provides firewall, intrusion detection, anti-malware, spam filter, load balancing, content filtering, data loss prevention, and virtual private network (VPN) capabilities using a single UTM appliance.

Figure 7.128: Unified Threat Management (UTM) (UTM solutions shown as Load Balancer, Network Firewall, Content Filter, Anti-virus and Anti-spam, Virtual Private Network (VPN), and IDS/IPS)

Advantages of UTM:
- Low cost: It reduces the cost of buying multiple devices, as a UTM requires a single console that can manage the whole network.
- Low maintenance cost: As only a single console is used, it requires little maintenance.
- Easy installation and management: UTM involves the use of only a single console, which requires minimal wiring and other installation requirements.
- Fully integrated: UTM is a complete console that incorporates every feature required for protecting a network.

Disadvantages of UTM:
- Less specialization: Since a UTM is a single console managing the whole security of the network, there is a chance of it missing certain features required for maintaining security. However, this can be avoided by using dedicated devices for each feature.
- Single point of failure: UTM involves the use of a single console with all features included in it. Failure of one feature can affect the performance of other features and consequently the working of the UTM console as a whole.
- Possible performance constraints: A single console in UTM performs various tasks at the same time, and there is a chance that not all tasks or features get adequate CPU time. This situation may leave the system open to attacks.
Examples of UTM Appliances
- Endian UTM (https://www.endian.com)
- WatchGuard Firebox UTM (https://www.watchguard.com)
- Sophos UTM (https://www.sophos.com)
- Fortinet UTM (https://www.fortinet.com)
- Check Point UTM (https://www.checkpoint.com)
- SonicWall UTM (https://www.sonicguard.com)

Endian UTM
Source: https://www.endian.com
Endian UTM provides complete network security with advanced features such as web filtering, email filtering, firewall, hotspot (captive portal), and intrusion prevention with deep-packet inspection. It also provides network segregation to keep your internal networks safe and secure.

(Screenshot of the Endian firewall community dashboard: Dashboard, Network configuration, Dashboard Settings, Event notifications)
Figure 7.133: Screenshot of Splunk Phantom

Some of the additional SOAR solutions are listed below:
- CRITICALSTART (https://www.criticalstart.com)
- Exabeam Fusion XDR (https://www.exabeam.com)
- Cortex XSOAR (https://www.paloaltonetworks.com)
- McAfee ePO (https://www.mcafee.com)
- IBM Security SOAR (https://www.ibm.com)