Chapter 7 - 08 - Discuss Other Network Security Controls_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Module Flow

Discuss Essential Network Understand Different Types of
Security Protocols Proxy Servers and their Benefits

Discuss Fundamentals of VPN
Discuss Security Benefits -
o and its importance in Network
of Network Segmentation - {,‘.
’ Security

o
Understand Different Types @ \ Discuss Other Network Security
of Firewalls and their Role Controls

Understand Different Types Discuss Importance of Load
of IDS/IPS and their Role E‘ Balancing in Network Security

Understand Different Types Understand Various
of Honeypots Antivirus/Anti-malware Software

Copyright © by All Rights Reserved. Reproductionis Strictly Prohibited.

Discuss Other Network Security Controls
The objective of this section is to explain the various essential network security solutions. It
describes the security solutions such as user behavior analytics (UBA), network access control
(NAC), web content filter, unified threat management (UTM), and security orchestration,
automation, and response (SOAR).

Module 07 Page 969 Certified Cybersecurity Technician Copyright © by EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

User Behavior Analytics (UBA)

@ UBA is the process of tracking user behavior to detect
malicious attacks, potential threats, and financial
fraud

It provides advanced threat detection in an <
||.4] organization to monitor specific behavioral
characteristics of employees

UBA technologies are designed to identify variations
in traffic patterns caused by user behaviors which can
be either disgruntled employees or malicious
attackers

Copyright © by | L. All Rights Reserved. Reproduction Is Strictly Prohibited

User Behavior Analytics (UBA)
UBA is the process of tracking user behavior to detect malicious attacks, potential threats, and
financial frauds. It provides advanced threat detection in an organization to monitor specific
behavioral characteristics of the employees. UBA technologies are designed to identify any
unusual variations in traffic patterns caused by users, who can be either disgruntled employees
or malicious attackers. UBA is used as a defense mechanism to address anomalous user
behavior to overcome the most complicated issues faced by security professionals today.
The employees working in a company access different websites, tools, and applications. All
their activities are logged and monitored. While these applications are running, there is a
possibility of an intruder gaining access to the IT system and stealing credentials without the
knowledge of the user. When an intruder (external attacker or an insider) stays on the
company’s network as a legitimate user, UBA distinguishes this unusual behavior of the account
by comparing the behavior baselines of both the user and the attacker; it then issues an alert
on its database and highlights the risk scores. When an alert is issued, a notification is sent to
the user’s personal device for confirmation. In case the user does not confirm this activity, it is
considered a major security breach. Through UBA, the user’s account can be disabled by the
security teams depending on the severity of the incident and the risk level.

Module 07 Page 970 Certified Cybersecurity Technician Copyright © by EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Why User Behavior Analytics is Effective?

1 2 3 4
|S — e — [ 1 )
Detects malicious Identifies possible risk Analyzes different Monitors geo-location
insiders and outsiders events in the IT patterns of human for each login attempt
at an early stage infrastructure behavior and large
volumes of user’s data

S 6 { 8
Detects malicious Monitors privileged Provides insights to Produces results soon
behavior and reduces accounts and provides security teams after deployment
risk real time alerts for
suspicious behavior

Copyright © by EC-L: I. All Rights Reserved. Reproductionis Strictly Prohibited.

Why User Behavior Analytics is Effective?
Detects malicious insiders and outsiders at an early stage
Identifies possible risk events in the IT infrastructure
Analyzes different patterns of human behavior and large volumes of user data
Monitors geo-location for each login attempt
Detects malicious behavior and reduces risk
Monitors privileged accounts and issues real-time alerts for suspicious behavior insights
to security teams

Provides insights to security teams

Produces results soon after deployment

Module 07 Page 971 Certified Cybersecurity Technician Copyright © by EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

UBA/UEBA Tools
[
|
Q Exabeam Advanced Analytics
https://www.exabeam.com
Q User Behavior Analytics
(UBA)/User and Entity
Behavior (UEBA) Tools
20 D @’ ") | LogRhythm UEBA
collect user activity details https://logrhythm.com
from multiple sources and
use artificial intelligence
and machine learning f Dtex Systems
https://dtexsystems.com
(A1/ML) algorithms to
perform user behavior
analysis to prevent and
l\ * Gurucul Risk Analytics (GRA)
detect various threats
before the fraud is N
e——
» |
e
https://gurucul.

perpetrated
(l) Securonix UEBA
https://www.securonix.com

UBA/UEBA Tools
User Behavior Analytics (UBA)/User and Entity Behavior (UEBA) Tools collect user activity
details from multiple sources and use artificial intelligence and machine learning algorithms to
perform user behavior analysis to prevent and detect various threats before the fraud is
perpetrated User accounts are not the only entities in UEBA; entities also include system
accounts such as virtual servers, workstations, |oT, and OT devices connected to the network.

Listed below are some of the important UBA/UEBA tools:

Exabeam Advanced Analytics (https://www.exabeam.com)
LogRhythm UEBA (https://logrhythm.com)
Dtex Systems (https.//dtexsystems.com)
Gurucul Risk Analytics (GRA) (https://gurucul.com)
Securonix UEBA (https://www.securonix.com)

Module 07 Page 972 Certified Cybersecurity Technician Copyright © by EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Network Access Control (NAC)
O Network access control, also known as the network admission
control (NAC) are appliances or solutions that attempt to
protect the network by restricting the connection of an end
user to a network on the basis of a security policy
O The preinstalled software agent might inspect several items
before admitting the device and might restrict where the device
might be connected

Examples of NAC
@ What does NAC do?
ForeScout CounterACT
hittps://www.forescout.com
@ Authentication of users connected to network resources
ExtremeControl
@ Identification of devices, platforms, and operating systems https://www.extremenetworks.com

> Trustwave's NAC
@ Defining a connection point of network devices ) https://www.trustwave.com

@ Development and application of security policies Cisco NAC Appliance
https.//www.cisco.com

Copyright © by E I. All Rights Reserved. Reproductions Strictly Prohibited

Network Access Control (NAC)
Network access control (NAC), also known as network administration control, restricts the
availability of a network to the end user depending on the security policy. It mainly restricts
systems without antivirus and intrusion prevention software from accessing the network. NAC
allows a user to create policies for each user or systems and define policies for networks in
terms of the IP addresses. The preinstalled software agent might inspect several items before
admitting the device and might restrict where the device might be connected.
= NAC implements detection programs using the following points:
o It searches for an antivirus program and examines whether it has been updated or
not.

o It checks if the end system has a configured firewall or intrusion prevention
software.
o It searches for any viruses on the network and checks if the operating system has
been updated or not.
= NAC performs the following actions:
o It evaluates unauthorized users, devices, or behaviors in the network. It provides
access to authorized users and other entities.

o It helps in identifying users and devices on a network. It also determines whether
these users and devices are secure or not.
o It examines the system integration with the network according to the security
policies of the organization.

Module 07 Page 973 Certified Cybersecurity Technician Copyright © by EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

NAC helps in maintaining security policies for an increased control of the network. An
organization must look into the threats to its network while considering the cost of
implementing NAC. Organizations need to have plans to rectify the faults in the policies while
implementing NAC. They should consider the following points:
= Do the NAC policies authenticate users?
= How well has the NAC been implemented?
= Has the NAC been properly integrated with the device?

* Does the NAC tool check if the end user is blocked?
Organizations need to consider the following resources while implementing NAC:
* Network infrastructure: Incorporate network access control policies within the network
infrastructure
= Security: Managing the infrastructure

= Human resources: Reporting the network policies to the employees in an organization

= Operations: Management of response, procedures, and actions
= Management: Decide the priority of the policies, effect of the policies on the
organization, and managing the budget issues
Examples of NAC:
» ForeScout CounterACT (https://www.forescout.com)
= ExtremeControl (https://www.extremenetworks.com)

» Trustwave's NAC (https://www.trustwave.com)
= Cisco NAC Appliance (https://www.cisco.com)

Module 07 Page 974 Certified Cybersecurity Technician Copyright © by EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Web Content Filter
QO The content filter is either a software or a hardware that blocks browsing of harmful websites and..... undesirable content on the world wide web (WWW)
Q It prevents the network from malware, phishing, and pharming attacks
Q 1t filters content based on keywords, URLs, and contextual analysis

Q 1t provides additional protection other than traditional network firewalls and antivirus software

Internet

‘:fin-nl

BE BN
Client Side Internet Filtering

Web Content Filter

Web content filters block deceptive web pages or emails. They protect the network from
malware and other systems that are unreceptive and interfering. A content filter allows the
organization to block certain websites. Organizations can implement different types of internet
filtering such as:
= Browser-based filters
= E-mail filters
= (Client-side filters
= Content-limited filters
= Network-based filtering
= Search engine filters

Internet Internet Internet

‘ Firewall ‘ Firewall ‘ Firewall

/ om (sé.,m., 7
H H

Figure 7.126: Client-side Internet filtering, gateway level content filtering, and end-to-end content filtering

Module 07 Page 975 Certified Cybersecurity Technician Copyright © by EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

In the process of content filtering, a web content filter compares each character string on the
website in order to screen it. Most of the organizations filter pornographic or violence related
websites. Content filtering can protect a network from all kinds of malware codes or other
attacks that can make massive changes in the system and network.
Advantages of Web Content Filters
They can control the productivity:
It is often difficult to manage employee activities in a large organization. The internet
content filter can assist an organization from restricting the employees from using any
social networking sites or any illegitimate sites. Security professionals can block the sites
that are not related to work and thereby increase the efficiency and productivity of the
organization.

They provide a high-level of protection:

Internet content filters normally provide protection from malware programs and
software.
They restrict all kinds of liability issues:
Content filtering software can prevent users from sharing files and other documents
outside the organization.
They are highly flexible:
Web content filters enable the organization to decide on the sites that need to be
blocked. They also provide the organization with the ability to change the site blocking
setting at any time.

They increases the speed of the internet connection:

The use of web content filtering allows the organization to control the bandwidth
consumption of the internet connection by blocking sites. This in turn increases the
speed of the internet connection.

Module 07 Page 976 Certified Cybersecurity Technician Copyright © by EG-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Examples of Web Content Filters
OpenDNS OpenDNSfiltersthe web contentand prevents access to
RS unsafe orinappropriate websiteson your network NetSentron
https://www.netsentron.com

Barracuda Web Security and
OpenDNS Filtering
https://www.barracuda.com

A This site is blocked due to content filtering. Check Point URL Filtering
https://www.checkpoint.com
».com

Sorry, »00M has boen blockid by your retwork adminktrator. FortiGuard Web Filtering
» Report an incormect block Service
https://www.fortiguard.com
16 Adut Themes, Ungeria/Dibini, Nudity, Pornogrsphry, Sesualty

» Dagnostic o

ContentProtect Professional
Tarms | Privacy Poscy | Contact
https://www.contentwatch.com
https://www.opendns. com

I. All Rights Reserved. Reproduction Is Strictly Prohibited.

Examples of Web Content Filters
= OpenDNS

Source: https://www.opendns.com
OpenDNS filters the web content and prevents access to unsafe or inappropriate
websites on your network. It enables you to quickly block content using three
predefined web filtering levels. You can also customize the web categories to filter or
allow access only to the websites you specify.

A This site is blocked due to content filtering.

L.com

Sorry,.com has been biocked by your network administrator.

» Report an incorrect block

1 in: Adult Themes, Lingerie/Bikinl, Nudity, Pornography, Sexuality

» Diagnostic Info

Terms | Privacy Policy | Contact

Figure 7.127: Screenshot of OpenDNS

Module 07 Page 977 Certified Cybersecurity Technician Copyright © by EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Some of the additional web content filters are listed below:

= NetSentron (https://www.netsentron.com)
Barracuda Web Security and Filtering (https://www.barracuda.com)
Check Point URL Filtering (https://www.checkpoint.com)
FortiGuard Web Filtering Service (https.//www.fortiguard.com)
ContentProtect Professional (https.//www.contentwatch.com)

Module 07 Page 978 Certified Cybersecurity Technician Copyright © by EG-Gouncil
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Unified Threat Management (UTIM)
» Unified threat management (UTM) is a network security management solution which allows an administrator
to monitor and manage an organization’s network security through a centralized management console
» It provides firewall, intrusion detection, anti-malware, spam filter, load balancing, content filtering, data loss
prevention, and virtual private network (VPN) capabilities using a single UTM appliance

Load Balancer * / \' o Network Firewall

©
UTM
Content Filter Solutions ® Anti-virus and Anti-spam

®
Virtual Private network (VPN) « g * IDS/IPS

Copyright O by £ | All Rights Reserved. Reproduction is Strictly Prohibited.

Unified Threat Management (UTIM)
Unified threat management (UTM) is a security management method that enables the security
professional to evaluate and examine security related applications and other components
through a single console. UTM helps in minimizing the complexity of the network by protecting
users from blended threats. It provides firewall, intrusion detection, anti-malware, spam filter,
load balancing, content filtering, data loss prevention, and virtual private network (VPN)
capabilities using a single UTM appliance.

\
Load Balancer i Network Firewall

Content Filter Anti-virusand Anti-spam

Virtual Private network (VPN) \ / IDS/IPS

Figure 7.128: Unified Threat Management (UTM)

Advantages of UTM:
* Low cost: It reduces the cost of buying multiple devices as a UTM requires a single
console that can manage the whole network.
* Low maintenance cost: As only a single console is used, it requires little maintenance.

Module 07 Page 979 Certified Cybersecurity Technician Copyright © by EG-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Easy installation and management: UTM involves the use of only a single console that
requires minimum wiring and other installation requirements.
Fully integrated: UTM is a complete console that incorporates every feature required
for protecting a network.
Disadvantages of UTM:

Less specialization: Since a UTM is a single console managing the whole security of the
network, there are chances of it missing out certain features required for maintaining
the security. However, this can be avoided by using dedicated devices for each feature.
Single point-of-failure: UTM involves the use of a single console with all features
included in it. Failure of one feature can affect the performance of other features and
consequently the working of the UTM console as a whole.
Possible performance constraints: A single console in UTM performs various tasks at
the same time. There are chances that all the tasks or features do not get the CPU time
adequately. This situation may lead to many attacks on the system.

Module 07 Page 980 Certified Cybersecurity Technician Copyright © by EG-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Examples of UTM Appliances
o

»’V °

It provides complete network security with advanced features :
Endian UTM | like web filtering, email filtering, firewall, hotspot, and o WatchGuard Firebox UTM
intrusion prevention with deep-packet inspection, etc. https://www.watchguard.com

(O} Bimmtiy Sophos UTM
e https://www.sophos.com

b B | Fortinet UTM
e https://www.fortinet.com

Y | Check Point UTM
| https://www.checkpoint.com

-
-o ’ [\ |.
SonicWall UTM
Ve g Bl - https.//www.sonicguard.com
https://www.endian.com -~ s | i

Copyright © by All Rights Reserved. Reproduction is Strictly Prohibited,

Examples of UTM Appliances
* Endian UTM

Source: https://www.endian.com
Endian UTM provides complete network security with advanced features like web
filtering, email filtering, firewall, hotspot (captive portal), and intrusion prevention with
deep-packet inspection, etc. It also provides network segregation to keep your internal
networks safe and secure.

Module 07 Page 981 Certified Cybersecurity Technician Copyright © by EG-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Logoat BR rep B¢

endian firewall
community
Frowal

Dashboard Dashboard
Network configuration Dashboard Settings
Event notfications Shon $#R0gY

U (B r

< Caruratn © 10
Oamer Algon Drake
Generated container 1476404643 04

Actwiry Cusdance [} Reports

ARvon Drake

Mo 2 o1 weh MR regardng legal Empikcatons. Watng
3 Sear Bk from theem

W Dvent Opened
Investigate Playbook123 901 am Lt cowmed By Alaron Drane on
222017, 901434 e
[omet oot rom dvmd at omare ady o8
MI2INLNAMe

Widpets Notes

& paloalto
BRORN
DN
Qanrms

1213 Cal Wih PR reqarding legal impicatons Watng
93 haar Back from tem

Figure 7.133 Screenshot of Splunk Phantom

Some of the additional SOAR solutions are listed below:

CRITICALSTART (https://www.criticalstart.com)
Exabeam Fusion XDR (https://www.exabeam.com)

Cortex XSOAR (https.//www.paloaltonetworks.com)
McAfee ePO (https://www.mcafee.com)
IBM Security SOAR (https://www.ibm.com)

Module 07 Page 993 Certified Cybersecurity Technician Copyright © by EC-Council