Network Security
Comprehensive Network Security: Protecting Organizations with Modern Defense Strategies
Network Security in the past, for many organizations, meant “We have a firewall, right?” Unfortunately, in the last decade attackers have gotten much more sophisticated and attacks are more monetizable than ever. All organizations, of all sizes, are getting breached. All organizations need to be aware of Network Security and how it works to stop attackers before they get into the network and also to minimize the impact after a successful intrusion occurs.
Next Generation Firewall
Next-generation firewalls offer advanced features like traffic decryption and intrusion prevention, but many organizations struggle to fully utilize them. Crossconnect provides solutions to optimize these capabilities from leading vendors.
Identity Services
Network Access Control (NAC) secures networks by authenticating devices with protocols like 802.1X, acting as a digital lock to prevent unauthorized access. Solutions like Cisco ISE, Aruba Clearpass, and Portnox are crucial for modern network security.
Secure Access Service Edge (SASE)
Secure Access Service Edge (SASE) unifies SD-WAN, VPN, and security functions into a cloud platform, simplifying network management and enforcing consistent security. It supports Zero Trust principles and reduces costs with scalable cloud-based security services.
Penetration Test
In-depth penetration testing to identify and prioritize security vulnerabilities, validate controls, and meet compliance standards. Our detailed reports and remediation services ensure your organization understands and addresses critical threats effectively.
Threat Modeling
Our threat modeling service identifies, scores, and prioritizes security risks to guide effective cybersecurity investments. This process creates a clear, actionable roadmap to mitigate threats.
Foundational Principles of Security
The foundational security principles are the basis of all other security principles and of the security controls (e.g. firewalls) that we use to enforce them. The foundational security principles from which all other security principles flow are the CIA Triad:
Confidentiality:
Data must be kept confidential (i.e. secret) and not known to persons that do not have a “need to know”
Integrity:
Data and systems must be kept in their correct state and cannot be manipulated or altered by persons that do not have authorization to do so
Availability:
Data and systems are available to the authorized users that need to access them to do their jobs
Defense In Depth
The security principle of “Defense in Depth” flows from all three of the above principles. Defense in Depth means that we should not have a single layer of security controls protecting data and services. With a single layer of defense, it only takes subverting a single security control (e.g. a single network firewall) in order to successfully exploit the targeted resource or data.
Using the Defense in Depth concept, we attempt to ensure that all organizational resources and data are protected by overlapping controls so a single vulnerability or failed security control does not cause an attack to be successful.
What is network security?
Understanding Network Security: Key Principles and Essential Controls
Network Security is the practice of implementing security controls (e.g. network firewalls) in the network layer in order to enforce these foundational principles of security and the many security sub-principles that flow from them.
Cyber security has many domains and Network Security is just one of them. Network Security also can be broken into many different security principles and security controls.
Some of the security controls we use in Network Security are Network Firewalling, Network Segmentation, Application Firewalling (WAF), Intrusion Prevention, Traffic Analysis and Correlation, Web Proxy / URL Filtering, SSL Decryption, Network Access Control (NAC), Host Based IDS/IPS, Host Based Firewalling, SASE, DNS Security, Multifactor Authentication (MFA), and many more.
Network Firewalling
Networks that are made to facilitate the movement of data between legitimate users and resources can also be used by attackers. This is where Network Firewalls come in.
Network Firewalls are a type of multi-protocol firewall. Network Firewalls must be able to secure many different applications and protocols. Due to this, their configuration can be quite complex. A firewall is a “generalist”: it will not be as good at some tasks as it is at others. This is why, even with Network Firewalls in use, we still need Application Firewalls (WAF) for more specialized use cases. These other firewalls are also needed for a correct implementation of the Defense in Depth principle.
One of the primary security sub-principles we implement with Network Firewalls is “Allow by exception, Deny by default”. This concept means that we only allow traffic through the Network Firewall that has been explicitly allowed. The reason for this is that allowing network traffic that has not been explicitly allowed and authorized gives attackers more avenues of attack.
In the past, a Network Firewall configuration was simple: allow anything from the inside of the network to the outside (often the internet) and only allow the traffic from the internet to the internal network that is absolutely required. This approach is no longer feasible. The reality is that attackers are often going to gain a foothold on inside systems no matter how much diligence is used. Not every user can be stopped from clicking on “that link” no matter how much effort goes into it. It is still important to try to stop the initial attack, but diligence must also be used to detect and stop further phases of the attack. Due to this, the “Allow by exception, Deny by default” principle must be used on Network Firewalls in both directions.
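As an added illustration (not code from the original page or from any vendor), the following Python policy evaluator contrasts the legacy “allow anything outbound” rule set with a bidirectional default-deny rule set; the address ranges, rule names and sample flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str     # "in" = internet -> internal, "out" = internal -> internet
    src: str           # source CIDR
    dst: str           # destination CIDR
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # allowed destination ports; empty = any port
    def matches(self, flow):
        direction, src, dst, proto, dport = flow
        return (direction == self.direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))

def evaluate(rules, flow):
    """First matching rule wins; anything not explicitly allowed is denied."""
    for rule in rules:
        if rule.matches(flow):
            return ("allow", rule.name)
    return ("deny", "implicit-deny")

INTERNAL, ANY = "10.0.0.0/8", "0.0.0.0/0"   # constructed internal range
# Legacy policy: inbound allowed only by exception, outbound wide open.
LEGACY = [
    Rule("inbound-web", "in", ANY, "10.1.1.10/32", "tcp", frozenset({443})),
    Rule("outbound-any", "out", INTERNAL, ANY, "any", frozenset()),
]
# Bidirectional policy: egress is also allowed only by exception.
HARDENED = [
    Rule("inbound-web", "in", ANY, "10.1.1.10/32", "tcp", frozenset({443})),
    Rule("outbound-web", "out", INTERNAL, ANY, "tcp", frozenset({80, 443})),
    Rule("outbound-dns", "out", INTERNAL, "10.0.0.53/32", "udp", frozenset({53})),
]
# Constructed sample flows: (direction, src, dst, proto, dport)
FLOWS = {
    "user-browsing":   ("out", "10.2.3.4", "203.0.113.7", "tcp", 443),
    "odd-egress-port": ("out", "10.2.3.4", "198.51.100.9", "tcp", 4444),
    "external-dns":    ("out", "10.2.3.4", "198.51.100.53", "udp", 53),
    "inbound-ssh":     ("in", "203.0.113.7", "10.1.1.10", "tcp", 22),
}

def compare(flow_name):
    flow = FLOWS[flow_name]
    return {"legacy": evaluate(LEGACY, flow)[0], "hardened": evaluate(HARDENED, flow)[0]}
```

Under the legacy policy every outbound flow is allowed, so an unusual egress port or DNS to an outside resolver passes unexamined; under the bidirectional policy those flows hit the implicit deny and become visible in the logs.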
So you have a firewall?
Maximizing a Firewall’s Potential Beyond Basic Configuration
Having a Network Firewall (Palo Alto, Cisco Firepower, Fortinet, etc.) is only the first step. More must be done.
Modern Network Firewalls have more security controls in them than they have ever had. Most organizations do not employ most of the controls available in their modern firewalls to secure their networks. These features are being paid for, but not used. This is often because the more advanced features, often the ones that were influential in choosing a specific brand, require new skillsets and considerably more time and effort to deploy.
The firewall you have today can likely implement most, if not all, of these controls and you should make sure they are enabled, maintained, and monitored for threat and attacker visibility: Application Identification, User Identification, Device Identification, URL/Web Filtering, Intrusion Prevention (IPS), Anti-Virus Scanning, Anti-Spyware Blocking, File Sandboxing, File Type Blocking, Intelligence Feedlist Blocking, DNS Security, and many more.
Moreover, SSL Decryption must be deployed in order to make many of the features above work correctly. Decryption is no longer a “nice to have” feature. In one recent ransomware attack that Crossconnect was involved in the clean-up of, the firewall IPS system picked up no traffic over a 3-day period during which the threat actor was actively in the systems. This is because, like all other traffic, attackers are using encryption now too. In that customer’s situation, failing to decrypt user traffic was the difference between having a working IPS and a non-functional IPS, the latter of which allowed the threat actor to bypass virtually all the firewall controls.
All firewall configurations have room for improvement – most have quite a lot of room for improvement. Crossconnect has a program to drive ongoing firewall adoption.
Want to adopt all the common features? Our Core Security Adoption might be right for you.
These additional controls provide a layer of Defense In Depth in the firewall, but there are other things that need to be considered as well.
ZTNA and Network Segmentation
Zero Trust and Network Segmentation: Redefining Network Security Boundaries
In the past, networks were segmented into “Inside” and “Outside” and not much else. Large networks added the concept of a “DMZ” to that and called it a day. This worked when all of the threats were on the “Outside”, the “Inside” was largely trusted, and the “DMZ” was the main area of attack. That is not the case anymore.
In modern networks, no area of the network can be truly “trusted” anymore. This is where the concept of Zero Trust Network Access (ZTNA) came from.
Network Segmentation is a means of reducing access to the network. Network Segmentation can be done by Switches, Firewalls, SASE systems and many other controls but the goal is always the same: reduce access to just what is needed. Zero Trust Network Access adds additional tools to implement this in a very fine-grained way such as User and Device authentication and identification.
In the end, the purpose of Network Segmentation and ZTNA is the same. Both are trying to limit the access of network users and devices to just what is needed and nothing more. Aim to employ the principle of “Allow by exception, Deny by default”.
Network Access Control (NAC) / Identity Services
Network Access Control: Securing Access with Identity Verification
Network Access Control (or NAC) is a system by which users and devices are authenticated and identified before being let into the network. These networks could be Wired Ethernet, Wireless Ethernet, VPN or others. The goal is always the same with NAC: don’t let people or devices into the network until they have been authenticated and identified as legitimate users.
Network Access Control solutions are made by many vendors such as Cisco ISE, Aruba Clearpass, Portnox, and others. These tools allow for authenticating and identifying legitimate network users. These tools can also send security control configurations (e.g. ACLs) to the network access device (e.g. Switch or Wireless AP) to control what the user is able to access.
In modern networks, NAC is essential. You wouldn’t leave your house without locking the front door and NAC is the lock on the front door of networks today.
Secure Access Service Edge (SASE)
Secure Access Service Edge (SASE): Modernizing WAN Security with Cloud Integration
SASE (pronounced “sassy”) is a new way of protecting and optimizing Wide Area Network (WAN) services.
SASE can be thought of as a cloud-based SD-WAN, VPN, and Firewall architecture that marries WAN services with Security Services. All sites and remote users connect through the SASE system. The SASE system then applies many of the same concepts found in on-premises network firewalls and other security controls to this network traffic to enforce the security principle of “Allow by exception, Deny by default”. This is an upgrade over old WAN networks where the VPN and WAN were largely “Trusted” and, once into the network, a user could get anywhere they wanted in the organization. SASE is also often a big part of ZTNA strategies in modern networks.
DNS Security
DNS Security: A Quick Win for Enhanced Internet Protection
Perhaps the largest possible gain in internet security in the least amount of time possible is implementing a DNS security product. DNS security is the process of blocking malicious or unwanted domain names before resolution by end hosts. Cisco Umbrella dominates this market, providing an easy bolt-on security solution, as well as a proxy/filtering solution for new or “semi-trusted” domain names.
Multifactor Authentication (MFA)
Multifactor Authentication (MFA): A Critical Layer of Defense
Passwords are regularly stolen by a variety of methods, but perhaps the most serious one Crossconnect has witnessed has been the ‘golden ticket’ attack. This attack exploits weaknesses in the Kerberos protocol, which is used to access Active Directory, allowing an attacker to bypass normal authentication methods.
Having recently spent six weeks helping a customer recover from this devastating attack, it is very noteworthy that in this customer’s scenario, the entire attack could have been prevented by MFA. By requiring a token or acknowledgement of a push notification, most of the attacker’s attempts would have been foiled, greatly minimizing the damage, and at minimal cost to the customer, had it been deployed in advance.
MFA can protect servers, VPN connections, administrator logins for firewalls, switches, and more. Moreover, it’s a relatively inexpensive product and is fairly easy to implement.
Crossconnect supports and sells Cisco Duo and Microsoft Authenticator, but has familiarity with interworking with Okta and other major MFA brands.
So what’s next?
Explore Foundational Security Principles With Our Comprehensive Risk Assessment
Another security principle that flows from the foundational security principles: Risk Assessment.
It may not be exciting, but it is important because it can give us a vision and roadmap for where we need to go next. Vision in Cyber Security is often lacking in many organizations. Which security controls are needed? Which ones are not? This all comes from Risk Assessment.
Risk Assessment is the process of mapping out current threats and risks and what will be done to mitigate them, transfer them (i.e. Cyber Insurance), or in some cases accept them. Once risks are mapped out, a core plan of what needs to be done is created. Risk Assessment doesn’t have to be formal or long and drawn out – it really depends on the needs of the organization. All organizations have finite budgets and ‘throwing things at the wall and seeing what sticks’ is ineffective and money-wasting.
Cyber Security is a journey, not a destination. It is not a race and there is no finish line. That said, the most important thing to do is “get on the journey”. To do that, take the first step. Crossconnect has expert architects and engineers that can help navigate that journey. Crossconnect can perform a thorough risk assessment for your organization, help you build a vision plan of where to go, and walk down that path with your organization every step of the way.