CHAPTER 12
NETWORK CONTROLS
INTRODUCTION
This chapter gives a brief description of the various network devices used in organisations, their uses in data communications, the security features in the communication gadgets, the controls to be exercised to ensure proper security governance and the normal security controls that can be put in place. The chapter also deals with the communication media and channels, protocols and methodologies, and ways to enhance security not only in the hardware devices but also in the communication channels.

12.1.0 Network security is a complicated subject, which is always handled by well-trained and experienced professionals. It consists of the policies and their implementation to ensure proper and effective utilization of network resources, and to prevent misuse, modification or denial of service of a computer network gadget or resource. Before going into the various computer networks, devices and security issues, let us have a brief look at some of the most commonly deployed network equipment used in various organisations and banks:
Hubs
Modems
Routers
Switches
Bridges
Multiplexers

12.1.1 Though the list above enumerates the modern hardware gadgets, it does not comprehensively cover all the network gadgets used these days. This is only an illustrative list. Besides, some network equipment or gadget may have the features of one or more other equipments as well.
12.1.2 Hubs
A hub is a device that serves as a common termination point for multiple nodes and can relay signals along the appropriate paths. It is a physical connectivity device for a number of computer systems and provides an easy way of handling the shifting and reconnection of machines. There are also some intelligent hubs that contain built-in intelligence to communicate network management information to a software package. Note that a plain hub repeats every frame it receives to every other port, so any machine attached to the hub can read all traffic passing through it; this is one reason switches are preferred wherever confidentiality of the traffic matters.
12.1.3 Modems
Modems modulate the digital signal that a computer system handles into an analog signal that a telecommunication line handles at the sending end, so that the data can be transmitted, and perform the reverse function at the receiving end by demodulating the signal from analog to digital as the data enters the computer.
12.1.4.1 Routers
Routers are intelligent network devices connecting different networks together, which use the software-configured network address to make decisions on forwarding the data packets to a specific destination. Routers normally operate at the network layer and are among the most used network gadgets in any organisation, typically in most banks. Router configuration has a major security significance. Some routers come with the capability to use session encryption between specified routers. Such a capability prevents unauthorised snooping by men in the middle and ensures connectivity between two sites over secure routes.
12.1.4.2 Routing tables (information on routing the data across the network) are always confidential information, and the routing mechanism and the connected design should be kept as classified information for use within the network management department, strictly on a need-to-know basis only. With such great dependence on the network of almost all banking products, including the indispensable CBS, the ubiquitous ATMs and the omnipresent internet banking, router configuration and backup redundancy for routers have assumed enormous significance. Banks should ensure proper network access controls to protect router information and to ensure router availability.
12.1.4.3 Session encryption
A feature that is being built into some routers is the ability to use session encryption between specified routers. Because traffic travelling across the Internet can be seen by people in the middle who have the resources (and time) to snoop around, such routers are advantageous for providing connectivity between two sites such that there can be secure routes.
12.1.5.1 Switches
Switches are basically hubs but with intelligence, providing dedicated transmission channels for each user. With such capability, it is easier to forward data to its destination by using the hardware (MAC, Media Access Control) address in the data packets. Thus we can block data to one segment or one PC in a LAN, or make one segment or one PC inaccessible to any other user.

12.1.5.2 From a security perspective, the configuration of switches is very important.
Seven Layers of OSI Model:
Application
Presentation
Session
Transport
Network
Data-Link
Physical
12.2.3 Security in all these seven layers is built as per the features of the layer. For instance, in the physical layer it is the physical security of the equipment and the cables, the type of cabling used, and the upkeep and maintenance of cables and connectivity that matters. In the data-link layer the security is one step above the physical: it is the switches operating at this layer, and their configuration, that should ensure security. In the network layer it is the routers that should be configured to ensure security, and at the transport layer it is the TCP/IP stack of the hosts themselves. In the session, presentation and application layers, it is the software program (off-the-shelf applications like MS Office or customized ones developed for the organisation) that should take care of security, like ensuring access control, access privileges, implementation of various policies like the password policy and Internet access policy, and conformance to standards etc.
12.2.4 As against the seven-layered approach discussed above, TCP/IP (Transmission Control Protocol/Internet Protocol) has only four layers, as below:
Application
Transport
IP/Internet
Data Link

12.2.5 Typically in TCP/IP transmission, security in communication is taken care of in these four layers. Though the OSI seven-layer model has been in use for a number of years, of late it is the TCP/IP protocol approach that has become very popular and is being referred to often.
12.3.1 IP SECURITY
IP is a connectionless and stateless protocol that transmits IP packets, and hence each basic transfer unit associated with the packet-switched network, the datagram, is treated as an independent entity. There was no protection and no security in the earlier version of the IP architecture, version 4, published in 1981. IPv6 was subsequently introduced, and IP Security (IPSec) has since been put in place.
12.3.2 IPSec is a group of protocols within the Internet Protocol suite for securing IP communication, ensuring security by authenticating and encrypting each IP packet in a communication session. IPSec is an end-to-end security scheme operating at the internet layer of the IP suite illustrated above. It can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Some other Internet security systems in widespread use, such as Secure Socket Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model stated above, whereas IPSec protects all application traffic across an IP network. Proper use of its features enhances the network security in any organisation.

12.3.3 Though IPSec provides host-to-host security, it does not provide user-to-user security or application-to-application security. It increases protocol processing overheads, time and latency, as the sender and the receiver both perform cryptographic operations.
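The per-packet authentication that 12.3.2 describes can be illustrated with a small simulation. The following is an added example, not code from the book and not a real IPSec implementation: it models the integrity check value (ICV) and the sliding anti-replay window that IPSec applies to every packet, using an HMAC over an SPI/sequence-number header and the payload. The 32-byte shared key, the SPI value 0x1000 and the sample payloads are constructed for the example; in real IPSec the key is negotiated by IKE and the packet would also be encrypted (ESP), which is omitted here.

```python
"""Per-packet integrity check and anti-replay window, modelled on IPSec.
Added illustrative example; simplified and not interoperable with real IPSec."""
import hashlib
import hmac
import struct

ICV_LEN = 12  # truncated HMAC, as IPSec AH/ESP commonly do


class ReplayWindow:
    """Sliding anti-replay window (64 packets wide, in the style of RFC 4303)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.top:                     # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                  # too old: outside the window
            return False
        if self.bitmap & (1 << diff):          # duplicate inside the window
            return False
        self.bitmap |= 1 << diff
        return True


def protect(key, spi, seq, payload):
    """Sender side: prepend SPI + sequence number, append an ICV over both."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class Receiver:
    """Receiver side: verify the ICV first, then update the replay window."""

    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.window = ReplayWindow()

    def unprotect(self, packet):
        if len(packet) < 8 + ICV_LEN:
            return None
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            return None                        # not for this security association
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None                        # tampered payload or wrong key
        if not self.window.check_and_update(seq):
            return None                        # replayed or stale packet
        return body


def demo():
    key = b"\x01" * 32                         # constructed shared key
    rx = Receiver(key, spi=0x1000)
    p1 = protect(key, 0x1000, 1, b"GET /balance")
    p2 = protect(key, 0x1000, 2, b"POST /transfer")
    out = {}
    out["p1"] = rx.unprotect(p1)
    out["p2"] = rx.unprotect(p2)
    out["replay"] = rx.unprotect(p2)           # same packet again: rejected
    tampered = p2[:8] + b"POST /transfeX" + p2[-ICV_LEN:]
    out["tampered"] = rx.unprotect(tampered)   # body changed: ICV fails
    out["wrong_key"] = rx.unprotect(protect(b"\x02" * 32, 0x1000, 3, b"x"))
    return out


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the window is only advanced after the ICV verifies, so an attacker who cannot forge the HMAC also cannot push the window forward with junk packets and starve legitimate traffic.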
12.4 VLANS
12.4.1 In all cases of LAN infrastructure security (and in a WAN environment too), security should be in-built in the hardware and provided for in software as well. In this context, it would be relevant to study briefly about VLANs. A Virtual Local Area Network (VLAN) is a group of hosts with a common set of requirements which communicate as if they were attached to the same broadcast domain, regardless of their physical location. Though a VLAN has the same attributes as a normal physical LAN, it allows end stations to be grouped together even if they are not located on the same network switch physically. VLAN membership can be configured through software instead of physically relocating devices or connections.

12.4.2 By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration. VLANs provide the segmentation services traditionally provided by routers in LAN configurations, and play a significant role in network management.
[Diagram: a Data Centre connected over MPLS and the Internet to Remote Systems 1 to 6]
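The forwarding behaviour described in 12.1.5.1 (forwarding by MAC address and blocking a PC from other users) and the broadcast-domain separation of 12.4.1 can be demonstrated together in one small simulation. This is an added example, not code from the book: it models a VLAN-aware switch that learns MAC addresses per VLAN, floods unknown destinations only within the VLAN, and applies a "port security" limit of one MAC address per access port, shutting the port down when a second address appears. The port names, VLAN numbers and MAC addresses are constructed for the example.

```python
"""Simulated VLAN-aware switch with MAC learning and port security.
Added illustrative example; not the configuration syntax of any real switch."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int


@dataclass
class Port:
    name: str
    vlan: int                 # access VLAN of this port
    max_macs: int = 1         # port-security limit
    shutdown: bool = False    # set when the limit is violated
    learned: set = field(default_factory=set)


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}   # (vlan, mac) -> port name
        self.violations = []  # (port, offending mac)

    def receive(self, in_port, frame):
        """Return the list of ports the frame is forwarded to."""
        port = self.ports[in_port]
        if port.shutdown:
            return []                                 # disabled port drops everything
        if frame.vlan != port.vlan:
            return []                                 # not a VLAN this access port carries
        # port security: learn at most max_macs source addresses per port
        if frame.src not in port.learned:
            if len(port.learned) >= port.max_macs:
                port.shutdown = True
                self.violations.append((in_port, frame.src))
                return []
            port.learned.add(frame.src)
        self.mac_table[(frame.vlan, frame.src)] = in_port
        # forwarding decision: known unicast goes to one port only
        key = (frame.vlan, frame.dst)
        if frame.dst != BROADCAST and key in self.mac_table:
            out = self.mac_table[key]
            return [] if out == in_port else [out]
        # unknown unicast or broadcast: flood, but only inside the same VLAN
        return [p.name for p in self.ports.values()
                if p.name != in_port and p.vlan == frame.vlan and not p.shutdown]


def demo():
    sw = Switch([Port("Gi1", 10), Port("Gi2", 10), Port("Gi3", 20), Port("Gi4", 20)])
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    out = {}
    out["flood"] = sw.receive("Gi1", Frame(a, b, 10))            # b unknown: flood VLAN 10 only
    out["unicast"] = sw.receive("Gi2", Frame(b, a, 10))          # a known: single port
    out["vlan_isolation"] = sw.receive("Gi3", Frame(c, BROADCAST, 20))  # never reaches VLAN 10
    out["violation"] = sw.receive("Gi1", Frame("de:ad:be:ef:00:01", b, 10))  # 2nd MAC on Gi1
    out["shutdown"] = sw.ports["Gi1"].shutdown
    return out


if __name__ == "__main__":
    print(demo())
```

The last step is the security-relevant one: a rogue hub or a host spoofing a second MAC address on a one-host port is detected because the switch, unlike a hub, tracks which address belongs to which port.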
[...] and with operating systems like Windows NT etc., telnet access is sometimes not a preferred mode of communication, and Secure Shell (SSH) started to be used instead.

12.6.11 The term Telnet sometimes also refers to the client-side software, which can run on almost any computer system. Loosely, Telnet also means establishing a connection with the Telnet protocol, either with a command-line client or with a programmatic interface to a remote server, as in phrases like "telnet to the server" etc.

12.6.12 In all these cases, it would be pertinent to note that security has to be built into the application whenever Telnet access is provided, since the Telnet protocol itself carries the login credentials and the whole session in clear text. Most developers do not permit Telnet access other than through a front-end menu and interface. From a security perspective, Telnet access is rarely given and is restricted by system managers.
12.6.13 While accessing a server through the various protocols mentioned above, applications sometimes allocate logical ports for data transmission, in which case the developers should be trained to ensure proper and secure usage of such logical ports, and any non-standard port numbers assigned to the services should be recorded. An efficient white box testing team should be able to detect any improper or deliberately misleading assignment of port numbers, which would otherwise serve as a serious security lacuna paving the way for unauthorized access to the database.
12.6.14 TCP/IP is a suite of protocols and perhaps the most widely used in communications these days. It is the backbone of the Internet today, comprising two core protocols, TCP and IP. The Internet Protocol (IP) is the network layer of the Internet, which routes the data packets to their destination, though providing no guarantee of delivery. The Transmission Control Protocol (TCP) runs on top of IP, providing a connection-oriented service between the sender and the receiver and guaranteeing delivery, ensuring that the packets are delivered in sequence using mechanisms like sequence numbers, acknowledgements, the 3-way handshake and timers.
12.6.15 TCP/IP was not built originally for security (for that matter, the Internet itself was not built for secure communication when it was originally used by the US Department of Defense, more for intra-defence department communication). In the years that followed, with the Internet almost entirely built on the TCP/IP protocol, this has become more of a problem. The widespread use and availability of the TCP/IP protocol suite has exposed its weaknesses. There are quite a few well-known vulnerabilities, both of TCP/IP itself and of some protocols commonly used along with TCP/IP (such as DNS), as detailed below:
12.6.16 TCP SYN attacks: also called SYN flooding, this takes advantage of the three-way handshake in TCP. When a computer receives a SYN request from a client, it must allocate resources and a sequence number and keep track of the partially opened (half-open) connection until the final ACK arrives. If the attacker never sends that ACK (and typically spoofs the source address so no reply ever arrives), the table of half-open connections fills up and legitimate clients can no longer connect, breaching availability.
12.6.17 IP Spoofing is an attack where an attacker pretends to be sending data from an IP address other than its own. The IP layer assumes that the source address on any packet it receives is the IP address of the system that actually sent the packet; it does no authentication. Many higher-layer protocols and applications also make this assumption, so it seems that
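The two weaknesses in 12.6.16 and 12.6.17 are connected: a SYN flood works precisely because the attacker can spoof sources and the server must remember every half-open connection. The following added example (not from the book) contrasts a conventional stateful listener, whose backlog is exhausted by 200 unanswered SYNs, with the SYN cookie technique, which goes beyond what the text describes: the server encodes its initial sequence number as an HMAC over the connection 4-tuple and a time counter, keeps no state for the SYN, and validates the returning ACK by recomputation. The secret, addresses, ports and backlog size are constructed for the example; the 24-bit MAC and 8-bit time field are a simplification of real kernel implementations, which also encode the MSS.

```python
"""SYN flood against a stateful listener vs a SYN-cookie listener (simulation).
Added illustrative example; not a real TCP stack."""
import hashlib
import hmac
from collections import OrderedDict


class StatefulListener:
    """Classic TCP listener: every SYN occupies a half-open entry until the ACK."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = OrderedDict()   # (src_ip, src_port) -> server ISN
        self.refused = 0

    def on_syn(self, src_ip, src_port, isn):
        if len(self.half_open) >= self.backlog:
            self.refused += 1            # backlog full: SYN silently dropped
            return None
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == isn + 1


SECRET = b"constructed-cookie-secret"   # would be random and rotated in practice


def syn_cookie(src_ip, src_port, dst_port, t):
    """ISN = 8-bit time counter || 24-bit HMAC(secret, 4-tuple, t)."""
    t &= 0xFF
    msg = f"{src_ip}:{src_port}:{dst_port}:{t}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (t << 24) | int.from_bytes(mac[:3], "big")


class CookieListener:
    """SYN cookies: no state per SYN; the ACK proves the client saw the SYN-ACK."""

    def __init__(self, dst_port=443):
        self.dst_port = dst_port

    def on_syn(self, src_ip, src_port, t):
        return syn_cookie(src_ip, src_port, self.dst_port, t)   # nothing stored

    def on_ack(self, src_ip, src_port, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF
        t = (isn >> 24) & 0xFF
        if (now - t) & 0xFF > 1:                     # cookie older than one tick: stale
            return False
        return isn == syn_cookie(src_ip, src_port, self.dst_port, t)


def demo():
    out = {}
    s = StatefulListener(backlog=128)
    for i in range(200):                             # spoofed SYNs that are never ACKed
        s.on_syn(f"203.0.113.{i % 250}", 40000 + i, isn=i)
    out["stateful_refused"] = s.refused
    out["legit_stateful"] = s.on_syn("198.51.100.7", 5555, isn=999)   # None: refused

    c = CookieListener()
    t = 17
    for i in range(200):                             # same flood, no memory consumed
        c.on_syn(f"203.0.113.{i % 250}", 40000 + i, t)
    isn = c.on_syn("198.51.100.7", 5555, t)
    out["legit_cookie"] = c.on_ack("198.51.100.7", 5555, isn + 1, now=t)
    out["forged"] = c.on_ack("198.51.100.7", 5555, 12345, now=t)       # guessed ACK
    out["stale"] = c.on_ack("198.51.100.7", 5555, isn + 1, now=t + 5)  # too late
    return out


if __name__ == "__main__":
    print(demo())
```

A spoofed source never receives the SYN-ACK, so it cannot return the cookie; the only cost of the flood is CPU for the HMAC, which is far cheaper than backlog entries.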
[...] system and report activity.

12.7.10 Intrusion prevention systems are considered extensions of intrusion detection systems because both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. More specifically, an IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, defragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.
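The difference between the two placements in 12.7.10 can be shown by running one detection engine in both modes. This is an added example, not code from the book: the same signatures (a SQL injection probe on port 80, any Telnet attempt, and a per-source SYN rate threshold) are applied to a constructed packet trace; the out-of-band IDS can only record alerts, whereas the in-line IPS drops the packet and blocks the offending address for the rest of the trace. The addresses, ports, payloads and the threshold of 50 SYNs per second are constructed for illustration.

```python
"""One detection engine, two deployments: IDS (alert only) and in-line IPS (drop/block).
Added illustrative example; rules and traffic are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str        # TCP flags as letters, e.g. "S", "PA"
    payload: bytes
    ts: float         # seconds


SIGNATURES = [    # (name, destination port, byte pattern or None for any payload)
    ("sql-injection-probe", 80, b"' OR 1=1"),
    ("telnet-attempt", 23, None),
]
SYN_RATE_LIMIT = 50   # SYNs per source per second before we call it a flood


class Sensor:
    def __init__(self, inline):
        self.inline = inline              # False = IDS, True = IPS
        self.blocked = set()
        self.alerts = []                  # (rule, source)
        self.syn_times = defaultdict(list)

    def _detect(self, pkt):
        if pkt.src in self.blocked:
            return "blocked-source"
        for name, port, pattern in SIGNATURES:
            if pkt.dport == port and (pattern is None or pattern in pkt.payload):
                return name
        if "S" in pkt.flags and "A" not in pkt.flags:          # a bare SYN
            window = [t for t in self.syn_times[pkt.src] if pkt.ts - t < 1.0]
            window.append(pkt.ts)
            self.syn_times[pkt.src] = window
            if len(window) > SYN_RATE_LIMIT:
                return "syn-flood"
        return None

    def process(self, pkt):
        """Return 'forward', 'alert' (IDS: packet still reaches the host) or 'drop' (IPS)."""
        verdict = self._detect(pkt)
        if verdict is None:
            return "forward"
        self.alerts.append((verdict, pkt.src))
        if not self.inline:
            return "alert"
        if verdict in ("syn-flood", "blocked-source"):
            self.blocked.add(pkt.src)     # block further traffic from the offending IP
        return "drop"


def demo():
    traffic = [
        Packet("203.0.113.5", "10.10.0.8", 80, "PA", b"GET /?id=1' OR 1=1--", 0.0),
        Packet("198.51.100.2", "10.10.0.8", 80, "PA", b"GET /index.html", 0.1),
        Packet("203.0.113.9", "10.10.0.20", 23, "S", b"", 0.2),
    ]
    traffic += [Packet("203.0.113.77", "10.10.0.8", 443, "S", b"", 0.3 + i / 1000)
                for i in range(60)]                               # 60 SYNs in 60 ms
    ids, ips = Sensor(inline=False), Sensor(inline=True)
    return {
        "ids": [ids.process(p) for p in traffic],
        "ips": [ips.process(p) for p in traffic],
        "ips_blocked": sorted(ips.blocked),
    }


if __name__ == "__main__":
    r = demo()
    print(r["ids"].count("alert"), "IDS alerts;", r["ips"].count("drop"), "IPS drops")
```

Note what the IDS result means operationally: the injection probe and the Telnet attempt still reached their targets, and the response to the alert has to come from the operators or from another control.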
12.8 FIREWALLS
12.8.1 Firewalls are access control devices for the network and can assist in protecting an organisation's internal network from external attacks. They are therefore border security products placed between the internal network and the external network. Wherever a server is allowed to be accessed from outside, such connections will be allowed by the firewall. Hence a firewall, which has to permit all web traffic to a public web server, may not protect that web server from attacks carried within the permitted web traffic. Similarly, firewalls may not protect against an insider attacker, since all internal users are already inside the internal network.

12.8.2 There are two types of firewalls: application layer firewalls and packet filtering firewalls. Each is used depending upon the security policy of the organisation and the specific requirement, based on factors like confidentiality, criticality etc. Application layer firewalls, also called proxy firewalls, are positioned above the operating system, like Windows NT or Unix. Firewall configurations, i.e. the rules, define how traffic from one network is sent to another, as per the related policy. In the absence of a specific permission to allow the traffic, the firewall drops the packets or denies the traffic. Here, the firewall itself should be protected from attack and should not have any vulnerabilities. The typical function of a firewall is depicted in the diagram below:
12.8.6.1 A study of firewalls will never be complete without understanding the technicalities of a demilitarized zone, commonly called a DMZ. It is essentially a computer host or small network inserted as a "neutral zone" between an organisation's private network and the outside public network. It prevents outside users from getting direct access to a server that holds the organisation's data. A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.
12.8.6.2 In a DMZ configuration, a separate computer receives requests from users within the private network for access to Web sites or other companies accessible on the public network. The DMZ host then initiates sessions for these requests on the public network. Users of the public network outside the company can access only the DMZ host. The DMZ may typically also hold the company's Web pages so that these can be served to the outside world. However, the DMZ provides access to no other company data. In the event that an outside user penetrated the DMZ host's security, the Web pages might be corrupted, but no other company information would be exposed.
12.8.6.3 Typically in a bank, especially in a Core Banking Data Centre, the main data centre runs the prime database (often an Oracle database), and there are a number of application servers which provide the connectivity from a user-level system (like a bank branch, an ATM, the Internet in the case of e-banking, a mail server or other functional servers). In this environment, a data packet coming from an Internet Banking user (i.e. the Internet cloud) and a data packet coming from the bank's own branch on the intranet cannot be treated in the same manner. The former is prone to carry malware and has to be "de-risked" or checked before entering the critical database. In such a scenario, the role of the demilitarized zone assumes enormous significance.
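The rules that a packet filtering firewall (12.8.2) would carry for the DMZ layout of 12.8.6.1 to 12.8.6.3 can be written out and exercised. The following is an added example, not from the book and not the syntax of any real firewall product: a zone-based filter with a default-deny policy, in which the Internet may reach only the DMZ web server, the web server may reach only the application server, and only the application server may reach the database. It also applies an anti-spoofing check on the outside interface, which is the firewall-side answer to the IP spoofing weakness in 12.6.17. The address ranges, host addresses and port numbers are constructed for the example.

```python
"""Zone-based packet filter for a DMZ design: default deny, anti-spoofing,
and a single permitted path from the Internet to the core database.
Added illustrative example; addressing and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {
    "inside": ipaddress.ip_network("10.10.0.0/16"),   # branches, app servers, database
    "dmz": ipaddress.ip_network("192.0.2.0/24"),      # public-facing web server
}
WEB = "192.0.2.10"
APP = "10.10.5.10"
DB = "10.10.9.10"


@dataclass
class Rule:
    name: str
    in_zone: str          # zone the packet arrives from
    src: str              # "any", a host or a CIDR
    dst: str
    dport: Optional[int]  # None matches any port
    action: str


RULES = [   # evaluated in order; anything unmatched falls through to default deny
    Rule("internet-to-web", "outside", "any", WEB, 443, "allow"),
    Rule("web-to-app", "dmz", WEB, APP, 8443, "allow"),
    Rule("app-to-db", "inside", APP, DB, 1521, "allow"),
    Rule("branch-to-app", "inside", "10.10.0.0/16", APP, 8443, "allow"),
]


def zone_of(ip):
    """Which zone an address legitimately belongs to."""
    addr = ipaddress.ip_address(ip)
    for name in ("inside", "dmz"):
        if addr in ZONES[name]:
            return name
    return "outside"


def matches(spec, ip):
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def filter_packet(in_zone, src, dst, dport):
    """Return 'allow:<rule>' or 'drop:<reason>' for a packet seen on in_zone."""
    # anti-spoofing: the claimed source must belong to the zone it arrived from
    if zone_of(src) != in_zone:
        return "drop:spoofed-source"
    for r in RULES:
        if (r.in_zone == in_zone and matches(r.src, src) and matches(r.dst, dst)
                and (r.dport is None or r.dport == dport)):
            return f"{r.action}:{r.name}"
    return "drop:default"


def demo():
    return {
        "internet_web": filter_packet("outside", "203.0.113.5", WEB, 443),
        "internet_db": filter_packet("outside", "203.0.113.5", DB, 1521),
        "spoofed": filter_packet("outside", APP, DB, 1521),   # outsider claiming to be APP
        "web_app": filter_packet("dmz", WEB, APP, 8443),
        "web_db": filter_packet("dmz", WEB, DB, 1521),        # compromised web host
        "app_db": filter_packet("inside", APP, DB, 1521),
        "branch_db": filter_packet("inside", "10.10.30.4", DB, 1521),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} {v}")
```

The "web_db" case is the one 12.8.6.2 argues for: if the DMZ host is penetrated, its Web pages may be corrupted, but the rule set gives it no path to the database, so that data stays unexposed.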
[...] With UTMs, all the layers of a company's hardware and software security strategy can be monitored and configured from one single console. The UTM [...]
[...] the form. [...] Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). This is a type of challenge-response test used to ensure that the response is generated by a person. The process usually involves a computer asking a user to complete a simple test, i.e. to type the characters in a picture which the computer has generated. The alphanumeric strings shown below are examples, which the user has to look at and enter in the form. These are normally case sensitive, and the user has to carefully note whether each character is upper case or lower case.

[Image: two distorted CAPTCHA strings, numbered 1 and 2]

In the examples given above, the words are:
1. IBFSeCuriTy
2. MGUs5Rgod
12.9.3 There are many improvements in CAPTCHA being adopted these days. Since repeated data entry and many thousands of accesses through robots are becoming a bigger attack on networks, for remote access or data entry, improved CAPTCHAs are being deployed. One such common variant is a CAPTCHA with maths, i.e. a captcha which gives a very simple mathematical question like "2 + 3 =" and you have to type the answer 5 in the space provided, so that the system can assume that a human being is accessing the application and not a machine. It should be noted that a plain-text arithmetic question is the weakest form of CAPTCHA, since a script can read and evaluate it as easily as a person can.

12.9.4 In short, CAPTCHA is a software control built on the premise that it is difficult for a computer program to read the distorted images and do the data entry. It thus gives reasonable assurance that a human being is accessing the application and not a computer system or other automated device; it does not, by itself, establish who that human being is, so it complements rather than replaces user authentication.
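The server side of the challenge-response test in 12.9.2 to 12.9.4 is where most practical mistakes are made (answers stored in the form, challenges reusable, case-insensitive matching). The following added example, not code from the book, shows one sound way to handle it: the expected answer never leaves the server in clear, the challenge travels as an HMAC-signed token that expires and can be redeemed only once, and the comparison is case-sensitive and constant-time. The server key, the 120-second lifetime, the alphabet and the tiny "math" variant are constructed for the example; a real deployment would render the text as a distorted image and keep the used-nonce set in shared storage.

```python
"""Issuing and verifying CAPTCHA challenges as signed, expiring, single-use tokens.
Added illustrative example; key, alphabet and lifetime are constructed."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-server-key"   # random and rotated in a real deployment
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"  # no 0/O, 1/l/I
TTL = 120                                # seconds a challenge stays valid
_used = set()                            # nonces already redeemed


def _sign(nonce, issued, answer):
    """Token = nonce|issued|HMAC(key, nonce|issued|H(answer)); the answer itself is not sent."""
    msg = f"{nonce}|{issued}|".encode() + hashlib.sha256(answer.encode()).digest()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}|{issued}|{mac}"


def new_challenge(kind="text", now=None):
    """Return (prompt shown to the user, token carried in the form)."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    if kind == "math":
        a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
        prompt, answer = f"{a} + {b} =", str(a + b)
    else:
        answer = "".join(secrets.choice(ALPHABET) for _ in range(8))
        prompt = answer                   # stands in for the rendered, distorted image
    return prompt, _sign(nonce, now, answer)


def verify(token, response, now=None):
    now = int(time.time() if now is None else now)
    try:
        nonce, issued, mac = token.split("|")
        issued = int(issued)
    except ValueError:
        return False                      # malformed token
    if now < issued or now - issued > TTL:
        return False                      # expired (or clock going backwards)
    if nonce in _used:
        return False                      # replayed: a solved challenge is single-use
    expected = _sign(nonce, issued, response).split("|")[2]
    if not hmac.compare_digest(mac, expected):
        return False                      # wrong answer; case matters since H(answer) does
    _used.add(nonce)
    return True


def demo():
    out = {}
    prompt, token = new_challenge("text", now=1000)
    out["correct"] = verify(token, prompt, now=1010)
    out["replay"] = verify(token, prompt, now=1011)
    prompt2, token2 = new_challenge("text", now=1000)
    while prompt2 == prompt2.swapcase():          # make sure flipping case changes it
        prompt2, token2 = new_challenge("text", now=1000)
    out["wrong_case"] = verify(token2, prompt2.swapcase(), now=1010)
    prompt3, token3 = new_challenge("text", now=1000)
    out["expired"] = verify(token3, prompt3, now=1000 + TTL + 1)
    prompt4, token4 = new_challenge("math", now=1000)
    a, _, b, _ = prompt4.split()                  # a script "solving" the maths variant
    out["math_by_script"] = verify(token4, str(int(a) + int(b)), now=1001)
    return out


if __name__ == "__main__":
    print(demo())
```

The last case makes the caveat from 12.9.3 concrete: the verification logic is sound, but a maths prompt sent as text is solved by four lines of code, so the protection depends entirely on how hard the prompt is for a machine to read.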
12.9.5 SIEM
12.9.5.1 As part of network security and network controls, a concept that is increasingly becoming popular is Security Information and Event Management (SIEM). This is a term for software products and services, and gets its name since it is a combination of SIM, i.e. Security Information Management, and SEM, i.e. Security Event Management. The features of SIEM mainly include gathering security data from the network, and analyzing and presenting such information, mainly from network, identity and access management, vulnerability management and policy compliance tools etc.

12.9.5.2 Typically SIEM products have the capabilities of alerting and notifications, retaining the historical data and assisting in such data retrieval, log management etc. There are many SIEM products, including a few from global companies like HP, IBM etc.
12.9.5.3 According to a lecture on 28 Feb 2015 delivered by Shri G Padmanabhan, Executive Director, RBI: "Today, tools like Security Incident and Event Management (SIEM), Network Behaviour Anomaly Detection (NBAD), Data Leakage Prevention (DLP), etc are available which provide deep visibility into operations and quickly detect a security breach. Besides, one approach being increasingly adopted by banks - apart from procuring and using tools and [...] - is following the age-old and time tested method of Analytics. While we have all read about the advantages of Big Data and Big Data analytics, this is more often used for business development for mapping customer behaviour and customer preferences; there is scope of using this for mapping general customer behaviour patterns, and whenever there is an exception or an outlier, the computer system could trigger a warning."
(Source: https://rbi.org.in/scripts/BS_SpeechesView.aspx?Id=945, retrieved on 17 Nov 15)
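The gathering, analysis and alerting functions listed in 12.9.5.1 and 12.9.5.2 come down to normalising events from different sources into one schema and then running correlation rules over them. The following added example (not from the book, and not the logic of any named SIEM product) parses constructed log lines from two sources, a firewall and an authentication service, into a common event format and applies one correlation rule: a burst of failed logins from one source address followed by a successful login within five minutes. The log formats, addresses, user names and the threshold of five failures are all constructed for the example.

```python
"""Minimal SIEM-style pipeline: normalise two log sources, correlate, alert.
Added illustrative example; log lines and formats are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<dport>\d+)$")


def normalise(line):
    """Map a raw line from either source onto one common event schema (or None)."""
    m = AUTH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "auth",
                "src": m["src"], "user": m["user"], "outcome": m["result"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "fw",
                "src": m["src"], "user": None, "outcome": m["action"],
                "dport": int(m["dport"])}
    return None


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when >= threshold FAILs from one source are followed by an OK within window."""
    alerts = []
    fails = defaultdict(list)              # src -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "auth":
            continue
        recent = [t for t in fails[e["src"]] if e["ts"] - t <= window]
        if e["outcome"] == "FAIL":
            recent.append(e["ts"])
        elif len(recent) >= threshold:     # success after a brute-force burst
            alerts.append({"rule": "brute-force-success", "src": e["src"],
                           "user": e["user"], "failures": len(recent), "ts": e["ts"]})
            recent = []
        fails[e["src"]] = recent
    return alerts


LOG_LINES = [   # constructed sample lines, not from any real system
    "2015-11-17T09:00:01 fw ALLOW src=203.0.113.9 dst=192.0.2.10:443",
    "2015-11-17T09:00:02 auth FAIL user=rkumar src=203.0.113.9",
    "2015-11-17T09:00:03 auth FAIL user=rkumar src=203.0.113.9",
    "2015-11-17T09:00:04 auth FAIL user=rkumar src=203.0.113.9",
    "2015-11-17T09:00:05 auth FAIL user=rkumar src=203.0.113.9",
    "2015-11-17T09:00:06 auth FAIL user=rkumar src=203.0.113.9",
    "2015-11-17T09:00:07 auth OK user=rkumar src=203.0.113.9",
    "2015-11-17T09:01:00 auth FAIL user=asharma src=198.51.100.4",
    "2015-11-17T09:01:05 auth OK user=asharma src=198.51.100.4",   # one typo: no alert
    "2015-11-17T09:02:00 fw DENY src=203.0.113.9 dst=10.10.9.10:1521",
    "this line is not in any known format",
]


def run(lines=LOG_LINES):
    events = [normalise(l) for l in lines]
    unparsed = sum(1 for e in events if e is None)   # worth its own alert in practice
    alerts = correlate([e for e in events if e is not None])
    return {"events": len(events) - unparsed, "unparsed": unparsed, "alerts": alerts}


if __name__ == "__main__":
    print(run())
```

The single successful login from 203.0.113.9 looks harmless in the authentication log on its own; it is only by retaining the preceding failures and correlating across time that the SIEM can raise it, which is the point of the historical retention that 12.9.5.2 mentions.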
12.9.6 Net neutrality
12.9.6.1 Though net neutrality is not directly related to the security administration of a network, it has a direct bearing on the security features of the network. Net neutrality is based on the principle that Internet Service Providers should treat all data on the Internet without discrimination based on the content, site, platform, application etc. There have been considerable debates on why the Internet should be open and why all data should be treated equally.

12.9.6.2 Some service providers object to the concept of net neutrality, since they feel that they should have the right to ensure free traffic of that particular content which has been provided by the content providers (or