Modern network security technologies: what you need to know (Part 1)

Corporate networks in most Russian companies today are very large: hundreds, and in some cases thousands, of devices are connected to them, many with Internet access. But the leading vendors of security products have left the Russian market. The hardware and software previously supplied by Cisco, McAfee, Fortinet, Splunk, Palo Alto Networks, Trend Micro and Tenable still works, but it no longer receives updates. Dell, F5, Citrix, HP, Microsoft, IBM, VMware and many other manufacturers of IT equipment and related software have also stopped operating in Russia. Corporate security departments therefore face the question of how to protect their local networks from data leakage, hacker attacks and other unauthorized access.

Measures to ensure information security are today prescribed in the relevant decree, and more than half a million small and medium-sized businesses are obliged to follow it. Compliance will not by itself give them an adequate level of protection, but at least they will learn in time that their corporate networks have been compromised. So how can the requirements of this decree be met? How do you know whether your company's network has been hacked? This calls for a number of comprehensive network security solutions that are relevant in the current situation. Let us focus on the main points.

Attack signatures for IDS, IPS and NGFW

Any corporate network contains quite a few devices with vulnerabilities, most of them related to mail systems and web sites. To protect the company from attacks, information security specialists use devices of the IDS/IPS, NGFW and WAF classes. They work on the basis of signatures that detect network attacks. These signatures are constantly updated, allowing corporate networks to withstand ever-changing threats: the mechanism identifies attacks in incoming traffic and shields the most vulnerable devices on the network, those that lack the necessary patches. We must also not forget that any corporate network has enough devices whose firmware cannot be updated at all, such as sensors in industrial control networks, video cameras and IoT devices.

According to the CVE database, about 50 new vulnerabilities appear on average every day, and the company's IT specialists need to learn about them somehow. Only then can they identify the affected systems and take steps to prevent an attack. The main problem is that the necessary patches are not yet available: manufacturers simply cannot keep up. Moreover, foreign suppliers of expertise and signatures are currently unavailable on the Russian market.

Today there are quite a few free rule sets built for free engines. But, as practice shows, they do not provide the required quality of attack detection, nor full access to technical support. A number of tests have also shown that even the most advanced open-source engines, Snort and Suricata, can today analyze traffic only at speeds of no more than 1 Gbps. Above that, the enabled signatures simply stop working and no longer see attacks. But the traffic of most large corporate networks is much higher, and today the creators of free engines cannot provide support for them.

To provide quality protection against attacks, the supplier must have at its disposal a large and expensive laboratory of researchers and so-called white-hat hackers, who develop attack detection signatures literally in real time, responding instantly to newly emerging vulnerabilities. Alas, there are very few such solutions in Russia today.

So what can be done in practice to ensure a sufficiently high level of protection for your corporate network? The optimal solution is an integrated approach that involves control over:

  1. Employee actions.
  2. Application layer.

It is also a good idea to record DNS requests and the answers to them. Let us consider these points in more detail.

Control over the actions of employees

Modern users enjoy a fairly high degree of freedom on the network: they roam freely on the Internet and operate from different IP addresses. But for you, as the network security representatives of a particular company, it is important to know exactly who is behind the IP address that connects to your network. Only then will you be able to notice deviations from normal work that may indicate an attack.

The work of modern information security specialists is greatly complicated by the fact that attackers often act within the network using the standard accounts of your own employees and the very utilities used in everyday work. How do they do it? They simply hijack employees' accounts or guess their passwords, thereby gaining access to their profiles, so that to the system they look like ordinary employees.

Can they be identified? Yes, if you know the typical activity of your real employee, monitor it and react immediately to atypical behavior. In principle this is not difficult, because an employee performs the same kinds of actions every day: he knows where to take data from, where to transfer it and how to process it. A hacker's actions, by contrast, will not be coordinated and precise. He first needs to study how the system works, which applications a given employee uses, and much more. So as soon as you notice anomalies in an employee's work (use of other applications, logins to third-party systems, and so on), you have a sign that something is going wrong. This kind of control over user actions is called profiling, and the technology is implemented in modern NTA (network traffic analysis) and NDR (network detection and response) products.

The network security system that you build for your company should clearly attribute each flow of traffic to the employee who owns it. This is known as an identity firewall: the system matches the IP address and port in the packet header with the corresponding employee account. Thanks to this, you can not only check the actions of particular people but also limit their capabilities according to the principle of least privilege.

Perhaps all this looks a little complicated and confusing, but in practice everything is much simpler. For example, if you notice that an assistant manager is currently busy configuring routers, you will surely understand that someone from outside is acting under his account, because such work is not part of his job duties. This is exactly what we had in mind when we spoke of atypical actions by staff.

The identity firewall collects data about IP addresses and the corresponding employee accounts from a fairly large number of sources, including:

  • Active Directory authentication logs;
  • analysis of Kerberos authentication network requests to Active Directory;
  • VPN gateway logs;
  • mail service logs, etc.

Specialists themselves define what the identity firewall does, writing the appropriate rules by username or by whole group; group membership can be obtained from LDAP servers.
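The attribution and profiling described above, as an added example that is not code from the original article or from any product it names. It ties together the pieces the text lists: authentication events as the source of IP-to-user data, group membership as LDAP would supply it, per-group rules, and the "assistant configuring routers" anomaly. The log line formats, the group data and the policy are all constructed for the demonstration and are assumptions, not real vendor formats.

```python
"""Identity-firewall attribution and simple user profiling (added example)."""
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed authentication events. The first form imitates a Windows logon
# event (4624 is the real logon event ID, but this field layout is invented
# for the demo); the second imitates a VPN gateway log line. Note that
# 10.0.1.20 is reused by a second user later in the day.
CONSTRUCTED_AUTH_LOGS = [
    "2024-05-02T08:01:10Z WIN 4624 Account=alice Source_Network_Address=10.0.1.20",
    "2024-05-02T08:05:44Z VPN connected user=bob vip=10.8.0.5",
    "2024-05-02T09:30:00Z WIN 4624 Account=carol Source_Network_Address=10.0.1.20",
]

# Constructed group membership, standing in for what an LDAP query would return.
GROUPS: Dict[str, set] = {"alice": {"assistants"}, "bob": {"netops"}, "carol": {"assistants"}}

# Constructed rules by group: destination ports each group may use.
# Only netops is expected to administer routers over SSH (port 22).
POLICY: Dict[str, set] = {"netops": {22, 80, 443}, "assistants": {80, 443}}

WIN_RE = re.compile(r"^(\S+) WIN 4624 Account=(\S+) Source_Network_Address=(\S+)$")
VPN_RE = re.compile(r"^(\S+) VPN connected user=(\S+) vip=(\S+)$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class IdentityMap:
    """Keeps, per IP address, a time-ordered list of who authenticated from it."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)

    def ingest(self, line: str) -> bool:
        """Parse one log line; return False if no known format matched."""
        for pattern in (WIN_RE, VPN_RE):
            match = pattern.match(line)
            if match:
                ts, user, ip = match.groups()
                self._by_ip[ip].append((parse_ts(ts), user))
                self._by_ip[ip].sort()
                return True
        return False

    def user_at(self, ip: str, ts: datetime) -> Optional[str]:
        """Account most recently seen authenticating from ip at or before ts.

        The timestamp matters: one address can belong to different people
        during a day, so a flow is attributed to whoever held the address
        when the flow happened, not to the last login overall.
        """
        entries = self._by_ip.get(ip, [])
        idx = bisect_right([t for t, _ in entries], ts)
        return entries[idx - 1][1] if idx else None


def evaluate_flow(idmap: IdentityMap, src_ip: str, dst_port: int, ts: datetime) -> Tuple[str, Optional[str]]:
    """Attribute a flow to a user and check it against the group policy.

    Returns (verdict, user) with verdict "allow", "anomaly" or "unknown".
    "anomaly" is the article's case of an assistant suddenly configuring routers.
    """
    user = idmap.user_at(src_ip, ts)
    if user is None:
        return "unknown", None
    allowed = set().union(*(POLICY.get(g, set()) for g in GROUPS.get(user, set())))
    return ("allow" if dst_port in allowed else "anomaly"), user


def build_map() -> IdentityMap:
    idmap = IdentityMap()
    for line in CONSTRUCTED_AUTH_LOGS:
        idmap.ingest(line)
    return idmap


if __name__ == "__main__":
    idmap = build_map()
    # Constructed flows: (source IP, destination port, time of the flow).
    for src, port, when in [
        ("10.0.1.20", 22, "2024-05-02T08:10:00Z"),   # alice (assistant) -> SSH to a router: anomaly
        ("10.8.0.5", 22, "2024-05-02T08:10:00Z"),    # bob (netops) -> allow
        ("10.0.1.20", 443, "2024-05-02T09:35:00Z"),  # carol now holds the address -> allow
        ("10.0.9.9", 443, "2024-05-02T09:35:00Z"),   # never authenticated -> unknown
    ]:
        print(src, port, when, evaluate_flow(idmap, src, port, parse_ts(when)))
```

In a real deployment the ingest side would read the sources the article lists (directory authentication logs, Kerberos exchanges, VPN and mail logs), and the policy would be checked against the application identified in the flow rather than a bare port, but the time-aware IP-to-user lookup is the core of the technique.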

Profiling the work of employees thus means identifying anomalies in their work. Every incident is an occasion for an additional check to establish whether some third party is working from your employee's computer. Both the account and the utilities used may be perfectly legitimate, yet it turns out in the end that your network has been attacked. Various techniques are used for this task.

I would like to note right away that in some cases an attack can be carried out using fileless malicious code. Only a highly qualified specialist can identify a threat of this level, so it is worthwhile to turn periodically to experts for help in analyzing the events that your security system collects. With sufficient knowledge and practical skills, an analyst quickly identifies the source of the threat. No such specialist in sight? Then you can use specialized automated tools whose algorithms encode the actions of world-class experts.

Application Layer Control

Deep packet inspection (DPI), NGFW and NTA/NDR have long been used by security professionals to determine which employees use which applications at work. It is also important that applications in traffic be identified regardless of which port is used. Most devices that perform these tasks automatically work exclusively with standard ports: HTTP is classically checked on port 80, SMTP on port 25. Attackers are well aware of this, which allows them to bypass the established protection effectively. As a result, computers on your corporate network may end up running remote-control programs, traffic tunnels, cryptominers and any other software not permitted on such networks.
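Port-independent identification as the paragraph describes it, as an added example that is not code from the original article or from any NGFW or DPI product. It classifies a connection from the first bytes the client sends and compares that with what the destination port would suggest, so a protocol parked on the wrong port is reported instead of passing a port-only check. The signatures are deliberately minimal (a few well-known protocol openers) and the sample flows are constructed.

```python
"""Port-independent application identification (added example)."""
from typing import Dict, Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# What a port-only checker would assume is running on each port.
EXPECTED_ON_PORT: Dict[int, str] = {22: "ssh", 25: "smtp", 80: "http", 443: "tls", 8080: "http"}


def identify_payload(data: bytes) -> str:
    """Classify a connection from the client's first bytes, ignoring the port."""
    if data.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if data.startswith(HTTP_METHODS):
        return "http"
    # TLS: record type 0x16 (handshake), version major 0x03, and a
    # ClientHello handshake message (type 0x01) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03 and data[5] == 0x01:
        return "tls"
    # SMTP from the client side begins with EHLO/HELO (the server banner comes first on the wire).
    if data[:5].upper() in (b"EHLO ", b"HELO "):
        return "smtp"
    return "unknown"


def check_flow(dst_port: int, first_bytes: bytes) -> Dict[str, object]:
    """Compare what the payload says with what the port suggests.

    verdict is one of:
      ok                payload matches the port's conventional protocol
      port_mismatch     a recognised protocol on a port meant for another one (e.g. SSH on 443)
      nonstandard_port  a recognised protocol on a port with no expectation at all
      unclassified      nothing recognised; a port-only check would have passed it silently
    """
    app = identify_payload(first_bytes)
    expected: Optional[str] = EXPECTED_ON_PORT.get(dst_port)
    if app == "unknown":
        verdict = "unclassified"
    elif expected is None:
        verdict = "nonstandard_port"
    elif app == expected:
        verdict = "ok"
    else:
        verdict = "port_mismatch"
    return {"port": dst_port, "app": app, "expected": expected, "verdict": verdict}


# Constructed first bytes of five client connections.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
CONSTRUCTED_FLOWS = [
    (443, TLS_CLIENT_HELLO),                                            # TLS where TLS belongs
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                                  # SSH on the HTTPS port
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (4444, b"GET /update HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"),       # HTTP on an unexpected port
    (443, b"\x7f\x00\x13\x37binary-tunnel-hello"),                      # not TLS at all
]

if __name__ == "__main__":
    for port, payload in CONSTRUCTED_FLOWS:
        print(check_flow(port, payload))
```

A production DPI engine keeps thousands of such signatures and follows the conversation past the first packet; the point here is only that the decision is taken on content, with the port used as a cross-check rather than as the classifier.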

That is why, when organizing a corporate network security system, it is very important to determine directly from the traffic which application is transmitting data. But, alas, this solution is no longer used in the Russian Federation today, because it requires an active subscription to application detection signatures, which are updated literally every day. So what can be done? One alternative is a Russian-developed product, PT Network Attack Discovery. It listens to user traffic and records it in real time, identifying both the employees working on the network and the applications they are currently using. Thanks to this, if an incident occurs it will be easy to establish who was responsible. This work should be done in real time, because attackers often change IP addresses, which can make them hard to identify.

This application also has an advanced version, PT NAD. This engine literally parses each network connection into its smallest components, down to the application layer. Thanks to it, you can today read more than 1200 parameters directly from the product interface, and on the basis of these characteristics you can create your own detection rules that take into account the specifics of your corporate network.

It is also very important, when analyzing an incident, to know which IP address corresponded to a DNS name in the past. To do this, you need to record DNS queries and their responses and keep that record. This information will later greatly facilitate the analysts' work in identifying the causes of the incident.
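The record the paragraph calls for is usually kept as a passive DNS store, shown here as an added example that is not code from the original article or from any NTA product. It ingests answer records as they are seen and answers the investigator's question in both directions: which names resolved to a given address at a given moment, and how a name's resolution changed over time. The JSON line format is constructed for the demonstration and is an assumption; real sensors emit richer records, but the idea is the same.

```python
"""Passive DNS store: which name did this address belong to at time T? (added example)"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed resolver log, one line per answer record seen on the wire.
# The same address serves two names at 08:00, and updates.example.net moves
# to a new address at 14:00 and later gains a CNAME.
CONSTRUCTED_DNS_LOG = [
    '{"ts": "2024-05-02T08:00:00Z", "client": "10.0.1.20", "qname": "updates.example.net", "rrtype": "A", "rdata": "203.0.113.10", "ttl": 300}',
    '{"ts": "2024-05-02T08:00:00Z", "client": "10.0.1.20", "qname": "cdn.example.net", "rrtype": "A", "rdata": "203.0.113.10", "ttl": 300}',
    '{"ts": "2024-05-02T14:00:00Z", "client": "10.0.1.21", "qname": "updates.example.net", "rrtype": "A", "rdata": "198.51.100.7", "ttl": 300}',
    '{"ts": "2024-05-02T14:05:00Z", "client": "10.0.1.22", "qname": "updates.example.net", "rrtype": "CNAME", "rdata": "edge.example.org", "ttl": 60}',
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class PassiveDns:
    """Aggregates observed (name, type, data) records with first/last sighting and TTL."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str, str], dict] = {}

    def ingest(self, line: str) -> None:
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        key = (ev["qname"].lower().rstrip("."), ev["rrtype"], ev["rdata"])
        rec = self._records.setdefault(
            key, {"first_seen": ts, "last_seen": ts, "ttl": int(ev["ttl"]), "clients": set()}
        )
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["ttl"] = max(rec["ttl"], int(ev["ttl"]))
        rec["clients"].add(ev["client"])  # who asked: useful when tracing the incident back

    def names_for_ip(self, ip: str, at: datetime) -> Set[str]:
        """Names that resolved to ip at time `at`.

        A record counts as live from its first sighting until its last
        sighting plus TTL, because a client that cached the answer may keep
        using the address for that long after the last query we saw.
        """
        names: Set[str] = set()
        for (qname, rrtype, rdata), rec in self._records.items():
            if rrtype not in ("A", "AAAA") or rdata != ip:
                continue
            if rec["first_seen"] <= at <= rec["last_seen"] + timedelta(seconds=rec["ttl"]):
                names.add(qname)
        return names

    def history(self, qname: str) -> List[Tuple[datetime, str, str]]:
        """Chronological (first_seen, rrtype, rdata) rows for a name, any record type."""
        q = qname.lower().rstrip(".")
        rows = [(rec["first_seen"], rrtype, rdata)
                for (name, rrtype, rdata), rec in self._records.items() if name == q]
        return sorted(rows)


def build_store() -> PassiveDns:
    store = PassiveDns()
    for line in CONSTRUCTED_DNS_LOG:
        store.ingest(line)
    return store


if __name__ == "__main__":
    store = build_store()
    print(store.names_for_ip("203.0.113.10", parse_ts("2024-05-02T08:02:00Z")))
    print(store.names_for_ip("203.0.113.10", parse_ts("2024-05-02T14:02:00Z")))
    for first_seen, rrtype, rdata in store.history("updates.example.net"):
        print(first_seen.isoformat(), rrtype, rdata)
```

The TTL-based liveness window is the detail that matters during an investigation: asking "what was 203.0.113.10 at 14:02?" correctly returns nothing, because by then the name had moved, while a lookup at 08:02 returns both names that shared the address.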

Summing up

The topic of network security is very broad and many-sided. It also includes threat hunting, traffic recording and event correlation, and checking for malicious files. It is equally important to understand how to work with encrypted connections and to understand indicators of compromise. You can read about all this and much more here.

But not only devices connected to the corporate network are subject to attack; so are the personal computers and laptops of ordinary users. What can be done in this case to give yourself an additional layer of protection when working on the network? We recommend connecting mobile proxies from the MobileProxy.Space service. Detailed information about this product, its functionality and tariffs can be found here. By replacing your real IP address with the technical characteristics of the server itself, you get not only protection against hacker attacks and any unauthorized access but also complete confidentiality of your actions, effective bypass of regional blocking, the ability to work in multi-threaded mode (multi-accounting), and so on.
