Network security

Data Traffic & Network Security

Dimitar Kostadinov
February 23, 2015 by
Dimitar Kostadinov

Introduction

Last year – dubbed "the Year of the Hack" – saw numerous major cyber attacks against prominent corporations, including JP Morgan bank and Sony Pictures Entertainment. And after Target in 2013, another retailer, Home Depot, suffered a data breach with more than 56 million credit cards stolen. The consequences of these incidents can be devastating in terms of reputation damage and lawsuits that have been filed, charging negligent IT security control. Hackers exposed lots of poorly protected systems, and we should ask ourselves: What's wrong here? It seems likely that data traffic security and network security have not kept abreast with the technological innovation. This article attempts to gain insight into some of the current issues related to the subject matter, such as proper data encryption, network segmentation, traffic originating from mobile devices, etc.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

  1. Network Segmentation & Data Encryption
  2. Regulatory guidelines that ensure a general standard of compliance focus on traffic encryption for that data that traverse external or public networks, whereas local, inner-core networks are protected by means of logical network segmentation. Isolation of sensitive data on specific internal network repositories and cryptographic segmentation are common security standards today for many institutions that operate with loads of private and confidential information, e.g., banks and hospitals.

    Network segmentation is possible through technologies like firewalls and routing subnets. On the other hand, the encryption process for data in motion utilizes a large number of forms of encryption ranging from Web-based/HTTPS encryption to SSL-based VPNs.

    1. Enhanced Security with Proper Network Segmentation
      a) Unauthorized network access can be limited through network segmentation or security "zoning". This mitigation technique will withhold the propagation of a threat, for instance, malicious actors attempting to move across the network. At the same time, segregating the network properly will enable access to those persons who are authorized. Firewalls and VLANs have a function that can partition the network into multiple zones.

    Multiple layers of control within the network – IT security corporations are more and more interested in dealing with network segmentation errors. But security is not the only problem with configuring proper network segmentation. Beware that while adding more security layers can impede access by cybercriminals, it can also have a negative impact on business dealings if the configuration is not user-friendly enough. Hence, we are obligated to take into consideration other key benefits associated with well-segmented networks, namely, "the ability to contain network problems, improve performance, and reduce congestion."

    Diagram 1

    "Example of Network Segmentation (Part 1)"

    Diagram 2

    "Example of Network Segmentation (Part 2)"

    VLAN Network Segmentation and Security

    Network segmentation with virtual local area networks (VLANs) breaks a network into a number of isolated, smaller networks within the data center. Each of these networks operates as a separate logical broadcast domain. A proper VLAN segmentation can hinder significantly threat actors from accessing the system surface, and simultaneously diminishes their packet-sniffing capabilities. Furthermore, VLANs authorize legitimate users to access only those servers and devices related to their duties.

    VLANs have a positive unloading effect on network performance because the massive broadcast domains are divided into easily-manoeuvrable small parts. VLANs provide organizational flexibility, allowing administrators to group segmented mini-networks based on categories such as function, application, and project team. Lastly, VLANs can give secure but convenient user mobility to users assigned to a particular VLAN, since they can remain connected to that VLAN irrespective of location.

    What do the critics say about VLANs?

    VLANs are unable to enforce reliable control of privileged information because they simply isolate network traffic. It is deemed that they cannot inspect this traffic for threats. Moreover, along with other traditional tools, e.g., internal firewalls, VLANs can be a point of failure as far as security, flexibility, and management is concerned. That is because: "they necessitate physically changing the network topology to create or modify a secure domain; firewall rules to control user access incur time-consuming work-around fixes for authorized users; and security measures such as encrypting internal traffic isn't always possible."

    Next-Generation Networks

    Software Defined Networking (SDN), Network virtualization (NV), and Network Functions Virtualization (NFV) present an advanced software-based approach to IT virtualization of entire network architecture. A citation from this document illustrates in a few words the basic characteristics of these cutting-edge technologies:

    "The main advantage of Software Defined Networking (SDN) is that network control is separated from the forwarding plane and allows for a flexible management of the network resources. Network virtualization (NV) brings virtualization concepts to the network, similar to cloud computing, which was enabled by virtualization of servers. Network Function Virtualization (NFV) focuses on virtualization of software - based network functions. Classical examples include virtualization of home gateways, firewalls, set top boxes, deep packet inspection components, IMS components, and monitoring probes. Instead of installing and managing dedicated hardware boxes for these functions, they are instead implemented as software components and deployed on commodity hardware infrastructures, in most cases operated by a network operator and referred to as telco clouds."

    Software Defined Networking (SDN)

    In October 2013, the Open Networking Foundation (ONF) issued a research report in which two potential security challenges related to SDN were addressed:

    1. The centralized controller as a "potential single point of attack and failure."
    2. The southbound interface between the controller and data-forwarding devices is "vulnerable to threats that could degrade the availability, performance and integrity of the network."

    Measures within the SDN's architecture:

    1. Secure the access to the Controller— protecting the Controller means protecting your SDN;
    2. Create a trusted network environment between the SDN Controller, the applications, the devices, which will protect the communications throughout the network;
    3. Enforce a robust policy framework to constantly check on the proper functioning of the SDN Controller;
    4. Enforce Remediation + Forensics procedures when necessary (i.e., recovery mechanisms, reporting, and analysis).

    Security outside the architecture can be embedded either in servers, storage and other computing apparatuses.

    Network Functions Virtualization (NFV)

    There are two basic security threats for NFVs:

    1) A combination of all generic visualization threats;

    2) Threats specific to the network function software.

    However, virtualization gives some complementary security by eliminating or mitigating several kinds of threats typical for the network function software with the help of new elements like centralized security management and hypervisor introspection.

    For improving the NFV's security, Andreas Lemke advises users to utilize the following two-pronged combination:

    • "Reducing generic virtualization threats as much as possible by securing the virtualization platform
    • Eliminating as many network function-specific threats as possible by applying NFV-enabled security mechanisms, such as hypervisor-based protection"

    1. Drafting a stringent security policy on what is to be transferred from zone to zone is the next step.

    Accidental access of third parties to your network must be restricted to cases when it is absolutely needed and areas where there is no other information beyond what is required. A zone that contains highly sensitive data should be isolated as much as possible from the rest of the network, but it should not pose an undue burden on the overall data traffic.

    Tag zones differently depending on the type of data they contain. With regard to the previous point, be sure that a sensitive type of information is not within the reach of an unauthorized third party.

    Define "good faith", innocuous communication paths and block suspicious data traffic.

    Building an enormous matrix of segregated zones may entail drafting a policy for traffic management between zones. Due to security changes over time, frequent changes in the policy have to be made as well so that the policy in question can respond to the present security dynamics of this new network environment.

    There are standards that can provide guidance on how to set up efficient separation of data within the network. The Payment Card Industry Data Security Standard (PCI-DSS) is such, and in this case sensitive information like payment card data should be isolated from the rest of the network.

    Case Study: Target Data Breach

    As some of the recent data breaches have shown, improper network segmentation can result in exposure of your data to system outages or theft. Stolen third-party credentials can be further exploited for getting a foothold in entire networks. That was the case with the infamous Target data leakage in December 2013.

    According to Jody Brazil, founder of the security vendor FireMon, Target failed to secure in a proper fashion the access of third parties to their payment systems. A main lapse seems to be the fact that they did not segment the network to ensure that sensitive cardholder data was separated from what outsiders can access – which is a noncompliance in itself with a ubiquitous security practice pursuant to the aforementioned PCI-DSS.

    Finally, Brazil concludes that despite the sophisticated nature of the malware used to intercept and steal payment card data from the company's Point-of-sale (POS) systems, the attacker would have been stopped at the installation phase if Target had followed network segmentation procedures in the first place.

    2. Enhanced Security with Proper Encryption

     

    The classical security architecture counts on establishment of a trusted internal network guarded by firewalls. Thus, applications in the safe zone are deemed totally trustworthy. Security analysts bring these assumptions into question. As if the old maxima "Hope for the best and prepare for (assume) the worst" is better justified in terms of real-deal proactive security measures like encryption, especially for preservation of sensitive data.

    A survey conducted by Spiceworks, a professional network for IT specialists, ascertains that 76% of the IT managers use at least two forms of encryption to ensure that the data traffic of their enterprises is secure. Astonishingly, one out of three admits that he is forced to use three or more kinds of encryption or VPNs for data in motion. It seems clear that this might be a security problem, since these managers cannot reach some form of consensus concerning the promulgation of a uniform and consistent encryption policy, which would encompass all network segments and applications under its belt. Consequently, all gaps and inconsistencies in data traffic security are an aftermath of the existent fragmented environment.

    Corporations encounter difficulties with encryption management chiefly because of the fragmentation, which has a performance impact on firewalls and network devices. The direct effect of these issues is felt in the form of deployment of less than ideal data traffic security to compensate for shortcomings existing in network systems and firewalls – a dangerous trade-off that IT managers are bound to do. The following statistic reflects on the aforementioned subject: "45% of the respondents said encryption is too difficult to manage to use for segmentation, while 36 percent cited the performance hit on firewalls and network devices when encryption is turned on."

    Presumably, the coordination of extremely fragmented, fractured means of data encryption and segmentation is often an arduous chore. Is it abstaining from encrypting a viable alternative? Highly unlikely. Nevertheless, more than half of the surveyed organizations confirm that concerns about performance quality preclude them from opting for this multiple encryption.

    II. Mobile Data Traffic and Network Security

    The mobile unencrypted traffic from apps is growing each month. At the moment 49% of all app traffic is unencrypted, which means that it is vulnerable to snooping and injection cyber attacks. These pose a significant threat to the normal functioning of day-to-day business operations.

    Interestingly, outsiders finding a loophole in the corporate network is not as frequent of a security nuisance as unsuspecting employees opening a door to a malicious cyber attack. Most users (72%) do not feel uncomfortable (at least at the beginning) with sharing sensitive information in their apps, such as credit card details and passwords.

    Diagram 3

    Source:
    http://commons.wikimedia.org/wiki/File:Consumerization_Report_-_Chart_3.jpg (by Cgarlati).

    Bring Your Own Device (BYOD)

    Many people in Western countries have up to five Internet-connectable devices and 300 identities across a great number of online shopping portals and social media – an ongoing tendency that ushers in the bring your own device (BYOD) revolution. From a business point of view, there is a monetary as well as reputational risk associated with not being able to protect the data trusted to them because of the increasing adoption of personal devices in the workplace. And from a data transfer perspective, the equation gets even more complicated when cloud-based platforms allow employees to access business information regardless of geographic location. Besides proper employee management (that could be an IT security training of personnel), identity control based on staff movement restrictions across virtual, cloud and physical environment is vital for complying with the current standards in terms of efficiency and security.

    The silo style of mobility

    Mobile-device management and enterprise-mobility management have been developed by enterprises to manage devices like tablets and smartphones. Under the standard approach, these two systems integrate with a VPN server, for instance, to set up an encrypted data connection to the company. The silo-based nature of all mobile devices, however, localize the perimeter protection to the company's boundaries. Consequently, if an employee has credentials on his mobile device, a malicious actor can obtain and leverage them to gain unfettered access to internal networks. And we all know that personal devices typically do not possess antivirus/antimalware software and often share information with untrustworthy apps. The security threat stems from the fact that all internal networks of the corporation continue to be considered "safe" and "trusted" (See Diagram 4). As a result, enterprises often use insufficient controls to segment data traffic and secure or isolate internal applications containing sensitive servers.

    Diagram 4

    Conclusion

    The Spiceworks survey reported that improving network security was put on the priority agenda for the IT sector in 2015. Allocating funds to network security projects for this years is envisaged by approximately two-thirds of all enterprises participating in the interview. We can only hope that these measures will not come as "too little, too late". And while the investment in the reconstruction of outdated network architectures and data traffic mechanisms is important, we should not forget to adjust our personal perception to these changes.

    Reference List

    Boone, A. (2015). Network Security Trends and Outlook. Retrieved on 15/02/2015 from https://www.sdxcentral.com/articles/contributed/network-security-trends-and-outlook-2015/2015/01/

    Boone, A. (2015). 2015 Predictions: Mobile security set for change in 2015. Retrieved on 15/02/2015 from http://www.rcrwireless.com/20150109/opinion/2015-predictions-mobile-security-set-for-change-in-2015-tag10

    Certes (2015). Solving the data traffic encryption tangle. Retrieved on 15/02/2015 from http://certesnetworks.com/blog/solving-the-data-traffic-encryption-tangle/

    Cryptozone. Network Segmentation. Retrieved on 15/02/2015 from http://www.cryptzone.com/solutions/network-segmentation

    Forsyth, L. (2012). Poor data security can cause lasting damage to your enterprise. Retrieved on 15/02/2015 from http://www.theguardian.com/media-network/media-network-blog/2012/dec/13/internet-data-security-enterprise

    Harrison, R. (2014). Network Segmentation Key To Good Network Hygiene. Retrieved on 15/02/2015 from http://www.networkcomputing.com/networking/network-segmentation-key-to-good-network-hygiene/a/d-id/1269687

    McGillicuddy, S. (2014). SDN security issues: How secure is the SDN stack? Retrieved on 15/02/2015 from http://searchsdn.techtarget.com/news/2240214438/SDN-security-issues-How-secure-is-the-SDN-stack

    Natarajan, P. (2014). Rock-solid Data Traffic Security in a Virtualized Network World. Retrieved on 15/02/2015 from www.ciena.com/connect/blog/Rock-solid-Data-Traffic-Security-in-a-Virtualized-Network-World.html

    Open Networking Foundation (2013). SDN Security Considerations in the Data Center. Retrieved on 15/02/2015 from https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-security-data-center.pdf

    Olzak, T. (2012). VLAN Network Segmentation and Security- Chapter 5. Retrieved on 15/02/2015 from /vlan-network-chapter-5/

    Palo Alto Networks. Zero Trust Approach To Network Segmentation. Retrieved on 15/02/2015 from https://www.paloaltonetworks.com/solutions/initiative/network-segmentation.html

    Philbin (2014). Mobile Data Trends Report shows nearly half of app traffic now unencrypted. Retrieved on 15/02/2015 from https://www.wandera.com/blog/mobile-data-trends-report-shows-nearly-half-of-app-traffic-now-unencrypted/

    Reichenberg, N. (2014). Improving Security via Proper Network Segmentation. Retrieved on 15/02/2015 from http://www.securityweek.com/improving-security-proper-network-segmentation

    SDNCentral. SDN Security Challenges in SDN Environments. Retrieved on 15/02/2015 from https://www.sdxcentral.com/resources/security/security-challenges-sdn-software-defined-networks/

    TrendMicro (2013). Catch Evasive Threats That Hide Behind Real Network Traffic. Retrieved on 15/02/2015 from www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-network-detection-evasion-methods.pdf

    Vijayan, J. (2014). Target breach happened because of a basic network segmentation error. Retrieved on 15/02/2015 from http://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happened-because-of-a-basic-network-segmentation-error.html

    Diagram 1 and 2 are based on graphs in:

    Learn Network Security Fundamentals

    Learn Network Security Fundamentals

    Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

    Raza, K. (2015). Network Segmentation & SD-WAN. Retrieved on 15/02/2015 from http://www.networkcomputing.com/networking/network-segmentation-and-sd-wan/a/d-id/1318634

    Dimitar Kostadinov
    Dimitar Kostadinov

    Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.