Cybersecurity professionals are continuously working to stay at least one step ahead of hackers and protect their organizations from new and emerging cyberattacks and threats. Different types of hackers compromise organizations and user accounts with different motives, such as for fun or just to prove a point to others within the community, while more organized groups of hackers typically work together for financial gain. The age of ransomware shook the world as no one was ready for such a type of threat that affected many organizations and continues to be a major one. The idea of encrypting data and asking for a ransom was a good approach to easily gain money and cryptocurrencies from victims.
While many cybersecurity professionals warn victims to not pay the ransom as there’s no guarantee of retrieving their data, many organizations have given in and paid the ransom with the hope that good faith will prevail and their most valuable asset – data – will be available once more. While no single system is perfectly secured against cyberattacks and threats, network security professionals use best practices and technologies on their network to reduce the risk of cyberattacks and protect their assets from hackers. Without network security solutions, organizations are simply left open to potential attacks from hackers around the world.
In this chapter, you will learn about common techniques used by network security professionals to improve the security posture of their network infrastructure and reduce the risk of a cyberattack. You will learn about network hardening techniques and their benefits, wireless security solutions and how they are used to mitigate wireless attacks, how to securely access your network using popular remote access methods, and various physical security practices within organizations.
In this chapter, we will cover the following topics:
Let’s dive in!
Cyberattacks occur all the time; each day, there are many reports of unknown cyberattacks that have been discovered by various security organizations and security researchers around the world. However, many organizations do not realize their systems and networks have been compromised by a threat actor until months after the attack has occurred. The longer an organization takes to discover its systems and networks have been breached, the more time the hacker has to dig deeper into the network and install multiple backdoors while going undetected. Hence, implementing network hardening techniques reduces the risk of being compromised while improving the security of the network.
Implementing network security best practices helps network professionals ensure their network infrastructure, such as its network devices and security appliances, are properly secured against hackers, cyberattacks, and threats. While networking devices are designed to forward frames and packets to their destinations, network devices such as switches and routers have an operating system. If a hacker gains access to an organization’s network and discovers an outdated version of an operating system on a router or switch, the hacker can use an exploit to compromise the vulnerable operating system and take control of the device. This allows the hacker to redirect traffic or mirror users’ traffic.
Additionally, if the hacker can find a vulnerability within a security appliance such as an organization’s firewall, the hacker can attempt to exploit it and gain control of the device. If the firewall is compromised, the hacker can insert, modify, and delete rules on the firewall to permit malicious or suspicious traffic to enter and leave the organization’s network undetected.
The following are best practices for improving the security posture of your network infrastructure:
Additionally, firewall rules are used to filter traffic between networks that are directly connected to the firewall appliance. These firewall rules are created by security professionals using various criteria such as source IP address, destination IP address, source port number, destination port number, network protocol type, transport layer protocol type, application layer type, and so on. It’s recommended that these rules are organized so that more specific firewall rules are placed at the top of the list while less specific and general firewalls are placed beneath. An example of a specific firewall rule is a security professional who wants to restrict HTTP traffic from a PC on the internal network to a destination web server on the internet. Here, a general firewall rule would restrict all traffic from one network to another.
Having completed this section, you have learned about some common techniques and best practices that are used to improve the security posture and harden a network infrastructure within an organization. Next, you will discover best practices for securing a wireless network.
Wireless networking allows users to connect their wireless, mobile devices to an access point to access the resources on a wired network and vice versa. There are many advantages to implementing a wireless network infrastructure within homes and organizations, with the most obvious benefit being that wireless networking reduces the number of physical cables needed to allow clients to access the network. It’s as simple as installing one or more access points so that they’re physically connected to a network switch and configuring the wireless settings with each access point to broadcast a Service Set Identifier (SSID) and network details.
While wireless networking supports mobility, allowing users to roam around the vicinity of a wireless network, many threats and wireless-based attacks are commonly used by hackers to compromise the security of an access point, which compromises the wireless network and its users. For instance, since an access point uses radio frequencies emitted from antennas to transmit Wireless Local Area Network (WLAN) frames, a threat actor does not need physical access to the access point – they simply need to be within range of the wireless signal generated from the access point to launch an attack against it. Furthermore, if a threat actor were to gain unauthorized access to the wireless network, non-tech-savvy people would not think about frequently checking their network for any unauthorized users and devices.
Many organizations and home users are not always aware that their networks and systems have been compromised by a hacker until it’s too late. At this point, the hacker can gain control over critical systems and Internet of Things (IoT) devices and create multiple backdoors into the network. For instance, imagine that a hacker has compromised a home wireless network and can identify and compromise a home security monitoring system that’s connected to the same network. The hacker can either choose to monitor the victims’ activities or disable their security monitoring solution. Hence, it’s important to secure wireless networks using best practices to reduce the risk of a potential cyberattack and various threats.
Typically, when setting up a wireless network for a home, office, or organization, it’s important to consider the SSID or the network name. Many organizations commonly configure their SSIDs using the name of their company, thus providing the convenience for employees to easily discover and connect to their wireless network. However, this convenience also helps a hacker who’s within the vicinity to easily find the company and its wireless network. Hence, setting the SSID as the name of your organization makes your wireless network a target.
Furthermore, many businesses commonly use the default SSID that’s configured on the access point by the vendor. For instance, vendors commonly pre-configure their access points with an SSID that contains the name of the vendor and device model. A hacker can use this information to research any known security vulnerabilities of a specific device and attempt to exploit its security weaknesses.
The following screenshot shows the common user interface of a Cisco Linksys E1000 access point:
Figure 16.1 – Access point wireless settings
As shown in the preceding screenshot, when logged into an access point, selecting Wireless | Basic Wireless Settings will allow you to configure the network mode, SSID, and channel on the device. The access point is using the default SSID that’s pre-configured by the vendor before it’s shipped. It’s recommended to change the default SSID and set a network name that does not identify your specific network or organization. This technique does not prevent but deters a threat actor.
Important note
Do not use Wi-Fi Protected Setup (WPS) as there are many unresolved security vulnerabilities.
Additionally, the SSID Broadcast feature allows you to configure the access point to advertise the SSID to all wireless clients within the vicinity. By default, the SSID Broadcast feature is enabled, which makes it easier to discover the wireless network. However, disabling this feature will allow the access point to still advertise its presence without including the SSID within the WLAN frames, which means wireless clients will not detect the SSID within their list of nearby available wireless networks. From a cybersecurity perspective, a seasoned hacker can discover a hidden wireless network within a few minutes or less. Therefore, disabling the SSID Broadcast feature will not prevent a hacker from discovering the hidden wireless network and launching wireless-based attacks.
Whether you’re implementing a wireless network within a home or an organization, you should always set strong, complex passwords to reduce the likelihood of a hacker being able to retrieve those passwords and gain access to your network. I’ve seen many organizations configure weak and guessable passwords during my career and while it might be surprising to aspiring network professionals, it’s quite a common and bad practice within many industries. While some companies think their wireless networks are safe because a password or passphrase prevents a hacker from accessing the network, they need to consider the complexity of the password or passphrase.
The following are some guidelines to help improve the complexity of a password or passphrase:
If you’re having difficulties creating unique complex passwords, consider using an online password generator. The following are a few examples:
The following screenshot shows an example of a password that meets the criteria that were chosen within the password generator:
Figure 16.2 – Complex password
The Pre-Shared Key (PSK) field within the wireless security settings on an access point allows network professionals to configure a password or passphrase as the PSK value. This PSK is used with the data encryption algorithm to encrypt the data as it is sent over the wireless network.
The following screenshot shows the wireless security window of a Cisco Linksys E1000:
Figure 16.3 – Wireless security window
As shown in the preceding screenshot, the WPA2 Personal wireless security standard was selected, and a complex password was configured as the PSK value. Keep in mind that the wireless security feature is disabled by default on access points; network professionals shouldn’t use default configurations as it can lead to a potential cyberattack.
Older access points support the WPA2 wireless security standard, while newer access points support WPA3, the latest version. If you’re configuring your access point to use the WPA3 wireless security standard, ensure your wireless clients also support WPA3. If you’re connecting wireless clients that use WPA2 to an access point that’s configured with WPA3, the access point will scale down from WPA3 to WPA2, which allows the wireless clients to establish a connection. Hence, the wireless network will not benefit from the improvements of WPA3 in this situation.
MAC filtering is a common security feature of access points that allows a network professional to configure either a whitelist or blacklist of MAC addresses. For instance, the whitelist contains a set of MAC addresses from wireless clients that are permitted to connect to the wireless network; all other devices will be denied automatically. On the other hand, the blacklist contains the MAC addresses that are not allowed to access the wireless network. Creating the whitelist (permit) or blacklist (prevent) helps network professionals add an extra layer of security to their wireless network.
If a hacker can retrieve the password or passphrase of the wireless network, the hacker will not be able to connect to the wireless network if their device’s MAC address is restricted when MAC filtering is active.
The following screenshot shows the user interface of the MAC filtering feature on a Cisco Linksys E1000:
Figure 16.4 – MAC filtering user interface
As shown in the preceding screenshot, the MAC filtering feature is enabled, and it’s configured to permit the set of MAC addresses within the list. Therefore, network professionals need to ensure the MAC addresses of authorized devices are included within the list of permitted addresses.
While MAC filtering is an additional layer of security on wireless networks, a seasoned hacker can determine the MAC address of any wireless clients that are associated with an access point. While MAC filtering can be bypassed, it is still considered to be a layer of security on a wireless network.
Without antennas on an access point, it simply won’t be able to transmit radio frequency signals to nearby wireless clients. The type, placement, and power levels on these wireless antennas affect the coverage of the wireless signals that are generated from the access point. For instance, some access points contain internal antennas while others support external detachable antennas. The main difference between antenna implementation is quite obvious – that is, the internal antennas can’t be removed or changed by the user, while the external antennas usually can be removed. Additionally, access points with external antennas are known to provide better coverage compared to those with internal antennas.
The following figure shows the detachable antennas of an access point:
Figure 16.5 – Detachable antennas
As shown in the preceding figure, these are omnidirectional antennas, which are designed to transmit radio frequencies in all directions at the same time. The omnidirectional antennas are common on access points as they provide excellent coverage for office spaces within buildings and homes.
Sometimes, network professionals implement a wireless network to bridge two buildings over a large distance, ranging from a few meters to kilometers in distance. Using parabolic antennas, network professionals can implement one antenna on the rooftop of each building while ensuring there’s a line of sight between them to create a point-to-point connection.
The following diagram shows a visual representation of using parabolic antennas between buildings:
Figure 16.6 – Parabolic antennas
As shown in the preceding diagram, parabolic antennas have a dish-like shape, which allows the antennas to radiate the radio frequencies in a specific direction compared to omnidirectional antennas. Network professionals can achieve distances over a few kilometers using parabolic antennas, provided there are good weather conditions and a line of sight between the source and destinations. If one parabolic antenna is misaligned, the throughput, latency, and connection quality will be greatly affected. Fortunately, vendors who sell commercial parabolic antennas usually provide an application that allows network professionals to test the signal quality between parabolic antennas and measure the throughput between sites.
The yagi antennas are another type of directional antenna that is used in wireless networking. This type of antenna is one of the more popular directional antennas due to its size and portability compared to large parabolic antennas.
The following figure is of a yagi antenna:
Figure 16.7 – Yagi antenna
The access point provides sufficient power to each antenna. Some access points allow network professionals to reduce the power levels on the antennas to reduce the coverage of the wireless signal within the vicinity. As an aspiring network professional, you’ve probably been thinking, why reduce the coverage area? Isn’t the goal to ensure there is sufficient coverage to allow all authorized users to access the network? Simply put, network professionals need to ensure their wireless networks provide sufficient coverage to all their authorized users within the vicinity, such as their office spaces within a building. However, these wireless signals can penetrate the wall of the building and spread to public spaces such as the neighboring buildings and the people who are walking along the street.
A hacker can be sitting at a coffee shop across the street and detect your organization’s wireless network because the signal is strong enough to travel outside the compound. Reducing the power levels on the antennas via the user interface of the access point will reduce the range/coverage of the wireless signal, thus reducing the likelihood of a hacker being able to detect the wireless network from a long distance. However, it’s important to understand that reducing the power levels will reduce the coverage area, and authorized users may be affected.
Geofencing is a feature within some mobile operating systems, laptops, and applications that leverages the Global Positioning System (GPS) and even Radio Frequency Identification (RFID) on mobile devices to define a geographical boundary within the real world. IT professionals can configure a company-owned mobile device with geofencing to trigger a set of rules when the device either enters or leaves the building (geographic boundary). For instance, many geofencing applications use Google Maps/Earth to define the boundaries using a satellite view of the area, while other applications allow you to define the longitude and latitude positions on a web-based map.
Organizations can take advantage of geofencing on company-owned devices. For example, if a device is within an authorized geofence virtual barrier, various features and applications will be readily available for the user of the device. If the user carries the device outside the virtual barrier, an automated restriction will be applied to various features and applications on the mobile device.
Captive portals are commonly used within hotels and coffee shops to provide a web page that lists the terms and conditions for using the wireless network. Captive portals are commonly used for marketing purposes and provide login pages for users. For instance, when connecting to the free Wi-Fi at a local shop, you’ll be presented with a captive portal before you are granted access to the internet. On the captive portal, you will see the terms and conditions, along with some essential marketing advertisements. Once you’ve accepted the agreement, you’ll be able to access the network. Captive portals are also used within hotels, providing a web portal to allow authorized guests to authenticate themselves before accessing the internet.
Implementing client isolation allows network professionals to logically place specific wireless clients into an isolated network, preventing any communication between the isolated client and other devices that are associated with the access point. Imagine if an organization allowed guest devices and company-owned IoT devices to be connected to the same wireless network, allocate IP addresses from the same subnet, and directly communicate with each other. If a guest connects a malware-infected mobile device to the company’s wireless network, the malware can attempt to exploit the security vulnerabilities found on the IoT devices on the same wireless network.
One recommendation would be to improve the security posture of the IoT devices that are on the network. However, IoT devices do not run the same type of operating systems as traditional computers and servers – they run specialized firmware that is strictly created by the vendor of the device. Additionally, IoT devices depend on their vendor to provide regular firmware updates to resolve any bugs and security issues that may arise. However, not all vendors focus on developing updates for the firmware of their devices after the device is manufactured or even after a couple of years. For instance, Android OS is one of the most popular mobile operating systems within the mobile industry. The company, Android, has set its mark on providing operating system updates for 2 to 3 years after the launch and security updates up to 5 years after launch.
It’s recommended to set up wireless client isolation, such as creating a guest wireless network for all guest devices to join the network. The guest wireless network only provides access to the internet and restricts access to any internal networks. Many organizations that provide complimentary Wi-Fi access to their customers often create a guest wireless network to allow their visitors and customers to access the internet while restricting their access to the corporate network and resources. Additionally, network professionals can create another wireless network that’s isolated for all company-owned IoT devices. Therefore, all IoT devices are on one network, the guest devices are connected to another, and employees are connected to a third wireless network.
The Extensible Authentication Protocol (EAP) is a framework that’s commonly used on IEEE 802.11 wireless networks; it defines how systems are authenticated onto the network. There are different variations of EAP that are commonly used on wireless networks that use Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2).
The following are the different variations of EAP:
Next, you will discover various installation considerations that can improve the performance of a wireless network.
Before implementing a wireless network within an organization, it is important to perform a wireless LAN survey to determine the number of access points needed and the placement of these devices within the building or company. Typically, a network professional will use a laptop computer with a wireless monitoring application such as InSSIDer to monitor the wireless signal strength, an access point that’s preferred by the company, a floor plan of the building, an electrical extension cord, and writing materials.
The network professional will connect the access point to a power outlet and leave it on the floor, then use the wireless monitoring application while walking further away from the access point to observe the wireless signal strength and mark the areas on the floor plan where the signal is weaker. Then, it connects the access point to an area where the signal is weak or absent to continue performing the site survey. This process is repeated until the network professional has covered the entire floor plan, indicating the placement of all access points and their coverage areas. This allows the network professional to determine the number of access points needed to provide maximum coverage and their placement within the building or compound.
The following figure shows a typical scale from a wireless monitoring application:
Figure 16.8 – Wireless signal scale
As shown in the preceding figure, this scale helps network professionals easily determine whether their mobile device, such as a laptop or smartphone, is too far away from the access point, or whether the wireless signal is too weak. Therefore, you want to ensure all the wireless clients on the network have amazing to very good signal. There might be a few clients who will experience okay signals on their mobile devices, but you need to remember that as devices move further away from the closest access point, the signal will become weaker.
Tip
There are many free Wi-Fi analyzer applications that all perform the same core functions: measure signal strength and operating channels and identify nearby wireless networks.
The following screenshot shows a WiFi Analyzer application detecting nearby wireless networks and their operating channels:
Figure 16.9 – WiFi Analyzer
As shown in the preceding screenshot, the WiFi Analyzer application can show the number of wireless networks found within the vicinity, their signal strength based on the location of the device running the wireless monitoring application, and the operating channels of each wireless network. Network professionals should ensure their wireless networks are not using any channels that overlap with other nearby access points.
A Virtual Private Network (VPN) provides a secure channel for communication over an unsecure network such as the internet. VPNs allow organizations to interconnect their remote offices securely without the need for a managed solution such as a Wide Area Network (WAN) from a regional Internet Service Provider (ISP). Many organizations around the world prefer a WAN because the service provider is responsible for establishing, maintaining, and troubleshooting any issues with the service to the customer. However, managed services from service providers cost money and not all organizations have the financial resources for such services. An alternative, cost-efficient solution is to implement a VPN to interconnect remote branch offices around the world. Many enterprise routers and firewall appliances support VPN technologies and allow network professionals to implement both site-to-site and client-to-site VPNs without spending a lot of money on managed services.
Important note
The client-to-site VPN was previously known as a remote access VPN.
VPNs use a set of technologies such as authentication protocols, data encryption algorithms, and integrity-checking algorithms to ensure a secure, encrypted tunnel is established to provide confidentiality, integrity, and authenticity. A site-to-site VPN allows organizations to interconnect their remote offices using a secure and free method over the internet. To set up a site-to-site VPN, the following resources are needed at each remote branch office:
The following diagram shows a site-to-site VPN interconnecting two office locations:
Figure 16.10 – Site-to-site VPN
As shown in the preceding diagram, two branch offices are both interconnected using a site-to-site VPN. Additionally, a firewall is placed on the internet edge at each location and is assigned a static, public IP address on both devices. If the IP address on each device changes, the VPN tunnel will be broken. Furthermore, if a user at the remote branch wants to access a service at the head office, the user’s traffic will be sent from their computer to the firewall; then, it’s sent through the VPN tunnel directly to the firewall at the head office. While the traffic is passing through the VPN tunnel, it is encrypted to prevent any unauthorized users and devices from seeing the data. Once the firewall at the head office receives the message, it’s decrypted and forwarded to the destination server on the network.
Important note
The device that is providing the VPN service, such as a firewall, is referred to as a VPN concentrator.
When using a site-to-site VPN, internal users are not aware that their messages are being encrypted and decrypted as they’re being sent between remote offices. This is because the data encryption and decryption process takes place on the branch firewalls and not on their computers. Site-to-site VPNs have many benefits, such as cost savings and security, but the disadvantage is that network professionals are responsible for configuring, maintaining, and resolving any issues with the VPN service between remote branches.
Important note
There are free, open source firewalls that allow network and security professionals to implement site-to-site and remote access VPNs such as pfSense (https://www.pfsense.org/).
Client-to-site VPNs are more common in organizations that support teleworkers and remote working. As its name suggests, a remote access VPN is a type of VPN solution that allows a remote worker to securely connect and access resources on the corporate network. Remote workers can securely connect from the comfort of their homes, hotels, coffee shops, or anywhere with an internet connection. The VPN ensures all data between the teleworker’s computer and the corporate network is encrypted to provide confidentiality and data security.
The following diagram shows a client-to-site VPN:
Figure 16.11 – Remote access VPN
When using a client-to-site VPN, a VPN client is installed on the teleworker’s computers, and a VPN firewall is configured on the corporate network to access inbound VPN connections and apply policies to the authorized users. When the user wants to access resources on the corporate network, the user launches the VPN client and enters their user credentials, such as a username and password, to authenticate to the VPN firewall on the company’s network. This type of VPN establishes a secure tunnel between the user’s computer and the firewall over the internet.
The following screenshot shows the simplified user interface of the Cisco AnyConnect Secure Mobility Client on a user’s computer:
Figure 16.12 – VPN client user interface
Typically, VPN clients allow a user to select a pre-configured profile that contains the details needed to establish a connection to the firewall over the internet. The user simply needs to enter their credentials and connect.
Network professionals can configure client-to-site VPNs to operate in one of the following modes on the user’s device:
A clientless VPN is a type of VPN solution that does not require a VPN client on the teleworker’s computer. This type of VPN allows the teleworker to log in via a web portal using a standard web browser to access the company’s resources. A clientless VPN provides data encryption using TLS over an HTTPS connection between the client’s web browser and the firewall. This type of VPN is suitable for providing users with quick and easy access to resources that can be embedded into a web portal.
As an aspiring network professional, you will need to remotely connect and access systems over your network. Various in-band management methods allow an IT professional to securely access a system over a network, some of which are as follows:
But what if the internet service is down or portions of the internal network within an organization are unavailable? How will network professionals connect to their network devices and security appliances for troubleshooting? Implementing out-of-band management allows network professionals to access devices when a network connection is unavailable. On many networking devices, there are USB, serial, or console interfaces, which allow network professionals to physically access the management interface of the device. Additionally, some network devices allow network professionals to connect an internet modem directly to a management port on the device, allowing remote access to the device.
Having completed this section, you have discovered the importance and concepts of VPN and remote connectivity methods. In the next section, you will explore physical security.
As an aspiring network professional, it’s important to understand the role physical security plays within organizations and the various techniques that are used to protect assets from malicious activities. Without physical security, anyone can simply walk into restricted areas within a company and access systems, or steal and even tamper with assets. Organizations must implement various detection and prevention controls within their compound to reduce the risk of a physical threat.
Important note
Detection methods are simply deterrents and do not prevent a physical threat from occurring, while prevention methods allow security professionals to implement a type of preventative control to stop the threat from occurring.
The following are common detection methods:
The following are common prevention methods:
The following are some common asset disposal methods:
Having completed this section, you have learned about various techniques and methods that can be used to improve physical security within an organization. Now, let’s summarize this chapter.
In this chapter, you learned about popular and common network security solutions and strategies that are used within organizations to prevent and mitigate various types of cyberattacks and threats. Most importantly, they are used to improve the security posture of the network infrastructure. You also learned about network hardening techniques, wireless security solutions, remote access methods and technologies, and how physical security plays an important role within many organizations.
I hope this chapter has been informative for you and is helpful in your journey toward learning networking and becoming a network professional. In the next chapter, Chapter 17, Network Troubleshooting, you will focus on performing network troubleshooting to resolve issues that are common on modern networks.
The following is a short list of review questions to help reinforce your learning and help you identify areas that may require some improvement:
A. Router guard
B. DHCP snooping
C. Port security
D. Root guard
A. Dynamic ARP inspection
B. Router guard
C. MAC snooping
D. Root guard
A. Disable the SSID broadcast
B. Implement AES encryption
C. Implement MAC filtering
D. All of the above
A. Turn off the access point when it’s not in use
B. Reduce the power levels on the antennas
C. Decrease the bandwidth on the wireless network
D. Increase the power levels on the antennas
A. Remove the application from the mobile device when it’s not in use
B. Turn on the GPS on the device
C. Implement WPA3 on the wireless network
D. Implement geofencing
A. Client-to-site VPN
B. Remote desktop connection
C. Clientless VPN
D. Site-to-site VPN
A. Telnet
B. SSH
C. HTTPS
D. RDP
A. Biometrics
B. Cameras
C. Locks
D. All of the above
A. Smart locker
B. CCTV
C. Access control vestibule
D. None of the above
A. WPA2
B. WPA3
C. WPS
D. All of the above
To learn more about the topics that were covered in this chapter, check out the following links:
18.222.111.134