Ruslan Rakhmetov, Security Vision
Figure 1 - Information security tools and interconnections
In this final part of the review we look at protection tools that cover not only endpoints but also the network and the infrastructure around them. Infrastructure solutions are usually among the first a company buys, yet many of them have features that remain interesting to large organisations already running dozens of products. Several of the tools in this fourth block are also familiar to ordinary Internet and computer users.
Fig. 2 - Virtual Private Network (VPN)
A VPN provides one or more network connections on top of another network, typically the Internet. VPN services are client-server applications: a client on a mobile device, laptop or server establishes an encrypted tunnel to a VPN server, and traffic for the protected destinations is carried inside that tunnel. The server itself can sit inside the corporate perimeter, outside it or even in another country. By purpose, VPNs can be divided into site-to-site links between networks (intranet connections carried over the Internet) and remote-access VPNs that give individual users access to resources on a network.
Because traffic is redirected through a separate node, that node's own security deserves attention, as does the strength of the cryptography protecting the tunnel for especially important connections (the protocol, cipher suite and key management in use). From the perspective of the average user, the choice of VPN service is itself a security decision: the VPN server terminates the tunnel and sees every packet the client sends into it. Traffic that is not protected end-to-end by another layer (plain HTTP, DNS) is visible to an untrusted server in clear, and even for TLS-protected connections the operator still sees which hosts the client talks to.
OBJECTIVES:
- Create secure remote access to the corporate network
- Routing traffic through designated servers (for example so that all traffic leaves from one known address)
- Reaching internal services securely over an untrusted network
Fig. 3 - Web Application Firewall (WAF) - protecting web applications
Unlike classic and next-generation firewalls (discussed in the previous part of this review), these traffic-filtering tools are aimed specifically at web applications and their users. A WAF is typically deployed at the perimeter, between the protected service and its external users, as a reverse proxy. Because it terminates the client's SSL/TLS session, it sees the decrypted HTTP request and can inspect it at the application layer (URLs, parameters, headers, bodies) rather than only at the packet level.
Web application protection is usually closely tied to request filtering (see the anti-DDoS section below) and to analysis of the requests that pass the filter. Because clients talk to the WAF rather than to the application, a WAF can hide the application's real address from attackers, and when an attempt to exploit a known vulnerability is detected it can 'virtually patch' it with a temporary blocking rule until the code itself is fixed; findings from DAST/IAST scanners are one source of such rules. Machine learning and signature databases continuously updated by the vendor's analysts in the cloud are also used to analyse traffic.
- Building perimeter defence for a web resource
- Hiding the real IP address of the application
- Analysing requests and blocking intrusion attempts
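To make the application-layer inspection concrete, here is a small request inspector in Python. It is an added example written for this review, not the code of any WAF product: the three signature rules and the sample requests are constructed, and a real WAF ships thousands of rules, learns the application's normal traffic and also handles JSON bodies, cookies and headers. What it does show is the step that matters most for signature matching: the request is normalised (percent-decoded until the value stops changing, whitespace collapsed) before any rule runs, because otherwise a double-encoded ../ or %27 walks straight past the rules.

```python
import re
import urllib.parse

# Constructed signature rules (a tiny subset of what a real WAF ships).
# Each regex is applied to every normalised request value.
RULES = {
    "sqli": re.compile(
        r"['\"]\s*(?:or|and)\s+\S+\s*=\s*\S+|\bunion\s+select\b|;\s*drop\s+table\b", re.I
    ),
    "path_traversal": re.compile(r"\.\.[/\\]"),
    "xss": re.compile(r"<\s*script\b|\bon(?:load|error|click)\s*=|javascript:", re.I),
}


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (attackers double-encode
    to get past a single decode), then collapse whitespace and lowercase."""
    out = value
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(out)
        if decoded == out:
            break
        out = decoded
    return re.sub(r"\s+", " ", out).lower()


def request_values(path: str, query: str, body: str = "") -> list:
    """Split a request into the pieces a WAF inspects: the path and every
    parameter name and value from the query string and a form-encoded body."""
    values = [path]
    for raw in (query, body):
        for pair in raw.split("&"):
            if pair:
                values.extend(pair.split("=", 1))
    return values


def inspect_request(path: str, query: str = "", body: str = "") -> list:
    """Return the sorted names of the rules that fire on any part of the request."""
    hits = set()
    for value in request_values(path, query, body):
        norm = normalize(value)
        for name, rule in RULES.items():
            if rule.search(norm):
                hits.add(name)
    return sorted(hits)


def decision(path: str, query: str = "", body: str = "") -> str:
    """Block/allow verdict; a blocked request never reaches the origin server."""
    return "block" if inspect_request(path, query, body) else "allow"


if __name__ == "__main__":
    # Constructed sample requests: one benign, one double-encoded traversal.
    for req in [("/search", "q=hello+world"), ("/files", "name=%252e%252e%2Fetc%2Fpasswd")]:
        print(req, decision(*req), inspect_request(*req))
```

The traversal sample is the instructive one: a single URL-decode leaves "%2e%2e/etc/passwd", which matches nothing, while the second decoding round exposes "../etc/passwd". Decoding is bounded to a few rounds so that a pathological value cannot keep the WAF busy.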
Fig. 4 - Anti-DDoS (protection against Distributed Denial of Service attacks) - request filtering
Anti-DDoS services protect critical customer resources at the network and application levels, using behavioural analysis to separate legitimate clients from attack traffic. Unlike the WAF above, the filtering capacity is deployed not at the company's perimeter but in the provider's scrubbing centres on global traffic routes: the customer's traffic is steered to the provider first (by announcing the prefix through the provider or by pointing DNS at it) and only clean traffic is forwarded to the origin.
Thanks to this architecture such services are usually sold by subscription and place no load on the company's own resources. Filtering happens at the provider's backbone nodes, so suspicious requests and bot traffic are dropped before they ever reach the web application. One caveat: the origin must accept traffic only from the provider's networks, otherwise an attacker who learns its real address can bypass the scrubbing and hit it directly.
- Monitoring and filtering requests to web services
- Reducing the load on the service and increasing its availability for users
- Protection without additional on-premises hardware
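The two checks that decide whether such a service actually protects the origin, as an added Python example written for this review (not the code of any provider): requests are rate-limited per real client address with a sliding window, and the real client address is taken from X-Forwarded-For only when the TCP peer is one of the provider's nodes, walking the header from the right so that entries the client itself supplied are ignored; anything arriving from any other peer has bypassed the scrubbing and is rejected. The provider ranges, the limits and the access-log lines are constructed (RFC 5737 documentation addresses).

```python
import ipaddress
from collections import defaultdict, deque
from typing import Optional

# Constructed: address ranges of the scrubbing provider's edge nodes. Real
# providers publish theirs; these are RFC 5737 documentation prefixes.
PROVIDER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def _is_provider(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PROVIDER_RANGES)


def resolve_client(remote_addr: str, forwarded_for: Optional[str]):
    """Return (client_ip, via_provider).

    X-Forwarded-For is believed only when the TCP peer is a provider node; any
    other peer could have written whatever it liked into that header."""
    via_provider = _is_provider(remote_addr)
    if via_provider and forwarded_for and forwarded_for != "-":
        # The provider appends the address it saw, so the rightmost entry that is
        # not a provider node is the real client; entries left of it came from
        # the client and are untrusted.
        for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
            if not _is_provider(hop):
                return hop, True
    return remote_addr, via_provider


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def process_log(lines, limit: int = 10, window: float = 1.0):
    """Per request: 'reject_direct' (did not come through the provider, so the
    scrubbing was bypassed), 'rate_limited', or 'allow'."""
    limiter = SlidingWindowLimiter(limit, window)
    out = []
    for line in lines:
        ts, remote, xff, path = line.split()
        client, via_provider = resolve_client(remote, xff)
        if not via_provider:
            verdict = "reject_direct"
        elif limiter.allow(client, float(ts)):
            verdict = "allow"
        else:
            verdict = "rate_limited"
        out.append({"ts": float(ts), "client": client, "path": path, "decision": verdict})
    return out


# Constructed access log: "timestamp peer_ip x_forwarded_for path".
# One client bursts 12 requests in 0.55 s, then returns after the window.
SAMPLE_LOG = (
    ["0.00 198.51.100.7 192.0.2.10 /"]
    + [f"{1.0 + i * 0.05:.2f} 203.0.113.5 192.0.2.66 /login" for i in range(12)]
    + ["3.00 203.0.113.5 192.0.2.66 /login", "5.00 192.0.2.99 192.0.2.10 /"]
)

if __name__ == "__main__":
    for r in process_log(SAMPLE_LOG):
        print(r)
```

The last log line is the bypass case: the peer 192.0.2.99 is not a provider node, so its X-Forwarded-For claim is ignored and the request is rejected outright. In production that rule belongs in the origin's firewall as well, not only in the application.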
Fig. 5 - Container Security (CS) - containerisation security
Container security platforms typically consist of three components. The management console is the central server-side component: it embeds the solution in the development pipeline, integrates with the SIEM, scans images in registries and repositories, and manages the scanning of deployed containers. An agent on each container host monitors the runtime activity of the containers and of the host itself and enforces policy there, much as AV/EDR does for conventional endpoints. The third component, the vendor's data cloud, combines and correlates current threat and vulnerability data from external providers with the vendor's own research.
- Enhancing security inside containers and on their hosts
- Image and repository analysis with centralised management
- Covering common IS/IT tasks within the DevSecOps cycle
Figure 6 - Sandbox - isolated execution environment
A sandbox is a component of protection against targeted attacks: a specialised detection tool built around an isolated virtual environment. Technically it is a copy of an operating system (or part of one), or a container with a prepared environment, in which a suspicious file or link is executed. To attackers and malware the sandbox looks and behaves like a real system under attack, but monitoring tools record every action (process creation, file and registry changes, network connections) that could harm a computer or server.
Sandboxing is used by some antivirus and EDR vendors, and several implementations borrow from containerisation technology because it is a fast way to create and discard a fresh environment for each sample; the observed behaviour feeds reputation assessment, heuristic analysis and threat detection. The limitation is that sophisticated malware checks whether it is running in a sandbox (virtual-machine artefacts, absence of user activity, short analysis timeouts) and stays dormant if so, which is why sandboxes have to hide those signs and extend analysis time.
- Isolating potentially malicious activity
- Analysing file behaviour and detecting zero-day threats
- Use as a component of other product classes (AV, EDR)
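A toy version of the monitoring-and-scoring step described above, added here as an illustration and not derived from any vendor's engine: the sandbox's monitors produce an event trace, weighted behavioural indicators (autostart persistence, Run keys, shadow-copy deletion, beaconing to a raw IP) score it, and a separate set of evasion indicators catches a sample that only probed for virtual-machine artefacts or slept through the analysis window, so that it is reported as evasive rather than clean. The event traces, indicator weights and thresholds are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # process, file, registry, network or api (constructed categories)
    detail: str  # free-text detail as a monitor might record it


def _low(e: Event) -> str:
    return e.detail.lower()


def _raw_ip_target(e: Event) -> bool:
    host = e.detail.split()[-1].split(":")[0]
    return host.replace(".", "").isdigit()


# Weighted behavioural indicators (constructed subset; real engines have thousands).
INDICATORS = [
    ("drops a file into an autostart folder", 3,
     lambda e: e.kind == "file" and "\\startup\\" in _low(e)),
    ("sets a CurrentVersion\\Run key for persistence", 3,
     lambda e: e.kind == "registry" and "\\currentversion\\run\\" in _low(e)),
    ("spawns an encoded PowerShell command", 3,
     lambda e: e.kind == "process" and "powershell" in _low(e) and " -enc" in _low(e)),
    ("deletes volume shadow copies", 5,
     lambda e: e.kind == "process" and "vssadmin" in _low(e) and "delete shadows" in _low(e)),
    ("connects to a raw IP on a non-standard port", 2,
     lambda e: e.kind == "network" and _raw_ip_target(e) and not e.detail.endswith((":80", ":443"))),
]

# Evasion indicators: the sample probes its surroundings before doing anything harmful.
EVASION = [
    ("reads virtual machine artefacts from the registry",
     lambda e: e.kind == "registry" and ("vmware" in _low(e) or "virtualbox" in _low(e))),
    ("checks for user activity (mouse position)",
     lambda e: e.kind == "api" and "getcursorpos" in _low(e)),
    ("sleeps long enough to outlast a short analysis window",
     lambda e: e.kind == "api" and _low(e).startswith("sleep ") and int(_low(e).split()[1]) >= 300),
]


def analyse(trace):
    """Score a trace; return (verdict, score, names of matched indicators)."""
    matched, score = [], 0
    for name, weight, pred in INDICATORS:
        if any(pred(e) for e in trace):
            matched.append(name)
            score += weight
    evasive = [name for name, pred in EVASION if any(pred(e) for e in trace)]
    if score >= 5:
        verdict = "malicious"
    elif score >= 3:
        verdict = "suspicious"
    elif evasive:
        verdict = "evasive"  # did nothing harmful, but looked for the sandbox: rerun with evasion countermeasures
    else:
        verdict = "clean"
    return verdict, score, matched + evasive


# Constructed traces (the paths and addresses are illustrative; "Sleep 600" is in seconds).
RANSOMWARE_TRACE = [
    Event("process", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    Event("registry", r"set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("file", r"write C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.lnk"),
    Event("network", "tcp 198.51.100.23:4444"),
]
EVASIVE_TRACE = [
    Event("registry", r"read HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    Event("api", "GetCursorPos"),
    Event("api", "Sleep 600"),
]
CLEAN_TRACE = [
    Event("file", r"write C:\Users\u\Documents\report.docx"),
    Event("network", "tcp updates.example.com:443"),
]

if __name__ == "__main__":
    for label, trace in [("ransomware", RANSOMWARE_TRACE), ("evasive", EVASIVE_TRACE), ("clean", CLEAN_TRACE)]:
        print(label, analyse(trace))
```

The separate "evasive" verdict is the practical point: a sample that scores zero after probing for VMware keys and sleeping for ten minutes should not be released as clean but re-run in an environment with the artefacts hidden, simulated user input and a longer timeout.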
Figure 7 - Asset Management (AM)
Building infrastructure protection usually starts with an inventory of assets (workstations, servers, network equipment, users and software). Approaches to inventory differ, but because the result is useful across industries, specialised automated tools have emerged. Some use a client-server architecture and collect most of the data through agents on the workstations; others are agentless and rely on multiple integrations, network scanning and scripts. In either case the asset management system produces a complete picture of the company's IT landscape.
Inventory results and reports are used by IT staff to manage the life cycle of infrastructure objects (upgrades, failures and so on), by security staff to investigate incidents and find vulnerable firmware and software, and by risk analysts and auditors (for example when categorising objects under Federal Law 187-FZ on critical information infrastructure, CII).
- Digitising the map of the IT landscape
- Collecting data on assets in order to improve their security
- Supporting organisational measures for risk assessment and regulatory compliance
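An added Python example of the reconciliation an asset management tool does behind the scenes (constructed data, not any product's logic): records from endpoint agents are merged by IP with an agentless network scan, and each asset is classified so that the coverage gaps become visible, namely hosts on the wire with no agent, agents that have stopped reporting, and agent records for hosts the scan no longer finds. Keying on IP is the simplest choice and is assumed here; with DHCP a real tool keys on MAC or hostname where it can.

```python
from datetime import datetime, timedelta

# Constructed agent inventory: what the endpoint agents last reported.
AGENT_RECORDS = [
    {"host": "ws-101", "ip": "10.0.1.11", "os": "Windows 11", "last_seen": "2024-05-20T09:00:00"},
    {"host": "ws-102", "ip": "10.0.1.12", "os": "Windows 10", "last_seen": "2024-04-28T17:30:00"},
    {"host": "srv-db1", "ip": "10.0.2.5", "os": "Ubuntu 22.04", "last_seen": "2024-05-20T08:55:00"},
    {"host": "srv-app2", "ip": "10.0.2.6", "os": "Ubuntu 22.04", "last_seen": "2024-05-20T09:10:00"},
]

# Constructed agentless scan results: what a network scanner actually found.
SCAN_RECORDS = [
    {"ip": "10.0.1.11", "mac": "00:1a:2b:3c:4d:01", "ports": [135, 445]},
    {"ip": "10.0.2.5", "mac": "00:1a:2b:3c:4d:05", "ports": [22, 5432]},
    {"ip": "10.0.2.77", "mac": "00:1a:2b:3c:4d:77", "ports": [22, 80]},
]


def reconcile(agent_records, scan_records, now_iso, stale_days=7):
    """Merge both sources by IP and classify every asset.

    managed      agent reported within stale_days and the scan saw the host
    stale_agent  agent has not reported within stale_days
    not_on_wire  recent agent record, but the scan did not find the host
    unmanaged    found by the scan, no agent at all (coverage gap)
    """
    now = datetime.fromisoformat(now_iso)
    assets = {}
    for rec in agent_records:
        age = now - datetime.fromisoformat(rec["last_seen"])
        assets[rec["ip"]] = {
            **rec, "agent": True, "scanned": False, "mac": None, "ports": [],
            "status": "stale_agent" if age > timedelta(days=stale_days) else "managed",
        }
    for rec in scan_records:
        asset = assets.setdefault(rec["ip"], {
            "host": None, "ip": rec["ip"], "os": None, "last_seen": None,
            "agent": False, "status": "unmanaged",
        })
        asset.update(scanned=True, mac=rec["mac"], ports=rec["ports"])
    for asset in assets.values():
        if asset["status"] == "managed" and not asset["scanned"]:
            asset["status"] = "not_on_wire"
    return assets


def coverage_gaps(assets):
    """IPs needing attention, grouped by status (everything except 'managed')."""
    gaps = {}
    for asset in assets.values():
        if asset["status"] != "managed":
            gaps.setdefault(asset["status"], []).append(asset["ip"])
    return gaps


if __name__ == "__main__":
    inventory = reconcile(AGENT_RECORDS, SCAN_RECORDS, "2024-05-20T10:00:00")
    for ip, asset in inventory.items():
        print(ip, asset["host"], asset["status"], asset["ports"])
    print(coverage_gaps(inventory))
```

Each status maps to a different owner in the description above: "unmanaged" hosts go to the security team as an agent-deployment gap, "stale_agent" and "not_on_wire" go to IT for life-cycle follow-up (decommissioned, moved, or simply off), and the merged record with its open ports is what the incident and vulnerability analysts start from.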