Understanding Network Security Architecture and Protocols

Posted on Jun 13, 2025 in Computers

Vocabulary

Network Architecture

Security Perimeter: First line of protection, includes firewalls, proxies, and Intrusion Detection Systems (IDS).

Network Partitioning: Segmenting networks into isolated domains of trust.

Dual-Homed Hosts: Having two network interface cards (NICs), each on a separate network.

Bastion Host: Gateway between trusted and untrusted networks that gives limited authorized access to untrusted hosts.

Demilitarized Zone (DMZ): Isolated subnet that allows an organization to give external hosts limited access to public resources without granting them access to the internal network.

Network Taps: A simple device that connects directly to the cabling infrastructure to split or copy packets for use in analysis, security, or general network management.

Scanners: Discovery, compliance, and vulnerability scanning.

Scanning Tools: Nessus – Vulnerability, NMap – Discovery, NetFlow – Proves and collects records and activities.

Network Protocols: Fast, not secure access is the driving force behind the design of most protocols; many do not provide authentication, and security is often provided by directory services and/or servers. Security is applied after the network is accessed.

Engineering Lifecycle: Key system engineering technical processes – Requirements Definition, Requirement Analysis, Architectural Design, Implementation, Integration, Verification, Validation, Transition.

Security Architecture: High-level and detailed processes, concepts, and standards used to design and monitor systems and networks.

A security practitioner identifies the key issues and concerns that the lifecycle must address. Once these issues are agreed upon, they can design the system.

Enterprise Security Architecture: The primary purpose is to establish a strategic design of security infrastructure across the entire organization, focusing on the design and implementation of common security services and the enforcement of security zones of control.

Security Zone of Control: An area or grouping within which a defined set of security policies and measures are applied to achieve a specific level of security. Zones are used to group together those entities with similar security requirements and levels of risk, ensuring each zone is adequately segregated from another zone.

Common Security Services

  1. Boundary Control Services: Concerned with how and whether the information is allowed to flow from one set of systems to another or from one state to another, including firewalls, border routers, and proxies.
  2. Access Control Services: Focus on identification, authentication, and authorization of subject entities, including IAM, user authentication, and SSO.
  3. Integrity Services: Focus on the maintenance of high-integrity systems and data through automated checking and detection, including anti-virus, whitelisting, and intrusion prevention systems.

Security Architecture Concepts

Reference Monitor: Orange Book concept that refers to an abstract machine that mediates all access to objects by subjects, an auditable access control mechanism that must always be invoked.

Trusted Computer Base: The collection of all hardware, software, and firmware within a system that contains all elements responsible for supporting security policy and isolation of objects, defined by the Orange Book.

Processor States: Processors have at least two states that can be used to distinguish between more and less privileged instructions:

  • Supervisor State (Kernel Mode): Processor operating at the highest privilege level, allows the process running to access all resources and execute privileged and non-privileged instructions.
  • Problem State (User Mode): Processor limits access to system data and hardware granted to the process.

Access to the supervisor state is limited only to core OS functions that are abstracted from end-user interaction.

Layering: Organization of programming into separate functional components, with each layer having an interface only to the layer above and below it. This is used to control interactions between different execution demands with privilege levels and can slow down an attack.

Process Isolation: Used to prevent individual processes from interacting with each other even when they are in the same ring, done through distinct memory address spaces for each process with encapsulation of processes and objects, similar to separation of duties.

Data Hiding: Maintains activities at different security levels to separate these levels from each other, assisting in preventing data at one security level from being seen by other processes at different levels, like seeing ****** when typing in a password.

Security Models

A security model formally defines a security policy, focusing on defining allowed interactions between subjects and objects at a moment in time, conceptual and theoretical, architecture primitives.

State Machine Models: Capture the current security posture of an Automated Information System (AIS). It stores the status of an entity at a point in time; events trigger changes in the state of an entity. The AIS secure state only changes when triggered by an event or time. When stated, it checks the secure state and ensures it will stay secure every time it is accessed and that the access was in accordance with policy.

(Multilevel) Lattice Models: A mechanism for enforcing one-way information flow to ensure confidentiality. Subjects are assigned clearances, objects or data are assigned classifications, and security labels are attached to each object. Systems check the clearance of users to determine access.

Non-Interference Models: The idea that actions at one level or domain should not influence another level or domain. Ensures high-level actions do not determine what low-level users can see, maintaining activity at different levels and ensuring complete separation between levels to minimize leaks.

(One-Level) Matrix-Based Models: Organizes subjects and objects into a two-dimensional access control matrix. The matrix represents what capabilities subjects need to access objects along with their appropriate access level (read, write, execute) and does not describe the relationship between subjects, such as if one subject gave another subject access rights.

Information Flow Models

Used to determine if information is being properly protected throughout a process, generally used to identify potentially covert channels and unintended information flow between compartments, e.g., an alert pop-up when a file is copied or sent by someone without rights.

Bell-LaPadula Model (Confidentiality Model): Provides security while maintaining data sensitivity. This state machine model ensures confidentiality of automated IS, using mandatory access control. Labels objects with classifications and subjects with clearances; the reference monitor compares the levels of classification with the level of clearance and only allows access if equal to or higher than the object. A need-to-know decision must be made as specified by the system owner.

Two types:

  • Simple Security (Read Property): A subject of lower clearance cannot read an object of higher classification, but a subject can read down.
  • The * Property (Write Property): A high-level subject cannot send messages to a lower-level object.

Biba Integrity Model: Ensures integrity and complements the Bell-LaPadula model, assigning integrity levels to subjects and objects based on the premise that higher levels of integrity are more trusted than lower ones. Access is controlled so objects or subjects cannot have lower integrity as a result of read-write operations.

  • Simple Integrity Property (Read): A subject may have read access to an object only if the security level of the subject is lower or equal.
  • Integrity * Property (Write): A subject may have write access to an object only if the security level is equal to or greater than the object.

No information can be passed by a subject to an object at a higher security level. No read down and no write up.

Clark-Wilson Integrity Model: Used for change controls in transaction systems like account balance, addresses three goals of integrity: no changes by unauthorized subjects, no unauthorized changes by authorized subjects, and maintenance of internal and external consistency. Establishes a system of subject-program-object bindings such that subjects do not have direct access but must go through a certified program like SAP ERP as a reference monitor.

Security Product Evaluation Methods and Criteria

Standardized methods for ensuring that security products satisfy functional and assurance requirements of organizations, e.g., TCSEC (Orange Book), Trusted Network Interpretation (TNI), Red Book, IT Security Evaluation Criteria (ITSEC), Common Criteria (ISO 15408).

Common Criteria (ISO 15408): Evaluation performed on information security products as well as systems, providing evaluation criteria that can be used to evaluate requirements of different products with different functions.

  • Target of Evaluation (TOE): System we want to evaluate.
  • Protection Profile (PP): Identifies a common set of functional and assurance requirements relevant to a specific user for a specific purpose.
  • Security Target (ST): Specific functional and assurance requirements.

The evaluation process attempts to establish confidence levels for a product’s security capabilities.

Security Assurance Requirements (SARs): Examines measures taken during design, development, and testing phases of a product to ensure it has the claimed security capabilities.

Evaluation Assurance Level (EAL): A numerical rating for depth/rigor of evaluation (7 Levels):

  • EAL1: Functionally Tested
  • EAL2: Structurally Tested
  • EAL3: Methodically Tested and Checked
  • EAL4: Methodically Designed, Tested, and Reviewed
  • EAL5: Semi-Formally Designed and Tested
  • EAL6: Semi-Formally Verified Design and Tested
  • EAL7: Formally Verified Design and Tested

Physical Security

The goal is to deter and, if you cannot do that, then delay, detect, assess, and respond.

Threats include natural/environmental threats like floods and tornadoes, utility systems threats like electrical and communications, malicious threats/human-made threats/political threats like vandalism, arson, theft, riots, and accidental threats done by insiders inadvertently.

Sites include location (rural vs urban) and full or partial ownership of a building, construction, and planning using Crime Prevention through Environmental Design (CPTED), which is used by architects, city planners, and security professionals as a crime reduction technique, e.g., using a single clearly identifiable point of entry, having large thorn bushes along the fence to discourage intrusion.

Procedural controls include guard posts, escorting visitors, managing deliveries, security zones, and restricted work areas.

Infrastructure support includes fire prevention and detection systems and boundary protection like fences and vehicle gateways, needing keys, doors, access control, CCTV, physical intrusion detection systems, and portable device security.

OSI Communication Model

  1. Physical Layer
    1. Analogue and Digital Communications
    2. Network topologies like bus, tree, star, and mesh
    3. Cabling and wireless transmission
  2. Data Link Layer
    1. Ethernet hubs, repeaters, bridges, and switches
    2. VLAN and Wireless LAN
  3. Network Layer (IP)
    1. IP is unreliable and does not guarantee packets arrive error-free or in the correct layer; reliability is left to higher layers.
    2. IPv4 had problems because we ran out of addresses, routing tables have grown too large, no direct security support, and traffic priority is poor.
    3. IPv6 was created to solve that with more address space based on prefixes rather than address classes, support for encapsulation with built-in authentication.
    4. IPSec is the suite of protocols for IP, which is mandatory in IPv6.
    5. Firewalls: Software or hardware that filters incoming traffic and blocks it or allows it to pass through based on rules done based on address and port.
    6. Proxy Server: Mediates communications between untrusted endpoints and trusted endpoints.
    7. Secure Shell (SSH): Allows users to log in to a remote computer over an encrypted tunnel, preventing session hijacking.
    8. VPN: Encrypted tunnel between two hosts that allows them to securely communicate over an untrusted network. It’s like you are on the network when connected.
    9. Tunneling: VPN is used to point-to-point tunneling protocol running over other protocols to create the tunnel; L2TP is layer two for dial-up connections, and RADIUS is the protocol for SSO.
    10. SSL/TLS: Traditional VPNs don’t work with proxy servers, so they use SSL at the presentation layer to create the tunnel. It does not require VPN software and is in the browser.
  4. Transport Layer
    1. Links the session layer to the network layer.
    2. Performs packetization and reassembly.
    3. Establishes connections with TCP, UDP, etc.
    4. Port numbers used.
    5. TCP Attacks include:
      1. Man-In-the-Middle attacks where an attacker sniffs or intercepts and replaces them with their own.
      2. DOS and DDOS.
      3. Session Hijacking: Unauthorized insertion of packets into the data stream.
        1. IP Spoofing: Inserting packets with fake sender and guessed sequence number.
      4. Port Scanning:
        1. FIN and SYN scanning.
  5. Session Layer
    1. Responsible for creating, managing, and tearing down sessions between peer hosts.
      1. Models include Simplex, Half Duplex, and Full Duplex.
    2. Directory Services such as DNS provide the location of websites and are popular targets of attack.
      1. By manipulating DNS, you can divert, intercept, or prevent end-user communication.
      2. DNS has weak authentication and does not enforce data consistency.
      3. DNS is recursive, so if a client doesn’t know a host, it goes up one level at a time until it finds it.
      4. Dynamic DNS is the protocol that defines extensions to the DNS and enables them to accept update requests dynamically.
    3. Other protocols include DHCP, FTP, HTTP, and SMTP.
    4. DNS Attacks Include:
      1. Spoofing is where an attacker attempts to poison a DNS server cache.
  6. Presentation Layer
    1. Character code translation, compression, encryption, and decryption.
    2. Transport Layer Security (TLS) is based on SSL and provides secure authentication for a host on the internet.
      1. Implemented between transport layer and the application layer in the TCP/IP model.
  7. Application Layer
    1. The application’s portal to network-based services.
    2. When an application transmits or receives data over a network, it uses the services from this layer.

Security Architecture Design Components

  1. Processors, Memory and Storage, Input/Output Devices, OS, Software, Middleware, Embedded Systems, Client Platforms, Server Platforms, Database, Distributed Systems, Industrial Control Systems, Cryptography, Cloud Computing.

Security Capabilities of Information Systems

  1. Access control mechanisms, secure memory management, cryptographic protections, intrusion prevention systems, audit and monitoring controls.

Security Frameworks

  1. Sherwood Applies Business Security Architecture (SABSA)
    1. Security Architecture Framework that considers perspectives from different stakeholders and different levels of abstraction.
  2. The Orange Book
    1. Department of Defense Trusted Computer System Evaluation Criteria, December 1985.
  3. ISO IEC 17799:2005
    1. Details individual controls for implementation.
  4. ISO/IEC 27002:2013
    1. Information technology — Security techniques — Code of practice for information security controls.
  5. ISO/IEC 27003:2010
    1. Information technology — Security techniques — Information security management system implementation guidance.
  6. ISO/IEC 27005:2011
    1. Information technology — Security techniques — Information security risk management.
  7. NIST SP 800-14
    1. Generally Accepted Principles and Practices for Securing Information Technology Systems.

Attackers Methodology

To infiltrate the system, they use the attack tree model, and the goal is:

  • Target Acquisition
  • Target Analysis
  • Target Access
  • Target Appropriation
  • Sustain Control

Tactical Spectrum

Offensive, Proactive Defense: Intelligence and metrics employed to intercede or avoid attacks; Active Defense: Responding to attack with offense; Static Defense: Preparation to be attacked; Reactive Defense: Devised in response to attack; Inactive Defense: Operations continue.