Network Security Technologies
Knowledge of various network security technologies greatly aids in network forensic investigations. This article outlines some network security technologies that one should be aware of in order to conduct forensic investigations. It will help investigators understand the various sources of evidence available when an attack alert is raised. We will discuss technologies that are often deployed in well-instrumented enterprise networks to monitor and detect attacks.
Routers and Firewalls
By definition, routers are used to route traffic from one network to another. The router is the most common device found in enterprise networks, and it often contains many features that are of interest to a security professional; stateful packet filtering is one of them. Home routers are often used as a firewall too at the network level, as most routers come with basic firewall features. Enterprises, however, use separate devices as firewalls with more advanced features.
The most basic feature of a firewall is packet filtering based on a predefined ruleset. For example, let us assume that a rule has been defined to block any incoming traffic on port 3389. Any firewall will be able to enforce this as specified in its rules. Modern firewalls can do much more than just packet filtering. They are often termed Next Generation Firewalls and come with additional features such as VPN, Intrusion Prevention Systems, Intrusion Detection Systems, antivirus, Web Application Firewalls and more. The goal of these modern firewalls is usually to inspect the content within the packets and decide whether to allow them or not.
Intrusion Detection and Prevention Systems
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are the most commonly seen technologies used by cyber defense teams in enterprise environments. Most of the network traffic is logged by these devices even when it is ignored by firewalls. IDS/IPS operate at the network level as well as the host level; Network Intrusion Detection/Prevention Systems (NIDS/NIPS) are of interest in this case. The two major ways these devices detect or prevent attacks are by using signatures and by doing behavioural analysis on the traffic. While there are many commercial IDS/IPS solutions available in the market, Snort and Bro are the two most commonly used enterprise-grade free solutions.
Web Proxies
Web traffic constitutes the major share of an enterprise's network traffic. Employees' browsing activity in an enterprise environment almost always gets recorded in web proxies, so web proxies can be a goldmine for investigators. Following are some of the key features of web proxies.
URI filtering is used to filter web requests from users in real time based on predefined rules. Filtering can be whitelist-based, blacklist-based or keyword-based. We often see websites such as Facebook, YouTube and many other less appropriate websites being blocked by organizations.
Content filtering is normally used to prevent client-side attacks. Content filters scan web objects for malicious content such as malware. Content filtering can also be used as a Data Leak Prevention tool, since it scans outbound web traffic and spots any instances that appear to be exfiltrating confidential data.
Caching is a technique used to reduce bandwidth usage and speed up performance for end users. When a web page is accessed, the proxy keeps a copy of it and serves that copy to the user when the same request is made by the client in the near future.
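To show why proxy logs are such a rich evidence source, here is an added example (not from the original article) that parses Squid-style native access.log lines, builds a per-client timeline and pulls out the two evidence types discussed above: URI-filter denials and outbound POSTs. The log lines are constructed for this example; the host names, addresses and timestamps are not real.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Squid native access.log layout: time elapsed client code/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines; no real proxy, client or site is represented here.
SAMPLE_LOG = """\
1700000000.101    120 10.0.0.15 TCP_MISS/200 5321 GET http://intranet.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1700000005.220      2 10.0.0.15 TCP_DENIED/403 3550 GET http://www.facebook.com/ - HIER_NONE/- text/html
1700000009.004    310 10.0.0.15 TCP_MISS/200 412 POST http://files.example.net/upload - HIER_DIRECT/198.51.100.7 application/json
1700000012.500      1 10.0.0.22 TCP_DENIED/403 3550 GET http://malware-test.invalid/payload.exe - HIER_NONE/- text/html
1700000020.777     80 10.0.0.22 TCP_HIT/200 8800 GET http://intranet.example.com/logo.png - HIER_NONE/- image/png
"""

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped rather than guessed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["time"] = datetime.fromtimestamp(float(e["ts"]), tz=timezone.utc)
            e["bytes"] = int(e["bytes"])
            entries.append(e)
    return entries

def timeline(entries, client):
    """Chronological view of one client's requests, the first thing built around an alert."""
    return [(e["time"].isoformat(), e["method"], e["url"], e["code"])
            for e in entries if e["client"] == client]

def triage(entries):
    """Per client: URLs blocked by URI filtering, and POSTs worth correlating with DLP alerts.
    Note that 'bytes' in Squid's native format is the reply size, not the request body,
    so POSTs are leads to follow up, not proof of exfiltration on their own."""
    report = defaultdict(lambda: {"denied": [], "posts": []})
    for e in entries:
        if e["code"].startswith("TCP_DENIED"):
            report[e["client"]]["denied"].append(e["url"])
        if e["method"] == "POST":
            report[e["client"]]["posts"].append((e["url"], e["bytes"]))
    return dict(report)
```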
Many enterprises are using another platform, commonly known as Browser Isolation. Browser isolation technology aims to isolate a user's online browsing activity from their local network. This means the browsing you think you are doing on your computer is actually being done on another machine entirely. One way this is achieved is by streaming content from the remote machine to the local machine seamlessly, giving the impression that the browsing is happening on the local computer. This can also be helpful when downloading documents from the internet: the browser isolation framework first downloads the files and transfers them to the local machine only after analysis. Client-side attacks such as Cross Site Scripting can also be prevented when using browser isolation frameworks.