
First Things First

An Introduction to Learning About Network Security

Before You Begin

This guide is not meant to be all-encompassing. It is a reference to give someone who is interested in network security, but does not know where to start, some guidance on how to begin learning about the vast field of network security and where to look for information. The important thing to keep in mind is to stay focused and learn little by little. It is easy to become intimidated when looking at the big picture and all that it entails. Focus on each section and gradually increase your knowledge base. There are many courses you can take to become familiar with the basics of network security. SANS Institute has many tracks dealing with the different areas of network security. Track 1 is their Basic Security Essentials and the CISSP 10 Domains, and it will give you a great in-depth look into the world of network security. More information can be found at www.sans.org by clicking on Track 1 for any of the conferences. For further reading on different areas of network security, try the SANS Reading Room at www.sans.org/rr/; it is a great reference to have. Remember that defense in depth is the key to good network security.

Security Terms

When learning about network security, there are many terms that you will hear, and it is important to become familiar with them. Many of the areas listed below use much of this terminology, so having an understanding of it is important. Here is a great link to get you up to speed quickly: www.sans.org/resources/glossary.php

ISO/OSI Model and the TCP/IP Model

Another key element to be familiar with is the ISO/OSI seven layer model, as well as the Department of Defense (DOD) TCP/IP five layer model, which describes the process of how information/data gets from one system to another. It does this by defining interconnecting layers through which the information travels. You will hear folks refer to a network device, maybe a switch, and they may describe the switch as being a layer two and/or layer three device. They are referring to the ability of the switch to interact with data at that particular layer of the model. Here are some good references which describe the ISO/OSI model:
ISO/OSI and TCP/IP Model
ISO/OSI Model for Dummies.
Applying the OSI Seven Layer Network Model to Information Security.
Understanding Security Using the OSI Model.

The following table is provided for quick reference between the two and how they relate.

  TCP/IP         OSI
  -----------    ------------
  Application    Application
                 Presentation
                 Session
  Transport      Transport
  Internet       Network
  Datalink       Datalink
  Physical       Physical

Networking Basics

A network is connected by many different devices, all providing different services and used to give different types of systems, in different locations or the same location, the ability to communicate. It is important to familiarize yourself with the major devices that allow communication. It would also be good to study the different network topologies and understand how they work.

Network Devices
  • routers
  • hubs
  • bridges
  • switches
  • repeaters

Useful Links for Network Devices
  Networking Basics
  Quick and Dirty: Hubs, Switches, and Routers
  Hubs, Switches, and Routers A Hands-on How-to
  Chapter 5: Traffic Regulators
  Network Primer
  Chapter 3: Hardware
  Cisco Network Topologies and LAN Design

Network Topologies
  • Star
  • Ring
  • Bus
  • FDDI

Useful Links for Network Topologies
  Chapter 5: Topology
  Network Topology
  Cisco Network Topologies and LAN Design

Network Protocols

All of the systems and devices on a network communicate via some type of protocol. There are numerous types of protocols, all with different purposes. There are some primary protocols that you need to become very familiar with, both in how they work and in how they are implemented.

Network Protocols
  • TCP
  • UDP
  • ICMP
  • ARP

Useful Links for Network Protocols
  Monitoring The ARP Protocol On Local Area Networks
  Digging Deeper Into TCP/IP
  RFC 768: User Datagram Protocol
  RFC 793: Transmission Control Protocol
  RFC 792: Internet Control Message Protocol
  RFC 826: An Ethernet Address Resolution Protocol
  RFC 903: A Reverse Address Resolution Protocol
  ARP, Address Resolution Protocol
  ICMP Types and Their RFC References
  SANS TCP/IP and TCPdump Reference Guide

Viewing Network Protocols

If you really want to get a feel for what network traffic looks like in action, there are plenty of packet sniffers that are easy to use. It may look confusing at first, but after a while it will all start to make sense. Take what you learned in this area and start having fun looking at packets. Here are some good tools and their links.
  Ethereal
  TCPdump
  WinDump
  Snort
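To tie the layer model from the table above to the protocols and sniffers in this section, here is an added example (it is not from this guide or from any of the tools listed) that builds a few sample frames by hand and walks them layer by layer the way a sniffer's decoder does: Ethernet at the datalink layer, ARP or IPv4 at the network layer, then TCP, UDP or ICMP. The frames, the MAC addresses and the RFC 5737 test addresses are constructed for the example; the header layouts follow RFCs 791, 792, 793, 768 and 826. It also verifies the IPv4 and ICMP checksums, which is the first sanity check a decoder should apply before trusting a header.

```python
"""Walk a frame layer by layer: Ethernet (datalink), ARP/IPv4 (network), TCP/UDP/ICMP."""
import socket
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4 and ICMP headers.
    Run over a header whose checksum field is filled in, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


# --- builders for constructed sample frames (not captured traffic) ----------
def ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    # TCP checksum left at 0: it covers a pseudo-header and is not verified below.
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, 0x5000 | flags, 65535, 0, 0) + payload


def icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def arp(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    return (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, oper)
            + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))


# --- dissector --------------------------------------------------------------
def dissect(frame: bytes) -> list:
    """Return [(layer, fields), ...] from the datalink layer upward."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers = [("datalink/ethernet", {"src": mac_str(src), "dst": mac_str(dst), "ethertype": etype})]
    body = frame[14:]
    if etype == ETH_ARP:
        _, _, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
        sha, spa = body[8:8 + hlen], body[8 + hlen:8 + hlen + plen]
        tha = body[8 + hlen + plen:8 + 2 * hlen + plen]
        tpa = body[8 + 2 * hlen + plen:8 + 2 * hlen + 2 * plen]
        layers.append(("network/arp", {"op": {1: "request", 2: "reply"}.get(oper, oper),
                                       "sender": (mac_str(sha), socket.inet_ntoa(spa)),
                                       "target": (mac_str(tha), socket.inet_ntoa(tpa))}))
    elif etype == ETH_IPV4:
        ihl = (body[0] & 0x0F) * 4
        hdr, proto = body[:ihl], body[9]
        layers.append(("network/ipv4", {"src": socket.inet_ntoa(hdr[12:16]),
                                        "dst": socket.inet_ntoa(hdr[16:20]), "ttl": hdr[8],
                                        "proto": proto, "checksum_ok": inet_checksum(hdr) == 0}))
        seg = body[ihl:struct.unpack("!H", hdr[2:4])[0]]   # honour total length, drop padding
        if proto == 6:
            sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
            layers.append(("transport/tcp", {"src_port": sport, "dst_port": dport, "seq": seq,
                                             "flags": [n for n, bit in TCP_FLAGS if off_flags & bit]}))
        elif proto == 17:
            sport, dport, length, _ = struct.unpack("!HHHH", seg[:8])
            layers.append(("transport/udp", {"src_port": sport, "dst_port": dport, "length": length}))
        elif proto == 1:   # ICMP rides on IP but is itself a network-layer protocol
            layers.append(("network/icmp", {"type": seg[0], "code": seg[1],
                                            "checksum_ok": inet_checksum(seg) == 0}))
    return layers


# Constructed samples: locally administered MACs and RFC 5737 documentation addresses.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IP_A, IP_B = "192.0.2.10", "192.0.2.20"
SAMPLE_SYN = ethernet(MAC_B, MAC_A, ETH_IPV4, ipv4(IP_A, IP_B, 6, tcp(40000, 80, 0x02)))
SAMPLE_PING = ethernet(MAC_B, MAC_A, ETH_IPV4, ipv4(IP_A, IP_B, 1, icmp_echo(7, 1, b"hello")))
SAMPLE_ARP = ethernet(b"\xff" * 6, MAC_A, ETH_ARP, arp(1, MAC_A, IP_A, b"\x00" * 6, IP_B))

if __name__ == "__main__":
    for name, frame in [("TCP SYN", SAMPLE_SYN), ("ICMP echo", SAMPLE_PING), ("ARP request", SAMPLE_ARP)]:
        print(name)
        for layer, fields in dissect(frame):
            print(f"  {layer}: {fields}")
```

Running it prints the decoded layers for a TCP SYN, an ICMP echo request and an ARP request; notice that the ARP frame never reaches an IP layer, which is exactly why ARP is described as sitting between the datalink and network layers. A real sniffer such as Ethereal or TCPdump also verifies the TCP and UDP checksums, which this example skips because they cover a pseudo-header.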

Network Security Tools

There are many different tools that can be used to help secure a network as well as monitor it for malicious activity. There is no "one size fits all" solution that can be applied to all networks. As such, it is important to be familiar with the different types of tools that are available. The decision about which is best to use should be based on what you are protecting and what you can afford. This should then be compared to what the total cost of ownership will be. Here are some of the different tools you should become familiar with:

Network Security Tools
  • Network Based Firewalls
    - Stateful Inspection
    - Packet filter
    - Proxy
    Useful Links for Network Based Firewalls
    Firewall White Paper - What different types of firewalls are there?
    SANS Reading Room: Firewalls & Perimeter Protection
    Firewalls and Security
    Firewalls: Friend or Foe?

  • Host Based Firewalls
    - Software Based
    - Hardware Based
    Useful Links for Host Based Firewalls
    Personal Firewalls
    SANS Reading Room: Firewalls & Perimeter Protection
    Firewalls and Security

  • Network Based IDS's
    - Anomaly Based
    - Signature Based
    Useful Links for Network Based IDS's
    What is network based intrusion detection?
    What is knowledge-based intrusion detection?
    What is behavior-based intrusion detection?

  • Host Based IDS's
    - Application Specific
    - Monitoring of logs, processes and files
    Useful Links for Host Based IDS's
    What is host-based intrusion detection?
    Setting up a simple inexpensive ($39.95) host intrusion detection system.
    Firewalls and Security

  Useful Links for IDS's in General
    Intrusion Detection FAQ
    Understanding Intrusion Detection Systems
    The History and Evolution of Intrusion Detection
    A Wide Selection of IDS Papers and Information

  • Access Control Lists
    Useful Links for Access Control Lists
    Semester 3 - Chapter 6-Access Control Lists
    An Access Control Architecture for Programmable Routers
    Introduction to Router Filters
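The difference between a packet filter (or a router access control list) and stateful inspection, both listed above, is easiest to see on concrete packets. The following is an added example, not code from this guide or from any firewall product: a stateless ACL that has to rely on an "established" rule keyed on the ACK flag to let replies back in, beside a stateful filter that only admits inbound packets matching a connection it saw leave. The protected network 10.0.0.0/24, the packets and the RFC 5737 addresses are assumptions made for the example.

```python
"""Stateless packet filter (ACL) beside a stateful inspection filter, on constructed packets."""
from dataclasses import dataclass

PROTECTED_PREFIX = "10.0.0."   # assumption: 10.0.0.0/24 is the inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def inside(ip: str) -> bool:
    return ip.startswith(PROTECTED_PREFIX)


# --- stateless ACL: evaluated top-down, first match wins, implicit deny ----
# A stateless filter has no memory of connections. To let replies to outbound
# connections back in, it needs an "established" rule that keys on the ACK bit
# alone, and any inbound packet with ACK set matches that rule whether or not a
# connection exists.
ACL = [
    ("permit", "outbound",    lambda p: inside(p.src) and not inside(p.dst)),
    ("permit", "established", lambda p: not inside(p.src) and inside(p.dst) and p.ack),
    ("deny",   "default",     lambda p: True),
]


def stateless_decision(p: Packet) -> str:
    for action, _name, match in ACL:
        if match(p):
            return action
    return "deny"


# --- stateful inspection: remembers the connections it saw start -----------
class StatefulFilter:
    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of tracked outbound connections

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if inside(p.src) and not inside(p.dst):
            if p.syn and not p.ack:
                self.flows.add(key)        # new outbound connection
            elif p.rst:
                self.flows.discard(key)    # teardown
            return "permit"
        if reverse in self.flows:          # reply to a tracked connection
            if p.rst:
                self.flows.discard(reverse)
            return "permit"
        return "deny"                      # inbound packet with no matching connection


# Constructed scenario (RFC 5737 documentation addresses, not real hosts).
SCENARIO = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True),             # client opens a connection
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True),   # legitimate SYN/ACK reply
    Packet("203.0.113.9", 50000, "10.0.0.5", 445, ack=True),            # unsolicited packet with ACK set
    Packet("203.0.113.9", 50000, "10.0.0.5", 445, syn=True),            # unsolicited SYN
]


def compare(packets):
    """Return [(stateless decision, stateful decision)] for each packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_decision(p), stateful.decide(p)) for p in packets]


if __name__ == "__main__":
    for p, (a, b) in zip(SCENARIO, compare(SCENARIO)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a:6}  stateful={b}")
```

The third packet is the one to watch: the ACL's "established" rule permits it because the ACK bit is set, while the stateful filter denies it because no connection to that host and port was ever opened from inside. That is the gap stateful inspection closes, and why a plain router ACL is best treated as one layer in front of a stateful firewall rather than a replacement for it.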
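Signature-based and anomaly-based detection, the two network IDS approaches listed above, catch different things. Here is an added example (not from this guide or from any IDS product) that runs both over a small set of constructed connection records. The signature engine matches known patterns in payloads; the anomaly engine learns from a baseline window how many distinct destination ports each host normally contacts and flags hosts that exceed the mean plus three standard deviations. The records, hosts, signatures and threshold are assumptions made for the example.

```python
"""Signature-based and anomaly-based detection over constructed connection records."""
import re
import statistics
from collections import defaultdict

SERVER = "10.0.0.20"   # assumption: the monitored server


def ev(src: str, dport: int, payload: str = "") -> dict:
    """One constructed connection record (not captured traffic)."""
    return {"src": src, "dst": SERVER, "dport": dport, "payload": payload}


# Training window: what "normal" looks like for each host (constructed).
BASELINE = [
    ev("10.0.0.5", 80),
    ev("10.0.0.6", 80), ev("10.0.0.6", 443),
    ev("10.0.0.7", 25),
    ev("10.0.0.8", 80), ev("10.0.0.8", 22),
    ev("10.0.0.9", 80), ev("10.0.0.9", 443), ev("10.0.0.9", 22),
]

# Live window to inspect (constructed).
LIVE = [
    ev("10.0.0.5", 80, "GET /index.html HTTP/1.0"),
    ev("10.0.0.6", 80, "GET /../../etc/passwd HTTP/1.0"),   # known bad pattern, normal port usage
    *[ev("10.0.0.8", p) for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)],  # sweep, no payload
]

# --- signature-based: match known patterns in content -----------------------
SIGNATURES = [
    ("web-dir-traversal", re.compile(r"\.\./|%2e%2e/", re.IGNORECASE)),
    ("smtp-vrfy-probe", re.compile(r"^VRFY\s", re.IGNORECASE)),
]


def signature_alerts(events):
    """Return [(signature name, event)] for every event whose payload matches a signature."""
    return [(name, e) for e in events for name, rx in SIGNATURES if rx.search(e["payload"])]


# --- anomaly-based: learn a baseline, flag deviations from it ---------------
def distinct_ports(events):
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["dport"])
    return {src: len(ports) for src, ports in seen.items()}


def anomaly_alerts(baseline, events, k=3.0):
    """Flag hosts whose distinct-port count exceeds baseline mean + k * stdev."""
    counts = list(distinct_ports(baseline).values())
    threshold = statistics.mean(counts) + k * statistics.pstdev(counts)
    return [{"src": src, "distinct_ports": n, "threshold": threshold}
            for src, n in distinct_ports(events).items() if n > threshold]


if __name__ == "__main__":
    for name, e in signature_alerts(LIVE):
        print(f"signature {name}: {e['src']} -> {e['dst']}:{e['dport']} {e['payload']!r}")
    for a in anomaly_alerts(BASELINE, LIVE):
        print(f"anomaly: {a['src']} contacted {a['distinct_ports']} ports (threshold {a['threshold']:.2f})")
```

The traversal request is invisible to the anomaly engine (one port, like every other day) and the port sweep is invisible to the signature engine (no payload to match), which is why deployments usually run both. Two caveats on the anomaly side: if every baseline host behaves identically the standard deviation is zero and any deviation at all alerts, so k and the baseline window need tuning per environment, and a baseline collected while something bad was already happening learns that behaviour as normal.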

Antivirus Protection

This one is getting its own category. Antivirus is NOT just for security folks; it is crucial to the daily operations of a network, all the way down to a user at home on their personal PC. However, it is very often overlooked, and if it is used it is usually not cared for in the manner in which it should be. Look at the latest widespread outbreak of MyDoom for proof of this. This is a sad state, especially considering that the price of antivirus software is very affordable. Understanding what to do to protect yourself is critical, and part of that comes from keeping your antivirus up to date and using defense in depth. As a security professional, you are going to have to have a basic understanding of what the malicious code does in order to really protect your network.

All of the tools above can assist you in this endeavor if you know what the latest virus/worm is configured to do. You can't just rely on an antivirus product that scans your email. What if a user visits a malicious web page or checks their Hotmail account? That bypasses your antivirus scan. Having antivirus clients on all workstations is a requirement these days. The overhead for managing this has become very low. Most vendors have an enterprise version that can push the client out to systems as well as check for updates and push them out too. You can schedule scans, schedule when to do updates, report any virus detections on your network to a central server, or send a notification by email. The possibilities are endless, and once configured it requires very little effort. You can also tailor your perimeter security devices to block certain extensions that are used in the spreading of viruses and worms, such as .bat, .cmd, .com, .exe, .eml, .hta, .pif, .scr, etc. There are many more extensions that can be used. Simply blocking these types of files will help protect your network from a zero-day worm or virus.
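As an added example of the perimeter extension blocking described above (not from this guide or from any vendor's product), the following function applies the extension list given in the text and handles two things a naive check misses: mixed case, and double or space-padded extensions such as invoice.txt.exe. It also looks at the first bytes of the content, since a renamed executable still carries its MZ header. The file names and sample bytes are constructed for the example.

```python
"""Perimeter attachment filter: block risky extensions, plus the evasions a naive check misses."""
from pathlib import PurePosixPath

# Extension list from the text above; extend it for your environment.
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".eml", ".hta", ".pif", ".scr"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows executable (DOS stub header)


def normalized_suffixes(filename: str) -> list:
    """All extensions of a name, lower-cased, with padding spaces and trailing dots removed."""
    name = filename.strip().lower().rstrip(". ")
    return [s.strip() for s in PurePosixPath(name).suffixes]


def check_attachment(filename: str, data: bytes = b"") -> tuple:
    """Return (blocked, reason). Block if any extension in the name is on the list,
    or if the content starts with an executable header regardless of the name."""
    hits = [s for s in normalized_suffixes(filename) if s in BLOCKED_EXTENSIONS]
    if hits:
        return True, f"extension {hits[-1]} is on the block list"
    if data.startswith(PE_MAGIC):
        return True, "content has a Windows executable (MZ) header despite the name"
    return False, "allowed"


# Constructed sample attachments (names and bytes made up for the example).
SAMPLE_ATTACHMENTS = [
    ("quarterly.pdf", b"%PDF-1.4 ..."),
    ("Report.EXE", b"MZ\x90\x00"),
    ("invoice.txt.exe", b"MZ\x90\x00"),
    ("invoice.exe                         .txt", b"MZ\x90\x00"),
    ("readme.txt", b"MZ\x90\x00"),   # executable renamed to look harmless
    ("notes.txt", b"plain text"),
]


def filter_attachments(attachments):
    """Return [(name, blocked, reason)] for a batch of (name, bytes) pairs."""
    return [(name, *check_attachment(name, data)) for name, data in attachments]


if __name__ == "__main__":
    for name, blocked, reason in filter_attachments(SAMPLE_ATTACHMENTS):
        print(f"{'BLOCK' if blocked else 'allow'}  {name!r}: {reason}")
```

The content check is what makes the extension list worth more than it looks: a name tells you what the sender wants you to think the file is, the first bytes tell you what it actually is. Even so, this is one layer; archives, scripts embedded in documents and files fetched over the web pass straight by it, which is the defense-in-depth point the text makes.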

Useful Links for Antivirus Software and Vendors
  Symantec
  Computer Associates
  Internet Security Alliance
  Kaspersky Labs
  McAfee
  Panda Security
  SoftWin SRL
  Trend Micro

Securing the Operating System

Every operating system has different capabilities and is used to fit different needs. As such, the security of the operating system has to be tailored to fit your environment. Don't fret, because many groups have already developed guides to securing the operating system; you can build on their work and simply adjust the recommendations to fit your specific needs. There are also many sites dedicated to reporting vulnerabilities for operating systems. One of the most important things to remember is to stay current on the patches for your operating system and for the applications that you are using. The following list of links will point you to where you can get more information in specific areas.

For all operating systems:
  SANS Bookstore: Seven Pack of SANS Press Technical Guides
  SecuriTeam.com's focus on different Operating Systems and security related issues.
  National Security Agency Security Recommendation Guides
  FreeBSD Security How-To
  The Center for Internet Security

For Windows 2000/NT/XP:
  National Security Agency Security Recommendation Guides
  Welcome to NSA/CSS INFOSEC

For Linux:
  Welcome to NSA/CSS INFOSEC: Security Enhanced Linux
  A Question and Answer website about Linux
  All the latest of Linux Security
  Linux Security HOWTO
  Bastille Linux
  Securing Linux

For Solaris:
  Solaris Security Guide
  Secure Solaris Setup
  Platforms/OSs - Sun Solaris
  Solaris Security

Vulnerability/Incident Websites
  The CERT® Coordination Center (CERT/CC)
  U.S. Department of Energy CIAC
  Forum of Incident Response and Security Teams
  US-CERT
  A community of Security Professionals
  Security Issues
  Keeping Track of Bugs

MISC links

  NIST Computer Security Division and CSRC home page
  SANS Global Information Assurance Certification (GIAC)
  SANS INFOSEC Reading Room
  SANS Information and Computer Security Resources
  COTSE Security/Bugs/Exploits News
  Internet Security Policy: A Technical Guide.
  Security Policy Resources
  Federal Agency Security Practices (FASP)