
1.1 Given a scenario, analyze the security requirements and objectives to ensure an appropriate, secure network architecture for a new or existing network

Services

 Load balancer

A device that acts as a reverse proxy to distribute network and application traffic across multiple servers. Load balancers are a key requirement for providing high availability (HA).

 Intrusion detection system (IDS)/network intrusion detection system (NIDS)/wireless intrusion detection system (WIDS)

An intrusion detection system (IDS) is a system that detects threats as they occur.

A network intrusion detection system (NIDS) is a system that monitors and detects threats on the network. NIDS sensors are placed in strategic locations on the network so that they can see the traffic that needs monitoring. The device does not need to be placed inline to be effective; port mirroring or a SPAN port on a switch can be used to send a copy of the traffic to the device.

A wireless intrusion detection system (WIDS) is a device that monitors Wi-Fi networks to detect unauthorized access points.

 Intrusion prevention system (IPS)/network intrusion prevention system (NIPS)/wireless intrusion prevention system (WIPS)

An intrusion prevention system (IPS) is a system that detects threats and prevents them from happening.

A network intrusion prevention system (NIPS) is a system that monitors and prevents threats from occurring on the network. In order to block traffic, the device needs to be placed inline, directly behind the firewall.

A wireless intrusion prevention system (WIPS) is a device that monitors Wi-Fi networks to detect unauthorized access points and automatically takes action to prevent the threat.

 Web application firewall (WAF)

A WAF works at the web application layer, inspecting HTTP/HTTPS traffic for anomalies. A WAF can prevent many different types of attacks:

  • SQL Injection
  • XSS
  • CSRF
  • Malicious File Execution
  • Broken Authentication

 Network access control (NAC)

A NAC solution checks devices connecting to the network to ensure they comply with the security policy. This usually includes making sure the device has anti-virus installed, is up to date on security patches, and has a firewall installed and enabled.

 Virtual private network (VPN)

A VPN provides a secure, encrypted tunnel across an untrusted network like the internet. A VPN can be used by end-users to connect to enterprise networks or connect sites.

 Domain Name System Security Extensions (DNSSEC)

DNSSEC authenticates DNS responses using digital signatures based on public key cryptography. Without DNSSEC, computers are vulnerable to DNS poisoning, in which malicious entries are added to a DNS server's cache or a client's cache.

 Firewall/unified threat management (UTM)/next-generation firewall (NGFW)

A UTM appliance offers many security functions including firewall, IDS, IPS, deep packet inspection (DPI), data loss prevention (DLP), anti-virus, WAF, SIEM, etc.

A firewall blocks unwanted traffic from entering the network. A network firewall protects the network and is usually placed at the ingress point of the network. A software firewall usually runs on a host operating system to protect endpoints. Virtual firewalls are virtual hosts that run on a hypervisor. A firewall has a rule set that will allow or deny traffic.

A first generation firewall uses static packet filtering. The rule set is usually based on host IP addresses and ports.

A second generation firewall uses stateful inspection of the traffic. They monitor TCP streams and dynamically open ports.

A next generation firewall offers additional capabilities such as VPNs and anti-virus protection; some can even provide DLP and IPS protection.
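The difference between the first two generations, as an added example that is not part of the original notes: a static packet filter keyed only on addresses, ports and flags has to admit anything that looks like a reply to an outbound connection, while a stateful filter records each outbound flow and dynamically opens only that return path. The network ranges, hosts and packets are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # constructed internal network
# ack is True when the TCP ACK flag is set, i.e. the packet looks like a reply
Packet = namedtuple("Packet", "src dst sport dport ack")

def inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL

def static_filter(pkt: Packet) -> str:
    """First generation: a fixed rule set keyed on addresses, ports and flags."""
    if inside(pkt.src) and not inside(pkt.dst):
        return "allow"                      # any outbound traffic
    if inside(pkt.dst) and pkt.dport == 443:
        return "allow"                      # inbound HTTPS to the internal web server
    # Needed so replies to outbound connections get back in; the filter cannot
    # tell a genuine reply from an unsolicited packet with the ACK flag set.
    if inside(pkt.dst) and pkt.dport >= 1024 and pkt.ack:
        return "allow"
    return "deny"

class StatefulFilter:
    """Second generation: tracks outbound flows and only admits inbound packets
    that match one, dynamically opening the return port per connection."""
    def __init__(self) -> None:
        self.flows = set()                  # (src, sport, dst, dport) of outbound flows

    def check(self, pkt: Packet) -> str:
        if inside(pkt.src) and not inside(pkt.dst):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if inside(pkt.dst) and pkt.dport == 443:
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"                  # genuine reply to a tracked flow
        return "deny"

def compare(packets: list) -> list:
    """Return (static_verdict, stateful_verdict) for each packet, in order."""
    stateful = StatefulFilter()
    return [(static_filter(p), stateful.check(p)) for p in packets]

# Constructed traffic: an outbound request, its real reply, and an unsolicited
# inbound packet that carries the ACK flag to look like a reply.
SAMPLE = [
    Packet("10.0.0.7", "203.0.113.9", 50000, 80, ack=False),
    Packet("203.0.113.9", "10.0.0.7", 80, 50000, ack=True),
    Packet("198.51.100.4", "10.0.0.7", 6666, 50001, ack=True),
]
```

Running `compare(SAMPLE)` shows both filters allowing the request and its real reply, but only the stateful filter denying the third packet, because no inside host opened a flow that it could be a reply to.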

 Network address translation (NAT) gateway

Network Address Translation (NAT) is a technique that provides internet access to private networks without having to assign public IPv4 addresses to the private hosts. The gateway provides the route to the internet and has a public IPv4 address that is associated with all the private hosts in the private network. Because the private network is hidden from the internet, connections cannot be initiated from the outside; they can only be initiated from the inside through the gateway.
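A port-address translation table of the kind a NAT gateway keeps, as an added example that is not part of the original notes. The public address, private hosts and remote servers are constructed; the example shows why two private hosts can share one public address and why a packet arriving from outside that matches no existing mapping is dropped.

```python
class NatGateway:
    """Constructed model of a NAT gateway's translation table (port-address
    translation): every private host shares the gateway's single public IPv4."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.outbound_map = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound_map = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Translate a packet leaving the private network. A mapping is created
        on first use so the remote server's reply can be routed back."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int):
        """Translate a packet arriving at the public interface. Returns the
        private (ip, port) it belongs to, or None when no inside host initiated
        the connection, in which case the gateway has nowhere to send it."""
        return self.inbound_map.get((dst_port, src_ip, src_port))


def demo():
    gw = NatGateway("203.0.113.1")                       # constructed public address
    # Two private hosts reach the same external server from the same source port;
    # each gets its own public port so replies can be told apart.
    a = gw.outbound("192.168.1.10", 52000, "198.51.100.80", 443)
    b = gw.outbound("192.168.1.11", 52000, "198.51.100.80", 443)
    reply_a = gw.inbound("198.51.100.80", 443, a[1])
    reply_b = gw.inbound("198.51.100.80", 443, b[1])
    # An outside host trying to open a connection to port 22 matches no mapping.
    unsolicited = gw.inbound("198.51.100.99", 33000, 22)
    return a, b, reply_a, reply_b, unsolicited
```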

 Internet gateway

An internet gateway connects two different networks that use different protocols for communication. A very common internet gateway is a router.

 Forward/transparent proxy

A forward proxy routes traffic between clients and servers, usually servers external to the network. The proxy can regulate traffic to enforce security policies such as masking client IP addresses, forcing secure protocols, and blocking unknown traffic.

A transparent proxy is able to intercept connections between clients and servers without being visible to them. Requests from the client are still formed as if there were no proxy in place.

 Reverse proxy

A reverse proxy accepts client requests, forwards them to the server, then returns the results of the server to the client. The reverse proxy acts as a gateway between the clients and servers and can provide security policies to protect the servers.

 Distributed denial-of-service (DDoS) protection

One technique used to protect against DDoS attacks is called a black hole, also known as a sinkhole. A rule is automatically triggered when a certain traffic threshold is met, dropping all traffic to the target. Once the attack has been identified and the malicious traffic can be blocked, the normal route is put back in place.

 Routers

Routers connect different networks together. Routers contain a routing table that provides a route for each network. Routers in a dynamic routing setup can use different protocols to find routes in the network.

  • Routing Information Protocol (RIP) is a simple and easy protocol that is not considered a secure routing protocol.
  • Enhanced Interior Gateway Routing Protocol (EIGRP) is used in CISCO networks.
  • Open Shortest Path First (OSPF) allows routers to communicate securely and transfer data through link-state advertisements (LSAs). There is no hop limit on OSPF.
  • Border Gateway Protocol (BGP) is used between internet service providers and can also be used to send routing updates to enterprises. BGP can be used so that only approved routers can exchange data with each other.

 Mail security

An organization should use a spam filter to protect employees from email threats. A spam filter filters incoming SMTP traffic and can also query the Spamhaus Block List to check for blocked domain names and IP addresses.

 Application programming interface (API) gateway/Extensible Markup Language (XML) gateway

APIs provide a means for two programs to communicate and share data. APIs are sometimes insecure and allow sensitive data to leave the enterprise. Common threats include SQL injection, denial-of-service, and broken authentication. Common secure practices are to secure the connection over HTTPS, apply content security checks to mitigate injection attacks, and require an API key to use the service.

 Traffic mirroring

  Switched port analyzer (SPAN) ports

A SPAN port is the designated port on a Cisco switch or router to which mirrored traffic is sent.

  Port mirroring

Port mirroring is when a network device such as a switch or a router sends a copy of network packets to a port. The traffic is then sent to network equipment that provides monitoring solutions such as an IDS or APM.

  Virtual private cloud (VPC)

VPC traffic mirroring is a feature of cloud deployments that mirrors traffic within the cloud environment.

  Network tap

A network tap is a device installed inline on a network connection that sends a copy of the traffic to a second interface.

 Sensors

  Security information and event management (SIEM)

A SIEM is a centralized location to send security related logs. The SIEM will then normalize and correlate the logs which will then alert on anomalous and malicious activity.
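The normalize-then-correlate step described above, as an added example that is not part of the original notes: two constructed log sources with different formats (a Linux sshd syslog line and a Windows-style logon event line) are mapped onto one schema, and an alert is raised when one source IP produces repeated failed logons against more than one host inside a short window. The log lines, hosts, IPs and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources with different formats.
SSHD_LOGS = [
    "2024-03-01T10:00:01Z web01 sshd[512]: Failed password for root from 198.51.100.23 port 41022 ssh2",
    "2024-03-01T10:00:04Z web01 sshd[512]: Failed password for root from 198.51.100.23 port 41030 ssh2",
    "2024-03-01T10:00:09Z web01 sshd[512]: Accepted password for deploy from 10.0.0.12 port 50210 ssh2",
]
WIN_LOGS = [
    "2024-03-01T10:00:06Z dc01 EventID=4625 TargetUserName=admin IpAddress=198.51.100.23",
    "2024-03-01T10:00:11Z dc01 EventID=4625 TargetUserName=admin IpAddress=198.51.100.23",
    "2024-03-01T10:00:40Z dc01 EventID=4624 TargetUserName=jdoe IpAddress=10.0.0.30",
]

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")

def normalize(line: str):
    """Map either format onto one common schema (the SIEM normalization step)."""
    if m := SSHD_RE.match(line):
        ts, host, result, user, ip = m.groups()
        outcome = "failure" if result == "Failed" else "success"
    elif m := WIN_RE.match(line):
        ts, host, event_id, user, ip = m.groups()
        outcome = "failure" if event_id == "4625" else "success"  # 4625 = failed logon
    else:
        return None                                   # unparsed line, dropped
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "user": user, "src_ip": ip, "outcome": outcome}

def correlate(lines, threshold: int = 4, window: timedelta = timedelta(seconds=60)):
    """Alert when one source IP produces >= threshold failed logons against at
    least two different hosts inside the time window (the correlation step)."""
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e["time"])
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in failures.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(in_window) >= threshold and len(hosts) >= 2:
                alerts.append({"src_ip": ip, "count": len(in_window), "hosts": sorted(hosts)})
                break                                 # one alert per source IP
    return alerts
```

Neither source alone crosses the threshold; only after both are normalized into the same schema does the cross-host pattern from a single IP become visible.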

  File integrity monitoring (FIM)

FIM will alert on modification of key system files or any other file that is selected.

  Simple Network Management Protocol (SNMP) traps

An SNMP trap is an SNMP message sent by a managed device to report an alert or other problem.

  NetFlow

NetFlow allows you to log network traffic. It is used to view bandwidth traffic and types of traffic flow. This information can be used to see anomalies and set baselines.

  Data loss prevention (DLP)

DLP sets policies around exfiltration of data from a network. This prevents employees or attackers from exfiltrating sensitive data.

  Antivirus

Antivirus detects and prevents malicious code or programs from running on a system.

Segmentation

 Microsegmentation

Microsegmentation creates zones in data centers or cloud environments to isolate workloads from one another to provide greater security. This inhibits lateral movement in the network.

 Local area network (LAN)/virtual local area network (VLAN)

A LAN is a network in one physical location. A LAN's single defining characteristic is that it connects devices that are in a single, limited area.

A VLAN is a network that exists on the same physical network but acts as if split between separate networks.

 Jump box

A jump box allows an administrator to securely connect to a remote environment. In some cases specific tools are needed to administer the remote environment, such as a SCADA system; the jump box will have the specialized tools to manage these systems.

 Screened subnet

A screened subnet can also be referred to as a DMZ. A DMZ is a subnet that is firewalled off from the internal network in order to host externally accessible services such as a web application. This protects the internal network from attacks that may come in from the external network. Only the traffic needed to support the services hosted in the DMZ is allowed into the internal network.

 Data zones

Data zones are a way to store different types of data that have different requirements. More sensitive data can be stored in a data zone with more rigid requirements. Storing data in different data zones helps alleviate the burden of managing policies for all data.

 Staging environments

A staging environment is a test environment used to try out updates and patches before releasing them into production. If a patch could affect a service, it is better to test it in the staging environment before releasing it to production.

 Guest environments

A guest network allows an organization to provide internet to guests without giving access to internal systems. A guest network is separated from the internal network thus providing a layer of security.

 VPC/virtual network (VNET)

Virtual Private Cloud (VPC) peering or virtual network (VNET) peering allows you to connect multiple workloads within a cloud service provider. It allows traffic to traverse directly between workloads rather than being routed to the edge of the network and back in to another VPC.

 Availability zone

Availability zones are isolated segments within a region of a cloud service provider.

 NAC lists

Network Access Control lists grant network access to certain devices based on specific criteria. The criteria are specified by the policy set up in the NAC solution.

 Policies/security groups

Users can be separated into different security groups that have the level of access needed to perform their job function.

 Regions

A region is a group of data centers deployed in close proximity and connected through a dedicated low-latency network.

 Access control lists (ACLs)

ACLs act as a whitelist that grants access to different resources, such as network access. Firewall rules can also be considered ACLs.

 Peer-to-peer

A peer-to-peer network distributes computing tasks between the computers connected to the network. Each node can act as a server for the other nodes, allowing shared access to resources such as files.

 Air gap

A computer that is air gapped is not connected to the internet. This is a segmentation technique for computers that run critical services such as in a nuclear power plant.

Deperimeterization/zero trust

Zero trust is a security model that eliminates trust in protected networks. In theory, a zero trust network would be able to be secure in an untrusted network (the Internet).

 Cloud

Cloud apps are becoming more and more popular. Because of this, companies host services in a variety of locations, and it becomes difficult to implement trusted networks across multiple locations.

 Remote work

More and more workers are working remotely from home, which is an untrusted network. Zero trust principles can help protect the company.

 Mobile

Mobile phones are used to access services that a company may provide. Mobile phones themselves are usually unmanaged by the company and pose a significant risk.

 Outsourcing and contracting

Most companies use some form of outsourcing or contractors, which can pose a significant security risk. The Target breach was caused by an HVAC contractor having access to trusted networks.

 Wireless/radio frequency (RF) networks

Wi-Fi networks should be considered untrusted networks.

Merging of networks from various organizations

 Peering

Peering connects workloads within a single cloud provider. The advantage is that traffic is not routed to the edge of the cloud providers network and then back in.

 Cloud to on premises

 Data sensitivity levels

 Mergers and acquisitions

 Cross-domain

 Federation

 Directory services

Software-defined networking (SDN)

SDN is an approach that moves away from vendor-specific protocols on networking equipment. Using APIs, applications and services can apply dynamic updates to physical and virtual networking equipment.

 Open SDN

Open SDN uses open standards, rather than vendor-specific protocols, to provide the instructions to the networking equipment.

 Hybrid SDN

As companies move from traditional networking to SDN, they will need to have a hybrid environment using both solutions.

 SDN overlay

An SDN overlay is a virtual network that carries traffic across the existing physical networking infrastructure.