The routing table of a router stores the following information:

• Directly connected routes – These routes come from the active router interfaces. Routers add a directly connected route when an interface is configured with an IP address and is activated.
• Remote routes – These are remote networks connected to other routers. Routes to these networks can either be statically configured or dynamically learned through dynamic routing protocols.

Specifically, a routing table is a data file in RAM that is used to store route information about directly connected and remote networks. The routing table contains network or next hop associations.

These associations tell a router that a particular destination can be optimally reached by sending the packet to a specific router that represents the next hop on the way to the final destination. The next hop association can also be the outgoing or exit interface to the next destination.

The destination network entries in the routing table can be added in several ways:

• Local Route interfaces – These are added when an interface is configured and active. This entry is only displayed in IOS 15 or newer for IPv4 routes, and all IOS releases for IPv6 routes.
• Directly connected interfaces – These are added to the routing table when an interface is configured and active.
• Static routes – These are added when a route is manually configured and the exit interface is active.
• Dynamic routing protocol – This is added when routing protocols that dynamically learn about the network, such as EIGRP or OSPF, are implemented and networks are identified.

Dynamic routing protocols exchange network reachability information between routers and dynamically adapt to network changes.

Each routing protocol uses routing algorithms to determine the best paths between different segments in the network, and updates routing tables with these paths.
Dynamic routing protocols have been used in networks since the late 1980s. One of the first routing protocols was RIP. RIPv1 was released in 1988. As networks evolved and became more complex, new routing protocols emerged.

The RIP protocol was updated to RIPv2 to accommodate growth in the network environment. However, RIPv2 still does not scale to the larger network implementations of today.

To address the needs of larger networks, two advanced routing protocols were developed: Open Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS). Cisco developed the Interior Gateway Routing Protocol (IGRP) and Enhanced IGRP (EIGRP), which also scales well in larger network implementations.

IP was designed as a Layer 3 connectionless protocol. It provides the necessary functions to deliver a packet from a source host to a destination host over an interconnected system of networks. The protocol was not designed to track and manage the flow of packets. These functions, if required, are performed primarily by TCP at Layer 4.

IP makes no effort to validate whether the source IP address contained in a packet actually came from that source. For this reason, threat actors can send packets using a spoofed source IP address. In addition, threat actors can tamper with the other fields in the IP header to carry out their attacks. Therefore, it is important for security analysts to understand the different fields in both the IPv4 and IPv6 headers.

In this article, I want to look at common network security monitoring tools in cybersecurity. Follow me as we look at this together in this article.
Common tools that are used for network security monitoring include:

• Network protocol analyzers such as Wireshark and Tcpdump
• NetFlow
• Security Information and Event Management Systems (SIEM)

It is also common for security analysts to rely on log files and Simple Network Management Protocol (SNMP) for network behaviour discovery.

Practically all systems generate log files to record and communicate their operations. By closely monitoring log files, a security analyst can gather extremely valuable information.

SNMP allows analysts to request and receive information about the operation of network devices. It is another good tool for monitoring the behaviour of a network.
Security analysts must be familiar with all of these tools.

This information includes the source and destination device IP information, the time of the communication, and the amount of data transferred. NetFlow does not capture the actual content on the flow. NetFlow functionality is often compared to a telephone bill. The bill identifies the destination number, the time and the duration of the call. However, it does not display the content of the telephone conversation.

For example, Cisco Stealthwatch collects NetFlow statistics to perform advanced functions including:

• Flow stitching – It groups individual entries into flows.
• Flow deduplication – It filters duplicate incoming entries from multiple NetFlow clients.
• NAT stitching – It simplifies flows with NAT entries.

There is a Cisco Stealthwatch channel on YouTube that provides many details about Stealthwatch and its uses.

Network security analysts must quickly and accurately assess the significance of any security event and answer the following critical questions:

• Who is associated with this event?
• Does the user have access to other sensitive resources?
• Does this event represent a potential compliance issue?
• Does the user have access to intellectual property or sensitive information?
• Is the user authorized to access that resource?

To help answer these questions, security analysts use:

• Security Information Event Management (SIEM)
• Security orchestration, automation, and response (SOAR)

• Elasticsearch – Document-oriented full-text search engine
• Logstash – Pipeline processing system that connects “inputs” to “outputs” with optional “filters” in-between
• Kibana – Browser-based analytics and search dashboard for Elasticsearch

Search the internet to learn more about Elastic. co and its suite of products.

“All networks are targets” is a common adage used to describe the current landscape of network security. Therefore, to mitigate threats, all networks must be secured and protected. This article will look at network security topology in Cybersecurity.

This requires a defence-in-depth approach. It requires using proven methods and a security infrastructure consisting of firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and endpoint security software.

These methods and technologies are used to introduce automated monitoring to the network, create security alerts, or automatically block offensive devices when something goes wrong.

An important part of the job of the cybersecurity analyst is to review all alerts generated by network devices and determine their validity of the alerts. Was that file that was downloaded by user X really malware?

Is that website that was visited by user Y really malicious? Is the printer on the third floor really compromised because it is trying to connect to a server that is out on the internet? These are questions that are commonly asked by security analysts daily. It is their job to determine the correct answers.

The day-to-day operation of a network consists of common patterns of traffic flow, bandwidth usage, and resource access. Together, these patterns identify normal network behaviour. Security analysts must be intimately familiar with normal network behaviour because abnormal network behaviour typically indicates a problem.

To determine normal network behaviour, network monitoring must be implemented. Various tools are used to help discover normal network behaviour including IDS, packet analyzers, SNMP, NetFlow, and others.

Some of these tools require captured network data. There are two common methods used to capture traffic and send it to network monitoring devices:

• Network taps, sometimes known as test access points (TAPs)
• Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring.

The switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the destination SPAN port G0/1 that connects to an IDS.

The association between source ports and a destination port is called a SPAN session. In a single session, one or multiple ports can be monitored. On some Cisco switches, session traffic can be copied to more than one destination port. Alternatively, a source VLAN can be specified in which all ports in the source VLAN become sources of SPAN traffic. Each SPAN session can have ports or VLANs as sources, but not both.

Note: A variation of SPAN called Remote SPAN (RSPAN) enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.

• Overwhelming Quantity of Traffic – The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service.
• Maliciously Formatted Packets – The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.

Mirai is malware that targeted IoT devices that are configured with default login information. Closed-circuit television (CCTV) cameras made up the majority of Mirai’s targets. Using a brute force dictionary attack, Mirai ran through a list of default usernames and passwords that were widely known on the internet.

• root/default
• root/1111
• root/54321
• admin/admin1234
• admin1/password
• guest/12345
• tech/tech
• support/support

After gaining successful access, Mirai targeted the Linux-based BusyBox utilities that run on these devices. These utilities were used to turn the devices into bots that could be remotely controlled as part of a botnet. The botnet was then used as part of a distributed denial of service (DDoS) attack.

In September 2016, a Mirai botnet of over 152,000 CCTVs and digital video recorders (DVRs) was responsible for the largest DDoS attack known until that time. With peak traffic of over 1 Tb/s, it took down the hosting services of a France-based web hosting company.

In October 2016 the services of Dyn, a domain name service (DNS) provider, were attacked, causing internet outages for millions of users in the United States and Europe.

Note: In December 2017, three American threat actors pleaded guilty to conspiring to “conduct DDoS attacks against websites and web hosting companies located in the United States and abroad.” The three felons face up to 10 years in prison and $250,000 in fines.

The goal of a threat actor when using a buffer overflow DoS attack is to find a system memory-related flaw on a server and exploit it. Exploiting the buffer memory by overwhelming it with unexpected values usually renders the system inoperable, creating a DoS attack.

For example, a threat actor enters input that is larger than expected by the application running on a server. The application accepts a large amount of input and stores it in memory. The result is that it may consume the associated memory buffer and potentially overwrite adjacent memory, eventually corrupting the system and causing it to crash.

An early example of using malformed packets was the Ping of Death. In this legacy attack, the threat actor sent a ping of death, which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and it would crash.

Buffer overflow attacks are continually evolving. For instance, remote denial of service attack vulnerability was recently discovered in Microsoft Windows 10. Specifically, a threat actor created malicious code to access out-of-scope memory.

When this code is accessed by the Windows AHCACHE.SYS process, attempts to trigger a system crash, denying service to the user. Search the Internet on the “TALOS-2016-0191 blog” to go to the Cisco Talos threat intelligence website and read a description of such an attack.

Note: It is estimated that one-third of malicious attacks are the result of buffer overflows.

Reconnaissance is information gathering. It is analogous to a thief surveying a neighbourhood by going door-to-door pretending to sell something.

What the thief is actually doing is looking for vulnerable homes to break into, such as unoccupied residences, residences with easy-to-open doors or windows, and those residences without security systems or security cameras.

Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks.

Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

• Trust exploitations
• Port redirections
• Man-in-the-middle attacks
• Buffer overflow attacks

The Social-Engineer Toolkit (SET) was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks. It is a set of menu-based tools that help launch social engineering attacks. The SET is for educational purposes only. It is freely available on the internet.

Action Point

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.

Threat actors have also created various hacking tools. These tools are explicitly written for nefarious reasons. Cybersecurity personnel must also know how to use these tools when performing network penetration tests.

Explore the categories of common network penetration testing tools. Notice how some tools are used by white hats and black hats. Keep in mind that the list is not exhaustive as new tools are continually being developed.

Note: Many of these tools are UNIX or Linux based; therefore, a security professional should have a strong UNIX and Linux background.

• Non-blind spoofing – The threat actor can see the traffic that is being sent between the host and the target. The threat actor uses non-blind spoofing to inspect the reply packet from the target victim. Non-blind spoofing determines the state of a firewall and sequence-number prediction. It can also hijack an authorized session.
• Blind spoofing – The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.

MAC address spoofing attacks are used when threat actors have access to the internal network. Threat actors alter the MAC address of their host to match another known MAC address of a target host, as shown in the figure. The attacking host then sends a frame throughout the network with the newly-configured MAC address. When the switch receives the frame, it examines the source MAC address.

1. The victim unknowingly visits a web page that has been compromised by malware.
2. The compromised web page redirects the user, often through many compromised servers, to a site containing malicious code.
3. The user visits this site with malicious code and their computer becomes infected. This is known as a drive-by download. When the user visits the site, an exploit kit scans the software running on the victim’s computer including the OS, Java, or Flash player looking for an exploit in the software. The exploit kit is often a PHP script and provides the attacker with a management console to manage the attack.
4. After identifying a vulnerable software package running on the victim’s computer, the exploit kit contacts the exploit kit server to download code that can use the vulnerability to run malicious code on the victim’s computer.
5. After the victim’s computer has been compromised, it connects to the malware server and downloads a payload. This could be malware or a file download service that downloads other malware.
6. The final malware package is run on the victim’s computer.

Independent of the type of attack being used, the main goal of the threat actor is to ensure the victim’s web browser ends up on the threat actor’s web page, which then serves out the malicious exploit to the victim.

Some malicious sites take advantage of vulnerable plugins or browser vulnerabilities to compromise the client’s system. Larger networks rely on IDSs to scan downloaded files for malware. If detected, the IDS issues an alert and records the event to log files for later analysis.

Server connection logs can often reveal information about the type of scan or attack. The different types of connection status codes are listed here:

• Informational 1xx – This is a provisional response, consisting only of the Status-Line and optional headers. It is terminated by an empty line. There are no required headers for this class of status codes. Servers MUST NOT send a 1xx response to an HTTP/1.0 client except under experimental conditions.
• Successful 2xx – The client’s request was successfully received, understood, and accepted.
• Redirection 3xx – Further action must be taken by the user agent to fulfil the request. A client SHOULD detect infinite redirection loops because these loops generate network traffic for each redirection.
• Client Error 4xx – For cases in which the client seems to have erred. Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the situation, and if it is temporary. User agents SHOULD display any included entity to the user.
• Server Error 5xx – For cases where the server is aware that it has erred, or it cannot perform the request. Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation, and if it is temporary. User agents SHOULD display any included entity to the user.

To defend against web-based attacks, the following countermeasures should be used:

• Always update the OS and browsers with current patches and updates.
• Use a web proxy like Cisco Cloud Web Security or Cisco Web Security Appliance to block malicious sites.
• Use the best security practices from the Open Web Application Security Project (OWASP) when developing web applications.
• Educate end-users by showing them how to avoid web-based attacks.

The OWASP Top 10 Web Application Security Risks is designed to help organizations create secure web applications. It is a useful list of potential vulnerabilities that are commonly exploited by threat actors.

• Use a web proxy to block malicious sites.
• Because attackers often change the source HTML of the iFrame in a compromised website, make sure web developers do not use iFrames. This will isolate any content from third-party websites and make modified pages easier to find.
• Use a service such as Cisco Umbrella to prevent users from navigating to websites that are known to be malicious.
• Make sure the end-user understands what an iFrame is. Threat actors often use this method in web-based attacks.

HTTP 302 Cushioning
Another type of HTTP attack is the HTTP 302 cushioning attack. Threat actors use the 302 Found HTTP response status code to direct the user’s web browser to a new location. Threat actors often use legitimate HTTP functions such as HTTP redirects to carry out their attacks. HTTP allows servers to redirect a client’s HTTP request to a different server.

HTTP redirection is used, for example, when web content has moved to a different URL or domain name. This allows old URLs and bookmarks to continue to function. Therefore, security analysts should understand how a function such as HTTP redirection works and how it can be used during attacks.

When the response from the server is a 302 Found status, it also provides the URL in the location field. The browser believes that the new location is the URL provided in the header. The browser is invited to request this new URL. This redirect function can be used multiple times until the browser finally lands on the page that contains the exploit. The redirects may be difficult to detect due to the fact that legitimate redirects frequently occur on the network.

These are some ways to prevent or reduce HTTP 302 cushioning attacks:

• Use a web proxy to block malicious sites.
• Use a service such as Cisco Umbrella to prevent users from navigating to websites that are known to be malicious.
• Make sure the end user understands how the browser is redirected through a series of HTTP 302 redirections.

Domain Shadowing
When a threat actor wishes to create a domain shadowing attack, the threat actor must first compromise a domain. Then, the threat actor must create multiple subdomains of that domain to be used for the attacks.

Hijacked domain registration logins are then used to create the many subdomains needed. After these subdomains have been created, attackers can use them as they wish, even if they are found to be malicious domains. They can simply make more from the parent domain. The following sequence is typically used by threat actors:

1. A website becomes compromised.
2. HTTP 302 cushioning is used to send the browser to malicious websites.
3. Domain shadowing is used to direct the browser to a compromised server.
4. An exploit kit landing page is accessed.
5. Malware downloads from the exploit kit landing page.

These are some ways to prevent or reduce domain shadowing attacks:

• Secure all domain owner accounts. Use strong passwords and use two-factor authentication to secure these powerful accounts.
• Use a web proxy to block malicious sites.
• Use a service such as Cisco Umbrella to prevent users from navigating to web sites that are known to be malicious.
• Make sure that domain owners validate their registration accounts and look for any subdomains that they have not authorized.

The following are examples of email threats:

• Attachment-based attacks – Threat actors embed malicious content in business files such as an email from the IT department. Legitimate users open malicious content. Malware is used in broad attacks often targeting a specific business vertical to seem legitimate, enticing users working in that vertical to open attachments or click embedded links.
• Email spoofing – Threat actors create email messages with a forged sender address that is meant to fool the recipient into providing money or sensitive information. For example, a bank sends you an email asking you to update your credentials. When this email displays the identical bank logo as mail you have previously opened that was legitimate, it has a higher chance of being opened, having attachments opened and links clicked. The spoofed email may even ask you to verify your credentials so that the bank is assured that you are you, exposing your login information.
• Spam email – Threat actors send an unsolicited email containing advertisements or malicious files. This type of email is sent most often to solicit a response, telling the threat actor that the email is valid and a user has opened the spam.
• Open mail relay server – Threat actors take advantage of enterprise servers that are misconfigured as open mail relays to send large volumes of spam or malware to unsuspecting users. The open mail relay is an SMTP server that allows anybody on the internet to send mail. Because anyone can use the server, they are vulnerable to spammers and worms. Very large volumes of spam can be sent by using an open mail relay. It is important that corporate email servers are never set up as an open relay. This will considerably reduce the number of unsolicited emails.
• Homoglyphs – Threat actors can use text characters that are very similar or even identical to legitimate text characters. For example, it can be difficult to distinguish between an O (upper case letter O) and a 0 (number zero) or a l (lower case “L”) and a 1 (number one). These can be used in phishing emails to make them look very convincing. In DNS, these characters are very different from the real thing. When the DNS record is searched, a completely different URL is found when the link with the homoglyph is used in the search.

Just like any other service that is listening to a port for incoming connections, SMTP servers also may have vulnerabilities. Always keep SMTP software up to date with security and software patches and updates.

To further prevent threat actors from completing their task of fooling the end-user, implement countermeasures. Use a security appliance specific to email such as the Cisco Email Security Appliance.

This will help to detect and block many known types of threats such as phishing, spam, and malware. Also, educate the end-user. When attacks make it by the security measures in place, and they will sometimes, the end-user is the last line of defence. Teach them how to recognize spam, phishing attempts, suspicious links and URLs, homoglyphs, and never open suspicious attachments.

• Stored (persistent) – This is permanently stored on the infected server and is received by all visitors to the infected page.
• Reflected (non-persistent) – This only requires that the malicious script is located in a link and visitors must click the infected link to become infected.

These are some ways to prevent or reduce XSS attacks:

• Be sure that web application developers are aware of XSS vulnerabilities and how to avoid them.
• Use an IPS implementation to detect and prevent malicious scripts.
• Use a web proxy to block malicious sites.
• Use a service such as Cisco Umbrella to prevent users from navigating to websites that are known to be malicious.
• As with all other security measures, be sure to educate end-users. Teach them to identify phishing attacks and notify infosec personnel when they are suspicious of anything security-related.

Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be delighted to do that because I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training. 

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

CRMNUGGETS  is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.

• Assets – Anything of value to an organization that must be protected including servers, infrastructure devices, end devices, and the greatest asset, data.
• Vulnerabilities – A weakness in a system or its design that could be exploited by a threat actor.
• Threats – Any potential danger to an asset.

Threat identification provides an organization with a list of likely threats for a particular environment. When identifying threats, it is important to ask several questions:

• What are the possible vulnerabilities of a system?
• Who may want to exploit those vulnerabilities to access specific information assets?
• What are the consequences if system vulnerabilities are exploited and assets are lost?

The threat identification for an e-banking system would include:

• Internal system compromise – The attacker uses the exposed e-banking servers to break into an internal bank system.
• Stolen customer data – An attacker steals the personal and financial data of bank customers from the customer database.
• Phony transactions from an external server – An attacker alters the code of the e-banking application and makes transactions by impersonating a legitimate user.
• Phony transactions using a stolen customer PIN or smart card – An attacker steals the identity of a customer and completes malicious transactions from the compromised account.
• Insider attack on the system – A bank employee finds a flaw in the system from which to mount an attack.
• Data input errors – A user inputs incorrect data or makes incorrect transaction requests.
• Data centre destruction – A cataclysmic event severely damages or destroys the data centre.

Identifying vulnerabilities on a network requires an understanding of the important applications that are used, as well as the different vulnerabilities of that application and hardware. This can require a significant amount of research on the part of the network administrator.

• Edge router – The first line of defence is known as an edge router (R1 in the figure). The edge router has a set of rules specifying which traffic it allows or denies. It passes all connections that are intended for the internal LAN to the firewall.
• Firewall – The second line of defence is the firewall. The firewall is a checkpoint device that performs additional filtering and tracks the state of the connections. It denies the initiation of connections from the outside (untrusted) networks to the inside (trusted) network while enabling internal users to establish two-way connections to the untrusted networks. It can also perform user authentication (authentication proxy) to grant external remote users access to internal network resources.
• Internal router – Another line of defence is the internal router (R2 in the figure). It can apply final filtering rules on the traffic before it is forwarded to it’s destination.

Routers and firewalls are not the only devices that are used in a defence-in-depth approach. Other security devices include Intrusion Prevention Systems (IPS), Advanced Malware Protection (AMP), web and email content security systems, identity services, network access controls and more.
In the layered defence-in-depth security approach, the different layers work together to create a security architecture in which the failure of one safeguard does not affect the effectiveness of the other safeguards.

A comprehensive security policy has a number of benefits, including the following:

• Demonstrates an organization’s commitment to security
• Sets the rules for expected behavior
• Ensures consistency in system operations, software and hardware acquisition and use, and maintenance
• Defines the legal consequences of violations
• Gives security staff the backing of management

Security policies are used to inform users, staff, and managers of an organization’s requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.

The table lists policies that may be included in a security policy.

• Specify the goals of the BYOD program.
• Identify which employees can bring their own devices.
• Identify which devices will be supported.
• Identify the level of access employees are granted when using personal devices.
• Describe the rights to access and activities permitted to security personnel on the device.
• Identify which regulations must be adhered to when using employee devices.
• Identify safeguards to put in place if a device is compromised.

The table lists BYOD security best practices to help mitigate BYOD vulnerabilities.

As shown in the figure, the CIA triad consists of three components of information security:

• Confidentiality – Only authorized individuals, entities, or processes can access sensitive information.
• Integrity – This refers to the protection of data from unauthorized alteration.
• Availability – Authorized users must have uninterrupted access to the network resources and data that they require.

Network data can be encrypted (made unreadable to unauthorized users) using various cryptography applications. The conversation between two IP phone users can be encrypted. The files on a computer can also be encrypted. These are just a few examples. Cryptography can be used almost anywhere that there is data communication. In fact, the trend is toward all communication being encrypted.

Zero trust is a comprehensive approach to securing all access across networks, applications, and environments. This approach helps secure access from users, end-user devices, APIs, IoT, microservices, containers, and more. It protects an organization’s workforce, workloads, and workplace.

The principle of a zero-trust approach is, “never trust, always verify.” Assume zero trusts any time someone or something requests access to assets. A zero-trust security framework helps to prevent unauthorized access, contain breaches, and reduce the risk of an attacker’s lateral movement through a network.

Traditionally, the network perimeter, or edge, was the boundary between inside and outside, or trusted and untrusted. In a Zero trust approach, any place at which an access control decision is required should be considered a perimeter.

This means that although a user or other entity may have successfully passed access control previously, they are not trusted to access another area or resource until they are authenticated. In some cases, users may be required to authenticate multiple times and in different ways, to gain access to different layers of the network.

The three pillars of zero trust are workforce, workloads, and workplace.
Click on the buttons to learn more about the pillars of zero trust.

• Data Integrity – Guarantees that the message was not altered. Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message-digest algorithm is still widely in use, however, it is inherently insecure and creates vulnerabilities in a network. The use of MD5 should be avoided.
• Origin Authentication – Guarantees that the message is not a forgery and does actually come from whom it states. Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).
• Data Confidentiality – Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time. Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.
• Data Non-Repudiation – Guarantees that the sender cannot repudiate, or refute, the validity of a message sent. Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.

Cryptography can be used almost anywhere that there is data communication. In fact, the trend is toward all communication being encrypted.

The example in the figure summarizes the mathematical process. A cryptographic hash function should have the following properties:

• The input can be any length.
• The output has a fixed length.
• H(x) is relatively easy to compute for any given x.
• H(x) is one way and not reversible.
• H(x) is collision-free, meaning that two different input values will result in different hash values.

If a hash function is hard to invert, it is considered a one-way hash. Hard to invert means that given a hash value of h, it is computationally infeasible to find an input for x such that h=H(x).

There are four well-known hash functions:

• MD5 with 128-bit digest – Developed by Ron Rivest and used in a variety of internet applications, MD5 is a one-way function that produces a 128-bit hashed message. MD5 is considered to be a legacy algorithm and should be avoided and used only when no better alternatives are available. It is recommended that SHA-2 or SHA-3 be used instead.
• SHA-1 – Developed by the U.S. National Security Agency (NSA) in 1995. It is very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a 160-bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a legacy algorithm.
• SHA-2 – Developed by the NSA. It includes SHA-224 (224 bit), SHA-256 (256 bit), SHA-384 (384 bit), and SHA-512 (512 bit). If you are using SHA-2, then the SHA-256, SHA-384, and SHA-512 algorithms should be used whenever possible.
• SHA-3 – SHA-3 is the newest hashing algorithm and was introduced by NIST as an alternative and eventual replacement for the SHA-2 family of hashing algorithms. SHA-3 includes SHA3-224 (224 bit), SHA3-256 (256 bit), SHA3-384 (384 bit), and SHA3-512 (512 bit). The SHA-3 family are next-generation algorithms and should be used whenever possible.

While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes that are made by a threat actor. There is no unique identifying information from the sender in the hashing procedure. This means that anyone can compute a hash for any data, as long as they have the correct hash function.
 
For example, when the message traverses the network, a potential attacker could intercept the message, change it, recalculate the hash, and append it to the message. The receiving device will only validate against whatever hash is appended.
 
Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide security to transmitted data. To provide integrity and origin authentication, something more is required.
 
Note: Hashing algorithms only protect against accidental changes and does not protect the data from changes deliberately made by a threat actor.

Examples of protocols that use asymmetric key algorithms include:

• Internet Key Exchange (IKE) – This is a fundamental component of IPsec VPNs.
• Secure Socket Layer (SSL) – This is now implemented as IETF standard Transport Layer Security (TLS).
• Secure Shell (SSH) – This protocol provides a secure remote access connection to network devices.
• Pretty Good Privacy (PGP) – This computer program provides cryptographic privacy and authentication. It is often used to increase the security of email communications.

Asymmetric algorithms are substantially slower than symmetric algorithms. Their design is based on computational problems, such as factoring extremely large numbers or computing discrete logarithms of extremely large numbers.

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange. However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

Common examples of asymmetric encryption algorithms are described in the table.

• Data is exchanged using an IPsec VPN
• SSH data is exchanged

To help illustrate how DH operates, refer to the figure.

• DH Group 1: 768 bits
• DH Group 2: 1024 bits
• DH Group 5: 1536 bits
• DH Group 14: 2048 bits
• DH Group 15: 3072 bits
• DH Group 16: 4096 bits

Note: A DH key agreement can also be based on elliptic curve cryptography. DH groups 19, 20, and 24, which are based on elliptic curve cryptography, are also supported by Cisco IOS Software.

Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption. This is why it is common to encrypt the bulk of the traffic using a symmetric algorithm, such as 3DES or AES and use the DH algorithm to create keys that will be used by the encryption algorithm.

The next figure shows how the elements of the PKI interoperate:

• In this example, Bob has received his digital certificate from the CA. This certificate is used whenever Bob communicates with other parties.
• Bob communicates with Alice.
• When Alice receives Bob’s digital certificate, she communicates with the trusted CA to validate Bob’s identity.

• Certificate Revocation List (CRL) – A list of revoked certificate serial numbers that have been invalidated because they expired. PKI entities regularly poll the CRL repository to receive the current CRL.
• Online Certificate Status Protocol (OCSP) – An internet protocol used to query an OCSP server for the revocation status of an X.509 digital certificate. Revocation information is immediately pushed to an online database.

Host-based firewalls may use a set of predefined policies, or profiles, to control packets entering and leaving a computer. They also may have rules that can be directly modified or created to control access based on addresses, protocols, and ports. Host-based firewall applications can also be configured to issue alerts to users if suspicious behaviour is detected.
They can then offer the user the ability to allow an offending application to run or to be prevented from running in the future.

Whether installed completely on the host or distributed, host-based firewalls are an important layer of network security along with network-based firewalls. Here are some examples of host-based firewalls:

• Windows Defender Firewall – First included with Windows XP, Windows Firewall (now Windows Defender Firewall) uses a profile-based approach to firewall functionality. Access to public networks is assigned the restrictive Public firewall profile. The Private profile is for computers that are isolated from the internet by other security devices, such as a home router with firewall functionality. The Domain profile is the third available profile. It is chosen for connections to a trusted network, such as a business network that is assumed to have an adequate security infrastructure. Windows Firewall has logging functionality and can be centrally managed with customized group security policies from a management server such as System Center 2012 Configuration Manager.
• iptables – This is an application that allows Linux system administrators to configure network access rules that are part of the Linux kernel Netfilter modules.
• nftables – The successor to iptables, nftables is a Linux firewall application that uses a simple virtual machine in the Linux kernel. Code is executed within the virtual machine that inspects network packets and implements decision rules regarding packet acceptance and forwarding.
• TCP Wrappers – This is a rule-based access control and logging system for Linux. Packet filtering is based on IP addresses and network services.

A host-based intrusion detection system (HIDS) is designed to protect hosts against known and unknown malware.

A HIDS can perform detailed monitoring and report on the system configuration and application activity. It can provide log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting. A HIDS will frequently include a management server endpoint, as shown in the figure.

A HIDS is a comprehensive security application that combines the functionalities of antimalware applications with firewall functionality. A HIDS not only detects malware but also can prevent it from executing if it should reach a host. Because the HIDS software must run directly on the host, it is considered an agent-based system.

It can be said that host-based security systems function as both detection and prevention systems because they prevent known attacks and detect unknown potential attacks.

A HIDS uses both proactive and reactive strategies. A HIDS can prevent intrusion because it uses signatures to detect known malware and prevent it from infecting a system. However, this strategy is only good against known threats. Signatures are not effective against new, or zero-day, threats.

In addition, some malware families exhibit polymorphism. This means that variations of a type, or family, of malware, may be created by attackers that will evade signature-based detections by changing aspects of the malware signature just enough so that it will not be detected. An additional set of strategies are used to detect the possibility of successful intrusions by malware that evades signature detection:

• Anomaly-based – Host system behaviour is compared to a learned baseline model of normal behaviour. Significant deviations from the baseline are interpreted as the result of some sort of intrusion. If an intrusion is detected, the HIDS can log details of the intrusion, send alerts to security management systems, and take action to prevent the attack. The measured baseline is derived from both user and system behaviour. Because many things other than malware can cause system behaviour to change, anomaly detection can create many erroneous results which can increase the workload for security personnel and also lower the credibility of the system.

• Policy-based – Normal system behaviour is described by rules, or the violation of rules, that are predefined. Violation of these policies will result in action by the HIDS. The HIDS may attempt to shut down software processes that have violated the rules and can log these events and alert personnel to violations. Most HIDS software comes with a set of predefined rules. With some systems, administrators can create custom policies that can be distributed to hosts from a central policy management system.