1 hour agoSrinivas Goud Thadakapally week 3 discussionCOLL.docx

1 hour ago
Srinivas Goud Thadakapally
week 3 discussion
COLLAPSE
Top of Form
Separation in a network is essential, of course. It would be more
annoyed with that much knowledgeability and security features
if it were only about security. However, it makes this network
much more flexible, and in some ways makes it more secure. It
reduces the potential for internal and external attacks on the
same network and makes it harder for someone to take over the
network. Furthermore, this separation keeps our data away from
third parties. Separation of access is essential in a network, for
example, to ensure that a user cannot access the whole network.
It is common for specific applications and software installations
on the personal computer to operate in the background. In this
regard, it is possible to customize the software operating mode
to make the software operation hidden to not be visible to the
user. No one server or group of servers is going to have to
withstand many other servers. The first line of defense in any IT
environment is resource partitioning to enable critical
infrastructure to handle all requests without overloading the
primary server (Jaeger et al., 2016).
Separation is basically the process of using multiple processes
with some type of separation for Process separation of access to
objects and data. Separation (or transient segregation) can occur
in both physical and logical network segments. The trick with
security is to keep it away from the IT infrastructure. For
example, a firewall is still strictly considered a technical
security tool because it is not supposed to affect business
activities. it is possible to separate administrative control,
physical systems, and data between those with different roles

within the organization. The behavior within the network is like
partitioning an IT environment into discrete services, although
some elements of this concept have not been adopted in Active
Directory–in particular, policies and modules. A system
administrator can move control of the administrative control of
physical systems or systems within the network to a different
server. However, when implementing security controls on
deployments, it becomes essential to understand the scale at
which the resources need to be distributed. Simply put,
separation makes IT more secure (Liu et al., 2019).
References
Jaeger, B., Kraft, R., Luhn, S., Selzer, A., & Waldmann, U.
(2016, August). Access Control and Data Separation Metrics in
Cloud Infrastructures. In 2016 11th International Conference on
Availability, Reliability, and Security (ARES) (pp. 205-210).
IEEE.
Liu, W., Zhang, K., Tu, B., & Lin, K. (2019, August). HyperPS:
A Hypervisor Monitoring Approach Based on Privilege
Separation. In 2019 IEEE 21st International Conference on
High-Performance Computing and Communications; IEEE 17th
International Conference on Smart City; IEEE 5th International
Conference on Data Science and Systems
(HPCC/SmartCity/DSS) (pp. 981-988). IEEE.
Bottom of Form
13 hours ago
BIPIN NEUPANE
Week3_Discussion
COLLAPSE

Top of Form
Before we look into how separation within a network is
facilitated, let’s look at two broader things – network
segmentation and separation. Network segmentation includes
the breaking down of the entire network structure into separate
bits and pieces that allow individual levels of security control.
On the other hand, network separation means using various
access controls and security measures to allow/disallow
connections among the segmented smaller networks.
If we look at it technically, we all know that we have firewalls
installed on our personal as well as corporate computers and
other devices. Similarly, servers hosting the internet at the
worksite also do have the software and hardware level firewalls
installed that offer added security. This firewall helps separate
custom separation and offers network separation. Separation
layers help keep the intruders away as well as promote safety
and limit the control of access and network movement over the
corporate network environment. The reduction of network
attacks and removal of unwanted access helps mute the risk of
system failures and security breaches.
Segmentation and separation not only limit attackers from
moving one sub-network to another using firewall separation
but also limit the scope of the security breach and buys
additional time for the corporate to deploy countermeasures, so
the rest of the network is not accessed (Metivier, 2017).
Another technical control is that by implementing the least
privilege policy, access can be given to employees only for
essential roles (Metivier, 2017). It helps prevent attacks from
insiders also. Additionally, events are logged, internal
connections (regardless of whether they were permitted) are
monitored, and suspicious behavior is attacked using firewalls.
Also, with the reduction of unwanted access and traffic, the
performance of network systems can be boosted (Metivier,
2017). With the introduction of IPv6, there are even better ways
to implement the network separation with the ‘Quarantine
Model’ that helps fit network nodes to individual network

segments and deploy different security policies on each sub-
network. Therefore, even as technology grows, adapted, and
updated versions of network segmentation can always be
achieved to arrive at the optimum security measures (Suzuki &
Kondo, 2005).
In my experience, a company that allows the network
connection to 7000 employees will have a challenging time
managing the security and firewall without segmentation and
separation. Only then management, diagnosis, individual
security measures can be implemented for the most optimum
protection and access sought by the company. Optimum network
separation helps motivate the practices of zero access by
default, least privilege policy, among many others, and helps
maintain security structure and rules to prevent security access,
monitoring, and unwanted access to computers, internal
systems, and private databases. Therefore, although there are a
few concerns such as operation costs, antispoofing concerns,
and concerns of encryption management with various models
such as the quarantine model, it is safe to say that network
separation is an exceptional technical control (Suzuki & Kondo,
2005).
References
Metivier, B. (2017). The Security Benefits of Network
Segmentation. https://www.tylercybersecurity.com/blog/the-
security-benefits-of-network-segmentation
Suzuki, S., & Kondo, S. (2005). Dynamic Network Separation
for IPv6 Network Security
Enhancement. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&
arnumber=1619969
Bottom of Form

1
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 3
Separation
Cyber Attacks
Protecting National Infrastructure, 1st ed.
2
• Using a firewall to separate network assets from
intruders is the most familiar approach in cyber
security
• Networks and systems associated with national
infrastructure assets tend to be too complex for
firewalls to be effective
All rights Reserved
C
h
a
p
te
r 3

–
S
e
p
a
ra
tio
n
Introduction
3
• Three new approaches to the use of firewalls are
necessary to achieve optimal separation
– Network-based separation
– Internal separation
– Tailored separation
All rights Reserved
C
h
a
p
te
r 3

–
S
e
p
a
ra
tio
n
Introduction
4
Fig. 3.1 – Firewalls in simple and
complex networks
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p

a
ra
tio
n
5
• Separation is a technique that accomplishes one of
the following
– Adversary separation
– Component distribution
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio

n
What Is Separation?
6
• A working taxonomy of separation techniques: Three
primary factors involved in the use of separation
– The source of the threat
– The target of the security control
– The approach used in the security control
(See figure 3.2)
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra

tio
n
What Is Separation?
7
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.2 – Taxonomy of separation
techniques

8
• Separation is commonly achieved using an access
control mechanism with requisite authentication and
identity management
• An access policy identifies desired allowances for
users requesting to perform actions on system
entities
• Two approaches
– Distributed responsibility
– Centralized control
– (Both will be required)
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra

tio
n
Functional Separation?
9
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.3 – Distributed versus centralized
mediation

10
• Firewalls are placed between a system or enterprise
and an un-trusted network (say, the Internet)
• Two possibilities arise
– Coverage: The firewall might not cover all paths
– Accuracy: The firewall may be forced to allow access that
inadvertently opens access to other protected assets
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
National Infrastructure Firewalls

11
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.4 – Wide area firewall
aggregation and local area firewall
segregation
12
• Increased wireless connectivity is a major challenge

to national infrastructure security
• Network service providers offer advantages to
centralized security
– Vantage point: Network service providers can see a lot
– Operations: Network providers have operational capacity
to keep security software current
– Investment: Network service providers have the financial
wherewithal and motivation to invest in security
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
National Infrastructure Firewalls

13
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.5 – Carrier-centric network-based
firewall
14
• Network-based firewall concept includes device for
throttling distributed denial of service (DDOS) attacks

• Called a DDOS filter
• Modern DDOS attacks take into account a more
advanced filtering system
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
DDOS Filtering
15
All rights Reserved

C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.6 – DDOS filtering of inbound
attacks on target assets
16
• SCADA – Supervisory control and data acquisition
• SCADA systems – A set of software, computer, and
networks that provide remote coordination of
control system for tangible infrastructures
• Structure includes the following
– Human-machine interface (HMI)
– Master terminal unit (MTU)

– Remote terminal unit (RTU)
– Field control systems
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
SCADA Separation Architecture
17
All rights Reserved

C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.7 – Recommended SCADA system
firewall architecture
18
• Why not simply unplug a system’s external
connections? (Called air gapping)
• As systems and networks grow more complex, it
becomes more likely that unknown or unauthorized
external connections will arise
• Basic principles for truly air-gapped networks:
– Clear policy

All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.8 – Bridging an isolated network
via a dual-homing user
20
• Hard to defend against a determined insider
• Threats may also come from trusted partners
• Background checks are a start
• Techniques for countering insider attack
– Internal firewalls

– Deceptive honey pots
– Enforcement of data markings
– Data leakage protection (DLP) systems
• Segregation of duties offers another layer of
protection
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Insider Separation
21

All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.9 – Decomposing work functions
for segregation of duty
22
• Involves the distribution, replication, decomposition,
or segregation of national assets
– Distribution: creating functionality using multiple
cooperating components that work together as distributed
system

– Replication: copying assets across components so if one
asset is broken, the copy will be available
– Decomposition: breaking complex assets into individual
components so an isolated compromise won’t bring down
asset
– Segregation: separation of assets through special access
controls, data markings, and policy enforcement
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Asset Separation

23
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.10 – Reducing DDOS risk through
CDN-hosted content
24
• Typically, mandatory access controls and audit trail
hooks were embedded into the underlying operating
system kernel

a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.11 – Using MLS logical separation
to protect assets
26
• Internet separation: Certain assets simply shouldn’t
be accessible from the Internet
• Network-based firewalls: These should be managed
by a centralized group
• DDOS protection: All assets should have protection in
place before an attack
• Internal separation: Critical national infrastructure
settings need an incentive to implement internal
separation policy

• Tailoring requirements: Vendors should be
incentivized to build tailored systems such as firewalls
for special SCADA environments
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
National Separation Program

1 hour agoSrinivas Goud Thadakapally week 3 discussionCOLL.docx

Recommended

Recommended

More Related Content

Similar to 1 hour agoSrinivas Goud Thadakapally week 3 discussionCOLL.docx

Similar to 1 hour agoSrinivas Goud Thadakapally week 3 discussionCOLL.docx (20)

More from croftsshanon

More from croftsshanon (20)

Recently uploaded

Recently uploaded (20)

1 hour agoSrinivas Goud Thadakapally week 3 discussionCOLL.docx