This document provides an overview of networking and security concepts including the OSI model, functions of common network devices like routers, switches, firewalls and IDS/IPS systems. It describes technologies like NAT, VPNs, encryption, file integrity monitoring and SIEM. It also includes brief introductions to Linux, the CCNA and a case study on site-to-site VPN deployment considerations.

1. Finto Thomas
Created 18 Nov 2011
Reviewed : Mar 2015
Ver 3.0
Network & security Startup
Before we enter to LAB
1

2. Agenda
 OSI Model Overview
 Function of network & security devices
 Routers / Switches
 Firewall
 Proxy firewall
 State full firewall
 Packet filter firewall
 IDS /IPS
 Web Application Firewall – WAF
 File Integrity manager – FIM
 Anti Spam / MTA / Email Gateway (MX)
 Encryption - VPN
 File & Whole Disk Encryption
 Vulnerability Vs Risk
 Security Event & Incident Management - SIEM
 Network Cheat Sheet
 Linux overview
 CASE STUDY
2

3. Open Systems Interconnection model (OSI model)
Application 7
Presentation 6
Session 5
Transport 4
Network 3
Data Link 2
Physical 1
DATA
Format
Logical
Connection
TCP /UDP /
ICMP
IP / IPX /
SNA
MAC
bit
DATA
Segment
Packet
Frames
bit
Layers Function DATA UNIT
Why ISO – OSI Model
To be in standardized
communication between
multivendor devices in
networked scenarios, else
we have to strict to purchase
always one vendor products
to communicate each other
!!!
3

4.  Application (7) – is provide end-user interface & process Everything at this layer is
application-specific. This layer provides application services for file transfers, e-mail, and
other network software services. Telnet and FTP are applications that exist entirely in the
application level. Tiered application architectures are part of this layer.
 Presentation (6) - provides independence from differences in data representation, which
format we save the content and processing while accessing the from file system. . It is
sometimes called the syntax layer.
 Session (5) - , manages and terminates connections between applications and between
hosts The session layer sets up, coordinates, and terminates conversations, exchanges, and
dialogues between the applications at each end machines. It deals with session and
connection coordination.
 Transport (4) - This layer provides transparent transfer of data between end systems, or
hosts, and is responsible for end-to-end error recovery and flow control. It ensures complete
data transfer. By define the traffic TCP/ UDP. And for PING using ICMP protocol.
 Network (3) - provides routing technologies, creating logical paths, known as virtual circuits,
for transmitting data from node to node. Routing and forwarding are functions of this layer, as
well as addressing, internetworking, error handling, congestion control and packet
sequencing. By define routing & routed protocols. Routed protocol are IP , IPX and IBM’s
SNA. Routing protocal are OSPF, EIGRP.. etc (Routers & layer 3 Switches)
 Data link (2) - At this layer, data packets are encoded and decoded into bits. It furnishes
transmission protocol knowledge and management and handles errors in the physical layer,
flow control and frame synchronization. The data link layer is divided into two sub layers: The
Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sub
layer controls how a computer on the network gains access to the data and permission to
transmit it. The LLC layer controls frame synchronization, flow control and error checking.
(Switches)
 Physical (1) - This layer conveys the bit stream - electrical impulse, light or radio signal --
GoldenRulesofNetwork&
Security
4

5. Function of network & security devices
In present Network infrastructure we can meet multiple types of devices, each
devices have its own functions,
Routers - Layer 3 Routing device working routed Protocols like IP, IPX. If there
is two different subnet machine must need a router to communicate between
those. Also known as Packet filter Firewall because it can block or allow
traffic on packet based (IP based). (Cisco IOS, 7500, Juniper JUNOS)
Switches – Layer 2 Switching devices for switching the path between hosts with
MAC on same subnet. If we have only two machine we can setup direct
connection, but if have more then two we bring Switches or HUB to
interconnects.(Cisco IOS, Juniper , Nortel). There are Two kind –
Manageable & non Manageable Switches for VLAN creation.
Note : Layer 3 switches are capable with routing function.
HUB – Layer 1 device older version for interconnect multiple machine in same
subnet, with single broadcast & Collision domain, which was over come in
Switches. (Dlink, Netgear)
State full Firewall – Layer 7 Device for Gate way function to allow or deny the
network traffic passing though this device based on IP address or/and TCP/
UDP port. And its keep a state table of each session passing through this FW,
so when a return packet came will match to this table to allow to inside
back.(Juniper Screen OS, Cisco PIX /ASA, Microsoft ISA, Check point, Cross
beam, Nokia, Sonicwall)
Load Balancers (LB) - Load balancers used for Network or Server based
5

6.  Computers are working on all Layers, so its can show all natures of any network security
device, still we are going for specific appliance because of performance and reliability.
 When a packet passing through L2 Switch always its modify the MAC address of Source
and Destination.
 When a packet passing through Router its always change MAC address and may IP for
NATing
 When a packet pass through IPS, its will alter the MAC. IP address according to device
deployment mode
 When a packet pass through Firewall , will change MAC. IP address & port number can
change according to deployment – NAT & PAT.
 NAT - IP Address Translation can we achieved in different way according to architecture
of network customers needed. Routers & Firewalls can perform these actions. One to
One is Static NAT, Group of Private IPs to one or more IP translations known as PAT
(Port address translation.)
 MIP & VIP - Statically mapped Public IP’s known as MIP (Mapped IP). Group based
(Server Forms ) to limited Public knowm VIP.
Client PC Switch -L2 Router – L3 IDS/IPS Firewall
6

7. IDS/ IPS –all Layer 7, can report or block significant traffic/code on specific ports,
Example – firewall can block/allow entire traffic through port http (80), IPS can
block content based filtering on (Suspicious) traffic and genuine packets still
allow to inside through HTTP port.
Host based IDS/IPS can install over a OS to protect the specific machine
(Proventia for Windows, Endpoint security.)
Network based IDS/IPS using to monitor the traffic over a network. Draw back is
only can block (Inline protection) the traffic if the packet passing through the
appliance. Example, if need to monitor a traffic on single switch can only do
Detection, but between two switch / Router /firewall can put in inline protection
mode to block suspicious traffic.
An IDS can only configure as Detection only mode but IPS can be both Detection
(Promiscuous) or Prevention mode (Inline).
Note : Please refer next page Diagram to understand better.
 ISS have two line of product Proventia (IPS) and real sensor (IDS), Proventia
have Software version for Linux & windows serves and Desktop along with
Appliance (HW + customized OS + Application) GX series.
 Other vendors are Cisco’s IDM, Juniper IDM, Soucrefire (Snort IDS), McAfee’s
Intrushield
7
IDS or IPS

8. Promiscuous / TAP
mode: Here we can
only put the agent in
Detection mode only
even its IPS support
Inline mode: Here
we can put the
agent in Detection /
Prevention mode
according to device
capability or design
wise.
PIC -1
PIC - 2
8

9. Web Application Firewall
9
A web application firewall (WAF) is an appliance, server
plugin, or filter that applies a set of rules to an HTTP
conversation. Generally, these rules cover common
attacks such as cross-site scripting (XSS) and SQL
injection. By customizing the rules to your application,
many attacks can be identified and blocked ; Wiki-OWASP
 ADC – Application Defense Center (Research-Driven Security Policies)
 Threat Radar
 Drop in deployment
 Four Mode of Implementations
 OWASP_Best_Practices:_Use_of_Web_Application
_Firewalls
Cont.

10. 10
Imperva–
SecureSphere

11. File Integrity Manager - FIM
11
File integrity monitoring (FIM) is an internal control or
process that performs the act of validating the integrity of
operating system and application software files using a
verification method between the current file state and the
known, good baseline. This comparison method often
involves calculating a known cryptographic checksum of the
file's original baseline and comparing with the calculated
checksum of the current state of the file.[1] Other file
attributes can also be used to monitor integrity.[2]
Generally, the act of performing file integrity monitoring is
automated using internal controls such as an application or
process. Such monitoring can be performed randomly, at a
defined polling interval, or in real-time.
 Regulatory requirement

12.  Proxy – work on upper layer (7,6 5 & 4 layers). Its also known as
Application firewall or Proxy firewall. where both ends of a connection
are forced to conduct the session through the proxy. turns a two-party
session into a four-party session, with the middle process emulating
the two real hosts. So firewall proxy servers centralize all activity for
an application into a single server for SMTP (Emails), HTTP
(Internets), etc.. Below picture is an example of forward Proxy.
(Blucoat, Websense, Iron Port)
 Note :A reverse proxy taking requests from the Internet and
forwarding them to servers in an internal network. So Serve identity is
safe, LB and SSL will doing by these reverse proxies.
PIC – 3
12
Proxy Server

13. Web & Mail | Anti Spam Traffic flow
PIC - 4
Web traffic (http & https) will choose Proxy server route by PROXY setting on
web browser. If there is no PROXY setting will take the default routing route
available on machine.
Note : To see Routes & Default Route on machine use command ‘route print’ Or
‘netstat –r’.13

14. Email Gateway & Anti Spam
 mail transfer agent (MTA) or mail relay is software that transfers
electronic mail messages from one computer to another using a client–
server application architecture (MS exchange server Or Lotus Domino
Server). An MTA implements both the client (sending) and server
(receiving) portions of the Simple Mail Transfer Protocol.
 The terms mail server, mail exchanger, and MX host may also refer to
a computer performing the MTA function. The Domain Name System
(DNS) associates a mail server to a domain with mail exchanger (MX)
resource records containing the domain name of a host providing MTA
services
 Anti Spam & anti virus appliances will use at gate way level to reduce
the SPAM coming inside. (Proventia Mail scanner, Iron port )
14
PIC - 5

15.  Encryption is the process of transforming data into an unintelligible
form to prevent the unauthorized use of the data. To read an
encrypted file, you must have access to a secret key or password that
enables you to decrypt it. Unencrypted data is called plain text;
encrypted data is called cipher text. A cipher is an encryption-
decryption algorithm.
 User ID & Password | Documents & mails - Certificates
 Desktop / removable disk Encryption - PGP
 VPN - Site to Site , Client access & SSL - HTTPS & Cisco / Juniper VPN
client
Encryption
15
PIC – 6

16. VPN
 A virtual private network (VPN) is a network that uses primarily public
telecommunication infrastructure, such as the Internet, to provide remote offices
or traveling users access to a central organizational network.
 VPNs typically require remote users of the network to be authenticated, and often
secure data with encryption technologies to prevent disclosure of private
information to unauthorized parties.
 VPNs may serve any network functionality that is found on any network, such as
sharing of data and access to network resources, printers, databases, websites,
etc. A VPN user typically experiences the central network in a manner that is
identical to being connected directly to the central network. VPN technology via
the public Internet has replaced the need to requisition and maintain expensive
dedicated leased-line telecommunication circuits once typical in wide-area
network installations.
• Between Offices (Sites) using Site to
Site VPN (IPSec), other name is
LAN to LAN Tunnel.
• Remote single users using ‘Client
VPN’ or ‘Remote User VPN ‘ (Exp
BHPB- Cisco VPN, SSB – Juniper)
IPSec framework.
• SSL VPN is different than IPSec,
used on WEB based VPNs – HTTPS
and citrix VPN (SSB citrix
connection)
• SOCKS is again a different frame
work for Secure communications.
16
PIC - 7

17. File & Whole disk Encryption
17

18. Threat Vs Vulnerability Vs Risk
 The term “vulnerability” refers to the security flaws (Weakness ) in a system
that allow an attack to be successful.
 Threat is the frequency of potentially adverse events.
 Risk = Threat * Vulnerability * Asset Value
Scenario 1: forgot the Car key in side the Car is an Vulnerability, threat here is
where we put the car & key, in City or Village, ie how potential on vulnerability.
Asser value is what kind car we using Maruti or Ferrari  .
Scenario 2:Think we left server / laptop unlocked in home or office
 a vulnerability assessment is the process of identifying and quantifying
vulnerabilities in an environment. It is an in-depth evaluation of your posture,
indicating weaknesses as well as providing the appropriate mitigation
procedures required to either eliminate those weaknesses or reduce them to
an acceptable level of risk.
 On the other hand, a pen test simulates the actions of an external and/or
internal attacker that aims to breach the security of the organization. Using
many tools and techniques, the penetration tester attempts to exploit critical
systems and gain access to sensitive data. Depending on the scope, a pen
test can expand beyond the network to include social engineering attacks or
physical security tests. (White Box, Gray Box, Black Box) (Back Track 5 - OS)18

19. SIEM
19
 Event & Log Collection to a centralized console
 Normalize the event
 Correlate the events
 Identify the suspected activity
 Link to the VA reports
 Report and visibility to the security.

20. 20
CCNA Cheat Sheet - Network Overview

21. Linux Overview
21
 Everything in Linux is a file including the hardware and even the directories.
 # : Denotes the super(root) user
 $ : Denotes the normal user
 No capital letters on linux commands / file names . And all are case
sensitive.
 /root: Denotes the super user’s directory
 /home: Denotes the normal user’s directory.
 Up arrow key: To redisplay the last executed command. The Down arrow
key can be used to print the next command used after using the Up arrow
key previously.
 cd : The cd command can be used trickily in the following ways:
 cd : To switch to the home user
 cd * : To change directory to the first file in the directory (only if the first file is a
directory)
 cd .. : To move back a folder
 cd - : To return to the last directory you were in
 Files starting with a dot (.) are a hidden file.
 To view hidden files: ls -a
 ls: The ls command can be use trickily in the following ways:
 ls *.* : To view a list of all the files with extensions only.
 Pwd : to show the present location we stand

22. Thank you
Case Study :
•Why need Site to Site VPN instead more
secure and reliable Leased line ?
•Why Firewall not placed directly from
internet and link terminations
•How Failover Works
•Why need VLANs
•Where and all can placed IDS or IPS
22 PIC- 8