This guide is not meant to be all encompassing. It is a reference to give someone who is interested in network security, but does not know where to start, some guidance on how to begin learning about the vast field of network security and where to look for information. The important thing to keep in mind is to stay focused and learn little by little. It is easy to become intimidated when looking at the big picture and all that it entails. Focus on each section and gradually increase your knowledge base. There are many courses you can take to become familiar with the basics of network security. SANS Institute has many tracks dealing with the different areas of network security. Track 1 is their Basic Security Essentials and the CISSP 10 Domains and will give you a great in-depth look into the world of network security. More information can be found at www.sans.org by clicking on track 1 for any of the conferences. For further reading on different areas of network security, try the SANS reading room at www.sans.org/rr/; it is a great reference to have. Remember that defense in depth is the key to good network security.
When learning about network security, there are many terms that you will hear, and it is important to become familiar with them. Many of the areas listed below use much of this terminology, so having an understanding of it is important. Here is a great link to get you up to speed quickly: www.sans.org/resources/glossary.php
Another key element to be familiar with is the ISO/OSI seven layer model, as well as the Department of Defense (DOD) TCP/IP five layer model, which describes the process of how information/data gets from one system to another. It does this by defining interconnecting layers through which the information travels. You will hear folks refer to a network device, maybe a switch, and they may describe the switch as being a layer two and/or layer three device. They are referring to the ability of the switch to interact with data at that particular layer of the model. Here are some good references which describe the ISO/OSI model:
ISO/OSI and TCP/IP Model
ISO/OSI Model for Dummies.
Applying the OSI Seven Layer Network Model to Information Security.
Understanding Security Using the OSI Model.
The following table is provided for quick reference between the two and how they relate.
TCP/IP        OSI
Application   Application
              Presentation
              Session
Transport     Transport
Internet      Network
Datalink      Datalink
Physical      Physical
A network is connected by many different devices, all providing different services and used to give different types of systems, in different locations or the same location, the ability to communicate. It is important to familiarize yourself with the major devices that allow communication. It also would be good to study the different network topologies and understand how they work.
Useful Links for Network Devices
Networking Basics
Quick and Dirty: Hubs, Switches, and Routers
Hubs, Switches, and Routers A Hands-on How-to
Chapter 5: Traffic Regulators
Chapter 3: Hardware
Cisco Network Topologies and LAN Design
Useful Links for Network Topologies
All of the systems and devices on a network communicate via some type of protocol. There are numerous types of protocols, all with different purposes. There are some primary protocols that you need to become very familiar with, both how they work and how they are implemented.
Useful Links for Network Protocols
Monitoring The ARP Protocol On Local Area Networks
Digging Deeper Into TCP/IP
RFC 768: User Datagram Protocol
RFC 793: Transmission Control Protocol
RFC 792: Internet Control Message Protocol
RFC 826: An Ethernet Address Resolution Protocol
RFC 903: A Reverse Address Resolution Protocol
ARP, Address Resolution Protocol
ICMP Types and Their RFC References
SANS TCP/IP and TCPdump Reference Guide
Viewing Network Protocols
If you really want to get a feel for what network traffic looks like in action, there are plenty of packet sniffers that are easy to use. It may look confusing at first, but after a while it will all start to make sense. Take what you learned in this area and start having fun looking at packets. Here are some good tools and their links.
There are many different tools that can be used to help secure a network as well as monitor it for malicious activity. There is no "one size fits all" solution that can be applied to all networks. As such, it is important to be familiar with the different types of tools that are available. The decision about which is best to use should be based on what you're protecting and what you can afford. This should then be compared to what the total cost of ownership will be. Here are some of the different tools you should become familiar with:
Network Based Firewalls
- Stateful Inspection
- Packet filter
Useful Links for Network Based Firewalls
Firewall White Paper - What different types of firewalls are there?
SANS Reading Room: Firewalls & Perimeter Protection
Firewalls and Security
Firewalls: Friend or Foe?
Host Based Firewalls
- Software Based
- Hardware Based
Useful Links for Host Based Firewalls
Network Based IDSs
- Anomaly Based
- Signature Based
Useful Links for Network Based IDSs
What is network based intrusion detection?
What is knowledge-based intrusion detection?
What is behavior-based intrusion detection?
Host Based IDSs
- Application Specific
- Monitoring of Logs, processes and files
Useful Links for Host Based IDSs
What is host-based intrusion detection?
Setting up a simple inexpensive ($39.95) host intrusion detection system.
Firewalls and Security
Useful Links for IDSs in General
Intrusion Detection FAQ
Understanding Intrusion Detection Systems
The History and Evolution of Intrusion Detection
A Wide Selection of IDS Papers and Information
Access Control Lists
Useful Links for Access Control Lists
This one is getting its own category. Antivirus is NOT just for security folks; it is crucial to the daily operations of a network all the way down to a user at home on their personal PC. However, it is often overlooked, and if it is used it is usually not cared for in the manner in which it should be. Look at the latest widespread outbreak of MyDoom for proof of this. This is a sad state, especially considering the price of antivirus software is very affordable. Understanding what to do to protect yourself is critical, and part of that comes from keeping your antivirus up to date and using defense in depth. As a security professional, you are going to have to have a basic understanding of what the malicious code does in order to really protect your network.
All of the tools above can assist you in this endeavor if you know what the latest virus/worm is configured to do. You can't just rely on an antivirus product that scans your email. What if a user visits a malicious web page or checks their hotmail account? That bypasses your antivirus scan. Having antivirus clients on all workstations is a requirement these days. The overhead for managing this has become very low. Most vendors have an enterprise version that can push the client out to systems as well as check for updates and push them out as well. You can schedule scans, schedule when to do updates, report any virus detections on your network to a central server, or send a notification by email. The possibilities are endless, and once configured it requires very little effort. You can also tailor your perimeter security devices to block certain extensions that are used in the spreading of viruses and worms, such as .bat, .cmd, .com, .exe, .eml, .hta, .pif, .scr, etc. There are many extensions that can be used. Simply blocking these types of files will help protect your network from a zero day worm or virus.
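As an added example (not part of the original guide), here is how a mail gateway check for the extensions listed above might look. The blocklist is the guide's own list; the sample message and all function names are constructed here and are assumptions, not any vendor's product.

```python
"""Screen email attachments for the executable extensions named in the guide."""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions the guide lists as commonly used to spread worms and viruses.
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".eml", ".hta", ".pif", ".scr"}


def is_blocked(filename: str) -> bool:
    """Return True if any dotted suffix of the name is on the blocklist.

    Every suffix is checked, not only the last one, so disguised names such as
    'report.pdf.exe', 'Photo.jpg.SCR' or 'setup.exe.' (trailing dot) are all
    caught. Matching is case-insensitive. This is deliberately conservative.
    """
    parts = filename.lower().strip().split(".")
    return any("." + p in BLOCKED_EXTENSIONS for p in parts[1:])


def blocked_attachments(raw_message: bytes) -> List[str]:
    """Parse a raw RFC 822 message and return the attachment names to block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():  # walks the multipart tree, including nested parts
        name = part.get_filename()
        if name and is_blocked(name):
            found.append(name)
    return found


def sample_message() -> bytes:
    """Constructed sample: a text body, a benign PDF and a disguised screensaver."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Documents"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Photo.jpg.SCR")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(sample_message()))
```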
Useful Links for Antivirus Software and Vendors
Every operating system has different capabilities and is used to fit different needs. As such, the security for the operating system has to be tailored to fit your environment. Don't fret, because many groups have already developed guides to securing the operating system. As such, you can build on their work and simply adjust the recommendations to fit your specific needs. There are also many sites dedicated to reporting vulnerabilities for operating systems. One of the most important things to remember is to stay current on the patches for your operating system and for the applications that you are using. The following list of links will point you to where you can get more information in specific areas.
For all operating systems:
SANS Bookstore: Seven Pack of SANS Press Technical Guides
SecuriTeam.com's focus on different Operating Systems and security related issues.
National Security Agency Security Recommendation Guides
FreeBSD Security How-To
The Center for Internet Security
For Windows 2000/NT/XP:
For Linux:
Welcome to NSA/CSS INFOSEC: Security Enhanced Linux
A Question and Answer website about Linux
All the latest of Linux Security
Linux Security HOWTO
NIST Computer Security Division and CSRC home page
SANS Global Information Assurance Certification (GIAC)
SANS INFOSEC Reading Room
SANS Information and Computer Security Resources
COTSE Security/Bugs/Exploits News
Internet Security Policy: A Technical Guide.
Security Policy Resources
Federal Agency Security Practices (FASP)