📋 Overview
This module focuses on proactive defense strategies and mitigation techniques for network security threats. Students will learn about comprehensive security policies, defense-in-depth approaches, security tools and platforms, and the Cisco Network Foundation Protection (NFP) framework for systematic network protection.
🔑 Key Terms
CIA Triad
Confidentiality, Integrity, and Availability - the three fundamental components of information security.
Defense-in-Depth
Layered security approach using multiple defensive mechanisms to protect network assets.
NFP Framework
Network Foundation Protection - Cisco's comprehensive guidelines for protecting network infrastructure.
Control Plane
Responsible for routing data correctly using device-generated packets for network operation.
Management Plane
Responsible for managing network elements using protocols like SSH, SNMP, and TACACS+.
Data Plane
Responsible for forwarding user-generated packets between end devices through the network.
Defending the Network
Information Security Foundation
- Confidentiality: Ensuring information is accessible only to authorized individuals
- Integrity: Maintaining accuracy and completeness of information
- Availability: Ensuring information and resources are accessible when needed
Network Security Best Practices
- Develop a written security policy for the organization
- Educate employees about social engineering risks
- Control physical access to systems
- Use strong passwords and change them regularly
- Encrypt and password-protect sensitive data
- Implement security hardware and software (firewalls, IPS, VPN, antivirus)
- Perform regular backups and test backup files
- Shut down unnecessary services and ports
- Keep patches up-to-date to prevent buffer overflow attacks
- Perform regular security audits and network testing
Security Organizations and Certifications
| Organization | Focus |
|---|---|
| SANS | Security training and certification |
| GIAC | Information security certifications |
| ISC2 | CISSP and other security certifications |
| EC-Council | Ethical hacking and security certifications |
| ISACA | IT governance and risk management |
🔒 Network Security Policies
Security Policy Characteristics
Security policies are "living documents" that must be regularly updated as technology, business requirements, and employee needs change.
ISO/IEC 27002 Security Domains
The 14 network security domains specified by ISO/IEC 27002 organize information security into manageable categories:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security in business continuity
- Compliance
Essential Security Policies
Identification and Authentication
Defines how users are identified and verified before accessing network resources.
Password Policies
Establishes requirements for password complexity, length, and change frequency.
Acceptable Use Policy
Defines appropriate and inappropriate uses of network resources and equipment.
Remote Access Policy
Governs how external users can securely access internal network resources.
Network Maintenance Policy
Outlines procedures for maintaining network security during system updates and changes.
Incident Handling Procedures
Defines response procedures for security incidents and breaches.
🔒 Security Tools and Platforms
Security Onion vs Security Artichoke
Security Onion: Traditional layered defense where attackers must peel away each layer sequentially.
Security Artichoke: Modern borderless networks where attackers can remove individual "leaves" without peeling all layers.
Penetration Testing Tool Categories
| Category | Purpose | Examples |
|---|---|---|
| Password Crackers | Test password strength | John the Ripper, Hashcat |
| Wireless Hacking Tools | Test wireless security | Aircrack-ng, Kismet, NetStumbler |
| Network Scanning Tools | Probe for open ports | Nmap, SuperScan, Angry IP Scanner |
| Packet Crafting Tools | Test firewall robustness | Hping, Scapy, Netcat |
| Packet Sniffers | Capture and analyze traffic | Wireshark, Tcpdump, Ettercap |
| Vulnerability Scanners | Identify system vulnerabilities | Nessus, OpenVAS, SAINT |
Data Security Platforms (DSP)
FireEye Helix
Cloud-based security operations platform providing event management, network behavior analytics, advanced threat detection, and SOAR capabilities.
Cisco SecureX
Integrated platform with strong Cisco Secure portfolio integration, providing unified visibility, automation, and stronger defenses across network, endpoints, cloud, and applications.
Cisco Talos Intelligence Group
One of the largest commercial threat intelligence teams, providing comprehensive protection against active threats and maintaining security rules for Snort.org, ClamAV, and SpamCop.
Mitigating Common Attacks
Malware Mitigation
Antivirus Software
The most widely deployed security product. It is host-based protection that detects and eliminates viruses, requires regular signature updates, and should be mandated by the formal network security policy.
Perimeter Defense
Network security devices identify known malware based on indicators of compromise, removing files before they enter the network.
Worm Attack Response Phases
| Phase | Action |
|---|---|
| 1. Containment | Limit spread using network segmentation and ACLs |
| 2. Inoculation | Patch all uninfected systems to prevent further spread |
| 3. Quarantine | Identify and isolate infected machines |
| 4. Treatment | Disinfect systems and patch vulnerabilities |
Attack-Specific Mitigation Strategies
Reconnaissance Attacks
- Implement authentication for proper access
- Use encryption to render packet sniffing useless
- Deploy anti-sniffer tools
- Implement switched infrastructure
- Use firewalls and IPS systems
Access Attacks
- Enforce strong password policies
- Apply principle of minimum trust
- Implement cryptography and encryption
- Keep OS and application patches current
- Use multifactor authentication (MFA)
DoS Attacks
- Monitor network utilization continuously
- Implement network behavior analysis
- Use antispoofing technologies
- Deploy port security and DHCP snooping
- Implement IP Source Guard and DAI
Social Engineering
- Educate employees about risks
- Develop identity validation strategies
- Implement multifactor authentication
- Create security-aware culture
- Provide regular security awareness training
Cisco Network Foundation Protection Framework
The NFP framework provides comprehensive guidelines for protecting network infrastructure by dividing routers and switches into three functional planes:
Control Plane
Function: Routes data correctly using device-generated packets
Security Features:
- Routing protocol authentication
- Control Plane Policing (CoPP)
- AutoSecure
Management Plane
Function: Manages network elements using various protocols
Security Features:
- Login and password policies
- Legal notification displays
- Data confidentiality protection
- Role-based access control (RBAC)
- Action authorization
- Management access reporting
Data Plane
Function: Forwards user packets between end devices
Security Features:
- Access Control Lists (ACLs)
- Antispoofing mechanisms
- Layer 2 security features:
  - Port security
  - DHCP snooping
  - Dynamic ARP Inspection (DAI)
  - IP Source Guard (IPSG)
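As an added example (not part of the course material), the switch configuration below enables the Layer 2 data-plane features listed here, which are also the DoS mitigations named earlier (port security, DHCP snooping, DAI, IPSG). The VLAN number, interface names and topology are assumed for illustration.

```cisco
! Assumed topology (constructed): VLAN 10 is the user VLAN, Gi0/1 is the
! uplink toward the DHCP server, Gi0/2-0/24 are access ports for end devices.
ip dhcp snooping
ip dhcp snooping vlan 10
! Disable option-82 insertion unless the DHCP server understands it,
! otherwise the server may drop relayed requests.
no ip dhcp snooping information option
!
! DAI validates ARP replies against the DHCP snooping binding table, so it
! must be enabled on the same VLANs as snooping; extra validation checks
! catch spoofed MAC/IP fields inside the ARP body.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink toward DHCP server (trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ! Ports are untrusted by default: DHCP OFFER/ACK arriving here is dropped
 ! (rogue DHCP server), and a client flooding DISCOVERs is rate-limited.
 ip dhcp snooping limit rate 10
 ! Port security caps learned MACs per port (CAM flooding) and sticky
 ! learning records the first hosts seen; "restrict" drops and logs
 ! violations without shutting the port.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! IPSG drops IP traffic whose source IP/MAC does not match a snooping
 ! binding on this port (requires port security for MAC checking).
 ip verify source port-security
!
! Verification (privileged EXEC):
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip verify source
!   show port-security interface GigabitEthernet0/2
```

Static hosts on VLAN 10 have no snooping binding and will be blocked by IPSG/DAI unless a static binding is added with ip source binding.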
Control Plane Policing
CoPP treats the control plane as a separate entity with its own ingress and egress ports, allowing administrators to establish rules that prevent unnecessary traffic from overwhelming the route processor.
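An added example (not from the course) of a CoPP policy on Cisco IOS that classifies traffic destined to the route processor and polices each class separately; the management network, SNMP manager address and rates are assumptions to be replaced with values from your own baseline.

```cisco
! Assumed addressing (constructed): 10.0.0.0/24 is the management network,
! 10.0.0.50 is the SNMP manager. Rates are illustrative, not measured.
!
! Routing-protocol traffic must never be starved, so it gets its own class
! that is metered for visibility but never dropped.
ip access-list extended COPP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
! Management sessions are only expected from the management network.
ip access-list extended COPP-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp host 10.0.0.50 any eq snmp
!
class-map match-all COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
!
! police <bps> <burst-bytes> ...; conform/exceed actions decide what
! reaches the route processor.
policy-map COPP-POLICY
 class COPP-ROUTING-CLASS
  police 512000 16000 conform-action transmit exceed-action transmit
 class COPP-MGMT-CLASS
  police 128000 8000 conform-action transmit exceed-action drop
 ! Everything else (ICMP, ARP, unexpected SSH/SNMP sources, scans) lands
 ! here; keep this low so floods cannot exhaust the CPU. Start with
 ! exceed-action transmit and watch the counters before switching to drop.
 class class-default
  police 32000 1500 conform-action transmit exceed-action drop
!
! Attach the policy to the control plane's own ingress "port".
control-plane
 service-policy input COPP-POLICY
!
! Verification: per-class conform/exceed counters show what is being
! dropped; a rising exceed count on COPP-MGMT-CLASS means the rate is too
! low or someone is hammering the management protocols.
!   show policy-map control-plane
```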
Role-Based Access Control
RBAC restricts user access based on job functions. Roles are created with specific permissions, and users are assigned to roles. Cisco IOS implements RBAC through role-based CLI access with different "views" defining available commands.
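An added example (not from the course) of role-based CLI views on Cisco IOS: two views with different command sets and local users bound to them. The view names, usernames and secrets are placeholders.

```cisco
! Prerequisites: AAA must be enabled and an enable secret must exist; the
! root view is entered from privileged EXEC with "enable view", which
! prompts for that enable secret, before any views can be created.
aaa new-model
aaa authentication login default local
enable secret 0 <ENABLE-SECRET-PLACEHOLDER>
!
! Read-only view for helpdesk staff: only the listed show/ping commands
! are visible; everything else is rejected as an invalid command.
parser view MONITOR
 secret 0 <VIEW-SECRET-PLACEHOLDER>
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include ping
!
! Operations view: all show commands plus the ability to enter config
! mode, but only to bounce interfaces; no other configure commands exist
! inside this view.
parser view NETOPS
 secret 0 <VIEW-SECRET-PLACEHOLDER>
 commands exec include all show
 commands exec include configure terminal
 commands configure include interface
 commands interface include shutdown
 commands interface include no shutdown
!
! Bind local users to views so a login lands directly in the role rather
! than in a privilege level.
username helpdesk view MONITOR secret 0 <PASSWORD-PLACEHOLDER>
username netops view NETOPS secret 0 <PASSWORD-PLACEHOLDER>
!
line vty 0 4
 transport input ssh
 login authentication default
!
! Verification (from the root view):
!   show parser view all          (lists every view and its command set)
!   enable view MONITOR           (switch into a view to test its limits)
```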
✅ Quick Checks
- What are the three components of the CIA Triad?
  Confidentiality, Integrity, and Availability.
- What are the three functional planes in the NFP framework?
  Control plane, Management plane, and Data plane (Forwarding plane).
- What are the four phases of worm attack response?
  Containment, Inoculation, Quarantine, and Treatment.
- Which NFP plane would typically use out-of-band (OOB) access?
  Management plane.
- What is the difference between the Security Onion and Security Artichoke analogies?
  Security Onion requires peeling layers sequentially, while Security Artichoke allows attackers to remove individual "leaves" without peeling all layers.
📝 Summary
- Network security is built on the CIA Triad: Confidentiality, Integrity, and Availability
- Defense-in-depth provides layered security using multiple protective mechanisms
- Security policies are living documents that must be regularly updated
- ISO/IEC 27002 defines 14 security domains for comprehensive coverage
- Penetration testing tools help validate network security across multiple categories
- Data Security Platforms integrate traditionally separate security tools
- Attack mitigation requires specific strategies for different attack types
- The NFP framework divides network devices into three functional planes
- Each NFP plane has specific security features and protection mechanisms
- Continuous monitoring and regular security audits are essential
References
- Module 3: Mitigating Threats - Introduction (Ch. 3.0)
- Defending the Network (Ch. 3.1)
- Network Security Policies (Ch. 3.2)
- Security Tools, Platforms, and Services (Ch. 3.3)
- Mitigating Common Network Attacks (Ch. 3.4)
- Cisco Network Foundation Protection Framework (Ch. 3.5)
- ISO/IEC 27002 Security Standards
- Cisco Talos Intelligence Group