Cyber Basics: Designing A Network 

This blog post will attempt to make sense of a concept that is ubiquitous in cyber vernacular but whose exact meaning remains obscure to many people: computer networks.

Today essentially every organization – large or small – relies on computers to communicate, store information, and conduct any number of ordinary business functions. In a bid to make those operations more efficient, most enterprises will connect two or more computers to each other so users can collaborate and share files, resources, and tools. A network, therefore, is simply two or more computers that are connected wirelessly or with a cable so that they can communicate with each other. A household network, for example, will likely have a wired router connecting to the outside internet and then a wireless connection to smartphones, laptops, and maybe a printer. This kind of network is thus arranged so that all of a household’s devices are connected with each other and to the wider internet.

Of course, a typical enterprise’s network is significantly larger and more complex than two or three devices talking to each other. A mid-sized widget manufacturer would not only need personal computers for its employees but also computerized industrial controls for its machinery, a database for its customer and employee information, security features, and web applications like an email service and website. The systematic organization of all of these devices and the flow of data through them is called network architecture.

 

nsar_blog (1)

A Basic Network Topology (without security features)

 

So what does all this have to do with cybersecurity? The components of a network and their layout largely determine how difficult it is for an unauthorized individual to hack – or access the data – within the devices on your network. Hackers will tend to take the path of least resistance to reach what they want and use similar general techniques to get there: footprinting, backdoor access, social engineering – or some combination of the three.

Fortunately, a skilled technician can leverage the architecture of a network to make it more secure from these kinds of attacks. There are a couple different ways to do this, and it is useful to explain them in the context of the various things on an enterprise’s network that need protecting. Take, for instance, our mid-size widget manufacturer. How can the network be constructed and arranged so that those three components are as secure as possible? The answer is a mixture of hardware, software, and organization.

Data traversing the internet makes its way into our manufacturer’s local network from an internet service provider and through the first component of our network – the router (or gateway). The router is a piece of hardware that regulates the data coming in and out of a network. It is a crucial component in network security as it is the front gate of your local network.

Immediately behind the router is a firewall, our first dedicated security feature. A firewall is typically a small box with software built into it that can be configured to filter out certain kinds of traffic. For example, its rules can be altered to allow trusted connections from the internet but not unknown or unexpected ones.

Just beyond the firewall is the heart of the network: the core switch. Analogous to a traffic signal at a major intersection, the core switch filters and redirects to the appropriate destination all data traffic transiting the network. For example, an employee trying to fetch data from one of the network’s other computers might click on a folder on his desktop, and behind the scenes the request is being directed through the switch to the appropriate computer before the requested data is directed back through the switch to the requesting employee. Depending on the scale and complexity of a network, there may also be subordinate switches serving different areas.

Just off the core switch are two important security features: an intrusion detection system and, more often than not, a honeypot. Intrusion detection systems (IDS) or intrusion protection systems (IPS) work by recognizing the unique signatures of various kinds of known malware. (Some advanced models can even operate using advanced mathematics, searching for anomalous behavior in network traffic and don’t need to search for signatures.) They can further be configured to block certain file types or certain keywords found in the network’s traffic. Think of them as the kidneys or liver of a network, filtering out harmful traffic and preventing it from harming the wider system. Honeypots are a bit different in that they are set up as mock devices that appear to a hacker to be a trove of valuable data. In reality, the honeypot has no valuable data and will either redirect the hacker somewhere else or isolate him within the local network to learn more about his tactics.

 

nsar_blog_part2 (1)

A Basic Network Topology (with security features)

 

The final feature of our widget manufacturer’s network isn’t a piece of hardware but rather a manner of arranging its different components. Segmentation is a network architecture practice wherein more valuable parts of a network are isolated with a secondary and sometimes even a tertiary more restrictive, firewall or some other mechanism. Consider a home, for example. You can bolt your front door shut, but a burglar can maybe break through a window and still gain access to your house. While he might steal your television, he can’t take the jewelry locked in a safe upstairs. A network can be organized in the same way. By compartmentalizing certain devices, a hacker might be able to gain access to the network, but your most important data will still be safe. We can see this with our network’s database servers. The information stored there is more sensitive, so it’s been segmented off from the larger network with a second firewall with more restrictive rules for transiting it.

Notice, finally, that in the case of our manufacturer (and most similarly-sized enterprises), the network is physically segmented not only for security reasons but simply for the reason that the company operates one facility in one place and another elsewhere. Notice that both segments have their own complement of network features organic to their respective locations. That is to say, both have their own routers, switches, and security features. Since a network in Atlanta cannot be physically connected to one in Kentucky with a wire, the two local networks, while both part of the larger company network, are physically separated by the internet. To allow for secure communication between the two locations, our manufacturer utilizes a VPN tunnel, which encrypts the data moving through the internet between the two locations.

Perhaps the most important element of a network, heretofore not mentioned, is not a program or a piece of machinery but the human beings who utilize and manage the network. Take, once more, the house example: the locked front door, padlocked fence, and security system are meaningless if one of the residents loses their keys, forgets to turn on the security system, or unsuspectingly invites a nefarious neighbor inside for lemonade.

A properly constructed and organized network, however, will be able to defend against the vast majority of routine threats and is a crucial starting point for any home or enterprise cybersecurity strategy.