Network Performance and Security
eBook - ePub

Network Performance and Security

Testing and Analyzing Using Open Source and Low-Cost Tools

  1. 380 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Network Performance Security: Testing and Analyzing Using Open Source and Low-Cost Tools gives mid-level IT engineers the practical tips and tricks they need to use the best open source or low-cost tools available to harden their IT infrastructure. The book details how to use the tools and how to interpret their results. It begins with an overview of best practices for testing security and performance across devices and the network. It then shows how to document assets—such as servers, switches, hypervisor hosts, routers, and firewalls—using publicly available tools for network inventory.

The book explores security zoning of the network, with an emphasis on isolated entry points for various classes of access. It shows how to use open source tools to test network configurations against malware, DDoS, botnet, rootkit, and worm attacks, and concludes with tactics on how to prepare and execute a remediation schedule of the who, what, where, when, and how, when an attack hits.

Network security is a requirement for any modern IT infrastructure. Using Network Performance Security: Testing and Analyzing Using Open Source and Low-Cost Tools makes the network stronger through a layered approach of practical advice and good testing practices.

  • Offers coherent, consistent guidance for those tasked with securing the network within an organization and ensuring that it is appropriately tested
  • Focuses on practical, real-world implementation and testing
  • Employs a vetted "security testing by example" style to demonstrate best practices and minimize false-positive testing
  • Gives practical advice for securing BYOD devices on the network, how to test and defend against internal threats, and how to continuously validate a firewall device, its software, and its configuration
  • Provides analysis in addition to step-by-step methodologies

Yes, you can access Network Performance and Security by Chris Chapman in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Networking. We have over one million books available in our catalogue for you to explore.

Chapter 1

Introduction to practical security and performance testing

Abstract

I will introduce the reader to some basic security concepts, including types of attacks and best practices, with a description of each. Then network security devices and their subfunctions will be introduced. Finally, the reader will understand what perceptual user experience is, how it is measured, the difference between soft and hard errors, and how users formulate quality of experience.

Keywords

attack
DDoS
malware
penetration testing
volumetric attack
quality of experience (QoE)
perceptual user experience
firewall
IPS/IDS
proxy server
botnet
cross site scripting attack (XSS)
worm
virus
trojan horse attack
zero-day attack
SQL injection attack
hard QoE errors
soft QoE errors
This book is intended to help you practically implement real-world security and optimize performance in your network. Network security and performance are becoming one of the major challenges to modern information technology (IT) infrastructure. Practical, layered implementation of security policies is critical to the continued function of the organization. I think not a week goes by where we do not hear about data theft, hacking, or loss of sensitive data. If you dig deeper into what actually happens with security breaches, what you read in the news is only a small fraction of the true global threat of inadequate or poorly executed security. One thing that we all hear when an article or news item is released is an excessive number of buzzwords around security, with little content about how it might have been prevented. The truth is, security mitigation is still in its infant stages, following a very predictable pattern of maturity like other network-based technologies. Performance is the other critical dimension of a healthy network. Everyone knows they need it, but testing and measuring it is not only a science, but also an art.
I assume that the reader of this book has a desire to learn about practical security techniques, but does not have a degree in cyber security. As a prerequisite to implementing the concepts in this book, I assume the reader has a basic understanding of IT implementation, mid-level experience with Windows and Active Directory, and some experience with Linux. Furthermore, my intent in this book is to minimize theory and maximize real-world, practical examples of how you can use readily available open source tools that are free, or relatively low cost, to help harden your network against attacks and to test your network for key performance roadblocks before and during deployment in a production network. In fact, the major portion of the theory that I will cover is in this chapter, and the focus of that information will be on giving you a baseline understanding of the practical deployment and application of security and performance. I also assume nothing, and will take you through the execution of best practices.

A Baseline Understanding of Security Concepts

What is an attack? It is an attempt to gather information about your organization or an attempt to disrupt the normal working operations of your company (both may be considered malicious and generally criminal). Attacks have all the aspects of regular crime, just oriented toward digital resources, namely your network and its data. A threat uses some inefficiency, bug, hole, or condition in the network for some specific objective. The threat risk to your network is generally in proportion to the value or impact of the data in your network, or to the disruption caused by your services no longer functioning. Let me give a few examples to clarify this point. If your company processes a high volume of credit card transactions (say you are an e-commerce business), then the data stored in your network (credit card numbers, customer data, etc.) is a high-value target for theft because the relative reward for the criminals is high. (For example, credit card theft in 2014 was as high as $8.6B [source: http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014].) Or, if your business handles very sensitive data, such as patient medical records (which generally have patient-specific government-issued IDs such as social security numbers attached), you are a prime target. In either case, the value of the data in your network warrants the investment and risk of stealing it. If you are a key logistics shipping company, the value to the attacker may be to disrupt your business, causing wider economic impact (a classic pattern for state-sponsored cyber terrorism [example: http://securityaffairs.co/wordpress/18294/security/fireeye-nation-state-driven-cyber-attacks.html]). On the other hand, if you host a personal information blog, it is unlikely that cyber crime will be an issue. To put it bluntly, it is not worth the effort for the attackers.
The one variable in all of this is the people who attack networks “because they can.” They tend to use open source exploit tools, and tend to be individuals or very small groups, but they can be anywhere on the Internet. We have to be aware of the relative value of our data, and plan security appropriately.
There are many ways of attacking a network, so let us spend a few moments covering some of the basics of security and performance. If we divide attacks by classification, we can see the spread of attack classes growing over time. What types of attacks may you experience in the production network?

DDoS Attack

DDoS, or distributed denial of service, attacks are an attack class with the intent to disrupt some element of your network by exploiting some flaw in a protocol stack (e.g., on a firewall) or a poorly written security policy. The distributed nature comes into play because these attacks can first compromise devices such as personal computers (PCs) or mobile devices on the Internet, and then, at a coordinated time, attack the intended target. An example would be a TCP SYN flood, where many attempted, but partial, TCP connections are opened in an attempt to crash a service on the target. DDoS attacks may also be blended with other exploits in multistage attacks.
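As an added example (not code from the book), a small detection heuristic for the SYN flood just described: it reads a simplified flow log and flags sources that open many connections but almost never complete the handshake. The log format and the addresses in it are constructed for this illustration.

```python
"""Flag sources whose TCP connection attempts are mostly left half-open.

Constructed flow-log format, one event per line:
    <time> <src_ip> <dst_ip>:<port> <tcp_flags>
where flags are a subset of "SA" (S = SYN, A = ACK).
"""
from collections import defaultdict

# Constructed sample: 10.0.0.7 fires SYNs and never completes a handshake;
# 10.0.0.5 behaves like a normal client (SYN followed by the final ACK).
SAMPLE_LOG = """\
1.000 10.0.0.5 192.0.2.10:443 S
1.001 10.0.0.5 192.0.2.10:443 A
1.010 10.0.0.7 192.0.2.10:443 S
1.011 10.0.0.7 192.0.2.10:443 S
1.012 10.0.0.7 192.0.2.10:443 S
1.013 10.0.0.7 192.0.2.10:443 S
1.014 10.0.0.7 192.0.2.10:443 S
1.020 10.0.0.5 192.0.2.10:80 S
1.021 10.0.0.5 192.0.2.10:80 A
"""

def half_open_stats(log_text):
    """Return {src_ip: (syn_count, ack_count)} from the flow log."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                  # skip malformed lines instead of crashing
        _ts, src, _dst, flags = parts
        if "S" in flags and "A" not in flags:
            stats[src][0] += 1        # bare SYN: a new connection attempt
        elif "A" in flags:
            stats[src][1] += 1        # ACK from the client: handshake completed
    return {src: tuple(v) for src, v in stats.items()}

def suspected_syn_flooders(log_text, min_syns=5, max_completion=0.2):
    """Sources with at least min_syns attempts and a completion ratio
    at or below max_completion (thresholds are illustrative)."""
    flagged = []
    for src, (syns, acks) in half_open_stats(log_text).items():
        if syns >= min_syns and acks / syns <= max_completion:
            flagged.append(src)
    return sorted(flagged)
```

The thresholds are the tuning knobs: on a real network, baseline the completion ratio of legitimate clients first so that slow or lossy links are not flagged.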

Botnet/Worm/Virus Attack

A botnet is code that first attempts to install itself within the trusted portion of your network, though combined and blended attacks may spread to other resources across your network. A botnet has two possible objectives. First, to spread as far and as fast as it can within the target domain and then, at a specified time, bring down elements in the network (like PCs). Second, a botnet can quietly sit in the network, collect data, and “phone home” back to a predefined collection site over well-known protocols. This is considered a scraping attack because data are collected from behind your firewall and sent over known-good protocols such as HTTP/HTTPS back home.

Trojan Horse

A trojan horse is a type of attack that embeds malicious code in some other software that seems harmless. The intent is to get the user to download, install, and run the innocent-looking software, which then causes the code to infect the local resource. Another good example of this is infected content downloaded from P2P networks such as BitTorrent; the user runs the content and the malicious code is installed.

Zero-Day Attack

A zero-day attack is a traffic pattern of interest that in general has no matching pattern in the malware or attack detection elements in the network. All new attacks are initially characterized as zero-day attacks.

Keyloggers

A keylogger is code that is installed by malware, sits on a device that has keyboard input (like a PC), and records keystrokes. The hope of the keylogger is that it will capture user login credentials, credit card numbers, or government ID numbers, which can later be sold or used. Keyloggers can be deployed by botnets or on their own. Variants of keyloggers will watch and record other inputs. For example, variant code may listen to your built-in microphone or record video from the integrated camera (or just take periodic snapshots).

SQL Injection Attack

Chances are you have an SQL database somewhere in your network. Attackers know this, and know that by its very nature the database holds valuable data, or at the least is a choke point in the workflow of your business. An SQL injection attack uses malformed SQL queries to perform one of two possible functions. First, the simplest attack is to crash some part of the database server. This has the obvious effect of stopping business workflows. Second, an SQL injection attack may be used to selectively knock down part of the SQL server, exposing the tables of data for illicit data mining.
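As an added example, not code from the book: the malformed-query problem above in its smallest form, a lookup that splices user input into the SQL text, beside the parameterized form that keeps input from changing the query. The customers table and its rows are constructed inline in an in-memory SQLite database.

```python
"""Vulnerable string-built SQL beside its parameterized fix (SQLite)."""
import sqlite3

def make_db():
    """Create an in-memory database with a small constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "1111"),
                      (2, "bob@example.com", "2222"),
                      (3, "carol@example.com", "3333")])
    return conn

def lookup_vulnerable(conn, email):
    """BAD: the input becomes part of the SQL text, so a quote in it can
    change the query's structure (the malformed query the text describes).
    Returns None when the query fails, i.e. the "crash" outcome."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None

def lookup_safe(conn, email):
    """GOOD: the value is bound as a parameter; the driver never lets it
    become SQL, so the query's structure is fixed whatever the input."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def compare(email):
    """Run both lookups on the same input and return (vulnerable, safe)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, email), lookup_safe(conn, email)
    finally:
        conn.close()
```

A plain apostrophe in an e-mail address is enough to break the string-built version, while the parameterized version treats it as data; the same mechanism is what blocks the data-exposure case.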

Cross-Site Scripting Attack (XSS Attack)

The modern platform for applications is the web. What this means is that the sophistication of what is served and processed has greatly increased. The web has moved from a simple text-based system to a full application API. A cross-site scripting attack takes advantage of this sophistication by attempting to modify the middleware of the web application. For example, it may insert JavaScript into the code to bypass a login, capture data and phone home, or become purely malicious. This class of attack is a good example of how attackers want malicious code to remain undetected for as long as possible, especially when the exploit is attempting to collect data.

Phishing Attack

A phishing attack can come in many forms, but generally focuses on web content modification and emails. The idea behind a phishing attack is to look legitimate, induce the target to give up sensitive data, and capture and sell the data for profit or use it for malicious ends.

Rootkit

A rootkit is a special type of worm that can embed itself deeply into the operating system (thus the “root”) such that it can take over the system involuntarily. Rootkits can be very difficult to detect and remove.

Firmware Virus

A firmware virus will attempt to reflash elements that have firmware, such as your hard drive or PC EFI. This is related to the rootkit family of attacks and in some cases can physically destroy equipment. For example, a virus inserted into a hard drive's firmware can destroy the low-level formatting of the drive, or corrupt TRIM settings so that SSD memory cells are worn to failure. On a server, an EFI virus could increase CPU core voltage and turn off fans to cause death by heat.

Hijack Attack/Ransomware

This class of attack attempts to take a legitimate active session and insert or redirect data to a collector. For example, imagine an e-commerce session where a user's shipping and credit card information is captured. This class of attack is sometimes called a “man in the middle” attack. In the case of ransomware, the attack will shut down the device's functions and make the user pay, sometimes even a small amount, to “unlock” their PC. Attackers know that if a user pays, say $5, to “recover” their gear, it may not be worth reporting. This, multiplied by millions, can be big business.

Spoof/Evasion Attack

In this class of attack, the attacker intentionally rewrites IPv4, UDP, and TCP fields to try to hide from firewall rules. For example, if I take an attack and use IPv4 fragmentation, I might be able to hide the attack from the firewall policy rules, because as the attacker, I hope the firewall's pattern-matching code does not cover this condition.
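As an added example (not the book's own code), the defender's side of the fragmentation trick above: before a firewall can match rules against a fragmented datagram it has to reassemble it, and this check reports the conditions under which it cannot trust what it has seen. Fragment tuples and the 20-byte header minimum are constructed assumptions for the illustration.

```python
"""Verdicts for one datagram's IPv4 fragments.

Constructed input: each fragment is (offset_bytes, length_bytes, more_fragments).
Real IPv4 offsets are carried in 8-byte units; bytes are used here for readability.
"""

def check_fragments(fragments, min_first=20):
    """Return 'ok', 'overlap', 'tiny-first' or 'incomplete'.

    Rule matching needs the whole transport header in the first fragment
    and every byte delivered exactly once; otherwise the firewall cannot
    be sure it sees the same stream the destination host will assemble.
    """
    frags = sorted(fragments, key=lambda f: f[0])
    if not frags:
        return "incomplete"
    offset0, length0, more0 = frags[0]
    # First fragment too small to hold a full TCP/UDP header (assumed 20 bytes).
    if offset0 == 0 and more0 and length0 < min_first:
        return "tiny-first"
    expected = 0
    for offset, length, more in frags:
        if offset < expected:
            return "overlap"      # bytes delivered twice: hosts may reassemble differently
        if offset > expected:
            return "incomplete"   # a fragment is missing (so far)
        expected = offset + length
    if frags[-1][2]:
        return "incomplete"       # last fragment seen still announces more to come
    return "ok"

# Constructed fragment sets for a ~2000-byte datagram over a 1500-byte MTU.
SAMPLES = {
    "normal":       [(0, 1480, True), (1480, 520, False)],
    "out_of_order": [(1480, 520, False), (0, 1480, True)],
    "overlap":      [(0, 1480, True), (1472, 528, False)],
    "tiny_first":   [(0, 8, True), (8, 1480, True), (1488, 512, False)],
    "missing":      [(0, 1480, True), (2960, 100, False)],
}

def triage(datagrams=SAMPLES):
    """Map each datagram name to its verdict; only 'ok' is safe to match rules against."""
    return {name: check_fragments(frags) for name, frags in datagrams.items()}
```

Intrusion detection engines apply the same idea in their fragment preprocessors, and additionally model which overlap policy the protected host uses, since operating systems differ on whether the first or the last copy of an overlapping byte wins.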

Buffer Overflow Attack

Typically, network applications, protocol stacks, buffers, and queues expect data requests in a structured format. A buffer overflow attack will intentionally send malformed or excessive data to “crash” some part of the application, firewall, or any network element in between. Sometimes this is called a knockdown attack.

Password Attack

This kind of attack uses automation to break a password through many iterations. There are three types of approach: brute-force, dictionary, and hybrid attempts. This is always a roll of the dice, but in some cases, especially with a dictionary technique, attackers know users have poor password selection habits, and will try clusters of known combinations first.

Penetration Attacks

A penetration attack is more complicated than other types of attack, because it tends to be multistage, distributed, and orchestrated. These types of attacks can be the most damaging, because generally they require a level of sophistication and resources to achieve their target. Many security breaches you might hear about in the news are sophisticated penetration attacks, especially if there is a large volume of data theft. Penetration attacks are like high-stakes poker: they require skill, patience, strategy, and stages, but have very large payouts if successful.

Malware

Malware is a generic class of attack that may be distributed as trojans, worms, or botnets via applications, websites, or emails. Malware is the most prolific form of attack, with millions of variants flowing through the Internet annually. It should be noted tha...

Table of contents

  1. Cover
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Chapter 1: Introduction to practical security and performance testing
  7. Chapter 2: Getting organized with initial audit of the network
  8. Chapter 3: Locking down the infrastructure: Internet, Wi-Fi, wired, VPN, WAN, and the core
  9. Chapter 4: Locking down and optimizing the windows client
  10. Chapter 5: Server patterns
  11. Chapter 6: Testing for security flaws using penetration testing
  12. Chapter 7: Using Wireshark and TCP dump to visualize traffic
  13. Chapter 8: Using SNORT
  14. Chapter 9: Live traffic analytics using “Security Onion”
  15. Chapter 10: Traffic performance testing in the network
  16. Chapter 11: Build your own network elements
  17. Chapter 12: Request for proposal and proof of concept example usecases
  18. Subject Index