About Network Security Threats
Before describing specific network security strategies, it is helpful to start with a high-level classification of security threats, as listed below. Once the nature of the most common attacks is understood, it becomes easier to see how the respective countermeasures work and how they should be deployed.
The most common types of attacks tend to fall into a few main categories:
- Layer 2 Attacks: These attacks leverage vulnerabilities of the data link layer, also known as Layer 2, of the OSI networking model. Some Layer 2 protocols (such as ARP) are not particularly robust and hence are very frequently used as attack vectors (that is, as a means to perform higher-level attacks).
For example, ARP poisoning attacks can be used to hijack a connection in one direction, or in both, to glean information from the traffic (hence they also fall into the category of man-in-the-middle (MitM) attacks). This kind of low-level attack vector can then be used to discover and exploit potential higher-level vulnerabilities.
Other Layer 2 attacks are DHCP spoofing attacks (which use the DHCP protocol to impersonate a single host or even poison multiple hosts’ address assignments), or MAC flooding attacks (which can be leveraged to cause potential traffic leaks and/or denial of service (DoS)).
Layer 2 attacks typically occur only within the same broadcast domain/local subnet and hence can be contained by using appropriate fine-grained network segmentation techniques (e.g., granular VLANs). Outright prevention instead requires more specific technologies, as described in the following sections.
- Layer 3 and Higher Attacks: These attacks target vulnerabilities of the OSI network layer (also known as Layer 3) and higher layers (Layers 4 through 7). They typically leverage weaknesses in IP, ICMP, or similar protocols; at Layer 4 and higher, they target TCP or UDP ports and protocol behavior.
The best-known and simplest attack is port scanning, in which a worm or other malicious piece of software rapidly scans all open Layer 4 ports reachable in the network to find a vulnerable one that would allow it to spread to another device. Other serious attacks in this category include TCP SYN floods, ICMP ping of death, IP address spoofing, and DNS attacks.
These attacks too can be somewhat contained by using appropriate segregation and filtering technologies, as well as by adopting protocol hardening schemes. A major help also comes from network analytics technologies, which allow the network admin to actively oversee the traffic, discover anomalies and promptly react to attacks.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks: These types of attacks seek to leverage any vulnerability of any network layer to produce a very severe impact on one or more services, to the point of degrading them so much that they would fail. DDoS attacks are typically performed by a large number of entities (for instance, a botnet of compromised hosts) to multiply the aggregate impact by a potentially huge (and often devastating) factor. They can sometimes be pure Layer 3 attacks (as in the case of smurf attacks, which leverage broadcast ICMP messages to trigger a bombardment of ICMP responses toward an attacked device) or they can be performed in conjunction with a Layer 3 attack such as IP address spoofing.
- Unauthorized Access: This type of vulnerability is easy to overlook: it allows malicious (as well as non-malicious) users to gain access to restricted resources through a valid but unchecked entry point or through a so-called backdoor.
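As an added example (not part of this guide), the following Python script applies the kind of anomaly checks that the network analytics paragraph above alludes to, run over constructed ARP observations and flow records: an IP claimed by more than one MAC (a symptom of the ARP poisoning described under Layer 2), one source touching many ports (port scanning), and many half-open SYN attempts at one service (a SYN flood). The record formats and the thresholds are assumptions chosen for the sample data.

```python
from collections import defaultdict

# Constructed sample ARP observations (ip, mac): one IP is answered by two MACs.
ARP_OBSERVATIONS = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # legitimate gateway
    ("10.0.0.2", "00:11:22:33:44:02"),
    ("10.0.0.1", "de:ad:be:ef:00:01"),   # second MAC claiming the gateway IP
    ("10.0.0.1", "00:11:22:33:44:01"),
]

# Constructed flow records (src_ip, dst_ip, dst_port, tcp_flags);
# "S" = SYN only (half-open), "SA" = handshake completed.
FLOWS = (
    [("10.0.0.7", "10.0.0.5", 443, "SA"), ("10.0.0.8", "10.0.0.5", 22, "SA")]
    + [("10.0.0.99", "10.0.0.5", p, "S") for p in range(20, 40)]        # one host, 20 ports
    + [(f"198.51.100.{i}", "10.0.0.5", 80, "S") for i in range(1, 51)]  # 50 SYNs at one service
)

def arp_conflicts(observations):
    """Map each IP claimed by more than one MAC to the sorted MAC list (possible ARP poisoning)."""
    macs_by_ip = defaultdict(set)
    for ip, mac in observations:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}

def port_scanners(flows, min_ports=10):
    """Map each source that touched at least min_ports distinct (dst, port) pairs to that count."""
    targets = defaultdict(set)
    for src, dst, port, _flags in flows:
        targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}

def syn_flood_suspects(flows, min_syns=30):
    """Map each (dst, port) that received at least min_syns SYN-only flows to that count."""
    half_open = defaultdict(int)
    for _src, dst, port, flags in flows:
        if flags == "S":
            half_open[(dst, port)] += 1
    return {svc: n for svc, n in half_open.items() if n >= min_syns}

if __name__ == "__main__":
    print("ARP conflicts:", arp_conflicts(ARP_OBSERVATIONS))
    print("Port scanners:", port_scanners(FLOWS))
    print("SYN flood suspects:", syn_flood_suspects(FLOWS))
```

On real data these checks would be fed from switch ARP/DAI logs and NetFlow/sFlow exports and evaluated per time window, with thresholds tuned to the baseline traffic of the segment.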
Other types of attacks exist and can be addressed with dedicated security services (such as firewalling and intrusion prevention). This guide is not meant to be a comprehensive treatise on all of them.
Due to the holistic nature of network security, even the most advanced services have to be built on a solid security foundation, which is described in the subsequent sections.