Home > Articles

Network Components

  • Print
  • + Share This
This chapter is from the book

Enforcement Tools

Data controls include encryption, data loss prevention, and information rights management. Most enterprises implement enforcement tools to prevent sensitive information from leaving the network. These tools include security information and event management (SIEM) systems, data loss prevention (DLP) systems, network access control (NAC), gateways, and other hardware devices. This section covers these technologies and tools.

SIEM

Audit controls such as security information and event management (SIEM) systems provide the technological means to show compliance and refine security controls. SIEM tools collect, correlate, and display data feeds that support response activities. SIEMs are the main element in compliance regulations such as SOX, GLBA, PCI, FISMA, and HIPAA. SIEM output is also proactively to detect emerging threats and improve overall security by defining events of interest (EOI) and resulting actions. The purpose of SIEM is to turn a large amount of data into knowledge that can be acted upon. SIEMs are generally part of the overall security operations center (SOC) and have three basic functions:

  • Centrally managing security events

  • Correlating and normalizing events for context and alerting

  • Reporting on data gathered from various applications

Just one IDS sensor or log data source can generate more than 100,000 events each day.

Aggregation is the process by which SIEM systems combine similar events to reduce event volume. Log management aggregates data from many network sources and consolidates the data so that crucial events are not missed. By default, events are usually aggregated based on the source IP, destination IP, and event ID. The purpose of aggregation is to reduce the event data load and improve efficiency. Conversely, if aggregation is incorrectly configured, important information could be lost. Confidence in this aggregated data is enhanced through techniques such as correlation, automated data filtering, and deduplication within the SIEM. Event aggregation alone is not enough to provide useful information in an expeditious manner. A common best practice is to use a correlation engine to automate threat detection and log analysis. The main goal of correlation is to build EOIs that can be flagged by other criteria or that allow for the creation of incident identification. To create EOIs, the correlation engine uses data that was aggregated by the following techniques:

  • Pattern matching

  • Anomaly detection

  • Boolean logic

  • A combination of Boolean logic and context-relevant data

Finding the correct balance in correlation rules is often difficult. Correlation rules that try to catch all possible attacks generate too many alerts and can produce too many false positive alerts.

The SIEM facilitates and automates alert triage to notify analysts of immediate issues. Alerts can be sent via email but are most often sent to a dashboard. SIEM systems generate a large volume of alerts and notifications, so they also provide data visualization tools. From a business perspective, reporting and alerting provide verification of continuous monitoring, auditing, and compliance. Event deduplication improves confidence in aggregated data, data throughput, and storage capacity.

Event deduplication is also important because it provides the capability to audit and collect forensic data. The centralized log management and storage of SIEM systems provide validation for regulatory compliance storage or retention requirements. Regarding forensic data and regulatory compliance, WORM (write once, read many) drives keep log data protected so that evidence cannot be altered. WORM drives permanently protect administrative data. This security measure should be implemented when an administrator with access to logs is under investigation or when an organization needs to meet for regulatory compliance (such as Payment Card Industry Data Security Standard [PCI DSS] Requirement 10).

Some SIEM systems are good at ingesting and querying flow data both in real time and retrospectively. However, with real-time analysis, significant issues are associated with time, including time synchronization, time stamping, and report time lag. For example, if the report takes 45 minutes to run, the analyst is already this far behind real time without taking into consideration the amount of time needed to read and analyze the results.

When designing a SIEM system, the volume of data generated for a single incident must be considered. SIEM systems must aggregate, correlate, and report output from devices such as firewalls, intrusion detection/prevention (IDS/IPS), access controls, and myriad network devices. Answering questions about how much data to log from critical system is important when deciding to use a SIEM system. SIEMs have a high acquisition and maintenance cost. If the daily events number in the millions per day and events are gathered from network devices, endpoints, servers, identity and access control systems, and application servers, a SIEM might be cost-effective. For smaller daily event occurrences, free or more cost-effective tools should be considered.

DLP

Data loss is a problem that all organizations face, but it can be especially challenging for global organizations that store a large volume of PII in different legal jurisdictions. Privacy issues differ by country, region, and state. Naturally, organizations implement data loss prevention tools as a way to prevent data loss. Data loss prevention (DLP) is a way of detecting and preventing confidential data from being exfiltrated physically or logically from an organization by accident or on purpose. DLP systems are basically designed to detect and prevent unauthorized use and transmission of confidential information, based on one of the three states of data: in use, in motion, or at rest. DLP systems offer a way to enforce data security policies by providing centralized management for detecting and preventing the unauthorized use and transmission of data that the organization deems confidential. A well-designed DLP strategy allows control over sensitive data, reduces the cost of data breaches, and achieves greater insight into organizational data use. International organizations should ensure that they are in compliance with local privacy regulations before implementing DLP tools and processes.

Protection of data in use is considered to be an endpoint solution. In this case, the application is run on end user workstations or servers in the organization. Endpoint systems also can monitor and control access to physical devices such as mobile devices and tablets. Protection of data in transit is considered to be a network solution, and either a hardware or software solution is installed near the network perimeter to monitor and flag policy violations. Protection of data at rest is considered to be a storage solution and is generally a software solution that monitors how confidential data is stored.

When evaluating DLP solutions, key content-filtering capabilities to look for are high performance, scalability, and the capability to accurately scan nearly anything. High performance is necessary to keep the end user from experiencing lag time and delays. The solution must readily scale as both the volume of traffic and bandwidth needs increase. The tool should also be capable of accurately scanning nearly anything.

Using an endpoint solution, here are some examples of when a user can be alerted to security policy violations, to keep sensitive information from leaving the user’s desktop:

  • Inadvertently emailing a confidential internal document to external recipients

  • Forwarding an email with sensitive information to unauthorized recipients inside or outside the organization

  • Sending attachments such as spreadsheets with PII to an external personal email account

  • Accidentally selecting Reply All and emailing a sensitive document to unauthorized recipients

USB flash drives, iPods, and other portable storage devices are pervasive in the workplace and pose a real threat. They can introduce viruses or malicious code to the network and can store sensitive corporate information. Sensitive information is often stored on thumb and external hard drives, which then are lost or stolen. DLP solutions allow policies for USB blocking. This could be a policy to block the copy of any network information to removable media or a policy to block the use of unapproved USB devices.

Many organizations store sensitive data in the cloud. DLP solutions have expanded from email and local devices to include corporate data stored in the cloud. The organization must know how the cloud is being utilized before making decisions on a DLP solution:

  • What files are being shared outside the organization

  • What files contain sensitive data

  • What abnormal events indicate a threat or compromise

DLP can help with the following issues in cloud implementations:

  • Data migration control

  • Data protection

  • Data leakage

Some deployed cloud services include Office 365, Salesforce, and Box. When implementing DLP policies in the cloud, different policies apply for different cloud services. Some are merely general cloud policies. For example, a general policy centers on device access control. A specific policy for Box, for example, centers on file sharing.

DLP solutions are most successful in private or virtual private clouds. When using a public cloud, DLP solutions might not offer much value because of the lack of control; using an agent-based approach is a better solution. For example, if your DLP solution requires agents or certificates to be installed in cloud applications such as Dropbox or Google Drive, the application will interpret the agent as a man-in-the-middle attack and will not work properly. Best practices for mitigating threats related to data leakage in the cloud include active data monitoring, encryption, policy-based access controls, and centralized administration.

NAC

One the most effective ways to protect the network from malicious hosts is to use network access control (NAC). NAC offers a method of enforcement that helps ensure that computers are properly configured. NAC systems are available as software packages or dedicated NAC appliances, although most are dedicated appliances that include both hardware and software. Some of the main uses for NAC follow:

  • Guest network services

  • Endpoint baselining

  • Identity-aware networking

  • Monitoring and containment

The premise behind NAC is to secure the environment by examining the user’s machine and then grant (or not grant) access based on the results. NAC is based on assessment and enforcement. For example, if the user’s computer patches are not up to date and no desktop firewall software is installed, you can decide whether to limit access to network resources. Any host machine that does not comply with your defined policy could be relegated to a remediation server or put on a guest VLAN. The basic components of NAC products follow:

  • Access requestor (AR): The AR is the device that requests access. Assessment of the device can be self-performed or delegated to another system.

  • Policy decision point (PDP): The PDP is the system that assigns a policy based on the assessment. The PDP determines what access should be granted and can be the NAC’s product-management system.

  • Policy enforcement point (PEP): The PEP is the device that enforces the policy. This device can be a switch, firewall, or router.

NAC systems can be integrated into the network in four ways:

  • Inline: Exists as an appliance in the line, usually between the access and the distribution switches

  • Out of band: Intervenes and performs an assessment as hosts come online, and then grants appropriate access

  • Switch-based: Works similarly to inline NAC, except that enforcement occurs on the switch itself

  • Host- or endpoint-based: Relies on an installed host agent to assess and enforce access policy

NAC implementations require design considerations such as an agent or agentless integration. For example, out-of-band designs might or might not use agents, and they can use 802.1X, VLAN steering, or IP subnets. In a NAC system that uses agents, devices are enrolled in the NAC system and an agent is installed on the device. The agent reports back to a NAC policy server. Agents provide detailed information about connected devices to enforce policies. An agent might permanently reside on end devices or it might be dissolvable. If the agent is dissolvable, it provides one-time authentication and then disappears after reporting information to the NAC. Because agents can be spoofed by malware, the organization needs to be vigilant about proper malware protection or should use an agentless NAC solution.

Agents perform more granular health checks on endpoints to ensure a greater level of compliance. When the health check is on a computer or laptop, it is often called a host health check. Health checks monitor availability and performance for proper hardware and application functionality.

Agentless solutions are mainly implemented through embedded code within an Active Directory domain controller. The NAC code verifies that the end device complies with the access policy when a user joins the domain, logs onto, or logs out of the domain. Active Directory scans cannot be scheduled, and the device is scanned only during these three actions. Another instance in which an agentless solution is deployed is through an intrusion prevention system.

Agentless solutions offer less functionality and require fewer resources. A good solution for large, diverse networks, or one in which BYOD is prevalent, is to combine both agent and agentless functionality, but use the agentless solution as a fallback. This is because agents often do not work with all devices and operating systems. An alternative might be to use a downloadable, dissolvable agent; however, some device incompatibility might still arise.

In addition to providing the capability to enforce security policy, contain noncompliant users, and mitigate threats, NAC offers business benefits. These include compliance, a better security posture, and operational cost management.

Gateways

Gateways perform many functions. At its simplest definition, a router is a gateway because it connects two different networks. Other types of gateways include mail, media, and API gateways. This section covers mail and media gateways.

Mail

Although the percentage of spam has been steadily decreasing in the past few years because of better legislative enforcement and improved products, spam is still an enormous problem for corporations. Cisco tracked spam using opt-in customer telemetry and reported that spam email accounts for 65 percent of all sent emails. Spam filters can consist of various filtering technologies, including content, header, blacklist, rule-based, permission, and challenge-response filters. Spam-filtering solutions can be deployed in a number of ways. The most common implementations use an onsite appliance such as a gateway, software installed on each individual device, and hosted or cloud-based vendor solutions.

Email security gateways prevent malicious emails from reaching their destinations. Spam-filtering products work by checking email messages when they arrive. The messages are then either directed to the user’s mailbox or quarantined based on a score value. When the spam score exceeds a certain threshold, the email is sent to the junk folder. In addition to the keyword-scanning methods, which include scoring systems for emails based on multiple criteria, spam filter appliances allow for checksum technology that tracks the number of times a particular message has appeared. They also conduct message authenticity checking, which uses multiple algorithms to verify the authenticity of a message. In addition, the appliance might perform file-type attachment blocking and scanning using the built-in antivirus protection.

Besides spam filtering functions, email gateways can include additional client security controls such as email encryption, advanced content filtering, and DLP capabilities. These capabilities help protect the confidentiality and integrity of emails in transit, enforce regulatory compliance, and protect against data loss.

Media

Media gateways came about as a result of the convergence of telecommunications and data communications. Media gateways act as a bridge between different transmission technologies and add services to end-user connections. At the most basic level, a media gateway is a device that converts data from one format to another. One of the main functions of a media gateway is to convert between different transmission and coding techniques. Examples include a circuit switch, an IP gateway, and a channel bank. Media gateways work at the connectivity layer, serving as a crossing point between different networks where the desired transmission technology can be selected. For example, the media gateway might terminate channels from a circuit-switched network and stream media from a packet-switched network in an IP network. Data input such as audio and video are handled simultaneously.

In businesses, media gateways are used to convert analog communications to VoIP communications. When used in VoIP conversions, they have three main components:

  • Media gateway

  • Media gateway controller or softswitch

  • Signaling gateway

One of the best examples of a media gateway in use is getting broadband cable to phones and laptops. Cable providers such as Dish, Comcast, and Cox use media gateways to distribute content to subscribers throughout their households. Content distribution occurs through a gateway that converts the incoming broadband signal and delivers voice, video, and data services such as high definition and wireless codecs to consumer IP-connected devices.

  • + Share This
  • 🔖 Save To Your Account

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020