Your network has layers—seven of them, actually (application, presentation, session, transport, network, data link and physical). Each layer requires specific security measures for the overall
network to be secure, and while it’s not a piece of cake, it is manageable. To help, we’ve compiled this guide to the essential security you need at each layer of your
network.
1. Notarization and Signature at the Physical Layer
Today’s physical layer consists of wired and wireless infrastructure. Penetrating wired infrastructure usually requires accessing and physically wiring into cables. Earlier efforts to
access electrical emanations from simple coaxial cable have been thwarted through the use of twisted pair cabling which significantly limits the ability of invaders to compromise cables,
especially fiberoptic ones.
Many wireless security options have made life more difficult for those who would attempt to access your data wirelessly, yet many still fail to use any of them, leaving their wireless networks open to anyone with a laptop, tablet, or cellphone.
2. Assurance and Availability at the Data Link Layer
The data link is accomplished through the use of a network interface card (NIC) attached to the physical network cabling or wireless infrastructure. One of the jobs each NIC must perform is to find the NIC that it is sending data to. To accomplish this, each and every NIC has its own completely unique identifier called a Media Access Control (MAC) address. The NIC at the point of origin uses the Address Resolutions Protocol (ARP) to find the destination NIC by converting an Internet Protocol (IP) address to the corresponding physical network address.
It is possible for someone with direct access to the local area network to fool an originating NIC into thinking that it is the destination NIC. It can then steal the data while still allowing it to pass through to the actual destination NIC so nobody is the wiser. Not the easiest point of network compromise, but still possible.
3. Confidentiality at the Network Layer
If the MAC address of the destination NIC isn’t found on the local network, the data is sent to a router at the Network layer. The router understands IP addresses and makes decisions as to where to send the data based on a table that indicates which MAC addresses exist on other IP networks. Attackers have developed many ways of invading routers to intercept data and addressing information, giving them access to a wide variety of resources that they can then corrupt, copy, or otherwise damage. Most of these methods are far more effective on routers running older versions of their operating software. The best defense includes banning remote access tools such as telnet and assuring that software on all routers is always kept fully updated.
4. Data Integrity at the Transport Layer
TCP/IP is the Transport Control Protocol running over Internet Protocol. TCP was designed to get data from one place to another and assure that it is in good order when it gets there. This requires extensive error checking and data loss prevention. This leans heavily on a process called “handshaking” in which the origin and destination hosts confirm and reconfirm transmission and receipt.
While there are many ways in which an attacker can attempt to compromise TCP, there are just as many ways to prevent such attacks. The most well-known way is the implementation of a firewall to protect hosts inside the network from attacks outside the network. Anti-malware scanners are also implemented at this layer to recognize and prevent recognized virus, worms, and other signatures from penetrating the network.
5. Non-Repudiation at the Session Layer
The Session layer is responsible for setting up and taking down the connection between hosts. It is possible for an attacker to gain access during the initial acquisition of a session connection by “hijacking” the session. It is also possible for them to achieve a “man-in-the-middle” connection in the middle of a session from which they can monitor and intercept the data flowing between the two hosts, or launch a Directed Denial of Service (DDoS) attack in which huge volumes of requests are made which cause a host or an entire network to crash due to traffic overload.
Several types of protection are available for the Session layer, including Secure Sockets Layer (SSL) which was designed specifically to protect web traffic under the hypertext transport protocol (HTTP), Secure Shell, Kerberos, and IPSEC which is widely used to protect virtual private networks (VPN).
The most important protection begins at that unsung topmost level where people are involved. Management that assures the creation, use, and updating of strong passwords inhibits Session layer invasion significantly. Regular inspections to remove passwords written on post-it notes affixed to user’s monitors should also be instituted to get started. Two-factor or multi-factor authentication which requires the use of a code provided by a digital device is also advised in environments that are otherwise difficult to manage.
6. Access Control at the Presentation Layer
The most important step in protecting the Presentation layer is to make sure that all updates and patches are regularly applied. Nothing proves the dangers of a “set-it-and-forget-it” mentality like failure to patch and update operating systems and applications.
7. Authentication at the Application Layer
Applications are routinely attacked by viruses, trojans, worms, and other forms of malware. It is critical to keep all anti-malware software fully updated and all signature files current. Hackers are inventing new exploits at all times, so all application software must be kept updated and protected at all times.
All too often damage is caused when a user with significant access rights leaves their computer logged into the network and signed into key applications, including financial applications. A thief gains access to the computer by breaking into the office physically. Nothing stands between them and the transfer of data, or dollars, through that open computer connection. People and physical plant vulnerabilities are among the most popular data and network exploits.
8. Bonus Layer: People, Policies and Procedures
Above the Application layer is the “User Layer.” To be thorough, we might want to call this the “People, Policy, and Procedures” layer. The recent rash of “phishing” attacks, which rose by 250% in 2017, often leading to Ransomware, occur at this level, using “social engineering” tactics to trick users into taking actions that lead to network and data compromise.
In its simplest form, a “phishing” attack comes in an email that looks very much like it comes from a reliable, trustworthy sender. The email requests that the user click on a link or open a document. Doing so opens the door to the introduction of viruses, worms, and other malware that wreak all manner of havoc on the network. Having been invited in through the click, they get past every security measure implemented at every level of the network and either steal or corrupt data. In a ransomware attack, the data is encrypted by the attacker who requires that a financial ransom averaging more than $100,000 per incident, be paid before the data may be decrypted. Named attacks like “CryptoWall” raked in $325 Million in recent years. “Petya” and “NotPetya” netted $1.2 Billion, with “WannaCry” extracting $4 Billion from its victims.
The only way to prevent or reduce the effectiveness of “phishing” attacks and ransomware is highly effective training of the users to increase their alertness to the signs that an email is not from the sender indicated and may indeed be an attempt to attack.
The only other defense against ransomware is an aggressive data backup strategy and schedule which assures that data encrypted by an attacker can be restored to the network without having to pay the ransom.
Here are five questions to ask your VoIP vendor about secure communications.
Do you have a Mitel or ShoreTel phone system? We are the #1 Mitel Partner of the Year for five out of eight years and can advise you on the best solution for you.
Looking for more information on security? Visit our Info Gallery.
As CEO of Packet Fusion, Matt sets the tone and vision for our company and our customers. His 20+ years in telephony gives him a deep understanding of unified communications and collaboration technology. He is an engaging presenter and has a knack for breaking down the often over complicated VoIP technologies into plain and simple English. Outside of PFI, Matt’s happy place is on the golf course or on a bike ride with his daughters.