Penetration Testing
CHAPTER 12

Network Security Assessment Basics

Updated: May 15, 2026
25 min read


1. Introduction

While web applications and wireless networks are the outer walls of a fortress, the internal network is the treasure room. Once an attacker breaches the perimeter, their goal is to map the internal network, bypass internal firewalls, and move laterally from server to server until they find the Domain Controller or the core database. To stop them, defenders must deploy robust internal architecture. In this chapter, we will explore the core concepts of Network Security Assessments. We will dissect the operation of Firewalls, Intrusion Detection Systems (IDS), and the fundamental necessity of Network Segmentation, learning how to audit a network not just from the outside, but from the inside.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Understand the function of Firewalls (Stateful vs. Stateless).
  • Differentiate between IDS (Intrusion Detection) and IPS (Intrusion Prevention).
  • Understand the concept and importance of Network Segmentation (VLANs).
  • Define "Lateral Movement" in a post-breach scenario.
  • Utilize packet analysis tools (Wireshark) to inspect network traffic.

3. Beginner-Friendly Explanation

Imagine an ancient castle.
  • The Firewall: The drawbridge and the guard at the front gate. The guard has a list: "Only merchants can enter. No soldiers." The guard enforces the rules.
  • The IDS (Intrusion Detection System): A lookout in a high tower. If they see someone sneaking over the wall, they blow a loud horn to alert the guards. They *detect* the problem.
  • The IPS (Intrusion Prevention System): A lookout who also has a bow and arrow. If they see someone sneaking over the wall, they shoot them instantly. They *prevent* the problem.
  • Network Segmentation: Inside the castle, there are many locked doors. If a spy gets into the kitchen, they cannot just walk into the king's bedroom. They are trapped in the kitchen.

A penetration tester's job is to see if the guard's list is flawed, if the lookout is asleep, and if the interior doors are actually locked.

4. Firewalls and Network Segmentation

A flat network is a network where every computer can talk to every other computer. If a receptionist clicks a phishing email and their computer gets infected with ransomware, a flat network allows that ransomware to spread instantly to the CEO's laptop and the company's master database.

The Defense: Segmentation (VLANs)

Networks must be sliced into isolated zones (Virtual LANs) separated by internal firewalls.

  • Zone 1 (Guest Wi-Fi): Can only talk to the internet.
  • Zone 2 (Employee Laptops): Can talk to the internet and the email server.
  • Zone 3 (Databases): Can ONLY talk to the Web Servers. *Never* the internet. *Never* employee laptops.

5. IDS and IPS Evasion

When a penetration tester runs an aggressive nmap scan, the IDS will instantly flag it as "Malicious Scanning Activity." Advanced testers use Evasion Techniques to bypass the IDS:
  • Fragmentation: Breaking the attack packets into tiny pieces so the IDS cannot read the full attack signature.
  • Decoys: Using nmap -D to spoof the source IP address, making the scan look like it is coming from 10 different computers simultaneously, confusing the IDS.
  • Encryption: Routing the attack through an encrypted VPN or SSH tunnel so the IDS only sees encrypted gibberish.

6. Mini Project: Analyze Packets Using Wireshark

To truly understand a network, you must see the data flowing across the wire. Wireshark is the industry standard packet analyzer.

Step-by-Step Walkthrough:

  1. Open Wireshark on your Kali Linux machine.
  2. Select your active network interface (e.g., eth0) and click the blue "Start Capturing" shark fin icon.
  3. Open a web browser and go to a non-secure website (e.g., http://neverssl.com).
  4. Go back to Wireshark and click the red "Stop" button.
  5. In the display filter bar at the top, type http and press Enter.
  6. Right-click one of the HTTP packets and select Follow -> TCP Stream.
  7. *The Result:* You will see the exact, raw text of the website data that was transmitted. If this were a login page on an unencrypted HTTP site, you would be looking at the user's password in plain text.
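The "Result" step above, as an added example that is not part of the chapter: a parser for the client half of a plaintext HTTP stream that pulls out the form fields Wireshark would show you, placed next to a TLS record of the same kind of login for contrast (the point the FAQ below makes about HTTPS). The captured bytes, host name and field names are all constructed.

```python
"""Added example (not the chapter's code): what Follow -> TCP Stream reveals."""
from urllib.parse import parse_qs

# Constructed client-to-server half of a TCP stream, laid out exactly as a
# plaintext HTTP login would appear in the Follow TCP Stream window.
CAPTURED_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"username=alice&password=Spring%212026"
)

# Constructed start of a TLS handshake record (type 0x16, version 3.x): the
# same login over HTTPS shows up on the wire only as bytes like these.
CAPTURED_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

SENSITIVE_FIELDS = {"password", "passwd", "pass", "pwd", "token", "secret"}


def is_tls_record(stream: bytes) -> bool:
    """True if the stream starts with a TLS record header (handshake, v3.x)."""
    return len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03


def parse_http_request(stream: bytes):
    """Split a raw HTTP/1.x request into method, path, headers and body.
    Returns None when the bytes are not a plaintext request (e.g. ciphertext)."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": parts[0], "path": parts[1], "headers": headers,
            "body": body[:length]}


def exposed_credentials(stream: bytes) -> dict:
    """Sensitive form fields an observer on the wire can read from this stream.
    Empty when the request is encrypted, not a POST, or not a form submission."""
    req = parse_http_request(stream)
    if req is None or req["method"] != "POST":
        return {}
    if "x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
        return {}
    fields = parse_qs(req["body"].decode("latin-1"))
    return {k: v[0] for k, v in fields.items() if k.lower() in SENSITIVE_FIELDS}
```

Running exposed_credentials over the HTTP stream returns the submitted password in the clear; over the TLS bytes it returns nothing, because there is no request to parse.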

7. Real-World Scenarios

A retail company suffered a massive breach of their Point-of-Sale (PoS) cash registers. The hackers did not attack the cash registers directly. They breached the company's HVAC (Heating and Air Conditioning) vendor. The vendor had remote access to the company's network to monitor the air conditioning. Because the company had a "flat network," the hackers used the HVAC system's access to pivot laterally, bypassing all external firewalls, and walked straight over to the cash registers to steal credit card data. Proper Network Segmentation (putting the HVAC systems on a completely isolated VLAN) would have stopped the breach instantly.

8. Best Practices

  • Egress Filtering: Companies spend millions blocking incoming traffic (Ingress). They often forget to block outgoing traffic (Egress). If a server is compromised, the malware needs to "call home" to the hacker's Command and Control (C2) server. If your firewall has strict Egress Filtering (e.g., "The database server is absolutely never allowed to initiate an outgoing connection to the internet"), the malware is trapped and cannot steal the data.
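The zone rules from section 4 and the egress rule above, expressed as an added example that is not code from the chapter: a default-deny allow-list, a stateful check that admits reply traffic without a reverse rule, and a reachability walk that measures how far a compromised host in each zone can pivot, compared against a flat network. Zone names and the flat-network comparison are constructed.

```python
"""Added example (not the chapter's code): zone allow-list vs. a flat network."""
from itertools import permutations

# Constructed zone names; "internet" is modelled as a destination-only zone.
ZONES = ("internet", "guest_wifi", "employee_laptops", "email_server",
         "web_servers", "databases")

# Segmented policy from section 4 plus the section 8 egress rule. Default deny:
# a new connection is permitted only if (source, destination) is listed here.
# Nothing in the database zone may initiate to the internet or to laptops.
SEGMENTED = frozenset({
    ("guest_wifi", "internet"),
    ("employee_laptops", "internet"),
    ("employee_laptops", "email_server"),
    ("web_servers", "databases"),   # the only path into the database zone
})

# A flat network for comparison: every zone may initiate to every other zone.
FLAT = frozenset(permutations(ZONES, 2))


def is_allowed(policy, src, dst, established=False):
    """Stateful firewall decision for one packet.

    New connections need an allow rule in their own direction. Reply packets of
    an already-allowed session (established=True) are accepted even though the
    reverse pair, e.g. databases -> web_servers, is never listed as a rule.
    """
    if (src, dst) in policy:
        return True
    return established and (dst, src) in policy


def reachable_from(policy, start):
    """Zones a host in `start` can reach by initiating connections, following
    allowed flows transitively: the attacker's room to move laterally."""
    seen, todo = set(), [start]
    while todo:
        zone = todo.pop()
        for src, dst in policy:
            if src == zone and dst != start and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        hit = sorted(reachable_from(policy, "employee_laptops"))
        print(f"{name}: compromised laptop can pivot to {hit}")
```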

9. Security Recommendations

  • Zero Trust Architecture: The modern evolution of network security. The core philosophy is "Never Trust, Always Verify." Even if a computer is physically inside the corporate office plugged into the wall, it is treated as hostile. It must cryptographically prove its identity and health status before it is allowed to access any internal corporate resources.

10. Troubleshooting Tips

  • Wireshark Permissions: If you open Wireshark on Linux and cannot see any network interfaces to capture, it is because packet capturing requires root privileges. You must launch the program using sudo wireshark to grant it the necessary permissions to read the raw network card data.

11. Exercises

  1. Explain the architectural difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS).
  2. Why is Egress Filtering critical for preventing data exfiltration during a ransomware attack?

12. FAQs

Q: Can Wireshark decrypt HTTPS traffic?

A: No. If it could, the internet would be fundamentally broken. Wireshark will capture the HTTPS packets, but the payload will be unreadable ciphertext. To decrypt it, you must possess the server's private SSL/TLS key, which penetration testers do not have (unless provided in a White-box test).

13. Interview Questions

  • Q: Describe the concept of Network Segmentation via VLANs. How does segmentation prevent Lateral Movement during a post-exploitation scenario?
  • Q: Contrast the operational philosophies of Perimeter-Based Security (the "Castle-and-Moat" model) with Zero Trust Architecture. Why is the industry moving aggressively toward Zero Trust?

14. Summary

In Chapter 12, we breached the perimeter and analyzed the internal battlefield. We decoded the functions of Firewalls, IDS, and IPS, understanding that network defense relies on layered, defense-in-depth strategies. We highlighted the catastrophic dangers of "flat networks," cementing Network Segmentation (VLANs) as the primary defense against lateral movement. By utilizing Wireshark, we gained the ability to physically observe data traveling across the wire, reinforcing the necessity of encrypted protocols. Finally, we explored the modern paradigm of Zero Trust, recognizing that the era of blindly trusting internal network traffic is officially over.

15. Next Chapter Recommendation

We have secured the code and the network, but the weakest link remains human behavior. How do we secure the keys to the kingdom? Proceed to Chapter 13: Secure Password Practices and Hashing.
