Unit IV IOT

Unit IV: Network Protection: Access Control Concepts, AAA usage and operation; Threat Intelligence: Information Sources, Threat Intelligence Services; Endpoint Protection: Antimalware Protection, Host-based Intrusion Prevention, Application Security.

What is network access control (NAC)?


Network access control (NAC), also known as network admission control, is the process
of restricting unauthorized users and devices from gaining access to a corporate or private
network. NAC ensures that only users who are authenticated and devices that are
authorized and compliant with security policies can enter the network.

As endpoints proliferate across an organization, typically driven by bring-your-own-device (BYOD) policies and an expansion in the use of Internet-of-Things (IoT) devices, more control is needed. Even the largest IT organizations do not have the resources to manually configure all the devices in use. The automated features of a NAC solution are a sizable benefit, reducing the time and associated costs of authenticating and authorizing users and determining that their devices are compliant.

Further, cyber criminals are well aware of this increase in endpoint usage and continue to design and launch sophisticated campaigns that exploit any vulnerabilities in corporate networks. With more endpoints, the attack surface increases, which means more opportunities for attackers to gain access. NAC solutions can be configured to detect unusual or suspicious network activity and respond with immediate action, such as isolating the device from the network to prevent the potential spread of the attack.

What Are The Advantages of Network Access Control?

Network access control comes with a number of benefits for organizations:

1. Control the users entering the corporate network
2. Control access to the applications and resources users aim to access
3. Allow contractors, partners, and guests to enter the network as needed but restrict their access
4. Segment employees into groups based on their job function and build role-based access policies
5. Protect against cyberattacks by putting in place systems and controls that detect unusual or suspicious activity
6. Automate incident response
7. Generate reports and insights on attempted access across the organization

What Are The Common Use Cases For Network Access Control?

Bring your own device (BYOD)

With the rise of work-from-home policies, employees are increasingly relying on their
personal devices to complete work-related tasks. BYOD, the policy of permitting employees
to perform work using the devices they own, increases efficiency and reduces overall cost.
Employees are likely more productive on devices of their choosing rather than those
provided by the company.

NAC policies can be extended to BYOD to ensure that both the device and its owner are
authenticated and authorized to enter the network.

Internet-of-Things (IoT) devices

Security cameras, check-in kiosks, and building sensors are just a few examples of IoT
devices. Although IoT devices extend an organization's network, they also expand its
attack surface. Further, IoT devices may go unmonitored or in sleep mode for long periods
of time. NAC can reduce risk to these endpoints by applying defined profiling measures and
enforcing access policies for different categories of IoT devices.

Network access for non-employees

NAC is also helpful for granting temporary access to non-employees, such as contractors, consultants, and partners. NAC can allow access to such users so they can connect to the network seamlessly without having to engage the IT team. Of course, the policies for non-employees have to be different from those of regular employees.

What Are The Capabilities Of Network Access Control?

Policy life-cycle management

NAC enforces policies for all users and devices across the organization and adjusts these
policies as people, endpoints, and the business change.

Profiling and visibility

NAC authenticates, authorizes, and profiles users and devices. It also denies access to
unauthorized users and devices.

Guest networking access

NAC enables an organization to manage and authenticate temporary users and devices
through a self-service portal.

Security posture check

It evaluates and classifies security-policy compliance by user, device, location, operating system, and other criteria.

Incident response

NAC reduces the number of cyber threats by creating and enforcing policies that block
suspicious activity and isolate devices without the intervention of IT resources.

Bi-directional integration

NAC can integrate with other security point products and network solutions through an open/RESTful application programming interface (API).

What Is The Importance Of Network Access Control?

Improved security

Because NAC provides oversight of all devices in use across the organization, it enhances
security while authenticating users and devices the moment they enter the network. The
ability to monitor network activity and immediately take action against unauthorized or
unusual behavior means that malware threats and other cyberattacks are reduced.

Saves costs

The automated tracking and protection of devices at scale translates into cost savings for
organizations because fewer IT resources are needed. Further, blocking unauthorized
access or a suspected malware attack prevents companies from suffering financial losses
that may result if those activities are not thwarted.

Automation

As the number and variety of devices organizations use continue to increase, organizations
cannot manually verify users and their endpoints' security policies as they attempt to enter
the network. The automation features of NAC offer tremendous efficiency to the process of
authenticating users and devices and authorizing access.

Enhanced IT experiences

With seamless access, user experience is frictionless when connecting to the network. That
there are controls in place working in the background gives users confidence that their IT
experience is protected without any effort on their part.

Ease of control

The visibility features of NAC effectively serve as a 24/7 inventory of all the endpoints
authorized by the organization. This is helpful not only when IT needs to determine which
endpoints or users have been granted access to the network but also for life-cycle
management, when devices must be phased out or replaced.

What Are The Types of Network Access Control?

Pre-admission

Pre-admission network access control occurs before access is granted. A user attempting
to enter the network makes a request to enter. A pre-admission network control considers
the request and provides access if the device or user can authenticate their identity.

Post-admission

Post-admission network access control is the process of granting authorization to an authenticated device or user attempting to enter a new or different area of the network to which they have not been granted authorization. To receive authorization, a user or device must verify their identity again.
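The two admission stages and the security posture check described above, worked through in code. This is an added illustration, not code from the page or from any NAC product: the policy keys, thresholds, device classes and segment names are hypothetical, and the authentication step itself (802.1X or a captive portal) is assumed to have been decided upstream and is passed in as a flag.

```python
from dataclasses import dataclass, field

# Hypothetical posture policy. Every key, threshold and segment name here is
# a constructed example, not a setting taken from any NAC product.
POLICY = {
    "min_os_build": 22000,
    "require_disk_encryption": True,
    "max_av_signature_age_days": 3,
    "allowed_device_classes": {"managed-laptop", "byod-phone", "iot-camera"},
}

# Segment (VLAN) each device class is placed into once admitted; constructed labels.
SEGMENTS = {"managed-laptop": "corp", "byod-phone": "byod", "iot-camera": "iot"}
REMEDIATION = "remediation"   # isolated segment for authenticated but non-compliant devices


@dataclass
class Device:
    mac: str
    device_class: str
    os_build: int
    disk_encrypted: bool
    av_signature_age_days: int
    authenticated: bool          # outcome of 802.1X / captive-portal login, decided upstream
    identity: str = ""


@dataclass
class Decision:
    action: str                  # "admit", "quarantine" or "deny"
    segment: str                 # where the device ends up ("none" = no network access)
    reasons: list = field(default_factory=list)


def posture_failures(dev: Device) -> list:
    """Security posture check: return the policy checks the device fails (empty = compliant)."""
    failures = []
    if dev.os_build < POLICY["min_os_build"]:
        failures.append("os-outdated")
    if POLICY["require_disk_encryption"] and not dev.disk_encrypted:
        failures.append("disk-not-encrypted")
    if dev.av_signature_age_days > POLICY["max_av_signature_age_days"]:
        failures.append("av-signatures-stale")
    return failures


def pre_admission(dev: Device) -> Decision:
    """Pre-admission control: decide before the device gets any network access."""
    if dev.device_class not in POLICY["allowed_device_classes"]:
        return Decision("deny", "none", ["unknown-device-class"])
    if not dev.authenticated:
        return Decision("deny", "none", ["authentication-failed"])
    failures = posture_failures(dev)
    if failures:
        # Authenticated but non-compliant: isolate so it can be patched, not dropped entirely
        return Decision("quarantine", REMEDIATION, failures)
    return Decision("admit", SEGMENTS[dev.device_class], [])


def post_admission(dev: Device, current: str, requested: str, reauthenticated: bool) -> Decision:
    """Post-admission control: an already-admitted device asks for a different segment.
    It must prove its identity again and still pass the posture check."""
    if requested == current:
        return Decision("admit", current, [])
    if not reauthenticated:
        return Decision("deny", current, ["reauthentication-required"])
    failures = posture_failures(dev)
    if failures:
        return Decision("quarantine", REMEDIATION, failures)
    if requested != SEGMENTS[dev.device_class]:
        return Decision("deny", current, ["segment-not-permitted-for-class"])
    return Decision("admit", requested, [])


if __name__ == "__main__":
    laptop = Device("aa:bb:cc:00:00:02", "managed-laptop", 22621, True, 10, True, "bob")
    first = pre_admission(laptop)            # quarantined: AV signatures are 10 days old
    laptop.av_signature_age_days = 0         # endpoint updates while in the remediation segment
    second = post_admission(laptop, first.segment, "corp", reauthenticated=True)
    print(first, second, sep="\n")
```

The quarantine path is the point worth noticing: a device that authenticates but fails posture is not simply refused, it is parked in a segment where it can update and then, after re-authenticating, move to its proper segment through the post-admission path.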

What Is Authentication, Authorization, And Accounting (AAA)?

Authentication, authorization, and accounting (AAA) is a security framework that controls
access to computer resources, enforces policies, and audits usage. AAA and its combined
processes play a major role in network management and cybersecurity by screening users
and keeping track of their activity while they are connected.

Authentication

Authentication involves a user providing information about who they are. Users
present login credentials that affirm they are who they claim. As an identity and access
management (IAM) tool, a AAA server compares a user’s credentials with its database of
stored credentials by checking if the username, password, and other authentication tools
align with that specific user.

The three types of authentication factor are something you know, such as a password; something you have, such as a Universal Serial Bus (USB) key; and something you are, such as a fingerprint or other biometric.

Authorization

Authorization follows authentication. During authorization, a user can be granted privileges
to access certain areas of a network or system. The areas and sets of permissions granted
a user are stored in a database along with the user’s identity. The user’s privileges can be
changed by an administrator. Authorization is different from authentication in that
authentication only checks a user’s identity, whereas authorization dictates what the user is
allowed to do.

For example, a member of the IT team may not have the privileges necessary to change the
access passwords for a company-wide virtual private network (VPN). However, the network
administrator may choose to give the member access privileges, enabling them to alter the
VPN passwords of individual users. In this manner, the team member will be authorized to
access an area they were previously barred from.

Accounting

Accounting keeps track of user activity while users are logged in to a network by tracking
information such as how long they were logged in, the data they sent or received, their
Internet Protocol (IP) address, the Uniform Resource Identifier (URI) they used, and the
different services they accessed.

Accounting may be used to analyze user trends, audit user activity, and provide more
accurate billing. This can be done by leveraging the data collected during the user’s access.
For example, if the system charges users by the hour, the time logs generated by the
accounting system can report how long the user was logged in to the router and inside the
system, and then charge them accordingly.
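The three AAA steps as one small server-side flow, added here as an example rather than taken from the page: a credential check, a role-based authorization check that an administrator can widen (the VPN password case above), and a session ledger that answers the hourly-billing question. The user names, roles, permissions and rate are constructed.

```python
import hashlib
import hmac
import os

# ---- Authentication: salted PBKDF2 credential store (constructed users, not real accounts) ----
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, roles) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}

USERS = {
    "alice": make_user("correct horse battery staple", ["it-staff"]),
    "netadmin": make_user("constructed-admin-secret", ["it-staff", "network-admin"]),
}
_DUMMY_SALT = os.urandom(16)

def authenticate(username: str, password: str) -> bool:
    """Compare the presented credential with the stored one in constant time.
    Unknown usernames are hashed against a dummy salt so the response time
    does not reveal which accounts exist."""
    rec = USERS.get(username)
    candidate = _hash_password(password, rec["salt"] if rec else _DUMMY_SALT)
    return rec is not None and hmac.compare_digest(candidate, rec["hash"])

# ---- Authorization: role-based permissions (constructed role and permission names) ----
ROLE_PERMISSIONS = {
    "it-staff": {"vpn:connect", "ticket:read"},
    "network-admin": {"vpn:connect", "vpn:change-user-password", "router:configure"},
}

def authorize(username: str, permission: str) -> bool:
    """Only meaningful for an already authenticated identity: answers 'may this user do X?'."""
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in USERS[username]["roles"])

def grant_role(username: str, role: str) -> None:
    """Administrator action that widens a user's privileges (the VPN password example in the text)."""
    USERS[username]["roles"].add(role)

# ---- Accounting: per-session records used for audit and billing ----
class Accounting:
    def __init__(self):
        self.sessions = {}

    def start(self, sid: str, username: str, ip: str, now: int) -> None:
        self.sessions[sid] = {"user": username, "ip": ip, "start": now, "stop": None,
                              "bytes_in": 0, "bytes_out": 0, "services": []}

    def update(self, sid: str, bytes_in: int = 0, bytes_out: int = 0, service: str = None) -> None:
        s = self.sessions[sid]
        s["bytes_in"] += bytes_in
        s["bytes_out"] += bytes_out
        if service:
            s["services"].append(service)

    def stop(self, sid: str, now: int) -> None:
        self.sessions[sid]["stop"] = now

    def duration(self, sid: str) -> int:
        s = self.sessions[sid]
        return s["stop"] - s["start"]

    def hourly_charge(self, sid: str, rate_per_hour: int) -> int:
        """Bill every started hour, as the hourly-billing example in the text describes."""
        hours = -(-self.duration(sid) // 3600)   # ceiling division on integers
        return hours * rate_per_hour


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"), authorize("alice", "vpn:change-user-password"))
    grant_role("alice", "network-admin")
    print(authorize("alice", "vpn:change-user-password"))
```

Note the separation: `authenticate` never consults roles and `authorize` never sees a password; the accounting object records what the session did regardless of how either decision was reached, which is what makes its records useful for audit.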

Why Is The AAA Framework Important In Network Security?

AAA is a crucial part of network security because it limits who has access to a system and
keeps track of their activity. In this way, bad actors can be kept out, and a presumably good
actor that abuses their privileges can have their activity tracked, which gives administrators
valuable intelligence about their activities.

There are two main types of AAA for networking: network access and device administration.

Network access

Network access involves blocking, granting, or limiting access based on the credentials of a
user. AAA verifies the identity of a device or user by comparing the information presented or
entered against a database of approved credentials. If the information matches, access to
the network is granted.

Device administration

Device administration involves the control of access to sessions, network device consoles,
secure shell (SSH), and more. This type of access is different from network access because
it does not limit who is allowed into the network but rather which devices they can have
access to.

AAA Benefits

Using AAA in information technology and computer security operations provides numerous advantages to an enterprise:

- Improves Network Security: The framework requires all users and devices to undergo credential-based authentication before receiving network access and enforces the principle of least privilege, preventing malicious or negligent behavior that could cause data theft, deletion, or compromise.
- Centralizes Protocol Management: The security model gives system administrators a single source of truth and helps standardize protocols for AAA access control across the whole organization.
- Allows Granular Control and Flexibility: Deploying an AAA system lets network-security teams and administrators enforce detailed rules about which network resources users can access, along with their functional limitations.
- Provides Scalable Access Management: Standardizing network access protocols using AAA functionality gives IT teams the capacity to manage new devices, users, and resources added to a network, even as they quickly grow.
- Enables Information-Based Decision Making: Logging activity and session information allows administrators to make user-resource authorization, capacity-planning, and resource-adjustment decisions based on collected data rather than gut feelings.

Authentication, Authorization, and Accounting with Zero Trust

As many organizations adopt a Zero Trust model for cybersecurity, they can use AAA cybersecurity protocols for network access. For instance, security teams can enforce network segmentation, a central Zero Trust principle that divides an enterprise network into subsections to provide security layers and isolate incidents. Security teams can apply AAA processing to the various network segments, demanding authentication and authorization at each point.

Zero Trust also assumes the organization practices the principle of least privilege, where users have only just enough data and application access to do their jobs. Deploying AAA methods gives administrators the granular control, enforcement, and monitoring needed to apply minimal network privileges to each respective user.

AAA Protocols

Software providers of network security and access control platforms use three main types of network protocols in their solutions, all of which are open standards and utilize the AAA framework:

- Remote Authentication Dial-In User Service (RADIUS): Performs AAA using a client/server model specifically for remote network access. For this protocol, authentication and authorization happen simultaneously once the Network Access Server (NAS) receives and accepts the request by the user.
- Terminal Access Controller Access-Control System Plus (TACACS+): Like RADIUS, it uses a client/server model for remote access but separates the authentication and authorization processes. TACACS+ gives admins more security by requiring a separate key from the client for authorization.
- Diameter: Evolved version of RADIUS, which considers modern-day networking needs. It supports the framework for mobile devices, Long-Term Evolution (LTE) networks, and multimedia networks such as streaming websites or Voice over Internet Protocol (VoIP) applications.
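An added example of the RADIUS exchange the first bullet describes, written from RFC 2865 rather than taken from the page: the NAS builds an Access-Request whose User-Password attribute is hidden with the shared secret and the Request Authenticator, the server recovers it and answers Access-Accept or Access-Reject, and the NAS checks the Response Authenticator before trusting the answer. Only the packet format is shown (no UDP socket); the shared secret and the credential table are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                   # attribute types (RFC 2865)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-octet multiple, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value      # Type, Length (incl. header), Value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_request(username: bytes, password: bytes, secret: bytes, ident: int = 1, request_auth: bytes = None) -> bytes:
    """NAS side: the Access-Request sent when a user connects with a plain (PAP) password."""
    ra = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


def server_handle(packet: bytes, secret: bytes, credentials: dict) -> bytes:
    """Server side: recover the password, check it, answer Access-Accept or Access-Reject.
    `credentials` is a constructed username->password table; a real server checks a directory."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    presented = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    ok = code == ACCESS_REQUEST and user in credentials and hmac.compare_digest(presented, credentials[user])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply_code, ident, response_authenticator(reply_code, ident, ra, b"", secret), b"")


def client_verify(reply: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept the reply only if its Response Authenticator matches the request it sent."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

Two things the code makes visible: only the password attribute is hidden, the User-Name travels in the clear; and both the hiding and the Response Authenticator rest on MD5 keyed with the shared secret, which is why deployments keep RADIUS on a management network, carry the user credential inside an EAP method, or run the protocol over TLS (RadSec, RFC 6614).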

AAA and IAM

AAA and Identity and Access Management (IAM) solutions go hand-in-hand in their objectives: maintaining, enforcing, and tracking access control. IAM refers to the technology and organizational policies that verify a user's identity for network access, control which company resources and data they can access, and log their activity for auditing and compliance purposes.

By default, IAM technology uses AAA as a baseline for constructing the right software features and modules that fit within the framework. For example, multi-factor authentication (MFA) is a type of IAM solution. It provides more secure authentication through another factor, such as a keycard in addition to a username and password, satisfying step one of the AAA process.

Similarly, Privileged Access Management (PAM) tools are examples of IAM that maintain AAA model security. PAM solutions, however, focus on the authorization component, establishing policies for securing sensitive data by adopting and enforcing the principle of least privilege.

What is Threat Intelligence?


Threat Intelligence is evidence-based information about cyber attacks that cyber
security experts organize and analyze. This information may include:

- Mechanisms of an attack
- How to identify that an attack is happening
- Ways different types of attacks might affect the business
- Action-oriented advice about how to defend against attacks

Many forms of cyber attacks are common today, including zero-day exploits, malware,
phishing, man-in-the-middle attacks, and denial of service attacks. Different ways of
attacking computer systems and networks constantly evolve as cybercriminals find new
vulnerabilities to exploit. Cyber Threat Intelligence (CTI) helps organizations stay
informed about new threats so that they can protect themselves. Cyber security experts
organize, analyze, and refine the information they gather about attacks to learn from
and use it to protect businesses better.

Threat intelligence (or security intelligence) also helps stop or mitigate an attack that is
in progress. The more an IT team understands about an attack, the better they will be
able to make an informed decision about how to combat it.

What are the types of Threat Intelligence?


There are different types of threat intelligence, from high-level, non-technical information to technical details about specific attacks. Here are a few different kinds of threat intelligence:

- Strategic: Strategic threat intelligence is high-level information that puts the threat in context. It is non-technical information that an organization could present to a board of directors. An example of strategic threat intelligence is the risk analysis of how a business decision might make the organization vulnerable to cyber attacks.
- Tactical: Tactical threat intelligence includes the details of how threats are being carried out and defended against, including the attack vectors, tools, and infrastructure attackers are using, the types of businesses or technologies that are targeted, and avoidance strategies. It also helps an organization understand how likely it is to be a target for different types of attacks. Cybersecurity experts use tactical information to make informed decisions about security controls and managing defenses.
- Operational: Operational threat intelligence is information that an IT department can use as part of active threat management to take action against a specific attack. It is information about the intent behind the attack, as well as the nature and timing of the attack. Ideally, this information is gathered directly from the attackers, which makes it difficult to obtain.
- Technical: Technical threat intelligence is specific evidence that an attack is happening, or indicators of compromise (IOCs). Some threat intelligence tools use artificial intelligence to scan for these indicators, which might include email content from phishing campaigns, IP addresses of C2 infrastructure, or artifacts from known malware samples.

What does Threat Intelligence do?


Threat intelligence and cyber threat tools help organizations understand the risks of
different types of attacks, and how best to defend against them. Cyber threat
intelligence also helps mitigate attacks that are already happening. An organization’s IT
department may gather its own threat intelligence, or they may rely on a threat
intelligence service to gather information and advise on best security practices.
Organizations that employ software defined networking (SDN) can use threat
intelligence to quickly reconfigure their network to defend against specific types of cyber
attacks.

Why is Threat Intelligence important?


Threat intelligence allows organizations to be proactive instead of reactive when it
comes to cyber attacks. Without understanding security vulnerabilities, threat indicators,
and how threats are carried out, it is impossible to defend against cyber attacks
effectively. Threat intelligence can prevent and contain attacks faster, potentially saving
businesses hundreds of thousands of dollars. Threat intelligence can
augment enterprise security controls at every level, including network security.

What are the common indicators of compromise?

Security personnel can often find indications that an attack is happening or has happened if they are looking in the right places for unusual behavior. Artificial intelligence can help tremendously with this effort. Some common IOCs include:

- Unusual privileged user account activity: Attackers often try to gain higher account privileges or move from a compromised account to another account that has higher privileges.
- Login anomalies: After-hours logins that attempt to access unauthorized files, logins in quick succession to the same account from different IPs around the world, and failed logins from user accounts that do not exist are all good indicators that something is amiss.
- Increases in database read volume: Seeing a large increase in database read volume could indicate that someone is extracting an unusually large amount of data, such as all of the credit card numbers in a database.
- Unusual domain name system (DNS) requests: Large spikes in DNS requests from a specific host and patterns of DNS requests to external hosts are both red flags because they could mean someone from outside the organization is sending command and control traffic.
- Large numbers of requests for the same file: A large part of cybercriminal activity involves repeated attacks, which can indicate that someone is searching for a vulnerability. Seeing 500 requests for the same file could indicate that someone is trying different ways to find a weakness.
- Unexplained configuration or system file changes: While it is difficult to find a credit card harvesting tool, it is easier to find system file changes that happen from the tool being installed.
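Three of the IOCs listed above (the login anomalies and the unusual DNS request patterns) as detection logic run over constructed log lines. This is added example code, not from the page; the log format, the set of known users, the business-hours window and the thresholds are assumptions to be replaced with the organization's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines (not captured from any real system) in a simple key=value format.
SAMPLE_LOG = """\
2024-05-03T09:12:07Z auth user=alice src=203.0.113.10 result=ok
2024-05-03T09:15:41Z auth user=alice src=198.51.100.77 result=ok
2024-05-03T02:14:07Z auth user=bob src=203.0.113.10 result=ok
2024-05-03T10:00:00Z auth user=administrator src=192.0.2.55 result=fail
2024-05-03T10:00:02Z auth user=bob src=203.0.113.10 result=fail
2024-05-03T10:05:00Z dns client=10.0.0.8 qname=www.example.com
2024-05-03T10:05:01Z dns client=10.0.0.9 qname=a1b2.c3.example.net
2024-05-03T10:05:02Z dns client=10.0.0.9 qname=d4e5.c3.example.net
2024-05-03T10:05:03Z dns client=10.0.0.9 qname=f6a7.c3.example.net
2024-05-03T10:05:04Z dns client=10.0.0.9 qname=b8c9.c3.example.net
2024-05-03T10:05:05Z dns client=10.0.0.9 qname=d0e1.c3.example.net
2024-05-03T10:05:06Z dns client=10.0.0.9 qname=f2a3.c3.example.net
""".splitlines()

AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>ok|fail)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<ip>\S+) qname=(?P<qname>\S+)$")

KNOWN_USERS = {"alice", "bob", "svc-backup"}      # assumed directory contents
BUSINESS_HOURS = range(7, 19)                     # 07:00-18:59 UTC, assumed
MULTI_IP_WINDOW = timedelta(minutes=10)           # two IPs for one account inside this window
DNS_SPIKE_THRESHOLD = 5                           # queries per client, and subdomains per parent


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def login_anomalies(lines):
    """Returns (kind, user, detail) tuples for after-hours logins, one account seen from
    different IPs in quick succession, and failed logins for accounts that do not exist."""
    findings = []
    successes = defaultdict(list)      # user -> [(ts, ip)] of successful logins seen so far
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, user, ip, result = parse_ts(m["ts"]), m["user"], m["ip"], m["result"]
        if result == "fail":
            if user not in KNOWN_USERS:
                findings.append(("nonexistent-account", user, ip))
            continue
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after-hours-login", user, ip))
        for prev_ts, prev_ip in successes[user]:
            if prev_ip != ip and ts - prev_ts <= MULTI_IP_WINDOW:
                findings.append(("multi-ip-login", user, f"{prev_ip},{ip}"))
                break
        successes[user].append((ts, ip))
    return findings


def dns_spikes(lines):
    """Returns (kind, client, detail) tuples for clients issuing many queries and for clients
    resolving many distinct names under one parent domain (the shape of tunnelled C2 traffic)."""
    per_client = defaultdict(list)
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            per_client[m["ip"]].append(m["qname"].lower().rstrip("."))
    findings = []
    for client in sorted(per_client):
        qnames = per_client[client]
        if len(qnames) > DNS_SPIKE_THRESHOLD:
            findings.append(("dns-query-spike", client, len(qnames)))
        by_parent = defaultdict(set)
        for q in qnames:
            labels = q.split(".")
            if len(labels) > 2:
                by_parent[".".join(labels[-2:])].add(q)
        for parent, names in sorted(by_parent.items()):
            if len(names) >= DNS_SPIKE_THRESHOLD:
                findings.append(("dns-subdomain-fanout", client, parent))
    return findings


if __name__ == "__main__":
    for f in login_anomalies(SAMPLE_LOG) + dns_spikes(SAMPLE_LOG):
        print(f)
```

The rules are deliberately stateful rather than per-line: the multi-IP check needs the account's earlier successful logins, and the DNS check needs the whole query set for a client, so in a SIEM both are windowed aggregations, not single-event matches.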

What are the available Threat Intelligence tools?

A variety of threat intelligence tools are for sale or available at no cost through the open-source community. They all have slightly different approaches to threat intelligence gathering:

- Malware disassemblers: These tools reverse engineer malware to learn how it works and help security engineers decide how to defend against future, similar attacks.
- Security information and event management (SIEM) tools: SIEM tools allow security teams to monitor the network in real time, gathering information about unusual behavior and suspicious traffic.
- Network traffic analysis tools: Network traffic analysis tools collect network information and record network activity to provide information that makes detecting an intrusion easier.
- Threat intelligence communities and resource collections: Freely accessible websites that aggregate known indicators of compromise and community-generated data about threats can be a valuable source of threat intelligence. Some of these communities support collaborative research and provide actionable advice on how to prevent or combat threats.

Threat intelligence can come from a variety of sources, including:

- Internal sources: These include network logs, past cyber incidents, and the organization's own security landscape.
- External sources: These include:
  - Open-source feeds: These are typically free or low-cost, and are managed by online communities.
  - Commercial feeds: These are products that businesses need to procure from third-party providers.
  - Threat intelligence-sharing communities: These are communities that share threat intelligence.
  - Subscription-based intelligence feeds: These provide insights from industry experts, research organizations, and government agencies.
  - Spamhaus: This is one of the largest providers of threat intelligence feeds and blacklists/blocklists for email and internet service providers.
  - FraudGuard: This service collects and analyzes real-time internet traffic.
  - GreyNoise: This service collects and analyzes data on Internet-wide scanning activity.
  - HoneyDB: This service provides real-time data on honeypot activity.

Threat intelligence is information that describes existing or potential threats to systems and users. It can take many forms, including written reports and observations of IP addresses, domains, and file hashes.

Endpoint protection

Endpoint protection is a cybersecurity approach that protects devices from malicious software and cyberattacks. It's important because devices like laptops, tablets, and mobile phones can be used to access corporate networks and resources, which can create attack paths for security threats. Endpoint protection uses a variety of technologies and practices, including:

- Endpoint protection platforms (EPPs): These solutions scan files for threats as they enter a network, and can also investigate and remediate security incidents.
- Antivirus (AV) software: This is a common endpoint protection solution that scans files for known malware signatures.
- Network-level restrictions: Organizations can restrict access to the network based on a device's security policy compliance.
- Software installation: Organizations can install software directly on endpoints to monitor and protect them.

Some endpoint protection platforms include SentinelOne Singularity Platform, CrowdStrike Falcon, Microsoft Defender for Endpoint, Trellix Endpoint Security Suite, and Sophos Intercept X.

Why is Endpoint Protection important?
The transition to remote and hybrid work models has transformed businesses’
IT infrastructures, moving corporate endpoints outside the enterprise network
and its perimeter-based defenses. As endpoints become organizations’ first
line of defense against cyber attacks, they require endpoint security solutions
to identify and block these threats before they pose a risk to the company.

Endpoints are the target of many cyberattacks, and, with shifts in corporate IT
infrastructure, are becoming more vulnerable to attack. Increased support for
remote work moves corporate endpoints outside of the enterprise network and
its protections. Bring your own device (BYOD) policies allow employee-owned
devices to connect to the enterprise network and access sensitive corporate
data.

Endpoint protection has always been important for defense in depth, but the
blurring of the enterprise network perimeter due to remote work and BYOD
policies has made it even more important. Endpoints are companies’ first line
of defense against cyber threats and a major source of cyber risk.

How Does It Work?

Endpoint protection works via a combination of network and device-level defenses. At the network level, the organization may restrict access to the enterprise network based on a device's compliance with corporate security policies and least privilege. By blocking insecure devices from accessing the corporate network and sensitive resources, the organization restricts its attack surface and enforces its security policies.

Organizations may also install software directly on an endpoint to monitor and protect it. This includes both standalone solutions and ones that use an agent installed on the device to allow it to be centrally monitored, controlled, and protected. This allows an organization to monitor and protect devices that may not always be connected directly to the enterprise network.

Types of Endpoint Protection

The modern enterprise has a variety of different endpoints that face a wide range of potential cyber threats. Endpoint protection solutions come in several different forms, including:

- Endpoint Detection and Response (EDR)
- Endpoint Protection Platform (EPP)
- Mobile Threat Defense (MTD)
- Advanced Threat Protection (ATP)

The right choice of an endpoint security solution depends on the endpoint in question and the company's unique needs. For example, as remote work and BYOD become more common, mobile devices are a greater focus of cybercriminals, and MTD is a more vital endpoint protection solution.

Endpoint Protection Features (Components)

An endpoint protection solution should offer comprehensive protection to the endpoint and to the corporate network. Some essential features of an endpoint security solution include the following:

- Anti-Malware: Endpoint protection solutions should detect and prevent infections by viruses, worms, and other malware.
- Behavioral Analytics: Ransomware and other malware variants have unique behaviors that make them detectable without the use of signatures. By monitoring these behaviors, endpoint protection solutions can detect and respond to zero-day attacks.
- Compliance: The ability to enforce compliance with enterprise security policies is increasingly important with the growth of remote work and BYOD. Endpoint solutions should evaluate devices and only allow connections to the corporate network if they are compliant with corporate policy.
- Data Encryption: Encryption is the most effective way to protect data against unauthorized access and potential breach. Endpoint security solutions should offer full disk encryption (FDE) and support encryption of removable media.
- Firewall and Application Control: Network segmentation is essential for managing access and cybersecurity risk. Firewall and application control functionality enables network segmentation and blocking of traffic based on security policy and application-specific rules.
- Sandbox Inspection: Endpoints can be infected with malware via various means such as phishing, vulnerability exploitation, and more. Endpoint security solutions should extract and inspect files in a sandboxed environment to identify and block malicious content from reaching an endpoint.
- Secure Remote Access: Secure remote access is essential for employees working under a remote or hybrid model. Endpoint security solutions should incorporate a virtual private network (VPN) client or other secure remote access solution.
- URL Filtering: Malicious links are a commonly used technique in phishing attacks, and inappropriate web usage on corporate devices impedes productivity and puts the company at risk. URL filtering helps prevent these threats by blocking malicious and inappropriate websites.
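Anti-malware and behavioral analytics side by side, as an added example (not code from the page or from any of the products named above). The first check matches a file hash against a constructed indicator feed of the kind the threat intelligence section describes (file hashes as observations); the second ignores hashes entirely and flags a process that changes the extension of many files within a few seconds, which is what a signature-less ransomware rule looks like. The sample "files", thresholds and telemetry are all constructed.

```python
import hashlib
from collections import defaultdict

# --- Signature-based detection: a feed of known-bad file hashes ---
# Constructed "samples": these byte strings stand in for malware files; they are not real malware.
KNOWN_BAD_SAMPLES = [b"constructed-malicious-sample-A", b"constructed-malicious-sample-B"]
SIGNATURE_FEED = {hashlib.sha256(s).hexdigest() for s in KNOWN_BAD_SAMPLES}


def signature_scan(file_bytes: bytes) -> bool:
    """True if the file's SHA-256 appears in the indicator feed."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_FEED


# --- Behavioral detection: mass re-extensioning of files by one process in a short window ---
RENAME_THRESHOLD = 20     # distinct files whose extension changed ...
WINDOW_SECONDS = 10       # ... within this many seconds, by the same process (assumed values)


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def behavioral_scan(events) -> set:
    """events: iterable of (timestamp_seconds, pid, action, old_path, new_path) tuples;
    new_path is None unless action == 'rename'. Returns the set of pids whose file activity
    looks like encryption in progress, regardless of what their executable hashes to."""
    flagged = set()
    recent = defaultdict(list)      # pid -> timestamps of extension-changing renames still in window
    for ts, pid, action, old_path, new_path in events:
        if action != "rename" or _extension(old_path) == _extension(new_path):
            continue
        window = [t for t in recent[pid] if ts - t <= WINDOW_SECONDS] + [ts]
        recent[pid] = window
        if len(window) >= RENAME_THRESHOLD:
            flagged.add(pid)
    return flagged


def constructed_events():
    """Constructed endpoint telemetry: one burst that looks like encryption, one slow legitimate job."""
    evs = []
    for i in range(25):   # pid 4242: 25 documents re-extensioned in 5 seconds
        evs.append((1000.0 + i * 0.2, 4242, "rename",
                    f"/home/u/docs/report{i}.docx", f"/home/u/docs/report{i}.docx.locked"))
    for i in range(25):   # pid 77: the same number of renames spread over 250 seconds (a build job)
        evs.append((2000.0 + i * 10, 77, "rename", f"/tmp/build{i}.tmp", f"/tmp/build{i}.o"))
    evs.append((3000.0, 100, "write", "/var/log/app.log", None))
    return evs


if __name__ == "__main__":
    print(signature_scan(KNOWN_BAD_SAMPLES[0]), signature_scan(KNOWN_BAD_SAMPLES[0] + b"\x00"))
    print(behavioral_scan(constructed_events()))
```

Appending a single byte to a known sample already defeats the hash match, while the behavioral rule still fires on the rename burst and stays quiet for the slow build job; that gap is the reason the two features are listed together rather than as alternatives.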
