Network security and Protocols Assignment

Added on  2021/08/10

Amey U. Parulkar, UWL
MSc Cyber Security
Network security and Protocols
Exploring DNS/DHCP, IPSec/TLS and UTM/SIEM

DHCP and DNS
DHCP and DNS: An Introduction
What is DHCP?
DHCP, commonly known as the Dynamic Host Configuration Protocol, is used in networks to assign IP addresses and related IP configuration to network devices. These can range from servers or personal computers to handheld devices such as mobile phones. It can also prove useful for TCP/IP-level services such as automatic software upgrades.
DHCP vs DNS: What are they, What’s their Differences by John [2018] Image Credit: FS Community
DHCP Server – The job of a DHCP server is to automatically assign IP addresses to client devices. In large networks the addresses assigned to clients should ideally be dynamic. These dynamic IP addresses have a lease that expires, after which a different unique IP address may be assigned dynamically for the next session.
DHCP Client – The clients are usually devices that require connectivity to a network, such as a mobile phone, PC or IoT endpoint. These devices are pre-configured to handle DHCP.
DHCP Relaying – Relaying is useful in an environment where the DHCP servers are centralized rather than assigned to individual subnets. A router is usually used as the relaying device, acting as a bridge between the server and the multiple clients broadcasting messages. The router listens for these messages and then forwards them to the server/client. [1,2]
What is DNS?
The Domain Name System (DNS) is used to translate hostnames into IP addresses and vice versa. The concept is like a yellow-pages directory, where each user's name is associated with a unique telephone number or address. DNS is useful for converting IP addresses (which are difficult for humans to remember) into user-friendly domain names. [3] Below is a diagrammatic representation of how DNS works:
The history of DNS Vulnerabilities and the cloud by Prizmant, Daniel [2020] Image Credit: FS Community
Vulnerabilities & Consequences: DNS and DHCP
DNS Vulnerabilities
DNS is vulnerable to a multitude of attack types. Most commonly they target a specific DNS function (such as the cache, recursive or authoritative function). The main objective is to derail businesses, corrupt data, steal data, or all of these. Attackers mostly prey on these vulnerabilities in the form of DNS attacks, which are broadly categorized into 4 main types: [5]
Fig 1: DNS Vulnerability Categories
- Volumetric DoS attacks: when a DNS server is overwhelmed by a sudden surge of DNS requests from one or multiple sources, resulting in service unavailability or degradation.
- Exploits: exploiting flaws or bugs in the existing DNS protocol or in an operating system running DNS services.
- Stealth/Slow Drip DoS attacks: using slow responses to a particular DNS query, thereby causing capacity exhaustion which eventually leads to service degradation.
- Protocol Abuse: DNS is exploited in a way that was not originally intended, which results in phishing and exfiltration.
The above categories can be further broken down into various types of attacks that make DNS more vulnerable as a protocol. The sections below highlight each of the four categories and the types of attacks each one encompasses.
Volumetric Attacks
Volumetric attacks are the result of flooding DNS servers with direct requests, using a spoofed IP address, resulting in the exhaustion of resources such as the cache, recursion or authoritative functions. [7]
Fig 2: Volumetric Attacks
- Direct DNS DoS Attack: one way of exploiting DNS is to saturate the cache, recursive and authoritative functions. This can be achieved using a spoofed IP address.
- DNS Amplification (DDoS): the targets of these attacks are DNS servers that can be accessed without any restrictions. They can be used as a source to flood the target with DNS responses, using a spoofed source address that is the target's address, so that the target receives its own response. To cause more amplification, the request contains multiple zone requests.
- Bogus Domain Attack: a bogus domain is a domain that does not exist. The purpose is to cripple the DNS server by consuming maximum resources, thereby not allowing genuine queries to be processed. This is also known as an NXDOMAIN attack.
- DNS Reflection Attack: this attack targets infrastructure such as firewalls or authoritative servers to exhaust the bandwidth of the network by using multiple resolver servers available on the internet. This attack is usually combined with amplification attacks to maximise the impact.
Exploits
These are nothing but vulnerabilities in the DNS protocol which attackers take advantage of to infiltrate the network. [8]
Fig 3: Exploits
- Zero-Day Vulnerability: these attacks largely target recently released software with security holes for which no patches are yet available.
- DNS-based exploits: any shortcomings or flaws observed in the DNS protocol or services, or in an operating system running DNS services, are exploited for negative impact.
- Protocol Anomalies: intentionally malformed DNS queries are sent to crash the targeted service.
- DNS Rebinding: a combination of JavaScript and IP subnet discovery in order to attack local network IP devices through the browser. This attack is usually used for discovery of unsafe devices (mainly IoT) on the network and for data exfiltration.
Stealth/Slow Drip DoS Attacks
The main objective of these types of attacks is to slow down or tax the resources of the recursive server, in turn slowing overall performance. These attacks are also referred to as random subdomain attacks. [9]
Fig 4: Stealth/Slow Drip Attacks
- Sloth Domain Attack: as the name suggests, queries are routed to the attacker's authoritative domain, which responds very slowly, just before the timeout, so as to cause congestion at the victim's recursive server.
- Phantom Domain Attack: this attack sends, via DNS resolvers, subdomains for which the domain server is not available; this results in cache saturation at the server's capacity level.
- Pseudo-Random Subdomain Attack (PRSD): a random query name as a subdomain of the victim's domain is the modus operandi of this attack. This results in saturation of authoritative server capacity. This attack uses either open relay DNS or the DNS recursive farm at an ISP in order to also exhaust the resources of servers waiting for answers from the authoritative server.
Protocol Abuse
The usage of any malware, phishing/pharming or spam tools to abuse the DNS protocol is essentially referred to as protocol abuse. [10]
Fig 5: Protocol Abuse
- DNS Tunneling: the DNS protocol is used to encapsulate other protocols or data in order to remotely control malware and/or exfiltrate data.
- DNS Cache Poisoning: attacks introducing data into a DNS resolver's cache, causing the name server to return an incorrect IP address for further requests, diverting traffic to the attacker's computer.
- DNS Hijacking - Pharming: malware hosted on the local computer alters the TCP/IP configuration to point to a malicious DNS server, causing traffic to be redirected to a phishing website.
- DNS Hijacking - Phishing: DNS records are modified at the registrar level (after the compromise of the administrator's credentials) and users are redirected to a malicious website, since valid domains are being used.
- Subdomain Hijacking: an attack aiming to reuse an existing DNS entry (generally a CNAME) associated with a public cloud resource that has been removed.
- Domain Squatting: an attack using registered domain names containing a typo in order to capture or redirect legitimate traffic to another website.
DHCP Vulnerabilities
DHCP transactions do not have a built-in authentication mechanism, which makes them vulnerable by default. Attackers can exploit this weakness at the protocol layer or by exploiting the layer 2 vulnerabilities associated with DHCP traffic. [13] This section discusses some of the most common vulnerabilities in DHCP.
Fig 6: DHCP Vulnerabilities (DHCP Exhaustion, Malicious DHCP Client, DHCP Rogue Server, DHCP Spoofing, DHCP Starvation)
DHCP Starvation Attack
This is a Denial-of-Service attack where attackers send manipulated DHCP requests to the server, thereby securing all available IPs and leaving genuine clients with no IP assigned. Also, attackers can influence users by sending fake DHCP requests/responses so that they connect to the attacker's machine instead of a valid DHCP server. [12]
DHCP Part2| DHCP Vulnerabilities by Dawson, David [2018] Image Credit: packetorbit
DHCP Exhaustion Attack
As the name suggests, this attack concentrates on exhausting the pool of IP addresses that the DHCP server holds. As the DHCP server cannot differentiate between a genuine client and a spoofed one, it will hand out the entire set of available IP addresses, thereby leaving no IP addresses for legitimate clients. [11]
DHCP Starvation attack with DHCP Rogue server by Lucideus [2018] Image Credit: medium.com
DHCP Rogue Server Attack
In this type of attack, a malicious user runs a DHCP server which is not monitored by the administrator. This server responds to all DHCP requests with a fake IP address. When clients connect to the network, not just the original DHCP server but the rogue server will also receive the request, and both servers respond. The rogue server provides clients with incorrect information such as a wrong default gateway or DNS server/IP address. Also, when the rogue server poses as the default gateway, it can capture all the network traffic and manipulate packets, stealing information such as passwords.
DHCP Part2| DHCP Vulnerabilities by Dawson, David [2018] Image Credit: packetorbit
Malicious DHCP Client
A client that gains unauthorized access to a network and uses its network services is referred to as a malicious client. A malicious client is extremely dangerous as it could also mount a starvation or rogue server attack.
Ineffectiveness of induced DHCP starvation attack by Tripathi, Nikhil [2018] Image Credit: researchgate
DHCP Spoofing
As the name suggests, DHCP spoofing imitates a source MAC and IP address so that malicious traffic appears to originate from a genuine DHCP server or client, while the traffic is actually being generated by the attacker. [13]
DHCP Part2| DHCP Vulnerabilities by Dawson, David [2018] Image Credit: packetorbit
Mitigation Techniques: DNS and DHCP
The above-mentioned DHCP and DNS vulnerabilities are extremely dangerous and can bring down a network device, several devices or a whole network in a matter of minutes. However, there are mitigation techniques which, if followed, can help reduce the risk of network devices or the overall network being vulnerable to such attacks.
DNS Mitigation Techniques
DNS Tunneling - Mitigation
- Can be detected via payload or traffic analysis.
- Payload analysis observes the DNS requests/responses by looking at the size of the request versus the response.
- Traffic analysis delves into the volume aspect, such as number of requests, geographic location, domain history etc.
- Tools such as "Zscaler", "TunnelGuard" and "Splunk" can be useful for detection.
- Setting strong firewall rules for inbound and outbound traffic based on detection can mitigate further DNS tunneling.
DNS Cache Poisoning - Mitigation
- Use DNS Security Extensions (DNSSEC) to address threats against DNS.
- Look for any anomaly in the DNS traffic by active monitoring using tools.
- Due to its vulnerable nature, keep DNS patched to the latest level.
- Implement strong password policies on network devices.
- Make use of HTTPS indicators to prove the legitimacy of the site being accessed.
DNS Hijacking - Pharming - Mitigation
- Avoid links and attachments from unknown senders.
- Only access secured links that begin with HTTPS.
- Do not access sites that look suspicious.
- If it is too good to be true, then it is a scam; stay away from such deals.
- Choose the correct ISP and change the default settings of the home router.
DNS Hijacking - Phishing
- Educate employees via training and mock phishing scenarios.
- Install a spam filter to detect viruses etc.
- Deploy a web filter to block malicious websites.
- Encrypt all sensitive information.
- Disable HTML email messages.
Subdomain Hijacking
- Review access to domain name registrars.
- Review DNS roles and responsibilities.
- Update all registration information.
- Use roles for domain registration information.
- Don't use personal email addresses.
- Credential updates: change the passwords.
Domain Squatting
- Register your brand name with the TMCH (Trademark Clearinghouse).
- Use the ICANN Trademark Registry Exchange service to ensure unauthorized registrations are blocked.
- Install SSL certificates to show that your site is the real site.
- Include Sender Policy Framework, and use secure email gateways and software to detect mismatched headers and envelope sender addresses.
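The payload and traffic analysis described for DNS tunneling detection, as an added example (not code from the assignment or from any of the tools it names). The resolver log format, the thresholds and the domain names are all constructed for the example; a real deployment would use a public-suffix list and thresholds tuned on its own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from a real resolver). Field order:
# time client_ip qname qtype request_bytes response_bytes
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A 33 49
10:00:02 10.0.0.5 mail.example.com MX 34 120
10:00:03 10.0.0.9 2f7a9c3e1b8d4f60a1c2e3d4f5a6b7c8d9e0f1a2b3c4.t.evil-example.net TXT 80 410
10:00:03 10.0.0.9 9d1e2f3a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c.t.evil-example.net TXT 80 405
10:00:04 10.0.0.9 0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5.t.evil-example.net TXT 80 399
10:00:04 10.0.0.9 b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2.t.evil-example.net TXT 80 402
10:00:05 10.0.0.7 cdn.example.org A 30 46
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, qname, qtype, req, resp = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "req": int(req), "resp": int(resp)}


def shannon_entropy(text):
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def base_domain(qname):
    """Crude registrable-domain guess: the last two labels (no public-suffix list here)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def payload_findings(rec, max_label=32, max_entropy=3.5, max_ratio=4.0):
    """Payload analysis: per-query checks on label shape and response/request size."""
    reasons = []
    leftmost = rec["qname"].split(".")[0]
    if len(leftmost) > max_label:
        reasons.append(f"long leftmost label ({len(leftmost)} chars)")
    if shannon_entropy(leftmost) > max_entropy:
        reasons.append(f"high-entropy label ({shannon_entropy(leftmost):.2f} bits/char)")
    if rec["req"] and rec["resp"] / rec["req"] > max_ratio:
        reasons.append(f"response {rec['resp']}B vs request {rec['req']}B")
    return reasons


def traffic_findings(records, min_unique=3):
    """Traffic analysis: many distinct subdomains of one domain from one client."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["client"], base_domain(r["qname"]))].add(r["qname"])
    return {key: len(names) for key, names in seen.items() if len(names) >= min_unique}


def analyse(log_text):
    """Return (payload_hits, traffic_hits) for the whole log."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    payload_hits = {}
    for r in records:
        reasons = payload_findings(r)
        if reasons:
            payload_hits[r["qname"]] = reasons
    return payload_hits, traffic_findings(records)


if __name__ == "__main__":
    payload_hits, traffic_hits = analyse(SAMPLE_LOG)
    for qname, reasons in payload_hits.items():
        print("payload:", qname, "->", "; ".join(reasons))
    for (client, domain), count in traffic_hits.items():
        print(f"traffic: {client} queried {count} distinct names under {domain}")
```

The ordinary queries pass both checks, while the four hex-encoded TXT lookups trip the payload rules and the per-client subdomain count together.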
DHCP Mitigation Techniques
Malicious DHCP Client - Mitigation
- Enable port security.
- DHCP snooping binding must be enforced.
- Use HTTPS instead of HTTP.
- Use SFTP instead of FTP.
- Use SSH instead of telnet.
- Use a firewall.
DHCP Rogue Server - Mitigation
- To mitigate a rogue DHCP server attack, configure the interface facing the rogue server as untrusted. That action will block all ingress DHCP server messages on that interface.
- DHCP snooping can be a useful mitigation technique as well.
DHCP Spoofing - Mitigation
- DHCP spoofing can be mitigated by using a technique called DHCP snooping.
- It does so by copying DHCP messages to the control plane and using the information in the packets to create anti-spoofing filters.
- These filters bind a client's MAC address to its DHCP-assigned IP address and use that binding to filter spoofed DHCP messages.
DHCP Starvation - Mitigation
- Execute the mac-address max-mac-count command to set the MAC learning limit.
- Disable unknown frame forwarding when the MAC learning limit is reached.
- To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP server.
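The DHCP snooping behaviour described in the rogue server, spoofing and starvation mitigations above, modelled in one place as an added example (not code from the assignment or from any switch vendor). The port names, MAC addresses, lease and the per-port limit are constructed; the model drops server messages on untrusted ports, checks the frame source MAC against chaddr, rate-limits client messages, and learns the MAC-to-IP binding from the server's ACK.

```python
from collections import defaultdict
from dataclasses import dataclass

# Message types sent by a DHCP server; one arriving on an untrusted
# (client-facing) port is the rogue-server signature snooping looks for.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST"}


@dataclass(frozen=True)
class DhcpMessage:
    port: str         # switch port the frame arrived on
    src_mac: str      # Ethernet source address of the frame
    chaddr: str       # client hardware address inside the DHCP payload
    msg_type: str     # DISCOVER, OFFER, REQUEST, ACK, NAK
    yiaddr: str = ""  # address offered/assigned (server messages only)


class DhcpSnooping:
    """Toy model of a switch's DHCP snooping feature (constructed for this example)."""

    def __init__(self, trusted_ports, client_limit=3):
        self.trusted = set(trusted_ports)
        self.client_limit = client_limit   # client messages allowed per untrusted port
        self.bindings = {}                 # (port, mac) -> DHCP-assigned IP
        self._pending_port = {}            # chaddr -> untrusted port of its last request
        self._client_count = defaultdict(int)
        self.events = []

    def process(self, m):
        """Return True if the switch forwards the message, False if it drops it."""
        untrusted = m.port not in self.trusted
        if untrusted and m.msg_type in SERVER_MESSAGES:
            # Rogue server: only trusted (uplink/server) ports may carry server replies.
            self.events.append(("DROP_ROGUE_SERVER", m.port, m.src_mac))
            return False
        if untrusted and m.msg_type in CLIENT_MESSAGES:
            if m.src_mac != m.chaddr:
                # MAC address check: a payload chaddr that differs from the
                # frame's source MAC is the pattern the starvation mitigation targets.
                self.events.append(("DROP_MAC_MISMATCH", m.port, m.src_mac))
                return False
            self._client_count[m.port] += 1
            if self._client_count[m.port] > self.client_limit:
                # Rate limit: a flood of requests from one port is an exhaustion attempt.
                self.events.append(("DROP_RATE_LIMIT", m.port, m.src_mac))
                return False
            self._pending_port[m.chaddr] = m.port
        if m.msg_type == "ACK" and m.chaddr in self._pending_port:
            # Learn the binding from the server's ACK on a trusted port; this is
            # the table that the anti-spoofing filters consult.
            port = self._pending_port.pop(m.chaddr)
            self.bindings[(port, m.chaddr)] = m.yiaddr
            self.events.append(("BIND", port, m.chaddr, m.yiaddr))
        return True

    def verify_source(self, port, src_mac, src_ip):
        """Anti-spoofing filter for ordinary IP traffic on an untrusted port."""
        if port in self.trusted:
            return True
        return self.bindings.get((port, src_mac)) == src_ip


def run_scenario():
    """Constructed traffic: a legitimate lease, a rogue OFFER, a spoofed chaddr and a flood."""
    client, server, rogue = "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "de:ad:be:ef:00:99"
    sw = DhcpSnooping(trusted_ports={"Gi1/0/24"}, client_limit=3)
    traffic = [
        DhcpMessage("Gi1/0/1", client, client, "DISCOVER"),
        DhcpMessage("Gi1/0/24", server, client, "OFFER", "10.0.0.50"),
        DhcpMessage("Gi1/0/1", client, client, "REQUEST"),
        DhcpMessage("Gi1/0/24", server, client, "ACK", "10.0.0.50"),
        DhcpMessage("Gi1/0/2", rogue, client, "OFFER", "10.0.0.99"),     # rogue server
        DhcpMessage("Gi1/0/4", rogue, "02:00:00:00:00:aa", "DISCOVER"),  # chaddr != src MAC
    ]
    # Five DISCOVERs from five MACs on one port: exhaustion attempt, limit is 3.
    for i in range(5):
        mac = f"02:00:00:00:01:{i:02x}"
        traffic.append(DhcpMessage("Gi1/0/3", mac, mac, "DISCOVER"))
    forwarded = [sw.process(m) for m in traffic]
    return sw, forwarded


if __name__ == "__main__":
    sw, forwarded = run_scenario()
    for event in sw.events:
        print(event)
    print("forwarded", forwarded.count(True), "dropped", forwarded.count(False))
```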
IPSec and SSL/TLS
Advantages of IPSec and SSL/TLS – A Comparison
IPSec
IPSec is a protocol suite used to secure communication between two network devices or communication endpoints. It supports encryption of data together with authentication, integrity and protection. For example, it can be used between two routers, between a router and a host, or between a firewall and a host.
IPSec Advantages
Network Layer Security
- IPSec is transparent to applications.
- End users need not bother about its configuration.
- There is no impact on layers above the network layer, as IPSec operates at the network layer.
- IPSec allows monitoring of all network traffic.
- It is recommended to have an IPSec-based VPN for network protection.
Confidentiality
- An advantage of IPSec is that it offers confidentiality.
- IPSec uses public keys to ensure safe data transfer.
- Keys help to verify that data has come from the correct host.
- Due to this, it is impossible to forge data packets.
Zero dependency on Application
- IPSec is implemented at the network layer and is hence independent of the applications used.
- IPSec requires modification at the OS level, and hence IPSec-based VPNs have no issues with any type of application.
Network Support
- IPSec can be implemented on any network irrespective of its size.
- Networks ranging from a local LAN to a WAN such as the internet can use IPSec for security.
Authentication
- IPSec does authentication by placing digital signatures on each data packet.
- Any third-party interference can be protected against here.
- Contents inside packets cannot be modified without detection, which makes IPSec more secure.
IPSec Disadvantages
CPU Overhead
- Security can be a boon with IPSec's encryption, but constant encryption and decryption causes high CPU utilization, which is a disadvantage.
- This is worse if data packets are small in size, since more packets must be encrypted/decrypted and hence there is more CPU overhead.
- Due to these large overheads, network performance is diminished.
Algorithms
- It turns out that the security algorithms used in IPSec are not strong enough. Due to this, the security is at a greater level of risk.
- The latest algorithms, however, do prevent these vulnerabilities.
Compatibility
- Not all software developers follow the IPSec procedures. This results in compatibility issues with several pieces of software.
- Also, IPSec does not have any compatibility standard.
Access Range
- Due to its wide access range, IPSec can provide privileges to devices in the network that are not part of the list.
- For example, if one device is infected, all the others could be infected too.
- Hence, unless we have added security measures, an IPSec-based network is always vulnerable to cyber attacks.
Firewall Restrictions
- Users cannot access the internet due to firewall restrictions.
- This can be rectified only by contacting the network administrator.
SSL/TLS
This protocol operates at the transport layer of the OSI model. It is intended to provide a secure connection between a client and a server over the web. All packet data is encrypted end-to-end to make this communication more secure and harder to attack. As an example, SSL/TLS is used for secure communication between Google Chrome and a web server.
SSL/TLS Advantages
Improves Security
- Communication between server and client is over an encrypted connection.
- This makes MITM-type attacks harder.
- It is an advantage to use SSL/TLS communication for traffic data associated with credit cards.
Instills Trust
- As the communication is end-to-end encrypted, it makes websites more trustworthy to visit.
- A website using SSL/TLS certainly enhances the confidence of users visiting that site, especially websites that cater for financial transactions such as banks/shopping websites etc.
- Also, an SSL/TLS certificate is mandatory for customers to make purchases via credit card.
Easy Deployment
- In the early days, SSL certificates were purchased from a certificate authority for a limited time period.
- Installation of this SSL certificate would provide the secure connection for visitors.
- Nowadays, organisations such as "Let's Encrypt" provide these SSL certificates for free, and they can be deployed directly to the server.
Ability to use HTTP/2
- This is the second major update to the HTTP protocol.
- The new version uses improvements such as header compression and full multiplexing.
- None of the browsers currently support HTTP/2 unencrypted.
- Hence, using an SSL certificate, you can take advantage of the HTTP/2 benefits provided the server supports it.
Data Integrity
- SSL/TLS ensures that none of the data is lost on its way and that it reaches its destination safely.
SSL/TLS Disadvantages
High Latency
- In comparison to other encryption techniques, SSL/TLS has higher latency.
- Whenever TLS is used, additional latency is added to the site's traffic.
MiM Attacks
- Although it is extremely hard to penetrate the encryption of SSL/TLS, it is not impossible.
- Some versions of TLS are still vulnerable to MiM attacks.
- SSL/TLS is also susceptible to other forms of cyber attacks such as DROWN/POODLE.
Platform Support
- Another disadvantage of the new TLS 1.3 version is that it supports limited platforms.
- Major OS providers such as Microsoft are having issues with the implementation process.
Implementation Cost
- Implementing SSL/TLS certificates involves certain costs, although a few sites now provide them for free due to competition.
- The amount to be paid depends on the number of domains and subdomains.
Network Complexity
- Another major disadvantage of SSL/TLS is the complexity in network architecture.
- A network topology can become complex, leading to more failovers.
Scenarios – IPSec and SSL/TLS
IPsec Scenarios
Some of the scenarios that fit best with IPSec are mentioned below.
o Configure IPSec on Cisco Routers
Configuration on Cisco devices involves four stages:
• Configure crypto access lists: configure the access control list on the router with a rule defining which traffic is subjected to IPSec processing.
• Configure transform sets: the set of protocols and algorithms that a peer connection must be offered during IPSec SA negotiation.
• Apply crypto maps: traffic leaving the interface is subjected to the IPSec kernel for encapsulation.
Apart from the above scenario, a few scenarios are listed below which would best fit the situation:
o Configuring an IPSec-protected GRE tunnel
o Configuring tunnel mode IPSec
o Configuring IPSec on Windows 2000/XP
[30,31]
SSL/TLS Scenarios
Although there are a lot of real-life use cases for securing networks and devices using SSL/TLS, the situations/scenarios where this protocol fits best are listed below.
o TLS/SSL Certificates: ensuring network security by installing SSL/TLS certificates for end-to-end encrypted communication.
o Network Access: providing access to devices which are pre-authorized and authenticated, such as VPNs, network devices, mobile devices, or Mac or Windows login.
o IoT (Internet of Things): ensuring only trusted IoT devices can connect to your network.
o Email Encryption (S/MIME): ensuring all intellectual property is encrypted during transmission and while mail resides on the server.
o Single Sign-On
[28,29]

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.
Document Page
UTM (Unified Threat Management) vs SIEM (Security Information and Event
Management)
UTM (Unified Threat Management)
UTM acts as a single source that can protect not just users and devices but the whole network from security threats by providing multiple security features and services. This includes functions such as anti-virus, anti-spam, content filtering and spam filtering, essentially combining security, performance, management and compliance capabilities into a single installation. This makes it quite simple for administrators to manage networks.
UTM scans all network traffic, not just that of a single device or a single server, thereby blocking a significant amount of malicious traffic. UTM is quite popular among small and medium-sized businesses, which can handle information security with a single system instead of multiple ones.
Threats such as malware, phishing/social engineering, viruses/worms/trojans, hackers and DoS (Denial of Service) are the ones that any organization must be aware of and beware of, as each of these threats requires a different kind of technology to resolve, making things more complicated. This is simplified by one word – UTM! [32]
Unified Threat Management by Rosencrance, Linda [2020] Image Credit: DRYPISIAK/GETTY IMAGES
SIEM (Security Information and Event Management)
In today's world, IT systems are not secured enough and are prone to attacks that are difficult to pre-empt. Software that improves the security awareness of the network environment by amalgamating security information management (SIM) and security event management (SEM) is called a SIEM (Security Information and Event Management). This solution makes use of otherwise unused data by implementing rules and correlations that convert dull log entries or events from security systems into actionable items. This is useful for security teams to detect threats in near real time, manage incident response, create dashboards and reporting, and perform deep-dive investigation of past events. It can also be helpful in auditing for compliance purposes. [34]
Which three problems does SIEM solve by Anon [2021] Image Credit: comodo.com
UTM vs SIEM – Features, Technologies, Goals
UTM
Features
Deep Packet Inspection (DPI) Firewall
The classification of layer 7 network traffic is performed using a DPI engine. The function of the DPI engine is to inspect each packet to accurately identify the application in use. A DPI firewall also supports hierarchical filtering, such as by network and by host, so that organizations can manage and apply security policies at company, department or individual level. [36]
Application Control
Firewalls that provide reliable control at the application level over content and users are extremely important. By reliably identifying an application, we can take an informed decision not only about which applications are allowed, but also by whom and under what circumstances. For instance, Skype chat may be allowed company-wide, but video calls limited to sales and marketing only. [36]
UTM Firewall features overview by Allied Telesis [2016] Image Credit: Allied Telesis Inc.
Web Control
A UTM solution can be used to allow or block website access in real time. Once a website is categorized, the result is cached in the firewall, and any request thereafter is processed according to the policy in place. [36]
UTM Firewall features overview by Allied Telesis [2016] Image Credit: Allied Telesis Inc.
URL Filtering
Apart from web filtering, URL filtering is useful for categorizing website access as allowed (whitelisted) or blocked (blacklisted). It is a useful feature for preventing access to malicious websites before they are even processed within the network. [32]
Malware Protection
In order to protect against the most dangerous cyberthreats, high-performance anti-malware technology is required under the UTM umbrella. This feature observes threat patterns with heuristic analysis, preventing all types of attacks including zero-day attacks, as well as web-borne or server-side malware. [35]
Antivirus
Malicious content such as viruses, Trojans, worms, spyware or adware must be prevented with a first line of defense in the form of an antivirus. Apart from blocking threats in inbound traffic, antivirus also helps prevent compromised hosts or malicious users from launching further attacks. [36]
Secure remote VPN access
UTM firewalls have a secure remote access capability which makes it possible for employees to work irrespective of their physical location. A VPN using SSL creates a secure tunnel over the vulnerable internet by encrypting traffic and is compatible with the security policies of almost all network installations. This makes it a very good option for users to connect to their corporate network from any location.
A site-to-site IPSec VPN can securely connect multiple branches to a central office, saving the cost of leased lines, which are quite expensive, while providing users with the same access across the corporate network. [35,36]
UTM Firewall features overview by Allied Telesis [2016] Image Credit: Allied Telesis Inc.
Technologies
Today, UTM solutions are implemented across many networks using various technologies
provided by many organizations in the market. Some of these are listed below: [35]
Sophos XG Firewall
NextGen UTM Firewalls
Fortinet UTM
WatchGuard’s Firebox UTM
Barracuda F-Series CloudGen Firewall
Stormshield Network Security
Zyxel ZyWall Security
Untangle NG firewall
Rohde & Schwarz Gateprotect
Goals
The goal of Unified Threat Management (UTM) is to execute a multitude of security features using a single service or device on the whole network, protecting individuals from any and every threat in a simple way. [35]
SIEM
Features
Unlimited scalability in big data infrastructure
Modern SIEM solutions support a parallelized architecture which is continuously active with no performance loss. A SIEM solution built on big data can scale up to petabyte level, with unlimited scalability in storage, log retention and number of users. [39]
Log & Data collection in Real-Time
Log data from multiple IT devices, including servers, security devices etc., can be ingested into a SIEM solution and mapped from the information collected in these logs. The SIEM manages and controls the security of the entire network, and hence it is important to select the correct devices whose logs are sent to the SIEM. This provides premium insights about the network's health. Real-time collection is extremely important to detect malicious activity, thereby reducing the overall MTTR. [38]
Threat Intelligence & Log Correlation
On their own, logs from individual devices are nothing but junk when it comes to SIEM. Sifting through raw log data to interpret an alert is practically impossible, and hence log correlation comes in: it detects emerging patterns so that the SIEM can send real-time alerts to the security team to take appropriate action. This allows analysts to act quickly, thereby reducing MTTD and MTTR (Mean Time To Detect and Respond). [38]
Alerting and Notification in Real-Time
The two most important features of SIEM are alerting and notification. Triggered events can be configured based on the patterns found in log data during the collection and correlation phase. Any detected threat can be forwarded to the security team for investigation and remediation. [38]
Prioritization, Analytics & AI
Once an alert is triggered, a priority can be assigned based on internal policies or alert rules for the threats that occur. Prioritization is an important feature for focusing on the most important threats, since a SIEM can generate hundreds or sometimes thousands of alerts/events for the security team to investigate and act on. With the advent of artificial intelligence and machine learning, a SIEM can improve prioritization using heuristic analysis and identify indicators of compromise quickly. [38]
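The log correlation and prioritization features described above, as an added example (not code from the assignment or from any SIEM product). The authentication log lines, the threat-intelligence feed, the two rules and the severity ladder are all constructed; the correlation engine groups events per source, applies a sliding time window, and escalates the severity of alerts whose source appears on the intel feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised authentication events (not real logs).
SAMPLE_LOG = """\
2021-06-15T10:00:01Z bastion sshd: Failed password for admin from 198.51.100.23
2021-06-15T10:00:09Z bastion sshd: Failed password for admin from 198.51.100.23
2021-06-15T10:00:18Z bastion sshd: Failed password for admin from 198.51.100.23
2021-06-15T10:00:27Z bastion sshd: Failed password for admin from 198.51.100.23
2021-06-15T10:00:41Z bastion sshd: Failed password for admin from 198.51.100.23
2021-06-15T10:00:55Z bastion sshd: Accepted password for admin from 198.51.100.23
2021-06-15T10:02:00Z bastion sshd: Failed password for root from 203.0.113.8
2021-06-15T10:02:10Z bastion sshd: Failed password for root from 203.0.113.8
2021-06-15T10:02:20Z bastion sshd: Failed password for root from 203.0.113.8
2021-06-15T10:02:30Z bastion sshd: Failed password for root from 203.0.113.8
2021-06-15T10:03:00Z bastion sshd: Failed password for alice from 10.0.0.5
2021-06-15T10:03:10Z bastion sshd: Accepted password for alice from 10.0.0.5
"""

# Constructed threat-intelligence feed: sources whose alerts get escalated.
THREAT_INTEL = {"198.51.100.23"}
SEVERITIES = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(log_text):
    """Normalise raw lines into event dicts; lines the pattern does not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def prioritise(ip, base):
    """Raise the severity one step when the source is on the intel feed."""
    idx = SEVERITIES.index(base)
    if ip in THREAT_INTEL:
        idx = min(idx + 1, len(SEVERITIES) - 1)
    return SEVERITIES[idx]


def correlate(events, threshold=4, window=timedelta(minutes=2)):
    """Two rules per source IP: failures then success (HIGH), failures only (MEDIUM)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        recent_failures = []
        for e in evs:
            # Keep only the failures inside the sliding window ending at this event.
            recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
            if e["result"] == "Failed":
                recent_failures.append(e["ts"])
                continue
            if len(recent_failures) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "ip": ip, "user": e["user"],
                               "failures": len(recent_failures),
                               "severity": prioritise(ip, "HIGH")})
            recent_failures = []   # a success closes the sequence either way
        if len(recent_failures) >= threshold:
            alerts.append({"rule": "brute-force-attempt", "ip": ip, "user": evs[-1]["user"],
                           "failures": len(recent_failures),
                           "severity": prioritise(ip, "MEDIUM")})
    return alerts


def run_sample():
    """Correlate the constructed log and return the alert list."""
    return correlate(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    ranked = sorted(run_sample(), key=lambda a: SEVERITIES.index(a["severity"]), reverse=True)
    for a in ranked:
        print(a["severity"], a["rule"], a["ip"], a["user"], a["failures"])
```

The single failed login from 10.0.0.5 followed by a success never reaches the threshold and produces no alert, which is the noise reduction the prioritization paragraph is after.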
Reporting & Dashboards
While alerts are a way to quickly detect threats looming in a network, reports and dashboards provide meaningful information according to business needs, which can be useful in forecasting business decisions based on the observed data. Executive-level reporting can explicitly help in achieving this goal. [38]
Technologies
Some of the top SIEM technologies and solutions that are currently available are mentioned
below:
Datadog Security Monitoring
ManageEngine EventLog Analyzer
Splunk Enterprise Security
LogRhythm NextGen SIEM Platform
AT&T Cybersecurity AlienVault Unified Security Management
RSA NetWitness
IBM QRadar
McAfee Enterprise Security Manager
Goals
The goal of Security Information and Event Management (SIEM) is to provide a solution for monitoring, detecting and alerting on any events in the network that may be a security threat. It paints a detailed view of the security architecture of any IT network. Using this solution, log data can be correlated and fed to machine learning to provide security professionals with important insights into the daily activities within the network.
Use Case – UTM or SIEM for an organization with 500 users
In an ideal scenario, a hybrid approach would be the best solution. A UTM solution would be useful for implementing features such as a secure encrypted VPN, web and content/URL filtering, and antivirus and malware protection for individual employees. This would help provide the required IPS (Intrusion Prevention System) function, preemptively stopping access to any data that would affect overall network performance.
A SIEM solution on top of it would provide a second layer of protection if the UTM somehow misses an action. The real-time data collected and correlated by the SIEM, along with its AI and ML capability, would give cybersecurity professionals an enriched insight that a UTM solution alone would miss. Any attack not prevented by the UTM would be detected by the SIEM acting as an IDS (Intrusion Detection System), and prioritization would lead to a quick pathway for investigation and remediation.
However, from a cost perspective, implementing both solutions (UTM and SIEM) could be an expensive affair for the management of a small-sized organization with only 500 employees and a smaller network. The best approach in this scenario is to stick with a UTM solution and prevent attacks rather than waiting to detect them.
References
1. Schneider, Stefanie [2019], Brief Introduction: DHCP and DNS, Available at: https://www.univention.com/blog-en/brief-introduction/2019/03/brief-introduction-dhcp-dns/ accessed on 14th June 2021
2. John [2018], DHCP vs DNS: What Are They, What’s Their Differences, Available at: https://community.fs.com/blog/dhcp-and-dns-difference.html accessed on 14th June 2021
3. Anon [2013], Top Five DNS Security Attack Risks and How to Avoid Them, Available at: https://www.infoblox.com/wp-content/uploads/2016/04/infoblox-whitepaper-top5-dns-security-attack-risks-how-to-avoid-them_0.pdf, PP. 6-7, accessed on 14th June 2021
4. Anon [2020], A Diverse DNS Security threat Landscape, Available at: https://www.efficientip.com/dns-attacks-list/ accessed on 15th June 2021
5. Koi, Moshe et al [2021], Breaking and Fixing DNS Implementations, Available at: https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/, PP. 15-18, accessed on 15th June 2021
6. Anon [2019], Volumetric DDoS Attack, Available at: https://www.corero.com/resource-hub/volumetric-ddos-attack/ accessed on 15th June 2021
7. Anon [2016], What is a DNS Exploit?, Available at: https://www.infoblox.com/glossary/dns-exploit/ accessed on 15th June 2021
8. Anon [2016], Top Ten DNS Attacks, Available at: https://www.infoblox.com/wp-content/uploads/infoblox-ebook-top-ten-dns-attacks.pdf, PP. 3-12, accessed on 15th June 2021
9. Verisign [2021], Combating DNS Abuse, Available at: https://www.verisign.com/en_US/company-information/dns-abuse/index.xhtml accessed on 15th June 2021
10. Younes, Osama S. [2016], A Secure DHCP Protocol to Mitigate LAN Attacks, Available at: https://www.scirp.org/journal/paperinformation.aspx?paperid=63134 accessed on 15th June 2021
11. GreyCampus [2015], Ethical Hacking, Available at: https://www.greycampus.com/opencampus/ethical-hacking/dhcp-poisoning accessed on 15th June 2021
12. Dawson, David [2018], DHCP Part 2 | DHCP Vulnerabilities, Available at: https://www.packetorbit.net/post/dhcp-vulnerabilities accessed on 16th June 2021
13. Taylor, Kelsey [2018], Prevent DNS Tunneling, Available at: https://www.hitechnectar.com/blogs/prevent-dns-tunneling/ accessed on 16th June 2021
14. Extrahop [2021], DNS Tunneling attacks and how to prevent them, Available at: https://www.extrahop.com/resources/attacks/dns-tunneling/ accessed on 16th June 2021
15. N-able [2019], How to prevent DNS poisoning, Available at: https://www.n-able.com/blog/what-is-dns-poisoning accessed on 16th June 2021
16. Atamaniuk, Mary [2020], How to protect against a pharming attack, Available at: https://clario.co/blog/how-to-avoid-pharming/ accessed on 16th June 2021
17. Lord, Nate [2020], Phishing attack prevention: How to Identify & Avoid phishing scams in 2019, Available at: https://digitalguardian.com/blog/phishing-attack-prevention-how-identify-avoid-phishing-scams accessed on 16th June 2021
18. Akamai DNS Team [2019], Protecting your domain names: Taking the first steps, Available at: https://blogs.akamai.com/2019/02/protecting-your-domain-names-taking-the-first-steps.html accessed on 16th June 2021
19. Tunggal, Abi Tyas [2020], What is Typosquatting (and how to prevent it), Available at: https://www.upguard.com/blog/typosquatting accessed on 16th June 2021
20. Anon [2017], Configuring DHCP Starvation attack protection, Available at: https://techhub.hpe.com/eginfolib/networking/docs/switches/5130ei/5200-3942_l3-ip-svcs_cg/content/483572327.htm accessed on 16th June 2021
21. Anon [2021], Preventing DHCP Spoofing on MX series 5G Universal routing platforms, Available at: https://www.juniper.net/documentation/us/en/software/junos/sampling-forwarding-monitoring/topics/concept/policy-preventing-dhcp-spoofing-on-mx-series-routers.html accessed on 17th June 2021
22. Infosavvy [2021], Rogue DHCP Server Attack, Available at: https://info-savvy.com/rogue-dhcp-server-attack/ accessed on 17th June 2021
23. Singh, Shubham [2020], Difference between IPSec and SSL, Available at: https://www.geeksforgeeks.org/difference-between-ipsec-and-ssl/ accessed on 17th June 2021
24. George, Sijin [2019], Advantages and Disadvantages of IPSec – A quick view, Available at: https://bobcares.com/blog/advantages-and-disadvantages-of-ipsec/ accessed on 17th June 2021
25. Roomi, Mishal [2019], 5 Advantages and Disadvantages of IPSec | Limitations & Benefits of IPSec, Available at: https://www.hitechwhizz.com/2020/08/5-advantages-and-disadvantages-drawbacks-benefits-of-ipsec.html accessed on 17th June 2021
26. KeyCDN [2018], What is SSL TLS, Available at: https://www.keycdn.com/support/what-is-ssl-tls accessed on 17th June 2021
27. Roomi, Mishal [2019], 5 Advantages and Disadvantages of TLS | Weaknesses & Benefits of TLS, Available at: https://www.hitechwhizz.com/2020/08/5-advantages-and-disadvantages-drawbacks-benefits-of-tls.html accessed on 17th June 2021
28. Anon [2021], Enterprise Use cases, Available at: https://sectigo.com/enterprise-use-cases accessed on 17th June 2021
29. Rosencrance, Linda [2018], Unified Threat Management (UTM), Available at: https://searchsecurity.techtarget.com/definition/unified-threat-management-UTM accessed on 18th June 2021
30. Anon [2021], What is security information and event management (SIEM), Available at: https://www.mcafee.com/enterprise/en-sg/security-awareness/operations/what-is-siem.html accessed on 18th June 2021
31. Exabeam [2021], What is SIEM, Available at: https://www.exabeam.com/siem-guide/what-is-siem/ accessed on 18th June 2021
32. Robb, Drew [2018], Top 10 Unified Threat Management Vendors, Available at: https://www.esecurityplanet.com/products/unified-threat-management-vendors/ accessed on 18th June 2021
33. Anon [2016], UTM Firewall Features overview, Available at: https://www.alliedtelesis.com/sites/default/files/utm_features_overview_revg.pdf, PP. 2-7, accessed on 18th June 2021
34. Mandel, Marc von [2018], The Must-have SIEM features for advanced threats, Available at: https://securityboulevard.com/2018/05/the-must-have-siem-features-for-advanced-threats/ accessed on 18th June 2021
35. Team, Logsign [2020], Must-have features of a modern SIEM, Available at: https://www.logsign.com/blog/must-have-features-of-a-modern-siem/ accessed on 18th June 2021
36. Keary, Tim [2021], 10 Best SIEM tools for 2021: Vendors & Solutions Ranked, Available at: https://www.comparitech.com/net-admin/siem-tools/ accessed on 18th June 2021