Network Security in Enterprise
Term Project Report for Advanced Network Security, EL
6393
Prashant Mehta (0428749)
Abstract
The goal of the Enterprise Security is to
ensure the confidentiality, integrity and
availability of its valuable assets. In these
paper key aspects of network security in
enterprise has been presented. To gain
the in-depth of the topic a survey of
enterprise security equipment is
presented with merits and demerits of the
equipment.
Introduction-
The Internet is changing our life in different
ways. Internet plays an important role in the
way we work, live, play, and learns. But
with the Internet’s enormous growth comes
unprecedented exposure of personal data,
critical enterprise resources, government
secrets, and so forth. Every day hackers pose
an increasing threat to these entities with
several different types of attacks.
There are two primary reasons for this
threat. First is the worldwide presence of the
Internet. With millions of devices currently
connected to the Internet, and millions more
on the way, a hacker’s access to vulnerable
devices will continue to increase. Shared
knowledge on the global scale has allowed
the hackers to gain access to enterprise’s
data. Second is the wide presence of easy-
to-use graphical user interface. This easy to
use interface could easily be distributed
widely. Even a click of a mouse button
could execute the attack with just the IP
address of the victim.
Need of Network Security in Enterprise-
Polytechnic Institute of NYU
Network security is an evolutionary process.
True network security comes from the
combination of products and services. With
free flow of information and the high
availability of many resources, the network
security administrator has to understand all
the possible threat that can attack their
networks.
For securing the enterprise assets a series of
network security technologies and products
are strategically deployed throughout the
network. Network Security services are
implemented to guarantee the confidentiality
of sensitive data, and to ensure the
availability and integrity of systems and
data.
Common threats to enterprise environments
include:
Unauthorized Access
Unauthorized access is when an
unauthorized individual gains access to
valuable asset and has the possibility to
tamper with that asset. Access to
information is generally gained while
intercepting some information in transit over
an insecure channel. The other way to access
to information is to exploit an inherent
weakness in a technology. Shared media
networks are particularly susceptible to
eavesdropping because this type of network
transmits packets everywhere.
Table 1 illustrates the common method
applied in gaining unauthorized access.
1
Ways of obtaining Ways to use
unauthorized Unauthorized
access Access
Establishing false Sending email that
identity with false authorizes money
credentials transfers
Physical access to Modification to
network devices establish a better
credit rating
Eavesdropping on Retrieving
shard media confidential records,
networks such as salary for all
employees or
medical histories

Figure-1[1]
Table 1

Data loss Function of Network Security in

Data loss could be the result of theft or
leakage of private and confidential data from
servers, endpoints, while in transit, or as a
result of spyware, malware, key-loggers,
viruses, etc.
Impersonation
Impersonation is the ability to present
credentials as if you are representing some
legitimate person. This includes theft of
personnel identity or fraud on servers and
end users through phishing and E-mail
spam. Another kind of spoofing attack is
replay attack. In this kind of attack the
message is recorded and replayed later to
gain access to the system.
Many vendors have software available
that can capture the packets and then later
replay the packets to gain access.
Architecture of Network Security
Figure-1 represents the architecture of
CISCO SAFE which provides security for
internal and external user. Security
architecture ensures the confidentiality,
integrity and identity of valuable assets.
Enterprise
The security design for the enterprise
network focuses on the following key areas:
Network Foundation Protection (NFP)
• Ensuring the availability and
integrity of the network
infrastructure, protecting the control
and management planes.
Internet Perimeter Protection
• Ensuring safe Internet connectivity
and protecting internal resources and
users from malware, viruses, and
other malicious software.
• Protecting personnel from harmful
and inappropriate content.
• Enforcing E-mail and Web browsing
policies.
Server Farm Protection
• Ensuring the availability and
integrity of centralized applications
and systems.
• Protecting the confidentiality and
privacy of sensitive data.
• Securing the access edges and
enforcing authentication and role-

2
 based access for users residing at the
main site and remote offices.
• Ensuring systems are up-to-date and
in compliance with the enterprise
network security policies.
Secure Mobility
• Providing secure, persistent
connectivity to all mobile employees
Enforcing encryption, authentication,
and role-based access to all mobile
users.
• Delivering consistent protection to
all mobile employees from viruses,
malware, botnets, and other
malicious software.
• Ensuring a persistent enforcement of
enterprise network security policies
to all users and ensuring systems
comply with corporate policies and
have up-to-date security.
• Small enterprise networks are built
with routers, switches, and other
network devices that keep the
applications and services running.
Therefore, properly securing these
network devices is critical for
continued operation.
Requirement of Network Security
Security policies of an enterprise depend
upon the corporate needs and the assets they
are protecting. Generally the following key
elements are considered before designing
the security policies.
Today’s open networking technologies
provide a tremendous opportunity for
corporations to remain competitive.
Corporations have little control over the
information accessed by the user and the
path though which this information is
accessed.
When designing the security policies for the
network a balance should be reached
between ease of accessibility of information
with adequate mechanism of identifying
authorized users, ensuring data integrity, and
confidentiality.
The following elements of network security
must be considered for designing the
network security of an enterprise.
• Identity
• Integrity
• Confidentiality
• Availability
• Audit
Identity
Identity is an important element of security
in enterprise and incorporates both
authentication and authorization.
Authorization specifies the location and the
identity of a user and also the amount of
data user can access. Corporate must
implement enough security parameters so
that intruders are not allowed to have to
access of the valuable assets of the
corporate.
Integrity
Integrity secures the physical and logical
security of the network devices like routers,
switches and firewalls. Any user who has
physical access to the router or switches has
full control of that device and could lead to
compromise of the network security.
Enterprise physical security in the form of
security guard, closed circuit television
camera should be incorporated.
Logical security is implemented by
providing identity mechanism that must
always be satisfied before user is allowed
access to the valuable assets of the
enterprise. Perimeter Security functions
similarly like the firewall restricting the
malicious traffic.
Confidentiality
Confidentiality refers to the privacy of data
flowing from the sender to the receiver. For
providing privacy between sender and
3
receiver, data is normally encrypted and Operational Simple and efficient
then send through the link. In the enterprise, Efficiency configuration,
sensitive information should always be deployment and
encrypted. management of the
infrastructure.
Availability Confidentiality, Security control to
Availability refers to the process of ensuring Integrity, and provide acceptable levels
that all critical resources are available when Availability of confidentiality,
requested. Generally, the enterprise system integrity and availability
should be prone to catastrophic error caused of data.
due to software bugs. Physical security Auditable and Security controls must be
ensures that no tampering has been done Measurable auditable and measurable
with the infrastructure. Logical security Controls to be effective
refers to the rerouting of the traffic and the System-wide Effective security
deterring of the software bugs. Collaboration requires sharing,
and correlation analysis, and correlation
Audit of information from all
Audit is necessary for verifying and system-wide sources.
monitoring of the corporate policy. Periodic Table 2
monitoring and verification can help detect
any unusual behavior and possible Challenges in Implementing Network
intrusions. Auditing should include methods Security
to discover malicious insider activity, Implementing Network Security at the
possible presence of DoS attacks, and service provider level is a difficult task and
overall compliance with the site security incorporates various challenges. Security
policy. policies vary from user to user. Due to this
While creating the data log files for audit variety in security policies there have been
following points should be consider numerous challenge faced by security
• Run the program which can filter the provider.
unusual activity form the audit data. The main goal of security vendor is to
• All the data should not be recorded ensure confidentiality, integrity, and
in the audit file. availability of the information that an
organization considers to be valuable.
Summary of Network Security Therefore the security should be provided
Requirement not just for managed endpoints but also for
unmanaged endpoints. Therefore the
Security Description network and information resources need to
Architecture be protected from endpoints that may be
Pronciple infected.
Defense in Deploy multiple layers of Diverse nature of traffic passes through the
Depth controls to prevent, service provider’s network. Due to this
identify and delay attacks diverse nature of traffic it is challenging to
in order to contain and implement policies to look for certain kind
minimize damage. of traffic or to block certain kind of traffic.
The traffic that might be good for one user
of the service provider might be a network

4
attack for another set of users. Therefore the
traffic classification as malicious is Complete Control
completely based on policies of a corporate. Harden, Strengthen Resiliency, limit Access, and
Another challenging situation faced in isolate devices, users, Traffic, applications and
protocols.
implementing security policies at the
enterprise level is the performance Harden Isolate Enforce
consideration. One of the primary goals of 1.Harden
1 . Isolate 1 . Enforce
an enterprise is to pass its traffic as fast and Devices, Subscribers, Security
accurate as possible. Security Transport,
Systems and Policies
implementation at the router can adversely services and Services
applications. 2 . Migrate
affect the performance of the routers. There
2 . Contain security
is always a tradeoff in implementing 2. Strengthen and protect events
security policies and performance of the Infrastructure
Resiliency,
system. redundancy
3.
Dynamically
In the emerging networking environment, a and fault Respond to
new threat attacks the network every day. tolerance Anomalous
Therefore the biggest challenge for security Event.
provider is to detecting the new threat.

Securing the Enterprise Infrastructure

In the above section we studied different Figure-3[3] Algorithm for Prevention
types of threat encountered in a network
security implementation and also the Figure 2 and figure 3 depict the algorithm
important we learned the functions of followed by the Cisco SAFE Security
network security. In this section we will go algorithm for securing the enterprise.
through the technology used by the security Various key elements of a Framework
provider in protecting from the threats. model are discussed below.
Total Visibility
Security Control Framework Model
Figure-2[2] Algorithm for Detection Total visibility consists of the following
elements: identity, trust, compliance, event
Total Visibility monitoring, and performance monitoring.
Identify, Monitor, collect, detect and Key considerations for total visibility
include the following:
classify users, traffic, applications and
protocols.
• Identifying and classifying users,
Identify Monitor Correlate
traffic, applications, protocols, and
Identify 1 .Monitor, 1 .Collect, usage behavior.
classify performance Correlate • Monitoring and recording activity
and analyze
and assign , behaviors
system-wide
and patterns.
trust levels and • Collecting and correlating data from
events
to compliance
multiple sources to identify trends,
subscriber, with policies 2 .identify,
service and Notify and
and system-wide events.
traffic. 2 .Identify report on • Detecting and identifying anomalous
Anomalous significant traffic and threats.
Traffic. related
events.

5
Complete Control
Complete control consists of hardening
individual devices, increasing the resiliency
of the network, isolating users, systems and
services, security policy enforcement, and
event mitigation. Key considerations for
complete control include the following:
• Hardening IT infrastructure,
including individual devices and
increasing network resiliency
• Limiting access and usage per user,
protocol, service, and application
• Isolating users, services, and
applications
• Protecting against known threats and
exploits
• Dynamically reacting in response to
anomalous events
Technology Used in Implementing
Network Security Policy
Total Visibility
Identify
• Identity-based network solutions
• Authentication, Authorization and
Accounting
• Biometric recognition
• Routing authentication (MD5)
• Secure messaging
• VPN authentication
o Digital certificates
o Pre-shared keys
o User authentication
Identity Based network Solutions
In many older systems, user authentication
is done from a database. In these systems,
the user normally provides their id and
password which is then checked against the
database. If it matches, then oftentimes, an
"access control list" or ACL is checked.
The access control list determines the
authorization privileges for the user.
Authentication, Authorization and
Accounting
Authentication refers to the process when an
entity is authenticated by providing evidence
that it holds a specific digital identity such
as identifier and the corresponding
credentials. Examples of such type of digital
identity are passwords, one-time tokens,
digital certificates.
Authorization function determines whether a
particular entity is authorized to perform a
given activity. Authorization is the next step
after the Authentication. Authorization for a
service or application is limited by a range
of restrictions, for example time-of-day
restrictions, or physical location restrictions,
or restrictions against multiple accesses by
the same entity or user. Examples of basic
types of service included are IP address
filtering, address assignment, route
assignment, Quality of Service/differential
services, bandwidth control/traffic
management, compulsory tunneling to a
specific endpoint, and encryption.
Accounting refers to the collection of
events, such as authentications and
authorization failures, or the consumption of
network resources through DoS attack by
users. Typical information that is gathered in
accounting is the identity of the user or other
entity, the nature of the service delivered,
when the service began, and when it ended,
and if there is a status to report.
Biometric Recognition
It is a technique to identify the person
through its fingerprint or eye iris recognition
system. Another technique used now days is
skin texture analysis that turns the unique
lines, patterns and spots apparent in a
person’s skin into mathematical space.
Biometric authentications are the process of
taking a "piece of you", digitizing it and
6
then using this to authenticate against an
identity directory or database. Typical types
of biometric authentications include finger
scans, digital finger prints, hand scans,
retina scans, digital signature scans and
others. The use of DNA biometrics is
increasingly used in identity verification.
Routing Authentication
MD5 is used for routing authentication in
enterprise networks. It is a widely used
cryptography hash function with a 128-bit
hash value. It is used for integrity protection.
MD5 used a buffer that is made of four
words that are each 32 bits long. These four
words are then mixed with the words of the
input as is shown in figure-3.
Figure-4[4] MD5 Process
VPN AUTHENTICATION
Digital Certificates
Another identity authentication method is
public key infrastructure. An identity is
given a digital certificate by a Certificate
Authority (CA). This certificate is then
presented during the authentication process
to verify an identity. The level of
authentication trust varies for digital
certificates depending on the level of
identity verification done during the identity
registration process as well as the digital
certificate revocation process. Digital
certificates are becoming more important to
authenticate and verify an identity in single
sign on systems, document management
systems and in web services.
Pre Shared Keys.
In this type the user who is to be
authenticated and the end host who is going
to authenticate the user share a common
secret. The process of pre shared secret is
shown in the figure-5
Figure-5 Shared Key Authentication
MONITOR
Anomaly Detection System
An anomaly based System establishes a
performance baseline based on normal
network traffic evaluations. It will then
sample current network traffic activity to
this baseline in order to detect whether or
not it is within baseline parameters. If the
sampled traffic is outside baseline
parameters, an alarm will be triggered.
IDS and IPS
Intrusion detection systems are devices or
application that monitors network and
system activities for malicious activities.
There are various types of Intrusion
detection systems.
Network Intrusion Detection System
It identifies intrusion by analyzing the
network traffic. SNORT is an example of
NIDS and has the ability to perform real-
time traffic analysis and packet logging.
Snort performs protocol analysis, content
7
searching and content matching. It has three
modes sniffer, packet logger, and network
intrusion detection. In sniffer mode, the
program will read network packets and
display them on the console. In packet
logger mode, the program will log packets to
the disk.
Host Based Intrusion Detection System
HIDS identifies intrusion by analyzing
system calls, application logs and other
activities and state. OSSEC is used for
HIDS. It performs functions like log
analysis, integrity check, time based alerting
and active response.
IPS
IPS is an extension of IDS whose function
include detection of intrusion by monitoring
the traffic and system activities. IPS can take
actions as sending an alarm, dropping the
malicious packets, resetting the connection
or blocking the offending IP address.
Syslog
Syslog is a standard for logging protocol
messages. It separates the function of the
software that generates messages from the
system that stores them and the software that
reports and analyzes them. It also provides a
means for devices to notify administrators of
problems or performance.
Syslog can be used for computer system
management and security auditing as well as
generalized informational, analysis, and
debugging messages. Unique property of
this system allows the syslog to be used to
integrate log data from many different types
of systems into a central repository.
Cisco Discovery Protocol
This protocol is implemented in most of the
networking equipment. It is used to share
information about other directly connected
Cisco equipment. It can also be used for On-
demand routing which is a method of
including routing information in CDP
announcements.
NTP Synchronization
OpenNTPD is used for synchronization of
the local clock of a computer with remote
NTP servers. This synchronization leads to
security, ease of use, and performance.
Isolate
Controlling Network Devices Access
An intruder who has access to networking
device can easily reconfigure the device.
Generally networks are accessed through
console ports, virtual terminal ports, and
auxiliary ports. Therefore minimum user
should be authenticated before they can get
access through these ports.
Password based Authentication:
A secret is used by the user to authenticate
itself to the network. But this is also immune
to password guessing attacks, eavesdropping
and cloning.
Cisco use one time password schemes and
RADIUS and/or TACACS+ protocol to
authenticate the user before gaining them
access to network devices. In RADIUS and
TACACS+ protocol the change in password
result in change of only one database.
Cisco Zone Based Policy Firewall
A zone is a group of interfaces that have
similar functions or features. Security Zone
is a group of interfaces to which a policy can
be applied. The basic rules to be considered
when setting up your zone are as follows:
• Traffic from a zone interface to a
non zone interface or from a non
zone interface to a zone interface is
always dropped.
• Traffic between two zone interfaces
is inspected if there is a zone
relationship for each zone and if
there is a configured policy for that
zone pair.
8
 • By default, traffic between two
interfaces is always allowed.
• A zone pair can be configured with a
zone as both the source and
destination zones. An inspect policy
can be configured on this zone pair
to inspect or drop the traffic between
two interfaces in the same zone.
The following figure demonstrates the
concept of zone firewall in Cisco.
Figure-6[5]
The following situations can be interpreted
form the figure-1.
• As the zone pair and policy are
configured in the same zone. Traffic
flows freely between interfaces E0
and E1 because they are members of
the same security zone (Z1).
• If no policies are configured, traffic
will not flow between any other
interfaces. For example, E0 and E2,
E1 and E2, E3 and E1, and E3 and
E2.
• Traffic can flow between E0 or E1
and E2 only when an explicit policy
permitting traffic is configured
between zone Z1 and zone Z2.
• Traffic can never flow between E3
and E0/E1/E2 unless default zones
are enabled.
Out of Band Management
In enterprise out-of-band management
involves the use of a dedicated management
channel for device maintenance. It adds
various features in system management like
monitoring and managing servers and other
network equipment by remote control
regardless of whether the machine is
powered on.
On the other hand, in-band management is
the use of regular data channels to manage
devices. To manage network servers and
routers remotely, security administrators
need network access when problems occur.
VPN Encryption
Enterprise Encryption Gateway is an
encryption device that allows for strong
authentication and encryption for data across
a wireless medium. Using these devices
includes offloading duties from the access
points.
VPN
VPN use cryptographic tunneling protocols
to provide confidentiality by blocking
intercepts and packet sniffing, allowing
sender authentication to block identity
spoofing and provide message integrity.
SSH
It is a network protocol that allows data to
be exchanged using a secure channel
between two networked devices. SSH uses
public key cryptography to authenticate the
remote computer. SSH protocol is used to
implement VPN. Its uses include:
• Secure file transfer
• For using encrypted VPN
• For automated remote monitoring
and management of servers.
• For forwarding or tunneling a port
Access Control
In the enterprise network security a Access
Control List refers to rules that are applied
to port numbers or network available, each
with a list of hosts and/or networks
permitted to use the service. Both individual
servers as well as routers can maintain and
9
implement network ACLs. Access control
lists can generally be configured to control
both inbound and outbound traffic. They
work in a similar fashion as firewall works.
Unicast RPF
URPF is based on the concept that traffic
from known invalid networks should not be
accepted on interfaces from which they
should never have been originated. So in
the router packet are only forwarded if
• Packet is coming from a valid host,
as indicated in the corresponding
entry in the routing table.
• Packet with source address that
could not be reached via the input
interface can be dropped without
disruption to normal use.
Protection form Distributed Denial of
Service Attacks
Distributed Denial of service Attack uses
different attack tools to attack the victim. It
generally uses the master slave model to
initiate the attack.
DDoS attacks take different form like:
• UDP Flood
• ICMP echo request flood
• SYN flood
• Smurf Attack
Various solutions have been suggested for
protection against DDoS attacks. The
solution is implemented in host level and
network level.
Network Security Equipment
To gain the in-depth knowledge of the
network security equipment, different data
are collected from vendors like CISCO and
JUNIPER.
The intrusion prevention system studied for
this paper is CISCO ASA 5500[6] series
family and JUNIPER NETWORK[7] SSG
Family.
CISCO ASA 5500
• Market leader with strong enterprise
presence
• SSL VPN integrated into the ASA
• Complex licensing fees
JUNIPER NETWORK SSG Family
• Lower cost with full functionality
• Complete set of unified threat
management security features
• No VPN integration
Table 3 shown in the next page compares
CISCO ASA 5500 family with JUNIPER
SSG family. In the table we see many
similarities between them, but at the same
time there are significant differences in
services provided and functionality.
Strength and Weakness:
Juniper Network SSG Family
Strengths: Juniper provides the security in
the enterprise with lower expenditure and
the flexibility to add new features when
required. Juniper provides better centralized
management.
Weakness: It lacks the SSL/VPN features.
CISCO ASA Family
Strengths: It provides a integrated
VPN/Firewall Services. This integrated
service provide additional feature in the
segment.
Weakness: CISCO ASA 5500 family lacks
the feature to provide necessary security in
enterprise. It generally requires additional
security module for IPS.
10
Table 3[8] comparison between CISCO
ASA Family and JUNIPER SSG Family

11
 Equipment Juniper Networks SSG Family Cisco ASA 5500
Detection It uses the following technology It uses the following technology
Technology • Stateful Signature • Protocol anomaly detection
Detection • Statistical anomaly detection
• Protocol Anomaly • Application anomaly detection
Detection • Statistical analysis
• Backdoor Detection • Evasion protection
• Traffic Anomaly Detection • Vulnerability-based signature
• IP Spoofing Detection detection
• DoS Detection • Exploit-based signature
• Layer 2 Detection detection
• Network Honeypot • Session normalization and
evasion detection
• On-box event correlation

Zero day Protocol anomaly detection and • Unknown exploit protection

protection same-day coverage for newly • Unknown vulnerability
found vulnerabilities. protection
• Day zero worm protection.
Protocol More than 60 protocol supported Network protocols supported include
supported IP, TCP, UDP, ICMP, NetBIOS/SMB,
MPLS, ARP, IPv6 encapsulated IPv4,
IGMP, IP-in-IP, and GRE.
Security Manage all functionality Firewall, Management of IPS and Firewall uses
Policies and VPN, IPS, routing. different CLI interfaces. Centralized
Management management is a relatively complex
mix of hard to use utilities
Custom Support custom signature Supports custom signature generation
Signature generation
Generation
Web Best-in-class offerings including Extra cost for the function and with
filtering integrated Web Filtering. license fee.
Integrated Not supported Supported with limited functionality
SSL VPN

LAN and LAN and WAN I/O ports Provides limited LAN Hardware
WAN provided support and no WAN support
Connectivity included.

References [5] Cisco IOS and NX-OS Software, Zone

[1] Design Zone for Security, Cisco SAFE,
www.cisco.com
[2] Cisco SAFE: A Design Blueprint for
Enterprise Network.
[3] Cisco SAFE: A Design Blueprint for
Enterprise Network. www.cisco.com
[4] Wikipedia, www.wikiedia.org
based policy firewall.
[6] CISCO ASA 5500 Series Adaptive
Security Appliances, www.cico.com
[7]SSG Series, www.juniper.net
[8] Competitive HotSheet
Juniper Networks SSGs vs Cisco ASA,
juniper Networks.

12
13