
Reading Room


Network Security

Featuring 7 Papers as of October 9, 2017

  • Does Network Micro-segmentation Provide Additional Security? STI Graduate Student Research
    by Steve Jaworski - September 15, 2017 

    Network segmentation takes a large group of hosts and divides it into smaller groups whose members can communicate with each other without traversing a security control. Each smaller group has its own defined security controls, and the groups are independent of each other. Network micro-segmentation goes a step further and configures controls around individual hosts. The goal of network micro-segmentation is to provide more granular security and to reduce an attacker's ability to compromise an entire network easily. If an attacker successfully compromises a host, he or she is limited to the network segment on which that host resides; if the host resides in a micro-segment, the attacker is restricted to that host alone. This paper discusses what network segmentation and network micro-segmentation are, where each applies, what additional security they provide, and the complexity they introduce.
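    The blast-radius difference the abstract describes can be made concrete with a small policy simulation. The following is an added example, not code from the paper: the host inventory, the segment allow-list and the per-host allow-list are all constructed for illustration. It computes which hosts an attacker can reach from one compromised host when only segment boundaries are enforced, and again when every host has its own explicit allow-list (the micro-segmentation model).

```python
"""Blast-radius comparison: segment-level policy vs. per-host micro-segmentation.

Added example, not from the paper. HOSTS, SEGMENT_POLICY and HOST_POLICY
are constructed for illustration.
"""
from collections import deque

# Constructed inventory: host -> the segment it lives in.
HOSTS = {
    "web-1": "dmz", "web-2": "dmz",
    "app-1": "app", "app-2": "app",
    "db-1": "data", "db-2": "data",
}

# Segment-level policy: (source segment, destination segment) pairs that
# may initiate connections. Traffic inside one segment never crosses a control.
SEGMENT_POLICY = {("dmz", "app"), ("app", "data")}

# Micro-segmentation policy: explicit per-host (src, dst) allow-list.
# Nothing else passes, including traffic between two hosts of one segment.
HOST_POLICY = {
    ("web-1", "app-1"), ("web-2", "app-2"),
    ("app-1", "db-1"), ("app-2", "db-2"),
}


def allowed_segmented(src, dst):
    """Segment model: same segment is implicitly allowed, otherwise consult policy."""
    s, d = HOSTS[src], HOSTS[dst]
    return s == d or (s, d) in SEGMENT_POLICY


def allowed_microsegmented(src, dst):
    """Micro-segment model: only explicit host-to-host rules pass."""
    return (src, dst) in HOST_POLICY


def blast_radius(compromised, allowed):
    """Set of hosts an attacker can reach transitively from `compromised`,
    assuming each host reached can in turn be compromised and used as a pivot."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and allowed(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {compromised}


if __name__ == "__main__":
    for name, policy in (("segmented", allowed_segmented),
                         ("micro-segmented", allowed_microsegmented)):
        print(name, sorted(blast_radius("web-1", policy)))
```

    Starting from web-1, the segment model lets the attacker reach every other host (the DMZ peer is free, and the two inter-segment rules chain through to the data tier), while the micro-segmented policy confines the attacker to the one path that was explicitly allowed. The example also shows the caveat a practitioner should keep in mind: micro-segmentation limits an attacker to the flows a host is allowed, not to the host itself, so the allow-list has to be as tight as the claim "restricted to only that host" implies.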


  • IDS Performance in a Complex Modern Network: Hybrid Clouds, Segmented Workloads, and Virtualized Networks STI Graduate Student Research
    by Brandon Peterson - September 12, 2017 

    Most modern networks are complex, with workloads both in the cloud and on premises. Monitoring these networks requires aggregating monitoring data from multiple, diverse locations. The following experiment tests the effects on a Snort IDS sensor when monitoring data is sent to the sensor using three different methods. The first method tests direct communication from a server generating test traffic to an IP address on the Snort sensor. The second captures test traffic from a SPAN port and directs it to an interface on the Snort sensor. The final method simulates ERSPAN by creating a GRE tunnel between the generating server and the Snort sensor and capturing traffic from that tunnel. The results showed that the method used to deliver the data has a significant impact on the volume of data that reaches the sensor. Monitoring can also have cascading effects on the network and must be planned for accordingly: for example, when ERSPAN and production traffic share the same network infrastructure, excessive ERSPAN traffic can cause production traffic to be dropped by overloaded network equipment. When setting up IDS sensors in a complex network environment using SPAN or ERSPAN, it is best to increase the volume of monitoring traffic slowly and to measure the impact carefully in each unique environment.
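    One reason ERSPAN and GRE-tunnelled mirror traffic loads a shared network more than the production traffic it copies is the encapsulation that is added to every mirrored frame. The following is an added example, not code from the paper: it decapsulates a GRE-encapsulated frame (plain gretap-style transparent Ethernet bridging, as a GRE tunnel simulation would carry, or ERSPAN Type II) and reports the per-frame overhead, so a sensor owner can estimate how much extra traffic a mirror session puts on the links the paper warns about. The MAC addresses, IP addresses, VLAN 100, session ID 5 and the inner frame are all constructed; the GRE header layout follows RFC 2784/2890 and the ERSPAN Type II header follows the public draft.

```python
"""Decapsulate GRE / ERSPAN Type II mirror traffic and measure encapsulation overhead.

Added example, not code from the paper. All packets are constructed inline.
"""
import struct

ETH_P_IP = 0x0800
GRE_P_TEB = 0x6558       # transparent Ethernet bridging (plain gretap tunnel)
GRE_P_ERSPAN2 = 0x88BE   # ERSPAN Type II
PROTO_GRE = 47

# Constructed 64-byte inner Ethernet frame: the production packet being mirrored.
INNER = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP) + b"\x00" * 50


def parse_gre(payload):
    """Return (protocol_type, header_len, optional_fields) for a GRE header."""
    flags, proto = struct.unpack("!HH", payload[:4])
    off, fields = 4, {}
    if flags & 0x8000:  # C bit: 2-byte checksum + 2 reserved bytes follow
        fields["checksum"] = struct.unpack("!H", payload[off:off + 2])[0]
        off += 4
    if flags & 0x2000:  # K bit: 4-byte key
        fields["key"] = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    if flags & 0x1000:  # S bit: 4-byte sequence number (always set by ERSPAN II)
        fields["seq"] = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    return proto, off, fields


def parse_erspan2(payload):
    """ERSPAN Type II header (8 bytes): Ver(4) VLAN(12) COS(3) En(2) T(1) Session(10) | Rsvd(12) Index(20)."""
    w0, w1 = struct.unpack("!II", payload[:8])
    return {"version": w0 >> 28, "vlan": (w0 >> 16) & 0x0FFF,
            "session": w0 & 0x03FF, "index": w1 & 0x000FFFFF}


def decapsulate(frame):
    """Strip outer Ethernet/IPv4/GRE(/ERSPAN) and return (inner_frame, info)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != PROTO_GRE:
        raise ValueError("outer IPv4 does not carry GRE")
    gre = frame[14 + ihl:]
    proto, glen, fields = parse_gre(gre)
    inner = gre[glen:]
    info = {"gre_proto": proto, **fields}
    if proto == GRE_P_ERSPAN2:
        info["erspan"] = parse_erspan2(inner)
        inner = inner[8:]
    elif proto != GRE_P_TEB:
        raise ValueError("unsupported GRE payload type 0x%04x" % proto)
    info["overhead"] = len(frame) - len(inner)   # bytes added per mirrored frame
    return inner, info


def _ipv4(src, dst, payload_len):
    """Minimal outer IPv4 header (checksum left zero; constructed addresses)."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       PROTO_GRE, 0, to_bytes(src), to_bytes(dst))


def encapsulate(inner, erspan=False, seq=0):
    """Wrap `inner` the way a mirror source (ERSPAN II) or a gretap tunnel would."""
    if erspan:
        gre = struct.pack("!HHI", 0x1000, GRE_P_ERSPAN2, seq)          # S bit set
        gre += struct.pack("!II", (1 << 28) | (100 << 16) | 5, 9)      # ver 1, VLAN 100, session 5
    else:
        gre = struct.pack("!HH", 0, GRE_P_TEB)
    ip = _ipv4("10.0.0.1", "10.0.0.2", len(gre) + len(inner))
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP)
    return eth + ip + gre + inner


def mirror_load(frame_lengths, erspan=True):
    """Bytes a mirror session adds to the shared network for the given production frames."""
    overhead = 50 if erspan else 38
    return sum(n + overhead for n in frame_lengths)


if __name__ == "__main__":
    for label, pkt in (("ERSPAN II", encapsulate(INNER, erspan=True, seq=7)),
                       ("gretap", encapsulate(INNER))):
        inner, info = decapsulate(pkt)
        print(label, "inner ok:", inner == INNER, "overhead bytes:", info["overhead"])
```

    For a 64-byte production frame the ERSPAN Type II copy is 114 bytes on the wire (50 bytes of outer Ethernet, IPv4, GRE and ERSPAN header), so a mirror session carrying small packets can add well over half again the mirrored volume to any link it shares with production traffic, which is the overload scenario the experiment observed.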


  • Basic NGIPS Operation and Management for Intrusion Analysts by Mike Mahurin - August 15, 2017 

    Next Generation Intrusion Prevention Systems (NGIPS) are often presented as a panacea for modern malware, network intrusion, advanced persistent threats, and application control for complex modern applications. Many vendors position these products in a way that downplays the tuning and intrusion analysis needed to get the best security capability out of the solution. This paper provides a basic framework for effectively managing, tuning, and augmenting an NGIPS solution with open source tools in order to maximize its capabilities.


  • Packet Capture on AWS STI Graduate Student Research
    by Teri Radichel - August 14, 2017 

    Companies using AWS (Amazon Web Services) will find that traditional means of full packet capture using SPAN ports are not possible. As defined in the AWS Service Level Agreement, Amazon runs certain aspects of the cloud platform and does not give customers access to physical networking hardware. Although access to physical network equipment is limited, packet capture is still possible on AWS but needs to be architected in a different way. Instead of using SPAN ports, security professionals can leverage the software that runs on top of the cloud platform. The tools and services provided by AWS may facilitate more automated, cost-effective, and scalable packet capture solutions for some companies when compared to traditional data center approaches.


  • Automating Cloud Security to Mitigate Risk Analyst Paper
    by Dave Shackleford - July 20, 2017 

    As cloud computing services evolve, the cloud opens up entirely new avenues for attack. This paper explores the security challenges enterprises face as they migrate to any kind of cloud setup and offers guidance to ensure a smooth migration to new solutions.


  • Lateral Leadership and Information Security by Stefan Krampe - July 19, 2017 

    In almost every company, a defined hierarchy, job description, and organizational chart define who is in charge of a certain issue. Nevertheless, most employees will recall situations in which teams without a predefined leader had to collaborate. Being able to navigate these settings effectively is extremely helpful for the information security professional. More often than not, different departments and heterogeneous groups have to work together to improve the security posture of a corporation. An open mind, real interest in the ideas of colleagues, and a reasonable distribution of responsibilities and tasks are needed. Well-known principles of information security are actually quite well suited to these circumstances.


  • Network Security Infrastructure and Best Practices: A SANS Survey Analyst Paper
    by Barbara Filkins - May 23, 2017 

    Network infrastructure is the key business asset for organizations that depend on geographically dispersed data centers and cloud computing for their critical line-of-business applications. Consistent performance across links and between locations must be maintained to ensure timely access to data, enabling real-time results for decision making. The following pages provide guidance on how to approach common challenges faced by both the network and security operational teams in managing interrelated security and performance problems.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.