Network Architecture
Chimene Tchokoko Diboma
Name of Institution
Introduction:
Advances in information and communication technology have changed the way people do business. Information systems and computer networks serve as a utility in modern businesses; no business is imaginable without computer networks. Financial institutions such as banks are among the businesses most affected by the exponential penetration of information and communication technologies. Before the advent of internet technologies, banks maintained their financial records manually, but the advances and miniaturization introduced in computer networking have moved bank operations from manual to digital. All banking institutions offer a plethora of online banking services, and people rely on them for their financial transactions.
All of the services provided through online banking systems are built on the existing infrastructure of the internet. The internet itself was not designed with much security in mind, so any service built on its underlying network architecture is inherently insecure. Banking systems use the internet to transfer and maintain sensitive financial records, which makes their infrastructure a potential target for cyber-criminals. Banks handle personally identifiable information, and compromising such information can be very profitable for criminals (Martin et al., 2017). Criminals and hackers all over the world keep making their cyber-espionage tools more sophisticated and harder to detect. The primary motive of 90% of cyber attacks on financial institutions is monetary gain through sabotage of the institution's information technology infrastructure.
The most important factor in banking services is customer trust. People use banking systems because of the trust they place in financial institutions. Protecting digital records and financial systems from cyber-criminals is therefore the bank's responsibility. If a bank suffers a data breach, the financial cost of the breach is accompanied by severe reputational loss (Jungwirth & La Fratta, 2016). The set of components a bank uses to handle communications and financial actions linked to the internet is known as its network infrastructure. This report analyzes the network architecture of a bank to identify possible risks of data loss and techniques for mitigating them.
Overview of Network Architecture:
Banks use several information and communication technology components to run their operations; collectively, these components make up the network architecture of a particular bank. The main components are as follows. Employees work on end computers, also known as hosts, which are typical computers found everywhere. All of these computers are connected to the bank's central computer, the server, which hosts the database of all of the bank's financial records. Communication between hosts and the server takes place over internet connectivity (Mbelli & Dwolatzky, 2016). Because the internet is a public network, and banks cannot afford to move sensitive financial information over a public network unprotected, all banks use specialized components to secure the transactions. A host computer that sends a request message is known as the client, and the central computer that serves the requested information is known as the server; banks use the client-server paradigm of computer networking.
A message sent from the bank to the server is known as the source message, and the message received in response to it is known as the destination message. Different protocols can be used for source and destination messages. Information travels through the network in the form of network packets. The User Datagram Protocol (UDP) is used for packet transfer in environments where low latency is required, such as domain name resolution services. UDP does not guarantee that a packet sent from the source will reach the destination. It is the simplest network communication protocol, but because it does not provide guaranteed packet delivery it cannot be used in banking systems. Banks use the Transmission Control Protocol (TCP), commonly referred to together with the Internet Protocol (IP) as TCP/IP (Spiers, Halas, Schimmel, & Provencher, 2015). TCP is a network communication protocol that guarantees packet delivery to the destination: it uses acknowledgment packets so that the source knows whether each packet was transferred successfully or not.
Each computer in the network, including the server, is identified by a unique numerical address known as the IP address, which is used to send messages across the network. An IP address serves the same purpose in the network as a person's physical address. Two versions of IP addressing are currently in use: the first is IPv4 and the second is IPv6. An IPv4 address is 32 bits long and identifies a unique computer on the network. Many applications may be running on a computer connected to the network; all of them may use network resources, and the computer's single IP address is shared among them (Hyun, Kim, Hong, & Jeong, 2017). To distinguish between applications, different ports are used for data transmission, and each application protocol may have its own designated port. For example, typical HTTP web traffic uses port number 80, and the same port cannot be used by any other application.
Email applications use port number 109 or 110, or both in some cases, depending on the protocol used for email message transfer. Most banks use a wired medium such as Ethernet cables for connectivity; however, wireless networks can be used for intra-branch connectivity as well.
The bank uses a combination of technologies to protect its network architecture from cyber-attacks. The purpose of these technologies is to ensure the confidentiality, integrity, and availability of information. One such system implemented by the evaluated bank is a combined intrusion detection and intrusion prevention system. An intrusion detection system is a hardware component that protects the bank's internal network against unauthorized access. An intrusion prevention system, on the other hand, blocks attempts to compromise the network traffic: it checks each and every transmitted packet against a predefined set of rules for malicious characteristics, and a packet that shows the characteristics of malicious packets is dropped. The intrusion prevention system also plays its role when a computer with a different destination address tries to manipulate a packet destined for some other host in the network.
A hardware-based firewall is used to protect internal resources from hacking attempts. When an application on a host machine is closed, the network port it opened may remain open, potentially turning into a security hole. Hackers can use port scanning techniques to look for unused open ports in the network and then exploit them for financial gain or to deliver malicious code to network nodes. The firewall is a crucial component of the bank's network architecture because it blocks port scanning attempts and various other attack vectors as well (Kate, 2016). IDS and IPS systems supplement the firewall because the firewall only considers traffic from outside the network; an attack initiated from within the network, such as an insider attack, can easily bypass the firewall defense. Because all communication uses network addresses (IP addresses), banks use network address translation (NAT) routers to hide internal network addresses: only the single IP address of the NAT router identifies a whole branch of the bank and its network to the outside.
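The difference between a firewall that "blocks unwanted connections" and one that merely lists a few allowed services is the default policy and rule order. The following Python model is an added illustration (not code from the report or from any firewall vendor): it evaluates ingress packets against a first-match rule list and compares a weak default-allow policy with a hardened default-deny one. The address ranges, the database port 1433 and the web port 443 are constructed assumptions for the example.

```python
# Added example (not the report's own code): a first-match ingress packet
# filter, showing a weak default-allow policy beside a hardened default-deny one.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the source must belong to ("0.0.0.0/0" = anywhere)
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> Tuple[str, str]:
    """First matching rule decides; `default` applies when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, f"{rule.action} by {rule}"
    return default, f"{default} by default policy"


# Constructed address plan (hypothetical): branch LAN, public web port, database port.
INTERNAL_LAN = "10.20.0.0/16"
WEB_PORT = 443
DB_PORT = 1433   # assumed database service port (the kind of service port the
                 # report found reachable from outside)

# Weak policy: only the web service was written down and the default was left at
# "allow", so anything not mentioned (database port, UDP probes) passes through.
WEAK_RULES = [Rule("allow", "0.0.0.0/0", "tcp", WEB_PORT)]
WEAK_DEFAULT = "allow"

# Hardened policy: explicit allows, the database port only from the LAN,
# an explicit catch-all deny, and default deny as a backstop.
HARDENED_RULES = [
    Rule("allow", "0.0.0.0/0", "tcp", WEB_PORT),   # public online banking over TLS
    Rule("allow", INTERNAL_LAN, "tcp", DB_PORT),   # database reachable from branch hosts only
    Rule("deny", "0.0.0.0/0", "any", None),        # everything else is dropped
]
HARDENED_DEFAULT = "deny"


def compare(pkt: Packet) -> Tuple[str, str]:
    """(weak verdict, hardened verdict) for one ingress packet."""
    return (evaluate(WEAK_RULES, pkt, WEAK_DEFAULT)[0],
            evaluate(HARDENED_RULES, pkt, HARDENED_DEFAULT)[0])


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "10.20.1.10", "tcp", WEB_PORT),
                Packet("198.51.100.7", "10.20.1.10", "tcp", DB_PORT),
                Packet("10.20.3.4", "10.20.1.10", "tcp", DB_PORT),
                Packet("198.51.100.7", "10.20.1.10", "udp", 161)):
        print(pkt, "weak/hardened:", compare(pkt))
```

Under the weak policy every probe from an outside address reaches the database port because nothing says otherwise; under the hardened policy the same probe is dropped while branch hosts keep their access. As the report notes, this filter only sees traffic crossing the network edge, so a host inside the LAN is judged by the LAN rule, not by anything that inspects its intent; that gap is what the IDS/IPS layer covers.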
Network Attacks:
There is a plethora of attacks against any networked environment, and in recent decades computer threats have grown not only in number but in the complexity of their operation as well. When a message is transmitted from a source to a destination, its contents can be intercepted and modified in transit, which is something a banking system cannot afford. A network attack in which network packets are captured and modified by unauthorized parties is known as a man-in-the-middle attack; both the confidentiality of the information and the integrity of the network packets are compromised in these attacks. Alongside man-in-the-middle attacks, attackers can use several other methods to sabotage the bank's network. Cache poisoning attacks are used by attackers to redirect legitimate applications to compromised services, and there is no way for the operator to know whether the application is contacting a legitimate server or a compromised server deployed by the attacker (White, Fisch, & Pooch, 2017). Most banks use cache servers to lower the latency and round-trip time of requests in the network, and such a cache server can be compromised by attackers in a cache poisoning attack.
Vulnerabilities are security holes in the installed architecture, whether software or hardware, that are known to attackers and can be used to exploit the network. A vulnerability in the network architecture serves the attacker the way an open window in a locked house serves a thief.
Banks use honeypots to trap network attacks such as cache poisoning and exploitation of security holes. A honeypot is a network device that looks like the bank's network to traffic arriving from outside the network; it mimics the bank's network and deflects attacks from the real network. Attackers attempt to compromise the honeypot, and the bank's security officers learn about the tactics used to compromise the network. The knowledge gained from attacks on honeypots is used to strengthen the actual system defenses in the long run. Traffic monitoring and analysis tools can help determine whether a honeypot is trapping cyberattacks: visible anomalies in the network traffic monitored for the honeypot show that attacks are being deflected from the original system (Ekberg, 2016). If no new connections are observed in the honeypot network, it may not be functioning as intended, and attackers may have visibility into the bank's actual network. False positives are files or attacks that are blocked by the honeypots or other defense applications of the bank even though they are benign: if a legitimate activity is blocked by the bank's defense systems, the event is considered a false positive.
When an actual threat is not blocked by the defenses, the event is known as a false negative. A false negative is more dangerous than a false positive because a missed threat can compromise the entire network of the bank, whereas a false positive can easily be whitelisted by the security team.
Network Traffic Analysis and Results:
Various tools can be used to monitor the bank's network traffic; popular network monitoring tools include Wireshark, Packet Tracer and tcpdump. The tcpdump tool was used to analyze traffic on the bank's network. Traffic under normal conditions was analyzed and logged for reference, a step that is necessary for differentiating abnormal traffic from normal traffic in the network. The captured packets revealed the source and destination addresses of the packets as well as the port numbers of the destination application. Although the actual payload of the packets was not revealed by the analysis, the revealed addresses can be used for targeted attacks such as denial of service attacks (Kennedy et al., 2016). This was verified by running a denial of service attack against the destination address found in the captured packets. In a denial of service attack, fake requests are generated toward the target, causing congestion on the network link; as a result of the attack, legitimate connections to the destination server were blocked.
The successful attack on the destination server revealed vulnerabilities in the defense mechanism of the server, which is also a crucial component of the bank's overall network infrastructure. The attack showed that outside traffic is not properly blocked from reaching the destination service ports. A misconfigured firewall may be the cause of the problem; however, an effective intrusion detection system should have flagged the abnormal traffic at some stage of the attack. The exposure of port numbers in the packets captured with the packet capturing tool is dangerous, and it can allow the compromise of the bank's entire network environment.
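The analysis above describes two things a detection team actually has to build: a baseline from a normal capture, and a rule that flags a connection flood against that baseline, and the earlier discussion of false positives and false negatives describes how such a rule is judged. The following Python script is an added example (not the report's own tooling): it parses the one-line-per-packet text that tcpdump prints for IPv4 TCP with `-n`, counts pure SYNs per destination address and port, flags targets whose SYN count in a window exceeds both an absolute floor and a multiple of the baseline, and scores the verdicts against constructed ground truth. All capture lines, addresses and labels are constructed for the example; nothing here comes from the bank's real traffic.

```python
# Added example (not the report's own tooling): SYN-flood detection over
# tcpdump-style text, with a baseline window and a false-positive/negative score.
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set, Tuple

Target = Tuple[str, int]   # (destination address, destination port)

# Head of a tcpdump line for IPv4 TCP, e.g.
# "12:00:01.000000 IP 203.0.113.5.51234 > 10.20.1.10.443: Flags [S], seq 1, win 64240, length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the addressing fields of one capture line, or None for non-matching text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def syn_counts(lines: Iterable[str]) -> Counter:
    """Connection attempts per (dst, dport): only pure SYNs ("[S]") count, so
    SYN-ACK replies ("[S.]") and data segments ("[P.]") are ignored."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["flags"] == "S":
            counts[(rec["dst"], rec["dport"])] += 1
    return counts


def detect_floods(window: Iterable[str], baseline: Counter,
                  factor: int = 5, min_syn: int = 10) -> Set[Target]:
    """Flag targets whose SYN count exceeds factor x baseline and an absolute floor.
    The floor stops a target with a zero baseline from alerting on a handful of SYNs."""
    flagged: Set[Target] = set()
    for target, n in syn_counts(window).items():
        if n >= min_syn and n > factor * baseline.get(target, 0):
            flagged.add(target)
    return flagged


def confusion(flagged: Set[Target], truth: Set[Target]) -> Dict[str, int]:
    """True positives, false positives (benign but flagged), false negatives (attack but missed)."""
    return {"tp": len(flagged & truth), "fp": len(flagged - truth), "fn": len(truth - flagged)}


# --- constructed sample captures (not real bank traffic) ---
def syn(i: int, src: str, dst: str, dport: int) -> str:
    return (f"12:00:{i % 60:02d}.000000 IP {src}.{40000 + i} > {dst}.{dport}: "
            f"Flags [S], seq 1, win 64240, length 0")


SERVER = "10.20.1.10"   # constructed destination server
NORMAL = ([syn(i, f"198.51.100.{i}", SERVER, 443) for i in range(6)]
          + [syn(i, f"198.51.100.{50 + i}", SERVER, 25) for i in range(2)]
          + [f"12:00:07.000000 IP {SERVER}.443 > 198.51.100.1.40001: "
             f"Flags [S.], seq 9, ack 2, win 65535, length 0"])   # reply, must not count

WINDOW = ([syn(i, f"203.0.113.{i % 20}", SERVER, 443) for i in range(60)]   # flood
          + [syn(i, f"198.51.100.{50 + i}", SERVER, 25) for i in range(12)]  # benign burst
          + [syn(i, f"203.0.113.{100 + i}", SERVER, 8443) for i in range(8)])  # quiet probing

# Constructed ground truth: the 443 flood and the 8443 probing are attack traffic;
# the port-25 burst is a legitimate batch mail run.
TRUTH: Set[Target] = {(SERVER, 443), (SERVER, 8443)}


def run() -> Dict[str, int]:
    flagged = detect_floods(WINDOW, syn_counts(NORMAL))
    return confusion(flagged, TRUTH)


if __name__ == "__main__":
    print("baseline:", dict(syn_counts(NORMAL)))
    print("flagged:", detect_floods(WINDOW, syn_counts(NORMAL)))
    print("score:", run())
```

With the constructed data the rule catches the 60-SYN flood on port 443, wrongly flags the mail burst on port 25 (a false positive the team can whitelist), and misses the eight SYNs on port 8443 because they stay under the floor (a false negative, the more dangerous outcome the report describes). Tuning `factor` and `min_syn` trades one error against the other, which is why the baseline capture taken under normal conditions matters.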
Recommended Remediation Strategies:
The discovered vulnerabilities in the bank's network and the associated risks can be mitigated by deploying a comprehensive logging and auditing server at each branch of the bank. A logging system logs all network traffic activity and helps reconstruct events in the case of a successful breach. The logging server must be protected by deploying a reverse proxy solution, because in most targeted attacks the criminals also try to remove the traces of their actions from the logging server; the reverse proxy will not allow incoming connections to the logging server. The auditing applications provide granular visibility into the network activity performed by employees and criminals alike. Every opened port must be closed as soon as its application is closed, and all applications not used in the network must be removed completely from all endpoints to reduce the bank's attack surface. These measures help protect the confidentiality, integrity, and availability of the vital information required for business continuity.
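Keeping intruders away from the logging server is one half of the problem; the other half is being able to tell, after the fact, whether log entries were altered or deleted. The following Python sketch is an added illustration (not part of the report or of any logging product): it stores entries as a hash chain, where each entry commits to the hash of the one before it, and shows which kinds of tampering the verifier catches. The events, addresses and field names are constructed.

```python
# Added example (not the report's own code): a hash-chained, tamper-evident
# event log and a verifier that reports the first broken entry.
import copy
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64   # hash "before" the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(log: List[dict], record: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify(log: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Index of the first bad entry, or None if the chain is intact.
    expected_head is the latest hash as recorded somewhere the attacker cannot
    reach (e.g. shipped to the auditing server); without it, cutting the tail is invisible."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)   # entries missing from the tail
    return None


# Constructed sample events (hypothetical firewall verdicts, not real bank logs).
EVENTS = [
    {"ts": "2023-03-01T09:00:00Z", "src": "10.20.3.4", "dst": "10.20.1.10", "dport": 1433, "action": "allow"},
    {"ts": "2023-03-01T09:00:05Z", "src": "203.0.113.7", "dst": "10.20.1.10", "dport": 1433, "action": "deny"},
    {"ts": "2023-03-01T09:00:09Z", "src": "203.0.113.7", "dst": "10.20.1.10", "dport": 443, "action": "allow"},
]


def build() -> List[dict]:
    log: List[dict] = []
    for ev in EVENTS:
        append(log, ev)
    return log


def demo() -> dict:
    log = build()
    head = log[-1]["hash"]                       # value the collector keeps off-box
    edited = copy.deepcopy(log)
    edited[1]["record"]["action"] = "allow"      # a denied attempt rewritten as allowed
    deleted = [log[0], log[2]]                   # the middle entry removed
    truncated = log[:2]                          # the newest entry removed
    return {
        "intact": verify(log, head),             # None
        "edited": verify(edited, head),          # 1
        "deleted": verify(deleted, head),        # 1
        "truncated": verify(truncated, head),    # 2 (tail missing)
        "truncated_without_head": verify(truncated),   # None: undetectable
    }


if __name__ == "__main__":
    print(demo())
```

The last result is the practical caveat: a chain alone proves that nothing was changed or removed before the newest surviving entry, but an attacker who simply cuts the end of the file leaves a valid chain. The head hash therefore has to leave the box continuously (to the auditing server, or signed with a key the logging host does not hold), which is what makes the reverse-proxied, inbound-blocked log collector worth the effort.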
Joint Network Defense Bulletin
Attacks on financial institutions are increasing at an exponential rate. Hackers employ sophisticated encryption algorithms to encrypt critical information files on targeted machines and then demand ransom money for the decryption key; even if the ransom is paid, there is no guarantee that the files will be decrypted. Network protection is therefore indispensable in banking environments. All bank branches in the United States must install logging servers and protect them with reverse proxies. Logging and auditing of the collected logs are indispensable for identifying criminal activity in the network.
Firewalls must be configured appropriately to block all unwanted connections and port scanning attacks. Data must be transmitted using the Secure Sockets Layer (SSL) protocol to avoid the damage caused by man-in-the-middle attacks. If the network packets are encrypted end to end, their integrity is ensured: the payload of an IP packet cannot be tampered with by any unauthorized party. Security training of employees must be an essential requirement for all banks and financial institutions; employees must be aware of social engineering attacks such as phishing and spam email attacks. Almost 65% of the attacks investigated in the banking sector were initiated from within the bank's network by employees. By following the recommended security standards, we will be able to create a secure digital banking ecosystem that is not possible otherwise.
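The integrity guarantee the bulletin asks of end-to-end encryption comes from the authentication tag that SSL/TLS attaches to every record, not from the encryption step on its own. The following Python example is added here (it is not from the report and uses no real protocol implementation) to show the difference: a toy keystream cipher, constructed purely for illustration, hides a payload but lets a corrupted byte through unnoticed, whereas encrypt-then-MAC with HMAC-SHA256 rejects the damaged message before decryption. Keys, nonce and the payload are fixed constructed values.

```python
# Added example (not the report's own code): why "encrypted" is not the same as
# "integrity-protected". Toy cipher for illustration only; real traffic uses TLS.
import hashlib
import hmac
from typing import Optional

NONCE_LEN, TAG_LEN = 12, 32


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (constructed for illustration, not a real cipher): XORs the
    data with a SHA-256-derived keystream. Like any bare stream cipher it hides the
    content but lets any byte be altered without the receiver noticing.
    The same call decrypts, since XOR is its own inverse."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    ct = keystream_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting; None means tampered or corrupt."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return keystream_encrypt(enc_key, nonce, ct)


def decrypt_unchecked(enc_key: bytes, blob: bytes) -> bytes:
    """What a receiver that relies on encryption alone does: ignore the tag entirely."""
    return keystream_encrypt(enc_key, blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN])


# Constructed fixed keys and nonce so the run is reproducible; real deployments use
# random keys and a nonce that is never reused under the same key.
ENC_KEY = b"constructed-enc-key-0000000000000"
MAC_KEY = b"constructed-mac-key-1111111111111"
NONCE = b"\x00" * NONCE_LEN
MESSAGE = b"TRANSFER 100.00 FROM 1234 TO 5678"   # constructed sample payload


def demo() -> dict:
    blob = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    damaged = bytearray(blob)
    damaged[NONCE_LEN] ^= 0x01        # one bit of the first ciphertext byte changed in transit
    damaged = bytes(damaged)
    return {
        "roundtrip": open_sealed(ENC_KEY, MAC_KEY, blob),       # original message
        "unchecked_sees": decrypt_unchecked(ENC_KEY, damaged),  # silently altered text
        "checked_sees": open_sealed(ENC_KEY, MAC_KEY, damaged), # None: rejected
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The unchecked receiver decrypts the damaged record to a different but perfectly readable message with no error at all, which is exactly the situation the bulletin wants to rule out; the checked receiver refuses it. TLS provides this tag (and the key exchange that keeps the MAC key out of a man-in-the-middle's hands), so "use SSL/TLS end to end" is the right instruction, provided the client also validates the server's certificate.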
References
Ekberg, J.-E. (2016). Partially virtualizing PCR banks in mobile TPM. Google Patents.
Hyun, D., Kim, J., Hong, D., & Jeong, J. P. (2017). SDN-based network security functions for effective DDoS attack mitigation. 2017 International Conference on Information and Communication Technology Convergence (ICTC), 834–839. IEEE.
Jungwirth, P., & La Fratta, P. (2016). OS friendly microprocessor architecture: Hardware level computer security. Cyber Sensing 2016, 9826, 982602. International Society for Optics and Photonics.
Kate, A. (2016). Introduction to credit networks: security, privacy, and applications. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 1859–1860. ACM.
Kennedy, S., Ayers, I. C. R., Banks, S., Allison, I. C., Spencer, M. E., & Diaz, M. A. (2016). Systems and methods for implementing and scoring computer network defense exercises. Google Patents.
Martin, B. A., Michaud, F., Banks, D., Mosenia, A., Zolfonoon, R., Irwan, S., … Zao, J. K. (2017). OpenFog security requirements and approaches. 2017 IEEE Fog World Congress (FWC), 1–6. IEEE.
Mbelli, T. M., & Dwolatzky, B. (2016). Cyber security, a threat to cyber banking in South Africa: An approach to network and application security. 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud), 1–6. IEEE.
Spiers, B. T., Halas, M., Schimmel, R. A., & Provencher, D. P. (2015). Secure network cloud architecture. Google Patents.
White, G. B., Fisch, E. A., & Pooch, U. W. (2017). Computer system and network security. CRC Press.