
Reading Room

Network Security

Featuring 16 Papers as of July 7, 2020

  • Using Zero Trust to Enable Secure Remote Access
    Analyst Paper (requires membership in community)
    by Dave Shackleford - July 7, 2020

    Many tools and controls can help monitor internal workloads and data moving between hybrid cloud environments. The zero trust model may be the most important when designing a dynamic security architecture.

  • Zero Trust: What You Need to Know to Secure Your Data and Networks
    Analyst Paper (requires membership in community)
    by Dave Shackleford - April 20, 2020

    In the ongoing movement toward increasingly hybrid, software-based environments, enterprises are designing dynamic security architecture models around an overarching theme: "zero trust." The core elements of a well-rounded zero trust model are still in the development stage, but this paper explores the critical missing element in securing your data and network in a zero trust architecture.

  • Knock, Knock: Is This Security Thing Working?
    Analyst Paper (requires membership in community)
    by Matt Bromiley - March 10, 2020

    Is our current state of information security working? Is it possible the "same old way" of doing things is simply making us feel secure...until the next breach proves us wrong? This paper explores how the movement toward virtualized data centers has removed obstacles to a long-held goal for information security: the concept of intrinsic security.

  • How to Effectively Use Segmentation and Microsegmentation
    Analyst Paper (requires membership in community)
    by Dave Shackleford - October 15, 2019

    In recent years, software-defined networking (SDN) has emerged as a significant technology to help improve network visibility, packet analysis and security functions. Unfortunately, not all segmentation models are equal when it comes to security. This whitepaper covers several different models of SDN and microsegmentation, and explores situations where security shortcomings are possible. Learn how to test your SDN platform to determine whether it can provide full coverage in detecting and preventing significant security incidents.

  • Increasing Visibility with Ixia's Vision ONE
    Analyst Paper (requires membership in community)
    by Serge Borso - April 23, 2019

    Visibility into network structures and endpoints is vital to security and intelligence operations. Ixia's Vision ONE is a device that enables organizations to gain visibility into threats and manage security operations within a single platform. The SANS review of the Vision ONE platform examines how it provides enhanced, more efficient security through packet brokers and actionable information at the application level. We also consider how Vision ONE can help reduce operational costs.

  • Gaining Visibility on the Network with Security Onion: A Cyber Threat Intelligence Based Approach
    Graduate Student Research
    by Alfredo Hickman - January 2, 2019

    Generating threat intelligence, detecting network intrusions, and preventing cyber threat actors from executing their objectives are critical measures for preserving cybersecurity. Network breaches of organizations such as the U.S. Office of Personnel Management, Target, Anthem, and many others, are proving that individuals and organizations of all sizes and backgrounds are targets of cyber threat actors. Another reality is that not everybody is equipped and funded to leverage threat intelligence to detect network intrusions and respond accordingly.

  • SDN Southbound Threats
    by Mohamed Mahdy - November 20, 2018

    Software-Defined Networking (SDN) technologies are based on three pillars: decoupling the control and forwarding planes; centralized management with a programmable network; and commodity switches. As with every new technology, the primary concern is always security. Security concerns are on the rise because internal communications are exposed to and forwarded over the network layer. For example, because geographically dispersed devices are connected as if they were a single data center or LAN, SDN infrastructure is exposed to external threats. Strategies used for SDN security are similar to those for legacy networks: defining the perimeters, trust areas, and stakeholders. Monitoring, including logging of processes and user activity, is critical to securing the SDN components. Protection against Southbound and Northbound attacks is vital to keep the SDN deployment secure. Given the concerns about evolving SDN threats and the many components involved in a deployment, more informative penetration testing frameworks are needed to test SDN deployment security. The DELTA project (an SDN evaluation framework that recognizes attack cases against SDN elements and assists in identifying unknown security problems), developed by students at KAIST (Korea Advanced Institute of Science and Technology), is one such project discussed in this paper.

  • To Block or not to Block? Impact and Analysis of Actively Blocking Shodan Scans
    Graduate Student Research
    by Andre Shori - October 22, 2018

    This paper details an experiment constructed to evaluate the effectiveness of blocking Shodan search engine scans in reducing overall attack traffic volumes. Shodan is considered to be part of an attacker's toolset, and there is a persistent perception that blocking Shodan scans will reduce an organization's attack surface. An attempt was made to determine what effect, if any, such a block would have by comparing attacker traffic before and after implementing a block on Shodan scans, and by determining the complexity of performing such a block. The analysis here may provide defenders and managers with useful data when deciding whether or not to devote resources to blocking Shodan or other similar internet-connected device search engines.

  • PCAP Next Generation: Is Your Sniffer Up to Snuff?
    Graduate Student Research
    by Scott D. Fether - March 16, 2018

    The PCAP file format is widely used for packet capture within the network and security industry, but it is not the only standard. The PCAP Next Generation (PCAPng) Capture File Format is a refreshing improvement that adds extensibility, portability, and the ability to merge and append data to a wire trace. While Wireshark has led the way in supporting the new format, other tools have been slow to follow. With advantages such as the ability to capture from multiple interfaces, improved time resolution, and the ability to add per-packet comments, support for the PCAPng format should be developing more quickly than it has. This paper describes the new standard, demonstrates methods to take advantage of its new features, introduces scripting that can make the format usable, and argues that migration to PCAPng is necessary.

  • Does Network Micro-segmentation Provide Additional Security?
    Graduate Student Research
    by Steve Jaworski - September 15, 2017

    Network segmentation is the practice of taking a large group of hosts and creating smaller groups of hosts that can communicate with each other without traversing a security control. Each smaller group has its own defined security controls, and the groups are independent of each other. Network micro-segmentation goes a step further, configuring controls around individual hosts. The goal of network micro-segmentation is to provide more granular security and reduce an attacker's ability to easily compromise an entire network. If an attacker succeeds in compromising a host, he or she is limited to the network segment on which the host resides. If the host resides in a micro-segment, then the attacker is restricted to only that host. This paper discusses what network segmentation and network micro-segmentation are, where they apply, and what additional layer of security they provide, including the levels of complexity involved.

  • IDS Performance in a Complex Modern Network: Hybrid Clouds, Segmented Workloads, and Virtualized Networks
    Graduate Student Research
    by Brandon Peterson - September 12, 2017

    Most modern networks are complex, with workloads both in the cloud and on premises. Monitoring these types of networks requires aggregating monitoring data from multiple, diverse locations. The following experiment tests the effects on a Snort IDS sensor when monitoring data is sent to the sensor using three different methods. The first method tests direct communication from a server generating test traffic to an IP address on the Snort sensor. The second method captures test traffic from a SPAN port and directs it to an interface on the Snort sensor. The final method simulates ERSPAN by creating a GRE tunnel between the generating server and the Snort sensor and capturing traffic from that tunnel. The results showed that the method used to deliver data has a significant impact on the volume of data that reaches the sensor. Monitoring can also have cascading effects on the network and must be planned for accordingly. For example, when both ERSPAN and production traffic are sent over the same network infrastructure, excessive ERSPAN traffic can cause production traffic to be dropped by overloaded network equipment. When setting up IDS sensors in a complex network environment using SPAN or ERSPAN, it is best to increase the volume of monitoring traffic slowly and carefully measure the impact in each unique environment.

  • Basic NGIPS Operation and Management for Intrusion Analysts
    by Mike Mahurin - August 15, 2017

    Next Generation Intrusion Prevention Systems (NGIPS) are often presented as the panacea for modern malware, network intrusion, advanced persistent threats, and application control for complex modern applications. Many vendors position these products in a way that minimizes the value of tuning and intrusion analysis in getting the optimum security capability out of the solution. This paper provides a guide to maximizing the capabilities of these technologies through a basic framework for effectively managing, tuning, and augmenting an NGIPS solution with open source tools.

  • Packet Capture on AWS
    Graduate Student Research
    by Teri Radichel - August 14, 2017

    Companies using AWS (Amazon Web Services) will find that traditional means of full packet capture using SPAN ports are not possible. As defined in the AWS Service Level Agreement, Amazon runs certain aspects of the cloud platform and does not give customers access to physical networking hardware. Although access to physical network equipment is limited, packet capture is still possible on AWS but needs to be architected in a different way. Instead of using SPAN ports, security professionals can leverage the software that runs on top of the cloud platform. The tools and services provided by AWS may facilitate more automated, cost-effective, scalable packet capture solutions for some companies when compared to traditional data center approaches.

  • Automating Cloud Security to Mitigate Risk
    Analyst Paper (requires membership in community)
    by Dave Shackleford - July 20, 2017

    As cloud computing services evolve, the cloud opens up entirely new ways for potential attacks. This paper explores the potential security challenges enterprises face as they migrate to any kind of cloud setup and offers guidance to ensure a smooth migration to new solutions.

  • Lateral Leadership and Information Security
    by Stefan Krampe - July 19, 2017

    In almost every company, a defined hierarchy, job descriptions and an organizational chart define who is in charge of a given issue. Nevertheless, most employees will recall situations in which teams without a predefined leader had to collaborate. Being able to navigate these settings effectively is extremely helpful for the information security professional. More often than not, different departments and heterogeneous groups have to work together to improve the security posture of a corporation. An open mind, genuine interest in the ideas of colleagues, and a reasonable distribution of responsibilities and tasks are needed. Well-known principles in information security are actually quite well suited to these circumstances.

  • Network Security Infrastructure and Best Practices: A SANS Survey
    Analyst Paper (requires membership in community)
    by Barbara Filkins - May 23, 2017

    Network infrastructure is the key business asset for organizations that depend on geographically dispersed data centers and cloud computing for their critical line-of-business applications. Consistent performance across links and between locations must be maintained to ensure timely access to data, enabling real-time results for decision making. The following pages provide guidance on how to approach common challenges faced by both the network and security operational teams in managing interrelated security and performance problems.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.