The following two terms are commonly used to describe when a threat is detected:
- Zero-day – Sometimes also referred to as zero-day attacks, zero-day threat, or zero-day exploit. This is the day that an unknown vulnerability has been discovered by the vendor. The term is a reference to the amount of time that a vendor has had to address the vulnerability.
- Zero-hour – This is the moment when the exploit is discovered.
A network remains vulnerable between the zero-day and the time it takes a vendor to develop a solution.
In the example in the figure, a software vendor has learned of a new vulnerability. The software can be exploited until a patch that addresses the vulnerability is made available. Notice that in the example, it took several days and a few software patch updates to mitigate the threat.
How can networks be protected against all of the threats and zero-day attacks?
The image is a timeline of the response to a zero-day attack. The timeline starts with a vendor software vulnerability being discovered which starts the timeline at the zero day and zero hour. Day 16, the first patch is released and a security advisory is issued by the vendor. Day 17, the second patch is released and the vendor software is patched. Day 18 the third patch is released.
Protecting Against Network Attacks
Many network attacks are fast moving, therefore, network security professionals must adopt a more sophisticated view of the network architecture. There is no one solution to protect against all TCP/IP or zero-day attacks.
One solution is to use a defense-in-depth approach also known as a layered approach to security. This requires a combination of networking devices and services working together in tandem.
Consider the network in the figure. There are several security devices and services implemented to protect its users and assets against TCP/IP threats.
All network devices including the router and switches are also hardened as indicated by the combination locks on their respective icons. This indicates that they have been secured to prevent attackers from tampering with the devices.
The image is a topology diagram of a campus area network showing a defense in-depth approach to network security. The image has 5 interactive buttons on the diagram for more information about important network security devices in the network: a VPN edge router which is used to provide secure VPN services with corporate sites and remote access support for remote users using secure encrypted tunnels. An ASA firewall router which is a dedicated device providing stateful firewall services. It ensures that internal traffic can go out and come back, but externally traffic cannot initiate connections to inside hosts. An intrusion prevention system (IPS) which monitors incoming and outgoing traffic looking for malware, network attack signatures, and more. If it recognizes a threat, it can immediately stop it. An email security appliance (ESA) which filters spam and suspicious emails, combined with a web security appliance (WSA) which filters known and suspicious internet malware sites. There is also an Authentication, Authorization, and Accounting (AAA) server that contains a secure database of who is authorized to access and manage network devices. Network devices authenticate administrative users using the AAA server and database.