Day 1 - Network Security Essentials Flashcards
Modules
- Defensible Network Architecture
- Virtualization and Cloud Security
> Lab - Virtual Machine Setup
- Network Device Security
- Networking and Protocols
> Lab - tcpdump
- Securing Wireless Networks
> Lab - Aircrack-ng
- Securing Web Communications
> Lab - Wireshark
Defensible Network Architecture
- Network Architecture
- Attacks against Network Devices
- Network Topologies
- Network Design
Understanding the Architecture of the System
- Conceptual Design
- Logical Design
- Physical Design
- Understand Communication Flow
- Know Where Your Valuable Data Is
Conceptual Design
- High-level design
- core components of network architecture
- picture of overall purpose of network
- required for integration, general functionality, data flow, and high level system behavior
- utilizes ‘black box’ diagramming
Logical Design
- represents each logical function in the system
- more detailed
- all major network components and their relationships
- detailed data flows and connections mapped out
- primarily for devs and security architects
- includes business services, application names, and other relevant information
Physical Design
- all major components and entities identified within specific physical servers and locations
- usually the last design created before final implementations
- contains all known details such as OSes, version #s, and relevant patches
- includes physical constraints and limitations
Understand Communication Flow
- begins with logical architecture
- shows how data can flow in and out of network
- maps every communication flow, whether for data exchange or control messages
- used to understand exposure and visibility of key components
- forms the foundation for threat mapping
Know Where Your Valuable Data Is
- also begins with the logical architecture
- to secure a network, you need to know where every piece of your valuable data resides
- focus on critical intellectual property:
> what is it?
> where is it?
> who has access to it?
> who should have access to it?
Networks under attack
- as servers become more difficult to compromise, network infrastructure is a vector of attack
- controlling the routers and switches gives visibility into all of the traffic
- many routers and switches are not secure or kept up to date
- external routers are often visible and accessible via a password
Threat Enumeration
Threats drive the risk calculation and are important for understanding the adversary:
- list all possible threat agents
- list the attack methods
- list the system-level objectives
Attacks against Routers
- Denial of Service
- Distributed Denial of Service
- Packet Sniffing
- Packet Misrouting
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SYN Flood
- TCP Reset Attack
- Routing Table Poisoning
- Malicious Insider/Disgruntled Employee
Attacks against Switches
- CDP Manipulation
- MAC Flooding
- DHCP Spoofing
- STP Attacks
- VLAN hopping attack
- Telnet attack
Physical Topologies
- how the network is actually connected
- how the data actually flows
- wired or wireless
- verification of physical topology is critical to ensure security
- star topology most common
Logical topologies
- how you communicate across wires
- meaning of the information
- language
- ethernet most common (CSMA/CD)
Ethernet
- Ethernet is shared media
> CSMA/CD (carrier sense multiple access with collision detection) - most common logical topology or layer 2 protocol
- steps taken to communicate:
> listen before transmitting
> make sure only one station transmits at a time
> monitor transmissions to check for collisions
Approaches to Network Design
Segmentation
- Network Segment
- Implement Controls at Multiple Layers
- Least Privilege Rule
- Segment Based on Security Requirements
- Whitelisting
Protected Enclave
Software Defined Networking (SDN)
- Micro-segmentation
Network Architecture Design
Prioritized Protection of Key Resources
Most enterprise networks are relatively flat and offer little resistance once the perimeter is breached.
Network Design Objectives
- Provide appropriate access from the internal network to the Internet
- Protect the internal network from external attacks
- Provide defense-in-depth through a tiered architecture
- Control the flow of information between systems
Network sections (1 of 2)
- Public: Internet
- Semi-public (DMZ) : Web, Mail, and DNS servers
- Middleware: Separate DMZ from private network
- Private : Internal systems
Locate firewalls:
- between the internet and other networks
- between semi-public and private network
- between sections of varying trust levels
Network sections (2 of 2)
three goals of network design:
1- any system visible from the internet must reside on the DMZ and cannot contain sensitive info
2- any system with sensitive info must reside on the private network and not be visible from the internet
3- the only way a DMZ system can communicate with a private network system is through a proxy on the middleware tier
Summary
- Understanding network technologies, physical and logical topologies, and network design is vital to create and maintain a secure network
- to secure a network, we must understand how it works
- security must be embedded into the network and not be an afterthought
- only by understanding how components on a network work and through a proper network architecture design can an organization achieve a secure network
Module 2: Virtualization and Cloud Security
- virtualization
- setting up virtualization
- virtualization security
- virtualized architectures
- cloud overview
- cloud security
Virtual machines
- allows software to run virtually on the same hardware
> OS level VMs
> application-level VMs - virtual machine software is responsible for segmenting and creating virtual hardware
The key component of virtualization is the ability to abstract and emulate specific hardware components, which is done by the ?
hypervisor
VMWare Network Options
1- Host-only network: nothing other than host OS gets to VM across network
2- Bridged network: host and VM behave as though sitting next to each other on a switch; introduces the VM's MAC address on the LAN
3- NAT: host acts as a NAT which VMs sit behind
What is Virtualization Security ?
- collective measures, procedures, and processes that ensure the protection of the virtualization infrastructure and environment
- focuses on protection and isolation of the various guest OSes
- hypervisor security is a key component of virtualization security
A focus area for attackers and therefore a key focus for security professionals is protecting against VM escape tactics
Benefits of Virtualization for Security
- Isolation - OS and Application
> helps IT managers better handle application instability
- Resiliency and High Availability
> admins quickly provision secure machines, replicate security policies across VMs
- Automation
- Virtual Appliances
- Forensic Analysis
> can create exact working copy of physical computer
The Hypervisor
- hypervisor is a threat surface
- compromise it and you own everything
- solution: Virtual Machine Introspection
value of hypervisor is that it reduces attack surface that attacker has to work with
drawback is if it is compromised, attacker owns everything
Machines becoming files
- machines as files leads to mobility
- mobility creates opportunity for theft
- virtual sprawl
virtual sprawl
condition in an operating environment where the number of VMs is so large that they can no longer be effectively managed or secured
Additional Layers of Virtualization Infrastructure Complexity
- Resource sharing
> allows for simplified file exchanges between VMs
- Direct memory sharing
> direct memory access to controllers such as video and network cards
Features designed for functionality and enhanced performances can also create security exposures.
With virtualization it is critical to identify and monitor these risks closely.
Mitigating the Risks of Virtualization
- separation
> separate dev environment
- establish 'trust zones'
> each VM should fall into a security category
- enforce certain processes
- sprawl management
> actively manage the virtual environment
- stack management
- auditing
- patching
Data Security
- 3 options for data protection
> content discovery
> volume storage encryption
> object storage encryption
- data loss prevention
- data migration to the cloud (detection)
- DB activity monitoring
- file activity monitoring
- data dispersion
- data fragmentation
Barriers to developing full confidence in Security as a Service
- compliance
- multi-tenancy
- vendor lock-in
what measures do security as a service providers take to earn the trust of their customers?
- strong security controls and system lockdown functions
- rigid physical security
- background checks on personnel
Business continuity and Disaster Recovery
customer should:
- review the contract of third party commitments
- review third party business continuity processes and any particular certification
- conduct on-site assessment
Cloud customers should not depend on a single provider of services and should have a DR plan in place that facilitates migration or failover should a supplier fail
Labs - Section 1
- Virtual machine setup
- tcpdump
- aircrack-ng
- wireshark
Labs - Section 2
- John the Ripper
- Cain & Abel
- Malicious Software
Labs - Section 3
- Nmap
- Snort
- hping3
- command injection
Labs - Section 4
- Image Steganography
- GNU Privacy Guard (GPG)
- Hashing
Labs - Section 5
- Process Hacker
- Microsoft Baseline Security Analyzer
- Secedit
- PowerShell Scripting
Network Devices
Hub
Bridge
Switch
Router
Hub
replicates traffic onto all ports, minimal security
Bridge
keeps track of network addresses, segments traffic, and breaks up collision domains
Switch
micro-segmentation with each port receiving traffic for the appropriate host using the MAC address
Router
connects networks together and determines the path a packet will take over a network