Day 1 - Network Security Essentials Flashcards
Modules
- Defensible Network Architecture
- Virtualization and Cloud Security
> Lab - Virtual Machine Setup
- Network Device Security
- Networking and Protocols
> Lab - tcpdump
- Securing Wireless Networks
> Lab - Aircrack-ng
- Securing Web Communications
> Lab - Wireshark
Defensible Network Architecture
- Network Architecture
- Attacks against Network Devices
- Network Topologies
- Network Design
Understanding the Architecture of the System
- Conceptual Design
- Logical Design
- Physical Design
- Understand Communication Flow
- Know Where Your Valuable Data Is
Conceptual Design
- High-level design
- core components of network architecture
- picture of overall purpose of network
- required for integration, general functionality, data flow, and high level system behavior
- utilizes ‘black box’ diagramming
Logical Design
- represents each logical function in the system
- more detailed
- all major network components and their relationships
- detailed data flows and connections mapped out
- primarily for devs and security architects
- includes business services, application names, and other relevant information
Physical Design
- all major components and entities identified within specific physical servers and locations
- usually the last design created before final implementations
- contains all known details such as OSes, version #s, and relevant patches
- includes physical constraints and limitations
Understand Communication Flow
- begins with logical architecture
- shows how data can flow in and out of network
- maps every communication flow, whether for data exchange or control messages
- used to understand exposure and visibility of key components
- forms the foundation for threat mapping
Know Where Your Valuable Data Is
- also begins with the logical architecture
- to secure a network, you need to know where every piece of your valuable data resides
- focus on critical intellectual property:
> what is it?
> where is it?
> who has access to it?
> who should have access to it?
Networks under attack
- as servers become harder to compromise, the network infrastructure itself becomes an attack vector
- controlling a router or switch gives visibility into all of the traffic that passes through it
- many routers and switches are not securely configured or kept up to date
- external routers are often reachable from the Internet and protected by nothing more than a password
Threat Enumeration
Threats drive the risk calculation and are important for understanding the adversary:
- list all possible threat agents
- list the attack methods
- list the system-level objectives
Attacks against Routers
- Denial of Service
- Distributed Denial of Service
- Packet Sniffing
- Packet Misrouting
- Cross-Site Scripting (XSS) against the router's web management interface
- Cross-Site Request Forgery (CSRF) against the router's web management interface
- SYN Flood
- TCP Reset Attack
- Routing Table Poisoning
- Malicious Insider/Disgruntled Employee
Attacks against Switches
- CDP Manipulation
- MAC Flooding
- DHCP Spoofing
- STP Attacks
- VLAN hopping attack
- Telnet attack
Physical Topologies
- how the network is actually connected
- how the data actually flows
- wired or wireless
- verification of physical topology is critical to ensure security
- star topology most common
Logical topologies
- how you communicate across wires
- meaning of the information
- language
- ethernet most common (CSMA/CD)
Ethernet
- Ethernet was designed as shared media
> CSMA/CD (carrier sense multiple access with collision detection) - most common logical topology / layer 2 protocol
- steps taken to communicate:
> listen before transmitting (carrier sense)
> make sure only one station transmits at a time
> monitor transmissions to detect collisions; on a collision, back off and retransmit
- caveat: on a full-duplex switched port there is no shared segment, so collisions and CSMA/CD no longer apply; sniffing other hosts' traffic then requires a SPAN/mirror port or an on-path attack such as ARP spoofing
Approaches to Network Design
Segmentation
- Network Segment
- Implement Controls at Multiple Layers
- Least Privilege Rule
- Segment Based on Security Requirements
- Whitelisting
Protected Enclave
Software Defined Networking (SDN)
- Micro-segmentation
Network Architecture Design
Prioritized Protection of Key Resources
Most enterprise networks are relatively flat and offer little resistance once the perimeter is breached.
Network Design Objectives
- Provide appropriate access from the internal network to the Internet
- Protect the internal network from external attacks
- Provide defense-in-depth through a tiered architecture
- Control the flow of information between systems
Network sections (1 of 2)
- Public: Internet
- Semi-public (DMZ) : Web, Mail, and DNS servers
- Middleware: Separate DMZ from private network
- Private : Internal systems
Locate firewalls:
- between the internet and other networks
- between semi-public and private network
- between sections of varying trust levels
Network sections (2 of 2)
three goals of network design:
1- any system visible from the internet must reside on the DMZ and cannot contain sensitive info
2- any system with sensitive info must reside on the private network and not be visible from the internet
3- the only way a DMZ system can communicate with a private network system is through a proxy on the middleware tier
Summary
- Understanding network technologies, physical, and logical topologies, and network design is vital to create and maintain a secure network
- to secure a network, we must understand how it works
- security must be embedded into the network and not be an afterthought
- only by understanding how components on a network work and through a proper network architecture design can an organization achieve a secure network
Module 2: Virtualization and Cloud Security
- virtualization
- setting up virtualization
- virtualization security
- virtualized architectures
- cloud overview
- cloud security
Virtual machines
- allows multiple operating systems or applications to run on the same physical hardware
> OS-level VMs: a complete guest OS runs on virtual hardware
> application-level VMs: a runtime hosts individual applications
- the virtual machine software is responsible for partitioning the hardware and presenting virtual hardware to each guest
The key component of virtualization is the ability to abstract and emulate specific hardware components, which is done by the ?
hypervisor
VMWare Network Options
1- Host-only network: VMs can talk only to the host OS (and to each other); no traffic reaches the physical LAN
2- Bridged network: host and VM behave as though they sit next to each other on a switch; the VM's MAC address appears on the LAN
3- NAT: the host acts as a NAT gateway that the VMs sit behind; VMs share the host's address and are not directly reachable from the LAN
What is Virtualization Security ?
- collective measures, procedures, and processes that ensure the protection of the virtualization infrastructure and environment
- focuses in on protection and isolation of the various guest OSes
- hypervisor security is a key component of virtualization security
A focus area for attackers and therefore a key focus for security professionals is protecting against VM escape tactics
Benefits of Virtualization for Security
- Isolation - OS and Application
> helps IT managers better handle application instability
- Resiliency and High Availability
> admins quickly provision secure machines, replicate security policies across VMs
- Automation
- Virtual Appliances
- Forensic Analysis
> can create exact working copy of physical computer
The Hypervisor
- the hypervisor is part of the attack surface
- compromise it and you own every guest running on it
- mitigation offered: Virtual Machine Introspection (monitoring guests from the hypervisor layer)
- value of the hypervisor is that it reduces the attack surface the attacker has to work with
- drawback is that if it is compromised, the attacker owns everything
Machines becoming files
- machines as files leads to mobility
- mobility creates opportunity for theft
- virtual sprawl
virtual sprawl
condition in which the number of VMs in an environment grows so large that they can no longer be effectively managed or secured
Additional Layers of Virtualization Infrastructure Complexity
- Resource sharing
> allows for simplified file exchanges between VMs
- Direct memory sharing
> direct memory access to controllers such as video and network cards
Features designed for functionality and enhanced performance can also create security exposures.
With virtualization it is critical to identify and monitor these risks closely.
Mitigating the Risks of Virtualization
- separation
> separate dev environment
- establish 'trust zones'
> each VM should fall into a security category
- enforce certain processes
- sprawl management
> actively manage the virtual environment
- stack management
- auditing
- patching
Data Security
- 3 options for data protection
> content discovery
> volume storage encryption
> object storage encryption
- data loss prevention
- data migration to the cloud (detection)
- DB activity monitoring
- file activity monitoring
- data dispersion
- data fragmentation
Barriers to developing full confidence in Security as a Service
- compliance
- multi-tenancy
- vendor lock-in
what measures do security as a service providers take to earn the trust of their customers?
- strong security controls and system lockdown functions
- rigid physical security
- background checks on personnel
Business continuity and Disaster Recovery
customer should:
- review the contract of third party commitments
- review third party business continuity processes and any particular certification
- conduct on-site assessment
Cloud customers should not depend on a single provider of services and should have a DR plan in place that facilitates migration or failover should a supplier fail
Labs - Section 1
- Virtual machine setup
- tcpdump
- aircrack-ng
- wireshark
Labs - Section 2
- John the Ripper
- Cain & Abel
- Malicious Software
Labs - Section 3
- Nmap
- Snort
- hping3
- command injection
Labs - Section 4
- Image Steganography
- GNU Privacy Guard (GPG)
- Hashing
Labs - Section 5
- Process Hacker
- Microsoft Baseline Security Analyzer
- Secedit
- PowerShell Scripting
Network Devices
Hub
Bridge
Switch
Router
Hub
replicates traffic onto all ports, minimal security
Bridge
keeps track of MAC addresses, segments traffic, and breaks up collision domains
Switch
micro-segmentation: each port receives only the traffic for the host attached to it, switched on the destination MAC address (one collision domain per port)
Router
connects networks together and determines the path a packet will take over a network
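The switch card above says each port only receives traffic for its own host; the earlier "Attacks against Switches" card lists MAC Flooding, which attacks exactly that property. The following is an added example, not course material: a deliberately simplified learning-switch model (my assumptions: the CAM table ages out its oldest entry when full, and port security err-disables a port that learns too many addresses) that shows the table being filled by bogus source MACs so that a unicast frame between two victims is flooded to the attacker's port, and how a per-port MAC limit stops it.

```python
from collections import OrderedDict

class Switch:
    """Simplified learning switch: a bounded CAM table of MAC -> port.

    Model assumptions (not the behaviour of any specific vendor): when the table is
    full the oldest entry is dropped, and with port security enabled a port that
    tries to learn more than max_macs_per_port addresses is err-disabled.
    """

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()        # mac -> port, oldest entry first
        self.err_disabled = set()

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, ingress, src_mac, dst_mac):
        """Learn src_mac on ingress, then return the set of egress ports for the frame."""
        if ingress in self.err_disabled:
            return set()
        if src_mac not in self.cam and self.max_macs_per_port is not None:
            if self._macs_on_port(ingress) >= self.max_macs_per_port:
                self.err_disabled.add(ingress)          # port security violation
                return set()
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)                # refresh: treat as most recent
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)                 # table full: age out the oldest entry
        self.cam[src_mac] = ingress
        egress = self.cam.get(dst_mac)
        if egress is None:
            return self.ports - {ingress}                # unknown destination: flood like a hub
        if egress == ingress:
            return set()                                 # destination is on the ingress segment
        return {egress}


def simulate(port_security):
    """Victims A (port 1) and B (port 2) talk; an attacker on port 3 floods bogus source MACs.

    Returns (egress ports for A->B before the flood, egress after it, err-disabled ports).
    """
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=4,
                max_macs_per_port=2 if port_security else None)
    sw.forward(1, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02")     # A -> B, B still unknown: flooded
    sw.forward(2, "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01")     # B -> A, now both are learned
    before = sw.forward(1, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02")
    for i in range(4):                                          # macof-style flood of made-up sources
        sw.forward(3, f"ba:d0:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    after = sw.forward(1, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02")
    return before, after, sw.err_disabled


if __name__ == "__main__":
    print("no port security:", simulate(port_security=False))
    print("port security:   ", simulate(port_security=True))
```

Without port security the A-to-B frame that was delivered only to port 2 before the flood is delivered to ports 2, 3 and 4 afterwards, so the attacker on port 3 sees it; with a limit of two MACs per port the attacker's port is shut down after its second bogus address and A-to-B stays unicast.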
examples of sniffers
- tcpdump - initial triage
- wireshark - detailed analysis and packet decoding
- snort - NIDS to determine scope of compromise
- dsniff - useful for sniffing on a switch
- kismet - wireless network sniffer and IDS
authorized sniffing
most switches support 'port mirroring', 'SPAN', a 'management port' or similar features, which let network administrators perform authorized sniffing: LAN traffic is copied to one designated switch port and monitored from the computer connected there
unauthorized sniffing
unauthorized sniffing on a switch is harder than on a hub, but tools such as dsniff have simplified the task
with an ARP redirect program and IP forwarding enabled, an attacker can sniff every station on your switched network
ARP
Address Resolution Protocol
ARP is the scheme used by one host on a LAN to determine the MAC address of another host on the LAN
ARP is described in which RFC?
RFC 826
At a minimum, a computer has 2 addresses
- IP address
- MAC address
MAC Address (Layer 2)
- 48-bit address (12 hexadecimal digits)
- First half vendor code (00:00:0c - Cisco)
- Identifies the next hop on the local link
- Hardware address
IP Address is configurable (Layer 3) - description?
- 32-bit address
- part network and part host
- configured by user
- dictated by location
- used to determine the path
- software address
Cisco’s MAC vendor code
00:00:0c
Sun’s MAC vendor code
08:00:20
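The "unauthorized sniffing" card above says an ARP redirect lets an attacker sniff a switched network; the ARP and MAC-address cards give the frame layout (RFC 826) and the vendor code in the first half of the MAC. This added example, which is not part of the course, ties the two together: it builds Ethernet/ARP frames, parses them, and flags an IP address that is claimed by a second MAC, the signature of ARP poisoning. The sample traffic, addresses and the two-entry vendor table are constructed here (the two vendor codes are the ones on the cards).

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Vendor codes from the cards above; a hypothetical two-entry table standing in for an OUI database.
OUI_VENDORS = {"00:00:0c": "Cisco", "08:00:20": "Sun"}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def vendor_of(mac):
    """The first half of the 48-bit MAC (3 bytes) is the vendor code."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")

def build_arp(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an RFC 826 ARP packet (htype 1 = Ethernet, ptype 0x0800 = IPv4)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = mac_str(frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return opcode, sender_mac, sender_ip, target_ip

def detect_arp_spoofing(frames):
    """Learn IP -> MAC from the sender fields of every ARP packet; a second MAC for one IP is an alert."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        opcode, sender_mac, sender_ip, _ = parsed
        if opcode not in (ARP_REQUEST, ARP_REPLY):
            continue
        known = bindings.setdefault(sender_ip, sender_mac)   # first claim wins
        if known != sender_mac:
            alerts.append(f"{sender_ip} claimed by {sender_mac} ({vendor_of(sender_mac)}), "
                          f"previously {known} ({vendor_of(known)})")
    return bindings, alerts

# Constructed sample traffic: a Cisco gateway answers a request for 10.0.0.1, then a third host
# sends replies claiming both the gateway's and the victim's IP (the dsniff-style ARP redirect).
GATEWAY_MAC = "00:00:0c:aa:bb:cc"
VICTIM_MAC = "08:00:20:11:22:33"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(VICTIM_MAC, "ff:ff:ff:ff:ff:ff", ARP_REQUEST, VICTIM_MAC, "10.0.0.7", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.7"),
    build_arp(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.7"),
    build_arp(ATTACKER_MAC, GATEWAY_MAC, ARP_REPLY, ATTACKER_MAC, "10.0.0.7", GATEWAY_MAC, "10.0.0.1"),
]

if __name__ == "__main__":
    learned, alerts = detect_arp_spoofing(SAMPLE_FRAMES)
    print(learned)
    for alert in alerts:
        print("ALERT:", alert)
```

The detector keeps the first binding it saw and reports every later conflict, which is the usual arpwatch-style heuristic; on a real network the frames would come from a pcap rather than the constructed list, and legitimate changes (a replaced NIC, failover) produce the same alert, so the vendor code helps an analyst judge which claim is plausible.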
Device Security: Hardening Routers
- change the default password
- disable IP directed broadcasts
- Disable HTTP configuration for the router, if possible
- Block ICMP ping requests
- Disable IP source routing
- Determine your packet filtering needs and establish them
- Establish ingress and egress address filtering policies
- maintain physical security of the router
- review the security logs
- latest OS
Main uses of virtualization?
- security training
- incident response
- malicious code analysis
- digital forensics
- virtual security lab
- data center consolidation
- cloud based services
Router Hardening: Source Routing
- allows IP packets to specify routing
- can be used to bypass firewalls
- today it is used mostly by attackers
- should be disabled by default and enabled only if needed
Router hardening: Directed broadcasts
- directed broadcasts are seldom needed with modern protocols
- many historical DoS attacks use these
- if they are needed, should be tightly restricted
Router hardening: IOS ports and services
- router OS called IOS
- IOS has services and open ports
- default installation focuses more on functionality than security
- routers often lack typical password controls like lockout or complexity
Router hardening: Telnet vs SSH
- telnet typically used for remote access of routers
- telnet susceptible to sniffing
- SSH preferred alternative
- SSH defeats password sniffing but not password guessing, unless key-based authentication (preset keys or certificates) replaces passwords
Router hardening: SSH via internal port
- recommended solution with SSH is to have no open external ports
- VPN behind firewall and connect via SSH to internal interface of router
- added benefit is VPN access is typically logged while router access is not
Switch hardening: VLANs
- segmenting switch to different networks
- separate networks with SW not HW
- reduces visibility and potential damage from attack
Switch hardening: NAC
Network Access Control
- dynamic VLAN allocation
- isolates systems when they initially connect to the network
- enables systems to be scanned and checked prior to being put on a trusted segment
Switch hardening: 802.1x
- network level authentication
- only allow authorized devices to connect
- can be used with both wired and wireless devices
Switch hardening: port forwarding
- intercepting traffic destined for one IP address and port and redirecting it to another IP address and port
- used to hide which services are actually running on the network
what is a network protocol?
- agreement of or rules of engagement for how computer networks will communicate
- entities exchanging messages are network’s SW and HW
- protocols define the format and order of messages and actions to be taken upon message receipt
- protocol stacks are a set of network protocol layers that work together to implement communications
3 purposes of communication protocols?
- standardize format
- specify order/timing
- determine meaning of communication
OSI protocol stack
1- physical
2- data link
3- network
4- transport
5- session
6- presentation
7- application
OSI vs TCP/IP
Tcp layers:
1- Network -> OSI 1 and 2
2- Internet (IP) -> OSI 3
3- Transport (TCP) -> OSI 4
4- Application -> OSI 5,6,7
how tcp/ip packets are generated?
as you go down the stack, each layer adds a header
as you go up the stack, each layer removes a header
IP internet protocol
- works at the internet layer of the tcp/ip stack
- layer 3 of osi
- core network-layer protocol of the Internet; routers forward packets based on its addresses
- deals with transmission of packets between endpoints
- defines the addressing scheme for the Internet
IPv4 vs IPv6
- IPv4 accommodates about 4.3 billion unique 32-bit addresses (2^32)
- IPv6 uses 128-bit addresses, about 340 undecillion (3.4 x 10^38)
- IPsec (authentication of endpoints and encryption) is part of the IPv6 specification, whereas for IPv4 it is an optional add-on and applications are usually left to provide their own encryption
- IPv6 has a flow label intended for QoS (IPv4 offers best-effort transport)
IPv4 header
1- version (4 bits)
2- IHL, header length in 32-bit words (4 bits)
3- Type of Service (8 bits)
4- Total Length (16 bits)
5- Identification (16 bits)
6- Flags (3 bits)
7- Fragment Offset (13 bits)
8- Time to Live (8 bits)
9- Protocol (8 bits)
10- Header Checksum (16 bits)
11- Source Address (32 bits)
12- Destination Address (32 bits)
13- Options (optional, variable length)
Some IP Options
- record route
- IP timestamp
- Strict source routing
- loose source routing
IPv4 key fields
- IP version 4 bits
- protocol 8 bits
- time to live TTL 8 bits
- fragmentation 16 bits (13 bits fragment offset, 3 bits flags)
- source and dest address 32 bits each
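The IPv4 header and options cards above list the fields, and the "Router Hardening: Source Routing" card says source-routed packets can bypass firewalls and should be dropped. This added example (not course material; all packets are constructed in the code) parses a raw IPv4 header with the field widths from the cards, verifies the header checksum, walks the options area, and applies the hardening rule by rejecting any packet carrying a loose or strict source route option.

```python
import struct

# IPv4 option type bytes from RFC 791 (copied flag, class and number already folded in).
OPT_EOOL, OPT_NOP, OPT_RR, OPT_TS, OPT_LSRR, OPT_SSRR = 0, 1, 7, 68, 131, 137
OPTION_NAMES = {OPT_RR: "record route", OPT_TS: "timestamp",
                OPT_LSRR: "loose source route", OPT_SSRR: "strict source route"}

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def checksum(data):
    """Ones-complement sum of 16-bit words; a valid header (checksum field included) yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, protocol, payload=b"", options=b"", ttl=64):
    """Assemble a header (DF set, not fragmented) with options padded to a 32-bit boundary."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)       # pad with EOOL bytes
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0x1234, 0x4000, ttl, protocol, 0, ip_bytes(src), ip_bytes(dst)) + options
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload

def parse_options(raw):
    """Walk the options area: EOOL and NOP are one byte, everything else is type, length, data."""
    found, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option")           # length field overruns the header
        found.append(kind)
        i += raw[i + 1]
    return found

def parse_ipv4(packet):
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, hcs, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0xF
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a valid IPv4 header")
    header = packet[:ihl * 4]
    if checksum(header) != 0:
        raise ValueError("bad header checksum")
    return {"ttl": ttl, "protocol": proto, "src": ip_str(src), "dst": ip_str(dst),
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF,
            "options": [OPTION_NAMES.get(o, f"type {o}") for o in parse_options(header[20:])]}

def is_valid(packet):
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False

def should_drop(packet):
    """Router policy from the hardening card: discard anything carrying a source route option."""
    return any(o.endswith("source route") for o in parse_ipv4(packet)["options"])

# Constructed samples: a plain TCP packet and one with a loose source route via 10.0.0.99
PLAIN = build_ipv4("10.0.0.5", "10.0.0.1", 6, payload=b"\x00" * 20)
LSRR_OPTION = bytes([OPT_LSRR, 7, 4]) + ip_bytes("10.0.0.99")   # type, length, pointer, one hop
SOURCE_ROUTED = build_ipv4("10.0.0.5", "10.0.0.1", 6, payload=b"\x00" * 20, options=LSRR_OPTION)

if __name__ == "__main__":
    for pkt in (PLAIN, SOURCE_ROUTED):
        print(parse_ipv4(pkt), "drop" if should_drop(pkt) else "permit")
```

The option walker refuses a length byte that runs past the header; malformed option lengths are a classic way to crash a naive parser, so a filter should fail closed on them rather than skip the check.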
IPv6 headers
1- version - 4 bits
2- traffic class - 8 bits
3- flow label - 20 bits (QoS management)
4- payload length - 16 bits (length in bytes)
5- next header - 8 bits (next encapsulated protocol)
6- hop limit - 8 bits
7- src address - 128 bits
8- dest address - 128 bits
IPv6 features
- extended address space
- route aggregation, improved delegation/management, hierarchy
- auto configuration support
- IPv6 over IPv4 tunneling
- IPv4 over IPv6 translation
- flexible embedded protocol support
- authentication of endpoints
- encryption support
IP protocols with OSI model
Layer 3 - IP and ICMP
Layer 4 - TCP and UDP
ICMP - Internet Control Message Protocol
2 purposes:
- to report errors or troubleshooting
- -> destination host unreachable
- -> fragmentation needed and DF flag set
- to provide network information
- -> ping: is the host alive and latency
tied to IP version:
- ICMPv6 for IPv6
ICMP header
1- ICMP type 8 bits
2- ICMP code 8 bits
3- ICMP checksum 16 bits
4- ICMP payload - variable length
ICMP common types and codes
Type 0: Echo reply
Type 3: Destination unreachable
- Code 0: Network unreachable
- Code 1: Host unreachable
- Code 3: Port unreachable
- Code 9: Destination network administratively prohibited
Type 5: Redirect
Type 8: Echo request
Type 11: Time exceeded
- Code 0: TTL expired in transit
- Code 1: Fragment reassembly time exceeded
TCP
- most common transport protocol today
- provides guaranteed packet delivery or at least notifies of problem
- > overhead to track packet delivery
- > establishes virtual connection called session
TCP uses
- flow control to handle network congestion
- guaranteed delivery more important than speed
- better protection against spoofs
common TCP ports
20 - ftp data
21 - ftp
22 - ssh
23 - telnet
25 - smtp
53 - dns
79 - finger
80 - http
443 - https
establishing a tcp connection
1- SYN
2- SYN/ACK
3- ACK
3 way handshake in which ISNs are exchanged
ISN
initial sequence number
TCP header
1- src port 16 bits
2- dest port 16 bits
3- seq num 32 bits
4- ack num 32 bits
5- data offset 4 bits (header length in 32-bit words)
6- reserved 3 bits
7- flags 9 bits (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)
8- window size 16 bits
9- checksum 16 bits
10- urgent pointer 16 bits
11- options variable length (0 to 40 bytes), padded with 0s to a 32-bit boundary
TCP flags 1 bit each
1- NS experimental
2- CWR congestion window reduced..response to ECE
3- ECE indicates ECN compatibility
4- URG process before other non-urgent packets
5- ACK acknowledge packet receipt
6- PSH process as received instead of buffering
7- RST abort the connection; sent when a segment arrives for a connection the host does not recognize
8- SYN establishing 3way handshake
9- FIN no more sender data
Closing TCP session gracefully
A ->FIN
B->ACK
B->FIN
A->ACK
Closing TCP session abruptly
- one side sends RST (usually RST/ACK); the connection is torn down with no further exchange
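The cards above describe the three-way handshake, the graceful FIN exchange and the abrupt RST; the "Attacks against Routers" card lists the SYN flood, which leaves step 3 missing for many connections. This added example (not course material) parses the TCP header with the flag bits from the cards, follows each connection through those states, and counts half-open connections per service so a SYN flood stands out. The traffic is constructed in the code: one normal session followed by fifty spoofed SYNs that never complete the handshake.

```python
import struct
from collections import defaultdict

# Flag bits in the low 9 bits of the 16-bit data-offset/flags word; FIN is bit 0.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

def build_tcp(sport, dport, seq, ack, flags, window=65535):
    """20-byte header, data offset 5, no options; checksum left 0 (no pseudo-header in this sample)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)

def parse_tcp(segment):
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or len(segment) < data_offset:
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "data_offset": data_offset}

def flag_names(flags):
    return [name for i, name in enumerate(FLAG_NAMES) if flags & (1 << i)]

class ConnectionTracker:
    """Follow each connection through SYN -> SYN/ACK -> ACK and FIN/FIN or RST."""

    def __init__(self):
        self.conns = {}   # (client_ip, client_port, server_ip, server_port) -> state

    def observe(self, src_ip, dst_ip, segment):
        t = parse_tcp(segment)
        f = t["flags"]
        as_client = (src_ip, t["sport"], dst_ip, t["dport"])
        as_server = (dst_ip, t["dport"], src_ip, t["sport"])
        if f & SYN and not f & ACK:                     # step 1: client SYN (carries the client ISN)
            self.conns[as_client] = "SYN_SENT"
            return
        key = as_client if as_client in self.conns else as_server if as_server in self.conns else None
        if key is None:
            return                                      # never saw this connection open
        state = self.conns[key]
        if f & RST:
            del self.conns[key]                         # abrupt close
        elif f & SYN and f & ACK and state == "SYN_SENT":
            self.conns[key] = "SYN_RECEIVED"            # step 2: server SYN/ACK (server ISN)
        elif f & FIN:
            if state == "CLOSING":
                del self.conns[key]                     # second FIN: graceful close complete
            else:
                self.conns[key] = "CLOSING"             # first FIN
        elif f & ACK and state == "SYN_RECEIVED":
            self.conns[key] = "ESTABLISHED"             # step 3: client ACK, handshake done

    def half_open_sources(self):
        """Distinct client IPs stuck before step 3, per (server_ip, server_port)."""
        sources = defaultdict(set)
        for (cip, _, sip, sport), state in self.conns.items():
            if state in ("SYN_SENT", "SYN_RECEIVED"):
                sources[(sip, sport)].add(cip)
        return {svc: len(ips) for svc, ips in sources.items()}

    def syn_flood_suspects(self, threshold):
        return [svc for svc, n in self.half_open_sources().items() if n >= threshold]

def simulate():
    """Constructed traffic: one normal session to 10.0.0.1:80, then 50 spoofed half-open SYNs."""
    tr = ConnectionTracker()
    client, server = "10.0.0.5", "10.0.0.1"
    tr.observe(client, server, build_tcp(40000, 80, 1000, 0, SYN))
    tr.observe(server, client, build_tcp(80, 40000, 5000, 1001, SYN | ACK))
    tr.observe(client, server, build_tcp(40000, 80, 1001, 5001, ACK))
    after_handshake = tr.conns[(client, 40000, server, 80)]
    tr.observe(client, server, build_tcp(40000, 80, 1001, 5001, FIN | ACK))    # A -> FIN
    tr.observe(server, client, build_tcp(80, 40000, 5001, 1002, ACK))          # B -> ACK
    tr.observe(server, client, build_tcp(80, 40000, 5001, 1002, FIN | ACK))    # B -> FIN
    tr.observe(client, server, build_tcp(40000, 80, 1002, 5002, ACK))          # A -> ACK
    after_close = (client, 40000, server, 80) in tr.conns
    for i in range(50):                                 # spoofed sources never send the final ACK
        spoofed = f"198.51.100.{i + 1}"
        tr.observe(spoofed, server, build_tcp(1024 + i, 80, i, 0, SYN))
        tr.observe(server, spoofed, build_tcp(80, 1024 + i, 7000 + i, i + 1, SYN | ACK))
    return {"after_handshake": after_handshake, "after_close": after_close,
            "half_open": tr.half_open_sources(), "suspects": tr.syn_flood_suspects(20)}

if __name__ == "__main__":
    print(simulate())
```

A real detector would also age out entries (a legitimate client can be slow to ACK) and would key on segments from a capture rather than from constructed calls, but the state transitions are the same ones the cards list.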
UDP uses
- real-time communication (multimedia/VOIP)
- repetitive data (NTP)
- large volume where overhead could impact performance (syslog)
common UDP ports
53 - dns
67 and 68 - bootp/dhcp
69 - tftp
123 - ntp
137-139 - nbt (NetBIOS over TCP/IP)
161-162 - snmp
2049 - nfs
bootp/dhcp
automatically configures network interfaces at startup; with a boot image fetched over the network (e.g. via TFTP) it also lets diskless clients load an OS
NFS
network file system
UDP header
1- src port 16 bits
2- dst port 16 bits
3- udp length 16 bits
4- udp checksum 16 bits
5- data, variable length
tcpdump
- program that dumps traffic on a network
- dependent on libpcap packet capture library
- sniffer
tcpdump tcp
only dump tcp packets
tcpdump tcp and dst port 23
only dump tcp packets with dst port 23
tcpdump host nmap.edu
only dump packets to or from nmap.edu
popular wireless devices
- mobile phone
- laptops
- tablets
- HVAC control units
- medical devices
- personal safety
- tracking and monitoring
vertical markets for wireless
- healthcare
- financial
- academia
- factories/industrial
- retail
- wireless ISPs
- mobile hotspots
wireless advantages
- wiring takes time and money
- users can access network from anywhere
- mobility and connectivity
Bluetooth concurrent connections?
- up to 7
Bluetooth classes
Class 1 - 100mW - 100 meters
Class 2- 2.5 mW - 10 meters
Class 3 - 1 mW - 1 meter
Bluetooth 5
- features and functionality focused on IoT
- increase in overall performance
- > double the speed
- > quadruple the range
- > increased bandwidth over low energy transmission
- supports 2 Mbit transfers
- higher output power
- less focus on security
Bluetooth security issues
- susceptible to eavesdropping
- bluetooth PAN APs can expose wired networks
- bluejacking….unsolicited messages
- bluesnarfing … information disclosure
- bluebugging… backdooring
many of these vulnerabilities were addressed in Bluetooth 2.1 (Secure Simple Pairing)
legacy Bluetooth pairing
- bluetooth 2.0 and prior
- both devices must enter the same PIN code to pair
- PIN values limited and well known
- PIN often preprogrammed i.e. 0000
Secure Simple Pairing (SSP)
- Bluetooth 2.1 and later
- utilizes public key cryptography
- more secure than utilizing fixed PIN
- helps mitigate MITM
protecting Bluetooth
- use current generation devices and Bluetooth versions
- upgrade firmware
- configure devices in non-discoverable mode
- audit the environment for Bluetooth devices
- verify connected Bluetooth devices
- pair devices only in trusted environment
- disable Bluetooth if not using
Zigbee wireless
- based on 802.15.4 spec
- used for product tracking, medical, and industrial sensor/control networks
- gaining wide support for IoT
Zigbee security
- security at MAC, Network, and application layers
- relies on master keys set by manufacturer, installer, or end user -> generates link keys to encrypt traffic
- encryption based on AES-CCM
- security optional: AES may be too resource-intensive for lightweight devices
basics of secure coding
- initialize all variables before use
- validate all user input before use
- don’t make app require admin priv on server/db
- handle errors and don’t display errors to end users
- employ least privilege/limit access
- don't store secrets in code
- use tested reliable libraries for common functions (authentication, encryption, session tracking)
- watch for vuln notifications for open source libs
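As an added illustration of three of the rules above (validate all user input, handle errors without showing them to end users, don't store secrets in code), here is a vulnerable hostname-lookup handler beside a hardened one. This is my example, not course material; the nslookup wrapper, the LOOKUP_API_KEY variable name and the RecordingRunner stand-in for subprocess.run are assumptions made so the code runs offline.

```python
import logging
import os
import re
import subprocess

log = logging.getLogger("lookup")

# --- vulnerable: the request parameter is spliced into a shell command line ---
def unsafe_command(host):
    return f"nslookup {host}"        # "example.com; id" or "$(id)" is executed by the shell

def unsafe_lookup(host):
    return subprocess.run(unsafe_command(host), shell=True, capture_output=True, text=True).stdout

# --- hardened: validate first, never involve a shell, fail closed with a generic message ---
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)

def validate_hostname(value):
    """Allowlist: only DNS label characters, so no shell metacharacters and no leading '-' (option injection)."""
    if not isinstance(value, str) or not HOSTNAME_RE.match(value):
        raise ValueError("not a valid hostname")
    return value

def safe_command(host):
    return ["nslookup", validate_hostname(host)]   # argv list: the OS receives exactly two arguments

class RecordingRunner:
    """Offline stand-in for subprocess.run: records argv and returns canned output (assumption for the demo)."""
    def __init__(self):
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append(list(argv))
        return subprocess.CompletedProcess(argv, 0, stdout="Name: example.com\nAddress: 192.0.2.10\n", stderr="")

def safe_lookup(host, runner=subprocess.run):
    try:
        completed = runner(safe_command(host), shell=False, capture_output=True, text=True,
                           timeout=5, check=True)
        return {"ok": True, "output": completed.stdout}
    except ValueError as exc:
        log.warning("rejected input %r: %s", host, exc)       # detail goes to the log, not the user
        return {"ok": False, "error": "invalid hostname"}
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired, OSError) as exc:
        log.error("lookup failed for %r: %s", host, exc)       # stack traces and paths stay server-side
        return {"ok": False, "error": "lookup failed"}

def api_key():
    """Secrets come from the environment or a secret store, never from the source tree."""
    key = os.environ.get("LOOKUP_API_KEY")
    if not key:
        raise RuntimeError("LOOKUP_API_KEY is not set")
    return key

if __name__ == "__main__":
    runner = RecordingRunner()
    print(safe_lookup("example.com", runner=runner), runner.calls)
    print(safe_lookup("example.com; id", runner=runner))
    print("shell would run:", unsafe_command("example.com; id"))
```

Validation is an allowlist of what a hostname may contain rather than a blocklist of shell characters, and passing an argv list with shell=False means that even a value that slipped past the regex could only ever be one argument to nslookup, never a second command.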
Data Flow Analysis does what?
- Aids with Incident Response
- Provides Situational Awareness
- Reduces Cost of Network Monitoring
- Enables Attack Detection