Implementation Flashcards
Adds security features to RTP
- Keep conversations private
Encryption
- Uses AES to encrypt the voice/video flow
Authentication, integrity, and replay protection
- HMAC-SHA1 - Hash-based message authentication code using SHA1
SRTP (Secure Real-Time Transport Protocol)
Secure network time protocol
Cleaned up the code base
- Fixed a number of vulnerabilities
NTPsec
Public key encryption and digital signing of mail content
- Requires a PKI or similar organization of keys
S/MIME (Secure/Multipurpose Internet Mail Extensions)
Use a STARTTLS extension to encrypt POP3 with SSL or use IMAP with SSL
Secure POP and Secure IMAP
If the mail is browser based, always encrypt with SSL
SSL/TLS
Use public key encryption
- Private key on the server
- Symmetric session key is transferred using asymmetric encryption
- Security and speed
Browser-based management
Encrypted communication
HTTPS
Security for OSI Layer 3
- Authentication and encryption for every packet
Confidentiality and integrity/anti-replay
- Encryption and packet signing
Very standardized
- Common to use multi-vendor implementations
Two core protocols
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
IPSec
FTP over SSL
FTPS (File Transfer Protocol Secure)
Provides file system functionality
Resuming interrupted transfers, directory listings, remote file removal
SFTP (SSH File Transfer Protocol)
Protocol for reading and writing directories over an IP network
- An organized set of records, like a phone directory
X.500 specification was written by the International Telecommunication Union (ITU)
- They know directories
Lightweight and uses TCP/IP
Protocol used to query and update an X.500 directory
- Used in Windows Active Directory, Apple OpenDirectory, OpenLDAP, etc
LDAP (Lightweight Directory Access Protocol)
A non-standard implementation of LDAP over SSL
LDAPS (LDAP Secure)
Provides authentication using many different methods, i.e., Kerberos or client certificate
SASL (Simple Authentication and Security Layer)
Encrypted terminal communication
Replaces Telnet (and FTP)
Provides secure terminal communication and file transfer features
SSH (Secure Shell)
Validate DNS responses
- Origin authentication
- Data integrity
Public key cryptography
- DNS records are signed with a trusted third party
- Signed DNS records are published in DNS
DNSSEC
Confidentiality - Encrypted data
Integrity - No tampering of data
Authentication - Verifies the sources
SNMPv3 (Simple Network Management Protocol version 3)
Securing DHCP
- DHCP does not include any built-in security
- There is no “secure” version of the DHCP protocol
Rogue DHCP servers
- In Active Directory, DHCP servers must be authorized
- Some switches can be configured with “trusted” interfaces
- DHCP distribution is only allowed from trusted interfaces
- Cisco calls this DHCP Snooping
- DHCP client DoS - Starvation attack
- Use spoofed MAC addresses to exhaust the DHCP pool
- Switches can be configured to limit the number of MAC addresses per interface
- Disable an interface when multiple MAC addresses are seen
Network address allocation
Automated subscriptions
- Anti-virus/Anti-malware signature updates
- IPS updates
- Malicious IP address databases/Firewall updates
Constant updates
- Each subscription uses a different update method
Check for encryption and integrity checks
- May require an additional public key configuration
- Set up a trust relationship
- Certificates, IP addresses
Subscription services
The user’s access - Applications and data
Stop the attackers - Inbound attacks, outbound attacks
Many different platforms - Mobile, desktop
Protection is multi-faceted - Defense in depth
The endpoint
Anti-virus is the popular term
- Refers specifically to a type of malware
- Trojans, worms, macro viruses
Malware refers to a broad malicious software category
- Anti-malware stops spyware, ransomware, fileless malware
The terms are effectively the same these days
- The names are more of a marketing tool
- Anti-virus software is also anti-malware software now
- Make sure your system is using a comprehensive solution
Anti-virus and anti-malware
A different method of threat protection
- Scale to meet the increasing number of threats
Detect a threat
- Signatures aren’t the only detection tool
- Behavioral analysis, machine learning, process monitoring
- Lightweight agent on the endpoint
Investigate the threat
- Root cause analysis
Respond to the threat
- Isolate the system, quarantine the threat, rollback to a previous config
- API driven, no user or technician intervention required
Endpoint detect and response (EDR)
Where’s your data?
- Social Security numbers, credit card numbers, medical records
Stop the data before the attacker gets it
- Data “leakage”
So many resources, so many destinations
- Often requires multiple solutions
- Endpoint clients
- Cloud-based systems
- Email, cloud storage, collaboration tools
Data Loss Prevention (DLP)
The OSI Application Layer - All data in every packet
Can be called different names
- Application layer gateway
- Stateful multilayer inspection, deep packet inspection
Broad security controls
- Allow or disallow application features
- Identify attacks and malware
- Examine encrypted data
- Prevent access to URLs or URL categories
Next-generation firewall (NGFW)
Software-based firewall
- Personal firewall, runs on every endpoint
Allow or disallow incoming or outgoing application traffic
- Control by application process
- View all data
Identify and block unknown processes
- Stop malware before it can start
Manage centrally
Host-based firewall
Uses log files to identify intrusions
Can reconfigure firewalls to block
Host-based Intrusion Detection System (HIDS)
Recognize and block known attacks
Secure OS and application configs, validate incoming service requests
Often built into endpoint protection software
Identification
- Signatures, heuristics, behavioral
- Buffer overflows, registry updates, writing files to the Windows folder
- Access to non-encrypted data
Host-based Intrusion Prevention System (HIPS)
Security is based on trust
- Is your data safely encrypted?
- Is this web site legitimate?
- Has the operating system been infected?
The trust has to start somewhere
- Trusted Platform Module (TPM)
- Hardware Security Module (HSM)
- Designed to be the hardware root of the trust
Difficult to change or avoid
- It’s hardware
- Won’t work without the hardware
Hardware root of trust
A specification for cryptographic functions
- Hardware to help with encryption functions
Cryptographic processor
- Random number generator, key generators
Persistent memory
- Comes with unique keys burned in during production
Versatile memory
- Storage keys, hardware configuration information
Password protected
- No dictionary attacks
Trusted Platform Module (TPM)
The attack on our systems is constant
- Techniques are constantly changing
Attackers compromise a device
- And want it to stay compromised
The boot process is a perfect infection point
- Rootkits run in kernel mode
- Have the same rights as the operating system
Protecting the boot process is important
- Secure boot, trusted boot, and measured boot
- A chain of trust
Boot integrity
Protections
- BIOS includes the manufacturer’s public key
- Digital signature is checked during a BIOS update
- BIOS prevents unauthorized writes to the flash
Verifies the bootloader
- Checks the bootloader’s digital signature
- Bootloader must be signed with a trusted certificate
- Or a manually approved digital signature
UEFI BIOS Secure Boot
Bootloader verifies digital signature of the OS kernel
- A corrupted kernel will halt the boot process
Kernel verifies all of the other startup components
- Boot drivers, startup files
Just before loading the drivers
- ELAM (Early Launch Anti-Malware) starts
- Checks every driver to see if it’s trusted
- Windows won’t load an untrusted driver
Trusted Boot
Nothing on this computer has changed
- There have been no malware infections
- How do you know?
Easy when it’s just your computer
- More difficult when there are 1,000
UEFI stores a hash of the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot process
- Stored in the TPM
Remote attestation
- Device provides an operational report to a verification server
- Encrypted and digitally signed with the TPM
Attestation server receives the boot report
- Changes are identified and managed
Measured Boot
Protecting stored data
- And the transmission of that data
Intellectual property storage
- Data is valuable
Compliance issues
- PCI DSS, HIPAA, GDPR, etc
Keep the business running
- Security provides continuity
Breaches are expensive - Keep costs low
Database security
Replaces sensitive data with a non-sensitive placeholder
- SSN 266-12-1112 is now 691-61-8539
Common with credit card processing
- Use a temporary token during payment
- An attacker capturing the card numbers can’t use them later
This isn’t encryption or hashing
- The original data and token aren’t mathematically related
- No encryption overhead
Steps:
1. User registers a credit card on their mobile phone
2. Card is registered with the token service server
3. Token Service Server provides a token instead
4. Phone is used at a store during checkout using NFC
5. Pay with token card #
6. Card number verification is actual card #
7. Token card # is the token for the actual card #
8. Token is validated
9. Transaction is approved
Tokenization
Represents data as a fixed-length string of text
- A message digest, or “fingerprint”
Will not have a collision (hopefully)
- Different inputs will not have the same hash
One-way trip
- Impossible to recover the original message from the digest
- A common way to store passwords
Hashing
Random data added to a password when hashing
Every user gets their own random salt
- The salt is commonly stored with the password
Rainbow tables won’t work with salted hashes
- Additional random value added to the original password
This slows down the brute force process
- It doesn’t completely stop the reverse engineering
Salting
A balance between time and quality
- Programming with security in mind is often secondary
Testing, testing, testing
- The Quality Assurance (QA) process
Vulnerabilities will eventually be found
- And exploited
Secure coding concepts
What is the expected input?
- Validate actual vs. expected
Document all input methods
- Forms, fields, type
Check and correct all input (normalization)
- A zip code should only be X characters long with a letter in the X column
- Fix any data with improper input
The fuzzers will find what you missed
- Don’t give them an opening
Input validation
Send random input to an application
- Fault-injecting, robustness testing, syntax testing, negative testing
Looking for something out of the ordinary
- Application crash, server error, exception
Dynamic analysis (fuzzing)
Information stored on your computer by the browser
Used for tracking, personalization, session management
- Not executable, not generally a security risk
- Unless someone gets access to them
Have a Secure attribute set
- Browser will only send it over HTTPS
Sensitive information should not be stored in a cookie
- Cookies aren’t designed to be secure storage
Secure cookies
An additional layer of security
- Add these to web server configuration
- You can’t fix every bad application
Enforce HTTPS communication
- Ensure encrypted communication
Only allow scripts, stylesheets, or images from the local site
Prevent XSS attacks
- Prevent data from loading into an inline frame (iframe)
Also helps to prevent XSS attacks
HTTP secure headers
An application is deployed
- Users run application executable or scripts
So many security questions
- Has the application been modified in any way?
- Can you confirm the application was written by a specific developer?
The application code can be digitally signed by the developer
- Asymmetric encryption
- A trusted CA signs the developer’s public key
- Developer signs the code with the private key
- For internal apps, use your own CA
Code signing
Nothing runs unless it’s approved - Very restrictive
Allow list
Nothing on the “bad list” can be executed
Anti-virus, anti-malware
Block/Deny list
Help to identify security flaws
Many security vulnerabilities found easily
- Buffer overflows, database injections, etc
Not everything can be identified through analysis
- Authentication security, insecure cryptography, etc
Don’t rely on automation for everything
Still have to verify each finding
- False positives are an issue
Static Application Security Testing (SAST)
Minimize the attack surface
- Remove all possible entry points
Remove the potential for all known vulnerabilities
- As well as the unknown
May have compliance mandates
- HIPAA servers, PCI DSS, etc
There are many different resources
- Center for Internet Security (CIS)
- Network and Security Institute (SANS)
- National Institute of Standards and Technology (NIST)
Application hardening
Every open port is a possible entry point
- Close everything except required ports
Control access with a firewall
- NGFW would be ideal
Unused or unknown services
- Installed with the OS or from other applications
Applications with broad port ranges
- Open port 0 through 65,535
Use Nmap or similar port scanner to verify
- Ongoing monitoring is important
Open ports and services
The primary configuration database for Windows
- Almost everything can be configured from the registry
Useful to know what an application modifies
- Many third-party tools can show registry changes
Some registry changes are important security settings
- Configure registry permissions
- Disable SMBv1
Registry
Prevent access to application data files
- File system encryption
Full disk encryption (FDE)
- Encrypt everything on the drive
- BitLocker, FileVault, etc
Self-encrypting drive (SED)
- Hardware-based full disk encryption
- No operating system software needed
Opal storage specification
- The standard for SED storage
Disk encryption
Many and varied
- Windows, Linux, iOS, Android, etc
Updates
- Operating system updates/service packs, security patches
User Accounts
- Minimum password length and complexity
- Account limitations
Network access and security
- Limit network access
Monitor and secure
- Anti-virus, anti-malware
Operating system hardening
Incredibly important
- System stability, security fixes
Monthly updates
- Incremental (and important)
Third-party updates
- Application developers, device drivers
Auto-update - Not always the best option
Emergency out-of-band updates
- Zero-day and important security discoveries
Patch management
Application cannot access unrelated resources
- They play in their own sandbox
Commonly used during development
- Can be useful production technique
Used in many different deployments
- Virtual machines
- Mobile devices
- Browser iframes (Inline Frames)
- Windows User Account Control (UAC)
Sandboxing
Distribute the load
- Multiple servers
- Invisible to the end-user
Large scale implementations
- Web server farms, database farms
Fault tolerance
- Configurable load
- Very fast convergence
Balancing the load
Configurable load
- Manage across servers
TCP offload
- Protocol overhead
SSL offload
- Encryption/Decryption
Caching
- Fast response
Prioritization
- QoS
Content switching
- Application-centric balancing
Load balancer
Round-robin
- Each server is selected in turn
Weighted round-robin
- Prioritize the server use
Dynamic round-robin
- Monitor the server load and distribute to the server with the lowest use
Active/active load balancing
Scheduling Load Balancing
A kinship, a likeness
Many applications require communication to the same instance
- Each user is “stuck” to the same server
- Tracked through IP address or session IDs
- Source affinity/sticky session/session persistence
Affinity
Some servers are active
- Others are on standby
If an active server fails, the passive server takes its place
Active/passive load balancing
Physical, logical, or virtual segmentation
- Devices, VLANs, virtual networks
Performance
- High-bandwidth applications
Security
- Users should not talk directly to database servers
- The only applications in the core are SQL and SSH
Compliance
- Mandated segmentation (PCI compliance)
- Makes change control much easier
Segmenting the network
Devices are physically separate - Air gap between Switch A and Switch B
Must be connected to provide communication
- Direct connect, or another switch or router
Web servers in one rack - Database servers on another
Customer A on one switch, customer B on another
- No opportunity for mixing data
Separate devices
- Multiple units, separate infrastructure
Physical segmentation
Separated logically instead of physically
Cannot communicate between these without a Layer 3 device/router
Virtual Local Area Networks (VLANs)
Previously known as the demilitarized zone (DMZ)
- An additional layer of security between the Internet and you
- Public access to public resources
Screened subnet
A private network for partners
- Vendors, suppliers
Usually requires additional authentication
- Only allow access to authorized users
Extranet
Private network - Only available internally
Company announcements, important documents, other company business
- Employees only
No external access
- Internal or VPN access only
Intranet
Traffic flows within a data center
- Important to know where traffic starts and ends
Traffic between devices in the same data center
Relatively fast response times
East-west traffic
Ingress/egress to an outside device
A different security posture than east-west traffic
North-south traffic
Many networks are relatively open on the inside
Once you’re through the firewall, there are few security controls
Holistic approach to network security
- Covers every device, every process, every person
Everything must be verified
- Nothing is trusted
- Multifactor authentication, encrypted, system permissions, additional firewalls, monitoring and analytics, etc
Zero-trust
Encrypted (private) data traversing a public network
Concentrator
- Encryption/decryption access device
Many deployment options
- Specialized cryptographic hardware
- Software-based options available
Used with client software
- Sometimes built into the OS
Virtual Private Networks (VPNs)
Uses common SSL/TLS protocol (tcp/443)
- (Almost) No firewall issues!
No big VPN clients
- Usually remote access communication
Authenticate users
- No requirement for digital certificates or shared passwords (like IPSec)
Can be run from a browser or from a (usually light) VPN client
- Across many operating systems
SSL VPN (Secure Sockets Layer VPN)
On-demand access from a remote device
- Software connects to a VPN concentrator
Some software can be configured as always-on
Remote access VPN
Steps:
1) Traffic is encrypted as it passes through the local VPN concentrator
2) Traffic is decrypted in the VPN concentrator on the other side of the tunnel
Site-to-site VPN
Steps:
1) Remote user creates a secure tunnel to the VPN concentrator
2) VPN concentrator decrypts the tunneled traffic and routes it into the corporate network
3) The process is reversed for the return traffic
Full VPN Tunnel
Steps:
1) Only traffic to the corporate network traverses the VPN tunnel
2) Traffic to all other sites is “split” from the tunnel and is not decrypted
Split VPN Tunnel
Connecting sites over a layer 3 network as if they were connected at layer 2
Commonly implemented with IPsec
- This for the tunnel, IPSec for the encryption
- This over IPsec
Layer 2 Tunneling Protocol (L2TP)
Security for OSI layer 3
- Authentication and encryption for every packet
Confidentiality and integrity/anti-replay
Very standardized
- Common to use multi-vendor implementations
Two core IPSec protocols
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
IPSec (Internet Protocol Security)
Data integrity
Origin authentication
Replay attack protection
Keyed-hash mechanism
No confidentiality/encryption
Hash of the packet and a shared key
- SHA-2 is common
- Adds this to the packet header
This doesn’t provide encryption
- Provides data integrity (hash)
- Guarantees the data origin (authentication)
- Prevents replay attacks (sequence numbers)
Authentication Header (AH)
Data confidentiality (encryption)
Limited traffic flow confidentiality
Data integrity
Anti-replay protection
Encrypts and authenticates the tunneled data
- Commonly uses SHA-2 for hash, AES for encryption
- Adds a header, a trailer, and an Integrity Check Value
Combine with Authentication Header (AH) for integrity and authentication of the outer header
Encapsulating Security Payload (ESP)
Combine the data integrity of AH with the confidentiality of ESP
Tunnel mode is the most common
- Transport mode may not even be an option
IPsec Transport mode and Tunnel mode
The language commonly used in web browsers
Includes comprehensive API support
- Application Programming Interface
- Web cryptography API
Hypertext Markup Language version 5 (HTML5 VPNs)
There’s a lot of security that happens at the physical switch interface
- Often the first and last point of transmission
Control and protect
- Limit overall traffic
- Control specific traffic types
- Watch for unusual or unwanted traffic
Different options are available
- Manage different security issues
Port security
Send information to everyone at once
- One frame or packet, received by everyone
Limited scope - The broadcast domain
Routing updates, ARP requests - Can add up quickly
Malicious software or a bad NIC
- Not always normal traffic
Not used in IPv6
- Focus on multicast
Broadcasts
The switch can control broadcasts
- Limit the number of broadcasts per second
Can often be used to control multicast and known unicast traffic
- Tight security posture
Manage by specific values or by percentage
- Or the change over normal traffic patterns
Broadcast storm control
Connect two switches to each other
- They’ll send traffic back and forth forever
- There’s no “counting” mechanism at the MAC layer
This is an easy way to bring down a network
- And somewhat difficult to troubleshoot
- Relatively easy to resolve
IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
- Used practically everywhere
Loop protection
Spanning tree takes time to determine if a switch port should forward frames
- Bypass the listening and learning states
- Cisco calls this PortFast
The spanning tree control protocol
If this frame is seen on a PortFast configured interface, shut down the interface
- This shouldn’t happen - Workstations don’t need these
Bridge Protocol Data Unit (BPDU)
IP tracking on a layer 2 device (switch)
- The switch is a DHCP firewall
- Trusted: Routers, switches, DHCP servers
- Untrusted: Other computers, unofficial DHCP servers
Switch watches for DHCP conversations
- Adds a list of untrusted devices to a table
Filters invalid IP and DHCP information
- Static IP addresses
- Devices acting as DHCP servers
- Other invalid traffic patterns
DHCP Snooping
The “hardware” address
Limit access through the physical hardware address
- Keeps the neighbors out
- Additional administration with visitors
Easy to find working MAC addresses through wireless LAN analysis
- MAC addresses can be spoofed
- Free open-source software
Security through obscurity
MAC filtering
No security in the original design
- Relatively easy to poison
Validate responses
- Origin authentication
- Data integrity
Public key cryptography
- Records are signed with a trusted third party
- Signed records are published in this
Domain Name Resolution (DNS)
Stop end users from visiting dangerous sites
- This resolves to a sinkhole address
A query to a known-malicious address can identify infected systems
- And prevent further exploitation
Content filtering
- Prevent these queries to unwanted or suspicious sites
Using DNS for security
The network isn’t available
- Or the device isn’t accessible from the network
Most devices have a separate management interface
- Usually a serial connection/USB
Connect a modem
- Dial-in to manage the device
Console router/Comm server
- Out-of-band access for multiple devices
- Connect to the console router, then choose where you want to go
Out-of-band management
Many different devices
- Desktop, laptop, VoIP phone, mobile devices
Many different applications
- Mission critical applications, streaming video, streaming audio
Different apps have different network requirements
- Voice is real-time
- Recorded streaming video has a buffer
- Database application is interactive
Some applications are “more important” than others
- Voice traffic needs to have priority over YouTube
Need for QoS
Prioritize traffic performance
- Voice over IP traffic has priority over web-browsing
- Prioritize by maximum bandwidth, traffic rate, VLAN, etc
Describes the process of controlling traffic flows
Many different methods
- Across many different topologies
Quality of Service (QoS)
More IP address space
- More difficult to IP/port scan (but not impossible)
- The tools already support IPv6
No need for NAT
- NAT is not a security feature
Some attacks disappear
- No ARP, so not ARP spoofing
New attacks will appear
IPsec built in / IPsec ready
IPv6 security
Disconnect the link, put this in the middle
- Can be active or passive
Physical taps
Port redirection, SPAN
Software-based tap
Limited functionality, but can work well in a pinch
Port mirror
Constant cybersecurity monitoring
- Ongoing security checks
- A staff of cybersecurity experts at a Security Operations Center (SOC)
Identify threats
- A broad range of threats across many different organizations
Respond to events
- Faster response time
Maintain compliance
- Someone else ensures PCI DSS, HIPAA compliance, etc
Monitoring services
Some files change all the time
- Some files should NEVER change
Monitor important operating system and application files
- Identify when changes occur
Windows - SFC (System File Checker)
Linux - Tripwire
Many host-based IPS options
File Integrity Monitoring (FIM)
Standard issue
- Home, office, and in your operating system
Control the flow of network traffic
- Everything passes through the firewall
Corporate control of outbound and inbound data
- Sensitive materials
Control of inappropriate content
- Not safe for work, parental controls
Protection against evil
- Anti-virus, anti-malware
Universal security control
Filter traffic by port number or application
- Traditional vs. NGFW firewalls
Encrypt traffic - VPN between sites
Most firewalls can be layer 3 devices (routers)
- Often sits on the ingress/egress of the network
- Network Address Translation (NAT) functionality
- Authenticate dynamic routing communication
Network-based firewalls
Does not keep track of traffic flows
- Each packet is individually examined, regardless of past history
Traffic sent outside of an active session will traverse a stateless firewall
Stateless firewall
Web security gateway
URL filter/Content inspection
Malware inspection
Spam filter
CSU/DSU
Router, Switch
Firewall
IDS/IPS
Bandwidth shaper
VPN endpoint
Unified Threat Management (UTM)
The OSI Application Layer
- All data in every packet
Can be called different names
- Application layer gateway
- Stateful multilayer inspection
- Deep packet inspection
Requires some advanced decodes
- Every packet must be analyzed and categorized before a security decision is determined
Network-based Firewalls
- Control traffic flows based on the application
- Microsoft SQL Server, Twitter, YouTube
Intrusion Prevention System
- Identify the application
- Apply application-specific vulnerability signatures to the traffic
Content filtering
- URL filters
- Control website traffic by category
Next-generation firewall (NGFW)
Not like a “normal” firewall
- Applies rules to HTTP/HTTPS conversations
Allow or deny based on expected input
- Unexpected input is a common method of exploiting the application
SQL injection
- Add your own commands to an application’s SQL query
A major focus of Payment Card Industry
- Data Security Standard (PCI DSS)
Web Application Firewall (WAF)
Access control lists (ACLs)
- Allow or disallow traffic based on tuples
- Groupings of categories
- Source IP, Destination IP, port number, time of day, application, etc
A logical path
- Usually top-to-bottom
Can be very general or very specific
- Specific rules are generally at the top
Implicit deny
- Most firewalls include a deny at the bottom
- Even if you didn’t put one
Firewall rules
Open-source vs proprietary
- Open-source provides traditional firewall functionality
- Proprietary features include application control and high-speed hardware
Hardware vs. Software
- Purpose-built hardware provides efficient and flexible connectivity options
- Software-based firewalls can be installed almost anywhere
Appliance vs. host-based
- Appliances provide the fastest throughput
- Host-based firewalls are application-aware and can view non-encrypted data
- Virtual firewalls provide valuable East/West network security
Firewall characteristics
Your Internet link
Managed primarily through firewall rules
Firewall rules rarely change
Edge
Control from wherever you are, Inside or outside
Access can be based on many rules
By user, group, location, application, etc.
Access can be easily revoked or changed
Change your security posture at any time
Access control
You can’t trust everyone’s computer
- BYOD (Bring Your Own Device)
- Malware infections/missing anti-malware
- Unauthorized applications
Before connecting to the network, perform a health check
- Is it a trusted device?
- Is it running anti-virus? Which one? Is it updated?
- Are the corporate applications installed?
- Is it a mobile device?
- Is the disk encrypted?
- The type of device doesn’t matter - Windows, Mac, Linux, iOS, Android
Posture assessment
Persistent agents
- Permanently installed onto a system
- Periodic updates may be required
Dissolvable agents
- No installation is required
- Runs during the posture assessment
- Terminates when no longer required
Agentless NAC
- Integrated with Active Directory
- Checks are made during login and logoff
- Can’t be scheduled
Health checks/posture assessment
What happens when a posture assessment fails?
- Too dangerous to allow access
Quarantine network, notify administrators
- Just enough network access to fix the issue
Once resolved, try again
- May require additional fixes
Failing your assessment
Sits between the users and the external network
Receives the user requests and sends the request on their behalf (the proxy)
Useful for caching information, access control, URL filtering, content scanning
Applications may need to know how to use the proxy (explicit)
Some proxies are invisible (transparent)
Proxies
One of the simplest “proxies” is NAT
- A network layer proxy
Most proxies in use are these
- The proxy understands the way the application works
A proxy may only know one application
- HTTP
Many proxies are multipurpose proxies
- HTTP, HTTPS, FTP, etc
Application proxies
An “internal proxy”
Commonly used to protect and control user access to the Internet
Forward proxy
Inbound traffic from the Internet to your internal service
Reverse proxy
A third-party, uncontrolled proxy
Can be a significant security concern
Often used to circumvent existing security controls
Open proxy
Exploits against operating systems, applications, etc
Buffer overflows, cross-site scripting, other vulnerabilities
Intrusions
Detection - Alarm or alert
Prevention - Stop it before it gets to the network
Detection vs Prevention
Examine a copy of the traffic
- Port mirror (SPAN), network tap
No way to block (prevent) traffic
Steps:
1) Network traffic is sent from client to server through the network switch
2) A copy of the traffic is sent to the IDS/IPS
Passive monitoring
When malicious traffic is identified
- IPS sends TCP RST (reset) frames
- After-the-fact
- Limited UDP response available
Out-of-band-response
IDS/IPS sits physically inline
- All traffic passes through the IDS/IPS
Steps:
1) Network traffic is sent from the Internet to the core switch, which passes through the IPS
2) The inline IPS can allow or deny traffic in real-time
Inline monitoring
Malicious traffic is immediately identified
- Dropped at the IPS
- Does not proceed through the network
In-band response
Signature-based
- Look for a perfect match
Anomaly-based
- Build a baseline of what’s “normal”
Behavior-based
- Observe and report
Heuristics
- Use artificial intelligence to identify
Identification technologies
High-end cryptographic hardware
- Plug-in card or separate hardware device
Key backup
- Secured storage
Cryptographic accelerators
- Offload that CPU overhead from other devices
Used in large environments
Clusters, redundant power
Hardware Security Module (HSM)
Access secure network zones
- Provides an access mechanism to a protected network
Highly-secured device
- Hardened and monitored
SSH/Tunnel/VPN to this server
- RDP, SSH, or jump from there
A significant security concern
- Compromise to this server is a significant breach
Jump server
Aggregate information from network devices
- Built-in sensors, separate devices
- Integrated into switches, routers, servers, firewalls, etc
Sensors and collectors
Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
Sensors
Proprietary consoles (IPS, firewall)
SIEM consoles, syslog servers
Many SIEMs include a correlation engine to compare diverse sensor data
Collectors
An organization’s wireless network can contain confidential information
- Not everyone is allowed to access
Authenticate the users before granting access
- Who gets access to the wireless network?
- Username, password, multi-factor authentication
Ensure that all communication is confidential
- Encrypt the wireless data
Verify the integrity of all communication
- The received data should be identical to the original sent data
- A message integrity check (MIC)
Securing a wireless network
All wireless computers are radio transmitters and receivers
- Anyone can listen in
Solution: Encrypt the data - Everyone has an encryption key
Only people with the right key can transmit and listen
- WPA2 and WPA3
Wireless encryption
Data confidentiality with AES
Message Integrity Check (MIC) with CBC-MAC
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
A stronger encryption than WPA2
Data confidentiality with AES
Message Integrity Check (MIC) with Galois Message Authentication Code (GMAC)
Galois/Counter Mode Protocol (GCMP)