Lesson 11 Implementing Secure Networks Flashcards
DHCP
Dynamic Host Configuration Protocol (UDP port 67 on the server, 68 on the client)
- great time saver: users join the network without needing to know its addressing details
- provides a method for automatic network address allocation (IP address, subnet mask, default gateway, DNS servers)
- prevent rogue DHCP servers by enabling DHCP snooping on the switches: only trusted ports (the uplink toward the real server) may send DHCP server messages
DHCP Starvation
Type of DoS attack in which a rogue client repeatedly requests new IP addresses using spoofed MAC addresses
This exhausts the pool of addresses available to the legitimate DHCP server
Clients that cannot get a lease from the real server are then more likely to accept an offer from a rogue DHCP server
The rogue server can hand out a rogue DNS server address, or set the attacker's machine as default gateway, to snoop on all network traffic (on-path attack)
DHCP snooping (with a per-port DHCP rate limit) mitigates the attack
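The starvation pattern above is easy to spot in the DHCP server's own log: a burst of DHCPDISCOVER messages from many never-seen client MACs in a few seconds, followed by the server reporting an empty pool. The following detector is an added example, not part of the original flashcards. The log lines are constructed to look like ISC dhcpd syslog output (the exact field layout is an assumption), and the window size and client threshold are illustrative tuning values.

```python
import re
from collections import deque
from datetime import datetime

# Constructed ISC dhcpd-style syslog lines (assumed layout, not real logs):
# two legitimate clients, then 24 DISCOVERs from spoofed, locally administered
# MACs inside six seconds, then the server reporting pool exhaustion.
NORMAL = (
    "Mar 10 09:00:01 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:0c:29:11:22:33 via eth0\n"
    "Mar 10 09:00:01 dhcp1 dhcpd[812]: DHCPOFFER on 10.1.0.50 to 00:0c:29:11:22:33 via eth0\n"
    "Mar 10 09:00:45 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:0c:29:44:55:66 via eth0\n"
    "Mar 10 09:00:45 dhcp1 dhcpd[812]: DHCPOFFER on 10.1.0.51 to 00:0c:29:44:55:66 via eth0\n"
)
BURST = "".join(
    f"Mar 10 09:02:{10 + (i - 1) // 4:02d} dhcp1 dhcpd[812]: "
    f"DHCPDISCOVER from 02:a1:00:00:00:{i:02x} via eth0\n"
    for i in range(1, 25)
)
EXHAUSTED = (
    "Mar 10 09:02:16 dhcp1 dhcpd[812]: DHCPDISCOVER from 02:a1:00:00:00:ff via eth0: "
    "network 10.1.0.0/24: no free leases\n"
)
SAMPLE_LOG = NORMAL + BURST + EXHAUSTED

DISCOVER_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) via (?P<iface>[^\s:]+)"
    r"(?P<nofree>.*no free leases)?$"
)


def parse_discovers(log_text, year=2024):
    """Return (timestamp, mac, interface, pool_exhausted) for every DHCPDISCOVER line.
    Syslog lines carry no year, so one is assumed for the timestamp."""
    events = []
    for line in log_text.splitlines():
        m = DISCOVER_RE.match(line)
        if not m:
            continue  # OFFER/ACK and unrelated lines are not needed here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["mac"].lower(), m["iface"], bool(m["nofree"])))
    return events


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: the address was made up locally,
    which is what MAC-randomising attack tools produce (and some privacy features)."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def detect_starvation(log_text, window_s=10, max_clients=10):
    """Sliding-window detector. Returns a list of (time, interface, reason, distinct_macs):
    'burst' once per interface when more than max_clients distinct MACs send DISCOVER
    within window_s seconds, and 'exhausted' whenever the server reports no free leases."""
    alerts = []
    recent = {}       # interface -> deque of (timestamp, mac) inside the window
    alarmed = set()   # interfaces already reported for a burst
    for ts, mac, iface, exhausted in parse_discovers(log_text):
        q = recent.setdefault(iface, deque())
        q.append((ts, mac))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {m for _, m in q}
        if len(distinct) > max_clients:
            if iface not in alarmed:
                alarmed.add(iface)
                alerts.append((ts, iface, "burst", len(distinct)))
        else:
            alarmed.discard(iface)
        if exhausted:
            alerts.append((ts, iface, "exhausted", len(distinct)))
    return alerts


if __name__ == "__main__":
    for ts, iface, reason, n in detect_starvation(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {iface}: {reason} ({n} distinct client MACs in window)")
    spoofed = [m for _, m, _, _ in parse_discovers(SAMPLE_LOG) if is_locally_administered(m)]
    print(f"{len(spoofed)} of the DISCOVERs came from locally administered MACs")
```

The locally administered bit is a useful secondary indicator: real NICs carry a vendor OUI with that bit clear, while spoofing tools usually generate random addresses with it set. On its own it is not proof (modern phones randomise their Wi-Fi MAC too), which is why the detector keys on the rate of new clients per interface and on the server's own exhaustion message.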
DNS
Domain Name System
- resolves fully qualified domain names (FQDNs) to IP addresses (and the reverse)
- uses a distributed, hierarchical database
- works over UDP port 53; TCP port 53 is used for zone transfers and for responses too large for UDP
- target of many types of attacks
- domain hijacking
Domain Hijacking
Attackers gain control over the registration of a company's domain name (for example by compromising the registrar account or re-registering a lapsed domain) and then point its host records at IP addresses of their choosing
A related tactic is registering the company's trading name or trademark, or a spelling variation of it, as a look-alike domain (cybersquatting/typosquatting)
URL Redirection
Refers to the use of HTTP redirects (3xx responses, meta refresh, or JavaScript) to open a page other than the one the user requested
Legitimate when used to send users to a moved or newer page
Attackers abuse open redirects on a trusted site, or typosquatted domains, to send users to an illegitimate site
The link is typically delivered in a phishing message and appears to point at the trusted domain
A compromised server could carry the redirect in .htaccess rules or in injected JavaScript
A poorly validated upload form can allow the attacker to place such a script on the server
DNS Poisoning
An attack that corrupts the process a client uses to resolve a domain name (FQDN) to an IP address, so the victim connects to an attacker-controlled host
Carried out by:
Man in the Middle (on-path attack)
DNS Client Cache Poisoning
DNS Server Cache Poisoning
Man in the Middle
An attack where an on-path attacker alters the replies to the victim's DNS queries or redirects the queries to a rogue DNS server
Can use ARP poisoning to intercept DNS queries and answer them with spoofed replies
Can use a DoS of the legitimate DHCP server plus a rogue DHCP server to hand clients the rogue DNS server's address
Attacker must be on the same local network (broadcast domain) as the victim(s)
DNS client Cache Poisoning
Exploits the fact that name resolution checks the local hosts file (/etc/hosts on Linux and macOS, %SystemRoot%\System32\drivers\etc\hosts on Windows) before contacting a DNS server
The file is edited to map the target name to a rogue host of the attacker's choosing
Requires access to the host with administrator/root privileges; review the hosts file as part of host triage
DNS Server Cache Poisoning
An attack where the attacker corrupts the records cached by a recursive DNS server, so every client using that server receives the false answer until the record expires
Attackers can spoof replies to the server's outstanding queries (racing the real answer and guessing the transaction ID and source port), often combined with a DoS of the real name server
Attackers can also trigger a recursive query for a name in a domain they control; their authoritative server answers with extra records mapping the victim's names to attacker IPs, and an unprotected local server caches these as legitimate (modern resolvers apply bailiwick checks to reject such out-of-zone records, and DNSSEC validation rejects unsigned answers)
Identify by using nslookup or dig to compare the answers from the local server with those from an authoritative server or a trusted public resolver and look for inconsistencies
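The two checks suggested by the client and server cache poisoning cards, as an added example that is not part of the original flashcards: an audit of a hosts file for entries that override name resolution, and a comparison of dig-style answers from the authoritative server against what the local recursive server has cached. The hosts file content, the answer sections, the zone name corp.example and the internal network range are all constructed for the example.

```python
import ipaddress
import re

# Constructed hosts file content (not taken from a real host). The last entry is
# the kind of line a client cache poisoning attack adds.
HOSTS_SAMPLE = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
10.1.0.20       fileserver.corp.example   # added by IT, legitimate internal host
198.51.100.7    login.corp.example        # public IP for an internal login name
"""

# Constructed dig-style answer sections (name TTL class type data) from two sources:
# the zone's authoritative server and the site's recursive resolver.
AUTHORITATIVE = """\
login.corp.example.   300 IN A 10.1.0.30
www.corp.example.     300 IN A 10.1.0.31
"""
RECURSIVE = """\
login.corp.example.   300 IN A 198.51.100.7
www.corp.example.     300 IN A 10.1.0.31
"""

ANSWER_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?:A|AAAA)\s+(?P<data>\S+)$")


def parse_answers(text):
    """Map each owner name (lower-cased, trailing dot removed) to its set of A/AAAA data."""
    records = {}
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            records.setdefault(m["name"].rstrip(".").lower(), set()).add(m["data"])
    return records


def audit_hosts_file(text, internal_zone="corp.example", internal_networks=("10.0.0.0/8",)):
    """Client-side check. Returns (ip, name, reason) for every non-loopback mapping:
    an internal name that resolves outside the internal networks is the classic
    poisoning sign; any other override is reported so it can be confirmed as intended."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        ip_str, *names = line.split()
        ip = ipaddress.ip_address(ip_str)
        if ip.is_loopback:
            continue
        for name in names:
            is_internal_name = name.lower().endswith("." + internal_zone)
            if is_internal_name and not any(ip in n for n in nets):
                findings.append((ip_str, name, "internal name resolves outside internal networks"))
            else:
                findings.append((ip_str, name, "non-loopback override; confirm it is intended"))
    return findings


def find_resolver_disagreements(authoritative_text, recursive_text):
    """Server-side check. Returns {name: (authoritative_ips, recursive_ips)} for every
    name where the recursive server's cached answer differs from the authoritative one."""
    auth, rec = parse_answers(authoritative_text), parse_answers(recursive_text)
    return {n: (auth[n], rec[n]) for n in auth if n in rec and auth[n] != rec[n]}


if __name__ == "__main__":
    for ip, name, reason in audit_hosts_file(HOSTS_SAMPLE):
        print(f"hosts: {name} -> {ip}: {reason}")
    for name, (good, cached) in find_resolver_disagreements(AUTHORITATIVE, RECURSIVE).items():
        print(f"resolver: {name} authoritative={sorted(good)} cached={sorted(cached)}")
```

In practice the two answer sections would come from `dig @authoritative-server name A` and `dig @local-resolver name A`; a disagreement on a name the authoritative server owns, while the TTL on the cached copy is still counting down, is the signature of a poisoned cache rather than of a normal propagation delay.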
DNS Footprinting Attack
An attack which requests a DNS zone transfer (AXFR, all the records in a domain) to an attacker-controlled host, revealing the hostnames and addresses of the internal network
Prevent by implementing an ACL that permits zone transfers only to authorized secondary servers; this keeps external users from gaining knowledge about the private network
DNS Security
On a private network, only allow recursive queries from local hosts, not from the internet (open resolvers are abused for amplification DDoS and are easier to poison)
On the server, implement access control measures (authenticated dynamic updates) to prevent malicious record updates
Clients should be restricted from using unauthorized DNS servers (block outbound port 53 except from the internal resolvers)
DNS servers should be kept patched to the latest versions
Apply an ACL entry to prevent zone transfers to unauthorized hosts or domains
DNSSEC
DNS Security Extensions
Resource record sets are digitally signed with the zone's signing keys; a validating resolver checks the signatures up a chain of trust from the root zone through each TLD to the target domain
The root zone key signing key is the trust anchor: it is self-signed and managed through a key ceremony with an M of N control group
DNSSEC provides authentication and integrity of DNS answers, not confidentiality
Network Directory
A database of subjects (principals: users, computers, and services) and objects (directories, files, printers and other resources) available on the network
- records the permissions subjects have over objects
- facilitates authentication and authorization of subjects allowed on the system
Network Directory Services
Accessed with the Lightweight Directory Access Protocol (LDAP, TCP port 389) and
LDAP Secure (LDAPS, TCP port 636)
Authentication, called binding to the server, can be implemented in the following ways:
- no authentication: anonymous access to the directory
- simple bind: the client supplies a distinguished name (DN) and password in plain text
- Simple Authentication and Security Layer (SASL): client and server negotiate a supported authentication mechanism, such as Kerberos
- LDAP Secure (LDAPS, port 636): a TLS tunnel, authenticated by the server's digital certificate, protects the credential exchange (STARTTLS on port 389 achieves the same on the standard port)
Network Directory Services Security
For secure access, disable anonymous and simple (plain text) bind on the server, or allow simple bind only inside a TLS session
Use an access control policy to properly control query (read-only) and update (read/write) access
For private implementations, block the LDAP ports from public access via an ACL on the firewall; if internet access is required, permit only authorized IP addresses to reach the directory
Time Synchronization - NTP
Network Time Protocol (NTP, UDP port 123)
- used by time dependent functions such as authentication (Kerberos ticket lifetimes), certificate validity checks, log correlation, scheduling apps and backup software
- in its basic form the protocol provides no security, so a spoofed time source can shift a client's clock; Network Time Security (NTS, RFC 8915) adds a TLS-based key exchange and authenticated NTP packets
SNMP Security
Simple Network Management Protocol
- uses a monitor (manager) and agents
- agents are software running on network devices (switches, routers, servers)
- agents maintain a management information base (MIB) of device status and configuration values
- agents send traps (notifications) on events to the monitor on UDP port 162
- agents listen for queries from the monitor on UDP port 161
- monitors are software that query the MIBs of agents and display trap events
Security:
- disable the SNMP agent if it is not used on the system
- change the default community strings (public/private act as passwords)
- remember to do this for any device you add to the network
- in SNMP v1 and v2c community names are transmitted in plain text; do not use them where traffic could be intercepted
- use hard to guess community names and separate read-only and read-write communities
- restrict management operations to known monitor hosts via an ACL
- use SNMP v3, which supports user authentication and encryption (authPriv)
HTTP and Web Services
HyperText Transfer Protocol uses TCP port 80 (HTTPS uses TCP port 443)
- the client requests a resource identified by a uniform resource locator (URL)
- clients can POST data to the server (forms, uploads, API calls)
- the web application is integrated with databases on the server
- supports scripting and programmable features (web applications)
- uses cookies to preserve session state between stateless requests
Security: every one of these features increases the attack surface (injection, session hijacking, file upload); HTTP alone provides no confidentiality or server authentication, which is why TLS is required
TLS
Transport Layer Security
- a standard for establishing an encrypted, authenticated channel for application data
- used with HTTP Secure (HTTPS) but also with other application protocols and VPNs
Implementation:
- the server is issued a digital certificate signed by a trusted certificate authority (CA)
- the certificate proves the identity of the server
- it binds the server's identity to its public key; the matching private key never leaves the server
- in the handshake the client and server agree on a protocol version and cipher suite, and the server proves possession of the private key
- an encrypted session is then established using keys derived from the handshake
- the client can also present a certificate so the server can authenticate the client (mutual TLS)
- client certificates are mostly used for VPNs and enterprise networks
Downgrade Attack and TLS versions
A man in the middle interferes with the handshake to force the use of a weaker cipher suite or an older SSL/TLS version
This works when a server or client still allows older versions and the client retries with a lower version after a failed handshake (the POODLE attack used this fallback to SSL 3.0); the fix is to disable the old versions and the fallback, and TLS_FALLBACK_SCSV (RFC 7507) lets a server detect a fallback retry
TLS 1.3 is the latest version; it removed the insecure legacy features (static RSA key exchange, CBC and RC4 suites, compression, renegotiation) and builds downgrade protection into the handshake: a server that supports 1.3 marks the ServerHello random when it negotiates a lower version, so a 1.3 client can detect the downgrade
Cipher Suites
The set of algorithms the client and server agree on for key exchange, authentication, bulk encryption and integrity/key derivation.
Example:
Prior to TLS 1.3 written (OpenSSL name) as:
ECDHE-RSA-AES128-GCM-SHA256
session key agreement: ECDHE - Elliptic Curve Diffie-Hellman Ephemeral (gives forward secrecy)
server authentication: RSA signature over the handshake
symmetric bulk encryption: 128-bit AES in Galois/Counter Mode (GCM, an AEAD mode that also authenticates each record)
SHA-256: the hash for the TLS 1.2 PRF and key derivation; with an AEAD suite there is no separate per-record HMAC (in the older CBC suites, e.g. ...-AES128-SHA256, the hash also drives the record HMAC)
TLS 1.3 uses the shortened IANA form TLS_AES_256_GCM_SHA384: only the AEAD cipher and hash are named, because key exchange (always ephemeral DH) and signature algorithm are negotiated separately
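The following is an added example, not code from the original flashcards: a parser that splits both suite name forms into their parts, a checker that flags the weaknesses the downgrade and cipher suite cards describe (no forward secrecy, broken primitives, anonymous key exchange, SHA-1 CBC suites), and a client `ssl` context that refuses to negotiate below TLS 1.2. The cipher string and the version floor are this example's recommended settings, not a configuration taken from the page.

```python
import ssl

KX_TOKENS = {"ECDHE", "DHE", "EECDH", "EDH", "ECDH", "DH", "ADH", "AECDH", "RSA", "PSK", "SRP"}
AUTH_TOKENS = {"RSA", "ECDSA", "DSS", "PSK"}
FORWARD_SECRET = {"ECDHE", "DHE", "EECDH", "EDH", "ADH", "AECDH"}   # ephemeral key exchange
WEAK_TOKENS = {"NULL", "EXPORT", "RC4", "DES", "3DES", "MD5", "ADH", "AECDH"}


def parse_cipher_suite(name):
    """Split a suite name into key exchange, authentication, bulk cipher and hash.
    TLS 1.2 OpenSSL form: [KX-[AUTH-]]ENC[-MODE][-HASH]  e.g. ECDHE-RSA-AES128-GCM-SHA256
    (a missing KX/AUTH means static RSA; a missing hash means an AEAD suite with SHA256).
    TLS 1.3 IANA form: TLS_ENC_MODE_HASH  e.g. TLS_AES_256_GCM_SHA384, where key exchange
    ((EC)DHE) and the signature algorithm are negotiated by separate extensions."""
    if name.startswith("TLS_"):
        parts = name.split("_")
        return {"version": "1.3", "kx": "(EC)DHE", "auth": "negotiated separately",
                "enc": "-".join(parts[1:-1]), "hash": parts[-1]}
    parts = name.split("-")
    kx = parts.pop(0) if parts[0] in KX_TOKENS else "RSA"
    if parts and parts[0] in AUTH_TOKENS:
        auth = parts.pop(0)
    else:
        auth = "anon" if kx in ("ADH", "AECDH") else kx
    if parts and (parts[-1].startswith("SHA") or parts[-1] == "MD5"):
        hash_ = parts.pop()
    else:
        hash_ = "SHA256"  # AEAD suites such as CHACHA20-POLY1305 imply the PRF hash
    return {"version": "<=1.2", "kx": kx, "auth": auth, "enc": "-".join(parts), "hash": hash_}


def assess_cipher_suite(name):
    """Return the list of reasons a suite should not be offered; [] means acceptable."""
    s = parse_cipher_suite(name)
    issues = []
    weak = set(name.replace("_", "-").split("-")) & WEAK_TOKENS
    if weak:
        issues.append("weak or broken primitive: " + ",".join(sorted(weak)))
    if s["version"] != "1.3" and s["kx"] not in FORWARD_SECRET:
        issues.append("no forward secrecy (static key exchange)")
    if s["auth"] == "anon":
        issues.append("unauthenticated key exchange (trivial MITM)")
    if s["hash"] == "SHA":
        issues.append("SHA-1 HMAC with CBC (legacy, padding-oracle history)")
    return issues


def hardened_client_context():
    """Downgrade-resistant client configuration: refuse anything below TLS 1.2 so an
    on-path attacker cannot steer the handshake to TLS 1.0/SSL 3.0, and offer only
    forward-secret AEAD suites for TLS 1.2 (TLS 1.3 suites are always enabled)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


if __name__ == "__main__":
    for suite in ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384",
                  "AES128-SHA", "RC4-MD5", "ADH-AES256-SHA"]:
        print(suite, parse_cipher_suite(suite), assess_cipher_suite(suite) or "ok")
    ctx = hardened_client_context()
    print("enabled:", [c["name"] for c in ctx.get_ciphers()])
```

The last line of the script prints what the local OpenSSL build actually enables under that policy; running `assess_cipher_suite` over that list is a cheap regression check that a library upgrade has not quietly re-enabled a legacy suite.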
HKDF - HMAC-based Extract-and-Expand Key Derivation Function
HMAC-based Extract-and-Expand Key Derivation Function (RFC 5869)
Mechanism TLS 1.3 uses to turn the shared secret from the (EC)DH key agreement into the symmetric session keys: Extract condenses the secret into one pseudorandom key, Expand derives as many purpose-labeled keys as needed from it
API Considerations
Application Programming Interface (API)
- used by web applications to expose their functionality to other programs rather than to a browser
- uses the HTTP methods (POST, GET, and so on) against defined endpoints
- authorization is via a token or secret key (API key) sent with each request
Security considerations:
- management of the token or secret key is very important: a leaked key gives the holder the same access as the legitimate caller, leading to data breaches and data theft
- use an established framework such as SAML or OAuth for authentication and authorization rather than long-lived static keys
- monitor usage to ensure only authorized endpoints are making transactions
Subscription Services and Feeds security concerns
Web and/or cloud applications that push information to subscribers (RSS/Atom feeds, notifications) and must be secured like any other web application
They are vulnerable to XML injection attacks when feed content is parsed without validation
Allows attackers to:
- inject malicious links into the feed
- interact with the file system (for example through XML external entity references)
FTP
File Transfer Protocol (TCP port 21 for the control connection; data on port 20 or an ephemeral port)
- used for public download directories, file hosting and per-user accounts
- more efficient than HTTP for bulk transfers but insecure: credentials and data are sent in plain text
Should use SFTP or FTPS instead
SFTP
SSH FTP
- encrypts authentication and data transfer between client and server
- runs over SSH, TCP port 22
- mitigates eavesdropping and man in the middle attacks (the server is authenticated by its host key)
- requires an SSH server with the SFTP subsystem enabled and an SFTP client
FTPS
FTP over SSL/TLS, implemented in two ways:
- Explicit TLS (FTPES): the client connects to port 21 and issues the AUTH TLS command to upgrade the control connection; the PROT P command then encrypts the data connection
- Implicit TLS (FTPS): a TLS tunnel is established before any FTP command is exchanged; the control connection uses port 990
Implicit FTPS needs the extra port plus a data port range opened, which makes the firewall tricky to configure
Explicit TLS (FTPES) is therefore usually preferred
SMTP
Simple Mail Transfer Protocol (SMTP)
- how mail is sent from one system to another
- uses the Mail Exchanger (MX) record in DNS to find the mail server for the recipient's domain
- uses TCP port 25 for unsecured message relay between servers
Explicit (opportunistic) TLS uses the STARTTLS command to upgrade the connection; message submission from clients uses TCP port 587, and server-to-server relay on port 25 can also use STARTTLS
Implicit TLS (SMTPS) uses TCP port 465 to establish a secure connection prior to message exchange
POP3
Post Office Protocol v3 retrieves messages that SMTP delivered to a mailbox on the server
- downloads the messages to the client (typically deleting them from the server)
- the user is authenticated with a user name and password before download
- uses TCP port 110 for the plain text connection
- uses TCP port 995 for the secure (POP3S, implicit TLS) connection
IMAP
Internet Message Access Protocol v4
- mailbox service that keeps messages on the server, supports persistent connections and lets multiple clients access the same mailbox simultaneously
- allows client management of mail folders on the server
- users authenticate before retrieval
- uses TCP port 143 for the plain text connection (STARTTLS can upgrade it)
- uses TCP port 993 for the secure (IMAPS, implicit TLS) connection
S/MIME
Secure/Multipurpose Internet Mail Extensions provides end to end security for email
- provides authentication (signing) and confidentiality (encryption) on a per message basis
- allows two users to exchange secure emails
- each user is issued a certificate containing the user's public key, signed by a CA
- each user keeps the matching private key
- both users must have exchanged certificates and be using S/MIME capable clients
- signing: the sender hashes the message and encrypts the hash with the sender's private key (the digital signature)
- encryption: the sender encrypts the message (in practice a random symmetric key encrypts the message and the recipient's public key encrypts that key) and sends the encrypted message, the signature and the sender's certificate
- the recipient decrypts the message with the recipient's own private key
- the recipient decrypts the signature with the sender's public key (from the certificate) to recover the sender's hash
- the recipient creates a hash of the decrypted message
- validation succeeds when the recipient's hash matches the hash recovered from the signature
Voice and Video Secure Services
Voice over IP (VoIP) and video conferencing transport real-time data and set up point to point sessions between hosts
- require session control, data transport, and QoS
Data transport uses the Real-time Transport Protocol (RTP)
Session control uses the Session Initiation Protocol (SIP)
- each endpoint is identified by a SIP Uniform Resource Identifier (URI), e.g. sip:user@example.com
- calls are typically routed through a Private Branch Exchange (PBX)
- unencrypted SIP runs over UDP or TCP port 5060
SIP Secure (SIPS)
- similar to HTTPS, SIPS uses digital certificates to authenticate endpoints and establish a TLS tunnel for the signaling
- the signaling exchange provides a master key to Secure RTP (SRTP), which encrypts and authenticates the media
- encrypted SIP runs over TCP port 5061 (TLS)
Remote Access
Connection to a network from a device located outside that network
Usually implemented via a Virtual Private Network (VPN) running over the internet
VPN
Virtual Private Network
- establishes a private, encrypted tunnel across an untrusted network
Remote Access VPN vs Site to Site VPN
Remote access VPN is a secure tunnel from a remote device to the corporate network
- the client connects to a VPN gateway placed in a remote access screened subnet behind the perimeter router/firewall
- the client and VPN gateway create the secure VPN tunnel
- the screened subnet's internal router/firewall forwards the decrypted traffic to the authorized servers on the local network
Site to site VPN is a secure tunnel between two private networks
- hosts send traffic through their local router/firewall/VPN gateway as usual, with no VPN client on the host
- the local VPN gateway negotiates the secure VPN tunnel with the remote VPN gateway in the remote site's screened subnet
- routing at each end determines which traffic is sent through the VPN tunnel
VPN Security
VPNs are built on either TLS or IPSec
A TLS VPN (SSL VPN) needs a listening port on the remote access server, usually TCP 443
The client opens a TLS connection, so the server is authenticated to the client and an encrypted channel is created
The client then sends its credentials; the server usually authenticates them against a RADIUS server
Once authenticated, the VPN tunnels traffic to the remote network over the TLS connection
Examples:
OpenVPN - open source TLS VPN
Secure Socket Tunneling Protocol (SSTP) - Microsoft's tunneling protocol, carrying Point-to-Point Protocol (PPP) layer 2 frames over a TLS session
PPP provides encapsulation for IP traffic, pushes IP address assignment to the client, and supports authentication via the Challenge Handshake Authentication Protocol (CHAP) or EAP
IPSec
Internet Protocol Security
- operates at the Network Layer (layer 3 of the OSI model), so it protects any transport or application protocol above it
- encrypts packet payloads (confidentiality)
- authenticates each packet with an integrity check value and rejects replayed packets using a sequence number (integrity, anti-replay)
- adds processing and per-packet overhead to do this
- each device is assigned an IPSec policy defining which protocol to use, Authentication Header (AH) or Encapsulating Security Payload (ESP), which mode, and how the peers authenticate
HMAC
Hash-based Message Authentication Code
a method used to verify both the integrity and authenticity of a message by computing a cryptographic hash over the message combined with a secret key; only holders of the key can produce or check the code
IPSec AH
Internet Protocol Security Authentication Header (AH) protocol
- computes an HMAC with the shared key over the whole packet, including the IP header (mutable fields such as TTL and checksum are zeroed first) and the payload
- places the HMAC in the AH header as the Integrity Check Value (ICV)
- the recipient computes the same HMAC over the received packet and key; a match proves the packet was not modified (integrity) and came from a key holder (authentication)
- however the payload is not encrypted (no confidentiality)
- breaks when a NAT gateway rewrites the IP addresses, since those are covered by the ICV
- for this reason AH is not used very often
IPSec ESP
Internet Protocol Security Encapsulation Security Payload (ESP)
- provides confidentiality, authentication and integrity
- encrypts the payload and then computes the ICV over the ESP header and the encrypted payload
- attaches an ESP header (SPI, sequence number), padding/trailer, and the Integrity Check Value (ICV)
- the outer IP header is excluded from the ICV, so ESP survives NAT (with UDP encapsulation, NAT-T on UDP port 4500)
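The HMAC, AH and ESP cards above come down to what bytes the ICV covers. The following is an added example, not code from the original flashcards: it builds a packet, computes a simplified AH ICV (IP header with mutable fields zeroed, plus payload) and a simplified ESP ICV (ESP header plus encrypted payload), then replays what a plain router hop, a NAT rewrite and payload tampering do to each. The key, addresses, SPI and the XOR stand-in for encryption are constructed for the demo; real AH also covers its own header, and real ESP keys come from IKE.

```python
import hmac
import socket
import struct

# Constructed integrity key. In IPsec the key comes from IKE; it is never hard-coded.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868) truncates the 32-byte tag to 128 bits


def ipv4_header(src, dst, payload_len, ttl=64, proto=17):
    """Minimal 20-byte IPv4 header (checksum left as zero; not needed for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(ip_hdr, payload, key=KEY):
    """AH integrity check value: HMAC over the IP header with the mutable fields zeroed
    (TTL at offset 8, header checksum at offsets 10-11) plus everything after it.
    Source and destination addresses are treated as immutable and stay covered.
    (Real AH also covers its own header with the ICV field zeroed; omitted here.)"""
    covered = bytearray(ip_hdr)
    covered[8] = 0
    covered[10:12] = b"\x00\x00"
    return hmac.new(key, bytes(covered) + payload, "sha256").digest()[:ICV_LEN]


def esp_icv(_outer_ip_hdr, esp_hdr, encrypted_payload, key=KEY):
    """ESP integrity check value: HMAC over the ESP header (SPI, sequence number) and the
    encrypted payload only. The outer IP header is deliberately not an input."""
    return hmac.new(key, esp_hdr + encrypted_payload, "sha256").digest()[:ICV_LEN]


def verify(icv, expected):
    return hmac.compare_digest(icv, expected)   # constant-time comparison


def forward_hop(ip_hdr):
    """What every router does: decrement the TTL (a mutable field)."""
    hdr = bytearray(ip_hdr)
    hdr[8] -= 1
    return bytes(hdr)


def nat_rewrite(ip_hdr, new_src):
    """What a NAT gateway does on top of forwarding: replace the source address."""
    hdr = bytearray(forward_hop(ip_hdr))
    hdr[12:16] = socket.inet_aton(new_src)
    return bytes(hdr)


def demo_nat_effect():
    """Sender computes AH and ESP ICVs; the receiver checks them after a plain hop,
    after a NAT rewrite, and after the payload has been tampered with."""
    payload = b"constructed packet payload"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", len(payload))
    esp_hdr = struct.pack("!II", 0x10000001, 1)      # SPI, sequence number
    encrypted = bytes(b ^ 0x5A for b in payload)     # stand-in for the real cipher
    ah_sent = ah_icv(hdr, payload)
    esp_sent = esp_icv(hdr, esp_hdr, encrypted)

    hopped = forward_hop(hdr)
    natted = nat_rewrite(hdr, "198.51.100.1")
    tampered = encrypted[:-1] + bytes([encrypted[-1] ^ 0xFF])
    return {
        "ah_ok_after_plain_hop": verify(ah_icv(hopped, payload), ah_sent),
        "ah_ok_after_nat": verify(ah_icv(natted, payload), ah_sent),
        "esp_ok_after_nat": verify(esp_icv(natted, esp_hdr, encrypted), esp_sent),
        "esp_ok_after_tamper": verify(esp_icv(natted, esp_hdr, tampered), esp_sent),
    }


if __name__ == "__main__":
    for check, ok in demo_nat_effect().items():
        print(f"{check}: {ok}")
```

The TTL hop passes AH verification because TTL is zeroed before hashing, the NAT rewrite fails it because the source address is not, and ESP passes both because its ICV never looked at the outer header in the first place. That asymmetry is exactly why AH cannot cross NAT while ESP only needs UDP encapsulation to get through.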
IPSec Tranport mode
Used to secure communications between hosts on a private network (end to end, the hosts themselves apply IPSec)
can use either AH or ESP
- use AH for integrity of the whole packet including the IP header
- use ESP to encrypt the payload; the original IP header is kept and is not encrypted
IPSec Tunnel Mode
Used for communications between VPN gateways across an unsecure network
- referred to as a router implementation, since the gateways rather than the hosts apply IPSec
- in practice only ESP is used
- AH has no real use case here
- ESP encrypts the whole original packet (header and payload) and encapsulates it in a new datagram with a new IP header addressed to the peer gateway
IKE
Internet Key Exchange (IKE) protocol
- handles peer authentication and key exchange, establishing the Security Associations (SAs) that define how traffic between the peers is protected
- used by IPSec to provide the mutually authenticated shared secret that the framework depends on
- uses two phases
- Phase 1 establishes the identity of the two hosts and performs a Diffie-Hellman key agreement to create a secure channel (the IKE SA)
- the peers authenticate with either digital certificates or a pre-shared key (PSK)
- Phase 2 uses the secure channel to negotiate the IPSec SAs: which protocol (AH and/or ESP), mode, ciphers and key sizes to use
L2TP/IPSec VPN
Layer 2 Tunneling Protocol (L2TP)/IPSec VPN
- used for remote clients so that user accounts in the remote network's directory can be authenticated
- main drawback is the overhead of double encapsulation of the traffic
Process:
- client and VPN gateway create a secure IPSec channel across the internet, using a pre-shared key or certificates for IKE
- the VPN gateway uses L2TP inside the IPSec channel to carry local network data encapsulated as PPP frames
- the client authenticates the user over the PPP session using EAP or CHAP
IKE v2
Fixes drawbacks of the original Internet Key Exchange (IKE)
- support for EAP authentication (so user credentials, not only certificates or a PSK, can be used)
- simplified connection setup with a single four-message exchange to reduce bandwidth and latency
- reliability features, NAT traversal, and MOBIKE multihoming
Multihoming allows a client with multiple interfaces (Wi-Fi and cellular on a smartphone) to keep the IPSec connection alive when switching between them
VPN Client Configuration
May need to configure the client VPN settings manually if the protocol is not natively supported by the OS
Always-On VPN
- uses cached credentials (or a device certificate) to authenticate without user interaction
- the VPN is established automatically whenever the client has an internet connection and is not already on the trusted corporate network
Split-Tunnel
- only traffic to/from the corporate LAN uses the VPN tunnel
- other traffic (internet browsing) goes directly to the internet, bypassing corporate security controls
Full-Tunnel
- all of the client's traffic, including internet traffic, goes through the VPN tunnel
- internet traffic is then mediated at the corporate screened subnet by the corporate DNS server, content filter and/or proxy, at the cost of extra bandwidth and latency
Remote Desktop
Another model for remote networking: the remote user connects to a host in the local network over a remote administration protocol. This gives a GUI session rather than the CLI of SSH.
Examples:
Remote Desktop Protocol (RDP, TCP port 3389)
Virtual Network Computing (VNC, TCP port 5900)
HTML5 VPN - clientless access through the browser, using WebSockets for bidirectional messages
SAW
Secure Admin Workstation
- provides a secure means for admins to perform management functions on network appliances and servers
- must be tightly locked down, ideally installed with only the software needed to do the job
- should be denied internet access, except to a handful of approved vendor sites for patching
- should have stringent access controls (no email or general browsing from the same machine)
OOB Management
Out-of-Band Management
A remote management channel that does not share the production network: a serial console or modem port on a router, a dedicated management port, or a physically (or virtually, via a management VLAN) separate management network. In-band management, by contrast, carries admin traffic over the same network as user data.
Jump server
A hardened server used by admins to manage application servers and network appliances located in the screened subnet (DMZ), permitting tighter access control
Only runs the required protocols, like SSH or RDP
The application servers' admin interfaces have a single ACL entry allowing the jump server, with all other sources denied
SSH
Secure Shell allows a user to obtain remote access to a command line terminal (and to tunnel other protocols)
SSH servers are identified by a public/private key pair (the host key), used to set up a secure channel over which the client submits its authentication credentials; the client should verify the host key fingerprint the first time it connects
Client Authentication
Username/password - the SSH server authenticates the user against the local account database or RADIUS/TACACS+
Public key - the user's public key is listed in the authorized_keys file on the server; the client proves possession of the matching private key
Kerberos - the client uses the Ticket Granting Ticket (TGT) obtained when the user logged on to the workstation to request a service ticket from the Ticket Granting Service (TGS) and presents it to the SSH server through GSSAPI (Generic Security Services API); the server validates the ticket
Generate SSH keys (creates ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub; protect the private key with a passphrase):
ssh-keygen -t rsa -b 4096
Copy the public key to the server (appends it to ~/.ssh/authorized_keys for that account):
ssh-copy-id bobby@10.1.0.10