Lesson 9 Flashcards
Best practice network design and architecture guides
Cisco’s SAFE Architecture
Places in the Network
Switch vs hub vs router
switch - MAC addresses - connects computers within the same network
hub - dumb switch
router - IP addresses - connects computers/devices to each other and to other networks
Application protocols
HTTP - defines the format of messages through which web browsers and web servers communicate
FTP - transferring files
SMTP - email servers
RTP (Real-time Transport Protocol) - network protocol for delivering audio and video over IP networks
DNS - you know what DNS does
Layer 2 forwarding and Layer 3 forwarding
The basic function of a network is to forward traffic from one node to another
Layer 2 - switches - MAC addresses within a local network
Layer 3 - multiple subnets, IP addresses, routers
ARP
• Address Resolution Protocol (ARP) - maps IP addresses to MAC addresses so that packets can be forwarded
• Routing protocols
• Communicate routing table updates
• Network segment and broadcast domain
A network segment is one where all the hosts attached to the segment can use local
(layer 2) forwarding to communicate freely with one another.
The hosts are said to be within the same broadcast domain.
• Implementing network segments
Assuming an Ethernet network, network segments can be established physically by
connecting all the hosts in one segment to one switch and all the hosts in another
segment to another switch. The two switches can be connected by a router and
the router can enforce network policies or access control lists (ACLs) to restrict
communications between the two segments.
• Layer 3 subnets
Because enterprise networks typically feature hundreds of switching appliances and
network ports (not to mention wireless access and remote access), segmentation is
more likely to be enforced using virtual LANs (VLANs). Any given switch port can be
assigned to any VLAN in the same topology, regardless of the physical location of
the switch. The segmentation enforced by VLANs at layer 2 can be mapped to logical
divisions enforced by IP subnets at layer 3.
Network Topology and Zones
Segments, VLANs, subnets
Network segments are separated physically at layer 2. VLANs separate segments logically at layer 2 to simplify wiring. Layer 3 subnets can be mapped to VLANs.
Zones
Zones represent isolated segments for hosts
that have the same security requirement. Traffic between zones is subject to filtering by
a firewall.
Zone types
Intranet, Extranet, Internet
Intranet - private
Extranet - business partners, suppliers, customers
Internet - allows anonymous access
DMZs
- Demilitarized zones (DMZs) isolate hosts that are Internet-facing
- Communications through the DMZ should not be allowed
- Ideally use proxies to rebuild packets for forwarding
Bastion Hosts
Hosts placed in DMZs (because they are Internet-facing)
- Not fully trusted by internal network
- Run minimal services
- Do not store local network account credentials
MitM
Man in the middle
A MitM or on-path attack is one where
the threat actor gains a position between two hosts, and transparently captures,
monitors, and relays all communication between the hosts.
For example, a MitM host could present a
workstation with a spoofed website form, to try to capture the user's credentials.
How to secure against a MitM attack
Mutual authentication, where both
hosts exchange secure credentials, but at layer 2 it is not always possible to put these
controls in place.
MAC address cloning/spoofing
The MAC (hardware interface) address is easy to change to a different value
ARP
arp—display the local machine’s Address Resolution Protocol (ARP) cache.
The ARP cache shows the MAC address of the interface associated with each IP
address the local host has communicated with recently.
ARP poisoning
Broadcasting unsolicited ARP
replies to poison the cache of local
hosts with a spoofed MAC address
• Attacker usually tries to
masquerade as default gateway (router)
- Attacker can either monitor the traffic and forward it on to the router, or...
- perform a DoS attack by not forwarding the packets
MAC flooding
• Overwhelm switch memory (used to store the switch's MAC address table) to
trigger unicast flooding
• Facilitates sniffing
Loop Prevention
Ethernet switch (or bridge) - frames looping around and around. Prevented by Spanning Tree Protocol (STP)
STP
Spanning Tree Protocol - prevents looping by setting up switches or bridges in a hierarchy
Broadcast Storm
Looping results in a storm from an exponential increase in traffic
Storm control - A storm control setting on a switch is a backup mechanism to
rate-limit broadcast traffic above a certain threshold.
BPDU Guard
• Configure switches to defeat attempts to
engineer a loop
• PortFast setting configured for access ports
• BPDU guard disables the port if STP traffic is
detected
Methods to prevent looping and broadcast storms
- spanning tree protocol
- Storm control configuration
- BPDU Guard
Physical Port Security
• Secure switch hardware
• Physically disconnect unused ports
• Disable unused ports via management interface
• MAC address limiting and filtering
Configuring MAC filtering on a switch means defining which MAC addresses are
allowed to connect to a particular port.
• Limit number of MAC changes
DHCP
DHCP is the protocol that allows a server to assign IP address information to
a client when it connects to the network.
DHCP Snooping
DHCP snooping inspects DHCP traffic arriving on
access ports to ensure that a host is not trying to spoof its MAC address.
Dynamic ARP Inspection
Can be configured along with DHCP snooping;
prevents a host attached to an untrusted port from flooding the segment
with gratuitous ARP replies.
Ways to protect Ports
- Physical port security
- MAC address limiting and filtering
- DHCP snooping
- Dynamic ARP inspection
Endpoint security
A set of security procedures and technologies designed to restrict network access at a device level (defense in depth). DMZs, in contrast, focus on perimeter security.
port-based network access control (PNAC)
PNAC means that the switch uses an AAA server to authenticate the
attached device before activating the port. Network access control (NAC) products
can extend the scope of authentication to allow administrators to devise policies or
profiles describing a minimum security configuration that devices must meet to be
granted network access. This is called a health policy.
Posture assessment
- Agent-based vs agentless
Process by which host health checks are performed against
a client device to verify compliance with the health policy. (Most NAC solutions do this.)
Agent-based - most NAC solutions use
client software called an agent to gather information about the device for posture assessment against the health policy.
- Persistent - installed on the device
- Non-persistent - loaded into memory
during posture assessment but not installed on the device
Agentless - useful when many devices are in use (IoT), but less detailed information is available
Network Access Control
• Endpoint security/defense in depth
• IEEE 802.1X/port-based network access control (PNAC)
• Can also enforce health policy
• Posture assessment
• Agent-based
• Persistent versus non-persistent
• Agentless
• Scanning software
• Device polling
Route injection
Spoofed routing information. Can redirect traffic to a spoofed website, send it to a black hole, or cause DoS through looping
Defend against route injection by configuring how a router identifies its peers, router appliance hardening, and patch management
SSID vs BSSID
SSID = Each wireless network is identified
by its name
BSSID = Each WAP is identified by its MAC address
Wireless Frequency bands and channels
Wireless networks can operate in either the 2.4 GHz or 5 GHz radio band. Each radio
band is divided into a number of channels, and each WAP must be configured to use
a specific channel.
Co-channel interference (CCI) vs adjacent channel interference (ACI)
CCI - when two WAPs in close proximity use the same
channel
ACI - two WAPs on the same radio band, but with channels that are too close together.
Site Survey
Used to measure signal strength and channel usage throughout the
area to cover.
Wi-Fi analyzer
The Wi-Fi
analyzer records information about the signal obtained at regularly spaced points as
the surveyor moves around the area.
Heat map
Site survey and Wi-Fi analyzer combined to create the heat map, showing where
a signal is strong (red) or weak (green/blue), which channel is being used, and
how the channels overlap.
How to secure a WAP
Where a site survey ensures availability, the confidentiality and integrity properties of
the network are ensured by configuring authentication and encryption. These settings
could be configured manually on each WAP, but this would be onerous in an enterprise
network with tens or hundreds of WAPs.
Wireless controller
Configuration of multi-WAP WLANs. Rather than configure each device individually, enterprise wireless solutions implement
wireless controllers for centralized management and monitoring. A controller can be
a hardware appliance or a software application run on a server.
Fat WAP vs thin WAP
Fat WAP - an access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller
Thin WAP - one that requires a wireless controller in order to function is
known as a thin WAP.
WAP physical security
Controllers and access points must be made physically secure, as tampering could
allow a threat actor to insert a rogue/evil twin WAP to try to intercept logons. These
devices must be managed like switches and routers, using secure management
interfaces and strong administrative credentials.
WPA v1
Wi-Fi Protected Access (WPA)
* Not considered strong enough
WPA uses the RC4 stream cipher but adds a mechanism called the
Temporal Key Integrity Protocol (TKIP) to make it stronger, but that still does not make it strong enough.
WEP
Similar to WPA v1; not strong enough
WPA2
Better than WPA v1, but weaknesses still found
• Advanced Encryption Standard (AES) replaces RC4
• Counter Mode with Cipher Block Chaining Message Authentication Code (CBC-MAC) Protocol (CCMP) replaces TKIP
• Also enables enterprise authentication options
WPA3
Best. Because of weaknesses found in WPA2, WPA3 was created
Wi-Fi authentication (WPA2 vs WPA3)
WPA2 pre-shared key authentication
• Passphrase used to generate a pairwise master key (PMK)
• 4-way handshake
• PMK is used to derive session keys
WPA3 personal authentication
• Password Authenticated Key Exchange (PAKE)
• Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake
• Dragonfly handshake
WPS (Wi-Fi Protected Setup)
WPS is designed for residential use to make it easier to secure WAPs
Vulnerable to brute force attacks
Easy Connect and DPP
The Easy Connect method, announced alongside WPA3, is intended to replace WPS as
a method of securely configuring client devices with the information required to access
a Wi-Fi network. Easy Connect is a brand name for the Device Provisioning Protocol
(DPP).
Open Authentication and Captive Portals
Captive portal - used in hotels, etc.
• Use an access point without authentication (or encryption)
• Secondary authentication via captive portal or splash page
• Everything sent over the link can be snooped
• Use secure protocols for confidential data (HTTPS, Secure IMAP, FTPS)
• Use a Virtual Private Network (VPN) to create a secure tunnel
• Wi-Fi Enhanced Open
Enterprise/IEEE 802.1X Authentication
• Extensible Authentication Protocol (EAP) over Wireless (EAPoW)
• Network directory authorization via RADIUS or TACACS+
• User credential is used to generate session encryption key
Extensible Authentication Protocol (EAP)
Designed to provide for interoperable security devices and software
EAP-TLS
One of the strongest types of authentication and is very widely supported.
- Transport Layer Security (TLS) to authenticate via device certificates/smart cards
- Both server and supplicant must have certificates
- Mutual authentication
PEAP, EAP-TTLS, and EAP-FAST
Just remember that these provide secure tunneling for user credentials
- Protected EAP (PEAP)
- EAP with Tunneled TLS (EAP-TTLS)
- EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
RADIUS Federation
Allows users from different organizations to log onto the same network
• Federated identity solution
• Mesh network for RADIUS servers operated by different institutions
• Eduroam - allows students of universities from several different countries to log on to the
networks of any of the participating institutions using the credentials stored by their
"home" university
Rogue Access Point
A rogue access point (or rogue WAP) is one that has been installed on the network without
authorization, whether with malicious intent or not. It is vital to periodically survey
the site to detect rogue WAPs.
A rogue WAP could also be used to capture user logon attempts, allow man-in-the-middle
attacks, and allow access to private information.
Evil Twin
Rogue access point (WAP) masquerading as a legitimate one.
- Use similar SSID
- Capture authentication information
Wi-Fi analyzers and rogue access points
Wi-Fi analyzers can detect rogue WAPs
Deauthentication, replay, and disassociation attacks
Deauthentication attack - The use of a rogue WAP may be coupled with a deauthentication attack. This sends a
stream of spoofed frames to cause a client to deauthenticate from a WAP. The deauth
frames spoof the MAC address of the target station.
Replay attack - This might allow the attacker to
perform a replay attack aimed at recovering the network key or interpose a rogue WAP.
Disassociation attack - similar to a deauth attack, but causes the client to just disassociate rather than fully deauthenticate
Configure Management Frame Protection (MFP/802.11w)
Protects against disassociation, deauthentication, and replay attacks
Initialization Vector (IV) attack
- Generate packets to strip the IV (the IV salts the hash, I believe)
* KRACK (key reinstallation attack) - is a way to do an IV attack
Jamming attack
A wireless network can be disrupted by interference from other radio sources.
- Environmental versus malicious interference
- Jamming attacks
* Denial of service
* Promote evil twin
- Use a spectrum analyzer to locate the source
Spectrum analyzer
Locates the source of a jamming attack or of non-malicious interference
Distributed Denial of Service Attacks
Coming from multiple sources (bots, botnet)
• Leverage bandwidth from compromised hosts/networks
• Handlers form a command and control (C&C) network
• Compromised hosts installed with bots that can run automated scripts
• Co-ordinated by the C&C network as a botnet
• Overwhelm with superior bandwidth (number of bots)
• Consume resources with spoofed session requests (SYN flood)
Command and control network
Coordinates bots (compromised hosts) as a botnet
Distributed Reflection DoS (DRDoS)
In a distributed reflection DoS (DRDoS) or amplification SYN flood attack, the threat
actor spoofs the victim’s IP address and attempts to open connections with multiple
servers. Those servers direct their SYN/ACK responses to the victim server. This rapidly
consumes the victim’s available bandwidth.
Types of Distributed Reflection DoS (DRDoS) or SYN flood attacks
Amplified SYN flood
Application attack
Operational technology (OT) network attacks
Distributed Denial of Service Attack Mitigation
• Drop traffic to protect other hosts in the routing domain
• Access control list (ACL)
• Remotely triggered blackhole (RTBH) - traffic goes nowhere
• Sinkhole routing - traffic goes somewhere it can be analyzed
• Cloud DDoS mitigation services
Load balancer
Load balancing - multiple servers - balancing the load
- There are multiple ways of distributing the load
- Each web server has an IP address
- The load balancer has an IP address, but we don't want people to connect to that IP address directly
So we have another virtual IP address which represents the entire pool.
Types of load balancers
• Layer 4 load balancer—basic load balancers make forwarding decisions on IP
address and TCP/UDP port values, working at the transport layer of the OSI model.
• Layer 7 load balancer (content switch)—as web applications have become more
complex, modern load balancers need to be able to make forwarding decisions
based on application-level data, such as a request for a particular URL or data types
like video or audio streaming. This requires more complex logic, but the processing
power of modern appliances is sufficient to deal with this.
Scheduling (load balancer)
Types of scheduling:
- Round robin (simplest) - just picks the next node
- Fewest existing connections, or the node with the best response time
- Each method can be weighted
Heartbeat or health check - The load balancer must also use some type of heartbeat or health check probe to verify
whether each node is available and under load or not. Layer 4 load balancers can only
make basic connectivity tests while layer 7 appliances can test the application’s state,
as opposed to only verifying host availability.
Source IP Affinity and Session Persistence
This is part of load balancing
Source IP affinity (or session affinity) - when a client establishes a session, it becomes stuck to the node that first accepted the request.
Session Persistence - Persistence typically works by setting a cookie, either on the node or injected
by the load balancer. This can be more reliable than source IP affinity, but requires the
browser to accept the cookie.
Clustering
Failover
You can cluster load balancers (but also web servers)
Active/passive vs active/active (you know this)
Quality of service vs FIFO
Most network appliances process packets on a best effort and first in, first out (FIFO)
basis. Quality of Service (QoS) is a framework for prioritizing traffic based on its
characteristics. It is primarily used to support voice and video applications that require
a minimum level of bandwidth and are sensitive to latency and jitter.
Latency vs Jitter (QoS)
Latency is the
time it takes for a transmission to reach the recipient.
Jitter is defined as a variation in the delay, or an inconsistent rate of packet
delivery.