Sec+ Chapter 12: Network Security Flashcards
Defense in depth
Medieval army attacking a castle analogy
Security principle that says environments must be built around multiple controls to ensure that one failure in a single control, or multiple controls, won’t cause a security breach
OSI Model
Open systems interconnection model
From the bottom-up
1) Physical
2) Data link
3) Network
4) Transport
5) Session
6) Presentation
7) Application
Network segmentation
The act of dividing up a network into logical, virtual, or physical groupings
VLAN
Virtual LAN
A broadcast domain that’s segmented at OSI layer 2 (data link)
Switches and other devices are used to create VLANs
DMZ
Demilitarized zone / screened subnet
Network zones containing systems that are exposed to less trusted areas
Commonly used to contain web services or other internet-facing devices
Intranet
Internal network protected from external access
Employees only, reachable from inside the network or over VPN
Extranet
Network set up for external access, usually by partners or customers rather than the public at large
Unlike a DMZ, this usually requires additional authentication to gain access
Zero trust
A concept that says nobody should be trusted, regardless of whether they’re an internal or external person or system
Zero trust network
A network that includes security between systems as well as at security boundaries
NAC
Network access control / network admissions control
NAC validates security status for systems and allows or disallows connection to a network
Rules for access can be based on user, group, location, application, etc
Agent based NAC
Requires installation and adds complexity and maintenance
Provides greater insight and control
Agentless NAC
Lighter weight; easier to handle for machines that aren’t centrally managed or devices that don’t support a NAC agent
Provides less detail and can’t be scheduled
Port security
Limiting the number of MACs that can be used on a single port
Prevents MAC spoofing, content addressable memory (CAM) table overflows, and extending network through additional devices
CAM table
Content addressable memory table
Maps MAC addresses to IP addresses which allows switches to send traffic to the correct port
CAM table attack vector
Attackers who can fill CAM tables can make switches fail over to broadcasting traffic, making otherwise inaccessible traffic visible on their local port
Effectively turns the switch into a hub without any intelligence for where frames should be sent
All frames are sent to all interfaces on the switch
Loop protection
Detecting loops and disabling ports to prevent loops from causing issues
STP
Spanning tree protocol
A common way to implement loop control on layer 2 networks
STP is also great at finding problems in a network
EX: An outage occurs, and you lose connectivity on a network path
STP constantly monitors itself and can go into convergence mode to examine what interfaces are available based on an outage
It can work around the problem, maintain comms on the network, and still prevent loops
Broadcast storm control
AKA Storm control
Prevents broadcast packets from being amplified as they traverse a network
Occurs when a loop in a network causes traffic amplification as switches attempt to figure out where traffic should be sent
Limits the number of broadcasts per second, controls multicast or unicast, or manages deviations from normal traffic patterns
BPDU guard
Bridge protocol data unit guard
STP takes 20-30 sec before it understands what path to use when a new device is connected to the network
It has to perform the same checks every time we plug in
Instead of the delay, we can configure the switch to let it know the only thing plugging in is an end station
Bypass the STP listening and learning, plug device in and instantly start communicating on the network
The issue is someone could plug in with another switch, and there would be a loop over that connection
To get the speed with port fast and security of STP, configure BPDU guard on the switch
BPDU is the primary protocol used by STP
Switch constantly watches comms coming from interfaces, and if an interface ever sends a BPDU frame it recognizes that a switch could be on the other side of that link
Port fast is then disabled before a loop can occur
DHCP snooping
Someone can plug in a DHCP server not authorized to be on the network, which creates DoS or security issue
Switches have a feature that looks for these problems, called DHCP snooping
Switch is configured with a list of trusted interfaces, but also other untrusted interfaces
Switch watches for DHCP conversations, and if it appears from an untrusted interface, the switch filters out the conversation and disallows it from being sent
SPAN
Switched port analyzer
Does the same as port mirror, but can combine traffic from multiple ports to a single port for analysis
Port mirror
Sends a copy of all traffic sent to one switch port to another switch port for monitoring
VPN
Virtual private network
Creates a virtual network link across a public network that allows endpoints to act as if they’re on the same network
Encryption is not a requirement, but often used in the tunnel
IPSec VPN
Internet protocol security VPN
Allows authentication and encryption over a layer 3 network, and also supports packet signing along with encryption
This provides secure data, with anti-replay protection built into the conversation
Two core IPSec protocols:
1) AH (authentication header): No encryption, hash of the packet and a shared key, adds AH to the packet header
Provides data integrity with hash
Guarantee origin of data with authentication key
Prevents replay attacks with sequence numbers
2) ESP (encapsulating security payload): Encryption with AES, hash with SHA 256, and authenticates
In most implementations, this will be combined with AH to make sure the data gets through the network without alteration
Two modes:
1) Tunnel mode: entire packet sent is protected
2) Transport mode: IP header not protected, but IP payload is
SSL VPN
Current implementations actually use TLS, not SSL, and communicate over port 443
It’s either:
1) Portal based: Users access through web page and then access services
2) Tunnel mode: IPSec VPN, entire packet sent is protected
L2TP VPN
Layer 2 tunneling protocol VPN
Many site to site VPNs are implemented with L2TP
Connects two networks together as if they’re on same layer 2 network but it’s happening through a layer 3 network
Doesn’t provide encryption, just provides tunnels
Often combined with IPSec for security
Site to site VPN
Used to create a secure network channel between two or more sites
Typically, they’re always on since they extend an org’s network
Firewalls often serve as the VPN concentrators
Remote access VPN
Used mainly by remote workers on an as-needed basis; turned on when they need specific resources, systems, or a trusted connection
Full tunnel VPN
All data and network traffic is sent through an encrypted tunnel to the VPN concentrator, and the user can’t break out of that tunnel to send information to another device directly
Data is sent to VPN concentrator which decides where that information needs to go before sending back to the remote user
Split tunnel VPN
The admin of the VPN can configure some information to go through the tunnel, and other information can go outside the tunnel
Traffic doesn’t need to go through the full tunnel to communicate with devices that aren’t on the tunnel
Jump server
A highly secure, hardened, and monitored device that spans two or more networks, allowing users to connect to it from one network and then “jump” to another
SSH, tunnel, VPN to other devices on the network
Load balancer
Distributes traffic to multiple systems, provides redundancy, and allows for ease of upgrades and patching
Proxy server
A device that sits between the users and the rest of the network
Accepts and forwards requests, centralizing the requests and allowing actions to be taken on the requests and responses
Useful for caching info, access control, URL filters, content scanning
Forward proxies
Accepts client requests, forwards to server, receives answer, validates, and sends user copy of the response
Conceals original client and can anonymize traffic or provide access to resources blocked by IP or location
Commonly used to protect and control user access to the internet
Reverse proxies
Users from internet hit a proxy to gain access to internal services on your network
Proxy examines requests from users; if valid and not malicious, it sends the request to the web server, gets the response, and sends a copy of the answer to the user on the internet
NAT
Network address translation
Allows a pool of addresses to be translated to one or more external addresses
EX: Allow many private IPs to use a single public IP to access internet
NAT gateway
In-home router
A network tool that provides private IPs and uses NAT to allow a single public IP to serve many devices behind the router
By default blocks all inbound access
Content filters
Allows or blocks traffic based on specific content rules
Simple rules: blocked URLs, domains, etc
Complex rules: Blocked by IP reputation, pattern matching, etc
DLP solutions
Data loss prevention solutions
Ensure data isn’t extracted or accidentally sent from a network
Frequently pairs agents on systems with filtering capability at the network border, email services, and exfiltration points
IDS
Intrusion detection system
Detects threats in your network and alerts you
Can’t take direct action
IPS
Intrusion prevention system
Detects threats in your network and takes direct action to stop them
Stateless firewalls
Does not keep track of traffic flows, and needs a rule base that covers all comms in both directions
Each packet is individually examined, regardless of past history
Traffic sent outside of an active session will traverse a stateless firewall
Not smart, has no idea about requests and responses, always defaults to its existing rule base
Stateful firewalls
Almost all firewalls today are stateful, and much more intelligent about how they allow traffic through a network
Stateful remembers the “state” of the session and creates a state table about a particular flow as it takes place
Watches all traffic between systems and allows comms to continue only once they’ve been approved vs reviewing every packet
Provides more context to make security decisions
NGFW
Next gen firewall
OSI application-layer firewalls
Often replace UTMs
Firewall with more features like IDS, IPS, antimalware, etc
WAF
Web app firewall
Unlike a normal firewall, it’s specifically built for web apps and applies rules to HTTP/S conversations
Inspects traffic sent to web servers, looks for attacks and patterns, and applies rules based on what it sees
UTM
Unified threat management
An all in one security appliance, AKA web security gateway
Devices that include firewall, IDS/IPS, antimalware, URL and email filtering, DLP, VPN, and security analytics
ACL
Access control list
A set of rules used to filter or control network traffic on a firewall
The series of variables that you choose are called tuples, and they’re groupings of information
Evaluates characteristics like src IP, dst IP, port, app, etc to match rules in ACL, looks at disposition, and allows or denies
Usually top to bottom in ACL decision logic, so place specific rules at the top of the list and general at the bottom
QoS
Quality of service
A set of controls that allows us to prioritize network traffic to make it through a network, even when it’s under attack or congested
BGP
Border gateway protocol
No strong security built in, which leads to accidental or purposeful BGP hijacking. A router advertises itself and ends up redirecting internet traffic through itself
OSPF
Open shortest path first
Some security like MD5 based authentication
Doesn’t secure actual data, but does validate that the data is complete and from the proper router
EIGRP
Enhanced interior gateway routing protocol
Cisco-proprietary protocol that provides authentication and helps prevent attackers from sending false routing messages
Routing security
Networks rely on routing protocols to determine what path traffic should take to other networks
Attackers will target routing protocols in order to intercept traffic, cause loop outages, DoS, MITM, congest networks, etc
DNS
Domain name system protocol / port 53
NOT SECURE - UNENCRYPTED AND UNPROTECTED
How to secure DNS?
Config DNS server to prevent zone transfers, turn on DNS logging, block DNS reqs to malicious domains
Domain name system security extensions (DNSSEC)
DNS sinkhole
DNS Sinkhole
A DNS server that hands out incorrect IPs
When a client requests an IP of an FQDN, this gives back incorrect or invalid information about the service
If attackers implement DNS sinkholes, they can redirect users to locations or create DoS
More commonly used to provide intel for the security pro
We know that users will visit known malicious sites if they’re infected with malware
Instead of letting them communicate with a malicious, external server, we instead configure a DNS sinkhole
If anyone ever requests the IP of a malicious site, we hand back the IP of a machine inside our own environment; we can then report on who contacted it to ID which devices in our org are infected with malware
This is often a feature of IPS or NGFW
If someone tries to communicate to a known malicious site, the DNS sinkhole will send an IP that redirects them to a known good site
Also creates an alarm for the security team at the org to know a particular device is infected
Infected device can’t comm with C2 and security team can clear that out before it spreads
File integrity monitor
Detects changes in files or systems that should never change, and reports on them, or restores them to normal
EX: Tripwire, Windows System File Checker (SFC)
Honeypot
A system intentionally configured to appear vulnerable, but heavily instrumented and monitored to document everything an attacker does while trying to access it
Honeynet
Networks set up and instrumented to collect information about network attacks
Multiple honeypots where you can gather info from multiple sources
An attacker may start on one server and go to other, or multiple attackers arrive at one time performing different functions on different honeypots
Honeyfile
A file that contains unique, detectable data left in an area an attacker is likely to find
If the data is discovered outside the network, the org knows they’ve been breached
Lives inside the honeypot and honeynet
EX: a passwords.txt file
Fake telemetry data
Machine learning takes big data and identifies patterns and info within the large data source
To have this ML understand what we’re looking for, we need to train it with actual data
Feed it malware, ransomware, viruses, etc that will show the ML what bad or malicious data looks like
ML then understands what it’s looking for and how to ID malware from the way it operates vs a specific signature
Attackers know this, so they add their own fake telemetry into the data to make the ML think the malware is actually something good
They can send the fake telemetry into the machine, and once the training is over, they can send their malware and it’ll pass
DNS
Domain name system
OG port: UDP/TCP 53
Secure option: DNSSEC
Secure port: UDP/TCP 53
FTP
FTPS / file transfer protocol secure
OG port: TCP 21 (and 20)
Secure port: TCP 21 (explicit) 990 (implicit)
Note: Using TLS
SFTP / secure file transfer protocol
OG port: TCP 21 (and 20)
Secure port: TCP 22 (SSH)
Note: Using SSH
HTTP
Hypertext transfer protocol
OG port: TCP 80
Secure option: HTTPS
Secure port: 443
Note: Using TLS
IMAP
Internet message access protocol
OG port: TCP 143
Secure option: IMAPS
Secure port: TCP 993
Note: Using TLS
LDAP
Lightweight directory access protocol
OG port: UDP / TCP 389
Secure option: LDAPS
Secure port: TCP 636
Note: Using TLS
POP3
Post office protocol v3
OG port: TCP 110
Secure option: POP3S
Secure port: TCP 995 - secure POP3
Note: Using TLS
RTP
Real time transport protocol
OG port: UDP 16384-32767
Secure option: SRTP
Secure port: UDP 5004
SNMP
Simple network management protocol
OG port: UDP 161 / 162
Secure option: SNMPv3
Secure port: UDP 161 / 162
Telnet
OG port: TCP 23
Secure option: SSH
Secure port: TCP 22
S/MIME
Secure / multipurpose internet mail extensions
Provides the ability to encrypt and sign MIME data, the format used for email attachments
Requires a certificate for users to be able to send and receive
IPSec
Internet protocol security
An entire suite of security protocols used to encrypt and authenticate IP traffic
AH
Authentication header - IPSec
Uses hashing and shared secret key to ensure integrity of data
Validates senders by authenticating IP packets sent
Ensures the IP payload and headers are protected
ESP
Encapsulating Security Payload - IPSec
Tunnel mode: Provides integrity and authentication for entire packet
Transport mode: Only protects payload
MITM
Man in the middle / on path attack
Attackers cause traffic to be relayed through their own system or device
They eavesdrop or even alter comms as they wish
SSL stripping
Combines an on-path attack with a downgrade attack; the attacker must sit in the middle of the conversation (proxy server, ARP spoofing, rogue WiFi hotspot, etc)
They’re able to strip the S from HTTPS so the traffic isn’t encrypted anymore (the TLS is removed)
EX:
1) Victim sends HTTP request for web page
2) Attacker intercepts traffic, sends unchanged HTTP to server
3) Server sends request back to attacker saying let’s do HTTPS instead of HTTP
4) Attacker sends back the HTTPS to the server
5) This sets up an encrypted channel between the attacker and the server, but not between the victim and the attacker
6) Server sends HTTPS to attacker, who decrypts it
7) Sends HTTP page back to victim
8) Victim might send login requests, information, etc that attacker sees
9) Attacker sees, but forwards HTTPS back to server
10) This goes on and on and on for as long as the attacker wants
MITB
Man in the browser / on-path browser
This relies on a Trojan or other malware that’s inserted into a victim’s browser
The malware will run on their machine and automate the processes
Huge advantage for the attacker, as any encrypted data on the network will show as unencrypted since you’re on the same computer
EX: Malware sits, waits for you to log into your bank, and then grabs credentials, keystrokes, etc and then transfers money, modifies your account, etc
Domain hijacking
Changes the registration of a domain so that the domain’s settings and configs can be changed by an attacker
Can intercept traffic, send and receive email, etc while appearing as legit domain holder
Attacker might brute force your password on the account, phish the info, gain access to email, etc
DNS poisoning
Where attackers redirect web traffic to an attacker’s website, often a fake webserver or phishing website, by:
1) Modifying DNS cache
2) MITM / on path and modify DNS queries sent to a client
3) Modify DNS information on the legit DNS server
URL redirection
Insert alternate IPs into a system’s hosts file
When the system looks up a site via DNS, it checks the hosts file first and will use the modified IP instead of the true IP
Domain reputation
Information about whether or not your domain is a trusted email sender, or if it spams
ARP poisoning
Address resolution protocol poisoning
Attacker sends unsolicited, malicious ARP packets carrying its MAC address to the machines on a network that it wants to poison
Since ARP has no security, the victim accepts the message, updates its ARP cache, and then sends traffic to the new MAC address
Attacker then performs the same poisoning to the router, and anything sent from victim to router is relayed through the attacker’s machine
MAC flooding
Media access control flooding
A layer 2 attack targeting switches: sends so many MACs to the switch that the CAM table overflows
Flooding results in switch sending traffic out to all ports to ensure traffic keeps flowing
MAC cloning
Media access control cloning
Duplicate the MAC address of a device
Volume based DDoS
Sends an insane amount of traffic to deny service
EX: UDP and ICMP floods
Protocol based DDoS
Focuses on the underlying protocols used for networking
EX: SYN flood, ping of death, smurf attack, Christmas tree
OT DDoS
Operational technology DDoS
DDoS on software / hardware that controls devices and systems in buildings, factories, powerplants, etc
Similar to network DDoS, but different detection methods and can be harder to ID
theHarvester
OSINT gathering tool that can get emails, domains, usernames, etc using search engines
MAC address
Media access control address
Every adapter card has a different, unique MAC
48 bits long / 6 bytes written in hex
First 3 bytes are the OUI (organizationally unique identifier), or the manufacturer portion of the MAC
The last 3 bytes are the serial number, which is incremented by the manufacturer
SSL / TLS Inspection
There might be malicious information encrypted inside SSL/TLS that we want to block from coming into our network
Since it’s encrypted, inspection lets us view what’s inside
This can’t be done easily, and must be specially configured, but it’s very useful to maintain security
It’s all based on trust. Your browser trusts the device it’s connecting to and is able to encrypt end to end
With inspection, we put ourselves in the middle but continue to have the trust on both client and server side
Active/active load balancer modes
Active/active == All servers active, if one fails the others pick up the load and keep going with no interruption
Load balancer affinity
Certain apps require that users communicate to exactly the same server
In those situations, load balancers will always distribute that comm to the same server
Usually tracked using session IDs, or combo of IPs and port numbers
Active/passive load balancer modes
Active/passive == when some of the servers are actively in use, and others are in standby mode
If one fails, other devices can move into active and provide services
Load balancer scheduling modes
1) Round robin: Each server is selected in turn
2) Least connection: Server with lowest use gets request
3) Agent-based adaptive balancing: Updates traffic distro based on agent’s report on server’s ability to respond
4) Source IP hashing: Assigns traffic based on hash of source IP
5) Weighted least: Uses least connection algo combined with predetermined weight for each server
6) Fixed weighted: Preassigned weight for each server based on capability or capacity
7) Weighted response time: Assigns traffic based on server’s current response time
IPS identification
1) Signature based: looks for matches
2) Anomaly based: Examines normal traffic and what changes with the flow
3) Behavior based: Recognizes certain behavior like what an SQL injection looks like when accessing a db
4) Heuristics: Use AI and ML to understand how network operates and ID malware based on the large data and intel
traceroute
Linux command that maps the entire path between two devices, so you know exactly what routers are between point A and point B
Information displayed comes from ICMP TTL exceeded error messages sent back by routers on the network
You send packets to the network, causes routers to create error message and send it back to you
FYI, not all devices will reply with ICMP time exceeded messages, some firewalls filter ICMP which could cause gaps
In Windows: tracert, sends ICMP echo requests (aka a ping command) but running in Windows can be difficult because outgoing ICMP is commonly filtered
Use command options to modify how you specify the protocols used
nslookup / dig
Windows and Linux
Query a DNS server to determine names and IPs
Slowly being deprecated in favor of dig (domain information groper)
dig has added functionality, probably your first choice now but needs to be installed in Windows
ifconfig / ipconfig
pathping
Windows command that merges ping and traceroute
Runs a traceroute to a destination IP to determine what routes are between your local device and the other one
Once that’s done, pathping measures the round trip and packet loss at each hop
route
Windows: route print
Linux: netstat -r
Know what the next route is outside the network, or what other routes are configured on a device
arp -a
Check the ARP table for known MAC addresses
curl
Client URL
Gets the raw data for web pages, FTP, emails, databases, etc
IP scanners
Search a network for IP addresses
Many different techniques like ARP if you’re on the local subnet
If not, you can use ICMP requests (ping), TCP ACK, ICMP timestamp requests
A response means more recon can be done with tools like nmap and hping
hping
TCP/IP packet assembler and analyzer
A ping that can send almost anything
Unlike a simple ping command, you can modify almost everything about the packet like IP, TCP, UDP, and ICMP values
sn1per
A recon tool that combines multiple tools into a single framework
dnsenum, metasploit, nmap, theHarvester, etc
Highly intrusive, know what you’re doing with this one
scanless
A port scan proxy that lets you run port scans from a different host
Cuckoo
A sandbox for malware, where you can safely test files in an isolated and secure environment