Securing & Supporting the Network Flashcards
Firewall
Filters (permits or denies) traffic based on a set of criteria
Rules created for inbound and outbound connections
Network Based or Host-Based
Network Based Firewall
Physical hardware on the edge of the network
Often also the edge router, or an inline filtering appliance sitting behind it
Usually capable of NAT (Network Address Translation) because they are internet-facing devices
Host-Based Firewall
Software on a computer like Windows Firewall
Controls which applications and ports are allowed to talk inbound and outbound on an individual workstation or host computer
Dedicated Network Firewalls
Can provide multiple security services
Firewalling, VPN services, Anti-Malware, Content Filtering
Usually for corporate environments
This is called UTM (Unified Threat Management)
UTM
Unified Threat Management
A device that provides multiple security services like Firewalling, VPN services, Anti-Malware, Content Filtering
ACL
Access Control List
Used on routers and firewalls to create a list of rules for permitting and denying traffic. Can define the protocol such as IP, Source network, destination network, and the TCP/UDP port # for matching traffic
Stateless Firewall
Evaluates each packet on its own against the Access Control List, with no memory of earlier packets; return traffic therefore needs its own (necessarily broad) permit rule
Modern firewalls use ACLs and also keep track of connections: the ACL decides whether a new connection may start, and the connection table handles the rest of that flow
Stateful Firewall
Keeps a table of active connections and allows return traffic only for connections that were first opened from inside the network; unsolicited inbound packets that match no tracked connection are dropped
Modern firewalls use ACLs and also keep track of connections: the ACL decides whether a new connection may start, and the connection table handles the rest of that flow
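The difference between the two cards above is easiest to see by running traffic through both models. The following simulation is an added example (not code from the original flashcards); the addresses, the "10.0.0." inside prefix and the string-prefix matching are constructed simplifications of a real ACL. It shows why a stateless ACL that wants HTTPS replies back in must permit anything from source port 443, and how a connection table removes that hole.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

INSIDE = "10.0.0."   # constructed inside network, matched as a string prefix

def match(rule_value, actual):
    """None in a rule means 'any'; strings match as address prefixes, ints exactly."""
    if rule_value is None:
        return True
    if isinstance(rule_value, str):
        return actual.startswith(rule_value)
    return rule_value == actual

def acl_lookup(pkt, acl):
    """Evaluate rules top-down, first match wins, implicit deny at the end."""
    for proto, src, sport, dst, dport, action in acl:
        if (match(proto, pkt.proto) and match(src, pkt.src) and match(sport, pkt.sport)
                and match(dst, pkt.dst) and match(dport, pkt.dport)):
            return action
    return "deny"

# Rule tuple: (proto, src, sport, dst, dport, action).
# Stateless: to let HTTPS replies back in, the ACL must permit anything
# arriving FROM source port 443, which an attacker can simply bind to.
STATELESS_ACL = [
    ("tcp", INSIDE, None, None, 443, "permit"),   # outbound HTTPS
    ("tcp", None, 443, INSIDE, None, "permit"),   # "return traffic", far too broad
]

# Stateful: only the outbound rule is needed; replies are matched against
# the connection table rather than the ACL.
STATEFUL_ACL = [
    ("tcp", INSIDE, None, None, 443, "permit"),
]

class StatelessFirewall:
    def filter(self, pkt):
        return acl_lookup(pkt, STATELESS_ACL)

class StatefulFirewall:
    def __init__(self):
        self.connections = set()   # 5-tuples of flows opened from inside

    def filter(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.connections or rev in self.connections:
            return "permit"                 # packet belongs to a tracked flow
        action = acl_lookup(pkt, STATEFUL_ACL)
        if action == "permit":
            self.connections.add(fwd)       # remember the flow the inside host opened
        return action

def run_scenario(fw):
    """Constructed traffic: one legitimate HTTPS exchange, then an attacker
    on the internet who sets his source port to 443 and aims at SSH (22)."""
    out = Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443)
    reply = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000)
    attack = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 22)
    return [fw.filter(out), fw.filter(reply), fw.filter(attack)]

if __name__ == "__main__":
    print("stateless:", run_scenario(StatelessFirewall()))   # all three permitted
    print("stateful: ", run_scenario(StatefulFirewall()))    # attack denied
```

Cisco-style ACLs narrow the stateless hole with the `established` keyword (only packets with ACK or RST set match), but that still trusts flags the attacker controls; only the connection table actually knows whether the inside host opened the flow.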
Deep Packet Inspection
Advanced Firewalls are capable of inspecting the contents of packets
Allows a firewall to determine the context of the connection (what it’s really doing) “What is the purpose of this traffic?”
Application Aware Firewall
AKA Context Aware Firewall
Can understand what devices, and what services and applications, the packets are for
Makes Network Based anti-malware possible
Decisions can be made on what is deep inside the packets rather than just where it's coming from and where it's going
Context Aware Firewall
AKA Application Aware Firewall
Can understand what devices, and what services and applications, the packets are for
Makes Network Based anti-malware possible
Decisions can be made on what is deep inside the packets rather than just where it's coming from and where it's going
VPN
Virtual Private Network
Extends a private network across a public network (the internet) by tunnelling traffic between two endpoints
Normally incorporates encryption and authentication to protect the VPN tunnel; an unencrypted tunnel (plain GRE, for example) provides no confidentiality
Host to Host VPN
Site to Site VPN
VPN Concentrator
Virtual Private Network Concentrator
A VPN concentrator is a device dedicated to terminating large numbers of VPN connections. Often the firewall also acts as the VPN concentrator, but it can be a separate device
VPN Protocols
PPTP (Point-to-Point Tunneling Protocol)
GRE Tunnel (Generic Routing Encapsulation Tunnel)
IPSec (Internet Protocol Security)
SSL VPN (Secure Sockets Layer VPN)
PPTP
Point-to-Point Tunneling Protocol
VPN Protocol
Uses PPP for authentication and a modified GRE (Generic Routing Encapsulation) for the tunnel. PPTP itself defines no encryption (Microsoft implementations add MPPE, and the MS-CHAPv2 authentication they rely on has been broken); treat it as insecure and obsolete
GRE Tunnel
Generic Routing Encapsulation Tunnel
VPN Protocol
Used between routers to create a generic, unencrypted tunnel. Combined with IPSec (Internet Protocol Security) to create an encrypted VPN tunnel
IPSec
Internet Protocol Security
VPN Protocol
Provides authentication, integrity and encryption for IP traffic. Uses IKE (Internet Key Exchange), which is built on the ISAKMP (Internet Security Association and Key Management Protocol) framework, to authenticate the peers and negotiate security associations and session keys (Diffie-Hellman)
Integrity/authentication algorithms: HMAC-MD5 and HMAC-SHA-1 (legacy), HMAC-SHA-2
Encryption algorithms: DES and 3DES (legacy, avoid), AES; Blowfish in some implementations
SSL VPN
Secure Sockets Layer Virtual Private Network (today the protocol is TLS, but the name stuck)
Uses SSL/TLS to establish VPN connectivity. For host-to-site (remote access) VPN. A web browser or thin client can be used to connect, which is easier for VPN users.
NOT for site to site
Network Segmentation
An architecture that divides a network into smaller sections or subnets
DMZ
Demilitarized Zone
A separate network segment that sits between the private LAN and the public internet, with a firewall (or firewall interface) on each side
Used to expose web servers and other public-facing servers to the internet without exposing the private LAN
If a machine in the DMZ is compromised the attacker still has to get through the inner firewall to reach the LAN, so keep DMZ-to-LAN rules minimal (ideally the LAN initiates connections to the DMZ, never the reverse)
Web servers are placed in the DMZ with only port 80 (and 443) opened from the outside to those servers, and nothing opened from the outside to the LAN
Honey Pot
A host that is exposed or partially exposed to invite attacks while monitoring and collecting information about the attacker
Honey Net
An entire network that is made to look like a live production environment with weak security, inviting attacks for monitoring purposes
Testing Lab
Separated from the production network
Useful for :
Testing patches and updates before deploying to the production network
Test new/different hardware/software set ups
Test fixes to complex problems
Train others on lab equipment without interfering with the production network
VLANs
Virtual Local Area Networks
Used for applying segmentation across the entire network and implement security in different ways for each VLAN
Can set up ACL that apply to each VLAN Gateway
Malware
Software written specifically to harm and infect a host system.
Includes viruses, worms, trojan horses, spyware, adware, ransomware, etc.
Compromised System
A host, server, network node, or other computer system that has been infected with malware or otherwise successfully attacked and exploited.
Compromised system sometimes give themselves
Attacks and Threats
Most attacks are performed by compromising computers with Malware that is designed to perform a specific type of attack
DoS (Denial of Service)
DDos (Distributed Denial of Service)
DoS
Denial of Service
Floods the target with traffic (or otherwise exhausts a resource) so that legitimate users cannot be served
DDoS
Distributed Denial of Service
Botnet of zombie computers used in a coordinated attack; the target cannot handle all the traffic and goes offline
Smurf Attack
DDoS attack
Floods the target with ICMP (Internet Control Message Protocol) echo replies by spoofing the target's address as the source of the echo requests (pings)
Attacker sends an IP directed-broadcast ping to a large network with the source IP spoofed to the victim's address; every host on that network replies to the victim, amplifying the attack
Most modern routers have IP directed broadcast disabled by default (Cisco: no ip directed-broadcast), which removes the amplifier
VLAN Hopping
Virtual Local Area Network Hopping
A malicious user on one VLAN gains access to traffic on another VLAN that they should not be able to reach
Either negotiates a trunk with the switch (switch spoofing, via DTP) or double-tags frames with two 802.1Q VLAN tags, so the first switch strips the outer tag and the second delivers the frame into the inner VLAN
Can also abuse VoIP (Voice over IP) ports, which carry both a data VLAN and a voice VLAN; mitigate by disabling DTP on access ports and using an unused VLAN as the native VLAN on trunks
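The double-tagging variant is easier to understand with the frame bytes in front of you. Below is an added example (not from the original flashcards) that builds an Ethernet frame with two 802.1Q tags, models what the first switch does on trunk egress and what the second does on ingress, and then shows the effect of the native-VLAN mitigation. The switch behaviour is a deliberate simplification of real forwarding, and the MACs and VLAN numbers are constructed.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Ethernet II frame with one 802.1Q tag per VLAN id, outermost first.
    A tag is TPID 0x8100 followed by the TCI, whose low 12 bits are the VID."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return (VLAN ids outermost-first, ethertype, payload)."""
    vids, offset = [], 12
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vids, ethertype, frame[offset + 2:]

def trunk_egress(frame, native_vlan):
    """First switch. Frames of the trunk's native VLAN are sent untagged,
    so the outer tag is removed; whatever sits underneath rides along."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        return frame[:12] + frame[16:]   # strip the first 4-byte tag
    return frame

def trunk_ingress_vlan(frame, native_vlan):
    """Second switch. An untagged frame belongs to the native VLAN; a tagged
    frame goes to the VLAN named in its (now outermost) tag."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan

def double_tag_scenario(attacker_vlan, native_vlan, victim_vlan):
    """Attacker in attacker_vlan sends a frame tagged [attacker_vlan, victim_vlan];
    report which VLAN the second switch delivers it into."""
    attack = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                         [attacker_vlan, victim_vlan], ETHERTYPE_IPV4, b"constructed payload")
    on_trunk = trunk_egress(attack, native_vlan)
    return trunk_ingress_vlan(on_trunk, native_vlan)

if __name__ == "__main__":
    print("native VLAN 1 = attacker's VLAN:", double_tag_scenario(1, 1, 20))    # 20: hopped
    print("native VLAN moved to unused 999:", double_tag_scenario(1, 999, 20))  # 1: contained
```

The attack only works one way (the victim cannot reply into the attacker's VLAN), which is why it is mostly useful for one-shot attacks such as DoS or unidirectional injection; the native-VLAN change and `switchport nonegotiate` on access ports remove it entirely.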
MITM
Man-in-the-Middle attack
An attacker causes traffic between two endpoints to be sent through the attacker
Attacker can then intercept and manipulate the data
Could be on a local LAN with a malicious user or via the public internet
Many kinds of MITM attacks:
ARP Poisoning
Session Hijacking
ARP Poisoning
MITM attack
Malicious user poisons the ARP cache of devices communicating with each other so that their layer 2 frames will be redirected to a machine used to intercept the communication
Session Hijacking
MITM Attack
Malicious user intercepts the session cookie of an unencrypted (HTTP, port 80) web session and uses it to take over the session
Various methods: sniffing, which requires the attacker to be in the same broadcast domain as the target, or cross-site scripting and browser-hijacking malware that let attackers steal sessions remotely; HTTPS plus the Secure and HttpOnly cookie flags defeat the first two routes
Brute Force Attack
Attacker uses cracking software, dictionary lists and other username and password lists in the hope of eventually hitting the correct combination; slow password hashing, account lockout and MFA raise the cost
Zero-Day Attacks
Attackers use exploits for vulnerabilities not yet known to the vendor or public, leaving organizations unprotected until the flaw is disclosed and patched or mitigated
Social Engineering
Attackers trick people and use their trust to gain access to systems and critical or private information such as usernames, passwords, accounts numbers, ip addresses, etc.
Phishing, spear phishing, baiting, tailgating, dumpster diving
Use a shredder (the dumpster-diving countermeasure)
Security policies, procedures and end user awareness training are the best ways to stop most social engineering attempts
Spear Phishing
Targeted email crafted for a specific person, for example one that appears to come from your boss
Baiting
Trojan horse malware on flash drive hoping someone will plug it in
Vulnerabilities
Unnecessary programs and services running on a machine (BitTorrent, eMule)
Open TCP/UDP ports
Old or unpatched systems
Clear text credentials and unencrypted channels
Insecure protocols: Telnet, HTTP, SLIP, FTP, TFTP, SNMPv1, SNMPv2
RF Emanating / Emanations / EMR
Sensitive systems should be protected from potential snooping/eavesdropping on RF emanations and the TEMPEST standards can be followed to ensure the proper RF shielding is in place
Ransomware
Attackers use a form of malware that encrypts the files on the device (and often on reachable network shares), holding them hostage for ransom
If the ransom is not paid the attacker withholds the decryption key; paying does not guarantee recovery either, so tested offline backups are the real defence
Phishing
Attacker uses electronic communication (like email) to obtain information such as usernames and passwords, bank information, etc.
Phishing emails are disguised as official email from a trusted source and usually attempt to make you click on a link
Deauthentication
Attacker deauthenticates (logs out) a user
Wifi deauthentication attack
Attacker sends spoofed 802.11 deauthentication frames pretending to be the AP; these are unauthenticated unless Protected Management Frames (802.11w) are enabled
User gets kicked off and may reconnect to the attacker's evil twin access point
Sniff the WPA2 4-way handshake when the user reconnects, then crack the passphrase offline
Hijack the wifi connection
Mount a MITM attack
Insider Threat
Malicious employee
Trusted person on the inside who takes advantage of their network access to cause harm or steal data
To identify, look for unusual login times, large data downloads or transfers, access to systems outside the person's role, etc.
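The two indicators on the card (odd-hour logins, unusually large downloads) are simple to check mechanically once the logs are in a parseable form. The following is an added example, not part of the original flashcards: the log lines, the key=value format, the business-hours range and the 5 GiB threshold are all constructed assumptions that would be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 19)         # 08:00-18:59; assumed policy for this example
DOWNLOAD_THRESHOLD = 5 * 1024 ** 3    # 5 GiB per user per log window; assumed

# Constructed log lines in a simple key=value format (not from any real product).
LOGS = """\
2024-03-04T09:12:44 user=alice event=login src=10.0.1.20
2024-03-04T09:40:02 user=alice event=download bytes=120000000 share=finance
2024-03-04T02:17:31 user=bob event=login src=10.0.1.77
2024-03-04T02:25:10 user=bob event=download bytes=4800000000 share=engineering
2024-03-04T02:58:45 user=bob event=download bytes=3100000000 share=engineering
2024-03-04T14:03:12 user=carol event=login src=10.0.1.31
""".splitlines()

def parse(line):
    """Timestamp first, then key=value fields."""
    timestamp, *fields = line.split()
    record = {"ts": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record

def flag_insiders(lines):
    """Return {user: [reasons]} for users whose behaviour matches the two
    indicators on the card: logins at odd hours and unusually large downloads."""
    odd_hour_logins = defaultdict(list)
    bytes_downloaded = defaultdict(int)
    for rec in map(parse, lines):
        if rec["event"] == "login" and rec["ts"].hour not in BUSINESS_HOURS:
            odd_hour_logins[rec["user"]].append(rec["ts"].strftime("%H:%M"))
        elif rec["event"] == "download":
            bytes_downloaded[rec["user"]] += int(rec["bytes"])

    findings = {}
    for user in set(odd_hour_logins) | set(bytes_downloaded):
        reasons = []
        if user in odd_hour_logins:
            reasons.append(f"login outside business hours at {odd_hour_logins[user]}")
        if bytes_downloaded[user] > DOWNLOAD_THRESHOLD:
            reasons.append(f"downloaded {bytes_downloaded[user] / 1024 ** 3:.1f} GiB")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in flag_insiders(LOGS).items():
        print(user, "->", "; ".join(reasons))   # only bob is flagged
```

In practice the threshold should be relative to each user's own baseline (a backup operator moves far more than 5 GiB a day), and a single odd-hour login is a prompt to look, not proof of anything.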
Logic Bomb
Malicious code that sets off a malicious function or activity when certain conditions are met
Called a bomb because it is set off or triggered by some condition or certain time
Example: code inserted by an employee that deletes certain files if they are terminated from the company
NAC
Network Access Control
Defines which nodes are authorized to connect (by MAC address, or better, by 802.1x identity)
Performs posture assessment on connecting hosts for things like antivirus and places them in quarantine if they fail the posture assessment
Persistent agent – installed on the host, recurring scanning
Non-persistent (dissolvable) agent – one-time scan at connection time
Anti-malware Software
Host based:
Cloud server based:
Network based
No single type of anti-malware protection is the best option, it’s best to use multiple forms of anti-malware implementations to provide a wider coverage
Host based Anti-malware
Installed directly on the host computer
Every device needs its signatures updated constantly, which is hard to manage
Large organizations require an anti-malware management server to track, push and manage updates
Cloud server based Anti-Malware
Centralized anti-malware service that runs in the cloud or on a local server
Inbound and outbound communication requests are examined
Easy to Manage
Network based Anti-Malware
runs on firewalls or other nodes that process internet traffic like proxy servers
All traffic that passes through it is examined and uses signatures to identify malware
Doesn’t require any software on the host - the entire network is protected
ARP Inspection
Switch Security
With dynamic ARP Inspection (DAI) switches can intercept all ARP requests and replies and determine the validity of the IP to MAC binding
Drops invalid and spoofed ARP packets
Prevents ARP poisoning/spoofing and the MITM attacks built on it; depends on the DHCP snooping binding table (or static ARP ACLs) to know which IP belongs to which MAC
DHCP Snooping
Switch Security
Identifies trusted DHCP servers
Acts like a DHCP firewall between servers and hosts: DHCP server messages are only accepted on trusted ports
Filters all abnormal/invalid DHCP traffic and builds the IP-to-MAC binding table that Dynamic ARP Inspection relies on
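The ARP poisoning card and the two switch-security cards above (Dynamic ARP Inspection, DHCP snooping) describe one mechanism seen from both sides, so here is one added example that models it (not code from the original page). The port names, MACs and addresses are constructed, and the behaviour is an assumption modelled on the common Cisco semantics: ports are untrusted unless listed, DHCP server replies are dropped on untrusted ports, and DAI checks ARP sender fields against the snooping bindings.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Access switch with DHCP snooping and Dynamic ARP Inspection enabled."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> ip
    dropped: list = field(default_factory=list)

    def on_dhcp(self, port, vlan, msg_type, client_mac, your_ip=None):
        """DHCP snooping: server messages (OFFER/ACK) are only accepted on
        trusted ports; every completed lease is recorded as a binding."""
        if msg_type in ("OFFER", "ACK") and port not in self.trusted_ports:
            self.dropped.append(f"rogue DHCP {msg_type} for {client_mac} on {port}")
            return False
        if msg_type == "ACK":
            self.bindings[(vlan, client_mac)] = your_ip
        return True

    def on_arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match the
        binding table (or a static entry); anything else is a spoof and is dropped."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get((vlan, sender_mac)) == sender_ip:
            return True
        self.dropped.append(f"DAI: {sender_mac} claims {sender_ip} on {port}")
        return False

def scenario():
    """Constructed addresses. Gi0/24 is the uplink toward the real DHCP
    server and default gateway; Gi0/3 is the attacker's access port."""
    sw = Switch(trusted_ports={"Gi0/24"})
    gateway_mac, gateway_ip = "aa:aa:aa:aa:aa:01", "10.0.10.1"
    sw.bindings[(10, gateway_mac)] = gateway_ip            # static entry for the gateway
    sw.on_dhcp("Gi0/24", 10, "ACK", "aa:aa:aa:aa:aa:02", "10.0.10.5")   # victim's lease
    sw.on_dhcp("Gi0/24", 10, "ACK", "aa:aa:aa:aa:aa:03", "10.0.10.9")   # attacker's lease

    results = {
        # attacker runs a rogue DHCP server to hand the victim a bogus gateway
        "rogue_dhcp": sw.on_dhcp("Gi0/3", 10, "OFFER", "aa:aa:aa:aa:aa:02", "10.0.10.50"),
        # attacker's honest ARP reply for its own address is fine
        "honest_arp": sw.on_arp("Gi0/3", 10, "aa:aa:aa:aa:aa:03", "10.0.10.9"),
        # attacker claims the gateway's IP to poison the victim's ARP cache
        "spoofed_arp": sw.on_arp("Gi0/3", 10, "aa:aa:aa:aa:aa:03", gateway_ip),
        # the real gateway answering over the trusted uplink is never inspected
        "gateway_arp": sw.on_arp("Gi0/24", 10, gateway_mac, gateway_ip),
    }
    return results, sw.dropped

if __name__ == "__main__":
    results, dropped = scenario()
    print(results)
    print("\n".join(dropped))
```

Note the dependency: if the uplink were left untrusted, the legitimate DHCPACKs would be dropped, no bindings would form, and DAI would then drop every host's ARP. Trust exactly the ports behind which the real servers live, and no others.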
MAC Filtering
Switch Security
Switches can keep a list of MAC addresses to permit or deny access
Port Security
Switch Security
Allows only specified MAC addresses (or the first N addresses it learns, "sticky") to use the switch port
If another MAC address appears on the port, the port is shut down (err-disabled) or the offending frames are dropped, depending on the configured violation mode
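An added example (not from the original flashcards) modelling the port security card, including the violation modes a real switch offers. The semantics are an assumption based on the usual Cisco behaviour (one sticky MAC by default; shutdown, restrict and protect violation modes) and the MAC addresses are constructed.

```python
class SecurePort:
    """Switch port with port security. Learn up to max_macs addresses
    ("sticky"), then treat any other source MAC as a violation and either
    err-disable the port (shutdown), drop and count (restrict) or just drop (protect)."""

    def __init__(self, max_macs=1, violation="shutdown"):
        self.max_macs = max_macs
        self.violation = violation
        self.allowed = set()
        self.err_disabled = False
        self.violations = 0

    def receive(self, src_mac):
        if self.err_disabled:
            return "drop (err-disabled)"
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.max_macs:
            self.allowed.add(src_mac)        # sticky-learn the first MAC(s) seen
            return "forward (learned)"
        if self.violation != "protect":
            self.violations += 1             # restrict and shutdown both count/log
        if self.violation == "shutdown":
            self.err_disabled = True         # port goes err-disabled; needs admin reset
            return "drop (port shut down)"
        return "drop (violation)"

    def recover(self):
        """Administrator clears err-disabled with shutdown / no shutdown
        (or errdisable recovery does it after a timer)."""
        self.err_disabled = False
        self.violations = 0

def scenario(mode):
    """Constructed MACs: the assigned PC, then someone plugs a second device
    (or a small unmanaged switch) into the same wall jack."""
    port = SecurePort(max_macs=1, violation=mode)
    pc, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    return [port.receive(pc), port.receive(pc), port.receive(rogue), port.receive(pc)]

if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, scenario(mode))
```

Shutdown mode is the safest default because it makes the violation visible (the legitimate user calls the helpdesk); protect mode silently drops and is easy to overlook. Remember that port security checks source MACs only, so it does nothing against a single device that simply clones the allowed MAC.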
VLANS
Virtual Local Area Networks
Switch Security
VLANs allow us to segment the network into smaller parts and apply security to each VLAN separately
Can restrict which VLANS can talk to each other and restrict other network access with VLAN ACL (Access Control List)
SSH
Secure protocol that encrypts terminal sessions (and can tunnel other traffic)
TCP port 22
SNMP v3
Secure protocol that adds user/password authentication (with hashing, HMAC) and encryption to SNMP (Simple Network Management Protocol) traffic
UDP port 161 (traps/notifications on UDP 162)
SFTP
Secure File Transfer Protocol (SSH File Transfer Protocol)
Secure Protocol
uses SSH to encrypt file transfer
TCP port 22 (same as SSH, as it runs over SSH)
HTTPS
Hyper-Text Transfer Protocol Secure
Secure Protocol
uses SSL/TLS to encrypt the web session
TCP port 443 (for both SSL and TLS)
IPSec
Internet Protocol Security
Secure Protocol
VPN tunnel encryption (up to AES (Advanced Encryption Standard), which is the current choice)
IKE on UDP port 500 (UDP 4500 with NAT traversal); the tunnel itself is ESP, IP protocol 50 (or AH, protocol 51), which has no TCP/UDP port at all
Telnet
Insecure Protocol
Clear text terminal
tcp port 23
SNMP v 1/2
Simple Network Management Protocol
Insecure Protocol
insecure network management: community strings (the passwords) are sent in clear text
UDP port 161
FTP
File Transfer Protocol
Insecure Protocol
insecure file transfer, credentials in clear text
tcp port 20 and 21
HTTP
Hyper-text Transfer Protocol
Insecure Protocol
unsecure web session
tcp port 80
PPTP
Point-to-Point Tunneling Protocol VPN
VPN whose encryption and authentication are broken; treat as unencrypted
TCP port 1723 for control, plus GRE (IP protocol 47) for the tunnel
802.1x
User Authentication (port-based network access control using EAP, the Extensible Authentication Protocol, carried as EAPOL between client and switch and as RADIUS to the authentication server)
Users have zero network access until authenticated; the switch port passes only EAPOL until the authentication server approves
Related authentication protocols (these are PPP-based and used for dial-up and VPN access rather than by 802.1x itself)
PPP (Point to Point Protocol)
PAP (Password Authentication Protocol, clear text)
MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol)
Username and password authentication
Used for remote server access, VPNs, etc.
Kerberos
Centralized network authentication system
Used with Windows domain client authentication
Can be used to secure any service request
SSO
Single Sign On
Allows access to multiple systems with a single set of credentials
Creds from a directory server provide access to multiple applications
LDAP (Lightweight Directory Access Protocol) directory holds the accounts
Authentication token passed to configured SSO application
Multi-Factor Authentication
Two-factor authentication adds a second factor to the password: a one-time password texted to your phone or generated by an authenticator app, a PIN, biometrics, a physical token, a mobile phone token. Security questions are still "something you know", so they do not add a factor, and SMS codes are the weakest of the rest.
Five factors of MFA
Something you know – PIN, username and password, security questions
something you have - phone, authenticator token, usb memory stick, etc
something you are - finger print, retina scan, voice signatures
somewhere you are - factor based on your location, geolocation, ip address
something you do - typing rhythm, handwritten signature, writing style, hand-drawn patterns
Mantraps
Separate room before you go into the main facility
Area to check you for security before you go into a building
Room usually has a locking mechanism
Network Closets and Locked Racks
Put locked server racks into locked closets
Video Monitoring
IP Cams or CCTV
Door Access Controls
Keypads and cipher locks
proximity readers / key fob
Biometric scans
Security Guards
To keep things secure
IDS
Intrusion Detection System
IDS analyzes traffic that passes through the network (by signature or by anomaly); if it sees something abnormal it sends an alert but does not block anything itself
HIDS
Host based Intrusion detection
On computers
NIDS
Network based Intrusion detection
On network
IPS
Intrusion Prevention System
Sits inline and actively blocks malicious traffic in addition to sending alerts; a false positive therefore causes an outage, not just noise
Risk Management
About Assessing and minimizing risk
Security Policies
Outlines the security standards of the network.
Requires users to sign AUP (Acceptable Use Policy) before they can use the network
Security Controls
Enforces security policies
Good end user training is one of the best security measures
Patch Management
Helps to keep on top of patches and updates
Vulnerability Scanning
Assesses network security by scanning for known weaknesses (open ports, missing patches, weak configurations); reports findings but does not exploit them
Pen Testing
Penetration testing
Assesses network security by actually exploiting weaknesses, with authorization, to show what an attacker could reach; goes beyond what a scanner reports
First Responders
First person on the scene of a computer crime
Must preserve and safe guard the digital evidence
Must also follow escalation policy and document the scene after securing the area
eDiscovery
Electronic Discovery
Identifying, discovering, collecting, and exchanging ESI (Electronically Stored Information)
Digital documents, emails, texts, audio, video, databases, voicemail, spreadsheets, websites, any kind of electronic information
Evidence / Data Collection
Only a digital Forensics expert should attempt recovery
Storage Imaging / Duplication
Copies of the data can be made for preservation
Only perform imaging if authorized to do so
Handling the Evidence
Chain of Custody - evidence must be handled carefully, record all changes of hands, and should be traceable all the way back to the original scene
Data Transport - keep evidence away from magnetic fields, speakers, magnets, radio transmitters, etc. package during travel and prevent shock and vibration, and document all transportation activities
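Chain of custody is a paper process, but the thing that makes it checkable is the hash taken at acquisition and re-taken at every hand-over. The following is an added example (not code from the original flashcards) that images a constructed "drive", hashes it while reading, records each custodian in an append-only log, and shows the verification failing after a single byte of the image is altered in transit. The case id, custodians and temp-file paths are hypothetical.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so multi-GB images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image_path, chunk=1 << 20):
    """Bit-for-bit copy of the source, hashing the bytes as they are read so
    the acquisition hash describes exactly what came off the original media."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

class ChainOfCustody:
    """Append-only record of who held the evidence, when, and what it hashed to."""

    def __init__(self, case_id, image_path):
        self.case_id = case_id
        self.image_path = image_path
        self.entries = []

    def record(self, custodian, action, sha256):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "sha256": sha256,
        })

    def verify(self):
        """The image is intact only if it still hashes to the acquisition hash."""
        return sha256_of(self.image_path) == self.entries[0]["sha256"]

    def to_json(self):
        return json.dumps({"case": self.case_id, "entries": self.entries}, indent=2)

def demo():
    """Constructed 'drive' in a temp dir; hypothetical case id and custodians."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect_disk.bin")
    with open(source, "wb") as f:
        f.write(os.urandom(4096))
    image = os.path.join(work, "suspect_disk.img")

    coc = ChainOfCustody("CASE-0001", image)
    coc.record("first responder", "acquired image on scene", acquire_image(source, image))
    coc.record("forensic analyst", "received, re-hashed on intake", sha256_of(image))
    intact_on_intake = coc.verify()

    with open(image, "r+b") as f:        # simulate a single flipped byte in transit
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0xFF]))
    return intact_on_intake, coc.verify(), len(coc.entries)

if __name__ == "__main__":
    print(demo())   # (True, False, 2)
```

Real acquisitions use a hardware write blocker on the source and keep the original untouched; analysis is done on a second copy of the image, and the hash in the custody log is what ties the copy on the analyst's bench back to the scene.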
Forensic Report
Evidence is examined and analyzed
Report provided after digital forensics completed
Written case report to present gathered information
May be provided by authorities or forensic analysts
Legal Hold
If organization becomes part of an investigation a legal hold may be placed on the computer systems and data
Provided notice from legal counsel in anticipation of litigation
Includes precise instructions to preserve digital records, tape backups, archived media and other types of ESI (electronically stored information)
In this case, data must not be destroyed
Change Management
A formal process to introduce change in a controlled and coordinated manner
Ensures changes are properly communicated
Attempts to prevent downtime or outage of system
Change Request
First document the reason for change
Submit a request for this change
Request should include:
Configuration Procedures
Potential Impact of Change
Notification Process
Rollback Process
Approval and Implementation
Approval process differs based on the size, impact, and urgency
Maintenance window must be established for implementation
Impacted users must be notified of the change
Documentation
After successful implementation of the change, update all documents
Network configurations, additions to the network diagram, and changes to physical locations
Business Continuity
A plan to ensure an organization has a speedy recovery and can continue to operate after a business disruption
Includes Disaster Recovery, mainly concerning IT systems
Disaster Recovery Plan
Documented process to recover and protect a business IT infrastructure in the event of a natural or man-made disaster
DR Data Center
Network Redundancy
Fail over procedures
Storage archives and Backups
Hot Sites / Cold Sites
Power Redundancy
Fire suppression systems
NOC
Network Operations Center
Where network administrators monitor and manage the network
Network health visuals in real time
Automated alerting and after hours paging
Focal point for troubleshooting and maintaining the network devices like routers, switches, firewalls, etc.
Ping Monitoring
Reachability statistics
Up/Down status
SNMP Monitoring and Graphing
Simple Network Management Protocol
Reachability stats
Up/Down status
Interface Bandwidth graphic
SNMP Traps
NetFlow and sFlow
NetFlow: Cisco-originated, records IP (Internet Protocol, layer 3) flows with some layer 2 fields
sFlow: vendor-neutral standard that samples packets (including their layer 2 headers) rather than tracking every flow
Servers and software for network management
There are many servers and software
Paid:
SolarWinds NPM
Cisco Prime Infrastructure
What’s up Gold
Free:
Nagios
Spiceworks
Cacti
Syslogs
(system logs)
able to receive system level event logs from network infrastructure devices. Normal/standard to have a syslog server on the network to capture this type of info
Configuration Management
How and why to back up device configs
Automated backup jobs or manually set them up in CLI
Once the configuration is backed up it can be used for new devices, or in case the configuration is ever erased or changed
Authentication
AAA
Authentication - is the user a valid user
Authorization - what activity is the user authorized to do
Accounting - what did the user do while they were logged in
Remote Authentication
We can authenticate remotely using TACACS+ (Terminal Access Controller Access-Control System Plus, typically for device administration, encrypts the whole packet body) or RADIUS (Remote Authentication Dial-In User Service, typically for network access, encrypts only the password)
Plugs/Connectors
Power plugs and connectors must match, especially with voltage
UPS
Uninterruptible Power Supply, provides temporary battery backup for racks/hardware
Power Redundancy
Primary Power, battery backups, generators
Rack Mounting
Be aware of airflow and placement for optimal air flow
Label - ports, circuits, patch panel, hardware
Use a naming convention
Rack Monitoring and Security
Monitoring systems provide environmental monitoring and security such as door switches and video surveillance
Motion detectors
Fire/smoke/gas detectors
door switch
airflow
temperature
humidity
leaks
video surveillance
web management
alerts via network/email
ICS
Industrial Control System
Monitors, automates, and enables human controls of industrial processes
Enables speed, responsiveness, and reliability in production and industrial controls
Encompasses DCS and Scada
DCS
Distributed Control System
A self-contained, fully integrated and tested ICS, usually confined to one site (reliable, and easier to isolate)
Typically less exposed to cyber attacks than SCADA-based systems because it is not spread over long-distance links, but not immune
SCADA
Supervisory Control and Data Acquisition System
System for monitoring and controlling industrial and manufacturing equipment
Uses PLCs (Programmable Logic Controllers) for controlling machines, equipment, valves, etc.
Electrical, water, oil, gas, automotive, manufacturing, mass transit, traffic signals
Provides ICS (Industrial Control System) over long distance and interfaces with many types of systems and networks
Basic SCADA Components
Machine - industrial machines controlled by SCADA
PLCs (Programmable Logic Controllers) industrial digital computers, control switches, valves, etc.
RTU (Remote Terminal Unit) - remote long distance PLC
ICS Server (Industrial Control System) - Runs SCADA software to control PLC (Programmable Logic Controllers) and control units
HMI (Human Machine Interface) - enables monitoring and control by a human
PLCs
(Programmable Logic Controllers) industrial digital computers, control switches, valves, etc.
RTU
(Remote Terminal Unit) - remote long distance PLC
ICS Server
(Industrial Control System) - Runs SCADA software to control PLC (Programmable Logic Controllers) and control units
HMI
(Human Machine Interface) - enables monitoring and control by a human
Asset Management
Track and manage device inventory and the employees that end user devices are assigned to
Network Diagrams
Useful for many things including planning for network upgrades and installs
IP Address Utilization
Document IP Address utilization and create complete list of all private and public network ID’s and IP address assignments
Vendor Documents and Contracts
SLA (Service Level Agreement)
SOW (Statement of Work)
MSA (Master Service Agreement)
MOU (Memorandum of Understanding)
SLA
(Service Level Agreement)
Defines the aspect of a service provided by a service provider such as quality and availability and responsibility
SOW
(Statement of Work)
Defines work to be accomplished during a project
Usually between a consultant/provider and a customer
MSA
(Master Service Agreement)
Payment Terms, warranties, intellectual property
MOU
(Memorandum of Understanding)
Multi-party agreement indicating a common line of action
Not legally binding
Small Office LAN Deployment
Implementation Considerations
List of requirements
Device types and requirements
Environment Limitations
Compatibility Requirements
Wired/Wireless Considerations
Security Considerations
List of requirements
Create a list of requirements
how many users and work areas
power over ethernet support needed
how many computers will be on the network
wireless access needed
servers and domain services required
LAN cabling needs
closets for LAN equipment and patch panel
local internet access or coming from remote site
private WAN for connectivity
host to host or site to site vpn needed
Device Types / Requirements
Based on the requirements, what network devices do we need?
Create a diagram
LAN Requirements
Map out the connections needed and determine size of switch
Determine if multiples switches will be needed and their locations
WLAN: Determine SSIDs (business, guest) and numbers/location of WAPS
WAN Requirements
If Private WAN connectivity is required then a router will be needed that can accept the wan connection and run the required protocols
Internet Requirements
A basic business grade router/firewall can be use for SOHO internet connectivity
If VPN access is required a more robust firewall/router will be needed
Environmental Limitations
Space
Where to place things
Cooling of equipment
Plenum space where cables need to be placed
Enough power available for the equipment
Equipment Limitations
How much room does the equipment allow for growth
What types of protocols and technologies does the equipment support
Does the equipment contain expansion modules
How will you manage the equipment remotely
What type of remote access can be set up
Compatibility Requirements
Everything must be compatible and work together flawlessly
Ethernet LAN consider bandwidth capabilities
Don't create unnecessary bottlenecks
Carefully choose WAN connections
Fiber optic and SFP (optical transceiver module) types must match
Wired / Wireless Considerations
Follow standards for wired connectivity
Ethernet distance limitation is 100 meters
Structured LAN cabling can be out sourced
Follow structured cabling standards
WAP placement - best coverage
Be sure to have enough WAPS
Other WLANs can conflict (some channels used)
Security Considerations
Physical security - keep the equipment safe
LAN Security - implement switch security features (port security, DHCP snooping, DAI, VLAN ACLs)
WAN Security - protect the internet connection with an ACL (Access Control List) or stateful firewall
Routers and hardware firewalls may not have an ACL (Access Control List) configured by default
Do not connect to the internet unprotected (without an ACL)
Hosts should be running software firewalls (default with windows)
Wireless security - use WPA3 (WPA2-AES at minimum), consider adding another form of authentication such as 802.1x; hiding the SSID is not a security control, since the name is still visible in probe and association frames
Administrator passwords - only administrators should have these. Do not share passwords over regular email or other unsecure messaging platforms