CCSD SECURITY
ESSENTIAL CERTIFIED
Network Security
• Network Protocol Security
• Network Components Security
• Communication Channel Security
• Network Attack Mitigation
Copyright © 2019 Logical Operations, Inc. All rights reserved.
Communication and Network Security
Network Security Overview
• Network security is one of the most critical topics.
• Rapid changes to technology make networking complex.
• Need to secure each technology separately.
• Need to handle interoperability issues.
• No more clear-cut boundaries for the network.
The OSI Model
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
(Figure: the seven layers shown side by side on a web server and a client browser, with the information/data flow passing down one stack and up the other.)
TCP/IP Protocol Suite
• TCP—establishes, maintains, and terminates a connection-oriented session.
• UDP—sends datagrams to a destination without establishing any session.
• IP—adds a logical address and chooses the best route.
• ICMP—used by network devices to communicate network conditions and conduct diagnostic tests.
• IGMP—used by downstream applications to inform the router that they still wish to receive a multicast transmission.
• ARP—used to discover the MAC address used by each IP node.
TCP/IP Core Protocol Vulnerabilities and Mitigation (Slide 1 of 2)
Protocol: TCP
Vulnerability or Threat:
• An attacker can predict the incrementing sequence number of a TCP session and use it to hijack a session that has already been authenticated and authorized.
• TCP can carry malicious payloads to other computers.
Mitigation:
• Use encrypted versions of Layer 7 protocols.
• Encrypt or digitally sign data payloads.
• Block unused TCP ports on firewalls.
Protocol: UDP
Vulnerability or Threat:
• UDP requires no acknowledgment, so it’s easy to spoof the source or destination of UDP packets.
• UDP can cause amplification and other denial-of-service attacks.
Mitigation:
• Use encrypted versions of Layer 7 protocols.
• Encrypt and digitally sign data payloads.
• Block unused UDP ports on firewalls.
Protocol: IP
Vulnerability or Threat:
• IP has no mechanism for verifying the actual identity of the sender or the receiver.
• It’s easy to spoof IP addresses, so that packets are sent to or received from a machine other than the intended destination or source.
• An attacker can craft malicious IP packet fragments that cannot be reassembled by the receiving computer, causing a denial of service attack.
Mitigation: Configure the router and other IP devices to disallow IP features that can be abused, including fragments, ICMP redirection, and source routing.
TCP/IP Core Protocol Vulnerabilities and Mitigation (Slide 2 of 2)
Protocol: ICMP
Vulnerability or Threat:
• An attacker can send an ICMP redirect telling targets to use the attacker's machine as a default gateway.
• An attacker can insert malicious data inside an ICMP packet, which will pass through routers and firewalls under the assumption that it is just a status message.
• An attacker can send oversized ICMP packets and overwhelm the system.
Mitigation: Configure firewalls and routers to disallow ICMP unless it is actually needed.
Protocol: IGMP
Vulnerability or Threat: Malformed IGMP packets can cause a buffer overflow and denial of service on a receiving host.
Mitigation: Configure firewalls and routers to disable IGMP unless it is actually needed.
Protocol: ARP
Vulnerability or Threat:
• ARP (and its twin RARP) is vulnerable because it is sent in cleartext by broadcast, with no way to verify the identity of the sending computer.
• An attacker can poison a system's ARP table or cache, causing traffic to be delivered to the wrong node. This type of poisoning is the underlying mechanism for most man-in-the-middle attacks.
Mitigation: Hard-code IP-to-MAC mappings in switches and device ARP caches.
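The ARP mitigation above pins IP-to-MAC mappings; the following added example (not from the slides) uses such a pinned list to detect poisoning from observed ARP replies, flagging a pinned IP that appears with a different MAC and a single MAC that claims several IPs. The addresses and the sample replies are constructed.

```python
"""Added example: detect ARP cache poisoning against a static allow list.
All addresses below are constructed for the demonstration."""
from collections import defaultdict

# Constructed allow list: the static IP-to-MAC mappings an administrator
# has hard-coded for the default gateway and a server.
STATIC_MAPPINGS = {
    "192.168.10.1": "00:11:22:33:44:01",   # default gateway
    "192.168.10.5": "00:11:22:33:44:05",   # file server
}

# Constructed sample of ARP replies seen on the segment: (sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    ("192.168.10.1", "00:11:22:33:44:01"),
    ("192.168.10.5", "00:11:22:33:44:05"),
    ("192.168.10.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by another MAC
    ("192.168.10.5", "de:ad:be:ef:00:99"),   # same MAC now also claims the server
    ("192.168.10.77", "00:11:22:33:44:77"),  # unpinned host, no conflict
]


def detect_arp_anomalies(replies, static_mappings):
    """Return a list of alert strings for the given ARP replies.

    Two checks are applied:
    1. A reply whose sender IP is pinned but whose MAC differs from the
       pinned value (poisoning of the gateway or server entry).
    2. One MAC claiming more than one IP address, which is what a node
       inserted between two victims as a man-in-the-middle looks like.
    """
    alerts = []
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        expected = static_mappings.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(f"pinned IP {ip} expected {expected}, saw {mac}")
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES, STATIC_MAPPINGS):
        print("ALERT:", alert)
```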
Application Layer Protocols Vulnerabilities and Mitigation (Slide 1 of 4)
Protocol: DHCP
Vulnerability: Broadcasts in cleartext, so attackers can:
• Plug directly into a network jack and receive an IP address.
• Set up rogue DHCP servers that provide incorrect addresses to clients.
Mitigation: Don’t use DHCP; hard code IP addresses on hosts instead.
Protocol: DNS
Vulnerability: Sends data in cleartext with no authentication, so attackers can:
• Divert, intercept, or deny end-user communications.
• Perform unauthorized zone transfers with DNS servers.
• Send inaccurate lookup information to clients.
• Corrupt the DNS server’s database or lookup cache.
Mitigation: Use DNS Security (DNSSEC) to accompany all DNS records with digital signatures.
Protocol: SNMP
Vulnerability:
• Prior to v3, SNMP is sent in cleartext, allowing it to be sniffed.
• SNMP uses a weak authentication method that is easy to spoof.
Mitigation: Install SNMP v3, or use a proprietary network management solution.
Application Layer Protocols Vulnerabilities and Mitigation (Slide 2 of 4)
Protocol: FTP
Vulnerability:
• Standard FTP uses plaintext password authentication and no encryption, enabling man-in-the-middle attacks.
• Some FTP implementations permit anonymous connections.
Mitigation:
• Use an encrypted replacement like FTPS or SFTP.
• Disallow anonymous connections.
• Apply file system permissions on the directories that contain FTP content.
Protocol: Telnet
Vulnerability:
• Telnet is sent in cleartext with no encryption or digital signatures.
• Its sessions can be sniffed, and it is vulnerable to session hijacking and man-in-the-middle attacks.
Mitigation: Use SSH instead of Telnet.
Protocol: SSH
Vulnerability:
• Different implementations have been vulnerable.
• An OpenSSH bug allowed enumeration of usernames registered on the SSH server.
Mitigation: Make sure your SSH product is patched.
Protocol: HTTP
Vulnerability:
• Uses plaintext and no authentication, so an attacker can intercept or manipulate sensitive information in web forms.
• Lack of encryption and digital signatures allows for man-in-the-middle attacks.
Mitigation:
• Use HTTPS, with TLS v1.2 encryption.
• Configure the web server to require Strict Transport Security (HSTS) so that an HTTPS session cannot be downgraded to HTTP.
Application Layer Protocols Vulnerabilities and Mitigation (Slide 3 of 4)
Protocol: SMTP
Vulnerability:
• No authentication or encryption between servers, allowing fake email servers to send spam.
• Cleartext SMTP can be sniffed and spoofed.
Mitigation:
• Create TLS tunnels and authentication between email servers.
• Configure clients to use encrypted versions of SMTP.
Protocol: POP and IMAP
Vulnerability: Messages are sent in cleartext and can be sniffed or spoofed by an unauthorized person.
Mitigation: Configure clients to use encrypted versions of POP3 and IMAP4.
Protocol: LDAP
Vulnerability:
• LDAP provides weak authentication based on DNS.
• If DNS is compromised, LDAP is also easy for an attacker to compromise.
• Standard LDAP sends messages in plaintext, which can be easily intercepted and read by attackers.
Mitigation: Configure clients and servers to use encrypted LDAPS.
Protocol: Kerberos
Vulnerability:
• Weak implementations can have vulnerabilities.
• The Microsoft implementation allows creation of fake hash checksums and forged tickets (Security Bulletin MS14-068).
Mitigation: Patch and update affected systems.
Application Layer Protocols Vulnerabilities and Mitigation (Slide 4 of 4)
Protocol: SMB
Vulnerability:
• Unauthenticated "null session" enumeration.
• Weak encryption.
• Ransomware like WannaCry.
• Buffer overflows like EternalBlue.
Mitigation:
• Patch and update affected systems.
• Configure systems to disallow older protocol versions and null sessions.
• Block SMB-related ports on the firewall: TCP 139 and 445, UDP 137, 138, and 139.
Protocol: RPC
Vulnerability: Crafted RPC calls can gain system level privilege from vulnerable Windows Services that use RPC (CVE-2003-0352/MS03-026 DCOM buffer overflow being the most notable).
Mitigation:
• Patch and update affected systems.
• Block TCP 135 on the firewall.
Protocol: NFS
Vulnerability:
• Older versions of NFS do not include encryption mechanisms to prevent eavesdropping or tampering of data being transferred.
• Many implementations do not have access controls to prevent unauthorized connection and data theft.
Mitigation:
• Put access control on all NFS shares.
• Block TCP 2049 on the firewall.
Protocol: RDP
Vulnerability: RDP is vulnerable to numerous flooding, overflow, and cryptographic attacks.
Mitigation:
• Patch affected systems, and configure the RDP server to allow only Network Level Authentication.
• Use certificates issued by a trusted CA for authentication.
IP Networking (Slide 1 of 2)
IP Version: IPv4
• Uniquely identifies a node on a network.
• Uses 32-bit addressing.
• Requires a subnet mask to determine if the destination is on the same or a different network.
• Subnet mask determines routing of IP address as it divides IP address into two components:
  • Network address.
  • Node address.
• Example: IP address 192.168.10.5 with a subnet mask of 255.255.255.0.
  • First three octets (192.168.10) are the network address.
  • Final octet (5) is the node address.
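The subnet-mask split described above, as an added example that is not part of the original deck: it applies the mask bitwise to separate the network and node parts, decides whether a destination is on the same network (and so can be reached directly rather than via the default gateway), and generalizes beyond the slide's /24 case to any contiguous mask, rejecting masks that are not contiguous.

```python
"""Added example: IPv4 subnet-mask arithmetic from the slide's 192.168.10.5 /
255.255.255.0 example, generalized to any valid mask."""
import ipaddress


def split_address(ip: str, mask: str):
    """Return (network_address, node_part) for a dotted IP and dotted mask.

    Network part = ip AND mask; node part = ip AND NOT mask.  For the
    slide's example this yields ("192.168.10.0", 5).
    """
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(ip_int & mask_int)
    node = ip_int & (~mask_int & 0xFFFFFFFF)
    return str(network), node


def same_network(src: str, dst: str, mask: str) -> bool:
    """True when src and dst share the network part under mask.

    A host delivers directly only in that case; otherwise the packet goes
    to the default gateway, which is the routing decision the slide describes.
    """
    return split_address(src, mask)[0] == split_address(dst, mask)[0]


def prefix_length(mask: str) -> int:
    """Convert a dotted mask to its CIDR prefix length (255.255.255.0 -> 24).

    A valid mask is a run of ones followed by zeros; anything else
    (e.g. 255.0.255.0) is rejected because it cannot define a subnet.
    """
    mask_int = int(ipaddress.IPv4Address(mask))
    ones = bin(mask_int).count("1")
    if mask_int != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


if __name__ == "__main__":
    print(split_address("192.168.10.5", "255.255.255.0"))
    print(same_network("192.168.10.5", "192.168.11.1", "255.255.255.0"))
    print(prefix_length("255.255.255.0"))
```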
IP Networking (Slide 2 of 2)
IP Version: IPv6
• IPv4 issues:
  • Availability: 4.2 billion numbers isn’t enough for the future.
  • No built-in security mechanisms.
• IPv6 was proposed as a 128-bit number.
  • Creates an absolutely huge number (340 undecillion) of possible IP addresses.
  • Provides sufficient growth for the foreseeable future.
• Provides more efficient routing.
• Has built-in support for security and quality of service.
• Sample IPv6 globally unique (public) address: 2601:140:8600:cbc:c490:50b2:37ff:3191
• Sample IPv6 link local (private) address: fe80::c490:50b2:37ff:3191
Network Vulnerability Mitigation (Slide 1 of 2)
• Use firewalls/intrusion detection to monitor protocol abuse/suspicious traffic.
• Harden/patch servers and workstations to mitigate risks from TCP/IP protocols.
• Use TCP wrappers on Linux/UNIX devices to verify incoming connections to host.
• Configure personal firewalls on all computers.
• Configure routers to disallow/filter:
  • Source routing - can potentially be used for spoofing.
  • Subnet broadcasts - can potentially be used for denial of service.
  • ICMP - filter ICMP by message type; only allow PING to and from trusted hosts.
  • IP fragments - deliberately malformed fragments could be a denial of service technique.
  • IP options - excessive use could result in router CPU denial of service.
  • IP packets with low time-to-live (TTL) - could be used for denial of service.
Network Vulnerability Mitigation (Slide 2 of 2)
• If practical, implement DNSSEC in your environment.
• If practical, implement authentication/encryption between servers, in your enterprise, and with partners.
• Use authenticated/encrypted alternatives to cleartext protocols, including:
  • SSH (port 22) instead of telnet (port 23).
  • HTTPS (port 443) instead of HTTP (port 80).
  • SMTPS (port 465) or MSA (port 587) instead of SMTP (port 25).
  • IMAPS (port 993) or IMAP-SSL (port 585) instead of IMAP (port 143).
  • SSL-POP (port 995) instead of POP3 (port 110).
• When possible, change default port of a service to an unexpected port number.
• When possible, encrypt and digitally sign the payload.
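One way to find where the cleartext protocols listed above are still in use is to scan flow logs for their ports; the following added example (not from the slides) does that over constructed log lines in a hypothetical key=value flow format and names the encrypted replacement from the slide's mapping for each hit.

```python
"""Added example: flag flows to cleartext service ports and report the
encrypted alternative the slide recommends.  Log format and IPs are constructed."""
import re
from collections import Counter

# Cleartext port -> (service, recommended replacement), taken from the slide.
CLEARTEXT_SERVICES = {
    23:  ("telnet", "SSH (port 22)"),
    80:  ("HTTP",   "HTTPS (port 443)"),
    25:  ("SMTP",   "SMTPS (port 465) or MSA (port 587)"),
    143: ("IMAP",   "IMAPS (port 993) or IMAP-SSL (port 585)"),
    110: ("POP3",   "SSL-POP (port 995)"),
}

# Constructed sample flow records in a hypothetical key=value format.
SAMPLE_FLOWS = """\
ts=1 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=23 bytes=1200
ts=2 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=22 bytes=5400
ts=3 src=10.0.0.8 dst=10.0.0.20 proto=tcp dport=80 bytes=300
ts=4 src=10.0.0.8 dst=10.0.0.20 proto=tcp dport=443 bytes=9000
ts=5 src=10.0.0.12 dst=10.0.0.30 proto=tcp dport=110 bytes=700
ts=6 src=10.0.0.12 dst=10.0.0.30 proto=udp dport=53 bytes=90
ts=7 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=23 bytes=800
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def find_cleartext_flows(log_text):
    """Return (src, dst, service, replacement) for every TCP flow to a
    cleartext port.  Lines that do not parse, non-TCP flows and other
    ports are ignored."""
    findings = []
    for line in log_text.splitlines():
        match = FLOW_RE.search(line)
        if not match:
            continue
        src, dst, proto, dport = match.group(1), match.group(2), match.group(3), int(match.group(4))
        if proto != "tcp":
            continue
        hit = CLEARTEXT_SERVICES.get(dport)
        if hit:
            findings.append((src, dst, hit[0], hit[1]))
    return findings


def summarize(findings):
    """Count findings per (service, destination server), busiest first, so the
    server most in need of migration to the encrypted protocol is listed first."""
    counts = Counter((service, dst) for _, dst, service, _ in findings)
    return counts.most_common()


if __name__ == "__main__":
    hits = find_cleartext_flows(SAMPLE_FLOWS)
    for src, dst, service, replacement in hits:
        print(f"{src} -> {dst}: {service} in cleartext; use {replacement}")
    print(summarize(hits))
```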
Wireless Security (Slide 1 of 2)
Wireless Security Protocol: WEP
• Wired Equivalent Privacy.
• Relies on stream cipher with 24-bit initialization vector (IV).
• Attack on IV can easily predict short value.
• Can be compromised in minutes.
• Obsolete – do not use.
Wireless Security Protocol: WPA
• Wi-Fi Protected Access.
• Provides additional encryption using Temporal Key Integrity Protocol (TKIP).
• TKIP is vulnerable to transmission of arbitrary packets.
• Also vulnerable to decryption of arbitrary packets.
• Obsolete – do not use.
Wireless Security Protocol: WPA2 (802.11i)
• Improvement on WPA.
• Includes stronger encryption (CCMP protocol using AES standard).
• Biggest known vulnerability is choosing a weak password.
• The current best choice for Wi-Fi security.
Wireless Security Protocol: WPS
• Automated mechanism for wireless devices to obtain the Wi-Fi key from the router.
• Wi-Fi setup is easy and convenient.
• Negotiation can be intercepted and cracked by hacking tools.
Wireless Security (Slide 2 of 2)
When implementing wireless security:
• Select WPA2 (even WPA2 personal) over WEP or WPA.
• When possible, use a RADIUS server for wireless authentication.
• If you must use a pre-shared key, make the password complex and change it regularly.
• Manually enter Wi-Fi passwords into your device, rather than allowing them to autoconfigure themselves by using WPS.
• If necessary, enter the MAC addresses of all devices that are permitted to connect to the wireless network into the access point.
Network Encryption Protocols
Encryption Protocol: SSL/TLS
• Secure Sockets Layer/Transport Layer Security.
• Combines digital certificates with public-key encryption.
• Offers authenticity, integrity, and confidentiality.
• De facto protocol for protecting HTTP web traffic.
Encryption Protocol: SSH
• Secure Shell.
• Secure remote login and transfer of data.
• Session is encrypted.
• Encryption defends against eavesdropping.
• Preferred protocol to work with FTP and access Linux/UNIX shells.
Encryption Protocol: DNSSEC
• Domain Name System Security Extension.
• Provides added security to DNS.
• Authenticates DNS data and ensures data integrity.
• Supports zone signing.
Encryption Protocol: PGP
• Email encryption protocol using a public-key cryptography variant.
• Supports authentication through digital signatures.
• GNU Privacy Guard (GPG) is the open source version.
Encryption Protocol: S/MIME
• Secure/Multipurpose Internet Mail Extensions.
• Email encryption using public-key cryptography.
• Uses traditional MIME communication standard.
• Ensures confidentiality, integrity, authentication, and non-repudiation.
Networking Hardware
• Router
• Wireless router
• Switch
• Hub
• Gateway
• Modem
• Multiplexer
• Concentrator
• Front-end processor
• Repeater
• Firewall
• Proxy
• Reverse Proxy
• Appliance
(Figure: icons for a switch, modem, hub, router, firewall, and wireless router.)
Data Network Types (Slide 1 of 2)
Data Network Type: LAN
• Local area network.
• Network limited in scope: single building, floor, or room.
• Implemented with copper-based wiring or wireless.
Data Network Type: WLAN
• Wireless LAN.
Data Network Type: CAN
• Campus area network.
• Connects buildings in a university or enterprise campus.
• Often uses fiber optic media.
Data Network Type: MAN
• Metropolitan area network.
• Provides networking to a city and surrounding neighborhoods.
• Often implemented as SONET rings or with Ethernet.
Data Network Type: WAN
• Wide area network.
• Connects networks over long distances.
• Uses X.25, frame relay, and HDLC.
Data Network Type: PAN
• Personal area network.
• Very small area.
• Often uses Bluetooth to connect a phone with a headset.
Data Network Types (Slide 2 of 2)
Data Network Type: SAN
• Storage area network.
• Storage devices linked together to create one large storage resource.
• SAN looks like another local drive to devices that use it.
Data Network Type: VLAN
• Logical grouping of switch ports.
• Provides Layer 2 security on a switched network.
• Limits impact of broadcast traffic.
• Nodes connected to VLAN can only communicate to other nodes in same VLAN.
• Each VLAN assigned its own IP subnet.
• VLANs communicate to other VLANs via routers.
• Biggest risk is improper implementation.
Data Network Type: Switched networks
• Forward traffic between segments using a single type of network protocol.
• Provide isolation services.
• Forward frames at data link layer.
Data Network Type: Routed networks
• Connect similar or dissimilar networks at Layer 3.
• Often used to connect LANs to other LANs.
• Router required when connecting a LAN to a WAN.
Router Vulnerabilities
• If a router is compromised, attacker can use it in a man-in-the-middle attack.
  • Like planting a bug in a room to listen in remotely.
  • Can also initiate DoS attacks.
• Router must be physically protected first and foremost.
  • Theft or tampering with router will result in major network issues.
• Routers are also subject to logical attacks.
  • Attacker may attempt to access router using a remote protocol like Telnet/SSH.
  • May also try to send excessive or malformed packets to router, causing a DoS.
Router Security
• Deploy the router in a secure, locked area.
• Disable all unnecessary services on the router.
• Disable any unnecessary routing protocols.
• Harden the router per the manufacturer's recommendations.
• Use SSH instead of Telnet.
• Create access control lists.
• Require strong authentication for administrator connections.
• Limit number of admin connections, and disconnect inactive sessions.
• Require authentication to a centralized server on higher-end routers.
• Create custom administrative accounts with limited privileges for support personnel.
• Ensure passwords are stored using encryption.
• Forward all security events to a central syslog server.
• Monitor activity on the router, watching for suspicious behavior.
Security Perimeter (Slide 1 of 3)
Zone: Internet
Description:
• Least trusted.
• The point where your network connects to your ISP.
Perimeter Security Control: Firewall
Zone: Perimeter
Description:
• Untrusted.
• A separate network connected to an additional interface on your firewall.
• Public-facing servers such as web, email, or DNS servers are placed here.
Perimeter Security Control: Firewall
Zone: DMZ
Description:
• Untrusted.
• A separate network sandwiched between two firewalls.
• The outside firewall connects to the Internet.
• The inside firewall connects to your internal network.
Perimeter Security Control: Two firewalls. Alternatively, a packet filtering router could replace the outside firewall.
Zone: Intranet
Description:
• Trusted.
• Your organization's private, internal network.
• Usually placed behind a firewall.
Perimeter Security Control: Firewall
Security Perimeter (Slide 2 of 3)
Zone: Extranet
Description:
• Semi-trusted.
• A server or perimeter network provided for partners, vendors, contractors, customers, etc.
• Typically requires a VPN connection or a login to a website.
Perimeter Security Control: Firewall, VPN server, or SSL-protected web server.
Zone: Remote access
Description:
• Usually a VPN or dialup server placed outside the company's firewall.
• Typically has a secure connection that bypasses the firewall into the intranet.
• Remote users make secure connections to the server, and then are permitted to connect through it into the private network.
Perimeter Security Control: VPN or dialup server. Can use multiple servers connected to Internet links for fault tolerance and load balancing. The Remote Access server must be locked down with the same care given to a firewall.
Security Perimeter (Slide 3 of 3)
Zone: VLAN
Description:
• Trust level depends on the purpose of the VLAN.
• A group of switch ports that are logically separated from the rest of the switch.
• Nodes on a VLAN can communicate with each other, but cannot directly communicate with other VLANs or networks.
• A router must be used to forward traffic in and out of a VLAN.
Perimeter Security Control: Switch/router.
Zone: Secure Internal
Description:
• Highly trusted.
• Any internal network that is separated from the rest of the intranet, and given a higher level of security.
• Often implemented as a VLAN.
• In a military installation, will be a separate physical network with no connection to other networks.
Perimeter Security Control: Internal router/switch.
Network Partitioning
• Any method used to divide a network, physically or logically.
• Done for security, performance, or management reasons.
  • Security zone.
  • Customer requirements.
  • Administration/traffic management requirements.
• Physically partitioned networks have their own cabling, switches, and routers.
  • Secure rooms may contain computers connected to separate networks.
• VLANs can logically partition a network.
  • For example, each department has its own VLAN.
• Separate network zones include:
  • Extranets
  • Perimeter networks
  • DMZs
• VLANs also used to separate wired and wireless networks.
Firewalls
Firewall Type: Packet filtering
• Make decisions on packets as they move.
• Each packet treated individually.
• Usually blocks all ports, then opens them as they’re needed.
• For example, ports 25 (SMTP) and 443 (HTTPS) may be open.
Firewall Type: Stateful inspection
• More sophisticated than packet filtering.
• Can determine the state of the packet.
• Determines if the packet is related to an earlier packet.
• Determines if the conversation was initiated inside or outside of the network.
Firewall Type: Proxy
• Act as intermediary servers/gateways.
• Will terminate a connection and reactivate as necessary.
• Can also hide identity of sender.
(Figure: a firewall passing approved traffic and blocking unapproved traffic.)
Additional Firewall Terms (Slide 1 of 2)
• Bastion host
  • A host hardened to remove all unnecessary services.
  • Servers facing the Internet should be bastion hosts.
• Dual-homed firewall
  • Has two network ports.
  • One port faces the untrusted network (Internet).
  • Other port faces the trusted network.
• Screening host
  • A firewall with limited capabilities.
• Screened subnet
  • Another term for a DMZ.
Additional Firewall Terms (Slide 2 of 2)
• Perimeter network
  • Alternate type of DMZ.
  • Single firewall with three interfaces.
• Extranet
  • Area of the network reserved for vendors, partners, and contractors.
  • Typically a website that requires the user to log in.
  • Can also require a VPN to secured servers.
• Network Address Translation (NAT)
  • Common feature of firewalls.
  • Private addresses are not routable on the Internet.
  • Firewall maintains a NAT table.
  • Firewall rules + NAT used to protect internal devices.
Endpoint Security
• Comprehensive solution to secure mobile devices as they connect to network.
• Ensures that these devices are healthy and cannot compromise network.
• Software installed on devices includes:
  • Firewall
  • VPN client
  • Antivirus
  • Anti-malware
  • Encryption
• Uses client/server security model.
• Central server on network pushes updates to mobile clients and controls access.
• Endpoint security often includes mobile device management (MDM).
CDN
• Large distributed system of proxy servers that serve web content over Internet.
• CDNs can also deliver content from within an organization.
• Vulnerabilities:
  • Lack of input validation.
  • Lack of user session management.
  • Users accepting untrusted certificates.
• Mitigation strategies:
  • Scan for malware.
  • Filter out unwanted/dangerous content.
  • Deploy systems to monitor content for threats.
  • Install endpoint security controls.
  • Educate and train users on trusting digital certificates.
Physical Devices
• Various devices enable networking capabilities.
• Often found in server rooms.
• Use the following methods to secure these devices:
  • Physically secure all devices against tampering or accidents.
  • Lock cabinets and rack doors.
  • Use cable locks on laptops and small PCs.
  • Mount power adapters, smart jacks, media converters, etc., where they can be easily monitored and serviced.
  • Consider using a "lights out" approach to server management.
  • Place non-rack-mountable equipment on boltable trays above the rack floor.
  • Route all cables both inside racks and in the ceiling in managed bundles and cable trays.
Communication Channel Overview
• Extra security steps should be taken:
  • During voice, conferencing, and collaboration sessions.
  • When a user works remotely.
  • In high security installations such as military or government.
• Encryption is the most common way to secure a channel.
• Encryption can be on the link itself, or at a higher level.
Voice Vulnerabilities
Issue: Eavesdropping
• Unauthorized listening can occur at any point of a voice call.
• Older systems failed to encrypt call.
• Conversations could be recorded, reconstructed, and played back.
Issue: Wiretapping
• Form of eavesdropping.
• Phone lines are physically tapped with a listening device.
Issue: Phreaking
• Phone hacking to make free long-distance calls.
• Companies didn’t change default admin password on PBX.
Issue: War dialing
• Dialing a long list of numbers.
• At least one might connect to a dial-up modem or remote access server.
• Hacker can target these systems.
Issue: IMSI-catcher
• Eavesdropping device for cell phones.
• Can also track movement of device.
• Captures phone’s unique IMSI number.
• Instructs phone not to use encryption, enabling man-in-the-middle.
Securing Voice
General network techniques to secure voice:
• Segregate all voice traffic into its own VLAN.
• Only use VoIP products that encrypt the call.
• Design redundancy into your VoIP network.
• Change default PABX port to something random, and require strong authentication.
Issue: Eavesdropping
• Encrypt all phone communications end-to-end.
• Configure PBX to disallow users listening in on incoming calls.
Issue: Wiretapping
• Encrypt voice traffic end-to-end.
Issue: Phreaking
• Change default admin password on PBX.
• Use manufacturer’s recommendations to harden PBX.
Issue: War dialing
• Make sure any dialup modems use unlisted numbers.
• Make sure they don’t use same block of numbers as rest of the company.
Issue: IMSI-catcher
• Use phones that don’t negotiate encryption with cell tower.
• New products may be able to detect anomalous IMSI-catcher activity.
Collaboration
• Audio/video conferencing.
• Peer-to-peer file sharing.
• Remote meeting.
• Instant messaging.
Collaboration Security Concerns
Collaboration Type: A/V conferencing
• Equipment is usually not hardened properly.
• Accessible via public IP with little to no firewall protection.
• Attacker may also “start” A/V services automatically to eavesdrop.
• Most risky when used by senior management to discuss sensitive operations.
Collaboration Type: P2P file sharing
• Shared files may still be infected.
• Risk increases when users make remote connections.
• Excessive sharing may consume bandwidth and lower availability.
Collaboration Type: Remote meeting
• Misconfigured system will allow unauthorized users to join session.
• Attackers can exploit the meeting to attack the internal network.
Collaboration Type: Instant messaging
• A common vehicle for social engineering.
• Users click on images, videos, or links that download malware.
• Malware can spread throughout the network.
Remote Access
(Figure: a remote device reaching network resources through a remote access server over an established connection mechanism.)
• Accessing internal services without physically being in the network.
• Originally used by telecommuters who needed access to data while away.
• Now remote access is common even internally.
  • For example, help desk can assist users without being at their computer.
• Two ways to remote access:
  • Dialup
  • Virtual Private Network (VPN)
• In either case, a remote access server (RAS) is required.
• RAS now primarily accessed through Internet.
Remote Access Security
• Require strong authentication for all users.
• Require two-factor authentication for administrator connections.
• Harden the RAS as much as possible.
• Change default passwords and default configurations.
• Install a good security suite on the operating system.
• Turn on the software firewall on the RAS.
• Lock incoming user accounts after three bad login attempts.
• Install intrusion detection on the network directly behind the RAS.
(Figure: a remote device connecting over the cellular network or PSTN and the Internet to the RAS, which sits in front of the internal company network.)
IPSec Standards
• IPSec consists of two protocols:
  • Authentication Header (AH)
    • Digitally signs IP header.
    • Provides authentication, integrity, and non-repudiation.
  • Encapsulating Security Payload (ESP)
    • Inserts extra digitally signed UDP header in front of payload.
    • Encrypts the payload.
• You can use one or both protocols.
• AH only signs, does not encrypt.
• AH digital signature cannot pass through a NAT.
• ESP digital signature is part of payload and can pass through a NAT.
• IPSec authenticates computers, not users.
• Risk of IPSec is weak passwords.
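The NAT behaviour the slide states for AH and ESP, as an added example that is not part of the original deck: a simplified simulation in which an HMAC stands in for the integrity check, the key and addresses are constructed, and the AH check covers the IP source and destination while the ESP check covers only the protected payload, so rewriting the source address breaks the first and not the second.

```python
"""Added example: why an AH integrity check fails after NAT while an ESP
check survives.  Simplified model; key, addresses and packet layout are
constructed and HMAC-SHA256 stands in for the negotiated algorithm."""
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-integrity-key"   # shared integrity key of the simulated SA


@dataclass(frozen=True)
class Packet:
    src: str        # IP header source address
    dst: str        # IP header destination address
    payload: bytes  # transport header and data carried in the IP packet


def _icv(data: bytes) -> bytes:
    """Integrity check value over the given bytes."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def ah_icv(pkt: Packet) -> bytes:
    # AH signs immutable IP header fields (modelled here as src and dst)
    # together with the payload, so a changed source address breaks it.
    return _icv(pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload)


def esp_icv(pkt: Packet) -> bytes:
    # ESP's integrity value covers only the ESP-protected part of the packet,
    # not the outer IP header, so header rewriting leaves it valid.
    return _icv(pkt.payload)


def source_nat(pkt: Packet, public_ip: str) -> Packet:
    """Source NAT as a border device performs it: replace the private source."""
    return replace(pkt, src=public_ip)


def verify(pkt: Packet, icv: bytes, icv_func) -> bool:
    return hmac.compare_digest(icv_func(pkt), icv)


def check_nat_traversal(icv_func):
    """Sign a packet with icv_func, push it through NAT, and return
    (verifies_without_nat, verifies_after_nat)."""
    original = Packet("192.168.10.5", "203.0.113.7", b"inner transport header and data")
    icv = icv_func(original)
    translated = source_nat(original, "198.51.100.1")
    return verify(original, icv, icv_func), verify(translated, icv, icv_func)


if __name__ == "__main__":
    print("AH  (no NAT, after NAT):", check_nat_traversal(ah_icv))   # (True, False)
    print("ESP (no NAT, after NAT):", check_nat_traversal(esp_icv))  # (True, True)
```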
END

 
PPTX
Ccsdbyhday1santodms
Anne Starr
 
I01letor20so201leutor2020
Anne Starr
 
Iso27001leadauditor2020
Anne Starr
 
Ccsddm5days
Anne Starr
 
Dayblic
Anne Starr
 
Day1cspbeblic
Anne Starr
 
Dncybersecurity
Anne Starr
 
Dancyrityshy 1foundatioieh
Anne Starr
 
2 slides(2ndvariadaystion)
Anne Starr
 
Secuntialesse
Anne Starr
 
Awtitioneressentialsdeckscloudprac401-577
Anne Starr
 
01wslouAsentialsdeck2dpractitioneres-400
Anne Starr
 
uderessAwscloentialsdeck1-2ion00
Anne Starr
 
Cloudhnologysstecociat
Anne Starr
 
Cmbysantocsddsh
Anne Starr
 
Cddmbysantcsosh
Anne Starr
 
Ccbysantsddosh
Anne Starr
 
Ccsdbyhday1santodms
Anne Starr
 
Ad

Recently uploaded (20)

PPTX
Top 10 AI Tools, Like ChatGPT. You Must Learn In 2025
Digilearnings
 
PPTX
How to Track Skills & Contracts Using Odoo 18 Employee
Celine George
 
PPTX
Cybersecurity: How to Protect your Digital World from Hackers
vaidikpanda4
 
PPTX
Translation_ Definition, Scope & Historical Development.pptx
DhatriParmar
 
PPTX
Applied-Statistics-1.pptx hardiba zalaaa
hardizala899
 
DOCX
Unit 5: Speech-language and swallowing disorders
JELLA VISHNU DURGA PRASAD
 
PPTX
Unlock the Power of Cursor AI: MuleSoft Integrations
Veera Pallapu
 
PDF
The-Invisible-Living-World-Beyond-Our-Naked-Eye chapter 2.pdf/8th science cur...
Sandeep Swamy
 
PPTX
CONCEPT OF CHILD CARE. pptx
AneetaSharma15
 
PPTX
Command Palatte in Odoo 18.1 Spreadsheet - Odoo Slides
Celine George
 
PPTX
K-Circle-Weekly-Quiz12121212-May2025.pptx
Pankaj Rodey
 
PPTX
How to Close Subscription in Odoo 18 - Odoo Slides
Celine George
 
DOCX
pgdei-UNIT -V Neurological Disorders & developmental disabilities
JELLA VISHNU DURGA PRASAD
 
PDF
John Keats introduction and list of his important works
vatsalacpr
 
PPTX
Introduction to pediatric nursing in 5th Sem..pptx
AneetaSharma15
 
PDF
The Minister of Tourism, Culture and Creative Arts, Abla Dzifa Gomashie has e...
nservice241
 
PPTX
20250924 Navigating the Future: How to tell the difference between an emergen...
McGuinness Institute
 
PPTX
I INCLUDED THIS TOPIC IS INTELLIGENCE DEFINITION, MEANING, INDIVIDUAL DIFFERE...
parmarjuli1412
 
PDF
My Thoughts On Q&A- A Novel By Vikas Swarup
Niharika
 
PDF
Module 2: Public Health History [Tutorial Slides]
JonathanHallett4
 
Top 10 AI Tools, Like ChatGPT. You Must Learn In 2025
Digilearnings
 
How to Track Skills & Contracts Using Odoo 18 Employee
Celine George
 
Cybersecurity: How to Protect your Digital World from Hackers
vaidikpanda4
 
Translation_ Definition, Scope & Historical Development.pptx
DhatriParmar
 
Applied-Statistics-1.pptx hardiba zalaaa
hardizala899
 
Unit 5: Speech-language and swallowing disorders
JELLA VISHNU DURGA PRASAD
 
Unlock the Power of Cursor AI: MuleSoft Integrations
Veera Pallapu
 
The-Invisible-Living-World-Beyond-Our-Naked-Eye chapter 2.pdf/8th science cur...
Sandeep Swamy
 
CONCEPT OF CHILD CARE. pptx
AneetaSharma15
 
Command Palatte in Odoo 18.1 Spreadsheet - Odoo Slides
Celine George
 
K-Circle-Weekly-Quiz12121212-May2025.pptx
Pankaj Rodey
 
How to Close Subscription in Odoo 18 - Odoo Slides
Celine George
 
pgdei-UNIT -V Neurological Disorders & developmental disabilities
JELLA VISHNU DURGA PRASAD
 
John Keats introduction and list of his important works
vatsalacpr
 
Introduction to pediatric nursing in 5th Sem..pptx
AneetaSharma15
 
The Minister of Tourism, Culture and Creative Arts, Abla Dzifa Gomashie has e...
nservice241
 
20250924 Navigating the Future: How to tell the difference between an emergen...
McGuinness Institute
 
I INCLUDED THIS TOPIC IS INTELLIGENCE DEFINITION, MEANING, INDIVIDUAL DIFFERE...
parmarjuli1412
 
My Thoughts On Q&A- A Novel By Vikas Swarup
Niharika
 
Module 2: Public Health History [Tutorial Slides]
JonathanHallett4
 

gkkSecurity essentials domain 2

  • 2. Communication and Network Security
    • Network Protocol Security
    • Network Components Security
    • Communication Channel Security
    • Network Attack Mitigation
    Copyright © 2019 Logical Operations, Inc. All rights reserved.
  • 3. Network Security Overview
    • Network security is one of the most critical topics.
    • Rapid changes to technology make networking complex.
    • Need to secure each technology separately.
    • Need to handle interoperability issues.
    • No more clear-cut boundaries for the network.
  • 4. The OSI Model
    Figure: the seven OSI layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) shown on both a web server and a client browser, with the information/data flow passing down one stack and up the other.
  • 5. TCP/IP Protocol Suite
    • TCP—establishes, maintains, and terminates a connection-oriented session.
    • UDP—sends datagrams to a destination without establishing any session.
    • IP—adds a logical address and chooses the best route.
    • ICMP—used by network devices to communicate network conditions and conduct diagnostic tests.
    • IGMP—used by downstream applications to inform the router that they still wish to receive a multicast transmission.
    • ARP—used to discover the MAC address used by each IP node.
  • 6. TCP/IP Core Protocol Vulnerabilities and Mitigation (Slide 1 of 2)
    Protocol: TCP
      Vulnerability or threat:
        • An attacker can predict the incrementing sequence number of a TCP session and use it to hijack a session that has already been authenticated and authorized.
        • TCP can carry malicious payloads to other computers.
      Mitigation:
        • Use encrypted versions of Layer 7 protocols.
        • Encrypt or digitally sign data payloads.
        • Block unused TCP ports on firewalls.
    Protocol: UDP
      Vulnerability or threat:
        • UDP requires no acknowledgment, so it’s easy to spoof the source or destination of UDP packets.
        • UDP can cause amplification and other denial-of-service attacks.
      Mitigation:
        • Use encrypted versions of Layer 7 protocols.
        • Encrypt and digitally sign data payloads.
        • Block unused UDP ports on firewalls.
    Protocol: IP
      Vulnerability or threat:
        • IP has no mechanism for verifying the actual identity of the sender or the receiver.
        • It’s easy to spoof IP addresses, so that packets are sent to or received from a machine other than the intended destination or source.
        • An attacker can craft malicious IP packet fragments that cannot be reassembled by the receiving computer, causing a denial of service attack.
      Mitigation:
        • Configure the router and other IP devices to disallow IP features that can be abused, including fragments, ICMP redirection, and source routing.
  • 7. TCP/IP Core Protocol Vulnerabilities and Mitigation (Slide 2 of 2)
    Protocol: ICMP
      Vulnerability or threat:
        • An attacker can send an ICMP redirect telling targets to use the attacker's machine as a default gateway.
        • An attacker can insert malicious data inside an ICMP packet, which will pass through routers and firewalls under the assumption that it is just a status message.
        • An attacker can send oversized ICMP packets and overwhelm the system.
      Mitigation:
        • Configure firewalls and routers to disallow ICMP unless it is actually needed.
    Protocol: IGMP
      Vulnerability or threat:
        • Malformed IGMP packets can cause a buffer overflow or denial of service on a receiving host.
      Mitigation:
        • Configure firewalls and routers to disable IGMP unless it is actually needed.
    Protocol: ARP
      Vulnerability or threat:
        • ARP (and its twin RARP) is vulnerable because it is sent in cleartext by broadcast, with no way to verify the identity of the sending computer.
        • An attacker can poison a system's ARP table or cache, causing traffic to be delivered to the wrong node. This type of poisoning is the underlying mechanism for most man-in-the-middle attacks.
      Mitigation:
        • Hard-code IP-to-MAC mappings in switches and device ARP caches.
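A defender-side check for the ARP poisoning described in the table above, added here as an example and not part of the course material: it compares observed ARP replies against the hard-coded IP-to-MAC mappings the slide recommends, and additionally flags any IP claimed by more than one MAC (or one MAC answering for several IPs) within the observation window. The static table and the ARP replies are constructed sample data; a real deployment would feed in replies from a packet capture or periodic ARP cache snapshots.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added example (not from the course deck). All data below is constructed.
"""
from collections import defaultdict

# Constructed "expected" table, standing in for the hard-coded IP-to-MAC
# mappings the slide recommends keeping on switches and hosts.
STATIC_MAPPINGS = {
    "192.168.10.1": "00:11:22:33:44:01",   # default gateway (assumed)
    "192.168.10.5": "00:11:22:33:44:05",
}

# Constructed ARP replies in (ip, mac) form, as a sniffer would report them.
SAMPLE_ARP_REPLIES = [
    ("192.168.10.1", "00:11:22:33:44:01"),
    ("192.168.10.5", "00:11:22:33:44:05"),
    ("192.168.10.7", "00:11:22:33:44:07"),
    ("192.168.10.1", "DE:AD:BE:EF:00:01"),   # gateway claimed by a second MAC
    ("192.168.10.7", "00:11:22:33:44:07"),
    ("192.168.10.9", "de:ad:be:ef:00:01"),   # same MAC now also claims .9
]


def detect_arp_anomalies(replies, static=STATIC_MAPPINGS):
    """Return a list of (subject, reason) findings.

    Two checks are applied:
      1. A reply contradicting a hard-coded mapping is flagged immediately.
      2. Any IP seen with more than one MAC, or any MAC answering for more
         than one IP, during the observation window is flagged as suspicious.
    MAC addresses are normalised to lower case before comparison.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    findings = []

    for ip, mac in replies:
        mac = mac.lower()
        expected = static.get(ip)
        if expected is not None and mac != expected.lower():
            findings.append((ip, f"reply from {mac} contradicts static mapping {expected}"))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)

    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            findings.append((ip, f"IP claimed by multiple MACs: {sorted(macs)}"))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            findings.append((mac, f"MAC answering for multiple IPs: {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    for subject, reason in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(f"ALERT {subject}: {reason}")
```

The second check matters on segments where not every host has a static entry: a MAC that suddenly answers for several IPs is the usual signature of a poisoning attempt even when no hard-coded mapping is contradicted.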
  • 8. Application Layer Protocols Vulnerabilities and Mitigation (Slide 1 of 4)
    Protocol: DHCP
      Vulnerability: Broadcasts in cleartext, so attackers can:
        • Plug directly into a network jack and receive an IP address.
        • Set up rogue DHCP servers that provide incorrect addresses to clients.
      Mitigation:
        • Don’t use DHCP; hard code IP addresses on hosts instead.
    Protocol: DNS
      Vulnerability: Sends data in cleartext with no authentication, so attackers can:
        • Divert, intercept, or deny end-user communications.
        • Perform unauthorized zone transfers with DNS servers.
        • Send inaccurate lookup information to clients.
        • Corrupt the DNS server’s database or lookup cache.
      Mitigation:
        • Use DNS Security (DNSSEC) to accompany all DNS records with digital signatures.
    Protocol: SNMP
      Vulnerability:
        • Prior to v3, SNMP is sent in cleartext, allowing it to be sniffed.
        • SNMP uses a weak authentication method that is easy to spoof.
      Mitigation:
        • Install SNMP v3, or use a proprietary network management solution.
  • 9. Application Layer Protocols Vulnerabilities and Mitigation (Slide 2 of 4)
    Protocol: FTP
      Vulnerability:
        • Standard FTP uses plaintext password authentication and no encryption, enabling man-in-the-middle attacks.
        • Some FTP implementations permit anonymous connections.
      Mitigation:
        • Use an encrypted replacement like FTPS or SFTP.
        • Disallow anonymous connections.
        • Apply file system permissions on the directories that contain FTP content.
    Protocol: Telnet
      Vulnerability:
        • Telnet is sent in cleartext with no encryption or digital signatures.
        • Its sessions can be sniffed, and it is vulnerable to session hijacking and man-in-the-middle attacks.
      Mitigation:
        • Use SSH instead of Telnet.
    Protocol: SSH
      Vulnerability:
        • Different implementations have been vulnerable.
        • An OpenSSH bug allowed enumeration of usernames registered on the SSH server.
      Mitigation:
        • Make sure your SSH product is patched.
    Protocol: HTTP
      Vulnerability:
        • Uses plaintext and no authentication, so an attacker can intercept or manipulate sensitive information in web forms.
        • Lack of encryption and digital signatures allows for man-in-the-middle attacks.
      Mitigation:
        • Use HTTPS, with TLS v1.2 encryption.
        • Configure the web server to require Strict Transport Security (HSTS) so that an HTTPS session cannot be downgraded to HTTP.
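An added example, not from the deck, of verifying the two HTTP mitigations in the table (TLS 1.2 as the floor and HSTS enforced): it parses a Strict-Transport-Security header into its directives, applies a minimum max-age, and builds a client TLS context that refuses anything below TLS 1.2. The response headers and the 180-day policy threshold are constructed, assumed values; in practice the headers come from a real HTTPS response to the server being checked.

```python
"""Check the HTTP mitigations from the slide: HSTS present with a sane
max-age, and a TLS floor of 1.2.

Added example, not the course's material. Headers and threshold are assumed.
"""
import ssl

# Constructed sample responses: one hardened, one not.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Type": "text/html",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Type": "text/html",
}

MIN_HSTS_AGE = 180 * 24 * 3600  # 180 days; assumed local policy threshold


def parse_hsts(value):
    """Parse an HSTS header value into a dict of directives.

    Directive names are case-insensitive (RFC 6797); directives with a value
    map to that value as a string, flag directives (no '=') map to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def check_hsts(headers, min_age=MIN_HSTS_AGE):
    """Return (ok, reason). Header name lookup is case-insensitive."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header"
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return False, "max-age is not an integer"
    if max_age < min_age:
        return False, f"max-age {max_age} below policy minimum {min_age}"
    if "includesubdomains" not in directives:
        return True, "ok, but includeSubDomains is not set"
    return True, "ok"


def make_client_context():
    """A client-side TLS context that refuses anything below TLS 1.2 and
    still verifies the server certificate (create_default_context does)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("good:", check_hsts(GOOD_HEADERS))
    print("weak:", check_hsts(WEAK_HEADERS))
    print("missing:", check_hsts({}))
```

A max-age of 0 is the documented way to switch HSTS off, so the weak sample is rejected for the same reason a missing header is: the browser would happily fall back to HTTP.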
  • 10. Application Layer Protocols Vulnerabilities and Mitigation (Slide 3 of 4)
    Protocol: SMTP
      Vulnerability:
        • No authentication or encryption between servers, allowing fake email servers to send spam.
        • Cleartext SMTP can be sniffed and spoofed.
      Mitigation:
        • Create TLS tunnels and authentication between email servers.
        • Configure clients to use encrypted versions of SMTP.
    Protocol: POP and IMAP
      Vulnerability:
        • Messages are sent in cleartext and can be sniffed or spoofed by an unauthorized person.
      Mitigation:
        • Configure clients to use encrypted versions of POP3 and IMAP4.
    Protocol: LDAP
      Vulnerability:
        • LDAP provides weak authentication based on DNS.
        • If DNS is compromised, LDAP is also easy for an attacker to compromise.
        • Standard LDAP sends messages in plaintext, which can be easily intercepted and read by attackers.
      Mitigation:
        • Configure clients and servers to use encrypted LDAPS.
    Protocol: Kerberos
      Vulnerability:
        • Weak implementations can have vulnerabilities.
        • Microsoft implementation allows creation of fake hash checksums and forged tickets (Security Bulletin MS14-068).
      Mitigation:
        • Patch and update affected systems.
  • 11. Application Layer Protocols Vulnerabilities and Mitigation (Slide 4 of 4)
    Protocol: SMB
      Vulnerability:
        • Unauthenticated "null session" enumeration.
        • Weak encryption.
        • Ransomware like WannaCry.
        • Buffer overflows like EternalBlue.
      Mitigation:
        • Patch and update affected systems.
        • Configure systems to disallow older protocol versions and null sessions.
        • Block SMB-related ports on the firewall: TCP 139 and 445, UDP 137, 138, and 139.
    Protocol: RPC
      Vulnerability:
        • Crafted RPC calls can gain system level privilege from vulnerable Windows Services that use RPC (CVE-2003-0352/MS03-026 DCOM buffer overflow being the most notable).
      Mitigation:
        • Patch and update affected systems.
        • Block TCP 135 on the firewall.
    Protocol: NFS
      Vulnerability:
        • Older versions of NFS do not include encryption mechanisms to prevent eavesdropping or tampering of data being transferred.
        • Many implementations do not have access controls to prevent unauthorized connection and data theft.
      Mitigation:
        • Put access control on all NFS shares.
        • Block TCP 2049 on the firewall.
    Protocol: RDP
      Vulnerability:
        • RDP is vulnerable to numerous flooding, overflow, and cryptographic attacks.
      Mitigation:
        • Patch affected systems, and configure the RDP server to allow only Network Level Authentication.
        • Use certificates issued by a trusted CA for authentication.
  • 12. IP Networking (Slide 1 of 2)
    IP version: IPv4
      • Uniquely identifies a node on a network.
      • Uses 32-bit addressing.
      • Requires a subnet mask to determine if the destination is on the same or a different network.
      • Subnet mask determines routing of IP address as it divides IP address into two components:
        • Network address.
        • Node address.
      • Example: IP address 192.168.10.5 with a subnet mask of 255.255.255.0.
        • First three octets (192.168.10) are the network address.
        • Final octet (5) is the node address.
  • 13. IP Networking (Slide 2 of 2)
    IP version: IPv6
      • IPv4 issues:
        • Availability: 4.2 billion numbers isn’t enough for the future.
        • No built-in security mechanisms.
      • IPv6 was proposed as a 128-bit number.
        • Creates an absolutely huge number (340 undecillion) of possible IP addresses.
        • Provides sufficient growth for the foreseeable future.
      • Provides more efficient routing.
      • Has built-in support for security and quality of service.
      • Sample IPv6 globally unique (public) address: 2601:140:8600:cbc:c490:50b2:37ff:3191
      • Sample IPv6 link local (private) address: fe80::c490:50b2:37ff:3191
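The subnet mask arithmetic from slide 12 and the address scopes from slide 13, worked through in code as an added example (not the deck's own material). It reproduces the slide's 192.168.10.5 / 255.255.255.0 case with plain bitwise operations, generalizes to any contiguous mask, decides whether two addresses are on the same network, and classifies the slide's two sample IPv6 addresses as link-local or global using the standard library.

```python
"""Subnet mask arithmetic (IPv4) and address scope (IPv6).

Added example; not part of the course material.
"""
import ipaddress


def to_int(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    """32-bit integer back to dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_address(ip, mask):
    """Return (network_address, node_address) as dotted strings.

    AND with the mask keeps the network bits; AND with the inverted mask
    keeps the node (host) bits, which is exactly the split the slide shows.
    The node part is returned in dotted form, so 192.168.10.5/24 gives
    "0.0.0.5" for the slide's node address 5.
    """
    m = to_int(mask)
    inverted = (~m) & 0xFFFFFFFF
    # A valid mask is a run of ones followed by a run of zeros, which makes
    # the inverted mask one less than a power of two.
    if (inverted + 1) & inverted:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    a = to_int(ip)
    return to_dotted(a & m), to_dotted(a & inverted)


def same_network(ip_a, ip_b, mask):
    """True when both addresses share the network portion under `mask`:
    the test a host performs to decide whether to send directly or via
    the router."""
    return split_address(ip_a, mask)[0] == split_address(ip_b, mask)[0]


def ipv6_scope(addr):
    """Classify an IPv6 address as the slide does: link-local vs global."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a.is_global:
        return "global"
    return "other"


if __name__ == "__main__":
    print(split_address("192.168.10.5", "255.255.255.0"))
    print(same_network("192.168.10.5", "192.168.11.5", "255.255.255.0"))
    print(ipv6_scope("fe80::c490:50b2:37ff:3191"))
    print(ipv6_scope("2601:140:8600:cbc:c490:50b2:37ff:3191"))
```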
  • 14. Network Vulnerability Mitigation (Slide 1 of 2)
    • Use firewalls/intrusion detection to monitor protocol abuse/suspicious traffic.
    • Harden/patch servers and workstations to mitigate risks from TCP/IP protocols.
    • Use TCP wrappers on Linux/UNIX devices to verify incoming connections to host.
    • Configure personal firewalls on all computers.
    • Configure routers to disallow/filter:
      • Source routing - can potentially be used for spoofing.
      • Subnet broadcasts - can potentially be used for denial of service.
      • ICMP - filter ICMP by message type; only allow PING to and from trusted hosts.
      • IP fragments - deliberately malformed fragments could be a denial of service technique.
      • IP options - excessive use could result in router CPU denial of service.
      • IP packets with low time-to-live (TTL) - could be used for denial of service.
  • 15. Network Vulnerability Mitigation (Slide 2 of 2)
    • If practical, implement DNSSEC in your environment.
    • If practical, implement authentication/encryption between servers, in your enterprise, and with partners.
    • Use authenticated/encrypted alternatives to cleartext protocols, including:
      • SSH (port 22) instead of telnet (port 23).
      • HTTPS (port 443) instead of HTTP (port 80).
      • SMTPS (port 465) or MSA (port 587) instead of SMTP (port 25).
      • IMAPS (port 993) or IMAP-SSL (port 585) instead of IMAP (port 143).
      • SSL-POP (port 995) instead of POP3 (port 110).
    • When possible, change default port of a service to an unexpected port number.
    • When possible, encrypt and digitally sign the payload.
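An added example, not part of the deck, that turns the cleartext-to-encrypted substitution list above into an audit: it parses listener lines in the shape of `ss -ltn` output, matches each listening port against the slide's cleartext services, and reports the recommended replacement. The listener lines are constructed sample input; loopback-only binds are reported at lower severity because that traffic never reaches the wire, which is an assumption of this example and not something the slide states.

```python
"""Audit listening services for the cleartext protocols the slide says to
replace with encrypted alternatives.

Added example, not the course's material. The listener text is constructed
in the shape of `ss -ltn` output; in practice feed in the real output.
"""
import re

# Cleartext port -> (service name, recommended replacement), from the slide.
CLEARTEXT_SERVICES = {
    23:  ("telnet", "SSH (port 22)"),
    80:  ("HTTP", "HTTPS (port 443)"),
    25:  ("SMTP", "SMTPS (port 465) or MSA (port 587)"),
    143: ("IMAP", "IMAPS (port 993)"),
    110: ("POP3", "SSL-POP (port 995)"),
}

# Constructed sample listener lines (local address:port in the 4th column).
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       128     [::]:143            [::]:*
"""

# Address is everything up to the last ':' before the port number.
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

LOOPBACK_BINDS = {"127.0.0.1", "[::1]"}


def listening_ports(text):
    """Yield (bind_address, port) for each LISTEN line."""
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2))


def audit_cleartext(text, catalog=CLEARTEXT_SERVICES):
    """Return one finding per cleartext listener, in listing order.

    Loopback-only binds get severity "info": they cannot be sniffed on the
    wire, but they still indicate a cleartext service that could later be
    exposed. Everything else is "high".
    """
    findings = []
    for addr, port in listening_ports(text):
        if port not in catalog:
            continue
        name, replacement = catalog[port]
        severity = "info" if addr in LOOPBACK_BINDS else "high"
        findings.append({"port": port, "service": name, "bind": addr,
                         "severity": severity, "use_instead": replacement})
    return findings


if __name__ == "__main__":
    for f in audit_cleartext(SAMPLE_LISTENERS):
        print(f"[{f['severity']}] {f['service']} on {f['bind']}:{f['port']} "
              f"-> use {f['use_instead']}")
```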
  • 16. Wireless Security (Slide 1 of 2)
    Wireless security protocol: WEP
      • Wired Equivalent Privacy.
      • Relies on stream cipher with 24-bit initialization vector (IV).
      • Attack on IV can easily predict short value.
      • Can be compromised in minutes.
      • Obsolete – do not use.
    Wireless security protocol: WPA
      • Wi-Fi Protected Access.
      • Provides additional encryption using Temporal Key Integrity Protocol (TKIP).
      • TKIP is vulnerable to transmission of arbitrary packets.
      • Also vulnerable to decryption of arbitrary packets.
      • Obsolete – do not use.
    Wireless security protocol: WPA2 (802.11i)
      • Improvement on WPA.
      • Includes stronger encryption (CCMP protocol using AES standard).
      • Biggest known vulnerability is choosing a weak password.
      • The current best choice for Wi-Fi security.
    Wireless security protocol: WPS
      • Automated mechanism for wireless devices to obtain the Wi-Fi key from the router.
      • Wi-Fi setup is easy and convenient.
      • Negotiation can be intercepted and cracked by hacking tools.
  • 17. Wireless Security (Slide 2 of 2)
    When implementing wireless security:
    • Select WPA2 (even WPA2 personal) over WEP or WPA.
    • When possible, use a RADIUS server for wireless authentication.
    • If you must use a pre-shared key, make the password complex and change it regularly.
    • Manually enter Wi-Fi passwords into your device, rather than allowing them to autoconfigure themselves by using WPS.
    • If necessary, enter the MAC addresses of all devices that are permitted to connect to the wireless network into the access point.
  • 18. Network Encryption Protocols
    Encryption protocol: SSL/TLS
      • Secure Sockets Layer/Transport Layer Security.
      • Combines digital certificates with public-key encryption.
      • Offers authenticity, integrity, and confidentiality.
      • De facto protocol for protecting HTTP web traffic.
    Encryption protocol: SSH
      • Secure Shell.
      • Secure remote login and transfer of data.
      • Session is encrypted.
      • Encryption defends against eavesdropping.
      • Preferred protocol to work with FTP and access Linux/UNIX shells.
    Encryption protocol: DNSSEC
      • Domain Name System Security Extension.
      • Provides added security to DNS.
      • Authenticates DNS data and ensures data integrity.
      • Supports zone signing.
    Encryption protocol: PGP
      • Email encryption protocol using a public-key cryptography variant.
      • Supports authentication through digital signatures.
      • GNU Privacy Guard (GPG) is open source version.
    Encryption protocol: S/MIME
      • Secure/Multipurpose Internet Mail Extensions.
      • Email encryption using public-key cryptography.
      • Uses traditional MIME communication standard.
      • Ensures confidentiality, integrity, authentication, and non-repudiation.
  • 19. Networking Hardware
    • Router
    • Wireless router
    • Switch
    • Hub
    • Gateway
    • Modem
    • Multiplexer
    • Concentrator
    • Front-end processor
    • Repeater
    • Firewall
    • Proxy
    • Reverse Proxy
    • Appliance
    Figure: device icons for a switch, modem, hub, router, firewall, and wireless router.
  • 20. Data Network Types (Slide 1 of 2)
    Data network type: LAN
      • Local area network.
      • Network limited in scope: single building, floor, or room.
      • Implemented with copper-based wiring or wireless.
    Data network type: WLAN
      • Wireless LAN.
    Data network type: CAN
      • Campus area network.
      • Connects buildings in a university or enterprise campus.
      • Often uses fiber optic media.
    Data network type: MAN
      • Metropolitan area network.
      • Provides networking to a city and surrounding neighborhoods.
      • Often implemented as SONET rings or with Ethernet.
    Data network type: WAN
      • Wide area network.
      • Connects networks over long distances.
      • Uses X.25, frame relay, and HDLC.
    Data network type: PAN
      • Personal area network.
      • Very small area.
      • Often uses Bluetooth to connect a phone with a headset.
  • 21. Data Network Types (Slide 2 of 2)
    Data network type: SAN
      • Storage area network.
      • Storage devices linked together to create one large storage resource.
      • SAN looks like another local drive to devices that use it.
    Data network type: VLAN
      • Logical grouping of switch ports.
      • Provides Layer 2 security on a switched network.
      • Limits impact of broadcast traffic.
      • Nodes connected to VLAN can only communicate to other nodes in same VLAN.
      • Each VLAN assigned its own IP subnet.
      • VLANs communicate to other VLANs via routers.
      • Biggest risk is improper implementation.
    Data network type: Switched networks
      • Forward traffic between segments using a single type of network protocol.
      • Provide isolation services.
      • Forward frames at data link layer.
    Data network type: Routed networks
      • Connect similar or dissimilar networks at Layer 3.
      • Often used to connect LANs to other LANs.
      • Router required when connecting a LAN to a WAN.
  • 22. Router Vulnerabilities
    • If a router is compromised, attacker can use it in a man-in-the-middle attack.
      • Like planting a bug in a room to listen in remotely.
      • Can also initiate DoS attacks.
    • Router must be physically protected first and foremost.
      • Theft or tampering with router will result in major network issues.
    • Routers are also subject to logical attacks.
      • Attacker may attempt to access router using a remote protocol like Telnet/SSH.
      • May also try to send excessive or malformed packets to router, causing a DoS.
  • 23. Router Security
    • Deploy the router in a secure, locked area.
    • Disable all unnecessary services on the router.
    • Disable any unnecessary routing protocols.
    • Harden the router per the manufacturer's recommendations.
    • Use SSH instead of Telnet.
    • Create access control lists.
    • Require strong authentication for administrator connections.
    • Limit number of admin connections, and disconnect inactive sessions.
    • Require authentication to a centralized server on higher-end routers.
    • Create custom administrative accounts with limited privileges for support personnel.
    • Ensure passwords are stored using encryption.
    • Forward all security events to a central syslog server.
    • Monitor activity on the router, watching for suspicious behavior.
  • 24. Security Perimeter (Slide 1 of 3)
    Zone: Internet
      Description:
        • Least trusted.
        • The point where your network connects to your ISP.
      Perimeter security control: Firewall.
    Zone: Perimeter
      Description:
        • Untrusted.
        • A separate network connected to an additional interface on your firewall.
        • Public-facing servers such as web, email, or DNS servers are placed here.
      Perimeter security control: Firewall.
    Zone: DMZ
      Description:
        • Untrusted.
        • A separate network sandwiched between two firewalls.
        • The outside firewall connects to the Internet.
        • The inside firewall connects to your internal network.
      Perimeter security control: Two firewalls. Alternatively, a packet filtering router could replace the outside firewall.
    Zone: Intranet
      Description:
        • Trusted.
        • Your organization's private, internal network.
        • Usually placed behind a firewall.
      Perimeter security control: Firewall.
  • 25. Security Perimeter (Slide 2 of 3)
    Zone: Extranet
      Description:
        • Semi-trusted.
        • A server or perimeter network provided for partners, vendors, contractors, customers, etc.
        • Typically requires a VPN connection or a login to a website.
      Perimeter security control: Firewall, VPN server, or SSL-protected web server.
    Zone: Remote access
      Description:
        • Usually a VPN or dialup server placed outside the company's firewall.
        • Typically has a secure connection that bypasses the firewall into the intranet.
        • Remote users make secure connections to the server, and then are permitted to connect through it into the private network.
      Perimeter security control: VPN or dialup server. Can use multiple servers connected to Internet links for fault tolerance and load balancing. The Remote Access server must be locked down with the same care given to a firewall.
  • 26. Security Perimeter (Slide 3 of 3)
    Zone: VLAN
      Description:
        • Trust level depends on the purpose of the VLAN.
        • A group of switch ports that are logically separated from the rest of the switch.
        • Nodes on a VLAN can communicate with each other, but cannot directly communicate with other VLANs or networks.
        • A router must be used to forward traffic in and out of a VLAN.
      Perimeter security control: Switch/router.
    Zone: Secure Internal
      Description:
        • Highly trusted.
        • Any internal network that is separated from the rest of the intranet, and given a higher level of security.
        • Often implemented as a VLAN.
        • In a military installation, will be a separate physical network with no connection to other networks.
      Perimeter security control: Internal router/switch.
  • 27. Network Partitioning
    • Any method used to divide a network, physically or logically.
    • Done for security, performance, or management reasons.
      • Security zone.
      • Customer requirements.
      • Administration/traffic management requirements.
    • Physically partitioned networks have their own cabling, switches, and routers.
      • Secure rooms may contain computers connected to separate networks.
    • VLANs can logically partition a network.
      • For example, each department has its own VLAN.
    • Separate network zones include:
      • Extranets
      • Perimeter networks
      • DMZs
    • VLANs also used to separate wired and wireless networks.
  • 28. Firewalls
    Firewall type: Packet filtering
      • Make decisions on packets as they move.
      • Each packet treated individually.
      • Usually blocks all ports, then opens them as they’re needed.
      • For example, ports 25 (SMTP) and 443 (HTTPS) may be open.
    Firewall type: Stateful inspection
      • More sophisticated than packet filtering.
      • Can determine the state of the packet.
      • Determines if the packet is related to an earlier packet.
      • Determines if the conversation was initiated inside or outside of the network.
    Firewall type: Proxy
      • Act as intermediary servers/gateways.
      • Will terminate a connection and reactivate as necessary.
      • Can also hide identity of sender.
    Figure: approved traffic passing through the firewall while unapproved traffic is blocked.
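A toy model of the first two firewall types in the table, added here as an example and not taken from the course: a stateless packet filter judges each packet on its own header, while the stateful version records conversations initiated from inside and admits their replies. The policy (inbound 25 and 443 open, everything else only as a reply to an inside-initiated flow) uses the slide's example ports; the inside address range, the packet fields and the sample traffic are constructed assumptions.

```python
"""Packet filtering vs stateful inspection on constructed traffic.

Added example, not the deck's material. Addresses, policy and packets are
assumed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."          # assumed: addresses with this prefix are internal
OPEN_INBOUND_PORTS = {25, 443}  # from the slide: SMTP and HTTPS are opened


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first segment of a TCP connection


def is_inside(addr):
    return addr.startswith(INSIDE_NET)


def packet_filter(pkt):
    """Stateless decision: each packet is judged on its own header only.

    Replies to internal clients arrive on high ports, so a stateless rule
    set must either block them (breaking outbound access) or open the high
    port range to everyone. This version blocks them, which is the safe
    but unusable choice and the reason stateful inspection exists.
    """
    if is_inside(pkt.src):
        return "allow"                       # anything outbound
    return "allow" if pkt.dport in OPEN_INBOUND_PORTS else "deny"


class StatefulFirewall:
    """Tracks conversations initiated from inside and admits their replies."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            # Outbound: record the conversation so the reply is recognised.
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
                return "allow"               # reply to an inside-initiated flow
            if pkt.dport in OPEN_INBOUND_PORTS and pkt.syn:
                return "allow"               # new connection to a published service
            return "deny"
        return "allow"                       # inside-to-inside (assumed policy)


# Constructed traffic: an inside client talks to an outside web server, the
# reply comes back, then an outsider probes a high port and opens HTTPS.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),   # outbound request
    Packet("203.0.113.10", 443, "10.0.0.5", 51000),             # the reply
    Packet("198.51.100.7", 40000, "10.0.0.5", 51000),           # unsolicited probe
    Packet("198.51.100.7", 40001, "10.0.0.20", 443, syn=True),  # new HTTPS connection
]


def run_both(traffic):
    """Return (stateless_decisions, stateful_decisions) for the traffic."""
    fw = StatefulFirewall()
    return ([packet_filter(p) for p in traffic],
            [fw.decide(p) for p in traffic])


if __name__ == "__main__":
    stateless, stateful = run_both(SAMPLE_TRAFFIC)
    for pkt, a, b in zip(SAMPLE_TRAFFIC, stateless, stateful):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={a:<5} stateful={b}")
```

The second packet is where the two differ: the stateless filter cannot tell a legitimate reply from the probe in packet three because both arrive at the same high port, while the state table distinguishes them.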
  • 29. Additional Firewall Terms (Slide 1 of 2)
    • Bastion host
      • A host hardened to remove all unnecessary services.
      • Servers facing the Internet should be bastion hosts.
    • Dual-homed firewall
      • Have two network ports.
      • One port faces the untrusted network (Internet).
      • Other port faces the trusted network.
    • Screening host
      • A firewall with limited capabilities.
    • Screened subnet
      • Another term for a DMZ.
  • 30. Additional Firewall Terms (Slide 2 of 2)
    • Perimeter network
      • Alternate type of DMZ.
      • Single firewall with three interfaces.
    • Extranet
      • Area of the network reserved for vendors, partners, and contractors.
      • Typically a website that requires the user to log in.
      • Can also require a VPN to secured servers.
    • Network Address Translation (NAT)
      • Common feature of firewalls.
      • Private addresses are not routable on the Internet.
      • Firewall maintains a NAT table.
      • Firewall rules + NAT used to protect internal devices.
  • 31. Endpoint Security
    • Comprehensive solution to secure mobile devices as they connect to network.
    • Ensures that these devices are healthy and cannot compromise network.
    • Software installed on devices includes:
      • Firewall
      • VPN client
      • Antivirus
      • Anti-malware
      • Encryption
    • Uses client/server security model.
    • Central server on network pushes updates to mobile clients and controls access.
    • Endpoint security often includes mobile device management (MDM).
  • 32. CDN
    • Large distributed system of proxy servers that serve web content over Internet.
    • CDNs can also deliver content from within an organization.
    • Vulnerabilities:
      • Lack of input validation.
      • Lack of user session management.
      • Users accepting untrusted certificates.
    • Mitigation strategies:
      • Scan for malware.
      • Filter out unwanted/dangerous content.
      • Deploy systems to monitor content for threats.
      • Install endpoint security controls.
      • Educate and train users on trusting digital certificates.
  • 33. Physical Devices
    • Various devices enable networking capabilities.
    • Often found in server rooms.
    • Use the following methods to secure these devices:
      • Physically secure all devices against tampering or accidents.
      • Lock cabinets and rack doors.
      • Use cable locks on laptops and small PCs.
      • Mount power adapters, smart jacks, media converters, etc., where they can be easily monitored and serviced.
      • Consider using a "lights out" approach to server management.
      • Place non-rack-mountable equipment on boltable trays above the rack floor.
      • Route all cables both inside racks and in the ceiling in managed bundles and cable trays.
  • 34. Communication Channel Overview
    • Extra security steps should be taken:
      • During voice, conferencing, and collaboration sessions.
      • When a user works remotely.
      • In high security installations such as military or government.
    • Encryption is the most common way to secure a channel.
    • Encryption can be on the link itself, or at a higher level.
  • 35. Voice Vulnerabilities
    Issue: Eavesdropping
      • Unauthorized listening can occur at any point of a voice call.
      • Older systems failed to encrypt call.
      • Conversations could be recorded, reconstructed, and played back.
    Issue: Wiretapping
      • Form of eavesdropping.
      • Phone lines are physically tapped with a listening device.
    Issue: Phreaking
      • Phone hacking to make free long-distance calls.
      • Companies didn’t change default admin password on PBX.
    Issue: War dialing
      • Dialing a long list of numbers.
      • At least one might connect to a dial-up modem or remote access server.
      • Hacker can target these systems.
    Issue: IMSI-catcher
      • Eavesdropping device for cell phones.
      • Can also track movement of device.
      • Captures phone’s unique IMSI number.
      • Instructs phone not to use encryption, enabling man-in-the-middle.
  • 36. Securing Voice
    General network techniques to secure voice:
    • Segregate all voice traffic into its own VLAN.
    • Only use VoIP products that encrypt the call.
    • Design redundancy into your VoIP network.
    • Change default PABX port to something random, and require strong authentication.
    Issue: Eavesdropping
      • Encrypt all phone communications end-to-end.
      • Configure PBX to disallow users listening in on incoming calls.
    Issue: Wiretapping
      • Encrypt voice traffic end-to-end.
    Issue: Phreaking
      • Change default admin password on PBX.
      • Use manufacturer’s recommendations to harden PBX.
    Issue: War dialing
      • Make sure any dialup modems use unlisted numbers.
      • Make sure they don’t use same block of numbers as rest of the company.
    Issue: IMSI-catcher
      • Use phones that don’t negotiate encryption with cell tower.
      • New products may be able to detect anomalous IMSI-catcher activity.
• 37. Collaboration
• Audio/video conferencing.
• Peer-to-peer file sharing.
• Remote meeting.
• Instant messaging.
• 38. Collaboration Security Concerns
Collaboration type: A/V conferencing
  • Equipment is usually not hardened properly.
  • Accessible via a public IP with little to no firewall protection.
  • An attacker may also “start” A/V services automatically to eavesdrop.
  • Most risky when used by senior management to discuss sensitive operations.
Collaboration type: P2P file sharing
  • Shared files may still be infected.
  • Risk increases when users make remote connections.
  • Excessive sharing may consume bandwidth and lower availability.
Collaboration type: Remote meeting
  • A misconfigured system will allow unauthorized users to join the session.
  • Attackers can exploit the meeting to attack the internal network.
Collaboration type: Instant messaging
  • A common vehicle for social engineering.
  • Users click on images, videos, or links that download malware.
  • Malware can spread throughout the network.
• 39. Remote Access
[Diagram: Remote device -> established connection mechanism -> Remote access server -> Network resources]
• Accessing internal services without physically being in the network.
• Originally used by telecommuters who needed access to data while away.
• Now remote access is common even internally.
  • For example, the help desk can assist users without being at their computer.
• Two ways to provide remote access:
  • Dialup
  • Virtual Private Network (VPN)
• In either case, a remote access server (RAS) is required.
• The RAS is now primarily accessed through the Internet.
• 40. Remote Access Security
[Diagram: Cellular Network or PSTN / Internet -> RAS -> Internal Company Network]
• Require strong authentication for all users.
• Require two-factor authentication for administrator connections.
• Harden the RAS as much as possible.
  • Change default passwords and default configurations.
  • Install a good security suite on the operating system.
  • Turn on the software firewall on the RAS.
• Lock incoming user accounts after three bad login attempts.
• Install intrusion detection on the network directly behind the RAS.
• 41. IPSec Standards
IPSec
• IPSec consists of two protocols:
  • Authentication Header (AH)
    • Digitally signs the IP header.
    • Provides authentication, integrity, and non-repudiation.
  • Encapsulating Security Payload (ESP)
    • Inserts an extra digitally signed UDP header in front of the payload.
    • Encrypts the payload.
• You can use one or both protocols.
• AH only signs; it does not encrypt.
• The AH digital signature cannot pass through a NAT.
• The ESP digital signature is part of the payload and can pass through a NAT.
• IPSec authenticates computers, not users.
• The main risk of IPSec is weak passwords.
• 42. END