4: Communication & Network Security
- simple: physical connectivity, electrical signals flowing
- all hardware devices have a physical layer element
- hubs are layer 1
- theft
- unauthorized access
- vandalism
- sniffing
- interference
- data emanation
- only layer with sublayers
- error control
- physical addressing
- MAC address
- physical address of the card
- physically burned into the card
- doesn’t change
- can be spoofed
- good for local addressing, not global addressing
- ARP (address resolution protocol)
- maps an IP address to a MAC address
- ARP cache poisoning
- changing the cached address to point to another address
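The poisoning described above shows up as an IP address whose claimed MAC changes, or one MAC answering for several IPs. The following is an added example, not part of the original notes, that runs those two checks over a constructed list of observed ARP replies (the `ArpReply` records and the sample MACs are made up for illustration):

```python
"""Added example (not from the original notes): spotting ARP cache poisoning by
watching the IP-to-MAC mappings that ARP replies claim. The replies below are
constructed sample data, not a real capture."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since start of capture (constructed)
    ip: str     # sender protocol address the reply claims to own
    mac: str    # sender hardware address that made the claim


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so aa-bb-.. and AA:BB:.. compare equal."""
    return mac.lower().replace("-", ":")


def find_ip_mac_conflicts(replies):
    """Return (ip, old_mac, new_mac, ts) each time an IP is claimed by a new MAC.

    A changed mapping is not proof of an attack (DHCP reassignment or a replaced
    NIC produces the same event), but it is the event a defender alerts on and
    then confirms against the DHCP lease table or the switch's port-security log.
    """
    known = {}
    conflicts = []
    for reply in sorted(replies, key=lambda r: r.ts):
        mac = normalize_mac(reply.mac)
        previous = known.get(reply.ip)
        if previous is not None and previous != mac:
            conflicts.append((reply.ip, previous, mac, reply.ts))
        known[reply.ip] = mac
    return conflicts


def macs_claiming_multiple_ips(replies, threshold=2):
    """One MAC answering for several IPs (typically the gateway plus victim hosts)
    is the classic man-in-the-middle poisoning signature."""
    ips_by_mac = defaultdict(set)
    for reply in replies:
        ips_by_mac[normalize_mac(reply.mac)].add(reply.ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) >= threshold}


# Constructed sample: a gateway and a workstation answer normally, then a third
# MAC starts claiming both of their addresses.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "AA:BB:CC:DD:EE:01"),
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ArpReply(2.0, "192.168.1.1", "aa-bb-cc-dd-ee-01"),   # same gateway, different formatting
    ArpReply(5.0, "192.168.1.1", "aa:bb:cc:dd:ee:99"),   # gateway now "moved" to a new MAC
    ArpReply(6.0, "192.168.1.20", "aa:bb:cc:dd:ee:99"),  # and so has the workstation
]

if __name__ == "__main__":
    for ip, old, new, ts in find_ip_mac_conflicts(SAMPLE_REPLIES):
        print(f"t={ts:.0f}s  {ip} changed from {old} to {new}")
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(SAMPLE_REPLIES))
```

On a real network the same logic is fed from a passive capture on a SPAN port; the usual mitigations are static ARP entries for the gateway on critical hosts and dynamic ARP inspection on the switch.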
- RARP (reverse ARP)
- predecessor to DHCP
- CSMA/CD (carrier sense multiple access with collision detection)
- IEEE standard
- 802.3 Ethernet
- CSMA/CA (carrier sense multiple access with collision avoidance)
- IEEE standard
- 802.11 Wireless
- token passing
- 24 bit control frame passed around the network to determine which system can transmit data
- sniffer
- a network card set to promiscuous mode. takes in all data it receives
- Ethernet
- all protocols start with “I” (IMAP doesn’t go here: it’s the internet message access protocol, an application-layer protocol)
- IP
- ICMP
- IGMP
- IGRP
- IPSEC
- IKE
- ISAKMP
- echoing utilities — ping, route, trace
- weak and frequently exploited
- ping flood
- sending an overwhelming amount of ICMP echo requests
- SMURF
- using a spoofed source address (which is the target of the attack) and directing broadcasts to launch a DDoS
- Loki attack
- hiding data within ICMP messages
- reliable, connection-oriented protocol
- uses three-way handshake
- SYN flooding
- connectionless
- unreliable
- no handshaking
- desirable when “realtime” transfer is needed
- Netflix, gamer bois, hot tub Twitch streaming, etc.
- TFTP uses UDP
- responsible for establishing connection between two applications
- dialog control
- release connections
- present data in a format that all computers can understand
- only layer that has no protocols
- concerned with compression, encryption and formatting
- makes sure data is in universal format
- file level compression
- removing redundancy from file (compression)
- defines a protocol that different programs / applications understand
- HTTP, HTTPS, FTP, TFTP, SMTP, SNMP, IMAP, etc.
- application proxies
- non-repudiation
- certs
- integration with directory services
- time awareness
- routing info across network
- provides an addressing scheme
- delivers packets from a source to a destination
- serves as a network layer protocol
- connection-oriented protocol
- guarantees delivery via acknowledgement
- widely used for critical applications
- TCP flags
- SYN: opens a connection
- FIN: closes a connection
- ACK: acknowledges a SYN or FIN
- TCP handshake
- source sends SYN
- destination replies w/ SYN/ACK
- source replies w/ ACK
- lightweight connection-less protocol
- doesn’t send acknowledgements
- doesn’t guarantee delivery
- used for voice and video applications
Layer | Name | PDU | Use |
---|---|---|---|
7 | Application | data | user programs |
6 | Presentation | data | data translation, encryption |
5 | Session | data | exchanges between systems |
4 | Transport | segment | TCP, UDP |
3 | Network | packet | IP |
2 | Data Link | frame | data transfers between nodes |
1 | Physical | bits | wires, radios, optics |
- promotes interoperability between vendors
- enables standardization
- describes the encapsulation (packaging) of data to enable it to get from point A to point B
- each layer adds a header to it
- each header has instructions for where the data should go
- sending - you go down the layers and add headers to the data
- receiving - you go up the layers and remove headers from the data
Layer | Name |
---|---|
4 | Application |
3 | Transport |
2 | Internet |
1 | Network Access |
OSI | TCP/IP |
---|---|
Application | Application |
Presentation | Application |
Session | Application |
Transport | Transport |
Network | Internet |
Data Link | Network Access |
Physical | Network Access |
- pay attention to the question being asked
- learn the OSI model
- remember how TCP/IP aligns with OSI
- uniquely identifies systems on a network
- follow dotted quad notation
- four 8-bit numbers 0–255
- 32-bit address (8 × 4 = 32)
- must not be reused in internet-connected systems
- may be reused on private networks
- allow private networks to be divided
- 192.168.1.100
- first portion is the network address
- second portion is the host address
- works by adjusting which portion of the address is the network and host
- source
- sender of data
- destination
- recipient of data
- machines communicating switch places between the two constantly during communications
- replaces IPv4 due to address exhaustion
- use 128-bit addresses
- consist of eight groups of four hexadecimal digits
- static IP addresses
- manually assigned to systems by admin
- must be w/in network range
- often used for servers
- dynamic IP addresses
- automatically assigned by DHCP (dynamic host configuration protocol) server
- address comes from admin-configured pool
- often used for workstations
- provides address resolution on the internet
- DNS server
- translates domain names into IP addresses
- functions over UDP port 53
- DNS resolution
- URL input into browser
- computer sends DNS query to local DNS server
- DNS server looks up URL, finds IP address and sends back to computer
- computer connects to web server via IP address
- DNS is hierarchical
- orgs designate servers that are authoritative for their domains
- some content filters (e.g. Pi-hole, AdGuard Home) alter DNS query results
- DNSSEC
- adds digital signatures to DNS replies
- protects against DNS poisoning
- guide traffic to the correct final destination
- think of them as apartment numbers (ports) associated with an apartment building address (IP address)
- 16-bit number (65,536 ports)
- 0–65535
- well-known ports
- 0–1023
- used for common apps
- web, mail, FTP, etc.
- registered ports
- 1024–49151
- apps may register for a port number
- dynamic ports
- 49151–65535
Category | Port | Application |
---|---|---|
admin | 21 | FTP |
admin | 22 | SSH |
admin | 53 | DNS |
admin | 137-139 | NetBIOS |
admin | 3389 | RDP |
email | 25 | SMTP |
email | 110 | POP |
email | 143 | IMAP |
web | 80 | HTTP |
web | 443 | HTTPS |
- housekeeping protocol of the internet
- identifies live systems
- source sends ICMP echo request to destination
- destination replies with ICMP echo reply
- identifies network paths
- destination unreachable
- redirects
- time exceeded
- address mask requests and replies
- TCP/IP is the most common multilayer protocol suite
- provides network connectivity for SCADA systems
- allows for remote collection of data
- assigned by a central authority
- routable over the internet
- ICANN (Internet Corporation for Assigned Names and Numbers)
- distributes blocks of addresses to regional authorities for distribution
- IP addresses are scarce
- no large blocks are available
- IPv4 allows for 4.3 billion possible addresses
- currently estimate that there are 7.4 billion mobile devices in the world
- translates internal IP addresses of devices to external IP
- advantages:
- can use private addresses internally, don’t need to get a public IP address for each computer
- allows for RFC 1918 IP addresses
- 10.x.x.x
- 172.16.x.x – 172.31.x.x
- 192.168.x.x
- hiding of internal network scheme
- transparent, doesn’t require any special software
- disadvantages:
- single point of failure
- performance bottleneck
- doesn’t provide protection from bad content
- NAT (network address translation)
- provides translation between public and private addresses
- security features/issues
- hides internal address from the internet
- limits direct access to systems
- can be difficult to identify the origin of traffic
- admins need to have good logging
- requires a large pool of public IP addresses
- internal IP addresses are mapped directly to internet IP addresses
- PAT (port address translation)
- allows multiple systems to share the same public IP address
- assigns ports to each communication
- advantages:
- subdivides large networks
- subnet masks
- identify the dividing line between the network and host address
- remember that IP addresses are 32 bit (8-bit × 4)
- 192.168.1.100
- first portion is the network address
- second portion is the host address
- looking at the address in binary: 11000000.10101000.00000001.01100100
- the subnet mask is simply a representation of which bits belong to the network address, in this case all of the first 16 bits, or
- 255.255.0.0 (11111111.11111111.00000000.00000000)
- if you want to move the dividing line between network and host, you can do so
- for example: 11000000.10101000.00000001.01100100 with the first 24 bits as the network address
- this subnet mask is 255.255.255.0 (11111111.11111111.11111111.00000000)
- subnets can be represented in two ways:
- subnet mask notation
- lists the IP address and the subnet mask
- IP address: 192.168.1.100
- Subnet mask: 255.255.255.0
- slash notation
- lists the IP address and the number of bits in the subnet mask
- 192.168.1.0/24
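The mask arithmetic above, worked in code. This is an added example and not part of the original notes; it uses only Python's standard-library `ipaddress` module and the notes' own address 192.168.1.100, and it also checks the RFC 1918 private blocks listed in the NAT section (the function names are the example's own):

```python
"""Added example (not from the original notes): the subnet mask arithmetic from
the notes worked in code with Python's standard-library ipaddress module, using
the notes' address 192.168.1.100. It also checks the RFC 1918 private ranges
that the NAT section lists."""
import ipaddress


def dotted_binary(addr: ipaddress.IPv4Address) -> str:
    """Render an address as four 8-bit groups, the way the notes show it."""
    return ".".join(f"{octet:08b}" for octet in addr.packed)


def mask_from_prefix(prefix: int) -> str:
    """Build the dotted-decimal mask directly: `prefix` one-bits followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(value))


def prefix_from_mask(mask: str) -> int:
    """Inverse of mask_from_prefix; rejects non-contiguous masks such as 255.0.255.0."""
    ones = bin(int(ipaddress.IPv4Address(mask))).count("1")
    if mask_from_prefix(ones) != mask:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def describe_subnet(address: str, prefix: int) -> dict:
    """Everything the notes derive by hand: mask, network/host split, ranges."""
    iface = ipaddress.ip_interface(f"{address}/{prefix}")
    net = iface.network
    return {
        "address_bin": dotted_binary(iface.ip),
        "mask": str(iface.netmask),
        "mask_bin": dotted_binary(iface.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "slash": str(net),
        "host_bits": 32 - prefix,
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


# The three RFC 1918 blocks listed in the NAT section, in CIDR form.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in block for block in RFC1918)


if __name__ == "__main__":
    for prefix in (16, 24):
        info = describe_subnet("192.168.1.100", prefix)
        print(f"/{prefix}: mask {info['mask']} ({info['mask_bin']})")
        print(f"      network {info['network']}  broadcast {info['broadcast']}  usable hosts {info['usable_hosts']}")
    print("172.31.255.1 private?", is_rfc1918("172.31.255.1"),
          "172.32.0.1 private?", is_rfc1918("172.32.0.1"))
```

Note that `172.16.x.x – 172.31.x.x` from the NAT section is a single /12, which is why the CIDR form is `172.16.0.0/12`; the `prefix_from_mask` check matters in firewall and ACL tooling, where a non-contiguous mask is almost always a typo.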
- firewalls segment networks into security zones
- network border firewall
- is placed between the internet and an org’s internal network
- Internet
- public internet
- outside of the org’s control
- internal network
- internal networks controlled by the org
- may contain various networks, servers, etc.
- DMZ
- demilitarized zone
- systems gain no trust based on their network location
- extranet
- intranet segments extended to business partners
- example: vendor VPNs into network in intranet
- honeynets
- decoy networks set up to attract attackers
- similar to honeypots
- ad-hoc
- temporary networks that bypass security controls
- east-west traffic
- traffic between systems w/in a data center
- north-south traffic
- traffic between systems in a data center and the internet
- separate systems on a network
- often due to networks not being physically separated
- example: accounting, purchasing, sales all on same floor
- extend the broadcast domain
- happens at layer 2
- configuring VLAN
- must enable VLAN trunking
- must assign switchports to VLANs
- exact placement depends on business requirements
- intrusion detection systems and intrusion prevention systems
- network taps
- port mirrors
- must all be placed on the network segment that they’re designed to collect information from
- example: an IDS placed in the DMZ will only see data from the DMZ
- aggregation (or distribution) switches connect downstream switches to one another
- note that a traffic collector placed on the aggregation switch may not be able to see traffic between downstream switches
- SPAN ports receive a copy of all traffic seen on a switch
- port mirroring allows monitoring of all traffic on a single port
- systems that gather info using collectors
- analyze info w/ a centralized aggregation and correlation engine
- collectors should be placed near the systems generating records
- correlation engine should be placed in a secure location
- proxy servers and content filters
- usually belong in the DMZ
- aggregate user connections via VPN
- often reside on their own VLAN
- more sophisticated designs might use multiple VLANs that separate users based on roles
- belong in the DMZ
- SSL accelerators
- handle cryptography work of setting up TLS connections
- reduce load on web servers
- load balancers
- distribute connection loads on servers
- detect and prevent DDoS attempts
- should be placed as close to the Internet as possible
- DDoS mitigation services may also be purchased from ISPs
- can be an ideal approach
- prevent DDoS from reaching the org in the first place
- treats network function and implementation as separate functions
- reconfiguring traditional networks requires reconfiguring devices
- control plane
- responsible for making routing and switching decisions
- data plane
- responsible for carrying out the instructions of the control plane
- SDN separates the control plane from the data plane
- this makes a network programmable
- encapsulation
- allows one protocol to carry traffic that uses another protocol
- VXLANs
- build overlay networks that operate at layer 2 using layer 3 equipment
- SD-WANs
- connect larger areas
- SDN security benefits
- granular network configuration
- facilitate faster responses to security incidents
- can programmatically turn off ports during an incident
- SDN security issues
- increase network complexity
- require strong access controls
- layered approach to networking (OSI or TCP/IP) allows us to abstract the physical layer
- transmission media allow info to be transmitted over a distance
- Ethernet cable
- transmits electricity over copper wires
- electricity on line = 1, no electricity on line = 0
- fiber optic cable
- transmits light over strands of glass
- light = 1, dark = 0
- wi-fi
- transmits data over radio waves
- Li-fi
- replaces radio waves with light
- light = 1, dark = 0
- all media types need to be protected against eavesdropping
building blocks of computer networks
- operate on layer 1
- cheap and dumb
- all devices connected to it are on the same collision domain
- sniffer on a hub → can gather up all data from hub traffic
- connect devices to a network
- reside in wiring closets
- ethernet jack on other end of cable from switch
- WAPs connect to switches and create wifi networks
- by default, operate on layer 2
- data transfer between nodes
- use MAC addresses to direct traffic
- isolates traffic into collision domains
- one domain per port
- doesn’t isolate broadcasts natively
- routers are $$$
- to get broadcast isolation on a switch, a VLAN is necessary
- not all switches support VLANs
- layer 2 switches (even on VLANs) don’t understand layer 3 IP addressing
- a layer 3 switch is needed for inter-VLAN communications
- act like a security guard at the perimeter of a network
- often sit on the perimeter of a network (but not always)
- can see all inbound and outbound connections
- connect three networks
- Internet
- internal network
- DMZ
- demilitarized zone
- contain systems that must accept external connections
- web servers
- isolates systems due to risk of compromise
- protects internal network from compromised systems in the DMZ
- stateless firewalls
- evaluate each connection independently
- are very inefficient
- stateful firewalls
- tracks open connections
- keeps track of connections. knows which conversations are active, who is involved, etc.
- allows return traffic, where a packet filter would have to have a specific rule defining return traffic
- more complex. can launch a DoS by trying to fill up all entries in the state table (use up all memory)
- reboots can disrupt traffic
- provides context dependent access control
- example: user connects to website, firewall allows back and forth communications until connection is no longer needed
- source address
- destination address
- destination port and protocol
- action (allow or deny)
example: allow any source to reach the web server on HTTPS
Source | Destination | Destination Port | Destination Protocol | Action |
---|---|---|---|---|
ANY | 192.168.1.3 | 443 | HTTPS | ALLOW |
- allows all HTTPS traffic into the web server
- if a firewall receives traffic not explicitly defined in a rule, it’s blocked (implicit deny)
exam tip
important to know and understand how implicit deny works and the importance of the order of firewall rules.
- incorporate contextual info into decision making
- info from threat sources, IP address origin, etc.
- NAT gateway
- content / URL filtering
- web application firewall
- network hardware vs. host-based software firewall
- will it be a physical device or software running on a server?
- open source vs. proprietary
- hardware appliance vs. virtual machine
- will it be a physical device or a virtual machine?
- block unnecessary ICMP packets
- use simple ACLs
- use implicit deny
- disallow source routed packets
- use least privilege
- block directed IP broadcasts
- perform ingress and egress filtering
- block outbound traffic from non-internal addresses
- sign that something inside that network is acting as a zombie for a DDoS attack
- block inbound traffic from internal addresses
- sign of a potential spoofing attack
- enable logging
- drop or reassemble fragments
- connect to a website on a user’s behalf
- connection proxying
- user ↔ proxy server ↔ web server
- benefits
- anonymization
- web server doesn’t know anything about the user, just about the proxy server
- performance
- proxy server can cache frequently visited websites
- content filtering
- allows orgs to block employee access to certain websites and services
- forward proxy
- works on behalf of clients
- w/out server knowledge
- reverse proxy
- works on behalf of servers
- w/out user knowledge
- transparent proxy
- works w/out client’s or server’s knowledge
- can handle many different apps, not just web traffic
- distribute load amongst servers
- DNS server points to a load balancer instead of a server
- makes this a virtual IP address
- load balancer sends traffic to servers
- allows for autoscaling
- automatically adding and removing servers as needed
- security functions
- SSL cert management
- URL filtering
- other web security applications
- load balancing techniques
- round-robin balancing
- each server gets an equal number of requests
- other scheduling algorithms may be used based on performance, available capacity, session persistence, etc.
- session persistence
- routing individual users’ requests to the same server based on previous use
- load balancers can be a single point of failure
- if the load balancer dies, none of the servers are available
- active-active
- two or more load balancers actively run on the network
- if one dies, other(s) continue to function
- capacity is decreased
- active-passive
- active load balancer handles all traffic
- passive load balancer monitors all traffic
- if the active load balancer dies, the passive load balancer takes over
- no capacity is lost, just redundancy
- big negative is that the passive load balancer is a lazy boy 99.9% of the time
- use encryption to create a virtual tunnel
- everything is encrypted when entering the tunnel and decrypted on the other end
- protects against eavesdropping
- site-to-site VPNs
- connect remote offices to each other and main office
- remote access VPNs
- gives remote access to org network to mobile users, WFH employees, etc.
- VPN endpoints
- normal network equipment
- firewall, server, router
- not dedicated systems
- can struggle with bandwidth, encryption/decryption requirements, etc.
- VPN concentrators
- dedicated piece of equipment
- good for high use, high volume
- IPsec VPN
- works at network layer (2)
- supports L2TP (layer 2 tunneling protocol)
- provide secure transport
- can be difficult to use and set up
- usually used for static site-to-site connections
- SSL/TLS VPN
- work at application layer (7)
- work over TCP port 443
- same port as HTTPS
- useful for bypassing firewalls that block other ports
- HTML5 VPN
- run entirely w/in a browser
- full tunnel
- all traffic routes through the VPN
- split tunnel
- some traffic routes through the VPN
- other traffic routes through the Internet
- can provide users w/ a false sense of security
- always-on VPN
- connect automatically
- point-to-point link between two networks
- adds an additional IP header to original packet
- frequently used in the past to encapsulate older protocols like AppleTalk, IPX, etc.
- data encapsulation
- packets are encapsulated to allow them to travel over an incompatible network
- ex. routing IPv4 packets over an IPv6-only network
- simplicity
- lacks flow-control and security
- can ease configuration
- GRE tunnels can be supplemented by IPSec
- multicast traffic forwarding
- can forward multicast traffic (VPNs cannot)
- multicast traffic (ex. advertisements sent by routing protocols) can be transferred between remote sites
exam tip
GRE doesn’t automatically mean that communications are encrypted.
think about a car on a ferry. the car is encapsulated on the boat, but it isn’t encrypted by the boat.
- systems that monitor network traffic for signs of potentially malicious traffic
- SQL injection, malformed packets, unusual logins, botnet traffic, DoS attempts, etc.
- alert admins of suspicious activity
- require monitoring
- require a strong understanding of systems, logs, meaning of alerts, etc.
- require action from admins
- can be tedious to administer
- false positive errors
- alerts when an attack didn’t take place
- false negative errors
- attack takes place and system doesn’t alert
- signature detection systems
- contains a database w/ rules describing malicious activity
- alerts admins to matching signatures
- fails to detect brand new attacks
- reduces false positives
- anomaly detection systems
- aka: behavior-based detection system, heuristic detection system
- build a model of “normal” activity
- alert admins for activity that doesn’t match the model
- often application aware
- can detect previously unknown attacks
- increased false positive rate
- in-band (inline)
- device sits in path of network traffic
- device can block suspicious traffic entering the network
- can be a problem if device shuts down all traffic due to a false positive
- out-of-band (passive)
- device connects to SPAN port on a switch
- device can react after suspicious traffic has entered the network
- allow for deep traffic inspection
- uses
- troubleshooting networking issues
- investigating security events
- must be used carefully
- can eavesdrop on confidential communications
- access to tools should be tightly controlled
- examples
- Wireshark
- open source GUI-based packet inspector
- tcpdump
- open source command line packet inspector
- Wireshark and tcpdump are both built using the libpcap library
- tcpreplay
- command line tool
- takes in packet captures from Wireshark or tcpdump
- can edit or replay traffic
- solutions combine multiple security functions into a single device
- basic functions
- protect against network attacks
- block unsolicited traffic
- route traffic to/from the Internet
- additional functions
- VPN
- IDS/IPS
- small business functions
- URL filter
- content inspection
- malware inspection
- email and spam filter
- still require regular monitoring and management
- content delivery networks or content distribution networks
- provide scalability and security
- provide a shared web infrastructure
- 10s to 100s of locations around the world
- cache website data
- users can get cached data from the nearest CDN server
- benefits:
- on-demand
- cost effective
- place content closer to users
- security enhancements
- can filter out DDoS attacks
- can provide web application firewall
- filter out SQL injection, XSS, other attacks before traffic reaches org’s web servers
- perimeter security
- stop unwanted remote users
- uses firewalls and other controls
- network access control
- limit physical network access to authorized individuals and devices
- policies
- rule-based
- limit access based on business logic
- role-based
- limit access based on identity of an individual
- time-based
- limit access based on time of day
- location-based
- limit access based on physical location
- intercepts network traffic coming from unknown devices
- verify that a system/user is authorized before allowing communications on the network
- often use 802.1x authentication
- supplicant
- software on end user’s machine that performs NAC steps
- authenticator
- receives credentials from user’s machine
- authentication server
- provides all authentication for authenticators
- user and device authentication
- role-based access
- authentication server provides additional user info to the authenticator
- authenticator places the device/user in an appropriate network based on the user’s role
- posture checking
- user’s device can be checked for multiple security controls
- antivirus software
- current antivirus definitions
- proper firewall configuration
- security patches
- failing devices can be placed onto a quarantine VLAN
- VLAN can have access to patches, antivirus definitions, etc.
- once patched, user can attempt to authenticate again
- agent-based
- agentless
- in-line
- out-of-band
- firewall rules define how a firewall should act when it sees a new connection request
- rules are applied in order
- will follow the first matching rule
- last rule is usually a “deny all”
admins need to watch out for these
- shadowed rule
- a rule that will never be applied due to the rules before it
- it’s generally best to have more specific rules first
- promiscuous rule
- a rule that allows more access than intended or necessary
- orphaned rule
- a rule that allows access to decommed systems or services
- can be dangerous if ports or IP addresses of decommed systems are reused in the future
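First-match evaluation, the implicit deny, and the shadowed-rule problem from the two firewall sections above, in code. This is an added example, not part of the original notes: the rule set (which includes the notes' ANY → 192.168.1.3:443 web rule) and the test packets are constructed, and the `Rule` fields and function names are the example's own, not any vendor's syntax:

```python
"""Added example (not from the original notes): a first-match packet filter with
an implicit deny at the end, plus a check that flags shadowed rules. The rule
set (which includes the notes' 192.168.1.3:443 web rule) and the connection
attempts are constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR block or "any"
    dst: str     # CIDR block or "any"
    proto: str   # "tcp", "udp", "icmp" or "any"
    dport: str   # port number as a string, or "any"
    action: str  # "allow" or "deny"


def _net_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    return (_net_match(rule.src, src_ip) and _net_match(rule.dst, dst_ip)
            and rule.proto in ("any", proto)
            and rule.dport in ("any", str(dport)))


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Walk the rules in order; the first match decides. Anything that reaches
    the end is dropped by the implicit deny, so rule order is part of the policy."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def _net_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))


def _field_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def shadowed_rules(rules):
    """A rule is shadowed when some earlier rule matches every packet it would
    match, so it can never fire. Returns (shadowed_name, shadowing_name) pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_net_covers(earlier.src, later.src) and _net_covers(earlier.dst, later.dst)
                    and _field_covers(earlier.proto, later.proto)
                    and _field_covers(earlier.dport, later.dport)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule set. "allow-all-tcp" is a promiscuous rule (far broader than
# needed) and, because it comes first, it shadows the narrower "ssh-admin" rule.
RULES = [
    Rule("web-in", "any", "192.168.1.3/32", "tcp", "443", "allow"),
    Rule("deny-telnet", "any", "any", "tcp", "23", "deny"),
    Rule("allow-all-tcp", "any", "any", "tcp", "any", "allow"),
    Rule("ssh-admin", "10.0.0.0/8", "192.168.1.3/32", "tcp", "22", "allow"),
]

if __name__ == "__main__":
    for pkt in [("203.0.113.5", "192.168.1.3", "tcp", 443),
                ("203.0.113.5", "192.168.1.3", "tcp", 23),
                ("203.0.113.5", "192.168.1.3", "udp", 53)]:
        print(pkt, "->", evaluate(RULES, *pkt))
    print("shadowed:", shadowed_rules(RULES))
```

The shadow check only catches the case where a single earlier rule fully covers a later one; a later rule can also be made unreachable by the union of several earlier rules, which is why a periodic review of the rule base (and removal of orphaned rules for decommissioned systems) still matters.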
- routers can be configured to perform basic filtering
- this can reduce load on firewalls
restrict network traffic
- standard ACLs
- filter based on source IP address
- extended ACLs
- filter based on more advanced criteria
- source/destination IP addresses
- source/destination ports
- source/destination protocols
so why not just use a router as a firewall?
- firewalls are purpose-specific and efficient, routers are not
- firewalls have much more advanced rule capabilities, routers do not
- firewalls have more advanced security functions, routers do not
- need to maintain physical security on switches and other networking equipment
- attackers w/ physical access to a switch have physical access to the network
- attackers w/ physical access can disconnect a legitimate device and replace it w/ a malicious one
- switchports should limit devices attached to them via MAC address
- static port security
- admin manually configures the MAC address allowed for each switchport
- secure, but can be tedious
- dynamic port security
- switch memorizes the MAC address connected to each switchport, then only allows access to that device
- more convenient for the admin
- can be dangerous w/ unused ports
- inspects DHCP messages
- looks for malformed messages
- checks if DHCP messages are from authorized DHCP servers
- blocks malicious DHCP traffic
- disable automatic trunk negotiation
- prevents VLAN hopping attacks
- VLAN pruning
- limit the number of switches where VLANs are switched
- especially important for sensitive VLANs
- VLAN trunk negotiation
- deny automatic VLAN trunk negotiation
- limits the effectiveness of VLAN hopping
- only allow explicitly set up VLAN trunk negotiation
many DoS attacks rely on flooding a network w/ traffic until it’s overwhelmed
- SYN flood
- attacker creates thousands of SYN packets
- doesn’t reply to SYN/ACK packets
- fills connection state tables of firewalls w/ half-open entries
- MAC flood
- sends out large numbers of MAC addresses
- hope to overflow MAC address table on a switch
- switch may flood traffic out to all ports
- attacker can eavesdrop
- flood guard technology
- protect network devices against flood attacks
- control the number of open connections that a system can have
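How the half-open entries of a SYN flood accumulate in a stateful firewall's table, and what a flood guard does about it, as an added example that is not part of the original notes. The `StateTable` class and the packet sequence are constructed for illustration; real devices add timeouts and SYN cookies on top of the per-source cap shown here:

```python
"""Added example (not from the original notes): a toy stateful connection table
that follows the three-way handshake and applies a flood guard, capping the
half-open (SYN received, no ACK) entries any one source may hold. The packet
sequence is constructed sample data."""
from collections import defaultdict


class StateTable:
    def __init__(self, max_half_open_per_src=3, max_entries=1000):
        self.max_half_open_per_src = max_half_open_per_src
        self.max_entries = max_entries
        self.state = {}                           # 4-tuple -> "SYN_RECV" | "ESTABLISHED"
        self.half_open_by_src = defaultdict(int)  # source IP -> half-open count
        self.dropped = []                         # 4-tuples refused by the guard

    def process(self, src, sport, dst, dport, flags):
        """Handle one inbound packet and return the resulting state for its flow."""
        key = (src, sport, dst, dport)
        current = self.state.get(key)
        if flags == "SYN":
            if current is not None:
                return current          # retransmitted SYN: no new entry, no double count
            if (self.half_open_by_src[src] >= self.max_half_open_per_src
                    or len(self.state) >= self.max_entries):
                self.dropped.append(key)
                return "DROPPED"        # flood guard: refuse to add more half-open state
            self.state[key] = "SYN_RECV"
            self.half_open_by_src[src] += 1
            return "SYN_RECV"
        if flags == "ACK" and current == "SYN_RECV":
            self.state[key] = "ESTABLISHED"     # handshake completed
            self.half_open_by_src[src] -= 1
            return "ESTABLISHED"
        if flags in ("FIN", "RST") and current is not None:
            if current == "SYN_RECV":
                self.half_open_by_src[src] -= 1
            del self.state[key]
            return "CLOSED"
        return "NO_STATE"               # packet belongs to no known conversation

    def half_open_counts(self):
        """Sources currently holding half-open entries; the flood signal to alert on."""
        return {src: n for src, n in self.half_open_by_src.items() if n > 0}


def run_sample():
    """A well-behaved client completes its handshake; a second source sends five
    SYNs from different ports and never answers the SYN/ACK."""
    table = StateTable(max_half_open_per_src=3)
    table.process("10.0.0.5", 51000, "192.168.1.3", 443, "SYN")
    table.process("10.0.0.5", 51000, "192.168.1.3", 443, "ACK")
    for sport in range(40000, 40005):
        table.process("203.0.113.9", sport, "192.168.1.3", 443, "SYN")
    return table


if __name__ == "__main__":
    t = run_sample()
    print("entries:", len(t.state), "half-open per source:", t.half_open_counts(),
          "dropped by guard:", len(t.dropped))
```

Without the cap, every SYN in the loop would occupy an entry until it timed out, which is exactly the memory exhaustion the notes describe for stateful firewalls; with it, the legitimate client's established conversation is unaffected.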
- occur when there are multiple paths between two devices
- devices mistakenly route broadcast messages
- network fills to capacity with those messages
- known as a broadcast storm
- spanning tree protocol
- includes loop protection to protect against broadcast storms
- uses BPDUs
- BPDU (bridge protocol data units)
- routing status messages that allow recomputation of network paths
- if exploited, can cripple network with spanning tree attacks
- BPDU guard
- blocks against spanning tree attacks
- firewalls and routers have logs that are a rich source of security info
- logs of every connection
- details about each attempted connection
- timestamps
- firewall rules applied to the attempt
- uses:
- security incident investigations
- network issue troubleshooting
- anomalous activity detection
- ingress filtering
- filtering of traffic entering the network
- egress filtering
- filtering of traffic exiting the network
- full packet inspection requires a large amount of storage capacity
- NetFlow data captures most details of connections
- source/destination systems
- source/destination ports
- timestamp
- amount of data
- very useful information
- doesn’t capture what, but does capture who, when and how much
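What can be done with "who, when and how much" alone: the ingress/egress checks from the firewall best-practice list, and a per-host volume summary, run over NetFlow-style records. This is an added example, not part of the original notes; the `Flow` records, the internal address ranges and the sample traffic are constructed:

```python
"""Added example (not from the original notes): ingress/egress sanity checks and
a volume summary run over NetFlow-style records, which carry who/when/how much
but no payload. The records and the internal address ranges are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed: the address space this org uses internally.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    ts: str
    direction: str  # "in" (from the internet) or "out" (to the internet)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    bytes: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def spoof_findings(flows):
    """Apply the two filtering checks from the firewall best-practice list:
    outbound traffic must come from internal addresses, inbound traffic must not."""
    findings = []
    for f in flows:
        if f.direction == "out" and not is_internal(f.src):
            findings.append(("outbound-non-internal-source", f))   # possible DDoS zombie
        elif f.direction == "in" and is_internal(f.src):
            findings.append(("inbound-internal-source", f))        # possible spoofing
    return findings


def bytes_by_internal_host(flows, direction="out"):
    """Who moved how much, per internal host, largest first. Useful for spotting
    an unexpected bulk transfer even though the payload itself is not recorded."""
    totals = defaultdict(int)
    for f in flows:
        if f.direction != direction:
            continue
        host = f.src if direction == "out" else f.dst
        if is_internal(host):
            totals[host] += f.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample records: two ordinary outbound flows, one outbound flow with
# a source address the org does not own, one inbound flow claiming an internal
# source, one ordinary inbound flow and one outbound DNS query.
SAMPLE_FLOWS = [
    Flow("2024-01-01T09:00:01", "out", "192.168.1.20", "203.0.113.10", 50123, 443, "tcp", 1500),
    Flow("2024-01-01T09:00:05", "out", "192.168.1.20", "198.51.100.7", 50124, 443, "tcp", 250000),
    Flow("2024-01-01T09:00:07", "out", "203.0.113.77", "198.51.100.9", 1025, 80, "tcp", 900),
    Flow("2024-01-01T09:00:09", "in", "192.168.1.50", "192.168.1.3", 4444, 22, "tcp", 400),
    Flow("2024-01-01T09:00:11", "in", "203.0.113.10", "192.168.1.3", 33000, 443, "tcp", 2000),
    Flow("2024-01-01T09:00:12", "out", "10.0.0.5", "203.0.113.10", 5353, 53, "udp", 300),
]

if __name__ == "__main__":
    for kind, flow in spoof_findings(SAMPLE_FLOWS):
        print(f"{kind}: {flow.ts} {flow.src} -> {flow.dst}:{flow.dport}")
    print("outbound bytes per internal host:", bytes_by_internal_host(SAMPLE_FLOWS))
```

The two findings are the rules a border firewall should already enforce; running the same logic over exported flow records is how you confirm the filtering is actually in place and catch the case where it was bypassed.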
security information and event management system
- facilitate rapid analysis of data
- log sources
- firewalls
- network devices
- servers
- application
- automates network monitoring and maintenance tasks
- managed devices
- routers, firewalls, APs
- agent
- software package that runs on devices
- network management system
- communicates with agents
- manages the network
- SNMP requests
- allow the network management system to get information from agents
- network management system → GetRequest → agent
- network management system ← response ← agent
- SNMP configuration
- allows the network management system to configure agents
- network management system → SetRequest → agent
- network management system ← response ← agent
- SNMP traps
- if something critical is needed, an agent can send information to the network management system
- network management system ← SNMPtrap ← agent
- should always use SNMPv3
- earlier versions have critical security flaws
- separates systems of differing security levels
- sensitive systems may be placed in their own isolated security zones
AKA jump box, jump server, jump host
- allow connections between differing security zones
- must be carefully secured
- can be used to bypass network segmentation
- it can be difficult to distinguish attacks from legitimate traffic
- fake networks, systems, files can be used to tell if traffic is malicious
- darknet
- unused but monitored address space on a network
- if being used or scanned, likely an attacker
- honeyfile
- a false store of sensitive-looking data
- honeypot
- systems designed to attract and trap attackers
- may contain honeyfiles on them
- honeynet
- a network designed to attract attackers
- may contain honeypots and honeyfiles
- DNS sinkhole
- altered DNS records to reroute botnet traffic
- intentionally route traffic away from a botnet
- usually to a webpage letting a user know that their system is compromised
- effectively a beneficial self-inflicted DNS poisoning attack
- use redundant power supplies
- vendors provide crucial services
- understand response times in support contracts
- understand that support contracts provide access to security updates and patches
- warranties provide repair and replacement of defective equipment
- circuit switching — plain old telephone system (POTS)
- PSTN
- ISDN
- DSL
- T-carriers
- packet switching — IP
- X.25
- frame relay
- ATM
- VoIP
- MPLS
- MPLS (multiprotocol label switching)
- used to create a cost-effective private WAN that is faster and more secure than a regular one routed through public networks (the Internet)
- more secure because a private network can be custom built for your organization
- because it is private, don’t have to maintain and use traditional VPN equipment
- can reduce delay and latency caused by VPN software
- provides QoS for VoIP and other priority traffic
- purely layer 3 technology
converged networks now carry voice and data services
- carries voice communications over data networks
- converts analog voice to digital data
- transmits over IP protocol
- VoIP phones
- softphones
- bridge devices
- convert analog systems to VoIP
- encryption
- protects traffic
- can degrade voice quality
- network segmentation
- separate data VLAN from voice VLAN
security issues
- eavesdropping
- toll fraud
- vishing
- SPIT
- latency
- jitter
supports communications w/ teams, partners, clients, vendors, etc.
-
IM (instant messaging)
- AIM, ICQ, MSN, etc.
- was popular, but created security issues
- outside of IT control
- unencrypted, open to eavesdropping
- replaced with on-prem or cloud-based solutions
- Skype, Teams, etc.
-
XMPP (extensible messaging and presence protocol)
- originally called Jabber
- open-source standards-based
- alternative to proprietary protocols
-
SMS (short message service)
- sends messages and images over wireless carrier networks
- convenient and popular
- significant security flaws
- no encryption
- no authentication
- SMS numbers can easily be spoofed
demand lots of dedicated bandwidth for moving large files
- simple
- self-contained
- commonly uses CIFS or NFS
- appears as a file system on the network
- complex
- massive storage systems with dedicated networks
- present storage to devices
- connect to devices with dedicated networks
-
fiberchannel
- uses a direct fiberoptic connection between SAN and devices
-
fiberchannel-over-Ethernet
- replaces fiberoptic cabling w/ Ethernet cables
- a bit slower
-
iSCSI
- runs SCSI connections over network connections
- SANs carry sensitive info
- often unencrypted for speed purposes
- storage traffic should be on a dedicated network, separate infrastructure or a VLAN
- storage VLANs should be carefully trunked
digital certs allow for exchange of public keys over untrusted networks
-
encrypts network communications
-
depends on pairings of encryption and hashing functions known as cipher suites
- TLS is not a cryptographic algorithm
-
steps
- client sends a request w/supported cipher suite to server
- server sends back a message w/ the selected best matching cipher suite to use and the server’s digital cert
- client checks server’s digital cert w/CA
- client creates a random encryption key called a session key
- session key is also known as an ephemeral key
- client uses the public key to encrypt the session key and sends it to the server
- server decrypts the session key w/ the server’s private key
- insecure predecessor to TLS
- has known security flaws
- often incorrectly used to describe TLS
- open source TLS project
- Heartbleed vulnerability
- allows attackers to retrieve info from servers using OpenSSL
- performs “friendly” man-in-the-middle attack to inspect network traffic
original implementation of TCP/IP didn’t consider security
- secures entire packet payload
- ESP (encapsulating security payload)
- provides confidentiality and integrity protection for packet payload
- encrypts payload
- AH (authentication header)
- provides integrity for packet header and payload
- ensures that no changes were made to the header or payload
- ESP and AH can be used in combination
- process that identifies the cryptographic algorithms a system can support
- each system lists the cryptography and hashing functions
- they find and agree upon the strongest matching functions in common
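The negotiation step is the same idea in the TLS handshake steps above (client offers cipher suites, server picks the best match) and in the IPsec/IKE association setup just described (each side lists algorithms and they settle on the strongest in common). The following is an added example, not code from the notes or from any TLS or IKE implementation; the suite names follow TLS 1.3 / OpenSSL naming, but the preference order and the banned lists are constructed server policy for the demo.

```python
"""Strongest-common-suite negotiation, server-preference style.

Added example. Preference and banned lists are constructed policy."""
from typing import Hashable, Iterable, Optional, Sequence


def negotiate(client_offer: Iterable[Hashable],
              server_prefs: Sequence[Hashable],
              banned: frozenset = frozenset()) -> Optional[Hashable]:
    """Return the first entry of server_prefs (strongest first) that the
    client also offered and that policy does not ban, else None.

    Walking the *server's* list rather than the client's is what keeps a
    client, or anyone who edited the offer in transit, from steering the
    session toward the weakest option both ends happen to support.
    None means: refuse the handshake rather than fall back."""
    offered = set(client_offer)
    for candidate in server_prefs:
        if candidate in banned:
            continue
        if candidate in offered:
            return candidate
    return None


# TLS side (constructed policy): AEAD suites only, strongest first.
TLS_SERVER_PREFS = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
TLS_BANNED = frozenset({"RC4-SHA", "NULL-SHA", "EXP-RC4-MD5"})

# IKE side: a proposal is (encryption, integrity, DH group) and matches
# only when all three parts match.  "none" marks an AEAD cipher that needs
# no separate integrity algorithm.  Constructed policy.
IKE_SERVER_PREFS = [
    ("AES-GCM-256", "none", "DH19"),
    ("AES-CBC-256", "HMAC-SHA2-256", "DH14"),
    ("AES-CBC-128", "HMAC-SHA2-256", "DH14"),
]
IKE_BANNED = frozenset({("3DES-CBC", "HMAC-MD5", "DH1")})


def demo() -> dict:
    """Three negotiations: a normal client, a client offer that reached the
    server with only a legacy suite left in it, and an IKE proposal list."""
    honest_client = ["RC4-SHA", "TLS_AES_128_GCM_SHA256",
                     "TLS_AES_256_GCM_SHA384"]
    stripped_offer = ["RC4-SHA"]
    ike_client = [("3DES-CBC", "HMAC-MD5", "DH1"),
                  ("AES-CBC-128", "HMAC-SHA2-256", "DH14")]
    return {
        # client listed RC4 first; server preference still wins
        "tls_honest": negotiate(honest_client, TLS_SERVER_PREFS, TLS_BANNED),
        # only a banned suite in common: refuse instead of downgrading
        "tls_stripped": negotiate(stripped_offer, TLS_SERVER_PREFS, TLS_BANNED),
        "ike": negotiate(ike_client, IKE_SERVER_PREFS, IKE_BANNED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A `None` result is the important case: the correct response to "nothing acceptable in common" is to abort, which is why the banned set is applied before the match rather than after it.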
- site-to-site VPN
tunnel mode
- encryption tunnel connecting two sites together
- invisible to users
- usually used to connect branch offices and main offices
- end-user VPN
transport mode
- encrypted remote access for individual systems
- once common
- being phased out for TLS-based VPNs
provide command line access to a remote system
- telnet
- used by older Unix systems in the past
- insecure
- doesn’t provide any encryption
- ssh
- provides secure remote shell alternative to telnet
- secure encrypted connection
- authentication modes
- password
- certificate-based
provides graphical access to a remote system
- RDP
- encrypted desktop access to Windows servers and machines
many common protocols don’t include built-in encryption
-
HTTP → HTTPS
- adds TLS to web browsing
-
telnet → SSH
- same functionality of telnet, but w/ encryption
-
FTP → FTPS
- adds TLS to FTP
-
FTP → SFTP
- transfers files over SSH
-
FTP → SCP
- uses SSH to securely copy files
-
TFTP trivial FTP
- insecure
- may be on exam in an attempt to trip you up
-
NTP → NTPSec network time protocol
-
DNS → DNSSEC
- adds digital signatures to DNS replies
-
DHCP
- in Windows, turn off DHCP services on machines not acting as a DHCP server
-
LDAP → LDAPS
-
voice and video services
-
should use TLS
- may need to be turned on in application settings
-
RTP-based VoIP should use SRTP
-
-
email
- use encrypted versions and ports
- can encrypt emails using S/MIME protocol
mail protocol | unencrypted port | encrypted port |
---|---|---|
POP | 110 | 995 |
IMAP | 143 | 993 |
SMTP | 25 | 465 |
-
wifi standards govern communication on many wireless networks
-
replaces cables w/ radio transmitters and receivers
-
WAPs connect wireless networks to wired networks and the Internet
-
subject to undetectable interception
- needs to be secured w/ encryption
Standard | Year | Max Speed |
---|---|---|
802.11 | 1997 | 2 Mbps |
802.11b | 1999 | 11 Mbps |
802.11g | 2003 | 22 Mbps |
802.11n | 2009 | 600 Mbps |
802.11ac | 2014 | 1 Gbps |
WEP (wired equivalent privacy)
- original wireless encryption standard
- serious security vulnerabilities
- shared authentication passwords
- weak initialization vector (24 bit)
- initialization vector transmitted in plaintext
- uses RC-4 cipher
- easily crackable
- only option for 802.11b
- no longer secure
exam tip
although outdated this is testable as a default for most routers for compatibility reasons.
WPA (Wi-Fi protected access)
- replaced WEP in 2003
- backwards compatible with WEP
- stronger initialization vector (48 bit)
- uses TKIP (temporal key integrity protocol) to rapidly rotate encryption keys
- contains vulnerabilities
- still uses RC-4
- no longer secure
WPA2
- upgrade to WPA introduced in 2004
- encrypts using AES
- uses CCMP
- provides additional encryption strength
- some potential security issues
- not backwards compatible with WEP or WPA
- considered secure
- most wireless networks limit access to authorized users
-
simple form of authentication
-
use a 256-bit encryption key in one of two ways
- hexadecimal string
- 64 hex characters that encode a 256-bit encryption key
- password
- 8-13 ASCII characters converted to a 256-bit encryption key using PBKDF2
-
limitations
- changing the key is a pain in the ass
- identifying individual users and revoking their access is impossible
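The passphrase-to-key step described above, as an added example (not code from the notes or from any Wi-Fi stack): PBKDF2 turns the ASCII passphrase into the 256-bit key that the 64-hex-character form expresses directly, with the SSID as the salt. The PBKDF2 parameters (HMAC-SHA1, 4096 iterations, 32-byte output) are the ones IEEE 802.11 specifies for this mapping; the passphrases and SSIDs in the demo are constructed.

```python
"""WPA2 pre-shared key derivation from a passphrase (added example)."""
import binascii
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11 for passphrase-to-PSK mapping
PSK_LEN = 32               # 256-bit PSK


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11 passphrases are 8 to 63 printable ASCII characters."""
    return (8 <= len(passphrase) <= 63
            and passphrase.isascii()
            and passphrase.isprintable())


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK.  The SSID is the salt, so one passphrase
    yields a different key on every network and a table precomputed for one
    SSID is useless against another."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1",
                               passphrase.encode("ascii"),
                               ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS,
                               PSK_LEN)


def psk_to_hex(psk: bytes) -> str:
    """The 64-hex-character form a client can be configured with directly."""
    return binascii.hexlify(psk).decode("ascii")


def psk_from_hex(hex_key: str) -> bytes:
    """Accept a key given as hex; reject anything that is not exactly 256 bits."""
    if len(hex_key) != 64:
        raise ValueError("hex PSK must be exactly 64 hex characters (256 bits)")
    return bytes.fromhex(hex_key)   # ValueError on non-hex input


if __name__ == "__main__":
    # constructed values
    key = passphrase_to_psk("correct horse battery", "LabNet")
    print("PSK for LabNet :", psk_to_hex(key))
    print("PSK for OtherNet:", psk_to_hex(passphrase_to_psk("correct horse battery", "OtherNet")))
```

Because every client ends up with the same 32 bytes, the limitations in the notes follow directly: rotating the passphrase re-derives one key that must be pushed to every device, and nothing in the derivation identifies which user presented it.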
-
use some form of EAP
-
EAP extensible authentication protocol
-
authentication framework
- not a specific authentication mechanism
-
many variants, some secure, some not
-
variants
-
LEAP lightweight EAP
- relies on MS-CHAP
- insecure
-
PEAP protected EAP
- tunnels EAP inside a TLS session
-
EAP-TLS
- secure
-
EAP-TTLS EAP - tunneled TLS
- secure
-
EAP-FAST EAP - flexible authentication via secure tunneling
- replacement for LEAP by Cisco
-
EAP-MD5
- insecure
-
-
exam tip
know which EAP variants are secure.
- redirect users to an authorization webpage
-
many factors affect the ability of radio waves to reach users
-
omnidirectional antennas
- send signals in all directions
-
directional antennas
- direct signals in a single direction
- useful for site-to-site communication
-
beamforming
- 802.11ac feature
- steers signal towards clients
-
optimal AP placement depends on building characteristics
- walls, building materials, pipes, vents, etc.
-
site survey
- determines optimal AP placement
- creates heatmaps to help w/ placement
-
other tips
- avoid overlapping channels w/ neighboring networks
- power levels can be manipulated to modify range and signal strength
- contain all of the hardware and software needed to operate a wireless router
- minimal equipment
- just the radio and chipset
- rely on wireless controllers for configuration and to run the network
- run the network
- manage configurations
- optimize AP performance
- reduce interference w/ other APs
- search for rogue networks
- test wireless security
- Aircrack-ng is a popular security testing tool
- in urban, suburban and rural areas
- can cover distances of 20+ miles
- terrain dependent
- rated according to generation of service
-
cover shorter distances w/higher bandwidth
-
point-to-multipoint
- single basestation to many clients
-
point-to-point
- connects two fixed basestations
-
usable almost anywhere
-
slow and expensive
-
GPS
- provides exact location anywhere on earth
- uses electromagnetic induction for communications
- covers distances measured in cms
- used for Apple Pay, Google Pay
- range of ~30 feet
- used by headphones, speakers, smart watches, etc.
- used to create a PAN (personal area network)
- modes
- discovery mode
- automatic pairing mode
- threats
- bluejacking
- sending spam to nearby bluetooth devices
- bluesnarfing
- copying information off of remote devices
- bluebugging
- more serious
- allows for full use of the phone
- allows attacker to remotely make calls
- allows attacker to eavesdrop on calls as well
- require a clear path between the transmitter and receiver
- allows for a wired connection
- may be used for tethering
- four-digit passcodes don’t provide strong security
- should use complex passwords
- biometric authentication offers a convenient alternative access method
- FaceID, TouchID
- protects sensitive info
- enabled by default on modern iOS and Android devices
- removes data from lost/stolen devices
- only available if the device is connected to a network to receive the remote wipe command
- auto screen locking
- push notifications for two-factor authentication
- MicroSD HSMs
- provide secure key management
- SELinux on Android
- manage settings across many mobile devices
- powerful tool
- ensures that devices used on an org’s network have security settings that match the org’s security policy
- prevents users from modifying security settings
- controls data stored on devices
- remote wiping
- revoking access
- disabling removable storage
- management of apps installed on devices
- app blacklist
- app whitelist
- storage segmentation
- separates sensitive info
- content filtering and management
- orgs need to track mobile devices just like they do all other org assets
- lost devices introduce confidentiality and financial risks
- confidentiality: devices contain sensitive org info
- financial: devices are expensive, upwards of $1,500
- manage device inventories
- should manage throughout the entire lifecycle
- request for device
- ordering and receiving device
- initial configuration of device
- device assignment (and reassignment)
- device decomm
-
allows orgs to locate lost/stolen devices
-
can provide historical location details
-
geofencing
- alerts when a device leaves a predefined area
-
GPS use limits
- limit who has access to data
- ability of the monitored user to disable tracking
- consider auto-disabling after work hours
- clear disclosure is needed
- use strong credential management
- should rely on central authentication
- using external authentication places a great amount of trust in external providers
- encrypt info in transit
- encrypt info at rest on the device
- practice strong key management
- may disclose sensitive org locations
- ex. photos, map apps
- should apply location settings in apps as necessary
-
MDM solutions allow lockdown of mobile device configurations
-
third party app stores may contain unsafe code
-
sideloading
- installing software outside of normal app stores
-
jailbreaking
- installs custom firmware and OS on mobile device
-
rooting
- installs software that allows root access to mobile device
-
all three add security risks to devices
-
-
mobile devices must be patched w/ current patches and OS updates
- often done through OTA (over-the-air) updates
-
device unlocking allows for portability amongst service providers
- less common, devices are usually bought at full price in an unlocked state
-
restrictions on device features
- many different security policies on devices
- feature use needs to align w/ org’s business purpose and security needs
- examples:
- camera use
- messaging
- external media use
- microphone use
- GPS / geotagging
- Wi-fi usage
- device tethering / hotspots
- mobile payments
- some employees want to use personal devices for business purposes
- not this guy!
- marks a radical shift in philosophy
-
who, what and how?
- who can bring and use devices?
- what devices will they bring?
- how will the devices be securely used?
-
ownership?
- user owns the device
- user owns their personal data
- org owns their data
- org owns their network and IT support
- users should understand monitoring that will be used
- will be unlikely to accept intrusive monitoring
- orgs should consult w/ their legal team
- review local, state, federal laws about privacy
-
onboarding
- ensure that device meets security requirements
-
offboarding
- ensure that all sensitive org data is removed from the device
- consider the impact of BYOD on the org’s technical infrastructure
- MDM use
- patching and AV management
- camera use
- forensic procedures
- limits org control of devices
- users select their device which the org purchases
- size preference: mini, phablet, etc.
- OS preference: iOS, Android, etc.
- may provide users w/ a menu of devices to choose from
-
allows for personal use of org-owned devices
-
MDM solutions provide policy enforcement for all of the above models
- desktop OS is in the cloud or the org’s data center
- employee uses their own device to access remote desktop
- admins should config endpoint OSes to meet org security requirements
- attackers can exploit a vulnerability in one endpoint to attack the entire network
- admins should limit admin access to systems
- can be achieved with Group Policy management
- corrects security issues in applications and OSes
- use configuration management tools to patch
- patches should go through change management process!
- lockdown of configurations
- remove unnecessary software and OS components
- reduces attack surface
- lock down host firewalls
- disable default accounts and passwords
- verify that configurations match industry best practices
- Windows registry
- Unix/Linux/OSX configuration files
malicious software
-
viruses
- spread by human actions
-
worms
- spread by themselves
-
trojan horses
- disguise themselves in other software
-
spyware
- gathers info
- uses many techniques to spread
-
protects against many threats
-
types
- signature detection
- behavior detection
-
advanced real-time protection
-
uses sandboxing
-
sandboxing
- isolates malicious content
-
spam filtering
- blocks unwanted email
-
malware logs on endpoints should be sent to a centralized system (SIEM) for storage and analysis
-
restricts software that can run on a system
-
Applocker: example of Windows application control technology
-
application control logs should be sent to SIEM or central log storage repo
-
whitelisting
- admins create a list of all applications that may run on a system
-
blacklisting
- admins create a list of applications that are prohibited from running on a system
- baseline identifies expected system software
- reports deviations from baseline
- software component of an OS that limits connections to the system
- restricts network traffic
- uses default deny rule
- granting network access requires configuring the host firewall and network firewall
-
IDS (intrusion detection system)
- alerts administrators to suspicious network activity
-
IPS (intrusion prevention system)
- takes actions to block suspicious network activity
-
are also found in third party security solutions
-
usually are not part of an OS
-
logs should be sent to SIEM or central logs repo
- watches for unexpected file modifications
- uses hashing functions
- periodically verifies hash values of critical files
- tuning is crucial
- need to adjust FIM system to meet org needs
- often a compliance requirement
- Tripwire: example of Unix-based FIM software
- analyzing output of FIM is testable on the exam
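The FIM cycle described above (hash critical files into a baseline, re-hash later, report deviations), as an added example that is not code from the notes or from Tripwire. The directory tree, file names and "changes" are constructed inside a temporary directory so it runs offline; the `ignore` prefixes stand in for the tuning step, since paths that change legitimately would otherwise drown real alerts.

```python
"""Minimal file integrity monitor: baseline, re-scan, diff (added example)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path, ignore=()) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Paths beginning with an ignore prefix are skipped: that is the tuning."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in ignore):
            continue
        baseline[rel] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify deviations the way a FIM report would: added, removed, modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate changes, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin/login").write_bytes(b"\x7fELF constructed binary stand-in\n")
        (root / "var/log/auth.log").write_text("line 1\n")

        ignore = ("var/log/",)          # logs churn; not an integrity signal
        baseline = build_baseline(root, ignore)

        # simulated events between scans (all constructed)
        (root / "bin/login").write_bytes(b"\x7fELF constructed binary stand-in\n"
                                         b"extra bytes appended\n")
        (root / "etc/hosts").unlink()
        (root / "etc/rc.local").write_text("constructed new startup script\n")
        (root / "var/log/auth.log").write_text("line 1\nline 2\n")   # ignored

        return compare(baseline, build_baseline(root, ignore))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

Reading the report is the skill the notes call testable: a modified entry under `bin/` with no corresponding change ticket is the case that warrants investigation, while the ignored log file produces no line at all.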
-
tech solutions that search systems and networks for sensitive info
-
have the ability to remove, block or encrypt the found sensitive info
-
these controls ensure that certain data (SSNs, account numbers, birthdays, etc.) are controlled and don’t leave the organization
-
two types:
-
host-based DLP
- software agent on a single system
- looks for sensitive info on the system
- can also look for use of external media (USB thumbdrives, hard drives, CD-/DVD-Rs) that could be used to remove sensitive data
-
network-based DLP
- scan network transmissions for sensitive info
- may block traffic when sensitive info is found
- may also automatically encrypt traffic that is found
- common in email systems
-
-
scanning methods:
-
pattern matching
- recognizes known patterns of sensitive info
- ex. 123-45-6789 is a SSN, 1-234-567-8910 is a phone number
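Pattern matching as described above, as an added example (not code from the notes or from any DLP product): regular expressions for the SSN and phone-number shapes the notes give, plus a card-number pattern confirmed with a Luhn check so that arbitrary digit runs do not trigger it. The sample text and the identifiers in it are constructed; the card number is the well-known 4111 1111 1111 1111 test value.

```python
"""Pattern-matching DLP scanner with redaction (added example)."""
import re

PATTERNS = {
    # SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA allocation rules)
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # North American number in the 1-NXX-NXX-XXXX shape used in the notes
    "us_phone": re.compile(r"\b1-\d{3}-\d{3}-\d{4}\b"),
    # 13 to 16 digits with optional single space/dash separators; Luhn-checked below
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_hit(kind: str, text: str) -> bool:
    """Card candidates must also pass Luhn; other kinds match on shape alone."""
    return kind != "card" or luhn_ok(text)


def scan(text: str) -> dict:
    """Return {kind: [matches]} for every sensitive-data kind found."""
    found = {}
    for kind, rx in PATTERNS.items():
        hits = [m.group(0) for m in rx.finditer(text) if _is_hit(kind, m.group(0))]
        if hits:
            found[kind] = hits
    return found


def redact(text: str) -> str:
    """Replace each confirmed match with a placeholder, leaving the rest intact."""
    for kind, rx in PATTERNS.items():
        def repl(m, kind=kind):
            if not _is_hit(kind, m.group(0)):
                return m.group(0)
            return f"[{kind.upper()} REDACTED]"
        text = rx.sub(repl, text)
    return text


# Constructed sample: one of each kind, plus a decoy that must not match.
SAMPLE = ("Hi, my SSN is 123-45-6789, call me at 1-234-567-8910. "
          "Card on file: 4111 1111 1111 1111. Ticket 9876-54-3210 is not an SSN.")


if __name__ == "__main__":
    print(scan(SAMPLE))
    print(redact(SAMPLE))
```

The decoy shows why the lookaheads matter: a 9xx area number has the SSN shape but cannot be a valid SSN, and a DLP rule that fires on shape alone generates the false positives that get such controls switched off.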
-
watermarking
- sensitive info is identified by electronic tags attached to files
-
-
cloud-based DLP systems are available that operate as an MSSP
-
provide isolation and separation
-
create zones based on trust
-
hardware vs. software
-
use rule based access control (RBAC)
-
enforce network policy
-
usually on the perimeter of a network
- fast, cheap, first line of defense
- packet filtering
- screening router — act as first level of screening network traffic
- inspect layer 3 and 4 headers
- source and destination IPs
- source and destination ports
- protocols (TCP or UDP)
- stateful filtering
- is aware of initiation of sessions and their states
- can block unsolicited replies
- can understand the syntax of lower layer protocols and block “misbehaving” traffic
- slower and more expensive
- aka application proxies or application firewalls
- deep packet inspection
- forward proxy inspects traffic from inside the network going out
- reverse proxy inspects traffic from outside the network coming in
- can inspect content, time, application-awareness, certificates, etc.
- specific to the application layer
- use access control lists (ACLs)
- rules applied to each packet the firewall receives
- not stateful, can only look at the network and transport layer packets (IP address, port, “flags”)
- can’t look at application layer, look for viruses, etc.
- usually aren’t advanced or customizable
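The packet-filter and stateful-filter behaviour described above, as an added example (not code from the notes or from any firewall product): a first-match ACL with default deny over layer 3/4 fields, and a stateful wrapper that remembers sessions opened from inside so that an unsolicited "reply" is dropped even though a stateless rule would have to let it through. The addresses are documentation ranges and the rule set is constructed for the demo.

```python
"""Stateless ACL versus stateful filtering on constructed packets (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN set: this packet tries to open a session
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None = any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Layer 3/4 header fields only: that is all a packet filter sees."""
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def stateless_filter(p: Packet, acl) -> str:
    """First matching rule wins; no match means deny (default deny)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


INSIDE = "10.0.0.0/8"

# Stateless ACL (constructed): inside hosts may browse out, and because the
# filter cannot tell a reply from anything else, it must admit every inbound
# TCP packet whose source port is 80.
STATELESS_ACL = [
    Rule("allow", "tcp", src=INSIDE, dport=80),
    Rule("allow", "tcp", dst=INSIDE, sport=80),
]

# Stateful ACL needs only the outbound rule; replies are admitted by state.
STATEFUL_ACL = [
    Rule("allow", "tcp", src=INSIDE, dport=80),
]


class StatefulFilter:
    """Tracks sessions by 4-tuple; a packet is accepted if it belongs to a
    known session, or if it opens one (SYN without ACK) and the ACL allows it."""

    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.sessions or reverse in self.sessions:
            return "allow"                      # established session
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"                       # mid-stream or reply with no session
        verdict = stateless_filter(p, self.acl)
        if verdict == "allow":
            self.sessions.add(key)              # remember the session we opened
        return verdict


def demo() -> dict:
    """Constructed traffic: a real web session and a forged inbound 'reply'."""
    client_syn = Packet("10.1.2.3", 51515, "198.51.100.9", 80, syn=True)
    server_synack = Packet("198.51.100.9", 80, "10.1.2.3", 51515, syn=True, ack=True)
    forged = Packet("203.0.113.5", 80, "10.1.2.3", 3389, syn=True, ack=True)
    sf = StatefulFilter(STATEFUL_ACL)
    return {
        "stateless_forged": stateless_filter(forged, STATELESS_ACL),   # slips through
        "stateful_syn": sf.filter(client_syn),
        "stateful_reply": sf.filter(server_synack),
        "stateful_forged": sf.filter(forged),                          # blocked
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The forged packet is the "unsolicited reply" of the notes: source port 80 satisfies the stateless rule, but with no session opened from inside the stateful filter has nothing to match it to and drops it.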
- two types
- circuit level
- application
- both types hide internal hosts/addressing from the outside world
- advantages
- understand the protocol and can add extra security based on that understanding
- can have advanced logging/auditing
- can have advanced access control
- ex:
- restricting website access
- inspecting data for protocol violations
- inspecting data for malware, viruses, etc.
- disadvantages
- slower. extra CPU power needed for extra processing and inspection of data
- proxies only understand the protocol that they were written for
- usually need a separate proxy for each protocol that you want to proxy
- Jim says: BlueCoat only handles HTTP
- LAN: local area network
- high speed
- small physical area
- WAN: wide area network
- used to connect LANs
- usually slow, using serial links
- MAN: metropolitan area network
- connect sites together in a smaller geographic region (like a city… hence the metropolitan)