1
Q
Modules
A
- Defensible Network Architecture
- Virtualization and Cloud Security
> Lab - Virtual Machine Setup - Network Device Security
- Networking and Protocols
> Lab - tcpdump - Securing Wireless Networks
> Lab - Aircrack-ng - Securing Web Communications
> Lab - Wireshark
2
Q
Defensible Network Architecture
A
- Network Architecture
- Attacks against Network Devices
- Network Topologies
- Network Design
3
Q
Understanding the Architecture of the System
A
- Conceptual Design
- Logical Design
- Physical Design
- Understand Communication Flow
- Know Where Your Valuable Data Is
4
Q
Conceptual Design
A
- High-level design
- core components of network architecture
- picture of overall purpose of network
- required for integration, general functionality, data flow, and high level system behavior
- utilizes ‘black box’ diagramming
5
Q
Logical Design
A
- represents each logical function in the system
- more detailed
- all major network components and their relationships
- detailed data flows and connections mapped out
- primarily for devs and security architects
- includes business services, application names, and other relevant information
6
Q
Physical Design
A
- all major components and entities identified within specific physical servers and locations
- usually the last design created before final implementations
- contains all known details such as OSes, version #s, and relevant patches
- includes physical constraints and limitations
7
Q
Understand Communication Flow
A
- begins with logical architecture
- shows how data can flow in and out of network
- maps every communication flow, whether for data exchange or control messages
- used to understand exposure and visibility of key components
- forms the foundation for threat mapping
8
Q
Know Where Your Valuable Data Is
A
- also begins with the logical architecture
- to secure a network, you need to know where every piece of your valuable data resides
- focus on critical intellectual property:
> what is it?
> where is it?
> who has access to it?
> who should have access to it?
9
Q
Networks under attack
A
- as servers become more difficult to compromise, network infrastructure is a vector of attack
- controlling the routers and switch gives visibility into all of the traffic
- many routers and switches are not secure or kept up to date
- external routers are often visible and accessible via a password
10
Q
Threat Enumeration
A
Threats drive the risk calculation and important for understanding the adversary:
- list all possible threat agents
- list the attack methods
- list the system-level objectives
11
Q
Attacks against Routers
A
- Denial of Service
- Distributed Denial of Service
- Packet Sniffing
- Packet Misrouting
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CRSF)
- SYN Flood
- TCP Reset Attack
- Routing Table Poisoning
- Malicious Insider/Disgruntled Employee
12
Q
Attacks against Switches
A
- CDP Manipulation
- MAC Flooding
- DHCP Spoofing
- STP Attacks
- VLAN hopping attack
- Telnet attack
13
Q
Physical Topologies
A
- how the network is actually connected
- how the data actually flows
- wired or wireless
- verification of physical topology is critical to ensure security
- star topology most common
14
Q
Logical topologies
A
- how you communicate across wires
- meaning of the information
- language
- ethernet most common (CSMA/CD)
15
Q
Ethernet
A
- Ethernet is shared media
> CSMA/CD (carrier sense multiple access with collision detection) - most common logical topology or layer 2 protocol
- steps taken to communicate:
> listen before transmitting
> make sure only one station transmits at a time
> monitor transmissions to check for collisions
16
Q
Approaches to Network Design
A
Segmentation
- Network Segment
- Implement Controls at Multiple Layers
- Least Privilege Rule
- Segment Based on Security Requirements
- Whitelisting
Protected Enclave
Software Defined Networking (SDN)
- Micro-segmentation
17
Q
Network Architecture Design
A
Prioritized Protection of Key Resources
Most enterprise networks are relatively flat and offer little resistance once the perimeter is breached.
18
Q
Network Design Objectives
A
- Provide appropriate access from the internal network to the Internet
- Protect the internal network from external attacks
- Provide defense-in-depth through a tiered architecture
- Control the flow of information between systems
19
Q
Network sections (1 of 2)
A
- Public: Internet
- Semi-public (DMZ) : Web, Mail, and DNS servers
- Middleware: Separate DMZ from private network
- Private : Internal systems
Locate firewalls:
- between the internet and other networks
- between semi-public and private network
- between sections of varying trust levels
20
Q
Network sections (2 of 2)
A
three goals of network design:
1- any system visible from the internet must reside on the DMZ and cannot contain sensitive info
2- any system with sensitive info must reside on the private network and not be visible from the internet
3- the only way a DMZ system can communicate with a private network system is through a proxy on the middle-ware tier
21
Q
Summary
A
- Understanding network technologies, physical, and logical topologies, and network design is vital to create and maintain a secure network
- to secure a network, we must understand how it works
- security must be embedded into the network and not be an afterthought
- only by understanding how components on a network work and through a proper network architecture design can an organization achieve a secure network
22
Q
Module 2: Virtualization and Cloud Security
A
- virtualization
- setting up virtualization
- virtualization security
- virtualized architectures
- cloud overview
- cloud security
23
Q
Virtual machines
A
- allows software to run virtually on the same hardware
> OS level VMs
> application-level VMs - virtual machine software is responsible for segmenting and creating virtual hardware
24
Q
The key component of virtualization is the ability for abstracting and emulating of specific hardware components which is done by the ?
A
hypervisor
25
VMWare Network Options
1- Host-only network: nothing other than host OS gets to VM across network
2- Bridged network: host and VM behave as though sitting next to each other on a switch ...introduces VM MAC address on LAN
3- NAT: host acts as a NAT which VMs sit behind
26
What is Virtualization Security ?
- collective measures, procedures, and processes that ensure the protection of the virtualization infrastructure and environment
- focuses in on protection and isolation of the various guest OSes
- hypervisor security is a key component of virtualization security
A focus area for attackers and therefore a key focus for security professionals is protecting against VM escape tactics
27
Benefits of Virtualization for Security
- Isolation - OS and Application
> helps IT managers better handle application instability
- Resiliency and High Availability
> admins quickly provision secure machines, replicate security policies across VMs
- Automation
- Virtual Appliances
- Forensic Analysis
> can create exact working copy of physical computer
28
The Hypervisor
- hypervisor is a threat surface
- compromise it and you own everything
- solution: Virtual Machine Introspection
value of hypervisor is that it reduces attack surface that attacker has to work with
drawback is if it is compromised, attacker owns everything
29
Machines becoming files
- machines as files leads to mobility
- mobility creates opportunity for theft
- virtual sprawl
30
virtual sprawl
condition in operating environment where number of VMs is so much that they can no longer be effectively managed or secured
31
Additional Layers of Virtualization Infrastructure Complexity
- Resource sharing
> allows for simplified file exchanges between VMs
- Direct memory sharing
> direct memory access to controllers such as video and network cards
Features designed for functionality and enhanced performances can also create security exposures.
With virtualization it is critical to identify and monitor these risks closely.
32
Mitigating the Risks of Virtualization
```
- separation
> separate dev environment
- establish 'trust zones'
> each VM should fall into a security category
- enforce certain processes
- sprawl management
> actively manage the virtual environment
- stack management
- auditing
- patching
```
33
Data Security
```
- 3 options for data protection
> content discovery
> volume storage encryption
> object storage encryption
- data loss prevention
- data migration to the cloud (detection)
- DB activity monitoring
- file activity monitoring
- data dispersion
- data fragmentation
```
34
Barriers to developing full confidence in Security as a Service
- compliance
- multi-tenancy
- vendor lock-in
35
what measures do security as a service providers take to earn the trust of their customers?
- strong security controls and system lockdown functions
- rigid physical security
- background checks on personnel
36
Business continuity and Disaster Recovery
customer should:
- review the contract of third party commitments
- review third party business continuity processes and any particular certification
- conduct on-site assessment
Cloud customers should not depend on a single provider of services and should have a DR plan in place that facilitates migration or failover should a supplier fail
37
Labs - Section 1
- Virtual machine setup
- tcpdump
- aircrack-ng
- wireshark
38
Labs - Section 2
- John the Ripper
- Cain & Abel
- Malicious Software
39
Labs - Section 3
- Nmap
- Snort
- hping3
- command injection
40
Labs - Section 4
- Image Steganography
- GNU Privacy Guard (GPG)
- Hashing
41
Labs - Section 5
- Process Hacker
- Microsoft Baseline Security Analyzer
- Secedit
- PowerShell Scripting
42
Network Devices
Hub
Bridge
Switch
Router
43
Hub
replicates traffic onto all ports, minimal security
44
Bridge
maintains track of network addresses, segments traffic, and breaks up collision domains
45
Switch
micro-segmentation with each port receiving traffic for the appropriate host using the MAC address
46
Router
connects networks together and determines the path a packet will take over a network
47
examples of sniffers
- tcpdump - initial triage
- wireshark - detailed analysis and packet decoding
- snort - NIDS to determine scope of compromise
- dsniff - useful for sniffing on a switch
- kismet - wireless network sniffer and IDS
48
authorized sniffing
most switches support 'port mirroring' , 'SPAN', 'management port' or similar features. which allow network administrators to perform authorized sniffing to monitor LAN traffic on any computer connected to one designated switch port
49
unauthorized sniffing
unauthorized sniffing on a switch is difficult but with the advent of tools such as dsniff, it has simplified this task
with an ARP redirect program and IP forwarding, an attacker can sniff every station on your switched network
50
ARP
Address Resolution Protocol
ARP is the scheme used by one host on a LAN to determine the MAC address of another host on the LAN
51
ARP is described in which RFC?
RFC 826
52
At a minimum, a computer has 2 addresses
- IP address
| - MAC address
53
MAC Address (Layer 2)
- 48-bit address (12 hexadecimal digits)
- First half vendor code (00:00:0c - Cisco)
- Determines the next hop
- Hardware address
54
IP Address is configurable (Layer 3) - description?
- 32-bit address
- part network and part host
- configured by user
- dictated by location
- used to determine the path
- software address
55
Cisco's MAC vendor code
00:00:0c
56
Sun's MAC vendor code
08:00:20
57
Device Security: Hardening Routers
- change the default password
- disable IP directed broadcasts
- Disable HTTP configuration for the router, if possible
- Block ICMP ping requests
- Disable IP source routing
- Determine your packet filtering needs and establish them
- Establish ingress and egress address filtering policies
- maintain physical security of the router
- review the security logs
- latest OS
58
Main uses of virtualization?
- security training
- incident response
- malicious code analysis
- digital forensics
- virtual security lab
- data center consolidation
- cloud based services
59
Router Hardening: Source Routing
- allows IP packets to specify routing
- can be used to bypass firewalls
- most commonly used by attackers
- should be disabled by default and enabled only if needed
60
Router hardening: Directed broadcasts
- directed broadcasts are seldom needed with modern protocols
- many historical DoS attacks use these
- if they are needed, should be tightly restricted
61
Router hardening: IOS ports and services
- router OS called IOS
- IOS has services and open ports
- default installation focuses more on functionality than security
- routers often lack typical password controls like lockout or complexity
62
Router hardening: Telnet vs SSH
- telnet typically used for remote access of routers
- telnet susceptible to sniffing
- SSH preferred alternative
- SSH helps with password sniffer, but not pword guessing unless certificates or preset keys are used
63
Router hardening: SSH via internal port
- recommended solution with SSH is to have no open external ports
- VPN behind firewall and connect via SSH to internal interface of router
- added benefit is VPN access is typically logged while router access is not
64
Switch hardening: VLANs
- segmenting switch to different networks
- separate networks with SW not HW
- reduces visibility and potential damage from attack
65
Switch hardening: NAC
Network Access Control
- dynamic VLAN allocation
- isolates systems when they intially connect to network
- enables systems to be scanned and checked prior to being put on a trusted segment
66
Switch hardening: 802.1x
- network level authentication
- only allow authorized devices to connect
- can be used with both wired and wireless devices
67
Switch hardening: port forwarding
- intercepting traffic going to an ip and port and redirecting to another ip and port
- used to hide what services are running on a network
68
what is a network protocol?
- agreement of or rules of engagement for how computer networks will communicate
- entities exchanging messages are network's SW and HW
- protocols define the format and order of messages and actions to be taken upon message receipt
- protocol stacks are a set of network protocol layers that work together to implement communications
69
3 purposes of communication protocols?
- standardize format
- specify order/timing
- determine meaning of communication
70
OSI protocol stack
```
1- physical
2- data link
3- network
4- transport
5- session
6- presentation
7- application
```
71
OSI vs TCP/IP
Tcp layers:
1- Network -> OSI 1 and 2
2- Internet (IP) -> OSI 3
3- Transport (TCP) -> OSI 4
4- Application -> OSI 5,6,7
72
how tcp/ip packets are generated?
as you go down the stack, each layer adds a header
as you go up the stack, each layer removes a header
73
IP internet protocol
- works at the internet layer of the tcp/ip stack
- layer 3 of osi
- core routing protocol of the internet
- deals with transmission of packets between endpoints
- defines addressing scheme for the internet
74
IPv4 vs IPv6
- IPv4 accomodates 4.2 billion unique 32-bit addresses
- IPv6 - 128bits accomodate 340 undecillion addresses (7 addresses for each atom of every human)
- IPv6 has authentication of endpoints (IPv4 doesn't)
- IPv6 supports encryption (whereas IPv4 needs apps to provide encryption)
- IPv6 has QoS features (IPv4 has best effort transport)
75
IPv4 header
```
1- version
2- IHL
3- Type of Service
4- Total Length
5- Identification
6- Flags
7- Fragment Offset
8- Time to Live
9- Protocol
10- Header Checksum
11- Source Address
12- Destination Address
13- Options (optional)
```
76
Some IP Options
- record route
- IP timestamp
- Strict source routing
- loose source routing
77
IPv4 key fields
- IP version 4 bits
- protocol 8 bits
- time to live TTL 8 bits
- fragmentation 16 bits (13 bits fragment offset, 3 bits flags)
- source and dest address 32 bits each
78
IPv6 headers
```
1- version 4 bits
2- traffic class 8 bits
3- flow label 20 bits QoS management
4- payload length 16 bits length in bytes
5- next header 8 bits next encapsulated protocol
6- hop limit 8 bits
7- src address 128 bits
8- dest address 128 bits
```
79
IPv6 features
- extended address space
- route aggregation, improved delegation/management, hierarchy
- auto configuration support
- IPv6 over IPv4 tunneling
- IPv4 over IPv6 translation
- flexible embedded protocol support
- authentication of endpoints
- encryption support
80
IP protocols with OSI model
Layer 3 - IP and ICMP
| Layer 4 - TCP and UDP
81
ICMP - Internet Control Message Protocol
2 purposes:
- to report errors or troubleshooting
- -> destination host unreachable
- -> fragmentation needed and DF flag set
- to provide network information
- -> ping: is the host alive and latency
tied to IP version:
- ICMPv6 for IPv6
82
ICMP header
1- ICMP type 8 bits
2- ICMP code 8 bits
3- ICMP checksum 16 bits
4- ICMP payload - variable length
83
ICMP common types and codes
```
Type 0: Echo reply
Type 3: Destination unreachable
- Code 0: Network unreachable
- Code 1: Host unreachable
- Code 3: Port unreachable
- Code 9: Destination network administratively prohibited
```
```
Type 5: Redirect
Type 8: Echo request
Type 11: Time exceeded
- Code 0: TTL expired in transit
- Code 1: TTL expired during reassembly
```
84
TCP
- most common transport protocol today
- provides guaranteed packet delivery or at least notifies of problem
- > overhead to track packet delivery
- > establishes virtual connection called session
85
TCP uses
- flow control to handle network congestion
- guaranteed delivery more important than speed
- better protection against spoofs
86
common TCP ports
```
20 - ftp data
21 - ftp
22- ssh
23 - telnet
25 - smtp
53 - dns
79 - finger
80 - http
443 - https
```
87
establishing a tcp connection
1- SYN
2- SYN/ACK
3- ACK
3 way handshake in which ISNs are exchanged
88
ISN
initial sequence number
89
TCP header
```
1- src port 16 bit
2- dest port 16 bit
3- seq num 32 bits
4- ack num 32 bits
5- data offset 4 bits
6- reserved 3 bits
7- flags 12 bits
8- windows size 16bit
9- checksum 16 bit
10- urgent pointer 16 bit
11- options 32bit (padded with 0s if needed)
```
90
TCP flags 1 bit each
1- NS experimental
2- CWR congestion window reduced..response to ECE
3- ECE indicates ECN compatibility
4- URG process before other non-urgent packets
5- ACK acknowledge packet receipt
6- PSH process as received instead of buffering
7- RST host not expecting packet
8- SYN establishing 3way handshake
9- FIN no more sender data
91
Closing TCP session gracefully
A ->FIN
B->ACK
B->FIN
A->ACK
92
Closing TCP session abruptly
RST
| ACK
93
UDP uses
- real-time communication (multimedia/VOIP)
- repetitive data (NTP)
- large volume where overhead could impact performance (syslog)
94
common UDP ports
```
53 - dns
67 and 68 - bootp
69 - tftp
123 - ntp
137-139 - nbt
161-162 - snmp
2049 - nfs
```
95
bootp/dhcp
automatically configures network interfaces and load OSes via network on startup
96
NFS
network file system
97
UDP header
```
1- src port 16 bit
2- dst port 16 bit
3- udp length 16 bit
4- udp checksum 16 bit
5- data variable length
```
98
tcpdump
- program that dumps traffic on a network
- dependent on libpcap packet capture library
- sniffer
99
tcpdump tcp
only dump tcp packets
100
tcpdump tcp and dst port 23
only dump tcp packets with dst port 23
101
tcpdump host nmap.edu
only dump packets to or from nmap.edu
102
popular wireless devices
- mobile phone
- laptops
- tablets
- HVAC control units
- medical devices
- personal safety
- tracking and monitoring
103
vertical markets for wireless
- healthcare
- financial
- academia
- factories/industrial
- retail
- wireless ISPs
- mobile hotspots
104
wireless advantages
- wiring takes time and money
- users can access network from anywhere
- mobility and connectivity
105
Bluetooth concurrent connections?
- upto 7
106
Bluetooth classes
Class 1 - 100mW - 100 meters
Class 2- 2.5 mW - 10 meters
Class 3 - 1 mW - 1 meter
107
Bluetooth 5
- features and functionality focused on IoT
- increase in overall performance
- > double the speed
- > quadruple the range
- > increased bandwidth over low energy transmission
- supports 2 Mbit transfers
- higher output power
- less focus on security
108
Bluetooth security issues
- susceptible to eavesdropping
- bluetooth PAN APs can expose wired networks
- bluejacking....unsolicited messages
- bluesnarfing ... information disclosure
- bluebugging... backdooring
most vulnerabilities addressed with Bluetooth 2.1
109
legacy Bluetooth pairing
- bluetooth 2.0 and prior
- utilize same PIN code to pair
- PIN values limited and well known
- PIN often preprogrammed i.e. 0000
110
Secure Simple Pairing (SSP)
- Bluetooth 2.1 and later
- utilizes public key cryptography
- more secure than utilizing fixed PIN
- helps mitigate MITM
111
protecting Bluetooth
- use current generation devices and Bluetooth versions - upgrade firmware
- configure devices in non-discoverable mode
- audit the environment for Bluetooth devices
- verify connected Bluetooth devices
- pair devices only in trusted environment
- disable Bluetooth if not using
112
Zigbee wireless
- based on 802.15.4 spec
- used for product tracking, medical, and industrial sensor/control networks
- gaining wide support for IoT
113
Zigbee security
- security at MAC, Network, and application layers
- relies on master keys set by manufacturer, installer, or end user -> generates link keys to encrypt traffic
- encryption based on AES-CCM
- security optional: AES may be too resource-intensive for lightweight devices
114
basics of secure coding
- initialize all variables before use
- validate all user input before use
- don't make app require admin priv on server/db
- handle errors and don't display errors to end users
- employ least privilege/limit access
- dont store secrets in code
- use tested reliable libraries for common functions (authentication, encryption, session tracking)
- watch for vuln notifications for open source libs
115
Data Flow Analysis does what?
- Aids with Incident Response
- Provides Situational Awareness
- Reduces Cost of Network Monitoring
- Enables Attack Detection
