topicCybersecurity_4

CYBER SECURITY
Network Security

Network Security Overview
Copyright © 2019 Logical Operations, Inc. All rights reserved.
• Network security is one of the most critical topics.
• Rapid changes to technology make networking complex.
• Need to secure each technology separately.
• Need to handle interoperability issues.
• No more clear-cut boundaries for the network.

The OSI Model
7 Application 7 Application
6 Presentation 6 Presentation
5 Session 5 Session
4 Transport 4 Transport
3 Network 3 Network
2 Data Link 2 Data Link
1 Physical 1 Physical
Web Server Client Browser
Information/Data
Flow

• TCP—establishes, maintains, and terminates a connection-oriented session.
• UDP—sends datagrams to a destination without establishing any session.
• IP—adds a logical address and chooses the best route.
• ICMP—used by network devices to communicate network conditions and conduct
diagnostic tests.
• IGMP—used by downstream applications to inform the router that they still wish to
receive a multicast transmission.
• ARP—used to discover the MAC address used by each IP node.
TCP/IP Protocol Suite

TCP/IP Core Protocol Vulnerabilities and Mitigation
(Slide 1 of 2)
Protocol Vulnerability or Threat Mitigation
TCP • An attacker can predict the incrementing sequence
number of a TCP session and use it to hijack a session
that has already been authenticated and authorized.
• TCP can carry malicious payloads to other computers.
• Use encrypted versions of Layer 7
protocols.
• Encrypt or digitally sign data
payloads.
• Block unused TCP ports on
firewalls.
UDP • UDP requires no acknowledgment, so it’s easy to spoof
the source or destination of UDP packets.
• UPD can cause amplification and other denial-of-service
attacks.
• Use encrypted versions of Layer 7
protocols.
• Encrypt and digitally sign data
payloads.
• Block unused UDP ports on
firewalls.
IP • IP has no mechanism for verifying the actual identity of
the sender or the receiver.
• It’s easy to spoof IP addresses, so that packets are sent
to or received from a machine other than the intended
destination or source.
• An attacker can craft malicious IP packet fragments that
cannot be reassembled by the receiving computer,
causing a denial of service attack.
Configure the router and other IP
devices to disallow IP features that
can be abused, including fragments,
ICMP redirection, and source
routing.

TCP/IP Core Protocol Vulnerabilities and Mitigation
(Slide 2 of 2)
Protocol Vulnerability or Threat Mitigation
ICMP • An attacker can send an ICMP redirect telling targets to
use the attacker's machine as a default gateway.
• An attacker can insert malicious data inside an ICMP
packet, which will pass through routers and firewalls
under the assumption that it is just a status message.
• An attacker can send oversized ICMP packets and
overwhelm the system.
Configure firewalls and routers to
disallow ICMP unless it is actually
needed.
IGMP Malformed IGMP packets can cause a buffer overflow in
denial of service on a receiving host.
Configure firewalls and routers to
disable IGMP unless it is actually
needed.
ARP • ARP (and its twin RARP) is vulnerable because it is sent
in cleartext by broadcast, with no way to verify the
identity of the sending computer.
• An attacker can poison a system's ARP table or cache,
causing traffic to be delivered to the wrong node. This
type of poisoning is the underlying mechanism for most
man-in-the-middle attacks.
Hard-code IP-to-MAC mappings in
switches and device ARP caches.

Application Layer Protocols (Slide 1 of 2)
Protocol Port(s) Description
DHCP UDP67
UDP68
• Clients use the DORA process to obtain an IP address lease from a DHCP
server.
DNS UDP 53
TCP 53
• Clients request a DNS server to resolve a name to an IP address.
• DNS servers replicate (zone transfer) their databases to each other.
SNMP UDP161
UDP162
• An SNMP management application queries SNMP-enabled devices (agents)
for their current status.
• Queries are sent on regular intervals. Answers are presented in a console for
an administrator to monitor and act on.
FTP TCP21
TCP20
• Clients upload or download files to an FTP server.
• TCP 21 is used to send commands.
• TCP 20 was used to send the data, but most FTP sessions now negotiate a
different port for data transfer.
Telnet TCP 23 • Used by administrators to obtain a command-line interface for a network
device or server for remote control and administration.
SSH TCP 22 • Encrypted replacement for Telnet.
HTTP TCP 80 • Used by browsers to request web pages from web servers.
SMTP TCP 25 • Used by email clients to send email, and by email servers to relay email to
each other.

Application Layer Protocols (Slide 2 of 2)
Protocol Port(s) Description
POP and
IMAP
TCP 110
TCP 143
• POP is used by email clients to download email from a mailbox on an
email server. The current version of POP is POP3.
• IMAP allows a client to retrieve email interactively, including obtaining
previews of the messages before downloading. The current version of
IMAP is v4.
LDAP TCP 389 • Allows client applications to search and edit X.500-compliant directory
services such as Microsoft Active Directory.
Kerberos TCP 88 • Authentication protocol used by Active Directory and other directory
services.
• Includes secret key cryptography, pre-authentication by the client
computer, and a time-skew limit that inhibits replay attacks.
SMB TCP 445 • Microsoft file and print protocol.
RPC TCP 135 • Used by Microsoft operating system services to make procedure calls to
each other across the network.
• Enabled by default on all Microsoft servers.
NFS TCP 2049
UDP 2049
• Linux/UNIX file transfer protocol.
RDP TCP 3389 • Used by administrators to gain access to the desktop of a remote
Microsoft Windows system for remote management.

Application Layer Protocols Vulnerabilities and Mitigation (Slide
1 of 4)
Protocol Vulnerability Mitigation
DHCP Broadcasts in cleartext, so attackers can:
• Plug directly into a network jack and receive an
IP address.
• Set up rogue DHCP servers that provide
incorrect addresses to clients.
Don’t use DHCP; hard code IP addresses on
hosts instead.
DNS Sends data in cleartext with no authentication, so
attackers can:
• Divert, intercept, or deny end-user
communications.
• Perform unauthorized zone transfers with DNS
servers.
• Send inaccurate lookup information to clients.
• Corrupt the DNS server’s database or lookup
cache.
Use DNS Security (DNSSEC) to accompany all
DNS records with digital signatures.
SNMP • Prior to v3, SNMP is sent in cleartext, allowing it
to be sniffed.
• SNMP uses a weak authentication method that
is easy to spoof.
Install SNMP v3, or use a proprietary network
management solution.

2 of 4)
FTP • Standard FTP uses plaintext password
authentication and no encryption, enabling
man-in-the-middle attacks.
• Some FTP implementations permit anonymous
connections.
• Use an encrypted replacement like FTPS or
SFTP.
• Disallow anonymous connections.
• Apply file system permissions on the
directories that contain FTP content.
Telnet • Telnet is sent in cleartext with no encryption or
digital signatures.
• Its sessions can be sniffed, and it is vulnerable
to session hijacking and man-in-the-middle
attacks.
Use SSH instead of Telnet.
SSH • Different implementations have been
vulnerable.
• OpenSSH bug allowed enumeration of
usernames registered on the SSH server.
Make sure your SSH product is patched.
HTTP • Uses plaintext and no authentication, so an
attacker can intercept or manipulate sensitive
information in web forms.
• Lack of encryption and digital signatures allows
for man-in-the-middle attacks.
• Use HTTPS, with TLS v1.2 encryption.
• Configure the web server to require Strict
Transport Security (HSTS) so that an HTTPS
session cannot be downgraded to HTTP.

3 of 4)
SMTP • No authentication or encryption between
servers, allowing fake email servers to send
spam.
• Cleartext SMTP can be sniffed and spoofed.
• Create TLS tunnels and authentication
between email servers.
• Configure clients to use encrypted versions
of SMTP.
POP and
IMAP
Messages are sent in cleartext and can be sniffed
or spoofed by an unauthorized person.
Configure clients to use encrypted versions of
POP3 and IMAP4.
LDAP • LDAP provides weak authentication based on
DNS.
• If DNS is compromised, LDAP is also easy for an
attacker to compromise.
• Standard LDAP sends messages in plaintext,
which can be easily intercepted and read by
attackers.
Configure clients and servers to use encrypted
LDAPS.
Kerberos • Weak implementations can have
vulnerabilities.
• Microsoft implementation allows creation of
fake hash checksums and forged tickets
(Security Bulletin MS14-068).
Patch and update affected systems.

4 of 4)
SMB • Unauthenticated "null session"
enumeration.
• Weak encryption.
• Ransomware like WannaCry.
• Buffer overflows like EternalBlue.
• Patch and update affected systems.
• Configure systems to disallow older
protocol versions and null sessions.
• Block SMB-related ports on the firewall:
TCP 139 and 445, UDP 137, 138, and 139.
RPC Crafted RPC calls can gain system level privilege
from vulnerable Windows Services that use
RPC (CVE-2003-0352/MS03-026 DCOM buffer
overflow being the most notable).
• Patch and update affected systems.
• Block TCP 135 on the firewall.
NFS • Older versions of NFS do not include
encryption mechanisms to prevent
eavesdropping or tampering of data being
transferred.
• Many implementations do not have access
controls to prevent unauthorized
connection and data theft.
• Put access control on all NFS shares.
• Block TCP 2049 on the firewall.
RDP RDP is vulnerable to numerous flooding,
overflow, and cryptographic attacks.
• Patch affected systems, and configure the
RDP server to allow only Network Level
Authentication.
• Use certificates issued by a trusted CA for
authentication.

IP Networking (Slide 1 of 2)
IP Version Description
IPv4 • Uniquely identifies a node on a network.
• Uses 32-bit addressing.
• Requires a subnet mask to determine if the destination is on the same or a different network.
• Subnet mask determines routing of IP address as it divides IP address into two components:
• Network address.
• Node address.
• Example: IP address 192.168.10.5 with a subnet mask of 255.255.255.0.
• First three octets (192.168.10) is the network address.
• Final octet (5) is the node address.

IP Networking (Slide 2 of 2)
IP Version Description
IPv6 • IPv4 issues:
• Availability: 4.2 billion numbers isn’t enough for the future.
• No built-in security mechanisms.
• IPv6 was proposed as a 128-bit number.
• Creates an absolutely huge number (340 undecillion) of possible IP addresses.
• Provides sufficient growth for the foreseeable future.
• Provides more efficient routing.
• Has built-in support for security and quality of service.
• Sample IPv6 globally unique (public) address:
2601:140:8600:cbc:c490:50b2:37ff:3191
• Sample IPv6 link local (private) address:
fe80::c490:50b2:37ff:3191

• Use firewalls/intrusion detection to monitor protocol abuse/suspicious traffic.
• Harden/patch servers and workstations to mitigate risks from TCP/IP protocols.
• Use TCP wrappers on Linux/UNIX devices to verify incoming connections to host.
• Configure personal firewalls on all computers.
• Configure routers to disallow/filter:
• Source routing - can potentially be used for spoofing.
• Subnet broadcasts - can potentially be used for denial of service.
• ICMP - filter ICMP by message type; only allow PING to and from trusted hosts.
• IP fragments - deliberately malformed fragments could be a denial of service technique.
• IP options - excessive use could result in router CPU denial of service.
• IP packets with low time-to-live (TTL) - could be used for denial of service.
Network Vulnerability Mitigation (Slide 1 of 2)

• If practical, implement DNSSEC in your environment.
• If practical, implement authentication/encryption between servers, in your
enterprise, and with partners.
• Use authenticated/encrypted alternatives to cleartext protocols, including:
• SSH (port 22) instead of telnet (port 23).
• HTTPS (port 443) instead of HTTP (port 80).
• SMTPS (port 465) or MSA (port 587) instead of SMTP (port 25).
• IMAPS (port 993) or IMAP-SSL (port 585) instead of IMAP (port 143).
• SSL-POP (port 995) instead of POP3 (port 110).
• When possible, change default port of a service to an unexpected port number.
• When possible, encrypt and digitally sign the payload.
Network Vulnerability Mitigation (Slide 2 of 2)

• Combination of data and voice networks over one IP network.
• IP not designed for time-sensitive voice traffic.
• Voice over IP (VoIP) is most common converged product.
• Benefits of convergence:
• Improved support for multimedia applications.
• Easy to maintain.
• Flexible.
• Scalable.
• Efficient use of resources.
• Lower operating and maintenance costs.
• Other converged protocols:
• FCoE
• iSCSI
• MPLS
IP Convergence

Wireless Technologies (Slide 1 of 3)
Wireless Technology Description
Wi-Fi • Uses IEEE 802.11 WLAN standards.
• Devices connect to wireless access points.
• New protocols continue to be developed.
• 802.11ac has throughput of at least 500 Mb/s (single link).
Bluetooth • Short-range medium used between two personal devices.
• Typical range is around 30 feet.
WiMax • Longer range than Wi-Fi (50 miles).
• Variable throughput that degrades over long distances.
• Used in very large networks across large areas.
Spread Spectrum • Spreads wireless communications over multiple frequencies.
• Makes it harder for someone to intercept a message.
• Doesn’t employ encryption, but can be used with it.
Cellular/Mobile • Uses orbiting satellites and terrestrial towers.
• Communicates over global distances.
• Primarily used for telephony, but also for data transfer.

Zigbee • Zigbee is an open standard, low power wireless mesh network.
• Devices that connect to it are typically home consumer types that manage
"smart home" automation, power, lighting, health, etc.
• It works at a distance of 10 - 20 meters, uses 128-bit AES symmetric encryption,
and can theoretically support 65,000 devices on a single network.
• It is not IP-based, and therefore does not easily interoperate with Wi-Fi,
Ethernet, or 4G LTE technologies.
Z-Wave • Z-Wave is a proprietary competitor to Zigbee.
• It has a lower data rate, can support up to 232 devices, and can work at a
distance of 100 meters.
• Like Zigbee, Z-Wave is also not IP-based and does not directly interoperate with
IP-based technologies.
WeMo • WeMo is a proprietary competitor to Z-Wave and Zigbee.
• Rather than creating its own infrastructure, it piggybacks off of existing Belkin
Wi-Fi routers.
• Because it uses standard Wi-Fi, WeMo devices consume considerably more
power than Zigbee or Z-Wave devices.
• Some kitchen appliance and home security manufacturers are interoperable
with WeMo.

Thread • Thread is based on IPv6.
• It works in the Wi-Fi frequency range, creating a self-healing, low power
wireless mesh of up to 250 devices.
• Using IPv6, it closes the security holes that plague other Wi-Fi technologies.
Bluetooth Mesh • Bluetooth mesh builds upon the Bluetooth Low Energy standard, allowing
devices to connect to each other in a distributed network that is similar to
Zigbee and Z-Wave.
• It can work up to 100 meters, but its low data rate makes it unsuitable for high-
throughput applications such as video.

Wireless Security (Slide 1 of 2)
Wireless Security Protocol Description
WEP • Wired Equivalent Privacy.
• Relies on stream cipher with 24-bit initialization vector (IV).
• Attack on IV can easily predict short value.
• Can be compromised in minutes.
• Obsolete – do not use.
WPA • Wi-Fi Protected Access.
• Provides additional encryption using Temporal Key Integrity Protocol (TKIP).
• TKIP is vulnerable to transmission of arbitrary packets.
• Also vulnerable to decryption of arbitrary packets.
• Obsolete – do not use.
WPA2 (802.11i) • Improvement on WPA.
• Includes stronger encryption (CCMP protocol using AES standard).
• Biggest known vulnerability is choosing a weak password.
• The current best choice for Wi-Fi security.
WPS • Automated mechanism for wireless devices to obtain the Wi-Fi key from the
router.
• Wi-Fi setup is easy and convenient.
• Negotiation can be intercepted and cracked by hacking tools.

When implementing wireless security:
• Select WPA2 (even WPA2 personal) over WEP or WPA.
• When possible, use a RADIUS server for wireless authentication.
• If you must use a pre-shared key, make the password complex and change it
regularly.
• Manually enter Wi-Fi passwords into your device, rather than allowing them to
autoconfigure themselves by using WPS.
• If necessary, enter the MAC addresses of all devices that are permitted to connect to
the wireless network into the access point.
Wireless Security (Slide 2 of 2)

Network Encryption Protocols
Encryption Protocol Description
SSL/TLS • Secure Sockets Layer/Transport Layer Security.
• Combines digital certificates with public-key encryption.
• Offers authenticity, integrity, and confidentiality.
• De facto protocol for protecting HTTP web traffic.
SSH • Secure Shell.
• Secure remote login and transfer of data.
• Session is encrypted.
• Encryption defends against eavesdropping.
• Preferred protocol to work with FTP and access Linux/UNIX shells.
DNSSEC • Domain Name System Security Extension.
• Provides added security to DNS.
• Authenticates DNS data and ensures data integrity.
• Supports zone signing.
PGP • Email encryption protocol using a public-key cryptography variant.
• Supports authentication through digital signatures.
• GNU Privacy Guard (GPG) is open source version.
S/MIME • Secure/Multipurpose Internet Mail Extensions.
• Email encryption using public-key cryptography.
• Uses traditional MIME communication standard.
• Ensures confidentiality, integrity, authentication, and non-repudiation.

Networking Hardware
• Router
• Wireless router
• Switch
• Hub
• Gateway
• Modem
• Multiplexer
• Concentrator
• Front-end processor
• Repeater
• Firewall
• Proxy
• Reverse Proxy
• Appliance
Switch
Modem
Hub
Router
Firewall
Wireless Router

Data Network Types (Slide 1 of 2)
Data Network Type Description
LAN • Local area network.
• Network limited in scope: single building, floor, or room.
• Implemented with copper-based wiring or wireless.
WLAN • Wireless LAN
CAN • Campus area network.
• Connects buildings in a university or enterprise campus.
• Often uses fiber optic media.
MAN • Metropolitan area network.
• Provides networking to a city and surrounding neighborhoods.
• Often implemented as SONET rings or with Ethernet.
WAN • Wide area network.
• Connects networks over long distances.
• Uses X.25, frame relay, and HDLC.
PAN • Personal area network.
• Very small area.
• Often uses Bluetooth to connect a phone with a headset.

Data Network Types (Slide 2 of 2)
Data Network Type Description
SAN • Storage area network.
• Storage devices linked together to create one large storage resource.
• SAN looks like another local drive to devices that use it.
VLAN • Logical grouping of switch ports.
• Provides Layer 2 security on a switched network.
• Limits impact of broadcast traffic.
• Nodes connected to VLAN can only communicate to other nodes in same VLAN.
• Each VLAN assigned its own IP subnet.
• VLANs communicate to other VLANS via routers.
• Biggest risk is improper implementation.
Switched networks • Forward traffic between segments using a single type of network protocol.
• Provide isolation services.
• Forward frames at data link layer.
Routed networks • Connect similar or dissimilar networks at Layer 3.
• Often used to connect LANs to other LANs.
• Router required when connecting a LAN to a WAN.

Network Topologies
Physical Star
Nodes connect to a central device
in a hub-and-spoke arrangement
Logical Ring
Data moves from node to
node in an unbroken loop
Physical and logical topology do not need to match.

• A link between two devices.
• Offers speed and reliability.
• Very limited size and distance.
• Impractical in most circumstances.
Data Network Topology Types: Point-to-Point Topology

• All devices are connected to a central device.
• Problems with cabling are isolated to a single device.
• Need to run cable for each device back to central device.
• Results in a large amount of cabling.
Data Network Topology Types: Star Topology

• All devices are connected to a single, linear communication path.
• Cabling requirements are minimal.
• A single break in the cable means the entire network is unavailable.
Data Network Topology Types: Bus Topology

• All devices are connected to a branching cable.
• All nodes receive all transmissions.
• Nodes process only traffic destined for that node.
• Damage to one node will not affect the rest.
• Cable failure will bring entire network down.
Data Network Topology Types: Tree Topology

• All devices are connected to a single, circular path.
• Each node connects directly to two other nodes.
• More cabling than a bus topology.
• If the ring is broken, the network will go down.
Data Network Topology Types: Ring Topology

• All devices are directly connected to all other devices.
• Provides greater resiliency to denial of service.
• Requires an enormous amount of cabling infrastructure.
• Usually confined to critical devices in data center.
Data Network Topology Types: Mesh Topology

• Physically protect devices and systems.
• Keep patches up-to-date.
• Keep antivirus software and signatures up-to-date.
• Configure strong firewall rules.
• Disallow browser script execution, or install anti-script plugins (e.g., NoScript).
• Harden systems based on the manufacturer's recommendations.
• Require strong authentication.
• Require two-factor authentication for administrators.
• Install/configure network and host monitoring, such as IDS and logging.
• Include input validation in your application's source code.
• Educate users to protect themselves.
• Regularly scan for rogue wireless access points.
• Lock user accounts after three or five bad login attempts.
• Monitor for malicious network or host activity.
• Keep all critical systems and data backed up.
Countermeasures

• Keep system patches up-to-date.
• Implement endpoint security, especially on mobile devices.
• Turn off unnecessary network services that might permit unauthorized connections
in the background, such as Bluetooth or Wi-Fi.
• Implement IDS/IPS.
• Configure your router to disallow source routing or broadcasting.
• Regularly check for unknown user accounts, especially administrator accounts.
• Forward all logs to a central log collection server.
Control Countermeasures

END

topicCybersecurity_4

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a topicCybersecurity_4

Semelhante a topicCybersecurity_4 (20)

Mais de Anne Starr

Mais de Anne Starr (20)

Último

Último (20)

topicCybersecurity_4