Secure Network Architecture
Network Hardening Best Practices
Network hardening is the practice of reducing vulnerabilities through configuration changes and other deliberate steps.
An important security principle holds that you increase security by disabling unnecessary services and by removing or restricting access to them. Any service that is connected can be attacked.
Implicit Deny is a network security concept that states that anything not explicitly permitted is denied. In networking, this means that the only traffic allowed to pass is traffic that has been deliberately allowed. This is usually configured on a firewall, using ACLs.
Monitoring your network allows you to establish a baseline of what your traffic looks like normally, so you can understand what abnormal or malicious traffic may look like. This is done with log analysis and network traffic monitoring.
Analyzing logs is the “practice of collecting logs from different network and sometimes client devices on your network, then performing an automated analysis on them.”
You may be especially interested in requested connections from untrusted sources to devices on your network.
Log analysis systems are “configured using user-defined rules to match interesting or atypical log entries.” These systems will send alerts when an activity is detected that matches a rule, such as a connection from a network device to an IP range associated with a botnet.
Normalizing log data is important, because log data from different sources will be formatted differently.
Correlation analysis is the process of matching log data from different systems to events. This is especially important in a post-fail analysis, which is conducted to determine the cause and repercussions of a failure.
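The normalize, match and correlate steps described above, as an added example that is not from the course material. The two log formats, the sample lines and the watched range (203.0.113.0/24, a documentation range) are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed watchlist: 203.0.113.0/24 (a documentation range) stands in for
# an IP range associated with a botnet.
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample lines from two sources with different formats.
FIREWALL_LOG = [
    "2024-05-01T10:15:02Z ALLOW src=10.0.20.15 dst=198.51.100.7 dport=443",
    "2024-05-01T10:15:09Z ALLOW src=10.0.20.31 dst=203.0.113.44 dport=8080",
]
PROXY_LOG = [
    "01/May/2024:10:15:10 +0000 10.0.20.31 CONNECT 203.0.113.44:8080",
    "01/May/2024:10:16:40 +0000 10.0.20.15 CONNECT 198.51.100.7:443",
]
FW_RE = re.compile(r"(\S+) \w+ src=(\S+) dst=(\S+) dport=(\d+)")
PX_RE = re.compile(r"(\S+ \S+) (\S+) CONNECT (\S+):(\d+)")

def normalize_firewall(line):
    """Firewall format -> common event schema with a UTC timestamp."""
    ts, src, dst, dport = FW_RE.fullmatch(line).groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "source": "firewall", "src": src, "dst": dst, "dport": int(dport)}

def normalize_proxy(line):
    """Proxy format -> the same schema."""
    ts, src, dst, dport = PX_RE.fullmatch(line).groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"time": when, "source": "proxy", "src": src, "dst": dst, "dport": int(dport)}

def matches_watchlist(event):
    """User-defined rule: destination falls inside a watched range."""
    dst = ipaddress.ip_address(event["dst"])
    return any(dst in net for net in WATCHLIST)

def correlate(events, window_seconds=60):
    """Pair rule hits for the same src/dst seen by different sources in the window."""
    hits = sorted((e for e in events if matches_watchlist(e)), key=lambda e: e["time"])
    alerts = []
    for i, first in enumerate(hits):
        for other in hits[i + 1:]:
            same_flow = (first["src"], first["dst"]) == (other["src"], other["dst"])
            close = (other["time"] - first["time"]).total_seconds() <= window_seconds
            if same_flow and close and first["source"] != other["source"]:
                alerts.append((first["src"], first["dst"], {first["source"], other["source"]}))
    return alerts

def run():
    events = [normalize_firewall(line) for line in FIREWALL_LOG]
    events += [normalize_proxy(line) for line in PROXY_LOG]
    return correlate(events)
```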
Splunk is a popular and powerful log analysis platform.
Flood guards offer protection against denial-of-service attacks (maintaining availability in the CIA triad). Fail2Ban is a popular tool for this purpose.
Network separation (or segmentation) is a security principle that allows for protection and flexibility. Consider using VLANs to divide network devices by class or function. This could be setting up all printers on one VLAN, then users on another, and configuring ACLs for routers to allow traffic between the two networks.
Reading: Network Hardening Best Practices
Lots to read:
Network Hardware Hardening
Here’s some more in-depth info about network hardening through hardware configuration and implementation.
DHCP, as you surely recall, is the network protocol used to configure devices on a network, including automatically assigning devices IP addresses. This makes DHCP servers great targets for certain attackers.
A rogue DHCP server attack is when an attacker is able to deploy a “rogue” DHCP server onto your network, allowing it to hand out DHCP leases and even reassign DNS or gateway addresses. This is a disaster for your network.
An enterprise switch will have DHCP snooping, a system for monitoring DHCP traffic and mapping hosts, their IP assignments and the ports they are connected to. This creates a map of hosts, ports and IP addresses on the network, helping protect against IP spoofing and poisoning attacks.
Dynamic ARP inspection is another form of hardware hardening. ARP is a layer 2, unauthenticated protocol, and is open to a man-in-the-middle attack. This is possible because an attacker can create an ARP response that pairs their own MAC address with a victim’s IP address, which would cause all the clients on the network to cache that ARP entry and send frames intended for the victim to the new address, that of the attacker. If the attacker has enabled IP forwarding, they can monitor traffic.
Dynamic ARP inspection (DAI) is also a feature of enterprise switches, and can prevent this kind of attack. It does this by using DHCP snooping data to create a table of IP addresses and ports.
IP Source Guard (IPSG) can be used on enterprise switches to prevent IP spoofing. This uses the DHCP snooping table to create ACLs for switch ports, and drops packets that don’t match.
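How one snooping table backs all three switch features above, as an added example that is a simplified model and not vendor code. The class, the port names and the MAC/IP values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str

class Switch:
    """Simplified model of an access switch; port names are hypothetical."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks toward the legitimate DHCP server
        self.bindings = {}                 # access port -> Binding (the snooping table)

    def dhcp_ack(self, ingress_port, client_port, client_mac, leased_ip):
        # DHCP snooping: server replies are only accepted on trusted ports, so a
        # rogue server plugged into an access port cannot hand out leases.
        if ingress_port not in self.trusted:
            return "drop"
        self.bindings[client_port] = Binding(client_mac, leased_ip)
        return "forward"

    def _matches_binding(self, port, mac, ip):
        return port in self.trusted or self.bindings.get(port) == Binding(mac, ip)

    def arp_reply(self, port, sender_mac, sender_ip):
        # DAI: the MAC/IP pair claimed in the ARP reply must match the binding.
        return "forward" if self._matches_binding(port, sender_mac, sender_ip) else "drop"

    def ip_packet(self, port, src_mac, src_ip):
        # IPSG: the same table acts as a per-port source filter.
        return "forward" if self._matches_binding(port, src_mac, src_ip) else "drop"

def demo():
    # Constructed scenario: Gi0/24 is the uplink, Gi0/1 and Gi0/2 are access ports.
    sw = Switch(trusted_ports=["Gi0/24"])
    results = {}
    results["lease_from_uplink"] = sw.dhcp_ack("Gi0/24", "Gi0/1", "aa:aa:aa:aa:aa:01", "10.0.20.15")
    sw.dhcp_ack("Gi0/24", "Gi0/2", "aa:aa:aa:aa:aa:02", "10.0.20.31")
    results["lease_from_access_port"] = sw.dhcp_ack("Gi0/2", "Gi0/1", "aa:aa:aa:aa:aa:01", "10.0.20.99")
    results["honest_arp"] = sw.arp_reply("Gi0/1", "aa:aa:aa:aa:aa:01", "10.0.20.15")
    # The host on Gi0/2 claims the IP that was leased to the host on Gi0/1.
    results["forged_arp"] = sw.arp_reply("Gi0/2", "aa:aa:aa:aa:aa:02", "10.0.20.15")
    results["spoofed_source_ip"] = sw.ip_packet("Gi0/2", "aa:aa:aa:aa:aa:02", "10.0.20.15")
    results["unknown_port"] = sw.arp_reply("Gi0/3", "aa:aa:aa:aa:aa:03", "10.0.20.50")
    return results
```

A port with no binding (a statically addressed host, for example) is dropped in this model, which is why such hosts need a manual entry or a trusted port before these features are enabled.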
802.1x is the IEEE standard for encapsulating Extensible Authentication Protocol (EAP) over 802 networks. This is also called EAP over LAN, or EAPOL.
Here’s how it works:
When a client tries to authenticate to a network, there are three parties: the supplicant (the client); the authenticator (either a WAP or an enterprise switch), which acts as a gatekeeper and forwards the request; and the actual authentication server, usually a RADIUS server.
EAP-TLS is an authentication system supported by EAP that uses TLS to mutually authenticate a client and server. Authentication may be certificate-based, requiring the client to submit a valid certificate, or the client may use a certificate in conjunction with a username/password and another authentication factor.
EAP-TLS derives security from the inherent security of TLS. This also means that it is susceptible to the same vulnerabilities.
Network Software Hardening
Network software hardening is the next layer of network security, and will include firewalls, proxies, and VPNs.
Firewalls can be dedicated network hardware devices, or can be host-based, providing protection for that one machine. Using both is usually recommended.
A host-based firewall will provide protection for mobile devices, and can help protect the device from corrupted devices on the internal network that will not be remediated by an internet-facing firewall device. All major operating systems have a built-in firewall, as do routers.
VPNs provide secure connections to internal resources from devices located outside the network. They can allow two networks to link together securely.
Proxies are helpful in protecting client devices, as well as providing some security for remote access without using a VPN. A web proxy configuration can be set up to allow web traffic to pass from your devices through a server that you control and out to the internet. This can let you log traffic and block content.
A reverse proxy allows secure access to web services without using a VPN. This server sits inside your network and handles incoming traffic from the internet, and can be further secured with TLS certificates and even by setting up ACLs.
Joe, Person Obstacle
He did it, folks. He did it.
WEP Encryption and Why You Shouldn’t Use It
It is “super important” to understand security implementations in wireless networks. The lesson starts with this question:
“What do you think the best security option is for securing a WiFi network?”
My understanding is that there are a lot of holes in wireless security.
Wired Equivalent Privacy (WEP) was the first security protocol developed for 802.11 wireless networks. WEP was supposed to provide comparable security to wired communications, including privacy from third-party eavesdropping. WEP was not good, folks, lots of holes, and was replaced around 2004.
WEP used the RC4 symmetric stream cipher for encryption. Here we are treated to a detailed explanation of how WEP encryption worked, which I am leaving out because it was deprecated in 2004.
WEP used either an Open System Authentication mode or a Shared Key authentication mode. The open system didn’t require clients to provide credentials, and could simply authenticate and associate with an access point.
Using the shared key mode involved the access point sending a plaintext and ciphertext data frame to a client during the authentication handshake. This breaks an important rule of security—never share a plaintext and ciphertext message together, as that can allow attackers to work out the key.
WEP used a 24-bit initialization vector (IV) to append random data to the shared key, to avoid using the same key. But 24 bits is not very much by today’s computing standards, and after about 5,000 packets this meant a key would be re-used. Attackers were able to use this weakness in IVs to break WEP.
Although no one should still be using WEP, it is important to know about it in case you encounter it running on legacy systems. They should be updated.
Let’s Get Rid of WEP! WPA/WPA2
WiFi Protected Access (WPA) replaced WEP in 2003 as a temporary solution while the permanent replacement, WPA2, was finalized. WPA was designed to be compatible with older WEP hardware through a simple firmware update.
Temporal Key Integrity Protocol (TKIP) was introduced to address the shortcomings of WEP.
TKIP had three features to make it more secure than WEP. First, the key derivation method more securely integrated the IV into the packet encryption key. Second, a sequence counter was implemented to reject out-of-order packets to prevent replay attacks. And third, a 64-bit Message Integrity Check (MIC) was implemented to prevent tampering, forging, and corruption of packets.
TKIP used the RC4 cipher like WEP, but had a key mixing function which made unique encryption keys for each packet.
With WPA, the pre-shared key is the password you use to gain access to the wireless network. This is not used to directly encrypt traffic, but rather is fed through the PBKDF2, and I don’t need to tell you folks that that is the password-based key derivation function 2. The network SSID is used as a salt, and this is run through the HMAC-SHA1 function 4,096 times to generate a unique encryption key. This made WPA resistant to brute-force attacks.
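The derivation described above, as an added example that is not from the course material. The PBKDF2 loop is written out so the 4,096 rounds are visible and then cross-checked against the standard library; the 256-bit output length is the standard WPA key size and is not stated in the notes, and the passphrases and SSIDs used with it are constructed.

```python
import hashlib
import hmac

ITERATIONS = 4096  # iteration count given in the text
KEY_BYTES = 32     # 256-bit key length (standard for WPA; not stated on the page)

def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 with HMAC-SHA1, written out so the iteration loop is visible."""
    derived = b""
    block_index = 1
    while len(derived) < dklen:
        # The first round mixes in the salt (the SSID) and the block number.
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
        acc = int.from_bytes(u, "big")
        # Each later round runs HMAC, keyed with the passphrase, over the
        # previous output and XORs the result into the accumulator.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            acc ^= int.from_bytes(u, "big")
        derived += acc.to_bytes(20, "big")
        block_index += 1
    return derived[:dklen]

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """The same derivation using the standard library's PBKDF2."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), ITERATIONS, KEY_BYTES)

def same_key_across_networks(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if two networks sharing a passphrase end up with the same key."""
    return wpa_psk(passphrase, ssid_a) == wpa_psk(passphrase, ssid_b)
```

Because the SSID is the salt, a table of precomputed keys only applies to networks using that exact SSID, which is one reason to avoid factory-default network names.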
WPA2 supplanted WPA, and is the current standard.
WPA2 is based on the AES cipher, and features CCMP, or Counter Mode CBC-MAC Protocol.
Here is the authentication process for WPA2:
The AP sends a nonce (some random data) to a client, and the client sends a nonce to the AP. The AP sends a GTK (groupwise transient key) and MIC to the client, and the client responds with an ACK to confirm the success of the handshake.
There are two WPA2 configurations for non-802.11 networks: WPA2-Personal and WPA2-PSK.
WiFi Protected Setup (WPS) is a feature designed to make joining a WPA2-protected network easier. This is the button on your router that you press when trying to set up wireless printing in your home. WPS supports PIN entry authentication, NFC or USB exchange of network details, or push-button authentication. A PIN system is vulnerable to brute-force attacks.
WPA2 is vulnerable to a fairly resource-intensive brute-force attack using rainbow tables, if an attacker is able to capture the four packets sent during the handshake.
The most secure wireless security configuration would be using 802.1x with EAP-TLS, as long as the PKI aspects are handled properly. This method involves a lot of complexity, including using a RADIUS server and additional authentication backend resources. This is impractical for many organizations.
The “next-best” option is to use WPA2 with AES/CCMP mode. It is important to use long, complicated passphrases to help resist rainbow table attacks.
Enterprise environments will not typically use WPS. A best practice is to disable WPS on all access points, and to even use tools to check APs to see if they have WPS enabled.
Heather, Social Engineering
Yes, we are the weakest link in security.
Sniffing the Network
Packet sniffing is the interception of network packets for analytical purposes. This is an important tool for network analysis and troubleshooting.
By default, network devices and the networking software stack in the OS will be set up to only accept and process packets that are addressed to their specific interface address, which is usually their MAC address. If the interface receives a packet with a different destination address it will simply drop the packet.
In order to monitor all network traffic, an interface can be switched into promiscuous mode, in which all packets can be accessed by any device operating in this mode. This is very useful for network monitoring. Admin creds are needed to set an interface to operate in promiscuous mode, and many packet sniffing tools will handle this for you.
It is important to know if you will even be able to monitor packets on your network. If you are downstream from a switch, you will only be able to monitor packets going to and from your host. If you are able to place your machine upstream from the switch, then you can monitor all traffic going to any node after the switch.
Enterprise switches usually have a feature called port mirroring, which allows the switch to take all packets from all ports, specified ports or port ranges, and “mirror” them to a specific port.
You could also connect all the machines you want to monitor to a hub, and connect the hub to the machine you will be monitoring from. Hubs are susceptible to collisions and reduced throughput, so this is not the most elegant solution.
Monitoring traffic on a wireless network is slightly different. You could place your device into promiscuous mode and monitor traffic on the network it is connected to.
If you want to capture all traffic in the immediate area across all networks, you can enable monitor mode, which scans through all wireless channels to see traffic from APs and clients. Your client device does not need to be connected to any wireless network.
If a wireless network is encrypted, you can still capture packets, but you will need to decrypt payloads in order to read data.
Wireshark and tcpdump
tcpdump is a lightweight command-line utility used to capture and analyze packets. tcpdump allows saving packets to a file for later analysis, replaying traffic, and sharing.
By default, tcpdump operates in a “brief analysis” mode, converting data from layers 3 and up into human-readable information, and prints information about each packet into your terminal, including dotted IP addresses and port numbers being used.
A tcpdump output will show a timestamp in local time; the layer protocol being used; the source address and port and destination address and port; the TCP flags and sequence number, if set; ACK number, TCP window size, and any TCP options; finally, it shows payload size.
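A parser for the per-packet fields listed above, as an added example that is not from the course material. It assumes tcpdump's one-line TCP-over-IPv4 layout with name resolution turned off; the sample lines are constructed, and the SYN count shows how parsed output can feed a traffic baseline.

```python
import re
from collections import Counter

# Constructed sample of tcpdump's default one-line output for TCP over IPv4,
# assuming name resolution is off (-n) so addresses are numeric.
SAMPLE = """\
10:15:02.123456 IP 10.0.20.15.51514 > 198.51.100.7.443: Flags [S], seq 1804289383, win 64240, options [mss 1460,sackOK,TS val 100 ecr 0,nop,wscale 7], length 0
10:15:02.150001 IP 198.51.100.7.443 > 10.0.20.15.51514: Flags [S.], seq 846930886, ack 1804289384, win 65160, options [mss 1460,sackOK,TS val 200 ecr 100,nop,wscale 7], length 0
10:15:02.150100 IP 10.0.20.15.51514 > 198.51.100.7.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 127 ecr 200], length 0
10:15:02.151000 IP 10.0.20.15.51514 > 198.51.100.7.443: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 128 ecr 200], length 517
10:15:03.000200 IP 10.0.20.31.40000 > 198.51.100.7.22: Flags [S], seq 424238335, win 64240, options [mss 1460], length 0
"""

# Timestamp, protocol, source and destination address.port, flags, then the
# optional seq / ack / win / options fields, and finally the payload length.
LINE_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP6?) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>[\d:]+))?(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)"
)

def parse_line(line):
    """Return the fields of one TCP line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # not a TCP line in the assumed layout
    rec = m.groupdict()
    for field in ("sport", "dport", "ack", "win", "length"):
        if rec[field] is not None:
            rec[field] = int(rec[field])
    return rec

def syn_attempts(capture_text):
    """Count connection attempts (SYN without ACK) per (source, destination port)."""
    counts = Counter()
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec and rec["flags"] == "S":
            counts[(rec["src"], rec["dport"])] += 1
    return counts
```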
Wireshark is another, more powerful graphical packet capture and analysis tool. Wireshark can decrypt payloads if encryption keys are known, and can extract file transfer data payloads through HTTP and SMB.
Wireshark can filter captured packets based on a filter string, so that you can search for specific URLs.
The Wireshark interface is divided in thirds, with the list of packets at the top, followed by the layers of the selected packet, followed by a hex and ASCII representation of the selected packet.
Colors are used to distinguish types of traffic. By default, green is for TCP, light blue for UDP, and dark blue for DNS. Black designates “problematic” packets, such as repeated or out-of-order packets.
Wireshark supports over 2,000 protocols, so there is a lot to read up on.
Reading: Promiscuous Mode
Intrusion Detection/Prevention Systems
Intrusion Detection and Prevention Systems (IDS/IPS) work by monitoring network traffic and analyzing it. IT support may include maintaining this type of system, updating rules, and responding to alerts from the system.
IDS systems will only detect and log events, while an IPS system is able to update firewall rules and respond to intrusions on the fly. They can either be host-based or network-based.
A network intrusion detection system (NIDS) is deployed somewhere on a network where it can monitor the traffic for a segment or subnet.
A host-based IDS is software that monitors traffic to and from only that host. It may also monitor system files for unauthorized changes or behavior.
NIDS are similar to firewalls, but are designed to detect malicious behavior coming from within a network, and must be placed carefully within the network.
Using port mirroring to the port the NIDS is connected to will allow you to monitor all traffic passing through a switch.
A network intrusion prevention system is, unfortunately, referred to as a NIP system. A NIPS will be placed differently in the network topology than a NIDS. A NIPS device must be located where it can take action on the traffic it is monitoring, by blocking or dropping packets.
Signatures are known behaviors of malicious traffic, and underlie the intrusion prevention concept. Signatures are also used in anti-malware software.
NIDS will detect events and traffic, capture that traffic and generate a log, and can be configured to send alerts to network admins.
This lab introduces the student to tcpdump: learning a couple of basic commands, capturing some packets and monitoring some DNS traffic.
First of all, the exercise does NOT mention that you must install tcpdump in your virtual instance. Luckily, somehow, I thought of this after getting “command not found.”
sudo apt-get install tcpdump
Further on, you will also have to use the dig command, which, they don’t tell you, requires you to install the dnsutils package on your Debian/Ubuntu system.
sudo apt-get install dnsutils
Overall a good exercise, once you determine you have to install some software.