defending networks - recording from cyber security webinar 4
TRANSCRIPT
DEFENDING NETWORKS
CYBER SECURITY WEBINAR PART 4
JARNO NIEMELÄ F-SECURE
15th of October 2015
CYBER SECURITY WEBINAR SERIES - PART 4
© F-Secure
• INTRODUCTION TO CYBERSECURITY
• DEFENDING WORKSTATIONS
• DEFENDING SERVERS
• DEFENDING NETWORKS - NOW
• RESPONDING TO AN INCIDENT 9TH NOVEMBER 2015
• BUILDING SECURE SYSTEMS 3RD DECEMBER 2015
RECORDINGS: HTTPS://BUSINESS.F-SECURE.COM
DEFENDING NETWORKS
JARNO NIEMELÄ SENIOR RESEARCHER
F-SECURE
WHAT DOES HACKING LOOK LIKE?
Let’s hack like in the movies: Kali 2.0
Armitage graphical hacking environment
https://www.kali.org/
In real life hacking is mostly not this easy. But it is, if the attacker has a working exploit or the system is totally out of date
Most commonly the attacked service is some web application
Or a company in-house application
BASICS OF NETWORK DEFENCE
Limit access also inside the local network
Update all hosts, servers and network equipment
Have only the services visible that are needed
Monitor the network
Perform regular audits
A TYPICAL NETWORK
[Diagram: Office, DMZ with Web server, Internal Servers with DC and Email and File server]
A TYPICAL INFECTED NET
[Diagram series (three slides): the same network layout (Office, DMZ, Web server, Internal Servers, DC, Email and File server) shown as an infected network]
WELL BUILT NETWORK
[Diagram labels: Web server, Rabbit (DC), Turtle (Email and File server), VPN, DMZ, Internal Servers, Office, DC (honeypot)]
Use port isolating switches
All routing with firewalls, except some server to server connections
Do not have servers with obvious names
Have honeypots with obvious names
Control all traffic with firewalls
Workstations can only access the servers they need
Allow outside access only over proxies
Servers cannot connect to clients or other servers they don’t need
TAKE CARE OF NETWORK EQUIPMENT
Nowadays network equipment is just custom Linux servers
Make sure you keep them up to date
Don’t have any open services that are not needed
The firewall should have no open ports visible to the internet
Use a separate VPN server and route it over the firewall
Monitor the firewall for abnormalities
Any traffic coming from the firewall without a corresponding external source is rather suspicious
Monitor that your DNS server is giving correct answers
MOVE PUBLIC THINGS TO PUBLIC CLOUDS
Your public web server is a visible target
Almost every DOS attack hits the easy target
Do not run public services in the same network as the rest of the company systems
Either have a separate network, or move things to the cloud
This way a DOS attack against your website does not kill the rest of the systems
Mask the identity of your office/production network
An attacker is not supposed to be able to find your vital connections with Whois
Make sure your ISP contact includes a DOS mitigation service
AUDIT TO MAKE SURE
Configuration is not secure until it has been tested
Make sure that all security controls are always tested after modifications
At minimum use Nmap or another scanner to check for open ports
A network audit by a consultant is also an option to consider
Although the consultant should be involved in the planning stage
LOGS AND IDS ARE YOUR EYES AND EARS
Logs are invaluable in investigation
So make sure you log long enough, also on network traffic
Use IDS to detect anomalies
Install honeypots to your network
Look for things out of place
Workstation using RDP to another workstation
Workstation doing anything but DC queries to domain controller
Server accessing another server that it is not supposed to
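The three "out of place" patterns above, plus the rule from the well built network slide that servers do not connect to clients, written as a small checker over flow records. This is an added example, not code from the webinar; the host inventory, the allowed server-to-server pairs, the set of ports counted as normal DC queries, and the log line format are all constructed assumptions.

```python
import re
# Constructed host inventory for this example (in practice an AD/CMDB export):
# 10.1.2.5 is the DC, 10.1.2.6 the email/file server, 10.1.3.10 the DMZ web server.
ROLES = {"10.1.1.20": "workstation", "10.1.1.21": "workstation",
         "10.1.2.5": "dc", "10.1.2.6": "server", "10.1.3.10": "server"}
RDP_PORT = 3389
# Ports treated as normal DC queries from a workstation (assumption; tune per site).
DC_QUERY_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268, 3269}
# Server-to-server connections that are expected; everything else is "not supposed to".
ALLOWED_SERVER_PAIRS = {("10.1.2.6", "10.1.2.5")}   # email/file server -> DC
# One flow record per line: "<timestamp> <src> -> <dst>:<dport> tcp" (constructed format).
LINE_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+->\s+(\d+(?:\.\d+){3}):(\d+)\s+tcp$")

def parse_flow(line):
    """Return (ts, src, dst, dport) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2), m.group(3), int(m.group(4))) if m else None

def check_flow(flow):
    """Return why the flow is out of place according to the slide's rules, else None."""
    _, src, dst, dport = flow
    src_role, dst_role = ROLES.get(src), ROLES.get(dst)
    if src_role == "workstation" and dst_role == "workstation" and dport == RDP_PORT:
        return "workstation using RDP to another workstation"
    if src_role == "workstation" and dst_role == "dc" and dport not in DC_QUERY_PORTS:
        return f"workstation doing non-DC query (port {dport}) to domain controller"
    if src_role in ("server", "dc") and dst_role == "workstation":
        return "server connecting to a client"
    if (src_role in ("server", "dc") and dst_role in ("server", "dc")
            and (src, dst) not in ALLOWED_SERVER_PAIRS):
        return "server accessing another server it is not supposed to"

def find_anomalies(lines):
    """Return [(flow, reason)] for every parseable record that breaks a rule."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        reason = check_flow(flow) if flow else None
        if reason:
            hits.append((flow, reason))
    return hits

SAMPLE_LOG = """\
2015-10-15T11:00:01 10.1.1.20 -> 10.1.2.5:389 tcp
2015-10-15T11:00:05 10.1.1.20 -> 10.1.1.21:3389 tcp
2015-10-15T11:00:09 10.1.1.21 -> 10.1.2.5:5985 tcp
2015-10-15T11:00:12 10.1.2.6 -> 10.1.2.5:445 tcp
2015-10-15T11:00:15 10.1.3.10 -> 10.1.2.6:445 tcp
2015-10-15T11:00:20 10.1.2.6 -> 10.1.1.20:445 tcp
""".splitlines()
```

Running `find_anomalies(SAMPLE_LOG)` flags four of the six constructed records; the two that pass are a workstation LDAP query to the DC and the allowed email/file server to DC connection.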
IDS IS NOT MAGIC
Signature IDS detects only incompetent attackers
Scanners are relatively useless in AV
They are even more useless in network traffic
Anomaly IDS are mostly false alarm generators
Thus for IDS to be useful, you need a well configured network
When normal traffic is restricted anomalies are interesting
If a workstation is breaking rules, it means someone has disabled the local firewall
CONCLUSIONS
Network security is all about limiting and monitoring
Limit what connections servers and workstations can do
Monitor for anything that breaks those limitations
THANK YOU FOR YOUR PARTICIPATION!
STAY TUNED FOR THE FUTURE CYBER SECURITY WEBINAR SERIES:
9 November 2015 at 11.00 EET: “Responding to an incident”
3 December 2015 at 11.00 EET: “Building secure systems”
The recording will be available at the BUSINESS SECURITY INSIDER
https://business.f-secure.com