TRANSCRIPT
“Fundamentals of IP Networking 2017 Webinar Series”
Part 5 Cybersecurity Fundamentals & Securing the Network
Wayne M. Pecena, CPBE, CBNE Texas A&M University
Educational Broadcast Services – KAMU Public Broadcasting
August_2017 IP_Net_Fundamentals-Part-5
“Fundamentals of IP Networking 2017 Webinar Series” Advertised Presentation Scope
Part 1 - Introduction to IP Networking Standards & the Physical Layer
Part 2 - Ethernet Switching Fundamentals and Implementation
Part 3 - IP Routing and Internetworking Fundamentals
Part 4 - Building a Segmented IP Network Focused On Performance & Security - July 25
Part 5 - Cybersecurity Fundamentals & Securing the Network - August 29
Part 5 will wrap up the webinar series by providing an understanding the conceptual aspects of network security and practical structured implementation steps. Practical implementation practices will focus upon “defense in depth” tactics that includes the creation of a security policy, physical security, Ethernet switch security, and layer 3 security approaches.
Today’s Outline:
• 1. Takeaway Review From Webinar 4
• 2. Structured Security Implementation
– Intro to Network Security & Terminology
– 1 - Physical Layer
– 2 - Data-Link Layer
– 3 - Network Layer & Above
• 3. Thinking Like a “Hacker”
– Mindset
– Tools of the Trade
• 4. Best Practices, References, & Questions
Takeaway Points – Part 4
• Use Segmented Network Design Techniques:
– Performance
– Security
– Policy
• VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated Networks, Broadcast Domains, or Subnets
• Each Network, Subnet, or VLAN is a Broadcast Domain With a Unique IP Address Scheme
• L2 Ethernet Switches Eliminate Collision Domains
• L3 Routers Control Broadcast Domains
• NAT Can Be Used to Minimize IPv4 Address Space
• IP Addressing Rules Must Be Obeyed:
– Each Network MUST Have a Unique Network ID
– Each Host MUST Have a Unique Host ID
– Every IP Address MUST Have a Subnet Mask
– An IP Address Must Be Unique Globally If the Host is on the Public Internet
– The First & Last IP Address of a Network (Network ID & Broadcast Address) Are Not Useable!
Structured Security Implementation
IP Network Security Risks to the Broadcast Station
• Dead Air
• Impact Upon Resources
• Loss of Revenue
• Public Embarrassment
• Breach of Data
• Potential Liability
• Lost Trust
Courtesy: Chris Homer @ PBS
The Broadcast Technical Plant Is Changing (has changed – will continue to change)
• Transition to IP Based Plant
• Transition to Cloud Based Services
• Transition to Service Based Architecture
Cybersecurity
• Cybersecurity is focused upon the protection of computers, networks, programs and data from unauthorized access, alteration, or destruction.
“Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability; Integrity; Confidentiality.”
International Telecommunication Union, ITU-T X.1205
A Cyber Attack Chain Model
Step – Description
• Reconnaissance & Probing – Find the target; harvest information (email, conference listings, public lists, etc.)
• Delivery & Attack – Place the delivery mechanism online; use social engineering to induce the target to access malware or other exploits
• Installation & Exploitation – Exploit vulnerabilities on target systems to acquire access; elevate user privileges and install additional “tools”
• Compromise & Expansion – Exfiltrate data; use compromised systems to exploit additional systems
Courtesy: Chris Homer @ PBS
Attributes of a Secure Network
• Layered Approach (“Defense in Depth” NOTE 1)
– Different Security Controls Within Different Groups
• Security Domains – Segmentation of the Network Into Areas or Groups
• Privileges – Restrict to “Need-To-Access”
– “Deny by Default”
• Access – Restrict by Firewalls, Proxies, etc.
• Logging – Accountability, Monitoring, & Activity Tracking
NOTE 1 – Cisco Security Terminology
Goals of Data Security – The CIA (or AIC) Triad
• Provides Confidentiality – Prevent Disclosure - Maintain Privacy
• Maintains Data Integrity – Prevent Unauthorized Data Alteration
• Provides Availability – Prevent Denial of Use
Protocols
[Figure: a send host and a receive host, each with a protocol stack, joined by the media; the DATA passes down the sender’s layers and back up the receiver’s]
Implement a Multi-Layer Approach – “Defense-In-Depth”

“Defense-In-Depth”
[Figure: security layers from the data outward – Data, Application, Host, Internal Network, Perimeter Network, Physical, Administrative Procedures & Policies – shown beside the seven OSI layers: 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application]
Layer 1 - Physical Access
• Restricted Physical Access to Network Infrastructure
• Controlled Access: – Access Badges
– Cyber-Locks
– Bio-Recognition
• Monitor Access – Access Logs
– Surveillance Cameras
Switch Port Security Actions
• Port Security Options:
– Specific MAC Address per Port
– Limit the Number of Learned MACs per Port
• Port Security Violation Responses:
– Discard the Offending Frame (“protect”)
– Discard the Frame and Send a SysOp Notification (“restrict”)
– Shut Down the Switch Port (“shutdown”)
Layer 2 – Data-Link Layer Access
• Implement Ethernet Switch Port Security
– Disable Any Unused “Access” or “Untagged” Ports
– Configure “Trunk” or “Tagged” Ports Only When Required
– Enable Switch Port Security: Specific MAC Address; Limit the Number of MAC Addresses per Port; Specify the “shutdown” Violation Response
• Segment Network Traffic
[Figure: one switch carrying three isolated VLANs – VLAN 100, VLAN 200, VLAN 300]
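The port security behaviour on the two slides above (a specific MAC per port, a learned-address limit, and the protect / restrict / shutdown violation responses) as a runnable model. This is an added example written for this page, not code from the webinar or from any switch vendor; the class, the port name Gi1/0/7 and the MAC addresses are assumptions for illustration, and a real switch additionally ages out learned addresses and needs an err-disabled port re-enabled by hand (or by errdisable recovery) after a shutdown.

```python
"""Added example: a model of Ethernet switch port security.

Each access port carries a set of statically pinned MAC addresses, a
maximum number of addresses (static + learned), and one of three
violation actions. The behaviour is a simplification of the Cisco IOS
feature and the names used here are assumptions for illustration.
"""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    max_macs: int = 1                               # limit on addresses (static + learned)
    static_macs: set = field(default_factory=set)   # addresses pinned to this port
    violation: str = SHUTDOWN                       # protect | restrict | shutdown
    learned: set = field(default_factory=set)
    enabled: bool = True
    violations: int = 0
    alerts: list = field(default_factory=list)      # "SysOp notifications"

    def receive(self, src_mac: str) -> bool:
        """Process one frame arriving on the port.

        Returns True if the frame is forwarded, False if it is discarded.
        """
        src_mac = src_mac.lower()
        if not self.enabled:
            return False                            # err-disabled: everything is dropped
        if src_mac in self.static_macs or src_mac in self.learned:
            return True                             # known address on this port
        if len(self.static_macs) + len(self.learned) < self.max_macs:
            self.learned.add(src_mac)               # room left: learn it
            return True
        # Violation: unknown address and the table is already full.
        self.violations += 1
        if self.violation == PROTECT:
            return False                            # silently discard
        if self.violation == RESTRICT:
            self.alerts.append(f"{self.name}: violation from {src_mac}")
            return False                            # discard and notify
        self.enabled = False                        # shutdown: port goes err-disabled
        self.alerts.append(f"{self.name}: shut down after frame from {src_mac}")
        return False


def demo():
    """One pinned host, max one address, shutdown on violation (constructed)."""
    port = SecurePort("Gi1/0/7", max_macs=1,
                      static_macs={"00:19:c8:c8:22:7f"}, violation=SHUTDOWN)
    results = [
        port.receive("00:19:c8:c8:22:7f"),   # legitimate host: forwarded
        port.receive("00:19:c8:c8:22:7f"),   # still forwarded
        port.receive("de:ad:be:ef:00:01"),   # intruder: port shuts down
        port.receive("00:19:c8:c8:22:7f"),   # legitimate host is now cut off too
    ]
    return results, port.enabled, port.violations


if __name__ == "__main__":
    print(demo())
```

Note the trade-off the last frame of demo() shows: “shutdown” is the strongest response, but it also takes the legitimate host off the network until someone re-enables the port, which is why the “restrict” mode (discard plus notification) is often preferred on ports where a false positive is costly.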
Layer 3 and Above
• Utilize Network Equipment Security Features
• Implement “Access Control Lists”
• Implement Firewalls
– Border
– Internal
• Implement Encryption
– Secure Connectivity: “IPsec”
• Utilize Application Security Where Possible
• Identity Trust: “AAA” (Authentication, Authorization, Accounting)
Access Control List “ACL”
• Provides a “Basic” Network Access Security Buffer - Packet Filter Based
• Filters IP Packets at a Router Interface:
– Inbound (Ingress) – Checked as Packets Arrive, Before Routing
– Outbound (Egress) – Checked After Routing, Before Forwarding
– Rules Are Evaluated Top-Down, First Match Wins; Every ACL Ends With an Implicit “Deny All”
• Standard Access List (Numbers 1-99) – Can Only Permit or Deny Based on the Source IP Address
– Placed Closest to the Destination Host
• Extended Access List (Numbers 100-199) – Can Permit or Deny Based Upon:
• Source IP Address
• Destination IP Address
• IP Protocol (ICMP, TCP, UDP, …)
• TCP Port #
• UDP Port #
– Placed Closest to the Source Network
Implementing an Access Control List
[Figure: a router with Interface 0/0 and Interface 0/1; on each interface an ingress ACL filters inbound packets and an egress ACL filters outbound packets]
• Permit or Deny Based On: Source IP Address; Destination IP Address; ICMP; TCP/UDP Source Port; TCP/UDP Destination Port
• One ACL per Interface, per Direction, per Protocol
• Two Steps: Create the Access Control List, Then Apply It to an Interface
ACL Implementation Example – Block External Users From “Pinging” Inside Network Hosts
[Figure: Router 1 between the “Internet” and the inside network 192.168.10.0/24, with interfaces E0 and E1; inside hosts 192.168.10.1 /24, 192.168.10.2 /24 and 192.168.10.6 /24]
Create Access List on Router 1 (an extended list, numbered 100-199, is required: a standard list numbered 1-99 matches only on the source address and cannot select ICMP):
access-list 100 deny icmp any any
access-list 100 permit ip any any
Apply Access List Inbound on the Internet-Facing Interface (ethernet1 in this example):
interface ethernet1
ip access-group 100 in
Caveat: “deny icmp any any” also discards the ICMP error messages inside hosts rely on (destination unreachable / fragmentation needed for path MTU discovery, time exceeded). To block only pings, deny echo requests alone:
access-list 100 deny icmp any any echo
Configuration Disclaimer: Exact configuration commands may vary based upon specific equipment models and software version. Generic “Cisco” commands utilized for illustration purposes.
Network Security Tools
• Firewall – Used to Create a “Trusted” Network Segment by Permitting or Denying Network Packets – Filters Based Upon Preset Rules
Firewall Types
• Stateless Packet Filtering – Single-Packet Inspection
– Access Control List “ACL” – Ingress or Egress Filtering
– No Knowledge of the Flow: Each Packet Is Judged on Its Own
– Filters on Layer 3-4 Header Fields (Addresses, Protocol, Ports)
• Stateful Packet Filtering – Conversation Inspection
– Filters on Layer 3-4 Header Fields Plus Connection State
– Records Conversations – Then Determines the Context of Each Packet:
» A New Connection
» Part of an Existing Conversation
» Not Involved in Any Conversation – Permitted Only if a Rule Explicitly Allows It
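An added example (not from the webinar) that ties the ACL slides and the firewall-type slide together. parse_acl and acl_permits evaluate extended access-list lines in the Cisco style of the “pinging” example, top-down with first match and the implicit deny at the end; StatefulFilter then shows what a stateful filter adds, admitting outside→inside packets only when they answer a conversation an inside host started. The rule syntax (CIDR prefixes instead of wildcard masks, only “eq <port>”), the Packet record and the addresses are simplifications and assumptions made for illustration, not a router’s real parser.

```python
"""Added example: extended-ACL evaluation versus stateful filtering."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _net(spec: str):
    """'any' -> 0.0.0.0/0, otherwise a CIDR prefix (assumed simplification)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def _take_addr(tok, i):
    """Consume an address spec at tok[i]: 'any', 'host A.B.C.D' or a prefix."""
    if tok[i] == "any":
        return _net("any"), i + 1
    if tok[i] == "host":
        return _net(tok[i + 1] + "/32"), i + 2
    return _net(tok[i]), i + 1


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'.

    Returns a list of (action, proto, src_net, dst_net, dport_or_None).
    'ip' as the protocol matches every protocol.
    """
    rules = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = tok[2], tok[3]
        src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append((action, proto, src, dst, dport))
    return rules


def acl_permits(rules, pkt: Packet) -> bool:
    """First matching rule decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if s not in src or d not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


class StatefulFilter:
    """Outside->inside traffic passes only as the reverse of a flow an
    inside host opened (the 'return session only' arrow on the DMZ slide)."""

    def __init__(self, inside_net: str):
        self.inside = ipaddress.ip_network(inside_net)
        self.flows = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) in self.inside:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True                                   # outbound: record and pass
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def demo():
    """Constructed traffic against the slide's network 192.168.10.0/24."""
    acl = parse_acl([
        "access-list 100 deny icmp any any",
        "access-list 100 permit tcp any host 192.168.10.6 eq 80",
    ])                                                    # implicit deny follows
    ping = Packet("icmp", "203.0.113.9", "192.168.10.2")
    web = Packet("tcp", "203.0.113.9", "192.168.10.6", 51000, 80)
    ssh = Packet("tcp", "203.0.113.9", "192.168.10.6", 51001, 22)
    acl_result = [acl_permits(acl, p) for p in (ping, web, ssh)]

    fw = StatefulFilter("192.168.10.0/24")
    out = Packet("tcp", "192.168.10.2", "203.0.113.9", 40000, 443)
    reply = Packet("tcp", "203.0.113.9", "192.168.10.2", 443, 40000)
    unsolicited = Packet("tcp", "203.0.113.9", "192.168.10.2", 443, 40001)
    state_result = [fw.allow(out), fw.allow(reply), fw.allow(unsolicited)]
    return acl_result, state_result


if __name__ == "__main__":
    print(demo())
```

The stateless list cannot tell the reply packet from the unsolicited one: both arrive from the outside with source port 443, so an ACL that admits one admits the other. The stateful filter distinguishes them by the conversation table, which is the whole point of the “return session only” rule on the firewall-implementation slide.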
Firewall Implementation
[Figure: three zones – the Internet (Outside), a Demilitarized Zone “DMZ” holding a Web Server and a (mail) Server, and the Internal Network(s)]
• Outside → DMZ: HTTP & SMTP / POP Only Allowed
• Outside → Internal Network: All Blocked
• Internal Network → DMZ: All Allowed
• Internal Network → Outside: All Allowed; Return Session Traffic Only Allowed Back In
• “Stateful” Firewall Functionality May Be Implemented in the “Border” Router
Firewall Use Caution
• False Sense of Security
– “I Have A Firewall”
– Know What The Firewall is (and is Not) Doing
• Minimize the Protection Zone
• Formal Policy Required
– Pre-Define Rules
– Periodic Review
– Monitor Activity
• Performance Impact
– Throughput (packets/sec)
– Latency
• Don’t Overlook Egress – Permit Only the Ports Needed
“IPsec” Internet Protocol Security
• IPsec – End-to-End Scheme to Authenticate & Encrypt IP Communications
– IPv4 – Optional Implementation
– IPv6 – Originally a Mandatory Part of Every Implementation, Now Recommended (RFC 6434 relaxed the requirement to “SHOULD”)
• Layer 3 Implementation – Transparent to Applications
• Modes:
– Tunnel Mode – The Whole IP Packet Is Encapsulated and a New Outer IP Header Is Added (VPN, Gateway-to-Gateway)
– Transport Mode – Only the Payload Is Protected, the Original IP Header Is Kept (Host-to-Host)
• Encapsulating Security Payload (ESP) – Encrypts & Authenticates
Thinking Like a “Hacker”
The “Hacker” Culture
• “White Hat” Hacker – Intent is to protect IT systems
• “Black Hat” Hacker – Intent is to harm IT systems
• “Gray Hat” Hacker – Intent is the challenge
The “White Hat Hacker”
• “Ethical Hackers” - Work to Protect Systems as Network Security Professionals by Using the Same Tools a Network Hacker Uses
• Other Hacker Types:
– Script Kiddies
– Hacktivists
Common IP Network Threats
• IP Address Spoofing – Packets sent with a false source address
– Common in Denial-of-Service “DoS” attacks (the victim answers the forged address and the true sender cannot be traced)
• ARP Spoofing – Forged ARP replies bind the attacker’s MAC address to a legitimate IP address (typically the default gateway)
– Common “Man-In-The-Middle” attack on the local segment
• DNS Server Spoofing – Answers a query for a legitimate domain name with a false destination address
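Two of the threats above, ARP spoofing and IP address spoofing, have simple detection and filtering logic that is worth seeing as code. This is an added example written for this page, not from the webinar: detect_arp_spoof tracks the IP-to-MAC bindings seen in ARP replies and raises an alert when a binding changes or one MAC claims several addresses, the way a sniffer on the segment (or a switch’s dynamic ARP inspection) would; ingress_spoof_check is the BCP 38 style source-address test a border router applies to defeat spoofed packets. The ARP replies, MAC addresses and network ranges are constructed for the example.

```python
"""Added example: ARP-spoof detection and an anti-spoofing ingress check."""
import ipaddress

# Constructed ARP replies as seen on the segment: (sender IP, sender MAC).
ARP_REPLIES = [
    ("192.168.10.1", "00:19:c8:c8:22:7f"),   # gateway announces itself
    ("192.168.10.2", "00:19:c8:c8:22:80"),   # a workstation
    ("192.168.10.1", "00:19:c8:c8:22:7f"),   # normal refresh, same binding
    ("192.168.10.1", "de:ad:be:ef:00:01"),   # attacker now claims the gateway IP
    ("192.168.10.6", "de:ad:be:ef:00:01"),   # same MAC claims a second IP
]


def detect_arp_spoof(replies, protected_ips=frozenset()):
    """Return (severity, message) alerts for suspicious ARP activity.

    A changed binding for an IP in protected_ips (e.g. the default
    gateway) is HIGH, because hijacking it yields a man-in-the-middle;
    any other changed binding is MEDIUM; one MAC answering for several
    IPs is LOW (possible, but worth a look).
    """
    ip_to_mac, mac_to_ips, alerts = {}, {}, []
    for ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            sev = "HIGH" if ip in protected_ips else "MEDIUM"
            alerts.append((sev, f"{ip} moved from {old} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips.setdefault(mac, set()).add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("LOW", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


def ingress_spoof_check(src_ip, inside_nets, arrived_on_outside):
    """BCP 38 style filter: return True if the packet's source is plausible
    for the interface it arrived on.

    Arriving from the Internet, the source must be a globally routable
    address and must not belong to one of our inside networks; leaving
    toward the Internet, it must belong to one of our inside networks.
    """
    src = ipaddress.ip_address(src_ip)
    inside = any(src in ipaddress.ip_network(n) for n in inside_nets)
    if arrived_on_outside:
        return src.is_global and not inside
    return inside


if __name__ == "__main__":
    for sev, msg in detect_arp_spoof(ARP_REPLIES, protected_ips={"192.168.10.1"}):
        print(sev, msg)
    print(ingress_spoof_check("192.168.10.2", ["192.168.10.0/24"], arrived_on_outside=True))
```

The ARP detector only sees the segment it is attached to, and a binding that changes legitimately (a replaced gateway NIC, a failover to a standby router) looks exactly like an attack; treat its output as an alert to investigate against the change log, not as proof.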
Tools of the “Hacker”
https://www.concise-courses.com/hacking-tools/

Tools of the “Hacker” – 10 Most Popular
• nmap
• Metasploit
• John The Ripper
• THC Hydra
• OWASP Zed (ZAP)
• Wireshark
• Aircrack-ng
• Maltego
• Cain and Abel Hacking Tool
• Nikto Website Vulnerability Scanner
Wireshark
• “Open Source” Protocol Analyzer
• Often Referred to as a “Sniffer”
• Developed in 1998 as “Ethereal”
• Renamed Due to Trademark Issues
• Analysis of “Live” & “Recorded” Network Activity
• Useful To:
– Isolate performance issues
– Understand application interaction
– Network Benchmarking
– Determine What is Not the Problem
– Network Forensics – Detect Malware (signature display)
Tools of the “Hacker”
• Available for Windows, Mac OS X, & Linux
• Download at: www.wireshark.org
• Includes Capture Libraries:
– WinPcap (Windows)
– libpcap (Linux / Mac OS X)
[Screenshot: Wireshark capture with packet 192 selected; header details displayed in the middle pane; payload data decoded (hex & ASCII) in the bottom pane]
Filtering
• Filter Building Blocks: – Protocol
– Direction (Source or Destination)
– Type
• Capture Filters – Selectively Capture Packets
– Pre-Capture Configuration
– Minimizes Captured Data
• Analysis Filters – Applied When Viewing
– Allows Focusing on an Attribute
– All Data is Retained
Using “Capture” Filters
Useful “Capture” (pcap) Filter Examples
• ip
• tcp
• udp
• host 165.95.240.130
• net 165.95.240.128/26
• net 165.95.240.128 mask 255.255.255.192
• src net 165.95.240.128/26
• dst net 165.95.240.128/26
• port 80
• not broadcast and not multicast
(In pcap syntax “host” takes a single address; an address range is written with “net”, either in CIDR form or with an explicit “mask”.)
http://www.tcpdump.org/manpages/pcap-filter.7.html
Using “Display” Filters
Useful “Display” Filter Examples
• eth.addr==00:19:c8:c8:22:7f
• ip
• ip.addr==165.95.240.130
• ip.addr==165.95.240.130 or ip.addr==165.95.240.129
• tcp
• tcp.port==80
• udp
• udp.port==50000
• http
(ip.addr, eth.addr, tcp.port and udp.port match the field in either direction, source or destination; use ip.src / ip.dst or tcp.srcport / tcp.dstport when the direction matters.)
http://www.firstdigest.com/2009/05/wiresharks-most-useful-display-filters/
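To make concrete what the display filters listed above select, here is an added example (written for this page, not Wireshark’s filter engine and not from the webinar) that applies filters in exactly that syntax to a handful of constructed packet summaries. It supports only the forms on the slide, a bare protocol name, field==value, and/or/not without parentheses, and shows in particular that ip.addr and tcp.port test both the source and the destination field. The packet summaries and addresses are made up for the example.

```python
"""Added example: a small evaluator for Wireshark-style display filters."""

# Constructed packet summaries, numbered 1..4 as a capture pane would.
PACKETS = [
    {"eth.src": "00:19:c8:c8:22:81", "eth.dst": "ff:ff:ff:ff:ff:ff",
     "protos": {"eth", "arp"}},
    {"eth.src": "00:19:c8:c8:22:7f", "eth.dst": "00:19:c8:c8:22:80",
     "protos": {"eth", "ip", "tcp", "http"},
     "ip.src": "165.95.240.130", "ip.dst": "93.184.216.34",
     "tcp.srcport": 51000, "tcp.dstport": 80},
    {"eth.src": "00:19:c8:c8:22:80", "eth.dst": "00:19:c8:c8:22:7f",
     "protos": {"eth", "ip", "tcp", "http"},
     "ip.src": "93.184.216.34", "ip.dst": "165.95.240.130",
     "tcp.srcport": 80, "tcp.dstport": 51000},
    {"eth.src": "00:19:c8:c8:22:81", "eth.dst": "00:19:c8:c8:22:7f",
     "protos": {"eth", "ip", "udp"},
     "ip.src": "165.95.240.129", "ip.dst": "165.95.240.130",
     "udp.srcport": 50000, "udp.dstport": 5004},
]

# "Combined" fields expand to the pair of concrete fields they cover,
# which is why ip.addr==X matches packets sent to X as well as from X.
COMBINED = {
    "ip.addr": ("ip.src", "ip.dst"),
    "eth.addr": ("eth.src", "eth.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}


def _term(term, pkt):
    """Evaluate one term: 'proto' or 'field==value', optionally negated."""
    neg = False
    while term.startswith("not "):
        neg, term = not neg, term[4:].strip()
    if "==" in term:
        field, value = (t.strip() for t in term.split("==", 1))
        fields = COMBINED.get(field, (field,))
        hit = any(str(pkt.get(f)) == value for f in fields)
    else:
        hit = term in pkt["protos"]        # bare protocol name
    return hit != neg


def matches(expr, pkt):
    """'and' binds tighter than 'or', as in Wireshark; no parentheses."""
    return any(all(_term(t.strip(), pkt) for t in clause.split(" and "))
               for clause in expr.split(" or "))


def apply_filter(expr, packets=PACKETS):
    """Return the 1-based packet numbers that the filter keeps."""
    return [i for i, p in enumerate(packets, 1) if matches(expr, p)]


if __name__ == "__main__":
    for f in ("ip", "tcp.port==80", "ip.addr==165.95.240.130",
              "ip.addr==165.95.240.130 or ip.addr==165.95.240.129",
              "eth.addr==00:19:c8:c8:22:7f and not tcp"):
        print(f"{f:55s} -> packets {apply_filter(f)}")
```

Unlike a capture filter, a display filter never discards anything: apply_filter only decides which of the retained packets are shown, which is what makes it safe to refine a display filter repeatedly after the fact.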
Tools of the “Hacker”
• Obtain & Install “nmap”: https://nmap.org/
– Linux (Best: Ubuntu, Fedora, CentOS, BSD, Kali)
– Windows (Windows 7 and Later, With Limitations)
• Obtain & Install “zenmap” (the nmap GUI): https://nmap.org/zenmap/
“Network Mapper”
• Determine Active Network Hosts
• Determine Host Operating System
• Determine Open Ports / Active Services
• Diagram Network Architecture
Network Mapper (nmap) is an open source network scanning utility used to determine information about network hosts.
Used For: Host Discovery, Security Profile Auditing, Network “Hacking”
Disclaimer – “Network Scanning”
• Be Aware of Network Scanning Ethics & Legalities
• Guidelines to Follow:
– Ensure You Have Permission to Scan
– Limit the Target & Scope of Your Scan
– Understand Your ISP’s AUP
– Use Caution with Options
– Have a Reason to Scan the Network
• Be Aware: Aggressive Scanning Can Crash a Host - Use Caution!
Further Information:
https://nmap.org/book/legal-issues.html
Simple nmap Scan: nmap <ip address>

nmap Profiles – Create Your Custom Profile (zenmap)
nmap Examples (option shown in parentheses)
• Scan Single Host (nmap <host>)
• Scan Multiple Hosts (nmap <host1> <host2> …)
• Scan Range of IP Addresses (nmap 192.168.10.1-20)
• Scan a Subnet (nmap 192.168.10.0/24)
• Perform an Aggressive Scan (-A: OS & version detection, default scripts, traceroute)
• Discovery Attempt: No Ping (-Pn: treat every host as up, skip host discovery)
• Discovery Attempt: Ping Only (-sn: host discovery, no port scan)
• Discovery Attempt: Host OS (-O)
• Fast Port Scan (-F: top 100 ports)
• Scan Specific Port (-p <port>)
Sampling of > 125 nmap commands
[Screenshots: Scan Range of IP Addresses; Scan a Subnet (NOTE CIDR Notation); Perform an Aggressive Scan; Discovery Attempt: Ping Only – Topology Map; Discovery Attempt: Host OS]
Fast Port Scan
nmap scans the top 1,000 ports by default
“Fast Port Scan” (-F) scans the top 100 ports
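What the port-scan slides above rely on is a TCP connect scan: try to complete a handshake with each port and classify the port by how the target answers. The following added example (written for this page; it is not nmap’s code and simplifies what nmap does) runs that logic against listeners it opens itself on 127.0.0.1, so it works offline and without scanning anyone else’s host. A real scanner also sends raw SYN probes instead of full connections, handles “filtered” ports that never answer, randomizes order and rate-limits itself; the host, port numbers and thread count here are assumptions for the illustration.

```python
"""Added example: a minimal TCP connect scanner against local listeners."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def open_listener(host="127.0.0.1"):
    """Bind a TCP listener on an ephemeral port; accept and close in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:              # listener closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """Classify one port the way a connect scan does.

    A completed handshake means open; an immediate RST (connection
    refused) means closed; no answer within the timeout means filtered,
    i.e. something silently dropped the SYN.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                      # includes socket.timeout
        return "filtered"
    finally:
        s.close()


def scan(host, ports, workers=16):
    """Probe the given ports in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p), ports))
    return dict(zip(ports, states))


def free_port(host="127.0.0.1"):
    """Pick a port that is (almost certainly) closed right now."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Open two listeners, pick one closed port, scan all three."""
    srv1, p1 = open_listener()
    srv2, p2 = open_listener()
    closed = free_port()
    try:
        result = scan("127.0.0.1", sorted([p1, p2, closed]))
    finally:
        srv1.close()
        srv2.close()
    return result, p1, p2, closed


if __name__ == "__main__":
    result, p1, p2, closed = demo()
    for port, state in result.items():
        print(f"{port}/tcp {state}")
```

Against a host behind a firewall that drops rather than rejects, every closed port looks “filtered” and each probe costs the full timeout, which is why scanning a /24 with the default 1,000 ports can take far longer than the -F top-100 scan the slide recommends for a first look.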
NSE - nmap Scripts
• Nmap Scripting Engine (NSE)
• Automates nmap Tasks (discovery, version detection, vulnerability checks)
• Activating NSE: “-sC” runs the default script set; “--script <name or category>” selects specific scripts
• Script Library: https://nmap.org/nsedoc/
• Create Your Own: Lua Script Framework
Port Number Lookup: https://www.adminsub.net/tcp-udp-port-finder
• 80 - HTTP
• 443 - HTTPS
• 22 - SSH
• 631 - IPP
• 21 - FTP
• 139 - NetBIOS
• 445 - Microsoft-DS / SMB (Active Directory)
• 2100 - Amiga File System
• 6789 -
TAKEAWAYS, REFERENCES, QUESTIONS, AND MAYBE SOME ANSWERS
Takeaway Points - Security
• Recognize & Accept The “Security Lifecycle”
• Understand the Security Threat Landscape
• Segment Your Network
– Security
– Performance
• Lock All Your Doors
– Limit Privileged Users
– Implement “Layer 1-3” Security Features
– Don’t Overlook “Back Door” Access
• Use Firewall(s) to Limit Ingress & Egress
• Follow Industry “Best Practices”
• Implement a “Defense in Depth” Strategy
• Monitor Your Network Activity – Know the “Norm”
• Test Your Network Security – Think Security “Proof-of-Performance”
Network Security Best Practices
• Recognize Physical Security
• Change Default Logins
• Utilize Strong Passwords
• Disable Services Not Required
• Adopt a Layered Design Approach
• Segregate Network(s)
• Separate Networks via VLANs
• Implement Switch Port Security
• Utilize Packet Filtering in Routers & Firewalls
• Do Not Overlook Egress Traffic
• Deny All Traffic – Then Permit Only What Is Required
• Keep Up With Equipment “Patches”
• Utilize Access Logging on Key Network Devices
• Utilize Session Timeout Features
• Encrypt Any Critical Data
• Restrict Remote Access Sources
• Understand & Know Your Network Baseline
• Actively Monitor and Look for Abnormalities
• Limit to “Need-to-Access”
• Disable External “ICMP” Access (at Least Echo Requests; Keep the ICMP Error Messages Path MTU Discovery Needs)
• Don’t Use VLAN 1 (the Default VLAN) for User Traffic
The Challenge
Security vs. Usability
FCC CSRIC IV Working Group 4 – Final Report
https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
Local Broadcast Radio Station
Local Broadcast TV Station
EAS Advisory Group
http://www.sbe.org/sections/news/EASsecurity.php
nmap Practice Target: scanme.nmap.org
On-Line nmap Tools
• https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
My Favorite Reference Texts: