Securityic2

CCSD SECURITY
ESSENTIAL
Network Security

Network Security Overview
Copyright © 2019 Logical Operations, Inc. All rights reserved.
• Network security is one of the most critical topics.
• Rapid changes to technology make networking complex.
• Need to secure each technology separately.
• Need to handle interoperability issues.
• No more clear-cut boundaries for the network.

The OSI Model
7 Application 7 Application
6 Presentation 6 Presentation
5 Session 5 Session
4 Transport 4 Transport
3 Network 3 Network
2 Data Link 2 Data Link
1 Physical 1 Physical
Web Server Client Browser
Information/Data
Flow

TCP/IP Core Protocol Vulnerabilities and Mitigation
(Slide 1 of 2)
Protocol Vulnerability or Threat Mitigation
TCP • An attacker can predict the incrementing sequence
number of a TCP session and use it to hijack a session
that has already been authenticated and authorized.
• TCP can carry malicious payloads to other computers.
• Use encrypted versions of Layer 7
protocols.
• Encrypt or digitally sign data
payloads.
• Block unused TCP ports on
firewalls.
UDP • UDP requires no acknowledgment, so it’s easy to spoof
the source or destination of UDP packets.
• UPD can cause amplification and other denial-of-service
attacks.
• Use encrypted versions of Layer 7
protocols.
• Encrypt and digitally sign data
payloads.
• Block unused UDP ports on
firewalls.
IP • IP has no mechanism for verifying the actual identity of
the sender or the receiver.
• It’s easy to spoof IP addresses, so that packets are sent
to or received from a machine other than the intended
destination or source.
• An attacker can craft malicious IP packet fragments that
cannot be reassembled by the receiving computer,
causing a denial of service attack.
Configure the router and other IP
devices to disallow IP features that
can be abused, including fragments,
ICMP redirection, and source
routing.

TCP/IP Core Protocol Vulnerabilities and Mitigation
(Slide 2 of 2)
Protocol Vulnerability or Threat Mitigation
ICMP • An attacker can send an ICMP redirect telling targets to
use the attacker's machine as a default gateway.
• An attacker can insert malicious data inside an ICMP
packet, which will pass through routers and firewalls
under the assumption that it is just a status message.
• An attacker can send oversized ICMP packets and
overwhelm the system.
Configure firewalls and routers to
disallow ICMP unless it is actually
needed.
IGMP Malformed IGMP packets can cause a buffer overflow in
denial of service on a receiving host.
Configure firewalls and routers to
disable IGMP unless it is actually
needed.
ARP • ARP (and its twin RARP) is vulnerable because it is sent
in cleartext by broadcast, with no way to verify the
identity of the sending computer.
• An attacker can poison a system's ARP table or cache,
causing traffic to be delivered to the wrong node. This
type of poisoning is the underlying mechanism for most
man-in-the-middle attacks.
Hard-code IP-to-MAC mappings in
switches and device ARP caches.

Application Layer Protocols Vulnerabilities and Mitigation (Slide
1 of 4)
Protocol Vulnerability Mitigation
DHCP Broadcasts in cleartext, so attackers can:
• Plug directly into a network jack and receive an
IP address.
• Set up rogue DHCP servers that provide
incorrect addresses to clients.
Don’t use DHCP; hard code IP addresses on
hosts instead.
DNS Sends data in cleartext with no authentication, so
attackers can:
• Divert, intercept, or deny end-user
communications.
• Perform unauthorized zone transfers with DNS
servers.
• Send inaccurate lookup information to clients.
• Corrupt the DNS server’s database or lookup
cache.
Use DNS Security (DNSSEC) to accompany all
DNS records with digital signatures.
SNMP • Prior to v3, SNMP is sent in cleartext, allowing it
to be sniffed.
• SNMP uses a weak authentication method that
is easy to spoof.
Install SNMP v3, or use a proprietary network
management solution.

2 of 4)
FTP • Standard FTP uses plaintext password
authentication and no encryption, enabling
man-in-the-middle attacks.
• Some FTP implementations permit anonymous
connections.
• Use an encrypted replacement like FTPS or
SFTP.
• Disallow anonymous connections.
• Apply file system permissions on the
directories that contain FTP content.
Telnet • Telnet is sent in cleartext with no encryption or
digital signatures.
• Its sessions can be sniffed, and it is vulnerable
to session hijacking and man-in-the-middle
attacks.
Use SSH instead of Telnet.
SSH • Different implementations have been
vulnerable.
• OpenSSH bug allowed enumeration of
usernames registered on the SSH server.
Make sure your SSH product is patched.
HTTP • Uses plaintext and no authentication, so an
attacker can intercept or manipulate sensitive
information in web forms.
• Lack of encryption and digital signatures allows
for man-in-the-middle attacks.
• Use HTTPS, with TLS v1.2 encryption.
• Configure the web server to require Strict
Transport Security (HSTS) so that an HTTPS
session cannot be downgraded to HTTP.

3 of 4)
SMTP • No authentication or encryption between
servers, allowing fake email servers to send
spam.
• Cleartext SMTP can be sniffed and spoofed.
• Create TLS tunnels and authentication
between email servers.
• Configure clients to use encrypted versions
of SMTP.
POP and
IMAP
Messages are sent in cleartext and can be sniffed
or spoofed by an unauthorized person.
Configure clients to use encrypted versions of
POP3 and IMAP4.
LDAP • LDAP provides weak authentication based on
DNS.
• If DNS is compromised, LDAP is also easy for an
attacker to compromise.
• Standard LDAP sends messages in plaintext,
which can be easily intercepted and read by
attackers.
Configure clients and servers to use encrypted
LDAPS.
Kerberos • Weak implementations can have
vulnerabilities.
• Microsoft implementation allows creation of
fake hash checksums and forged tickets
(Security Bulletin MS14-068).
Patch and update affected systems.

4 of 4)
SMB • Unauthenticated "null session"
enumeration.
• Weak encryption.
• Ransomware like WannaCry.
• Buffer overflows like EternalBlue.
• Patch and update affected systems.
• Configure systems to disallow older
protocol versions and null sessions.
• Block SMB-related ports on the firewall:
TCP 139 and 445, UDP 137, 138, and 139.
RPC Crafted RPC calls can gain system level privilege
from vulnerable Windows Services that use
RPC (CVE-2003-0352/MS03-026 DCOM buffer
overflow being the most notable).
• Patch and update affected systems.
• Block TCP 135 on the firewall.
NFS • Older versions of NFS do not include
encryption mechanisms to prevent
eavesdropping or tampering of data being
transferred.
• Many implementations do not have access
controls to prevent unauthorized
connection and data theft.
• Put access control on all NFS shares.
• Block TCP 2049 on the firewall.
RDP RDP is vulnerable to numerous flooding,
overflow, and cryptographic attacks.
• Patch affected systems, and configure the
RDP server to allow only Network Level
Authentication.
• Use certificates issued by a trusted CA for
authentication.

• Use firewalls/intrusion detection to monitor protocol abuse/suspicious traffic.
• Harden/patch servers and workstations to mitigate risks from TCP/IP protocols.
• Use TCP wrappers on Linux/UNIX devices to verify incoming connections to host.
• Configure personal firewalls on all computers.
• Configure routers to disallow/filter:
• Source routing - can potentially be used for spoofing.
• Subnet broadcasts - can potentially be used for denial of service.
• ICMP - filter ICMP by message type; only allow PING to and from trusted hosts.
• IP fragments - deliberately malformed fragments could be a denial of service technique.
• IP options - excessive use could result in router CPU denial of service.
• IP packets with low time-to-live (TTL) - could be used for denial of service.
Network Vulnerability Mitigation (Slide 1 of 2)

• If practical, implement DNSSEC in your environment.
• If practical, implement authentication/encryption between servers, in your
enterprise, and with partners.
• Use authenticated/encrypted alternatives to cleartext protocols, including:
• SSH (port 22) instead of telnet (port 23).
• HTTPS (port 443) instead of HTTP (port 80).
• SMTPS (port 465) or MSA (port 587) instead of SMTP (port 25).
• IMAPS (port 993) or IMAP-SSL (port 585) instead of IMAP (port 143).
• SSL-POP (port 995) instead of POP3 (port 110).
• When possible, change default port of a service to an unexpected port number.
• When possible, encrypt and digitally sign the payload.
Network Vulnerability Mitigation (Slide 2 of 2)

Wireless Security (Slide 1 of 2)
Wireless Security Protocol Description
WEP • Wired Equivalent Privacy.
• Relies on stream cipher with 24-bit initialization vector (IV).
• Attack on IV can easily predict short value.
• Can be compromised in minutes.
• Obsolete – do not use.
WPA • Wi-Fi Protected Access.
• Provides additional encryption using Temporal Key Integrity Protocol (TKIP).
• TKIP is vulnerable to transmission of arbitrary packets.
• Also vulnerable to decryption of arbitrary packets.
• Obsolete – do not use.
WPA2 (802.11i) • Improvement on WPA.
• Includes stronger encryption (CCMP protocol using AES standard).
• Biggest known vulnerability is choosing a weak password.
• The current best choice for Wi-Fi security.
WPS • Automated mechanism for wireless devices to obtain the Wi-Fi key from the
router.
• Wi-Fi setup is easy and convenient.
• Negotiation can be intercepted and cracked by hacking tools.

When implementing wireless security:
• Select WPA2 (even WPA2 personal) over WEP or WPA.
• When possible, use a RADIUS server for wireless authentication.
• If you must use a pre-shared key, make the password complex and change it
regularly.
• Manually enter Wi-Fi passwords into your device, rather than allowing them to
autoconfigure themselves by using WPS.
• If necessary, enter the MAC addresses of all devices that are permitted to connect to
the wireless network into the access point.
Wireless Security (Slide 2 of 2)

Networking Hardware
• Router
• Wireless router
• Switch
• Hub
• Gateway
• Modem
• Multiplexer
• Concentrator
• Front-end processor
• Repeater
• Firewall
• Proxy
• Reverse Proxy
• Appliance
Switch
Modem
Hub
Router
Firewall
Wireless Router

• If a router is compromised, attacker can use it in a man-in-the-middle attack.
• Like planting a bug in a room to listen in remotely.
• Can also initiate DoS attacks.
• Router must be physically protected first and foremost.
• Theft or tampering with router will result in major network issues.
• Routers are also subject to logical attacks.
• Attacker may attempt to access router using a remote protocol like Telnet/SSH.
• May also try to send excessive or malformed packets to router, causing a DoS.
Router Vulnerabilities

• Deploy the router in a secure, locked area.
• Disable all unnecessary services on the router.
• Disable any unnecessary routing protocols.
• Harden the router per the manufacturer's recommendations.
• Use SSH instead of Telnet.
• Create access control lists.
• Require strong authentication for administrator connections.
• Limit number of admin connections, and disconnect inactive sessions.
• Require authentication to a centralized server on higher-end routers.
• Create custom administrative accounts with limited privileges for support personnel.
• Ensure passwords are stored using encryption.
• Forward all security events to a central syslog server.
• Monitor activity on the router, watching for suspicious behavior.
Router Security

• Comprehensive solution to secure mobile devices as they connect to network.
• Ensures that these devices are healthy and cannot compromise network.
• Software installed on devices includes:
• Firewall
• VPN client
• Antivirus
• Anti-malware
• Encryption
• Uses client/server security model.
• Central server on network pushes updates to mobile clients and controls access.
• Endpoint security often includes mobile device management (MDM).
Endpoint Security

• Various devices enable networking capabilities.
• Often found in server rooms.
• Use the following methods to secure these devices:
• Physically secure all devices against tampering or accidents.
• Lock cabinets and rack doors.
• Use cable locks on laptops and small PCs.
• Mount power adapters, smart jacks, media converters, etc., where they can be easily
monitored and serviced.
• Consider using a "lights out" approach to server management.
• Place non-rack-mountable equipment on boltable trays above the rack floor.
• Route all cables both inside racks and in the ceiling in managed bundles and cable trays.
Physical Devices

Attackers
Attacker Description
White hat Someone who breaks computer security for non-malicious purpose, usually to improve
security.
Black hat Someone who breaks computer security for malicious reasons or personal gain.
Grey hat Someone whose ethics lie somewhere between white and black.
Blue hat A hacker employed to find security bugs in software so they can be patched before product
launch.
Elite hacker A highly skilled hacker. Almost always a programmer.
Hacktivist Someone who hacks to support a cause.
Script kiddie Someone who uses hacking tools written by others, with little/no understanding of
underlying technology.
Newbie A beginner. Also known as "noobie" or "noob."
Nation state A country's cyberwarfare operatives.
Organized
crime
A group that carries out organized criminal hacking for profit.

Securityic2

More Related Content

What's hot (18)

Similar to Securityic2 (20)

More from Anne Starr (20)

Recently uploaded (20)

Securityic2