Darril Gibson's Security+ Chapter 4 Securing Your Network (Using a…
Darril Gibson's
Security+
Chapter 4
Securing Your
Network
Advanced Security
Devices
IDS
Intrusion
Detection System
https://www.youtube.com/watch?v=hEgWPWIuq_s
monitors a network
and sends alerts when
there's a potential intrusion
uses protocol analyser (like IPS)
can catch some things
traditional anti virus will miss
usually monitors traffic reaching the
network/host but can also monitor applications
usually only monitors
can't prevent attacks
BUT
Some IDS
(active IDS) can do
things like modify ACL
on firewalls, close processes
divert attack to safe environment
like honeypot
can only do all
these things AFTER
attack has started because
it's out of band/passive
Data sources
IDS takes logs
from bunch of other
devices
(e.g. firewall logs, system logs etc)
Some IDS scan
logs in real time
but some periodically
scan
reporting
Report events as either
alerts or alarms according to
rules set by administrators
false positives
v
false negatives
admins have to set
thresholds and sensitivity
aim to set high
enough that minimises false
positives but low enough to
avoid ANY false negatives
false positives eat
up sysadmin time!
Can be network based (NIDS)
or host based (HIDS)
HIDS
traffic passes
through the network card
NIC
NIDS
Has NIDS sensors on
various parts of network
that phone home to a central
NIDS server
can only monitor unencrypted traffic
can collect information
from a "switch tap" aka port mirror
Can be signature based
or heuristic based
heuristic
/behavioral/anomaly based
Anomaly requires a baseline
compares current
activity to baseline
re-establish
baseline if there
are major changes to
the system
unlike signature based these can
spot zero days
Two senses of zero day
1) admins don't know of vulnerability
2) admins know but haven't created a patch
heuristic/behavioural IDS works similarly
to heuristic/behavioural
antivirus
signature based
signatures require updating
signatures very similar to
anti virus signatures
is
out of band
aka passive
as traffic
doesn't go through it
can detect SYN Flood
Attacks
IPS
Intrusion Prevention
System
https://www.youtube.com/watch?v=hEgWPWIuq_s
monitors like an
IDS but can intervene
to prevent them reaching the
network/system
Can be
network based (NIPS)
or host based (HIPS)
usually on the
edges of networks
an organisation
may have more than one
i.e. one for each network
or subnet
this prevents the damage
a RAT (Remote Access Trojan)
can do because it'll get caught
when it tries to move networks
Can be signature based
or heuristic based
heuristic based
requires a baseline
re-establish
baseline if there
are major changes to
the system
unlike signature based this can
spot zero days
signature based
signatures require updating
Is usually
inline
with traffic as
traffic has to go through it
uses a protocol analyser
like IDS
can prevent a SYN Flood
Attack
this is where the server is
flooded with SYN packets
without follow up ACK packets
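The SYN flood described above is the textbook case for the IDS reporting rules earlier in these notes (alerts raised against an administrator-set threshold, with the false-positive/false-negative trade-off). The block below is an added example, not from the book or the video, that counts half-open connections per source over a constructed set of flow records and shows how the same data produces a false positive at a low threshold and a clean result at a higher one. The IP addresses and counts are made up for the illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not captured traffic):
# (timestamp_seconds, src_ip, dst_ip, tcp_flag). A SYN that is never
# followed by an ACK from the same source is a half-open connection.
def build_sample_flows():
    flows = []
    t = 0.0
    # Legitimate but busy client: 8 SYNs, only 3 ACKs because the
    # server is slow to answer -> 5 half-open connections.
    for i in range(8):
        flows.append((t, "10.0.0.5", "192.0.2.10", "SYN"))
        t += 0.05
        if i < 3:
            flows.append((t, "10.0.0.5", "192.0.2.10", "ACK"))
            t += 0.05
    # Flooding source: 50 SYNs and no ACK at all -> 50 half-open.
    for _ in range(50):
        flows.append((t, "198.51.100.7", "192.0.2.10", "SYN"))
        t += 0.01
    return flows


def half_open_per_source(flows):
    """Count SYNs minus ACKs for every source address."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for _ts, src, _dst, flag in flows:
        if flag == "SYN":
            syns[src] += 1
        elif flag == "ACK":
            acks[src] += 1
    return {src: syns[src] - acks[src] for src in syns}


def detect_syn_flood(flows, threshold):
    """Return [(src, half_open)] for sources at or above the threshold,
    highest first. The threshold is the administrator's rule."""
    counts = half_open_per_source(flows)
    hits = [(src, n) for src, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    flows = build_sample_flows()
    # Threshold 3 catches the flooder but also flags the busy client
    # (a false positive); threshold 20 flags only the flooder.
    print("threshold 3 :", detect_syn_flood(flows, 3))
    print("threshold 20:", detect_syn_flood(flows, 20))
```

Tuning the threshold is exactly the sysadmin job the notes describe: set it too low and legitimate bursty clients eat up analyst time, set it too high and a slow, low-rate flood slips through.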
SSL Decryptors
malware often
wrapped in encryption
to avoid detection
SSL Decryptor
decrypts it so that NIPS
can see it
this can result in
a bit of a reduction in
performance
where?
usually placed
in the DMZ
SDN
Software Defined Network
A recent development in
networking
more info here if the concept is unclear
https://www.youtube.com/watch?v=2BJyIIIYU8E
uses virtualisation to
separate
the data plane
and control planes
in a network
control plane
intelligence for the routers
including instructions about how to weight services
e.g. should VOIP be prioritised over FTP traffic
Also other instructions for routers
control plane becomes
centralised in one place
that can talk to all routers through software
on those routers. It gives them instructions
data plane
the actual forwarding/blocking
of traffic
This takes place on the
individual router hardware
commonly uses
ABAC Attribute Based Access Control
instead of each router having ACLs
the Control Plane can tell all the routers what
to do with traffic and this can potentially be updated
in real time
Honeypots/Honeynets
https://www.youtube.com/watch?v=1PTw-uy6LA0
fake system
designed to attract
attackers
often left with minimal
security
but
too little security
can make experienced
attackers worried it's a honeypot
will have fake files
maybe even fake credit card numbers for example
why?
either divert attacks
or gain intelligence about attacks
can allow researchers
to spot zero days
Honeypot is one fake system.
Honeynet is a whole fake network
usually built using virtualisation
attacker can't easily
tell if a system is virtual
extra credit
https://www.projecthoneypot.org/
IEEE 802.1X
aka Port Based Network Access Control (PNAC)
https://www.youtube.com/watch?v=G3XJH0xvS1o
What?
Port based
authentication protocol
for wireless
and
wired
requires user to authenticate
when connecting to wireless AP
or physical port
how authenticate?
username/pw combo
or
certificates
why?
blocks rogue APs/devices
connecting to network
implementation
can use authentication server like RADIUS
or Diameter
also authenticates for VPNs
can be combined with a VLAN so authorised users
go to network and unauthorised guests go to VLAN
also uses EAP
components
supplicant (endpoint)
talks to authenticator
authenticator
talks to authentication
server
authentication server
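The three 802.1X roles above, as an added example that is not part of the original notes: a supplicant presents credentials, the authenticator (switch or AP) relays them and keeps the port closed until the authentication server answers, and a failed device is parked on a guest VLAN as the notes describe. The user store, VLAN numbers and port names are constructed for the illustration; a real deployment would use RADIUS or Diameter between authenticator and server and would usually check against a directory rather than a local dictionary.

```python
import hashlib
import hmac
import secrets

# Constructed user store; in production the server consults its own
# database or a directory (LDAP), never the authenticator.
SAMPLE_USERS = {"alice": "correct horse battery staple"}

EMPLOYEE_VLAN = 10   # assumed VLAN ids for the example
GUEST_VLAN = 99


class AuthenticationServer:
    """Models the RADIUS/Diameter role: holds credentials and decides."""

    def __init__(self, users):
        self._store = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
            self._store[name] = (salt, digest)

    def verify(self, identity, password):
        record = self._store.get(identity)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(candidate, digest)


class Authenticator:
    """Models the switch or AP. A port starts 'unauthorized' and only
    relays the supplicant's credentials; the verdict comes from the server."""

    def __init__(self, server):
        self._server = server
        self.ports = {}

    def link_up(self, port_id):
        self.ports[port_id] = {"state": "unauthorized", "vlan": None}

    def authenticate(self, port_id, identity, password):
        if port_id not in self.ports:
            self.link_up(port_id)
        if self._server.verify(identity, password):
            self.ports[port_id] = {"state": "authorized", "vlan": EMPLOYEE_VLAN}
        else:
            # Failed or unknown device: port stays unauthorized and is
            # placed on the guest VLAN so it cannot reach the internal LAN.
            self.ports[port_id] = {"state": "unauthorized", "vlan": GUEST_VLAN}
        return self.ports[port_id]


class Supplicant:
    """The endpoint: it only knows its own identity and credential."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def connect(self, authenticator, port_id):
        return authenticator.authenticate(port_id, self.identity, self.password)


if __name__ == "__main__":
    switch = Authenticator(AuthenticationServer(SAMPLE_USERS))
    print(Supplicant("alice", "correct horse battery staple").connect(switch, "Gi1/0/1"))
    print(Supplicant("alice", "wrong password").connect(switch, "Gi1/0/2"))
```

The point to notice is the separation of duties: the authenticator never holds a password database, so a rogue device plugged into a wall port can only ever reach the guest VLAN until the central server vouches for it.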
Securing Wireless
Devices
Wireless Basics
Wireless APs (Access Point)
connects wireless clients
to the wired network
may have routing capabilities
Fat v Thin
Access Points
Fat
Wireless "routers"
typical Wireless AP is
marketed as a "wireless router"
(strictly speaking it's more than a router)
all wireless "routers"
are wireless APs but
not all wireless APs are
wireless routers
Other Names
standalone AP
intelligent AP
autonomous AP
often has multiple
systems onboard
NAT
DHCP
security options
(e.g. firewall, ACL)
modem
router
switch
implementation
have to be configured
separately from other Fat
APs
Thin
is controller based AP
so not autonomous
so you can
set up and manage
multiple APs from
one place
also seen in small offices
and home networks but rarer
in these places
a fat AP often controls
the thin APs
usually has a wired port
"Ad hoc" mode
aka Peer to Peer
when you connect two
wireless devices
without
using a wireless AP
not all devices
can do this
Latin for "as needed"
in contrast to
"infrastructure mode"
which uses APs
Bands/Channels
2.4GHz v 5GHz
actually multiple channels
starting at 2.4 and 5
exact number of channels
varies by country
2.4 band much more
crowded
Standards and Protocols
IEEE - Institute of Electrical
and Electronics Engineers has the 802.11 group of protocols/standards
e.g
802.11b
802.11g
802.11n
802.11ac
SSIDs
Service Set Identifiers
name of the wireless network
changing name from default (e.g. Linksys343)
gives attacker less info on network
e.g. Linksys343
lets attacker know it's
Linksys and so may
target Linksys vulnerabilities first
disable SSID broadcasts?
no this is security theatre.
The SSID can still be found easily
with protocol analyser
Enabling MAC filtering
MAC Media Access Control
Addresses are usually six pairs of
hexadecimal characters like
00-16-EA-DD-A6-60.
Every NIC (Network Interface Card)
has one
problem
attacker can see which MACs are allowed and can easily spoof them
ability to do this
is native on most OSs
can be used to restrict access just like on switches
Antenna and Placement
omnidirectional
most common
transmit and receive in all directions
directional
more range than
omnidirectional
transmits and receives in one direction
sometimes used to connect two buildings
if using two antennas, put one vertical
and one horizontal
site survey
done before to check for issues
like devices on same frequency
or rogue APs
often repeated
look for rogue APs
check signal good enough
for everyone. If not move
Power and Signal
some APs allow
you to modify the transmit power
might want to reduce
to limit range within the office
so people can't hack
from parking lot
Wireless Security Protocols
https://www.youtube.com/watch?v=DspgyuedICM
Why?
Because wifi packets
travel through air and
can be easily intercepted
WPA
Wi-Fi Protected Access
interim replacement
for WEP
didn't require
users to upgrade hardware
vulnerability to
password-cracking
especially if weak passphrase
authentication packets
captured and then brute forced
offline
encryption protocol
TKIP
Temporal Key
Integrity Protocol
is deprecated
WEP
Wired Equivalent Privacy
super vulnerable
do not use. :warning: Can be hacked in seconds
WPA2
replaces WPA
has stronger cryptography
Wi-Fi certified stickers
anything with WI-FI certified sticker
is required to meet WPA2 standards
including CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
enterprise mode
allows authentication
unlike WPA2-Personal
users must authenticate
with unique credentials
uses 802.1x server
often implemented as
RADIUS or Diameter
all attempts to authenticate
are redirected to this server
which then tells the AP whether to give access
configuration
requires IP of the
802.1x server
often RADIUS
requires RADIUS (if using) port
default is 1812 but
some vendors differ like
1645
use the port the 802.1x server is using
Shared secret
like password
enter as used on RADIUS server
Authentication Protocols
(used by 802.1x server)
Remember which support
or requires certificates!
EAP
Extensible
Authentication
Protocol
allows two systems to agree
on an encryption key
PMK (Pairwise Master Key)
key is then
used to encrypt traffic
between the systems
used by both TKIP
and CCMP
EAP-FAST
(Flexible Authentication
via Secure Tunnelling)
made by Cisco as secure replacement
for LEAP
(Lightweight EAP)
supports optional
certificates
PEAP
(Protected EAP)
puts EAP in TLS tunnel
(so encrypted)
requires certificate on server
but not clients
common implementation
with MS-CHAPv2
EAP-TTLS
EAP Tunneled TLS
extension of PEAP
allows systems to use
older auth methods like PAP within TLS tunnel
requires certificate on server but not clients
EAP TLS
one of most secure and
most implemented
main difference with PEAP is that EAP TLS
requires certificates on server and clients
RADIUS Federation
a federation is two or
more entities that share the
same identity management system i.e. SSO (Single Sign On)
like when you 'log in with twitter'
Covered elsewhere in Security +
encryption protocol
CCMP
Cipher Block Chaining
Message Authentication
Code Protocol
replaces TKIP
based on AES
Advanced Encryption Standard
What is 'Open Mode'
Anyone and everyone can connect
no authentication
or authorisation challenge
usually seen in security settings as "None"
some public
networks will
use captive portal
to authenticate
Understanding Wireless
Attacks
Disassociation Attack
disassociation frame
with spoofed client MAC sent
to AP
AP receives frame
and shuts down connection
removes client from network
client then
needs to reauthenticate
real world use?
previously used by hotels
against hotspots
before they were fined!
WPS Attacks
Wi-Fi Protected Setup
https://www.youtube.com/watch?v=drHyM--ZY5c
WPS lets you
connect by pressing button
or by entering a PIN
The PIN can be
easily brute forced
in hours if you avoid the slowdown function
otherwise days/weeks
once it gets
the PIN it can get
the passphrase
in WPA and WPA2 networks
best practice is disable this
https://www.youtube.com/watch?v=XqAn2iR9Cc0
Rogue Access
Point (AP)
AP placed in network
without authorisation
maybe by employee
trying to bypass security
or by attacker
employee may
have misconfigured
attacker could use to
sniff and then broadcast to
car park or could use it
to connect to wired network
Need to physically
secure wireless closets
and physically disconnect any found rogues
Evil Twin Attacks
Rogue Access Point with
same or very similar SSID
People connect to the
Evil Twin which can
then collect data including
authentication details
easy to set up with
any laptop with WiFi card
hence hacker looks
like any other user
Or could be set up off premises but nearby
e.g. in parking lot
How to protect
Site surveys with wireless
scanners
i.e. same protections as against
rogue APs
https://www.youtube.com/watch?v=wqq_uWVqFso
Jamming Attacks
attacker creates noise
or alternative signal on same frequency
as wifi network
degrades performance and
stops users from connecting to
wifi network
attacker needs to be close by
protection
switch channels
problem is the attacker
can also switch channels
increase power level of AP
may help
basically a Denial of Service Attack
can be unintentional
e.g. microwave
IV Attacks
Initialization Vector
tries to find PSK
from the IV
often uses packet
injection technique
What's an IV
a number
sometimes combined with PSK
to encrypt data in traffic
attack succeeds when
encryption system reuses an IV
reuse happens on WEP because
the IV is only a 24 bit number
this means WEP can
often be cracked in
less than a minute
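To show why IV reuse is fatal for any stream cipher, not just WEP, here is an added example (not from the book) using a stand-in keystream generator built from SHA-256 in place of WEP's RC4. Two frames encrypted under the same key and IV leak the XOR of their plaintexts, and a 24-bit IV space is so small that randomly chosen IVs are expected to repeat after only a few thousand frames (birthday bound). The key, IV and messages are constructed for the illustration.

```python
import hashlib
import math


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in stream cipher: expands (iv || key) with SHA-256 in counter
    mode. WEP uses RC4 here, but the IV-reuse problem is identical for any
    stream cipher: same key + same IV -> same keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leak_from_iv_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 were produced with the same key and IV, the keystream
    cancels out: c1 XOR c2 == p1 XOR p2, so a known p1 reveals p2.
    With distinct IVs the result is just noise."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def expected_frames_until_iv_repeat(iv_bits: int) -> int:
    """Birthday bound: roughly sqrt(pi/2 * 2^bits) random IVs are sent
    before the first repeat. For WEP's 24 bits that is about 5,100 frames;
    for CCMP's 48-bit packet number it is in the tens of millions."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))


if __name__ == "__main__":
    key = b"constructed-psk"
    iv = (0x1234).to_bytes(3, "big")           # 24-bit IV like WEP
    p1, p2 = b"GET /index.html", b"secret message!"
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)   # same IV reused
    print(leak_from_iv_reuse(c1, c2, p1))      # recovers p2
    print(expected_frames_until_iv_repeat(24), expected_frames_until_iv_repeat(48))
```

This is the whole reason the notes say "do not use" for WEP: on a busy network the 24-bit IV repeats within minutes, and every repeat hands out a keystream relationship for free. CCMP's 48-bit per-packet number is large enough that a repeat never happens within a key's lifetime.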
NFC
Near Field Communication
attacks
attacker uses
NFC reader to
intercept data
from other devices
eavesdropping
intercepts data between
two devices
more advanced attacks
have been combined
with trojans on targeted
device
NFC is built on RFID
they have similar problems
replay
jamming
MiTM
https://www.youtube.com/watch?v=ofTKPoLOxnA
Bluetooth Attacks
Bluejacking
sending unsolicited messages
to Bluetooth devices
Bluetooth standard has been updated so this isn't possible now
Bluesnarfing
theft of information
from a Bluetooth device
can access email,
contact lists, calendars, text messages
tools used in attack
hcitool
obexftp
rare today
because pairing usually
requires manual approval now
Bluebugging
phone can call
attacker at any time
and act like bug
Wireless Replay Attacks
attacker captures data,
modifies and replays it
in order to impersonate
WPA2 not vulnerable
but WPA is because of
TKIP vulnerability
https://www.youtube.com/watch?v=GXck1pf7-KE
RFID
Radio Frequency ID
RFID system involves
reader and tags
used to track and manage
inventory
some tags are as
small as a grain of rice
they don't have a power
source
Sniffing
Data goes through
air so can be captured.
attacker needs to know
frequency and protocols used
Replay
e.g. copying a tag
so that a stolen item doesn't
seem stolen
DoS
if frequency is known
then attacker can flood it with signal/noise
encrypted
but a lot of encryption keys
found via googling
Using a VPN
https://www.youtube.com/watch?v=tuVwJsFJtr8
What
allows a user to access
private network via a
public network
Data is sent in encrypted tunnel
can create by enabling
services on a regular server
server requires two NICs
VPN
Concentrators
https://www.youtube.com/watch?v=tj0gxuTP2QM
Dedicated device for
VPN
why?
all the encryption is
very CPU intensive
where
typically put in the DMZ
so has a public IP
would get and give traffic to the firewall
between the DMZ and internet
Authentication
VPN would use a RADIUS
server for this to which it would
send credentials
RADIUS server either
has user databases to check
against or forwards to a server (e.g. LDAP) that does
Tunnelling Protocols
IPSec
tunnel mode
encrypts the entire
IP packet
used by VPNs on open
internet
Transport mode
only encrypts payload
used only within private networks
IPsec provides both
authentication and encryption
Authentication
has Authentication Header (AH)
to allow everyone to authenticate
everyone else
IPsec uses Internet
Key Exchange (IKE)
over port 500 to authenticate
clients
IKE creates
security associations (SAs)
for VPN and uses these to set up
secure channel between client and
VPN server
Encryption
uses Encapsulating Security Payload
ESP to encrypt data.
ESP includes AH
TLS
some tunnelling
protocols use
TLS to secure
VPN traffic
e.g. Secure Socket
Tunneling Protocol (SSTP)
uses TLS
used by VPN
applications like
OpenVPN
and OpenConnect
Remote Access VPNs
Split Tunnel v
Full Tunnel
Full Tunnel
all traffic goes through the VPN
can be slower
than split tunnel
Split Tunnel
some traffic goes through VPN
some traffic goes directly to internet
Network Access Control
(NAC)
what?
runs health checks
on systems before they connect to
network
why?
if devices can connect
remotely then these may be BYOD
devices and might have malware or
other problems that could spread to
network
Host health checks
often include
up to date antivirus?
Up to date definitions?
Up to date OS?
Firewall enabled?
if health check failed
client sent to remediation
network (aka quarantine)
remediation network
contains resources for
client to repair themselves
e.g. approved patches
can also be run on
clients already on network
False positives
a possible problem
will kick a client
off network
can also be
used on network
without VPN
e.g. checking clients that
plug into a wall port
Permanent v
Dissolvable NAC
Permanent always installed on
client
Dissolvable is downloaded as needed
they remove themselves
when not needed
often used on mobile BYOD
sometimes called Agentless capability
(misnomer)
Authentication
https://www.youtube.com/watch?v=20X8WVwvUh4
https://www.youtube.com/watch?v=JynPMcC4XmI
PAP - Password
Authentication Protocol
Used with PPP
Point to Point Protocol
Sends passwords in cleartext
over the network :warning:
so avoid using
and if you have to, use it with
a protocol that provides encryption
was primarily used with dial up
uses a password or pin
CHAP
Challenge Handshake
Authentication Protocol
like PAP it is used
with PPP
more secure than PAP
allows client to pass credentials
safely over public network
client and server know
shared secret but client
hashes it after combining with
a nonce
three way handshake
1 After link established server
sends challenge message
2 client responds with a password
hash
3 server compares received hash with
stored hash
can happen periodically
vulnerable due to use of the DES protocol :warning:
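The three-way CHAP handshake above, as an added example that is not from the book: the server issues a random challenge with an identifier, the client returns MD5(identifier || shared secret || challenge) as RFC 1994 specifies, and the server recomputes the same value from its copy of the secret and compares. The shared secret never travels over the link, and because each challenge is retired after one use, a captured response cannot be replayed against a later challenge. Usernames and secrets are constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)   # constructed shared secrets
        self._next_id = 0
        self._open = {}   # chap_id -> challenge still awaiting a response

    def challenge(self):
        """Step 1: after link establishment, send a fresh random challenge
        together with a rolling 8-bit identifier."""
        chap_id = self._next_id & 0xFF
        self._next_id += 1
        nonce = secrets.token_bytes(16)
        self._open[chap_id] = nonce
        return chap_id, nonce

    def verify(self, chap_id, username, response):
        """Step 3: recompute the hash from the shared secret and compare.
        The challenge is consumed whether or not the response was valid,
        so a replayed response can never match a later challenge."""
        nonce = self._open.pop(chap_id, None)
        secret = self._secrets.get(username)
        if nonce is None or secret is None:
            return False
        expected = chap_response(chap_id, secret, nonce)
        return hmac.compare_digest(expected, response)


class ChapClient:
    def __init__(self, username, secret):
        self.username, self.secret = username, secret

    def respond(self, chap_id, nonce):
        """Step 2: hash the secret with the nonce; only the hash goes on the wire."""
        return self.username, chap_response(chap_id, self.secret, nonce)


def run_chap(server, client) -> bool:
    """One full handshake; call it again for the periodic re-authentication
    the notes mention."""
    chap_id, nonce = server.challenge()
    username, response = client.respond(chap_id, nonce)
    return server.verify(chap_id, username, response)


if __name__ == "__main__":
    srv = ChapServer({"alice": b"constructed-shared-secret"})
    print(run_chap(srv, ChapClient("alice", b"constructed-shared-secret")))  # True
    print(run_chap(srv, ChapClient("alice", b"wrong-secret")))               # False
```

Note that the server needs the secret itself (or something equivalent) to recompute the hash, which is why CHAP cannot be backed by a store of one-way password hashes; that design limitation is part of what motivated EAP methods that carry authentication inside a TLS tunnel.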
RADIUS
Remote Access
Dial In User Service
centralised authentication service
so VPN servers can forward authentication
requests to a RADIUS server
this centralisation
reduces labour
(imagine changing stored credentials
on many servers)
usually RADIUS server won't
store credentials though and will
leave this to a LDAP server
can be used as a 802.1x server with WPA2 Enterprise mode
uses UDP mostly
only encrypts the password
created before EAP
but can work with some EAP flavours
an AAA
protocol
Diameter
extension of RADIUS
"twice as good"
because diameter = 2 x radius
backwards compatible with RADIUS
there's an upgrade path from RADIUS to
diameter
plays nicer with EAP
Uses TCP instead of UDP
(which RADIUS uses)
is an AAA protocol
TACACS/XTACACS/TACACS+
Terminal Access Controller
Access Control System Plus
CISCO alternative to RADIUS
Two improvements over RADIUS
encrypts the whole auth process not just the password
uses multiple challenge and responses between
client and server
TACACS+
can work with Kerberos
allows Cisco VPN
concentrator to work in a MS Active
Directory environment
most modern version
provides AAA services
not backwards compatible with older versions of TACACS
added more authentication requests and response codes
uses TCP
used to authenticate network
devices
devices must be TACACS enabled
TACACS server does the authentication
TACACS
used on original ARPAnet!
XTACACS
Cisco version of TACACS
added accounting and auditing
MS CHAP
and
MS CHAPv2
MS-CHAPv2 allows
mutual
authentication of client and server
reduces chances of authenticating
to rogue server
built by MS as
improvement over CHAP
for MS clients
vulnerable due to use
of the DES protocol! :warning:
Site to Site
VPNs
two VPN servers
that connect two
physically separated networks
through the internet
Always On
VPN
remote access VPNs
instead of user
initiating connection with
VPN this happens automatically
when the endpoint connects to internet
authenticates in the background
site to site VPNs
the two VPN Servers
always maintain the connection