CSNT 181 Chapter 6
IP addressing schemes are used to assign IP addresses to devices so that the address alone tells you something about the host; when you review network logs you can quickly tell whether an IP address represents a client, server or router.
1. X.X.X.1 - Router 2. X.X.X.20-50 - Servers 3. X.X.X.101-200 - DHCP clients like workstations
File Transfer Protocol
A communications method for transferring data between computers on the Internet. Allows network access to files; not secure, and gradually displaced by SFTP and FTPS. Uses ports 20/21.
PGP (Pretty Good Privacy)
A data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication
Zero Trust
A network security model: even within the perimeter, all traffic is assumed to be hostile until proven otherwise. The protect surface is the critical data, applications, assets, and services; security controls are placed as close to that surface as possible.
Wi-Fi Easy Connect
A new, simple connection protocol for WPA2 and WPA3 networks, designed to overcome the security weaknesses of WPS and streamline the addition of IoT devices to Wi-Fi networks. Each device has a unique QR code; users scan it with a smartphone camera to add the device to the network.
Security Associations (SA)
A policy for a unidirectional flow of data from one point to another, specifying security methods, endpoint addresses and ports. Used between two or more communicating nodes.
Point-to-Point Tunneling Protocol (PPTP)
A protocol that works with PPP to provide a secure data link between computers using encryption. Not very secure.
Virtual Private Networks
A secure connection between two or more computers or devices that are not on the same private network. They serve two functions: enhancing security across public networks, and allowing LAN traffic to be carried transparently across a public network with different protocols or addressing.
NetBIOS (Network Basic Input/Output System)
A session-layer API for network applications rather than an application protocol; used for file and printer sharing as well as computer identification on local network segments. NetBIOS uses TCP and UDP ports 137-139.
Securing IPv6 networks
A significant change for security professionals accustomed to IPv4; it requires new tools and strategies to secure. Tools must be updated to support IPv6.
Wi-Fi Protected Setup (WPS)
A standard included on many WAPs and clients to make secure connections easier to configure. It's an addition to PSK mode that allows the key to be shared with a new device by other methods, such as a PIN. The PIN is easily cracked by brute force, so WPS is not recommended.
Simultaneous Authentication of Equals (SAE)
A strong authentication method used in WPA3 to authenticate wireless clients and APs and to prevent dictionary attacks for discovering pre-shared keys. Uses the improved Dragonfly handshake, a Diffie-Hellman key agreement that provides forward secrecy.
HTTP/HTTPS
Commonly used to provide a web-based control panel for a network device or service.
Host-to-site VPN
Allows a single computer to join a trusted network remotely, also known as remote access. It can take the place of older dial-in technologies.
SNMP (Simple Network Management Protocol)
An Application-layer protocol used to exchange information between network devices such as routers and switches. Uses UDP ports 161 and 162. SNMPv3 adds security.
Wired Equivalent Privacy (WEP)
An IEEE 802.11 security protocol designed to ensure that only authorized parties can view transmitted wireless information. WEP has significant vulnerabilities and is not considered secure. Used the RC4 stream cipher.
captive portal AP
An infrastructure on public access WLANs that uses a standard web browser to provide information, and gives the wireless user the opportunity to agree to a policy or present valid login credentials to provide a higher degree of security.
VNC - Virtual Network Computing
An open set of standards based on the Remote Frame Buffer (RFB) protocol. Like RDP, VNC allows you to access a complete graphical desktop, but it directly shares input and output rather than creating a remote user session, which makes it useful for screen sharing.
WPA-Enterprise / WPA-802.1X
Authenticates users individually with an authentication server (e.g., RADIUS). Once clients are authenticated, they get full network access. Clients can authenticate once, then remain joined to the network regardless of which AP they are nearest to. Wi-Fi roaming works best with thin APs or controllerless APs designed to operate as part of a more extensive network.
IPsec traffic
Both AH and ESP carry data protected by IKE's keys. Since they offer different services, they can be combined, but since they also have a lot of overlap, it's more common to pick just one for performance reasons. Both protocols can operate in two modes: tunnel or transport.
Since IPsec provides tunneling and the entire CIA triad, there are clients that use it as a complete VPN solution.
Combining with L2TP improves compatibility with many networks and older operating systems especially when using older IKE implementations.
Network Configuration Management
The core is documentation; ensure the following are up to date: 1. Physical/logical diagrams of the network 2. Lists of hardware and software network assets, including MAC addresses 3. Assigned and available IP addresses 4. Internal operating policies and procedures
HTTP vs. HTTPS
Data transmitted using HTTP may be visible to a man in the middle because it is not encrypted, whereas HTTPS is encrypted, so even if the data is intercepted it won't be decipherable. Syntax and function are exactly the same; the difference is that in HTTPS the browser and server both pass HTTP traffic through TLS.
Network Security Posture
Design it based on a strong understanding of the technical details of network devices, protocols, and attack types. Maintain the network configuration through: 1. Network documentation 2. Constant security monitoring and analysis of security logs 3. Regular vulnerability assessments 4. Security audits
AH vs ESP
ESP is more computationally expensive because you're encrypting the entire payload. AH uses a single Authentication Header, which contains protocol configuration data as well as an ICV hash. ESP is more popular because it provides both data confidentiality and integrity.
Security Audits
Elements of a security audit include: 1. Scan to find undetected security issues 2. Review security logs 3. Review incident response reports 4. Review user and administrator activities to verify compliance with network policies 5. Review user permissions to minimize potential unauthorized access 6. Review device/application installation
Wireless Encryption
Encrypts all data that passes over the network, but it's local rather than end to end. Note that while frame payloads themselves are encrypted, the Layer 2 header is not; this means that all connected MAC addresses, as well as the network SSID, are readable to an eavesdropper.
Transport mode (IPsec)
Encrypts only the payload; commonly used in private networks, but not with VPNs.
Encapsulating Security Payloads
Encrypts the packet payloads along with integrity and authentication information.
Hardening Network Hosts and Applications
Establish onboarding and offboarding procedures for devices added to or removed from the network, and ensure that devices are joined only to appropriate network segments.
Securing Internal Network Infrastructure
Even a relatively low-security network should still have some measure of internal security.
VPN protocols include:
Generic Routing Encapsulation (GRE) - Encapsulates almost any L3 protocol in a virtual point-to-point link. It's used for tunneling, but has no other VPN functions on its own.
host-to-host VPN
Joins two computers as though they were directly wired together. Mirrors the ways you can use a traditional Point-to-Point Protocol connection.
Securing Network Data
Just connecting a system with sensitive data to the network makes the data vulnerable to attackers.
Network Security Troubleshooting
Keep an eye out for changes and unusual network behaviors. 1. Consider malicious action when you encounter connectivity issues, performance problems or unusual user behavior. 2.
IPsec can provide end-to-end L3 security on any IP network.
Like VPNs, it can be used to protect traffic host-to-host, host-to-network, or network-to-network. IPsec consists of 3 protocols (IKE, AH, ESP), all based on the idea of security associations between 2 or more communicating nodes.
Broadcast Domain
Logically grouped network nodes that can communicate directly via broadcast transmissions. By default, switches and repeating devices, such as hubs, extend broadcast domains. Routers and other Layer 3 devices separate broadcast domains.
Remote Desktop (RDP)
A Microsoft-proprietary remote access method that provides encryption and authentication and allows you to log into a complete Windows desktop over the network. Uses port 3389.
Secure Socket Layer
Along with its successor, Transport Layer Security, the most widespread standard for securing the upper layers of the network (Layer 5 - Session or Layer 6 - Presentation). They lie somewhere between the application protocols themselves and the Transport-layer protocols used by the TCP/IP stack.
Air Gap
No connectivity to external systems; allows no physical-layer connection, including wireless, to untrusted networks. VLANs can emulate an air gap by giving no path into or out of an isolated network, but this method is still subject to some attacks. Vulnerable to removable storage.
High volume servers can benefit from TLS accelerators
Offloading encryption to specialized devices takes stress off the server.
Implementing a cryptosystem is prone to error, so most clients/servers rely on third-party TLS libraries to perform these functions.
OpenSSL is a general-purpose library; its centerpiece is an API developers can use in their applications to perform the following: store/verify certificates and signatures; key generation and encryption for public and secret keys; create self-signed certificates; establish a private root.
DHCP
Operates on UDP port 67 for servers and UDP port 68 for clients. No inherent security, so it is easy for attackers to deploy rogue DHCP servers to enable attacks; counter this with the DHCP snooping feature.
Microsegmentation
Part of a zero-trust strategy that breaks LANs into very small, highly localized zones using firewalls or similar technologies. At the limit, this places a firewall at every connection point.
Placing wireless networks
Place WAP antennas as close as possible to the center of the coverage area but distant from outside walls or low-security areas.
Most secure way to separate broadcast domains
Place each on its own switch and then separate them with routers or firewalls. Using VLANs to logically separate traffic on a switched network provides more flexible segmentation. It's best practice for each broadcast domain to correspond to a single subnet.
Securing Routing and Switching
A prime target for DoS, DNS poisoning and ARP poisoning. Most protocols for routers and switches were not designed with security in mind.
Authentication Header (AH)
Provides data integrity and source authentication through cryptographic hashes of the packet contents and source identity.
IKEv2/IPsec
Provides similar functionality to L2TP/IPsec while offering higher performance and better firewall traversal.
SSH uses public keys to authenticate connections.
Relies on users to manually verify each other through an out-of-band public key exchange before creating a client-server connection for the first time. SSH can be used as a tunneling protocol to carry a w
Protocols used to share files and media over a network
SMB (Server Message Block) allows folders or hard drives to be shared over a network on TCP port 445; a version of SMB is called CIFS, and the Linux implementation is called Samba.
Secure Shell
SSH has encryption, authentication, and tunneling features that can be used as a limited VPN for port forwarding or tunneling a single application at a time.
HTML5 (Clientless VPN)
SSL/TLS can provide tunneling, strong encryption, and certificate-based authentication. An HTML5 web application executes entirely within the browser: a remote user can log into the enterprise NGFW via a web portal, then access the intranet via a browser-based TLS tunnel.
S/MIME
Secure/Multipurpose Internet Mail Extensions. Used to secure e-mail. S/MIME provides confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt e-mail, including the encryption of e-mail at rest (stored on a drive) and in transit (data sent over the network). It uses RSA, with public and private keys for encryption and decryption, and depends on a PKI for certificates.
Wi-Fi Protected Access (WPA)
Supports AES encryption; encrypts traffic using Temporal Key Integrity Protocol (TKIP), which uses a 128-bit encryption key, a more secure IV and a 64-bit MIC. TKIP isn't as weak as WEP, but AES is better.
Cipher suites - several algorithms used within a single protocol
A TLS session requires a public-key cipher for key exchange, a symmetric cipher for bulk encryption, a hashing algorithm to validate certificates, and a pseudorandom number generator to create session keys and nonces. During a session both parties have to use cipher suites that match each other's entirely.
There are many remote access protocols with varying levels of security; be aware of the individual security risks.
Telnet allows a command-line terminal interface with a remote system over TCP port 23, with no security. rlogin is similar; don't use either.
L2TP/IPSec
The most secure VPN tunneling protocol; it can use certificates, Kerberos authentication, or a preshared key. Provides both a secure tunnel and authentication. Used by major VPN vendors such as Cisco, Microsoft, SonicWall, and Checkpoint.
Remote Browser Isolation
The user's local browser is nothing more than a streaming connection to a cloud-based container that runs a web browser. The endpoint does not trust any websites or handle any external content; when the session is over, the container is destroyed. Malicious websites never have an opportunity to compromise the endpoint.
Categorize VPNs by just what network communications are sent through the tunnel
Traditional VPN connections are what is called full-tunnel connections: all your network traffic is routed through the VPN tunnel. Secure, but some traffic doesn't need to go to your network, and carrying it slows the tunnel.
Common Network Services
Typical enterprise networks rely on many protocols for vital services; secure alternatives can replace insecure protocols.
DNS
UDP port 53 for client-server and TCP port 53 for server-server. No inherent security; susceptible to DNS poisoning attacks that fill the cache with false information. Counter with DNSSEC extensions, which authenticate responses with cryptographic signatures, or with DNS-over-TLS or a VPN.
Network Segmentation
Use a defense-in-depth strategy where security is applied throughout the entire organization. Break the network into multiple zones and control how each zone talks to another.
Secure File Sharing
Use group policies to ensure all hosts use the same requirements. This includes enabling signing and encryption and disabling insecure authentication methods. Use only Kerberos authentication or NTLMv2.
Securing Segmented Networks
Use stricter isolation for segments with legacy devices and applications that are likely to use insecure protocols or have unpatched vulnerabilities.
Internet Message Access Protocol (IMAP)
Used just like POP3 but supports more advanced features. The insecure version is on port 143, and SSL/TLS on port 993.
Real-time Transport Protocol (RTP)
Used to stream audio and video over networks; insecure.
SSL/TLS (Client-based)
VPN clients can use SSL/TLS to tunnel the entire IP stack; the result is a robust and secure alternative to L2TP/IPsec with higher performance.
Pre-shared Key (PSK)
WPA-Personal; fine for small networks, but all users have the same key, so if it is compromised all users have to change the key.
Remediation Policy
When vulnerability scans show the state of the network doesn't meet the baseline, the remediation policy allows you to classify the severity of the problem and formulate a suitable response plan.
SSL and TLS use certificate-based authentication, then perform a key exchange to set up a symmetrically encrypted communication session that lasts until the connection is broken.
When you connect to an SSL-secured website, the server's certificate allows your browser to authenticate that the server is genuine. SSL/TLS can perform two-way authentication where both the client and server must have a certificate to present to the other.
Securing Wireless Access Points
Wi-Fi networks with weak security should be kept on the perimeter network, as should those available to guests and the general public.
There are 3 available encryption standards on modern Wi-Fi networks
Wired Equivalent Privacy (WEP), WPA2, WPA3
Transport Layer Security (TLS)
A cryptographic protocol that ensures data security and integrity over public networks, such as the Internet. Supports newer encryption standards and fixes security issues. Public-key certificates are generically called SSL certificates even when they're not used for SSL at all.
Network File System (NFS)
A protocol that supports file sharing from UNIX and Linux operating systems. It allows multiple clients to mount a file system shared by a remote server. NFS uses port 111 or 2049.
Post Office Protocol version 3 (POP3)
A protocol used by servers to send mail to clients. The insecure version uses TCP port 110, and TCP port 995 is used for SSL/TLS.
Trivial File Transfer Protocol
A simplified version of FTP for very lightweight applications, most commonly used by hosts and devices configured to boot from the network. No security features; don't use it over untrusted networks. Uses port 69.
Email is only secure in transit, not while on the server; use encryption or a digital signature for the contents of the email
As long as the clients support the method used, it doesn't matter what security measure is used in transit. There are 2 primary standards for securing email.
Always-on VPN
Automatically detects when a device connects to an untrusted network and establishes a VPN connection.
Site-to-site VPN
Connects two trusted networks over an untrusted one. It can take the place of older leased-line WAN connections.
Baseline configuration
Describes initial settings and expected functions, including the security settings that later monitoring/assessments can be compared against.
IPSec tunnel mode
Encrypts the entire IP packet used in the internal network. Popular for site-to-site configurations, and allows IPsec to be a complete VPN solution. Comes at the cost of increased overhead and a chance of packet fragmentation.
IKE negotiation
Functions to negotiate and maintain SAs, creating tunnels that carry AH and ESP traffic. The entire IPsec process uses cryptographic tools for several purposes, and there are multiple options for each.
Sometimes SSL/TLS encryption is undesirable in a trusted network
It can impair traffic monitoring, so place SSL decryptors on network boundaries to open and inspect TLS traffic.
Split-tunnel VPN
Like a router, the VPN reads the destination of each packet, then decides whether to send it through the tunnel or over the open internet connection. Not compatible with all clients or network configurations, and not helpful if you want to protect all traffic.
Lightweight Directory Access Protocol
Manages distributed directory information services across a network. Allows clients to query a central network database for user accounts, printers, and other network resources. Isn't secure, so use LDAP over SSL (LDAPS). LDAP uses TCP port 389; LDAPS uses TCP port 636.
WPA2
Mandatory support of AES; allows TKIP as an option.
Lightweight Extensible Authentication Protocol (LEAP)
Adds individual credentials and mutual authentication to WEP, and enables dynamic encryption keys for WEP. There are more secure replacements.
IKE (Internet Key Exchange)
Negotiates and authenticates SAs between two hosts and exchanges encryption keys to set up a secure channel.
WPA authentication
Initially offered 3 methods for authentication and key distribution; 2 more were added later with WPA3.
East-west segmentation
Rarely monitored or restricted, but the volume of traffic is increasing; use microsegmentation and/or zero trust.
Secured Email
Securing and authenticating email is historically tricky. SMTP supports operation over SSL/TLS in one of two modes: 1. Implicit TLS initiates the connection with a TLS certificate 2. STARTTLS begins the connection in plaintext and upgrades to TLS if possible. SMTP is used by clients to send mail to servers on TCP port 25.
Secure Real-time Transport Protocol (SRTP)
A security extension to RTP.
Each OSI layer has its own set of roles and protocols
Security isn't tied to any particular layer; you could apply encryption at every layer, but it would damage compatibility and performance.
VLAN
The simplest way to partition broadcast domains is by placing a router between two switches, but this is not always efficient.
Collision Domain
The smallest network segment; no real privacy without individualized encryption.
WPA3
Supports 192-bit AES encryption with 256-bit Galois/Counter Mode Protocol. Enables personalized authentication on open Wi-Fi networks, making eavesdropping more difficult on public hotspots.
Network Time Protocol (NTP)
Synchronizes clocks between network devices; used to keep accurate system logs, etc. Susceptible to DoS or MitM attacks; requires updated software and secure configuration of time services. Uses UDP port 123.
If you're not a software developer, you can interact with the API using the openssl command
Use it to create keys/hashes, verify hashes or certificates, determine what versions of SSL a web server supports, or password-encrypt a file.
SSH - Secure Shell
Uses port 22; allows stronger authentication and encrypted transmission than rlogin or telnet.