Chapter 3 - Network and Security Components, Concepts and Architectures
Advantages and Disadvantages of using DMZ
Adv: - Allows controlled access to publicly available servers - Allows precise control of traffic between the internal, external and DMZ zones Disadv: - Requires additional interfaces on the firewall - Requires multiple public IP addresses for servers in the DMZ
DAM Log-based model
Analyzes and extracts information from the transaction logs.
DAM Interception-based Model
Watches the communication between the client and the server
Advantages and Disadvantages of Firewall Types ( Packet filtering, Circuit level, Application level, Kernel proxy)
1- Packet-filtering firewall Adv: -Best performance Dis: - Cannot prevent IP spoofing, Attacks that are specific to an application, attacks that depend on packet fragmentation, attacks that take advantage of the TCP handshake 2- Circuit level: Adv: - Secure addresses from exposure - Support a multi-protocol environment - Allow for comprehensive logging Disadv: - Slight impact on performance - May require a client on the computer (SOCKS proxy) - No application layer security 3- Application level proxies Adv: - Understand the details of the communication process at layer 7 for applications Disadv: - Big impact on performance 4- Kernel Proxy Firewalls Adv: - Inspect the packet at every layer at the OSI model Disadv: Don't impact performance as do application layer proxies
Typical placement of firewall types
1- Packet-filtering firewall: Location between subnets, which must be secured 2- Circuit-level proxies: At the network edge 3- Application level proxies: Close to the application server it is protecting 4- Kernel proxy firewalls: Close to the systems it is protecting
2 main categories of NIDS
1- Signature Based IDS - Pattern-Matching - Stateful-Matching 2- Anomaly-based IDS - Statistical anomaly based IDS - Protocol anomaly based IDS - Traffic anomaly based IDS - Rule or Heuristic based IDS - Application-based IDS
4 Transition Mechanisms from IPv4 to IPv6
1- 6 to 4: This allows IPv6 to communicate with each other over an IPv4 . 2- Teredo: This assigns addresses and creates host-to-host tunnels for unicast IPv6 traffic when IPv6 hosts are located behind IPv4 network address translators (NATs) 3- Dual Stack: This solution runs both IPv4 and IPv6 on networking devices 4- GRE tunnels: Generic routing Encapsulation( GRE) can be used to carry IPv6 packets across an IPv4 network by encapsulating them in GRE IPv4 packets
Network Access Protection(NAP) steps
1- Access requested 2- Health state sent to NPS ( RADIUS) 3- NPS evaluates against local health policies 4- If compliant, access is granted 5- if not compliant, restricted network access and remediation
3 Planes that form the networking architecture
1- Control plane: This plane carries signaling traffic originating from or destined for a router. This is the information that allows routers to share information and build routing tables 2- Data plane: Also known as the forwarding place, this plane carries user traffic 3- Management plane: This plane administers the router
Availability Control Techniques
Redundant Hardware Fault Tolerant Technologies RAID Storage Area Network (SANs) Failover Failsoft Clustering Load Balancing
Telemetry System
Such a system connects RTUs and PLCs to control centers and the enterprise
Advantages and Disadvantages of Network Authentication Protocols (PAPCHAP-EAP!)
UPLOAD PICTURE
World
World
Clues, Mitigation and Typical Sources of Firewall attacks
Clues: Multiple drop/ reject/ deny events from the same IP address Mitigation: Alert sent on 15 or more of these events from a single IP address in a minute Typical Sources: Firewall, Routers, Switches
Shortening the representation of IPv6 address
Given the following IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 Following rules can be applied: 1 - Leading zeros in each section can be omitted, but each section must be represented by at least one character, unless you are making use of the rule number 2. Resulting IPv6 address will be: 2001:0db8:85a3:0:0:8a2e:0370:7334 2- Another option would be to replace one or more consecutive sections with only 0 with empty section ( double colons) 2001:0db8:85a3::8a2e:0370:7334 3- The second rule can be applied only once within an address. For example, the following IPv6 address, which contains two sets of consecutive sections with all zeros, could have the second rule applied only once. This address: 2001:0000:0000:85a3:8a2a:0000:0000:7334 could NOT be represented as follows: 2001::85a3:8a2a::7334
Port number for HTTP, HTTPS, SHTTP
HTTP : 80 HTTPS: 443 SHTTP: 80
Hello
Hello
Metrics used to measure and control availability
SLA MTBF and MTTR
SAN
Storage Area Networks High capacity storage devices that are connected by a high speed private network, using storage specific switches
Human Interfaces
Such in interface presents data to the operator
SCADA
Supervisory Control and Data Acquisition It is a system operating with coded signals over communication channels so as to provide control of remote equipment It includes: Sensors, Remote Terminal Units (RTUs), Programmable logic controllers (PLCs), Telemetry systems, Human Interface
SSL transport protocol and port number
TCP Port Number: 443
HTTPS transport protocol and port number
TCP Port Number: 443 (uses SSL)
HTTP transport protocol and port number
TCP Port Number: 80
FTP transport protocol and port number
TCP Port Number: 20 and 21
SSH transport protocol and port number
TCP and UDP Port Number: 22
DNS transport protocol and port number
TCP and UDP Port Number: 53
Clustering
THis refers to a software product that provides load balancing services. With clustering, one instance of an application server acts as a master controller and distributes requests to multiple instances using round robin, weighted round robin or a lest-connections algorithm
Stateful firewalls
These firewalls are aware of the proper functioning of the TCP handshake, keep track of the state of all connections with respect of this process, and can recognize when packets are trying to enter the network that don't make sense in the context of the TCP handshake.
Packet-filtering Firewall
These firewalls are the least detrimental to throughput as they only inspect the header of the packet for allowed IP addresses or port numbers. While performing this function slows traffic, it involves only looking at the beginning of the packet and making a quick decision to allow or disallow.
Failsoft
This is the capability of a system to terminate noncritical processes when a failure occurs
Signature Based IDS
This type of IDS analyzes traffic and compares it to attack or state patterns, called signatures, that resides within the IDS database. While this is popular, it can only recognize attacks as compared with its database and is therefore only effective as the signatures provided. Frequent updates are necessary.
Pattern-Matching IDS
This type of Signature Based IDS compares traffic to a database of attack patterns. The IDS carries out specific steps when it detects traffic that matches an attack pattern.
Wireless controllers
Wireless controllers are centralized appliances or software packages that monitor, manage and control multiple wireless access points.
Advantages - Disadvantages of RDP
****Advantages :) - Data is kept in the data center, so disaster recovery is easier - Users can work from anywhere when using RDP in a virtual desktop infrastructure - There is a potential reduction in the cost of business software when using an RDP model where all users are using the same base VM(Virtual Machine) ****Disadvantages :( - Server downtime can cause issues for many users - Network issues can cause problems for many users - Insufficient processing power in the host system can cause bottlenecks - Implementing and supporting RDP requires sold knowledge
Advantages and Disadvantages of SSL
****Advantages: - Data is encrypted - SSL is supported on all browsers - Users can easily identify it( via https://) ****Disadvantages: - Encryption and decryption require heavy resource usage - Critical troubleshooting components( like SQL queries, URL path, passed parameters) are encrypted
Limitations of IDS
- Networks noise limits effectiveness by creating false positives - A high number of false positives can cause a lax attitude on the part of the security team. - Signatures must be updated constantly - There is a lag between the release of an attack and the release of the corresponding signature - An IDS cannot address authentication issues - Encrypted packets cannot by analyzed - In some cases, IDS is susceptible to attacks
Limitations of DAM
- With some solutions that capture traffic on its way to the database, inspection of SQL statements is not as thorough as with solutions that install an agent on the database. Issues may be missed - Many solutions do a poor job of tracking responses to SQL queries - As the number of policies configured increases, the performance declines.
Security features of Wireless Controllers (3)
1- Interference detection and avoidance: This is achieved by adjusting the channel assignment and RF power in real time 2- Load Balancing: Load balancing is used to connect a single user to multiple APs for better coverage and data rate 3- Coverage gap detection: This type of detection can increase the power to cover holes that appear in real time.
802.1x
802.1x is a standard that defines a framework for centralized port-based authentication. It can be applied to both wireless and wired networks and uses 3 components: - Supplicant: User or device requesting access to the network - Authenticator: The device through which the supplicant is attempting to access the network - Authentication server: The centralized device that performs authentication
Advantages and Disadvantages of of NGFWs
>>> Advantages: - Provides enhanced security - Provides integration between security services - May save costs on appliances >>> Disadvantages: - Is more involved to manage than a standard firewall - Leads to reliance on a single vendor - Performance can be impacted
Advantages and Disadvantages of UTM
>>>Advantages: -Lower upfront cost -Lower maintenance cost -Less power consumption -Easier install and configuration -Full integration >>>Disadvantages: -Single point of failure -May lack the granularity provided in individual tools -Performance issues related to one device performing all functions
Pros and Cons of In-Line and Out-Of-Band WAF implementations
>>>In-Line Adv: -Can prevent attacks Disadvantages: - May slow web traffic and could block legitimate traffic >>> Out-Of-Band Adv: - Non Intrusive and doesn't interfere with traffic Disadvantage: -Can't block live traffic
Difference between RADIUS and TACACS+
>>>Transport Protocol: - RADIUS: Uses UDP, which may result in faster response - TACACS+: Uses TCP, which offers more information for troubleshooting >>>Confidentiality: -RADIUS:Encrypts only the password in the access-request packet - TACACS+: Encrypts the entire body of the packet but leaves a standard TACACS+ header for troubleshooting >>>Authentication and Authorization: -RADIUS: combines authentication and authorization - TACACS+: Separates authentication, authorization, and accouting processes >>> Supported Layer 3 Protocols: -RADIUS: Does NOT support: Remote Access Protocol(ARA), NetBIOS, Frame Protocol, Control Protocol, X.25 PAD connections - TACACS+: Supports all protocols >>> Devices: -RADIUS: Does NOT support securing the available commands on routers and switches - TACACS+: Supports securing the available commands on routers and switches >>> Traffic: -RADIUS: Creates Less traffic - TACACS+: Creates more traffic
Dynamic packet-filtering
Although this is not actually a type of firewall, dynamic packet filtering is a process that a firewall may or may not handle. When internal computers are attempting to establish a session with a remote computer, this process places both a source and destination port number in the packet.
Network Authentication Methods (Hint: PAPCHAP-EAP!)
Authentication protocols must be made when creating a remote access solution. They include: 1 - PAP (Password Authentication Protocol): 2 - CHAP ( Challenge Handshake Authentication Protocol) 3- EAP (Extensible Authentication Protocol)
CHAP (Challenge Handshake Authentication Protocol) Context: Network Authentication Methods
CHAP doesn't send credentials. Instead, the server sends a random text (called challenge) to the client. The client encrypts the text with a password and sends it back. The server decrypts the text with same password and compares the result ( the original text it sent). With matching results, the server can be assured that the client has the right password and there will be no need to send it across the network - MS-CHAP v1 . First version of a variant CHAP by Microsoft. It works only with Microsoft devices. - MS-CHAP v2: Update of MS-CHAP.
Clues, Mitigation and Typical Sources of IPS/ IDS attacks
Clues: Multiple drop/ reject/ deny events from the same IP address Mitigation: Alert sent on 7 or more of these events from a single IP address in a minute Typical Sources: IPS, IDS
Clues, Mitigation and Typical Sources of Authentication attacks
Clues: Multiple unsuccessful attempts at logon Mitigation: Alert sent and/or disabling after 3 failed attempts Typical sources: Active Directory, Syslog, RADIUS, TACACS+
DAM
Database Activity Monitors: They monitor transactions and the activity of database services. They can be used for monitoring unauthorized access and fraudulent activities as well as for compliance auditing. They have different architectures: - Interception-based model - Memory-based model - Log-based model
EAP (Extensible Authentication Protocol) Context: Network Authentication Methods
EAP is not a single protocol but a framework for port-based access control that uses the same three components that are used in RADIUS*. A wide variety of these implementations can use all sorts of authentications mechanisms, including certificates, a PKI or even simple passwords. Variants: -EAP-MD5-CHAP: Use the CHAP Challenge process, but the challenges and responses are sent as EAP messages. It allows the use of passwords with EAP. - EAP-TLS: This form of EAP requires a public key infrastructure because it reauires certificates on both server and clients. It doesn't use passwords (immune to password attacks) - EAP-TTLS: This form of EAP requires a certificate on the server only. The client uses a password, but the password is sent within a protected EAP message. *Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.
Load Balancing
Hardware products provide load balancing services. Application Delivery Controllers( ADCs) support the same algorithms but also use complex number-crunching processes, such as per-server CPU and memory utilization, fastest response times, an so on, to adjust the balance of the load. Load balancing solutions are refered to as farms or pools
Switch Spoofing
If your switch is set to either dynamic desirable or dynamic auto, it would be easy for a hacker to connect a switch to that port, set his port to dynamic desirable and thereby form a trunk ( A trunk is a link between switches and routers that carry the traffic of multiple VLANs) All switch ports should be hard-coded to trunk or access, and DTP should not be used.
DMZ
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a usually larger and untrusted network, usually the Internet.
ICS
Industrial Control Systems ICS is a general term that encompasses several types of control systems used in industrial production ( SCADA)
IaaS
Infrastructure as a service With IaaS, the vendor provides the hardware platform or data center, and the company installs and manages its own operatins systems and application systems. With IaaS, customers can benefit from the dynamic allocation of additional resources in times of high activity while those same resources are scaled back when not needed, saving money
MTBF
Mean Time Between Failures Average amout of time between failures during normal operations
MTTR
Mean Time To Repair Average amount of time it will take to get the device fixed and back online
NAC
Network Access Control It is a service that goes beyond authentication of the user and includes an examination of the state of the computer the user is introducing to the network when making a remote access or VPN connection to the network.
NIDS
Network Intrusion Detection System It is a system that is responsible for detecting unauthorized access or attacks. It can verify, itemize and characterize threats from outside and inside the network.
NFGWs
NextGen Firewalls: A category of devices that attempt to address traffic inspection and application awareness shortcomings of a traditional stateful firewall, without hampering the performance.
PAP (Password Authentication Protocol) Context: Network Authentication Methods
PAP provides authentication but the credentials are sent in clear text and can be read with a sniffer
PaaS
Platform as a Service With PaaS, the vendor provides the hardware platform or data center and the software running on the platform including the operating systems and infrastructure software
PLC
Programmable Logic Controllers PLCs connect to the sensors and convert sensor data to digital data. They do NOT include telemetry hardware
RAID 1 Minimal Number of Drives, Strengths and Weaknesses
RAID 1 Minimal Number of Disks: 2 Description : Disk Mirroring Strengths: Very high performance Very high data protection Very minimal penalty on write performance Weaknesses : High redundancy cost overhead because all data is duplicated, twice the storage capacity is required
RAID 3 Minimal Number of Drives, Strengths and Weaknesses
RAID 3 Minimal Number of Disks: 3 Description: Byte-level data striping with dedicated parity drive Strengths: Excellent performance for large, sequential data requests Weaknesses: Not well suited for transaction-oriented network applications the single parity drive doesn't support multiple simultaneous read and write requests
RAID 5 Minimal Number of Drives, Strengths and Weaknesses
RAID 5 Minimal Number of Drives: 3 Description: Block level data striping with with distributed parity Strengths: Best cost/performance for transaction-oriented networks, very high performance and data protection, supports simultaneous Read and Write requests. Weaknesses: Write performance is slower than with RAID 0 and RAID 1
RAID 0 Minimal Number of Drives, Strengths and Weaknesses
RAID0 Minimal Number of Disks: 2 Description: Data stripping without redundancy Strengths: Highest Performance Weaknesses: No Data protection. If one drive fails, all data is lost
Remote Desktop Protocol ( RDP)
RDP is a proprietary Microsoft product that provides a graphical interface to connect to another computer over a network connection. Unlike Telnet and SSH that allow only working from the command line, RDP enable working on a remote computer as if you were actually sitting at its console.
RAID
Redundant Arry of Inexpensive/ Independent Disks RAID is a hard drive technology in which data is written across multiple disks in such way that a disk can fail and the data can be quickly made available by remaking disks in the array without resorting to a backup tape. Common types of RAID: RAID0, RAID1, RAID3 and RAID5
RTU
Remote Terminal Unit RTUs connect to the sensors and convert sensor data to digital data, including telemetry hardware
SSL
Secure Sockets Layer: It is another option for creation secure connections to servers. It works at the application layer of the OSI model. It can be implemented in two ways: - SSL Portal VPN: In this case, a user has a single SSL connection for accessing multiple services on the web server. Once authenticated, the user is provided a page that acts as a portal to other services - SSL Tunnel VPN: A user may use an SSL tunnel to access services on a server that is not a web server. This solution uses custom programming to provide access to non-web services through a web browser
Sensors
Sensors typically have digital or analog I/O and are not in a form that can be easily communicated over long distances
SLA
Service Level Agreement SLAs are agreements about the ability of the support system to respond to problems within a certain time frame while providing an agreed level of service. They can be internal between departments or external with service providers
SDN
Software Defined Network: SDN has been classically defined as the decoupling of the control plane and the data plane in networking. In a conventional network, these planes are implemented in the firmware of routers and switches. SDN implements the control plane software, which enables programmatic access to it.
SaaS
Software as a Service With SaaS, the vendor provides the entire solultion, including the operating system, the infrastructure software and the application. It frees the customer company from performing updates and other maintenance of the applications.
POP3 transport protocol and port number
TCP Port Number: 110
SFTP transport protocol and port number
TCP Port Number: 22 (uses SSH)
SMTP transport protocol and port number
TCP Port Number: 25
Fault tolerant technologies
These technologies are based on multiple computing systems or devices working together to provide uninterrupted access, even in the failure of the one of the systems. (ex: Grip computing and clustering of servers)
Application Based IDS
This is specialized Anomaly Based IDS that analyzes transaction log files for a single application. This type of IDS is usually provided as part of the application or can be purchased as an add-on.
Failover
This is the capacity of a system to switch over to a backup system if a failure in the primary system occurs
Redundant Harware
This technique focuses on providing redundant instances of hardware(such as hard drives and network cards) in order to ensure a faster return to access after a failure. It has the advantage of enabling more availability but it increases the costs
Protocol anomaly based IDS
This type of Anomaly Based IDS has knowledge of the protocols that it will monitor. A profile of normal usage is built and compared to activity.
Statistical Anomaly Based IDS
This type of Anomaly Based IDS samples the live environment to record activities. The longer the IDS is in operation, the more accurate the profile that is built. However, developing a profile that will not have a large number of false positives can be difficult and time consuming. Thresholds for activity deviations are important in this type of IDS. Too low a threshold will result in false positives, while too high a threshold will result in false negatives.
Traffic anomaly based IDS
This type of Anomaly Based IDS tracks traffic pattern changes. All future traffic patterns are compared to the sample. Changing the threshold reduces the number of false positives or false negatives. This type of filter is excellent for detecting unknown attacks. But user activity may not be static enough to effectively implement such a system
Rule or Heuristic Based IDS
This type of Anomlay Based IDS is an expert system that uses a knowledge based, an inference engine and rule based programming. The knowledge is configured as rules. The data and traffic analyzed, and the rules are applied to the analyzed traffic. The inference engine uses its intelligent software to learn. If characteristics of an attack are met, alerts or notifications are triggered. This is often referred to as an if/then, or expert, system.
Stateful-Matching
This type of Signature Based IDS records the initial operating system state. Any changes to the system state that specifically violate the defined rules result in an alert or a notification being sent.
Proxy firewalls
This type of firewall actually stands between an internal-to-external connection and makes the connection on behalf of the endpoints. Therefore, there is no direct connection. The proxy firewall acts as a relay between the two endpoints. They operates at two different layers of the OSI model (Circuit level proxies and Application level proxies)
Kernel proxy firewall
This type of firewall is an exemple of the fifth-generation firewalls. It inspects a packet at every layer of the OSI moel but does not introduce the same performance hit as an application-layer firewall because it does this at the kernel layer. It also follows the proxy model in that it stands between two systems and creates connections on their behalf.
UTM
Unified Threat Management: UTM is an approach that involves performing multiple security functions within the same device or appliance. Functions may include: Network firewalling, network intrusion prevention, Gateway antivirus, Gateway antispam, VPN, Content filtering, Load Balancing, Data Leak Prevention, On appliance reporting
DAM Memory-based Model
Uses a sensor attached to the database and continually polls the system to collect the SQL statements as they are being performed.
VLAN Hopping
VLAN hopping is a computer security exploit, a method of attacking networked resources on a Virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. ( From Wikipedia)
Advantages and Disadvantages of VLANs
VLANS ( Virtual LANs): They are logical subdivisions of a switch that segregate ports from one another as if they were in different LANs. >>> Advantages: - Flexibility: Removes the requirement that devices in the same LAN be in the same location. - Performance: Creating smaller broadcast domains( each VLAN is a broadcast domain) improves performance. - Security: Provides more separation at layers 2 or 3 - Cost: Switched networks with VLANs are less costly than routed networks because routers cost more than switches >>>Disadvantage: - Managerial overhead securing VLANs.
WAF
Web Application Firewall A WAF applies rule sets to an HTTP conversation. These rule sets cover common attack types to which these session types are susceptible. It has two placement options: Inline when it is placed directly behind the firewall and in front of the web server farm. It can be also out-of-band.