IP Network Security Part 2

Wayne M. Pecena, CPBE, CBNE
Texas A&M University
Educational Broadcast Services

Part 2-v2
November 15, 2016


Advertised Webinar Scope

Overview

As broadcast station IP networks have grown and become an integral part of the broadcast technical facility, so have the security threats grown, such that network security is an ongoing essential task for the broadcast engineer with IT responsibilities.

This webinar will build on the security foundation principles presented in Part 1 by focusing on verification of a secure network environment through the use of network penetration tools. Practical penetration test examples utilizing public domain tools such as nmap and the zenmap GUI will be presented.

Webinar Major Topics – Today’s Agenda

• Brief Review of IP Network Security Fundamentals - Part 1 Takeaways

• What Makes a Secure Network?

• Verification of Network Security & Introduction to Penetration Testing
  – Understanding TCP/IP & IP Ports
  – Introduction to nmap
  – Introduction to zenmap GUI
  – Penetration Exploration Examples

• Reference Resources

• Conclusion, Takeaways, & Questions

Brief Review of IP Network Security Fundamentals - Part 1 Takeaways

Cybersecurity

• Cybersecurity is focused upon the protection of computers, networks, programs and data from change, destruction, or unauthorized change.

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.

The general security objectives comprise the following:

• Availability

• Integrity

• Confidentiality

Source: International Telecommunications Union, ITU-T X.1205

Network Infrastructure Threats

• Focus - Protecting the “Network Infrastructure”

• Common Threats:
  – DHCP Snooping
  – ARP Spoofing (IP Spoofing)
  – Rogue Router Advertisements
  – Denial of Service Attacks
  – Application Layer Attacks

• Implementation Considerations:
  – Know Your Enemy
  – Cost
  – Human Factors
  – Understand Your Network
  – Limit Scope of Access
  – Don’t Overlook Physical Security

A Cyber Attack Chain Model

Step – Description

• Reconnaissance & Probing – Find target; harvest information (email, conference listings, public lists, etc.)

• Delivery & Attack – Place delivery mechanism online; use social engineering to induce target to access malware or other exploits

• Installation & Exploitation – Exploit vulnerabilities on target systems to acquire access; elevate user privileges and install additional “tools”

• Compromise & Expansion – Exfiltration of data; use compromised systems to exploit additional systems

Courtesy: Chris Homer @ PBS

Goals of Network Security

• Provides Confidentiality – Prevent Disclosure - Maintain Privacy

• Maintains Data Integrity – Prevent Data Alteration

• Provides Availability – Prevent Denial of Use

[Figure: The CIA Triangle – DATA passing from a Send Host across the Network to a Receive Host]

Security Begins With Policy – Common Policy Terminology

• Asset – Any object of value

• Vulnerability – A system weakness that can be exploited

• Threat - Possible danger to a system or its information

• Risk – The feasibility that a vulnerability might be exploited

• Exploit - An attack directed at a vulnerability

• Countermeasure - An action or mitigation that reduces a risk

Security Policy Lifecycle

[Figure: lifecycle cycle with the stages labelled Planning, Policy Creation, Management & Monitoring, Assessment, Policy Implementation & Enforcement, Detection, and Threat Analysis]

The OSI Model – Open Systems Interconnection (OSI) Model

Defines how data traverses from an application to the network, layer by layer; breaks networking processes into manageable parts.

The “OSI” Model Data Flow Layers Provide the Structured Implementation Approach (networking focus: Layers 1–4)

• Layer 4 – Transport: Manages end-to-end connections: TCP, UDP, & flow control

• Layer 3 – Network: Provides internetwork routing (path); provides virtual addressing (IP)

• Layer 2 – Data Link: Provides network access control, physical address (MAC), & error detection

• Layer 1 – Physical: Interfaces to the physical network; moves bits onto & off the network medium

Layer 1 - Physical Access

• Restricted Physical Access to Network Infrastructure

• Controlled Access:
  – Access Badges
  – Cyber-Locks
  – Bio-Recognition

• Monitor Access:
  – Access Logs
  – Surveillance Cameras

Layer 2 – Data-Link Layer Access

• Implement Ethernet Switch Port Security

[Figure: switch carrying VLAN 100, VLAN 200, and VLAN 300, illustrating the points below]

• Disable any unused “access” or “untagged” ports

• Configure “trunk” or “tagged” ports only when required

• Enable switch port security:
  – Specific MAC address
  – Limit number of MAC addresses / port
  – Specify “shutdown” violation response

• Segment network traffic (VLAN 100 / VLAN 200 / VLAN 300)

Layer 3 and Above ……..

• Utilize Network Equipment Security Features:
  – Secure Connectivity “IPsec”
  – Threat Control “IPS”
  – Identity Trust “AAA”

• Implement Firewalls:
  – Border
  – Internal

• Implement “Access Control Lists”

• Utilize Application Security Where Possible

“IPsec” Internet Protocol Security

• IPsec – End-to-End Scheme to Encrypt Communications
  – IPv4 – Optional Implementation
  – IPv6 – Mandatory Implementation (Recommended)

• Layer 3 Implementation

• Modes:
  – Tunnel Implementation (VPN)
  – Host-to-Host Implementation

[Figure: Encrypted Data flowing between a Send Host and a Receive Host]

Firewall Types

• Determines What IP Traffic Can Enter or Exit a Network Based Upon Pre-Defined Rules

• Stateless Packet Filtering – Single Packet Inspection – Access Control List “ACL” – Ingress or Egress Filtering
  – No knowledge of flow
  – Filters on IP header info – Layer 3

• Stateful Packet Filtering – Conversation Inspection
  – Filters on IP header info – Layers 3-4
  – Records conversations – then determines context:
    » New Connections
    » An Existing Conversation
    » Not involved in any conversation

Implementing an Access Control List

[Figure: router with Interface 0/0 and Interface 0/1; on each interface an Ingress ACL filters inbound packets and an Egress ACL filters outbound packets]

Permit or Deny based on:
  – Source IP Address
  – Destination IP Address
  – ICMP
  – TCP/UDP Source Port
  – TCP/UDP Destination Port

One ACL per:
  – Interface
  – Direction
  – Protocol

Steps: (1) Create Access Control List, (2) Apply Access Control List
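As an added example (not from the slides) of the stateless, first-match filtering the ACL slide describes, the following Python models one ingress ACL on Interface 0/0 and runs constructed packets through it. The addresses, rules and packets are all constructed, and the implicit deny at the end of the list is the "deny by default" the later slides call for.

```python
# Added example, not from the original slides: a stateless, first-match ACL
# for one interface and direction (Interface 0/0, ingress). Every address,
# rule and packet below is constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # TCP/UDP destination port; None for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # source network in CIDR; 0.0.0.0/0 = any
    dst: str                     # destination network in CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        # Layer 3/4 header fields only: a stateless filter keeps no flow state
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching entry wins; a packet matching no entry is implicitly denied."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

# Constructed ingress ACL for the border router's outside interface: only the
# published DMZ services are reachable and external ICMP is blocked.
DMZ_WEB, DMZ_DNS = "203.0.113.10", "203.0.113.53"
INGRESS_0_0 = [
    Rule("deny", "ip", "192.168.0.0/16", "0.0.0.0/0"),        # inside addresses never arrive from outside
    Rule("permit", "tcp", "0.0.0.0/0", DMZ_WEB + "/32", 443),  # HTTPS to the web server
    Rule("permit", "udp", "0.0.0.0/0", DMZ_DNS + "/32", 53),   # DNS to the name server
    Rule("deny", "icmp", "0.0.0.0/0", "0.0.0.0/0"),            # external ICMP blocked
]                                                              # everything else: implicit deny

def filter_packets(acl: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply one ACL to a batch of packets, returning (packet, decision) pairs."""
    return [(p, evaluate(acl, p)) for p in packets]
```

Entry order matters: the anti-spoofing deny sits first so that a forged inside source address is dropped before any permit entry can match it.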

What Makes a Secure Network?

Attributes of a Secure Network

• Layered Approach (“Defense in Depth”, NOTE 1) – Different Security Controls Within Different Groups

• Security Domains – Segmentation of Network Into Areas or Groups

• Privileges – Restrict to “Need-To-Access”
  – “Deny by Default”

• Access – Restrict by Firewalls, Proxies, etc.

• Logging – Accountability, Monitoring, & Activity Tracking

NOTE 1 – Cisco Security Terminology

Characteristics of a Secure Network

• Network Infrastructure Equipment Current With System Updates

• VLAN(s) Traffic Separation (do not over-trust)

• Access Control Lists (ACL) Implementation

• Un-Used Ports (Protocols/Services) Disabled

• External ICMP Access Blocked

• Minimize Administrative Access Points

• External Administrative Access Blocked

• Multi-Level Network Design Approach Utilized

• Implement Encryption Between Networks

• Traffic Audit Capability Implemented:
  – NTP log synchronization
  – Permitted Traffic (Layer 3 headers)
  – Denied Traffic (Layer 3 headers)

Multi-Layer Approach “Defense-In-Depth”

Separate networks into “layers” with different security controls:

• External or Public Network

• “DMZ” (Demilitarized Zone) or Perimeter Network

• Internal Network(s)

Verification of Network Security & Introduction to Penetration Testing

Network Addressing

• Layer 2 PHYSICAL ADDRESS – MAC Address
  – 6 Bytes – Hexadecimal Notation - 00:12:3F:8D:4D:A7
  – 2-part: Fixed “Burned-in-Address” – OUI + Mfg. Assigned
  – Local in Scope

• Layer 3 VIRTUAL ADDRESS – IP Address
  – 4 Bytes (IPv4) – Dotted-Decimal Notation – 165.95.240.185
  – 2-part: Virtual Network ID + Host ID
  – Globally Unique

[Figure: simplified representation of an IP packet (Layer 3: Destination IP, Source IP, DATA) encapsulated in an Ethernet frame (Layer 2: Destination MAC, Source MAC, payload, Trailer); the example values shown are the MAC addresses FF:FF:FF:FF:FF:FF and 00:12:3F:8D:4D:A7 and the IP addresses 172.15.1.1 and 172.15.2.2]

The 2-Part IPv4 Address

32-bit IP Address – 4 Bytes – Octet 1 . Octet 2 . Octet 3 . Octet 4

192 . 168 . 100 . 254

11000000 10101000 01100100 11111110

The subnet mask determines which bits form the Network Address and which form the Host Address.

Every IP Address Must Have a Subnet Mask

IP Address Subnet Mask Expression
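As an added example (not from the slides), the following Python carries the slide's 192.168.100.254 through the two-part split by hand with bit operations. The /24 mask (255.255.255.0) used in the demo is an assumption, since the mask slide did not survive extraction; the functions also handle masks that do not fall on an octet boundary and reject a mask whose one-bits are not contiguous.

```python
# Added example (not from the original slides): split the 32-bit address
# 192.168.100.254 from slide 25 into its network ID and host ID. The subnet
# mask used in the demo at the bottom (255.255.255.0, /24) is an assumption.

def octets_to_int(dotted: str) -> int:
    """Pack a dotted-decimal string into a 32-bit integer, validating each octet."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {dotted}")
    value = 0
    for p in parts:
        value = (value << 8) | p
    return value

def int_to_octets(value: int) -> str:
    """Unpack a 32-bit integer into dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary_octets(dotted: str) -> str:
    """Show each octet as 8 bits, keeping leading zeros (100 -> 01100100)."""
    return " ".join(format(p, "08b") for p in map(int, dotted.split(".")))

def prefix_to_mask(prefix_len: int) -> str:
    """CIDR prefix length to dotted mask, e.g. 24 -> 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_octets((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)

def split_address(dotted: str, mask: str) -> dict:
    """Apply the mask: network ID = addr AND mask, host ID = addr AND NOT mask."""
    addr, m = octets_to_int(dotted), octets_to_int(mask)
    inverted = ~m & 0xFFFFFFFF
    if inverted & (inverted + 1):      # valid masks are contiguous ones then zeros
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return {
        "network": int_to_octets(addr & m),
        "host": int_to_octets(addr & inverted),
        "broadcast": int_to_octets(addr | inverted),
        "prefix_len": bin(m).count("1"),
        "binary": to_binary_octets(dotted),
    }

if __name__ == "__main__":
    info = split_address("192.168.100.254", prefix_to_mask(24))
    print(info["binary"])                  # 11000000 10101000 01100100 11111110
    print(info["network"], info["host"])   # 192.168.100.0 0.0.0.254
```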

TCP 3-Way Handshake

Host 1 initiates a connection to Host 2:

• SYN – Host 1 sends a Synchronize message to Host 2

• SYN + ACK – Host 2 responds with an Acknowledgement plus sends its own Synchronization message to Host 1

• ACK – Host 1 completes the 3-way handshake by sending an Acknowledgement to Host 2

TCP/UDP Port Numbers

Port Number Range: 1 – 65,535

0 - 1023 are Reserved ports / 1024 - 49151 are Registered ports / 49152 – 65535 are Dynamic (private) ports

An IP Address + Port Number = A “Socket”

• RESERVED PORT Examples – “System Port Numbers”
  – Port 20 / 21 – FTP “File Transfer Protocol”
  – Port 23 – TELNET
  – Port 53 – DNS “Domain Name Service”
  – Port 80 – HTTP
  – Port 110 – POP3 “Post Office Protocol”
  – Port 123 – NTP “Network Time Protocol”
  – Port 161 – SNMP “Simple Network Management Protocol” (UDP)
  – Port 443 - HTTPS

• REGISTERED PORT Examples – “User Port Numbers”
  – Port 1720 – H.323 Video Call Setup
  – Port 1812 – RADIUS Authentication
  – Port 2000 – CISCO “Skinny”
  – Port 3074 – “X-Box” Live
  – Port 4664 – Google Desktop
  – Port 5004 – RTP “Real Time Transport Protocol”
  – Port 5060 – SIP “Session Initiation Protocol”
  – Port 5631 – PC Anywhere
  – Port 8080 – Alternate HTTP

http://www.iana.org/assignments/port-numbers

Getting Started

• Obtain & Install “nmap”: https://nmap.org/
  – Linux (BEST – Ubuntu, Fedora, CentOS, BSD, Kali)
  – Windows (> WIN7, but with limitations)

• Obtain & Install “zenmap”: https://nmap.org/zenmap/

Disclaimer – “Network Scanning”

• Be Aware of Network Scanning Ethics & Legalities

• Guidelines to Follow:
  – Ensure You Have Permission to Scan
  – Limit Target & Scope of Your Scan
  – Understand Your ISP AUP
  – Use Caution with Options
  – Have a Reason to Scan the Network

• Be Aware: Aggressive Scanning Can Crash a Host - Use Caution!

Further Information: https://nmap.org/book/legal-issues.html

“Network Mapper” or nmap

Network Mapper is an open source network scanning utility used to determine information about network hosts.

• Determine Active Network Hosts

• Determine Host OpSys

• Determine Open Ports / Services Active

• Diagram Network Architecture

Used For:
  – Host Discovery
  – Security Profile Auditing
  – Network “Hacking”

Simple nmap Scan: nmap <ip address>

nmap Scanning Discovery

• Scope of Scan
  – Single / Multiple Host
  – Range of Hosts
  – Subnet

• Port Scan – open/closed/filtered

• Protocol Scan
  – ARP
  – TCP SYN & ACK
  – ICMP

Common options:
  -T4 = Intense (aggressive) timing template
  -A = Use Features: OS Detect, Version Detect
  -v = Verbose Output

nmap Profiles – Create Your Custom Profile

nmap Examples (a sampling of > 125 nmap commands)

• Scan Single Host

• Scan Multiple Hosts

• Scan Range of IP Addresses

• Scan a Subnet (NOTE: CIDR Notation)

• Perform an Aggressive Scan

• Discovery Attempt: No Ping

• Discovery Attempt: Ping Only (with Topology Map; a second example scopes the ping-only discovery to a Class C network)

• Discovery Attempt: Host OS

• Fast Port Scan (nmap scans the top 1,000 ports by default; “Fast Port Scan” scans the top 100 ports)

• Scan Specific Port

NSE - nmap Scripts

• Nmap Scripting Engine (NSE)

• Automates nmap Tasks

• Activating NSE: -sC option

• Script Library: https://nmap.org/nsedoc/

• Create Your Own: Lua Script Framework

Other nmap Suite Utilities:

• Ndiff – Compare scans and denote differences

• Nping – Enhanced ping utility, “ping on steroids”
  – Specify ping count, delay, & rate
  – Specify TCP or UDP
  – Specify a payload
  – Specify a port
  – ARP ping

• Ncat – Server or Client TCP/IP simulation utility
  – Test a webserver
  – Test an SMTP server
  – File Transfer
  – Create Ad Hoc Chat Server & Webserver

nmap Practice Target: scanme.nmap.org
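As an added example (not from the slides or the nmap project), the following Python turns the "scan your network on a regular basis" takeaway into a repeatable check: it parses a scan saved with nmap's grepable output option (-oG) and reports anything that departs from the expected norm for a segment, in the spirit of what Ndiff does between two scans. The scan text and the baseline of permitted services are constructed for a small DMZ.

```python
# Added example, not from the original slides: compare an nmap scan, saved
# with -oG (grepable output), against the expected "norm" for a segment.
# Both the scan text and the baseline below are constructed samples.
import re

# Constructed -oG output: the web server also answers on Telnet, which the
# baseline does not allow, and the mail relay did not answer at all.
SCAN_OG = """\
Host: 203.0.113.10 (www.example.test)\tStatus: Up
Host: 203.0.113.10 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//http///, 23/open/tcp//telnet///\tIgnored State: closed (997)
Host: 203.0.113.53 (ns.example.test)\tPorts: 53/open/udp//domain///, 53/open/tcp//domain///, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
"""

# Assumed baseline: the only services that should answer on each DMZ host.
BASELINE = {
    "203.0.113.10": {"80/tcp", "443/tcp"},
    "203.0.113.53": {"53/tcp", "53/udp"},
    "203.0.113.25": {"25/tcp"},
}

def parse_grepable(text: str) -> dict:
    """Return {host: {'port/proto', ...}} for every port reported as open."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment lines
        host = line.split()[1]
        open_ports.setdefault(host, set())
        ports = re.search(r"\tPorts: ([^\t]*)", line)
        if ports is None:
            continue                                   # "Status: Up" line, no ports
        for entry in ports.group(1).split(", "):       # port/state/proto/owner/service/rpc/version/
            fields = entry.split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports[host].add(f"{fields[0]}/{fields[2]}")
    return open_ports

def compare(scan: dict, baseline: dict) -> dict:
    """Report deviations from the norm in both directions."""
    report = {"unexpected": {}, "missing_services": {}, "missing_hosts": []}
    for host, expected in baseline.items():
        if host not in scan:
            report["missing_hosts"].append(host)       # host did not answer the scan
            continue
        if scan[host] - expected:
            report["unexpected"][host] = scan[host] - expected
        if expected - scan[host]:
            report["missing_services"][host] = expected - scan[host]
    report["unknown_hosts"] = sorted(h for h in scan if h not in baseline)
    return report
```

An "unexpected" entry is the case the slides warn about (an un-used service left enabled); a missing host or service is worth the same attention, since it may mean an outage rather than a hardening win.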

Reference Resources

• zmap – https://zmap.io

• KALI Linux – Debian based, special distribution for network forensics & penetration testing
  – Incorporates a family of security tools
  – https://www.kali.org
  – Install options: dedicated / dual-boot - Win or MAC

• http://cs.lewisu.edu/~klumpra/camssem2015/nmapcheatsheet1.pdf

Reference Texts:

Recent Industry DDoS Attack

Distributed Denial of Service “DDoS” Attack

• A DDoS attack seeks to disrupt the availability of a network or an individual network host by flooding the target with a high volume of illegitimate requests.

• Executed from multiple compromised host devices targeted at a specific host or network; often thousands of compromised hosts are involved.

• DDoS Symptoms:
  – Slow Network Performance
  – Host Unavailability (e.g., website, server)

• DDoS Attack Techniques:
  – ICMP Flood
  – Nuke (fragmented packets)
  – Reflected (spoofing)
  – SYN Flood

• DDoS Malware Tools:
  – MyDoom (classic DDoS malware)
  – Mirai

October 21 DDoS Attack – Target: DYN.com

• Historic Attack Scale – > 1 million attacker hosts – in excess of 665 Gbps of IP traffic generated

• DYN is a Major Domain Name Service (DNS) Provider

• Impacted Availability of Numerous Domain(s): Amazon, Comcast, PayPal, Netflix, Pinterest, PlayStation, Spotify, Reddit, Twitter, Verizon

• Executed from Internet of Things (IoT) Devices:
  – Primary MFG: Hangzhou Xiongmai Technology

Active Digital Attacks: http://www.digitalattackmap.com

Conclusion, Takeaways, & Questions

The Challenge

[Figure: SECURITY balanced against USABILITY]

Risks to the Broadcast Station

• Dead Air

• Impact to Resources

• Loss of Revenue

• Embarrassment

• Potential Liability

• Breach of Data

Courtesy: Chris Homer @ PBS

Takeaway Points

• Understand Security Threats

• Segment Your Network
  – Performance
  – Security

• Lock All Doors
  – Don’t Overlook Physical Security
  – Limit Privileged Users
  – Implement “Switch-Port” Security
  – Don’t Overlook the “Back Doors”

• Use Firewalls to Limit Ingress & Egress

• Monitor/Log Network Activity – Know the “Norm”

• Scan Your Network on a Regular Basis (PM) – Create nmap “Profile”

Best Practices to Consider

• Recognize Physical Security

• Change Default Logins

• Utilize Strong Passwords

• Disable Services Not Required

• Adopt a Layered Design Approach

• Segregate Network(s)

• Separate Networks via VLANs

• Implement Switch Port Security

• Utilize Packet Filtering in Routers & Firewalls

• Do Not Overlook Egress Traffic

• Deny All Traffic – Then Permit Only Required

• Keep Up With Equipment “Patches”

• Utilize Access Logging on Key Network Devices

• Utilize Session Timeout Features

• Encrypt Any Critical Data

• Restrict Remote Access Source

• Understand & Know Your Network Baseline

• Actively Monitor and Look for Abnormalities

• Limit “Need-to-Access”

• Disable External “ICMP” Access

• Don’t Use VLAN 1

Thank You for Attending!

Wayne M. Pecena
Texas A&M University
[email protected]
979.845.5662

? Questions ?