IP Network Security Part 2
Wayne M. Pecena, CPBE, CBNE
Texas A&M University
Educational Broadcast Services
Part 2-v2
November 15, 2016
Advertised Webinar Scope
Overview
As broadcast station IP networks have grown and become an integral part of the broadcast technical facility, so have the security threats grown, such that network security is an ongoing essential task for the broadcast engineer with IT responsibilities.
This webinar will build on the security foundation principles presented in Part 1 by focusing on verification of a secure network environment through the use of network penetration tools. Practical penetration test examples utilizing public domain tools such as nmap and the zenmap GUI will be presented.
Webinar Major Topics
Today’s Agenda
• Brief Review of IP Network Security Fundamentals - Part 1 Takeaways
• What Makes a Secure Network?
• Verification of Network Security & Introduction to Penetration Testing
– Understanding TCP/IP & IP Ports
– Introduction to nmap
– Introduction to zenmap GUI
– Penetration Exploration Examples
• Reference Resources
• Conclusion, Takeaways, & Questions
Cybersecurity
• Cybersecurity is focused upon the protection of computers, networks, programs and data from destruction or unauthorized change.
Cybersecurity is the collection of tools, policies, security concepts, security
safeguards, guidelines, risk management approaches, actions, training, best
practices, assurance and technologies that can be used to protect the cyber
environment and organization and user’s assets. Organization and user’s
assets include connected computing devices, personnel, infrastructure,
applications, services, telecommunications systems, and the totality of
transmitted and/or stored information in the cyber environment. Cybersecurity
strives to ensure the attainment and maintenance of the security properties of
the organization and user’s assets against relevant security risks in the cyber
environment.
The general security objectives comprise the following:
Availability
Integrity
Confidentiality
Source: International Telecommunication Union, ITU-T X.1205
Network Infrastructure Threats
• Focus - Protecting the “Network Infrastructure”
• Common Threats:
– DHCP Snooping
– ARP Spoofing (IP Spoofing)
– Rogue Router Advertisements
– Denial of Service Attacks
– Application Layer Attacks
• Implementation Considerations:
– Know Your Enemy
– Cost
– Human Factors
– Understand Your Network
– Limit Scope of Access
– Don’t Overlook Physical Security
A Cyber Attack Chain Model
• Reconnaissance & Probing
– Find target
– Harvest information (email, conference listings, public lists, etc.)
• Delivery & Attack
– Place delivery mechanism online
– Use social engineering to induce target to access malware or other exploits
• Installation & Exploitation
– Exploit vulnerabilities on target systems to acquire access
– Elevate user privileges and install additional “tools”
• Compromise & Expansion
– Exfiltration of data
– Use compromised systems to exploit additional systems
Courtesy: Chris Homer @ PBS
Goals of Network Security
• Provides Confidentiality – Prevent Disclosure - Maintain Privacy
• Maintains Data Integrity – Prevent Data Alteration
• Provides Availability – Prevent Denial of Use
[Figure: Send Host → Network → Receive Host, carrying DATA; “The CIA Triangle”]
Security Begins With Policy
Common Policy Terminology
• Asset – Any object of value
• Vulnerability – A system weakness that can be exploited
• Threat - Possible danger to a system or its information
• Risk – The likelihood that a vulnerability might be exploited
• Exploit - An attack directed at a vulnerability
• Countermeasure - An action that mitigates a risk
Security Policy Lifecycle
[Cycle diagram; stages: Planning, Policy Creation, Management & Monitoring, Assessment, Policy Implementation & Enforcement, Detection, Threat Analysis]
The OSI Model
Open Systems Interconnection (OSI) Model
• Defines How Data Traverses From An Application to the Network – Layer by Layer
• Breaks Networking Processes Into Manageable Parts
The “OSI” Model Data Flow Layers Provide the Structured Implementation Approach
Networking Focus (Layers 1–4):
• Layer 4 – Transport: Manages End-End Connections: TCP, UDP, & Flow Control
• Layer 3 – Network: Provides Internetwork Routing (path); Provides Virtual Addressing (IP)
• Layer 2 – Data Link: Provides Network Access Control, Physical Address (MAC), & Error Detection
• Layer 1 – Physical: Interfaces to Physical Network, Moves Bits Onto & Off Network Medium
Layer 1 - Physical Access
• Restricted Physical Access to Network Infrastructure
• Controlled Access:
– Access Badges
– Cyber-Locks
– Bio-Recognition
• Monitor Access:
– Access Logs
– Surveillance Cameras
Layer 2 – Data-Link Layer Access
• Implement Ethernet Switch Port Security
– Disable Any Unused “Access” or “Untagged” Ports
– Configure “Trunk” or “Tagged” Ports Only When Required
– Enable Switch Port Security:
» Specific MAC address
» Limit number of MAC addresses / port
» Specify “shutdown” violation response
– Segment Network Traffic (e.g., VLAN 100, VLAN 200, VLAN 300)
Layer 3 and Above
• Utilize Network Equipment Security Features
– Secure Connectivity “IPSec”
– Threat Control “IPS”
– Identity Trust “AAA”
• Implement Firewalls
– Border
– Internal
• Implement “Access Control Lists”
• Utilize Application Security Where Possible
“IPsec” Internet Protocol Security
• IPsec – End-to-End Scheme to Encrypt Communications
– IPv4 – Optional Implementation
– IPv6 – Mandatory Implementation (Recommended)
• Layer 3 Implementation
• Modes:
– Tunnel Implementation (VPN)
– Host-to-Host Implementation
[Figure: Send Host → Encrypted Data → Receive Host]
Firewall Types
• Determines What IP Traffic Can Enter or Exit a Network Based Upon Pre-Defined Rules
• Stateless Packet Filtering – Single Packet Inspection – Access Control List “ACL” – Ingress or Egress Filtering
– No knowledge of flow
– Filters on IP Header info – Layer 3
• Stateful Packet Filtering – Conversation Inspection
– Filters on IP Header info – Layers 3-4
– Records conversations – then determines context:
» New Connections
» An Existing Conversation
» Not involved in any conversation
Implementing an Access Control List
• Create Access Control List, then Apply Access Control List to an interface
• Ingress ACL Filters Inbound Packets; Egress ACL Filters Outbound Packets (per interface, e.g., Interface 0/0 and Interface 0/1)
• Permit or Deny based on:
– Source IP Address
– Destination IP Address
– ICMP
– TCP/UDP Source Port
– TCP/UDP Destination Port
• One ACL per:
– Interface
– Direction
– Protocol
Attributes of a Secure Network
• Layered Approach (“Defense in Depth” NOTE 1) – Different Security Controls Within Different Groups
• Security Domains – Segmentation of Network Into Areas or Groups
• Privileges – Restrict to “Need-To-Access”
– “Deny by Default”
• Access – Restrict by Firewalls, Proxies, etc.
• Logging – Accountability, Monitoring, & Activity Tracking
NOTE 1 – Cisco Security Terminology
Characteristics of a Secure Network
• Network Infrastructure Equipment Current With System Updates
• VLAN(s) Traffic Separation (do not over-trust)
• Access Control Lists (ACL) Implementation
• Un-Used Ports (Protocols/Services) Disabled
• External ICMP Access Blocked
• Minimize Administrative Access Points
• External Administrative Access Blocked
• Multi-Level Network Design Approach Utilized
• Implement Encryption Between Networks
• Traffic Audit Capability Implemented
– NTP Log Synchronization
– Permitted Traffic (Layer 3 headers)
– Denied Traffic (Layer 3 headers)
Multi-Layer Approach “Defense-In-Depth”
Separate Networks into “Layers” With Different Security Controls:
• External or Public Network
• “DMZ” or Demilitarized Zone or Perimeter Network
• Internal Network(s)
Network Addressing
• Layer 2 PHYSICAL ADDRESS – MAC Address – 6 Bytes – Hexadecimal Notation - 00:12:3F:8D:4D:A7
– 2-part: Fixed “Burned-in-Address” – OUI + Mfg. Assigned
– Local in Scope
• Layer 3 VIRTUAL ADDRESS – IP Address – 4 Bytes (IPv4) – Dotted-Decimal Notation – 165.95.240.185
– 2-part: Virtual Network ID + Host ID
– Globally Unique
Simplified Representation of Encapsulation:
Ethernet Frame (Layer 2): Destination MAC FF:FF:FF:FF:FF:FF | Source MAC 00:12:3F:8D:4D:A7 | [Encapsulated IP Packet (Layer 3): Destination IP / Source IP (172.15.1.1, 172.15.2.2) | DATA] | Trailer
The 2-Part IPv4 Address
• 32-bit IP Address = 4 Bytes (Octet 1 . Octet 2 . Octet 3 . Octet 4)
• Example: 192.168.100.254 = 11000000 . 10101000 . 01100100 . 11111110
• Subnet Mask Determines Which Bits Are the Network Address and Which Are the Host Address
• Every IP Address Must Have a Subnet Mask
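Added example (Python, not from the webinar): applying a subnet mask to the slide's address 192.168.100.254 to separate the network ID from the host ID. The slide states no mask, so the /24 and /20 masks used below are assumptions; the function also validates that the mask is contiguous and handles masks that do not fall on an octet boundary.

```python
def dotted_to_int(addr: str) -> int:
    """Parse dotted-decimal IPv4 into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary_octets(value: int) -> str:
    """Four 8-bit groups, the way the slide draws the 32 bits."""
    return ".".join(format((value >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def split_address(addr: str, mask: str) -> dict:
    """Network ID = addr AND mask; host ID = addr AND NOT mask."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    ones = bin(m).count("1")
    # A valid mask is a contiguous run of 1s followed by 0s (e.g. /24 = 255.255.255.0).
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    host_bits = ~m & 0xFFFFFFFF
    network = a & m
    return {
        "address_bits": to_binary_octets(a),
        "mask_bits": to_binary_octets(m),
        "prefix_length": ones,
        "network_id": int_to_dotted(network),
        "host_id": a & host_bits,
        "broadcast": int_to_dotted(network | host_bits),
        "usable_hosts": max((1 << (32 - ones)) - 2, 0),
    }

if __name__ == "__main__":
    # The slide's address with an assumed /24 mask and a non-octet-boundary /20 mask.
    for mask in ("255.255.255.0", "255.255.240.0"):
        info = split_address("192.168.100.254", mask)
        print(f"{info['address_bits']} AND {info['mask_bits']} -> "
              f"network {info['network_id']}/{info['prefix_length']}, host ID {info['host_id']}")
```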
TCP 3-Way Handshake
• Host 1 Initiates Connection to Host 2
• SYN: Host 1 Sends Synchronize Message to Host 2
• SYN + ACK: Host 2 Responds With Acknowledgement Plus Sends Its Own Synchronization Message to Host 1
• ACK: Host 1 Completes the 3-Way Handshake By Sending Acknowledgement to Host 2
TCP/UDP Port Numbers
• Port Number Range: 1 – 65,535
• 0 - 1023 are Reserved ports / 1024 - 49151 are Registered ports / 49152 – 65535 are Dynamic (private) ports
• An IP Address + Port Number = A “Socket”
• RESERVED PORT Examples – “System Port Numbers”
– Port 20 / 21 – FTP “File Transfer Protocol”
– Port 23 – TELNET
– Port 53 – DNS “Domain Name Service”
– Port 80 – HTTP
– Port 110 – POP3 “Post Office Protocol”
– Port 123 – NTP “Network Time Protocol”
– Port 161 – SNMP “Simple Network Management Protocol” (UDP)
– Port 443 - HTTPS
• REGISTERED PORT Examples – “User Port Numbers”
– Port 1720 – H.323 Video Call Setup
– Port 1812 – RADIUS Authentication
– Port 2000 – CISCO “Skinny”
– Port 3074 – “X-Box” Live
– Port 4664 – Google Desktop
– Port 5004 – RTP “Real Time Transport Protocol”
– Port 5060 – SIP “Session Initiation Protocol”
– Port 5631 – PC Anywhere
– Port 8080 – Alternate HTTP
Reference: http://www.iana.org/assignments/port-numbers
Getting Started
• Obtain & Install “nmap”: https://nmap.org/
– Linux (best: Ubuntu, Fedora, CentOS, BSD, Kali)
– Windows (> Win7, with limitations)
• Obtain & Install “zenmap”: https://nmap.org/zenmap/
Disclaimer “Network Scanning”
• Be Aware of Network Scanning Ethics & Legalities
• Guidelines to Follow:
– Ensure You Have Permission to Scan
– Limit Target & Scope of Your Scan
– Understand Your ISP AUP
– Use Caution with Options
– Have a Reason to Scan Network
• Be Aware: Aggressive Scanning Can Crash a Host - Use Caution!
Further Information: https://nmap.org/book/legal-issues.html
“Network Mapper” or nmap
Network Mapper is an open source network scanning utility used to determine information about network hosts.
• Determine Active Network Hosts
• Determine Host OpSys
• Determine Open Ports / Services Active
• Diagram Network Architecture
Used For:
• Host Discovery
• Security Profile Auditing
• Network “Hacking”
nmap Scanning Discovery
• Scope of Scan
– Single / Multiple Host
– Range of Hosts
– Subnet
• Port Scan – open/closed/filtered
• Protocol Scan
– ARP
– TCP SYN & ACK
– ICMP
Common Options:
-T4 = Aggressive Timing Template (“Intense” scan)
-A = Use Features: OS Detect, Ver Detect
-v = Verbose Output
nmap Examples
• Scan Single Host
• Scan Multiple Hosts
• Scan Range of IP Addresses
• Scan a Subnet
• Perform an Aggressive Scan
• Discovery Attempt: No Ping
• Discovery Attempt: Ping Only
• Discovery Attempt: Host OS
• Fast Port Scan
• Scan Specific Port
Sampling of > 125 nmap commands
NSE - nmap Scripts
• Nmap Scripting Engine (NSE)
• Automates nmap Tasks
• Activating NSE: -sC option (default script set)
• Script Library: https://nmap.org/nsedoc/
• Create Your Own: Lua Script Framework
Other nmap Suite Utilities:
• Ndiff – Compare scans and denote differences
• Nping – Enhanced ping utility “ping on Steroids”
– Specify ping count, rate, & delay
– Specify TCP or UDP
– Specify a payload
– Specify a port
– ARP ping
• Ncat – Server or Client TCP/IP simulation utility
– Test a webserver
– Test an SMTP server
– File Transfer
– Create Ad Hoc Chat Server & Webserver
On-Line nmap Tools
• https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
KALI Linux
• Debian Based – Special Distribution for Network Forensics & Penetration Testing
• Incorporates Family of Security Tools
• https://www.kali.org
• Install Options: Dedicated / Dual-Boot - Win or MAC
nmap Cheat Sheets:
http://cs.lewisu.edu/~klumpra/camssem2015/nmapcheatsheet1.pdf
https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20NMap%20Quick%20Reference%20Guide.pdf
Distributed Denial of Service “DDoS” Attack
• A DDoS attack seeks to disrupt the availability of a network or an individual network host by flooding the target with a high volume of illegitimate requests.
• Executed from multiple compromised host devices targeted at a specific host or network. Often thousands of compromised hosts are involved.
• DDoS Symptoms:
– Slow Network Performance
– Host Unavailability (i.e., website, server)
• DDoS Attack Techniques:
– ICMP Flood
– Nuke (fragmented packets)
– Reflected (spoofing)
– SYN Flood
• DDoS Malware Tools:
– MyDoom (classic DDoS malware)
– Mirai
October 21 DDoS Attack Target: DYN.com
• Historic Attack Scale – > 1 million attacker hosts – Excess of 665 Gbps of IP traffic generated
• DYN is a Major Domain Name Service (DNS) Provider
• Impacted Availability of Numerous Domain(s): Amazon, Comcast, PayPal, Netflix, Pinterest, PlayStation, Spotify, Reddit, Twitter, Verizon
• Executed from Internet of Things (IoT) Devices:
– Primary MFG: Hangzhou Xiongmai Technology
Risks to the Broadcast Station
• Dead Air
• Impact to Resources
• Loss of Revenue
• Embarrassment
• Potential Liability
• Breach of Data
Courtesy: Chris Homer @ PBS
Takeaway Points
• Understand Security Threats
• Segment Your Network
– Performance
– Security
• Lock All Doors
– Don’t Overlook Physical Security
– Limit Privileged Users
– Implement “Switch-Port” Security
– Don’t Overlook the “Back Doors”
• Use Firewalls to Limit Ingress & Egress
• Monitor/Log Network Activity – Know the “Norm”
• Scan Your Network on a Regular Basis (PM) – Create nmap “Profile”
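Added example (Python, not from the webinar): the “know the norm” and regular-scan takeaways above, and the Ndiff idea under “Other nmap Suite Utilities”, reduced to code. It parses nmap's greppable output format (-oG) and reports open ports that differ from a saved baseline, so a new listener (new exposure) or a vanished one (outage or host down) stands out. The scan lines, hostnames and baseline are constructed sample data.

```python
import re

# Constructed nmap greppable output (-oG); tabs separate the fields as nmap writes them.
SAMPLE_SCAN = """\
# Nmap 7.40 scan initiated (constructed sample) as: nmap -oG - 192.168.10.0/24
Host: 192.168.10.1 (gw.example)\tStatus: Up
Host: 192.168.10.1 (gw.example)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.10.20 (encoder.example)\tPorts: 80/open/tcp//http///, 23/open/tcp//telnet///, 161/open/udp//snmp///\tIgnored State: closed (997)
Host: 192.168.10.30 (ntp.example)\tStatus: Down
# Nmap done (constructed sample)
"""

# Known-good baseline: expected open ports per host, taken from an earlier scan
# when the network was trusted to be clean. Telnet on the encoder is not in it.
BASELINE = {
    "192.168.10.1": {"22/tcp", "443/tcp"},
    "192.168.10.20": {"80/tcp", "161/udp"},
    "192.168.10.30": {"123/udp"},
}

# Each port entry is port/state/protocol/owner/service/rpc/version/; keep only "open".
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")

def parse_greppable(text: str) -> dict:
    """Map each scanned host IP to the set of 'port/proto' entries reported open."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # "# Nmap ..." header/footer lines
        ip = line.split()[1]
        open_ports.setdefault(ip, set())  # a host with no Ports field stays empty
        _, _, ports_field = line.partition("\tPorts: ")
        for port, proto in PORT_RE.findall(ports_field):
            open_ports[ip].add(f"{port}/{proto}")
    return open_ports

def diff_against_baseline(scan: dict, baseline: dict) -> dict:
    """unexpected = open now but not in baseline; missing = expected but not seen."""
    unexpected, missing = {}, {}
    for host in set(scan) | set(baseline):
        seen, expected = scan.get(host, set()), baseline.get(host, set())
        if seen - expected:
            unexpected[host] = seen - expected
        if expected - seen:
            missing[host] = expected - seen
    return {"unexpected": unexpected, "missing": missing}

if __name__ == "__main__":
    print(diff_against_baseline(parse_greppable(SAMPLE_SCAN), BASELINE))
```

Feeding a real scan is a matter of replacing SAMPLE_SCAN with the contents of a file written by nmap's -oG option and BASELINE with the result of an earlier parse.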
Best Practices to Consider
• Recognize Physical Security
• Change Default Logins
• Utilize Strong Passwords
• Disable Services Not Required
• Adopt a Layered Design Approach
• Segregate Network(s)
• Separate Networks via VLANS
• Implement Switch Port Security
• Utilize Packet Filtering in Routers & Firewalls
• Do Not Overlook Egress Traffic
• Deny All Traffic – Then Permit Only Required
• Keep Up With Equipment “Patches”
• Utilize Access Logging on Key Network Devices
• Utilize Session Timeout Features
• Encrypt Any Critical Data
• Restrict Remote Access Source
• Understand & Know Your Network Baseline
• Actively Monitor and Look for Abnormalities
• Limit “Need-to-Access”
• Disable External “ICMP” Access
• Don’t Use VLAN 1
Thank You for Attending!
Wayne M. Pecena Texas A&M University [email protected] 979.845.5662
? Questions ?