SBE Webinar Series - 2018

Broadcast Infrastructure Cybersecurity - Part 1

Wayne M. Pecena, CPBE, CBNE Texas A&M University

Educational Broadcast Services – KAMU FM-TV

Broadcast Infrastructure Cybersecurity Advertised Presentation Scope

2

Webinar Series Overview As broadcast station IP networks have grown and become an integral part of the broadcast technical plant, so has the security threats grown such that network security is an ongoing essential task for the broadcast engineer with IT responsibilities. This webinar series will provide an understanding of IP network security terminology, security plan principals, best practices, proactive implementation techniques, and active security verification. Practical implementation examples utilizing popular network infrastructure equipment will be provided with public domain security assessment tools. At the conclusion of this webinar series, you should have a fundamental understanding of IP network security principals, an understanding of developing a network security plan for your organization, and best practice implementation approaches. Network security is an on-going IT process and should never be considered a one-time setup and forget process.

Prerequisite Knowledge: It is recommended that participants have an understanding of IP networking fundamentals that includes OSI model structure, Ethernet switch operation, IP layer 3 system protocols, TCP 3-way handshake, and the use of port numbers.

Broadcast Infrastructure Cybersecurity

3

Webinar # 1 – “Introduction & Network Security Principals” Major Topics: Introduction to Cybersecurity in the Broadcast Plant The Security Policy Structured Security Implementation Hardening the Broadcast IP Network – layer 2 Takeaway Points & Reference Resources Questions & Discussion

Introduction to Cybersecurity in the Broadcast Plant

Broadcast Infrastructure Cybersecurity

The Broadcast Technical Plant Is Changing (has changed – will continue to change)

• Transition to IP Based Plant

• “Cloud” Based Services

• Service Based Architectures:

– IaaS, PaaS, SaaS

5

Why Be Concerned?

6

2018 Threat Predictions*

• Ransomware – Expanding to Mac OS, Linux, Smartphones

• Malware in the Cloud – Cyber-Crime as a Service “CCaS”

• IoT, DDoS, Malware – Coordinated Botnets

• Spam – Fishing – Social Engineering – Human Error Will Dominate

7 *source - Andy O. Heikkila, Cyber Security Trends and Threats to Watch for in 2018

Cybersecurity Risks to the Broadcast Station

• Dead Air

• Impact Upon Resources

• Loss of Revenue

• Public Embarrassment

• Breach of Data

• Potential Liability

• Lost Trust

Courtesy: Chris Homer @ PBS 8

Cybersecurity

• Cybersecurity is focused upon the protection of computers, networks, programs and data from change, destruction, or unauthorized change.

9

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability Integrity Confidentiality

International Telecommunications Union ITU-T X.1205

Cybersecurity Attack Model

10

Network Probing&

Reconnaissance

Delivery&

Attack

Installation& Exploitation

Compromise&

Expansion

Passive & Active Approaches Find Target(s)

Harvest Information

Network Threats • DHCP Snooping

• ARP Spoofing (IP Address Spoofing)

• Rogue Router Advertisements

• Denial of Service Attacks - DoS

• Distributed Denial of Service Attacks - DDoS

• Application Layer Attacks

11

Threat Mitigation Considerations

• Know Your Enemy – Understand Threat Environment

• Understand and Consider Business Requirements

• Implementation Cost vs Risk

• Don’t Overlook Human Factors – Social Engineering

12

Attributes of a Secure Network • Established Security Policy

– The Organizations Security “Rule Set”

– What Must Be Secured Identified

– How It Is Secured Outlined

• Complies With “CIA” Triad Objectives – Confidentiality, Integrity, Availability

• Layered Design Approach (“Defense in Depth” NOTE 1) – Segmentation of Network Into Workgroup Areas or Groups

– Different Security Controls Within Areas / Groups

• Privileges Limited: – Limit “Privileged” Users

– Restrict to “Need – To – Access”

– “Deny by Default”

• Access Controlled – Restrict by Firewalls, Proxies, etc.

• Active Support, Monitoring, & Logging – Patch Maintenance

– Establish Accountability Trail

– Activity Logging / Tracking / Monitoring 13 NOTE 1 – Cisco Security Terminology

Goals of Network Security • Provides Confidentiality

– Prevent Disclosure - Maintain Privacy

• Maintains Data Integrity – Prevent Data Alteration Thu Network

• Provides Resource Availability – Prevent Denial of Use of Network

Resources

14

The CIA or AIC Triad

The Security Policy

Broadcast Infrastructure Cybersecurity

The Security Policy • Security Implementation Begins With a Security Policy

• This is Your Implementation Roadmap

• Apply to “Anyone / Anything” With Network Access! – Company / Regulatory Policy Objectives

– System Business Standards /Requirements

– User Practices

– Specific Procedures

16

Common Policy Terminology

• Asset – Any object of value

• Vulnerability – A system weakness that could be exploited

• Threat - Possible danger to a system or its information

• Risk – The feasibility that a vulnerability might be exploited

• Exploit - An attack directed at a vulnerability

• Countermeasure - An action or mitigation of a risk

17

Be Aware: A Vulnerability Today

Becomes An Exploit Tomorrow

Security Policy Templates

18

https://www.sans.org/security-resources/policies

Security Lifecycle

19

Planning

Policy

Creation

Management &

Monitoring

Assessment

Policy

Implementation

& Enforcement

Detection

Threat

Analysis

Ultimate Network Security

Air Gap

20

Structured Security Implementation

Broadcast Infrastructure Cybersecurity

?

1st Step in Network Security

22

Prevent Reconnaissance Exploration or Probing

of the Network

Networking Standards

• IEEE- Institute of Electrical & Electronic Engineers • Project 802 Ethernet Standards:

– 802.1 Bridging

– 802.3 Ethernet

– 802.11 Wireless

• IETF – Internet Engineering Task Force • Request for Comments – RFC xxxx

– The “Standards Bible” of the Internet

– Requirement Levels:

• Required

• Recommended

• Elective

• Limited Use / Not Recommended / Depreciated

23

www.rfc-editor.org/rfc.html

http://standards.ieee.org/about/get/

Network Addressing

• Layer 2 – Media Access Control (MAC) Address

• Layer 3 – Internet Protocol (IP) Address

24

172.15.1.1 172.15.2.2 DATA Trailer00:12:3F:8D:4D:A7FF:FF:FF:FF:FF:FF

Destination

MAC

Source

MAC

Destination

IP

Source

IP

IPv4 Packet

Ethernet Frame

Simplified Representation

The OSI Model Open Systems Interconnection (OSI) Model

Conceptual Model – Abstract in Nature – Modular in Structure

Defines How Data Traverses From An Application to the Network

25

Networking

Focus

Structured Implementation Plan

26

Layer 1 – Physical Access

Layer 2 – Ethernet Switch Security

Layer 3 – Packet Filtering

Layer 4 and above – Encryption & Authentication

The Segmented Network

27

192.168.1.0

192.168.1.0 /26

192.168.1.64 /26

192.168.1.128 /26

Organize By:

Workgroup

Geographic

Policy / Regulation

For Enhanced:

Performance

Security

Security Zone 2

Security Zone 1 Security Zone 3

Implement a Multi-Layer Approach “Defense – In – Depth”

28

Separate Networks into “Layers”

With Different Security Controls: External or Public Network

“DMZ” or Demilitarized Zone or

Perimeter Network

Internal Network(s)

Security Zones Segmented Network Architecture

Security Zone 1

Security Zone 2

Security Zone 3

Security Zone 4

29

DMZ – email / web

Financial

Office / Admin

Broadcast Content/Transmission

Layer 1 - Physical Access

• Restricted Physical Access to Network Infrastructure

• Controlled Access: – Access Badges

– Cyber-Locks

– Bio-Recognition

• Monitor Access – Access Logs

– Surveillance Cameras

30

Layer 2 Attacks • MAC Address – CAM Overflow – MAC Flooding

• VLAN Hopping – Double Encapsulation - Nested

• ARP - MITM

• DHCP Starvation

• Spanning Tree Re-Calculations

• Port Authentication

• Mfg Specific Attacks: – Cisco CDP

– VLAN Management

31

Ethernet Switch Functions

• Learn MAC Addresses – Build “Table”

• Filter / Forward Ethernet Frames

• Flood Ethernet Frames

– Broadcast Frame

– MAC Not in CAM Table)

• Establish VLAN(s)

• Provide Loop Avoidance - Redundancy (STP)

• Provide Port Security Features

• Provide Multicast Support (IGMP Snooping)

Basic

Switch

Functions

32

Managed

Switch

Functions

MAC Physical Address Formats Always 48 Bits – Expressed as Hexadecimal

33

Byte

6

Byte

1

Byte

2

Byte

3

Byte

4

Byte

5

6 Bytes

Organization Unique

Identifier “OUI”

Network Interface

Controller “NIC”

Can Be Represented in Several Formats:

00:A0:C9:14:C8:29

00-A0-C9-14-C8-29

00A0.C914.C829

00A0C9.14C829

L2 - Ethernet Switch Functions

34

08-3e-8e-11-11-11

08-3e-8e-22-22-22 08-3e-8e-33-33-33

A1

A2A3

A4

Switch MAC Address Table

“Content Addressable Memory (CAM) Table”

MAC ADDRESS PORT

08-3e-8e-22-22-22 A2

08-3e-8e-11-11-11 A1

08-3e-8e-33-33-33 A3

08-3e-8e-44-44-44 A4

08-3e-8e-44-44-44

VLAN AGING

1

1

1

1

300

300

300

300

CAM Table

It is Not Infinite

Aging Timer

Time a non-transmitting host MAC address

remains in the table

(Cisco – 300 second default)

Layer 2 - Switch Port Security • Port Security Options:

– Permit Specific MAC Address / Port

– Limit # MAC Address / Port

– “Sticky” MAC Learning Configuration

• Port Security Violations: – Discard Frame

– Shutdown Port

– Notification

35

Prevents CAM Table Overflow Attacks Limits DoS & DDoS Attacks

Switch Port Security

• 1 – Specify Interface

• 2 – Set Interface Mode

• 3 – Enable Port Security

36

# interface FastEthernet 0/1

# switchport port-security

# switchport mode access

Switch Port Security

37

# switchport port-security [max #] violation {protect | restrict |

shutdown}] [mac-address mac-address [sticky] ] [aging time #]

switchport port-security command syntax ● Sets # of MAC addresses ● Enables violation mode ● Enables how Mac addresses are learned ● Sets aging time

Switch Port Security

38

# interface range FastEthernet 0/1-48

# switchport port-security

Enables port security on all 48 ports

# switchport port-security mac-address sticky

# switchport port-security mac-address 0021.706a.cc3c note format

once MAC is learned – entered into configuration

VLAN Hopping

39

PREAMBLESOURCE MAC

ADDRESS

DESTINATION

MAC ADDRESSTYPE DATA CRC

PREAMBLESOURCE MAC

ADDRESS

DESTINATION

MAC ADDRESSTYPE DATA CRCTAG

TPID “0X8100” PRI

C

F

I

VLAN

ID

ETHERNET FRAME

802.1Q ETHERNET FRAME

802.1Q TAG

PREAMBLESOURCE MAC

ADDRESS

DESTINATION

MAC ADDRESSTYPE DATA CRCTAGTAG

ARP Address Resolution Protocol

• RFC 826 Defines

• Maps Network Address to Physical Address

• Maps IP Address to MAC Address

• “Request – Response” Format Protocol

• Local Network in Scope (ARP Request NOT routed)

• Inverse ARP (RFC 1293) / Reverse ARP (RFC 903)

• Gratuitous ARP

• Host ARP Cache

40

Don’t Confuse: MAC Address Table (switch)

ARP Table (host)

Authentication 802.1x

• RADIUS Server Application Based

• “Remote Authentication Dial-In User Service”

• Centralized Authentication, Authorization, & Accounting

• Client – Server Based Protocol

41

Background Service or Dedicated Appliances

Layer 2 – Data-Link Layer Access • Implement Ethernet Switch Port Security

• Disable Unused Ports

• Config “Trunk / Tagged” Ports With Caution

42

Disable Any

Unused

“Access”

Or

“Untagged”

Ports

Configure

“Trunk”

Or

“Tagged”

Ports

Only

When

Required

Enable Switch Port Security:

Specific MAC address

Limit number of MAC addresses / port

Specify “shutdown” violation response

VLAN

100

VLAN

200 VLAN

300

Segment Network Traffic

Hardening the Broadcast IP Network

Broadcast Infrastructure Cybersecurity

Layer 2 Hardening

• Disable Telnet – Use SSH

• Set SNMP Secrets

• Minimize Spanned VLAN(s)

• Set STP Root Designation

• Enable Spoofing Features

• Disable Unused Ports

• Do Not Use VLAN1

• Disable CDP (Cisco)

• Enable Port Security

• Use Authentication (802.1x)

44

Takeaway Points & Reference Resources

Broadcast Infrastructure Cybersecurity

Takeaway Points – Part 1 • Recognize & Accept The “Security Lifecycle” • Have a Security Policy • Utilize “Defense in Depth” Strategy • Understand Security Threat Landscape • Begin With Network Design - Segment Your Network

– Security – Performance Enhancement

• Implement a Structured Plan – Begin with Physical Security – Implement Switch Port Security – Implement Packet Filtering – Implement Encrypted Access – Implement Trust (authentication)

• Implement Ethernet Port Security • Disable Any “Unused” Ports • Enable “Truck/Tagged” Ports w/Caution • Do Not Use VLAN 1 • Monitor Your Network – Know What is Normal!

46

Future Webinars Will Continue to Build This List

FCC Working Group 4

47

https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf

48

The Challenge

SECURITY USEABILITY

49

SBE Webinar Series - 2018

Broadcast Infrastructure Cybersecurity

50

Webinar # 2 – “Understanding The Firewall” Major Topics (February 27, 2018): Webinar #1 Takeaway Point Review The Access Control List (ACL) The Firewall Firewall Implementation & Ruleset Configuration Applying the Security Policy – Firewall Ruleset Takeaway Points & Reference Resources Questions & Discussion Webinar # 3 – “Understanding Secured Remote Access” Major Topics (March 27, 2018): Webinar #2 Takeaway Point Review Secured Remote Access Establishing Secured Remote Access VPN Implementation & Configuration Takeaway Points & Reference Resources Questions & Discussion Webinar # 4 – “Security Verification Thru Penetration Testing” Major Topics (April 24, 2018): Webinar #3 Takeaway Point Review Proactive Security Monitoring Network Penetration Testing Overview Network Penetration Testing Tools Network Penetration Tool Example(s) Takeaway Points, Reference Resources, & Webinar Series Wrap-Up Questions & Discussion

My Favorite Reference Texts:

51

52

Thank You for Attending! Wayne M. Pecena Texas A&M University wpecena@sbe.org w-pecena@tamu.edu 979.845.5662

53

Questions & Discussion

Secretary, Board of Directors Executive Committee Member Chair, Education Committee