SBE Webinar Series - 2018
Broadcast Infrastructure Cybersecurity - Part 1
Wayne M. Pecena, CPBE, CBNE Texas A&M University
Educational Broadcast Services – KAMU FM-TV
Broadcast Infrastructure Cybersecurity Advertised Presentation Scope
Webinar Series Overview: As broadcast station IP networks have grown and become an integral part of the broadcast technical plant, so have the security threats, such that network security is an ongoing, essential task for the broadcast engineer with IT responsibilities. This webinar series will provide an understanding of IP network security terminology, security plan principles, best practices, proactive implementation techniques, and active security verification. Practical implementation examples using popular network infrastructure equipment will be provided, along with public domain security assessment tools. At the conclusion of this webinar series, you should have a fundamental understanding of IP network security principles, an understanding of how to develop a network security plan for your organization, and best practice implementation approaches. Network security is an ongoing IT process and should never be considered a one-time set-and-forget task.
Prerequisite Knowledge: It is recommended that participants have an understanding of IP networking fundamentals that includes OSI model structure, Ethernet switch operation, IP layer 3 system protocols, TCP 3-way handshake, and the use of port numbers.
Broadcast Infrastructure Cybersecurity
Webinar # 1 – “Introduction & Network Security Principles”
Major Topics:
• Introduction to Cybersecurity in the Broadcast Plant
• The Security Policy
• Structured Security Implementation
• Hardening the Broadcast IP Network – Layer 2
• Takeaway Points & Reference Resources
• Questions & Discussion
Introduction to Cybersecurity in the Broadcast Plant
Broadcast Infrastructure Cybersecurity
The Broadcast Technical Plant Is Changing (has changed – will continue to change)
• Transition to IP Based Plant
• “Cloud” Based Services
• Service Based Architectures:
– IaaS, PaaS, SaaS
Why Be Concerned?
2018 Threat Predictions*
• Ransomware – Expanding to Mac OS, Linux, Smartphones
• Malware in the Cloud – Cyber-Crime as a Service “CCaS”
• IoT, DDoS, Malware – Coordinated Botnets
• Spam – Phishing – Social Engineering – Human Error Will Dominate
*Source: Andy O. Heikkila, Cyber Security Trends and Threats to Watch for in 2018
Cybersecurity Risks to the Broadcast Station
• Dead Air
• Impact Upon Resources
• Loss of Revenue
• Public Embarrassment
• Breach of Data
• Potential Liability
• Lost Trust
Courtesy: Chris Homer @ PBS
Cybersecurity
• Cybersecurity is focused upon the protection of computers, networks, programs and data from unauthorized change or destruction.
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following:
• Availability
• Integrity
• Confidentiality
Source: International Telecommunication Union, ITU-T X.1205
Cybersecurity Attack Model
(Figure: the attack progresses through four stages: Network Probing & Reconnaissance → Delivery & Attack → Installation & Exploitation → Compromise & Expansion. The reconnaissance stage uses passive and active approaches to find target(s) and harvest information.)
Network Threats
• DHCP Snooping
• ARP Spoofing (IP Address Spoofing)
• Rogue Router Advertisements
• Denial of Service Attacks - DoS
• Distributed Denial of Service Attacks - DDoS
• Application Layer Attacks
Threat Mitigation Considerations
• Know Your Enemy – Understand Threat Environment
• Understand and Consider Business Requirements
• Implementation Cost vs Risk
• Don’t Overlook Human Factors – Social Engineering
Attributes of a Secure Network
• Established Security Policy
– The Organization's Security “Rule Set”
– What Must Be Secured Identified
– How It Is Secured Outlined
• Complies With “CIA” Triad Objectives – Confidentiality, Integrity, Availability
• Layered Design Approach (“Defense in Depth” NOTE 1)
– Segmentation of Network Into Workgroup Areas or Groups
– Different Security Controls Within Areas / Groups
• Privileges Limited:
– Limit “Privileged” Users
– Restrict to “Need-To-Access”
– “Deny by Default”
• Access Controlled – Restrict by Firewalls, Proxies, etc.
• Active Support, Monitoring, & Logging
– Patch Maintenance
– Establish Accountability Trail
– Activity Logging / Tracking / Monitoring
NOTE 1 – Cisco Security Terminology
Goals of Network Security
• Provides Confidentiality – Prevent Disclosure, Maintain Privacy
• Maintains Data Integrity – Prevent Data Alteration Through the Network
• Provides Resource Availability – Prevent Denial of Use of Network Resources
The CIA or AIC Triad
The Security Policy
Broadcast Infrastructure Cybersecurity
The Security Policy
• Security Implementation Begins With a Security Policy
• This is Your Implementation Roadmap
• Apply to “Anyone / Anything” With Network Access!
– Company / Regulatory Policy Objectives
– System Business Standards / Requirements
– User Practices
– Specific Procedures
Common Policy Terminology
• Asset – Any object of value
• Vulnerability – A system weakness that could be exploited
• Threat – Possible danger to a system or its information
• Risk – The feasibility that a vulnerability might be exploited
• Exploit – An attack directed at a vulnerability
• Countermeasure – An action that mitigates a risk
Be Aware: A Vulnerability Today Becomes An Exploit Tomorrow
Security Policy Templates
https://www.sans.org/security-resources/policies
Security Lifecycle
(Figure: a continuous cycle comprising Planning, Policy Creation, Management & Monitoring, Assessment, Policy Implementation & Enforcement, Detection, and Threat Analysis.)
Ultimate Network Security: Air Gap
Structured Security Implementation
Broadcast Infrastructure Cybersecurity
1st Step in Network Security: Prevent Reconnaissance – Exploration or Probing of the Network
Networking Standards
• IEEE – Institute of Electrical & Electronics Engineers
• Project 802 Ethernet Standards:
– 802.1 Bridging
– 802.3 Ethernet
– 802.11 Wireless
• IETF – Internet Engineering Task Force
• Request for Comments – RFC xxxx
– The “Standards Bible” of the Internet
– Requirement Levels:
• Required
• Recommended
• Elective
• Limited Use / Not Recommended / Deprecated
www.rfc-editor.org/rfc.html
http://standards.ieee.org/about/get/
Network Addressing
• Layer 2 – Media Access Control (MAC) Address
• Layer 3 – Internet Protocol (IP) Address
(Figure, simplified representation: an IPv4 packet with Destination IP, Source IP and DATA fields is carried inside an Ethernet frame with Destination MAC, Source MAC and Trailer fields. Example values shown: MAC addresses 00:12:3F:8D:4D:A7 and FF:FF:FF:FF:FF:FF, IP addresses 172.15.1.1 and 172.15.2.2.)
The OSI Model – Open Systems Interconnection (OSI) Model
• Conceptual Model – Abstract in Nature – Modular in Structure
• Defines How Data Traverses From An Application to the Network
(Figure: the OSI layers, with the “Networking Focus” of this series indicated.)
Structured Implementation Plan
Layer 1 – Physical Access
Layer 2 – Ethernet Switch Security
Layer 3 – Packet Filtering
Layer 4 and above – Encryption & Authentication
The Segmented Network
(Figure: the 192.168.1.0 network divided into 192.168.1.0 /26, 192.168.1.64 /26 and 192.168.1.128 /26, each forming its own security zone: Security Zone 1, Security Zone 2, Security Zone 3.)
Organize By: Workgroup, Geographic, Policy / Regulation
For Enhanced: Performance, Security
Implement a Multi-Layer Approach – “Defense-In-Depth”
Separate Networks into “Layers” With Different Security Controls:
• External or Public Network
• “DMZ” or Demilitarized Zone or Perimeter Network
• Internal Network(s)
Security Zones – Segmented Network Architecture
(Figure: four security zones, Security Zone 1 through Security Zone 4, with example uses: DMZ – email / web; Financial; Office / Admin; Broadcast Content/Transmission.)
Layer 1 - Physical Access
• Restricted Physical Access to Network Infrastructure
• Controlled Access:
– Access Badges
– Cyber-Locks
– Bio-Recognition
• Monitor Access:
– Access Logs
– Surveillance Cameras
Layer 2 Attacks
• MAC Address – CAM Overflow – MAC Flooding
• VLAN Hopping – Double Encapsulation - Nested
• ARP - MITM
• DHCP Starvation
• Spanning Tree Re-Calculations
• Port Authentication
• Mfg Specific Attacks:
– Cisco CDP
– VLAN Management
Ethernet Switch Functions
Basic Switch Functions:
• Learn MAC Addresses – Build “Table”
• Filter / Forward Ethernet Frames
• Flood Ethernet Frames
– Broadcast Frame
– MAC Not in CAM Table
Managed Switch Functions:
• Establish VLAN(s)
• Provide Loop Avoidance - Redundancy (STP)
• Provide Port Security Features
• Provide Multicast Support (IGMP Snooping)
MAC Physical Address Formats
Always 48 Bits – Expressed as Hexadecimal
(Figure: the 6 bytes of the address, Byte 1 through Byte 6; Bytes 1–3 are the Organization Unique Identifier “OUI”, Bytes 4–6 identify the Network Interface Controller “NIC”.)
Can Be Represented in Several Formats:
00:A0:C9:14:C8:29
00-A0-C9-14-C8-29
00A0.C914.C829
00A0C9.14C829
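As an added example (not part of the webinar), a small Python helper that accepts any of the four formats above, checks that exactly 48 bits are present and splits the OUI and NIC halves; the two bit tests on the first byte are the standard IEEE 802 address semantics and are useful when auditing what a switch has learned.

```python
import re

# Added example (not from the webinar): normalize the four MAC address
# representations shown on the slide and split the 48 bits into OUI and NIC.
OUI_LEN = 3  # first three bytes: Organization Unique Identifier
MAC_LEN = 6  # a MAC address is always 48 bits = 6 bytes

def parse_mac(text: str) -> bytes:
    """Accept colon, hyphen, dotted-quad or 'OUI.NIC' formats; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % (2 * MAC_LEN), digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def canonical(mac: bytes) -> str:
    """Colon-separated upper-case form, e.g. 00:A0:C9:14:C8:29."""
    return ":".join(f"{b:02X}" for b in mac)

def oui(mac: bytes) -> str:
    """Vendor part (bytes 1-3)."""
    return canonical(mac[:OUI_LEN])

def nic(mac: bytes) -> str:
    """Interface part (bytes 4-6)."""
    return canonical(mac[OUI_LEN:])

def is_multicast(mac: bytes) -> bool:
    """Bit 0 of byte 1 set = group (multicast/broadcast) address; a switch
    should never learn one of these as a source MAC."""
    return bool(mac[0] & 0x01)

def is_locally_administered(mac: bytes) -> bool:
    """Bit 1 of byte 1 set = address assigned locally rather than by the
    vendor, worth a second look when auditing a switch's MAC table."""
    return bool(mac[0] & 0x02)

# The slide's address in its four formats (constructed sample input)
SAMPLES = ["00:A0:C9:14:C8:29", "00-A0-C9-14-C8-29", "00A0.C914.C829", "00A0C9.14C829"]

if __name__ == "__main__":
    for s in SAMPLES:
        m = parse_mac(s)
        print(f"{s:20} -> {canonical(m)}  OUI={oui(m)}  NIC={nic(m)}")
```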
L2 - Ethernet Switch Functions
(Figure: four hosts attached to the switch: 08-3e-8e-11-11-11 on port A1, 08-3e-8e-22-22-22 on A2, 08-3e-8e-33-33-33 on A3, 08-3e-8e-44-44-44 on A4.)
Switch MAC Address Table – “Content Addressable Memory (CAM) Table”
MAC ADDRESS         PORT   VLAN   AGING
08-3e-8e-22-22-22   A2     1      300
08-3e-8e-11-11-11   A1     1      300
08-3e-8e-33-33-33   A3     1      300
08-3e-8e-44-44-44   A4     1      300
CAM Table – It is Not Infinite
Aging Timer – Time a non-transmitting host MAC address remains in the table (Cisco – 300 second default)
Layer 2 - Switch Port Security
• Port Security Options:
– Permit Specific MAC Address / Port
– Limit # MAC Addresses / Port
– “Sticky” MAC Learning Configuration
• Port Security Violations:
– Discard Frame
– Shutdown Port
– Notification
Prevents CAM Table Overflow Attacks – Limits DoS & DDoS Attacks
Switch Port Security
• 1 – Specify Interface
• 2 – Set Interface Mode
• 3 – Enable Port Security
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# switchport mode access
! the port must be an access port (not a dynamic port) before port security can be enabled
Switch(config-if)# switchport port-security
Switch Port Security
switchport port-security command syntax:
Switch(config-if)# switchport port-security [maximum #] [violation {protect | restrict | shutdown}] [mac-address mac-address [sticky]] [aging time #]
● maximum – Sets # of MAC addresses allowed on the port
● violation – Sets the violation mode (protect, restrict or shutdown)
● mac-address [sticky] – Sets how MAC addresses are learned (static entry or sticky learning)
● aging time – Sets the aging time (minutes) for dynamically learned secure MAC addresses
(On Cisco IOS each option is entered as its own switchport port-security command.)
Switch Port Security
Switch(config)# interface range FastEthernet 0/1-48
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
! enables port security on all 48 ports
Switch(config-if-range)# switchport port-security mac-address sticky
! sticky learning: once a MAC is learned it is entered into the running configuration
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# switchport port-security mac-address 0021.706a.cc3c
! static entry for a single port – note the dotted hexadecimal format
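To make the CAM aging timer and the port-security options from the last few slides concrete, here is an added Python model of one secured port (example code, not from the webinar and not Cisco code). SecurePort, the action strings and seconds-based aging are assumptions for the demo; the MAC addresses are the ones from the CAM table slide.

```python
from dataclasses import dataclass, field

# Added example (not from the webinar, not Cisco code): one switch port with
# port security, covering maximum MAC count, static / sticky addresses, aging,
# and the protect / restrict / shutdown violation modes. Times are seconds.

@dataclass
class SecurePort:
    name: str
    maximum: int = 1            # switchport port-security maximum <#>
    violation: str = "shutdown" # violation {protect | restrict | shutdown}
    sticky: bool = False        # sticky MACs are saved to the config and do not age
    aging: float = 0.0          # idle seconds before a dynamic secure MAC is dropped; 0 = never
    secure: dict = field(default_factory=dict)  # mac -> last-seen time (None = static)
    violations: int = 0
    shutdown: bool = False

    def configure_static(self, mac: str) -> None:
        """Equivalent of 'switchport port-security mac-address <mac>'."""
        self.secure[mac.lower()] = None

    def _age_out(self, now: float) -> None:
        if not self.aging or self.sticky:
            return
        for mac, seen in list(self.secure.items()):
            if seen is not None and now - seen > self.aging:
                del self.secure[mac]          # idle dynamic entry expired

    def frame_from(self, mac: str, now: float = 0.0) -> str:
        """Process a frame whose source MAC is `mac`; return the port's action."""
        mac = mac.lower()
        if self.shutdown:
            return "dropped (port err-disabled)"
        self._age_out(now)
        if mac in self.secure:
            if self.secure[mac] is not None:
                self.secure[mac] = now        # refresh the aging timer
            return "forwarded"
        if len(self.secure) < self.maximum:
            self.secure[mac] = now            # learn it as a secure MAC
            return "forwarded (learned)"
        self.violations += 1                  # over the limit: apply the violation mode
        if self.violation == "protect":
            return "dropped"                  # silently discard
        if self.violation == "restrict":
            return "dropped (violation logged)"   # discard, count and notify
        self.shutdown = True                  # err-disable the port
        return "dropped (port shut down)"
```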
VLAN Hopping
(Figure: frame formats)
Ethernet frame: PREAMBLE | DESTINATION MAC ADDRESS | SOURCE MAC ADDRESS | TYPE | DATA | CRC
802.1Q Ethernet frame: PREAMBLE | DESTINATION MAC ADDRESS | SOURCE MAC ADDRESS | TAG | TYPE | DATA | CRC
802.1Q tag: TPID “0x8100” | PRI | CFI | VLAN ID
Double-tagged (nested) frame: PREAMBLE | DESTINATION MAC ADDRESS | SOURCE MAC ADDRESS | TAG | TAG | TYPE | DATA | CRC
ARP – Address Resolution Protocol
• RFC 826 Defines
• Maps Network Address to Physical Address
• Maps IP Address to MAC Address
• “Request – Response” Format Protocol
• Local Network in Scope (ARP Request NOT routed)
• Inverse ARP (RFC 1293) / Reverse ARP (RFC 903)
• Gratuitous ARP
• Host ARP Cache
Don’t Confuse: MAC Address Table (switch) vs. ARP Table (host)
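Also added, not from the webinar: an arpwatch-style monitor that builds a host-side IP-to-MAC table from observed ARP replies and raises an alert when an address already in the table is announced with a different MAC, the symptom of the ARP spoofing listed under Network Threats. ArpReply, ArpMonitor and the sample replies are constructed for the demo.

```python
from dataclasses import dataclass

# Added example (not from the webinar): an arpwatch-style monitor that builds
# a host-side IP -> MAC table from observed ARP replies and alerts when an IP
# already in the table is announced with a different MAC, the symptom of ARP
# spoofing. The replies below are constructed sample data.

@dataclass
class ArpReply:
    t: float                  # time observed (seconds)
    sender_ip: str
    sender_mac: str
    gratuitous: bool = False  # unsolicited reply announcing sender_ip

class ArpMonitor:
    def __init__(self):
        self.table = {}       # ip -> (mac, time first seen with that mac)
        self.alerts = []

    def observe(self, r: ArpReply) -> str:
        mac = r.sender_mac.lower()
        known = self.table.get(r.sender_ip)
        if known is None:
            self.table[r.sender_ip] = (mac, r.t)
            return "new station"
        if known[0] == mac:
            return "ok"
        msg = f"{r.t:.0f}s: {r.sender_ip} changed from {known[0]} to {mac}"
        if r.gratuitous:
            msg += " via gratuitous ARP"
        self.alerts.append(msg)
        self.table[r.sender_ip] = (mac, r.t)   # track the latest claim
        return "changed"

REPLIES = [
    ArpReply(0, "192.168.1.1", "08:3e:8e:11:11:11"),     # default gateway
    ArpReply(5, "192.168.1.10", "08:3e:8e:22:22:22"),
    ArpReply(60, "192.168.1.1", "08:3e:8e:11:11:11"),    # refresh, unchanged
    ArpReply(61, "192.168.1.1", "08:3e:8e:33:33:33", gratuitous=True),  # gateway now claims a new MAC
]

def run(replies=REPLIES) -> list:
    """Feed the replies through the monitor and return the alerts raised."""
    m = ArpMonitor()
    for r in replies:
        m.observe(r)
    return m.alerts
```

A legitimate NIC replacement or gateway failover produces the same alert, so treat it as something to verify against the switch's MAC address table rather than as proof of an attack.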
802.1X Authentication
• RADIUS Server Application Based – Background Service or Dedicated Appliances
• “Remote Authentication Dial-In User Service”
• Centralized Authentication, Authorization, & Accounting
• Client – Server Based Protocol
Layer 2 – Data-Link Layer Access
• Implement Ethernet Switch Port Security
• Disable Unused Ports
• Config “Trunk / Tagged” Ports With Caution
(Figure: a switch carrying VLAN 100, VLAN 200 and VLAN 300 to segment network traffic. Disable any unused “Access” or “Untagged” ports. Configure “Trunk” or “Tagged” ports only when required. Enable switch port security: specific MAC address, limit number of MAC addresses / port, specify “shutdown” violation response.)
Hardening the Broadcast IP Network
Broadcast Infrastructure Cybersecurity
Layer 2 Hardening
• Disable Telnet – Use SSH
• Set SNMP Secrets
• Minimize Spanned VLAN(s)
• Set STP Root Designation
• Enable Spoofing Features
• Disable Unused Ports
• Do Not Use VLAN1
• Disable CDP (Cisco)
• Enable Port Security
• Use Authentication (802.1x)
Takeaway Points & Reference Resources
Broadcast Infrastructure Cybersecurity
Takeaway Points – Part 1
• Recognize & Accept The “Security Lifecycle”
• Have a Security Policy
• Utilize a “Defense in Depth” Strategy
• Understand the Security Threat Landscape
• Begin With Network Design – Segment Your Network
– Security – Performance Enhancement
• Implement a Structured Plan
– Begin with Physical Security
– Implement Switch Port Security
– Implement Packet Filtering
– Implement Encrypted Access
– Implement Trust (authentication)
• Implement Ethernet Port Security
• Disable Any “Unused” Ports
• Enable “Trunk/Tagged” Ports w/Caution
• Do Not Use VLAN 1
• Monitor Your Network – Know What is Normal!
Future Webinars Will Continue to Build This List
FCC Working Group 4
https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf
The Challenge: Security vs. Usability
SBE Webinar Series - 2018
Broadcast Infrastructure Cybersecurity
Webinar # 2 – “Understanding The Firewall” – Major Topics (February 27, 2018):
• Webinar #1 Takeaway Point Review
• The Access Control List (ACL)
• The Firewall
• Firewall Implementation & Ruleset Configuration
• Applying the Security Policy – Firewall Ruleset
• Takeaway Points & Reference Resources
• Questions & Discussion
Webinar # 3 – “Understanding Secured Remote Access” – Major Topics (March 27, 2018):
• Webinar #2 Takeaway Point Review
• Secured Remote Access
• Establishing Secured Remote Access
• VPN Implementation & Configuration
• Takeaway Points & Reference Resources
• Questions & Discussion
Webinar # 4 – “Security Verification Thru Penetration Testing” – Major Topics (April 24, 2018):
• Webinar #3 Takeaway Point Review
• Proactive Security Monitoring
• Network Penetration Testing Overview
• Network Penetration Testing Tools
• Network Penetration Tool Example(s)
• Takeaway Points, Reference Resources, & Webinar Series Wrap-Up
• Questions & Discussion
My Favorite Reference Texts:
Thank You for Attending!
Wayne M. Pecena
Texas A&M University
[email protected]
[email protected]
979.845.5662
Questions & Discussion
Secretary, Board of Directors; Executive Committee Member; Chair, Education Committee