Transcript of “Fundamentals of IP Networking 2017 Webinar Series”

Post on 31-May-2019



“Fundamentals of IP Networking 2017 Webinar Series”

Part 5 Cybersecurity Fundamentals & Securing the Network

Wayne M. Pecena, CPBE, CBNE Texas A&M University

Educational Broadcast Services – KAMU Public Broadcasting

August_2017 IP_Net_Fundamentals-Part-5

“Fundamentals of IP Networking 2017 Webinar Series” Advertised Presentation Scope

Part 1 - Introduction to IP Networking Standards & the Physical Layer

Part 2 - Ethernet Switching Fundamentals and Implementation

Part 3 - IP Routing and Internetworking Fundamentals

Part 4 - Building a Segmented IP Network Focused On Performance & Security - July 25

Part 5 - Cybersecurity Fundamentals & Securing the Network - August 29

2

Part 5 will wrap up the webinar series by providing an understanding of the conceptual aspects of network security and of practical, structured implementation steps. Practical implementation practices will focus upon “defense in depth” tactics that include the creation of a security policy, physical security, Ethernet switch security, and layer 3 security approaches.

Today’s Outline:

• 1. Takeaway Review From Webinar 4

• 2. Structured Security Implementation

– Intro to Network Security & Terminology

– 1- Physical Layer

– 2 - Data-Link Layer

– 3 - Network Layer & Above

• 3. Thinking Like a “Hacker”

– Mindset

– Tools of the Trade

• 4. Best Practices, References, & Questions

3

Takeaway Points – Part 4

• Use Segmented Network Design Techniques:

– Performance

– Security

– Policy

• VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated Networks, Broadcast Domains, or Subnets

• Each Network, Subnet, or VLAN is a Broadcast Domain With a Unique IP Address Scheme

• L2 Ethernet Switches Eliminate Collision Domains

• L3 Routers Control Broadcast Domains

• NAT Can Be Used to Minimize IPv4 Address Space

• IP Addressing Rules Must Be Obeyed:

– Each Network MUST Have a Unique Network ID

– Each Host MUST Have a Unique Host ID

– Every IP Address MUST Have a Subnet Mask

– An IP Address Must Be Unique Globally If the Host is on the Public Internet

– The First & Last IP Addresses of a Network are Not Useable!

4

Structured Security Implementation

IP Network Security Risks to the Broadcast Station

• Dead Air

• Impact Upon Resources

• Loss of Revenue

• Public Embarrassment

• Breach of Data

• Potential Liability

• Lost Trust

Courtesy: Chris Homer @ PBS

6

The Broadcast Technical Plant Is Changing (has changed – will continue to change)

• Transition to IP Based Plant

• Transition to Cloud Based Services

• Transition to Service Based Architecture

7

Cybersecurity

• Cybersecurity is focused upon the protection of computers, networks, programs and data from damage, destruction, or unauthorized change.

“Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following:”

– Availability

– Integrity

– Confidentiality

International Telecommunications Union ITU-T X.1205

8

A Cyber Attack Chain Model

Step – Description

Reconnaissance & Probing – Find target; harvest information (email, conference listings, public lists, etc.)

Delivery & Attack – Place delivery mechanism online; use social engineering to induce target to access malware or other exploits

Installation & Exploitation – Exploit vulnerabilities on target systems to acquire access; elevate user privileges and install additional “tools”

Compromise & Expansion – Exfiltration of data; use compromised systems to exploit additional systems

Courtesy: Chris Homer @ PBS

9

Attributes of a Secure Network

• Layered Approach (“Defense in Depth” NOTE 1)

– Different Security Controls Within Different Groups

• Security Domains – Segmentation of Network Into Areas or Groups

• Privileges – Restrict to “Need-To-Access”

– “Deny by Default”

• Access – Restrict by Firewalls, Proxies, etc.

• Logging – Accountability, Monitoring, & Activity Tracking

NOTE 1 – Cisco Security Terminology

10

Goals of Data Security

• Provides Confidentiality – Prevent Disclosure - Maintain Privacy

• Maintains Data Integrity – Prevent Data Alteration

• Provides Availability – Prevent Denial of Use

The CIA or AIC Triad

11

[Figure: protocol layers on the Send Host and Receive Host, linked by the Media, carrying DATA]

Implement a Multi-Layer Approach “Defense – In – Depth”

12

“Defense – In – Depth”

[Figure: Defense-in-Depth rings – Data, Application, Host, Internal Network, Perimeter Network, Physical, Administrative Procedures & Policies – shown alongside the seven OSI layers: 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application]

13

Layer 1 - Physical Access

• Restricted Physical Access to Network Infrastructure

• Controlled Access: – Access Badges

– Cyber-Locks

– Bio-Recognition

• Monitor Access – Access Logs

– Surveillance Cameras

14

Switch Port Security Actions

• Port Security Options:

– Specific MAC Address/Port

– Limit Learned MACs

• Port Security Violations:

– Discard Frame if Violation

– Discard Frame if Violation - Send SysOp Notification

– Shutdown Switch Port if Violation

15

Layer 2 – Data-Link Layer Access

• Implement Ethernet Switch Port Security

[Figure: Ethernet switch carrying VLAN 100, VLAN 200 and VLAN 300 to segment network traffic, annotated as follows]

– Disable Any Unused “Access” or “Untagged” Ports

– Configure “Trunk” or “Tagged” Ports Only When Required

– Enable Switch Port Security:

» Specific MAC address

» Limit number of MAC addresses / port

» Specify “shutdown” violation response

– Segment Network Traffic

16
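As an added illustration (not the presenter's material or any vendor's code), the Python model below simulates the port-security behaviour described on the two slides above: a per-port limit on learned MAC addresses and the three violation responses (discard, discard and notify, shut the port down). The mode names are Cisco-style assumptions and the MAC addresses are constructed.

```python
"""Switch port-security model: added illustration, not vendor code.
Violation modes are Cisco-style assumptions: 'protect' silently drops the
frame, 'restrict' drops and notifies, 'shutdown' error-disables the port."""
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    max_macs: int = 1                                # learned-MAC limit per port
    mode: str = "shutdown"                           # protect | restrict | shutdown
    allowed: set = field(default_factory=set)        # statically configured MACs
    learned: set = field(default_factory=set)        # dynamically learned MACs
    shut: bool = False
    violations: int = 0
    notifications: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.shut:
            return False                             # a shut port drops everything
        if src_mac in self.allowed or src_mac in self.learned:
            return True
        if len(self.allowed | self.learned) < self.max_macs:
            self.learned.add(src_mac)                # learn while under the limit
            return True
        # Unknown MAC beyond the limit: a violation, handled per the configured mode.
        self.violations += 1
        if self.mode == "restrict":
            self.notifications.append(f"{self.name}: violation from {src_mac}")
        elif self.mode == "shutdown":
            self.shut = True
            self.notifications.append(f"{self.name}: port shut down ({src_mac})")
        return False

def demo(mode: str) -> dict:
    """Legitimate host, then a rogue device, then the legitimate host again.
    Constructed MACs. In 'shutdown' mode the legitimate host is also taken
    offline after the violation, the availability cost of that response."""
    port = SecurePort("Gi0/1", max_macs=1, mode=mode)
    legit, rogue = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02"
    forwarded = [port.ingress(legit), port.ingress(rogue), port.ingress(legit)]
    return {"forwarded": forwarded, "shut": port.shut, "violations": port.violations}

if __name__ == "__main__":
    for m in ("protect", "restrict", "shutdown"):
        print(m, demo(m))
```

Running it shows why the “shutdown” response needs a monitored notification path: the offending device is stopped, but the legitimate host on that port is silenced too until someone re-enables the port.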

Layer 3 and Above

• Utilize Network Equipment Security Features

• Implement “Access Control Lists”

• Implement Firewalls

– Border

– Internal

• Implement Encryption

– Secure Connectivity “IPSec”

• Utilize Application Security Where Possible

• Identity Trust “AAA”

17

Access Control List “ACL”

• Provides “Basic” Network Access Security Buffer - Packet Filter Based

• Filter IP Network Packets:

– Forwarded @ Egress Interface

– Blocked @ Ingress Interface

• Standard Access List

– Can Only Permit or Deny The Source Host IP Address

– Placed Closest to Destination Host

• Extended Access List

– Can Permit or Deny Based Upon:

• Source IP Address

• Destination IP Address

• TCP Port #

• UDP Port #

• TCP/IP Protocol

– Placed Closest to Source Network

18

Implementing an Access Control List

[Figure: router with Interface 0/0 and Interface 0/1; on each interface an Ingress ACL filters inbound packets and an Egress ACL filters outbound packets. Create the Access Control List, then apply the Access Control List to the interface.]

Permit or Deny:

– Source IP Address

– Destination IP Address

– ICMP

– TCP/UDP Source Port

– TCP/UDP Destination Port

One ACL per:

– Interface

– Direction

– Protocol

19

ACL Implementation Example – Block External Users From “Pinging” Inside Network Hosts

[Figure: Router 1 with interfaces E0 and E1, connecting “The Internet” to the inside network 192.168.10.0/24 (addresses 192.168.10.1, 192.168.10.2 and 192.168.10.6)]

Create Access List on Router 1 (an extended list number is used, since a standard list can only match the source address and so cannot match ICMP):

access-list 100 deny icmp any any
access-list 100 permit ip any any

Apply Access List to Interface:

interface ethernet1
ip access-group 100 in

Configuration Disclaimer: Exact configuration commands may vary based upon specific equipment models and software version. Generic “Cisco” commands utilized for illustration purposes.

20

Network Security Tools

• Firewall – Used to Create a “Trusted” Network Segment by Permitting or Denying Network Packets

– Filters Based Upon Preset Rules

21

Firewall Types

• Stateless Packet Filtering – Single Packet Inspection

– Access Control List “ACL” – Ingress or Egress Filtering

– No knowledge of flow

– Filters on IP Header info – Layer 3

• Stateful Packet Filtering – Conversation Inspection

– Filters on IP Header info – Layers 3-4

– Records conversations – then determines context:

» New Connections

» An Existing Conversation

» Not involved in any conversation
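The following Python is an added illustration (not the presenter's material or any vendor's code) of the two filter types above and of the ICMP-blocking ACL from the earlier example: a stateless ACL judges every packet alone with first-match semantics and an implicit deny, while a stateful filter records the conversations inside hosts open and admits only their return traffic. Packets and addresses are constructed.

```python
"""Stateless ACL versus stateful filtering: added illustration, not vendor code.
ACL_100 mirrors the slide example (deny ICMP, permit everything else): first
match wins and an unmatched packet falls to the implicit deny at the end."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0

# Extended-ACL entries as (action, protocol, destination port); "any" is a wildcard.
ACL_100 = [("deny", "icmp", "any"), ("permit", "ip", "any")]

def acl_permits(acl, pkt: Packet) -> bool:
    """Stateless check: each packet is judged alone, with no notion of a flow."""
    for action, proto, dport in acl:
        if proto in ("ip", pkt.proto) and dport in ("any", pkt.dport):
            return action == "permit"
    return False        # implicit deny at the end of every ACL

class StatefulFilter:
    """Records conversations opened from inside; admits only their return traffic."""
    def __init__(self):
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> bool:
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True             # inside-to-outside: "All Allowed"

    def inbound(self, pkt: Packet) -> bool:
        # A reply has the request's endpoints swapped; anything else is unsolicited.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare() -> dict:
    """Constructed traffic: an inbound ping, an unsolicited inbound TCP probe, and
    the reply to a connection an inside host opened. Addresses are constructed."""
    inside, outside = "192.168.10.2", "203.0.113.9"
    ping_in = Packet("icmp", outside, inside)
    probe_in = Packet("tcp", outside, inside, 40000, 443)
    reply_in = Packet("tcp", outside, inside, 443, 51000)
    fw = StatefulFilter()
    fw.outbound(Packet("tcp", inside, outside, 51000, 443))
    return {"acl": [acl_permits(ACL_100, p) for p in (ping_in, probe_in, reply_in)],
            "stateful": [fw.inbound(p) for p in (ping_in, probe_in, reply_in)]}
```

The ACL stops the ping but cannot tell the unsolicited probe from the legitimate reply, since both are inbound TCP; the stateful filter rejects the probe because no inside host opened that conversation.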

22

Firewall Implementation

[Figure: a “Stateful” firewall (functionality may be implemented in the “Border” router) separates the Internet (Outside) from the Internal Network(s) and a Demilitarized Zone “DMZ” holding an Email Server and a Web Server. Toward the DMZ servers: HTTP & SMTP / POP only allowed. Remaining traffic labels on the figure: All Allowed; Return Session Only Allowed; All Allowed; All Blocked.]

23

Firewall Use Caution

• False Sense of Security

– “I Have A Firewall”

– Know What The Firewall is Doing

• Minimize Protection Zone

• Formal Policy Required – Pre-Define Rules

– Periodic Review

– Monitor Activity

• Performance Impact – Throughput (packets/sec)

– Latency

• Don’t Overlook Egress – Permit Only Ports Needed

24

“IPsec” Internet Protocol Security

• IPsec – End-to-End Scheme to Encrypt Communications

– IPv4 – Optional Implementation

– IPv6 – Mandatory Implementation (Recommended)

• Layer 3 Implementation

• Modes: – Tunnel Implementation (VPN Packet Encapsulation)

– Transport (Host-to-Host Payload) Implementation

[Figure: Encapsulating Security Payload (ESP) – Encrypt & Authenticate; New Header Added]

25

Thinking Like a “Hacker”

The “Hacker” Culture

• “White Hat” Hacker

– Intent is to protect IT systems

• “Black Hat” Hacker – Intent is to harm IT systems

• “Gray Hat” Hacker – Intent is the challenge

27

The “White Hat Hacker”

• “Ethical Hackers” - Work to Protect Systems as a Network Security Professional by Using Network Hacker Tools

• Hacker Types:

– Script Kiddies

– Hacktivists

28

Common IP Network Threats

• IP Address Spoofing – Packets sent from a false source address

– Common use in Denial-of-Service “DoS” Attack

• ARP Spoofing – Links false MAC address to a legitimate IP address

– Common “Man-In-The-Middle” Attack

• DNS Server Spoofing – Routes a legitimate domain to a false destination address

29

Tools of the “Hacker” – 10 Most Popular

• nmap

• Metasploit

• John The Ripper

• THC Hydra

• OWASP Zed

• Wireshark

• Aircrack-ng

• Maltego

• Cain and Abel Hacking Tool

• Nikto Website Vulnerability Scanner

31

Wireshark

• “Open Source” Protocol Analyzer

• Often Referred to as a “Sniffer”

• Developed in 1998 as “Ethereal”

• Renamed Due to Trademark Issues

• Analysis of “Live” & “Recorded” Network Activity

• Useful To:

– Isolate performance issues

– Understand application interaction

– Network Benchmarking

– Determine What is Not the Problem

– Network Forensics – Detect Malware (signature display)

32

Tools of the “Hacker”

• Available for Windows, Mac OSx, & Linux

• Download at: www.wireshark.org

• Include Libraries: – WinPcap

– Libpcap

33

[Screenshot: Wireshark capture with packet 192 selected, header details displayed, payload data decoded (hex & ASCII)]

34

Filtering

• Filter Building Blocks:

– Protocol

– Direction (Source or Destination)

– Type

• Capture Filters – Selectively Capture Packets

– Pre-Capture Configuration

– Minimizes Captured Data

• Analysis Filters – Applied When Viewing

– Allows Focusing on an Attribute

– All Data is Retained

35

Using “Capture” Filters

36

Useful “Capture” (pcap) Filter Examples

• ip

• tcp

• udp

• host 165.95.240.130

• host 165.95.240.128/26

• host 165.95.240.128 mask 255.255.255.192

• src net 165.95.240.128/26

• dst net 165.95.240.128/26

• port 80

• not broadcast and not multicast

http://www.tcpdump.org/manpages/pcap-filter.7.html

37

Using “Display” Filters

38

Tools of the “Hacker”

• Obtain & Install “nmap”: https://nmap.org/

– Linux (BEST-Ubuntu, Fedora, Centos, BSD, Kali)

– Windows (> WIN7 but limitations)

• Obtain & Install “zenmap”: https://nmap.org/zenmap/

40

“Network Mapper”

• Determine Active Network Hosts

• Determine Host OpSys

• Determine Open Ports / Services Active

• Diagram Network Architecture

Network Mapper is an open source network scanning utility used to determine information about network hosts.

Used For:

– Host Discovery

– Security Profile Auditing

– Network “Hacking”

41

Disclaimer “Network Scanning”

• Be Aware of Network Scanning Ethics & Legalities

• Guidelines to Follow:

– Ensure You Have Permission to Scan

– Limit Target & Scope of Your Scan

– Understand Your ISP AUP

– Use Caution with Options

– Have a Reason to Scan Network

• Be Aware: – Aggressive Scanning Can Crash a Host - Use Caution!

Further Information:

https://nmap.org/book/legal-issues.html

42

Simple nmap Scan

nmap <ip address>

43

nmap Profiles – Create Your Custom Profile

44

nmap Examples

• Scan Single Host

• Scan Multiple Hosts

• Scan Range of IP Addresses

• Scan a Subnet

• Perform an Aggressive Scan

• Discovery Attempt: No Ping

• Discovery Attempt: Ping Only

• Discovery Attempt: Host OS

• Fast Port Scan

• Scan Specific Port

Sampling of > 125 nmap commands

45

Scan Range of IP Addresses

46

Scan a Subnet

NOTE CIDR Notation

47

Perform an Aggressive Scan

48

Discovery Attempt: Ping Only – Topology Map

49

Discovery Attempt: Host OS

50

Fast Port Scan

nmap scans top 1,000 ports by default

“Fast Port Scan” scans top 100 ports

51

NSE - nmap Scripts

• Nmap Scripting Engine (NSE)

• Automates nmap Tasks

• Activating NSE: “-sC option”

• Script Library: https://nmap.org/nsedoc/

• Create Your Own: Lua Script Framework

52

[Screenshot: scan output listing open ports – 21-FTP, 139-NetBIOS, 445-Active Directory, 2100-Amiga File System, 6789-]

54

55

56

SHODAN https://www.shodan.io

57

SHODAN https://www.shodan.io

58

TAKEAWAYS, REFERENCES, QUESTIONS, AND MAYBE SOME ANSWERS

59

Takeaway Points - Security

• Recognize & Accept The “Security Lifecycle”

• Understand Security Threat Landscape

• Segment Your Network

– Security

– Performance

• Lock All Your Doors

– Limit Privileged Users

– Implement “Layer 1-3” Security Features

– Don’t Overlook the “Back Door” Access

• Use Firewall(s) to Limit Ingress & Egress

• Follow Industry “Best Practices”

• Implement “Defense in Depth” Strategy

• Monitor Your Network Activity – Know the “Norm”

• Test Your Network Security – Think Security “Proof-of-Performance”

60

Network Security Best Practices

• Recognize Physical Security

• Change Default Logins

• Utilize Strong Passwords

• Disable Services Not Required

• Adopt a Layered Design Approach

• Segregate Network(s)

• Separate Networks via VLANS

• Implement Switch Port Security

• Utilize Packet Filtering in Routers & Firewalls

• Do Not Overlook Egress Traffic

• Deny All Traffic – Then Permit Only Required

• Keep Up With Equipment “Patches”

• Utilize Access Logging on Key Network Devices

• Utilize Session Timeout Features

• Encrypt Any Critical Data

• Restrict Remote Access Source

• Understand & Know Your Network Baseline

• Actively Monitor and Look for Abnormalities

• Limit “Need-to-Access”

• Disable External “ICMP” Access

• Don’t Use VLAN 1

61

The Challenge: SECURITY vs. USABILITY

62

FCC Working Group 4

https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf

63

Local Broadcast Radio Station

64

Local Broadcast TV Station

65

EAS Advisory Group http://www.sbe.org/sections/news/EASsecurity.php

66

nmap Practice Target scanme.nmap.org

67

My Favorite Reference Texts:

69

70

Thank You for Attending!

Wayne M. Pecena wpecena@sbe.org

979.845.5662

71