SBE Webinar Series - 2018 Broadcast Infrastructure Cybersecurity - Part 2 Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services – KAMU FM-TV


Page 1: SBE Webinar Series - 2018 Broadcast Infrastructure ...Webinar # 2 – “Understanding The Firewall” Major Topics: Webinar #1 Takeaway Point Review The Firewall The Access Control

SBE Webinar Series - 2018

Broadcast Infrastructure Cybersecurity - Part 2

Wayne M. Pecena, CPBE, CBNE Texas A&M University

Educational Broadcast Services – KAMU FM-TV

Page 2:

Broadcast Infrastructure Cybersecurity Advertised Presentation Scope

Webinar Series Overview: As broadcast station IP networks have grown and become an integral part of the broadcast technical plant, the security threats have grown with them, so that network security is an ongoing essential task for the broadcast engineer with IT responsibilities. This webinar series provides an understanding of IP network security terminology, security plan principles, best practices, proactive implementation techniques, and active security verification. Practical implementation examples utilizing popular network infrastructure equipment are provided, along with public domain security assessment tools. At the conclusion of this webinar series, you should have a fundamental understanding of IP network security principles, an understanding of how to develop a network security plan for your organization, and best-practice implementation approaches. Network security is an ongoing IT process and should never be treated as a one-time set-up-and-forget task.

Prerequisite Knowledge: It is recommended that participants have an understanding of IP networking fundamentals that includes OSI model structure, Ethernet switch operation, IP layer 3 system protocols, TCP 3-way handshake, and the use of port numbers.

Page 3:

Broadcast Infrastructure Cybersecurity

Webinar # 2 – “Understanding The Firewall”

Major Topics:
• Webinar #1 Takeaway Point Review
• The Firewall
• The Access Control List (ACL)
• Firewall Implementation & Ruleset Configuration
• Takeaway Points & Reference Resources
• Questions & Discussion

Page 4:

Takeaway Points – Part 1

• Recognize & Accept The “Security Lifecycle”
• Have a Security Policy
• Utilize a “Defense in Depth” Strategy
• Understand the Security Threat Landscape
• Begin With Network Design - Segment Your Network
  – Security
  – Performance Enhancement
• Implement a Structured Plan
  – Begin with Physical Security
  – Implement Switch Port Security
  – Implement Packet Filtering
  – Implement Encrypted Access
  – Implement Trust (authentication)
• Implement Ethernet Port Security
• Disable Any “Unused” Ports
• Enable “Trunk/Tagged” Ports w/Caution
• Do Not Use VLAN 1
• Monitor Your Network – Know What is Normal!

Future Webinars Will Continue to Build This List

Page 5:

Ethernet Switch Functions

Basic Switch Functions:
• Learn MAC Addresses – Build “Table” (CAM table)
• Filter / Forward Ethernet Frames
• Flood Ethernet Frames
  – Broadcast Frame
  – Destination MAC Not in CAM Table

Managed Switch Functions:
• Establish VLAN(s)
• Provide Loop Avoidance - Redundancy (STP)
• Provide Port Security Features
• Provide Multicast Support (IGMP Snooping)

Page 6:

Layer 2 - Switch Port Security

• Port Security Options:
  – Permit Specific MAC Address / Port
  – Limit # MAC Addresses / Port
  – “Sticky” MAC Learning Configuration
• Port Security Violation Responses:
  – Discard Frame (Cisco “protect” / “restrict” modes)
  – Shutdown Port (err-disabled until cleared)
  – Notification (SNMP trap / syslog)

Prevents CAM Table Overflow Attacks; Limits DoS & DDoS Attacks launched from a single switch port

Page 7:

Layer 2 – Data-Link Layer Access

• Implement Ethernet Switch Port Security
• Disable Unused Ports
• Config “Trunk / Tagged” Ports With Caution

Figure: Disable any unused “access” or “untagged” ports. Configure “trunk” or “tagged” ports only when required. Enable switch port security: specific MAC address, limit number of MAC addresses per port, specify “shutdown” violation response. VLAN 100, VLAN 200, VLAN 300 – Segment Network Traffic.

Page 8:

Layer 2 Hardening

• Disable Telnet – Use SSH
• Set SNMP Secrets (replace default community strings; prefer SNMPv3)
• Minimize Spanned VLAN(s)
• Set STP Root Designation (protect it with root guard / BPDU guard on access ports)
• Enable Anti-Spoofing Features (e.g. DHCP snooping, dynamic ARP inspection)
• Disable Unused Ports
• Do Not Use VLAN 1
• Disable CDP (Cisco) on untrusted ports
• Enable Port Security
• Use Authentication (802.1X)

Page 9:

Cybersecurity Attack Model

Network Probing & Reconnaissance → Delivery & Attack → Installation & Exploitation → Compromise & Expansion

Reconnaissance uses passive & active approaches to find target(s) and harvest information.

Page 10:

Structured Implementation Plan

Layer 1 – Physical Access
Layer 2 – Ethernet Switch Security
Layer 3 – Packet Filtering
Layer 4 and above – Encryption & Authentication

Page 11:

L3 and Above Network Security Tools

• Firewall
  – Used to Create a “Trusted” Network Segment by Filtering Network Packets (Permit / Deny)
  – Types of Firewalls:
    • Stateless Packet Filtering – Single Packet Inspection Based
    • Stateful Packet Filtering – Flow or Conversation Inspection Based
    • Proxy – Intermediary Host or Software Application
  – Access Control Mechanism
• Detection Tools
  – Intrusion Detection Systems (IDS)
    • Signature Based
    • Anomaly Based
    • False Positives / False Negatives
  – Intrusion Prevention Systems (IPS)
    • Combine Firewall & IDS Functions

Figure: Proxy host placed between the External Network and the protected network.

Page 12:

The Firewall

Broadcast Infrastructure Cybersecurity

Page 13:

What is a Firewall?

Device (hardware or software) That Controls Which IP Packets Enter or Exit a Network (Permit or Deny)

Why Use?
● First level of defense
● Protection for hosts lacking security
● Protection for a group of hosts

Page 14:

Generations of Firewall Technology

• Generation 1: Packet Filtering (static inspection)
• Generation 2: Circuit Level Gateway (NAT)
• Generation 3: Packet Filtering (stateful inspection - dynamic)
• Generation 4: Application Level Gateway (Proxy)
• Generation 5 and beyond: Application Level - Kernel Proxy

Page 15:

Firewall Types

• Packet Filtering (stateless)
• Packet Filtering (stateful inspection)
• Application Gateway (proxy)
• Circuit Gateway (NAT) – Hides Internal Host IP Address
• Next-Gen Firewall – Traditional Stateless / Stateful Firewall + Application Deep Packet Inspection (DPI) + Intrusion Prevention System (IPS)

Page 16:

A “State” • A dynamic rule created by the firewall based upon a host-to-host source/destination address-port combination

Figure: TCP three-way handshake between Send Host and Receive Host:
1. Send Host → Receive Host: “I want to connect. My sequence number is 100.” SEQ = 100, CONTROL = SYN
2. Receive Host → Send Host: “I received your sequence 100! My sequence number is 1 and I am ready for 101.” SEQ = 1, ACK = 101, CONTROL = SYN, ACK
3. Send Host → Receive Host: “I received your sequence 1 and am ready for sequence 2.” SEQ = 101, ACK = 2, CONTROL = ACK

State entry recorded by the firewall (both directions of the same conversation):
165.95.240.130:32985 ---> 74.125.21.147:443
74.125.21.147:443 ---> 165.95.240.130:32985

Page 17:

Firewall Software & Appliances

• Software Based:
  – iptables (Linux)
  – pfSense
  – ZoneAlarm (Windows)
• Appliance Based:
  – Cisco PIX
  – Cisco ASA
  – Check Point FireWall-1
  – Barracuda Firewall

Page 18:

The IPv4 Packet Header

• Protocol – Indicates upper layer protocol (TCP, UDP, ICMP as examples)
• Source Address – Address of “sending” Host
• Destination Address – Address of “receiving” Host

Figure: IPv4 header, one 32-bit (4-byte) word per row, 20 bytes without options. Field (bits):
Row 1: Version (4) | Header Length (4) | Precedence / Type of Service (8) | Total Length (16)
Row 2: Identification (16) | Flags (3) | Fragment Offset (13)
Row 3: Time to Live (8) | Protocol (8) | Header Checksum (16)
Row 4: Source IP Address (32)
Row 5: Destination IP Address (32)
Row 6: Options & Padding (0 or a multiple of 32)
Followed by the Packet Payload (Transport Layer Data)

Page 19:

The Access Control List (ACL)

Broadcast Infrastructure Cybersecurity

Page 20:

Packet Filtering Border Router

Figure: External Network (Internet) – Un-Trusted | Border Router w/Packet Filtering (ACL) | Internal Network (Private) – Trusted. The router forms the Security Perimeter, the boundary creating the “Trust” zone.

Page 21:

The Access Control List “ACL”

• Statements That Permit or Deny Layer 3 Network Traffic
• The “ACL” is a Predefined “Rule” Script
• Packet (layer 3 PDU) Filtering Accomplished:
  – By A Layer 3 Router
  – Inspect Incoming & Outgoing Packets Against the Rules
  – Determine if the Packet Is to Be Forwarded or Dropped
• The Layer 3 Router with ACLs Implemented – Becomes a Basic Firewall (Generation 1)
• Why Use an ACL?
  – Provide Security by Denying Specific Packets – Destination Host(s)
  – Provide Security by Denying Specific Packets – Source Host(s)
  – Provide Security by Denying Specific Packets – Protocol(s)
  – Minimize Specific Packets to Increase Performance
  – Classify Packets for Quality-of-Service (QoS) Applications

Page 22:

Access Control List “More Details”

• Provides a “Basic” Network Access Security Buffer - Packet Filter Based
• Filters IP Network Packets:
  – Applied inbound (ingress) or outbound (egress) on an interface; a denied packet is dropped at that interface
• Standard Access List – Layer 3 Header Info – Can Only Permit or Deny on The Source Host IP Address – Placed Closest to the Destination Host (so it does not also cut off traffic to other destinations)
• Extended Access List – Layer 3 & 4 Header Info – Can Permit or Deny Based Upon:
  • Source IP Address
  • Destination IP Address
  • TCP Port #
  • UDP Port #
  • IP Protocol (TCP, UDP, ICMP, ...)
  – Placed Closest to the Source Network (so unwanted traffic is dropped before it crosses the network)
• ACL Can Be Numbered or Named
  – Standard: 1 – 99 or 1300 - 1999
  – Extended: 100 – 199 or 2000 - 2699

Page 23:

ACL Guidelines

• One (1) ACL / Interface / Protocol / Direction
• The ACL is Processed Hierarchically (top down) – the first matching statement decides
  – More specific statements first
  – Less specific statements follow
• The ACL is Created Globally – Applied to a Specific Interface
• The ACL Filters:
  – Packets passing through the router
  – Packets destined to the router (inbound ACL)
  – Packets the router itself originates are NOT filtered by an interface ACL
• The ACL Has an “Implicit Deny All” @ End – An ACL must contain at least one “permit” statement, or it blocks all traffic in that direction on the interface

Reference: www.routerfreak.com/understanding_access-control-lists-acl/

#access-list 100 permit ip any any

Page 24:

Implementing an Access Control List

Figure: Router with Interface 0/0 and Interface 0/1. On each interface an Ingress ACL filters inbound packets and an Egress ACL filters outbound packets.

Permit or Deny on:
• Source IP Address (standard)
• Source IP Address (extended)
• Destination IP Address
• ICMP
• TCP/UDP Source Port
• TCP/UDP Destination Port

One ACL per: Interface / Direction / Protocol

Steps: 1. Create the Access Control List  2. Apply the Access Control List to an interface

Page 25:

Access Control List (ACL) Syntax

• Standard ACL:
  access-list access-list-number {permit|deny} match-parameter
  Match-parameters: any | host IP | network-IP wildcard

• Extended ACL:
  access-list access-list-number {permit|deny} protocol {any | host IP | source source-wildcard} [eq source-port] {any | host IP | destination destination-wildcard} [eq destination-port]

Page 26:

The Access Control List (ACL) “Examples”

Broadcast Infrastructure Cybersecurity

Page 27:

“Wildcard” Mask

• Common Use: Routing Protocols & ACL
• Used to Specify a Range of IP Addresses
• IPv4 Wildcard Mask is 32 bits
• Equivalent to the Inverted Subnet Mask: “255.255.128.0” Subnet Mask → “0.0.127.255” Wildcard Mask
• Binary Operators:
  – “0” bit: the corresponding address bit must match
  – “1” bit: the corresponding address bit is ignored (don’t care)

11111111.11111111.10000000.00000000 Subnet Mask
00000000.00000000.01111111.11111111 Wildcard Mask

Page 28:

Calculate the Wildcard Mask

• Subnet Mask = 255.255.128.0
• Wildcard Mask = 0.0.127.255

IPv4 Address Space 255.255.255.255, subtract the subnet mask 255.255.128.0, yields the inverted mask 0.0.127.255

Page 29:

ACL Example(s)

• Permit ALL IPv4 Addresses:
  – #access-list 1 permit 0.0.0.0 255.255.255.255   (equivalent to “permit any”)
• Permit All 192.168.1.0 Hosts:
  – #access-list 1 permit 192.168.1.0 0.0.0.255
• Permit Only IP Address 192.168.1.100:
  – #access-list 1 permit 192.168.1.100   (no wildcard = single host, same as “host 192.168.1.100”)
• Deny Only IP Address 192.168.1.100:
  – #access-list 1 deny 192.168.1.100
  – #access-list 1 permit any   (a standard ACL matches the source only, so a single “any”; “any any” is extended-ACL syntax)

Remember the Implicit DENY at the end of the list

Remember to Apply the ACL to an Interface (ip access-group)

Page 30:

“ping” – Packet Internet Groper

Sending Host Sends ICMP “echo request”
Destination Host Replies with ICMP “echo reply”
Round-Trip Times Returned
Be Aware of Command Line Options

Page 31:

ICMP Messages:

• Network Layer Based – RFC 792 (RFC 1256 covers only ICMP router discovery) – The “Tattle Tale” Protocol
• Platform Utilized by ping & traceroute

Page 32:

Access Control List (ACL) - Example

Figure: Router 1 with interface E0 toward The “Internet” and interface E1 toward the inside hosts 192.168.10.1 /24, 192.168.10.2 /24, 192.168.10.6 /24.

Goal: Block External Users From “Pinging” Inside Network Hosts

Create Access List on Router 1:
access-list 100 deny icmp any any
access-list 100 permit ip any any

Apply Access List to Interface:
interface ethernet1
ip access-group 100 in

Apply the list inbound on the interface that faces the Internet; applied inbound on the LAN-facing interface it would instead stop the inside hosts’ own pings from leaving. Note also that “deny icmp any any” drops every ICMP type, including the echo replies to the inside hosts’ own pings and the “fragmentation needed” messages that path MTU discovery relies on; denying only the echo (request) type is the narrower choice.

Configuration Disclaimer: Exact configuration commands may vary based upon specific equipment models and software version. Generic “Cisco” commands utilized for illustration purposes.
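To make the wildcard-mask and ordering rules from pages 27 through 29 and the ICMP example above concrete, here is a small Cisco-style ACL evaluator in Python. It is an added example written for this page, not the webinar's material or any vendor's code: the Rule and Packet classes, the evaluate() function and every address and packet in it are constructed for the illustration. It derives the wildcard from a subnet mask, matches addresses bit by bit, walks a list top-down with the first match winning and the implicit deny at the end, and runs both the page 29 standard list and a narrowed version of the page 32 extended list that denies only echo requests.

```python
"""Cisco-style ACL evaluation: wildcard masks, top-down first match, implicit deny.
Added illustration written for this page; it is not code from the webinar.
All addresses and packets below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a dotted subnet mask: 255.255.128.0 -> 0.0.127.255."""
    return str(IPv4Address(int(IPv4Address(subnet_mask)) ^ ALL_ONES))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (address, base, wildcard))
    care = ALL_ONES ^ w
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # ip (any protocol), tcp, udp, icmp
    src: str = "any"                 # "any", "host A.B.C.D", "A.B.C.D W.W.W.W", or "A.B.C.D"
    dst: str = "any"
    dport: Optional[int] = None      # extended ACL "eq <port>" on the destination
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply", "unreachable"


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr_match(spec: str, address: str) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return wildcard_match(address, parts[1], "0.0.0.0")
    if len(parts) == 1:              # standard ACL with no wildcard: exact host
        return wildcard_match(address, parts[0], "0.0.0.0")
    return wildcard_match(address, parts[0], parts[1])


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def evaluate(acl: list, pkt: Packet) -> str:
    """Walk the list top-down; the first matching entry decides. No match: implicit deny."""
    for rule in acl:
        if _rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Standard ACL in the style of page 29: deny one host, permit the rest of 192.168.1.0/24.
STANDARD_ACL_1 = [
    Rule("deny", src="192.168.1.100"),
    Rule("permit", src="192.168.1.0 0.0.0.255"),
]

# Extended ACL in the style of page 32, meant for the inbound direction of the
# Internet-facing interface, but narrowed: only echo requests are denied, so echo
# replies to inside hosts' own pings and "fragmentation needed" messages still pass.
EXTENDED_ACL_100 = [
    Rule("deny", protocol="icmp", icmp_type="echo"),
    Rule("permit"),                  # permit ip any any
]

# The same two entries in the wrong order: the general permit shadows the deny.
SHADOWED_ACL_100 = list(reversed(EXTENDED_ACL_100))


def demo() -> dict:
    """Constructed packets (203.0.113.0/24 is documentation space) run through the lists."""
    ping_in = Packet("203.0.113.9", "192.168.10.2", "icmp", icmp_type="echo")
    frag_needed = Packet("203.0.113.1", "192.168.10.2", "icmp", icmp_type="unreachable")
    return {
        "wildcard": wildcard_from_mask("255.255.128.0"),
        "blocked_host": evaluate(STANDARD_ACL_1, Packet("192.168.1.100", "10.0.0.1", "ip")),
        "neighbour": evaluate(STANDARD_ACL_1, Packet("192.168.1.7", "10.0.0.1", "ip")),
        "outsider": evaluate(STANDARD_ACL_1, Packet("172.16.5.5", "10.0.0.1", "ip")),  # implicit deny
        "ping_in": evaluate(EXTENDED_ACL_100, ping_in),
        "frag_needed": evaluate(EXTENDED_ACL_100, frag_needed),
        "ping_in_shadowed": evaluate(SHADOWED_ACL_100, ping_in),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "outsider" packet shows the implicit deny: no entry in access list 1 mentions 172.16.5.5, so it is dropped even though nothing explicitly denies it. The shadowed list shows why the slides insist on specific statements first: with "permit ip any any" on top, the deny below it is never reached.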

Page 33:

Port Numbers – RFC 1700 (now obsolete; the authoritative list is the IANA registry below)

• Applications Are Indexed by a “Port Number”
• Port Numbers Can Be Between 0 – 65,535
  – 0 – 1,023: System (“well-known”) ports
  – 1,024 – 49,151: User (registered) ports
  – 49,152 – 65,535: Dynamic or Private (ephemeral) ports
• 65,536 TCP Ports (0 – 65,535)
• 65,536 UDP Ports (0 – 65,535)

Service Name and Transport Protocol Port Number Registry: http://www.iana.org/assignments/port-numbers

Page 34:

Examples: “Well Known - System Port Numbers”

Port 20 / 21 – FTP “File Transfer Protocol”
Port 23 – TELNET
Port 53 – DNS “Domain Name Service”
Port 80 – HTTP
Port 110 – POP3 “Post Office Protocol”
Port 123 – NTP “Network Time Protocol”
Port 161 – SNMP “Simple Network Management Protocol” (UDP)
Port 443 - HTTPS

Page 35:

A Firewall:

• Filters Packets:
  – Positive Filtering - Permit
  – Negative Filtering - Deny
• Filtering Based Upon the L3 header (and, for ports, the L4 header):
  – Source IP Address (range of addresses)
  – Destination IP Address (range of addresses)
  – Source TCP/UDP Port
  – Destination TCP/UDP Port
  – Protocol
• Can Do More:
  – Serve as Proxy Server
  – VPN Implementation (IPsec Encryption)
  – Network Address Translation (NAT)
  – Touch Point for Monitoring (logging)
• Firewall Form Factors:
  – Software Based
  – Layer 3 Router Based
  – Dedicated Appliance

Page 36:

Firewall Types

• Filters What IP Traffic Can Enter or Exit a Network Based Upon Pre-Defined Rules
• Stateless Packet Filtering – Single Packet Inspection
  – Access Control List “ACL”
  – Ingress or Egress Filtering
  – No knowledge of flow
  – Filters on IP Header info – Layer 3 (plus Layer 4 port numbers in an extended ACL)
• Stateful Packet Filtering – Conversation Inspection
  – Filters on IP Header info – Layers 3-4
  – Records conversations – then determines context:
    » New Connection
    » An Existing Conversation
    » Not involved in any conversation

Page 37:

Stateless vs Stateful

Figure (left) – Packet Filtering “Stateless”: an HTTP Request leaves for the Internet; the HTTP Reply is Blocked (X) because no rule matches the returning packet on its own.
Figure (right) – Packet Filtering “Stateful”: the HTTP Request leaves and the HTTP Reply is passed as part of the recorded conversation; an unsolicited inbound Telnet Session is Blocked (X).

Filtering Parameters: IP Source Address, IP Destination Address, Protocol (TCP Traffic, UDP Traffic), Port Number
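The two panels above, together with the “state” of page 16, can be run as a short simulation. The Python below is an added example written for this page (not the webinar's code): a stateless filter that judges each packet by its header alone, and a StatefulFilter class that records the source/destination address-port pair when an inside host sends a SYN and afterwards admits only the packets that continue that handshake. The address pair is the one shown on page 16; the packets, the permitted ports and the outside telnet source 203.0.113.7 are constructed sample data.

```python
"""Stateless vs stateful filtering of one TCP exchange, as an added illustration
(not the webinar's code). The packets are a constructed sample: an inside host opens
HTTPS to an outside server, then an outside host sends an unsolicited telnet SYN."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP control bits, e.g. frozenset({"SYN"})
    direction: str        # "out" = inside -> Internet, "in" = Internet -> inside


def stateless_filter(pkt: Packet, outbound_ports: set) -> str:
    """Rules only, no memory: outbound connections to the listed ports are permitted,
    every inbound packet is judged on its own header, so the server's SYN/ACK reply
    has nothing to match against and is dropped (left panel of page 37)."""
    if pkt.direction == "out" and pkt.dport in outbound_ports:
        return "permit"
    return "deny"


class StatefulFilter:
    """Same outbound policy plus a state table keyed on the full address-port pair
    (the dynamic rule of page 16). An inbound packet is permitted only when it
    belongs to a conversation an inside host started (right panel of page 37)."""

    def __init__(self, outbound_ports: set):
        self.outbound_ports = outbound_ports
        self.states: dict = {}   # (inside ip, inside port, outside ip, outside port) -> phase

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.states:
                if "ACK" in pkt.flags and self.states[key] == "syn_ack":
                    self.states[key] = "established"   # handshake step 3
                return "permit"
            if pkt.flags == frozenset({"SYN"}) and pkt.dport in self.outbound_ports:
                self.states[key] = "syn_sent"          # dynamic rule created here
                return "permit"
            return "deny"
        # inbound: look up the reverse of the conversation
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        phase = self.states.get(key)
        if phase is None:
            return "deny"                              # unsolicited, e.g. inbound telnet
        if phase == "syn_sent" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.states[key] = "syn_ack"               # handshake step 2
            return "permit"
        if phase in ("syn_ack", "established") and "ACK" in pkt.flags:
            return "permit"
        return "deny"                                  # out-of-sequence handshake


INSIDE, OUTSIDE = "165.95.240.130", "74.125.21.147"     # the address pair from page 16
SYN = Packet(INSIDE, 32985, OUTSIDE, 443, frozenset({"SYN"}), "out")
SYN_ACK = Packet(OUTSIDE, 443, INSIDE, 32985, frozenset({"SYN", "ACK"}), "in")
ACK = Packet(INSIDE, 32985, OUTSIDE, 443, frozenset({"ACK"}), "out")
TELNET_SYN = Packet("203.0.113.7", 40000, INSIDE, 23, frozenset({"SYN"}), "in")
STRAY_ACK = Packet(OUTSIDE, 443, "10.9.9.9", 5555, frozenset({"ACK"}), "in")


def run_demo() -> dict:
    """Feed the same constructed exchange through both filters and return the verdicts."""
    ports = {80, 443}
    stateless = [stateless_filter(p, ports) for p in (SYN, SYN_ACK, ACK, TELNET_SYN)]
    fw = StatefulFilter(ports)
    stateful = [fw.filter(p) for p in (SYN, SYN_ACK, ACK, TELNET_SYN, STRAY_ACK)]
    return {"stateless": stateless, "stateful": stateful, "states": dict(fw.states)}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The stateless verdicts are permit, deny, permit, deny: the SYN/ACK is dropped and the inside host's connection never completes unless a permanent inbound rule for source port 443 is added, which would also admit any attacker who sets that source port. The stateful filter passes the whole handshake, then refuses both the unsolicited telnet SYN and a stray ACK that belongs to no recorded conversation.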

Page 38:

“Stateless” Firewall

• In Addition to TCP/IP Header Checks, A Stateless Firewall Can Detect Packet Anomalies that are visible within a single packet:
  – Malformed IP Packet Header
  – IP Addressing Non-Compliance (e.g. private or reserved source addresses arriving from the Internet)
  – IP Fragmentation Errors (overlapping or undersized fragments)
  – Illegal TCP flag combinations (e.g. SYN+FIN, no flags set)
  – ICMP Errors (malformed or oversized messages)
• Anomalies Associated with Packet Flows – a SYN-ACK that does not follow a SYN, an ACK for a connection never opened, out-of-sequence TCP segments – require remembering earlier packets, which is what a stateful firewall adds. UDP carries no sequence numbers, so there is no UDP flow sequencing to check in either type of firewall.

Page 39:

Misconceptions With Firewalls

Misconceptions:
• A firewall Prevents ALL Cybersecurity Threats
• A firewall Blocks every Undesirable Packet
• A firewall Permits only Authorized Packets
• Install and Forget

Reality:
• The firewall Should Be one Component of a Multi-Perimeter Approach (Defense-in-Depth)
• The firewall Requires Regular “Housekeeping”

Page 40:

Firewall Use Caution

• False Sense of Security
  – Don’t Bother Me - “I Have A Firewall” – I’m Secure!
• Minimize the Protection Zone – The Tendency is to Maximize the Host(s) in the Protection Zone
• Formal Policy Required – Create the Policy First
  – Then Create the Rule Syntax
• Performance Impact
  – Throughput (packets/sec) Impact
  – Latency Impact
• Don’t Overlook Egress – Be a Good Network Citizen

Page 41:

Firewall Implementation & Ruleset Configuration

Broadcast Infrastructure Cybersecurity

Page 42:

Firewall Placement Network Architecture

Figure, three placements, each with ACL(s) implemented on the firewall:
1. Single firewall between the External Network (Internet) and the Internal Network (Private).
2. Firewall with a “DMZ” segment holding the Web Server between the External Network (Internet) and the Internal Network (Private).
3. “3-Legged” Firewall: one firewall with three interfaces – External Network (Internet), “DMZ” with the Web Server, and Internal Network (Private).

Page 43:

The Bastion Host

• Host Device – Bare Essentials to Support the Application
  – Minimized Operating System
  – Minimum Services Enabled/Implemented
• Implemented with a Firewall – Only the Application Protocol Permitted

Figure: External Network (Internet) – Firewall – Bastion Host in the “DMZ” (Demilitarized Zone) – Internal Network (Private). Only the Firewall & Bastion Host are Exposed.

Page 44:

Proxy Firewall

• Hides “Internal” Network Hosts
• External Hosts Only See the Proxy Address
• Limits Network Access to Application Protocols
• Client – Server Relationship
• Can Be Implemented Within the Firewall
• Can Be Implemented Within a Server
• Can Filter Content

Figure: External Network (Internet) – Firewall – Proxy Server – Internal Network (Private)

Page 45:

Policy vs Rule

• Policy is the Starting Point
• Create Rule Syntax to Implement the Policy

Security Policy: Accept Incoming HTTP Traffic From the Public Internet to the Webserver
Firewall Rule: permit tcp any host WEB-SERVER1 eq 80

Security Policy: Allow RDP from the Network Engineer workstation to the Webserver
Firewall Rule: permit tcp host 128.194.247.54 host WEB-SERVER1 eq 3389

In both rules the port qualifier follows the destination: RDP listens on TCP 3389 on the webserver, so a rule that placed 3389 after the source address would match the workstation’s source port instead and would not implement the policy.

Page 46:

Basic Default Firewall Policies (anti-spoofing):

• Egress (leaving the network) – permit only if:
  – Source IP Address is within the Internal Network IP Address Space
  – Destination IP Address is NOT within the Internal Network IP Address Space
• Ingress (entering the network) – permit only if:
  – Source IP Address is NOT within the Internal Network IP Address Space
  – Destination IP Address is within the Internal Network IP Address Space

Page 47:

iptables (Linux)

• Creates Host Firewall Rules
• Command Line Based or GUI Based (front ends)
• Rules Created in a “Chain”:
  – INPUT (packets addressed to this host)
  – OUTPUT (packets originated by this host)
  – FORWARD (packets routed through this host)
• Command Line Syntax: iptables -A chain firewall-rule

Example – permit “SSH” (TCP port 22) arriving on eth0, drop everything else on INPUT:

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

Reading the first rule: -A INPUT appends to the Input chain; -i eth0 is the interface; -p tcp the protocol; --dport 22 the destination port; -j ACCEPT the action (targets are upper-case; a capital -I would insert at the top of the chain rather than name the interface). Rules are matched in order, so the ACCEPT must precede the catch-all DROP. As written, the DROP also discards replies to connections this host opens itself; iptables is stateful, and a rule matching the ESTABLISHED and RELATED connection-tracking states is normally placed ahead of the DROP to let those replies through.

Page 48:

Firewall Ruleset

• Default Ruleset:
  – Discard
  – Forward
• Ruleset Parsed “Top-to-Bottom”
  – More Specific – Top of List
  – Implicit “DENY” – End of List
• Example: (figure)

Page 49:

Takeaway Points & Reference Resources

Broadcast Infrastructure Cybersecurity

Page 50:

OSI Model & Security Protection Techniques

7 Application – Application Gateway
6 Presentation – Application Gateway
5 Session – Application Gateway
4 Transport – Circuit Gateway
3 Network – Packet Filtering
2 Data Link – MAC Based Security
1 Physical – Physical Device Security

Page 51:

Takeaway Points – Part 2

• The firewall is the 1st defense perimeter – but not the only protection
• A firewall is any software or device that filters packets to establish a trust perimeter
• A firewall is a necessary evil – Do NOT install & forget
• Firewall “housekeeping” is essential – Updates & Monitoring
• Do not solely depend upon a single border firewall: – Harden host devices – disable any unused services
• Develop the mindset – deny everything – permit only when necessary
• Block inbound ICMP echo requests to prevent internal network host exploration (blocking all ICMP also breaks path MTU discovery and the inside hosts’ own pings)
• NAT alone should not be considered an effective firewall
• Don’t overlook egress filtering: – The source address of every exiting packet should be within your internal network IP range

Future Webinars Will Continue to Build This List

Page 52:

The Challenge

SECURITY vs. USABILITY

Page 53:

SBE Webinar Series - 2018
Broadcast Infrastructure Cybersecurity

Webinar # 3 – “Understanding Secured Remote Access” Major Topics (March 27, 2018):
• Webinar #2 Takeaway Point Review
• Secured Remote Access
• Establishing Secured Remote Access
• VPN Implementation & Configuration
• Building the Secure Network
• Takeaway Points & Reference Resources
• Questions & Discussion

Webinar # 4 – “Security Verification Thru Penetration Testing” Major Topics (April 24, 2018):
• Webinar #3 Takeaway Point Review
• Proactive Security Monitoring
• Network Penetration Testing Overview
• Network Penetration Testing Tools
• Network Penetration Tool Example(s)
• Takeaway Points, Reference Resources, & Webinar Series Wrap-Up
• Questions & Discussion

Page 54:

My Favorite Reference Texts:

Page 55:

Page 56:

Thank You for Attending!

Questions & Discussion

Wayne M. Pecena, Texas A&M University
[email protected] [email protected] 979.845.5662
Secretary, Board of Directors; Executive Committee Member; Chair, Education Committee