TRANSCRIPT
SBE Webinar Series - 2018
Broadcast Infrastructure Cybersecurity - Part 2
Wayne M. Pecena, CPBE, CBNE Texas A&M University
Educational Broadcast Services – KAMU FM-TV
Broadcast Infrastructure Cybersecurity Advertised Presentation Scope
Webinar Series Overview: As broadcast station IP networks have grown and become an integral part of the broadcast technical plant, the security threats have grown with them, so that network security is an ongoing, essential task for the broadcast engineer with IT responsibilities. This webinar series provides an understanding of IP network security terminology, security plan principles, best practices, proactive implementation techniques, and active security verification. Practical implementation examples using popular network infrastructure equipment are provided, along with public domain security assessment tools. At the conclusion of this webinar series, you should have a fundamental understanding of IP network security principles, an understanding of how to develop a network security plan for your organization, and best-practice implementation approaches. Network security is an ongoing IT process and should never be considered a one-time set-and-forget task.
Prerequisite Knowledge: It is recommended that participants have an understanding of IP networking fundamentals that includes OSI model structure, Ethernet switch operation, IP layer 3 system protocols, TCP 3-way handshake, and the use of port numbers.
Broadcast Infrastructure Cybersecurity
Webinar # 2 – “Understanding The Firewall”
Major Topics:
• Webinar #1 Takeaway Point Review
• The Firewall
• The Access Control List (ACL)
• Firewall Implementation & Ruleset Configuration
• Takeaway Points & Reference Resources
• Questions & Discussion

Takeaway Points – Part 1
• Recognize & Accept The “Security Lifecycle”
• Have a Security Policy
• Utilize a “Defense in Depth” Strategy
• Understand the Security Threat Landscape
• Begin With Network Design – Segment Your Network
  – Security
  – Performance Enhancement
• Implement a Structured Plan
  – Begin with Physical Security
  – Implement Switch Port Security
  – Implement Packet Filtering
  – Implement Encrypted Access
  – Implement Trust (authentication)
• Implement Ethernet Port Security
• Disable Any “Unused” Ports
• Enable “Trunk/Tagged” Ports with Caution
• Do Not Use VLAN 1
• Monitor Your Network – Know What is Normal!
Future Webinars Will Continue to Build This List
Ethernet Switch Functions
Basic Switch Functions:
• Learn MAC Addresses – Build the MAC (CAM) “Table”
• Filter / Forward Ethernet Frames
• Flood Ethernet Frames
  – Broadcast Frame
  – Destination MAC Not in CAM Table
Managed Switch Functions:
• Establish VLAN(s)
• Provide Loop Avoidance / Redundancy (STP)
• Provide Port Security Features
• Provide Multicast Support (IGMP Snooping)
Layer 2 - Switch Port Security
• Port Security Options:
  – Permit Specific MAC Address / Port
  – Limit # of MAC Addresses / Port
  – “Sticky” MAC Learning Configuration
• Port Security Violations (response):
  – Discard Frame
  – Shutdown Port
  – Notification
Prevents CAM Table Overflow Attacks; Limits DoS & DDoS Attacks
Layer 2 – Data-Link Layer Access
• Implement Ethernet Switch Port Security
• Disable Unused Ports
• Configure “Trunk / Tagged” Ports With Caution

(Diagram: a switch carrying VLAN 100, VLAN 200 and VLAN 300 to segment network traffic. Disable any unused “access” or “untagged” ports. Configure “trunk” or “tagged” ports only when required. Enable switch port security: specific MAC address, limit the number of MAC addresses per port, specify the “shutdown” violation response.)
Layer 2 Hardening
• Disable Telnet – Use SSH
• Set SNMP Secrets (change the default community strings; prefer SNMPv3)
• Minimize Spanned VLAN(s)
• Set STP Root Designation (set the root bridge priority explicitly)
• Enable Anti-Spoofing Features (DHCP snooping, dynamic ARP inspection, IP source guard)
• Disable Unused Ports
• Do Not Use VLAN 1
• Disable CDP (Cisco)
• Enable Port Security
• Use Authentication (802.1X)
Cybersecurity Attack Model
(Diagram: attack phases, left to right)
• Network Probing & Reconnaissance – passive & active approaches; find target(s); harvest information
• Delivery & Attack
• Installation & Exploitation
• Compromise & Expansion
Structured Implementation Plan
Layer 1 – Physical Access
Layer 2 – Ethernet Switch Security
Layer 3 – Packet Filtering
Layer 4 and above – Encryption & Authentication
L3 and Above Network Security Tools
• Firewall
  – Used to Create a “Trusted” Network Segment by Filtering Network Packets (Permit / Deny)
  – Types of Firewalls:
    • Stateless Packet Filtering – Single Packet Inspection Based
    • Stateful Packet Filtering – Flow or Conversation Inspection Based
    • Proxy – Intermediary Host or Software Application
  – Access Control Mechanism
• Detection Tools
  – Intrusion Detection Systems (IDS): Signature Based or Anomaly Based; both produce false positives and false negatives
  – Intrusion Prevention Systems (IPS): Combine Firewall & IDS Functions
(Diagram: a proxy placed between the external network and the internal hosts.)
The Firewall
Broadcast Infrastructure Cybersecurity
What is a Firewall?
Device (hardware or software) That Controls Which IP Packets Enter or Exit a Network (Permit or Deny)
Why Use? ● First level of defense ● Protection for hosts lacking security ● Protection for a group of hosts
Generations of Firewall Technology
• Generation 1: Packet Filtering (static, stateless inspection)
• Generation 2: Circuit Level Gateway (session relay, commonly paired with NAT)
• Generation 3: Packet Filtering (stateful inspection – dynamic)
• Generation 4: Application Level Gateway (Proxy)
• Generation 5 and beyond: Application Level – Kernel Proxy
Firewall Types
• Packet Filtering (stateless)
• Packet Filtering (stateful inspection)
• Application Gateway (proxy)
• Circuit Gateway (NAT) – Hides Internal Host IP Addresses
• Next-Gen Firewall – Traditional Stateless / Stateful Firewall + Application Deep Packet Inspection (DPI) + Intrusion Prevention System (IPS)
A “State”
• A dynamic rule (flow table entry) created by the firewall from the source address:port and destination address:port of a conversation, together with the protocol
• Example flow entry (the two directions of one HTTPS conversation):
  165.95.240.130:32985 ---> 74.125.21.147:443
  74.125.21.147:443 ---> 165.95.240.130:32985

TCP 3-Way Handshake (the exchange a stateful firewall tracks):
1. Send Host -> Receive Host: “I want to connect. My sequence number is 100.”  SEQ = 100, CONTROL = SYN
2. Receive Host -> Send Host: “I received your sequence 100! My sequence number is 1 and I am ready for 101.”  SEQ = 1, ACK = 101, CONTROL = SYN, ACK
3. Send Host -> Receive Host: “I received your sequence 1 and am ready for sequence 2.”  SEQ = 101, ACK = 2, CONTROL = ACK
Firewall Software & Appliances
• Software Based:
  – iptables (Linux)
  – pfSense
  – ZoneAlarm (Windows)
• Appliance Based:
  – Cisco PIX
  – Cisco ASA
  – Check Point FireWall-1
  – Barracuda Firewall
The IPv4 Packet Header
• Protocol – Indicates the upper layer protocol (TCP, UDP, ICMP as examples)
• Source Address – Address of the “sending” Host
• Destination Address – Address of the “receiving” Host

Header layout (each row is one 32-bit word, 4 bytes; field widths in bits; minimum header = 20 bytes):
  Version (4) | Header Length (4) | Precedence / Type of Service (8) | Total Length (16)
  Identification (16) | Flags (3) | Fragment Offset (13)
  Time to Live (8) | Protocol (8) | Header Checksum (16)
  Source IP Address (32)
  Destination IP Address (32)
  Options & Padding (0 or more 32-bit words)
  Packet Payload (Transport Layer Data)
The Access Control List (ACL)
Broadcast Infrastructure Cybersecurity
Packet Filtering Border Router
(Diagram: the border router, with packet filtering ACLs applied, sits on the security perimeter between the External Network (Internet, un-trusted) and the Internal Network (private, trusted). The boundary it creates is the “trust” zone.)
The Access Control List “ACL”
• Statements That Permit or Deny Layer 3 Network Traffic
• The “ACL” is a Predefined “Rule” Script
• Packet (layer 3 PDU) Filtering Accomplished:
  – By a Layer 3 Router
  – Inspecting Incoming & Outgoing Packets Against the Rules
  – Determining if a Packet Is to Be Forwarded or Dropped
• The Layer 3 Router with ACLs Implemented Becomes a Basic Firewall (Generation 1)
• Why Use an ACL?
  – Provide Security by Denying Specific Packets – Destination Host(s)
  – Provide Security by Denying Specific Packets – Source Host(s)
  – Provide Security by Denying Specific Packets – Protocol(s)
  – Minimize Specific Packets to Increase Performance
  – Classify Packets for Quality-of-Service (QoS) Applications
Access Control List “More Details”
• Provides a “Basic” Network Access Security Buffer – Packet Filter Based
• Filters IP Network Packets on an interface, inbound (ingress) or outbound (egress)
• Standard Access List – Layer 3 Header Info
  – Can Only Permit or Deny on the Source Host IP Address
  – Placed Closest to the Destination Host (it cannot tell destinations apart, so placing it near the source would block that source from everything)
• Extended Access List – Layer 3 & 4 Header Info – Can Permit or Deny Based Upon:
  • Source IP Address • Destination IP Address • TCP Port # • UDP Port # • IP Protocol (TCP, UDP, ICMP, ...)
  – Placed Closest to the Source Network (unwanted traffic is dropped before it crosses the network)
• ACL Can Be Numbered or Named
  – Standard: 1 – 99 or 1300 – 1999
  – Extended: 100 – 199 or 2000 – 2699
ACL Guidelines
• One (1) ACL / Interface / Protocol / Direction
• The ACL is Processed Hierarchically (top down, first match wins)
  – More specific statements first
  – Less specific statements follow
• The ACL is Created Globally – Then Applied to a Specific Interface
• The ACL Filters:
  – Packets passing through the router
  – Packets addressed to the router (inbound ACL)
  – Note: on Cisco IOS, packets the router itself originates are not checked by an outbound interface ACL
• The ACL Has an “Implicit Deny All” @ End
  – An ACL must contain at least one “permit” statement, or it blocks everything
  – To explicitly permit everything not matched earlier (overriding the implicit deny), end the list with:
    access-list 100 permit ip any any
Reference: www.routerfreak.com/understanding_access-control-lists-acl/
Implementing an Access Control List
(Diagram: a router with Interface 0/0 and Interface 0/1. On each interface an Ingress ACL filters inbound packets and an Egress ACL filters outbound packets. Steps: Create the Access Control List, then Apply the Access Control List to an interface. One ACL per interface, per direction, per protocol.)
Permit or Deny on:
• Source IP Address (standard)
• Source IP Address (extended)
• Destination IP Address
• ICMP
• TCP/UDP Source Port
• TCP/UDP Destination Port
Access Control List (ACL) Syntax
• Standard ACL:
  access-list access-list-number {permit|deny} match-parameter
  Match-parameters: any | host ip-address | network-address wildcard-mask
• Extended ACL:
  access-list access-list-number {permit|deny} protocol {source source-wildcard|host source|any} [eq port] {destination destination-wildcard|host destination|any} [eq port]
  (Port matching applies to tcp and udp; eq is one of the operators IOS accepts, along with gt, lt, neq and range.)
The Access Control List (ACL) “Examples”
Broadcast Infrastructure Cybersecurity
“Wildcard” Mask
• Common Use: Routing Protocols & ACLs
• Used to Specify a Range of IP Addresses
• IPv4 Wildcard Mask is 32 bits
• Equivalent to the Inverted Subnet Mask: “255.255.128.0” Subnet Mask -> “0.0.127.255” Wildcard (Inverted) Mask
• Binary Operators:
  – “0” bit Indicates Match (the address bit must equal the network bit)
  – “1” bit Indicates No-Match (don’t care)
  11111111.11111111.10000000.00000000  Subnet Mask
  00000000.00000000.01111111.11111111  Wildcard Mask

Calculate the Wildcard Mask
• Subnet Mask = 255.255.128.0
• Wildcard Mask = 0.0.127.255
• Method: take the full IPv4 address space 255.255.255.255, subtract the subnet mask 255.255.128.0, which yields the inverted mask 0.0.127.255
ACL Example(s)
• Permit ALL IPv4 Addresses:
  access-list 1 permit 0.0.0.0 255.255.255.255   (equivalent to: access-list 1 permit any)
• Permit All 192.168.1.0/24 Hosts:
  access-list 1 permit 192.168.1.0 0.0.0.255
• Permit Only IP Address 192.168.1.100:
  access-list 1 permit 192.168.1.100   (a bare address in a standard ACL means wildcard 0.0.0.0, i.e. that one host)
• Deny Only IP Address 192.168.1.100, Permit Everyone Else:
  access-list 1 deny 192.168.1.100
  access-list 1 permit any
  (a standard ACL takes a single source match; “permit ... any any” is extended-ACL syntax)
Remember the Implicit DENY at the end of every list
Remember to Apply the ACL to an Interface
“ping” – Packet Internet Groper
• Sending Host Sends an ICMP “echo request”
• Destination Host Replies with an ICMP “echo reply”
• Round-Trip Times Returned
• Be Aware of Command Line Options
ICMP Messages:
• Network Layer Based – RFC 792 – The “Tattle Tale” Protocol (ICMP router discovery is the separate RFC 1256)
• Platform Utilized by ping & traceroute
Access Control List (ACL) - Example
Block External Users From “Pinging” Inside Network Hosts
(Diagram: Router 1 connects “The Internet” on one Ethernet interface (E0) to the inside 192.168.10.0/24 network on the other (E1); inside addresses shown are 192.168.10.1/24, 192.168.10.2/24 and 192.168.10.6/24.)
Create Access List on Router 1:
  access-list 100 deny icmp any any
  access-list 100 permit ip any any
Apply Access List to Interface:
  interface ethernet1
  ip access-group 100 in
Practitioner notes: the list must be applied inbound on the Internet-facing interface (or outbound on the inside interface); applied inbound on the LAN side it would instead stop inside hosts from pinging out. “deny icmp any any” also drops ICMP error messages (for example fragmentation-needed, which path MTU discovery relies on) and the echo replies to pings that originate inside; to block only the probes, use “access-list 100 deny icmp any any echo”.
Configuration Disclaimer: Exact configuration commands may vary based upon specific equipment models and software versions. Generic “Cisco” commands are utilized for illustration purposes.
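The wildcard-mask arithmetic, the standard-ACL examples, the top-down/implicit-deny guidelines and the deny-icmp list above can all be exercised with the following evaluator. It is an added example for this page, not code from the webinar, from Cisco or from any router: it models only the grammar the slides show (numbered access-list lines with any / host / address+wildcard and an optional eq port), decides standard versus extended from the number ranges given earlier, and rejects every other IOS keyword. The sample packets are constructed; 203.0.113.7 is a documentation address standing in for an Internet host.

```python
"""Cisco-style numbered IPv4 ACL evaluator (added example, not webinar code).

Models only the grammar the slides show: 'access-list N permit|deny ...'
with any / host A / A WILDCARD address specs and an optional 'eq PORT'.
Standard vs extended is decided from the number ranges on the slide.
Assumption: IOS keywords not on the page (gt, lt, range, established,
log, ...) are deliberately unsupported and raise ValueError.
"""
from collections import namedtuple
from ipaddress import IPv4Address

Rule = namedtuple("Rule", "text action proto src src_wild dst dst_wild sport dport")
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(None, None))
ANY = ("0.0.0.0", "255.255.255.255")          # address + wildcard for 'any'


def wildcard_from_mask(subnet_mask):
    """Invert a dotted subnet mask: 255.255.128.0 -> 0.0.127.255."""
    return str(IPv4Address(int(IPv4Address(subnet_mask)) ^ 0xFFFFFFFF))


def wildcard_match(addr, network, wildcard):
    """A '0' wildcard bit must equal the network bit; a '1' bit is don't-care."""
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care


def is_standard(number):
    """Standard lists: 1-99 and 1300-1999; extended: 100-199 and 2000-2699."""
    return 1 <= number <= 99 or 1300 <= number <= 1999


def _is_ipv4(tok):
    try:
        IPv4Address(tok)
        return True
    except ValueError:
        return False


def _take_addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (host, standard ACL)."""
    if t[i] == "any":
        return ANY + (i + 1,)
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and _is_ipv4(t[i + 1]):
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1


def _take_port(t, i):
    """Optional 'eq PORT' after a tcp/udp address spec."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_rule(line):
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported line: " + line)
    number, action = int(t[1]), t[2]
    if is_standard(number):                   # standard: source address only
        src, sw, i = _take_addr(t, 3)
        proto, (dst, dw), sport, dport = "ip", ANY, None, None
    else:                                     # extended: proto src [eq] dst [eq]
        proto = t[3]
        src, sw, i = _take_addr(t, 4)
        sport, i = _take_port(t, i)
        dst, dw, i = _take_addr(t, i)
        dport, i = _take_port(t, i)
    if i != len(t):
        raise ValueError("unsupported keyword in: " + line)
    return Rule(line, action, proto, src, sw, dst, dw, sport, dport)


def parse_acl(lines):
    """Lines are kept in the order given: that order is the rule precedence."""
    return [parse_rule(l) for l in lines if l.strip()]


def _matches(r, p):
    return (r.proto in ("ip", p.proto)
            and wildcard_match(p.src, r.src, r.src_wild)
            and wildcard_match(p.dst, r.dst, r.dst_wild)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport))


def evaluate(acl, p):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for r in acl:
        if _matches(r, p):
            return r.action, r.text
    return "deny", "implicit deny (end of list)"
```

Running the deny-icmp / permit-ip list against an echo request from 203.0.113.7 to 192.168.10.2 returns deny on the first line, while a TCP/443 packet from the same source falls through to the permit. A list containing only permit 192.168.1.0 0.0.0.255 denies 10.9.9.9 via the implicit deny, and the same evaluator run over an outbound list (permit only sources inside your own range) gives the egress anti-spoofing check the deck asks for later.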
Port Numbers (RFC 1700; the current list is the IANA registry)
• Applications Are Indexed by a “Port Number”
• Port Numbers Can Be Between 0 – 65,535
  – 0 – 1,023 Considered Reserved (“well known” / system ports)
  – 1,024 – 49,151 Can Be Registered
  – 49,152 – 65,535 Considered Dynamic or Private (ephemeral)
• 65,536 TCP Ports and 65,536 UDP Ports (0 through 65,535); the TCP and UDP port spaces are independent
Service Name and Transport Protocol Port Number Registry: http://www.iana.org/assignments/port-numbers
Examples: “Well Known – System Port Numbers”
• Port 20 / 21 – FTP “File Transfer Protocol” (data / control)
• Port 23 – TELNET
• Port 53 – DNS “Domain Name System” (UDP and TCP)
• Port 80 – HTTP
• Port 110 – POP3 “Post Office Protocol”
• Port 123 – NTP “Network Time Protocol” (UDP)
• Port 161 – SNMP “Simple Network Management Protocol” (UDP)
• Port 443 – HTTPS
A Firewall:
• Filters Packets:
  – Positive Filtering – Permit
  – Negative Filtering – Deny
• Filtering Based Upon the L3 header: Source IP Address (or range), Destination IP Address (or range), Protocol; and the L4 header: Source Port, Destination Port
• Can Do More:
  – Serve as a Proxy Server
  – VPN Implementation (IPsec Encryption)
  – Network Address Translation (NAT)
  – Touch Point for Monitoring (logging)
• Firewall Form Factors:
  – Software Based
  – Layer 3 Router Based
  – Dedicated Appliance
Firewall Types
• Filters What IP Traffic Can Enter or Exit a Network Based Upon Pre-Defined Rules
• Stateless Packet Filtering – Single Packet Inspection
  – Access Control List “ACL”
  – Ingress or Egress Filtering
  – No knowledge of flow
  – Filters on IP Header info – Layer 3 (extended ACLs also read the L4 ports)
• Stateful Packet Filtering – Conversation Inspection
  – Filters on IP Header info – Layers 3-4
  – Records conversations, then determines the context of each packet:
    » A New Connection
    » Part of an Existing Conversation
    » Not involved in any conversation
Stateless vs Stateful
(Diagram: Packet Filtering – “Stateless”: an HTTP request goes out to the Internet, but the HTTP reply is blocked (X) because no single-packet rule permits it. Packet Filtering – “Stateful”: the same HTTP request goes out, the HTTP reply is permitted because it belongs to a recorded conversation, and an unsolicited Telnet session from the Internet is blocked (X).)
Filtering Parameters: IP Source Address, IP Destination Address, Protocol, TCP Traffic, UDP Traffic, Port Number
“Stateless” Firewall
• In Addition to TCP/IP Header Checks, a Firewall Can Detect Packet Anomalies:
  – IP Packet Header Makeup
  – IP Addressing Non-Compliance
  – IP Fragmentation Errors
  – TCP Flow Sequencing
  – UDP Flow Sequencing
  – Anomalies Associated with Packet Flows: SYN-ACK Sequence Not Compliant; ICMP Errors
• Caveat: only the per-packet checks (header makeup, addressing, fragmentation) are possible without state; the flow-sequencing and SYN-ACK checks require the firewall to remember the conversation, i.e. stateful inspection.
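The difference between the two filtering models above is easiest to see on return traffic. The following is an added example for this page, not code from the webinar or from any firewall product. The packets are constructed to mirror the HTTP request/reply diagram and the 165.95.240.130:32985 <-> 74.125.21.147:443 flow entry shown earlier. It assumes the stateless check imitates a Cisco-style line permit tcp any eq 443 192.168.10.0 0.0.0.255 gt 1023 established, whose established keyword only tests that ACK or RST is set; the flow table is this example's own simplification (TCP only, no timeouts, no FIN tracking), and 192.168.10.0/24 is taken as the inside network.

```python
"""Stateless vs stateful handling of TCP return traffic.

Added example for this page, not code from the webinar or any vendor product.
Assumptions: the stateless check imitates a Cisco-style
'permit tcp any eq 443 192.168.10.0 0.0.0.255 gt 1023 established' line,
whose 'established' keyword only tests that ACK or RST is set; the flow
table below is a simplification (TCP only, no timeouts, no FIN tracking).
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: set of str
INSIDE = ip_network("192.168.10.0/24")                      # assumed inside LAN


def inside(addr):
    return ip_address(addr) in INSIDE


def stateless_inbound(pkt):
    """Single-packet decision on the Internet-facing interface, inbound.

    Accepts what looks like a reply from an HTTPS server to an inside
    ephemeral port carrying ACK or RST; nothing here knows whether a
    handshake ever happened, so a forged ACK passes too.
    """
    return (not inside(pkt.src) and pkt.sport == 443
            and inside(pkt.dst) and pkt.dport > 1023
            and bool(pkt.flags & {"ACK", "RST"}))


class StatefulFilter:
    """Conversation table keyed by (src, sport, dst, dport) of the inside host."""

    def __init__(self):
        self.flows = {}

    def outbound(self, pkt):
        """Inside host leaving: a bare SYN opens a new conversation."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if inside(pkt.src) and pkt.flags == {"SYN"}:
            self.flows[key] = "SYN_SENT"
            return True
        return key in self.flows          # continuing a known conversation

    def inbound(self, pkt):
        """Packet arriving from outside: admitted only against a known flow."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed 5-tuple
        state = self.flows.get(key)
        if state is None:
            return False                  # "not involved in any conversation"
        if "RST" in pkt.flags:
            del self.flows[key]           # peer aborted: pass the RST, forget flow
            return True
        if state == "SYN_SENT":
            if pkt.flags >= {"SYN", "ACK"}:
                self.flows[key] = "ESTABLISHED"
                return True
            return False                  # out of sequence for a half-open flow
        return True                       # ESTABLISHED: existing conversation


def demo():
    """Verdicts as (stateless, stateful) for a real reply and a forged 'reply'."""
    client, server = "192.168.10.6", "74.125.21.147"
    fw = StatefulFilter()
    syn = Packet(client, 32985, server, 443, {"SYN"})
    syn_ack = Packet(server, 443, client, 32985, {"SYN", "ACK"})
    forged = Packet(server, 443, client, 40000, {"ACK"})  # constructed: no handshake
    fw.outbound(syn)
    return {
        "reply": (stateless_inbound(syn_ack), fw.inbound(syn_ack)),
        "forged": (stateless_inbound(forged), fw.inbound(forged)),
    }
```

demo() returns (True, True) for the genuine SYN-ACK and (True, False) for the forged ACK: the stateless rule has to open every inside high port to anything claiming to come from port 443, whereas the stateful filter admits only packets that reverse a conversation it watched the inside host start.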
Misconceptions With Firewalls
• Misconception: a firewall Prevents ALL Cybersecurity Threats
• Misconception: Install and Forget
• Reality: a firewall Blocks Undesirable Packets and Permits Authorized Packets – only as well as its rules are written
• Reality: it Should Be a Component of a Multi-Perimeter Approach (Defense-in-Depth)
• Reality: it Requires Regular “Housekeeping”
Firewall Use Caution
• False Sense of Security – Don’t Bother Me, “I Have A Firewall” – I’m Secure!
• Minimize the Protection Zone – The Tendency is to Maximize the Host(s) in the Protection Zone
• Formal Policy Required – Create the Policy First, Then Create the Rule Syntax
• Performance Impact – Throughput (packets/sec) Impact; Latency Impact
• Don’t Overlook Egress – Be a Good Network Citizen
Firewall Implementation & Ruleset Configuration
Broadcast Infrastructure Cybersecurity
Firewall Placement Network Architecture
(Diagram, three topologies: (1) a Firewall between the External Network (Internet) and the Internal Network (Private); (2) a “3-Legged” Firewall with a third interface for a “DMZ” holding the Web Server, between the External Network and the Internal Network; (3) the same DMZ topology with ACL(s) implemented.)
The Bastion Host
• Host Device – Bare Essentials to Support the Application
  – Minimized Operating System
  – Minimum Services Enabled/Implemented
• Implemented with a Firewall – Only the Application Protocol Permitted
(Diagram: the Firewall between the External Network (Internet) and the Internal Network (Private), with the Bastion Host in the “DMZ” – Demilitarized Zone. Only the Firewall & Bastion Host are exposed.)
Proxy Firewall
• Hides “Internal” Network Hosts
• External Hosts Only See the Proxy Address
• Limits Network Access to Application Protocols
• Client – Server Relationship
• Can Be Implemented Within the Firewall
• Can Be Implemented Within a Server
• Can Filter Content
(Diagram: a Proxy Server behind the Firewall, between the External Network (Internet) and the Internal Network (Private).)
Policy vs Rule
• Policy is the Starting Point
• Create Rule Syntax to Implement the Policy
Security Policy: Accept incoming HTTP traffic from the public Internet to the web server
Firewall Rule: permit tcp any host WEB-SERVER1 eq http
Security Policy: Allow RDP from the network engineer’s workstation to the web server
Firewall Rule: permit tcp host 128.194.247.54 host WEB-SERVER1 eq 3389
(RDP listens on TCP 3389 on the web server, so the port belongs on the destination side; the workstation’s source port is ephemeral and is left unspecified. WEB-SERVER1 stands for the server’s IP address or a named object.)
Basic Default Firewall Policies:
• Egress (outbound):
  – Source IP Address is within the Internal Network IP Address Space
  – Destination IP Address is NOT within the Internal Network IP Address Space
• Ingress (inbound):
  – Source IP Address is NOT within the Internal Network IP Address Space
  – Destination IP Address is within the Internal Network IP Address Space
iptables (Linux)
• Creates Host Firewall Rules
• Command Line Based or GUI Based
• Rules Are Created in a “Chain”:
  – INPUT (packets addressed to this host)
  – OUTPUT (packets this host originates)
  – FORWARD (packets routed through this host)
• Command Line Syntax: iptables -A chain firewall-rule
Example – permit SSH (port 22) arriving on eth0, drop everything else on INPUT:
  # Input rule: interface eth0, protocol tcp, destination port 22, action ACCEPT
  iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
  # Final catch-all: drop whatever no earlier INPUT rule accepted
  iptables -A INPUT -j DROP
Note: -i (lowercase) selects the interface, while -I inserts a rule at a position; --dport takes a space before the port number; target names such as ACCEPT and DROP are case-sensitive.
Firewall Ruleset
• Default Policy (what happens when no rule matches):
  – Discard (drop)
  – Forward (accept)
• Ruleset Parsed “Top-to-Bottom” – first match wins
  – More Specific – Top of the List
  – Implicit “DENY” – End of the List (set the default policy to drop, and finish with an explicit deny so that dropped packets can be logged)
• Example:
Takeaway Points & Reference Resources
Broadcast Infrastructure Cybersecurity
OSI Model & Security Protection Techniques
  7  Application   – Application Gateway
  6  Presentation  – Application Gateway
  5  Session       – Application Gateway
  4  Transport     – Circuit Gateway
  3  Network       – Packet Filtering
  2  Data Link     – MAC Based Security
  1  Physical      – Physical Device Security
Takeaway Points – Part 2
• The firewall is the 1st defense perimeter – but not the only protection
• A firewall is any software or device that filters packets to establish a trust perimeter
• A firewall is a necessary evil – Do NOT install & forget
• Firewall “housekeeping” is essential – Updates & Monitoring
• Do not solely depend upon a single border firewall: Harden host devices – disable any unused services
• Develop the mindset – deny everything – permit only when necessary
• Block inbound ICMP echo requests to prevent internal network host exploration (keep ICMP error messages such as fragmentation-needed, or path MTU discovery breaks)
• NAT alone should not be considered an effective firewall
• Don’t overlook egress filtering: the source address of every exiting packet should be within your internal network IP range
Future Webinars Will Continue to Build This List
The Challenge: SECURITY vs. USABILITY
SBE Webinar Series - 2018
Broadcast Infrastructure Cybersecurity
Webinar # 3 – “Understanding Secured Remote Access”
Major Topics (March 27, 2018):
• Webinar #2 Takeaway Point Review
• Secured Remote Access
• Establishing Secured Remote Access
• VPN Implementation & Configuration
• Building the Secure Network
• Takeaway Points & Reference Resources
• Questions & Discussion
Webinar # 4 – “Security Verification Thru Penetration Testing”
Major Topics (April 24, 2018):
• Webinar #3 Takeaway Point Review
• Proactive Security Monitoring
• Network Penetration Testing Overview
• Network Penetration Testing Tools
• Network Penetration Tool Example(s)
• Takeaway Points, Reference Resources, & Webinar Series Wrap-Up
• Questions & Discussion
My Favorite Reference Texts:
Thank You for Attending! Wayne M. Pecena Texas A&M University [email protected] [email protected] 979.845.5662
Questions & Discussion
Secretary, Board of Directors Executive Committee Member Chair, Education Committee