Security+All-In-One Edition
Chapter 8 – Infrastructure Security
Brian E. Brzezicki
WARNING! A LOT of the material in these slides and in this lecture is NOT in the book. The book does a good job of presenting most of the material needed for the Security+ exam. However the info in chapter 8 is a little thin… so pay close attention to the slides. Perhaps I provide a little too much depth for the Security+ exam… but it’s well worth doing the extra learning… especially if you want to take the CISSP or really understand networks and network security concepts to be USEFUL in real life!
Infrastructure Security
Infrastructure security is concerned with providing security for the entire network infrastructure: providing availability to authorized users, ensuring no one is allowed to access resources in an unauthorized manner, and ensuring that network integrity is maintained. That is, infrastructure security covers the entire CIA triad.
Devices on the Network
Workstations
Workstations (202)
Often overlooked in security, workstations are a very attractive target for hackers. IT staff often spend their time securing servers and don’t realize the danger their unprotected workstations pose.
(more)
Workstations (202)
Workstations are often “low hanging fruit” manned by end users who are themselves a security risk. Once a workstation is infiltrated an attacker may have access to data directly or via the authorized users on the system, and that workstation can be used as an attack point into the rest of the network.
Workstation security is CRITICAL to the “holistic” health and security of the network.
Workstation Security Best Practices (basic hardening) (203)
Physical
• Physically restrict access to the workstation
• Use locking devices so the computer cannot be opened or stolen (whether in whole or in part)
• Set a BIOS password
• Do not allow booting from removable media or altering of the boot order
• Remove removable media attachments if possible
• Use an encrypted file system (EFS) or disk encryption technology (BitLocker) if possible
(more)
Workstation Security Best Practices (basic hardening) (203)
Basic Account hardening
• Rename the administrator account, set a strong password
• Disable un-needed accounts
• Set strong password policies
(more)
Workstation Security Best Practices (basic hardening) (203)
Basic software hardening and maintenance
• Shut down services that are not needed
• Remove software that is not needed
• Use a standard workstation image for consistent installs and configuration
• Keep the OS and applications patched!
• Install anti-virus and anti-spyware on the workstation, keep it auto-updated *
• Install host-based firewall tools and TCP wrappers
(more)
Workstation Security Best Practices (basic hardening) (203)
Basic System Network Hardening
• Remove unnecessary protocols such as NetBIOS or IPX/SPX
• Remove any file/printer shares (generally workstations should not share files)
• Use a host based firewall
• Use host based IDS if possible
• Remove workstation remote access (e.g. modems, Remote Desktop)
Workstation Hardening
Please note the last few slides showed only the BASIC/minimum levels of workstation hardening. There are many more specific details you should be concerned with in real life. However, the last few slides provide the info the Security+ exam is concerned with and also provide a solid base from which you can expand to protect your workstations.
Servers
Servers (204)
Ok, everyone understands that you need to protect servers, right?
With servers:
• Follow the best practices for securing workstations
• Identify which servers need to run which services (web, email, file sharing)
• Try to ensure each server runs only one specific service, and that the service and OS are configured for maximum security
• Run network service daemons as non-privileged users
• Set strict permissions on network resources
• Disable, or completely remove if possible, all NON-essential services
(more)
Servers (204)
• If you cannot have a dedicated machine for each specific service, consider using virtualization (use virtualization even if you have multiple servers)
• As an administrator, UNDERSTAND which processes are required for the OS and service. Try to ensure only those processes are running, and be wary if you see other processes running
• Once installed, run Tripwire or other checksum software to identify and verify that critical files don’t “change” (why is this important, what could it mean?)
(more)
Servers (204)
• On Internet-facing servers (mail servers, web proxies etc.) ensure that you have anti-virus and malware protection on the incoming data streams, even if your workstations have anti-virus. If possible use a different anti-virus product/engine than you use on your workstations.
– Layered security / defense in depth
– Diversity of defense
(more)
Servers (204)• Run a host based IDS on your servers
• Periodically do vulnerability assessments on your servers
• Periodically verify that software and configuration files have not changed and that no new services have been started. Use version control if possible on configuration files.
Virtualization (n/b)
Virtualization is KEY to network security, availability and maintenance/ease of operation.
(see next slide)
Can anyone describe to me what virtualization is?
What does it allow you to accomplish
How does it make your life as an admin easier
How does it increase availability
How does it allow you to make servers more modular?
How does it increase security and integrity?
Virtualization
Virtualization migration
OSI Model
Oh no…
OSI (n/b)
OSI (n/b)
Before we talk about network equipment we need to discuss the OSI framework briefly.
The OSI model describes how network communications should be broken down into functional “tasks”. Each layer performs one task. It provides “services” to the layer above it, and uses services from the layer below it.
The OSI model is broken down into 7 levels (layers) which we will discuss.
OSI model – layer 1 physical (n/b)
• Layer 1 Physical – simply put, is concerned with physically sending electrical (or optical) signals over a medium. Is concerned with
– specific cabling,
– voltages and
– timings
• This layer actually sends data as signals that other equipment using the same “physical” medium understands – ex. Ethernet
OSI model – layer 2 data link (n/b)
• Layer 2 Data Link – data link goes hand in hand with the physical layer. The data link layer defines the format of the data “frames”* that will be sent over the physical medium, so that two network cards of the same network type will actually be able to communicate. These frames are handed to the physical layer to be turned into the electrical signals that are sent over a specific network. (layer 2 uses the services of layer 1)
• Two network cards on the same LAN communicate at the data link layer.
OSI model – layer 3 network (n/b)
Layer 3 Network – Layer 3 is concerned with network addressing and specifically with moving packets between networks in an optimal manner (routing). Some layer 3 network protocols are
– IP
– IPX (the network half of IPX/SPX)
– AppleTalk
OSI model Layer 4 Transport (n/b)
• OSI Layer 4 Transport – provides “end-to-end” data transport services and establishes a logical connection between two computer systems
• Virtual connection between “COMPUTERS”
OSI Model Layer 5 Session (n/b)
• OSI Layer 5 Session – responsible for establishing a connection between two APPLICATIONS! (either on the same computer or on two different computers)
• Create connection
• Transfer data
• Release connection
OSI model Layer 6 – Presentation (n/b)
• OSI Layer 6 – presents the data in a format that all computers can understand
– Concerned with encryption, compression and formatting
Example: big endian vs. little endian
The 16-bit value 258 is 0x0102 in hex. A big-endian machine stores the bytes in memory as 01 02; a little-endian machine stores them as 02 01. If the receiver reads the two bytes in the other order it gets 0x0201 = 513, so all computers on a network must agree which byte order to use on the wire (network byte order is big endian).
OSI model Layer 7 – Application (n/b)
• This defines a protocol (way of sending data) that two different programs understand.
– HTTP
– SMTP
– DNS
• This is the layer that most software uses to talk with other software.
OSI vs. TCP/IP model
TCP/IP model
• Network Access = OSI layers 1 & 2, defines LAN communication, what do I mean by that?
• Network = OSI layer 3 – defines addressing and routing
• Transport/Host to Host = OSI layer 4, 5 – defines a communication session between two applications on one or two hosts
• Application = OSI layers 6,7 the application data that is being sent across a network
Network Access
• Maps to Layer 1 and 2 of the OSI model
• The Level that a Network Interface Card Works on
• Source and destination MAC addresses define the communication endpoints
• Protocols include
– Ethernet
– Token Ring
– FDDI
Network Layer
• Maps to layer 3 of the OSI model
• Concerned with moving data from one LAN (network) to another.
• Breaks data into packets
• Source and Destination endpoints are defined by IP Addresses
• The protocol is IP
(IP addresses next slide)
IP addresses
IP addresses in IPv4 have the form 0-255 . 0-255 . 0-255 . 0-255
Example: 130.85.1.4
There are a few ranges of IPs that are considered “private” (RFC 1918):
10.x.x.x
192.168.x.x
172.16.x.x – 172.31.x.x
What does it mean to be a private address? (They are never routed on the public Internet; a NAT device maps them to public addresses, covered later.)
Transport / (Host to Host)
• Maps to layer 4 and 5 of the OSI model
• Concerned with establishing sessions between two applications
• Source and destination endpoints are defined by port numbers
• The two transport protocols in TCP/IP are TCP and UDP
(TCP and UDP next)
TCP (n/b)
Connection oriented, “guaranteed” delivery (lost segments are retransmitted).
Advantages
– Easier to program with
– Truly implements a “session”
– Adds some security (sequence numbers make blind spoofing and injection harder, and firewalls can track the connection)
Disadvantages
– More overhead / slower
UDP (n/b)
Connectionless, non-guaranteed delivery (best effort)
Advantages
– Fast / low overhead
Disadvantages
– Harder to program with
– No true sessions
– Less security (source addresses are trivially spoofed, since there is no handshake)
– A pain to firewall (no connection handshake to track)
Application Layer
• Maps to layers 6 and 7 of the OSI model
• The actual protocol/language that the application uses
Examples– HTTP– SMTP– DNS
Network Equipment
The network is the backbone of a company, as such it’s pretty important you understand some of the critical network equipment and concepts.
Network Interface Cards
Network Interface Cards (205)
Network Interface Cards are used to connect a computer to a LAN. NICs work on the physical and data link layers of the OSI model.
• A NIC is the physical connection to the network.
• NICs only understand how to package and move data between two computers on the same LAN.
• NICs use MAC addresses… they don’t understand IP addresses.
MAC addresses (206)
A layer 2 (data link) address. It’s how NICs communicate
• Consists of 6 bytes, written as six 2-hex-digit groups
– Example: 00:1A:4D:56:02:5E
• The first 3 bytes (the OUI) are assigned to NIC vendors; the vendor assigns the remaining 3
• NICs communicate directly with MAC addresses; the OS maps IP addresses to MAC addresses with ARP.
(more)
A quick discussion on IPs (n/b)
• Every computer on an IP network has at least 1 IP address
• Every NIC port has 1 MAC address
• An IP address can be spread across multiple NICs (for performance, e.g. NIC teaming)
So every computer has at least 1 IP address, and every IP address corresponds to at least one MAC address.
All IP traffic on a LAN carries both an IP address and a MAC address!
IPs and MACs
MAC address security (n/b)
• ARP – Operating systems and applications use IP addresses, but the network cards use MAC addresses. ARP is the protocol that translates IP addresses into MAC addresses. ARP has no authentication: a host simply believes the replies it receives.
• ARP poisoning is an attack against a network where one computer sends fake ARP replies, in an attempt to trick another computer on the same network into communicating with it instead of the real machine. This can be used as a man-in-the-middle attack, or a straight “hijacking” attack.
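Because ARP replies are unauthenticated, the practical defence is to watch for the symptoms. The following passive detector is an added example (not part of these slides) that flags the two classic indicators of the attack described above: an IP whose MAC changes, and one MAC claiming several IPs. The ARP replies, the addresses and the “protected” gateway IP are all constructed for the example.

```python
"""Passive ARP-poisoning detector: an added example, not from the slides.

Input is a constructed list of ARP replies as (sender_ip, sender_mac) pairs,
the way a sniffer such as arpwatch sees them on the LAN. Two indicators are
raised: an IP whose MAC changes (the classic poisoning symptom) and one MAC
claiming several IPs (an attacker posing as the gateway and a victim at once
for a man-in-the-middle). The addresses and the 'protected' gateway IP are
assumptions chosen for the example.
"""
from collections import defaultdict

HEX = set("0123456789abcdef")


def normalize_mac(mac):
    """Canonical lower-case colon form, so 00-1A-4D-56-02-5E == 00:1a:4d:56:02:5e."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """First three bytes: the vendor-assigned (OUI) portion of the address."""
    return normalize_mac(mac)[:8]


def analyze_arp(replies, protected_ips=()):
    """Return a list of (severity, message) alerts for the reply stream."""
    ip_to_mac = {}                 # last MAC seen claiming each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for ip, mac in replies:
        mac = normalize_mac(mac)
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # IP -> MAC binding flipped; worse if it is the gateway or another key host
            severity = "HIGH" if ip in protected_ips else "MEDIUM"
            alerts.append((severity, "%s changed from %s to %s" % (ip, previous, mac)))
        ip_to_mac[ip] = mac
        first_time = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if first_time and len(mac_to_ips[mac]) > 1:
            # one NIC answering for several IPs: MITM posture
            alerts.append(("MEDIUM", "%s claims %s" % (mac, sorted(mac_to_ips[mac]))))
    return alerts


# Constructed traffic: honest replies, then an attacker poisons the gateway
# entry on a victim and the victim entry on the gateway (full MITM).
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:1A:4D:56:02:5E"),   # real default gateway
    ("192.168.1.10", "00:1a:4d:aa:bb:01"),  # victim workstation
    ("192.168.1.66", "08-00-27-13-37-00"),  # attacker, honest at first
    ("192.168.1.1", "08:00:27:13:37:00"),   # attacker now claims to be the gateway
    ("192.168.1.10", "08:00:27:13:37:00"),  # ...and the victim
]

if __name__ == "__main__":
    for severity, message in analyze_arp(SAMPLE_REPLIES, protected_ips={"192.168.1.1"}):
        print(severity, message)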
Next a bit about Network Traffic Types (n/b)
• Unicast – network traffic sent from one specific computer to another specific computer.
• Broadcast – network traffic sent to ALL computers on a network
• Multicast – network traffic sent to a specific group of computers on a network
(see visualization next slide)
Unicast, Broadcast and Multicast
Hub (206)
Hub (206)
An OSI layer 1 (physical layer) device. Simply repeats an electrical signal it receives down all other ports.
• Hubs are unintelligent
• All computers connected to the hub receive the signal (so it’s easy to see other people’s network traffic)
• Everyone shares the network for speaking, only one at a time. If two nodes try to speak at the same time that is called a collision.
• All computers connected to a hub are in the same collision domain.
Bridge (206)
A bridge connects two segments of the SAME LAN together. However a bridge has some interesting features
• It is intelligent: it learns which MAC addresses are on each side of the bridge and uses that to determine how to send traffic
• A bridge isolates traffic to each side of the bridge and only forwards it across the bridge if necessary (good for security and performance). See next 3 slides
Bridge (206)
A bridge learns which computers (MAC addresses) are on each side of the bridge. It will forward traffic across the bridge only if necessary.
Bridge (206)
A bridge will only forward traffic across the bridge IF and ONLY IF, a computer on one side of the bridge is trying to communicate with a computer on the other side of the bridge.
Bridge (206)
A bridge can optimize performance, by allowing two conversations to occur (one on each side of the bridge).
A and B can communicate at the SAME time C and D communicate
Bridge (206)
Bridges will forward all broadcasts. Bridges will also forward traffic if they don’t yet know which side the destination address is on.
Bridge Overview (n/b)
A bridge separates segments into two or more collision domains. However it still remains one broadcast domain.
A bridge builds a table of MAC addresses known for each port
A bridge increases performance and security
A bridge is a layer 2 (data link device)
A bridge can be used to mix different LAN technologies (ex. a wireless AP is a bridge)
Switches
Switch (206)
A network switch is just a multi-port bridge. Switches will often have 24 or more ports, and learn which MAC addresses are on which ports.
• Works at layer 2 (data link)
• On a switch a computer can send data AND receive data at the same time (full duplex… increasing performance by up to 2x)
• On a switch each port is its own collision domain and will not have collisions, therefore allowing line-speed communication on each port
(more)
Switch (206)
• A switch only sends traffic from the sending computer to the receiving computer, which stops casual sniffing (watch for MAC flooding and ARP poisoning attacks though)
• Since switches inspect the MAC address on all traffic, a switch can be programmed to only allow certain MAC addresses to communicate on a port, and to ignore other MAC addresses or shut the port down when they appear (port security)
Switch (206)
Multiple conversations can occur on a switch at the same time!
Switch Specific Attacks (n/b)
MAC Flooding – Putting out tons of frames with different source MAC addresses in an attempt to overfill the switch’s MAC table. If this happens a switch might simply fall back to “hub mode” and start flooding traffic down every port, where the attacker can sniff it.
(see visualization next slide)
MAC flooding (n/b)
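To make the flooding mechanism concrete, here is an added simulation (not from the slides) of a learning switch with a bounded MAC table. It shows the two behaviours described above: a full table evicts legitimate entries so their traffic is flooded to every port, and a per-port MAC limit (port security) shuts the attacker's port instead. The port count, table size, per-port limit and all MAC addresses are assumptions chosen to keep the run small.

```python
"""Learning switch with a bounded MAC (CAM) table, showing MAC flooding and the
port-security counter-measure. Added example, not from the slides. Frames are
constructed (src_mac, dst_mac, ingress_port) tuples; the 4 ports, 8-entry
table and the 2-MACs-per-port limit are assumptions chosen to keep it small
(real switches hold thousands of entries; the attack just sends more frames).
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = set(range(1, ports + 1))
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.cam = OrderedDict()  # mac -> port, oldest entry first
        self.shutdown = set()     # ports err-disabled by a port-security violation
        self.flooded = 0          # frames sent out every port (hub-like behaviour)

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)   # refresh: active entries survive longest
            self.cam[mac] = port
            return
        if self.max_macs_per_port is not None:
            if sum(1 for p in self.cam.values() if p == port) >= self.max_macs_per_port:
                self.shutdown.add(port)  # violation: err-disable the offending port
                return
        if len(self.cam) >= self.table_size:
            self.cam.popitem(last=False)  # table full: oldest entry evicted, even if legitimate
        self.cam[mac] = port

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for the frame (empty set = dropped)."""
        if in_port in self.shutdown:
            return set()
        self._learn(src, in_port)
        if in_port in self.shutdown:
            return set()
        if dst != BROADCAST and dst in self.cam:
            out = self.cam[dst]
            return set() if out == in_port else {out}
        self.flooded += 1             # unknown unicast or broadcast: flood all but ingress
        return self.ports - {in_port}


def demo(port_security):
    """Alice (port 1) talks to Bob (port 2); Mallory (port 3) floods bogus sources.
    Returns (egress before attack, egress after attack, Mallory's port shut down?)."""
    limit = 2 if port_security else None
    sw = LearningSwitch(ports=4, table_size=8, max_macs_per_port=limit)
    alice, bob = "00:1a:4d:00:00:01", "00:1a:4d:00:00:02"
    sw.forward(alice, bob, 1)              # unknown destination: flooded, Alice learned on 1
    sw.forward(bob, alice, 2)              # Bob learned on 2
    before = sw.forward(alice, bob, 1)     # {2}: switched, Mallory on port 3 sees nothing
    for i in range(100):                   # MAC flooding from port 3
        sw.forward("02:00:00:00:%02x:%02x" % (i // 256, i % 256), BROADCAST, 3)
    after = sw.forward(alice, bob, 1)      # did Alice -> Bob stay private?
    return before, after, 3 in sw.shutdown


if __name__ == "__main__":
    print("no port security:", demo(False))   # Alice's frame now floods to port 3 too
    print("port security:   ", demo(True))    # port 3 err-disabled after 2 MACs
```

Without port security the attacker's 100 bogus entries push Alice and Bob out of the 8-entry table, so Alice's next frame to Bob is flooded to ports 2, 3 and 4 and Mallory sees it. With a limit of two MACs per port the third bogus source err-disables port 3 and the legitimate conversation stays switched.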
Switch Security (207)
Switches are intelligent devices with memory, CPU and a firmware/operating system. As such switches can be attacked/hacked.
Best Practices
• Switches should have their firmware/OS updated to proper levels at all times
• Switches should be managed from a serial console whenever possible
• If using a network management interface, ensure encryption and proper authentication practices (SSH/HTTPS rather than Telnet/HTTP)
• If possible restrict network management to “management network IP addresses”
Hubs Bridges and Switches (n/b)
An important concept… all computers connected via hubs, bridges and switches are in the same broadcast domain, and these computers form a LAN. They SHOULD be on the same IP network. (see slide)
192.168.1.4 / 255.255.255.0
192.168.1.100 / 255.255.255.0
192.168.1. 14 / 255.255.255.0
LAN (n/b)
All these computers are on the same LAN, and logical IP network. All are in the same broadcast domain.
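The two address facts above, the private ranges and “same IP network” via the subnet mask, both come down to the same masking arithmetic. The following is an added example (not from the slides) that performs it with bit operations so the mask logic is visible; it uses the slides' addresses (130.85.1.4, 192.168.1.x) and assumes a gateway of 192.168.1.1 for the next-hop decision.

```python
"""IPv4 address arithmetic: dotted-quad parsing, the RFC 1918 private-range
test, and the same-LAN test a host makes before deciding whether to ARP for
the destination directly or hand the packet to its default gateway.

Added example, not from the slides. Done with bit operations rather than the
ipaddress module so the masking is visible. Addresses follow the slides
(130.85.1.4, 192.168.1.x); the gateway address is an assumption.
"""

PRIVATE_RANGES = (          # (network, mask) per RFC 1918
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),   # 172.16.0.0 - 172.31.255.255
    ("192.168.0.0", "255.255.0.0"),
)


def ip_to_int(dotted):
    """'130.85.1.4' -> 0x82550104, rejecting anything not four octets in 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("IPv4 needs four octets: %r" % dotted)
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError("octet out of range: %r" % dotted)
        value = (value << 8) | int(part)
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_of(ip, mask):
    """Network address: host bits cleared by AND-ing the address with the mask."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def same_lan(ip_a, ip_b, mask):
    """Two hosts share an IP network iff the mask leaves identical network bits."""
    return network_of(ip_a, mask) == network_of(ip_b, mask)


def is_private(ip):
    return any(same_lan(ip, net, mask) for net, mask in PRIVATE_RANGES)


def next_hop(src, dst, mask, gateway):
    """Who the sender ARPs for: the destination itself if on-LAN, else the router."""
    return dst if same_lan(src, dst, mask) else gateway


if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.31.255.255", "172.32.0.1", "192.168.1.4", "130.85.1.4"):
        print(ip, "private" if is_private(ip) else "public")
    print(next_hop("192.168.1.4", "192.168.1.100", "255.255.255.0", "192.168.1.1"))
    print(next_hop("192.168.1.4", "10.1.2.7", "255.255.255.0", "192.168.1.1"))
```

Note that 172.32.0.1 is public: the 172.16/12 range stops at 172.31.255.255, which is exactly what the 255.240.0.0 mask encodes.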
VLANs (207)
A VLAN is the concept of creating multiple broadcast domains (LANs) on a single switch
• Why would it be used?
• Do you still have to route between VLANs?* (yes: each VLAN is a separate IP network)
• Two different VLAN protocols: 802.1Q*, or Cisco ISL*, for trunking between switches
• Use VLANs for convenience and for creating network security zones. One use is to create “dead” or “restricted” networks unless authentication is done via 802.1X
VLAN
Routers (208)
Can anyone define what a router does (in layman’s terms) without using the word route?
(answers next slide)
Routers (208)
Routers connect different networks (LANs) and allow these LANs to communicate with each other. They allow traffic to leave a local network and help direct it along the best path to the destination network.
• Layer 3 (network) devices
• Look at IP addresses, NOT MAC addresses (the MAC header is rewritten at every hop)
• Routers do NOT forward broadcasts, as such they create different broadcast domains!
• Can determine routes statically or dynamically
• Can apply access control lists to allow or deny certain types of traffic (firewall)
see visualization next page
Router (208)
Routers create separate LAN networks. These networks will have different IP ranges
192.168.1.0 / 255.255.255.0 10.1.2.0 / 255.255.255.0
Router Security (209)
Routers, like switches, are intelligent devices with memory, CPU and a firmware/operating system. As such routers can be attacked/hacked.
Best Practices (same as switches)
• Routers should have their firmware/OS updated to proper levels at all times
• Routers should be managed from a serial console whenever possible
• If using a network management interface, ensure encryption and proper authentication practices
• If possible restrict network management to “management network IP addresses”
Firewall (209)
Firewall (209)
An advanced network device. Its purpose is to enforce an organization’s network security policy.
A firewall is often a “router on steroids”. Firewalls generally connect 2 or more networks; however, firewalls are generally not heavily concerned with finding best routes. Instead they are concerned with analyzing packets to see if the packets should be allowed or dropped based on the network security policy.
(more)
Firewalls (209)
• Firewalls have advanced functionality and can operate on layer 3 (network), 4 (transport) all the way to layer 7 (application).
• Firewalls generally consult Access Control Lists (ACLs) which are simply rules of what types of traffic to allow or deny
• Firewalls should always follow the principles of least privilege (allow only what is needed) and implicit deny (anything not explicitly permitted is dropped)
There are many types of firewalls which we will discuss on the upcoming slides.
Firewall Types (211)There are a few types of firewalls we will talk
about in the next couple slides
• Packet Filters
• Stateful Filters
• Circuit Level Proxies
– SOCKS
– NAT
• Application Proxies
Packet Filters (211)
A packet filter is the most basic and first type of firewall. It is effectively a router that inspects layer 3 (network) and layer 4 (transport) headers for each packet. It compares these headers with a list of allowed or denied actions (ACL) to determine how to handle a packet.
Ex. (Cisco IOS extended ACL syntax: anyone may reach the web server on TCP port 80)
permit tcp any host www.myserver.com eq 80
Packet Filter (211)
Advantages:
• Cheap / fast
• Does not keep state (nothing is lost on a reboot)
Disadvantages
• Does not keep state (return traffic needs its own rule, and spoofed “replies” match that rule)
• Only looks at layer 3 and 4 headers
• Can be broken via fragmentation (the layer 4 header is only in the first fragment)
• Cannot inspect actual packet data
• Can be complex to set up
Stateful Packet Filter (211)
Like a packet filter, but actually builds a table of ongoing communication and understands who is communicating with whom, what type of communication is happening and when the communication is over.
Can allow return traffic without a specific return-traffic rule (which is convenient, and safer: only replies to connections it has seen get in)
Stateful Packet Filters (211)
Advantages:
• Cheap
• Does keep state (makes return rules unnecessary, and adds some security)
Disadvantages
• The state table is lost on a reboot or failover (rebooting breaks established sessions)
• Only looks at layer 3 and 4 headers
• Might be broken via fragmentation
• Cannot inspect actual packet data
• Can be complex to set up (less so than regular packet filters)
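The difference between the two filter types is easiest to see on a wire-level example. The following is an added example (not from the slides): a first-match ACL with implicit deny in the style of the rule above, and a stateful filter that tracks TCP connections. The addresses and port numbers are assumptions. It shows the weakness the stateless “return traffic” rule introduces: an outside host that simply uses source port 80 gets through to any inside port, while the stateful filter admits only replies to connections it recorded.

```python
"""Stateless ACL matching versus a stateful filter, as an added example (not
from the slides). Rules follow the 'permit tcp any host X eq 80' shape used
above; packets are constructed 5-tuples plus TCP flags; all addresses are
assumptions. The point shown: a stateless filter needs an explicit rule for
return traffic, and that rule lets any outside host that uses source port 80
reach any inside port, while the stateful filter admits only replies to
connections it has already recorded.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (any protocol)
    src: str               # "any" or one address
    sport: Optional[int]   # None = any port
    dst: str
    dport: Optional[int]


def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.sport in (None, pkt.sport)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


def stateless_filter(acl, pkt):
    """First matching rule wins; every ACL ends in an implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    def __init__(self, acl):
        self.acl = acl
        self.table = set()   # (proto, initiator, initiator port, responder, responder port)

    def check(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:
            return "permit"  # reply belonging to a connection we saw start
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"    # a new TCP flow must begin with a bare SYN; stray ACKs are dropped
        if stateless_filter(self.acl, pkt) == "permit":
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        return "deny"


def demo():
    client, web, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    permit_web = Rule("permit", "tcp", "any", None, "any", 80)      # inside -> any web server
    permit_return = Rule("permit", "tcp", "any", 80, "any", None)   # stateless filter's return rule
    stateless_acl = [permit_web, permit_return]
    stateful = StatefulFilter([permit_web])                         # no return rule needed

    syn = Packet("tcp", client, 40000, web, 80, syn=True)
    syn_ack = Packet("tcp", web, 80, client, 40000, syn=True, ack=True)
    probe = Packet("tcp", attacker, 80, client, 22, syn=True)   # attacker hides behind source port 80

    flows = (syn, syn_ack, probe)
    return {
        "stateless": [stateless_filter(stateless_acl, p) for p in flows],
        "stateful": [stateful.check(p) for p in flows],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Neither filter looks past the layer 4 header, so the fragmentation and “bad data” weaknesses listed above apply to both; the state table only closes the return-traffic hole.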
Proxies (212)
A Proxy is simply a middleman. When you want to communicate with the internet, you contact a proxy, who communicates on your behalf to the destination server. Then the Proxy will return the data to you from the destination… You NEVER directly communicate with the destination when using a proxy
Two Types
• Circuit Level Proxy – Example: SOCKS, NAT
• Application Proxy – Example: Squid
Circuit Level Proxy (212)
Simply put, a middleman.
You talk to a proxy which takes your information and sends it to a remote server; it also receives the response and sends it back to you. It relays the bytes without understanding them.
Circuit Level Proxies (212)
Advantages
• Fairly simple
• Hides internal network addresses
• When used with a firewall, stops people from directly starting conversations with internal hosts, while still allowing internal hosts to communicate with the Internet
Disadvantages
• A single point of failure and a performance bottleneck
• Does not actually “analyze data”, so doesn’t protect from “dangerous data”
NAT/PAT (211)
A proxy that works without special software and is transparent to the end users.
Remaps IP addresses, allowing you to use “private addresses” (see the IP address slide earlier) internally and mapping them to “public IP addresses”
NAT maps one “public” IP directly to one “private” IP
PAT (also written PNAT or NAPT) allows multiple “private IPs” to share one “public” IP
(see slides)
NAT
NAT
1. Computer 10.0.0.1 sends a packet to 175.56.28.32. The router grabs the packet and notices it is NOT addressed to itself.
2. The router modifies the src address to one from its pool (215.37.32.202), records the mapping in its NAT table, then sends the packet on its way to the destination*
3. The end machine accepts the packet as it is addressed to it.
4. The end machine creates a response, src = itself (175.56.28.32), dest = 215.37.32.202
5. The router grabs the packet, notices the dest address, looks it up in its NAT table, rewrites the dest to 10.0.0.1 and sends it on its way*
6. The originating machine grabs the response since it is addressed to it, and processes it.
PAT
PAT
1. Client computer creates packet
SRC: 10.0.0.1:TCP:10000 DEST: 130.85.1.3:TCP:80
2. Router rewrites the SRC portion to be SRC: 208.254.31.1:TCP:1026 and makes an entry in the PAT table
3. End server accepts packet
4. End server creates return packet
SRC: 130.85.1.3:TCP:80 DEST: 208.254.31.1:TCP:1026
5. Router receives packet, looks up port 1026 in the PAT table, rewrites destination to be DEST: 10.0.0.1:TCP:10000
6. Client receives the return packet
NAT/PAT difference (n/b)
• NAT ONLY looks at and rewrites the IP addresses
• NAT requires 1 public IP for each computer that wants to access the Internet simultaneously. If you have 100 computers and you expect 20 of them to access the Internet at any time… you need 20 public IP addresses
• PAT looks at the IP and TCP/UDP headers and rewrites both (address and port)
• PAT only requires 1 public IP address and can support about 64,000 simultaneous connections per public IP address (one per available port number, per protocol)
NAT / PAT (n/b)
Advantages
– Allows you to use private addresses internally; you don’t need a real public IP address for each computer
– Protects the network by stopping external entities from starting conversations with internal machines (an unsolicited inbound packet has no translation table entry, so it is dropped)
– Hides internal network structure
– Transparent, doesn’t require special software
Disadvantages
– Single point of failure / performance bottleneck
– Doesn’t protect from “bad data”
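The PAT walk-through above, as an added example (not from the slides) in code: a translation table keyed on the full 5-tuple, the outbound rewrite of steps 1-2, the inbound rewrite of step 5, and the drop of an unsolicited inbound packet that explains the “stops external entities from starting conversations” advantage. The addresses are the slides' own (10.0.0.1:10000 to 130.85.1.3:80 via 208.254.31.1:1026); the second inside client, the attacker address and the port pool are assumptions.

```python
"""PAT (NAT overload) translation table walking the six steps above with the
same addresses. Added example, not from the slides. The 1026-65535 port pool,
the 5-tuple table layout, the second client and the outside attacker are
assumptions; real implementations also time entries out and handle ICMP and
FTP specially."""


class PatRouter:
    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_map = {}   # (proto, in_ip, in_port, dst_ip, dst_port) -> public_port
        self.inbound_map = {}    # (proto, public_port, dst_ip, dst_port) -> (in_ip, in_port)

    def _allocate_port(self):
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")   # ~64k flows per public IP
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Steps 1-2: rewrite the source of an inside -> outside packet."""
        proto, src, sport, dst, dport = pkt
        key = (proto, src, sport, dst, dport)
        if key not in self.outbound_map:
            public_port = self._allocate_port()
            self.outbound_map[key] = public_port
            self.inbound_map[(proto, public_port, dst, dport)] = (src, sport)
        return (proto, self.public_ip, self.outbound_map[key], dst, dport)

    def inbound(self, pkt):
        """Step 5: rewrite the destination of an outside -> inside packet, or drop (None)."""
        proto, src, sport, dst, dport = pkt
        if dst != self.public_ip:
            return None
        entry = self.inbound_map.get((proto, dport, src, sport))
        if entry is None:
            return None          # nobody inside opened this flow: unsolicited, dropped
        in_ip, in_port = entry
        return (proto, src, sport, in_ip, in_port)


def demo():
    router = PatRouter("208.254.31.1", first_port=1026)
    out1 = router.outbound(("tcp", "10.0.0.1", 10000, "130.85.1.3", 80))
    out2 = router.outbound(("tcp", "10.0.0.2", 10000, "130.85.1.3", 80))  # same private port, new public port
    reply = router.inbound(("tcp", "130.85.1.3", 80, "208.254.31.1", out1[2]))
    # attacker aims at the in-use public port 1026, but the table entry is bound
    # to 130.85.1.3:80, so the packet has no translation and is dropped
    unsolicited = router.inbound(("tcp", "198.51.100.7", 4444, "208.254.31.1", 1026))
    return out1, out2, reply, unsolicited


if __name__ == "__main__":
    for label, result in zip(("outbound 1", "outbound 2", "reply", "unsolicited"), demo()):
        print(label, result)
```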
Application Proxies (212)
Like circuit-level proxies, but they actually understand the application/protocol they are proxying!
This allows for additional security, as they can inspect the data for protocol violations or malware!
Application Proxies (212)
Examples: Squid web proxy server
Internet Security and Acceleration Server (MS web proxy)
SMTP proxies
FTP proxies
Application Proxies (212)
Advantages
Application proxies understand the protocol, so they can add extra security
– Ex. Restrict users to only allowed websites
– Ex. Inspect data for protocol violations
– Ex. Inspect data for malware (viruses etc.)
Disadvantages
– Extra processing requires extra CPU (slower)
– Proxies ONLY understand the protocols they were written to understand, so you generally need a separate application proxy for EACH protocol you want to proxy
PBX systems (215)
Some (almost all) medium to large organizations run their own PBX (Private Branch Exchange).
Beware of attacks against PBX systems. Hackers may use your PBX to get free long distance calls etc. (using 2600 Hz whistles was famous: the Captain Crunch story).
Be aware that the original phone system hacking was called phreaking.
Be aware that the concept of phishing over the phone is called vishing.
Network Access Control (216)
Did we talk about NAC and NAP yet? If not, explain NAC and NAP.
Security Zones
Bastion Host (230)
• Bastion Host – a server that is highly locked down (hardened). Usually put in a DMZ (later). These machines can be directly accessed from the Internet (though usually through one layer of firewall), so they are “hardened” (what do I mean by that?)
Security Zones (229)
It is common practice in network and physical security to group different security levels into different areas or zones. Each zone is either more or less trusted than the other zones. Interfaces between zones have some type of access control to restrict movement between zones (biometric readers and guard stations in the physical world, firewalls on the network). In network security there is often an intermediate zone between the Internet and the internal network called a DMZ.
DMZ (230)
• A buffer zone between an unprotected network and a protected network that allows for the monitoring and regulation of traffic between the two.
– You generally put your Internet-accessible servers (bastion hosts) in a DMZ between your organization’s internal network and the Internet.
DMZ
Multi Homed Firewall (n/b)
• Pretty much any firewall: dual-homed means there are two network interfaces, one on the “Internet” side and one on the “internal network” side
• Multi-homed just means 2 or more interfaces. Multi-homed firewalls may be used to set up a DMZ with a single firewall (see next slide)
• On a dual/multi-homed host that is not meant to route (a bastion or proxy host), “IP forwarding” should be disabled, so traffic can only cross between the interfaces through the proxy software and never via the kernel’s routing.*
Multi-homed firewall
Screened Subnet (n/b)
• A type of DMZ where there is a “middle” network on which the Internet services reside, in front of the “internal” network (see next slide). In a screened subnet there is usually a router performing packet filtering before the “first firewall”.
Screened Subnet
Internal firewalls (n/b)
• You may have a firewall that protects internal networks from each other!
Networking Media / Cabling
Coax (219)
Coax (219)
• Coaxial – copper core surrounded by insulation, a braided metal shield and an outer jacket
– 185 meter (10BASE2, “thinnet”) and 500 meter (10BASE5, “thicknet”) maximum segment lengths
– More resistant to EMI than UTP
• Not used much anymore
– Can be baseband (one channel, Ethernet) or broadband (multiple channels, cable TV)
Twisted Pair
Twisted Pair (219)
• Like phone wire, but more wires (4 pairs); the twisting cancels out crosstalk and interference
• 100 meter maximum lengths
• RJ-45 connector
• Two main “types”: UTP and STP
• STP is shielded and better if you have EMI issues
• UTP is unshielded and susceptible to EMI and crosstalk
• UTP also gives off signals which could be picked up if you have sufficient technology (TEMPEST)
• “least secure vs. coax and fiber”
Fiber
Fiber (221)
• Glass (or plastic) strands that carry light rather than electricity
• High speed, long haul
• NOT affected by EMI, and far less attenuation (signal loss) than copper
• Does NOT radiate energy, so it cannot be sniffed from outside the cable: better security
• Expensive
• Difficult to work with
• Used in backbones
Random Terms
Terms (231)
Intranet – A network that has the same functionality as the Internet (web, email, etc.), but lies within an organization’s internal network.
Extranet – An extension of a company’s “intranet” made available to external partners, allowing businesses to share information and resources. Should be protected by some type of security mechanism such as a VPN or an SSL/TLS-protected website.
(more)
Chapter 8 - Review
Q. What layer of the OSI model does a switch operate at, what addresses does it “switch”
Q. What layer of the OSI model does a router look at, what addresses does it “route”
Q. The purpose of twisting the wires in a twisted pair cable is what?
Q. Fiber Optic cabling is / is not susceptible to electromagnetic interference?
Chapter 8 - Review
Q. What is a Bastion Host
Q. What is the purpose of a DMZ
Q. What is NAC/NAP?
Q. What is the main purpose of a circuit layer proxy.
Q. How is an application layer proxy different than a circuit layer proxy?
Chapter 8 - Review
Q. What are the Private IP ranges
Q. How is STP different than UTP?
Q. What is ARP poisoning?
Q. What is MAC flooding?