Broadcast Infrastructure Cybersecurity - Part 2

Transcription

1 SBE Webinar Series Broadcast Infrastructure Cybersecurity - Part 2 Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services KAMU FM-TV

2 Broadcast Infrastructure Cybersecurity Advertised Presentation Scope Webinar Series Overview As broadcast station IP networks have grown and become an integral part of the broadcast technical plant, so has the security threats grown such that network security is an ongoing essential task for the broadcast engineer with IT responsibilities. This webinar series will provide an understanding of IP network security terminology, security plan principals, best practices, proactive implementation techniques, and active security verification. Practical implementation examples utilizing popular network infrastructure equipment will be provided with public domain security assessment tools. At the conclusion of this webinar series, you should have a fundamental understanding of IP network security principals, an understanding of developing a network security plan for your organization, and best practice implementation approaches. Network security is an on-going IT process and should never be considered a one-time setup and forget process. Prerequisite Knowledge: It is recommended that participants have an understanding of IP networking fundamentals that includes OSI model structure, Ethernet switch operation, IP layer 3 system protocols, TCP 3-way handshake, and the use of port numbers. 2

3 Broadcast Infrastructure Cybersecurity Webinar # 2 Understanding The Firewall Major Topics: Webinar #1 Takeaway Point Review The Firewall The Access Control List (ACL) Firewall Implementation & Ruleset Configuration Takeaway Points & Reference Resources Questions & Discussion 3

4 Takeaway Points Part 1 Recognize & Accept The Security Lifecycle Have a Security Policy Utilize Defense in Depth Strategy Understand Security Threat Landscape Begin With Network Design - Segment Your Network Security Performance Enhancement Implement a Structured Plan Begin with Physical Security Implement Switch Port Security Implement Packet Filtering Implement Encrypted Access Implement Trust (authentication) Implement Ethernet Port Security Disable Any Unused Ports Enable Truck/Tagged Ports w/caution Do Not Use VLAN 1 Monitor Your Network Know What is Normal! 4 Future Webinars Will Continue to Build This List

5 Ethernet Switch Functions Learn MAC Addresses Build Table Filter / Forward Ethernet Frames Flood Ethernet Frames Broadcast Frame MAC Not in CAM Table) Establish VLAN(s) Provide Loop Avoidance - Redundancy (STP) Provide Port Security Features Provide Multicast Support (IGMP Snooping) Basic Switch Functions Managed Switch Functions 5

6 Layer 2 - Switch Port Security Port Security Options: Permit Specific MAC Address / Port Limit # MAC Address / Port Sticky MAC Learning Configuration Port Security Violations: Discard Frame Shutdown Port Notification Prevents CAM Table Overflow Attacks Limits DoS & DDoS Attacks 6

7 Layer 2 Data-Link Layer Access Implement Ethernet Switch Port Security Disable Unused Ports Config Trunk / Tagged Ports With Caution VLAN 100 VLAN 200 VLAN Enable Switch Port Security: Specific MAC address Limit number of MAC addresses / port Specify shutdown violation response Segment Network Traffic Disable Any Unused Access Or Untagged Ports Configure Trunk Or Tagged Ports Only When Required

8 Layer 2 Hardening Disable Telnet Use SSH Set SNMP Secrets Minimize Spanned VLAN(s) Set STP Root Designation Enable Spoofing Features Disable Unused Ports Do Not Use VLAN1 Disable CDP (Cisco) Enable Port Security Use Authentication (802.1x) 8

9 Cybersecurity Attack Model Network Probing & Reconnaissance Passive & Active Approaches Find Target(s) Harvest Information Delivery & Attack Installation & Exploitation 9 Compromise & Expansion

10 Structured Implementation Plan Layer 4 and above Encryption & Authentication Layer 3 Packet Filtering Layer 2 Ethernet Switch Security Layer 1 Physical Access 10

11 L3 and Above Network Security Tools Firewall Used to Create a Trusted Network Segment by Filtering Network Packets Permit Deny Types of Firewalls: Stateless Packet Filtering Single Packet Inspection Based Stateful Packet Filtering Flow or Conversation Inspection Based Proxy Intermediary Host or Software Ap Access Control Mechanism Detection Tools Intrusion Detection Systems (IDS) Signature Based Anomaly Based False + / False - Intrusion Prevention Systems (IPS) Combine Firewall & IDS Functions External Network Proxy External Network 11

12 Broadcast Infrastructure Cybersecurity The Firewall

13 What is a Firewall? Why Use? First level of defense Protection for hosts lacking security Protection for a group of hosts Device (hardware or software) That Controls Which IP Packets Enter or Exit a Network (Permit or Deny) 13

14 Generations of Firewall Technology Generation 1: Packet Filtering (static inspection) Generation 2: Circuit Level Gateway (NAT) Generation 3: Packet Filtering (stateful inspection - dynamic) Generation 4: Application Level Gateway (Proxy) Generation 5 and beyond: Application Level - Kernal Proxy 14

15 Firewall Types Packet Filtering (stateless) Packet Filtering (stateful inspection) Application Gateway (proxy) Circuit Gateway (NAT) Next-Gen Firewall Hides Internal Host IP Address Traditional Stateless / Stateful Firewall + Application Deep Packet Inspection (DPI) + Intrusion Prevention System (IPS) 15

16 A State A dynamic rule created by the firewall based upon a host-host source destination address-port combination Send Host Receive Host I Want to Connect. My Sequence Number is 100 SEQ = 100 CONTROL = SYN SEQ = 1 ACK=100 CONTROL = SYN, ACK I Received Your Sequence 100! My Sequence Number is 1 & Ready for 101 I Received Your Sequence 1 & Ready for Sequence 2 SEQ = 101 ACK=2 CONTROL = ACK : > : : > :

17 Firewall Software & Appliances Software Based: IP Tables (linux) PFSense ZoneAlarm (Win) Appliance Based: Cisco PIX Cisco ASA Checkpoint FireWall -1 Barracuda Firewall 17

18 The IPv4 Packet Header Protocol Indicates upper layer protocol (TCP, UDP, ICMP as examples) Source Address Address of sending Host Destination Address Address of receiving Host 4 bytes 32 bits Version (4) Header (4) Precedence / Type (8) Length (16) Identification (16) Flag (3) Offset (13) Time to Live (8) Protocol (8) Header Checksum (16) 20 Bytes Source IP Address (32) Destination IP Address (32) Options & Padding (0 or 32) Packet Payload (Transport Layer Data) 18

19 Broadcast Infrastructure Cybersecurity The Access Control List (ACL)

20 Packet Filtering Border Router Border Router w/packet Filtering (ACL) Internal Network (Private) External Network (Internet) Trusted Boundary Creating Trust Zone Un-Trusted Security Perimeter 20

21 The Access Control List ACL Statements That Permit or Deny Layer 3 Network Traffic The ACL is a Predefined Rule Script Packet (layer 3 PDU) Filtering Accomplished: By A Layer 3 Router Inspect Incoming & Outgoing Packets Against Rule Determine if Packet Is to Be Forwarded or Dropped The Layer 3 Router with ACL s Implemented Becomes a Basic Firewall (Generation 1) Why Use an ACL? Provide Security by Denying Specific Packets Destination Host (s) Provide Security by Denying Specific Packets Source Host(s) Provide Security by Denying Specific Packets Protocol(s) Minimize Specific Packets to Increase Performance Classify Packets for Quality-of-Service (QoS) Applications 21

22 Access Control List More Details Provides Basic Network Access Security Buffer - Packet Filter Based Filter IP Network Packets: Egress Interface Ingress Interface Standard Access List Layer 3 Header Info Can Only Permit or Deny The Source Host IP Address Placed Closest to Destination Host Extended Access List Layer 3 & 4 Header Info Can Permit or Deny Based Upon: Source IP Address Destination IP Address TCP Port # UDP Port # TCP/IP Protocol Placed Closest to Source Network ACL Can Be Numbered or Named Standard: 1 99 or Extended: or

23 ACL Guidelines One (1) ACL / Interface / Protocol / Direction The ACL is Hierarchal Processed (top down) More specific statements first Less specific statements follow The ACL is Created Globally Applied to Specific Interface The ACL Filters: Packets passing through router Packets to the router Packets from the router The ACL Has Implicit Deny End ACL must contain at least one permit statement #access-list 100 permit ip any any Reference: 23

24 Implementing an Access Control List One ACL per: Interface Direction Protocol Ingress ACL Filters Inbound Packets Egress ACL Filters Outbound Packets Egress ACL Filters Outbound Packets Ingress ACL Filters Inbound Packets Interface 0/0 Interface 0/1 Create Access Control List Permit or Deny: Source IP Address (standard) Source IP Address (extended) Destination IP Address ICMP TCP/UDP Source Port TCP/UDP Destination Port Apply Access Control List 24

25 Access Control List (ACL) Syntax Standard ACL: access-list access-list-number {permit deny}match-parameter Match-parameters: any host IP network IP + wilcard Extended ACL: access-list access-list-number {permit deny}protocol {source source-wildcard host} {destination destinationwildcard host} 25

26 Broadcast Infrastructure Cybersecurity The Access Control List (ACL) Examples

27 Wildcard Mask Common Use: Routing Protocols & ACL Used to Specify a Range of IP Addresses IPv4 Wildcard Mask is 32 bits Equivalent to Inverted Subnet Mask: Subnet Mask Inverted Mask Subnet Mask Wildcard Mask Binary Operators: 0 bit Indicates Match 1 bit Indicates No-Match 27

28 Calculate the Wildcard Mask Subnet Mask = IPv4 Address Space subtract subnet mask Yields Inverted Mask Wildcard Mask =

29 ACL Example(s) Permit ALL IPv4 Addresses: #access-list 1 permit Permit All Hosts: #access-list 1 permit Permit Only IP Address #access-list 1 permit Deny Only IP Address #access-list 1 deny #access-list 1 permit any any Remember Implicit DENY Remember to Apply ACL to Interface 29

30 ping Packet Internet Groper Send Hosts Sends ICMP echo request Destination Host Replies ICMP echo reply Round-Trip Times Returned Be Aware of Command Line Options 30

31 ICMP Messages: Network Layer Based RFC 1256 The Tattle Tale Protocol Platform Utilized by ping & traceroute 31

32 Access Control List (ACL) - Example Block External Users From Pinging Inside Network Hosts / /24 E0 E1 The Internet Router /24 Create Access List on Router 1: access list 100 deny icmp any any access-list 100 permit ip any any Apply Access List to Interface: interface ethernet1 ip access-group 100 in 32 Configuration Disclaimer: Exact configuration commands may vary based upon specific equipment models and software version. Generic Cisco commands utilized for illustration purposes.

33 Port Numbers RFC 1700 Applications Are Indexed by a Port Number Port Numbers Can Be Between 0 65, ,023 Considered Reserved 1,024 49,151 Can Be Registered 49,152 65,535 Considered Dynamic or Private 65,535 TCP Ports 65,535 UDP Ports Service Name and Transport Protocol Port Number Registry: 33

34 Examples: Well Known - System Port Numbers Port 20 / 21 FTP File Transfer Protocol Port 23 TELNET Port 53 DNS Domain Name Service Port 80 HTTP Port 110 POP3 Post Office Protocol Port 123 NTP Network Time Protocol Port 161 SNMP Simple Network Management Protocol (UDP) Port HTTPS 34

35 A Firewall: Filter Packets: Positive Filtering - Permit Negative Filtering - Deny Filtering Based Upon (L3 header): Source IP Address (range of addresses) Destination IP Address (range of addresses) Source IP Port Destination IP Port Protocol Can Do More: Serve as Proxy Server VPN Implementation (IPsec Encryption) Network Address Translation (NAT) Touch Point for Monitoring (logging) Firewall Form Factors: Software Based Layer 3 Router Based Dedicated Appliance 35

36 Firewall Types Filters What IP Traffic Can Enter or Exit a Network Based Upon Pre-Defined Rules Stateless Packet Filtering Single Packet Inspection Access Control List ACL Ingress or Egress Filtering No knowledge of flow Filters on IP Header info Layer 3 Stateful Packet Filtering Conversation Inspection Filters on IP Header info Layers 3-4 Records conversations then determines context:» New Connections» An Existing Conversation» Not involved in any conversation 36

37 Stateless vs Stateful Packet Filtering - Stateless Packet Filtering - Stateful HTTP Request HTTP Request HTTP Reply Internet Internet Blocked X HTTP Reply Blocked X Telnet Session 37 Filtering Parameters: IP Source Address IP Destination Address Protocol TCP Traffic UDP Traffic Port Number

38 Stateless Firewall In Addition to TCP/IP Header Checks, A Stateless Firewall Can Detect Packet Anomalies: IP Packet Header Makeup IP Addressing Non-Compliance IP Fragmentation Errors TCP Flow Sequencing UDP Flow Sequencing Anomalies Associated with Packet Flows: SYN-ACK Sequence Not Compliant ICMP Errors 38

39 Misconceptions With Firewalls Prevents ALL Cybersecurity Threats Blocks Undesirable Packets Permits Authorized Packets Should Be Component of Multi-Perimeter Approach (Defensein-Depth) Requires Regular Housekeeping Install and Forget 39

40 Firewall Use Caution False Sense of Security Don t Bother Me - I Have A Firewall I m Secure! Minimize Protection Zone Tendency is to Maximize Host(s) in Protection Zone Formal Policy Required Create Policy First Then Create Rule Syntax Performance Impact Throughput (packets/sec) Impact Latency Impact Don t Overlook Egress Be a Good Network Citizen 40

41 Broadcast Infrastructure Cybersecurity Firewall Implementation & Ruleset Configuration

42 Firewall Placement Network Architecture Internal Network (Private) External Network (Internet) Web Server Internal Network (Private) External Network (Internet) Internal Network (Private) Web Server 3-Legged Firewall External Network (Internet) DMZ Firewall Firewall DMZ ACL(s) Implemented 42

43 The Bastion Host Host Device Bare Essentials to Support Application Minimized Op System Minimum Services Enabled/Implemented Implemented with a Firewall Only Application Protocol Permitted DMZ Dematerialized Zone Bastion Host Only Firewall & Bastion Host Exposed Internal Network (Private) External Network (Internet) Firewall 43

44 Proxy Firewall Hides Internal Network Hosts External Hosts Only Sees Proxy Address Limits Network Access to Application Protocols Client Server Relationship Can Be Implemented Within Firewall Can Be Implemented Within Server Can Filter Content Proxy Server Internal Network (Private) External Network (Internet) Firewall 44

45 Policy vs Rule Policy is Starting Point Create Rule Syntax to Implement Policy Security Policy: Accept Incoming http Traffic From Public Internet to Webserver Firewall Rule: permit tcp any WEB-SERVER1 http Security Policy: Allow RDP from Network Engineer workstation Webserver Firewall Rule: permit tcp WEB-SERVER1 45

46 Basic Default Firewall Polices: Egress: Source IP Address within Internal Network IP Address Space Destination IP Address is NOT within Internal Network IP Address Space Ingress: Source IP Address NOT within Internal Network IP Address Space Destination IP Address is within Internal Network IP Address Space 46

47 IP Tables (linux) Creates Host Firewall Rules Command Line Based or GUI Based Rules Created in a Chain : Input Output Forward Command Line Syntax: iptables A chain firewall-rule iptables A INPUT I eth0 p tcp -dport22 j accept Input Rule Protocol Interface Port Action Permits SSH ie port 22 iptables A INPUT j DROP 47

48 Firewall Ruleset Default Ruleset: Discard Forward Ruleset Parsed Top-to-Bottom More Specific Top of List Implicit DENY End of List Example: 48

49 Broadcast Infrastructure Cybersecurity Takeaway Points & Reference Resources

50 OSI Model & Security Protection Techniques Application Presentation Session Transport Network Data Link Physical Application Gateway Application Gateway Application Gateway Circuit Gateway Packet Filtering MAC Based Security Physical Device Security 50

51 Takeaway Points Part 2 The firewall is the 1 st defense perimeter but not the only protection A firewall is any software or device that filters packets to establish a trust perimeter A firewall is a necessary evil Do NOT install & forget Firewall housekeeping is essential Updates & Monitoring Do not solely depend upon a single border firewall: Harden host devices disable any un-used services Develop mindset deny everything permit when necessary Block ICMP to prevent internal network host exploration NAT alone should not be considered an effective firewall Don t over-look egress filtering: Exiting packet should be within your internal network IP range 51 Future Webinars Will Continue to Build This List

52 The Challenge SECURITY USEABILITY 52

53 SBE Webinar Series Broadcast Infrastructure Cybersecurity Webinar # 3 Understanding Secured Remote Access Major Topics (March 27, 2018): Webinar #2 Takeaway Point Review Secured Remote Access Establishing Secured Remote Access VPN Implementation & Configuration Building the Secure Network Takeaway Points & Reference Resources Questions & Discussion Webinar # 4 Security Verification Thru Penetration Testing Major Topics (April 24, 2018): Webinar #3 Takeaway Point Review Proactive Security Monitoring Network Penetration Testing Overview Network Penetration Testing Tools Network Penetration Tool Example(s) Takeaway Points, Reference Resources, & Webinar Series Wrap-Up Questions & Discussion 53

54 54 My Favorite Reference Texts:

55 55

56 Thank You for Attending! Wayne M. Pecena Texas A&M University Questions & Discussion 56 Secretary, Board of Directors Executive Committee Member Chair, Education Committee