Fundamentals of IP Networking 2017 Webinar Series Part 5 Cybersecurity Fundamentals & Securing the Network


Fundamentals of IP Networking 2017 Webinar Series, Part 5: Cybersecurity Fundamentals & Securing the Network
Wayne M. Pecena, CPBE, CBNE
Texas A&M University Educational Broadcast Services, KAMU Public Broadcasting
August 2017

Advertised Presentation Scope
Part 1 - Introduction to IP Networking Standards & the Physical Layer
Part 2 - Ethernet Switching Fundamentals and Implementation
Part 3 - IP Routing and Internetworking Fundamentals
Part 4 - Building a Segmented IP Network Focused On Performance & Security (July 25)
Part 5 - Cybersecurity Fundamentals & Securing the Network (August 29)

Part 5 wraps up the webinar series by providing an understanding of the conceptual aspects of network security and of practical, structured implementation steps. The implementation practices focus on defense-in-depth tactics: creation of a security policy, physical security, Ethernet switch security, and layer 3 security approaches.

Today's Outline:
1. Takeaway Review From Webinar 4
2. Structured Security Implementation
   - Intro to Network Security & Terminology
   - Layer 1 - Physical
   - Layer 2 - Data-Link Layer
   - Layer 3 - Network Layer & Above
3. Thinking Like a Hacker
   - Mindset
   - Tools of the Trade
4. Best Practices, References, & Questions

Takeaway Points - Part 4
- Use segmented network design techniques for performance, security, and policy
- VLANs allow a common physical infrastructure to support multiple isolated networks, broadcast domains, or subnets
- Each network, subnet, or VLAN is a broadcast domain with a unique IP address scheme
- L2 Ethernet switches eliminate collision domains (each full-duplex switch port is its own)
- L3 routers control broadcast domains
- NAT can be used to minimize IPv4 address space
- IP addressing rules must be obeyed:
  - Each network MUST have a unique network ID
  - Each host MUST have a unique host ID
  - Every IP address MUST have a subnet mask
  - An IP address must be globally unique if the host is on the public Internet
  - The first (network) and last (broadcast) IP address of a network are not usable!

Structured Security Implementation

IP Network Security Risks to the Broadcast Station
- Dead air
- Impact upon resources
- Loss of revenue
- Public embarrassment
- Breach of data
- Potential liability
- Lost trust
Courtesy: Chris Homer @ PBS

The Broadcast Technical Plant Is Changing (has changed, will continue to change)
- Transition to an IP-based plant
- Transition to cloud-based services
- Transition to a service-based architecture

Cybersecurity
Cybersecurity is focused upon the protection of computers, networks, programs, and data from unauthorized access, change, or destruction.

ITU-T X.1205 definition: Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets. Organization and user's assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user's assets against relevant security risks in the cyber environment. The general security objectives comprise the following: availability, integrity, confidentiality.

Source: International Telecommunication Union, ITU-T X.1205

A Cyber Attack Chain Model
Step: Reconnaissance & Probing
  Description: Find the target; harvest information (email, conference listings, public lists, etc.)
Step: Delivery & Attack
  Description: Place the delivery mechanism online; use social engineering to induce the target to access malware or other exploits
Step: Installation & Exploitation
  Description: Exploit vulnerabilities on target systems to acquire access; elevate user privileges and install additional tools
Step: Compromise & Expansion
  Description: Exfiltrate data; use compromised systems to exploit additional systems
Courtesy: Chris Homer @ PBS

Attributes of a Secure Network
- Layered approach (defense in depth, NOTE 1): different security controls within different groups
- Security domains: segmentation of the network into areas or groups
- Privileges: restrict to need-to-access; deny by default
- Access: restrict by firewalls, proxies, etc.
- Logging: accountability, monitoring, & activity tracking
NOTE 1: Cisco security terminology

Goals of Data Security: The CIA (or AIC) Triad
- Confidentiality: prevent disclosure, maintain privacy
- Integrity: prevent data alteration
- Availability: prevent denial of use
[Figure: DATA passing from a sending host to a receiving host over media and protocols]

Implement a Multi-Layer Approach: Defense In Depth

Defense In Depth
[Figure: OSI layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical, mapped onto concentric defensive rings: Data, Application, Host, Internal Network, Perimeter Network, Physical, and Administrative Procedures & Policies]

Layer 1 - Physical Access
- Restrict physical access to network infrastructure
- Controlled access: access badges, cyber-locks, bio-recognition
- Monitor access: access logs, surveillance cameras

Switch Port Security Actions
Port security options:
- Specific MAC address(es) per port
- Limit the number of learned MACs
Port security violation responses:
- Discard the offending frame (protect mode)
- Discard the frame and send a SysOp notification (restrict mode)
- Shut down the switch port (shutdown mode)

Layer 2 - Data-Link Layer Access
- Implement Ethernet switch port security:
  - Specific MAC address
  - Limit the number of MAC addresses per port
  - Specify the violation response (e.g., shutdown)
- Segment network traffic (e.g., VLAN 100, VLAN 200, VLAN 300)
- Disable any unused access (untagged) ports
- Configure trunk (tagged) ports only when required
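The violation responses above differ in what they do to legitimate traffic once an attacker floods a port with source addresses. The following model is an added example written for this page (it is not from the webinar or from any switch vendor); the mode names protect / restrict / shutdown and their behaviour follow the common Cisco IOS semantics the slide describes, and the frames are constructed sample data.

```python
"""Added example (not from the webinar): a model of Ethernet switch port security
showing how the three Cisco-style violation modes behave under a MAC flood.

Assumptions (labelled): the mode semantics are
  protect  - frames from unknown MACs are silently dropped once the limit is hit
  restrict - same, but a violation counter/notification is raised
  shutdown - the port goes err-disabled and drops everything until reset
The frames below are constructed sample data, not a real capture.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_macs: int = 2
    mode: str = "shutdown"                       # protect | restrict | shutdown
    allowed: set = field(default_factory=set)    # statically configured MACs
    learned: set = field(default_factory=set)    # "sticky" learned MACs
    violations: int = 0
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Return the action taken for a frame with source src_mac."""
        if self.err_disabled:
            return "dropped:err-disabled"
        if src_mac in self.allowed or src_mac in self.learned:
            return "forwarded"
        if len(self.allowed | self.learned) < self.max_macs:
            self.learned.add(src_mac)            # sticky-learn a new address
            return "forwarded:learned"
        # Limit reached and this MAC is not known: a violation.
        self.violations += 1
        if self.mode == "protect":
            return "dropped"
        if self.mode == "restrict":
            return "dropped:notified"            # SNMP trap / syslog on a real switch
        self.err_disabled = True                 # shutdown mode
        return "dropped:port-shutdown"


def run_mode(mode: str, frames: list) -> list:
    """Replay the same frame sequence through a port configured with the given mode."""
    port = SecurePort(max_macs=2, mode=mode, allowed={"00:11:22:33:44:01"})
    return [port.receive(mac) for mac in frames]


# Constructed sample: one configured MAC, one legitimate learned MAC, an attacker
# flooding new source addresses, then the legitimate host talking again.
SAMPLE_FRAMES = [
    "00:11:22:33:44:01",   # configured host
    "00:11:22:33:44:02",   # second legitimate host -> sticky learned
    "de:ad:be:ef:00:01",   # flood begins
    "de:ad:be:ef:00:02",
    "00:11:22:33:44:02",   # legitimate host after the flood
]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(f"{mode:9s}", run_mode(mode, SAMPLE_FRAMES))
```

Note the trade-off the last frame exposes: protect and restrict keep the two legitimate hosts working while dropping the flood, whereas shutdown takes the legitimate hosts off the network too until an operator re-enables the port (which is also why shutdown is the mode that gets noticed and investigated).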

Layer 3 and Above
- Utilize network equipment security features
- Implement access control lists
- Implement firewalls: border and internal
- Implement encryption for secure connectivity (IPsec)
- Utilize application security where possible: identity, trust, AAA

Access Control List (ACL)
- Provides basic network access security: a buffer, packet-filter based
- Filters IP packets as they enter (ingress) or leave (egress) a router interface
- Standard access list: can only permit or deny based on the source IP address; placed closest to the destination host
- Extended access list: can permit or deny based upon source IP address, destination IP address, IP protocol (ICMP, TCP, UDP, ...), TCP port number, UDP port number; placed closest to the source network

Implementing an Access Control List
- Create the access control list: one ACL per interface, per direction, per protocol
- Apply the access control list to an interface: an ingress ACL filters inbound packets, an egress ACL filters outbound packets
- Permit or deny on: source IP address, destination IP address, ICMP, TCP/UDP source port, TCP/UDP destination port
[Figure: router with Interface 0/0 and Interface 0/1, each with an ingress ACL filtering inbound packets and an egress ACL filtering outbound packets]

ACL Implementation Example: Block External Users From Pinging Inside Network Hosts
[Figure: inside hosts 192.168.10.2/24 and 192.168.10.6/24 on Router 1 interface E0 (192.168.10.1/24); interface E1 connects to the Internet]

Create the access list on Router 1. Filtering on a protocol (ICMP) requires an extended access list (numbers 100-199); a standard access list (1-99) can match only the source address, so "access-list 10 deny icmp any any" is not a valid standard ACL line:

    access-list 110 deny icmp any any
    access-list 110 permit ip any any

Apply the access list inbound on the Internet-facing interface:

    interface ethernet1
    ip access-group 110 in

Every IOS ACL ends with an implicit "deny any"; the "permit ip any any" line is what keeps all other traffic flowing. Blocking all ICMP also discards messages the network relies on (for example "fragmentation needed", used by path MTU discovery); "access-list 110 deny icmp any any echo" blocks only echo requests (ping).

Configuration disclaimer: exact configuration commands may vary based upon specific equipment models and software version. Generic Cisco commands are used for illustration purposes.
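To make the standard-versus-extended distinction and the implicit deny concrete, here is an added example (written for this page, not part of the webinar and not a vendor tool): a small evaluator that parses the subset of Cisco-style ACL syntax used above and runs constructed packets through it. The packet addresses and the ICMP type values are the example's own assumptions.

```python
"""Added example (not from the webinar): a small evaluator for Cisco-style IPv4
access lists, used to show (1) why the slide's ICMP filter must be an extended
ACL, since a standard ACL (1-99) matches on source address only, and (2) what
the implicit "deny any" at the end of every ACL does.

Assumptions (labelled): only this subset of IOS syntax is parsed -
  access-list <1-99>    permit|deny <src>
  access-list <100-199> permit|deny <proto> <src> <dst> [eq <port>] [echo|echo-reply]
where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D WILDCARD". The packets
are constructed sample data, not captured traffic.
"""
import ipaddress
from dataclasses import dataclass

ICMP_TYPES = {"echo": 8, "echo-reply": 0}   # ICMP message types behind the IOS keywords


@dataclass(frozen=True)
class Packet:
    proto: str              # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    icmp_type: int = -1


def _parse_addr(tokens):
    """Consume one address spec; return ((network, mask), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    # IOS wildcard mask: 0 bits must match, 1 bits are ignored (inverse of a subnet mask).
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1]))
    return (int(ipaddress.IPv4Address(tokens[0])) & mask, mask), tokens[2:]


def _match_addr(spec, addr: str) -> bool:
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == net


def parse_acl(lines):
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"not an access-list line: {line!r}")
        number, action, rest = int(t[1]), t[2], t[3:]
        if 1 <= number <= 99:
            # Standard ACL: source address only. A protocol keyword here is exactly the
            # mistake of writing "access-list 10 deny icmp any any".
            if rest[0] in ("ip", "icmp", "tcp", "udp"):
                raise ValueError(f"standard ACL {number} cannot filter on protocol: {line!r}")
            src, rest = _parse_addr(rest)
            rules.append({"action": action, "proto": "ip", "src": src, "dst": (0, 0),
                          "dport": None, "icmp_type": None})
        elif 100 <= number <= 199:
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            dst, rest = _parse_addr(rest)
            dport = icmp_type = None
            if rest[:1] == ["eq"]:
                dport = int(rest[1])
            elif rest and rest[0] in ICMP_TYPES:
                icmp_type = ICMP_TYPES[rest[0]]
            rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                          "dport": dport, "icmp_type": icmp_type})
        else:
            raise ValueError(f"unsupported ACL number {number}")
    return rules


def acl_error(lines):
    """Return the parse error for an ACL, or None when it parses cleanly."""
    try:
        parse_acl(lines)
    except ValueError as exc:
        return str(exc)
    return None


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied (implicit deny)."""
    for r in rules:
        if r["proto"] not in ("ip", pkt.proto):
            continue
        if not (_match_addr(r["src"], pkt.src) and _match_addr(r["dst"], pkt.dst)):
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != pkt.icmp_type:
            continue
        return r["action"]
    return "deny"


# The slide's intent as an extended ACL, and a tighter variant that blocks only echo
# requests so other ICMP (e.g. type 3 "destination unreachable", which carries
# "fragmentation needed") still passes.
BLOCK_ALL_ICMP = ["access-list 110 deny icmp any any",
                  "access-list 110 permit ip any any"]
BLOCK_PING_ONLY = ["access-list 111 deny icmp any any echo",
                   "access-list 111 permit ip any any"]

# Constructed packets from an outside host toward an inside host on the slide's LAN.
PING = Packet("icmp", "203.0.113.5", "192.168.10.2", icmp_type=8)
UNREACHABLE = Packet("icmp", "203.0.113.5", "192.168.10.2", icmp_type=3)
WEB = Packet("tcp", "203.0.113.5", "192.168.10.2", dport=80)

if __name__ == "__main__":
    print("standard ACL error:", acl_error(["access-list 10 deny icmp any any"]))
    for name, acl in (("ACL 110", BLOCK_ALL_ICMP), ("ACL 111", BLOCK_PING_ONLY)):
        rules = parse_acl(acl)
        print(name, [evaluate(rules, p) for p in (PING, UNREACHABLE, WEB)])
```

Running it shows ACL 110 denying both ICMP packets and permitting the web request, ACL 111 denying only the echo request, and a standard ACL refusing the protocol keyword outright. Dropping the "permit ip any any" line from either list makes every packet hit the implicit deny, which is the usual cause of "the ACL blocked everything".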

Network Security Tools: Firewall
- Used to create a trusted network segment by permitting or denying network packets
- Filters based upon preset rules

Firewall Types
Stateless packet filtering (single-packet inspection):
- Access control list (ACL), ingress or egress filtering
- No knowledge of the flow
- Filters on IP header information (Layer 3)
Stateful packet filtering (conversation inspection):
- Filters on IP and transport header information (Layers 3-4)
- Records conversations, then determines context: a new connection, part of an existing conversation, or not involved in any conversation

Firewall Implementation
[Figure: stateful firewall between the Internet (outside), a demilitarized zone (DMZ) holding the web server and email server, and the internal network(s)]
- Internet -> DMZ: only HTTP and SMTP/POP allowed
- Internet -> internal network(s): all blocked
- Internal network(s) -> DMZ and Internet: all allowed
- Inbound to internal network(s): return traffic for established sessions only
Stateful firewall functionality may be implemented in the border router.

Firewall Use Caution
- False sense of security: "I have a firewall"
- Know what the firewall is doing
- Minimize the protection zone
- A formal policy is required: pre-define rules, review periodically
- Monitor activity
- Performance impact: throughput (packets/sec), latency
- Don't overlook egress
- Permit only the ports needed
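The "return session only allowed" line of the DMZ diagram is the part a stateless ACL cannot express, and it is where "know what the firewall is doing" matters most. The following is an added example for this page (not from the webinar, not a product's code): a minimal stateful filter implementing the three-zone policy above on constructed traffic. The zone address ranges and all packets are the example's own assumptions.

```python
"""Added example (not from the webinar): a minimal stateful packet filter that
implements the three-zone policy drawn on the DMZ slide -
  Internet -> DMZ      : only HTTP (80) and SMTP (25) / POP3 (110)
  Internet -> internal : nothing
  internal -> anywhere : allowed
  return traffic       : only for a session the firewall has already seen
and shows why a stateless ACL cannot express the last line.

Assumptions (labelled): zones are derived from constructed address ranges; the
session table is keyed on the 5-tuple only (no TCP flag or timeout tracking);
all packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {   # constructed addressing for the example
    "internal": ipaddress.ip_network("192.168.10.0/24"),
    "dmz":      ipaddress.ip_network("192.168.20.0/24"),
}
DMZ_SERVICES = {("tcp", 80), ("tcp", 25), ("tcp", 110)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


class StatefulFirewall:
    def __init__(self):
        self.sessions = set()   # 5-tuples of flows a permitted initiator opened

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def policy(self, p: Packet) -> bool:
        """Stateless part: may this packet *initiate* a new flow?"""
        src, dst = zone_of(p.src), zone_of(p.dst)
        if src == "internal":
            return True                        # internal may go anywhere
        if src == "internet" and dst == "dmz":
            return (p.proto, p.dport) in DMZ_SERVICES
        return False                           # internet -> internal, dmz -> internal, ...

    def filter(self, p: Packet) -> str:
        # 1. A reply to a flow we already permitted belongs to that session.
        if self._reverse_key(p) in self.sessions:
            return "permit:established"
        # 2. Otherwise it must be allowed as a new connection by policy.
        if self.policy(p):
            self.sessions.add(self._key(p))
            return "permit:new"
        return "deny"


def run(packets: list) -> list:
    fw = StatefulFirewall()
    return [fw.filter(p) for p in packets]


# Constructed traffic: an outside client browsing the DMZ web server and getting the
# reply, an inside host talking to the Internet and getting its reply, then an outside
# host reaching for the internal network directly, forging a "reply" for a session that
# does not exist, and trying SSH to the DMZ.
SAMPLE = [
    Packet("tcp", "203.0.113.7", 51000, "192.168.20.10", 80),     # inet -> dmz http
    Packet("tcp", "192.168.20.10", 80, "203.0.113.7", 51000),     # dmz reply
    Packet("tcp", "192.168.10.5", 40000, "198.51.100.9", 443),    # inside -> inet
    Packet("tcp", "198.51.100.9", 443, "192.168.10.5", 40000),    # inet reply
    Packet("tcp", "203.0.113.7", 51001, "192.168.10.5", 445),     # inet -> inside smb
    Packet("tcp", "203.0.113.7", 443, "192.168.10.5", 40001),     # forged "reply"
    Packet("tcp", "203.0.113.7", 51002, "192.168.20.10", 22),     # inet -> dmz ssh
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

The sixth packet is the point of the exercise: a stateless ACL that lets inside users browse HTTPS would need something like "permit tcp any eq 443 192.168.10.0 0.0.0.255", which also admits this forged packet from source port 443, whereas the session table rejects it because no inside host opened that flow.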

IPsec - Internet Protocol Security
- End-to-end scheme to encrypt and authenticate IP communications
- IPv4: optional implementation
- IPv6: originally a mandatory implementation, now recommended (RFC 6434)
- Layer 3 implementation
- Modes: tunnel (the whole IP packet is encapsulated behind a new IP header; used for VPNs between gateways) and transport (host-to-host; only the payload is protected)
- Encapsulating Security Payload (ESP): encrypts and authenticates; a new header is added

Thinking Like a Hacker

The Hacker Culture
- White hat hacker: intent is to protect IT systems
- Black hat hacker: intent is to harm IT systems
- Gray hat hacker: intent is the challenge (acts without authorization, but without malicious intent)

The White Hat Hacker
Ethical hackers work to protect systems as network security professionals by using network hacker tools.
Other hacker types: script kiddies, hacktivists

Common IP Network Threats
- IP address spoofing: packets sent from a false source address; commonly used in denial-of-service (DoS) attacks
- ARP spoofing: links a false (attacker-controlled) MAC address to a legitimate IP address; a common man-in-the-middle attack
- DNS server spoofing: resolves a legitimate domain name to a false destination address
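ARP spoofing is also the threat in this list that a station can detect from its own traffic, because the poisoning shows up on the wire as one IP address alternately claiming two MAC addresses. The following is an added example for this page (not from the webinar): the core of an ARP-watch that keeps an IP-to-MAC table from observed ARP replies and flags repeated changes. The ARP reply records, addresses and thresholds are constructed for the example; a real tool would read frames through libpcap.

```python
"""Added example (not from the webinar): detection logic for the ARP spoofing
threat described above - a tiny ARP-watch that keeps an IP -> MAC table from
observed ARP replies and flags when a known IP suddenly claims a different MAC,
which is what a man-in-the-middle poisoning a victim's cache looks like on the wire.

Assumptions (labelled): the reply records below are constructed, not captured;
the gateway address, MACs and the two-change threshold are invented for the example.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    t: float      # observation time in seconds (constructed)
    ip: str       # sender protocol address
    mac: str      # sender hardware address


@dataclass
class ArpWatch:
    table: dict = field(default_factory=dict)        # ip -> MAC currently believed
    flips: Counter = field(default_factory=Counter)  # ip -> number of MAC changes
    alerts: list = field(default_factory=list)

    def observe(self, r: ArpReply) -> str:
        known = self.table.get(r.ip)
        if known is None:
            self.table[r.ip] = r.mac
            return "learned"
        if known == r.mac:
            return "ok"
        # A NIC replacement changes the MAC once; a spoofer flip-flops because the
        # real host and the attacker both keep answering for the same IP.
        self.flips[r.ip] += 1
        self.alerts.append(f"t={r.t:.0f}s {r.ip} changed {known} -> {r.mac}")
        self.table[r.ip] = r.mac
        return "changed"

    def suspects(self, min_flips: int = 2) -> list:
        """IPs whose MAC changed at least min_flips times."""
        return sorted(ip for ip, n in self.flips.items() if n >= min_flips)


def analyze(replies: list) -> tuple:
    """Run the watch over a reply list; return (per-reply verdicts, suspect IPs)."""
    w = ArpWatch()
    verdicts = [w.observe(r) for r in replies]
    return verdicts, w.suspects()


GATEWAY = "192.168.10.1"            # the slide's router address
REAL_GW_MAC = "00:11:22:33:44:01"   # constructed
ATTACKER_MAC = "de:ad:be:ef:00:99"  # constructed

SAMPLE = [   # constructed sample traffic
    ArpReply(0.0,  GATEWAY,        REAL_GW_MAC),
    ArpReply(0.5,  "192.168.10.2", "00:11:22:33:44:02"),
    ArpReply(30.0, GATEWAY,        ATTACKER_MAC),   # poisoned reply
    ArpReply(31.0, GATEWAY,        REAL_GW_MAC),    # real gateway answers again
    ArpReply(32.0, GATEWAY,        ATTACKER_MAC),   # spoofer re-poisons
    ArpReply(60.0, "192.168.10.6", "00:11:22:33:44:06"),
]

if __name__ == "__main__":
    verdicts, suspects = analyze(SAMPLE)
    print(verdicts)
    print("suspect IPs:", suspects)
```

The threshold of two changes is the example's own choice; it separates a single legitimate hardware swap from the flip-flopping a live poisoning produces. On a segment where the gateway and servers are static, the stronger control is to pin those bindings (static ARP entries, or the switch's dynamic ARP inspection where available) and alert on any deviation at all.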

Tools of the Hacker
Reference: https://www.concise-courses.com/hacking-tools/

Tools of the Hacker: 10 Most Popular
nmap, Metasploit, John the Ripper, THC Hydra, OWASP Zed (ZAP), Wireshark, Aircrack-ng, Maltego, Cain and Abel, Nikto (website vulnerability scanner)

Wireshark
- Open source protocol analyzer, often referred to as a sniffer
- Developed in 1998 as Ethereal; renamed due to trademark issues
- Analysis of live and recorded network activity
- Useful to: isolate performance issues; understand application interaction; benchmark the network; determine what is not the problem; network forensics; detect malware (signature display)

Tools of the Hacker: Wireshark
- Available for Windows, macOS, & Linux
- Download at: www.wireshark.org
- Includes the capture libraries: WinPcap (Windows), libpcap (Linux/macOS)

[Figure: Wireshark screenshot with packet 192 selected; header details displayed; payload data decoded in hex & ASCII]

Filtering
Filter building blocks: protocol, direction (source or destination), type
Capture filters:
- Selectively capture packets
- Pre-capture configuration
- Minimizes captured data
Display (analysis) filters:
- Applied when viewing
- Allow focusing on an attribute
- All data is retained

Using Capture Filters

Useful Capture (pcap) Filter Examples
- ip
- tcp
- udp
- host 165.95.240.130
- net 165.95.240.128/26
- net 165.95.240.128 mask 255.255.255.192
- src net 165.95.240.128/26
- dst net 165.95.240.128/26
- port 80
- not broadcast and not multicast
Note: "host" takes a single address; a prefix length or mask requires the "net" qualifier.
Reference: http://www.tcpdump.org/manpages/pcap-filter.7.html

Using Display Filters

Useful Display Filter Examples
- eth.addr==00:19:c8:c8:22:7f
- ip
- ip.addr==165.95.240.130
- ip.addr==165.95.240.130 or ip.addr==165.95.240.129
- tcp
- tcp.port==80
- udp
- udp.port==50000
- http
Reference: http://www.firstdigest.com/2009/05/wiresharks-most-useful-display-filters/
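The eth.addr, ip.addr and tcp.port fields above each compare against both the source and the destination, which makes "==" convenient and "!=" a well-known trap. The following is an added example for this page (not from the webinar, and not Wireshark's code): a hand-rolled Ethernet/IPv4/TCP/UDP header parser plus predicates with the same matching semantics, run over frames constructed in the script. The MAC addresses other than the slide's, the second IP address and the port numbers are the example's own assumptions.

```python
"""Added example (not from the webinar): a hand-rolled Ethernet/IPv4/TCP/UDP parser
that reproduces the matching semantics of the display filters on the slide
(eth.addr, ip.addr, tcp.port) against constructed frames, and shows the classic
Wireshark gotcha: 'ip.addr != X' is NOT the opposite of 'ip.addr == X'.

Assumptions (labelled): frames are built with struct.pack below; IP options,
fragmentation and checksums are ignored (checksums are written as zero), which
is enough for field extraction but not for a real capture tool.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str
    proto: int          # 6 = TCP, 17 = UDP, 1 = ICMP
    sport: int
    dport: int


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_frame(raw: bytes) -> Frame:
    """Decode Ethernet II + IPv4 + TCP/UDP headers from raw bytes."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", raw[:14])
    if eth_type != 0x0800:
        raise ValueError("not IPv4")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IP header length in bytes
    proto = ip[9]
    l4 = ip[ihl:]
    sport = dport = 0
    if proto in (6, 17):                        # TCP and UDP both begin with src/dst port
        sport, dport = struct.unpack("!HH", l4[:4])
    return Frame(_mac_str(eth_src), _mac_str(eth_dst),
                 _ip_str(ip[12:16]), _ip_str(ip[16:20]), proto, sport, dport)


def build_frame(eth_src: str, eth_dst: str, ip_src: str, ip_dst: str,
                sport: int, dport: int, proto: int = 6) -> bytes:
    """Construct a minimal sample frame (checksums left at zero)."""
    if proto == 6:   # TCP: ports, seq, ack, data offset 5 words, SYN flag, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:            # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                      _ip_bytes(ip_src), _ip_bytes(ip_dst))
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), 0x0800)
    return eth + iph + l4


# Display-filter equivalents. ip.addr / eth.addr / tcp.port each compare against
# BOTH the source and the destination field, so "==" means "either side matches".
def ip_addr_eq(f: Frame, a: str) -> bool:
    return f.ip_src == a or f.ip_dst == a


def ip_addr_ne(f: Frame, a: str) -> bool:
    # Wireshark semantics of "ip.addr != a": true if EITHER side differs from a,
    # so every packet that has a as only one of its two addresses still passes.
    return f.ip_src != a or f.ip_dst != a


def eth_addr_eq(f: Frame, a: str) -> bool:
    return f.eth_src == a or f.eth_dst == a


def tcp_port_eq(f: Frame, p: int) -> bool:
    return f.proto == 6 and (f.sport == p or f.dport == p)


def display(frames: list, predicate) -> list:
    """Indexes of frames passing a display filter; unlike a capture filter, nothing is discarded."""
    return [i for i, raw in enumerate(frames) if predicate(parse_frame(raw))]


HOST = "165.95.240.130"          # address used in the slide's filter examples
CAPTURE = [                      # constructed frames
    build_frame("00:19:c8:c8:22:7f", "00:aa:bb:cc:dd:01", HOST, "198.51.100.9", 40000, 80),
    build_frame("00:aa:bb:cc:dd:01", "00:19:c8:c8:22:7f", "198.51.100.9", HOST, 80, 40000),
    build_frame("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:03", "10.0.0.1", "10.0.0.2",
                50000, 50000, proto=17),
]

if __name__ == "__main__":
    print("ip.addr==HOST     ->", display(CAPTURE, lambda f: ip_addr_eq(f, HOST)))
    print("ip.addr!=HOST     ->", display(CAPTURE, lambda f: ip_addr_ne(f, HOST)))
    print("!(ip.addr==HOST)  ->", display(CAPTURE, lambda f: not ip_addr_eq(f, HOST)))
```

The second and third lines of output differ: "ip.addr != 165.95.240.130" still shows the two frames that involve the host (each has another address on the other side), while "!(ip.addr == 165.95.240.130)" is the filter that actually excludes them. The same applies to eth.addr and tcp.port.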

Tools of the Hacker: nmap
- Obtain & install nmap: https://nmap.org/
  - Linux (best: Ubuntu, Fedora, CentOS, BSD, Kali)
  - Windows (Windows 7 and later, with limitations)
- Obtain & install Zenmap (the nmap GUI): https://nmap.org/zenmap/

Network Mapper (nmap)
nmap is an open source network scanning utility used to determine information about network hosts:
- Determine active network hosts
- Determine host operating system
- Determine open ports / services
- Actively diagram the network architecture
Used for: host discovery, security profile auditing, network hacking

Disclaimer: Network Scanning
Be aware of network scanning ethics & legalities. Guidelines to follow:
- Ensure you have permission to scan
- Limit the target & scope of your scan
- Understand your ISP's acceptable use policy (AUP)
- Use caution with options
- Have a reason to scan the network
Be aware: aggressive scanning can crash a host; use caution!
Further information: https://nmap.org/book/legal-issues.html

Simple nmap Scan: nmap <ip address>

nmap Profiles (Zenmap): Create Your Custom Profile

nmap Examples (a sampling of more than 125 nmap command forms)
- Scan a single host: nmap <host>
- Scan multiple hosts: nmap <host1> <host2>
- Scan a range of IP addresses: nmap 192.168.10.1-50
- Scan a subnet: nmap 192.168.10.0/24
- Perform an aggressive scan: nmap -A <target>
- Discovery attempt, no ping: nmap -Pn <target>
- Discovery attempt, ping only: nmap -sn <target>
- Discovery attempt, host OS: nmap -O <target>
- Fast port scan: nmap -F <target>
- Scan a specific port: nmap -p <port> <target>

Scan Range of IP Addresses

Scan a Subnet (note the CIDR notation)

Perform an Aggressive Scan

Discovery Attempt: Ping Only (Zenmap topology map)

Discovery Attempt: Host OS

Fast Port Scan
- nmap scans the top 1,000 ports by default
- A fast port scan (-F) scans the top 100 ports

NSE - nmap Scripts
- The Nmap Scripting Engine (NSE) automates nmap tasks
- Activating NSE: the -sC option runs the default script set
- Script library: https://nmap.org/nsedoc/
- Create your own: Lua script framework
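A scan is most useful when it is compared with the previous one: that is what turns nmap from a hacker tool into the "know the norm, look for abnormalities" practice the deck closes with. The following is an added example for this page (not from the webinar, not part of nmap): it parses nmap's grepable output (-oG) from a baseline scan and a later scan and reports ports that opened or closed and hosts that appeared. Both scan outputs are constructed to look like -oG output and were not produced by a real scan; the addresses follow the slide's 192.168.10.0/24 LAN.

```python
"""Added example (not from the webinar): parse nmap "grepable" output (-oG) from a
baseline scan and a later scan of the same network and report ports that opened or
closed in between, plus hosts that were not there before.

Assumptions (labelled): the two scan outputs below are constructed to look like
-oG output, i.e. lines of the form
  Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<service>///, ...\tIgnored State: ...
They were not produced by a real scan, and only the port/state/proto fields are used.
"""
import re

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")


def parse_grepable(text: str) -> dict:
    """Return {ip: {(proto, port), ...}} holding only ports reported as open."""
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines, "Status: Up" lines, blanks
        ip, ports = m.group(1), m.group(2)
        open_ports = result.setdefault(ip, set())
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":
                open_ports.add((proto, int(port)))
    return result


def diff_scans(baseline: dict, current: dict) -> dict:
    """Per host: ports newly open, ports that closed, and whether the host is new."""
    report = {}
    for ip in sorted(set(baseline) | set(current)):
        before, after = baseline.get(ip, set()), current.get(ip, set())
        opened, closed = after - before, before - after
        if opened or closed or ip not in baseline:
            report[ip] = {"new_host": ip not in baseline, "opened": opened, "closed": closed}
    return report


BASELINE = """\
# constructed sample in the shape of: nmap -oG baseline.gnmap 192.168.10.0/24
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 192.168.10.2 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
# Nmap done
"""

CURRENT = """\
# constructed sample in the shape of: nmap -oG current.gnmap 192.168.10.0/24
Host: 192.168.10.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (998)
Host: 192.168.10.2 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 192.168.10.77 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done
"""

if __name__ == "__main__":
    report = diff_scans(parse_grepable(BASELINE), parse_grepable(CURRENT))
    for ip, r in report.items():
        print(ip, "NEW HOST" if r["new_host"] else "",
              "opened:", sorted(r["opened"]), "closed:", sorted(r["closed"]))
```

In the constructed data the router has grown a telnet listener, the web server's HTTPS port has closed, and an unknown host is offering SMB; each is a question for the operator rather than a verdict. Run the same scan command from the same vantage point each time, with permission, so that differences come from the network and not from the scan options.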

Interpreting scan results: TCP/UDP port lookup (https://www.adminsub.net/tcp-udp-port-finder)
- 80 - HTTP
- 443 - HTTPS
- 22 - SSH
- 631 - IPP (Internet Printing Protocol)
- 21 - FTP
- 139 - NetBIOS session service
- 445 - Microsoft-DS (SMB / Active Directory)
- 2100 - Amiga file system
- 6789


SHODAN: https://www.shodan.io


TAKEAWAYS, REFERENCES, QUESTIONS, AND MAYBE SOME ANSWERS

Takeaway Points - Security
- Recognize & accept the security lifecycle
- Understand the security threat landscape
- Segment your network: security, performance
- Lock all your doors
- Limit privileged users
- Implement Layer 1-3 security features
- Don't overlook the back-door access
- Use firewall(s) to limit ingress & egress
- Follow industry best practices
- Implement a defense-in-depth strategy
- Monitor your network activity: know the norm
- Test your network security
- Think security proof-of-performance

Network Security Best Practices
- Recognize physical security
- Change default logins
- Utilize strong passwords
- Disable services not required
- Adopt a layered design approach
- Segregate network(s); separate networks via VLANs
- Implement switch port security
- Utilize packet filtering in routers & firewalls
- Do not overlook egress traffic
- Deny all traffic, then permit only what is required
- Keep up with equipment patches
- Utilize access logging on key network devices
- Utilize session timeout features
- Encrypt any critical data
- Restrict remote access sources
- Understand & know your network baseline
- Actively monitor and look for abnormalities
- Limit need-to-access
- Disable external ICMP access
- Don't use VLAN 1

The Challenge: balancing SECURITY against USABILITY

FCC Working Group 4: https://transition.fcc.gov/pshs/advisory/csric4/csric_iv_wg4_final_report_031815.pdf

Local Broadcast Radio Station

Local Broadcast TV Station

EAS Advisory Group: http://www.sbe.org/sections/news/eassecurity.php

nmap Practice Target: scanme.nmap.org

On-Line nmap Tools: https://pentest-tools.com/network-vulnerability-scanning/tcp-portscanner-online-nmap

My Favorite Reference Texts: 69


Thank You for Attending!
Wayne M. Pecena, wpecena@sbe.org, 979.845.5662