1/28
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced |
---|
No study sessions yet.
Secure SNMP
Simple Network Management Protocol
- monitor and control servers, switches, routers, firewalls, and other devices
Different versions through the years.
- SNMPv1 and SNMPv2 do not encrypt network traffic
SNMPv3
- version 3 added encrypted communication
- not all devices support SNMPv3
- use it everywhere you can
Router Advertisement (RA) guard
The ICMP Router Solicitation message is sent from a computer host to any routers on the local area network to request that they advertise their presence on the network
In response, the router sends back a Router Advertisement (RA) back to the computer
Sometimes, hackers could set up a rogue device pretending to be a router and deliver a DDoS, on-path attack, etc
Router Advertisement guard validates every advertisement to make sure it's legit
Port security
Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.
Dynamic ARP inspection
A security feature on a switch that monitors ARP messages in order to detect faked ARP messages.
It does this by using DHCP snooping to figure out every device's IP addresses on the network and their corresponding MAC addresses
Invalid IP-to-MAC address bindings are dropped
Control plane policing
On networking devices, there is a control plane and a data plane
Data plane handles forwarding of traffic + operational processes
Control plane controls configuration and management of the device
Control Plane
-very important to secure against DoS
-need to define a QoS filter to protect the control plane
-block all unnecessary control plane traffic types that is not used
-rate limit control plane traffic flow
Private VLANs
• Port isolation
- Restrict access between interfaces
- Even when they're in the same VLAN
• You might already be using private VLANs
- Your home Internet can't directly connect to
another home
- Hotel room access is limited to Internet connectivity
Disable unneeded switchports
A good way to make sure that no one can plug unauthorized cables and devices into
switches, and in turn inject or capture traffic, is to disable unneeded switch ports by
issuing the shutdown command or each individual interface.
• Administratively disable unused ports
- More to maintain, but more secure
• Network Access Control (NAC)
- 802.1X controls
- You can't communicate unless you are authenticated
Disable unneeded network services
• Every open port is a possible entry point
- Close everything except required ports
• Control access with a firewall
- NGFW would be ideal
• Unused or unknown services
- Installed with the OS or from other applications
• Applications with broad port ranges
- Open port 0 through 65,535
• Use Nmap or similar port scanner to verify
- Ongoing monitoring is important
Change default passwords
• Most devices have default usernames and passwords
- Change yours!
• The right credentials provide full control
- Administrator access
Password complexity/length
• Increase password entropy
- No single words, no obvious passwords
- Mix upper and lower case and use special characters
- Don't replace a o with a 0, t with a 7
• Stronger passwords are at least 8 characters
- Consider a phrase or set of words
Enable DHCP snooping
• a security feature that is used to validate DHCP (Dynamic Host Configuration Protocol) messages and prevent unauthorized DHCP servers from providing IP addresses to devices on a network.
• Switch watches for DHCP conversations
- Adds a list of untrusted devices to a table
• Filters invalid IP and DHCP information
- Static IP addresses
- Devices acting as DHCP servers
Change default VLAN
• All access ports (non-trunk ports) are assigned to a VLAN
- Without any additional security (i.e., 802.1X), anyone
connecting will be part of the default VLAN
• The default VLAN might also be used by default for
control plane access/management
- Don't put users on the management VLAN
- Change the management VLAN to something exclusive
• Assign unused interfaces to a specific non-routable, nonforwarding
VLAN
- A "dead-end" or "impasse" VLAN
Patch and firmware management
• Many network devices do not use a traditional
operating system
- All updates are made to firmware
• The potential exists for security vulnerabilities
- Upgrade the firmware to a non-vulnerable version
• Plan for the unexpected
- Always have a rollback plan
- Save those firmware binaries
Access control list
A list of permissions associated with a given system or network resource
▪ Block SSH for a single computer based on its IP address
▪ Block any IP using port 110
▪ Block any IP and any port from outside the LAN
▪ Block incoming requests from private loopback and multicast IP ranges
▪ Block incoming requests from protocols that should only be used locally
▪ Block all IPv6 traffic or allow it to only authorized hosts and ports
Role-based access
• Not everyone connecting to a switch or router needs
the same level of access
- Administrators, help desk, management, API access
• Many devices allow the configuration of specific roles
- Rights and permissions are based on the role
- Administrators can configure and reboot the device
- Help desk can view statistics
- API access can't interactively login/SSH
Firewall rules
• Manage access from the firewall
- Additional security options - Username, VPN, MFA
• Most firewall rules include an implicit deny
- If there's no explicit rule, then traffic is blocked
- These implicit deny rules aren't usually logged
• Some firewall administrators will add explicit deny rules
- Anything denied by a rule is logged by default
- Can be useful for identifying reconnaissance
or access attempts
Explicit deny
When an administrator sets a rule that denies a specific type of traffic access through a firewall, often within an ACL (access control list)
An explicit deny statement drops packets meeting certain criteria, including source
IP address, destination IP address, protocol, and port
Implicit deny
A rule in an ACL that blocks all traffic that hasn't been explicitly allowed. The implicit deny rule is the last rule in an ACL.
Wireless security
Any method of securing your WLAN network to prevent unauthorized network access and network data theft while ensuring that authorized users can connect to the network.
MAC filtering
• Limit access through the physical hardware address
- Keeps the neighbors out
- Additional administration with visitors
• Easy to find working MAC addresses through
wireless LAN analysis
- MAC addresses can be spoofed. For example, you can scan all the MAC addresses on a network, and when one disconnects, you can copy their MAC address and re-join
-Not a foolproof method; not really a true security measure
Antenna placement
Place antennas so it covers only inside your building
Helps prevent people outside your area to try to access the network
Power levels
To measure power levels, manuacturers use scales called received signal strength
indication (RSSI) to show the signal between a WAP and a receiver.
Wireless client isolation
• Wireless client isolation
- Wireless devices on an access point can't
communicate with each other
- Useful in a hotel or public area
- May not be useful at work with peer-to-peer
applications
Guest network isolation
- The guest network does not have access to the
internal private network
- This is almost always the right configuration
Preshared keys (PSKs)
• Configure the authentication on your
access point / wireless router
• Open System - No authentication
password is required
• WPA2/3-Personal / WPA-PSK
- WPA2 or WPA3 with a pre-shared key
- Everyone uses the same 256-bit key
• WPA2/3-Enterprise / WPA2/3-802.1X
- Authenticates users individually with an
authentication server (i.e., RADIUS, LDAP)
EAP
▪ Allows for numerous different mechanisms of authentication
● EAP-MD5
o Utilizes simple passwords and the challenge handshake authentication process to provide remote access authentication
● EAP-TLS
o Uses public key infrastructure with a digital certificate being installed on both the client and the server
● EAP-TTLS
o Requires a digital certificate on the server and a password on the client for its authentication
● EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
o Uses a protected access credential to establish mutual authentication between devices
● Protected EAP (PEAP)
o Uses server certificates and Microsoft's Active Directory databases to authenticate a client's password
● Lightweight EAP (LEAP)
o A proprietary protocol that only works on Cisco-based devices
Geofencing
The use of GPS or RFID technology to create a virtual geographic boundary, enabling software to trigger a response when a mobile device enters or leaves a particular area.
-restrict or allow features when the device is in a particular area
-only allow logins when the device is in a particular area
Captive portal
A technical solution that forces wireless clients using web browsers to complete a process before accessing a network. It is often used to ensure users agree to an acceptable use policy or pay for access.
IoT Security
IoT security
• Internet of Things devices
- Smart devices, appliances, garage doors, door locks,
lights, etc.
• Security is probably not the primary focus
- In some cases, it's not a consideration at all
• IoT devices should be segmented from the private network
- Keep your personal devices and storage systems away
from IoT devices
- If an IoT device is breached, your personal data is
not accessible
• Use a separate VLAN
- Many home access points provide a "guest" network
- This is different than the DMZ or screened-subnet