Networking Security Notes

Securing Networks

  • Networks are frequent targets of attacks.

  • Network security breaches can disrupt e-commerce, cause data loss, threaten privacy, and compromise data integrity.

  • The Cisco Talos Intelligence Group provides threat intelligence.

  • Cisco PSIRT investigates and mitigates vulnerabilities in Cisco products.

Attack Vectors

  • An attack vector is a path used to gain access to a server, host, or network, originating from inside or outside the network.

  • Threat actors may target a network through the internet to disrupt operations via Denial of Service (DoS) attacks.

Data Loss Vectors

  • Email/Social Networking: Intercepted communications can reveal confidential information.

  • Unencrypted Devices: Stolen laptops may contain unencrypted confidential data.

  • Cloud Storage Devices: Weak security settings can compromise sensitive data.

  • Removable Media: Unauthorized data transfer to USB drives poses a risk; lost USB drives may contain corporate data.

  • Hard Copy: Improper disposal of sensitive documents can lead to information retrieval by unauthorized parties.

  • Improper Access Control: Stolen or weak passwords can grant easy access to data.

Network Topology Overview - Campus Area Networks (CAN)

  • VPN: Secures data in motion from CAN to the outside world, ensuring confidentiality and integrity from authenticated sources.

  • ASA Firewall: Performs stateful packet filtering to filter return traffic into the campus network.

  • IPS: Monitors network traffic for malicious activity, logs information, and attempts to block and report it.

  • Layer 3 Switches: Secured distribution layer switches provide secure redundant trunk connections to Layer 2 switches, implementing features like ACLs, DHCP snooping, DAI, and IP source guard.

  • Layer 2 Switches: Secured access layer switches connect user-facing ports, implementing security features like port security, DHCP snooping, and 802.1X user authentication.

  • ESA/WSA: Provides advanced threat defense, application visibility and control, reporting, and secure mobility to secure email and web traffic.

  • AAA Server: Authenticates users, authorizes actions, and tracks user activity.

  • Hosts: Endpoints secured using antivirus/antimalware, Host Intrusion Protection System, and 802.1X authentication.

Small Office and Home Office (SOHO) Networks

  • Consumer-grade wireless routers provide integrated firewall features and secure wireless connections (WPA2).

  • Layer 2 switches are hardened with security measures such as port security.

  • Wireless hosts use WPA2 data encryption.

  • Hosts typically have antivirus and antimalware software installed.

Wide Area Networks (WANs)

  • WANs span wide geographical areas, often over the public internet, requiring secure data transport.

  • Adaptive Security Appliance (ASA) provides stateful firewall features and establishes secure VPN tunnels.

Data Center Networks

  • Data centers house sensitive data and connect to corporate sites using VPN technology with ASA devices and integrated data center switches.

  • Physical security is critical, including measures like fire alarms, sprinklers, seismically-braced server racks, HVAC, and UPS systems.

  • Outside perimeter security: On-premise security officers, fences, gates, video surveillance, and security breach alarms.

  • Inside perimeter security: Video surveillance, electronic motion detectors, security traps, and biometric access and exit sensors.

Cloud Networks and Virtualization

  • Virtualization is the foundation of cloud computing, separating the OS from the hardware.

  • Cloud networks consist of physical and virtual servers in data centers using VMs.

  • VMs are prone to attacks like:

    • Hyperjacking: Hijacking a VM hypervisor to attack other devices.

    • Instant On Activation: Outdated security policies upon VM activation.

    • Antivirus Storms: Simultaneous antivirus updates causing network issues.

The Evolving Network Border

  • Bring Your Own Device (BYOD) trend: Smartphones and tablets replace office PCs.

  • Cisco Borderless Network supports access from various locations and devices.

  • Mobile Device Management (MDM) features:

    • Data Encryption: Ensuring devices support and enable data encryption.

    • PIN Enforcement: Requiring PIN locks to prevent unauthorized access.

    • Data Wipe: Remotely wiping lost or stolen devices.

    • Data Loss Prevention (DLP): Preventing careless or malicious handling of critical data.

    • Jailbreak/Root Detection: Detecting and restricting access for jailbroken/rooted devices.

Who is Attacking Our Network?

  • Important terms: threat, vulnerability, attack surface, exploit, and risk.

Risk Management Strategies

  • Risk acceptance: Accepting the risk when the cost of management outweighs the risk itself.

  • Risk avoidance: Eliminating the activity or device that presents the risk.

  • Risk reduction: Reducing exposure to risk or its impact through mitigation strategies.

  • Risk transfer: Transferring risk to a third party, like an insurance company.

Hacker vs. Threat Actor

  • "Hacker" describes a threat actor and can refer to:

    • A clever programmer.

    • A network professional securing networks.

    • A person gaining unauthorized access.

    • An individual disrupting network access or corrupting data.

  • Types of hackers: white hat, gray hat, and black hat.

Evolution of Threat Actors

  • From phone phreaking in the 1960s to diverse threat actors.

  • Script Kiddies: Inexperienced actors using existing scripts for harm, not profit.

  • Vulnerability Brokers: Grey hat hackers discovering and reporting exploits.

  • Hacktivists: Grey hat hackers protesting political and social ideas.

  • Cybercriminals: Black hat hackers seeking financial gain.

  • State-Sponsored: Actors stealing secrets, gathering intelligence, and sabotaging networks.

Cybercriminals

  • Motivated by financial gain, often financed by criminal organizations, stealing billions annually.

Cybersecurity Tasks

  • Using a trustworthy IT vendor.

  • Keeping security software up-to-date.

  • Performing regular penetration tests.

  • Backing up to cloud and hard disk.

  • Periodically changing WIFI password.

  • Keeping security policy up-to-date.

  • Enforcing use of strong passwords.

  • Using two factor authentication.

Cyber Threat Indicators

  • Indicators of Compromise (IOCs): Evidence of an attack, such as malware files, IP addresses, filenames, and system software changes.

  • Indicators of Attack (IOAs): Focus on the motivation and strategies used by attackers.

Threat Sharing and Cybersecurity Awareness

  • US Cybersecurity Infrastructure and Security Agency (CISA) uses Automated Indicator Sharing (AIS).

  • CISA and NCSA promote cybersecurity awareness through campaigns like "National Cybersecurity Awareness Month" (NCSAM) in October.

  • The European Union Agency for Cybersecurity (ENISA) assists EU member states with cybersecurity challenges.

Threat Actor Tools

  • Attack tools have become more sophisticated and automated, requiring less technical knowledge.

Evolution of Security Tools

  • Ethical hacking uses various tools to test networks and devices.

  • Password crackers: Used to crack or recover passwords (e.g., John the Ripper, Ophcrack).

  • Wireless hacking tools: Used to detect wireless network vulnerabilities (e.g., Aircrack-ng, Kismet).

  • Network scanning and hacking tools: Used to probe for open TCP or UDP ports (e.g., Nmap, SuperScan).

  • Packet crafting tools: Used to test firewall robustness (e.g., Hping, Scapy).

  • Packet sniffers: Used to capture and analyze packets (e.g., Wireshark, Tcpdump).

  • Rootkit detectors: Used to detect installed rootkits (e.g., AIDE, Netfilter).

  • Fuzzers: Used to discover security vulnerabilities (e.g., Skipfish, Wapiti).

  • Forensic tools: Used to find traces of evidence (e.g., Sleuth Kit, Helix).

  • Debuggers: Used to reverse engineer binary files or analyze malware (e.g., GDB, WinDbg).

  • Hacking operating systems: Preloaded with hacking tools (e.g., Kali Linux, Parrot OS).

  • Encryption tools: Used to safeguard data (e.g., VeraCrypt, OpenSSL).

  • Vulnerability exploitation tools: Used to identify vulnerable remote hosts (e.g., Metasploit, Core Impact).

  • Vulnerability scanners: Used to scan for open ports and known vulnerabilities (e.g., Nessus, OpenVAS).

Categories of Attacks

  • Eavesdropping attack: Capturing and listening to network traffic.

  • Data modification attack: Altering data in packets without sender/receiver knowledge.

  • IP address spoofing attack: Creating packets that appear to originate from a valid internal address.

  • Password-based attacks: Using obtained credentials to gain access and modify data/configurations.

  • Denial-of-service (DoS) attack: Preventing normal use of a computer or network by valid users.

  • Man-in-the-middle attack (MiTM): Monitoring, capturing, and controlling communication between a source and destination.

  • Compromised key attack: Obtaining a secret key to gain access to secured communication.

  • Sniffer attack: Capturing network data exchanges; can reveal data if packets are not encrypted.

Malware

  • Malware (malicious software/code) damages, disrupts, steals, or inflicts illegitimate actions on data, hosts, or networks.

  • Common types: viruses, worms, and Trojan horses.

Viruses

  • Spread by inserting a copy of itself into another program, requiring human help to spread.

  • Viruses can mutate to avoid detection and spread via USB drives, CDs, DVDs, network shares, and email.

Trojan Horses

  • Appear legitimate but contain malicious code, exploiting user privileges.

  • Often attached to online games, Trojans can cause immediate damage, provide remote access, or perform actions remotely.

Trojan Horse Classification

  • Remote-access: Enables unauthorized remote access.

  • Data-sending: Provides sensitive data to the attacker.

  • Destructive: Corrupts or deletes files.

  • Proxy: Uses the victim's computer as a source for attacks.

  • FTP: Enables unauthorized file transfer services.

  • Security software disabler: Stops antivirus programs or firewalls.

  • Denial of Service (DoS): Slows or halts network activity.

  • Keylogger: Steals confidential information by recording keystrokes.

Worms

  • Replicate and cause damage, independently exploiting network vulnerabilities.

  • SQL Slammer exploited a buffer overflow in Microsoft's SQL Server.

Worm Components

  • Enabling vulnerability: Installs itself using an exploit mechanism.

  • Propagation mechanism: Replicates itself and locates new targets.

  • Payload: Malicious code creating backdoors or DoS attacks.

Ransomware

  • Denies access to the infected system or data, demanding payment for release, often using Bitcoin for anonymity.

  • Email and malicious advertising (malvertising) are common vectors.

  • Social engineering is also used.

Other Malware

  • Spyware: Gathers user information without consent.

  • Adware: Displays pop-up ads to generate revenue.

  • Scareware: Uses social engineering to induce anxiety and trick users into installing malware.

  • Phishing: Attempts to convince people to divulge sensitive information.

  • Rootkits: Hides its intrusion and provides privileged access to threat actor.

Common Malware Behaviors

  • Appearance of strange files, programs, or desktop icons

  • Antivirus and firewall programs are turning off or reconfiguring settings

  • Computer screen is freezing or system is crashing

  • Emails are spontaneously being sent to your contact list without your knowledge

  • Files have been modified or deleted

  • Increased CPU and/or memory usage

  • Problems connecting to networks

  • Slow computer or web browser speeds

  • Unknown processes or services running

  • Unknown TCP or UDP ports open

  • Connections are made to hosts on the internet without user action

  • Other strange computer behavior

Common Network Attacks

  • Categorized into Reconnaissance, Access, and DoS Attacks.

Reconnaissance Attacks

  • Gathering information through:

    • Information queries using search engines and tools like WHOIS.

    • Ping sweeps to determine active IP addresses.

    • Port scans to identify available services (e.g., Nmap, SuperScan).

    • Vulnerability scanners to determine OS and application versions (e.g., Nessus, OpenVAS).

    • Exploitation tools to discover vulnerable services (e.g., Metasploit, Core Impact).

Access Attacks

  • Exploit vulnerabilities in authentication, FTP, and web services.

    • Password Attacks: Discovering system passwords.

    • Spoofing Attacks: Falsifying data to pose as another device.

    • Trust Exploitation: Using unauthorized privileges.

    • Port Redirection: Using a compromised system for attacks.

    • Man-in-the-Middle: Intercepting and modifying data between two parties.

    • Buffer Overflow Attack: Overwhelming buffer memory, causing a DoS.

Social Engineering Attacks

  • Manipulating individuals into performing actions or divulging information.

    • Pretexting: Pretending to need personal or financial data.

    • Phishing: Sending fraudulent emails disguised as trusted sources.

    • Spear Phishing: Targeted phishing for specific individuals or organizations.

    • Spam: Unsolicited emails containing harmful links or deceptive content.

    • Something for Something (Quid pro quo): Requesting information in exchange for a gift.

    • Baiting: Leaving a malware-infected flash drive in a public location.

    • Impersonation: Pretending to be someone else to gain trust.

    • Tailgating: Following an authorized person into a secure location.

    • Shoulder Surfing: Stealing passwords or information by looking over someone’s shoulder.

    • Dumpster Diving: Discovering confidential documents in trash bins.

Strengthening the Weakest Link

  • Personnel are the weakest link; training and a security-aware culture are crucial.

Network Attacks - Denial of Service, Buffer Overflows, and Evasion

DoS and DDoS Attacks

  • Denial of Service (DoS): Interrupting network services through overwhelming traffic or maliciously formatted packets.

  • Distributed DoS (DDoS): DoS attack from multiple coordinated sources.

Components of DDoS Attacks

  • Zombies: Compromised hosts running malicious code (bots).

  • Bots: Malware infecting hosts and communicating with a handler system.

  • Botnet: A group of zombies controlled by handlers.

  • Handlers: Master command-and-control (C2) servers controlling zombies.

  • Botmaster: The threat actor controlling the botnet and handlers.

Buffer Overflow Attack

  • Exploiting memory flaws to render a system inoperable, creating a DoS attack.

Evasion Methods

  • Encryption and tunneling: Hiding or scrambling malware files.

  • Resource exhaustion: Overwhelming the target host to disable security detection.

  • Traffic fragmentation: Splitting malicious payloads into smaller packets to bypass security detection.

  • Protocol-level misinterpretation: Exploiting improper handling of protocol features.

  • Traffic substitution: Obfuscating data by encoding it in a different format (e.g., Unicode instead of ASCII).

  • Traffic insertion: Inserting extra bytes of data in a sequence of malicious data.

  • Pivoting: Expanding access within a compromised network.

  • Rootkits: Hiding attacker activities on the local system.

  • Proxies: Redirecting traffic through intermediate systems to hide stolen data destinations.

Mitigating Threats

Defending the Network

  • Network security professionals must stay ahead of hackers by upgrading skills, attending training, subscribing to threat feeds, and maintaining familiarity with network security organizations.

Network Intelligence Communities

  • SANS Institute: Provides free resources, including the Internet Storm Center, NewsBites, and security alerts.

  • Mitre Corporation: Maintains a list of common vulnerabilities and exposures (CVE).

  • FIRST: Facilitates cooperation in information sharing and incident prevention.

  • SecurityNewsWire: Aggregates news on alerts, exploits, and vulnerabilities.

  • (ISC)2: Provides vendor-neutral education products and career services.

  • CIS: Offers cyber threat prevention, protection, and response for state, local, tribal, and territorial governments.

Network Security Certifications

  • Offered by GIAC, (ISC)2, ISACA, EC-Council, and CWNP.

  • Cisco CCNP Security certifications: 300-710 SNCF, 300-715 SISE, 300-720 SESA, 300-725 SWSA, 300-730 SVPN, 300-735 SAUTO

Communications Security: CIA

  • Confidentiality: Only authorized access to sensitive information.

  • Integrity: Protection of data from unauthorized alteration.

  • Availability: Uninterrupted access to network resources and data.

Network Security Policies

Network Security Domains

  • Specified by ISO/IEC.

    • Information Security Policies: Creation, review, and maintenance of security policies.

    • Organization of Information Security: Governance model for information security.

    • Human Resources Security: Security responsibilities for employees.

    • Asset Management: Inventory and classification of information assets.

    • Access Control: Restriction of access rights.

    • Cryptography: Data encryption and sensitive information management.

    • Physical and Environmental Security: Protection of physical facilities and equipment.

    • Operations Security: Management of technical security controls.

    • Communications Security: Security of data communicated on networks.

    • System Acquisition, Development, and Maintenance: Ensuring information security across the entire lifecycle.

    • Supplier Relationships: Contractual agreements protecting information and technology assets.

    • Information Security Incident Management: Anticipating and responding to security breaches.

    • Business Continuity Management: Protection, maintenance, and recovery of business-critical processes.

    • Compliance: Ensuring conformance with security policies and regulations.

Business Policies

  • Guidelines governing an organization's actions.

    • Company policies: Rules of conduct and responsibilities for employees and employers.

    • Employee policies: Salary, pay schedule, benefits, and work schedule policies.

    • Security policies: Security objectives, rules, and system requirements.

Security Policy

  • Informs users of requirements for protecting technology and information assets.

    • Identification and authentication policy: Specifies authorized access and verification procedures.

    • Password policies: Ensures strong passwords and regular changes.

    • Acceptable Use Policy (AUP): Identifies acceptable network applications and uses.

    • Remote access policy: Identifies how remote users can access a network.

    • Network maintenance policy: Specifies OS and application update procedures.

    • Incident handling procedures: Describes how security incidents are handled.

BYOD Policies

  • Address risks associated with employees using their own devices.

    • Password protected access: Unique passwords for each device and account.

    • Manually control wireless connectivity: Turn off Wi-Fi and Bluetooth when not in use.

    • Keep updated: Always keep the device OS and other software updated.

    • Back up data: Enable backup of the device in case it is lost or stolen.

    • Enable “Find my Device”: Subscribe to a device locator service with remote wipe feature.

    • Provide antivirus software: Provide antivirus software for approved BYOD devices.

    • Use Mobile Device Management (MDM) software: MDM software enables IT teams to implement security settings and software configurations.

Regulatory and Standards Compliance

  • Organizations must develop and implement security policies based on compliance regulations.

Security Tools, Platforms, and Services

The Security Onion and The Security Artichoke

  • Security Onion: A defense-in-depth approach where a threat actor must peel away layers of defense.

  • Security Artichoke: A changing landscape where threat actors only need to remove certain "leaves" to reach the target.

Security Testing Tools

Includes password crackers, wireless hacking tools, network scanning tools, packet crafting tools, packet sniffers, rootkit detectors, fuzzers, forensic tools, debuggers, hacking operating systems, encryption tools, vulnerability exploitation tools and vulnerability scanners.

Data Security Platforms

  • Integrated security solutions combining traditionally independent tools.

  • FireEye Helix: A cloud-based security operations platform for event management, network behavior analytics, and threat detection.

  • Cisco SecureX: A unified platform providing visibility, automation, and stronger defenses for networks, users, and endpoints.

Security Services

  • Threat intelligence and security services allow the exchange of threat information.

  • Cisco Talos Threat Intelligence Group: Collects information about active, existing, and emerging threats.

Mitigating Common Network Attacks

  • Constant vigilance and ongoing education are required to defend your network against attack.

Best Practices

  • Develop a written security policy for the company.

  • Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.

  • Control physical access to systems.

  • Use strong passwords and change them often.

  • Encrypt and password-protect sensitive data.

  • Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, antivirus software, and content filtering.

  • Perform backups and test the backed-up files on a regular basis.

  • Shut down unnecessary services and ports.

  • Keep patches up-to-date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.

  • Perform security audits to test the network.

Mitigating Malware

  • Use antivirus software, and prevent malware files from entering the network at all

Mitigating Worms

  • Requires diligence and coordination on the part of network security professionals. The response to a worm attack can be broken down into four phases: containment, inoculation, quarantine, and treatment.

  • Containment: Limiting spread by segmenting the network and using ACLs on routers and firewalls.

  • Inoculation: Patching uninfected systems.

  • Quarantine: Identifying and isolating infected machines.

  • Treatment: Disinfecting systems or reinstalling them in severe cases.

Mitigating Reconnaissance Attacks

  • Implementing authentication, encryption, anti-sniffer tools, a switched infrastructure, a firewall and IPS.

  • Mitigating Access Attacks: Strong password security, minimum trust, cryptography, and OS/application patches.

  • Mitigating DoS Attacks: antispoofing technologies, such as port security, Dynamic Host Configuration Protocol (DHCP) snooping, IP Source Guard, Dynamic Address Resolution Protocol (ARP) Inspection, and access control lists (ACLs).

Cisco Network Foundation Protection Framework
NFP Framework

  • Provides guidelines for protecting the network infrastructure.

    • Control plane: Responsible for routing data correctly.

    • Management plane: Responsible for managing network elements.

    • Data plane: Responsible for forwarding data.

Securing the Control Plane

  • Routing protocol authentication and Control Plane Policing (CoPP) to prevent unnecessary traffic from overwhelming the route processor.

  • AutoSecure to lock down the management plane and forwarding plane.

Securing the Management Plane

  • Login and password policy, legal notification, data confidentiality, role-based access control (RBAC), and management access reporting.

Securing the Data Plane

  • Using ACLs, antispoofing mechanisms, and Layer 2 security features like port security, DHCP snooping, DAI, and IP Source Guard on Cisco Catalyst switches.