Network Security Fundamentals & Concepts (INE-converted)
Security Principles
Types of Data
At rest
In motion
How do we classify?
Value, replacement cost, age, usefulness
Vulnerability Categories
Physical access to the equipment by unauthorized personnel
Human factors
Hardware and Software vulnerabilities
Incorrect Designs
Misconfigurations
Weaknesses in Protocols
Countermeasure Classification
To know our weapons
Countermeasure Categories
Physical (enforcing physical security)
Technical/Logical (software/hardware solutions)
Administrative (Policies, Procedures, Guidelines and Standards)
Security Threats
Threats
Anything that can harm our systems
In general it might be an attacker or a piece of software
Attacker Types
Hackers
Criminals
Terrorists
Disgruntled employees
Competitors
Foreign governments
Common Attack Methods
Reconnaissance (network discovery)
Social Engineering (fooling/tricking people)
Privilege Escalation (getting more access)
Code Execution (activating malicious code)
Backdoors (software installed to allow remote access in the future)
Covert Channels (hidden communication channel)
Trust Exploitation (utilizing an existing policy to obtain more access)
Man in The Middle aka “MiTM” (when an attacker puts himself into a session)
Denial of Service “DoS” (making a device/system unusable)
Distributed DoS “DDoS” (a DoS performed by multiple attackers, e.g. BotNet)
Password Guessing/Cracking
Dictionary Attack (password guessing with a dictionary)
Brute-Force Attack (trying all possible combinations of a password)
IPS Fundamentals
Intrusion Sensors
Intrusion Detection System (IDS)
Able to detect attacks
Analyzes a copy of real traffic
Intrusion Prevention System (IPS)
Able to detect and stop attacks
Works on real data packets (inline)
Sensor Deployment Modes
Promiscuous/Passive
SPAN, RSPAN or Network Tap
No delay, can’t become a bottleneck
Inline
L2
L3 (e.g. FirePOWER)
Throughput and/or latency might be an issue
Fail Open vs Fail Closed
Sensor Platforms
Network-Based Sensors (NIPS)
Physical appliances, such as FirePOWER 7000/8000
ASA/IOS module, such as IOS IPS AIM or ASA FirePOWER
Host-Based Sensors (HIPS)
Originally deployed using Agents installed on endpoints and Monitor Systems
Currently often deployed in Cloud
The Cloud is accessed through the Connectors installed on endpoints
Has some advantages over NIPS
Full visibility into encrypted traffic
Able to detect attacks that don’t generate any network traffic
Might be hard to deploy and monitor
Attack Detection Strategies
Signatures
Set of rules/conditions describing an attack
An attack must be already known and signatures must be kept up-to-date
Anomaly Detection
Initially learns patterns of normal network activities (baseline profile)
This profile is then constantly compared to current activities
Policy-Based
Traffic detected outside the configured policy triggers an alarm
Configuring a policy might be challenging and time consuming
Reputation-Based
Traffic is evaluated based on the reputation of IP addresses, URLs and domain names
Sensor Actions
A sensor can respond to an attack by taking certain action(s)
Alert/Alarm : generates a log
Drop : "kills" malicious packet(s)
Block : session, all traffic from the attacker, or traffic between attacker and victim
Reset : disconnects a TCP session
Shun : asking other devices to block malicious traffic
Blacklist, Whitelist
Evaluated before sensor policies (signatures, rules, reputation etc.)
Statically pre-configured list of bad (or good -> whitelist) IP addresses
Blacklist can be downloaded dynamically from Cisco
Sensor Decision Classification
Sensor decisions are classified based on their correctness
"True" means that the behavior was correct, "False" that it was not
All "False" events require signature/policy tuning
"Positive" means that a signature fired, "Negative" that it did not
Summary
True Positive : offending traffic caused a signature to fire (OK)
True Negative : normal traffic did not trigger a signature (OK)
False Positive : a signature fired for normal traffic (WRONG)
False Negative : the attack went undetected (WRONG)
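The two slides above (lists evaluated before the sensor policies, and the True/False Positive/Negative classification of sensor decisions) are illustrated together in the following added example, which is not part of the INE material. It is a toy sensor in Python: the whitelist and blacklist are consulted before any signature, and each decision is then scored against a ground-truth label. All lists, signatures and packets are constructed sample data; a real IPS loads its lists from policy or a vendor feed and its signatures from an update service.

```python
# Added example (not from the INE slides): a toy sensor that evaluates a static
# blacklist/whitelist before its signatures, then scores its decisions against
# labelled ground truth as True/False Positives/Negatives.
from dataclasses import dataclass

# Constructed sample lists; a real sensor loads these from policy or a vendor feed.
BLACKLIST = {"203.0.113.9"}
WHITELIST = {"198.51.100.5"}

# Constructed signatures: (name, substring that must appear in the payload).
SIGNATURES = [
    ("sql-injection", "' OR 1=1"),
    ("path-traversal", "../../"),
]


@dataclass
class Packet:
    src: str
    payload: str
    malicious: bool  # ground-truth label, used only for scoring the sensor


def inspect(pkt):
    """Return (action, reason). Lists are checked before signatures, as the
    slides state; 'drop' is the only response this toy sensor knows."""
    if pkt.src in WHITELIST:
        return "allow", "whitelist"
    if pkt.src in BLACKLIST:
        return "drop", "blacklist"
    for name, needle in SIGNATURES:
        if needle in pkt.payload:
            return "drop", name
    return "allow", "no-match"


def classify(pkt, action):
    """Map one decision to TP/TN/FP/FN: 'Positive' = signature/list fired."""
    fired = action == "drop"
    if fired and pkt.malicious:
        return "TP"
    if not fired and not pkt.malicious:
        return "TN"
    if fired and not pkt.malicious:
        return "FP"
    return "FN"


def score(packets):
    """Run every packet through the sensor and count the four outcome classes."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for pkt in packets:
        action, _ = inspect(pkt)
        counts[classify(pkt, action)] += 1
    return counts


# Constructed traffic sample with ground-truth labels.
SAMPLE = [
    Packet("192.0.2.10", "GET /index.html", False),
    Packet("192.0.2.11", "GET /?id=1' OR 1=1--", True),
    Packet("203.0.113.9", "GET /index.html", True),             # blacklisted source
    Packet("198.51.100.5", "GET /../../etc/passwd", True),      # whitelist wins -> FN
    Packet("192.0.2.12", "GET /docs/../../manual.pdf", False),  # benign but fires -> FP
    Packet("192.0.2.13", "POST /login", True),                  # no signature -> FN
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        action, reason = inspect(pkt)
        print(f"{pkt.src:14} {action:5} {reason:15} {classify(pkt, action)}")
    print(score(SAMPLE))
```

The two "WRONG" rows are exactly the cases the slides say need tuning: the FP comes from a signature that is too broad, and one of the FNs comes from a whitelist entry that short-circuits inspection entirely, which is why whitelists deserve the same review as signatures.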
NGIPS
FirePOWER is an example of Next-Generation IPS
Analyzes network traffic in real time looking for threats
Threats are identified based on Cisco Talos Security Intelligence signatures
Email Security Appliance (ESA)
Virtual ESA (ESAV)
Hybrid
Cloud for inbound, on-premise for outbound traffic
Email Exchange
Emails are generally forwarded based on the destination domain name
Information about the organization's mail server is stored in a DNS "MX" record
The "A" lookup must still be used to find the IP address of the SMTP server
If no "MX" record exists, the "A" lookup is performed on the domain itself
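The MX-then-A resolution just described, as an added example that is not part of the INE slides. DNS is simulated with a constructed zone table so that the code runs offline; a real MTA would send the same two query types to a resolver. The domain names, preference values and addresses are constructed sample data.

```python
# Added example (not from the slides): how a sending MTA picks delivery hosts
# for a recipient domain. DNS is replaced by a constructed in-memory zone table.
ZONE = {  # constructed records: (qname, rtype) -> list of rdata
    ("example.com", "MX"): [(20, "backup-mx.example.net"), (10, "mail.example.com")],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("backup-mx.example.net", "A"): ["198.51.100.25"],
    ("nomx.example.org", "A"): ["203.0.113.25"],  # domain with no MX record at all
}


def lookup(qname, rtype):
    """Stand-in for a DNS query; returns [] when the record does not exist."""
    return ZONE.get((qname.lower().rstrip("."), rtype), [])


def resolve_mail_hosts(domain):
    """Return the ordered list of (hostname, ip) delivery candidates for a domain."""
    mx = lookup(domain, "MX")
    if mx:
        # Lowest preference value is tried first; equal values are peers.
        hosts = [host for _, host in sorted(mx)]
    else:
        # Implicit MX rule (RFC 5321): fall back to the domain itself.
        hosts = [domain]
    candidates = []
    for host in hosts:
        # An MX only names a host; the A lookup supplies the SMTP server's address.
        for ip in lookup(host, "A"):
            candidates.append((host, ip))
    return candidates


if __name__ == "__main__":
    for d in ("example.com", "nomx.example.org", "unknown.test"):
        print(d, "->", resolve_mail_hosts(d))
```

Note that a domain with neither record yields no candidates at all, which a real MTA reports as a permanent delivery failure rather than guessing an address.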
Inbound vs Outbound exchange
Web Security
Web Security Appliance (WSA)
Combination of a fast Web Proxy and an advanced content filtering solution
Designed for HTTP[S] and FTP
Strong caching, inspection, policy enforcement and anti-malware capabilities
Relies on multiple engines and technologies
WSA Security Components
URL Filtering
Application Visibility and Control (AVC)
Anti-malware scanning
L4 Traffic Monitor (L4TM)
HTTPS Decryption
WSA Deployment
Web Proxy
Explicit Forward
Requires re-configuration of clients’ browsers (manually or by using a PAC file)
WSA placement is arbitrary
Transparent
Completely transparent to the end users
Traffic is redirected by a router/ASA/L4 switch using WCCPv2
Recommended design : Internet Edge Distribution Layer (ASA’s inside interface)
L4TM
Requires the traffic (TCP) to be redirected to the WSA
SPAN/RSPAN, Hub or Network Tap
Cloud Web Security (CWS)
Software-as-a-Service (SaaS) implementation of a WSA
No maintenance and support required
Very similar functionality (except for FTP support)
Traffic must be redirected to the CWS cloud so it can be inspected by the SIO engines
Explicit Forward
Addresses of Cloud Proxies are provided based on the location and deployment size
Cloud Connectors
ISR G2 routers, ASA firewalls and WSA
AnyConnect (mobile and remote users)
Endpoint Security
Endpoints (PCs, laptops, mobile etc.) are critical to every organization
Often contain important or highly sensitive data
802.1x components
Supplicant (client software)
Authenticator (policy enforcement)
Switch / Access Point (AP)
Authentication Server (RADIUS)
802.1x Authentication
The Process
Authentication starts on reception of an EAP Request Identity frame
The frame is sent periodically, when a port goes up or upon reception of EAP START
Authenticator acts as a proxy between supplicant (EAPOL) and RADIUS server
EAP data is encapsulated using two RADIUS EAP-specific attributes
Authentication method is negotiated
Authentication is performed
OK : Access-Accept with authorization data -> EAP Success
FAIL : Access-Reject -> EAP Failure
Deny access, then after dot1x timeout quiet-period re-authenticate
Wired networks : use next authentication method or assign an Auth-Fail VLAN
Configuration (wired networks)
Enable AAA (aaa new-model)
Define RADIUS server (radius-server host or radius server name)
Enable 802.1x globally (dot1x system-auth-control)
Configure 802.1x method list (aaa authentication dot1x default)
Configure a switchport
Enable access mode (switchport mode access)
Activate 802.1x (authentication port-control auto)
Make sure port is acting as Authenticator (dot1x pae authenticator)
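The configuration checklist above is the kind of thing that drifts over time (a port gets re-provisioned without its dot1x commands). The following added example, which is not INE's material, audits an IOS-style running-config text against exactly the commands listed in the steps above: the global commands, either RADIUS server syntax, and the three per-port commands on every port that looks like an 802.1x access port. The config text is constructed; the shared secret is a labelled placeholder.

```python
# Added example (not from the INE slides): audit an IOS-style running-config for
# the 802.1x commands in the checklist. Command strings follow the slide text;
# real platforms and IOS versions vary, so treat the lists as a starting point.
GLOBAL_REQUIRED = [
    "aaa new-model",
    "dot1x system-auth-control",
    "aaa authentication dot1x default",
]
GLOBAL_ANY = ["radius-server host", "radius server "]  # either syntax defines a server
PORT_REQUIRED = [
    "switchport mode access",
    "authentication port-control auto",
    "dot1x pae authenticator",
]
# A port is treated as an 802.1x access port if it carries any of these.
DOT1X_PORT_MARKERS = ("switchport mode access", "authentication ", "dot1x ")


def parse_interfaces(config):
    """Return {interface_name: [stripped indented lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # any non-indented line ("!", a global command) ends the block
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    global_lines = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    for cmd in GLOBAL_REQUIRED:
        if not any(l.startswith(cmd) for l in global_lines):
            findings.append(f"global: missing '{cmd}'")
    if not any(l.startswith(p) for p in GLOBAL_ANY for l in global_lines):
        findings.append("global: no RADIUS server defined")
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith(m) for m in DOT1X_PORT_MARKERS for l in lines):
            continue  # trunk/uplink port, not expected to run 802.1x
        for cmd in PORT_REQUIRED:
            if cmd not in lines:
                findings.append(f"{name}: missing '{cmd}'")
    return findings


# Constructed sample config: Gi0/2 is missing one per-port command.
SAMPLE_CONFIG = """\
hostname SW1
aaa new-model
radius server ISE
 address ipv4 192.0.2.50 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["compliant"]:
        print(finding)
```

Running it over a config export from each access switch, and diffing the findings between runs, is a cheap way to catch the Auth-Fail VLAN or port-control settings silently disappearing after a change window.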
Bring Your Own Device (BYOD)
BYOD allows employees to use their personal devices in the corporate network
Flexible and convenient but not secure
Broad access methods like public hot spots, mobile (3G/4G), wireless, wired, VPN
Higher potential for malware, insecure OS etc.