Network security

intronetworksecurity

Common security controls 🛫

  • Disable insecure/unused services/protocols
  • Secure remote connections (timeout, max number of connections, disable internet if not required, use strong passwords or a certificate...)
  • Harden network interfaces (timeout/keepalive, ACLs...)
  • Change default parameters (WPA, SSID, SNMP...)
  • ...

In security, we often categorize the traffic into two types

  • East-West traffic 🏡: traffic between two internal hosts/apps
  • North-South traffic 🌍: traffic with an external network

Security controls are determined based on the type of traffic.

Common networking attacks

protocolsandservers2

Sniffing 🐛: without or with a weak encryption, an actor can listen to exchanged packets, to learn more about the network architecture, and to find the weak point.

Spoofing 🪪: an actor can usurp another machine identity to fake messages coming from the victim (ex: MAC spoofing).

Tampering 😈: without integrity checks, an actor can tamper with messages without the sender/receiver being aware of it

MITM (Man-in-the-middle) 🥷: an actor intercepts communications and modify or manipulate the data being transmitted.

Password 🔑: we must ensure that administrators/managers do not use weak/compromised passwords.

DoS 🔥: Denial of Service. Attackers send malicious packets to slow down a host; they generate a high level of traffic...

➡️ See DDoS, Reflection/amplification DoS, Smurf DDoS, or the ping of death, Spoofed disconnect attack, CTS flood...

Firewalls

extendingyournetwork

A firewall is a solution present in every modern secure network. It is used to filter 👮, and block unauthorized traffic ⛔.

There are many kind of firewalls, that operate at multiple OSI layers.

There are two kind of firewall architectures:

  • Stateless firewalls 🧑: check every packet
  • Stateful firewalls 🚗: check the session/connection

Network zoning

Network zoning is a form of network segmentation that focuses on security rather than performances or similar reasons that could lead to network segmentation.

The focuses is in creating zones with devices that shares the same security requirements/level, to apply specific appropriate security controls according to the security level of the group.

➡️ Traffic between zones are filtered by firewalls/...

➡️ You can sort devices by CIA level, like if a device need up to 4 hours of unavailability, then A=high...

Demilitarized Zone (DMZ)

A Demilitarized Zone (DMZ) is a physical or logical subnet separating two networks, often a LAN and a WAN. It's usually used to isolate public servers from internals servers. For instance,

  • Web servers
  • Email servers
  • VPN servers
  • DNS servers
  • ...

Access control lists (ACLs)

Access control lists (ACLs) are used to control traffic flow on a network interface by allowing or denying traffic based on specific criteria.

  • 🚛 one ACL for each enabled protocol
  • ✈️ one ACL per direction (incoming and outgoing)
  • 🎯 you can create one ACL for each interface

They can be used on many types of network devices. There are two types of ACLs:

  • Standard ACLs: filter based on the IP address
  • Extended ACLs: filter based on the source and destination IP address and port, the protocol...

Extended ACLs are usually placed near the source of the traffic, preventing the forbidden traffic to leave the subnet.

👉 Avoid useless bandwidth usage.

Standard ACLs are usually placed near the destination of the traffic, and they filter based on the source, regardless of the destination.

👉 We only define the source, so we need to ensure only allowed sources are allowed.

TCP Wrappers

linuxfundamentals

TCP Wrappers is a host-based networking ACL system for Linux. It can be used to control access to network services based on the IP address of the client requesting access.

  • /etc/hosts.allow: list allowed hosts (whitelist)
  • /etc/hosts.deny: list forbidden hosts (blacklist)

TCP/IP Protocol Stack Security

The set of protocols that make up the TCP/IP suite, a.k.a. as the TCP/IP protocol Stack, is exposed to some vulnerabilities.

  • Weak authentication

👉 The source and the destination of packets is not guaranteed, an attacker can easily spoof them. 💥 Spoofing ➡️ Implement authentication and access control.

  • Lack of Integrity Protection

👉 Messages can be tampered. 💥 ICMP Redirect. Packet injection. ➡️ Use encryption and digital signatures.

  • Confidentiality

👉 Messages sent as cleartext. 💥 Sniffing ➡️ Use encryption/a VPN.

  • Availability

👉 Can be make unavailable. 💥 DoS, spoofing, poisoning. ➡️ Use firewalls, IDS/IPS...

  • Accounting (track network usage)

👉 It's difficult to find the source because it can be spoofed. ➡️ Implement logging and auditing to track network traffic.

  • Non-repudiation (user denying having performed some action)

👉 IP addresses can be spoofed. 💥 The hacker claim that someone else used his IP for the attack. ➡️ Use digital signatures and encryption to ensure that we know who sent the packet.

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • Advanced Malware Protection (AMP)
  • Duo (two-factor)
  • Identity Services Engine (ISE)
  • Umbrella
  • Secure Access Service Edge (SASE)
  • Isolate VLAN during attack
  • Fork bomb
  • workstation on their own network, host-firewall to prevent them for exchanging with each other (ideally)
  • Switch+Router on an Administration Network to avoid fake OSPF advertisements?
  • Blind spoofing

Access

  • Network Access Control (NAC): allow based on user+device (DAC, MAC, RBAC)
  • Get requests to sniff (see)
    • Network Taps
    • MAC flooding
    • ARP poisoning

Firewall applicative

  • Application-level gateway (FTP, SIP, or HTTP)
  • FirewallD, Netfilter (Linux)

CMDB

  • Configuration Managment Database
  • inventory software/hardware/... basically every asset?
  • auto-discovery?
  • lansweeper

Others

  • Network security monitoring (NSM)