Network Security 1.2

DOMAIN 1.0 Network Security

1.2 Apply and implement secure network administration principles

Based on CompTIA's list of Security+ exam objectives (their PDF list of domains is found here: http://certification.comptia.org/docs/default-source/exam-objectives/comptia-security-sy0-401.pdf ), I'll go through each one, giving examples and details where possible, so you know better what each listed item means, does and looks like. The examples are not in any particular order, preference, or even recommendation; they're just quick-and-easily-found examples. I have no affiliations with any of the companies or products mentioned.

I mention these products and examples because:

1. When you're starting out it can be difficult to get a grasp of what's what;
2. If you're in charge of a virtual environment, you probably won't come in contact with many of these because they're managed solely by your VM provider (e.g., firewall and NIDS); and,
3. If you're in a small business you might not have any use for a host of load balancers, NIDS, routers and switches, and/or may not have the resources (e.g., money and space) to try your hand at these.

This is the second installment.

Rule-based Management

Rules, rules, rules. You set the rules, filters or values. Examples of devices that manage events using rules are firewalls, proxies and IPSs (intrusion prevention systems). Whether the device needs a specific value as input (e.g., Block Port 22) or an if-then statement (e.g., if port=22 then deny), you need to double-check the priority and sequence of the rules to make sure they don't negate each other. Rules are evaluated top-down and the first match wins, so if a Deny All rule sits above your permits, nothing below it is ever reached.

Firewall Rules

Since firewalls are typically defaulted to Implicit Deny/Deny All, it's important to specify what you will and won't allow. Allow All/Explicit Allow isn't an option for security. You have to set up Inbound and Outbound rules for programs, services, ports, protocols, users, computers and scopes. The rules are ordered and the last rule is Default Deny. This means "This rule is applied, then that rule, and after all rules have been checked, deny everything else."

Here's a CLI view of what some firewall rules might look like (Cisco IOS syntax; a standard ACL filters on source address only):

ip access-list standard workstations
 remark Permit only Cybrary computer through
 permit 172.16.2.88
 remark Do not allow BadGuy computer through
 deny 172.16.3.13

The deny line is technically redundant, since anything not permitted is dropped by the implicit deny at the end of the list anyway, but the explicit entry documents the intent and shows up with its own hit counter in "show access-lists".

Here's what the text of one row of a GUI rule table might look like:

No. | Permit | Source       | Destination | Service | Interface | Dir. | Desc.
1   | Yes    | 172.16.42.88 | Any         | IP      | Eth0      | In   | Permit

Be familiar with Explicit and Implicit, Deny and Allow.

VLAN Management

After you've split up your network into VLANs (which is done to help traffic flow and to keep groups of hosts apart), you'll need to maintain them. Typically, VLAN 1 is the default VLAN and is often used as the management VLAN, and from there you can specify, modify, isolate and manage your VLANs as you wish. A common hardening step is to move management onto its own VLAN and leave VLAN 1 unused, since every switch port belongs to VLAN 1 until you say otherwise. It's often done using the CLI, though there are free, open-source tools like FreeNAC (found here, though out-of-date: http://freenac.net/ ).

Secure Router Configuration

A router may come with all ports open, so you'll need to lock it down. There are also protocols, interfaces and trusted resources that you'll need to allow or block. At minimum, you need to reset the default router password ASAP, as pretty much all default usernames and passwords for devices can be found on the internet with a brief search. If someone scans your network, they'll see, among other things, what kind of hardware you have and will try the default username and password. If that works, they own your device.

Access Control Lists

ACLs (pronounced "ACK-uls") are also known as filters. They're how you specify who and what has access (both locally and remotely) to your gear and what they can do with it (e.g., read or make changes). Here's what a network access list might look like on a Cisco router or firewall:

access-list 10 permit 192.168.146.0 0.0.1.255

The second address is a wildcard mask, the inverse of a subnet mask: a 0 bit means "must match" and a 1 bit means "don't care", so this entry matches sources 192.168.146.0 through 192.168.147.255.

You will have separate rules for inbound and outbound traffic, each with Permit or Deny. The anatomy of an ACL entry consists of these parts:

1. Rule (sequence) number
2. Permit/Deny action
3. Protocol (for extended ACLs, e.g., ip, tcp, udp, icmp)
4. Source and destination address with wildcard mask, plus a port where applicable

The ACL is then applied to an interface in one direction, inbound or outbound.

The typical default is "Deny All" or "Implicit Deny," so you have to set up rules in your org as to which ports you allow. You'll allow ports 80 and 443 for web traffic, port 25 for email to pass through, port 22 if you need SSH (you should specify exactly which devices can access this), etc. Since each device is different in its default settings, you'll need to check each device as soon as you can and secure it accordingly.

Do an internet search for List of Well-Known Ports to get a good idea of what you need to start with.

Port Security

This also covers the use of physical network jacks. You can enable or disable the switch ports, or designate which MAC addresses (and how many) are allowed on a jack. Here's an example (from http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html ) of what configuring port security might look like:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Switch# show port-security interface fastethernet 3/12
Port Security :Enabled
Port Status :Secure-up
Violation Mode :Shutdown
Aging Time :0
Aging Type :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses :5
Total MAC Addresses :0
Configured MAC Addresses :0
Sticky MAC Addresses :11
Last Source Address :0000.0000.0401
Security Violation Count :0

With "maximum 5" and "sticky", the switch learns the first five source MAC addresses seen on the port and writes them into the running configuration. In the default violation mode (shutdown), a sixth address puts the port into err-disabled state and it stays down until an administrator brings it back up (or errdisable recovery is configured).

802.1x

802.1X is the IEEE standard for port-based network access control. Don't confuse it with 802.11 (the Wi-Fi radio standards: 802.11a/b/g/n, with 802.11i defining WPA2 security) or 802.16 (WiMAX); 802.1X is the access-control layer that runs on top of those, and on wired switch ports too. It can be used on wired networks, but it's very often seen in reference to wireless networks, where it's the authentication piece of WPA/WPA2-Enterprise (WEP and WPA-Personal use a pre-shared key instead and don't involve 802.1X). There are three roles: your computer is the Supplicant; the switch or access point is the Authenticator; the RADIUS server behind it is the Authentication Server. The Supplicant talks to the Authenticator using EAP carried in EAPOL (EAP over LAN); the Authenticator relays the same EAP messages to the Authentication Server, normally inside RADIUS. Until the server returns a success, the Authenticator keeps the port closed to everything except EAPOL. Get familiar with the IEEE, who provides standards like this. And be familiar with LAN, WLAN, EAP, EAPOL, MD5, PKI, TLS and Man-in-the-Middle (MitM) attacks.

Flood Guards

These are controls that you set to prevent things like DoS, ping floods, SYN floods and MAC floods. You set rules on your firewall (or on your switch, for MAC floods) to stop other devices from overwhelming your network with bogus traffic (e.g., 150,000 requests per minute). Your network has only so many connection slots, so a flood will slow or cripple it. Get familiar with SYN: a SYN flood fills a server's table of half-open connections, and SYN cookies and connection-rate limits are the usual guards. The MAC-address limit in port security, above, is the guard against MAC flooding, which tries to fill the switch's CAM table so the switch falls back to sending every frame out every port. An internal loop (see the next item) can also create a flood.

Loop Protection

When you plug two unmanaged switches into each other with two cables, or a cable from a switch back into itself (accidentally, of course!), you create a Layer 2 loop. Ethernet frames have no TTL, so a broadcast frame circulates forever and multiplies at each pass. Switch 1 (S1) gets the frame and forwards it out all its other ports (let's say two) to Switch 2 (S2). S2 now gets 2 frames and sends those 2 out its 2 ports back to S1, which now receives 4, and so on until the number of frames (a broadcast storm) overwhelms the network and it slows down dramatically. It's a Layer 2 (Ethernet) event, though everything above it suffers. To protect from this, we have Spanning Tree and loop protection. In short, Spanning Tree finds redundant paths and blocks ports to break the loop, and loop-protect features watch for a port receiving a probe it sent itself and then disable that port. cf. HP ProCurve switches.

For a perfect example of how this can disable a network, see these articles about the network collapse of CareGroup in November 2002:

1. http://geekdoctor.blogspot.com/2008/03/caregroup-network-outage.html
2. http://www.computerworld.com/article/2581420/disaster-recovery/all-systems-down.html

Implicit Deny

Many devices come with this by default. Unless something has been explicitly allowed, it's implicitly denied. The configuration could look like this:

access-list 1 permit host 192.168.10.1

You'll notice that there's nothing to say "deny everything else." Because Implicit Deny is the default, you only have to state explicitly that the host 192.168.10.1 is allowed. Everything else, at this point, is denied.

It can be a pain, but going through the exercise of configuring something when starting from Implicit/Default Deny helps you understand ports, protocols, and your network much better.

Prevent Network Bridging by Network Separation

Network bridging is where one network can reach, and therefore see, another network's traffic. E.g., if you want to separate a guest wireless network from your real network, make a new VLAN on your switch and put the ports feeding the guest access points on that VLAN. The guest VLAN then needs its own path out: either a second internet feed, or (more commonly) the same uplink with the router or firewall configured to let the guest VLAN reach the internet but deny it any traffic into the internal VLAN. Otherwise, if you just try to hide your network from a guest WiFi that you've set up on your normal network (obfuscation, not separation), then anyone who knows that private internal addresses are 192.168.x.x, 172.16.x.x, or 10.x.x.x can use something like Angry IP Scanner to scan and start detecting the IP scheme and devices on your network.

Log Analysis

If you administer a network, you'll need to check your Event, System, Application, et al. logs to see what's taking place. A couple of free log analyzers are Splunk ( http://www.splunk.com/en_us/solutions/solution-areas/log-management.html ) and Log Parser (by Microsoft, though old). Search the internet for Security Event ID Cheat Sheet and you'll find lots of free resources to help you decipher log details.

Thanks for reading! Good luck with your next steps.
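Worked example for the Rule-based Management, Access Control Lists and Implicit Deny sections above. This is an added example, not code from the original post or from any vendor: a small evaluator for ordered, Cisco-style access lists. It implements wildcard-mask matching (0 bit = must match, 1 bit = don't care), first-match-wins evaluation, the implicit deny that catches everything else, and a check for rules that can never fire because a catch-all rule sits above them. The Rule class, the packet dictionaries and the sample ACLs (which mirror the text's "80, 443, 25 for everyone, SSH only from one admin host") are constructed for illustration.

```python
"""Added example: ordered ACL evaluation with wildcard masks and implicit deny.
All addresses and rule sets here are constructed for illustration."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMPLICIT_DENY: Tuple[str, Optional[int]] = ("deny", None)   # end of every ACL


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF                   # inverse of the wildcard = bits that must match
    return (a & care) == (n & care)


@dataclass
class Rule:
    seq: int                                 # sequence number; order of evaluation
    action: str                              # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"                  # 0.0.0.0 wildcard == "host": exact match
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"          # default: any destination
    proto: str = "ip"                        # "ip" matches tcp/udp/icmp alike
    dport: Optional[int] = None              # None == any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))


def evaluate(acl: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, seq of the matching rule); (deny, None) means implicit deny."""
    for rule in acl:                         # top-down, first match wins
        if rule.matches(pkt):
            return (rule.action, rule.seq)
    return IMPLICIT_DENY


def is_catch_all(rule: Rule) -> bool:
    return (rule.proto == "ip" and rule.dport is None
            and rule.src_wc == "255.255.255.255" and rule.dst_wc == "255.255.255.255")


def unreachable_after_catchall(acl: List[Rule]) -> List[int]:
    """Sequence numbers of rules below an 'any any' rule; they can never fire."""
    for i, rule in enumerate(acl):
        if is_catch_all(rule):
            return [r.seq for r in acl[i + 1:]]
    return []


# Constructed sample: web and mail allowed from the 192.168.146.0/23 range
# (wildcard 0.0.1.255), SSH only from the admin workstation, everything else
# falls through to the implicit deny.
SAMPLE_ACL = [
    Rule(10, "permit", "192.168.146.0", "0.0.1.255", proto="tcp", dport=80),
    Rule(20, "permit", "192.168.146.0", "0.0.1.255", proto="tcp", dport=443),
    Rule(30, "permit", "192.168.146.0", "0.0.1.255", proto="tcp", dport=25),
    Rule(40, "permit", "192.168.146.10", "0.0.0.0", proto="tcp", dport=22),
]

# The same list with a "deny any" inserted too early: rules 20-40 are dead.
MISORDERED_ACL = [SAMPLE_ACL[0], Rule(15, "deny", "0.0.0.0", "255.255.255.255")] + SAMPLE_ACL[1:]

# Constructed test packets (dst 10.0.0.5 stands in for a server).
PACKETS = [
    {"src": "192.168.147.200", "dst": "10.0.0.5", "proto": "tcp", "dport": 443},  # in range
    {"src": "192.168.148.1",   "dst": "10.0.0.5", "proto": "tcp", "dport": 443},  # out of range
    {"src": "192.168.146.10",  "dst": "10.0.0.5", "proto": "tcp", "dport": 22},   # admin SSH
    {"src": "192.168.146.11",  "dst": "10.0.0.5", "proto": "tcp", "dport": 22},   # non-admin SSH
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt["src"], pkt["dport"], "->", evaluate(SAMPLE_ACL, pkt))
    print("dead rules in misordered ACL:", unreachable_after_catchall(MISORDERED_ACL))
```

Run it and the 443 request from 192.168.147.200 is permitted by rule 20 (the /23 wildcard covers both .146 and .147), the one from 192.168.148.1 hits the implicit deny, and in the misordered list every packet after the first is swallowed by rule 15. The catch-all check is the kind of sanity test worth running before pushing any rule change.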
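Worked example for the Port Security and Flood Guards sections above. This is an added example, not from the original post or from Cisco: a model of how a port configured with "switchport port-security maximum 5" and "mac-address sticky" behaves under the three Cisco violation modes, and what happens when a MAC-flooding tool sends frames from hundreds of bogus source addresses. The SecurePort class, the MAC addresses and the mac_flood routine are constructed; the behaviour modelled (learn the first N sources, treat the (N+1)th as a violation, err-disable the port in shutdown mode) is what the configuration above produces.

```python
"""Added example: a port-security simulation (sticky MACs, violation modes,
MAC-flood resistance).  MAC addresses and port names are constructed."""

from dataclasses import dataclass, field
from typing import List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # Cisco default is 1 secure address per port
    violation: str = "shutdown"      # Cisco modes: protect | restrict | shutdown
    sticky: List[str] = field(default_factory=list)   # learned addresses kept in config
    status: str = "secure-up"
    violation_count: int = 0
    last_source: str = ""

    def receive(self, src_mac: str) -> bool:
        """Handle a frame arriving on the port; return True if it is forwarded."""
        if self.status == "err-disabled":
            return False                           # a shut port drops everything
        self.last_source = src_mac
        if src_mac in self.sticky:
            return True                            # already a secure address
        if len(self.sticky) < self.maximum:
            self.sticky.append(src_mac)            # sticky: learn it and keep it
            return True
        # unknown source beyond the limit: a security violation
        if self.violation != "protect":
            self.violation_count += 1              # protect mode drops silently
        if self.violation == "shutdown":
            self.status = "err-disabled"           # needs shutdown/no shutdown (or errdisable recovery)
        return False                               # all three modes drop the offending frame

    def running_config(self) -> List[str]:
        """The interface stanza the switch would show after sticky learning."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 " switchport port-security mac-address sticky"]
        lines += [f" switchport port-security mac-address sticky {m}" for m in self.sticky]
        return lines


def mac_flood(port: SecurePort, count: int = 1000) -> int:
    """Simulate a flooding tool sending <count> frames with distinct bogus source
    MACs (constructed as 0000.0000.xxxx); return how many the port forwarded."""
    forwarded = 0
    for i in range(count):
        if port.receive("0000.0000." + format(i, "04x")):
            forwarded += 1
    return forwarded


LEGIT_MACS = ["0011.2233.4455", "0011.2233.4466", "0011.2233.4477",
              "0011.2233.4488", "0011.2233.4499"]   # constructed workstation MACs

if __name__ == "__main__":
    port = SecurePort("FastEthernet3/12", maximum=5)
    for mac in LEGIT_MACS:
        port.receive(mac)
    print("\n".join(port.running_config()))
    port.receive("dead.beef.0001")                    # sixth address -> violation
    print(port.status, "violations:", port.violation_count)
```

Without a limit a flooding tool fills the CAM table and the switch starts broadcasting every frame; with "maximum 5" in shutdown mode the port is err-disabled after the sixth address and the attacker's 994 remaining frames go nowhere. Restrict mode keeps the port up but drops and counts the excess, which is the mode to choose if you want the alert without the outage.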
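Worked example for the 802.1x section above: the three-party exchange between Supplicant, Authenticator and Authentication Server. This is an added example, not from the original post or any vendor: the authenticator relays EAP between EAPOL (toward the supplicant) and RADIUS-style Access-Request/Access-Challenge/Access-Accept messages (toward the server), and only opens the port on an Accept. EAP-MD5 is used as the method because it is short enough to show in full; its response value, MD5(Identifier || password || challenge), follows RFC 3748 section 5.4. Everything runs in-process: the classes, the user database, identities and passwords are constructed, and no network, RADIUS library or real EAPOL framing is involved.

```python
"""Added example: an in-process 802.1X / EAP-MD5 exchange showing who sees what.
Users, passwords and message dictionaries are constructed; no network I/O."""

import hashlib
import os
from typing import Dict, List, Optional, Tuple


def eap_md5_response(eap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 3748 5.4: Response value = MD5(Identifier || shared secret || challenge)."""
    return hashlib.md5(bytes([eap_id & 0xFF]) + password.encode() + challenge).digest()


class AuthenticationServer:
    """The RADIUS server: holds the user database and per-user challenge state."""
    def __init__(self, users: Dict[str, str]):
        self.users = users                             # constructed: identity -> password
        self.pending: Dict[str, Tuple[int, bytes]] = {}

    def access_request(self, user_name: Optional[str], eap: dict) -> dict:
        if user_name not in self.users:
            return {"radius": "Access-Reject", "eap": {"code": "Failure"}}
        if eap["type"] == "identity":                  # step 2: issue an MD5 challenge
            eap_id = (eap["id"] + 1) & 0xFF
            challenge = os.urandom(16)
            self.pending[user_name] = (eap_id, challenge)
            return {"radius": "Access-Challenge",
                    "eap": {"code": "Request", "id": eap_id, "type": "md5", "data": challenge}}
        if eap["type"] == "md5" and user_name in self.pending:   # step 4: verify
            eap_id, challenge = self.pending.pop(user_name)
            expected = eap_md5_response(eap_id, self.users[user_name], challenge)
            if eap["id"] == eap_id and eap["data"] == expected:
                return {"radius": "Access-Accept", "eap": {"code": "Success"}}
        return {"radius": "Access-Reject", "eap": {"code": "Failure"}}


class Supplicant:
    """The client; answers EAP Requests received over EAPOL."""
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def respond(self, request: dict) -> dict:
        if request["type"] == "identity":
            return {"code": "Response", "id": request["id"], "type": "identity", "data": self.identity}
        if request["type"] == "md5":
            return {"code": "Response", "id": request["id"], "type": "md5",
                    "data": eap_md5_response(request["id"], self.password, request["data"])}
        raise ValueError("unsupported EAP method")


class Authenticator:
    """Switch port or access point.  Never sees a password: it relays EAP between
    EAPOL and RADIUS and opens the port only on Access-Accept."""
    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.port_authorized = False
        self.transcript: List[Tuple[str, str]] = []    # (link, message) for the reader

    def authenticate(self, supplicant: Supplicant) -> bool:
        self.port_authorized = False                   # controlled port closed; only EAPOL passes
        request = {"code": "Request", "id": 1, "type": "identity"}   # answer to EAPOL-Start
        user_name: Optional[str] = None
        while True:
            response = supplicant.respond(request)
            self.transcript.append(("EAPOL", response["type"]))
            if response["type"] == "identity":
                user_name = response["data"]           # becomes RADIUS User-Name
            reply = self.server.access_request(user_name, response)
            self.transcript.append(("RADIUS", reply["radius"]))
            if reply["radius"] == "Access-Challenge":
                request = reply["eap"]                 # relay next EAP Request unchanged
                continue
            self.port_authorized = reply["radius"] == "Access-Accept"
            return self.port_authorized


def offline_guess(eap_id: int, challenge: bytes, response: bytes, candidates: List[str]) -> Optional[str]:
    """Why EAP-MD5 is avoided on wireless: nothing encrypts the challenge/response
    pair, so anyone who sniffs it can test passwords offline, no MitM needed."""
    for pw in candidates:
        if eap_md5_response(eap_id, pw, challenge) == response:
            return pw
    return None


if __name__ == "__main__":
    server = AuthenticationServer({"alice": "correct horse"})       # constructed user
    nas = Authenticator(server)
    print("alice:", nas.authenticate(Supplicant("alice", "correct horse")), nas.transcript)
```

The transcript shows the point the section makes: the authenticator handles only EAPOL on one side and RADIUS on the other, and the credential check happens entirely on the authentication server. The offline_guess helper is the reason real deployments wrap the inner method in TLS (PEAP or EAP-TTLS) or use EAP-TLS with certificates instead of bare EAP-MD5.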
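Worked example for the Log Analysis section above: a small detector run over Windows Security event lines, the sort of check you would script after looking up event IDs on a cheat sheet (4625 is a failed logon, 4624 a successful one). This is an added example, not from the original post or from Splunk or Log Parser. The log lines, hosts, account names and addresses are constructed, and the flat CSV layout stands in for what a Log Parser query or a Splunk export might produce; it is not a raw .evtx. The rule flags a source that fails several times and then succeeds inside a short window, which is what a password-guessing attack that finally works looks like.

```python
"""Added example: detection logic over constructed Windows Security log lines.
Flags a successful logon that follows a burst of failures from the same source."""

import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Tuple

FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"

# Constructed sample: jdoe logs on normally; 172.16.3.13 (the "BadGuy" host
# from the ACL example) hammers the administrator account and then gets in.
SAMPLE_LOG = """\
timestamp,event_id,account,source_ip,logon_type
2015-03-09 08:00:01,4624,jdoe,192.168.10.23,2
2015-03-09 08:00:05,4625,administrator,172.16.3.13,3
2015-03-09 08:00:06,4625,administrator,172.16.3.13,3
2015-03-09 08:00:07,4625,administrator,172.16.3.13,3
2015-03-09 08:00:08,4625,administrator,172.16.3.13,3
2015-03-09 08:00:09,4625,administrator,172.16.3.13,3
2015-03-09 08:00:11,4624,administrator,172.16.3.13,3
2015-03-09 08:15:00,4625,jdoe,192.168.10.23,2
2015-03-09 08:30:00,4624,jdoe,192.168.10.23,2
"""


def parse(text: str) -> List[dict]:
    """Read the CSV export into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def failures_by_source(events: List[dict]) -> Dict[str, int]:
    """Count 4625s per source address: the first thing to eyeball."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            counts[e["source_ip"]] += 1
    return dict(counts)


def brute_force_successes(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, datetime]]:
    """Return (source_ip, account, time) for each 4624 preceded by at least
    `threshold` 4625s from the same source within `window`."""
    recent: Dict[str, deque] = defaultdict(deque)   # source_ip -> failure timestamps
    hits = []
    for e in sorted(events, key=lambda e: e["timestamp"]):
        src, ts = e["source_ip"], e["timestamp"]
        q = recent[src]
        while q and ts - q[0] > window:             # forget failures outside the window
            q.popleft()
        if e["event_id"] == FAILED_LOGON:
            q.append(ts)
        elif e["event_id"] == SUCCESS_LOGON and len(q) >= threshold:
            hits.append((src, e["account"], ts))
            q.clear()                               # one alert per burst
    return hits


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("failed logons by source:", failures_by_source(events))
    for src, account, ts in brute_force_successes(events):
        print(f"ALERT {ts}: {account} logged on from {src} after a burst of failures")
```

On the sample, jdoe's single typo at 08:15 is ignored, while 172.16.3.13 trips the rule at 08:00:11. Tune threshold and window to your environment; logon_type 3 (network) from an address that is not a known admin workstation is the kind of extra condition you would add next.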