# Compare and Contrast Types of Attacks
## General Attack Types
- Understanding attacker types and their motivations
- Footprinting -> reconnaissance from the outside: watching traffic and scanning to learn what the target exposes // Fingerprinting -> identifying exactly what is running (OS, device/system type, application on each port) as the step toward deeper attacks
- Both rely on enumeration: port scanning, OS identification, system types, application listening on each port
- Discover how the network and its security systems are configured
- Spoofing
- Any type of attack where the attacker disguises his or her identity
- DoS attacks
- Any attack that causes a service to become unavailable to users
- May be purely destructive or may allow attacker to spoof the legitimate service
## On-path Attacks
A specific type of spoofing attack that compromises the connection between two hosts. The attacker reads, and may alter, the data passing between them.
- Threat actor intercepts communication path
- "Man in the Middle (MitM)" -> don't use this term; it is now called **On-path attack**
- MAC spoofing and IP spoofing
- disguise identity
- circumvent ACL, or may impersonate a server
- arbitrarily change the address value in a packet
- ARP spoofing "ARP cache poisoning"
- common means of perpetrating an on-path attack
- may also be used as a DoS attack
- Broadcast unsolicited/gratuitous ARP replies
- usually attempting to masquerade as the MAC address of the default gateway
- Rogue DHCP
- Configure clients with malicious default gateway/DNS server IP
## DNS Poisoning Attacks
- Spoofing trusted hosts/sites (pharming)
- DoS -> direct all traffic for a FQDN to an invalid IP address (blackhole)
- Client-side attacks
- Change/intercept resolver traffic
- Modify HOSTS file
- Server-side attacks
- Compromise the name server and change its name records
- Pollute server cache
## VLAN Hopping Attacks
- send traffic to VLAN that would not normally be accessible
- exploits the native VLAN feature of 802.1Q (the native VLAN carries untagged traffic on a trunk, for compatibility with non-VLAN switches)
- Double tagging exploit against weakly configured native VLANs (802.1Q): outer tag matches the native VLAN and is stripped at the trunk, inner tag delivers the frame into the target VLAN
- Switch spoofing: masquerade as a trunk by negotiating trunking with the switch (e.g., DTP)
- mitigate by statically configuring which ports are trunks and disabling trunk autonegotiation on access ports
## Wireless Network Attacks
- Rogue access points
- not an authorized AP
- can be a phone with tethering capabilities
- Potential backdoor
- Risks from shadow IT
- Evil Twins
- rogue AP masquerading as a legit one
- Spoofs SSID and BSSID (MAC) of legitimate AP
- could harvest authentication info from clients and expand from there
- De-authentication attacks
- may be coupled with an evil twin to knock clients off the legitimate network so they reauthenticate to the rogue one
- Causes clients to disconnect from AP
- mitigate with MFP/802.11w
## DDoS Attacks and Botnets
- Co-ordinated attacks launched by multiple hosts simultaneously
- overwhelm bandwidth
- overwhelm processing resources (flood the state table)
- Distributed reflection DoS (DRDoS)
- spoofs the victim's IP address and attempts to open connections with multiple servers
- the servers direct their SYN/ACK responses to the victim, rapidly consuming its available bandwidth
- Amplification attack
- Spoof the victim's IP in small requests to services whose responses are much larger (e.g., DNS, NTP), so the victim is overwhelmed with responses
- Botnets
- group of compromised hosts used to perpetrate DDoS/DRDoS
- Handlers/herders vs bots
- Command and control (C&C/C2) network
## Malware and Ransomware Attacks
- malware classification by vector
- Viruses and worms
- Trojan -> malware disguised as, or bundled with, legitimate software; acts secretly once run
- Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)
- Malware classification by payload
- Spyware, rootkit, remote access trojan (RAT), ransomware, etc...
- Ransomware
- Spoof shell/dialogs/notifications
- Crypto-malware -> encrypts the victim's files and demands payment for the key
- WannaCry (2017 crypto-ransomware worm)
## Password Attacks
- Password capture
- Plaintext storage and transmission
- password hashes
- Password hash cracking
- Dictionary
- Brute force
- Protecting password hashes
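The difference between "password hash cracking" and "protecting password hashes" comes down to whether one precomputed table works against every stored hash. The following is an added example (not part of the original notes): the wordlist, user passwords and salts are constructed for illustration, the unsalted scheme is bare SHA-256, and the protected scheme is PBKDF2-HMAC-SHA256 with a per-user random salt. Iteration counts are kept low so the demo runs quickly; production deployments use far more.

```python
"""Dictionary attack against unsalted vs salted password hashes.

Added example, not from the original notes. The wordlist, user passwords
and salts are constructed for illustration; a real wordlist has millions
of entries and a production KDF uses far more iterations than the demo.
"""
import hashlib
import os

# Constructed wordlist of common passwords.
WORDLIST = ["password", "123456", "letmein", "Summer2023", "qwerty"]


def unsalted_hash(password):
    """Weak scheme: a bare, fast hash. Same password -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """Stronger scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The record stores salt and iteration count so the hash can be recomputed."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def build_lookup_table(wordlist):
    """Precompute hash -> password once; reusable against every unsalted hash."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(hashes, table):
    """Lookup attack: O(1) per hash after the one-off precomputation."""
    return {h: table[h] for h in hashes if h in table}


def crack_salted(record, wordlist):
    """Every record has its own salt, so each guess must be re-derived per user
    at the KDF's full cost; no shared table is possible."""
    salt_hex, iters, _ = record.split("$")
    salt, iters = bytes.fromhex(salt_hex), int(iters)
    for word in wordlist:
        if salted_hash(word, salt, iters) == record:
            return word
    return None


def demo(iterations=2_000):
    """Crack the same three users under both schemes. Returns what was recovered."""
    users = {"alice": "Summer2023", "bob": "letmein", "carol": "Tr0ub4dor&3"}
    # Unsalted: one table cracks everyone whose password is in the wordlist.
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    table = build_lookup_table(WORDLIST)
    hits = crack_unsalted(unsalted.values(), table)
    # Salted + slow: same wordlist, but the work is repeated per user at full
    # KDF cost, and a password outside the list is never found.
    salted = {u: salted_hash(p, os.urandom(16), iterations) for u, p in users.items()}
    return {
        "unsalted_cracked": {u: hits[h] for u, h in unsalted.items() if h in hits},
        "salted_cracked": {u: crack_salted(r, WORDLIST) for u, r in salted.items()},
    }


if __name__ == "__main__":
    print(demo())
```

Salting alone only defeats the shared table; the slow KDF is what makes the per-user dictionary run expensive. Neither helps carol's weak-but-unlisted password against a longer wordlist, which is why length/complexity requirements and hashing are complementary.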
## Human and Environmental Attacks
- Social engineering ("hacking the human")
- Reasons for effectiveness
- Phishing
- social engineering over email
- Often uses a spoofed resource such as a look-alike website
- Shoulder surfing
- Observing password/PIN entry
- Tailgating and piggybacking
- Gaining unauthorized entry to premises
# Apply Network hardening Techniques
## Device and Service Hardening
- Hardening means applying a secure configuration to each network host or appliance
- Change default passwords
- enforce password complexity/length requirements
- Configure role-based access
- Disable unneeded network services
- Disable insecure protocols
## Endpoint Security and Switchport Protection
- Disable unneeded switchports
- Restrict physical access / unplug the patch cord
- Administratively disable port
- Assign to blackhole VLAN
- Configure protection mechanisms
- MAC filtering and Dynamic ARP inspection
- DHCP snooping -> the switch inspects DHCP traffic arriving on access (untrusted) ports and builds a binding table of MAC/IP/port; client messages whose DHCP client hardware address does not match the frame's source MAC can be dropped, so a host cannot spoof its MAC
- Can also prevent rogue DHCP servers from operating
- with DHCP snooping, only DHCP server messages (offers/acks) from ports configured as trusted are allowed
- Neighbor Discovery (ND) inspection and Router Advertisement (RA) Guard
- Port security -> MAC limiting/filtering per switchport
- IEEE 802.1X Port-Based Network Access Control -> the port forwards traffic only after the host authenticates
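The ARP spoofing and rogue DHCP attacks from the on-path section and the DHCP snooping / Dynamic ARP Inspection controls listed here are two sides of the same binding table. The following is an added example, not from the original notes: it models a switch that polices DHCP server messages by port trust, learns client bindings from completed leases, and then checks ARP on untrusted ports against those bindings. Port names, MAC addresses and the packet sequence are constructed; the gateway's static entry stands in for what a real switch would configure as an ARP ACL.

```python
"""DHCP snooping and Dynamic ARP Inspection (DAI) as a switch would apply them.

Added example, not from the original notes. Port names, MAC addresses and
the packet sequence below are constructed for illustration; the model is a
simplification of what a real switch does (e.g. the gateway's static entry
stands in for an ARP ACL).
"""
from dataclasses import dataclass


@dataclass
class Dhcp:
    port: str
    kind: str          # DISCOVER, OFFER, REQUEST or ACK
    chaddr: str        # client hardware address inside the DHCP payload
    src_mac: str       # Ethernet source MAC of the frame carrying it
    yiaddr: str = ""   # address being offered/assigned (OFFER/ACK only)


@dataclass
class Arp:
    port: str
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str


SERVER_MSGS = {"OFFER", "ACK"}


class SnoopingSwitch:
    def __init__(self, trusted_ports, static_bindings=None):
        self.trusted = set(trusted_ports)            # uplinks to the real DHCP server
        # ip -> (mac, port); statics (e.g. the gateway) stand in for an ARP ACL
        self.bindings = dict(static_bindings or {})
        self.pending = {}                            # chaddr -> access port that asked
        self.dropped = []                            # (reason, packet)

    def _drop(self, reason, pkt):
        self.dropped.append((reason, pkt))
        return False

    def dhcp(self, pkt):
        """DHCP snooping: police server messages and learn client bindings."""
        if pkt.kind in SERVER_MSGS:
            if pkt.port not in self.trusted:
                return self._drop("rogue DHCP server on untrusted port", pkt)
            if pkt.kind == "ACK" and pkt.chaddr in self.pending:
                self.bindings[pkt.yiaddr] = (pkt.chaddr, self.pending[pkt.chaddr])
            return True
        # Client message on an untrusted port: chaddr must match the frame's MAC
        if pkt.port not in self.trusted and pkt.chaddr != pkt.src_mac:
            return self._drop("DHCP chaddr does not match frame source MAC", pkt)
        self.pending[pkt.chaddr] = pkt.port
        return True

    def arp(self, pkt):
        """DAI: ARP from untrusted ports must agree with the binding table."""
        if pkt.port in self.trusted:
            return True
        bound = self.bindings.get(pkt.sender_ip)
        if bound is None or bound != (pkt.sender_mac, pkt.port):
            return self._drop("ARP sender IP/MAC not in binding table", pkt)
        return True


def run_demo():
    gw_mac, host, rogue = "00:00:5e:00:01:01", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:03"
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"},
                        static_bindings={"192.168.1.1": (gw_mac, "Gi0/24")})
    traffic = [                                                      # constructed sequence
        Dhcp("Gi0/1", "DISCOVER", host, host),                       # legit client
        Dhcp("Gi0/3", "OFFER", host, rogue, "192.168.1.200"),       # rogue DHCP server
        Dhcp("Gi0/24", "OFFER", host, gw_mac, "192.168.1.50"),       # real server, trusted port
        Dhcp("Gi0/1", "REQUEST", host, host),
        Dhcp("Gi0/24", "ACK", host, gw_mac, "192.168.1.50"),         # binding learned here
        Dhcp("Gi0/3", "DISCOVER", host, rogue),                      # MAC spoof attempt
        Arp("Gi0/1", "request", host, "192.168.1.50"),               # legit ARP
        Arp("Gi0/3", "reply", rogue, "192.168.1.1"),                 # gratuitous "I am the gateway"
        Arp("Gi0/24", "reply", gw_mac, "192.168.1.1"),               # real gateway, trusted port
    ]
    allowed = sum(sw.dhcp(p) if isinstance(p, Dhcp) else sw.arp(p) for p in traffic)
    return {"bindings": sw.bindings, "allowed": allowed,
            "dropped": [reason for reason, _ in sw.dropped]}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The gratuitous reply claiming the gateway's IP is what ARP cache poisoning relies on; it fails here because the binding table says that IP belongs to a different MAC on a different port. Note the consequence of trust: anything arriving on a trusted port bypasses both checks, so trusted ports must be limited to genuine uplinks.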
## VLAN and PVLAN Best Practices (L2)
- Private VLAN (PVLAN)
- Further segments traffic within a host (primary) VLAN
- Promiscuous, isolated, and community ports
- Default VLAN and native VLAN
- VLAN ID: 1 is default VLAN
- Native VLAN contains any untagged traffic on trunks
- Native VLAN is also VLAN 1 by default
- can and should change this
- should not have the same VID as any VLAN used for data traffic
- Change to unique value on both ends of trunk
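Why the native VLAN must be unique is easiest to see on the wire. The following is an added example, not from the original notes, covering both the double-tagging attack from the VLAN hopping section and the native VLAN best practice here: it builds raw Ethernet frames with stacked 802.1Q tags and models two switches joined by a trunk. The switch behaviour is a simplified model and an assumption: the access port accepts a tagged frame only when its outer VID equals the port's access VLAN, and the trunk sends the native VLAN untagged. MAC addresses and payload are constructed.

```python
"""802.1Q double tagging: why the native VLAN matters.

Added example, not from the original notes. Simplified switch model:
an access port accepts a tagged frame only if the outer VID is its
access VLAN (assumption); the trunk sends the native VLAN untagged,
which is the behaviour the attack needs. MACs and payload are constructed.
"""
import struct

TPID = 0x8100                     # EtherType that announces an 802.1Q tag
ATTACKER_MAC = b"\x02\x00\x00\x00\x00\x01"
BROADCAST = b"\xff" * 6


def tag(vid, pcp=0):
    """4-byte 802.1Q tag: TPID + TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    return struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame with zero or more stacked tags, outermost first."""
    return dst + src + b"".join(tag(v) for v in vids) + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VIDs outermost first, offset of the payload EtherType)."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids, off


def access_port_ingress(frame, access_vlan):
    """Switch 1, access port. Untagged -> access_vlan. Tagged -> accepted only if
    the outer VID is the access VLAN; that outer tag is consumed, any inner tag
    stays in the frame. Returns (vlan, frame) or None when dropped."""
    vids, _ = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] != access_vlan:
        return None
    return access_vlan, frame[:12] + frame[16:]


def trunk_egress(vlan, frame, native_vlan):
    """Switch 1 -> trunk. Native VLAN leaves untagged; everything else gets a tag."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + tag(vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Switch 2 <- trunk. The outer tag selects the VLAN; untagged means native."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def double_tag_attack(attacker_vlan, target_vlan, native_vlan):
    """Attacker on an access port in attacker_vlan sends outer=attacker_vlan,
    inner=target_vlan. Returns the VLAN switch 2 delivers the frame into."""
    frame = build_frame(BROADCAST, ATTACKER_MAC, [attacker_vlan, target_vlan],
                        0x0800, b"constructed payload")
    accepted = access_port_ingress(frame, attacker_vlan)
    if accepted is None:
        return None
    vlan, frame = accepted
    return trunk_ingress(trunk_egress(vlan, frame, native_vlan), native_vlan)


if __name__ == "__main__":
    # Weak: access ports live in VLAN 1 and the trunk's native VLAN is also 1.
    print("native=1   -> delivered into VLAN", double_tag_attack(1, 20, 1))    # 20: hop succeeds
    # Hardened: native VLAN moved to an unused ID on both trunk ends.
    print("native=999 -> delivered into VLAN", double_tag_attack(1, 20, 999))  # 1: stays put
```

The hop works only because the attacker's VLAN is the native VLAN: switch 1 strips the outer tag and sends the frame untagged, so the inner tag is the first thing switch 2 sees. Moving the native VLAN to an ID no access port uses means the frame leaves the trunk with the attacker's own tag on the outside and lands back in the attacker's VLAN. The same reasoning is why the native VLAN must match on both ends of a trunk: a mismatch silently bridges two VLANs.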
## Firewall Rules and ACL Configuration
- Network ACL
- Top-to-bottom
- Default block (implicit deny) -> typically if traffic doesn't match a rule it is blocked by default
- explicit deny -> typically added to the end of the ACL
- Tuples
- iptables
- chains (INPUT, OUTPUT, and FORWARD)
- INPUT -> affects incoming connections (match source IP address and destination port to a rule in the INPUT chain)
- OUTPUT -> for outgoing connections (e.g., when pinging an FQDN, rules regarding ping and comptia.org, or the IP address it resolves to, are checked before the attempt is allowed/denied)
- FORWARD -> connections passing through the host rather than being delivered locally, for example when the host is configured as a network firewall
- stateful rules
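Top-to-bottom processing with an implicit deny means rule order is part of the policy. The following is an added example, not from the original notes: it evaluates a list of rule tuples (action, protocol, source network, destination port) in order, returns the first match, and falls back to deny when nothing matches, which is the model an iptables INPUT chain or a router ACL follows. The sample ACL and test packets are constructed; the explicit deny-all at the bottom mirrors the convention the notes mention, making the drop visible rather than silent.

```python
"""First-match, top-to-bottom ACL evaluation with implicit deny.

Added example, not from the original notes. Rule tuples mirror the fields
an iptables INPUT rule or a router ACL matches on. The ACL and packets
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network in CIDR, "0.0.0.0/0" = any
    dport: Optional[int]  # destination port, None = any

    def matches(self, proto, src_ip, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(acl, proto, src_ip, dport=None):
    """Walk the ACL top to bottom; the first matching rule wins.
    Returns (action, index) where index is the matching rule's position,
    or ("deny", None) for the implicit deny when no rule matched."""
    for i, rule in enumerate(acl):
        if rule.matches(proto, src_ip, dport):
            return rule.action, i
    return "deny", None


# Constructed ACL for a host that offers SSH only to the management subnet
# and HTTPS to everyone. The explicit deny-all as the last line makes drops
# visible and countable instead of relying on the silent implicit deny.
ACL = [
    Rule("allow", "tcp", "10.10.0.0/24", 22),    # 0: SSH from the mgmt subnet
    Rule("deny", "tcp", "0.0.0.0/0", 22),        # 1: SSH from anywhere else
    Rule("allow", "tcp", "0.0.0.0/0", 443),      # 2: HTTPS from anywhere
    Rule("allow", "icmp", "10.0.0.0/8", None),   # 3: ping from internal ranges
    Rule("deny", "any", "0.0.0.0/0", None),      # 4: explicit deny (end of ACL)
]


def ordering_matters():
    """Swap rules 0 and 1: the broad SSH deny now shadows the mgmt allow.
    Returns the verdict for a mgmt-subnet SSH packet under each ordering."""
    swapped = [ACL[1], ACL[0]] + ACL[2:]
    pkt = ("tcp", "10.10.0.5", 22)
    return evaluate(ACL, *pkt), evaluate(swapped, *pkt)


if __name__ == "__main__":
    for pkt in [("tcp", "10.10.0.5", 22), ("tcp", "203.0.113.9", 22),
                ("tcp", "203.0.113.9", 443), ("icmp", "10.2.3.4", None),
                ("udp", "203.0.113.9", 53)]:
        print(pkt, "->", evaluate(ACL, *pkt))
    print("without the explicit deny:", evaluate(ACL[:-1], "udp", "203.0.113.9", 53))
    print("original vs swapped order:", ordering_matters())
```

Two things to take from running it: a packet that matches nothing is still denied even when the explicit deny line is removed (that is the implicit deny), and swapping the two SSH rules locks the management subnet out, because the first match decides and later rules are never consulted.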
## Control Plane Policing
- Control, data, and management planes
- Control and management require CPU resources
- Control and management must always be kept "open"
- Sufficient bandwidth
- Sufficient processing resource
- Control plane policing policy
- Mitigate route processor vulnerabilities
- ACL-based filters
- Rate-limiting
## Wireless Security
- Pre-shared keys (PSKs)
- Extensible authentication protocol (EAP)
- Captive portal
- MAC filtering
- Geofencing -> verify that the station is within a valid geographical location, e.g. the connecting device is inside the building
- Antenna placement and power levels
- Wireless client isolation
- guest network isolation
## IoT Access Considerations
- audits to prevent use of shadow IT
- Secure administration interfaces
- Include IoT in patch and vulnerability management
- Isolate management and monitoring traffic for embedded systems
- Audit supplier security policies and procedures regularly
## Patch and Firmware Management
- Monitor security and patch advisories
- Appliance firmware updates vs OS patches
- Firmware upgrade procedure
- Downgrading/rollback firmware
- Configuration backup