# Compare and Contrast Security Appliances

## Network Segmentation Enforcement
------------------

- Applied with a combination of VLANs (layer 2) and IP subnets (layer 3)
- Each VLAN is a separate broadcast domain; traffic between segments has to cross a router or firewall, which is where filtering can be enforced

## Screened Subnets
-------------------------------------

- Different security configurations for the public and private gateways
- Screening firewall on the public interface, choke firewall on the internal interface -> the perimeter network (DMZ) sits between them
- Uses 2 firewalls located on either side of the perimeter network zone
  - Edge firewall restricts traffic on the external/public interface
    - Also allows permitted traffic to hosts in the perimeter zone subnet
    - Also referred to as the screening firewall
  - Internal firewall filters communications between hosts in the perimeter and hosts on the LAN
    - Also referred to as the choke firewall
    - Purposely narrow gateway that facilitates better access control and easier monitoring
- Triple-homed firewall configuration: the alternative design, where a single firewall with three interfaces (public, perimeter/DMZ, private) provides the same three zones with one device instead of two

![[Pasted image 20230601074351.png]]

## Firewall Uses and Types
-------------------------------

The basic function of a firewall is traffic filtering. It processes traffic according to rules; traffic not matching a rule that allows access is blocked.

There are many types of firewalls and many ways of implementing one. One distinction can be made between firewalls that protect a whole network (placed inline in the network and inspecting all traffic that passes through) and firewalls that protect a single host only (installed on the host and inspecting only traffic addressed to that host).

#### Packet Filtering Firewalls
----

- Access control list (ACL) with accept or deny rules
- **Layer 3** (+ TCP/UDP port) ONLY: IP source/destination, IP protocol type, source/destination port
- Rules are based on IP packet headers
  - IP filtering -> accepting or denying traffic based on its source and/or destination IP address
  - Protocol ID/type -> TCP, UDP, ICMP, routing protocol, etc.
  - Port filtering/security -> accepting or denying a packet based on source and destination port numbers (TCP or UDP application type)
- ACLs might be designed to control only inbound, or both inbound and outbound, traffic
  - Referred to as ingress and egress traffic filtering
- STATELESS firewall
  - Does not preserve information about the connection between 2 hosts; every packet is judged on its own headers
  - Least processing effort
  - Vulnerable to an attack spread over a sequence of packets, and cannot tell a reply from an unsolicited packet: to let return traffic in, the rules have to open the whole ephemeral port range

#### Stateful Inspection Firewalls
----

- **Layer 4**: monitors connection state (TCP handshake, established, teardown)
- Maintains stateful information about the session established between 2 hosts
  - Information is stored in a dynamically updated state table
  - Described as operating at Layer 4 or at Layer 5 (session), since it tracks the session between the hosts
- When a packet arrives the firewall checks whether it belongs to an existing connection
  - If not, it applies ordinary packet filtering rules to determine whether the new connection is allowed
  - Once a connection is allowed, later packets in that connection are matched against the state table and passed without re-checking the rule set, to conserve processing effort; reply traffic gets in only because a matching entry exists
- Layer 7 -> web application firewall (WAF): inspects application protocol packet contents (e.g. HTTP requests) rather than just headers and connection state

## Firewall Selection and Placement
---------------------

- Consider how a firewall is implemented (hardware or software, for instance) to suit a given placement or use on the network
  - Some types are better for network or segment borders; others are designed to protect individual hosts
  - The choice also depends on the amount of traffic it has to process: a single firewall can become a network bottleneck
- Appliance firewall: stand-alone hardware firewall that performs only firewall functions
- Router firewall: functionality is built into the router firmware
  - Most SOHO router/modems have this type of firewall functionality

## Proxy Servers
-----------------------------------------

A proxy server forwards requests and responses on behalf of its clients.
Rather than inspecting traffic as it passes through, the proxy deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on, provided it conforms to the rules. Proxies are placed in a perimeter network.

#### Forward Proxies
----

A forward proxy server provides for protocol-specific outbound traffic. Some proxy servers are application specific; others are multipurpose. A multipurpose one is configured with filters for multiple protocol types, such as HTTP, FTP, and SMTP.

The main benefit of a proxy server is that clients connect to a specified point within the perimeter network for web access.

- Provides a degree of traffic management and security
- Can provide a caching engine, where frequently requested web pages are retained on the proxy, negating the need to re-fetch those pages for subsequent requests

Proxy servers can generally be classed as non-transparent or transparent. A non-transparent proxy means that the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080. A transparent (or "forced" or "intercepting") proxy intercepts client traffic without the client having to be reconfigured. A transparent proxy must be implemented on a switch or router or other inline network appliance.

<u>NON-TRANSPARENT -> CLIENT NEEDS TO BE CONFIGURED</u>
<u>TRANSPARENT -> INLINE ON THE NETWORK</u>

#### Reverse Proxies
----

A reverse proxy server provides for protocol-specific inbound traffic. For security purposes, it is inadvisable to place application servers, such as messaging and VoIP servers, in the perimeter network, where they are directly exposed to the Internet. Instead, you can deploy a reverse proxy and configure it to listen for client requests from a public network (the Internet) and create the appropriate request to the internal server on the corporate network.
Reverse proxies can publish applications from the corporate network to the Internet in this way. **In addition, some reverse proxy servers can handle the encryption/decryption and authentication issues that arise when remote users attempt to connect to corporate servers**, reducing the overhead on those servers. Typical applications for reverse proxy servers include publishing a web server, publishing messaging or conferencing applications, and enabling POP/IMAP mail retrieval.

## Network Address Translation (NAT)
-------------------

Devised as a way of freeing up scarce public IP addresses for hosts needing Internet access. NAT is a service translating between a private (or local) addressing scheme and a public IP address.

- Configured on a border device, such as a router, proxy server, or firewall
- NOT a security mechanism: hiding internal addresses is a side effect, not access control; filtering remains the firewall's job

In a basic static NAT configuration, a simple 1:1 mapping is made between a private IP and a public IP. A single static mapping is not very useful in most scenarios.

Under dynamic NAT, the NAT device exposes a pool of public IP addresses. To support inbound and outbound connections between the private network and the Internet, the NAT service builds a table of public-to-private address mappings. Each new session creates a new public-private address binding in the table. When the session ends or times out, the binding is released for use by another host.

## Port Address Translation (PAT)
------------------------

Basic NAT supports multiple simultaneous connections but is still limited by the number of available public IP addresses. Smaller companies may only be allocated a single address or a small block of addresses by their ISPs. In such cases, a means for multiple private IP addresses to be mapped onto a single public address is needed. This function is provided by Port Address Translation (PAT), also referred to as Network Address Port Translation (NAPT), NAT overloading, or one-to-many NAT.
![[Pasted image 20230601081920.png]]

PAT works by allocating each new connection an ephemeral TCP or UDP port. For example, say two hosts (10.0.0.101 and 10.0.0.102) initiate a web connection at the same time. The PAT service creates two new port mappings for these requests (10.0.0.101:61101 and 10.0.0.102:61102) in its state table. It then replaces the private source IP with the public IP and forwards the requests to the public Internet. It performs a reverse mapping on any traffic returned to those ports, inserting the original IP address and port number, and forwarding the packets to the internal hosts.

## Defense in Depth
--------------------------------------

- Firewalls, screened subnets, and proxy servers try to establish a secure barrier at the network edge (perimeter security)
- Defense in depth goes further: security controls are placed throughout the network, not only at the edge

The proliferation of mobile devices with wireless or cellular data access and cloud services, plus better recognition of insider threats and vulnerabilities to malware, has eroded confidence in a solely perimeter-based security model. Network security design must address the concept of defense in depth. This refers to placing security controls throughout the network, so that all access attempts are authenticated, authorized, and audited.

Some examples of security controls that provide defense in depth in addition to network segmentation and screened subnets include Network Access Control, honeypots, separation of duties, and intrusion detection.
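Returning to the two state tables described above (the stateful inspection firewall and PAT), here is an added worked example; it is not part of the original notes. It models a gateway with a single public IP that checks new outbound connections against a stateless ACL, records each allowed connection in a state table with a fresh ephemeral port, and admits inbound packets only when they reverse-map to an existing entry. The class and function names, the rule set, and all addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) are assumptions made for the example.

```python
"""Added example (not from the source notes): a toy stateful PAT gateway.
New outbound connections are checked against a stateless ACL, allowed ones get
a state-table entry with a fresh ephemeral port, and inbound packets pass only
if they reverse-map to an existing entry. All addresses are constructed
(203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class AclRule:
    """One packet-filter rule: header fields only, no connection context."""
    action: str                       # "allow" or "deny"
    proto: Optional[str] = None       # None matches any protocol
    dst_port: Optional[int] = None    # None matches any destination port
    src_prefix: Optional[str] = None  # e.g. "10.0.0." (string-prefix match)

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.src_prefix is None or pkt.src_ip.startswith(self.src_prefix)))

def stateless_filter(rules: List[AclRule], pkt: Packet) -> str:
    """Stateless packet filter: first matching rule wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

Flow = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)

class StatefulPatGateway:
    """One public IP; egress ACL for new flows; state table for everything else."""

    def __init__(self, public_ip: str, rules: List[AclRule], first_port: int = 61101):
        self.public_ip = public_ip
        self.rules = rules
        self.next_port = first_port
        self.by_flow: Dict[Flow, int] = {}              # private flow -> public port
        self.by_port: Dict[Tuple[str, int], Flow] = {}  # (proto, public port) -> flow

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private -> public. Returns the translated packet, or None if dropped."""
        flow: Flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            # New connection: the only point at which the ACL is consulted.
            if stateless_filter(self.rules, pkt) != "allow":
                return None
            pub_port = self.next_port  # allocate the next ephemeral port
            self.next_port += 1
            self.by_flow[flow] = pub_port
            self.by_port[(pkt.proto, pub_port)] = flow
        # Rewrite the source so the Internet side only ever sees the public IP.
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private. Only replies matching an existing state entry pass."""
        flow = self.by_port.get((pkt.proto, pkt.dst_port))
        if flow is None:
            return None  # no state entry: unsolicited, dropped
        proto, priv_ip, priv_port, peer_ip, peer_port = flow
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # right port, wrong peer: still dropped
        # Reverse mapping: restore the original private destination.
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, proto)

def demo():
    """Two LAN hosts open HTTPS at once; then a reply, a probe and a telnet attempt."""
    rules = [AclRule("allow", proto="tcp", dst_port=443, src_prefix="10.0.0."),
             AclRule("allow", proto="tcp", dst_port=80, src_prefix="10.0.0."),
             AclRule("deny")]
    gw = StatefulPatGateway("203.0.113.10", rules)
    web = "198.51.100.7"
    a = gw.outbound(Packet("10.0.0.101", 50001, web, 443))  # -> 203.0.113.10:61101
    b = gw.outbound(Packet("10.0.0.102", 50002, web, 443))  # -> 203.0.113.10:61102
    reply_a = gw.inbound(Packet(web, 443, "203.0.113.10", 61101))  # -> 10.0.0.101:50001
    probe = gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 61101))  # dropped
    telnet = gw.outbound(Packet("10.0.0.101", 50003, web, 23))  # denied by the ACL
    # The same reply judged by the egress ACL alone: a stateless filter cannot know
    # 61101 is a reply port, so it either denies this or must open the whole range.
    stateless_verdict = stateless_filter(rules, Packet(web, 443, "203.0.113.10", 61101))
    return a, b, reply_a, probe, telnet, stateless_verdict

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Compare `stateless_verdict` with `reply_a`: the egress ACL alone denies the legitimate HTTPS reply, which is why a stateless filter has to open the whole ephemeral port range (and with it the door to unsolicited traffic), while the state table lets the reply through and still drops the probe aimed at the same port from a different peer. The address rewriting hides 10.0.0.101 from the Internet, but as the NAT section says that is not the security mechanism; the ACL and the state lookup are.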
#### Network Access Control (NAC)
----

System for authenticating endpoints at the point they connect to the network

- Uses the 802.1X port-based authentication mechanism: the switch port passes only authentication traffic until the endpoint proves its identity
- Related switch port security feature: lock down a port to a MAC address (limits which devices can use the port, but a MAC address is easily spoofed, so on its own this is not authentication)
- Basic NAC can authenticate a client on the basis of machine certificates and/or passwords
- More advanced solutions can enforce a health policy
  - A report proves that the client is running an authorized OS and has up-to-date patches and security scanner configuration
- NAC is enforced at the switch port (exam shorthand: NAC = PORT SECURITY)

#### Honeypots
----

A computer system set up to attract attackers, with the intention of analyzing attack strategies and tools, providing early warning of attack attempts, or possibly acting as a decoy to divert attention from actual computer systems. Can also be used to detect internal fraud, snooping, and malpractice.

A honeynet is an entire decoy network. It can be set up as an actual network or simulated by an emulator.

On a production network, a honeypot is more likely to be located in a protected but untrusted area between the Internet and the private network, or on a closely monitored and filtered segment within the private network itself. This provides early warning and evidence of whether a threat actor has been able to penetrate to a given security zone.

#### Separation of Duties
----

A means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by **insider** threats. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
## Intrusion Detection and Prevention Systems
----------

- Intrusion detection system (IDS)
  - Sniffs traffic (from a mirror/SPAN port or a tap) to match signatures of suspicious packets/flows
  - Passive detection: ONLY DETECTS and alerts, never blocks
  - Often run first in a monitoring/learning mode to establish what normal traffic looks like and tune out false positives; once the rule set is trusted you can "flip a switch" and run it as an IPS
- Intrusion prevention system (IPS)
  - Sits inline, so it can block or drop traffic when a rule matches
  - Typically deployed at the network edge, behind the firewall
  - Standalone appliance vs integrated with the firewall

# Troubleshoot Service and Security Issues

## DHCP Issues
------------------------------------------

- Server scope and exhaustion issues
  - Server offline
  - Address pool exhausted
  - No DHCP relay (clients on a subnet without a local DHCP server never reach it)
- Scopes reconfigured
  - Clients may be holding an "expired" configuration from the old scope
- Rogue DHCP server issues
  - Accidental deployment (e.g. a consumer router plugged into the LAN)
  - Malicious: the attacker's server could hand out a default gateway and/or DNS resolver address for the subnet pointing at his or her machine, routing the subnet's communications via it
  - Clients have no preferred DHCP server: they accept the first offer received, so with 2 servers on the network clients could end up with a bad IP configuration

## Name Resolution Issues
-------------------------------

- Name resolution methods
  - Verify the name resolution sequence (the HOSTS file is consulted before DNS)
  - Test services with HOSTS entries
  - Check the client's DNS server address configuration
- Check server availability
- DNS configuration issues
  - Suspect a name resolution problem when a link test by IP address works but the same test by name fails
- Establish the scope of the problem: single client? subnet?
- Verify client configuration
  - DNS server and suffix
  - Static assignment or DHCP
- Use lookup tools (nslookup, dig) to verify resource records on the DNS server

## VLAN Assignment Issues
-----------------------------

- Check configuration on the switch
- Check VLAN membership (port assignment, trunk tagging)
- Check services available to the VLAN
  - Routing
  - DHCP/DHCP relay/IP helper
  - DNS
  - Authentication/network applications

## Unresponsive Service and Network Performance
-----

- Verify scope: is it a client or a server problem?
- Application/OS crash
- Hardware overutilization
- Network congestion
- Broadcast storm
- Denial of service (DoS)

## Misconfigured Firewall and ACL Issues
----------------

- Authorized application blocked
  - Blocked TCP or UDP port
  - Blocked IP address or network
  - Test from inside and from outside the firewall to establish which side the block is on
  - Inspect the firewall log for drops matching the application's ports and addresses
- Unauthorized application not blocked (a rule is too permissive, or an allow is ordered above the deny)

## Untrusted Certificate Issues
--------------------------

- There must be a trust relationship with the server's CA
  - Check the root certificates store
  - Apps may use a separate trust store (some browsers and Java keystores, for example)
- Self-signed certificates
- Subject name and key usage issues
- Expired or revoked certificates (or CA certificates)
- Time sync (NTP): a wrong clock makes valid certificates appear not yet valid or expired

## Other Common Issues
---------------------------------

- NTP issues
  - Verify accurate time synchronization
- Bring your own device (BYOD) challenges
  - Compatibility support for a wide range of employee-selected devices
  - Security issues
  - Enterprise Mobility Management (EMM) and corporate workspaces
- Licensed feature issues
  - Expiry of trial periods
  - Activation failure
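For the "Misconfigured Firewall and ACL Issues" section above, the firewall log is the fastest way to tell the two failure modes apart. The following is an added example, not part of the original notes: it reads constructed log lines written in the style of the Linux netfilter LOG target and reports drops of services the policy should permit (authorized application blocked) and accepts of services it should not (unauthorized application not blocked). The `FW-DROP:`/`FW-ACCEPT:` prefixes are assumed log-prefix values, `eth0` is assumed to be the external interface, and the allowed-service set is an assumed policy.

```python
"""Added example (not from the source notes): triage of firewall log lines.
Separates "authorized application blocked" (DROP of a service the policy is
supposed to permit) from "unauthorized application not blocked" (ACCEPT of a
service it should not). The log lines are constructed in the style of the Linux
netfilter LOG target; FW-DROP:/FW-ACCEPT: are assumed --log-prefix values and
eth0 is assumed to be the external interface."""
import re
from collections import Counter
from typing import Dict, Optional, Set, Tuple

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
Jun  1 07:43:51 gw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Jun  1 07:43:52 gw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Jun  1 07:43:53 gw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.8 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40000 DPT=23 SYN
Jun  1 07:43:54 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.101 DST=198.51.100.7 LEN=71 PROTO=UDP SPT=61101 DPT=53
Jun  1 07:43:55 gw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN
Jun  1 07:43:56 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jun  1 07:43:57 gw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.20 LEN=60 PROTO=TCP SPT=51236 DPT=443 SYN
"""

# Services the policy is supposed to permit, as (proto, dport). Assumed policy.
EXPECTED_ALLOWED: Set[Tuple[str, int]] = {("TCP", 80), ("TCP", 443), ("UDP", 53)}

LINE_RE = re.compile(r"FW-(?P<verdict>DROP|ACCEPT): (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # \S* so an empty OUT= still parses

def parse_line(line: str) -> Optional[Dict]:
    """Pull the verdict and the KEY=VALUE fields out of one line; None if unusable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    if "SPT" not in f or "DPT" not in f:
        return None  # ICMP and other port-less lines are skipped
    return {"verdict": m.group("verdict"), "in": f.get("IN", ""), "out": f.get("OUT", ""),
            "src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"],
            "sport": int(f["SPT"]), "dport": int(f["DPT"])}

def triage(log_text: str, expected_allowed: Set[Tuple[str, int]],
           external_if: str = "eth0") -> Tuple[Counter, Counter]:
    """Return two counters keyed by (direction, proto, dport, src, dst)."""
    blocked_authorized: Counter = Counter()     # should have passed, was dropped
    unblocked_unauthorized: Counter = Counter() # should have been dropped, passed
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        service = (ev["proto"], ev["dport"])
        direction = "inbound" if ev["in"] == external_if else "outbound"
        key = (direction, ev["proto"], ev["dport"], ev["src"], ev["dst"])
        if ev["verdict"] == "DROP" and service in expected_allowed:
            blocked_authorized[key] += 1
        elif ev["verdict"] == "ACCEPT" and service not in expected_allowed:
            unblocked_unauthorized[key] += 1
    return blocked_authorized, unblocked_unauthorized

if __name__ == "__main__":
    blocked, unblocked = triage(SAMPLE_LOG, EXPECTED_ALLOWED)
    print("Authorized traffic being dropped (check rule order, port, address):")
    for key, n in blocked.most_common():
        print(f"  {n:3d}x {key}")
    print("Unauthorized traffic being accepted (rule too permissive):")
    for key, n in unblocked.most_common():
        print(f"  {n:3d}x {key}")
```

On the sample, the repeated inbound drops to TCP/443 from one source point at a blocked port or address on the public side, the single outbound UDP/53 drop points at an egress rule blocking the resolver, and the accepted TCP/23 connection is the kind of over-permissive rule the "unauthorized application not blocked" bullet describes. Testing from inside and outside the firewall, as the notes suggest, tells you which interface's rule set to fix.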