# Implement Secure Network Designs

![[Pasted image 20230630093944.png]]
![[Pasted image 20230630093954.png]]

## Network Segmentation

![[Pasted image 20230630094611.png]]
![[Pasted image 20230630094631.png|700]]
![[Pasted image 20230630094850.png]]

## Screened Host

- Screened host
    - Local network screened by a firewall
- "SOHO DMZ"
    - SOHO router config option
    - Host configured to accept connections from the internet

![[Pasted image 20230630094948.png]]

## Implications of IPv6

- Enabled by default -> config issues
    - Risks of unmanaged configurations
    - IPv6-specific attack vectors
- Map IPv6 address space to appropriate security zones
- Configure IPv6 firewall rules
- Typically no need for address translation

## Other Secure Network Design Considerations

- Data center and cloud design requirements
    - East-west traffic
        - North-south traffic -> enters and leaves the data center
        - East-west -> traffic between servers within the data center
        - Problem for security inspection and filtering
- Zero trust (NIST SP 800-207)
    - Do not rely on perimeter security
    - Continuous/context-based authentication
    - Microsegmentation
        - Single-host zones

![[Pasted image 20230630095352.png]]

# Implement Secure Switching and Routing

## Man-in-the-Middle and Layer 2 Attacks

- MITM / on-path
    - Threat actor intercepts and maybe modifies communications
    - Snooping
    - Spoofing
- MAC address cloning/spoofing
    - MAC: hardware interface address
    - Easy to change to a different value

## ARP Poisoning and MAC Flooding Attacks

- ARP poisoning
    - Broadcasting unsolicited ARP replies to poison the cache of local hosts with a spoofed MAC address
    - Attacker usually tries to impersonate the default gateway
- MAC flooding
    - Overwhelm switch memory to trigger unicast flooding
    - Facilitates flooding

## Loop Prevention

- (Rapid) Spanning Tree Protocol (RSTP/STP)
- Broadcast storm prevention
    - Broadcast and flooded unicast get amplified as they loop continually around the network
    - Storm control if STP has failed
- Bridge Protocol Data Unit (BPDU) guard
    - Configure switches to defeat attempts to engineer a loop
    - PortFast setting configured for access ports
    - BPDU guard disables the port if STP traffic is detected

## Physical Port Security and MAC Filtering

- Physical port security
    - Secure switch hardware
    - Physically disconnect unused ports
    - Disable unused ports via the management interface
- MAC address limiting and filtering
    - Configure permitted MACs
    - Limit the number of MAC changes
- DHCP snooping
- Dynamic ARP inspection

## Network Access Control

- Even if you plug into a switch, your MAC address must be approved to be on the network

## Route Security

- Sources of routing table updates
- Preventing route injection
- Source routing
- Patch management and router appliance hardening

# Implement Secure Wireless Infrastructure

## Wireless Network Installation Considerations

- Ensure maximum availability from legitimate access points
- **Wireless access point (WAP)** placement
    - SSID and BSSID
    - Co-channel interference (CCI)
    - Adjacent channel interference (ACI)
- Site surveys and heat maps
    - Architectural plan
    - Wi-Fi analyzer
    - Heat map plots signal strength from high (red) to low (green/blue)
    - Channel layout shows overlapping usage

## Controller and Access Point Security

- Configurations of multi-WAP WLANs
    - Fat wireless AP -> can log in and make changes on some kind of interface
    - Thin AP -> stripped down in what you can do and configure, typically pointed to a controller that it gets its configuration from
        - Much better for security: only what is needed to be a WAP is running
    - Hardware and software controllers
- Fat vs thin WAPs
- Physical security and management interfaces

## Wi-Fi Protected Access

- WPA (v1)
    - RC4 with Temporal Key Integrity Protocol (TKIP)
    - Easy to compromise, just a little harder than WEP
- Wi-Fi Protected Access 2 (WPA2)
    - Advanced Encryption Standard (AES) replaces RC4
    - Counter mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) replaces TKIP
    - Also enables enterprise authentication options
- Wi-Fi Protected Access 3 (WPA3)
    - Simultaneous Authentication of Equals (SAE)
    - Enhanced Open
    - Updated cryptography
    - Management frame protection -> digitally signs the management communication from the WAP

## Wi-Fi Authentication Methods

- WPA2 pre-shared key authentication
    - Passphrase used to generate a pairwise master key (PMK)
    - 4-way handshake
        - PMK is used to derive session keys
- WPA3 personal authentication
    - Password Authenticated Key Exchange (PAKE)
    - Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake
    - Dragonfly handshake

## Wi-Fi Protected Setup (WPS)

- Push-button or passcode auto-configuration of access points and clients
- Brute-force vulnerability in the passcode algorithm
    - Access point may support lockout to mitigate
    - Make sure access point firmware is up to date
- Easy Connect and Device Provisioning Protocol (DPP)

## Open Authentication and Captive Portals

- Use an access point without authentication (or encryption)
- Secondary authentication via captive portal or splash page
- Everything sent over the link can be snooped
    - Use secure protocols for confidential data (HTTPS, secure IMAP, FTPS)
    - Use a VPN to create a secure tunnel
- Wi-Fi Enhanced Open

## Enterprise/IEEE 802.1X Authentication

- Extensible Authentication Protocol (EAP) over Wireless (EAPoW)
- Network directory authorization via RADIUS or TACACS+
    - RADIUS -> VPNs and wireless access
    - TACACS+ -> authenticating network devices to the network
- User credential is used to generate the session encryption key

## Extensible Authentication Protocol

- Designed to provide interoperable security across devices and software
- EAP-TLS
    - TLS to authenticate via device certificates/smart cards
    - Both server and supplicant must have certificates
    - Mutual authentication

## PEAP, EAP-TTLS, and EAP-FAST

- Secure tunneling for user credentials
- (Below are all authentication protocols)
- Protected EAP (PEAP)
    - Password authentication through a TLS-protected tunnel
    - Server certificate only
    - PEAPv0 (EAP-MSCHAPv2)
    - PEAPv1 (EAP-GTC)
- EAP with Tunneled TLS (EAP-TTLS)
    - Similar to PEAP but with more flexibility on inner authentication methods
- EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
    - Cisco alternative to PEAP that can be set up without certificate infrastructure

## RADIUS Federation

- Federated identity solution
- Mesh network of RADIUS servers operated by different institutions
- eduroam

![[Pasted image 20230703075424.png]]

## Rogue Access Points and Evil Twins

- Rogue access point
    - Troubleshooting access point misconfiguration
    - Disable unused devices and interfaces
- Evil twin
    - Masquerades as a legitimate AP
    - Uses a similar SSID
    - Captures authentication info
- Wi-Fi analyzers

## Disassociation and Replay Attacks

- Deauthentication attack
    - Attacker sends a spoofed deauth packet
    - DoS and assists other attacks
- Disassociation attack
    - Similar, but causes the station to disassociate
- Mitigation: Management Frame Protection (MFP/802.11w)
- Initialization vector (IV) attack
    - Generate packets to strip the IV
- KRACK/key reinstallation

## Jamming Attacks

- Environmental vs malicious interference
- Jamming attacks
    - Denial of service
    - Promote an evil twin
- Use a spectrum analyzer to locate the source

# Implement Load Balancers

## DDoS

- Leverage bandwidth from compromised hosts/networks
- Handlers form a command and control (C&C) network
    - Compromised hosts are installed with bots that can run automated scripts
    - Coordinated by the C&C network as a botnet
- Overwhelm with superior bandwidth (number of bots)
- Consume resources with spoofed session requests (SYN flood)

## Amplification, Application, and OT Attacks

- Distributed Reflection DoS (DRDoS)
    - Amplified SYN flood
        - Spoof the victim's IP address and attempt to open connections with multiple servers
        - Those servers direct their SYN/ACK responses to the victim
- Application attacks
    - Bogus DNS/NTP queries
    - Direct responses at the victim
    - Queries can be constructed to generate large response packets
- Operational Technology (OT) networks
    - DoS against embedded systems
    - Can be more vulnerable to mis-crafted packets than computing hosts

![[Pasted image 20230703080924.png]]
![[Pasted image 20230703081024.png]]
![[Pasted image 20230703081032.png]]
![[Pasted image 20230703081039.png]]
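The ARP poisoning, MAC flooding and port security sections above describe what Dynamic ARP Inspection and MAC limiting check for; this added example (not from the original notes) runs those two checks over constructed frame records. The trusted IP-to-MAC table stands in for the DHCP snooping binding table DAI validates against, and the record format and the per-port MAC limit are assumptions.

```python
# Added example: DAI-style ARP validation and port-security MAC counting
# over constructed switch-port frame records (not from the original notes).
from collections import defaultdict

# Constructed trusted bindings: what DHCP snooping would have learned.
TRUSTED_BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",   # default gateway
    "10.0.0.10": "00:11:22:33:44:10",  # a workstation
}

# Constructed frames: (switch_port, ethernet_src_mac, arp_sender_ip, arp_sender_mac, arp_opcode)
# opcode 1 = request, 2 = reply. Gi0/2 sends unsolicited replies claiming the gateway
# IP (ARP poisoning); Gi0/3 sources hundreds of different MACs (MAC flooding).
FRAMES = [
    ("Gi0/1", "00:11:22:33:44:10", "10.0.0.10", "00:11:22:33:44:10", 1),
    ("Gi0/1", "00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:01", 2),
    ("Gi0/2", "de:ad:be:ef:00:01", "10.0.0.1", "de:ad:be:ef:00:01", 2),
    ("Gi0/2", "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:01", 2),
] + [
    ("Gi0/3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "0.0.0.0",
     f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", 1)
    for i in range(300)
]


def inspect_arp(frames, bindings):
    """Return (port, reason) for every ARP frame DAI would drop: an Ethernet
    source that does not match the ARP sender MAC, or a sender IP whose
    trusted binding points at a different MAC."""
    drops = []
    for port, eth_src, sender_ip, sender_mac, opcode in frames:
        if eth_src != sender_mac:
            drops.append((port, "ethernet source differs from ARP sender MAC"))
        elif sender_ip in bindings and bindings[sender_ip] != sender_mac:
            drops.append((port, f"{sender_ip} bound to {bindings[sender_ip]}, claimed by {sender_mac}"))
    return drops


def flooding_ports(frames, max_macs=8):
    """Ports whose distinct source-MAC count exceeds the port-security limit (assumed 8)."""
    seen = defaultdict(set)
    for port, eth_src, *_ in frames:
        seen[port].add(eth_src)
    return {port: len(macs) for port, macs in seen.items() if len(macs) > max_macs}


if __name__ == "__main__":
    for port, reason in inspect_arp(FRAMES, TRUSTED_BINDINGS):
        print(f"DAI drop on {port}: {reason}")
    for port, count in flooding_ports(FRAMES).items():
        print(f"port-security violation on {port}: {count} MACs seen")
```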
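The Wi-Fi Authentication Methods section above says the WPA2 passphrase generates the PMK and the 4-way handshake derives session keys from it; this added example (not from the original notes) carries both derivations through with the standard's own parameters. The MAC addresses and nonces used in the demo are constructed values.

```python
# Added example (not from the original notes): WPA2-Personal key derivation.
# PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
# The PMK depends only on passphrase and SSID, so anyone holding one captured
# 4-way handshake can verify passphrase guesses offline; WPA3 SAE derives the
# PMK from the Dragonfly exchange instead, which removes that property.
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK from a WPA2-Personal passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                 length: int = 48) -> bytes:
    """IEEE 802.11i PRF: expand the PMK with both MAC addresses and both handshake
    nonces into the PTK (for CCMP: KCK 16 | KEK 16 | TK 16 bytes).
    Only the nonces change per session; the PMK never does."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    counter = 0
    while len(out) < length:
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]


if __name__ == "__main__":
    pmk = wpa2_pmk("password", "IEEE")          # IEEE 802.11i test vector inputs
    print("PMK:", pmk.hex())
    aa, spa = bytes.fromhex("001122334401"), bytes.fromhex("001122334410")  # constructed
    ptk = ptk_from_pmk(pmk, aa, spa, b"\x01" * 32, b"\x02" * 32)          # constructed nonces
    print("KCK:", ptk[:16].hex(), "KEK:", ptk[16:32].hex(), "TK:", ptk[32:].hex())
```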
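The DDoS and DRDoS sections above describe reflected SYN/ACKs and amplified DNS/NTP responses arriving at a victim that never sent the requests; this added example (not from the original notes) applies that signature to constructed flow records. The record format, the reflector port list and the byte threshold are assumptions.

```python
# Added example (not from the original notes): spotting reflected/amplified traffic
# in constructed flow records. At the victim, reflection shows up as responses
# (UDP replies from service ports, TCP SYN/ACKs) with no matching outbound request.
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by server port (assumed list).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, bytes).
FLOWS = [
    ("udp", "10.0.0.5", 40001, "8.8.8.8", 53, "", 60),           # inside host asks DNS
    ("udp", "8.8.8.8", 53, "10.0.0.5", 40001, "", 120),          # answer to that query: fine
    ("tcp", "10.0.0.5", 40002, "93.184.216.34", 443, "S", 60),   # inside host opens TLS
    ("tcp", "93.184.216.34", 443, "10.0.0.5", 40002, "SA", 60),  # expected SYN/ACK: fine
    ("udp", "198.51.100.7", 123, "10.0.0.9", 5000, "", 4400),    # large NTP reply, never requested
    ("udp", "198.51.100.8", 123, "10.0.0.9", 5000, "", 4400),
    ("udp", "203.0.113.20", 53, "10.0.0.9", 5000, "", 3900),     # large DNS reply, never requested
    ("tcp", "203.0.113.30", 80, "10.0.0.9", 5001, "SA", 60),     # SYN/ACK for a SYN never sent
]


def unsolicited_responses(flows):
    """Responses with no matching request in the same record set.
    Returns (victim_ip, service, reflector_ip, bytes) per hit."""
    requests = {(s, sp, d, dp) for _, s, sp, d, dp, _, _ in flows}
    hits = []
    for proto, s, sp, d, dp, flags, size in flows:
        is_reply = (proto == "udp" and sp in REFLECTOR_PORTS) or (proto == "tcp" and flags == "SA")
        if is_reply and (d, dp, s, sp) not in requests:
            service = REFLECTOR_PORTS[sp] if proto == "udp" else "SYN/ACK"
            hits.append((d, service, s, size))
    return hits


def victims(flows, min_bytes=8000):
    """Hosts whose unsolicited inbound bytes reach min_bytes (an assumed threshold)."""
    totals = defaultdict(int)
    for victim, _, _, size in unsolicited_responses(flows):
        totals[victim] += size
    return {v: b for v, b in totals.items() if b >= min_bytes}


def amplification_factor(request_bytes, response_bytes):
    """Bytes that land on the victim per byte the attacker spoofed."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    for victim, service, reflector, size in unsolicited_responses(FLOWS):
        print(f"{victim} <- unsolicited {service} ({size} B) from {reflector}")
    print("victims:", victims(FLOWS), "DNS factor:", amplification_factor(60, 3900))
```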