Page 1 All-In-One Edition Chapter 8 – Infrastructure Security
Brian E Brzezicki
Page 2 A lot of the material in these slides and in this lecture is NOT in the book. The book does a good job of presenting most of the material needed for the Security+ exam; however, the information in chapter 8 is a little thin, so pay close attention to the slides. Perhaps I provide a little too much depth for the Security+ exam, but it's well worth doing the extra learning, especially if you want to take the CISSP or really understand networks and network security concepts well enough to be USEFUL in real life!
Page 3 Infrastructure Security
Infrastructure security is concerned with providing security for the entire network infrastructure: providing availability to authorized users, ensuring no one is allowed to access resources in an unauthorized manner, and ensuring that network integrity is maintained. That is, infrastructure security is concerned with the entire CIA triad.
Page 4 Devices on the Network
Page 5 Workstations
Page 6 Workstations (202)
Often overlooked in security, workstations are a very attractive target for attackers. IT staff often spend their time securing servers and don't realize the danger their unprotected workstations pose.
(more)
Page 7 Workstations (202)
Workstations are often "low hanging fruit", used by end users who are themselves a security risk. Once a workstation is infiltrated an attacker may have access to data directly, via the authorized users on the system, and that workstation can be used as a pivot point for attacks into the rest of the network.
Workstation security is CRITICAL to the "holistic" health and security of the network.
Page 8 Workstation Security Best Practices (basic hardening) (203)
Physical
• Physically restrict access to the workstation
• Use locking devices to ensure the computer cannot be opened or stolen (whether in whole or in part)
• Set a BIOS password
• Do not allow booting from removable media, and do not allow the boot order to be altered
• Remove removable media attachments if possible
• Use an encrypted file system (EFS) or disk encryption technology (BitLocker) if possible. A BIOS password and a locked boot order only help while the attacker cannot pull the disk; disk encryption is what protects the data once the machine (or the drive) is gone
(more)
Page 9 Workstation Security Best Practices (basic hardening) (203)
Basic account hardening
• Rename the administrator account and set a strong password
• Disable unneeded accounts
• Set strong password policies
(more)
Page 10 Workstation Security Best Practices (basic hardening) (203)
Basic software hardening and maintenance
• Shut down services that are not needed
• Remove software that is not needed
• Use a standard workstation image for consistent installs and configuration
• Keep the OS and applications patched!
• Install anti-virus on the workstation and keep it auto-updated
(more)
Page 11 Workstation Security Best Practices (basic hardening) (203)
Basic system network hardening
• Remove unnecessary protocols such as NetBIOS or IPX/SPX
• Remove any file/printer shares (generally workstations should not share files)
• Use a host-based firewall
• Use a host-based IDS if possible
• Remove workstation remote access (e.g. modems, Remote Desktop, etc.)
Page 12 Workstation Hardening
Please note the last few slides showed only the BASIC/minimum levels of workstation hardening. There are many more specific details you should be concerned with in real life. However, the last few slides provide the information the Security+ exam is concerned with, and also provide a solid base from which you can expand to protect your workstations.
Page 13 Workstation Anti-Virus (202)
Don't go on the network without it, and keep it updated (why?). Malware run by people on your internal network is an easy access method for an attacker.
Page 14 Personal / Host Based Firewalls (n/b)
In the last 10 or so years, host-based firewalls have been shipped with every major OS. You should run them on your workstations as another layer of defense (remember defense in depth / layered defense):
– Windows Firewall
– IP Filter (ipf) for Solaris
– iptables for Linux
Page 15 Windows Firewall (n/b)
Quickly walk everyone through Windows Firewall
Page 16 Servers
Page 17 Servers (204)
Ok, everyone understands that you need to protect servers, right?
With servers:
• Follow the best practices for securing workstations
• Identify which servers need to run which services (web, email, file sharing)
• Try to ensure that each server runs only one specific service, and that the service and OS are configured for maximum security
• Set network service daemons to run as non-privileged users
• Set strict permissions on network resources
• Disable, or completely remove if possible, all NON-essential services
(more)
Page 18 Servers (204)
• If you cannot have a dedicated machine for each specific service, consider using virtualization (use virtualization even if you have multiple servers)
• As an administrator, UNDERSTAND which processes are required for the OS and the service. Try to ensure only those processes are running, and be wary if you see other processes running
• Once installed, run Tripwire or other checksum software to identify and verify that critical files don't "change" (why is this important, what could it mean?)
(more)
Page 19 Servers (204)
• On Internet-facing servers (mail servers, web proxies, etc.) ensure that you have anti-virus and malware protection on the incoming data streams, even if your workstations have anti-virus. If possible, use a different anti-virus product/engine than the one you use on your workstations
– Layered security / defense in depth
– Diversity of defense
(more)
Page 20 Servers (204)
• Run a host-based IDS on your servers
• Periodically do vulnerability assessments on your servers
• Periodically verify that software and configuration files have not changed and that no new services have been started. Use version control on configuration files if possible
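The file-integrity check that the Tripwire bullet on the previous slide and the "verify software and configuration files have not changed" bullet above describe, as an added example that is not part of the original slides: it hashes every regular file under a directory, keeps that as the baseline, and reports what was modified, added or removed on the next run. The directory tree, file names and the "tampering" are all constructed inside the script so it runs offline; the function names (baseline, compare, demo) are this example's own.

```python
"""Added example: a minimal Tripwire/AIDE-style file-integrity check.
It builds its own scratch tree, so every path below is constructed, not real."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path.
    Symlinks are skipped: hashing their target would let an attacker point a
    'known good' name at a file that is checked elsewhere."""
    table: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                table[p.relative_to(root).as_posix()] = sha256_file(p)
    return table


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, list]:
    """Diff two baselines. Any non-empty list is a finding to investigate."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> Dict[str, list]:
    """Build a tiny server tree, baseline it, simulate a compromise, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF...original login binary")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        before = baseline(root)  # in real life: store this OFF the box, read-only

        # Constructed compromise: trojaned login, weakened sshd_config,
        # a new cron job for persistence, and a file removed to hide tracks.
        (root / "bin" / "login").write_bytes(b"\x7fELF...login with a backdoor")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        (root / "etc" / "hosts").unlink()

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is stored off the host (or on read-only media) and the comparison is run from a trusted copy of the tool: a checker whose baseline and binary live on the same disk can be edited by the same attacker who trojaned /bin/login. The hashes themselves are safe to publish; they protect integrity, not confidentiality.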
Page 21 Virtualization (n/b)
Virtualization is KEY to network security, availability and maintenance/ease of operation. (see next slide)
Can anyone describe to me what virtualization is?
What does it allow you to accomplish?
How does it make your life as an admin easier?
How does it increase availability?
How does it allow you to make servers more modular? How does it increase security and integrity?
Page 22 Virtualization
Page 23 Virtualization migration
Page 24 OSI Model
Oh no…
Page 25 OSI (n/b)
Page 26 Before we talk about network equipment we need to discuss the OSI framework briefly.
The OSI model describes how network communications should be broken down into functional "tasks". Each layer performs one task: it provides "services" to the layer above it, and uses services from the layer below it.
The OSI model is broken down into 7 levels (layers), which we will discuss.
Page 27 OSI model – layer 1 physical (n/b)
• Layer 1 Physical – simply put, is concerned with physically sending signals over a medium. It is concerned with
– specific cabling,
– voltages and
– timings
• This level actually sends data as electrical (or optical/radio) signals that other equipment using the same "physical" medium understands – e.g. Ethernet
Page 28 OSI model – layer 2 data link (n/b)
• Layer 2 Data Link – the data link layer goes hand in hand with the physical layer. The data link layer defines the format in which data "frames" will be sent over the physical medium, so that two network cards of the same network type will actually be able to communicate. These frames are passed down to the "physical" layer to be turned into the signals that are sent over a specific network (layer 2 uses the services of layer 1)
• Two network cards on the same LAN communicate at the data link layer.
Page 29 OSI model – layer 3 network (n/b)
Layer 3 Network – Layer 3 is concerned with network addressing and specifically with moving packets between networks in an optimal manner (routing). Some Layer 3 network protocols are
– IP
– IPX (from the IPX/SPX suite)
– AppleTalk
Page 30 OSI model Layer 4 Transport (n/b)
• OSI Layer 4 Transport – provides "end-to-end" data transport services and establishes a logical connection between two computer systems
• Virtual connection between "COMPUTERS"
Page 31 OSI Model Layer 5 Session (n/b)
• OSI Layer 5 Session – responsible for establishing a connection between two APPLICATIONS! (either on the same computer or on two different computers)
• Create connection
• Transfer data
• Release connection
Page 32 OSI model Layer 6 – Presentation (n/b)
• OSI Layer 6 – present the data in a format that all computers can understand
– Concerned with encryption, compression and formatting
Example: big endian vs little endian
Decimal 10 is 0x000A as a 16-bit value. A big-endian machine stores the most significant byte first (bytes 00 0A); a little-endian machine stores the least significant byte first (bytes 0A 00). If the receiver interprets the bytes in the other order it reads 0x0A00 = 2560 instead of 10.
So all computers on a network must agree what byte order to use for multi-byte values. Network byte order is big endian, which is why the hton/ntoh conversion routines exist. (Endianness is about the order of bytes within a value, not the order of bits.)
Page 33 OSI model Layer 7 – Application
Page 34 OSI vs TCP/IP model
Page 35 • Transport/Host to Host = OSI layers 4, 5 – defines a communication session between two applications on one or two hosts
• Application = OSI layers 6, 7 – the application data that is being sent across a network
Page 36 Network Access
• Maps to layers 1 and 2 of the OSI model
• The level that a Network Interface Card
Page 37 Network Layer
• Maps to layer 3 of the OSI model
• Concerned with moving data from one LAN (network) to another
• Breaks data into packets
• Source and destination endpoints are defined by IP addresses
• The protocol is IP
(IP addresses next slide)
Page 39 Transport / (Host to Host)
• Maps to layers 4 and 5 of the OSI model
• Concerned with establishing sessions between two applications
• Source and destination endpoints are defined
Page 40 TCP (n/b)
Connection oriented, "guaranteed" delivery
Advantages
– Easier to program with
– Truly implements a "session"
– Adds some security: the three-way handshake and sequence numbers make blind source-address spoofing much harder than with UDP (this is not encryption or authentication, just resistance to spoofing)
Disadvantages
– More overhead / slower
Page 42 Application Layer
• Maps to layer 7 of the OSI model
• The actual protocol/language that the application uses
Examples
– HTTP
– SMTP
– DNS
Page 44 Network Interface Cards
Page 45 Network Interface Cards (205)
Network Interface Cards are used to connect a computer to a LAN. NICs work at the physical and data link layers of the OSI model
• A NIC is the physical connection to the
Page 46 (more)
Page 47 A quick discussion on IPs (n/b)
• Every computer on an IP network has at least 1 IP address
• Every NIC port has 1 MAC address
• One IP address can be spread across multiple NICs (teaming/bonding, for performance or redundancy)
So every computer has at least 1 IP address, and every IP address corresponds to at least one MAC address.
Every IP packet sent on a LAN is carried inside a layer 2 frame, so ALL network traffic designates both an IP address and a MAC address!
Page 48 IPs and MACs
Page 49 MAC address security (n/b)
• ARP – Operating systems and applications use IP addresses, but the network cards use MAC addresses. ARP is the protocol that translates IP addresses into MAC addresses
• ARP poisoning is an attack against a network where one computer sends fake ARP replies in an attempt to trick another computer on the same network into communicating with it instead of the real machine. This can be used as a man-in-the-middle attack, or as a straight "hijacking" attack. ARP has no authentication, so any host on the LAN can send such replies; the usual defenses are static ARP entries for critical hosts (the default gateway) and Dynamic ARP Inspection on the switch
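The detection side of the ARP poisoning described above, as an added example that is not part of the original slides: a passive monitor that records the first IP-to-MAC binding it sees (or a static table you hand it) and alerts when a later reply contradicts it, or when one MAC answers for several IPs, which is exactly what a man-in-the-middle does when it claims both the gateway and the victim. The ARP replies are a constructed sample, not captured traffic; ArpReply, SAMPLE_REPLIES and detect_arp_poisoning are this example's own names.

```python
"""Added example: passive ARP-poisoning detector over a constructed reply log."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


# Constructed sample (not a capture): the gateway and two hosts answer normally,
# then a third station (de:ad:be:ef:00:01) claims both the gateway's IP and a
# victim's IP, which is the classic man-in-the-middle pattern.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:01"),
    ArpReply("192.168.1.4", "00:11:22:33:44:04"),
    ArpReply("192.168.1.100", "00:11:22:33:44:64"),
    ArpReply("192.168.1.1", "DE:AD:BE:EF:00:01"),
    ArpReply("192.168.1.4", "de:ad:be:ef:00:01"),
    ArpReply("192.168.1.100", "00:11:22:33:44:64"),
]


def detect_arp_poisoning(replies: List[ArpReply],
                         trusted: Optional[Dict[str, str]] = None) -> List[Tuple]:
    """Return alerts for (a) an IP whose MAC changes from what was first seen or
    statically configured and (b) one MAC answering for several IPs.
    `trusted` is an optional static table (ip -> mac) that is never overwritten."""
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    claims: Dict[str, Set[str]] = {}
    alerts: List[Tuple] = []
    for r in replies:
        mac = r.sender_mac.lower()          # normalise case before comparing
        claims.setdefault(mac, set()).add(r.sender_ip)
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = mac        # first sighting: learn it
        elif known != mac:
            alerts.append(("binding_changed", r.sender_ip, known, mac))
            # keep the original binding; a static/first-seen entry is not overwritten
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(("mac_claims_multiple_ips", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(alert)
```

Feeding this real traffic means pulling ARP replies off the wire (Scapy's sniff, or arpwatch, which implements the same logic). The second check also fires on legitimate setups where one NIC answers for several addresses (a router with secondary IPs, VRRP), so seed the trusted table and review alerts before acting on them automatically.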
Page 50 Next a bit about Network Traffic Types (n/b)
• Unicast – network traffic sent from one specific computer to another specific
Page 51 Unicast, Broadcast and Multicast
Page 52 Hub (206)
Page 53 An OSI layer 1 (physical layer) device. It simply repeats the electrical signal received on one port out of all the other ports
• Hubs are unintelligent
• All computers connected to the hub receive the signal (so it's easy to see other people's network traffic)
• Everyone shares the network for speaking, only one at a time. If two nodes try to speak at the same time that is called a collision.
• All computers connected to a hub are in the same collision domain.
Trang 54to determine how to send traffic
• A bridge isolates traffic to each side of the
bridge and only forwards it across the bridge if necessary (good for security and
performance) See next 3 slides
Trang 55Bridge (206)
A bridge learns which computers (MAC
addresses) are on each side of the bridge) It will forward traffic across the bridge if
necessary
Trang 56Bridge (206)
A bridge will only forward traffic across the
bridge IF and ONLY IF, a computer on one side of the bridge is trying to communicate with a computer on the other side of the
bridge
Page 59 Bridge Overview (n/b)
A bridge separates segments into two or more collision domains. However, it still remains one broadcast domain
A bridge builds a table of the MAC addresses known for each port
A bridge increases performance and security
A bridge is a layer 2 (data link) device
A bridge can be used to mix different LAN technologies (e.g. a wireless AP is a bridge)
Page 60 Switches
Page 61 Switch (206)
A network switch is just a multi-port bridge. Switches will often have 24 or more ports, and learn which MAC addresses are on which ports.
• Works at layer 2 (data link)
• On a switch a computer can send data AND receive data at the same time (full duplex, increasing performance by up to 2x)
• On a switch each port is its own collision domain and will not have collisions, therefore allowing line-speed communication on each port
(more)
Page 62 Switch (206)
• A switch only sends unicast traffic from the sending computer to the receiving computer's port, which stops casual sniffing (watch for MAC flooding and ARP poisoning attacks though; broadcasts and frames to unknown destinations are still flooded out every port)
• Since switches inspect the MAC address on all traffic, a switch can be programmed (port security) to only allow certain MAC addresses, or a limited number of MAC addresses, to communicate on a port, and to ignore other MAC addresses or shut the port down when they appear
Page 63 Switch (206)
Multiple conversations can occur on a switch at the same time!
Page 64 Switch Specific Attacks (n/b)
MAC flooding – sending tons of frames with different source MAC addresses in an attempt to overfill the switch's MAC (CAM) table. If this happens the switch can no longer learn the legitimate addresses, and for those destinations it drops into "hub mode" and simply floods traffic out every port, where the attacker can sniff it
(see visualization next slide)
Page 65 MAC flooding (n/b)
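A toy learning switch, as an added example that is not part of the original slides, that makes the MAC flooding mechanism concrete and shows the port-security countermeasure mentioned on page 62: the CAM table is bounded and idle entries age out, so once the attacker has filled the table with junk, the victim's next frame to a server whose entry has expired cannot be learned against and is flooded out every port, attacker included. With max_macs_per_port=1 the attacker's port is shut down on its second source MAC and the frame goes only where it belongs. The ports, MACs, table size and the 300 s age-out are assumptions for illustration.

```python
"""Added example: bounded-CAM learning switch, MAC flooding, and port security."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

AGE_OUT = 300  # seconds an idle CAM entry survives (assumption: a common default)


@dataclass
class Switch:
    ports: List[int]
    cam_capacity: int                          # real switches hold thousands of entries
    max_macs_per_port: Optional[int] = None    # port-security limit; None = disabled
    cam: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # mac -> (port, last_seen)
    err_disabled: Set[int] = field(default_factory=set)

    def _age_out(self, now: int) -> None:
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > AGE_OUT]:
            del self.cam[mac]

    def forward(self, in_port: int, src: str, dst: str, now: int) -> Set[int]:
        """Process one frame; return the set of ports it is sent out of."""
        if in_port in self.err_disabled:
            return set()                       # port was shut down by port security
        self._age_out(now)
        if src in self.cam:
            self.cam[src] = (in_port, now)     # refresh an existing entry
        else:
            if self.max_macs_per_port is not None:
                on_port = sum(1 for p, _ in self.cam.values() if p == in_port)
                if on_port >= self.max_macs_per_port:
                    self.err_disabled.add(in_port)   # violation: shut the port
                    return set()
            if len(self.cam) < self.cam_capacity:
                self.cam[src] = (in_port, now)       # learn; a full table learns nothing
        if dst in self.cam and self.cam[dst][0] != in_port:
            return {self.cam[dst][0]}          # known unicast: one port only
        # unknown unicast or broadcast: flood out every other live port ("hub mode")
        return {p for p in self.ports if p != in_port and p not in self.err_disabled}


def run_attack(port_security: bool) -> bool:
    """Victim A (port 1) talks to server B (port 2); the attacker sits on port 3.
    Returns True if the attacker's port ends up receiving A's unicast to B."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=64,
                max_macs_per_port=1 if port_security else None)
    a, b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    sw.forward(1, a, b, now=0)                 # switch learns A on port 1
    sw.forward(2, b, a, now=0)                 # and B on port 2
    # Attacker floods 100 bogus source MACs, repeating before they can age out.
    for t in (100, 300):
        for i in range(100):
            sw.forward(3, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", now=t)
    # A and B were idle, so their entries aged out while the junk was kept fresh.
    return 3 in sw.forward(1, a, b, now=400)


if __name__ == "__main__":
    print("attacker sees A->B without port security:", run_attack(False))
    print("attacker sees A->B with port security:   ", run_attack(True))
```

On Cisco IOS the equivalent control is `switchport port-security maximum 1` with the default shutdown violation mode, ideally with a short port-security aging time. A real access switch's CAM table holds thousands of entries, which is why flooding tools send hundreds of thousands of frames rather than the 100 used here.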
Page 66 • If possible restrict network management to "management network IP addresses"
Page 67 Hubs, Bridges and Switches (n/b)
An important concept: all computers connected via hubs, bridges and switches are in the same broadcast domain, and these computers form a LAN. They SHOULD be on the same IP network (see slide)
192.168.1.4 / 255.255.255.0
192.168.1.100 / 255.255.255.0
192.168.1.14 / 255.255.255.0
Page 68 LAN (n/b)
All these computers are on the same LAN and the same logical IP network. All are in the same broadcast domain.
Page 69 VLANs (207)
A VLAN is the concept of creating multiple broadcast domains (LANs) on a single switch
• Why would it be used?
• Do you still have to route between VLANs?* (yes: each VLAN is a separate LAN, so traffic between VLANs must pass through a router or layer 3 switch, which is where you apply your ACLs)
• Two different VLAN trunking protocols: 802.1Q* (the IEEE standard) or Cisco ISL* (Cisco proprietary), for trunking between switches
• Use VLANs for convenience and for creating network security zones. One use is to create "dead" or "restricted" networks that a port stays in unless authentication is done via 802.1X
Page 70 VLAN
Page 71 Routers (208)
Can anyone define what a router does (in layman's terms) without using the word route? (answers next slide)
Page 72 Routers (208)
Routers connect different networks (LANs) and allow these LANs to communicate with each other. They allow traffic to leave a local network and help direct it along the best path to the destination network.
• Layer 3 (network) devices
• Look at IP addresses, NOT MAC addresses
• Routers do NOT forward broadcasts; as such they create different broadcast domains!
• Can determine routes statically or dynamically
• Can apply access control lists to allow or deny certain types of traffic (a basic packet-filtering firewall)
see visualization next page
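The two decisions described on the LAN slides (page 67/68) and the router slide above, as an added example that is not part of the original slides: same_network and next_hop are the host's view (is the destination on my own IP network, so I ARP for it directly, or do I hand it to the gateway), and the Router class is the router's view: it applies an ordered access control list first, then picks the most specific matching route, and refuses to forward the limited broadcast. All networks, interface names and ACL rules are made up for illustration.

```python
"""Added example: same-subnet test for LAN hosts, and a router that applies an
ACL and then does longest-prefix routing. Addresses and names are invented."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def same_network(a: str, b: str) -> bool:
    """True if two 'ip/mask' hosts share one IP network (one broadcast domain)."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def next_hop(host: str, dst: str, gateway: str) -> str:
    """Host forwarding decision: ARP for dst itself if on-link, else for the gateway."""
    iface = ipaddress.ip_interface(host)
    return dst if ipaddress.ip_address(dst) in iface.network else gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "tcp", "udp", "icmp" or "ip" (any)
    dport: int = 0


@dataclass(frozen=True)
class AclRule:
    action: str            # "permit" or "deny"
    src: str               # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


class Router:
    def __init__(self, routes: List[Tuple[str, str]], acl: List[AclRule]):
        # routes: [(cidr, egress interface)]; acl: ordered, first match wins
        self.routes = [(ipaddress.ip_network(cidr), iface) for cidr, iface in routes]
        self.acl = acl

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match: the most specific route wins."""
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, iface) for net, iface in self.routes if addr in net]
        return max(hits)[1] if hits else None

    def handle(self, pkt: Packet):
        if pkt.dst == "255.255.255.255":
            return ("drop", "broadcast")       # routers bound the broadcast domain
        for rule in self.acl:                  # first matching rule decides
            if rule.matches(pkt):
                if rule.action == "deny":
                    return ("deny", rule)
                break
        else:
            return ("deny", "implicit deny")   # no permit matched
        iface = self.lookup(pkt.dst)
        return ("forward", iface) if iface else ("drop", "no route")


def build_router() -> Router:
    """Invented topology: office LAN on eth0, a 10/8 campus on eth1, a server
    VLAN 10.1.2.0/24 on eth2, and a default route to the Internet on wan0."""
    routes = [("192.168.1.0/24", "eth0"), ("10.0.0.0/8", "eth1"),
              ("10.1.2.0/24", "eth2"), ("0.0.0.0/0", "wan0")]
    acl = [AclRule("deny", "0.0.0.0/0", "10.1.2.0/24", "tcp", 23),   # no telnet into servers
           AclRule("permit", "192.168.1.0/24", "0.0.0.0/0")]           # office may go anywhere else
    return Router(routes, acl)


if __name__ == "__main__":
    print(same_network("192.168.1.4/255.255.255.0", "192.168.1.100/255.255.255.0"))
    r = build_router()
    print(r.handle(Packet("192.168.1.4", "10.1.2.9", "tcp", 80)))
    print(r.handle(Packet("192.168.1.4", "10.1.2.9", "tcp", 23)))
```

Note the implicit deny at the end of the ACL, which is how real router ACLs behave: a packet that matches no permit rule is dropped, so a misordered list silently blackholes traffic. The longest-prefix rule is why the /24 to eth2 wins over the /8 to eth1 even though both contain 10.1.2.9.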