Network security
Ing. Lubomír Ošmera

Terms
• Topology traditionally means the path by which frames propagate around a network
• CTSEC EXAM: a zone or topology is a functional subgroup of a network
• LAN, DMZ, and extranet

Switch
• Hub vs. switch
• Switches physically segment LANs into different pieces, but a better switch can also logically separate hosts into entirely different LANs, called virtual LANs (VLANs)

Router
• Filters and forwards IP traffic from one LAN to another
• Interconnects LANs

Network firewall
• May manifest as a specialized hardware device or as server software
• Network-based firewalls typically protect entire network segments
• Separating public networks from private networks
• Separating sensitive network segments from other internal networks
• Filtering on a wide variety of criteria, including port, protocol, network service, time of day, source or destination host

Stateless firewalls – packet filters
• Looks at every incoming packet individually, without considering anything else that might be taking place
• A checklist that the firewall uses to determine whether a packet should be blocked
• Example: a router's access control list (ACL) – IP address, port, time
• Home example: keep your child's desktop system from accessing any web pages (ports 80 and 443) between 10 p.m. and 6 a.m. on school nights

Stateful multilayer firewall
• Understands several functions expected in normal TCP and UDP communication and uses that intelligence to inspect the state of that connection

Application firewall
• Works at all seven layers of the OSI model and can inspect data within protocols
• Decides whether the protocol itself is allowed, over which port the traffic is destined, its source or destination IP address, whether it is the result of an established connection, and so on
• Host-based – likely placed in the DMZ

NAT
• What does communication to the internet look like?
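The difference between the packet-filter slide and the stateful-firewall slide is easiest to see in code. The block below is an added example, not part of the lecture slides: it implements the "no web pages from the child's desktop between 10 p.m. and 6 a.m. on school nights" ACL rule as a stateless filter, and puts a minimal stateful filter beside it. The stateless ACL has to trust the ACK flag and source port of anything that claims to be a reply, whereas the stateful filter only admits inbound packets that match a connection opened from the inside. All addresses, ports, packets and the weekday convention for "school night" (Sunday to Thursday evenings) are constructed for the example.

```python
"""Added example, not from the slides: the stateless 'curfew' ACL rule from the
packet-filter slide next to a minimal stateful filter, to show what connection
state buys you.  Every address, port and packet here is constructed."""
from dataclasses import dataclass
from datetime import datetime

CHILD_PC = "192.168.1.20"                # constructed address of the child's desktop
INSIDE_PREFIX = "192.168.1."             # constructed private LAN
WEB_PORTS = {80, 443}
SCHOOL_NIGHT_EVENINGS = {6, 0, 1, 2, 3}  # Sun..Thu evenings, datetime.weekday() numbering


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def school_night_curfew(pkt, when):
    """Stateless rule: block web traffic from the child's PC between 22:00 and
    06:00 on a school night.  Hours before 06:00 belong to the previous evening."""
    if pkt.src != CHILD_PC or pkt.dport not in WEB_PORTS:
        return False
    if not (when.hour >= 22 or when.hour < 6):
        return False
    evening = when.weekday() if when.hour >= 22 else (when.weekday() - 1) % 7
    return evening in SCHOOL_NIGHT_EVENINGS


# Ordered ACL: (name, match(pkt, when) -> bool, action).  First match wins.
STATELESS_ACL = [
    ("curfew", school_night_curfew, "drop"),
    # A stateless filter cannot know whether an inbound packet really belongs to a
    # connection, so it must judge "replies" by their flags alone.
    ("inbound-replies", lambda p, t: not is_inside(p.src) and p.ack, "allow"),
    ("inbound-other", lambda p, t: not is_inside(p.src), "drop"),
    ("outbound", lambda p, t: is_inside(p.src), "allow"),
]


class StatelessFilter:
    """Evaluates every packet on its own against the ordered ACL."""
    def __init__(self, acl):
        self.acl = acl

    def decide(self, pkt, when):
        for name, match, action in self.acl:
            if match(pkt, when):
                return action, name
        return "drop", "implicit-deny"


class StatefulFilter:
    """Remembers connections opened from the inside; an inbound packet is only
    allowed when it belongs to one of them."""
    def __init__(self):
        self.table = set()   # (src, sport, dst, dport) of inside-initiated flows

    def decide(self, pkt, when):
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:          # new connection attempt
                if school_night_curfew(pkt, when):
                    return "drop", "curfew"
                self.table.add(key)
                return "allow", "new-connection"
            return ("allow", "outbound") if key in self.table else ("drop", "no-matching-state")
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow", "established"
        return "drop", "no-matching-state"


def run_demo():
    """Decisions of both filters for a constructed traffic sample."""
    school_night = datetime(2024, 3, 5, 23, 30)   # a Tuesday evening (constructed)
    saturday = datetime(2024, 3, 9, 23, 30)       # a Saturday evening (constructed)
    web_syn = Packet(CHILD_PC, "203.0.113.10", 51000, 443, syn=True)
    forged_reply = Packet("198.51.100.7", CHILD_PC, 443, 51001, ack=True)  # no such connection
    stateless, stateful = StatelessFilter(STATELESS_ACL), StatefulFilter()
    out = {
        "stateless_school_night": stateless.decide(web_syn, school_night)[0],
        "stateless_saturday": stateless.decide(web_syn, saturday)[0],
        "stateless_forged_reply": stateless.decide(forged_reply, saturday)[0],
        "stateful_forged_reply": stateful.decide(forged_reply, saturday)[0],
    }
    stateful.decide(web_syn, saturday)            # open a real connection on Saturday
    real_reply = Packet("203.0.113.10", CHILD_PC, 443, 51000, ack=True)
    out["stateful_real_reply"] = stateful.decide(real_reply, saturday)[0]
    return out


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:26s} {verdict}")
```

The curfew rule itself works fine statelessly because it only needs fields of the packet in hand plus the clock. The forged "reply" is where the two filters part ways: the stateless ACL passes it on the strength of the ACK flag, the stateful one drops it because no inside host ever opened that connection.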
• Private addresses, public addresses

Network segmentation
• Network segregation – an ACL that controls which hosts may communicate with which other hosts and what information they may transfer
• Network segmentation – partitioning a single network into two or more, usually smaller, networks; improves efficiency by reducing the size of the broadcast domain
• Network isolation means separating one network from another. This protects one network from the other, but prevents direct communication.
• Two-tiered wireless LAN – 1. Internet wireless for everyone: the Guest zone. 2. Wi-Fi access that lets authenticated Wi-Fi devices reach the company's secure resources.

VLAN
• Which device divides the topology into smaller LANs?
• A VLAN creates a logical network in which to assign hosts
• Once a host is assigned to a VLAN, it follows LAN conventions, as if it were physically part of that LAN
• VLAN membership can be based on:
  • Port-based – the switch port the host is plugged into
  • MAC-based VLAN – the MAC address of the client
  • Protocol-based VLAN
  • 802.1X in combination with dynamic VLANs

Load balancers
• Round-robin type of system
• Session affinity across load-balanced resources
• Performance, number of requests

NAC
• Prohibits hosts from connecting to the organization's infrastructure unless they meet certain criteria
• Is used as an entry point or gateway into the network
• Performs a host health check against a specified set of criteria before allowing the host onto the network (latest antivirus signatures, latest security updates, and other security configuration items)

Securing the LAN
• ARP spoofers steal the MAC addresses of legitimate systems, enabling man-in-the-middle attacks
• Denial-of-service attacks can flood a switch with confusing MAC information
• An attacker can plug in a rogue DHCP server, knocking systems off the network
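Each of the three "Securing the LAN" threats leaves a trace that a switch-side monitor can pick up: an IP suddenly answered for by a second MAC (ARP spoofing), a burst of distinct source MACs on one port (CAM-table flooding), and a DHCP OFFER from a server that is not on the allowlist (rogue DHCP). The block below is an added example, not from the slides, that flags all three from constructed frame records. The allowlisted DHCP server, the flood threshold, the MACs and the port numbers are all made up for the demonstration.

```python
"""Added example, not part of the lecture slides: a monitor that flags the three
LAN threats from 'Securing the LAN' (ARP spoofing, MAC flooding, rogue DHCP)
from constructed frame records.  Addresses, ports and thresholds are made up."""
from collections import defaultdict

AUTHORIZED_DHCP = {"192.168.1.1"}   # constructed allowlist of legitimate DHCP servers
MAC_FLOOD_THRESHOLD = 50            # distinct source MACs on one port before we alert


class LanMonitor:
    """Consumes switch-side frame records and accumulates alerts."""

    def __init__(self):
        self.arp_table = {}                    # ip -> first MAC seen answering for it
        self.macs_per_port = defaultdict(set)  # port -> source MACs seen on that port
        self.alerts = []

    def observe(self, frame):
        """frame: dict with 'port', 'src_mac', 'kind' and kind-specific fields.
        Returns the alerts raised by this frame (possibly none)."""
        new = []
        port, mac = frame["port"], frame["src_mac"]
        seen = self.macs_per_port[port]
        seen.add(mac)
        # A CAM-table flood shows up as a burst of distinct source MACs on one port;
        # alert exactly once, when the threshold is crossed.
        if len(seen) == MAC_FLOOD_THRESHOLD + 1:
            new.append(("mac-flood", port))
        kind = frame["kind"]
        if kind == "arp-reply":
            ip = frame["ip"]
            known = self.arp_table.get(ip)
            if known is None:
                self.arp_table[ip] = mac          # learn the first binding, keep it
            elif known != mac:
                # The same IP is now claimed by a second MAC: classic ARP-spoofing sign.
                new.append(("arp-spoof", ip, known, mac))
        elif kind == "dhcp-offer" and frame["server_ip"] not in AUTHORIZED_DHCP:
            new.append(("rogue-dhcp", port, frame["server_ip"]))
        self.alerts.extend(new)
        return new


def constructed_frames():
    """A constructed capture: a legitimate gateway and DHCP server, a host on port 5
    that impersonates the gateway and offers DHCP leases, and a flood on port 7."""
    frames = [
        {"port": 1, "src_mac": "aa:aa:aa:00:00:01", "kind": "arp-reply", "ip": "192.168.1.1"},
        {"port": 1, "src_mac": "aa:aa:aa:00:00:01", "kind": "dhcp-offer", "server_ip": "192.168.1.1"},
        {"port": 5, "src_mac": "cc:cc:cc:00:00:05", "kind": "arp-reply", "ip": "192.168.1.1"},
        {"port": 5, "src_mac": "cc:cc:cc:00:00:05", "kind": "dhcp-offer", "server_ip": "192.168.1.77"},
    ]
    frames += [{"port": 7, "src_mac": f"dd:dd:dd:00:{i // 256:02x}:{i % 256:02x}", "kind": "data"}
               for i in range(60)]
    return frames


def run_demo():
    """Feed the constructed capture through the monitor and count alerts by kind."""
    mon = LanMonitor()
    for frame in constructed_frames():
        mon.observe(frame)
    counts = defaultdict(int)
    for alert in mon.alerts:
        counts[alert[0]] += 1
    return dict(counts), mon.arp_table


if __name__ == "__main__":
    counts, table = run_demo()
    print("alerts:", counts)
    print("learned ARP bindings:", table)
```

The detector deliberately keeps the first IP-to-MAC binding it learned rather than the newest, which is the same idea as the sticky-MAC and DHCP-guard features described later in the deck: the trusted answer is the one bound to the known port, not the most recent one on the wire.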
Man in the middle
• Scan the hosts
• Basic authentication
• DHCP spoofing

Phishing
• https://www.npinc.ca/wp-content/uploads/2017/03/Office-365-phishing-scam-3.jpg
• https://www.mailguard.com.au/blog/o-365-phishing-180226
• https://medium.com/proferosec-osm/simple-rules-to-protect-against-spoofed-windows-net-phishing-attacks714a2e52dd3c

Secure LAN
• Persistent MAC or sticky MAC addressing
• Some switches can accept DHCP or IPv6 router data only from certain ports (DHCP guard)
• The router queries its DHCP server for the legitimate systems on the network
• Loop prevention – STP
• 802.1X

Proxy servers
• These boxes accept incoming requests from clients and forward those requests to servers
• Forward proxy – blocked URLs, time-of-day restrictions
• Reverse proxy – server protection, strong firewall

Honeypots
• A host designed to be compromised, so it has multiple vulnerabilities
• Placed on the network (DMZ) to attract the attention of malicious hackers, hopefully drawing their interest away from other, more sensitive hosts
• If an attacker victimizes a honeypot, you can study his methods and techniques to help you better protect the actual network against those same methods and techniques
• Logs everything!
• Don't allow the attacker to delete the logs

Honeypot
• Set up to attract and trap people who attempt to penetrate an organization's network
• Logs port access attempts, monitors attacker keystrokes, warns the admins

Honeypot installation
• HoneyBOT
• netstat -ano

Honeypot advantages
• Easy to compromise, draws the attackers' focus
• Tracking the attacks
• Zero days
• Easy to deploy
• Confusing attackers

Honeypots

VPN
IPsec
[Figure: IPsec ESP encapsulation – Original IP header | Datagram becomes New IP header | ESP header | Original IP header | Datagram | ESP trailer | ESP MAC]

IDS
• Signature-based, anomaly-based, heuristic

Port mirror
• A port mirror (also called a Switch Port Analyzer, or SPAN, on Cisco devices) is a special port on a managed switch configured to listen for all data going in and out of the switch. Port mirroring is convenient and easily changed to reflect any changes in your NIDS/NIPS monitoring strategy.

IDS placement
[Figure: Internet – Router – IDS – DMZ – Intranet, with an IDS sensor on each segment]

IDS purpose

IPS
• A network appliance that combines the functions of a firewall and an IDS
• An extension of IDS
• An IPS is able to actively prevent/block detected intrusions on the network

IPS features

Resources
• CND (Certified Network Defender) course
• CompTIA Security+ course
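The IDS slide names three detection styles (signature, anomaly, heuristic) and the IPS slide says the difference between the two devices is whether detected traffic is merely reported or actively blocked. The block below is an added example, not from the slides or from any real IDS product, that puts all of that in one toy sensor fed from a mirrored-port style stream of constructed events: a signature match on the payload, a port-scan anomaly (one source touching many distinct destination ports), and a heuristic rule (an admin path requested from outside the intranet). The same sensor is run once in IDS mode (alert only) and once in IPS mode (block the source). The signature set, thresholds, address ranges and events are all constructed.

```python
"""Added example, not from the slides: a toy sensor with the three IDS detection
styles (signature, anomaly, heuristic) run in IDS mode (alert only) and IPS
mode (block the offending source).  Signatures, thresholds and events are constructed."""
import re
from collections import defaultdict

SIGNATURES = {                       # constructed signature set, matched against the payload
    "dir-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE),
}
SCAN_THRESHOLD = 10                  # distinct destination ports from one source = scan
INTERNAL_PREFIX = "10.0.0."          # constructed intranet range


class Sensor:
    """mode 'ids' only records alerts; mode 'ips' also blocks the source address."""

    def __init__(self, mode="ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.ports_by_src = defaultdict(set)   # anomaly state: ports each source has touched
        self.blocked = set()                   # IPS block list
        self.alerts = []                       # (src, reason)

    def reasons_for(self, ev):
        """All detection reasons that fire for one event (signature, anomaly, heuristic)."""
        reasons = []
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["payload"]):
                reasons.append("signature:" + name)
        ports = self.ports_by_src[ev["src"]]
        ports.add(ev["dport"])
        if len(ports) == SCAN_THRESHOLD:       # fires once, when the threshold is reached
            reasons.append("anomaly:port-scan")
        if ev["payload"].startswith("GET /admin") and not ev["src"].startswith(INTERNAL_PREFIX):
            reasons.append("heuristic:admin-from-outside")
        return reasons

    def inspect(self, ev):
        """Returns 'pass', 'alert' (IDS) or 'block' (IPS) for one event."""
        src = ev["src"]
        if src in self.blocked:                # IPS: everything from a blocked source is dropped
            return "block"
        reasons = self.reasons_for(ev)
        if not reasons:
            return "pass"
        self.alerts.extend((src, r) for r in reasons)
        if self.mode == "ips":
            self.blocked.add(src)
            return "block"
        return "alert"


def constructed_events():
    """A constructed event stream as a port mirror might deliver it to the sensor."""
    events = [
        {"src": "203.0.113.5", "dport": 80, "payload": "GET /index.html"},
        {"src": "203.0.113.5", "dport": 80, "payload": "GET /../../secret.txt"},
        {"src": "203.0.113.5", "dport": 80, "payload": "GET /about.html"},
    ]
    events += [{"src": "198.51.100.9", "dport": p, "payload": ""} for p in range(1, 13)]
    events += [
        {"src": "10.0.0.4", "dport": 80, "payload": "GET /admin"},       # internal admin: fine
        {"src": "203.0.113.77", "dport": 80, "payload": "GET /admin"},   # external admin: suspicious
    ]
    return events


def run_demo():
    """Run the same stream through an IDS and an IPS and tally the decisions."""
    out = {}
    for mode in ("ids", "ips"):
        sensor = Sensor(mode)
        decisions = [sensor.inspect(ev) for ev in constructed_events()]
        out[mode] = {
            "pass": decisions.count("pass"),
            "alert": decisions.count("alert"),
            "block": decisions.count("block"),
            "alerts": len(sensor.alerts),
        }
    return out


if __name__ == "__main__":
    for mode, tally in run_demo().items():
        print(mode, tally)
```

Note what the IPS tally shows: once a source is blocked, its later, perfectly harmless requests are dropped too (the `/about.html` request, the scanner's remaining probes). That is the cost of the "actively prevent/block" capability on the IPS slide, and it is why a false positive on an inline IPS is more expensive than one on a passive IDS listening on a mirror port.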