Welcome to the world of 'network security', which is an unavoidable term in cyber security. This white paper on network security encompasses the most significant and predominantly used networking security concepts, which are highly important for keeping your network environment secure.
COMPREHENSIVE GUIDE ON NETWORK SECURITY
WHITEPAPER

Prepared by: Mr. Venkatesh, Security Engineer @ Briskinfosec BINT Lab
Presented by: NCDRC (National Cyber Defence Research Centre) in collaboration with BINT Lab, www.ncdrc.res.in
1. INTRODUCTION

Welcome to the world of 'network security', which is an unavoidable term in cyber security. This white paper on 'Network security' encompasses the most significant and predominantly used networking security concepts, which are highly important for keeping your network environment secure. Go on to read it!

CONTENTS
- Wireless encryption standards
- Authentication and security on a wireless network
- Network attacks and threats
- Securing networking devices
- Mitigation techniques
- TCP/IP Security
- Organizational Security
- Troubleshooting the Network

WWW.BRISKINFOSEC.COM
2. WIRELESS SECURITY

In this section, we will focus our attention on the importance of wireless security, and then we'll dive into learning and understanding the various wireless encryption standards and technologies that are used to help secure the transmission of traffic on a wireless network. We will also look at different wireless authentication and authorization methods that will aid you in designing and implementing a safer wireless network for your home or office.

2.1 WIRELESS ENCRYPTION STANDARDS

In this section, we are going to dive into the various encryption standards that are used on wireless networks.

2.1.1 WIRED EQUIVALENT PRIVACY (WEP)

WEP is an encryption standard that was used in early generations of wireless networks. WEP uses the RC4 cipher, which provided a 40-bit key for data encryption. In 2002, various security flaws were discovered which allowed an attacker to compromise the encryption key. Due to the weak encryption key, WEP can be compromised within a few hours. It's not recommended to use the WEP encryption standard on wireless networks anymore.

2.1.2 Wi-Fi PROTECTED ACCESS (WPA)

WPA was created in 2002 to fix the security flaws of Wired Equivalent Privacy (WEP). WPA uses the Temporal Key Integrity Protocol (TKIP), which applies the RC4 encryption cipher for data privacy. Furthermore, the initialization vector (IV) is larger on each packet and uses a hash value to produce an encryption key of 128 bits. TKIP uses the secret key combined with the initialization vector (IV); this produces the TKIP value, which changes frequently between the client and the wireless router/access point.

Additionally, a sequence counter is used as a countermeasure against any replay attacks attempted by a hacker or a malicious user. Each packet sent between the wireless router/access point and the client device contains an integrity check, which is done through a 64-bit key to prevent and detect any modification of packets between the sender and receiver. However, as with a lot of technologies, TKIP has its vulnerabilities and was later deprecated for wireless security implementations in 2012.
2.1.3 WI-FI PROTECTED ACCESS 2 (WPA2)

The WPA2 wireless security encryption standard uses the Advanced Encryption Standard (AES) for data encryption rather than RC4. This is an upgrade for data security. Furthermore, WPA2 applied the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which replaced the need for TKIP. CCMP uses a 128-bit key for its data encryption using AES, which creates data blocks of 128 bits in size. Due to the larger data blocks and stronger encryption algorithms being used in WPA2, more computing resources are required.

CCMP provides the following during wireless transmissions:
- Access control
- Confidentiality
- Authentication

3. AUTHENTICATION AND SECURITY ON A WIRELESS NETWORK

In this section, we will cover various wireless authentication and security methods on a wireless network.

3.1 EXTENSIBLE AUTHENTICATION PROTOCOL (EAP)

EAP is a framework that allows a client to authenticate to a wireless network. The Internet Engineering Task Force (IETF) has many Request For Comments (RFC) standards for the EAP framework.
3.2 EAP FLEXIBLE AUTHENTICATION VIA SECURE TUNNELLING (EAP-FAST)

One version of EAP that Cisco proposed was the Lightweight EAP (LEAP), which was considered to be lightweight and secure. However, Cisco has since updated their framework to EAP-FAST, which has improved security on wireless networks.

3.3 EAP TRANSPORT LAYER SECURITY (EAP-TLS)

EAP-TLS provides strong security. TLS has since gained popularity as the successor of the Secure Sockets Layer (SSL). With improved security features, EAP-TLS was widely implemented in wireless devices.
3.4 EAP TUNNELED TRANSPORT LAYER SECURITY (EAP-TTLS)

This version of the TLS tunnel allowed organizations to tunnel other authentication methods and protocols through the EAP tunnel.

3.5 PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL (PEAP)

PEAP was developed by various technology vendors such as Cisco, RSA Security, and Microsoft. PEAP allows EAP within a TLS tunnel. However, it was most commonly implemented as EAP-MSCHAPv2 on Microsoft systems, which allows for authentication against Microsoft's MS-CHAPv2 databases.

On your wireless router or access point, under the Wireless security settings, you will have various security modes to choose from: WEP, WPA, WPA2, and so on. After choosing a security mode, the device will allow you to choose an encryption standard, such as TKIP, AES, or both.

After choosing the encryption mode, the device will allow you to set a Pre-Shared Key (PSK) (better known as WPA2-PSK), which is used during the authentication phase between the wireless router/access point and the client. The WPA2 security mode uses a 256-bit key for data encryption of all traffic to and from the client.
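The 256-bit key mentioned above is derived from the pre-shared passphrase, so its real strength is the passphrase's. The following added example (not from the original paper) shows the IEEE 802.11i passphrase-to-PSK derivation, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, next to a simple passphrase policy check; the function names and the 60-bit policy threshold are this example's own choices.

```python
import hashlib
import math

# WPA2-Personal turns the pre-shared passphrase into the 256-bit Pairwise
# Master Key (PMK) with PBKDF2-HMAC-SHA1: the SSID is the salt and the
# iteration count is fixed at 4096 (IEEE 802.11i passphrase-to-PSK mapping).
PBKDF2_ITERATIONS = 4096
PMK_BYTES = 32  # 256 bits


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK that an AP and a client share on a WPA2-PSK network."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA2 passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, dklen=PMK_BYTES,
    )


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough upper bound on passphrase entropy: length * log2(alphabet size in use).

    The derived key is always 256 bits long, but anyone holding a captured
    handshake only needs to search the passphrase space, so this number, not
    256, is what the "256-bit key" on the router's settings page really buys.
    """
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: not c.isalnum(), 33),  # printable ASCII punctuation and space
    ]
    alphabet = sum(size for test, size in classes if any(test(c) for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def weak_passphrase_findings(passphrase: str, min_bits: float = 60.0) -> list:
    """Return policy findings for a WPA2-PSK passphrase (empty list means acceptable)."""
    findings = []
    if len(passphrase) < 12:
        findings.append("shorter than 12 characters")
    bits = passphrase_entropy_bits(passphrase)
    if bits < min_bits:
        findings.append(f"estimated {bits:.1f} bits of entropy, below {min_bits:.0f}")
    return findings


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password" on SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: the SSID salt changes the PMK, so a
    # precomputed table of PMKs only ever applies to one network name.
    print(wpa2_pmk("password", "HomeWiFi").hex())
    print(weak_passphrase_findings("password"))
```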
3.6 MAC FILTERING

A wireless router can filter on the Media Access Control (MAC) address, which either allows or denies access to the wireless network. However, attackers have found a way to spoof an authenticated client's MAC address. This allows an attacker to bypass the filtering access control list feature on the wireless router/access point. The screenshot below shows the client devices (stations) that are currently authenticated to a wireless router (its Basic Service Set Identifier (BSSID), i.e. the MAC address, and its Extended Service Set Identifier (ESSID), the name of the network). Please note that parts of the MAC addresses and the ESSID have been blurred out for privacy concerns.

3.7 GEOFENCING

Geofencing is where you restrict or allow features when the device is in a particular area, using a client's Global Positioning System (GPS) location service. For example, if a wireless client is outside a geographical area, some features may not work. Therefore, geofencing ensures that users are in a particular area so that they can use a device or feature.

4. NETWORK ATTACKS AND THREATS

In this section, we will dive into understanding the various network security attacks and threats that attackers use in an attempt to destroy a service or compromise an organization's assets for various reasons.
4.1 DENIAL OF SERVICE (DoS) ATTACKS

In various places around the world, whenever a government or an organization does something that citizens or employees don't generally accept, they usually start a protest or a corporate strike. At times, these protests lead to planning an organized strike where the citizens or employees of an organization plan not to show up at their respective workplaces. In the digital world, a DoS attack is the equivalent. Let's take a look at a simple case study of the famous hacktivist group 'Anonymous'. Just to clarify, hacktivism is the use of computers to promote some sort of political agenda or social change, either locally or internationally. Back in 2003, Anonymous was formed through the famous imageboard website (http://www.4chan.org). During this time, 4chan allowed members to create threads and post without using a particular username. This allowed everyone to post as Anonymous, and therefore a person's identity could be concealed for privacy and anonymity. Some of their attacks involved a network stress test tool named Low Orbit Ion Cannon (LOIC).

The tool was used to send a continuous stream of TCP or UDP packets to a single server or website. The recipient, upon receiving each packet, needs to process and respond accordingly, and eventually stops responding to legitimate requests.
4.1.1 REFLECTIVE

In a reflective attack, the attacker sends unsolicited requests to a server using the victim's IP address as the source IP address. This impersonation process is known as spoofing. When the server receives the request from the attacker, it sends its replies to the source IP address within the IP packets it has received. Therefore, all of the responses will go to the victim's machine and not to the attacker's.

4.1.2 AMPLIFIED

The amplified attack is similar to the reflective attack. In an amplified attack, the attacker spoofs the IP address of the victim and sends a continuous stream of unsolicited messages (requests) to multiple servers, such as DNS servers. When each server processes each packet, they all respond to the victim's machine. The victim's machine will constantly be flooded with messages from various online servers.
4.1.3 DISTRIBUTED

In a Distributed Denial-of-Service (DDoS) attack, the victim receives a continuous stream of unsolicited messages from multiple sources. This type of attack is similar to the amplified attack. On 1st March 2018, The Hacker News (www.thehackernews.com) reported one of the biggest DDoS attacks to ever take place. This humongous 1.35 TB attack hit the famous GitHub website (www.github.com).

4.2 SOCIAL ENGINEERING

Social engineering is the art of manipulating or convincing a person to reveal private or confidential information about someone or something. Most of the time, the victim inadvertently provides sensitive information to the attacker. The following are the phases in which an attacker executes a social engineering attack:
- The attacker performs reconnaissance on the target/potential victim.
- The attacker develops a relationship with the victim (employees). This is used to build trust.
- Finally, the attacker exploits their relationship with the victim.
To prevent social engineering attacks, an organization must ensure the following:
- Sufficient training is provided to each employee.
- Appropriate security policies, procedures, and controls are in place.
- Access to information is regulated and monitored.

4.3 INSIDER THREAT

In each organization, whether large or small, there is at least one employee who is disgruntled about their current position within the organization. A disgruntled employee is one of the biggest threats to any company, as this person already knows the organization's procedures and systems, and has access to the company's assets such as financial and customer records, confidential information, and so on. A lot of the time, whenever an employee leaves a company on bad terms, they have the idea of causing the organization some sort of harm upon their resignation or termination.

4.4 LOGIC BOMB

A logic bomb is a type of virus that remains in a dormant state until a particular action is executed on the system it has infected. How can a logic bomb be used in a real-world situation?

Let's imagine a hacker has compromised a server that has very important and confidential data on the local drives. The hacker installs a backdoor and a logic bomb. As I've previously mentioned, a backdoor is a doorway in the operating system that is used to allow a hacker to gain entry into the system. When the hacker has completed his objectives on the compromised system, the last step is to cover their tracks: remove any logs, files, and traces, as they would reveal what the hacker has done on the system.
At times, an organization may have an internal incident response team or hire an external team to perform digital forensics on the compromised system to determine what happened and who did the crime. This is where the logic bomb plays its role. During the acquisition phase (obtaining evidence), which is performed by the forensics experts on the live system, the logic bomb may be triggered to unleash its payload, which may wipe the entire hard drive of the organization's system and remove any further evidence.

4.5 ROGUE ACCESS POINT (AP)

One of the many popular methods of wireless hacking is setting up a rogue AP. A rogue AP is used by a hacker who uses a wireless router of his/her own and creates a Service Set Identifier (SSID), or network name, in the hope of attracting people to connect to it. The name of the SSID would be something that would definitely attract users, such as VIP Access, free Wi-Fi, or even the name of a popular coffee house. The goal is to get people to connect, and while they are browsing the internet, the hacker intercepts all their network traffic, looking for any sensitive or confidential information.

A simple mitigation technique is to not connect to any wireless network that has a suspicious name or something that you don't trust. Sometimes, upon seeing an open wireless network, somebody might think it's a gold mine that has free internet access. However, to a hacker, it's bait, and their gold mine would be the victim's intercepted traffic and data.
4.6 EVIL TWIN

An Evil twin is similar to the rogue access point model, but the evil twin is either a wireless router or an access point that's deployed on a company's network by a hacker or a malicious user. This method allows the hacker to capture sensitive data while mobile users access the company's network. A little, pocket-sized device is used by both hackers and penetration testers for auditing wireless networks. The device shown above is known as the Wi-Fi Pineapple.

Countermeasures for both rogue APs and Evil twin deployments are as follows:
- Conduct regular wireless audits using a Wi-Fi spectrum analyser such as inSSIDer (www.metageek.com), to scan for any suspicious wireless routers in range.
- Train staff in wireless security awareness.

4.7 WAR-DRIVING

Some of us, upon getting our first Wi-Fi enabled device such as a laptop, would probably have had the thought of driving around the neighbourhood, looking for anyone with an open wireless network for free internet access. A hacker would probably attempt to do the same, driving around a community or neighbourhood looking for any open wireless networks, connecting to them and intercepting the traffic, or compromising the network devices with malicious intentions.
Usually, the devices used in a war-driving scenario would be a laptop preloaded with a penetration testing Linux distribution such as Kali Linux (www.kali.org), and a high-gain wireless antenna which supports wireless packet injection and monitoring.

The following are some countermeasures for war-driving:
- Ensure that your wireless network is secured using strong encryption standards.
- Ensure that your password for the wireless network is very strong.
- Do not leave your wireless network open.
- Do not place wireless routers or access points close to the outer perimeter of a compound or a building.

4.8 RANSOMWARE

Hackers usually compromise an online server and inject their malicious code into the server or the files on the server. Then, a regular user (potential victim) accesses the resources on the server or simply visits the website, and the user downloads a malicious file onto his system without knowing it is harmful. Alternatively, the malicious code on the web server attempts to push itself onto the potential victim's system. Regardless of which method is used, once the malicious file executes on the victim's system, it immediately begins to encrypt the entire local drives using a secret key (a passphrase or a digital certificate). While this is being done, it attempts to spread across the network. When the system is encrypted with ransomware, it becomes unusable, with a single screen presented to the victim informing them to pay a ransom. The ransom would be something of monetary value, either asking the victim to provide their credit card details or to pay through some sort of crypto-currency, such as Bitcoin.
Some countermeasures for ransomware are as follows:
- Implement a next-generation firewall.
- Implement endpoint security and ensure that virus definitions are up to date.
- Implement anti-ransomware protection on end devices.
- Ensure that your systems have the latest patches and updates installed.
- Implement data backup and retention policies. If a victim does not pay the ransom, he can still restore data from a last known good backup.

4.9 DNS POISONING

If a hacker is able to compromise a DNS server and modify the DNS records, an unsuspecting user may visit an incorrect website, even though the hostname is accurate. At this point, you may be wondering what the impact and effects of an attacker performing DNS poisoning on an organization or an individual are. For a security incident of this nature to occur, either the DNS records of the DNS server used by the victim were compromised and modified, or the DNS server IP configuration was modified on the victim's computer so that it was resolving entries on the attacker's DNS server.

There are many records in a DNS server. The following are the most commonly used entries:
Using the nslookup command on Windows, you can troubleshoot DNS issues. By simply executing the nslookup command, your current DNS server settings will be presented:

C:\>nslookup
Default Server: one.one.one.one
Address: 2606:4700:4700::1111

4.10 ARP POISONING

One of the most popular protocols that exists between the Data Link and the Network Layers of the OSI reference model is the Address Resolution Protocol (ARP). ARP mostly operates at the Data Link layer, and its purpose is to resolve IP addresses to Media Access Control (MAC) addresses. You may be wondering, why do devices on a network need to resolve IP addresses to MAC addresses?

A switch is a layer 2 device, and is only able to read the layer 2 header of the frame. This part of the frame contains only MAC addresses, so if devices are using the Internet Protocol (IP) to communicate on a local network, the switches will not be able to read the Network Layer header, which contains the IP addresses. Therefore, all communication that occurs on a local network uses layer 2 (MAC) addressing instead of IP addressing.

Using the arp -a command on Windows, we can see the current ARP entries of the local device:
ARP poisoning is where an attacker sends intentional gratuitous ARP messages to a potential victim's machine, in effect causing the victim's machine to update its ARP cache.

Let's take a look at the following diagram to get a better understanding of an ARP poisoning attack. Whenever PC1 wants to send traffic out to the internet, it sends it to its default gateway using the router's MAC address, BB:BB:BB:BB:BB:BB. The router, in return, will record the PC1 MAC address, AA:AA:AA:AA:AA:AA. Let's imagine that an attacker has joined the network, as shown in the following diagram. The attacker is attempting an ARP cache poisoning attack. The attacker's machine will send a Gratuitous ARP message to PC1, telling it that the default gateway's IP-to-MAC mapping has been updated to 192.168.1.1 – CC:CC:CC:CC:CC:CC.

The effect of this change on PC1 will be that all of the traffic destined outside of the local network and to the default gateway will now be sent to the attacker's machine. Furthermore, the attacker will send a Gratuitous ARP message to the router, informing it that the MAC address of 192.168.1.10 has been updated to CC:CC:CC:CC:CC:CC. Therefore, returning traffic for 192.168.1.10 will now be sent to the attacker's machine. This is both an ARP cache poisoning and a Man-In-The-Middle (MITM) attack, as all traffic between PC1 and the router will be passing through the attacker.
4.11 DE-AUTHENTICATION

Whenever we connect to a wireless network using devices like a smartphone, laptop, and others, this connection is known as an association between the client and the wireless router/access point. A de-authentication attack focuses on bumping all of the wireless devices that are connected to a wireless router/access point off the network. From an attacker's point of view, the attacker's machine does not need to be connected/associated to the target wireless network; it only needs to be within range of the wireless signal. The effect of this type of attack is to create a Denial-of-Service (DoS) attack for the clients who are connected to the wireless network.

4.12 BRUTE FORCE

Let's imagine you're a construction worker who's been hired to break down a wall. Unfortunately, you don't have any heavy machinery to aid in the process, but you have a sledgehammer. You know this won't be enough, because after the first strike at the wall, you haven't done any damage. If you continue striking the wall with the same sledgehammer, you'll eventually notice that the wall begins to crack and shatter. This is the effect of brute force.

So, how does a brute force attack work in the digital world? Let's imagine that an attacker is trying to crack a password for the login portal of a victim's web server. Let's take a look at the following login page for the Joomla web framework:
If an attacker has figured out a user's username, he can try all of the possible passwords in the Password field on the portal. This is provided that the website administrator has not modified the administrator login in any way. This would mean that the attacker's machine will slam in all password possibilities until the correct password is found. A brute force attack is almost always successful. However, the downside is that the time it takes to crack the system is very long.

5. TCP/IP SECURITY

In the early days, during the creation of protocols and TCP/IP, security wasn't a huge concern. Cyber criminals and cyber terrorists weren't even a thing to be petrified of, and the term hacker referred to a person who was a computer wizard, not what it is known for today. As time passes and technology evolves, there are more cyber threats each day. The former CEO of Cisco Systems once said the following: "There are two types of companies: those that have been hacked, and those who don't know they have been hacked."

5.1 VULNERABILITIES ON EACH LAYER OF THE TCP/IP STACK
- Vulnerabilities at the Application Layer
- Vulnerabilities at the Transport Layer
- Vulnerabilities at the Internet Layer
- Vulnerabilities at the Network Access/Link Layer
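For the brute-force attack on the Joomla administrator login described in Section 4.12 above, the defender's side is noticing the long run of failures. The following added example (not from the original paper) scans a constructed login log with a sliding window, raises an alert and a lockout when one source or one account exceeds the failure threshold, and flags a success that arrives during a lockout; the log format, thresholds and names are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original paper): one line per login
# attempt at a Joomla administrator portal: timestamp, client IP, username, outcome.
# A legitimate editor mistypes once; 203.0.113.7 hammers the admin account
# and eventually guesses right.
SAMPLE_LOG = """\
2018-03-01T10:00:00 198.51.100.5 editor FAIL
2018-03-01T10:00:07 198.51.100.5 editor OK
2018-03-01T10:01:00 203.0.113.7 admin FAIL
2018-03-01T10:01:01 203.0.113.7 admin FAIL
2018-03-01T10:01:02 203.0.113.7 admin FAIL
2018-03-01T10:01:03 203.0.113.7 admin FAIL
2018-03-01T10:01:04 203.0.113.7 admin FAIL
2018-03-01T10:01:05 203.0.113.7 admin FAIL
2018-03-01T10:01:06 203.0.113.7 admin OK
2018-03-01T10:30:00 198.51.100.5 editor FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


class BruteForceDetector:
    """Sliding-window failed-login detector with a lockout decision.

    `threshold` failures from one IP, or against one account, inside
    `window_seconds` raises one alert and locks that key out for
    `lockout_seconds`. A success while the source or account is locked out is
    reported separately, since it most likely means the guess succeeded.
    """

    def __init__(self, threshold=5, window_seconds=60, lockout_seconds=900):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.lockout = timedelta(seconds=lockout_seconds)
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> datetime

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()                     # forget failures outside the window
        return q

    def is_locked(self, key, now):
        return key in self.locked_until and now < self.locked_until[key]

    def observe(self, now, ip, user, ok):
        """Feed one attempt; return a list of alert tuples (possibly empty)."""
        alerts = []
        keys = (("ip", ip), ("user", user))
        if ok:
            if any(self.is_locked(k, now) for k in keys):
                alerts.append(("success-during-lockout", ip, user))
            return alerts
        for key in keys:
            q = self._recent_failures(key, now)
            q.append(now)
            # Fire once, when the window first fills, and start the lockout.
            if len(q) == self.threshold and not self.is_locked(key, now):
                self.locked_until[key] = now + self.lockout
                alerts.append(("brute-force", key[0], key[1]))
        return alerts


def scan_log(text, **kwargs):
    """Run the detector over a whole log and return every alert in order."""
    detector = BruteForceDetector(**kwargs)
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts = datetime.fromisoformat(m.group(1))
        alerts.extend(detector.observe(ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The lockout decision is what a web application firewall or the portal's own rate limiter would enforce; the `success-during-lockout` alert is the one to route to incident response.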
5.1.1 VULNERABILITIES AT THE APPLICATION LAYER

The Application Layer of the TCP/IP stack consists of the Application, Presentation, and Session Layers of the OSI reference model. As we've learned before, whenever a computer wants to send traffic (datagrams) to the network, the creation of the Protocol Data Units (PDUs) begins at the top of the TCP/IP stack, the Application Layer.

The following are some of the application layer protocols to which we must give close attention on our network:
- File Transfer Protocol (FTP)
- Telnet
- Secure Shell (SSH)
- Simple Mail Transfer Protocol (SMTP)
- Domain Name System (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- Hypertext Transfer Protocol (HTTP)

Each of these protocols was designed to provide the function it was built to do, with a lesser focus on security. Malicious users and hackers are able to compromise both the applications that utilize these protocols and the network protocols themselves. Here is the list of major problems that occur at the Application Layer:

PROBLEMS
- Cross Site Scripting (XSS)
- SQL injection (SQLi)
- Lightweight Directory Access Protocol (LDAP) injection
- Cross-Site Request Forgery (CSRF)
- Session hijacking
- Cookie poisoning
DNS
- Distributed Denial-of-Service (DDoS)
- Registrar hijacking
- Cache poisoning
- Typosquatting / URL Hijacking

5.1.2 VULNERABILITIES AT THE TRANSPORT LAYER

FINGERPRINTING

Fingerprinting isn't always used by hackers or those with malicious intent. This technique is also used by system/network administrators, network security engineers, and cyber security professionals alike. Imagine you're a network administrator assigned to secure a server; apart from applying system hardening techniques such as patching and configuring access controls, you would also need to check for any open ports that are not being used. Each network protocol running at the Application Layer of the TCP/IP stack binds itself to a logical port within the operating system to accept incoming traffic.

Let's take a look at a more practical approach to fingerprinting in the computing world. We have a target machine, 10.10.10.100, on our network. As a hacker or a network security professional, we would like to know which TCP and UDP ports are open, the services that use the open ports, and the service daemon running on the target system. In the following screenshot, we've used Nmap to help in discovering the information we are seeking. The Nmap tool delivers specially crafted probes to a target machine:
ENUMERATION

In a cyber attack, the hacker uses enumeration techniques to extract information about the target system or network. This information will aid the attacker in identifying system attack points. The following are the various network services and ports that stand out for a hacker:
- Port 53: DNS zone transfer and DNS enumeration
- Port 135: Microsoft RPC Endpoint Mapper
- Port 25: Simple Mail Transfer Protocol (SMTP)

DNS ENUMERATION

DNS enumeration is where an attacker is attempting to determine whether there are other servers or devices that carry the domain name of an organization. Let's take a look at how DNS enumeration works. Imagine we are trying to find out all the publicly available servers that Google has on the internet. Using the host utility in Linux and specifying a hostname, host www.google.com, we can see the IP address 172.217.6.196 has been resolved successfully. This means there's a device with a hostname of www.google.com active. Furthermore, if we attempt to resolve the hostname gmail.google.com, another IP address is presented, but when we attempt to resolve mx.google.com, no IP address is given. This is an indication that there isn't an active device with the mx.google.com hostname, as shown below:
DNS ZONE TRANSFER

DNS zone transfer allows the copying of the master file from a DNS server to another DNS server. There are times when administrators do not configure the security settings on their DNS server properly, which allows an attacker to retrieve the master file containing a list of the names and addresses of a corporate network.

MICROSOFT RPC ENDPOINT MAPPER

Not too long ago, CVE-2015-2370 was recorded in the CVE database at https://cve.mitre.org. This vulnerability took advantage of the authentication implementation of the Remote Procedure Call (RPC) protocol in various versions of the Microsoft Windows platform, in both desktop and server operating systems. A successful exploit would allow an attacker to gain local privileges on a vulnerable system.

SMTP

SMTP is used in mail servers, as are POP and the Internet Message Access Protocol (IMAP). SMTP is used for sending mail, while POP and IMAP are used to retrieve mail from an email server. SMTP supports various commands, such as EXPN and VRFY. The EXPN command can be used to verify whether a particular mailbox exists on a local system, while the VRFY command can be used to validate a username on a mail server. An attacker can establish a connection between the attacker's machine and the mail server on port 25. Once a successful connection has been established, the server will send a banner back to the attacker's machine displaying the server name and the status of the port (open). Once this occurs, the attacker can then use the VRFY command followed by a username to check for a valid user on the mail system, using the syntax VRFY bob.
SYN FLOODING

One of the protocols that exist at the Transport Layer is TCP. TCP is used to establish a connection-oriented session between two devices that want to communicate or exchange data. Let's recall how TCP works. There are two devices that want to exchange some messages, Bob and Alice. Bob sends a TCP Synchronization (SYN) packet to Alice, and Alice responds to Bob with a TCP Synchronization/Acknowledgment (SYN/ACK) packet. Finally, Bob replies with a TCP Acknowledgement (ACK) packet. The following diagram shows the TCP 3-Way Handshake mechanism:

For every TCP SYN packet received on a device, a TCP SYN/ACK packet must be sent back in response, and the device must hold state for that half-open connection until the final ACK arrives. One type of attack that takes advantage of this design flaw in TCP is known as a SYN Flood attack. In a SYN Flood attack, the attacker sends a continuous stream of TCP SYN packets to a target system. This would cause the target machine to process each individual packet and respond accordingly. Eventually, with the high influx of TCP SYN packets, the target system will become too overwhelmed and stop responding to any requests.
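The half-open state described above is both what a SYN flood exhausts and what a defender can count. The following added example (not from the original paper) replays a constructed packet summary through a handshake tracker that reports sources with many embryonic connections, and sketches the standard mitigation, a SYN cookie, in which the server's initial sequence number is an HMAC over the connection 4-tuple and a time slot so that no state is kept until the client's ACK proves it is real. The record format, addresses, threshold and function names are this example's own assumptions, and the cookie is simplified (real implementations also encode the MSS).

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed packet summaries (not from the original paper), one tuple per
# segment: (seconds, src_ip, src_port, dst_ip, dst_port, TCP flags).
# Bob (192.168.1.10) completes a normal handshake with the server 10.10.10.100:80;
# the flooder 203.0.113.9 sends 200 SYNs from different ports and never ACKs.
SERVER = "10.10.10.100"
SAMPLE_PACKETS = [
    (0.00, "192.168.1.10", 40001, SERVER, 80, "S"),
    (0.01, SERVER, 80, "192.168.1.10", 40001, "SA"),
    (0.02, "192.168.1.10", 40001, SERVER, 80, "A"),
]
for i in range(200):
    SAMPLE_PACKETS.append((1.0 + i / 1000, "203.0.113.9", 50000 + i, SERVER, 80, "S"))
    SAMPLE_PACKETS.append((1.0 + i / 1000 + 0.0005, SERVER, 80, "203.0.113.9", 50000 + i, "SA"))


class HalfOpenTracker:
    """Follow the 3-way handshake and count embryonic connections per client IP."""

    def __init__(self, per_source_threshold=100):
        self.threshold = per_source_threshold
        self.half_open = {}  # (client_ip, client_port, server_ip, server_port) -> SYN time

    def feed(self, t, src, sport, dst, dport, flags):
        key = (src, sport, dst, dport)
        if "R" in flags:
            # A reset from either side tears the embryonic connection down.
            self.half_open.pop(key, None)
            self.half_open.pop((dst, dport, src, sport), None)
        elif "S" in flags and "A" not in flags:
            self.half_open[key] = t        # client SYN: the server must now hold state
        elif "A" in flags and "S" not in flags:
            self.half_open.pop(key, None)  # client's final ACK completes the handshake
        # The server's SYN/ACK ("SA") changes nothing in this view.

    def half_open_by_source(self):
        counts = defaultdict(int)
        for client_ip, _, _, _ in self.half_open:
            counts[client_ip] += 1
        return dict(counts)

    def suspects(self):
        return sorted(ip for ip, n in self.half_open_by_source().items() if n >= self.threshold)


def scan(packets, **kwargs):
    tracker = HalfOpenTracker(**kwargs)
    for pkt in sorted(packets):
        tracker.feed(*pkt)
    return tracker


# Mitigation sketch: a SYN cookie lets the server answer SYNs without storing
# state. The initial sequence number is an HMAC over the 4-tuple and a coarse
# time slot; a returning ACK is genuine only if ack_number == cookie + 1.
def syn_cookie(secret, client_ip, client_port, server_ip, server_port, slot):
    msg = f"{client_ip}:{client_port}>{server_ip}:{server_port}@{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def ack_is_valid(secret, client_ip, client_port, server_ip, server_port, ack_number, slot):
    # Accept the current slot and the previous one so a slow but honest client still connects.
    for s in (slot, slot - 1):
        expected = (syn_cookie(secret, client_ip, client_port, server_ip, server_port, s) + 1) & 0xFFFFFFFF
        if expected == ack_number:
            return True
    return False


if __name__ == "__main__":
    tr = scan(SAMPLE_PACKETS)
    print(tr.half_open_by_source())
    print("suspects:", tr.suspects())
```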
5.1.3 VULNERABILITIES AT THE INTERNET LAYER

The Internet Layer (TCP/IP stack) and the Network Layer (OSI model) are the places where the Internet Protocol (IP) resides. The Internet Layer and the Network Layer are responsible for IPv4 and IPv6 addressing, and routing IP packets. Various routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System-Intermediate System (IS-IS), Enhanced Interior Gateway Routing Protocol (EIGRP), and Border Gateway Protocol (BGP) operate here. There are many weaknesses/flaws which an attacker can leverage by simply exploiting the design of the Internet Protocol (IP).

ROUTE SPOOFING

Route spoofing is where an attacker attempts to inject fake routes into the routing table of a device. The routing table is used as a forwarding database for a local device such as a computer, multilayer switch, router, or firewall to determine a path for sending traffic to a specific destination. If an attacker has successfully injected spoofed/fake routes into a target device, this will cause the victim's machine to re-route its outgoing network traffic to another path, which may allow the attacker to intercept it.

On a Windows system, to view the routing table, simply use the route command (route print) in Command Prompt:
To view the routing table of a Cisco IOS router, you can use the "show ip route" command, as shown in the following screenshot:

However, it is recommended to ensure route authentication is turned on between routers that are participating in RIP, EIGRP, OSPF, and BGP routing. It is good practice to ensure only authenticated routing information is exchanged between peer routers on a network.

IP ADDRESS SPOOFING

An IP spoofing attack is where an attacker modifies the source IP address of traffic originating from his machine. The purpose of this attack is to mask the attacker's identity and make the attack seem to originate from another source, or to cause a reflective attack.

Both IPv4 and IPv6 are vulnerable to IP spoofing attacks, and so are the protocols that run over IP, such as the following:

INTERNET CONTROL MESSAGE PROTOCOL (ICMP)

ICMP is a very useful protocol that helps network professionals to determine whether there are any issues in a network segment and their possible causes. Even though one of the main functions of this protocol is to aid systems and networking professionals in their troubleshooting and diagnostics when checking connectivity on a network, this protocol can also be used for malicious activities by an attacker, such as:
- DoS vulnerability in ICMP
- Smurf attack
- Teardrop attack
- Ping of Death (PoD)
DOS VULNERABILITY IN ICMP

In 2004, a DoS security vulnerability was published by the National Vulnerability Database (https://nvd.nist.gov) with the ID CVE-2004-1060. This recorded security vulnerability allowed an attacker to cause a reduction in network performance by sending unsolicited and fake ICMP packets with a low next-hop Maximum Transmission Unit (MTU) value.

SMURF ATTACK

A Smurf attack is a form of DDoS attack that takes advantage of ICMP. In a Smurf attack, the attacker sends a continuous stream of ICMP messages to an IP network using an IP broadcast address as the destination, while spoofing the IP address of the potential victim's machine as the source IP address. Therefore, each device that receives an ICMP message from the attacker with the spoofed IP address will attempt to respond. If there are a lot of devices on the broadcast network, they will all be replying to the spoofed packets. This will result in a DDoS attack on the victim.

TEARDROP ATTACK

A Teardrop attack is another type of DoS attack. It leverages a design flaw in the TCP/IP fragmentation reassembly process. In a teardrop attack, the attacker sends fragments of packets to a potential victim. As noted on older operating systems such as Windows 3.1x, Windows 95, Windows NT, and versions of the Linux kernel 2.1.63, the receiving machine cannot reassemble the packets due to a bug in TCP/IP fragmentation reassembly. Since the receiving system cannot reassemble the packet, the fragments will eventually begin to overlap each other. The host operating system will not be able to handle this type of fragmentation, and it will crash.
PING OF DEATH (PoD)

In a PoD attack, the attacker sends a specially crafted ping packet greater than 65,536 bytes to a victim machine. Since TCP/IP supports fragmentation of packets across a network, a malicious user is able to take advantage of this feature by breaking down a packet of 65,536 or more bytes into smaller pieces. This would allow the attacker to send these smaller pieces to a victim. When the victim's machine reassembles the pieces, many operating systems won't know how to process this large packet and will either freeze, reboot, or crash. This is another form of DoS attack.

5.1.4 VULNERABILITIES AT THE NETWORK ACCESS/LINK LAYER

The Data Link Layer (layer 2) is responsible for error checking, reassembly of frames, delivery of frames, Media Access Control (MAC) addressing, and flow control of frames as they are sent and received on the network. The Physical Layer (layer 1) is responsible for the electrical and mechanical functions and for delivering the bits from one device to another. As the name suggests, the Physical Layer is the physical media used for transmission of the bits, such as the cables, hubs, radio frequency, and so on.

We will group the vulnerabilities under the Data Link and the Physical Layers of the OSI reference model.

DATA LINK LAYER

Here, we will be discussing the vulnerabilities that affect the Data Link Layer:
- Address Resolution Protocol (ARP) poisoning
- Sniffing
- Broadcast storms
- VLAN hopping
ARP POISONING

ARP was designed to resolve IP addresses to MAC addresses on a network. All devices on a Local Area Network (LAN) use MAC addresses for communication between one device and another. However, there are times when a device has only the IP address of its destination. In this situation, the sender device would send an ARP request out on the LAN, and if a device has the IP address contained in the ARP request message, it responds with its MAC address. The IP is now bound to the MAC address in the local ARP cache of the sender.

An attacker may attempt to modify the ARP cache of a victim's machine by sending a Gratuitous ARP with an update containing a change to the MAC address of an existing entry within the victim's ARP cache. If the change is successful on the victim's machine, any traffic destined for the IP address will now be sent to the device that has the new MAC address specified in the Gratuitous ARP message. This would allow the attacker to either intercept traffic or re-route the victim's traffic on the network.

SNIFFING

Sniffing is the monitoring of data packets as they pass through the network or between devices. A sniffer is usually a software application that has the ability to present raw network traffic as human-readable information for analysis. Sniffers are used by both the good and the bad guys. The good guys, such as network engineers, use a sniffer to help in determining problems on a network. A security engineer would use a sniffer to monitor network traffic for any type of security intrusion, such as malware traversing the network. However, an attacker would use a sniffer to determine the types of services that are being used on a victim's network and to find any confidential or sensitive information passing across the network.
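The Gratuitous ARP update described here and the PC1/router/attacker sequence of Section 4.10 leave two traces a defender can watch for: a reply nobody requested, and an IP whose MAC binding changes against a known baseline. The following added example (not from the original paper) replays constructed ARP records through a passive monitor, in the spirit of arpwatch or a switch's Dynamic ARP Inspection, and reports both signals plus the single MAC that ends up answering for two IPs; the record format, class and function names are this example's own assumptions.

```python
from collections import defaultdict

# Constructed ARP traffic (not from the original paper) that replays the
# Section 4.10 scenario: PC1 is 192.168.1.10 (AA:...), the router is
# 192.168.1.1 (BB:...), and the attacker's machine is CC:... .
# Each record: (seconds, opcode, sender_ip, sender_mac, target_ip).
SAMPLE_ARP = [
    (0.00, "request", "192.168.1.10", "AA:AA:AA:AA:AA:AA", "192.168.1.1"),
    (0.10, "reply",   "192.168.1.1",  "BB:BB:BB:BB:BB:BB", "192.168.1.10"),
    (0.15, "request", "192.168.1.1",  "BB:BB:BB:BB:BB:BB", "192.168.1.10"),
    (0.20, "reply",   "192.168.1.10", "AA:AA:AA:AA:AA:AA", "192.168.1.1"),
    # The attacker joins and poisons both sides with gratuitous replies.
    (5.00, "reply",   "192.168.1.1",  "CC:CC:CC:CC:CC:CC", "192.168.1.10"),
    (5.10, "reply",   "192.168.1.10", "CC:CC:CC:CC:CC:CC", "192.168.1.1"),
    (6.00, "reply",   "192.168.1.1",  "CC:CC:CC:CC:CC:CC", "192.168.1.10"),
]


class ArpWatch:
    """Passive ARP monitor in the spirit of arpwatch / Dynamic ARP Inspection.

    A baseline IP-to-MAC table is learned from the first binding seen (or
    supplied from a trusted inventory); later conflicting replies are reported
    but never adopted, which is exactly where a victim's ARP cache differs.
    """

    def __init__(self, trusted_bindings=None):
        self.table = {ip: mac.lower() for ip, mac in (trusted_bindings or {}).items()}
        self.pending = set()             # (requester_ip, target_ip) awaiting a reply
        self.claims = defaultdict(set)   # mac -> set of IPs it has claimed
        self.alerts = []

    def feed(self, t, opcode, sender_ip, sender_mac, target_ip):
        sender_mac = sender_mac.lower()
        if opcode == "request":
            self.pending.add((sender_ip, target_ip))
        else:
            # A reply nobody asked for is a gratuitous ARP. Legitimate on its own
            # (hosts announce themselves after DHCP or failover), so it is logged
            # at low confidence; the binding check below is the strong signal.
            if (target_ip, sender_ip) in self.pending:
                self.pending.discard((target_ip, sender_ip))
            else:
                self.alerts.append((t, "unsolicited-reply", sender_ip, sender_mac))
        self.claims[sender_mac].add(sender_ip)
        self._check_binding(t, sender_ip, sender_mac)

    def _check_binding(self, t, ip, mac):
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac          # first sighting becomes the baseline
        elif known != mac:
            self.alerts.append((t, "binding-changed", ip, f"{known} -> {mac}"))

    def macs_claiming_multiple_ips(self):
        """One MAC answering for several IPs is the signature of a man-in-the-middle."""
        return sorted(mac for mac, ips in self.claims.items() if len(ips) > 1)


def replay(records, trusted_bindings=None):
    watch = ArpWatch(trusted_bindings)
    for rec in records:
        watch.feed(*rec)
    return watch


if __name__ == "__main__":
    w = replay(SAMPLE_ARP)
    for alert in w.alerts:
        print(alert)
    print("suspect MACs:", w.macs_claiming_multiple_ips())
```

Static ARP entries on critical hosts and DHCP snooping with Dynamic ARP Inspection on the switch stop most such replies from reaching a victim; a monitor like this catches what still gets through.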
BROADCAST STORMS

A broadcast storm is an extremely concentrated amount of broadcast traffic being flooded by either one or multiple devices on a network. Each device on a network receives a broadcast message and processes it accordingly. Imagine there are hundreds of people within a single room (network) and everyone is shouting at another person (broadcasting); no one in the room will be able to process and communicate properly as there would be a lot to process and a lot of noise. This is how a broadcast storm works on a network. Eventually, after a few minutes, the network's performance will degrade gradually and it may eventually become crippled.

VLAN HOPPING

VLAN hopping allows an attacker to access the network resources and traffic of other VLANs that are normally inaccessible. VLAN hopping attacks occur on switches with their physical ports configured to convert into a trunk port automatically. A trunk allows the traffic of multiple VLANs to pass across simultaneously. The Cisco Dynamic Trunking Protocol (DTP) is susceptible to VLAN hopping attacks. The attacker can establish a physical connection to a switch and inject specially crafted IEEE 802.1Q frames into the switch port. If auto-trunking is enabled, the port will be converted into a trunk. This would then allow the attacker to access all VLANs on the network.

PHYSICAL LAYER

Here, we will outline and discuss various vulnerabilities at the physical layer.

WIRETAPPING

Wiretapping is a type of sniffing that involves the monitoring of a telephone system and internet conversations. This allows an attacker to actively or passively monitor, intercept, and record any conversations on the wire.

Wiretapping is done by placing a physical component inline, on the telephone wire or the network cable.
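Both of the layer 2 conditions above can be spotted by looking at the frames themselves: a storm shows up as a per-second broadcast count that no single host should produce, and a VLAN hopping attempt via 802.1Q typically arrives as a frame carrying more than one tag on a port that should carry none. The following added example (not from the whitepaper) builds a few Ethernet II frames, parses the destination address and the 802.1Q tag stack, and reports storm seconds and double-tagged frames; the thresholds, MAC addresses and `analyze`/`sample_capture` names are assumptions made for this example.

```python
import struct
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

BROADCAST = b"\xff" * 6
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vlans: Tuple[int, ...] = (), payload: bytes = b"") -> bytes:
    """Construct an Ethernet II frame with zero or more stacked 802.1Q tags (sample input only)."""
    frame = dst + src
    for vid in vlans:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> Dict:
    """Return dst, src, the VLAN IDs in tag order (outer first), and the inner ethertype."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src, offset, vlans = frame[:6], frame[6:12], 12, []
    while len(frame) >= offset + 4 and struct.unpack("!H", frame[offset:offset + 2])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        offset += 4
    if len(frame) < offset + 2:
        raise ValueError("truncated tag stack")
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": dst, "src": src, "vlans": vlans, "ethertype": ethertype}


def analyze(capture: List[Tuple[float, bytes]], storm_pps: int = 100) -> Dict:
    """Flag per-second broadcast rates above storm_pps and frames carrying more than one 802.1Q tag.

    A frame with two tags seen on an access port is the double-tagging pattern: the first
    switch strips the outer tag and the inner one carries the frame into another VLAN.
    """
    broadcast_per_second = Counter()
    broadcast_sources = defaultdict(Counter)
    double_tagged = []
    for ts, raw in capture:
        f = parse_frame(raw)
        if f["dst"] == BROADCAST:
            bucket = int(ts)
            broadcast_per_second[bucket] += 1
            broadcast_sources[bucket][f["src"].hex(":")] += 1
        if len(f["vlans"]) > 1:
            double_tagged.append({"ts": ts, "src": f["src"].hex(":"), "vlans": f["vlans"]})
    storm_seconds = sorted(s for s, n in broadcast_per_second.items() if n > storm_pps)
    return {
        "storm_seconds": storm_seconds,
        "top_talkers": {s: broadcast_sources[s].most_common(1)[0] for s in storm_seconds},
        "double_tagged": double_tagged,
    }


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: one host sends 150 broadcasts inside one second, then a double-tagged frame."""
    noisy = bytes.fromhex("0011223344aa")
    quiet = bytes.fromhex("0011223344bb")
    capture = [(i / 150, build_frame(BROADCAST, noisy, payload=b"who has ...")) for i in range(150)]
    capture.append((1.2, build_frame(quiet, noisy, payload=b"unicast")))
    capture.append((1.5, build_frame(quiet, noisy, vlans=(1, 20), payload=b"tagged twice")))
    return capture


if __name__ == "__main__":
    print(analyze(sample_capture()))
```

The storm threshold is the same idea as a switch's storm-control feature; the double-tag check is why the text's advice to disable automatic trunking matters, since a port that never becomes a trunk has no reason to accept tagged frames at all.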
OTHER PHYSICAL ISSUES

The other physical issues are as follows:

CABLE CUTTING

The cutting of network cables can definitely cause a network outage, which will result in a physical form of DoS for legitimate users on a network.

POWER INSTABILITIES

Power outages are a critical concern for the daily operations of businesses. If a device's power supply blows out, the device will be down until the power supply is replaced. If the building loses power, all components will lose power. However, a lot of companies invest in an Uninterruptible Power Supply (UPS) for their core and mission-critical network appliances and servers. A UPS can supply power to a component for a very short period of time. Therefore, a backup generator is recommended to counteract a power outage in a building or compound.

Another type of power instability is an electrical surge, which can short out or blow electrical components. Using a power surge protector or an automatic voltage regulator (AVR), we can protect network appliances from such abnormal spikes in electrical current.

6. SECURING NETWORKING DEVICES

As an upcoming network professional, it is very important to understand how to secure and mitigate these threats and vulnerabilities on a network infrastructure. In this section, we are going to take a look at applying some simple and effective controls on a system and network to assist in preventing and mitigating these security threats.
6.1 CHANGING DEFAULT CREDENTIALS

Whether you have purchased a computer or a network appliance, these devices have default accounts that allow the owner to log in to the administrator or root account. In some cases, users do not change or disable the default accounts or passwords that have been implemented, which is usually classed as a security vulnerability on a network. Failing to change the default configurations on a device could lead to a security breach on the network, and the attack would be simple: either guessing the password, or checking the manufacturer's website for default account and password information.

6.2 AVOIDING COMMON PASSWORDS

In 2014, we had the privilege of looking at a router's configuration files after a cyber attack had occurred at a reputable organization in the region. The attack is known as toll fraud, which results in a company's telephone bill being extremely high due to unaccountable international calls. After reviewing the configurations of the compromised router, it seemed that the person who had made the configurations or set the device password actually used a very common and guessable password.

This was a clear indication that the attacker didn't have the need to perform any sort of complex attack or password cracking techniques, but simply just needed to guess the password based on the manufacturer of the device. As a result of not having a proper password policy and applying basic security practices, the organization had to spend thousands of dollars remediating any damage that was done within their network and the high cost of the telephone bill. This is the result of setting common passwords on devices.
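Sections 6.1 and 6.2 describe the same control from two angles: device accounts must not keep vendor defaults, and the passwords set on them must not be guessable. The following added example (not from the whitepaper) is a small Python policy check of the kind an audit script runs over a device inventory before the devices go live. The default-credential and common-password lists are short constructed samples, not a real database, and `check_credential`, `audit_accounts` and `SAMPLE_ACCOUNTS` are names chosen for this example.

```python
import re
from typing import List

# Short constructed samples. A real audit loads a full default-credential database and a
# large common-password wordlist; the logic below does not change when the lists grow.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("cisco", "cisco"), ("root", "root"), ("root", "toor"), ("user", "user"),
}
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "admin", "letmein",
    "welcome", "changeme", "cisco", "p@ssw0rd", "password1",
}


def check_credential(username: str, password: str, min_length: int = 12) -> List[str]:
    """Return the list of policy failures for one account; an empty list means it passes."""
    findings = []
    u, p = username.lower(), password.lower()
    if (u, p) in DEFAULT_CREDENTIALS:
        findings.append("default vendor credential")
    if p in COMMON_PASSWORDS:
        findings.append("password is on the common-password list")
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    # Count which of lowercase, uppercase, digit and symbol classes are present.
    classes = sum(bool(re.search(pat, password)) for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("uses fewer than three character classes")
    if u and u in p:
        findings.append("contains the username")
    if re.search(r"(.)\1{3,}", password):
        findings.append("contains a run of four or more repeated characters")
    return findings


def audit_accounts(accounts) -> dict:
    """Audit (device, username, password) records and map each failing account to its findings."""
    report = {}
    for device, username, password in accounts:
        findings = check_credential(username, password)
        if findings:
            report[f"{device}/{username}"] = findings
    return report


# Constructed inventory: a router still on its default login, two weak but "complex-looking"
# passwords, and one account that passes.
SAMPLE_ACCOUNTS = [
    ("core-rtr-1", "admin", "admin"),
    ("edge-sw-3", "cisco", "Cisco123!"),
    ("pbx-01", "admin", "Admin123!"),
    ("nms-01", "netops", "Tr0ub4dor&3-Horse!"),
]


if __name__ == "__main__":
    for account, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(account, "->", "; ".join(findings))
```

The toll-fraud case in 6.2 is exactly the `pbx-01` line above: a password that looks varied but is short and built from the account name, which a guesser who knows the device vendor tries early.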
6.3 DEVICE HARDENING

Firmware is a piece of software that is permanently programmed into the Read-Only Memory of an electronic component. It's quite important to update/upgrade the firmware on a system since an updated version will contain fixes for any bugs within the program and security issues, and will implement newer features from the vendor. Firmware updates can be found on the device manufacturer's website.

Installing device updates, patches, hotfixes, and service packs on an operating system will assist in minimizing the attack surface and reduce the threat landscape within an organization. These updates are frequently released by software companies as a continuous service to ensure that any bugs and security issues are resolved as quickly as possible.

Device hardening is not only focused on installing updates, but also on applying baseline policies across all systems and devices within the organization. This ensures that the minimum security standards are applied to everyone and each device, which aids in minimizing security threats and risk.

6.4 DISABLING UNNECESSARY SERVICES

As learnt in previous chapters, whenever there are services running on an operating system, there are logical network ports assigned to each unique service. Having unnecessary services active on a system poses a security vulnerability on the device. From an attacker's point of view, each open port on a system is a doorway into the operating system. Leaving a doorway open in reality can be an invitation for an intruder.

6.5 DISABLING PHYSICAL PORTS

We've been talking about logical ports a lot thus far, but we must not forget about disabling any unused physical ports on a device either. Leaving physical ports active can allow a malicious user or hacker to physically connect specialized devices to a network for creating physical backdoor access.
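Section 6.4 turns into a concrete check once you compare what a host is actually listening on with what it is supposed to offer. The following added example (not from the whitepaper) parses socket listings in the shape of Linux `ss -tulnp` output against an approved-service list, distinguishes sockets reachable from the network from loopback-only ones, and separately flags cleartext protocols such as telnet. The sample listing is constructed, not captured from a real system, and `parse_sockets`, `audit_services` and `APPROVED` are names chosen for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed output in the shape of "ss -tulnp" on a Linux host (not captured from a real system).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=901,fd=4))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1022,fd=6))
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1200,fd=21))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=1300,fd=8))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

PROCESS_RE = re.compile(r'\(\("([^"]+)"')
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# Protocols that carry credentials or data in the clear; their presence is a finding in its own right.
CLEARTEXT_SERVICES = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 80): "http"}


def parse_sockets(text: str) -> List[Dict]:
    """Turn the listing into records of protocol, bind address, port and owning process."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[1] not in ("LISTEN", "UNCONN"):
            continue                                  # header line or a non-listening socket
        bind, port = fields[4].rsplit(":", 1)         # works for "0.0.0.0:22" and "[::]:22"
        m = PROCESS_RE.search(line)
        sockets.append({"proto": fields[0], "bind": bind, "port": int(port),
                        "process": m.group(1) if m else "?"})
    return sockets


def audit_services(text: str, allowlist: Set[Tuple[str, int]]) -> List[Dict]:
    """Compare listening sockets with the services this host is approved to offer.

    Each finding records whether the socket is reachable from the network ("exposed")
    or bound to loopback only, so remediation can be prioritised.
    """
    findings = []
    for s in parse_sockets(text):
        key = (s["proto"], s["port"])
        exposed = s["bind"] not in LOOPBACK
        reasons = []
        if key not in allowlist:
            reasons.append("not in the approved service list")
        if key in CLEARTEXT_SERVICES:
            reasons.append(f"{CLEARTEXT_SERVICES[key]} transmits in cleartext; replace with an encrypted equivalent")
        if reasons:
            findings.append({**s, "exposed": exposed, "reasons": reasons})
    return findings


# What this particular host is supposed to expose (constructed baseline for the example).
APPROVED = {("tcp", 22), ("tcp", 443)}


def run_sample() -> List[Dict]:
    return audit_services(SAMPLE_SS_OUTPUT, APPROVED)


if __name__ == "__main__":
    for f in run_sample():
        where = "exposed" if f["exposed"] else "loopback only"
        print(f"{f['proto']}/{f['port']} ({f['process']}, {where}): " + "; ".join(f["reasons"]))
```

The approved list is the "baseline policy" the hardening paragraph refers to: once it exists per role (web server, database, switch), the same script can be run after every change to catch a service that was re-enabled by an update.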
7. MITIGATION TECHNIQUES

Let's talk about the various mitigation techniques that are used against security threats on a network infrastructure in a little more detail.

7.1 NETWORK SEGMENTATION – DEMILITARIZED ZONE

Most organizations have servers that are accessible by users of the public internet. Some of these servers are web servers and email servers. It's definitely not recommended to allow any traffic originating from the internet to access your internal, private network. Creating a DMZ in which to place these publicly accessible servers is highly recommended.

The DMZ is a semi-trusted segment of the company's network that allows users from the internet limited access to devices in this area, which is why it's the best possible location to place the publicly accessible servers on the organization's network.

7.2 NETWORK SEGMENTATION – VLANS

As an upcoming networking professional, leaving all ports on the same VLAN will result in a logical flat network without any segmentation. This would lead to unnecessary broadcast messages, which will reduce the network's performance and increase the risk of a network security incident.

VLANs on a physical network will assist in improving the security posture of the network. Let's imagine that each department within an organization is on a unique VLAN. If an intruder plugs his attacker machine into a switch port, only that logical segment may be compromised until the attacker finds a way to perform VLAN hopping.
Having multiple VLANs also allows Access Control Lists (ACLs) to be implemented on the routers that handle the inter-VLAN routing of traffic. The ACLs can be used to either permit or deny traffic originating from one VLAN to another.

7.3 SPANNING TREE PROTOCOL (STP) THREAT MITIGATION TECHNIQUES

STP threat mitigation techniques are as follows:

7.3.1 BRIDGE PROTOCOL DATA UNIT (BPDU) GUARD

BPDU guard is used to prevent BPDUs from entering a switch port. This feature is recommended if the switch is using 'PortFast' on a particular interface. It assists in preventing a hacker from injecting malicious BPDU messages into the switch in the hope of moving the root bridge role to the attacker's machine and manipulating layer 2 traffic.

7.3.2 ROOT GUARD

The root guard is placed at the local interfaces of both the root bridge and the secondary root bridge that connect to other switches except themselves. The root guard feature is used to enforce the placement of root bridges on a network.

7.4 MITIGATING SECURITY THREATS

To secure an organization's network, one must first identify the assets of the company. Assets can be categorized into the following:

Tangible
Intangible
Employees
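The inter-VLAN ACL mentioned above is evaluated top to bottom, first match wins, with an implicit deny for anything that matches no entry. The following added example (not from the whitepaper) models that evaluation in Python with the `ipaddress` module and applies a constructed staff-VLAN policy to a few sample packets. The VLAN numbering, addresses, `AclEntry` class and `STAFF_INBOUND_ACL` are assumptions made for this example; the matching semantics (ordered entries, implicit deny) are the standard ones the text describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def in_scope(addr: str, scope: str) -> bool:
    """scope is 'any' or a CIDR prefix such as 10.0.10.0/24."""
    return scope == "any" or ip_address(addr) in ip_network(scope, strict=False)


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return in_scope(pkt["src"], self.src) and in_scope(pkt["dst"], self.dst)


def evaluate(acl: List[AclEntry], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching entry wins; a packet that matches nothing hits the implicit deny (index None)."""
    for index, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, index
    return "deny", None


# Constructed addressing: VLAN 10 = staff (10.0.10.0/24), VLAN 20 = servers (10.0.20.0/24),
# VLAN 99 = network management (10.0.99.0/24). The list is applied inbound on the VLAN 10 interface.
STAFF_INBOUND_ACL = [
    AclEntry("permit", "tcp", "10.0.10.0/24", "10.0.20.0/24", 443),   # staff may reach the HTTPS services
    AclEntry("permit", "udp", "10.0.10.0/24", "10.0.20.53/32", 53),   # and the internal DNS resolver
    AclEntry("deny",   "ip",  "10.0.10.0/24", "10.0.20.0/24"),        # nothing else into the server VLAN
    AclEntry("deny",   "ip",  "any",          "10.0.99.0/24"),        # management VLAN is off limits
    AclEntry("permit", "ip",  "10.0.10.0/24", "any"),                 # everything else (internet) is allowed
]


def sample_decisions() -> List[Tuple[str, str]]:
    """Constructed packets; the last one carries a source address that does not belong to VLAN 10."""
    packets = [
        ("https to app server", {"proto": "tcp", "src": "10.0.10.25", "dst": "10.0.20.8",   "dport": 443}),
        ("ssh to app server",   {"proto": "tcp", "src": "10.0.10.25", "dst": "10.0.20.8",   "dport": 22}),
        ("ssh to core switch",  {"proto": "tcp", "src": "10.0.10.25", "dst": "10.0.99.2",   "dport": 22}),
        ("web browsing",        {"proto": "tcp", "src": "10.0.10.25", "dst": "203.0.113.9", "dport": 443}),
        ("spoofed source",      {"proto": "tcp", "src": "10.0.30.7",  "dst": "203.0.113.9", "dport": 443}),
    ]
    return [(name, evaluate(STAFF_INBOUND_ACL, pkt)[0]) for name, pkt in packets]


if __name__ == "__main__":
    for name, decision in sample_decisions():
        print(f"{name:22s} -> {decision}")
```

The ordering is the point worth noticing: the specific permits come before the broad deny for the server VLAN, and the final broad permit only applies to sources that genuinely belong to VLAN 10, which is what makes the spoofed packet fall through to the implicit deny.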
7.4.1 IMPLEMENT A NEXT-GENERATION FIREWALL

A next-generation firewall provides the following features:

Built-in Intrusion Prevention System (IPS)
Virtual Private Network (VPN) capabilities
Botnet filtering
APT filtering
Prevent zero-day breakouts
Deep packet inspection
Malware and ransomware prevention

7.4.2 IMPLEMENT AN IPS

Another type of security appliance is an IPS. An IPS has the ability to detect and block attackers and other anomalies that other security appliances cannot find. Within an IPS, there are rules that govern how the appliance monitors and filters network traffic, and these rules can be customized by a security engineer to detect and stop certain activities that are of interest to a single organization. Since an IPS is usually placed behind a firewall, it blocks malicious traffic that was missed by the firewall appliance.

7.4.3 IMPLEMENT A WEB SECURITY APPLIANCE (WSA)

Protecting our users also means providing web security for both outgoing and incoming traffic. A WSA is a web content security appliance that has the ability to mitigate threats, handle content filtering, and allow secure access to the web. When a user enters a URL in their web browser, the data leaving the organization for the intended website/server is sent to the WSA for further analysis and validation. If the web traffic or website is harmful, the WSA will prevent the malicious traffic from entering the organization's network and restrict access to the malicious website/server.
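The rules that govern an IPS (7.4.2) come in two basic shapes: a content rule that fires as soon as a byte pattern appears in a packet, and a threshold rule that fires when one source produces too many matching packets inside a time window. The following added example (not from the whitepaper) is a minimal inline engine in Python that handles both and returns a pass/drop decision per packet; the two signatures, the traffic, the local signature IDs and the `InlineIps` class are constructed for this example and are not a vendor's rule set.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str                    # "tcp", "udp", "icmp" or "ip" for any
    dport: Optional[int]          # destination port, None = any
    content: Optional[bytes]      # byte pattern that must appear in the payload, None = any
    threshold: int = 1            # alert once this many matches from one source fall in `window` seconds
    window: float = 0.0


class InlineIps:
    """Evaluates every packet against the rule set and returns "pass" or "drop".

    Content rules fire on the first match. Threshold rules count matches per source over a
    sliding window, which is how connection-burst and scan detection is usually expressed.
    """

    def __init__(self, signatures: List[Signature]):
        self.signatures = signatures
        self.hits: Dict[Tuple[int, str], Deque[float]] = defaultdict(deque)
        self.alerts: List[dict] = []

    def inspect(self, pkt: dict) -> str:
        for sig in self.signatures:
            if sig.proto != "ip" and sig.proto != pkt["proto"]:
                continue
            if sig.dport is not None and pkt.get("dport") != sig.dport:
                continue
            if sig.content is not None and sig.content not in pkt.get("payload", b""):
                continue
            recent = self.hits[(sig.sid, pkt["src"])]
            recent.append(pkt["ts"])
            while recent and pkt["ts"] - recent[0] > sig.window:
                recent.popleft()             # forget matches that fell out of the window
            if len(recent) >= sig.threshold:
                self.alerts.append({"ts": pkt["ts"], "sid": sig.sid, "msg": sig.msg,
                                    "src": pkt["src"], "dst": pkt["dst"], "count": len(recent)})
                return "drop"
        return "pass"


# Constructed rule set (sids in the local 1000000+ range, not real vendor signatures).
RULES = [
    Signature(1000001, "HTTP path traversal sequence in request", "tcp", 80, b"../"),
    Signature(1000002, "SSH connection burst from one source", "tcp", 22, None, threshold=5, window=10.0),
]


def replay_sample() -> Tuple[List[str], List[dict]]:
    """Constructed traffic: a normal web request, a traversal attempt, then six SSH connects in six seconds."""
    web = {"proto": "tcp", "src": "10.0.10.5", "dst": "10.0.20.8", "dport": 80}
    ssh = {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.20.8", "dport": 22, "payload": b"SSH-2.0-client"}
    traffic = [
        {**web, "ts": 0.0, "payload": b"GET /index.html HTTP/1.1\r\n"},
        {**web, "ts": 0.5, "payload": b"GET /static/../../config HTTP/1.1\r\n"},
    ] + [{**ssh, "ts": float(t)} for t in range(1, 7)]
    ips = InlineIps(RULES)
    decisions = [ips.inspect(p) for p in traffic]
    return decisions, ips.alerts


if __name__ == "__main__":
    decisions, alerts = replay_sample()
    print(decisions)
    for a in alerts:
        print(f"{a['ts']:>5}: sid {a['sid']} {a['msg']} from {a['src']} (count={a['count']})")
```

The "placed behind a firewall" remark in the text is visible here: the firewall has already decided that port 22 and port 80 are allowed, and the IPS is what still inspects the content and rate of what got through.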
7.4.4 IMPLEMENTING AN EMAIL SECURITY APPLIANCE

There are many types of threats for which attackers use email as their delivery platform. These threats are as follows:

Spam
Malware
Phishing
Spear-phishing

Using an Email Security Appliance will process both incoming and outgoing emails from an organization to help stop cyber attacks that are delivered by email messaging. The incoming emails go through various processing and analysis stages, such as anti-spam filtering, antivirus scanning for virus detection, content filtering, and so on. The outgoing emails go through a very similar process to prevent any internally compromised systems within the organization from spreading malware or distributing any sort of threat.

7.4.5 IMPLEMENT LAYER 2 SECURITY ON SWITCHES

Securing layer 2, the switch network, is a very important aspect when implementing network security. Many people I've encountered within the IT industry, from IT techs to managers, haven't realized the importance of securing a network using a layered approach, such as Defence in Depth (DiD). Having a next-generation firewall isn't going to stop all threats. What about preventing an insider threat, which a lot of us forget about? Over 90% of cyber-attacks happen from the inside, within a network, rather than originating from the internet.

The following are recommended as some of the best network security practices:

Applying port security on a switch's port will prevent a Content Addressable Memory (CAM) table overflow. The CAM table has been mentioned in Chapter 3, Ethernet.
Block all switch port negotiations to prevent an attacker from performing a VLAN hopping attack.
Remove all ports from VLAN 1 and do not use VLAN 1 for anything.
Implement DHCP snooping on the switches to prevent a malicious user or attacker from installing a rogue DHCP server on the network.
Implement BPDU guard to prevent an attacker from injecting specially crafted BPDU messages into a switch port to take on the role of a root bridge.
Implement Dynamic ARP Inspection (DAI) to prevent ARP spoofing on the layer 2 network.

7.4.6 IMPLEMENT VIRTUAL PRIVATE NETWORKS (VPNS)

Implementing a VPN can help in protecting data in motion as it transits from one location to another. This will aid in preventing anyone who is attempting to eavesdrop on the network. A VPN allows secure access to a corporate network for members of staff who are traveling, working out in the field, or even working remotely.

7.4.7 OTHER IMPORTANT SECURITY CHECKS

The other important security checks are as follows:

Implement an Authentication, Authorization, and Accounting (AAA) server for user management on network and security appliances. AAA is used for central management of user accounts, privileges, policies, and log management in a single unified system.
Train and educate employees to have a better understanding of cyber security.
Install the latest updates to fix any bugs and security flaws in the software on a system.
Keep regular backups of data in the event of a ransomware attack or system crash.
Disable any unnecessary services on appliances and systems.
Encrypt and apply passwords on sensitive data.
Perform regular vulnerability assessments on the network infrastructure to determine risk ratings and mitigation.
Perform penetration testing regularly, both announced and unannounced, to find any hidden vulnerabilities on a system and network before a real attacker discovers and takes advantage of them.
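The first layer 2 practice in 7.4.5, port security against CAM table overflow, is easiest to understand by modelling what the switch does with source MACs. The following added example (not from the whitepaper) is a small Python model of a switch that learns MACs into a capacity-limited CAM table, with a per-port cap and the three standard violation behaviours (shutdown, restrict, protect). The port names, capacities and `Switch`/`SecuredPort` classes are assumptions made for this example; the scenario shows that a flood of random source MACs on one port err-disables that port after its cap is hit and never fills the shared table, so a legitimate host on another port is unaffected.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class SecuredPort:
    name: str
    max_macs: int = 2                 # typical access port: one host, or an IP phone plus a PC
    violation: str = "shutdown"       # "shutdown" (err-disable), "restrict" (drop and count) or "protect" (drop)
    learned: Set[str] = field(default_factory=set)
    state: str = "up"
    violations: int = 0


class Switch:
    """Models the part of a switch that learns source MACs into the CAM table.

    Without port security the table grows with every new source MAC until it is full,
    after which frames for unknown destinations are flooded out of every port (the
    condition a CAM overflow aims for). With port security each port's contribution is capped.
    """

    def __init__(self, cam_capacity: int = 8192):
        self.cam_capacity = cam_capacity
        self.cam: Dict[str, str] = {}          # mac -> port
        self.ports: Dict[str, SecuredPort] = {}

    def add_port(self, port: SecuredPort) -> None:
        self.ports[port.name] = port

    def ingress(self, port_name: str, src_mac: str) -> str:
        """Return what the switch did with a frame carrying src_mac that arrived on this port."""
        port = self.ports[port_name]
        mac = src_mac.lower()
        if port.state == "err-disabled":
            return "dropped (port err-disabled)"
        if mac in port.learned:
            return "forwarded"
        if len(port.learned) < port.max_macs:
            port.learned.add(mac)
            if len(self.cam) < self.cam_capacity:
                self.cam[mac] = port_name
            return "learned"
        # The port already holds its allowed number of MACs, so this frame is a violation.
        port.violations += 1
        if port.violation == "shutdown":
            port.state = "err-disabled"
            return "err-disabled (violation)"
        return "dropped (violation)"   # "restrict" and "protect" both drop; restrict also counts and logs

    def cam_is_full(self) -> bool:
        return len(self.cam) >= self.cam_capacity


def cam_flood_demo() -> dict:
    """Constructed scenario: 10,000 distinct source MACs on Gi0/1 while a normal host uses Gi0/2."""
    sw = Switch(cam_capacity=8192)
    sw.add_port(SecuredPort("Gi0/1"))
    sw.add_port(SecuredPort("Gi0/2"))
    outcomes = [sw.ingress("Gi0/1", f"02:00:00:{i >> 16 & 0xff:02x}:{i >> 8 & 0xff:02x}:{i & 0xff:02x}")
                for i in range(10_000)]
    legit = sw.ingress("Gi0/2", "00:11:22:33:44:bb")
    return {
        "flood_port_state": sw.ports["Gi0/1"].state,
        "macs_learned_on_flood_port": len(sw.ports["Gi0/1"].learned),
        "frames_before_shutdown": outcomes.index("err-disabled (violation)"),
        "cam_full": sw.cam_is_full(),
        "legit_host": legit,
    }


if __name__ == "__main__":
    print(cam_flood_demo())
```

The same structure explains why the text pairs port security with DHCP snooping and DAI: each of those features keeps a per-port binding table and drops frames that contradict it, so the switch, not the end hosts, enforces who may claim an address.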
8. TROUBLESHOOTING A NETWORK

In order to illustrate the entire network troubleshooting methodology, we will examine common hardware and software tools that are utilized to gather data on issues, and also discuss some everyday problems that plague both wired and wireless networks. Finally, we will explore a number of typical network service issues that are prevalent across many networks. This phase will aid you in connecting the concepts to the real-life issues you'll face in administering a network, allowing you to quickly and confidently diagnose and resolve many of these issues.

8.1 HARDWARE-BASED TROUBLESHOOTING TOOLS

Crimper
Punchdown tools
Tone and probe tool
Loopback adapter
Multimeter

8.2 SOFTWARE-BASED TROUBLESHOOTING TOOLS

Packet sniffer
Port scanner
Wi-Fi analyzer
arp tool
ping tool
tracert tool
nslookup tool
ipconfig tool
iptables
route tool
netstat tool
Network Mapper (Nmap) tool
8.3 COMMON ISSUES ON WIRED AND WIRELESS NETWORKS

Common issues on wired networks:

Link lights/status indicators
Damaged cables and connectors
Incorrect TX/RX alignment
Crosstalk and EMI
Bad ports/transceivers

Common issues on wireless networks:

Physical layer issues
Antenna issues
Signal power issues
Interference
Client configuration issues

8.4 COMMON NETWORK SERVICE ISSUES

IP address duplication
MAC address duplication
Incorrect gateway and netmask
Incorrect DNS/NTP servers
Expired IP address
Untrusted SSL certificate
Incorrect network or host firewall settings
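Several of the service issues in 8.4 (duplicate IP or MAC addresses, a gateway that does not match the netmask, an invalid netmask) can be caught from configuration data before anyone has to chase them with ping. The following added example (not from the whitepaper) validates a constructed host inventory with Python's `ipaddress` module and reports each problem against the host that has it; the host records, addresses and the `validate_hosts` name are assumptions made for this example.

```python
from collections import Counter
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Tuple


def validate_hosts(hosts: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Check host records for duplicate addresses and gateway/netmask mismatches.

    Each record has name, ip, netmask (dotted or prefix length), gateway and mac.
    Returns (host name, problem) pairs in the order the hosts are listed.
    """
    findings = []
    ip_counts = Counter(h["ip"] for h in hosts)
    mac_counts = Counter(h["mac"].lower() for h in hosts)
    for h in hosts:
        name = h["name"]
        if ip_counts[h["ip"]] > 1:
            findings.append((name, f"IP address {h['ip']} is also configured on another host"))
        if mac_counts[h["mac"].lower()] > 1:
            findings.append((name, f"MAC address {h['mac']} is also configured on another host"))
        try:
            iface = ip_interface(f"{h['ip']}/{h['netmask']}")   # accepts "24" or "255.255.255.0"
        except ValueError as exc:
            findings.append((name, f"invalid address or netmask: {exc}"))
            continue
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append((name, f"{iface.ip} is the network or broadcast address of {net}"))
        try:
            gw = ip_address(h["gateway"])
        except ValueError:
            findings.append((name, f"gateway {h['gateway']} is not a valid address"))
            continue
        if gw not in net:
            # The classic symptom of a wrong netmask: the gateway ends up outside the host's own subnet.
            findings.append((name, f"gateway {gw} is outside the host's subnet {net}; check netmask or gateway"))
        elif gw == iface.ip:
            findings.append((name, "gateway is set to the host's own address"))
    return findings


# Constructed inventory for a /24 office network whose gateway is 10.0.10.1.
SAMPLE_HOSTS = [
    {"name": "ws-01", "ip": "10.0.10.21",  "netmask": "255.255.255.0",   "gateway": "10.0.10.1", "mac": "00:11:22:33:44:01"},
    {"name": "ws-02", "ip": "10.0.10.22",  "netmask": "24",              "gateway": "10.0.10.1", "mac": "00:11:22:33:44:02"},
    {"name": "ws-03", "ip": "10.0.10.22",  "netmask": "24",              "gateway": "10.0.10.1", "mac": "00:11:22:33:44:03"},
    {"name": "ws-04", "ip": "10.0.10.200", "netmask": "255.255.255.128", "gateway": "10.0.10.1", "mac": "00:11:22:33:44:04"},
    {"name": "ws-05", "ip": "10.0.10.25",  "netmask": "255.255.0.255",   "gateway": "10.0.10.1", "mac": "00:11:22:33:44:01"},
]


if __name__ == "__main__":
    for host, problem in validate_hosts(SAMPLE_HOSTS):
        print(f"{host}: {problem}")
```

The `ws-04` record shows why "incorrect gateway and netmask" are listed together: its address and gateway are both fine for a /24, but with the /25 mask the host and the gateway no longer share a subnet, so traffic leaving the LAN is simply never sent.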
9. CONCLUSION

Whether you're a seasoned network engineer, an IT technician, an enthusiast, or simply starting your studies in networking, security threats and attacks exist everywhere. No network infrastructure exists that's fully secure because each minute, hour, or day, a new cyber threat emerges. If your network isn't protected, it's a gold mine for hackers to steal assets of immeasurable value. So, securing it is obviously mandatory. To do this, reaching out to a successful cyber security organization is the sanest choice.

We have been listed as one among the "Top 20 Most Promising Cyber Security Providers". We have also set the "India Book of Records for identifying the most number of vulnerabilities". Last but not the least, we are a CERT. Contact us to gain in-depth insight on cyber security.
This White Paper is proudly presented by BRISKINFOSEC TECHNOLOGY AND CONSULTING PVT LTD

Feel free to reach us for all your cybersecurity needs: contact@briskinfosec.com | www.briskinfosec.com | USA | INDIA | UK