Tag Archives: comptia

Security+ Series Part 9: Strategies to Reduce Risks

Hello and welcome back to the Security+ series. After a long, awesome break we will jump straight into strategies that help reduce risks in our super secret enterprise environment. You will learn a bunch of new stuff about change management, user permissions, audits and various other technical controls that help keep 0100101100 secure and available. Let's get the ball rolling.

Music Recommendation for this article: Deftones – White pony

Change management

Imagine that you have a very dynamic environment where the rate of change is huge. The server ops team is banging their heads implementing the Heartbleed patch on Unix frontends, the network security folks are migrating the main data center ATM WAN links, and you are sharpening your knife for the next complex routing party which will change global traffic flow. Without proper controls in place, these actions carried out at the same time could interfere with each other and create a mess.

Therefore there is a need to keep track of all planned changes. A change management tool such as HP Service Manager helps with that. There can be multiple types of changes, such as easy-cheese routine changes, normal changes and emergency changes that need to be done ASAP, and the process for implementing those changes will differ.

A typical change would go through a process of planning and preparing the configuration scripts, scheduling the implementation date, assessing the possible risks, defining the configuration item (CI) that this change will affect, and other basic variables. Then you would pass it to your team mate for peer review. After that it would go through the Technical Advisory Board (TAB) and then the Change Advisory Board (CAB). The more critical the environment is, the lengthier the process is. Finally, after all approvals, you are allowed to carry out the change. After successfully implementing a change, a closure process follows. It will require information like the actual implementation time, post-change verification and a closure comment.

HP Service Manager is what HP folks use to plan the changes.

Incident Management

As the name implies, incident management describes the steps that are usually followed when we face a service outage. It defines how to log an incident, e.g. manually through a service desk, or automatically through a monitoring solution. Incidents are then assigned to a group or an individual who tries to restore the affected service. A root cause analysis is performed to determine what triggered the outage. This could be, for example, a power supply or module failure, a software bug, or a misconfiguration after an unsuccessful change.

To resolve future incidents quicker, lessons learned are tracked in a database for teams to review and learn from.

Incident Management Simply

User Rights and Permission Management

In a typical business there are many boring job roles, such as human resources, accounting, marketing, technical services and more. Each employee requires access to certain applications and services to perform their everyday tasks. This implies that there is some kind of separation of who can access what. You would not like your receptionist to have permission to change the core data center switches, would you? Not saying she would really care.

User rights help maintain the right level of permissions to resources. These controls can be found in every system out there: user accounts in a Windows domain, network infrastructure devices, remote access and so forth.

User Account Control makes itself heard

Routine audits

Regular security audits are mandatory whenever a company handles precious information such as health records or credit card numbers. They are carried out by an internal or external team who perform penetration testing against live systems to determine if the company has put enough security measures in place to keep the bad guys out. An audit can reveal configuration weaknesses or unpatched systems that could lead to data and reputation loss, giving a big advantage to your competition.

Me neither

Preventing Data Loss

There are many ways to prevent data loss. For example, a rock-solid organizational policy could outline how the systems need to be used securely. Technical measures such as configuration best practices and tight firewall rules can also help prevent data leaking out from our pipes. There are even technologies that specialize in this particular area. For example, Check Point has a firewall blade that can help mitigate accidental leakage of sensitive information.

And that, my friends, is the end of this short part of the Security+ Series. If you are studying for the CompTIA Security+ exam, you are one step closer to your goal. I hope you enjoyed reading it as much as I enjoyed writing it. In the next one we will look at what forensics is all about and some basic terms and examples related to it.


Security+ Series Part 8: 3rd Party Integration Risks

Our Security+ fast track continues, and in this article we will look at terms that are used in conjunction with 3rd party integration and the associated risks.

Sooner or later your company grows larger and starts to do business with other companies. Your business applications and data need to be accessed by your partners and customers.

This lesson will teach you about concepts that can help you deal with data protection when such a situation happens.

Let's get going.

On-boarding/Off-boarding business partners

Well, the name says it all. The best practice is to have a policy or procedure defined for when such an event occurs. This could encompass what kind of access is needed, to what data and under what circumstances. For example, you can set up a secure VPN for your supplier.

There is a certain procedure when kids are being on-boarded onto the school bus

Social media networks and/or applications

Social networks are a phenomenon of our time. If you use them the right way they can offer you great benefits. Your marketing department can use these media for marketing the company, product promotion or general feedback from customers.

There are, however, also some risks associated with social network misuse. If your employees are not trained well they could accidentally leak private information.

Your policy should also outline how to use these media the proper way.

Starbucks using Facebook for promoting pumpkin spice latte

Interoperability agreements

There are several agreements that can be signed between two entities when they decide to work together for a common goal. Here are the most often used:

There can be a lot of agreements between two parties

SLA

A Service Level Agreement is a formal document between two parties that defines what service is being offered. For example, when you order an MPLS VPN service to meet your branch connectivity needs, you will agree with the provider what level of service you get in terms of access rates, quality of service and service availability.

BPA

A Business Partner Agreement is yet another document that can be signed between partners when you decide to do business together. It may contain things like profit sharing, cost sharing and so on.

MOU

A less formal document called a Memorandum of Understanding describes a gentlemen's agreement between two companies that plan to do business together. It outlines what they are trying to accomplish together.

ISA

An Interconnection Security Agreement is a document that mandates what actions need to be taken when connecting to or disconnecting from a business partner. It focuses on the technology side of the partnership. An example can be found here.

Privacy considerations

When you have many partners and customers, you need to make sure that the data they are working with is safe and confidential. You would not like it if partner A could access partner B's data, or use your network as a transit.

Risk awareness

Before we can mitigate risks we first need to be aware of them. Risk awareness training is important not only for your own staff, but also for partners and suppliers. They can all help you solidify the integrity of your company.

Unauthorized data sharing

When you are working with a partner, make sure you are only giving access to the data that is needed to complete the workflow. This way you minimize the risk of unauthorized data sharing. You also need to be clear on how your partner will protect your data within their infrastructure.

Data is slowly leaking out of your data pipes just like water.

Data ownership

When you are working on a project for a customer you may often involve some of your partners to deliver a sub-service. For example, your company may take care of the server part while your partner delivers the network infrastructure.

In such a case you need to agree where you will store project documents such as sales orders, design documents, configuration scripts and others. You also need to decide who will present these documents to the end customer; this may, for example, affect the document format, logos, forms and so on.

Data backups

As I mentioned above, once data ownership is sorted out, it is vital to agree who will protect the data against loss. Usually the data owner is responsible for this part.

Follow security policy and procedures

As my colleagues would say, stay calm and carry on. At your company you have certain procedures for how to handle data, perhaps depending on the security level. Make sure that your business partner is also aware of and follows the policy when handling the data.

Review agreement requirements to verify compliance and performance standards 

When you have everything written down, make sure that you and your partner know and understand the requirements for using the data they have access to. Performance standards can describe what level of resources the partner will have; for example, in virtualized environments this can encompass the pool of RAM, CPU or storage.

And we have come to the very end of this article. As always, I hope you learned something useful, and see you in the next post in the series, which will cover some strategies to reduce risks.

Security+ Series Part 7: Risk Calculation

Welcome back to the Security+ series. In this post we are going to explore some techie and non-techie terms that will help us argue with our management to get some funding to get the security ball rolling.

We all know how important it is to keep our stuff safe and available, but sometimes that feeling itself is not enough to convince our stakeholders to give us some money to make it happen.

That is why it is important to provide some real numbers. And this is the purpose of this part of the series: putting risk and math together.

Risk Calculation

Risk describes the likelihood that a weakness in the system will be successfully exploited. For example, Heartbleed and ShellShock are examples of vulnerabilities with very high risk, simply because so many systems were vulnerable and the impact is high. IT companies would definitely invest time and money to fix such an issue ASAP, otherwise they could lose a lot of reputation and money. If you speak to management, always quantify in numbers (meaning $$$); they will listen to you more closely.

One example would be to justify building a disaster recovery site in case of primary data center failure. The capital and operational expense might be high, but in case of primary DC failure the service loss, and therefore the financial loss, can be even higher, not to mention losing customers.

Alain Robert, the real-life Spiderman, has risk under his control

Likelihood 

Likelihood is the probability that a vulnerability will be exploited. For example, the likelihood of stealing data through SQL injection is much higher than that of physically compromising the database server, simply because everybody on the Internet can play with your web app, but not many of those folks have the guts to pull off social engineering tactics to get onto your premises physically.

There is a likelihood of not walking away alive after this game

Impact

Do you remember a game called Space Impact which was epic on the Nokia 3310? You were in a space ship shooting down aliens, and at the end of each level a big boss would appear.

When you destroyed a few of those small alien ships nothing fancy would happen, but when you defeated the boss, boy, that was a huge impact for the aliens.

The same is true with security: if your DB gets compromised you are in big trouble, much bigger than if someone were to root your Counter-Strike server, because those usually do not hold sensitive data and only provide a presentation layer.

Space impact helps you understand the impact

SLE

Single Loss Expectancy is the cost associated with a certain type of unwanted event. For example, if your hard drive fails and you do not have a backup, the cost may be higher than just the price of a new drive. The cost will include any lost data, which in the best case you need to re-create and in the worst case is lost forever. The SLE is expressed in cash.

ARO

Annualized Rate of Occurrence, as the name implies, describes how often the unwanted event occurs. Does your HDD fail twice a year or once per 5 years? It is important to know, because sometimes the cost of the risk may be lower than the cost of eliminating it. For example, if all your important files are already backed up and only system files could be lost, then installing a 2nd HDD and enabling RAID in every client machine would not be cost effective. ARO is usually expressed as events per year; for example, if an event occurs twice a year the ARO would be 2.

ALE

Annualized Loss Expectancy is the number you get when you multiply Single Loss Expectancy by Annualized Rate of Occurrence. It gives you a better overview of what a certain risk costs you per year, which is what you weigh against the cost of mitigating it.

For example, if you lose main power to your production gear twice a year and this event costs you $10000 in lost revenue, the ALE would be $10000 * 2 = $20000.

In such a case it would be wise to invest in a UPS device or a 2nd power feed.

MTTR

Mean Time To Repair describes how long it will take to restore the service to the way it was. For example, if you run out of toner, how long will it take to install a new one? If it takes just a few minutes because you have spares on site, that is perfectly fine. But if you have no spare and need to quote and order one, it may take a week to get the printer up and running. Execs would not be happy that they need to wait a week to print a financial report for a meeting.

MTBF

Everything fails, do not argue about that. Rather, the question is: how often does it fail? Mean Time Between Failures can give you an estimate. Vendors usually list a value with their product. For example, Cisco states that their Catalyst 2960G-48TC-L will likely fail every 221,432 hours. Usually what fails most of the time is the power supply, therefore for critical devices aim for at least 2 PS units.

MTTF

Mean Time To Failure is very similar to MTBF; the difference is that MTTF relates to products that are not usually repairable, for example some micro components of a larger system. A capacitor, for example, could have a certain number of cycles that it can handle over its lifetime.
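To put the SLE, ARO and ALE arithmetic and the MTBF/MTTR figures from the sections above into working form, here is an added example; it is not code from the post. The control costs, residual failure rates, one-week repair time and 50-switch fleet are constructed inputs; the 221,432 hour MTBF is the Cisco figure quoted above.

```python
"""Quantitative risk figures from the post (SLE, ARO, ALE) and the
availability estimate that follows from MTBF and MTTR.
Added example, not from the original post; all cost inputs are constructed."""
from dataclasses import dataclass
from typing import List, Optional

HOURS_PER_YEAR = 24 * 365


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence, in cash
    aro: float  # Annualized Rate of Occurrence: events per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    yearly_cost: float   # purchase amortised per year plus operation
    residual_aro: float  # events per year that still happen with the control


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE saved by the control minus what the control costs per year.
    Negative means accepting the risk is cheaper than mitigating it
    (the post's RAID-in-every-client example)."""
    ale_after = risk.sle * control.residual_aro
    return (risk.ale - ale_after) - control.yearly_cost


def best_control(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """Pick the control with the highest net benefit; None if none pays off."""
    ranked = sorted(controls, key=lambda c: net_benefit(risk, c), reverse=True)
    if ranked and net_benefit(risk, ranked[0]) > 0:
        return ranked[0]
    return None


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: the fraction of time the device is up."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def failures_per_year(mtbf_hours: float, units: int = 1) -> float:
    """Estimate an ARO for hardware failure from the vendor MTBF figure."""
    return HOURS_PER_YEAR / mtbf_hours * units


def demo() -> dict:
    # The post's power example: two outages a year at $10000 each.
    power = Risk("mains power loss", sle=10_000, aro=2)
    options = [  # yearly costs and residual AROs are constructed
        Control("UPS", yearly_cost=3_000, residual_aro=0.1),
        Control("second power feed", yearly_cost=12_000, residual_aro=0.2),
        Control("do nothing", yearly_cost=0, residual_aro=2),
    ]
    # Cisco's 221,432 h MTBF from the post; a week to get a replacement in.
    best = best_control(power, options)
    return {
        "ale": power.ale,
        "best": best.name if best else None,
        "availability": availability(221_432, 7 * 24),
        "switch_failures_per_year": failures_per_year(221_432, units=50),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```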

Quantitative vs. qualitative (ALE) 

The Annualised Loss Expectancy can be expressed in two ways. Quantitative means you have the numbers in pounds; you can relate to the amount of cost, or to put it simply, you have the data backing you up when you speak to shareholders.

The qualitative representation is your gut feeling, which likely comes from your previous life experience. You just know that that hard drive will not last forever.

Vulnerabilities

Vulnerabilities are kind of a favorite topic in the security world. You can find them everywhere, and everybody talks about them. What is a vulnerability exactly? Well, to put it simply, it is a weakness in a system. A weakness can be introduced by the design itself, by the implementation, or by not following best practices. To put some meat into the discussion, the ShellShock vulnerability in Bash was present in the code for almost 20 years before it was revealed to the public.

Offensive Security runs a website called Exploit-DB which collects a list of newly discovered vulnerabilities.

One of the most advanced computer viruses, Stuxnet, had the capability to exploit 20 zero-day weaknesses. Its mission was to slowly destroy centrifuges in a factory. The term zero-day refers to a vulnerability that has not been revealed to the public.

A well-done presentation about Stuxnet

Threat vector

Threat vector is a term that describes the attack surface. For example, a web service exposes a different surface than a print server. A web application can be attacked by web-based attacks such as SQL injection, XSS, or a vulnerability in the daemon. More services, bigger attack surface.

For example, a router with locked-down SSH and minimal services running has a smaller attack surface than an Internet-facing web server.

Probability 

Probability describes how likely it is that the vulnerability will be exploited. As I mentioned, a SQL injection would be much more likely to occur than social engineering at your corporate premises.

Risk-avoidance, transference, acceptance, mitigation

Sometimes the introduction of a new service could bring such a high risk that the company decides not to implement the service at all (risk avoidance). This is typical for new software releases; often companies wait months after the initial release just to avoid bugs and vulnerabilities in new code.

Other times, companies may accept the risk associated with a service (risk acceptance). For example, BYOD or Bring Your Own Device may open new attack vectors for the company, but the value of the service outweighs this risk.

Mitigation refers to how we reduce risks: following best practices, regularly patching and revising system configuration, performing vulnerability scanning. All these activities help reduce the risk of being exploited.

Risks associated with Cloud Computing and Virtualization 

With new trends come new risks. Cloud computing can provide a number of great benefits, but it is important to understand the risks as well. For example, what if one customer of a multitenant cloud gets compromised? How well has the cloud provider isolated the contaminated environment so that other customers are safe?

What if an attacker finds a way to crack the hypervisor and gain access to all virtual machines running on top of it?

RTO 

The Recovery Time Objective describes how long it should take to restore a failed system back online. If your e-commerce site generates a ton of money you obviously want to have it up and running in no time.

Ma'am, restoring these backups will take ages.

RPO

Recovery Point Objective is usually related to storage. How often do you do a full backup, for example every night? In such a case you can only recover up to that point and you lose the data that was written during the day. In practice you usually back up on a daily or hourly basis, but you also keep track of the transactions that happened during the day so you can restore to the most recent point in time. Obviously a shorter RPO will cost you more money.

And with that, my friends, we are closing this section on risk calculation. I hope that you learned something new today. In the next one, we will be exploring risks associated with connecting our infrastructure to third parties.

Security+ Series Part 6: Compliance and Operational Security

Welcome back to part 6 of the series. In this one we are going to explore compliance and operational aspects of security. You will learn what control types we have, what a false positive is, and what kinds of policies are used in real life. Take a deep breath, we are starting in 3..2..1.

Control types 

Control types define how we are going to enforce the security policy in our company. They are defined in NIST Special Publication 800-53. Generally they can be broken into three categories.

The first one is Technical, and it can describe, for example, how we are going to filter web content traffic or how we are going to enforce that only authenticated users can connect to the wireless network.

The second category includes Management control types. An excellent example from this category is the change management process. For example, it describes how we are going to handle firewall change requests, what approvals are needed, and how the change is tracked.

The last category includes Operational control types. This category may state what level of security awareness is required from personnel, and how to respond to incidents and security breaches.

False positives

This term is used to describe when an Intrusion Prevention System fires an alert on traffic that was not harmful. This is undesirable because the IPS has effectively killed our production traffic; therefore when deploying an IPS in production it is a good idea to spend some time fine-tuning the inspection engine.

False negatives

This term is also used in the IPS realm; it describes an event when the IPS did not catch the malicious traffic and an attack took place. Again, this event is undesirable, and it may happen when an attacker pulls out a 0-day (unknown) exploit to take advantage of an unpatched vulnerability.

Importance of policies in reducing risk

A company's policies have a major role in reducing overall risk. They can specify what actions are allowed and disallowed within the company and how to react in certain situations, e.g. fire or floods. This information should be shared with each employee. This is not only limited to IT system usage but also to the general work environment. Some examples of policies include: Acceptable Encryption Policy, Acceptable Use Policy, Clean Desk Policy, Email Policy, Password Protection Policy and many more.

Privacy policy 

A privacy policy is a document that describes how to handle sensitive information, for example credit card numbers, social security numbers, basically all internal and confidential documents or any other form of intellectual property.

It can cost you some bucks if you hand out the company's secrets

Acceptable use

An acceptable use policy may be part of the security policy or a standalone document. As the name implies, its purpose is to define how IT services can be leveraged and how to handle corporate resources and information.

Security policy

A security policy is another written document that defines rules that must be followed within an organization. It may describe what behavior is allowed or prohibited. For example, it may define what site categories an employee is allowed to visit on the Internet. Examples of this and other types of policy documents can be found at SANS. They may be used as your starting point when defining a security policy for your own organization.

Mandatory vacations 

Often found in many companies, mandatory vacations mean that employees are required to take some days off to avoid going crazy and to clear their heads from work, or to reveal a fraud. A mandatory vacation can be requested by your manager or boss.

Do you need anybody to force you to do this? Seriously?

Job rotation 

Job rotation is a common practice where people from different teams, such as engineering and operations, swap their roles for a certain period of time. This is useful to get a broader picture of how each team works and should help increase the level of cooperation between people.

Even farmers know what job rotation means

Separation of duties

With great power comes great responsibility, as Uncle Ben would say. Separation of duties in IT means that tasks are divided between many people. One group may handle change supervision, the next group handles change implementation, and another group is in charge of change approval and review.

The main point here is that no single person has all the roles. It is always required that more eyes look at the change before it gets implemented. This approach reduces risk.

This speaks for itself

Least privilege 

In our company we may have multiple teams that handle different parts of IT delivery. We may have a service desk which essentially answers service requests. We may have guys at the Network Operations Center who monitor network health, and we may also have hardcore admins doing heavy-duty troubleshooting.

All these roles have different privilege requirements. For example, Level 1 NOC may have only read-only access for basic checking, while the L3 guys may have root access. This approach also increases overall security and is often required to comply with security audits.

Call center folks do not get system level privileges but are quite happy without them

And with that sentence this article came to its end. I hope you learned something new today, and see you in the next one, which will be spinning around risk calculation.

Security+ Series Part 5: Wireless Security

Wireless networks are celebrating huge success these days. They are available almost everywhere, from businesses, metro stations, bars and coffee shops to our homes. They connect millions of devices (phones, tablets, notebooks, thermostats, televisions) and the number is growing. Often the security of these networks is overlooked or ignored, which exposes them to various types of attacks. The motivation may differ, from simple free Internet access to intentional targeted attacks. Although it might not sound scary at first sight, once an attacker gains access to a wireless network they can pull off another form of attack, for example ARP spoofing or DNS spoofing.

Random Trivia: Delain playing during post creation.

Disabling SSID Broadcasting

One of the common misunderstandings out there is that when you disable SSID broadcasting you are more secure. It is fine to do so if you choose, but bear in mind that the network will not stay hidden from someone who intentionally scans the radio frequency environment with tools such as inSSIDer or Aircrack-ng.

inSSIDer is a useful tool for RF analysis. It discovers nearby wireless networks.

MAC Filtering 

Stepping one step up the security ladder we have MAC address filtering. Fundamentally, this feature works by allowing only MAC addresses which are defined in a database. This DB can be right on the access point or on the wireless LAN controller. This approach is not very secure and it should not be your primary tool for defense, since a MAC address can be easily spoofed.

Changing a MAC address with MacAppStuff is easy cheese

WEP 

Wired Equivalent Privacy is a wireless network security standard introduced in 1999. Wireless networks at that time gained significant popularity and everyone wanted to have one. The main purpose of WEP was to bring data confidentiality and integrity. To achieve this, WEP uses the RC4 stream cipher and CRC32 for the checksum. WEP uses the same key for authentication and encryption. Throughout the years, it was revealed that WEP is no longer secure and is susceptible to multiple forms of attack because of its weak initialization vector. If an attacker has captured enough packets they can retrieve the original key. We will look at some attacks on WEP networks in the Offensive Security Series, which is coming soon. If you must use WEP, for example to support old bar-code scanners, terminate this network at a firewall and allow only the required minimum of services.

WPA

Wi-Fi Protected Access was introduced in 2003 by the Wi-Fi Alliance as a quick fix for WEP's weaknesses. The idea was to use the same hardware but provide better security; it would be implemented through a firmware upgrade. What WPA brings to the table is the Temporal Key Integrity Protocol (TKIP), which uses a dynamic 128-bit key for each packet. WPA also implements a message integrity check to protect against replay attacks. Unfortunately WPA is also susceptible to some forms of attack, such as re-injection and spoofing; however, it is still a better choice than WEP.

Aircrack-ng in action, pwning your favorite password.

WPA2

Wi-Fi Protected Access 2 brings new encryption. It was introduced in 2004, and for WEP-capable devices it would require a hardware upgrade because of the improvements. It uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol, or simply CCMP, with AES.

CCMP is an encryption protocol that is part of the 802.11i standard. It offers enhanced security compared to TKIP. It uses 128-bit keys and a 48-bit IV to mitigate replay attacks.
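To show what the 48-bit IV above buys a receiver compared with WEP's short per-packet IV, here is an added example (not code from the post) of the replay check a CCMP receiver performs: the packet number (PN) carried in the 8-byte CCMP header must strictly increase per transmitter, so a captured frame sent again is dropped. The header layout follows 802.11i; the frames, addresses and packet rate are constructed, and the 24-bit WEP IV width is a known fact, not something from the post.

```python
"""Receiver-side replay detection modelled on CCMP's 48-bit packet number.
Added example, not from the original post. All frames are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CCMP_PN_BITS = 48
WEP_IV_BITS = 24  # WEP's per-packet IV (the post's "weak initialization vector")
EXT_IV_FLAG = 0x20  # bit 5 of byte 3 of the CCMP header must be set


def build_ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """8-byte CCMP header: PN0, PN1, reserved, KeyID|ExtIV, PN2..PN5."""
    if not 0 <= pn < 2 ** CCMP_PN_BITS:
        raise ValueError("PN must fit in 48 bits")
    b = pn.to_bytes(6, "little")  # PN0 is the least significant byte
    return bytes([b[0], b[1], 0x00, EXT_IV_FLAG | (key_id << 6), b[2], b[3], b[4], b[5]])


def parse_ccmp_header(hdr: bytes) -> Tuple[int, int]:
    """Return (pn, key_id) from a CCMP header, rejecting malformed ones."""
    if len(hdr) != 8:
        raise ValueError("CCMP header must be 8 bytes")
    if not hdr[3] & EXT_IV_FLAG:
        raise ValueError("ExtIV bit not set; not a CCMP header")
    pn = int.from_bytes(bytes([hdr[0], hdr[1], hdr[4], hdr[5], hdr[6], hdr[7]]), "little")
    return pn, hdr[3] >> 6


@dataclass
class ReplayDetector:
    """Remembers the last PN accepted per (transmitter address, TID).
    A PN that does not strictly increase is treated as a replay and dropped."""
    last_pn: Dict[Tuple[str, int], int] = field(default_factory=dict)
    dropped: List[Tuple[str, int, int]] = field(default_factory=list)

    def accept(self, ta: str, tid: int, hdr: bytes) -> bool:
        pn, _key_id = parse_ccmp_header(hdr)
        key = (ta, tid)
        if pn <= self.last_pn.get(key, -1):
            self.dropped.append((ta, tid, pn))
            return False
        self.last_pn[key] = pn
        return True


def seconds_until_counter_wraps(bits: int, frames_per_second: float) -> float:
    """Time a single transmitter can send before an IV/PN of this width repeats.
    A repeated IV is what lets the WEP attacks the post mentions work."""
    return (2 ** bits) / frames_per_second


def demo() -> Tuple[int, int]:
    """Feed a constructed frame sequence through the detector.
    Returns (accepted, dropped)."""
    det = ReplayDetector()
    sta_a, sta_b = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed
    frames = [
        (sta_a, 0, 1), (sta_a, 0, 2),
        (sta_a, 0, 2),   # captured copy of PN 2 sent again: replay
        (sta_a, 0, 3),
        (sta_b, 0, 1),   # another transmitter keeps its own counter
        (sta_a, 0, 1),   # stale PN re-sent: replay
    ]
    accepted = sum(det.accept(ta, tid, build_ccmp_header(pn)) for ta, tid, pn in frames)
    return accepted, len(det.dropped)


if __name__ == "__main__":
    print("accepted/dropped:", demo())
    for name, bits in (("WEP 24-bit IV", WEP_IV_BITS), ("CCMP 48-bit PN", CCMP_PN_BITS)):
        hours = seconds_until_counter_wraps(bits, 1000.0) / 3600
        print(f"{name}: wraps after {hours:,.1f} hours at 1000 frames/s")
```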

You must know that WPA or WPA2 with pre-shared keys is still susceptible to attacks when a weak or predictable passphrase is used. An attacker could possibly crack the password with a good wordlist or a brute-force attack. Aircrack-ng is one of the most popular tool sets for penetrating wireless networks.

WPS

Wi-Fi Protected Setup was introduced in 2006. Its purpose was to help secure wireless networks without requiring the user to know all the moving parts underneath. You usually activate this feature physically on the wireless router itself or in the web GUI, and it will help you pair a new device. Although this worked well, later in 2011 a security flaw was found in this implementation which would allow an attacker to recover the WPS PIN using a brute-force attack.

See the blue button with arrow signs underneath? That is used for WPS.

EAP

Extensible Authentication Protocol is a framework. It is used in most enterprise wireless deployments. It provides a means of transporting key material and parameters used by various EAP flavors such as PEAP, LEAP, or EAP-TLS. EAP can be used with WPA or WPA2 to provide better authentication and key management.

As you see, the limitation of WPA or WPA2 with a pre-shared key is the fact that they use a pre-shared key. It is one key for everyone. Imagine that you have a contractor in the office who works for you temporarily; you need to grant him access to be able to work. However, once he is finished, you do not want to have to change the pre-shared key every time to keep network security high. That is why in the enterprise we need a more advanced method for authentication. When EAP is used over a LAN or WLAN network it is referred to as 802.1X.

PEAP

PEAP stands for Protected Extensible Authentication Protocol; it was developed by big players in the industry, Cisco, Microsoft and RSA Security, to address security weaknesses in WEP. It is yet another way to encapsulate EAP frames. PEAP authenticates the server with a digital certificate and carries data in a TLS tunnel. Each host receives a unique encryption key used with TKIP to provide data confidentiality. This protocol was meant to replace Cisco's proprietary LEAP.

LEAP

Lightweight Extensible Authentication Protocol was developed by Cisco. It also uses dynamic WEP keys which change over time. However, LEAP relies on MS-CHAP, which did not offer strong protection of credentials.

EAP-TLS

One of the most popular and widely used flavors of EAP. As the name says, it uses Transport Layer Security. It requires a digital X.509 certificate on the authentication server as well as on the client.

Captive portals

Captive portals are an excellent choice for wireless guest access. The way it works is that in your office you have an open SSID, for example CompanyX-Guest. This network has no authentication; everyone can connect. Once connected, users are redirected to a web page which has information about the usage policy that needs to be accepted. Often a username and password are required for tracking purposes, created by a receptionist or an ambassador who takes care of the guest. During guest account creation there is an option to set the duration for which this account will be valid, for example 8 hours.

Starbucks uses a captive portal before letting you on the dark net. Enjoy your coffee

VPN (over open wireless)  

You are in the coffee shop enjoying your latte, connected to Starbucks Free Wi-Fi, and everything is hunky dory. Is it? Think about it for a minute: no authentication, no encryption; is your communication really confidential? Well, it depends :-). You could be protected by other protocols like SSL/TLS, for example when you are visiting https web sites. For applications that do not use any additional level of security, their traffic is visible on these wireless networks.

For secure corporate access this may pose a risk. Therefore it is recommended to use an IPSec or SSL VPN over these unsecured wireless networks. I use this approach all the time to secure my communication or bypass site restrictions.

Antenna Placement and Types 

Although antenna placement is not only security related, it does affect what the attacker can do: if he has a really bad signal or no signal at all he will be very frustrated. By selecting the right antenna for your deployment you can increase the security of the environment. Some popular antenna types include bidirectional, directional and Yagi. By adjusting power controls you can also right-size the coverage.

An antenna is like a water hose: it can focus the signal in the right direction.

Wireless site survey

A wireless site survey is the first step of a proper wireless network deployment. Its role is to closely map the environment from a radio frequency point of view. It identifies which areas need to be covered and makes sure that signal levels are acceptable. Voice wireless networks have stricter requirements. Wireless signals are susceptible to many forms of interference; for example elevators or microwave ovens may pose a problem. The output of the survey will include heat maps, recommended access point models, their radio power settings and antenna types.

Cisco Wireless Control System can help you perform a predictive site survey.

And with that last piece of information this post has come to its end. I hope you learned something new while having fun, because that is the whole point. The information summarized here can help you pass the Security+ exam, but the real value is using these skills in the real world.

In the next part we will look at Compliance and Operational Security. Until then, take care and spread the word.

Security+ Series Part 4: Protocols and Ports

Welcome back to part 4 of the Security+ series. As promised, in this part we are going to look at the protocols and ports our apps use to communicate across the network. Without any further trash talk, let's get started.

IPSec

I mentioned IPSec when we described Virtual Private Networks. Generally it is not just a single protocol, but rather a protocol family. IPSec's job is to provide authentication, confidentiality, integrity and anti-replay protection for traffic on the move from one point to another.

To achieve authentication, several methods can be used, from simple pre-shared keys and RSA signatures to digital certificates.

Data confidentiality is definitely a high priority. IPSec can utilize industry standard protocols such as DES, 3DES or AES. Advanced Encryption Standard is the most recent and is the recommended one among the three. The way it works is that IPSec wraps your data into an Encapsulating Security Payload and encrypts everything inside, therefore a man in the middle would have a hard time putting the original message together.

Message integrity checks that no one tampered with your payload during transit. For this purpose, hashing algorithms are used. They perform a one-way mathematical function on the data and spit out a unique string of characters, the hash. The receiving party runs the same algorithm against the data and compares the hashes. If they match, the data did not change. The most popular hashing standards are MD5 and SHA.
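To make the integrity and anti-replay ideas concrete, here is an added example (not code from this post, and far simpler than a real IPSec stack): a sender appends a keyed hash (an HMAC-SHA256 integrity check value) to a sequence number plus payload, and a receiver only accepts packets whose hash verifies and whose sequence number is fresh, using a sliding replay window of the same 64-packet size ESP defaults to. The key is a constructed demo value; a real security association gets its keys from IKE.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real IPsec SA key comes from IKE negotiation.
DEMO_KEY = b"demo-sa-key-not-for-production"
REPLAY_WINDOW = 64   # ESP's default anti-replay window size
ICV_LEN = 32         # HMAC-SHA256 output length in bytes


def protect(seq: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Build a simplified ESP-like packet: sequence number || payload || ICV.

    The ICV is a keyed hash over everything before it, so someone in the
    middle cannot recompute it after tampering without the SA key."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + icv


class Receiver:
    """Verifies the ICV and enforces an ESP-style anti-replay sliding window."""

    def __init__(self, key: bytes = DEMO_KEY, window: int = REPLAY_WINDOW):
        self.key = key
        self.window = window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def accept(self, packet: bytes):
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(packet) < 4 + ICV_LEN:
            return None
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # compare_digest avoids leaking the mismatch position through timing
        if not hmac.compare_digest(icv, expected):
            return None                      # tampered, or wrong key
        seq = struct.unpack("!I", header)[0]
        if seq == 0:
            return None                      # ESP never uses sequence number 0
        if seq > self.highest:
            # slide the window forward and forget numbers that fell off its left edge
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        elif seq <= self.highest - self.window or seq in self.seen:
            return None                      # too old, or already accepted: replay
        self.seen.add(seq)
        return body


if __name__ == "__main__":
    rx = Receiver()
    p1 = protect(1, b"hello")
    print(rx.accept(p1))                       # b'hello'
    print(rx.accept(p1))                       # None: replayed packet
    print(rx.accept(p1[:4] + b"jello" + p1[9:]))  # None: payload tampered
```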

Frenzy, one of the Decepticons, steals data from Air Force One and sends it to Megatron over an IPSec tunnel. The Feds have no clue what they are cooking out there.

SNMP

Simple Network Management Protocol, also known by the name Security is Not My Problem, is used for network device management. It uses a put and pull model. Every value in a device is stored in a Management Information Base – MIB. These MIBs have a structure. A value can be anything from CPU utilization or the RX/TX rate on an interface to a password. These values are protected by read-only or read-write community strings. SNMP is used by management solutions such as Cacti, Cisco's Prime Infrastructure and many others.

These guys get their favorite monitoring sitcom via SNMP.

The bad thing about SNMP version 1 and version 2c is that they do not encrypt any communication between the server and the SNMP agent (device). If someone were to play a man in the middle game, they could easily get the strings, and that is game over, my friends.

It is recommended to use version 3, which adds more robust authentication mechanisms as well as encryption and message integrity. Add an access control list on top of that and you are on the right track. SNMP uses TCP port 161 for GET/SET operations and TCP port 162 for Traps.

There are more options for how to manage security devices. An example is Security Device Event Exchange (SDEE). SDEE uses TCP port 443.

SNMPwalk pulling stuff out of a box.

Telnet

Telnet is a legacy protocol but is still used on a lot of networks for remote device administration, or for watching cool movies. It was invented back in 1968. It is lightweight and it does not provide any data confidentiality. It is not recommended to use Telnet anymore; SSH is the better option. Telnet uses TCP port 23.

Star Wars Episode IV, ASCII edition. This is how the new Episode VII will be shot.

SSH

Secure Shell is the most widely used remote access protocol in the wild. It brings encryption to the table and is used for remote device management. An engineer would use it to connect to a remote router, or a scripting tool can use it to perform repeatable tasks on the box. The most popular SSH clients include PuTTY and SecureCRT. SSH uses TCP port 22.

PuTTY is simple, very customizable and free.

RDP

Remote Desktop Protocol is often used for remote graphical administration of Windows-based systems. It was developed by Microsoft and provides data confidentiality and authentication using TLS from version 5.2. The server listens on TCP port 3389.

Connecting to an NSA surveillance server via RDP.

I am connecting to a remote server in the NSA domain.

DNS

Without DNS there is no Internet, and without the Internet there is no DNS. The Domain Name System plays a huge role. It helps us translate human readable names into IP addresses. For example when you hit google.com, you are really connecting to one of the many addresses that the service is running on. DNS can also be used for load-sharing.

There are two types of DNS traffic out there: client-server, which uses UDP port 53, and server-to-server traffic, e.g. zone transfers, which uses TCP port 53. It is important to keep DNS secure and available. Many other things depend on it.

DNS packets displayed in the popular traffic capture tool Wireshark.

SSL

Secure Sockets Layer is a protocol used for encrypting connections over the Internet. For example it is used when you communicate with your bank or social network. You can see the presence of this layer in your browser, often noted by a lock or the https prefix in the URL. SSL negotiates a secure connection between two parties: client and server negotiate what kind of encryption, hashing and authentication they will use. This security model is tightly related to Public Key Infrastructure – PKI. We will touch on this more in later parts. Besides HTTPS on TCP port 443, other protocols can take advantage of SSL services.


The bank uses a digital certificate to prove its identity and build a secure connection.

TLS

Transport Layer Security is also a cryptographic protocol, like SSL. It is an open standard successor created by the IETF. It operates very similarly to SSL, and you may see these terms often interchanged. Client and server can negotiate which protocol they are going to use, SSL or TLS.

Bank's digital certificate details.

Bank’s secure connection details.

TCP/IP

The famous TCP/IP started it all. The term refers to a protocol stack named after the two most used protocols, which work together. Transmission Control Protocol takes care of reliable packet delivery, sequencing, flow control and session multiplexing. The Internet Protocol on the other hand handles logical addressing and routing.

TCP/IP are like the characters in Army of Two. They work with each other.

IPv4

Internet Protocol version 4 is in charge of logical addressing. The most common analogy for this protocol is your mail address. For someone to send you a letter, they need to know your address. They write this destination address on an envelope along with the source address, in case you want to reply to the letter. IP does the same, except it uses numeric 32-bit values.

For us humans it would be hard to remember an address like this:

11001100100001000010100010011011

Therefore we tend to divide this number into octets, groups of 8 bits, like this:

11001100.10000100.00101000.10011011

And then convert each group of 8 bits into decimal. This gives us the IP address:

204.132.40.155

IP addresses are then divided into a network and a host portion. Routers work with this information to route the packet the right way, the same way a mail service routes letters. Besides logical addressing, there are some extra features in the IPv4 header like error checking and options.
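The conversion and the network/host split above, carried out in code as an added example (not from the original post): the 32-bit string is cut into octets and turned into dotted decimal, and a prefix length (the post gives none, so the /24 and /20 used here are assumptions) separates the network portion a router looks at from the host bits.

```python
def binary_to_dotted(bits: str) -> str:
    """Turn a 32-digit binary string (dots between octets optional) into
    dotted-decimal notation, one octet of 8 bits at a time, as done by hand."""
    bits = bits.replace(".", "")
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 32 binary digits")
    octets = [bits[i:i + 8] for i in range(0, 32, 8)]
    return ".".join(str(int(octet, 2)) for octet in octets)


def dotted_to_int(addr: str) -> int:
    """Pack a dotted-decimal address back into its 32-bit integer value."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(p < 0 or p > 255 for p in parts):
        raise ValueError("not a valid IPv4 address: " + addr)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_network_host(addr: str, prefix_len: int) -> dict:
    """Split an address into its network portion (what routers use to forward
    the packet) and host portion for a given prefix length, e.g. /24."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    value = dotted_to_int(addr)
    network = value & mask
    host_mask = ~mask & 0xFFFFFFFF
    return {
        "network": int_to_dotted(network),
        "mask": int_to_dotted(mask),
        "host_bits": value & host_mask,            # the host portion as a number
        "broadcast": int_to_dotted(network | host_mask),
    }


if __name__ == "__main__":
    addr = binary_to_dotted("11001100.10000100.00101000.10011011")
    print(addr)                                    # 204.132.40.155
    print(split_network_host(addr, 24))            # assumed /24 prefix
```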

An IP packet is like a letter. It has its source and destination address.

IPv6

The next generation Internet Protocol brings an extended address space and more efficient header usage. Its header is twice as big as the IPv4 header, 40 bytes. It provides a 128-bit addressing space, which is a huge extension: 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.

The header itself was rewritten to omit some fields like fragmentation and the header checksum, and fields called Flow Label and Next Header were added. The header itself is much more modular now.

IPv4 vs. IPv6 Header

FTP

File Transfer Protocol is one of the oldest protocols out there. The original publication dates back to 1971. The protocol name speaks for itself. It uses TCP ports 20 and 21, and it does not provide any data confidentiality.

FTPS

Remember when I told you about SSL/TLS and that their services can be used by other protocols? That is exactly what is happening here. File Transfer Protocol over SSL uses them to secure data in transit. This is different from Secure File Transfer Protocol. It is not used very often in the wild. There are better ways.

SFTP

SSH File Transfer Protocol is an extension to the classic SSH protocol. It uses the same mechanisms but is used for file transfer, whereas classic SSH is used for remote administration via CLI. It uses TCP port 22.

TFTP

Trivial File Transfer Protocol is the last flavor we mention. As the name says, it is very lightweight and simple. It offers no authentication, encryption or data reliability. It leverages UDP port 69. It is often used in IP telephony, where phones use it to download firmware. Most embedded systems also support this protocol for the reasons mentioned earlier.

TFTP is lightweight like these shoes.

HTTP

Good old buddy Hypertext Transfer Protocol has been around since 1991. It is an application layer protocol used to request various types of resources, from simple text-based HTML pages to multimedia. It defines message types, response codes, basic authentication, caching and more. By default it uses TCP port 80.

HTTPS

Another case of using SSL/TLS secure services. Original HTTP is plain text communication, therefore it needs another protocol to secure its communication. As mentioned, HTTPS rides on TCP port 443.

HTTPS uses SSL/TLS to secure your data.

SCP

Secure Copy Protocol uses the same mechanisms for authentication, encryption and hashing as SSH. It provides just another way to transfer files securely.

ICMP

Internet Control Message Protocol was invented to provide control services for IP. Some of the most used tools in the world are in fact using ICMP: the famous ping command and also some implementations of traceroute.

ICMP is often used in monitoring systems to determine system availability. The management station sends an ICMP Echo Request at regular intervals and expects an ICMP Echo Reply. Often firewalls do not permit this type of traffic because of the higher security risk of network reconnaissance, mapping what is alive on the net.

Valve Portal’s turret uses ICMP to check if you are alive.

SMTP

Simple Mail Transfer Protocol is used to carry email messages from one email server to another. SMTP uses TCP port 25. There is also a flavor of SMTP that uses TLS, called SMTPS, and it uses TCP port 465.

POP3

Post Office Protocol is also used in email communication; it was introduced in 1984. It is used by an email client to retrieve messages from the server. It supports download and delete actions for simple mail manipulation. Usually a client would connect, download the messages and delete them from the server. The POP service listens on TCP port 110. This protocol can provide confidentiality using TLS, in which case it runs on TCP port 995.

Good luck reading the mail.

IMAP

Internet Message Access Protocol has a similar function to POP but brings additional features. An IMAP client can send complex queries, for example retrieve just the email header information. It supports online and offline modes of operation. Plain IMAP runs on TCP port 143, and the flavor that uses TLS for security uses TCP port 993 (IMAPS).

Microsoft Outlook is a popular POP3/IMAP client.

iSCSI

SCSI stands for Small Computer System Interface. It is used to interact with storage devices such as hard drives. It can be used over a network, hence the name (Internet) SCSI, to interact with a remote storage device at block level. The iSCSI client is referred to as the initiator and the remote storage is often called the target. It is commonly used in small scale Storage Area Network deployments. Storage servers can offer higher reliability and data protection through technologies such as RAID. These networks have higher demands on bandwidth and reliability than other types of traffic.

The client's disks appear as if they are directly connected, but in fact they are located on the iSCSI target (server).

Fibre Channel

Fibre Channel is another technology used to access remote storage at block level. FC uses dedicated Host Bus Adapters on the server side that connect to Fibre Channel switches, which also connect storage appliances containing various disk types: Solid State Drives, SAS drives, SATA drives and tape libraries. Fibre Channel technology is pretty costly compared to iSCSI.

EMC storage array.

FCoE

Historically, data and storage operated over two distinct physical networks. The reason was that storage traffic has different transport requirements, and it usually requires high speed links of 4, 8 or 16 Gbps. As 10 Gbps Ethernet evolved and matured, a new flavor of FC was introduced. Fibre Channel over Ethernet can use the same infrastructure for data and storage traffic. FC frames are encapsulated into Ethernet frames and receive special treatment from the transport fabric.

This can reduce CAPEX and OPEX expenses since you no longer need separate data and storage connections to servers and separate data and storage switches.

NetBIOS

Network Basic Input Output System is a legacy protocol used in Windows-based networks. It uses several services, for example name services running on UDP 137, datagram services on UDP 138 and session services on TCP 139.


And that, my friends, is the end of this post. I would not have thought at the beginning that this would be so long; if you made it to the end, you have my praise. Stay tuned for the next post in the series, which will cover Wireless Security.

Security+ Series Part 3: Network Security Design

In this part of the Security+ series we are going to dive into design best practices. You may already be familiar with some of the terms from previous posts, therefore we are going to build on top of those. The exam version SY0-401 also touches cloud computing concepts, so I made sure to include those as well.

DMZ

A Demilitarized Zone has its origins in the military and describes a neutral area for both fighting parties. The same concept is used in computer networking, where this area holds services that are accessible both from the Internet and from the intranet. You can further divide a DMZ into sub-DMZs; for example, a web proxy appliance can be in one zone, and your e-commerce servers can be in a different zone. Each zone can have its own policies. DMZs are typically connected to a firewall which enforces these policies. Inside a DMZ you can use other security technologies for further isolation, for example Private VLANs.

DMZ between North Korea and South Korea.

Subnetting

Subnetting is easy like the Jackson Five's ABC. Definitely one of the favorite topics in CCNA Routing and Switching or CompTIA's Network+. What subnetting does is break a large address block into smaller, more manageable pieces. For example you could use the private address space 10.0.0.0/8 for your company and start to divide that into subnets: one block used for the data center (a.k.a. Willy Wonka's data factory) would receive 10.0.0.0/16, your regions would get 10.1.0.0/17 and 10.1.128.0/17 and so forth. The key here is to plan ahead, otherwise you will have a mess in your IP address management – IPAM.

Subnetting is like dividing a cake.
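Planning ahead is easier with a check that the blocks you hand out really fit. As an added example (not from the original post), the plan below carves 10.0.0.0/8 exactly as described above, verifies that every block lies inside the parent and that no two blocks overlap, and lists the space still free for later regions; the block names are constructed.

```python
import ipaddress

# Constructed plan following the post's example: a data-center block and two
# regional blocks carved out of the 10.0.0.0/8 private space.
PLAN = {
    "data-center": "10.0.0.0/16",
    "region-east": "10.1.0.0/17",
    "region-west": "10.1.128.0/17",
}


def check_plan(parent: str, plan: dict) -> list:
    """Return the problems found: a block outside the parent, or two blocks
    that overlap each other. An empty list means the plan is consistent."""
    parent_net = ipaddress.ip_network(parent)
    problems = []
    nets = {}
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr)   # strict: rejects host bits set in a prefix
        if not net.subnet_of(parent_net):
            problems.append(f"{name} {cidr} is not inside {parent}")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def free_blocks(parent: str, plan: dict) -> list:
    """List the unallocated CIDR blocks left in the parent after the plan."""
    remaining = [ipaddress.ip_network(parent)]
    for cidr in plan.values():
        used = ipaddress.ip_network(cidr)
        kept = []
        for block in remaining:
            if used.subnet_of(block):
                # split the block and keep every piece except the used one
                kept.extend(block.address_exclude(used))
            elif block.subnet_of(used):
                continue                   # whole block consumed
            else:
                kept.append(block)         # CIDR blocks either nest or are disjoint
        remaining = kept
    return sorted(remaining)


if __name__ == "__main__":
    print(check_plan("10.0.0.0/8", PLAN))            # []
    for block in free_blocks("10.0.0.0/8", PLAN):
        print(block)                                  # 10.2.0.0/15 ... 10.128.0.0/9
```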

VLAN/PVLAN

Virtual Local Area Networks have been around for many years; they are so obvious that no one really thinks about them as a virtualization technology, but in fact they are. A VLAN is the equivalent of a broadcast domain; it provides separation at L2. It became popular after we started to push a lot of different types of traffic onto our network, so not only data traffic was riding on our switch links but also voice and video traffic. To be able to communicate between VLANs we need an L3 device: a multilayer switch, router or even firewall will do well.

The concept of VLANs was later extended to include a feature that would protect users in the same VLAN from each other. The idea is useful for example in hotels, where all guests sit on the same VLAN but you need to ensure that they cannot talk to each other directly. The extension is called Private VLAN.

NAT

We already briefly touched on NAT in a previous post. NAT was invented to slow down the depletion of the IPv4 address space. Since IPv4 addresses are "only" 32 bits long, there is a finite number of hosts that can access the public Internet. The idea is that inside our organization we use a private address range, like 10.0.0.0/8, but when we would like to access a resource on the Internet we translate our source address into a public one assigned by the service provider. Since many organizations have thousands of hosts inside and just a few public IPs, we need to do port multiplexing or overloading. This feature is called Port Address Translation – PAT. NAT/PAT is also used when companies merge and they have overlapping address space.
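How the overloading works can be seen in a small translation table, added here as an example (not from the original post): two inside hosts that happen to use the same source port share one public address and are told apart by the translated port, and a reply only gets back in when it matches an entry the inside created first. All addresses are constructed from the documentation ranges.

```python
import itertools


class PatTable:
    """Minimal Port Address Translation (NAT overload) model: many inside hosts
    share one public address, distinguished by the translated source port."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # (inside_ip, inside_port, dst_ip, dst_port) -> translated public port
        self.outbound_map = {}
        # (public_port, dst_ip, dst_port) -> (inside_ip, inside_port)
        self.inbound_map = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Translate a packet leaving the inside; returns the rewritten
        (src_ip, src_port, dst_ip, dst_port) as seen on the Internet."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            public_port = next(self._ports)
            if public_port > 65535:
                raise RuntimeError("no free public ports left on " + self.public_ip)
            self.outbound_map[key] = public_port
            self.inbound_map[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int):
        """Translate a packet arriving at the public address back to the inside
        host. With no matching entry (unsolicited traffic) it is dropped: None."""
        return self.inbound_map.get((dst_port, src_ip, src_port))


if __name__ == "__main__":
    pat = PatTable("203.0.113.5")                         # constructed public IP
    print(pat.outbound("10.0.0.1", 5000, "198.51.100.10", 443))   # port 1024
    print(pat.outbound("10.0.0.2", 5000, "198.51.100.10", 443))   # port 1025
    print(pat.inbound("198.51.100.10", 443, 1025))        # ('10.0.0.2', 5000)
    print(pat.inbound("198.51.100.10", 443, 2000))        # None: unsolicited
```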

Remote Access

The Internet is fundamentally changing the way we communicate. One of the features that many companies use is remote access. The idea here is that an employee or partner connected to the Internet creates a secure tunnel to our corporate network. All communication within this tunnel is encrypted. IPSec is one of the famous protocol stacks used for this purpose. It contains many different pieces for this to happen. There are however other emerging technologies that simplify the configuration of tunnels, namely SSL/TLS VPN. We will dig deeper into this area later in the series.

These guys are stuck at the airport. They could get some VPN magic rolling to get the job done.

Telephony

Since the time voice services joined data on the same transport network, we must also take care protecting this type of communication. Fundamentally, it is a good idea to put IP phones in a separate VLAN and harden it with the protocols we mentioned previously. Optionally, encryption can be used for the voice bearer to prevent eavesdropping. QoS is also essential to protect these little voice fellas in transit against DoS. On the other side, on the control plane, call processing servers and voice mail servers need the right level of security.

Get this retro IP Phone and people will be like Whaaaat?!

NAC

Network Admission Control is a feature that allows you to perform a security posture check on hosts trying to access the network. For example it will only allow access if the OS security patches are current, malware protection is enabled, the host intrusion prevention system is active, the disk is encrypted and so on. If that is not true, it can move the client to a remediation VLAN where it can receive all patches.

Lucky enough, NAC deals with computers.

Virtualization

Oh boy, this is a BIG one on my list. Server virtualization fundamentally changed the way we utilize hardware resources. In the past, we had a model where one business app would ride on an OS, and this OS would be installed directly on a physical machine. It was a cumbersome, slow process. Just think how long you would wait for the hardware itself.

Virtualization introduces a new layer between hardware and operating system. This layer is referred to as the hypervisor. The hypervisor abstracts the physical resources underneath, therefore we can now run many Virtual Machines – VMs on a single server. And that was just the beginning: we can take a pool of physical servers and cluster them, so if any of them fails we move the workload somewhere else.

Imagine that you could do the same with networking. Stay tuned for the NSX series, you will love it.

The picture says it all.

Cloud Computing

And the winner of the 2013/2014 buzzword is… Cloud Computing. This is one of the most abused terms out there. What marketing departments did with it is beyond imagination.

To bring some value back to this term: cloud is not really new, it has been around for many years, just nobody called it that. Essentially a cloud is a resource located somewhere else. So even Willy Wonka's traditional data factory can be a cloud with some additional services such as Pay As You Go, or utility based computing, the same model as electric energy, water or gas has today.

See? They measure your actual usage. How clever.

SaaS

The Software as a Service term was born when companies such as Google, Amazon and Microsoft started to offer traditional software as a…service. You got it! The main point is that you do not own or maintain the hardware or the operating systems these run on, you just use the app. Examples include Office 365, SalesForce, Gmail, even WordPress is a SaaS.

MaaS

This one made me laugh, as you can offer almost anything as a service. So Monitoring as a Service was born. For example, Cisco offers a cloud wireless solution called Meraki. They will ship you a bunch of lightweight access points, and they will be managed from a controller sitting in their data center.

Cisco Meraki Access Points. Thumbs up for clean design.

PaaS

Moving one layer below SaaS, you find Platform as a Service. In this model, the provider provides you with hardware and an operating system and perhaps a development environment. Out there in the wild some known PaaS providers are Google App Engine, Amazon Elastic Beanstalk, Microsoft Azure and HP Cloud. The number is growing.

IaaS

Infrastructure as a Service moves another layer below. The provider will provide hardware and a hypervisor. It is up to you to build and spin up virtual machines on top of them. This is very extensible: you can use predefined virtual machines from a marketplace, or you can build application blueprints and create entire application stacks very quickly. One such example is the SharePoint Reference Architecture. The list of providers includes major players – Google, Amazon, Microsoft, VMware, HP, Rackspace and many more.

Cloud Ownership

Depending on implementation and ownership you can choose between various cloud models:

  • Private – built in house; you manage hardware, hypervisor, OS and applications
  • Public – resources rented from a cloud provider; responsibilities depend on the type (SaaS, PaaS, IaaS)
  • Hybrid – a combination of the two above
  • Community – multiple internal customers using the same platform, for example government agencies

Who has the keys to your kingdom?

Defense in Depth

Defense in depth is a concept where you implement security mechanisms at multiple places, starting at the user level with training, moving to host security, switch security, firewall security and so on. This approach decreases the likelihood of being compromised.

With defense in depth our network is like a fortress.

And with that, my friends, we are at the end of this part of the series. I hope you enjoyed it and learned something new. See you in the next part, which will spin around Protocols and Ports.