SEC 350 01 class notes - Cyber-JL/SEC-350-01 GitHub Wiki

Week 1 Enterprise Network & Security Controls

Enterprise Network & Security Controls

  • When we speak of Perimeter Security, we are talking about those controls that we deploy between areas of different trust.
    • WAN-to-DMZ
    • DMZ-to-WAN
    • LAN-to-WAN
    • DMZ-to-LAN
    • Workstations-to-Workstations
    • Servers-to-WAN
    • VPN Road Warrior to LAN
    • Site A – Site B
    • Domain to Forest
    • Domain to Domain
  • Increasingly there is the discussion of zero trust where every connection is eyed with suspicion
  • In the end, we are trying to protect the enterprise's assets, data, networks and people.
    • What information and associated assets does the business need to carry out its mission?
    • Where is the data, and what controls are in place to protect it both at rest and in transit?
    • Who/what needs access to it?
    • How can we recover from disaster?


Week 2 Logging

Week 1 gotcha

  • the VM network
  • firewall-cmd --permanent rules only take effect after firewall-cmd --reload
  • /29 for the DMZ
  • systemctl restart rsyslog on both client and server
  • the static route, double check with
    • ip route
  • multiple IPs on a single VyOS instance
    • Just remove by replacing set with delete
  • Linux allows you to add an IP address even when DHCP/automatic is selected; this will not work.

Attack trees

  • Schneier: talks about security after 9/11 and the amount of money spent, and has an attack tree that walks through breaking into a safe
  • Considerations & Mindsets
    • Recon
    • Lateral movement
    • Cost increases the further down the tree (or along the graph sequence) you go
      • Kill chain
    • The attacker is intelligent; they will be successful
    • Defenses need to both detect and delay
    • Defenses need to be active

Axioms


Logging

  • A record of an event. In this case we are talking about an event on your network and systems
    • Syslog entries carry
      • Time and date
      • IP address
      • sshd process ID (the number in sshd[1234])
      • Description
      • Src and dest
      • Port
      • Protocol or service
  • If done correctly, logging can enable the security principle of accountability.
    • Who did what and when did they do it?
  • Compliance
  • Investigations
  • Operations and Maintenance

Volume Challenge

  • Put logs on a separate volume
  • Logging volume and collection has expanded exponentially.
  • Log Management must be considered when implementing any logging effort.
  • Important to collect only those logs you have a need for, as opposed to debug-level logging (in the syslog severity sense) for everything.
  • Some logging vendors charge by volume (Splunk)

Log Management

  • Process for generation, transmission, storage, analysis and disposal
  • Defined Logging Requirements and Goals
    • Some of these will be based upon regulatory compliance, best practices (NIST SP 800-92)
    • Prioritized list of logging sources and data retention requirements.
      • Logging everything and keeping it forever is not a good answer
    • CIA of log data. Original versus modified/normalized
    • Organization entity should be in charge of log management

Logging infrastructure

  • Analyze the sizing requirements.
    • What is the anticipated volume of logs, and how will that grow in the out years?
    • What is the impact of this volume on the network
    • Where will the logs be stored and how much space?
    • Compression?
    • Copies?
    • Rotation/Destruction/Decay requirements
  • Staffing and Budget
    • Who will analyze these logs, and what tools will they have at their disposal?
    • Cost, Schedule and Functionality
      • A 24x7 SOC is expensive

Log Management Tasks

  • Are all sources producing logs? Are they making it from source to storage?
  • Is the rotation scheme working?
  • Time, is it synchronized?
  • Do all log sources have an analytic task associated with them?
  • Log reduction scheme
  • Log normalization

Challenges/Approaches

  • Timestamps and time accuracy
    • Use NTP and log in UTC across the board
    • Validate time sync periodically
    • Use an accurate clock
  • Format and Correlation
    • Logs between data sources are inconsistent. Is the source IP address in a particular field, or is it called something like srcip, attacker ip, srcaddr or ip?
    • Normalization is needed to allow a correlated analysis across multiple log sources.
  • Speed and indexing
    • SIEM and correlation tools are all well and good but if the data of interest is not ingested or indexed properly then the questions you ask will take a long time to answer
  • SSD, Spinning Disks, Tape? Longterm Backup?

Syslog vs Agents

  • Syslog is a standard nearly all devices support
  • Agents are software running on hosts that provide far more fidelity and functionality than a simple syslog feed.
  • Agents cannot be deployed to all devices so…
  • Some combination of syslog and agents are typically part of the logging solution

Week 3 Segmentation

Week 2 notes

  • systemctl restart rsyslog
  • firewall-cmd --permanent, then firewall-cmd --reload (Rocky)
  • Recursive logs filling the disk (maybe)
  • Submitting at 12:30am (no more breaks on this). Get the labs done in time to request help if you get into trouble
  • 300+ level classes and tutors
  • Tech journal
    • More care, with focus on readable, reusable and easily accessible content
    • root@localhost will get you a -1 from here on out

The Flat network

  • Easy to maintain
    • All hosts and services can talk to one another
    • Workstation to workstation
    • Server to server
    • SSH and RDP anywhere
  • Difficult to monitor and secure
    • Attacks can easily traverse network
    • Attacks aren’t visible if they don’t traverse a network appliance (router, firewall, IDS)
    • Rate and speed of infection and compromise is high

Isolate management from LAN/Production

  • How can we separate traffic and services like …
    • SSH, syslog, RDP, so that it always originates from an isolated and protected space?
    • Result: traffic that violates this policy becomes very visible and becomes an exception, rather than noise in a non-segmented network

Methods

  • Physical separate management network
    • Option 1: dual-homing managed hosts
    • Option 2: route management traffic from MGMT -> PROD through a firewall
  • VLANs
  • Proprietary
    • Windows Server and Network Isolation (IPSec based)

Segmentation

Week 3

  • The LAN
  • The MGMT segment
  • log01 is retired
  • Wazuh on MGMT
  • A new firewall
    • fw-mgmt
    • RIP routing
  • wks1
    • Win10
  • mgmt01
    • Server 2019


Week 4 Network Firewall

week 3 issues

  • DNS, it is always DNS
  • What is an APT?
    • The attacker has goals and the means to achieve them: $, expertise, and movement.
    • Sony. What was the goal?
      • Revenge attack for the movie "The Interview"

Zones

  • VyOS and many other firewall vendors have implemented zone-based firewalls. In this case, each zone is tied to an ethernet interface:
  • fw01 has 3 interfaces: LAN, WAN and DMZ, thus we have three zones, each tied to an interface
  • fw-mgmt has two interfaces: LAN and MGMT, so two zones, each tied to an interface

Zone Policy

Zones can communicate with one another.

  • Traffic from Zone A → B gets its own firewall definition
  • Traffic from Zone B → A also gets its own independent firewall definition

DMZ from WAN

WAN -> to -> DMZ firewall

  • allow TCP/80 from WAN to web01
  • start your first substantive rule at 10 and increment by 10
  • rule 1 is reserved for either allowing all or just established connections
  • the return traffic
    • allow connections initiated and allowed from within the DMZ to return back through the WAN interface (state established), usually rule 1

DMZ -> to -> WAN

  • allow existing and allowed connections from the WAN to return through the firewall
  • later we will need to allow things such as NTP and software update through

All firewall definitions (8 total firewalls)

fw01

  • WAN to DMZ
  • DMZ to WAN
  • DMZ to LAN
  • LAN to DMZ
  • LAN to WAN
  • WAN to LAN

fw-mgmt

  • LAN to MGMT
  • MGMT to LAN

VyOS Firewall Major Steps

4 Step Process

  1. Create the zones, one per interface
     1. set zone-policy zone WAN interface eth0
  2. Create the firewalls, one in each direction between each pair of zones
     1. set firewall name WAN-to-DMZ default-action drop
     2. So, two interfaces/zones = 2 firewalls
     3. Three interfaces/zones = 6 firewalls
  3. Assign the firewalls to zones
     1. E.g. set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
  4. Create the rules in the firewall
     1. set firewall name DMZ-to-WAN rule X ….
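An added example, not part of the course wiki or of VyOS itself: a POSIX shell script that prints the VyOS set commands for the four steps from a list of ZONE:INTERFACE pairs, so the "N zones = N*(N-1) firewalls" rule is visible. The interface assignments (WAN=eth0, LAN=eth1, DMZ=eth2) and the web01 address 10.0.5.10 are assumptions.

```shell
#!/bin/sh
# Emit VyOS "set" commands for a zone-based firewall (VyOS 1.2/1.3 syntax).
# Usage: vyos_zone_config WAN:eth0 LAN:eth1 DMZ:eth2   (interfaces assumed)
vyos_zone_config() {
  zones=""
  # Step 1: one zone per interface
  for pair in "$@"; do
    zone=${pair%%:*}; iface=${pair#*:}
    zones="$zones $zone"
    echo "set zone-policy zone $zone interface $iface"
  done
  # Steps 2 and 3: one firewall per ordered pair of zones, default drop + log,
  # rule 1 lets established/related return traffic through, then attach it.
  for from in $zones; do
    for to in $zones; do
      [ "$from" = "$to" ] && continue
      fw="${from}-to-${to}"
      echo "set firewall name $fw default-action drop"
      echo "set firewall name $fw enable-default-log"
      echo "set firewall name $fw rule 1 action accept"
      echo "set firewall name $fw rule 1 state established enable"
      echo "set firewall name $fw rule 1 state related enable"
      echo "set zone-policy zone $to from $from firewall name $fw"
    done
  done
}

# Step 4: the first substantive rule in WAN-to-DMZ, numbered 10 as the notes
# advise, with a description so the log lines are readable later.
# Usage: vyos_web_rule WAN-to-DMZ 10.0.5.10   (web01's address is a placeholder)
vyos_web_rule() {
  fw=$1; web01=$2
  echo "set firewall name $fw rule 10 action accept"
  echo "set firewall name $fw rule 10 description 'HTTP from WAN to web01'"
  echo "set firewall name $fw rule 10 protocol tcp"
  echo "set firewall name $fw rule 10 destination address $web01"
  echo "set firewall name $fw rule 10 destination port 80"
}

# How many firewalls a zone set needs: N zones -> N*(N-1).
count_firewalls() {
  vyos_zone_config "$@" | grep -c 'default-action drop'
}
```

Paste the output into the VyOS configure shell and follow it with commit and save.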

Technique - deny, log, and debug

Start all firewall exercises with a default drop and log and only open up those ports and protocols that are required for operation.

Try an operation you wish to work, and monitor the firewall logs (/var/log/messages) to find out exactly which firewall needs to be adjusted. Be as specific as possible using filters such as:

  • Destination or Source Address
  • Destination or Source Port
  • Protocol
  • Descriptions!
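An added example (not from the course wiki) of the "monitor the firewall logs" step: a shell function that tallies the dropped packets in VyOS kernel log lines by firewall, rule, source, destination, protocol and port, so you can see exactly which firewall needs a rule. The sample lines are constructed in the VyOS "[NAME-RULE-ACTION]" log-prefix format; the addresses in them are placeholders.

```shell
#!/bin/sh
# Constructed sample of what /var/log/messages shows on fw01 when the
# default-drop firewalls log; "-D" means dropped, "-A" means accepted.
SAMPLE_LOG='Feb 10 14:02:11 fw01 kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=10.0.5.10 PROTO=TCP SPT=51234 DPT=443
Feb 10 14:02:12 fw01 kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=10.0.5.10 PROTO=TCP SPT=51235 DPT=443
Feb 10 14:02:15 fw01 kernel: [WAN-to-DMZ-10-A]IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=10.0.5.10 PROTO=TCP SPT=51236 DPT=80
Feb 10 14:03:01 fw01 kernel: [DMZ-to-WAN-default-D]IN=eth2 OUT=eth0 SRC=10.0.5.10 DST=192.0.2.123 PROTO=UDP SPT=123 DPT=123
Feb 10 14:03:02 fw01 kernel: [DMZ-to-WAN-default-D]IN=eth2 OUT=eth0 SRC=10.0.5.10 DST=192.0.2.123 PROTO=UDP SPT=123 DPT=123'

# Read log text on stdin; print "count firewall rule src dst proto dport"
# for dropped packets only, most frequent flow first.
firewall_drops() {
  awk '
    match($0, /\[[^]]+-D\]/) {
      tag = substr($0, RSTART + 1, RLENGTH - 2)     # e.g. WAN-to-DMZ-default-D
      sub(/-D$/, "", tag)                           # strip the action
      n = split(tag, parts, "-"); rule = parts[n]   # last element is the rule
      fw = substr(tag, 1, length(tag) - length(rule) - 1)
      src = dst = proto = dport = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DST=/)   dst   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dport = substr($i, 5)
      }
      count[fw " " rule " " src " " dst " " proto " " dport]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Number of distinct dropped flows in the sample.
sample_drop_flows() {
  printf '%s\n' "$SAMPLE_LOG" | firewall_drops | wc -l | tr -d ' '
}
```

On the firewall, grep kernel /var/log/messages | firewall_drops gives the same summary for live traffic; in the sample, the DMZ-to-WAN drops on UDP/123 are the NTP case the notes say will need a rule later.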

Week 6 Port Forwarding and Jump Boxes

Port Forwarding

  • rw01 browses to eth0 on fw01
    • the static route to the 50 network is gone
    • TCP 80 is redirected to the desired host (web01)
  • similar for SSH access to the jump host
  • fw01 cannot listen on eth0:22 AND forward 22 to the jump host, so adjust the SSH listen address to an internal one

Jump box

  • A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. The most common example is managing a host in a DMZ from trusted networks or computers.
  • https://en.wikipedia.org/wiki/Jump_server

The Basics

The Jump Box is:

  • on the DMZ
    • Typically SSH and sometimes RDP
  • Reached by Port Forwarding
  • Immune to brute force password attack
    • ssh keys
  • Heavily monitored
  • Jump User is unprivileged
  • Restricted to communicating only with what is actually required
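An added example, not from the course wiki: a shell audit that checks an sshd_config against the jump-box basics above (keys only, no root, only the unprivileged jump user, verbose logging for monitoring). The sample config is constructed and the user name jump is an assumption; on a real jump host feed it /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Constructed sshd_config for a jump host that meets the policy.
SAMPLE_SSHD_CONFIG='# constructed sshd_config for jump01
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jump
LogLevel VERBOSE'

# Effective value of a directive: sshd uses the first match, so print the
# first uncommented occurrence (keyword is case-insensitive), or nothing.
sshd_directive() {                       # $1 = keyword, config on stdin
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }'
}

# Print one line per finding; return the number of findings (0 = policy met).
# An unset directive counts as a finding even where the compiled-in default
# would satisfy it, so the policy is explicit in the file.
audit_jump_sshd() {                      # $1 = jump user name, config on stdin
  cfg=$(cat); findings=0
  check() {                              # $1 = keyword, $2 = required value
    got=$(printf '%s\n' "$cfg" | sshd_directive "$1")
    if [ "$got" != "$2" ]; then
      echo "FAIL: $1 is '${got:-unset}', expected '$2'"
      findings=$((findings + 1))
    fi
  }
  check PermitRootLogin no               # jump user is unprivileged, never root
  check PasswordAuthentication no        # immune to password brute force
  check PubkeyAuthentication yes         # ssh keys
  check AllowUsers "$1"                  # only the jump user may log in
  check LogLevel VERBOSE                 # heavily monitored: logs key fingerprints
  [ "$findings" -eq 0 ] && echo "OK: jump-box sshd policy satisfied"
  return "$findings"
}
```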

Week 8 Virtual Private Networks

VPN

  • extend your intranet across the internet
  • can encapsulate the entire packet, or just the data/payload
  • uses
    • corporate email
    • authentication
    • web
    • distributed file systems and shares
    • network resources

Use Cases

  • Site-to-Site
  • Host-to-Host
  • Remote Access - Road Warrior

Site-to-Site

  • A geographically separate organization
  • Establish a long-term connection that makes site-to-site connectivity transparent to end users
    • When user in Burlington accesses the Montreal Web Server, it is done seamlessly, securely, and transparently, even if running over http
    • Encryption occurs between two configured gateways, and clients act normally.


Road Warrior

  • Remote Access, Road Warrior Use Case
    • Teleworker who wants to access Exchange email just as if they were internally connected
    • Access a Terminal Services Session in order to use virtual Corporate Desktop
    • Remote SysAdmin who needs to access Network Management Resources securely
    • User is somewhat aware of the encryption. It is not transparent, as they need to turn on the VPN connection.

VPN Types

  • IPSEC based VPNs
    • Out of the box for Windows, OS X, Cisco, VyOS
  • SSL Based VPNs
    • OpenVPN, etc…
    • Interesting example of tunnelling a lower level protocol over a higher level protocol
    • Becoming very popular due to the mobility of the workforce

TCP/IP Security

How can we protect data and/or packets?

  • TLS/SSL
    • Transport Layer Security (TLS)/Secure Sockets Layer (SSL)
    • Layer 5+ protection (session layer)
    • Widely used to protect the data portion of TCP/IP communications
    • Protects against eavesdropping (confidentiality) and data payload tampering (integrity).
    • Offers certificate-based protection against spoofing (authentication)
  • IPSEC
    • Internet Protocol Security
    • Layer 3 (network layer) protection
    • Widely used to secure communications on Virtual Private Networks (VPN)
    • Can protect against eavesdropping, tampering, and spoofing

IPSEC

  • IP SECurity
    • Operates at Layer 3 (network Layer)
  • Authenticates and/or encrypts each IP Packet
  • Security Architecture
    • Encapsulating Security Protocol (ESP)
      • Provides confidentiality, integrity and authentication (C+I+A) of the IP packet
    • Authentication Header (AH)
      • Provides integrity and authentication … not payload encryption
  • Extraordinarily complicated protocol suite
  • High-level Security


Host-to-Host

  • Dedicated connection between two hosts can be established using the same technology
    • Not a common use case but can be done, particularly if you have a service (consider syslog or MySQL transactions) you wish to secure between say an app server and remote database or log server and crypto is not baked in to those protocols.