Network Defense methods - Dleifnesor/NET-150 GitHub Wiki

Considerations

How is the system connected to the network?

o Not connected to any network (stand-alone)?

• The best network defense

o On a private network (not the Internet)?

• Highly secure environments (military, utility grid...) may run separate networks

o On the Internet?


Network based defenses

Routers- devices that “route” traffic between different networks

o Can create routing rules to control which networks can communicate.

o Can create Access Control Lists (ACLs) to drop certain types of traffic

• Spoofed addresses

• Certain protocols

• Certain incoming traffic from specific IPs


Network Address Translation (NAT)

o Using private IP addresses internally and translating to "public" IPs when communicating on the Internet

• Private IP Addresses (RFC 1918)

o 10.0.0.0/8

o 172.16.0.0/12

o 192.168.0.0/16

• Organizations use private addresses on the local network

• Router translates private to public IPs and keeps track of each translation in a table; an inbound packet that matches no table entry has nowhere to go and is dropped
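A worked illustration of the translation table (an added example, not code from the wiki): a minimal port-based NAT that maps an internal private address and port to the router's public address and a fresh public port, looks replies back up in the table, and drops any inbound packet with no matching entry. The addresses, the public port range starting at 40000 and the `NatRouter` name are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# The three RFC 1918 private blocks with their prefix lengths
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass
class NatRouter:
    """Port-based NAT: one public IP shared by many private hosts."""
    public_ip: str
    next_port: int = 40000          # assumed start of the pool of public ports
    # (private_ip, private_port, dst_ip, dst_port) -> public_port
    outbound: dict = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
    inbound: dict = field(default_factory=dict)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an internal packet's source to the public IP and a public port,
        creating a table entry the first time this connection is seen."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, remote_ip, remote_port, public_port):
        """Rewrite a packet arriving at public_ip:public_port back to the internal
        host, or return None (drop) when no internal host initiated it."""
        entry = self.inbound.get((public_port, remote_ip, remote_port))
        if entry is None:
            return None
        return (remote_ip, remote_port) + entry


def demo():
    """Constructed scenario: one internal host talks to a web server; a reply
    comes back; an unrelated Internet host tries to reach the same public port."""
    nat = NatRouter(public_ip="203.0.113.5")
    out = nat.translate_outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    again = nat.translate_outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    reply = nat.translate_inbound("198.51.100.20", 443, out[1])
    unsolicited = nat.translate_inbound("198.51.100.99", 443, out[1])
    return out, again, reply, unsolicited


if __name__ == "__main__":
    for label, value in zip(("out", "again", "reply", "unsolicited"), demo()):
        print(f"{label}: {value}")
```

Note that the drop of the unsolicited packet is a side effect of the table, not a security policy: NAT is not a substitute for a firewall, and anything the router is configured to forward (port forwarding, UPnP) bypasses it.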


Firewalls

Layer 4 Firewalls

• Rules based on Layer 3:

o IP Addresses of both internal and external computers

• e.g. allow all external systems to 129.170.20.101

• Allow 153.104.15.6 to 129.170.118.112

• Allow 153.104.15.0/24 to 129.170.18.0/24

• Deny Any to 129.170.15.0/24

• And Layer 4 “Port Numbers”

o Such as Port 80 (HTTP), 443 (HTTPS), 3389 (RDP)

• e.g. allow all external systems to 129.170.20.101 on port 80

• Allow 153.104.15.6:3389 to 129.170.118.112:3389

• Allow 153.104.15.0/24 to 129.170.18.0/24 on port 443

• Deny Any to 129.170.15.0/24 on port 3389

Advanced Firewalls (Application Firewalls)

  • Newer

  • Can inspect the entire packet, including the data

  • Can set rules on layers 3 and 4 plus info in the data (like URLs)

  • Can identify particular applications, regardless of port

• Examples:

o Allow port 80 (HTTP) but block Facebook

o Allow port 80 (HTTP) to 129.170.20.101 but block if URL contains “/admin.php”
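The Layer 3/4 rules above and the two application-layer examples, as one small rule evaluator (an added example, not code from the wiki): rules are checked in order, the first match wins, and anything unmatched is denied. A rule with a `url_contains` condition is what separates the two kinds of firewall: a Layer 4 packet carries no URL, so that rule can only fire when the device has inspected the data. The `Rule` name, the field names and the packet dictionaries are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    src: str = "any"                    # IP or CIDR; "any" matches everything
    dst: str = "any"
    dport: Optional[int] = None         # None = any port (a pure Layer 3 rule)
    url_contains: Optional[str] = None  # Layer 7 condition on the request URL


def _match_addr(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if not _match_addr(rule.src, pkt["src"]):
        return False
    if not _match_addr(rule.dst, pkt["dst"]):
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    if rule.url_contains is not None:
        # Layer 7 condition: needs the payload. A packet for which the firewall
        # has no URL (a Layer 4 view) can never match this rule.
        url = pkt.get("url")
        if url is None or rule.url_contains not in url:
            return False
    return True


def evaluate(rules, pkt: dict, default: str = "deny") -> str:
    """First-match evaluation with an implicit deny at the end."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# The rule set from the notes above. The URL deny must come BEFORE the general
# allow to 129.170.20.101:80, or first-match would let /admin.php through.
RULES = [
    Rule("deny", dst="129.170.20.101", dport=80, url_contains="/admin.php"),
    Rule("allow", dst="129.170.20.101", dport=80),
    Rule("allow", src="153.104.15.6", dst="129.170.118.112", dport=3389),
    Rule("allow", src="153.104.15.0/24", dst="129.170.18.0/24", dport=443),
    Rule("deny", dst="129.170.15.0/24", dport=3389),
]

if __name__ == "__main__":
    # constructed packets, one per rule
    samples = [
        {"src": "8.8.8.8", "dst": "129.170.20.101", "dport": 80, "url": "/index.html"},
        {"src": "8.8.8.8", "dst": "129.170.20.101", "dport": 80, "url": "/admin.php?x=1"},
        {"src": "153.104.15.7", "dst": "129.170.118.112", "dport": 3389},
        {"src": "1.2.3.4", "dst": "129.170.15.20", "dport": 3389},
    ]
    for pkt in samples:
        print(evaluate(RULES, pkt), pkt)
```

Rule order is the usual source of mistakes in real rule sets: put the specific deny above the broad allow, and keep the implicit deny at the bottom so a forgotten case fails closed.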


Intrusion Detection and Intrusion Prevention

Intrusion Detection Systems (IDS):

o Monitor network traffic for patterns that look like cyber attacks

o Generate alerts to notify network and system administrators

Intrusion Prevention System (IPS):

o Same as IDS but can block/drop traffic identified as attacks

Reputation-based IPS

Maintains a list of malicious IP addresses and domains

Lists are updated frequently

Can block traffic from bad IPs and domains

Anomaly based IPS

Inspects traffic flows: data about transmissions between hosts, not the packet contents

• IP addresses, ports, number of packets, bytes

Builds a baseline of "normal" traffic and compares current flows against it

o Can detect “anomalous” (abnormal) activity and can block hosts if they are misbehaving

o Can detect:

• Sudden and excessive e-mail (spam engine)

• Scans of network

• Port scans of individual hosts

• Denial-of-Service attacks

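A flow-based anomaly detector of the kind described above, as an added example (not code from the wiki or from any product): each time window is summarised per source host into three flow features (distinct destination hosts, distinct destination ports, bytes sent), a baseline of mean and standard deviation is learned from windows of normal traffic, and a host whose feature exceeds mean + k·sigma is flagged. A spike in distinct ports is reported as a port scan, in distinct hosts as a network sweep, and in bytes as a volume spike (the spam engine / DoS case). The flow records, hosts and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Feature -> what a spike in it usually indicates
KIND = {"hosts": "network sweep", "ports": "port scan", "bytes": "traffic volume spike"}


def window_features(flows):
    """Summarise one time window of flow records per source host."""
    hosts, ports, nbytes = defaultdict(set), defaultdict(set), defaultdict(int)
    for f in flows:
        hosts[f["src"]].add(f["dst"])
        ports[f["src"]].add(f["dport"])
        nbytes[f["src"]] += f["bytes"]
    return {s: {"hosts": len(hosts[s]), "ports": len(ports[s]), "bytes": nbytes[s]}
            for s in hosts}


def build_baseline(windows):
    """Mean and standard deviation of each feature over the 'normal' windows,
    pooled across all hosts."""
    samples = defaultdict(list)
    for flows in windows:
        for feats in window_features(flows).values():
            for name, value in feats.items():
                samples[name].append(value)
    return {name: (mean(v), pstdev(v)) for name, v in samples.items()}


def detect(baseline, flows, k=3.0, min_sigma=1.0):
    """Return {src: [kinds]} for hosts whose feature exceeds mean + k*sigma.
    sigma is floored at min_sigma so a perfectly flat baseline does not alert
    on a change of one."""
    alerts = defaultdict(set)
    for src, feats in window_features(flows).items():
        for name, value in feats.items():
            mu, sigma = baseline[name]
            if value > mu + k * max(sigma, min_sigma):
                alerts[src].add(KIND[name])
    return {src: sorted(kinds) for src, kinds in alerts.items()}


def normal_window():
    """Constructed normal traffic: five workstations doing DNS, HTTPS and HTTP."""
    flows = []
    for i in range(1, 6):
        src = f"10.0.0.{i}"
        flows.append({"src": src, "dst": "10.0.0.53", "dport": 53, "bytes": 120})
        flows.append({"src": src, "dst": "198.51.100.10", "dport": 443, "bytes": 4000 + 300 * i})
        flows.append({"src": src, "dst": "198.51.100.20", "dport": 80, "bytes": 2500})
    return flows


def attack_window():
    """Constructed window: normal traffic plus a port scan, a sweep and a spam burst."""
    flows = normal_window()
    # 10.0.0.9 probes 40 ports on one host (port scan)
    flows += [{"src": "10.0.0.9", "dst": "10.0.0.50", "dport": p, "bytes": 60} for p in range(1, 41)]
    # 10.0.0.7 probes port 445 on 30 hosts (network sweep)
    flows += [{"src": "10.0.0.7", "dst": f"10.0.1.{h}", "dport": 445, "bytes": 200} for h in range(1, 31)]
    # 10.0.0.3 suddenly pushes 200 SMTP sessions (spam engine: volume spike)
    flows += [{"src": "10.0.0.3", "dst": "203.0.113.25", "dport": 25, "bytes": 250} for _ in range(200)]
    return flows


def run_demo():
    baseline = build_baseline([normal_window() for _ in range(4)])
    return detect(baseline, attack_window())


if __name__ == "__main__":
    for src, kinds in run_demo().items():
        print(src, kinds)
```

The baseline here is pooled across hosts for brevity; a production system keeps a baseline per host (a mail server legitimately talks to hundreds of peers on port 25) and ages it, otherwise a slow attacker can train the baseline to accept the attack.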


Stealthwatch Anomaly IPS

• Anomaly-based Intrusion Prevention System on network border

• Blocks worms, bots, spam engines

• Defends against denial-of-service attacks


Palo Alto Layer 7 Firewall - IPS

• As a firewall

• Provides access control based on IP addresses and ports as well as application, user, packet content

• But also IPS

• Inspecting packets as well

• Offers additional protection because it combines session/flow behaviour (anomaly) with packet content inspection (signature)

Other Network Based Defenses

VPN

• Encrypted remote access prevents sniffing of the traffic while it is in transit

Secure Wireless

• Authenticated and encrypted wireless network prevents eavesdropping


CIA (Confidentiality, Integrity, Availability)

Confidentiality

Can be breached by eavesdropping/sniffing network transmission

Can be protected by:

• Securing physical access to network links

• Encryption, encryption, encryption!!!

• Encrypting application data (like with HTTPS)

• Encrypting wireless transmission (like WPA2)

• Encrypting packets when the application doesn't support encryption itself (IPsec)


DDOS

Common DoS Methods:

• Resource Exhaustion: Make so many requests that the service can’t keep up

o E.g. Have thousands of systems repeatedly download a large file from a web server

o Flood a switch with fake source MAC addresses

o Send hundreds of complex queries to a database server

• Bandwidth Exhaustion:

o Only so many 1’s and 0’s can cross a network connection. If an attacker is able to generate enough traffic, the bandwidth will be used up

A DOS attack using DNS amplification
