3.3 Given a scenario, implement network hardening techniques - Paiet/Tech-Journal-for-Everything GitHub Wiki

3.3 Given a scenario, implement network hardening techniques

  • Anti-malware software
    • Host-based
      • Installed on each end device
      • Manages its own updates and definitions
    • Cloud/server-based
      • Installed on a server (physical or cloud)
      • Manages updates and definition for clients
      • Centralized management
        • Policies
        • Exceptions
        • Status/reports
        • Alerts
          • Email/SMS
    • Network-based
      • Runs at a network chokepoint (gateway, proxy or IPS) and scans traffic in transit rather than files on the host
  • Switch port security
    • DHCP snooping
      • Splits ports into trusted (uplinks and the port toward the real DHCP server) and untrusted (everything else); DHCP server messages (OFFER/ACK) arriving on an untrusted port are dropped, which defeats rogue DHCP servers
      • Watches the DHCP exchanges of clients on untrusted ports and builds a binding database of MAC address, leased IP address, VLAN, port and lease time
      • That binding table is what Dynamic ARP Inspection and IP Source Guard use to check a host's IP-to-MAC mapping; packets whose mapping does not match are dropped
      • Can rate-limit DHCP packets per untrusted port (the port is err-disabled when the limit is exceeded), which stops DHCP starvation floods

To Begin

SW01(config)#ip dhcp snooping
SW01(config)#ip dhcp snooping vlan 90
SW01(config)#interface fastethernet 0/1
SW01(config-if)#ip dhcp snooping trust
SW01(config-if)#exit
SW01(config)#interface range fastethernet 0/22 - 24
SW01(config-if-range)#switchport mode access
SW01(config-if-range)#switchport access vlan 90
SW01(config-if-range)#ip dhcp snooping limit rate 5
SW01(config-if-range)#exit
SW01(config)#exit
SW01#show ip dhcp snooping
SW01#show ip dhcp snooping binding

Fa0/1 is the uplink toward the DHCP server, so it is trusted; Fa0/22-24 are access ports and stay untrusted. The limit rate command is an interface-level command and belongs on the untrusted ports (5 DHCP packets per second here), not on the trusted uplink. Caveat: enabling snooping on Cisco IOS also turns on DHCP option-82 insertion; if clients suddenly stop getting leases, add no ip dhcp snooping information option.

  • ARP inspection
    • Dynamic ARP Inspection (DAI) intercepts ARP requests and replies on untrusted ports and checks the sender IP-to-MAC binding against the DHCP snooping binding table (or a static ARP ACL)
      • Packets that pass the check are forwarded
      • Packets that fail are dropped and logged, which stops ARP poisoning / man-in-the-middle on the VLAN
    • Requires DHCP snooping on the same VLAN, since that is where the bindings come from; statically addressed hosts need an ARP ACL entry or a trusted port, otherwise their ARP traffic is dropped

To Begin

SW01(config)#ip arp inspection vlan 20
SW01(config)#interface fastethernet 0/1
SW01(config-if)#ip arp inspection trust
SW01(config-if)#exit
SW01(config)#exit
SW01#show ip arp inspection

The trusted port is the uplink toward the DHCP server and other switches. Show commands run from privileged EXEC (or prefix them with do inside config mode). DHCP snooping must already be enabled on VLAN 20, otherwise there are no bindings and every ARP packet on the untrusted ports is dropped.
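Added example (Python, not from the wiki and not Cisco code): a small model of what the switch does with the two configurations above. It builds the DHCP snooping binding table from client/server DHCP traffic, drops server replies on untrusted ports, rate-limits DHCP on untrusted ports, and then applies DAI to ARP packets. The class and function names (SnoopingSwitch, demo) and the traffic are constructed for illustration; the port names follow the page's layout (Fa0/1 trusted uplink, Fa0/22-24 access ports). A real switch measures the DHCP rate per second; here the counter is simply per run.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """One VLAN of a switch with DHCP snooping and Dynamic ARP Inspection enabled.

    trusted_ports: uplink / DHCP-server-facing ports (ip dhcp snooping trust,
    ip arp inspection trust). Every other port is untrusted.
    """
    trusted_ports: set
    dhcp_rate_limit: int = 5                         # ip dhcp snooping limit rate 5
    bindings: dict = field(default_factory=dict)     # client MAC -> (ip, vlan, port)
    pending: dict = field(default_factory=dict)      # client MAC -> (vlan, port) waiting for an ACK
    dhcp_seen: dict = field(default_factory=dict)    # untrusted port -> DHCP packets counted so far
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)          # (reason, details...) for every drop

    def _drop(self, reason, *detail):
        self.log.append((reason,) + detail)
        return False

    def dhcp_from_client(self, port, vlan, client_mac):
        """DISCOVER/REQUEST from a host; counted against the per-port rate limit."""
        if port in self.err_disabled:
            return self._drop("port-err-disabled", port)
        if port not in self.trusted_ports:
            n = self.dhcp_seen.get(port, 0) + 1
            self.dhcp_seen[port] = n
            if n > self.dhcp_rate_limit:              # DHCP starvation flood: port goes err-disabled
                self.err_disabled.add(port)
                return self._drop("dhcp-rate-limit", port)
            self.pending[client_mac] = (vlan, port)   # remember where this client lives
        return True

    def dhcp_from_server(self, port, client_mac, ip):
        """OFFER/ACK that claims to come from a DHCP server."""
        if port not in self.trusted_ports:
            # Only trusted ports may carry server replies; anything else is a rogue server.
            return self._drop("dhcp-server-on-untrusted-port", port, ip)
        if client_mac in self.pending:
            vlan, client_port = self.pending.pop(client_mac)
            self.bindings[client_mac] = (ip, vlan, client_port)   # show ip dhcp snooping binding
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: sender MAC/IP of ARP packets on untrusted ports must match a binding."""
        if port in self.err_disabled:
            return self._drop("port-err-disabled", port)
        if port in self.trusted_ports:
            return True                                # trusted ports are not inspected
        entry = self.bindings.get(sender_mac)
        if entry is None or entry[0] != sender_ip or entry[1] != vlan:
            return self._drop("invalid-arp", port, sender_mac, sender_ip)
        return True


def demo():
    """Constructed traffic: Fa0/1 is the trusted uplink, Fa0/22-24 are access ports on VLAN 90."""
    sw = SnoopingSwitch(trusted_ports={"fa0/1"})
    host = "aa:aa:aa:aa:aa:01"
    r = {}
    r["discover"] = sw.dhcp_from_client("fa0/22", 90, host)
    r["rogue_offer"] = sw.dhcp_from_server("fa0/23", host, "10.90.0.99")   # rogue server on an access port
    r["real_ack"] = sw.dhcp_from_server("fa0/1", host, "10.90.0.50")       # real server via the uplink
    r["binding"] = sw.bindings[host]
    r["arp_ok"] = sw.arp("fa0/22", 90, host, "10.90.0.50")                # matches its own lease
    r["arp_spoof_gateway"] = sw.arp("fa0/22", 90, host, "10.90.0.1")      # host claims the gateway IP
    r["arp_unknown_host"] = sw.arp("fa0/23", 90, "bb:bb:bb:bb:bb:02", "10.90.0.1")  # no lease at all
    r["arp_trusted"] = sw.arp("fa0/1", 90, "cc:cc:cc:cc:cc:03", "10.90.0.1")  # uplink is not inspected
    r["flood"] = [sw.dhcp_from_client("fa0/24", 90, "dd:dd:dd:dd:dd:%02x" % i) for i in range(6)]
    r["err_disabled"] = sorted(sw.err_disabled)
    r["drops"] = [entry[0] for entry in sw.log]
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note how the spoofed-gateway ARP is dropped even though it comes from a host that does have a lease: DAI checks the pair (MAC, IP), not just that the MAC is known. That is the check a plain MAC filter cannot do.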

  • MAC address filtering
    • Set the specific MACs of specific devices that are allowed onto the network; on Cisco switches this is port security, where a port only forwards frames from its learned or configured secure MAC addresses
    • Like a doorman: if you're not on the list you don't get in
    • Caveat: MAC addresses are trivial to clone, so this stops accidental hubs and casual plug-ins, not a deliberate attacker; 802.1X is the real access control. With violation shutdown the port goes err-disabled and needs a shutdown / no shutdown (or errdisable recovery) to come back

To Begin

SW01(config)#interface fastethernet 0/15
SW01(config-if)#switchport mode access
SW01(config-if)#switchport port-security
SW01(config-if)#switchport port-security mac-address sticky
SW01(config-if)#switchport port-security maximum 2
SW01(config-if)#switchport port-security violation shutdown
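Added example (Python, not from the wiki and not Cisco code): a model of the port-security behaviour configured above, so the effect of maximum, sticky and the three violation modes can be seen side by side. The class name SecurePort, the function demo and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port security.

    maximum   -> switchport port-security maximum N
    sticky    -> learned addresses are kept (switchport port-security mac-address sticky)
    violation -> switchport port-security violation {shutdown|restrict|protect}
    """
    maximum: int = 2
    violation: str = "shutdown"
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0

    def receive(self, src_mac):
        """Return True if a frame with this source MAC is forwarded."""
        if self.err_disabled:
            return False                        # nothing passes until the port is recovered
        if src_mac in self.secure_macs:
            return True                         # already a secure (sticky-learned) address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)    # sticky: learned dynamically, then kept in the config
            return True
        # Over the limit: a violation. What happens next depends on the mode.
        if self.violation == "shutdown":
            self.err_disabled = True            # port err-disabled, all traffic stops, syslog/trap sent
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1           # offending frame dropped, counter and syslog/trap
        # "protect": offending frame silently dropped, no counter, no log
        return False

    def recover(self):
        """Operator does shutdown / no shutdown, or errdisable recovery fires."""
        self.err_disabled = False


def demo(mode):
    """Three devices behind an unmanaged hub on a port that allows two MACs."""
    port = SecurePort(maximum=2, violation=mode)
    hub = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    first_pass = [port.receive(m) for m in hub]
    legit_after = port.receive(hub[0])          # does the first, legitimate device still get through?
    spoof = port.receive(hub[0])                # third device after cloning hub[0]'s MAC: indistinguishable
    return {
        "first_pass": first_pass,
        "legit_after_violation": legit_after,
        "spoofed_known_mac_passes": spoof,
        "err_disabled": port.err_disabled,
        "violations": port.violation_count,
        "secure_macs": list(port.secure_macs),
    }


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, demo(mode))
```

The shutdown mode is the noisiest and the safest default on user ports (a violation is an event someone should look at), but it also takes the legitimate devices down with the offender. The last line of demo is the caveat from the bullet list: once a MAC has been learned, a device spoofing it is accepted in every mode.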

  • VLAN assignments
    • Network segmentation
      • Segmentation via VLAN keeps like traffic grouped, shrinks the broadcast domain and reduces unnecessary traffic
      • Can assign a "Guest" VLAN that only reaches a minimal set of network resources (for example Internet access only)
      • A VLAN is only a layer-2 boundary: traffic between VLANs goes through a router or firewall, and that is where access control between segments has to be enforced

To Begin

SW01(config)#interface fastethernet 0/16
SW01(config-if)#switchport mode access
SW01(config-if)#switchport access vlan 30
% Access VLAN does not exist. Creating vlan 30
SW01(config-if)#do show vlan brief

Verify that VLAN 30 was created and that Fa0/16 is listed under it.

  • Security policies
    • The formal document that states the organization's official security position and the procedures that implement it; technical controls like the ones above should map back to it
    • Most organizations rely on industry-standard templates so they are not reinventing the wheel for each policy
  • Disable unneeded network services
    • Every listening service is attack surface, so there is no reason to leave unnecessary ones running
    • Each one gives the bad guys another way in and another thing to patch; inventory the open ports on your own devices and turn off what is not needed (Telnet, HTTP admin pages, SNMP v1/v2c, CDP/LLDP on user-facing ports, unused management interfaces)
  • Use secure protocols
    • SSH instead of Telnet/rlogin
    • SNMPv3 (authentication and encryption) instead of SNMPv1/v2c community strings
    • TLS (1.2 or newer; SSL is obsolete) for any service that can be wrapped in it
    • SFTP/SCP instead of FTP
    • HTTPS instead of HTTP for management interfaces
    • IPsec for site-to-site and remote-access tunnels

3.3 Given a scenario, implement network hardening techniques Pt2

  • Access lists
    • Web/content filtering
      • Proxy server that allows or blocks URLs and categories
    • Port filtering
      • Use firewall ACLs to block traffic to/from unnecessary ports
        • This stops outsiders as well as insiders
          • Insiders may have inadvertently installed rogue software/malware that tries to phone home
    • IP filtering
      • Use firewall ACLs to block traffic to/from IP addresses known to be used for malicious activity (block lists)
      • Block IP traffic from attackers; blocks on source IP alone are easy to evade, so pair them with port filtering
    • Implicit deny
      • Only explicitly allowed traffic passes; an invisible deny-all rule sits at the end of every list
      • Rules are evaluated top-down and the first match wins, so a broad permit placed early silently shadows the denies below it
      • pfSense shows this default deny as a grayed-out note on the firewall rules page
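Added example (Python, not from the wiki or any firewall vendor): a minimal ACL evaluator that shows port filtering, IP filtering, first-match-wins ordering and the implicit deny together. The rule format, the function names (Rule, evaluate, demo) and the sample addresses and packets are constructed for illustration; a real firewall would also track connection state, which is left out here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                     # source network in CIDR notation, or "any"
    dst: str                     # destination network in CIDR notation, or "any"
    dport: Optional[int] = None  # destination port; None matches every port


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: dict) -> bool:
    return (
        rule.proto in ("ip", pkt["proto"])
        and _in_net(pkt["src"], rule.src)
        and _in_net(pkt["dst"], rule.dst)
        and (rule.dport is None or rule.dport == pkt.get("dport"))
    )


def evaluate(acl, pkt):
    """Top-down, first match wins. No match at all falls through to the implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "deny", "implicit"


# Constructed inbound ACL for an edge firewall in front of 10.0.0.0/8 (all addresses are examples).
EDGE_ACL = [
    Rule("deny", "ip", "198.51.100.0/24", "any"),             # IP filtering: a source range on a block list
    Rule("permit", "tcp", "any", "10.0.0.10/32", 443),        # public web server, HTTPS only
    Rule("permit", "tcp", "10.0.0.0/8", "10.0.0.10/32", 22),  # SSH to it only from inside
    Rule("permit", "udp", "any", "10.0.0.53/32", 53),         # DNS resolver
    # no rule for telnet, SMB, RDP, ...: the implicit deny covers them
]

# Same rules, but the block-list deny was appended at the end instead of placed first.
MISORDERED_ACL = EDGE_ACL[1:] + EDGE_ACL[:1]

SAMPLE_PACKETS = {
    "https_from_internet": {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.10", "dport": 443},
    "https_from_blocklist": {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.10", "dport": 443},
    "ssh_from_internet": {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.10", "dport": 22},
    "ssh_from_inside": {"proto": "tcp", "src": "10.1.2.3", "dst": "10.0.0.10", "dport": 22},
    "telnet_from_internet": {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.10", "dport": 23},
    "dns_query": {"proto": "udp", "src": "203.0.113.5", "dst": "10.0.0.53", "dport": 53},
    "smb_to_resolver": {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.53", "dport": 445},
}


def demo(acl=EDGE_ACL):
    """Decision and matching rule number for every sample packet."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for acl_name, acl in (("EDGE_ACL", EDGE_ACL), ("MISORDERED_ACL", MISORDERED_ACL)):
        print(acl_name)
        for name, (action, rule) in demo(acl).items():
            print(f"  {name:22} {action:6} (rule {rule})")
```

Telnet, SMB and SSH from the outside are denied without any rule naming them: that is the implicit deny doing its job. In MISORDERED_ACL the block-listed source reaches the web server, because the permit for port 443 now sits above the deny and first match wins.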
  • Wireless security
    • WEP
      • Wired Equivalent Privacy: RC4 with a 24-bit IV and one shared key; broken since the early 2000s (the key can be recovered from captured traffic in minutes). Treat it as no encryption
    • WPA/WPA2
      • Personal: one pre-shared key (PSK) shared by everyone on the network; the 4-way handshake can be captured and the passphrase attacked offline, so use a long random passphrase
      • Enterprise: each user authenticates individually via 802.1X/EAP against a RADIUS server; no shared secret to leak, and per-user session keys
    • TKIP/AES
      • TKIP (Temporal Key Integrity Protocol) is the encryption method for WPA; it was a stop-gap that still runs on RC4 and is now deprecated
      • AES-CCMP is the encryption method for WPA2; prefer WPA2-AES and disable TKIP
    • 802.1X
      • Port-based network access control with three roles: the supplicant (client), the authenticator (AP or switch) and the authentication server (RADIUS, for example NPS or FreeRADIUS, usually backed by a directory such as Windows AD)
      • EAP is carried as EAPOL between the client and the AP, and inside RADIUS attributes between the AP and the server; the AP only relays and opens the port when the RADIUS server says Access-Accept
        • Client associates and sends EAPOL-Start to the AP
        • AP sends EAP-Request/Identity
        • Client sends EAP-Response/Identity to the AP
        • AP wraps it in a RADIUS Access-Request and sends it to the RADIUS server
        • RADIUS server replies with Access-Challenge carrying an EAP-Request (the method-specific challenge); the AP relays it to the client
        • Client sends its EAP-Response; the AP relays it to the RADIUS server (this round trip repeats as often as the EAP method needs)
        • RADIUS server verifies the credentials against its user database and returns Access-Accept or Access-Reject to the AP
        • AP sends EAP-Success to the client and unblocks the port; with WPA2-Enterprise the 4-way handshake then derives the session keys
    • EAP-TLS / EAP-TTLS (Tunneled Transport Layer Security)
      • EAP-TLS: mutual certificate authentication using public key cryptography; both the RADIUS server and every client need a certificate, so it needs a PKI but is the strongest common method
      • EAP-TTLS: has the strength of TLS but does not issue certificates to the users; only the authentication server has one
        • The client validates the server certificate, a TLS tunnel is built, and the user then authenticates inside the tunnel with a simpler method (password, MS-CHAPv2, ...)
        • Caveat: the client must actually validate the server certificate (pin the CA and the server name); otherwise an evil-twin AP with any certificate can harvest the inner credentials
    • MAC filtering
      • Only allow a list of specified MAC addresses onto the wireless network
      • Weak control: client MACs are sent in the clear in every frame, so an attacker can sniff an allowed MAC and clone it; use it only as a nuisance layer on top of WPA2-Enterprise, never instead of it
  • User authentication
    • PAP (Password Authentication Protocol)
      • Simplest form of remote (PPP) authentication
      • Client sends an Authenticate-Request containing its client ID and password
      • Server checks the credentials against its authentication database
      • If the ID/password pair is found, access is granted
      • All of this is sent in CLEARTEXT, so anyone on the path captures the password
        • Only acceptable inside an already-encrypted tunnel (for example as the inner method of EAP-TTLS); some older non-Windows PPP servers support nothing else
    • CHAP/MS-CHAP (Challenge Handshake Authentication Protocol)
      • Proves knowledge of the password without sending it; it does not encrypt the session afterwards
        • User requests RAS access
        • Server sends a challenge (a random value) together with an identifier
        • Client hashes the identifier, its secret and the challenge together (MD5 in RFC 1994) and sends the result back
        • Server computes the same hash from its own copy of the secret and compares it with the client's response
        • If the values match, access is granted; a fresh random challenge each time defeats replay of an old response
      • Caveat: the secret has to be stored in recoverable form on the server, and a captured challenge/response pair can be attacked offline with a dictionary, so the password still has to be strong
      • MS-CHAPv2
        • Microsoft's variant, used to authenticate Windows workstations
        • Mutual (2-way) authentication: the client also verifies the server's response
        • Its DES-based response is weak and can be brute-forced from a capture; only use it inside a TLS tunnel (PEAP or EAP-TTLS), never bare
    • EAP (Extensible Authentication Protocol)
      • A framework rather than a single method: it carries an authentication method (EAP-TLS, PEAP, EAP-TTLS, ...) between the client and the authentication server, which checks the result against a user account database
      • Enables hardware-based authentication
        • Biometric scanners
        • Smart cards (certificate on the card, used by EAP-TLS)
        • Tokens
      • Lets hardware-based authentication work in conjunction with passwords (several factors inside one EAP method)
    • Kerberos
      • Time-sensitive ticket-granting system: tickets expire, and client and server clocks must agree within a few minutes (5 by default) or authentication fails
      • A central server, the Key Distribution Center (KDC), processes all authentication requests
        • It issues tickets for any number of services
        • This gives Single Sign-on: one logon, many services
      • Process:
        • User logs on to the domain
        • Client asks the KDC's Authentication Service (AS) for a Ticket Granting Ticket (TGT)
        • KDC sends a time-stamped TGT, encrypted so that only the KDC can read it, plus a session key the client decrypts with a key derived from the user's password
        • To reach a service, the client presents the TGT to the KDC's Ticket Granting Service (TGS) and asks for a service ticket
        • KDC sends the service ticket, encrypted with the service's own key
        • Client presents that service ticket to the service
        • The service decrypts and checks the ticket and grants access; the KDC is not contacted again for that service
    • Multifactor authentication
      • Employs at least 2 different authentication factors (two passwords are still one factor)
        • Authentication factors:
          • Something you are (biometrics)
          • Something you have (card, token, phone)
          • Something you know (password, PIN)
    • Two-factor authentication
      • Specifically 2 authentication factors
      • Example: bank card plus PIN
        • Something you have (the card)
        • Something you know (the PIN)
      • Username/password is NOT 2-factor authentication; neither is password plus security question (both are "know")
    • Single sign-on
      • Makes life easier for the user, but one set of credentials now unlocks everything it is connected to
        • Keys to the castle behind one point of authentication
        • That one logon needs a strong password plus MFA, and monitoring of that account matters more
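Added example (Python, not from the wiki): the PAP and CHAP exchanges from the User authentication section above, run end to end. It implements RFC 1994 MD5-CHAP (Response = MD5(Identifier || secret || Challenge)), shows that the secret never crosses the wire and that a replayed response fails, and then shows the caveat: an eavesdropper with the challenge/response pair can still run a dictionary attack. The user database, class and function names (ChapServer, chap_login, offline_guess, demo) and the wordlist are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed user database. CHAP needs the secret itself on the server side,
# which is one of its drawbacks compared with storing salted password hashes.
USER_SECRETS = {"alice": b"correct horse battery staple"}


def pap_packet(user: str, password: bytes) -> dict:
    """PAP Authenticate-Request: the password crosses the link as-is."""
    return {"user": user, "password": password}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    def __init__(self):
        self._ident = 0
        self.outstanding = {}        # ident -> challenge; a response can only answer a live challenge

    def challenge(self) -> Tuple[int, bytes]:
        self._ident = (self._ident + 1) % 256
        chal = os.urandom(16)        # fresh random challenge every time, so old responses are useless
        self.outstanding[self._ident] = chal
        return self._ident, chal

    def verify(self, ident: int, user: str, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)
        secret = USER_SECRETS.get(user)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


def chap_login(server: ChapServer, user: str, secret: bytes):
    """One CHAP exchange. Returns (success, what an eavesdropper saw on the wire)."""
    ident, chal = server.challenge()                 # server -> client: Challenge
    resp = chap_response(ident, secret, chal)        # client -> server: Response (no secret on the wire)
    ok = server.verify(ident, user, resp)            # server -> client: Success / Failure
    return ok, {"ident": ident, "challenge": chal, "response": resp, "user": user}


def offline_guess(capture: dict, wordlist) -> Optional[bytes]:
    """What the eavesdropper does next: CHAP hides the secret, but not from a dictionary attack."""
    for guess in wordlist:
        if chap_response(capture["ident"], guess, capture["challenge"]) == capture["response"]:
            return guess
    return None


def demo():
    server = ChapServer()
    ok_alice, capture = chap_login(server, "alice", USER_SECRETS["alice"])
    ok_wrong, _ = chap_login(server, "alice", b"wrong secret")
    # Replay: resend alice's captured response against a brand-new challenge.
    ident2, _ = server.challenge()
    ok_replay = server.verify(ident2, "alice", capture["response"])
    cracked = offline_guess(capture, [b"password", b"letmein", b"correct horse battery staple"])
    return {
        "alice": ok_alice,
        "wrong_secret": ok_wrong,
        "replay": ok_replay,
        "secret_on_wire": USER_SECRETS["alice"] in capture.values(),
        "pap_secret_on_wire": USER_SECRETS["alice"] in pap_packet("alice", USER_SECRETS["alice"]).values(),
        "dictionary_attack": cracked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The last dictionary entry is there only to make the attack succeed on a constructed secret; the point is that the attack costs one MD5 per guess and runs offline, which is why CHAP and MS-CHAPv2 belong inside a TLS tunnel on any link an attacker might be able to sniff.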
  • Hashes
    • MD5 (Message Digest 5)
      • 128-bit digest
      • Feed input into the algorithm and a fixed-length hash value is generated; any change to the input changes the digest
      • Hash values are meant to be unique to the input data, but MD5 collisions (two different inputs with the same digest) can be generated on a laptop, so it is unfit for signatures or for integrity checks against an adversary; acceptable only as a non-security checksum
    • SHA (Secure Hash Algorithm)
      • SHA-1 = 160-bit; a practical collision was demonstrated in 2017 (SHAttered), and it is deprecated for signatures and certificates
      • SHA-2 = 224, 256, 384, or 512-bit; SHA-256 is the current default choice