Practical Network Scanning

3 (2 reviews total)
By Ajay Singh Chauhan
    What do you get with a Packt Subscription?

  • Instant access to this title and 7,500+ eBooks & Videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Fundamental Security Concepts

About this book

Network scanning is the process of assessing a network to identify an active host network; same methods can be used by an attacker or network administrator for security assessment. This procedure plays a vital role in risk assessment programs or while preparing a security plan for your organization.

Practical Network Scanning starts with the concept of network scanning and how organizations can benefit from it. Then, going forward, we delve into the different scanning steps, such as service detection, firewall detection, TCP/IP port detection, and OS detection. We also implement these concepts using a few of the most prominent tools on the market, such as Nessus and Nmap. In the concluding chapters, we prepare a complete vulnerability assessment plan for your organization.

By the end of this book, you will have hands-on experience in performing network scanning using different tools and in choosing the best tools for your system.

Publication date:
May 2018
Publisher
Packt
Pages
326
ISBN
9781788839235

 

Chapter 1. Fundamental Security Concepts

In  an ever-evolving world of technology, security and data privacy are of paramount importance. This chapter will address some of the basic concepts of IT infrastructure security. In order to secure a system, the key task is to identify and classify the information assets and define a security framework.

This chapter will cover what security means to network and system administrators. It will also explore how to build a secure network, incorporating the security principles defined in your framework. 

Let's get started with network infrastructure security. We will cover the following topics in this chapter:

  • Why security?
  • Building blocks of information security
  • Computer security
  • Network security
  • Internet security
  • Security issues, threats, and attacks
 

Why security?


As the internet grows and technology evolves for modern computer networks, network security has become one of the most crucial factors for everyone. This includes everyone from end users and small and medium-sized businesses (SMBs) to cloud service providers.

Due to a growing volume of network attacks, network security should be a priority when designing network architecture. To understand the importance of this, imagine what could happen if there was a network integrity breach at a bank, stock exchange, or other financial database.

The importance of network security is not just limited to the IT industry. It is also important within industries such as health care. Health records contain some of the most valuable information available, including Social Security numbers, home addresses, and patient health histories. If this data is accessed by unauthorized persons, it can be stolen or sold to the black market.

Security awareness is important for everybody and not just the IT department. If you work with internet enabled devices, it's your responsibility too. However, you can only control information security once you know how to secure it.

No one can get into your system until something is compromised. Similarly, if your door is locked from the outside, nobody can enter your house unless they gain access to a duplicate key or have a similar key built by getting physical access to the lock. A few examples of how a system might be compromised are as follows:

  • A targeted email could be sent to random users with an attachment (Drive by Download). If a user opened that attachment, their system would be compromised.
  • An email is received which poses as a domain such as banking and asks you to change your password through a provided link. Once you do this, your username and password can be stolen.
  • If a small typo is made when typing a website address into a browser, a similar page may open (Phishing) which is not genuine, and your credentials can be stolen.
  • Features provided by websites for resetting forgotten passwords can also be very risky. Let's say somebody knows my email ID and attempts to access my account by selecting a forgotten password option. If the security question asks for my date of birth, this can easily be found on my resume.
  • A password for an Excel file can easily be broken by a brute-force attack.
  • The most widespread types of ransomware encrypt all or some of the data on your PC, and then ask for a large payment (the ransom) in order to restore access to your data.
  • During DNS hijacking, an online attacker will override your computer's TCP/IP settings so that the DNS translation gets altered. For example, typing in abc.com will translate it into this IP: 140.166.226.26. However, a DNS hijacker will alter the translation so that abc.com will now send you the IP address of a different website.
  • Denial of Service network attacks disrupt the normal volume of traffic sent to targeted services with excessive amounts of traffic. This can be damaging in various ways. One example could be if a company has a Friday sale, and a competitor launches an attack on them in order to shut their services down and consequently increase their own sales.

According to research by British insurance company Lloyd's, the damage from hacks cost businesses $400 billion a year.

To further explore the cost of cybercrimes, visit the following webpage:  https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#612db25c3a91.

The market research firm Gartner estimates that global spending on cybersecurity is somewhere around $96 billion in 2018. By 2020, companies around the world are expected to spend around $170 billion—a growth rate of nearly ten percent in the next five years.

 

Building blocks of information security


Your data can be easily separated into the following three categories. This is especially important to know in order to determine the value of your data before planning for security:

  • Low Business Impact (LBI): If LBI data is disclosed, limited information loss could occur. Examples of this kind of data include name, gender, and/or the country of residence.
  • Moderate Business Impact (MBI): If MBI data is disclosed, disastrous information loss could occur, which directly damages the reputation of an organization. Examples of MBI data include first and last name, email ID, mailing address, and phone number.
  • High Business Impact (HBI): If HBI data is disclosed, serious information loss could occur. Access and permission must be controlled and limited to a need-to-know basis. Examples of HBI data include government IDs, credit card information, medical health records, passwords, and real-time location.

Proper security control measures are required to ensure tight security. The following flowchart helps us to understand the security process:

  • Risk Management Process: This is particularly important when designing a secure network. Risk management analysis must be done in advance as this aids designing secure infrastructure. Steps should include risk identification, risk analysis, risk ranking, and mitigation plans. For example, an ISP link can be a public or private Wide Area Network (WAN) connection. Data transfer between two sites over public infrastructure can be secured by implementing VPNs. Data transfer between two sites over private links can be future encrypted by link device. The purpose and funding of connection must be identified, and a proper risk assessment must be carried out before installing or activating any links.
  • InfoSec Design Process: Perimeter boundaries must be defined and documented. For example, connecting to WAN internet or connecting to another location over WAN must be defined. When I say boundaries, we should always take a layered approach. There is no ideal situation to ensure 100% security, but by implementing security on every layer, you can ensure tight security. A layered security method encompasses both technological and non-technological safety measures.

    For example, perimeter security can be protected by firewalls. Infrastructure details, such as server type and services running on the system, must be identified. Software and operating system bugs should be documented. IP space and security zones should be defined. System admin access should be controlled by security groups.

  • Verification process: The purpose of the verification process for each extranet/intranet connection is to generate all audit evidence documented in the compliance procedures of the security design. This will have information about users, remote IP, and tasks performed by them. Network scanning, penetration testing, and scorecard reporting provide an in-depth view of infrastructure security.

    A periodic audit is always required in order to know if there is unexpected activity.  Firewall logs, TCP/IP headers from load balancers on IIS, and two-factor authentications are examples of a verification process.

  • Security implementation process: At this stage you should have the following items ready to be implemented:
    • Security policies—password policies and access control
    • Disaster recovery plan
    • Backup and recovery plan
    • WAN recovery plan
    • Network security zones
    • Database security
    • IIS or web security
    • Data and asset classification
    • Data encryption
    • Resource control for application users
    • Operating system security
    • Incident management and response
    • Change management and version control
 

Computer security


Computer security is not all about end user computing, it also includes server/application infrastructure. For any data transfer between server and client, both ends should be secure. Even the communication channel should be secure enough to avoid data theft.

We know that professionals understand network security, but how about end users? We can force users to implement security strategies, but is that enough? For better security, awareness is key. Security issues are constantly being found with the software we use every day, including common and reliable programs such as Windows, Internet Explorer, and Adobe's PDF Reader. It is therefore very important that we take some simple steps towards becoming more secure.

People often think of computer security as something technical and complicated, but that is not strictly the case. In the following, we will explore the most basic and important things you should do in order to make yourself safer online:

  • Use antivirus and antimalware and know which links are safe to click in emails
  • Be careful about programs you download and run; don't trust your pop-up notifications
  • On the server level, encryption chips can be used just to avoid physical theft of hardware

Most computer facilities continue to protect their physical assets far better than their data, even when the value of the data is several times greater than the value of the hardware.

Since awareness is especially important, we should also consider how much awareness we have within the organization. This can simply be achieved by sending a few emails that look genuine and getting the statistics of how many users opened such an email. Activities can be tracked in terms of number. For example, the statistics can be viewed for how many users shared their password and how many downloaded an attachment.

 

Network security


With today's complex network architecture and constantly growing networks, protecting data and maintaining confidentiality play a very important role. Complex networks consist of network traffic flowing between enterprise networks, data center networks and, of course, the cloud as well. A secure network helps us to protect against data loss, cyber-attacks and unauthorized access, thus providing a better user experience. Network security technologies equip multiple platforms with the ability to deal with the exact protection requirements.

Firewalls

A firewall is a network security appliance that accepts or rejects traffic flow based on configured rules and preconfigured policies. Placement of a firewall totally depends on the network architecture, which includes protection for network perimeters, subnets, and zones. Perimeter firewalls are always placed on a network's edge to filter packets entering the network. Perimeter firewalls are the first layer of security, and if malicious traffic has managed to bypass, host-based firewalls provide another layer of protection by allowing or denying packets coming into the end host device. This is called the multilayer security approach. Multiple firewalls can be set up to design a highly secure environment.

Firewalls are often deployed in other parts of the network to provide proper segmentation and data protection within enterprise infrastructure, on access layers and also in data centers.

Firewalls can be further classified as the following:

  • Simple packet filtering
  • Application proxy
  • Stateful inspection firewalls
  • Next-Generation Firewall

A traditional firewall provides functions such as Packet Address Translation (PAT), Network Address Translation (NAT), and Virtual Private Network (VPN). The basic characteristic of a traditional firewall is that it works according to the rules. For example, a user from subnet (10.10.10.0/24) wants to access Google DNS 8.8.8.8 on a UDP port 53.

A typical firewall rule will look like this:

Source IP

Destination IP

Protocol

Port

Action

10.10.10.0/24

8.8.8.8/32

UDP

53

Permit

However, Next-Generation Firewall works based on application and user-aware policies. Application-level control allows you to set policies depending on the user and the application.

For example, you can block peer-to-peer (P2P) downloads completely or disable Facebook chat without even blocking Facebook.

We will discuss firewalls in detail in upcoming chapters. The following diagram reflects zones and connectivity, which shows how firewall zones connect to multiple businesses:

  • Demilitarized zone (DMZ): Internet-facing applications are located in DMZ. Other services on other zones remain inaccessible to the internet. The most common services placed in DMZ include email services, FTP servers, and web servers.
  • Inside zone: The inside zone is known as the trusted zone to users. Applications in that area are considered highly secure. In the trusted area, security is maintained by denying all traffic from less trusted zones in any given firewall by default.
  • Cloud and internet zone: Let's not focus on naming these. They are standard segments we see on an enterprise network. These zones are considered to be below security zones.

Intrusion detection systems / intrusion prevention systems

There is a high chance that attacks may enter a network. Intrusion prevention system (IPS) / Intrusion detection system (IDS) is a proactive measure to detect and identify suspicious or undesirable activities that indicate intrusion. In IDS, deployment can be online or offline, and the basic idea is to redirect traffic you wish to monitor. There are multiple methods like switch port SPAN or fiber optic TAP solution, which can be used to redirect traffic. Pattern matching is used to detect known attacks by their signature and anomalies. Based on the activity, monitoring alerts can be set up to notify the network administrator.

As the following diagram shows, SPAN port is configured on a switch in order to redirect traffic to the IDS sensor. An actual SPAN port creates a copy of data flowing for a specific interface and redirects it to another port on the switch:

IPS offers proactive detection and prevention against unwanted network traffic. In an inline placement of IPS, all the traffic will travel via IPS devices. Based on the rules, actions can then be taken. When a signature is detected on an IPS device it can be used for resetting, blocking, and denying connections, as well as logging, monitoring, and alarming. A system admin can also define a policy-based approach with defined policy violation rules and actions to keep in mind when well-known signatures are released. Actions should be defined by the system admin.

The following diagram shows a topology for inline setup of IPS. All the traffic travels through IPS devices for traffic inspection. This is a bit different to doing a port SPAN, since all data goes through an IPS box. Consequently, you should be aware of what type of data has to be inspected:

There are a number of different attack types that can be prevented using an IPS, including:

  • Denial of Service
  • Distributed Denial of Service
  • Exploits
  • Worms
  • Viruses

Multitier topology

Multitier topology gives you flexibility to segment resources based on role and access policies. In a typical three-layer application, architecture that has web, app, and DB servers can be distributed based on location. Since web/app zone is something always exposed to end users, Demilitarized Zone (DMZ) IP space is always public. Subnet and database servers should not be directly accessible, hence why we should always allocate private IP space from RFC 1918.

This offers gradual access to control, based on IPs and resource locations. When designing a network, you can introduce a multi-layer firewall approach. In a multiple layer design approach, the basic idea is to isolate resources from each other, considering the fact that if one layer is compromised then others are not impacted.

Cross-premises IPsec tunneling provides you with a way to establish secure connections between two networks and multiple on-premises sites, or other virtual networks in Azure/AWS. This can secure data transfer by encrypting your data via the IPsec encryption using the IPsec framework. Virtual networks in AWS are called VPC and, in Azure, VNET.

Distributed Denial of Service: A Denial-of-Service (DoS) attack or Distributed Denial-of-Service (DDoS) attack  is an attempt to make a network resource out of service to its targeted users.

The real-world target would be online services such as e-commerce and the gaming industry, preventing the shop from doing any business by making front resources unavailable for end users. Just think about a situation during big billion-day sales hours if someone launches a DDOS attack and makes your e-commerce portal shut down.

The two most basic types of DDoS attacks are as follows:

  • WAN attacks: WAN DDoS attacks utilize available bandwidth on physical links with a high volume of packets with bigger payloads, or a high volume of packets with smaller payloads. Bigger payload network resources such as router or firewalls will process packets and consume all the bandwidth. With smaller payload network resources like routers, firewalls will try to process all the packets. However, due to limited CPU, cycle hardware resources won't be able to process genuine packets from end users and can fail under the load.
  • For example, let's assume you have a 10 Mbps WAN link and during attack BW, utilization is just 5 Mbps. However, a number of small packets can reach one million packets per second. In this case, assume that your network gear has no CPU cycle to process all tiny packets

    Another example would be if someone launched a DDOS attack using a large ICMP packet. This can choke your bandwidth and leave no space for the rest of the application.

  • The most common form of bandwidth attack is a packet-flooding attack, in which a large number of legitimate TCP, User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) packets are directed to a targeted or aimed destination. Such attacks become more difficult to detect if attackers use techniques such as spoofing source addresses.
  • Application attacks: These DDoS attacks use the expected behavior of protocols such as TCP and HTTP. Application attacks are disruptive but small and silent in nature and extremely hard to detect since they use expected behavior. Application-layer attacks are easy to generate and require fewer packets with a small payload to achieve out of services for targeted applications. Application attacks are focused on web-application layers. For a small HTTP request, the actual server has to execute a lot of resources on the web server to fetch the content or resources. Every such server resource will have limited CPU and memory and can be easily targeted. In this example, I am not considering cloud-based web applications, where you have elasticity features enabled and with growth in the number of requests, server resources are automatically created to accommodate such requests.

 

Let us understand more about this with the help of an example:  

  • HTTP Floods: These are simple attacks in nature that try to access the same web page again and again in an automated fashion. They typically use the same range of IP addresses. Based on the trend, as this is being originated from the same source, the source pool can be blocked to mitigate attacks.
  • Randomized HTTP Floods: These are complex attacks that use a large pool of IP addresses from multiple locations and randomize the URLs. Since these kind of attacks originate from multiple locations, it is not easy to block the source IP. However, the rate limit can be fixed on server resources.

To simplify, DDoS is a form of attack where multiple compromised networks/hosts are used to target a single system. This is like a zombie attack and it is very tough to identify genuine users. Once infected, the internet-connected devices become part of a botnet army, driving malicious traffic toward a given target.

 

Internet security


These are the basic things you need to understand when you are working with online systems. When working with them day to day, we expose ourselves to risks.

Let's jump into the basic components of internet security.

Password

Since we own internet enabled devices, we are responsible for our own security. So, let's begin with our passwords. As users, we must choose a strong password. Alternatively, organizations should encourage users to choose one.

Password analysis shows that quite a common password used by users is 123456 and other similar, simple patterns. Most users choose the same password across multiple platforms. If a server or database is compromised by hackers, it would be easy to crack passwords such as this.

Few common web portals contain personal information. However, if an employee is required to create a username consisting of their first and last name or employee ID, and this is combined with a simple default password such as abcX123, then their information is easy to guess.

System upgrade and updates

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 triggered by the WannaCry ransomware crypto worm. This attack targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. Such infection happens because people are running outdated software and attackers exploit this. This is not limited to PCs but also to mobile devices and other internet enabled devices.

Phishing

Phishing is a form of online fraud where you receive an email that looks similar to a trusted source. The message may ask you to validate, confirm, or update your account information by logging into fake websites. Targets are contacted via telephone, email, and text message, which are used to extract credit card details and passwords.

This is my own email box, which contains a message stating that I am supposed to get 13,17422 INR, and I need to update my details. While the attacker is using money as a temptation tool, it is important to think instead about your IT return. Is this type of mail really to be expected from the IT department? You can easily guess that this is not a genuine domain just by looking at the email header. Following the instructions of this message can consequently have disastrous consequences:

Beware of phishing phone calls

Attackers might call you on the phone and offer to solve your computer problems by selling you a software license or by obtaining your personal information in order to update your details in a backend system.

Once they've gained your trust, cybercriminals might ask for your username and password or ask you to go to a website to install software that will let them access your computer in order to fix it. Once you do this, your computer and your personal information is hijacked.

In the same way, a banking fraud can take place. This includes cybercriminals calling you and trying to persuade you to share your credit card and banking details.

Some signs of phishing phone calls include:

  • You have been specially selected for any offering
  • You have won money in a lottery
  • You have income tax refund
  • Someone asking about credit card CVV and other details to update a banking database

Phishing protection

Phishing attack protection requires steps to be taken by both users and enterprises. For users, awareness is the key. A spoofed message often contains some mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they're even receiving such an email or phone call.

You should report such emails to authorities so that appropriate actions can be taken.

 

Security issues, threats, and attacks


Every day we use our computers and phones to connect to the internet, open emails, do online transactions, check our social media, create files, take photos of our friends, family or favorite places.

IoT security risk

The next big thing, which is going to play a big role in our life, is going to be Internet of Thing (IoT). Everything will be connected to the internet—fans, tube lights, refrigerators, doors, cars, even in medical terms, our heart—could be connected to an IoT sensor. This list will be long. Think about the situation if a person's heart rate controlled by an IoT sensor is hacked.

One of the most prominent IoT security issues is the problem with individuals using the same login credentials for everything.

Computer security risk

Computer security risks are events that may damage or steal data or allow unauthorized access to a computer without notifying the user. Your computer is all about operating systems and applications, the majority of such attacks come along with malicious applications, or bad software, in other words. It is commonly believed that all damages are only done by computer viruses, but in reality there are several types of bad software. Features such as back door, dialer, spyware, virus and worm, key logger, adware, and many more can result in a computer security risk.

Security Risk-Border Gateway Protocol

In the networking world, imagine a situation where attackers plug their cable into your network, establish a Border Gateway Protocol (BGP) session, and sniff all the data going into the wire. This is not limited to sniffing your information, but you can cause a lot of trouble for others.

For example:

  • YouTube blockage by PTA:
    • Scenario: Pakistan telecom was connected to the global internet via PCCW telecom
    • Problem: PCCW did not validate a prefix advertised by Pakistan telecom and there was no built-in mechanism in the BGP protocol to authenticate information
    • Impact: DoS to customers, traffic redirection, prefix hijacking, and AS hijacking
  • On 24 February 2008, Pakistan Telecom Authority (PTA) began to advertise a specific prefix of YouTube. PTA intended to block access to YouTube in Pakistan and advertised the specific prefix 208.65.153.0/24. This was part of the prefix used by YouTube 208.65.152.0/22-208.65.155.255. The intention was that YouTube's traffic would be forwarded to Null0 interface and, consequently, YouTube would get blocked within Pakistan. However, the same route was advertised to upstream ISP (PCCW AS number 3491). PCCW presented this information to other peers as well. YouTube then initiated a more specific prefix (208.65.153.128/25) to recover traffic.

 

  • MAN in the Middle (MITM): This is another example. Think about a situation in which someone from your organization can do the sniffing inside your network by configuring SPAN for switch where all finance employees are connected. All username and password information can be extracted if they are not using a secure way to access the finance portal. This is the reason I say there should be HTTPS for everything. Even hackers can gain access to sniff data, but they cannot decode encrypted data from the system. All these types of hacking come under MITM where attackers have access to data wire or are able to divert traffic.
  • Address Resolution Protocol (ARP): Spoofing can be a similar kind of attack. For local area network-address resolution protocol, it is required to know the computer identity on Local Area Network (LAN). Let's assume you are internet gateway configured in your LAN and all the internet traffic travels via that device. The attacker can do the ARP-spoofing and advertise a new system as an internet gateway. Now all the traffic for internet goes through the attacker's system, and they can sniff your data. There are many tools available on the market for spoofing, which do nothing but change the MAC address of your machine.

MITM attacks can be further divided into two categories: WAN and LAN.

Security and threats

In a growing connected world, security threats are constantly evolving to find new ways to steal or damage data. For any organization and any individual who has an internet enabled system, it becomes very important to protect that information. Malicious or ignorant human activity are major threats to computers. Malicious action always has a goal to achieve and a specific target to be attacked.

Attackers generally have motives or goals. These motives and goals usually abide by the following formula:

Motive + Method + Vulnerabilities = Attack:

As the following diagram shows, security threats are driven either by humans or natural disasters. Threats driven by humans can be further categorized into external or internal threats, or can be put down to user ignorance. We will discuss each of these in detail:

Natural disasters

A natural disaster is a major adverse event resulting from the natural processes of the earth. Examples include floods, hurricanes, tornadoes, volcanic eruptions, earthquakes, tsunamis, and other geologic processes. Nobody can prevent nature from taking its course. Such events can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt other essential services. Few safeguards can be implemented against natural disasters. The best approach is to have disaster recovery plans and Business Continuity Plans (BCP) in place.

Human threats

Human threats consist of inside attackers or outside attackers. Insiders can be employees, vendors, or contractors with privileged access to systems. They can also be organizations and outside attacks by non-employees or groups of individuals just looking to harm and disrupt an organization due to a motive or aim.

The most dangerous form of attackers are usually insiders, because they have access to the system and know security measures that are already in place. Insider attacks can be malicious or negligent and can also be accidental.

All companies in this world have to deal with employee work force reduction and expansion. Consequently, controlling and changing the permission on system assets is a very important action item. Lack of process and failure to remove access to sensitive assets for employees who no longer have a business requirement increase an asset's exposure to unauthorized access. This can be a common cause of insider attacks, which is often overlooked.

Since there is usually a trust between employee and employer, most employees are not out to harm them. However, there's no way to ensure that this is the case with all employees, so the best practice is to be cautious and take the appropriate measures to prevent inside threat.

Here is one classic example:

A company's important application was operated by the personal credentials of an employee who had been working there for many years. However, one day the company laid that employee off. The next day, the IS department deleted his credentials. The application then stopped working. An issue like this can cause major damage to a system, and it will definitely take time to identify and fix the problem.

Human security threats can be something as simple as a person opening an attachment loaded with malicious script or malware that opens the system's back door and allows outsiders to extract information. The worst-case scenario often isn't a hacker breaching internal systems, but an employee that loses his smartphone or has his laptop stolen. The best defense lies in securing the data, not just the devices. This means encrypting at the file-level, so confidential information is protected even it is stolen.

Security vulnerabilities

A malicious attacker uses a method to find the resources of a target, finds known vulnerabilities of targeted resources, and then exploits vulnerabilities in order to achieve a goal. Vulnerabilities are weaknesses, misconfigurations or loopholes in security that an attacker exploits in order to gain access to the network or resources on the network.

Security vulnerabilities are not limited to web, SQL DB, or operating systems. The same approach goes for any infrastructure networking gears.

These are the three main categories:

  • Technology weaknesses
  • Configuration weaknesses
  • Security policy weaknesses

Technology weaknesses

These include TCP/IP protocol weaknesses, operating system weaknesses, software weaknesses running on operating systems and network equipment weaknesses.

TCP/IP is a protocol suite, which is used to transfer data through networks. The most important part of the suite is IP, which is the user identity on a network. The main protocols associated are:

  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
  • Internet Control Message Protocol (ICMP)

TCP ports numbers identify an application. For example:

  • Port 21: FTP
  • Port 23: Telnet
  • Port 80: HTTP
  • Port 443: HTTPS

TCP/IP was meant to provide a reliable connection between two hosts but does not provide any inbuilt security functions, such as encryption or authentication. Protocols like HTTP, FTP, TFTP, and TELNET are insecure since all the information is in clear text.

A SYN flood is a form of DoS attack in which an attacker sends a succession of SYN requests to a targeted victim in an attempt to utilize all available server resources to make the system unavailable to legitimate traffic.

This is normal behavior for TCP three-way handshake. The SYN packet is sent by a user who is then acknowledged by the server and, finally, by ACK.

In the case of SYN, flood systems are unavailable to process SYN packets. Attackers in green send a series of SYN packets and get ACK as well. Meanwhile, attackers consume all server resources, hence real users in violet do not even get SYN-ACK.

The UNIX, Linux, Macintosh, Windows, and OS/2 operating systems all have security problems. Security updates and bug fixes are released by these companies from time to time.

Network equipment such as routers, firewalls, optical equipment, and switches have security weaknesses that must be recognized and protected.

In upcoming chapters, we will discuss these kind of attacks in detail, looking at how to deal with them in a live network.

Configuration weaknesses 

As a network/system administrator, we should know what configuration weaknesses are and what the corrective measures are for their computing and network devices.

User account information might be transmitted in clear text across the network, exposing usernames and passwords to an intruder. For example, if you manage your devices over Telnet, your username and password can be sniffed. The same thing is also applicable when you manage devices using GUI on HTTP.

Misconfigurations of the devices can cause significant network equipment security problems and open doors for unauthorized access. For example, misconfigured access lists, routing protocols, or SNMP community strings can open large security holes. Misconfigured encryption, lack of encryption, or low encryption ciphers for remote-access controls can also cause significant security issues.

Authentication and authorization is a major concern. If you are interested in knowing who is doing what on a piece of network equipment or system, then you might want to centralize authentication with a single authentication platform by accounting logs enabled to perform an audit regularly.

To reduce the threats to your network, the best option is to disable any unused services on all your networking devices and computing system. For instance, if you have a web server, you should disable FTP, SMTP, and other services. Another example would be if you are managing your devices with SSH, you can disable Telnet, HTTP, and FTP running on the same box.

You should only run the applications that are necessary on a device. All unnecessary applications and services should be disabled, to minimize exposure to the outside world.

Security policy weaknesses

Security policy weaknesses can create unforeseen security threats. The network infrastructure can pose security risks to itself if the system administrator does not follow the security policy, and best practices being used in the industry. Every organization must have a security policy and that should be enforced to all users/admin/infrastructure. Security weaknesses emerge when there is no clear-cut or written baseline security policy document.

Always follow a baseline for all infrastructure gears and networks for compliance with the policy. Systems should be in place to verify non-compliance devices. For example, if you have millions of devices in a network, it's very hard to check if all of them are matching compliances or not. However, a system like HPNA and other tools can scan a baseline set of configuration for all devices and reports can be generated.

Single password verification: There are three basic methods for authentication:

  • Username and password
  • One-time password
  • Certificates

In the first methods, passwords are basically user defined, and certificates are computer generated and based on keys. Brute-force attacks can easily crack passwords; passwords are easy to forget and are often reused on multiple services or applications. These passwords are like symmetric keys and are stored somewhere within the service. It is the duty of the service provider to protect your password. However, on the news we also often hear that password databases are hacked and millions of passwords are leaked. The third method is based on keys and strong algorithms, but even they are not 100% foolproof as private keys can be stolen as well.

Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which the user provides password information by combing two methods to verify that users are who they say they are. Two-factor authentication provides an additional layer of security by keeping half of the part of a password static in nature and the rest of the part dynamic, constantly changing after a given interval. This makes it harder for attackers to gain access to a person's devices and online accounts; knowing the victim's password alone is not enough to pass the authentication check, because a combined password is dynamic in nature and has an expiry associated with it. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users' data from being accessed by hackers who have sniffed or stolen a password.

Best practices are being followed by companies like Google. Even if you change your smartphone or browsers you get notified immediately. Companies follow methods of smart card authentication along with phone authentication in order to validate the identity of users. The banking sector distributed RSA tokens for 2FA.

Using unencrypted or weak encryption for a website

Protocols such as Telnet, HTTP, or FTP opens doors for MITM attacks. The main reason behind that is that these protocols do not offer end-to-end encryption. File transfer protocol is used for data transfer between two hosts, and every time you need to enter usernames and passwords, which are in clear text, and it is very easy for attackers to sniff credentials and data being transferred. To protect information from attackers, we should not use any protocol that does not support encryption. For example, for management purposes, we should use SSH instead of Telnet on any device. All websites must offer HTTPS, and instead of FTP data transfer should be done using SCP or SFTP. In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.

SSL SHA1, an extremely popular hashing function, is on the way out. Strictly speaking, this development is not new. The first signs of weaknesses in SHA1 appeared almost 10 years ago. In 2012, some calculations showed that breaking SHA1 is becoming feasible for those who can afford it. In November 2013, Microsoft announced that they wouldn't be accepting SHA1 certificates after 2016. 

Protect Domain Controller: Eliminates use of LM and NTLM (v1) in favor of NTLMv2 or Kerberos. Kerberos is a token-based system. Refresh time is so fast that even if someone hacked your session, you would get new tokens as refresh time makes it more reliable.

In the same way, you should float guidelines for the secure management of assets. All the servers and assets should be managed by domain controller security groups. Using interactive logon with a service account can cause major damage too, hence interactive logon for service accounts should be disabled. The reason behind this is that if a system is compromised, attackers can gain access to the domain controller as well.

Connect to unsecured Wi-Fi network access: Connecting through a public Wi-Fi network or hotspot can compromise your computer/mobile security and put your information at risk. Whether you are on your computer or your mobile device, it's relatively easy for hackers to access the information you type and send over an unsecured Wi-Fi network, including your login and password information.

Users need to be educated on how to use Wi-Fi with their computer devices. Here are some important tips that every company employee should know:

  • If possible, make sure that you connect to secure networks only 
  • Use strong passwords for all your online accounts and change them often
  • Use VPN for accessing corporate resources
 

Summary


So far, we discussed why infrastructure is an absolute requirement for today's internet world and what this means for system admins and internet users. We also learned how to build secure IT infrastructure and policy frameworks to protect information.

One of the major weaknesses in information security today is the human element. The everyday behavior of employees and end users represents one of the greatest risks to organizations and customers. IT technology is evolving faster than ever before. We are seeing new security controls, policies, and best practices put in place within organizations, but every day security breaches continue to take place. Nobody is 100% protected from small to large organizations. It only takes a simple mistake from an uneducated end user to leave a back door open in your information security. Organizations need to be aware of the people they work with, within the organization and outside as well. Developing adequate training and security frameworks for employee and end users becomes very important for protecting systems, especially considering the fact that it's not just technology which plays an important role, but also its users. I again repeat: if you have internet enabled devices, it is also your responsibility to secure them.

In 2017, Ransomware such as WannaCry, NotPetya, and Bad Rabbit have demonstrated the dangers of this threat and the potential impact on almost any industry. In 2018, it is predicted that IOT will be a big target for attackers in upcoming years, as well as Cloud infrastructures, Artificial Intelligence (AI), and of course the rise of mobile attackers increases daily.

In our next chapter we will discuss how to design secure infrastructure, keeping common risk factors in mind. This starts with placement of firewall and DDoS protection techniques.

Here is a famous quote to keep in mind:

“If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked” ― Richard Clarke

 

Questions


  1. What are the different types of firewalls?
    1. Simple packet filtering
    2. Application proxy
    3. Stateful inspection firewalls
    4. Next-Generation firewalls
    5. All of above
  1. What kind of attacks can be prevented using IDS/IPS?
    1. Denial of Service
    2.  Distributed Denial of Service
    3. Exploits
    4. Worms
    5. Viruses
  1. Which of the following pieces of information can be found in the IP header?
    1. Source and destination address of the IP packet
    2. Source and destination port of the IP packet
    3. Sequence number of the IP packet
    4. Both (1) and (2) only.
  1. What is the standard port number used for requesting HTTPs?
    1. 80
    2. 53
    3. 443
    4. 25
  1. Which of the following is not considered an external threat to a network?
    1. Human ignorance
    2. Virus
    3. Hackers
    4. Malware
 

Further reading


Visit the following link for more information:

About the Author

  • Ajay Singh Chauhan

    Ajay Singh Chauhan is an experienced Network and Security Architect and has been working extensively in the IT industry for 15 years. During his career, he has had varied responsibilities, ranging from looking after an entire IT infrastructure to providing network operations, implementation, and network design solutions.

    Ajay works almost exclusively with large-scale cloud datacenter multi-vendor technologies. He contributes to the Cisco blogging platform by providing IT Professionals with troubleshooting tips and tricks.

    Browse publications by this author

Latest Reviews

(2 reviews total)
Me parece que el precio que he pagado por la suscripción es razonable comparado con el enorme valor que me aporta
No hand on practical No Activity I would like to retain it
Practical Network Scanning
Unlock this book and the full library FREE for 7 days
Start now