Perimeter & Network
Security Engineering
ine.com
Brian Olliff
Defensive Engineering Instructor
@CybeardSec
https://www.linkedin.com/in/brianolliff/
Introduction
Topics
Perimeter Security
DNS
Network Segmentation
Securing Network Devices
Wireless Security
Logging & Analysis
Learning Objectives
● Understand what a “network perimeter” is and how to secure it
● Demonstrate proper firewall security, including configuring rules
● Be able to properly secure a remote access solution
● Understand various aspects of DNS security
● Describe network segmentation and why it is important
● Properly secure network devices such as switches and routers
● Understand different levels of wireless security
● Be able to configure logging and perform basic log analysis
Perimeter Introduction
Perimeter Network
● Outside boundary of the network
● First line of defense against attacks
● Securing both inbound & outbound traffic
● Perimeter can consist of
○ Firewalls and other network equipment
○ Email gateways
○ Web filtering/proxy
○ DMZ
Perimeter & Cloud
● Definition of “perimeter” is getting blurred
● Previously - hard network boundary
● Cloud services introduce complications with that definition
○ Traditional website hosting
○ Cloud-based email
○ Organizations hosting file shares in cloud
● IaaS (Infrastructure as a Service)
● SaaS (Software as a Service)
● PaaS (Platform as a Service)
DMZ
● Secure way to self-host public resources
● Boundary between internal and external networks
● Can contain
○ Firewalls
○ Web servers
○ Email servers
○ Remote access terminators
○ DNS Servers
○ Other supporting infrastructure
Network Introduction
Internal Network
● Typically a private network
● Can be divided into multiple networks
● Hosts all internal resources
○ Active Directory
○ File servers
○ Mail servers
○ Database servers
○ Network equipment (switches, routers, firewalls)
○ Wireless infrastructure
Importance of Securing
● Many different aspects to securing internal infrastructure
● Improperly secured switches
○ Attackers could use default credentials to reset configuration or eavesdrop
● Insufficient network segmentation
○ Ransomware spreads unchecked across all servers and workstations
○ “Wormable” vulnerabilities could easily compromise entire infrastructure
● Improper inbound firewall rules
○ RDP open to the internet allows attacker to brute-force
● Improper outbound firewall rules
○ Invisible image in email leaks credentials to attacker
Securing Firewalls
Firewall Security Basics
● Various types of firewalls
○ Packet filtering
○ NGFW (Next Generation Firewall)
○ WAF (Web Application Firewall)
● Secure management protocols
○ SSH instead of telnet
○ SNMPv3
○ HTTPS for web administration
● Secure authentication
○ RBAC (Role Based Access Control)
○ Centralized authentication methods
● Limit administrative access
○ Secure administration workstation (jump box)
Firewall Security Basics
● Always change default credentials
● Disable services that are not needed
○ DNS server
○ DHCP servers
○ VPN services
● Keep proper inventory of devices
○ Helps with device lifecycle management
○ Much easier to audit and secure
Centralized Logging
● Aggregated logs simplify troubleshooting
● Limits attacker abilities to delete logs
● Automated log analysis from multiple devices
○ Assists in identifying attacks
○ Can identify potential configuration/hardware problems (availability)
● Various types of centralized logging
○ Log offloading
○ SIEM (Security Information and Event Management)
○ Vendor-specific systems
Secure Firewall Rules
● Rules applied in “top down” manner (depending on vendor)
● Implicit deny
○ “Block by default”
● Some standard recommendations
○ Block inbound RDP (3389)
○ Limit outbound SMTP (25)
○ Block outbound SMB (139 & 445)
Anatomy of a Firewall Rule
● Standard components
○ Action (Permit, Deny)
○ Protocol
○ Source IP/subnet
○ Destination IP
○ Source Port (sometimes)
○ Destination Port
permit tcp any 192.168.1.100 https
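The rule above and the recommendations on the previous slide (top-down evaluation, implicit deny, block inbound RDP, limit outbound SMTP, block outbound SMB) as a runnable example. This is added code, not from the slides or any vendor firewall: it parses rules in the slide's "<action> <proto> <src> <dst> [port]" shape, evaluates packets first-match, and flags a rule that an earlier, broader rule hides. The service table, rule sets and addresses are constructed for the example.

```python
# Added example (not from the INE slides): first-match rule evaluation with
# implicit deny, for rules in the slide's "<action> <proto> <src> <dst> [port]" shape.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names the rule syntax accepts (constructed subset of the usual table).
SERVICES = {"http": 80, "https": 443, "ssh": 22, "smtp": 25,
            "netbios-ssn": 139, "smb": 445, "rdp": 3389}


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None = any destination port


def _net(tok: str) -> ipaddress.IPv4Network:
    # "any" covers everything; a bare host address becomes a /32.
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None or tok == "any":
        return None
    if tok.isdigit():
        return int(tok)
    if tok not in SERVICES:
        raise ValueError(f"unknown service name {tok!r}")
    return SERVICES[tok]


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'permit tcp any 192.168.1.100 https' (the rule on the slide)."""
    parts = line.split()
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, dst = parts[:4]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(action, proto, _net(src), _net(dst),
                _port(parts[4] if len(parts) == 5 else None))


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Walk the list top down; the first matching rule decides.
    Returns (action, index); no match means the implicit deny, index None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    covers everything they match: the 'permit any above the deny' mistake."""
    hidden = []
    for j, r in enumerate(rules):
        for e in rules[:j]:
            if (e.proto in ("ip", r.proto)
                    and r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
                    and (e.dport is None or e.dport == r.dport)):
                hidden.append(j)
                break
    return hidden


# Constructed rule sets following the slide's recommendations.
INBOUND = [parse_rule(l) for l in [
    "permit tcp any 192.168.1.100 https",   # public web server only
    "deny tcp any any rdp",                 # block inbound RDP (3389)
]]
OUTBOUND = [parse_rule(l) for l in [
    "permit tcp 192.168.1.25 any smtp",     # only the mail filter may send SMTP
    "deny tcp any any smtp",                # limit outbound SMTP (25)
    "deny tcp any any netbios-ssn",         # block outbound SMB (139 & 445)
    "deny tcp any any smb",
    "permit ip any any",
]]
MISORDERED = [parse_rule(l) for l in ["permit ip any any", "deny tcp any any smb"]]

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", "203.0.113.5", "192.168.1.100", 443))   # ('permit', 0)
    print(evaluate(OUTBOUND, "tcp", "10.0.0.7", "198.51.100.9", 445))      # ('deny', 3)
    print(shadowed(MISORDERED))                                             # [1]
```

Note that a packet matching nothing returns ("deny", None): the implicit deny is the absence of a permit, not a rule you can forget to write. The shadowed() check is the kind of test worth running whenever a rule set is edited, since a misordered "permit ip any any" silently disables every deny beneath it.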
Firewall Demo
DMZ Security
Importance of DMZ
● Secure location to publicly host resources
○ Alternative to hosting on internal network
● Boundary between external and internal networks
● Lines becoming blurred with cloud
○ On-prem hosting less prominent
○ Even with cloud-hosted, remote access may still be needed
● Often first-attacked network segment
○ Architecture and firewall rules critically important
What’s in a DMZ?
● Public resources
○ Web servers
○ Application servers
● Remote access for employees/vendors
○ VPN terminators
○ Application storefronts
● Email servers
● Security appliances
○ Firewalls
○ IPS (Intrusion Prevention Systems)
● Supporting infrastructure
DMZ Security
● Secure firewall rules are a priority
○ Only allow what’s absolutely necessary (inbound & outbound)
○ Limited access into internal network
● Public self-hosted DNS servers
○ Only if absolutely necessary
○ Easy for attacker to abuse
● MFA (Multi-Factor Authentication)
○ Use for all remote access
● Regular audits & tests of network perimeter
● No management access exposed
Public Web Servers
● HTTPS-only recommended
○ Certificate lifecycle management
● Proper logging
○ Centralized logging if available
○ Source (IP, browser data, OS, etc)
○ Destination (port, server, directory, file)
○ Activity (GET, PUT, etc)
● Up-to-date patches
● Continuous monitoring
● Routine testing
Email Edge Servers & Access
● Email portal secured with MFA
○ Ideally - behind other remote access
● Cloud-hosted email filtering
○ Restrict inbound mail from that system only
● On-prem filtering (inbound and outbound)
● Restrict outbound mail flow
○ Only allowed through email filters
○ Individual systems must route through central point
● TLS communication
○ Forced TLS
○ Opportunistic TLS
● No mailbox servers in DMZ
Remote Access
Types of Remote Access
● VPN access (Virtual Private Network)
○ Uses specific software to connect to a termination point
○ End result - similar to computer on internal network
○ Proper restrictions, ACLs should be implemented
● Storefront
○ Usually web-based
○ User logs into a specific site, chooses application to launch
○ Sandboxed applications run over remote connection
○ Normally more secure (depends on configuration)
VPN vs Storefront
● VPN
○ Usually easier to deploy
○ Less management overhead
○ Can be less secure, easier to exploit if improperly configured
○ Segmentation and least privilege access are critically important
● Storefront
○ Longer deployment timeline
○ More management required for individual applications
○ More secure (if properly configured) because of sandboxing
○ Less network exposure
Multi-Factor Authentication (MFA)
● Critically important for ANY remote access
● Can be the difference between compromised and secure
● Consists of two or more:
○ Something you know (password, PIN)
○ Something you have (mobile phone, hardware token)
○ Something you are (biometrics)
● Types of MFA options
○ SMS codes
○ Token codes (either hardware or software)
○ Push notifications
○ Hardware tokens (Yubikey or similar, smartcard)
○ Biometrics
Other Security Considerations
● Least privilege access regardless of remote access solution
○ VPN - rules to allow access only to what is needed
○ Storefront - users only see applications required for their job
● RBAC (Role Based Access Control)
○ Replaces directly-assigned user permissions
○ Normally performed with centralized authentication/authorization
○ Groups created, permissions assigned to those groups
○ Helps with access changes, new users, terminations
○ Easier to audit and log access and permission changes
DNS Security
DNS Basics
● Domain Name Service
● Dictionary for IP addresses
○ www.google.com = 74.125.21.104
○ 4.2.2.2 = b.resolvers.level3.net
● Various tools to lookup IPs/domain names
DNS Security Concerns
● Standard DNS queries are not encrypted
○ DNS over HTTPS addresses this
● Logging is important
○ Can help identify malicious traffic on network (C2, etc)
○ Useful for other types of audits
● Typosquatting
○ Registering a DNS name confusingly similar to existing
○ Examples
■ microsoft.com -> rnicrosoft.com
■ GOOGLE.COM -> G00GLE.COM
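The two lookalike examples above, generalized into a small check a defender can run over newly registered domains or DNS query logs. This is added code, not from the slides: it collapses visually confusable sequences (rn for m, 0 for o, and so on) into a "skeleton", compares the registrable label against a short allowlist of your own domains, and falls back to a similarity ratio for near-miss spellings. The confusable table, brand list and threshold are constructed assumptions.

```python
# Added example (not from the INE slides): flag registrations that look like one
# of your own domains, the way a brand-monitoring or DNS-log check would.
import difflib
from typing import Optional, Tuple

# Character sequences that read as another letter at a glance (constructed subset).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e"}

# Domains you own (constructed; the slide's two examples).
BRANDS = ["microsoft.com", "google.com"]


def skeleton(label: str) -> str:
    """Collapse confusable sequences so 'rnicrosoft' and 'micros0ft' both become 'microsoft'."""
    s = label.lower()
    for seq, rep in CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s


def registrable_label(domain: str) -> str:
    """Second-level label: 'www.example.com' -> 'example' (assumes a one-label TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str, brands=BRANDS,
             ratio_threshold: float = 0.8) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when `domain` is a lookalike of a brand, else None."""
    d = domain.lower().rstrip(".")
    if any(d == b or d.endswith("." + b) for b in brands):
        return None                              # the real domain or one of its subdomains
    d_label = registrable_label(d)
    best = None
    for b in brands:
        b_label = registrable_label(b)
        if d_label == b_label:
            return b, "same-name-different-tld"   # e.g. microsoft.co
        if skeleton(d_label) == skeleton(b_label):
            return b, "homoglyph"                 # rnicrosoft.com, G00GLE.COM
        ratio = difflib.SequenceMatcher(None, b_label, d_label).ratio()
        if ratio >= ratio_threshold and (best is None or ratio > best[0]):
            best = (ratio, b)
    return (best[1], "lookalike") if best else None


if __name__ == "__main__":
    for candidate in ["rnicrosoft.com", "G00GLE.COM", "microsoft.co",
                      "microsofty.com", "www.microsoft.com", "example.com"]:
        print(candidate, "->", classify(candidate))
```

Run against a feed of new registrations this produces a short review queue rather than a verdict; the similarity threshold trades false positives for coverage, and a real deployment would use the Unicode confusables table and a public-suffix list instead of the constructed ones here.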
DNS Security Concerns
● DNS spoofing
○ Malicious DNS server answering a legitimate DNS query
○ Returns attacker-supplied IP
● DNS cache poisoning
○ Causes a DNS server to cache “wrong” IP address
● Denial of service attacks (DoS)
● DNS amplification
○ Uses insecure recursive DNS server to amplify attack against third-party victim
● Server vulnerabilities
DNSSEC (DNS Security Extensions)
● Designed to help protect against DNS-based attacks
● Digitally signs DNS data using public key cryptography
○ Zone owner uses private key to sign DNS data
○ Public key is then used to validate that data
● Provides data authentication and integrity protection
● Requires configuration at multiple locations
○ DNS registrar
○ TLD registry
○ DNS resolver must validate signatures
DNS over HTTPS (DoH)
● Standard DNS queries (port 53) are not encrypted or private
● Designed to improve privacy of DNS traffic
● Both queries and responses are encrypted
● Uses port 443 (standard HTTPS port)
● If traffic cannot be decrypted, DNS cannot be monitored/logged
● Attackers using to bypass traditional DNS controls
● Risk assessment required to identify need to enable/block DoH
● Browsers fall back to standard DNS if DoH fails (for now)
Other Perimeter Considerations
Email Security Appliances
● Used to reduce spam, phishing, other malicious emails
● Cloud-hosted or on-prem (or combination of both)
○ Cloud-hosted reduces amount of malicious email hitting network
○ On-premise allows on-site relay (if needed)
● If on-prem, normally in DMZ
● 90%+ of attacks start via email
○ Phishing, spear phishing, whaling
○ Ransomware, data exfil, cyber espionage, etc
● Can provide insight into types of attacks based on logging
○ Allows security team to focus their efforts
OWASP (Open Web Application Security Project)
● Non-profit organization - works to improve the security of software
● OWASP Top 10
○ List of top ten web security risks & vulnerabilities
○ Built from a consensus among security experts
○ Updated every 2-3 years (last update Sept, 2021)
● Commonly used as a framework for vulnerability assessment and pentests
https://owasp.org/Top10/
Web Application Firewalls (WAF)
● Placed in front of a web server to analyze traffic
● Designed to protect against application vulnerabilities
● Can protect against
○ Cross-site forgery
○ Cross-site-scripting (XSS)
○ File inclusion
○ SQL injection
● Different types
○ Network-based
○ Host-based
○ Cloud-based
Network Segmentation
Why Segment?
● Practice of physically or logically separating parts of network
● Overall goal: reduce attack surface
● Network management benefits
○ Smaller subnets
○ Cleaner organization
● Can prevent lateral movement
○ Ex: attackers compromise workstation on Sales network, cannot pivot to Finance server network
● Limits spread of ransomware (or other wormable malware)
○ Worm: malware that can self-replicate and self-propagate without any interaction from users
Network Segmentation
Network Segmentation Methods
● ACLs (Access Control Lists)
○ Rules can be on switches and/or routers
○ Manual process of segmentation
● Internal Firewalls
○ Placed between network segments - physical separation
○ Depending on number, can be expensive
● VLANs (Virtual Local Area Networks)
○ Logical separation between network segments
○ Rules can allow routing between VLANs (or not)
Network Segmentation Methods
● NAC (Network Access Control)
○ Sees new device on network and attempts to identify
○ May require authentication to connect
○ Can evaluate security posture of device
■ If ✅ - allowed to access resources (based on authorization)
■ If 🚫 - access denied, placed into “remediation network”
○ What can be evaluated?
■ AV/EDR settings and updates
■ Windows updates
■ Member of domain?
■ … and much more
Switches & Routers
General Security Considerations
● Physical security
○ Network equipment behind locked doors
● Unused ports
○ If not patched, can be disabled
○ If patched, but not in use - disable or filter
● Evaluate using NAC or MAC address filtering
○ Can limit devices that are allowed to connect
● Careful use of trunk ports vs access ports
○ Trunk port - allows use of multiple VLANs on single port
○ Access port - single VLAN, used for endpoint device
Device Management
● Always use secure management protocols
○ SSH (secure shell) instead of telnet
○ SFTP (secure file transfer protocol) or SCP (secure copy protocol)
● Console access
○ Secure physical location
○ Different settings than virtual terminal access (remote access)
● NTP (Network Time Protocol)
○ Centralized timestamps across all devices
○ Greatly simplifies logging
● Backup and save configurations
○ Off-device backups
Authentication
● Always change default credentials
● Most switches/routers support multiple types (local, centralized)
● Local authentication
○ With few devices, can be simpler to implement
○ Many devices - becomes cumbersome and complicated
○ No central management or auditing
● Centralized authentication
○ One location to configure accounts
○ RBAC
○ Easier monitoring, logging, and auditing of access
○ Simple to terminate access to all devices if needed
○ Requires extra configuration on each device
Logging
● Central logging always recommended
○ One location to monitor logs
○ Automated alerts
○ More difficult for attackers to compromise logs
○ Synchronized timestamps (use NTP)
● What should be logged?
○ Login attempts (successful and failed)
■ User, source, type
○ Configuration changes
○ Consider logging port link states
○ Refused connections/failed authentications for NAC
More Logging
● What can you see in logs?
○ Unauthorized devices attempting to connect to network
○ Nmap or other port scans
○ Multiple failed login attempts against device
○ Evidence of compromised workstation
● Log retention
○ Retention time depends on business needs
○ Storage
● Backups!
○ Device failure (“A” in CIA triad)
○ Compromised devices
Securing Switches Demo
Wireless Security
Access Point Device Security
● General security recommendations
○ Change default credentials
○ Disable unnecessary services
■ Depends on class of device (consumer, prosumer, commercial)
○ Use only secure management protocols
● Central wireless controllers
○ One (or redundant) system that manages all APs
○ Automatic inventory of devices
○ Easy patching and maintenance
○ Central configuration for ease of management (including security policies)
Secure SSIDs (Service Set Identifier)
● Never use WEP
● WPA-PSK (WiFi Protected Access, Pre-shared key)
○ Uses single password for all connections
○ Can be compromised with some effort
● WPA-Enterprise
○ Central authentication using 802.1x
○ Normally using RADIUS server
○ Different types of EAP authentication can be used
● WPA2
○ Previous standard until ~July, 2020
● WPA3
○ New standard, stronger encryption, more secure PSK mode
Wireless Network Security
● MAC filtering
○ Similar to network device MAC filtering
○ Allow list of addresses permitted to connect to wireless
○ More practical in smaller environments
○ MAC addresses can be spoofed
● Network Access Control (NAC)
○ Set of requirements for device before allowed to connect
■ AV, Windows updates, domain membership, others
● Wireless radio power
○ Distance that wireless signal travels
○ Should be carefully set to avoid “signal bleed”
○ AP placement influences
Guest Networks
● Secure way to allow non-employees to connect to internet
● Isolated network
○ Either physical or logical separation from enterprise network
● Normally only has internet access
● For customers, visitors, etc to connect for convenience
● Implementation depends on wireless equipment/vendor
○ May use same APs with separate SSIDs
○ Can also use completely isolated APs
Logging & Analysis
Centralized Logging
● Critical piece of a secure infrastructure
● Ease of auditing and monitoring
○ Compare 1,000 separate endpoints to 1 central log system
● Increases difficulty for attackers altering/deleting logs
● Ability to introduce automation and alerting
● Example scenarios:
○ Monitor changes to administrative groups across server infrastructure
○ Alerts for brute force password attacks against remote access gateway
○ Notification of port scans against perimeter network
○ Report of user activity across multiple systems
Types of Logs
● Various Formats
○ Syslog
○ SNMP
○ Windows event log
○ JSON
○ CEF
○ Application specific (IIS, W3C)
● Log Sources
○ Web servers
○ Email
○ Security (logon events, account changes, etc)
○ DNS
○ Other applications
Logging Automation
● Security Information and Event Management (SIEM) systems
○ Aggregates and consolidates logs from multiple sources
○ Provides dashboards, automation, alerting
● Triggered processes
○ Log monitoring and configured thresholds can trigger actions
○ Ex: email logs show phishing message, VPN logs show multiple failed attempts -> account flagged and disabled
● Alerting
○ Can be tied in with automated actions
○ Ability to connect to ticketing systems as well
● Multiple vendors & systems exist
Automation Scenarios
● Multiple failed logins from account with elevated access
○ Logs from IPS are also sampled
○ Account is automatically disabled
○ IP address is blocked on firewall
○ Security admins notified
● Employee is terminated, manager suspects they took data upon departure
○ Logs from AD, file servers, email servers, and workstations
○ Search for user in log dashboard - shows all activity
○ Filtering criteria shows user copied data from server, attempted to place on USB and then attempted to email to personal - all unsuccessful
One More Scenario
● User reports to Payroll they have not received their paycheck
○ Payroll contacts IT, who then contacts Security
○ Correlated events/timeline shown in log dashboard
■ Email: user received phishing email (flagged malicious after arrival)
■ Web filter: user clicked on link and entered credentials
■ FW: VPN login for user from unusual IP address at unusual time
■ HR application: at same time, from same IP, direct deposit information updated for user
○ All seen on one screen in one system
○ Any of those attack phases could also have generated alert
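The first automation scenario (failed logins against an elevated account leading to automated actions) and the payroll scenario just above, run over constructed log lines as an added example that is not from the slides or any SIEM product. The lines are already normalised into one "source timestamp key=value" shape, as a SIEM would hold them after parsing vendor formats; the users, IP addresses, .example URL, thresholds and business-hours window are placeholders chosen for the example.

```python
# Added example (not from the INE slides): the two automation scenarios above run
# over constructed, already-normalised log lines of the kind a SIEM holds.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: "<source> <ISO timestamp> key=value ...". Names, IPs and the
# .example URL are placeholders, not real events.
SAMPLE_LOGS = """\
vpn 2024-03-04T08:00:05 user=jsmith result=fail src=203.0.113.9
vpn 2024-03-04T08:00:09 user=jsmith result=fail src=203.0.113.9
vpn 2024-03-04T08:00:14 user=jsmith result=fail src=203.0.113.9
vpn 2024-03-04T08:00:20 user=jsmith result=fail src=203.0.113.9
vpn 2024-03-04T08:00:27 user=jsmith result=fail src=203.0.113.9
vpn 2024-03-04T08:03:00 user=bjones result=fail src=198.51.100.7
vpn 2024-03-04T08:10:00 user=bjones result=ok src=198.51.100.7
email 2024-03-04T09:12:00 user=akim event=phish_flagged subject="Payroll update"
webfilter 2024-03-04T09:15:30 user=akim event=credential_submit url=hr-portal-login.example
vpn 2024-03-04T22:41:10 user=akim result=ok src=192.0.2.77
hr 2024-03-04T22:43:02 user=akim event=direct_deposit_changed src=192.0.2.77
"""

LINE = re.compile(r"^(?P<source>\S+) (?P<ts>\S+) (?P<rest>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(text: str) -> List[Dict]:
    """One dict per line; timestamps become datetimes so windows can be computed."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = {"source": m["source"], "ts": datetime.fromisoformat(m["ts"])}
        ev.update({k: v.strip('"') for k, v in KV.findall(m["rest"])})
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5), privileged=()):
    """Scenario 1: count failed VPN logins per (user, source IP) in a sliding window;
    at the threshold emit the slide's automated actions once per offender."""
    recent, alerted, actions = defaultdict(list), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "vpn" or ev.get("result") != "fail":
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:          # drop failures outside the window
            q.pop(0)
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            user, src = key
            if user in privileged:
                actions.append(("disable_account", user))
            actions.append(("block_ip", src))
            actions.append(("notify", f"{len(q)} failed VPN logins for {user} from {src}"))
    return actions


def phish_to_payroll_chain(events, user, known_srcs,
                           business_hours=(7, 19)) -> List[Tuple[str, str]]:
    """Scenario 2: on the user's cross-source timeline look for the ordered sequence
    phishing flagged -> credentials entered -> VPN login from an unknown IP or
    outside business hours -> direct-deposit change. Returns the steps found
    when the whole chain is present, else an empty list."""
    stages = [
        lambda e: e["source"] == "email" and e.get("event") == "phish_flagged",
        lambda e: e["source"] == "webfilter" and e.get("event") == "credential_submit",
        lambda e: e["source"] == "vpn" and e.get("result") == "ok"
                  and (e.get("src") not in known_srcs
                       or not business_hours[0] <= e["ts"].hour < business_hours[1]),
        lambda e: e["source"] == "hr" and e.get("event") == "direct_deposit_changed",
    ]
    chain, stage = [], 0
    for e in sorted((e for e in events if e.get("user") == user), key=lambda e: e["ts"]):
        if stage < len(stages) and stages[stage](e):
            chain.append((e["source"], e["ts"].isoformat()))
            stage += 1
    return chain if stage == len(stages) else []


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print(detect_bruteforce(evs, privileged={"jsmith"}))
    print(phish_to_payroll_chain(evs, "akim", known_srcs={"198.51.100.7"}))
```

Both functions depend on the timestamps from four different systems being comparable, which is why the earlier slides insist on NTP: a VPN gateway that is ten minutes slow would put the "unusual" login after the HR change and the chain would not be found.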
Wireshark Introduction
What is Wireshark?
● Free, open source packet analyzer
● Network troubleshooting tool
● Requires a good foundational network understanding
● Security usage
○ Analyze network traffic looking for suspicious activity
○ Find unsecure connections/traffic on network
○ See evidence of potential data exfiltration
● Can perform live analysis or after-action analysis on packet captures
Wireshark Usage
● Can only monitor traffic that is destined for installed machine
○ Unless analyzing packet capture file (.pcap)
● Filters
○ Capture filters
■ Live filter, limits captured data
■ Reduces processing overhead and capture file size
○ Display filters
■ Can be used during capture, or afterwards
■ Doesn’t reduce processing overhead
■ Assists with narrowing down what’s shown
● “Follow stream”
○ Isolate specific entry
○ Follows the communication path and only shows that data
Wireshark Display
● 3 main sections in application
○ Packet list
○ Packet details
○ Packet bytes
Wireshark Demo
Other Internal Network Considerations
Internet of Things (IoT) Devices
● Types of devices
○ Thermostats
○ Media devices (AppleTV, Chromecast, Roku, etc)
○ Security cameras, doorbell cameras
○ Smoke detectors, security systems, smart locks
○ HVAC system controls
● Mirai botnet
● Securing can be difficult
○ Use same general guidelines as other systems
● Network segmentation is critical
● Disallow access to enterprise network entirely
Printers
● Use central print server if possible
○ Restrict printing from that server only
● Ensure administrative access is restricted
● Change default passwords
● Change default SNMP strings
● Ensure newest firmware is used
● Disable unnecessary services/protocols on device (wireless, bluetooth)
● Network segmentation
● MFPs
○ Disable services not being used (print, scanning, copying, faxing, etc)
○ Ensure sensitive information is not stored locally
General Recommendations
● Ensure systems are updated
○ Patch security vulnerabilities
○ New features & functionality
● Test updates, patches, and new configurations in test environment
● Defense in depth strategy
○ Layering defensive systems
○ Redundancy across security infrastructure
○ Multiple levels of security to mitigate risks and attacks
○ Often implemented with variety of vendors
● Encourage users to report suspicious activity, emails, phone calls