Week 1
NETWORKING FOUNDATION
CRITERIA     %     COMMENTS
FINAL EXAM   100   PASSING GRADE IS 50%
TOTAL        100
1. BASIC NETWORK DESIGN
OSI Model
The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes
and standardizes the communication functions of a telecommunication or computing system
without regard to its underlying internal structure and technology. Its goal is the interoperability
of diverse communication systems with standard communication protocols.
OSI MODEL REVIEW – DATA LINK LAYER – LAYER 2
• Adds the ability to handle physical addresses, framing, error handling and
messaging
• Contains Logical Link Control (LLC) and Media Access Control (MAC)
• Frame: a container where data is placed in order to be transported
• Flow control: makes sure that the information sent does not exceed the capabilities
of the physical connection
• Supports a mechanism known as Address Resolution Protocol (ARP), which translates IPv4
addresses to known MAC addresses
• Security threats: Denial of Service (DoS), MAC spoofing, WEP cracking, active and
passive sniffing
OSI MODEL REVIEW – TRANSPORT LAYER – LAYER 4
• Offers the ability to have the data sent completely and correctly using error
recovery and flow control techniques
• Complements Layer 2 (Data Link) with the guarantee of data delivery
• Responsible for communications between host computers and ensures both the
sender and receiver are ready to initiate the data transfer
• Protocols:
• Transmission Control Protocol (TCP) – connection oriented, using handshaking,
acknowledgements, error detection and session tear down
• User Datagram Protocol (UDP) – connectionless – speed and low overhead
• Security threats: SYN attacks, port scanning, Denial of Service (DoS), service
enumeration, flag manipulation, buffer overflow
OSI MODEL REVIEW – PRESENTATION LAYER – LAYER 6
Layer 6 – Presentation – Syntax Layer – SSL, IMAP, SSH, FTP, MPEG, JPEG
• Responsible for taking data that has been passed up from lower levels and
putting it into a format that Application layer programs can understand
• These common formats include American Standard Code for Information
Interchange (ASCII), Extended Binary-Coded Decimal Interchange Code
(EBCDIC), and American National Standards Institute (ANSI)
• Gateway services allow sending data between two networks that use different,
otherwise incompatible, protocols
• Encryption and decryption happen at this layer
• Security threats: NetBIOS enumeration, clear text extraction, protocol attack
OSI MODEL REVIEW – APPLICATION LAYER – LAYER 7
(Figure: UDP encapsulation – application Data is wrapped in a UDP header at the Transport layer, and the UDP datagram in an IP header at the Internet layer.)
Layer – Name – Examples
Layer 7 - Application – DHCP, FTP, IMAP, MIME, NNTP, NTP, POP3, RADIUS, RDP, BitTorrent, SMTP, SOAP,
TELNET
Layer 3 - Network – ICMP, IGRP, IPv4, IPv6, IPSec, GRE, OSPF, RIP
Layer 2 - Data Link – ARP, FDDI, Frame Relay, L2TP, PPP, MAC, Token Ring, VLAN, Wi-Fi, X.25
Layer 1 - Physical – Bluetooth, Ethernet physical layer, USB, Wi-Fi physical layer, DSL
TCP/IP: LAYER REVIEW
(Figure: OSI layers mapped to the four TCP/IP layers; the labels below are what survives of the diagram.)
OSI Layer 5 Session – sync and send to port
OSI Layer 4 Transport – end-to-end connections – TCP/IP Layer 3 Host-to-host
OSI Layer 3 Network – packets – TCP/IP Layer 2 Network
OSI Layer 2 Data link – frames – TCP/IP Layer 1 Physical
OSI Layer 1 Physical – physical structure – TCP/IP Layer 1 Physical
PHYSICAL OR NETWORK ACCESS LAYER – LAYER 1
• The Physical or Network Access Layer uses the following devices: repeaters, hubs,
bridges, switches.
• Protocols: Address Resolution Protocol (ARP), Reverse Address Resolution
Protocol (RARP), Neighbor Discovery Protocol (NDP), Inverse Neighbor
Discovery (IND), Transport Layer Security (TLS), Layer 2 Tunneling Protocol
(L2TP), Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP).
• arp -a – lists the cache, including dynamic entries
• arp -s – adds a static entry – no broadcast needed
• IPv6 doesn’t use ARP – it uses NDP – a Neighbor Solicitation (NS) is sent and
a Neighbor Advertisement (NA) is received – NDP is more secure than ARP but the
request is still in clear text.
NETWORK OR INTERNET LAYER – LAYER 2
• The primary equipment is the router, which works with protocols like Routing
Information Protocol (RIP) and Open Shortest Path First (OSPF).
• Routers characteristics:
• Do not forward broadcast packets
• Forward multicast packets
• Highest latency
• Most flexibility
• Makes forwarding decision based on the destination IP
• Requires configuration
HOST-TO-HOST OR TRANSPORT LAYER – LAYER 3
(Figure: TCP three-way handshake – step 3, ACK, connection established.)
• Provides end-to-end delivery: segments data and adds checksums to make sure it was
transmitted without corruption. The delivery is done using TCP or UDP.
• TCP is a connection-oriented protocol that provides reliable data transmission –
it guarantees the data transmission process using sequence and acknowledgment
numbers.
• UDP is a connectionless transport protocol that doesn’t have any handshaking
process – less reliable but very fast – DNS uses UDP.
• The host-to-host layer needs security: Secure Sockets Layer (SSL), Transport Layer
Security (TLS), SOCKS, Secure RPC
APPLICATION LAYER - LAYER 4
• Maps to OSI layers 5-7; each service uses a port to help direct traffic:
• Well known ports – 0-1023
• Registered ports – 1024-49151
• Dynamic ports – 49152- 65535
• Example:
• 21 FTP – Control
• 22 SSH Remote Login Protocol
• 23 Telnet
• 25 Simple Mail Transfer Protocol (SMTP)
• 53 Domain Name System (DNS)
• 80 HTTP
• 389 Lightweight Directory Access Protocol (LDAP)
• 443 HTTPS
TCP/IP
TCP - SOCKETS
TCP Socket states
LISTEN - Waiting for a connection request from a remote TCP application. This is
the state in which you can find the listening socket of a local TCP server.
SYN-SENT - Waiting for an acknowledgment from the remote endpoint after
having sent a connection request. Results after step 1 of the three-way TCP
handshake.
SYN-RECEIVED - This endpoint has received a connection request and sent an
acknowledgment. This endpoint is waiting for final acknowledgment that the other
endpoint did receive this endpoint's acknowledgment of the original connection
request. Results after step 2 of the three-way TCP handshake.
IP ADDRESSES
Class B: The first bit is one, and the second bit is zero.
Class C: The first two bits are both one, and the third bit is zero.
Class D: The first three bits are all one, and the fourth bit is zero.
For performance reasons, networks are usually segmented into broadcast domains
that are smaller than even Class C addresses provide.
SUBNETTING
A subnet is a network that falls within a Class A, B, or C network.
SUBNET MASKS
The router must be told which portion of the host ID should be used for the subnet
network ID.
The IP address bits that represent the network ID are represented by a 1 in the
mask, and those bits that represent the host ID appear as a 0 in the mask. As a
result, a subnet mask always has a consecutive string of ones on the left, followed
by a string of zeros.
This is the mask for 144.28.0.0:
11111111 11111111 11110000 00000000
20 bits are ones, and the remaining 12 bits are zeros.
The complete network ID is 20 bits in length, and the actual host ID portion of the
subnetted address is 12 bits in length.
SUBNET MASKS
This is how you find the network ID from an IP address:
144 . 28 . 16 . 17
IP address: 10010000 00011100 00010000 00010001
Subnet mask: 11111111 11111111 11110000 00000000
Network ID: 10010000 00011100 00010000 00000000
144 . 28 . 16 . 0
The operation is called a logical AND between the IP address and the subnet mask, in
order to extract the network ID: 0 AND 0 = 0, 0 AND 1 = 0, 1 AND 1 = 1.
The subnet mask is 255.255.240.0.
NETWORK PREFIX NOTATION
The network prefix indicates how many bits of an IP address represent the network
ID. The network prefix is written as a slash immediately after the IP
address, followed by the number of network ID bits to use.
The IP address 144.28.16.17 with the subnet mask 255.255.240.0 can be
represented as 144.28.16.17/20 because the subnet mask 255.255.240.0 has
20 network ID bits.
Network prefix notation is also called classless interdomain routing notation
(CIDR, for short) because it provides a way of indicating which portion of an
address is the network ID and which is the host ID without relying on standard
address classes.
IP BLOCK PARTIES
A subnet can be thought of as a range or block of IP addresses that have a
common network ID.
The CIDR 192.168.1.0/28 represents the following block of 14 IP addresses:
192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4
192.168.1.5 192.168.1.6 192.168.1.7 192.168.1.8
192.168.1.9 192.168.1.10 192.168.1.11 192.168.1.12
192.168.1.13 192.168.1.14
IP BLOCK PARTIES
What are the valid IP addresses for 192.168.1.100 when the subnet mask is
255.255.255.240? The first step is to determine the actual network ID. You can do that by
converting both the IP address and the subnet mask to binary and then extracting the network
ID:
192 . 168 . 1. 100
IP address: 11000000 10101000 00000001 01100100
Subnet mask: 11111111 11111111 11111111 11110000
Network ID: 11000000 10101000 00000001 01100000
192 . 168 . 1. 96
You calculate the allowable hosts in the subnet based on the network by subtracting the last
octet of the subnet mask from 254. The number of allowable hosts is 254 - 240 = 14.
The first IP address: add 1 to the network ID: 96+1=97 192.168.1.97
The last IP address: add number of hosts to network ID: 96+14=110 192.168.1.110
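The subnet-mask, CIDR and block calculations above, as an added worked example (this code is not part of the course notes). It performs the octet-by-octet logical AND the notes show, validates that a mask is a contiguous run of ones, converts a mask to prefix notation, and computes the usable host range. Beyond the notes it uses the general count 2^(32 - prefix) - 2 for usable hosts, which gives the same 14 for a /28 as the notes' 254 - 240 and also covers masks whose last octet is 0; the standard library `ipaddress` module is used for the range arithmetic.

```python
import ipaddress


def network_id(ip: str, mask: str) -> str:
    """Logical AND of address and mask, octet by octet: 0 AND 0 = 0, 0 AND 1 = 0, 1 AND 1 = 1."""
    ip_octets = [int(o) for o in ip.split(".")]
    mask_octets = [int(o) for o in mask.split(".")]
    return ".".join(str(a & m) for a, m in zip(ip_octets, mask_octets))


def prefix_length(mask: str) -> int:
    """Number of leading one bits in the mask (the /N of CIDR notation).
    A valid mask is a run of ones followed by a run of zeros; anything else is rejected."""
    bits = "".join(f"{int(o):08b}" for o in mask.split("."))
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def to_cidr(ip: str, mask: str) -> str:
    """144.28.16.17 with mask 255.255.240.0 becomes 144.28.16.17/20."""
    return f"{ip}/{prefix_length(mask)}"


def binary_rows(ip: str, mask: str) -> list:
    """The three-row working from the notes: address, mask and their AND, in binary."""
    def fmt(addr: str) -> str:
        return " ".join(f"{int(o):08b}" for o in addr.split("."))
    return [f"IP address:  {fmt(ip)}",
            f"Subnet mask: {fmt(mask)}",
            f"Network ID:  {fmt(network_id(ip, mask))}"]


def host_range(ip: str, mask: str) -> tuple:
    """(network ID, first host, last host, broadcast, usable host count) of the subnet containing ip.
    Usable hosts = 2**(32 - prefix) - 2: the network ID and the broadcast address are not assignable.
    Prefixes longer than /30 have no such range and are rejected."""
    prefix = prefix_length(mask)
    if prefix > 30:
        raise ValueError(f"/{prefix} leaves no usable host range")
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)   # strict=False keeps the host bits
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return (str(net.network_address), str(first), str(last),
            str(net.broadcast_address), net.num_addresses - 2)


def block_hosts(cidr: str) -> list:
    """Every usable host address in a CIDR block, e.g. the 14 addresses of 192.168.1.0/28."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


if __name__ == "__main__":
    for row in binary_rows("192.168.1.100", "255.255.255.240"):
        print(row)
    print(to_cidr("144.28.16.17", "255.255.240.0"))
    print(host_range("192.168.1.100", "255.255.255.240"))
```

Run it and the printed working matches the notes: network ID 192.168.1.96, first host .97, last host .110, 14 usable hosts; the same call on 144.28.16.17 with 255.255.240.0 reports 4094 usable hosts, a case the 254 - last-octet shortcut cannot express.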
SWITCHES
A switch is a device in a computer network that connects other devices together.
Multiple data cables are plugged into a switch to enable communication
between different networked devices. Switches manage the flow of data across
a network by transmitting a received network packet only to the one or more
devices for which the packet is intended. Each networked device connected to a
switch can be identified by its network address, allowing the switch to direct the
flow of traffic, maximizing the security and efficiency of the network. A network
switch is a multiport network bridge that uses MAC addresses to forward data
at the data link layer (layer 2) of the OSI model. Some switches can also
forward data at the network layer (layer 3) by additionally incorporating
routing functionality.
SWITCHES
Unmanaged switches have no configuration interface or options. They are plug and play. They
are typically the least expensive switches, and therefore often used in a small office/home
office environment.
Managed switches have one or more methods to modify the operation of the switch. Common
management methods include: a command-line interface (CLI) accessed via serial console, telnet
or Secure Shell, an embedded Simple Network Management Protocol (SNMP) agent allowing
management from a remote console or management station, or a web interface for management
from a web browser.
Smart switches are managed switches with a limited set of management features.
Likewise, "web-managed" switches are switches that fall into a market niche between
unmanaged and managed. They provide a web interface and allow configuration of basic
settings, such as VLANs, port-bandwidth and duplex.
Enterprise managed switches have a full set of management features, including CLI,
SNMP agent, and web interface. Enterprise switches have more features that can be customized
or optimized and are generally more expensive than smart switches. Enterprise switches are
typically found in networks with a larger number of connections, where centralized management
is a significant savings in administrative time and effort.
SWITCHES - VLANS
Transitioning from hubs to switched networks was a big improvement. These are
a few benefits: control over collisions, increased throughput, and the additional
features offered by switches.
Extensive flat topologies can create congested broadcast domains and can
involve compromises with security, redundancy, and load balancing.
These issues can be mitigated through the use of virtual local area networks, or
VLANs.
COLLISION DOMAIN
The Ethernet term collision domain refers to a network scenario wherein one
device sends a frame out on a physical network segment forcing every other
device on the same segment to pay attention to it.
BROADCAST DOMAIN
To be able to connect multiple VLANs across multiple switches you have to use a trunk
line. The primary use of a trunk line in a data network is to convey VLAN information.
When a trunk line is installed, a trunking protocol is used to modify the Ethernet frames
as they travel across the trunk line.
SWITCHES - VLANS
By default, all ports are called “access ports.” This describes a port used by a
computer or other end node to “access” the network.
When a port is used to interconnect switches and convey VLAN information, the
operation of the port is changed to a trunk.
On the trunk ports, a trunking protocol is run that allows the VLAN information to
be included in each frame as it travels over the trunk line. For configuration,
there are generally two steps: converting the port to trunk mode and
determining the encapsulation (trunking protocol) to be used.
SWITCHES - SPANNING TREE
The basic problem is that at Layer 2, Ethernet does not have any ability to
remove continuously circulating frames or prevent loops. Unlike IP, which has a
time to live (TTL) field, Ethernet devices such as hubs and switches will simply
continue to forward frames even when a loop is present.
SWITCHES - SPANNING TREE
Spanning tree requires that switches send out frames called bridge protocol data
units (BPDUs) and the information contained within these BPDUs is received and
processed by neighboring switches.
There are three sections to the BPDU: protocol details, fields specific to the
comparison algorithm, and the timer values. The purpose of spanning tree is to eliminate
loops by automatically blocking ports on the network. It figures out which ports to
block through the comparison algorithm. The comparison algorithm uses up to four
fields to make the comparison: root identifier, root path cost, bridge identifier
(transmitting bridge/switch), and the port identifier (transmitting port).
SWITCHES - SPANNING TREE
On a freshly powered-on switch all ports start out in the “blocked” state. Movement between
states is governed by a forwarding delay timer.
Blocked
A port in this state can receive but not transmit BPDUs. It does not transmit or forward data
frames. A port in this state may actually begin forwarding depending on the STP information
received (or not received) from neighboring bridges.
Listening
This is the first transitional state and is entered when spanning tree detects that the port may
have to participate in data frame forwarding. The port will receive and process BPDUs but does
not forward data frames. In this state, ports begin sending BPDUs.
Learning
This state is similar to listening except that the port and switch now understand the topology and
are preparing to forward data frames. The port will continue to receive and process BPDUs.
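The comparison algorithm described above, as an added example (not code from the notes or from any switch vendor). BPDUs are modelled as (root identifier, root path cost, sender bridge identifier, sender port identifier) tuples, so Python's tuple comparison applies the four fields in STP's order, lowest value winning. The topology is constructed: three switches with integer bridge IDs joined in a triangle, all links point-to-point with cost 4. Timers and the blocked/listening/learning transitions are not modelled; the example stops at deciding which port each switch must block to break the loop.

```python
import heapq

# Constructed topology. Bridge IDs are plain integers (a real bridge ID is priority + MAC);
# lower is better. Links are (bridge_a, port_a, bridge_b, port_b, cost), all point-to-point.
BRIDGES = [32769, 32770, 32771]
LINKS = [
    (32769, 1, 32770, 1, 4),   # A port 1 <-> B port 1
    (32769, 2, 32771, 1, 4),   # A port 2 <-> C port 1
    (32770, 2, 32771, 2, 4),   # B port 2 <-> C port 2: this third link closes a loop
]


def bpdu_is_superior(a: tuple, b: tuple) -> bool:
    """Compare BPDUs as (root id, root path cost, sender bridge id, sender port id).
    Tuple comparison checks the fields in that order, which is the STP comparison order."""
    return a < b


def elect_root(bridges) -> int:
    """The root bridge is the one with the lowest bridge identifier."""
    return min(bridges)


def root_path_costs(root: int, links) -> dict:
    """Cheapest total link cost from every bridge to the root (Dijkstra over the link costs)."""
    adj = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    cost_to_root = {root: 0}
    queue = [(0, root)]
    while queue:
        d, u = heapq.heappop(queue)
        if d > cost_to_root[u]:
            continue
        for v, c in adj.get(u, []):
            if d + c < cost_to_root.get(v, float("inf")):
                cost_to_root[v] = d + c
                heapq.heappush(queue, (d + c, v))
    return cost_to_root


def port_roles(bridges, links):
    """Give every port a role: 'designated' (forwards, best BPDU on its segment),
    'root' (forwards, the port on which the best BPDU arrived) or 'blocked'."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, links)
    roles = {}
    best_received = {}   # bridge -> (best BPDU heard, with link cost added; port it arrived on)
    for a, pa, b, pb, cost in links:
        sent_a = (root, rpc[a], a, pa)   # the BPDU a transmits out of port pa
        sent_b = (root, rpc[b], b, pb)
        if bpdu_is_superior(sent_a, sent_b):
            roles[(a, pa)] = "designated"
            receiver, port, received = b, pb, sent_a
        else:
            roles[(b, pb)] = "designated"
            receiver, port, received = a, pa, sent_b
        # the losing end adds the link cost and remembers the best BPDU it has heard so far
        candidate = (received[0], received[1] + cost, received[2], received[3])
        if receiver != root and (receiver not in best_received
                                 or candidate < best_received[receiver][0]):
            best_received[receiver] = (candidate, port)
    for bridge, (_, port) in best_received.items():
        roles[(bridge, port)] = "root"
    for a, pa, b, pb, _ in links:
        roles.setdefault((a, pa), "blocked")   # neither designated nor root: blocked
        roles.setdefault((b, pb), "blocked")
    return root, rpc, roles


def forwarding_links(links, roles) -> list:
    """Links with both ends forwarding; loop-free means exactly len(bridges) - 1 of them."""
    return [l for l in links
            if roles[(l[0], l[1])] != "blocked" and roles[(l[2], l[3])] != "blocked"]


if __name__ == "__main__":
    root, rpc, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root, "root path costs:", rpc)
    for (bridge, port), role in sorted(roles.items()):
        print(f"bridge {bridge} port {port}: {role}")
```

For this topology bridge 32769 wins the root election, both its ports are designated, 32770 beats 32771 on the B-C segment because its bridge ID is lower (both have root path cost 4), and 32771 therefore blocks port 2. Two of the three links forward, so no frame can circulate.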
ARP
(Figure: a client accessing a web server.)
Address resolution can be accomplished in two ways:
Direct Mapping: A formula is used to map the higher-layer address into the
lower layer address. This is the simpler and more efficient technique, but has
some limitations, especially regarding the size of the data link layer address
compared to the network layer address.
Dynamic Resolution: A special protocol is used that allows a device with only an
IP address to determine the corresponding data link layer address, even if they
take completely different forms. This is normally done by interrogating one or
more other devices on a local network to determine what data link layer
address corresponds to a given IP address. This is more complex and less
efficient than direct mapping but is more flexible.
ARP
Address Resolution Through Direct Mapping
Direct mapping chooses a scheme for layer two and layer three addresses so
that you can determine one from the other using a simple algorithm. This
enables you to take the layer three address, and follow a short procedure to
convert it into a layer two address. In essence, whenever you have the layer
three address you already have the layer two address.
As an example, we can set up an IP network on such a LAN by taking a class C
(or /24) network and using the data link layer address as the last octet. So, if our
network were, for example, 198.168.33.0/24, we could assign the device with
address #1 the IP address 198.168.33.1, the device with address #29 would be
198.168.33.29 and so forth.
ARP
Dynamic Address Resolution
Device A needs to send data to Device B but knows only its IP address ("IPB"),
and not its hardware address. A broadcasts a request asking to be sent the
hardware address of the device using the IP address "IPB". B responds back to
A directly with the hardware address.
There is no need for any specific relationship between the network layer
address and the data link layer address; they can have a completely different
structure and size.
ARP
The most important address resolution protocol is the TCP/IP protocol bearing
the same name as the technique itself: the Address Resolution Protocol (ARP).
ARP is a full-featured dynamic resolution protocol used to match IP addresses to
underlying data link layer addresses. Originally developed for Ethernet, it has
now been generalized to allow IP to operate over a wide variety of layer two
technologies.
It works by allowing an IP device to send a broadcast on the local network,
requesting that another device on the same local network respond with its
hardware address.
ARP
This basic operation is supplemented by methods to improve
performance. Since it was known from the start that having to
perform a resolution using broadcast for each datagram was
inefficient, ARP has always used a cache, where it keeps bindings
between IP addresses and data link layer addresses on the local
network. Refinements and additional features, such as support for
cross-resolution by pairs of devices as well as proxy ARP, have also
been defined over the years and added to the basic ARP feature
set.
ARP
ARP Address Specification and General Operation
An Address Resolution Protocol transaction begins when a source device on an IP
network has an IP datagram to send. It must first decide whether the destination
device is on the local network or a distant network. If the destination is local, it
will send directly to the destination; if the destination is distant, it will send the
datagram to one of the routers on the physical network for forwarding. Either
way, it will determine the IP address of the device that needs to be the
immediate destination of its IP datagram on the local network. After packaging
the datagram it will pass it to its ARP software for address resolution.
ARP
General Operation
(Figures: ARP cache output captured on the switch, on the source PC and on the destination.)
ARP
Using the arp Command
The arp command allows you to display and modify the
Address Resolution Protocol (ARP) cache, which is a simple mapping
of IP addresses to MAC addresses. Each time a computer’s TCP/IP
stack uses ARP to determine the Media Access Control (MAC)
address for an IP address, it records the mapping in the ARP cache so
that future ARP lookups go faster.
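The direct mapping scheme, the dynamic resolution with a cache, and the static versus dynamic entries of arp -s and arp -a, as one added example (this is simulation code written for these notes, not an operating system's ARP implementation). The LAN is a constructed dictionary standing in for the devices that would answer a broadcast, and the MAC prefix in direct_map_mac is a made-up locally administered value. The receive_reply method adds the defender's side of the MAC spoofing threat listed for the data link layer: a static entry is never overwritten by a reply, and a dynamic entry whose MAC changes is logged as an alert, which is the event an ARP monitor reports.

```python
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    static: bool = False   # static entries (arp -s) are never relearned and never expire here


def direct_map_mac(ip: str, mac_prefix: str = "02:00:00:00:00") -> str:
    """Direct mapping: derive the link-layer address from the last octet of the IP address,
    as in the notes' /24 example where device #29 is 198.168.33.29. The prefix is constructed."""
    last_octet = int(ip.split(".")[-1])
    return f"{mac_prefix}:{last_octet:02x}"


class ArpCache:
    """One host's ARP cache plus the broadcast resolution it falls back to on a miss."""

    def __init__(self, lan: dict):
        # lan is a constructed stand-in for the other devices on the segment (ip -> mac):
        # in reality the host broadcasts "who has <ip>?" and only the owner replies.
        self.lan = lan
        self.entries = {}
        self.broadcasts = 0
        self.alerts = []

    def add_static(self, ip: str, mac: str) -> None:
        """Equivalent of arp -s: a fixed binding, so no broadcast is ever needed for ip."""
        self.entries[ip] = ArpEntry(mac, static=True)

    def resolve(self, ip: str):
        """Dynamic resolution: answer from the cache if possible, otherwise broadcast and cache the reply."""
        if ip in self.entries:
            return self.entries[ip].mac
        self.broadcasts += 1
        mac = self.lan.get(ip)
        if mac is None:            # nobody answered the request
            return None
        self.entries[ip] = ArpEntry(mac)
        return mac

    def receive_reply(self, ip: str, mac: str) -> str:
        """Handle an ARP reply seen on the wire. A static entry is kept regardless of what the
        reply claims; a dynamic entry that changes MAC is accepted (a plain cache does that)
        but recorded as an alert, since a changing binding is the symptom of MAC spoofing."""
        current = self.entries.get(ip)
        if current is None:
            self.entries[ip] = ArpEntry(mac)
            return "learned"
        if current.mac == mac:
            return "unchanged"
        if current.static:
            self.alerts.append(f"reply for {ip} claims {mac}; static entry keeps {current.mac}")
            return "ignored-static"
        self.alerts.append(f"dynamic entry for {ip} changed from {current.mac} to {mac}")
        current.mac = mac
        return "changed"

    def table(self) -> list:
        """Equivalent of arp -a: (ip, mac, static|dynamic) rows."""
        return sorted((ip, e.mac, "static" if e.static else "dynamic")
                      for ip, e in self.entries.items())


# Constructed LAN: a gateway and one workstation.
LAN = {"192.168.1.1": "aa:bb:cc:00:00:01", "192.168.1.20": "aa:bb:cc:00:00:14"}

if __name__ == "__main__":
    cache = ArpCache(LAN)
    cache.add_static("192.168.1.1", "aa:bb:cc:00:00:01")
    print(cache.resolve("192.168.1.20"), "broadcasts:", cache.broadcasts)
    print(cache.receive_reply("192.168.1.1", "de:ad:be:ef:00:01"))
    for row in cache.table():
        print(row)
    print(cache.alerts)
```

Resolving the same address twice costs one broadcast, not two, which is the caching point the notes make; the static gateway entry costs none. The alert list is what you would feed to monitoring: a changed binding for a dynamic entry is worth a look, and a reply contradicting a static entry is worth an immediate one.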
Threat-focused NGFW
These firewalls include all the capabilities of a traditional NGFW and also provide
advanced threat detection and remediation. With a threat-focused NGFW you can:
• Know which assets are most at risk with complete context awareness
• Quickly react to attacks with intelligent security automation that sets policies
and hardens your defenses dynamically
• Better detect evasive or suspicious activity with network and endpoint event
correlation
• Greatly decrease the time from detection to cleanup with retrospective security
that continuously monitors for suspicious activity and behavior even after initial
inspection
• Ease administration and reduce complexity with unified policies that protect
across the entire attack continuum
TYPES OF FIREWALLS
Stateless or packet filtering firewalls inspect each packet
individually, without considering the trends of the data you're
receiving.
Stateful firewalls do what stateless firewalls do, and they also
consider the connection states of streams of data. A stateful firewall
collects a series of packets before determining their connection
state, and then compares those findings to the firewall rules, rather
than applying the rules to each individual packet of data.
Application firewalls generally do everything that stateful firewalls
do, and they also analyze the actual data content of the packets,
not just the headers.
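The difference between a stateless and a stateful firewall, and the TCP socket states from the sockets section (SYN-SENT after step 1, SYN-RECEIVED after step 2, ESTABLISHED after step 3), as one added example; this is illustration code written for these notes, not a real firewall's rule engine. The protected network, the rule set and the packets are all constructed: 10.0.0.0/8 is "inside", 10.0.0.5 is a published HTTPS server, and the traffic is a workstation browsing out to 203.0.113.10, the server's replies, and an unrelated inbound packet with only ACK set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def is_inside(ip: str) -> bool:
    """Constructed convention for this example: 10.0.0.0/8 is the protected network."""
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> str:
    """Per-packet rules only: header fields are checked, nothing is remembered between packets."""
    if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport in (80, 443):
        return "allow"     # outbound web browsing
    if not is_inside(pkt.src) and pkt.dst == "10.0.0.5" and pkt.dport == 443:
        return "allow"     # inbound to the published web server
    return "deny"


class StatefulFirewall:
    """Keeps a connection table keyed on the initiator's (src, sport, dst, dport) and walks
    each connection through SYN-SENT, SYN-RECEIVED and ESTABLISHED before trusting its traffic."""

    def __init__(self):
        self.table = {}

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            # Unknown connection: only a bare SYN that the rule set permits may open one.
            if pkt.flags == frozenset({"SYN"}) and stateless_filter(pkt) == "allow":
                self.table[fwd] = "SYN-SENT"
                return "allow"
            return "deny"
        state = self.table[key]
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            del self.table[key]      # teardown, simplified: real TCP has several closing states
            return "allow"
        if state == "SYN-SENT" and key == rev and pkt.flags == frozenset({"SYN", "ACK"}):
            self.table[key] = "SYN-RECEIVED"   # step 2 of the handshake, from the responder
            return "allow"
        if state == "SYN-RECEIVED" and key == fwd and "ACK" in pkt.flags:
            self.table[key] = "ESTABLISHED"    # step 3, from the initiator
            return "allow"
        if state == "ESTABLISHED":
            return "allow"           # either direction of a completed handshake
        return "deny"                # flags that do not fit the current state


def run(fw: StatefulFirewall, packets) -> list:
    """Decisions for a packet sequence, in order."""
    return [fw.process(p) for p in packets]


# Constructed traffic: client browses out, server answers, then an unrelated ACK arrives from outside.
SYN = Packet("10.0.0.23", 51234, "203.0.113.10", 80, frozenset({"SYN"}))
SYN_ACK = Packet("203.0.113.10", 80, "10.0.0.23", 51234, frozenset({"SYN", "ACK"}))
ACK = Packet("10.0.0.23", 51234, "203.0.113.10", 80, frozenset({"ACK"}))
DATA_BACK = Packet("203.0.113.10", 80, "10.0.0.23", 51234, frozenset({"ACK"}))
STRAY_ACK = Packet("203.0.113.10", 80, "10.0.0.23", 40000, frozenset({"ACK"}))

if __name__ == "__main__":
    print("stateless:", [stateless_filter(p) for p in (SYN, SYN_ACK, ACK, DATA_BACK, STRAY_ACK)])
    fw = StatefulFirewall()
    print("stateful: ", run(fw, [SYN, SYN_ACK, ACK, DATA_BACK, STRAY_ACK]))
    print(fw.table)
```

The stateless filter denies the server's SYN/ACK and data because their destination port is the client's ephemeral port, not 80 or 443; the only stateless way to admit them would be a rule allowing everything from source port 80, which admits the stray ACK as well. The stateful version admits exactly the replies that belong to a connection the inside opened, and nothing else.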
FIREWALLS
(Figure: TCP header fields.)
TCP packets contain information such as source and destination addresses,
packet sequence information, and payload. That information allows your
network interface to deliver data properly, and a firewall can compare that
information to the rules you configured it with.
UDP packets can be filtered by port, but their headers lack the information that
TCP packets have for more sophisticated filtering.
Firewall rules can be designed to block, allow, or filter specific TCP/IP ports,
block or allow specific IP addresses or address ranges.
INTRUSION DETECTION SYSTEM
An intrusion detection system (IDS) is a device, or software application that
monitors a network or systems for malicious activity or policy violations. Any
intrusion activity or violation is typically reported either to an administrator or
collected centrally using a security information and event management (SIEM)
system. A SIEM system combines outputs from multiple sources and uses alarm
filtering techniques to distinguish malicious activity from false alarms.
When placed at a strategic point or points within a network to monitor traffic to
and from all devices on the network, an IDS will perform an analysis of passing
traffic, and match the traffic that is passed on the subnets to the library of
known attacks. Once an attack is identified, or abnormal behavior is sensed, the
alert can be sent to the administrator.
INTRUSION DETECTION SYSTEM
IDS Detection Types
There is a wide array of IDS, ranging from antivirus software to tiered
monitoring systems that follow the traffic of an entire network. The most common
classifications are:
Network intrusion detection systems (NIDS): A system that analyzes
incoming network traffic.
Host-based intrusion detection systems (HIDS): A system that monitors
important operating system files.
INTRUSION DETECTION SYSTEM
The most common variants are based on signature detection and anomaly detection.
Signature-based: Signature-based IDS detects possible threats by looking for specific
patterns, such as byte sequences in network traffic, or known malicious instruction
sequences used by malware. This terminology originates from antivirus software, which
refers to these detected patterns as signatures. Although signature-based IDS can
easily detect known attacks, it is impossible to detect new attacks, for which no pattern
is available.
Anomaly-based: a newer technology designed to detect and adapt to unknown
attacks, primarily due to the explosion of malware. This detection method uses machine
learning to create a defined model of trustworthy activity, and then compare new
behavior against this trust model. While this approach enables the detection of
previously unknown attacks, it can suffer from false positives: previously unknown
legitimate activity can accidentally be classified as malicious.
INTRUSION DETECTION SYSTEM
Evasion Techniques
Fragmentation: Sending fragmented packets allows the attacker to stay under the radar,
bypassing the detection system's ability to detect the attack signature.
Avoiding defaults: The port used by a protocol does not always indicate which
protocol is being transported. If an attacker has reconfigured it to use a different
port, the IDS may not be able to detect the presence of a trojan.
Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers, or
even allocating various ports or hosts to different attackers. This makes it difficult for the
IDS to correlate the captured packets and deduce that a network scan is in progress.
Address spoofing/proxying: attackers can obscure the source of the attack by using
poorly secured or incorrectly configured proxy servers to bounce an attack. If the source
is spoofed and bounced by a server, it makes it very difficult to detect.
Pattern change evasion: IDS rely on pattern matching to detect attacks. By making slight
adjustments to the attack architecture, detection can be avoided.
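Signature-based and anomaly-based detection, together with the fragmentation evasion and its countermeasure, as one added example written for these notes (not the code of any IDS product). The signatures are two constructed byte patterns of the kind a signature database holds, the request fragments and the access-log lines are constructed, and the anomaly rule is a deliberately simple per-source request-rate baseline. The point of the fragment half is the sensor's fix: matched fragment by fragment, a pattern split across two fragments is missed; reassembled into a stream before matching, it is found.

```python
import re
from collections import Counter, defaultdict

# Constructed toy signatures: byte patterns a signature-based IDS looks for in a request.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"(?i)union\s+select"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}


def signature_scan(payload: bytes) -> list:
    """Signature-based detection: every known pattern present in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def reassemble(fragments) -> dict:
    """Rebuild each stream from (stream_id, offset, data) fragments before matching.
    A gap or overlap is refused rather than guessed at: a sensor that guesses differently
    from the receiving host is another way to be evaded."""
    by_stream = defaultdict(list)
    for stream_id, offset, data in fragments:
        by_stream[stream_id].append((offset, data))
    streams = {}
    for stream_id, parts in by_stream.items():
        buf = bytearray()
        for offset, data in sorted(parts):
            if offset != len(buf):
                raise ValueError(f"stream {stream_id}: fragment at offset {offset}, "
                                 f"but only {len(buf)} bytes assembled")
            buf += data
        streams[stream_id] = bytes(buf)
    return streams


def scan_per_fragment(fragments) -> set:
    """What a sensor reports when it matches each fragment on its own."""
    return {name for _, _, data in fragments for name in signature_scan(data)}


def scan_reassembled(fragments) -> set:
    """The countermeasure to the fragmentation evasion: reassemble first, then match."""
    return {name for payload in reassemble(fragments).values() for name in signature_scan(payload)}


# Anomaly detection over access-log lines of the form "<timestamp> <source ip> <method> <path>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<path>\S+)$")


def requests_per_source(lines) -> Counter:
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m["src"]] += 1
    return counts


def anomaly_scan(baseline_lines, observed_lines, factor: int = 3) -> dict:
    """Sources whose request count in the observed window exceeds `factor` times the busiest
    source in the baseline. A legitimately busy new host trips this rule as well: that is the
    false positive the notes warn about, and why the baseline has to be chosen with care."""
    threshold = factor * max(requests_per_source(baseline_lines).values(), default=1)
    return {src: n for src, n in requests_per_source(observed_lines).items() if n > threshold}


# Constructed sample data. In stream s1 the pattern is split across the fragment boundary.
FRAGMENTS = [
    ("s1", 0, b"GET /search?q=1 UNI"),
    ("s1", 19, b"ON SELECT password FROM users HTTP/1.1"),
    ("s2", 0, b"GET /static/app.js HTTP/1.1"),
]
BASELINE_LOG = ([f"2024-05-01T09:00:{i:02d} 10.0.0.5 GET /index.html" for i in range(3)]
                + [f"2024-05-01T09:01:{i:02d} 10.0.0.6 GET /about.html" for i in range(2)])
OBSERVED_LOG = ([f"2024-05-01T10:00:{i:02d} 10.0.0.5 GET /index.html" for i in range(2)]
                + [f"2024-05-01T10:00:{i:02d} 10.0.0.9 GET /page{i}.html" for i in range(12)])

if __name__ == "__main__":
    print("per fragment:", scan_per_fragment(FRAGMENTS))
    print("reassembled: ", scan_reassembled(FRAGMENTS))
    print("anomalies:   ", anomaly_scan(BASELINE_LOG, OBSERVED_LOG))
```

With the sample data the per-fragment scan reports nothing, the reassembled scan reports the union-select signature on stream s1 and nothing on s2, and the anomaly scan flags 10.0.0.9 (12 requests against a baseline maximum of 3) while leaving 10.0.0.5 alone.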
INTRUSION PREVENTION SYSTEM
An intrusion prevention system (IPS) is an automated network security device
used to monitor and respond to potential threats. Like an intrusion detection
system (IDS), an IPS determines possible threats by examining network traffic.
Because an exploit may be carried out very quickly after an attacker gains
access, intrusion prevention systems administer an automated response to a
threat, based on rules established by the network administrator.
The main functions of an IPS are to identify suspicious activity, log relevant
information, attempt to block the activity, and finally to report it.
INTRUSION PREVENTION SYSTEM
IPS’s include firewalls, anti-virus software, and anti-spoofing software. In
addition, organizations will use an IPS for other purposes, such as identifying
problems with security policies, documenting existing threats and deterring
individuals from violating security policies. IPS have become an important
component of all major security infrastructures in modern organizations.
An intrusion prevention system works by actively scanning forwarded network
traffic for malicious activities and known attack patterns. The IPS engine
analyzes network traffic and continuously compares the bitstream with its
internal signature database for known attack patterns. An IPS might drop a
packet determined to be malicious, and follow up this action by blocking all
future traffic from the attacker’s IP address or port. Legitimate traffic can
continue without any perceived disruption in service.
INTRUSION PREVENTION SYSTEM
Intrusion prevention systems can also perform more complicated observation and
analysis, such as watching and reacting to suspicious traffic patterns or packets.
Detection mechanisms can include:
• Address matching
• HTTP string and substring matching
• Generic pattern matching
• TCP connection analysis
• Packet anomaly detection
• Traffic anomaly detection
• TCP/UDP port matching
INTRUSION PREVENTION SYSTEM
Intrusion Countermeasures
Many IPS can also respond to a detected threat by actively preventing it from
succeeding. They use several response techniques, which involve:
• Changing the security environment – for example, by configuring a firewall to
increase protections against previously unknown vulnerabilities.
• Changing the attack's content – for example, by replacing otherwise malicious
parts of an email, like false links, with warnings about the deleted content.
• Sending automated alarms to system administrators, notifying them of possible
security breaches.
• Dropping detected malicious packets.
• Resetting a connection.
• Blocking traffic from the offending IP address.
INTRUSION PREVENTION SYSTEM
IPS Classifications
Intrusion prevention systems can be organized into four major types:
• Network-based intrusion prevention system (NIPS): Analyzes protocol activity across the
entire network, looking for any untrustworthy traffic.
• Wireless intrusion prevention system (WIPS): Analyzes network protocol activity across
the entire wireless network, looking for any untrustworthy traffic.
• Host-based intrusion prevention system (HIPS): A secondary software package that
follows a single host for malicious activity, and analyzes events occurring within said
host.
• Network behavior analysis (NBA): Examines network traffic to identify threats that
generate strange traffic flows. The most common threats are distributed denial of
service attacks, various forms of malware, and policy abuses.
INTRUSION PREVENTION SYSTEM
IPS Detection Methods
Most intrusion prevention systems use one of three detection methods: signature-based,
statistical anomaly-based, and stateful protocol analysis.
Signature-based detection: A signature-based IDS monitors packets in the network and
compares them with predetermined attack patterns, known as “signatures”.
Statistical anomaly-based detection: An anomaly-based IDS monitors network
traffic and compares it to expected traffic patterns. The baseline identifies what is
"normal" for that network – what sort of packets generally travel through the network and
what protocols are used. It may, however, raise a false positive alarm for legitimate use
of bandwidth if the baselines are not intelligently configured.
Stateful protocol analysis detection: This method identifies protocol deviations by
comparing observed events with pre-determined profiles of normal activity.
NETWORK PERIMETER
A network perimeter is the secured boundary between the private and locally
managed side of a network, often a company’s intranet, and the public facing side of
a network, often the Internet.
For most modern businesses, there is no single defensible boundary between a
company’s internal assets and the outside world.
Internal users are not simply connecting from inside an organization’s building, network,
or inner circle. They are connecting from external networks and using mobile devices to
access internal resources.
Data and applications are no longer housed on servers that businesses physically own,
maintain, and protect. Data warehouses, cloud computing, and software as a service
present immediate access and security challenges for both internal and external users.
Web services have opened a wide door to interactions outside of normal trust
boundaries. To serve multiple clients, or simply to communicate with other services, both
internal and external, insecure interactions on external platforms occur all the time.
NETWORK PERIMETER
A network perimeter includes:
Border Routers: Routers serve as the traffic signs of networks. They direct traffic into, out of, and
throughout networks. The border router is the final router under the control of an organization
before traffic appears on an untrusted network, such as the Internet.
Firewalls: A firewall is a device that has a set of rules specifying what traffic it will allow or
deny to pass through it. A firewall typically picks up where the border router leaves off and
makes a much more thorough pass at filtering traffic.
Intrusion Detection System (IDS): This functions as an alarm system for your network that is used
to detect and alert on suspicious activity. This system can be built from a single device or a
collection of sensors placed at strategic points in a network.
Intrusion Prevention System (IPS): Compared to a traditional IDS which simply notifies
administrators of possible threats, an IPS can attempt to automatically defend the target without
the administrator's direct intervention.
De-Militarized Zones / Screened Subnets: DMZ and screened subnet refer to small networks
containing public services connected directly to and offered protection by the firewall or other
filtering device.
NETWORK PERIMETER
Network Perimeter Guidelines
• Strong authentication to allow controlled access to information assets. Two
factor authentication acts as an extra layer of security for logins, ensuring that
attempted intrusions are halted before any damage is done.
• Hardening of mobile and IoT devices that connect to the network. Access
control policies define high-level requirements that determine who may access
information, and under what circumstances that information can be accessed.
• Embedded security services inside devices and applications. Embedded
security solutions can help protect devices ranging from ATMs to automated
manufacturing systems. Features including application whitelisting, antivirus protection,
and encryption can be embedded to help protect otherwise exposed IoT devices.
• Collecting security intelligence directly from applications and their hosts.
Maintaining an open communication line with cloud service providers like AWS can
greatly increase security protections.
DMZ NETWORK
URL filtering limits access to specific URLs by comparing addresses of sites that
users are attempting to visit against a database of either permitted or blocked
sites. The purpose of URL filtering is to prevent employees from accessing sites
that may interfere with the operation of the business – such as sites not related
to work, sites with objectionable or illegal content, or sites associated with
phishing attempts.
While unrestricted web access is useful for employees and can make them more
productive, it can also expose organizations to a wide range of security risks,
such as propagation of threats, data loss or seizure, or legal issues.
URL FILTERING
URL filtering matches all web traffic against a defined database, and then permits or
denies access to a site based on whether it is found in the database. A URL filtering
database will assign catalogued websites a URL category, or group.
It will also define the conditions of access to that URL. For example, an address could
be:
• Blocked: defined on a site-by-site basis. This can apply to distracting sites, like social media or local news, or to sites known to host various forms of malware.
• Allowed: SaaS websites relevant to the organization and its workflow.
• Attached to defined IT policies: visits to a particular website could be logged and organized, so that IT can see who visits certain sites, and at what time.
• Blocked or allowed URL categories: actions determined not on a site-by-site basis but by the category encompassing multiple sites. This could include categories for malware or phishing sites, innocent but distracting sites, or questionable sites.
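The decision logic described above, as an added example that is not part of the original slides: the site list, category table and category policy are constructed sample data standing in for a vendor database, and the precedence (explicit per-site rule, then category rule, then the default) is an assumption the slides do not spell out.

```shell
#!/bin/sh
# Added example (not from the original slides): a URL filtering decision function.
# The site list, category table and category policy below are constructed sample
# data; a real filter consults a vendor-maintained URL database.
# Precedence assumed here: explicit per-site rule, then category rule, then default.

# Per-site rules (site-by-site block/allow), one "host action" pair per line
SITE_RULES='
www.saas-example.com allow
news.example.net block
'
# Catalogued sites and their URL category
CATEGORIES='
www.saas-example.com business
news.example.net news
blog.example.net news
social.example.org social_media
login.phish-example.com phishing
'
# Policy per category: block, allow, or log (allow but record the visit for IT)
CATEGORY_RULES='
social_media block
phishing block
news log
business allow
'
DEFAULT_ACTION=allow   # applied to uncatalogued sites

# lookup TABLE KEY: print the second column of the first matching row, or nothing
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# url_host URL: extract the lowercase host, dropping scheme, userinfo, port and path
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# url_decision URL: print "action:reason", e.g. block:phishing or allow:site
url_decision() {
    host=$(url_host "$1")
    action=$(lookup "$SITE_RULES" "$host")
    if [ -n "$action" ]; then printf '%s:site\n' "$action"; return 0; fi
    category=$(lookup "$CATEGORIES" "$host")
    if [ -n "$category" ]; then
        action=$(lookup "$CATEGORY_RULES" "$category")
        if [ -n "$action" ]; then printf '%s:%s\n' "$action" "$category"; return 0; fi
    fi
    printf '%s:default\n' "$DEFAULT_ACTION"
}
```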
• -F, --flush [chain]: Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
• -Z, --zero [chain]: Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared.
• -N, --new-chain chain: Create a new user-defined chain by the given name. There must be no target of that name already.
FIREWALLS
Drop - Drop the connection, act like it never happened. This is best if you don’t
want the source to realize your system exists.
Reject - Don’t allow the connection, but send back an error. This is best if you
don’t want a particular source to connect to your system, but you want them to
know that your firewall blocked them.
To check the status of iptables:
Block an IP:
FIREWALLS
Clear an IP:
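The three operations just listed (check status, block an IP, clear an IP), as an added example that is not part of the original slides: the helper names, the IPT variable and the address validation are assumptions of this example, and the block is inserted at position 1 because iptables stops at the first matching rule in a chain.

```shell
#!/bin/sh
# Added example (not from the original slides): helpers for checking iptables
# status, blocking an IP and clearing that block again.
# IPT names the command to run; set IPT=echo to print the commands without root.
: "${IPT:=iptables}"

# valid_ipv4 ADDR[/PREFIX]: accept only a dotted quad with an optional /0-32
# prefix, so nothing unexpected is ever passed on the iptables command line
valid_ipv4() {
    case "$1" in ''|*/) return 1 ;; esac
    addr=${1%%/*}
    prefix=${1#"$addr"}; prefix=${prefix#/}
    [ -n "$prefix" ] || prefix=32
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    rest=$addr; n=0
    while :; do                      # walk the octets without touching IFS
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        if [ "$rest" = "$octet" ]; then break; fi
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# fw_status: list the INPUT chain with packet counters and rule numbers
fw_status() {
    "$IPT" -L INPUT -n -v --line-numbers
}

# fw_block_ip ADDR: insert the DROP at position 1 so it is evaluated before any
# ACCEPT rule appended earlier; the first matching rule in a chain wins
fw_block_ip() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    "$IPT" -I INPUT 1 -s "$1" -j DROP
}

# fw_unblock_ip ADDR: delete the matching DROP rule again
fw_unblock_ip() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    "$IPT" -D INPUT -s "$1" -j DROP
}
```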
To improve the security of your machine using iptables follow the rules:
# 1. Delete all existing rules
iptables -F
# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Block a specific ip-address
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
# 4. Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 5. Allow incoming SSH only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 6. Allow incoming HTTP – if you run a web server
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# 7. Allow incoming HTTPS – if you run a web server
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS) – if required
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 9. Allow outgoing SSH only to a specific network
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# 15. Allow packets from internal network to reach external network – router like
#     if eth1 is connected to external network (internet)
#     if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# 16. Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# 17. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
# 18. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
# 19. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# 20. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
Force SYN Packet Check (throttle sources opening too many new TCP connections with the recent module):
# Rules are evaluated in order and the first match wins, so appended here these two
# rules only see new TCP connections that none of the ACCEPT rules above matched.
# Insert them ahead of the port-specific ACCEPT rules (or add --dport) if they are
# meant to throttle those services.
iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
# Record the source address without a target: ending this rule with -j ACCEPT would
# accept every new TCP connection to any port and bypass the DROP policy set above.
iptables -A INPUT -p tcp -m state --state NEW -m recent --set
Don’t forget to save!