Networking Basics - Security Team Cross-Training


Information Security Team

Cross-training Session - Networking Essentials

By: Irving Griffith


Date: 10/2/23
Objectives

• Networking Concepts
• OSI model & attacks at the different layers
• Packet Delivery host to host
• RFC 1918
• Planning and design examples
• Data Flow Scenarios
Networking Concept
Describe your understanding of the following:
• Bridge vs. Switch
• VLAN
• VTP
• Trunk
• Routed Protocols
• Routing protocols
• NAT
• Classful vs. Classless route
OSI model
Physical Layer Threats and Countermeasures

What do you think are some Threats and counter measures?


Data Link Layer Threats and Countermeasures
Key threats at this layer involve the following:
• MAC address spoofing or cloning (to redirect traffic)
• MAC flooding (sending large numbers of Ethernet frames with bogus MAC source address values)
• VLAN hopping (also called 802.1Q attacks)
• Broadcast storms (similar to MAC flooding but attempting to overload the network segment)
• Reconnaissance probes can use MAC sniffing (to capture copies of frames as they go by)
As with attacks at Layer 1, these techniques can be used to build a fingerprint of the target network segment and
the machines on it, to disrupt or degrade its operation (as a denial-of-service attack), or to gain access to higher
layers or other resources on the network. A Layer 2 MITM attack, if successful, paves the way for intercepting all
traffic between the two targeted devices.
Any or all of this can also further the attacker’s needs to establish persistent command and control capabilities
within their targets’ systems.

Countering these threats requires attention to details:

• Ensure proper NIC configuration
• Proper VLAN configuration
• Service monitoring (ARP, DHCP)
• Layer 2 intrusion detection / prevention
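The "service monitoring (ARP)" and "Layer 2 intrusion detection" bullets can be made concrete with two simple detectors. This is an added example, not part of the original slides: it runs over a constructed list of frame observations (time, switch port, source MAC, ARP sender IP) and flags an IP claimed by more than one MAC (ARP spoofing) and a port that suddenly carries far more source MACs than an access port should (MAC flooding). The port names, MACs and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed Layer 2 observations (not from the original slides), as a switch span
# or a sensor might report them: (time_s, switch_port, src_mac, arp_sender_ip).
# arp_sender_ip is None for frames that are not ARP replies.
SAMPLE_FRAMES = [
    (0.0, "Gi0/1", "aa:bb:cc:00:00:01", "10.10.20.1"),   # the real default gateway
    (0.5, "Gi0/2", "aa:bb:cc:00:00:02", "10.10.20.15"),
    (1.0, "Gi0/3", "aa:bb:cc:00:00:03", "10.10.20.1"),   # a second MAC claims the gateway IP
    (1.2, "Gi0/3", "aa:bb:cc:00:00:03", "10.10.20.1"),
]
# Constructed flood: 300 frames with bogus source MACs arriving on one port within 0.3 s
SAMPLE_FRAMES += [(2.0 + i / 1000, "Gi0/7", f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}", None)
                  for i in range(300)]

def detect_arp_conflicts(frames):
    """Map each IP claimed by more than one source MAC to the sorted list of claimants
    (an IP-to-MAC change for the gateway is the classic ARP spoofing signature)."""
    claims = defaultdict(set)
    for _, _, mac, ip in frames:
        if ip is not None:
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def detect_mac_flooding(frames, max_macs=50, window_s=10.0):
    """Map each port whose distinct source MACs within any `window_s` sliding window exceed
    `max_macs` to the peak count seen; an access port normally carries a handful of MACs."""
    by_port = defaultdict(list)
    for ts, port, mac, _ in frames:
        by_port[port].append((ts, mac))
    flagged = {}
    for port, events in by_port.items():
        events.sort()
        in_window, start = Counter(), 0
        for ts, mac in events:
            in_window[mac] += 1
            while events[start][0] < ts - window_s:      # expire frames older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_macs:
                flagged[port] = max(flagged.get(port, 0), len(in_window))
    return flagged

if __name__ == "__main__":
    print("ARP conflicts:", detect_arp_conflicts(SAMPLE_FRAMES))
    print("MAC flooding:", detect_mac_flooding(SAMPLE_FRAMES))
```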
Network Layer threats and Countermeasures
Threats at Layer 3 can exploit protocol or network vulnerabilities by means of:
• Routing (RIP) attacks
• ICMP attacks
• Ping flooding
• Smurf attacks (using multiple attack platforms to attempt to overwhelm the target with echo requests)
• IP address spoofing
• Packet sniffing
Such attacks can seek to disrupt the organization via denial of services, or to further support an
attacker’s objectives by gaining access to higher layer functions or resources. Any of these might
also provide insight necessary to an attacker to establish a persistent foothold in the target’s
networks and systems, as a prelude to further attack operations. Savvy attackers are constantly
collecting information that can help them establish these command and control capabilities
when they wish to.

Countermeasures at Layer 3 can include the following:

• Securing ICMP
• Proper router configuration
• Better packet filtering and inspection (NGFW, perhaps)
• Use router access control lists (ACLs) more effectively
• Proper VLAN configuration
• Layer 2 intrusion detection/prevention
• Move toward zero trust architecture
• Microsegmentation of LAN
Transport Layer Threats and Countermeasures
Attacks on the Transport Layer of the Open Systems Interconnection (OSI) model (Layer 4) seek to
manipulate, disclose, or prevent delivery of the payload. This can, for instance, happen by reading the
payload (as would happen in a sniffer attack) or changing it (which could happen in a man-in-the-
middle attack). While disruptions of service can be executed at other layers as well, the Transport
Layer has become a common attack ground via ICMP.

Threats at this layer can include:

• Routing protocol attacks (such as against RIP)
• ICMP attacks, such as ping floods
• Network Time Protocol (NTP) desynchronization attempts
• Fraggle (UDP broadcast flood)
• TCP sequence prediction
• IP address spoofing, packet sniffing, and port scanning

Countermeasures should include:

• TCP intercept and filtering
• DoS prevention services
• Using allowed and blocked lists for IP addresses, URLs, and URIs
• More complete, properly configured use of TLS
• Secure versions of all protocols for file transfer and shell program access (e.g., SFTP instead of File Transfer Protocol (FTP), SSH instead of Telnet)
• Fingerprint scrubbing
Session Layer Threat and Countermeasures
Attacks against Session Layer activities are on the increase, as attackers seek to find additional
paths across their target’s threat surfaces. These include but are not limited to:
• Session hijack, man-in-the-middle (MITM)
• ARP, DNS, and poisoning of local hosts files
• SSH downgrade attempt
• Man-in-the-Browser (MITB): Trojans in browser helpers, add-ons or other software
Attacks at Layer 5 continue to facilitate an overall attack strategy that makes use of
eavesdropping and reconnaissance to identify resources worthy of further hostile action. Denial
of Service, along with attacks that attempt session or transaction replay, can enable an attacker
to corrupt data en route or otherwise make use of information they discover.

Countermeasures at the Session Layer include:

• Replace weak password authentication protocols
• Migrate to strong identity management and access control
• Use PKI
• Verify DNS is correctly configured
• Active monitoring and alarming of the Session Layer
• More robust IDS, IPS (and SIEM alarms)
Presentation Layer Threats and Countermeasures
Attacks at this layer primarily are focused on causing a data breach or compromise of the integrity or value of
an organization’s information. Attacks can also seek to gain access to other systems and resources, or to
facilitate their ongoing attacks. Network Basic Input Output Systems (NetBIOS), Server Message Blocks (SMB),
and SSL have been favorite targets of attackers.
Many data breach attacks use the inherent capabilities of the target system to encrypt data for exfiltration,
which could be by using a Layer 6 service. Deep packet inspection and effective end user behavioral
modeling could reveal that a connection that normally does not send much encrypted data has started to do
so.
Other notable threats include exploiting vulnerabilities in cross-layer protocols, injecting SQL queries,
attempts to downgrade session encryption to a lower, more easily broken type, and path traversal attacks.
Cross-site scripting attacks can also take place in this layer.

Countermeasures might include:

• Replace/upgrade apps using weak authentication or protection
• Deep inspection of application traffic for:
  o Signs of attack
  o Policy violations
• Migrate to more secure application protection:
  o Web Application Firewall (WAF)
  o Application Delivery Platform (ADP)
• Migrate to zero trust architecture
Application Layer Threats and Countermeasures
The Application Layer enables the transport of mobile code and executable content, which brings great
power and flexibility but also great risk. The Application Layer demonstrates that the systems we build and
use are complex; the ways in which we use them are even more complex. The more complex a system
becomes, the greater the likelihood that its inherent vulnerabilities in design, construction, and use can be
discovered and exploited by a hostile party.
Threats at this level include:
• SQL injection
• Encryption downgrade attempts
• Rogue DHCP service, DNS poisoning, Lightweight Directory Access Protocol (LDAP) injection, or other attacks on address and name resolution services
• Simple Network Management Protocol (SNMP) abuse
• HTTP floods, DDoS, parameter tampering, or malformed input attacks on applications and web pages
• Cross-site scripting attacks, session hijacks, malware (including drive-by malware attacks)

Countermeasures should include at a minimum:

• Monitor and block access to suspicious or hazardous sites
• Block known or suspected bots
• Implement stronger access control (multifactor)
• Perform deep inspection of application traffic
• Migrate to more secure application protection:
  o Web Application Firewall (WAF)
  o Application Delivery Platform (ADP)
• Migrate to zero trust architecture
• Strengthen end users’ security skills and attitudes
Host to Host Communication
How does it Work?
Planning and Design Exercise

Application VLAN – (4 servers so far)

User VLAN – (small business; management does not expect head count to grow beyond 64)

WAN VLAN – link to reach the external network

Describe traffic flow via the depicted architecture.

Will the VLANs communicate with each other with this architecture? Why or why not?
Where will the gateway IP be applied?
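The exercise above (RFC 1918 addressing, one subnet per VLAN, a gateway for each) can be worked through in code. This is an added example, not part of the original slides: it carves aligned subnets for the three VLANs out of an assumed private base block, sizes each one for the stated head count plus its gateway, and answers the inter-VLAN question the way the addressing does, since hosts in different subnets can only reach each other through the Layer 3 device (router or switch SVI) that holds each VLAN's gateway IP. The base block 10.10.0.0/16 and the WAN link peer count are assumptions.

```python
import ipaddress

# Private address blocks from RFC 1918
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    """True if the whole network lies inside one of the RFC 1918 private blocks."""
    return any(net.subnet_of(block) for block in RFC1918)

def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix whose usable addresses (2^(32-p) - 2) cover `hosts` endpoints
    plus one gateway. Note the trap: 64 users need a /25, because a /26 has only 62 usable."""
    needed = hosts + 1
    p = 30
    while 2 ** (32 - p) - 2 < needed:
        p -= 1
    return p

def plan_vlans(base, requirements):
    """Carve one subnet per (vlan_name, host_count) out of `base`, each aligned to its own
    boundary; the gateway is the first usable address (the router/SVI interface for that VLAN)."""
    base = ipaddress.ip_network(base)
    if not is_rfc1918(base):
        raise ValueError(f"{base} is not RFC 1918 private space")
    plan, cursor = {}, int(base.network_address)
    for name, hosts in requirements:
        p = prefix_for_hosts(hosts)
        size = 2 ** (32 - p)
        cursor += (-cursor) % size                      # align to the subnet boundary
        net = ipaddress.ip_network((cursor, p))
        if not net.subnet_of(base):
            raise ValueError(f"{base} is too small to hold VLAN {name}")
        plan[name] = {"subnet": str(net),
                      "gateway": str(net.network_address + 1),
                      "usable_hosts": net.num_addresses - 2}
        cursor = int(net.broadcast_address) + 1
    return plan

def can_talk_without_router(plan, a, b):
    """Hosts exchange frames directly only inside one subnet/VLAN; separate subnets need a Layer 3 hop."""
    return ipaddress.ip_network(plan[a]["subnet"]) == ipaddress.ip_network(plan[b]["subnet"])

if __name__ == "__main__":
    # Constructed requirements mirroring the exercise: 4 app servers, up to 64 users, one WAN uplink peer
    p = plan_vlans("10.10.0.0/16", [("application", 4), ("user", 64), ("wan", 1)])
    for name, info in p.items():
        print(f"{name:12s} {info['subnet']:18s} gw {info['gateway']:14s} usable {info['usable_hosts']}")
    print("user <-> application without a router:", can_talk_without_router(p, "user", "application"))
```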
Architecture Designs
Firewall
Thank you!
