4.3 Given a scenario, apply network hardening techniques
- Best Practices
- Secure SNMP
- Router Advertisement (RA) Guard
- Port Security
- Dynamic ARP Inspection
- Control Plane Policing
- Private VLANs
- Disable Unneeded Switchports
- Disable Unneeded Network Services
- Change Default Passwords
- Password Complexity/Length
- Enable DHCP Snooping
- Change Default VLAN
- Patch and Firmware Management
- Access Control List
- Role-Based Access
- Firewall Rules
- Explicit Deny
- Implicit Deny
- Wireless Security
- MAC Filtering
- Antenna Placement
- Power Levels
- Wireless Client Isolation
- Guest Network Isolation
- Preshared Keys (PSKs)
- EAP
- Geofencing
- Captive Portal
- IoT Access Considerations
Now that we’ve described some of the bad things out there, how can we keep them from getting into our network? We will talk about physical security later, but let’s first look at some software configuration:
- Use the most secure version of the protocol that is available. For example, use secure SNMP instead of normal SNMP; use secure FTP instead of regular FTP, etc.
- Use Router Advertisement (RA) Guard. Remember that when we connect a bunch of routers together, they start communicating and figure out who each other’s neighbors are? That way, we can build a network with multiple routers regardless of the make or model.
The problem is that a malicious user could:
  - send out rogue router advertisement messages to our legitimate router, which would confuse our routers and disrupt our network
  - install a rogue router that listens to the router advertisement guard messages
Thus, we can configure a guard on the router that filters the messages based on their source IP address, source MAC address, and other factors.
- Use Port Security. Remember that a switch remembers the MAC address of every device that is connected to each port? We can force the switch to block traffic from devices with MAC addresses that it doesn’t recognize. Some ideas:
  - We can force the switch to accept traffic from only one MAC address per port. This makes sense if a security camera, wireless access point, or other fixed device is connected to that port.
  - We can limit the number of unique MAC addresses per port to a specific quantity. For example, we might allow up to five unique MAC addresses on a port that is used by multiple people. We can set a timer so that if the switch doesn’t see traffic from a unique MAC address for some time, then that MAC address stops counting towards the total.
  - We can decide whether the switch shuts down the port (blocks all traffic) after detecting a violation, or whether it just logs the issue.
  - We can configure the setting and response on a port-by-port basis.
  - The specific way that this setting is configured depends on the make and model of the switch.
- Enable DHCP Snooping. Remember that a hacker could install a rogue DHCP server on our network and give out invalid IP addresses or force devices to forward their external traffic to the wrong gateway?
That is because when a device requires an IP address, it sends out a DHCP message. If the rogue DHCP server responds with IP address information prior to the legitimate DHCP server, then the device will be compromised.
What we do is tell the switch which port is connected to the legitimate DHCP server. This is known as a trusted port. All the other ports are untrusted. The switch will assume that any DHCP Offer messages entering an untrusted port have originated from a rogue DHCP server, and it will not forward them.
On an untrusted port, the switch will accept DHCP messages from clients. These messages include the DHCP Discover message. Thus anybody can ask for an IP address, but only the legitimate DHCP server can reply.
The switch creates a table called the DHCP Snooping Binding Table. Each time a client accepts a DHCP Offer, the switch creates an entry in that table. It records the MAC address of the client and the IP address that was assigned to it. It also records the VLAN and interface that the client is connected to.
Say your computer’s IP address is 10.5.5.5, and I’m a hacker. I want to kick you off the network, so I send the DHCP server a release message saying, “release IP address 10.5.5.5”. The DHCP server will normally release the IP address and try to assign it to somebody else, which will disrupt your network connection.
DHCP snooping can protect against this kind of attack as well. When the switch sees a new DHCP Release message, it checks that message’s sender’s MAC address against the table. It will see that the request to release 10.5.5.5 came from my MAC address instead of yours. It knows that the message isn’t valid and doesn’t let it through.
A hacker might try to lease many hundreds or thousands of DHCP addresses so that nobody else can get any. The switch can protect against this as well. If a client sends a Discover or Request DHCP message, the switch checks its MAC address (the MAC address inside the Ethernet header) against the MAC address inside the actual message. Remember that a DHCP message is something like “hey, my MAC address is aa:bb:cc:dd:ee:ff, can I please have an IP address”. This message is encapsulated inside an IP packet which is encapsulated inside an Ethernet frame. If the MAC address sending the message is different from the MAC address inside the message, then the switch knows something is wrong, and doesn’t let it through.
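The filtering logic described above, written out as an added Python simulation (not from the original text): a switch with one trusted port, a binding table learned from the legitimate server’s ACKs, and the three checks the text describes (server messages on untrusted ports, RELEASE against the binding table, Ethernet source MAC against the DHCP chaddr). Port names, MAC and IP addresses are constructed.

```python
"""Simulated DHCP snooping on an access switch.

Added example, not from the original text. Port names, MAC and IP addresses
and the frames below are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK"}  # only a DHCP server legitimately sends these

@dataclass(frozen=True)
class Frame:
    port: str      # switchport the frame arrived on
    vlan: int
    eth_src: str   # source MAC in the Ethernet header
    msg_type: str  # DISCOVER, OFFER, REQUEST, ACK or RELEASE
    chaddr: str    # client hardware address inside the DHCP message
    ip: str = ""   # yiaddr on OFFER/ACK, ciaddr on RELEASE

@dataclass
class SnoopingSwitch:
    trusted_ports: Set[str]
    pending: Dict[str, Tuple[int, str]] = field(default_factory=dict)  # chaddr -> (vlan, port)
    bindings: Dict[Tuple[str, str], Tuple[int, str]] = field(default_factory=dict)  # (mac, ip) -> (vlan, port)
    dropped: List[str] = field(default_factory=list)

    def drop(self, f: Frame, reason: str) -> bool:
        self.dropped.append(f"{f.port} {f.msg_type} from {f.eth_src}: {reason}")
        return False

    def process(self, f: Frame) -> bool:
        """Return True if the frame is forwarded, False if the switch drops it."""
        if f.port in self.trusted_ports:
            client = self.pending.get(f.chaddr)
            if f.msg_type == "ACK" and client is not None:
                # The legitimate server confirmed the lease the client accepted:
                # record MAC, IP, VLAN and interface in the binding table.
                self.bindings[(f.chaddr, f.ip)] = client
            return True
        # Untrusted port: only client-originated messages are acceptable here.
        if f.msg_type in SERVER_MESSAGES:
            return self.drop(f, "server message on untrusted port")
        if f.eth_src != f.chaddr:
            return self.drop(f, "Ethernet source MAC differs from DHCP chaddr")
        if f.msg_type == "RELEASE" and self.bindings.get((f.chaddr, f.ip)) != (f.vlan, f.port):
            return self.drop(f, "RELEASE does not match the binding table")
        if f.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[f.chaddr] = (f.vlan, f.port)  # remember which port the client is on
        return True

def demo() -> Dict[str, bool]:
    """Replay the scenarios from the text; True means the frame was forwarded."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    server, you, me = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:99"
    return {
        "your discover": sw.process(Frame("Gi0/5", 10, you, "DISCOVER", you)),
        "legit offer": sw.process(Frame("Gi0/1", 10, server, "OFFER", you, "10.5.5.5")),
        "rogue offer": sw.process(Frame("Gi0/7", 10, me, "OFFER", you, "10.5.5.66")),
        "legit ack": sw.process(Frame("Gi0/1", 10, server, "ACK", you, "10.5.5.5")),
        "release from my MAC": sw.process(Frame("Gi0/7", 10, me, "RELEASE", me, "10.5.5.5")),
        "release with your chaddr": sw.process(Frame("Gi0/7", 10, me, "RELEASE", you, "10.5.5.5")),
        "starvation discover": sw.process(Frame("Gi0/7", 10, me, "DISCOVER", "de:ad:be:ef:00:01")),
        "your own release": sw.process(Frame("Gi0/5", 10, you, "RELEASE", you, "10.5.5.5")),
    }
```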
- Control Plane Policing. Remember that a switch or router sends traffic through the “data” plane and management traffic through the “control” plane. A hacker wanting to disrupt the device might attempt to send a large amount of traffic through the control plane.
Control Plane Policing allows us to protect the switch and router control planes from attacks. It does so by reducing the amount of traffic that the control plane can accept through a QoS policy. When the switch receives, on its data plane, a packet with a destination of the control plane, it will decide whether to forward or drop that packet.
- Change Default VLAN. The default VLAN should always be changed. This prevents VLAN hopping.
- Private VLANs. A private VLAN lets us break a single VLAN into multiple sub-VLANs. The main VLAN is called the primary VLAN. A port belonging to the primary VLAN is known as the promiscuous port and can talk to all other ports. The sub-VLANs can be of two types:
  - Isolated VLAN – a port assigned to an isolated VLAN cannot talk to any other port except the promiscuous port
  - Community VLAN – a port assigned to a community VLAN can talk to any other port in that same community and with the promiscuous port
The advantage of the private VLAN is that we can separate traffic from devices within the same VLAN. It also reduces the number of VLANs and IP subnets that are required.
- Disable Unneeded Switchports. It goes without saying that if a switch port is not used (not physically connected to a device), then we should turn it off. That way, if somebody tries to connect a device to it, no traffic will flow.
- Disable Unneeded Network Services. Many services may be enabled by default on your switch, router, computer, or server. Turn off any services that you aren’t using, such as DHCP servers, web servers, FTP, SMTP, etc. Sometimes these services are installed and operational by default.
Every running service is a potential security vulnerability, because if you aren’t using it, then you likely aren’t monitoring or patching it.
- Change Default Passwords. I have mentioned this many times. It is important to change the default username and password on every device, and to not use devices that do not allow you to change the default password.
- Password Complexity/Length. You must enforce a password that is complicated so that it cannot be easily guessed. Some rules for password complexity:
  - Includes at least eight characters
  - Includes special characters, capital letters, and numbers
  - Does not include the user’s name or other personally identifying information
  - Does not reuse old passwords
- Patch and Firmware Management. You should make sure to patch all devices when patches become available. Some devices are configured to automatically download and install patches. When there are many devices of many makes and models, an automated system should be used. The system will:
  - Determine when a patch is available for a given device
  - Automatically deploy the patch onto the device
  - Verify that the device has been successfully patched, or report the failure to patch to an administrator
- Access Control List. The Access Control List is a set of rules for what traffic is permitted to pass and what traffic is not permitted. There are many types of rules, based on:
  - Source IP address. Where is the traffic coming from? The source IP address could be on the LAN or on the WAN. It could be a specific IP address or a range of addresses.
  - Destination IP address. Where is the traffic going? The destination IP address could be on the LAN or on the WAN. It could be a specific IP address or a range of addresses.
  - Source Port Number. What is the port number of the source traffic? The source port could be on the LAN or on the WAN. It could be a specific port or a range of ports.
  - Destination Port Number. What is the port number of the destination traffic? The destination port could be on the LAN or on the WAN. It could be a specific port or a range of ports.
  - Username. Access Control Lists can be user-based. Permissions can be granted or denied to specific users based on their needs in the organization. For example, guests can be permitted to access only the internet and not resources such as remote desktop or SQL servers.
  - Rules can match a single parameter or a combination of parameters.
    - For example, a rule could say ‘Allow traffic from 10.1.1.1, port 5 to the range of IPs 192.168.3.0 to 192.168.3.255’. All traffic received from 10.1.1.1 port 5 will be permitted to access destinations in the range of 192.168.3.0 to 192.168.3.255. Traffic from other source IP addresses and/or ports will be rejected. Traffic from 10.1.1.1 to destinations outside of 192.168.3.0 to 192.168.3.255 will be rejected.
  - Always Allow. An Always Allow rule allows all traffic matching a rule. For example, “always allow traffic from the source IP 10.1.1.1”. All traffic from 10.1.1.1 will be permitted regardless of the port number or destination.
  - Always Deny. An Always Deny rule denies all traffic matching a rule. For example, “always deny traffic from the source IP 10.1.1.1”. All traffic from 10.1.1.1 will be denied regardless of the port number or destination.
This is also known as an Explicit Deny. If we create a bunch of rules to allow traffic from specific sources, and then tell the firewall to block any traffic that doesn’t match those rules, that is known as an Implicit Deny. In other words, Implicit Deny means that the traffic is blocked until another rule is created to allow it, whereas Explicit Deny blocks the traffic regardless of any other rules.
- Order of Operations
  - A firewall could have dozens or thousands of rules. The rules are ranked in order of priority.
  - When the firewall receives a piece of traffic, it starts checking the rules in order until it finds one that matches the traffic’s source and destination. It then applies that rule to the traffic.
  - The firewall will only apply one rule to a piece of traffic. Once that rule is applied, the firewall stops checking additional rules.
  - It is important to put the rules in logical order so that traffic is not accidentally accepted or rejected. When a firewall receives a piece of traffic that does not match any rules, it will either allow or reject the traffic based on its configuration.
  - Many firewalls are preconfigured with two default rules:
    - Always allow traffic with a source inside the network (LAN)
    - Always reject traffic with a source outside the network (WAN)
  - The two default rules should be put at the bottom of the list.
  - The first rule (allowing all traffic from inside the LAN) is dangerous because users cannot be trusted to access only safe resources on the internet. It should be modified (broken down) into two rules:
    - Always allow traffic with a
      - Source inside the network (LAN)
      - Destination outside the network (WAN)
      - Limited to specific ports outside the network (port 80, port 443, port 3306, etc.). The specific ports should be based on resources that users need to access.
    - Always deny traffic with a
      - Source inside the network (LAN)
      - Destination outside the network (WAN)
      - This rule applies second; any traffic not matching the previous rule will be denied.
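To make the ordering point concrete, here is an added Python example (not from the original text) that evaluates rules first-match with an implicit deny and flags any rule that can never fire because an earlier, broader rule covers it. The LAN prefix 192.168.3.0/24, the rule names and the sample packets are constructed; anything outside the LAN is treated as WAN.

```python
"""First-match firewall evaluation with implicit deny and rule shadowing.

Added example, not from the original text. The LAN prefix, rule names and
sample packets are constructed; any address outside the LAN counts as WAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

LAN = ip_network("192.168.3.0/24")  # constructed inside network

def zone(ip: str) -> str:
    return "LAN" if ip_address(ip) in LAN else "WAN"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    src: str = "any"                         # "LAN", "WAN" or "any"
    dst: str = "any"
    dports: Optional[FrozenSet[int]] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", zone(p.src))
                and self.dst in ("any", zone(p.dst))
                and (self.dports is None or p.dport in self.dports))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (self.src in ("any", other.src)
                and self.dst in ("any", other.dst)
                and (self.dports is None
                     or (other.dports is not None and other.dports <= self.dports)))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic falls to the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "implicit-deny"

def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule already covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]

# The preconfigured default: everything sourced inside the LAN is allowed.
DEFAULT_RULES = [Rule("lan-any", "allow", src="LAN")]
# The split described above: allow only the needed outbound ports, then deny the rest.
SPLIT_RULES = [
    Rule("lan-web-out", "allow", src="LAN", dst="WAN", dports=frozenset({80, 443, 3306})),
    Rule("lan-out-deny", "deny", src="LAN", dst="WAN"),
]
# The same two rules in the wrong order: the broad deny shadows the allow.
WRONG_ORDER = list(reversed(SPLIT_RULES))
```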
- Role-Based Access – Permissions are not assigned to individual users or to objects. Instead, permissions are assigned to operations/actions (known as roles).
  - A user can be assigned to a specific group (the user is given a role); the user inherits the permissions assigned to the role.
  - The organization can define the operations and actions that are relevant to their organization. For example:
    - Sales person (can access sales data)
    - Accountant (can enter data into the accounting system)
    - Accounts payable clerk (can approve invoices and issue payments)
How can we enforce security on wireless networks?
- MAC Filtering. We can enforce a rule where only devices with specific MAC addresses are permitted on our wireless network.
This rule works if we have an accurate inventory of all the wireless devices that may connect. It is not practical if we allow users to bring their own devices and connect them to the wireless network. It can also be bypassed by a hacker who spoofs his device’s MAC address to match that of one that is authorized.
- Antenna Placement. We can adjust the position and type of antennas so that our wireless signal does not exit our building. This would prevent hackers outside the building from connecting.
- Power Levels. We can adjust the power level on the device so that the wireless signal does not propagate outside of our building. This would prevent hackers outside the building or in neighboring suites from connecting.
- Wireless Client Isolation. A wireless client can normally communicate with another wireless or ethernet client (and vice versa) provided they are on the same VLAN or WLAN. Traffic from a wireless device destined to another device on the same VLAN travels through the wireless access point to the switch and then back through the switch (or another switch) or wireless access point as applicable.
Wireless Client Isolation prevents different wireless clients from communicating with each other, even though they are on the same VLAN and subnet (and possibly connected to the same wireless access point).
This is important when we have a wireless network open to guests or unrelated users. For example, devices connected to the guest Wi-Fi at a hotel or the student Wi-Fi at a university should not be able to reach each other. A guest in one hotel room should not be able to see devices belonging to a guest in another hotel room.
The isolation may be enforced by the router.
- Guest Network Isolation. If we have a guest Wi-Fi and a corporate Wi-Fi, we should physically or logically isolate the guest Wi-Fi network.
  - Physically isolating the network requires us to construct and configure a physically separate guest network. That means separate wireless access points, switches, routers, and wiring. This measure might be too expensive for most customers.
  - Logically isolating the network allows us to map the guest Wi-Fi SSID to a separate VLAN that can reach the internet and no other devices. This VLAN should also enforce wireless client isolation.
- As mentioned earlier, we can use Preshared Keys and EAP to enable wireless security. Extensible Authentication Protocol (EAP) is a system for authenticating with a wireless network.
  - EAP is a framework for providing authentication, but there are more than 40 possible methods that can be used, depending on the specific vendor of the equipment.
  - Each vendor may have more specific requirements, and new protocols are being developed all the time.
  - Within EAP are several methods, including:
    - LEAP
      - Lightweight Extensible Authentication Protocol
      - Developed by Cisco
      - LEAP is not supported by Windows but is supported by many third-party applications
      - Cisco does not recommend using LEAP anymore because it does not protect user credentials
    - PEAP
      - Protected Extensible Authentication Protocol
      - Originally, EAP assumed that communications would be secure; therefore, it did not provide a mechanism to secure the data being transmitted.
      - PEAP corrects this by providing a secure TLS tunnel
      - A server-side certificate is used to create a PKI tunnel
    - EAP-NOOB
      - Nimble out-of-band authentication for EAP
      - Used by devices that do not have preloaded authentication information, such as Internet of Things devices
      - The user must assist the device in connecting via an out-of-band channel
      - There are different connection options, including QR codes and NFC
      - An Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) exchange takes place over the in-band EAP channel. The user then provides the out-of-band channel message from the server to the device or from the device to the server, depending on what is required.
    - EAP-FAST
      - Flexible Authentication via Secure Tunneling
      - Designed by Cisco to replace LEAP
      - Three parts:
        - In-band provisioning via Diffie-Hellman. The client is provided with a shared secret.
        - Tunnel establishment. A tunnel is established between the server and the client.
        - Authentication. The user is authenticated.
    - EAP-TLS
      - EAP – Transport Layer Security
      - Uses TLS (Transport Layer Security) as its protocol
      - All wireless manufacturers support EAP-TLS
      - Considered very secure
      - EAP-TLS requires a client-side certificate. When a system is authenticated with a certificate, a password is not required. Even if a hacker obtained the username/password, without a certificate, the hacker would not be able to connect to the Wi-Fi.
      - EAP-TLS is not implemented as widely as it should be because it requires the certificate
    - EAP-TTLS
      - EAP Tunneled Transport Layer Security
      - Extends TLS so that the client does not require a certificate. Instead, the server creates a tunnel with the client. The client can then authenticate to the server using a legacy password or other authentication method. The tunnel protects the client from eavesdropping.
- Geofencing. Geofencing allows us to track the physical location of a wireless device and send an alert if it leaves the building or if it is taken to a portion of the building where it is not permitted. This ensures that secure devices such as laptops or mobile readers are not removed from the building.
- Captive Portal. A Captive Portal is a web page that a user sees when they first connect to the wireless network. The Captive Portal allows the user to authenticate with the wireless network. It may also inform the user of the terms and conditions that he must adhere to when using the network. Captive Portals are common on guest Wi-Fi networks.
What about IoT devices? What if IoT devices such as HVAC sensors, alarm sensors, etc. need to connect to our network?
- We should determine how we will identify each IoT device uniquely
- We should determine how we will authenticate that IoT device. How do we know that the connected device is legitimate?
- Can we ensure that the device will establish a secure end-to-end communication with the server?
- Can we ensure that the device will securely connect to the network?
- Can we encrypt the data that is stored on the device?
- Can we ensure that the device is not compromised by hackers?