Chapter 6. Network Design Elements


This chapter covers the following subjects:

Image Network Design: This section discusses network design elements such as switches and routers, and how to protect those devices from attack. It also talks about network address translation, private versus public IP addresses, and the private IP ranges. You then learn about network zones and interconnections—for example, intranets and extranets, demilitarized zones, LANs, and WANs. Finally, you learn how to defend against attacks on your virtual local area networks, IP subnets, and telephony devices.

Image Cloud Security and Server Defense: As time moves forward, more and more organizations transfer some or all of their server and network resources to the cloud. This creates many potential hazards and vulnerabilities that must be addressed by the security administrator and by the cloud provider. Top among these concerns are the servers, where all data is stored and accessed. Servers of all types should be hardened and protected from a variety of attacks in an effort to keep the integrity of data from being compromised. However, data must also be available. And so, the security administrator must strike a balance of security and availability. In this section, we’ll discuss cloud-based threats as well as server vulnerabilities, and how to combat them effectively.


Up until now we have focused on the individual computer system. Let’s expand our security perimeter to now include networks. Network design is extremely important in a secure computing environment. The elements that you include in your design can help to defend against many different types of network attacks. Being able to identify these network threats is the next step in securing your network. If you apply the strategies and defense mechanisms included in this chapter, you should be able to stave off most network-based assaults. The security of the servers and network infrastructure of an organization is the job of the security administrator, but with the inclusion of the cloud the areas of responsibility might vary. This depends on how much of the cloud is provided by a third party, and how much of the cloud is held privately within the organization’s domain. Whether dealing with cloud providers, onsite cloud-based resources, locally owned servers and networks, or a mixture of all of them, the security administrator has a lot of duties and must understand not only security but how computer networking really functions. To save time and be more efficient, this chapter and the following three chapters assume that you have a working knowledge of networks and that you have the CompTIA Network+ certification or commensurate experience. Hereafter, this book will work within that mindset and will refer directly to the security side of things as it progresses. So, put on your networking hat and let’s begin with network design.

Foundation Topics

Network Design

Proper network design is critical for the security of your network, servers, and client computers. You need to protect your network devices so that they and the clients that they connect together will be less subject to attack. Implementing network address translation and properly employing standard private IP ranges can further protect all the computers in a standard network. A thorough knowledge of network zones—for example, local area networks and demilitarized zones—is also important when designing a secure network. Finally, by utilizing subnetworks, virtual local area networks (VLANs), network access control, and secure telephony devices, you can put the final touches on your network design.

We start with a quick review of the OSI model, which most of the topics in Chapters 6 through Chapter 9 (and beyond) relate to. This is not a full discourse on the OSI model, which is a prerequisite concept for the Security+ exam, but should help to stimulate your brain and help get you thinking from an “OSI” point of view.

The OSI Model

The Open Systems Interconnection (OSI) reference model was created and ratified by the International Organization for Standardization (ISO), and is represented in the United States by the American National Standards Institute (ANSI). This model was created to do the following:

Image Explain network communications between hosts on the LAN or WAN.

Image Present a categorization system for communication protocol suites (such as TCP/IP).

Image Show how different protocol suites can communicate with each other.

Remember, network communications existed before the OSI model was created. This model is an abstract way of categorizing the communications that already exist. The model was devised to help engineers understand what is happening with communication protocols behind the scenes. It is broken down into seven layers, as shown in Table 6-1. They are listed numerically, which would be considered from the bottom up.

Table 6-1 OSI Model Layers

Layer # Name Usage Unit of Measurement
Layer 1 Physical layer Physical and electrical medium for data transfer. Bits
Layer 2 Data link layer Establishes, maintains, and decides how data transfer is accomplished over the physical layer. Frames
Layer 3 Network layer Dedicated to routing and switching information between different hosts, networks, and internetworks. Packets
Layer 4 Transport layer Manages and ensures error-free transmission of messages between hosts through logical addressing and port assignment (connection-oriented). Also manages streaming connections, where n number of errors are permitted (connectionless). Segments (TCP)
Datagrams (UDP)
Layer 5 Session layer Governs the establishment, termination, and synchronization of sessions within the OS over the network and between hosts. Messages
Layer 6 Presentation layer Translates the data format from sender to receiver and provides mechanisms for code conversion, data compression, and file encryption. Messages
Layer 7 Application layer Where message creation begins. End-user protocols such as FTP, HTTP, and SMTP work on this layer. Messages

Note

The “units of measurement” in the table are also referred to as protocol data units, or PDUs.


We could fill a book on the OSI model, but again, understanding this model is a prerequisite for the Security+ exam, so it will not be covered in depth here. However, at the very least you should know the layers, their order, and their basic descriptions. In Chapter 7, “Networking Protocols and Threats,” we will apply different protocols to their respective OSI layers.

If you feel you need to brush up on the OSI model more, then consider computer networking books (for example, Network+ textbooks), online articles, and networking training classes.


Note

For a short primer about the OSI model and its layers, see the following link:

http://www.davidlprowse.com/articles/?p=905

Also, consider one of the many CompTIA Network+ books available, or see the following links:

http://www.cisco.com/cpress/cc/td/cpress/fund/ith/ith01gb.htm#xtocid166844

https://support.microsoft.com/en-us/help/103884



Note

You’ll also see the TCP/IP model (a.k.a. Internet protocol suite). This is similar to the OSI model with slightly different names for the layers: application, transport, Internet, and link. Compared to the OSI model, it disregards much of the physical layer, and the application layer equates to the OSI’s application, presentation, and session layers.


Network Devices

Let’s begin with the network devices common on today’s networks. Central connecting devices such as switches need to be secured and monitored; it makes sense because these devices connect all the computers on your local area network. Attacks aimed at these devices could bring down the entire LAN. And of course, routers are extremely important when interconnecting LANs and subnets. Because many routers have visible IP addresses on the Internet, you should expand your line of thinking to include the act of securing these devices from attackers that might come from outside and inside your network. It is more common that attackers will be situated outside your network, but you never know!

Switch

Ethernet switching was developed in 1996 and quickly took hold as the preferred method of networking, taking the place of deprecated devices such as hubs and older-style bridges. This is due to the switch’s improvement in the areas of data transfer and security. A switch is a central connecting device to which all computers on the network can connect. The switch regenerates the signal it receives and (by default) sends the signal to the correct individual computer. It does this by mapping computers’ MAC addresses to their corresponding physical port. This can effectively make every port an individual entity, thus securing the network, and exponentially increasing data throughput. Switches employ a matrix of copper wiring instead of the standard trunk circuit, and intelligence to pass information to the correct port. The CompTIA Security+ exam focuses on layer 2 and layer 3 switches. Layer 2 switches deal with MAC addresses only. But layer 3 switches work with MAC addresses and IP addresses. Most of the attacks we discuss are layer 2 based, but not all. Be ready to secure on both layers.

Although the switch is an excellent star-based topological solution, some security implications are still involved with it. These include but are not limited to the following:

Image

Image MAC flooding: Switches have memory set aside to store the MAC address to the port translation table, known as the Content Addressable Memory table, or CAM table. A MAC flood can send numerous packets to the switch, each of which has a different source MAC address, in an attempt to use up the memory on the switch. If this is successful, the switch changes state to what is known as fail-open mode. At this point, the switch broadcasts data on all ports the way a hub does. This means two things: First, that network bandwidth will be dramatically reduced, and second, that a mischievous person could now use a protocol analyzer, running in promiscuous mode, to capture data from any other computer on the network. Yikes!

Some switches are equipped with the capability to shut down a particular port if it receives a certain amount of packets with different source MAC addresses. For example, Cisco switches use port security, which can act as a flood guard (among many other things). This restricts a port by limiting and identifying MAC addresses of the computers permitted to access that port. A Cisco switch defines three categories of secure MAC addresses as part of a policy on the switch. Other providers have like policies that can be implemented. Other ways to secure against MAC flooding and constrain connectivity include using network access control (NAC) and 802.1X-compliant devices, dynamic VLANs, and network intrusion detection systems (NIDSs), and consistently monitoring the network. We speak more to these concepts later in this chapter and in future chapters.

Image MAC spoofing: MAC spoofing is when an attacker masks the MAC address of their computer’s network adapter with another number. This can allow a user to disguise their computer as another system on, or off, the network, thus fooling a switch and possibly gaining access. Cisco’s port security feature and NAC systems or other application layer solutions can help to prevent this, but in the case of an insider attempting this, a router should also be configured to only accept a certain amount of static MAC addresses. This attack can be enhanced by initiating a DHCP starvation attack, which works by broadcasting DHCP requests with spoofed MAC addresses, which can ultimately exhaust the address space available to DHCP servers. To help prevent against this, enable DHCP snooping. Also, close off any untrusted switch interfaces—meaning, ones that connect outside the network or firewall. Finally, another related attack is ARP spoofing, which is when an attacker can make a system appear as the destination host sought by the sender, with obvious repercussions. This can be prevented by: reducing the time an entry stays in the ARP cache—on the switch and on the clients; checking/removing static ARP entries; using dynamic ARP inspection; and also using the aforementioned DHCP snooping.


Note

When making changes to Cisco switches, or any other switches, always remember to save (and back up) the appropriate config files. Keep a log of what changes were applied to which backup files.


Image Physical tampering: Some switches have a dedicated management port. If this is accessible, a person could perpetuate a variety of attacks on the network. Even if a single port of the switch is accessible, a person could attempt the aforementioned MAC flooding attack and move on from there. In addition, if a person were to get physical access to the switch, that person could attempt looping, which is when both ends of a network cable are connected to the same switch; or, when two cascading switches are connected to each other with two patch cables instead of just one. Plus, the potential for inadvertent looping grows with each additional switch. To avoid cable loops, consider a hierarchical switched environment; for instance, one where all LAN switches connect to a the “master” switch, also known as an aggregation switch. Some switches come with the ability to enable loop protection within the firmware. For example, you should enable the Spanning Tree Protocol (STP)—that is, if it isn’t enabled by default. STP—as well as Rapid STP and multiple STP—builds a logical loop-free topology for the Ethernet network and can recognize and bypass improper connections. However, it’s preferable to prevent the problem from physically happening in the first place. So, remember that the switch needs to be physically secured, most likely in a server room with some type of access control system, and all switches should be checked for internal cable loops. It sounds so simple, but it is commonly overlooked by many companies. Also, disable any unused ports on the switch, if the switch has that capability. Finally, employ good cable management: label ports and cables and organize patch cables as necessary.

Bridge

A bridge is used to separate a physical LAN (or WLAN) into two logical networks, or to connect two networks together. You do this by physically connecting the device to both sections of the network. The device will then seek out MAC addresses on both sides and keep that information stored in a table. If a person on one side of the bridge wants to communicate on the network, the bridge will decide whether the information should cross to the other side. This eliminates some broadcasting. A bridge often resides on the data link layer. Note that since the advent of switching, bridges have become much less commonplace. However, you may see them connecting two network sections together. That said, security becomes vital. For example, in a wireless bridged environment, you might opt for an IPsec tunnel between devices. However, if you find yourself in a bridged environment, then you should probably consider a newer, more secure solution.

Router

A router connects two or more networks to form an internetwork. Routers are used in LANs, in WANs, and on the Internet. This device routes data from one location to another, usually by way of the IP address and IP network numbers. Routers function on the Network layer of the OSI model.

Routers come in several forms: SOHO routers, those four-port devices used in homes and small offices to connect to the Internet; servers, which can be configured for routing if they have multiple network adapters and the proper software; and, most commonly, black-box devices such as Cisco routers. Routers are intelligent and even have their own operating system; for example, Cisco routers use IOS (Internetwork Operating System). Often, a DMZ will be set up within a router, especially SOHO router devices; we speak more about the DMZ later in this chapter.

Routers can be the victim of denial-of-service attacks, malware intrusions, and other attacks (covered in more depth later in this chapter) and can spread these attacks and malware to other sections of the network. Routers can be protected from these attacks in the following ways:

Image Secure router configuration: Most routers are inherently insecure out-of-the-box. This means that they might have a blank default password, easily guessable username, known IP addresses, default routing tables, and so on. The first line of defense is to configure the username and password so that it is hard to guess and hard to crack. This means very complex passwords. Go through all possible default configurations and lock them down before putting the router on a live network.

Image Firewalls: Firewalls protect against and filter out unwanted traffic. A firewall can be an individual device or can be added to a router. For example, most SOHO routers have a firewall built in, and Cisco Integrated Services Routers (ISR) include the Cisco IOS Firewall. Regular routers, and routers with firewall functionality, have the ability to block certain kinds of traffic. For example, if ICMP has been blocked, then you would not be able to ping the router. You can find more information on firewalls in Chapter 8, “Network Perimeter Security.”

Image Intrusion prevention systems (IPSs): An IPS will not only detect but also prevent directed attacks, botnet attacks, malware, and other forms of attacks. An IPS can be installed as a network-based solution or on a particular computer and some routers. More information on network-based IPS (and IDS) solutions can be found in Chapter 8.

Image Secure VPN connectivity: Instead of connecting directly to a router, virtual private networks enable for secure connections utilizing IPsec and SSL. Secure VPN connectivity can be implemented with SOHO routers (for smaller organizations), VPN concentrators (for larger organizations), advanced routers like ones offered by Cisco, or with a Windows Server. You can find more information about VPNs in Chapter 10, “Physical Security and Authentication Models.”

Image Content filtering: Content filtering blocks or restricts access to certain websites. This provides protection from malicious websites. Content filtering can be installed as a server, as an appliance (for example, a web security gateway), or on some routers. You can find more information about content filters in Chapter 8.

Image Access control lists (ACLs): Access control lists enable or deny traffic. These can be implemented on a router and within firewalls; in some cases the two will be the same physical device. For example, an ACL can be configured to deny any connections by computers that have IP addresses outside the network number. ACLs are instrumental in blocking IP spoofing attacks. You can find more information about ACLs in Chapter 11, “Access Control Methods and Models.”


Note

The CompTIA Security+ objectives also refer to the channel service unit (CSU) and data service unit (DSU). These two devices—often combined as a CSU/DSU—are within the realm of data communications equipment (DCE). They connect data terminal equipment (DTE) such as a router to a digital circuit such as a T-1. Today, the functionality of these devices (or device) is often incorporated into a router in the form of a WAN interface card (WIC) or otherwise. Cable and DSL modems are also considered to be CSU/DSUs. It’s important to update the firmware on these devices periodically and replace old hardware with new devices.


Network Address Translation, and Private Versus Public IP

Network address translation (NAT) is the process of changing an IP address while it is in transit across a router. This is usually implemented so that one larger address space (private) can be remapped to another address space, or single IP address (public). In this case it is known as network masquerading, or IP masquerading, and was originally implemented to alleviate the problem of IPv4 address exhaustion. Today, NAT provides a level of protection in IPv4 networks by hiding a person’s private internal IPv4 address—known as the firewall effect. Basic routers only allow for basic NAT, which is IPv4 address-translation-only. But more advanced routers allow for PAT, or port address translation, which translates both IPv4 addresses and port numbers. Commonly, a NAT implementation on a firewall hides an entire private network of IPv4 addresses (for example, the 192.168.1.0 network) behind a single publicly displayed IPv4 address. Many SOHO routers, servers, and more advanced routers offer this technology to protect a company’s computers on the LAN. Generally, when an individual computer attempts to communicate through the router, static NAT is employed, meaning that the single private IPv4 address will translate to a single public IPv4 address. This is also called one-to-one mapping.

It is also important to know the difference between private and public addresses. A private address is one not displayed directly to the Internet and is normally behind a firewall (or NAT-enabled device). Typically, these are addresses that a SOHO router or DHCP server would assign automatically to clients. A list of reserved private IPv4 ranges is shown in Table 6-2. Public addresses are addresses displayed directly to the Internet; they are addresses that anyone can possibly connect to around the world. Most addresses besides the private ones listed in Table 6-2 are considered public addresses. Figure 6-1 shows an example of a router/firewall implementing NAT. The router’s public address is 207.172.15.50, and its private address is 10.0.0.1. Computers to the left of the router are on the LAN, and all their IP addresses are private, protected by NAT, which occurs at the router. Servers on the Internet (within the cloud) have public IPv4 addresses (for example, 208.96.234.193) so that they can be accessed by anyone on the Internet.

Image
Image

Figure 6-1 Example of Public and Private IPv4 Addresses

Table 6-2 Private IPv4 Ranges (as Assigned by the IANA)

IP Class Assigned Range
Class A 10.0.0.0–10.255.255.255
Class B 172.16.0.0–172.31.255.255
Class C 192.168.0.0–192.168.255.255

Keep in mind that most internal networks—meaning LANs—are either subnetted or are classless in nature. It’s important to know the private IP ranges and their classes, but just remember that classless is very common, especially in larger networks.

You should also know the categories of IPv6 addresses. Table 6-3 provides a review of these types. Keep in mind that the standard “private” range for IPv6 is FE80::/10, which spans addresses that start with FE80, FE90, FEA0, and FEB0. This is the default reserved range of IPv6 addresses that computers on a LAN (and behind a firewall) will be assigned from.

Table 6-3 Types of IPv6 Addresses

IPv6 Type Address Range Purpose
Unicast Global unicast starts at 2000
Link-local ::1 and FE80::/10
Address assigned to one interface of one host.
Anycast Structured like unicast addresses Address assigned to a group of interfaces on multiple nodes. Packets are delivered to the “first” interface only.
Multicast FF00::/8 Address assigned to a group of interfaces on multiple nodes. Packets are delivered to all interfaces.

There are risks involved with IPv6 auto-configured addresses. Once a computer is physically connected to a network, it can easily obtain an IPv6 address without any user interaction and begin communicating with other hosts on the network, perhaps in an insecure manner. To avoid this, consider using 802.1X authentication, which stops IPv6 traffic until the host is authenticated to the network. You can read more on 802.1X in Chapter 10. Also, consider using encrypted tunnels, and network adapters that are certified for secure wired and/or wireless transmissions.

A last word about IP security—both IPv4 and IPv6 have security issues, and both have various ways that they can be secured. Don’t be fooled; both types of IP networks need to be designed with security in mind. For example, IPv6 has IPsec support built in, but that might not be the best method of security for your organization. IPv4 also can make use of IPsec, and in that aspect can be just as secure as IPv6, but the support isn’t built in, so you might choose to implement alternative security methods for IPv4. Many networks use both protocols, and though one is working in a secure manner, that doesn’t mean the other protocol is protected. Remember to design both types of IP networks to address all security concerns, and test them thoroughly on multiple platforms.

Network Zones and Interconnections

When designing your network, think about all the pieces of the network and all the connections your network might make to other networks. Are you in charge of a single local area network? Or are you responsible for more than one local area network that perhaps form a wide area network? What kind of, and how many Internet connections do you have? Will you have servers that need to be accessed by users on the Internet? Is the cloud or virtualization involved? And will you need to share information with company employees who work from home or with other organizations, while securing that information from the average user on the Internet? The more interconnections and network zones that you have, the more security risk you are taking on. Keep this in mind as you read through the section.

LAN Versus WAN

A local area network, or LAN, is a group of networked computers contained in a small space such as a small office, a school, or one or two close-knit buildings. Generally, the computers in the LAN are all assigned private IP addresses and are behind a firewall. Although computers on a LAN do not have to connect to the Internet, they usually do, but do so via a router that acts as an IP proxy and employs NAT. (NAT is far more common on IPv4 networks, but not unheard of on IPv6 networks.) It is important to secure computers on the LAN by placing them behind the router, assigning private IP addresses if necessary, and verifying that anti-malware programs are installed.

A wide area network, or WAN, is one or more LANs connected together. The big difference between a LAN and a WAN is that a WAN covers a larger geographic area. This implies that the services of a telecommunications or data communications provider are necessary. The security implications of a WAN are great; the more connections your network has, the more likely attacks will become. All connections should be monitored and firewalled if possible. Consider that there might be connections to other states or countries...and, to the biggest WAN of them all—the Internet.

Internet

The Internet is the worldwide interconnection of individual computers and computer networks. Because it is a public arena, anyone on the Internet can possibly be a target, or an attacker. All types of sessions on the Internet should be protected at all times. For example, voice calls should be done within a protected VoIP system; data sessions should be protected by being run within a virtual private network; and so on. Individual computers should be protected by firewalls and anti-malware programs. Networks should be protected by firewalls as well. But what about systems that need to access the LAN and also need to be accessed by clients on the Internet? Well, one option is to create an area that is not quite the LAN, and not quite the Internet; this is a demilitarized zone, or DMZ.

Demilitarized Zone (DMZ)

In computer security, a demilitarized zone (DMZ) is a special area of the network (sometimes loosely referred to as a subnetwork) that houses servers that host information accessed by clients or other networks on the Internet. Some of these servers might include web, FTP, mail, and database computers. It’s important that each server is configured with the proper default gateway IP address so that users on the Internet can access it. These servers might also be accessible to clients on the LAN in addition to serving the Internet. There are several ways to set up a DMZ; a common way is the 3-leg perimeter DMZ, as shown in Figure 6-2. Notice the third “leg” that branches off the firewall to the right. This leads to a special switch that has WWW and FTP servers connected to it. Also note that the DMZ is on a different IP network than the LAN, although both the LAN and DMZ are private IP network numbers.

Image
Image

Figure 6-2 3-Leg Perimeter DMZ

The firewall can (and usually will) be configured in a secure fashion on the DMZ connection (192.168.100.200) and an even more secure fashion on the LAN connection (172.29.250.200). The DMZ connection in Figure 6-2 needs to have only inbound ports 80 (WWW) and 21 (FTP) open; all other ports can be closed, thus filtering inbound traffic. The LAN connection can be completely shielded on the inbound side. Although DMZs can be created logically, they are most often found as physical implementations. There are several other implementations of a DMZ. For example, a DMZ can be set up with two firewalls that surround it, also known as a back-to-back perimeter network configuration; in this case the DMZ would be located between the LAN and the Internet. A DMZ might also be set up within a router, especially in small organizations that use basic SOHO router devices. It all depends on the network architecture and security concerns of the organization.

Intranets and Extranets

Intranets and extranets are implemented so that a company (or companies) can share its data using all the features and benefits of the Internet, while keeping that data secure within the organization, select organizations, and specific users. In the case of an intranet, only one company is involved; it could be as simple as an internal company website, or a more advanced architecture of servers, operational systems, and networks that deploy tools, applications, and, of course, data. In the case of an extranet, multiple companies can be involved, or an organization can opt to share its data and resources with users who are not part of the organization(s). This sharing is done via the Internet, but again, is secured so that only particular people and organizations can connect.

Whether you have an intranet or an extranet, security is a major concern. Proper authentication schemes should be implemented to ensure that only the appropriate users can access data and resources. Only certain types of information should be stored on an intranet or extranet. Confidential, secret, and top secret information should not be hosted within an intranet or extranet. Finally, the deployment of a firewall(s) should be thoroughly planned out in advance. An example of a company that hosts an intranet and an extranet is shown in Figure 6-3. Note that data commuters from Company A can access the intranet because they work for the company. Also note that Company B can access the extranet, but not the intranet. In this example, the company (Company A) has created two DMZs, one for its intranet and one for its extranet. Of course, it is possible to set this up using only one DMZ, but the access control lists on the firewall and other devices would have to be planned and monitored more carefully. If possible, separating the data into two distinct physical locations will have several benefits, namely, being more secure; although, it will cost more money to do so. This all depends on the acceptable risk level of the organization and its budget!

Image

Figure 6-3 Example of an Intranet and an Extranet

Network Access Control (NAC)

In this chapter, we have mentioned several types of networking technologies and design elements. But whichever you choose to use, it needs to be controlled in a secure fashion. Network access control (NAC) does this by setting the rules by which connections to a network are governed. Computers attempting to connect to a network are denied access unless they comply with rules pertaining to levels of antivirus protection, system updates, and so on...effectively weeding out those who would perpetuate malicious attacks. The client computer continues to be denied until it has been properly updated, which in some cases can be taken care of by the NAC solution automatically. This often requires some kind of preinstalled software (an agent) on the client computer, or the computer is scanned by the NAC solution remotely—which would be known as agentless. When agents are used, there is usually a posture or health check at the host or the endpoint. Often this is tied into role-based access. There are two types of agents: persistent and dissolvable. Persistent agents are installed on the target device and can be used over and over again. Dissolvable agents provide for one-time authentication and are then deleted. Agentless NAC systems are also available but they offer less control and fewer inspection capabilities.

Some companies (such as Cisco) offer hardware-based NAC solutions, whereas other organizations offer paid software-based NAC solutions and free ones such as PacketFence (https://packetfence.org), which is open source.

The IEEE 802.1X standard, known as port-based network access control, or PNAC, is a basic form of NAC that enables the establishment of authenticated point-to-point connections, but NAC has grown to include software; 802.1X is now considered a subset of NAC. See the section “Authentication Models and Components” in Chapter 10 for more information about IEEE 802.1X.

Subnetting

Subnetting is the act of creating subnetworks logically through the manipulation of IP addresses. These subnetworks are distinct portions of a single IP network.

Subnetting is implemented for a few reasons:

Image It increases security by compartmentalizing the network.

Image It is a more efficient use of IP address space.

Image It reduces broadcast traffic and collisions.

To illustrate the first bullet point, examine Figure 6-4. This shows a simple diagram of two subnets within the 192.168.50.0 IPv4 network using the subnet mask 255.255.255.240; this would also be known as 192.168.50.0/28 in CIDR notation (covered shortly). You can see that the subnets are divided; this implies that traffic is isolated—it cannot travel from one subnet to another without a route set up specifically for that purpose. So, computers within Subnet ID 2 can communicate with each other by default, and computers within Subnet ID 8 can communicate with each other, but computers on Subnet 2 cannot communicate with computers on Subnet 8, and vice versa.

Image

Figure 6-4 Example of a Subnetted Network

As a security precaution, using subnet 0 (zero) is discouraged, and instead a network administrator should start with subnet 1, which in the preceding example would be 192.168.50.16. This avoids any possible confusion regarding the actual network number (192.168.50.0) and its subnets. If a network administrator were to use the first subnet and then inadvertently use a default subnet mask (such as 255.255.255.0), this would create a security vulnerability—the hosts on that subnet would have access to more of the network than they normally should. This kind of mistake is common when using the first subnet and is the main reason it is discouraged.

Another common example of an organization subnetting its network is to take what would normally be a Class A network (with the 255.0.0.0 subnet mask) and make it classless by changing the subnet mask to, for example, 255.255.255.224. This is called classless interdomain routing, or CIDR, which is based on variable-length subnet masking (VLSM). For instance, we could use 10.7.7.0 as the network number. Normally, it would simply be referred to as the 10 network if it was Class A. But the subnet mask 255.255.255.224 makes it function as a subnetted Class C network, which effectively makes it classless. In CIDR notation this would be written out as 10.7.7.0/27, because there are 27 masked bits in the subnet mask. The subnet mask’s “224” is the key. When we calculate this, we find that we can have 30 usable hosts per subnet on the 10.7.7.0 network. The first range of hosts would be 10.7.7.1–10.7.7.30, the second range would be 10.7.7.33–10.7.7.62, and so on. A host with the IP address 10.7.7.38 would not be able to communicate (by default) with a host using the IP address 10.7.7.15 because they are on two separate subnets.


Note

You can check the preceding statements by searching for and using a free online subnetting calculator. I highly recommend you practice this!


When compartmentalizing the network through subnetting, an organization’s departments can be assigned to individual subnets, and varying degrees of security policies can be associated with each subnet. Incidents and attacks are normally isolated to the subnet that they occur on. Any router that makes the logical connections for subnets should have its firmware updated regularly, and traffic should be occasionally monitored to verify that it is isolated.


Note

For a short primer about subnetting, see the following link: www.davidlprowse.com/articles/?p=1185


Virtual Local Area Network (VLAN)

A VLAN is implemented to segment the network, reduce collisions, organize the network, boost performance, and, hopefully, increase security. A device such as a switch can control the VLAN. Like subnetting, a VLAN compartmentalizes the network and can isolate traffic. But unlike subnetting, a VLAN can be set up in a physical manner; an example of this would be the port-based VLAN, as shown in Figure 6-5. In this example, each group of computers such as Classroom 1 has its own VLAN; however, computers in the VLAN can be located anywhere on the physical network. For example, Staff computers could be located in several physical areas in the building, but regardless of where they are located, they are associated with the Staff VLAN because of the physical port they connect to. Due to this, it is important to place physical network jacks in secure locations for VLANs that have access to confidential data.

Image

Figure 6-5 Example of a VLAN

There are also logical types of VLANs, such as the protocol-based VLAN and the MAC address–based VLAN, that have a whole separate set of security precautions, but those precautions go beyond the scope of the CompTIA Security+ exam.

The most common standard associated with VLANs is IEEE 802.1Q, which modifies Ethernet frames by “tagging” them with the appropriate VLAN information, based on which VLAN the Ethernet frame should be directed to.

VLANs restrict access to network resources, but this can be bypassed through the use of VLAN hopping. VLAN hopping can be divided into two categories, as shown in Table 6-4.

Image

Table 6-4 Types of VLAN Hopping

VLAN Hopping Method How It Works How to Defend
Switch spoofing The attacking computer must be capable of speaking the tagging and trunking protocols used by the VLAN trunking switch to imitate the switch. If successful, traffic for one or more VLANs is then accessible to the attacking computer. Put unplugged ports on the switch into an unused VLAN.
Statically configure the switch ports in charge of passing tagged frames to be trunks and to explicitly forward specific tags.
Disable Dynamic Trunking Protocol (DTP) if necessary.
Avoid using default VLAN names such as VLAN or VLAN1.
Double tagging In a double-tagging attack, an attacking host attaches two VLAN tags to the frames it transmits. The first, proper header is stripped off by the first switch the frame encounters, and the frame is then forwarded. The second, false header is then visible to the second switch that the frame encounters. Upgrade firmware or software.
Pick an unused VLAN as the default VLAN (also known as a native VLAN) for all trunks, and do not use it for any other intent.
Consider redesigning the VLAN if multiple 802.1Q switches are used.

MAC flooding attacks can also be perpetuated on a VLAN, but because the flood of packets will be constrained to an individual VLAN, VLAN hopping will not be possible as a result of a MAC flood.

VLANs can also be the victims of ARP attacks, brute-force attacks, spanning-tree attacks, and other attacks, all of which we discuss in later chapters.


Note

So far, the virtual LANs we have discussed use physical switches to make the connectivity between computers. However, in a completely virtualized environment—one where all of the operating systems are virtual—it is possible to use a virtual switch to connect the systems together. In this case, everything is virtual, from the servers to the network infrastructure. It is often used in testing environments, and gives new meaning to the term “virtual LAN.”


Telephony

Telephony aims at providing voice communication for your users and requires various equipment to accomplish this goal. Older devices such as modems can be the victim of an attack, but nowadays computers are also heavily involved in telephony; this is known as computer telephony integration, or CTI. What does this mean for you, the security administrator? Well, for one thing, special telephones and servers require particular security, for a whole new level of attacks and ways of targeting this equipment. The telephone, regardless of what type, is still one of the primary communication methods and therefore needs to be up and running all the time.

Modems

In networking environments such as a network operations center (NOC) or server room, modems are still used by network administrators to connect to servers and networking equipment via dial-up lines. Often, this is a redundant, worst-case scenario implementation—sometimes, it is the default way for admins to access and configure their networking equipment. In some cases, this is done without any authentication, and to make matters worse, sometimes admins use Telnet to configure their equipment. Of course, this is insecure, to say the least. A modem can be the victim of war-dialing, which is the act of scanning telephone numbers by dialing them one at a time. Computers usually pick up on the first ring, and the war-dialing system makes a note of that and adds that number to the list. Besides the obvious social annoyance this could create, a hacker would then use the list to attempt to access computer networks. Now think back to the system that has no authentication scheme in place!

So to protect modem connections, a network admin should 1) use the callback feature in the modem software and set it to call the person back at a preset phone number; 2) use some type of username/password authentication scheme and select only strong passwords because war-dialers will most likely try password guessing; and 3) use dial-up modems sparingly, only in secure locations, and try to keep the modem’s phone number secret. And by the way, a quick word on Telnet: it is not secure and should be substituted with SSH or another, more secure way of configuring a remote device.

For the typical user who still uses a modem on a client computer, set the modem to not answer incoming calls, and be sure not to use any remote control software on the system that houses the modem. Finally, consider upgrading to a faster and more secure Internet access solution!

PBX Equipment

A private branch exchange (PBX) makes all of an organization’s internal phone connections and also provides connectivity to the public switched telephone network (PSTN). Originally, PBXs were simple devices, but as time progressed they incorporated many new features and along the way became more of a security concern. For example, an attacker might attempt to exploit a PBX to obtain free long distance service or to employ social engineering to obtain information from people at the organization that owns the PBX. To secure a standard PBX, make sure it is in a secure room (server room, locked wiring closet, and so on); usually it should be mounted to the wall but could be fixed to the floor as well. Also, change passwords regularly, and only allow authorized maintenance; log any authorized maintenance done as well. PBX computers often have a remote port (basically a built-in modem or other device) for monitoring and maintenance; ensure that this port is not exploited and that only authorized personnel know how to access it. Today’s PBX devices might act as computer-telephony integration servers on the network, and/or might incorporate VoIP, which is also known as an IP-PBX.

VoIP

Voice over Internet Protocol (VoIP) is a broad term that deals with the transmission of voice data over IP networks such as the Internet. It is used by organizations and in homes. In an organization, IP phones can be the victim of attacks much like individual computers can. In addition, VoIP servers can be exploited the same way that other servers can; for example, by way of denial-of-service attacks. When securing VoIP servers—also known as VoIP gateways or media gateways—security administrators should implement many of the same precautions that they would make for more traditional servers, such as file servers and FTP servers. Some VoIP solutions, especially for home use, use the Session Initiation Protocol (SIP), which can be exploited by man-in-the-middle (MITM) attacks. To help reduce risk, VoIP systems should be updated regularly and use encryption and an authentication scheme.

Another concern with VoIP is availability. If there are multiple types of network traffic competing for bandwidth, you could use the Quality of Service (QoS) configuration to prioritize traffic on a router, and to ultimately increase the availability of IP telephony. We could talk about VoIP for days, but luckily for you, the exam requires that you have only a basic understanding of what VoIP is and how to protect it in a general sense. Most of the ways that you will mitigate risk on a VoIP system are the same as you would for other server systems, and these are covered later in this chapter as well as in Chapter 7.

Cloud Security and Server Defense

Historically, the “cloud” was just a name for the Internet—anything beyond your network that you as a user couldn’t see. Technically speaking, the cloud was the area of the telephone company’s infrastructure—it was everything between one organization’s demarcation point and the demarcation point of another organization. It included central offices, switching offices, telephone poles, circuit switching devices, packet assemblers/disassemblers (PADs), packet switching exchanges (PSEs), and so on. In fact, all these things, and much more, are still part of the “cloud,” in the technical sense. Back in the day, this term was used only by telecommunications professionals and network engineers.

Today, the “cloud” has a somewhat different meaning. Almost everyone has heard of it and probably used it to some extent. It is used heavily in marketing, and the meaning is less technical and more service-oriented than it used to be. It takes the place of most intranets and extranets that had existed for decades before its emergence.

We talked about basic computer protection in Chapter 2, “Computer Systems Security Part I,” the hardening of operating systems (including virtual operating systems) in Chapter 4, “OS Hardening and Virtualization,” and secure programming in Chapter 5, “Application Security.” In this section, we’ll build on those knowledge sets and describe some server defense. I place servers in this section of the chapter because they are at the heart of networking. Servers control the sending and receiving of all kinds of data over the network, including FTP and websites, e-mail and text messaging, and data stored as single files and in database format. A great many of these servers are now in the cloud, with more moving there every day. And the cloud, however an organization connects to it, is all about networking. So, the cloud, virtualization, and servers in general are all thoroughly intertwined.

Cloud Computing

Cloud computing can be defined as a way of offering on-demand services that extend the capabilities of a person’s computer or an organization’s network. These might be free services, such as personal browser-based e-mail from various providers, or they could be offered on a pay-per-use basis, such as services that offer data access, data storage, infrastructure, and online gaming. A network connection of some sort is required to make the connection to the “cloud” and gain access to these services in real time.

Some of the benefits to an organization using cloud-based services include lowered cost, less administration and maintenance, more reliability, increased scalability, and possible increased performance. A basic example of a cloud-based service would be browser-based e-mail. A small business with few employees definitely needs e-mail, but it can’t afford the costs of an e-mail server and perhaps does not want to have its own hosted domain and the costs and work that go along with that. By connecting to a free web browser–based service, the small business can obtain near unlimited e-mail, contacts, and calendar solutions. But, there is no administrative control, and some security concerns, which we discuss in just a little bit.

Cloud computing services are generally broken down into several categories of services:

Image Software as a service (SaaS): The most commonly used and recognized of the three categories, SaaS is when users access applications over the Internet that are provided by a third party. The applications need not be installed on the local computer. In many cases these applications are run within a web browser; in other cases the user connects with screen sharing programs or remote desktop programs. A common example of this is webmail.


Note

Often compared to SaaS is the application service provider (ASP) model. SaaS typically offers a generalized service to many users. However, an ASP typically delivers a service (perhaps a single application) to a small number of users.


Image Infrastructure as a service (IaaS): A service that offers computer networking, storage, load balancing, routing, and VM hosting. More and more organizations are seeing the benefits of offloading some of their networking infrastructure to the cloud.

Image Platform as a service (PaaS): A service that provides various software solutions to organizations, especially the ability to develop applications in a virtual environment without the cost or administration of a physical platform. PaaS is used for easy-to-configure operating systems and on-demand computing. Often, this utilizes IaaS as well for an underlying infrastructure to the platform. Cloud-based virtual desktop environments (VDEs) and virtual desktop infrastructures (VDIs) are often considered to be part of this service, but can be part of IaaS as well.

Image Security as a service (SECaaS): A service where a large service provider integrates its security services into the company/customer’s existing infrastructure. The concept is that the service provider can provide the security more efficiently and more cost effectively than a company can, especially if it has a limited IT staff or budget. The Cloud Security Alliance (CSA) defines various categories to help businesses implement and understand SECaaS, including: encryption, data loss prevention (DLP), continuous monitoring, business continuity and disaster recovery (BCDR), vulnerability scanning, and much more.


Note

Periodically, new services will arrive, such as monitoring as a service (MaaS)—a framework that facilitates the deployment of monitoring within the cloud in a continuous fashion. There are many types of cloud-based services. If they don’t fall into the previous list, then they will often fall under the category “anything as a service” (XaaS).


A cloud service provider (CSP) might offer one or more of these services. Between 2005 and 2010, cloud services were slow to be adopted by organizations. One of the reasons for this is the inherent security issues that present themselves when an organization relegates its software, platforms, and especially infrastructure to a CSP. After 2010, however, implementation of cloud services has grown dramatically, with most companies either already running cloud services or in the planning stages. Similar to the CSP is the managed service provider (MSP), which can deliver network, application, system, and management services using a pay-as-you-go model.

There are different types of clouds used by organizations: public, private hybrid, and community. Let’s discuss each briefly.

Image Public cloud: When a service provider offers applications and storage space to the general public over the Internet. A couple of examples of this include free, web-based e-mail services, and pay-as-you-go business-class services. The main benefits of this include low (or zero) cost and scalability. Providers of public cloud space include Google, Rackspace, and Amazon.

Image Private cloud: Designed for a particular organization in mind. The security administrator has more control over the data and infrastructure. A limited number of people have access to the cloud, and they are usually located behind a firewall of some sort in order to gain access to the private cloud. Resources might be provided by a third party, or could come from the security administrator’s server room or data center.

Image Hybrid cloud: A mixture of public and private clouds. Dedicated servers located within the organization and cloud servers from a third party are used together to form the collective network. In these hybrid scenarios, confidential data is usually kept in-house.

Image Community cloud: Another mix of public and private, but one where multiple organizations can share the public portion. Community clouds appeal to organizations that usually have a common form of computing and storing of data.

The type of cloud an organization uses will be dictated by its budget, the level of security it requires, and the amount of manpower (or lack thereof) it has to administer its resources. While a private cloud can be very appealing, it is often beyond the ability of an organization, forcing that organization to seek the public or community-based cloud. However, it doesn’t matter what type of cloud is used. Resources still have to be secured by someone, and you’ll have a hand in that security one way or the other.

Cloud Security

Cloud security hinges on the level of control a security administrator retains and the types of security controls the admin implements. When an organization makes a decision to use cloud computing, probably the most important security control concern to administrators is the loss of physical control of the organization’s data. A more in-depth list of cloud computing security concerns includes lack of privacy, lack of accountability, improper authentication, lack of administrative control, data sensitivity and integrity problems, data segregation issues, location of data and data recovery problems, malicious insider attack, bug exploitation, lack of investigative support when there is a problem, and finally, questionable long-term viability. In general, everything that you worry about for your local network and computers! Let’s also mention that cloud service providers can be abused as well—attackers often attempt to use providers’ infrastructure to launch powerful attacks.

Solutions to these security issues include the following:

Image Complex passwords: Strong passwords are beyond important; they are critical, as I will mention many times in this text. As of the writing of this book, accepted password schemes include the following:

Image For general security: 10 characters minimum, including at least one capital letter, one number, and one special character

Image For confidential data: 15 characters minimum, including a minimum two each of capital letters, numbers, and special characters

When it comes to the cloud, a security administrator might just opt to use the second option for every type of cloud. The reasoning is that public clouds can be insecure (you just don’t know), and private clouds will most likely house the most confidential data. To enforce the type of passwords you want your users to choose, a strong server-based policy is recommended.

Image Powerful authentication methods: Passwords are all well and good, but how the person is authenticated will prove to be just as important. Multifactor authentication can offer a certain amount of defense in depth. In this scenario, if one form of authentication is compromised, the other works as a backup. For example, in addition to a password, a person might be asked for biometric confirmation such as a thumbprint or voice authorization, for an additional PIN, or to swipe a smart card. Multifactor authentication may or may not be physically possible, depending on the cloud environment being used, but if at all possible, it should be considered.

Image Strong cloud data access policies: We’re talking the who, what, and when. When it comes to public clouds especially, you should specifically define which users have access, exactly which resources they have access to, and when they are allowed to access those resources. Configure strong passwords and consider two-factor authentication. Configure policies from servers that govern the users; for example, use Group Policy objects on a Windows Server domain controller. Audit any and all connected devices and apps. Consider storing different types of data with different services—some services do better with media files, for example. Remember that cloud storage is not backup. Approach the backing up of data as a separate procedure.

Image Encryption: Encryption of individual data files, whole disk encryption, digitally signed virtual machine files...the list goes on. Perhaps the most important is a robust public key infrastructure (PKI), which we discuss further in Chapter 15, “PKI and Encryption Protocols.” That is because many users will access data through a web browser.

Image Standardization of programming: The way applications are planned, designed, programmed, and run on the cloud should all be standardized from one platform to the next, and from one programmer to the next. Most important is standardized testing in the form of input validation, fuzzing, and white-, gray-, or black-box testing.

Image Protection of all the data!: This includes storage area networks (SANs), general cloud storage, and the handling of big data (for example, astronomical data). When data is stored in multiple locations, it is easy for some to slip through the cracks. Detailed documentation of what is stored where (and how it is secured) should be kept and updated periodically. As a top-notch security admin, you don’t want your data to be tampered with. So, implementing some cloud-based security controls can be very helpful. For example, consider the following: deterrent controls (prevent the tampering of data), preventive controls (increase the security strength of a system that houses data), corrective controls (reduce the effects of data tampering that has occurred), and detective controls (detect attacks in real time, and have a defense plan that can be immediately carried out).


Note

We’ll discuss security controls in more depth in Chapter 12, “Vulnerability and Risk Assessment.”


What else are we trying to protect here? We’re concerned with protecting the identity and privacy of our users (especially executives because they are high-profile targets). We need to secure the privacy of credit card numbers and other super-confidential information. We want to secure physical servers that are part of our server room or data center, because they might be part of our private cloud. We desire protection of our applications with testing and acceptance procedures. (Keep in mind that these things all need to be done within contractual obligations with any third-party cloud providers.) And finally, we’re interested in promoting the availability of our data. After all of our security controls and methods have been implemented, we might find that we have locked out more people than first intended. So, our design plan should contain details that will allow for available data, but in a secure manner.

Customers considering using cloud computing services should ask for transparency—or detailed information about the provider’s security. The provider must be in compliance with the organization’s security policies; otherwise, the data and software in the cloud becomes far less secure than the data and software within the customer’s own network. This concept, and most of the concepts in the first half of this chapter, should be considered when planning whether to have data, systems, and infrastructure contained on-premises, in a hosted environment, on the cloud, or a mix of those. If there is a mix of on-premises infrastructure and cloud-provider infrastructure, a company might consider a cloud access security broker (CASB)—a software tool or service that acts as the gatekeeper between the two, allowing the company to extend the reach of its security policies beyond its internal infrastructure.

Server Defense

Now we come down to it. Servers are the cornerstone of data. They store it, transfer it, archive it, and allow or disallow access to it. They need super-fast network connections that are monitored and baselined regularly. They require an admin to configure policies, check logs, and perform audits frequently. They exist in networks both large and small, within public and private clouds, and are often present in virtual fashion. What it all comes down to is that servers contain the data and the services that everyone relies on. So, they are effectively the most important things to secure on your network.

Let’s break down five types of servers that are of great importance (in no particular order), and talk about some of the threats and vulnerabilities to those servers, and ways to protect them.

File Servers

File server computers store, transfer, migrate, synchronize, and archive files. Really any computer can act as a file server of sorts, but examples of actual server software include Microsoft Windows Server, macOS/OS X Server, and the various types of Linux server versions (for example, Ubuntu Server or Red Hat Server), not to mention Unix. File servers are vulnerable to the same types of attacks and malware that typical desktop computers are. To secure file servers (and the rest of the servers on this list), employ hardening, updating, anti-malware applications, software-based firewalls, hardware-based intrusion detection systems (HIDSs), and encryption, and be sure to monitor the server regularly.

Network Controllers

A network controller is a server that acts as a central repository of user accounts and computer accounts on the network. All users log in to this server. An example of this would be a Windows Server system that has been promoted to a domain controller (runs Active Directory). In addition to the attacks mentioned for file servers, a domain controller can be the victim of LDAP injection. It also has Kerberos vulnerabilities, which can ultimately result in privilege escalation or spoofing. As mentioned in Chapter 5, LDAP injection can be prevented with proper input validation. But in the specific case of a Windows domain controller, really the only way to keep it protected (aside from the preventive measures mentioned for file servers) is to install specific security update hot patches for the OS, even if the latest service pack has been installed. This also applies to Kerberos vulnerabilities.


Note

An example of a Microsoft Security Bulletin addressing vulnerabilities in Kerberos can be found at the following link. You can see that even with the latest update, a server can still be vulnerable.

https://technet.microsoft.com/library/security/ms11-013


E-mail Servers

E-mail servers are part of the message server family. When we make reference to a message server, we mean any server that deals with e-mail, faxing, texting, chatting, and so on. But for this section we’ll concentrate strictly on the e-mail server. The most common of these is Microsoft Exchange. An Exchange Server might run POP3, SMTP, and IMAP, and allow for Outlook web-based connections. That’s a lot of protocols and ports running. So, it’s not surprising to hear some Exchange admins confess that running an e-mail server can be difficult at times, particularly because it is vulnerable to XSS attacks, overflows, DoS/DDoS attacks, SMTP memory exploits, directory traversal attacks, and of course spam. Bottom line, it has to be patched...a lot.

An admin needs to keep on top of the latest vulnerabilities and attacks, and possibly be prepared to shut down or quarantine an e-mail server at a moment’s notice. New attacks and exploits are constantly surfacing because e-mail servers are a common and big target with a large attack surface. For spam, a hardware-based spam filter is most effective (such as one from Barracuda), but software-based filters can also help. To protect the integrity and confidentiality of e-mail-based data, an admin should consider DLP and encryption. Security could also come in the form of secure POP3 and secure SMTP, and we’ll talk more about the specific secure e-mail protocols in Chapter 7. But also, security can come as encrypted SSL/TLS connections, security posture assessment (SPA), secure VPNs, and other encryption types, especially for web-based connections. Web-based connections can be particularly insecure—great care must be taken to secure these connections. For example, push notification services for mobile devices are quite common. While TLS is normally used as a secure channel for the e-mail connection, text and metadata can at times be sent as clear text. A solution to this is for the operating system to use a symmetrical key to encrypt the data payload. Vendors may or may not do this, so it is up to the e-mail admin to incorporate this added layer of security, or at least verify that push e-mail providers are implementing it.

Thinking a little outside of the box, an admin could consider moving away from Microsoft (which is the victim of the most attacks) and toward a Linux solution such as the Java-based SMTP server built into Apache, or with a third-party tool such as Zimbra (or one of many others). These solu139tions are not foolproof, and still need to be updated, but it is a well-known fact that historically Linux has not been attacked as often as Microsoft (in general), though the difference between the two in the number of attacks experienced has shrunk considerably since the turn of the millennium.

Web Servers

The web server could be the most commonly attacked server of them all. Examples of web servers include Microsoft’s Internet Information Services (IIS), Apache HTTP Server (Linux), lighttpd (FreeBSD), Oracle iPlanet Web Server (Oracle), and iPlanet’s predecessor Sun Java System Web Server (Sun Microsystems). Web servers in general can be the victim of DoS attacks, overflows, XSS and XSRF, remote code execution, and various attacks that make use of backdoors. For example, in IIS, if basic authentication is enabled, a backdoor could be created, and attackers could ultimately bypass access restrictions. An IIS admin must keep up to date with the latest vulnerabilities by reading Microsoft Security Bulletins, such as this one which addresses possible information disclosure: https://technet.microsoft.com/library/security/ms12-073.

In general, a security administrator should keep up to date with Common Vulnerabilities and Exposures (CVE) as maintained by MITRE (http://cve.mitre.org/). The latest CVE listings for applications and operating systems can be found there and at several other websites.

Aside from the usual programmatic solutions to vulnerabilities such as XSS (discussed in Chapter 5), and standard updating and hot patching, a security admin might consider adding and configuring a hardware-based firewall from Cisco, Juniper, Check Point, or other similar company. And, of course, HTTPS (be it SSL or, better yet, TLS) can be beneficial if the scenario calls for it. Once a server is secured, you can prove the relative security of the system to users by using an automated vulnerability scanning program (such as Netcraft) that leaves a little image on the web pages that states whether or not the site is secure and when it was scanned or audited.

Apache can be the casualty of many attacks as well, including privilege escalation, code injection, and exploits to the proxy portion of the software. PHP forms and the PHP engine could act as gateways to the Apache web server. Patches to known CVEs should be applied ASAP.


Note

A list of CVEs to Apache HTTP Server (and the corresponding updates) can be found at the following link: http://httpd.apache.org/security/.


When it comes to Apache web servers, security admins have to watch out for the web server attack called Darkleech. This takes the form of a malicious Apache module (specifically an injected HTML iframe tag within a PHP file). If loaded on a compromised Apache web server, it can initiate all kinds of attacks and deliver various payloads of malware and ransomware. Or, it could redirect a user to another site that contains an exploit kit such as the Blackhole exploit kit mentioned in Chapter 2. Though Darkleech is not limited to Apache, the bulk of Darkleech-infected sites have been Apache-based.


Note

So much for Microsoft being less targeted than Linux. As time moves forward, it seems that no platform is safe. A word to the wise—don’t rely on any particular technology because of a reputation, and be sure to update and patch every technology you use.


As far as combating Darkleech, a webmaster can attempt to query the system for PHP files stored in folders with suspiciously long hexadecimal names. If convenient for the organization, all iframes can be filtered out. And, of course, the Apache server should be updated as soon as possible, and if necessary, taken offline while it is repaired. In many cases, this type of web server attack is very hard to detect, and sometimes the only recourse is to rebuild the server (or virtual server image) that hosts the Apache server.


Note

Another tool that some attackers use is archive.org. This website takes snapshots of many websites over time and stores them. They are accessible to anyone, and can give attackers an idea of older (and possibly less secure) pages and scripts that used to run on a web server. It could be that these files and scripts are still located on the web server even though they are no longer used. This is a vulnerability that security admins should be aware of. Strongly consider removing older unused files and scripts from web servers.


FTP Server

An FTP server can be used to provide basic file access publicly or privately. Examples of FTP servers include the FTP server built into IIS, the Apache FtpServer, and other third-party offerings such as FileZilla Server and Pure-FTPd.

The standard, default FTP server is pretty insecure. It uses well-known ports (20 and 21), doesn’t use encryption by default, and has basic username/password authentication. As a result, FTP servers are often the victims of many types of attacks. Examples include bounce attacks—when a person attempts to hijack the FTP service to scan other computers; buffer overflow attempts—when an attacker tries to send an extremely long username (or password or filename) to trigger the overflow; and attacks on the anonymous account (if utilized).

If the files to be stored on the FTP server are at all confidential, the security administrator should consider additional security. This can be done by incorporating FTP software that utilizes secure file transfer protocols such as FTPS or SFTP. Additional security can be provided by using FTP software that uses dynamic assignment of data ports, instead of using port 20 every time. We’ll discuss more about ports and secure protocols in Chapter 7. Encryption can prevent most attackers from reading the data files, even if they are able to get access to them. Of course, if not a public FTP, the anonymous account should be disabled.

But there are other, more sinister attacks lurking, ones that work in conjunction with the web server, which is often on the same computer, or part of the same software suite—for instance, the web shell. There are plenty of variants of the web shell, but we’ll detail its basic function. The web shell is a program that is installed on a web server by an attacker, and is used to remotely access and reconfigure the server without the owner’s consent.

Web shells are remote access Trojans (RATs), but are also referred to as backdoors, since they offer an alternative way of accessing the website for the attacker. The reason I place the web shell attack here in the FTP section is because it is usually the FTP server that contains the real vulnerability—weak passwords. Once an attacker figures out an administrator password of the FTP server (often through brute-force attempts), the attacker can easily install the web shell, and effectively do anything desired to that web server (and/or the FTP server). It seems like a house of cards, and in a way, it is.

How can we prevent this from happening? First, increase the password security and change the passwords of all administrator accounts. Second, eliminate any unnecessary accounts, especially any superfluous admin accounts and the dreaded anonymous account. Next, strongly consider separating the FTP server and web server to two different computers or virtual machines. Finally, set up automated scans for web shell scripts (usually PHP files, lo and behold), or have the web server provider do so. If the provider doesn’t offer that kind of scanning, use a different provider. If a web shell attack is accomplished successfully on a server, the security admin must at the very least search for and delete the original RAT files, and at worst re-image the system and restore from backup. This latter option is often necessary if the attacker has had some time to compromise the server. Some organizations have policies that state servers must be re-imaged if they are compro141mised in any way, shape, or form. It’s a way of starting anew with a clean slate, but it means a lot of configuring for the admin. But again, the overall concern here is the complexity of, and the frequency of changing, the password.

That’s the short list of servers. But there are plenty of others you need to be cognizant of, including: DNS servers (which we cover in Chapter 7), application servers, virtualization servers, firewall/proxy servers, database servers, print servers, remote connectivity servers such as RRAS and VPN (which we will discuss more in Chapter 10), and computer telephony integration (CTI) servers. If you are in charge of securing a server, be sure to examine the CVEs and bulletins for that software, 142and be ready to hot-patch the system at a moment’s notice. This means having an RDP, VNC, or other remote connection to that specific server ready to go on your desktop, so that you can access it quickly.

Chapter Review Activities

Use the features in this section to study and review the topics in this chapter.

Chapter Summary

Designing a secure network is more than just setting up a Microsoft Visio document and dragging a firewall onto the LAN. This might have been good security planning in 1998, but today we need a plan that includes many layers of protection, allowing for defense in depth. For instance, today’s networks require specially secured devices such as switches, routers, and telephony equipment. And those networks might need demilitarized zones (DMZs), intrusion prevention systems (IPSs), content filters, network access control (NAC), subnetting, virtual local area networks (VLANs), and of course...firewalls.

Keep in mind that some of these technologies might exist on, or be moved to, the cloud. This opens up Pandora’s box when it comes to security. The security administrator needs to be sure not only that resources are secured properly, but also that the cloud provider is reputable, and will take care of its end of the safety of the organization’s data and infrastructures.

An organization has a lot of choices when it comes to the cloud. Software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS), and security as a service (SECaaS) are some of the main types of cloud offerings. SaaS is probably the most common, and is used to run web-based applications remotely. IaaS offloads the network infrastructure of a company to the cloud and utilizes virtual machines to store entire operating systems. PaaS enables organizations to develop applications in a powerful virtual environment without using internal resources. SECaaS incorporates security services to a corporate structure on a subscription basis in an efficient way that many small/midsize companies cannot provide. Some organizations will opt to use more than one of these solutions.

Once the type of cloud solution is selected, an organization must select whether its resources will be kept publicly, privately, or a mixture of the two (hybrid or community-oriented). This will be based on the budget and manpower of the organization in question, but each option has its own set of security concerns.

Besides loss of administrative power, an organization going to the cloud might encounter data integrity issues, availability issues, and, worst of all, potential loss of confidentiality. That’s the entire CIA triad right there, so making use of the cloud should be approached warily. To reduce the chance of data breaches on the cloud, organizations make use of complex passwords, password and cloud data access policies, strong authentication methods, encryption, and protection of data and applications on several levels.

It’s the servers that are of greatest concern. They are attacked the most often, as it is they who contain the data. The common victims are the e-mail servers, web servers, and FTP servers, because they are so readily accessible, and because of the plethora of ways they can be compromised. Patching systems is an excellent method of protection—and keeping up to date with the latest Common Vulnerabilities and Exposures (CVE) is the best way to know exactly what needs to be patched.

As a final remark, a good security administrator has to remember that any platform is susceptible to attack, in one form or another. Every single server and networking device, either on the local network or on the cloud, should be secured accordingly.

Review Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 6-5 lists a reference of these key topics and the page number on which each is found.

Image

Table 6-5 Key Topics for Chapter 6

Key Topic Element Description Page Number
Bulleted list Description of switch security implications 121
Figure 6-1 Example of public and private IPv4 addresses 124
Figure 6-2 3-leg perimeter DMZ 126
Table 6-4 Types of VLAN hopping 131

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

MAC flooding

CAM table

fail-open mode

MAC spoofing

Spanning Tree Protocol (STP)

network address translation

port address translation

static NAT

one-to-one mapping

demilitarized zone (DMZ)

3-leg perimeter

back-to-back perimeter

network access control (NAC)

VLAN hopping

war-dialing

cloud computing

software as a service (SaaS)

infrastructure as a service (IaaS)

platform as a service (PaaS)

security as a service (SECaaS)

Common Vulnerabilities and Exposures (CVE)

Complete the Real-World Scenarios

Complete the Real-World Scenarios found on the companion website (www.pearsonitcertification.com/title/9780134846057). You will find a PDF containing the scenario and questions, and also supporting videos and simulations.

Review Questions

Answer the following review questions. Check your answers in Appendix A, “Answers to the Review Questions.”

1. Which of the following would you set up in a multifunction SOHO router?

A. DMZ

B. DOS

C. OSI

D. ARP

2. Which of the following is a private IPv4 address?

A. 11.16.0.1

B. 127.0.0.1

C. 172.16.0.1

D. 208.0.0.1

3. Which of these hides an entire network of IP addresses?

A. SPI

B. NAT

C. SSH

D. FTP

4. Which of the following statements best describes a static NAT?

A. Static NAT uses a one-to-one mapping.

B. Static NAT uses a many-to-many mapping.

C. Static NAT uses a one-to-many mapping.

D. Static NAT uses a many-to-one mapping.

5. Which of the following should be placed between the LAN and the Internet?

A. DMZ

B. HIDS

C. Domain controller

D. Extranet

6. You want to reduce network traffic on a particular network segment to limit the amount of user visibility. Which of the following is the best device to use in this scenario?

A. Switch

B. Hub

C. Router

D. Firewall

7. You receive complaints about network connectivity being disrupted. You suspect that a user connected both ends of a network cable to two different ports on a switch. What can be done to prevent this?

A. Loop protection

B. DMZ

C. VLAN segregation

D. Port forwarding

8. You see a network address in the command-line that is composed of a long string of letters and numbers. What protocol is being used?

A. IPv4

B. ICMP

C. IPv3

D. IPv6

9. Which of the following cloud computing services offers easy-to-configure operating systems?

A. SaaS

B. IaaS

C. PaaS

D. VM

10. Which of the following might be included in Microsoft Security Bulletins?

A. PHP

B. CGI

C. CVE

D. TLS

11. Which of the following devices would most likely have a DMZ interface?

A. Switch

B. VoIP phone

C. Proxy server

D. Firewall

12. Your network uses the subnet mask 255.255.255.224. Which of the following IPv4 addresses are able to communicate with each other? (Select the two best answers.)

A. 10.36.36.126

B. 10.36.36.158

C. 10.36.36.166

D. 10.36.36.184

E. 10.36.36.224

13. You are implementing a testing environment for the development team. They use several virtual servers to test their applications. One of these applications requires that the servers communicate with each other. However, to keep this network safe and private, you do not want it to be routable to the firewall. What is the best method to accomplish this?

A. Use a virtual switch.

B. Remove the virtual network from the routing table.

C. Use a standalone switch.

D. Create a VLAN without any default gateway.

14. Your boss (the IT director) wants to move several internally developed software applications to an alternate environment, supported by a third party, in an effort to reduce the footprint of the server room. Which of the following is the IT director proposing?

A. PaaS

B. IaaS

C. SaaS

D. Community cloud

15. A security analyst wants to ensure that all external traffic is able to access an organization’s front-end servers but also wants to protect access to internal resources. Which network design element is the best option for the security analyst?

A. VLAN

B. Virtualization

C. DMZ

D. Cloud computing

16. In your organization’s network you have VoIP phones and PCs connected to the same switch. Which of the following is the best way to logically separate these device types while still allowing traffic between them via an ACL?

A. Install a firewall and connect it to the switch.

B. Create and define two subnets, configure each device to use a dedicated IP address, and then connect the whole network to a router.

C. Install a firewall and connect it to a dedicated switch for each type of device.

D. Create two VLANs on the switch connected to a router.

17. You ping a hostname on the network and receive a response including the address 2001:4560:0:2001::6A. What type of address is listed within the response?

A. MAC address

B. Loopback address

C. IPv6 address

D. IPv4 address

18. Analyze the following network traffic logs depicting communications between Computer1 and Computer2 on opposite sides of a router. The information was captured by the computer with the IPv4 address 10.254.254.10.

Computer1 Computer2
 [192.168.1.105]------[INSIDE 192.168.1.1 router OUTSIDE
   10.254.254.1] -----[10.254.254.10] LOGS
7:58:36 SRC 10.254.254.1:3030, DST 10.254.254.10:80, SYN
7:58:38 SRC 10.254.254.10:80, DST 10.254.254.1:3030, SYN/ACK
7:58:40 SRC 10.254.254.1:3030, DST 10.254.254.10:80, ACK

Given the information, which of the following can you infer about the network communications?

A. The router implements NAT.

B. The router filters port 80 traffic.

C. 192.168.1.105 is a web server.

D. The web server listens on a nonstandard port.

19. Your organization uses VoIP. Which of the following should be performed to increase the availability of IP telephony by prioritizing traffic?

A. NAT

B. QoS

C. NAC

D. Subnetting

20. You have been tasked with segmenting internal traffic between layer 2 devices on the LAN. Which of the following network design elements would most likely be used?

A. VLAN

B. DMZ

C. NAT

D. Routing

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset