Network Security 2
Network Segmentation
- Dividing computer networks into smaller parts
- Granular policies
- Damage control, containment
- Separation can be physical
- Distinct routers/switches
- Or logical
- VLAN
- Software-defined networks SDNs
- Physical resources are shared but distinct logical networks
Zero Trust
- In the past, internal network considered "trustworthy"
- Threats can very much originate from internal network
- Or "lateral" movement if perimeter breached
- In a Zero Trust Architecture, no implicit trust
- "Never trust, always verify"
- Penetrating the perimeter is no longer enough
- It is the current mindset for networks
- Explicit and mutual authentication, context-aware, attribute/role-based access control, least privilege, segmentation etc
WiFi Security Protocols
- Wired Equivalent Privacy (WEP)
- Weak, password cracked in minutes
- 40-bit keys!
- Deprecated since 2003
- WiFI Protected Access (WPA)
- Current standard is WPA2
- 128-bit keys
- Personal (PSK) or Enterprise
- WPA3 in development
Common Threats
- Packet sniffing/eavesdropping
- Rogue AP/Evil Twin
- Password Cracking
- KRACK 2017 WPA2 Attack
- Exploiting weakness in handshake
Good Practise
- Strong auth
- Updates
- Turn off WPS
- Mac filtering
- Segment to IoT/legacy devices
- WIPS/WIDS
DOS (Denial of Service)
- A denial of service attack is an attempt to make a machine or network resource unavailable to its authorised/intended users
- Will usually involve flooding a machine with enough requests that it cant serve its legitimate purpose
- A DDoS occurs where there is more than one attacking machine
Simple Attack Example
TCP Syn Flooding
- Attacker initiates a genuine connection but then immediately breaks it
- Attacker never finishes 3-way handshake
- Victim is busy with the timeout
- Attacker initiates large number of syn requests
- Victim reaches its half-open connection limit
- DoS
Application Attacks
- Regular attacks are your bandwidth vs your targets
- Amplification attacks utilise some aspect of a network protocol to increase the bandwidth of an attack
Smurf & Fragile attacks
Smurf attacks broadcast an ICMP Ping request to a route, but with a spoofed IP belonging to the victim A Fraggle attack is identical in principle, using UDP echo packets
DNS Amplification
- Recursive resolvers respond to DNS queries then return a response
- This response can be many times larger than the query
- Many DNS servers are set up incorrectly, and will happily amplify your traffic - Open Resolvers
- Botnets maintain lists of misconfigured open resolvers, and there are projects attempting to shut them down
NTP Amplification
- NTP is a protocol for synchronising time between machines
- Extremely similar to DNS amplification
- MON_GETLIST request returns the list of the last 600 contacts
Slowloris
- Open numerous connections to a server
- Begin an HTTP request, but never actually finish it
R-U-Dead-Yet?
- Similar to Slowloirs
- Begin an extremely long HTTP POST, send tiny amounts at time