Skip to main content

Network Security 2

Network Segmentation

  • Dividing computer networks into smaller parts
  • Granular policies
  • Damage control, containment
  • Separation can be physical
    • Distinct routers/switches
  • Or logical
    • VLAN
    • Software-defined networks SDNs
    • Physical resources are shared but distinct logical networks

Zero Trust

  • In the past, internal network considered "trustworthy"
  • Threats can very much originate from internal network
    • Or "lateral" movement if perimeter breached
  • In a Zero Trust Architecture, no implicit trust
    • "Never trust, always verify"
    • Penetrating the perimeter is no longer enough
    • It is the current mindset for networks
  • Explicit and mutual authentication, context-aware, attribute/role-based access control, least privilege, segmentation etc

WiFi Security Protocols

  • Wired Equivalent Privacy (WEP)
    • Weak, password cracked in minutes
    • 40-bit keys!
    • Deprecated since 2003
  • WiFI Protected Access (WPA)
    • Current standard is WPA2
    • 128-bit keys
    • Personal (PSK) or Enterprise
    • WPA3 in development

Common Threats

  • Packet sniffing/eavesdropping
  • Rogue AP/Evil Twin
  • Password Cracking
  • KRACK 2017 WPA2 Attack
    • Exploiting weakness in handshake

Good Practise

  • Strong auth
  • Updates
  • Turn off WPS
  • Mac filtering
  • Segment to IoT/legacy devices
  • WIPS/WIDS

DOS (Denial of Service)

  • A denial of service attack is an attempt to make a machine or network resource unavailable to its authorised/intended users
  • Will usually involve flooding a machine with enough requests that it cant serve its legitimate purpose
  • A DDoS occurs where there is more than one attacking machine

Simple Attack Example

TCP Syn Flooding

  • Attacker initiates a genuine connection but then immediately breaks it
  • Attacker never finishes 3-way handshake
  • Victim is busy with the timeout
  • Attacker initiates large number of syn requests
  • Victim reaches its half-open connection limit
  • DoS

Application Attacks

  • Regular attacks are your bandwidth vs your targets
  • Amplification attacks utilise some aspect of a network protocol to increase the bandwidth of an attack

Smurf & Fragile attacks

Smurf attacks broadcast an ICMP Ping request to a route, but with a spoofed IP belonging to the victim A Fraggle attack is identical in principle, using UDP echo packets

DNS Amplification

  • Recursive resolvers respond to DNS queries then return a response
  • This response can be many times larger than the query
  • Many DNS servers are set up incorrectly, and will happily amplify your traffic - Open Resolvers
  • Botnets maintain lists of misconfigured open resolvers, and there are projects attempting to shut them down

NTP Amplification

  • NTP is a protocol for synchronising time between machines
  • Extremely similar to DNS amplification
  • MON_GETLIST request returns the list of the last 600 contacts

Slowloris

  • Open numerous connections to a server
  • Begin an HTTP request, but never actually finish it

R-U-Dead-Yet?

  • Similar to Slowloirs
  • Begin an extremely long HTTP POST, send tiny amounts at time