Fundamentals
Based on Security+
Hello!
I am Abdulrahman AlDaej
Part 2. Technology and Tools
PERIMETER SECURITY
Small Tip:
Keep in mind that each organization
has different needs and might use
additional tools for perimeter defense
Firewall
• A device or application that analyzes packet headers
and enforces policy based on protocol type, source
address, destination address, source port, and/or
destination port. Packets that do not match policy are
rejected
Firewall Rules
• Access control lists (ACLs) allow or disallow traffic
based on source IP, destination IP, port number, time
of day, or application.
Implicit deny:
• Most firewalls include a deny rule at the end of the list,
even if you didn’t add one.
• Unless you explicitly permit it, traffic cannot pass.
Stateless firewall
• Access Control List (ACL) firewall
• Does not keep track of traffic flows
• Each packet is individually examined,
regardless of past history
• Faster, and performs better under heavier traffic
loads
Stateful Firewall
• Remembers the “state” of the session
• Watches traffic streams from end to end
• Everything within a valid flow is allowed
• Better at identifying unauthorized and forged
communications
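To make the three ideas above concrete (ordered ACL rules, the implicit deny at the end of the list, and the difference between a stateless and a stateful check), here is an added Python example. It is not code from the original deck; the rule set, the IP addresses and the packet fields are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    syn: bool = False          # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src_ip: str = "any"
    dst_ip: str = "any"
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.src_ip == "any" or self.src_ip == p.src_ip)
                and (self.dst_ip == "any" or self.dst_ip == p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port))


class StatelessFirewall:
    """ACL firewall: every packet is checked on its own against the rules in
    order; the first match wins, and anything unmatched hits the implicit deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"  # implicit deny: no rule matched


class StatefulFirewall(StatelessFirewall):
    """Remembers allowed flows, so reply packets are accepted without their own
    ACL entry, while mid-stream segments for flows it never saw are refused."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()  # (proto, client_ip, client_port, server_ip, server_port)

    def decide(self, p: Packet) -> str:
        forward = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if forward in self.flows or reverse in self.flows:
            return "allow"   # part of a valid, already-approved flow
        if p.proto == "tcp" and not p.syn:
            return "deny"    # unsolicited/forged segment: no session exists for it
        verdict = super().decide(p)   # new flow: consult the ACL (implicit deny included)
        if verdict == "allow":
            self.flows.add(forward)
        return verdict


# Constructed rule set: inbound HTTPS to the web server is permitted, SSH is explicitly denied.
RULES = [
    Rule("allow", proto="tcp", dst_ip="10.0.0.5", dst_port=443),
    Rule("deny", proto="tcp", dst_ip="10.0.0.5", dst_port=22),
]


def demo():
    """Run a few constructed packets through both firewall types."""
    client_syn = Packet("tcp", "203.0.113.7", "10.0.0.5", 51000, 443, syn=True)
    server_reply = Packet("tcp", "10.0.0.5", "203.0.113.7", 443, 51000)
    forged_ack = Packet("tcp", "198.51.100.9", "10.0.0.5", 40000, 443)      # no SYN, no session
    telnet = Packet("tcp", "203.0.113.7", "10.0.0.5", 51001, 23, syn=True)  # no rule at all

    stateless = StatelessFirewall(RULES)
    stateful = StatefulFirewall(RULES)
    return {
        "stateless_reply": stateless.decide(server_reply),  # deny: the reply has no ACL entry
        "stateful_syn": stateful.decide(client_syn),        # allow: rule matched, flow recorded
        "stateful_reply": stateful.decide(server_reply),    # allow: reverse of a known flow
        "stateful_forged": stateful.decide(forged_ack),     # deny: mid-stream segment, no session
        "implicit_deny": stateless.decide(telnet),          # deny: nothing matched
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The stateless firewall would need a second rule for the server's replies (source port 443 outbound), which is exactly the kind of broad hole a stateful firewall avoids: it allows the reply only because it saw the matching SYN first.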
VPN Concentrators
• A VPN concentrator is a type of networking
device that is used to allow multiple external
users to access internal network resources
using secure features that are built into the
device (VPN)
• Often integrated into a firewall
Site-to-Site VPN
• Always-on or almost always
• Firewalls often act as VPN concentrators
(you probably already have firewalls in place)
IPsec (Internet Protocol Security)
• A set of protocols that provides security
for Internet Protocol (layer 3)
• Authentication and encryption for every
packet
• Confidentiality (encryption) and integrity/anti-replay
protection
• Common to use multi-vendor
implementations
IPsec protocols
Authentication Header (AH):
• Hash of the packet and a shared key
using MD5, SHA-1, or SHA-2 (Integrity)
IDS/IPS Detection technologies
Passive Monitoring
• Examine a copy of the traffic
• Port mirror (The switch sends a copy of all
network packets seen on one port)
• No way to block (prevent) traffic
Out-of-band response
• When malicious traffic is identified, IDS/IPS
sends TCP RST (reset) frames
• After-the-fact
Inline monitoring
• IDS/IPS sits physically inline
• All traffic passes through the IDS/IPS
In-band response
• Malicious traffic is immediately identified
• Dropped at the IPS
• Does not proceed through the network
Routers
SWITCH
A switch is a device in a computer network
that connects other devices together using its ports.
• Layer 2 device
• Forwards traffic based on MAC address
Port Security
Enables individual switch ports to be configured
to allow only a specified number of source MAC
addresses to come in through the port.
• MAC addresses can be spoofed
• Even so, port security can provide useful network
security functionality.
Loop Prevention
• Connect two switches to each other
• They’ll send traffic back and forth forever
• There’s no “counting” mechanism at the MAC
layer
• This is an easy way to bring down a network
• Easy to resolve using Spanning Tree Protocol
Proxy
A server or an application that sits between the users
and the external network.
• Receives the user requests and sends the
requests on their behalf (the proxy)
• Useful for caching information, access control,
URL filtering, and content scanning
• Transparent: users will not notice it
Forward Proxy
The destination server sees the requests as coming from
the proxy (protects the internal users)
Reverse Proxy
Users think the response comes directly from the
server (protects the internal servers)
LOAD BALANCER
A load balancer is a device that acts as a reverse
proxy and distributes network or application
traffic across a number of Servers
Round-Robin scheduling
• Sending each new request to the next server
• Requests are distributed equally across the servers.
Affinity scheduling
• Designed to keep a host connected to the same
server across a session.
• Web applications can benefit from affinity-based
scheduling.
Active-Passive Load Balancing
The first load balancer actively does the
balancing while the secondary load balancer
passively observes and is ready to step in at any
time the primary system fails.
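An added Python example (not from the original deck) covering the two scheduling slides and the active-passive slide together: a round-robin scheduler, an affinity scheduler built on top of it, and an active-passive pair that fails over on a health check. Server and client names are constructed.

```python
import itertools


class RoundRobinBalancer:
    """Round-robin scheduling: each new request goes to the next server in
    turn, so load is spread equally and the client's identity is ignored."""

    def __init__(self, servers):
        self.servers = list(servers)
        self._next = itertools.cycle(self.servers)

    def pick(self, client_id):
        return next(self._next)


class AffinityBalancer:
    """Affinity (sticky) scheduling: a client's first request is placed
    round-robin; every later request from that client goes to the same server
    for the life of the session."""

    def __init__(self, servers):
        self._rr = RoundRobinBalancer(servers)
        self.sessions = {}  # client_id -> server

    def pick(self, client_id):
        server = self.sessions.get(client_id)
        if server is None:
            server = self.sessions[client_id] = self._rr.pick(client_id)
        return server


class ActivePassivePair:
    """Active-passive pair: the primary balancer serves traffic while the
    secondary only watches; once a health check reports the primary down,
    the secondary takes over."""

    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary
        self.primary_healthy = True

    def health_check(self, primary_healthy):
        self.primary_healthy = primary_healthy

    def pick(self, client_id):
        active = self.primary if self.primary_healthy else self.secondary
        return active.pick(client_id)


def simulate(balancer, clients):
    """Return the server chosen for each request, one entry per request."""
    return [balancer.pick(c) for c in clients]


SERVERS = ["web1", "web2", "web3"]                              # constructed
REQUESTS = ["alice", "bob", "alice", "bob", "carol", "alice"]   # constructed

if __name__ == "__main__":
    print("round-robin:", simulate(RoundRobinBalancer(SERVERS), REQUESTS))
    print("affinity:   ", simulate(AffinityBalancer(SERVERS), REQUESTS))
    pair = ActivePassivePair(AffinityBalancer(SERVERS), AffinityBalancer(SERVERS))
    print("before failover:", simulate(pair, ["alice", "bob"]))
    pair.health_check(False)
    print("after failover: ", simulate(pair, ["bob", "alice"]))
```

One thing the toy makes visible: the standby keeps its own affinity table, so after a failover a client can be re-homed to a different server and lose its session. Real active-passive products replicate session state to the standby for exactly this reason.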
Wireless Access Point (WAP)
Networking hardware device that allows a Wi-Fi
device to connect to a wired network
• WAP is an OSI layer 2 device
Signal Strength
• Set it as low as you can. How low is low?
• Requires some additional study
• Location, location, location
Wi-Fi Band Selection
• 2.4-GHz band used for older standards
such as 802.11a/b/g is crowded and
subject to interference
• Newer standards such as 802.11n and
802.11ac use the 5-GHz band
Antenna types:
Omnidirectional antennas:
• Included on most access points
• Signal is evenly distributed on all sides
• No ability to focus the signal
Directional antennas:
• Focus the signal
• Increased distances
• Send and receive in a single direction
SIEM
• Security Information and Event Management
• Tools collect, correlate, and display data feeds that
support response activities
• The purpose of SIEM is to turn a large amount of
data into knowledge that can be acted upon
• One of the challenges is in determining what to log
and what not to log
Aggregation
• Collecting information in a central place in a
common format, to facilitate analysis and decision
making.
Correlation
• Linking events based on some common basis.
Events can be correlated based on time, on
common events, or on behaviors
Automated Alerting and Triggers
• SIEMs have the ability through a set of rules
and the use of analytical engines to identify
specific predetermined patterns and either
issue an alert or react to them
Time Synchronization
• Switches, routers, firewalls, servers.
• Synchronizing the clocks becomes critical
• Log files, authentication information, outage details
• Automatic update with NTP (Network Time
Protocol)
Event de-duplication
• Filter out the noise
• Focus on the real problems
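An added Python example, not from the original deck, that walks through the four SIEM functions on the last two slides on constructed log lines: aggregation (two log formats normalized into one schema), time synchronization (a known clock skew on one host corrected before ordering), event de-duplication (identical events collapsed with a count) and a correlation rule with an automated alert. The log lines, host names, IP addresses and the skew value are all made up; the regexes match only these constructed formats.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs. fw01 keeps correct time; srv01's clock is 120 s
# behind true time, so its lines look earlier than they really were.
FW_LOGS = [
    "2024-03-01T10:00:01Z fw01 DENY tcp 198.51.100.9:40000 -> 10.0.0.5:22",
    "2024-03-01T10:00:01Z fw01 DENY tcp 198.51.100.9:40000 -> 10.0.0.5:22",  # logged twice
    "2024-03-01T10:00:03Z fw01 ALLOW tcp 198.51.100.9:40001 -> 10.0.0.5:22",
]
AUTH_LOGS = [
    "Mar 01 09:58:05 srv01 sshd[2211]: Failed password for admin from 198.51.100.9 port 40001 ssh2",
    "Mar 01 09:58:07 srv01 sshd[2211]: Failed password for admin from 198.51.100.9 port 40001 ssh2",
    "Mar 01 09:58:09 srv01 sshd[2211]: Failed password for admin from 198.51.100.9 port 40001 ssh2",
    "Mar 01 09:58:20 srv01 sshd[2211]: Accepted password for admin from 198.51.100.9 port 40001 ssh2",
    "Mar 01 09:58:30 srv01 sshd[2240]: Accepted password for alice from 10.0.0.44 port 50100 ssh2",
]
CLOCK_OFFSETS = {"srv01": -120}  # seconds each host's clock is ahead of true time (assumed known)

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)")


def parse_fw(line):
    m = FW_RE.match(line)
    return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), "host": m["host"],
            "src_ip": m["src"], "event": "fw." + m["action"].lower(),
            "detail": f"{m['proto']}/{m['dport']}"}


def parse_auth(line, year=2024):
    m = AUTH_RE.match(line)  # syslog timestamps carry no year, so one is assumed
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "src_ip": m["src"],
            "event": "auth." + m["result"].lower(), "detail": m["user"]}


def aggregate(fw_lines, auth_lines, clock_offsets=None):
    """Aggregation + time synchronization: normalize both formats into one
    schema, correct each host's known clock skew, and order on one timeline."""
    offsets = clock_offsets or {}
    events = [parse_fw(l) for l in fw_lines] + [parse_auth(l) for l in auth_lines]
    for e in events:
        e["ts"] -= timedelta(seconds=offsets.get(e["host"], 0))
    return sorted(events, key=lambda e: e["ts"])  # stable sort keeps duplicates adjacent


def deduplicate(events, window=timedelta(seconds=5)):
    """Collapse runs of identical events (same host, source, event, detail)
    inside `window` into one event with a count. Only adjacent events merge."""
    out = []
    for e in events:
        key = (e["host"], e["src_ip"], e["event"], e["detail"])
        last = out[-1] if out else None
        if (last and (last["host"], last["src_ip"], last["event"], last["detail"]) == key
                and e["ts"] - last["ts"] <= window):
            last["count"] += 1
        else:
            out.append(dict(e, count=1))
    return out


def correlate(events, window=timedelta(seconds=60), threshold=3):
    """Correlation rule: at least `threshold` failed logins from one IP, followed
    within `window` by a successful login from the same IP, raises an alert."""
    alerts, by_ip = [], {}
    for e in events:
        by_ip.setdefault(e["src_ip"], []).append(e)
    for ip, evs in by_ip.items():
        failures = [(e["ts"], e.get("count", 1)) for e in evs if e["event"] == "auth.failed"]
        for s in (e for e in evs if e["event"] == "auth.accepted"):
            n = sum(c for t, c in failures if s["ts"] - window <= t <= s["ts"])
            if n >= threshold:
                alerts.append({"src_ip": ip, "failures": n, "success_at": s["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    timeline = deduplicate(aggregate(FW_LOGS, AUTH_LOGS, CLOCK_OFFSETS))
    for e in timeline:
        print(e["ts"].isoformat(), e["host"], e["event"], e["detail"], f"x{e['count']}")
    print(correlate(timeline))
```

Run `aggregate` without the offsets and the srv01 logins sort before the firewall ever allowed the connection, which is why the slide calls NTP critical: without it the analyst cannot tell cause from effect across sources. The correlation counts the de-duplicated event's `count`, so noise reduction does not hide the burst of failures it is looking for.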
Data Loss Prevention (DLP)
DLP technology can scan packets for specific
data patterns: secrets, specific markers, or files.
When specific data elements are detected, the
system can block the transfer
(DATA EXFILTRATION)
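An added Python example of the scanning step described above; it is not code from the deck or from any DLP product. It looks for three kinds of pattern in an outbound payload (a classification marker, a card-number-shaped string that also passes the Luhn check, and a PEM private-key header) and returns a block/allow decision. The markers and sample payloads are constructed; the card number used is the well-known test value 4111 1111 1111 1111.

```python
import re

MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")           # constructed classification markers
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")  # 16 digits with optional separators
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts the false positives that a bare 16-digit regex
    produces on order numbers, ticket ids and similar."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(payload: str):
    """Return a list of (kind, evidence) findings. Card numbers are reported
    masked so the DLP log itself does not become a place the data leaks to."""
    findings = []
    for marker in MARKERS:
        if marker in payload:
            findings.append(("marker", marker))
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", digits[:6] + "******" + digits[-4:]))
    if PRIVATE_KEY_RE.search(payload):
        findings.append(("private_key", "PEM block"))
    return findings


def inspect_transfer(payload: str):
    """Policy decision for one outbound transfer: block if anything matched."""
    findings = scan(payload)
    return ("block" if findings else "allow", findings)


if __name__ == "__main__":
    samples = [  # constructed payloads
        "CONFIDENTIAL: customer card 4111 1111 1111 1111 exp 12/29",
        "order 1234 5678 9012 3456 has shipped",                 # looks like a PAN, fails Luhn
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n",
        "lunch at noon?",
    ]
    for s in samples:
        print(inspect_transfer(s))
```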
Network Access Control (NAC)
NAC can protect the network from malicious
machines through policy enforcement that helps ensure
computers are connected only after they are
properly configured.
MAIL GATEWAY
A mail server that receives email but passes it on
SSL accelerators
A device that plugs into the server and contains a
co-processor that performs part of the SSL/TLS
processing, relieving the load on the web server’s
main processor
SSL Decryptor
A device that has the ability to view inside
secure HTTP (HTTPS) traffic (SSL/TLS)
Hardware Security Modules (HSMs)
A device used to manage or store encryption keys.
It can also assist in cryptographic operations such
as encryption, hashing, or digital signatures.
• HSMs have tamper protection mechanisms to
prevent physical access
Time for Testing ourselves and answering
some questions!
Protocol Analyzers
Hardware or software used to capture and
analyze signals and data traffic over a
communication channel, e.g. Wireshark, tcpdump
WIRELESS SCANNERS/CRACKER
• Wireless monitoring - Packet capturing
• Wireless attacks: Rogue access point,
deauthentication attacks, etc.
• Cracking using dictionary/brute-force attacks, rainbow
tables
• Examples of wireless scanners: Kismet,
NetStumbler, Airodump
• Password cracking tools: John the Ripper,
Aircrack
EXPLOITATION FRAMEWORKS
• Tool sets designed to assist hackers/pen testers in
the tasks associated with exploiting vulnerabilities
in a system.
• The most commonly used framework is Metasploit
STEGANOGRAPHY TOOLS
• The science of hidden writing, or more specifically
the hiding of messages in other content.
HONEYPOT
A honeypot is a server that is designed to act like
the real server on a corporate network, but rather
than having the real data, the data it possesses is
fake.
Command Line Security Tools
ping
• Test reachability
• Internet Control Message Protocol (ICMP)
netstat -a
• All active connections and listening ports
traceroute/tracert
• Determine the route a packet takes to a
destination
• tracert (Windows) or traceroute (Linux)
nslookup/dig
• Look up names and IP addresses
• nslookup (Windows) or dig (Linux)
ipconfig/ifconfig
• Troubleshooting starts with your IP address
• Ping your local router/gateway
• Network adapter information
• ipconfig (Windows) or ifconfig (Linux)
netcat
• A tool that can do port scanning, monitoring,
and file copying.
• Netcat is Linux based, but available for
Windows machines.
Time for Testing ourselves and answering
some questions!
Common Security Issues
Unencrypted credentials
• Authentication is a critical process
• All data must be protected
• But some protocols aren't encrypted, like
Telnet, FTP, SMTP, IMAP, HTTP
Permission issues
Ensuring that the list of users and associated
rights is complete and up to date is a challenging
task.
Access Violation
• User is unauthorized and is either making a
mistake or attempting to get past security.
• The other option is that permissions are set
inappropriately (requires SIEM)
Personnel issues
• The weakest link - People make mistakes
• Always so willing to help someone
• User should agree to Acceptable Use Policy
(AUP) before access to a corporate network
Unauthorized Software
• Removing users’ ability to add software
• The use of whitelisting
Baseline Deviation
• Everything should be well documented:
hardware, software, data storage
• Any changes to the norm should be identified; if
something deviates from the baseline, you
must fix it
• Anti-virus and signature version, OS patches
License compliance violation
• Operating systems, applications, and hardware
appliances are all licensed with different
methodologies
• Availability is affected when a license is not valid
• A missing/bad license may cause problems with
data integrity
Asset management
• Identify and track computing assets
• Usually an automated process
• Respond faster to security problems
• You know who, what, and where
• Keep an eye on the most valuable assets
• Both hardware and data
Antivirus
Software that detects, prevents, and removes
malware from a computer.
• Signatures (database)
• Heuristics look for instructions or commands that
are not normal (high false-positive rate)
Facts from Kaspersky:
in Q1 2017:
• 479,528,279 malicious attacks blocked
• 79,209,775 malicious URLs identified
• 240,799 blocked ransomware attacks
File integrity checker
UTM
Unified threat management (UTM) describes network
solutions that integrate the capabilities of several
security products into one all-inclusive security
console.
• Antivirus
• Antimalware
• Firewall
• Intrusion prevention
• Virtual private networking (VPN)
• Web filtering
• Data loss prevention
• Popular among small businesses because it
provides an affordable alternative to purchasing
each security solution separately
Web application firewall (WAF)
• Hardware firewall for HTTP that applies a set of
rules to an HTTP conversation. Generally, these
rules cover common attacks such as cross-site
scripting (XSS) and SQL injection.
WAF vs IPS
Mobile Device Connection Methods
Cellular networks
Mostly 4G/LTE in nature, although some 3G services still
exist
Wi-Fi
These systems exist on the 2.4- and 5-GHz frequencies
Bluetooth
A short-range, low-power wireless protocol that
transmits in the 2.4-GHz band
Near-field communication (NFC)
A set of wireless technologies that enables
smartphones and other devices to establish radio
communication when they are close to each other
ANT
A wireless sensor technology (2.4 GHz) that enables you to
view fitness and health monitoring data in real time
on your mobile device
IR (Infrared)
• Included on many smartphones and
smartwatches
• It cannot penetrate solid objects
Time for Testing ourselves and answering
some questions!
Mobile device management (MDM)
Mobile Content Management (MCM)
Geolocation
• Precise tracking details (uses GPS)
• Tracks within feet
• Find your phone, or find you
• May be managed by the MDM
Remote wipe
• Remove all data from your mobile device
• Even if you have no idea where it is
• Often managed from the MDM
• Connect and wipe from the web
Geofencing
• Some MDMs allow for geofencing (uses GPS)
• Restrict or allow features when the device is in a particular
area
• The camera might only work when outside the office
• Only allow logins when the device is located in a particular
area
Time for Testing ourselves and answering
some questions!