BASIC NETWORK SECURITY CONCEPTS
CCST CYBERSECURITY
DURATION: 3 MONTHS
AMEER HAMZA
GOVERNMENT COLLEGE OF TECHNOLOGY, SAMANABAD,
FAISALABAD
CONTENTS
TCP, UDP and HTTP
ARP, ICMP, DHCP and DNS
IPv4 and IPv6 Addresses
MAC Addresses and Network Segmentation
CIDR Notation
NAT and Public vs. Private Network
Network Security Architecture and DMZ
Virtualization and Cloud
Honeypot, Proxy Server
IDS and IPS
MAC Address Filtering
Encryption Standards
Encryption Protocols
SSID
ACL and Firewall
VPN and NAC
TCP, UDP and HTTP
Network protocols are sets of rules that computers and devices connected
to a network, often called nodes, use to exchange messages across a
network.
A protocol defines each message's format and contents.
For any two nodes to communicate across a network, they must both agree
to use specific protocols so they can understand each other.
To understand how attackers can use protocol vulnerabilities to launch
cyberattacks, it is important to be familiar with the most common network
protocols.
The three most common protocols in use in today's networks are Transmission
Control Protocol (TCP), User Datagram Protocol (UDP) and Hypertext
Transfer Protocol (HTTP).
TCP and UDP provide the transport mechanism for most network
communication across LANs and the internet. HTTP is the most common
protocol for web browsers and servers to communicate.
The problem is that all three of these protocols carry their contents in
cleartext. In other words, anything you put into a TCP, UDP or HTTP message
can be read by anyone who has access to a node on the network.
Many protocols have been around for decades and were designed long
before security was an issue. These protocols, while functional, often need
helper protocols to add security to network communication.
The good news is that the layered design of networking protocols makes it
possible to add security to existing protocols without having to replace
ingrained protocols.
The lack of encryption is not the only vulnerability of these protocols.
Since TCP is a connection-oriented protocol, before two nodes can
exchange TCP data, they must negotiate a session. This process is
called a TCP handshake.
The initiator sends a message with the SYN flag in the message
header to request a connection to the receiver.
The receiver should then respond with a TCP message that has the
ACK flag set to acknowledge the request.
The initiator acknowledges receipt of the receiver's response and the
session gets created. This process is called a three-way handshake.
Attackers know that they can trick nodes into thinking they are setting up a large number
of connections by sending many packets with the SYN flag set without ever responding to
the acknowledgments.
This strategy causes the recipient to fill its connection table with half-open connections.
The result is that the recipient cannot accept any new connection requests and
essentially becomes unavailable.
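To make the half-open connection problem concrete, here is an added Python example (not part of the original slides) that replays a constructed packet trace against a receiver with a fixed-size connection table and flags any source holding too many half-open entries. The addresses, the table size and the alert threshold are made-up values for the illustration.

```python
from collections import Counter

# Constructed packet trace, not captured from a real network. Each entry is
# (src "ip:port", dst "ip:port", flags). A complete handshake comes first;
# then one source sends many SYNs and never sends the final ACK. The
# receiver's reply carries both SYN and ACK, hence the "SYN-ACK" label.
TRACE = [
    ("10.1.1.5:50000", "172.14.33.10:80", "SYN"),
    ("172.14.33.10:80", "10.1.1.5:50000", "SYN-ACK"),   # receiver's reply
    ("10.1.1.5:50000", "172.14.33.10:80", "ACK"),       # handshake complete
]
for i in range(150):
    TRACE.append((f"203.0.113.9:{40000 + i}", "172.14.33.10:80", "SYN"))
    TRACE.append(("172.14.33.10:80", f"203.0.113.9:{40000 + i}", "SYN-ACK"))
TRACE.append(("10.1.1.6:50001", "172.14.33.10:80", "SYN"))  # legitimate, arrives late


def replay(trace, table_size=128):
    """Replay a trace against a receiver whose connection table can hold at
    most `table_size` pending (half-open) entries, as the slide describes.
    Returns (table, rejected): table maps (src, dst) -> state and rejected
    lists the sources whose SYN was turned away because the table was full."""
    table = {}
    rejected = []
    for src, dst, flags in trace:
        key = (src, dst)
        if flags == "SYN":
            pending = sum(1 for s in table.values() if s == "SYN_RECEIVED")
            if pending >= table_size:
                rejected.append(src)        # table full: new requests dropped
                continue
            table[key] = "SYN_RECEIVED"     # half-open until the final ACK
        elif flags == "ACK" and table.get(key) == "SYN_RECEIVED":
            table[key] = "ESTABLISHED"      # three-way handshake finished
        # SYN-ACK is the receiver's own reply; nothing to record for it
    return table, rejected


def half_open_by_source(table):
    """Count half-open connections per source IP (port stripped)."""
    counts = Counter()
    for (src, _dst), state in table.items():
        if state == "SYN_RECEIVED":
            counts[src.rsplit(":", 1)[0]] += 1
    return counts


def detect_syn_flood(table, threshold=50):
    """Flag every source IP holding more than `threshold` half-open entries.
    The threshold is a constructed value; tune it to the real service."""
    return sorted(ip for ip, n in half_open_by_source(table).items() if n > threshold)


if __name__ == "__main__":
    table, rejected = replay(TRACE)
    print("half-open per source:", dict(half_open_by_source(table)))
    print("flood suspects:", detect_syn_flood(table))
    print("SYNs rejected while the table was full:", len(rejected))
```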
The UDP protocol does not have this vulnerability because it does not rely on connections.
UDP is often used to send packets to all nodes in a network, a process called
broadcasting a message.
However, there are plenty of ways to use UDP messages for denial-of-service attacks as
well.
Although HTTP operates at a different layer than TCP or UDP, it is also a frequent target
for attackers. Malicious HTTP messages can leverage vulnerabilities in web servers or
web browsers to attack the confidentiality, integrity or availability of services or servers.
ARP, ICMP, DHCP and DNS
To properly secure a network from attack, cybersecurity professionals should have a
working knowledge of common networking protocols and their vulnerabilities.
ARP (Address Resolution Protocol) translates an IP address into a physical address, called
a Media Access Control (MAC) address.
To see the ARP command at work, open PowerShell in Windows and type arp -a <IP Address>
to get the MAC address corresponding to that IP address.
LAN network switches keep internal tables of connected devices with each one's IP and
MAC addresses. Whenever a switch receives a packet with an unknown IP address, it
broadcasts an ARP request to find the MAC address for the unknown node.
Attackers sometimes respond to ARP requests with their own MAC address and can
intercept network traffic that is not addressed to them.
Type the command arp -a with no IP address to list the entire ARP table.
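An added Python example, not from the slides, that parses constructed arp -a output in the Windows format and runs two defender-side checks over it: one MAC claimed by several IP addresses, and a gateway whose MAC differs from a recorded baseline. The addresses, MACs and the baseline are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output in the Windows format. The addresses
# and MACs are made up for this example, not taken from a real machine.
SAMPLE_ARP_TABLE = """\
Interface: 172.14.33.25 --- 0xb
  Internet Address      Physical Address      Type
  172.14.33.1           00-11-22-33-44-55     dynamic
  172.14.33.10          00-11-22-33-44-55     dynamic
  172.14.33.12          aa-bb-cc-dd-ee-01     dynamic
  172.14.33.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Assumed baseline: the gateway's real MAC, recorded while the network was healthy.
BASELINE = {"172.14.33.1": "00-aa-bb-cc-dd-ee"}

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for each entry line; header and interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def is_special(ip, mac):
    """Broadcast and multicast mappings legitimately repeat; leave them out."""
    first_octet = int(ip.split(".")[0])
    return mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e") or 224 <= first_octet <= 239


def find_anomalies(table, baseline):
    """Two checks a defender can run over a cached ARP table:
    1. one MAC answering for several IPs, the footprint of a poisoned cache;
    2. a baseline host (here the gateway) whose MAC no longer matches the record."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if not is_special(ip, mac):
            by_mac[mac].append(ip)
    findings = []
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, sorted(ips)))
    for ip, expected in baseline.items():
        seen = table.get(ip)
        if seen and seen != expected.lower():
            findings.append(("baseline-mismatch", ip, [expected.lower(), seen]))
    return findings
```

On a real machine the text would come from running arp -a and capturing its output; the same parser and checks apply unchanged.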
ICMP (Internet Control Message Protocol) is a protocol designed to help
administrators troubleshoot network problems. ICMP supports sending queries to
targets and then collecting return information from devices along the way.
Administrators can use the received status information to determine the cause of
many network problems.
Attackers and security professionals often use ICMP to determine what nodes are
active on a network.
The most widely recognized ICMP packet is the ping packet, which is used to
determine whether network nodes are active.
Type ping <IP Address> to see the ping command in action. Successful replies tell
us that a node with that IP address is alive and responding to ping requests. Just
because a ping command fails does not mean the host is down:
many hosts are configured to ignore ICMP packets.
DHCP (Dynamic Host Configuration Protocol) allows nodes to move from
network to network.
When a node wants to connect to a network, it sends a DHCP request to the
published DHCP server on that network and the server responds with an IP
address that the node uses to identify itself.
DHCP can be vulnerable to attacks that assign malicious IP addresses, which
could segment networks and redirect traffic away from legitimate nodes.
TP-Link hosts emulators for many of their networking devices. Open a web
browser and navigate to https://emulator.tp-link.com/Emulator_ArcherC2_US_v5/index.htm
This page is the same administration page you would see if you were
changing the configuration of a TP-Link Archer C2 wireless router.
DNS is similar to ARP but at a higher level. While ARP translates an IP address into a
MAC address, DNS translates a domain name into an IP address.
DNS allows users to enter addresses such as microsoft.com in a web browser so
the browser can find the IP address of Microsoft's web server.
DNS carries out the lookup and returns the IP address.
Attackers that can compromise a DNS server can replace valid IP addresses with
those of their own malicious servers.
A corrupt DNS server could redirect unsuspecting users directly to an attacker's
computer.
The nslookup command issues a DNS query and returns the IP address
associated with a hostname.
IPv4 and IPv6 Addresses
A new version of IP has been released with a much larger address.
The latest version of IP, IPv6, has 128-bit addresses.
Currently, only about 20% of the address space is defined, which is enough to
allocate about 4,000 IPv6 addresses to each person on the earth!
We should not run out of IPv6 addresses anytime soon.
MAC Addresses and Network Segmentation
A central theme in networking is properly identifying nodes and
the services they support.
Domain names are convenient and recognizable labels for
devices.
IP addresses are identifiers that networks use to route traffic.
Domain names and IP addresses are easily transferable
identifiers that can move from node to node.
To deliver packets to the right physical destination, networks
need a physical address to identify where packets should go.
To provide a physical device address, networks use media access
control (MAC) addresses.
A MAC address is a 48-bit address that identifies a network interface
controller (NIC).
A NIC is a hardware device that connects a node to network media.
The NIC's vendor assigns a unique MAC address to each device during
manufacturing.
Although a hard-coded address sounds like an address you can trust, it is
not hard to change a device's MAC address to any other value.
Attackers use MAC address changes to make their devices appear to be
trusted nodes.
Using PowerShell in Windows, enter the ipconfig /all command to see a
complete picture of all network interfaces, including each interface's MAC
address, which is labeled Physical Address.
MAC Addresses and Network Segmentation
For example, PCI DSS requires that any devices that handle
payment data be separated from devices that do not.
Part of a PCI DSS assessment is validating proper network
segmentation.
Classless Inter-Domain Routing (CIDR) Notation
CIDR notation was introduced to help define public networks of different sizes.
Understanding what the CIDR notation means makes it easy to express and
interpret a network's scope in a compact form.
An IP address is actually made up of at least two parts, the network
address and the host address.
The first part of an address identifies a network of multiple hosts, and the
rest of the address identifies unique hosts connected to a single network.
For example, let's assume Food Fresh hosts a network in their corporate
headquarters with around 150 devices connected to it.
While they plan on modest growth, they do not expect to add more than
another 50 devices in the foreseeable future.
Food Fresh applies for a network address that supports 256 hosts and
requires 8 bits in the host part of the address.
Remember that each additional bit doubles the number of values the host
part can represent, so a 7-bit host address would be too short since it can
only address 128 hosts.
That means Food Fresh's IPv4 address will have a network space of 24 bits
and a host address space of 8 bits.
Assume that the assigned IPv4 address for the first node on the Food Fresh
network is 172.14.33.1. The CIDR notation for the Food Fresh network would be
172.14.33.0/24.
This notation shows that the leading 24 bits in the address identify the
network and the remaining bits identify hosts connected to the network.
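The Food Fresh calculation carried out in code, as an added Python example that is not part of the original slides; it uses the standard ipaddress module and generalises the walk-through to any host count and any sample address.

```python
import ipaddress
import math


def host_bits_needed(hosts):
    """Smallest host-part width whose 2**bits covers `hosts` addresses, following
    the slide's counting (256 addresses for 8 bits). In a deployed subnet the
    network and broadcast addresses are not assignable, so leave that margin."""
    return max(1, math.ceil(math.log2(hosts)))


def plan_network(sample_host, hosts_now, growth):
    """CIDR block containing `sample_host` with room for hosts_now + growth devices.
    Food Fresh: 150 devices + 50 growth -> 200 -> 8 host bits -> /24."""
    bits = host_bits_needed(hosts_now + growth)
    prefix = 32 - bits
    # strict=False masks the host part off, yielding the network address (.0)
    return ipaddress.ip_network(f"{sample_host}/{prefix}", strict=False)


def describe(network):
    """Break the CIDR notation into the pieces the slide talks about."""
    return {
        "cidr": str(network),
        "network_bits": network.prefixlen,
        "host_bits": network.max_prefixlen - network.prefixlen,
        "addresses": network.num_addresses,
        "first_host": str(network[1]),
        "last_host": str(network[-2]),
    }


def same_network(host_a, host_b, network):
    """True when both hosts fall inside the block, i.e. share its leading bits."""
    return (ipaddress.ip_address(host_a) in network
            and ipaddress.ip_address(host_b) in network)


if __name__ == "__main__":
    net = plan_network("172.14.33.1", 150, 50)
    print(describe(net))                                        # cidr 172.14.33.0/24
    print(same_network("172.14.33.7", "172.14.33.200", net))   # True
```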
NAT and Public vs. Private Network
The world has been out of IPv4 addresses for years. There are many
more devices connected to the internet today than there are possible IPv4
addresses. How can this be, you might ask?
Fortunately, the IPv4 designers set aside several address ranges that
are not part of the public address pool.
Public IP addresses are addresses that network devices use to route
packets from network to network until the packet reaches its
destination.
A private address is non-routable, meaning that routers will not
forward a packet with a non-routable address to another network.
NAT makes it possible for nodes with private addresses to communicate with
external nodes.
The protocol also makes it easier to hide true IP addresses from the outside world.
NAT makes continued use of IPv4 possible, in spite of the lack of unique addresses.
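An added Python example (not from the slides) showing how a NAT router with a single public address lets two private hosts reach an external server and hands each reply back to the right host; the public address 198.51.100.7 and the other addresses are assumed values.

```python
import ipaddress

PUBLIC_IP = "198.51.100.7"   # assumed: the router's single public (routable) address


class Nat:
    """Source NAT with port translation, the form used by home and office routers.
    Every private host shares the one public address; the router records each
    mapping so a reply arriving from outside can be handed back to the right host."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private_ip, private_port, dst) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port, dst):
        """Packet leaving the private network. Returns the rewritten
        (src_ip, src_port, dst) as the outside world sees it."""
        if not ipaddress.ip_address(src_ip).is_private:
            return (src_ip, src_port, dst)          # already routable: untouched
        key = (src_ip, src_port, dst)
        if key not in self.outbound:                # first packet of a new flow
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst)

    def translate_inbound(self, dst_port, src):
        """Reply arriving at the public side. A port with no mapping is dropped:
        an outside node cannot reach a private host that never started a flow,
        which is the address-hiding effect the slide mentions."""
        target = self.inbound.get(dst_port)
        if target is None:
            return None
        return (*target, src)


def demo():
    """Two private hosts using the same source port talk to one external server."""
    nat = Nat(PUBLIC_IP)
    server = ("203.0.113.80", 443)                 # assumed external web server
    out_a = nat.translate_outbound("192.168.1.10", 50000, server)
    out_b = nat.translate_outbound("192.168.1.11", 50000, server)
    back_b = nat.translate_inbound(out_b[1], server)
    return out_a, out_b, back_b


if __name__ == "__main__":
    for step in demo():
        print(step)
```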
Network Security Architecture
Basic networks include nodes and media. Nodes can include endpoints, servers
and network devices. Media can be wired or wireless, and many networks include
both.
Networks that include security components will also contain network security
devices, segmented networks and redundant media to fulfill the goal of resilience to
interruption.
Demilitarized Zone (DMZ)
The goal is to make the website easily accessible to the public, but not
the internal database.
A DMZ is a network segment with at least two firewalls.
One firewall allows access to the web server from the
internet and the second firewall blocks internet access to the
internal network.
The web server lives between the two firewalls and is
permitted to connect to the internal database by the second
firewall.
A DMZ is a common solution to the need to provide internet-facing
services without exposing sensitive internal network
resources.
Virtualization
Virtualization is the practice of running multiple operating
systems simultaneously on a single physical computer.
Historically, an operating system provided an interface between
users and computing hardware.
In virtualized systems, a software program called a hypervisor
simulates the physical hardware and allows operating systems to
run as if they were running on physical hardware.
Virtualization allows organizations to make full use of their physical hardware
investment by running multiple virtual machines, perhaps even
running different operating systems, at the same time without
having to invest in additional dedicated hardware.
Organizations can focus IT investment on capable hardware that can
support multiple simultaneous virtual machines, each of which can
dynamically use just the physical resources needed and leave the rest
for other virtual machines running on the same physical hardware.
Virtualization technology also makes it easy to suspend a virtual
machine and restart it at a later time, perhaps even running it on a
different physical computer.
The ease of creating, moving and managing images of running systems
is also convenient for building standardized virtual machines, reducing
the need to load new computers with layers of software and data before
use.
Examples of virtualization software are VMware Workstation and Oracle VirtualBox.
Cloud Computing
Honeypot, Proxy Server, IDS and IPS
The main goal in building secure IT environments is to place
enough obstacles between attackers and resources to make it
difficult to carry out a successful attack.
Many types of controls stand in the way of an attack.
Several types of network devices serve special purposes in
securing networks.
Honeypots, proxy servers, intrusion detection systems and intrusion
prevention systems provide layers of control to networks.
Learning about these special devices is important to any security
professional wanting to build a comprehensive security plan.
Honeypot
A honeypot is a deliberately insecure computer that is connected
to your network.
The purpose of a honeypot is to distract an attacker with what
appears to be an easy target.
Honeypots are often configured to collect more detailed logging
info to help track an attacker's actions and origin.
As long as the attacker is busy exploiting the honeypot, other
systems may be protected.
As helpful as honeypots are, they are never substitutes for
controls to protect other valuable resources.
Proxy Server
A proxy server is a network device that exists between two entities that
are communicating across a network.
The proxy server receives messages from one entity and then forwards
the message to its destination.
Since the proxy server has access to each message, it can examine the
messages and take action based on its analysis.
Proxy servers often use rules to determine the best action to take for a
message.
One type of proxy server, a firewall, separates approved traffic from
unapproved traffic.
The firewall will forward approved traffic to its destination and either
reject or silently drop unapproved traffic.
IDS and IPS
An intrusion detection system (IDS) is a passive network device that
examines packets and compares each one to a database of malicious
patterns.
If the IDS finds a match, it triggers an alert to investigate further.
An IDS can help detect potentially malicious network activity, but it does
not do anything about a possible attack.
An intrusion prevention system (IPS) does the same thing as an IDS, except
that an IPS can take action.
Instead of only triggering an alert, an IPS can block an IP address, close a
port, or take other actions to stop suspected malicious activity.
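An added Python example, not from the slides, that models the IDS/IPS difference: the same signature database is run over constructed packets, and only in IPS mode are matching packets dropped and their source blocked for the packets that follow. The signatures and the traffic are made up for the illustration.

```python
import re

# Constructed signature database. The patterns are deliberately simple; the
# second one flags a credential crossing the network in cleartext HTTP, the
# kind of exposure the TCP, UDP and HTTP slide warns about.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "cleartext-password": re.compile(r"(?i)password="),
}


class Sensor:
    """mode="ids": passive, records an alert and lets the packet through.
    mode="ips": inline, drops the matching packet and blocks its source so
    later packets from that source are dropped without further inspection."""

    def __init__(self, mode):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.alerts = []       # (source_ip, signature_name)
        self.blocked = set()   # source IPs blocked by the IPS

    def inspect(self, pkt):
        src, payload = pkt
        if self.mode == "ips" and src in self.blocked:
            return "dropped"
        for name, sig in SIGNATURES.items():
            if sig.search(payload):
                self.alerts.append((src, name))
                if self.mode == "ips":
                    self.blocked.add(src)
                    return "dropped"
                return "forwarded"        # the IDS sees it but cannot stop it
        return "forwarded"


# Constructed traffic: (source_ip, application payload). Not real captures.
PACKETS = [
    ("10.1.1.5", "GET /index.html HTTP/1.1"),
    ("203.0.113.9", "GET /static/../../private/config.ini HTTP/1.1"),
    ("203.0.113.9", "GET /about.html HTTP/1.1"),   # harmless, but source is now blocked
    ("10.1.1.6", "POST /login HTTP/1.1 user=bob&password=hunter2"),
]


def run(mode, packets=PACKETS):
    """Return (verdict per packet, alerts raised, sources blocked)."""
    sensor = Sensor(mode)
    verdicts = [sensor.inspect(p) for p in packets]
    return verdicts, sensor.alerts, sensor.blocked


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(mode))
```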
Security professionals should study the different types of controls and
deploy the ones that provide the best mix of protection in their
organization's IT environment.
MAC Address Filtering
Unsecured wireless networks can be easy entry points for
attackers.
A little effort invested in hardening your wireless networks
can go a long way toward reducing your attack surface.
One of the most effective techniques to secure a wireless
network used by known clients is MAC address filtering.
Let's see how to set up MAC address filtering using a TP-Link
Archer C2 wireless router emulator. Open a web browser and
navigate to
https://emulator.tp-link.com/Emulator_ArcherC2_US_v5/index.htm
Encryption Standards, Protocols and SSID
Since wireless networks are favorite targets for attackers, security professionals
should pay close attention to hardening each wireless network.
Limiting the options through the wireless access point administration portal can
make your wireless network more secure and less likely to be an entry point for
attackers.
Wireless networks without encryption are open doors for attack. Anyone who
connects to an unencrypted wireless network can view what other wireless users are
sending and receiving. Without encryption, wireless networks are not secure at all.
There are several options for wireless security protocols that most of today's
wireless network devices support. Let's set up wireless security using a TP-Link
Archer C2 wireless router emulator. Open a web browser and navigate to
https://emulator.tp-link.com/Emulator_ArcherC2_US_v5/index.htm
Wi-Fi Protected Access (WPA) was introduced to address the weaknesses of WEP.
It is far better than WEP but has been superseded by two more secure versions.
WPA2 is the first successor to WPA and the first wireless security protocol to use
the AES algorithm to provide very secure encryption.
WPA and WPA2 commonly work in personal mode, which uses a pre-shared key
that clients must know, or enterprise mode, which uses a RADIUS server to
manage connections.
WPA3 is the latest iteration of the WPA family and adds additional security
features to WPA2.
When configuring wireless networks, WPA2 is considered a good choice for most
applications.
For those that may require enhanced security, WPA3 is a good option if the
connecting devices support the latest standard.
Another recommendation to harden a wireless network is to disable
the Service Set Identifier (SSID) broadcast.
Let's see how to disable the SSID broadcast for the Archer C2 wireless
router.
In normal operation, the wireless access point broadcasts the SSID to
let any nearby devices know that an available wireless network exists.
SSID broadcast is a practice of convenience to advertise a wireless
network.
Disabling the SSID broadcast is not a sure-fire approach to hiding a
network, but each step to reduce a wireless network's visibility is a
step in the right direction.
ACL and Firewall
One of the most well-recognized network security devices is the
firewall.
In the security world, a firewall is a network device or software that
inspects packets and determines whether or not to allow those
packets to continue on their way.
Deploying one or more hardened firewalls in a network infrastructure
provides a solid layer of defense from attacks.
Let's see how to set up ACL rules in a firewall using a TP-Link Archer
C2 wireless router emulator. Open a web browser and navigate to
https://emulator.tp-link.com/Emulator_ArcherC2_US_v5/index.htm
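The DMZ rules described under Demilitarized Zone (DMZ) and the ACL concept from this slide, worked through as an added Python example that is not part of the original slides: an ordered access list evaluated first-match with an implicit default deny. The DMZ, internal and server addresses and the database port are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR block
    dst: str               # destination CIDR block
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port; None means any port

    def matches(self, pkt):
        src_ip, dst_ip, proto, port = pkt
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


def evaluate(acl, pkt):
    """First matching rule decides; a packet that matches nothing is denied,
    the implicit default deny that a production ACL should end with."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None


# Assumed layout: DMZ 172.14.34.0/24 with the web server at .10, internal
# network 10.10.0.0/16 with the database at 10.10.5.20 listening on 5432.
WEB, DB = "172.14.34.10", "10.10.5.20"

OUTER_FIREWALL = [           # internet -> DMZ: only the web service is reachable
    Rule("allow", "0.0.0.0/0", f"{WEB}/32", "tcp", 443),
    Rule("allow", "0.0.0.0/0", f"{WEB}/32", "tcp", 80),
]
INNER_FIREWALL = [           # DMZ -> internal: only the web server, only to the DB
    Rule("allow", f"{WEB}/32", f"{DB}/32", "tcp", 5432),
    Rule("deny", "172.14.34.0/24", "10.10.0.0/16", "any", None),
]

# Constructed packets: (src_ip, dst_ip, proto, dst_port)
SAMPLE_PACKETS = [
    ("203.0.113.5", WEB, "tcp", 443),     # public visitor to the website
    ("203.0.113.5", DB, "tcp", 5432),     # public visitor straight to the database
    (WEB, DB, "tcp", 5432),               # web server querying the database
    ("172.14.34.11", DB, "tcp", 5432),    # another DMZ host trying the database
]


def audit(acl, packets):
    """Verdict for each packet against one firewall's ACL."""
    return [(pkt, evaluate(acl, pkt)[0]) for pkt in packets]


if __name__ == "__main__":
    print("outer:", audit(OUTER_FIREWALL, SAMPLE_PACKETS))
    print("inner:", audit(INNER_FIREWALL, SAMPLE_PACKETS))
```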
VPN
In today's digital networking environment, security is much more important
since remote connections are more vulnerable to eavesdropping and attack.
Although wireless networks may provide encrypted communications between the endpoint
and the wireless access point, and secure websites encrypt web traffic between the
endpoint and web servers, many exchanges across a network remain unencrypted
and are targets for attacks.
A virtual private network (VPN) provides an attractive solution for remote connections
that would otherwise communicate in the clear.
A VPN establishes an end-to-end connection between an endpoint and a server
inside an organization's internal network and provides the ability to secure all traffic.
The VPN ensures that all network traffic gets encrypted before it is transmitted
along the tunnel, and the remote end decrypts the received data.
The encryption and decryption process is transparent to the user and their server.
Any attacker that intercepts VPN traffic will only see encrypted packets.
NAC
In today's IT infrastructure, the demand for secure remote access is continually growing.
Network Access Control (NAC) is a layer of security controls that limits access to protected
network resources.
NAC implements controlled remote access through authentication and by setting minimum
device requirements.
For example, to use a smartphone to connect to the Food Fresh internal network, NAC requires
that the device have antivirus software installed and that all storage on the device is
encrypted.
Other NAC requirements for remote and mobile devices may include establishing a login
passcode for the device and relinquishing some or all management control to the
organization.
The overall purpose of NAC is to define and enforce policies that restrict remote access to
internal network resources.
Along with a VPN, NAC can help reduce the possibility of attacks using the remote access
vector.