What the CISSP Won't Teach You Part Deux

Thursday, June 30, 2011

Boris Sverdlik


What the CISSP Won't Teach You Part One HERE

Hey we have SSL we are good! Uhm No you are not. Network basics for "security guys"...

If you have been following me, you might notice I tend to use “ACK” a lot when I respond. If you don’t know what this is, then we have a lot to learn. The CISSP study guide focuses on the OSI model, as they should for foundation.

I’m just going to go over the basics that I feel every security professional must know. I suggest you go out and read Wiley's Understanding TCP/IP & Gene Spafford's Building Internet Firewalls.

The books are fairly old, but will teach you all you need to know about networking for our profession, with the exception of IPv6 (I’m still learning).

With that said, why do we need to know networking as Security Professionals? Well, if you don’t understand how systems talk to each other, how can you do the whole GRC thing? You won’t be able to inject security into the SDLC, nor will you be able to identify fluff.

While I firmly agree that the term “IT Security” must go away, I also believe you must have a deep understanding of technology to be a security professional.
Let’s start with the very basics…

Layer 1. The Physical Layer

The physical connection is one commonly overlooked when designing security. I don’t need to go into Cat5/6, Fiber, Coax, etc. to a great length, but you do need to understand the differences.

Virtualization has added additional complexity, as now some feel comfortable using a single ESX Server and traversing networks of different security levels. In the past this was unheard of, as all it took was an overworked IT guy moving a cable and your core was exposed. Fun stuff ;).

The security professional needs to be aware of the risks associated with each physical medium. The easiest and cheapest to physically attack is Cat6; there are several devices available that allow you to splice the connection while keeping it active. Keep in mind that any unencrypted traffic can be picked up on the wire with this attack.
You need to ensure that physical connections are limited to known nodes. You can have a bulletproof firewall, but a physical drop in a shared area can be an attacker's best friend. I have conducted several pen tests where the client was so sure they couldn’t be breached because they didn’t have an Internet presence.

The way in was almost always the same. A network drop in a shared area is extremely common. You will have card readers, cameras and telephone drops. A small autosensing dumb hub is an easy quick solution. In most cases Port Security will not be enabled, and with any luck you will be plugged directly into the core. Start your discovery here...

How do we protect against this you ask??? Use dedicated VLANs for your physical security. A VLAN is a layer 2 technology which provides a separate collision domain. What this means is, an attacker will only be able to sniff the traffic on the segment that he has plugged into.

Additionally, you need to ensure that systems on that network are not allowed to initiate connections. The attacker could potentially initiate a layer 2 attack to capture credentials; however, that would end up in a race condition, so it would more than likely fail.

Layer 2. The Data Link Layer

This layer focuses on the delivery of frames between devices in the same collision domain. It doesn’t provide any routing functionality; what it does do is map the MAC address of the device to the port it is plugged into. Hubs run on Layer 1, as they send packets to every system that will listen for them; switches run on layer 2.

They provide the store and forward functionality. Packets are only sent to the port that the switch has mapped the end device to. When you try to establish an outgoing connection, the first thing your system does is send an ARP request to every port asking if this machine is on the local network. If it is not, the packets are forwarded on to the gateway address, which the system will also request.

Layer 2 provides the functionality to logically separate network segments by creating VLANs. A VLAN allows you to segregate by floor, function, etc. It creates a separate collision domain, which in the old days provided a false sense of security against eavesdropping of data. Don’t get me wrong, VLANs are our friends, but use them wisely, not just because they are cool. Combined with Layer 4 ACLs, you can at least potentially weed out the casual attacker.

The Demilitarized zone (DMZ) you keep hearing about is just a VLAN that is hopefully separated by a layer 4 device and not just an access list. DMZs come in all forms, but the most common are an Internet Services DMZ (web servers, mail servers, DNS, etc.) and a Partner DMZ (Market Data, Vendors, partners, etc.). Don’t broadcast routing to these guys. Make sure that you don’t allow funky connections initiating from these segments. Just saying...

Multicast is another fun layer two protocol you should be aware of. It pretty much forwards packets to every port. Market data applications typically use multicast to reduce latency. You could just plug in and listen ;) Fun Fact... some older IP CCTV implementations will broadcast to pretty much anyone listening. UPnP is a form of a layer 2 protocol.

Old school security guys still are of the mindset that “hey you can’t sniff our network, we run a switched environment”. That is a sad delusion for anyone that still believes this is the case. An attacker can start an ARP spoof attack where his node will start flooding the segment with ARP Response packets claiming to be the gateway. Now whenever a node requests the gateway address, before the legitimate gateway has a chance to respond, it will have already received the forged response.  

Now all the attacker has to do is forward your packets on their merry way to the final destination and you’d have no idea. A malicious attacker can make things even more fun for you by not forwarding packets. Can you say DoS? You need to ensure you use strong encryption, and keep in mind that SSL is not the end all be all. Your users are stupid, and will not always be cognizant of the fact that the little lock is broken.

How do we protect ourselves??? You can implement a Network access control solution, which authenticates nodes prior to letting them on to the network. This will deter a casual attacker, however it is false hope if you bridge your VOIP phones to the same port as the machine. In most instances the VOIP devices are added to the bypass list.

You should use a layered security model. Port Security should be enabled; IDS Response rules should trigger a port shutdown on multiple ARP responses past a certain threshold. Are you seeing yet how attackers think?? The CISSP will not teach you to think outside the box.
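The ARP-response threshold rule described above, sketched as detection logic (an added example, not from the original post). The five-replies-in-ten-seconds threshold, the `ArpWatch` and `sample_reply` names and the sample addresses are assumptions; the port shutdown itself is left to whatever the switch or IDS provides.

```python
import struct
from collections import defaultdict, deque

ARP_REPLY = 2

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

class ArpWatch:
    """Flags IP-to-MAC binding changes and per-MAC ARP reply floods."""
    def __init__(self, max_replies=5, window=10.0):
        self.max_replies, self.window = max_replies, window
        self.bindings = {}                  # ip -> first MAC seen answering for it
        self.recent = defaultdict(deque)    # mac -> timestamps of its recent replies

    def observe(self, ts, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, mac, ip = parsed
        alerts = []
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append(("binding-change", ip, known, mac))
        q = self.recent[mac]
        q.append(ts)
        while ts - q[0] > self.window:      # drop replies older than the window
            q.popleft()
        if len(q) > self.max_replies:
            alerts.append(("reply-flood", mac, len(q)))
        return alerts

def sample_reply(mac, ip):
    """Constructed 42-byte ARP reply used as sample input (never sent anywhere)."""
    m = bytes.fromhex(mac.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + m + bytes(map(int, ip.split(".")))
    return b"\xff" * 6 + m + b"\x08\x06" + arp + bytes(10)

def demo():
    watch, alerts = ArpWatch(), []
    alerts += watch.observe(0.0, sample_reply("00:00:5e:00:53:01", "192.0.2.1"))
    for t in range(1, 8):   # a second MAC answers for the gateway IP seven times
        alerts += watch.observe(float(t), sample_reply("00:00:5e:00:53:99", "192.0.2.1"))
    return alerts
```

Seeding `bindings` from a known-good inventory of gateway MACs, rather than trusting the first reply seen, closes the gap where the forged reply arrives first.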

Layer 3. The Network Layer

Now we get into some of the Sexy I had talked about earlier. Routing is handled by this sexy layer; it answers the “How the hell do I get there?” question. IP, RIP, BGP, ICMP, IGMP and more run at this layer.

IP is connectionless; it doesn’t care if your packet got to its final destination, it just tells it how to get there, and sometimes it throws a big “You can’t get there from here” (also known as FU No in technical terms).

The biggest threats against these protocols in the past have been the ability to inject false routing information thereby allowing data leakage or Denial of service. I’m not going to get into each one of these, as this is not a network tutorial.

All I will say is forget RIP! RIP is the easiest routing protocol to implement, as it pretty much just broadcasts its routes all over the place. The latest version has authentication built in, but sadly it can still be breached. Some organizations still like to do the whole static route thing; however, this leads to administrative nightmares.

Network address translation (NAT) also happens at Layer 3. NAT is the process of mapping one IP address to another. I would hope that most organizations use private address schemes, but I know better. You implement NAT as a way to allow your internal addresses to access public networks. This is where you can be of help and kill the 10 class C’s your boss bought for absolutely no reason back in the day. Most companies do not need that many external connections.

Finally, most encryption happens at higher layers, while IPSec runs at Layer 3. It essentially tunnels all of the above layers through an encrypted channel established at layer 3.

Security professionals tasked with looking at options to mitigate the whole DDoS thing should know that BGP is the NEW black. What it essentially does is provide a route to your systems using multiple ISPs as opposed to load balancing with round robin DNS records. Of course, you should also build load balancing into your infrastructure, but we’ll talk about that later.

Threats?? IP Spoofing is always fun. Also, attackers are really crafty at using ICMP to tunnel traffic. Most organizations allow ICMP for testing connectivity, and attackers love to use ICMP to map out your network and locate active filtering devices. You can make their lives more difficult by turning it off.

Layer 4. The Transport Layer

Does Port 23 sound fun to you??? Do you get excited when 3128 responds? You do? Then you will know what I’m rambling about. TCP and UDP both run on the transport protocol. They map services to sockets.

Ports 1-1024 are privileged and used by known applications. IANA keeps a list of all registered port numbers, but keep in mind with root access you can run anything you want on any port. TCP provides a connection-oriented experience, which guarantees that the recipient will always receive the message based on acknowledgment of receipt.

A three-way handshake is how a connection is established. You send a SYN (hello, you there?) to a destination port, the end node responds with an ACK from a random source port (yeah, I’m here, what do you want?), and then the SYN/ACK (OK, let’s chat). It is connection oriented, so you can set up most firewalls (outside of the PIX) to only allow outbound, without requiring a return rule. The firewall knows that the SYN is waiting for a response and listens for a response from a random source port.

TCP and UDP both have sequence numbers in the header. Attacks against TCP have included sequence injection, where an attacker sitting on the wire can take over the connection by sending a Reset packet to the originating source. TCP hijacking has been around for years, and for clear text protocols is still valid. USE STRONG ENCRYPTION at lower layers!

In order to bypass certain IDS implementations, an attacker as part of his network mapping activities will typically initiate a SYN scan which will leave the connection half open. This isn’t as reliable as a full scan, but it can cover the whole 65K ports fairly quickly and provide a refined target port list for later.  Our world essentially revolves around Layer 4. Learn everything about it!  
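What spotting those half-open connections looks like from the defender's side, as an added example that is not part of the original post: it tracks the standard SYN, SYN/ACK, ACK exchange per connection and reports sources that leave many handshakes unfinished. The tuple format, the `min_targets` threshold and the sample addresses are assumptions.

```python
from collections import defaultdict

def find_syn_scanners(packets, min_targets=5):
    """packets: (src, dst, sport, dport, flags) tuples in capture order, with
    flags as 'S', 'SA', 'A', 'R' or 'RA'. Returns {source: [(dst, port), ...]}
    for sources with at least min_targets handshakes they never completed."""
    state = {}   # (client, server, sport, dport) -> 'syn' | 'synack' | 'established'
    for src, dst, sport, dport, flags in packets:
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags == "S":
            state[fwd] = "syn"
        elif flags == "SA" and state.get(rev) == "syn":
            state[rev] = "synack"
        elif flags == "A" and state.get(fwd) == "synack":
            state[fwd] = "established"
        # An R or RA leaves the entry as it was: the handshake never completed.
    unfinished = defaultdict(set)
    for (client, server, _sport, dport), st in state.items():
        if st != "established":
            unfinished[client].add((server, dport))
    return {c: sorted(t) for c, t in unfinished.items() if len(t) >= min_targets}

def sample_capture():
    """Constructed packet summaries: one normal client, one half-open sweep."""
    server, user, prober = "192.0.2.20", "198.51.100.10", "198.51.100.66"
    pkts = [(user, server, 50000, 443, "S"), (server, user, 443, 50000, "SA"),
            (user, server, 50000, 443, "A")]
    for i, port in enumerate([21, 22, 23, 80, 443, 3128]):
        sport = 40000 + i
        pkts.append((prober, server, sport, port, "S"))
        if port in (22, 443):    # open ports answer SYN/ACK, prober resets
            pkts.append((server, prober, port, sport, "SA"))
            pkts.append((prober, server, sport, port, "R"))
        else:                    # closed ports answer RST/ACK
            pkts.append((server, prober, port, sport, "RA"))
    return pkts
```

An IDS that only logs completed connections never sees these entries, which is why the state has to be built from the SYN onward.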

You will find that most firewalls operate at Layer 4. This is tons of fun for your average attacker, because once he exploits a vulnerability in an exposed system, he can use the connection to traverse your protected segments. If layer 7 filtering is not feasible, then implement a proxy solution. Your proxies should be configured to rewrite, not ROUTE! Remember the difference: you don’t want any direct connections in or out of a private segment.

Disable services that you don’t use… Period. A listening socket is an open path. Don’t be dumb. Man-in-the-middle attacks are commonplace these days. Connection hijacking is all the rage. SSL will not protect you from this.

I’m going to go over layers 5-7 later, as I think they should be covered more in depth within the Application Security piece (part 4 maybe)...

If you enjoyed this, stay tuned for more... All I ask is that you buy a shirt (still looking for sponsors as well) and please submit "What The CISSP won't teach you, by JadedSecurity" for CPEs.

So where does Lulz fit into this picture???? Huh ISC2?


Cross-posted from Jaded Security
