🔹Layered Security

Layer 1

(Physical Inspection/Access)

Threats

  • Rogue Device

  • Bad USB

  • Pentest Dropbox

  • HID Attacks

  • Physical Damage

Mitigations

  • Cabinets

  • Closets

  • Physical Authentication & Authorization

Wireless (802.11)

Threats

  • Dual-homed devices (2 or more interfaces)

  • Protocol Attacks

  • BYOAP (bring your own access point)

Mitigations

  • WIPS (Wireless Intrusion Prevention System)

  • Disable Obsolete Protocols (WEP)

  • Disable Flawed Control Mechanisms (WPS)

  • Enable PMF (Protected Management Frames) if possible - available in 802.11w to block spoofing, deauthentication, disassociation and replay attacks

  • Guest Management (no auth for guests, internet access only, WPA2-PSK)

  • Station/Client Isolation (clients can't access other clients on the same AP)

  • WPA2 Enterprise (a unique encryption key for each client, with authentication against RADIUS servers)

Wireless (RFID badges)

Threats

  • Cloned Cards/Tags

Mitigations

  • Use cards that support rolling codes (code change on each use) or challenge-response

  • Use protective sleeves if using old RFID cards

Layer 2 & 3

Switches

Threats

  • MAC flooding

  • 802.1Q and ISL Tagging

  • Double Encapsulated 802.1Q / VLAN hopping

  • ARP Poisoning

  • Private VLAN attack

  • VLAN Trunking Protocol (VTP) Attack

  • Multicast Brute Force

  • Spanning-tree Attack

  • Random Frame Stress

  • Rogue DHCP

  • DHCP Starvation

  • NTP Amplification

  • NTP Spoofing

  • STP Spoofing

  • Sniffing

Mitigations

  • Disable CDP to prevent credential spoofing

  • Set up port security to prevent MAC flooding, or hard-code system MAC addresses

  • Disable unused ports, services, protocols, interfaces, etc.

  • Set up a MAC address limit and sticky MAC addresses

  • DHCP Snooping

  • Dynamic ARP Inspection (DAI)

  • ARP IDS (arpwatch)

  • Configure the trusted interface for DHCP (the uplink towards the real DHCP server)

  • Use private VLANs

  • Use SSHv2

  • Enable logging

  • Use Cisco type 8 or 9 password hashes

  • Configure banner correctly

  • Always use SNMPv3 with secure community strings
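The DHCP snooping and DAI mitigations above work together: the switch learns IP/MAC/port bindings from DHCP exchanges that were answered on a trusted interface, then checks ARP replies on untrusted ports against that binding table. The following is an added example modelling that logic (not vendor code); port names, MACs and IPs are constructed samples.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Tracks DHCP snooping bindings and enforces DAI on untrusted ports."""
    trusted_ports: set                              # uplinks to the real DHCP server
    pending: dict = field(default_factory=dict)     # client MAC -> access port
    bindings: dict = field(default_factory=dict)    # client IP -> (MAC, access port)
    log: list = field(default_factory=list)

    def dhcp_request(self, port, client_mac):
        """Client DISCOVER/REQUEST seen on an access port: remember its port."""
        self.pending[client_mac] = port

    def dhcp_ack(self, port, client_mac, client_ip):
        """Server OFFER/ACK: only trusted ports may answer; creates the binding."""
        if port not in self.trusted_ports:
            self.log.append(f"DROP DHCP server reply from untrusted {port}")
            return False
        client_port = self.pending.pop(client_mac, None)
        if client_port is None:
            self.log.append(f"DROP unsolicited DHCP ACK for {client_mac}")
            return False
        self.bindings[client_ip] = (client_mac, client_port)
        return True

    def arp_reply(self, port, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender IP/MAC/port must match a binding."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get(sender_ip) != (sender_mac, port):
            self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} on {port}")
            return False
        return True


def run_scenario():
    """Constructed traffic: a legitimate lease, then a rogue DHCP server and
    two ARP poisoning attempts from access port Gi0/2."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    client, rogue = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    r = {}
    sw.dhcp_request("Gi0/1", client)
    r["legit_lease"] = sw.dhcp_ack("Gi0/24", client, "10.0.0.10")   # True
    r["legit_arp"] = sw.arp_reply("Gi0/1", client, "10.0.0.10")    # True
    r["rogue_dhcp"] = sw.dhcp_ack("Gi0/2", client, "10.0.0.11")     # False
    r["spoof_gateway"] = sw.arp_reply("Gi0/2", rogue, "10.0.0.1")   # False
    r["spoof_client"] = sw.arp_reply("Gi0/2", rogue, "10.0.0.10")   # False
    return r, sw.log
```

The dropped-frame log is the same kind of signal an ARP IDS such as arpwatch raises, so it is worth forwarding to the logging target enabled above.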

Routers

Threats

  • DoS

  • IP spoof

  • IP Source Routing

  • ICMP Flood

  • Smurf Attack

  • Routing Table Poisoning

  • IPv6 Router Advertisement

  • Unauthorized Routing Updates

  • Wormhole Attack (Unauthenticated Tunneling)

Mitigations

  • Cisco Autosecure

  • DISA STIGs

  • CIS Cisco Benchmark

  • Use audit tools (Nipper Studio, nipper-ng)

  • Set logon filters on the outermost external router

  • Block non-routable IPs

IPv6

Threats

  • IPv6 MitM

  • DHCPv6 Takeover

  • Neighbor Impersonation

  • NDP Spoofing

Mitigations

  • Dynamic ARP Inspection

  • Secure Neighbor Discovery

  • Private VLANs

  • Port Security

  • 802.1x

  • Use IPsec if possible

  • Block protocol 41 to prevent IPv6 tunneling (Cisco IOS ACL)

  • Use Router Advertisement (RA) Guard to block rogue RAs

Layer 7

Application Proxy

Forward Proxy: clients reach remote resources through the proxy, which hides the identity of the client.

  • Web Proxy

    • SSL Inspection

    • Block sites by categories

    • Website whitelisting

    • Authentication

  • SMTP Proxy (spam filtering)

    • per-email encryption

    • modify/auto-route mail (add custom header/footer or remove attachments)

    • anti-spam/anti-spoof (SPF/DKIM/DMARC)

    • sender authentication

    • rate limiting

    • sender blocking

Reverse Proxy: used for security analysis and hides the identity of the server (WAF, three-tier model, etc.)

Placement

  • DMZ proxy (between DMZ and internal network)

  • Internal proxy (between clients and the internet)

  • VPN access (for remote connection)

  • Cloud proxy (systems directly connect to cloud infrastructure)

WAF

Web Application Firewall (proxy): strong focus on mitigating the OWASP Top 10.

Capabilities

  • SSL offloading (the client connects to the reverse proxy over SSL/TLS and the reverse proxy connects to the web server over plain HTTP)

  • content decoding

  • HTTP attack vector mitigations

  • virtual patching (mitigation without recoding the web app)

  • CAPTCHA & rate limiting

  • add HSTS header

  • error page control

  • dynamic action based on risk level

  • dynamic traffic routing for load balancing

Deployment:

  • Automatic learning (traffic passes through the WAF for a period of time so it can learn the normal patterns; once learned, the WAF can be flipped to deny mode)

  • Manual (all settings are tuned by hand; many templates are available based on OS, programming language and back-end database)
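A toy model of the automatic-learning deployment described above, added here as an example (not code from any WAF product): during the learning window the WAF records which parameters each endpoint receives and what shape their values take, and after the flip to enforce mode anything outside that profile is denied. Endpoints and requests are constructed samples.

```python
import re
from collections import defaultdict


class LearningWAF:
    def __init__(self):
        self.mode = "learn"
        # (method, path) -> {param name: set of observed value classes}
        self.profile = defaultdict(lambda: defaultdict(set))

    @staticmethod
    def classify(value):
        """Coarse shape of a parameter value; the learned profile stores shapes, not values."""
        if re.fullmatch(r"\d+", value):
            return "digits"
        if re.fullmatch(r"[A-Za-z0-9_.@-]+", value):
            return "token"
        return "other"

    def inspect(self, method, path, params):
        key = (method, path)
        if self.mode == "learn":           # learning window: record and allow everything
            for name, val in params.items():
                self.profile[key][name].add(self.classify(val))
            return "allow"
        known = self.profile.get(key)      # enforce mode: deviation from profile is denied
        if known is None:
            return "deny:unknown-endpoint"
        for name, val in params.items():
            if name not in known:
                return f"deny:unknown-param:{name}"
            if self.classify(val) not in known[name]:
                return f"deny:unexpected-value:{name}"
        return "allow"

    def enforce(self):
        self.mode = "enforce"


def run_scenario():
    """Constructed learning traffic followed by four enforce-mode requests."""
    waf = LearningWAF()
    for uid in ("42", "1007"):
        waf.inspect("GET", "/account", {"id": uid})
    waf.inspect("POST", "/login", {"user": "alice", "pass": "hunter2"})
    waf.enforce()
    return {
        "normal": waf.inspect("GET", "/account", {"id": "77"}),
        "injected_value": waf.inspect("GET", "/account", {"id": "77 OR 1=1"}),
        "extra_param": waf.inspect("GET", "/account", {"id": "77", "admin": "1"}),
        "unknown_path": waf.inspect("GET", "/admin", {}),
    }
```

A real learning window must be long enough to see all legitimate traffic, otherwise the flip to deny mode blocks valid but rarely used requests.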

Firewall

Internal Network Design

Break up the internal network into separate segments based on:

  • Business & regulation requirements

  • Criticality of assets

  • Threats

  • Risk appetite

Segmentation Principles

Classify systems and data into different levels (tiers):

  • Tier 1 - critical components (DCs, Exchange server, etc.)

  • Tier 2 - internal systems

  • Tier 3 - external-facing data-providing systems

Best Practices:

  • Define port-based rules first

  • Block geolocations

  • Authenticate all outbound traffic

  • Use both host-based and network-based firewalls

DMZ

A DMZ is usually implemented in one of these models:

  • Three-legged DMZ model (single firewall): a single firewall with at least three network interfaces builds the architecture that holds the DMZ.

  • Dual-firewall DMZ model: the DMZ is placed between two firewalls and traffic is filtered on both sides.

DMZ + Active Directory

When Active Directory-joined servers are placed in the DMZ (such as a public website or domain), the DMZ should not be directly connected to the primary/root domain controllers. In this scenario, a read-only domain controller (RODC) is placed in the DMZ for authentication and authorization.

IDS vs IPS Design

An IPS should be deployed in in-line mode so that all traffic passes through it and is analyzed before it is forwarded.

An IDS should be deployed out-of-band, fed by a network tap or port mirroring, so that it does not slow the traffic path.
