Secure Network Design
The following are some weaknesses to mitigate in a network design/architecture:
Single points of failure
Complex dependencies
Availability over confidentiality and integrity
Lack of documentation and change control
Overdependence on perimeter security
Zones
Zones are isolated segments that have the same security requirements.
Traffic between zones is subject to filtering by a firewall.
Main Types of zones:
Intranet (private)
Extranet
Internet (public)
Demilitarized Zones
DMZs isolate hosts that are Internet-facing and act as a public-facing gateway
Ideally used to rebuild packets for forwarding
The easiest way to set this up is using bastion hosts
There are many different types of DMZs for different functions
Bastion Hosts
Run minimal services
Do not store local network account credentials
Not fully trusted by internal network
Topology #1 - Screened Subnet DMZ
Uses 2 firewalls placed on either side of the DMZ, one being the internal firewall, and the other being the edge firewall
Internal firewall has more rules than the edge firewall, as the internal firewall filters communications between hosts in the DMZ (Extranet) and hosts on the LAN
Internal firewall is also described as the choke firewall, which facilitates: ✔️ Better Access Control ✔️ Easier Monitoring
Topology #2 - Triple-Homed Firewall DMZ
Manages 3 interfaces - One firewall, three network interfaces
One interface is the public-facing one, another is the DMZ, and the last interface connects to the LAN
Can achieve the same sort of configuration as a screened subnet using routing and filtering rules to determine what forwarding is allowed between the interfaces
Topology #3 - Dual-Homed Firewall DMZ
Uses a firewall/router to connect a dual-homed proxy/gateway server to the internet
Dual-homed gateway
System fitted with two network interfaces (NICs) that sits between an untrusted network and a trusted network to provide secure access
Summary of the Topologies
Screened Subnet
Secure, as monitoring and access control are centralized
Requires two firewalls, meaning that cost might be an issue
Triple-Homed, Dual-Homed
Requires only one firewall
Single Point of Failure due to having one firewall
Proxies and Gateways
Forward Proxy Server
Proxy opens connections with external servers on behalf of internal clients
Reverse Proxy Server
Proxy opens connections with internal servers on behalf of external clients
Cyber Attack Lifecycle
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Act on Objective
1. Reconnaissance
In this phase, attackers research, identify and select vulnerable network, service or application targets to exploit. OSINT is also conducted at this stage.
2. Weaponization
In this phase, attackers choose their method of attack and develop the malware used to exploit the vulnerability discovered in the previous stage, so as to initiate the attack. At this stage, network or security administrators cannot act, as these activities cannot be detected.
3. Delivery
In this phase, the malware created in the previous stage is sent to the victim using various methods (e.g. phishing/impersonation, etc.). At this stage, end users can act on these and be the first layer of defence. A firewall can also be another form of first-layer defence, preventing the delivery from reaching end users.
4. Exploitation
In this phase, the malware runs the attack code that exploits the vulnerabilities on the victim's devices. The code may also open an entry point for other intrusive code to be installed, increasing the scale of the damage. At this stage, a firewall can discover and prevent the delivery of detected malware that passes through its network stack. If a trusted user brings the malware into the company knowingly/unknowingly (e.g. through an infected USB), the detection and blocking of this malware is left to any endpoint protection (e.g. anti-virus).
5. Installation
In this stage, attackers will seek to establish privileged operations. One way of doing so is to install a backdoor that allows attackers to retain access to the device even if passwords are changed or services are disabled. Backdoors are typically created through use of a kernel- or firmware-based rootkit or a remote administration tool. At this point, network/security administrators can definitely see the impact of the attacker's actions. As such, detection, containment and prevention actions can be executed at this stage.
6. Command & Control (C2)
In this phase, attackers establish a command channel back to the victim via a specific server so that data or more malicious code can be passed back and forth between the infected devices and the attacker's server. The C2 channel can also be used to update the malware with new functionality if the attacker's objectives change, and to further maintain persistence on the infected device.
7. Act on Objective
Attackers in this phase may resort to data exfiltration, destruction of critical infrastructure, defacement of web property, etc. These actions depend on the attacker's motivation for the attack: the victim device might not itself be the target, but a point of attack towards the intended target.
Implement Firewalls
There are two types of firewalls (very high level) that can be implemented:
Firewall appliances
Routed (Layer 3)
Bridged/transparent (Layer 2)
Router/firewall
Application-based firewalls
Host-based (personal)
Application firewall
Network operating system (NOS) firewall: a software-based firewall running under a network server OS, such as Windows or Linux; the server functions as a gateway or proxy for a network segment
Packet Filtering Firewalls
Enforces a network access control list (ACL) that is configured on the principle of least access
This means that only the minimum amount of traffic that is required for any valid network service operation is allowed, and no more
Act to deny (block/drop), log or accept a packet
Works by inspecting the headers of individual inbound and/or outbound packets for:
Source/Destination IP address
Protocol ID/type
Source and destination port numbers
Its operation is considered a stateless operation
This means that the firewall does not preserve information about any network session
Each packet is analyzed independently with no record of previously processed packets.
✔️ Filtering requires the least processing effort
Use iptables to edit the rules enforced by the Linux kernel firewall
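Added example (not from the original notes): a small model of a stateless packet filter that enforces a least-access ACL on the header fields listed above, logs and drops anything unmatched, and renders each rule as an iptables command. The DMZ web host and admin subnet addresses are constructed, and the last rule shows the stateless caveat: with no session record, reply traffic needs its own rule, which matches any packet carrying that source port.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:                  # the header fields a packet filter inspects
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                # "accept" or "drop"
    proto: str | None = None   # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: int | None = None
    dport: int | None = None
    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))
    def to_iptables(self, chain: str = "FORWARD") -> str:
        s = f"iptables -A {chain} -s {self.src} -d {self.dst}"
        s += f" -p {self.proto}" if self.proto else ""
        s += f" --sport {self.sport}" if self.sport is not None else ""
        s += f" --dport {self.dport}" if self.dport is not None else ""
        return s + (" -j ACCEPT" if self.action == "accept" else " -j DROP")

class StatelessFilter:
    # First match wins; there is no session table, so replies need explicit
    # rules, and anything unmatched is logged then dropped (default deny).
    def __init__(self, rules: list[Rule]):
        self.rules, self.log = list(rules), []
    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        self.log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "drop"

DMZ_WEB, ADMIN_NET = "203.0.113.10/32", "192.0.2.0/24"   # constructed addresses
ACL = [Rule("accept", "tcp", dst=DMZ_WEB, dport=443),
       Rule("accept", "tcp", src=ADMIN_NET, dst=DMZ_WEB, dport=22),
       # stateless caveat: DNS replies need their own rule, which also admits any UDP packet claiming source port 53
       Rule("accept", "udp", dst=DMZ_WEB, sport=53)]
fw = StatelessFilter(ACL)
```

A stateful firewall would instead record the outbound DNS query and admit only its matching reply; the rendered iptables lines are the stateless equivalent of this ACL.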
Next-generation firewall architecture
Zero Trust Architecture
Conventional security models assume that everything inside an organization's network can be trusted, so they protect only the perimeter of the architecture
Insider threats are not secured against, meaning the possibility of compromise of sensitive, valuable business data is high
This architecture is based on the principle of "never trust, always verify"
Each step a user makes through the infrastructure must be validated and authenticated across all locations
Accomplish inbound and outbound inspection by locating a firewall between LAN and WAN.
Accomplish internal traffic inspection by locating a firewall between your internal subnets and VLANs.
Initial Access to the Firewall
Performed using either:
Dedicated out-of-band management ethernet interface (MGT interface)
Serial console connection
The local admin password is stored in the firewall's XML configuration file, encrypted using the firewall's master key
Reset to Factory Configuration
From the CLI with a known admin user password
The above erases all logs and resets all settings, including IP addressing (this causes loss of connectivity)
Saves a default configuration after the MGT IP address is changed
During bootup with an unknown admin user password:
Type the following command from the console port during bootup:
Choose 'Reset to Factory Default'
Configuration Management