CYB. Cybersecurity Fundamentals (part 3) PDF

Summary

This document provides an outline of cybersecurity fundamentals, specifically focused on network security in a Master's program in Artificial Intelligence. It covers different aspects of cybersecurity, such as perimeter protection, network vulnerabilities, and secure protocols like TCP/IP and virtual private networks. The information is presented in a structured format suitable for a graduate-level course or a professional training.

Full Transcript

CYB. Cybersecurity Fundamentals (part 3)

Master in Artificial Intelligence
2024/25
ESEI – University of Vigo
Table of Contents

Network Security
TCP/IP Network Model
TCP/IP Vulnerabilities, Threats and Attacks
Secure Protocols
Perimeter Protection
Access control: Firewalls

Remote Access: Virtual Private Networks (VPN)

Network monitoring: Intrusion Detection Systems

1
Network Security
Network Security

Set of measures and strategies to secure the network infrastructure

ˆ Protects wired and wireless networks, routers, switches, firewalls,
servers and endpoints (devices connected to the network)

Key responsabilities/tasks
Access Control only authorized users and devices can access network resources
Data protection encryption protocols (IPSec, SSL/TLS,..) to protect data in
transit and ensure that sensitive information is secure
Network Monitoring and Logging continuous monitor network traffic
ˆ detect security incidents, monitor network activity, analyze logs to detect
anomalies
ˆ intrusion detection and prevention systems (IDS/IPS) → block/alert
suspicious activities and potential threats

2
Network Security (II)

Perimeter defense security controls at the network perimeter
ˆ filter incoming and outgoing traffic (firewalls and demilitarized zones)
ˆ Virtual Private Networks (VPN) for remote access
ˆ monitor and intrusion detection (IDS/IPS) of external threats
Network vulnerability management regularly assess the network for
vulnerabilities
ˆ ensure network devices configured securely (patches and updates)
ˆ conduct security assessments (penetration testing) to identify and
remediate weaknesses

Other Network incident respose, Security policies and procedures, Network
security training,...

3
Network Security (III)

Network Security Activities in NIST Framework Core Functions (partial list)

Identify
- Asset Management [ID.AM] (inventory of network hardware, software, data that needs protection)
- Risk Assessment [ID.RA] (identify vulnerabilities, threats and potential impacts in network)
- Network Security Governance [ID.GV] (policies and procedures for managing network security)

Protect
- Access Control [PR.AC] (restrict unauthorized access to network resources)
- Network Segmentation [PR.AC-5] (secure zones to limit lateral movement of attackers)
- Encryption [PR.DS-2] (protect data in transit and at rest)
- Endpoint Protection [PR.PT] (security measures on network endpoint)
- Security Training [RP.AT] (train network users to recognize and respond to security threats)

Detect
- Network Traffic Analysis [DE.AE] (network traffic patterns → detect unusual/malicious behavior)
- Log and Event Monitoring [DE.CM] (continuously monitor, identify anomalies or sec. incidents)
- Intrusion Detection [DE.DP] (IDS/IPS to detect and respond to suspicious network activity)

4
Network Security (IV)

Network Security Activities in NIST Framework Core Functions (partial list) (cont.)

Respond
- Network Incident Response Plan [RS.RP] (actions in the event of a network security incident)
- Security Incident Investigation [RS.AN] (analyze incidents → understand scope and impact)
- Mitigation and Containment [RS.MI] (measures to contain/mitigate the effects of incident)
- Communication and Reporting [RS.CO] (report incidents to relevant people/authorities)
- Forensics [RS.AN-3] (gather evidence and learn from incidents to improve network security)

Recover
- Business Continuity (BC) Planning [RC.RP] (BC/disaster recovery plans → network resilience)
- System Restoration [RC.RP] (restore network services and systems to normal operations)
- Lessons Learned [RC.IM] (identify lessons learned and update security policies and procedures)
- Post-Incident Review [RC.IM] (evaluate the effectiveness of the response and recovery efforts)

5
TCP/IP Network Model

Source: Wikimedia Commons

Key points: stacked protocol layers and data encapsulation

6
TCP/IP Network Model (II)

Network Layer point-to-point communication between network devices (final
devices and routers)
Transport Layer end-to-end com. between network devices (final devices)
Application Layer end-to-end com. between applications (clients and servers)

7
TCP/IP Vulnerabilities, Threats and Attacks

Main weakness: Lack of built-in security
ˆ Protocols initially designed without strong security considerations
ˆ Lack of native encryption, integrity and authentication mechanisms
ˆ TCP/IP network communications vulnerable to eavesdropping,
interception and tampering

Generic threats/attacks

1. Sniffing Unauthorized interception/monitoring of network traffic
(exploits lack of encryption) (see Mitre ATT&CK Network Sniffing)
ˆ Goals: eavesdrop network communications, capture
sensitive/confidential data
ˆ Techniques: Passive (read-only) vs. active (inserting data) sniffing
ˆ Countermeasures: encryption, network segmentation, IDS to detect
active sniffing, monitor for unauthorized devices

8
TCP/IP Vulnerabilities, Threats and Attacks (II)

2. Spoofing Masquerading as something or someone else in a network
communication (exploits lack of authentication)
ˆ Goals: impersonate trusted network devices/users to
steal/manipulate info. or bypass control access (spoofing possible at
different layers/applications)
ˆ Techniques: IP spoofing, MAC spoofing, DNS spoofing
ˆ Countermeasures: cryptographic based authentication, access
control policies, IDS and network monitoring, traffic filtering
3. Hijacking (session hijacking, session theft) Attacker takes control of
an established network session/connection between two parties
(exploits lack of authentication/integrity and weaknesses in session
management)
ˆ Goals: gain unauthorized access to resources, manipulate data
transmitted during the session, impersonate legitimate users

9
TCP/IP Vulnerabilities, Threats and Attacks (III)

ˆ Techniques: session fixation, stealing session tokens, session replay
attacks
ˆ Countermeasures: robust session management, secure tokens,
session data encryption, force reauthentication, IDS/IPS
4. Man-in-the-Middle (MitM) Attacks Attacker intercepts (and
potentially alters) communication between sender and receiver without
their knowledge (see Mitre ATT&CK Adversary-in-the-middle)
ˆ Goals: eavesdrop sensitive information, manipulate the
communication, impersonate one of the parties
ˆ Techniques: sniffing, ARP spoofing, DNS spoofing SSL stripping,
session hijacking (MitM hijacking an established session)
ˆ Countermeasures: traffic encrytion, traffic and end-point
authentication,...

10
TCP/IP Vulnerabilities, Threats and Attacks (IV)

5. Denial of Service (DoS) Make network resources, services or
applications unavailable to legitimate users by overwhelming with
excessive traffic/requests (see Mitre ATT&CK Network Denial of
Service)
ˆ Goals: disrupt the availability of networked resources, service
degradation, forced downtime
ˆ Techniques: flooding attacks (ICMP flood, SYN flood,UDP flood),
resource exhaustion, specific application layer attacks, DDoS
(distributed DoS)
ˆ Countermeasures: firewalls and IDS/IPS solutions, rate limiting
(restrict the number of incoming requests), load balancing and CDN
(Content Delivery Networks), anomaly detection

11
TCP/IP Vulnerabilities, Threats and Attacks (V)

6. Hostile network activity Actions taken by attackers or malicious
actors to compromise network security, gain unauthorized access or
disrupt network operations.
ˆ Port scanning Systematically probing a network or system to
identify open ports and services.
ˆ Find potential vulnerabilities and entry points (first stage of
attacks, see Mitre ATT&CK Reconnaissance)
ˆ Firewall rules, IDS/IPS to detect/block scanning attempts
ˆ Brute force attacks Attempting combinations of usernames and
passwords to discover valid credential and gain unauthorized access
(see Mitre ATT&CK Brute Force)
ˆ Mitigated by strong password policies, account lockout,
multi-factor authentication (MFA)
ˆ Detected by Host-based IDS/IPS
ˆ Other: Phishing attacks, Malware activity, Botnets,...

12
Example: MitM using ARP Spoofing

ARP (Address Resolution Protocol)

ˆ Helps network devices find each other’s physical hardware addresses

ˆ Resolves the mapping IP address ↔ MAC address (RFC 826)
(
ARP-Request: Who has IP aaa.bbb.ccc.ddd?
ˆ Messages
ARP-Reply: IP aaa.bbb.ccc.ddd is at MAC xx-xx-xx-xx-xx-xx

ˆ Devices keep a record of these mappings (local ARP cache)

Weaknesses of ARP that make MitM attack possible

ˆ Lack of authentication for ARP-Reply

ˆ It is possible to send ARP-Reply without prior ARP-Request

ˆ Any device on the network with requested info. can send ARP-Reply

13
Example: MitM using ARP Spoofing (II)

Spoofed/fake ARP responses ⇒ impersonation attacks (Man In The Middle)

ˆ Malicious actor send spoofed ARP messages to confuse devices on the local
network

ˆ Network devices can be tricked (local ARP cache poisoning) into
communicating with the wrong device

ˆ Malicious device masquerades as both sides of the connection
ˆ Collecting data and sending it back to maintain the connection

14
Secure Protocols

”Secure protocols” address several security concerns and threats
that can compromise the confidentiality, integrity and authenticity
of data and communications

ˆ Expand and improve the functionalities of ”classic” TCP/IP
protocols
ˆ Can be implemented at different layers of the protocol stack and
have specific characteristics
ˆ Apply cryptographic techniques to provide confidentiality, integrity
and authentication services for both messages and endpoints

15
Secure Protocols

IPsec (Internet Protocol Security) – Network Layer (Layer 3)
Suite of protocols used to secure IP communications at the network layer
(transparent to final applications)
Provides IP packet authentication and (optionally) encryption
Elements/Protocols

ˆ Authentication Header (AH): authentication and integrity using HMAC
(hash-based Message Authentication Code)

ˆ Encapsulating Security Payload (ESP): adds encryption using symmetric
algorithms

ˆ Internet Key Exchange (IKE): secret key exchange, using asymmetric en-
cryption (Diffie-Hellman algorithm) and Digital Certificates

Use cases: securing site-to-site and remote access VPNs (in tunnel
mode) and in-transit data protection (in transport mode)
16
Secure Protocols

TLS (Transport Layer Security) – Transport Layer (Layer 4)
Secure communication channel between a client and server at transport
(socket) layer
Provides data integrity, confidentiality and authentication at packet level
and final entity authentication
Elements/Protocols See Interactive TLS 1.3 Connection

ˆ Handshake Protocol: authenticates endpoints (using digital certificates), es-
tablishes secure connection and negotiates encryption parameters

ˆ Record Protocol: Encrypts (symmetric) and authenticates (HMAC) data
transferred between client and server

Use cases: secure HTTPS websites, email (SMTP, IMAP, POP3), and
other application-layer protocols

17
Secure Protocols

SSH (Secure Shell) – Application Layer (Layer 7)
Provides end-to-end encryption for interactive sessions
Similar to TLS, adds several user authentication methods (password,
public-key)

Use cases: secure remote access to network devices and servers

Other ”secure protocols”
SFTP (SSH File Transfer Protocol) secure file transfer protocol over en-
crypted SSH
DNSSEC (Domain Name System Security Extensions) adds cryptographic
security to DNS queries and responses (protection against DNS spoofing)
FTPS (File Transfer Protocol Secure) an extension of traditional FTP that
adds TLS/SSL encryption
OpenVPN open-source VPN that uses TLS/SSL for encryption
18
Perimeter Protection

Objective: Securing an organization’s network by protecting the outer
boundary (perimeter) from external threats/attacks.
ˆ Threat actors from outside the organization (hackers, cybercriminals,
malware, botnets)
(
breach the network perimeter
ˆ Attempt to
gain unauthorized access to internal resources

Countermeasures
ˆ Firewalls and Network Segmentation

ˆ Virtual Private Networks (VPNs)
(
Intrusion Detection and Prevention Systems (IDS/IPS)
ˆ Monitoring
Security Information and Event Management (SIEM) Systems

ˆ Web Applicaton Firewalls (WAF), Content Filtering (SPAM, Anti-Phishing)

19
Firewalls
Network access control devices/mechanisms
(
organization’s internal network (trusted devices)
Barrier between
untrusted external network (potentially hostile)

ˆ Filtering and controlling incoming and outgoing network traffic

ˆ Based on predefined security policies and rules

Principles of operation

ˆ All traffic (incoming and outgoing) must pass through the firewall
ˆ Firewalls permit only authorized traffic, as defined by the
organization’s security policies
ˆ Firewalls must be immune to intrusions → reliable operating
system and software

20
Types of Firewalls

(a) Packet Filtering Firewalls Inspect incoming and outgoing network
packets and check if they match predefined rules
- Operate at the network (IP) and/or transport (TCP, UDP) layers
ˆ Application/service control based on blocking standard ports

- Filtering is performed on a per-packet basis (”stateless”)
- Packet headers are inspected to match a static list of rules
ˆ Rules are checked sequentially, one by one (order of rules
( matters)
accept, drop,
ˆ When a match is found, corresponding action invoked
reject, log
ˆ If no rule matches, the default action is applied
→ Deny by default vs. Accept by default

(+) Simple and efficient for basic access control
(–) Lack of advanced inspection capabilities
(useless for some application-layer attacks)

21
Types of Firewalls (II)

(b) Stateful Inspection Firewalls (Stateful Firewalls) Improve ”stateless”
firewalls by keeping track of the state of active connections

ˆ Understand the state of established connections
ˆ Can make filtering decisions based on the context of the traffic
(+) Easier to define complex rules than ”stateless’ FW
(–) Not inspect application-layer content deeply

22
Types of Firewalls (III)

(c) Application-Level Filters (Proxy Firewalls) Act as intermediaries
between clients and servers at the application layer
ˆ Intercept and inspect client-server traffic, making requests to servers
on behalf of clients
ˆ Can inspect and filter content at the application layer
ˆ ”Understand” application layer protocols
ˆ Prevent misuse and allow the limitation of specific protocol aspects
(
internal client – proxy (acting as a server)
ˆ Two connection:
proxy (acting as a client) – external server
ˆ Proxy receives, examines, and relays bidirectional traffic, making all
decisions regarding the transmission of messages

(+) Deep inspection and granular control over application traffic
(–) Can introduce latency due to traffic redirection
May not support all application protocols

23
Firewalls Topologies

(
Traffic filtering logic
Key Decisions: Location of
Public services

Typical set-up: Demilitarized Zone (DMZ) [also Perimeter Network]

ˆ Segment network into security zones: DMZ, internal net, external net
ˆ Specific security policies applied to different network segments

DMZ Role: Offer services to the external network

ˆ Hosts servers that are accessible from the external network
ˆ Optionally, host application proxies used by the internal network

24
Firewalls Topologies (II)

Bastion Hosts: DMZ typically contains ”bastion hosts”

ˆ Only machines accessible from the external network
ˆ Potentially vulnerable → require careful administration
ˆ Minimal software services installed, regular security updates, log
monitoring

Purpose: Isolate services exposed to the external network
Prevent unauthorized access to the protected network in case these
services are compromised by attackers

ˆ Firewall controls traffic between the DMZ and the internal network
ˆ Internal devices should not trust or directly communicate with DMZ
hosts

25
Firewalls Topologies (III)
DMZ with Three interfaces Firewall

DMZ with Double Firewall

26
Virtual Private Networks (VPN)
Extension of a private local network over an uncontrolled public network
infrastructure
ˆ Usually encrypted links to establish secure connections → maintains the
confidentiality of traffic

ˆ Typically rely on tunneling
ˆ creating and maintaining a logical connection between two endpoints
ˆ encapsulating one protocol’s traffic within packets of another protocol

Common Use Cases
ˆ Secure Interconnection. Between two portions of the same organization,
using an insecure public network
[point-to-point VPN: host-to-host, network-to-network])

ˆ Remote Access. Remote access for users to connect to the internal
network from devices located outside the organization’s network
[remote access VPN: host-to-network]

27
Virtual Private Networks (VPN) (II)

VPN Examples

IPsec Tunnels Network layer VPN encapsulating IP packets into IPsec

Encapsulating PPP PPTP(Point to Point Tunneling Protocol) and
L2TP (Layer 2 Tunneling Protocol) encapsulate PPP(Point-to-Point
Protocol) frames into UDP/IP packets

Transport Layer VPN OpenVPN, encapsulates IP or Ethernet into a
TLS/SSL connection
Wireguard offers transport layer VPN with its own encryption over
UDP

Application Layer VPN SSH tunnels allow port redirection on
encrypted SSH connection between client and server

28
Intrusion Detection/Prevention Systems

Intrusion Detection System (IDS)
ˆ Monitor network traffic and system activities for signs of unauthorized ac-
cess, attacks or abnormal behavior

ˆ Passive operation: detect suspicious activity and alert on potential threats

Intrusion Prevention System (IPS)
ˆ Same detection methods as IDS, taking automated actions to prevent or
mitigate detected threats

ˆ Proactive operation: can take measures to block or prevent threats in
real-time
ˆ blocking traffic to/from a specific IP addresses
ˆ dropping malicious packets, resetting connections

29
Intrusion Detection/Prevention Systems (II)

IDS/IPS can be deployed as network-based or host-based systems

Network-Based IDS/IPS (NIDS) NIDS sensors monitor network
traffic at ”relevant” points in the network
ˆ ”Relevant” points to monitor: DMZ, internal net, firewalls, etc
ˆ Examples: SNORT, Suricata, Zeek

Host-Based IDS/IPS (HIDS) HIDS agents are installed on individual
devices (hosts, servers) and monitor system-level activities and logs
ˆ System and application logs (for detecting security incidents and
abnormalities)
ˆ File system modifications (maintaining the integrity of sensitive files)
ˆ System calls (unusual/suspicious system calls → malware, unauthorized
access, security incidents)
ˆ Examples: Fail2Ban, OSSEC

30
IDS/IPS Detection Methods

Signature-Based Detection This method uses predefined patterns or
signatures to identify known attack patterns and vulnerabilities
(+) Easy to implement and very efficient
Good at detecting known threats
(–) Poor performance with new or never seen threats
Anomaly-Based Detection Anomaly-based IDS/IPS establishes a
baseline of normal network behavior and triggers alerts or alarms
when deviations from this baseline are detected
Behavioral Analysis Generalization of Anomaly-Based Detection, looks
for behaviors that might indicate an attack but don’t match specific
signatures or cannot be identifies as anomalies, making it useful for
detecting new or unknown threats

31
IDS/IPS Detection Methods (II)
Example: SNORT/SURICATA rules (signature-based NIDS)

Rule format: ()

ˆ : alert, pass, drop, reject,...
ˆ : [protocol] [source] [src-port] {->|} [dest.] [dst-port]

 metadata (msg, sid,...)

ˆ : protocol header tests (http, ip, tcp,...)

 tests/pattern on payload (content, pcre,...)

alert tcp $EXT_NET any -> $HOME_NET 3306 (msg:"GPL MYSQL root login attempt";
flow:to_server,established;
content:"|0A 00 00 01 85 04 00 00 80|root|00|";
classtype:protocol-command-decode;
sid:2101775; rev:4;)

Details: https://suricata.readthedocs.io/en/suricata-6.0.1/rules/intro.html

32