Platform-Security-Tools.pdf

Full Transcript

PLATFORM
SECURITY TOOLS
PLATFORM SECURITY
TOOLS

NMAP
UFW
FIREWALL
WIRESHARK
WHAT IS NMAP?
Nmap, also known as Network Mapper, is a
strong, free tool used to discover networks
and check their security. It helps users scan
networks to find devices, services, open
ports, and potential vulnerabilities.

Nmap is widely used by network
administrators, cybersecurity professionals,
and IT personnel to monitor, secure, and
troubleshoot networked devices.

Essentially, Nmap is like a radar for
networks, allowing you to see what's
happening and identify potential issues.
 PURPOSE AND
CAPABILITIES OF
NMAP
NETWORK DISCOVERY

Nmap is used to explore and map
large or small networks, helping to
identify what devices are present,
their IP addresses, and how they are
connected. This can include
systems like servers, routers,
switches, and IoT devices.
SECURITY AUDITING
Nmap aids in detecting security
weaknesses, such as open ports or
misconfigured devices, that could
expose a network to threats. By
identifying vulnerable services and
outdated software versions, it
enables proactive defense against
potential cyberattacks.
HOW TO USE
NMAP?
 BASIC NETWORK
SCANNING
Using Nmap (Network Mapper) to
scan networks, identify open ports,
and detect services and
vulnerabilities is a straightforward
but powerful process.
BASIC NETWORK SCANNING
Nmap can scan a network to identify active
hosts and devices.

Command:
nmap

Example:
To scan a single host:
Command: nmap 192.168.1.10

To scan a range of IP addresses (e.g., entire
subnet):
Command: nmap 192.168.1.0/24

This will show which devices are live and
responding on the network.
 PORT SCANNING
Port scanning checks a system for
open, closed, or filtered ports,
helping identify available services
and potential vulnerabilities. Nmap
is a popular tool for this task.
 PORT SCANNING
Nmap can scan for open ports on devices, allowing you
to see which services are accessible.

Command:
nmap -p

Example:
To scan a specific port (e.g., SSH on port 22):
Command: nmap -p 22 192.168.1.10

To scan a range of ports (e.g., ports 20-80):
Command: nmap -p 20-80 192.168.1.10

To scan all 65,535 ports (full scan):
Command: nmap -p- 192.168.1.10

Nmap will return a list of ports that are open, closed, or
filtered, providing insight into what services might be
accessible.
 DETECT SERVICES
To detect services running on a
networked device, Nmap can
identify which ports are open and
attempt to determine what services
are running on those ports.
 DETECT SERVICES
To gain more information about the services
running on the open ports (like their version), use
Nmap’s service detection feature. This can reveal
potential vulnerabilities if services are outdated.

Command:
nmap -sV

Example:
Command: nmap -sV 192.168.1.10

This scan will not only list the open ports but also
try to identify the exact services and their
versions (e.g., Apache 2.4.41 on port 80). This is
useful for discovering services that may be
running outdated or vulnerable versions.
 SCANNING FOR
VULNERABILITIES
Nmap's Scripting Engine (NSE)
enables vulnerability scans by
running scripts that detect
weaknesses in services,
applications, or network
configurations, helping identify
security issues in your systems.
SCANNING FOR VULNERABILITIES
Nmap has a powerful scripting engine (NSE),
which allows you to run scripts to detect
specific vulnerabilities.

Command:
nmap --script

Example:
To run a script that checks for common
vulnerabilities like Heartbleed:
Command: nmap --script ssl-heartbleed
192.168.1.10

Or, to run a set of default scripts for common
vulnerabilities:
Command: nmap -sC 192.168.1.10
SCANNING FOR VULNERABILITIES

You can also run multiple scripts or a script
suite:
Command: nmap --script=vuln 192.168.1.10

This will run all the vulnerability-related
scripts to identify weaknesses like outdated
services, weak passwords, and more.
WHAT IS UFW?
UFW (Uncomplicated Firewall) is a user-
friendly interface for managing firewall rules
on Linux systems. It is designed to simplify
the process of configuring firewalls, making
it easier for beginners by using a
straightforward syntax instead of complex
commands. UFW is commonly used on
Ubuntu and other Debian-based systems.

By using UFW, you can effectively manage
your network's security and protect your
systems from unauthorized access.
 PURPOSE OF UFW
The main goal of UFW is to manage
firewall settings and ensure network
security by controlling access to
ports and services on a system. It
simplifies firewall rule configuration
without the need for direct
interaction with the more complex
iptables system.
 UFW ROLE IN
MANAGING
FIREWALL ON LINUX
SYSTEMS
1. Simplified Firewall Rule Configuration:
UFW simplifies iptables, allowing users to manage
firewall rules easily with simple commands. This
enables users to:
Allow or block specific ports or services
Filter traffic based on IP addresses or ranges
Control both inbound and outbound traffic

2. Default Policies:
A key aspect of firewall management is setting
default policies. UFW simplifies establishing global
rules for handling incoming and outgoing
connections:
Default Deny Incoming: Blocks all incoming
traffic except what is explicitly allowed.
Default Allow Outgoing: Allows all outgoing
connections by default (unless restricted).
3. Port and Protocol Control:
UFW allows granular control over which ports and
protocols are accessible. You can specify:
Port Numbers: Control traffic on specific ports
(e.g., HTTP on port 80, HTTPS on port 443).
Protocols: Define whether rules apply to TCP,
UDP, or both.

4. Service-Based Rules:
Instead of specifying individual port numbers, UFW
supports service names. Many common services
(e.g., SSH, HTTP, Apache, etc.) are predefined,
allowing you to set rules quickly by service name.

5. Managing Traffic by IP or Subnet:
UFW can manage network traffic not just by ports
but also by IP address or range of addresses
(subnet). This is especially useful for securing a
server by limiting access to trusted IP ranges.
6. Enabling and Disabling the Firewall:
UFW makes it easy to enable or disable the firewall
without losing your configured rules. This is useful
when performing maintenance or troubleshooting.

7. Logging:
UFW includes logging capabilities to help monitor
network traffic and firewall activity. This is essential
for diagnosing issues, identifying security threats,
and auditing connections.

8. Status and Active Rule Monitoring:
UFW provides clear outputs to check the status of
the firewall and view active rules. This helps users
to verify that the firewall is running as expected and
that the correct rules are in place..9 Integration with iptables:
UFW simplifies firewall management by
translating user-defined rules into
iptables commands, offering ease of
use without sacrificing iptables' power
and flexibility.
HOW TO CONFIGURE
UFW?
1. Install UFW (if not already installed)
UFW is included by default in most Linux
distributions. If it's not installed, you can
easily install it using the package manager.

For Debian/Ubuntu:
sudo apt update sudo apt install ufw

For CentOS/RHEL:
sudo yum install epel-release sudo yum
install ufw
2. Enable UFW
Before you enable UFW, it’s a good
practice to set up your rules first to avoid
locking yourself out.

Command:
sudo ufw enable

You can check the status with:
sudo ufw status
3. Set Default Policies
UFW operates on a principle of least
privilege. By default, you should deny all
incoming traffic and allow all outgoing
traffic.

Command to set defaults:
sudo ufw default deny incoming
sudo ufw default allow outgoing

This configuration means:
All incoming connections will be
blocked unless explicitly allowed.
All outgoing connections will be
allowed.
4. Allow Specific Incoming Traffic
You can allow specific services or ports based on
your requirements. Common examples include
SSH, HTTP, and HTTPS.

Allow SSH (port 22):
sudo ufw allow ssh

Allow HTTP (port 80):
sudo ufw allow http

Allow HTTPS (port 443):
sudo ufw allow https

Allow a specific port (e.g., custom application on
port 3000):
sudo ufw allow 3000

Allow a range of ports:
sudo ufw allow 5000:6000/tcp
5. Deny Specific Incoming Traffic
If you want to deny specific traffic, you can do so
with a deny command.

Example:
sudo ufw deny 23 # Deny Telnet (port 23)

6. Allow Outgoing Traffic (Optional)
If you need to control outgoing traffic, you can
specify rules similar to incoming traffic.

Example:
Allow outgoing traffic on a specific port:
sudo ufw allow out 12345

7. Limit Connections for Specific Services
To enhance security, you can limit the number of
connections to certain services. This helps prevent
brute-force attacks.
Example: Limit SSH connections to 5 attempts:
sudo ufw limit ssh
8. Check UFW Status and Rules
You can view the current status and the rules you’ve
configured with:

sudo ufw status verbose

9. Logging
Enabling logging can help you monitor connections
and see if any attempts are made to access
restricted services.

Command:
sudo ufw logging on

You can view logs (usually found in /var/log/ufw.log):
sudo less /var/log/ufw.log

10. Disable UFW (if necessary)
If you need to disable UFW temporarily:

sudo ufw disable
11. Advanced Configuration (Optional)
For more advanced configurations, you can
specify rules by IP address or subnets.

Allow a specific IP:
sudo ufw allow from 192.168.1.100

Allow traffic from a subnet:
sudo ufw allow from 192.168.1.0/24
WHAT IS FIREWALL?
A firewall is a fundamental security device or
software used to protect networks and
systems by monitoring and controlling
incoming and outgoing network traffic. It
acts as a barrier between trusted internal
networks and untrusted external networks,
such as the internet, enforcing security
policies to safeguard sensitive information.
KEY CONCEPTS
OF FIREWALLS
1. Traffic Monitoring:
Firewalls inspect data packets on a
network, analyzing their contents—
such as IP addresses, ports, and
protocols—to decide whether to
allow or block the traffic.

2. Traffic Control:
Firewalls control network traffic
based on predefined security rules,
allowing administrators to specify
which applications, services, or
users can communicate.
3. Predetermined Security Rules:
Firewalls operate based on rules set
by network administrators, which
can allow or deny traffic from
specific IP addresses, permit or
block certain ports, or filter by
protocol type (e.g., TCP, UDP).

Rules can also be dynamic,
adjusting based on the context of
the traffic, such as distinguishing
between established connections
and new requests.
FUNCTIONS OF
FIREWALLS
1. Access Control:
Firewalls enforce access policies by
allowing or blocking traffic based on
established rules. This helps protect
the network from unauthorized
access and potential attacks.

2. Intrusion Prevention:
Many firewalls include features to
detect and prevent unauthorized
access or attacks. They can block
suspicious activity and alert
administrators to potential threats.
3. Connection State Tracking:
Stateful firewalls track active
connections, allowing them to identify
packets belonging to established
sessions and enhancing security by
permitting only legitimate traffic.

4. Logging and Reporting:
Firewalls log network activity,
recording allowed and blocked traffic,
which is valuable for monitoring
security incidents, conducting audits,
and analyzing network usage.
5. User Authentication:
Some firewalls require user
authentication before allowing access
to certain network resources, ensuring
that only authorized individuals can
connect.

6. Support for VPNs:
Firewalls often provide support for
Virtual Private Networks (VPNs),
facilitating secure remote access to
internal networks while encrypting
data transmitted over the internet.
DIFFERENT
TYPES OF
FIREWALLS
1. Hardware Firewalls
Hardware firewalls are physical devices
that serve as gatekeepers between a
network and the internet, typically
installed at the network perimeter.

Use:
Network Protection: Hardware firewalls
protect entire networks by filtering traffic
before it reaches individual devices.

Performance: They can manage large
traffic volumes without significantly
impacting network performance.
Centralized Management:
Administrators can manage rules and
settings for all network-connected
devices from a single location.

Common Examples:
Dedicated appliances from vendors
like Cisco, Fortinet, and Palo Alto
Networks.
2. Software Firewalls
Software firewalls are applications
installed on individual devices that
monitor and control network traffic.

Use:
Device-Level Protection: Software
firewalls offer tailored protection for
individual devices, making them ideal for
personal computers and mobile devices.

Granular Control: They enable users to set
rules for specific applications or services
on the device.
User-Friendly: They are often easier
for non-technical users to configure
and manage than hardware firewalls.

Common Examples:
Built-in firewalls in operating systems
(e.g., Windows Firewall, macOS
Firewall) and third-party solutions like
ZoneAlarm and Norton.
3. Cloud Firewalls
Cloud firewalls, or Firewall as a Service
(FWaaS), are hosted in the cloud and
protect cloud-based resources and
applications.

Use:
Scalability: Cloud firewalls can easily scale
to adapt to changing traffic patterns and
growing data needs.

Remote Protection:
They protect applications and data
accessed from various locations, ideal for
businesses with remote employees or
distributed networks.
Integration: They are often integrated
with other cloud services and security
solutions, offering a comprehensive
security posture for cloud
environments.

Common Examples:
Cloud-based firewall services offered
by providers like AWS (AWS WAF),
Microsoft Azure (Azure Firewall), and
Google Cloud (Cloud Armor).
WHAT IS WIRESHARK?
Wireshark is a powerful open-source
network protocol analyzer used for
troubleshooting, analysis, software
development, and education. It allows
users to capture and browse network
traffic in real-time.
 ROLE OF
WIRESHARK
1. Packet Capture
Real-Time Monitoring: Wireshark
captures live network traffic from
various interfaces (e.g., Ethernet, Wi-
Fi), allowing users to view all
transmitted packets in real-time.

Selective Capture: Users can set
filters to capture only traffic that
meets specific criteria (e.g., IP
addresses or protocols), reducing
noise and highlighting relevant data.
2. Protocol Analysis
Detailed Inspection:
Wireshark supports thousands of
protocols and offers detailed information
about each packet's structure and
content, helping users understand data
transmission over the network.

Layered Analysis: Users can analyze
packets at different OSI model layers,
enabling a comprehensive understanding
of network interactions.
3. Filtering and Searching
Powerful Filters:
Wireshark provides strong filtering
capabilities, allowing users to apply
capture filters (before capturing) and
display filters (after capturing) to isolate
specific traffic, which is essential for
addressing particular issues or protocols

Search Functions: Users can search
captured data for specific terms or
patterns, facilitating quick identification of
relevant packets.
4. Visualization and Statistics
Graphical Representations: Wireshark
offers graphical representations of traffic
data, like flow graphs and protocol
hierarchy statistics, to visualize network
performance and identify anomalies.

Traffic Statistics: Users can generate
statistics like packet counts, throughput,
and protocol distributions to assess
network health and performance.
5. Troubleshooting and Debugging
Identifying Issues: Network administrators
use Wireshark to troubleshoot issues like
packet loss, latency, and connectivity
problems by examining packet flow to
identify problem areas.

Protocol Debugging: Developers use
Wireshark to debug applications, ensuring
network communications follow expected
protocols and identifying transmission
errors.
6. Security Analysis
Anomaly Detection: Security professionals
use Wireshark to detect unusual patterns
or malicious activity, like unauthorized
access or data exfiltration.

Incident Response: In a security incident,
Wireshark helps forensic analysts
investigate by providing detailed logs of
network activity.
7. Educational Tool
Learning Resource: Wireshark is widely
used in education to teach networking
concepts, protocol structures, and packet
analysis, making it a valuable resource for
students and trainees.
HOW TO USE
WIRESHARK?
1. Setting Up Wireshark
Installation: Download and install
Wireshark from its official website; it's
available for Windows, macOS, and Linux.

Permissions:
Ensure you have the necessary
permissions to capture network traffic;
administrative or root access may be
required on some systems.

2. Capturing Network Traffic
Select Network Interface: Open Wireshark
and select the network interface to
monitor (e.g., Ethernet, Wi-Fi) for
capturing data packets.
3. Monitoring Network Activity
Real-Time Analysis: Wireshark displays
captured packets in real-time, showing
source and destination IP addresses,
protocols, and packet lengths.

4. Troubleshooting Network Issues
Identify Problematic Packets: Look for
error messages or unusual behaviors in
packet details, like retransmissions or
timeouts.
5. Identifying Potential Security Issues
Monitor for Anomalous Traffic:Look for
unusual patterns, like unexpected traffic to
external IPs or high volumes to a specific
port.

Detect Unauthorized Access: Analyze
login attempts, particularly failed ones, as
they may indicate unauthorized access
attempts.

6. Saving and Analyzing Captured Data
Save Captures: After capturing the
required data, save the capture file for
later analysis.
7. Generating Reports
Statistics: Utilize Wireshark’s built-in
statistics tools to generate reports on
packet counts, protocol distribution, and
other metrics. This can help in
understanding network health and
performance trends.
THANKYOU