Platform-Security-Tools.pdf

Full Transcript

PLATFORM SECURITY TOOLS PLATFORM SECURITY TOOLS NMAP UFW FIREWALL WIRESHARK WHAT IS NMAP? Nmap, also known as Network Mapper, is a strong, free tool used to discover networks and check their security. It helps users scan networks to find devices, services, open ports, and potentia...

PLATFORM SECURITY TOOLS PLATFORM SECURITY TOOLS NMAP UFW FIREWALL WIRESHARK WHAT IS NMAP? Nmap, also known as Network Mapper, is a strong, free tool used to discover networks and check their security. It helps users scan networks to find devices, services, open ports, and potential vulnerabilities. Nmap is widely used by network administrators, cybersecurity professionals, and IT personnel to monitor, secure, and troubleshoot networked devices. Essentially, Nmap is like a radar for networks, allowing you to see what's happening and identify potential issues. PURPOSE AND CAPABILITIES OF NMAP NETWORK DISCOVERY Nmap is used to explore and map large or small networks, helping to identify what devices are present, their IP addresses, and how they are connected. This can include systems like servers, routers, switches, and IoT devices. SECURITY AUDITING Nmap aids in detecting security weaknesses, such as open ports or misconfigured devices, that could expose a network to threats. By identifying vulnerable services and outdated software versions, it enables proactive defense against potential cyberattacks. HOW TO USE NMAP? BASIC NETWORK SCANNING Using Nmap (Network Mapper) to scan networks, identify open ports, and detect services and vulnerabilities is a straightforward but powerful process. BASIC NETWORK SCANNING Nmap can scan a network to identify active hosts and devices. Command: nmap Example: To scan a single host: Command: nmap 192.168.1.10 To scan a range of IP addresses (e.g., entire subnet): Command: nmap 192.168.1.0/24 This will show which devices are live and responding on the network. PORT SCANNING Port scanning checks a system for open, closed, or filtered ports, helping identify available services and potential vulnerabilities. Nmap is a popular tool for this task. PORT SCANNING Nmap can scan for open ports on devices, allowing you to see which services are accessible. Command: nmap -p Example: To scan a specific port (e.g., SSH on port 22): Command: nmap -p 22 192.168.1.10 To scan a range of ports (e.g., ports 20-80): Command: nmap -p 20-80 192.168.1.10 To scan all 65,535 ports (full scan): Command: nmap -p- 192.168.1.10 Nmap will return a list of ports that are open, closed, or filtered, providing insight into what services might be accessible. DETECT SERVICES To detect services running on a networked device, Nmap can identify which ports are open and attempt to determine what services are running on those ports. DETECT SERVICES To gain more information about the services running on the open ports (like their version), use Nmap’s service detection feature. This can reveal potential vulnerabilities if services are outdated. Command: nmap -sV Example: Command: nmap -sV 192.168.1.10 This scan will not only list the open ports but also try to identify the exact services and their versions (e.g., Apache 2.4.41 on port 80). This is useful for discovering services that may be running outdated or vulnerable versions. SCANNING FOR VULNERABILITIES Nmap's Scripting Engine (NSE) enables vulnerability scans by running scripts that detect weaknesses in services, applications, or network configurations, helping identify security issues in your systems. SCANNING FOR VULNERABILITIES Nmap has a powerful scripting engine (NSE), which allows you to run scripts to detect specific vulnerabilities. Command: nmap --script Example: To run a script that checks for common vulnerabilities like Heartbleed: Command: nmap --script ssl-heartbleed 192.168.1.10 Or, to run a set of default scripts for common vulnerabilities: Command: nmap -sC 192.168.1.10 SCANNING FOR VULNERABILITIES You can also run multiple scripts or a script suite: Command: nmap --script=vuln 192.168.1.10 This will run all the vulnerability-related scripts to identify weaknesses like outdated services, weak passwords, and more. WHAT IS UFW? UFW (Uncomplicated Firewall) is a user- friendly interface for managing firewall rules on Linux systems. It is designed to simplify the process of configuring firewalls, making it easier for beginners by using a straightforward syntax instead of complex commands. UFW is commonly used on Ubuntu and other Debian-based systems. By using UFW, you can effectively manage your network's security and protect your systems from unauthorized access. PURPOSE OF UFW The main goal of UFW is to manage firewall settings and ensure network security by controlling access to ports and services on a system. It simplifies firewall rule configuration without the need for direct interaction with the more complex iptables system. UFW ROLE IN MANAGING FIREWALL ON LINUX SYSTEMS 1. Simplified Firewall Rule Configuration: UFW simplifies iptables, allowing users to manage firewall rules easily with simple commands. This enables users to: Allow or block specific ports or services Filter traffic based on IP addresses or ranges Control both inbound and outbound traffic 2. Default Policies: A key aspect of firewall management is setting default policies. UFW simplifies establishing global rules for handling incoming and outgoing connections: Default Deny Incoming: Blocks all incoming traffic except what is explicitly allowed. Default Allow Outgoing: Allows all outgoing connections by default (unless restricted). 3. Port and Protocol Control: UFW allows granular control over which ports and protocols are accessible. You can specify: Port Numbers: Control traffic on specific ports (e.g., HTTP on port 80, HTTPS on port 443). Protocols: Define whether rules apply to TCP, UDP, or both. 4. Service-Based Rules: Instead of specifying individual port numbers, UFW supports service names. Many common services (e.g., SSH, HTTP, Apache, etc.) are predefined, allowing you to set rules quickly by service name. 5. Managing Traffic by IP or Subnet: UFW can manage network traffic not just by ports but also by IP address or range of addresses (subnet). This is especially useful for securing a server by limiting access to trusted IP ranges. 6. Enabling and Disabling the Firewall: UFW makes it easy to enable or disable the firewall without losing your configured rules. This is useful when performing maintenance or troubleshooting. 7. Logging: UFW includes logging capabilities to help monitor network traffic and firewall activity. This is essential for diagnosing issues, identifying security threats, and auditing connections. 8. Status and Active Rule Monitoring: UFW provides clear outputs to check the status of the firewall and view active rules. This helps users to verify that the firewall is running as expected and that the correct rules are in place..9 Integration with iptables: UFW simplifies firewall management by translating user-defined rules into iptables commands, offering ease of use without sacrificing iptables' power and flexibility. HOW TO CONFIGURE UFW? 1. Install UFW (if not already installed) UFW is included by default in most Linux distributions. If it's not installed, you can easily install it using the package manager. For Debian/Ubuntu: sudo apt update sudo apt install ufw For CentOS/RHEL: sudo yum install epel-release sudo yum install ufw 2. Enable UFW Before you enable UFW, it’s a good practice to set up your rules first to avoid locking yourself out. Command: sudo ufw enable You can check the status with: sudo ufw status 3. Set Default Policies UFW operates on a principle of least privilege. By default, you should deny all incoming traffic and allow all outgoing traffic. Command to set defaults: sudo ufw default deny incoming sudo ufw default allow outgoing This configuration means: All incoming connections will be blocked unless explicitly allowed. All outgoing connections will be allowed. 4. Allow Specific Incoming Traffic You can allow specific services or ports based on your requirements. Common examples include SSH, HTTP, and HTTPS. Allow SSH (port 22): sudo ufw allow ssh Allow HTTP (port 80): sudo ufw allow http Allow HTTPS (port 443): sudo ufw allow https Allow a specific port (e.g., custom application on port 3000): sudo ufw allow 3000 Allow a range of ports: sudo ufw allow 5000:6000/tcp 5. Deny Specific Incoming Traffic If you want to deny specific traffic, you can do so with a deny command. Example: sudo ufw deny 23 # Deny Telnet (port 23) 6. Allow Outgoing Traffic (Optional) If you need to control outgoing traffic, you can specify rules similar to incoming traffic. Example: Allow outgoing traffic on a specific port: sudo ufw allow out 12345 7. Limit Connections for Specific Services To enhance security, you can limit the number of connections to certain services. This helps prevent brute-force attacks. Example: Limit SSH connections to 5 attempts: sudo ufw limit ssh 8. Check UFW Status and Rules You can view the current status and the rules you’ve configured with: sudo ufw status verbose 9. Logging Enabling logging can help you monitor connections and see if any attempts are made to access restricted services. Command: sudo ufw logging on You can view logs (usually found in /var/log/ufw.log): sudo less /var/log/ufw.log 10. Disable UFW (if necessary) If you need to disable UFW temporarily: sudo ufw disable 11. Advanced Configuration (Optional) For more advanced configurations, you can specify rules by IP address or subnets. Allow a specific IP: sudo ufw allow from 192.168.1.100 Allow traffic from a subnet: sudo ufw allow from 192.168.1.0/24 WHAT IS FIREWALL? A firewall is a fundamental security device or software used to protect networks and systems by monitoring and controlling incoming and outgoing network traffic. It acts as a barrier between trusted internal networks and untrusted external networks, such as the internet, enforcing security policies to safeguard sensitive information. KEY CONCEPTS OF FIREWALLS 1. Traffic Monitoring: Firewalls inspect data packets on a network, analyzing their contents— such as IP addresses, ports, and protocols—to decide whether to allow or block the traffic. 2. Traffic Control: Firewalls control network traffic based on predefined security rules, allowing administrators to specify which applications, services, or users can communicate. 3. Predetermined Security Rules: Firewalls operate based on rules set by network administrators, which can allow or deny traffic from specific IP addresses, permit or block certain ports, or filter by protocol type (e.g., TCP, UDP). Rules can also be dynamic, adjusting based on the context of the traffic, such as distinguishing between established connections and new requests. FUNCTIONS OF FIREWALLS 1. Access Control: Firewalls enforce access policies by allowing or blocking traffic based on established rules. This helps protect the network from unauthorized access and potential attacks. 2. Intrusion Prevention: Many firewalls include features to detect and prevent unauthorized access or attacks. They can block suspicious activity and alert administrators to potential threats. 3. Connection State Tracking: Stateful firewalls track active connections, allowing them to identify packets belonging to established sessions and enhancing security by permitting only legitimate traffic. 4. Logging and Reporting: Firewalls log network activity, recording allowed and blocked traffic, which is valuable for monitoring security incidents, conducting audits, and analyzing network usage. 5. User Authentication: Some firewalls require user authentication before allowing access to certain network resources, ensuring that only authorized individuals can connect. 6. Support for VPNs: Firewalls often provide support for Virtual Private Networks (VPNs), facilitating secure remote access to internal networks while encrypting data transmitted over the internet. DIFFERENT TYPES OF FIREWALLS 1. Hardware Firewalls Hardware firewalls are physical devices that serve as gatekeepers between a network and the internet, typically installed at the network perimeter. Use: Network Protection: Hardware firewalls protect entire networks by filtering traffic before it reaches individual devices. Performance: They can manage large traffic volumes without significantly impacting network performance. Centralized Management: Administrators can manage rules and settings for all network-connected devices from a single location. Common Examples: Dedicated appliances from vendors like Cisco, Fortinet, and Palo Alto Networks. 2. Software Firewalls Software firewalls are applications installed on individual devices that monitor and control network traffic. Use: Device-Level Protection: Software firewalls offer tailored protection for individual devices, making them ideal for personal computers and mobile devices. Granular Control: They enable users to set rules for specific applications or services on the device. User-Friendly: They are often easier for non-technical users to configure and manage than hardware firewalls. Common Examples: Built-in firewalls in operating systems (e.g., Windows Firewall, macOS Firewall) and third-party solutions like ZoneAlarm and Norton. 3. Cloud Firewalls Cloud firewalls, or Firewall as a Service (FWaaS), are hosted in the cloud and protect cloud-based resources and applications. Use: Scalability: Cloud firewalls can easily scale to adapt to changing traffic patterns and growing data needs. Remote Protection: They protect applications and data accessed from various locations, ideal for businesses with remote employees or distributed networks. Integration: They are often integrated with other cloud services and security solutions, offering a comprehensive security posture for cloud environments. Common Examples: Cloud-based firewall services offered by providers like AWS (AWS WAF), Microsoft Azure (Azure Firewall), and Google Cloud (Cloud Armor). WHAT IS WIRESHARK? Wireshark is a powerful open-source network protocol analyzer used for troubleshooting, analysis, software development, and education. It allows users to capture and browse network traffic in real-time. ROLE OF WIRESHARK 1. Packet Capture Real-Time Monitoring: Wireshark captures live network traffic from various interfaces (e.g., Ethernet, Wi- Fi), allowing users to view all transmitted packets in real-time. Selective Capture: Users can set filters to capture only traffic that meets specific criteria (e.g., IP addresses or protocols), reducing noise and highlighting relevant data. 2. Protocol Analysis Detailed Inspection: Wireshark supports thousands of protocols and offers detailed information about each packet's structure and content, helping users understand data transmission over the network. Layered Analysis: Users can analyze packets at different OSI model layers, enabling a comprehensive understanding of network interactions. 3. Filtering and Searching Powerful Filters: Wireshark provides strong filtering capabilities, allowing users to apply capture filters (before capturing) and display filters (after capturing) to isolate specific traffic, which is essential for addressing particular issues or protocols Search Functions: Users can search captured data for specific terms or patterns, facilitating quick identification of relevant packets. 4. Visualization and Statistics Graphical Representations: Wireshark offers graphical representations of traffic data, like flow graphs and protocol hierarchy statistics, to visualize network performance and identify anomalies. Traffic Statistics: Users can generate statistics like packet counts, throughput, and protocol distributions to assess network health and performance. 5. Troubleshooting and Debugging Identifying Issues: Network administrators use Wireshark to troubleshoot issues like packet loss, latency, and connectivity problems by examining packet flow to identify problem areas. Protocol Debugging: Developers use Wireshark to debug applications, ensuring network communications follow expected protocols and identifying transmission errors. 6. Security Analysis Anomaly Detection: Security professionals use Wireshark to detect unusual patterns or malicious activity, like unauthorized access or data exfiltration. Incident Response: In a security incident, Wireshark helps forensic analysts investigate by providing detailed logs of network activity. 7. Educational Tool Learning Resource: Wireshark is widely used in education to teach networking concepts, protocol structures, and packet analysis, making it a valuable resource for students and trainees. HOW TO USE WIRESHARK? 1. Setting Up Wireshark Installation: Download and install Wireshark from its official website; it's available for Windows, macOS, and Linux. Permissions: Ensure you have the necessary permissions to capture network traffic; administrative or root access may be required on some systems. 2. Capturing Network Traffic Select Network Interface: Open Wireshark and select the network interface to monitor (e.g., Ethernet, Wi-Fi) for capturing data packets. 3. Monitoring Network Activity Real-Time Analysis: Wireshark displays captured packets in real-time, showing source and destination IP addresses, protocols, and packet lengths. 4. Troubleshooting Network Issues Identify Problematic Packets: Look for error messages or unusual behaviors in packet details, like retransmissions or timeouts. 5. Identifying Potential Security Issues Monitor for Anomalous Traffic:Look for unusual patterns, like unexpected traffic to external IPs or high volumes to a specific port. Detect Unauthorized Access: Analyze login attempts, particularly failed ones, as they may indicate unauthorized access attempts. 6. Saving and Analyzing Captured Data Save Captures: After capturing the required data, save the capture file for later analysis. 7. Generating Reports Statistics: Utilize Wireshark’s built-in statistics tools to generate reports on packet counts, protocol distribution, and other metrics. This can help in understanding network health and performance trends. THANKYOU

Use Quizgecko on...
Browser
Browser