=================================================
ADVANCED NETWORKING
Logical Networks
=================================================
A physical network describes how devices are physically connected together with cables and interconnected devices (switches/routers etc)
A logical network describes how devices communicate and are controlled by network services (authentication, authorisation, accounting)
Workgroup
Is the default network location for a windows computer
May also be referred to as a 'Local' or 'Peer-Peer' network
Limited to 20 concurrent connections
Ideally used in Small Office/Home Office networks
Commonly found in Domestic/Home networks
Microsoft Workgroup:
A user has a unique Username
A Computer has a unique Hostname
The user logs on to the computer using a local authentication process with the local SAM/Registry
A local profile is set for each user on the computer
Users will need a separate account on each computer within the Workgroup
Data may be stored locally on each machine or on network shares
Windows Workgroup information can be seen by going to:
Windows 10 -> Control Panel -> System and Security -> System -> Command Prompt
Type = "systeminfo"
Look for = "Domain" & "Logon Server"
Workgroup Considerations
Domain (Microsoft Domain)
This is a logical network which allows for the centralisation of assets, primarily to enhance security.
They are used for large/enterprise networks
Very large enterprises may include several Domains which are broken into a 'Tree' structure.
Multiple 'Trees' in Active Directory are referred to as a 'forest'
(However a single Domain or Tree is also generally referred to as a Forest).
Small Businesses may also utilise the benefits of a Domain
Domain Example:
1st Domain = police.uk
2nd Domain = pnn.police.uk
3rd Domain = thamesvalley.pnn.police.uk
User = [email protected]
Email = [email protected]
A Domain Controller (DC) exists to control the network:
AAA - KERBEROS system
All accounts (Users and Computers) and groups are centrally controlled and stored
Uses Microsoft Active Directory Services
Uses Domain Naming Services (DNS)
Domain members (computers) use Fully Qualified Domain Names (FQDN)
(fileServer1.Cyber.Com)
Domain users are identified by User Principal Names (UPN)
([email protected]) - Sometimes this is used as the email address as well
Security Logs and Auditing are centralised.
When a computer joins a network it goes through the DC through the Global Catalogue (GC)
The applications are installed on the DC and run through the local computer
When a user logs in it will also go through the DC which uses the GC.
Authentication is run through the DC
The Key Distribution Centre (KDC).
This will issue the user with a ticket (KERBEROS ticket)
On the ticket is stamped his:
A larger network which:
Has a Domain Controller - The trusted device
Server file share - The resource
Ticket - The requester
This is using a KERBEROS system
AD - Active Directory:
This allows admins to centrally control and administer users and computers within the Domain.
Each User/Computer is placed in a container or Organisational Unit. This may be organised by department, location or role.
Users and Computers may be placed into groups which are used to allow access to resources across the Domain.
Groups are controlled using procedural and technical controls to ensure that the correct permissions are allocated to each group.
Domain Logon Procedure:
The Computer account 'logs on' first by contacting the local DC and joining the Domain.
Once authenticated, the Computer allows the User to input their credentials (Username & Password) through the SAM database (Security Account Management) located in the local registry.
The credentials are checked and authenticated by the DC, which confirms the authentication by issuing a Kerberos authentication ticket (TGT)
The Domain Controller records this process in the Security Logs and provides a very accurate record of when a user accesses the system and all subsequent activity.
Domain Administration:
The highest level of Administration on a Domain network is held by the Enterprise Administrator, who is able to access every aspect of Active Directory across the Forest.
It is best practice to limit the number of Enterprise Administrators to a bare minimum.
Domain Administrators are responsible for all assets in a Domain.
Once again, best practice is to restrict the number of Domain Admins on a network - however in reality this is rarely observed.
Other administrative groups exist in Active Directory but these are rarely used, as the roles and responsibilities are covered by being a member of Enterprise or Domain Admins.
Enterprise and Domain Administrators can be of great assistance in an investigation.
Enterprise and Domain Administrators can be of great concern if suspected in an investigation.
Domain Considerations:
Multiple Domain Controllers are often used but they are all identical (for the purposes of Active Directory)
Accounts and associated logs are stored on the DC
May require specialist assistance
Does the User still have 'local' rights?
Where does the User store his/her data?
Is specific auditing enabled?
What groups does the user belong to?
Does the company use a BYOD policy or Federation Services?
Widely used in larger organisations, including:
=================================================
Physical Networks
OSI
=================================================
The Open Systems Interconnection (OSI) model describes how data and network information are communicated from an application on one computer, through the network media, to an application on another computer
Key Layers:
OSI
7. Application
6. Presentation
5. Session
------------------------------
4. Transport
------------------------------
3. Network
------------------------------
2. Datalink
1. Physical
TCP/IP
___________________________________
Application layer (7)
Provides connectivity between users and application processes to access network services.
This layer contains a variety of commonly needed functions:
Resource sharing - NFS, FTP, HTTP
Network management - SNMP, TELNET
Directory services - LDAP
Electronic messaging (such as mail) - SMTP, POP3
___________________________________
Presentation Layer (6)
Formats the data to be presented to the application layer.
It acts as the 'translator' for the network
The presentation layer provides:
Character code translation
Data conversion
Data compression: reduces the number of bits that need to be transmitted on the network.
Data encryption: encrypts data for security purposes, for example password encryption.
___________________________________
Session Layer (5)
Allows session establishment between processes running on different stations.
This layer provides:
___________________________________
Transport Layer (4)
This ensures that messages are delivered error-free, in sequence, with no losses or duplications.
It provides:
Transmission Control Protocol (TCP) / User Datagram Protocol (UDP)
Both work at this layer
TCP handshake
TCP allows for reliable end to end data communications
TCP is susceptible to
Ports are associated with Layer 4
The Firewall will open the ports depending on its setup
Recognition of well-known ports is useful when analysing the results of the following data:
Useful ports to know:
20 FTP File Transfer Protocol
21 FTP File Transfer Protocol
22 SSH Secure Shell
23 TELNET
25 SMTP Simple Mail Transfer Protocol
53 DNS Domain Name Service
80 HTTP HyperText Transfer Protocol
110 POP3 Post Office Protocol 3
143 IMAP Internet Message Access Protocol 4
443 HTTPS HyperText Transfer Protocol Secure
___________________________________
Network Layer (3)
This controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service and other factors.
It provides:
Routing
Internet Protocol (IPv4 / IPv6)
IP addresses are logical addresses which are allocated to a network device.
They are required to connect to a resource and must be resolved from the FQDN.
This is achieved by several means.
They may be:
Statically assigned (fixed IP addresses)
Automatically Assigned (DHCP = Dynamic Host Configuration Protocol)
Public (to gain access to the internet)
Private (used on internal networks)
IPv4 (32 Bits)
IPv6 (128 Bits)
Examples:
Address Resolution Protocol (ARP) - See Layer 2
DNS:
FQDN = Fully Qualified Domain Name --> IP
The reverse of this is an I.P. lookup
The DNS server is known as a ZONE
A record - FQDN (Fully Qualified Domain Name) --> IPv4
AAAA - FQDN (Fully Qualified Domain Name) --> IPv6
PTR - Pointer Record IP --> FQDN
SOA - Start of Authority gives another server authority
NS record - Name Server shows the SOA
MX - Mail eXchanger
CNAME - Canonical Name record maps one domain name to another
ALIAS - Another name for CNAME
___________________________________
Data Link Layer (2)
Provides error-free transfer of data frames from one node to another over the Physical Layer (1)
This Layer provides:
Link establishment and termination
Frame traffic control
Frame sequencing
Frame acknowledgment
Frame error checking
MAC Addressing
Devices include:
Address Resolution Protocol (ARP):
___________________________________
Physical Layer (1)
Deals with the transmission and reception of the unstructured raw bit stream over a physical medium.
It provides:
Devices include:
=================================================
Physical Networks
Security
=================================================
The four main attacks against a network:
Securing the Network:
Security of a network incorporates many different techniques and controls.
These are broken down into:
Below is an overview of some of the controls, which dovetail with some of the networking features and technologies already discussed.
Firewalls:
The primary function of a firewall is to provide protection for a network by preventing unwanted traffic entering from other networks
Most commonly used at the perimeter of a private network to protect it from the public Internet.
Firewalls may be software and/or hardware based
In simple terms a firewall is a device with two (or more) network interfaces that can examine the traffic between two networks and only allow traffic through that has been defined as allowable.
The basic form of firewall is a packet filter that looks at source and destination information such as addresses, port numbers and protocols, and makes forwarding decisions on that information
A packet filter examines the information contained in TCP and IP packet headers.
A packet filter works at layer 3 & 4
Circuit level gateways include layer 5 of the OSI model and base the forwarding decisions on the connections between the two endpoints as well as address information
Application level gateways work at layer 7 and are application specific, as in a web gateway that examines HTTP traffic
Application gateways can examine the data packets so can filter on HTTP requests and content returned
Another term for application gateway is proxy server.
Very useful logs produced
Stateful multilayer Inspection Firewall:
These combine the functions of the previous firewall types, work from layers 3 to 7 and examine all aspects of packets, headers and data.
This also looks at the state of the TCP flags to ensure the connection is valid and has been setup in the right direction
i.e. it will allow a connection from inside to out but not from outside to in
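As an added example (not part of the original notes), the packet filter and the stateful check above in code. The rule set, the private LAN prefix and the packet headers are constructed for illustration: a stateless filter decides on layer 3/4 fields only, while the stateful wrapper allows a TCP session only if it was set up with a SYN in a permitted direction, so replies to inside-initiated connections pass but unsolicited packets from outside do not.

```python
from dataclasses import dataclass

# Constructed layer-3/4 header; a packet filter never looks past this.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                        # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

INTERNAL_NET = "192.168.1."           # assumed private LAN prefix (constructed)

# Stateless packet filter rules: (direction, protocol, destination port, action).
# First match wins; anything unmatched is denied.
RULES = [
    ("out", "tcp", 443, "allow"),     # browsing from inside
    ("out", "tcp", 80, "allow"),
    ("out", "udp", 53, "allow"),      # DNS lookups from inside
    ("in", "tcp", 25, "allow"),       # internal mail server reachable from outside
]

def packet_filter(pkt):
    direction = "out" if pkt.src_ip.startswith(INTERNAL_NET) else "in"
    for rule_dir, proto, port, action in RULES:
        if (rule_dir, proto, port) == (direction, pkt.proto, pkt.dst_port):
            return action
    return "deny"

class StatefulFirewall:
    """Stateful inspection: a TCP session must start with a SYN in a permitted
    direction; later packets are allowed only if they belong to that session."""
    def __init__(self):
        self.sessions = set()         # (src_ip, src_port, dst_ip, dst_port) of allowed SYNs

    def inspect(self, pkt):
        if pkt.proto != "tcp":
            return packet_filter(pkt)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.flags == {"SYN"}:      # connection attempt: consult the rule set
            verdict = packet_filter(pkt)
            if verdict == "allow":
                self.sessions.add(key)
            return verdict
        if key in self.sessions or reverse in self.sessions:
            return "allow"            # reply or continuation of an established session
        return "deny"                 # e.g. an unsolicited ACK from outside
```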
Proxy Servers:
These may be referred to as a 'Caching NAT' service
They provide logs of activity and can be enabled to filter activity based on content, URL, keywords, etc.
VPN Gateways:
Virtual Private Networks are widely implemented to provide availability for remote workers.
User logs in from anywhere with the benefit of a secure connection over the Internet.
The remote VPN connections are terminated at the destination on a VPN concentrator or gateway.
This terminates the encrypted connection and forwards the unencrypted traffic to its true destination within the network.
IDS - Intrusion Detection Systems:
***PASSIVE***
-This is the guard at the gate to the network-
-They will look for suspicious activity and call the control room (IPS) if they see any-
These are placed on segments of a network so they can detect unauthorised activity or malicious traffic.
They are passive devices in that they can detect the presence of malicious traffic and raise an alert but they do not prevent the traffic from reaching its destination
IDS can be network based - (NIDS) - where it monitors segments for malicious traffic, or host based - (HIDS) - where it is installed on a host and monitors traffic coming into the host, and also local activity on the host.
IDS uses several methods to detect malicious traffic:
-Signature based - IDS has a database of the signatures of known malicious traffic, a bit like anti-virus.
-Anomaly based - IDS can be trained to know what is normal traffic so when different traffic patterns are seen it raises an alert.
-Behaviour based - IDS reacting to activity above/below baseline behaviour
-Heuristics - the ability to make "an educated guess" as to whether traffic is malicious or not.
Very useful logs produced
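As an added example (not from the original notes), the signature-based and anomaly-based methods above run over a handful of constructed web-server log lines. The signature database and the rate baseline are illustrative assumptions: signatures match known-bad request patterns, while the anomaly detector learns the busiest source in "normal" traffic and alerts on any source that later exceeds that baseline by a factor.

```python
import re
from collections import Counter

# Constructed web-server style log lines (source IP, method, path, status).
NORMAL_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.8 GET /contact.html 200
198.51.100.9 GET /index.html 200
"""
SUSPECT_LOG = """\
198.51.100.7 GET /login.php?user=admin'%20OR%20'1'='1 200
10.0.0.8 GET /../../etc/passwd 404
""" + "203.0.113.4 GET /login.php 401\n" * 12   # one source hammering the login page

# Signature-based detection: a database of known-bad patterns, much like
# anti-virus signatures. Each hit is reported as (source IP, signature name).
SIGNATURES = {
    "sql-injection": re.compile(r"'(%20|\s)*OR(%20|\s)+'", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_alerts(log_text):
    alerts = []
    for line in log_text.splitlines():
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((line.split()[0], name))
    return alerts

# Anomaly-based detection: learn what "normal" looks like (here, the busiest
# source's request count) and alert when a source exceeds that baseline by a factor.
def requests_per_source(log_text):
    return Counter(line.split()[0] for line in log_text.splitlines() if line.strip())

def train_baseline(normal_log_text):
    counts = requests_per_source(normal_log_text)
    return max(counts.values()) if counts else 0

def anomaly_alerts(log_text, baseline, factor=3):
    return [(ip, n) for ip, n in requests_per_source(log_text).items()
            if n > baseline * factor]
```

Note that the traversal line would be missed by the anomaly detector (one request is not anomalous) and the flood would be missed by the signatures (each request looks benign), which is why real deployments combine the methods.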
IPS - Intrusion Prevention System:
***PROACTIVE***
-This is the control room the guard(IDS) calls when they see something suspicious-
-The control room will take action against the suspicious activity-
This is where the traffic has to go through the device, which has the ability to be proactive and block the suspect traffic.
They can be network based (NIPS), or host based (HIPS) and work in a similar way to IDS
NIPS placed at the edge of a network is replacing the role of the traditional firewall because the firewall works on fixed rule sets whereas the IPS can react dynamically to threats.
Very useful logs produced
=================================================
Network Security
=================================================
All-In-One security appliances (AKA Security Gateways or UTM (Unified Threat Management) system) are designed to sit between the Internet and internal LAN.
They can implement the following technologies:
SPAM filters:
These are software or hardware based tools which identify and subsequently block/filter unwanted email traffic.
Unwanted emails consume bandwidth, may lessen productivity and may be used to carry malware in the form of attachments.
Most email client software has some form of SPAM filtering built into it or this service is provided at source by the email provider.
=================================================
Network Design Elements
=================================================
DMZ - Demilitarised Zone (AKA Transitional Subnet)
This acts as a buffer between the Internet (untrusted) and a private LAN (trusted)
Implemented between 2 Firewalls or a Multihomed device
Incorporates part of the Layered Security / Defence in Depth approach to network security
NAT - Network Address Translation
This converts private 'internal' IP addresses into public 'external' addresses for external routing
It also provides a layer of security by masquerading internal addressing systems from public viewing
Serves as a basic Firewall
PAT - Port Address Translation
Is similar to NAT but connects a single Public IP address to internal TCP Port Numbers used by the internal hosts
Variations of NAT include NAT Traversal (NAT-T), which supports IPSEC and other tunnelling VPN protocols, and Protocol Translation systems, which allow IPv4 and IPv6 networks to use NAT in the interim until IPv6 becomes mainstream.
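As an added example (not from the original notes), a minimal PAT table in code. The public address, the internal hosts and the starting port are constructed for illustration: each internal (address, port) pair is rewritten to the single public IP with a unique public port, return traffic is mapped back through the same table, and inbound packets to a port no internal host opened are dropped, which is the sense in which NAT/PAT serves as a basic firewall.

```python
import itertools

PUBLIC_IP = "203.0.113.1"   # assumed single public address of the NAT device (constructed)

class PortAddressTranslator:
    """Many-to-one NAT (PAT): rewrites each internal (ip, port) to the public IP
    plus a unique public port, and reverses the mapping for reply traffic."""
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.outbound = {}   # (internal_ip, internal_port) -> public_port
        self.inbound = {}    # public_port -> (internal_ip, internal_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host -> Internet: returns the rewritten header fields."""
        key = (src_ip, src_port)
        if key not in self.outbound:          # new flow: allocate a public port
            pub_port = next(self._next_port)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internet -> internal host: returns rewritten fields, or None to drop.
        Only ports an internal host has opened are forwarded; everything else
        has no mapping, so unsolicited inbound traffic is discarded."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        int_ip, int_port = self.inbound[dst_port]
        return (src_ip, src_port, int_ip, int_port)
```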
Remote Access / Remote Access Servers (RAS)
Support VPN / Terminal Service connections
Different technologies supported by Servers or dedicated devices:
VPN
Dial-up Modem
Remote Desktop Connections (Terminal Services)
Wireless
Supported by Local or Remote Authentication, Authorisation and Accounting (AAA) services such as:
Older systems use POTS/PSTN services
Newer systems use:
Network Access Control (NAC)
This is a way of controlling client access to a network that goes beyond authentication and looks at the connecting device.
NAC is used to:
Reduce Zero Day attacks
Enforce Network Security Policies
Use identities to perform access controls
NAC can be configured for the following examples:
Firewall Policy settings
Anti-Virus / Anti-Spyware definitions
Updates (patches)
Computer/Device identity (visiting mobile devices etc).