Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Practical Network Scanning
Practical Network Scanning

Practical Network Scanning: Capture network vulnerabilities using standard tools such as Nmap and Nessus

Arrow left icon
Profile Icon Singh Chauhan
Arrow right icon
€18.99 per month
Paperback May 2018 326 pages 1st Edition
eBook
€8.99 €26.99
Paperback
€32.99
Subscription
Free Trial
Renews at €18.99p/m
Arrow left icon
Profile Icon Singh Chauhan
Arrow right icon
€18.99 per month
Paperback May 2018 326 pages 1st Edition
eBook
€8.99 €26.99
Paperback
€32.99
Subscription
Free Trial
Renews at €18.99p/m
eBook
€8.99 €26.99
Paperback
€32.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Practical Network Scanning

Fundamental Security Concepts

In  an ever-evolving world of technology, security and data privacy are of paramount importance. This chapter will address some of the basic concepts of IT infrastructure security. In order to secure a system, the key task is to identify and classify the information assets and define a security framework.

This chapter will cover what security means to network and system administrators. It will also explore how to build a secure network, incorporating the security principles defined in your framework. 

Let's get started with network infrastructure security. We will cover the following topics in this chapter:

  • Why security?
  • Building blocks of information security
  • Computer security
  • Network security
  • Internet security
  • Security issues, threats, and attacks

Why security?

As the internet grows and technology evolves for modern computer networks, network security has become one of the most crucial factors for everyone. This includes everyone from end users and small and medium-sized businesses (SMBs) to cloud service providers.

Due to a growing volume of network attacks, network security should be a priority when designing network architecture. To understand the importance of this, imagine what could happen if there was a network integrity breach at a bank, stock exchange, or other financial database.

The importance of network security is not just limited to the IT industry. It is also important within industries such as health care. Health records contain some of the most valuable information available, including Social Security numbers, home addresses, and patient health histories. If this data is accessed by unauthorized persons, it can be stolen or sold to the black market.

Security awareness is important for everybody and not just the IT department. If you work with internet enabled devices, it's your responsibility too. However, you can only control information security once you know how to secure it.

No one can get into your system until something is compromised. Similarly, if your door is locked from the outside, nobody can enter your house unless they gain access to a duplicate key or have a similar key built by getting physical access to the lock. A few examples of how a system might be compromised are as follows:

  • A targeted email could be sent to random users with an attachment (Drive by Download). If a user opened that attachment, their system would be compromised.
  • An email is received which poses as a domain such as banking and asks you to change your password through a provided link. Once you do this, your username and password can be stolen.
  • If a small typo is made when typing a website address into a browser, a similar page may open (Phishing) which is not genuine, and your credentials can be stolen.
  • Features provided by websites for resetting forgotten passwords can also be very risky. Let's say somebody knows my email ID and attempts to access my account by selecting a forgotten password option. If the security question asks for my date of birth, this can easily be found on my resume.
  • A password for an Excel file can easily be broken by a brute-force attack.
  • The most widespread types of ransomware encrypt all or some of the data on your PC, and then ask for a large payment (the ransom) in order to restore access to your data.
  • During DNS hijacking, an online attacker will override your computer's TCP/IP settings so that the DNS translation gets altered. For example, typing in abc.com will translate it into this IP: 140.166.226.26. However, a DNS hijacker will alter the translation so that abc.com will now send you the IP address of a different website.
  • Denial of Service network attacks disrupt the normal volume of traffic sent to targeted services with excessive amounts of traffic. This can be damaging in various ways. One example could be if a company has a Friday sale, and a competitor launches an attack on them in order to shut their services down and consequently increase their own sales.

According to research by British insurance company Lloyd's, the damage from hacks cost businesses $400 billion a year.

To further explore the cost of cybercrimes, visit the following webpage:  https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#612db25c3a91.

The market research firm Gartner estimates that global spending on cybersecurity is somewhere around $96 billion in 2018. By 2020, companies around the world are expected to spend around $170 billion—a growth rate of nearly ten percent in the next five years.

Building blocks of information security

Your data can be easily separated into the following three categories. This is especially important to know in order to determine the value of your data before planning for security:

  • Low Business Impact (LBI): If LBI data is disclosed, limited information loss could occur. Examples of this kind of data include name, gender, and/or the country of residence.
  • Moderate Business Impact (MBI): If MBI data is disclosed, disastrous information loss could occur, which directly damages the reputation of an organization. Examples of MBI data include first and last name, email ID, mailing address, and phone number.
  • High Business Impact (HBI): If HBI data is disclosed, serious information loss could occur. Access and permission must be controlled and limited to a need-to-know basis. Examples of HBI data include government IDs, credit card information, medical health records, passwords, and real-time location.

Proper security control measures are required to ensure tight security. The following flowchart helps us to understand the security process:

  • Risk Management Process: This is particularly important when designing a secure network. Risk management analysis must be done in advance as this aids designing secure infrastructure. Steps should include risk identification, risk analysis, risk ranking, and mitigation plans. For example, an ISP link can be a public or private Wide Area Network (WAN) connection. Data transfer between two sites over public infrastructure can be secured by implementing VPNs. Data transfer between two sites over private links can be future encrypted by link device. The purpose and funding of connection must be identified, and a proper risk assessment must be carried out before installing or activating any links.
  • InfoSec Design Process: Perimeter boundaries must be defined and documented. For example, connecting to WAN internet or connecting to another location over WAN must be defined. When I say boundaries, we should always take a layered approach. There is no ideal situation to ensure 100% security, but by implementing security on every layer, you can ensure tight security. A layered security method encompasses both technological and non-technological safety measures.

    For example, perimeter security can be protected by firewalls. Infrastructure details, such as server type and services running on the system, must be identified. Software and operating system bugs should be documented. IP space and security zones should be defined. System admin access should be controlled by security groups.

  • Verification process: The purpose of the verification process for each extranet/intranet connection is to generate all audit evidence documented in the compliance procedures of the security design. This will have information about users, remote IP, and tasks performed by them. Network scanning, penetration testing, and scorecard reporting provide an in-depth view of infrastructure security.

    A periodic audit is always required in order to know if there is unexpected activity.  Firewall logs, TCP/IP headers from load balancers on IIS, and two-factor authentications are examples of a verification process.

  • Security implementation process: At this stage you should have the following items ready to be implemented:
    • Security policies—password policies and access control
    • Disaster recovery plan
    • Backup and recovery plan
    • WAN recovery plan
    • Network security zones
    • Database security
    • IIS or web security
    • Data and asset classification
    • Data encryption
    • Resource control for application users
    • Operating system security
    • Incident management and response
    • Change management and version control

Computer security

Computer security is not all about end user computing, it also includes server/application infrastructure. For any data transfer between server and client, both ends should be secure. Even the communication channel should be secure enough to avoid data theft.

We know that professionals understand network security, but how about end users? We can force users to implement security strategies, but is that enough? For better security, awareness is key. Security issues are constantly being found with the software we use every day, including common and reliable programs such as Windows, Internet Explorer, and Adobe's PDF Reader. It is therefore very important that we take some simple steps towards becoming more secure.

People often think of computer security as something technical and complicated, but that is not strictly the case. In the following, we will explore the most basic and important things you should do in order to make yourself safer online:

  • Use antivirus and antimalware and know which links are safe to click in emails
  • Be careful about programs you download and run; don't trust your pop-up notifications
  • On the server level, encryption chips can be used just to avoid physical theft of hardware

Most computer facilities continue to protect their physical assets far better than their data, even when the value of the data is several times greater than the value of the hardware.

Since awareness is especially important, we should also consider how much awareness we have within the organization. This can simply be achieved by sending a few emails that look genuine and getting the statistics of how many users opened such an email. Activities can be tracked in terms of number. For example, the statistics can be viewed for how many users shared their password and how many downloaded an attachment.

Network security

With today's complex network architecture and constantly growing networks, protecting data and maintaining confidentiality play a very important role. Complex networks consist of network traffic flowing between enterprise networks, data center networks and, of course, the cloud as well. A secure network helps us to protect against data loss, cyber-attacks and unauthorized access, thus providing a better user experience. Network security technologies equip multiple platforms with the ability to deal with the exact protection requirements.

Firewalls

A firewall is a network security appliance that accepts or rejects traffic flow based on configured rules and preconfigured policies. Placement of a firewall totally depends on the network architecture, which includes protection for network perimeters, subnets, and zones. Perimeter firewalls are always placed on a network's edge to filter packets entering the network. Perimeter firewalls are the first layer of security, and if malicious traffic has managed to bypass, host-based firewalls provide another layer of protection by allowing or denying packets coming into the end host device. This is called the multilayer security approach. Multiple firewalls can be set up to design a highly secure environment.

Firewalls are often deployed in other parts of the network to provide proper segmentation and data protection within enterprise infrastructure, on access layers and also in data centers.

Firewalls can be further classified as the following:

  • Simple packet filtering
  • Application proxy
  • Stateful inspection firewalls
  • Next-Generation Firewall

A traditional firewall provides functions such as Packet Address Translation (PAT), Network Address Translation (NAT), and Virtual Private Network (VPN). The basic characteristic of a traditional firewall is that it works according to the rules. For example, a user from subnet (10.10.10.0/24) wants to access Google DNS 8.8.8.8 on a UDP port 53.

A typical firewall rule will look like this:

Source IP

Destination IP

Protocol

Port

Action

10.10.10.0/24

8.8.8.8/32

UDP

53

Permit

However, Next-Generation Firewall works based on application and user-aware policies. Application-level control allows you to set policies depending on the user and the application.

For example, you can block peer-to-peer (P2P) downloads completely or disable Facebook chat without even blocking Facebook.

We will discuss firewalls in detail in upcoming chapters. The following diagram reflects zones and connectivity, which shows how firewall zones connect to multiple businesses:

  • Demilitarized zone (DMZ): Internet-facing applications are located in DMZ. Other services on other zones remain inaccessible to the internet. The most common services placed in DMZ include email services, FTP servers, and web servers.
  • Inside zone: The inside zone is known as the trusted zone to users. Applications in that area are considered highly secure. In the trusted area, security is maintained by denying all traffic from less trusted zones in any given firewall by default.
  • Cloud and internet zone: Let's not focus on naming these. They are standard segments we see on an enterprise network. These zones are considered to be below security zones.

Intrusion detection systems / intrusion prevention systems

There is a high chance that attacks may enter a network. Intrusion prevention system (IPS) / Intrusion detection system (IDS) is a proactive measure to detect and identify suspicious or undesirable activities that indicate intrusion. In IDS, deployment can be online or offline, and the basic idea is to redirect traffic you wish to monitor. There are multiple methods like switch port SPAN or fiber optic TAP solution, which can be used to redirect traffic. Pattern matching is used to detect known attacks by their signature and anomalies. Based on the activity, monitoring alerts can be set up to notify the network administrator.

As the following diagram shows, SPAN port is configured on a switch in order to redirect traffic to the IDS sensor. An actual SPAN port creates a copy of data flowing for a specific interface and redirects it to another port on the switch:

IPS offers proactive detection and prevention against unwanted network traffic. In an inline placement of IPS, all the traffic will travel via IPS devices. Based on the rules, actions can then be taken. When a signature is detected on an IPS device it can be used for resetting, blocking, and denying connections, as well as logging, monitoring, and alarming. A system admin can also define a policy-based approach with defined policy violation rules and actions to keep in mind when well-known signatures are released. Actions should be defined by the system admin.

The following diagram shows a topology for inline setup of IPS. All the traffic travels through IPS devices for traffic inspection. This is a bit different to doing a port SPAN, since all data goes through an IPS box. Consequently, you should be aware of what type of data has to be inspected:

There are a number of different attack types that can be prevented using an IPS, including:

  • Denial of Service
  • Distributed Denial of Service
  • Exploits
  • Worms
  • Viruses

Multitier topology

Multitier topology gives you flexibility to segment resources based on role and access policies. In a typical three-layer application, architecture that has web, app, and DB servers can be distributed based on location. Since web/app zone is something always exposed to end users, Demilitarized Zone (DMZ) IP space is always public. Subnet and database servers should not be directly accessible, hence why we should always allocate private IP space from RFC 1918.


This offers gradual access to control, based on IPs and resource locations. When designing a network, you can introduce a multi-layer firewall approach. In a multiple layer design approach, the basic idea is to isolate resources from each other, considering the fact that if one layer is compromised then others are not impacted.

Cross-premises IPsec tunneling provides you with a way to establish secure connections between two networks and multiple on-premises sites, or other virtual networks in Azure/AWS. This can secure data transfer by encrypting your data via the IPsec encryption using the IPsec framework. Virtual networks in AWS are called VPC and, in Azure, VNET.

Distributed Denial of Service: A Denial-of-Service (DoSattack or Distributed Denial-of-Service (DDoSattack  is an attempt to make a network resource out of service to its targeted users.

The real-world target would be online services such as e-commerce and the gaming industry, preventing the shop from doing any business by making front resources unavailable for end users. Just think about a situation during big billion-day sales hours if someone launches a DDOS attack and makes your e-commerce portal shut down.

The two most basic types of DDoS attacks are as follows:

  • WAN attacks: WAN DDoS attacks utilize available bandwidth on physical links with a high volume of packets with bigger payloads, or a high volume of packets with smaller payloads. Bigger payload network resources such as router or firewalls will process packets and consume all the bandwidth. With smaller payload network resources like routers, firewalls will try to process all the packets. However, due to limited CPU, cycle hardware resources won't be able to process genuine packets from end users and can fail under the load.
  • For example, let's assume you have a 10 Mbps WAN link and during attack BW, utilization is just 5 Mbps. However, a number of small packets can reach one million packets per second. In this case, assume that your network gear has no CPU cycle to process all tiny packets

    Another example would be if someone launched a DDOS attack using a large ICMP packet. This can choke your bandwidth and leave no space for the rest of the application.

  • The most common form of bandwidth attack is a packet-flooding attack, in which a large number of legitimate TCP, User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) packets are directed to a targeted or aimed destination. Such attacks become more difficult to detect if attackers use techniques such as spoofing source addresses.
  • Application attacks: These DDoS attacks use the expected behavior of protocols such as TCP and HTTP. Application attacks are disruptive but small and silent in nature and extremely hard to detect since they use expected behavior. Application-layer attacks are easy to generate and require fewer packets with a small payload to achieve out of services for targeted applications. Application attacks are focused on web-application layers. For a small HTTP request, the actual server has to execute a lot of resources on the web server to fetch the content or resources. Every such server resource will have limited CPU and memory and can be easily targeted. In this example, I am not considering cloud-based web applications, where you have elasticity features enabled and with growth in the number of requests, server resources are automatically created to accommodate such requests.

 

Let us understand more about this with the help of an example:  

  • HTTP Floods: These are simple attacks in nature that try to access the same web page again and again in an automated fashion. They typically use the same range of IP addresses. Based on the trend, as this is being originated from the same source, the source pool can be blocked to mitigate attacks.
  • Randomized HTTP Floods: These are complex attacks that use a large pool of IP addresses from multiple locations and randomize the URLs. Since these kind of attacks originate from multiple locations, it is not easy to block the source IP. However, the rate limit can be fixed on server resources.

To simplify, DDoS is a form of attack where multiple compromised networks/hosts are used to target a single system. This is like a zombie attack and it is very tough to identify genuine users. Once infected, the internet-connected devices become part of a botnet army, driving malicious traffic toward a given target.

Internet security

These are the basic things you need to understand when you are working with online systems. When working with them day to day, we expose ourselves to risks.

Let's jump into the basic components of internet security.

Password

Since we own internet enabled devices, we are responsible for our own security. So, let's begin with our passwords. As users, we must choose a strong password. Alternatively, organizations should encourage users to choose one.

Password analysis shows that quite a common password used by users is 123456 and other similar, simple patterns. Most users choose the same password across multiple platforms. If a server or database is compromised by hackers, it would be easy to crack passwords such as this.

Few common web portals contain personal information. However, if an employee is required to create a username consisting of their first and last name or employee ID, and this is combined with a simple default password such as abcX123, then their information is easy to guess.

System upgrade and updates

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 triggered by the WannaCry ransomware crypto worm. This attack targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. Such infection happens because people are running outdated software and attackers exploit this. This is not limited to PCs but also to mobile devices and other internet enabled devices.

Phishing

Phishing is a form of online fraud where you receive an email that looks similar to a trusted source. The message may ask you to validate, confirm, or update your account information by logging into fake websites. Targets are contacted via telephone, email, and text message, which are used to extract credit card details and passwords.

This is my own email box, which contains a message stating that I am supposed to get 13,17422 INR, and I need to update my details. While the attacker is using money as a temptation tool, it is important to think instead about your IT return. Is this type of mail really to be expected from the IT department? You can easily guess that this is not a genuine domain just by looking at the email header. Following the instructions of this message can consequently have disastrous consequences:

Beware of phishing phone calls

Attackers might call you on the phone and offer to solve your computer problems by selling you a software license or by obtaining your personal information in order to update your details in a backend system.

Once they've gained your trust, cybercriminals might ask for your username and password or ask you to go to a website to install software that will let them access your computer in order to fix it. Once you do this, your computer and your personal information is hijacked.

In the same way, a banking fraud can take place. This includes cybercriminals calling you and trying to persuade you to share your credit card and banking details.

Some signs of phishing phone calls include:

  • You have been specially selected for any offering
  • You have won money in a lottery
  • You have income tax refund
  • Someone asking about credit card CVV and other details to update a banking database

Phishing protection

Phishing attack protection requires steps to be taken by both users and enterprises. For users, awareness is the key. A spoofed message often contains some mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they're even receiving such an email or phone call.

You should report such emails to authorities so that appropriate actions can be taken.

Security issues, threats, and attacks

Every day we use our computers and phones to connect to the internet, open emails, do online transactions, check our social media, create files, take photos of our friends, family or favorite places.

IoT security risk

The next big thing, which is going to play a big role in our life, is going to be Internet of Thing (IoT). Everything will be connected to the internet—fans, tube lights, refrigerators, doors, cars, even in medical terms, our heart—could be connected to an IoT sensor. This list will be long. Think about the situation if a person's heart rate controlled by an IoT sensor is hacked.

One of the most prominent IoT security issues is the problem with individuals using the same login credentials for everything.

Computer security risk

Computer security risks are events that may damage or steal data or allow unauthorized access to a computer without notifying the user. Your computer is all about operating systems and applications, the majority of such attacks come along with malicious applications, or bad software, in other words. It is commonly believed that all damages are only done by computer viruses, but in reality there are several types of bad software. Features such as back door, dialer, spyware, virus and worm, key logger, adware, and many more can result in a computer security risk.

Security Risk-Border Gateway Protocol

In the networking world, imagine a situation where attackers plug their cable into your network, establish a Border Gateway Protocol (BGP) session, and sniff all the data going into the wire. This is not limited to sniffing your information, but you can cause a lot of trouble for others.

For example:

  • YouTube blockage by PTA:
    • Scenario: Pakistan telecom was connected to the global internet via PCCW telecom
    • Problem: PCCW did not validate a prefix advertised by Pakistan telecom and there was no built-in mechanism in the BGP protocol to authenticate information
    • Impact: DoS to customers, traffic redirection, prefix hijacking, and AS hijacking
  • On 24 February 2008, Pakistan Telecom Authority (PTA) began to advertise a specific prefix of YouTube. PTA intended to block access to YouTube in Pakistan and advertised the specific prefix 208.65.153.0/24. This was part of the prefix used by YouTube 208.65.152.0/22-208.65.155.255. The intention was that YouTube's traffic would be forwarded to Null0 interface and, consequently, YouTube would get blocked within Pakistan. However, the same route was advertised to upstream ISP (PCCW AS number 3491). PCCW presented this information to other peers as well. YouTube then initiated a more specific prefix (208.65.153.128/25) to recover traffic.

 

  • MAN in the Middle (MITM): This is another example. Think about a situation in which someone from your organization can do the sniffing inside your network by configuring SPAN for switch where all finance employees are connected. All username and password information can be extracted if they are not using a secure way to access the finance portal. This is the reason I say there should be HTTPS for everything. Even hackers can gain access to sniff data, but they cannot decode encrypted data from the system. All these types of hacking come under MITM where attackers have access to data wire or are able to divert traffic.
  • Address Resolution Protocol (ARP): Spoofing can be a similar kind of attack. For local area network-address resolution protocol, it is required to know the computer identity on Local Area Network (LAN). Let's assume you are internet gateway configured in your LAN and all the internet traffic travels via that device. The attacker can do the ARP-spoofing and advertise a new system as an internet gateway. Now all the traffic for internet goes through the attacker's system, and they can sniff your data. There are many tools available on the market for spoofing, which do nothing but change the MAC address of your machine.

MITM attacks can be further divided into two categories: WAN and LAN.

Security and threats

In a growing connected world, security threats are constantly evolving to find new ways to steal or damage data. For any organization and any individual who has an internet enabled system, it becomes very important to protect that information. Malicious or ignorant human activity are major threats to computers. Malicious action always has a goal to achieve and a specific target to be attacked.

Attackers generally have motives or goals. These motives and goals usually abide by the following formula:

Motive + Method + Vulnerabilities = Attack:

As the following diagram shows, security threats are driven either by humans or natural disasters. Threats driven by humans can be further categorized into external or internal threats, or can be put down to user ignorance. We will discuss each of these in detail:


Natural disasters

A natural disaster is a major adverse event resulting from the natural processes of the earth. Examples include floods, hurricanes, tornadoes, volcanic eruptions, earthquakes, tsunamis, and other geologic processes. Nobody can prevent nature from taking its course. Such events can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt other essential services. Few safeguards can be implemented against natural disasters. The best approach is to have disaster recovery plans and Business Continuity Plans (BCP) in place.

Human threats

Human threats consist of inside attackers or outside attackers. Insiders can be employees, vendors, or contractors with privileged access to systems. They can also be organizations and outside attacks by non-employees or groups of individuals just looking to harm and disrupt an organization due to a motive or aim.

The most dangerous form of attackers are usually insiders, because they have access to the system and know security measures that are already in place. Insider attacks can be malicious or negligent and can also be accidental.

All companies in this world have to deal with employee work force reduction and expansion. Consequently, controlling and changing the permission on system assets is a very important action item. Lack of process and failure to remove access to sensitive assets for employees who no longer have a business requirement increase an asset's exposure to unauthorized access. This can be a common cause of insider attacks, which is often overlooked.

Since there is usually a trust between employee and employer, most employees are not out to harm them. However, there's no way to ensure that this is the case with all employees, so the best practice is to be cautious and take the appropriate measures to prevent inside threat.

Here is one classic example:

A company's important application was operated by the personal credentials of an employee who had been working there for many years. However, one day the company laid that employee off. The next day, the IS department deleted his credentials. The application then stopped working. An issue like this can cause major damage to a system, and it will definitely take time to identify and fix the problem.

Human security threats can be something as simple as a person opening an attachment loaded with malicious script or malware that opens the system's back door and allows outsiders to extract information. The worst-case scenario often isn't a hacker breaching internal systems, but an employee that loses his smartphone or has his laptop stolen. The best defense lies in securing the data, not just the devices. This means encrypting at the file-level, so confidential information is protected even it is stolen.

Security vulnerabilities

A malicious attacker uses a method to find the resources of a target, finds known vulnerabilities of targeted resources, and then exploits vulnerabilities in order to achieve a goal. Vulnerabilities are weaknesses, misconfigurations or loopholes in security that an attacker exploits in order to gain access to the network or resources on the network.

Security vulnerabilities are not limited to web, SQL DB, or operating systems. The same approach goes for any infrastructure networking gears.

These are the three main categories:

  • Technology weaknesses
  • Configuration weaknesses
  • Security policy weaknesses

Technology weaknesses

These include TCP/IP protocol weaknesses, operating system weaknesses, software weaknesses running on operating systems and network equipment weaknesses.

TCP/IP is a protocol suite, which is used to transfer data through networks. The most important part of the suite is IP, which is the user identity on a network. The main protocols associated are:

  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
  • Internet Control Message Protocol (ICMP)

TCP ports numbers identify an application. For example:

  • Port 21: FTP
  • Port 23: Telnet
  • Port 80: HTTP
  • Port 443: HTTPS

TCP/IP was meant to provide a reliable connection between two hosts but does not provide any inbuilt security functions, such as encryption or authentication. Protocols like HTTP, FTP, TFTP, and TELNET are insecure since all the information is in clear text.

A SYN flood is a form of DoS attack in which an attacker sends a succession of SYN requests to a targeted victim in an attempt to utilize all available server resources to make the system unavailable to legitimate traffic.

This is normal behavior for TCP three-way handshake. The SYN packet is sent by a user who is then acknowledged by the server and, finally, by ACK.

In the case of SYN, flood systems are unavailable to process SYN packets. Attackers in green send a series of SYN packets and get ACK as well. Meanwhile, attackers consume all server resources, hence real users in violet do not even get SYN-ACK.

The UNIX, Linux, Macintosh, Windows, and OS/2 operating systems all have security problems. Security updates and bug fixes are released by these companies from time to time.

Network equipment such as routers, firewalls, optical equipment, and switches have security weaknesses that must be recognized and protected.

In upcoming chapters, we will discuss these kind of attacks in detail, looking at how to deal with them in a live network.

Configuration weaknesses 

As a network/system administrator, we should know what configuration weaknesses are and what the corrective measures are for their computing and network devices.

User account information might be transmitted in clear text across the network, exposing usernames and passwords to an intruder. For example, if you manage your devices over Telnet, your username and password can be sniffed. The same thing is also applicable when you manage devices using GUI on HTTP.

Misconfigurations of the devices can cause significant network equipment security problems and open doors for unauthorized access. For example, misconfigured access lists, routing protocols, or SNMP community strings can open large security holes. Misconfigured encryption, lack of encryption, or low encryption ciphers for remote-access controls can also cause significant security issues.

Authentication and authorization is a major concern. If you are interested in knowing who is doing what on a piece of network equipment or system, then you might want to centralize authentication with a single authentication platform by accounting logs enabled to perform an audit regularly.

To reduce the threats to your network, the best option is to disable any unused services on all your networking devices and computing system. For instance, if you have a web server, you should disable FTP, SMTP, and other services. Another example would be if you are managing your devices with SSH, you can disable Telnet, HTTP, and FTP running on the same box.

You should only run the applications that are necessary on a device. All unnecessary applications and services should be disabled, to minimize exposure to the outside world.

Security policy weaknesses

Security policy weaknesses can create unforeseen security threats. The network infrastructure can pose security risks to itself if the system administrator does not follow the security policy, and best practices being used in the industry. Every organization must have a security policy and that should be enforced to all users/admin/infrastructure. Security weaknesses emerge when there is no clear-cut or written baseline security policy document.

Always follow a baseline for all infrastructure gears and networks for compliance with the policy. Systems should be in place to verify non-compliance devices. For example, if you have millions of devices in a network, it's very hard to check if all of them are matching compliances or not. However, a system like HPNA and other tools can scan a baseline set of configuration for all devices and reports can be generated.

Single password verification: There are three basic methods for authentication:

  • Username and password
  • One-time password
  • Certificates

In the first methods, passwords are basically user defined, and certificates are computer generated and based on keys. Brute-force attacks can easily crack passwords; passwords are easy to forget and are often reused on multiple services or applications. These passwords are like symmetric keys and are stored somewhere within the service. It is the duty of the service provider to protect your password. However, on the news we also often hear that password databases are hacked and millions of passwords are leaked. The third method is based on keys and strong algorithms, but even they are not 100% foolproof as private keys can be stolen as well.

Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which the user provides password information by combing two methods to verify that users are who they say they are. Two-factor authentication provides an additional layer of security by keeping half of the part of a password static in nature and the rest of the part dynamic, constantly changing after a given interval. This makes it harder for attackers to gain access to a person's devices and online accounts; knowing the victim's password alone is not enough to pass the authentication check, because a combined password is dynamic in nature and has an expiry associated with it. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users' data from being accessed by hackers who have sniffed or stolen a password.

Best practices are being followed by companies like Google. Even if you change your smartphone or browsers you get notified immediately. Companies follow methods of smart card authentication along with phone authentication in order to validate the identity of users. The banking sector distributed RSA tokens for 2FA.

Using unencrypted or weak encryption for a website

Protocols such as Telnet, HTTP, or FTP opens doors for MITM attacks. The main reason behind that is that these protocols do not offer end-to-end encryption. File transfer protocol is used for data transfer between two hosts, and every time you need to enter usernames and passwords, which are in clear text, and it is very easy for attackers to sniff credentials and data being transferred. To protect information from attackers, we should not use any protocol that does not support encryption. For example, for management purposes, we should use SSH instead of Telnet on any device. All websites must offer HTTPS, and instead of FTP data transfer should be done using SCP or SFTP. In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.

SSL SHA1, an extremely popular hashing function, is on the way out. Strictly speaking, this development is not new. The first signs of weaknesses in SHA1 appeared almost 10 years ago. In 2012, some calculations showed that breaking SHA1 is becoming feasible for those who can afford it. In November 2013, Microsoft announced that they wouldn't be accepting SHA1 certificates after 2016. 

Protect Domain Controller: Eliminates use of LM and NTLM (v1) in favor of NTLMv2 or Kerberos. Kerberos is a token-based system. Refresh time is so fast that even if someone hacked your session, you would get new tokens as refresh time makes it more reliable.

In the same way, you should float guidelines for the secure management of assets. All the servers and assets should be managed by domain controller security groups. Using interactive logon with a service account can cause major damage too, hence interactive logon for service accounts should be disabled. The reason behind this is that if a system is compromised, attackers can gain access to the domain controller as well.

Connect to unsecured Wi-Fi network access: Connecting through a public Wi-Fi network or hotspot can compromise your computer/mobile security and put your information at risk. Whether you are on your computer or your mobile device, it's relatively easy for hackers to access the information you type and send over an unsecured Wi-Fi network, including your login and password information.

Users need to be educated on how to use Wi-Fi with their computer devices. Here are some important tips that every company employee should know:

  • If possible, make sure that you connect to secure networks only 
  • Use strong passwords for all your online accounts and change them often
  • Use VPN for accessing corporate resources

Summary

So far, we discussed why infrastructure is an absolute requirement for today's internet world and what this means for system admins and internet users. We also learned how to build secure IT infrastructure and policy frameworks to protect information.

One of the major weaknesses in information security today is the human element. The everyday behavior of employees and end users represents one of the greatest risks to organizations and customers. IT technology is evolving faster than ever before. We are seeing new security controls, policies, and best practices put in place within organizations, but every day security breaches continue to take place. Nobody is 100% protected from small to large organizations. It only takes a simple mistake from an uneducated end user to leave a back door open in your information security. Organizations need to be aware of the people they work with, within the organization and outside as well. Developing adequate training and security frameworks for employee and end users becomes very important for protecting systems, especially considering the fact that it's not just technology which plays an important role, but also its users. I again repeat: if you have internet enabled devices, it is also your responsibility to secure them.

In 2017, Ransomware such as WannaCry, NotPetya, and Bad Rabbit have demonstrated the dangers of this threat and the potential impact on almost any industry. In 2018, it is predicted that IOT will be a big target for attackers in upcoming years, as well as Cloud infrastructures, Artificial Intelligence (AI), and of course the rise of mobile attackers increases daily.

In our next chapter we will discuss how to design secure infrastructure, keeping common risk factors in mind. This starts with placement of firewall and DDoS protection techniques.

Here is a famous quote to keep in mind:

“If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked”
― Richard Clarke

Questions

  1. What are the different types of firewalls?
    1. Simple packet filtering
    2. Application proxy
    3. Stateful inspection firewalls
    4. Next-Generation firewalls
    5. All of above
  1. What kind of attacks can be prevented using IDS/IPS?
    1. Denial of Service
    2.  Distributed Denial of Service
    3. Exploits
    4. Worms
    5. Viruses
  1. Which of the following pieces of information can be found in the IP header?
    1. Source and destination address of the IP packet
    2. Source and destination port of the IP packet
    3. Sequence number of the IP packet
    4. Both (1) and (2) only.
  1. What is the standard port number used for requesting HTTPs?
    1. 80
    2. 53
    3. 443
    4. 25
  1. Which of the following is not considered an external threat to a network?
    1. Human ignorance
    2. Virus
    3. Hackers
    4. Malware

Further reading

Left arrow icon Right arrow icon

Key benefits

  • Learn to choose the best network scanning toolset for your system
  • Implement different concepts of network scanning such as port scanning and OS detection
  • Adapt a practical approach to securing your network

Description

Network scanning is the process of assessing a network to identify an active host network; same methods can be used by an attacker or network administrator for security assessment. This procedure plays a vital role in risk assessment programs or while preparing a security plan for your organization. Practical Network Scanning starts with the concept of network scanning and how organizations can benefit from it. Then, going forward, we delve into the different scanning steps, such as service detection, firewall detection, TCP/IP port detection, and OS detection. We also implement these concepts using a few of the most prominent tools on the market, such as Nessus and Nmap. In the concluding chapters, we prepare a complete vulnerability assessment plan for your organization. By the end of this book, you will have hands-on experience in performing network scanning using different tools and in choosing the best tools for your system.

Who is this book for?

If you are a security professional who is responsible for securing an organization's infrastructure, then this book is for you.

What you will learn

  • Achieve an effective security posture to design security architectures
  • Learn vital security aspects before moving to the Cloud
  • Launch secure applications with Web Application Security and SQL Injection
  • Explore the basics of threat detection/response/ mitigation with important use cases
  • Learn all about integration principles for PKI and tips to secure it
  • Design a WAN infrastructure and ensure security over a public WAN

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : May 24, 2018
Length: 326 pages
Edition : 1st
Language : English
ISBN-13 : 9781788839235
Languages :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : May 24, 2018
Length: 326 pages
Edition : 1st
Language : English
ISBN-13 : 9781788839235
Languages :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 102.97
Mastering Metasploit
€36.99
Practical Network Scanning
€32.99
Mastering Wireshark 2
€32.99
Total 102.97 Stars icon
Banner background image

Table of Contents

14 Chapters
Fundamental Security Concepts Chevron down icon Chevron up icon
Secure Network Design Chevron down icon Chevron up icon
Server-Level Security Chevron down icon Chevron up icon
Cloud Security Design Chevron down icon Chevron up icon
Application Security Design Chevron down icon Chevron up icon
Threat Detection and Response Chevron down icon Chevron up icon
Vulnerability Assessment Chevron down icon Chevron up icon
Remote OS Detection Chevron down icon Chevron up icon
Public Key Infrastructure-SSL Chevron down icon Chevron up icon
Firewall Placement and Detection Techniques Chevron down icon Chevron up icon
VPN and WAN Encryption Chevron down icon Chevron up icon
Summary and Scope of Security Technologies Chevron down icon Chevron up icon
Assessment Chevron down icon Chevron up icon
Other Books you may enjoy Chevron down icon Chevron up icon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.