2. Proprietary & Confidential
@GoCyberSec | January 2020
Introduction
• Exploring advanced security devices
• Securing wireless networks
• Understanding wireless attacks
• Using VPNs for remote access
Understanding IDSs and IPSs
• Intrusion Detection System (IDS)
–Detective control
–Attempts to detect attacks after they occur
• Firewall is a preventive control
–Attempts to prevent the attacks before they occur
• Intrusion Prevention System (IPS)
–A preventive control
–Stops an attack in progress
Packet Sniffing
• Also called protocol analyzer
• Captures and analyzes network traffic
• Wireshark – free packet sniffer
• IDSs and IPSs include packet sniffing capabilities
Host- and Network-Based IDS
HIDS
• Additional software on a workstation or server
• Can detect attacks on the local system
• Protects local resources on the host such as operating system files
• Cannot monitor network traffic
Host- and Network-Based IDS
NIDS
• Installed on network devices, such as routers or firewalls
• Monitors network traffic
• Can detect network-based attacks such as smurf attacks
• Cannot monitor encrypted traffic and cannot monitor traffic on individual hosts
IDS Detection Methods
Signature-Based
• Also called definition-based
• Uses a database of predefined traffic patterns (such as the CVE list)
• Keep signature files up-to-date
• Most basic form of detection
• Easiest to implement
IDS Detection Methods
Heuristic-/Behavior-Based
• Also called anomaly-based
• Starts with a performance baseline of normal behavior
• IDS compares activity against this baseline
• Alerts on traffic anomalies
• Update the baseline if the environment changes
https://www.youtube.com/watch?v=RwWM0srLSg0
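The two detection methods on these slides side by side, as an added example that is not part of the slide deck: a toy IDS that runs constructed traffic records through a small signature database (signature-based) and compares per-host request counts against a baseline of normal behavior (anomaly-based). The signatures, traffic and baseline values are constructed; the threshold parameter shows the false-positive / false-negative trade-off discussed on the next slide.

```python
"""Toy IDS applying both detection methods from the slides (added example;
not code from the slides). Signatures and traffic below are constructed."""
import re
import statistics

# Constructed traffic records: (source host, destination port, payload)
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, "GET /about.html HTTP/1.1"),
    ("10.0.0.7", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    ("10.0.0.9", 22, "SSH-2.0-OpenSSH_8.2"),
]

# Signature database: hypothetical stand-ins for vendor/CVE-derived signatures
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_alerts(records):
    """Signature-based: return (host, signature) for every payload that
    matches a predefined pattern. Attacks with no signature produce no alert."""
    return [(host, name)
            for host, _, payload in records
            for name, pattern in SIGNATURES.items()
            if pattern.search(payload)]

def build_baseline(normal_counts):
    """Anomaly-based step 1: summarise per-host request counts collected
    during a known-good period as (mean, population std deviation)."""
    return statistics.mean(normal_counts), statistics.pstdev(normal_counts)

def anomaly_alerts(current_counts, baseline, threshold_sigma=3.0):
    """Anomaly-based step 2: alert on hosts whose request count exceeds
    mean + threshold_sigma * stdev. The threshold is the IDS tuning knob:
    too low -> false positives (extra admin workload); too high -> false
    negatives (a real incident goes unreported)."""
    mean, stdev = baseline
    limit = mean + threshold_sigma * stdev
    return sorted(h for h, n in current_counts.items() if n > limit)

if __name__ == "__main__":
    print("signature hits:", signature_alerts(SAMPLE_TRAFFIC))
    base = build_baseline([10, 12, 11, 9, 13])   # constructed baseline window
    now = {"10.0.0.5": 12, "10.0.0.7": 14, "10.0.0.9": 90}
    for sigma in (2.0, 3.0):
        print(f"anomalies at {sigma} sigma:", anomaly_alerts(now, base, sigma))
```

At 3 sigma only the host making 90 requests is flagged; at 2 sigma the merely busy host 10.0.0.7 is flagged as well, which is the false positive a lower threshold buys.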
IDS Considerations
• Data sources and trends
• Reporting
• IDS thresholds
• False positives
–Increase administrator’s workload
• False negatives
–No report during an incident
IDS Considerations
Passive
• Notifies
–Pop-up window
–Central monitor
–E-mail
–Page
–Text message
Active
• Notifies
• Modifies environment
–Modify ACLs
–Close processes
–Divert the attack
Counterattacks
• Don’t do it
–Attackers are dedicated
–Attackers have unlimited time
IDS vs IPS
• IPS is a preventive control
–Can actively monitor data streams
–Can detect malicious content
–Can stop attacks in progress
• IPS is placed in line with traffic
–IDS is out-of-band
SSL / TLS Tools
• SSL decryptors
–Placed in the DMZ between users and the Internet
–Allows inspection of content
Other Tools
• Honeypots and Honeynets
–Used to divert an attacker
–Allow IT administrators an opportunity to observe attacker methodologies
–Can be useful to observe zero-day exploits
• 802.1x port security
–Provides port-based authentication
–Prevents rogue devices from connecting
Securing Wireless Networks
• WAPs and wireless routers
• All wireless routers are WAPs
• Not all WAPs are wireless routers
Access Point SSID
• Network name
• Change default SSID
• Disabling SSID broadcast
– Hides from some devices
– Does not hide from attackers
Network Architecture and Zones
• Wireless
–Provides wireless devices access to wired networks
• Guest
–Typically provides Internet access to guests
–Rarely gives access to network resources
• Ad hoc
–Network between two or more wireless networks
–Formed as needed
Wireless Cryptographic Protocols
• WPA – Interim replacement for WEP
–Deprecated
• WPA2 – Current standard
–Provides best security when used with CCMP
• TKIP
–Older encryption protocol used with WPA
• CCMP
–Based on AES
–Recommended to be used with WPA2
Enterprise Mode
• Adds strong authentication
• Uses an 802.1X server (implemented as a RADIUS server) to add authentication
• RADIUS server
– RADIUS port
– Shared secret (similar to a password)
Wireless Attacks
• Disassociation attack
– Removes a wireless client from a wireless network
• WPS
– Streamlines the process of configuring wireless clients
• WPS attack
– Brute-force method to discover the WPS PIN
– Reaver
Wireless Attacks
• Rogue access points
– Unauthorized AP
• Evil twins
– Rogue AP with same SSID as legitimate AP
Bluetooth Wireless
• Bluejacking
– Unauthorized sending of text messages from a Bluetooth device
• Bluesnarfing
– Unauthorized access to or theft of information from a Bluetooth device
• Bluebugging
– Allows an attacker to take over a mobile phone
Wireless Attacks
• Wireless replay attacks
– Captures data
– Attempts to use it to impersonate the client
• RFID attacks
– Sniffing or eavesdropping
– Replay
– DoS
• Misconfigured Access Points
– Use WPA2 with CCMP
– Disable WPS
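The access-point checklist from this slide, together with the SSID, cryptographic-protocol and WPS slides above, turned into an audit, as an added example that is not part of the slide deck: a small parser for hostapd-style key=value configuration and a checker that reports each checklist item a configuration fails. The key names follow hostapd.conf; the weak and hardened configuration texts and the default-SSID list are constructed samples.

```python
"""Audit an access-point configuration against the wireless checklist on these
slides (added example, not from the slides). Key names follow hostapd.conf;
both configuration texts are constructed samples."""
WEAK_CONF = """
interface=wlan0
ssid=linksys
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wps_state=2
ignore_broadcast_ssid=1
"""
# weak: default SSID, WPA (deprecated) with TKIP, WPS enabled, hidden SSID

HARDENED_CONF = """
interface=wlan0
ssid=corp-floor3
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
"""

DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # constructed list

def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return one finding per checklist item the configuration fails."""
    findings = []
    ciphers = conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")
    if conf.get("wpa") != "2":
        findings.append("wpa: enable WPA2 only (wpa=2); WPA is deprecated")
    if "TKIP" in ciphers or "CCMP" not in ciphers:
        findings.append("pairwise cipher: use CCMP (AES) only, never TKIP")
    if conf.get("wps_state", "0") != "0":   # 0 = WPS disabled in hostapd
        findings.append("wps_state: WPS enabled; disable it (WPS PIN brute force)")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("ssid: default SSID still in use; change it")
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("ignore_broadcast_ssid: hiding the SSID does not stop attackers")
    return findings
```

Running `audit(parse_conf(WEAK_CONF))` yields five findings, one per checklist item; the hardened configuration yields none.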
VPN Tunnel Comparisons
• Split tunnel
– Encrypts only some traffic (such as traffic going to private network)
• Full tunnel
– Encrypts all traffic from client
– Can route client traffic through a UTM in the private network for monitoring and protection
Network Access Control
• Health agents
– Inspect clients for predefined conditions
– Restrict unhealthy clients to a remediation network
– Used for VPN clients and internal clients
AAA Protocols
• Provide authentication, authorization, and accounting
– Authentication verifies a user’s identity
– Authorization provides access
– Accounting tracks user access with logs
Chapter 4 Summary
• Exploring advanced security devices
• Securing wireless networks
• Understanding wireless attacks
• Using VPNs for remote access