Hardening

Cards (202)

  • Difference between Network Devices and Endpoint Devices
    • Before proceeding with our actual topic, it is imperative to understand the difference between network devices and endpoint devices. Endpoint devices refer to any device that can generate or consume data on a network, such as Laptops, Desktops, Smartphones, Tablets, Printers, Servers, and IoT Devices. They are typically located at the edge of a network and interact directly with users. The figure below shows the difference between endpoint and network devices based on their functionality, traffic, and configuration.
  • Difference between Network Devices and Endpoint Devices
  • Common Threats and Attack Vectors of Network Devices
    • The unprecedented growth in today's Information and Communication Technology (ICT) networks has transformed the world into a global village. On the other hand, it has also given rise to multifarious malicious activities by cyber attackers. As we have already studied, the various network devices are the backbone of modern ICT networks.
  • Common Threats and Attack Vectors of Network Devices
    • To ensure confidentiality, integrity, and availability (CIA) in our networks and systems, it is imperative that we implement security hardening measures to these devices. Some common goals of hardening include protection from unauthorised access & attacks/exploits, enforcement of access policies, prevention of data theft, and continuous availability of critical systems.
  • Common Threats and Attack Vectors of Network Devices
    Unauthorised access: Gain unauthorised control of a network device, and then of the complete network.
    Attack Vectors:
    • Password attacks (brute force, dictionary & hybrid)
    • Exploit known vulnerabilities, e.g. RCE
    • Social Engineering/Phishing attack to trick network administrators into disclosing sensitive information such as usernames and passwords of devices
  • Difference between Network Devices and Endpoint Devices
    Denial of Service (DoS):
    • Disruption of critical devices and services to make them unavailable to genuine users
    Attack Vectors:
    • Flooding devices with fake requests
    • Exploiting vulnerabilities in logical or resource handling
    • Manipulating network packets
  • Common Threats and Attack Vectors of Network Devices
    Man-in-the-Middle Attacks:
    • Intercept the network requests between two parties by masquerading as each of them, in order to steal sensitive information or alter/manipulate the requests.
    Attack Vectors:
    • ARP spoofing
    • DNS spoofing
    • Rogue access points
  • Common Threats and Attack Vectors of Network Devices:
    Privilege escalation: Gaining higher-level privileges or rights to perform restricted actions, e.g. accessing sensitive information or executing malicious code.
    Attack Vectors:
    • Weak passwords or use of the same passwords for user and admin accounts
    • Exploiting vulnerabilities
    • Misconfigurations
  • Common Threats and Attack Vectors of Network Devices
    Bandwidth theft/hotlinking: Embedding a bandwidth-intensive resource (image or video) hosted on one website in an external website, without permission. This causes increased traffic to the original website.
    Attack Vectors:
    • Scraping large volumes of data
    • DoS attacks
    • Malware attacks
  • Hardening Network Devices:
    • Updating & Patching: Keeping the operating system and underlying applications of all devices and systems on the latest version and installing security patches regularly is the core hardening measure. Outdated OS and applications contain vulnerabilities that attackers can exploit.
    • Disabling unnecessary services & ports: Turn off all unnecessary services and block all ports (physical and virtual) that are not needed for system functionality. This will reduce the attack surface by minimising the number of entry points an attacker can exploit.
  • Hardening Network Devices:
    • Principle of Least Privilege (POLP): Restrict users and processes to only the minimum necessary permissions required to perform their functions.
    • Logs Monitoring: Implement a log monitoring system to monitor for unusual activity or security events.
    • Backup regularly: Take routine backups of systems and configurations as they can help recover from a security incident or system failure.
  • Hardening Network Devices:
    • Enforcing Strong Passwords: Change default login passwords and use strong passwords that are at least ten characters long with a combination of lowercase letters, capital letters, special characters, and numbers. These types of passwords protect against dictionary and brute-force attacks.
    • Multi-Factor Authentication (MFA): MFA is an additional security layer requiring two or more types of identification before accessing the account or system. The two factors are generally something we know (like passwords) and something we have (like biometrics).
  • Importance of Secure Protocols
    • Secure protocols play a critical role in network device hardening by protecting against unauthorised access and data breaches. They ensure that sensitive data transmitted between devices is encrypted and cannot be intercepted by malicious actors. Moreover, secure protocols also help prevent man-in-the-middle attacks and other network-based exploits. Using secure protocols, network administrators can ensure that only authorised personnel can access sensitive information and perform system administration tasks.
  • Importance of Secure Protocols:
    • Necessary security protocols include HTTPS, SSH, SSL/TLS, and IPsec.
  • Removal/Blocking of Insecure Protocols 
    • In addition to using secure protocols, removing and blocking access to insecure protocols is equally essential, as it reduces the attack surface available to an attacker. Most important are the protocols that transmit data in clear text without encryption, such as FTP, HTTP, Telnet, SMTP, and more. Moreover, there are inherently secure protocols (e.g. LDAP, RDP, SIPS); however, if configured incorrectly, they can still allow attackers to exploit the network.
  • Implementation of Monitoring and Logging Controls:
    • Syslog: A protocol that standardises the transfer of log messages so that they can be stored and analysed on a central server.
    • SNMP Traps: A notification sent by a network device to a management system when a predefined event occurs.
    • NetFlow: A protocol used to collect and analyse network traffic data for monitoring and security analysis.
    • Packet Captures: Capturing network traffic and storing it for analysis using a tool like Wireshark.
  • Virtual private networks (VPNs) are now needed in the age of remote work and online communication to protect sensitive data and preserve privacy. However, as cyberattacks continue to develop, hardening VPNs is crucial to ensure they remain effective. Hardening VPNs entails adopting additional security measures, such as multi-factor authentication and encryption techniques, to make it more challenging for hackers to access the network.
  • Standard Hardening Practices: System administrators must understand the content of the configuration file and edit it as per security best practices.
    • The OpenVPN server config file is located at /etc/openvpn/server/server.conf. Once the machine is loaded, open the terminal and load the file by issuing the command sudo nano /etc/openvpn/server/server.conf.
    • Once you have made the desired changes in the file, press Ctrl+O and hit Enter, then press Ctrl+X to exit.
    • The command sudo systemctl restart openvpn-server@server.service restarts the OpenVPN service.
  • VPN Hardening:
    • Use a strong encryption algorithm: Configure the VPN gateway to use strong encryption to protect data in transit. The cipher directive in the config file can be used to select the encryption scheme. The possible options for cipher include AES, Blowfish, Camellia, and more. For example, AES-128-CBC means using the AES encryption algorithm with a 128-bit key in Cipher Block Chaining (CBC) mode, as seen below. AES-256-CBC is typically considered one of the strongest encryption ciphers available today.
  • VPN Hardening:
    • Keep VPN gateway software up-to-date: Ensure that the VPN gateway software is always updated with the latest security patches and updates. Every VPN software has a different method for it. You can use sudo apt upgrade openvpn to update OpenVPN (please note that the attached VM does not have an internet connection).
  • VPN Hardening:
    • Implement strong authentication: Use strong authentication mechanisms such as a combination of Transport Layer Security (TLS) and a secure hashing algorithm. We can use the auth directive to specify the exact algorithm in the OpenVPN configuration file to ensure that a secure hashing algorithm will be used for packet authentication. Some of the options for auth directive are SHA1, SHA128, SHA256, SHA512 and MD5. You can set the auth directive through the following command:
  • VPN Hardening:
    • Change default settings: Change the default usernames and passwords to something unique to reduce the risk of unauthorised access to the VPN gateway.
  • VPN Hardening:
    • Enable Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) in OpenVPN generates unique session keys for each session to strengthen the security of the VPN connection. Because of this, even if a hacker successfully obtained a session key, they could not use it to decrypt other sessions. For each session, PFS generates a new set of encryption keys, preventing the possibility of decrypting previously captured material. As a result, it is far more challenging for an attacker to spoof the VPN connection and steal sensitive data.
  • VPN Hardening:
    • Enable Perfect Forward Secrecy (PFS): We can use the tls-crypt directive in the OpenVPN configuration file to enable PFS. The tls-crypt directive requires a key, which can be generated using the command sudo openvpn --genkey --secret my.key and should be placed in the same directory on the server. Choosing an appropriate cipher and auth, such as cipher AES-256-CBC and auth SHA256, supports PFS when combined with tls-crypt. The exact configuration is mentioned below:
  • VPN Hardening:
    • Dedicated Users for VPN Server: Limit user access by creating a dedicated user account and group with restricted permissions specifically for running the OpenVPN server.
  • Routers and switches must be hardened for the network infrastructure to be secure and reliable. Every network needs routers and switches, often the first line of defence against potential security risks and attacks. By hardening these devices, we can lower the possibility of unauthorised access, avoid data breaches, and ensure network service availability. Improved network performance, increased resilience against cyberattacks, and regulatory compliance are a few of the main advantages of hardening routers and switches.
    • We will be using a router that has OpenWrt installed, which is a free and open-source Linux-based operating system for embedded devices. We know that a router configuration varies from product to product; however, a few standard techniques can be applied to protect from potential attacks. 
  • Hardening Routers, Switches & Firewalls
    • Setting up the device: While setting up any network device, it is necessary to fill in all relevant details like hostname, timezone, logging, and more. These features assist in conducting incident handling in case of a compromise. For example, logging must be enabled to log all the events with the default alert level Debug. Similarly, timezone and time synchronisation must be set accurately to properly correlate events with their occurrence time. You can enable and modify these settings through System > System and select the desired option.
  • Hardening Routers, Switches & Firewalls
    • Change default credentials: Usually, the admin web interface is protected through a username and password, and people tend to ignore changing the default. A threat actor can access the router's admin interface and compromise the whole network using default credentials. We can change the default password in OpenWrt through System > Administration, enter a new password, and click the Save button.
  • Hardening Routers, Switches & Firewalls
    • Enable secure network protocols:  For a network device to maintain the confidentiality, integrity, and availability of network traffic, secure protocols must be enabled. Secure protocols like HTTPS, SSH, and SSL/TLS offer encrypted authentication mechanisms and communications to stop unauthorised access and eavesdropping. By enabling secure protocols on a router, you can reduce the risk of data breaches, man-in-the-middle attacks, and other security threats.
  • Hardening Routers, Switches & Firewalls
    • Enable secure network protocols:  You can enable SSH in OpenWrt through System > Administration > SSH Access, then select the interface and port number and click Save & Apply. Moreover, you can also add specific public SSH-Keys for passwordless login.
  • Hardening Routers, Switches & Firewalls
    • Disabling unnecessary scripts: Almost every network device executes some startup scripts to provide a better user experience. For example, crontab is executed on startup to verify and execute any cron job. Threat actors try to gain persistent access on a network device by adding their malicious scripts to the startup scripts. We can add/remove startup scripts and set their priority through System > Startup.
  • Hardening Routers, Switches & Firewalls
    • Securing Wi-Fi: If the router has Wi-Fi capabilities, secure the Wi-Fi by enabling strong encryption like WPA2/WPA3, disabling SSID broadcast, changing default passwords, and more.
  • Hardening Routers, Switches & Firewalls
    • Manage traffic rules: Network devices allow you to create and implement traffic rules that accept/deny network traffic. For example, we notice that the data of users connected with our network device is being exfiltrated to a command and control server IP address. We can create a rule to block all traffic where the destination IP matches the attacker's command and control server. We can add/edit traffic rules through Network > Firewall > Traffic Rules, and click Add to create a new rule.
  • Hardening Routers, Switches & Firewalls
    • Monitor traffic: As a network administrator, keeping track of network traffic, like uploads and downloads of data at different intervals, is essential. For example, you may notice excessive data being uploaded from one of the email servers to an unknown IP address. Such alerts enable you to take remedial measures and stop data pilferage in a timely manner. Usually, network devices provide real-time graphs to monitor the traffic. We can view real-time traffic statistics through Status > Realtime Graph > Traffic.
  • Hardening Routers, Switches & Firewalls 
    • Configuring port forwarding
    • A firewall's port forwarding capability enables inbound traffic from the internet or other sources to be routed to a particular device or service on the internal network. The firewall can send incoming traffic to the appropriate device or service on the internal network by establishing port forwarding rules while blocking any other incoming traffic that does not comply with the rules. This feature helps host applications that need outside access, granting remote control of internal devices.
  • Hardening Routers, Switches & Firewalls 
    • Monitoring scheduled tasks: It is important to monitor scheduled tasks to confirm that the original scheduled task list has not been modified by a threat actor. To add or remove scheduled tasks, which in our case are handled by cron, navigate to System > Scheduled Tasks, add the new cron job, and click Save.
  • Hardening Routers, Switches & Firewalls 
    • Update firmware: It is essential to update the firmware and installed packages on a regular basis to avoid any known/unknown attacks. We can update the firmware through System > Software.
  • Additional Router Security Hardening Techniques in an Enterprise Environment:
    • Configuring port security: This includes limiting the number of MAC addresses registered on a switch port and taking a particular action whenever unauthorised access is detected. Enabling port security assures an administrator that data is coming from a valid source and will be forwarded to a legitimate receiver.
  • Additional Router Security Techniques in an Enterprise Environment
    • Preventing ARP spoofing: ARP spoofing is one of the most common vectors for launching man-in-the-middle attacks on the network. The threat can be mitigated by enabling static ARP tables and implementing MAC address filtering.