Sec+ preparation #11 (cloud computing and firewalls)

Jonas Satkauskas

Intro

Let’s jump into the next day of preparing for Sec+.

Before beginning, I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes the concepts of various topics. A real professional.

You can purchase the Security+ SY0-701 boot camp here

About Security+

Having this certification shows that you’re serious about cybersecurity.

It’s challenging and very good for the beginning of a career in cybersecurity.

Cloud Computing

  • On-demand self-service

  • Broad network access

    • Capabilities available over the network

  • Resource pooling

    • Flexible

    • Good example is Amazon AWS

    • Location Independence - that means that you can access it from anywhere on the planet

    • The customer has no control over the exact location of resources

    • Resources could be storage, processing, memory, network bandwidth and virtual machines.

  • Rapid elasticity

    • In some cases automatically, to quickly scale out or in

    • Appears to be unlimited to the customer

  • Measured service

    • The provider keeps track of how many resources you use. Metering can be based on storage usage, processing usage, bandwidth usage and active user accounts

    • Metering is usually done using a pay-per-use model.

    • Transparency means you know exactly what you are being charged for. Cloud computing usually provides that.

Thin client - a standard computer, laptop or PC.

SaaS (Software as a service) model (this topic is always in the exam)

  • Software resides in the cloud. People can use it.

  • Accessible through a thin client interface such as a browser.

PaaS (Platform as a service)

  • Customer can deploy onto the cloud infrastructure

  • Only compatible apps can be deployed

  • The customer has control over the deployed applications

  • Customer can control hosting environment configuration

IaaS (Infrastructure as a service)

  • Similar to a dedicated server

  • The customer can install the OS and applications they want

  • The customer does not control the underlying cloud infrastructure

  • May have limited control over network components

Providers have to offer:

  • Facility

  • Hardware

  • Virtualized infrastructure

Deployment models (will be in exam)

  • Private Cloud

    • For one company only

    • May be managed by the company

  • Community Cloud

    • Shared by multiple companies

    • Usually companies with shared concerns

    • May be managed by the company

    • May be on-premises or off-premises

  • Public Cloud

    • The cloud is made available to the general public

    • Or it is made available to a large industry group

    • Cloud is owned by the organization selling cloud services

    • Amazon EC2 is a good example

  • Hybrid cloud

    • Composed of two or more clouds

    • Could be a mix of private, community, or public clouds

    • Each of the clouds is a unique entity

Cloud computing advantages

  • Qualified Staff

  • Platform Strength

  • Availability of resources

  • Backup and Recovery

  • Mobile Endpoints

  • Data concentration

  • Data Center and Cloud oriented

Another advantage: if you get hacked, the cloud vendor will pay you, since it’s their responsibility to defend your infrastructure and they did not protect you.

Disadvantages

  • System complexity

  • Shared Multi-Tenant environment

  • Internet facing service

    • All of the things are done via the web.

  • Loss of control

    • You lose control over the physical aspects

    • Security and privacy can be a challenge

Infrastructure security

Authorization

  • Access criteria

    • Roles, groups, location, time

    • Transaction types

  • Default to no access - that means that in the beginning nobody has access, and access is granted only when a person needs it. You start from the position that nobody has access.

    • Access is explicit

    • Access could be implicit as well

    • Must fail safe

  • Fail safe in the logical context is no access

    • People have access ONLY if they really need it. This is THE SAFEST MODEL ON WHICH TO BUILD AN ORGANIZATION.

  • The Need to Know applies

  • The principle of Least privilege applies as well
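
The default-to-no-access, explicit-grant and fail-safe points above as a small authorization check in Python. This is an added example, not code from the original notes; the roles, locations and time windows in the sample policy are assumed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Grant:
    role: str
    transaction: str      # transaction type, e.g. "read" or "transfer"
    locations: frozenset  # locations the request may come from
    start: time           # time window during which the grant applies
    end: time

# Constructed sample policy: every grant is explicit; nothing else exists.
GRANTS = [
    Grant("teller", "read", frozenset({"branch"}), time(8, 0), time(18, 0)),
    Grant("teller", "transfer", frozenset({"branch"}), time(9, 0), time(17, 0)),
    Grant("auditor", "read", frozenset({"branch", "hq"}), time(0, 0), time(23, 59)),
]

def authorize(roles, transaction, location, hhmm, grants=GRANTS):
    """Return True only if some grant explicitly covers the request.

    Anything that does not match, and any error while evaluating (a bad time
    string, a missing role set), fails safe to False: no access."""
    try:
        now = time.fromisoformat(hhmm)
        for g in grants:
            if (g.role in roles and g.transaction == transaction
                    and location in g.locations and g.start <= now <= g.end):
                return True
        return False          # default to no access: no explicit grant matched
    except (TypeError, ValueError):
        return False          # fail safe: an evaluation error means no access
```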

Hardening / Bastion Host

Hardening is a process to make the system “harder”. More secure.

  • Disable Unnecessary Services

  • Protecting Management Interfaces

  • Default Passwords Removed

    • They are a common way to get into a system

  • Password Protection

    • NEVER STORE IN CLEAR TEXT

  • PATCH

  • Disabling unnecessary accounts

  • Hardening the TCP/IP Stack

Why do hardening?

  • OSes are very insecure out of the box

  • Lowers the amount of risk

  • Allow only what is needed for the system role

  • Remove ALL non-essential services

  • Might require some trial and error

  • Will pay off in the long run

Turn off the service and see what breaks.

Checklist for saving time

  • Based on a consensus of experts

  • NIST has a National Checklist Program

  • Security Content Automation Protocol (SCAP)

    • Checklists are being converted to SCAP

  • Can be applied to a large range of hardware (HW) and software (SW)

Checklists are nice because you know what the best practices are. If something happens, you can say that you followed best practices.

Do not reinvent the wheel

There are already organizations that have made checklists and the needed information:

Hardware Security

  • Cable locks

  • Safe

  • Locking Cabinet

  • Vault

Host security on Mobile Devices

  • Screen lock

  • Strong password

  • Device encryption

  • Remote wiping/sanitization

  • Voice Encryption

  • GPS Tracking

  • Virtualization for testing to avoid host infection

    • Good malware knows if you’re testing it in a virtual system

Firewall Topics

  • Rule Based Management

    • Keep it Simple

      • The fewer rules you have, the easier it is

    • You must have security policies

    • Convert the policies to a security architecture

    • Ockham's Razor (RULE) - the principle that the simplest explanation is the best explanation

    • Rule order will greatly affect performance

    • Comment your rules for others to understand

    • Backup your rule base & regularly audit

  • ACL (Access Control List)

    • Should be as granular (fine) as possible

    • Drop unwanted packets instead of rejecting them

    • Beware of default global properties

    • Allow admin access only from trusted IPs

    • Give the attacker as little information as possible

    • Ensure logging is properly configured

    • Also check what’s leaving your network

  • Types of Firewalls & Proxies

    • Personal firewall

      • Class of firewalls for user workstations

      • Offers protection from threats

      • Prevent inbound connections

      • Protects only one computer rather than a network

      • Can provide integrity checking mechanisms

      • Allows a very detailed rule base to be created

      • Should be part of your baseline requirements

    • Generations of enterprise firewalls

      • First came packet filters

      • Then proxies

      • Then stateful firewalls

    • Application Firewalls

    • Network Access Control (NAC) or Network Access Protection (NAP)

    • NAP determines who can access the network

  • Firewall

    • It can be implemented in HW or SW

    • Enforces your security policies on traffic

    • Similar to a dumb security guard

    • Some firewalls inspect all 7 layers of the OSI model

      • Of course, at a price

    • Controls the flow of traffic

    • You must understand their limitations

  • What does Firewall do?

    • Controls flow of traffic between networks or hosts

    • Restricts data flow to and from the internal networks, and from the internet

    • Acts as a “traffic cop”

    • Can provide extensive logging

    • Could be used as a NAT device

    • Can be used as a VPN device

    • Could be a Unified Threat Management (UTM) device - that means it is a jack of all trades.

    • New types:

      • Web Application Firewall

      • Application Firewall

  • Network Access Control (NAC)

    • Also called Network Access Protection (NAP)

    • A common requirement for firewalls

    • Inspect incoming connections

    • NAC health checks

      • Latest updates

      • Configuration settings of security tools

      • Elapsed time since the previous malware scan

  • Packet Filters

    • Most basic type of firewall

    • Filters one packet at a time

    • Fast & Inexpensive

    • It is not going to tell you if the packet is malicious

    • Packet filters limitations

      • Does not detect IP spoofing

      • Does not provide source authentication

      • Does not detect IP fragmentation

      • Does not detect strange combinations of flags

        • SYN and FIN together

  • Flood guards

    • Defense against DoS or DDoS

    • Detects ongoing attacks

    • Automatically attempts to block such attacks

    • Checks whether there is too much traffic

    • Can identify and attempt to stop SYN floods, ping floods and port floods

    • Offering these services can make you a lot of money

    • Tools of flood guards:

      • DDoS mitigation appliances

      • Traffic anomaly detectors

      • QoS

      • Intrusion Prevention System

      • Access Control Lists (ACL)

      • SYN flood protection

      • RFC 2827 (must be complied with)

      • Network Ingress Filtering

      • Defeating IP source spoofing DoS attacks

  • Network Segregation

    • Used for SCADA systems

      • Supervisory Control and Data Acquisition

      • Electricity, Oil and Gas Pipelines, Water utilities

        • This is the most dangerous area in cyber warfare

    • Used by the Department of Defense (DoD)

    • Should also be used internally by companies
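
The rule-based management and ACL points above (rule order, commented rules, drop rather than reject, logging every decision, egress filtering and RFC 2827 ingress filtering against spoofed sources) as a small first-match packet filter in Python. This is an added example, not code from the original notes; the address blocks, hosts and rules are assumed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")       # assumed internal address block
ADMIN_NET = ip_network("10.0.5.0/24")     # assumed trusted admin subnet
WEB_SERVER = ip_network("10.0.0.2/32")    # assumed public web server
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    iface: str      # "wan" = arriving from the internet, "lan" = from inside
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "drop" (silent drop, never "reject")
    iface: str             # "wan", "lan" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: "int | None"    # None matches any port
    comment: str           # comment your rules so others understand them

# First match wins, so order matters: specific allows first, catch-all drop last.
RULES = [
    Rule("allow", "lan", ADMIN_NET, INTERNAL, 22, "admin SSH only from the trusted admin subnet"),
    Rule("allow", "lan", INTERNAL, ANY, 443, "users may browse HTTPS"),
    Rule("allow", "wan", ANY, WEB_SERVER, 443, "anyone may reach the public web server"),
    Rule("drop", "any", ANY, ANY, None, "default deny: everything not explicitly allowed"),
]

LOG = []   # every decision is recorded, dropped traffic included

def evaluate(pkt, rules=RULES):
    """Return (action, reason) for one packet; the first matching rule decides."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # RFC 2827 style anti-spoofing before the rule base: packets from the internet
    # must not claim an internal source (ingress filtering) and packets leaving
    # must carry an internal source (egress filtering).
    if pkt.iface == "wan" and src in INTERNAL:
        verdict = ("drop", "ingress filter: spoofed internal source from outside")
    elif pkt.iface == "lan" and src not in INTERNAL:
        verdict = ("drop", "egress filter: spoofed source leaving the network")
    else:   # the catch-all drop guarantees that some rule matches
        r = next(r for r in rules if r.iface in ("any", pkt.iface) and src in r.src
                 and dst in r.dst and r.dport in (None, pkt.dport))
        verdict = (r.action, r.comment)
    LOG.append((pkt, *verdict))
    return verdict
```

Passing `rules=RULES[::-1]` to `evaluate` puts the catch-all drop first and silently kills every allowed flow, which is the rule-order point in one call.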

Proxy Servers

  • Creates a gap between internal users and the public network

  • Acts as a middle man

  • Still known as the most secure type of firewall

  • Users MUST go through the proxy

  • Proxy is a server which inspects all of the connections.

Application level proxy

  • It is the smartest type of proxy

  • Operates at the Application Layer (7)

  • Understands the inner workings of protocols

  • Understands syntax

  • Can be used as an access control tool

    • May require a password

Circuit Level Proxy

  • Also called a Generic Proxy

  • Used when an application proxy cannot be used

  • Mostly SOCKS as the protocol today

  • Supported by a limited number of applications

    • Browsers

    • Email client

  • Can act as a VPN

Stateful Packet inspection (SPI)

  • Intercepts packets at the network layer

  • Monitors the state of connections

    • SYN, ACK, FIN flags

  • Can enforce a proper three-way handshake

  • Can track connectionless protocols such as UDP

  • Fast and efficient on inbound traffic

  • No need to read the whole rule base for every packet

  • Can prevent some probes and attacks

  • Can restrict commands within protocols
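
The handshake enforcement and UDP tracking above, together with the SYN-and-FIN flag combination that a plain packet filter (see the packet filter limitations) does not catch, as a minimal connection tracker in Python. This is an added example, not code from the original notes; the "10." internal prefix is assumed, and the table is deliberately simplified (no timeouts, no sequence numbers).

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10."   # assumed: addresses starting with "10." are inside
@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # subset of {"SYN", "ACK", "FIN"}; empty for UDP
    proto: str = "tcp"

class StatefulFilter:
    def __init__(self):
        self.table = {}   # (client, cport, server, sport) -> state; client sent the first SYN

    def decide(self, s):
        fwd = (s.src, s.sport, s.dst, s.dport)   # key if s travels client -> server
        rev = (s.dst, s.dport, s.src, s.sport)   # key if s travels server -> client
        f, inside = s.flags, s.src.startswith(INTERNAL_PREFIX)
        if {"SYN", "FIN"} <= f:                  # impossible combination in any state
            return "drop"
        if s.proto == "udp":                     # pseudo-state for a connectionless protocol
            if fwd in self.table or rev in self.table:
                return "allow"                   # part of an exchange already seen
            if inside:
                self.table[fwd] = "UDP"          # an inside host opened the exchange
                return "allow"
            return "drop"                        # unsolicited datagram from outside
        if f == {"SYN"}:                         # handshake step 1 (or its retransmit)
            if inside and self.table.get(fwd) in (None, "SYN_SENT"):
                self.table[fwd] = "SYN_SENT"
                return "allow"
            return "drop"                        # no inbound connections
        if f == {"SYN", "ACK"}:                  # step 2 must answer a SYN we saw
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECV"
                return "allow"
            return "drop"
        if f == {"ACK"}:                         # step 3, or data on an open connection
            if self.table.get(fwd) == "SYN_RECV":
                self.table[fwd] = "ESTABLISHED"
                return "allow"
            if "ESTABLISHED" in (self.table.get(fwd), self.table.get(rev)):
                return "allow"
            return "drop"                        # an ACK with no handshake behind it
        if "FIN" in f:                           # teardown: forget the connection
            key = fwd if fwd in self.table else rev
            return "allow" if self.table.pop(key, None) == "ESTABLISHED" else "drop"
        return "drop"
```

A stateless filter that allows "any packet with ACK set" would pass the stray ACK and the SYN+ACK with no preceding SYN; the tracker drops both because no table entry explains them.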

Application firewall

  • Newer trend in Stateful Packet Inspection

    • AKA deep packet inspection

    • Adds basic intrusion detection to SPI

  • It is a next-generation firewall

  • It’s an IDS

  • Inspects protocols at the application layer

    • Allows or denies access based on how an application is running

Web Security Gateways

  • Newer technology

  • A form of specialized Application Firewall

  • Resides in front of the web server

  • Minimizes attacks through web browsers

  • Protects against some phishing attempts

Unified Threat Management (UTM)

All-in-one security device

  • What could go wrong?

  • It’s a bad idea

Limitation of Firewall Inspection

  • Can only work effectively on traffic they can inspect

    • Cryptography hides the contents of the traffic

    • SSH, TLS, SSL, IPSEC

  • Cannot read application data that is encrypted

  • Sometimes they do not understand tunneled traffic

  • May not be able to detect internal threats

Recommendations

  • NAT is a form of routing and not a type of firewall

  • Perform granular (very fine) Egress Filtering

  • Choose a firewall that blocks harmful traffic

  • Assess your needs carefully before choosing

  • Management of firewalls should be centralized

  • Change Control must be in place

  • Always have backup copies of rule base

Filtering

  • URL filtering

    • Users will visit malicious or offensive websites

    • Make a whitelist of sites that may be visited

    • You must monitor surfing habits

    • This is even more important in schools with kids

    • Can filter specific categories

    • Can enforce policies

    • Tools

      • Websense

      • SurfPatrol

  • Spam filtering

  • Antivirus

    • Software that looks for and detects viruses

    • Viruses distributed via:

      • Files that are downloaded

      • Emails

    • Does not understand high-level attacks

  • Pop-Up blocker

    • Tool to prevent pop-up windows from opening

    • Feature built into most browsers today

    • Allows the user to specifically allow pop-ups for a site

  • Content Inspection

  • Malware inspection
