ch10

10_secure_network_design.md

@@ -0,0 +1,164 @@
+# Secure network design
+
+## General best practices
+
+### MFA and encryption
+
+* use password regime with 2FA/MFA
+    * if MFA not possible, set strong passwords
+    * provide backup solution for 2FA
+* advanced OS security practices
+    * **CredentialGuard**: isolate secrets via virtualisation isolation
+      techniques (TPM 2.0)
+    * **BitLocker**: Windows full disk encryption
+        * 48-bit recovery key
+* harden os
+    * [Center for Internet Security](https://www.cisecurity.org/) provides
+      benchmarks/guidelines
+    * detailed guides on how to harden Linux/Windows/...
+
+### Network
+
+* segregate network
+    * Virtual Local Area Network (VLAN)
+    * different clearance levels
+    * prod / staging / testing
+    * guest network
+    * VLAN config must be synced between switches
+        * VLAN Trunk Protocol (VTP) allows configuring on single device (VTP
+          server) and have changes pushed through network (VTP clients)
+* whitelist MAC addresses
+    * prevent rogue devices from being plugged in (MAC addresses can be spoofed
+      though)
+    * only connect sockets that are going to be used, don't cable everything
+* use a firewall
+    * deny everything by default
+    * close all ports by default
+    * lock it down
+    * log all config changes including who did it
+    * clean up / optimize rules
+    * patch firewall software / host
+* use VPN for internal access from outside network
+* utilize demilitarised zone (DMZ) for (untrusted) public facing services
+    * ideally 2 firewalls
+    * internet - firewall - DMZ - firewall - internal network
+* airgap hosts with very sensitive information
+* have procedures to rapidly isolate hosts when needed
+
+### Patch management
+
+* use centralized system for pushing patches
+* sysadmins don't push patches immediately; wait to see if they're stable and
+  needed
+* Windows Software Update Services (WSUS) allows managing distribution of
+  Microsoft's product updates to org devices
+    * schedule and perform updates on many devices
+    * can use central server inside company network for distribution of update
+* similar tools for Linux
+    * Red Hat Satellite
+    * Canonical Landscape
+    * SUSE Manager
+    * sometimes Ansible
+
+### Other
+
+* centralised inventory and patch management system
+    * ability to push security patches to all devices
+* proper backup and restore policies
+* detection systems to monitor hosts and networks for anomalies
+    * should only report important/meaningful events, not everything
+* log important events for analysis
+* application whitelists: only allow certain software
+* MS Intune
+    * management software for companies that have both org-owned and personal
+      devices being used
+    * access determined based on trust in user/device
+* privileged access workstations (PAW)
+    * computer with locked-down configurationn only used for server
+      administration tasks
+    * practices
+        1. allow only authorized and signed software
+        2. use Credential Guard to protect credentials
+        3. use BitLocker
+        4. don't connect it to internet
+        5. don't sign in using root/admin on PAW
+        6. only allow specific accounts
+        7. configure servers to only allow connections from PAW
+        8. use config management tools to monitor PAW
+        9. forward audit logs to secure location
+        10. disable unauthorized storage/usb devices
+        11. block unsolicited inbound traffic
+* jump box
+    * hardened host meant to forward SSH connections
+    * block direct SSH connections via firewall
+    * usually replicated for resiliency
+    * can be combined with PAW
+* monitoring
+    * Prometheus / Grafana
+    * Nagios
+    * Zabbix
+    * Splunk
+
+## Zero trust networks
+
+* don't trust anything
+* verify everything
+* core principles
+    1. assume breach: encourage continuous verification
+    2. least privilege access
+    3. micro-segmentation
+        * divide network into smal isolated segments
+        * each segment requires separate authentication/authorization
+    4. continuous monitoring
+    5. device and user authentication
+        * authenticate everything
+        * MFA, health checks, everything
+    6. encryption everywhere
+* architecture: 4 components
+    1. enforcement: authenticates clients and passes context of each request to
+    control place / poly engine
+    2. policy engine: user trust score and compliance policies
+        * e.g. "allow requests during office hours"
+    3. trust engine: risk analysis by computing risk score
+        * e.g. ML system that judges validity of request
+    4. data stores: stores full context of request
+* benefits
+    * enhanced security
+    * reduced attack surface
+    * improved compliance: helps companies meet regulatory requirements
+    * adaptability: well-suited for modern distributed IT environments
+* drawbacks
+    * complexity
+    * cost
+    * requires mindset shift for everyone
+
+## Internet of Things
+
+* botnets
+    * swarm of infected IoT devices
+    * used for massive DDoS
+    * command and control or P2P
+* [Mirai](https://github.com/jgamblin/Mirai-Source-Code)
+    * leaked botnet code
+    * created by US students as an extortion scheme
+    * stages
+        1. scanning
+            * syn port scan probing targets
+            * brute force authentication
+        2. infection
+            * identify architecture of device
+            * load/run malware for architecture
+        3. attack
+            * issue attack command
+            * each node sends packets as quickly as possible
+
+## Industrial control systems
+
+* **SCADA**: Supervisory Control And Data Acquisition systems
+    * used for controlling, analyzing and monitoring industrial devices and
+      processes
+    * very common
+    * networks recommended to be airgapped -> less focus on intrusion attacks
+    * often not patched often to not disrupt operation
+* Stuxnet: famous virus targetting Iran's uranium enrichment plants running
+  SCADA