net-sec-samenvatting/10_secure_network_design.md

Secure network design

General best practices

MFA and encryption

  • use password regime with 2FA/MFA
    • if MFA not possible, set strong passwords
    • provide backup solution for 2FA
  • advanced OS security practices
    • Credential Guard: isolate secrets via virtualisation isolation techniques (TPM 2.0)
    • BitLocker: Windows full disk encryption
      • 48-bit recovery key
  • harden OS

Network

  • segregate network
    • Virtual Local Area Network (VLAN)
    • different clearance levels
    • prod / staging / testing
    • guest network
    • VLAN config must be synced between switches
      • VLAN Trunk Protocol (VTP) allows configuring on single device (VTP server) and have changes pushed through network (VTP clients)
  • whitelist MAC addresses
    • prevent rogue devices from being plugged in (MAC addresses can be spoofed though)
    • only connect sockets that are going to be used, don't cable everything
  • use a firewall
    • deny everything by default
    • close all ports by default
    • lock it down
    • log all config changes including who did it
    • clean up / optimize rules
    • patch firewall software / host
  • use VPN for internal access from outside network
  • utilize demilitarised zone (DMZ) for (untrusted) public facing services
    • ideally 2 firewalls
    • internet - firewall - DMZ - firewall - internal network
  • airgap hosts with very sensitive information
  • have procedures to rapidly isolate hosts when needed
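Added example, not from the summary, for the MAC allowlist point above and its caveat: a Python check over constructed switch MAC-table events that blocks unknown MACs and also flags an allowlisted MAC appearing on a second port shortly afterwards, which an allowlist alone cannot prevent. The allowlist, MACs, ports and timestamps are all constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed allowlist: MAC -> (owner, switch port it is expected on).
ALLOWLIST = {
    "aa:bb:cc:00:00:01": ("alice-laptop", "sw1/gi0/1"),
    "aa:bb:cc:00:00:02": ("printer-2f", "sw1/gi0/9"),
}

# Constructed switch MAC-table events: (timestamp in seconds, mac, port).
EVENTS = [
    (100, "aa:bb:cc:00:00:01", "sw1/gi0/1"),
    (101, "aa:bb:cc:00:00:02", "sw1/gi0/9"),
    (102, "de:ad:be:ef:00:01", "sw1/gi0/4"),   # unknown device plugged in
    (103, "aa:bb:cc:00:00:01", "sw1/gi0/4"),   # allowed MAC on the wrong port
]

def evaluate(events, allowlist, window: int = 60) -> List[Tuple[str, str, str]]:
    """Return (severity, mac, message) findings.

    The allowlist blocks unknown MACs. Because MACs can be spoofed, a known
    MAC seen on two different ports within `window` seconds is reported as a
    spoofing indicator rather than silently accepted.
    """
    findings: List[Tuple[str, str, str]] = []
    seen: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, mac, port in events:
        mac = mac.lower()
        if mac not in allowlist:
            findings.append(("block", mac, f"unknown MAC on {port}"))
            continue
        owner, expected_port = allowlist[mac]
        if port != expected_port:
            findings.append(("alert", mac, f"{owner} expected on {expected_port}, seen on {port}"))
        # Same MAC active on another port inside the window: likely spoofed.
        recent = [p for t, p in seen[mac] if ts - t <= window and p != port]
        if recent:
            findings.append(("alert", mac, f"possible spoof: also on {recent[0]} within {window}s"))
        seen[mac].append((ts, port))
    return findings
```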

Patch management

  • use centralized system for pushing patches
  • sysadmins don't push patches immediately; wait to see if they're stable and needed
  • Windows Software Update Services (WSUS) allows managing distribution of Microsoft's product updates to org devices
    • schedule and perform updates on many devices
    • can use central server inside company network for distribution of update
  • similar tools for Linux
    • Red Hat Satellite
    • Canonical Landscape
    • SUSE Manager
    • sometimes Ansible

Other

  • centralised inventory and patch management system
    • ability to push security patches to all devices
  • proper backup and restore policies
  • detection systems to monitor hosts and networks for anomalies
    • should only report important/meaningful events, not everything
  • log important events for analysis
  • application whitelists: only allow certain software
  • MS Intune
    • management software for companies that have both org-owned and personal devices being used
    • access determined based on trust in user/device
  • privileged access workstations (PAW)
    • computer with locked-down configuration only used for server administration tasks
    • practices
      1. allow only authorized and signed software
      2. use Credential Guard to protect credentials
      3. use BitLocker
      4. don't connect it to internet
      5. don't sign in using root/admin on PAW
      6. only allow specific accounts
      7. configure servers to only allow connections from PAW
      8. use config management tools to monitor PAW
      9. forward audit logs to secure location
      10. disable unauthorized storage/usb devices
      11. block unsolicited inbound traffic
  • jump box
    • hardened host meant to forward SSH connections
    • block direct SSH connections via firewall
    • usually replicated for resiliency
    • can be combined with PAW
  • monitoring
    • Prometheus / Grafana
    • Nagios
    • Zabbix
    • Splunk

Zero trust networks

  • don't trust anything
  • verify everything
  • core principles
    1. assume breach: encourage continuous verification
    2. least privilege access
    3. micro-segmentation
      • divide network into small isolated segments
      • each segment requires separate authentication/authorization
    4. continuous monitoring
    5. device and user authentication
      • authenticate everything
      • MFA, health checks, everything
    6. encryption everywhere
  • architecture: 4 components
    1. enforcement: authenticates clients and passes context of each request to control plane / policy engine
    2. policy engine: user trust score and compliance policies
      • e.g. "allow requests during office hours"
    3. trust engine: risk analysis by computing risk score
      • e.g. ML system that judges validity of request
    4. data stores: stores full context of request
  • benefits
    • enhanced security
    • reduced attack surface
    • improved compliance: helps companies meet regulatory requirements
    • adaptability: well-suited for modern distributed IT environments
  • drawbacks
    • complexity
    • cost
    • requires mindset shift for everyone
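Added example, not from the summary: the four zero-trust components above modelled in Python, with a trust engine computing a risk score, a policy engine applying the office-hours and least-privilege rules, an enforcement point that consults both, and a list standing in for the data store. The request fields, score weights and thresholds are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Request:
    """Context the enforcement point gathers for one request (constructed)."""
    user: str
    device_id: str
    mfa_passed: bool
    device_healthy: bool   # health check: disk encrypted, patched, EDR running
    known_device: bool     # device present in the central inventory
    resource: str          # e.g. "prod/db" or "staging/app"
    hour: int              # local hour of the request, 0-23
    weekday: int           # 0 = Monday ... 6 = Sunday

# Data store: full context and outcome of every decision, kept for analysis.
DECISION_LOG: List[Dict] = []

def trust_engine(req: Request) -> int:
    """Risk analysis: 0-100 risk score; weights are assumed for illustration."""
    risk = 0
    if not req.mfa_passed:
        risk += 50
    if not req.device_healthy:
        risk += 30
    if not req.known_device:
        risk += 40
    return min(risk, 100)

def policy_engine(req: Request, risk: int) -> Tuple[bool, str]:
    """Compliance policies evaluated against the request and its risk score."""
    if not req.mfa_passed:
        return False, "mfa required"
    if req.weekday >= 5 or not 8 <= req.hour < 18:
        return False, "outside office hours"
    # Least privilege: production is only reachable at zero residual risk.
    if req.resource.startswith("prod/") and risk > 0:
        return False, f"risk score {risk} too high for prod"
    if risk >= 40:
        return False, f"risk score {risk} too high"
    return True, "ok"

def enforcement_point(req: Request) -> bool:
    """Consults both engines and records the decision before answering."""
    risk = trust_engine(req)
    allowed, reason = policy_engine(req, risk)
    DECISION_LOG.append({"user": req.user, "device": req.device_id,
                         "resource": req.resource, "risk": risk,
                         "allowed": allowed, "reason": reason})
    return allowed
```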

Internet of Things

  • botnets
    • swarm of infected IoT devices
    • used for massive DDoS
    • command and control or P2P
  • Mirai
    • leaked botnet code
    • created by US students as an extortion scheme
    • stages
      1. scanning
        • SYN port scan probing targets
        • brute force authentication
      2. infection
        • identify architecture of device
        • load/run malware for architecture
      3. attack
        • issue attack command
        • each node sends packets as quickly as possible

Industrial control systems

  • SCADA: Supervisory Control And Data Acquisition systems
    • used for controlling, analyzing and monitoring industrial devices and processes
    • very common
    • networks recommended to be airgapped -> less focus on intrusion attacks
    • often left unpatched so as not to disrupt operation
  • Stuxnet: famous virus targeting Iran's uranium enrichment plants running SCADA