# Secure network design

## General best practices

### MFA and encryption

* use a password regime with 2FA/MFA
  * if MFA is not possible, set strong passwords
  * provide a backup solution for 2FA
* advanced OS security practices
  * **Credential Guard**: isolates secrets via virtualisation isolation techniques (TPM 2.0)
  * **BitLocker**: Windows full disk encryption
    * 48-bit recovery key
* harden the OS
  * the [Center for Internet Security](https://www.cisecurity.org/) provides benchmarks/guidelines
    * detailed guides on how to harden Linux/Windows/...

### Network

* segregate the network
  * Virtual Local Area Network (VLAN)
    * different clearance levels
    * prod / staging / testing
    * guest network
  * VLAN config must be kept in sync between switches
    * VLAN Trunking Protocol (VTP) allows configuring VLANs on a single device (VTP server) and having the changes pushed through the network (VTP clients)
* whitelist MAC addresses
  * prevents rogue devices from being plugged in (MAC addresses can be spoofed though)
* only connect sockets that are going to be used, don't cable everything
* use a firewall
  * deny everything by default
    * close all ports by default
  * lock it down
  * log all config changes, including who made them
  * clean up / optimize rules
  * patch the firewall software / host
* use a VPN for internal access from outside the network
* utilize a demilitarised zone (DMZ) for (untrusted) public-facing services
  * ideally 2 firewalls
    * internet - firewall - DMZ - firewall - internal network
* airgap hosts with very sensitive information
* have procedures to rapidly isolate hosts when needed
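
The default-deny and two-firewall DMZ items above, as an added example (not part of the original notes): a first-match rule evaluator over a constructed ruleset, plus a check for shadowed rules, which is what the "clean up / optimize rules" item is about in practice. The `Rule` type, all addresses and the ruleset itself are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR, "0.0.0.0/0" for any
    dst: str              # destination CIDR
    dport: Optional[int]  # destination TCP port, None for any
    action: str           # "allow" or "deny"

# Constructed ruleset for the layout internet - firewall - DMZ (203.0.113.0/24) -
# firewall - internal (10.0.0.0/8). Rules are first-match; no match means deny.
RULES = [
    Rule("0.0.0.0/0", "203.0.113.10/32", 443, "allow"),      # internet -> DMZ web server, HTTPS only
    Rule("203.0.113.10/32", "10.0.5.20/32", 5432, "allow"),  # DMZ web server -> internal DB only
    Rule("0.0.0.0/0", "203.0.113.10/32", 443, "allow"),      # stale duplicate of rule 0, never reached
    Rule("10.0.0.0/8", "0.0.0.0/0", 443, "allow"),           # internal clients -> HTTPS anywhere
]

def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def decide(src: str, dst: str, dport: int, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; anything unmatched falls to the implicit deny."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action
    return "deny"

def shadowed(rules: List[Rule] = RULES) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already matches
    every flow they would match; these are the cleanup candidates."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                dead.append(i)
                break
    return dead
```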

### Patch management

* use a centralized system for pushing patches
  * sysadmins don't push patches immediately; they wait to see if the patches are stable and needed
* Windows Server Update Services (WSUS) allows managing the distribution of Microsoft product updates to org devices
  * schedule and perform updates on many devices
  * can use a central server inside the company network for distribution of updates
* similar tools for Linux
  * Red Hat Satellite
  * Canonical Landscape
  * SUSE Manager
  * sometimes Ansible

### Other

* centralised inventory and patch management system
  * ability to push security patches to all devices
* proper backup and restore policies
* detection systems to monitor hosts and networks for anomalies
  * should only report important/meaningful events, not everything
* log important events for analysis
* application whitelists: only allow certain software
* MS Intune
  * management software for companies that have both org-owned and personal devices in use
  * access determined based on trust in user/device
* privileged access workstations (PAW)
  * computer with a locked-down configuration, only used for server administration tasks
  * practices
    1. allow only authorized and signed software
    2. use Credential Guard to protect credentials
    3. use BitLocker
    4. don't connect it to the internet
    5. don't sign in using root/admin on the PAW
    6. only allow specific accounts
    7. configure servers to only allow connections from the PAW
    8. use config management tools to monitor the PAW
    9. forward audit logs to a secure location
    10. disable unauthorized storage/USB devices
    11. block unsolicited inbound traffic
* jump box
  * hardened host meant to forward SSH connections
  * block direct SSH connections via firewall
  * usually replicated for resiliency
  * can be combined with PAW
* monitoring
  * Prometheus / Grafana
  * Nagios
  * Zabbix
  * Splunk

## Zero trust networks

* don't trust anything
* verify everything
* core principles
  1. assume breach: encourages continuous verification
  2. least privilege access
  3. micro-segmentation
     * divide the network into small isolated segments
     * each segment requires separate authentication/authorization
  4. continuous monitoring
  5. device and user authentication
     * authenticate everything
     * MFA, health checks, everything
  6. encryption everywhere
* architecture: 4 components
  1. enforcement: authenticates clients and passes the context of each request to the control plane / policy engine
  2. policy engine: user trust score and compliance policies
     * e.g. "allow requests during office hours"
  3. trust engine: risk analysis by computing a risk score
     * e.g. an ML system that judges the validity of a request
  4. data stores: store the full context of each request
* benefits
  * enhanced security
  * reduced attack surface
  * improved compliance: helps companies meet regulatory requirements
  * adaptability: well-suited for modern distributed IT environments
* drawbacks
  * complexity
  * cost
  * requires a mindset shift for everyone
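
The four-component architecture above, wired together as an added example (not code from the notes or from any zero trust product): an enforcement point that scores each request with a trust engine, applies the "office hours" compliance policy in a policy engine, and keeps the full request context in a data store. The rule-based scoring stands in for the ML trust engine the notes describe; the `Request` fields, score weights, thresholds and resource names are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

@dataclass
class Request:
    user: str
    device: str
    resource: str
    time: datetime
    mfa: bool             # user completed MFA for this session
    device_healthy: bool  # device posture check passed (patched, disk encrypted, ...)

def make_request(user, device, resource, hour, mfa, healthy) -> Request:
    return Request(user, device, resource, datetime(2024, 1, 15, hour, 0), mfa, healthy)

# Trust engine: turns request context into a trust score (hypothetical rule-based stand-in
# for the ML system the notes mention, kept transparent so the scoring is readable).
def trust_score(req: Request, known_devices: Set[Tuple[str, str]]) -> int:
    score = 100
    if not req.mfa:
        score -= 50
    if not req.device_healthy:
        score -= 30
    if (req.user, req.device) not in known_devices:  # first time this user is on this device
        score -= 20
    return max(score, 0)

# Policy engine: the compliance policy "allow requests during office hours" plus a
# minimum trust score per resource; resources not listed require a perfect score.
OFFICE_HOURS = range(8, 18)
MIN_TRUST: Dict[str, int] = {"wiki": 50, "payroll-db": 80}

def policy_decision(req: Request, score: int) -> str:
    if req.time.hour not in OFFICE_HOURS:
        return "deny: outside office hours"
    needed = MIN_TRUST.get(req.resource, 100)
    if score < needed:
        return f"deny: trust {score} below {needed}"
    return "allow"

class Enforcer:
    """Enforcement point: gathers context, consults both engines, records the outcome."""
    def __init__(self) -> None:
        self.store: List[Tuple[Request, str]] = []  # data store: full request context + decision

    def handle(self, req: Request) -> str:
        # only previously *allowed* (user, device) pairs count as known, so a denied request
        # cannot bootstrap trust for the next one
        known = {(r.user, r.device) for r, d in self.store if d == "allow"}
        decision = policy_decision(req, trust_score(req, known))
        self.store.append((req, decision))
        return decision
```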

## Internet of Things

* botnets
  * swarm of infected IoT devices
  * used for massive DDoS
  * command and control or P2P
  * [Mirai](https://github.com/jgamblin/Mirai-Source-Code)
    * leaked botnet code
    * created by US students as an extortion scheme
    * stages
      1. scanning
         * SYN port scan probing targets
         * brute force authentication
      2. infection
         * identify the architecture of the device
         * load/run malware built for that architecture
      3. attack
         * issue attack command
         * each node sends packets as quickly as possible
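
A defender-side counterpart to the scanning stage above, added here as an example (not from the notes or from the Mirai source): a detector that walks constructed Zeek-style flow records and flags sources that sweep telnet ports with unanswered SYNs, or that open many short sessions to one host, which is what credential guessing looks like in flow data. The addresses, record format and thresholds are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records (not real traffic): src dst dport conn_state, where conn_state
# follows Zeek's conn.log ("S0" = SYN sent, never answered; "SF" = normal handshake and close).
FLOWS = """\
10.1.1.50 10.1.2.1 23 S0
10.1.1.50 10.1.2.2 23 S0
10.1.1.50 10.1.2.3 2323 S0
10.1.1.50 10.1.2.4 23 S0
10.1.1.50 10.1.2.5 23 S0
10.1.1.50 10.1.2.7 23 SF
10.1.1.50 10.1.2.7 23 SF
10.1.1.50 10.1.2.7 23 SF
10.1.1.50 10.1.2.7 23 SF
10.1.1.50 10.1.2.7 23 SF
10.1.1.52 10.1.2.7 23 SF
"""

TELNET_PORTS = {23, 2323}  # the telnet ports the Mirai scanner is known to probe
SCAN_MIN_TARGETS = 5       # assumed thresholds; tune them for your own network
BRUTE_MIN_SESSIONS = 5

def parse(text: str) -> List[Tuple[str, str, int, str]]:
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(src, dst, int(dport), state) for src, dst, dport, state in rows]

def detect(flows: List[Tuple[str, str, int, str]]) -> Dict[str, List[str]]:
    """Map each suspicious source to its findings: a stage-1 SYN sweep (unanswered SYNs to
    many hosts on telnet ports) and repeated short sessions to one host (credential guessing)."""
    probed = defaultdict(set)    # src -> distinct hosts hit with unanswered SYNs
    sessions = defaultdict(int)  # (src, dst) -> completed telnet sessions
    for src, dst, dport, state in flows:
        if dport not in TELNET_PORTS:
            continue
        if state == "S0":
            probed[src].add(dst)
        elif state == "SF":
            sessions[(src, dst)] += 1
    findings: Dict[str, List[str]] = defaultdict(list)
    for src, hosts in probed.items():
        if len(hosts) >= SCAN_MIN_TARGETS:
            findings[src].append(f"telnet SYN sweep: {len(hosts)} hosts probed")
    for (src, dst), n in sessions.items():
        if n >= BRUTE_MIN_SESSIONS:
            findings[src].append(f"possible telnet brute force: {n} sessions to {dst}")
    return dict(findings)
```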

## Industrial control systems

* **SCADA**: Supervisory Control And Data Acquisition systems
  * used for controlling, analyzing and monitoring industrial devices and processes
  * very common
  * networks recommended to be airgapped -> less focus on intrusion attacks
  * often not patched, to avoid disrupting operation
  * Stuxnet: famous virus targeting Iran's uranium enrichment plants running SCADA