🔹Layered Security
Layer 1
(Physical Inspection/Access)
Threats
Rogue Device
Bad USB
Pentest Dropbox
HID Attacks
Physical Damage
Mitigations
Cabinets
Closets
Physical Authentication & Authorization
Wireless (802.11)
Threats
Dual-homed devices (2 or more interfaces)
Protocol Attacks
BYOAP (bring your own access point)
Mitigations
WIPS (wireless Intrusion Prevention System)
Disable Obsolete Protocols (WEP)
Disable Flawed Control Mechanisms (WPS)
Enable PMF (Protected Management Frames) if possible - available in 802.11w to block spoofing, deauth, disass and replay attacks
Guest Management (no auth for guests, internet access only, WPA2-PSK)
Station/Client Isolation (clients cant access other clients on the same AP)
WPA2 Enterprise (use unique encryption key for each client and authenticate with RADIUS servers)
Wireless (RFID badges)
Threats
Cloned Cards/Tags
Mitigations
Use cards that support rolling codes (code change on each use) or challenge-response
Use protective sleeves if using old RFID cards
Layer 2 & 3
Switches
Threats
MAC flooding
802.1Q and ISL Tagging
Double Encapsulated 802.Q / VLAN hopping
ARP Poisoning
Private VLAN attack
VLAN Tunneling Protocol Attack
Multicast Brute Force
Spanning-tree Attack
Random Frame Stress
Rogue DHCP
DHCP Starvation
NTP Amplification
NTP Spoofing
STP Spoofing
Sniffing
Mitigations
Disable CDP to prevent credential spoofing
Setup port security to prevent MAC flood or hardcode system MAC address
Disable unused ports, services, protocols, interfaces, etc.
Setup MAC limitation and sticky MAC address
DHCP Snooping
Dynamic ARP Inspection (DAI)
ARP IDS (arpwatch)
Configure trusted interface for DHCP
Use private VLANs
use SSHv2
Enable logging
Use Cisco type 8 or 9 password hashes
Configure banner correctly
Always use SNMP v3 with secure community strings
Routers
Threats
DoS
IP spoof
IP Source Routing
ICMP Flood
Smurf Attack
Routing Table Poisoning
IPv6 Router Advertisement
Unauthorized Routing Updates
Wormhole Attack (Unauthenticated Tunneling)
Mitigations
Cisco Autosecure
DISA STIGs
CIS Cisco Benchmark
Use audit tools (Nipper Studio, nipper-ng)
Set logon filters on the outermost external router
Block non-routed IPs
IPv6
Threats
IPv6 MitM
DHCPv6 Takeover
Neighbor Impersonation
NDP Spoofing
Mitigations
Dynamic ARP Inspection
Secure Neighbor Discovery
Private VLANs
Port Security
802.1x
Use IPsec if possible
Block protocol 41 to prevent IPv6 tunneling (Cisco IOS ACL)
Use rogue advertisement (RA) guard
Layer 7
Application Proxy
Forward Proxy : remote access through proxy, hides the identity of client.
Web Proxy
SSL Inspection
Block sites by categories
Website whitelisting
Authentication
SMTP Proxy (spam application)
per-email encryption
modify/auto-route mail (add custom header/footer or remove attachments)
anti-spam/anti-spoof (SPF/DKIM/DMARK)
sender authentication
rate limiting
sender blocking
Reverse Proxy : for security analysis, hides the identity of server (WAF, three-tier model, etc.)
Placement
DMZ proxy (between DMZ and internal network)
Internal proxy (betwwen clients and internet)
VPN access (for remote connection)
Cloud proxy (systems directly connect to cloud infrastructure)
WAF
Web Application Firewall (proxy) : strong focus on mitigating OWASP Top 10.
Capabilities
SSL offloading (client connects to reverse proxy with SSL/TLS and reverse proxy connects to web server with http)
content decoding
HTTP attack vector mitigations
virtual patching (mitigation without recoding the web app)
CAPTCHA & rate limiting
add HSTS header
error page control
dynamic action based on risk level
dynamic traffic routing for load balancing
Deployment:
Automatic Learning (traffic goes through WAF for a period of time so it can learn the patterns, after learning can flip to deny)
manual (all settings are manually tuned, many templates are available based on OS, programming language and back-end database )
Firewall
Internal Network Design
Break up internal network into separate segments based on :
Business & regulation requirements
Criticality of assets
Threats
Risk appetite
Segmentation Principles
classify systems and data in different levels (tiers):
tier 1 - critical components (DCs, exchange server, etc.)
tier 2 - internal systems
tier 3 - external facing data-providing systems
gateways are the control points with egress/ingress inspection and ACL.
Best Practices:
Define port-based rules first
Block geolocations
Authenticate all outbound traffics
Use both host-based and network-based
DMZ
DMZ is usually implemented in one of these models:
In case of having multiple systems/servers in the DMZ, its highly recommended to separate them or split them into multiple DMZs (or trust zones).
In DMZ, segmentation is done using VLANs, VRFs or physical separation.
DMZ + Active Directory
In case of using Active Directory connected servers in the DMZ (such as a public website or domain), the DMZ should not be directly connected to primary/root domain controllers. in this scenario, a read-only domain controller (RODC) is placed in DMZ for authentication and authorization.
IDS vs IPS Design
IPS should be implemented in in-line mode so that all the traffic can pass through and be analyzed.
IDS should be implemented out-of-band with a network tap or port mirroring to prevent speed drop.
Last updated
