Data center manual (2): Security

Security has the following concepts:

• Threat: Threat
• Vulnerability: Security Risks
• Attack: Attack

Threat

The following are common threats:

DoS (Denial of Service attack)

Breach of Confidential Information cracking confidential information

Data theft or alteration data theft and tampering

Unauthorized use of compute resources unauthorized access

Identity theft identity theft

Security risks

Security risks often come from the following aspects:

• Software and Protocol Defects
• Configuration problems
• Insufficient security design

For example, use expired Software

Some software has some well-known defects that some worm worms will exploit.

These defects will be removed from subsequent updates. If they are not updated in time, they may be infected.

For example, the worms CodeRed, Nimda, and SQL Slammer use software defects to launch attacks.

CodeRed and Nimda attack IIS in windows, while SQL Slammer attacks a well-known bug in ms SQL 2000.

Another example is to use the default software configuration.

Some default configurations include the default username and password.

Attack Scanning/probing

This is to view the system or network information before the attack, through one or more detection

Port Scan is used to check whether TCP ports are enabled. If yes, it will prepare for future attacks.

DoS attack

A large amount of data is used to occupy a large amount of resources. If network bandwidth, CPU, and memory are used, normal users cannot access them.

SYN flood is to generate a large number of TCP connection requests, but does not establish a connection, but the server will occupy resources because of the connection, and eventually the resources will be exhausted.

Smurf generates a large number of ICMP packets, which are broadcast, but the source address is the server to attack. In this way, all machines that receive ICMP packets will want the server to return ICMP packets.

 

 

Pod ping of Death sends an icmp echo packet, but tampered with the Max size field. When the server receives this packet, the old TCP/IP stack does not check the package size, therefore, we try to create a memory space for the entire size, and eventually out of memory

Most DoS attack sends a large amount of data to the attacked node, resulting in network congestion and service suspension.

DDoS (Distributed Denial of Service)

DDoS is a special version of the DOS system.

It controls a large number of machines and simultaneously accesses the target.

DDoS attacks are generally divided into multiple layers: clients, handlers, and agents.

The client is directly controlled by hackers, intrude into some systems, and install a special program on it. As handler, the client can send commands to handler. Handler invades more systems and installs agents on them. All handler and agents can be controlled by the client and attack a target machine at the same time.

Such as Trinoo, Tribe Flood Network, Stacheldraht

Unauthorized access

Attackers can intrude into an account and use its permissions to perform operations.

Use a backdoor, that is, an embedded Trojan, to operate resources.

Such as network intrusion

Eavesdropping

Obtain the username and password information by listening to packet on the network.

Viruses and worms

The virus is copied only after being triggered by the user.

Completely self-replication by worms

CodeRed, Nimda, and SQL Slammer are both worms.

Internet infrastructure attachs

It mainly attacks key components of the Internet, such as DNS, border router, cache cluster, and access server.

Trust Exploitation

When two computer systems trust each other, they can access the other system by attacking one system.

Session hijacking

By intruding into a normal session, the operation is performed as a legal identity.

IP spoofing is common among them. In many cases, authentication is based on IP addresses. If hackers pretend to use the trusted system IP address as the source IP address and send packets to the attacked system, may be received and replied.

TCP isn guessing is another method. Hackers can capture or guess the initial segment exchange in tcp syn, and then use isn + 1 to reply in tcp syn/ack, then the real response will be deemed to have repeatedly reported and discarded, thus receiving invalid packets.

Buffer overflow attacks

This uses the bug of the program. The program is allocated with a cache, but does not check the access boundary. Hackers can use this to write too much content to crash the system or execute illegal commands.

Layer 2 attacks

ARP Spoof is ARP spoofing. When a machine in the network sends an ARP request to find the gateway address, the hacker pretends to be an ARP reply and tells his MAC address to become the gateway.

Mac flooding utilizes this principle. When the MAC address table of the switch is full, when it is subject to a MAC address that has never been seen before, it uses the flooding method to forward packets. The hacker fills the MAC address table of the switch into many fake source MAC addresses, so that the subsequent packages are flood, then the malicious machine will be able to receive all the packets.

VLAN hopping if a machine on Vlan A sends a vlan B packet, it is forwarded to vlan B from the second layer, thus bypassing the ACL on the router.

Network security infrastructure ACLs

An ACL is a packet header-Based Filtering Policy that contains a list of rules. Each packet matches these rules one by one, and the matching rule allows or rejects the operation, the last rule is usually deny all.

ACL usually exists on the border router and AZ Aggregation Router.

Standard ACL is the most basic type of ACL. It is only based on the source IP address and used to control the access of those machines.

Extended ACL can be filtered Based on Source IP and destination IP, L4 protocal, L4 port, ICMP type, code, TOS, etc.

The router ACLs (racls) ACL is applied to a router interface, which can be a physical interface or a VLAN interface. Only packets through the ACL can be forwarded according to the routing table.

VLAN ACLs (vacls) is applied to L2. It does not have the in/out direction concept, but detects all packets.

Dynamic ACLs (lock and key)

After the lock and key are configured, the user first needs to open a telnet session for authentication. If the city management is complete, a dynamic ACL entry is added, allowing the user to temporarily access the router. this dynamic ACL entry is based on a template and contains the user's IP address as the source IP address.

The lock and key can be used together with the powerful authentication method tacaca +.

Reflexive ACLs

Filters IP packets based on sessions.

Reflexive ACLs only allows sessions initiated from the security network segment, and rejects sessions initiated by the non-security network segment.

Whenever a TCP/UDP connection is established, some temporary entries will be created based on this session.

The above ACL filters TCP connections from the Intranet to the Internet, and uses outboundfilters

The reflect tcptraffic statement indicates that when there is a TCP connection from the Intranet to the Internet, the ACL inboundfilters will add some access list entries.

The connection from the Internet to the Intranet is blocked by inboundfilters, unless it is BGP or it belongs to a TCP connection.

The evaluate tcptraffic statement allows a TCP connection initiated from the Intranet to pass through.

Firewils

Firewall is used for different types of LAN, and is often placed in an important position to prevent unauthorized access to key resources.

As a good firewall, you must have good performance, process more packets per second, and support more applications. If telnet, FTP, HTTP

Packet filtering firewils

According to the packet header filtering package, the router with ACLs is such a firewall, and its functions are relatively basic. Access rules is static. If protocal dynamically discusses the port, it cannot be processed.

This type of firewall does not save the connection status. Therefore, it cannot block a connected package, detect changes in the packet sequence, or detect whether a protocal is violated.

This type of firewall cannot go to payload to view more detailed information, but cannot modify the information, so it cannot perform Nat

Proxy firewils

Is an application-level proxy used to protect known ports such as SMTP, HTTP, telnet, and FTP. Check whether the package meets the protocol standards.

The client needs to be configured. When an external connection is initiated, the proxy is connected first.

When the client establishes a connection with the internet, it uses the public IP of the proxy instead of the real private IP of the client.

The advantage of firewall is that it has a higher level, more intelligent, can dynamically identify connections, can modify payload, can Nat, can authentication, content filtering, caching and Accounting

The disadvantage is poor performance. You need to configure the client.

Stateful firewils

This type of firewall maintains the connection status and is dynamically updated in a connection table. Both TCP and UDP are saved. Includes protocal, source and destination IP address, source and destination UDP/TCP ports, TCP sequence numbers, TCP flags, connection duration

Because the connection status is saved, more probability avoids spoofing attack.

This type of firewall can be used for application level detection, so you can check whether payload has been tampered.

This type of firewall can protect against DoS attack such as tcp syn floods. This attack attempts to establish many connections but does not reach the established State. Because of this state, firewall can limit the number of connections established by each server unless the previous connection is hacked, becomes the established status.

You can also use tcp syn cookies to avoid DoS attack.

The principle of syn cookies is: when a TCP connection is established, the client initiates a SYN to the server, the server returns a SYN + ACK to the client, and then waits for the ACK of the client in the queue. However, the DoS policy is to stop sending the ACK to the server so that the TCP connection remains in the queue for a long time. When the client initiates multiple times, the queue is full. Syn cookies are generated to generate a special initial sequence number and place the number in SYN + ACK to the client, at this time, the SYN queue entry will be deleted from the queue immediately. In this way, no matter how many such connections there are, the queue will not be fully filled. When the real TCP connection returns ACK, there will be a sequence number in it. According to this number, re-create the SYN queue entry from syn cookies and put it in the queue.

The disadvantage of firewall is that it is difficult to establish a connection between different attack events. For example, CodeRed intruded into the buffer overflow bug in IIS through the HTTP protocol. However, HTTP requests are valid. Once a system is intruded, the compromised system generates a worm to scan other systems, firewall cannot associate the two.

Second, the firewall configuration should not be based on the active response of the attack, but should be based on the established rules.

Idss

IDS is a real-time system that detects intrusion intrusions and syspicious suspicious operations and reports them to the monitoring system to mitigate and prevent attacks.

It contains two components:

Sensors: appliance or agents are used to analyze traffic and resource usage to identify intrusion or suspicious operations. It can be divided into network based and host based.

IDS Management: Used to Manage Sensors and collect all alarm info

Network-based IDS are often connected to a LAN to detect intrusion and suspicious behavior. It can be deployed on the router, firewarll, or a separate appliance.

Host-based IDS runs on the system as an agent, which can identify suspicious behaviors, protect some applications, and update the system.

The IDS system detects intrusions and suspicious behaviors in two ways:

Anomaly-based is an exception-based system. Through a period of learning, we define the normal traffic distribution of each protocol based on some parameters, such as how many connections a protocol should have per second, if a large deviation statistical value is returned, an exception is warned.

Signature-based is a feature-based system. It is considered suspicious when it first defines traffic and resource usage features to meet these features. Each package is compared with the feature, and features may be distributed in multiple packages of the same session.

Signature is divided into the following types:

Embedded signature defines known attack features. The IDS system is built in and cannot be modified.

Connection signature User-Defined Protocol-based features

String Matching signatures matches with a regular expression based on the value of a part of payload.

ACL signature logs when an ACL is violated, and logs are parsed to identify intrusions.

 

Layer 2 Security

Port Security

You can configure a switch port to only receive packets from some trusted MAC addresses. If it is not in this set, it will be discarded.

You can also configure the maximum number of recognizable MAC addresses for the switch port. If the number is within the range, you will learn by yourself. If the number is exceeded, you will discard it.

ARP Inspection

You can specify a mapping from the default gateway to its MAC address. If the switch finds that the ARP ing relationship in an ARP packet is incorrect, it will be discarded to solve the ARP spoofing attack.

Set security acl ip arp-Inspection

Set security acl arp-inspection match-Mac enable

Set security acl arp-inspection address-validation enable

Set port ARP-inspection MOD/port drop-threshold rate shutdown-threshold rate

When a port receives ARP too frequently, an error is reported.

Private VLANs

It is intended to isolate ports in the same VLAN.

There are three ports:

Promiscuous ports, which can communicate with any port

Isolated ports, which can only communicate with promiscuous ports and cannot communicate with each other

Communitry ports, which can communicate with the promiscuous port or the same Community port

There are three VLANs

Primary VLAN, which forwards the promiscuous port packets to other isolated, community, and promiscuous ports.

The isolated VLAN can only forward packets from the isolated port to the promiscuous port. machines in this VLAN cannot access each other and can only go out to the gateway.

Community VLAN. The same community can access each other and can access promiscuous ports.

 

802.1Q tag all

Ethernet interfaces can be configured either as access ports or a trunk ports, as follows:

? An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.

? A trunk port can have two or more VLANs configured on the interface; it can carry traffic for several VLANs simultaneously.

A trunk port can carry untagged packets simultaneously with the 802.1Q tagged packets. when you assign a default port vlan id to the trunk port, all untagged traffic travels on the default port vlan id for the trunk port, and all untagged traffic is assumed to belong to this VLAN. this VLAN is referred to as the native vlan id for a trunk port. the native vlan id is the VLAN that carries untagged traffic on trunk ports.

If the untagged packet is allowed and can be set to the native vlan id, the following problem occurs: an access port with a tag of 10, it thinks that the packets from this port should not contain tags, but all of them belong to VLAN 10. As a result, a package of tag 20 is included, access Port considers this packet to belong to VLAN 10, so it finds port forwarding of VLAN 10. At this time, there is a trunk port, and its native VLAN is 10, so it is forwarded to it, as a result, this trunk port is generated. When it reaches the host, it is detected that it is VLAN 20, which generates VLAN hopping.

We can set the dot1q tag native through the VLAN. All VLANs appearing on the trunk port must carry tags. If tags are not included, the native tag is forcibly tagged.

Data Center Security Framework

Establish strict security policies ies, organization and Process

Security Life Cycle

Assess vulnerability identification

Design solutions

Deployment deployment

Maintenance

Physically or logically isolated Management Network

Encrypt all control data

Use a dynamic password and a digital certificate