Network Protocols for Security Professionals - Yoram Orzach - E-Book

Description

With the increased demand for computer systems and the ever-evolving internet, network security now plays an even bigger role in securing IT infrastructures against attacks. Equipped with the knowledge of how to find vulnerabilities and infiltrate organizations through their networks, you’ll be able to think like a hacker and safeguard your organization’s network and networking devices. Network Protocols for Security Professionals will show you how.
This comprehensive guide gradually increases in complexity, taking you from the basics to advanced concepts. Starting with the structure of data network protocols, devices, and breaches, you’ll become familiar with attacking tools and scripts that take advantage of these breaches. Once you’ve covered the basics, you’ll learn about attacks that target networks and network devices. Your learning journey will get more exciting as you perform eavesdropping, learn data analysis, and use behavior analysis for network forensics. As you progress, you’ll develop a thorough understanding of network protocols and how to use methods and tools you learned in the previous parts to attack and protect these protocols.
By the end of this network security book, you’ll be well versed in network protocol security and security countermeasures to protect network protocols.


Page count: 583

Year of publication: 2022




Network Protocols for Security Professionals

Probe and identify network-based vulnerabilities and safeguard against network protocol breaches

Yoram Orzach

Deepanshu Khanna

BIRMINGHAM—MUMBAI

Network Protocols for Security Professionals

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Mohd Riyan Khan

Publishing Product Manager: Rahul Nair

Senior Editor: Tanya D’cruz

Content Development Editor: Nihar Kapadia

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Project Manager: Neil Dmello

Proofreader: Safis Editing

Indexer: Tejal Daruwale Soni

Production Designer: Aparna Bhagat

Marketing Coordinator: Ankita Bhonsle

First published: October 2022

Production reference: 1111022

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-78995-348-0

www.packt.com

To my parents, Sh. Rajesh Khanna and Smt. Saveena Khanna, and my brother, Himanshu Khanna, for their sacrifices and for exemplifying the power of determination.

– Deepanshu Khanna

Contributors

About the authors

Yoram Orzach is a senior network and network security advisor, providing network design and network security consulting services to a range of clients. Having spent thirty years in network and information security, Yoram has worked as a network and security engineer across many verticals in roles ranging from network engineer, security consultant, and instructor. Yoram gained his BSc from the Technion in Haifa, Israel. Yoram’s experience ranges from corporate networks and service providers to Internet service provider networks. His customers include Motorola Solutions, Elbit Systems, 888, Taboola, Bezeq, PHI Networks, Cellcom, the Strauss group, and many other high-tech companies.

I would like to thank my loving and patient wife and son first and foremost for their continued support, patience, and encouragement throughout the long process of writing this book. Thanks also to the Masters of Pie and Method teams for their generosity with their equipment – obviously a critical component for this book.

Deepanshu Khanna is a 29-year-old information security and cybercrime consultant and a pioneer in his country. The young and dynamic personality of Deepanshu has not only assisted him in handling information security and cybercrimes but also in creating awareness about these things. He’s a hacker who is appreciated by the Indian government, including the Ministry of Home Affairs and Defence, police departments, and many other institutes, universities, globally renowned IT firms, magazines, and newspapers. He started his career by presenting a popular hack of GRUB at HATCon. He also conducted popular research in the fields of IDS and AIDE and demonstrated MD5 collisions and Buffer overflows, among other things. His work has been published in various magazines such as pentestmag, Hakin9, e-forensics, SD Journal, and hacker5. He has been invited as a guest speaker to public conferences such as DEF CON, ToorCon, OWASP, HATCon, H1hackz, and many other universities and institutes.

Email: [email protected]

Facebook profile: https://www.facebook.com/deepanshu.khanna17

LinkedIn Profile: https://www.linkedin.com/in/deepanshukhanna/

I want to thank the people who have been close to me and supported me, especially my parents and my brother.

About the reviewers

Ron Cowen has been in the network security industry for over a decade, spanning roles at AT&T, Juniper Networks, and his current position as a systems engineer for Palo Alto Networks. He is based in Seattle, WA.

I’d like to acknowledge and thank all of those who have supported, and those who continue to support, my growth as a network security professional, as well as my wife and our two daughters.

Dhananjay Choubey has been working in the field of cybersecurity for over 10 years and has dedicated 6 years to defensive security and blue teaming. He has provided SOC and blue teaming services to different industries, such as banking, the petrochemical industry, mining companies, the healthcare sector, and media houses across the globe. He graduated with a B. Tech in Information Technology from MDU (India). In his current role, he is working at ATOS as a senior security consultant and primarily helps clients to deploy use cases on EDR, SIEM, and SOAR for quick detection. In his spare time, he works on enhancing his skills by performing malware reverse engineering on open malware and publishing it on open threat intel portals, and designing playbooks for incident response.

Sanjeev Kumar Verma is a CISSP-, GCIH-, and OSCP-certified security professional and has an enriching 15 years of experience in the security domain. He is currently working as a practice head of offensive and defensive security in the global digital security consulting team at Atos. Sanjeev has a solid technical background and a highly analytical mind, and he has helped hundreds of organizations identify and understand cybersecurity risks to allow them to make better and more informed business decisions. Sanjeev is very passionate about offensive cybersecurity, training, and mentoring and loves to take on challenges, which has led to him being a driving force in multiple key cybersecurity initiatives in his current and past organizations.

Reviewing a book is harder and more time-consuming than I thought and it wouldn’t have been possible without my family’s support. I am thankful to my whole family for providing all the support and tolerating my busy schedule without any complaint.

Table of Contents

Preface

Part 1: Protecting the Network – Technologies, Protocols, Vulnerabilities, and Tools

1

Data Centers and the Enterprise Network Architecture and its Components

Exploring networks and data flows

The data center, core, and user networks

Switching (L2) and routing (L3) topologies

Switching (L2) and routing (L3)

L2 and L3 architectures

L2 and L3 architecture data flow

L2 and L3 architecture data flow with redundancy

L2 and L3 topologies with firewalls

L2 and L3 topologies with overlays

The network perimeter

The data, control, and management planes

The data plane

The control plane

The management plane

SDN and NFV

Software-defined networking (SDN)

Network function virtualization (NFV)

Cloud connectivity

Type of attacks and where they are implemented

Attacks on the internet

Attacks from the internet targeting organizational networks

Attacks on firewalls

Attacks on servers

Attacks on local area networks (LANs)

Attacks on network routers and routing protocols

Attacks on wireless networks

Summary

Questions

2

Network Protocol Structures and Operations

Data network protocols and data structures

Layer 2 protocols – STP, VLANs, and security methods

The Ethernet protocols

LAN switching

VLANs and VLAN tagging

Spanning tree protocols

Layer 3 protocols – IP and ARP

Routers and routing protocols

Routing operations

Routing protocols

Layer 4 protocols – UDP, TCP, and QUIC

UDP

TCP

QUIC

Vulnerabilities in layer 4 protocols

Encapsulation and tunneling

Summary

Questions

3

Security Protocols and Their Implementation

Security pillars – confidentiality, integrity, and availability

Encryption basics and protocols

Services provided by encryption

Stream versus block ciphers

Symmetric versus asymmetric encryption

Public key infrastructure and certificate authorities

Authentication basics and protocols

Authentication types

Username/password with IP address identification authentication

Encrypted username/password authentication

Extensible authentication protocol (EAP)

Authorization and access protocols

Hash functions and message digests

IPSec and key management protocols

VPNs

IPSec principles of operation

IPSec tunnel establishment

IPSec modes of operation

IPSec authentication and encryption protocols

IPSec AH protocol

IPSec ESP protocol

SSL/TLS and proxies

Protocol basics

The handshake protocol

Network security components – RADIUS/TACACS+, FWs, IDS/IPSs, NAC, and WAFs

Firewalls

RADIUS, NAC, and other authentication features

Web application firewalls (WAFs)

Summary

Questions

4

Using Network Security Tools, Scripts, and Code

Commercial, open source, and Linux-based tools

Open source tools

Commercial tools

Information gathering and packet analysis tools

Basic network scanners

Network analysis and management tools

Protocol discovery tools

Vulnerability analysis tools

Nikto

Legion

Exploitation tools

The Metasploit Framework (MSF)

Stress testing tools

Windows tools

Kali Linux tools

Network forensics tools

Wireshark and packet capture tools

Summary

Questions

5

Finding Protocol Vulnerabilities

Black box, white box, and gray box testing

Black box and fuzzing

Enterprise networks testing

Provider networks testing

Fuzzing phases

Common vulnerabilities

Layer 2-based vulnerabilities

Layer 3-based vulnerabilities

Layer 4-based vulnerabilities

Layer 5-based vulnerabilities

Layer 6-based vulnerabilities

Layer 7-based vulnerabilities

Fuzzing tools

Basic fuzzing

Breaking usernames and passwords (brute-force attacks)

Fuzzing network protocols

Crash analysis – what to do when we find a bug

Summary

Questions

Part 2: Network, Network Devices, and Traffic Analysis-Based Attacks

6

Finding Network-Based Attacks

Planning a network-based attack

Gathering information from the network

Stealing information from the network

Preventing users from using IT resources

Active and passive attacks

Active attacks

Passive attacks

Reconnaissance and information gathering

Listening to network broadcasts

Listening on a single device/port-mirror

Network-based DoS/DDoS attacks and flooding

Flooding through scanning attacks

Random traffic generation flooding

Generating and defending against flooding and DoS/DDoS attacks

L2-based attacks

MAC flooding

STP, RSTP, and MST attacks

L3- and ARP-based attacks

ARP poisoning

DHCP starvation

Summary

Questions

7

Detecting Device-Based Attacks

Network devices' structure and components

The functional structure of communications devices

The physical structure of communications devices

Attacks on the management plane and how to defend against them

Brute-force attacks on console, Telnet, and SSH passwords

Brute-force attacks against SNMP passwords (community strings)

Brute-force attacks against HTTP/HTTPS passwords

Attacks on other ports and services

SYN-scan and attacks targeting the management plane processes' availability

Attacks on the control plane and how to defend against them

Control plane-related actions that influence device resources

Attacks on the data plane and how to defend against them

Protection against heavy traffic through an interface

Attacks on system resources

Memory-based attacks, memory leaks, and buffer overflows

CPU overload and vulnerabilities

Summary

Questions

8

Network Traffic Analysis and Eavesdropping

Packet analysis tools – Wireshark, TCPdump, and others

Network analyzers

Network packets

Python/Pyshark for deep network analysis

Advanced packet dissection with LUA

ARP spoofing, session hijacking, and data hijacking tools, scripts, and techniques

ARP protocol

ARP poisoning

Packet generation and replaying tools

Summary

Questions

9

Using Behavior Analysis and Anomaly Detection

Collection and monitoring methods

SNMP

NetFlow and IPFIX

Wireshark and network analysis tools

Establishing a baseline

Small business/home network

Medium-size enterprise network

Typical suspicious patterns

Scanning patterns

Summary

Questions

Part 3: Network Protocols – How to Attack and How to Protect

10

Discovering LAN, IP, and TCP/UDP-Based Attacks

Layer 2 attacks – how to generate them and how to protect against them

Attacks on the switching discovery mechanisms

Attacks on a VLAN mechanism and VLAN flooding

ICMP-based attacks, ping scans, the ping of death, and L3 DDoS

Ping scans and L3 DDoS

The ping of death and malformed packets

IP fragmentation and teardrop attacks

Layer 4 TCP and UDP attacks

UDP flooding attacks

SYN flooding and stealth scan attacks and countermeasures

TCP RST (reset) and FIN attacks

Various TCP flag combination attacks

TCP sequence attacks and session hijacking attacks

Summary

Questions

11

Implementing Wireless Network Security

Wireless standards, protocols, and encryption standards

Wireless standards – IEEE 802.11

Wireless lab setup

Sniffing wireless networks

Sniffing packets on the target AP

Packet injection

Discovering hidden SSIDs

Compromising open authentication wireless networks

WLAN encryptions and their corresponding flaws and attacks

Network jamming – DOS/DDOS wireless network attacks

Evil twin attack – honeypots

Person-in-the-Middle (PITM) attacks

Implementing a secure wireless architecture

Summary

Questions

12

Attacking Routing Protocols

IGP standard protocols – the behaviors RIP (brief), OSPF, and IS-IS

RIP protocol behavior

OSPF protocol behavior

IS-IS protocol behavior

Dual IS-IS

CLNP

IS-IS levels

Falsification, overclaiming, and disclaiming

DDOS, mistreating, and attacks on the control plane

Planes

DOS and DDOS

Reflection attacks

Routing table poisoning and attacks on the management plane

Traffic generation and attacks on the data plane

Attacks on the data plane

How to configure your routers to protect

BGP – protocol and operation

BGP hijacking

BGP mitigation

Summary

Questions

13

DNS Security

The DNS protocol, behavior, and data structure

The DNS protocol

DNS behavior and structure

DNS attack discovery – tools and analysis

DNS enumeration

Vulnerability scanning

Attacks on DNS resources – DNS flooding, NX records, and subdomains

NX record attacks

DNS flooding

Attacks on a service – domain spoofing and hijacking, or cache poisoning

Using DNS to bypass network controls – DNS tunneling

DNS protection

Summary

Questions

14

Securing Web and Email Services

HTTP and HTTP2 protocol behavior, data structure, and analysis

HTTP behavior, data structure, and analysis

Proxy servers

HTTP request formation

HTTP versions

HTTPS protocol behavior, data structure, and analysis

What is HTTPS?

HTTP hacking tools – scanners, vulnerability checkers, and others

Web vulnerabilities and exploitation

SQL injection

Remote code execution

Cross-Site Scripting (XSS)

Buffer overflow

Session hijacking

Email protocols and loopholes

SMTP protocol loopholes

Phishing

Countermeasures and defense

Summary

Questions

15

Enterprise Applications Security – Databases and Filesystems

Microsoft network protocols – NetBIOS, SMB, and LDAP operations, vulnerabilities, and exploitation

NetBIOS

SMB operations, vulnerabilities, and exploitation

LDAP operations, vulnerabilities, and exploitation

Database network protocols – TDS and SQLNet operations

TDS

SQLNet

Attacking SQL databases

Enumeration of SQL servers in a domain

Misconfiguration audit

SQL server exploitation

Countermeasures to protect network protocols and databases

Summary

Questions

16

IP Telephony and Collaboration Services Security

IP telephony – protocols and operations

VoIP

SIP and its operations

RTP and its operations

IP telephony penetration testing lab setup

IP telephony penetration testing methodology

Enumeration

IP telephony penetration testing

IP telephony security and best practices

Securing the IP telephony network

Securing the IP telephony device

Securing the media layer

Securing the signaling layer

Summary

Questions

Assessments

Index

Other Books You May Enjoy

Preface

This book provides an in-depth analysis of network designs and protocols, the attacks made against them, and the appropriate security measures, with a completely practical approach. The first few chapters discuss in depth the network architectures and how they are designed and monitored. In later chapters, attacks on network protocols (such as routing protocols and ARP), device-based attacks (such as on routers or switches), attacks on various technologies such as VoIP and email gateways, web-based attacks, CnC, and data exfiltration over network protocols (such as DNS) are demonstrated practically. At the end of each chapter, the steps to protect against such attacks are given.

Who this book is for

This book is written for network security professionals or network administrators, security analysts, system administrators, and quality assurance personnel who are planning to change their profession from network to security. We have kept the language of this book as simple as we can so that any reader can understand it in a much simpler way and can implement security in their environment. This book is also for those who have cleared the CCNA and CCNP certifications and now are planning to advance their career in network security.

What this book covers

Chapter 1, Data Centers and the Enterprise Network Architecture and its Components, provides a preview of the data network structure and its weaknesses, describing the hardware, software, and protocols involved in the network and their potential vulnerabilities. In the chapter, we will start with traditional enterprise data centers and enterprise networks, talk about connectivity to the cloud, and end with Software Defined Networks (SDNs), Network Function Virtualization (NFV), and potential breaches.

Chapter 2, Network Protocol Structures and Operations, introduces networking protocols, from Layer 2 up to application protocols, including the way each layer is structured, encapsulated, and, in some cases, tunneled. We will describe the networking protocols that work in and between the network components, understand their objectives and operation, and what the risks are when they are compromised.

Chapter 3, Security Protocols and Their Implementation, will teach us about encryption, authorization and authentication principles, protocols, and security components. We talk about the practical aspects of the protocols and which parts of the network can be used in order to establish a secure network.

Chapter 4, Using Network Security Tools, Scripts, and Code, provides the practice for network security tools, Linux scripts, and programming skills for testing and securing communication networks. The chapter describes tool families, functionality, and recommendations of what to work with.

Chapter 5, Finding Protocol Vulnerabilities, details the tools and scripts for discovering protocol vulnerabilities, using data injection on network protocols, and trying to find bugs that will allow us to modify or hijack information. The tools and scripts provided here will be used in each one of the protocols in the following chapters.

Chapter 6, Finding Network-Based Attacks, talks about how networks can be tampered with and various types of network-based attacks and explains and provides examples for each type.

Chapter 7, Detecting Device-Based Attacks, explains attacks that can be performed on the hardware and software of network devices. The chapter talks about the structure of these devices and how they can be compromised.

Chapter 8, Network Traffic Analysis and Eavesdropping, covers how we can listen to the network, gather information through passive and active actions, perform man-in-the-middle operations to attract traffic in our direction, and decode the data at our disposal.

Chapter 9, Using Behavior Analysis and Anomaly Detection, explores how, due to the evolution of the IoT and industrial networks, behavior analysis is becoming common for threat analysis. This chapter talks about behavior analysis as a method of collecting data from network traffic and how to identify any threat patterns in this traffic. We also talk about methods, tools, and scripts that can be used to analyze this data.

Chapter 10, Discovering LAN, IP, and TCP/UDP-Based Attacks, talks about Layer-2- and 3-based attacks – that is, Ethernet LANs and ARP- and IP-based attacks and how to generate, identify, and protect against them. This chapter also talks about TCP and UDP client and server programs and their vulnerabilities, what the common attacks on them are, and how to generate, discover, and protect against them in the places they occur.

Chapter 11, Implementing Wireless Network Security, describes wireless (as in, Wi-Fi) networks and protocols with an emphasis on security, providing the tools and methods for hacking and protecting them.

Chapter 12, Attacking Routing Protocols, talks about Interior Gateway routing protocols, including RIP, OSPF, and IS-IS, how they work, what the threats and common attacks against them are, how to identify them, and how to configure our routers to protect against them.

Chapter 13, DNS Security, details the Domain Name Service (DNS) protocol, attacks against it, how it is used to break into users’ networks, and how to discover these attacks and protect against them.

Chapter 14, Securing Web and Email Services, talks about HTTP and HTTPS, attacks against HTTP and HTTPS servers and services, and how to generate, discover, or protect against them. Another part of the chapter talks about web-based attacks such as SQLI, XSS, buffer overflows and email gateways, and exchange-related vulnerabilities.

Chapter 15, Enterprise Applications Security – Databases and Filesystems, explains how there are various applications in every enterprise network: databases, Active Directory servers and services, filesystems, file servers, and more. In this chapter, we will introduce these application behaviors, potential hacks, how to discover them, and how to protect against them.

Chapter 16, IP Telephony and Collaboration Services Security, covers the fact that voice and video over IP, along with collaboration applications, have become a critical part of every organization. In this chapter, we explain the protocols involved, their vulnerabilities, how attacks are done, and how to defend against attacks and penetration attempts to these applications.

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/NzMIA.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system.”

A block of code is set as follows:

html, body, #map { height: 100%; margin: 0; padding: 0 }

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

[default]
exten => s,1,Dial(Zap/1|30)
exten => s,2,Voicemail(u100)
exten => s,102,Voicemail(b100)
exten => i,1,Voicemail(s0)

Any command-line input or output is written as follows:

$ mkdir css

$ cd css

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Select System info from the Administration panel.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.


Part 1: Protecting the Network – Technologies, Protocols, Vulnerabilities, and Tools

Upon completion of this part, readers will understand the structure of data network protocols and devices, understand breaches, and be familiar with the attacking tools and scripts that take advantage of these breaches.

This part of the book comprises the following chapters:

Chapter 1, Data Centers and the Enterprise Network Architecture and its Components

Chapter 2, Network Protocol Structures and Operations

Chapter 3, Security Protocols and Their Implementation

Chapter 4, Using Network Security Tools, Scripts, and Code

Chapter 5, Finding Protocol Vulnerabilities

1

Data Centers and the Enterprise Network Architecture and its Components

Communication networks have long been a critical part of any organization. Protecting them against risks of all kinds, especially security risks, is critical to the operation of the organization. Understanding the structure of data networks will help you understand network vulnerabilities, where they exist, and where and how we can protect against them.

This chapter provides a preview of a data network's structure and weak points. We will also describe the hardware, software, and protocols involved in the network, as well as their potential vulnerabilities. We will talk about the traditional structure of enterprise networks and data centers, network components and their connectivity, and understand the data flows in the network. Finally, we will explain the evolving Software-Defined Networking (SDN) and Network Function Virtualization (NFV) technologies and their impact on data networks, along with the networking and security considerations of cloud connectivity.

In this chapter, we're going to cover the following main topics:

Exploring networks and data flows

The data center, core, and user networks

Switching (L2) and routing (L3) topologies

The network perimeter

The data, control, and management planes

SDN and NFV

Cloud connectivity

Types of attacks and where they are implemented

Exploring networks and data flows

Network architecture is about how the building blocks of the networks are connected; data flows are about the information that flows through the network.

Understanding the network architecture will assist us in understanding the weak points of the network. Data flows can be manipulated by attackers to steal information from the network. By diverting them in the attacker's direction, the attacker can watch information running through the network and steal valuable information.

To prevent this from happening, you must understand the structure of your network and the data that flows through it. A typical data network is built out of three parts:

The data center, which holds the organization's servers and applications.

The core network, which is the part of the network that is used to connect all the parts of the network, including the user's network, the data centers, remote networks, and the internet.

The user's network, which is the part of the network that is used for the user's connectivity. The user network is usually based on the distribution and access networks.

These parts are illustrated in the following diagram:

Figure 1.1 – Typical enterprise network

In the top-left corner, we can see the main data center, DC-1. The user's network is located in the data center site; that is, USERS-1. In the top-right corner, we can see a secondary data center, DC-2, with a user's network located on the secondary data center site. The two data centers are connected to the internet via two firewalls, which are located in the two data centers.

In the center of the diagram, we can see the Wide Area Network (WAN) connectivity, which includes the routers that connect to the Service Provider's (SP's) network and the SP network that establishes this connectivity.

In the lower part of the diagram, we can see the remote sites that connect to the center via the SP network.

Now, let's focus on the protocols and technologies that are implemented on each part of the network.

The data center, core, and user networks

First, let's see what the areas in the organization's data network are. The data center is the network that holds the majority of the organization's servers. In many cases, as shown in the following diagram, we have two data centers that work in high availability mode; that is, if one data center fails, the other one can fully or partially take its place.

The user networks depend on the size, geographical distribution, and the number of users in the organization. The core network is the backbone that connects the users to the data center, remote offices, and the internet. The distribution switches will be in central locations in the campus and the access switches are located in buildings and small areas.

The data center, core, and user networks are illustrated in the following diagram, which is of a typical mid-sized network:

Figure 1.2 – The data center, core, and user networks

At the top, we can see the data center switches, where every server is connected via two cables. This connectivity can be implemented as port redundancy, for redundancy only, or as Link Aggregation (LAG), for redundancy and load sharing. A typical connection is implemented with two wires, copper or fiber, while heavy-duty servers on server blades can be connected with 2-4 wires or more.

In the center, we can see the core switches. As the name implies, they are the center of the network. They connect between the data center and the user network, and they connect to remote sites, the internet, and other networks. The connectivity between the core switches and the data center switches can be implemented in Layer 2 or Layer 3, with or without an overlay technology, as we will see later in this chapter.

The user network holds the distribution and access areas. The access layer holds the switches that connect to the users, while the distribution layer aggregates access switches. For example, in a campus network, there will be a distribution switch for every building or group of buildings, while the access switches are connected to the nearest one. Distribution switches are usually installed in a redundant topology – that is, two switches per site – with the access switches connected to both.

In the next section, we will learn about Layer 2 and Layer 3 by examining the data flow and how data passes through the network. We will describe various design options and describe the pros and cons from a security point of view.

Switching (L2) and routing (L3) topologies

In this section, we will talk about the structure of a campus network.

Switching (L2) and routing (L3)

Layer 2 switches are devices that switch packets between ports, while Layer 3 switches or routers look at the Layer 3 header of the packet and make routing decisions. This can be seen in the following diagram.

At the top left, we can see a single LAN switch. We can see that a frame arrives at the switch. Then, the switch looks at the destination MAC address, makes a forwarding decision, and forwards the frame to the destination port; that is, port 3.

At the bottom left, we can see how a frame crosses a network of switches. The frame enters the left switch, which makes a forwarding decision and forwards it to port 3. Port 3 is connected to port 1 on the right switch, which looks at the destination MAC address and forwards the frame out of its own port 4. The forwarding decision is made locally; that is, every switch decides on its own, without any coordination with the other switches.

In routing, as shown to the right of the following diagram, a decision is made at Layer 3. When a packet enters the router, the router looks at the Layer 3 destination address, checks if the packet's destination is valid in the routing table, and then makes a routing decision and forwards the packet to the next hop:

Figure 1.3 – The data center, core, and user network

Important Note

In the packets shown in the preceding diagram, D stands for destination address and S stands for source address. Although in Ethernet the destination address comes before the source, for convenience, it is presented in the same order – D and S for both L2 and L3.
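To make the two forwarding decisions concrete, here is an added simulation (not code from the book) of a learning Layer 2 switch and a Layer 3 router doing longest-prefix matching. The switch ports, MAC addresses, link addresses and routes are constructed for illustration; the server and user subnets follow the chapter's 10.x.0.0/16 numbering, and the interface names are assumptions.

```python
"""Layer 2 switching versus Layer 3 routing, simulated.

Added example, not code from the book. The switch ports, MAC addresses and
routes below are constructed for illustration; the IP subnets follow the
chapter's 10.x.0.0/16 numbering.
"""
import ipaddress


class L2Switch:
    """A learning switch: forwards on the destination MAC, floods when unknown."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was learned on

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of egress ports for a frame received on in_port."""
        # Source learning: the sender is reachable through the ingress port.
        self.mac_table[src_mac] = in_port
        # The decision is purely local: a lookup in this switch's own table.
        out_port = self.mac_table.get(dst_mac)
        if out_port is None or out_port == in_port:
            # Unknown destination: flood out of every port except the ingress one.
            # A flooded frame reaches every host on the VLAN, so unknown-unicast
            # flooding is something worth watching on an access network.
            return [p for p in self.ports if p != in_port]
        return [out_port]


class L3Router:
    """A router (or Layer 3 switch): longest-prefix match selects the next hop."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, next_hop, egress interface)

    def add_route(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst_ip):
        """Return the most specific matching route, or None (packet dropped)."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for network, next_hop, interface in self.routes:
            if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
                best = (network, next_hop, interface)
        if best is None:
            return None
        return {"prefix": str(best[0]), "next_hop": best[1], "interface": best[2]}


def demo_switching():
    """Three frames through one switch: flood, learn, then unicast."""
    sw = L2Switch("ACCESS-SW-1", ports=[1, 2, 3, 4])
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed MACs
    first = sw.forward(1, host_a, host_b)   # B unknown: flooded to ports 2, 3, 4
    reply = sw.forward(3, host_b, host_a)   # A already learned: unicast to port 1
    second = sw.forward(1, host_a, host_b)  # B now learned: unicast to port 3
    return first, reply, second


def build_dc_switch():
    """Layer 3 DC switch with the chapter's server VLANs plus routes toward the core."""
    dc = L3Router("DC-SW-1")
    dc.add_route("10.10.0.0/16", "connected", "Vlan10")          # servers, Interface VLAN 10
    dc.add_route("10.20.0.0/16", "connected", "Vlan20")          # servers, Interface VLAN 20
    dc.add_route("10.50.0.0/16", "10.1.1.2", "Port-channel1")    # users via the core switch (link address constructed)
    dc.add_route("10.60.0.0/16", "10.1.1.2", "Port-channel1")
    dc.add_route("0.0.0.0/0", "10.1.1.254", "Port-channel1")     # default route toward the firewall (constructed)
    return dc
```

The first frame is flooded because the switch has not yet learned where host B is; once B answers, both directions are forwarded to a single port. On the router, a packet for 10.20.1.100 matches both 10.20.0.0/16 and the default route, and the /16 wins because it is the longer prefix.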

While the basic building blocks of data networks are Layer 2 switches that the users connect to, we can also use Layer 3 switches in the higher levels – that is, the distribution, core, or data center level – to divide the network into different IP networks. Before we move on, let's see what Layer 3 switches are.

The following diagram shows a traditional router to the left and a Layer 3 switch to the right. In a traditional router, we assign an IP address to every physical port – that is, Int1, Int2, Int3, and Int4 – and connect a Layer 2 switch to each; the devices, such as the PCs in this example, are connected to the external switch.

In a Layer 3 switch, it is all in the same box. The Layer 3 interfaces (called Interface VLAN in Cisco) are software interfaces configured on the switch. VLANs are configured and an L3 interface is assigned to each. Then, the external devices are connected to the physical ports on the switch:

Figure 1.4 – The data center, core, and users network

Dividing the network into different IP subnets provides many advantages: it provides us with more flexibility in the design in that every department can get an IP subnet with access rights to specific servers, routing protocols can be implemented, broadcasts will not cross routers so that only a small part of the network can be harmed, and many more.

L2 and L3 architectures

L3 can be implemented everywhere in the network. When we implement Layer 3 in the core switches, their IP addresses will be the default gateways of the users; when we implement Layer 3 in the data center switches, their addresses will be the default gateways of the servers.

The design considerations for a data network are not in the scope of this book. However, it is important to understand the structure of the network to understand where attacks can come from and the measures to take to achieve a high level of security.

The following diagram shows two common network topologies – L3 on the core and DC switches on the left, and L3 on the DC only on the right:

Figure 1.5 – L2/L3 network topologies

On the left, we have the following configuration:

- Virtual LANs (VLANs) configured on the core switches: VLAN50 and VLAN60 are the user's VLANs. Each user VLAN holds several physical ports and one logical L3 Interface – the Interface VLAN in Cisco terminology. In this example, Interface VLAN50's IP address is 10.50.1.1/16, while Interface VLAN60's IP address is 10.60.1.1/16.
- VLANs configured on the DC switches: VLAN 10 and VLAN 20 are the server's VLANs. Each server VLAN holds several physical ports and one logical L3 Interface – Interface VLAN. For example, Interface VLAN 10's IP address is 10.10.1.1/16, while Interface VLAN 20's IP address is 10.10.1.1/16.
- The default gateways of the users in the 10.50.0.0/16 and 10.60.0.0/16 networks are 10.50.1.1 and 10.60.1.1, respectively.

On the right, we can see a different topology, which is where all the Interface VLANs are on the DC switches:

- All the VLANs are configured on the DC switches.
- The core switches are only used as Layer 2 devices.
- The default gateways of both the user's devices and servers are on the DC switches.

L2 and L3 architecture data flow

For the data flow, let's look at the following diagram:

Figure 1.6 – L2/L3 network topologies

In the left topology, we can see the following:

When sending packets from the users to the servers, users on VLAN 50 or VLAN 60 send packets to the default gateway; that is, the L3 Interface on the left core switch. From there, packets are routed to the L3 Interface on the left DC switch and the server. When sending the packets back, the servers on VLAN 10 or VLAN 20 send packets to the default gateway of 10.10.1.1, which is on the left DC switch. The packets are routed to the L3 Interface on the left core switch and the user.

In the right topology, we can see the following:

The DC switches are the default gateways for the users and the servers, so packets from both are sent to the DC switches and routed internally in them.

L2 and L3 architecture data flow with redundancy

Now, let's see how packets flow through the network. This example is for the case when the user's L3 Interfaces are on the core switches.

In the following diagram, a PC with an address of 10.60.10.10/16 is sending information to the server on 10.20.1.100/16. Let's look at the main and redundant flows:

Figure 1-7 – Data flowing through the network

In a network under regular conditions – that is, when all the network components are functioning – the data flow will be as follows:

- When PC2 sends packets to a server, they go to its default gateway (1); that is, 10.60.1.1 on the lower left core switch.
- From 10.60.1.1, the packets are forwarded to 10.20.1.1 on the top left DC switch (2).
- From 10.60.1.1, packets are forwarded to the upper server; that is, 10.60.100/16 (3).

When a failure occurs, as in the example in Figure 1.4, when the left DC switch (DC-SW-1) fails, the following happens:

- The MAC address of the S1 server is now learned on the DC switch on the right (DC-SW-2), and from there it will be learned on the core switch on the right (CORE-SW-2).
- Packets that are sent from PC2 to the server will be forwarded to the core switch on the right (a).
- The core switch on the right forwards the packets to the next hop (b), which is the DC switch on the right (DC-SW-2).
- The DC switch on the right forwards the packets to the server (c).

L2 and L3 topologies with firewalls

A common practice in network design is to add firewalls to two locations of the enterprise network – data center firewalls and core firewalls. Data center firewalls are more common and are used to protect the data center, while the core firewalls protect different users and areas in the network.

A typical network is illustrated in the following diagram:

Figure 1.8 – The data center, core, and users network (with firewalls)

In this case, we have firewalls with the following functionality:

Data center firewalls: These are firewalls that protect the data center. On these firewalls, we will usually have packet filtering, stateful inspection, intrusion detection, and application filtering.

Important Note

Packet filtering is a term that refers to filtering packets according to Layer 3 (IP) and Layer 4 (TCP/UDP) information. Stateful inspection is a mechanism that watches the direction of traffic crossing the firewall and allows traffic to be forwarded in the direction where the session started. Intrusion prevention is a mechanism that protects against intrusion attempts to the network. Application filtering is a mechanism that works on Layer 7 and filters sessions based on the application and its content. Further discussions on these mechanisms and others, as well as how to use them and harden them, will be provided later in this book.

Core firewalls: These are used to protect different areas of the network, such as different departments, different companies on the same campus, and so on.

The data flow in a firewall-protected network is as follows:

Figure 1.9 – Data flowing through the network (with firewalls)

Data can flow in several directions, with several levels of protection:

- In the first example, PC2, which has an address of 10.60.10.10, sends data to its default gateway; that is, the IP interface on its VLAN (1). From there, packets are routed to the DC firewall (FW1) at the top-left (2) and the required server (3).
- A second option is when PC4, which is on the right, sends packets to the server. This happens when the packets go through the first level of security – core firewall FW4. Packets from the PC are sent to the default gateway; that is, the IP interface of the VLAN (a). From there, they are routed to the core firewall (FW4) (b), the DC firewall (FW2) (c), and the required server (d).
- There are many other options here, including routing packets from the users through the core firewall to external networks, routing packets between users through the core firewalls, and so on.

L2 and L3 topologies with overlays

When building a traditional enterprise network, the network structure ensures one thing: that packets are forwarded from the source to the destination as fast as possible.

Important Note

As fast as possible, in terms of a data network, can be achieved with four parameters: bandwidth, delay, jitter, and packet loss. Bandwidth is defined as the number of bits per second that the network can provide. Delay is the Round-Trip Time (RTT) in seconds that it will take a packet to get to the destination and the response to arrive back to the sender. Jitter is defined as variations in delay and measured in percent. Packet loss is the percent of packets that were lost in transmission. Different applications require different parameters – some require high bandwidth; others are sensitive to delay and jitter, while some are sensitive to packet loss. A network attack on a communications line can cause degradation in the performance of one or all these parameters.

Overlay technologies provide additional functionality to the network, in the way that we establish a virtual network(s) over physical ones. In this case, the physical network is referred to as the underlay network, while the virtual network is referred to as the overlay network, as illustrated in the following diagram:

Figure 1.10 – Underlay/overlay network architecture

Here, we can see a standard network that is made up of routers with connectivity between them. The overlay network is made up of end-to-end tunnels that create a virtual network over the real one.

There are various overlay technologies, such as VXLAN, EVPN, and others. The principle is that packets from the external network that are forwarded through the overlay tunnels are encapsulated in underlay packets, forwarded to the destination, and decapsulated when exiting toward the destination.

Since the bits are eventually forwarded over the physical wires, attacks on either the underlay network or the overlay connectivity can degrade the network or cause downtime.
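The encapsulation just described, worked through for VXLAN as an added example (not code from the book or from any VXLAN implementation). The inner frame, MAC addresses and VNI are constructed; the 8-byte header layout and UDP port 4789 follow RFC 7348. The receiving side also shows the check a VTEP should make, since VXLAN itself carries no authentication: accept only VNIs provisioned on that VTEP.

```python
"""VXLAN encapsulation and decapsulation, as an overlay-over-underlay example.

Added example, not code from the book or from any VXLAN implementation. The
MAC addresses and VNI are constructed; the header layout and UDP port 4789
follow RFC 7348.
"""
import struct
import zlib

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08  # "VNI valid" flag; the only flag defined by RFC 7348


def build_ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Inner (overlay) frame: the packet the tenant hosts actually exchange."""
    to_bytes = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return to_bytes(dst_mac) + to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_encapsulate(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)
    return header + inner_frame


def vxlan_decapsulate(vxlan_payload):
    """Validate the VXLAN header and return (vni, inner_frame)."""
    if len(vxlan_payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", vxlan_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; drop")
    return vni_field >> 8, vxlan_payload[8:]


def tunnel_frame(vni, inner_frame):
    """Underlay side of the sending VTEP: UDP header + VXLAN header + inner frame.

    The source port is derived from a hash of the inner frame (as RFC 7348
    suggests) so that underlay ECMP spreads flows; the checksum is left at 0,
    which IPv4 permits.
    """
    vxlan = vxlan_encapsulate(vni, inner_frame)
    src_port = 49152 + zlib.crc32(inner_frame[:14]) % 16384
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(vxlan), 0)
    return udp + vxlan


def receive_tunnel(udp_datagram, allowed_vnis):
    """Receiving VTEP: check the port, decapsulate, and accept only provisioned VNIs.

    VXLAN carries no authentication of its own, so a VTEP must not trust the
    VNI or the inner headers blindly; restricting accepted VNIs per VTEP and
    protecting the underlay are the usual controls.
    """
    if len(udp_datagram) < 8:
        raise ValueError("truncated UDP header")
    _sport, dport, length, _csum = struct.unpack("!HHHH", udp_datagram[:8])
    if dport != VXLAN_UDP_PORT or length != len(udp_datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    vni, inner = vxlan_decapsulate(udp_datagram[8:])
    if vni not in allowed_vnis:
        raise ValueError("VNI %d not provisioned on this VTEP" % vni)
    return vni, inner
```

The outer IP and Ethernet headers that the underlay routers actually look at are omitted here; everything from the UDP header inward is what travels as an opaque payload across the underlay, which is why an attacker with access to the underlay sees and can affect all tenants' overlay traffic.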

Now that we've talked about the organization network, let's talk about connectivity to the world; that is, the perimeter.

The network perimeter

The network perimeter is the boundary between the private locally managed enterprise network and public networks such as the internet.

A network perimeter, as shown in the following diagram, includes firewalls, Intrusion Detection and Prevention Systems (IDPSes), application-aware software, and sandboxes to prevent malware from being forwarded to the internal network:

Figure 1.11 – The perimeter architecture

There are three zones on the perimeter that act as boundaries between the organization's private network and the internet:

- Internal zone: This is the area that is used for organizing users and servers. It is also referred to as the trusted zone. This is the zone with the highest level of security. No access is allowed from the external zones to the internal zone and all access, if any, should be through the DMZ.
- Demilitarized Zone (DMZ): This is the area that users from the internet can access, under restrictions. Here will be, for example, mail relays, which receive emails from external servers and forward them to the internal server on the Secured Zone (SZ), as well as websites and proxies, which act as mediation devices for controlling access to important servers, and others.
- External zone: This is the connection to external networks, such as Internet Service Providers (ISPs) and other external connections.

Usually, the architecture is more complex; there can be several DMZs for several purposes, several SZs for different departments in the organization, and so on. The firewall's cluster may also be distributed when each firewall is in a different location, and there can be more than two firewalls.
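The packet-filtering and stateful-inspection mechanisms from the firewall note earlier in this chapter, combined with the three perimeter zones just described, as an added simulation (not code from the book or from any firewall product). The zone address ranges, the rule set, the proxy port and the packets are constructed for illustration; RFC 5737 documentation addresses stand in for the DMZ and the internet.

```python
"""Zone-based stateful packet filter, simulated.

Added example, not code from the book or from any firewall product. The zone
address ranges, rule set and packets are constructed for illustration (RFC 5737
documentation addresses are used for the DMZ and the internet).
"""
import ipaddress
from collections import namedtuple

# proto, source IP, destination IP, source port, destination port, TCP SYN flag
Packet = namedtuple("Packet", "proto src dst sport dport syn")

ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),   # trusted users and servers
    "dmz": ipaddress.ip_network("192.0.2.0/24"),      # mail relay, web server, proxy
}

# Sessions may be STARTED only for (from zone, to zone, protocol, destination port).
# There is deliberately no rule from "external" to "internal": all access goes via the DMZ.
RULES = [
    ("external", "dmz", "tcp", 25),    # internet mail servers -> DMZ mail relay
    ("external", "dmz", "tcp", 443),   # internet clients -> DMZ web server
    ("dmz", "internal", "tcp", 25),    # relay forwards mail to the internal server
    ("internal", "dmz", "tcp", 3128),  # users -> DMZ proxy (port is an assumption)
    ("dmz", "external", "tcp", 443),   # proxy -> internet on behalf of users
]


def zone_of(ip):
    """Map an address to its perimeter zone; anything unknown is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = set(rules)
        self.sessions = set()  # direction-independent 5-tuple keys

    @staticmethod
    def _session_key(pkt):
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def process(self, pkt):
        """Return the verdict for one packet and update the session table."""
        key = self._session_key(pkt)
        if key in self.sessions:
            return "allow-established"   # stateful inspection: reply traffic of a known session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny-no-session"     # a non-SYN segment cannot start a session
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if (src_zone, dst_zone, pkt.proto, pkt.dport) in self.rules:  # packet filtering on L3/L4
            self.sessions.add(key)
            return "allow-new"
        return "deny-policy"


def run_scenario():
    """Constructed packets crossing the perimeter, in the order listed."""
    fw = StatefulFirewall(RULES)
    packets = [
        Packet("tcp", "203.0.113.7", "192.0.2.25", 40000, 25, True),   # internet -> relay, SYN
        Packet("tcp", "192.0.2.25", "203.0.113.7", 25, 40000, False),  # relay's reply
        Packet("tcp", "192.0.2.25", "10.1.1.25", 50000, 25, True),     # relay -> internal mail server
        Packet("tcp", "203.0.113.7", "10.1.1.25", 40001, 25, True),    # internet -> internal directly
        Packet("tcp", "203.0.113.7", "192.0.2.25", 40002, 22, True),   # internet -> relay on SSH
        Packet("tcp", "203.0.113.7", "192.0.2.25", 40003, 25, False),  # ACK with no handshake
    ]
    return [fw.process(p) for p in packets]
```

The relay's reply is allowed only because the session was opened in the permitted direction first; the same packet arriving with no session entry is dropped, which is the difference between stateful inspection and plain packet filtering. The direct internet-to-internal packet fails on policy regardless of state.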

In the Zero-Trust architecture, created by John Kindervag from Forrester Research, we talk about deeper segmentation of the network: we identify a protected surface made from the network's critical Data, Assets, Applications, and Services (DAAS), and design the firewall topology and defenses around it. In this architecture, we talk about the trusted area, which is for users and servers, the untrusted area, which is for external connections such as the internet, and the public areas, which are for frontend devices and services that are accessed from the external world.

Additional software can be implemented in the perimeter: intrusion detection and prevention systems, sandboxes that run suspicious software that's been downloaded from the internet, web and mail filters, and others. These can be implemented as software on the firewall or as external devices.

Attacks from the perimeter are common. There will be malicious websites, emails with malicious attachments, intrusion attempts, and many others.

Data network attacks can focus on the network itself or on network components. Now that we've talked about the network topology, let's learn how the network components are built.

The data, control, and management planes

Network devices perform three different operations:

- Process and forward the data in transit. This is referred to as the data plane.
- Make forwarding decisions; that is, where to forward the data. This is referred to as the control plane.
- Enable the administrator, or the management system, to give commands and read information from the device. This is referred to as the management plane.

The following diagram shows how these three planes function:

Figure 1.12 – The data, control, and management planes

Here, we can see the objectives of the data, control, and management planes.

The data plane

The data plane is responsible for forwarding information. It receives instructions from the control plane, such as routing tables, and forwards packets from port to port. The forwarding tables are populated from various control plane functions. For example, several routing protocols can run in the control plane; their combined result is a single routing table in the control plane, which is translated into a single forwarding table on the data plane.

The data plane is responsible for processing and delivering packets, so it is implemented on network interfaces and device CPUs.

Attacks on the forwarding table are carried out by overloading the network, for example with link flooding attacks and Distributed Denial of Service (DDoS) attacks.

The control plane

The control plane is where we determine how data should be forwarded in the data plane. The control plane includes routing protocols that exchange information between routers, multicast protocols, Quality of Service (QoS) protocols, and any other protocol that the network devices use to exchange information and make forwarding decisions. These protocols are running in the control plane, and their result is a forwarding table that is built in the data plane.

The control plane is part of the network device software, and it runs in the device's CPU.

Several types of attacks can be performed on the control plane. Some of them simply try to load the device resources (such as CPU and memory), while others try to confuse the protocols running on the device by sending fake routing updates and trying to divert traffic, to flood the device's ARP caches so that packets will be forwarded in the wrong direction, and so on.
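The ARP-cache manipulation mentioned above is visible on the wire: the binding between an IP address and a MAC address suddenly changes, or one station starts answering for many addresses. The following added example (not code from the book) detects both symptoms from a constructed log of observed ARP replies; the record format "<timestamp> arp-reply <ip> is-at <mac>" is an assumption, not a real tool's output, and the gateway address 10.60.1.1 follows the chapter's topology.

```python
"""Detecting ARP cache poisoning from observed ARP replies.

Added example, not code from the book. The log lines are constructed; the
format "<timestamp> arp-reply <ip> is-at <mac>" is an assumption, not a real
tool's output. The gateway address 10.60.1.1 follows the chapter's topology.
"""
import re
from collections import defaultdict

ARP_RE = re.compile(
    r"^(?P<ts>\S+) arp-reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)

# Constructed observations: a legitimate gateway, then a second MAC claiming the
# gateway's IP, then that same MAC claiming several more hosts' addresses.
SAMPLE_ARP_LOG = """
2024-03-01T08:00:01 arp-reply 10.60.1.1 is-at 00:11:22:33:44:01
2024-03-01T08:00:02 arp-reply 10.60.10.10 is-at 00:11:22:33:44:10
2024-03-01T08:00:03 arp-reply 10.60.10.11 is-at 00:11:22:33:44:11
2024-03-01T08:05:00 arp-reply 10.60.1.1 is-at de:ad:be:ef:00:01
2024-03-01T08:05:01 arp-reply 10.60.10.20 is-at de:ad:be:ef:00:01
2024-03-01T08:05:02 arp-reply 10.60.10.21 is-at de:ad:be:ef:00:01
2024-03-01T08:05:03 arp-reply 10.60.10.22 is-at de:ad:be:ef:00:01
""".strip().splitlines()


def analyze_arp(lines, trusted=None, max_ips_per_mac=3):
    """Return alerts as (kind, timestamp, details...) tuples.

    trusted maps IP -> MAC for addresses that must never change (gateways,
    servers); any other IP is learned on first sight and then held fixed.
    """
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # not an ARP reply record
        ts, ip, mac = m.group("ts"), m.group("ip"), m.group("mac")
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # The binding for an IP changed: the classic poisoning symptom.
            alerts.append(("ip-mac-change", ts, ip, known, mac))
        else:
            ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            # One station answering for many addresses: flooding or impersonation.
            alerts.append(("mac-claims-many-ips", ts, mac, sorted(mac_to_ips[mac])))
    return alerts
```

This is a monitoring aid; the in-network mitigation on the access switches is Dynamic ARP Inspection backed by DHCP snooping, and static ARP entries for the gateway on critical servers. Pass the known gateway binding as `trusted` so that the very first forged reply is caught even if it arrives before the legitimate one.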

The management plane

The management plane is responsible for interacting with the network device. This can be interaction with a management system via protocols such as SNMP or NetFlow, via REST APIs, or via any other method the device supports, or human interaction through a Command-line Interface (CLI), a web interface, or a dedicated client.

The management plane is implemented entirely in software. Attacks on the management plane mostly try to break into the network device, that is, to log in, whether by a human or by a machine, and change settings in violation of the enterprise policy, with the intent of disrupting or breaking into network activity.

Now that we've talked about network devices and their structure, let's talk about the new designs in data networks; that is, SDN and NFV.

SDN and NFV

SDN and NFV are technologies from the early 2010s that virtualize network operations. While SDN is a technology that came from the enterprise network and data centers, NFV came from the Network Service Provider (NSP) world. Let's see what they are and the security hazards for networks that implement them.

Software-defined networking (SDN)

SDN separates the data plane from the control plane, creating software-programmable network infrastructure that can be manually and automatically adapted to application requirements.

While in traditional networks, network devices exchange information between them, learn the network topology, and forward packets, in SDN, the switches are simple devices that forward packets according to commands they receive from the network controller.

Let's take, for example, a network of routers. The following happens in traditional networks:

- In the control plane: Routing protocols exchange routing information between them, check restrictions such as Access Control Lists (ACLs) and QoS requirements, and fill in the routing tables.
- In the data plane: From the routing tables, they build the forwarding tables. Then, when a packet enters the router, the router will forward it according to the forwarding tables.

The following diagram shows an example of an SDN network:

Figure 1.13 – SDN

In this network, we have a central controller, which is the network's brain. This controller acts as the control plane for the entire network. When a new session is opened and packets are sent through the network, every switch receiving the first packet will send a request to the controller, asking how to forward it. Upon receiving the response, the switches will store it in their forwarding table. From now on, every packet will be forwarded according to it. This is done through the southbound interface using protocols such as OpenFlow or NETCONF. Connections from the controller to the switches are established over the Transmission Control Protocol (TCP), preferably with Transport Layer Security (TLS).

On the northbound interface, the controller sends and receives information to and from SDN applications via standard APIs such as RESTful. SDN applications can be applications that implement network functionalities such as routers, firewalls, load balancers, or any other network functionality. An example of an SDN application is a Software-Defined Wide Area Network (SD-WAN), which provides connectivity between remote sites over private and internet lines.

An SDN domain is all the devices under the same SDN controller. A network orchestrator is used to control multiple SDN domains. For example, when enterprise LANs are connected through a private SD-WAN service, there will be three controllers – two controllers for the two LANs and one controller for the SD-WAN. The orchestrator controls its end-to-end connectivity.
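The table-miss / packet-in / flow-install cycle described above, as an added simulation (not code from the book and not an OpenFlow implementation). The topology, the host MAC addresses and the per-window packet-in limit are constructed for illustration. The limit is included because the control channel is the part of an SDN network that a flood of never-before-seen destinations would exhaust first.

```python
"""An SDN switch with a flow table and a central controller, simulated.

Added example, not code from the book and not an OpenFlow implementation. The
topology (which host MAC sits behind which port of which switch) and the
rate limit value are constructed for illustration.
"""


class Controller:
    """The network's brain: holds the topology and answers packet-in requests."""

    def __init__(self, topology):
        # topology: switch name -> {destination MAC: output port}
        self.topology = topology
        self.packet_in_count = 0

    def packet_in(self, switch, dst_mac):
        """Return an output port for the switch to install, or None to drop."""
        self.packet_in_count += 1
        return self.topology.get(switch, {}).get(dst_mac)


class SDNSwitch:
    """Forwards purely from its flow table; a table miss goes to the controller."""

    def __init__(self, name, controller, max_misses_per_window=5):
        self.name = name
        self.controller = controller
        self.flow_table = {}  # match: destination MAC -> action: output port
        self.stats = {"table_hit": 0, "packet_in": 0, "rate_limited": 0, "dropped": 0}
        # Defensive measure: cap how many packet-in requests this switch may
        # send per window, so a burst of unknown destinations cannot saturate
        # the southbound channel or the controller.
        self.max_misses = max_misses_per_window
        self.misses_in_window = 0

    def new_window(self):
        """Called by a timer in a real switch; resets the per-window counter."""
        self.misses_in_window = 0

    def handle_packet(self, dst_mac):
        """Return the output port for a frame, or None if it is dropped."""
        action = self.flow_table.get(dst_mac)
        if action is not None:
            self.stats["table_hit"] += 1
            return action
        if self.misses_in_window >= self.max_misses:
            self.stats["rate_limited"] += 1
            return None
        self.misses_in_window += 1
        self.stats["packet_in"] += 1
        action = self.controller.packet_in(self.name, dst_mac)   # southbound request
        if action is None:
            self.stats["dropped"] += 1
            return None
        self.flow_table[dst_mac] = action                        # flow-mod installs the entry
        return action


def demo_session():
    """A normal session: one packet-in, then table hits for the rest of the flow."""
    ctrl = Controller({"SW1": {"02:00:00:00:00:0b": 3}})
    sw = SDNSwitch("SW1", ctrl)
    ports = [sw.handle_packet("02:00:00:00:00:0b") for _ in range(4)]
    return ports, dict(sw.stats), ctrl.packet_in_count


def demo_unknown_burst(n_unknown=20):
    """Many frames to unknown MACs: the rate limit shields the controller."""
    ctrl = Controller({"SW1": {}})
    sw = SDNSwitch("SW1", ctrl, max_misses_per_window=5)
    for i in range(n_unknown):
        sw.handle_packet("02:00:00:00:ff:%02x" % i)
    return dict(sw.stats), ctrl.packet_in_count
```

In the normal case the controller is consulted exactly once per new destination and every later packet of the flow is a local table hit, which is what makes the switches "simple devices". In the burst case the controller sees only five requests instead of twenty; without the cap, every unknown frame would become a control-plane message.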

Several parts of an SDN network can be attacked:

- The connections between the controller and the SDN switches, which are implemented over a standard TCP connection with standard port numbers
- The network controllers and orchestrators
- The data plane switches

Later in this book, we will discuss these risks in more detail.

Network function virtualization (NFV)

NFV takes the concept of computing virtualization to the networking world. The concept is that instead of using dedicated hardware for every networking function, we use standard Off The Shelf (OTS) hardware along with standard Virtual Machines (VMs), with the network functions implemented as software running on these VMs. First, let's have a look at the platforms that host these applications:

Figure 1.14 – VMs and hypervisors

The preceding diagram shows how the networking applications are installed. In the Linux container case, the role of the virtual machines is taken by Linux containers, and the applications are installed in the containers, either together or separately.

A Type 1 Hypervisor is installed directly over the hardware. Here, we can find the most common Hypervisors, such as VMware ESX/ESXi, Microsoft Hyper-V, and Citrix XenServer.

A Type 2 Hypervisor is installed over the host operating system. Here, we can find PC-based Hypervisors such as VMware Workstation, Microsoft Virtual PC, and Oracle VirtualBox.

Important Note

A VM is an emulation of a computer system that provides the functionality of a physical computer. A Hypervisor is a piece of software that runs the VMs. There are two types of Hypervisors: Type 1, which runs directly over the system hardware, and Type 2, which runs over the host operating system. The first Hypervisor was developed in the 1960s by IBM; VMware ESX (later ESXi) came out in 1999, XEN from Citrix came out in 2003, and a year later, Hyper-V from Microsoft came out. In the Linux world, it started with traditional UNIX platforms such as Sun Solaris before coming out as Linux KVM and Docker. The purpose of all of them is simple: to efficiently run many applications over different OSes, independently of each other, on the same hardware.

Linux containers dominate the networking market in NFV. These can be routers, switches, firewalls, security devices, and other applications in the data center network. They can be also cellular network components that are installed on the same hardware. The NFV model is shown in the following diagram:

Figure 1.15 – NFV

The NFV architecture is comprised of the following:

- Computing hardware, including computing and storage resources
- Virtual resources; that is, the resources that are allocated to the VMs
- VNFs, which are the VMs and the applications installed on them – routers, firewalls, core cellular components, and other network functionalities
- Element Managers (EMs), which manage the network's functionality
- NFV Management and Orchestration (MANO), along with Operations Support Systems (OSSes) and Business Support Systems (BSSes)

When considering NFV application security hazards, we should consider potential attacks on the entire software stack, from the operating system to the Hypervisor, the VMs, and the applications.

SDN and NFV are about moving the network from dedicated hardware to virtualized functions. Now, let's take this one step further by going to the cloud and seeing how we can implement the network in it.

Cloud connectivity

There are various types of cloud services. The major ones are illustrated in the following diagram:

Figure 1.16 – Cloud-based services

Let's look at the cloud computing services mentioned in the preceding diagram in detail:

- Infrastructure as a Service (IaaS): These are cloud services that provide us with the hardware and VMs needed to run the environments. We only need to install, configure, and maintain operating systems, applications, data, and user access management when using IaaS.
- Platform as a Service (PaaS): These are cloud services that provide the platform – that is, the hardware and the operating system – so that the user can install their applications directly.
- Software as a Service (SaaS): These are cloud services that provide us with the necessary software so that we can connect to the software and work with it.

Now that we've covered the network structure and topologies, network virtualization and how it is implemented, and the different cloud service types and how we connect to the cloud, let's talk about the risks and what can go wrong in each part.

Types of attacks and where they are implemented

Now that we've learned about network structures and connectivity, let's have a look at potential threats, types of attacks, and their potential causes. Let's look at the following diagram and see what can go wrong:

Figure 1.17 – The data, control, and management planes

The risks can be categorized as follows:

- Threats that cause downtime to the entire IT environment or part of it. Here, the damage is in the unavailability of IT resources to the organization. Damage here can start from relatively minor issues such as the loss of working hours, but it can also be critical to organizations that depend on the network, and the loss of computing resources can cause unrecoverable damages.
- Threats that cause damage to organization data. Here, we have risks involving the destruction or theft of the organization's data. This depends on the organization – in some cases, both are critical, in other cases, only one of them is, and in some cases, neither.

Various types of attacks can cause unavailability, while other types can damage the data. In the next section, we will look at a critical point in any organization's IT environment and what the results of such an attack are.

Attacks on the internet

Let's start with the internet. Every once in a while, we hear that "A third of the internet is under attack" (Science Daily, November 1, 2017), "China systematically hijacks internet traffic" (ITnews, October 26, 2018), "Russian Telco Hijacked Internet Traffic of Major Networks - Accident or Malicious Action?" (Security Week, April 7, 2020), "Russian telco hijacks internet traffic for Google, AWS, Cloudflare, and others. Ros Telecom involved in BGP hijacking incident this week impacting more than 200 CDNs and cloud providers." (ZDNet, April 5, 2020), and many more.

What is it? How does it work? Attacks on the internet network itself are usually attacks that deny or slow down access to the internet, along with attacks that divert traffic so that it will get to the destination through the attacker network or not get there at all.

In the first case, when the attacker tries to prevent users from using the internet, they will usually use DoS and DDoS types of attacks.

Important Note

DDoS attacks are a very wide range of attacks that intend to prevent users from using a service. A service can be a network, a server that provides several services, or a specific service. A DDoS targeting the network can be, for example, a worm that generates traffic that blocks communication lines, or sessions that are generated for attacking the routers that forward the traffic. A DDoS targeting a specific server can be, for example, loading the server interfaces with a huge amount of TCP sessions. A DDoS targeting a specific service can be traffic generated to a specific TCP port(s) of the service itself.

DDoS attacks on the internet can involve, for example, generating traffic to specific IP destinations, both from devices controlled by the attackers (referred to as direct attackers) and from third-party servers that are involuntarily used to reflect attack traffic (referred to as reflection attackers).

Another type of attack that can be performed on the internet is diverting traffic from its destination. This type of attack involves making changes to the internet routers so that traffic is diverted through the attacker network, as shown in the following diagram:

Figure 1.18 – Traffic diversion

Here, we can see traffic being sent from Alice to Bob being diverted through Trudy's network. Normally, when Alice sends traffic to Bob, it will go through region A to region B and get to Bob. Under the attack, Trudy configures the routers in region B to pull the traffic in their direction, so that traffic from router A4 will be sent to B1. Inside region B, traffic will be forwarded to the point where it can be recorded and copied, and then it will be sent to router C3 in region C on the way to its destination.

Important Note

Bob, Alice, and Trudy (from the word intruder) are the names of fictional characters commonly used in cyber security illustrations. Here, Bob and Alice are placeholders for the good guys exchanging information, while Trudy is a placeholder for the bad guy who tries to block, intrude on, damage, or steal the data sent between Bob and Alice.

To divert the data that should be forwarded from A4 to C3 so that it is sent instead to B1 in area B, router B1 must tell router A4 that it offers a higher-priority route, so that router A4 sees the best route to the destination as going through B1 rather than through C3. On the internet, this is configured in the Border Gateway Protocol (BGP), which we will look at in more detail in Chapter 12, Attacking Routing Protocols.

In practice, the traffic in this example flows in both directions; I used single-direction traffic for simplicity.
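As an added illustration that is not code from the book, the following Python script models the route selection that lets B1 win (a more specific prefix beats the covering prefix, then the shorter AS path) and the check an operator can run over received announcements to flag a prefix whose origin AS is not the expected one. The prefixes, AS numbers and EXPECTED_ORIGIN table are constructed for the example.

```python
import ipaddress

# Constructed sample BGP announcements (not real routing data).
# Each tuple: (prefix, AS path); the last element of the path is the origin AS.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64501, 64502, 64503]),  # legitimate route to "Bob" via region C
    ("203.0.113.0/25", [64501, 64666]),         # more-specific prefix from "Trudy" (AS64666)
    ("198.51.100.0/24", [64501, 64504]),        # unrelated, legitimate prefix
]

# Expected origin AS per monitored prefix (constructed). In a real deployment this
# table would be built from the operator's own allocations or from RPKI ROA data.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): 64503,
    ipaddress.ip_network("198.51.100.0/24"): 64504,
}


def best_route(dest, announcements):
    """Simplified route selection: longest matching prefix wins, then the shortest
    AS path. Returns (prefix, as_path) or None when nothing covers the address."""
    addr = ipaddress.ip_address(dest)
    candidates = [(ipaddress.ip_network(p), path) for p, path in announcements
                  if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None
    net, path = max(candidates, key=lambda c: (c[0].prefixlen, -len(c[1])))
    return str(net), path


def find_suspicious(announcements, expected):
    """Flag every announcement that sits inside a monitored prefix but is
    originated by an AS other than the expected one (an equal or more-specific
    prefix from an unexpected origin is the signature of a diversion)."""
    alerts = []
    for p, path in announcements:
        net = ipaddress.ip_network(p)
        origin = path[-1]
        for covering, exp_origin in expected.items():
            if net.subnet_of(covering) and origin != exp_origin:
                alerts.append({"prefix": p, "origin": origin,
                               "expected": exp_origin, "covering": str(covering)})
    return alerts


if __name__ == "__main__":
    # 203.0.113.10 falls inside Trudy's /25, so the /25 wins the selection.
    print("route for 203.0.113.10:", best_route("203.0.113.10", ANNOUNCEMENTS))
    for alert in find_suspicious(ANNOUNCEMENTS, EXPECTED_ORIGIN):
        print("ALERT:", alert)
```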

Attacks from the internet targeting organizational networks

Attacks from the internet can be of various types. They can be intrusion attempts, DDoS, scanning, and more. Let's look at some examples.

Intrusion attempts are discovered and blocked by identifying anomalies or well-known patterns. An anomaly is, for example, a sudden increase in traffic to or from an unknown source, while an intrusion pattern is, for example, port scanning. Suspicious traffic patterns are discussed further in Chapter 6, Finding Network-Based Attacks.

A useful website called Digital Attack Types provides a daily world map of DDoS attacks. It can be found at https://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=18419&view=map.

Attacks on firewalls

Attacks on firewalls usually take place when the attacker tries to penetrate the network. This can be done in several ways: by scanning the firewall for security breaches, such as ports that were left open so that a connection can be opened through them to the internal network; by crashing the firewall services so that the firewall continues to work only as a router; or by generating user login attempts to log in to the firewall as a VPN client and break into the secured network.
