Network Security - Deep Dive Replay
Sep 12, 2023

Hello, welcome everyone to our deep dive into network security. My name is Kevin Wallace and I want to say a big thank you for taking a good chunk of your time today to join us for this deep dive. This is what is happening: we are recording this in September 2022, if you're watching this on replay, and this is our 8th anniversary of being in business. I thought, you know what, I'm going to do this big massive marathon, and I can't think of a better topic than security for this marathon training session. Let me give you an idea from the beginning of what is coming today. Taking a look at our agenda, we'll start by looking at network security, whether or not you're focused on it in your work. You have to know it. There's a tremendous demand for security right now and it's unprecedented; it's not like any other skill set. We'll take a look at some stats and then get into a sort of high-level overview. We'll look at the big three goals of network security and we'll look at how we can accomplish some of those different goals, then we'll address some common network attacks, because we want to know what we need to defend against, and we're going to talk about how we can put up some defenses. And I should say right from the start that in this session we're going to talk about some tools that malicious users could use to gain access to a network, so let me give you a disclaimer at this time: I don't support nor do I condone malicious or illegal use of any of these tools. I want to give you this information to help you defend yourself against the bad actors out there. And because today is going to be a very long session, rest assured, I'll give you a few breaks throughout the process. We will probably have a couple of big breaks during today's session, just a guess, and this could vary a bit. I'm guessing today's session will last about five hours. So you might want to think about that and what's in store for you in the next few hours. In module four we'll get into wireless security.
There are all kinds of wireless security standards, and not just wireless in terms of Wi-Fi. Here's a Bluetooth tool, it's called Ubertooth, a Bluetooth adapter with which we can do a bit of hacking of Bluetooth; we'll talk about that and we'll talk about how we can protect against that. Then we'll spend quite some time talking about session hijacking. You see, here's the deal: instead of trying to guess or crack someone's password to log into something they have access to, what if we wait for them to gain access on their own?
They log in, they give their credentials, they're talking back and forth, they have that session established, and then we, well, not us, but a malicious user, hijacks that session, which allows them to bypass the entire authentication process. We'll talk about how session hijacking can happen and how we can protect against it. We'll talk about physical security, because we can have all these great protocols and systems in place, but if someone can just walk up and get to the console (I have a Cisco Catalyst switch right here which we will use for a demonstration later), if someone can gain access to the console, they can own your device and can pretty much recover the password, so we also want to have physical security. We will talk about some of the emerging security threats that traditionally we haven't thought much about, or at least I haven't, and that's with Internet of Things devices and the cloud: how do we protect ourselves as we move our resources and our data from centralized on-premises data centers at our site to a cloud service provider? We will see one way to bring that security to the cloud that we are using more and more, VPN technology, virtual private networks. We will talk about the different types of protocols that can be used, how we could use some of them together, and I think you'll really enjoy that discussion on VPNs, and we'll conclude it with a discussion on dynamic multipoint VPNs.
So today we're posting a ton of great security content. I hope you're excited. I hope you take lots of notes. And again, I realize this is going to be a marathon session, so we'll give you a couple of breaks. A recap of my bio, because we're going to be spending a lot of time together; this is where I'm coming from as I approach this topic. My name is Kevin Wallace. I have a couple of CCIEs. I got my first CCIE back in 2001; it was the Routing CCIE, and I've since updated it, or upgraded it, to CCIE Enterprise Infrastructure.
I also got another CCIE in 2012, and since then I upgraded it to CCIE Collaboration, and now, having been a CCIE for over 21 years, I have achieved lifetime emeritus status, so I don't have to take anything again. I get to keep my CCIE for life and that really makes me happy, but I've really been working with Cisco equipment since the first Cisco router in the late 80s. The Cisco AGS+ router was the first router I worked on, and I have been working with Cisco equipment since. I taught courses for Cisco learning partners for about 14 years before starting my own business
about eight years ago, and I started teaching these online courses. In the real world, one of my favorite jobs, well, it was my favorite job in the real world because my family and I are huge Disney fans (you can probably see some little Disney artifacts on the shelves behind me), I got to be one of the five network designers at Walt Disney World in Florida, and it was an incredible experience. I had the opportunity to design the network that linked Magic Kingdom and Epcot, the studios, Animal Kingdom and a lot of resorts. We just had a great time there. I wrote a lot of books, I did a lot of video courses for the people at Cisco Press, and I had the privilege of speaking at a couple of Cisco Lives, and each time I got the Distinguished Speaker Award.
The bottom line is that I have been doing this for a while and I am passionate about it. I love this stuff and I can't wait to add some value for you today, because we're going to touch on the security concepts that come up in a bunch of different exams from Cisco and others. Let's start here in module one, just to get a sense of the incredible demand we have in the industry for network security skills. I attended Cisco Live earlier this summer in Las Vegas; let's see, it was June, actually June 2022, and I met a lot of people after being shut down and doing it virtually for a couple of years.
It was great to see people face to face. I met a lot of people and I attended the keynotes, and one of the main statements that really caught my attention was from Jeetu Patel, the executive vice president and general manager of security and collaboration at Cisco. When he said this it startled me and I thought: wow! It is true. He said that the war begins with cyber before moving to land or air. Think about that: when there is war between countries, instead of launching some kind of offensive missile attack or something, the first attack will probably be cyber.
We want to protect ourselves against those types of attacks; it is so critical. In fact, we see that reflected in this year's list of the 15 most in-demand certifications, this is from CIO magazine, and one of the great security certifications that exist is CEH, the Certified Ethical Hacker certification. I would like you to notice that it appears as number five on this list; it actually surpasses Cisco CCNP and Cisco CCIE, which are also on the list in the top ten, but Certified Ethical Hacker surpasses these top-tier Cisco certifications for what will be in demand in 2022. And again, at the end of June of this year, Fortune magazine published this article that I was reading, and I love the headline, which says that companies are desperate for cybersecurity workers right now.
There are over 700,000 jobs right now that need to be filled, and if you're seeing this on replay a month or two from now, it may be even more than that, but the forecast is that for the rest of this decade, every year, we're not going to make up that shortfall; there will continue to be this lack of cybersecurity professionals. So this is something we need to know, whether we want to make it our main focus in our IT careers or not. I myself am a collaboration person.
I love collaboration. I love the usual business technologies, but underlying all of that there is security; no matter what your focus is, you have to know about security. I have been doing this for over 30 years, yes, 33 years now, and I have never seen a demand in the industry like we have today for security professionals, so this will be critical to know. I hope I have convinced you that this is very important for your career: whether you focus on security or not, you still need to have a basic understanding of it so you can be conversant with other people in the industry. But let's get into the big three goals of security, and when
I say we are securing a network, what exactly does that mean? What objectives do we have? First, I'm talking about confidentiality. I don't want anyone to read my email. I don't want someone to be able to access my server and look at my files. I don't want them printing on my printer. If they capture traffic passing over the cable or over the airwaves through an antenna, I don't want them to be able to read it. I want it to be confidential: confidential communication and confidential storage. We also want to make sure that our data hasn't been tampered with; we want to verify the integrity of that data. And one of the things we have to defend against is someone just taking down our system. No doubt you've heard about denial of service, DoS or DDoS, attacks; that's where an attacker just floods a system with so much traffic that the system can't do its normal job, because it's dealing with that flood of junk data coming in, and that can bring our system down.
We are denied service to our system; in other words, we want our systems to be available, and we're going to talk about what metric defines high availability. But first let's focus on confidentiality. One way to have confidentiality is through a variety of security devices that we can use on our network; we'll talk about those here in a moment. Other than that, on our Cisco routers, as an example, we can use ACLs, access control lists, and I'll show you the syntax, and I'm going to challenge you with some ACL troubleshooting scenarios that will come up here in a moment. We're also going to encrypt our traffic. We're not saying encode our traffic; we're going to take our string of data and we're going to encrypt it, and as part of that encryption we are using a mathematical algorithm, and that algorithm will probably use something called a key. It could be 128 bits long, it could be 109, it could be a variable number of bits, but this key is something that may be secret depending on how we do it. If I use a key and you use a key and we use the same key to encrypt and decrypt our data, then if someone catches it in the middle and they don't have that key, they won't be able to read our data. We'll talk about some different encryption options, but let's start by taking a look at a few different security devices. One you've probably heard a lot about is the concept of a firewall. Now, a firewall will typically stand guard at the perimeter of your network, where you access the Internet or enter a wide area network, or maybe you just go into a different area of your own network with a different level of security, but a firewall is basically a set of rules stating what traffic can go in and what traffic can go out. Let's talk about a few different types of firewalls, one of which may be running on your operating system
on your desktop or laptop right now. If you're running Microsoft Windows or macOS or Linux, almost any operating system, you probably have the option of using a software-based or host-based firewall, so that if someone tries to access your computer
specifically, you can set up some firewall rules to allow or deny that kind of activity. Now that's at the micro level, reaching down to individual devices, but we often think of firewalls as a device that will sit at the edge of our network. A very rudimentary type of firewall, and I hesitate to even call it a firewall, but I want you to know it because it might show up on an exam one day, is a packet filtering firewall. When I say packet filtering firewall, I'm talking about an access control list; it is really a set of rules to say that this section of the network or this IP address or these IP addresses can go out, or can't go out, or can't come in. For example,
this would not be a good use of a packet filtering firewall. Let's say we set up a router at the edge of our network to access the Internet and we think, "Well, I trust the people inside my network. I'm going to let them come into my router and go out to the Internet, but I don't trust the Internet because there are a lot of bad actors out there," so we set up our access control list to block traffic from the Internet from reaching us. Think about how that would work, or how that wouldn't work. Let's say you're inside, you're a trusted person, and you're trying to go to a website on the Internet, and that packet comes into the router and the router says, "Oh, they're good people who are inside the network," and allows them to go out to the Internet, and you go to the Internet website. The Internet website is trying to send you the page you requested, but when that page comes back to the router, the router says no, no, no, you're coming from the Internet, I don't trust you, and it gets dropped. You see, we're not getting two-way communication, so sitting on the edge of our network is not a good place to use a packet filtering firewall. What we could do instead is use a stateful firewall; now here we are
overcoming that problem I just described: we remember the state of a session. Again, I'm inside, I'm trying to access a device on the Internet somewhere, and when I go into the router, or this stateful firewall, it's going to take note of this. It's going to say, oh, I see this IP address on the inside of the network going to this other IP address on the outside of the network, and they are using this source and this destination port number. It is going to remember that when the web server, in this example, returns that web page, the source and destination IP addresses and the source and destination port numbers will be transposed, but the router will realize that and say, oh, that's web traffic returning from a session, and the key here is a session that originated inside the network, so I'm going to allow the traffic to return.
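The difference just described, between a stateless packet filter that drops the web server's reply and a stateful firewall that remembers the session and recognizes the transposed addresses and ports on the way back, is easy to see in a small simulation. The following Python is an added example and not code from the webinar; the inside subnet 10.1.1.0/24 is taken from the transcript, while the web server and probe addresses, ports and packets are constructed sample values.

```python
"""Packet-filtering vs. stateful firewall simulation (added example, not from the
webinar). An edge device trusts inside hosts and blocks anything arriving from the
Internet; only the stateful version lets the reply to an inside-originated session
back in. All addresses except the inside subnet are constructed sample values.
"""
from dataclasses import dataclass

INSIDE_NET = "10.1.1."   # inside subnet 10.1.1.0/24 (from the transcript)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


def packet_filter(pkt: Packet, direction: str) -> bool:
    """Stateless rule set: outbound from inside is allowed, inbound from outside is denied.

    'direction' is "out" (leaving toward the Internet) or "in" (arriving from it).
    Only this packet's header is consulted; earlier packets are not remembered.
    """
    if direction == "out" and is_inside(pkt.src_ip):
        return True
    return False   # implicit deny: everything else, including the web reply, is dropped


class StatefulFirewall:
    """Remembers the 5-tuple of every session an inside host originates."""

    def __init__(self) -> None:
        self.sessions = set()

    def check(self, pkt: Packet, direction: str) -> bool:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if direction == "out" and is_inside(pkt.src_ip):
            self.sessions.add(key)   # note the session so its reply can come back
            return True
        if direction == "in":
            # A reply carries the request's addresses and ports transposed.
            transposed = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return transposed in self.sessions
        return False


def web_exchange(firewall_check) -> tuple:
    """Send one HTTP request and its reply through a check function.

    Returns (request_allowed, reply_allowed).
    """
    request = Packet("10.1.1.101", 49152, "203.0.113.10", 80)   # inside host -> web server
    reply = Packet("203.0.113.10", 80, "10.1.1.101", 49152)     # web server -> inside host
    return firewall_check(request, "out"), firewall_check(reply, "in")


def unsolicited_probe(firewall_check) -> bool:
    """An inbound connection attempt that no inside host asked for (constructed)."""
    probe = Packet("198.51.100.7", 40000, "10.1.1.101", 445)
    return firewall_check(probe, "in")


if __name__ == "__main__":
    print("packet filter, request/reply:", web_exchange(packet_filter))   # (True, False)
    sfw = StatefulFirewall()
    print("stateful,      request/reply:", web_exchange(sfw.check))       # (True, True)
    print("stateful drops unsolicited  :", not unsolicited_probe(sfw.check))  # True
```

The stateless version returns `(True, False)`: the request leaves but the page never gets back in, which is exactly the one-way communication problem above. The stateful version returns `(True, True)` for the same pair of packets, yet still drops an inbound packet for which no inside-originated session exists.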
It's a stateful firewall and that's what we've actually used for decades, but in recent years it's been improved even further. You may hear about a next-generation firewall or a layer 7 firewall. Here the firewall device can examine more than just the IP address information; it can, as the name suggests, get into layer 7 information and can understand how different protocols work together. For example, here is the first one that comes to mind: I do a lot of things in collaboration, and when I'm setting up an IP phone call with a Cisco IP phone, I may be using a protocol called SIP, the Session Initiation Protocol, to set up the session and have the phone call, but once I start talking, that SIP session will allow me to start transmitting my voice, and that will be done using the RTP protocol, the Real-time Transport Protocol. Well, that was just the first example that comes to
mind; the firewall is going to understand that, oh yeah, if a session starts using SIP, then it could go to RTP, and it'll realize that, okay, it's still part of the same session, so we can look at protocol-specific things in our streams and allow or deny traffic depending on that. Beyond that, we might want to do something else, and this is what we did at a university where I used to work years ago: we can divide the network into different security zones. What we had at the university was that we had an Internet connection and a firewall port pointed to the Internet.
We had another section of the university that contained the residence halls where the students lived, and we had another section that contained the faculty and staff and the classrooms. We wanted to prevent someone sitting in their dorm room at night from breaking into, maybe, a faculty computer; we wanted to put that in a different security zone. So what we did was create what some people call a DMZ, or demilitarized zone: we had a firewall port that went out to the Internet, we had another firewall port that goes to the faculty and staff within the university, and another firewall port connected to the residence halls within the university. Another example, in the corporate environment: in the corporate environment we may have servers that we want to be available on the Internet. Maybe we have our own web server that we host locally, we have our own email server that we host locally, it's in our data center, and people on the Internet need to be able to access those servers, at least on certain ports. So what we could do is put those publicly available servers in a DMZ. We can still limit some things; we could limit what ports are going to be used, but if someone were to compromise that web server, we don't want it to become a starting point to break into and compromise something on the inside of the network. So we can create this DMZ such that it won't be permitted to get into the DMZ and then into the internal network, so we can have these different layers of security. So a firewall is a device; we could have another
device called an IDS sensor, an intrusion detection system sensor. Here you will notice that my IDS sensor is connected to an Ethernet switch, and when a packet from the Internet arrives at that switch, the switch is making a copy of it. OK, the original packet is sent to its destination, the client you see in the upper left corner of the screen, but the copy it made, did you see it, went down to the IDS sensor, so the IDS sensor is monitoring traffic flowing through that switch and is monitoring it for malicious patterns. There is what is called a signature database that the IDS sensor has, and if it sees potentially malicious traffic coming in, it can alert us. In fact, some IDS sensors can even go out and talk to the firewall and say: we are being attacked from this network or from this IP address,
I want you to create a rule that says block that IP address from entering. But look at the original packet, which could have been a malicious packet: it originally came in and reached the client. There are some attacks which are called atomic attacks, in which an attacker can damage a system with just one or two packets. In a case like that the IDS sensor might realize that we were attacked, but we were not able to prevent the attack. To overcome that problem, what we can do is use a different type of sensor called an IPS sensor, and an IPS sensor is an intrusion prevention system sensor. So again, an IDS inspects the traffic and can react to a copy of the received traffic, but an intrusion prevention system sensor will be placed inline with the traffic, so that when that traffic comes in from the Internet, if it detects, based on its signature database, that it is malicious traffic, it will be able to react and potentially drop that traffic inline. It takes a look and says, oh, you match this type of known attack in my signature database; as a result, I'll drop you. And sometimes, just like we can have a host-based firewall, sometimes we can have a host-based
IPS system, an IPS sensor on our host, that can block traffic coming into our network interface card before it can harm our system. So that's the distinction between an IPS sensor and an IDS sensor. So firewalls, IDS sensors and IPS sensors are some of the security devices that we could use. Another line of defense is an access control list, or an ACL. If you have done your CCNA studies, or maybe ENCOR studies, then you have probably learned about these access control lists. Let's do a little review to start. Many people think that an access control list is basically a traffic cop holding up a go or stop signal based on the traffic entering or leaving a router interface, and that's true, you can do that. An access control list is a list of rules; each rule is called an ACE, an access control entry, and that ACE is going to be able to say, yes, allow this, or deny this. In addition to allowing or denying traffic, I want you to understand that when we send traffic to a router, or when traffic leaves a router, we can apply it incoming or outgoing, so when we configure these access control entries as part of our access control list, we should think about which direction the traffic is going: whether it enters the router or leaves the router. And in addition to simply allowing or denying traffic, we can also use it, and this is a concept that is often overlooked, to match traffic if I am doing something like quality of service or network address translation.
You may want to match traffic coming from a certain subnet. I could do it with an access control list, and to do that I would say I want to permit this network address with this wildcard mask. Just because I'm permitting it doesn't mean I'm blocking everything else in the context of using this with quality of service or with network address translation; I am using it to match traffic. So it is not always used to block or drop traffic or allow traffic to pass; it can be used to match traffic. And it is a list, and it is processed from top to bottom.
Let me give you an example. Let's say I have a rule that says everyone on this subnet is denied access to this particular corporate server because of sensitive information on that server, so no one on this subnet gets access to the server, with one exception: we have a network administrator who lives on that subnet. What we can do is set up a rule to say, well, I want to allow the IP address of that network administrator to reach that server. If in my list I first say deny the subnet and then I say permit that network administrator that belongs to the subnet, they are going to be denied, because we are processing top down: as soon as we look at and evaluate that first ACE that says deny the entire subnet, well, the administrator is part of the subnet, ding ding ding, we have a match, and traffic from that administrator is going to be dropped. So we need to move the entry that says permit the specific network administrator user above the line that says deny subnet traffic. So as a general principle we need to put more specific entries higher up in our access control list, because these are processed top down, and once we have a match, we will ignore the rest of the entries in that list. But let's say we go through the entire list and we don't have a match; it doesn't match anything, we didn't have a single access control entry that matched a particular packet. What happens in a case like that? At the end of each access control list, and we didn't create this, it's there by default, we can't remove it, there's an implicit deny all rule that says if a previous access control entry didn't allow it, it will be implicitly denied. So we need to take that into account, and when we configure these, you can use numbered ACLs, you can use named ACLs. Personally,
I'm a bit of a fan of named ACLs, and they can be standard or extended, and I'll give you an example of each in a moment. In fact, let's go and take a look at a standard ACL right now. Here I have a couple of subnets off this router: PC1 and PC2 belong to subnet 10.1.1.0/24, and I have a couple of servers on 192.168.1.0/24. The goal of our ACL here is I want to prevent traffic from PC1 from reaching the subnet that contains the servers; in other words, PC2 should be allowed. Notice what we are doing first. If you notice the configuration syntax on the screen, I'm saying access-list 2.
Now, the numbers in the range 1 to 99 are used for our standard ACLs. A standard ACL, by the way, will only match the source IP address: not a source TCP port number, not a destination address; it will only match the source IP address. I'll probably use a standard ACL every time I configure NAT, because I'm trying to match addresses that come from a subnet, so I don't need anything else. But here I'm saying I want to permit the host 10.1.1.102, which is PC2, then I follow up with the next ACE, which says access-list 2.
Notice that I am giving the same number; it is part of the same list. I'm saying I want to deny the entire subnet that contains PC1 and PC2, 10.1.1.0, and instead of a subnet mask we give the reciprocal, the wildcard mask, and it will be 0.0.0.255. Did I necessarily have to give that second access control list entry? Actually no, it is denying the traffic, and if the traffic is not explicitly allowed it will be implicitly denied, so I could have skipped that second rule and it would have been fine. Now let's apply it. Let's go to interface gig 0/1, which is the interface facing the PCs, and say ip access-group and give it the group number of 2, or the list number of 2, and we say in. So as the traffic comes into that router, that's where we will evaluate the packets, and that will meet our goal.
Let's take a look at an extended ACL here. The goal is for PC1 to be able to connect to server 1 using TFTP, the Trivial File Transfer Protocol. PC2 should be able to connect to server 2 using FTP, and I assume everything else will be denied. Look at our access-list 101 entries; the numbers 100 to 199 can be used for extended ACL numbers. So access-list 101 permit, and here I don't have to match an entire subnet, er, not a subnet, but an entire protocol suite such as IP. I can match particular protocols here.
I'm going to match the Trivial File Transfer Protocol, which is based on UDP, so I say permit udp, and later on this line you will see that I specify the UDP port number. I wanted to permit the host 10.1.1.101, which is PC1, going to a destination. We couldn't specify a destination with standard ACLs, but we can here: we're going to go to a destination of 192.168.1.2, and that will be server 1, and then we say eq 69, which is UDP port 69, i.e. TFTP. We do something similar on the next line: we say access-list 101 permit tcp this time, for FTP, from the host PC2, and the destination is server 2, and we say eq ftp. I did this to illustrate that sometimes we can specify an individual port number, but Cisco IOS knows the names of a wide variety of protocols.
Check it sometime with context-sensitive help. So you don't necessarily have to give a port number; I can give a protocol name like ftp. And I didn't say deny anything else, although I said everything else should be denied. Do you remember why? The reason is that everything else will be implicitly denied if I don't explicitly allow it. So I go into interface gig 0/1 and say ip access-group 101 in, so I'm specifying traffic going into router R1 from the subnet that contains the PCs. Now let me challenge you with some examples. Here you see the syntax
Currently on router R1 and the goal is to prevent traffic from PC1 from reaching the subnet that contains the servers, but the symptom we are having, interestingly, PC2 cannot reach the 192.168.1.024 network, so It should deny PC1, but the symptom is both PC1. and PC2 are denied, in fact, so you can see the syntax a little better. I'm going to create this full screen for you that will allow you to see it better and I would like you to tell me in the chat. If you would, we have incoming chats on different interfaces here, so I need to look at more than one interface, but by the way, there is a delay from the time I speak something to the time you hear it, there may be a delay. a 15 second delay, so I'll try not to make it too long, but I want you to go ahead and chat if you want.
What's wrong with this? What's wrong with this syntax on screen? I'll give you a few seconds and you can chat when you spot the problem, okay, starting to get some answers, let's go over it here first, it says access list one, deny host 10.1.101 our 10.1.1.101, that's pc1, we're denying all the traffic from bc1, that's what we want to do awesome, so we go to interface gig0 slash one and say block traffic coming into this interface that matches access list one that is blocking PC one, it looks like we're doing the what they told us How come it doesn't work and yes many of you are getting this right?
It's um, it's that implied denial at the bottom. I wanted to allow PC2 to access that subnet and it's not because that implicit deny of anything at the bottom of our ACL works amazing on that, let's look at another one on this example traffic, in fact, it's the same goal and pc1 must be prevented from reaching the server's subnet. PC2 can't reach it either and we can't. We don't want PC2 to be able to get there and if you notice in the syntax I did what you said, you said we should explicitly allow PC2, so I checked, it's that second line that I added. a line that said allow host 10.1.1.102 which is PC2 so chat again if you want, how come that doesn't work?
Yes, great job. It's because this is an access control list, and the list is processed from top to bottom, so the first ACE, the one that denies the entire 10.1.1.0/24 subnet, matches both PC1 and PC2. Before we explicitly said that PC2 is allowed, we explicitly said to block the entire subnet that PC2 belongs to, and because we process from top to bottom we never get to the rule that permits PC2, so it was blocked. Okay, let's move on to a slightly more challenging extended ACL. Here's the goal: PC1 should be able to connect to server 1 using TFTP.

PC2 should be able to connect to server 2 using FTP. PC2 is fine, it's working, but PC1 cannot communicate with its server via TFTP. This is a bit like what we saw in our example a few moments ago. I'll give you a few seconds to carefully read the syntax and chat in your answer about what's wrong here. Yes, this one was a little more complicated, wasn't it? In this example everything looks great, except that we need to know that TFTP is a UDP protocol, not a TCP protocol. Remember that a standard ACL matches a whole protocol suite like IP, but with an extended ACL we can match specific ports, and a port will typically be a TCP or UDP port. Here that first line says TCP; it should have said UDP. You guys are doing amazing. Let's do one more. Here we want to allow PC1 to reach server 1 and server 2, and we want to prevent PC2 from reaching any of the servers, so PC1 goes to the servers.

PC2 does not go to the servers. The symptom is that neither of the PCs can reach the servers. Let's take a look at the syntax. It's an extended ACL, access-list 150, which is in that 100 to 199 range, and it permits IP, so I'm allowing all IP traffic, TCP and UDP included. I'm saying permit host 10.1.1.101, which is PC1, to go to the subnet that contains the servers, 192.168.1.0 with a wildcard mask of 0.0.0.255. That looks fine. Then I'm explicitly denying PC2: deny host 10.1.1.102 to that same subnet. That looks good too, and you'll see that I'm going in and applying it.

What's wrong here? It looks pretty good, but it doesn't work. Does anyone know what it is? I don't even need to pause here. Fantastic job. Many people are noticing that I've applied it in the wrong direction. Well, actually, I applied it to the wrong interface; I could fix it either way. Note that I'm saying I want to apply this inbound on the router's Gig 0/2 interface. Well, the 0/2 interface is the port that points to my servers. I can apply it on Gig 0/2, that's an option, but if I did, I'd have to apply it in the outbound direction, as the traffic exits router R1. So one solution would be to just change the direction, change in to out; the other solution would be to change my interface to Gig 0/1, because that's where the traffic from the PCs comes in. Either one would have fixed the problem, so we need to apply the access list in the right direction on the right interface.
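The three quizzes above all come down to how the router walks an ACL. The following Python model, an added example that is not from the lecture slides or any Cisco code, evaluates a numbered ACL top to bottom with first-match-wins and the implicit deny, and reproduces the first two quizzes (the server host addresses are constructed; the PC addresses and the 192.168.1.0/24 subnet are the lecture's):

```python
"""Top-down ACL evaluation, added as an example (not from the lecture slides).
It models how a router walks a standard or extended numbered ACL: the first
matching entry wins and an implicit 'deny any' sits at the end.  The syntax
handled is a small subset of IOS syntax; server host addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "tftp": 69, "www": 80}   # port keywords used below


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def _parse_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare A.B.C.D."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0].count(".") == 3:          # explicit wildcard follows
        return t, tokens.pop(0)
    return t, "0.0.0.0"                               # bare address means host


def parse_ace(line: str) -> Dict:
    """Parse one 'access-list N permit|deny ...' line into a matchable entry."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if number <= 99 or 1300 <= number <= 1999:        # standard ACL: source only
        return {"action": action, "proto": "ip", "src": _parse_addr(rest),
                "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
    proto = rest.pop(0)                               # extended ACL
    src, dst, dport = _parse_addr(rest), _parse_addr(rest), None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace: Dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace["src"]):
        return False
    if not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the ACL top to bottom and return (action, matching line).  Falling
    off the end hits the implicit deny, reported with None as the line."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", None


# Quiz 1: the deny for the whole 10.1.1.0/24 subnet sits above the permit for
# PC2 (10.1.1.102), so PC2 never reaches its permit.
QUIZ1_BROKEN = ["access-list 10 deny 10.1.1.0 0.0.0.255",
                "access-list 10 permit host 10.1.1.102"]
QUIZ1_FIXED = QUIZ1_BROKEN[::-1]                      # permit the host first

# Quiz 2: TFTP is UDP/69, but the first entry says tcp.  Server addresses are
# constructed for this example.
QUIZ2_BROKEN = ["access-list 101 permit tcp host 10.1.1.101 host 192.168.1.101 eq 69",
                "access-list 101 permit tcp host 10.1.1.102 host 192.168.1.102 eq ftp"]
QUIZ2_FIXED = ["access-list 101 permit udp host 10.1.1.101 host 192.168.1.101 eq tftp",
               QUIZ2_BROKEN[1]]

if __name__ == "__main__":
    pc2_ping = Packet("icmp", "10.1.1.102", "192.168.1.101")
    pc1_tftp = Packet("udp", "10.1.1.101", "192.168.1.101", 69)
    for name, acl, pkt in [("quiz1 broken", QUIZ1_BROKEN, pc2_ping),
                           ("quiz1 fixed", QUIZ1_FIXED, pc2_ping),
                           ("quiz2 broken", QUIZ2_BROKEN, pc1_tftp),
                           ("quiz2 fixed", QUIZ2_FIXED, pc1_tftp)]:
        print(f"{name:13s} -> {evaluate(acl, pkt)}")
```

The third quiz (wrong interface or direction) is not modelled here, because it depends on where the ACL is applied rather than on the entries themselves.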
Next, let's talk about encryption. We said that with encryption we're going to scramble our data so that if someone intercepts it they can't read it, and we have two basic types of encryption: symmetric encryption and asymmetric encryption. Now, symmetric encryption, let me give you some examples. A really old example that we definitely don't want to use today, and in fact let me put my face back on the screen since we're not looking at syntax anymore. A standard that we don't want to use today was developed in the 1970s: DES, the Data Encryption Standard. It uses a key length of 56 bits.

There is actually hardware that you can build yourself or buy that will crack a DES-encrypted string, so you don't want to use it. Better than DES is Triple DES, they call it 3DES, and it uses three of those keys, and there are different ways to implement it. You can use 56 bits for a key, you can use 64, there are different ways to do it, you can combine keys. The bottom line is that it's a lot better than DES, but you know what's better than Triple DES? AES, the Advanced Encryption Standard, and that's really today's flagship symmetric encryption algorithm.

We'll see it on our wireless networks, and we'll see it in our IPsec VPN setups. AES is probably what we want to use today. When I say symmetric encryption, that's where we have a shared key. In other words, you and I are sending data back and forth and we want to encrypt the data we're sending, so each of us has this secret key and we have the same one. The key is symmetric, which means we both have the same key, and this symmetric key is used by an algorithm such as AES to encrypt our data. If someone intercepted that data they would not be able to interpret it, because they don't have our secret key. That's what gives us confidentiality through encryption. Another option is asymmetric encryption, and by the way, the standard you'll find is RSA, which is named for the people who developed it: Rivest, Shamir and Adleman. With asymmetric keys, you and I still have keys that we use to communicate, but they're different; they're called a public/private key pair. This is the idea: if we want to communicate asymmetrically, I will have a private key and I will give you my public key. Now here's the way this works, and you may want to put this in your notes.

If you encrypt something with my public key, it can only be decrypted with my private key. That means if you encrypt something with the public key that I gave you, I'm the only one who can decrypt it, because I don't give my private key to anyone, while I'll give my public key to anyone who wants it. So let's say I gave you my public key and I also gave a bad actor, a malicious user, my public key, and you want to send me some data confidentially. Well, you use my public key to scramble it, and what if a malicious user intercepted the traffic you encrypted with the public key I gave you? Well, they also have my public key. Is that bad? Does that mean that, because they have the same key as you, they can now decrypt the data? That would be true with symmetric encryption, but not with asymmetric. With asymmetric, everything encrypted with the public key can only be decrypted with the private key that only I have, so even if they intercept the traffic they can't decrypt it. And the reciprocal of that rule is also true: if something is encrypted with my private key, it can only be decrypted with my public key.

Let me give you some examples to make this more real for us. Let's say we're trying to communicate from a client to a server, or maybe from a wireless access point to a wireless client, which would also use this. Maybe we use symmetric encryption: we have a shared key, we put it on the client, we put it on the server, and as they send data back and forth, whatever encryption algorithm they're running uses that shared key as part of its calculation. If someone were to intercept that data, they wouldn't be able to interpret it unless they also had the shared key.

We want to make sure this key is kept secret, but this doesn't really scale very well. Think about it: if you had 5,000 users in the company and we gave everyone the same shared key on their device, what would happen if we had a disgruntled employee who left and took their key, or maybe they knew what key had been set on their PC? Suddenly we have to go and change the keys on all of our thousands of devices. That's not fun, so this isn't something we can really scale to a large size if we have to go to each device individually and configure it with a key.

Well, couldn't we just use asymmetric encryption? Yeah, here's the deal with that, something I didn't mention: asymmetric encryption is slow compared to symmetric encryption. I mean it's slow, like a hundred times slower; it takes about 100 times longer to do asymmetric encryption compared to symmetric encryption. So it scales a little better, and as we'll discuss, it's used on the Internet all the time, but it's much slower than symmetric. So let's consider asymmetric encryption with a common example. I buy things on Amazon almost daily, with the Prime truck stopping in my driveway very, very often; in fact, probably before class ends today I'm going to get a delivery, so if you hear a doorbell it's probably Amazon. But let's say we're going to go to Amazon and we want to buy something and we're going to give our credit card information, so yes, I want it to be secure.
Here's what Amazon has: they have something called a digital certificate, and technically a digital certificate will probably be called an X.509 version 3 digital certificate, but this is something that proves that they're really Amazon, so when I send them my information I know I'm actually talking to Amazon. Now you'll notice on the screen that we also have this server, this entity on the Internet called a CA, and depending on the literature you read, CA is sometimes said to stand for Certificate Authority or Certification Authority. The bottom line is that it's a trusted third party.

The first company that comes to mind is Verisign. If Amazon wants to have this digital certificate to prove its identity on the Internet, it can contact Verisign and say, hey, I want a digital certificate that you have approved and given to me, so that if I give it to someone else, one of my clients, they'll know it's really me. So here's what happens: Verisign says, okay Amazon, here's your digital certificate and here's your private key that I'm giving you. So we're using a key pair here, the public/private key pair, and as part of that digital certificate we have Amazon's public key.

We will freely give our public key to whoever wants it, but we don't give out our private key. So Verisign says, okay, here's your private key, don't tell anyone what it is, and here's your digital certificate that contains your public key; give it to your customers. Then when I want to go buy something from Amazon, and it depends on your browser, but if you see that little lock icon in your URL bar, that says that this data is encrypted, that it's a secure communication, this is what happens: Amazon sends us its digital certificate, and that digital certificate contains its public key. The question is, how do I know that this digital certificate I just received is really from Amazon?

I mean, there could be a malicious user on the Internet pretending to be Amazon that I was redirected to, and they say, I'm Amazon, here's my proof, here's my digital certificate. Well, the way I know it's really Amazon is that this certificate was signed by a trusted third party. In my example I just chose Verisign; I don't know if Amazon uses Verisign or not, but Verisign has signed the digital certificate to say that it's valid, that this really is Amazon you're dealing with. What does it mean to sign a digital certificate? Well, Verisign, the CA, has encrypted that digital certificate with its private key. Remember the rule: if something is encrypted with someone's private key, it can only be decrypted with their public key, and we have Verisign's public key. Let's see this step by step. Amazon has a public and private key pair; Verisign said here's your private key, don't tell anyone, here's your public key, put that in your certificate and give it to whoever you want. I want to go to Amazon to buy something, so I say I want to establish a secure connection so I can submit my credit card information, and Amazon says okay, here's my digital certificate, and this digital certificate contains Amazon's public key.

I've highlighted it here on the screen. Now, how do I know this is actually from Amazon? Notice that it says it's signed by Verisign. Depending on the browser you use, you can probably drill down into some of the security settings and actually see the digital certificates from these trusted third parties like Verisign. They are literally built into your browser, so when you install your browser, you're given the public key for Verisign, and Verisign has signed this Amazon certificate; they've encrypted it with their private key.

I have Verisign's public key, so if I can decrypt this certificate coming from Amazon using Verisign's public key, I'll realize, oh yeah, this is actually from Amazon, because I used Verisign's public key to unlock it, and they locked it, or signed it, with their private key. So now I know for sure that this really came from Amazon, and I have Amazon's public key in my possession right now. But I don't want to use asymmetric encryption for the whole session; like I said, it's slow. So let's set up a shared key just for the duration of the session. What I'm going to do is have my PC generate a big random string, and I want to use it as a symmetric key that Amazon and I will use during this session. So I take this string of data and encrypt it using Amazon's public key, and if someone intercepts it, is that a problem? It's not a problem, because if I encrypt it with Amazon's public key, it can only be decrypted with Amazon's private key, and they don't give that to anyone. So we send it to Amazon, and if someone intercepts it, they don't have Amazon's private key, so it's still safe. But Amazon does have the private key, so Amazon can decrypt this big random string that my computer came up with and say, oh, here's the key I see you want to use for this session. So now Amazon and I have the same session key, and just Amazon and I are going to use it to do symmetric encryption. So you see what we're saying here: it's really the best of both worlds. We don't have to
give everyone on the Internet a symmetric key to talk to Amazon. We use this public/private asymmetric key pair, and then based on that key pair I can generate a symmetric key. I think it's amazing how that works. But another security goal we said we had was integrity: we want to make sure the data has not been modified, and when I say integrity, we can run a mathematical check called a hashing algorithm. A lot of people confuse hashing with encryption, so let me distinguish between them for a moment. Hashing and encryption are quite different. If I have a big book, if I take one of those Cisco Press books off the bookshelf behind me, for example, and encrypt it, the result will be a big, thick book. It's going to be huge, because I'm encrypting something like 600 pages. But if I run a hashing algorithm like MD5, the Message Digest 5 algorithm, on one of those Cisco Press books, it will generate a result of 128 bits. That's called a hash digest. Think of that as a fingerprint. It's not encryption that can be extracted or decrypted; it's a fingerprint. The idea is that I take the fingerprint and say, here's the message digest I calculated, and I send you the data. You run the same algorithm and get the same fingerprint, and if the fingerprints match, that's a good indication the data has not been modified in transit. Instead of a book, let's say I took a three-letter word like cat and ran a hashing algorithm like MD5 on the word cat; it would also result in 128 bits. See, it doesn't matter how big the string we're hashing is; if we use MD5, the result will always be a 128-bit hash digest. So this isn't something we're going to crack; it's just to make sure the fingerprints match, and MD5 does that pretty well.

Cisco has used it for decades, but even better than MD5 is SHA, which stands for Secure Hash Algorithm, so you have that option. I would probably use SHA; it's considered more secure. Here's a challenge we have, though. Let's say you're sending me some data and you say, oh, by the way, here's the MD5 hash that I've calculated for this file you're downloading, so you give me your string and you give me your file. Well, I'm going to run the MD5 algorithm on that file and generate my own string, and if my MD5 hash matches your hash, that's a good indication that things haven't been modified. However, what if, while that file is halfway to me through that stream, a malicious user obtains the file and changes it, and then they run the MD5 algorithm themselves? They don't need any key; they get a hash digest based on that altered file and send it to me saying, here's the file and here's your message digest. Well, I'm going to run my MD5 algorithm on the same file they altered and I'll get the same hash digest they got. You see, someone altered it in transit and they changed the digest too. What do I do to overcome that limitation? There is something called HMAC, hash-based mess... let me try again: hash-based message authentication code, which adds a secret key to the mix, so that when that hash is calculated with HMAC, that secret key is used. Someone who intercepts our file and tries to run the algorithm on it does not know the secret key we're using, so they won't be able to create a credible or valid hash digest, and I'll detect that when I receive the file and its string.

And finally, as we're talking about the three big security objectives, there is availability. We don't want to be denied access to our systems; we want our systems to be highly available. But what does highly available really mean? I heard some service the other day, I forget what it was, I heard an advertisement and they said something like, you know, we have 99.9% availability, and I thought, 99.9%, that's really not that good.
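Going back to the hashing and HMAC discussion above, here is an added example (not from the lecture) that uses Python's standard hashlib and hmac modules to show the two points made there: a digest is the same size whatever the input, and a bare digest can be recomputed by whoever alters the file, while an HMAC cannot be without the secret key. The file contents and the key are constructed for the example.

```python
"""Plain hash digest versus HMAC, added as an example (not from the lecture).
It reproduces the failure the lecture describes: a file altered in transit
with its MD5 digest recomputed passes a digest check, while a keyed HMAC
catches it.  The file contents and the secret key are constructed."""
import hashlib
import hmac
from typing import Tuple

SECRET_KEY = b"constructed-demo-key"                      # shared out of band, never sent with the file
ORIGINAL_FILE = b"invoice: pay 100 to account 12345\n"    # constructed sample file


def digest(data: bytes, algo: str = "md5") -> str:
    """Unkeyed fingerprint: anyone can recompute it for any data."""
    return hashlib.new(algo, data).hexdigest()


def keyed_digest(data: bytes, key: bytes = SECRET_KEY, algo: str = "sha256") -> str:
    """HMAC: the fingerprint depends on a secret, so someone without the key
    cannot produce a valid value for altered data."""
    return hmac.new(key, data, algo).hexdigest()


def digest_bits(data: bytes, algo: str = "md5") -> int:
    """Size of the digest in bits; independent of the input size."""
    return hashlib.new(algo, data).digest_size * 8


def alter_in_transit(data: bytes, check: str, keyed: bool) -> Tuple[bytes, str]:
    """Model of the interception the lecture describes.  The interceptor changes
    the file; with a plain digest it simply recomputes the fingerprint, with an
    HMAC it has no key and can only forward the original tag unchanged."""
    altered = data.replace(b"pay 100", b"pay 900")
    return (altered, check) if keyed else (altered, digest(altered))


def receiver_check(data: bytes, check: str, keyed: bool) -> bool:
    """Receiver-side verification; compare_digest avoids timing leaks."""
    expected = keyed_digest(data) if keyed else digest(data)
    return hmac.compare_digest(expected, check)


def tampering_detected(keyed: bool) -> bool:
    """Send ORIGINAL_FILE with its check value, let it be altered on the way,
    and report whether the receiver notices."""
    check = keyed_digest(ORIGINAL_FILE) if keyed else digest(ORIGINAL_FILE)
    data, check = alter_in_transit(ORIGINAL_FILE, check, keyed)
    return not receiver_check(data, check, keyed)


if __name__ == "__main__":
    print("md5 bits for a 600-page book:", digest_bits(b"x" * 600 * 3000))
    print("md5 bits for 'cat':         ", digest_bits(b"cat"))
    print("plain digest catches tampering:", tampering_detected(keyed=False))
    print("HMAC catches tampering:        ", tampering_detected(keyed=True))
```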
99.9% availability is a lot of downtime over a period of one year. Actually, the gold standard for availability is called the five nines of availability, which means we're up 99.999% of the time, and if you translate that into an amount of time, we could be down about five minutes per year. It's really difficult to achieve, and by the way it can be very expensive, but that's the gold standard. You may have also heard of the six nines of availability, which means you're up 99.9999% of the time, and that gives you only about 30 seconds of downtime per year. That's for your very high availability systems, but generally five nines is what we're looking for. Some things that could get in the way are malicious users who could send poorly formatted data that causes an operating system to crash; we'll talk later today about DoS and DDoS attacks. To avoid this, we want to make sure the security patches for our operating systems are up to date and use some of those firewall devices we talked about. In fact, Cisco uses a term I love as a metaphor: they talk about defense in depth, they talk about overlapping layers of security.

I use the metaphor of being in bed on a cold winter night. It's really cold in the room and I have a blanket over me, but my feet are sticking out, so I put another blanket over my feet, and oh, I've got an elbow over here that's sticking out, so I tuck it under another blanket. I've got these overlapping blankets, so there are some areas that are covered by multiple blankets and some that might be covered by just one blanket, but by providing overlapping layers of protection I'm fully protected. The same goes for the network: I don't just buy a firewall and say that we're protected.

I have a security device, no. We want to have overlapping layers of network security, and we talked about some of those; we'll talk more as the day goes on. But that wraps up module two, the big three goals of network security. In module three we want to take a look, again at a high level, at some common network attacks and how we might defend against some of them. Let's start with what I would say is one of the most popular attacks you hear about in the news: the DoS, or denial of service, and distributed denial of service, DDoS, attacks.
First let's talk about a DoS attack, a denial of service. This is where we have an individual malicious user trying to deny service to a system, so here we have our malicious user on the left. I'm trying to avoid using the word hacker as much as I can, because I realize hackers are not inherently bad; there are white hat hackers, they're good people who are hackers. The term hacker can take on different meanings in different contexts, so I don't want to give the impression that all hackers are bad; that's not the case.

In this case I'm trying to say malicious user, but if I slip up and say hacker, I probably mean a malicious user. We have a malicious user on the left side of the screen, and they're targeting this victim at IP address 192.0.2.123. There are different ways we can do this, but this attacker is going to send what's called a ping of death, which is a dramatic name, isn't it? Specifically, the attacker is going to lie about who they are: they're going to spoof their IP address and claim it's our victim's IP address, 192.0.2.123, and they're going to ping, not a specific IP address, but an entire subnet using that subnet's directed broadcast address. Remember that a directed broadcast address goes to everyone within that subnet. So they're forging, they're lying about their source IP address, saying it's 192.0.2.123, and they're pinging that network's broadcast address, 198.51.100.255. When that ping reaches the broadcast address, the response from every device on that subnet goes out and, bam, they all hit that victim at once. This can go on and on, and that poor victim machine is so busy trying to deal with the onslaught of ping replies that it may not be able to do its usual job. That was an attacker trying to flood a victim with a lot of traffic, leveraging a directed broadcast to do it. But we hear a lot about a probably more destructive type of attack than a DoS: a DDoS, or distributed denial of service attack. Here, instead of just one malicious user trying to flood a victim with a lot of traffic, over time the attacker can infect devices all over the world, maybe tens of thousands of devices, perhaps with malware, and they'll be under the attacker's control.

Now these infected machines are sometimes called bots, sometimes zombies, and this attacker, when they prepare to launch the attack against their intended victim, is going to talk to a server called a command and control server. That server coordinates the instructions going out from the command and control server to these infected bots or zombies. It's literally the rise of the zombies here: we're talking from the command and control server to these infected computers all over the world, and simultaneously they all get up and start attacking our intended victim. The attacker may have put some malware into the hands of users all over the world, pretending to be a game or some other kind of application, or maybe there's some malicious code on a web page that infects them, and then the attacker can control them and say, all right, attack, and simultaneously they all attack the victim. With tens of thousands of computers on the Internet, that's far more likely to hurt than a single user trying to generate a lot of traffic targeting a system. How do we protect against that? Here are some general guidelines, and this is some content that I've taken from the CEH course; I taught some of those modules.
I taught some of the modules. This is from a module I taught, and it talks about how we can defend against DoS and DDoS attacks. We'll talk about each of these: routers have a TCP Intercept feature; we've already talked about the IPS sensor, and there are some detection algorithms there; we may want to give ourselves more bandwidth than we need, to handle the excess traffic during an attack; we want to know what we're going to do in response to the attack, with an incident response plan; and we may want to pay someone we know to attack our network so they can spot any weaknesses before bad actors do. Let's talk about these one at a time, starting with the TCP Intercept feature. Remember how TCP works: it's a three-way handshake. If I want to establish a conversation with you, I'll send you a synchronization message, a SYN message, and I say, hello, I want to talk to you, and you respond with an acknowledgment saying, okay, I'm willing to let that happen, you can talk to me, and oh, by the way, I want to talk to you too, so you send me a SYN of your own. So I send you a SYN saying let's talk, you send me a SYN-ACK saying I want to talk to you too and yes, I acknowledge your SYN, and then I acknowledge your SYN with my own ACK. So here is the SYN, SYN-ACK, ACK three-way handshake; this is how a TCP session is set up.

Now the attacker sends a SYN message to router R1, and with the TCP Intercept feature, before the traffic passes to the destination server, one option is to have the router participate in that handshake so that the destination server, anyone within the network, doesn't even get involved until the router has confirmed that this session is fully established. So on behalf of our server, in this example, the router responds with a SYN-ACK and the attacker responds with an ACK, and once the three-way handshake is complete, a session is set up between the router and the destination server and the two are linked, so that the attacker, or the person on the Internet (we don't know if they're bad or not yet), is now talking to the target server. But what that malicious user could do is send a SYN flood: send messages saying, hey, let's set up a session, let's set up a session, over and over, and every time they do, the poor router says, okay, here's my SYN-ACK, okay, here's my SYN-ACK.

So we're flooding this router with all these SYN messages, but we never respond to the SYN-ACK that the router sends back to the attacker, so the router's resources are being consumed. They have what are called half-open connections, or sometimes in the literature they're called embryonic connections: they're not fully formed connections, and if there are enough of them they will consume our router's resources, giving us a denial of service attack on the router. So here's something I used to do years ago, back in college, when I was a network engineer.

We'd configure the TCP Intercept feature, and there are two modes in which it can operate. Intercept mode is what we saw in the animation a moment ago: that's where the router makes sure it's a valid session before it involves anyone inside the network; it responds to SYN messages on behalf of the internal users, so we don't have to make the internal server deal with all these half-open connections; the router takes care of that. Or we could be more passive: the router could be in watch mode, and in watch mode we're watching what's happening, we're watching the traffic. We see the SYN message go to that destination server inside, we make a note of it, and we let it happen until we get past some threshold where too many SYNs have been sent within a certain period of time, at which point the router gets involved and starts blocking things. Another way to prevent or mitigate DoS and DDoS attacks, something we've already talked about, is an IPS sensor, where we have signatures of known attacks, and if traffic matches a signature in the signature database, we can block it inline.
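To make the watch-mode behaviour concrete, here is an added example, not Cisco's implementation and not from the lecture slides: a small Python model of a router that forwards SYNs, tracks the embryonic connections they create, resets the ones that stay unanswered past a watch timeout, and turns "aggressive" above a high-water mark, evicting the oldest half-open entry for each new SYN. The thresholds, the timeout and the packet trace are constructed; the victim address is the lecture's 192.0.2.123.

```python
"""Simplified model of TCP Intercept in watch mode, added as an example (not
Cisco's implementation).  The router lets SYNs through, remembers each
embryonic (half-open) connection, resets entries that stay unanswered past a
watch timeout, and above a high-water mark switches to an 'aggressive' mode in
which each new SYN evicts the oldest half-open entry.  Thresholds, timeouts
and the packet trace below are constructed for the example."""
from collections import OrderedDict
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]        # (src ip, src port, dst ip, dst port)


class WatchModeIntercept:
    def __init__(self, high: int = 5, low: int = 3, watch_timeout: float = 30.0):
        self.high = high                    # half-open count that turns aggressive mode on
        self.low = low                      # half-open count below which it turns off again
        self.watch_timeout = watch_timeout  # seconds a SYN may stay unanswered
        self.half_open: "OrderedDict[Flow, float]" = OrderedDict()
        self.aggressive = False
        self.log: List[str] = []

    def _update_mode(self) -> None:
        n = len(self.half_open)
        if not self.aggressive and n >= self.high:
            self.aggressive = True
            self.log.append(f"aggressive mode ON ({n} half-open)")
        elif self.aggressive and n < self.low:
            self.aggressive = False
            self.log.append(f"aggressive mode OFF ({n} half-open)")

    def _expire(self, now: float) -> None:
        """Reset embryonic connections that never completed the handshake."""
        for flow, t_syn in list(self.half_open.items()):
            if now - t_syn > self.watch_timeout:
                del self.half_open[flow]
                self.log.append(f"reset stale half-open {flow}")
        self._update_mode()

    def handle(self, pkt: Dict, now: float) -> str:
        """Observe one packet.  Watch mode forwards everything; it only keeps state."""
        self._expire(now)
        flow: Flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN":
            if self.aggressive and self.half_open:
                oldest, _ = self.half_open.popitem(last=False)
                self.log.append(f"aggressive: reset oldest half-open {oldest}")
            self.half_open[flow] = now
            self._update_mode()
        elif pkt["flags"] == "ACK" and flow in self.half_open:
            del self.half_open[flow]        # third step of the handshake: no longer embryonic
            self._update_mode()
        return "forward"


def constructed_trace() -> List[Tuple[float, Dict]]:
    """One legitimate handshake, a burst of never-completed SYNs from spoofed
    sources, then another legitimate client after the burst has gone stale."""
    victim = "192.0.2.123"                  # the lecture's victim address

    def pkt(src: str, sport: int, flags: str) -> Dict:
        return {"src": src, "sport": sport, "dst": victim, "dport": 80, "flags": flags}

    trace = [(0.0, pkt("203.0.113.5", 40000, "SYN")), (0.1, pkt("203.0.113.5", 40000, "ACK"))]
    trace += [(1.0 + 0.1 * i, pkt(f"198.51.100.{10 + i}", 50000 + i, "SYN")) for i in range(8)]
    trace.append((40.0, pkt("203.0.113.6", 40001, "SYN")))
    return trace


def run(trace=None, **kwargs) -> WatchModeIntercept:
    """Feed a (time, packet) trace through the model and return it for inspection."""
    router = WatchModeIntercept(**kwargs)
    for now, packet in (trace if trace is not None else constructed_trace()):
        router.handle(packet, now)
    return router


if __name__ == "__main__":
    r = run()
    print("\n".join(r.log))
    print("half-open at end:", len(r.half_open), "| aggressive:", r.aggressive)
```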
That signature database could be something we update regularly as part of our weekly routine, or sometimes we can integrate our IPS sensor with an online service that keeps up-to-date information on threats, such as zero-day attacks that are emerging on the Internet. Cisco has something called Cisco Talos, and we can integrate our Cisco IPS sensor with Cisco Talos, and it will give us information about these hot spots around the world that are having security breaches, and we can see what the current signatures are that we're trying to protect against. One of the hardest things to block with a DoS or DDoS attack is what's called a zero-day attack.

This is where our malicious user launches an attack for the first time, and it's not in our signature database. How do we detect something that we have no record of? Well, zero-day attacks can be mitigated somewhat by integrating with an online system like Talos that gives us very fast updates when they're detected. But even beyond that, Cisco, as part of their Firepower series of firewalls, can use machine learning to detect what it estimates to be malicious traffic, even if it has never been seen before and isn't in our signature database.

Yes, Cisco Firepower may be able to do that through machine learning, detecting what is suspected to be malicious traffic and then isolating or blocking that traffic, and that's available in the 9300 series Cisco Firepower firewall, as an example. Cisco also recommends that, to protect against a DoS or DDoS attack, we over-provision our bandwidth, because when we're being attacked with an avalanche of incoming traffic, that avalanche of traffic is going to consume the link coming into our network. So even if our router keeps track of all those SYN messages and we're blocking things by recognizing malicious traffic, it still comes to us through the pipe, so during the time it takes us to detect and respond to that attack, it might be a good idea to have some extra bandwidth on that link. That way, if we have that flood of traffic coming in, we're better able to handle it and we're not getting a denial of service on our Internet link, as an example. And when we're under attack, it's great if we know what we're going to do in response, because sometimes, honestly, I see there's a lot of excitement in networking when things go wrong or when attacks occur; some people may become scared.

Ah, we're under attack, what do we do now? Let's disconnect everything! It's much better, instead of trying to find an answer in the heat of the moment, under the pressure of being under attack, to have previously documented with a clear mind what you're going to do in response. You have a plan of action, so when we're under attack, let's execute this plan: bam, do this and this, notify these people, configure this, create this rule, update this. We're going to have a step-by-step plan of how we've previously decided to respond to any future attacks, and it's going to make things go much, much faster, more smoothly and with much less stress. Another option to protect yourself against these DoS and DDoS attacks is to recognize any vulnerabilities before the bad guys recognize them. You see this in a movie or on a TV show sometimes: a bank pays someone to see if they can break into their vault, and if they can, they walk into the conference room and put down the big canvas bag, and it's full of money. Yes, I got all of this from the vault, and this is what I did to get in. You may want to close those security gaps.

The same goes for our networks: we can pay someone to do penetration testing. In fact, there's a PenTest+ certification from CompTIA that trains you to be a pen tester, but this is an authorized attack on a system. We know someone is attacking our system, and it's not to do bad things to our system but to assess our current posture, our current level of security, and to identify any vulnerabilities we may need to address. Another type of attack is an on-path attack, or, as it was sometimes called, a man-in-the-middle. You'll hear it called an on-path attack or a person-in-the-middle attack, but the idea is that we have someone sitting between the source and destination of our communication stream. Here I have a couple of computers talking to each other, no problem, but what if an attacker arrives?
If an attacker shows up and connects to this switch and starts getting copies of the traffic between those PCs, they might be able to decrypt that traffic, maybe that traffic isn't even sending clear text, maybe they can get a system to send them their traffic. they modify it or capture it and then send it to the destination, but how would that work? I mean, think about this. One of the great things we love about a Cisco jack or an Ethernet switch in general is that the switch is built. a table of mac addresses will learn what mac addresses are available on different ports and then when traffic comes in, say from one of these laptops, it will look at the destination and the destination is the other laptop, it will say "oh that lives". this port so I'm only going to send traffic out of that port we're not going to send anything to this attacker who just connected how would that work how can that attacker inject himself into this conversation when a switch by its nature prevents that That's what we're going to talk about.
I want to talk about three different ways an attacker could launch a man-in-the-middle or on-path attack. One option is to flood the MAC address table on this switch. Just to give you a preview, this switch I think holds a little over 8,000 MAC addresses in its MAC address table. What if it were full? If that address table were completely full and someone connected, would the switch learn their MAC address? No, there is no room to store the MAC address of that newly connected machine. So if I'm sending traffic to that new machine that just connected and the switch didn't learn its MAC address, how can I get to that machine?
The switch does not know where it lives. So it floods: the switch will flood that traffic out of all ports except the port the frame arrived on. That's one way an attacker could inject itself: it fills up a switch's MAC address table so that when a device connects, traffic going to that newly connected device will be flooded out all ports, including the port the attacker is connected to. We'll also talk about ARP poisoning, where we might convince an internal system, and convince a router, that they should forward their traffic to us instead of to the router or that end system. And if we can use our own DHCP server to tell a client about IP address information, DNS information, and default gateway information, we can direct them to us as their default gateway, or we can direct them to our DNS server, so if they're trying to go to a social networking site, maybe we direct them to what looks like a social networking site but is actually something under our control, and we are capturing their credentials when they try to log in. So let's talk about each of these, this one first.
I talked about how we can fill a switch's MAC address table, and if we do that, the MAC address of a newly connected device will not be learned. This is what an attacker could do: they could send, from their single PC, a series of frames to the switch using an app like macof (short for MAC overflow), or a tool they wrote themselves. That attacker can send thousands and thousands of frames to the switch within a matter of seconds, and claim that each frame is coming from a different MAC address, and the switch will think there are something like 8,000 MAC addresses living off this port, which is possible.
I mean, if that port is connected to a switch that connects to a lot of other switches that connect to a lot of other switches with PCs on them, yeah, we could have thousands, not likely, but we could have 8,000 devices off a single port in a case like that. But an attacker could use this application called macof that comes bundled with Kali Linux. Here's a little video of me doing it on Kali Linux, and in about three seconds I populated the MAC address table of this very switch. Here's a MAC address table count I did after about three seconds of this flood using macof, and it says that this switch was capable of storing 8,170 MAC addresses, and at this moment how many are available? Zero.
In about three seconds I sent over 8,000 frames to that switch, each one claiming to be from a different MAC address, and it completely saturated and populated that MAC address table. I'm about to show you in a live demo how we can fight that using a feature called port security. Another thing that could happen is a DHCP attack. With the DHCP attack, we are trying to convince a user to talk to our rogue DHCP server and get information from us, and we can send them information that says here is your IP address and here is your default gateway.
What happens if we, as the attacker, give our own IP address as the default gateway? Well, suddenly, for that poor unsuspecting victim, all the traffic they send out is being sent to us. We could capture it, we could alter it, and then send it on to its intended destination so they don't notice, because it arrives at the destination after we captured it. So we don't want a rogue DHCP server to be created on our network, but here's a way an attacker could launch a DHCP starvation attack, something like using up the entire MAC address space in the MAC address table with the macof utility.
The attacker could use a utility called Yersinia that comes with Kali Linux, and this utility can send a flood of DHCP discover broadcasts out onto the network. Those will get to the corporate DHCP server, and it says yes, I'm a DHCP server, and we say, "Okay, give me an IP address, and here's my MAC address." Kind of like that MAC address flood attack, we're sending a lot of traffic back to that DHCP server saying give me an IP address, give me an IP address, because I'm giving all these fake MAC addresses. That corporate DHCP server only has a limited number of addresses in a pool to distribute, and in a matter of a few seconds we could completely exhaust that pool. So now, if the attacker adds a rogue DHCP server to the network, what will happen when a laptop boots up? It will send that DHCP discover broadcast saying, "Hey, are there any DHCP servers out there?"
Well, the corporate DHCP server won't respond because its pool is exhausted; it has no addresses to distribute. But the rogue DHCP server the attacker recently introduced is going to respond, and that will be a problem for us. The victim may then be told to go to the attacker as its default gateway, the attacker captures the traffic, and the attacker forwards the traffic on to the Internet. One defense against this, and I'm going to show you a defense against this, is port security, which will also be how we defend against the MAC flood attack. Another type of DHCP attack is DHCP spoofing. This is similar and can be used in conjunction with the DHCP starvation attack, but let's take a moment and review, just to make sure we're all on the same page, how DHCP works.
If you ever saw Dora the Explorer, I think it was on Nickelodeon, my daughter used to watch that when they were young, but Dora had a backpack and a map. Recently I saw on TV there was a new Dora, like some kind of lost temple of gold, I don't remember the name, but there's a live-action Dora the Explorer movie that came out, and I thought, oh, I bet that would be cool, it's like Indiana Jones only with Dora the Explorer. I know my kids would love it, it would be fun to watch. Here's my movie review: don't watch it. I made it about 10 minutes and it was so boring I couldn't stand it. Maybe it's made for kids, maybe that was my bad, but I didn't enjoy the movie. In general, though, I have good memories of my little ones watching Dora in the past, and I think of Dora every time I think of DHCP, because Dora, D-O-R-A, reminds me of the four-step process of how we get an IP address. The D is Discover: we send out a broadcast saying, hello, are there any DHCP servers out there? Every DHCP server that hears the discover broadcast will respond with the O, an Offer, saying yes, I am a DHCP server, and whatever offer we receive first, if there are multiple responses, is what the client will use.
Then it will send the R, a Request, saying: could you give me IP address information? And then that server responds with the A, an Acknowledgment, saying yes, here's all your IP address information: here's your address, here's your subnet mask, here's your default gateway, here's your DNS server, and so on. Typically the client will send the discover broadcast, it will go to the corporate DHCP server, which says yes, I'm a valid DHCP server, feel free to use me for your IP address needs. The client will say okay, I would like to formally request IP address information, and the server will give it to us in the form of an acknowledgment message. But what if an attacker attaches their rogue DHCP server to this switch? When the client sends its DHCP broadcast, it will go everywhere within the subnet, or if we have a DHCP relay agent configured it could go to a different subnet, but the rogue server connects to the same subnet as the corporate DHCP server and receives the discover broadcast. Now, not always, but a percentage of the time, that offer message may reach the client before the offer message from the legitimate corporate DHCP server, and since in this case the client received the rogue DHCP server's offer message first, it will say "Okay, I choose you because you are fast at work," we will request information from it, and it gives us false information. How do we protect ourselves?
Well, we can configure a feature called DHCP snooping on our Cisco Catalyst switches. What we do there is say which port is trusted and which port or ports are untrusted. We will say that a port is trusted if it connects to our legitimate DHCP server, so here is the first port on the switch that connects to my legitimate corporate DHCP server, and we will say that it is trusted; all the others will be untrusted. Now, what does untrusted mean? Untrusted means if I receive a DHCP offer message on this port, it will be dropped. So in this case the discover broadcast goes out to both DHCP servers.
The good and the bad DHCP server both respond, but when the attacker's offer message tries to enter the switch, bam, it will be dropped because it is trying to enter an untrusted port. I will show it to you on a live interface in just a few moments. In fact, we'll configure it on this switch. I'll show you how to configure DHCP snooping; I think you'll enjoy that. Another way an on-path attack could be launched is with ARP poisoning. Remember how ARP works: when a PC gets its IP address information and wants to connect to the Internet, for example.
In this case, the victim's laptop knows that its default gateway is 10.1.1.1, but the first time it tries to talk to 10.1.1.1 it doesn't know the MAC address of 10.1.1.1. How does it learn it? By using an ARP broadcast, Address Resolution Protocol. It says hey, can someone tell me the MAC address of 10.1.1.1? And the router says, oh yeah, that's me, I have the MAC address of all A's, let's pretend. By the way, that frame that came from the victim's laptop came from the MAC address of all C's on the victim's laptop, so the router simply updated its ARP cache to know that the victim's laptop at 10.1.1.100 has a MAC address of all C's, and the router responds yes.
I am the MAC address of all A's, I am 10.1.1.1, and the PC says thank you very much and updates its ARP cache. So now the laptop and the router know each other's MAC address, and the laptop sends a frame to the MAC address of its default gateway, which will then take it to the Internet. What if an attacker appears, and that attacker is able to convince both the PC and the router that traffic should be sent to it? This is what I mean. The attacker will send what are called gratuitous ARP replies; in other words, the PC did not ask for MAC address information, its ARP cache is already complete, everything is fine, but the attacker sends unsolicited, or gratuitous, replies that say "um, just so you know, 10.1.1.1 is at the MAC address of all B's," and that's the attacker's MAC address. The victim's laptop gets it and says oh, thank you very much.
Silly me, I thought it was the MAC address of all A's. I'll update my ARP cache to reflect that when I want to go to 10.1.1.1 I'm going to go to the MAC address of all B's. And see what just happened here: when the victim tries to go out to its default gateway, it goes to the attacker. Now the attacker also wants to convince the router that it is the laptop, so it will send a gratuitous ARP to the router saying 10.1.1.100, that's me, I have the MAC address of all B's, and the router says oh, thanks for the update, and updates its ARP cache. So now, just by lying about this, the attacker has logically injected himself into this path, and the traffic going between the PC and the router, as you can see, flows through the attacker's laptop, where it could be capturing the traffic or could be altering the traffic. This is called an ARP poisoning attack, and I'm going to show you that there is a feature that works hand in hand with DHCP snooping, called Dynamic ARP Inspection, that can prevent this type of thing from happening.
In fact, let's go out to the live interface right now. I'll make this full screen so you can see it a little better. Here we are sitting on switch SW1, which is the Cisco Catalyst 2960-CG that I've been showing you during today's session, and let's configure these three features. First of all, port security will help us defend against the MAC flooding attack and against the DHCP starvation attack, and what it does is limit the number of MAC addresses that can be learned off a single interface. Let's go to global configuration mode and configure the first port on the switch. Let's go to interface gig 0/1. There is a requirement for a port to do port security: that port must be an access port, so I'm going to say switchport mode access instead of dynamic or instead of trunk;
It will be an access port. Now I can enable port security with the switchport port-security command. Now with port security we said we could specify the maximum number of MAC addresses that can be learned off a single port. Set it to, I don't know, sometimes we are running virtual machines. I run a lot of virtual machines on my Mac, if I want to run Microsoft Windows 11, for example, so I like to give myself about four or five MAC addresses per port just to account for things like that. So let's set this up to allow, say, four MAC addresses.
I will say switchport port-security, still in interface configuration mode, and I will say maximum 4. I will allow four MAC addresses to be learned, and now that we have said that we are going to learn a maximum of four MAC addresses on this port, the next decision we need to make is what happens if a fifth MAC address appears. How do we respond to that? We have options; we could say what our violation action is going to be, and I'll show it to you in just a moment, but I want to show you something else first. The maximum number of MAC addresses: do they have to be specific MAC addresses?
Well, they could be. Let me show you. You could say switchport port-security and you could give a series of MAC addresses. You could say mac-address and you could set a MAC address. You could enter the command again to set another and another and another. That's a lot of work; you probably don't want to do it manually. What I can do instead is say sticky. If I say sticky, then it will dynamically learn the first four MAC addresses it sees on this port and put them into the running configuration, so later, after that has happened, maybe I come back the next day and save my configuration.
Those are the first four MAC addresses that were learned, so we're going to assume that those are the four MAC addresses that should be on this port. We could either set them manually, or we could just let whichever four come first be the four that are allowed. But a moment ago I was implying that I would make a decision on how we respond to a violation. What happens if a fifth MAC address appears? What are our violation options? Let's say switchport port-security violation, and we have three options: protect, restrict, and shutdown. First of all, let's talk about protect. Protect says, in this case I'm learning a maximum of four MAC addresses; if a fifth MAC address appears and tries to send traffic to that switch,
we are going to drop traffic from that fifth MAC address. All the previous MAC addresses we will leave undisturbed, so that nothing is interrupted. We will simply block traffic from that fifth MAC address. The restrict option is very similar to protect. With restrict, we're still going to drop frames coming from MAC address number five or MAC address number six, we're still doing that, we're still not interrupting anyone else, but we're going to increment something called the switch's security violation counter, so there will be a record that a violation occurred. We're not going to interrupt the first four legitimate MAC addresses, but at least we'll have a record that a violation occurred.
I'll show you how to see that here in just a moment, but actually I'll show you after I give you the shutdown option. I'm going to say that my violation option is restrict. I want to make a record but not interrupt the first four MAC addresses. Or I can be very restrictive and say shutdown. Shutdown says if there is a violation, then something must be happening, something that is not good in the neighborhood right now, so I'm going to block everyone; we're going to put this port into what's called an err-disabled state, and we're going to stay in that state until, after a period of time, we try to get out of that state, or someone bounces the interface.
Now I'm going to say restrict, that's my go-to, and I could say show port-security, and here's the security violation counter that I was talking about. So if we had a violation, someone trying to exceed the four MAC addresses on port gig 0/1, that would register here in the security violation counter. So again, that's how easy it is to configure port security, and that could defend us against that MAC flooding attack and against the DHCP starvation attack. The next thing is DHCP snooping. Remember that with DHCP snooping we say which port is trusted or untrusted, and if a port is untrusted we will drop any DHCP offer packets arriving on that port, so here I will enable it globally.
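To make the MAC-table behavior and the three violation modes concrete, here is an added Python model (not the session's code and not how Cisco IOS implements port security). It assumes three ports, a small table capacity in place of the 8,170 entries quoted above, and constructed MAC addresses; the violation counter is simplified to one increment per dropped frame.

```python
"""Model of a switch MAC address table with a port-security maximum.

Added example: mimics how a switch learns source MACs per port, what
happens when the table fills (unknown unicast is flooded out every other
port, including the flooder's), and how 'switchport port-security
maximum 4' with protect/restrict/shutdown changes that. All addresses,
ports and the table capacity are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"      # protect | restrict | shutdown
    learned: set = field(default_factory=set)
    violation_count: int = 0         # the counter 'show port-security' reports
    err_disabled: bool = False


class Switch:
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity     # how many MACs the table can hold
        self.mac_table = {}          # mac -> port
        self.security = {}           # port -> PortSecurity

    def enable_port_security(self, port, maximum, violation):
        self.security[port] = PortSecurity(maximum, violation)

    def _port_security_allows(self, port, src_mac):
        sec = self.security.get(port)
        if sec is None:
            return True
        if sec.err_disabled:
            return False             # shutdown mode already took the port down
        if src_mac in sec.learned:
            return True
        if len(sec.learned) < sec.maximum:
            sec.learned.add(src_mac)     # sticky-style learning of the first N
            return True
        # address number maximum+1: apply the configured violation mode
        if sec.violation == "shutdown":
            sec.err_disabled = True
            sec.violation_count += 1
        elif sec.violation == "restrict":
            sec.violation_count += 1     # drop, but keep a record
        # protect drops silently
        return False

    def receive(self, in_port, src_mac, dst_mac):
        """Return the ports a frame is forwarded out of."""
        if not self._port_security_allows(in_port, src_mac):
            return []
        if src_mac in self.mac_table or len(self.mac_table) < self.capacity:
            self.mac_table[src_mac] = in_port
        out = self.mac_table.get(dst_mac)
        if out is None:
            # unknown destination: flood out every port except the ingress port
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def _fake_mac(i):
    return f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"


def table_fill_effect(capacity=20):
    """No port security: a flood of fake source MACs from g0/3 fills the table,
    so traffic to a laptop that connects afterwards is flooded to g0/3 too."""
    sw = Switch(["g0/1", "g0/2", "g0/3"], capacity)
    for i in range(capacity):
        sw.receive("g0/3", _fake_mac(i), "ff:ff:ff:ff:ff:ff")
    sw.receive("g0/2", "cc:cc:cc:cc:cc:cc", "aa:aa:aa:aa:aa:aa")   # laptop joins, not learned
    return sw.receive("g0/1", "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc")  # reply is flooded


def with_port_security(violation, capacity=20):
    """Same flood with 'maximum 4' on g0/3: only four fakes get in, the laptop
    is learned, and the reply goes out g0/2 only."""
    sw = Switch(["g0/1", "g0/2", "g0/3"], capacity)
    sw.enable_port_security("g0/3", maximum=4, violation=violation)
    for i in range(capacity):
        sw.receive("g0/3", _fake_mac(i), "ff:ff:ff:ff:ff:ff")
    sw.receive("g0/2", "cc:cc:cc:cc:cc:cc", "aa:aa:aa:aa:aa:aa")
    out = sw.receive("g0/1", "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc")
    sec = sw.security["g0/3"]
    return {"learned": len(sec.learned), "table_size": len(sw.mac_table),
            "violations": sec.violation_count, "err_disabled": sec.err_disabled,
            "forwarded_to": out}


if __name__ == "__main__":
    print("no port security:", table_fill_effect())
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, with_port_security(mode))
```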
I'll say ip dhcp snooping, and that turns it on globally, but the thing is, even though I've turned it on globally, it's still not active for any of our VLANs. You have to turn it on for one VLAN at a time. In my case we only have one VLAN, it's VLAN 1, so I'll say ip dhcp snooping vlan 1, and let's go back into the gig 0/1 interface that we were using, and I'll say ip dhcp snooping trust. Let's assume gig 0/1 is the port that my legitimate corporate DHCP server resides on. Then I can start dropping DHCP server traffic coming in on any other port.
I can say show ip dhcp snooping, and you can see that I trust gig 0/1. All the others will be untrusted, which means that I'm going to drop any DHCP offer messages that try to come in on any port that is not gig 0/1. That is a feature that will help combat the DHCP spoofing attack. But remember the ARP poisoning attack; let's see how we can better defend against that. We can use something called DAI, Dynamic ARP Inspection, and with Dynamic ARP Inspection we are actually leveraging a table that is built by our DHCP snooping configuration. I mean, the DHCP snooping configuration that I configured was pretty simple.
I turned it on, enabled it for a VLAN, and said which port was trusted. We're done, but in addition to blocking offer messages coming in on other ports, there is a table being built in the background. That table is built by snooping on these DHCP messages; the switch is not just looking for offer messages, it is actually reading the content of these DHCP messages. It knows that a specific IP address with a specific MAC address lives off of a specific port, so with Dynamic ARP Inspection, if it starts receiving information that is not consistent with what has been learned through DHCP, it can drop that traffic.
Let me show you how to activate it. Let's go back to global configuration mode and I'll say ip arp inspection vlan 1, so I want to turn on ARP inspection for VLAN 1, and let's say I want to trust only that first port again. I'll say interface gig 0/1 and ip arp inspection trust, so don't examine the traffic on this port. Everything else will be untrusted, so now DHCP snooping will build that table, and if an ARP packet appears on a particular port that is not consistent with the IP and MAC address assignments that the DHCP server has delivered, as if someone were spoofing a MAC address, then it will be denied, it will be blocked. So we looked at three different tools that we can use to better defend against these on-path attacks: we took a look at how to configure port security, we took a look at how to configure DHCP snooping, and building on that, after we configured DHCP snooping, we then configured DAI, Dynamic ARP Inspection.
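To show how the binding table that DHCP snooping builds is what DAI checks against, here is an added Python model of the two features working together (not the session's code and not how IOS implements them). It assumes the corporate DHCP server and the router both sit behind trusted port g0/1, the victim on g0/2 and the attacker on g0/3, and reuses the constructed addresses from the walkthrough (10.1.1.1 at all A's, 10.1.1.100 at all C's, the attacker at all B's).

```python
"""Model of DHCP snooping plus Dynamic ARP Inspection on a single VLAN.

Added example: trusted ports pass DHCP server messages and ARP unchecked;
on untrusted ports, server messages (OFFER/ACK) are dropped and ARP is
checked against the binding table that snooping builds from DHCP ACKs.
Addresses, ports and messages are constructed for the walkthrough.
"""
from dataclasses import dataclass

GATEWAY_IP, GATEWAY_MAC = "10.1.1.1", "aa:aa:aa:aa:aa:aa"    # router, all A's
VICTIM_IP, VICTIM_MAC = "10.1.1.100", "cc:cc:cc:cc:cc:cc"   # victim laptop, all C's
ATTACKER_MAC = "bb:bb:bb:bb:bb:bb"                          # attacker, all B's


@dataclass(frozen=True)
class Dhcp:
    kind: str           # DISCOVER | OFFER | REQUEST | ACK (the D-O-R-A steps)
    client_mac: str
    your_ip: str = ""   # address handed out in OFFER/ACK


@dataclass(frozen=True)
class Arp:
    sender_ip: str      # the IP the sender claims to own
    sender_mac: str     # the MAC it wants others to cache for that IP


class SnoopingSwitch:
    SERVER_MESSAGES = {"OFFER", "ACK"}

    def __init__(self, trusted_ports):
        # ports with 'ip dhcp snooping trust' and 'ip arp inspection trust'
        self.trusted = set(trusted_ports)
        self.client_port = {}   # mac -> port its DISCOVER/REQUEST arrived on
        self.bindings = {}      # snooping binding table: mac -> (ip, port)
        self.dropped = []       # audit trail of everything the switch refused

    def dhcp_in(self, port, msg):
        """Return True if the DHCP message is forwarded, False if dropped."""
        if msg.kind in self.SERVER_MESSAGES and port not in self.trusted:
            # a rogue server's OFFER/ACK never gets past an untrusted port
            self.dropped.append(("dhcp", port, msg.kind))
            return False
        if msg.kind in ("DISCOVER", "REQUEST"):
            self.client_port[msg.client_mac] = port
        elif msg.kind == "ACK":
            # a trusted server's ACK binds ip <-> mac <-> the client's port
            cport = self.client_port.get(msg.client_mac)
            if cport is not None:
                self.bindings[msg.client_mac] = (msg.your_ip, cport)
        return True

    def arp_in(self, port, pkt):
        """DAI: on untrusted ports the sender ip, mac and port must match a binding."""
        if port in self.trusted:
            return True
        if self.bindings.get(pkt.sender_mac) != (pkt.sender_ip, port):
            self.dropped.append(("arp", port, pkt.sender_ip, pkt.sender_mac))
            return False
        return True


def scenario():
    """Victim on g0/2, attacker on g0/3, DHCP server and router behind trusted g0/1."""
    sw = SnoopingSwitch(trusted_ports={"g0/1"})
    sw.dhcp_in("g0/2", Dhcp("DISCOVER", VICTIM_MAC))
    rogue_offer = sw.dhcp_in("g0/3", Dhcp("OFFER", VICTIM_MAC, VICTIM_IP))  # rogue server
    sw.dhcp_in("g0/1", Dhcp("OFFER", VICTIM_MAC, VICTIM_IP))                # corporate server
    sw.dhcp_in("g0/2", Dhcp("REQUEST", VICTIM_MAC))
    sw.dhcp_in("g0/1", Dhcp("ACK", VICTIM_MAC, VICTIM_IP))
    # the attacker also takes a legitimate lease, so its MAC does appear in the table
    sw.dhcp_in("g0/3", Dhcp("DISCOVER", ATTACKER_MAC))
    sw.dhcp_in("g0/1", Dhcp("ACK", ATTACKER_MAC, "10.1.1.50"))
    return {
        "rogue_offer_forwarded": rogue_offer,
        "bindings": dict(sw.bindings),
        "router_reply": sw.arp_in("g0/1", Arp(GATEWAY_IP, GATEWAY_MAC)),
        "victim_reply": sw.arp_in("g0/2", Arp(VICTIM_IP, VICTIM_MAC)),
        # the two gratuitous replies from the ARP poisoning walkthrough
        "poison_victim": sw.arp_in("g0/3", Arp(GATEWAY_IP, ATTACKER_MAC)),
        "poison_router": sw.arp_in("g0/3", Arp(VICTIM_IP, ATTACKER_MAC)),
        "drops": len(sw.dropped),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```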
Next, let's take a look at some other attacks, and we'll take our first break here in a moment. I realize we've been at it for a while, but first I want to take a look at some other attacks. The next one is a VLAN hopping attack. With a VLAN hopping attack, an attacker could be trying to get access to a VLAN that might contain some secure server they shouldn't have access to, so there is a security policy that says a person on VLAN 1 is not allowed to get to VLAN 5 here.
One way to gain access to a prohibited VLAN is to do switch spoofing; in other words, the attacker's machine can pretend to be a switch. Remember the protocol a Cisco Catalyst switch uses to dynamically form a trunk? Come on into the chat if you remember what protocol a Cisco Catalyst switch uses that can dynamically form a trunk, and remember a trunk by default allows traffic from all VLANs to flow through that trunk. Yes, it is DTP, the Dynamic Trunking Protocol, great job. So using a tool like Yersinia, which is another one of those tools that is available on Kali Linux, or you can install it on other versions of Linux, the attacker could send DTP frames and convince switch SW1 in this case that it is talking to a switch. SW1 says I'm talking to another switch, they just sent me a DTP announcement, so we form an 802.1Q trunk over that link, which gives the attacker access to VLAN 5.
I'll just tag my frame with VLAN 5; it goes to SW1, SW1 sends it through to SW2, SW2 says oh yeah, I'll send this to my VLAN 5 ports, and we get to the victim. Another option is to do something called double tagging. Even if I don't claim to be a switch, maybe DTP is disabled on a particular port for security, as it should be, the attacker could do something called double tagging if they know the native VLAN between switch SW1 and switch SW2. Remember, on an 802.1Q trunk, what is a native VLAN? On an 802.1Q trunk, a native VLAN is the only VLAN that is not tagged. By default it is VLAN 1, but for every other VLAN there will be four tag bytes added to each frame, and there are some bits in those tag bytes that identify our VLAN membership, except for the VLAN that we distinguish and call our native VLAN, and again, by default, that is VLAN 1. What if we did this?
If the attacker knows the native VLAN between switch SW1 and SW2, or is guessing that you left it at the default (we should probably change our native VLAN, but they may be assuming the default of VLAN 1 is being used), what they're going to do is take their frame and tag it with VLAN 5. That's the destination we want to go to, VLAN 5, and that's where the victim lives, but we'll put another tag on the outside that says VLAN 1. So here's what happens: this goes to switch SW1, it says oh, I see you're tagged with VLAN 1, you know, that's actually the native VLAN of this port that goes to switch SW2, so let me take that tag off.
We don't tag VLAN 1 traffic. We don't add those four extra tag bytes, so now that exposes the VLAN 5 tag, and the frame goes to the victim system. Now, in this case, as opposed to switch spoofing, there is no return path; if we try to get information back from the victim, double tagging won't do it for us. Double tagging may get us to that VLAN, but it won't allow return traffic to arrive back. This could be used for a denial of service attack: if we are trying to flood the victim's system, the victim belongs to VLAN 5, we don't have access to VLAN 5, the attacker could double tag his frames, if they can correctly determine the native VLAN between a pair of switches, and they can start flooding the victim with tons of traffic.
Another very, very common type of attack is a social engineering attack. This is where someone basically uses social skills to obtain information and access they shouldn't have access to. In fact, one of my favorites, in fact my favorite book that talks about phone hacking and tampering, is by Kevin Mitnick. I have it on audio; I've listened to it maybe three times. It's called, uh, Ghost in the Wires. Actually, you know what, let me look for that, I want to make sure I get it right. Yeah, I think it's Ghost in the Wires. Let me open this up real quick. Yeah, I'm a big fan of Kevin Mitnick, I have some of his books. Let's see, let me go to Amazon real quick here, and I think it's Ghost in the Wires, yeah.
That's it, Ghost in the Wires. I would recommend that book if you just want to hear some real-life war stories, so to speak. He was known as the world's number one most wanted hacker for a time. He has gone good now; he has a cybersecurity company, but yeah, there are some really interesting stories in there. The reason I thought of him was simply that an enormous number of the attacks he was able to carry out were based on social engineering. He would use good social skills to convince someone to let him in, give him physical access to a room that he should not have access to, or simply give him a certain amount of information through social engineering techniques.
One type of social engineering attack we see a lot is phishing. You may have received an email that said something like: this is your bank and we are going to reset your password, or maybe it's your social networking service, we are going to reset your password, you need to log back in, and they give you a link to reset your password. You go to a page that looks like the bank's page, but it's actually not; it's a page that the attacker has, and they see that you entered your old password, and suddenly they have your username and password information. That's phishing, and we want to be very cautious about that.
We should be very cautious about clicking on any link that comes within an email. Physically, one way to gain physical access to an environment could be through tailgating. Say there is a secure door where people have to go through, perhaps to enter a data center or maybe to enter a building. This is something Kevin Mitnick would do when he wanted access to buildings; he would do something like this: he would pretend to be, say, a delivery driver carrying a large box, potentially heavy, and see someone walking in, so he jumps out of his car and starts carrying this box.
He says, "Hey, buddy, can you hold the door for me?" And humans are good people; many people are good, and just trying to help is our nature. So, oh yeah, let me help you, let me get that door for you, and they'll hold the door open while the malicious user walks in with this box that doesn't actually contain anything, and now he has access to the building. That is called piggybacking. Another way an attacker could do social engineering is called shoulder surfing, where they are looking over the shoulder of someone entering a password or entering a PIN. Now, personally, I have not practiced this. If I see someone typing a password on the keyboard, I don't know what they typed, but some people who have practiced this are really very good; they can see you type something of eight
characters and they know what you're typing just by looking at your fingers on the keyboard, so you may have to be very careful who's around when you're entering password or PIN information. Another common type of attack is malware. Malware is different from a virus; often a system gets infected with a virus and it maybe destroys things in our system. Malware could do that, or malware could be used for other purposes. I gave the example of malware earlier when we were talking about a DDoS attack, a Distributed Denial of Service attack. We said that maybe through some kind of game app that people downloaded, we infected computers all over the world with malware.
Well, one feature of that malware in that example was the ability for someone to get in through a backdoor from that command and control server and get access to these PCs or smartphones or wireless routers that live all over the world, because they have been infected with malware. An attacker could also poison DNS. If they can convince us to go to their DNS server, which they can do if they can send us information from their DHCP server, they can poison DNS so that when we try to go to a popular social networking site, we're instead redirected to their site, which looks like that social media site, and they capture our password information.
One type of malware that is really ugly is ransomware. A few years ago there was a very well-known one in the news called the WannaCry virus. WannaCry made you want to cry because it would literally hold your data for ransom. You would get this big red screen saying your computer's data has been encrypted, and they weren't lying; they encrypted the data on your computer and said if you want to unlock your data we will give you the key, but you need to send us this amount of Bitcoin. It got so bad that people were losing their data and they went to the authorities.
The response from the authorities reached the point where they said our only option is to pay; we can't decrypt your data, so if you want any chance of getting your data back you'll have to pay the ransom. Now, a percentage of the time people would pay the ransom and get their key; sometimes they paid the ransom and still lost their data, they never got a key. So yeah, I'm a big proponent of having malware scanners, ransomware scanners, and virus scanners on our devices to better protect ourselves. Another type of attack is spoofing, and we saw this earlier. A spoofing attack is where an attacker claims to be coming from an IP address that it's not actually coming from. This is what we were doing in that attack earlier: the attacker was claiming to be the victim's IP address when it sent that directed broadcast, when we pinged the directed broadcast.
Yes, they were spoofing his IP address. By the way, we might prevent that on our Cisco routers using a feature called RPF, Reverse Path Forwarding. What RPF is going to do is make sure that we are not receiving traffic from an IP address on an interface where it should not be seen. It looks at the source IP address of packets coming into an interface and compares it to the router's IP routing table, and the router asks, if I were to send traffic back to that IP address, which interface would I use? Oh, I would use gig 0/2. If that IP address came in on gig 0/5, that's inconsistent with the IP routing table, and if we're running Reverse Path Forwarding on the router, it will block that traffic. Deauthentication is something an attacker could use against a wireless access point. For example, here is a Cisco wireless access point, and although this is better with Wi-Fi 6, most access points don't run Wi-Fi 6; we are still running 802.11ac, which is Wi-Fi 5. But let's say I have my smartphone connected and authenticated with this wireless access point. As an attacker, I can send deauthentication frames to this access point to knock that smartphone off, and it will try to re-authenticate. In fact, if you join us for our Certified Ethical Hacker training, I show you how to do it on Kali Linux.
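The reverse-path check described above, as an added Python example (not the session's code and not IOS's implementation): a constructed routing table, a longest-prefix-match lookup, and a strict RPF decision that drops a packet whose source address would be reached through a different interface than the one it arrived on.

```python
"""Strict Reverse Path Forwarding check against a routing table.

Added example with a constructed routing table: 10.1.1.0/24 lives off
gig 0/2 and the default route toward the Internet is gig 0/5, as in the
walkthrough. A packet claiming an internal source that arrives from the
Internet side fails the check.
"""
import ipaddress

# constructed routing table: (prefix, egress interface)
ROUTES = [
    ("10.1.1.0/24", "gig0/2"),
    ("10.1.0.0/16", "gig0/3"),
    ("0.0.0.0/0", "gig0/5"),      # default route toward the Internet
]


def lookup(address, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach address."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_accept(src, in_iface, routes=ROUTES):
    """Strict RPF: accept only if the reverse path to src leaves via in_iface."""
    return lookup(src, routes) == in_iface


def filter_packets(packets, routes=ROUTES):
    """Apply the check to (src, in_iface) pairs; return the dropped ones."""
    return [(src, iface) for src, iface in packets if not rpf_accept(src, iface, routes)]


if __name__ == "__main__":
    sample = [("10.1.1.100", "gig0/2"),   # legitimate internal host
              ("10.1.1.100", "gig0/5"),   # internal source arriving from the Internet side
              ("203.0.113.7", "gig0/5")]  # ordinary Internet source
    print("dropped:", filter_packets(sample))
```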
I have Kali Linux send a bunch of deauthentication frames to a wireless access point and it knocks my phone off. When my phone tries to reconnect, it tries to re-authenticate, and it goes through a four-way, not a three-way, handshake. I capture what happens with that four-way handshake in the demo. I do that in what I think is called our Pro Ethical Hacking course, but it prepares you for the Certified Ethical Hacker exam. I take the information captured in that four-way handshake and I run a brute force attack against it with a password list of about 14 million commonly used passwords, and sure enough, that was one
of the commonly used passwords. I think in that demo I used my favorite Star Wars Sith Lord, Darth Bane. If you've ever read the Darth Bane trilogy, it was actually a good read, but Darth Bane was the password I used in that example and, wouldn't you know, that was one of the commonly used passwords on that list that I used for my brute force attack. In about 20 minutes I was able to get into that access point. In that case, it was an isolated lab and it was my own equipment; I was not accessing someone else's network.
I was doing it for demo purposes only, on my own machine, but that's what we can do with deauthentication frames, and again, that gets better with Wi-Fi version 6, which we'll talk about later today. But also, some of the Cisco APs even before Wi-Fi 6 could bypass those deauthentication frames. And I mentioned that if we get some data, if we get a hash string or an encrypted string, or we look at that four-way handshake with a wireless network, we could run a brute force attack against that captured data. Take MD5, for example, the hash that we talked about earlier.
You could take a bunch of different commonly used passwords and run the MD5 hash on them to see if they match that string that I have; if so, that's probably the password. So even though we can't decrypt something that has been hashed, we can run a brute force attack on a list of passwords and see if any of their hashes match the hash that we have and that we are trying to figure out. That's a brute force attack. How do we defend against some of these different threats that are out there? Just some best practices. Many of them are common sense, but do we do them? As Brendon Burchard says,
common sense is not always common practice. We have things like our IDS or IPS sensors, and I mentioned that they have a signature database; we need to keep that signature database up to date, so let's make sure we do good signature management. There is also a collection of best practices for hardening a device, such as turning this on, turning this off. Cisco has a macro that you can use on some Cisco routers. Do this on a non-production network when you're first experimenting with it, but you can go into global configuration mode, or not even global configuration mode.
You can just say auto secure, and it will guide you through a wizard that allows you to apply a set of security best practice recommendations to your Cisco router. We should probably change the native VLAN as well. I showed you a VLAN hopping attack earlier that relied on the attacker knowing the native VLAN that was being used on the 802.1Q trunk, so we would probably change that to something other than 1, maybe change it to 20 as an example. Another thing we should do is not give users too much access to things they may not need access to;
in other words, we want to define the privileges given to different user accounts. And when we talk about users, if we send them a file, if they are downloading a file, then in addition to just downloading that file we might also want to send them a hash digest, or we could use HMAC, to say that you should be able to calculate this same hash digest by running it on this file, to make sure the integrity of the file hasn't been compromised or modified in transit. And when we are configuring users, let's give them different roles; let's not give them more permission than they need.
We can also protect our networks by installing distractions. We can install a server called a honeypot. A honeypot is a server that's very weakly protected, so if an attacker tries to scan our network for weaknesses, they're likely to stumble onto this honeypot and say, "Oh, they have these ports open, they don't have this patch applied to their operating system," and the attacker breaks into that honeypot system. Once they're in there exploring, we have data that may seem important but actually isn't; it's not sensitive data, it's a distraction. While they're there, number one, we can see what kind of tools the attacker is using to get into our network so we can defend ourselves better against those approaches, and we are also wasting their time; they spend all their time looking through a pointless system while we are watching them. On a larger scale you could have an entire network that is a distraction, and that is called a honeynet. Something we mentioned earlier is pen testing; it might be worth having someone internal or external do a penetration test on our network to identify any weaknesses. And earlier I gave the university example of segmenting our network into different security zones. Yes, in the university example we want to protect students from bad people on the internet, but we also want to protect our teachers and staff from students who are curious and try to log in and maybe change their grade. It's the classic thing you see in the movies.
Other ways that we could defend against these attacks are to use what I talked about above, what Cisco calls defense in depth, with the metaphor of a pile of blankets on a cold winter night. We don't just install a firewall, we don't just install an IPS sensor, we don't just install malware detection software; we do all of them. We have layers of security overlapping; we want defense in depth in our security. And we're talking about users again: when we add a user, we probably don't want a user to have a default set of permissions to access some things; rather, we will have to give them additional permissions to access other things.
Many people in high-security environments recommend using something called zero trust: when adding a new user, by default they don't have access to a default set of resources, they have access to zero resources. We don't trust them at all until we explicitly give them permission. And let's say a user belongs to two different groups; this group is not allowed to reach this server, this other group can reach this server. If we use the least-privilege approach, the group that is more restrictive, that will be the rule that will be applied, even though the user belongs to these two groups and one group says that yes, you can access the server. With least privilege,
we won't be able to access the server, because the user also belongs to a group that shouldn't have access to that server. We also want to be able to authenticate our users and prove that they are who they say they are. We can set up a database on a router, for example, or a switch, where someone will have to give a username and password to log in to that switch, but that's not very scalable. If we had this on, let's say, 20 routers and someone left our networking department, maybe we fired them, they know the password to our routers, and we're going to have to change it on all the routers; that's not scalable. So what can we do instead? Use AAA. Now AAA is an acronym that stands for Authentication, Authorization, and Accounting.
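The group-resolution rule described above, nothing granted by default and the most restrictive group winning when memberships disagree, as an added example that is not part of the original session. The group names, users and resource names are constructed, and this is a standalone illustration rather than any real directory or AAA product's logic.

```python
"""Least-privilege authorization across group memberships, as described above:
a user gets nothing by default (zero trust) and, where groups disagree, the
most restrictive rule wins.  Added illustration with constructed groups,
users and resource names; not a real directory or AAA implementation."""
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"


# Constructed group policy: group -> {resource: decision}.  Resources a group
# does not mention are simply not granted by that group.
GROUP_RULES = {
    "engineering": {"file-server": Decision.PERMIT, "vpn": Decision.PERMIT},
    "contractors": {"file-server": Decision.DENY,   "vpn": Decision.PERMIT},
    "helpdesk":    {"ticket-system": Decision.PERMIT},
}

# Constructed user directory: user -> set of group names.
USER_GROUPS = {
    "alice": {"engineering"},
    "bob":   {"engineering", "contractors"},   # member of two groups that disagree
    "carol": {"helpdesk"},
}


def authorize(user: str, resource: str) -> Decision:
    """Zero-trust default: no explicit PERMIT from any group means DENY.
    Least privilege: one explicit DENY overrides any number of PERMITs."""
    groups = USER_GROUPS.get(user, set())
    decisions = [GROUP_RULES[g][resource]
                 for g in groups if resource in GROUP_RULES.get(g, {})]
    if not decisions:                 # unknown user, unknown resource, or no rule
        return Decision.DENY
    if Decision.DENY in decisions:
        return Decision.DENY
    return Decision.PERMIT


def explain(user: str, resource: str) -> str:
    """Accounting-style explanation of which group produced the decision,
    so an auditor can see why bob is blocked despite an engineering PERMIT."""
    groups = sorted(USER_GROUPS.get(user, set()))
    denying = [g for g in groups if GROUP_RULES.get(g, {}).get(resource) is Decision.DENY]
    permitting = [g for g in groups if GROUP_RULES.get(g, {}).get(resource) is Decision.PERMIT]
    if denying:
        return f"{user} DENY {resource}: restrictive group(s) {denying} override {permitting}"
    if permitting:
        return f"{user} PERMIT {resource}: granted by {permitting}"
    return f"{user} DENY {resource}: no group grants it (zero-trust default)"


def effective_permissions(user: str) -> set:
    """Every resource the user can actually reach after least-privilege resolution."""
    resources = {r for rules in GROUP_RULES.values() for r in rules}
    return {r for r in resources if authorize(user, r) is Decision.PERMIT}


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "mallory"):
        print(u, sorted(effective_permissions(u)))
        print("  ", explain(u, "file-server"))
```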
Authentication is us proving we are who we say we are, giving credentials. Authorization is asking what we are allowed to do once we are authenticated, and accounting is a kind of audit trail that tells what you did once you logged in. This reminds me of when I went to work at Walt Disney World. At Walt Disney World they had more than 600 Cisco routers and thousands of Cisco Catalyst switches. Well, they didn't want to give me a password, an enable secret password, for 600+ routers. What they did instead was give me an account on a AAA server. I had a username and password, and they gave me authorization to access the routers once I logged in. Then when I ended up leaving Disney, they didn't have to reset the password on 600 routers; they just deleted my account. So that's a lot more scalable in an enterprise environment. There are two basic types of AAA servers that you could find: TACACS+ servers and RADIUS servers, and in some exams you might want to know the difference between these. First of all, TACACS+: the plus means it is a Cisco proprietary implementation of the industry-standard TACACS. RADIUS is an industry standard.
Interestingly, TACACS+ is based on TCP while RADIUS is based on UDP, and UDP is connectionless; if we drop a packet it will not be retransmitted. Something to note there. And with TACACS+, authentication, authorization and accounting are treated as separate entities, separate workers doing those three separate jobs; with RADIUS they're all lumped into one big thing. And with TACACS+, not only does the server authenticate the user, the user authenticates the server, so we know we're not talking to a rogue server. With RADIUS there is only one-way authentication, so I'm arguing that TACACS+ is better in many cases, but there are still plenty of times I'm going to use RADIUS.
RADIUS is often used in wireless networks for authentication. Something else that's different from TACACS+: with TACACS+ we're going to encrypt the whole packet, but RADIUS only encrypts the password that's sent when we give our credentials. And the user authentication could be multi-factor authentication. With multi-factor authentication it's more than just knowing a password; that would be single-factor authentication. It could be something we know, like a password, but it could also be something we have, like some kind of badge or access card or some kind of smart card; maybe something a user is, biometric scanners; or maybe it's where a user is, based on geolocation, where we can have geofencing; or what they do. Let me give you an example with my smartphone. Maybe I have to know a PIN to get into my phone. Or if I'm trying to go to, let's say, a bank, for example, or some other online account, and I have multi-factor authentication set up on that account, then in addition to knowing a password I may have to provide some sort of code that I have in the Google Authenticator app on my phone. The Google Authenticator app shows, I think it's a six-digit string, for these different sites that I have passwords for, and if I try to connect to one of these sites, in addition to giving a correct password, I have only a few seconds to enter the six-digit code that my authenticator app says I need to use. In other words, I have to have a phone with that app, so that's what a user has.
Something a user is: I can do Face ID. I can look at this and it will scan my face with its lidar sensor, and that's who I am. Or on my laptop I have a fingerprint scanner. Where a user is: yeah, I have GPS on my phone. I don't think I'm using a system like this right now, but we could restrict people to only using a service from a particular place. Well, I'll give you a perfect example from not long ago. Last month, in August, yeah, in August, that was last month, my family and I went on a Disney cruise.
I mentioned we're big Disney fans, and we went on the new ship, the Wish. When you're getting on the Wish, once you're there, you'll be able to get access to resources that you wouldn't have access to outside the ship, so when you go to the app it says, "Oh, we see you're at the port, we see you." Basically, in that case it's not so much geolocation but rather access to their Wi-Fi network, but as an example, one of the things that is difficult to get is access to their Star Wars lounge; it is called the Hyperspace Lounge, and reservations go very, very fast. So as soon as we go through security and enter the terminal, as soon as we are geolocated next to the ship, I can access their hotspot and I can make reservations to have the whole family go to the Hyperspace Lounge, which is really cool, by the way. Check out their five thousand dollar Kyber Crystal drink; that's another story. But yeah, it could be that you only have access to certain resources depending on where you are. Or maybe what a user does: on some devices you have to draw a star or make some kind of pattern with your finger, maybe on a keyboard or a touch screen, to show you are who you claim to be. And one acronym or security standard you'll hear a lot about is 802.1X.
This can be used a lot with wireless networks, and in companies it can also be used with wired networks. Basically, a user has to authenticate before they get access to a network, so we could set this up on a switch or we can set this up on a wireless access point. Network access control goes a little further: it does what's called posture validation. It checks the PC or the phone, it checks the device, to make sure that, for example, its operating system has a certain patch applied or that the antivirus software is running a certain version.
We ensure that the device that is about to enter our network has a sufficient level of protection, and if it does, it will be allowed to access the network; if not, it will not be allowed to access the network. We could filter MAC addresses, so if someone brings in a rogue machine, we don't let them onto our network. Or maybe we have a captive portal. This is what you often see in a hotel or maybe on an airplane. If I'm flying Delta, they have their Delta Wi-Fi. You connect to the Wi-Fi on the plane, and when you try to go to a website, not so fast, you have to go to their captive portal; they redirect you to one of their pages where you can pay for access
to the Internet. Or in a hotel, you may see a page that says give me your last name and your room number; if that matches their database, then you can access the network. As well as AAA, another type of authentication system we have out there is called Kerberos, or some people pronounce it Cerberus, named after the multi-headed dog belonging to Hades that stands guard at the gates of Hades. It's actually a little more complicated than AAA. With Kerberos we have to have a ticket to be able to authenticate with, for example, a file server. Metaphorically you are saying, "I have a ticket to access you." To get that ticket you must first authenticate yourself, so we first authenticate with an authentication server, providing whatever credentials we are using. Assuming we are authenticated, then we are given permission to talk to the ticket-granting server, and if the ticket-granting server gives us a ticket, then we can take that ticket and go talk to our file server and say, "We have a ticket, we can talk to you." In some cases this will use those public or digital certificates that we were talking about before, with the public and private key pairs, which will make it a little more scalable. And when we talk about users who log in, years ago we would have a database
for email users, I remember, and there would be another database to access servers or share files on a network, and there may be another database for some other service on the network. That is difficult to keep up with: we have multiple user databases for the same user, and if they change their password in one, it will now not match the other systems. To prevent that, many people will use single sign-on. We can use an LDAP server, which stands for Lightweight Directory Access Protocol, and it can be a single repository on our network to get access to everything: email servers, file servers, whatever. To access VPN services, we have to authenticate only once to that LDAP server. I have asked my students over the years what LDAP server they are using, and I would say more than 90 percent of my students have told me that they are using Microsoft Active Directory for their LDAP server.
By the way, I have a video on YouTube. If you want to see how to set it up for free in a Microsoft Active Directory test environment, you can just search, I think, Kevin Wallace Active Directory, and it should come up if you want to see how it's set up. And IP phones, I said I do a lot in the collaboration world, yes, IP phones can also use those servers. That's a look at some common network attacks and common defenses to protect against those attacks. In module number four, we want to talk about a few different aspects of how we can better protect these things.
Here are wireless access points, so when we communicate from, let's see, here's my wireless tablet. I am communicating and someone intercepts that communication; we want to make sure they can't read it. We have basically the same type of goals that we talked about before. We want things to be confidential. We don't want someone to gain access to a wireless network if they shouldn't have access to that wireless network, and that will be our focus. First, let's consider some different threats we might have in the wireless environment. One is when someone walks into an environment and turns on the radio on their laptop, for example, and just starts scanning the radio waves to see what's out there.
This is sometimes called passive footprinting. They don't actively send traffic or try to do malicious things; they just sit back and observe, listen and understand the terrain of the wireless network: what the access points are, what the MAC addresses or BSSIDs of the different access points are, what channels are being used. By collecting that footprinting information, they could formulate the attack they want to launch. They could also do active footprinting. This is where they're still trying to get the lay of the land, so to speak, but they're actually sending traffic to an access point and getting responses from that access point to try to speed things up a bit. We could also have an attacker spoof their MAC address. Maybe we have wireless security set up so that specific MAC addresses can enter the network and other MAC addresses cannot enter the network.
Well, the attacker could set things up in such a way that they are lying about their address. Today we talked about spoofing an IP address; well, they could be spoofing their MAC address. If they see a user going to a hotspot and they detect that traffic, they say, "Oh, this user has this MAC address on their wireless network card. Well, I'm going to say that I have that MAC address." I saw that the user had MAC address A; I'm going to say that I have MAC address A, and then if we are using MAC address
based security, the attacker will be able to access the network. Another thing they could do is insert their own rogue access point. They could hide it behind a desk or something where it's not obvious, or maybe in a wiring closet, but get connectivity to the corporate network, and then they can go to another place unnoticed and get access to that wired network. Maybe they are in their car in the parking lot, but they put that access point on the second floor and they can still get to it from their car. Yes, they have inserted a rogue access point that gives them another way in to try to do dastardly things on the network. They could also insert a wireless access point and have that wireless access point claim that its SSID is the same as the corporate SSID. That way, when someone goes to join the network, they see that SSID and try to join this evil twin that advertises the same SSID as the legitimate corporate network. What an attacker could do is send deauthentication frames to that access point to override the legitimate authentication of the users and force them to re-authenticate and retry to get back into the network, and a percentage of the time, you guessed it, they will connect not to the actual corporate access point; they will connect to the evil twin and associate with that, where the attacker can then capture those frames that we talked about earlier. Deauthentication, where we could also capture that four-way handshake, is another threat, and we could run a brute force attack against that four-way handshake and determine what the password is. For a user, they could also attempt to hijack an existing session.
Session hijacking is done when someone is already authenticated with an access point, to which they have already provided their username and password credentials, or whatever it is they are providing. Since they're already at that point, the attacker could just hijack that existing session instead of trying to figure out what the password is on their own. One thing we can do is better protect our access points. We don't want to use default passwords; we don't want to use Linksys/Linksys, for example, on our home router as a username and password combination. We want to use strict security standards,
strong passwords; we'll talk about them in this module. But in addition to wireless hacking in the context of Wi-Fi, we also have Bluetooth hacking. I showed you earlier this little Ubertooth One adapter. This is something that allows me to communicate from my PC using Bluetooth, and in that Professional Ethical Hacking course that I told you about, I actually do a demo where I have this connected to a machine that's running Kali Linux and I'm sniffing the Bluetooth environment around me. To my surprise, it picked up my Ember coffee mug. I have a coffee mug in my kitchen that can be controlled with an app that keeps the temperature at a certain level, and I was able to detect it showing up on Bluetooth. So there are a few different types of Bluetooth hacking, and we'll talk about some of them, but Bluetooth in general uses the 2.4 GHz band and is usually a one-to-one communication where one device, like my game controller, talks to another device, like my game console, or maybe my phone talks to my car audio system via Bluetooth.
Examples of connecting Bluetooth devices include things like your mobile phone or, here, I have my Apple AirPods Pro that I put in my ears when I work out, and they connect to my exercise equipment via Bluetooth. We mentioned game consoles. We have speakers. I have some external speakers and yes, I use Bluetooth for that, and I have noticed that those external speakers in our pool area cut out if I place my phone too far away, like on the other side of the pool, or place it under a pile of things that block the Bluetooth signal.
The Bluetooth signal doesn't reach that far and yes, the audio does start to cut out when I do this. The good news is that most security concerns are usually with older Bluetooth devices, where we could do some things that maybe we shouldn't do, but let's take a look at some of the threats we could have with Bluetooth. By the way, the range is not that big; normally it is about 30 feet, about 10 meters or so. One type of Bluetooth hacking is called bluejacking, and with bluejacking the attacker sends information to a device. For example, I want to insert maybe a new contact card in someone's contact list; well, that would be an example of bluejacking. Bluesnarfing, that's where we are learning information about a device; we are doing some reconnaissance on that device and collecting information about it. We could also launch a denial of service attack on that device with bluesmacking. Bluebugging, as the name suggests, allows us to eavesdrop on maybe a phone conversation, and blueprinting is a kind of passive inspection; we're just getting a shot of the Bluetooth landscape.
No pun intended, but I'm learning what's out there with blueprinting. Those are some of the things where we can inject data into a device like a phone with bluejacking, collect information about that device with bluesnarfing, launch a denial of service with bluesmacking, eavesdrop with bluebugging, and with blueprinting simply do a kind of study of the environment. Now let's talk about how we can defend against different types of wireless attacks, and going back to our discussion about Wi-Fi, let's say we have a goal of not wanting someone to spy on our data, or
we don't want them to get access to the network if they shouldn't have access to the network. Let's say I have this access point in my building. Let me ask you this: would you ever put an Ethernet port on the outside of your building and let someone drive up in their car and maybe plug into that Ethernet jack? No, that wouldn't be safe, but that's essentially what we're doing if we have a weakly secured, poorly located access point where the signal could spread into the parking lot; someone could come up and have access to the corporate network. To prevent that, we might want to reposition the access point; we might want to reduce its power level so that the coverage area doesn't have as big a radius; but we want to make sure that someone will have to authenticate before they can gain access to the network, rather than just having access to the signal. And once we are transmitting data on the network, if someone could listen in and capture that data, we don't want them to be able to do anything with it, so we want to encrypt it, much like we talked about before. There are a number of different wireless security standards.
Let's go back to the original security standard for wireless networks in the original 802.11 specification. It was something called WEP, which stands for Wired Equivalent Privacy. Now the name is a bit misleading. I think Wired Equivalent Privacy sounds to me like we're saying this is equivalent to being on a wired network, that's the level of privacy you get. It's nowhere near the level of privacy you get on a wired network; in fact, this is a very, very weak security standard. It uses the RC4 encryption algorithm, and that stands for Ron's Code 4. The problem is with Ron's Code 4, or rather, the problem is how it's implemented. You see, RC4 will take the data string that we're trying to protect, it'll take our pre-shared key, and it'll take something called an initialization vector, an IV, and it'll mathematically mash all that stuff up
together: the string we are trying to encrypt, the pre-shared key, and the initialization vector. The problem with RC4 here is that it uses a very short initialization vector; it is only 24 bits long. That may seem like a lot, but with a decent amount of traffic on a WEP network, if you capture the traffic for about eight minutes, there are utilities on the Internet that can take those captured packets and determine what the pre-shared key is in about eight minutes. That's just great. Now, what I mentioned there was the pre-shared key.
I remember earlier we talked about having a symmetric key. That's something like a pre-shared key. We go to the client, we go to the access point, and we give them both the same key. If you want to add a new device to your wireless network, someone gets a new phone, you enter the pre-shared key that everyone uses, and that pre-shared key will be used with whatever encryption algorithm we use to encrypt the data. Again, this isn't going to scale very well if we had an enterprise environment with hundreds or maybe thousands of users. We don't want to give everyone the pre-shared key, which could be lost or someone could reveal it; that's not a nice thing. So in a large environment we don't want to use pre-shared key or personal mode; we want to use something called enterprise mode.
Here we have an authentication server, like the typical RADIUS server we talked about earlier. This is actually the 802.1X that we mentioned, which we could use with a switch or we could use with an access point. It actually has three roles that are played here. One of them is the device that is trying to gain access to the network, which is called the supplicant. A supplicant is asking for something, so the supplicant is asking for permission to access the network. Then there's the authenticator, and I think that name is a little misleading too; that's the switch, or in this case the access point. The authenticator is just a kind of relay that is taking these messages coming from the supplicant and transmitting them to our RADIUS server, and the RADIUS server is our authentication server. So the supplicant tells the authenticator, I would really like to join the network.
The authenticator sends it to the RADIUS server, and if we have provided the appropriate credentials, the RADIUS server will create a key just for me and only for that session, and give a copy of that key to the authenticator, the access point, and to me, the client. For the duration of that session, the client and access point will use that symmetric key pair to encrypt their data. But again, we don't want to use RC4 with 24-bit initialization vectors; that will be very weak. Well, an improvement to that is TKIP, which stands for Temporal Key Integrity Protocol. This became popular after it was determined that WEP was incredibly weak. With TKIP,
we are still using RC4, but don't be discouraged; we are using a better version of RC4, making it much more secure than WEP. Specifically, we are using a 48-bit initialization vector. Now you could say, well, we went from 24 to 48, does that mean we are twice as secure now? Will it take 16 minutes instead of eight to break into the network? No, not at all. When we go from 24 bits to 25 bits, that doubles the security; we go to 26 bits, that doubles it again. So if we go from 24 to 48 bits, we are orders of magnitude more secure than we were before. And TKIP doesn't require much processing on the part of the wireless network card, so it was a great compromise for older devices that didn't have a lot of power on their wireless interface card while still giving us better security than WEP. But remember that we mentioned AES earlier.
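The two points above, that reusing an RC4 keystream under a repeated IV is the real WEP problem and that 48 bits is far more than "twice" 24 bits, worked through in code. This is an added illustration, not code from the session or from any WEP implementation: the pre-shared key, IV and plaintexts are constructed, the frame format omits the ICV, and the birthday-bound figures come from the standard approximation.

```python
"""Why a 24-bit WEP IV is weak and why 48 bits is not merely 'twice as secure'.
Added illustration for the WEP/TKIP discussion above; the pre-shared key,
IV and plaintexts are constructed sample values, not from the page."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (Ron's Code 4): key-scheduling then keystream generation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    return xor(rc4_keystream(key, len(data)), data)


def wep_encrypt(psk: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: the per-packet RC4 key is IV || PSK and the 3-byte IV
    is sent in the clear ahead of the ciphertext (ICV omitted for brevity)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + rc4_encrypt(iv + psk, plaintext)


def keystream_reuse_leaks(psk: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV share a keystream, so XORing their
    ciphertexts cancels the keystream and leaves p1 XOR p2; anyone who knows
    one plaintext (a predictable header, say) then learns the other.  This is
    the implementation flaw the text refers to, not a flaw in RC4 itself."""
    c1 = wep_encrypt(psk, iv, p1)[3:]
    c2 = wep_encrypt(psk, iv, p2)[3:]
    return xor(c1, c2) == xor(p1, p2)


def iv_birthday_bound(bits: int) -> float:
    """Frames after which an IV repeat is about 50% likely (birthday bound)."""
    return math.sqrt(2 * (2 ** bits) * math.log(2))


def iv_collision_probability(bits: int, frames: int) -> float:
    """P(at least one IV repeat) after `frames` random IVs from a 2**bits space."""
    return 1 - math.exp(-frames * (frames - 1) / (2 * 2 ** bits))


def seconds_to_exhaust_iv_space(bits: int, frames_per_second: float) -> float:
    """Time until every IV value has necessarily been used at least once."""
    return 2 ** bits / frames_per_second


if __name__ == "__main__":
    psk = b"constructed-psk"                   # constructed sample values
    iv = bytes([0x3A, 0x01, 0x7F])
    print("same-IV frames leak p1^p2:",
          keystream_reuse_leaks(psk, iv, b"GET /index.html", b"POST /login.php"))
    for bits in (24, 48):
        print(f"{bits}-bit IV: ~{iv_birthday_bound(bits):,.0f} frames to a 50% repeat; "
              f"space exhausted in {seconds_to_exhaust_iv_space(bits, 5000) / 60:,.1f} "
              f"min at a constructed 5000 frames/s")
    # Each extra bit doubles the space: 24 extra bits is 2**24 times, not 2 times.
    print("IV space ratio 48-bit / 24-bit:", 2 ** 48 // 2 ** 24)
```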
I said that's really the flagship encryption algorithm that we want to use today. Yes, it is better if we use AES. It will be better than TKIP and incredibly better than WEP, but AES takes some extra horsepower; it takes a few extra processor cycles for clients or access points or any wireless devices to process that encryption. So when you're configuring your access point, you may be presented with a set of security standards: WPA, WPA2 and WPA3. Now WPA stands for Wi-Fi Protected Access, and the original WPA used TKIP, which was good because it supported some older devices that didn't have much processing power, but it was better than WEP, so we were able to preserve our investment in existing hardware. And remember that TKIP uses that better 48-bit initialization vector instead of 24-bit, but still, TKIP is much weaker than AES, which is why Wi-Fi Protected Access 2, or WPA2, appeared, and for more or less a decade that was the be-all and end-all of wireless security standards. If you're setting up an access point, you'd better use WPA2. In fact, the Wi-Fi Alliance, which allows providers to put the Wi-Fi label on their device, said in 2006 that it's a requirement: if you're going to get Wi-Fi Alliance certified, your device must support WPA2. So they take this very seriously, and a requirement for WPA2 was that it had to support AES, a better encryption standard. But notice the wording here: it had to support AES; it didn't necessarily mean we had to run AES. This could vary depending on our hardware and vendor, but in some cases I could be running WPA2 but say, "I have all these old devices, I don't want to have to run AES, my devices can't handle it well." On some systems I could tell WPA2 not to use AES even though it could support it, and use TKIP instead; I could say just use AES; or I could say use either, let the client decide which one we're going to use. But AES requires more processing power than WPA. Over the years, I mean, this has been around for a while.
Over the years more and more people get more and more modern hardware with better processing, and as I said, for a decade this was the gold standard for wireless security, until 2016. In 2016 a vulnerability was discovered with WPA2 called the KRACK vulnerability, so yeah, now we have WPA3, which is what will be preferred. This will use only AES, without TKIP, and if we are in personal mode we will use 128-bit AES keys, but for enterprise mode with a RADIUS server and 802.1X we have 192-bit keys, so we're even more secure with AES. And remember we talked about those deauthentication frames that an attacker could send to kick someone off an access point; we're protected against that with WPA3, and we're also going to be more secure on publicly available networks, like if you're going to the airport or a coffee shop and you're on a public Wi-Fi network. Yes, instead of someone just listening in on you, you'll be better protected with WPA3. And there also used to be a button on the back of a lot of these home wireless access points that you could get at your big box store, labeled WPS. You would press that WPS button and that was a way to easily add another device to the network without having to enter a bunch of password information.
Well, there was a weakness in that too, so, I don't mean automatic configuration, but assisted configuration, I guess is the better way to tell you: there was a different assisted setup process that was introduced with WPA3 replacing WPS, and it's called DPP, Device Provisioning Protocol. Another thing we could do is have a separate guest network for the people who visit our organization and who do not have permission to be on the corporate network; we are isolating them on their own guest network. Or we may not want anyone to see what another guest is doing, so we can even provide additional protection to those guests by isolating the individual wireless clients on that guest network so that a guest client cannot spy on another guest client. We could also do MAC address filtering. Now this is not very strong, but it is a layer, remember the blankets on the cold winter night, it is a layer of security. We can have a MAC address filter that says that for a wireless device to connect to this access point it has to match one of the MAC addresses on this list, and if it doesn't, show a big stop sign and say no, you won't pass. And we'll reduce that traffic; again, it's not super secure because we can pretty easily spoof what MAC address we're using.
We also talked about authenticating based on where we are. We mentioned the term geofencing; that's what we could do, maybe in an environment that has a lot of different vendors, like in the mall. We have all these different stores and maybe they'll give you a coupon based on your proximity to a store. This has happened to me: I've been in a big shopping area and I get a popup saying there's some kind of discount coupon at the store I'm in front of at the time, so maybe depending on our geographic location we may or may not be able to access certain things, or before we can, I think I mentioned the example of checking in on a cruise.
I had to be very close to that cruise ship to be able to get on there and be able to get on their network. We also talked about a captive portal. You may have seen that; I gave the example of Delta Airlines, and when connecting to their Wi-Fi, or at a hotel, you may be asked to provide your account name, your real name, and your password, or your room number, as an example. Now for something else, just another collection of best practices we can use to better protect ourselves: let's not use the default wireless network names that come with our access points, like Linksys. This used to be the one, I think they've changed it since then, but you would go down and buy a router at a big box store and it was Linksys and the password was Linksys, or admin admin, or manager manager, or something like that, and those were well known.
It was very easy for people to access devices that had those default credentials, so let's change the default wireless network names, the SSIDs, let's change the default usernames and passwords. In fact, again, this is not a high level of security, but it is a layer: we could disable our SSID broadcasts, we may not even announce that this network is available. Now, let's say it is not a very high level of security because an attacker who has knowledge will be able to sniff the radio waves and still be able to see that SSID even if it wasn't broadcast. And we talked earlier about how an attacker could introduce an unauthorized access point into the network; well, many of the major enterprise-grade wireless vendors have scanners that will scan the network, Cisco does this, and it can detect whether someone inserts an access point from another vendor, whether we have access points from strange vendors on our network. And use strong encryption and authentication, at least WPA2, preferably WPA3.
If we can, we can do other things; we could use wireless intrusion prevention system sensors. That's right, what this could do is detect those evil twins where someone is advertising the same network as the corporate network; it will try to detect someone who is doing a wireless denial of service or a man-in-the-middle or on-path attack; it can collect and analyze data that gives us a lot of analytics. Some examples of wireless IPS systems include Aruba's Wireless IPS with RF Shielding, and Cisco has one called Cisco Adaptive Wireless IPS, and that's a high-level overview of some things we can do to better protect our wireless networks.
Next I want to talk about session hijacking, and I've already hinted at it a couple of times. With session hijacking, the attacker allows the user to go ahead and authenticate with the target system; once they've done that, once the user has gotten past that authentication stage, the attacker simply takes control of that existing session. They don't have to authenticate because the user already did, and they just hijack the session from them. That is an active attack, where we are going to take control of a user session, or we could do a passive attack: here we are monitoring the traffic in a session but we are not actually interrupting the flow, but we have still hijacked the session. We are making the session flow through us as the attacker and we are monitoring it, although we are not raising any red flags, we are not disturbing anything. So, active and passive. After the session is established, there is often a session ID that identifies the session and, in some cases, it depends on the implementation, but in some cases, if the attacker knows the session ID, they can join that session and say, here is my session ID, let me in, and they can be part of that session because they have learned that session ID.
So after authentication happens, the attacker joins the network, finds out the session ID, and we will talk about ways to find out the session ID, and then they can be part of the session and can establish a new session using that session ID. That's application-level session hijacking, and at the application level it's often web attacks that use HTTP or HTTPS, and usually those session IDs that we talked about are used. There is also hijacking at the network level. Here we're more concerned with TCP and UDP things at the transport and network layers, and this will usually involve intercepting packets, not just finding a session ID.
Now when I say session ID, I mean something that will uniquely identify a session, so it will be used for TCP, because it is a connection-oriented protocol; it will not be used for UDP, which is connectionless, and it will generally be a long string of seemingly semi-random alphanumeric characters. So let's think about how the attacker obtains a session ID and gets injected into the session so they can do something like a man-in-the-middle attack, where traffic starts flowing through the attacker on the way from the user to the server. Well, one thing is they could use a man-in-the-browser attack. A man-in-the-browser attack is where there is some sort of Trojan horse that is added to the browser software on the user's system, and then when they try to, say, use that browser and go to their bank, the man-in-the-browser Trojan will redirect them to the attacker. They go to that website and maybe they want to transfer a thousand dollars from their checking account to their savings account, but that Trojan horse in the browser software forces traffic through the attacker's machine, and the attacker says, let me change that a little bit, let's transfer five thousand dollars from their account to my account, and then they can send a confirmation to the user saying everything is fine when in reality they just lost five thousand dollars and it was transferred to the attacker.
Sometimes session IDs are generated in a somewhat predictable manner and an attacker could guess which session ID you are going to use. If they observe multiple sessions, they could run some algorithms to determine or estimate which one they think will be next. See how you do on this one: let's say the first session ID is abc102, the next session ID is abc104 and the next session ID is abc108. Given that info, could you guess the next session ID? Go ahead and chat about what you think. Obviously I'm not being terribly secure here, this is just a simple example. Yeah, a lot of people say abc116. I agree, because you'll notice the rightmost number doubles every time, so two doubles to four, four doubles to eight, eight doubles, yes, that will be 16.
That could be the next session key. It could also be that the attacker can sniff packets in an established session that have all the correct information, and then they come back later and use those packets they captured; they can use the session ID found in those captured packets, they can use that same session key as if the session was still going on. Assuming the user walked away from their computer, we still have their session ID, the session is still active from the server's perspective, and the attacker just takes over. Now, session fixation: here the attacker is going to initiate the connection to the server. They say, I would like to set up a secure session, and the server says OK, here's the session ID we're going to use, but not so fast, you'll still need to authenticate yourself. So the attacker says, "Okay, I'll get back to you," and the attacker takes the session ID that they just received from the server and then sends a link, maybe in an email, maybe a text message or something, to the user telling them that they need to reset their password.
Go to this link, and that link connects the user to the server using the session ID provided by the attacker, so once the user authenticates to the server using that session ID, you guessed it, the attacker is now authenticated on the server because they already had the session ID initially, so they get access to the server. Cross-site scripting, which you may have heard of: here a user will have a link that they will click on that may come in an email, and this will be a malicious link that will cause the valid session ID that the user is using to be sent to the attacker, and the attacker can again use that session ID to talk to the server. Similar is cross-site request forgery. Here, instead of getting an email with some kind of malicious code, there will be some malicious code installed on a site that the user connects to, and when they click a link on the site, similar to cross-site scripting, it will cause the user to send that session key to a website that is controlled by the attacker. Actually, I said that backwards, sorry: we get the user to visit the attacker's website, and the malicious code on that website is what extracts the session ID, I said that backwards, excuse me, and that will be given to the attacker at that point, and then the attacker can use that session ID to communicate with the server.
Next, let's consider hijacking at the network level. Network-level hijacking is the hijacking of TCP and IP sessions. We can do a reset; we may be dealing with encrypted traffic that we can't even interpret, but we can hijack it anyway, that's called blind hijacking; and UDP hijacking is almost a misnomer because UDP is connectionless, we're not actually setting up a session, but we'll still talk about something called UDP hijacking in a bit. But here with TCP hijacking, you remember all the back and forth, SYN, SYN-ACK and ACK, the three-way handshake. On top of that there's an initial sequence number, an ISN, that is assigned and sent back with the SYN-ACK, and the user responds with that number plus one. If the attacker is monitoring traffic coming and going, when they receive that ISN sent from the server, if they are fast on their feet, the attacker will be able to respond to the server before the user and will set up that session instead of the legitimate user.
A reset is where the attacker will force the user to re-authenticate. They will send a reset command telling the user that they need to re-authenticate, and when they re-authenticate, the attacker is using the spoofed server ID, so the user sends that username and password combination to the attacker, who then uses it to get on the server. Blind hijacking is where we can inject traffic between a user and a server that's encrypted; it's called blind because it's encrypted, we can't read it, but the attacker can still alter the data by injecting traffic going to the server. We also mentioned UDP hijacking. Oh yeah, I have an animation here showing that the encrypted traffic could still flow through the attacker; even though the attacker isn't reading it, they could alter it and they could add some extra traffic. Now UDP hijacking, that term bothers me a bit; we are not actually hijacking a session because there is no such thing as a UDP session. However, we do have protocols that use UDP, like DNS.
UDP hijacking means we are going to respond to something using UDP faster than the legitimate server does. Let's say the user makes a DNS query and the attacker sees that query looking for a certain website and responds with a fake IP address for that fully qualified domain name; it responds with the IP address faster than the DNS server. That's one way the attacker can redirect the user to their own malicious server that looks like the bank's server, but that the attacker actually set up to copy the bank server so they can capture the username and password combination. Against this, and this sounds pretty serious, well, one big thing is user training. Train your users: don't click anything in an email from unknown sources, and sometimes even from known sources; if it's your bank, don't click the link in the email, open a browser and go directly to your bank's website. You want to keep your software up to date, all your security software, you want to periodically clear your browser history, and don't visit untrusted websites, and certainly don't click on links that come in text messages or emails.
We may also want to use secure session IDs, where an attacker can't look at a bunch of session IDs and then say, "well, the next one will probably be this one." Let's use encrypted session IDs, let's use session IDs that are not valid for the entire session if we can; depending on your system, sometimes you can use session keys that expire after a certain period of time, or you may have to re-do the logins periodically, like things time out. I go to my doctor's office, for example, and they log in, they check my records, we sit there and talk for a bit, they go to update my records, and they've been logged out. Yes, you may need to log in repeatedly after a certain amount of time, and we want our session IDs to be as random as possible so they will be harder to predict.
Other things we can do is use secure web servers, HTTPS instead of HTTP. It might be better to use a certificate authority, a trusted third party, rather than a self-signed certificate. Sometimes you'll see a URL, you'll copy and paste a URL into a notepad or something and you'll see this big long string, and you're thinking, what's all this gibberish? It's a session ID. Let's not use session IDs that appear in the URL, that could be really bad. Let's keep our security patches up to date and just do basic network security like we talked about earlier; I showed how to set all this up: set up port security, DHCP snooping and ARP inspection. What else can we do, right?
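An added example, written for this page and not taken from the webinar, that puts three of the session-ID mitigations just listed into code: unpredictable IDs drawn from the OS random source, rotation of the ID at login so a fixated pre-login ID never becomes an authenticated session, and idle expiry. It also includes a small audit helper that flags a sample of issued IDs as predictable when they follow the simple rules from the abc102, abc104, abc108 guessing game. The `SessionStore` class, its method names and the 15-minute idle timeout are assumptions, not any particular framework's API.

```python
"""Server-side session handling that resists the hijacking techniques above.
Added example; class/method names and the default timeout are assumptions."""
import re
import secrets
import time
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, List, Optional

IDLE_TTL_SECONDS = 15 * 60  # assumed idle timeout (15 minutes)


@dataclass
class Session:
    session_id: str
    created_at: float
    last_seen: float
    user: Optional[str] = None  # None until the user has authenticated


class SessionStore:
    """Session table keyed by an unguessable ID; the ID is the only secret."""

    def __init__(self, ttl: float = IDLE_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised in tests

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG -> 43-character URL-safe token.
        # Knowing earlier IDs gives no information about the next one.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Start an anonymous (pre-login) session and return its ID."""
        sid = self.new_id()
        now = self._clock()
        self._sessions[sid] = Session(sid, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, or None if unknown or idle too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self._ttl:
            del self._sessions[sid]  # a sniffed ID stops working once idle
            return None
        sess.last_seen = now
        return sess

    def authenticate(self, sid: str, user: str) -> Optional[str]:
        """Bind a user to the session and issue a brand-new ID.

        Rotating the ID at login defeats session fixation: an ID the attacker
        obtained before login and planted on the victim is discarded here, so
        it never turns into an authenticated session."""
        if self.lookup(sid) is None:
            return None
        del self._sessions[sid]
        new_sid = self.new_id()
        now = self._clock()
        self._sessions[new_sid] = Session(new_sid, now, now, user)
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def predict_next(ids: List[str]) -> Optional[str]:
    """Audit helper: if issued IDs share a prefix and their numeric tails follow
    a constant step, a constant ratio, or a geometrically growing step (the
    abc102/abc104/abc108 example), return the ID an attacker would guess next.
    Returns None when no such trivial rule fits the sample."""
    if len(ids) < 3:
        return None
    parts = [re.fullmatch(r"(.*?)(\d+)", s) for s in ids]
    if any(p is None for p in parts) or len({p.group(1) for p in parts}) != 1:
        return None
    digits = [p.group(2) for p in parts]
    nums = [int(d) for d in digits]
    diffs = [b - a for a, b in zip(nums, nums[1:])]
    nxt = None
    if len(set(diffs)) == 1:  # arithmetic: 102, 103, 104 -> 105
        nxt = nums[-1] + diffs[0]
    elif all(nums) and len({Fraction(b, a) for a, b in zip(nums, nums[1:])}) == 1:
        nxt = nums[-1] * nums[-1] // nums[-2]  # geometric: 100, 200, 400 -> 800
    elif all(diffs) and len({Fraction(b, a) for a, b in zip(diffs, diffs[1:])}) == 1:
        nxt = nums[-1] + diffs[-1] * diffs[-1] // diffs[-2]  # steps 2, 4 -> 8
    if nxt is None:
        return None
    return parts[0].group(1) + str(nxt).zfill(len(digits[-1]))
```

Running `predict_next` over a few hundred IDs issued by a test instance of your own application is a cheap check that the generator is not trivially sequential; IDs from `secrets` always come back None.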
As I already mentioned, let's use secure protocols like HTTPS instead of HTTP, let's use secure FTP, SFTP, instead of FTP, let's use SSH instead of Telnet, let's use IPsec instead of GRE, as a couple of examples. And we may want to use an IPsec VPN tunnel, so if I'm traversing an untrusted network like the Internet, if someone on the big untrusted Internet catches my packets, they won't be able to do anything with them because it's all encrypted thanks to IPsec. And by the way, we'll talk about IPsec and VPNs at the end of today's session, but that's a look at session hijacking, and now we're going to get into module 6, and we've already hinted at this earlier.
We're talking about physically protecting our network equipment so that no one takes it, alters it, or compromises it in any way, breaks into it. One of the things we are concerned about is detecting an intruder, like the old video game, "intruder alert, intruder alert," and one thing that we can do that is pretty basic these days, we even have it in our homes many times, is motion detection; there are motion detection sensors to detect any movement. We can put passive RFID tags as inventory tags on our equipment and we can have portals around the doors so that if someone brings out a piece of equipment with one of these inventory tags on it, it triggers an alert or gives a notification. We may have video surveillance; in the old movies where people are breaking into a casino or a bank, they may have video that they play on a loop, and it's not so easy to do that with IP cameras, so if we have IP-based video surveillance that will go a long way in physically protecting our equipment. We can also have something that provides evidence of any tampering.
You can get these kind of metallic stickers, or even cable ties that a computer chassis could be closed off with, maybe in a server farm or data center, and if someone were to open it up to try and insert something into it or take out a drive or something, it would be obvious, it's going to be evidence that it was tampered with because that seal is going to break or look stretched or give some evidence of it, or maybe that cable tie is broken, as an example. To prevent people from accessing these areas, I think it's a great idea to have people coming into areas use something like a fingerprint scanner or retina scanner, and make sure your users are trained on what to look out for, maybe in front of the data center: don't do it.
I don't want someone wandering into a data center taking advantage of someone else. Remember earlier we said, "I'm carrying this box, can you hold the door for me?" as I walk through the door, and someone lets you in. There's something called an access control vestibule, or mantrap as it's sometimes called. This is a room that has two doors, and it's set up so that if one door is open the other door has to be closed, so there's no way someone would just watch you walk into the data center and follow behind you, because before you open that door to get into the data center and you're in this vestibule, the door that the attacker would go through to get into the vestibule is locked. The only way to do that is to be in the vestibule with you at the same time, and you're going to ask who they are. Sometimes there's a security guard there and you have to show them credentials before you can get into a data center. And at least let's lock our stuff. Personal confession time: I'm a big fan of physical security after an incident I went through when I was working at a university. In those days we had a lot of ATM equipment, asynchronous transfer mode equipment, along with Ethernet, and we had a lot of extra equipment, like maybe a hundred thousand dollars worth of extra ATM equipment, in a server farm.
Now, to get to the server farm, you had to go through this computer training room that we had set up, and to get into that computer training room, you had to go through a hallway and through a door, and there's another door to get into that hallway. So you had to go through a door to get to the hall, then you go through a door to get to the training room, then you have to go through another door to get to the server farm, so I thought no one was going to wander in there, our stuff is safe in the server farm.
No need to lock it, because who's going to go through three doors and wander in to get that? Someone did, and it's my fault. I will take responsibility because I was the network administrator. I didn't have all the doors locked, and someone walked out with a bunch of ATM equipment, so, boy, that one is done. I don't want you to be in that position, and when it's time to get rid of equipment you don't want to just say, "okay, I did a format on my C drive, it's done," and put it somewhere, because just because you did a format on your C drive, that doesn't mean you've wiped all the data; you've basically wiped the index of the files on that hard drive. So you want to erase any settings you have.
If you have a device where you can reset to factory defaults, you should do that. You need to sanitize the device. Now, if I'm getting rid of a computer and no one else is going to use it, I'm just throwing it away, I have done this so many times: I'll find a nice concrete floor, find a big hammer, put the hard drive on the floor, and I'll just hit it until it breaks, and that's one way to make sure nobody's going to read that data. But let's say you want to transfer a system to someone else and you want them to be able to use that hard drive; you don't want to hit it with a hammer, so what can you do?
Simply formatting it doesn't work. I like to use something called DBAN, Darik's Boot and Nuke, and you can boot it from a USB key or a DVD or CD. You can boot it up and it will not only erase your hard drive, you can do multiple passes over that hard drive where it will write random ones and zeros. So it's not just like formatting where we wipe the index of what's there, no, it actually overwrites everything that's there, and it can overwrite it multiple times, and yeah, if I'm reusing a system, handing it over
to someone else, I'll frequently be using DBAN, Darik's Boot and Nuke. So that's a look at physical security. Next up is the Internet of Things and cloud security, things that we didn't really think about; I didn't think about this a lot 10 years ago, but we do today. If you see IoT devices, think about the ones you have in your house; you might want to chat about what kind of IoT devices you have. I'll give you a sample at my house: I have doorbells, we have video cameras, I have a TV, my fridge can let me know, I finally turned it off, it was annoying, if someone leaves the fridge door open for too long a message would appear on my TV, the stove, all sorts of things. I have a Dyson fan that just turns on and off, the bulbs we have, which are Internet of Things devices. It's super convenient, I love that we can set schedules for how the lights come on and I can see everything around the house if I'm away from home, but do you know what all those devices are?
Do you know much about them? Have you ever done a firmware update on your IoT bulb, for example? Maybe you can't. There will be many security holes when we introduce them; we're poking holes when we introduce these IoT devices because in a lot of these devices security wasn't in the designer's mind when they were made, and we talked about processing power and encryption power. Yeah, a lot of those devices, if they're encrypted, use a weak encryption algorithm just so they don't have to put a more powerful processor in that device and drive the cost up, and a lot of those devices have default passwords, like your video cameras or even your wireless routers, and sometimes people don't update the software; updates may not be applied automatically, and do you really plan to update your light bulbs very often?
I don't think about that one. One of the most famous examples of someone taking advantage of an IoT security vulnerability was a distributed denial of service attack that happened in October 2016, and remember where we talked about how an attacker could use malware on a bunch of computers and they turned into bots or zombies. In this case, the attacker searched the Internet for IP-based video cameras, such as home surveillance cameras, and wireless routers that were configured with their default credentials; so many people simply unpacked them, plugged them in, and left them with their default credentials. So the attacker, simply by trying all these video cameras and all these wireless routers, by trying to log in with the default credentials, was able to log into many of them, so at their beck and call this attacker had all these cameras and all these wireless routers all over the world, and the attacker had them simultaneously attack this DNS server, and one of the sites that that DNS server served was Twitter.
It actually brought down Twitter in a large part of the world in October 2016 because someone just logged into all these IoT devices using default credentials. So what should we do? Definitely don't leave things at their default passwords, and when you change the password, make it a strong password. Something I recommend is putting your IoT devices on their own VLAN, so here's the thing: even if I have a firewall set up and the firewall will not let anyone on the Internet into my network if the session is started on the Internet, I have all these IoT devices. I don't know these manufacturers.
I didn't buy my Cisco bulb, I bought it from another vendor I've never heard of. Who knows, could that vendor put malware inside that bulb, or someone might have maliciously pre-injected malware inside that bulb that's now dangling outside my garage? If they did, it's inside my network and it could go out on the Internet and start reporting information and start trying to attack the rest of my network. It's on the inside, so it has permission to have two-way communication with the Internet. I don't want my lightbulb to scan and try to get into my Linux filesystems, so what do we do?
We put them on their own VLAN. It's almost like having a guest wireless LAN just for IoT devices; this is something I'll do frequently when I'm setting up Wi-Fi: put them on their own Wi-Fi network, not just a different name but a different subnet, so you can have this demarcation point between your IoT devices and the rest of your network devices.
Cloud security is a big concern these days that I didn't used to think about, because the networks I grew up on had server farms or data centers; the data was stored locally. But over the past decade, really, there has been this mass exodus of data going from our on-premises data centers to the cloud. After all, when we move our data to servers in the cloud, those can be virtual machines, we can spin up servers as we need them, we don't have to buy the hardware, we don't have to maintain the hardware, we don't have to provide redundant power to the hardware, we only pay for the processing power and storage resources we need at any given time. That's great, except we have all of our data flowing back and forth between our site and the cloud, and we want to make sure that data is safe. If I'm browsing the Internet, perhaps using a web browser, we want to do it securely, and one way to do it, with a security feature that we can have in our web browser, is TLS, Transport Layer Security, which will encrypt the data that is sent between our browser and whoever our cloud provider is.
Speaking of VPNs, here in a moment, we might want to set up a virtual private network between our site and our cloud provider so that as we traverse the Internet, if someone were to intercept our traffic, they wouldn't be able to understand it because it's all encrypted inside that VPN. Maybe we have a private cloud where we're using something like Metro Ethernet or maybe MPLS, but we have this private connection that doesn't use the Internet, and maybe we have some dedicated servers in the cloud where we don't share resources in a physical location; we don't have a virtual machine on the same physical server that someone else has their virtual machine on.
I mean, in theory they will be isolated, but we might want to have, just for added security, some dedicated physical servers that no one else is using. Something else we can do is use a feature that we can get from different vendors called a CASB; CASB means cloud access security broker, and it is going to be the broker that sits in the middle between the users on the corporate side and the cloud resources, and can monitor the traffic going back and forth between the enterprise and the cloud provider to make sure everything looks good, no one is doing anything suspicious, and if there is malicious activity it can report it to us. So that's a look at how to better protect the Internet of Things devices we have and our cloud, and in our final module, that's right, we finally get to the final module. Let's see, I was estimating that it would take about five hours today.
I'm just doing a projection. We'll be here maybe just a hair over four hours; it looks like four to five hours seems like where we'll land today. But let's take a look at our final module on VPNs, virtual private networks. First let's distinguish between remote access and site-to-site VPNs. A remote access VPN is where we have, let's see, here's my laptop. I have my laptop, this is one of the new MacBook Airs in this color; they say it has serious problems with fingerprints, I don't know if you can see it, but they're not kidding. But I love my laptop, and if I'm traveling and I want to communicate securely with another system,
I have VPN software here. I can set up a VPN. My home security device has a built-in VPN server, so I can set up a secure connection between any hotel room I'm in and the security device in my house, and yes, everything is encrypted over the Internet, but I need to have software on my laptop to do it. But if I have it, I mean, it's a great solution: I am not limited by a physical location and I can send encrypted traffic over the Internet, and it doesn't even necessarily have to be software that I install.
You could use clientless SSL, where you go to a portal and log in through a web interface and you get secure access to selected resources on one site, but typically we're installing VPN software on a system, and that's a bit of extra work. So what could we do if we just want to connect two offices? We have a branch office and a main office, headquarters. What we can do is have the routers at those sites act as endpoints in this VPN tunnel, so that for all the devices at the different sites this is transparent; they don't have to install VPN software, they just talk normally to their router. They want to go back to headquarters, no problem, the router will take them there, but there is a configuration on the routers that will encrypt the data going back and forth between those sites, which is a site-to-site VPN. And I remember, back in the '90s, when I was working with a client who wanted to connect sites together, you'd probably be looking for something like, not a VPN, but a frame relay connection, and I've worked on
more of those than I'd like to think about. A Frame Relay connection, or maybe an ATM connection if you were really bougie back in the day, or maybe a direct T1 link between a couple of sites. All of those options were really expensive. Now I have access to the Internet at a fairly low cost. I mean, I think I pay a hundred dollars a month at my house for AT&T fiber, and it's a gig, a gig up and a gig down, which was unheard of when I was connecting these businesses back in the day. Yes, it is very cheap and very fast to reach many places on the Internet, so let's use that, but let's do it securely with a VPN. That's what we can do with a site-to-site VPN, and again, this will be transparent to our end devices.
What I want to do now, and you might want to take some notes on this, is talk about two different VPN protocols: GRE, Generic Routing Encapsulation, and IPsec, short for IP Security. Let's first consider the GRE protocol. A GRE tunnel is super flexible, in the sense that almost any type of packet that we can send from a router interface, we can put in a GRE tunnel; there will be a GRE packet that wraps around it. I don't care if it's unicast, broadcast or multicast, I don't care if it's the old Novell IPX or AppleTalk, it doesn't matter: if you can send it from a router interface, you'll be able to encapsulate it inside a GRE packet. GRE is super flexible. Incredibly bad news: it's not secure at all. There's no encryption with GRE, it's not secure at all, so that kills our whole idea of being safe on the Internet, doesn't it?
Oh, here's another one. A protocol that is very secure, it's in the name, is IP Security, or IPsec. This is a super secure protocol that will give us confidentiality in the form of encryption, like AES, that you can use. It will give us hashing, maybe SHA. It can do authentication with pre-shared keys or digital signatures. And if someone tries to capture packets that are part of a valid login sequence and replay them later to log in, that won't work, because IPsec is giving sequence numbers to the packets as they are sent, so if I go back later and try to replay previously valid packets, the sequence numbers will be out of range and the far end won't believe them. So it's very secure. Incredibly bad news, and the bad news is that it's not flexible. While GRE could do unicast, multicast, whatever we wanted, IPsec is limited to only unicast IP packets. Is that a problem? You can bet it's a problem, because most of our routing protocols will use multicast. If I try to do OSPF, I want to send traffic to the multicast addresses 224.0.0.5 and 224.0.0.6; with RIP version 2, 224.0.0.9; EIGRP, 224.0.0.10. I just killed all of that if I try to send it over an IPsec tunnel. OK, we'll come back to that issue, but there are so many interesting things about IPsec. Let me give you a few more features and then I'll tell you how we can address that limitation. First, I want you to understand that there are two different modes of communication: transport mode and tunnel mode. Now this is a trade-off: you can have a little more security but more overhead, or you can have a little less security and less overhead, so it's a balancing act as to which is most important for you. In transport mode...
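The replay check just described, as an added example that is not the webcast's own material: a Python model of the receiver-side anti-replay window that ESP (and AH) use per RFC 4303 section 3.4.3. It is fed a constructed capture in which an attacker re-sends packets 2 through 5 after the legitimate session already delivered them, and it also shows that legitimate out-of-order delivery inside the window is still accepted.

```python
"""IPsec anti-replay window (added example; not code from the webcast).

Every packet on a security association (SA) carries a monotonically
increasing sequence number. The receiver keeps a sliding window (64 packets
here, the RFC 4303 minimum) recording which numbers it has already accepted:
a number already marked is a replay, a number left of the window is too old,
and a number right of the window slides the window forward.
"""


class AntiReplayWindow:
    """Sliding anti-replay window for one inbound SA."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  =>  sequence number (highest - i) already seen

    def accept(self, seq: int) -> bool:
        """Return True if the packet is fresh (and record it), False to drop it."""
        if seq == 0:
            return False                      # the first packet on an SA is seq 1
        if seq > self.highest:
            # Right of the window: slide it forward and mark the new highest.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1               # everything previously seen falls out
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                      # already accepted: this is a replay
        self.bitmap |= 1 << offset            # late but legitimate reordering
        return True


def run_capture(seqs, size: int = 64):
    """Feed sequence numbers through one window; return accept/drop per packet."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed scenario: a valid session (1..5), an attacker replaying the
    # captured packets 2..5, then the session continuing out of order, and
    # finally a packet far behind the window after a jump forward.
    capture = [1, 2, 3, 4, 5, 2, 3, 4, 5, 8, 7, 6, 200, 100]
    for seq, ok in zip(capture, run_capture(capture)):
        print(f"seq {seq:4d}: {'accept' if ok else 'drop'}")
```

The window only works because the sequence number is covered by the integrity check: an attacker who could rewrite the sequence number on a captured packet would defeat it, which is why ESP's ICV is computed over the SPI and sequence number as well as the ciphertext.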
we will keep the original packet header intact, so the original source and destination IP addresses are still there and visible. However, with tunnel mode we are encapsulating the entire packet, including the original source and destination IP addresses, meaning that if someone were to capture that packet and look at the source and destination IPs, they wouldn't see the actual IPs of the systems involved in the conversation; they would see the IP addresses of the endpoints of the VPN tunnel, the routers, as an example. Yeah, we're adding header information, so there's more overhead, but a little bit better security.
We could also use authentication only, or authentication and encryption, and we have a couple of options here. We could do something called Authentication Header, AH. It does not perform encryption, but it authenticates the entire IP packet, including the outer header. Compare that to Encapsulating Security Payload, ESP: it does perform encryption, but it won't authenticate the outer header; it will only authenticate the ESP payload. So it's also important for you to know that I'm usually going to use ESP; that's what I normally use. Now, when we set up an IPsec tunnel, there are two steps involved: there is IKE phase one and IKE phase two. IKE means Internet Key Exchange, and for the first phase I have a metaphor. Have you ever seen the old TV show, or a few years ago it came out as a movie with Steve Carell, Get Smart? Have you seen that one? I was a big fan of Get Smart on TV.
I go back to the old days, and I love the movie. If you haven't seen Get Smart with Steve Carell, it's hilarious, it's fantastic, and whether you watch the movie or the TV show, there's usually a scene where Max, Maxwell Smart, wants to talk to the Chief of CONTROL, and he wants to talk to the Chief using something called the Cone of Silence. In the old TV show it was a big plastic thing that came down over their heads, and in the movie it's a kind of virtual bubble, but the idea of the Cone of Silence is that the two sides will be able to talk to each other and no one else will be able to listen in.
Nobody is going to be able to eavesdrop on that conversation, because now they're under the Cone of Silence. In the movie and the TV show, you know, for the comedy aspect, it never works well, but that's what's happening here. In the first phase, also known as the ISAKMP phase, we are metaphorically lowering the Cone of Silence over these two endpoints, and that will give them a private communication channel. Now, what will be communicated through that private channel? Not the data that we want to send, not yet. We're going to use the security of that Cone of Silence, the IKE phase one tunnel, to negotiate the parameters of the IKE phase two tunnel, which is the actual IPsec tunnel. So we can say, okay, I support this feature set, this transform set, I support this encryption protocol, I support this authentication protocol, all the things that you support, Diffie-Hellman group one, two, whatever. All the parameters will be negotiated within the protection of the IKE phase one tunnel, and then once the two parties agree on what they are going to use for encryption and integrity, they will set up the IKE phase two tunnel, which is the IPsec tunnel where the actual data will be sent. But coming back to the great paradox we have: on one hand we have GRE, which is super flexible but not secure; on the other hand we have IPsec, super secure but not flexible, it only supports unicast IP traffic. So what do we do? What if we do both? Why don't we do GRE and IPsec?
This is what I mean: we can take our original packet, I don't care if it's unicast, multicast, broadcast, whatever, and encapsulate it inside a GRE packet. A GRE packet is a unicast IP packet. See where I'm going with this? I'm going to take that unicast IP packet and then protect it with the security of an IPsec tunnel. So we take whatever it is and wrap it in a unicast IP packet, a GRE packet, that can then be placed inside the IPsec tunnel. So we'll use both, the best of both worlds, and that's called GRE over IPsec. I was originally planning to demonstrate creating a GRE over IPsec tunnel with you today, and then I realized that our session was going to be closer to five hours, and if I add a couple of extra demos we'd be looking at another hour. Then I remembered, you know, I have a YouTube video where I'm setting this up, so I created a little link for you that will take you to a page with a couple of demos that I didn't want to spend class time on today. If you go to the kwtrain.com VPN scripted demos page, the first video on that page will be GRE over IPsec, and I show you step by step how to set up what we just talked about in theory, and we test it. The other video will be about the last topic that we will cover in a moment, and that is dynamic multipoint VPNs.
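The header stacking described above, together with the transport versus tunnel mode comparison a little earlier, as an added example (not code from the webcast): this Python builds a multicast OSPF packet byte by byte, wraps it in a unicast GRE packet between the two tunnel routers, protects that GRE packet with ESP, and then parses only the outermost header to show what someone capturing on the Internet path can see at each layer. The ESP "cipher" is a toy HMAC-SHA256 keystream standing in for AES and is not a real encryption scheme; the addresses, SPI and key are constructed for the example.

```python
"""Header layering for GRE over IPsec (added example; not from the webcast).

Layers, innermost first:
  OSPF Hello to 224.0.0.5  ->  GRE (IP proto 47) between tunnel endpoints
  ->  ESP (IP proto 50) in tunnel or transport mode.
The toy keystream below stands in for AES; do not reuse it for anything real.
"""
import hashlib
import hmac
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options
ICV_LEN = 16                  # truncated HMAC used as the ESP integrity check value


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """IPv4 header with TTL 64; checksum left zero since nothing here routes it."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def sniffer_view(pkt: bytes):
    """What a capture on the Internet path reveals: outermost src, dst, protocol."""
    f = struct.unpack(IPV4_FMT, pkt[:20])
    return str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])), f[6]


def gre_encapsulate(inner: bytes, src: str, dst: str) -> bytes:
    """GRE with no optional fields; payload type 0x0800 = IPv4.
    Whatever the inner packet was (multicast here), the result is unicast IP."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4_header(src, dst, 47, len(gre) + len(inner)) + gre + inner


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Toy counter-mode keystream (AES stand-in), unique per SPI and sequence number."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(pkt: bytes, key: bytes, spi: int, seq: int, mode: str,
                    tunnel_src: str = None, tunnel_dst: str = None) -> bytes:
    """ESP layout per RFC 4303: SPI | seq | encrypted(payload, pad, padlen, next hdr) | ICV.
    Tunnel mode hides the whole original packet behind a new header addressed to
    the tunnel endpoints; transport mode keeps the original IP header in the clear."""
    if mode == "tunnel":
        plain, next_hdr, outer_src, outer_dst = pkt, 4, tunnel_src, tunnel_dst
    elif mode == "transport":
        outer_src, outer_dst, next_hdr = sniffer_view(pkt)
        plain = pkt[20:]
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    pad = (-(len(plain) + 2)) % 4                         # align trailer to 4 bytes
    body = plain + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, spi, seq, len(body))))
    esp = struct.pack("!II", spi, seq) + ct
    esp += hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]   # ICV covers SPI, seq, ciphertext
    return ipv4_header(outer_src, outer_dst, 50, len(esp)) + esp


def esp_decapsulate(pkt: bytes, key: bytes) -> bytes:
    """Verify the ICV before decrypting; return the original packet."""
    outer_src, outer_dst, proto = sniffer_view(pkt)
    if proto != 50:
        raise ValueError("not ESP")
    esp, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ICV mismatch: packet modified in transit or wrong key")
    spi, seq = struct.unpack("!II", esp[:8])
    body = bytes(a ^ b for a, b in zip(esp[8:], _keystream(key, spi, seq, len(esp) - 8)))
    pad, next_hdr = body[-2], body[-1]
    plain = body[:len(body) - pad - 2]
    if next_hdr == 4:                                     # tunnel mode: a whole IPv4 packet
        return plain
    return ipv4_header(outer_src, outer_dst, next_hdr, len(plain)) + plain   # transport mode


# Constructed demo: an OSPF Hello from a LAN-side router address to 224.0.0.5,
# carried between tunnel endpoints 198.51.100.1 (HQ) and 203.0.113.1 (branch).
KEY = b"constructed-demo-key-not-for-real-use"
OSPF_HELLO = ipv4_header("10.1.1.1", "224.0.0.5", 89, 16) + b"OSPF Hello demo!"
GRE_PKT = gre_encapsulate(OSPF_HELLO, "198.51.100.1", "203.0.113.1")
GRE_OVER_IPSEC = esp_encapsulate(GRE_PKT, KEY, 0x1000, 1, "tunnel",
                                 "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    for label, pkt in [("raw OSPF", OSPF_HELLO), ("GRE", GRE_PKT), ("GRE over IPsec", GRE_OVER_IPSEC)]:
        src, dst, proto = sniffer_view(pkt)
        print(f"{label:15s} sniffer sees {src} -> {dst}, protocol {proto}, {len(pkt)} bytes")
```

Run it and the three lines show the trade-off the session talks about: the raw packet exposes the multicast destination, GRE already hides nothing but makes it unicast (and adds 24 bytes), and ESP in tunnel mode shows only the two routers and protocol 50 at the cost of another header, sequence number, trailer and ICV.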
I set it up from scratch and I talk about how we verify that type of VPN connection that comes up dynamically. Actually, let's talk about that, our final topic of the day: dynamic multipoint VPNs, or DMVPNs. The idea is this. If I have a point-to-multipoint topology like this, maybe I have all these direct connections, maybe they are, I don't know, Metro Ethernet connections, maybe MPLS connections, but virtually I have a connection from headquarters to branch A, a connection from headquarters to branch B, and a connection from headquarters to branch C. Now, most of the communication goes between a branch and headquarters, but from time to time there may be times when you want to go from branch C directly to branch B, and at this point it's going to be a detour: I'll go back to headquarters and then have to go on to branch B.
It would be great if you could do that directly over the Internet, right? But I don't want to pay to have a permanent virtual circuit set up all the time between those two sites. When I need it, sure, I would like to open a dynamic multipoint VPN over the Internet. Let's make it dynamic: when we need it, bring it up, and when we don't need it, let's take it down again. That's what DMVPNs allow us to do. They dynamically bring up a tunnel between these two sites on the fly, and they use something called multipoint GRE. Again, in that video, and I'll give you that link again in a moment, I walk you through how we set up a multipoint GRE interface, and the idea is that we're going to use the Next Hop Resolution Protocol, NHRP, to determine the publicly routable IP address with which to set up this dynamic tunnel.
You see, the problem we face is something like this. Inside branch A I have a private network, maybe it's the 10.0.0.0 address space. In branch B I have maybe the 172.16 address space, and in branch C maybe I have 192.168.1.0/24. I have private IP addresses within my sites, and if I'm advertising with maybe OSPF or EIGRP, I'm advertising to the hub: here are the networks that I have. Then the hub advertises them to the other remote sites and says, here are the networks that branch C has. Branch B might say, wow, I would really like to talk to that network at branch C, but it's a private IP address and I have to get there over the public Internet. How is that going to work?
I can't route to network 192.168.1.0/24 over the Internet; it's a private IP address, RFC 1918, it can't be routed over the public Internet. So what we do is use the Next Hop Resolution Protocol, and here I'm actually using a different set of private IP addresses in this example for the tunnel, but what we're going to do is tell this database at headquarters: hey, if anyone wants to set up a tunnel with me, here's my publicly routable IP address on the outside of my router going out to the Internet. Here is my publicly routable IP address; if you want to set up a tunnel, use that IP address.
Yeah, I'm willing to dynamically set up a tunnel, and then they'll be able to reach the private IP addresses within my network. So here's the database on that hub router: we see the IP address that's going to be at the other end of the tunnel, the private IP address, and we see the publicly routable IP address to use to set up that tunnel. Let's look at an example. Let's say that R4 at branch C wants to talk to the 10 network, or wants to talk to the IP address 10.0.0.2, which I think was the branch B router. It wants to set up a tunnel with that; however, it doesn't know the publicly routable IP address to use, so it sends an NHRP query to the hub saying, what is the public IP address that I can use to get to 10.0.0.2? And the hub says, oh, you want to talk to 203.0.113.1, R3, which is a publicly routable IP address. So R4 will dynamically set up this link to R3 and dynamically form that tunnel, which will then allow users in branch C to access the private IP address space within branch B through that dynamic tunnel.
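The hub database and the R4-to-R3 resolution walked through above, as an added example (not code from the webcast or from any vendor's DMVPN implementation): a Python sketch of the control plane in which spokes register their tunnel address and public (NBMA) address with the hub, routes learned through the hub point at the far spoke's tunnel address, and a spoke resolves that tunnel address to a public address through the hub before bringing up a direct spoke-to-spoke tunnel. The tunnel address 10.0.0.2 and public address 203.0.113.1 for R3 are the webcast's; the hub's public address 192.0.2.1, R4's public address 198.51.100.4, and the LAN prefixes are constructed assumptions.

```python
"""DMVPN / NHRP control-plane sketch (added example; not from the webcast).

Spokes register (tunnel ip -> public ip) with the hub. When a spoke has a
route whose next hop is another spoke's tunnel address, it asks the hub to
resolve that tunnel address to a public address and then adds the far spoke
as a multipoint-GRE peer, so traffic goes direct instead of hairpinning
through the hub. Unresolvable next hops fall back to the permanent hub tunnel.
"""
import ipaddress

# RFC 1918 space: never reachable across the public Internet, so never a valid NBMA address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Hub:
    """Hub router: permanent tunnel to every spoke plus the NHRP mapping database."""

    def __init__(self, tunnel_ip: str, nbma_ip: str) -> None:
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.nhrp = {}                                # tunnel (private) ip -> NBMA (public) ip

    def register(self, tunnel_ip: str, nbma_ip: str) -> None:
        """NHRP registration from a spoke; reject addresses the Internet cannot route."""
        if any(ipaddress.ip_address(nbma_ip) in n for n in RFC1918):
            raise ValueError(f"{nbma_ip} is RFC 1918 space, not routable on the public Internet")
        self.nhrp[tunnel_ip] = nbma_ip

    def resolve(self, tunnel_ip: str):
        """NHRP resolution reply: the public address behind a tunnel address, or None."""
        return self.nhrp.get(tunnel_ip)


class Spoke:
    """Branch router with one multipoint GRE interface."""

    def __init__(self, name: str, tunnel_ip: str, nbma_ip: str, hub: Hub) -> None:
        self.name, self.tunnel_ip, self.hub = name, tunnel_ip, hub
        self.routes = {}                              # prefix -> next-hop tunnel ip (from OSPF/EIGRP via hub)
        self.peers = {hub.tunnel_ip: hub.nbma_ip}     # mGRE peers; the hub is always present
        hub.register(tunnel_ip, nbma_ip)              # registration at boot

    def learn_route(self, prefix: str, next_hop_tunnel_ip: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop_tunnel_ip

    def next_hop(self, dst: str):
        """Longest-prefix match over learned routes; None if no route."""
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.routes if addr in p]
        return self.routes[max(matches, key=lambda p: p.prefixlen)] if matches else None

    def forward(self, dst: str):
        """Return ('direct', far_public_ip) over a spoke-to-spoke tunnel,
        or ('via-hub', hub_public_ip) when the traffic must hairpin through the hub."""
        nh = self.next_hop(dst)
        if nh is None or nh == self.hub.tunnel_ip:
            return ("via-hub", self.hub.nbma_ip)
        if nh not in self.peers:
            nbma = self.hub.resolve(nh)               # NHRP resolution request to the hub
            if nbma is None:
                return ("via-hub", self.hub.nbma_ip)  # hub forwards until the far spoke registers
            self.peers[nh] = nbma                     # dynamic tunnel comes up on demand
        return ("direct", self.peers[nh])

    def tear_down(self, tunnel_ip: str) -> None:
        """Idle spoke-to-spoke tunnels are removed; the hub tunnel never is."""
        if tunnel_ip != self.hub.tunnel_ip:
            self.peers.pop(tunnel_ip, None)


def build_demo():
    hub = Hub("10.0.0.1", "192.0.2.1")                                  # assumed hub public address
    r3 = Spoke("R3 (branch B)", "10.0.0.2", "203.0.113.1", hub)         # addresses from the webcast
    r4 = Spoke("R4 (branch C)", "10.0.0.3", "198.51.100.4", hub)        # assumed public address
    r4.learn_route("172.16.0.0/16", "10.0.0.2")   # branch B LAN, next hop is R3's tunnel address
    r4.learn_route("10.1.0.0/16", "10.0.0.4")     # branch A LAN; branch A router has not registered
    return hub, r3, r4


if __name__ == "__main__":
    hub, r3, r4 = build_demo()
    print("R4 -> 172.16.5.9:", r4.forward("172.16.5.9"))   # resolves 10.0.0.2 -> 203.0.113.1, goes direct
    print("R4 -> 10.1.2.3:  ", r4.forward("10.1.2.3"))     # no mapping yet, hairpins via hub
    print("NHRP database on hub:", hub.nhrp)
```

One thing this sketch makes visible that a working lab can hide: the hub's NHRP database is only as trustworthy as the registration that populated it. Anyone who can register a mapping for another spoke's tunnel address gets that spoke's traffic steered to a public address of their choosing, which is why the registration itself runs inside the IPsec protection rather than in the clear.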
If you want to see step by step how all of that is set up, just go to the kwtrain.com VPN scripted demos page, and I've got two VPN demos for you there: the first on GRE over IPsec, and another on how to set up dynamic multipoint VPNs. It probably would have added over an hour to have done all that live for you today, and we're already running long, so we'll let you watch them as homework. Alright folks, that's going to wrap it up for our webcast, and for those of you watching on the YouTube replay...
I want to say a big thank you for your great investment of time. I hope it was worth it. We'll talk to you next time.