LPIC 3 security Summary

The goal of security:

                Confidentiality
                     / \
                    /   \
                   /     \
  Auditing &      /       \  Non-Repudiation
  Accountability /         \
                /           \
               /             \
              /_______________\
       Integrity             Availability

Physical security

• RFT (radio frequency interference)
• EMI (electromagnetic interference)
• electromagnetic discharge

Security Controls

types:

• Administrative (Managerial)
• Technical (Logical)
• Physical (Operational)

In depth types:

• Mandatory Vacation
• Job Rotation
• Multi-person Control
• Separation of Duties
• Principle of Least Privilege
• Layered Security

Laws and Regulations

• H1PPA
• Standards
• Best Practices

• Common Sense and Experience

• Policies : what you can and can't do.

Example: Employees should have a strong password.

• Organization Standard : Organization more specific rules.

Example: A password should have an Uppercase, numbers and a special character.

• Procedure : This tells how to apply the policies / rules.
• Guidelines : Optional procedures.

Risk Management

• Assets : Any part of the infrastructure that we are worried about getting harmed (also people, reputation, door, ...).
• Vulnerability : Weakness to an asset.
• Threat : Negative action that exploits a Vulnerability.
• Threat agents : Does the action of the threat.
• likelihood : Level of certainty that threat will occur.

• Impact : Harm caused by a threat.

• Risk mitigation : Reduce the risk.
• Risk transference : Use 3rd parties.

• Risk acceptance : Likelihood and impact is less than the actual cost of mitigating.

• Asset value : Is the total cost of an asset (work, buy value, how much it would've made/period).
• Exposure factor : Percentage of an asset that's lost as the result of an incident (water in server room, 0.25 exposured).
• Single loss expectancy : Asset value * Exposure factor.
• Annualized rate of occurence : What are the chances / year incident taken place.
• Annualized loss expectancy : SLE * ARO
• MTTR : Mean time to repair.
• MTTF : Mean time to failure.

Network Security

Switch security

• VLANS
• STP (spanning tree protocol): prevents loop floods.

Router security

• Gateway public <-> private addresses with firewall.

DOS / DDOS

Types:

• Volume based attacks
  • UDP flood
  • ICMP flood
• Protocol attacks
  • SYN flood
  • Ping of death
  • Amplification attacks (NTP)
  • Smurf (a lot of ICMP, broadcast spoofed victim IP)
• Application layer attacks
  • HTTP flood (GET / POSt)

IPSEC

A bunch of protocols securing a connection point2point.

2 types of IPSEC:

• Authentication header
• Encapsulating security payload

Authentication header

This only provides integrity. It will add an AH header to am ip packet and hash it (HMAC).

AH TCP DATA IP_ADDRESS

Encapsulating security payload

Encrypting the full ip packet with DES, 3DES or AES. and then put a header on it.

Transport mode:

AH TCP DATA IP_ADDRESS

There is also something called tunnel mode it will add a new ip address left to AH, this is used most of the time when talking about IPSEC.

NEW_IP_ADDR AH TCP DATA ORIGINAL_IP_ADDRESS

The protocol that makes all this security work is ISAKMP (internet security association and key management protocol).

IPSEC is used in VPN, RADIUS and TACACUS+.

RAID

• RAID 0 - Striping: increases speed by spliting the file over different disks (no data integrity).
• RAID 1 - Mirroring: data is copied to different disks (low performance).
• RAID 2/3/4 - Pairing.
• RAID 5 - Pairing: distribute the pairity check (you can only lose 1 drive).
• RAID 6 - Pairing: 2 pairity disks (you can lose 2 drives).
• RAID 01 - Mirror of stripes.
• RAID 10 - Stripe of mirrors.

Proxy server

Works at the application layer.

Web proxy

• Squid
• WinGate

Web proxies speed up web traffic by caching, they can block websites, monitor the traffic, etc.

Web security gateway

Is kind of a proxy except the feature set is different and more focussed on anti-malware.

IDS / IPS

• Intrusion detection system
  • Detect and report possible attacks in a network.
• Intrusion prevention system
  • Runs inline with a network and act to stop detected attacks.

A IPS runs between a switch and a router this is what I mean with inline. An IDS runs just inside the network and mostly on servers.

Summary: A firewall filters, IDS notifies and an IPS acts to stop.

EAP

Extensible authentication protocol is an authentication framework frequently used in wireless networks and PPP.

Well known EAP's:

• EAP-MD5
• EAP-TLS
• EAP-PSK
• PEAP (standard wpa2 with mschapv2 auth)
• LEAP

Wireless security

• SSID
• BSSID

• ESSID

• WEP
• WPA

• WPA2 (802.11i)

• HSTS (HTTP Strict Transport Security)

VPN

2 things needs for VPN:

1. Set up tunnel.
2. authentication and encryption.

Types:

• Remote access.
• Site to Site.

Protocols:

• PTPP (1723), oldest not used anymore.
• L2TP (500, 4500), uses L2TP for tunnel and IPSEC for encryption.
• IPSEC VPN (500, 4500) IPSEC for tunnel and encryption.
• SSL/TLS VPN (443), relies on a virtual network driver tunnel.
• OpenVPN (1194) uses SSL/TLS.

SNMP

Simple network management protocol.

Access Control / Identity Management

MAC (mandatory access controls)

Data is controlled by the administrator, data is controlled by labels.

DAC (discretionry access controls)

The owner of the data defines the access.

RBAC (role-based access controls)

access to resources is defined by a set of rules defined by an admin.

Cryptography

Cryptography is the the practice of taking information and obscuring it / hiding it in such a way that a third party can't read it.

You always have an algorithm and a key.

Hashes

Types:

• MD5 128 bit hash
• SHA (secure hash algorithm) 160 bit hash (sha 256 / sha 512)
• ripemd 128. 160 . 256. 320 bit hash

Hash-based message authentication code

Symmetric algorithms

Both parties share the same key.

2 kind of Symmetric algorithms:

1. Block ciphers:

Cut off a block of data, encrypt it send it, take the next block.

Examples:

• DES (data encryption standard)
• Blowfish

• Triple DES

• key size
• rounds
• block size

AES (advanced encryption standard) (ssl, ssh intern)

2. Streaming encryption:

1 bit at a time

• rc4

Asymmetric algorithms

public key and different private keys.

RSA

ECC (eliptic curve Cryptography)

Diffie helman -> key exchange protocol

ssh is a protocol not a math function

encrypting on the internet -> TLS protocol

Steganography

Hiding text inside other things where you normally don't look, fe. images

Digital signature

In terms of website security, there is also a private and public key. The server will send you a public key to send and receive data from the server but how do you as a client know for sure it's the right public key?

The server will encrypt the webpage with its private key and then hash it. You will get the public key, the hash and the webpage. You can encrypt and hash the webpage to and compare the hash (also known as the digital signature.)

Digital certificate

• servers public key
• digital signature (hash)
• third party digital signature that says they are trusted

So it's all based on trust:

You can do this 3 ways:

1. unsigned certificate, make your own
2. Web of trust
3. PKI (public key infrastructure)

TODO lookup PKI

How does public key infrastructure works:

based on hierarchy:

CA (issues certs)

is an Organization they will have a root certificate.

        o               root cert

    0   0   0           interneddiate

0   0   0   0   0       client

the thing is B trust A, C trust B so you will get a secure chain.

interneddiate (to take the load of CA) clients

How to check bad cert:

CLR OSCP

Online certificate status protocol replaces certifacte revocation list