My 1st Null Puliya session

Mohnishsingh
Nov 04, 2017


As students, we face a major drawback in the industry: our knowledge is considered inadequate to face real-life challenges and to take administrative decisions in the industry. Thus we orient our lives to the jobs made available in the industry and restrict our talents to a nutshell of our possibilities.

I am an individual who thrives and grows on research. Currently I am working with a cyber security firm as a threat analyst. Ever since my college days I have been attending conferences and following social media and search engines to get solutions to problems faced by the industry. There is no denying that it is a really hard task to make any sense amid the immense competition and technology revolution. This is exactly what I had been feeling as I started my career, but, determined to succeed, I focused myself by understanding my job role and growing through research. My certifications gave me the technical know-how, but it still felt inadequate. The puzzle was yet to be solved. My understanding of my domain had to increase; "How will I ever face an incident?" was the thought revolving in my head.

Finally I got a mail saying that there was a seminar on incident response, which is a domain that piques my interest. To my luck, the seminar was a hop, skip and jump from my house, so I decided to attend it. This invitation was for a null meet. Upon attending it, I met a similar group of enthusiasts who presented their work of excellence. The PPT had such a great impact on me that it got me motivated and energized. I decided to get a stronger and more intelligent grip on my domain.

In between the session we were briefed about null and its cause. Null is a community platform that breaks the barrier of silos driven in the industry; it gives a common forum across the industry to showcase your research or real-life experience in the field of security.
In this age of technology revolution, experts in forensics, penetration testing, incident response, etc. come together to catch up and share insights on the industry. Attacks, tactics, procedures, hardening, compliance, hacker groups, real-life experiences with hackers, research papers, news bytes and malware forensics are some of the topics of interest in the community. The community is not only for developing technical know-how; it is also a tool for skill development and a platform for excellent research work. I have regularly been attending the sessions even when I face hardships in my office, as my job is a 24/7 commitment and I follow an unusual calendar. I have worked, studied for my master's and attended null in the last year. This has sufficed my thirst and evolved me to a real solid foundation in my industry.

I decided that I would conduct a puliya session in null: https://null.co.in/event_sessions/1664-network-device-security (for complete details and the PPT, please visit the above link).

The session covered attack scenarios for network attacks and their mitigations. It was divided into 3 parts:
  • CAM overflow attacks, ARP spoofing, VLAN hopping attack, STP attacks, DoS attacks, DHCP snooping
  • It also included security controls for authentication: AAA, RADIUS, TACACS+, 802.1x, ACLs, port security, syslog, control plane policing, uRPF
  • Best practices in implementing security

It's a famous saying in the industry: "Security is only as strong as your weakest link".

Part 1

CAM overflow attack: The attacker floods the CAM table of the switch by sending more MAC addresses than the switch can handle. A switch CAM table can handle about 5096 addresses, after which the switch works as a hub and starts forwarding traffic to every port except the receiving port. The attacker then sniffs the traffic. If we are using Kali to exploit this, the below command is used:
Command: macof -i eth0

Mitigation:
Port Security
  • Allows you to specify MAC addresses for each port, or to learn a certain number of MAC addresses per port
  • Upon detection of an invalid MAC, block only the offending MAC or just shut down the port
Smart CAM table
  • Never overwrite existing entries
  • Only time-out inactive entries
  • Active hosts will never be overwritten
Speak first
  • Deviation from learning bridge: never flood
  • Requires a host to send traffic first before receiving
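
The port security mitigation listed above, modelled as an added Python example (it is not from the session slides or from any switch vendor's code). The two-address limit, the mode names "restrict" and "shutdown", and the sample MAC addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One switch port with port security enabled (illustrative model)."""
    max_macs: int = 2             # assumed limit of learned addresses per port
    violation: str = "restrict"   # "restrict": block offending MAC; "shutdown": disable port
    learned: set = field(default_factory=set)
    disabled: bool = False
    violations: int = 0

    def receive(self, src_mac: str) -> str:
        """Return the decision for one frame arriving with this source MAC."""
        if self.disabled:
            return "drop: port is shut down"
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_macs:
            self.learned.add(src_mac)          # learn until the limit is reached
            return "forward"
        self.violations += 1                   # invalid MAC detected
        if self.violation == "shutdown":
            self.disabled = True
            return "drop: port shut down"
        return "drop: offending MAC blocked"


def flood_frames(count: int) -> list:
    """Constructed source MACs standing in for a CAM flood (all distinct)."""
    return [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(count)]


def run_flood(mode: str, count: int = 1000) -> dict:
    """Replay a flood on one port, then a frame from the first learned host."""
    port = SecurePort(violation=mode)
    frames = flood_frames(count)
    for mac in frames:
        port.receive(mac)
    return {
        "cam_entries": len(port.learned),       # addresses that reach the CAM table
        "violations": port.violations,
        "known_host": port.receive(frames[0]),  # the first address was learned
    }


if __name__ == "__main__":
    for mode in ("restrict", "shutdown"):
        print(mode, run_flood(mode))
```

In both modes the port contributes only two entries to the CAM table; the difference is that "shutdown" also cuts off the already learned host until the port is re-enabled.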

ARP spoofing: The attacker wants to trick the victim into believing he is the forwarding gateway by spoofing its MAC address and sending ARP replies. If the victim receives the broadcast of the attacker before that of the legitimate gateway, it believes that the attacker is the gateway. If we are using Kali to exploit this, the below commands are used:
  • echo 1 > /proc/sys/net/ipv4/ip_forward (broadcast arp replies)
  • ip route (to find ip address of the gateway)
  • ifconfig (to get mac address of interface)
  • arpspoof -i eth0 -t 192.168.1.86

Mitigation:
  • ARP spoofing works only within one VLAN
  • Static ARP table on critical stations (but dynamic ARP overrides static ARP on most hosts!)
  • ARP ACL: checking ARP packets within a VLAN
    • Either by static definition
    • Or by snooping DHCP for dynamic leases
  • No direct communication within a VLAN: private VLAN
    • Spoofed ARP packet cannot reach other hosts
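
The ARP ACL idea from the mitigation list, as an added Python example that is not part of the original session material: ARP packets are checked against bindings that come either from a static definition or from snooped DHCP leases. The class and function names, VLAN 10 and all MAC addresses are assumptions; the packets are constructed sample input.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"        # Ethernet/IPv4 ARP payload (28 bytes)
ARP_LEN = struct.calcsize(ARP_FMT)

def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an ARP reply payload (used only to construct sample input)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                       mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_to_bytes(target_mac), socket.inet_aton(target_ip))

class ArpInspector:
    """Checks ARP sender IP/MAC pairs against per-VLAN bindings."""
    def __init__(self, static_bindings: dict):
        self.bindings = dict(static_bindings)       # (vlan, ip) -> mac

    def snoop_dhcp_ack(self, vlan: int, client_mac: str, leased_ip: str):
        """Record a lease seen in a DHCP ACK from the trusted server port."""
        self.bindings[(vlan, leased_ip)] = client_mac.lower()

    def check(self, vlan: int, payload: bytes) -> str:
        if len(payload) < ARP_LEN:
            return "drop: truncated ARP packet"
        htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
            ARP_FMT, payload[:ARP_LEN])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return "drop: not Ethernet/IPv4 ARP"
        ip = socket.inet_ntoa(spa)
        mac = ":".join(f"{b:02x}" for b in sha)
        bound = self.bindings.get((vlan, ip))
        if bound is None:
            return f"drop: no binding for {ip} in VLAN {vlan}"
        if bound != mac:
            return f"drop: {ip} is bound to {bound}, not {mac}"
        return "permit"

# Constructed sample data: VLAN 10, gateway defined statically, client via DHCP.
GATEWAY = ("192.168.1.1", "02:00:00:00:00:01")
CLIENT = ("192.168.1.86", "02:00:00:00:00:86")
SPOOFER_MAC = "02:00:00:00:00:66"
inspector = ArpInspector({(10, GATEWAY[0]): GATEWAY[1]})
inspector.snoop_dhcp_ack(10, CLIENT[1], CLIENT[0])
GENUINE = arp_reply(GATEWAY[1], GATEWAY[0], CLIENT[1], CLIENT[0])
SPOOFED = arp_reply(SPOOFER_MAC, GATEWAY[0], CLIENT[1], CLIENT[0])
```

`inspector.check(10, GENUINE)` is permitted, while `inspector.check(10, SPOOFED)` is dropped because the gateway's IP address arrives with a MAC address that does not match its binding.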

Part 2

Security controls

AAA (authentication, authorization, accounting)

AAA authentication (who is allowed?)
  • User has authenticated and a session has been established to the AAA server.
  • When the user attempts to enter a privileged EXEC mode command, the router requests authorization from an AAA server to verify that the user has the right to use it.
  • The AAA server returns a “PASS/FAIL”
AAA authorization (what he is allowed to do?)
  • Provides the method for remote access control.
  • Including one-time authorization or authorization for each service, per-user account list and profile, user group support, …
  • Once a user has authenticated, authorization services determine which:
    • Resources the user can access.
    • Operations the user is allowed to perform.
    • E.g., “User ‘student’ can access host serverXYZ using Telnet only.”
  • As with authentication, AAA authorization is configured by defining a “named” list of authorization methods, and then applying that list to various interfaces.
AAA accounting (what did the user do?)
  • Provides the method for collecting and sending security server information.
  • Used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands, number of packets / bytes, …
  • With AAA accounting activated, the router reports user activity to the TACACS+ security server in the form of accounting records.
  • Accounting is configured by defining a “named” list of accounting methods, and then applying that list to various interfaces.

802.1x

802.1x is an IEEE standard for port-based network access control.
  • EAP based
  • Improved user authentication: username and password
  • Can work on plain 802.3 or 802.11

What does it do?
  • Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
  • The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information.

Three forms of EAP are specified in the standard:
  • EAP-MD5 – MD5 hashed username/password
  • EAP-OTP – one-time passwords
  • EAP-TLS – strong PKI-authenticated Transport Layer Security (SSL) - preferred method of authentication

Above is just a gist to sum up the session. The session was 4 hours long with 101 slides. The content was widespread research work I put together in the last 3 months; my motivation has been the moderators, professors and my love for my job. The session was published on all social media platforms, and the content is on display at the above-mentioned link.

Conducting this session has instilled confidence in me, and I am thankful to the audience who saw to it that they made it to the session even if it meant sacrificing their weekend, and for being attentive and interactive. It gives me a feeling of accomplishment. It has also transformed into a medium which makes my mentors, family members and friends proud with joy for my research. The community is growing and I hope to do my best for it. Last but not least, I would thank every person who has been a part of this journey with me.
