Many technologies and protocols can have impacts on security monitoring. Access Control Lists (ACLs) are among these technologies. ACLs can give a false sense of security if they are overly relied upon. ACLs, and packet filtering in general, are technologies that contribute to an evolving set of network security protections.
The figure illustrates the use of ACLs to permit only specific types of Internet Control Message Protocol (ICMP) traffic. The server at 192.168.1.10 is part of the inside network and is allowed to send ping requests to the outside host at 209.165.201.3. The outside host's return ICMP traffic is allowed if it is an ICMP echo reply, source quench (tells the source to reduce the pace of traffic), or any ICMP unreachable message. All other ICMP traffic types are denied. For example, the outside host cannot initiate a ping request to the inside host. Because the outbound ACL permits ICMP messages that report various problems, those permitted message types remain available for ICMP tunnelling and data exfiltration.
Attackers can determine which IP addresses, protocols, and ports are allowed by ACLs. This can be done either by port scanning, penetration testing or through other forms of reconnaissance. Attackers can craft packets that use spoofed source IP addresses. Applications can establish connections on arbitrary ports. Other features of protocol traffic can also be manipulated, such as the established flag in TCP segments. Rules cannot be anticipated and configured for all emerging packet manipulation techniques.
In order to detect and react to packet manipulation, more sophisticated behaviour and context-based measures need to be taken. Cisco Next-Generation firewalls, Advanced Malware Protection (AMP), and email and web content appliances are able to address the shortcomings of rule-based security measures.
The figure shows a user at a workstation 209.165.201.3 that connects to the internet. The internet connects through S0/0/0 on router R1, and R1 connects through G0/0 to the server at 192.168.1.10. Arrow 1 (internet to R1) marks the rules on R1 for ICMP traffic from the internet:
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any source-quench
access-list 112 permit icmp any any unreachable
access-list 112 deny icmp any any
access-list 112 permit ip any any
Arrow 2 (server to R1) marks the rules on R1 for ICMP traffic from inside the network:
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench
access-list 114 deny icmp any any
access-list 114 permit ip any any
Mitigating ICMP Abuse
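As an added example (not code from the page or from Cisco), the following Python parses the two ACLs from the figure, evaluates constructed packets against them in the direction each ACL is applied, and, from a detection standpoint, flags a permitted ICMP type whose payload is far larger than a normal ping or error message, which is the pattern the tunnelling concern above describes. The payload threshold and the packet values are assumptions.

```python
# Added example (not Cisco's or the page's own code): parse the figure's two ACLs, apply
# them to constructed ICMP packets, and flag permitted ICMP whose payload is large
# enough to suggest tunnelling. The size threshold and the packets are assumptions.
import ipaddress
# Cisco IOS ICMP keywords used in the figure -> (type, code); None means any code
ICMP_KW = {"echo-reply": (0, None), "unreachable": (3, None), "packet-too-big": (3, 4),
           "source-quench": (4, None), "echo": (8, None), "parameter-problem": (12, None)}
TUNNEL_PAYLOAD_BYTES = 128  # constructed heuristic; ordinary pings carry 32 to 56 bytes

ACL_112 = """access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any source-quench
access-list 112 permit icmp any any unreachable
access-list 112 deny icmp any any
access-list 112 permit ip any any"""  # traffic arriving from the internet
ACL_114 = """access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench
access-list 114 deny icmp any any
access-list 114 permit ip any any"""  # traffic leaving the inside network

def _addr(tokens):  # consume 'any' or 'address wildcard'; return (network, mask) as ints
    first = tokens.pop(0)
    if first == "any":
        return 0, 0
    mask = ~int(ipaddress.ip_address(tokens.pop(0))) & 0xFFFFFFFF  # wildcard -> netmask
    return int(ipaddress.ip_address(first)) & mask, mask

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        t = line.split()  # access-list N action proto src dst [icmp-keyword]
        rest = t[4:]
        src, dst = _addr(rest), _addr(rest)
        rules.append((t[2], t[3], src, dst, ICMP_KW[rest[0]] if rest else (None, None)))
    return rules
def _in(net_mask, ip):
    return int(ipaddress.ip_address(ip)) & net_mask[1] == net_mask[0]

def evaluate(rules, pkt):
    """pkt keys: src, dst, proto, type, code, payload. Returns (verdict, note)."""
    for action, proto, src, dst, (ity, icode) in rules:
        if proto not in ("ip", pkt["proto"]) or not (_in(src, pkt["src"]) and _in(dst, pkt["dst"])):
            continue
        if ity is not None and (pkt["type"] != ity or (icode is not None and pkt["code"] != icode)):
            continue
        if action == "permit" and pkt["proto"] == "icmp" and pkt["payload"] > TUNNEL_PAYLOAD_BYTES:
            return "permit", "permitted ICMP type with oversized payload: possible tunnel"
        return action, ""
    return "deny", "implicit deny"
```

The note on an oversized echo request is a heuristic to review alongside volume and destination, not a block decision; the ACL verdict itself is unchanged.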
NAT and PAT
Network Address Translation (NAT) and Port Address Translation (PAT) can complicate security monitoring. Multiple IP addresses are mapped to one or more public addresses that are visible on the internet, hiding the individual IP addresses that are inside the network (inside addresses).
The figure illustrates the relationship between internal and external addresses that are used as source addresses (SA) and destination addresses (DA). These internal and external addresses are in a network that is using NAT to communicate with a destination on the internet. If PAT is in effect, and all IP addresses leaving the network use the 126.96.36.199 inside global address for traffic to the internet, it could be difficult to log the specific inside device that is requesting and receiving the traffic when it enters the network.
This problem can be especially relevant with NetFlow data. NetFlow flows are unidirectional and are defined by the addresses and ports that they share. NAT will essentially break a flow that passes a NAT gateway, making flow information beyond that point unavailable. Cisco offers security products that will “stitch” flows together even if the IP addresses have been replaced by NAT.
Network Address Translation
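The flow-stitching idea, as an added example that is not Cisco's product code: a PAT translation table is joined to NetFlow records seen outside the gateway by public address, port and time window, which is what makes the inside host recoverable. All addresses (203.0.113.5 stands in for the inside global address), ports and timestamps are constructed.

```python
# Added example (not Cisco's or the page's code): map NetFlow records collected outside
# a PAT gateway back to the inside host using the gateway's translation table. The
# addresses, ports and timestamps are constructed; note that port 1024 is reused.
from dataclasses import dataclass

@dataclass
class Xlate:            # one PAT entry: inside local <-> inside global, with its lifetime
    inside_local: str   # "ip:port" as seen on the inside network
    inside_global: str  # "ip:port" as seen on the internet (the shared public address)
    start: int          # time the translation was created
    end: int            # time it was torn down

@dataclass
class Flow:             # unidirectional NetFlow record collected outside the gateway
    src: str
    dst: str
    proto: str
    first_seen: int

PUBLIC_IP = "203.0.113.5"  # constructed inside global address shared by all inside hosts
PAT_TABLE = [
    Xlate("192.168.1.10:49152", f"{PUBLIC_IP}:1024", 100, 160),
    Xlate("192.168.1.22:49152", f"{PUBLIC_IP}:1025", 120, 170),
    Xlate("192.168.1.22:50000", f"{PUBLIC_IP}:1024", 200, 260),  # port 1024 reused later
]

def lookup_inside(inside_global, when, table=PAT_TABLE):
    """Inside local endpoint behind a public endpoint at time `when`. Address:port
    alone is ambiguous once PAT reuses a port, so the lifetime must bracket the flow."""
    hits = [x.inside_local for x in table
            if x.inside_global == inside_global and x.start <= when <= x.end]
    return hits[0] if len(hits) == 1 else None

def stitch(flow, table=PAT_TABLE):
    """Rewrite whichever side of the flow is the gateway's public endpoint back to the
    inside host. Returns a new Flow, None if no translation matches, or the flow
    unchanged if it never crossed the gateway."""
    if flow.src.startswith(PUBLIC_IP + ":"):
        inner = lookup_inside(flow.src, flow.first_seen, table)
        return Flow(inner, flow.dst, flow.proto, flow.first_seen) if inner else None
    if flow.dst.startswith(PUBLIC_IP + ":"):
        inner = lookup_inside(flow.dst, flow.first_seen, table)
        return Flow(flow.src, inner, flow.proto, flow.first_seen) if inner else None
    return flow
```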
Encryption, Encapsulation, and Tunneling
As mentioned with HTTPS, encryption can present challenges to security monitoring by making packet details unreadable. Encryption is part of VPN technologies. In VPNs, a commonplace protocol such as IP is used to carry encrypted traffic. The encrypted traffic essentially establishes a virtual point-to-point connection between networks over public facilities. Encryption makes the traffic unreadable to any device other than the VPN endpoints.
Similar technology can be used to create a virtual point-to-point connection between an internal host and threat actor devices. Malware can establish an encrypted tunnel that rides on a common and trusted protocol, and use it to exfiltrate data from the network. A similar method of data exfiltration was discussed previously for DNS.
Peer-to-Peer Networking and Tor
In peer-to-peer (P2P) networking, shown in the figure, hosts can operate in both client and server roles. Three types of P2P applications exist: file-sharing, processor sharing, and instant messaging. In file-sharing P2P, files on a participating machine are shared with members of the P2P network. Examples of this are the once-popular Napster and Gnutella. Bitcoin is a P2P operation that involves the sharing of a distributed database, or ledger, that records Bitcoin balances and transactions. BitTorrent is a P2P file-sharing network.
Any time that unknown users are provided access to network resources, security is a concern. File-sharing P2P applications should not be allowed on corporate networks. P2P network activity can circumvent firewall protections and is a common vector for the spread of malware. P2P is inherently dynamic. It can operate by connecting to numerous destination IP addresses, and it can also use dynamic port numbering. Shared files are often infected with malware, and threat actors can position their malware on P2P clients for distribution to other users.
Processor sharing P2P networks donate processor cycles to distributed computational tasks. Cancer research, the search for extraterrestrial life, and other scientific research use donated processor cycles for distributed computational tasks.
Instant messaging (IM) is also considered to be a P2P application. IM has legitimate value within organizations that have geographically distributed project teams. In this case, specialized IM applications are available, such as the Webex Teams platform, which are more secure than IM that uses public servers.
Figure: a mesh of cell phones, laptops and PCs, each linked to several others, illustrating unstructured P2P logical connections through which file sharing and other services may occur.
Tor is a software platform and network of P2P hosts that function as internet routers on the Tor network. The Tor network allows users to browse the internet anonymously. Users access the Tor network by using a special browser. When a browsing session is begun, the browser constructs a layered end-to-end path across the Tor server network that is encrypted, as shown in the figure. Each encrypted layer is "peeled away" like the layers of an onion (hence "onion routing") as the traffic traverses a Tor relay. The layers contain encrypted next-hop information that can only be read by the router that needs to read the information. In this way, no single device knows the entire path to the destination, and routing information is readable only by the device that requires it. Finally, at the end of the Tor path, the traffic reaches its internet destination. When traffic is returned to the source, an encrypted layered path is again constructed.
Tor presents a number of challenges to cybersecurity analysts. First, Tor is widely used by criminal organizations on the “dark net.” In addition, Tor has been used as a communications channel for malware CnC. Because the destination IP address of Tor traffic is obfuscated by encryption, with only the next-hop Tor node known, Tor traffic avoids blacklists that have been configured on security devices.
Figure: the user's Tor software constructs a random path through the network of Tor relays (a cloud of internet-accessible computers, some marked as Tor relays); arrows between the user's PC and successive relays indicate encrypted packet contents, and traffic is unencrypted from the Tor exit node to its destination anywhere on the internet.
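Onion routing as described above, reduced to a toy model (added example, not Tor's code): each relay strips one layer with its own key and learns only the next hop, so the first relay never sees the destination. A SHA-256 keystream XOR stands in for the per-hop cipher, and the relay names, keys and request are constructed.

```python
# Added example (not Tor's code): a toy onion-routing round showing why no single
# relay learns more than its next hop. A SHA-256 keystream XOR stands in for the
# per-hop cipher (real Tor uses AES-CTR with keys negotiated per circuit); relay
# names, keys and the request are constructed.
import hashlib
import json

RELAY_KEYS = {"relay-A": b"k-A", "relay-B": b"k-B", "relay-C": b"k-C"}  # constructed

def _xor_stream(key, data):
    """Symmetric toy cipher: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(path, destination, payload):
    """Wrap payload in one layer per relay; the exit relay's layer is innermost
    and is the only one naming the real destination."""
    blob, next_hop = payload, destination
    for relay in reversed(path):
        layer = {"next": next_hop, "inner": blob.hex()}
        blob = _xor_stream(RELAY_KEYS[relay], json.dumps(layer).encode())
        next_hop = relay
    return next_hop, blob  # first hop and the fully wrapped onion

def peel(relay, blob):
    """What a relay does: strip its own layer and learn only the next hop."""
    layer = json.loads(_xor_stream(RELAY_KEYS[relay], blob))
    return layer["next"], bytes.fromhex(layer["inner"])

def route(path, destination, payload):
    """Simulate the circuit. Returns (destination reached, payload delivered,
    {relay: the only hop it learned}) so each relay's limited view is visible."""
    hop, blob = build_onion(path, destination, payload)
    learned = {}
    while hop in RELAY_KEYS:
        nxt, blob = peel(hop, blob)
        learned[hop] = nxt
        hop = nxt
    return hop, blob, learned
```

For monitoring, the consequence is the one the text draws: a perimeter device sees only the connection to the first relay, so destination-based blocklists do not apply to the traffic inside the circuit.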
Load balancing involves the distribution of traffic between devices or network paths to prevent overwhelming network resources with too much traffic. If redundant resources exist, a load balancing algorithm or device will work to distribute traffic between those resources, as shown in the figure.
One way this is done on the internet is through various techniques that use DNS to send traffic to resources that have the same domain name but multiple IP addresses. In some cases, the distribution may be to servers that are distributed geographically. This can result in a single internet transaction being represented by multiple IP addresses on the incoming packets. This may cause suspicious features to appear in packet captures.
In addition, some load balancing manager (LBM) devices use probes to test for the performance of different paths and the health of different devices. For example, an LBM may send probes to the different servers that it is load balancing traffic to in order to detect that the servers are operating. This is done to avoid sending traffic to a resource that is not available. These probes can appear to be suspicious traffic if the cybersecurity analyst is not aware that this traffic is part of the operation of the LBM.
Figure: DNS-based load balancing. 1. The user wants to visit www.example.com and sends a DNS query for www.example.com to the local DNS server, ns.locallsp.com. 2. The local DNS server lacks a record for example.com and queries other servers. 3. The request reaches the authoritative DNS server for the domain, and an NS record delegates the request to the load balancer at www.example.com. 4. The load balancer (loadBalance.example.com) returns the IP address of a server in the server pool depending on load; the local DNS server then returns the IP address of the www.example.com load-balanced server to the client.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.