security.md 5.2 KB
title: Network Security breadcrumbs:
- title: Networking --- {% include header.md %}
TODO: Distribute this into relevant pages. Maybe the theory section.
Hosts
- Smurf and Fraggle attacks:
- DDoS where the adversary uses sends an ICMP/UDP echo packet (or similar) to a broadcast/multicast address using a spoofed source address, causing all reply traffic to be sent toward the user of the spoofed address.
- Linux hosts:
- Ignore broadcast/multicast ICMP echo and timestamp:
net.ipv4.icmp_echo_ignore_broadcasts=1(Ignored (1) by default) - Ignore UDP echo etc.: Firewall it.
- Ignore broadcast/multicast ICMP echo and timestamp:
- ICMP redirects (IPv4):
- Should be blocked or ignored for IPv4 since they can act as attack vectors and are basically never used in network designs.
- Allows attackers to change the default gateway or inject bogus routes.
- For IPv6, it is a more central functionality and should not be disabled.
- Can be blocked by the firewall or ignored through configuration.
- Linux:
- Linux has a secure variant (
secure_redirects) that specifies that the host will only accept redirects from hosts in its gateway list. - Disable reception of "insecure" ICMP redirects:
net.ipv4.conf.<all+default>.accept_redirects=0(enabled (1) for hosts and disabled (0) for routers by default) - Disable reception of secure ICMP redirects
net.ipv4.conf.<all+default>.secure_redirects=0(enabled (1) by default) - Disable sending ICMP redirects:
net.ipv4.conf.<all+default>.send_redirects=0(enabled (1) by default)
- Linux has a secure variant (
- SYN cookies:
- Should be enabled on servers.
- Prevents TCP DDoS attacks.
- When the connection queue is filled up, SYN cookies are used for new connections. Connections using SYN cookies must have all TCP options rejected, thus violating TCP.
- Linux:
- Enable:
net.ipv4.tcp_syncookies=1(enabled (1) by default)
- Enable:
Switches
TODO (see switch pages, personal notes and papers on my desk)
Routers
- ICMP redirects:
- See the Hosts section.
- Source routing:
- Should generally be disabled unless required. May be used in certain mobility scenarios.
- Allows attackers to send packets to unintended paths/destinations.
- For IPv4, there is the Strict Source Route (SSR) option and the Loose Source Routing (LSR) option. Both are considered insecure.
- For IPv6, there is the type 0 routing header, type 2 routing header and type 4 Segment Routing Header.
- Linux:
- Enabled by default on routers.
- Disable IPv4 SSR and LSR:
net.ipv4.conf.<all+default>.accept_source_route=0(disabled (0) for hosts and enabled (1) for routers by default) - Disable IPv6 type 0 routing headers only:
net.ipv6.conf.all.accept_source_route=0(type 2 only allowed (0) by default)- (Optional) Disable both IPv6 type 0 and 2 routing headers:
net.ipv6.conf.all.accept_source_route=-1
- (Optional) Disable both IPv6 type 0 and 2 routing headers:
- Cisco IOS:
- Disable source routing:
no source-route(enabled by default)
- Disable source routing:
- Source verification:
- Should be handled somehow if possible.
- May prevent spoofed IP addresses, especially
- Can be done with firewall rules, reverse path forwarding (RPF), DHCP snooping-based verification, etc. based on scenario.
- Reverse path filtering (RPF):
- Should be enabled for downlinks, but probably not for uplinks and transit links. For the latter two, use ACLs/firewall rules instead. Be especially careful for links with a default route pointing to it.
- Use strict mode most of the cases, but loose mode if assymmetrical routing may happen.
- Filters packets from sources that are not reachable by the FIB (loose mode); or filter packets from sources that are not received on the interface that would be used to reach the source (strict mode).
- Linux:
- Enable for IPv4 globally or per interface:
net.ipv4.conf.all.rp_filter=<0|1|2> - Status for IPv6: Unknown.
- Disabled (0), strict (1) or loose (2).
- Enable for IPv4 globally or per interface:
- Cisco IOS:
- Enable per interface:
<ip|ipv6> verify unicast source reachable-via <any|rx> - Loose ("any") or strict ("rx").
- Enable per interface:
- VyOS (global):
- Enable globally:
firewall source-validation strict - TODO: Status for IPv6.
- Enable globally:
- Directed broadcast forwarding:
- Should be disabled.
- Exploited by e.g. smurf and fraggle attacks.
- Linux routers:
- Always disabled.
- Cisco IOS:
- Disable
no ip directed-broadcast(disabled by default)
- Disable
- Bogin filtering:
- Should be enabled if appropriate.
- Blocks packets from fake/invalid addresses such as from unused or unallocated prefixes.
- May include RFC 1918 addresses.
- Can be done by explicitly blacklisting all stable bogon prefixes.
L4 Firewalls
- NAT traversal protocols:
- E.g. Universal Plug and Play (UPnP), NAT Port Mapping Protocol (NAT-PMP), Port Control Protocol (PCP), Session Traversal Utilities for NAT (STUN).
- Should generally be turned off unless explicitly needed. It's typically used by multiplayer games and other peer-to-peer applications.
- Can function as attack vectors as an adversarial program may be able to exploit it to allow external connections to internal devices.
L7 Firewalls
Empty.
Intrusion Detection Systems (IDSes)
Empty.
{% include footer.md %}