Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4
1. Lecture-01: Common Network Security Terms.
I am going to start from basic terminology, network security terms, and we will go forward slowly.
So, network security terms are Asset, Vulnerability, Exploit, Threat, Attack, Risk and Countermeasures. These are the common network security terms.
What is an asset? An asset means anything the organization invests in, anything which belongs to the organization, anything which is really valuable to the organization. Examples of assets may be properties, vehicles, equipment, plants, buildings, employees, computers, data. Anything. So, in network security, we call them assets. And I will give you an example of assets: these may be our devices, or maybe an employee's computer. Anything.
The second term is vulnerability. What is a vulnerability? Any weakness in the system, we call it a vulnerability. The weakness can be in the system, it can be by design, it can be by nature, it can be application-based, it can be protocol-based, and it can be in an operating system. So, we call them vulnerabilities. You know, some humans, suppose you and me, very quickly become angry. By nature, this is their vulnerability, their weakness. Some people are very cool-minded. Whatever you say, whatever you tell them, they will say nothing. So, this is called vulnerability. So, a vulnerability can be by design, maybe when they design something and forget to put something in. Later on, the hacker uses that design flaw to hack your server and hack your network to get access. So, this is also a vulnerability. Every week there are new patches to install because there are so many weaknesses, like LTM as well. Last week there was a new vulnerability. They say there is a vulnerability; you have to patch it to secure the device.
And by protocol as well. So, I will give you an example by protocol, just to show you how and what a vulnerability is. So, let me go to… This is my web server and also my Telnet server. Okay. And these are my two clients here. Let me put Wireshark here and start the capture, just to show you a vulnerability. Don't worry about the setup; what I've done here is not the point of this lesson. So, let me connect from here. The server's IP address is 192.168.12.100 (the network is 192.168.12.0/24). Okay. So, I start capturing here with Wireshark. And from the client side, let me do a Telnet, because by nature Telnet is a vulnerability: it sends and receives traffic in clear text. So, this is what we call a vulnerability. Okay, Telnet to 192.168.12.100, which is our server. The username is admin, the password is 123, and then show running. And let me go here. So, we captured the Telnet traffic here. Let me type telnet only in the filter, so we can filter it easily. Click on any packet and go to Follow TCP Stream. Look: our username is admin, our password is 123, and show running. Everything is readable. Why? Because Telnet is unsecured and sends and receives traffic in clear text. So, this is the vulnerability by protocol.
Another example is HTTP. Let me send the HTTP traffic from this client. And let me type our web server IP, which is 12.100. So, admin is the user and the password is 123. So, this is my server, and I use HTTP traffic. Let me go to Wireshark, and this time I say I don't need Telnet, I need HTTP traffic. So, this is HTTP from 12.2; 12.2 is this client, 12.100 is the server, 12.1 is this one and 12.2 is this one.
So, when I click here on this HTTP traffic, right-click, and this time go to Follow and HTTP Stream. And look, everything is visible here. This one, server1, and everything is visible here: the authentication. Okay, let me take the second packet, because it's showing in the second packet. Follow, HTTP Stream. And it will show you the username and password as well. Why? Because HTTP by nature and Telnet by nature send and receive their traffic unencrypted, in clear text.
So, this is called a vulnerability. And these two protocols are, by nature, a vulnerability.
Now, going to the third one: exploit. What is an exploit? The exploit is the method, technique or formula which you use to take advantage of the vulnerability and get the details of the server. So, which tool did I use to find out that the Telnet password is 123 and admin is the user? I used Wireshark. Earlier I used Telnet, because it's more visible. So, let me show you this one: Follow, TCP Stream. There is 123, and admin is the user. So, this Wireshark is called the exploit. I used Wireshark, which is an application, and I exploited Telnet and HTTP to get the details of the server.
So, I am taking HTTP and Telnet and using the vulnerability, because these two protocols have the vulnerability. I'll give an example. There are so many vulnerabilities in everything. There is a special website which I can show you, and you will find every vulnerability there. But the keyword for this is exploit.
So, now we know exploit, we know vulnerability, and we know asset.
Let's go to another network security term: threat. A threat means anything which is a danger to your asset, and an asset, as we know, is anything related to the organization. It can be accidentally triggered, or it can be intentional or unintentional. So, we call them threats. There are so many threats: spyware, hackers, viruses, key loggers (we will see key loggers as well), lost data, Trojans… So many things can be a threat, like the threats you may be facing yourself. Nowadays you cannot go out due to the Coronavirus; this is a threat to you. If there is heavy traffic on the road, you cannot cross the road; this is a threat to you. So many things. The same is the case in your system, your design, your network, and everything. There are so many threats to your organization. So, any potential act that poses a danger to your asset, we call a threat.
Okay, we know threats. And there are so many of them: there can be worms, viruses, Trojans and so many things which we will discuss later on.
Now, another term is attack. An attack is defined as an action taken against assets to harm them. Now I know the username and password of their server, so now I can attack their server. There are so many attacks: flooding attacks, UDP-flooding attacks, SYN-flooding attacks, taking them down, service-down, DoS attacks, DDoS attacks. You can capture the data; you can get into the system. So many things you can do. So, these things we call attacks. An action intended to take down the server, the network, or whatever, we call an attack.
Another network security term is risk. Any potential loss, either compromise or damage which disrupts your network, we call a risk. Like using Telnet: it's a risky job in your organization if you are using Telnet to access your devices. And Telnet is basically a utility you use to access your device remotely, just like TeamViewer or AnyDesk. So, rather than doing something over Telnet, you can use SSH, or many other methods such as a VPN, to make the traffic encrypted. So, this type of thing we call a risk.
And now the last network security term is countermeasure. What is a countermeasure? Countermeasures are the actions you take to secure your organization, your network, your services and your devices to mitigate the threat, and we have just seen what a threat is. How can we put it? In this same case, what can I do? Everybody can see my Telnet traffic. What is the countermeasure? So, the countermeasure is, rather than using Telnet, to go to the server and configure SSH, which is the alternative. So, rather than using Telnet, now I can go to the client, because SSH is available there, and I will say ssh -l admin 192.168.12.100, and the password is 123. Now, rather than using Telnet, this time I'm using SSH. And let's see the traffic again. But this time I will set the filter to show me the SSH traffic. Why isn't it showing? Maybe I stopped it. So, let's move… Stop. We can start Wireshark from here. Okay, and let me close this and open it one more time. So, it's okay. Okay, let me close this session and connect again. 12.100, 123. Okay, and here we will see SSH is there. Okay, so it's not showing me SSH. 12.100 is my server IP… Show ip int br. Yeah, 12.100. Okay, let me go back just to show you; I don't know, for some reason it's not showing me 12.100. Okay, let me see the other traffic. So, Telnet is there. Okay, so basically due to Wireshark, sometimes it will not show you. So, let me turn this one off. On my server sometimes it's showing like this. And let me turn this one on again. Okay, and start. So, the countermeasure is… I'll just give you an example. Rather than using Telnet, use SSH; and rather than using HTTP, use HTTPS. So, in this way, you can secure your network.
Okay, so, let me go back now and we will go to the console. And from the client, let me do SSH, but before doing SSH let me capture the traffic again. No need from here; let me capture from here. And let me start Wireshark. Okay, this time it is correct. So, let's go to the client: ssh -l admin (as the user) 192.168.12.100 (the IP address). So, this is saying the destination is down. So, let me go to the server. Okay, it's not up yet. Okay, so, just wait a while. Let it come up, then I will check from here. So, this technique is called a countermeasure, and in this way, as a security professional, you have to mitigate all the threats, which can be anything.
But I'm giving you an example of Telnet and HTTP. Okay. Oh, it's taking too much time…
So, let's go… Basically, security is not a one-time job. Keep this in mind. The network security terminology which I told you about is like a circle. Because maybe you protect with SSH, but there is a vulnerability in one SSH version as well, so it means you have to use SSH version 2 too. And it's not that you say, "Okay, I have a firewall, I have IPS and I have everything, so now I'm protected and I will sit aside and everything will be done by the devices." No. Every day, every minute, and every second there is a vulnerability, there is a weakness, there is a way to attack. It means this is a fight between you as a security engineer and the hackers. You protect the device, and they have another solution. You protect with that method, and they have another solution to attack anew.
So, my main theme is… This is like a circle. There are so many threats which can use a vulnerability; you are exposed due to this vulnerability, they will exploit it, and there is a risk if you did not countermeasure it. So, the way is to take a countermeasure after every second, after every week, after every month to protect your assets. Again it will be compromised in another way, and then they will attack again. There is a vulnerability. And again, you have to protect in the same way, like moving around a circle.
Okay, my server is okay now. And let me go to SSH. 123. And this time, rather than Telnet, I will say show me SSH. This is SSH version 2, and I go to Follow, TCP Stream. Look at this garbage data: you can see nothing. This is a countermeasure. Why not use Telnet? Because everybody can get the data and can see anything which you are sending and receiving. So, we use SSH.
And on the other client, rather than using HTTP, there is HTTPS as well. This time I will say https://192.168.12.100. Okay. So, maybe the server is not up or something, but I think I can show you here. Now this time I will say, "I don't need HTTP, I need TLS traffic." TLS is basically HTTPS. But this time, if I go to Follow, TLS Stream, okay, you will see nothing, maybe garbage data. It will be encrypted. Maybe my server is down for some reason. So, let me see. I can enable ip http secure-server. Okay, so it's already there, by the way. And ip http authentication local. And the user I've already created. So, let me try again now. Okay, this time it is okay. And let me go to Add Exception, because this is asking about the certificate. Admin is my user which I created, and 123 is the password. Now I access the server, but this time with HTTPS, not HTTP. And when you go here and say tls, okay, and try now. We have a lot of traffic exchanged now. And if you go to Follow, TLS Stream… Why, for some reason, is it not showing? Let's go to another page. So, it will be garbage data. That is the main point to show you. So, let me try again. It's better to use TCP as well. Okay. TLS. Okay. For some reason it's not showing me; it has to show me, by the way. Yeah, it will be like this: garbage data. But, anyway, I need to see TLS. Okay, for some reason it's not showing me, but it will be encrypted, just like SSH, which I showed you here: Encrypted packet. So, this is called a countermeasure.
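The Telnet/HTTP exposure shown with Wireshark earlier and the SSH/HTTPS countermeasure just demonstrated, as an added example that is not part of the lecture: a small Python audit over constructed flow records (modelled on the Follow TCP Stream views, reusing the lecture's 192.168.12.x addresses and admin/123 credentials; the payload bytes are hypothetical, not real captures) that reports what a passive observer can read from each protocol and which countermeasure applies.

```python
import base64
import re

# Constructed flow records modelled on the lecture's "Follow TCP Stream" views
# (server 192.168.12.100, clients .1 and .2). Payloads are hypothetical, not real captures.
SAMPLE_FLOWS = [
    {"src": "192.168.12.1", "dport": 23,
     "payload": b"Username: admin\r\nPassword: 123\r\nshow running\r\n"},
    {"src": "192.168.12.2", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: 192.168.12.100\r\n"
                b"Authorization: Basic YWRtaW46MTIz\r\n\r\n"},
    {"src": "192.168.12.1", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_9.0\r\n\x00\x00\x05\x9c\x14\x8a\xf3\x01"},
    {"src": "192.168.12.2", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03\x7f\x9e"},
]

# Cleartext management protocols and the countermeasure the lecture recommends.
CLEARTEXT = {23: ("telnet", "use SSH (tcp/22)"), 80: ("http", "use HTTPS/TLS (tcp/443)")}
ENCRYPTED = {22: "ssh", 443: "tls"}


def audit_flow(flow):
    """Classify one flow and return whatever credential a passive observer would see.

    Returns {"protocol", "exposed", "countermeasure"}; exposed is "user:password"
    for Telnet/HTTP Basic and None where the stream is encrypted (SSH/TLS)."""
    port, data = flow["dport"], flow["payload"]
    if port == 23:
        # Telnet: the login prompt and the typed answer appear verbatim in the merged stream.
        user = re.search(rb"Username:\s*(\S+)", data)
        pw = re.search(rb"Password:\s*(\S+)", data)
        exposed = f"{user.group(1).decode()}:{pw.group(1).decode()}" if user and pw else None
    elif port == 80:
        # HTTP Basic auth is only base64-encoded; encoding is not encryption.
        m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", data)
        exposed = base64.b64decode(m.group(1)).decode() if m else None
    else:
        exposed = None  # SSH/TLS: after the handshake the bytes are ciphertext
    if port in CLEARTEXT:
        proto, fix = CLEARTEXT[port]
    else:
        proto, fix = ENCRYPTED.get(port, f"tcp/{port}"), None
    return {"protocol": proto, "exposed": exposed, "countermeasure": fix}


def audit(flows):
    """Return one finding per flow that uses a cleartext management protocol."""
    findings = []
    for f in flows:
        result = audit_flow(f)
        if result["countermeasure"]:
            findings.append({"src": f["src"], **result})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```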