# Securing Hardware on Setup

Some considerations and steps for setting up basic PC hardware security
1. BIOS/UEFI boot password
    - Set a password in the BIOS/UEFI setup that must be entered on every boot
    - This stops anyone who can power the machine on from reaching the OS without first authenticating at the firmware prompt
    - If the password is forgotten it has to be cleared out-of-band, which needs physical access to the board:
        - Most desktop boards keep the settings in CMOS RAM: remove the motherboard battery (or short the CLEAR CMOS jumper) for several minutes so the CMOS RAM loses its contents
            - Reinsert the battery and all firmware settings, including the password, are back at defaults
        - Many laptops and business-class machines store the password in non-volatile memory that a battery pull does not clear; those need the vendor's reset procedure
2. If using a data center with server cabinets
    - Anyone with physical access to the servers can clear the password exactly as described above
    - Lock the cabinets with a lock that requires a key (preferably a physical key)
3. Lock down the boot order in the BIOS/UEFI and set a separate setup (supervisor) password, so users can't boot from removable media or change the firmware settings
4. Drive encryption, so that a disk pulled out of the machine is unreadable without the key
5. Trusted Platform Module (TPM), the chip that can hold the disk encryption key and release it only when the measured boot chain is unchanged

### Demilitarized Zone (DMZ)
- A network that is neither fully public nor fully internal, "halfway between the two"
- Where you find the HTTP, DNS, email and other internet-facing corporate servers
- People outside your network primarily reach your web servers, FTP servers, etc., and because those are what attackers usually target, it's a good idea to place them in the DMZ rather than on the internal LAN
- A security zone that accepts public traffic while keeping that traffic isolated from the company's internal network; a host compromised in the DMZ should not have a free path inward

### Firewalls
- A combination of hardware and software
- The hardware is usually a router, but it can also be a computer or a dedicated appliance ("black box") with two NICs
    - One NIC faces the private network and the other the public one
- The firewall configuration determines the permit, deny, encrypt, decrypt and proxy rules applied to traffic
- Network-based firewalls filter packets entering (and leaving) a network, usually on dedicated hardware
- Host-based firewalls protect a single host, usually in software
**Dynamic Packet Filtering**
- Also called stateful inspection: the firewall keeps a table of active connections and judges each packet against the state of its flow rather than in isolation
    - Things like expected packet order (a SYN before data, no ACK for a connection it never saw), packet type, etc. can be checked; reply traffic is allowed only for connections that were opened from the inside
**Content Filtering**
- Blocking based on the content of the data rather than its source
- Commonly used on mail and web traffic to stop things like specific URLs, .exe attachments, phrases or languages
**Signature Identification**
- Many viruses and other malware contain recognizable byte patterns (signatures) that the firewall can match and drop
**IP Proxy**
- Hides the internal stations: the proxy replaces the requesting station's source address with its own before forwarding, so the outside only ever sees the proxy's IP
**Web Proxy**
- Handles HTTP requests on behalf of the sending workstation: the client's browser sends its request to the proxy, which fetches the page from the internet web server and returns it (and can cache or filter it on the way)
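A minimal stateful (dynamic) packet filter, added here as an example and not taken from the original notes: outbound TCP connections from the inside create an entry in a state table, and inbound packets are permitted only when they belong to a flow the table already knows. The addresses, ports and the packet sequence are constructed for the illustration.

```python
# Added example (not from the original notes): a toy stateful packet filter.
# Flows opened from the inside get state; inbound packets must match a known
# flow or they are dropped. Addresses and the packet trace are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Packet:
    direction: str     # "out" (inside -> outside) or "in"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # subset of "SAFR" (SYN, ACK, FIN, RST)

# (inside ip, inside port, outside ip, outside port)
Flow = Tuple[str, int, str, int]

class StatefulFilter:
    def __init__(self):
        self.table: Dict[Flow, str] = {}   # flow -> "SYN_SENT" | "ESTABLISHED"

    def filter(self, p: Packet) -> str:
        """Return "permit" or "deny" for one packet and update the state table."""
        if p.direction == "out":
            flow = (p.src, p.sport, p.dst, p.dport)
            if "S" in p.flags and "A" not in p.flags:
                self.table[flow] = "SYN_SENT"          # new connection from inside
            elif flow not in self.table:
                return "deny"                          # outbound data on a flow we never saw
            elif "A" in p.flags and self.table[flow] == "SYN_SENT":
                self.table[flow] = "ESTABLISHED"       # third step of the handshake
            if "F" in p.flags or "R" in p.flags:
                self.table.pop(flow, None)             # connection closed by the inside
            return "permit"
        # Inbound: only replies to a flow the inside opened are allowed.
        flow = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(flow)
        if state is None:
            return "deny"                              # unsolicited inbound packet
        if state == "SYN_SENT" and p.flags != "SA":
            return "deny"                              # expected a SYN/ACK, got something else
        if "R" in p.flags:
            self.table.pop(flow, None)                 # peer reset the connection
        return "permit"

def sample_run() -> List[str]:
    """Run a constructed trace through a fresh filter and return the verdicts."""
    fw = StatefulFilter()
    pkts = [
        Packet("in", "203.0.113.9", 40000, "192.0.2.20", 22, "S"),     # unsolicited SSH
        Packet("out", "192.0.2.20", 51000, "198.51.100.7", 443, "S"),  # client opens TLS
        Packet("in", "198.51.100.7", 443, "192.0.2.20", 51000, "SA"),  # server replies
        Packet("out", "192.0.2.20", 51000, "198.51.100.7", 443, "A"),  # handshake done
        Packet("in", "198.51.100.7", 443, "192.0.2.20", 51000, "A"),   # data back
        Packet("in", "198.51.100.7", 443, "192.0.2.20", 51001, "A"),   # wrong port: no state
        Packet("out", "192.0.2.20", 51000, "198.51.100.7", 443, "FA"), # client closes
        Packet("in", "198.51.100.7", 443, "192.0.2.20", 51000, "A"),   # after close: denied
    ]
    return [fw.filter(p) for p in pkts]

if __name__ == "__main__":
    for verdict in sample_run():
        print(verdict)
```

Real connection trackers keep a closing flow around briefly (a TIME_WAIT-like state) so the peer's FIN and final ACK still get through; this toy drops the state at the first FIN to keep the table logic short.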
**Access Control List (ACL)**
- First line of defense on a network; controls which traffic is allowed through a router's interfaces and in which direction
- Threats mitigated by ACLs
    - IP address spoofing, inbound and outbound
    - DoS TCP SYN attacks
    - DoS Smurf attacks
    - Filtering ICMP messages inbound and outbound
    - Filtering traceroute
- Setting up an ACL
```
Access list made up mostly of if-then type statements, tested top to bottom
 if _condition_ is met
    then permit or deny (first match wins, no further statements are checked)
    else try the next statement
 if no statement matches: deny (implicit deny at the end of every ACL)
```
- Types of ACLs
    - Standard: uses the source IP address in the IP packet as the condition test; decisions are based on source IP only
        - Permits or denies the entire suite of protocols without distinguishing the type of IP traffic
    - Extended: evaluates many fields in the layer 3 and 4 headers of an IP packet
        - Source and destination IP addresses, the protocol field of the network-layer header, and the port numbers in the transport header
    - Inbound: packets are processed by the ACL before being routed to an outbound interface
        - Packets that are denied are discarded before routing completes, so they never consume a routing lookup
    - Outbound: packets are routed to the outbound interface first and then processed by the ACL before being queued on that interface

```
BASIC RULES (anti-spoofing, applied inbound on the internet-facing interface)
1. Deny any packet whose source address belongs to your internal networks
2. Deny any loopback source addresses (127.0.0.0/8)
3. Deny any reserved private source addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
4. Deny any source addresses in the IP multicast range (224.0.0.0/4)
```
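The ACL behaviour described above (top-to-bottom first match, implicit deny, standard entries that test only the source, extended entries that also test destination, protocol and port) as an added example that is not part of the original notes. The internal network, the web server address and the rule set are assumptions for the illustration; the four anti-spoofing entries at the top are the basic rules applied inbound on an assumed internet-facing interface.

```python
# Added example (not from the original notes): a first-match ACL evaluator
# with standard (source-only) and extended (src/dst/proto/port) entries and
# the implicit deny at the end of the list. Addresses and rules are invented.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # a standard entry sets only this
    dst: str = "0.0.0.0/0"          # extended entries add the fields below
    proto: str = "ip"               # "ip" matches any protocol
    dport: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """Return (action, reason). Entries are tested top to bottom, the first
    match wins, and a packet that matches nothing hits the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action, e.note or f"{e.action} {e.src}->{e.dst} {e.proto}"
    return "deny", "implicit deny"

INTERNAL = "192.0.2.0/24"   # assumed internal network (documentation range)
WEB = "192.0.2.10"          # assumed public web server inside it

# Inbound ACL on the outside interface: anti-spoofing first, then the two
# services the outside world is allowed to reach, then the implicit deny.
INBOUND_ACL = [
    Entry("deny", src=INTERNAL, note="rule 1: internal source arriving from outside is spoofed"),
    Entry("deny", src="127.0.0.0/8", note="rule 2: loopback source"),
    Entry("deny", src="10.0.0.0/8", note="rule 3: RFC 1918 source"),
    Entry("deny", src="172.16.0.0/12", note="rule 3: RFC 1918 source"),
    Entry("deny", src="192.168.0.0/16", note="rule 3: RFC 1918 source"),
    Entry("deny", src="224.0.0.0/4", note="rule 4: multicast source"),
    Entry("permit", dst=WEB, proto="tcp", dport=80, note="web server http"),
    Entry("permit", dst=WEB, proto="tcp", dport=443, note="web server https"),
]

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", WEB, "tcp", 443),   # normal client
        Packet("192.0.2.55", WEB, "tcp", 443),     # claims an internal source
        Packet("10.1.1.1", WEB, "tcp", 80),        # private source from the internet
        Packet("198.51.100.7", WEB, "tcp", 23),    # telnet: not permitted anywhere
        Packet("239.1.1.1", WEB, "udp", 53),       # multicast source
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, p.dport, evaluate(INBOUND_ACL, p))
```

Order matters: if the two permit entries were placed above the anti-spoofing denies, a spoofed packet aimed at port 443 of the web server would be permitted by the first match before the deny was ever reached.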
**Intrusion Detection and Prevention Systems**
- Help detect attacks and intrusions by looking for fingerprints of strange or malicious activity on the network or host
- Network IDS
    - Separate device attached to the network via a switch (typically on a mirror/SPAN port so it sees all traffic)
    - Can respond passively or actively
        - Passive: activity is logged and notifications are sent as alerts
        - Shunning: in these notes, choosing to ignore certain attack types that can't affect your network; note that Cisco uses "shun" for the opposite, temporarily blocking the attacker's source address
        - Active: can close a port being attacked (e.g. port 21 (FTP) under attack can be closed for 60 seconds)
            - Bad for any service that needs to be up 24/7, and an attacker can abuse it by spoofing attacks from addresses whose traffic you want to keep
        - Can create a honeypot
            - Intended to keep the attacker busy long enough to gather identifying information on them
- Host-based IDS
    - Typically implemented on servers; runs on a single system and detects abnormalities on that system alone by monitoring applications, system logs, and event logs
    - [Snort](https://www.snort.org/) is an open-source *network* IDS/IPS, not a host-based one; OSSEC is an example of an open-source host-based IDS
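A toy network IDS covering the behaviour above, added here as an example and not code from the original notes or from Snort: one detector matches byte signatures in the payload (the way a `content:` rule does), the other is stateful and counts SYNs per source inside a sliding window. The same engine runs in passive mode (log an alert) or active mode (block the source for a fixed window, with expiry, like the 60-second port close described above). The signatures, hosts, thresholds and the packet trace are all invented for the example.

```python
# Added example (not from the original notes): a toy NIDS with a signature
# detector and a SYN-flood counter, plus passive vs active response.
# Signatures, thresholds, addresses and the trace are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List

@dataclass
class Packet:
    t: float            # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: str = ""     # "S" for a bare SYN
    payload: bytes = b""

# Byte patterns that identify a known bad request (constructed for the example).
SIGNATURES = {
    "shellshock-style header": b"() { :;};",
    "php webshell upload": b"<?php eval(",
}

SYN_THRESHOLD = 20       # more SYNs than this from one source within SYN_WINDOW
SYN_WINDOW = 1.0         # seconds
BLOCK_SECONDS = 60.0     # active response: how long the source stays blocked

class IDS:
    def __init__(self, active: bool):
        self.active = active
        self.alerts: List[str] = []
        self.blocked: Dict[str, float] = {}                 # src -> unblock time
        self.syns: Dict[str, Deque[float]] = defaultdict(deque)

    def is_blocked(self, src: str, now: float) -> bool:
        until = self.blocked.get(src)
        if until is None:
            return False
        if now >= until:                                    # the block has expired
            del self.blocked[src]
            return False
        return True

    def _respond(self, p: Packet, msg: str) -> None:
        self.alerts.append(f"{p.t:.2f} {p.src} -> {p.dst}:{p.dport} {msg}")
        if self.active:
            self.blocked[p.src] = p.t + BLOCK_SECONDS       # active: shun the source

    def inspect(self, p: Packet) -> str:
        """Return 'blocked', 'alert' or 'ok' for one packet."""
        if self.is_blocked(p.src, p.t):
            return "blocked"
        for name, pattern in SIGNATURES.items():
            if pattern in p.payload:
                self._respond(p, f"signature: {name}")
                return "alert"
        if "S" in p.flags:
            q = self.syns[p.src]
            q.append(p.t)
            while q and p.t - q[0] > SYN_WINDOW:            # forget SYNs outside the window
                q.popleft()
            if len(q) > SYN_THRESHOLD:
                self._respond(p, f"syn flood: {len(q)} SYNs in {SYN_WINDOW}s")
                return "alert"
        return "ok"

def run(ids: IDS, trace: List[Packet]) -> List[str]:
    return [ids.inspect(p) for p in trace]

def sample_trace() -> List[Packet]:
    """Constructed trace: a normal GET, a webshell upload, then a SYN burst."""
    trace = [Packet(0.0, "198.51.100.5", "192.0.2.10", 80, "", b"GET / HTTP/1.1\r\n"),
             Packet(0.5, "198.51.100.9", "192.0.2.10", 80, "", b"<?php eval($_POST[x]);")]
    trace += [Packet(1.0 + i * 0.01, "203.0.113.4", "192.0.2.10", 21, "S") for i in range(25)]
    trace.append(Packet(30.0, "203.0.113.4", "192.0.2.10", 21, "S"))   # still inside the block window
    trace.append(Packet(70.0, "203.0.113.4", "192.0.2.10", 21, "S"))   # block has expired
    return trace

if __name__ == "__main__":
    ids = IDS(active=True)
    print(run(ids, sample_trace()))
    print("\n".join(ids.alerts))
```

In active mode the 21st SYN trips the threshold, the remaining SYNs of the burst and the one at 30 s are dropped as "blocked", and the SYN at 70 s is inspected again because the block has expired. In passive mode nothing is ever blocked, so every SYN past the threshold produces its own alert; that is the trade-off between the two response styles.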
        
### Principles
- Implicit deny
    - If a user isn't mentioned in the .allow file they are implicitly denied; anything not explicitly permitted is refused
    - Grant few people access rather than managing long deny lists
- Least privilege
    - Users get the bare minimum of resources they need to do their job
    - Access level is always the lowest that still works
- Separation of duties
    - Separate administrative duties so that no single admin controls the whole network and it is clear which admin has access to what
- Rotation
    - Cross-train people in various jobs and rotate them through those jobs, which also makes long-running abuse by one person harder to hide
    
**Access Control Models**
1. Mandatory Access Control (MAC)
- Everyone's role regarding the network and the information they may access is set in stone by the system, using labels (classification of the data, clearance of the user)
- Users can't share information unless the policy explicitly allows it
- Strictest and least flexible, which gives admins the most control
2. Discretionary Access Control (DAC)
- Users (the owners of the data) have a say about who can access what data
- Basically the opposite of MAC and can result in a completely open system if owners grant access freely
3. Role-Based Access Control (RBAC)
- Access to a resource is based on the *ROLE* of the individual within the company
- Users get access based on who they are and what they do, not on rights assigned to them individually
4. Rule-Based Access Control
- Predefined security policies based on specific *RULES* (time of day, source address, etc.) determine network access
- Assumes users with the same role may actually have different needs, so each request is judged against the rules rather than against the role alone
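The four models side by side as small policy checks, added here as an example and not part of the original notes. The users, labels, roles, office network and business hours are invented; the MAC check uses the simplified "no read up" rule (the user's clearance must be at least the object's classification), and every check denies by default when it knows nothing about the subject or object, which is the implicit-deny principle from the section above.

```python
# Added example (not from the original notes): MAC, DAC, RBAC and rule-based
# access checks with implicit deny. All names, labels, roles and rules are
# invented for the illustration.
from datetime import time
from typing import Dict, Set

# --- Mandatory: labels are assigned by the system, users cannot override ----
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
CLEARANCE = {"alice": "secret", "bob": "internal"}
CLASSIFICATION = {"payroll.xlsx": "confidential", "menu.txt": "public"}

def mac_allows(user: str, obj: str) -> bool:
    """No read up: clearance must dominate the object's label.
    Unknown users or objects are denied (implicit deny)."""
    if user not in CLEARANCE or obj not in CLASSIFICATION:
        return False
    return LEVELS[CLEARANCE[user]] >= LEVELS[CLASSIFICATION[obj]]

# --- Discretionary: the owner decides and can hand out access freely --------
OWNER = {"payroll.xlsx": "alice", "menu.txt": "bob"}
DAC_GRANTS: Dict[str, Set[str]] = {"payroll.xlsx": set(), "menu.txt": set()}

def dac_grant(granter: str, obj: str, grantee: str) -> bool:
    """Only the owner may grant; returns whether the grant was recorded."""
    if OWNER.get(obj) != granter:
        return False
    DAC_GRANTS[obj].add(grantee)
    return True

def dac_allows(user: str, obj: str) -> bool:
    return OWNER.get(obj) == user or user in DAC_GRANTS.get(obj, set())

# --- Role-based: permissions attach to roles, users attach to roles ---------
ROLE_PERMS = {"hr": {"read:payroll.xlsx"}, "staff": {"read:menu.txt"}}
USER_ROLES = {"alice": {"hr", "staff"}, "bob": {"staff"}}

def rbac_allows(user: str, action: str, obj: str) -> bool:
    needed = f"{action}:{obj}"
    return any(needed in ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, set()))

# --- Rule-based: a fixed policy evaluated against each request itself -------
BUSINESS_HOURS = (time(8, 0), time(18, 0))
OFFICE_NET = "192.0.2."            # assumed office prefix (documentation range)

def rule_allows(user: str, src_ip: str, now: time) -> bool:
    """Same user, same role, different outcome: the rules look at the request."""
    if not src_ip.startswith(OFFICE_NET):
        return False
    return BUSINESS_HOURS[0] <= now <= BUSINESS_HOURS[1]

def demo() -> Dict[str, bool]:
    dac_grant("alice", "payroll.xlsx", "bob")       # owner shares payroll with bob
    dac_grant("bob", "payroll.xlsx", "carol")       # bob is not the owner: ignored
    return {
        "mac alice->payroll": mac_allows("alice", "payroll.xlsx"),
        "mac bob->payroll": mac_allows("bob", "payroll.xlsx"),
        "dac bob->payroll": dac_allows("bob", "payroll.xlsx"),
        "dac carol->payroll": dac_allows("carol", "payroll.xlsx"),
        "rbac bob read payroll": rbac_allows("bob", "read", "payroll.xlsx"),
        "rbac alice read payroll": rbac_allows("alice", "read", "payroll.xlsx"),
        "rule office 10:00": rule_allows("bob", "192.0.2.44", time(10, 0)),
        "rule home 10:00": rule_allows("bob", "203.0.113.9", time(10, 0)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26} {'permit' if ok else 'deny'}")
```

The contrast to notice: under MAC bob is denied payroll no matter what alice wants, while under DAC alice can open it to him with one grant; under RBAC the decision never looks at the request, while the rule-based check for the very same user flips on source address and time of day.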