<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Pradheepa P</title>
    <description>The latest articles on DEV Community by Pradheepa P (@pradheepa).</description>
    <link>https://dev.to/pradheepa</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F630191%2F77bf664a-a0be-4542-b58d-b06ca3e8e783.jpg</url>
      <title>DEV Community: Pradheepa P</title>
      <link>https://dev.to/pradheepa</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/pradheepa"/>
    <language>en</language>
    <item>
      <title>Security 101 - Phishing</title>
      <dc:creator>Pradheepa P</dc:creator>
      <pubDate>Thu, 07 Dec 2023 11:10:31 +0000</pubDate>
      <link>https://dev.to/pradheepa/phishing-101-3amn</link>
      <guid>https://dev.to/pradheepa/phishing-101-3amn</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;Phishing is a deceptive technique employed by cyber-criminals to trick individuals into revealing sensitive information, such as login credentials, financial details, or personal data. The &lt;a href="https://apwg.org/"&gt;Anti-Phishing Working Group (APWG)&lt;/a&gt; publishes phishing statistics every quarter, and the trend is concerning: the volume of attacks has been increasing every year, and the attacks target both individuals and companies. According to the latest &lt;a href="https://docs.apwg.org/reports/apwg_trends_report_q1_2023.pdf"&gt;report&lt;/a&gt; from APWG, financial institutions take the major brunt of this attack.&lt;/p&gt;

&lt;p&gt;In this blog, we will explore the various phishing tactics and essential strategies to protect yourself from these malicious attacks.&lt;/p&gt;

&lt;h2&gt;
  
  
  Types of Phishing
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zxJUtH7M--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hu4lkk3pe11qo75ojuyk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zxJUtH7M--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hu4lkk3pe11qo75ojuyk.png" alt="Types of Phishing" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The methods of deception vary, ranging from a plain link that redirects to a malicious website to more advanced strategies targeting specific individuals or organizations. Following are the broadly classified categories of phishing.&lt;/p&gt;

&lt;h3&gt;
  
  
  Email Phishing:
&lt;/h3&gt;

&lt;p&gt;Attackers send deceptive emails posing as legitimate entities to trick recipients into providing sensitive information.&lt;/p&gt;

&lt;h3&gt;
  
  
  Smishing (SMS Phishing):
&lt;/h3&gt;

&lt;p&gt;Phishing attacks conducted through text messages, tricking individuals into clicking on malicious links or providing sensitive information.&lt;/p&gt;

&lt;h3&gt;
  
  
  Vishing (Voice Phishing):
&lt;/h3&gt;

&lt;p&gt;Phishing attacks over phone calls, where attackers use social engineering to manipulate individuals into divulging sensitive information.&lt;/p&gt;

&lt;h3&gt;
  
  
  Pharming (Page Hijacking):
&lt;/h3&gt;

&lt;p&gt;Redirects traffic for a legitimate website to a fraudulent copy by corrupting name resolution (a poisoned DNS cache, a tampered hosts file, or malware that changes the device's DNS settings), so even a correctly typed address lands on the attacker's page, which then collects sensitive information.&lt;/p&gt;

&lt;h3&gt;
  
  
  Clone Phishing:
&lt;/h3&gt;

&lt;p&gt;Attackers copy a legitimate email the recipient has already received and resend it with the link or attachment swapped for a malicious one, so the message looks familiar and trusted and the recipient is deceived into disclosing sensitive information.&lt;/p&gt;

&lt;h3&gt;
  
  
  Search Engine Phishing:
&lt;/h3&gt;

&lt;p&gt;Creation of fake websites optimized for search engines to lure users and extract sensitive information.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recognizing Phishing Attempts
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--SIz0lPlo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5nvxw8mv7n1odvz1ocuw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--SIz0lPlo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5nvxw8mv7n1odvz1ocuw.png" alt="How to Identify Phishing" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Although these attacks are widespread, victims often ignore some common red flags. Learning to differentiate legitimate communication from a potential threat is essential to identify phishing attempts. Following are some of the common red flags in a phishing message.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;A sense of urgency or threat ("your account will be suspended within 24 hours").&lt;/li&gt;
&lt;li&gt;A link that leads to a page asking you to enter your password, especially when the address bar shows a domain other than the one the message claims to come from.&lt;/li&gt;
&lt;li&gt;A request for a financial transaction on clicking the link.&lt;/li&gt;
&lt;li&gt;A prompt to grant full (remote) access to your laptop or mobile phone.&lt;/li&gt;
&lt;li&gt;An offer or promotion in the message that is too good to be true.&lt;/li&gt;
&lt;/ol&gt;
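&lt;p&gt;The red flags above that concern links can be checked mechanically before anyone clicks. The following Python script is an added example written for this page, not code from the original article: it takes each link as a (visible text, href) pair and flags a visible domain that differs from the real target, a brand name sitting in a look-alike domain, a punycode host, a bare IP address, credentials before an @ in the URL, and plain HTTP. The brand list and the sample links are constructed for the example.&lt;/p&gt;

```python
"""Link red-flag checks for a suspected phishing message (added example).

Each check encodes one of the warning signs above: a link whose visible
text names one site but whose target points elsewhere, a host that
imitates a known brand, or a URL shaped to hide its real destination.
The brand list and sample links are constructed for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allow-list: brands the reader actually uses, with their real domains.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "github": "github.com",
}

def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for the sample data; real code should use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def link_red_flags(visible_text, href):
    """Return the list of red flags raised by one link (empty list = none)."""
    flags = []
    parts = urlsplit(href)
    host = parts.hostname or ""

    # 1. Credentials or '@' in the URL: everything before '@' is userinfo, so
    #    'https://paypal.com@evil.example/' really goes to evil.example.
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")

    # 2. Bare IP address instead of a hostname.
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass

    # 3. Internationalised (punycode) label: often a homograph of a real brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")

    # 4. Plain HTTP for a page that will ask for a password.
    if parts.scheme == "http":
        flags.append("plain-http")

    # 5. Visible text names a domain that differs from where the link goes.
    text_host = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", visible_text.lower())
    if text_host and registrable_domain(text_host.group(0)) != registrable_domain(host):
        flags.append("text-href-mismatch")

    # 6. A known brand name appears in the host, but the registrable domain
    #    is not the brand's real one (paypal.com.account-verify.example, ...).
    reg = registrable_domain(host)
    for brand, real in KNOWN_BRANDS.items():
        if brand in host and reg != real:
            flags.append(f"brand-lookalike:{brand}")
    return flags

# Constructed sample links as they might appear in a suspicious email.
SAMPLE_LINKS = [
    ("https://www.paypal.com/signin", "https://www.paypal.com/signin"),
    ("https://www.paypal.com/signin", "http://paypal.com.account-verify.example/login"),
    ("Click here", "https://xn--pypal-4ve.com/"),
    ("microsoft.com", "https://203.0.113.9/owa"),
    ("secure.github.com", "https://github.com@198.51.100.7/ib"),
]

def triage(links=SAMPLE_LINKS):
    """Map each href to its red flags; anything non-empty is blocked or reported."""
    return {href: link_red_flags(text, href) for text, href in links}

if __name__ == "__main__":
    for href, flags in triage().items():
        print(("OK   " if not flags else "FLAG ") + href + "  " + ", ".join(flags))
```

&lt;p&gt;The registrable-domain helper keeps only the last two labels, which is fine for the sample data but wrong for suffixes such as co.uk; production code should use the public suffix list. The point of the check is that the visible text of a link is never evidence of where it goes; only the host in the href is.&lt;/p&gt;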

&lt;h2&gt;
  
  
  Protecting Yourself Against Phishing
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--QtNPZKmz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v4k0ddahkrzrtyye504f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--QtNPZKmz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v4k0ddahkrzrtyye504f.png" alt="Phish-Proof" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Enable multi-factor authentication, and prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys, which are bound to the genuine site's origin) over SMS or app codes, which a live phishing page can relay to the real site in real time.&lt;/li&gt;
&lt;li&gt;Use a unique password for every site (a password manager makes this practical and will refuse to autofill on a look-alike domain), and change a password immediately if you suspect it was entered on a phishing page; rotating it afterwards shrinks the window in which the stolen credential is useful.&lt;/li&gt;
&lt;li&gt;Don't give out financial or personal information on sites served over plain HTTP, and remember that HTTPS (the padlock) only proves the connection is encrypted, not that the site is genuine: phishing pages routinely carry valid certificates. Check the domain in the address bar instead.&lt;/li&gt;
&lt;li&gt;Stay informed of similar attacks in your region, and report suspected phishing to your organisation's security team or the institution being impersonated.&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>beginners</category>
      <category>cybersecurity</category>
      <category>web</category>
      <category>security</category>
    </item>
    <item>
      <title>VPC Peering</title>
      <dc:creator>Pradheepa P</dc:creator>
      <pubDate>Sun, 20 Jun 2021 14:15:11 +0000</pubDate>
      <link>https://dev.to/aws-builders/vpc-peering-1pg4</link>
      <guid>https://dev.to/aws-builders/vpc-peering-1pg4</guid>
      <description>&lt;h3&gt;
  
  
  Introduction
&lt;/h3&gt;

&lt;p&gt;Often, one logical group of resources in a virtual network (VPC) needs to interact with another. AWS provides options to connect VPCs in the same region and in different regions.&lt;/p&gt;

&lt;h3&gt;
  
  
  VPC Peering
&lt;/h3&gt;

&lt;p&gt;VPC Peering is a networking connection provided by AWS to connect two VPCs. The VPCs can belong to the same or different accounts. Since a VPC is a region-scoped entity, a peering connection can also be established between VPCs in different regions (inter-region peering), again within one account or across accounts. Once the peering is active and routes are in place, instances in either VPC can communicate with each other over private IP addresses as if they were in the same network; the traffic stays on the AWS network and never traverses the public internet.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GYgVuiFU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hofgdv0xrmta61ttbs1n.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GYgVuiFU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hofgdv0xrmta61ttbs1n.png" alt="VPC Peering" width="488" height="253"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  VPC Peering - Same Region
&lt;/h3&gt;

&lt;p&gt;To create a peering connection, go to the VPC dashboard and click &lt;code&gt;Create Peering Connection&lt;/code&gt;. The wizard looks as below. We select the local VPC (the requester) and then the VPC to peer with (the accepter). If we are connecting within the same account and region, we select &lt;code&gt;My Account&lt;/code&gt; and &lt;code&gt;This region&lt;/code&gt; and provide the ID of the accepter VPC; the console shows each VPC's CIDR block, so an overlap is visible before the request is sent.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Z7J4EVAD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/u9qnrzpr624lj7eadby8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Z7J4EVAD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/u9qnrzpr624lj7eadby8.png" alt="Create VPC Peering" width="800" height="752"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After creation, the peering connection is in the &lt;code&gt;Pending Acceptance&lt;/code&gt; state until the owner of the accepter VPC accepts it; even when both VPCs are in the same account, the request must be accepted explicitly. Once accepted, it looks like below, with the status &lt;code&gt;Active&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9Vkc0R47--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4c9k1jx1erajjd8zoka4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9Vkc0R47--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4c9k1jx1erajjd8zoka4.png" alt="VPC Peering Config" width="800" height="329"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The next step after the peering connection becomes active is to update the route tables of the subnets in both VPCs: each side needs a route whose destination is the peer VPC's CIDR block and whose target is the peering connection (its ID begins with &lt;code&gt;pcx-&lt;/code&gt;). Routing alone does not open traffic; the security groups and network ACLs on both sides must also allow it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--fUG_AVqw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qksygqwxvkmkahevxapv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--fUG_AVqw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qksygqwxvkmkahevxapv.png" alt="VPC Peering Route Table" width="800" height="327"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;VPC peering is a one-to-one connection between two VPCs. So, to connect to another VPC, another peering connection has to be created and the route tables updated again.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--S4SY82ju--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/02oek9va7fc4df93zrcj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--S4SY82ju--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/02oek9va7fc4df93zrcj.png" alt="Multiple VPC Peering" width="800" height="321"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If VPC A is peered with VPC B and with VPC C, that does not make VPC B and VPC C reachable from each other through A: peering is not transitive, and A will not forward traffic between its peers. A separate B-C peering connection has to be created to establish that relationship (for many VPCs, a hub such as AWS Transit Gateway is used instead of a full mesh of peerings).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ge_6hTT---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8g5ei0nmrqra84imcu0d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ge_6hTT---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8g5ei0nmrqra84imcu0d.png" alt="Multiple VPC Peering No Connection" width="800" height="325"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Things to know
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;A security group rule can reference a security group in the peer VPC, as long as both VPCs are in the same region.&lt;/li&gt;
&lt;li&gt;DNS hostnames of instances in the peer VPC can resolve to private IP addresses, but only after DNS resolution is enabled on the peering connection (it is off by default).&lt;/li&gt;
&lt;li&gt;Supports both IPv4 and IPv6 traffic over the peering.&lt;/li&gt;
&lt;li&gt;The VPCs cannot have overlapping CIDR blocks; the peering request fails if they do.&lt;/li&gt;
&lt;li&gt;There can be only one active peering connection between the same two VPCs; redundant peerings are not allowed.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Can you answer the following questions?
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;Can a NACL be shared among VPCs?&lt;/li&gt;
&lt;li&gt;How do you health check a VPC peering connection?&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  References
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;&lt;a href="https://d1.awsstatic.com/events/reinvent/2019/REPEAT_2_AWS_networking_fundamentals_NET201-R2.pdf"&gt;https://d1.awsstatic.com/events/reinvent/2019/REPEAT_2_AWS_networking_fundamentals_NET201-R2.pdf&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>aws</category>
      <category>vpc</category>
      <category>network</category>
      <category>peering</category>
    </item>
    <item>
      <title>Amazon VPC - An Overview</title>
      <dc:creator>Pradheepa P</dc:creator>
      <pubDate>Mon, 14 Jun 2021 09:45:50 +0000</pubDate>
      <link>https://dev.to/aws-builders/amazon-vpc-an-overview-2321</link>
      <guid>https://dev.to/aws-builders/amazon-vpc-an-overview-2321</guid>
      <description>&lt;h3&gt;
  
  
  Introduction
&lt;/h3&gt;

&lt;p&gt;Amazon VPC (Amazon Virtual Private Cloud) is used to launch AWS resources into a virtual network that you define. The components inside a VPC (subnets, route tables, security groups, network ACLs and gateways) define its traffic, security and routing configuration.&lt;/p&gt;

&lt;h3&gt;
  
  
  Regions and Availability Zones
&lt;/h3&gt;

&lt;p&gt;At the highest level, the AWS global infrastructure is divided into Regions. A Region is a physical location in the world, such as Ireland, London or Singapore. Each Region is composed of multiple Availability Zones (AZs), and each AZ is one or more discrete data centers with independent power, cooling and networking. For example (an illustration, not AWS's actual layout), if Singapore is the Region, AWS might have three data center sites in the east, west and south of Singapore that are isolated from one another. So if there is a power outage or an accidental fire in one data center, the others continue to operate without causing any disruption.&lt;/p&gt;

&lt;h3&gt;
  
  
  Amazon Virtual Private Cloud
&lt;/h3&gt;

&lt;p&gt;Having defined Regions and Availability Zones, the following diagram helps to fit VPC into the global infrastructure. An Amazon VPC is a virtual network created in a specific Region that can span all the Availability Zones in that Region.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm83rvz82s192fxz9ei26.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm83rvz82s192fxz9ei26.png" alt="Networking Series"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So when an instance is created inside the VPC, we choose which Availability Zone in the Region hosts it. An EC2 instance is a virtual machine with an IP address from the subnet it is launched in, running on a physical host in a data center in that Availability Zone.&lt;/p&gt;

&lt;p&gt;To visualize it, imagine placing your laptop (the instance) in one of your office premises at location A (Availability Zone a). If you visit another branch at location B (Availability Zone b) the next day to resume your work, the laptop you left at location A is not physically accessible to you. But if the data on the laptop at location A can be copied to another laptop at location B, you can resume your work there. You usually do not care about the physical location as long as you can perform the same function you did with the laptop at A.&lt;/p&gt;

&lt;p&gt;Although Availability Zones might seem redundant, most real-world applications are hosted in more than one Availability Zone for resiliency. So when we define our virtual network (VPC), it has the option to span multiple Availability Zones within the same Region.&lt;/p&gt;

&lt;h3&gt;
  
  
  CIDR Block
&lt;/h3&gt;

&lt;p&gt;To create a VPC, we need to define its &lt;a href="https://dev.to/aws-builders/networking-series-cidr-286h"&gt;CIDR block&lt;/a&gt;, the range of private IP addresses the VPC owns. This determines how many IP addresses, and therefore how many network interfaces and instances, the VPC can hold. Since this is defined at the VPC level, the range is later divided among subnets in different AZs.&lt;/p&gt;

&lt;p&gt;Let us consider the default VPC's &lt;code&gt;IP CIDR Block&lt;/code&gt;, which is &lt;code&gt;172.31.0.0/16&lt;/code&gt;. The /16 means the first 16 bits (the 172.31 segments) are fixed and cannot take any other value. This leaves room for the last two segments to take any number between 0 and 255, so the default VPC has 2&lt;sup&gt;16&lt;/sup&gt; = 65536 addresses. Not all of them are assignable: AWS reserves the first four and the last address of every subnet (network address, VPC router, DNS resolver, future use and broadcast), so a /24 subnet yields 251 usable addresses rather than 256.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F404ky50e0e1daqh2ag7t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F404ky50e0e1daqh2ag7t.png" alt="CIDR"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Subnets
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglycpb65e3wrta2igwaw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglycpb65e3wrta2igwaw.png" alt="Subnets"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can further divide the VPC's address range into subnets, each of which lives in exactly one AZ. Let us consider two /24 blocks, &lt;code&gt;172.31.0.0/24&lt;/code&gt; and &lt;code&gt;172.31.1.0/24&lt;/code&gt;, i.e. the ranges &lt;code&gt;(172.31.0.0 - 172.31.0.255)&lt;/code&gt; and &lt;code&gt;(172.31.1.0 - 172.31.1.255)&lt;/code&gt;, each with 256 IP addresses. We assign these two ranges to subnets in two different Availability Zones: the first AZ takes &lt;code&gt;(172.31.0.0 - 172.31.0.255)&lt;/code&gt; and the second &lt;code&gt;(172.31.1.0 - 172.31.1.255)&lt;/code&gt;. Let us consider only one Availability Zone, because the other is going to be an exact replica.&lt;/p&gt;

&lt;p&gt;I can use the entire 256-address range as one subnet or divide it further into multiple subnets (sub-networks) by lengthening the prefix. Two subnets within the AZ would be &lt;code&gt;172.31.0.0/25&lt;/code&gt; and &lt;code&gt;172.31.0.128/25&lt;/code&gt;, with 128 IP addresses each. Note that &lt;code&gt;172.31.128.0/24&lt;/code&gt; would be a different /24 elsewhere in the VPC, not half of &lt;code&gt;172.31.0.0/24&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy64ywihptemf754mesoz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy64ywihptemf754mesoz.png" alt="Subnets"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Security Groups
&lt;/h3&gt;

&lt;p&gt;The picture shows that in an Availability Zone we have created two subnets, one public and one private. What makes a subnet public is not its name but its route table: a public subnet has a route to an Internet Gateway and a private subnet does not. The traffic configuration (routes, security groups and network ACLs) has to be defined to make them behave that way.&lt;/p&gt;

&lt;p&gt;This is a very common real-world scenario for hosting a web application. The instances acting as web servers are public and should be reachable over HTTP (port 80) and HTTPS (port 443), but the database instances and application servers must not be reachable from the internet, only from the web servers. As shown in the diagram below, we can define two security groups, &lt;code&gt;Web Server Security Group&lt;/code&gt; and &lt;code&gt;App Server Security Group&lt;/code&gt;, and allow the app-server group to accept traffic only from the web-server group (a rule that references the other security group rather than an IP range).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fculakz4hfgbdnudffjtn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fculakz4hfgbdnudffjtn.png" alt="Security Group Inside VPC"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A security group controls inbound and outbound traffic. &lt;code&gt;Security Groups&lt;/code&gt; act at the instance level in a VPC (more precisely, per elastic network interface). Following is the wizard for creating a security group. We define the allowed inbound and outbound rules and associate the group with the VPC it belongs to.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm5hr4fzww91se1do85er.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm5hr4fzww91se1do85er.png" alt="Security Group Wizard"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Summary
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Act at the instance level (per network interface).&lt;/li&gt;
&lt;li&gt;Security group rules filter traffic based on protocol, port number and source or destination (a CIDR block or another security group).&lt;/li&gt;
&lt;li&gt;The rules are stateful: if an inbound connection is allowed (for example to port 443), the reply packets of that connection are allowed out regardless of the outbound rules, and vice versa. This does not mean new outbound connections to port 443 are allowed; those still need an outbound rule.&lt;/li&gt;
&lt;li&gt;There are no deny rules, only allow; anything not explicitly allowed is dropped.&lt;/li&gt;
&lt;li&gt;Instances in the same security group cannot talk to each other unless a rule allowing that traffic is added (for example an inbound rule whose source is the group itself; the default security group ships with such a rule, custom groups do not).&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  NACL (Network Access Control List)
&lt;/h3&gt;

&lt;p&gt;It is similar to a security group in that it defines network access inside the VPC, but it operates at the subnet level. If we want a common traffic rule across a whole subnet, we define it in the NACL. Following is the configuration of the default NACL created inside the default VPC. Here we can see the subnet associations in the third tab.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb11vk57616zf6ou5tyqa.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb11vk57616zf6ou5tyqa.png" alt="NACL"&gt;&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;This wizard shows the allowed inbound and outbound rules and the subnets associated with this NACL. This is unlike the security group, where we only define the inbound and outbound rules at creation time and associate the group with instances later, at launch or at any time afterwards by editing the instance's network interface. With a NACL, the subnets it applies to are part of its configuration, and every subnet is associated with exactly one NACL (the VPC's default NACL unless changed).&lt;/p&gt;

&lt;h4&gt;
  
  
  Summary
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Operate at the subnet level.&lt;/li&gt;
&lt;li&gt;Rules are stateless: inbound and outbound rules have to be defined explicitly. For example, an inbound allow on port 80 does not let the replies out, unlike a security group; the outbound rules must also allow the ephemeral port range the client chose (typically 1024-65535), or the connection fails. Anything not matched by a rule hits the final &lt;code&gt;*&lt;/code&gt; deny.&lt;/li&gt;
&lt;li&gt;Rules can both allow and deny, and are evaluated in ascending rule-number order; the first match decides, so a deny with a lower number wins over a broader allow with a higher number.&lt;/li&gt;
&lt;/ul&gt;
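&lt;p&gt;To make the two summaries concrete, the following Python script is an added example (not from the original article) that plays an HTTPS session through a stateful security group and a stateless network ACL. It shows the return-traffic problem that bites most first NACL configurations: the security group lets the reply out automatically, the NACL does not until an outbound rule for the client's ephemeral port range exists, and a low-numbered deny rule beats a later allow. The rule sets, IP addresses and the ephemeral range are constructed for the example.&lt;/p&gt;

```python
"""Security group versus network ACL evaluation (added example).

Plays the same flows through a stateful security group and a stateless
NACL: the security group allows the return half of a permitted
connection automatically; the NACL evaluates every packet on its own,
in rule-number order, first match wins, and falls through to an
implicit deny. Rule sets, addresses and flows are constructed.
"""
import ipaddress

EPHEMERAL = (1024, 65535)   # source-port range most clients pick for outgoing connections

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def port_in(port, port_range):
    lo, hi = port_range
    return port in range(lo, hi + 1)

class SecurityGroup:
    """Allow-only rules, stateful: once an inbound packet is allowed, its reply is allowed out."""
    def __init__(self, inbound, outbound):
        self.inbound = inbound      # list of (proto, cidr, (lo, hi)); port range = destination port
        self.outbound = outbound
        self.tracked = set()        # (remote_ip, local_port) pairs seen on an allowed inbound packet

    def allows(self, direction, proto, remote_ip, port, local_port=None):
        if direction == "in":
            ok = any(proto == p and in_cidr(remote_ip, c) and port_in(port, r)
                     for p, c, r in self.inbound)
            if ok:
                self.tracked.add((remote_ip, port))
            return ok
        # outbound: reply traffic for a tracked connection bypasses the outbound rules
        if (remote_ip, local_port) in self.tracked:
            return True
        return any(proto == p and in_cidr(remote_ip, c) and port_in(port, r)
                   for p, c, r in self.outbound)

class NetworkAcl:
    """Numbered allow/deny rules per direction, evaluated in ascending order; no state."""
    def __init__(self, inbound, outbound):
        # each rule: (number, proto, cidr, (lo, hi), action) with action "allow" or "deny"
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def allows(self, direction, proto, remote_ip, port):
        for _num, p, c, r, action in self.rules[direction]:
            if proto == p and in_cidr(remote_ip, c) and port_in(port, r):
                return action == "allow"
        return False   # the implicit '*' deny at the end of every NACL

# Constructed rule sets for a public web subnet.
WEB_SG = SecurityGroup(
    inbound=[("tcp", "0.0.0.0/0", (443, 443))],
    outbound=[],                                   # nothing explicitly allowed out
)
STRICT_NACL = NetworkAcl(
    inbound=[(100, "tcp", "0.0.0.0/0", (443, 443), "allow")],
    outbound=[],                                   # forgot the ephemeral-port return rule
)
FIXED_NACL = NetworkAcl(
    inbound=[(100, "tcp", "0.0.0.0/0", (443, 443), "allow")],
    outbound=[(100, "tcp", "0.0.0.0/0", EPHEMERAL, "allow")],
)
BLOCKLIST_NACL = NetworkAcl(
    inbound=[(90, "tcp", "198.51.100.0/24", (0, 65535), "deny"),   # deny a noisy range first
             (100, "tcp", "0.0.0.0/0", (443, 443), "allow")],
    outbound=[(100, "tcp", "0.0.0.0/0", EPHEMERAL, "allow")],
)

def https_session(sg, nacl, client_ip, client_port=51234):
    """Client connects to 443; the reply goes back to the client's ephemeral port.
    Inbound is checked NACL then SG, outbound SG then NACL. Returns (request_ok, reply_ok)."""
    request = nacl.allows("in", "tcp", client_ip, 443) and sg.allows("in", "tcp", client_ip, 443)
    reply = (sg.allows("out", "tcp", client_ip, client_port, local_port=443)
             and nacl.allows("out", "tcp", client_ip, client_port))
    return request, reply

if __name__ == "__main__":
    print("strict NACL:   ", https_session(WEB_SG, STRICT_NACL, "203.0.113.10"))     # (True, False)
    print("fixed NACL:    ", https_session(WEB_SG, FIXED_NACL, "203.0.113.10"))      # (True, True)
    print("blocklisted IP:", https_session(WEB_SG, BLOCKLIST_NACL, "198.51.100.5"))  # (False, False)
```

&lt;p&gt;The evaluation order in &lt;code&gt;https_session&lt;/code&gt; mirrors AWS: traffic entering a subnet is checked by the NACL first and then by the instance's security group; traffic leaving is checked by the security group first and then by the NACL. The strict NACL is the classic mistake: the handshake arrives, the security group is happy, and the reply is dropped at the subnet boundary.&lt;/p&gt;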

&lt;h3&gt;
  
  
  Route Tables
&lt;/h3&gt;

&lt;p&gt;A route table is like a traffic controller for the subnets in the VPC: it contains rules saying where packets for a given destination go. It is a directory of all the destinations reachable from the subnet. Often, I confuse route tables with NACLs because both are associated with the subnet.&lt;/p&gt;

&lt;p&gt;A sample route table for a public subnet looks like below. If the VPC was set up with the address space &lt;code&gt;172.16.0.0/16&lt;/code&gt;, the &lt;code&gt;local&lt;/code&gt; route for &lt;code&gt;172.16.0.0/16&lt;/code&gt; lets all resources within the VPC talk to each other without any additional configuration; this route is created automatically and cannot be removed. The next entry is the equivalent local route for the VPC's IPv6 range. Adding a route for &lt;code&gt;0.0.0.0/0&lt;/code&gt; with the Internet Gateway as target (the gateway has to be created and attached to the VPC before it can be referenced here) makes every subnet attached to this route table public, because it has a path to the internet; an instance in such a subnet still needs a public or Elastic IP address to actually be reachable.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqvpdgihplvnjca7i7cmm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqvpdgihplvnjca7i7cmm.png" alt="Public Route Table"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;To get to the internet, go via Internet Gateway&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F408cdm3oegtgmw3hzvxx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F408cdm3oegtgmw3hzvxx.png" alt="Private Route Table"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;To get to anything inside the VPC - stay local. No route anywhere else&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h4&gt;
  
  
  Summary
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Each subnet can be associated with only one route table at a time.&lt;/li&gt;
&lt;li&gt;A route table can be shared across subnets.&lt;/li&gt;
&lt;li&gt;All routing for a subnet is determined by its route table; the most specific matching route (longest prefix) wins.&lt;/li&gt;
&lt;li&gt;NACLs and security groups are for securing instances (they are found under the &lt;code&gt;SECURITY&lt;/code&gt; section of the VPC console) and are not meant for routing.&lt;/li&gt;
&lt;li&gt;Looking at the diagram below, traffic arriving from outside hits the route table attached to the subnet first, then the NACL at the subnet boundary and finally the security group on the instance; traffic leaving the instance is checked in the opposite order.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr6s6i8e3yd2ec95d2dca.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr6s6i8e3yd2ec95d2dca.png" alt="Route Table"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Internet Gateway
&lt;/h3&gt;

&lt;p&gt;As the name suggests, this is the gateway for public internet access. If we are hosting a web application, the web servers are usually public facing and must be reachable from the internet. To achieve this, we first create an Internet Gateway, attach it to the VPC and add the &lt;code&gt;0.0.0.0/0&lt;/code&gt; route in the subnet's route table; the instance also needs a public IPv4 address (or an Elastic IP). This allows internet traffic both to and from the instance, subject to the security group and NACL rules.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8jomk2g4ffbb81pnsl2e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8jomk2g4ffbb81pnsl2e.png" alt="Internet Gateway"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Network Address Translation (NAT) Gateway
&lt;/h3&gt;

&lt;p&gt;A NAT gateway is a Network Address Translation (NAT) service. It lets instances in a private subnet connect to services outside the VPC (for example, to pull security updates) while external services cannot initiate a connection to those instances. There are two types, public and private. A public NAT gateway is created in a public subnet, associated with an Elastic IP address, and reaches the internet through the Internet Gateway; a private NAT gateway has no Elastic IP and is used to reach other VPCs or on-premises networks through a transit gateway or virtual private gateway. Either way, the private subnet's route table needs a route whose target is the NAT gateway.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can you answer the following questions?
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;Can a subnet exist without a route table?&lt;/li&gt;
&lt;li&gt;What is the difference between a NACL and a route table?&lt;/li&gt;
&lt;li&gt;What is a CIDR block IP range?&lt;/li&gt;
&lt;li&gt;If the route table is associated with the subnet, why is it shown in the VPC console as part of the VPC configuration?&lt;/li&gt;
&lt;li&gt;How many route tables can a VPC have?&lt;/li&gt;
&lt;li&gt;What is the main route table in a VPC, and can you edit it?&lt;/li&gt;
&lt;li&gt;Is it possible to create another route table and make that the main route table?&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>aws</category>
      <category>vpc</category>
      <category>networking</category>
      <category>contentdelivery</category>
    </item>
    <item>
      <title>Networking Series - CIDR Block</title>
      <dc:creator>Pradheepa P</dc:creator>
      <pubDate>Sat, 05 Jun 2021 13:46:47 +0000</pubDate>
      <link>https://dev.to/aws-builders/networking-series-cidr-286h</link>
      <guid>https://dev.to/aws-builders/networking-series-cidr-286h</guid>
      <description>&lt;h3&gt;
  
  
  Introduction
&lt;/h3&gt;

&lt;p&gt;Before working on serverless technologies, most of the applications I worked on were hosted on-prem. I used to interact with the infrastructure team, and the questions they asked were sometimes not understandable to application developers. The talk about firewalls, IP addresses, SSL, FTP and Connect:Direct connections was too much to comprehend initially. With serverless application development the application developer need not know these terminologies, but it is good to understand what is behind the scenes.&lt;/p&gt;

&lt;p&gt;AWS opens the door for application developers to learn about the networking configuration used by their application. In on-prem applications the networking services are usually managed by a different team, and developers are not aware of the configuration; the interaction typically happens when the network team shares snippets of logs after an error occurred connecting to our application. But with more applications being developed on cloud services, developers can at least access the lower environment configurations (dev or staging), which usually mimic production. Let us start the series by getting to know what a CIDR block is.&lt;/p&gt;

&lt;h3&gt;
  
  
  CIDR Block (Classless Inter-Domain Routing)
&lt;/h3&gt;

&lt;p&gt;While creating a VPC in AWS, the second step is to provide the IP CIDR block, i.e. the range of IP addresses to be allocated to this VPC. It is of the format 10.0.0.0/16 (an IP address followed by / and a number). Most of us know the IP address format, but what does the number after the slash signify?&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbnkw9e8t3gjt3obvglvf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbnkw9e8t3gjt3obvglvf.png" alt="CIDR Block Range"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;CIDR is an industry standard (RFC 4632).&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The number after the slash is the prefix length: the number of leading bits of an IP address that must match for the address to be part of the CIDR block.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Each segment (octet) between the dots is eight bits, so the whole IPv4 address is 32 bits.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Let us take the IP address &lt;code&gt;10.0.0.0&lt;/code&gt; and represent it in binary as &lt;code&gt;0000 1010. 0000 0000. 0000 0000. 0000 0000&lt;/code&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Let us take the CIDR block &lt;code&gt;10.0.0.0/16&lt;/code&gt;. The number says that any IP address whose first 16 bits match is part of this block. Since the first 16 bits are fixed, the remaining 16 bits can take any value, hence 2&lt;sup&gt;16&lt;/sup&gt; = &lt;code&gt;65536&lt;/code&gt; IP addresses are available in this range.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;
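&lt;p&gt;The following Python script is an added example, not part of the original post, that does the arithmetic above with the standard library: it reports the mask and the fixed bits a /N prefix implies, the address count, the count AWS actually lets you assign in a subnet (AWS reserves five addresses per subnet), the membership test the prefix defines, and the split of a /24 into two /25 subnets, the subnet step the VPC overview post in this series walks through. The CIDR blocks are the ones used in this series; nothing else is assumed.&lt;/p&gt;

```python
"""CIDR arithmetic behind the /16 example above (added example).

Shows what the prefix length means: the mask, the fixed and variable
bits, the number of addresses, how many of those AWS lets you assign
in a subnet (five per subnet are reserved), the membership test, and
how a /24 splits into two /25 subnets. Blocks are the ones used in
this series; the reserved-five figure is from AWS documentation.
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS resolver, future use, broadcast

def describe(cidr):
    """Return the facts a /N notation encodes for an IPv4 block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "fixed_bits": format(int(net.network_address), "032b")[: net.prefixlen],
        "variable_bits": 32 - net.prefixlen,
        "addresses": net.num_addresses,          # 2 ** (32 - prefixlen)
        "usable_in_aws_subnet": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        "first": str(net[0]),
        "last": str(net[-1]),
    }

def split(cidr, new_prefixlen):
    """Carve a block into equal subnets with a longer prefix, e.g. a /24 into two /25s."""
    net = ipaddress.ip_network(cidr)
    return [str(s) for s in net.subnets(new_prefix=new_prefixlen)]

def contains(block, ip):
    """The membership test the prefix defines: do the first N bits of ip match the block?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(block)

if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "172.31.0.0/16", "172.31.0.0/24"):
        print(cidr, describe(cidr))
    print("172.31.0.0/24 split in two:", split("172.31.0.0/24", 25))
    print("10.0.5.7 in 10.0.0.0/16:", contains("10.0.0.0/16", "10.0.5.7"))
    print("10.1.0.1 in 10.0.0.0/16:", contains("10.0.0.0/16", "10.1.0.1"))
```

&lt;p&gt;&lt;code&gt;strict=True&lt;/code&gt; makes &lt;code&gt;ip_network&lt;/code&gt; reject a block whose host bits are not all zero (for example 10.0.5.0/16), which is the same check the VPC console applies when you type a CIDR; a rejected value usually means the prefix length and the address do not describe the same block.&lt;/p&gt;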

&lt;h3&gt;
  
  
  Additional Resources
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://www.colocationamerica.com/ip-calculator" rel="noopener noreferrer"&gt;https://www.colocationamerica.com/ip-calculator&lt;/a&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>vpc</category>
      <category>cidr</category>
      <category>networking</category>
    </item>
  </channel>
</rss>
