Download CISSP – Chapter 7

Document related concepts

Peering wikipedia , lookup

TCP congestion control wikipedia , lookup

Computer security wikipedia , lookup

AppleTalk wikipedia , lookup

Zigbee wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

Asynchronous Transfer Mode wikipedia , lookup

Net bias wikipedia , lookup

IEEE 1355 wikipedia , lookup

Network tap wikipedia , lookup

Airborne Networking wikipedia , lookup

Computer network wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Wireless security wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Deep packet inspection wikipedia , lookup

Distributed firewall wikipedia , lookup

Zero-configuration networking wikipedia , lookup

UniPro protocol stack wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Internet protocol suite wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Transcript
CISSP – Chapter 7
Telecommunications and Network
Security
Chapter 7
• This chapter is HUGE and honestly you are not
going to understand all of it unless you’ve done
a lot of network or network security in your life.
Don’t get too stressed, try to follow along I will
try to point out the most important things to
understand. If you have questions ASK ME,
luckily this is my area of expertise so I should be
able to help you out. Some questions may have
to be directed to after class or in between breaks
if they go to in depth.
Chapter 7 – OSI/Internet Model
483
• There is something called the “OSI” model that
lays out functional levels/different distinct
services that a network should provide. It’s not
actually used in real life but serves as a
reference. The “Internet (TCP/IP)” model is used
and maps directly to the OSI model, but is
simpler.
• The layered model defines that functionality a
certain layer should provide and provides
“Services” to the layer directly above it that that
layer can use. Each layer generally uses the
resources and functionality of the layer below it.
OSI model 484
• 7 layers
• A P S T N D P… “All People Seem to Need Data
Processing”… say that 10 times
–
–
–
–
–
–
–
Application
Presentation
Session
Transport
Network
Data link
Physical
OSI model – layer 1 physical 494
• Layer 1 Physical – simply put is concerned with
physically sending electric signals over a
medium. Is concerned with
– specific cabling,
– voltages and
– Timings
• This level actually sends data as electrical
signals that other equipment using the same
“physical” medium understand – ex. Ethernet
OSI model – layer 2 data link 492
• Layer 2 Data Link – data link goes hand in hand with
physical layer. The data link level actually defines the
format of how data “Frames”* will be sent over the
physical medium, so that two network cards of the same
network type will actually be able to communicate. These
frames are sent to the “physical” level to actually be
turned into the electronic signals that are sent over a
specific network. (layer 2 uses the services of layer 1)
• Two network cards on the same LAN communicate at
the data link layer.
• Data Link and Physical layers really go together to define
how a specific network type operates, in fact Layer 1 & 2
of the OSI model = layer 1 of the “TCP/IP model”
(Network Access)
(more)
OSI model – layer 2 - 492
• Protocols that use the data link layer
– ARP
– RARP
– PPP
– SLIP
– Any LAN format (Ethernet)
OSI model – layer 3 network - 491
• Layer 3 Network – For the Internet this is “IP”
which defines how “packets” are sent across
different physical networks/LANs. Layer 2 is
concerned with defining unique hosts on a
network, and routing packets between distinct
networks.
– Layer 3 protocols
• IP
• IPX/SPX
• Apple Talk
(more)
OSI model layer 3 network - 491
• For IP other protocols that “work” on this
layer are
– ICMP – IP “helpers” (like ping)
– IGMP – Internet Group Message Protocol
– RIP – routing protocol
– OSPF – routing protocol
– BGP – routing protocol
(more)
OSI Model Layer 3 - 491
• OSI layer 3 Network = Internet model layer
2 (Network)
• Layer 3 actually uses to services of the
data link layer to move data between two
computers on the same LAN.
OSI model Layer 4 Transport - 490
• OSI Layer 4 Transport – Provides “end-to-end”
data transport services and establishes a logical
connection between 2 computers systems”
• Virtual connection between “COMPUTERS”
• Protocols used at layer 4
– TCP
– UDP
• In the Internet Model this is layer 3
(transport/host to host)
• Layer 4 user the services of layer 3 to move data
between 2 different networks/hosts
OSI Model Layer 5 Session - 489
• OSI Layer 5 Session – responsible for establishing a
connection between two APPLICATIONS! (either on the
same computer or two different computers)
• Create connection
• Transfer data
• Release connection
• Protocols that work at this layer
– NFS
– SQL
– RPC
• Remember Session is setting up a conversation between
two applications rather than comptuers, however the
session layer uses the services of the layer beneth it
(transport) to move data between 2 computers
• OSI lay 5 = Internet model layer 3 (transport/host to host)
OSI model Layer 6 – Presentation 487
• OSI Layer 6 – present the data in a format
that all computers can understand
– Concerned with encryption, compression and
formatting
• Maps to layer 4 of the Internet Model
OSI model Layer 7 – Application 487
• This defines a protocol (way of sending data)
that two different programs or protocols
understand.
– HTTP
– SMTP
– DNS
• This is the layer that most software uses to talk
with other software.
• This maps to the Internet model Layer 4
(application)
Quick OSI review
• What layer is creates a connection between 2
applications?
• What layer turns the frames sent to it into the proper
voltages and timings to send across a wire?
• What layer is concerned with finding paths between
different networks?
• What layer is concerned with the formatting of the data?
• What layer is concerned with communicating between
two of the? same interface types on computers on the
same LAN?
• What layer creates a connection between two
computers?
• What layer is concerned with the data/protocol that the
application you are using uses?
Some network equipment and what
layers they generally work on
We will talk about these later on.
• Hub/repeater – physical
• Switch – data link
• Router – network
• firewall – can be one of many levels above
network
• Application proxy firewall – application
TCP/IP model
• Network Access = OSI layers 1 & 2, defines LAN
communication, what do I mean by that?
• Network = OSI layer 3 – defines addressing and
routing
• Transport/Host to Host = OSI layer 4, 5 – defines
a communication session between two
applications on one or two hosts
• Application = OSI layers 6,7 the application data
that is being sent across a network
OSI vs. TCP/IP model
TCP/IP (497)
• TCP/IP is a suite of protocols that define IP
communications.
• IP is a network layer protocol, and handles
addressing and routing
• We use IP version 4
• The main components of an IP address
– IP address
– Netmask
– What is the netmask used for?
– Host part, network part, like street address and zip
code.
(more)
TCP/IP class networks - 504
• Class A
– IP ranges 0.0.0.0 – 127.255.255.255
– Implied Netmask 255.255.255.0
– Lots of hosts (about 16 million)
• Class B
– IP ranges 128.0.0.0 to 192.255.255.255
– Implied netmask 255.255.0.0
– About 65,000 hosts
(more)
TCP/IP class networks - 504
• Class C
– IP ranges 192.0.0.0 to 223.255.255.255
– Implied netmask 255.255.255.0
– 254 hosts
• Class D
– IP ranges 224.0.0.0 to 239.255.255.255
– Reserved for multicast, not normal IP addresses
• Class E
– IP ranges 240.0.0.0 to 255.255.255.255
– Reserved for research
TCP/IP Classless networks
• Classes are not really used anymore, we
now use CIDR, which is just an IP address
and a netmask or /
– Ex. 172.16.1.0/24 = 172.16.1.0 with a
netmask of 255.255.255.0
TCP/IP - 504
• We currently use IPv4 with has 2^32
addresses (about 4 billion IP addresses)
however we are running out. IPv6 has
2^128 addresses (4 billion x 4 billion…
(NOT 16 billion))
• IPv6 also has a simplified format and
additional features such as IPSEC. (talk
about IP SEC later)
TCP/UDP - 498
• TCP/UDP handle the transport and session
layers. They setup a communications channel
between two programs talking over the network
• Programs talk via “ports” which are numbers that
generally define what program/services you
want to talk to (talk about this in a couple slides)
More on TCP/UDP in the next slides
TCP - 502
• Reliable connection-oriented protocol
– Has a true connection
– Starts with a 3-way handshake, (SYN, SYNACK, ACK) talk about this
TCP - 499
– Keeps state, and will guarantee delivery of
data to other side (or inform the application of
the inability to send) does this with sequence
and acknowledgement numbers, these
numbers also provide ordering to packets
– Has some security due to the state of the
connection
– Nice to program with, but slower/more
overhead because of the work done to
guarantee delivery.
UDP - 499
•
•
•
•
•
•
•
•
Like a postcard, each packet is separate
No guarantee on delivery
Best effort
Fast, little overhead
No sequence numbers (ordering)
No acknowledgements
No connection
Security issues due to lack of a connection
Ports - 501
• Both TCP and UDP use “ports” as the end points
of conversations. Ports for services that are
defined and static are called “well known ports”
some well know ports are
–
–
–
–
–
–
–
–
telnet TCP/23
Email (SMTP) TCP/25
Email (POP) TCP/110
Email (IMAP) TCP/143
Web (HTTP) TCP/80
Web (HTTPS) TCP/443
DNS TCP & UDP 53
FTP TCP/21 & 20
Random Networking Terms - 507
•
•
•
•
•
Latency
Bandwidth
Synchronous – synchronized via a time source
Asynchronous – not timed
Baseband – use the entire medium for
communication
• Broadband – slide the medium into multiple
channels for multiple simultaneous
communications
Random Networking Terms
• Unicast (524)
• Multicast (524)
• Broadcast (524)
Network Topologies (509)
•
•
•
•
Ring
Bus
Star
Mesh
• Talk about each of these
• Perhaps memorize chart at bottom of 511
Ethernet - 513
• Most common form of LAN networking,
has the following characteristics
– Shares media (only one person talks at a time
(at least without a switch)
– Broadcast and collision domains
– CSMA/CD
– Supports full duplex with a switch
– Defined by IEEE 802.3
Ethernet media types - 514
• 10Base2
– Thin net, coaxial cable (like TV cable, but
different electrically)
– Max length about 200 meters
– 10 Mbs second
– Requires a BNC connector
– BUS/Shared medium (security problems?)
– obsolete
(more)
Ethernet Media Types - 514
• 10base5
–
–
–
–
–
–
–
–
Thick net, thicker coax
Max length about 500 meters
10Mbs
Uses vampire taps
More resistant to electrical interference
BUS/shared medium
Used to be used as backbone
Obsolete
(more)
Ethernet Media Types - 514
• 10BaseT
– Length about 100 Meters
– 10Mbs second
– Twisted pair (like phone wire) (CAT 3)
– Use RJ-45 connector
– Use in star topology
– Susceptible to interference
– Mostly obsolete
(more)
Ethernet Media Types - 514
• 100BaseTX
– Length about 100 Meters
– 100Mbs
– Twisted pair (like phone wire) (CAT 5, 6)
– Use RJ-45 connector
– Use in star topology
– Susceptible to interference
(more)
Ethernet Media Types - 514
• 1000BaseT
– Length about 100 Meters
– 1000+Mbs
– Twisted pair (like phone wire) (CAT 5e,6)
– Use RJ-45 connector
– Use in star topology
– Susceptible to interference
Token Ring (516)
• Briefly describe token ring
– Ring topology, though using a HUB
– HUB = Multistation access Unit (MUA)
– Token passing for control of network
– Beaconing for failure detection
• Pretty much not used except legacy
networks
FDDI - 517
•
•
•
•
Similar to token ring but uses fiber.
High Speed
Used to be used as backbone networks
2 rings to create a “wrap” if one goes down
Cabling - 519
• Coaxial – copper core surrounded by a
shielding layer and a grounding wire.
– More resistant to EMI than UTP
– Note used much anymore
– Can be baseband (one channel Ethernet) or
broadband (multiple channels, cable TV)
Twisted Pair - 520
•
•
•
•
•
•
•
•
Like phone wire, but more wires.
RJ-45 connector
Two main “types” UTP, and STP
STP is shielded and better if you have EMI
issues
UTP is unshielded and susceptible to EMI and
crosstalk
UTP also gives off signals which could be picked
up if you have sufficient technology. (tempest
stuff)
“least secure vs. coax and fiber”
Chart on 521 (for your own study)
Fiber - 522
• Glass tubes
• High speed, long haul
• NOT effected by EMI, doesn’t “lose” signal
either (attenuation)
• Does NOT radiate energy, better security
• Expensive
• Difficult to work with
• Used in backbones
Media Access Technologies (526)
• Token Passing
• CSMA/CD – waits for clear, then starts talking,
detect collisions
• CSMA/CA – signals intent to talk
Collision Domain – where collisions can occur. (i.e.
two people try to talk at the same time) (how do
we make the collision domain smaller?)
What is a security impact of collision domains?
sniffing, DoS
LAN Protocols - 529
• ARP – Network Adapters have 2
addresses, and IP address, and a MAC
address. (what is each used for? How do
they relate? which “layer” does each exist
on?)
– ARP is the glue for relating the IP and the
MAC addresses
• Attacks
– ARP table poisoning – what is this how does it
happen, what would it do?
DHCP - 530
• DHCP – what is it what is it used for?
– Precursors
• RARP – what did it do?
• BOOTP – what did it do?
ICMP - 531
• ICMP – “IP helper”
– Echo request/reply
– Destination unreachable
– Source quench
– Redirect
– Trace route
• Security problems? Anyone?
• LOKI – sending data in ICMP messages.
(stealthy!)
Basic Networking Devices (536)
• There are different types of networking
devices that exist we will look at
• Repeaters
• Hubs
• Bridges
• Switches
• Routers
Repeaters - 536
• Layer 1 device
• No intelligence
• Simply repeats and electrical signal from
an input to an output.
• Used to increase range (ex. Put a repeater
200 meters down a 10Base2 run to double
the length)
Hub
• Multiport repeater
• The initial way to connect computer
together in a STAR configuration, using
twisted pair wiring
• Layer 1 device
• No intelligence
• Just repeats a signal down ALL the wires
Bridge (537)
• Layer 2 device, splits a LAN into 2 segments.
• A bridge builds a table of the layer 2 (MAC) addresses
on each side of the bridge and only forwards
communication if communication is between MAC
addresses on each side of the bridge
• Reduces collision domain by ½
• Does not affect broadcast domain (doesn’t affect
broadcast storms)
• Recreates the signal
• Can combine two network types into one LAN (i.e.
translate between LAN types)
• Uses “Spanning Tree algorithm” to detect loops.
Switch - 541
• Multi-port bridge (all the bridge attributes hold
true)
• Modern form of connecting computer together
on a LAN
• Allows full duplex communication (what do I
mean by this?)
• Each link is a separate collision domain
• Does not alter broadcast domains
• Can be used to create VLANS (talk about in a
few slides)
VLANs - 544
•
•
•
•
•
•
Virtual Lan
What is it
Why would it be used?
Do you still have to route between VLANS?*
Two different VLAN protocols
802.1Q*, or Cisco ISL* for trunking between
switches
• see picture on next slide
VLAN - 544
Routers - 539
• Work on layer 3 – Network layer
• Uses IP addresses to best route between
networks, is NOT used to create a LAN. You
must use hubs or switches to create a LAN,
routers go between LANS/networks to allows
communications between different
LANS/networks.
• Routers do NOT care about layer 2 (MAC
addresses)
• When would you use a router, when would you
use a switch?
• Routers can perform firewall functionality.
• Does not forward on broadcasts!*
Routers vs. Switches - 540
• You should understand the different
between a router and a switch. Also
memorize the table at the bottom of 540.
Now we need to talk about some routing
protocols
Routing Protocols (532)
• Routing is the dynamic updating and
sharing of routes to networks with other
routers in your company and thought the
internet. You can setup routes either
– Statically
– Dynamically
(discuss pros/cons of each, not too in-depth)
Routing Protocols (532)
• Some Dynamic routing protocols use the concept of an
“AS” Autonomous System, which groups a bunch of
networks together for an organization, and only advertise
the networks that can be reached in the AS, not the
details of the individual networks inside. These are
generally called “Exterior Routing Protocols” and are
used to connect different organizations together
• Other routing protocols try to advertise and track each
individual network separately. These are generally called
“Interior Routing Protocols” and are for use within an
organization
• A company can run IGP and EGPs at the same time,
how?
Dynamic Routing Protocols (533)
• Distance vector
– Builds a TABLE of all routes and a “distance”
to get to them along with the next hop router
– Susceptible to route-flapping
– Long “convergence” times
– Examples
• RIP
• IGRP
Dynamic routing protocols (533)
• Link State
– Actually builds a graph/map of all networks and the
ways to reach them. So the router can “see the entire
topography”
– Has quick convergence times
– Can take link speeds and other factors into
consideration
– Slow to build initially
– Requires a lot of resources
– Examples
• OSPF
Specific Routing Protocols (534+)
RIP
• DV algorithm used only in small networks, sends
entire route table every 30 seconds*.
• Max number of hops to a networks = 16*
• Slow convergence
• Only cares about hops, not network speed or
reliability etc.
• Original RIP could only use “Classful routing”, v2
allows classless (CIDR) routing*
Specific Routing Protocols (534)
• IGRP – DV protocol designed to solve
problems with RIP.
• Examines bandwidth and delay
• Converges faster than RIP
• No max hop limit
• New version is EIGRP (enhanced IGRP)
OSPF (534)
• Open Shortest Path First – Link State protocol
developed as a replacement for RIP.
• Supports Autonomous systems
• Builds a graph rather than a table
• Fast convergence
• Slow to start
• Requires high resources to build and maintain
map.
• Only sends link changes to other routers.
BGP (535)
• BGP is an exterior routing protocol
• Uses AS
• Used by ISPs and large companies as
their Internet Routing protocol. (to connect
to the internet)
Advanced Networking Devices
• These are devices that are beyond the
“basic” fundamental networking devices,
they generally provide some specific
advanced functionality.
• Let the slides begin!
Gateway - 545
• Generic Term for something that connects two
separate things together (can be any level).
• Default gateway = router to get you off your
network
• Application gateways – work at the application
level and help translate between two different
applications. (Ex. Windows and Unix file sharing)
• Email Gateway – translate between different
email types. (Exchange and SMTP)
PBX 547
• Private Branch Exchange – phone system
– Old systems “analog”
– New systems digital and VoIP
• Crackers that hack phone systems used to
be call “phreakers”
– Free calls (long distance)
– Masquerade as other people/hide calls
– Often this goes un-noticed as companies
often do not audit their phone bills closely
Firewalls - 548
• Enforce network policy.
• Generally firewalls are put on the perimeter of a network
and allow or deny traffic based on company or network
policy.
• MUST have IP forwarding turned off*
• Firewalls are often used to create a DMZ.
• Generally are dual/multi homed* (What do I mean by
this?)
• 5 types of firewalls (more in depth about each next
slides)
–
–
–
–
–
Packet filtering
Statefull
Proxy
Dynamic packet filtering
Kernel Proxy
Packet filter
• Uses Access control lists (ACLs), which
are rules that a firewall applies to each
packet it receives.
• Not statefull, just looks at the network and
transport layer packets (IP addresses,
ports, and “flags”)
– Do not look into the application, cannot block
viri etc.
– Generally do not support anything advanced
or custom
Statefull firewall
• Like packet filtering, however the router keeps
track of a connection. It knows which
“conversations” are active, who is involved etc.
• It allows return traffic to come back where a
packet filter would have to have a specific rule to
define returned traffic
• Keeps a state table which lists the state of the
conversations.
• More complex, and can launch DoS against by
trying to fill up all the entries in the state
tables/use up memory.
• If rebooted can disrupt conversation that had
been occurring.
Dynamic packet filtering
• Like a statefull firewall but more advanced.
Can actually rewrite rules dynamically.
• Some protocols such as FTP have
complex communications that require
multiple ports and protocols for a specific
application, packet and statefull filter
cannot handle these easily, however
dynamic packet filter can as they can
create rules on the fly as needed.
Proxy firewall – 552
• Works as a middleman
• Works only with the applications it understands.
• Inspects the data that is being past to look for
dangerous data (like viri) or incorrect usage of a
protocol.
• Also rewrites the address so the external hosts
only see the proxy. (stops direct access between
two computers, hides the internal network
structure) why is this good?
(more)
Proxy firewall - 552
+ looks at data at all levels, (though usually
concentrates on applications layer)
+ can provide very specific security tailored to
specific protocols and vulnerabilities
+ hides internal network
- Slow
- Can be a bottleneck
- Breaks the traditional client/server application
model which can cause issues on some
applications. Can make troubleshooting harder
(more)
Proxy firewalls - 552
• Two types of proxies
– Circuit level
– Application
• Talk about each of these on next slides
Application level proxies - 552
• Proxies only specific applications (ex.
HTTP, SMTP)
+ these can strongly protect and be aware of
specific vulnerabilities and protocol
violations, or dangerous data
+ can have logging or authentication
features
- Only work with the protocols that they
specifically understand
Circuit Level proxies - 554
• Works at a lower level (transport/session level)
to generically be a middle man between two
computer.
+ generally works with all network protocols, as it
doesn’t understand the actual applications
involved
- Cannot protect against, violations in the protocol
or bad data being passed around, main purpose
is to hide internal network and stop direct
communications between external machines
and internal machines.
- Example SOCKS, NAT, PNAT
NAT (577)
• Network address translation
– a type of generic network proxy
– Hides internal networks by rewriting internal
addresses
– Allows you to use “private” network addresses and
still have internet connectivity
– Protects internal machines from being accessed.
– Requires a pool of IP addresses to use. (mapping is
1-to-1)
(example next page)
NAT (577)
NAT (577)
Example: 10.0.0.1 want to talk to 175.56.28.03
– SRC = 10.0.0.1
– Dest = 175.56.28.03
Router at 215.37.32.203 intercepts request and changes
SRC to be 175.56.28.03
– SRC = 215.37.32.203
– DEST= 175.56.28.03
Destination send response
– SRC=175.56.28.03
– DEST = 215.37.32.203
Router accepts packet rewrites
– SRC = 175.56.28.03
– DEST = 10.0.0.1
Send packet to original requestor (10.0.0.1)
NAT (577)
• See handout for normal IP traffic and NAT
traffic
PNAT (577)
• Similar to NAT but only requires a single IP
address, rather than map IPs one to one, we
actually remap port numbers.
• Much more commonly used that NAT, a bit more
secure, as only established connections can
respond back to the sender, whereas in normal
NAT once a machine is using a temporary IP, the
outside world can establish connections back to
the originating computer.
Example next 2 slides
PNAT (577)
PNAT (577)
1. Client computer creates packet


SRC: 10.0.0.1:TCP:10000
DEST: 130.85.1.3:TCP:80
2. Router rewrites the SRC portion to be


SRC: 208.254.31.1:1026
Makes an entry in the PNAT table
3. End server accepts packet
4. End server creates return packet


SRC: 130.85.1.3:TCP:80
DEST: 208.254.31.1:1026
5. Router receives packet, rewrites destination to
be
–
DEST: 10.0.0.1:TCP:10000
6. Client receives the return packet
Basic Firewall best practices (563)
•
•
•
•
•
•
•
Block ICMP redirects
Keep ACLS simple
Implicit deny * what is this?
Disallow source routed packets* explain
Only keep open necessary ports/services
Block directed IP broadcasts
Block packets where the addresses seem
spoofed (how can you tell?)
• Enable logging
• Drop fragments, or re-assemble fragments…
Anyone know why?
Firewall issues
• Potential bottleneck
• Can restrict valid access
• Often mis-configured (not the firewalls
fault)
• Except for certain types (application
proxies) generally don’t filter out
malevolent data (viri etc)
• Don’t protect against inside attacks!*
Firewall architecture - 560
• Now that we understand firewalls, how do
we lay them out
DMZ
DMZ - 560
• A zone between the Internet and your
companies internal network where you put
your Internet accessible servers. A DMZ
usually has
– A of firewall between it and the Internet that
blocks access except to “Internet accessible
services”.
– A firewall between it and the internal company
network, usually a much more “locked down”
firewall that doesn’t allow any access into the
company
Bastion Host (560)
• Bastion Host – a server that is highly
locked down (hardened). Usually put in a
DMZ. These machines can be directly
accessed by the internet (though usually
though one layer of firewall) so they are
“hardened” (what do I mean by that?)
Dual Homed Firewall
• Pretty much any firewall, dual homed
means there are two network interfaces,
one on the “Internet” one on the “Internal
network”
• Multi-homed just means 2 or more
interfaces. Multi-homed firewalls may be
used to setup a DMZ with a single firewall.
(see next slide)
• On any dual/multi-homed machine, “IP
forwarding” should be disabled.*
Multi-homed firewall
Screened Subnet - 561
• A type of DMZ, where there is a “middle”
network where internet services reside
before the “Internal” network (see next
slide). In a screen subnet, there is usually
a router performing packet filtering before
the “first firewall”
Screen Subnet
Multiple interface firewalls - 560
• You may have a firewall that protects
internal networks from each other!
End of firewalls
Other Technological security
concepts (566)
• Honey pot – a machine left open for
attackers to try to hack.. Why?
• Honey net – same concept, but an entire
network, again why?
• What is the difference between
entrapment and enticement?*
NOS (568)
• NOS is just a term you should understand,
a Network Operating System. All modern
OSes are NOS. This just means they
manage more than just the local computer,
they usually provide or use network
services in a client server architecture.
Some features a NOS provides are on the
following slide
NOS (568)
• NOS features
– Directory services
– Remote access
– Clustering (sometimes)
– Authentication, authorization, Access Control,
Auditing
– File and printer sharing
– User management
– “redirector services” *what is this?
DNS - 569
• Network software uses IP addresses,
however these are difficult for users to
remember (especially in IPv6). So DNS is
used to help map “names” that we use
such as www.paladingrp.com to addresses
that computers use like 63.251.179.13
(more)
DNS - 569
• DNS uses a hierarchical model. Starting with the “.” then
the top level domains “com, edu, org” etc. “Sub domains”
are broken out into zones, and organizations can be
assigned authority for their own zones and run their own
DNS servers to provide DNS lookups for their own zone.
• A name server that is “authoritative for a zone” is called
an “authoritative name server” for example.
Paladingrp.com runs is authoritative for it’s own DNS
and has it’s own group of name servers that provide
DNS “resolution” to the rest of the Internet for names
ending in paladingrp.com
• Name server can be “primary” or “secondary” and
perform “Zone transfers” to each other
See next slide for example DNS hierarchy
DNS (also example on 571)
DNS
• Common top level domains are
– .COM
– .EDU
– .MIL
– .GOV
– .ORG
– .NET
• You should be aware of these above
DNS cache poisoning - 572
• Besides authoritative name servers
organizations also have “Caching” name
servers that simply do DNS resolution on
behalf of clients.
• One common attack is DNS cache
poisoning* – describe how that works and
the purpose of it.
DNS SEC
• DNS sec tries to ensure integrity of DNS
queries by signing them.* This will defeat
cache poisoning.
• authoritative DNS servers should NOT
also provide the “caching service”.
NIS - 573
• Network information System (NIS) – originally
called “YP” Yellow Pages. Provides shared
network information (ex user accounts, hosts
entries) for many computers in a “domain” (NOT
DNS domain or Windows domain) using “RPC”
– ypserv
– ypbind
• Files are sent clear text! Bad. Why?
NIS+ (574)
• Improved upon NIS performance
(hierarchal rather than flat namespace)
• Incremental updates
• Improved upon NIS security concerns.
(secure RPC), provides authentication,
authorization and encryption)
Intranet, Extranet - 579
• Intranet – internal IP network, though often
used to define a set of resources made
available through a web interface for
INTERNAL use
• Extranet – a set of network resources
(usually web based) for two companies to
collaborate or share resources, may or
may not make use of VPNs
LAN, WAN, MAN - 581
• LAN – local area network
– High speed
– Small physical area
• WAN – wide area network
– Used to connect LANS
– Generally slow, using serial links
• MAN – metropolitan area network
– Connect sites together within a medium range
area (like a city)
Types of links for WANs and MANS
• Dedicated/leased/point to point – a link that is
pre-established and used ONLY for
communications between 2 locations, it is
DEDICATED (see next slide) to their use
– Expensive, cost per distance
– Types
•
•
•
•
•
•
T1 - about 1.5Mbs
T3 - about 45 Mbs
Fractional T – some fraction of a T1/T3
T1s are time division multiplexed (what does this mean?)
T1s are annoying, because the “local loop portion” often fails
T1/T3 can also be used in shared/frame relay
Dedicated
Frame Relay - 592
• Data link protocol
• Not a point to point connection, but a
connection into a “cloud” (see next slide)
• CIR
• Uses virtual circuits (PVC)
• Uses DLCIs
• Still uses T1/T3 but rather than going all
the way, they just go to the nearest
“carriers” frame relay cloud POP.
Frame relay / cloud
WAN terms
Multiplexing
•
•
•
•
Time Division
Frequency Division
Wavelength Division
CDMA – speak multiple
“languages”/mathematic multiplexing
CSU/DSU - 589
• Channel Service Unit / Data service Unit –
effectively the “modem” for serial lines.
Circuit vs. Packet Switching - 590
• Packet-based networking vs. circuit based
– Packets are small, quick to send
– Routes vary
– Route determined after computer begins to send the
packet
– Can arrive from different routes in different order than
sent.
– Can introduce delays as packets traverse network,
where as with circuit switching the delays is before
data is sent (circuit/setup)
– Circuit switching – connection oriented/dedicated
resources and circuit
– Circuit switching has fixed delays.
ATM - 594
• A type of packet based switching used to
emulate circuit switching
– Used by telcos
– 53 byte packets
– Sets up a virtual circuit
– Guarantees resources once a circuit is setup
– Guarantees QoS
QoS - 595
• What is Qos, why is it needed?
VoIP - 598
• What is VoIP
• What are some concerns with VoIP
– Technical
• Latency, Jitter, dropped packets QoS
– Security
• Eavesdropping
• Caller id Spoofing and vishing
• Long Distance calls
• What is SIP?
• What is a call processor?
– Sets up calls, terminates calls.
(more)
VoIP
•
•
•
•
What is a voicemail server?
What is “convergence”
VoIP and VLANS/Priority?
What is an h.323 gateway?
Remote Access
Remote Access - 603
• Home users/remote users need a way to
access work (though some high security
places don’t allow offsite work)
– Dial Up
– ISDN
– DSL
– Cable Modems
Dial up - 603
• Advantages
– Reduce networking costs (use internet) as
opposed to dedicated connections
– Allows work from home
– Streamlines access to information
– Provides a competitive advantage
(more)
Dial Up - 603
• Disadvantages
– Back door into networks (bypass firewall)
– Often forgotten about
– Slow
• Attacks
– War dialing
• Defenses
–
–
–
–
Dial Back /
Caller ID restrictions
Use authentication
Answer after 4 or more rings (why/war dialing)
ISDN - 604
• Uses same lines as phone lines, directly
dial into company
– BRI
• 2 B Channels (64Kbits x 2)
• 1 D Channel (control channel) Out of Band
– PRI
• 23 B Channels
• 1 D Channel
• Not for personal use
DSL - 606
• MUCH faster than IDSN (6-30 times
faster)
• Must live very close to the DSL equipment
(a few miles)
• Symmetric and Asymmetric
• Always on (security concerns)
• Doesn’t connect directly to company / use
VPN
Cable Modem - 606
• High speed access up to 50Mbps via
cable TV lines.
• Shared bandwidth
• Always on (security concerns)
• Doesn’t connect directly to company,
require VPN
VPNs - 608
• Securely connect to companies network/extend
company network
• Private, usually encrypted connection
• Usually use tunneling
• Can be host to server or server to server
• Can provide internal IP addresses
• Can encrypt actual IP addresses
• Protocols
– PPTP
– L2TP
– IP Sec
(more)
Tunnels - 609
• Tunnel – a virtual path across a network
the encapsulates network packets within
OTHER IP packets
• Can use to tunnel non-IP protocols (like
IPX, NetBEUI)
• Can encrypt encapsulated packets for
extra security.
PPTP - 612
• Microsoft
• User gets connection to ISP
• Setups PPTP connection to server at
company
• Setup a tunnel
• Generally encrypt traffic
• Only works over IP networks*
• Designed for use in software*
L2TP - 613
• Same general functionality of PPTP but works
over other type of networks (non-IP) (ex. Frame
relay, X.25, ATM)
• Does not provide encryption or authentication!
Ouch, need to use IPSEC if wanting to do this
• Supports TACACS+, RADIUS, PPTP does not
• Meant to be implemented in hardware
• More of a carrier concept.
IPSEC (749 (chapter 8))
IPSEC a protocol providing a method for VPNs
between to sites
• Designed for IPv6
• Extended for use for IPv4
• Not a strict protocol, allows for extensibility with
encryption and authentication algorithms
• A “Framework”
• 2 main protocols AH and ESP (next slide)
• 2 modes “Tunnel and Transport” (2 slides away)
IPSEC
• AH - authentication header
– Protocol number 51
– Authentication only
• ESP – Encapsulating security payload
– Protocol number 50
– Encryption
Transport and Tunneling
• Transport does not actually tunnel IP
within IP. It only encapsulates the transport
layer and above
• Tunnel actually encapsulates IP within IP
an entirely new IP packet is encapsulated
within an external IP packet
See next slide
Transport vs. Tunnel
Example of transport
Example of Tunneling
IPSEC
• Each device in IPSec will have at least 1 security
association for each VPN connection it uses. A
SA is a set of parameters used for
communication and includes
–
–
–
–
Authentication and encryiption keys
Algorithms choosen
IP ranges
SAs are unidirectional, so usually you have at least 2
for each tunnel that exists (one for sending, one for
receiving)*
– An SPI (security parameter Index) is used to label
which SA that any packet is associated with
– Use “IKE/ISAKMP” on port 500 UDP for key
negotiations/SA setup*
Authentication Protocols - 614
• PAP
• CHAP
• EAP – framework not actual protocol
Remote Access Best Practices
•
•
•
•
•
•
•
Always authenticate users
Use multi-factor authentication
Audit access
Answer modems after 4 rings (modems)
Use caller id (modems)
Use callback (modems)
use VPNs
Wireless
Wireless (619)
• Wireless, very common now.
– No wires
– Easy to use
– Shared Medium (like Ethernet with Hubs…
what’s wrong with this? From security and
performance?)
– Uses CSMA/CA
Spread Spectrum - 619
• Spreads communication across different
frequencies available for the wireless device.
– Frequency Hopping Spread Spectrum
• Hop between frequencies (helps if other devices use same
frequencies) (doesn’t use the entire “bandwidth of
frequencies)
• Harder for eavesdroppers (if everybody didn't know the
sequence.. Which they actually do)
– Direct Sequence Spread Spectrum
• Sends data across entire bandwidth, using “chipping code”
along with data to appear as noise to other devices.
Wireless Components - 621
• Access points are like wireless “hubs”,
they create a “infrastructure WLAN”
• If you use just wireless cards of computers
to communicate together that is called an
“Ad-Hoc” network.
• Wireless devices must use the same
“channel”
• Devices are configured to use a specific
SSID (often broadcasted)
802.11 standard
•
•
•
•
Wireless networking
2.4, 3.6, 5 GHz
Data Link layer specifications
Access point (a type of bridge)
802.11 family
• 802.11a
– 54Mbps
– 5Ghz
– 8 channels
• 802.11b
– 11Mbs
– 2.4Ghz (same as other home devices)
• 802.11g
– 54Mbs
– 2.4Ghz
• 802.11n
– 100Mbs
Wireless security problems
•
•
•
•
Unauthorized access
sniffing
War driving
Unauthorized access points (Man in the
middle)
Wireless Authentication types - 623
• Open System Authentication
– Doesn’t actually require authentication
– can be sniffed
• Shared Key Authentication
– Requires each device use the same key, and
before access is granted a “challenge” occurs
Transmission encryption - 626
There are many different types of wireless
encryption protocols
• WEP
–
–
–
–
Shared passwords (why is this bad?)
64 or 128 bit
Easily crack able
Only option for 802.11b
• WPA Personal
–
–
–
–
Shared password
128 bit key
TKIP (what is TKIP?)
Implements a portion of 802.11i standard (later)
Transmission Encryption
• WPA2
–
–
–
–
more compliance with 802.11i standard
AES based algorithm
Also uses TKIP
Should use WPA2 as WPA can be cracked like WEP
• WPA Enterprise
– Uses 802.1X authentication to have individual
passwords for individual users
• RADIUS – what was radius again?
• 802.11i – the official IEEE wireless security
spec, officially supports WPA2
802.1X - 627
• Authenticated port based access control.
• Provides distinct user authentication
• Has “supplicant” (client), Authenticator
(AP) and Authentication Service (usually
radius)
Bluetooth (634)
• What is Bluetooth, what is the purpose?
– Blue jacking
– Blue snarfing
– Blue bugging
(next slides)
Mobile device security
• Blue jacking
– Sending forged message to nearby Bluetooth devices
– Need to be close
– Victim phone must be in “discoverable” mode
• Blue snarfing
– Copies information off of remote devices
• Blue bugging
–
–
–
–
More serious
Allows full use of phone
Allows one to make calls
Can eavesdrop on calls
WAP (636)
• Wireless Application Protocol
– What is it
– What is the purpose?
– WML (wireless markup language)
– WTLS ( wireless transport layer security)
– Requires a “gateway”
• Between WTLS and HTTPS there is an encryption
gap.
– Authentication
• Class 1 – none
• Class 2 – server authenticates to wireless
• Class 3 – mutual authentication
Some attacks against
software and systems
Root Kit
• What is a root kit?
MAC flooding
• What is it, what is the purpose?
Smurf
• Describe Smurf
– Forge source address
– Ping broadcast address
• Countermeasures
– Disable directed broadcasts at perimeter
routers
– Configure routers to drop forged packets
– Employ and IDS
Fraggle (like Fraggle rock)
• Like Smurf, but uses UDP (echo and
chargen)
• Countermeasures
– Disable directed broadcasts on perimeter
– Disable address forging
– Disable echo and chargen services
– Block echo and chargen ports on router
– Use an IDS
SYN flood
• Describe 3 way handshake (not too in-depth)
• Describe listen queue
• Describe SYN flood
• What does it accomplish
Countermeasures
• Decrease connection-establish timeout
• Increase listen queue size
• Patch
• Use and IDS
• Use a Firewall
Tear Drop
Overlapping fragments, cause OS to get
confused and crash.
Countermeasures
• Patch the OS
• Drop fragments (problems?)
• Use a firewall that does fragment reassembly.
DDoS
• What is it, why is it hard to defend against
• What previously discussed thing is used in
DDoS attacks?
Countermeasures
• Good luck.
Buffer Overflows
• What are they? What are the attributes of
a buffer overflow?
From Chapter 5
• Maintenance Hooks
• Time of Check/ Time of Use Attacks