Chapter 9: Network Fundamentals
Campus Area Network (CAN)
A network connecting any number of buildings in an office or university complex.
Metropolitan Area Network (MAN)
A network designed for a specific geographic locality such as a town or a city.
Asynchronous Transfer Mode (ATM)
A protocol based on transferring data in fixed-size packets. The fixed sizes help ensure that no single data type monopolizes (dominates) the available bandwidth.
The importance of understanding TCP/IP protocols
A security professional must understand how the various TCP/IP protocols operate. For example, if you are looking at a packet capture of a suspected port scan, you need to know how "normal" TCP and UDP traffic works so you will be able to spot "abnormal" traffic.
X.25A Protocol
Developed by the Comite Consultatif International Telephonique Et Telegraphique (CCITT) for the use in packet switched networks. was disbanded in 1992.
Trunking (isolation)
IEEE 802.1Q is the process of spanning a single VLAN across multiple switches.
Local Packet Delivery
Each network card or network device is supposed to have a unique hardware address (Media Access Control (MAC)) so that it can be specifically addressed for network traffic. make sure to know the difference between Mandatory Access Control (Access Control Policy) and Media Access Control (MAC/Layer 2 address)
Internet Protocol (IP)
The internet protocol encompasses a suite of protocols for managing and transmitting data between packet-switched computer networks, originally developed for the department of defense. Most users are familiar with IP protocols such as email, FTP, Telnet, and HTTP.
Token Ring
A LAN protocol developed by IBM that requires systems to posses the network "token" before transmitting data.
Star Topology
Network components are connected to a central point.
Conduit (isolation)
a path for the flow of data between zones
Proxies
are servers that acts as a go-between between clients and other systems. They act on a client's behalf.
Storage Area Network (SAN)
A high-speed network connecting a variety of storage devices such as tape systems, raid arrays, optical drives, file servers, and others.
Fibre Channel (FC)
A high-speed storage network protocol that can transmit up to 16 gigabits per second. it is used to connect storage to computer systems
Virtual Local Area Network (VLAN)
A logical network allowing systems on different physical networks to interact as if they are connected to the same physical networks
Logical (VLAN) (isolation)
a virtual LAN is a logical implementation of a LAN and allows computers connected to different physical networks to act and communicate as if they are on the same physical network. VLANs are good if done properly
control systems
are computers used to control physical processes. example: traffic lights, refineries, manufacturing plants, critical infrastructure, etc..
Airgaps (isolation)
is a network that is not physically connected to another.
Honeynets
is a network used to lure/deceive attackers. aka decoy also provides insight into the attacker's methods and tools.
VPN Concentrator
is a specialized piece of equipment used to encrypt/decrypt many VPN connections.
DDOS Mitigator
should be placed on the perimeter network so that it can detect and mitigate a DDoS attack must exist outside the area they are protecting
Site to Site
site to site communication links are network connections that link two or more networks across an intermediary network layer (internet) usually done through VPN connections
ICMP message codes IPv4
type ICMPv4 0 Echo reply 1 Reserved 2 Reserved 3 Destination unreachable 4 Source quench (deprecated) 5 Redirect 8 Echo request 11 Time exceeded 13 Timestamp 30 Traceroute (deprecated)
Filters
use the process of passing or blocking packets at a network interface based on the source and destination address, ports, or protocols.
Domain Name System (DNS)
was created to translate IP addresses into names that we can remember (i.e www.google.com/web address/FQDN) you can use the tracert command to verify a IP address.
TCP Packet Flags
there are 8 different flags in a TCP packet and when a flag is "set", it is set with a value of 1. The 8 flags are: CWR (Congestion Window Reduced) - This is set by a host to indicate that it received a packet with the ECE flag set and is taking action to help reduce congestion. ECE (ECN-Echo) - Indicates that the TCP peer is ECN capable when used during the three-way handshake. During normal traffic, this flag means that a packet with a congestion experienced flag in its IP header was received by the host sending this packet. URG (Urgent) - When set, the urgent pointer in the packet should be read as valid and followed for additional data. ACK (Acknowledgement) - Indicates that the data in the ACK field should be processed. PSH (Push) - Indicates that data delivery should start immediately rather than waiting for buffers to fill up first. RST (Reset) - Resets the current connection. This is a start-over feature often used by IPS/IDS (Prevention/Detection) devices to interrupt sessions. SYN (Synchronize) - Used to help synchronize sequence numbers. FIN (Finish) - Indicates the sender is finished and has no more data to send. ICMP is a connectionless protocol. It was designed to carry small messages quickly with minimal overhead or impact to bandwidth. ICMP is vulnerable to denial of service attacks.
IP Packet:
To better understand packet structure, let's examine the packet structure defined by the IP protocol. an IP Packet has two main sections: 1. Header - this section contains all of the information needed to describe the packet 2. the data section (aka Payload) In IPv4, there are common fields to describe the following options: -what kind of packet is it (Protocol Version Number). -how large is the header (Packet Header Length). -how to process this packet (a type of service telling the network whether or not to use options such as minimize delay, maximize throughput, maximize reliability, and minimize cost). -how large the entire packet is (overall packet length) because this is a 16-bit field, the maximum size of an IP packet is 65,535 bytes, but in practice, most packets are around 1,500 bytes. -a unique identifier so that this packet can be distinguished from other packets. -whether or not this packet is part of a longer data stream and should be handled relative to other packets. -flags that indicate whether or not special handling of this packet. -a description of where this packet fits into the data stream as compared to other packets (fragment offset). -a "time to live" field that indicates the packet should be discarded if the value is zero. -a protocol field that describes the encapsulated protocol -a checksum of the packet header (to minimize the potential for data corruption during transmission) -where the packet is from (source IP address) -where the packet is going (destination IP address) -option flags that govern security and handling restrictions, whether or not to record the route this packet has taken, whether or not to record time stamps, and so on. -the data the packet carries
IPv6 top security concerns:
-lack of IPv6 security training/education -security device bypass via IPv6 -Poor IPv6 security -Address notation makes grepping through logs difficult if not impossible -IPv6 complexity increases operational challenges for correct deployment
Peer to Peer
A network in which every system is treated as an equal, such as a home network.
Client/Server
A network in which powerful, dedicated systems called servers provide resources to individual workstations, or clients
ICMPv6 Error Messages (0-127)
Type Error Message 0 Reserved 1 Destination unreachable 2 Packet too big 3 Time exceeded 4 Parameter problem 5 Reserved 8 Reserved 11 Reserved 13 Reserved 30 Reserved
Encapsulation and Security:
A packet is created by aggregation. Working down the OSI stack, the entire datagram becomes the data segment for the next layer, getting a new header. When the TCP header is added, one of the elements is the TCP handshake, which is added to the first packet. The handshake is done by setting bits in the TCP header. This does not prevent the data from being transmitted in the first packet, and this has been used by hackers to avoid detection by some security tools. The reason is that many applications wait until the handshake is complete before processing data, but this is not correct because even the data within the SYN packet should be processed. It is important to understand how information is embedded in the encapsulation process, both in the header and the datagram.
Systems Network Architecture (SNA)
A set of network protocols developed by IBM, originally used to connect IBM's mainframe systems.
Aggregation Switches
A switch that provides connectivity for several other Layer 2 switches. Think of one to many. It's the one switch that many other switches will be connecting to.
FCoE (Fibre Channel over Ethernet)
A technology that encapsulates Fibre Channel frames over Ethernet networks allowing FC to use 10 Gigabit Ethernet networks (or higher) while preserving the Fibre Channel protocol.
ARP Attacks
Address Resolution Protocol (ARP) operates in a simplistic and efficient manner: It sends out a broadcast request and receives a unicast reply. This method leaves ARP open to attack, which in turn can result in the loss of Integrity, Confidentiality, and Availability. There are a wide range of ARP-specific attacks, but one can classify them into types based on effect such as: ARP Poisoning - it is a man-in-the-middle attack in which false entries are inserted into a machine's ARP cache. The attacker can use this method to inject himself into the middle of a communication, hijack a session, sniff traffic to obtain passwords or other sensitive items, or block the flow of data, creating a denial of service. Higher level packet protections such as IPSEC can be employed so that the packets are unreachable by interlopers. This is one of the security gains associated with IPv6, because when security is employed at the IPSEC level, packets are protected below the IP level, making layer 2 attacks less successful.
ICMPv6 Informational Messages (128-255)
Type informational message 128 echo request 129 echo reply 130 Multicast listener query 131 Multicast listener report 132 Multicast listener done 133 Router solicitation (NDP) 134 Router advertisement (NDP) 135 Neighbor Solicitation (NDP) 136 Neighbor advertisement (NDP) 137 Redirect Message (NDP) 138 Router renumbering 139 ICMP Node Information Query 140 ICMP Node Information Response 141 Inverse Neighbor Discovery Solicitation Message 142 Inverse Neighbor Discovery Advertisement Message 143 Multicast listener discovery (MLDv2) reports (RFC3810) 144 Home agent address discovery request message 145 Home agent address discover reply message 146 Mobile prefix solicitation 147 Mobile prefix advertisement 148 Certification Path Solicitation (send) 149 Certification Path Advertisement (send) 151 Multicast Router Advertisement (MRD) 152 Multicast Router Solicitation (MRD) 153 Multicast Router Termination (MRD) 155 RPL control message 255 Reserved for expansion
Dynamic Host Configuration Protocol (DHCP)
When an administrator sets up a network, they usually assign IP addresses in one of two ways: 1. Statically = manually 2. DHCP = Dynamically/automatically assigned When a system boots up and is connected to a network, it sends a DHCP query looking for a DHCP server. The DHCP server then assigns the system with an IP address from its pool of available addresses. If the DHCP server has assigned all of the IP addresses within its pool, it would not be able to assign one to the system. The DHCP server leases the IP addresses from its pool with a limited lifespan. Once the time is up the system must renew or request another IP.
Maximum Transmission Unit (MTU)
When packets are transmitted across a network, there are many intervening protocols and pieces of equipment, each with its own set of limitations. The Maximum Transmission Unit (MTU) is the largest packet that can be carried across a network channel. Default MTU size = 1500/1514 The value of the MTU is used by TCP to prevent packet fragmentation.
Remote Packet Delivery:
While packet delivery on a LAN is usually accomplished with MAC addresses, packet delivery to a distant system is usually accomplished using Internet Protocol addresses (IP) IPv4 addresses are 32-bit numbers that are expressed as a group of four numbers (octets) Example: 127.0.0.1
Wireless:
Wireless network is the transmission of packetized data by means of a physical topology that does not use physical links. Wireless networks use radio waves as their medium to transmit packets, and those radio waves don't stop at the walls of your house or your organization. Anyone within range can "see" those radio waves and attempt to either sniff your traffic or connect to your network. Encryption, MAC address filtering, and suppression of beacon frames are all security mechanisms to consider when using wireless networks. The topology of wireless networks is either hub-and-spoke or mesh. With tuning and proper antenna alignment and placement of the access points, the desired areas of coverage can be achieved and interference minimized.
Intranet
a "private" network that is accessible only to authorized users. Many large corporations host an intranet to facilitate information sharing within their organization.
Guest
a guest zone is a network segment that is isolated from systems that guests would never need to access.
Extranet
an extranet is an extension of a selected portion of a company's intranet (a specialized type of DMZ) to external partners. This allows a business to share information with customers, suppliers, partners, and other trusted groups while using a common set of internet protocols to facilitate operations. implies both privacy and security
Intranet
an intranet describes a network that has the same functionality as the internet for users but lies completely inside the trusted area of a network and is under the security and control of a system and network administrators. aka private internal network.
Sensors
are devices that capture data and act upon it. Sensors can be divided into two types: 1. Network - can provide coverage but are limited by traffic engineering. (senses network) 2. Host - provide more accurate info but it is limited to the host (blind to network occurrences)
Flat networks
are network designs which avoid packet looping issues through an architecture that does not have tiers. aka network fabric
Firewalls
are policy enforcement engines that determine whether or not traffic can pass based on a set of rules
Collectors
are sensors that collects data for processing by other systems.
Storage Area Network (SAN)
are systems that provide remote storage of data across a network connection.
ICMPv4 type 3 Message codes
code name/description 1 Net unreachable 2 Host unreachable 3 Protocol unreachable 4 Port unreachable 5 Fragmentation needed and DF bit set 6 source route failed 7 Destination network unknown 8 Destination host unknown 9 Source host isolated 10 Communication with destination network is administratively prohibited 11 Communication with destination host is administratively prohibited 12 Destination network is unreachable for TOS 13 Destination host is unreachable for TOS
Zone (isolation)
is a grouping of elements that share common security requirements zones are created through firewall rules or routing
Broadcast domain (isolation)
is a logical division of a computer network. systems connected to a broadcast domain can talk as if they are a part of the same physical network.
Network
is a means to connect two or more computers together for the purpose of sharing information. A network can be a group of friends or associates, a series of interconnected tunnels, or, from a computer-oriented perspective, a collection of interconnected devices.
Tunneling
is a method of packaging packets so that they can traverse a network in a secure, confidential manner. tunneling involves encapsulating packets within packets, enabling dissimilar protocols to co-exist in a single communication stream, as in IP traffic routed over an Asynchronous Transfer Mode (ATM) network. (encapsulation) examples: IPSEC, TLS, PPPoE, L2TP, VPN, etc..
Different Approaches For Implementing NAT:
Although the concept of NAT remains the same, there are actually several different approaches to implementing it: Static NAT - maps an internal private address to an external public address. The same public address is used for the same private address. This technique is often used when hosting something you wish the public may be able to reach such as a web server behind a firewall. Dynamic NAT - maps an internal private address to a public address selected from a pool of registered IP addresses. This technique is often used when translating addresses for end-user workstations and the NAT device must keep track of internal/external address mappings. Port Address Translation - Allows many different internal private addresses to share a single external IP address. Devices performing PAT replaces the source IP address with the NAT IP address and replaces the source port field with a port from an available connection pool. PAT devices keep a translation table to track which internal hosts are using which ports so that subsequent packets can be stamped with the same port number. When response packets are received, the PAT device reverses the process and forwards the packet to the correct internal host. PAT is a very popular NAT technique and it is used at many organizations.
DNSSEC
Because of the critical function DNS Performs and its security implications, a cryptographically signed version of DNS was created. DNSSEC is short for DNS security extension. DNSSEC was designed to protect DNS client resolvers from accepting forged DNS data, such as sent in a DNS cache poisoning attack. DNS answers in DNSSEC are digitally signed, providing a means of verifying integrity. DNSSEC adds new records to the DNS protocol, as well as a new header flag. the records are: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC/NSEC2). the new flags are: Checking Disabled (CD) and Authenticated Data (AD) When a DNS request is received, DNS provides a signed response, enabling the receiver of the response to have trust that the answer came from a reliable source.
Benefits of IPv6:
Changing from IPv4 to IPv6 is not a simple task because it will have an effect on every networked resource. IPv6 has many security features built into the base protocol series -has better routing capabilities due to its smaller routing table and faster packet processing. -allows bandwidth-intensive multimedia streams to be sent simultaneously to multiple destinations.
Enclaves (isolation)
Enclaves is the most commonly used term to describe sections of the network that are logically isolated by networking protocols. (zones)
Network architures:
Every network has an architecture, whether by design or by accident. Defining or describing a specific network's architecture involves identifying the network's physical configuration, logical operation, structure, procedures, data formats, protocols, and other components.
Should you block ICMP?
ICMP is a protocol that is used for troubleshooting, error reporting, and a wide variety of associated functionality. This functionality expands in ICMPv6 into multicasting. ICMP got a bad name because of issues associated with ping and traceroute commands (DOS), but these represent a tiny minority of the protocol's functionality. There are numerous, important uses associated with ICMP, and blocking it entirely is considered a bad practice that will lead to network inefficiencies. Blocking specific commands and sources makes sense. Blocking ICMPv6 in its entirety will block a lot of IPv6's functionality because ICMP is an integral part of the protocol suite.
Internet Protocol Suite Components:
IPv4 = Transport layer = TCP, UDP Network layer = TCP, ICMP, IGMP IPv6 = NDP, MLD
IP addresses and Subnetting:
IPv4 = a 32 bit address with 4 groups of 8 bits called octets Subnetting = is the process that is used to divide those 32 bits in an IP address and tell you how many of the 32 bits are being used for the Network ID and how many bits are being used for the Host ID. Subnet Mask = Tells exactly how much of the space is the network portion and how much is the host portion. you must convert the subnet mask and IP into binary and perform a bitwise AND operation to determine the network address.
Neighbor Discovery
IPv6 introduces the Neighbor Discovery Protocol (NDP) which is useful for auto-configuration of networks. NDP can enable a variety of interception and interruption threat modes. the function of ARP has been replaced by Neighbor Solication (NS) messages. DHCPv6 has undergone a similar rework so that it can interface with NDP and allow the auto-configuration of devices.
IPv6 and Fragmentation
In IPv6, to avoid fragmentation, hosts are required to determine the minimal path MTU before the transmission of packets to avoid fragmentation en route. Any fragmentation requirements in IPv6 are resolved at the origin, and if fragmentation is required, it occurs before sending.
Private Use IPs:
In addition, certain subnets are reserved for private (Intranet/Local LAN) use and are not routed across public networks such as the internet (WAN). Private use IPs: Class A = 10.0.0.0 - 10.255.255.255 Class B = 172.16.0.0 - 172.31.255.255 Class C = 192.168.0.0 - 192.168.255.255
ISCSI
Internet Small Computer System Interface is a protocol for IP based storage. economical.
Topology
Is how the network components are physically or logically arranged
Internet Control Message Protocol (ICMP)
Is probably the third most commonly used protocol. It is used as a mechanism for managing the overall infrastructure (handling connection status, traffic flow, availability, and errors)
Ethernet
Is the most widely implemented Layer 2 protocol. It is IEEE 802.3 and works by forwarding packets on a hop-to-hop basis using MAC addresses Layer 2 addressing can have numerous security implications such as: ARP Poisoning, Spanning tree algorithms can be attacked, VLANs can be hopped, etc.... Because of its near ubiquity, Ethernet is a common attack vector. Wireless connections are frequently considered to be weak from a security point of view, but so should ethernet unless you own the network, you should consider the network to be at risk.
Packet Fragmentation
Is the splitting of a packet while in transit into two packets so that they fit past an MTU bottleneck. Built into the internet protocol is a mechanism for the handling of packets that are larger than allowed across a hop (router/gateway) Under ICMPv4, a router has two options when it encounters a packet that is too large for the next hop: 1. break the packet into two fragments, sending each separately, 2. drop the packet and send an ICMP message back to the originator, indicating that the packet is too big.
SSL/TLS Accelerators
Is used to provide SSL encryption/decryption at scale, removing the load from web servers.
Wireless
It is good practice to have them in a separate zone. isolating the traffic to allow inspection before allowing it to interact with more critical resources.
Transmission Control Protocol (TCP)
Known as a connection-oriented protocol that offers reliability and guaranteed delivery of packets.
User Datagram Protocol (UDP)
Known as a connectionless oriented protocol that does not offer guarantees of packet delivery.
Mixed Topology
Larger networks, such as those inside an office complex, may use more than one topology at the same time.
Segregation/Segmentation/Isolation:
Network can segregate traffic through the use of addressing schemes that limit traffic to an enclave within the larger environment.
Ring Topology
Network components are connected to each other in a closed loop with each device directly connected to two other devices.
Bus Topology
Network components are connected to the same cable, often called "the bus" or "the backbone"
Packets
Networks are built to share information and resources, but like other forms of communication, networks and the effective protocols they use have limits and rules that must be followed for effective communications. For example, large chunks of data must typically be broken up into smaller, more manageable chunks before they are transmitted from one computer to another.
Network Function Virtualization (NFV)
Offers many of the same advantages that server virtualization offers.
Network Topology:
One major component of every network's architecture is the network's topology.
OSI Model
Open Systems Interconnection Model the OSI model is an International Organization for Standardization (ISO) standard for worldwide communications that defines a framework for implementing protocols and networking components in seven distinct layers. Layer 1 = Physical (Cables, Network Interface Cards) Layer 2 = Data link (MAC addresses, Switches) Layer 3 = Network (Routers, L3 switch, IP) Layer 4 = Transport (TCP, UDP) Layer 5 = Sessions Layer 6 = Presentation Layer 7 = Application (Port Numbers, and Services) acronym = All People Seem To Need Data Processing Control is passed down from one layer to another Top (7) - down (1) before it exits one system and enters another, where control is passed up bottom-up to complete the communication cycle.
Fiber Distributed Data Interface (FDDI)
Protocol for sending digital data over fiber optic cabling
Network Protocols:
Protocols are commonly accepted methods for communicating
Packet Delivery:
Protocols are designed to help information get from one place to another, but in order to deliver a packet, we must know where it is going. Packet delivery can be divided into 2 sections: 1. Local = Ethernet packet delivery (local network) 2. Remote = IP packet delivery (Internet) The biggest difference in local versus remote delivery is how the packets are addressed. Network systems have addresses, not unlike office numbers or street addresses, and before a packet can be successfully delivered, the sender needs to know the address of the destination system.
TCP vs UDP
Protocols are typically developed to enable a certain type of communication or solve a specific problem there are two protocols that have grown so much in popularity and use that without them, the internet as we know it would cease to exist. These protocols are: 1. Transmission Control Protocol 2. User Datagram Protocol These protocols run on top of the IP network protocol. As separate protocols they each have their own packet definitions, capabilities, and advantages. TCP performs a 3-way handshake (SYN, SYN-ACK, ACK) before establishing a connection. tearing down a TCP connection can be done by sending a packet with the TSP RST flag set or by performing a Four-way handshake (sending a TCP FIN packet) UDP provides speed and is usually used for video, audio, and DNS.
Samples of DNS record types:
Record Type Use: A IPv4 address AAAA IPv6 address MX mail exchange server for a DNS domain name TXT holds arbitrary text, such as SPF for email verification CNAME canonical name records for aliases NS specifies an authorititave name server for a given host PTR Used to lookup domain names based on an IP address SOA specifies core information about a DNS zone. RRSIG DNSSEC signature
Taps and Port Mirror
TAP (testing access point) or port mirroring is a passive signal copying mechanism between two points on the network. copies a port over to another for network sniffing/analyzing.
Load Balancer
Takes incoming traffic from one network location and distributes it across multiple network operations.
VPN Concentrators
Takes multiple individual VPN connections and terminates them into a single network point.
Wide Area Network (WAN)
Tends to be larger, covering a more geographic area, and consists of two or more systems in geographically separated areas connected by any of a variety of methods such as leased lines, radio waves, satellite relays, microwaves, or even dial up connections. With the advent of wireless networking as well as optical and cellular technology, the lines between LAN and WAN sometimes seem to merge seamlessly into a single network entity.
Internet
The "global network" connecting hundreds of millions of systems and users.
Ethernet
The LAN protocol developed jointly by Xerox, DEC, and Intel- the most widely implemented LAN standard (802.3)
Transmission Control Protocol/Internet Protocol (TCP/IP)
The collection of communications protocols used to connect hosts on the internet. TCP/IP is by far the most commonly used network protocol and is a combination of the TCP and IP protocols.
AppleTalk
The communications protocol developed by apple to connect Macintosh computers and printers.
Expanded address space (IPv6)
The expansion from the address space from 32 bits to 128 bits is a significant change. The IPv6 protocol was designed to allow for a hierarchical division of the address space into several layers of subnets, to assist in the maintaining of both efficient and logical address allocations. there is more than just an expanded address space in size. Each interface has three addresses: Link-Local - are used for a variety of communications, including mandatory addresses for communication between two IPv6 devices (like ARP but at layer 3). they begin with FE80 Unique-local - are non-routable addresses on the internet and are used for local communications they begin with FC00 Global - These addresses are good globally and are structured hierarchically. IPv6 no longer uses the concept of a broadcast message. There are 3 types of messages: Unicast - one to one delivery to a single interface Multicast - one to many delivery to all interfaces Anycast - One to one of many delivery to a single interface in the set that is closest.
Security Zones
The first aspect of security is a layered defense. Just as a castle has a moat, an outside wall, an inside wall, and even a keep, so too does a modern secure network has different layers of protection. Different zones are designed to provide layers of defense with the outer most layer providing basic protection and the inner most layer providing the highest level of protection. Between the inner, secure corporate network and the internet is an area where machines are considered to be at risk. This zone is considered to be the DMZ, where neither side has specific controls.
Internet
The internet is a worldwide connection of networks and it is used to transport emails, files, financial records, and remote access - you name it - from one network to another.
IPv4 vs IPv6
The most common version of IP in use is IPv4, but the release of IPv6, was spurred by the depletion of the IPv4 address space, and has begun a typical logarithmic adoption curve. IPv6 has many similarities to the previous version, but it also has significant new enhancements, many of which have significant security applications.
Internetwork Packet Exchange (IPX)
The networking protocol created by Novell for use with Novell Netware Operating Systems.
Security Device/Technology Placement:
The placement of security devices is related to the purpose of the device and the environment it requires.
Routing
The process of moving packets from one network to another. This is done via a network gateway called a router.
Signaling System 7 (SS7)
The telecommunications protocol used between Private Branch Exchanges (PBX) to handle tasks such as call setup, routing, and teardown
Rogue Device Detection:
There is always a risk of a unauthorized device being inserted on the network. Maintaining a list of all authorized MAC addresses can help detect these devices. Although MAC addresses can be spoofed, it will cause a conflict if the original device is present.
Automatic Private IP Addressing (APIPA)
These addresses are assigned when a host cannot find the DHCP server. 169.254.0.0 - 169.254.255.255 (something is wrong on the network)
Demiliterized Zone (DMZ)
is a military term for ground separating two opposing forces, by agreement and for the purpose of acting as a buffer between the two sides. In a computer network the DMZ works much in the same way; it acts as a buffer zone, where no controls exists a DMZ is usually separated by 2 firewalls This is done when hosting a web or FTP server and keeping your corporate network hidden/protected. Special attention should be paid to the security settings of network devices placed in the DMZ, and they should be considered at all times to be at risk of compromise by unauthorized use. A common industry term, hardening operating systems, applies to machines whose functionality is locked down to preserve security - unnecessary services and software are removed or disabled, functions are limited, etc... Many types of servers belong in this area, including web servers, remote access servers, and external email servers. In general any server directly accessed from the outside, untrusted internet zone needs to be in the DMZ. other servers should not be in the DMZ such as DNS for your inner trusted network and database servers that house corporate information should not be accessible from the outside. The idea behind the use of the DMZ topology is to provide publicly visible services without allowing untrusted users access to your internal network. If the outside user makes a request for a resource from the trusted network, such as a data element from an internal database that is accessed via a publicly visible web page in the DMZ, then this request must follow this scenario: 1. A user from an untrusted network (internet) requests data via a web page from a web server in the DMZ. 2. The web server in the DMZ requests the data from the application server, which can be in the DMZ or in the inner, trusted network. 3. The application server requests data from the database server in the trusted network. 4. The database server returns the data to the requesting application server. 5. The application server returns the data to the requesting web server. 6. The web server returns the data to the requesting user from the untrusted network. By having intermediaries do the requesting, this layered approach allows significant security levels to be enforced.
AD HOC
is a network where the systems on the network direct packets to and from their source and target locations without using a central router or switch. advantages: cheap means of client-to-client communication. disadvantages: harder to manage in an enterprise setting. examples: Zigbee, Wifi-Direct
Software Defined Networking (SDN)
is a relatively new method of managing the network control layer separate from the data layer and under the control of computer software. SDN can increase the attack surface, and there are currently no good tools to monitor the SDN software for misuse or corruption.
Internet Protocol (IP)
is a suite of protocols there are differences between IPv4 and IPv6. One of these differences is the replacement of the Internet Group Management Protocol (IGMP) with the Internet Control Message Protocol (ICMP) and Multicast Listener Discovery (MLD) in IPv6.
Protocol
is an agreed-upon format for exchanging or transmitting data between systems. they define a number of agreed-upon parameters such as the data compression method, type of error checking to use, and mechanisms for systems to signal when they have finished either receiving or transmitting data. Most networks are dominated by Ethernet or Internet protocol.
Local Area Network (LAN)
is typically smaller in terms of size and geographic coverage and consist of two or more connected devices.
Address Resolution Protocol (ARP)
is used to find another system's MAC address. It resolves a layer 3 address (IP) to layer 2 (MAC)
Network Address Translation (NAT)
is used to translate a private (Intranet/Local LAN) non-routable IP address into public (WAN) routable IP addresses.
Remote Access
is when a user requires access to a network and its resources but is not able to make a physical connection. protocols to use: SSH, RDP, RAS, PPP, PPTP, PPPoE, SLIP
Virtualization (isolation)
offers server isolation logically while still enabling physical hosting.
Physical (isolation)
physical separation is where you have separate physical equipment for the packets to use: switches, routers, and cables
Correlation Engines
takes sets of data and matches the patterns against known ones.
Network Address Classes:
the value of the 1st octet determines the class of the IP address Class A = 0-126 default subnet = 255.0.0.0 subnet range = 255.0.0.0 - 126.255.255.255 supports 16,777,214 hosts on each network Class B = 128-191 default subnet = 255.255.0.0 subnet range = 128.0.0.0 - 191.255.255.255 supports 65,534 hosts on each network Class C = 192-223 default subnet = 255.255.255.0 subnet range = 192.0.0.0 - 223.255.255.255 supports 253 hosts on each network Class D = 224-239 (Multicast group addresses) default subnet = not defined subnet range = 224.0.0.0 - 239.255.255.255 Class E = 240 - 255 (experimental for future use) Loopback address = 127.0.0.0 - 127.255.255.255