Domain 4 - Communications and Network Security
IDS
Alert admin in regards to SQL injections, malformed packers, unusual logins, botnet traffic. IPS/IDS: Signature or Anomaly (behavior) detection systems
Firewalls
A method of guarding a private network by analyzing the data leaving and entering. Firewalls can also provide network address translation, so the IP addresses of computers inside the firewall stay hidden from view. Packet-filtering firewalls (layer 3/4) - use rules based on a packet's source, destination, port or other basic information to determine whether or not to allow it into the network. Stateful packet filtering firewalls (layer 7) - have access to information such as; conversation, look at state table and context of packets; from which to make their decisions. Application Proxy firewalls (layer 7) (3-7 actually)- which look at content and can involve authentication and encryption, can be more flexible and secure but also tend to be far slower. Circuit level proxy (layer 5)- looks at header of packet only, protects wide range of protocols and services than app-level proxy, but as detailed a level of control. Basically once the circuit is allowed all info is tunneled between the parties. Although firewalls are difficult to configure correctly, they are a critical component of network security. SPF, Static Packet Firewall (layer 3) - Rules Management is important: Shadowed Rules (rule doesn't execute due to it not being ordered properly in rule list). Promiscuous Rules - Allow more than necessary (violate least principle rule). Orphaned Rules - Allow access to decommuio Implicity Deny rule.
Session -layer 5
Inter-host communication, logical persistent connection between peer hosts, a conversation, simplex, half duplex, full duplex. Protocols as NSF, SQL, RADIUS, and RPC. Protocols: PAP, PPTP, RPC Technology: Gateway PAP - Password Authentication Protocol PPTP - Point-to-Point Tunneling Protocol RPC - Remote Procedure Call Protocol NFS, Network File System - protocol that supports file sharing between two different file systems NetBIOS - SSL/TLS -
Network Access Control (NAC)
Intercepts network traffic coming from unknown devices and verifies that the system and user are authorized before allowing further communication (with other users or systems). -801.1x - auth -User and Device auth -Role based access -Posture checking (A/V, F/W, and patches), quarantine VLAN if fail. -EAP (Extensible Authentication Protocol) Auth framework (wireless and point to point connections)
VPN Devices
Is hardware or software to create secure tunnels IP-sec compatible: - Encryption via Tunnel mode (entire data package encrypted) or Transport mode (only datagram encrypted) - Only works with IP at Network layer of OSI NON IP-sec compatible: - Socks-based proxy servers Used to reach the internal network from the outside. Also contains strong encryption and authentication methods - PTP used in windows machines. Multiprotocol, uses PAP or CHAP Dial-up VPN's remote access servers using PPTP commonly used by ISP's - Secure Shell SSH2 not strictly a VPN product but opens a secure encrypted shell session from the internet through a firewall to a SSH server
network cabling naming convention
"XXyyyyZZ" -XX: max speed the cable offers -yyyy: baseband or broadband aspect of the calbe (ex: 10Base2) -ZZ: represents either the max distance or the tech of the cable (ex: 100Base-T)
DISA (direct inward system access)
"security" improvement to PBX systems -designed to help manage external access and external control of a PBX by assigning access codes to users -vuln to phreaking, once phreaker has the access codes they can abuse the telephone network
Network Layers OSI MODEL
(later succeeded by TCP/IP) HINT: All People Seems to Need Data Processing It encapsulates data (Data encapsulation, also known as data hiding), when going through the layers
Access Control Methodologies Remote Access Authentication Systems
*******Decentralized Access Control********** Collection of nodes, make access control decisions individually. Distributed/Shared database/Robust/Scalable *******Centralized Access Control********** Relies on a single device as the security reference monitor. Authorization and access control decisions are made here. CALLBACK; system calls back to specific location (danger in user forwarding number) somewhere you are CHAP (part of PPP) supports encryption XTACACS separates authentication, authorization and accounting processes TACACS+: stronger through use of tokens Terminal Access Controller Access Control System TACACS: User passwords are administrated in a central database instead of individual routers. A network device prompts user for a username and static password then the device queries a TACACS server to verify the password. TACACSs does not support prompting for password change or use of dynamic password tokens. Port 49 TACACS: user-id and static password for network access via TCP TACACS+ Enhanced version with use of two factor authentication, ability to change user password, ability of security tokens to be resynchronized and better audit trails and session accounting Remote Authentication Dial-In User Service RADIUS: Client/server protocol, often leads to TACACS+. Clients sends their authentication request to a central radius server that contains all of the user authentication and network ACL's RADIUS does not provide two way authentication, therefore it's not used for routerto-router authentication. Port 1812. Contains dynamic password and network service access information (Network ACLs) NOT a SSO solution, TLS over TCP - to encrypt, Default UDP, PW encrypted, supports TCP and TLD if set, Remote connectivity via dial in (user dials in to access server, access server prompt for redentials, user enters credentials and forwards to radius server, radius server accepts or rejects). USES UDP. Incorporates an AS and dynamic/static password user can connect to any network access server, which then passes on the user's credentials to the RADIUS server to verify authentication and authorization and to track accounting. In this context, the network access server is the RADIUS client and a RADIUS server acts as an authentication server. The RADIUS server also provides AAA services for multiple remote access servers. DIAMETER - remote connectivity using phone wireless etc, more secure than radius, cordless phone signal is rarely encrypted and easily monitored
mesh topology
-connects systems to other systems using numerous paths -"anagram" looking structure -provide redundant connections to systems, allowing multiple segment failures w/o seriously affecting connectivity
analog comm
-continuous signal that varies in freq, amplitude, phase, voltage, etc. -the comm occurs by variances in the constant signal -poor quality over long distances/interference
TCP Ports (65,535)
- TCP 20 & 21; TCP - UDP 21; not used for any common file transfer protocol - TCP 21 & UDP 21; ftp - TCP 22; SSH (SFTP operates oevr SSH) - TCP 23; telnet: TCP 515; LPD - print (shell, no encryption) - TCP 25; SMTP (Simple Mail Transfer Protocol) - TCP 53; DNS; TCP 110; POP3 - TCP 80; HTTP - no confidentiality - TCP 110; POP - TCP 143; IMAP (Internet Message Access Protocol) - TCP 389; unsecure LDAP - TCP 636; LDAP-S over SSL or TLS - TCP 9100; network printers - UDP 69; TFTP (Trivial FTP) - 6000-6063; X Windows, Linux - TCP 443; HTTPS - Nikto to scan - TCP 445; Active Directory - TCP; 1433; Microsoft SQL, Db - TCP 1521; Oracle: TCP 3389; RDP - TCP 3268/3269; global catalog (unsecure/secure) - TCP/UDP; 137-139; NetBIOS services 0-1,023= well known ports 1,024-49,151= registered ports 49,152-65,535 = dynamic ports
switches
-"intelligent hub"- superior to hubs -know the addresses of the systems connected on each outbound port -repeats traffic only out of the port on which the destination is known to exist -offer greater efficiency for traffic delivery -usually operate at OSI 2 -when these have more features like routing, they operate at OSI 3 as well.
private IP address ranges
-10.0.0.0 - 10.255.255.255 (full class A) -172.16.0.0 - 172.31.255.255 (16 class B ranges) -192.168.0.0 - 192.168.255.255 (256 class C ranges)
UDP header
-8 bytes (64 bits) long, divided into four sections/fields: 1) source port 2) destination port 3) message length 4) checksum
WPA2
-802.11i -new enc scheme called Counter Mode Cipher Block Chaining Message Authentication Code P (CCMP), which is based on AES. -secure at the moment -supports 802.1X/EAP
L2F (layer 2 forwarding)
-Cisco tech that is a mutual auth tunneling mechanism -does not offer enc -not widely deployed and replaced by L2TP -L2TP
ethernet
-LAN tech -allows numerous devices to comm over the same medium but requires the devices take turns comm'ing and performing collision detection and avoidance -employs broadcast and collision domains -supports full-duplex comm -usually used on star/bus topologies -based on IEEE 802.3 std -individual units of ethernet data are called frames
SAN
-Looks like raw storage and not file systems like NAS -Dedicated network: -----Fiber channel (FC) $$$ and requires dedicated connections. -----FC over ethernet --> Use existing infrastructure, not as fast. -----iSCSI - Talk directly to storage over network. -Virtual SAN is optional
TCP VPN links
-TCP/IP can be secured using these b/t systems -links are enc'd to add privacy, confidentiality, and authentication and maintain data integrity -PPTP -L2TP -IPsec
IPsec
-Unlike TLS, provides security to the entire payload of a packet. -Encapsulating security: Confidentality and integrity protection for packet payloads. -Authentication headers: Provides integrity protection for packet headers and payloads. 1. Site to Site VPN - Connect two networks together. 2.End users VPNs- Remote access for individual systems. *TLS/SSL VPN easier to setup than IPsec.
circuit switching
-a dedicated physical pathway is created b/t the two comm'ing parties -once a class is established, the links b/t the two parties remain the same throughout the convo
physical layer (layer 1)
-accepts the frame from the data link layer and converts the frame into bits for transmission over the connection medium -also responsible for receiving bits and converting them into a frame to be used by the data link layer -manages synchronization, manages line noise, medium access, digital/analog/light pulses determination
thinnet coaxial cables
-aka 10Base2 -spans 185 meters -10 Mbps throughput
thicknet coaxial cable
-aka 10Base5 -spans 500 meters -10 Mbps throughput
bluetooth
-aka IEEE 802.15 -personal area networks (PAN's) -devices connect together as pairing -do not leave devices in discovery mode
ports
-allow a single IP address to be able to support multiple simultaneous communications, each using a different port number.
IGMP (internet group mgmt P)
-allows systems to support multicasting- transmission of data to multiple specific recipients -used by IP hosts to register multicast group membership, and connected routers to discover these groups. -with this, a server can transmit a single data signal for the entire group rather than many individual signals. -IP header P field value: 2 (0x02)
disadvantages of tunneling
-compounds the overhead required to comm a single msg -creates larger packets -not designed to handle broadcast traffic -makes it difficult to monitor the content of the traffic in some circumstances
ring topology
-connects each system as points on a circle -conn medium acts as a unidirectional transmission loop -only one system can transmit data at a time -traffic mgmt performed by a token
WEP (wired equivalent privacy)
-defined by IEEE 802.11 std -provides protection from packet sniffing and eavesdropping against wireless transmission -can prevent unauthorized access -uses predefined shared secret key -uses RC4 for enc, but re-uses keys so WEP is not secure
SLIP (serial line internet P)
-developed to support TCP/IP comm over async serial connections -only supports IP, requires static IP's, offers no error detection, no compression -replaced by PPP
brouter
-device comprising a router and a bridge -attempts to route first, but if that fails will default to bridging -operates primary at OSI 3 but can operate at OSI 2
token ring
-employs a token passing mechanism to control which systems can transmit data over the network medium -token travels in a logical loop among all members -can be used on ring/star topologies -rarely used today bc of perf problems, higher cost, mgmt difficulties
PEAP (protected extensible auth P)
-encap's EAP within a TLS tunnel that provides auth and potentially enc -this can provide enc for EAP methods
ARP (address resolution P)
-essential to interoperability of logical and physical addressing schemes -this P resolves IP addresses into MAC addresses -checks if needed info is in the ARP cache first
stateful inspection firewall (aka "dynamic packet filtering firewalls")
-evaluate the state/context of network traffic -able to grant a broader range of access for authorized users and actively block unauthorized users. -operate more efficiently than app-level gateway fw's -"third generation" fw's -operate at OSI 3 and 4 (network and transport)
twisted pair cabling
-extremely thin, flexible compared to coax cables -4 pairs of wires that are twisted around each other and sheathed in a PVC insulator
static packet-filtering firewall (aka "screening routers" or "common routers")
-filters traffic based on its source, destination, and the port it is sent from or going to (that info is all in msg header) -unable to provide user auth -unable to determine whether packet came from inside or outside of network -easily spoofed -"first generation" fw's -operate at OSI 3 (network)
FCoE (fibre channel over ethernet)
-form of data-storage solution that allows for high speed file transfers -used to encap fibre channel comm over ethernet networks -works at OSI 3, or network
TCP protocol
-full-duplex, connection oriented P -65,536 ports (aka sockets) -works at OSI 4 -reliable bc of the 3-way handshake procedure
single tier fw
-fw is placed in front of private network, which is connected thru a router to the internet -useful against generic attacks only, offering only minimal protection
coaxial cable
-has a center core of copper wire surrounded by insulation, which is surrounded by a conductive braided shielding and encased in an insulation sheath -popularity has declined due to twisted-pair wiring -copper core and braided shielding act as two independent conductors, allowing for two-way comm -resistant to EMI -supports high bandwidths -requires use of segment terminators -bulkier and has a larger minimum arc radius than twisted pair cables
FDDI (fiber distributed data interface)
-high speed token passing tech that employs two rings with traffic flowing in opposite directions -often used as a backbone for large enterprise networks -has a dual ring design to allow for self-healing -expensive, less common today bc of ethernet
PVC (permanent virtual circuits)
-like a dedicated leased line; here the logical circuit always exists and is waiting for the customer to send data -predefined virtual circuit that is always available -"two way radio"
WAN (wide area network)
-long distance connections b/t geographically remote networks
dynamic NAT
-mode to be used to grant multiple internal clients access to a few leased public IP's. -a large internal network can still access the internet w/o having to lease a large block of public IP's
SVC (switched virtual circuits)
-more like dial-up connection -"shortwave or ham radio"
IPSec (IP security)
-most commonly used VPN P -both a stand alone VPN P and teh sec mechanism for L2TP -can only be used for IP traffic -has two primary components: 1) authentication header (AH)- provides auth, integrity, nonrep -used as transport or tunnel mode 2) encapsulating sec payload (ESP)- provides enc to protect the conf of transmitted data, and can perform limited authentication -op Authentication header operates at OSI 3 -used as transport or tunnel mode a) transport mode- IP packet data is enc'd but header is not b) tunnel mode- entire IP packet is enc'd and a new header is added to the packet to govern transmission thru the tunnel
multi-homed firewall
-must have at least two interfaces to filter traffic -should have IP forwarding disabled
SAN (storage area network)
-network tech that combines multiple individual storage devices into a single consolidated network-accessible storage container
digital comm
-occur through the use of a discontinuous electrical signal and a state change or on-off pulses -more reliable than analog over long distances bc of definitive storage method -creates stream of binary data
MAC address conflict
-occurs when 2 devices have the same MAC address on the same local ethernet broadcast domain -each should be unique
HDLC (high level data link control)
-refined version of SDLC designed specifically for serial sync connections -supports full-duplex comm and supports both p2p and multipoint connections -OSI 2
LAN extender
-remote access, multilayer switch used to connect distant networks over WAN links -creates WAN's, but are called LAN's
CMSA/CD (carrier-sense multiple access with collision detection)
-reponds to collisions by having each member of collision domain wait for a short, random period of time before starting the process again -results in about 40% loss in potential throughput
RARP (reverse-ARP)
-resolves MAC addresses into IP's
DoS (denial of service)
-resource consumption attack that has the primary goal of preventing legitimate activity on a victimized system -renders victim unable to respond to legit traffic -two types: 1) exploits a vuln in hardware/software 2) flood the victim's comm pipeline with garbage traffic
network layer (layer 3)
-responsible for adding routing and addressing info to the data -accepts the segment from the transport layer and adds info, creating a packet (includes source/destination IP) -responsible for providing routing/delivery info, but not guaranteed delivery -manages error detection and node data traffic (i.e, traffic control)
session layer (layer 5)
-responsible for establishing, maintaining, and terminating comm sessions b/t two computers -manages dialogue discipline or dialogue control (simplex, half-duplex, full-duplex) -re-transmits PDU's (packets) that have failed
data link layer (layer 2)
-responsible for formatting the packet from the network layer into the proper format for transmission -adds the hardware source (MAC) and destination addresses to the frame -contains two sublayers: 1) LLC (logical link control) 2) MAC sublayer
application layer (layer 7)
-responsible for interfacing user app's, network services or the OS with the P stack -*allows app's to communicate with the P stack* -determines whether a remote comm partner is available and accessible -the app is not located here, but the P's and services required to transmit files, exchange msg's, connect to remote terminals, etc.
transport layer (layer 4)
-responsible for managing the integrity of a conn and controlling the session -it accepts a PDU (i.e a packet) from the session layer and converts it into a segment -controls how devices on the network are addressed or referenced -establishes comm b/t nodes -defines the rules of a session -establishes a logical connection b/t two devices and provides end-to-end transport services to ensure data delivery
presentation layer (layer 6)
-responsible for transforming data received from the app layer into a format that any system following the OSI model can understand -imposes standardized structure and formatting rules onto the data -resp for enc and compression -most file and data formats operate here (images, video, sound, documents, email, web pages, control sessions, etc)
non-IP protocols
-serve as an alternative to IP at OSI network layer -not common anymore -most firewalls are unable to perform packet header address, or payload content filtering bc the protocols are so rare, posing a sec problem -these P's can be encapsulated in IP to be sent across the internet 1) IPX 2) AppleTalk 3) NetBEUI
UDP protocol
-simplex connectionless P -65,536 ports -"best effort" approach -has low overhead and can transmit data quickly. -should be used only when data is not essential (ex: audio/video streaming)
blue box (phreaker tool)
-simulate 2600 Hz tones to interact directly with telephone trunk systems (backbones). -could be whistle, tape recorder, or digital tone generator
TCP flags
-total of 8 bits for 8 flags 1) CWR- congestion window reduced (rarely used) 2) ECE- ECN-echo explicit congestion notification (rarely used) 3) URG- urgent 4) ACK- acknowledgement 5) PSH- push 6) RST- reset 7) SYN- synchronize 8) FIN- finish "unskilled attackers pester real security folk"
modems
-traditional land-line modem (modulator-demodulator) -device that covers/modulates b/t an analog carrier signal and digital info in order to suport comm of public switched telephone network (PSTN) lines -recently been replaced by digital broadband tech like ISDN, cable modems, DSL modems, 802.11 wireless, and wireless modems
VLAN (virtual LAN)
-used for hardware imposed network segmentation -used to logically segment a network w/o altering it physical topology -created by switches
SDLC (sync data link control)
-used on perm physical connections of dedicated leased lines to provide connectivity for mainframes -OSI 2 -bit-oriented sync P
hubs
-used to connect multiple systems and connect network segments that use the same P -repeat inbound traffic over all outbound ports -multiport repeater -outdated tech and not secure -operate at OSI 1
bridges
-used to connect two networks together in order to connect network segments that use the same P -forwards traffic from one network to another -"store and forward" device will connect networks using diff transmission speeds -operate at OSI 2
white box (phreaker tool)
-used to control the phone system -dual tone multifrequency (DTMF) generator (i.e, a keypad) -can be custom built or telephone repair equipment
router
-used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between the two -operate at OSI 3
ICMP (internet control msg P)
-used to determine the health of a network or a specific link -utilized by ping, traceroute, pathping, etc. -often used in DoS attacks
circuit-level gateway firewall (aka "circuit proxies")
-used to establish comm sessions b/t trusted partners -SOCKS (from socket secure) is a common implementation -manage comm based on the circuit, not the content of traffic -permit/deny based solely on the endpoint designations of the comm circuit -"second generation" fw's (modification of app-level gateway fw) -operate at OSI 5 (session)
repeaters, concentrators, amplifiers
-used to strengthen the comm signal over a cable segment and connect network segments that use the same P -can be used to extend the max length of a cable -operate at OSI 1
CIDR (classless inter-domain routing notation)
-uses mask bits rather than a full dotted decimal notation subnet mask ex: instead of 255.255.0.0, a CIDR is added to the IP address after a slash, as in 172.16.1.1/16
internet P (IP)
-works at OSI 3 (network) -provides route addressing for data packets, provides a means of identity and prescribes transmission paths -considered connnectionless and unreliable, no guarantee of packet delivery -you must employ TCP on IP to gain reliable and controlled comm sessions
port number categories
0-1023: well-known ports or service ports 1024-49151: registered software ports, each # registered with IANA 49152-65535: random, dynamic, ephemeral ports bc they are often used randomly and temporarily by clients as a source port.
IEEE 802.11ac
1 Gbps; 5 GHz
application layer protocols
1) *HTTP (port 80)* 2) *FTP (20 and 21)* 3) LPD (line print daemon) (515) 4) *SMTP (simple mail transfer P) (25)* 5) telnet (23) 6) TFTP (trivial file transfer P) (UDP port 69) 7) EDI (electronic data interchange) 8) POP3 (post office P version 3) (110) 9) IMAP (internet msg access P) (143) 10) SNMP (simple network mgmt P) (UDP 161, 162 for trap msg's) 11) NNTP (networks news transport P) 12) S-RPC (secure remote procedure call) 13) SET (secure electronic transaction)
transport layer protocols
1) *TCP (transmission control P)* 2) *UDP (user datagram P)* 3) SPX (sequenced packet exchange) 4) *SSL (secure sockets layer)* 5) *TLS (transport layer security)*
presentation layer format standards/protocols
1) ASCII (American standard code for info interchange) 2) EBCDICM (extended binary-coded decimal interchange mode) 3) TIFF (tagged image file format) 4) JPEG 5) MPEG (moving picture experts group) 6) MIDI (musical instrument digital interface)
LAN media access tech's used to avoid collisions (5)
1) CSMA 2) CSMA/CA 3) CSMA/CD 4) token passing 5) polling
physical layer protocols
1) EIA/TIA-232 and EIA/TIA-449 2) X.21 3) HSSI (high speed serial interface) 4) SONET (synchronous optical network) 5) V.24 and V.35
network layer protocols
1) ICMP (internet control message P) 2) RIP (routing information P) 3) OSPF (open shortest path first) 4) BGP (border gateway P) 5) IGMP (internet group mgmt P) 6) *IP (internet P)* 7) *IPsec (IP security)* 8) IPX (internetwork packet exchange) 9) *NAT (network address translation)* 10) SKIP (simple key mgmt for internet P's)
session layer protocols
1) NFS (network file system) 2) *SQL* 3) RPC (remote procedure call)
physical layer hardware devices
1) NIC's (network interface cards) 2) hubs 3) repeaters 4) concentrators 5) amplifiers *these devices all interact with hardware*
common VPN protocols (4)
1) PPTP 2) L2F 3) L2TP 4) IPSec -operate at OSI 2 (data link)
data link protocols
1) SLIP (serial line internet protocol) 2) PPP (point-to-point protocol) 3) *ARP (address resolution protocol)* (resolves IP's into MAC's) 4) *RARP (reverse address resolution protocol)* (MAC's into IP's) 5) L2F (layer 2 forwarding 6) L2TP (layer 2 tunneling protocol) 7) PPTP (point-to-point tunneling protocol) 8) ISDN (integrated services digital network)
eavesdropping tools
1) T-Sight 2) Zed Attack Proxy (ZAP) 3) Cain & Abel
TCP/IP model (aka DARPA or DoD model)
1) application (OSI layer 5-7) 2) transport (OSI 4) 3) internet (OSI 3) 4) link (OSI 1-2)
benefits of network segmentation
1) boosting perf 2) reducing comm problems 3) providing sec
data link hardware devices
1) bridges 2) switches
benefits of NAT
1) can connect an entire network to the internet using only a single leased public IP's 2) can use private IP's and connect to the internet 3) NAT hides the IP addressing scheme and network topography from the internet 4) restricts connections so that only traffic stemming from connections originating from the internal protected network -most intrusion attacks are automatically repelled
TCP 3-way handshake process
1) client sends a SYN flagged packet to server 2) server responds with a SYN/ACK flagged packet back to client 3) client responds with an ACK
3 types of LAN tech?
1) ethernet 2) token ring 3) FDDI
data link technology
1) ethernet (IEEE 802.3) 2) token ring (IEEE 802.5) 3) ATM (asynchronous transfer mode) 4) FDDI (fiber distributed data interface) 5) CDDI (copper DDI)
application layer network devices
1) gateway 2) app-level firewalls
remote access sec mgmt potential issues
1) remote connectivity tech 2) transmission protection 3) authentication protection 4) remote user assistance
network layer hardware
1) routers 2) bridge routers ("brouters")
4 types of remote access techniques?
1) service specific: remotely connect to and manipulate a single service, like email 2) remote control: grants a remote user the ability to fully control another system 3) screen scraper/scraping: can be thought of as remote control, and also virtual app's or virtual desktops -allows an automated tool to interact with a human interface 4) remote node operation: another name for dial up connectivity
firewall deployment architectures (3)
1) single tier 2) two tier 3) three tier (multi-tier)
ICMP details
1) the IP header P field value is 1 (0x01) 2) the type field in ICMP header defines the purpose of the msg
TCP disconnection process (2 ways)
1) use of FIN flagged packet (most common): a) each side transmits a FIN, triggering the opposing side to respond with an ACK. 4 packets total 2) use of RST (reset) packet. causes an immediate session termination.
problems with twisted pair cabling (3)
1) using wrong category of twisted pair cable for high throughput networking 2) deploying a twisted pair cable longer than its max recommended length 3) using UTP in environments w/ significant interference
VoIP vulnerabilities
1) vishing 2) SPIT (spam over internet telephony) 3) MitM (man in the middle) attacks by spoofing call managers 4) VoIP hopping (jumping across auth channels) 5) listening to unenc'd traffic
sniffing tools
1) wireshark 2) NetWitness
Network Monitoring
1. Firewall logs (attempted connections, time stamps, and firewall rule). 2. Netflow data - Doesn't capture what was communicated. Useful for capturing info about systems that didn't transverse firewall aka inside LAN. -Who -When -How Much 3. SIEM Logs - F/W, network devices, servers, and apps (rapid analysis). 4. Full packet capture - Not much storage needed.
Network IPv6
1. IPv4 address exhaustion 2. Eight groups of 4 hexadecimal numbers: fd02:ed03:gd03:hd03:id03:jd03:kd03:ld03
Wi-Fi Antennas
1. Omni - All directions 2. Directional - one way, extend network. 3. Beforming - can shift omni antenna to beam into different areas. *Best AP placement, use a site survey. *Change power levels of AP broadcast
Wireless Network Auth
1. Preshared key (PSK) - Require password (routers, common use) -64 hexadecimal character strings (uncommon) --> encode 256 bit encryption key. -password, 8-13 ASCII passwords --> converted 256 bit encryption key PBKDF2 -limitations = changing key is a burden on a large network, can't identify users or revoke access. 2. Enterprise Auth -Username and password (RADIUS). -EAP (use with TLS, variant) or PEAP (EAP inside TLS session) 3. Captive Portal -->Redirect to auth page
Multi-layer Protocol
1. TCP-IP 2. Distributed Network Protocol (DNP3) -->SCADA systems (automation - water and electric)
IEEE 802.11b
11 Mbps; 2.4 GHz
IEEE 802.11n
200+ Mbps; 2.4 or 5 GHz
IEEE 802.11g
54 Mbps; 2.4 GHz
IEEE 802.11a
54 Mbps; 5 GHz
OSI layers
7) application 6) presentation 5) session 4) transport 3) network 2) data link 1) physical "Please do not throw sausage pizza away"
Multipoint Control Unit/Controller
A Multipoint Control Unit (MCU) represents an endpoint on a LAN that provides the capability for three or more terminals and gateways to participate in a multipoint conference. It controls and mixes video, audio, and data from terminal devices to create a video conference. An MCU can also connect two terminals in a point-to-point conference that can later develop into a multipoint conference. The collection of all terminals, gateways, and multipoint control units managed by a single gatekeeper is known as an H.323 Zone. Multipoint Controller A multipoint controller that is H.323 compliant provides negotiation capacity with terminals to carry out different communications. The multipoint controller can also control conference resources, such as video multicasting.
Virtual Private Networks VPN
A VPN is created by dynamically building a secure communications link between two nodes, using a secret encapsulation method via network address translation (NAT) where internal IP addresses are translated to external IP addresses. Cannot double NAT with the same IP range, same IP address cannot appear inside and outside of a NAT router.
Security Modems
A security modem represents a special type of modem that allows remote access from trusted locations, may encrypt data, and may support Caller ID to verify the calling telephone number. When security modems first appeared on the market, they were configured with a list of allowable callback numbers and passwords. A remote user who wished to gain access to the corporate LAN would first dial the telephone number associated with the dial-in security modem. Upon establishing a connection, the person would be prompted to enter his or her callback number and a password associated with the callback phone number. If the password is correct, the security modem would disconnect the connection and dial back the callback number.
Attacks, Malware, and Bad Stuff
ARP Spoofing - Malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. Bluejacking - when attackers send unsolicited messages via Bluetooth Bluesnarfing - targets the data or information on Bluetoothenabled devices Cain & Abel Attack - Man in the middle. DNS Spoofing - when an attacker sends false replies to a requesting system, beating valid replies from the real DNS server DNS Poisoning - when an attacker changes the domain name to IP address mappings of a system to redirect traffic to alternative systems RDP - provides terminal sessions w/out Screenscraper - copy actual screen, subset of remote control SPIT attacks - Spam over Internet Telephony and targets VoIP systems
DATA NETWORK SIGNALS
Analog signal - Infinite wave form, continuous signal, varied by amplification Digital signal - Saw-tooth form, pulses, on-off only, digital signals are a means of transmission that involves the use of a discontinuous electrical signal and a state change or on‐off pulses. Asynchronous - sends bits of data sequentially. Same speed on both sides. Modems and dial-up remote access systems. Asynchronous communications, broadband connections, and half‐ duplex links can be digital or analog. Synchronous very high speed governed by electronic clock timing signals
Remote Access Technologies
Asynchronous Dial-Up Access: This is how everyone connects to the internet. Using a public switched telephone network to access an ISP Integrated Serviced Digital Network (ISDN): Communication protocol that permits telephone line to carry data, voice and other source traffic. Two types: BRI Basic rate interface and Primary Rate Interface (PRI) xDSL uses regular telephone lines for high speed digital access Cable Modems Via single shared coaxial cable, insecure because of not being filtered or firewalled
LAN Topologies
BUS - all transmissions have to travel the full length of the cable RING - Workstations are connected to form a closed loop STAR - nodes are connected to a central LAN device TREE - bus type with multiple branches MESH - all nodes interconnected **Know total connections.**
Terms
Broadband Technologies - ISDN, cable modems, DSL, and T1/T3 lines that can support multiple simultaneous signals. They are analog and not broadcast technologies. Broadcast Domain - set of systems that can receive a broadcast from each other CHAP - Challenge-Handshake Authentication Protocol, used by PPP servers to authenticate remote clients. Encrypts username and PW and performs periodic re authentication while connected using techniques to prevent replay attacks. CIR - (committed Information Rate) minimum bandwidth guarantee provided by service provider to customers Collision Domain - set of systems that could cause a collision if they transmitted at the same time, more number of systems in domain increases likelihood of network congestion due to more collisions Data Streams - occur at Application, Presentation, and Session layers. EAP, Extensible Authentication Protocol - an authentication framework. Effectively, EAP allows for new authentication technologies to be compatible with existing wireless or point-topoint connection technologies, extensible was used for PPP connections FCoE - Fiber Channel Over Ethernet, allows existing high-speed networks to be used to carry storage traffic FDDI - Fiber Distributed Data Interface, token-passing network uses a pair of rings with traffic flowing in opposite directions, uses tokens FTP - File Transfer Protocol Gateway - translates between protocols ICMP - Internet Control Message Protocol, means to send error messages for non-transient error conditions and provides a way to probe the network in order to determine general characteristics about the network, ping. Other functions include trace route (hops, time --->redirects, time exceeded, unreachable address etc.) iSCI - Internet Small Computer Interface, Converged protocol that allows location-independent file services over traditional network technologies. Cost less than Fiber. Standard for linking data storage sites ISDN - PRI (Primary Rate Interface) bandwidth of 1.544 Mbps, faster than BRI's 144 Kbps MAC - Machine Access Control, hardware address of machine, can tell manufacturer, Multilayer Protocols - allow encryption at various layers, support a range of protocols at higher levels. Bad - conceal covert channels, filters can be bypassed, sometimes logical boundaries can be bypassed MPLS - Multiprotocol Label Switching, high performance networking, uses path labels instead of network addresses, wide area networking protocol, label switching, finds final destination and then labels route for others to follow PAP - Password Authentication Protocol, sends PW unencrypted PEAP - provides encryption for EAP methods and can provide authentication, does not implement CCMP, encapsulates EAS in a TLS tunnel Port Based Authentication - 802.1x, can be used with EAP PPP - Point-to-Point Protocol, most common, used for dial up connections, replaced SLIP Proxy - form of gateway that provide clients with a filtering, caching, or other service that protects their information from remote systems PVCs - Private Virtual Circuits, RST flag - used to reset or disconnect a session, resumed by restarting the connection via a new three-way handshake Converged Network - carries multiple types of traffic like voice, video, and data SDN - Software designed networking, defined and configured as code or software, quickly change the network based on organizational requirements Hypervisor-based Network - may be software defined, but it could also use traditional network devices running as virtual machines SSID - normally disabled for secure networks Site Survey - identify areas where wireless network may be accessible SONET - protocol for sending multiple optical streams over fiber SUBNET - logical division of a network Supernet - made up of two or more networks UDP - User Datagram Protocol, lightweight service for connectionless data transfer without error detection and correction WAF - Web Application Firewall Wired Extension Mode - uses WAP to link wireless clients to a wired network AMP - Asymmetric multiprocessing - used in applications that are dedicated, such as embedded systems, when individual processors can be dedicated to specific tasks at design time. SMP - Symmetric Multiprocessors, hardware and software architecture where two or more identical processors are connected to a single, shared main memory, have full access to all I/O devices, and are controlled by a single operating system instance that treats all processors equally, reserving none for special purposes.
Screen scraping
Can be used to interface mainframe with web, can enter limited commands.
LAN Transmission Protocols
Carrier Sense Multiple Access CSMA - for Ethernet. Workstations send out packet. If it doesn't get an acknowledgement, it resends CSMA with Collision Avoidance workstations - are attached by 2 coax cables. In one direction only. Wireless 802.11 CSMA with Collision Detection - Only one host can send at the time, using jamming signals for the rest. Polling - Host can only transmit when he polls a secondary to see if its free Token-passing - Used in token rings, Hosts can only transit when they receive a clear to send token.
UTP categories
Cat 1: voice only Cat 2: 4 Mbps Cat 3: 10 Mbps Cat 4: 16 Mbps Cat 5: 100 Mbps Cat 6: 1000 Mbps Cat 7: 10 Gbps
LEAP (lightweight extensible auth P)
Cisco proprietary alt to TKIP for WPA -created to address problems in TKIP before WPA2 -not secure, use EAP-TLS instead
Switched Networks
Coaxial - many workstations, length. 1000Base-T - 100 M Twisted pair to long. Cat 5 better than cat3 for interference Fiber optics immune to EMI, can be broken and high cost/expertise Topology failures Ethernet twisted pair - more resistant than coaxial Token Ring because a token is passed by every station, a NIC that's is set to wrong speed or error can take all network down Fiber Distributed Data Interface - form of token ring that has second ring that activates on error Leased lines use multiple lines and/or multiple vendors Frame Relay WAN - over a public switched network. High Fault tolerance by relaying fault segments to working. Speeds; T-1 - 1.544 Mbps, T-3 - 44,736 Mbps (45) ATM - 155 Mbps, ISDN - 64 or 128 Mbps CAT 3 UTP; 10 Mbps, CAT 5;100 Mbps CAT 5e/6 - 1,000 Mb
Converged Protocols
Converged Protocols - are the merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/ IP suite. The primary benefit of converged protocols is the ability to use existing TCP/ IP supporting network infrastructure to host special or proprietary services without the need for unique deployments of alternate networking hardware. Fibre Channel over Ethernet (FCoE) - a form of network data- storage solution (SAN or NAS) that allows for high-speed file transfers at upward of 16 GBps. It was designed to be operated over fiber-optic cables; support for copper cables was added later to offer less-expensive options. Fibre Channel over Ethernet (FCoE) can be used to support it over the existing network infrastructure. FCoE is used to encapsulate Fibre Channel communications over Ethernet networks. Fibre Channel operates as a Network layer or OSI layer 3 protocol, replacing IP as the payload of a standard Ethernet network. MPLS - (Multiprotocol Label Switching) is a high-throughput high- performance network technology that directs data across a network based on short path labels rather than longer network addresses. MPLS is designed to handle a wide range of protocols through encapsulation. iSCSI - Internet Small Computer System Interface (iSCSI) is a networking storage standard based on IP. This technology can be used to enable location-independent file storage, transmission, and retrieval over LAN, WAN, or public Internet connections. It is often viewed as a low-cost alternative to Fibre Channel. VoIP - Voice over IP - a tunneling mechanism used to transport voice and/ or data over a TCP/ IP network. VoIP has the potential to replace or supplant PSTN because it's often less expensive and offers a wider variety of options and features. SDN - a unique approach to network operation, design, and management. SDN aims at separating the infrastructure layer (i.e., hardware and hardware-based settings) from the control layer (i.e., network services of data transmission management). Furthermore, this also removes the traditional networking concepts of IP addressing, subnets, routing, and so on from needing to be programmed into or be deciphered by hosted applications. SDN offers a new network design that is directly programmable from a central location, is flexible, is vendor neutral, and is open-standards based.
Security Modes (used in MAC)
Dedicated security mode : - All users can access all data. - Clearance for all information. - Need to know for ALL data system high security mode: - All users can access some data, based on need to know - Clearance for all information - Need to know for SOME data compartment security mode: - All users can access some data, based on their need to know and approval. - Clearance for all information they access - Need to know for SOME data - Use of information labels Multi-level: - All users can access some data, based on their need to know, approval and clearance. - Clearance for all information they access - Need to know for SOME data Others: controlled type of multilevel security where a limited amount of trust is placed in the system's hardware/software along with classification limited access: minimum user clearance is not cleared and the maximum data classification is unclassified but sensitive
Network layers TCP/IP Model
Developed by Department of Defense in the 1970s to support the construction of the internet HINT: AHIN Application - layer 4 application/Presentation/Session) Applications and processes that uses the network Host-to-Host - Layer 3 (Transport) End-to-end data delivery Protocols: TCP and UDP Internet - Layer 2 (corresponds to OSI network layer) Defines the IP datagram and handles routing of data across networks. Protocols: IP, ARP, RARP, ICMP. Network access - Layer 1 (Data link, Physical) Routines for accessing physical networks and the electrical connection LPD, Line printer daemon for printing and spooling X Windows graphical user interface
Subnets
Divide up network into 65,000 possible hosts to 256 possible subnets with 254 hosts each. 255.255.255.0 /24 255.255.0.0 /16 255.0.0.0 /8 192.168.1.100 192.168.1.0 /24 (slash notation)
Encapsulating Security Payload
Encrypts IP packets and ensured integrity. - ESP Header - contains information showing which security association to use and the packet sequence number. Like the AH, the ESP sequences every packet to thwart replay attacks. - ESP Payload
Transport - layer 4
End-to-end data transfer services and reliability. Technology: Gateways. Segmentation, sequencing, and error checking at this layer. Datagrams TCP Three-way Handshake - SYN, SYN-/ACK, ACK Protocols: TCP, UDP, SSL, SSH-2, SPX, NetBIOS, ATP Secure Shell (SSH-2) - Authentication, compression, confidentiality and integrity. Uses RSA certificates for authentication and triple DES for encryption TCP, Transmission control protocol - reliable, sequences and works with acknowledgements. Provides a manageable data flow to avoid congestions overloading and data loss. (Like having a telephone conversation with someone). Connection Oriented. User UDP, Datagram protocol - unreliable, scaled down version of TCP, no error correction, no sequencing. Less overhead. (Like sending a letter to someone). Connectionless.
LAN Media Access
Ethernet IEEE 802.3 using CSMA with an BUS-topology Thinnet: 10base2 with coax cables up to 185 meters Thicknet: 10Base5, coax up to 500 meters UTP: 10BaseT=10MBps 100baseT=Fast Ethernet =100MBps 1000BaseT=Gigabit Ethernet=1GBps Ethernet networks were originally designed to work with more sporadic traffic than token ring networks ARCnet - uses token passing in a star technology on coax Token Ring IEEE 802.5 - IBM created. All end stations are connected to a MAU Multi Access Unit. CAU: Controlled Access Units - for filtering allowed MAC (Extended Unique Identifier) addresses. FDDI, Fiber Distributed Data Interface - token-passing dual token ring with fiber optic. Long distances, minimal EMI interference permits several tokens at the time active
Spread Spectrum
FHSS - Frequency Hopping Spread Spectrum, The entire range of available frequencies is employed, but only one frequency at a time is used. DSSS - Direct Sequence Spread Spectrum, employs all the available frequencies simultaneously in parallel. This provides a higher rate of data throughput than FHSS. DSSS also uses a special encoding mechanism known as chipping code to allow a receiver to reconstruct data even if parts of the signal were distorted because of interference. OFDM - Orthogonal Frequency-Division Multiplexing, employs a digital multicarrier modulation scheme that allows for a more tightly compacted transmission. The modulated signals are perpendicular and thus do not cause interference with each other. All use spread spectrum techniques to transmit on more than one frequency at the same time. Neither FHSS nor DHSS uses orthogonal modulation, while multiplexing describes combining multiple signals over a shared medium of any sort. Wi-Fi may receive interference from FHSS systems but doesn't use it.
Application - layer 7
FTP, SNMP, TELNET, TFTP, SMTP, HTTP, NNTP, CDP, GOPHER, SMB, NDS, AFP, SAP, NCP, SET, LDAP. Technology: Gateways. User data Secure HTTP, S-HTTP - encrypting HTTP documents. Also overtaken by SSL SSL, Secure Socket Layer - encryption technology to provide secure transactions like credit card numbers exchange. Two layered: SSL record protocol and handshake protocol. Same as SSH it uses symmetric encryption for private connections and asymmetric or public key cryptography for peer authentication. Secure Electronic Transaction (SET) - authentication for credit card transactions. Overtaken by SSL Also uses message authentication code for integrity checking. Telnet - terminal emulation enables user to access resources on another machine. Port 23 FTP, File Transfer Protocol - for file transfers. Cannot execute remote files as programs. Authentication. Port 20 and 21 TFTP, Trivial File Transfer Protocol - stripped down, can only send/receive but not browse directories. No authentication thus insecure. Port 69 SMTP, Simple Mail Transfer protocol - email queuing. Port 25 SNMP (use version 3), Simple Networking Management Protocol collection of network information by polling the devices from a management station. Sends out alerts -called traps- to an database called Management Information Bases (MIBs)
Perfect forward secrecy
Hides nodes identity from each other. #TOR
VPN Protocols
Hint: TP at end for Tunneling Protocols PPTP, Point to Point tunneling protocol - Works at data link layer of OSI - Only one single point-to-point connection per session - Point To Point protocol (PPP) for authentication and tunneling - Dial-up network use - Does not support EAP - Sends initial packets in plaintext L2F, Layer 2 Forwarding - Cisco developed its own VPN protocol called which is a mutual authentication tunneling mechanism. - L2F does not offer encryption. L2F was not widely deployed and was soon replaced by L2TP. - both operate at layer 2. Both can encapsulate any LAN protocol. L2TP, Layer 2 tunneling protocol - Also in data-link layer of OSI - Single point-to-point connection per session - Dial-up network use - Port 115 - Uses IPsec IPSEC (hard to setup) - Operates at Network Layer of OSI - Enables multiple and simultaneous tunnels - Encrypt and authenticate - Build into IPv6 - Network-to-network use - Creates a private, encrypted network via a public network - Encryption for confidentiality and integrity 2 protocols: AH Authentication header and ESP Encapsulated Security Payload works with Security Associations (SA's) works with IKE protocols IKE IS FOR MANAGING SECURITY ASSOCIATIONS 2 modes: transport, data is encrypted header is not tunneled: new uses rc6; IP header is added, old IP header and data is encrypted cipher types: block (padding to blocks of fixed size) like DES 3DES AES or stream (bit/byte one by one o padding) like RC4, Sober TLS - Transport Layer Security (commonly used, easy) - encrypt and protect transactions to prevent sniffing while data is in transit along with VPN and IPsec - most effective control against session hijacking - ephemeral session key is used to encrypt the actual content of communications between a web server and client - TLS - MOST CURRENT not SSL!!! PVC - Permanent virtual circuits, is like a dedicated leased line; the logical circuit always exists and is waiting for the customer to send data. Like a walkie-talkie SVC - switched virtual circuit, is more like a shortwave or ham radio. You must tune the transmitter and receiver to a new frequency every time you want to communicate with someone.
Wireless
IEEE 802.15 is the standard for Bluetooth. IEEE 802.3 defines Ethernet, 802.11 defines wireless networking, and 802.20 defines LTE. 802.11 (2 Mbps 2.4 GHz FHSS/DSSS) 802.11a (54 Mbps 5 GHz 150 - OFD A) 802.11b (11 Mbps 2.4 GHz 300 - DSSSS b/g/n) 802.11g (54 Mbps 2.4 GHz 300 b/g/n) 802.11n (200+Mbps 2.4 or 5 GHz 300 a/b/g) 802.11ac (1 Gbps 5 GHz 300 a/b/g) 802.16 (IEEE 802 WBA) 802.11i (AES CCMP WPA2)
Email Security Solutions & Certs
LDAP - Lightweight Directory Access Protocol, client/server based directory query protocol loosely based upon X.500, commonly manages user information, for accessing directory services and manage certificates Ex. Active Directory, cn=ben+ou=sales Zero or more, comma separated, no semi-colon, + to join SASL - provides secure LDAP authentication OpenLDAP - default, stores user PW in the clear Client SSL Certificates - used to identify clients to servers via SSL (client authentication) S/MIME Certificates - used for signed and encrypted emails, can form sign, and use as part of a SSO solution MOSS - MIME Object Security Services, provides authentication, confidentiality, integrity, and nonrepudiation PEM - provides authentication, confidentiality, integrity, and nonrepudiation DKIM - Domain Keys Identified Mail, domain validation tool OAuth - ability to access resources from another service OpenID - paired with OAuth is a RESTful, JSON-based authentication protocol can provide identity verification and basic profile information, phishing attack possible by sending fake data
DATA NETWORK TYPES
Local Area Network LAN: Limited geographically to e.g. a building. Devices are sharing resources like printers, email and files. Connected through copper wire or fiber optics. CAN: campus area network, multiple building connected to fast backbone on a campus MAN: metropolitan network extends over cities Wide Area network WAN: Connects LANS over a large geographical area Internet (intranet and extranet): Internet is global, intranet local for use within companies and extranet can be used e.g. by your customers and clients but is not public.
Hacks
Man in the middle Replay attack - Use token of legit uers (CSRF) to login on their behalf. The method to combat this timing out the session (token), time stamp (expire). DNS Poisoning - Hacker uses DNS to redirect users to their specified server. ARP Attacks (poisoning) - ARP translates IP addresses into MAC addresses on LAN. The attack only works on LAN, hackers trick the user into sending data to the wrong gateway. Typosquatting - Buy domain for user typing mistakes (example:facebool.com, faxebook.com)
Operations of Hardware
Multiplexors- device that enables more than one signal to be send out of one physical circuit WAN switches - multi-port networking devices that are used in carrier networks. Connect private data over public data by using digital signals. Data link layer. Access servers - server that provides dial-in and dial-out connections to the network Modems - transmits data over telephone lines Channel Service Unit (CSU)/Data service unit (DSU) - digital interface device used to terminate the physical interface on a DTE device. They connect to the closest telephone company switch in a central office (CO)
Bluetooth Attacks
NFC (30-50ft) Bluejacking - Send spam directly to a device. Bluesnarfing - Attacks pairing
NAS
NFS or CIFS (windows) for communication. Shows as file system unlike SAN which shows as raw storage.
Things to Know
Nikto, Burp Suite, Wapiti - web application vulnerability scanners
secure comm P's
P's that provide sec services for app-specific comm channels
Firewall architecture
Packet filtering routers: Sits between trusted and un-trusted network, sometimes used as boundary router. Uses ACL's. Protects against standard generic external attacks. Has no user authentication, has minimal auditing. Screened-Host firewall system: Has both a packet-filter router and a bastion host. Provides both network layer (package filtering) as application layer (proxy) server. Dual homed host firewall: Consists of a host with 2 NIC's. One connected to trusted, one to un-trusted. Can thus be used as translator between 2 network types like Ethernet/token ring. Internal routing capabilities must not be enabled to make it impossible to circumvent inspection of data. Screened-subnet firewalls: Has also defined a De-Militarized Zone (DMZ) : a small network between trusted an untrusted. Socks firewall: Every workstation gets some Socks software to reduce overhead Tiers - design separates distinct protected zones and can be protected by a single firewall that has multiple interfaces
Packet Switched Networks vs. Circuit Switched Networks
Packet-switched networks move data in separate, small blocks -- packets -- based on the destination address in each packet. When received, packets are reassembled in the proper sequence to make up the message. Circuit-switched networks require dedicated point-to-point connections during calls. Circuit-switched networks and packet-switched networks have traditionally occupied different spaces within corporations. Circuit-switched networks were used for phone calls and packet-switched networks handled data. But because of the reach of phone lines and the efficiency and low cost of data networks, the two technologies have shared chores for years. Designed in 1878, circuit-switched networks reserve a dedicated channel for the entire communication. The primary hardware for a circuit-switched network is the private branch exchange (PBX) system. Computer servers power packet-switched networks.
Remote Node Security Protocols
Password Authenticate Protocol (PAP): Provides identification and authentication of the user using static replayable passwords. No encryption of user-id or password during communication Challenge Handshake Authenticate Protocol (CHAP): Non-replayable challenge/response dialog
VM
Patch hypervisor
Network - layer 3
Path selection and logical/network addressing. Technology: Virtual circuits (ATM), routers. Packets Addressing - IP uses the destination IP to transmit packets thru networks until delivered Fragmentation - IP will subdivide a packet if its size is greater than the maximum allowed on a local network Message routing, error detection and control of node data are managed. IP, IPSEC, ICMP, BGP, OSPF, RIP, BOOTP, DHCP, ZIP, DDP, X.25, NAT and IGMP OSPF Open Shortest Path First - routing protocol short path. SKIP, Simple Key Management for Internet Protocols - provides high availability in encrypted sessions to protect against crashes. Exchanges keys on a session by session basis. ARP, Address resolution protocol - Used to match an IP address to a hardware MAC address. ARP sends out broadcast to a network node to reply with its hardware address. It stores the address in a dynamic table for the duration of the session, so ARP requests are only sent the first time. ICMP, Internet control message protocol - sends messages between network nodes regarding the health of the network. Also informs about rerouting in case of errors. Utility PING uses ICMP messages to check physical connectivity of the network machines IPX, Appletalk, and NetBEUI are non-IP protocols. IP, Internet protocol - all hosts have an IP address. Each data packet has an IP address of sender and recipient. Routing in network is based upon these addresses. Datagram service is considered unreliable because there's no guarantee that the packet will be delivered, not even that its delivered only once and no guarantee that its delivered in the same sequence that its sent 32 bits long, IPv6 is 128 bits long DHCP: Dynamic Host Configuration Protocol BootP, Bootstrap Protocol when wireless workstation is on-lined it sends out a BootP request with its MAC address to get an IP address and the file from which it should boot. Replaced by DHCP
Physical - layer 1
Physical signaling. Coverts bits into voltages or light impulses. Electrical, Hardware and software drivers are on this level. It sends and receives bits. Repeaters, hubs, cables, USB, DSL, ISDN, ATM Physical topologies: BUS, MESH, STAR, TREE, RING
WAN Protocols
Private Circuit technologies: Dedicated line reserved communication, always available Leased line can be reserved for communications. Type of dedicated line: - T1 1,5 Mbps through telephone line - T3 44,7 Mbps through telephone line - E1 European 2048 Mbps digital transmission - Serial Line IP (SLIP) TCP/IP over slow interfaces to communicate with external hosts (Berkley UNIX, windows NT RAS), no authentication, supports only half-duplex communications, no error detection, manual link establishment and teardown Point to Point protocol (PPP) improvement on slip, adds login, password and error (by CHAP and PAP) and error correction. Data link. Integrated Services Digital Network (ISDN): Combination of digital telephony and data transports. Overtaken by xDSL, not all useable due to "D Channel" used for call management not data xDSL Digital subscriber Line uses telephone to transport high bandwidth data to remote subscribers: - ADSL - Asymmetric. More downstream bandwidth up to 18,000 feet over single copper cable pair - SDSL - Symmetric up to 10,000 feet over single copper cable pair - HDSL - High Rate T1 speed over two copper cable pairs up to 12,000 feet - VDSL - Very High speed 13-52MBps down, 1,5-2,3 Mbps upstream over a single copper pair over 1,00 to 4500 feet Circuit-switched networks: There must be a dedicated physical circuit path exist during transmission. The right choice for networks that have to communicate constantly. Typically for a telephone company network Voice oriented. Sensitive to loss of connection Message switching networks: Involves the transmission of messages from node-to-node. Messages are stored on the network until a forwarding path is available. Packet-switched networks (PSN or PSDN): Nodes share bandwidth with each other by sending small data units called packets. Packets will be send to the other network and reassembled. Data oriented. Sensitive to loss of data. More cost effective than circuit switching because it creates virtual circuits only when they are needed.
LAN Devices
Repeaters - amplify data signals to extend range (physical) HUBS - connect multiple LAN devices into a concentrator. Is actually a multi-port repeater (physical) Bridges - Forwards data to all other network segments if it's not on the local segment. Operates at level 2 (thus no IP-addressing) Switches - Will only send data to the specific destination address. It's actually a multi-port bridge. (Data link) Routers - opens up data packet, reads hardware or network address and then forwards it to the correct network Gateway - software that acts as access point to another network or device that translates between different protocols LAN extenders - remote access, multi layer switch that connects LANs over a WAN
Remote Access Security Technologies
Restricted Address - incoming calls are only allowed from specific addresses on an approval list. This authenticates the node, not the user! Callback - User initiates a connection, supplies identifying code, and then the system will call back a predetermined telephone number. Also less useful for travelling users Caller ID - checks incoming telephone number against an approval list and then uses Callback. Less useful for travelling users.
SOCKS
SOCKS protocol is designed to route packets between client-server applications via a proxy server. The protocol operates at Layer 5, the Session Layer of the OSI reference model, between the presentation layer and the transport layer. Clients behind a firewall have to connect to a SOCKS proxy server to access external services provided by the server. The proxy server controls the ability of the client to access the external server in the client-server access attempt. If the client is approved by the proxy server, the latter will then pass the request on to the destination server. SOCKS is bidirectional; thus, it can also be used in the opposite way, allowing the clients outside the firewall to connect to servers inside the firewall Comparing SOCKS and HTTP Proxies SOCKS employs a handshake protocol to inform the proxy software about the connection that a client initiated. The SOCKS protocol supports any form of TCP or UDP socket connection. In comparison, an HTTP proxy will analyze HTTP headers to determine the address of the destination server, which restricts its support to HTTP traffic.
Network Partitioning
Segmenting networks into domains of trust is an effective way to help enforce security policies. Controlling which traffic is forwarded between segments will go a long way to protecting an organization's critical digital assets from malicious and unintentional harm. 1. Dual-homed Host - has two network interface cards (NICs), each on a separate network. Provided that the host controls or prevents the forwarding of traffic between NICs, this can be an effective measure to isolate a network. 2. Bastion Host - Serves as a gateway between a trusted and untrusted network that gives limited, authorized access to untrusted hosts. For instance, a bastion host at an Internet gateway could allow external users to transfer files to it via FTP. This permits files to be exchanged with external hosts without granting them access to the internal network in an uncontrolled manner.
VLAN
Separate systems on a network into logical groups based on function, regardless of physical location. -Extend broadcast domain. -Layer 2 of stack, routers and firewalls not needed. Switches - Protect physically. VLAN lockdown (disable trunk negotiation to prevent VLAN hopping). 1. VLAN Pruning - Limit VLAN exposure (limit # of switches VLANs are trunked to) 2. VLAN Trunk Negotatiing - Prevents VLAN hopping attacks, disable automatic trunk negotiation. 3. Port Security - Limit devices (#) that can connect to switch by MAC address filtering. static -->admins manually configure valid MAC address for each port. dynamic-->switches memorize the list of MAC address they see on each port and limit access to that address. Port Isolation - private VLAN. Restricts traffic from source port to a single destination port. Prevents devices on the same switch from talking with each other (blocks ARP spoofing on data link layer
Cisco router configs
Standard ACL - Block traffic based on source IP: # Access - List 1 Deny 10.3.1.0 0.0.0.255 (10.3.1.0-10.3.1.55) Extended ACL - Block traffic based on IP (source and destination), ports (source and destination) and protocols. Firewalls - Offered advanced security protection over routers. Rule abilities and security functionality (integration threat intelligence).
Other important WLAN protocols
Synchronous Data Link Control (SDLC) - created by IBM for mainframes to connect to their remote offices. Uses a polling media access method. Works with dedicated leased lines permanent up. Data link layer of OSI model High-level Data Link Control (HDLC) - extension to SDLC also for mainframes. Uses data encapsulation on synchronous serial links using frame characters and checksums. Also data link layer High Speed Serial Interface (HSSI) - Defines electrical and physical interfaces to use for DTE/DCE communications. Physical layer of OSI
Port Address Translation
Systems share same public IP. Assign unique ports for each communication.
Network IPV4 (dotted quad)
TCPIP Classes: -Class A network number values begin at 1 and end at 127 -Class B network number values begin at 128 and end at 191 -Class C network number values begin at 192 and end at 223 ISDN: BRI B-channel 64Kbps, D-channel 16Kbps PRI B- and D-channels are 64Kbps 80211 has CSMA/CA as protocol. Can use DSSS and FHSS (ss stands for spread spectrum) 802.11b uses only DSSS Before a computer can communicate with the internet, it needs an IP-address, a default gateway and a subnet mask To connect multiple LAN segments you can use Bridges, Switches and Routers Fast Ethernet 100Base-TX has as characteristics: 100Mbps data transmission, 1 pairs Cat5 UTP and max segment of 100 meters (328 feet) Unsubnetted netmask is shown as /24 Other word for DMZ is screened subnet FTP, RLOGIN and TELNET never uses UDP but TCP Attenuation - is a decrease in amplitude as a signal propagates along a transmission medium SSL session key length is from 40bit to 256 bit The bridge connects multiple networks at the data link layer, while router connects multiple networks at the network layer. Data backups addresses availability, integrity and recovery but not confidentiality. IP headers contain 32-bit addresses (in IPv4) and 128 in IPv6. In an Ethernet LAN, however, addresses for attached devices are 48 bits long. Subnet Masks Class A 255.0.0.0 Class B 255.255.0.0 Class C 255.255.255.0 Private IP: 10.0.0.1-10.255.255.255 192.168.0.1-192.168.255.255 172.16.0.1-172.31.255.255 0-255 (256 values) 8 bits x4= 32 bits 2 to the 8th power, 256 possible (4.3 billion addresses) 192.168.1.100= 192.168 (Network address) -->1.100 (host address)
Security Enhancement Protocols
TELNET: Remote terminal access and Secure Telnet REMOTE PROCEDURE CALL: Secure remote procedure call (SRA) SSH - Secure Shell over Telnet for remote server administration via the command line
Firewalls
TYPES First generation - (static) Packet filtering firewall AKA screening router: -Examines source/destination address, protocol and ports of the incoming package. Based on ACL's access can be denied or accepted. Is considered a firewall and operates at Network or Transport layer of OSI Second generation - Application level firewall AKA proxy server: -While transferring data stream to another network, it masks the data origin. operating at Application layer of OSI Third generation - Stateful inspection firewall (also known as Dynamic): -All packages are inspected at the Networking layer so it's faster. By examining the state and context of the data packages it helps to track connectionless protocols like UDP and RPC. Analyzed at all OSI Layers. Fourth generation - Dynamic Packet Filtering firewall: -Enables modification of the firewall rule. It provides limited support for UDP by remembering UDP packages across the network. Fifth generation - Kernel Proxy Firewall / Application level: -Firewall Runs in windows NT, modular, kernel based, multiplayer session evaluation. Uses dynamic TCP/IP stacks to inspect network packages and enforce security policies. Web application firewall (WAF) - App layer, block attacks.
Security Perimeter
The first line of protection between trusted and untrusted networks. Generally includes a firewall and router that help filter traffic. May also include proxies, IDSs, and IPSs. Zero Day - application white list
Data Link - layer 2
This layer deals with addressing physical hardware. FRAMES Translates data into bits and formats them into data frames with destination header and source address. Error detection via checksums. LLC, the Logical Link Control Sub layer - Flow control and error notification MAC: the Media Access Control layer - Physical addressing. Concerns frames, logical topologies and MAC-addresses Protocols: L2F, PPTP, L2TP, PPP, SLIP, ARP, RARP, SLARP, IARP, SNAP, BAP, CHAP, LCP, LZS, MLP, Frame Relay, Annex A, Annex D, HDLC, BPDU, LAPD, ISL, MAC, Ethernet, Token Ring, FDDI RARP, Reverse address resolution protocol - When a hardware address is known but the IP address has to be found. (like an diskless machine) Switches, bridges, hardware addressing
Presentation - layer 6
Translations like EBCDIC/ANSI; compression/decompression and encryption/decryption. Uses a common format to represent data, Standards like JPEG, TIFF, MID, HTML; Technology: Gateway. Messages
LAN Cables
Twisted pair: Shielded (STP) or unshielded (UTP) Cat 3=10BaseT, Cat5=100BaseT. Interference rating is worst for the group, poor. Distance = 4921 ft.. Cost = Low Coaxial: More EMI resistant. Baseband: only one single channel. Interference rating is better than twisted pair therefore good. Distance = 328 ft.. Cost = high. Broadband: multiple signal types like data, video, audio Fiber. Optic: Most expensive, but hard to tap and resistant to EMI. Interference rating is very good. Distance = 393,701 ft. Cost = high. Install = hard.
Extended Service Set (ESS)
When two BSSs are connected via a repeater or wired connection, they form an ESS.
Packet Header Flags
Typical packet only have 1 or 2 flags set to a value of 1. CWR - Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set (added to header by RFC 3168). ECE (ECN-Echo) - indicate that the TCP peer is ECN capable during 3-way handshake (added to header by RFC 3168). URG - indicates that the URGent pointer field is significant ACK - indicates that the ACKnowledgment field is significant (Sometimes abbreviated by tcpdump as ".") PSH - Push function RST - Reset the connection (Seen on rejected connections) SYN - Synchronize sequence numbers (Seen on new connections) FIN - No more data from sender (Seen after a connection is closed)
Trusted Operating System
Undergone a formal evaluation
LAN Transmission Methods (396)
Unicast - Packet is sent from single source to single destination Multicast - source packet is copied and sent to multiple destinations Broadcast - source packet is copied and sent to all nodes
Network Attacks - Denial of Service
Used to overwhelm a targets resources - Filling up hard drive by using huge email attachments or file transfers. - Sends messages to reset targets host subnets masks. - Using up all system resources. DOS - performed by sending malformed packets to a system; can interrupt service or completely deny legitimate users of system resources, an attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding. DDOS - botnet, zombie, massive dos attack using multiple computers SMURF - ICMP requires three players (attacker, victim and amplifying network); attacker spoofs packet header to make it appear that it originated on the victim system with amplifying network broadcasting the message. DDOS. **Countermeasures - disable broadcast at border routers; border routers should not accept packets that originate within network; restrict ICMP traffic (Hint IC = Its Smurf though spelled wrong) FRAGGLE - similar to Smurf but uses UDP ***Countermeasures - disable broadcast at border routers; border routers should not accept packets that originate within network; restrict UDP traffic; employ IDS; apply appropriate patches, block UDP port 7 & 9 from entering network Land Attack - The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. The reason a LAND attack works is because it causes the machine to reply to itself continuously. SYN FLOOD - TCP packets requesting a connection (SYN bit set) are sent to the target network with a spoofed source address. The target responds with a SYN-ACK packet, but the spoofed source never replies. This can quickly overwhelm a system's resources while waiting for the half-open connections to time out. This causes the system to crash or otherwise become unusable. ***Counter: sync cookies/proxies, where connections are created later. Use flood guard. Teardrop - The length and fragmentation offset fields of sequential IP packets are modified, causing the target system to become confused and crash. Uses fragmented packets to target a TCP flaw in how the TCP stack reassembles them. DOS. Broadcast Storm - Routing loops, no capacity left for legitimate use. ***Counter: Use Spanning Tree protocol for prevention. MAC Flood: Fill switch (MAC Address table) with many entries (forgets where devices are). ***Counter: Use flood guard tech and/or use port security. ((((((Common Session Hijacking Attacks))))): Session hijacking (Spoofing) - IP spoofing involves altering a TCP packet so that it appears to be coming from a known, trusted source, thus giving the attacker access to the network. Intercept cookies from a request header TCP sequence number attack - intruder tricks target to believe it is connected to a trusted host and then hijacks the session by predicting the targets choice of an initial TCP sequence number
Types of Wireless Networks
Uses the 802.11x specification to create a wireless LAN Ad hoc Mode - directly connect two+ clients, no access point Infrastructure Mode - connects endpoints to a central network, not directly to each other, need access point and wireless clients for IM mode wireless Stand-alone Mode - isolated system WEP - don't use can be cracked in seconds, predecessor to WPA and WPA2, confidentiality, uses RC4 for encryption, weakened by use of RC4 use of common key and a limited number of initialization vectors WPA - uses TKIP for data encryption WPA2 - based on 802.11i, uses AES, key management, reply attack protection, and data integrity, most secure, CCMP included, WPA2 ENTERPRISE Mode - uses RADIUS account lockout if a password-cracker is used TKIP - Temporal Key Integrity Protocol, uses RC4 (NEW KEY FOR EACH PACKET). LEAP - Lightweight Extensible Authentication Protocol, Cisco proprietary protocol to handle problems with TKIP, security issues don't use. Provides reauthentication but was designed for WEP Other: WPS pin is 8 digits EvilTwin tools = KARMA tool
vishing
VoIP phishing -using a falsified identity and social engineering to trick victims into giving up info
Packet switching technologies
X25 defines point-to-point communication between Data terminal Equipment (DTE) and Data Circuit Terminating Equipment (DCE) Link Access Procedure-Balanced (LAPB) created for use with X25, LAPB defines frame types and is capable of retransmitting, exchanging and acknowledging frames as detecting out of sequence or missing frames Frame Relay High performance WAN protocol designed for use across ISDN interfaces. Is fast but has no error correction, supports multiple PVCs, unlike X.25, packet switched technology that provides CIR, requires DTE/DCE at each connection point Switched Multimegabit DATA Service (SMDS) high speed communication over public switches networks for exchanging 'bursts of data' between enterprises Asynchronous Transfer mode (ATM) very high bandwidth. It uses 53-byte fixed size cells instead of frames like Ethernet. It can allocate bandwidth up on demand making it a solution for Busty applications. Requires fiber optics. Voice over IP (VOIP) combines many types of data into a single IP packet. Cost, interoperability and performance wise it's a major benefit. Most VOIP devices employ a jitter buffer (telephone network uses a fixed path unlike VOIP). SIP enables telephony and VOIP services to be delivered over a packet network.
hash total
a checksum to verify the integrity of a transmission -the hash total obtained is added to the end of the msg and is called the msg digest
bastion host (aka screened host)
a fw system logically positioned b/t a private network and an untrusted network -usually located behind the router that connects the private network -all inbound traffic is routed here, which acts as a proxy for all the trusted systems within the private network
broadcast
a single system transmits data to all possible recipients
SKIP (simple key mgmt for IP)
enc tool used to protect sessionless datagram P's -designed to integrate with IPsec -operates at OSI 3 -able to enc any subprotocol of the TCP/IP suite -replaced by IKE in 1998
PPTP (point to point tunneling P)
encap P -creates a P2P tunnel b/t 2 systems and encapsulates PPP packets -does not support TACACS+ and RADIUS -not secure
omnidirectional (aka "isotropic")
sends signals in all directions
protocol
set of rules and restrictions that define how data is transmitted over a network medium
beacon frame
signal WAP sends out to announce the SSID
names of sent message across the OSI
app-session layer (7-5): data stream transport layer (4): segment (datagram for UDP) network (3): packet data link (2): frame physical (1): data is converted into bits for transmission
TCP wrapper
application that can serve as a basic firewall by restricting access to ports and resources based on user IDs or system IDs -form of port-based access control
wireless cells
areas within a physical environment where a wireless device can connect to a wireless access point -can leak outside the secured environment and allow intruders easy access to the wireless network
STP ("shielded twisted pair")
as metal foil around wires underneath metal sheath, providing some protection from EMI
screened subnet
similar to screened host (bastion) except it is placed b/t two routers
encapsulation
addition of a header (and possibly a footer) to the data received by each layer from the layer above before it's handed off tot he layer below. -occurs as the data moves down the OSI layers
SDN (software defined networking)
aims at separating the infrastructure (hardware) layer from the control layer -directly programmable from a central location, flexible, vendor neutral, based on open standards. -basically just "network virtualization" - allows data transmission paths, comm decision trees, flow control to be virtualized
SDN (software defined network)
aims at separating the infrastructure layer from the control layer -offers a new network design that is directly programmable from a central location, is flexible, vendor neutral, and is open standards based -frees an org from having to purchase devices from a single vendor -allow an org to mix and match hardware as needed
bluejacking
allows an attacker to transmit SMS-like msg's to your device
bluesnarfing
allows attackers to connect with your device w/o your knowledge and extract info
hyperlink spoofing
alteration of the hyperlink URL's in the HTML code of documents sent to clients -usually successful bc most users do not verify the domain name in a URL via DNS
TACACS+ (terminal access controller access-control system)
alternative to RADIUS -available as TACACS, XTACACS, and TACACS+ -integrates the authentication and authorization processes -TACACS+ supports two-factor auth and is most current version
open relay (SMTP)
an STMP server that does not authenticate senders before accepting and relaying email -prime targets for spammers
APIPA (automatic private IP addressing)
assigns an IP to a system in the event of a DHCP assignment failure -primarily a Windows feature -assigns each failed DHCP client with an IP from the range of 169.254.0.1 to 169.254.255.254 along with the default class B subnet mask of 255.255.0.0 -not directly concerned with sec
DNS poisoning
attacker alters the domain name to IP mappings in a DNS system to redirect traffic to a rogue system
DNS spoofing
attacker sends false replies to a requesting system, beating the real reply from the valid DNS server -exploitation of race conditions
DDoS
attacks involving zombied systems
CMSA/CA (carrier-sense multiple access with collision avoidance)
attempts to avoid collisions by granting only a single permission to comm at any given time -requires designation of a master/primary system
PAP (password auth P)
auth P for PPP -transmits usernames/pw's in cleartext -offers no form of enc -only provides a means to transport the logon credentials from client to server
EAP (extensible auth P)
authentication framework -allows for new auth tech's to be compatible with existing wireless or p2p conn tech
S-RPC (secure remote procedure call)
authentication service and is simply a means to prevent unauthorized execution of code on remote systems
captive portal
authentication technique that redirects a newly connected wireless web client to a portal access control page. -may require user to input payment info, credentials, or input an access code -can display legal policies -common for public wifi areas
red box (phreaker tool)
simulate tones of coins being deposited into a pay phone -usually small tape recorders
5-4-3 rule
between any two nodes, there can be a max of 5 segments connected by 4 repeaters/concentrators, and only 3 of those 5 segments can be populated -does not apply to switched networks or the use of bridges/routers
Yagi antenna
broadcasts signal in one, narrow direction
transparency
characteristic of a service, sec control, or access mechanism that ensures it is unseen by users -often a desirable feature -the more transparent, the less likely a user will be able to circumvent it or be aware that it exists
IP classes
class A subnet: supports 16,777,214 hosts class B subnet: 65,534 hosts class C subnet: 254 hosts class D subnet: used for multicasting class E: resv'd for future use
IP classes default subnet masks
class | default subnet mask | CIDR equiv. A . 255.0.0.0 /8 B . 255.255.0.0 /16 C 255.255.255.0 /24
two tier fw
can be in two designs: a) fw with 3 or more interfaces- DMZ is located off one of the interfaces b) two fw's in a series- allowing for a DMZ or a publicly accessible extranet -this system introduces a moderate level of routing and filtering complexity
baseband tech
can support only a single comm channel -uses direct current applied to cable
modification attacks
captured packets are altered and then played against a system -designed to bypass the restrictions of improved auth mechanisms and session sequencing
ATM (async transfer mode)
cell-switching WAN comm tech instead of a packet switching tech like frame relay -fragments comm into fixed length 53 byte cells -can use PVC's or SVC's
telephony
collection of methods by which telephone services are provided to an org or the mechanisms by which an org uses telephone services for either voice and/or data comm -traditionally this used POTS, aka PSTN combined with modems -PBX, VoIP, and VPN's are common telephone comm today
CDN (content delivery network)
collection of resource services deployed in numerous data centers across the internet to provide low latency, high perf, high availability.
L2TP (layer 2 tunneling P)
combines elements from PPTP and L2F -creates a P2P tunnel b/t comm endpoints -lacks a built in enc scheme, and typically relies on IPSec as sec mechanism. -supports TACACS+ and RADIUS
virtualized network
combo of hardware and software networking components into a single integrated entity
spread spectrum
comm occurs over multiple frequencies at the same time -a msg is broken into pieces, and each piece is sent at the same time but using a diff frequency -parallel comm rather than serial comm Two kinds of spread spectrum are available: -Direct-sequence spread spectrum (DSSS) -Frequency-hopping spread spectrum (FHSS)
multicast tech
comm to multiple specific recipients
VPN (virtual private network)
comm tunnel that provides point to point transmissino of both auth and data traffic over an intermediary untrusted network. -can use enc to protect the encap'd traffic, but enc is not necessary -most commonly used to establish secure comm paths across the internet -can provide conf and integrity over insecure/untrusted intermediary networks (no availability guarantee)
NAC (network access control)
concept of controlling access to an environment thru strict adherence to and implementation of a sec policy. -acts as automated detection/response system that can react in real time to stop threats goals: 1) protect against zero day attacks 2) enforce sec policy throughout the network 3) use identities to perform access control
endpoint security
concept that each individual device must maintain local sec whether or not its network channels also provide sec -aka "the end device is resp for its own sec"
PRI (primary rate interface)
connection with multiple 64 Kbps B channels (2-23) -single 64 Kbps D channel -maximum speed possible for ISDN
SMDS (switched multimegabit data service)
connectionless packet-switching tech -used to connect multiple LAN's to form a metro area network (MAN) -supports high speed bursty traffic and bandwidth on demand
bus topology
connects each system to a trunk or backbone cable -all systems can transmit data simultaneously, which could result in collisions -collision avoidance mechanism is put in place to prevent this -ex: ethernet
gateway (aka "protocol translators")
connects networks that are using different network P's -responsible for transferring traffic from one network to another by transforming the format of that traffic into a form compatible with the P or transport method used by each network. -can be stand-alone devices or a software service -used to connect network segments that use different P's -ex: data, mail, app, secure, and internet are ex's -operate at OSI 7
dedicated line (aka leased line)
continually reserved for use by a specific customer -always on and waiting for traffic
NAT (network address translation)
converts the internal IP addresses found in packet headers into public IP addresses for transmission over the internet -dev'd to allow private networks to use any IP address set w/o causing conflicts with public internet hosts -translates the IP addresses of your internal clients to leased addresses otuside your environment
CCMP (Counter Mode Cipher Block Chaining Message Authentication Code P)
created to replace WEP and TKIP/WPA -uses AES with a 128 bit key -preferred sec P of 802.11 -secure
DSSS (direct sequence spread spectrum)
employs all the available freq's simultaneously in parallel -provides higher throughput than FHSS -uses encoding mechanism called a chipping code to allow a receiver to reconstruct data even if parts of the signal were distorted
SSL (secure sockets layer)
enc P developed by Netscape to protecct the comm b/t a web server and browser. -can secure web, email, FTP, or telnet -provides conf and integrity -deployed using 40 or 128 bit key -superseded by TLS
HSSI (high speed serial interface)
defines how multiplexors and routers connect to high speed network carrier services such as ATM or frame relay
attenuation
degradation of the signal quality in network cables, caused by internal resistance to electron flow -long cables can often be supplemented through the use of repeaters or concentrators
three tier fw
deploys multiple subnets b/t the private network and the internet separated by fw's -each fw has more strict filtering rules -outermost subnet is usually a DMZ -middle subnet can serve as a transaction subnet where support for web app's in DMZ reside -the third (back end) subnet can support the private network -most secure, but most complex to design, implement, and manage
TKIP (temporal key integrity P)
designed as replacement for WEP -used on WPA
communications security
designed to detect, prevent, and even correct data transportation errors (confidentiality and integrity protection)
multiplexor
device that transmits multiple comm or signals over a single cable or virtual circuit
CSMA (carrier-sense multiple access)
does not directly address collisions -comm fails if there is a collision
PEM (privacy enhanced mail)
email enc mechanism that provides auth, integrity, conf, and nonrep. -uses RSA, DES, and X.509
S/MIME (secure multipurpose internet mail extensions)
email sec standard that offers auth and conf to email via public key enc and digital signatures. -auth is provided by X.509 dig cert's. -privacy is provided by PKCS (Public Key Cryptography Standards) -2 types of messages can be formed with this: 1) signed msg: provides integrity, sender auth, and nonrepudiation 2) enveloped msg: provides integrity, sender auth, and conf
star topology
employs a centralized connection device (hub or switch) -each system is connected to central hub by a dedicated segment -central hub can be single pt of failure -generally uses less cabling than other topologies -makes ID of damaged cables easier
OFDM (orthogonal frequency-division multiplexing)
employs a digital multicarrier modulation scheme that allows for a more tightly compacted transmission -the modulated signals are perpindicular (orthogonal) and do not cause interference with each other -requires smaller freq set (channel bands) -offers greater throughput
PEAP (protected extensible auth P)
encap's EAP in a TLS tunnel -preferred to EAP bc PEAP assumes channel is already protected -PEAP imposes its own sec -used to secure comm over 802.11 wireless conn's -can be used by WPA and WPA2 -also preferred over LEAP
CHAP (challenge handshake auth P)
encrypts usernames and passwords -performs auth using a challenge response dialogue that cannot be replayed -periodically reauthenticates the remote system throughout and establish comm sessions to verify ID -used over PPP links
OSI model (overview)
establish a common comm structure or standard for all computer systems -by working from the OSI model, vendors are able to ensure their products will integrate with products from other companies and be supported by many OS's. -each layer of the OSI model comm's via a logical channel with its peer layer on another computer
transmission logging
form of auditing focused on comm -records the particulars about source, destination, time stamps, ID codes, etc.
proxy
form of gateway that does not translate across P's -serve as mediators, filters, caching servers, and even NAT/PAT servers for a network. -performs a service on behalf of another system and connects network segments that use the same P -frequently used to protect the identity of the client
EAP (extensible auth P)
framework for auth instead of an actual P -allows customized auth sec solutions (supporting smart cards, tokens, biometrics) -assumes channel is already protected
PPP (point to point P)
full-duplex P used for transmitting TCP/IP packets over non-LAN connections, such as modems, ISDN, VPN's, frame realy, etc. -transport P of choice for dial up connections -replacement for SLIP
ISDN (integrated services digital network)
fully digital telephone network that supports both voice and high-speed data comm -two types- 1) BRI 2) PRI
TLS (transport layer sec)
functions similar to SSL but has stronger auth and enc P's -can be implemented at lower layers to operate as a VPN (OpenVPN) -can enc UDP and SIP
phreaking
gaining unauthorized access to personal voice mailboxes, redirect messages, block access, redirect inbound/outbound calls -circumvent the telephone system to make free long distance calls, alter function of telephone service, steal services, or cause service disruptions
bluebugging
grants attackers remote control over features and functions of a device
broadcast domain
group of networked systems in which all other members receive a broadcast signal when one of the members of the group transmits it. -divided by using any layer 3 or higher device
collision domain
group of networked systems that could cause a collision if any of the systems in that group transmitted simultaneously -divided by using any layer 2 or higher device
liner bus topology
has a single trunk line with all systems directly connected to it
tree bus topology
has a single trunk line with branches that can support multiple systems -rarely used today bc it must be terminated at both ends and any disconnection can take down the whole network
MPLS (multi-P label switching)
hi-throughput, hi-perf tech that directs data across a network based on short path labels rather than longer network addresses -saves time over normal IP-based routing
TCP protocol field value
label or flag that tells the receiving system what type of packet it is. -indicates the identity of the next encapsulated P. -allows receiving system to know what the contents are without opening it.
security boundary
line of intersection b/t any two areas, subnets, or environments that have different sec requirements or needs -exists b/t a high sec area and a low sec area, for ex b/t a LAN and the internet -also exist b/t the physical environment and the logical environment
MAC filter
list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all non-auth devices
eavesdropping
listening to comm traffic for the purpose of duplicating it -usually requires physical access to the IT infrastructure to connect a physical recording device to an open port or cable splice or to install a software recording tool
virtual circuits (aka comm path)
logical pathway/circuit created over a packet-switched network b/t two endpoints -two types
stateful NAT
maintains info about the comm sessions b/t clients and external systems
black box (phreaker tool)
manipulates line voltages to steal long distance services -usually custom built circuit boards
DKIM (domainKeys identified mail)
means to assert that valid mail is sent by an org thru verification of domain name sec
converged P's
merging of specialty/proprietary P's with standard P's, like TCP/IP
ad hoc mode
mode in wireless tech that allows any two wireless devices to comm w/o a centralized control authority
static NAT
mode to be used when a specific internal client's IP is assigned a permanent mapping to a specific external public IP. -allows external entities to comm with systems inside your network
tunneling
network comm process that protects the contents of P packets by encap'ing them in packets of another P. -often used to enable comm b/t otherwise disconnected systems -protects the contents of the inner P and traffic packets by encasing, or wrapping, it in an authorized P used by the intermediary network
virtual application
software product deployed in such a way that it is fooled into believing it is interacting with a full host OS -able to operate w/o the full installation of its original host OS
firewall
network device used to filter traffic -usually deployed b/t a private network and a link to the internet -filter traffic based on a defined set of rules, called filters or access control lists (ACL's) -usually unable to block viruses/malware (do not scan traffic) -logs network traffic (reboots, dependencies not starting/crashing, changes to config file, system errors) -can be a single point of failure -offer no protection against traffic within a subnet (behind the fw)
LAN (local area network)
network typically spanning a single floor/building
iSCSI (internet small computer system interface)
networking storage standard based on IP -used to enable location independent file storage, transmission, and retrieval over LAN, WAN, or public internet. -low cost alt to fibre channel
transmission window
number of packets transmitted before an ACK packet is sent
botnet
numerous bots/zombies across numerous unsuspecting secondary victims
crosstalk
occurs when data transmitted over one set of wires is picked up by another set of wires due to radiating EM fields produced by electric current -each pair in the cable is twisted at a diff rate (the tighter the twisting, the more resistant)
packet switching
occurs when the msg or comm is broken up into small segments and sent across the intermediary networks to the destination -does not enforce exclusivity of comm pathways -can be seen as a logical transmission tech -places data from different sources on the same physical connection (vuln to disclosure/eavesdropping)
collision
occurs when two systems transmit data at the same time onto a connection medium that supports only a single transmission path
BRI (basic rate interface)
offers a connection with two B channels and one D channel B channel: 64 Kbps D channel: used for call estab, mgmt, teardown; 16 Kbps
X.25 WAN connections
older packet switching tech that was widely used in Europe. -uses perm virtual circuits to establish specific p2p connections b/t two systems -predecessor to frame relay
simplex
one-way direction comm
de-encapsulation
opposite of encapsulation, occurs as data moves up the OSI
frame relay connections
packet switching tech that also uses PVC's -supports multiple PVC's over a single WAN carrier service connection -OSI 2 -committed info rate (CIR)- guaranteed minimum bandwidth a service provider grants to its customers
token ring (LAN tech)
performs comm using a digital token -possession of token allows a host to transmit data
polling (LAN tech)
performs comm using a master-slave config -address collisions by attempting to prevent them from using a permission system
network topology
physical layout and org of computers/networking devices
pretexting
practice of obtaining your personal info under false pretenses -info is then sold to others who perform the abuse of your credit and reputation
DNP3 (distributed network P)
primarily used in the electric/water mgmt industries -supports comm b/t data acquisition systems and the system control eqmt -multilayer P and functions similar to TCP/IP
site survey
process of investigating the presence, strength, and reach of WAP's deployed in an environment.
MOSS (MIME object sec services)
provides auth, conf, integrity, and nonrep for email -uses MD2, MD5, RSA public key, DES to provide auth and enc
swIPe (software IP encryption)
provides auth, integrity, and conf using an encap P -OSI 3
application-level gateway firewall (aka "proxy" fw)
proxy: copies packets from one network to another, while changing the source and destination addresses to protect the ID of the internal network -filters traffic based on the internet service (i.e, the app) used to transmit/receive the data -comprises numerous proxy servers -negatively effects perf bc each packet must be examined and processed -"second generation" fw's -operate at OSI 7 (app)
PGP (pretty good privacy)
public-private key system that uses a variety of enc algo's to enc files and email msg's -initially used RSA, then IDEA, now it uses many enc algo's. -independently created product that has wide internet support
asynchronous comm
rely on a stop and start delimiter bit to manage the transmission of data -best suited for smaller amounts of data -ex: PSTN
synchronous comm
rely on a timing/clocking mechanism based on a clock or time stamp embedded in the data stream -able to support very high rates of data transfer
non-dedicated line
requires a connection to be established before data transmission can occur -ex: standard modems, DSL, ISDN
SET (secure electronic transaction)
sec P for the transmission of transactions over the internet -based on RSA enc and DES -SSL/TLS sessions are the preferred mechanism for secure ecommerce
extranet
section of an org's network that has been sectioned off so that it acts as an intranet for the private network but also serves info to the internet -an extranet for public consumption is often labeled a DMZ
mail bombing
sending so much email to a user's inbox that a DoS occurs
IEEE 802.11
standard for wireless network comm -2 Mbps; 2.4 GHz contains two methods to authenticate to WAP's: 1) OSA (open system authentication)- no real auth required 2) SKA (shared key authentication)- some form of auth must take place before comm can occur
IEEE 802.1x/EAP
standard port based network access control that ensure clients cannot comm with a resource until auth has taken place -supported by WPA and WPA2
X.400 standard
standard which many internet compatible email systems rely on for addressing and message handling
broadcast tech
supports comm to all possible recipients
broadband tech
supports multiple simultaneous signals -uses freq mod (FM) to support numerous channels -good for hi throughput rates -ex: cable TV, cable modems, ISDN, DSL, T1, T3
unicast tech
supports only a single comm to a specific recipient
DSL (digital subscriber line)
tech that exploits the upgraded telephone network to grant consumer speeds from 144 Kbps to 6 Mbps (or more) -has various formats which support different bandwidths
WPA (wifi protected access)
temp fix for WEP until 802.11i was finished -based on LEAP and TKIP cryptosystems and often employs a secret passphrase for auth. -the passphrase can be brute forced -does not provide long term reliable sec -supports 802.1X/EAP
fiber optic cables
transmit pulses of light rather than electricity -extremely fast and nearly impervious to tapping/interference -difficult to install and expensive
FHSS (freq hopping spread spectrum)
transmits data in a series while constantly changing the freq in use -entire range of freq's are employed, but only one freq at a time is used -designed to minimize interference by not using a single freq that could be affected
VoIP (voice over IP)
tunneling mechanism used to transport voice/video/data over a TCP/IP network -can be telephone replacement
UTP (unshielded twisted pair)
twisted pair cabling w/o the foil
half-duplex
two-way comm, but only one direction can send data at a time
full-duplex
two-way comm, data can be sent in both directions simultaneously
RADIUS (remote auth dial-in user service)
used to centralize the auth of remote dial-up connections -remote access server passes dial up user long creds to the RADIUS server for auth
wardriving
using a wireless detector to locate wireless network signals while driving.
authentication
verifying the identity of a user -done after establishing a connection b/t a system and server
PBX (private branch exchange)
voice comm P
infrastructure mode
wireless access point is required for wireless comm -preferred wireless mode -4 variations: a) stand alone mode: a WAP connecting wireless clients to each other but not to any wired resources b) wired extension mode: WAP acts as a connection point to link the wireless clients to the wired network c) enterprise extended mode: multiple WAP's are used to connect a large physical area to the same wired network d) bridge mode: wireless connection is used to link two wired networks