Network Security
two negotiation phases that the two network nodes must perform before the IPsec tunnel is complete.
IKE Phase 1: is a phase where both network nodes authenticate each other & set up an IKE SA(Security Association) Diffie-Hellman key exchange algorithm is used to generate a shared session secret key to encrypt the key exchange communications. (sets up a secure channel to protect further negotiations in phase 2) IKE Phase 2 uses secure channel established in phase 1 to negotiate the unidirectional IPsec Sas inbound and outbound to set up the Ipsec tunnel (parameters for AH & ESP negotiated)
Jamming
The wireless network is overwhelmed with wireless traffic, thereby jamming the network
Distributed Denial of Service Attacks
attack comes from a potentially massive amount of machines the worm has infected 1. attacker does a port scan & looks for an open port or a software application that is vulnerable to an attack. 2. machine is hacked(attacked) & distributes the malicious software 3. attacker can issue a command or an instruction that starts the attack on a specific site To stop DDoS attacks, you must stop intrusions to the network
Spoof
attacker doesn't use his IP address but will insert an IP address from the victim's network or another network as the source IP. There is a lot of software on the Internet that enables someone to spoof an IP address
malware
encompasses all malicious programs intended to harm, disrupt, deny, or gain unauthorized access to a computing system.
Secure socket layer (SSL)
encryption used by web servers example: packet transmission is encrypted when a credit card number is entered.
Antivirus Software
first line of defense against the viruses, worms, and general malware is antivirus software uses signatures or definitions to match against the viruses and worms. Network Access Quarantine Control (NAQC) - is a Resource Kit tool in Windows Server 2003 & 2008 that allows administrators to prevent remote client computers from connecting to their network w/ machines that aren't secure.
Demilitarized Zones (DMZs)
for the outside servers, which mean that they are moved to a place on the network so that they are isolated. If the machines are compromised, the intruder will have limited access to the inside of the network.
Stateful firewall
inbound & outbound data packets are compared to determine if a connection should be allowed includes tracking the source and destination port numbers and sequence numbers as well as the source and destination IP addresses used to protect the inside of the network from the outside world but still allow traffic to go from the inside to the outside and back. firewall needs to be stateful to accomplish this
Worm
type of computer virus that attacks computers, typically proliferating by itself (self-replicating); can use the network to send copies of themselves to other computers. Common objective of a worm is to establish a backdoor in the infected computer, which enables an attack access to someone's computer.
Point-to-Point Tunneling Protocol (PPTP)
A PPTP server was included in Microsoft NT 4.0 server, and PPTP was widely used as a remote access solution. PPTP was designed to work in conjunction with a standard PPP. A PPTP client software would establish a PPP connection to an ISP, and once the connection is established, it would then make the PPTP tunnel over the Internet to the PPTP server. The PPTP tunnel uses a modified GRE tunnel to carry its encapsulated packet for IP transmission.
Directed Broadcast
A message is sent to all hosts on a remote network. is passed through the router
Acceptable use policy (AUP)
A policy that defines the actions users may perform while accessing systems and networking equipment.
Guidelines that help prevent password cracking
Don't use passwords that are dictionary words Don't use your username as your password Don't use your username spelled backward as your password Limit the number of login attempts Make your password strong, which means it is sufficiently long (eight or more characters) and is an alphanumeric combination (for example, A b 1 & G 2 5 h) Change passwords often
Access Lists
In order to allow other data packets that do not match the ACL's permit and deny statements to enter and exit the LAN, the command access-list permit ip any any must be added to the last line of an access list to explicitly allow all other data packets RouterB(config)# access-list 100 permit ip any any instructs the router to permit IP packets from any source to any destination:
IPSec
Internet Protocol Security. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH and ESP. AH provides authentication and integrity of IP packets. MD5 or SHA-1 ESP provides confidentiality, integrity, and authentication. (encryption)(DES)(3DES)(AES) IPsec uses port 500 for IKE with VPN connections. Security Association and Key Management Protocol (ISAKMP).
LEAP
Lightweight Extensible Authentication Protocol 802.1x authentication system
Steps to take to prevent viruses
Open only attachments that come from known sources. Even this can be a problem because email addresses can be spoofed or the message can come from a known person whose computer has been infected. Require that the emails you receive be digitally signed so you can verify the sender. Always run antivirus software on the client machines. The antivirus software is not 100% effective but will catch most viruses. Include email server filters to block specific types of emails or attachments. Keep the antivirus software up to date. Keep the operating system and applications software current. Use personal firewalls whenever possible.
WEP
RC4 algorithm is used for encryption in WEP weaknesses of WEP: - the challenge text in WEP is sent in clear text. - WEP initialization vector is only 24 bits in size and is always static - does not use a key management, and its pre-shared key never changes.(not too difficult to obtain the pre-shared key)
Six stages of Forensics examination
Readiness: This includes appropriate training, regular testing, and verification of software and equipment, familiarity with legislation, and ensuring that the onsite acquisition (data extraction) kit is complete and in working order. Evaluation: The evaluation process includes receiving instructions, clarifying the instructions, completing risk analysis, and allocating resources. Collection: This step involves collecting evidence and interviewing relevant personnel as well as the IT administration responsible for the affected system. Analysis: This step involves the use of the appropriate tools needed to provide thorough and repeatable analysis of the compromised system. Presentation: In this step the examiner will provide a structured report on the findings of the examination. This will also include addressing key points and any additional information relevant to the investigation. Review: At this point the examiner should review what went wrong, what was done properly, and what can be learned and improved on based on this incident.
SSID in WLANS
SSID is broadcast in radio link beacons about 10 times per second. In WLAN equipment, the beacons are transmitted so that a wireless user can identify an access point to connect to SSID can be turned off, so it isn't transmitted with a beacon, but it is still possible for the SSID to be obtained by packet sniffing Enterprise-grade access points implement multiple SSIDs, with each configured SSID having its own VLAN and wireless configuration.
SYN attack
TCP SYN (synchronizing) packet. Attacker sends many TCP SYN packets to a host, opening up many TCP sessions. Host machine has limited memory set aside for open connections. If all TCP connections are opened by SYN attack, other users are kept from accessing services from the computer because because the connection buffer is full. Most current operating systems take countermeasures against the SYN attack.
WPA
TKIP (Temporal Key Integrity Protocol) - TKIP basically generates a sequence of WEP keys based on a master pre-shared key and rekeys periodically every 10,000 packets - TKIP also uses an integrity check value to ensure that the packet is not tampered with (If so, WPA will stop using the current key and will rekey) user authentication provided by 802.1x
L2TP (Layer 2 Tunneling Protocol)
UDP port 1701
Web filter
Web traffic is usually one of the first to be monitored and filtered, and a web filter appliance is designed to do just that. In the K-12 school environment, web filtering is critical. K-12 school districts are required by law to implement filtering to block adult, illegal, or offensive content from minors law is known as the Children's Internet Protection Act (CIPA) web filter appliance has a database containing inappropriate websites A web filter appliance monitors the web traffic both via HTTP and HTTPS and matches it against the database. If an inappropriate website is detected, it is either discarded or the user is redirected to a security web page for further action
Firewalls Cont.
allow traffic from inside the network to exit don;t allow general traffic from the outside to enter network monitors data traffic & recognizes where packets are coming from will allow packets from the outside to enter the network if they match a request from within the network Based on Three technologies: - Packet Filtering - Proxy Server - Stateful packet filtering
Packet Sniffing
attackers can obtain a password by sniffing the network's data packets. Attacker must be able to see the network data packets device must be on the network that allows her to see the data packets attacker then watches the data packets until a telnet or FTP passes (or one from many of the other applications that have unencrypted logins)
Personal Firewall
basic packet filtering inspections: firewall accepts or denies incoming traffic based on information contained in the packets TCP or IP headers application-based firewall: where trusted programs can be defined. network traffic originated from or destined to the trusted programs is allowed by the firewall Some personal firewalls provide more granular control to allow specific hosts or subnets Windows 10 firewall allows for both packet filtering and application-based firewall. also gives the firewall software both inbound and outbound control Linux world, iptables, has been a de facto firewall program for a long time. iptables is a network packet filtering firewall program. Mac OS X is deploying PF (Packet Filter) as its OS firewall. PF is a BSD-based stateful packet filter firewall used in computer networks for protection against the "network elements" (for example, intrusions, denial of service attacks, and so on) Linux To start the Linux firewall (iptables) configuration, use the following steps: The command to view/add/modify/delete the Linux firewall configuration is iptables. For example, to view the firewall configuration, simply issue the command iptables-list as root or sudo iptables-list. The user must be connected as root or must open System Preferences and select Security. The output of the command iptables-list. It shows a list of chains: INPUT, FORWARD, OUTPUT, and RH-Firewall-1-INPUT. A chain can consist of firewall rules or another chain. Obviously, the only chain in this example that contains firewall rules is the RH-Firewall-1-INPUT. This chain allows incoming HTTP, HTTPS, SSH, SMTP, domain (DNS), and IMAP traffic and will reject any incoming traffic that does not match the allowed list.
Buffer Overflow
buffer overflow occurs when a program attempts to put more data into a buffer than it was configured to hold & the overflow writes past the end of the buffer & over adjacent memory locations. program stack contains data plus instructions that it will run.
VPN
connection between two endpoints is known as an IP tunnel . A tunnel is created by an encapsulation technique, which encapsulates the data inside a known protocol (IP) that is agreed upon by the two end points. A tunnel creates a virtual circuit-like between the two endpoints and makes the connection appear like a dedicated connection even though it spans over the Internet infrastructure. Two types of VPNs are commonly used today: Remote access VPN: A remote access VPN is used to facilitate network access for users in remote office networks or for remote users that travel a lot and need access to the network. The client usually initiates this type of VPN connection. Site-to-site VPN: A site-to-site VPN is used to create a virtual link from one site to the other. It essentially replaces the traditional WAN-type connection used in connecting typical sites. This type of VPN requires network hardware like a router or a firewall to create and maintain the connection.
PPP
de factor protocol of dial-up networking people would make a dialup connection to their ISP and establish a PPP session to the Internet most implementations of PPP provide user authentication using protocols such as Password Authentication Protocol ( PAP ) or Challenge Handshake Authentication Protocol ( CHAP ) PAP is a simple, clear-text (unencrypted) authentication method, which is superseded by CHAP, an encrypted authentication method that uses the MD5 hashing algorithm Related to MD5 is SHA, which is the secure hash algorithms required by law for use in certain government applications' SHA comes in many types: SHA-0, -1, -2, and -3. Extensible Authentication Protocol (EAP) was introduced as another PPP authentication method During the PPP authentication phase, the ISP dial-up server collects the user authentication data and validates it against an authentication server like a RADIUS server. RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is an IETF standard protocol that is widely used for authenticating remote users and authorizing user access. The RADIUS server supports many methods of user authentication including PAP, CHAP, and EAP. Even though PPP dial-up is not as prevalent today, the concepts of central authentication still lend themselves to many technologies and applications.
Packet Filtering
limit is placed on the packets that can enter the network can also limit information moving from one segment to another ACLs are used to enable the firewall to accept or deny data packets Disadvantages: - Packets can still enter the network by fragmenting data packets. - Difficult to implement complex ACLs - Not all network services can be filtered
Denial of service (DoS)
means that a service is being denied to a computer, network , network server. can be on: - individual machines, - on the network that connects the machines - all machines simultaneously can be initiated by exploiting software vulnerabilities. a software vulnerability can permit a buffer overflow, causing the machine to crash. (affects all applications, even secure applications) vulnerable software denial of service attack attacks the system by making it reboot repeatedly DoS attacks can also occur on routers via the software options available for connecting to a router example: SNMP management software many of the SNMP packages use a similar core code that could contain same vulnerability can affect network bandwidth & end points on the network
Intrusion Prevention System (IPS)
monitors & analyzes network traffic identifies misuse & anomaly on network detects a misuse intrusion by matching network packets w/ its IPS signatures for known attacks or activities that classified as bad. network anomaly can be detected by building up a profile of the system being monitored & detecting significant deviations from this profile IPS has the capability to stop or prevent malicious attacks that it detects by interacting with the firewall.
Access Lists
only allow specific sources from the network to enter the router's interfaces. example: network B connects to a router. Only packets sourced from network B are allowed to pass through the router downsides: - Maintenance problem: - Keeping track of the access lists can be a challenge for the network administrator - Processing access lists on the router is processor intensive & can slow the throughput of the packets. benefits: - eliminates spoofed packets
Smurf Attack
required few resources from the attacker 1. attacker sends a small packet & got many packets in return 2. attacker would pick a victim & an intermediate site Intermediate site has subnets of 10.10.1.0 & 10.10.2.0 Victim is at 10.10.1.0 attackers send a packet to 10.10.1.255, which is a broadcast address for the 10.10.1.0 subnet. The attacker then spoofs the source address information, making it look as if the packet came from the victim's network. All the machines on the 10.10.1.0 subnet send a reply to the source address. Remember, the attacker has spoofed the source address so the replies are sent to the victim's network If this attack were increased to all the subnets in the 10.0.0.0 network, an enormous amount of data packets are sent to the victim's network. This enables the attacker to generate a lot of data traffic on the victim's network without requiring the attacker to have many resources. type of attack is not new, and you can take certain steps to stop a network from becoming an intermediate site. Cisco routers have an interface command that blocks broadcast packets to that subnet. This prevents a network from becoming an intermediate site for a network attack such as this. Make sure this command or a similar command is a default or has been enabled on the router's interface: (on routers interface): no ip directed-broadcast routers will block general broadcasts (all 32 bits set to 1s or "F F F F F F F F" or 255.255.255.255). but not Directed Broadcast unless you use command on router's interface no ip directed broadcast (enables only the router to reply)
Secure FTP (STFP)
secure version of FTP
nmap
security tool that runs on Linux application can be installed using the command $yum install nmap port scanner that is used by the network administrator to scan a local computer or other computers internal to the network to determine what network ports & services are being made available to users. example: nmap localhost
netstat -b
shows the executable involved in creating the connection or listening port
proxy server
used by clients to communicate w/ secure systems using a proxy. The client gets access to the network via the proxy server. This step is used to authenticate the user, establish the session, and set policies. The client must connect to the proxy server to connect to resources outside the network. Disadvantages: - proxy server can run very slowly - Adding services can be difficult - There can be a potential problem w/ network failure if proxy server fails or is corrupted
IPSEC
used on Layer 3 each packet is encrypted prior to transmission across the network link. also a method used to encrypt VPN tunnels
WPA2
uses AES (Advanced Encryption Standard) CCMP(Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) as its key management
Cisco VPN Client
uses IPsec with option of two encryption modes: tunnel & transport tunnel mode encrypts the header & the data (payload) for each packet. transport mode only encrypts the data (payload) IPsec can be used to encrypt data between various networking devices such as PC to server PC to router Router to Router
brute-force-attack
uses every possible combination of characters for the password
dictionary attack
uses known passwords & many variations (upper- & lowercase & combinations)
Viruses
virus is a piece of malicious computer code that when run on your machine can damage your hardware, software, or other files. Computer viruses are typically attached to executable files & can spread when the infected program is run. is spread by sharing infected files or sending emails w/ attached files that are infected w/ the virus Problems: Annoyance Clogging up the mail server Denial of service Data loss Open holes for others to access your machine
penetration testing
way to evaluate the security of the user's network. trying to exploit vulnerabilities in the network includes identifying any potential problems w/ the OS, services, & applications, as well as verifying user adherence to policies validates any protection mechanisms currently in place