CISSP DOMAIN #5 ~Telecommunications, Network, and Internet Security
Layer 5
Session
Packet Switching
Shares bandwidth; data is divided into packets and frames that are individually routed among various network nodes; more resilient than circuit switching; on-demand and connectionless; done via fiber, Synchronous Optical Networking (SONET). X.25: 56 kbps, reliable. Frame Relay: extension of X.25, committed information rate (CIR), discard eligible (DE), can use permanent virtual circuits (PVCs) or switched virtual circuits (SVCs). Asynchronous Transfer Mode (ATM): cell-switching-based physical layer protocol, high-bandwidth, time-sensitive apps, implemented in hardware so delays are minimized, uses a fixed 53-byte cell size, LAN & WAN, superseded by MPLS. VoIP threats: hacking, DoS, LAN hopping, TFTP alteration.
why have a network?
allow communication between computers, share information, share resources, provide central administration
gateway
general term for a device running software that allows connection of two different environments (from ethernet to fddi or in voice situations)
fiber optic cable
glass that carries light waves, surrounded by protective cladding and encased in an outer jacket. not affected by emi and does not radiate signals. usually used as the backbone of a network
internet
global connection of peered networks running TCP/IP, providing best effort service
Transport
handles computer to computer communication through a connection oriented protocol: end to end transmission and segmentation into a data stream. ex: tcp, udp, ssl, spx
ICMP
helps IP (layer 3) handle routing loops, ports, hosts or networks that are down. ICMP has no concept of ports like TCP and UDP, instead it uses types (echo and ttl) and codes - most common utility is ping. used by other connectionless protocols not just IP. subject to Loki attacks
directory services
hierarchical database of users, computers, printers, resources, attributes of each. x.500 and ldap are often used. uses classes of objects and subclasses which follows a specified schema that defines objects and their relationships
hdlc
high level data link control, successor to sdlc, adds error correction and flow control as well as response modes to control transmission
authoritative dns server
holds the records and zones for its domains; a secondary server holds copies, and the two servers are synchronized via zone transfers
ipsec architectures
host to gateway: client mode, connects one system running ipsec to a gateway running ipsec. gateway to gateway: connects two gateways running ipsec to create a secure shared routable connection (like a t1). host to host:
3 way handshake
how TCP establishes a reliable connection, syn - syn/ack, ack
components of VOIP
ip telephony device, call processing manager, voicemail system, voice gateway
half-duplex
send or receive at one time only (not simultaneously)
SLIP
serial line internet protocol, layer 2 protocol, provides IP connectivity via asynchronous connections such as serial lines and modems. introduced in 1988, allowed routing packets via modem links for the first time. a bare bones protocol that provides no built in confidentiality, integrity, or authentication. replaced by ppp
ring topology
series of devices connected by unidirectional transmission links
mpls
multiprotocol label switching, a way to forward wan data via labels (tags) and allows for carrying many different types of traffic
NAT
network address translation, translates a private address to a public one. it hides the origin of the packet; the source is identified as the gateway. will cause problems with applications and protocols that carry addresses in upper layers, such as IPSec, VOIP, and active FTP. most implementations are stateful, meaning that they keep track of communication between the internal host and external host until the session is ended. common on firewalls
network stack
network protocol suite programmed in software or hardware
star topology
nodes connect to a central device, when one device fails it does not impact the others as is the case with bus or ring. can be either flat or hierarchical
dsl
It can provide 6 to 30 times higher bandwidth speeds than ISDN and analog technologies. It uses existing phone lines and provides a 24-hour connection to the Internet. Have to be within a 2.5-mile radius of the DSL service provider's equipment. As the distance between a residence and the central office increases, the transmission rates for DSL decrease.
disadvantage of circuit switched
once connected it is dedicated to that purpose, even while no data is being transferred
baseband
one channel, can only send one signal at a time - uses the entire channel for its transmission
unicast
one to one traffic: a single packet from a single source to a single destination.
simplex
one-way communication
ospf
open shortest path first, uses link state algorithms, allows for more frequent routing table updates, hierarchical routing network that has a backbone link connecting all subnets together
OSI Model
open system interconnection, layered network model, used as a reference point between the layers of this network model. 7 layers
What is data encapsulated in layer 3 referred to as?
packets
ppp
point to point protocol, an encapsulation protocol, layer 2 protocol, mostly replaced SLIP, based on HDLC, adds confidentiality, integrity, and authentication via point to point links. supports synchronous links (such as t1s) in addition to asynchronous links such as modems. uses PAP, CHAP, or EAP to authenticate the user and service
PPTP
point to point tunneling protocol, tunnels ppp via IP. uses GRE (generic routing encapsulation) to pass PPP via IP and uses TCP for a control channel.
dedicated link
pre-established for purposes of wan communication. also called a leased line or point to point link
rfc 1918 addresses (definition)
private IPv4 addresses which may be used for internal traffic that does not route via the internet. any internet connection using one of these addresses will fail - they are not routable via the internet
pbx
private branch exchange, telephone switch located on the company's property. performs the same switching tasks that take place at the telco's office. can multiplex multiple lines into one, can control digital and analog signals
intranet
privately owned network running TCP/IP
cable
provides high-speed access, up to 50 Mbps, to the Internet through existing coaxial cable and fiber lines. data comes down from a central point (referred to as the head end) to a residential home and goes back up to the head end and onto the Internet. coaxial and fiber cables are used to deliver hundreds of television stations to users, and one or more of the channels on these lines are dedicated to carrying data. the bandwidth is shared between users in a local area; therefore, it will not always stay at a static rate. as more people access the Internet within the local area, internet access performance drops
data throughput rate
the actual amount of data that goes through the wire
EAP TLS
the authentication server and wireless device exchange digital certificates. alternatively, the device sends the server a password and the server authenticates to the wireless device with its digital certificate. In both cases, some type of public key infrastructure (PKI) needs to be in place. Companies may choose to use PEAP instead of EAP-TLS because they don't want the hassle of installing and maintaining digital certificates on every wireless device
PAP
used by remote users to authenticate over PPP lines. PAP is one of the least secure authentication methods, because the credentials are sent in clear text
firewalls
used to restrict access to one network from another. supports and enforces a company's network security policy. can be used to set up a dmz
csu/dsu
used when digital equipment will connect a lan to wan. necessary because the signals and frames can vary. csu (using a DCE) connects the network to the telephone company's line and the dsu (using a DTE) converts digital signals from routers, bridges, and multiplexers into signals that can be transmitted over the telephone company's digital lines
802.11a
5 Ghz/54Mbps/Orthogonal Frequency Division Multiplexing (OFDM)
TCP Flags
8 of them: urg, ack, psh, rst, syn, fin, cwr, ece
Application Layer Examples
FTP, HTTP, IMAP, POP3
extranet
connection between private intranets
types of ethernet
10base2 (thinnet): bus, 10 mbps, 185 m, uses coaxial cable; 10base5 (thicknet): bus, 10 mbps, 500 m, uses coax; 10baseT: star, 10 mbps, 100 m, uses twisted pair; 100baseT: star, 100 mbps, 100 m; 1000baseT: star, 1000 mbps, 100 m
class d networks
224.0.0.0 - 239.255.255.255, multicast
dynamic keys
...
well known ports
0-1023
class a networks
0.0.0.0 - 127.255.255.255 = 16 million networks
ICMP types and Codes
type 0/8, code 0: Echo Response/Request (Ping); type 3, codes 0-15: Destination Unreachable; type 4, code 0: Source Quench; type 5, codes 0-3: Redirect; type 11, codes 0-1: Time Exceeded; type 12, code 0: Parameter Fault; type 13/14, code 0: Time Stamp Request/Response; type 17/18, code 0: Subnet Mask Request/Response
main firewall architectures
1 - screened host, 2 - dual-homed, 3 - screened subnet
rfc 1918 addresses (address list)
10.0.0.0 to 10.255.255.255; 172.16.0.0 to 172.31.255.255; 192.168.0.0 to 192.168.255.255
class b networks
128.0.0.0 - 191.255.255.255 = 65k networks
class c networks
192.0.0.0 - 223.255.255.255 = 256 networks
802.11b
2.4 Ghz/11Mbps/Direct Sequence (DSSS) 11 channels
802.11g
2.4 Ghz/54Mbps/Orthogonal Frequency Division Multiplexing (OFDM)
token
24 bit control frame used to control which computers communicate at what intervals. passed from computer to computer and only the computer with it can communicate
class e networks
240.0.0.0 - 255.255.255.255, reserved
TCP/IP Model
4 layers: application, host to host, internet, network access.
Bluetooth Standards
802.15, uses polling, 2.4 Ghz/1Mbps/Frequency Hopping (FHSS)
WPA2 / 802.11i
802.1x or pre-shared key access control; EAP or pre-shared authentication; CCMP (AES w/ Counter) for encryption; CCMP (AES CBC-MAC) for integrity
Wi-fi Protected Access (WPA)
802.1x or pre-shared key access control; EAP or pre-shared authentication; TKIP (RC4) for encryption; Michael MIC for integrity
autonomous systems
ASs, individual networks on the internet. made up of internal routers controlled by different corporations; they use an IGP within the boundaries of the AS, which is delineated by border routers. Border routers talk via an EGP protocol.
Physical Layer Examples
Analog/Digital; Topologies (bus, tree, ring, mesh, star); Cabling (UTP, coax, fiber, wireless); Equipment (patch panel, modem, DSL, hub/repeater, wireless access points)
Layer 7
Application
OSI layers
Application: protocol data unit (PDU); Presentation; Session; Transport: segment; Network: datagram/packet, SW, best route; Data Link: frame (logical), HW (header & trailer added), CRC; Physical: HW
OSI Reference Model
Application, Presentation, Session, Transport, Network, Data Link, Physical (All People Seem To Need Doctor Pepper)
LAN Cabling
Baseband, Broadband; Coaxial, Twisted pair
firewall best practices
Block ICMP redirect traffic, ACLs should be simple and direct, no source routing, close unnecessary ports with dangerous services, disable unused interfaces, block directed IP broadcasts, block incoming packets with internal source addresses (they are spoofed), block multicast traffic if not needed, enable logging
Dynamic WEP
Changes keys
Proxy Firewalls
Circuit Level: does require a proxy for each service, can require authentication (e.g. SOCKS; works at the Session Layer). Application Level: different proxy for each service, can require authentication (e.g. content inspection; works at the Application Layer)
3 Legged Firewall
DMZ
TCP/IP Model
Data Layer (Application/Presentation/Session OSI mapping), Transport Layer (Transport OSI mapping), Internet Layer (Network OSI Mapping), Network Interface Layer (Data Link and Physical OSI Layer)
Layer 2
Data Link
Routing Protocol
Decides the best delivery path for a routed protocol such as IP; analogy: the post office delivering mail. Time-to-Live (TTL) keeps packets from traversing the network forever and decrements every time a router is passed. If the recipient cannot be found before the TTL reaches one, the packet is discarded.
Voice over IP (VOIP)
Easier to wiretap; DoS attacks on the network can now be applied to phones; need VOIP firewalls and access control systems
Presentation Layer Examples
Encryption, Compression, Format
Transport mode
Encrypts end-to-end (IPSEC). Iterated Tunneling: multiple layers of security protocols through IP tunnels
Network Layer Examples
Equipment: routers, NAT/PAT, firewalls. Protocols: IP, DHCP, IPv6, ICMP, IGMP, VPN, RIP. Attacks: IP spoofing, SYN floods, source routing, smurf, fraggle
EAP
Extensible Authentication Protocol: the ability to add two factors to an essentially one factor (PAP/CHAP) system. One Factor: EAP-MD5, LEAP, PEAP-MSCHAP, TTLS-MSCHAP, EAP-SIM. Two-Factor: EAP-TLS, TTLS w/ OTP, PEAP-GTC
1G Wireless characteristics
Frequency Division Multiple Access (FDMA)
Bastion Host
Highly Secure System (Application Level Gateway)
ping
ICMP echo request to see if a node is up or down. an unanswered request does not mean the host is down - could be that the traffic is filtered for security reasons
IPSEC
IP Security. AH: integrity, origin authentication. ESP: encryption, integrity, origin authentication, anti-replay. SA: simplex connection (contains IP address, AH/ESP, and SPI). SPI: identifies the SA
wormhole attack
In this type of attack, there are two attackers, one at each end of the tunnel (referred to as a wormhole); one attacker captures an authentication token and sends this token to the other attacker, who then uses it to gain unauthorized access to a resource. This can take place on a wired or wireless network, but it is easier to carry out on a wireless network because the attacker does not need to actually penetrate a physical wire. The countermeasure to this type of attack is to use a leash, which is just data put into the header of the individual packets. The leash restricts the packet's maximum allowed transmission distance.
Network User Authentication Modes
LDAP, NIS, NIS+, Distributed Computing Environment (DCE) - Kerberos, NTLM
L2F
Layer 2 Forwarding - tunneling, no encryption, mutual authentication
MAN/GAN/PAN?
Metropolitan area network. Global area network: a collection of WANs. Personal area network.
Layer 3
Network
Carnivore
New technologies make it possible to monitor all types of information that one individual might send to another. Carnivore is one example of such a technology.
T-Carrier specs
POTS: dialup service, switched line, widely used, 56 Kbps. ISDN BRI: digital, requires a terminal adaptor, costly, 128 Kbps. ISDN PRI: digital, requires a terminal adaptor, costly, 1.54 Mbps. DSL: typically asymmetric (downloads faster than uploads), up to 52 Mbps. T1: dedicated leased line, 24 bundled phone lines, 1.54 Mbps. T3: dedicated leased line, 28 bundled T1s, 44.736 Mbps
L2TP
PPTP + L2F = Layer 2 Tunneling Protocol
Layer 1
Physical
PPTP
Point to Point Tunneling Protocol, uses PPP, can provide some encryption
Transport Layer Examples
Protocols: TCP, UDP, TLS. Threats: port scanning (FIN, NULL, XMAS, SYN), denial of service
Transport Layer Security (TLS)
Provides Authentication and Protection
hdsl
Provides T1 (1.544 Mbps) speeds over regular copper phone wire without the use of repeaters. Requires two twisted pairs of wires, which many voice-grade UTP lines do not have
Proxy Server
By definition, the word proxy means "to stand in place of." Therefore, an Internet proxy is a hardware or software device that can perform address translation and that communicates with the Internet on behalf of the network. The real IP address of the user remains hidden behind the proxy server. The proxy server can also be configured to filter higher-layer traffic
Session Layer Examples
RTP, RPC
DIAMETER
Roaming applications, peer to peer. Base protocol: defines message format, transport, error reporting, and security services. Extensions: modules such as mobile IP
Mobile phone vulnerabilities
SMS spamming, bluejacking, bluesurfing
Application Layer Security Protocols
Secure Remote Procedure Call (S-RPC); DNSSEC; S-HTTP; Electronic Payment Schemes (SET, Ecash, netcash, Mondex, Cybercash, etc.)
SSH
Secure Shell - Uses RSA, provides compression, confidentiality, and integrity
SSL
Secure Sockets Layer, Record Protocol - Used to Pass messages, Handshake Protocol - Used to establish SSL connection
TACACS+
TCP, encrypts all
WTLS
TLS for cell phones, not wireless LANs. Built into the stack so you have to turn it on; provides encryption and authentication; encryption stops at the gateway
2G Wireless characteristics
Time Division Multiple Access (TDMA). GSM & CDMA
Layer 4
Transport
Screened subnet
Two Separate Packet filters
Radius
UDP, encrypts some
Data Link Layer Examples
Unicast/Multicast/Broadcast; CSMA/CD, CSMA/CA, Token Passing. Equipment: switches. Protocols: ARP, PPP
Firewall Virtualization
Use if you need VLANS
Counter-Mode-CBC-MAC Protocol (CCMP)
Uses AES w/128 bit keys
PPP
Uses PAP, CHAP, EAP - Password, S/Key (MD4), token card, or digital certificate
Temporal Key Integrity Protocol (TKIP)
Uses RC4 with 128 bit keys (key + MAC + Counter changes per packet). Uses Message Integrity Code (MIC) called Michael
Screened Host
Uses both packet filtering router and bastion host
Static WEP
Uses the same key
Transport Adjacency
Using the same packet to apply multiple security protocols without invoking tunneling
3G Wireless Characteristics
Wideband CDMA / UMTS, CDMA2000 1xEV-DO
socket
a combination of IP address and a TCP or UDP port on one node.
collision domains
a group of computers that are contending, or competing, for the same shared communication medium. routers break up broadcast domains, switches and bridges break up collision domains (each port on a switch is its own collision domain)
polling
a method of monitoring multiple devices and controlling network access transmission. if used to monitor devices, the primary device communicates with each secondary device at an interval to check its status. if used for network access, the primary station asks each device if it has something to communicate to another device. mainly used in mainframe environments
hub
a multi-port repeater: receives a bit on one port and repeats it across all other ports. provides no confidentiality or integrity, half duplex device, has one collision domain
h.323
a standard that deals with video, real-time audio, and data packet-based transmissions where multiple users can be involved with the data exchange. terminals are connected to these gateways, which in turn can be connected to the PSTN.
dhcp
a udp based protocol that allows servers to assign ip addresses to network clients. client uses "xxxx discover" and the server responds with "xxxx offer"
frame relay
a wan protocol that operates at the data link layer. lets multiple companies and networks share the same WAN media. uses DTE and DCE equipment. The frame relay cloud is a collection of DCEs (service providers) that provides switching and data communications functionality
ARP
address resolution protocol, used to translate between layer 2 MAC (physical) addresses and layer 3 IP addresses. uses a table to store the information. corrupting this table is called poisoning and is a type of masquerading attack. ARP: known IP to unknown MAC address.
CHAP
addresses some of the vulnerabilities found in PAP. It uses a challenge/response mechanism to authenticate the user instead of sending a password. To establish PPP both ends agree to use CHAP. The server sends the user a challenge, which is a random value. This challenge is encrypted with the use of a predefined password as an encryption key, and the encrypted challenge value is returned to the server. The authentication server also uses the predefined password as an encryption key and decrypts the challenge value, comparing it to the original value sent. If the two results are the same, the authentication server deduces that the user must have entered the correct password, and authentication is granted
screened subnet
adds another layer of security to the screened host architecture. The external firewall screens the data entering the DMZ network. However, instead of the firewall then redirecting the traffic to the internal network, an interior firewall also filters the traffic. The use of these two physical firewalls creates a DMZ. If three firewalls create two separate DMZs, this may be called a three-tiered configuration
layer 2 broadcast
all "f"s for a mac address
broadcast
one to all: all nodes on a LAN. a "limited broadcast" is not forwarded across a router, but a "directed broadcast" is. Flooded vs directed: a flooded broadcast goes from all hosts to all nets; routers are designed to block flooded broadcasts.
EAP
allows for mutual authentication to take place between the authentication server and wireless device, and provides flexibility in that users can be authenticated by using passwords, tokens, one-time passwords, certificates, smart cards, or Kerberos. Two entities (supplicant and authenticator) agree upon one of these authentication methods (EAP modules) during their initial handshaking process
x.25
an older WAN protocol that defines how devices and networks establish and maintain connections. Like frame relay, X.25 is a switching technology that uses carrier switches to provide connectivity for many different networks. It also provides any-to-any connection, meaning many users use the same service simultaneously. uses HDLC
telnet
application layer (TCP/IP model), provides no confidentiality
isochronous network
for applications that are time sensitive, such as voice and video signals; the network contains the necessary protocols and devices that guarantee continuous bandwidth without interruption
adsl
asymmetric, Data travel downstream faster than upstream. Upstream speeds are 128 Kbps to 384 Kbps, and downstream speeds can be as fast as 768 Kbps. Generally used by residential users. Fine for residence users because they usually download items from the Web much more often than they upload data
idsl
provides DSL to customers who cannot get other DSL service because of their distance from the central office. It is capable of reaching customers who are up to 36,000 feet (almost 7 miles) from the provider's central office. IDSL operates at a symmetrical speed of 128 Kbps.
three basic levels of QoS
best effort (no guarantee of throughput or delivery), differentiated services, guaranteed services (ensures specific data throughput at a guaranteed speed)
What is data encapsulated in layer 1 referred to as?
bits
BGP
border gateway protocol, enables routers on different ASs to share routing information to ensure effective and efficient routing between the different AS networks. link state algorithms
link state
build a more accurate routing table because they build a topology database. look at more variables than distance and vector such as packet size, delay, loading, reliability and put these factors into an algorithm
dynamic routing protocol
can change the entries in the routing table based on changes that take place to the different routes (static means they are manually entered)
circuit switched
can provide dedicated bandwidth to point to point connections.
full-duplex
can talk and listen simultaneously
categories of cabling
cat 1: <1 mbps, analog voice; cat 2: 4 mbps, arcnet; cat 3: 10 mbps, 10baseT ethernet; cat 4: 15 mbps, token ring; cat 5: 100 mbps, 100baseT ethernet; cat 5e: 1000 mbps, 1000baseT ethernet; cat 6: 1000 mbps, 1000baseT ethernet, standard for gigabit (10 gbps)
csma/ca
collision avoidance, each computer signals its intent to transmit data before it actually does. wireless lan technologies use this for their media access functionality. if you go wireless, you lose 1/2 the bandwidth because of half duplex.
csma/cd
collision detection, each node monitors the wire and waits until it is free before transmitting. contention means that the nodes have to compete for the same shared medium. a collision occurs when frames collide; when this happens, a random collision timer called the back-off algorithm is used before retransmitting
L2TP
combines PPTP and L2F (layer 2 forwarding, designed to tunnel PPP). L2TP focuses on authentication and does not provide confidentiality: it is frequently used with IPSec to provide encryption
analog
continuous waves of communication
Data Link
converts data into lan or wan frames for transmission, converts messages into bits, defines how a computer accesses a network. two sub layers: llc and mac. ex: slip, ppp, rarp, l2f, l2tp, fddi, isdn
Physical
converts bits into voltages for transmission, which have different meanings for lan and wan technologies. this layer controls synchronization, data rates, line noise, and medium access. standard interfaces at this layer: hssi, x.25, eia/tia-232 and 449
coaxial cable
copper core surrounded by shielding and a grounding wire encased in an outer jacket. more resistant to emi and provides higher bandwidth and supports the use of longer cable runs. thinnet and thicknet, can be used for base or broadband
bootp
created after RARP to enhance functionality. the diskless workstation can receive its IP address, the name server address for future name resolution, and the default gateway address from the xxxxx server. evolution: rarp, bootp, dhcp
circuit level proxy firewall
creates a circuit between the client and server and provides protection at the session layer. knows the source and destination addresses and makes access decisions based on this type of header information. requires that protocols are following rfcs. common example is SOCKS which provides a secure channel between two computers
dynamic packet filtering
creates an acl that allows the external entity to communicate with the internal system via a high (1024+) port. benefit is that it gives you the option for allowing any type of traffic outbound and permitting only response traffic inbound
kernel proxy firewall
creates dynamic customized TCP/IP stacks when a packet needs to be evaluated. when a packet arrives a virtual stack is created, made up of only the protocol proxies necessary to examine this specific packet properly. the layers are examined and if deemed unsafe, the packet is discarded
modulation
data are combined with a carrier signal of a specific frequency. signals differ in amplitude (height) and frequency (number of waves in a period of time)
packet switched
data is broken into packets, each sent individually, make unused bandwidth available for other connections. uses QoS to provide precedence to one traffic type over another
fddi
data transmission speed up to 100mbps, usually a backbone using fiber. two rings and the second is used for redundancy. can be employed up to 100km, making it suitable for mans
t carriers
dedicated lines that carry voice and data over trunk lines. t1 can multiplex 24 channels. if called fractional, it means that the t line was chopped up to provide shared bandwidth
token ring
defined by ieee 802.5, each computer is connected to a central hub called a multi-station access unit (MAU). in order for a device to communicate it must have the token. employs an active monitor and beaconing to deal with issues of frames continually circling the network
slash notation
denotes how many bits are used for the network portion of the address. ex: /8 - 8 for the network 24 for the host (32-8=24). called the netmask
socket pair
describes a unique connection between two nodes: source port, source IP, destination port, and destination IP.
network model
description of how a network protocol suite operates
SRTP and RTP
designed to carry and stream audio and video. RTP includes SIP and h.323. SRTP (secure real time transport protocol) may be used to secure VOIP, including confidentiality, integrity, and secure authentication. uses AES for confidentiality and SHA-1 for integrity
ssl
designed to protect http, https uses port 443.
dsss
direct sequence spread spectrum, applies sub bits called chips to a message before transmission; the sequence of how these bits are applied is called the chipping code. uses all of the bandwidth continuously
resource record
dns server contains records that map hostnames to ip addresses
packet switching
does not set up a dedicated virtual link, and packets from one connection can pass through a number of different individual devices instead of all of them following one another through the same devices.
screened host
firewall that communicates directly with a perimeter router and the internal network
What is data encapsulated in layer 2 referred to as?
frame
virtual circuits
frame relay and x.25 forward frames across virtual circuits. a permanent virtual circuit works like a private line for a customer with an agreed upon bandwidth (committed information rate, CIR), and a switched virtual circuit must be built and torn down when no longer needed
fhss
frequency hopping, takes the total bandwidth and splits it into smaller sub channels. makes it much more difficult for eavesdroppers to listen in on and reconstruct data being transmitted, but the hopping sequence is known so it does not provide any extra security. uses only a portion of the bandwidth at one time
Path MTU discovery
how to determine the largest size packet allowed to cross a network. send a packet with the DF (don't fragment) flag set. a router with a smaller MTU will drop the packet and send a "fragmentation needed" ICMP message if the packet is too large. the process repeats until a router passes the packet cleanly
http vs https vs shttp
http & ftp are not secure. SSH and SSL give you the "s": SSH for SFTP & SHTTP, SSL for FTPS & HTTPS. simple.
classless
if an organization does not use traditional subnet masks. cidr must be used
Network
inserts information into the packet's header so it can be properly addressed and routed to a destination. the protocols at this level do not ensure delivery. ex: ip, icmp, rip, ospf, bgp, igmp
application level proxy firewall
inspects the packet up through the application layer and makes access decisions based on the contents. works for one service or protocol, thus one application firewall per service is required.
twisted pair cable
insulated copper wires surrounded by an outer jacket, stp has extra shielding, utp does not. twisting of the wires protects the signals from emi and cross talk. the tighter the twist the more resistance. utp limited to 185 m.
IGP
interior gateway, proprietary to Cisco, uses 5 criteria to make a best route decision, network admin can set weights on these criteria to improve routing
EAP
is also supported by PPP. it provides a framework to enable many types of authentication techniques to be used during PPP connections. extends the authentication possibilities from the norm (PAP and CHAP) to other methods such as one-time passwords, token cards, biometrics, Kerberos, and future mechanisms.
What is data encapsulated in layer 4 referred to as?
segment
stateful firewall
keeps track of what computers say to each other. requires that the firewall maintain a state table. looks to see if the connection is already established, if not the state table holds no information about the packet and it is then compared to the ACLs. works at the network and transport layers
repeater
layer 1 device, receive bit on 1 port and repeats them out the other port - no understanding of protocols, used to extend the length of a network
bridges
layer 2 devices, has two ports and connects network segments together, works with mac addresses
ipsec
layer 3, provides confidentiality, integrity, and authentication; built into IPv6. this is a suite of protocols: the two major ones are ESP (Encapsulating Security Payload, gives confidentiality) and AH (Authentication Header, gives integrity)
bastion host
locked down hardened system in the DMZ (highly exposed) and its existence is known on the internet
distance vector routing protocols
make their routing decisions based on the distance (hops) and vector (direction). The protocol takes these variables and uses them with an algorithm to determine the best route for a packet.
MTU
maximum transmission unit, if a packet exceeds the MTU it will be fragmented. the default MTU is 1500 bytes. If fragmented, the IPID (identification header) field is used to help reassemble the packets
multi-homed
means more than one nic
promiscuous mode
means that a network card is able to look at packets that are not addressed to it. "can access unicast traffic on a network segment"
What is data encapsulated in layer 7 referred to as?
message
dns
method of resolving host names to IP addresses.
broadband
multiple channels and can send multiple signals at a time - allows different types of data to be transmitted simultaneously
mesh topology
provides multiple paths to all the nodes, full means that every node is directly connected to every other node, which provides a great deal of redundancy
TKIP
provides the ability to rotate encryption keys to help fight against these types of attacks. The protocol increases the length of the IV value and ensures each and every frame has a different IV value. Ex: WEP key + IV value + MAC address = new encryption key also deals with the integrity issues by using a MIC instead of an ICV function
digital signals
represent binary digits as electrical pulses (1 or 0)
ephemeral ports
reserved, not well known, 1024-65535
Session
responsible for establishing, maintaining, releasing connection between two applications - known as dialog management. ex: nfs, sql, netbios, rpc
RARP
reverse, used by diskless workstations to determine what IP address is associated with its MAC. Known MAC to unknown IP address.
RIP
routing information protocol, distance vector, uses hop count as its metric. does not have a full view of the network, only sees what it is directly connected to. convergence is slow
vpn
secure, private connection through a public network. private because encryption and tunneling protocols are used to ensure the confidentiality and integrity of the data in transit. uses PPTP, IPsec, and L2TP
packet filtering firewall
security method of controlling what data can flow into and out of a network. takes place by using ACLs. filtering is based on network layer information - based only on the header information. won't keep track of the state of the connection
SIP
session initiation protocol, a signaling protocol widely used for VOIP communications. two components: The UAC is the application that creates the SIP requests for initiating a communication session. The UAS is the SIP server, which is responsible for handling all routing and signaling involved in VoIP calls. provide little or no security by default
circuit switching
sets up a virtual connection that acts like a dedicated link between two systems. When the source system makes a connection with the destination system, they set up a communication channel. (connection oriented - usually for voice oriented data). Traffic moves in a predictable and constant manner with fixed delays.
UDP
simpler and faster than TCP, no handshake so no reliability, a best effort connectionless protocol. has neither packet sequencing nor flow and congestion control. works at layer 4
bus topology
single cable runs the entire length of the network and nodes are attached through drop points. linear means a single cable with nodes attached, tree means has branches from a single cable and can contain many nodes
proxy firewall
stands between trusted and untrusted networks and makes a connection on behalf of the source.
types of nat
static: one to one translation; pool: reserves a number of public IP addresses in a pool, addresses can be assigned from the pool then returned; port address translation: many private to one public translation
sdsl
symmetric: data travels upstream and downstream at the same rate. Bandwidth can range between 192 Kbps and 1.1 Mbps. Used mainly for business applications that require high speeds in both directions.
sdlc
synchronous data link control, a synchronous layer 2 wan protocol that uses polling to transmit data
SONET
synchronous optical networks, make up a majority of WANs along with FDDI. Considered self healing because the rings are fully redundant. uses multiplexing, data travels as electronic voltage and is then converted into light to run over optical carrier (OC) lines. It should be noted that while in the US we use T lines, the rest of the world refers to E lines or SDH - synchronous digital hierarchy
process to statelessly configure a global address
take MAC and embed ffee constant in the middle two bytes, set the universal bit (fc01 = global, fe80 is local), prepend the network prefix and convert to : format, insert :: to convert the repeating zeroes ex: 00.0c.29.ef.11.46 - 00.0c.29.ff.ee.ef.11.36 - fc01.00.0c.29.ff.ee.ef.11.46 - fc01:0000:0000:0000:020c:29ff:eeef:1136 = fc01::20c:29ff:eeef:1136
Encapsulation
takes information from a higher layer and adds a header to it, treating the higher layer information as data.
synchronous communication
takes place when two devices are synchronized, transfers data as a stream of bits
attenuation
the loss of signal as it travels. directly affected by cable length
bandwidth
the number of signals transmitted over a link within a second (can be thought of as the size of the pipe)
MAC address
the unique hardware address of an Ethernet network interface card (NIC). 48 bits long - first 24 OUI (registered at IEEE), second 24 unique identifier of the card. The EUI allows the ui to be 40 bits and works with IPv6
network topology
the way a network is physically connected and shows the layout of resources and systems
subnetting
this is created from the host portion of an IP address to designate a sub network - not physical; logical. a smaller network inside of a larger network
convergence
time it takes for all routers to agree on the state of routing
digital
transfer data in bits: ones and zeroes
TCP
transmission control protocol, layer 4, reliable, uses 3 way handshake
statistical time division multiplexing
transmits several types of data simultaneously across a single transmission cable or line
tls
transport layer security, latest version of ssl, can be used to encrypt many types of data and can be used to tunnel other IP protocols to form a vpn connection.
tunneling protocols
tunnel is a virtual path across a network that delivers packets that are encapsulated and possibly encrypted. The second variation to a tunnel is one that uses encapsulation and encryption.
ipsec tunnel and transport mode
tunnel mode: provides confidentiality (ESP) and/or AH to the entire original packet, including the original IP headers. transport mode: protects the IP data (layers 4-7) only, leaving the original IP headers unprotected. both modes add extra IPSec headers
asynchronous communication
two devices are not synchronized in any way. transfers data using stop and start bits
dual homed
two nics, one facing the external network and the other facing the internal network, many devices are actually multihomed. can create different dmzs to allow for different types of traffic and to ensure that if one dmz is compromised the other systems in the rest of the dmzs are not
dnssec
upon receiving a response, validates the digital signature on the message before accepting the information, to make sure that the response is from an authorized dns server
IPv6
uses 128 bit addresses, uses colons instead of periods to delineate sections (zeroes may be condensed by two colons), loopback address is ::1, has ipsec integrated into the protocol stack, allows for QoS
traceroute
uses ICMP time exceed messages to trace a network route by adjusting the TTL counter. Trace route, records hops, hits first one, then comes back.
ATM
uses cell switching method, a connection oriented switching technology that creates and uses a fixed channel. ATM technology is used by carriers and service providers and makes up part of the core technology of the Internet, but ATM technology can also be used for a company's private use in backbones and connections to the service provider's networks. Because the fee is based on bandwidth used instead of a continual connection, it can be much cheaper.
multicast
uses class d addresses. one to many.
Key IPv4 Headers
version, IHL, type of service, identification/flags/offset, time to live, protocol, source and destination IP address, options
when is a lan no longer just lan
when it is connected to a router - resulting in an internetwork not a larger lan
classful
when traditional subnet masks are used
frequency division multiplexing
wireless spectrum in which each frequency within the spectrum is used as a channel to move data
multi-layered switches
work at layers 3 and 4 in addition to 2. offer more functionality, traffic prioritization, and QoS. use asic (application specific integrated circuit) for processing. use tags for assigning destination address, mpls
router
work at the network layer (3)
initialization vectors
An IV is a numeric seeding value that is used with the symmetric key and RC4 algorithm to provide more randomness to the encryption process. Randomness is extremely important in encryption because any patterns can give the bad guys insight into how the process works, which may allow them to uncover the encryption key that was used. The key and IV value are inserted into the RC4 algorithm to generate a key stream
types of servers used in SIP
. The proxy server is used to relay packets within a network between the UACs and the UAS. . Proxy servers are also generally used for name mapping, which allows the proxy server to interlink an external SIP system to an internal SIP client. . The registrar server keeps a centralized record of the updated locations of all the users on the network. . The redirect server allows SIP devices to retain their SIP identities despite changes in their geographic or physical location.
ICMP attacks
Ping of death, Smurf, timestamp query, netmask query & redirects.
Wireless Tech Transmission Schemes
. Orthogonal frequency division multiplexing (OFDM)—Splits the signal into smaller subsignals that use a frequency division multiplexing technique to send different pieces of the data to the receiver on different frequencies simultaneously. . Direct-sequence spread spectrum (DSSS)—A spread-spectrum technology that uses a spreading code to simultaneously transmit the signal on a small (22MHz wide) range of radio frequencies. The wider the spreading code, the more resistant the signal is to interference, but with the cost of a smaller data rate. . Frequency-hopping spread spectrum (FHSS)—Works by taking a broad slice of the bandwidth spectrum, which is divided into smaller subchannels of about 1MHz. The transmitter then hops between subchannels. Each subchannel is used to send out short bursts of data for a short period. This period is the dwell time. For devices to communicate, each must know the proper dwell time and be synchronized to the proper hopping pattern.
Switch Advantages
. Provides higher throughput than a hub . Provides VLAN capability . Can be configured for full duplex . Can be configured to span a port to support IDS/IPS (intrusion detection system/intrusion prevention system), network feed, or for monitoring Originally, switches were Layer 2 devices; today, switches can be found at OSI Layer 3 and work up to OSI Layer 7. Higher-layer switches are known as content switches, content-services switches, or application switches.
Wireless LAN Components
. Service Set IDs (SSID)—Distinguishes one wireless network from another. . Wireless access points—A wireless access point is a centralized wireless device that controls the traffic in the wireless medium and can be used to connect wireless devices to a wired network. . Wireless networking cards—Used to connect devices to the wireless network. . Encryption—802.11 encryption
Communication Standards
. Simplex—Communication occurs in one direction. . Half duplex—Communication can occur in both directions, but only one system can send information at a time. . Full duplex—Communication occurs both directions and both computers can send information at the same moment in time.
Routing Protocol categories
. Static routing - Depends on static tables, small networks . Dynamic routing - Uses Metrics, RIP, BGP, IGRP, and OSPF. Distance vector- Bellman-Ford algorithm, routing by rumor, RIP Link-state protocols-Dijkstra algorithms, metrics such as delay or bandwidth, OSPF . Default routes - designated route becomes the default path
Switch forwarding types
. Store-and-forward—After the frame is completely input into the switch, the destination MAC is analyzed to make a block or forward decision. . Cut-through—This faster design is similar to the store-and-forward switch, but it examines only the first six bytes before forwarding the packet to its rightful owner. . Fragment Free—This is a Cisco Systems design that has a lower error rate.
WAN Technologies
. Switched Multimegabit Data Service (SMDS)—A high-speed, packet-switched service used for MANs and WANs. . Synchronous Data Link Control (SDLC)—Developed by IBM in the 1970s and used to develop HDLC. SDLC is a Layer 2 communication protocol designed for use with mainframes. . High-Level Data Link Control (HDLC)—Uses a frame format to transmit data between network nodes. It supports full duplex communication and is used in SNA (Systems Network Architecture) network architecture. . High-Speed Serial Interface—A connection standard used to connect routers and switches to high speed networks.
Proxy Process
1. Accept packets from the external network 2. Copy the packets 3. Inspect them for irregularities 4. Change the addresses to the correct internal device 5. Put them back on the wire to the destination device
Switches
A switch performs in much the same way as a hub; however, switches are considered intelligent devices. Switches segment traffic by observing the source and destination MAC address of each data frame. In the classical sense, switches are OSI Layer 2 devices. Modern switches can operate at higher layers. A sample technology that bridges Layer 2 and Layer 3 is known as Multiprotocol Label Switching (MPLS). MPLS is an OSI Layer 2.5 protocol. MPLS works with high-speed switches. Commercial switches also offer virtual LAN (VLAN) capabilities. The frame is forwarded to only the switch port of the device with the MAC address found in the CAM (Content Address Memory).
Cellphone technologies
AMPS - 1G; TACS - 1G; GSM (Global System for Mobile) - 2G; CDMA (code division multiple access) - 2G; GPRS - 2.5G; EDGE - 3G; WWRF - 4G
Where's ARP?
ARP can be discussed at either the TCP/IP Network or Internet layer. The ARP table and NICs are at TCP/IP Layer 1 whereas logical addresses are at Layer 2. The ARP process takes a Layer 2 logical address & resolves it to an unknown Layer 1 physical address
ARP
ARP's purpose is to resolve addressing between the network access layer and Internet layer of the TCP/IP model. ARP is a two-step resolution process performed by first sending a broadcast message requesting a target's physical address. If the device with the requested logical address hears the request, it issues a unicast ARP reply containing its MAC address to the original sender. The MAC address is then placed in the requester's ARP cache and used to address subsequent frames. Reverse ARP (RARP) is used to resolve known physical addresses to unknown IP addresses.
Bridges
Bridges are semi-intelligent pieces of equipment that have the capability to separate collision domains. Bridges examine frames and look up the corresponding MAC address. If the device tied to that MAC address is determined to be local, the bridge blocks the traffic. One big problem with bridges is that, by default, they pass broadcast traffic. Almost the only bridges seen today are the wireless bridges used in 802.11x networks.
BROUTERS
Brouter routes by default (Layer 3) but can fall back to Layer 2 functionality. Brouters were designed to connect network segments that use the same protocol.
Topologies
Bus, Star, Ring. Ring: no endpoints or terminators, a continuous loop of cable. Token Ring, Copper Distributed Data Interface (CDDI) and FDDI networks use a ring topology. Some ring technologies use Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). CSMA/CA is a deterministic protocol whereas CSMA/CD is contention based.
DMZ - Bastion, Screened Hosts, Dual homed
A DMZ has bastion hosts. On a bastion host all unnecessary services & applications are removed; it is hardened against attack. To add security in the DMZ, a screened host is sometimes used. Packet filter - between trusted and untrusted network. Dual homed - bastion host with 2 interfaces, IP forwarding disabled; packet filtering can be added for more safety. Screened host - adds a router and screened host
DSL
IDSL (Internet): 160 kbps duplex, 18,000 ft., 24 AWG; HDSL (High data rate): 1.544 Mbps / 2.048 Mbps duplex, 12,000 ft., 24 AWG; SDSL (Symmetric): 1.544 Mbps / 2.048 Mbps duplex, 10,000 ft., 24 AWG; ADSL (Asymmetrical): 1.5-9 Mbps down, 16-640 kbps up, 9,000-18,000 ft., 24 AWG; VDSL (Very high): 13-52 Mbps down, 1.5-2.3 Mbps up, 1,000-4,500 ft., 24 AWG
Internet Group Management Protocol
IGMP is a Layer 2 protocol that is responsible for managing IP multicast groups. IP multicasts can send messages or packets to a specified group of hosts or routers. This is different from a broadcast, which all users in a network receive. IGMP transmissions are sent to a group of systems.
Internet Protocol (IP)
IP is a routable protocol whose job is to make the best effort at delivery. The IPv4 header is normally 20 bytes long, but can be as long as 60 bytes with options added. MAC addresses- physical address, an IP address- logical address. Covered in Request for Comments (RFC) 791 If the existing datagram is too large, IP performs fragmentation (Length, offset, more)
IPSec
IPSec Security for IP packets. Without IPSec, someone could capture, read, or change the contents of data packets and then send them back to the unsuspecting target. Current version of IP, IPv4, supports IPSec as an add-on; IPv6 has IPSec built in. IPSec offers its users several levels of cryptographic security: . Authentication header (AH)—Integrity, No privacy. . Encapsulating security payload (ESP)—Integrity, Privacy . Internet key exchange (IKE)—Secret key exchange OSI Layer 3 Transport mode - Protects only payload Tunnel mode - Protects payload and header, acts as a gateway
Routers
Routers reside at Layer 3 of the OSI model. Routers are usually associated with the IP protocol, which sends blocks of data that have been formatted into packets. IP is considered a "best effort" delivery protocol, and IP packets are examined and processed by routers. Routers can connect networks that have the same or different medium types. A router's primary purpose is to forward IP packets toward their destination through a process known as routing. Whereas bridges and switches examine the physical frame, routers focus on the information found in the IP header. Router functions also include limiting physical broadcasts, access control list (ACL) filtering, and segmenting devices into smaller subnets.
Wi-Fi Protected Access (WPA)
WEP's immediate successor was a stop-gap measure that was popularized as Wi-Fi Protected Access (WPA). WPA certification meant that a piece of hardware was compliant with a snapshot of the 802.11i amendment. Temporal Key Integrity Protocol (TKIP) for encryption scrambles the user key with network state information using a mixing algorithm, and adds an integrity-checking feature much stronger than WEP had to verify that frames haven't been tampered with. WPA certification tested equipment for the implementation of TKIP. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES solution, is a complete replacement for the outdated RC4 mechanism used in WEP and TKIP. CCMP is also tested for and certified by the Wi-Fi Alliance, and is recognized as WPA2.
War driving & War Chalking
War driving is the practice of driving around, finding, mapping, and possibly connecting to open wireless networks. Tools such as NetStumbler, Kismet, and AirSnort are typical tools that might be used to aid the war driver. War chalking is the practice of marking the location and status of wireless networks. The practice can be traced to symbols used by hobos during the depression to mark the location of food and work.
Transport Layer
Whereas the network layer routes information to its destination, the transport layer ensures completeness by handling end-to-end error recovery and flow control, and establishes a logical connection between two devices. Transport layer protocols include the following: TCP, a connection-oriented protocol, handshaking, acknowledgments, error detection, & session tear down. UDP, a connectionless protocol that offers speed, low overhead. Applications must provide their own forms of error recovery.
Wireless Topologies
Wireless networks can function in either ad-hoc mode or infrastructure. Ad-hoc mode, or peer to peer, doesn't need any equipment except wireless network adaptors. Ad-hoc mode allows a point-to-point type of communication that works well for temporary exchange of information. Infrastructure mode centers around a wireless access point (AP). A wireless AP is a centralized wireless device that controls the traffic in the wireless medium. Wireless devices use CSMA/CA so that they can communicate efficiently. The wireless station listens before it sends a packet; if it detects that someone is transmitting, it waits for a random period and tries again
Circuit Switching
analog or digital configurations, Multiplexing (combine multiple channels of data over a single set of wires or transmission path), POTS, ISDN, T-carriers, DSL
Network Types
(W)PAN CAN LAN MAN WAN SAN
Presentation Layer Protocol & Standards
. American Standard Code for Information Interchange (ASCII) . Extended Binary-Coded Decimal Interchange Code (EBCDIC) . Joint Photographic Experts Group (JPEG) . Musical Instrument Digital Interface (MIDI) . Tagged Image File Format (TIFF)
Proxy Types
. Application-level proxy . Circuit-level proxy (SQUID) similar to packet filtering . SOCKS (client and server solution) FTP, HTTP, SMTP (tunnel)
Data Link Components
. Bridges . Switches . NICs (network interface cards) . MAC (Media Access Control) addresses
Bluetooth Classification
. Class 1—This classification has the longest range (up to 100m) and has 100mW of power. . Class 2—Although this classification is not the most popular, it allows transmission of up to 20m and has 2.5mW of power. . Class 3—This is the most widely implemented classification. It supports a transmission distance of 10m and has 1mW of power. Bluejacking is the unsolicited delivery of data to a Bluetooth user. Bluesnarfing is the actual theft of data or information from a user.
Physical
. Copper cabling . Fiber cabling . Wireless system components . Wall jacks and connectors . Ethernet hubs and repeaters
Application Layer Protocol
. File Transfer Protocol (FTP) . Line Print Daemon (LPD) . Telnet . Simple Mail Transfer Protocol (SMTP) . Trivial File Transfer Protocol (TFTP) . Hypertext Transfer Protocol (HTTP) . Post Office Protocol version 3 (POP3) . Internet Message Access Protocol (IMAP) . Simple Network Management Protocol (SNMP) . Electronic Data Interchange (EDI)
Physical standards
. High-Speed Serial Interface (HSSI) . V.24 and V.35 . EIA/TIA-232 and EIA/TIA-449 (where EIA/TIA stands for Electronic Industries Alliance/Telecommunications Industry Association) . X.21
LAN Protocols Ethernet II, Token Ring
. IEEE 802.3 . IEEE 802.3 with Logical Link Control (LLC) . IEEE 802.3 with Subnetwork Access Protocol (SNAP) Not including the preamble, an Ethernet (CSMA/CD) frame ranges from 64 to 1,518 bytes. An Ethernet frame uses 18 bytes for control information; data in an Ethernet frame can be between 46 and 1,500 bytes long. The second most popular LAN wired networking protocol is token ring, which functions by arranging all the systems in a circle. A special packet, known as a token, travels around the circle.
Network Protocol
. Internet Protocol . Internetwork Packet Exchange (IPX) . Internet Control Message Protocol (ICMP) . Open Shortest Path First (OSPF) . Border Gateway Protocol (BGP) . Internet Group Management Protocol (IGMP)
Data Link Protocols
. Layer 2 Forwarding (L2F) . Layer 2 Tunneling Protocol (L2TP) . Fiber Distributed Data Interface (FDDI) . Integrated Services Digital Network (ISDN) . Serial Line Internet Protocol (SLIP) . Point-to-Point Protocol (PPP)
VoIP Threats
. Open network—After the VoIP packets leave the organization's network, the network is not in charge of where they are routed or who might have access to them. . DoS attacks—Because VoIP uses UDP for portions of the communication process, it is extremely susceptible to disruption or denial of service. VoIP uses an isochronous process in which data must be delivered within strict timelines. . Eavesdropping—Because VoIP relies on UDP and Session Initiation Protocol (SIP), it is an open service and communications can potentially be sniffed and replayed. Other protocols used by various vendors of VoIP products include IAX, IAX2, SCCP, and UNISTIM. . Unauthorized phone use—Services such as Skype, GoogleTalk, and so on open the corporate network to exposure to attack.
Session Layer
. Remote Procedure Call (RPC) . Structured Query Language (SQL) . Secure Sockets Layer (SSL) . Network File System (NFS)
Wireless Encryption Process
1. The transmitting and receiving stations are initialized with the secret key. The key must be distributed using an out-of-band mechanism. 2. The transmitting station produces a seed, which is obtained by appending the 40-bit secret key to the 24-bit IV, for input into a Pseudo Random Number Generator (PRNG). 3. The transmitting station uses the secret key and a 24-bit IV as input into the WEP PRNG to generate a key stream of random bits. 4. The key stream is XORed with plain text to obtain the cipher text. 5. The transmitting station appends the cipher text to a copy of the IV for the receiver to use, sets a bit in the header to indicate that the packet is WEP-encrypted, and the WEP frame is transmitted. Because WEP encrypts at OSI Layer 2, the Layer 2 header and trailer are sent in clear text. 6. The receiving station checks to see whether the encrypted bit of the frame it received is set. If so, the receiving station extracts the IV from the frame and inputs it and the secret key into its WEP PRNG. 7. The receiver generates the same key stream used by the transmitting station, and XORs it with the cipher text to obtain the sent plain text.
Cables
10BASE-5: 50 ohm thick coaxial (Thicknet), 500m, bus; 10BASE-2: 50 ohm RG-58 A/U (Thinnet), 185m, bus; 10BASE-T: Cat3 UTP (or better), 100m, star; 10BASE-FL: multimode fiber optic, 2,000m, star; 100BASE-TX: Cat5 UTP, 100m, star; 10,000BASE-TX: Cat6 UTP, 100m, star; 100BASE-T4: Cat3 UTP (or better), 100m, star; 100BASE-FX (multiple-fiber connections): multimode fiber optic, 136 meters, star; 100BASE-FX (one-fiber connection): multimode fiber optic, 160 meters, star
Well known ports
21 FTP (TCP); 22 SSH (TCP); 23 Telnet (TCP); 25 SMTP (TCP); 53 DNS (TCP/UDP); 67/68 DHCP (UDP); 69 TFTP (UDP); 79 Finger (TCP); 80 HTTP (TCP); 88 Kerberos (UDP); 110 POP3 (TCP); 111 SUNRPC (TCP/UDP); 143 IMAP (TCP); 161 SNMP (UDP); 162 SNMP Trap (UDP); 389 LDAP (TCP); 443 SSL/TLS (TCP)
WLAN Standards
802.11a: 5 GHz, 54 Mbps, OFDM, 60 feet; 802.11b: 2.4 GHz, 11 Mbps, DSSS, 300 feet; 802.11g: 2.4 GHz, 54 Mbps, OFDM/DSSS; 802.11i: replacement for Wired Equivalent Privacy (WEP), encryption & authentication; 802.11n: 2.4 GHz, 200 Mbps (same vendor); 802.16 WiMAX: delivers last mile connectivity, 75 Mbps. Bluetooth and RFID (radio frequency identification) are defined by 802.15, written for wireless PANs (WPANs).
Gateways
A gateway connects networks that use dissimilar protocols by converting one software protocol into another. Gateways can be referred to as protocol translators. A gateway can be software based or a standalone hardware device. An example of a gateway is an IP-to-IPX gateway. Gateways function at OSI Layer 7.
LANs and Their Components
A local area network is a critical component of a modern data network. A LAN comprises two or more computers, a communication protocol, a network topology, and cabling or wireless connectivity.
OSI Summary
Application (application proxy): FTP, DNS, HTTP, SNMP, RIP; Presentation: ASCII, TIFF, JPEG, GIF, MIDI, MPEG; Session: NetBIOS, NFS, SQL, RPC, SMB; Transport (circuit level proxy): TCP, UDP, SPX, SSL, TLS; Network (router): IP, ICMP, IGMP, OSPF, IPX; Data link (switch, bridge): SLIP, PPP, L2F, L2TP, FDDI, ARP, RARP; Physical (hub): EIA/TIA-232, HSSI, X.21, X.34
Loose source routing and strict source routing
Are other options that IP supports. These options allow a pseudo-routing path to be specified between the source and the target. Although potentially useful in certain situations, attackers can use this functionality to set up a man-in-the-middle attack.
ARP Attacks
Attackers can manipulate ARP because it is a trusting protocol. Two attacks include ARP poisoning and ARP flooding. A host accepts bogus ARP responses as valid because it is unauthenticated. Such attacks can be used to intercept traffic bound for the gateway or can be used to facilitate an attack against a targeted host. This allows attackers to redirect traffic on a switched network. ARP attacks play a role in a variety of man-in-the middle attacks, spoofing & session hijacking attacks.
TCP
Connection and exchange data reliably. Nominal 20-byte packet size, support flow control, reliable communication, and missing data is re-sent. At the heart of TCP is a 1-byte flag field. DNS uses TCP for zone transfers.
Wireless Encryption
Encryption—802.11 encryption was originally provided by the aging WEP protocol, which was intended to provide the same level of privacy as a user might have on a wired network. WEP used RC4 symmetric encryption, but was a flawed implementation. The amendment offering a secure replacement for WEP is 802.11i, which has become popularized by the Wi-Fi Alliance as Wi-Fi Protected Access (WPA, still using RC4) and WPA2 (uses AES).
Application ports
FTP 20, 21 (TCP); Telnet 23; SMTP 25; DNS 53 (TCP/UDP); BootP 67, 68 (UDP), downloads operating parameters to thin clients; TFTP 69 (UDP); HTTP 80 (TCP, stateless); IMAP (alt. POP3) 143; SNMP v3 161, 162; SSL 443; LPD 515 (TCP); RIP 520 (UDP); PGP v5 11371
Integrated Services Digital Network
ISDN is a communication protocol that operates similarly to POTS, except that all-digital signaling is used. Separate frequencies called B channels are used for voice, data, video, and fax services, and a D channel is used for signaling by the service provider and user equipment. Keeping the D data separate makes it harder for attackers to manipulate the service. D-16Kbps; B-64Kbps. By binding the B channels together, higher speeds can be achieved. ISDN is available in two levels: Basic Rate Interface (BRI) 128Kbps (2B and 1D); Primary Rate Interface (PRI) 1.544Mbps (23B and 1D)
Routing Protocol Types
Interior routing protocols: RIP, OSPF, and IS-IS are 3 examples of interior routing protocols. Interior routing protocols are those used within an organization. Exterior gateway: Used by routers connecting different autonomous systems (ASs). BGP is the core routing protocol used by the Internet. It is based on TCP and is used to connect autonomous systems. An early exterior routing protocol was Exterior Gateway Protocol (EGP). This term is sometimes used synonymously to describe all exterior routing protocols.
OSPF
OSPF is an improved link-state routing protocol that offers authentication. OSPF is an implementation of a Link-state based routing protocol developed in the mid-1980s to overcome the problems associated with RIP. OSPF has several built-in advantages over RIP that include the use of IP multicasts to send out router updates, no limitation on hop count (as with RIP), better support for load balancing, and fast convergence.
NAT
Network Address Translation (NAT) was originally developed because of the explosive growth of the Internet and the increase in home and business networks; the number of available public IP addresses is insufficient to support everyone. NAT allows a single device, such as a router, to act as an agent between the Internet and the local network. When private addressing is used, NAT is a requirement. TYPES - (Static, Dynamic, Port address translation)
Cellphone Vulnerabilities
One vulnerability is the practice of cloning. Cell phones have an electronic serial number (ESN) and a mobile identification number (MIN). Attackers can use specialized equipment to capture and decode these numbers from your phone and install them in another. Tumbling is another technique used to attack cell phones. Specially modified phones tumble and shift to a different pair of ESN/MIN numbers after each call. This technique makes the attacker's phone appear to be a legitimate roaming cell phone. First-generation cell phones were vulnerable to this attack.
PAP, CHAP, EAP
PAP: cleartext. CHAP: 4-way, V2, subject to dictionary attack, no replay, re-authentication. EAP: digital certificate, token card, MD5; used by 802.11i, WPA, WPA2; authentication through RADIUS or TACACS+; a pair-wise master key (PMK) is developed between the supplicant and the AS. EAP can be implemented in many different ways, including EAP-MD5, EAP-TLS, EAP-SIM, LEAP, PEAP-MSCHAP, and PEAP-GTC. Although EAP-MD5 is not appropriate for use by itself (a simple hash), and LEAP is dictionary-crackable, the other EAP types are robust.
Chat protection & Email
Pidgin encryption plug-ins and SSL-based chat should be used. Email protection mechanisms include PGP, Secure Multipurpose Internet Mail Extensions (S/MIME), and Privacy Enhanced Mail (PEM).
DoS (availability)
Ping of Death: oversized packets (fragmentation), buffer overflow. Smurf: spoofed ping packet with the victim's address as source, floods ping requests. Teardrop: malformed packets with the offset value tweaked; overlapping fragments lock up the system. Land: same source and destination port. SYN Flood: large number of fake packets. Naptha: SYN flood designed to flood a targeted TCP stack for resource exhaustion.
Plenum grade cables
Plenum-grade cable is coated with a fire-retardant coating and is designed to be used in plenum spaces, such as crawlspaces, false ceilings, and below raised floors in a building. This special coating is made of fluoropolymers instead of the polyethylene vinyl chloride used in nonplenum cables. It is designed not to give off toxic gases or smoke as it burns, to help ensure the safety of occupants in case of a fire.
Point-to-Point Protocol (PPP)
Point-to-Point Protocol (PPP) is the most commonly used protocol for dialup connections. It can run on a line of any speed, from POTS to T1. Developed in 1994 by the IETF, PPP is a replacement for Serial Line IP (SLIP). SLIP was capable of carrying only IP and had no error detection, whereas PPP supports many types of authentication, including PAP, CHAP, and EAP.
Layer 6
Presentation
TCP/IP Model
Process/Application - Application, Presentation, Session; Host-to-Host - Transport; Internet - Network; Network Access - Data Link, Physical
QoS
Quality of service (QoS) can be defined as the capability of the network to provide dedicated bandwidth and to control jitter and latency.
RADIUS
RADIUS was designed to support dialup users and originally used a modem pool to connect to the organization's network. Because of the features RADIUS offers, it is now used for more than just dialup users. (Enterasys) The RADIUS server contains the usernames and passwords of supplicants. Supplicant refers to the client that wants to gain access; the RADIUS client (NAS) forwards the request to the RADIUS server. Shared secret, UDP-based authentication; Authentication, Authorization, Accounting.
RIP
RIP is probably the most common distance-vector protocol currently in use. It is a legacy UDP-based routing protocol that does not use authentication and determines the path by hop count. RIP has a 15-hop maximum and broadcasts routing updates to all devices. Later versions of RIP provide authentication in clear text. Although RIP works in small networks, it does not operate successfully in large network environments. Distance-vector protocols such as RIP can be spoofed and are subject to redirection. It is also easy for attackers to sniff RIP updates. RIP routers update each other by sending out complete routing tables every 30 seconds.
Host-to-Host (Transport) Layer
Reliable and efficient communication between endpoints. The endpoints referred to are programs or services. This exchange may be peer-to-peer, such as an instant messaging application, or it might be a client/server interaction, such as a web browser sending a request to a web server. Protocols: TCP and UDP. Provides the capability for error checking and retransmission.
Destruction, Alteration, or Theft
Rootkits: traditionally, rootkits replaced system software with trojaned versions (detected through Tripwire, md5sum). A kernel module (KLM) rootkit corrupts the kernel; powerful; avoids detection. Database attacks: SQL injection. Data diddling, identity theft, privilege escalation, salami attack, software piracy, session hijacking, spamming, password cracking (e.g. a rainbow table comprises precomputed hashed passwords and is known as a time-memory tradeoff technique; 1 to 14 alphanumeric characters).
Screened host
Screened host: adds a router and a screened host. The router is typically configured to see only one host computer on the intranet network. Users on the intranet have to connect to the Internet through this host computer, and external users cannot directly access other computers on the intranet. In this configuration, only one network interface card is needed for the application gateway or the screening host. The screened subnet, by contrast, sets up a DMZ.
Disclosure Attacks
Sniffing. ARP poisoning (switches): redirects traffic for sniffing (Ettercap & Hunt). DNS spoofing. Pharming attack: similar to DNS poisoning, redirects an Internet request to a different address. Phishing attack. War dialing. War driving.
TCP Process
Startup: 3 steps, SYN, SYN/ACK, ACK. Shutdown: 4 steps, FIN/ACK, ACK | FIN/ACK, ACK.
T-Carriers
T1 uses time-division multiplexing and consists of 24 digital signal 0 (DS0) channels. Each DS0 channel is capable of transmitting 64Kbps of data; therefore, a T1 can provide a composite rate of 1.544Mbps. T3s are the next available choice. A T3 is made up of 672 DS0s and has a composite data rate of 45Mbps.
TACACS
TACACS is an access-control protocol used to authenticate a user logging onto a network. TACACS: UDP, AAA, Cisco original. When TACACS receives an authentication request, it forwards the received username and password to a central database, which verifies the information and returns the result to TACACS to allow or deny access. TACACS+ separates authentication and authorization, is TCP based, and supports extended two-factor authentication.
Internet Layer
The Internet layer maps to OSI Layer 3. Two primary protocol types are found at this layer: routed and routing. IP and IPX are two examples of routed protocols; OSPF and IGRP are routing protocols. The Internet layer contains ICMP, the interface to ARP, and IGMP. ICMP is usually noted for its support of ping, but it is also used for IP support, error reporting, and diagnostics; ICMP can handle problems such as delivering error messages. IGMP is used for multicast messages. ARP is used to resolve known IP addresses to MAC addresses.
Presentation Layer
The presentation layer is skilled in translation because its duties include encrypting data, changing or converting the character set, and handling format conversion. Modern systems can implement encryption at other layers such as data link, network, or even the application layer.
Presentation
receives application layer protocol information and puts it into a universal standard that all computers following osi can understand. - no protocols, just services. also handles data compression and encryption issues ex: ascii, ebcdic, tiff, jpeg, midi, mpeg
DOCSIS
There is a lingering concern about the loss of confidentiality. Individuals have worried about the possibility of sniffing attacks. Most cable companies have addressed this issue by implementing the Data Over Cable Service Interface Specification (DOCSIS) standard. The DOCSIS standard specifies encryption and other security mechanisms that prevent sniffing and protect privacy. DOCSIS is currently at V3.
VPN
Three protocols are used to provide a tunneling mechanism in support of VPNs: PPTP, L2TP, and IPSec. When an appropriate protocol is defined, the VPN traffic is encrypted. Microsoft supplies Microsoft Point-to-Point Encryption (MPPE) with PPTP, native to the operating system. L2TP offers no encryption and is usually used with IPSec in ESP mode. IPSec can provide both tunneling and encryption. VPNs use digital certificates as the primary means of authentication (X.509 v3). Two types of tunnels can be implemented: LAN-to-LAN tunnels, where users can tunnel transparently to each other on separate LANs, and client-to-LAN tunnels, where mobile users can connect to the corporate LAN.
Network Access Layer
This portion of the TCP/IP network model is responsible for the physical delivery of IP packets via frames. Ethernet is the most commonly used LAN frame type. Ethernet uses Carrier Sense Multiple Access Collision Detection (CSMA/CD). Ethernet frames are addressed with MAC addresses that identify the source and destination devices. Vendors repeat addresses as they cycle through series. Vendors also provide features in the NIC driver to change the MAC address to a unique locally administered address. Third-party programs are available that allow attackers to spoof MAC addresses.
UDP
UDP does not perform any handshaking processes. So, although this makes it considerably less reliable than TCP, it does offer the benefit of speed. The UDP header is only 8 bytes in length; there are four 2-byte fields in the header. DNS uses UDP for DNS queries.
TCP Flags
URG (Urgent): urgent data. ACK (Acknowledgement): acknowledge data. PSH (Push): push buffered data. RST (Reset): reset TCP connection. SYN (Synchronize): start session. FIN (Finish): close session.
WEP
WEP is based on the RC4 algorithm and uses either a 64-bit (IEEE standard) or a 128-bit (commercial enhancement) key. The effective key has fewer bits because a 24-bit initialization vector (IV) is used to provide randomness; the "real key" is actually 40 or 104 bits long. WEP is known as static WEP because everyone has the same key. Two of the first weaknesses realized about WEP were that this static encryption key was the same key being used for shared key authentication (SKA), and that the authentication used a challenge-handshake mechanism that was dictionary-crackable.
Fiber-optic cable
Whereas twisted pair cable and coax cable rely on copper wire for data transmissions, fiber uses glass. These strands of glass carry light waves encoded to signal the data being transmitted. Basically, two types of fiber cables are in use, constructed differently to handle different types of light: multimode fiber, used in LANs and powered by LEDs; and single-mode fiber, used in WANs and powered by laser light.
Wireless Application Protocol (WAP)
WAP is an open standard to help cell phone users get the same types of content available to desktop and laptop users. A WAP-enabled device customizes the content of a website to work with the small screen size of a mobile phone. A key component of this technology is wireless markup language (WML). Security issues in WAPv1 have been fixed by WAPv2. WAPv1 used an encryption protocol called WTLS, which was a rewrite of transport layer security (TLS). When a client's signal reached the ISP's gateway, the WTLS packet had to be decrypted from WTLS to re-encapsulate it as a TLS signal and then send it onto the Internet. This was a vulnerable moment, where data was fully decrypted, and became known as the GAP in WAP. WAP2 has been rewritten to use an abbreviated form of TLS instead of WTLS, and the packet no longer needs to be decrypted.
Application
closest to the user, protocols that support the applications. when an application needs to send data over the network, it passes instructions and data to the protocols that support this layer. ex: smtp, http, lpd, ftp, tftp, the tcpip model combines this layer and presentation and session