Domain 4: Network Components
repeaters
The simplest type of connectivity because it only repeats electrical signals between cable segments, which enables it to extend a network Work at the physical layer and are add-on devices for extending a network connection over a greater distance. Amplifies signals because signals attenuate the farther they have to travel
Filters make access decisions based upon the following basic criteria
source and destination IP addresses source and destination port numbers protocol types inbound and outbound traffic direction
Issues with firewalls
Most of the time a distributed approach needs to be used to control all network access points, which cannot happen through the use of just one firewall Firewalls can present a potential bottleneck to the flow of traffic and a single point of failure threat Some firewalls do not provide protection from malware and can be fooled by the more sophisticated attack types Firewalls do not protect against sniffers or rogue wireless access points and provide little protection against insider attacks
Do switches have collision or contention issues?
No. Switches reduce and remove the sharing of the network medium and the problems that come with it. A switch is a multiport bridging drive and each port provides dedicated bandwidth to the device attached to it. A port is bridged to another port so the two devices have an end-to-end private link. Also employs a full-duplex communication, so one wire pair is used for sending and another pair is used for receiving - this ensures the two connected devices do not compete for the same bandwidth
appliances
dedicated hardware devices that have stripped-down operating systems that are limited and focused in software capabilities
important characteristics of a stateful-inspection firewall
maintains a state table that tracks each and every communication session provides a high degree of security and does not introduce the performance hit that application proxy firewalls introduce is scalable and transparent to users provides data for tracking connectionless protocols such as UDP and ICMP stores and updates the state and context of the data within the packets
Disadvantages of application-level proxy firewalls
not well suited to high-bandwidth or real-time applications limited in terms of support for new network applications and protocols they create performance issues because of the necessary per-packet processing requirements
Open SDN
relies on open-source code and standards to develop the building blocks of an SDN solution The controller communicates with the switches using OpenFlow (open-source communications interface between controllers and network devices in an SDN architecture) Applications communicate with the controller using RESTful or Java APIs
routers vs bridges
routers work at the network layer and fitler packets based on IP addresses - do not pass broadcast information bridges work at the data link layer and filter frames based on MAC addresses - do pass broadcast information
Pros of Packet Filtering
scalable not application dependent high performance due to low processing on the packets
Functions of a bridge
segments large network into smaller more controllable pieces uses filtering based on MAC addresses Joins different types of network links while retaining the same broadcast domain Isolates collision domains within the same broadcast domain Bridging functionality can take place locally within a LAN or remotely to connect two distant LANs Can translate between protocol types
Multihomed Firewall
several NICs are used to connect several different networks
Issues with UTM products
single point of failure single point of compromise performance issues - choke point
Different DMZs are used for two reasons
to control the different traffic types to ensure that if one system on one DMZ is compromised, the other systems in the rest of the DMZs are not accessible to this attacker
Software Defined Networking (SDN)
using a central control program separate from network devices to manage the flow of data on a network
forwarding plane
where traffic forwarding decisions are made. Where your router decides that a packet receive on network interface eth0 needs to be forwarded to network interface eth3 implemented in hardware
What happens inside a router when it receives a packet?
1. A packet is received on one of the interfaces of a router. The router views the routing data 2. The router retrieves the destination IP network address from the packet 3. The router looks at its routing table to see which port matches the requested destination IP network address 4. If the router does not have information in its table about the destination address, it sends out an ICMP error message to the sending computer indicating that the message could not reach its destination 5. If the router does have a route in its routing table for this destination, it decrements the TTL value and sees whether the MTU is different for the destination network. If the destination network requires a smaller MTU, the router fragments the datagram 6. The router changes header information in the packet so the packet can go to the next correct router, or if the destination computer is on a connecting network, the changes made enable the packet to go directly to the destination computer 7. The router sends the packet to its output queue for the necessary interface
Ensuring security of virtualize networks and devices
1. Stay on top of security patches 2. Beware of third-party add-ons. Ensure these are well tested and acquired from reputable vendors 3. Ensure that whoever provisions and maintains your virtualized infrastructure is competent and diligent.
hubs
a multiport repeater - also called a concentrator because it is the physical communication device that allows several computers and devices to communicate with each other
intranet
"private" network a network designed for the exclusive use of computer users within an organization that cannot be accessed by users outside the organization
Multiprotocol Label Switching (MPLS)
A WAN technology popular among service providers. MPLS performs labels switching to forward traffic within an MPLS cloud by inserting a 32-bit header (which contains a 20-bit label) between a frame's Layer 2 and Layer 3 headers and making forwarding decisions based on the label within an MPLS header.
kernel proxy firewall
A fifth-generation firewall that inspects a packet at every layer of the OSI model but does not introduce the performance hit of an application-layer firewall because it does this at the kernel layer. faster than application-level proxy firewalls because all of the inspection and processing takes place in the kernel and does not need to be passed up to a higher software layer in the OS
dynamic packet-filtering firewall
A firewall that allows only a particular packet with a particular source, destination, and port address to enter through the firewall. Gives you the option of allowing any type of traffic outbound and permitting only response traffic inbound
next-generation firewall (NGFW)
A firewall that combines firewall software with anti-malware software and other software that protects resources on a network. Has the ability to connect to external data sources such as Active Directory, whitelists, blacklists, and policy servers. Allows controls to be defined in one place and pulled by every NGFW on the network, which reduces the chances of not being synchronized
screened host architecture
A firewall that communicates directly with a perimeter router and the internal network. The router carries out filtering activities on the traffic before it reaches the firewall only device that receives traffic directly from the router
virtual firewall
A firewall that is implemented in software within a virtual machine in cases where it would be difficult, costly, or impossible to install a traditional physical firewall. Provides bridge-type functionality in which individual traffic links are monitored between virtual machines or they can be integrated within the hypervisor If the firewall is embedded within the hypervisor, then it can "see" and monitor all the activities taking place within the system
gateway
A general term for software running on a device that connects two different environments and that many times acts as a translator for them or somehow restricts their actions networks connect to a backbone, a gateway can translate the different technologies and frame formats used on the backbone network versus the connecting LAN protocol frame formats
phreaker
A hacker who manipulates the public telephone system to make free calls or disrupt services.
Difference between layer 2 and layer 3 switch?
A layer 2 switch only has the intelligence to forward a frame based on its MAC address and do not have a higher understanding of the network as a whole. A layer 3 switch has the intelligence of a router, it can route packets based on their IP addresses and choose routes based on availability and performance
extranet
A private network that uses Internet technologies to share business information with select corporate partners or key customers.
When to use a repeater, bridge, or router?
A repeater is used if an admin needs to expand a network and amplify signals so they do not weaken on longer cables. Also extends collision and broadcast domains Bridges work at the data link layer and have a bit more intelligence than a repeater. Can do simple filtering and separate collision domains, but not broadcast domains. Should be used when an admin wants to divid a network into segments and to reduce traffic congestion and excessive collisions A router splits up a network into collision domains and broadcast domains. A router gives more of a clear-cut divisions between network segments than repeaters or bridges. A router should be used if an administrator wants to have more defined control of where the traffic goes because mroe sophiosticated filtering is available with routers, and whena router is used to segment a network, the result is more controllable sections
Bridge vs Router
A router is used when an administrator wants to divide a network along the lines of departments, workgroups, or other business-oriented divisions. A bridge divides segments based more on the traffic type and load
bastion host
A system is considered this if it is a highly exposed device and most likely to be targeted by hackers. Any system close to an untrusted network (e.g. internet) is considered a target candidate Should have all unnecessary services disable, unnecessary accounts disabled, unneeded ports closed, unused applications removed, unused subsystems and administrative tools removed, etc. The attack surface of the system needs to be reduce, which means the number of potential vulnerabilities need to be reduced as much as possible
Network Access Control (NAC)
A technique that examines the current state of a system or network device before it is allowed to connect to the network.
Private Branch Exchange (PBX)
A telephone exchange for a specific office or business.
teardrop attack
A type of DoS that sends mangled IP fragments with overlapping and oversized payloads to the target machine. Could cause the victim system to become unstable
IP fragmentation attacks
An attack that breaks up malicious code into fragments, in an attempt to elude detection.
switch spoofing attack
An attacker can have a system act as though it is a switch. The system understands the tagging values being used in the network and the trunking protocols and can insert itself between other VLAN devices and gain access to the traffic going back and forth
proxy servers
Acts as an intermediary between the clients that want access to certain services and the servers that provide those services validates that requests is safe and then sends an independent request to the website on behalf off the user
Overlays SDN
All network nodes are virtualized - switches, routers, and servers Treated independently of the physical networks upon which this virtualized infrastructure exists A virtual overlay on top of a physical underlay network
VLAN hopping attacks
Allow attackers to gain access to traffic in various VLAN segments.
honeynet
An entire dummy network used to lure attackers.
Firewall shoulds
Any packet entering the network that has a source address of an internal host should be denied No traffic should be allowed to leave a network that does not have an internal source address When a fragmented packet comes to a firewall, it should accept each fragment, assemble the fragments into a complete packet, and then make an access decision based on the whole backet (can cause traffic delay) Deny network entrance to packets that contain source routing information - the packet decides how to get to its destination and not the routers
What layer do basic switches operate?
Basic switches operate at Layer 2 and forward traffic based on MAC addresses
Packet filtering security concerns
Cannot prevent attacks that employ application specific vulnerabilities or functions limited logging functionality most packet-filtering firewalls do not support advacned user authentication schemes many packet-filtering firewalls cannot detect spoofed addresses They may not be able to detect packet fragmentation attacks
SPI SDN
Championed by Cisco on the premise that OpenFlow is not sufficient to fully leverage the promise of SDN in the enterprise Leverages a rich API on proprietary switches that allows greater control over traffic in an SDN Deep packet inspection and manipulation
Switches
Combine the functionality of a multiport repeater (hub) and the functionality of a bridge. Amplifies the electrical signal like a repeater and build-in circuitry and intelligence of a bridge.
What is the great challenge in securing endpoints?
Knowing they are there in the first place. Intermittent connectivity is a problem when it comes to ensuring that mobile devices are properly configured and running the correct firmware, OS, and SW versions
Content Distribution Network (CDN)
Is a large distributed system of servers deployed in multiple data centers across the internet. Provides content that is optimized for users closest to it Reduces the number of network hops for your video packets Makes your internet presence more resistant to DDoS attacks
stateful firewall
Keeps a "scorecard" of all various protocol header values as packets go back and forth between systems. The values not only have to be correct, they have to happen in the right sequence
What does a stateful firewall keep track of for a UDP connection?
Keeps track of source and destination addresses UDP header values some ACL rules This connection information is also stored in the state table and tracked
Firewall Architectures
Single Tier; two Tier; three tier; bastion host; dual homed; screened host; screened subnet; transparent proxy
electronic mail gateway
Several email vendors have their own syntax, message format, and a way of dealing with message transmission. These are used to convert messages between email server software e.g Microsoft Exchange to Sendmail or vice versa
Security concerns of stateful-inspection firewalls
Several types of attacks are aimed at flooding the state table with bogus information When the state table is stuffed full of bogus information, a poorly designed device may either freeze or reboot
Common firewall rules that should be implemented
Silent Rule - drop noisy traffic without logging it to reduce log size Stealth rule - disallow access to firewall software from unauthorized systems Cleanup rule - drops and logs any traffic that does not meeting preceding rules Negate rule - used instead of the broad and permissive "any rules", provides tighter permission rights by specifying what the system can be accessed and how
Security concern with PBX
The modems hanging off their PBX to enable the vendor to dial in and perform maintenance to the system are usually unprotected. It should only be activated only when a problem requires the vendor to dial in - disabled otherwise Passwords are default and hardly ever change
What would happen if a company depends solely upon a multihomed firewall with no redundancy?
The system could be the single point of failure. All traffic flow stops Also lacks defense in depth, only one layer of protection
Multilayered switch
These higher-level switches offer routing functionality, packet inspection, traffic prioritization, and QoS functionality. They combine data link, network, and other layer functionalities
Difference between SDN and traditional networking?
Traditional networking relies on network devices that coordinate with one another in a mostly decentralized manner. Takes time for routers to converge on good routes, manually configured whenever any changes take place SDN centralizes the configuration and control of devices. Changes are pushed out to the devices either reactively or proactively. Allows traffic to be routed much more efficiently and securely - abstraction of control and forwarding planes
Overlapping Fragment Attack
Used to subvert packet filters that do not reassemble packet fragments before inspection. A malicious fragment overwrites a previously approved fragment and executes an attack on the victim's system.
Where do VLANs exist?
VLANs exist on top of the physical network and are not bound to it.
translation bridge
Used to interconnect two LANs that are operating two different networking protocols
How are switches different than a hub or bridge?
When a frame comes to a hub, the hub sends the frame out through all of its ports. When a frame comes to a bridge, the bridge sends the frame to the port to which the destination network segment is connected. When a frame comes to a switch, the switch sends the frame directly to the destination computer or network, which results in a reduction of traffic
Layer 3 and Layer 4 tags
When a packet reaches the switch, the switch compares the destination address with its tag information base (a list of all subnets and their corresponding tag numbers) The switch appends the tag to the packet and sends it to the next switch. All switches in between the first switch and the destination just review this tag information to determine which route it needs to take, instead of analyzing the full header. Once the packet reaches the last switch, the tag is removed and the packet is sent to the destination
Screened subnet architecture
When two filtering devices are used to create a DMZ. The external device screens the traffic entering the DMZ network, and the internal filtering device screens the traffic before it enters the internal network. Can have different networks within it and different firewalls that filter for specific threats
control plane
Where the internetwork routing decisions are being made. Responsible for discovering the topology of a neighboring networks and maintaining a table of routes for outbound packets Dynamic because congestion along different routes is always changing implemented in a central node that is responsible for managing all the devices in the network
local bridge
a network device that connects two or more LAN segments within a local area used in a building
bridges
a LAN device used to connect LAN segments - works at the data link layer and works with MAC addresses When a frame arrives at a bridge, the bridge determines whether or not the MAc address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment Uses to divide networks into smaller segments to ensure better use of bandwidth and traffic control
dual-homed firewall
a device that has two interfaces: one connected to one network and the other connected to a different network packet forwarding should be turned off - if not the computer may not apply the necessary ACLs, rules or other restrictions required of a firewall. The OS will forward the traffic instead of passing it up to the firewall software for inspection
packet filtering
a firewall technology that makes access decisions based upon network-level protocol header values. The device that is carrying out packet-filtering processes is configured with ACLs, which dictate the type of traffic that is allowed into and out of specific networks
router
a layer 3 device that has two or more interfaces and a routing table so its knows how to get packets to their destinations It can filter traffic based on access control lists (ACLs) and it fragments packets when necessary A router discovers information about routes and changes that take place in a network through its routing protocols (RIP, BGP, OSPF, and others). These protocols tell routers if a link has gone down, if a route is congested, and if another route is more economical. They also update routing tables and indicate if a router is having problems or has gone down
Virtual Local Area Network (VLAN)
a logical network that can separate physical devices without regard to the physical location of the device enable admins to apply particular security policies to their respective groups (payroll controls, software development controls, etc)
honeypot
a network device that is intended to be exploited by attackers, with the administrator's goal being to gain information on the attack tactics, techniques and procedures sits in the screened subnet, or DMZ, and attemps to lure attackers to it instead of to actual production computers
demiliarized zone (DMZ)
a network segment located between the protected and unprotected network provides a buffer zone between the dangerous internet and the goodies within the internal network that the company is trying to protect
packet filtering
a process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet also known as stateless inspection (does not understand the context that the packets are working within) filtering based solely on the data contained in that individual packet
Virtualized Networks
abstracting network resources that were traditionally delivered in hardware to software. NV can combine multiple physical networks to one virtual, software-based network, or it can divide one physical network into separate, independent virtual networks
proxy firewall
accepts messages either entering or leaving a network, inspects them for malicious information and when it decides the messages are okay, passes the data on to the destination computer stands between a trusted and untrusted network and makes the connection, each way, on behalf of the source proxy firewall breaks the communication channel,; there is no direct connection between the two communicating devices
forwarding proxy
allows the client to specify the server it wants to communicate with
double tagging attack
an attacker can insert VLAN tags to manipulate the control of traffic at the data link layer
greatest weakness of virtual networks
any attacker that can compromise the hypervisor could gain access to all virtualized devices and networks within it
endpoints
any computing device that communicates through a network and whose principal function is not mediate communications for other devices on that network
reverse proxy
appears to clients as the original servers can carry out load balancing, encryption acceleration, security and caching
application-level proxy vs circuit-level proxy
application-level - each protocol that is to be monitored must have a unique proxy - they provide more protection than circuit-level proxy firewalls - require more processing per packet and thus are slower than circuit-level proxy firewalls circuit-level proxy firewalls - do not require a proxy for each and every protocol - do not provide deep-inspection capabilities of an application-level proxy firewall - provide security for a wider range of protocols a circuit-level proxy can handle a wider variety of protocols and services than an application-level proxy can, but the downfall is that the circuit-level rpoxy cannot provide the degree of granular control that an application-level proxy provides
masquerading or impersonation
attacker modifies a packet header to have the source address of a host inside the network she wants to attack
Bridge security concern
broadcast storms - because bridges forward all traffic, they forward all broadcast packets as well. This can overwhelm the network and result in a broadcast storm, which degrades the network bandwidth and performance
remote bridge
can connect two or more LAN segments over a MAN by using telecommunications links. A remote bridge is equipped with telecommunications ports, which enable it to connect two or more LANs separated by a long distance and can be brought together via telephone or other types of transmission lines
web proxy servers
carry out content filtering to ensure that internet use conforms to the organization's acceptable-use policy can block unacceptable web traffic, provide logs with detail information pertaining to the websites specific users visited, monitor bandwidth, screen traffic
SOCKS-enabled client
circuit-level proxy gateway Sends a request to access a computer on the internet, this request usually goes to the network's SOCKS proxy firewall which inspects the packets for malicious information and checks it policy rules to see whether this type of connection is allowed If the packet is acceptable and this type of connection is allowed, the SOCKS firewall sends the message to the destination computer on the Internet. When the computer on the Internet responds, it sends its packets to the SOCKS firewall, which again inspects the data and then passes the packets on to the client computer
Unified Threat management
comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software
circuit-level proxy
creates a circuit between the client and the server and doesn't deal with the contents of the packets that are being processed cannot look into the contents of a packet and does not carry out deep-packet inspection
What do proxy firewalls deny?
end-to-end connectivity between the source and destination middle man application- or circuit-level proxy
Advantages of application-level firewalls
extensive logging capabilities from examining the network packet than just addresses and ports capable of authenticating users directly, as opposed to packet-filtering firewalls and stateful-inspection firewal Not only a layer 3 device and can address spoofing attacks and other sophisticated attacks
open proxy
forwarding proxy that is open for anyone to use. An anonymous open proxy allows users to conceal their IP adddress while browsing websites or using other Internet services
firewalls
hardware, software, or both designed to prevent unauthorized persons from accessing electronic information monitors packets coming into and out of the network it is protecting. It can discard packets, repackage them, or redirect them, depending upon the firewall configuration. Packets are filtered based on their source and destination addresses, and ports by service, packet type, protocol type, header information, sequence bits, etc.
application-level proxy
inspect the packet up through the application layer understands the packet as a whole and can make access decisions based on the content of the packets one proxy per protocol
proxy
intercepts messages before delivering them to the intended recipients
Electronic Data Interchange (EDI)
the computer-to-computer exchange of business documents from a retailer to a vendor and back
control plane vs forwarding plane
the control plane is the strategic, methodical planner of traffic routing the forwarding plane is the tactical, fast executioner of those plans
