3- Basic Network Security Flashcards
Networking Concepts
- Protocols
- Understanding & Identifying Ports
- Well-known Ports
Networking Concepts: Protocols
Networking protocols provide the rules needed for computers to communicate with each other on a network. TCP/IP is a full suite of protocols used on the Internet and many internal networks. Some of the TCP/IP protocols, such as TCP, UDP, and IP, provide basic connectivity. Other protocols, such as HTTP and SMTP, support specific types of traffic, such as web traffic or e-mail.
Networking Concepts: Protocols- TCP/IP
TCP/IP isn't a single protocol, but a full suite of protocols.
Grouped protocols can fall within the following sections:
- Basic connectivity protocols
- Encryption protocols
- Application protocols
- E-mail protocols
- Remote access protocols
Networking Concepts: Protocols- TCP/IP– Basic connectivity protocols
Some basic protocols used within the TCP/IP suite for basic connectivity, and for testing that connectivity, include:
- TCP (Transmission Control Protocol);
- UDP (User Datagram Protocol);
- IP (Internet Protocol);
- ARP (Address Resolution Protocol);
- ICMP (Internet Control Message Protocol).
Networking Concepts: Protocols- TCP/IP– Basic connectivity protocols: TCP (Transmission Control Protocol)
TCP (Transmission Control Protocol): provides connection-oriented traffic (guaranteed delivery). TCP uses a three-way handshake. To start a TCP session, the client sends a SYN (synchronize) packet. The server responds with a SYN/ACK (synchronize/acknowledge) packet, and the client completes the third part of the handshake with an ACK packet. At this point, the connection is established.
Networking Concepts: Protocols- TCP/IP– Basic connectivity protocols- SYN Flood Attack
SYN Flood Attack
The SYN flood attack is a common denial-of-service (DoS) attack. In the SYN flood attack, the attacker sends multiple SYN packets but never completes the third part of the handshake. Instead, the attacker withholds the last ACK packet, leaving the server with several open sessions waiting to complete the handshake in each.
This is like a friend extending his hand to shake hands with you, you extending your hand in response, and then, at the last instant, he pulls his hand away. While you or I will probably stop extending our hand back to someone doing this, the server doesn't know any better and keeps answering every SYN packet with a SYN/ACK packet.
Each uncompleted session consumes resources on the server, and if the SYN flood attack continues, it can actually crash the server. Some servers reserve a certain number of resources for connections, and once the attack consumes these resources, the system blocks additional connections. Instead of crashing the server, the attack prevents legitimate users from connecting to the server.
An intrusion prevention system (IPS, covered in chapter 4) can detect a SYN flood attack and respond to block the attack. Additionally, many firewalls include a flood guard that can detect SYN flood attacks and take steps to close the open sessions.
Networking Concepts: Protocols- TCP/IP– Basic connectivity protocols: Internet Protocol
The Internet Protocol identifies hosts in a TCP/IP network and delivers traffic from one host to another using IP addresses. IPv4 uses 32-bit addresses represented in dotted decimal format, such as 192.168.1.100. IPv6 uses 128-bit addresses written in hexadecimal, such as FE80:0000:0000:0000:20D4:3FF7:003F:DE62.
Networking Concepts: Protocols- TCP/IP– Basic connectivity protocols: User Datagram Protocol (UDP)
User Datagram Protocol provides connectionless sessions (without a three-way handshake). ICMP traffic and audio and video streaming use UDP. Many network-based denial-of-service (DoS) attacks use UDP. All TCP/IP traffic is either connection-oriented TCP traffic or connectionless UDP.
Networking Concepts: Protocols- TCP/IP– Basic connectivity protocols: Address Resolution Protocol
Address Resolution Protocol resolves IP addresses to media access control (MAC) addresses. MACs are also called physical addresses, or hardware addresses. TCP/IP uses the IP address to get a packet to a destination network, but once it arrives on the destination network, it uses the MAC address to get it to the correct host. In other words, ARP is required once the packet reaches the destination subnet. ARP poisoning uses ARP packets to give clients false hardware address updates and can be used to redirect or interrupt network traffic.
Networking Concepts: Protocols- TCP/IP– Basic connectivity protocols: ICMP (Internet Control Message Protocol)
ICMP (Internet Control Message Protocol) is used for testing basic connectivity and includes tools such as ping, pathping, and tracert. As an example, ping can check for basic connectivity between two systems. Many DoS attacks use ICMP. Because of how often ICMP is used in attacks, it has become common to block ICMP at firewalls and routers, which disables a ping response. Blocking ICMP prevents attackers from discovering devices in a network with a host enumeration sweep.
Networking Concepts: Protocols- TCP/IP– Basic connectivity protocols- DoS Attack
Many DoS (Denial-of-Service) attacks use ICMP, so it is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked.
Networking Concepts: Protocols- TCP/IP– Encryption Protocols
Encryption Protocols
Any traffic sent across the wire in clear text is subject to sniffing attacks with a protocol analyzer. One way to protect against this vulnerability is to encrypt the data. Some protocols used to encrypt traffic include:
- SSH (Secure Shell);
- SCP (Secure Copy).
Networking Concepts: Protocols- TCP/IP– Encryption Protocols: SSH (Secure Shell)
SSH (Secure Shell) can be used to encrypt a wide variety of traffic, such as Telnet, Secure Copy (SCP), and Secure File Transfer Protocol (SFTP). UNIX and Linux administrators often use SSH to remotely administer these systems. When traffic is encrypted with SSH, it uses port 22.
Networking Concepts: Protocols- TCP/IP– Encryption Protocols: SCP (Secure Copy)
SCP (Secure Copy) is based on SSH. Users can use SCP to copy encrypted files over a network. SCP uses port 22.
Networking Concepts: Protocols- TCP/IP– Encryption Protocols: Secure Sockets Layer protocol
The Secure Sockets Layer protocol secures HTTP traffic as HTTPS. SSL can also encrypt other types of traffic such as LDAP. SSL uses port 443 when encrypting HTTP, and port 636 when encrypting LDAP/SSL (LDAPS).
Networking Concepts: Protocols- TCP/IP– Encryption Protocols: Transport Layer Security protocol
Transport Layer Security protocol is the designated replacement for SSL. At this point, you can use TLS instead of SSL in just about any application. For example, TLS can encrypt HTTP traffic as HTTPS (on port 443), and LDAP traffic as LDAP/TLS (LDAPS) on port 636. Notice that LDAPS can use either SSL or TLS and both use port 636.
Networking Concepts: Protocols- TCP/IP– Encryption Protocols: IPsec (Internet Protocol security)
IPsec (Internet Protocol security) is used to encrypt IP traffic. It is native to IPv6 but also works with IPv4. IPsec encapsulates and encrypts IP packet payloads and uses tunnel mode to protect virtual private network (VPN) traffic. IPsec includes two components: Authentication Header (AH), identified by protocol ID number 51, and Encapsulating Security Payload (ESP), identified by protocol ID number 50.
Networking Concepts: Protocols- TCP/IP– Encryption Protocols- summary
SSH encrypts a wide variety of traffic and uses port 22 in each implementation. It encrypts FTP traffic (as SFTP) using port 22 instead of the FTP ports of 20 and 21. It encrypts Telnet traffic using port 22 (instead of the Telnet port of 23). SSH is also used with SCP to copy encrypted files over a network.
SSL and TLS encrypt traffic, including traffic over the Internet. IPsec includes ESP to provide payload encryption and AH to provide authentication and integrity. IPsec is built into IPv6 but can also work with IPv4.
Networking Concepts: Protocols- TCP/IP– Application Protocols
Application Protocols
Many different application protocols are used on the Internet and within an intranet. A common protocol that you probably use frequently is HTTP to access web pages on the Internet. Some of the more commonly used application protocols are covered in the following cards.
Networking Concepts: Protocols- TCP/IP– Application Protocols: HTTP (Hypertext Transfer Protocol)
HTTP (Hypertext Transfer Protocol) is used for web traffic on the Internet and in intranets. Web servers use HTTP to transmit web pages to clients' web browsers. Hypertext Markup Language (HTML) is the common language used to display the web pages. HTTP uses port 80.
Gibson, Darril (2011-11-10). CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide (Kindle Locations 3912-3914). Kindle Edition.
Networking Concepts: Protocols- TCP/IP– Application Protocols: HTTPS (HTTP Secure)
HTTPS (HTTP Secure) secures web traffic by transmitting it in an encrypted format. Web browsers commonly indicate that a secure session is using HTTPS by displaying a lock icon and with HTTPS in the URL. HTTPS is encrypted with either SSL or TLS and it uses port 443.