CH 15 NETWORK SECURITY REVIEW Flashcards

1
Q

NETWORK SECURITY

A
  • Not all attacks can be mitigated by local (host-hardening) security practices.
  • Some attack vectors must be controlled with network security practices.
  • This addresses the problem of attackers sending malicious network traffic to your system.
    • This WILL happen whether or not the system is vulnerable - the way to handle it is to manage the inevitable rather than hope to avoid it.
    • Malicious traffic includes DoS/DDoS attacks and targeted traffic that tries to exploit weaknesses in the software listening on the network.
2
Q

IP ADDRESSES AND PORT NUMBERS

A
  • Every host on an IP-based network has at least one IP address.
  • Every Linux host has a number of processes running on it at any given time.
  • Each of these processes can be a network client, a network server, or both.
  • Because more than one process on a system can be running as a server, an IP address alone is not enough to say which process a packet is for; a second identifier, the port number, is needed.
3
Q

IP ADDRESSES AND PORT NUMBERS

  • TCP / UDP
  • port number ranges
A
  • TCP/IP requires that traffic carry not only a source and destination IP address but a source and destination port number as well. This applies to TCP and UDP (ICMP, for example, has no ports).
  • Port numbers are 16-bit values and range from 0 to 65535.
    • Ports 0 to 1023 are the well-known (system) ports, generally reserved for well-known services. On Linux only root, or a process holding CAP_NET_BIND_SERVICE, may bind them.
    • Ports 1024 and higher are either less common applications (IANA registered ports, 1024-49151) or are used for temporary (ephemeral) client-side connections (49152-65535 by IANA; Linux hands out ephemeral ports from net.ipv4.ip_local_port_range, 32768-60999 by default).
4
Q

IP ADDRESSES AND PORT NUMBERS

  • Well-Known ports and their port numbers
A

Well-known services and their associated ports are listed in /etc/services (one line per name, port and protocol, e.g. "ssh 22/tcp"); getent services ssh looks an entry up. Note that some services use both TCP and UDP on the same port number (DNS on 53, for example).

  • Port 21 - FTP (control channel)
  • Port 22 - SSH (Secure Shell) remote login protocol
  • Port 23 - Telnet (cleartext)
  • Port 25 - Simple Mail Transfer Protocol (SMTP)
  • Port 53 - DNS (UDP and TCP)
  • Port 80 - HTTP
  • Port 110 - POP3
  • Port 118 - SQL Services
  • Port 143 - Internet Message Access Protocol (IMAP)
  • Port 161 - SNMP (UDP)
  • Port 179 - Border Gateway Protocol (BGP)
  • Port 389 - Lightweight Directory Access Protocol (LDAP)
  • Port 443 - HTTPS
5
Q

IP ADDRESSES AND PORT NUMBERS

  • Stateful Connection tracking
A

In order to identify every unique connection between hosts, Linux keeps track of four pieces of information:

  1. Source IP Address
  2. Source Port Number
  3. Destination IP Address
  4. Destination Port Number

Strictly, the transport protocol (TCP or UDP) is a fifth element: a TCP flow and a UDP flow with the same four values are different connections. The kernel's connection-tracking table (conntrack, used by the stateful firewall) is keyed on this 5-tuple, and two connections from the same client to the same server port differ only in their source port.
6
Q

PORTS AND SERVICE BINDING

  • Binding
  • netstat command
A
  • Services generally watch for traffic on a specific port - this is a process known as binding.
    • Example: the apache web server handles HTTP and HTTPS traffic, so at startup it binds to ports 80 and 443 (as configured by its Listen directives) to receive and send traffic there.
  • To track what ports are open on your system and the associated bindings, the netstat command is used.
    • Example: run netstat --tcp --numeric (short form netstat -tn); add -l to see listening sockets rather than established connections.
    • netstat belongs to the deprecated net-tools package; ss from iproute2 is its replacement and takes the same option letters, e.g. ss -tlnp.
7
Q

NETSTAT COMMAND

A
  • By default (no parameters/options/switches), netstat lists established connections for both network (TCP/UDP) sockets and Unix domain sockets.
    • This means you will see connections going over the network AS WELL as connections between local processes (domain sockets).
  • It is a good idea to know which processes are bound to which ports, and which programs are listening on the network.
    • Example: if the bash shell is listening on a network port, you should be suspicious - a shell bound to a port is what an attacker's bind shell looks like.
  • The main concern is the local (listening) port of a socket and the program bound to it.
    • If the program is not the one expected for that port, if a known service is listening on a non-standard port, or if an unknown program is listening at all, this is cause for concern and should be investigated.
8
Q

NETSTAT COMMAND OPTIONS

A
  • -n (--numeric) do not resolve IP addresses or port numbers to names; faster, and the output cannot be influenced by DNS
  • -a (--all) show ALL sockets, listening as well as established (by default only established connections are shown)
  • -t (--tcp) show TCP sockets
  • -u (--udp) show UDP sockets
  • -l (--listening) show only listening sockets; -p (--program) show the PID and program name that owns each socket (needs root to see other users' processes)
9
Q

BINDING TO AN INTERFACE

A
  • One way to reduce the exposure of a service/daemon running on a server is to bind it to the address of a specific network interface rather than to all addresses (0.0.0.0 or ::).
    • Example: Interfaces
      • eth0 192.168.1.4
      • eth1 172.16.1.1
      • lo 127.0.0.1
    • IP forwarding is NOT enabled (/proc/sys/net/ipv4/ip_forward is 0), so the host does not route packets between the two networks.
  • If an application binds itself to 172.16.1.1 (the eth1 address), hosts on the 192.168.1.0/24 side have no normal path to it: the service is not listening on 192.168.1.4, and the box will not forward traffic from one network into the other.
    • Caveat: this is not a hard boundary. Linux accepts a packet addressed to any of its local addresses on whichever interface it arrives, so a 192.168.1.0/24 host that routes 172.16.0.0/16 via 192.168.1.4 can still reach the socket. Pair address binding with host firewall rules on the interface.
  • You can even bind to 127.0.0.1 (loopback) for applications that should only be accessed by services on the same server.
    • Ex: MySQL should only be called from internal services such as apache and has no need to communicate with the outside world, so it should have bind-address = 127.0.0.1 in its server configuration.
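The two checks described in the NETSTAT COMMAND card (a program that has no business listening, such as bash) and in this card (a loopback-only service such as MySQL bound to a wildcard or external address), run over the output of ss -tlnp, as an added shell example that is not part of the original page. The ss output below is a constructed sample, and the EXPECTED_PROGRAMS and LOOPBACK_ONLY allowlists are assumptions for illustration; the ip_forwarding_enabled helper takes a path argument so it can be tried against a file instead of /proc.

```shell
#!/bin/sh
# Listener audit (added example, not from the page). Reads `ss -tlnp` output and flags
# programs that should not be listening at all, and loopback-only services bound to a
# wildcard or external address. Both allowlists below are illustrative assumptions.
EXPECTED_PROGRAMS="sshd apache2 mysqld cupsd"   # daemons allowed to listen at all
LOOPBACK_ONLY="mysqld cupsd"                     # of those, the ones that must bind 127.0.0.1/::1

# Constructed sample in the format of `ss -tlnp`; on a live host pipe the real command in.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=1021,fd=4))
LISTEN 0      70     0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=955,fd=21))
LISTEN 0      5      0.0.0.0:4444       0.0.0.0:*         users:(("bash",pid=2311,fd=3))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))'

# audit_listeners: stdin = `ss -tlnp` output, stdout = one finding per line.
audit_listeners() {
    awk -v expected="$EXPECTED_PROGRAMS" -v loopback="$LOOPBACK_ONLY" '
    BEGIN {
        n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1
        n = split(loopback, l, " "); for (i = 1; i <= n; i++) lo[l[i]] = 1
    }
    $1 != "LISTEN" { next }          # skips the header line
    {
        # Field 4 is "addr:port"; the port follows the last colon ([::]:22 has several).
        addr = $4; port = $4
        sub(/.*:/, "", port); sub(/:[^:]*$/, "", addr)
        # Program name from users:(("name",pid=...)). Stays "?" (and is flagged) when ss
        # shows no Process column, which happens when ss is not run as root.
        prog = "?"
        if (match($0, /\(\("[^"]+"/)) prog = substr($0, RSTART + 3, RLENGTH - 4)
        if (!(prog in ok))
            printf "UNEXPECTED-PROGRAM port=%s prog=%s addr=%s\n", port, prog, addr
        else if ((prog in lo) && addr != "127.0.0.1" && addr != "[::1]")
            printf "WILDCARD-BIND port=%s prog=%s addr=%s\n", port, prog, addr
    }'
}

# ip_forwarding_enabled: succeeds if the kernel routes between interfaces (the interface-
# binding argument above assumes it does not). Optional path lets a file stand in for /proc.
ip_forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners
```

Run against the sample this reports bash on port 4444 as an unexpected listener and mysqld on 0.0.0.0:3306 as a loopback-only service exposed to the network; sshd and apache2 on the wildcard address and cupsd on 127.0.0.1 pass. On a real host replace the sample with `ss -tlnp | audit_listeners` (as root, so the Process column is populated) and tune the two lists to what the server is supposed to run.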
10
Q

SERVICE/DAEMON MANAGEMENT

A
  • As Linux becomes more user-friendly, more services/daemons are installed and configured to launch at startup during installation, whether or not the system needs them.
  • Every listening service is attack surface. When evaluating a system, ask three questions about each one:
    • Is this service needed? If not, stop and disable it (and remove the package).
    • If so, is the default configuration secure?
    • Does the service need updates (is the installed version current)?
11
Q

XINETD

A
  • xinetd - the extended Internet services daemon, a "super-server" that listens on the ports of the network services configured under it (/etc/xinetd.conf and /etc/xinetd.d/) and launches the matching service on demand when a connection arrives, instead of each service keeping its own listener running.
    • Performs access control (e.g. only_from / no_access by client address, access_times by time of day, per-source and total connection limits), logging of successful and failed connections, and similar housekeeping for those services.
    • On systemd-based distributions, socket activation (.socket units) has largely taken over this role.
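A service stanza showing the access-control and logging directives the card refers to, added here as an example; it is not taken from the page or from any distribution's default xinetd files. The service (telnet, which the page lists on port 23), the server path /usr/sbin/in.telnetd, the 192.168.1.0/24 range and the excluded host are assumptions for illustration.

```conf
# /etc/xinetd.d/telnet  (illustrative stanza; service, path and addresses are assumptions)
service telnet
{
    # "disable = yes" would keep the stanza but make the service unreachable.
    disable         = no
    socket_type     = stream
    protocol        = tcp
    # wait = no: xinetd forks one in.telnetd per connection and keeps listening.
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd

    # Access control: only the local LAN, minus one host, and only during office hours.
    only_from       = 192.168.1.0/24
    no_access       = 192.168.1.99
    access_times    = 08:00-18:00

    # Resource limits against connection floods: total instances, per client address,
    # and a rate limit (at most 20 connections per second, then pause for 30 seconds).
    instances       = 10
    per_source      = 3
    cps             = 20 30

    # Logging: send to syslog, and record the client host, server PID and session
    # length for accepted connections, and the client host for rejected ones.
    log_type        = SYSLOG authpriv info
    log_on_success  += HOST PID DURATION
    log_on_failure  += HOST
}
```

A connection from 192.168.1.99, from outside 192.168.1.0/24, or outside 08:00-18:00 is refused by xinetd before in.telnetd ever starts, and the refusal is logged with the client address. Reload with `systemctl reload xinetd` (or send xinetd SIGHUP) after editing.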