Chapter 11 Secure Network Architecture Flashcards
Describe encapsulation in the OSI model.
Communication between layers happens through encapsulation and decapsulation. Encapsulation adds a header, and possibly a footer. At each new layer, the previous layer’s header and payload become the new payload. Encapsulation goes from Application to Physical. The opposite happens with decapsulation.
–The application layer receives data from software. It adds information, usually only a header.
–Each layer adds information until the message reaches the physical layer.
–At the physical layer, the message is converted into electrical impulses that represent bits, and transmitted over a physical connection.
–The receiving computer captures the bits and recreates the message in the physical layer.
–The data goes to the data link layer, which strips the header.
–This continues until the application layer, which transfers the data to software.
Each layer contains instructions, checksums, etc., that only the peer layer understands. This is known as peer level communication.
The data sent to the protocol stack at the application layer is encapsulated into a network container. The protocol data unit (PDU) goes to presentation and then to session. For those three layers, it is a PDU. Once it goes to Transport, it is a segment if TCP, or datagram if UDP. At layer 3, it is a packet. At layer 2, it is a frame. At layer 1, it becomes bits.
What does the application layer do?
Responsible for interfacing user applications, network services, or the OS with the protocol stack. The protocols and services required to transmit files, exchange messages, connect to remote terminals, etc, are found here.
What does the presentation layer do?
Responsible for transforming data into a format that any system following the OSI model can understand. It imposes a common structure, and is also responsible for encryption and compression. However, on TCP/IP networks, there is not an actual Presentation layer. There is no need to reformat data for network transport, and compression only occurs in concert with some encryption operations. Encryption can occur in at least five locations:
–pre-network encryption before entering the application layer
–Transport layer encryption typically performed by TLS
–VPN encryption, which can happen at layer 2 (L2TP), layer 3 (IPsec), or layer 4 (OpenVPN)
–wireless encryption at the data link layer
–bulk encryption at the physical layer via a device external to the NIC
What does the session layer do?
Responsible for establishing, maintaining, and terminating communications sessions between two computers. It manages dialog discipline or dialog control, establishes checkpoints for grouping and recovery, and retransmits PDUs that have been lost since the last verified checkpoint. There is no Session layer on TCP/IP networks; the transport layer handles it for TCP, and it doesn’t happen for UDP.
Sessions happen in one of three control modes: simplex is one-way communication, half duplex is two-way communication but only one way can send at a time, and full duplex is two-way simultaneous communication.
What does the transport layer do?
Responsible for managing the integrity of a connection and controlling the session. It establishes communications between nodes (also known as devices), and defines the rules of a session. The rules specify how much data each segment can contain, how to verify message integrity, and how to determine whether data has been lost. Session rules are established through a handshake. The layer establishes a logical connection between two devices and provides end-to-end transport services to ensure data delivery. This includes mechanisms for segmentation, sequencing, error checking, controlling the flow of data, error correction, multiplexing, and network service optimization. Includes TCP, UDP, and TLS.
What does the network layer do?
Responsible for logical addressing and performing routing. Logical addressing occurs when an address is assigned and used by software or a protocol rather than being provided and controlled by hardware. The packet header has the source and destination IP address. The network layer is responsible for providing routing or delivery guidance but is not responsible for verifying delivery. It also performs error detection and manages node data traffic. Routers operate at layer 3, determining the best logical path for the transmission of packets.
Non-IP protocols exist but have become the purview of special purpose networks such as IPX, AppleTalk, and NetBEUI. Most firewalls cannot perform filtering on their headers. Block this traffic.
Describe interior and exterior routing protocols.
Two categories of interior routing protocols: distance vector and link state.
–Distance vector routing protocols maintain a list of destination networks along with metrics of direction and distance measured in hops. Examples are Routing Information Protocol and Interior Gateway Routing Protocol.
–Link state routing protocols gather router characteristics such as speed, latency, error rates, and monetary cost for use. Examples are Open Shortest Path First and Intermediate System to Intermediate System. Enhanced Interior Gateway Routing Protocol is a replacement for IGRP.
The main category of exterior routing protocols is path vector. These make next hop decisions based on the entire remaining path. This is different from interior protocols, which only look at the next hop. Border Gateway Protocol is the main form of path vector protocol.
What is the data link layer?
Responsible for formatting the packet for transmission. The proper format is determined by the hardware, topology, and the technology of the network, such as Ethernet.
One part of the processing is adding the source and destination hardware address to the frame. This is the MAC address, which is a 48-bit binary address. It is also known as the physical address, the NIC address, and the Ethernet address. The first 24 bits are the organizationally unique identifier (OUI). The last 24 bits are a unique number for that interface. Some manufacturers encode info like make and model into that part of the MAC address.
ARP is the main protocol. Network hardware at layer 2 includes switches and bridges.
What is the physical layer?
Converts a frame into bits for transmission. NICs, hubs, repeaters, concentrators, and amplifiers function here. These devices perform hardware-based signal operations.
Name important ports.
Telnet: TCP Port 23. Does not support file transfer. Don’t use.
FTP: TCP Port 20 (data connection) and Port 21 (control connection). Don’t use.
Trivial File Transfer Protocol (TFTP): UDP Port 69. Exchange of files without authentication. Supports multicasting. Don’t use.
SMTP: TCP Port 25. Used to send emails from the server to a client and then deletes them. Also server to server. Only use with TLS.
POP3: TCP Port 110. Pulls messages from the inbox to the client. Only use with TLS.
IMAP4: TCP Port 143. Server to the email client; unlike SMTP, it saves them. Can also retrieve only headers and delete off the email server. Only use with TLS.
DHCP: UDP Ports 67 (server listens) and 68 (client listens). Centralized control of TCP/IP settings assigned to systems upon bootup.
HTTP: TCP Port 80. TLS can be used but only for server to server communications.
HTTPS: TCP Port 443.
Line Printer Daemon (LPD): TCP Port 515. Spools print jobs and sends them to the printer. Consider enclosing it in a VPN.
X Window: TCP Ports 6000-6063. GUI API for command-line OS. Consider enclosing it in a VPN.
Network File System (NFS): TCP Port 2049. Network service used to support file sharing between dissimilar systems. Consider enclosing it in a VPN.
SNMP: UDP Port 161, Port 162 for trap messages. Use SNMPv3 only.
What are the different types of ports?
Connections via the transport layer are done via ports. They are 16-bit binary numbers, so there are 65,536 possible ports. An IP address plus a port number is a socket.
The first 1024 ports are “well known.” They are reserved for servers. Ports up to 49,151 are registered software ports; software products register these with IANA. The rest are known as random, dynamic, or ephemeral ports. Clients often use them as a source port.
What is the difference between a FIN and a RST packet?
FIN for graceful shutdown, RST is sudden.
Describe the basics of DNS.
A domain name is a temporary human-friendly name; an IP address is a temporary logical address.
DNS is a hierarchical naming system. In www.google.com, com is the TLD, google is the registered domain, and www is the subdomain. The registered domain name is registered with approved domain registrars. The total length of a FQDN, including the dots, must be 253 or fewer characters. No single section can exceed 63 characters. Only letters, numbers, and hyphens are permitted.
Every registered domain must have an authoritative name server. The primary one hosts the original editable zone file; secondary ones have read-only copies. A zone file is the collection of resource records or details about the specific domain. Originally there was a static local file, but a dynamic DNS query system has replaced it.
When a client points to a FQDN, it first checks the local cache to see whether the answer is already known. The cache has pre-loaded local hosts and any DNS query results. If the answer isn’t there, a DNS query is sent to the DNS server.
TCP Port 53 is used for zone transfers, which are zone file exchanges between DNS servers, special manual queries, or responses exceeding 512 bytes. UDP Port 53 is used for most DNS queries.
DNSSEC is a security improvement that provides mutual certificate authentication and encrypts sessions. It only applies to DNS servers, not clients performing queries. Non-DNS servers should use DNS over HTTPS. Oblivious DoH adds a DNS proxy between the client and resolver to protect the identity of the requesting client.
What is DNS poisoning and how do you protect against it?
Act of falsifying DNS information used by a client to reach a desired system. It can happen in various ways:
–Rogue DNS server. Can listen in on network traffic for DNS queries and send back a response with false information. Once the client receives a response, it will close the query and ignore the real response. DNS queries contain a 16-bit value known as the query ID. Rogue DNS responses must include the QID.
–DNS cache poisoning. DNS poisoning is attacking DNS servers and placing false information into the zone file or cache. This is aimed to alter the primary record in the zone file. This typically gets noticed very quickly. An alternative is cache poisoning. A caching DNS server is any DNS system deployed to cache DNS information from other DNS servers. This content is not generally monitored because it is for local users. May not get noticed.
–DNS pharming. Malicious redirection of a URL or IP address to a fake Web site. Typically occurs by modifying the local hosts file or by poisoning or spoofing DNS resolution.
–Altering the hosts file. Modifying the hosts file by placing false data into it. When the system boots up, it will be read into memory and take precedence. It is effective but highly targeted.
–Corrupt the IP configuration. Can result in a client having a false DNS server definition. The DNS server address is typically distributed via DHCP but can be assigned statically. Attacks try to alter it through DHCP or through a script.
–DNS query spoofing. When a hacker eavesdrops on a client’s query and sends back a false result.
–Use proxy falsification. Could be implemented via DNS if the proxy’s domain name has been resolved by the client to use the proxy. A rogue proxy server can modify traffic packets to go wherever the hacker wants.
Defenses:
–Limit zone transfers from internal DNS servers to external servers. Do this by blocking inbound TCP Port 53 and UDP Port 53.
–Require internal clients to resolve all domain names through internal DNS. Block outbound UDP Port 53 but allow TCP Port 53.
–Limit the external DNS servers from which DNS servers pull zone transfers.
–Deploy a NIDS to watch for unusual DNS traffic.
–Properly harden all DNS, server, and client systems in your network.
–Use DNSSEC.
–Use DoH or ODoH.
–A split DNS uses one DNS server for public use and one for private use.
–A DNS sinkhole attempts to provide false responses to malware to protect C2 systems, and protect users from accessing known malicious sites.
How can IPv4 and IPv6 exist on the same network?
There are three ways for IPv4 and IPv6 to exist on the same network.
Dual stack means having systems operate both and using the protocol for each.
Tunneling allows most systems to operate on one, and use an encapsulation tunnel to access systems on the other.
NAT Protocol Translation (NAT-PT) can be used to convert between IPv4 and IPv6, similar to how it converts between internal and external addresses.
What numbers go with each IP class?
Class A: 1-126
Class B: 128-191
Class C: 192-223
Class D: 224-239
Class E: 240-255
How many hosts does each type of class support?
Class A supports 16,777,214 hosts. Class B supports 65,534 hosts. Class C supports 254 hosts. D is used for multicasting and E is reserved.
What is IGMP?
Internet Group Management Protocol allows systems to support multicasting. This is the transmission of data to multiple specific recipients. It is used to manage a host’s dynamic multicast group management. With IGMP, a single initial signal is multiplied at the router if divergent pathways exist to the intended recipients. Multicasting can be assisted by a TFTP system to host or cache content.
What is ARP? What is ARP poisoning?
ARP is used to resolve IP addresses into 48-bit MAC addresses. Traffic on a network segment is directed from source to destination via MAC addresses. ARP is carried as the payload on an Ethernet frame and is a dependent Layer 2 protocol. It uses caching and broadcasting to perform its operations. If the needed information is already present in the ARP cache, it is used. Otherwise, there is an ARP broadcast. If the system is on the subnet, it will respond; otherwise, the system will use its gateway MAC address.
ARP cache poisoning or spoofing is caused by an attacker responding with false replies. The ARP cache is updated each time an ARP reply is received. Content usually remains for 10 minutes. Another form of ARP poisoning is gratuitous ARP or unsolicited ARP replies. This occurs when a system announces its MAC-to-IP mapping without being asked. A third form of ARP cache poisoning is to create static ARP entries. This is done via the ARP command and must be done locally; however, it can be done with a malicious script.
The best defense against ARP-based attacks is port security on the switch. Switch port security can prohibit communications with unknown, unauthorized, rogue devices and may be able to determine which system is responding to all ARP queries and block it. A local or software firewall, HIDS, or special endpoint security products can also help. One tool is arpwatch. Static ARP entries can also be used as a defense (not just as an attack), but you lose flexibility, and the entries must be re-created after each reboot.
What are the implications of multilayer protocols?
TCP/IP is a multilayer protocol. For a typical web connection, HTTP is encapsulated in TCP, which is encapsulated in IP, which is encapsulated in Ethernet.
[Ethernet [IP [TCP [HTTP [Payload] ] ] ] ]
You can add additional layers of encapsulation, such as with TLS encryption:
[Ethernet [IP [TCP [TLS [HTTP [Payload] ] ] ] ] ]
You can then add network layer encryption:
[Ethernet [IPSec [IP [TCP [TLS [HTTP [Payload] ] ] ] ] ]]
This is not always used for benign purposes. Covert channel communications use encapsulation to hide an unauthorized protocol inside an authorized one. Filters can be bypassed. Logically imposed network segment boundaries can be overstepped.
The advantage of multilayer protocols is a wide range of protocols can be used at higher layers; encryption can be incorporated at various layers; and there is supported flexibility in complex network structures.
Describe converged protocols.
The merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/IP suite. This allows existing TCP/IP network infrastructure to host special services without needing unique deployments.
–Storage Area Networks: Secondary network used to consolidate and manage various storage devices into a single network-accessible storage container. Used to enhance hard drives, drive arrays, optical jukeboxes, and tape libraries so they appear to servers to be local.
–Fibre Channel over Ethernet (FCoE): A form of network-data storage solution (SAN or NAS) that allows for high-speed file transfers upward of 128 GBps. It operates at layer 2. Although FC typically needs its own wiring, FCoE can use existing network infrastructure (assuming you have 10 Gbps Ethernet). It will operate at layer 3. Fibre Channel over IP (FCIP) is the SAN equivalent of VoIP.
–Multiprotocol Label Switching (MPLS): A high-throughput high performance network technology that directs data across a network based on short path labels instead of longer network addresses. This saves significant time. It can handle many protocols.
–Internet Small Computer System Interface (iSCSI): A networking storage standard based on IP that operates at layer 3. Can be used to enable location-independent file storage, transmission, and retrieval. Low-cost alternative to FCoE.
What is microsegmentation?
Networks are usually segmented or subdivided into smaller organizational units. Segmentation can boost performance, reduce congestion, and provide security by isolating traffic and user access.
Segments can be created using switch-based VLANs, routers, or firewalls. A private LAN or intranet, screened subnet, and an extranet are examples of network segments.
Out of band pathways create a separate and distinct network structure for traffic that would otherwise interfere with the production network or be put at risk on the production network. Secondary network paths may be created to support data storage traffic, VoIP, backup data, patch distribution, and management operations.
Microsegmentation is dividing an internal network into numerous subzones, potentially as small as a single device. This could be a high-value server or client. Each zone is separated by internal segmentation firewalls (ISFWs), subnets, VLANs, or other virtual networking solutions. All communications between zones are required to authenticate, require session encryption, and may be subject to allowlisting and blocklisting. In some cases, communication must be encapsulated for egress.
Virtual eXtensible LAN (VXLAN) is an encapsulation protocol that allows VLANs to be stretched across subnets and geographic distances. VLANs are typically restricted to layer 2 network areas and are not able to include members from other networks. VXLAN allows for up to 16 million virtual networks, whereas traditional VLANs only support 4,096. Defined in RFC 7348.
What are the generations of wireless?
802.11: 2 Mbps, 2.4 GHz
802.11a: Wi-Fi 2, 54 Mbps, 5 GHz
802.11b: Wi-Fi 1, 11 Mbps, 2.4 GHz
802.11g: Wi-Fi 3, 54 Mbps, 2.4 GHz
802.11n: Wi-Fi 4, 200 plus Mbps, either 2.4 or 5 GHz
802.11ac: Wi-Fi 5, 1 Gbps, 5 GHz
802.11ax: Wi-Fi 6 or 6E, 9 Gbps, 1-5/1-6 GHz
What are the wireless deployment modes?
Wi-Fi can be deployed in either ad hoc (peer-to-peer) mode or infrastructure mode.
Ad hoc means any two wireless devices can communicate without a centralized control authority (base station or AP). Wi-Fi Direct is an upgraded version that supports WPA2 and WPA3; the original only supported WEP.
Infrastructure mode requires a WAP. It has several variations, including standalone, wired extension, enterprise extended, and bridge.
–Standalone mode is when there is a WAP connecting wireless clients to one another but not to any wired devices.
–Wired extension mode is when the WAP acts as a connection point to link the wireless clients to the wired network.
–Enterprise extended mode is when multiple WAPs are used to connect a large physical area to the same network. Each WAP will use the same extended SSID so that clients can roam the area while maintaining network connectivity, even while their wireless NICs change associations from one WAP to another.
–Bridge mode is when a wireless connection links wired networks.