Chapter 12 Secure Communications and Network Attacks Flashcards
What is Point to Point Protocol?
Point-to-Point Protocol (PPP) is an encapsulation protocol designed to support the transmission of IP over dial-up or point-to-point links. It is a data link layer protocol that allows for multivendor interoperability of WAN devices. Rarely found today, but was the foundation of which many modern protocols are based. Includes the assignment and management of IP addresses, management of synchronous communications, encapsulation, multiplexing, link configuration, link quality testing, error detection, and compression. It replaced Serial Line Internet protocol, which had no authentication and was only half duplex.
Origninal authentication options for PPP were:
–Password Authentication Protocol (PAP): Transmitted credentials in cleartext. Was simply a means to transport them from the client to the authentication server.
–Challenge Handshake Authentication Protocol (CHAP): Reforms authentication using a challenge-response dialogue that cannot be replayed. The challenge is a random number issued by the server; the client uses that along with the password hash to compute a one-way function derived response. It also periodically reauthenticated the remote system. Since it was based on MD5, no longer considered secure. Microsoft created MS-CHAPv2 with updated algorithms
–Extensible authentication protocol (EAP): A framework for authentication instead of an actual protocol. It allows customized authentication solutions, such as smartcards, tokens, and biometrics. It originally assumed secured pathways, and not all forms use encryption. 802.1X defines the use of encapsulated EAP to support a wide range of authentication options for LAN connections. The standard is formally known as the ““Port-Based Network Access Control,”” where port refers to any network link, not just physical ones. 802.1X is not a wireless technology, it is an authentication technology that can be used in WAPs, firewalls, routers, switches, proxies, Vpn gateways, and remote access servers. When it is in use, it makes a port-based decision on whether to allow or deny a connection. it is vulnerable to MiTm and hijacking attacks because authentication occurs after the connection is established. This can be addressed through periodic mid-session re authentication and implementing session encryption.
What are the important EAP derivatives?
Lightweight Extensible Authentication Protocol (LEAP): Was a Cisco proprietary alternative to TKIP. Avoid it now.
Protected Extensible Authentication Protocol (PEAP): Encapsulates EAP in a TLS tunnel. Preferred to EAP because it has its own security. Supports mutual authentication.
Subscriber Identity Module (EAP-SIM) A means of authenticating mobile devices over GSM. Each device has a SIM card.
Flexible Authentication via Secure Tunneling (EAP-FAST): Cisco proprietary protocol proposed to replace LEAP, which is obsolete because of WPA2.
EAP-MD5 was an early EAP method; it is now deprecated.
EAP Protected One-Time Password (EAP-POTP): supports the use of OTP tokens in MfA for use in one-way and mutual authentication.
EAP TLS is an open IETF standard that is an implementation of the TLS protocol for use in protecting authentication traffic. It is most effective when both the client and server have a digital certificate.
EAP Tunneled TLS (EAP-TTLS) is an extension of EAP-TLS that creates a VPN-like tunnel between endpoints prior to authentication. This assures that even the username is not transmitted in clear text.
What is DISA?
Direct inward system access. It adds authentication requirements to all external connections to the PBX.
What are the four types of remote access?
Four types of remote access techniques:
—service specific (gives the ability to remotely control a single service, such as email);
—remote control (gives the user ability to fully control a remote system);
—remote note operation (establishing a direct connection via wireless, VPN, or dialup); and
—screen scraper (can refer to remote control, remote access, or remote desktop services, or to a technology allowing an automated tool to interact with a human interface)
How does load balancing work?
Goal is to obtain a more optimal utilization, minimize response time, maximize throughput, and eliminate bottlenecks. Load balances accomplish this in various ways.
–Random choice: each packet or connection is assigned a destination randomly.
–Round robin—assigned to the next destination in order.
–Loading monitoring: device with the lowest current load is assigned.
–Referencing assigned based on a subjective preference or known capacity difference.
–Least connections: which one has the fewest active connections. Locality based on distance from the load balancer, or based on previous connections to the same client.
This can be done either through software or hardware, and can include features like caching, TLS offloading (removing encryption), compression, buffering, etc
Describe email security solutions.
S/MIME is an email security standard that offers authentication and confidentiality to email through public key encryption, digital envelopes, and digital signatures. Authentication is provided through X.509 digital certificates issued by trusted CAs. Privacy is issued through Public Key Cryptography standard (PKCS) encryption. Signed messages provide integrity, sender authentication, and nonrepudiation; enveloped messages add recipient authentication and confidentiality.
PGP is a peer-to-peer public-private key-based email system. It is not a standard but rather an independently developed product.
DomainKeys Identified Mail (DKIM) is a means to assert that a valid mail is sent by an organization through verification of domain name identity.
Sender Policy Framework (SPF) is a way that organizations can configure their SMTP servers to protect against spam and email spoofing. SPF checks that inbound messages originate from a host authorized to send them.
Domain Message Authentication Reporting and Comformance (DMARC) is a DNS-based email authentication system intended to protect against BEC, phishing, and other scams. Email servers can verify if a received message is valid via DNS-based instructions.
STARTTLS (aka explicit TLS or opportunistic TLS) will attempt to start up an encrypted connection with the target email server. The encrypted connection is on port 587. it can be used with IMAP connections; POP3 uses STLS commands.
Implicit SMTPS is the TLS-encrypted form of SMTP, which assumes the target server supports TLS. If it does, it opens a connection on TCP port 465. If not, connections are terminated.
Consider blocking all attachments or those with extensions known to be used for malicious activity. use email reputation filtering, which grad email services based on how often they are abused.
What is a VPN concentrator?
Dedicated hardware device that is designed to support hundreds or thousands of connections.
What is VPN tunneling?
The network communications process that protects the content of protocol packets by encapsulating them in packets of another protocol. As data is transmitted from one system to another across a VPN link, the normal LAN TCP/IP traffic is encapsulated in the VPN protocol. The VPN acts like a security envelope that provides special delivery capabilities and security. It is akin to sending a letter—you have your letter, the primary content protocol packet—and place it in an envelope.
Tunneling helps you bypass firewalls, gateways, proxies, and other traffic control devices. Tunneling is often used to enable communications between otherwise disconnected systems. It protects the contents of the inner packets by encasing, or wrapping, them in an authorized protocol. For example, the network might not make the primary protocol routable. Encapsulation is generally an insufficient means of communicating, as it introduces more error detection, handling, session management, etc. Larger/additional packets consume bandwidth. It’s not designed to handle broadcast traffic.
What is the difference between transport mode and tunnel mode?
VPNs can connect systems or individual devices. Transmitted data is only protected while within the VPN tunnel. Remote access servers or firewalls on the network border serve as start and end points, so traffic is unprotected within the source LAN and within the destination LAN.
For VPNs in transport mode, links are anchored at the individual hosts connected together. For example, with IPsec, there is encryption for the payload but not the header. This is known as a host-to-host VPN or an end-to-end encrypted VPN. Best to only use on a trusted network.
With tunnel mode, the links terminate at VPN devices on the boundaries of connected devices. IPsec would provide protection for both the payload and the header. It adds its own, unencrypted IPsec header. Tunnel mode can be used to connect two networks across the Internet (site-to-site VPN) or to allow two distant clients to connect into an office LAN (remote access VPN). A remote access VPN is a variety of site-to-site, and is also known as link encryption VPN.
What is the difference between a split and a full tunnel?
A split tunnel allows VPN-connected clients to access both the organization network over the VPN and the Internet directly. This can be a security risk, since it allows an open pathway from the Internet to the internal network via the client. A full tunnel is a VPN configuration in which all of the client’s traffic is sent via the VPN link, and Internet-bound traffic is routed out via the normal network proxy.
What is PPTP?
Point to Point Tunneling Protocol is an obsolete encapsulation protocol developed from the dial-up Point to Point protocol. It operates at Layer 2 on TCP Port 1723 and is used on IP networks.
It offered authentication via PAP, CHAP, EAP or MS-CHAPv2. The initial tunnel negotiation process is not encrypted, meaning the session establishment packets include the IP address of the sender and receiver, as well as their usernnames and hashed passwords. Modern versions have adopted MS-CHAPv2, which supports encryption using MS point-to-point encryption (MPPE) and supports various secure authentication options.
What is L2TP?
Layer 2 Tunneling Protocol. Combined features of PPTP and Cisco’s Layer 2 Forwarding (L2F). It became an Internet standard. Uses UDP port 1701. Since it operates at Layer 2, it ca support any layer 3 networking protocol.
Can reply on PPP’s supported authentication protocols, including 802.1X. This allows L2TP to leverage available AAA servers, such as RADIUS or TACACS+. It does not offer native encryption but supports the use of payload encryption protocols.
Can SSH be used as a VPN?
Yes, but it is limited to transport mode. OpenSSH is one example.
What is OpenVPN?
A TLS-based VPN.
What is IPsec?
AKA Internet Protocol Security. Standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6. Only works with IP networks.
–Authentication Header (AH) provides assurances of message integrity and nonrepudiation. Primary authentication mechanism for IPsec, implements session access control, and prevents replay attacks.
–Encapsulating Security Payload (ESP) provides confidentiality and integrity. It provides encryption, limited authentication, and prevents replay attacks. ESP can establish its own links without AH and can operate in either transport mode or tunnel mode.
–Hash-based message authentication (HMAC) is the primary integrity mechanism.
–IP Payload Compression (IPComp) compresses data prior to encryption to speed up transmission.
IPsec uses PKI and symmetric cryptography. It uses Internet Key Exchange (IKE) to manage it. It consists of OAKLEY (a key generation and exchange protocol similar to DH), SKEME (Secure Key Exchange Mechanism, which is similar to a digital envelope), and ISAKMP (Internet Security Association and Key Management Protocol, which is used to organize and manage the security keys).
A security association is the agreed-on method of authentication and encryption used by two entities. Each IPsec VPNH used two security association one for encrypted transmission and one for reception. Thus, it has two simplex communication channels.
