Chapter 2 - Telecommunications and Network Security Flashcards
Network layering models
OSI reference model - structured into 7 layers; TCP/IP or Department of Defense (DoD) model - structured into 4 layers. Encapsulation is common to both: each layer is isolated on a technical level and operates independently of the others.
OSI - Open Systems Interconnection, defined in 1984 as ISO/IEC 7498-1. Latest revision 1994.
Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer
OSI - Physical Layer - Layer 1
describes the networking hardware - electrical or optical signals and raw bits - such as network interfaces and cabling. Repeaters and hubs are the communication transfer devices at this layer.
OSI - The Data-Link Layer - Layer 2
describes data transfer between directly connected machines, for instance over Ethernet - prepares the packet it receives from the network layer for transmission as frames on the medium, detects errors in frames (e.g., CRC), and converts frames to bits for the physical layer. Has two sublayers: Logical Link Control (LLC) - manages connections between peers; Media Access Control (MAC) - transmits and receives frames between peers. Moves data to the next physically connected device. SLIP, CSLIP and PPP operate at this layer.
OSI - Network Layer - Layer 3
describes data transfer between machines that are not physically connected, for instance by the Internet Protocol (IP). Uses logical addressing - IP is the most important network layer protocol. IP uses the destination IP address to route packets through networks (addressing). Fragmentation - IP subdivides a packet if its size exceeds the maximum allowed on a link (MTU). Routers operate at this layer. Does not guarantee error-free delivery. ICMP and IGMP are at this layer. The single unit of IP data is a datagram.
OSI - Transport Layer - Layer 4
describes end-to-end data transfer between applications - flow control and error detection and correction, for instance by TCP - end-to-end transport between hosts. User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) are the important transport layer protocols. TCP provides reliable, ordered delivery (acknowledgments and retransmission) but does not provide confidentiality. The unit of TCP data is a segment. Controls the rate of packet transfer (flow control). End to end.
OSI- Session Layer - Layer 5
describes the handshake between applications, for instance an authentication process - a logical persistent connection between peer hosts - responsible for creating, maintaining and tearing down the session. Full duplex - both hosts can exchange information simultaneously and independently; half duplex - hosts can exchange information but only one host at a time; simplex - only one host can send information to its peer, information travels in one direction only. Together with the Presentation layer it can provide end-to-end security.
OSI - Presentation Layer - Layer 6
describes the presentation of information, such as ASCII syntax - assures peer applications use a common format to represent data. Services: data conversion, character code translation, compression, encryption and decryption. Two service-element groups are often listed with it: CASE - common application service elements, generic services such as association control; SASE - specific application service elements, application-specific services. Note that ISO defines CASE and SASE within the Application layer structure, not the Presentation layer. Together with the Session layer it can provide end-to-end security.
OSI - Application Layer - Layer 7
describes the structure, interpretation and handling of information. In security terms it is relevant because it relies on all underlying layers. From the point of view of the (ISC)2 Common Body of Knowledge, the application layer is covered in the Operations section. Portal to network-based services - determining the identity and availability of remote applications. HTTP, FTP, SMTP. Can provide non-repudiation services and data integrity (e.g., digital signatures).
RIP in Layer 3
Routing Information Protocol - distance-vector; uses only hop count as its routing metric
OSPF in layer 3
Open Shortest Path First - link-state; requires more CPU power and memory than RIP but converges faster
Border Gateway Protocol in Layer 3 (BGP)
allows fully decentralized routing - exchanges routing information between gateway hosts of different autonomous systems (the inter-domain routing protocol of the Internet)
ICMP in layer 3
Internet Control Message Protocol - means to send error messages and to probe network at Network layer.
TCP three-way handshake
client sends a SYN segment, server replies with SYN and ACK, client sends an ACK. A stateful packet filter tracks this handshake to decide which later packets belong to an established connection.
TCP/IP Reference Model
Link Layer, network layer, transport layer, application layer
Link layer
physical communication and framing on the local link - covers OSI layers 1 & 2
Network Layer
Covers OSI layer 3
Transport layer
covers OSI layer 4
Application Layer
Covers OSI layers 5,6,7
IP addresses
four octets (32 bits), each in the range 0-255; two parts: the network number and the host. Network numbers are allocated through ICANN/IANA and the regional registries. The host part identifies the network interface within the network.
Class of IP Addresses for Network number
Class A - 1-127 (1 octet network; 127 is reserved for loopback) Class B - 128-191 (2 octets) Class C - 192-223 (3 octets) Class D - 224-239 (multicast) Class E - 240-255 (reserved)
Class A - computer's loopback address
127.0.0.1 (the whole 127.0.0.0/8 block is reserved) - troubleshooting at machine level; traffic to it never leaves the host
IPV6
Modernization of IPv4 (32-bit addresses). IPv6 addresses are 128 bits, giving 2^128 possible addresses.
TCP and UDP
map data connections through the association of port numbers managed by the Internet Assigned Numbers Authority (IANA). Port numbers are 16 bits long, so 65,536 (2^16) ports exist. TCP is connection-oriented; UDP is not.
Well known ports
0 through 1023 - used by privileged processes and users
Registered ports
1024-49151 - can be registered with IANA by application developers but are not controlled or assigned by IANA; ordinary users, who may lack the privileges to bind a well-known port, can run applications on these
Dynamic or Private Ports
49152 -65535 can be freely used by applications; one typical use for these ports is initiation of return connections for requested data or services.
User Datagram Protocol
UDP - lightweight service for connectionless data transfer; no acknowledgment, retransmission or flow control (only an optional checksum) - with no handshake to validate the peer, it is easy prey for spoofing techniques.
RFC 3550
Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) - media streaming over UDP
MBone and RFC 2960
MBone - the multicast backbone, an experimental overlay network for IP multicast. RFC 2960 defines the Stream Control Transmission Protocol (SCTP), a reliable message-oriented transport sometimes described as "reliable UDP".
Extranet
differs from a DMZ - it is made available to authenticated connections - where DMZ hosts publicly available resources that support unauthenticated connections.
DHCP
Dynamic Host Configuration Protocol - automatically assigns IP addresses to workstations
RFC 3118
replaces normal DHCP messages with authenticated ones.
ICMP
Internet Control Message Protocol - exchange of control messages between hosts and gateways; used by diagnostic tools such as ping and traceroute - can be leveraged for reconnaissance, man-in-the-middle (ICMP redirect) and denial-of-service attacks.
ping of death
Many operating systems would crash or become unstable upon receiving an ICMP echo request whose fragments reassembled to more than the maximum IPv4 packet size of 65,535 bytes, overflowing the reassembly buffer.
IGMP
Internet Group Management Protocol - manages multicasting groups. Version 1 - periodically sends queries to hosts, Version 2 - two types of queries: general and group-specific. Version 3 - specifies sources
RIP
Routing Information Protocol - dynamic distance-vector routing designed for small networks - uses hop count; the best route must be 15 hops or fewer (16 = unreachable). Version 1 cannot be used in a network with different subnet masks (classful), exchanges the entire route table every 30 seconds, and cannot verify the trustworthiness of updates. Version 2 allows different subnet masks (classless) and adds RFC 2082 MD5 authentication.
VRRP
Virtual Router Redundancy Protocol - supports automatic failover - appears as a physical router.
DNS
Domain Name System - supports the use and resolution of e-mail and WWW addresses. Prominent target of attacks. Port 53 (UDP for most queries, TCP for zone transfers and large responses). RFC 882, 1034, 1035.
LDAP
Lightweight Directory Access Protocol - manages user information; loosely based on X.500, acts as a front end. Uses backends like NIS, Active Directory, Java System Directory. Weak authentication when based on host name resolution. Port 389, RFC 1777 (LDAPv2). Clear text - easily intercepted. Deployment over SSL/TLS (LDAPS, port 636) provides authentication, integrity and confidentiality.
NetBIOS
Network Basic Input Output System. Port 137 (UDP, name service), 138 (UDP, datagram service) and 139 (TCP, session service). Port 135 (TCP) is the Microsoft RPC endpoint mapper.
NIS and NIS +
Network Information Service - manages user credentials and other maps (passwd, group, hosts) across UNIX hosts; NIS+ adds authentication and access control
CIFS/SMB
Common Internet File System / Server Message Block - file and print sharing on Windows - user-level and share-level security
NFS
Network file system - file sharing UNIX
SMTP/ESMTP
Simple Mail Transfer Protocol & Extended (Enhanced) SMTP - used to route e-mail, port 25/TCP, routing managed through DNS mail exchange (MX) records - robust, but the original has nonexistent authentication and no encryption. ESMTP offers extensions such as authentication (AUTH) and STARTTLS.
FTP
File Transfer Protocol - publishing data over the Internet, port 20 - data, port 21 - control, RFC 959. Original: clear text, simple authentication. FTP over TLS (FTPS) encrypts the session, RFC 4217; SFTP - not FTP at all but uses Secure Shell to transfer files - encrypts both commands and data.
HTTP
Hypertext Transfer Protocol - port 80, RFC 1945, 2109, 2616 - carries HTML and other content - does not itself provide encryption and offers only simple authentication (Basic/Digest); HTTPS adds TLS, port 443.
SCADA
Supervisory Control and Data Acquisition - systems designed to operate over several different communication methods including modems, WANs and various networking equipment; many of the protocols were not designed with authentication or encryption.
Dual Homed Host
has two network interface cards - each on a separate network
Bastion Host
serves as a gateway between a trusted and an untrusted network - a hardened central host that is exposed to and must resist attack
Hubs
all connected devices receive each other's traffic (one collision domain, so any host can sniff the rest); single point of failure
Bridges
Layer 2 devices that forward or filter traffic based on MAC addresses. IEEE 802.1D
Routers
read destination Layer 3 addresses
Twisted Pair
Cat 1 - less than 1 Mbps; Cat 2 - less than 4 Mbps; Cat 3 - 16 Mbps; Cat 4 - 20 Mbps; Cat 5 - 100 Mbps; Cat 5e - 1000 Mbps; Cat 6 - 1000 Mbps (10 Gbps over short runs). Shielded (STP) and unshielded (UTP) - copper wires twisted together; UTP does not require fixed spacing.
Coaxial Cable
one thick conductor surrounded by a grounding braid of wire in a protective sheath - greater bandwidth and longer cable lengths, expensive and difficult to bend. Requires fixed spacing
Patch Panel
devices are connected to a patch panel instead of directly connecting to other devices
DSSS
Direct-Sequence Spread Spectrum - wireless technology spreads signal over a wider band
FHSS
Frequency-Hopping Spread Spectrum spreads signal over rapidly changing frequencies
CDMA
Code Division Multiple Access - wireless access method mostly used for cellular technology. CDMA2000 1xRTT - rate of 153.6 kbps.
GSM
Global System for Mobile Communications - most widely deployed cellular technology
Open System Authentication
most basic form of 802.11 authentication - any client may associate; no credential is checked
Shared Key Authentication
the client encrypts a challenge with the WEP key shared between the access point and the wireless client - the exchange exposes keystream, and WEP itself can be cracked by an attacker in a very short time.
WiFi Protected Access
WPA - RC4 with 128-bit keys under the Temporal Key Integrity Protocol (TKIP) - uses a different key for each packet - mutual authentication (802.1X/EAP or a pre-shared key). WPA2 is certified against IEEE 802.11i and uses AES-CCMP.
EAP-TLS
Extensible Authentication Protocol - Transport Layer Security - mutual authentication with digital certificates on both server and client - strongest option but considered too much overhead because every client needs a certificate
EAP_TTLS
Tunneled TLS - a server-side digital certificate builds a TLS tunnel; no client-side certificate, the client authenticates inside the tunnel with a legacy method - simpler but less secure than EAP-TLS
EAP-PEAP
Protected EAP - similar to EAP-TTLS: server certificate only, client credentials (e.g., MSCHAPv2) carried inside the TLS tunnel; no client digital certificate
IEEE 802.11
802.11b - legacy, the first widely deployed WiFi; 2.4 GHz, 11 Mbps. 802.11a - 5 GHz, 54 Mbps, not compatible with b. 802.11g - frequency band of b (2.4 GHz) and speed of a (54 Mbps); compatible with b.
Bluetooth
short range low-power wireless specification
ARP
Address Resolution Protocol - given a Layer 3 IPv4 address, determines the Layer 2 MAC address - maps 32-bit IPv4 addresses to 48-bit hardware addresses. Requires no authentication, so replies can be forged (ARP spoofing / cache poisoning). RARP - the reverse: finds an IP address for a known MAC address.
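Worked example, added to these notes and not part of the original flashcards: a passive ARP monitor in Python that shows why the lack of authentication matters. It remembers the first IP-to-MAC binding seen in a reply and alerts when a later reply claims a different MAC for that IP, or when one MAC answers for several IPs (the footprint of an attacker poisoning both the gateway entry and a victim's entry). The addresses, MACs and packet sequence are constructed for the demo, not captured traffic.

```python
"""Passive ARP monitor (added example): flag IP-to-MAC binding changes and one MAC
answering for several IPs, the usual signs of ARP spoofing. Packets are constructed."""
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


class ArpMonitor:
    def __init__(self):
        self.bindings = {}                     # ip -> first MAC seen claiming it
        self.ips_by_mac = defaultdict(set)     # mac -> set of IPs it has claimed
        self.alerts = []

    def observe(self, sender_ip, sender_mac, opcode):
        """Feed one ARP packet. Returns the list of alerts it raised (possibly empty)."""
        found = []
        if opcode != ARP_REPLY:
            return found                       # requests do not assert a binding
        sender_mac = sender_mac.lower()
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac   # first claim wins: ARP has no way to verify it
        elif known != sender_mac:
            found.append(f"binding change: {sender_ip} was {known}, now claimed by {sender_mac}")
        self.ips_by_mac[sender_mac].add(sender_ip)
        if len(self.ips_by_mac[sender_mac]) > 1:
            found.append(f"{sender_mac} claims multiple IPs: {sorted(self.ips_by_mac[sender_mac])}")
        self.alerts.extend(found)
        return found


def run_demo():
    """Replay a constructed sequence: normal replies, then an attacker poisoning two entries."""
    mon = ArpMonitor()
    packets = [  # (sender_ip, sender_mac, opcode)
        ("192.168.1.1",  "AA:BB:CC:00:00:01", ARP_REPLY),    # gateway answers normally
        ("192.168.1.20", "AA:BB:CC:00:00:20", ARP_REPLY),    # victim host answers normally
        ("192.168.1.1",  "AA:BB:CC:00:00:01", ARP_REQUEST),  # a request: no binding recorded
        ("192.168.1.1",  "AA:BB:CC:00:00:66", ARP_REPLY),    # attacker claims the gateway IP
        ("192.168.1.20", "AA:BB:CC:00:00:66", ARP_REPLY),    # ... and the victim's IP (full MITM)
    ]
    for ip, mac, opcode in packets:
        mon.observe(ip, mac, opcode)
    return mon


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```

A real monitor (arpwatch does exactly this) would learn from captured frames; the logic is the same. Keeping the first binding rather than the latest is a detection choice: it means the monitor's own view is not silently overwritten by the attacker.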
PPP
Point-to-Point Protocol - used to connect a device to a network over a serial line. ISPs use PPP to give dial-up users access to the Internet - supports authentication via Password Authentication Protocol (PAP, clear text), Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP)
Broadband wireless
IEEE 802.16 WiMAX - 2 Mbps to 10 Mbps - allows users to connect to wireless base stations miles from where they are located and obtain MAN access. Uses AES to protect confidentiality, with authentication options including EAP
Fiber Optics
uses glass or plastic strands to carry light - components: light source, optical cable and light detector. 40 Gbit/s and beyond; not easily tapped (no electromagnetic emanation; a tap requires bending or splicing the fiber, which is detectable)
Firewalls
filters traffic based on a set of rules that enforce administrative security policy. Placed between entities in different trust domains. Complex to administer and manage. Filter by address or service (port). A firewall host should not mount file systems via NFS. Third-generation firewalls - stateful inspection.
NAT
Network Address Translation - changes the source address of outgoing packets to a different (public) address and reverses the mapping for replies. PAT (port address translation, NAT overload) - also rewrites the source port of each packet to a unique value, so many inside hosts can share one public address
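Worked example, added here and not from the original notes: a minimal PAT table in Python. Outbound packets from inside hosts get the single public address and a unique source port from the dynamic range; replies are mapped back by that port; an inbound packet with no matching entry is dropped, which is why NAT incidentally blocks unsolicited inbound connections. The public address 203.0.113.5 and the inside hosts are constructed documentation-range values (RFC 5737).

```python
"""Port address translation (PAT / NAT overload) table, added example.
Addresses come from documentation ranges and are constructed for the demo."""

PUBLIC_IP = "203.0.113.5"   # the one public address all inside traffic is translated to


class PortAddressTranslator:
    def __init__(self, public_ip=PUBLIC_IP, first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port   # hand out translated ports from the dynamic/private range
        self.out_map = {}             # (proto, src_ip, src_port, dst_ip, dst_port) -> public port
        self.in_map = {}              # (proto, public_port, remote_ip, remote_port) -> (src_ip, src_port)

    def outbound(self, pkt):
        """Translate an inside->outside packet (dict: proto, src_ip, src_port, dst_ip, dst_port)."""
        key = (pkt["proto"], pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        public_port = self.out_map.get(key)
        if public_port is None:                      # first packet of this flow: allocate a port
            public_port = self.next_port
            self.next_port += 1
            self.out_map[key] = public_port
            reverse_key = (pkt["proto"], public_port, pkt["dst_ip"], pkt["dst_port"])
            self.in_map[reverse_key] = (pkt["src_ip"], pkt["src_port"])
        return {**pkt, "src_ip": self.public_ip, "src_port": public_port}

    def inbound(self, pkt):
        """Translate an outside->inside packet. Returns the rewritten packet, or None when
        no flow matches (unsolicited inbound traffic has nowhere to go and is dropped)."""
        key = (pkt["proto"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
        inside = self.in_map.get(key)
        if inside is None:
            return None
        return {**pkt, "dst_ip": inside[0], "dst_port": inside[1]}


def demo():
    nat = PortAddressTranslator()
    server = "198.51.100.80"
    # Two inside hosts happen to pick the same source port; PAT keeps them apart by public port.
    a_out = nat.outbound({"proto": "tcp", "src_ip": "192.168.1.10", "src_port": 40000,
                          "dst_ip": server, "dst_port": 443})
    b_out = nat.outbound({"proto": "tcp", "src_ip": "192.168.1.11", "src_port": 40000,
                          "dst_ip": server, "dst_port": 443})
    # Reply for host B's flow, addressed to the public IP and the port PAT handed out.
    b_reply = nat.inbound({"proto": "tcp", "src_ip": server, "src_port": 443,
                           "dst_ip": PUBLIC_IP, "dst_port": b_out["src_port"]})
    # Unsolicited SYN from the Internet to the public address: no state, dropped.
    stray = nat.inbound({"proto": "tcp", "src_ip": "203.0.113.99", "src_port": 5555,
                         "dst_ip": PUBLIC_IP, "dst_port": 8080})
    return a_out, b_out, b_reply, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Real implementations also age entries out and handle protocols that embed addresses in the payload (FTP, SIP) with application-layer gateways; the flow-keyed table above is the core of every one of them.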
Static packet filtering
examines each packet in isolation against static header criteria (addresses, ports, protocol) - blocking all packets to TCP port 79 (finger) is an example
Stateful Inspection or Dynamic Packet Filtering
examines each packet in the context of its session (a connection table), allowing dynamic adjustment of what is permitted - e.g., return traffic is admitted only for connections an inside host initiated
Proxies
mediates communications between untrusted endpoints and trusted endpoints - creates the illusion that the traffic originated from the proxy firewall, hiding the trusted internal client from potential attackers
IPSec
IP Security is a suite of protocols for communicating securely over IP by providing mechanisms for authentication and encryption. Transport mode - host to host (e.g., client to server), protects only the payload; tunnel mode - gateway to gateway (e.g., firewall to firewall), encapsulates the whole original packet. HAIPE is an extension of IPsec. The system does not pick security protocols per packet on its own; they are fixed by policy and the negotiated security association.
AH
Authentication Header - proves the identity of the sender and ensures that the transmitted data has not been tampered with, using a keyed hash (HMAC) over the payload and the immutable fields of the IP header - ensures integrity and origin authentication, not confidentiality. Because the source address is covered, AH does not survive NAT. Encapsulating Security Payload (ESP) provides integrity and confidentiality.
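Worked example, added here and not part of the original notes: how an AH integrity check value (ICV) is built and what it does and does not protect. The IPv4 header layout and the list of mutable fields follow RFC 4302; HMAC-SHA-256-128 (RFC 4868) is one algorithm AH can negotiate and is used for illustration; the key, addresses and payload are constructed, and the header checksum is left at zero because it is masked anyway. The demo shows that a router decrementing TTL leaves the ICV valid, while a NAT rewriting the source address or any change to the payload breaks it, and that the payload itself travels in the clear.

```python
"""IPsec AH integrity check value, added example. Key, packet and addresses are constructed."""
import hashlib
import hmac
import struct

AH_PROTO = 51                                   # IP protocol number for AH
KEY = b"constructed-demo-key-do-not-reuse"      # a real key would come from IKE


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src, dst, ttl, payload_len):
    """20-byte IPv4 header without options. Header checksum left at 0 (mutable, masked below)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, AH_PROTO, 0, ip_to_bytes(src), ip_to_bytes(dst))


def mask_mutable(header):
    """Zero the fields RFC 4302 treats as mutable in transit: DSCP/ECN, flags and fragment
    offset, TTL, header checksum. Addresses and everything else stay covered by the ICV."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, header, payload, spi=0x1000, seq=1):
    """ICV = HMAC(masked IP header || AH header with ICV zeroed || payload), truncated to 128 bits."""
    # AH fixed part: next header (6 = TCP), length in 32-bit words minus 2, reserved, SPI, sequence
    ah_header = struct.pack("!BBHII", 6, 5, 0, spi, seq) + b"\x00" * 16
    mac = hmac.new(key, mask_mutable(header) + ah_header + payload, hashlib.sha256).digest()
    return mac[:16]


def ah_verify(key, header, payload, icv, spi=0x1000, seq=1):
    return hmac.compare_digest(ah_icv(key, header, payload, spi, seq), icv)


def demo():
    payload = b"GET /secret HTTP/1.0\r\n\r\n"          # constructed; AH sends it readable
    sent = ipv4_header("10.0.0.5", "198.51.100.7", ttl=64, payload_len=len(payload))
    icv = ah_icv(KEY, sent, payload)

    after_router = ipv4_header("10.0.0.5", "198.51.100.7", ttl=63, payload_len=len(payload))   # TTL decremented
    after_nat = ipv4_header("203.0.113.5", "198.51.100.7", ttl=63, payload_len=len(payload))   # source rewritten
    tampered = payload.replace(b"/secret", b"/public")                                          # same length
    return {
        "ttl_decrement_ok": ah_verify(KEY, after_router, payload, icv),   # mutable field: still valid
        "nat_rewrite_ok": ah_verify(KEY, after_nat, payload, icv),        # covered field: fails
        "payload_tamper_ok": ah_verify(KEY, sent, tampered, icv),         # fails
        "payload_in_clear": b"/secret" in payload,                        # integrity, not confidentiality
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

This is also the whole argument for ESP (with its optional integrity check) over AH in practice: ESP's ICV does not cover the outer IP header, so it works through NAT with NAT traversal, and it can encrypt the payload that AH leaves visible.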
ESP
Encapsulating Security Payload - encrypts IP packets and (optionally) ensures their integrity; its integrity check does not cover the outer IP header, so with NAT traversal it works through NAT
Security Association
SAs are unidirectional (a two-way conversation needs two) and define the mechanisms - protocol, algorithms, keys, SPI - that an endpoint will use to communicate
IKE
Internet Key Exchange - Phase 1: the peers prove their identity to each other (pre-shared secret, public key encryption, the revised mode of public key encryption, or digital signature) and establish the IKE SA. Phase 2: the IPsec security associations are established. Like IPsec generally - authentication with pre-shared key, public key or certificate
PPTP
Point-to-Point Tunneling Protocol - relies on Generic Routing Encapsulation (GRE) to build the tunnel between endpoints - derives the encryption key (MPPE) from the user's password, so the tunnel is only as strong as that password
L2TP
Layer 2 Tunneling Protocol - allows a caller over a serial line using PPP to connect across the Internet to a remote network - does not provide encryption itself (commonly paired with IPsec as L2TP/IPsec)
SSH
Secure Shell allows users to securely access resources on remote computers over an encrypted tunnel - supports authentication
SOCKS
popular circuit-level proxy used to reach a remote server through a gateway - the gateway acts as a connection proxy at the session level without interpreting the application protocol
SSL/TLS
SSL 3.0 and TLS 1.0 (SSL 3.1) are closely related, TLS being the IETF successor; an implementation may negotiate down to SSL 3.0 if both sides allow it, which should be disabled. SSL/TLS is a session encryption tool - an SSL VPN, for instance, creates a tunnel back to the home office. Sits between the transport and application layers. Historically offered 40-bit (export) and 128-bit cipher suites. Server authentication by certificate is standard; client-side certificate authentication is optional. SSLv2 is obsolete and insecure.
XMPP
Extensible Messaging and Presence Protocol. Jabber is an open instant messaging protocol; the IETF formalized it as XMPP (RFC 3920).
IRC
Internet Relay Chat - IANA port 194 (6667 in common use), RFC 1459 - unencrypted
RADIUS
Remote Authentication Dial-In User Service - AAA (authentication, authorization, accounting) protocol used mainly for network access - dial-up, VPN, 802.1X - or similar services requiring centralized sign-on for Layer 3 access. UDP ports 1812 (authentication) and 1813 (accounting), RFC 2865; client and server share a secret
SNMP
Simple Network Management Protocol - UDP ports 161 (agent) and 162 (traps), RFC 1157 (v1). Designed to manage network infrastructure; v1 and v2c use clear-text community strings, v3 adds authentication and encryption
Telnet
Port 23, RFC 854, 855 - clear-text remote terminal; credentials and the whole session are visible on the wire
Virtual Network Terminal Services
used for remote access to server resources. Port 80 (TCP) or 443 (TCP, with TLS) - e.g., Citrix
BUS
is a lan with a central cable to which all nodes connect
Tree Topology
similar to BUS
Ring
CLosed loop technology
Mesh
all nodes are connected to every node
Star
all nodes connected to a central device
Ethernet
IEEE 802.3
Token RIng
IEEE 802.5
FDDI
Fiber Distributed Data Interface - uses two counter-rotating rings, one primary and one backup - 100 Mbps - has been supplanted by switched Ethernet
MPLS
Multiprotocol Label Switching - often referred to as an IP VPN - but does not include encryption services; traffic separation rests on the provider's label switching
ISDN
Integrated Services Digital Network - remote access with higher bandwidth (before DSL and cable modems) - at end of life
Point-toPoint Lines
expensive options - connects two end points - high bandwidth fiber cable
T1
multiplexes 24 DS0 channels (64 kbps each) over copper cable - 1.544 Mbps - T2 = 4 x T1, T3 = 7 x T2 (28 x T1, 44.736 Mbps), T4 = 6 x T3
X.25
allows users and hosts to connect through a modem to remote hosts via a packet-switched network - replaced by Frame Relay, DSL and ATM
Frame Relay
Economical alternative to circuit-switched networks - uses packet switching technology for WAN Connectivity.
ATM
Asynchronous Transfer Mode - 155 Mbps (OC-3) and higher - uses virtual circuits and fixed-size 53-byte cells
SLIP
serial line IP cannot be used for full duplex WAN
MNP
Microcom Networking Protocol - modem-level error correction and compression. Echoplex is an older error check in which the receiver echoes characters back for the sender to compare.
XDSL
1.544 - HDSL - two copper twisted pairs.
Ethernet
The unit of Ethernet data is a frame. Fast Ethernet 802.3u - 100 Mbps. The Ethernet access method is CSMA/CD. 100Base-TX Fast Ethernet - two pairs of Cat 5 UTP or Type 1 STP
Unicast
LAN transmission method - one sender to one receiver (versus broadcast to all nodes and multicast to a group)
POP3
Post Office Protocol version 3 - runs on TCP port 110 (995 with TLS); retrieves mail, credentials in clear text by default
IP Header Protocol Field
ICMP - 1, IGMP - 2, TCP - 6, UDP 17
X.400
OSI for message handling
Diverse routing
thru split cable or duplicate cable facilities
Telnet & Rlogin
both use TCP (ports 23 and 513) and send credentials in clear text
Screening Router
packet filter based on source & destination filter
CHAP
Challenge Handshake Authentication Protocol - three-way challenge/response; the password is never sent on the wire; re-challenges periodically during the session
Syn Attack
high number of half-open connections (SYN received, final ACK never arrives)
Macro Virus
embedded in application documents (e.g., Office macros) and spread as files; not a packet-based network attack, so it does not depend on packet size
Distributed Denial of Service
First Phase - compromise as many machines as possible. Components - client, handler, agent, target
VPN Software
tunneling software by itself does not encrypt; confidentiality depends on the protocol chosen (GRE or plain L2TP carry traffic in the clear)
Bots and Botnets
bots are zombie machines controlled remotely by a bot herder; botnets are the largest source of spam e-mail
Teardrop
IP fragments are constructed (overlapping, with the second ending inside the first) so that the target host calculates a negative fragment length during reassembly and crashes
Overlapping fragment attack
a later fragment overlaps and rewrites the transport header carried in the first fragment, subverting packet filters that inspect only the first fragment of a fragmented packet (RFC 1858).
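Worked example, added here and not part of the original flashcards, covering the IP header protocol field card and the teardrop and overlapping-fragment cards above: a Python parser for a raw IPv4 header that verifies the header checksum and reads the protocol field (1 ICMP, 2 IGMP, 6 TCP, 17 UDP), and a fragment sanity check that reports overlap, the teardrop condition (a fragment ending inside the previous one, which makes naive remaining-length arithmetic go negative) and fragments that land inside the transport header region. All packets are constructed by build_ipv4(); nothing is captured from a network.

```python
"""IPv4 header parsing and fragment sanity checks, added example. Packets are constructed."""
import struct

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
IP_MF = 0x2000   # more fragments flag
IP_DF = 0x4000   # don't fragment flag


def ipv4_checksum(data):
    """One's-complement sum of 16-bit words; over a valid header (checksum included) it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ident, payload_len, ttl=64, more_fragments=False, frag_offset=0):
    """Constructed 20-byte header with a correct checksum. frag_offset is in bytes (multiple of 8)."""
    flags_frag = (IP_MF if more_fragments else 0) | (frag_offset // 8)
    ip = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(raw):
    """Parse the fixed header. Raises ValueError on truncation, bad version/IHL or checksum."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(raw):
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ident": ident, "ttl": ttl,
        "protocol": proto, "protocol_name": PROTO_NAMES.get(proto, f"proto-{proto}"),
        "dont_fragment": bool(flags_frag & IP_DF),
        "more_fragments": bool(flags_frag & IP_MF),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "payload_len": total_len - ihl,
    }


def check_fragments(headers):
    """Findings for the parsed fragments of one datagram (same ident), in offset order."""
    findings = []
    prev_end = 0
    for h in sorted(headers, key=lambda h: h["frag_offset"]):
        start, end = h["frag_offset"], h["frag_offset"] + h["payload_len"]
        if start < prev_end:
            findings.append(f"overlap: fragment at {start} starts before previous end {prev_end}")
            if end < prev_end:      # fully inside the previous one: naive 'remaining' length goes negative
                findings.append(f"teardrop: fragment at {start} ends at {end} < {prev_end}")
            if 0 < start < 20:      # rewrites the TCP/UDP header a filter saw only in fragment 0
                findings.append(f"fragment at {start} overwrites transport header bytes")
        prev_end = max(prev_end, end)
    return findings


def demo():
    src, dst = "192.0.2.10", "198.51.100.20"     # documentation ranges, constructed
    tcp_syn = parse_ipv4(build_ipv4(src, dst, 6, 100, payload_len=20))
    benign = [parse_ipv4(build_ipv4(src, dst, 17, 200, 1480, more_fragments=True)),
              parse_ipv4(build_ipv4(src, dst, 17, 200, 100, frag_offset=1480))]
    teardrop = [parse_ipv4(build_ipv4(src, dst, 17, 300, 64, more_fragments=True)),
                parse_ipv4(build_ipv4(src, dst, 17, 300, 16, frag_offset=24))]
    overlap = [parse_ipv4(build_ipv4(src, dst, 6, 400, 24, more_fragments=True)),
               parse_ipv4(build_ipv4(src, dst, 6, 400, 24, frag_offset=8))]
    return {"syn_proto": tcp_syn["protocol_name"],
            "benign": check_fragments(benign),
            "teardrop": check_fragments(teardrop),
            "overlap": check_fragments(overlap)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The mitigation in real stacks and firewalls is the same check: reassemble (or at least track) fragments before filtering, and drop datagrams whose fragments overlap rather than trusting whichever copy arrives last.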
Source Routing Exploitation
the sender specifies the path (loose or strict source routing IP option) - lets an attacker steer replies through a chosen route or past address-based filters; routers and firewalls should drop source-routed packets
Smurf and Fraggle attacks
use directed broadcasts with a spoofed source address (the victim) so every host on the amplifier network replies to the victim, creating a DoS. Smurf misuses ICMP echo; Fraggle uses UDP (echo/chargen).
NFS Attacks
basic authentication method (AUTH_SYS - trusting the user and group IDs supplied by the client) is easy to exploit
Network News Transport Protocol security
NNTP - main shortcoming authentication
Finger User Information Protocol
returns a user's last login time and whether they are currently logged in (port 79) - information disclosure useful for reconnaissance
Network Time Protocol
NTP sychronizes computer clocks
DoS
overload with excessive traffic
Syn Flood Attack
DoS against the initial handshake - floods SYNs (usually with spoofed sources) so the target's connection table fills with half-open entries and legitimate connections are refused
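Worked example, added here and not part of the original flashcards, serving the three-way handshake, stateful inspection and SYN flood cards: a stateful packet filter's connection table driven by TCP flags, in Python. A bare SYN opens an entry, the SYN-ACK and the final ACK move it through the handshake, and any packet that does not fit its session's state is dropped (an ACK with no session, which a static filter would pass, is the classic case). The same table yields the half-open count a SYN-flood detector watches. Packets are constructed dicts; the threshold of 100 is a demo value.

```python
"""Stateful TCP filter with half-open (SYN flood) accounting, added example. Packets are constructed."""

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class StatefulFilter:
    def __init__(self, half_open_limit=100):
        self.table = {}                    # (client_ip, client_port, server_ip, server_port) -> state
        self.half_open_limit = half_open_limit

    def process(self, pkt):
        """Return 'accept' or 'drop' for one packet dict (src, sport, dst, dport, flags)."""
        flags = pkt["flags"]
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.table:
            key, from_client = fwd, True
        elif rev in self.table:
            key, from_client = rev, False
        elif flags == SYN:                 # only a bare SYN may open a new session
            self.table[fwd] = "SYN_SENT"
            return "accept"
        else:
            return "drop"                  # ACK/SYN-ACK/data with no session: a static filter would pass it

        state = self.table[key]
        if flags & RST:                    # either side aborts the session
            del self.table[key]
            return "accept"
        if state == "SYN_SENT" and not from_client and flags == SYN | ACK:
            self.table[key] = "SYN_RECEIVED"        # server answered; still half-open
            return "accept"
        if state == "SYN_RECEIVED" and from_client and flags & ACK and not flags & SYN:
            self.table[key] = "ESTABLISHED"         # third leg of the handshake
            return "accept"
        if state == "ESTABLISHED" and flags & ACK:
            if flags & FIN:
                self.table[key] = "CLOSING"         # simplified teardown
            return "accept"
        if state == "CLOSING" and flags & ACK:
            if flags & FIN:
                del self.table[key]
            return "accept"
        return "drop"                      # packet does not fit the session's state

    def half_open_count(self):
        return sum(1 for s in self.table.values() if s in ("SYN_SENT", "SYN_RECEIVED"))

    def syn_flood_suspected(self):
        return self.half_open_count() >= self.half_open_limit


def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def demo(flood_size=150):
    fw = StatefulFilter(half_open_limit=100)
    client, server = "10.0.0.5", "198.51.100.7"          # constructed
    sequence = [
        pkt(client, 40000, server, 80, SYN),             # 1. client SYN
        pkt(server, 80, client, 40000, SYN | ACK),       # 2. server SYN-ACK
        pkt(client, 40000, server, 80, ACK),             # 3. client ACK: established
        pkt(client, 40000, server, 80, ACK),             # data segment on the session
        pkt("10.0.0.9", 1234, server, 80, ACK),          # ACK with no session (ACK scan): dropped
        pkt(server, 443, client, 5555, SYN | ACK),       # unsolicited SYN-ACK: dropped
    ]
    decisions = [fw.process(p) for p in sequence]
    for i in range(flood_size):                          # spoofed SYNs that are never completed
        fw.process(pkt("203.0.113.%d" % (i % 250 + 1), 1024 + i, server, 80, SYN))
    return {"decisions": decisions,
            "session_state": fw.table[(client, 40000, server, 80)],
            "half_open": fw.half_open_count(),
            "flood": fw.syn_flood_suspected(),
            "filter": fw}


if __name__ == "__main__":
    r = demo()
    print(r["decisions"], r["session_state"], r["half_open"], r["flood"])
```

Production stacks answer the flood differently (SYN cookies avoid storing state until the third packet arrives), but the half-open count from a table like this is what an IDS or a firewall's SYN-flood guard actually alarms on.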
Spoofing
bogus source address
Session Hijack
unauthorized insertion of packets into a data stream (e.g., by predicting TCP sequence numbers) to take over an authenticated session
Layer Ethernet 802.3 is placed on
Data Link Layer
Best Proactive Network Defense
Perimeter Surveillance and intelligence gathering
Network is not the target of attack in
man in the middle attack
Most effective against a distribute DoS attack
Traffic Filtering
Optimal placement for network based intrusion detection systems
On the network perimeter to alert the network administrator of all suspicious activity
End-point devices most likely be considered part of a converged IP network
fileserver, ip phone, security camera
an advantage of fiber-optic over copper cables from a security perspective
more difficult to wiretap
Part of a network’s perimeter defense
firewall, proxy server, host based intrusion detection system
Principal Security Risk of wireless LANs
Lack of physical access controls
WLAN’s SSID configured with adequate security protection
SSIDs are not for authentication
IPSec
provides mechanisms for authentication and encryption
Security Event Manager
aggregates logs from security devices and application servers looking for suspicious activity
DNS weakness
lack of authentication of servers and thereby of the authenticity of records (addressed by DNSSEC)
Open email relays
using a blacklist of open email relays does not provide a secure way for an email administrator to identify open mail relays and filter spam
botnet can be characterized by
a group of dispersed compromised machines controlled remotely for illicit reasons
mesh network is rarely implemented in modern networks due to
cost
Strongest wireless encryption on an 802.11n network
WPA2
Media best suited for an area with a lot of electromagnetic radiation
Fiber
Multi layer Protocols such as Modbus
are often insecure by their very nature as they were not designed to natively operate over today’s IP networks.
Best approach for admistering a server remotely
SSHv2