Chapter 4: Communication and Network Security

Question 1

-mulithomed firewall

Answer 1

Multi-homed firewalls may be used to setup a DMZ with a single firewall. (see next slide)

On any multi-homed machine, IP forwarding should be disabled.*

Question 2

802.11 wireless protocols

Answer 2

802.11a 54Mbps5Ghz8 channels802.11b11Mbs2.4Ghz (same as other home devices)802.11g54Mbs2.4Ghz802.11i : Wireless with security. First standard to require WPAII802.11n100Mbs2.4Ghz or 5Ghz

Question 3

802.15

Answer 3

Bluetooth

Question 4

802.1x and eap

Answer 4

802.1x is a port based network access control and includes

EAP.

• EAP is an auth frameworks that describes many specific auth protocols PORT Based Auth. at Layer 2 for both wired and wireless

Question 5

ad-hoc and infrastructure wireless

Answer 5

ah-hoc wirles cards to wireless cares infrastrcute is through access points

Question 6

Application Proxies - Firewallpros & cons?

Answer 6

Like circuit layer proxies, but actually understand the application/protocol they are proxying.This allows for additional security as they can inspect the data for protocol violations or content.AdvantagesApplication proxies understand the protocol, so they can add extra securityCan have advanced logging/auditing and access control featuresEx. Restrict users to only allowed websitesEx. Inspect data for protocol violationsEx. Inspect data for malware (viri etc)DisadvantagesExtra processing requires extra CPU (slower)Proxies ONLY understand the protocols they were written to understand. So you generally have a separate application proxy for EACH protocol you want to proxyexamples: smtp proxies, ftp proxies

Question 7

ARP

Answer 7

I’m looking for 192.168.1.2’s MAC addressanswer: that’s me at 00:af:14:b3:bc:12

Layer 2 take ip from L3 for the test say layer 2

Map IP address to Mac address via broadcast

it it then added to the ARP cache

arp poisoning: change mac address to bad server…

Question 8

asymmetric dsl

Answer 8

fast download less upload

Question 9

autonomous network how many entitites

Answer 9

one

Question 10

Blue Bugging

Answer 10

More serious

Allows full use of phone

Allows one to make calls

Can eavesdrop on calls

Question 11

Blue Jacking

Answer 11

sending spam to bluetooth devices

Question 12

Blue Snarfing

Answer 12

Copies info off remote devices

Question 13

Bonk

Answer 13

similar to Teardrop manipulates how a pc reassembles a packet and allows of too large a packet

Question 14

Buffer Overflow

Answer 14

Attacks a specific type of memeory on a system …the buffers best avoided with input validation. too much to handle…

Question 15

CHAP

Answer 15

does not expose the cleartext password and is not susceptible to replay attacks. CHAP relies on a shared secret: the password. The password is securely created (such as during account enrollment) and stored on the CHAP server. Since both the user and the CHAP server share a secret (the plaintext password), they can use that secret to securely authenticate.

Question 16

circuit Switching

Answer 16

all data follows same pathPSTNISDNDSLT-carriers

Question 17

Data Diddling

Answer 17

Altering/Manipulating data, usually before entry

Question 18

DCE

Answer 18

similar to kerberos developed by Open Group The Distributed Computing Environment (DCE) is a software system developed in the early 1990s by a consortium that included Apollo Computer (later part of Hewlett-Packard), IBM, Digital Equipment Corporation, and others. The DCE supplies a framework and toolkit for developing client/server applications.

Question 19

DDos

Answer 19

use of Control Machines (Handlers) and Zombies (Bots) many machines making the attack

Question 20

Dial up protocol

Answer 20

PPP Point to Point Protocol: Provides Layer 2 framing for dial-up. Needs other protocols for securityEncryption: MPPEAuthentication:PAP (Password Authentication Protocol): Clear TextCHAP (Challenge Handshake Authentication Protocol) Client responds to a challenge from the server. The only way the client can answer correctly is if the correct password had been entered.EAP (Extensible Authentication Protocol) Extends capabilities beyond passwords (smart cards, biometrics, token devices, etc)

Question 21

DMZ

Answer 21

A buffer zone between an unprotected network and a protected network that allows for the monitoring and regulation of traffic between the two.

Question 22

DNS port

Answer 22

UDP port 53 tcp port 53 large answers ie zone xfer

Question 23

Dos

Answer 23

Denial of Service - overwhelm a system and disrupt its availability

Question 24

DSL

Answer 24

layer 1

Question 25

Dynamic Packet Filtering Firewalls

Answer 25

Like a state full firewall but more advanced. Can actually rewrite rules dynamically.Some protocols such as FTP have complex communications that require multiple ports and protocols for a specific application, packet and statefull filter cannot handle these easily, however dynamic packet filter can as they can create rules on the fly as needed.

Question 26

Ethernet

Answer 26

Layer 2 transports data via frames

Question 27

Ethernet

Answer 27

Most common form of LAN networking, has the following characteristicsShares mediaBroadcast and collision domains (see next slides)CSMA/CDSupports full duplex with a switchDefined by IEEE 802.3

Question 28

Fraggle

Answer 28

Similar to smurf but uses UDP vs IMCP layer 4 attack. you can block distrubed attacks on router to mitigate.

Question 29

frame relay

Answer 29

Frame Relay is a packet-switched Layer 2 WAN protocol that provides no error recovery and focuses on speed. Higher-layer protocols carried by Frame Relay, such as TCP/ IP, can be used to provide reliability. Frame Relay multiplexes multiple logical connections over a single physical connection to create Virtual Circuits; this shared bandwidth model is an alternative to dedicated circuits such as T1s. A PVC (Permanent Virtual Circuit) is always connected, analogous to a real dedicated circuit like a T1. A Switched Virtual Circuit (SVC)

Question 30

FTP

Answer 30

uses tcp to guarantee delivery

vs

tftp uses udp faster doesn’t guanatee delivery.

Question 31

http

Answer 31

port 80

Question 32

https port

Answer 32

443

Question 33

imap port

Answer 33

internet massage access protocol port 143

Question 34

imcp

Answer 34

L3 used to troubleshoot and report error conditions

ICMP – “IP helper”Protocol behind echoing utilities like PING and Traceroute

Frequently exploited

• LOKI :sending data in ICMP messages header (not supposed to be there) —covert Channel
• Ping of Death:violates the MTU (maximum transmission unit) size
• Ping Floods: Lots of ping traffic
• SMURF: Uses spoofed source address (Target) and directed broadcasts to launch a DDos

Question 35

infrastructure as a service

Answer 35

storing things in the cloud. services provided by the cloud vs local…

Question 36

IPsec

Answer 36

IPv4 has no built-in confidentiality; higher-layer protocols such as TLS are used to provide security. To address this lack of security at Layer 3, IPsec (Internet Protocol Security) was designed to provide confidentiality, integrity, and authentication via encryption for both IPv4 and IPv6. IPsec is a suite of protocols; the major two are Encapsulating Security Protocol (ESP) and auth header AH

Question 37

IPv4

Answer 37

32 bit source and destination address

Question 38

IPv6

Answer 38

64 bit destination address

Question 39

ISDN

Answer 39

PRI and BRI

Question 40

L2TP

Answer 40

Layer 2 Tunneling ProtocolCisco designed L2F to break free of dependence on IP networks, but kept it proprietary.L2TP was a combination of L2F and PPTPDesigned to be implemented in software solutionsTHERE IS NO SECURITY with L2TP. It MUST use IPSec to secure

Question 41

L3 Firewall

Answer 41

Static Packet Filters: Base decisions on Source/Destination IP address and port

Question 42

L5 Firewall

Answer 42

Stateful Inspection Knowledge of who initiated the session. Can block unsolicited replies. Protocol Anomaly firewalls.

Question 43

L7 Firewall

Answer 43

Application Proxies/Kernel Proxies: Make decisions on Content, Active Directory Integration, Certs, time…etc

Question 44

Land Attack

Answer 44

Creates a “circular reference” on a machine. Sends a packet where source and destination are the same.

Question 45

Layer 1 Threats

Answer 45

Physical - TheftUnauthorized AccessVandalismSniffingInterferenceData Emanation

Question 46

Layer 2 two sub layers

Answer 46

Data Layer —– sublayers are: MAC Media Access Control xfters data down to phys layer & Logical Link Control up to L3. -Error Dectectiondevices: switches and bridgesEthernet card and its mac addresss

Question 47

Layer 3

Answer 47

network layer describes routing moving data from a system on one lan to a system on another. IP address and routers ICMPOther protocols that “work” on this layer are: ICMP – IP “helpers” (like ping) IGMP – Internet Group Message Protocol IPRouters All protocols that start with “I” (except IMAP) Ping Floods, Pings of Death, Loki, Smurf

Question 48

Layer 4

Answer 48

OSI Layer 4 Transport – Provides end-to-end data transport services and establishes a logical connection between 2 computers systems

”The “pony express”

Protocols used at layer 4:

• SSL/TLS (Discussed in Cryptography Chapter)
• TCP UDPTCP &
• UDP and L4 protocols SSL/TLS

Question 49

Layer 5

Answer 49

OSI Layer 5 (Session) – responsible for establishing a connection between two APPLICATIONS! (either on the same computer or two different computers)

• Create connection
• Transfer data
• Release connection

TCP - Does session oriented services

.Session layer manages sessions which provide maintenance on connections. connections between applications RPC’s , simplex 1/2 duplex, full duplex

setup, maintainance and teardown of session

Question 50

Layer 6

Answer 50

OSI Layer 6 Presentation Layer – presents the data in a format that all computers can understand

Think 3 things: Formating, Compression and Encryption

testable - This is the only layer of OSI that does NOT have any protocol.

• Concerned with encryption, compression and formatting

Making sure data is presented in a universal format

File level encryption

Removing redundancy from files (compression)

Presentation Layer - presents data to the application concepts include data conversion, ASCII and image formats gif, jpeg, tiff

Question 51

Layer 7

Answer 51

APPLICATION Layer

This defines a protocol (way of sending data) that two different programs or applications understand.

• HTTP, HTTPS, FTP, TFTP, SMTP, SNMP, etc.
• Application Proxies
• Non-Repudiation
• Certificates
• Integration with Directory SErvices
• Time awareness.
• Application- web brower, word processor etc.Procy Firewalls
• Content Inspection

if you don’t know what application try layer 7 cause there’s a bunch!

Question 52

LEAP

Answer 52

lightweight extensible auth protocol cisco proprietary has security flaws

Question 53

Least Secure Type of Cable

Answer 53

Twisted - Pair

Question 54

Logic Bomb

Answer 54

malicious code that lays dormant until a logical even occurs.

Question 55

Logical Link Layer

Answer 55

L2 - Error Detection

Question 56

Loki Attack

Answer 56

Information is stored in IMCP header (covert channel)

Question 57

MAC - Physical 1st Part

Answer 57

L2 - DataMedia Access control Addressing/Resolution and Media Access Determination-ARP (Address Resolution Protocal)-RARP (Reverse Address Resolution Protocol)

Question 58

MAC - Physical 2nd Part

Answer 58

L2 - Data MAC Media access control**CSMD/CD Carrier Sense Mutl. Access w/collision Detection 802.3 Ethernet - waits for clear then starts talking**CSMA/CA Carrier Sense Mutl. Access w/collision Avoidance 802.11 Wireless - Signals intent to talkToken Passing: 24 bit control frame passed around the network environment..determine who can transmit.

Question 59

MAN

Answer 59

Metropolitan area network

Question 60

MPLS

Answer 60

Mulit Protocol Labeled Switching

• MPLS is used to create cost effective, private Wide Area Networks (WANs) faster and more secure than regular routed “public” IP networks like the internet.
• More secure than the public internet, because a “virtual” private network (end-to-end circuit)can be built just for your organization
• Since it’s a private network, we don’t have to configure and maintain tradition encryption based VPN equipment anymore, and can also avoid the latency and delay inherent in the tech.
• Provides QoS for VOIP
• Purely Layer 3 technology.

Question 61

NAT

Answer 61

one to one mapping private to public

3 ranges of internal

192.168

10.

172.16.x.x-172.31.x.x

PAT-is port translation allows you to map many internal to one external…

Question 62

Network Perimeter concept

Answer 62

choke points

Question 63

NIS

Answer 63

a distributed database system that lets computers share sets of files…does not support md5

Question 64

OSPF

Answer 64

because RIP could not scale well in large networks. Open Shortest Path First Protocal was created. It support hierarchies and the simultaneouse use of multiple paths.

Question 65

packet Filter

Answer 65

Uses Access control lists (ACLs), which are rules that a firewall applies to each packet it receives.Not state full, just looks at the network and transport layer packets (IP addresses, ports, and “flags”)**Does not look into the application, cannot block viri etc.**Generally do not support anything advanced or customPacket filters keep no state

Question 66

Packet Switching

Answer 66

• X.25
• Frame Relay
• ATM
• VOIP
• MPLS
• Cable Modems

Question 67

PAP

Answer 67

PAP (Password Authentication Protocol) is a very weak authentication protocol. It sends the username and password in cleartext. An attacker who is able to sniff the authentication process can launch a simple replay attack, by replaying the username and password, using them to log in. PAP is insecure and should not be used.

Question 68

PAT

Answer 68

mult. private address to share one public address.PAT looks at the IP and transport layer port number and rewrites both*

Question 69

Ping Flooding

Answer 69

overwhelm system with multitude of pings. via imcp

Question 70

Ping of Death

Answer 70

sending a ping packet that violates the Max Trans Unit. a huge packet

IMCP

Question 71

Platform as a service

Answer 71

is all about application hosting

Question 72

pop3 port

Answer 72

110

Question 73

PPP

Answer 73

L2 that adds CIA via point to point links

Question 74

PPTP

Answer 74

Point to Point Tunneling ProtocolBased on PPP (uses MPPE for encryption and PAP, CHAP or EAP for authentication)Lead by Microsoft protocol for a tunneling VPNOnly works across IP networksRemote user connects to ISP, gets an Internet AddressEstablishes VPN connection to work VPN server, get’s Internal IP address.Sends private IP packets encrypted within other IP packets.

Question 75

Proxy Firewalls - Circuit Level pros & cons?

Answer 75

• A circuit-level gateway is a type of firewall. Circuit level gateways work at the session layer of the OSI model, or as a “shim-layer” between the application layer and the transport layer of the TCP/IP stack. They monitor TCP handshaking between packets to determine whether a requested session is legitimate.

Application Proxies

advantages

• understand the protocol, so they can add extra security
• can have advanced logging/auditing and acess control features
  
  • ex. restrict users to only allowed website
  • inspect data for protocol violations
  • inspect data for malware

Disadvantages

• extra processing
• proxies only understand the protocols the were written to understand. do you generally have a seperate application proxy for each protocol.

Examples:

• internet security and acceleration server… ms web proxy
• smtp proxies
• ftp proxies

Question 76

RDP

Answer 76

remote desk protocol tcp port 3389

Question 77

RFC 1918

Answer 77

10.x.x.x172.16.x.x-172.31.x.x192.168.x.x

Question 78

SAAS

Answer 78

Office 365 online for example.

word on the cloud.

Question 79

Salami

Answer 79

many small attacks add up to equal a large attack

office space type of account

Question 80

screened subnet

Answer 80

In a screen subnet, there is a separate firewall on both sides of the DMZ.When using this model it is recommended that each firewall be a different vendor/product.Diversity of defense*

Question 81

Security Zones - Firewall

Answer 81

DMZ

bastion hosts - a hardened server

vender divesity is good..

Question 82

SIP

Answer 82

Consists of the User agent client an the user agent server user for voip

Question 83

smtp

Answer 83

simple mail transport protocol port 25

Question 84

Smurf

Answer 84

uses IMCP directed broadcasts. L3 attack.

Block distributed broadcasts on routers to stop it.

Question 85

Sniffing

Answer 85

Capturing and Viewing packet through the use of a Protocol analyzer best defense encrypt.

Question 86

Socket

Answer 86

When a tcp or udp message is formed, a sourceand a destination port are contained in the header info along with source and IP addresses…this makes a socket.

Question 87

ssh

Answer 87

port 22

Question 88

Stateful Firewall

Answer 88

Layer 5

-router keeps track of a connections in a table. It knows which conversations are active, who is involved etc.-

It allows return traffic to come back where a packet filter would have to have a specific rule to define returned traffic-

More complex, and can launch DoS against by trying to fill up all the entries in the state tables/use up memory.-

If rebooted can disrupt conversation that had been occurring.

Context dependant access control*

Question 89

stateful firewall

Answer 89

Layer 5

Stateful firewalls have a state table that allows the firewall to compare current packets to previous ones. Stateful firewalls are slower than packet filters, but are far more secure. Computer 1 sends an ICMP Echo Request to

Question 90

stateless firewall layer

Answer 90

3

Question 91

Switch

Answer 91

A network Switch is just a multi-port bridge. Switches will often have 24 or more ports, and learns which MAC addresses are on which ports.

Works at layer 2 (data link)

On a switch a computer can send data AND receive data at the same time (full duplex… increasing performance by up to 2x)

On a switch each port is it’s own collision domain, and will not have a collision, therefore allowing line speed communication on each port A switch does not alter broadcast domains

A switch only sends traffic from the sending computer to the receiving computer, therefore stops sniffing (watch for MAC flooding attacks though)

Since switches inspect the MAC address on all traffic, a switch can be programmed to only allow certain MAC addresses to communicate, and ignore other MAC addresses.

Question 92

Syn Flood

Answer 92

exploits 3 way handshake TCP layer 4 attack. need stateful firewall to prevent

Question 93

Syn Flood

Answer 93

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYNrequests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

Layer 4 attack

Question 94

TCP

Answer 94

Transmission control Protocol:Connection oriented “guaranteed” delivery. ***Advantages

• Easier to program with
• Truly implements a session
• Adds security

***Disadvantages

• More overhead / slower
• SYN Floods

KNOW OSI and mapping…

Question 95

TCP - Handshake

Answer 95

Reliable connection-oriented protocolHas a guaranteed delivery based on the handshake process

SYN ———> hey open an area in memory

SYN/ACK————>

ACK

Question 96

TCP Sequence Number

Answer 96

a way of ensuring that the message is delivered to teh appropriate destination and from its appropriate sender.

Question 97

TCP/IP Protocols

Answer 97

UDP - user data protocal IMCP internet control message protocal etc.

Question 98

Tear Drop

Answer 98

sending malformed packets which the OS doesn’t know how to re-assemble L2 Attack

Question 99

telnet

Answer 99

tcp port 23

Question 100

Trojan Horse

Answer 100

One program (usually type of Malicious code) masquerades as another. common means of distributing back-door programs

Question 101

types of EAP

Answer 101

leap, eap-tls, eap-ttls and peap

Question 102

udp

Answer 102

user datagram protocol lossy apps

Question 103

UDP

Answer 103

User Datagram Protocol:

• Connectionless
• Unreliable
• No handshaking
• Desirable when “real time” transfer is essential

1. Media Streaming, Gaming, live time chat, etc
2. FTP uses TCP
3. TFTP uses UDP

Question 104

unsolictated Reply

Answer 104

sending a reply to a question that was never asked.

Question 105

Virus

Answer 105

A piece of malicious code that can take many forms.

Needs a host, and action by user to spread.

Question 106

VNC port #

Answer 106

Virtual Network computing port 5900

Question 107

VOIP Security Issues

Answer 107

Eavesdropping (greatest threat) Enable s/rtp secure real time protocal

Toll Fraud

Vishing - fishing using phon

SPIT - spam of telephone

Performance issues - Jitter, Latency

Question 108

VPN - tunneling

Answer 108

A function of VPNs - Tunnel encapsulates one protocol within another protocol to create a virtual network.Can encrypts original IP headersCan encrypts dataAllows for routing non routable protocols and IP addressesCan provide remote/internal IP addressesDifferent protocolsPPTPL2TPIPSEC

Question 109

WAN - Circuit Switching

Answer 109

Anything that has to do the the telephone system

All data follow the same path

PSTN

ISDN

DSL

T-Carriers

Question 110

WAP

Answer 110

Wireless Application Protocola protocol developed mainly to allow wireless devices (cell phones) access to the Internet.Requires a Gateway to translate WAP HTML (see visual)Uses WTLS to encrypt data (modified version of TLS)Uses HMAC for message authenticationWAP GAP* problem (see visual and explain)A lot of wireless devices don’t need WAP anymore.

Question 111

Wardialing

Answer 111

RAS attack find phone number that has a modem

Question 112

WEP

Answer 112

WEP Wired Equivalent Privacy

Shared authentication passwords

Weak IV (24 bits) (initalization Vector)

IV transmitted in clear text

RC-4 (stream cipher)Easily crackable

Only option for 802.11b

Question 113

Wireless Security Problems

Answer 113

Unauthorized accesssniffingWar drivingUnauthorized access points (Man in the middle)

Question 114

Worm

Answer 114

Similar to a Virus, but does not need a host and is self - replicating

Question 115

WPA

Answer 115

Wi-Fi Protected AccessStronger IV

Introduced TKIP

Still used RC-4 it needed to maintain backwards compatibility.

Question 116

WPA2

Answer 116

Wi-Fi Protected Access

WPA2

• AES
• CCMP
• NOT backwards compatible

WPA and WPA2 Enterprise

• Uses 802.1X authentication to have individual passwords for individual users
• RADIUS

Question 117

Firewall Static Packet Filter

Answer 117

layer 3 static packet filtering - screen router with access control lists all or nothing devices.

layer 5 stateful firewalls-

Question 118

Session Hijack

Answer 118

Where an attacker steps in between two host and either monitors the exchange, or often disconnects one. Session hijacks are types of Man in the Middle attacks. Encryption prevents sniffing and mutual authentication would prevent session hijack.

cross-site request forgery…a type of hijack…

Question 119

Firewall Best Practices

Answer 119

Question 120

media gateway

Answer 120

is the translation betewwn diparate telecommunications networks. VOIP Media gateways perform the conversion between time dividsion multiplexing voice to VOIP. as a secruity measure the numver of calls via media gateways should be limited to avoid DOS, hijacking, etc…

Question 121

Persistant XSS vulnerability

Answer 121

is targeted at bew sites that allow user to input data that is stored in a database for similar location. the coded can be automatic withour luring an unsuspecting user.

AKA - second- order vulnerability

Question 122

non persistant vulnerabilty

Answer 122

enable an attacker to inject malicious code into vulnerable web pages. Unsuspecting user visits infected page with a rouge script to steal the victims sensitive information such as cookies or session IDs.

Question 123

DOM Attack

Answer 123

XSS cross site scripting uses the Document Object Model to modify client side java script causes the victimes browers to execute the malicious java code.

Question 124

IGP

Answer 124

Internet gateway protocal handles routing task between heach AS atonomous systems

Question 125

IGRP

Answer 125

interisor gateway routing protocol is a distance -vector routing protocal that was developed by cisco.

RIP - routing information protocal is a standard that outines how routers exchange routing table data as is considered a distance vector protocal which means it calulates the shorted length from source to destination.

IGRP is better but is it propiatary to cisco—RIP is free

Question 126

type of routing protocols

Answer 126

indicate how routers talk to eachother

2 types

distance vector and link state routing

distance vector just looks at hops

link state builds a topology database of the network. looks at more variable than the number of hops.

Question 127

EAP

Answer 127

Extensible Auth Protocol

Provides a framework to enable many type of authentifiation techniques.

Question 128

IEEE standards

Answer 128

802. 1AR - a unique id for a device
803. 1AE - data encrption and integrity
804. 1AF- key agreements session keys

Question 129

hypervisor

Answer 129

the sofware component that carries out virtual machine management and oversees guest system software execution.

Question 130

Common ports

ftp, telnet, smtp, dns

Answer 130

FTP - Port 21

Telnet - Port 23

SMTP - Port 25

DNS - Port 53

Question 131

ip header protcol number

udp, igmp, tcp, imcp

Answer 131

ServiceProtocol Number

Internet Control Message Protocol (ICMP) 1

Transmission Control Protocol (TCP) 6

User Datagram Protocol (UDP) 17

General Routing Encapsulation

(PPTP data over GRE) 47

Question 132

ecure HTTP (S-HTTP).

Answer 132

An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to send individual messages securely. SSL is designed to establish a secure connection between two computers.