Chapter 4 - Secure Networks

Question 1

Explain the four general goals for secure networking.

Answer 1

CIFAC: Confidentiality, Availability, Functionality, Access Control
Confidentiality - Not the idea of keeping messages secret, but also keeping network structure and data secret as well. Things like network protocols and packet header values need to be kept secure.
Availability - Ensuring that authorized users have access to information, services, and network resources.
Functionality - Preventing attackers from altering the capabilities or operation of the network (think DDoS).
Access Control - Keep attackers from accessing internal resources.

Question 2

How can information be gathered from encrypted network traffic?

Answer 2

Information can be gathered from encrypted traffic by passively monitoring said traffic. Even encrypted, you could still see sites visited, how much data is sent or received, etc.

Question 3

How does the castle model relate to secure networking?

Answer 3

The traditional castle model of network defense had the good guys on the inside, and the attackers on the outside. There was a well-guarded single point of entry. All network administrators had to do was secure this point of entry and attackers would be stopped.

Question 4

What is a denial-of-service attack?

Answer 4

A denial-of-service attack is an attack made in order to attempt to render a server or network unavailable by flooding it with attack packets.

Question 5

Is a slow degradation of service worse than a total stoppage? Why?

Answer 5

It is worse, in that it’s much harder to detect. It might just look like actual growth in traffic, as opposed to an attack.

Question 6

What is a denial-of-service attack?

Answer 6

A denial-of-service attack is a method of overwhelming network resources in such a way that legitimate users cannot access it.

Question 7

Other than a DoS attack, what could cause a company’s network to crash?

Answer 7

Other things that could cause a company’s network to crash might be things like:
Referral from sites with considerably larger traffic volume.
Poor coding.

Question 8

What are the main goals of DoS attacks?

Answer 8

The primary goal of DoS attacks is to cause harm, by either stopping a service, or slowly degrading it over time.

Question 9

What is the difference between a direct and indirect DoS attack?

Answer 9

A direct DoS occurs when the attacker sends attack packets directly from his computer. An indirect attack relies on IP address spoofing in order to try and misdirect traceback.

Question 10

What is backscatter?

Answer 10

Backscatter is a side effect of an attacker spoofing an IP address, where the victim’s response packets unintentionally flood the spoofed IP address the attacker is using. Hilarity ensues.

Question 11

What types of packets can be sent as part of a DoS attack?

Answer 11

Although any packet could be used in theory, there are a few particulars:
SYN Packets - Known as a SYN Flood, the SYN packets form half-open connections, as the system waits for the final confirmation packet, which won’t come. Eats up memory.
Ping Flood - The system is hit with ICMP packets that look like standard supervisory traffic, overwhelming bandwidth and CPU.
HTTP Flood - Usually with webservers, flooded with web requests, crashing due to lack of memory and CPU power.

Question 12

How does a DDoS attack work?

Answer 12

A DDoS attack is much like a DoS attack, but the attack comes from multiple computers, often botted. This provides resources that one attacker might not have with one machine, and can take down large targets.

Question 13

What is a handler, and what does it do?

Answer 13

A handler is an intermediary computer that coordinates large groups of bots, as significant numbers of bots can be difficult to manage. They are also known as command-and-control servers, and provide an additional layer of anonymity.

Question 14

How does a P2P redirect work?

Answer 14

A P2P redirect works by redirecting legitimate P2P requests to an unrelated network, redirecting the “flow” of the P2P traffic. The target can generally not filter out legitimate users from the flood.

Question 15

How does a reflected attack work?

Answer 15

A reflected attack is similar to a P2P redirect. The attacker sends spoofed requests to servers that offer legitimate services. The responses from the servers then overwhelm the victim, as they often have far more power than the victim. The servers can be blocked, but this might cause more trouble, as attackers might use something like the DNS services of the victim, thus causing additional harm.

Question 16

What is a DRDoS attack, and how does it work?

Answer 16

A DRDoS attack is a Distributed Reflected Denial of Service attack, and it uses the same basic mechanism of the reflected attack, but using a botnet to achieve far greater volume.

Question 17

What is a smurf flood?

Answer 17

A smurf flood is a form of the reflected attack, but it takes advantage of a server that hasn’t been configured in a way to prevent broadcasting to all devices. The attacker sends a spoofed ICMP echo to the router (or other network device), which then echoes it to all network devices. All the devices then echo to the target, flooding it. The target need not be internal to the smurfed network.

Question 18

How could a malformed packet cause a host to crash?

Answer 18

A malformed packet is a packet that somehow violates the rules of an operating system, causing it to have unhandled exceptions and go down.

Question 19

What is black holing?

Answer 19

Black holing is when all packets from an IP address are dropped automatically. This isn’t good, if done automatically. Spoofed IPs could cause blocking of genuine business partners or customers, and it’s simple for attackers to change IP addresses.

Question 20

How can the effects of SYN floods be mitigated?

Answer 20

SYN Floods can be mitigated by firewalls; the firewall accepts the SYN packet and sends back the SYN/ACK packet. If no final ACK is forthcoming, the firewall drops the original packet. If the final ACK does come, it lets it through. This is called a “false open”.

Question 21

What is rate limiting, and why is it good? Why is it bad?

Answer 21

Rate limiting is done by limiting the amount of a certain type of traffic that a network will admit to a reasonable amount. This can prevent smurf flooding by preventing an unacceptable amount of ICMP packets from entering, while still allowing broadcasting to be used. Unfortunately, this limitation can limit legitimate users as well.

Question 22

Why are DoS community problems?

Answer 22

DoS attacks are community problems because they can saturate ISP access lines, causing problems for legitimate users, and can only really be stopped by the ISP and any organization whose computers have been zombified.

Question 23

Why do hosts use Address Resolution Protocol?

Answer 23

Hosts use Address Resolution Protocol (or ARP) to resolve 32-bit IP addresses into 48-bit local MAC addresses. For this to work, hosts must know each other’s MAC addresses. This allows them to send and receive packets using IP addresses.

Question 24

How does ARP work?

Answer 24

When a router receives a packet addressed to an internal host, it sends an ARP request to every host on the LAN asking for their IP address. The actual host replies with an ARP reply, the rest ignore the request. This reply contains its physical ARP reply. The network switch then records this information, along with port numbers, and looks from that point on at MAC addresses, not IP addresses.

Question 25

Can ARP poisoning be used outside the LAN? Why or why not?

Answer 25

ARP poisoning cannot be used outside the LAN, because ARP tables aren’t used anywhere but on a LAN.

Question 26

Why do hosts send ARP requests?

Answer 26

Hosts send ARP requests to determine the MAC addresses of hosts on their network.

Question 27

What is ARP spoofing?

Answer 27

ARP spoofing is when false ARP replies are used to map any IP address to any MAC address. These spoofed ARP replies are broadcast to all hosts on the LAN, manipulating the ARP tables.

Question 28

What is ARP poisoning, and how does it work?

Answer 28

ARP poisoning is when a continuous stream of unsolicited, spoofed ARP requests to all the hosts on the LAN save the gateway. This tells the hosts that the gateway is at a new location, the attacker’s MAC. All packets they want to send now go to the attacker. Thanks to the switch only looking at MAC addresses, it goes along with it.
The attacker then poisons the gateway by bombarding it with ARP replies telling it that all the hosts are at the attacker’s MAC.
The ARP requests must be continuous, or else the hosts and gateways will reply normally, and self-correct.

Question 29

How can ARP poisoning be used as a DoS attack?

Answer 29

ARP poisoning can be used very easily as a DoS attack, by setting the MAC address of all hosts in the tables to a non-existent MAC address. All packets will be dropped, and nothing will get through.

Question 30

How can ARP poisoning be prevented?

Answer 30

ARP poisoning can be prevented through the use of static ARP tables and static IP tables. These are set manually, and cannot be dynamically updated.
Another method would be by limiting local access, keeping foreign hosts out.

Question 31

What’s the downside of static IP and ARP tables?

Answer 31

They’re flat-out unwieldy for anything save small networks, as they’ll have to be updated constantly whenever the network structure changes.

Question 32

What is the main access control threat to Ethernet LAN?

Answer 32

The main access control threat to Ethernet LANs is the act of people actually physically plugging in to an ethernet port in the wall.

Question 33

What is the main access control threat to wireless LANs? Why is it even more severe than that of an Ethernet LAN?

Answer 33

The main access control threat to wireless LANs is remote connection to an unsecured access point. This is more severe because the attacker does not even need to be inside the building physically, or even within sight.

Question 34

Is eavesdropping usually a problem for wired LANs, wireless LANs, or both?

Answer 34

Eavesdropping is an issue for both wired and wireless LANs, provided the attacker gains access. The attacker can use a packet sniffer to intercept and read legitimate data (since encryption is rare on Ethernet). This is astonishingly easy on wireless LANs unless traffic is strongly encrypted.

Question 35

Why is 802.1X called Port-Based Access Control?

Answer 35

802.1X makes the Ethernet workgroup switch the gateway to the network. From there, the user connects to via UTP to a wall jack (or directly to the switch), to a specific port. Thus it is port-based.

Question 36

In 802.1X, where is the heavy authentication done?

Answer 36

In 802.1X, the heavy authentication is done by a central authentication server, so as to not burden the switch.

Question 37

What are three benefits of using a central authentication server with 802.1X?

Answer 37

Three benefits to the central authentication server are:

1. Cost savings - Having a centralized authentication server means each switch is much easier to configure, and doesn’t need to be as beefy.
2. Consistency - Credential checking will always be done the same way, no matter what workgroup switch someone connects to. Same database, every time.
3. Immediate changes - Changes made to central echo out immediately. No updating one switch at a time.

Question 38

In 802.1X, which device is the verifier?

Answer 38

Both the central auth server and the switch share the task of verifier.

Question 39

In 802.1X, which device is the authenticator?

Answer 39

In 802.1X, the switch is the authenticator. The central auth server is the authentication server.

Question 40

What does EAP stand for? What is it?

Answer 40

EAP stands for the Extensible Authentication Protocol. This is used to govern authentication interactions under 802.1X.

Question 41

When does an EAP session start?

Answer 41

An EAP session starts when an ethernet switch detects a connection on one of its ports.

Question 42

Describe how the central authentication server tells the authenticator that the supplicant is acceptable.

Answer 42

When the supplicant successfully provides the authentication server with valid credentials, the authentication server sends an EAP Success message to the authenticator.

Question 43

Once the authenticator has received an EAP Success message, how does it inform the supplicant?

Answer 43

When the supplicant is approved by the EAP Success message, the authenticator notifies the supplicant by a method outside the EAP protocol? I guess?

Question 44

What does it mean that EAP is extensible?

Answer 44

EAP is called Extensible because it’s simple to add new authentication methods. The structure of EAP messages stay the same regardless of authentication method.

Question 45

When a new authentication method is added to EAP, what device software must be changed to use the new method?

Answer 45

When a new authentication method is added to EAP, the device software of both the supplicant and “verifier” must be updated. The authenticator does not change in this instance, though, as it simply passes the EAP Request through, regardless of method.

Question 46

Why is it important that authenticators do not need to be updated when authentication methods are added or removed?

Answer 46

Because a system could have dozens or hundreds or thousands of switches, and that’s a lot of work, yo.

Question 47

What standard to most central authentication servers follow?

Answer 47

Most central authentication servers follow the RADIUS protocol.

Question 48

How do EAP and RADIUS function together.

Answer 48

RADIUS provides not only authentication, but authorization and auditing. Authorization in this case can limit what severs the user can access, file directories, privileges, and so on. It can also audit connections, determining how long and where a particular computer was connected.

Question 49

What is the most common attack against wireless networks? Why?

Answer 49

The most common attack against wireless networks is simple “unauthorized access”, connecting to a network without permission. This is because even if a network is not locked, it does not mean that you have authorization to use it.

Question 50

What device acts as a relay between wireless and wired networks?

Answer 50

An access point acts as a relay between wireless and wired networks.

Question 51

What is the typical range of a WLAN?

Answer 51

The range of a typical WLAN is 30 to 100 meters.

Question 52

What is the difference between an open network and a private network?

Answer 52

An open network is one that can be legally accessed by anyone, whereas a private network is one that do not allow access unless specifically authorized, regardless of security.

Question 53

What is a rogue access point? Who would set one up and why?

Answer 53

A rogue access point is an unauthorized access point set up by individuals or departments with little or no security. A hacker might set one up, giving them a clear avenue past border security and wireless security.

Question 54

What is an example of internal and external harm caused by unauthorized wireless access.

Answer 54

An example of internal harm might be identity theft, or the planting of malware. An example of external harm might be downloading illegal content.

Question 55

What man-in-the-middle attack is a danger to 802.11 WLANs? How?

Answer 55

The evil twin access point is a man-in-the-middle attack that threatens 82.11 WLANs. This is done by configuring a computer to disguise itself as a legitimate access point with a high-powered antenna (to trick clients into automatically connecting). This evil twin then pretend to be the client that has connected to it, and connect to the legitimate access point within the corporate walls, acting as the supplicant user.

Question 56

What two types of attacks can an “evil twin” take part in?

Answer 56

The evil twin can either do the traditional “man-in-the-middle” snooping, or it can pretend to be the client and send attack packets.

Question 57

Where are evil twins most commonly encountered?

Answer 57

Evil twins are most commonly encountered with public hot spots.

Question 58

How can evil twins be combated?

Answer 58

The easiest way to combat the evil twin is by forcing users to connect to a VPN using a pre-shared secret, preventing the evil twin from intercepting it.

Question 59

What is a wireless DoS attack?

Answer 59

A wireless DoS attack is exactly what it seems like; it’s a denial-of-service attack upon a wireless LAN, attempting to disrupt its availability.

Question 60

What are the three main forms of the wireless DoS?

Answer 60

The three main forms of wireless denial of service are:
Frequency Flooding - This is a crude but effective method, where the attacker floods the entire transmission frequency with electromagnetic interference (or noise), making packets unreadable. Shit like baby monitors can do this.
Access Point Flooding - This is an attempt to overwhelm the access point with too much traffic with a large amount of packets, or a smaller number of very large files.
Send Attack Commands - The attacker can use specific packets or frames to disrupt the LAN, like sending spoofed “deauthenticate messages”, forcing people to disconnect.

Question 61

What device can be used to identify a DoS flood if the entire frequency is being flooded?

Answer 61

A spectrum analyzer can be used to identify DoS floods, by recording all signals, including packet transmissions, within a given radio frequency band.

Question 62

What commands can be sent to cause a wireless DoS attack?

Answer 62

The following commands make for effective wireless DoS attacks:

• Deauthenticate Commands - Causes users to be disconnected.
• Request-to-Send Frame - Causes a flood of Clear-to-Send frames
• Clear-to-Send Frame - A CTS frame with a long transmission duration will force other clients to wait to transmit.

Question 63

What is the main weakness of EAP in regards to wireless LANs?

Answer 63

EAP assumes that the connection between the supplicant and the authenticator is secure. Unlike Ethernet, it is not hard to “tap” a wireless connection.

Question 64

What standard did the 802.3 Working Group create to extend 802.1X operations to WLANs for security for EAP?

Answer 64

The 802.3 Working Group created 802.11i to extend security for WLANs.

Question 65

In 802.11i, what’s the difference between outer and inner authentication?

Answer 65

In the 802.11i standard, outer authentication is done via a digital certificate that is installed on the AP that is used. Inner authentication is done through the standard EAP protocol.

Question 66

What two extended EAP protocols are popular today? How do they work?

Answer 66

The two most popular extended EAP protocols are EAP-TLS and protected EAP (PEAP).
EAP-TLS uses transport-level security, requiring the supplicant to have a digital certificate.
PEAP uses any authentication method specified in the EAP standard, and this is generally favored due to it being cheap and supported by Cisco.

Question 67

Is 802.11i security strong?

Answer 67

802.11i is fairly strong; the two levels of authentication provide reasonable security.

Question 68

What was the first core wireless security standard?

Answer 68

The first core wireless security standard was the Wired Equivalent Privacy standard, or WEP. It was tragically, fatally flawed.

Question 69

What encryption algorithm does the WEP standard use?

Answer 69

The WEP standard uses a shared key encryption, and the RC4 cipher.

Question 70

Why are permanent shared keys undesirable?

Answer 70

Because they are easy to get passed around, and once cracked, they’re 100% worthless.

Question 71

What per-frame key does a WEP computer or access point use to encrypt when it transmits?

Answer 71

The WEP standard uses a RC4 key plus a 24-bit initialization vector that changes from frame to frame. This still allows a bit of the shared key to leak, though. Still no good.

Question 72

How long does it take to crack WEP today?

Answer 72

It takes a good 2-3 minutes to crack WEP today.

Question 73

What’s the difference between WPA and WEP?

Answer 73

WPA uses a 48-bit initialization vector, to vastly reduce leakage, and it uses the Temporal Key Integrity Protocol (TKIP) for keying and rekeying. WEP does not.

Question 74

What does the Wi-Fi Alliance call 802.11i?

Answer 74

The Wi-Fi Alliance calls 802.11i WPA2.

Question 75

What weakness is there to WPA, and why do some companies continue to use it?

Answer 75

Thus far, the primary weakness to WPA is that the TKIP has been partially cracked. Companies do not shift away due to cost issues.

Question 76

Why is 802.1X unsuitable for homes and small offices?

Answer 76

802.1X is unsuitable for homes and small offices because it requires a central authentication server, and would be extremely expensive to set up for a small number of computers.

Question 77

What mode was created for homes or very small businesses with a single access point?

Answer 77

Both 802.11i and WPA offer “Pre-Shared Key” mode, or PSK. The problems with a shared key are far more avoidable in a small firm than a large company.

Question 78

How does 802.11i and WPA bypass the issue with shared keys being easy for cryptanalysis to crack?

Answer 78

802.11i and WPA only use the shared key initially, for authentication, and briefly at that. After that happens, the access point sends the client an unshared session key.

Question 79

How are PSK/personal keys generated?

Answer 79

PSK/personal keys are generated from passphrases that are provided to each piece of equipment. Long passphrases generate better keys.

Question 80

How long must a passphrase be to generate an adequate key for PSK/personal keys?

Answer 80

A passphrase must be at least 20 characters long.