CISSP ch 12 Flashcards
PPP
Point-to-Point Protocol
An encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links
Data link layer (layer 2) protocol that allows for multivendor interoperability of WAN devices supporting serial links
Rarely found on typical ethernet networks today
SLIP
Serial Line Internet Protocol (SLIP), replaced by PPP
offered no authentication, supported only half-duplex communications, no error detection, required manual link establishment and teardown
PPP communication services
Assignment and management of IP addresses
Management of synchronous communications
Standardized encryption
Multiplexing
Link configuration
Link quality testing
Error detection
Feature or option negotiation (such as compression)
PPP authentication options
PAP, CHAP, EAP and EAP derivatives
EAP derivatives
LEAP, PEAP, EAP-SIM, EAP-FAST, EAP-MD5, EAP-POTP, EAP-TLS, EAP-TTLS
PAP
Password Authentication Protocol
Transmits usernames and passwords in cleartext
Offers no encryption, simply transports logon credentials from the client to the authentication source
CHAP
Challenge Handshake Authentication Protocol
Based on MD5 and no longer considered secure
Performs authentication using a challenge-response dialogue that cannot be replayed
Challenge is a random number issued by the server, which the client uses along with the password hash to compute the one-way function derived response
Periodically reauthenticates
MS-CHAPv2 uses updated algorithms and is preferred over the original CHAP
EAP
Extensible Authentication Protocol
Framework for authentication, not an actual protocol
Allows customized authentication security solutions, such as supporting smartcards, tokens and biometrics
Originally designed for use of physically isolated channels / assumed secured pathways
Some EAP methods use encryption, others do not
LEAP
Lightweight Extensible Authentication Protocol
Cisco proprietary alternative to TKIP for WPA
Now a legacy solution to be avoided
PEAP
Protected Extensible Authentication Protocol
Encapsulates EAP in a TLS tunnel
Preferred to EAP
Supports mutual authentication
EAP-SIM
EAP – Subscriber Identity Module
A means of authenticating mobile devices over the Global System for Mobile Communications (GSM) network
Uses each device/subscriber’s subscriber identity module (SIM) card
EAP-FAST
EAP – Flexible Authentication via Secure Tunneling
A Cisco protocol proposed to replace LEAP; now obsolete, given the development of WPA2
EAP-MD5
Now deprecated
EAP-POTP
EAP – Protected One-Time Password
Supports the use of OTP tokens in multifactor authentication
EAP-TLS
EAP – Transport Layer Security
An open IETF standard that is an implementation of the TLS protocol for use in protecting authentication traffic
Most effective when both client and server have a digital certificate
EAP-TTLS
EAP – Tunneled Transport Layer Security
An extension of EAP-TLS that creates a VPN-like tunnel between endpoints prior to authentication
Ensures that even client’s username is never transmitted in cleartext
IEEE 802.1X
An authentication technology that can be used anywhere authentication is needed and that defines the use of EAP
“Port Based Network Access Control”
QoS
Quality of Service
The oversight and management of the efficiency and performance of network communications
Items to measure:
Throughput rate
Bit rate
Packet loss
Latency
Jitter
Transmission delay
Availability
Throttling or shaping can be implemented on a protocol or IP basis to set maximum use or consumption limit
PSTN / POTS
Public Switched Telephone Network = plain old telephone service
PBX
Private branch exchange
A telephone switching or exchange system deployed in private organizations in order to enable multistation use of a small number of external PSTN lines
DISA
Direct inward system access, a telephony feature
Adds authentication requirements to all external connections to the PBX
Vishing
Voice based phishing
Phreakers
malicious attackers who abuse phone systems in much the same way that hackers abuse computer networks
VPC
Virtual private cloud
VDI
Virtual desktop interface
VMI
Virtual mobile interface
Remote access techniques
Service specific remote access
Remote control remote access
Remote node operation
Screen scraper/scraping
Service specific remote access
Gives users the ability to remotely connect to and manipulate or interact with a single service, such as email
Remote control remote access
Grants a remote user the ability to fully control another system that is physically distant from them
Remote node operation
When a remote client establishes a direct connection to a LAN, such as with wireless, VPN or dial-up connectivity
Remote system connects to a remote access server, which provides the remote client with network services and possible internet access
Screen scraper/scraping
Could refer to remote control, remote access or remote desktop services (virtual applications/desktops). The screen on the target machine is scraped and shown to the remote operator
Also a technology that allows an automated tool to interact with a human interface
Load balancing
Achieving more optimal infrastructure utilization, minimizing response time, maximizing throughput, reducing overloading and eliminating bottlenecks
Load balancer
used to spread or distribute network traffic in a variety of situations
Common implementation is spreading a load across multiple members of a server farm or cluster
Scheduling
load balancing methods = means by which a load balancer distributes the work, requests or loads among the devices behind it:
Random choice
Round robin
Load monitoring
Preferencing or weighted
Least connections/traffic/latency
Locality based (geographic)
Locality based (affinity)
Random choice (scheduling, load balancing)
Each packet or connection is assigned a destination randomly
Round robin (scheduling, load balancing)
Each packet or connection is assigned the next destination in order
Load monitoring (scheduling)
Each packet or connection is assigned a destination based on the current load or capacity of the targets
The device/path with the lowest current load receives the next packet or connection
Preferencing or weighted (scheduling, load balancing)
Each packet or connection is assigned a destination based on a subjective preference or known capacity difference
E.g., one system can handle twice the capacity of other systems
Least connections/traffic/latency (scheduling, load balancing)
Each packet or connection is assigned a destination based on the least number of active connections, traffic load or latency
Locality based (geographic) (scheduling, load balancing)
Each packet or connection is assigned a destination based on the destination’s relative distance from the load balancer
Used when cluster members are geographically separated or across numerous router hops
Locality based (affinity) (scheduling, load balancing)
Each packet or connection is assigned a destination based on previous connections from the same client, so subsequent requests go to the same destination to optimize continuity of service
TLS offloading
process of removing the TLS-based encryption from incoming traffic to relieve a web server of the processing burden of decrypting and/or encrypting traffic
Virtual IP addresses
Sometimes used in load balancing
When the IP address is not actually assigned to a physical machine – communications received at the IP address are distributed in a load-balancing schedule to the actual systems operating on some other set of IP addresses
Persistence / Affinity (load balancing)
When a session between a client and a member of a load-balanced cluster is established, subsequent communications from the same client are sent to the same server, thus supporting persistence or consistency of communications
Active-active system (load balancing)
a form of load balancing that uses all available pathways or systems during normal operations
Used when traffic levels or workload during normal operations need to be maximized, but reduced capacity will be tolerated during adverse conditions
active-passive system (load balancing)
A form of load balancing that keeps some pathways or systems in an unused dormant state during normal operations so that if one active element fails, a passive element is brought online and takes over the workload
Used when the level of throughput or workload needs to be consistent between normal states and adverse conditions
Open relay agent or relay agent
an SMTP server that does not authenticate senders before accepting and relaying mail
Closed relays
authenticated relays = SMTP server that authenticates senders
S/MIME
Secure Multipurpose Internet Mail Extensions
An email security standard that offers authentication and confidentiality to email through public key encryption, digital envelopes and digital signatures
Authentication is provided by X.509 digital certificates issued by trusted third-party CAs (certificate authorities)
Privacy is provided through the use of Public Key Cryptography Standard (PKCS) compliant encryption
Signed message = provides integrity, sender authentication and nonrepudiation
Enveloped message = provides recipient authentication and confidentiality
PGP
Pretty good privacy
A peer-to-peer public-private key-based email system that uses a variety of encryption algorithms to encrypt files and email messages
Not a standard, but an independently developed product with wide support, elevating its proprietary certificates to de facto standard status
DKIM
DomainKeys Identified Mail
A means to assert that valid mail is sent by an organization through verification of domain name identity
SPF
Sender Policy Framework
Checks that inbound messages originate from a host authorized to send messages by the owners of the SMTP origin domain
DMARC
Domain Message Authentication Reporting and Conformance
A DNS-based email authentication system
Intended to protect against business email compromise (BEC), phishing and other email scams
Email servers can verify if a received message is valid by following the DNS-based instructions; if invalid, the email can be discarded, quarantined or delivered anyway
STARTTLS
Secure SMTP over TLS = explicit TLS or opportunistic TLS for SMTP
Attempt to set up an encrypted connection with the target email server in the event that it is supported. If not supported, sent as plaintext
Not a protocol, but an SMTP command
Takes place on TCP port 587
SMTP
Simple Mail Transfer Protocol (SMTP) is a technical standard for transmitting electronic mail (email) over a network
Implicit SMTPS
TLS-encrypted form of SMTP, which assumes the target server supports TLS
If it does, then an encrypted session is negotiated
If not, then the connection is terminated because plaintext is not accepted
TCP port 465
VPN concentrator
dedicated hardware device designed to support a large number of simultaneous VPN connections, often hundreds or thousands = VPN server, gateway, firewall, remote access server (RAS), device, proxy or appliance
Tunneling
network communications process that protects the contents of protocol packets by encapsulating them in packets of another protocol = VPN protocol acts like a security envelope that provides special delivery capabilities as well as security mechanisms
Enables communications between otherwise disconnected systems (e.g., encapsulates LAN traffic in whatever communication protocol is used by a temporary connection with non LAN)
Transport mode links/VPNs
host-to-host VPN = end-to-end encrypted VPN
Anchored or end at the individual hosts connected together
IP Header and IPSec Header left unencrypted
Only used within a trusted network between individual systems
Tunnel mode links/VPNs
Terminate at VPN devices on the boundaries of the connected networks
Encrypts IP header, only leaving IPSec header unencrypted
Should be used when crossing untrusted networks or linking multiple systems
Remote access VPN
variant of site-to-site VPN = link encryption VPN
Encryption is only provided when the communication is in the VPN link or portion of the communication; there may be network segments before and after the VPN which are not secured by the VPN
Always-on VPN
VPN that attempts to auto-connect to the VPN service every time a network link becomes active
Split tunnel
A VPN configuration that allows a VPN-connected client system to access both the organizational network over the VPN and the internet directly at the same time
Full tunnel
a VPN configuration in which all of the client’s traffic is sent to the organizational network over the VPN link, and then any internet-destined traffic is routed out of the organizational network’s proxy or firewall interface to the internet
VPN Protocols
PPTP
L2TP
GRE
SSH
OpenVPN
IPsec
PPTP
Point-to-Point Tunneling Protocol
Obsolete encapsulation protocol
TCP Port 1723
Offers same authentication protocols as PPP (point-to-point protocol)
PAP = Password Authentication Protocol
CHAP = Challenge Handshake Authentication Protocol
EAP = Extensible Authentication Protocol
MS-CHAPv2 = Microsoft Challenge Handshake Authentication Protocol version 2
Initial tunnel negotiation process is not encrypted
L2TP
Layer 2 Tunneling Protocol
An internet standard (RFC 2661)
Can support almost any layer 3 networking protocol
Uses UDP port 1701
Can rely on PPP’s supported authentication protocols, specifically IEEE 802.1X, a derivative of EAP
Does not offer native encryption, but supports the use of payload encryption protocols
Often deployed using IPSec’s ESP for payload encryption
GRE
Generic Routing Encapsulation
A proprietary Cisco tunneling protocol
Provides encapsulation but not encryption
SSH
Secure Shell
A secure replacement for Telnet (TCP port 23)
Operates over TCP Port 22
All SSH transmission (both authentication and data exchange) are encrypted
Limited to transport mode
If S is the prefix of a secure protocol (e.g., SFTP), encryption is provided by SSH. If S is in the suffix (e.g., HTTPS), encryption is provided by TLS.
OpenVPN
Based on TLS
Provides an easy-to-configure but robustly secured VPN option
Can use either pre-shared passwords or certificates for authentication
IPsec
Internet Protocol Security
A standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6
Primary use is for establishing VPN links between internal and/or external hosts or networks
Works only on IP networks and provides for secured authentication as well as encrypted data transmission
AH = Authentication Header
ESP = Encapsulating Security Payload
HMAC = Hash-based Message Authentication Code
IPComp = IP Payload Compression
Uses public-key cryptography and symmetric cryptography to provide encryption, secure key exchange, access control, nonrepudiation and message authentication
IKE = Internet Key Exchange = mechanism IPsec uses to manage cryptography keys
AH (IPsec)
Authentication Header
Provides assurances of message integrity and nonrepudiation
Primary authentication function for IPsec, implements session access control and prevents replay attacks
ESP (IPsec)
Encapsulating Security Payload
Provides confidentiality and integrity of payload contents
Provides encryption, offers limited authentication, and prevents replay attacks
Uses AES encryption
Can operate in either transport or tunnel mode
HMAC (IPsec)
Hash-based Message Authentication Code
Primary hashing or integrity mechanism used by IPsec
IPComp (IPsec)
IP Payload Compression
A compression tool used by IPsec to compress data prior to ESP encrypting it in order to attempt to keep up with wire speed transmission
IKE (IPsec)
Internet Key Exchange = mechanism IPsec uses to manage cryptography keys
OAKLEY
SKEME = Secure Key Exchange Mechanism
ISAKMP = Internet Security Association and Key Management Protocol
OAKLEY (IKE)
A key generation and exchange protocol similar to Diffie-Hellman
SKEME (IKE)
Secure Key Exchange Mechanism
A means to exchange keys securely, similar to a digital envelope
Modern IKE implementations may also use ECDHE (elliptic curve Diffie-Hellman exchange) for key exchange
ISAKMP (IKE)
Internet Security Association and Key Management Protocol
Used to organize and manage the encryption keys that have been generated and exchanged by OAKLEY and SKEME
Security association = agreed-on method of authentication and encryption used by two entities
Used to negotiate and provide authenticated keying material for security associations in a secured manner
Each IPsec VPN uses two security associations, one for encrypted transmission and the other for encrypted reception; thus, each IPsec VPN is composed of two simplex communication channels that are independently encrypted
Switches - four primary functions
Learning
Forwarding
Dropping
Flooding
CAM table
Content Addressable Memory table = used to map MAC addresses to physical port numbers
If a destination MAC address is present in the switch’s CAM table, frame is forwarded to the appropriate port
Learning (switch)
How a switch first becomes aware of its local network
Forwarding (switch)
CAM table = Content Addressable Memory table = used to map MAC addresses to physical port numbers
If a destination MAC address is present in the switch’s CAM table, frame is forwarded to the appropriate port
Dropping
If the destination MAC address is associated with the same port the frame arrived on, the frame is dropped
Flooding
If the destination MAC is not present in the CAM table, then the frame is flooded/sent out to all ports
VLAN
virtual local area network
A hardware-imposed network segmentation created by switches. Used to segment a network logically without altering its physical topology. Can have software-based implementations
By default, all ports on a switch are part of VLAN 1, can be reassigned on a port-by-port basis
VLAN management is most commonly used to distinguish between user traffic and management traffic
VLAN 1 is typically the designated management traffic VLAN
VLAN management
use of VLANs to control traffic for security or performance reasons
Distributed virtual switches
used in cloud and virtual environments
Port isolation / private ports
private VLANs that are configured to use a dedicated or reserved uplink port
Members of a private VLAN or a port-isolated VLAN can interact only with each other and over the predetermined exit port or uplink port
Commonly implemented in hotels
Port mirror
Duplicates traffic from one or more other ports out a specific port
SPAN port
Switched Port Analyzer port = duplicates the traffic for all other ports, or any port can be configured as the mirror, audit, IDS or monitoring port for one or more other ports
Port tap
a means to eavesdrop on network communications, especially when a switch’s SPAN function isn’t available or doesn’t meet the current interception needs
Trunk port
a dedicated port with higher bandwidth capacity than the other standard access ports, used to link multiple switches together
VLAN tags
modify the standard construction of an Ethernet frame header to include a VLAN tag value
MAC flooding attack
an intentional abuse of a switch’s learning function to cause it to get stuck flooding by flooding a switch with Ethernet frames with randomized source MAC addresses; once the CAM table is filled with false MAC addresses, the switch is unable to properly forward traffic, so it reverts to flooding mode (attacker on network will also receive a copy of the communication)
FIFO (switches)
first-in, first-out queue, how a CAM table makes room for new MAC addresses
MAC limiting
defense against MAC flooding that restricts the number of MAC addresses that will be accepted into the CAM table from each jack/port
MAC spoofing
changing the default MAC address to some other value
MAC cloning
impersonating another system, often a valid or authorized network device, to bypass port security or MAC filtering limitations
NAT
network address translation
Hides the IPv4 configuration of internal clients and substitutes the IPv4 configuration of the proxy server’s own public external NIC in outbound requests; effectively prevents external hosts from learning the internal configuration of the network
Translates the IPv4 addresses of your internal clients to leased addresses outside your environment
One-to-one basis – a single leased public IPv4 address can only allow a single internal system to access the internet
Usually also refers to PAT
PAT / NPAT / NAPT
port address translation = overloaded NAT = network and port address translation (NPAT) = network address and port translation (NAPT)
Allows a single public IPv4 address to host up to 65,536 simultaneous communications from internal clients
SNAT / Stateful NAT / Dynamic NAT
Source Network Address Translation = NAT = Stateful NAT or Dynamic NAT
NAT that maintains a mapping between requests made by internal clients, a client’s internal IP address and the IP address of the internet service contacted
NAT changes source address in outgoing packet from client’s to NAT server’s; this change is recorded in the NAT mapping database along with destination address
Once a reply is received from the internet server, NAT matches the reply’s source address to an address stored in its mapping database
NAT-T
NAT Traversal = RFC 3947
Designed specifically to support IPsec (normally not compatible with NAT because of changes NAT makes to packet headers) and other tunneling VPN protocols, such as L2TP
Static NAT / DNAT
reverse proxy = port forwarding = destination network address translation (DNAT)
Allows an external entity to initiate communication with an internal entity behind a NAT by using a public socket that is mapped to redirect to an internal system’s private address
Not usually a secure solution, may be useful for systems in a screened subnet or extranet, but not for accessing systems in the internal private LAN
Private IPv4 addresses
Private IPv4 addresses = defined in RFC 1918
10.0.0.0 – 10.255.255.255
Full Class A range
172.16.0.0 – 172.32.255.255
16 Class B ranges
192.168.0.0 – 192.168.255.255
256 Class C ranges
APIPA
Automatic Private IP Addressing = link-local address assignment = 169.254.0.1 to 169.254.255.254
Defined in RFC 3927
Assigns an IP address to a system in the event of a Dynamic Host Configuration Protocol (DHCP) assignment failure
A feature of Windows
Assigns each failed DHCP client an IP address from the range of 169.254.0.1 to 169.254.255.254 along with the default Class B subnet mask of 255.255.0.0
Allows the system to communicate only with other APIPA-configured clients within the same broadcast domain but not with any system across a router or with a correctly assigned IP address
Loopback address
127.0.0.1
Purely a software entity
An IP address used to create a software interface that connects back to itself via TCP/IP
Allows for the testing of local network settings in spite of missing, damaged or nonfunctional network hardware and related device drivers
Entire 127.x.x.x network is reserved for loopback use, though only the 127.0.0.1 address is widely used
ISA
Interconnection security agreement
A formal declaration of the security stance, risks and technical requirements of a link between two organizations’ IT infrastructures
Circuit switching
Originally developed to manage telephone calls over the public switched telephone network
A dedicated physical pathway is created between the two communicating parties
Grants exclusive use of a communication path to the current communication partners
Packet switching
The message or communication is broken up into small segments (fixed-length cell or variable-length packets) and sent across the intermediary networks to the destination
Each segment of data has its own header that contains source and destination information
Header is read by each intermediary system and is used to route each packet to its intended destination
Each channel or communication path is reserved for use only while a packet is actually being transmitted over it; as soon as the packet is sent, the channel is made available for other communications
Virtual circuit
A logical pathway or circuit created over a packet-switched network between two specific endpoints
PVC
Permanent virtual circuits
Like a dedicated leased line; the logical circuit always exists and is waiting for the customer to send data
SVC
Switched virtual circuits
Has to be created each time it is needed using the best paths currently available before it can be used and then disassembled after the transmission is complete
Dedicated line = leased line = point-to-point link
A line that is continually reserved for use by a specific customer
Always on and waiting for traffic to be transmitted over it
Connects two specific endpoints and only those two endpoints
Types (mostly been replaced by fiber optic-based solutions):
T1 = Telephone line 1 [1.64 Mbps capacity]
T3 or DS3 = Digital Service 3 [44.7 Mbps capacity]
X.25
ATM = Asynchronous Transfer Mode
Frame Relay
Nondedicated line
Line that requires a connection to be established before data transmission can occur
DSL
Digital Subscriber Line
A technology that exploits the upgraded telephone network to grant customers speeds from 144 Kbps to 20 Mbps (or more)
Formats (varies downstream and upstream bandwidth provided):
ADSL
xDSL
CDSL
HDSL
SDSL
RASDSL
IDSL
VDSL
ISDN
Integrated Services Digital Network
Planned replacement for PSTN, but did not gain widespread adoption
SDH
Synchronous Digital Hierarchy
A fiber-optic high-speed networking standard by the International Telecommunications Union (ITU)
Uses synchronous time-division multiplexing (TDM) to support high-speed duplex communications with minimal need for control and management overhead
Supports a foundational speed of 51.48 Mbps
Synchronous Transport Modules (STM) = levels of SDH
SONET
Synchronous Optical Network
A fiber-optic high-speed networking standard by the American National Standards Institute (ANSI)
Uses synchronous time-division multiplexing (TDM)
Synchronous Transport Signals (STS) = Optical Carrier (OC) = levels of SONET
STM
Synchronous Transport Modules (STM) = levels of SDH
STS-768/OC-768 = STM-256 = 39.813 Gbps
STS and OC
Synchronous Transport Signals (STS) = Optical Carrier (OC) = levels of SONET
STS-768/OC-768 = STM-256 = 39.813 Gbps
Transmission logging
a form of auditing focused on communications
Records the particulars about source, destination, time stamps, identification codes, transmission status, number of packets, size of message and so on
Transmission error correction
a capability built into connection- or session-oriented protocols and services
if it is determined that a message was corrupted, altered or lost, a request can be made for the source to resend the message
CRC
cyclic redundancy check = check for communication integrity?
Modification attacks
captured packets are altered and then played against a system