D4: Communications & Network Security Flashcards
Communications and Network Security - Main Topics
OSI Model : Open Systems Interconnections Model
- OSI Reference Model
- Network Protocols
- Network Connectivity Devices
- Threats to Network Security
- Firewalls
- Wireless Communication
OSI Model: Definition & Significance
In a company, you had all of these devices using their own computing protocols, e.g. TCP/IP, Novell, AppleTalk. This requires translation between them all; the OSI model solves this.
OSI Protocol: standards-based, open protocol
- TCP/IP became the common protocol because it offered standardization, which is so significant
- Promotes interoperability between vendors
- Enables standardization
- Describes encapsulation (packaging) of data to enable it to get from point A to point B
MUST KNOW OSI MODEL FOR THIS EXAM
- know each layer, number of each layer, what happens in each layer, the concept of encapsulation
PDU: data in whatever packaging there is
- at the top 3 layers it is just called data
- at the transport layer the data is a segment
- at the network layer it becomes a packet
- at the data link layer it becomes a frame
- at the physical layer it becomes bits
‘do some people fear birthdays’
Potential Test Questions:
- at what layer does XYZ device work?
- across which layers does XYZ device work?
- many devices don’t fit in one box
OSI Layers
All People Seem to Need Dominoes Pizza >
People Don’t Need to See Paula Abdul <
Application: data/protocol data unit (PDU) / data stream
Presentation: data
Session: data
Transport: segment/TCP protocols/datagram UDP
Network: packet
Datalink: frame
Physical: bits
OSI Model - Layer 1
- bottom > up
Physical Layer is concerned with physical connectivity and sending electric signals over a medium
All hardware devices have a point of connection, therefore at least partially have a layer 1 element
‘Dumb Devices’ - they don’t do anything to data
- Hubs, Cables, Connectors, Network Cards
A router is technically a layer 3 device, but it also spans from layer 1 up to whatever its top layer is
Threats to the Physical Layer: theft, unauthorized access, vandalism, sniffing, interference, data emanation (radiation), pipes, humidity
OSI Model - Layer 2
- bottom > up
Data Link Layer: the only layer of the OSI model with 2 sublayers
- Logical Link Control (LLC): error detection
- Media Access Control (MAC): physical
CSMA/CD: Carrier Sense Multiple Access with Collision Detection (IEEE standard 802.3, Ethernet)
- detects collisions, and expects to have collisions
- used in Ethernet connections
CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance (IEEE standard 802.11, Wireless)
- avoids collisions
- used in wireless devices
Token Passing: 24 bit control frame passed around the network environment with the purpose of determining which system can transmit data. There is only one token and since a system can’t communicate without the token, there are no collisions.
- dated but does still exist
- like bringing a microphone, passing it in a circle and waiting for your turn; eliminates the chance of collisions
- between POS devices
MAC Address
Unique identifier for every single network card on the planet (this SHOULD be the case)
48-bit address: first 24 bits for the manufacturer, last 24 bits for the individual card itself
Nothing about a MAC address indicates your location
A MAC address shouldn't change, but it can change or be spoofed
A MAC address doesn't have info in it to locate you
- not good for global addressing, but really good for local addressing
- once the packet gets close to your local router, the MAC can be used to find you
ARP: Address Resolution Protocol
- takes a known IP address and learns an unknown MAC address
Once the packet is close, the system sends out an ARP broadcast; the system with that IP replies with its MAC, which is picked up off the network
Ethernet
Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
Used by Ethernet
Contention (or collision based)
Multiple systems can access the network, but data will collide
Collisions will slow things down
Ethernet requires the resolution of an IP address to a MAC address
ARP
ARP: Address Resolution Protocol
- takes a known IP address and learns an unknown MAC address
- once a host on the local network learns that the destination IP is local, that host sends out a broadcast with the IP, and the system with that IP returns its MAC address
Once the system learns the recipient's MAC address, it will cache it and store it locally
- the downside to this is that it is trusting old information
- cache poisoning: the system mapped an IP to a specific MAC address; an attacker can switch out the MAC address in the ARP cache so the message comes to their host instead
- anything with a cache can be subject to poisoning, like a web or DNS cache
What layer does it function? 2
Across which layers? 2 & 3
ARP poisoning would happen at layer 2
Unsolicited ARP replies are malicious; a lot of OSes block them. Firewalls block them too, but a smart firewall should also check where the reply originated
Switch
By default, switches operate at layer 2
Uses MAC addresses to direct traffic
Isolates traffic into collision domains
Does NOT isolate broadcasts natively
A HUB does not provide any isolation or traffic control, so every system on the hub is colliding
- if a sniffer is plugged into a hub,
Router
OSI Model - Layer 3 Network
Routers isolate traffic into broadcast domains and use IP addressing to direct traffic and segment out the network but still allow the different subnets to talk
Sales people’s broadcast away from the HR’s broadcast - different bandwidth, different security mechanisms
Production routers are very expensive on a port-by-port basis
- when you have a lot of ports, you’ll only get one router at a time ???????
VLAN
VLAN = separate broadcast domains via a switch
Routers are expensive, so isolate the broadcast domain via a switch instead. HOWEVER, broadcast isolation is not a native function of a switch, so some switches may not support VLANs (but most probably do)
- to get broadcast isolation on a switch, a VLAN is necessary
A Layer 2 switch, even with VLANs, doesn't truly understand Layer 3 IP addressing
- you can have VLANs on a layer 2 switch, but VLAN 2 can't talk to VLAN 1, because the switch doesn't understand where VLAN 1 is. It doesn't work with IPs, it works with MAC addresses.
A Layer 3 switch is necessary for inter-VLAN communication
- a layer 3 switch can do IP address routing, determine traffic paths, etc. It ALMOST replaces a router; the difference is that it doesn't route traffic off the local network
Routers shifted their role from being internal devices, to boundary devices
Layer 3 Protocols
All protocols that start with the letter “I” except IMAP (which is a layer 7 mail protocol)
- IP
- ICMP: IP 'helpers' like ping
- IGMP: Internet Group Management Protocol
- IGRP
- IPSEC
- IKE
- ISAKMP
Internet Control Messaging Protocol: ICMP
Protocol used by most echoing capabilities: ping, traceroute, pathping
ICMP is filled with holes: very weak, with no inherent security and often no security mechanism at all.
Heavily used in DDoS attacks
Ping attacks = Layer 3 attacks that overwhelm the system
Ping Flood: sends an overwhelming amount of ICMP echo request packets, more than the target can respond to
Ping of Death: sends a lot of ping packets
SMURF: uses a spoofed source address (the target) and directed broadcasts to launch a DDoS
- send a ping request with the source address spoofed as the victim, and send it to everyone on the broadcast
- you should NEVER allow a broadcast from outside the network to come into your network (directed broadcast); there is NO good reason for this to happen, so it should be blocked!
- everyone knows how exploited ICMP is, so everyone blocks it at the firewall
- Fraggle is the same thing but uses UDP (layer 4); UDP is sometimes needed from the outside, so it cannot be blocked at the firewall level. Instead of blocking it altogether, you look for it misbehaving, like flooding
Loki Attack: information is being hidden behind or within the ICMP headers, which is not the function of ICMP headers. Data being placed there may avoid being detected by tools that don’t look for data there
User Datagram Protocol (UDP) - Layer 4
- connectionless
- unreliable
- no handshaking
- desirable when “real time” transfer is essential
- media streaming, gaming, live time chat, etc.
- FTP (File Transfer Protocol) uses TCP; much more reliable
- TFTP (Trivial File Transfer Protocol) uses UDP for speed
Session - Layer 5
Layer 5 (Session) - responsible for establishing a connection between two applications (either on the same computer or two different computers)
Will see SQL, RPC, session hijacking, session-based info being stored on a local host
Dialogue control
Release connection
Services
- session management
- dialog management
- activity management
- synchronization
Protocol
- connection-oriented
- common protocols
- ISO 8327 (OSI)
- APPC (IBM)
- DNA Session Control
Layer 6 - Presentation
Present the data in a format that all computers can understand
This is the only layer of OSI that does not have any protocols
- concerned with encryption, compression and formatting
- making sure data is presented in a universal format
- file level encryption
- removing redundancy from files
Layer 7 - Application
This defines a protocol (way of sending data) that two different programs or applications understand.
- HTTP, HTTPS, FTP, TFTP, SMTP, SNMP, etc.
- Application proxies
- Non-repudiation
- Certificates
- Integration with Directory Services
- Time Awareness
Intelligent devices can be integrated with other applications; services can understand the content of messages, e.g. a mail filter that can block mail containing 'free offer'. This takes a lot of intelligence because it has to check the content and make decisions based on it
Non-Repudiation: digital signing, public/private key pairs; stop users from using a service without digital signatures; stop users from looking at gaming websites after 5pm
Protocols that users interact with!
Email: SMTP, POP, IMAP,
Web Browser: HTTP, HTTPS
EXAM TIP: if you don’t know where a protocol lives, stick it in layer 7
TCP/IP Model - bottom up
Network Access Layer
Internet Layer
Transport Layer
Application Layer
Does the same thing as OSI, but says that application, presentation and session are handled by the OS, so they are grouped into a single "application layer"
EXAM TIP: if they don’t specify the model, then answer as the OSI, but if they ask for the TCP/IP model for a question, make sure you use the correct layers because they will try to trick you. GO SLOW.
Memorize OSI model and then learn how TCP/IP maps to OSI
7 Application
Responsibilities: User application services
Data Type: User Data
Info: GATEWAYS (exam) - smartest layer, content layer, certs, non-repudiation, mail. API - Application Program Interface
Firewall: Kernel Proxy FW - very fast hardware (GEN5)
Common Protocols & tech: FTP, TFTP, SSH, IMAP, POP, HTTP, HTTPS
TCP/IP Model Mapping: Application
6 Presentation
Responsibilities: Data Translation, Compression, and Encryption
Data Type: Data
Info: File Level Formatting, Encryption and Compressing
Firewall: —
Common Protocols & tech: EFS - Encryption File System
TCP/IP Model Mapping: Application
5 Session
Responsibilities: Session Establishment, Management and termination
Data Type: Data
Info: Application to Application
Firewall: Stateful Firewall - inspects and understands traffic, allows protocols as long as they behave like they should (GEN 3)
Common Protocols & tech: SQL, RPC (DNS is Layer 5 for the exam)
TCP/IP Model Mapping: Application
4 Transport
Responsibilities: End-to-End connections; segmentation and reassembly
Data Type: Segment
Info: Syn flood; fraggle - exploits UDP
Firewall: —
Common Protocols & tech: TCP and UDP, SSL / TLS
TCP/IP Model Mapping: Transport / Host to Host
3 Network
Responsibilities: logical addressing; routing (path determination); datagram encapsulation; error handling and diagnostics
Data Type: Packets, datagrams
Info: Router - isolates broadcast traffic; logical addressing (IPSec for security); Ping floods / ping of death / Loki / Smurf attack (spoofed source address)
Firewall: static/stateless FW - very limited; all or nothing - FW blocks or allows entire protocol (gen 1)
Common Protocols & tech: IP, IPv6, IP NAT, IP Sec, ICMP, RIP, BGP
TCP/IP Model Mapping: Internet
2 Data Link
Responsibilities: Logical Link Control; Media Access Control (MAC); Data Framing; Addressing; Error Detection
Data Type: Frames
Info: Switch - doesn’t address broadcast traffic; MAC, Ethernet, NIC Tunneling - encapsulation (L2TP gives you the tunnel / IPSec gives you the security)
Firewall: —
Common Protocols & tech: IEEE 802.2 LLC; Ethernet; Token Ring; FDDI and CDDI; IEEE 802.11 WLAN / WiFi; PPTP; L2TP
TCP/IP Model Mapping: Network Access
1 Physical
Responsibilities: encoding and signaling physical data transmission; hardware specifications; topology and design
Data Type: Bits
Info: Cable, Hub, Modem (No Addressing)
Firewall: —
Common Protocols & tech: Physical Layer ??
TCP/IP Model Mapping: Network Access
Firewalls
Provide isolation and separation based on trusted traffic vs. untrusted traffic
Create zones based on trusted zones vs. untrusted vs semi-untrusted (DMZ)
- DMZ gives us some control, but is also public; like web servers
Hardware firewalls vs. software firewalls
- if you have a software firewall, you need a host system for that firewall to run on
Uses rule-based access control: allow or deny rules. SHOULD DENY BY DEFAULT; everything else can be whitelisted (explicitly allowed)
Firewalls and the OSI Model
Layer 3 (Network Layer) - packet filtering - screening routers inspect layer 3 and layer 4 headers:
- source and destination IP
- source and destination port
- protocol (TCP or UDP)
You know what a firewall does, based on what layer it operates in
- by default it’s probably layer 3
- a layer 3 firewall has a tiny bit of layer 4 because it can look at port numbers and protocols at layer 4
- with a packet filtering FW (layer 3) you can filter on source/destination IP, port and protocol, but you don't have a lot of granularity. If you're experiencing TCP SYN flooding, all you can really do is block TCP, which would bring the network to a screeching halt for external traffic
- basically a router that has an access control list that does first-level screening (screening router)
EXAM: Why would you use a layer 7 firewall over a layer 3?
- things are
- 7 has deeper packet inspection, decisions on more criteria
3 vs 7?
- 3 is faster and cheaper
Stateful Filtering
Layer 5 - Session Layer
Stateful Filtering
- awareness of the initiation of the session and the state
- can block unsolicited replies
- can understand syntax of lower protocols and can block misbehaving traffic
Unsolicited Replies (IRL Example)
- I want to allow DNS replies through my firewall but only if they’re in response to a query
- in the session layer, you can see all components of the session like who started it (or the state of the connection)
Application Proxies / Firewalls
Layer 7 (Application Layer)
- deep packet and content inspection / has access to all of the data
Forward Proxy: inspects traffic from inside going out
- audit where users’ traffic is going
Reverse Proxy: inspects traffic from outside going in
- see and restrict users coming into the network
- the DNS server directs their request to the proxy, which inspects the traffic and forwards it on to the web server
- SMTP
- Can inspect on content, time, application-awareness, certificates, etc.
- Specific to the application protocol
IRL Example: you don't want a user to go to a specific website, and all you have is a layer 3 firewall - you can block that person's IP from connecting to the website, block the IP on a certain port, or block all traffic through a certain port
Layer 5: keep responses from coming in that weren't solicited
Layer 7: you want this person, who is on AD, to not access a malicious website before 5pm; for that you'll need layer 7
Application Proxies (layer 7 firewalls): can stop people from going to websites displaying the human body; unless their last query was medical in nature
Firewalls
- enforce network policy
- usually firewalls are put on the perimeter of a network and allow or deny traffic based on company or network policy
- must have IP forwarding turned off*
- firewalls are often used to create a DMZ
- generally are dual/multi-homed*
Types of firewalls
- packet filtering
- stateful
- proxy
- dynamic packet filtering
Packet Filter
ACLs: rules that the firewall applies to each packet it receives
Not stateful; just looks at the network and transport layer headers (IP addresses, ports and "flags")
- does not look into the application, cannot block viruses, etc.
- generally does not support anything advanced or custom
Packet Filters keep no state
- each packet is evaluated on its own without regard to previous traffic
- advantages
- disadvantages (fragments)
Rule based access control
Packet filters are still used on the edge of the network in front of a stateful firewall for performance reasons
Stateful Firewall
The firewall keeps track of connections in a table. It knows which conversations are active, who is involved, etc.
It allows return traffic to come back, where a packet filter would need a specific rule to define the returned traffic
More complex, and can be hit with a DoS by an attacker trying to fill up all the entries in the state table / use up memory
If rebooted, it can disrupt conversations that had been occurring
Context dependent access control*
Encapsulation / De-encapsulation
- The Application layer creates a message > passes the message to the Presentation layer
- Each layer adds a header at the start of the message, and sometimes a footer, before it passes it along to the next layer.
- At the Physical layer, the message is converted into electrical impulses that represent bits and is transmitted over the physical connection
- The receiving computer captures the bits from the physical connection and re-creates the message in the Physical layer.
- The Physical layer converts the message from bits into a Data Link frame and sends the message up to the Data Link layer.
- The Data Link layer strips its information and sends the message up to the Network layer; this act, called de-encapsulation, continues all the way up to the Application layer
* the information removed at each layer includes instructions, checksums, etc. that can only be understood by the peer layer that originally added it
- When the message reaches the Application layer, the data in the message is sent to the intended software recipient
Physical Layer
The Physical layer accepts the frame from the Data Link layer, and converts the frames to bits for transmission over the physical connection medium.
The Physical layer receives bits from a physical connection medium and converts the bits into a frame to be used in the Data Link Layer
The Physical layer contains device drivers that tell protocols how to employ hardware for transmission or reception of bits.
The Physical layer controls throughput rates, synchronization, line noise and medium access.
The Physical layer determines whether to use digital or analog signals or light pulses to transmit or receive data over the physical hardware interface.
Network Hardware Devices at Layer 1: devices that perform hardware-based signal operations, such as sending a signal from one connection port out on all other ports (a hub) or amplifying the signal to support greater transmission distances (a repeater).
- NICs: (Network Interface Cards)
- Hubs
- Repeaters
- Concentrators
- Amplifiers
Data Link Layer
The Data Link Layer is responsible for formatting the packet from the Network layer into the proper format for transmission - this is determined by the hardware and technology of the network. Some examples:
- Ethernet (the only common one in modern networks)
- Token Ring
- Asynchronous Transfer Mode
- Fiber Distributed Data Interface
- Copper DDI
The Data Link Layer contains the technology-specific protocols that convert the packet into a properly formatted frame > then sent to the Physical layer for transmission
The Data Link Layer adds the hardware source and destination address to the frame.
- MAC (Media Access Control) Address = hardware address
The Data Link Layer has two sub-layers:
- Logical Link Control (LLC)
- Media Access Control (MAC)
MAC Address: 6-byte/48-bit binary address written in hexadecimal notation
- first 3 bytes is the OUI (Organizationally Unique Identifier) which denote the vendor or manufacturer of the physical network interface - these are registered with the IEEE (Institute of Electrical
- last 3 bytes represent a unique number assigned to the interface by the manufacturer
- no two devices have the same MAC address in the same Ethernet broadcast domain, or it would lead to address conflict
- when they are not unique by accident, the NIC hardware would have to be replaced or the MAC address would have to be spoofed
Address Resolution Protocol (ARP): ARP is used to resolve IP addresses into MAC addresses. Traffic on a network segment is directed from its source system to its destination using MAC addresses
Layer 2 Network Hardware Devices: switches and bridges
- these devices support MAC-based traffic routing
- switches receive a frame on one port and send it out another port based on the destination MAC address
- bridges use the destination MAC address to determine whether a frame is transferred over the bridge from one network to another
Address Resolution Protocol and Why it Doesn’t Fit into Any Layers
ARP does not fit perfectly into OSI model since it is a conceptual model
ARP is carried as the payload of an Ethernet frame > since Ethernet is layer 2, it would make sense to consider ARP layer 3. HOWEVER - ARP does not use source/destination addresses to direct communications in its header > instead it is dependent on Ethernet’s source and destination MAC addresses
ARP is ALSO not a layer 2 protocol as it depends upon Ethernet to serve as its transportation host. So AT BEST it is a dependent layer 2 protocol.
Network Layer
The Network Layer is responsible for adding routing and addressing information to the data.
The Network Layer accepts the segment from the Transport layer, and adds information to it to create a packet. The packet includes source and destination IP addresses.
The Network Layer is responsible for providing routing or delivery information; it is not responsible for verifying guaranteed delivery - that is the responsibility of the Transport layer
The Network Layer manages error detection and node traffic data (traffic control)
Hardware Devices at Layer 3: routers and bridge routers (brouters)
- routers determine the best logical path for the transmission of packets based on speed, hops, preference and so on
- routers use the destination IP address to guide the transmission of packets
- brouters work primarily in layer 3, but also in layer 2 when necessary
- brouters are devices that attempt the route first, but if it fails, it will default to bridging.
Routing Protocols:
- Distance Vector: maintains a list of destination networks along with metrics of direction and distance as measured in hops (the number of routers to cross to reach the destination). RIP, IGRP
- Link State: maintains a topography map of all connected networks and uses this map to determine the shortest path to the destination. OSPF
Protocols in the Data Link Layer
Protocols in the Data Link Layer:
- SLIP Serial Line Internet Protocol
- PPP Point-to-Point Protocol
- ARP Address Resolution Protocol
- L2F Layer 2 Forwarding
- L2TP Layer 2 Tunneling Protocol
- PPTP Point-to-Point Tunneling Protocol
- ISDN Integrated Services Digital Networks
Protocols in the Network Layer
- ICMP Internet Control Message Protocol
- RIP Routing Information Protocol
- OSPF Open Shortest Path First
- BGP Border Gateway Protocol
- IGMP Internet Group Management Protocol
- IP Internet Protocol
- IPSec Internet Protocol Security
- IPX Internetwork Packet Exchange
- NAT Network Address Translation
- SKIP Simple Key Management for Internet Protocols
Network Layer: Non-IP Protocols
Non-IP protocols serve as an alternative to IP at the Network Layer. They used to be widely used but are now only used for special-purpose networks.
The three most popular are IPX, AppleTalk and NetBEUI. They can be used as alternatives to IP in a dead-zone network implementation using IP-to-alternate-protocol gateways
- A dead zone is a network segment using an alternative network layer protocol instead of IP.
IPX: part of the IPX/SPX packet suite commonly used on Novell NetWare networks in the 90s.
AppleTalk: a suite of protocols developed for Apple
NetBEUI: Microsoft protocol used for printer and file sharing and can be used in modern networks by devising NetBIOS over TCP/IP (NBT). This in turn serves the Windows sharing protocol of SMB (Server Message Block) which is also known as Common Internet File System (CIFS). It is no longer in use for lower layer protocols, only SMB and CIFS variants are still in use.
SECURITY RISK: since non-IP protocols are rare, most firewalls are unable to perform packet header, address, or payload content filtering on them
- when it comes to non-IP protocols, a firewall can ONLY block or allow the protocol as a whole. The main concern lives within the packet contents.
- Non-IP protocols can be encapsulated in IP to be communicated across the internet. In an encapsulation situation, IP firewalls are rarely able to perform content filtering on the encapsulated traffic, and thus security has to be set to an allow-all or deny-all configuration.
Transport Layer
The Transport Layer is responsible for managing the integrity of a connection and controlling the session.
The Transport Layer accepts a PDU, aka a container of information or data passed between network layers.
A PDU coming from a Session layer is converted into a segment.
The Transport layer, which controls how devices on the network are addressed or referenced, establishes communication connections between nodes (also known as devices) and defines the rules of a session.
Session rules specify how much data each segment can contain, how to verify the integrity of data transmitted, and how to determine whether data has been lost.
Session rules are established through a handshaking process, so the communicating devices are in agreement on the rules
The Transport Layer establishes a logical connection between two devices and provides end-to-end transport services to ensure data delivery
Includes mechanisms for segmentation, sequencing, error checking, controlling the flow of data, error correction, multiplexing, and network service optimization
Transport Layer Protocols
TCP Transmission Control Protocol
UDP User Datagram Protocol
SPX Sequenced Packet Exchange
SSL Secure Sockets Layer
TLS Transport Layer Security
Session Layer
The Session Layer is responsible for establishing, maintaining, and terminating communication sessions between two computers.
Session Layer manages dialogue discipline or dialogue control (simplex, half-duplex, or full duplex), establishes checkpoints for grouping and recovery and retransmits PDUs that have failed or been lost since the last verified checkpoint
Simplex: one way communication
Half-Duplex: two-way communication, but only one direction can send data at a time
Full-Duplex: two-way communication, in which data can be sent in both directions simultaneously
Session Layer Protocols
NFS Network File System
SQL Structured Query Language
RPC Remote Procedure Call