Domain 4 Flashcards
Network Architectures
VXLAN - Virtual Extensible LAN
Network virtualization enabling network segmentation at high scale.
Overcomes VLAN scale limitations - limit is 4096 VLANs versus millions of VXLANs
Tunneling protocol that encapsulates an Ethernet frame (layer 2) in a UDP packet
Network Architectures
Software Defined Networks (SDNs)
A network architecture approach that enables the network to be intelligently and centrally controlled, or programmed using software
- Has the capacity to reprogram the data plane at any time
- Use cases include SD-LAN and SD-WAN
- Separating control plane and data plane opens a number of security challenges
- Vulnerable to attacks like MITM and DoS
Secured with TLS
Network Architectures
Software Defined Wide Area Networks (SD-WAN)
Enables users in branch offices to remotely connect to an enterprise's network.
Enables use of many network services like MPLS, LTE, and broadband internet to securely connect users to apps
Security is based mostly on IPsec, VPN Tunnels, next gen firewalls (NGFWs), and the micro-segmentation of app traffic
Uses a centralized control function for intelligent routing and Secure Access Service Edge (SASE) to decentralize connectivity
Network Architectures
Light Fidelity (Li-Fi)
Uses the modulation of light intensity to transmit data (uses LED)
Can safely function in areas otherwise susceptible to electromagnetic interference
Can theoretically transmit at speeds of up to 100 Gbit/s
- Li-Fi only requires working LED lights
- Visible light cannot penetrate opaque walls
Network Architectures
Zigbee - Personal Area Network (PAN)
Short range wireless
Developed to support automation, machine to machine comms, remote control, and monitoring of IoT devices
Supports both centralized and distributed security models and mesh topology
Assumes that symmetric keys used are transmitted securely (encrypted in transit)
NOTE
- During pre-configuration of a new device, a single key may be sent unprotected, creating a brief vulnerability
IoT Smart Home Hub
Cellular Networking
5th Gen Cellular 5G
Faster speeds and lower latency
- Unlike 4G, 5G does NOT ID each user through their SIM card. Instead it can assign IDs to each device
- Some air interface threats such as session hijacking are dealt with in 5G
NOTE
- NSA (Non-Standalone) deployments anchor the control signaling of 5G networks to the 4G core - the Diameter protocol, which provides authentication, authorization and accounting (AAA), will be a target
- Old vulns of 3G/4G are still a threat because 5G relies on them
- DDoS is a concern because IoT endpoint counts on 5G are exponentially greater
Content Delivery Networks (CDN)
Geographically distributed network of proxy servers and their data centers
- Goal is fast and highly available content delivery by distributing content spatially relative to users
- CDNs serving JavaScript have been targeted to inject malicious content into pages
- Vendors in CDN offer DDoS protection and Web Application Firewalls (WAF)
- Ex) video streaming, software download, audio streaming
OSI Model
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical
All People Seem To Need Data Processing
Standard Network Topologies
STAR
Employs a centralized connection device
- Can be a simple hub or switch
- Each system is connected to the central hub by a dedicated segment
Standard Network Topologies
MESH
Connects systems to all other systems using numerous paths
- A partial mesh is possible
- BENEFIT: provides redundant connections to systems, allowing multiple segment failures without seriously affecting connectivity
Standard Network Topologies
RING
Connects each system as points on a circle
- The connection medium acts as a unidirectional transmission loop
- Only one system can transmit data at a time. Traffic management is performed by a token
NOTE
token ring network is a ring-based network
Standard Network Topologies
BUS
Connects each system to a trunk or backbone cable
- All systems on the bus can transmit data simultaneously which can result in collisions
- A collision occurs when two systems transmit data at the same time; the signals interfere with each other
NOTE
ethernet is a bus network
Analog Signals
Communications occur with a continuous signal that varies in frequency
- Variances occur in a wave shape
- Communication is altered / corrupted over long distances due to interference
Digital Signals
Comms occur through the use of a discontinuous electrical signal and a state change or on / off pulses
1s and 0s
- More reliable than analog
- Uses current voltage where voltage ON is 1 and voltage OFF is 0
Synchronous Communication
Rely on a timing or clocking mechanism based on either an independent clock or time stamp embedded in the data stream
- Typically support high rates of data transfer. EX) networking
Asynchronous Communication
Rely on start and stop delimiter bits to manage the transmission of data
- Best suited for smaller amounts of data
- EX) Public switched telephone network (PSTN) modems
Baseband
Supports only a single communication channel
- It uses a direct current applied to the cable. A current at a higher level represents a binary 1 and a lower level represents 0
- Is a form of digital signal
- EX) ethernet
Broadband
Can support multiple simultaneous signals; uses frequency modulation to support numerous channels
- Each channel supports a distinct communication session. Suitable for high throughput rates, especially when several channels are multiplexed
- Is a form of analog signal
- EX) TV, Cable modem, ISDN, DSL, T1, T3
Broadcast
Technology supports comms to ALL possible recipients
Multicast
Technology supports comms to multiple specific recipients
Unicast
Technology supports only a single comm to a specific recipient
Carrier Sense Multiple Access (CSMA)
Developed to decrease the chances of collisions when 2+ stations start sending their signals over the datalink layer. Requires that each station first check the state of the medium before sending
CSMA variations and collisions
CSMA/CA (collision avoidance)
Attempts to avoid collisions by granting only a single permission to comm at any given time
CSMA variations and collisions
CSMA/CD (collision detection)
Responds to collisions by having each member of the collision domain wait for a short but random period of time before starting the process over.
Token Passing
Performs comms using a digital token. Once a system's transmission is complete, it releases the token to the next system
NOTE
Prevents collisions in ring networks
Polling
Performs comms using a master-slave configuration. The primary system polls each secondary system in turn to ask whether it needs to transmit data.
NOTE
used by Synchronous Data Link Control (SDLC) (layer 2 protocol used by IBM)
Network Segmentation
Intranet
A private network that is designed to host the same information services found on the internet.
Network Segmentation
Extranet
A section of an org's network that has been sectioned off to act as an intranet for the private network but also serves information to the public internet
NOTE
A cross between Internet and Intranet
Network Segmentation
DMZ
An extranet for public consumption is typically labeled a perimeter network
Network Segmentation
Reasons for segmentation
- Boosting Performance where systems that often communicate are in the same segment
- Reducing comm problems: reduces congestion and contains problems into each segment
- Providing Security: isolates traffic and user access to those segments where they are authorized
Bluetooth (IEEE 802.15)
is a Personal Area Network
- Pairing has the primary device scan the 2.4 GHz radio band for available devices
- Pairing with a 4-digit code helps prevent accidental pairings but is not secure
Mobile System Attacks
Bluejacking
Annoyance
- Pushing unsolicited messages to nearby Bluetooth devices using a loophole in the technology's messaging options
Mobile System Attacks
Bluesnarfing
Data Theft
- Wirelessly connecting to early Bluetooth-enabled mobile devices without the owner's consent to steal data
Mobile System Attacks
Bluebugging
Grants hackers remote control over the features / functions of a Bluetooth device. Includes ability to turn on device mic and use it as a bug
Service Set Identifier ( SSID ) Broadcast
Wireless networks traditionally announce their SSID on a regular basis with a beacon frame
- When the SSID is broadcast, any device can automatically detect and connect to the network
- Hiding the SSID is considered security through obscurity - it is still detectable through client traffic
Temporal Key Integrity Protocol (TKIP)
Was designed as the replacement for WEP without the need to replace legacy hardware.
- Implemented into 802.11 wireless networking under the name WPA (Wi-Fi Protected Access)
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
- Created to replace WEP and TKIP/WPA
- Uses AES (Advanced Encryption Standard) with a 128-bit key
Fibre Channel
A form of network data storage solution, like Storage Area Network or Network-Attached Storage, that allows for high-speed file transfers
Fibre Channel over Ethernet (FCoE)
Used to encapsulate Fibre Channel comms over ethernet networks
Internet Small Computer System Interface (iSCSI)
A networking storage standard based on IP
Site Survey
The process of investigating the presence, strength and reach of wireless access points deployed in an environment
Extensible Authentication Protocol (EAP)
Authentication framework that allows new authentication technologies to be compatible with existing wireless or point-to-point connection technologies
Protected EAP (PEAP)
Encapsulates EAP method within a TLS tunnel that provides authentication and potentially encryption
Lightweight EAP (LEAP)
Cisco proprietary alternative to TKIP for WPA. Developed to address deficiencies in TKIP before the 802.11i/WPA2 system was ratified as a standard
MAC Filtering
A list of authorized wireless client interface MAC addresses
- Used by a wireless access point to block access to all nonauthorized devices
Captive Portals
Authentication technique that redirects a newly connected wireless web client to a portal access control page
- Ex) NCSU Guest wifi
Network Devices
Firewalls
Used to filter traffic based on rules
Network Devices
Switch
Repeats traffic only out to the port on which the destination is known to exist.
- Greater efficiency for traffic delivery, create separate collision domains, improve overall data throughput
NOTE
Usually layer 2, sometimes layer 3
Network Devices
Router
Control traffic flow on a network and are often used to connect similar networks and control traffic flow between them.
- Can function using statically defined routing tables, or employ a dynamic routing system
NOTE
Layer 3
Network Devices
Gateways
Connect networks that are using different network protocols. Also known as protocol translators; can be hardware devices or software services.
NOTE
layer 3
Network Devices
Repeaters, Concentrators, Amplifiers
Strengthen the comms signal over a cable segment as well as connect network segments that use the same protocol
Layer 1
Network Devices
Bridges
Connect 2 networks (could have different topologies, cabling types, and speeds) in order to connect network segments that use the same protocol
Layer 2
Network Devices
Hubs
Connect multiple systems and connect network segments that use the same protocol.
- Multiport repeater
Layer 1
Network Devices
LAN Extenders
Remote access, multilayer switch used to connect distant networks over WAN
LAN & WAN Technologies
Private Circuit
Use dedicated physical circuits
Examples:
- Dedicated or leased lines
- Point-To-Point Protocol (PPP)
- Serial Line Internet Protocol (SLIP)
- Integrated Services Digital Network (ISDN)
- Digital Subscriber Line (DSL)
LAN & WAN Technologies
Packet-switching
Use virtual circuits instead of dedicated physical circuits.
- Efficient and cost-effective
Examples:
- X.25, Frame Relay
- Asynchronous transfer mode (ATM)
- Synchronous Data Link Control (SDLC)
- High-Level Data Link Control (HDLC)
Firewalls
Static Packet-Filtering Firewalls
Filters traffic by examining data from a message header
Operate at layer 3 and up
Firewalls
Application-Level Firewalls
Filters based on a single internet service, protocol, or application
Operate at layer 7
Firewalls
Circuit-Level Firewalls
Used to establish comms sessions between trusted partners.
Example)
- SOCKS
Operate at layer 5
Firewalls
Stateful Inspection Firewalls
Evaluate the state, session, or context of network traffic
Firewalls
Deep Packet Inspection Firewalls
A filtering mechanism that typically operates at the application layer in order to filter the payload contents of a comm rather than only the header values.
Firewalls
Stateless Firewalls
Watch network traffic and restrict or block packets based on src and dest addresses or other static values
- Not aware of traffic patterns or data flows
- Do better for heavy traffic loads
Firewalls
Stateful Firewalls
Can watch traffic streams from end to end
- Are aware of comm paths
- Can implement IPsec functions like tunnels / encryption
- Better at ID’ing unauthorized or forged comms
Firewalls
Web Application Firewalls (WAF)
Protects web apps by filtering HTTP traffic between the app and the internet.
- Typically protects web apps against common attacks like XSS, CSRF, and SQL Injection
- Some come preconfigured with OWASP rulesets
Firewalls
Next Generation Firewalls
A deep packet inspection firewall that moves beyond port / protocol inspection and blocking.
- adds app level inspection and brings in intelligence from outside the firewall
Firewalls
Unified Threat Management (UTM)
A Multifunction Device (MFD) composed of several security features in addition to a firewall
- May include IDS, IPS, TLS/SSL proxy, web filtering, QoS management, bandwidth throttling, NAT, VPN, antivirus
- Hard to scale, common in small and medium businesses (SMB)
Firewalls
Network Address Translation Gateway (NAT)
Allows private subnets to comm with the internet but hides the internal network from internet users
- NAT gateway has the Network Access Control List (NACL) for the private subnets
Firewalls
Content / URL Filter
Looks at the content of the webpage and blocks based on filters
- Used to block inappropriate content in the context of the situation
- associated with deep-packet inspection
Firewalls
Open-Source
Vendor makes the license freely available and allows access to the source code
- No vendor support
- Popular option is pfSense
Firewalls
Proprietary
More expensive but tend to provide more / better protection and more functionality / support (at a cost)
- no source code access
Firewalls
Hardware
Piece of purpose-built network hardware
- May offer more config support for LAN and WAN
- Often has better throughput because it is designed for the speeds and connections common to an enterprise network
Firewalls
Software
Installed on your own hardware
- Provides more flexibility; can be on any host
- Host-based (software) firewalls are more vulnerable in some aspects due to the host's attack vectors
Firewalls
Application
Typically just for application comms
- Often HTTP / Web Traffic
- Ex) NGFW
Firewalls
Host-Based
An app installed on a host OS, both client and server OSs
Firewalls
Virtual
In the cloud, firewalls are implemented as Virtual Network Appliances (VNA)
- Available from both CSP and 3rd parties
Intrusion Detection System (IDS)
Analyzes whole packets, both header and payload, looking for known events.
- When event is detected, a log message is created
Reports and / or alerts
Intrusion Prevention System (IPS)
Analyzes whole packets, both header and payload, looking for known events.
- When event is detected, packet is rejected
Takes Action
Types of IDSs
Behavior Based
Creates a baseline of activity to ID normal behavior and then measures system performance against the baseline to detect abnormal behavior
- Can detect previously unknown attack methods
Types of IDSs
Knowledge Based
Uses signatures similar to the signature definitions used by anti-malware software
- Only effective against known attack methods
Host Based IDS and IPS (HIDS, HIPS)
IDS / IPS in software form, installed on a host (often a server)
Network Based IDS and IPS (NIDS, NIPS)
IDS / IPS at the network level, often in hardware form
NIDS / NIPS Modes of Operation
Inline (in-band)
NIDS / NIPS placed on or near the firewall as an additional layer of security
NIDS / NIPS Modes of Operation
Passive (out-of-band)
Traffic does NOT go through the NIDS / NIPS.
- Sensors and collectors forward alerts to the NIDS
Network Appliances
Sensors and Collectors
Can be placed on a network to alert NIDS of any changes in traffic patterns on the network.
- If you place a sensor on the Internet side of the network, it can scan all of the traffic from the internet
Secure Network Design
Bastion Host
Computer or Appliance that is exposed on the internet and has been hardened by removing all unnecessary elements, such as services, programs, protocols, and ports
Hardened
Secure Network Design
Screened Host
A firewall-protected system logically positioned just inside a private network
MOST SECURE vs Bastion Host
Secure Network Design
Screened Subnet
Similar to Screened host in concept.
Subnet is placed between 2 routers or firewalls and the bastion host(s) is located within that subnet
Secure Network Design
Proxy Server
Functions on behalf of the client requesting a service, masking the true origin of the request to the resource
Secure Network Design
Honeypot
Lures bad people into doing bad things and lets you watch them
- Only ENTICE, not entrap.
Example:
- Allowing the download of a fake payroll file would be entrapment
GOAL: to distract from real assets and isolate the intruder in a padded cell until you can track them down
Network Attacks
Teardrop Attack
DoS attack that involves sending fragmented packets to a target machine
- The machine cannot reassemble them due to a bug in TCP/IP fragment reassembly; the packets overlap and crash the machine
Network Attacks
Fraggle Attack
DoS attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network.
- Smurf attack does the same thing but with ICMP
Network Attacks
SYN Flood
DoS attack where the attacker sends a lot of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legit traffic
Network Attacks
Ping of Death
Sends an oversized ping packet
- Max allowed ping size is 65536 bytes
- PoD sends 65537 or larger
TCP 3-Way Handshake
Client –> SYN –> Server
Client <– SYN + ACK <– Server
Client –> ACK –> Server
ID vs AuthN
Identification
Subjects claim an ID
ID vs AuthN
Authentication
Subjects prove their identity by providing credentials
AuthZ vs Accountability
Authorization
After authenticating subjects, systems authorize access to objects based on their proven identity
After authentication
AuthZ vs Accountability
Accountability
Auditing logs and audit trails record events including the ID of the subject that performed the action
Provides proof
Identification + authentication + auditing = Accountability
Primary Authentication Factors
Passwords
Weakest form of authentication
- Password policies help increase security by enforcing complexity and history requirements
Primary Authentication Factors
Smartcards
Include microprocessors and cryptographic certificates
Primary Authentication Factors
Tokens
Create one-time passwords
Primary Authentication Factors
Biometric
ID users based on characteristics like fingerprints
Know the crossover error rate
Biometrics
Gait Analysis
Uses the way a person walks to ID them; can be used with low-quality cameras
Biometrics
False acceptance
When an invalid subject is authenticated.
- Type 2 error
- false positive
- FAR = False Acceptance Rate
False acceptance is generally worse than false rejection
Biometrics
False rejection
When a valid subject is rejected
- Type 1 error
- false negative
- FRR = False Rejection Rate
Biometrics
Crossover Error Rate
IDs the accuracy of a biometric method
- It shows where the false rejection rate is equal to the false acceptance rate
- To move the CER higher or lower, you can increase / decrease sensitivity of the biometric device
Single Sign-On
Allows subjects to authenticate once and access multiple objects without authenticating again.
Common SSO standards:
- SAML
- SESAME
- KryptoKnight
- OAuth
- OpenID
SSO - SAML, OAuth, OpenID
Security Assertion Markup Language (SAML)
XML-based open standard data format for exchanging AuthN and AuthZ data between parties
- Between ID provider and a service provider
- common in federation scenarios
SSO - SAML, OAuth, OpenID
OAuth 2.0
Open standard for AuthZ, commonly used as a way for internet users to log into 3rd party websites with their Google (etc) accounts without exposing their password.
- Developed by IETF, updated through RFC
SSO - SAML, OAuth, OpenID
OpenID
Open standard, provides decentralized AuthN, allowing users to log into multiple unrelated websites with one set of credentials maintained by a 3rd party service referred to as the OpenID provider