Domain 4 - Communication and Network Security Flashcards
Virtual extensible LAN (VXLAN)
network virtualization enabling high scale segmentation, can make MILLIONS versus just 4096 VLANS, tunneling protocol that encapsulates an ethernet frame (layer 2) in a UDP packet, layer 2 can typically only be attacked from within ie MAC spoofing or flooding, RFC 7348 is the vxlan rfc
Software defined networks (SDN)
enables the network to be centrally controlled using software, can reprogram the data plane at any time, SD-LAN and SD-WAN, typically uses ABAC!! separates the control plane from the data plane, which creates sec challenges, vulns include man in the middle attacks and DoS, secure with TLS!
SDWAN
enables users in branch offices to remotely connect to an enterprise's network, enables use of many network services MPLS, LTE, broadband, etc. Sec is based largely on VPN tunnels, IPsec, next gen firewalls (NGFWs), and micro-segmentation of application traffic, uses secure access service edge (SASE) to decentralize connectivity
Li-Fi
uses LED to transmit data, can function in areas susceptible to electromagnetic interference, can theoretically transmit up to 100gbit/s, only requires working LEDs but walls are a barrier, still in development
Zigbee
short range wireless personal area network (PAN), supports automation/ machine to machine comms/ remote control/ monitoring of IOT devices, supports centralized/ distributed models and mesh topology, assumes that symmetric keys used are transmitted securely (encrypted in transit), IOT smart home hubs
5G
faster speed lower latency, doesn’t identify users through SIM cards = can assign identity through device, standalone (SA) version of 5G will be more secure than non-standalone (NSA) version, anchors control signaling of 5G networks to the 4G core, Diameter protocol provides authentication/ authorization/ accounting (AAA), DDoS is a concern due to scale of IoT endpoints
Content delivery networks (CDN)
geographically distributed network of proxy servers and their data centers, goal is fast and highly available content delivery by distributing content spatially relative (close to) users, CDN networks serving JavaScript have been targeted to inject malicious content into pages, vendors in CDN space offer DDoS protection and web application firewalls (WAFs), video/ audio streaming
The OSI MODEL
All People Seem To Need Data Processing
Physical (layer 1 OSI)
contains device drivers that tell the protocol how to use the hardware for transmission/ reception of bits. 802.11 - Wifi, ethernet, bluetooth, EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET
Data Link (layer 2 OSI)
- Frames!! are the transmission type, formatting packet from Network layer in proper format for transmission, ARP, PPP, L2F, L2TP, PPTP, FDDI, ISDN, SLIP
Network (layer 3 OSI)
- PACKETS!! routing and addressing information (source and destination) ICMP, IP, IPSec, NAT, SKIP, IPX, RIP, OSPF, IGMP
Transport (layer 4 OSI)
- manages integrity of a connection and controlling the session (segment or datagram), TLS, TCP, UDP, SPX, SSL
Session (layer 5 OSI)
- establishing/ maintaining/ terminating communication sessions between computers, SMB, RPC, NFS, SQL
Presentation (layer 6 OSI)
- transforms data received from application layer into a format that any system following the model can understand, encryption protocols and format types such as ASCII, EBCDIC, TIFF, JPEG, MPEG, MIDI
Application (layer 7 OSI)
- interfacing user applications, network services, or the OS with the protocol stack, HTTP, SSH, FTP, SMTP, POP3, IMAP, SNMP, SET, telnet
TCP/IP stack vs OSI
Application = Application/presentation/session
Transport = Transport
Internet = Network
Link = Datalink / Physical
Common ports
FTP = TCP 20/21
SSH = TCP 22
Telnet = TCP 23
SMTP = TCP 25
DNS = TCP/UDP 53
DHCP = UDP 67/68
TFTP = UDP 69
HTTP = TCP 80
Kerberos = TCP/UDP 88
POP3 = TCP 110
NTP = UDP 123
NetBIOS = TCP/UDP 137/138/139
IMAP = TCP 143
SNMP = TCP/UDP 161/162
BGP = TCP 179
Syslog = UDP 514
LDAP = TCP 636
FTP over TLS = TCP 989/990
TCP
connection oriented, byte stream = every byte matters, does NOT support multicasting/ broadcasting, supports full duplex transmission, reliable service of data transmission, packet is called a segment, provides error detection
UDP
connection-less protocol, message stream, supports multi-casting and broadcasting, NO support for full duplex (simultaneous bidirectional), unreliable service of data transmission, packet is called a datagram, no support for error detection, media streaming!!
Cabling types
CAT 5 = 100 Mb/s
CAT 5e = 1 Gb/s
CAT 6 = 10 Gb/s, 55 meters
CAT 6e = 10 Gb/s, 55 meters
CAT 7 = 10 Gb/s, 100 meters
Star (network topology)
- central connection device (can be hub or switch), each system is connected to central hub by a dedicated segment, MODERN ETHERNET
Mesh (network topology)
connects systems to all other systems using numerous paths, partial mesh connects many systems to many other systems, redundant connections allow for multiple segment failures
Ring (network topology)
connects each system as points on a circle, connection medium acts as a unidirectional transmission loop, only one system can transmit data at a time, traffic management is performed by a token, token ring is a ring based network, “collision avoidance”
Bus (network topology)
connects each system to a trunk, all systems on a bus can transmit simultaneously which can result in collisions (when 2 systems transmit data at the same time and signals interfere)
Analog
continuous signal that varies in frequency/ amplitude/ phase etc. variances in the continuous signal produce a wave shape as opposed to the square shape of digital, comms become altered and corrupted because of attenuation over long distances
Digital
comms occur through electrical signal and state change (0s and 1s), more reliable over distance or when interference is present, uses current voltage that creates binary data
Synchronous
comms rely on timing or clocking mechanism, high rates of data transfer, i.e. networking
Asynchronous
comms rely on a stop and start delimiter bit to manage transmission of data, small amounts of data, i.e. public switched telephone network (PSTN)
Baseband
single comm channel, form of digital signal, direct current applied to cable. i.e. ETHERNET
Broadband
supports multiple simultaneous signals, suitable for high throughput and multiplexing several channels, form of ANALOG signal. Ie TV, cable modem, ISDN, DSL, T1, T3
Broadcast,Multicast,Unicast
determine how many destinations a single transmission can reach. Broadcast=all possible, Multicast=multiple specific recipients ie windows OS deployment, Unicast=single communication to specific recipient
Carrier sense multiple access (CSMA)
- decreases chances of collisions when 2 or more stations start sending signals over the datalink layer.
- Each station must check the state of the medium.
- CSMA/CA = collision avoidance = grants single comm at any given time ie ring networks with token/ wireless/ used in 802.11 standard,
- CSMA/CD = collision detection = responds to collisions by having each member of the collision domain wait for a short but random period of time before restarting the process that resends the data frame ie wired networks/ 802.3 standard
Token passing
performs comms using digital token, releases token once transmission is complete, prevents collisions in ring networks
Polling
performs comms using master-slave config, primary system polls the secondary system in turn when they have to transmit data, used by synchronous datalink control (SDLC)
Network segmentation
boosts performance, dedicated environment to reduce comm problems, security via isolating traffic
Intranet
private network
Extranet
sectioned off portion of network to act as intranet for private network, but also serves information to public internet
DMZ
extranet for public consumption aka perimeter network
Bluetooth (IEEE 802.15)
- connects wireless devices, connections are paired with 2.4 GHz radio, often a 4 digit code to pair
Bluejacking
pushing unsolicited messages to nearby bluetooth users, more of an annoyance
Bluesnarfing
- data theft, wirelessly connecting to some early BT enabled mobile devices without owners knowledge to download data
Bluebugging
grants hackers remote control over the feature and functions of a BT device
Wi-Fi versions (latest 802.11)
802.11n = 200+ Mb/s > 2.4 GHz
802.11ac = 1 Gb/s > 5 GHz
SSID broadcast
- wireless networks announce the SSID on a regular basis with a beacon frame, any device can try to connect, hiding the SSID is considered “security through obscurity”
Temporal key integrity protocol/ WPA (TKIP)
- commonly known as WPA, was designed as replacement for WEP without need to replace legacy hardware
CCMP
- used with WPA2, counter mode with cipher block chaining message authentication code protocol, created to replace WEP and TKIP/WPA, uses AES with 128-bit keys
WPA2
- encryption scheme with CCMP, AES encryption, modern day wireless uses this
Fibre channel
- form of network data storage solution ie SAN (storage area network) or NAS (network attached storage) that allows for high speed file transfers
FCoE (fiber channel over ethernet)
- encapsulate fiber channel communications over ethernet networks
iSCSI (internet small computer system interface)
- networking storage standard based on IP, high speed but not as fast as fiber
Site survey
- process of investigating the presence, strength and reach of wireless access points deployed in environment, usually walking around with portable network device and marking on a map/ floor plan
Extensible authentication protocol (EAP)
- authentication framework, brings new auth technologies to existing hardware
Protected extensible authentication protocol (PEAP)
- encapsulates EAP methods within a TLS tunnel
Lightweight extensible authentication protocol (LEAP)
- cisco proprietary, developed to replace WPA BEFORE WPA2
MAC filtering
- uses list of authorized wireless client interface MAC addresses, used by a WAP to block access to all non-authorized devices
Captive portals
- portal is an auth technique that redirects a newly connected wireless web client to a portal access control page
Antenna types
omnidirectional (loop, monopole, dipole) vs unidirectional (panel, parabolic, yagi, cantenna)
Firewall
- manage/ control/ filter network traffic at the perimeter
Static packet filtering (firewalls)
- filters traffic by examining data from the MESSAGE HEADER, layer 3 and up
Application level (firewalls)
- filters based on single internet service, protocol, or application, operates at layer 7
Circuit level (firewalls)
- establish comm sessions between trusted partners, session layer 5 of the OSI model, SOCKS is an example
Stateful inspection (firewall)
- evaluate state, session, or context of network traffic, watch traffic streams from end to end, can implement various IP security functions such as tunnels and encryption, identify forged/ unauthorized communications
Deep packet inspection (firewall)
- filtering mechanism that operates at the application layer in order to filter the payload contents of a communication rather than only header values, looks at both header and payload, detects protocol compliance/ spam/ viruses/ intrusions
Stateless (firewalls)
- restrict or block traffic based on source/ destination or other static values, not aware of patterns or session information, FASTER and perform better under load than stateful because they are doing less
Web application firewalls (WAF)
- protect web apps by filtering and monitoring HTTP/S traffic between web app and internet, protects against XSS, CSRF, and SQL injection, come preconfigured with OWASP rulesets often
Next gen firewall (NGFW)
- deep packet inspection, adds application level inspection, intrusion prevention, and brings threat intelligence from outside the firewall
Unified Threat Management (UTM)
- multifunction device (MFD) composed of several sec features including firewall, may include IDS/IPS/ TLS proxy/ web filtering/ QoS management/ bandwidth throttling/ NAT/ VPN anchoring/ antivirus, doesn’t scale well so more common in small to medium businesses
Network address translation gateway (NAT)
allows private subnets to communicate with other cloud services and the internet but hides the internal network from internet users, has the network access control list (NACL) for the private subnets, used for browsing the internet to hide users behind the NAT gateway
Content/ URL filter
looks at content on requested web and blocks based on filters, associated with deep packet inspection
Open source firewall
- license freely available, access to source code, no vendor support, pfsense
Proprietary firewalls
- expensive but more functionality and support than open source, cisco/ checkpoint/ palo alto/ barracuda, no source code access
Hardware (firewall)
- purpose built network hardware, often has superior throughput because it is DESIGNED to
Software (firewall)
- install on your own hardware and place it anywhere, “host based” can be more vulnerable
Application (firewall)
- catered to app level comms, HTTP or web traffic, example is a next gen firewall (NGFW)
Host based (firewall)
installed on a host OS ie windows/ linux
Virtual (firewall)
- cloud firewalls implemented as a virtual network appliance (VNA), available from CSP directly and 3rd party partners (commercial vendors)
Switch
- repeats traffic out of port where the destination is, create separate collision domains and improve throughput of data, usually layer 2, sometimes layer 3 if it’s a hybrid “routing” switch
Routers
- control traffic flow on networks, connect networks and control flow between the 2, can function with static routing tables or dynamic routing system, layer 3 with IP
Gateways
- connects networks that are using different protocols aka protocol translators, ie IPv4 to IPv6, can be standalone hardware devices or a software service, work at layer 3
Repeaters/ concentrators/ amplifiers
- layer 1, strengthen signal over a cable segment and connect segments that use the same protocol
Bridges
- connect 2 networks using the same protocol, layer 2
Hubs
- connect multiple systems/ segments that use the same protocol, multiport repeater, layer 1, not really used in businesses anymore
LAN extenders
- remote access, multilayer switch used to connect distant networks over WAN links
Sensors/ Collectors
- place on network to alert NIDS of changes in traffic patterns, if you place on internet side of network it can scan ALL TRAFFIC but will need to be very beefy hardware
WAN
- wide area network, can provide private circuit and packet switching
Private circuit (WAN technology)
- use dedicated physical circuits, expensive, ie dedicated lines/ point to point (PPP) protocol/ SLIP (serial line internet protocol)/ ISDN (integrated services digital network)/ DSL (digital subscriber line)
Packet-Switching (WAN technology)
- uses virtual circuits instead of physical, efficient and cost effective, ie X.25 frame relay/ asynchronous transfer mode (ATM)/ synchronous data link control (SDLC)/ high-level data link control (HDLC)
Intrusion Detection Systems (IDS)
- analyzes whole packets (header and payload), looking for known events. When a known event is detected a log message is generated, both host (HIDS) and network (NIDS) can be a combination of behavior and knowledge based
Intrusion Prevention System (IPS)
- analyzes whole packets, both header and payload, looking for known events, when a known event is detected the packet is rejected
Behavior based (IDS/ IPS)
- creates a baseline of activity to identify normal behavior and then measures system performance against baseline to detect abnormal, can detect previously unknown attack methods
Knowledge based (IDS/ IPS)
- uses signatures similar to the signature definition used by anti-virus, only effective against known attacks
Host based (IDS/ IPS)
- software form installed on a host, often a server
Network based (NIDS/ NIPS)
- network level, often in hardware form as a purpose built appliance
Inline mode (NIDS/ NIPS)
- in band, traffic runs through it, placed on or near firewall as additional layer of security
Passive mode (NIDS/ NIPS)
- traffic does not run through it, “out of band”, uses sensors/ collectors to forward logs
Bastion host
- hardened!! Computer or appliance that is exposed on the internet, all unnecessary elements removed such as services/ programs/ protocols/ ports
Screened host
- MOST SECURE, firewall protected system logically positioned inside a private network
Screened subnet
- similar to screened host in concept except a subnet is placed between routers/ firewalls and the bastion host is located within the subnet
Proxy server
functions on behalf of a client requesting service, masking the true origin of the request to the resource
Honeypot
- lure bad people into doing bad things so we can watch them, only ENTICE not ENTRAP, not allowed to let them download items, ie allowing download of a fake payroll file would be entrapment, goal is to distract from real assets and isolate in a padded cell until they can be tracked down
Teardrop attack
denial of service attack that involves sending FRAGMENTED PACKETS to a target machine, machine cannot reassemble them due to a bug in TCP/IP fragmentation reassembly, the packets overlap and crash the machine
Fraggle attack
- DoS attack that sends large amount of SPOOFED UDP TRAFFIC to a routers broadcast address within a network, similar to SMURF attack which uses spoofed ICMP traffic
Land attack
- layer 4 DoS, attacker sets SOURCE AND DESTINATION of a TCP packet to be the same value, a vulnerable machine will crash due to the packet being repeatedly processed by the TCP stack
SYN Flood
- DoS attack, attacker sends a succession of SYN REQUESTS to target system to make it unresponsive to legit traffic
Ping of death
- DoS attack, oversized ping packet, bigger than 65,536 bytes which is the usual max
TCP 3 way handshake
- SYN > SYN-ACK > ACK.
Internal segmentation firewall (ISFW)
used to segment a network
ad hoc wireless mode
directly connect 2 wireless clients ie tablet and laptop
standalone wireless mode
connects 2 clients together using a wap, but not to wired resources like a central network, ie laptop and tablet communicating through wap
infrastructure mode (wireless)
connects endpoints to a central network, not directly to each other
wired extension mode
uses a WAP to link wireless clients to a central network
Authentication Header (AH)
part of IPsec, provides authentication, integrity and nonrepudiation
Encapsulating security payload (ESP)
part of IPsec, provides encryption and thus confidentiality, prevents replay attacks
L2TP
independent VPN protocol
IP Payload Compression (IPcomp)
used by IPsec to compress data prior to ESP processing in order to attempt to keep up with wire speed transmission
Internet Key Exchange (IKE)
IPsec mechanism that manages crypto keys and is composed of 3 elements: OAKLEY, SKEME, and ISAKMP