Domain 4 - Communications and Network Security Flashcards
SSL (Application – layer 7)
Two layers: the SSL record protocol and the handshake protocol. Like SSH, it uses symmetric encryption for private connections and asymmetric (public key) cryptography for peer authentication.
SMTP (Application – layer 7)
Email queuing. Port 25
Simple Network Management Protocol, SNMP (Application – layer 7)
Collection of network information by polling the devices from a management station. Sends out alerts, called traps, to a database called a Management Information Base (MIB).
Presentation – layer 6
Compression/decompression and encryption/decryption. Uses a common format to represent data; standards like JPEG, TIFF, MIDI. Technology: Gateway
Session - layer 5
Inter-host communication: a logical persistent connection between peer hosts, a conversation; simplex, half duplex, full duplex. Protocols such as NFS, SQL, RADIUS, and RPC. Protocols: PAP, PPTP, RPC, NFS, SSL/TLS, NetBIOS
Transport
End-to-end data transfer services and reliability. Technology: Gateways. Segmentation, sequencing, and error checking happen at this layer.
Protocols: TCP, UDP, SSL, SSH-2
Fragmentation
IP will subdivide a packet if its size is greater than the maximum allowed on a local network
Simple Key Management for Internet Protocols
Provides high availability in encrypted sessions to protect against crashes. Exchanges keys on a session-by-session basis.
ARP, Address Resolution Protocol
Used to match an IP address to a hardware MAC address. ARP sends out a broadcast asking a network node to reply with its hardware address. It stores the address in a dynamic table for the duration of the session, so an ARP request is only sent the first time.
FRAMES
Translates data into bits and formats them into data frames with a destination header and source address. Error detection via checksums.
Logical Link Control
Flow control and error notification
Packet-filtering firewalls (layer 3/4)
Use rules based on a packet’s source, destination, port or other basic information to determine whether or not to allow it into the network
Stateful packet filtering firewalls (layer 7)
Have access to information such as the conversation, the state table, and the context of packets, from which to make their decisions.
Application Proxy firewalls (layer 7; actually 3–7)
Look at content and can involve authentication and encryption; can be more flexible and secure, but also tend to be far slower.
Circuit level proxy (layer 5)
Looks at the packet header only; protects a wider range of protocols and services than an application-level proxy, but without as detailed a level of control. Basically, once the circuit is allowed, all info is tunneled between the parties. Although firewalls are difficult to configure correctly, they are a critical component of network security.
IEEE 802.15
Is the standard for Bluetooth
IEEE 802.3
Defines Ethernet
802.11
Defines wireless networking
802.20
Defines LTE
Class A network
Starts at 1 and ends at 127
Class B
Starts at 128 and ends at 191
Class C network
Starts at 192 and ends at 223
SSL session key length
40-bit to 256-bit
Ad hoc Mode
Directly connects two or more clients; no access point
Infrastructure Mode
Connects endpoints to a central network, not directly to each other; needs an access point and wireless clients for infrastructure mode wireless
WEP
Predecessor to WPA and WPA2; confidentiality; uses RC4 for encryption.
WPA
Uses TKIP for data encryption
WPA2
Based on 802.11i; uses AES, key management, replay attack protection, and data integrity; most secure; CCMP included. WPA2 Enterprise mode uses RADIUS account lockout if a password cracker is used.
LEAP
Cisco proprietary protocol to handle problems with TKIP; has security issues, don’t use. Provides reauthentication but was designed for WEP.
Fiber Distributed Data Interface (FDDI)
Form of token ring that has a second ring that activates on error
Frame Relay WAN
Over a public switched network. High fault tolerance by relaying traffic from faulty segments to working ones.
SASL
Provides secure LDAP authentication
OpenLDAP
By default, stores user passwords in the clear
Client SSL Certificates
Used to identify clients to servers via SSL (client authentication)
S/MIME Certificates
Used for signed and encrypted email; can sign forms, and can be used as part of an SSO solution.
MOSS
MIME Object Security Services; provides authentication, confidentiality, integrity, and nonrepudiation
OAuth
Ability to access resources from another service
OpenID
Paired with OAuth; a RESTful, JSON-based authentication protocol that can provide identity verification and basic profile information. Phishing attack possible by sending fake data.
Broadband Technologies
ISDN, cable modems, DSL, and T1/T3 lines that can support multiple simultaneous signals. They are analog and not broadcast technologies.
CHAP
Challenge-Handshake Authentication Protocol, used by PPP servers to authenticate remote clients. Encrypts username and password and performs periodic re-authentication while connected, using techniques to prevent replay attacks.
CIR (Committed Information Rate)
Minimum bandwidth guarantee provided by service provider to customers
Data Streams
Occur at Application, Presentation, and Session layers
EAP, Extensible Authentication Protocol
An authentication framework. Effectively, EAP allows new authentication technologies to be compatible with existing wireless or point-to-point connection technologies; it was originally used for PPP connections.
FCoE
Fibre Channel over Ethernet; allows existing high-speed networks to be used to carry storage traffic
iSCSI
Internet Small Computer System Interface; converged protocol that allows location-independent file services over traditional network technologies. Costs less than fiber. Standard for linking data storage sites.
ISDN
PRI (Primary Rate Interface) bandwidth of 1.544 Mbps, faster than BRI’s 144 Kbps
MPLS
Multiprotocol Label Switching; high-performance wide area networking protocol that uses path labels instead of network addresses (label switching). Finds the final destination and then labels the route for others to follow.
PAP
Password Authentication Protocol; sends the password unencrypted
PEAP
Provides encryption for EAP methods and can provide authentication; does not implement CCMP; encapsulates EAP in a TLS tunnel.
PPP
Point-to-Point Protocol; most common; used for dial-up connections; replaced SLIP
RST flag
Used to reset or disconnect a session; resumed by restarting the connection via a new three-way handshake
SONET
Protocol for sending multiple optical streams over fiber
SYN FLOOD
TCP packets requesting a connection (SYN bit set) are sent to the target network with a spoofed source address. The target responds with a SYN-ACK packet, but the spoofed source never replies. This can quickly overwhelm a system’s resources while it waits for the half-open connections to time out, causing the system to crash or otherwise become unusable. Counter: SYN cookies/proxies, where connections are created later.
Teardrop
The length and fragmentation offset fields of sequential IP packets are modified, causing the target system to become confused and crash. Uses fragmented packets to target a TCP flaw in how the TCP stack reassembles them.
TCP sequence number attack
Intruder tricks the target into believing it is connected to a trusted host and then hijacks the session by predicting the target’s choice of an initial TCP sequence number.
X.25
Defines point-to-point communication between Data Terminal Equipment (DTE) and Data Circuit-Terminating Equipment (DCE)
Frame Relay
High-performance WAN protocol designed for use across ISDN interfaces. Is fast but has no error correction; supports multiple PVCs, unlike
Synchronous Data Link Control
Works with dedicated leased lines that are permanently up. Data link layer of the OSI model.
High-level Data Link Control
Extension to SDLC, also for mainframes. Uses data encapsulation on synchronous serial links using frame characters and checksums. Also data link layer.
High Speed Serial Interface
Defines electrical and physical interfaces to use for DTE/DCE communications. Physical layer of the OSI model.
Baseband
Only a single channel
Broadband
Multiple signal types, like data, video, and audio
Packet filtering routers
Sits between trusted and untrusted networks; sometimes used as a boundary router. Uses ACLs. Protects against standard generic external attacks. Has no user authentication and minimal auditing.
Screened-Host firewall system
Has both a packet-filter router and a bastion host. Provides both network layer (packet filtering) and application layer (proxy) services.
Dual homed host firewall
Consists of a host with 2 NICs: one connected to the trusted network, one to the untrusted. Can thus be used as a translator between 2 network types, like Ethernet/token ring. Internal routing capabilities must not be enabled, to make it impossible to circumvent inspection of data.
Screened-subnet firewalls
Also defines a De-Militarized Zone (DMZ): a small network between trusted and untrusted.
SOCKS firewall
Every workstation gets some SOCKS software to reduce overhead
TACACS+
Enhanced version with two-factor authentication, the ability to change user passwords, the ability for security tokens to be resynchronized, and better audit trails and session accounting.
RADIUS, Remote Authentication Dial-In User Service
Client/server protocol; often leads to TACACS+. Clients send their authentication request to a central RADIUS server that contains all of the user authentication and network ACLs. RADIUS does not provide two-way authentication, therefore it’s not used for router-to-router authentication. Port 1812. Contains dynamic password and network service access information (network ACLs). NOT an SSO solution.
DIAMETER
Remote connectivity using phone, wireless, etc.; more secure than RADIUS. A cordless phone signal is rarely encrypted and easily monitored.
Thinnet
10Base2 with coax cables up to 185 meters
Thicknet
10Base5, coax up to 500 meters
Carrier Sense Multiple Access (CSMA)
For Ethernet. Workstations send out a packet; if they don’t get an acknowledgement, they resend.
CSMA with Collision Detection
Only one host can send at a time, using jamming signals for the rest.
PPTP, Point-to-Point Tunneling Protocol
- Works at the data link layer of OSI
- Only a single point-to-point connection per session
- Uses Point-to-Point Protocol (PPP) for authentication and tunneling
- Dial-up network use
- Does not support EAP
- Sends initial packets in plaintext
L2F, Layer 2 Forwarding
• Cisco developed its own VPN protocol, L2F, which is a mutual authentication tunneling mechanism.
• L2F does not offer encryption. L2F was not widely deployed and was soon replaced by L2TP.
• Both L2F and L2TP operate at layer 2. Both can encapsulate any protocol.
L2TP, Layer 2 Tunneling Protocol
- Also at the data link layer of OSI
- Single point-to-point connection per session
- Dial-up network use
- Port 115
- Uses IPsec
IPSEC
Operates at the Network layer of OSI
• Enables multiple and simultaneous tunnels
• Encrypts and authenticates
• Built into IPv6
• Network-to-network use
• Creates a private, encrypted network via a public network
• Encryption for confidentiality and integrity
IPSEC tunnel vs transport
- Transport: data is encrypted, header is not
- Tunnel: a new IP header is added; the old IP header and data are encrypted
TLS – Transport Layer Security
• Encrypts and protects transactions to prevent sniffing while data is in transit, along with VPN and IPsec
• Most effective control against session hijacking
• An ephemeral session key is used to encrypt the actual content of communications between a web server and client
• TLS - MOST CURRENT not SSL!!
PVC
Permanent virtual circuit; like a dedicated leased line: the logical circuit always exists and is waiting for the customer to send data. Like a walkie-talkie.
SVC
Switched virtual circuit; more like a shortwave or ham radio. You must tune the transmitter and receiver to a new frequency every time you want to communicate with someone.
IP-sec compatible - Tunnel mode
Encryption via tunnel mode (entire data package encrypted)
IP-sec compatible - Transport mode
Only datagram encrypted
SOCKS-based proxy servers
Used to reach the internal network from the outside. Also contains strong encryption and authentication methods.
ESP Header
Contains information showing which security association to use and the packet sequence number. Like the AH, ESP sequences every packet to thwart replay attacks.
ESP Payload
Payload
FHSS
Frequency Hopping Spread Spectrum: the entire range of available frequencies is employed, but only one frequency at a time is used.
DSSS
Direct Sequence Spread Spectrum: employs all the available frequencies simultaneously in parallel. This provides a higher rate of data throughput than FHSS. DSSS also uses a special encoding mechanism known as a chipping code to allow a receiver to reconstruct data even if parts of the signal were distorted because of interference.
OFDM
Orthogonal Frequency-Division Multiplexing: employs a digital multicarrier modulation scheme that allows for a more tightly compacted transmission. The modulated signals are perpendicular and thus do not cause interference with each other.
T1
1.5 Mbps through telephone line
T3
44.7 Mbps through telephone line
E1
European 2048 Mbps digital transmission
Serial Line IP (SLIP)
TCP/IP over slow interfaces to communicate with external hosts (Berkeley UNIX, Windows NT RAS); no authentication, supports only half-duplex communications, no error detection, manual link establishment and teardown.
Point-to-Point Protocol (PPP)
Improvement on SLIP; adds login and password (via CHAP and PAP) and error correction. Data link layer.
Integrated Services Digital Network
Combination of digital telephony and data transport. Overtaken by xDSL; not all bandwidth is usable for data because the “D channel” is used for call management.
xDSL, Digital Subscriber Line
Uses the telephone line to transport high-bandwidth data to remote subscribers
ADSL
Asymmetric. More downstream bandwidth; up to 18,000 feet over a single copper cable pair.
SDSL
Symmetric; up to 10,000 feet over a single copper cable pair
HDSL
High rate; T1 speed over two copper cable pairs up to 12,000 feet
VDSL
Very high speed; 13–52 Mbps downstream, 1.5–2.3 Mbps upstream over a single copper pair, over 1,000 to 4,500 feet
Circuit-switched networks
A dedicated physical circuit path must exist during transmission. The right choice for networks that have to communicate constantly. Typically a telephone company network; voice oriented. Sensitive to loss of connection.
Packet-switched networks
More cost effective than circuit switching because it creates virtual circuits only when they are needed.