Network Security Flashcards
TCP/IP Protocols
TCP
UDP
IP
ICMP
Addresses
IDs networks and devices on a network
Port Numbers
IDs services running on a device
Messages
Typically addressed to both the device and the port number of the service
Socket
IP address:port number (147.63.12.2:8080)
Socket Pairs
Client IP address:port number and the server's IP address:port number
E.g. 177.41.72.6:3022 communicating to 41.199.222.3:80
ICMP
Internet Control Message Protocol
Used for network troubleshooting
Reports errors and replies to requests
Ping and traceroute use ICMP
Several types:
* 0 - Echo Reply
* 3 - Destination Unreachable
* 8 - Echo
* 30 - Traceroute
Well-Known Ports
0-1023
Registered Ports
1024-49151
Dynamic Ports
49152-65535
AKA Ephemeral Ports
PAT
Used when an app does not bind to a specific port
Port 20/21
FTP-Data/Control
Port 22
SSH/SFTP/SCP
Port 23
Telnet
Port 25
SMTP
Port 53
DNS
Port 67/68
DHCP
Port 69
TFTP
Port 80
HTTP
Port 88
Kerberos
Port 110
POP3
Port 889/890
FTPS (Implicit)
Port 443
FTPS (Explicit), HTTPS, SSL, TLS
Port 119
NNTP
Port 137-139
NetBIOS
Port 445
NetBIOS/Directory Services
Port 143
IMAP4
Port 161/162
SNMP
Port 389
LDAP
Port 636
Secure LDAP
Port 1701
L2TP
Port 1812
RADIUS
Port 3389
RDP
Port 49
TACACS+
IPv4
32-bit addresses
Classes:
* A - 0-127
* B - 128-191
* C - 192-223
* D - 227-239
* E - 240-255
Subnetting/CIDR
Private IP Addresses:
A- 10.0.0.0 - 10.255.255.255
B- 172.16.0.0 - 172.31.255.255
C- 192.168.0.0 - 192.168.255.255
Blind FTP
User cannot see names of files in the directory
Anonymous FTP
Login = “anonymous” and password usually an email
Limited privileges
IPv6
79 octillion addresses
128 bits: 8 blocks of 4 hexadecimal digits
Zero Compression ::
Link-Local: fe80
SFTP
Secure FTP
Uses SSH (TCP port 22)
FTPS
FTP over SSL
Uses SSL/TLS for security
Two Modes:
* FTPS: Implicit - SSL/TLS negotiated before FTP data is sent
* FTPES: Explicit - Client has control over what is encrypted
SSH
Secure Shell
Secures remote access and remote terminal communication
Secure replacement for Telnet/FTP
Symmetric cryptography
Uses TCP port 22
SSH Suite: SCP, SSH, SFTP, Slogin
SNMP
Simple Network Management Protocol
Manage/monitor devices in network
Application layer
Ability to send traps (alerts the server when something happens)
TCP Port 161/162
NetBIOS
Naming convention for resources
Broadcast oriented network protocol
Disable to reduce null sessions
Ports 137, 138, 139, 445
NetBEUI
NetBIOS Extended User Interface
Transports NetBIOS traffic on a LAN
Non-routable
Traffic easily intercepted
WINS
Windows Internet Naming Service
Translates NetBIOS names to IP addresses
Pre-Windows 2000
Runs as a service on a server
DNS
Domain Name Service
Translate FQDN to IP address
Local Host File
Stores info on nodes in a network
Maps hostnames to IP addresses
Supplements DNS
DNS Zones
Portion of the DNS domain space for which the server is responsible.
UDP 53 for queries
TCP 53 for zone transfers
Zone Transfers
Publishes information about the domain and the name servers of any subordinate domains.
DNS Record Types (4)
A/AAAA - Returns IPv4/6 address
CERT - Certificate Record
MX - Mail Exchange
NS - Name Server
DNS Poisoning
Incorrect DNS data
Redirects to incorrect sites
Domain Name Kiting
Registering a domain name, using it during the 5-day grace period, and then not paying at the end of the 5 days.
Tasting = legitimate
Kiting = taking advantage
RDP
Remote Desktop Protocol
Allows user to control a networked computer
Software: RDC or TSC (terminal services client)
Port should always be blocked
TCP port 3389
PPP
Point-to-Point Protocol/Tunneling Protocol
Remote connection over serial/dial-up connection
No encryption
EAP, CHAP, or PAP Authentication
L2F
Layer 2 Forwarding (Cisco)
Used for Dial up
Authentication, but no data encryption
Mutual authentication
Operates at layer 2
UDP port 1701
PPTP
Point-to-Point Tunneling Protocol (Microsoft)
Encapsulates and encrypts PPP packets
Negotiation in the clear
* only after negotiation is channel encrypted
* uses MPPE to encrypt data
Authentication: PAP, CHAP, MS-CHAP, EAP-TLS
Operates at Layer 2
TCP Port 1723
L2TP
Layer 2 Tunneling Protocol
Hybrid of PPTP and L2F
No data encryption
* uses IPsec to provide data encryption/integrity
Authentication: PAP, CHAP, MS-CHAP, or EAP-TLS
Operates at Layer 2
Uses UDP port 1701
VPN
Virtual Private Network
Private network connection over a public network
Can provide security
Established via Tunneling Protocols:
* L2TP - IPsec
* PPTP (MPPE)
IPSec
Internet Protocol Security
Widely deployed VPN tech
Requirement for IPv6
Can encrypt any traffic supported by IP
Both encryption and authentication
Used with L2TP or alone
Requires either certs or pre-shared keys
Operates at Layer 3
TCP port 500
2 Modes of Communication for IPSec
“Transport on the LAN and Tunnel on the WAN”
Transport - end to end encryption of data
Packet data is protected but header is not
Tunnel - used for link-to-link communication
Both packet contents and the header are encrypted
Memory Aid: Semi trucks open road vs in a tunnel
IPsec Protocols
Authentication Header (AH)
- Offers authentication/integrity
- HMAC with SHA-1 or MD5
- IP protocol #51
- Incompatible with NAT
Encapsulating Security Payload (ESP)
- Offers authentication, integrity and confidentiality
- Uses AES, 3DES, or DES
- IP protocol #50
SA
IPsec Security Association
- Authenticates and negotiates end users and manages secret keys
- Established by IKE (tries forever; no TTL) or manual user configuration
- Unidirectional (trust from both sides)
ISAKMP
Internet Security Association and Key Management Protocol
Part of IPSec
Defines procedures and packet formats
* Establish, negotiate, modify and delete Security Associations
Defines payloads
Typically uses IKE for key exchange. Other methods can be used
UDP port 500
IKE
Internet Key Exchange
Standard automated method for negotiating shared secret keys in IPsec
Generates, exchanges and manages keys
Supports pre-shared keys and X.509 certs
Built on ISAKMP and Oakley
UDP port 500
Oakley Key Determination
Key agreement protocol
802.1W
RSTP/Rapid Spanning Tree Protocol
802.1D
STP/Spanning Tree Protocol
Default on switches
802.1S
MSTP/Multiple Spanning Tree Protocol
802.1Q
VLAN Protocol
* Helps decide which VLAN you belong to
ACL
Access Control List
Rule-based access control set to regulate traffic
Applied to inbound AND/OR outbound traffic
Usually simple packet filtering by:
* Source/Destination IP address
* Ports
* Protocol
Last line: Implicit deny statement
List rules from specific to general
Standard (source address) 1-99
* 0.0.0.0 = wildcard subnet mask
Extended (protocols/destinations) 100-199
* Permission, Protocol, Source, Destination
Firewall Rules
Allow a computer to send/receive traffic to/from programs, system services, computers or users.
Created for both inbound and outbound traffic
Packet Filtering Firewall
Filters traffic to a specific address based on the IP header
Compared against ACL
Works at Layer 3
Stateful Inspection Firewall
Tracks each connection
May examine header info and/or contents of packet
Filtering based on rules and on context established by prior packets
Works at Layers 3 and 4
Application Level Gateway
Traffic evaluated by user, group policies, etc.
Slowest form of firewall
Works at Layer 7
Circuit Level Proxy
Monitors traffic between trusted and untrusted hosts via a virtual circuit
Filtering based on sessions rather than content
Works at Layer 5
E.g. PuTTY
SOCKS
Network protocol designed to allow clients to communicate with internet servers through a firewall
Proxy Server
Border device to protect security zones
One-to-One Address Mapping
NAT
Many-to-One Address Mapping
PAT
Bastion Host
Any hardened system located in the DMZ
Extranet
Segment of your network set aside for trusted partners or organizations
Out in the Internet not DMZ or Intranet
VPN Concentrator
Device that handles a large number of VPN tunnels
SSL or IPSec
Flood Guards
Network device (firewall/router) that has the ability to prevent some flooding DoS attacks
Failover cluster
Group of independent computers that work together to increase availability of applications and services
Where is the best place to put an IDS?
Behind the firewall
IDS Methods
Signature-based:
* Evaluates based on database of signatures written by the vendor
Anomaly-based (Heuristic):
- Looks for unexpected events
- Must learn what activities are normal and acceptable
NAC
Network Access Control
Evaluates system security status before connecting to the network:
* Anti-virus status
* System update level
* Configuration settings
* Software firewall enabled
WTLS
Wireless Transport Layer Security
Security layer for WAP
Provides authentication, encryption and data integrity
* Class 1: Anonymous authentication
* Class 2: Server authentication
* Class 3: Mutual client/server authentication
Used in older versions of WAP
TLS replaced WTLS
Rogue Access Points
WAP installed on a secure company network without authorization, or created to allow a cracker to conduct a man-in-the-middle attack.
Discovering: War Driving tools (Flying Squirrel, Air Snort, etc.)
Ransomware/Ransoming
Someone hacks in, encrypts your information, then emails asking for a ransom.
Bluebugging
Take control of a Bluetooth device for personal gain
Bluejacking
Sending of unsolicited messages over Bluetooth.
Bluesnarfing
Theft of information from a Bluetooth device
Packet Sniffing
Capture all data that passes through network
Can be wired or wireless
Plaintext data
Tools: Wireshark, Cain and Abel, snoop, Kismet, etc.
Promiscuous Mode
Sniffer is capable of capturing ALL packets traversing the network.
Hypervisor
Controls virtualization technology
Two Types:
- Type 1 (native, bare-metal)
  - runs directly on the host's hardware
- Type 2 (hosted)
  - software application running within a conventional OS