Networks/Network Security (Ch. 3,4) Flashcards
OSI Model
_ open systems interconnection model layers (mnemonic: “all people seem to need data processing” – know layer numbers too)
_ (1) physical - hardware
_ (2) data link - switches that format data into data frames and route between systems on a local network using MAC addresses
_ (3) network - introduces IP addresses, routing between systems not on the same local network
_ (4) transport - end-to-end communication (e.g. TCP, UDP)
_ (5) session - establishes and manages sessions between apps
_ (6) presentation - translates data into standard format, provides encryption, compression, other data transformation
_ (7) application - provides network services to apps
TCP
_ transmission control protocol
_ 3-way handshake (client sends SYN, server sends SYN/ACK, client sends ACK)
UDP
_ user datagram protocol
_ connectionless (no 3-way handshake)
_ DoS attacks often use UDP
IP
_ internet protocol
_ IPv4 - 32 bits, dot-delimited numbers
_ IPv6 - 128 bits, colon-delimited hex
ICMP
_ internet control message protocol
_ tests basic connectivity
_ includes tools like ping and traceroute
_ DoS often uses ICMP
_ firewalls and routers often block to prevent DoS
TFTP
_ trivial file transfer protocol
_ transfers small amounts of data by FTP
_ used for comms with some devices
_ usually disabled to prevent attacks
TLS
_ transport layer security
_ replaced SSL
IPsec
_ internet protocol security
_ encrypts IP payload traffic
_ includes authentication header
SSH and SFTP port
22
HTTPS/TLS port
443
IMAP ports
_ internet message access protocol
_ 143 plaintext
_ 993 TCP
SMTP ports
_ simple mail transfer protocol
_ 25 plaintext
_ 587 TLS (SMTPS)
POP3 ports
_ post office protocol
_ 110 plaintext
_ 995 TCP
Email gateway
_ network device or software app that filters external mail for an internal mail system
AD DS
_ Microsoft Active Directory Domain Services
_ uses TLS-encrypted LDAP
_ uses Kerberos for authentication
RTP/SRTP
_ real-time transport protocol
_ for audio and video over IP
_ includes VoIP
_ SRTP secures transmission
SIP
_ session initiation protocol
_ inits and manages voice/video sessions
_ establishes RTP/SRTP connection in cleartext
RDP
_ remote desktop protocol
OpenSSH
_ suite of tools that simplify use of SSH
_ supports SCP and SFTP
Create SSH key pair
_ ssh-keygen -t rsa
_ creates “id_rsa.pub”, the public key
_ creates “id_rsa”, the private key
_ use “ssh-copy-id” to copy the public key to the remote server
Private IPv4 addresses
_ any address of the form 10.x.y.z
_ 172.16.y.z - 172.31.y.z
_ 192.168.y.z
_ routers block all traffic from or to private IP addresses
Unique local IPv6 addresses
_ start with prefix FC00
DNS port
_ 53, for both TCP and UDP
DNS zone record types
_ A - host record for IPv4
_ AAAA - host record for IPv6
_ PTR - pointer record, used to provide reverse lookup from IP to domain name
_ MX - mail exchange record identifying a mail server
_ CNAME - canonical name record (aka alias record), assigns additional domains to an IP
_ SOA - start of authority record, providing domain or zone info such as TTL
TTL
_ time to live
_ duration of a DNS cache entry in seconds
DNS poisoning
_ replacing a DNS cache entry to an IP, causing domains to incorrectly resolve to the false IP
_ happens on the DNS server (DNS pharming is the client attack)
DNSSEC
_ domain name system security extensions
_ adds a digital signature to each DNS cache entry, providing integrity and authentication to DNS replies
_ helps prevent DNS poisoning
Unicast
_ 1-to-1 traffic between IP addresses (intervening hosts may see the data, but they won’t process it)
_ can’t be captured by a protocol analyzer
broadcast
_ 1-to-all traffic, sending traffic to all other hosts on a subnet using a broadcast address
_ 255.255.255.255 is an example broadcast address
_ every host processes broadcast traffic
_ switches pass broadcast traffic but not routers
switch
_ devices connect to a switch’s physical ports
_ internally connects ports
_ when it receives a packet from a port, it knows the MAC address of the device at that port
_ to send a packet to a MAC address for which it doesn’t have a port mapping, it sends packet to all ports
_ can limit MAC addresses per port for security
hub
_ broadcasts received data to all ports
_ switches provide better security
Switching loop
_ where output of one switch port enters another port of the switch
_ when looped data is broadcast, called a “broadcast storm”
_ can degrade performance
_ Spanning Tree Protocol (STP) can prevent this
_ Rapid STP can also prevent this
_ without prevention, easy to slow the network to a crawl by connecting two ports, such as within a conference room
BPDU
_ bridge protocol data unit
_ sent by STP (spanning tree protocol) to detect loops
_ edge ports should not be able to send this; if they do, problem discovered
router
_ routes traffic between network segments
_ don’t pass broadcasts between networks
_ each segment also called a “broadcast domain”
_ can implement ACL rules based on IP and port
Implicit deny
_ principle of ACLs by which all traffic that isn’t explicitly allowed is implicitly denied
_ the last rule of an ACL, if not the default behavior
_ routers and firewalls include the implicit deny rule
Default gateway
_ IP address of the router on the network
_ typically provides a path to the Internet
route command
_ shows known paths to other networks
_ shows the default gateway
SNMP
_ simple network management protocol
_ monitors and manages network devices such as routers and switches
_ can monitor device config
_ can have devices report status
_ can install agents on devices
_ only use SNMPv3, as it encrypts credentials
_ SNMPv3 uses ports 161 and 162
Host-based firewall
_ monitors traffic to and from a single host (server or workstation)
_ many OSs provide a software-based firewall
Network-based firewall
_ usually a network appliance
_ has 2 or more NICs
Stateless firewall
_ applies ACL rules to traffic
_ a router is a stateless firewall
_ rules may specify protocol, source, destination, and port, in addition to the associated permission. Source and destination can include wildcards
Stateful firewall
_ bases decisions on traffic context or state
_ tracks sessions (e.g. after TCP handshake)
_ blocks traffic not part of a session
_ operates on the transport layer (layer 4)
WAF
_ web application firewall
_ placed between web server and clients
_ can protect against XSS and other attacks
_ provides HTTP security on top of network security provided by a network firewall
_ analyzes traffic at all layers, so called a “layer 7 firewall”
First generation firewall
_ packet-filtering firewall
_ stateless
_ bases decisions per packet
Second generation firewall
_ stateful
_ evaluates based on session state
NGFW
_ next-generation firewall
_ understand traffic for various apps
_ provides app-level inspection
_ performs content filtering and URL filtering
_ analyzes traffic at all layers, so called a “layer 7 firewall”
Failure modes
_ fail-open system - everything passes through when system fails, so no traffic disruption, but also no security
_ fail-closed system - nothing passes through when system fails, traffic disruption but provides security
Security zones
_ portion of network with its own security characterization
Screened subnet
_ aka demilitarized zone (DMZ)
_ security zone between private network and the Internet
_ bounded by a firewall on both the external and internal sides
_ contains servers that are to be available to the Internet, such as mail server, web server, and CA server
NAT
_ network address translation
_ translates public IP addresses to private IP addresses and back to public addresses
_ hosted by a NAT gateway
_ prevents public IPs from having to be purchased for each client
_ hides internal computers from the Internet
_ not compatible with IPsec
Static NAT
_ maps a private IP to a single public IP
Dynamic NAT
_ maps multiple public IPs, choosing based on load
ICS
_ industrial control system
SCADA
_ supervisory control and data acquisition
_ typically for industrial control
_ physically isolated from other networks
_ has embedded systems that control an ICS
_ e.g. for power plants, manufacturing plants, etc.
Air-gapped system
_ a system or network that is not connected to any other system
Network segmentation
_ routers segment traffic between networks
subnetting
_ dividing large address ranges into smaller ranges
VLAN
_ virtual local area network
_ uses switches to group computers into a virtual network, rather than just by using cabling
_ dynamically reconfigurable
_ can separate traffic type (e.g. minimize traffic by putting those who use VoIP on their own VLAN)
East-west traffic
_ traffic between servers
_ diagrams usually show servers side-by-side with clients above or below them
Proxy server
_ aka forward proxy server
_ forwards requests from client to servers
_ serves a private network forwarding to the Internet
_ performs intermediary services, such as caching or filtering
_ admins configure clients to use proxy servers for specific protocols
Agent-based proxies
_ sit on each computer, proxying from there
Reverse proxy
_ accepts requests from the Internet
_ usually the front end for web server, which can therefore be behind a firewall
_ caches web pages to improve performance
Load balancer
_ a kind of reverse proxy server
_ forwards to multiple backend web servers
Transparent vs non-transparent proxy servers
_ transparent proxy servers forward requests without modifying them.
_ non-transparent proxy servers filter out access to specific URLs.
UTM
_ unified threat management
_ security service bundles
_ available within a single appliance
_ might do URL filtering (like a proxy server)
_ might do malware/content inspection
_ might mitigate DDoS (the way an IPS does)
_ placed at boundary with the Internet
Jump server
_ aka jump box
_ a hardened server used to access and manage devices in a different security zone
_ often allows a passwordless SSH login for connecting to a remote server
_ e.g. to connect to a device via a jump server, enter “ssh -J maggie@jump maggie@ca1”, which has the jump server TCP-forward to the CA server
_ target systems should only allow connections from the jump server
ZTNA
_ zero trust network access
_ trust decisions are not based on location (e.g. within the same local network)
_ use authentication and policy-based access control
Adaptive identity authentication
_ means of authentication may vary by user location
Control and data planes
_ control plane controls and configures the network
_ data plane is where users and software communicate
PEP
_ policy enforcement point
_ used in zero trust networks as a gatekeeper for accessing resources
_ uses adaptive identity authentication
Components of a zero-trust control plane
_ PE (policy engine) - decides whether to grant resources to a given subject
_ PA (policy administrator) - communicates decisions made by the PE to the tools that enforce those decisions, specifically the PEP
_ PEP (policy enforcement point) - gatekeeper for accessing resources, using adaptive identity authentication, enforcing authorization in the data plane
SASE
_ secure access service edge
_ cloud service that builds on zero-trust
_ provides firewall services
_ provides secure web gateway services
_ provides anti-malware service
_ provides intrusion prevention services
_ provides cloud access broker (CASB) services
_ provides data loss prevention (DLP) services
Intranet vs. extranet
_ intranet is for internal users
_ extranet is for internal users and authorized external users
IPS
_ intrusion prevention system
_ a kind of intrusion detection system (IDS)
_ reacts to attacks in progress to prevent them from reaching systems and networks
_ “in-line” with traffic (all traffic passes through)
_ can block traffic
HIDS
_ host-based intrusion detection system
_ software installed on workstation or server
_ monitors traffic passing through the NIC
_ many also monitor application traffic
_ some monitor log files or system resources
_ can detect malware that antivirus programs might miss
Port tapping
_ aka port mirroring
_ configuration of a switch or router that sends all traffic to a single port, where it can be monitored
NIDS
_ network-based intrusion detection system
_ admin installs NIDS sensors (aka collectors) on network devices to gather info and report to the NIDS
_ often includes a sensor on a port tap
_ can only analyze plaintext traffic
_ provides a monitoring console
Signature-based IDS
_ aka definition-based IDS
_ uses a database of known vulnerabilities or known attack patterns
Trend-based detection
_ aka anomaly detection
_ compares current network behavior to a previously established baseline behavior
_ can be effective at discovering zero-day exploits, which don’t yet have signatures
_ admin should establish a new baseline every time they make a significant change to the network
_ rules assign thresholds at which point to consider recurrence of a behavior an attack
SYN flood attack
_ DoS attack
_ attacker sends many SYN packets without ever ACKing the returned SYN/ACK packets
_ a server can limit the number of resources made available to connections to prevent it from crashing due to running out of resources
_ IDS can detect this, IPS can stop it
_ a firewall can also guard against SYN flood attacks
IDS aggregator
_ stores log entries from dissimilar systems
_ IDS analyzes the log entries for insights
_ logs may be collected in batches or in realtime
NOC
_ network operations center
NIPS
_ network intrusion prevention system
RAT
_ remote access trojan
_ allows outsiders to work inside a network
_ reason to have IDS/IPS even within an assumed-secure network
honeypot
_ server with intentional vulnerabilities and fake data
_ allows security to gather info on attackers
honeyfile
_ file designed to attract an attacker by its file name
honeytoken
_ a fake datum or record maintained to see where else it ends up
_ if it ends up anywhere else, it was stolen
WLAN
_ wireless local area network
AP
_ wireless access point
_ connects wireless clients to a wired network
_ can also be routers, in which case both wired ports and wireless connections use an internal switch
SSID
_ service set identifier
_ name of a wireless network
_ default SSIDs tell attackers what type of AP it is
_ SSID broadcasts tell users about your device but can be disabled
MAC filtering
_ restricts access to allowed MAC addresses
_ a wireless sniffer can discover the allowed MAC addresses, telling attacker what MAC to use
MAC address cloning
_ allows a workstation to use the MAC of its internet-facing router
Wireless footprinting
_ detailed diagram of wireless APs, hotspots, and dead spots
WEP and WPA
_ Wired Equivalent Privacy
_ Wi-Fi Protected Access
_ poor security
_ no longer used
RADIUS
_ remote authentication dial-in user service
_ aka diameter server
_ central authentication service VPNs can use
_ helps companies having many offices with different VPN servers
_ usually accesses an LDAP server
_ during sign-on, only encrypts password
_ uses EAP to encrypt sessions
WPA2
_ Wi-Fi Protected Access 2
_ uses CCMP to protect traffic
_ CCMP is based on the Advanced Encryption Standard (AES)
_ not the best security available
_ has modes: open (cleartext), anonymous pre-shared key (PSK), or enterprise (authenticates with a RADIUS/802.1X server)
_ enterprise mode requires the RADIUS IP and port, and a shared secret
_ home networks typically use PSK
WPA3
_ Wi-Fi Protected Access 3
_ enhanced open mode - allows unauthenticated users but encrypts data (replaces WPA2 open mode)
_ simultaneous authentication of equals (SAE) mode - uses a passphrase plus additional security (replaces WPA2 PSK mode)
_ enterprise mode - supports RADIUS server w/ individual authentication
EAP
_ extensible authentication protocol
_ allows two systems to create a secure encryption key (aka pairwise master key or PMK)
_ Uses a pairwise transient key (PTK) to encrypt data between devices
_ used in CCMP
PEAP
_ protected EAP
_ builds on EAP
_ encapsulates communication in a TLS tunnel
_ requires the server to have a certificate
_ helps compensate for lack of physical security
EAP-FAST
_ EAP-flexible authentication via secure tunneling
_ secure replacement for Cisco’s LEAP (Lightweight EAP)
_ supports protected access credential (PAC) instead of certificates
EAP-TLS
_ EAP transport layer security
_ “one of the most secure EAP standards”
_ like PEAP but also requires clients to have certificates
EAP-TTLS
_ EAP-tunneled TLS
_ extension of EAP-TLS
_ allows older auth methods such as PAP
_ only requires a certificate on the server
RADIUS federation
_ single-sign-on federated access
IEEE 802.1X
_ a port-based authentication protocol
_ requires authentication to a wireless AP or a physical port
_ block access to network if not authenticated
_ prevents port access from being sufficient to send traffic over a network
_ used in both wireless and wired networks
_ used in VPNs
_ can be used in VLANs to control access to resources
Captive portal
_ way of forcing web browsers to complete a process before giving them access to a network
_ common for free internet access points
_ cheaper alternative authentication than 802.1X
Disassociation attack
_ a client ends its association with an AP by sending a “disassociation frame” that includes the client’s MAC address
_ any device on the network can sniff the MAC and send the disassociation frame to disconnect any device
_ some hotels do this with wireless hotspots to force customers to use their paid internet service
WPS
_ Wi-Fi Protected Setup
_ allows users to configure wireless devices without typing in a passphrase
_ users press buttons or enter a PIN
_ susceptible to brute-force attacks with WPA2
_ safe with WPA3
_ experts recommend disabling WPS
Rogue access point
_ aka counterfeit access point
Data exfiltration
_ unauthorized transfer of data to a location controlled by an attacker
Evil twin
_ rogue access point with the same SSID as (or similar to) a legit access point
_ when set up in a public area, users may connect to it instead of the desired AP
_ wireless scanners can detect evil twins during site surveys
Jamming attack
_ transmits noise or other radio data on the frequency used by the wireless network
IV attack
_ initialization vector attack
_ some encryption systems require pre-sharing a key
_ the smaller the key, the more likely it will eventually get reused
_ an attack can add data to the network to force cycling through keys faster, until the attacker’s guessed key works
NFC attack
_ near field communication (NFC) attack
_ contactless near-device communication
_ an antenna can boost NFC range to allow an attacker to intercept
RFID attack
_ radio-frequency identification attack
_ RFID tags are placed on inventory to manage it
_ various obvious attacks
bluejacking
_ sends unsolicited messages to bluetooth devices
_ annoying but harmless
bluesnarfing
_ unauthorized access to or theft of info from a bluetooth device
bluebugging
_ a kind of bluesnarfing
_ attacker installs a backdoor to have the device call the attacker at any time to listen in on conversations in a room or on a phone call
_ can enable call forwarding, send messages, etc.
Bluetooth pairing
_ manual pairing of bluetooth devices eliminates most attacks
War driving
_ practice of looking for vulnerable wireless networks
_ used by attackers in cars or walking around a city
_ useful for finding vulnerabilities as part of an audit
War flying
_ war driving done from planes or drones
VPN concentrator
_ dedicated device providing the services needed for a VPN
_ typically goes in the screened subnet, selectively routing external (firewall-provided) traffic to the intranet
VPN server
_ software equivalent of a VPN concentrator
_ uses RADIUS for authentication, which might delegate to LDAP
_ implements IPsec tunnel mode
IPsec tunnel mode
_ encrypts entire IP packets, including headers
_ internal IP and MAC addresses are encrypted
_ attacker can only see address of client and address of the VPN server
IPsec transport mode
_ only encrypts payload
_ includes authentication header
Split vs full tunnel
_ split tunnel allows client to hit Internet directly, only tunneling for internal resources
_ full tunnel tunnels all traffic
NAC
_ network access control
_ continuously monitors computers
_ blocks computer access to network if it doesn’t pass inspection (health checks such as using a firewall, OS is up-to-date and patched, using antivirus software)
_ good for controlling access from 3rd party computers or devices
_ useful on VPNs where random devices connect
_ can redirect unhealthy clients to a “remediation network”
PAP
_ password authentication protocol
_ used with PPP (point-to-point protocol)
_ sends passwords in cleartext
_ was used with dial-up connections
CHAP
_ challenge handshake authentication protocol
_ uses PPP
_ client and server hash the password with a shared secret and a nonce (number used once)
TACACS+
_ alternative to RADIUS
_ encrypts entire authentication process, not just password
_ unlike RADIUS, uses multiple challenges to authenticate
_ can interact with Kerberos
_ can authenticate users before they access a router or switch
AAA protocols
_ provide authentication, authorization, and accounting
_ e.g. RADIUS, TACACS+, Diameter
_ (Kerberos doesn’t provide accounting services on its own)