Telecom Flashcards
TCP/IP Layers
Network Access (OSI: Physical & Data Link)
Internet (OSI: Network)
Host-to-Host Transport (OSI: Transport)
Application (OSI: Session, Presentation, App)
Protocol
Protocol: Standard set of rules that determine how systems will communicate across networks
IP
IP (Internet Protocol): A connectionless protocol that supports network addressing and packet forwarding and routing.
TCP
TCP (Transmission Control Protocol): A reliable, connection-oriented protocol. It numbers and acknowledges segments, retransmits what is lost and delivers data to the destination in order.
UDP
UDP (User Datagram Protocol): A best-effort, connectionless protocol. It has no sequencing, flow control or congestion control, and the destination does not acknowledge the datagrams it receives; only an optional checksum protects against corruption.
TCP Handshake
TCP Handshake:
- Host sends a SYN packet
- Receiver answers with a SYN/ACK packet
- Host sends an ACK packet
Ethernet
Ethernet: Devices share the same medium and contend for it; a shared segment forms one collision domain and one broadcast domain.
(This is also known as a contention technology)
• Wired Ethernet uses CSMA/CD; Wi-Fi (802.11) uses CSMA/CA instead
• Usually implemented in star or bus topology.
CSMA/CD
Carrier Sense Multiple Access with Collision Detection (CSMA/CD, IEEE 802.3): wired Ethernet LANs on shared (half-duplex) segments; a station listens, transmits, and backs off for a random delay if it detects a collision
CSMA/CA
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA- 802.11), Wi-Fi
FDDI
FDDI—Fiber Distributed Data Interface: A high-speed (100 Mbit/s) token-passing media access technology.
• Provides fault tolerance by providing a second counter-rotating fiber ring.
• Enables several tokens to be present on the ring at the same time.
Coaxial Cable
Coaxial Cable: Is more resistant to electromagnetic interference (EMI);
provides higher bandwidth and longer cable runs than twisted pair.
Can transmit using a baseband or broadband method
Twisted pair
Twisted pair: Is cheaper and easier to work with than coaxial cable.
• STP Shielded twisted pair
• UTP Unshielded twisted pair. (More susceptible to interference)
Fiber-optic cabling
Fiber-optic cabling:
• High transmission speeds that carry over much longer distances than copper
• Immune to EMI (no electrical signal) and suffers far less attenuation than copper, though not none
• Harder to tap than copper, and a tap is more likely to be noticed
• Expensive and harder to work with (splicing, connectors)
• Multimode and single-mode fiber
Multimode fiber
Multimode fiber has a wide core that carries several modes (paths) of light, which arrive at slightly different times (modal dispersion). Used for shorter distances.
Single-mode fiber
Single-mode fiber has a narrow core that carries one mode (path) of light down its center, so there is no modal dispersion. Used for long-haul, high-speed networking.
Noise
Noise – Signal interference that can be caused by motors, electrical devices or fluorescent lighting.
Attenuation
Attenuation – The loss of signal strength as it travels down a length of wire
Crosstalk
Crosstalk - When electrical signals of one wire spill over to another wire.
Transmission types
- Asynchronous communication
- Synchronous communication
- Baseband
- Broadband
- Unicast method
- Multicast method
- Broadcast method
Asynchronous communication
Asynchronous communication: Two devices are not synchronized in any way. The sender can send data at anytime and the receiving end must always be ready. Uses start and stop bits.
Synchronous communication
Synchronous communication: Takes place between two devices that are synchronized, usually via a clocking mechanism. Transfers data as a stream of bits.
Baseband
Baseband: Uses the full cable for its transmission
Broadband
Broadband: Divides the cable into channels so that data can be transmitted on more than one channel at a time
Unicast
Unicast method: A packet needs to go to one particular system
Multicast
Multicast method: A packet needs to go to a specific group of systems
Broadcast
Broadcast method: A packet goes to all computers on its subnet
Network Topologies
Ring
Bus
Star
Mesh
Ring Topology
Ring Topology: Has a series of devices connected by unidirectional transmission links that form a logical ring. Each node is dependent upon the preceding nodes. The physical topology is often a star.
Bus Topology
Bus Topology: A single cable runs the entire length of the network. Each node decides to accept, process or ignore packets. The cable where all nodes are attached is a potential single point of failure.
Star Topology
Star Topology: All nodes connect to a central hub or switch. Each node has a dedicated link to the central hub
Mesh Topology
Mesh Topology: Each node in the network has more than one path to any other node
ARP
ARP – Address Resolution Protocol: A host that knows a destination IP address broadcasts an ARP request on the local segment to learn the matching hardware address (the MAC address).
ARP spoofing / ARP cache poisoning (a masquerading attack): ARP replies are not authenticated, so an attacker sends forged replies that make a victim's ARP table map an IP address
(typically the default gateway's) to the attacker's MAC, enabling man-in-the-middle or denial of service on the segment.
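A passive detector for the ARP poisoning described above, as an added example that is not part of the flashcards. It assumes the defender sees ARP replies on the segment (a tap or mirror port) and trusts the first IP-to-MAC binding it learns; the replies below are constructed, and 10.0.0.1 is assumed to be the gateway.

```python
"""ARP cache poisoning detector over a constructed stream of ARP replies."""
from collections import defaultdict

# Constructed ARP replies: (seconds since capture start, sender IP, sender MAC).
# 10.0.0.1 is assumed to be the default gateway.
SAMPLE_REPLIES = [
    (0.0, "10.0.0.1", "00:1a:2b:3c:4d:5e"),
    (1.0, "10.0.0.5", "08:00:27:aa:bb:cc"),
    (5.0, "10.0.0.1", "00:1a:2b:3c:4d:5e"),
    (9.0, "10.0.0.1", "08:00:27:aa:bb:cc"),   # host .5's MAC now claims the gateway IP
    (9.5, "10.0.0.1", "08:00:27:aa:bb:cc"),
]


def oui(mac: str) -> str:
    """First three octets of a MAC address, the vendor's OUI."""
    return mac.lower().replace("-", ":")[:8]


def detect_arp_poisoning(replies):
    """Return binding-change alerts and MACs that answer for more than one IP.

    The baseline keeps the FIRST MAC seen for each IP and is never overwritten,
    so every later reply that disagrees with it is reported. A real deployment
    would seed the baseline from DHCP leases or a static gateway binding.
    """
    baseline = {}
    changes = []
    ips_by_mac = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        learned = baseline.setdefault(ip, mac)
        if learned != mac:
            changes.append({
                "time": ts, "ip": ip, "baseline_mac": learned, "new_mac": mac,
                "new_oui": oui(mac), "reason": "IP-to-MAC binding changed",
            })
    # One MAC answering for several IPs (here: a host and the gateway) is the
    # classic man-in-the-middle footprint.
    multi_ip = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"binding_changes": changes, "multi_ip_macs": multi_ip}


if __name__ == "__main__":
    result = detect_arp_poisoning(SAMPLE_REPLIES)
    for alert in result["binding_changes"]:
        print(f"[{alert['time']:5.1f}s] {alert['ip']}: {alert['baseline_mac']} -> "
              f"{alert['new_mac']} ({alert['reason']})")
    for mac, ips in result["multi_ip_macs"].items():
        print(f"{mac} answers for {ips}")
```

The baseline is deliberately not updated after an alert: overwriting it would teach the detector the attacker's binding and silence the next alert.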
ICMP
ICMP - Internet Control Message Protocol: Delivers messages, reports errors, replies to certain requests, reports routing information and is used to test connectivity and troubleshoot problems on IP networks. (Used by PING)
SNMP
SNMP – Simple Network Management Protocol: Allows for remote monitoring and status checking of network devices (versions 1 and 2c authenticate with a cleartext community string; SNMPv3 adds authentication and encryption)
PPP
PPP – Point-to-Point Protocol: A data link encapsulation protocol for carrying IP (and other network protocols) over serial links, synchronous or asynchronous; the standard choice for dial-up access. Peers authenticate with PAP, CHAP or EAP.
PBX
PBX Private Branch Exchange: Is a telephone switch that is located on a company’s property.
Many PBX systems ship with default system-manager passwords, which makes them vulnerable to
telephone hackers, known as phreakers (toll fraud, voicemail abuse).
DMZ
DMZ - Demilitarized Zone: A Network segment that is located between the protected and the unprotected networks.
Packet Filtering
Packet Filtering (L3/L4): Uses an Access Control List (ACL) to determine which packets to let through. Does not keep track of state; each packet is judged on its own header fields (network layer plus the transport-layer ports). Access decisions are based on:
• Source and destination IP addresses
• Source and destination port numbers
• Protocol types
Application Proxy Server
Application Proxy Server (L7): Stands between a trusted and untrusted network and does not allow direct connections between trusted and untrusted systems. May be a "dual-homed host" with separate NICs interfacing the trusted and untrusted networks.
• Makes a copy of each accepted packet before transmitting it and repackages the packet to hide the packet’s true origin.
• Works at the application layer
• Inspects the entire packet, including the application payload
• Understands different services and protocols and the commands that are used within them
• There must be one application-level proxy per service.
Circuit-Level Proxy
Circuit-Level Proxy (L5): Similar to a proxy server in that there are no direct connections, hides addresses from outside world. Operates like a packet filter for making access decisions.
Stateful Inspection Firewall
Stateful Inspection Firewall (L3/L4, tracking session state): Maintains a record of active connections in a state table and uses that table to make access decisions. A response packet is accepted only if a corresponding request exists in the state table; otherwise it is rejected.
• More secure than a stateless packet filter (no need to open high ports for return traffic)
• Scalable
• Better performance than "proxy" servers, since payloads are not rewritten
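The difference between the packet filter and the stateful firewall above, walked through the TCP handshake card (SYN, SYN/ACK, ACK), as an added example that is not part of the flashcards. The ACL, addresses and ports are constructed: 10.0.0.0/8 is assumed to be the trusted side, the other addresses are documentation ranges.

```python
"""Stateless ACL vs stateful inspection, walked through a TCP three-way handshake."""
import ipaddress
from dataclasses import dataclass, field

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed trusted network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # subset of {"SYN", "ACK", ...}


# Stateless ACL: (source net, destination net, destination port range, action), first match wins.
# Without a state table, the only way to let replies to outbound HTTPS back in is rule 1,
# which opens every high port on every internal host to anyone on the Internet.
STATELESS_ACL = [
    (ANY, INTERNAL, (1024, 65535), "permit"),   # "return traffic" (far too broad)
    (INTERNAL, ANY, (443, 443), "permit"),      # outbound HTTPS
    (ANY, ANY, (0, 65535), "deny"),             # explicit deny-all
]


def stateless_decision(pkt: Packet, acl=STATELESS_ACL) -> str:
    """Packet filter: decide from the header fields of this packet alone."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, (lo, hi), action in acl:
        if src in src_net and dst in dst_net and lo <= pkt.dport <= hi:
            return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: permits only packets that belong to a connection an
    internal host opened, tracked through SYN -> SYN/ACK -> ACK."""

    def __init__(self, internal=INTERNAL):
        self.internal = internal
        self.table = {}   # (initiator ip, port, responder ip, port) -> state

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # initiator -> responder
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # responder -> initiator
        f = pkt.flags
        if f == {"SYN"}:                                  # new connection attempt
            if ipaddress.ip_address(pkt.src) in self.internal:
                self.table[fwd] = "SYN_SENT"
                return "permit"
            return "deny"                                 # unsolicited inbound SYN
        if self.table.get(rev) == "SYN_SENT" and f == {"SYN", "ACK"}:
            self.table[rev] = "SYN_RECEIVED"
            return "permit"
        if self.table.get(fwd) == "SYN_RECEIVED" and f == {"ACK"}:
            self.table[fwd] = "ESTABLISHED"
            return "permit"
        if "ESTABLISHED" in (self.table.get(fwd), self.table.get(rev)):
            return "permit"
        return "deny"                                     # no matching state: reject


def run_scenario():
    """Handshake from an internal client, then a forged 'reply' from an outsider."""
    client, server, attacker = "10.0.0.5", "198.51.100.7", "192.0.2.9"
    syn = Packet(client, 51234, server, 443, frozenset({"SYN"}))
    synack = Packet(server, 443, client, 51234, frozenset({"SYN", "ACK"}))
    ack = Packet(client, 51234, server, 443, frozenset({"ACK"}))
    forged = Packet(attacker, 443, client, 51234, frozenset({"ACK"}))   # never requested
    fw = StatefulFirewall()
    return {
        "handshake_stateful": [fw.inspect(p) for p in (syn, synack, ack)],
        "forged_stateful": fw.inspect(forged),
        "forged_stateless": stateless_decision(forged),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The forged packet is exactly the kind of "response" the flashcard says must be rejected: the stateless ACL lets it through because its destination port is above 1023, while the state table has no entry for it. Real firewalls also age entries out and track FIN/RST, which is omitted here.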
SOCKS
SOCKS: Is an example of a circuit-level proxy gateway; it relays TCP (and, in SOCKS5, UDP) connections between two TCP/IP computers without inspecting their contents. SOCKS itself does not encrypt the traffic.
• Does not provide detailed protocol-specific control.
• Requires applications that are SOCKS compliant
multi-homed firewall
multi-homed firewall - A host fitted with two or more NICs that sits between an untrusted network (like the Internet) and a trusted network (such as a corporate network) to provide controlled access; IP forwarding between the interfaces must be disabled except through the firewall software
Bastion Host
Bastion Host: Is a locked down system with no unnecessary services, ports, protocols, subsystems or applications running. It is patched and has no unnecessary user accounts. This is a hardened server to be used on the perimeter or in a demilitarized zone.
Screened Host
Screened Host: A bastion host firewall that has a screening packet filtering router between it and the untrusted network.
Screened Subnet
Screened Subnet: The bastion host, housing the firewall, is sandwiched between two packet filtering routers
Honey Pot
Honey Pot: Is a computer that sits in the DMZ and is designed to lure attackers to it, instead of actual production computers
DHCP
DHCP- The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for dynamically distributing network configuration parameters, such as IP addresses for interfaces and services.
DNS
DNS (L7) - Domain Name System: Is the method of resolving hostnames to IP addresses (and the reverse). Responses are unauthenticated unless DNSSEC is used, so cache poisoning is possible.
NAT
NAT - Network Address Translation: hides internal network addresses by presenting only the NAT device's public address to the outside. The NAT device maintains a translation table (state) and performs transparent routing and address rewriting.
PAT
PAT (Port Address Translation) maps many internal addresses to one public IP address by giving each connection a distinct source port, reducing the number of public addresses needed.
Frame Relay
Frame Relay (L2): Packet switched; no error recovery; speed focused; usually carries TCP/IP. It uses packet switching across a shared private network where more than one company shares access to the same routers and switches. Frames are forwarded across virtual circuits which can be permanent or switched.
o Permanent Virtual Circuit (PVC): A logical circuit that works like a dedicated line and provides an agreed upon bandwidth availability.
o Switched Virtual Circuits (SVC): A virtual circuit created as required.
X.25
X.25: older, faded in popularity; packet switched; performs error checking and correction at each hop, which adds latency
ATM
ATM - Asynchronous Transfer Mode: Uses a cell-switching technology. This means that data is segmented into fixed-size 53-byte cells instead of variable-size packets. It is a high-speed networking technology that uses virtual circuits to guarantee bandwidth and Quality of Service.
T1
T1- 1.544 Mbit/s dedicated circuit made of 24 x 64 kbit/s DS0 channels (the European counterpart is E1, 2.048 Mbit/s with 32 channels)
T3
T3- 28 bundled T1s, 44.736 Mbit/s (the European counterpart is E3, 34.368 Mbit/s)
SONET
SONET (Synchronous Optical Network)- multiple T carrier circuits; fiber optical; fiber ring
MPLS
MPLS (Multiprotocol Label Switching)- forwards data by short labels rather than IP lookups over a shared provider network; carries ATM, Frame Relay and IP traffic; now the most common way to connect offices. MPLS separates customers' traffic but does not encrypt it.
SDLC
SDLC (Synchronous Data Link Control)- L2; uses polling (similar to tokens) to transmit data; supports NRM (Normal Response Mode, where secondary nodes transmit only when the primary gives permission) only
HDLC
HDLC (High-level Data Link Control)- SDLC successor; adds error correction and flow control; supports:
- ARM (Asynchronous Response Mode), where secondary nodes can initiate communication
- ABM (Asynchronous Balanced Mode), where all nodes can act as primary or secondary
- NRM
Convergence
Convergence is the state in which all routers share a consistent view of the network topology; until it is reached, traffic may be looped or black-holed
IGP
IGP (Interior Gateway Protocols) route within a single autonomous system (intranets)
EGP
EGP (Exterior Gateway Protocols) route between autonomous systems (the Internet)
Distance Vector protocols
Distance Vector protocols (e.g. RIP) choose routes by a simple metric such as hop count and ignore link bandwidth; neighbors exchange whole routing tables. (BGP is usually classed as a path-vector variant.)
RIP
RIP (Routing Information Protocol) uses hop count (maximum 15 hops; 16 means unreachable); has slow convergence. RIPv1 has no authentication.
BGP
BGP (Border Gateway Protocol) is an EGP; routes between autonomous systems; considered a path-vector protocol because it carries the full AS path
Link State protocols
Link State routing protocols (e.g. OSPF) build a full map of the topology and factor in link cost (bandwidth), not just hop count
OSPF
OSPF (Open Shortest Path First) has event-driven updates; fast convergence; supports authentication of routing updates
RAS
Remote Access Service (RAS) server: Performs authentication by comparing the provided credentials with the database of credentials it maintains.
ISDN
ISDN - Integrated Services Digital Network: largely obsolete. Splits the telephone line into separate channels and transmits data in digital form.
DSL
DSL (ADSL for asymmetric) - Digital Subscriber Line: Is a broadband technology. The service transports data on standard phone lines using higher frequencies than analog calls, which takes advantage of idle bandwidth.
Cable modems
Cable modems: Provide high-speed access. They modulate and demodulate signals and perform functions similar to a router.
**Vulnerability: cable is a shared medium; on early plants the modem effectively repeated the segment's traffic, so neighbors could sniff each other. DOCSIS BPI/BPI+ now encrypts the link between modem and head end.
VPN
VPN - Virtual Private Network: Is a secure private connection through a public network.
PPTP
PPTP - Point-to-Point Tunneling Protocol: An encapsulation protocol based on PPP. It works at the data link layer, carries a single point-to-point connection, and tunnels PPP frames inside GRE, so it works only over IP networks. PPTP itself does not encrypt; confidentiality comes from MPPE, and its usual MS-CHAP authentication is considered broken today.
L2TP
L2TP - Layer 2 Tunneling Protocol: Can run on top of and tunnel through networks that use protocols other than IP, such as Frame Relay. It does not encrypt data on its own; it is normally paired with IPsec (L2TP/IPsec).
IPSec
IPSec: Handles multiple connections at the same time and provides authentication and encryption (AH for integrity/authentication, ESP for confidentiality plus integrity). Supports only IP networks and was designed for LAN-to-LAN communication. Works at the network layer and provides security on top of IP. In tunnel mode the entire original IP packet (header and payload) is protected and wrapped in a new IP header; in transport mode only the payload is protected and the original header is kept.
RADIUS
Remote Authentication Dial-In User Service (RADIUS): A centralized authentication, authorization and accounting protocol used by network access servers (dial-up, VPN, 802.1X). Runs over UDP and encrypts only the password attribute; the rest of the packet is in the clear.
TACACS+
Terminal Access Controller Access Control System Plus (TACACS+): A Cisco-developed AAA protocol. Runs over TCP, encrypts the entire packet body, separates authentication, authorization and accounting, and supports two-factor authentication.
Diameter
Diameter: The successor to RADIUS; an AAA protocol that can be used with many different types of devices and protocols (mobile IP, VoIP), runs over TCP or SCTP and supports TLS/IPsec.
802.11
Wireless networking is defined by the IEEE 802.11 standards. Wireless networks interface with wired networks through an Access Point (AP). When connected to a wired network the Access Point acts as a bridge and operates at layer 2 of the OSI model.
802.11b
802.11b (Wi-Fi) standard:
• Data transfer rate of 11 Mbps
• Operates at 2.4 GHz.
• Signal range of 50 – 300 ft.
802.11g
802.11g :
• Basically a speed extension of the 802.11b standard
• Increased the data transfer rate to 54 Mbps
• Is backward compatible with 802.11b networks.
802.11i
802.11i: The security amendment to 802.11 that defines the Robust Security Network (RSN): 802.1X authentication, a four-way key handshake and CCMP (AES) encryption. WPA2 is the Wi-Fi Alliance certification of the final 802.11i standard.
802.15
802.15 (802.15.1 Bluetooth):
• Signal range of roughly 35 ft (about 10 m for the common class 2 devices)
• Used for small personal devices like cell phones and PDAs.
• Uses frequency-hopping spread spectrum technology in the 2.4 GHz range
- Vulnerability: Bluetooth transmissions can be intercepted by other Bluetooth-enabled devices in range; discoverable mode and weak PINs make pairing attacks easier.
- Note: Bluetooth does include an optional security specification that enables device authentication and link encryption
FHSS
Frequency-hopping spread spectrum (FHSS) is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver.
DSSS
Direct-sequence spread spectrum (DSSS) is a spread spectrum modulation technique. The data signal is multiplied by a higher-rate pseudorandom chip sequence, so it is transmitted over a bandwidth much wider than the message itself needs. The resulting wideband signal looks like noise to a narrowband observer, which gives resistance to intentional and unintentional interference.
BSS
Basic Service Set (BSS): A group of clients and access points that form a wireless network.
SSID
Service Set Identifier (SSID): Is a network name assigned to a Basic Service Set.
- Unless it is disabled, access points periodically broadcast their SSID
OSA
Open System Authentication (OSA): any client may associate; the access point does not authenticate the wireless client and OSA itself provides no encryption. This is really a non-authenticating model.
SKA
Shared Key Authentication (SKA) uses a shared WEP key and encryption for wireless authN: the AP sends a challenge and the client returns it encrypted under the shared key. The assumption is that if the client knows the shared key, it represents a valid user. Caveat: because both the challenge and the encrypted response are sent over the air, an eavesdropper learns a keystream sample, so SKA is actually weaker than OSA with WEP.
WEP
Wired Equivalent Privacy (WEP): A first-generation wireless encryption scheme that uses the symmetric stream cipher RC4 with a 40- or 104-bit secret key prepended by a 24-bit per-frame Initialization Vector (IV), marketed as "64-bit" and "128-bit" WEP. The small IV space and the way the IV is concatenated with the key are its core weaknesses.
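The keystream-reuse weakness the WEP card refers to, as an added example that is not part of the flashcards. It uses a straight RC4 implementation and the WEP framing (3-byte IV in the clear, RC4 keyed with IV || shared key); the WEP key, IV and frame contents are constructed, and the CRC-32 ICV that real WEP appends is left out because it does not affect the point.

```python
"""WEP-style RC4 framing and what happens when a 24-bit IV repeats."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) then pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(data, rc4_keystream(key, len(data)))


IV_SPACE = 2 ** 24   # a busy AP cycles through every 24-bit IV in hours


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV sent in the clear, then RC4(IV || key) XOR data."""
    assert len(iv) == 3
    return iv + rc4(iv + wep_key, plaintext)


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    return rc4(iv + wep_key, ciphertext)


def keystream_reuse_attack(frame_a: bytes, known_plaintext_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share one RC4 keystream. Knowing frame A's
    plaintext (ARP and DHCP traffic is highly predictable) recovers the keystream
    prefix, which decrypts as much of frame B as that prefix covers, with no key."""
    assert frame_a[:3] == frame_b[:3], "attack needs an IV collision"
    keystream = xor(frame_a[3:], known_plaintext_a)
    n = min(len(keystream), len(frame_b) - 3)
    return xor(frame_b[3:3 + n], keystream[:n])


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                  # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(key, iv, b"ARP request to 10.0.0.1")
    f2 = wep_encrypt(key, iv, b"GET /index.html")       # same IV reused
    print(keystream_reuse_attack(f1, b"ARP request to 10.0.0.1", f2))
```

Even without an IV collision, the XOR of two same-IV ciphertexts equals the XOR of their plaintexts, which is why a stream cipher must never reuse a key/nonce pair; WPA2's CCMP avoids this with a 48-bit packet number and a per-session key.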
MAC Address Checking
MAC Address Checking: This is used to try and compensate for the WEP weakness. The Access Point has a list of MAC address that are allowed to connect to the network and only those clients on the list can connect. Vulnerability: MAC addresses are transmitted in the clear and can be sniffed and spoofed
WPA2
Wi-Fi Protected Access 2 (WPA2): The second generation of WPA security, providing a high level of assurance that only authorized users can access a wireless network. WPA2 is based on the final IEEE 802.11i amendment to the 802.11 standard.
- WPA/WPA2 Enterprise uses an 802.1X (e.g. RADIUS) authentication server, which derives a different key for each user; WPA2 Personal derives keys from a pre-shared passphrase
- Replaces WEP's RC4 and 24-bit IV with CCMP (AES) and a 48-bit packet number, so keystream reuse is no longer possible
PAP
PAP (Password Authn Protocol)- very weak; uname & password in clear txt
CHAP
CHAP (Challenge Handshake Authn Protocol)- never sends the password over the link; resists replay. The server sends a random challenge; the client hashes (MD5) the challenge together with an identifier and the shared secret and returns the hash; the server computes the same hash from its own copy of the secret and compares. Because each challenge is fresh, a captured response cannot be replayed. The server may re-challenge periodically during the session to detect hijacking.
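The CHAP exchange described above with both sides computed, alongside what PAP puts on the wire, as an added example that is not part of the flashcards. The user name, shared secret and the dictionary used as a credential store are constructed; the response formula is the one RFC 1994 specifies.

```python
"""CHAP challenge/response (RFC 1994) with single-use challenges, beside PAP."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over the one-octet Identifier, the shared secret and
    the challenge. Both peers compute it; the secret never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The server side: issues random challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets          # user name -> shared secret (assumed local store)
        self.outstanding = {}           # identifier -> challenge, removed once used
        self._next_id = 0

    def challenge(self):
        ident = self._next_id & 0xFF
        self._next_id += 1
        chal = os.urandom(16)           # unpredictable, so a captured response is useless later
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # single use: a replay finds nothing
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def pap_on_wire(username: str, password: bytes) -> bytes:
    """What PAP transmits: user name and password in the clear (illustrative framing)."""
    return username.encode() + b":" + password


def demo():
    secret = b"correct horse battery staple"      # constructed shared secret
    auth = ChapAuthenticator({"alice": secret})

    ident, chal = auth.challenge()
    response = chap_response(ident, secret, chal)            # computed by the client
    ok = auth.verify(ident, "alice", response)
    replayed = auth.verify(ident, "alice", response)         # sniffed and resent: rejected

    ident2, chal2 = auth.challenge()
    wrong = auth.verify(ident2, "alice", chap_response(ident2, b"guess", chal2))

    return {
        "ok": ok, "replayed": replayed, "wrong_secret": wrong,
        "chap_exposes_secret": secret in (chal + response),  # what an eavesdropper saw
        "pap_exposes_secret": secret in pap_on_wire("alice", secret),
    }


if __name__ == "__main__":
    print(demo())
```

Note what CHAP does not give you: the server must hold the secret in a recoverable form, and an eavesdropper who captures challenge and response can run an offline dictionary attack against a weak secret, which is why MS-CHAPv2 inside a TLS tunnel (PEAP, EAP-TTLS) replaced bare CHAP on wireless.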
PBNAC
- 802.1X Port Based Network Access Control (PBNAC) carries EAP over the LAN (EAPOL) and keeps a port closed until authentication succeeds; has 3 roles:
- Supplicant- client
- Authenticator- access point or other device
- Authentication Server (AS)- validates credentials
EAP
EAP (Extensible AuthN Protocol)- is a framework, not a single method; carries many authentication methods; used in wired and wireless; commonly deployed on WLANs
• EAP-MD5- weakest; client-to-server authn only (no server authentication); susceptible to man-in-the-middle and offline dictionary attacks
• LEAP (Lightweight EAP)- Cisco proprietary; significant security flaws (offline dictionary attack on its MS-CHAP exchange)
• EAP-FAST (EAP Flexible AuthN via Secure Tunneling)- Cisco designed to replace LEAP; builds a TLS tunnel from a Protected Access Credential (PAC) instead of a server certificate
• EAP-TLS (EAP Transport Layer Security)- requires server and client side certs; very secure but costly to deploy (a PKI enrolling every client)
• EAP-TTLS (EAP Tunneled Transport Layer Security)- simplifies EAP-TLS by requiring only a server certificate; client credentials travel inside the TLS tunnel
• PEAP (Protected EAP)- competitor and similar to EAP-TTLS; most often PEAP-MSCHAPv2; clients must validate the server certificate or a rogue AP can harvest credentials
WAP
Wireless Application Protocol (WAP)- lets older, resource-limited wireless devices reach Internet content (WML pages);
• Uses WTLS to encrypt data between the handset and the WAP gateway
• Uses HMAC for message authN
• requires a gateway to translate between WTLS/WML and TLS/HTML, so data is briefly decrypted on the gateway (the "WAP gap")
NIDS
NIDS (Network IDS) passively monitors the traffic it can see; on a shared segment configure the NIC in promiscuous mode, on a switched network use a SPAN (Switched Port Analyzer) mirror port or a network tap
NIPS
NIPS (Network IPS) sits inline and actively alters the flow of traffic to stop malicious packets; being inline, an outage or a false positive blocks legitimate traffic
IDS Event types
Event types:
- True positive (IDS accurately detects attack);
- True negative (IDS accurately detects no attack);
- False positive (IDS inaccurately detects attack);
- False negative (IDS does not detect attack- worst case);
HIDS
HIDS/HIPS (Host IDS/IPS)- run on the host and check files (integrity), processes, logs and system calls; see traffic after decryption, which a NIDS cannot
Antivirus
Antivirus- one layer of many for defense-in-depth; use malware signatures as well as heuristics
App whitelisting
App whitelisting- lists the binaries allowed to run on a machine; entries can be identified by publisher signature, file hash, or trusted pathname (hash is strongest, path is weakest)
Honeypots
Honeypots- a system that attracts attackers; simulate parts of systems by scripting network actions
IDS Anomaly detection
Anomaly detection- establishes baseline and looks for alterations from the baseline
IDS Protocol behavior
Protocol behavior- detect anomalies from how protocols should work
IDS Pattern Matching
Pattern Matching- compares events to static signatures; good for detecting known attacks
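The pattern-matching and anomaly-detection approaches above, run over a handful of web-server requests and scored with the IDS event types card (true/false positives and negatives), as an added example that is not part of the flashcards. The log entries, baseline window and signatures are all constructed.

```python
"""Signature matching vs anomaly detection over constructed web requests, scored as TP/FP/TN/FN."""
import re

# Constructed training window: requests observed while the site was known to be clean.
TRAINING_PATHS = ["/index.html", "/login", "/search?q=routers", "/images/logo.png", "/login"]

# Constructed events to classify: (client IP, request path, ground truth).
EVENTS = [
    ("10.0.0.5",     "/index.html",                                   "benign"),
    ("10.0.0.5",     "/login?user=admin' OR '1'='1",                  "attack"),
    ("198.51.100.9", "/search?q=1 UNION SELECT password FROM users",  "attack"),
    ("10.0.0.7",     "/reports/q3.pdf",                               "benign"),   # new but legitimate
    ("203.0.113.4",  "/images/../../../etc/passwd",                   "attack"),
    ("10.0.0.8",     "/index.html",                                   "benign"),
    ("192.0.2.77",   "/admin/backup.tar",                             "attack"),   # no known signature
]

# Static signatures: good at what is already known, blind to anything else.
SIGNATURES = {
    "sqli-union":     re.compile(r"union\s+select", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def first_segment(path: str) -> str:
    """'/search?q=x' -> '/search'; '/images/../x' -> '/images'."""
    return "/" + path.lstrip("/").split("?", 1)[0].split("/", 1)[0]


def signature_detect(events, signatures=SIGNATURES):
    """Pattern matching: flag an event if any static signature matches the request."""
    return {i for i, (_, path, _) in enumerate(events)
            if any(sig.search(path) for sig in signatures.values())}


def build_baseline(training_paths):
    """Anomaly baseline: the set of top-level paths seen during the clean window."""
    return {first_segment(p) for p in training_paths}


def anomaly_detect(events, baseline):
    """Anomaly detection: flag requests whose top-level path was never seen in the baseline."""
    return {i for i, (_, path, _) in enumerate(events) if first_segment(path) not in baseline}


def score(flagged, events):
    """Confusion counts against ground truth (the IDS event types)."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for i, (_, _, truth) in enumerate(events):
        alerted, attack = i in flagged, truth == "attack"
        key = ("TP" if attack else "FP") if alerted else ("FN" if attack else "TN")
        counts[key] += 1
    return counts


def compare(events=EVENTS, training=TRAINING_PATHS):
    sig = signature_detect(events)
    ano = anomaly_detect(events, build_baseline(training))
    return {"signature": score(sig, events),
            "anomaly": score(ano, events),
            "combined": score(sig | ano, events)}


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:9s} {counts}")
```

The numbers show the trade-off the cards describe: signatures produce no false positives but miss the unknown attack on /admin (a false negative, the worst case); the anomaly detector catches it but also alerts on a harmless new path; running both gets every attack at the cost of one false positive to triage.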
MAC Address
MAC (Media Access Control) Addresses
48 bits, written as six hex octets- 00:00:00:00:00:00
first 3 octets (24 bits) contain the OUI (Organizationally Unique Identifier) assigned to the vendor; the last 3 octets are assigned by the vendor. Easily spoofed, so a MAC is an identifier, not an authenticator.
IPv4 Address
IPv4- 32 bit address; 20 byte header without options. Header fields:
• Version / IHL- header length in 32-bit words (5 = 20 bytes)
• Type of Service- sets precedence (QoS)
• Identification, Flags (DF, MF), Fragment Offset- used for fragmentation and reassembly
• Time to Live- decremented at each hop; ends routing loops
• Protocol- payload type (ICMP = 1, TCP = 6, UDP = 17)
• Header Checksum- covers the header only
• Source Address; Destination Address
• Options; Padding
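A parser for the header laid out above, including the RFC 791 checksum and the length checks a careless decoder skips, as an added example that is not part of the flashcards. The sample packet is constructed by the helper in the block (documentation addresses, TCP, TTL 64).

```python
"""Parse and checksum a raw IPv4 header (RFC 791)."""
import socket
import struct

HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte part of the header


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words. Over a header whose checksum field
    is correct the result is 0; with the field zeroed it yields the checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, ttl=64, payload_len=0, df=True, ident=0x1234):
    """Assemble a 20-byte header (no options) with a correct checksum."""
    flags_frag = 0x4000 if df else 0         # DF is bit 14 of the flags/offset word
    hdr = struct.pack(HEADER_FMT, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the header; refuse truncated input and an IHL that points past the buffer."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")           # classic parser-crash input
    flags = flags_frag >> 13
    return {
        "ihl": ihl, "tos": tos, "total_length": total_len, "identification": ident,
        "df": bool(flags & 0x2), "mf": bool(flags & 0x1),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # in bytes
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "options": packet[20:ihl],
    }


if __name__ == "__main__":
    pkt = build_ipv4_header("192.0.2.1", "198.51.100.7", proto=6, payload_len=20)
    print(parse_ipv4_header(pkt))
```

The MF flag and fragment offset are what a NIDS has to reassemble before matching signatures; an attacker who splits an exploit across fragments is relying on the sensor not doing so.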
IPv6 Address
IPv6- 128 bit address
Hosts can statelessly autoconfigure IPv6 addresses (SLAAC); DHCPv6 and static addressing remain possible
Global unicast addresses are configured from router advertisements (Scope: Global)
Link-local addresses (fe80::/10) are used only for communication on the local LAN (Scope: Link)
Loopback is ::1
IPv6 is enabled and autoconfigures by default on most systems, so a rogue router advertisement on the LAN can redirect traffic; disable IPv6 where it is not used, or filter router advertisements at the switch
CIDR
CIDR (Classless Inter-Domain Routing)
More flexible than classful networks (Class A to E), where each class reserved a fixed-size address block
Class A netmask is /8, e.g. 10.0.0.0/8; /8 means the first 8 bits are the network portion, leaving 24 bits for hosts
Class C netmask is /24, e.g. 192.0.2.0/24, leaving 8 bits for hosts (256 addresses, 254 usable)
Cutting a /24 in half gives two /25 subnets (192.0.2.0/25 and 192.0.2.128/25) of 2^7 = 128 addresses each
Internal-only (private) addresses (RFC 1918): 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16
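The CIDR arithmetic on this card and the IPv6 scopes on the previous one, done with Python's standard ipaddress module, as an added example that is not part of the flashcards. Sample addresses are documentation and RFC 1918 ranges; the classful letters follow the legacy first-octet boundaries.

```python
"""CIDR arithmetic and address classification with the standard ipaddress module."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful_class(addr: str) -> str:
    """Legacy class from the first octet (A: 0-127, B: 128-191, C: 192-223, D: 224-239, E: 240-255)."""
    first = int(ipaddress.ip_address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


def split(cidr: str, new_prefix: int):
    """Subnet a block into equal pieces, e.g. a /24 into two /25s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def size(cidr: str):
    """(total addresses, usable host addresses). IPv4 /30 and larger lose the
    network and broadcast addresses; /31 and /32 do not."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4 and net.prefixlen <= 30:
        return net.num_addresses, net.num_addresses - 2
    return net.num_addresses, net.num_addresses


def classify(addr: str) -> str:
    """Coarse scope label used by the edge filter below."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip.is_loopback:
            return "ipv6-loopback"
        if ip.is_link_local:
            return "ipv6-link-local"
        return "ipv6-global" if ip.is_global else "ipv6-other"
    if ip.is_loopback:
        return "ipv4-loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    return "ipv4-public"


def should_drop_at_edge(src: str, dst: str) -> bool:
    """Anti-spoofing rule for an Internet-facing interface: RFC 1918 or loopback
    addresses must never appear as source or destination on the outside."""
    return any(classify(a) in ("rfc1918-private", "ipv4-loopback", "ipv6-loopback")
               for a in (src, dst))


if __name__ == "__main__":
    print(split("192.0.2.0/24", 25), size("192.0.2.0/25"))
    print(classify("172.31.255.1"), classify("fe80::1"), classify("::1"))
```

ipaddress.ip_network(..., strict=False) accepts a host address with a prefix (192.0.2.7/24) and normalizes it to the network; with strict=True, the default, that input raises, which is the safer choice when parsing untrusted ACL entries.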