Week 7 - DNS, Management and Security Flashcards

1
Q

What is DNS?

A

Domain Name System
- Solution to directory problem for hosts
- Distributed (no single point of failure)
- Local control and update (accuracy of information)
- Replicable (secure)
- Consistent (everyone has same view of data)

2
Q

What are zones of control?

A

Each zone has a primary server
Each zone is in charge of information about the zone
For performance & availability each zone has backup servers

3
Q

How does DNS lookup work?

A
  1. A local machine asks its local DNS server (dns1) for www.ibm.com
  2. The dns1 server asks a root name server m for www.ibm.com
  3. The root server m refers dns1 to the .com name server f (referral)
  4. The root server f refers dns1 to the ibm.com name servers y
  5. The root server y responds with www.ibm.com's address

After this query dns1 now knows:
- The name and IP address of the .com name servers (m)
- The name and IP address of the ibm.com name servers (y)
- The IP address of www.ibm.com

The results of the resolution process are now cached, so later queries go directly to the correct server and avoid the referrals. Cache entries have a TTL, which reduces the number of queries without losing the ability to change addresses efficiently.

DNS lookups can be done in an iterative mode or a recursive mode.

4
Q

What is the difference between authoritative and non-authoritative dns lookup answers?

A

Authoritative is from the server, non-authoritative is from the cache.

5
Q

What are the main types of DNS records?

A
6
Q

What is SNMP?

A

Simple Network Management Protocol (SNMP)
Manages information that is:
- static: information that characterises the current config (e.g. number of interfaces)
- dynamic: related to events in the networks (e.g. number of packets)
- statistical: information derived from dynamic information (e.g. average packets per unit of time).

Runs over UDP as messages are small

7
Q

How does SNMP work?

A

Monitoring application:
- functions visible to the user/manager
- performance monitoring, fault monitoring, security monitoring, account monitoring
Manager function:
- performs basic monitoring function of retrieving info
Agent function:
- gathers and records management information for one or more network elements and communicates the information to the network monitoring elements
- usually runs in the router/switch and listens/replies to information requests
Managed Objects:
- the resources
- queue sizes, number of packets on each interface, number of packets with errors, abnormal occurrences
Monitoring Agent:
- Generates summaries and stats from info

8
Q

Whats the difference between polling and traps?

A

Polling is when the management station continuously tries to get the status information about the managed devices.
Traps occur when something abnormal happens in the management station.
Crucial for network efficiency.

Traps are not acknowledged by the monitoring station which can cause problems. Threshold of when trap is sent is configurable. Trap is usually packed with information in the form of MIB objects and their values.

9
Q

What is MIB?

A

An MIB is a database where each resource is represented by an object. It is a tree structure. Each system (router, switch) maintains one for its managed resources.

10
Q

What is an SMI?

A

SMI (Structure of Management Information) defines the general framework in which an MIB can be defined.

11
Q

What are the four main SNMP functions?

A

GetRequest()
GetNextRequest()
GetResponse()
SendTrap() - can only be run by server not client

12
Q

How is polling frequency calculated?

A

Example:
Polling every 15 minutes
Processing time of 50ms
Network delay of 1ms
N <= 15x60/0.202=4500

13
Q

What are the SNMPv2/SNMPv3 enhancements?

A

SNMPv2:
- No security mechanisms
- New structure of Management Information (SMI)
- Manager to Manager capabilities
- New protocol operations

SNMPv3:
- Administration and security added

14
Q

Name some network security risks?

A

Confidentiality - Someone intercepts packets between two entities (man-in-the-middle attack) - packet sniffer.
Authentication - Someone pretends to be someone else (phishing, dns poisoning, fake email address)
Non-repudiation - Charlie sends a message to Alice but then claims he didn't send it.
Unauthorized Access - Charlie pretends to be Alice and accesses her resources (password capture, inadequate firewall)
Denial of service - Charlie sends a huge amount of traffic disabling Alice’s server (botnets, SYN floods, source spoofing, email spam)

15
Q

What steps can be taken to protect a network?

A
  1. Security policy
    - First step is to decide what is to be protected - systems, data, CPU cycles, etc.
    - Who is it to be protected from? Who gains the most from the organisation's loss?
    - Is it affordable? Equipment, admin, frustration - the extreme end is a system not connected to any network in a locked room.
  2. Physical security
    - Theft, access to console, power cuts, floods, fire
    - Mitigation includes security staff, insurance, steel doors, CCTV, uninterruptible power supplies (UPS)
16
Q

What are viruses/worms/botnets?

A

Viruses attach to other programs. Worms propagate by themselves. Both have exponential impact as each program can infect many hosts.

BotNets - commonly virus/trojan infected machines are recruited to form large networks which can be remotely controlled. Used to launch distributed DDoS attacks (usually for blackmail). Used to accept and relay SPAM.

17
Q

What is the key problem in cryptography?

A
18
Q

How do public keys work?

A

System was invented independently by Ellis, Cocks and Williams in 1975. Uses large prime numbers and modular arithmetic as the basis of one way functions (a one way function is where it is very computationally expensive to reverse the calculation).

Public keys can also be used for authentication. Bob sends a message encrypted by private key. Alice with the public key can check if Bob signed the message.

19
Q

What is SSL/TLS?

A

Secure Sockets Layer/Transport Layer Security
- Server must have a public/private key pair.
- Should have a certificate.
- User connects to the server with a browser on https (which connects on port 443, as that signifies the use of SSL/TLS)
- Client and server negotiate a cryptographic algorithm (symmetric) to use for the session and the server assigns a session ID (allows the same keys to be used for a period)
- Server sends the certificate to the client.
- Client checks the certificate using the root certification authority's key (supplied with the browser)
- Also checks the name of the server
- Client now generates the key material for encrypting the network traffic
- Material is signed using the server's public key and sent
- The server and client then exchange a message authentication code (MAC) to ensure that both agree with the key exchanges up to that point.
- Caveat - unless you check the certificate details, all you know is that you are talking to some site over an encrypted channel.

20
Q

How do certificates work?

A
21
Q

What is a secure shell?

A
22
Q

How are IP and DNS secured?

A

IPSec and DNSSec - same principles

23
Q

What is a firewall?

A
24
Q

What are the firewall methods of access control?

A

Static filtering - simplest method. TCP and UDP packets are identifiable by the 4-tuple of: source IP, source port, destination IP, destination port. A set of rules specifies the allowed combinations of this key. Traffic has to be allowed in both directions.

Dynamic filtering - similar to static, but the firewall makes a note of the addresses and port numbers and dynamically installs a rule to allow the reverse traffic. Causes issues where data channels are negotiated dynamically with the application.

Content Based Access Control - deals with the limitations of static and dynamic filtering. Can look inside of the command stream and set up rules to enable the protocol to work.

25
Q

What are the next generation firewall features?

A

Content inspection.
Email attachment sandbox (validate attachments and check system behaviour before allowing traffic through)
Machine learning

26
Q

What DDOS methods exist?

A

Source spoofing:
- Any host can put any source address on a message - the ISP/AS should check, but some don't
- They can check by doing a reverse path check (check the message came from the direction expected for the given source).
SYN Flood
- Attackers send SYN packets, creating state in the receivers, attackers never send the final ACK
- SYN cookies avoid this. It encodes the client initial sequence in the server, only when it receives the final ack is state created.
Botnets
- Many computers are in the control of botnet herders - very difficult to detect.
- Traffic comes with the right source address
- Attackers can return the right ACK to SYN-ACK
- Cloud computing helps - instantiating new services on demand
- Still an open issue: Machine learning can help.
SPAM
- Sending identical messages to thousands of recipients. Represents 95% of the mail sent in the internet. Major problem for ISPs.
- Bayesian filtering in mail readers classifies SPAM. Does not save bandwidth though.
- Governments have legal options
- Bill Gates proposed electronic stamps
Sender Policy Framework (SPF)
- see picture