CISSP - PowerPoint PPT Presentation

About This Presentation
Title:

CISSP

Description:

CISSP Chapter 7 Telecommunications and Network Security. Chapter 7: This chapter is HUGE and honestly you are not going to understand all of it unless you've done ...

Slides: 164
Provided by: bri9162


Transcript and Presenter's Notes


1
CISSP Chapter 7
  • Telecommunications and Network Security

2
Chapter 7
  • This chapter is HUGE and honestly you are not
    going to understand all of it unless you've done
    a lot of network or network security in your
    life. Don't get too stressed, try to follow along;
    I will try to point out the most important things
    to understand. If you have questions ASK ME,
    luckily this is my area of expertise so I should
    be able to help you out. Some questions may have
    to be directed to after class or in between
    breaks if they go too in depth.

3
Chapter 7 OSI/Internet Model 483
  • There is something called the OSI model that
    lays out functional levels/different distinct
    services that a network should provide. It's not
    actually used in real life but serves as a
    reference. The Internet (TCP/IP) model is used
    and maps directly to the OSI model, but is
    simpler.
  • The layered model defines the functionality a
    certain layer should provide; each layer provides
    services to the layer directly above it, which
    that layer can use. Each layer generally uses the
    resources and functionality of the layer below it.

4
OSI model 484
  • 7 layers
  • A P S T N D P: All People Seem To Need Data
    Processing (say that 10 times)
  • Application
  • Presentation
  • Session
  • Transport
  • Network
  • Data link
  • Physical

5
OSI model layer 1 physical 494
  • Layer 1 (Physical), simply put, is concerned with
    physically sending electrical signals over a
    medium. It is concerned with:
  • specific cabling,
  • voltages, and
  • timings
  • This level actually sends data as electrical
    signals that other equipment using the same
    physical medium understands (ex. Ethernet)

6
OSI model layer 2 data link 492
  • Layer 2 (Data Link) goes hand in hand with the
    physical layer. The data link level actually
    defines the format of how data frames will be
    sent over the physical medium, so that two
    network cards of the same network type will
    actually be able to communicate. These frames are
    sent to the physical level to actually be
    turned into the electrical signals that are sent
    over a specific network. (Layer 2 uses the
    services of layer 1.)
  • Two network cards on the same LAN communicate at
    the data link layer.
  • Data Link and Physical layers really go together
    to define how a specific network type operates;
    in fact layers 1 and 2 of the OSI model = layer 1 of
    the TCP/IP model (Network Access)
  • (more)

7
OSI model layer 2 - 492
  • Protocols that use the data link layer
  • ARP
  • RARP
  • PPP
  • SLIP
  • Any LAN format (Ethernet)

8
OSI model layer 3 network - 491
  • Layer 3 (Network): for the Internet this is IP,
    which defines how packets are sent across
    different physical networks/LANs. Layer 2 is
    concerned with defining unique hosts on a
    network, and routing packets between distinct
    networks.
  • Layer 3 protocols
  • IP
  • IPX/SPX
  • Apple Talk
  • (more)

9
OSI model layer 3 network - 491
  • For IP, other protocols that work on this layer
    are:
  • ICMP: IP helpers (like ping)
  • IGMP: Internet Group Message Protocol
  • RIP: routing protocol
  • OSPF: routing protocol
  • BGP: routing protocol
  • (more)

10
OSI Model Layer 3 - 491
  • OSI layer 3 (Network) = Internet model layer 2
    (Network)
  • Layer 3 actually uses the services of the data
    link layer to move data between two computers on
    the same LAN.

11
OSI model Layer 4 Transport - 490
  • OSI Layer 4 (Transport): provides end-to-end
    data transport services and establishes a logical
    connection between 2 computer systems
  • Virtual connection between COMPUTERS
  • Protocols used at layer 4
  • TCP
  • UDP
  • In the Internet Model this is layer 3
    (transport/host to host)
  • Layer 4 uses the services of layer 3 to move data
    between 2 different networks/hosts

12
OSI Model Layer 5 Session - 489
  • OSI Layer 5 (Session): responsible for
    establishing a connection between two
    APPLICATIONS! (either on the same computer or two
    different computers)
  • Create connection
  • Transfer data
  • Release connection
  • Protocols that work at this layer
  • NFS
  • SQL
  • RPC
  • Remember Session is setting up a conversation
    between two applications rather than computers;
    however the session layer uses the services of
    the layer beneath it (transport) to move data
    between 2 computers
  • OSI layer 5 = Internet model layer 3
    (transport/host to host)

13
OSI model Layer 6 Presentation - 487
  • OSI Layer 6 (Presentation): presents the data in a
    format that all computers can understand
  • Concerned with encryption, compression and
    formatting
  • Maps to layer 4 of the Internet Model

14
OSI model Layer 7 Application - 487
  • This defines a protocol (way of sending data)
    that two different programs or protocols
    understand.
  • HTTP
  • SMTP
  • DNS
  • This is the layer that most software uses to talk
    with other software.
  • This maps to the Internet model Layer 4
    (application)


15
Quick OSI review
  • What layer creates a connection between 2
    applications?
  • What layer turns the frames sent to it into the
    proper voltages and timings to send across a
    wire?
  • What layer is concerned with finding paths
    between different networks?
  • What layer is concerned with the formatting of
    the data?
  • What layer is concerned with communicating
    between two of the same interface types on
    computers on the same LAN?
  • What layer creates a connection between two
    computers?
  • What layer is concerned with the data/protocol
    that the application you are using uses?

16
Some network equipment and what layers they
generally work on
  • We will talk about these later on.
  • Hub/repeater: physical
  • Switch: data link
  • Router: network
  • Firewall: can be at one of many levels above
    network
  • Application proxy firewall: application

17
TCP/IP model
  • Network Access = OSI layers 1 & 2, defines LAN
    communication (what do I mean by that?)
  • Network = OSI layer 3, defines addressing and
    routing
  • Transport/Host to Host = OSI layers 4, 5, defines
    a communication session between two applications
    on one or two hosts
  • Application = OSI layers 6, 7, the application
    data that is being sent across a network

18
OSI vs. TCP/IP model

19
TCP/IP (497)
  • TCP/IP is a suite of protocols that define IP
    communications.
  • IP is a network layer protocol, and handles
    addressing and routing
  • We use IP version 4
  • The main components of an IP address
  • IP address
  • Netmask
  • What is the netmask used for?
  • Host part, network part, like street address and
    zip code.
  • (more)

20
TCP/IP class networks - 504
  • Class A
  • IP ranges 0.0.0.0 to 127.255.255.255
  • Implied Netmask 255.255.255.0
  • Lots of hosts (about 16 million)
  • Class B
  • IP ranges 128.0.0.0 to 192.255.255.255
  • Implied netmask 255.255.0.0
  • About 65,000 hosts
  • (more)

21
TCP/IP class networks - 504
  • Class C
  • IP ranges 192.0.0.0 to 223.255.255.255
  • Implied netmask 255.255.255.0
  • 254 hosts
  • Class D
  • IP ranges 224.0.0.0 to 239.255.255.255
  • Reserved for multicast, not normal IP addresses
  • Class E
  • IP ranges 240.0.0.0 to 255.255.255.255
  • Reserved for research

22
TCP/IP Classless networks
  • Classes are not really used anymore, we now use
    CIDR, which is just an IP address and a netmask
    (or /prefix length)
  • Ex. 172.16.1.0/24 = 172.16.1.0 with a netmask of
    255.255.255.0
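
The class boundaries on slides 20-21 and the CIDR notation on slide 22 can be worked through in code. The following is an added example, not taken from the slides, written in Python with only the standard library: it reads the class from the first octet, applies the standard class-implied masks (/8, /16, /24), splits a CIDR address into its network part (the "zip code") and host part (the "street address"), and performs the same-network test a host makes before deciding whether to talk directly on the LAN or send to its default gateway. The addresses used (10.0.0.1, 130.85.1.3, 208.254.31.1, 172.16.1.0/24) are ones that appear elsewhere in these slides.

```python
import ipaddress

# Class-implied prefix lengths for the three unicast classes. Added example
# (not from the slides); these are the standard /8, /16 and /24 masks.
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr: str) -> str:
    """Return the classful letter A-E judged from the first octet."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"  # multicast, not ordinary host addresses
    return "E"      # reserved


def classful_network(addr: str):
    """Network, implied netmask and usable host count under classful rules.

    Returns None for class D/E, which carry no implied host netmask.
    """
    cls = address_class(addr)
    if cls not in CLASSFUL_PREFIX:
        return None
    net = ipaddress.ip_network(f"{addr}/{CLASSFUL_PREFIX[cls]}", strict=False)
    # Subtract the network and broadcast addresses to get usable hosts.
    return str(net), str(net.netmask), net.num_addresses - 2


def split_cidr(cidr: str) -> dict:
    """CIDR: an address plus a prefix length such as 172.16.1.0/24.

    Splits the address into the network part and the host part using
    the netmask that the prefix length stands for.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    host_bits = 32 - net.prefixlen
    host_part = int(iface.ip) & ((1 << host_bits) - 1)
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_part": host_part,
        "usable_hosts": net.num_addresses - 2,
    }


def same_network(a: str, b: str, prefixlen: int) -> bool:
    """True when two addresses fall in the same network under /prefixlen.

    This is the decision a host makes before sending: a peer on the same
    network is reached directly at layer 2; anything else goes to the
    default gateway (router).
    """
    net_a = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefixlen}", strict=False)
    return net_a == net_b


if __name__ == "__main__":
    print(classful_network("10.0.0.1"))        # class A: /8 mask
    print(split_cidr("172.16.1.37/24"))        # network 172.16.1.0, host 37
    print(same_network("10.0.0.1", "10.0.1.5", 24))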

23
TCP/IP - 504
  • We currently use IPv4 which has 2^32 addresses
    (about 4 billion IP addresses); however we are
    running out. IPv6 has 2^128 addresses (4 billion
    x 4 billion (NOT 16 billion))
  • IPv6 also has a simplified format and additional
    features such as IPsec (talk about IPsec later)

24
TCP/UDP - 498
  • TCP/UDP handle the transport and session layers.
    They set up a communications channel between two
    programs talking over the network
  • Programs talk via ports which are numbers that
    generally define what program/services you want
    to talk to (talk about this in a couple slides)
  • More on TCP/UDP in the next slides

25
TCP - 502
  • Reliable connection-oriented protocol
  • Has a true connection
  • Starts with a 3-way handshake (SYN, SYN-ACK,
    ACK); talk about this

26
TCP - 499
  • Keeps state, and will guarantee delivery of data
    to the other side (or inform the application of the
    inability to send). Does this with sequence and
    acknowledgement numbers; these numbers also
    provide ordering to packets
  • Has some security due to the state of the
    connection
  • Nice to program with, but slower/more overhead
    because of the work done to guarantee delivery.

27
UDP - 499
  • Like a postcard, each packet is separate
  • No guarantee on delivery
  • Best effort
  • Fast, little overhead
  • No sequence numbers (ordering)
  • No acknowledgements
  • No connection
  • Security issues due to lack of a connection

28
Ports - 501
  • Both TCP and UDP use ports as the end points of
    conversations. Ports for services that are
    defined and static are called well-known ports;
    some well-known ports are
  • Telnet: TCP/23
  • Email (SMTP): TCP/25
  • Email (POP): TCP/110
  • Email (IMAP): TCP/143
  • Web (HTTP): TCP/80
  • Web (HTTPS): TCP/443
  • DNS: TCP and UDP 53
  • FTP: TCP/21, 20

29
Random Networking Terms - 507
  • Latency
  • Bandwidth
  • Synchronous: synchronized via a time source
  • Asynchronous: not timed
  • Baseband: uses the entire medium for
    communication
  • Broadband: splits the medium into multiple
    channels for multiple simultaneous communications

30
Random Networking Terms
  • Unicast (524)
  • Multicast (524)
  • Broadcast (524)

31
Network Topologies (509)
  • Ring
  • Bus
  • Star
  • Mesh
  • Talk about each of these
  • Perhaps memorize chart at bottom of 511

32
Ethernet - 513
  • Most common form of LAN networking, has the
    following characteristics
  • Shared media (only one person talks at a time, at
    least without a switch)
  • Broadcast and collision domains
  • CSMA/CD
  • Supports full duplex with a switch
  • Defined by IEEE 802.3

33
Ethernet media types - 514
  • 10Base2
  • Thin net, coaxial cable (like TV cable, but
    different electrically)
  • Max length about 200 meters
  • 10 Mbps
  • Requires a BNC connector
  • BUS/Shared medium (security problems?)
  • obsolete
  • (more)

34
Ethernet Media Types - 514
  • 10base5
  • Thick net, thicker coax
  • Max length about 500 meters
  • 10 Mbps
  • Uses vampire taps
  • More resistant to electrical interference
  • BUS/shared medium
  • Used to be used as backbone
  • Obsolete
  • (more)

35
Ethernet Media Types - 514
  • 10BaseT
  • Length about 100 Meters
  • 10 Mbps
  • Twisted pair (like phone wire) (CAT 3)
  • Uses RJ-45 connector
  • Used in star topology
  • Susceptible to interference
  • Mostly obsolete
  • (more)

36
Ethernet Media Types - 514
  • 100BaseTX
  • Length about 100 Meters
  • 100 Mbps
  • Twisted pair (like phone wire) (CAT 5, 6)
  • Uses RJ-45 connector
  • Used in star topology
  • Susceptible to interference
  • (more)

37
Ethernet Media Types - 514
  • 1000BaseT
  • Length about 100 Meters
  • 1000 Mbps
  • Twisted pair (like phone wire) (CAT 5e,6)
  • Uses RJ-45 connector
  • Used in star topology
  • Susceptible to interference

38
Token Ring (516)
  • Briefly describe token ring
  • Ring topology, though using a HUB
  • HUB = Multistation Access Unit (MAU)
  • Token passing for control of network
  • Beaconing for failure detection
  • Pretty much not used except legacy networks

39
FDDI - 517
  • Similar to token ring but uses fiber.
  • High Speed
  • Used to be used as backbone networks
  • 2 rings to create a wrap if one goes down

40
Cabling - 519
  • Coaxial: copper core surrounded by a shielding
    layer and a grounding wire.
  • More resistant to EMI than UTP
  • Not used much anymore
  • Can be baseband (one channel, Ethernet) or
    broadband (multiple channels, cable TV)

41
Twisted Pair - 520
  • Like phone wire, but more wires.
  • RJ-45 connector
  • Two main types UTP, and STP
  • STP is shielded and better if you have EMI issues
  • UTP is unshielded and susceptible to EMI and
    crosstalk
  • UTP also gives off signals which could be picked
    up if you have sufficient technology (TEMPEST
    stuff)
  • Least secure vs. coax and fiber
  • Chart on 521 (for your own study)

42
Fiber - 522
  • Glass tubes
  • High speed, long haul
  • NOT affected by EMI, doesn't lose signal either
    (attenuation)
  • Does NOT radiate energy, better security
  • Expensive
  • Difficult to work with
  • Used in backbones

43
Media Access Technologies (526)
  • Token Passing
  • CSMA/CD: waits for clear, then starts talking,
    detects collisions
  • CSMA/CA: signals intent to talk
  • Collision Domain: where collisions can occur
    (i.e. two people try to talk at the same time)
    (how do we make the collision domain smaller?)
  • What is a security impact of collision domains?
    Sniffing, DoS

44
LAN Protocols - 529
  • ARP: network adapters have 2 addresses, an IP
    address and a MAC address. (What is each used
    for? How do they relate? Which layer does each
    exist on?)
  • ARP is the glue for relating the IP and the MAC
    addresses
  • Attacks
  • ARP table poisoning: what is this, how does it
    happen, what would it do?
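
As an added defensive example that is not part of the slides, the Python script below shows what ARP table poisoning looks like from a network monitor's point of view rather than the attacker's: it tracks the IP-to-MAC bindings announced in ARP replies and raises an alert when a known binding, such as the default gateway's, suddenly moves to another MAC, or when one MAC ends up claiming several IPs. The capture and all MAC addresses are constructed, and the 10.0.0.0/8 network with gateway 10.0.0.1 is an assumption made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: who claims to own which IP (constructed records)."""
    ts: int           # seconds since capture start
    sender_ip: str
    sender_mac: str


@dataclass
class ArpWatch:
    """Passive IP-to-MAC binding monitor (arpwatch-style, a defensive check).

    ARP is the glue between IP and MAC addresses and has no authentication,
    so a host's cache believes whatever reply it hears. Cache poisoning
    shows up on the wire as a known IP suddenly answering from a different
    MAC. Seeding the table with the gateway's real MAC makes a flip of that
    binding, the highest-value target, detectable from the first bad reply.
    """
    bindings: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, r: ArpReply) -> str:
        mac = r.sender_mac.lower()
        known = self.bindings.get(r.sender_ip)
        if known is None:
            self.bindings[r.sender_ip] = mac
            return "new"
        if known == mac:
            return "ok"
        # Binding changed: either a legitimate NIC swap/DHCP churn or poisoning.
        self.alerts.append(
            f"t={r.ts}s {r.sender_ip} moved from {known} to {mac}")
        self.bindings[r.sender_ip] = mac
        return "flip"

    def duplicate_macs(self) -> Dict[str, List[str]]:
        """MACs currently bound to more than one IP (one NIC 'being' many hosts)."""
        by_mac: Dict[str, List[str]] = {}
        for ip, mac in self.bindings.items():
            by_mac.setdefault(mac, []).append(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


# Constructed sample capture. The gateway 10.0.0.1 is pre-seeded with its
# real MAC; the last two replies claim it and a workstation from one new MAC.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
SAMPLE_REPLIES = [
    ArpReply(0,  "10.0.0.1",  "00:11:22:33:44:01"),
    ArpReply(3,  "10.0.0.20", "00:11:22:33:44:20"),
    ArpReply(5,  "10.0.0.21", "00:11:22:33:44:21"),
    ArpReply(40, "10.0.0.1",  "02:de:ad:be:ef:99"),
    ArpReply(41, "10.0.0.20", "02:de:ad:be:ef:99"),
]


def run_watch(replies=SAMPLE_REPLIES):
    """Feed the capture through the monitor; return verdicts, alerts, duplicates."""
    watch = ArpWatch(bindings={GATEWAY_IP: GATEWAY_MAC})
    verdicts = [watch.observe(r) for r in replies]
    return verdicts, watch.alerts, watch.duplicate_macs()


if __name__ == "__main__":
    verdicts, alerts, dups = run_watch()
    print(verdicts)
    for a in alerts:
        print("ALERT", a)
    print("MACs claiming several IPs:", dups)
```

A static entry for the gateway on each host, or port security/dynamic ARP inspection on the switch, stops the flip from taking effect; the monitor above only tells you it happened.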

45
DHCP - 530
  • DHCP: what is it, what is it used for?
  • Precursors
  • RARP: what did it do?
  • BOOTP: what did it do?

46
ICMP - 531
  • ICMP: IP helper
  • Echo request/reply
  • Destination unreachable
  • Source quench
  • Redirect
  • Trace route
  • Security problems? Anyone?
  • LOKI: sending data in ICMP messages (stealthy!)

47
Basic Networking Devices (536)
  • There are different types of networking devices
    that exist; we will look at
  • Repeaters
  • Hubs
  • Bridges
  • Switches
  • Routers

48
Repeaters - 536
  • Layer 1 device
  • No intelligence
  • Simply repeats an electrical signal from an
    input to an output.
  • Used to increase range (ex. Put a repeater 200
    meters down a 10Base2 run to double the length)

49
Hub
  • Multiport repeater
  • The initial way to connect computers together in a
    STAR configuration, using twisted pair wiring
  • Layer 1 device
  • No intelligence
  • Just repeats a signal down ALL the wires

50
Bridge (537)
  • Layer 2 device, splits a LAN into 2 segments.
  • A bridge builds a table of the layer 2 (MAC)
    addresses on each side of the bridge and only
    forwards communication if communication is
    between MAC addresses on each side of the bridge
  • Reduces collision domain by ½
  • Does not affect broadcast domain (doesn't affect
    broadcast storms)
  • Recreates the signal
  • Can combine two network types into one LAN (i.e.
    translate between LAN types)
  • Uses Spanning Tree algorithm to detect loops.

51
Switch - 541
  • Multi-port bridge (all the bridge attributes hold
    true)
  • Modern form of connecting computers together on a
    LAN
  • Allows full duplex communication (what do I mean
    by this?)
  • Each link is a separate collision domain
  • Does not alter broadcast domains
  • Can be used to create VLANS (talk about in a few
    slides)

52
VLANs - 544
  • Virtual LAN
  • What is it
  • Why would it be used?
  • Do you still have to route between VLANs?
  • Two different VLAN protocols
  • 802.1Q, or Cisco ISL for trunking between
    switches
  • see picture on next slide

53
VLAN - 544

54
Routers - 539
  • Work on layer 3 (Network layer)
  • Uses IP addresses to best route between networks;
    is NOT used to create a LAN. You must use hubs or
    switches to create a LAN; routers go between
    LANs/networks to allow communications between
    different LANs/networks.
  • Routers do NOT care about layer 2 (MAC addresses)
  • When would you use a router, when would you use a
    switch?
  • Routers can perform firewall functionality.
  • Does not forward on broadcasts!

55
Routers vs. Switches - 540
  • You should understand the difference between a
    router and a switch. Also memorize the table at
    the bottom of 540.
  • Now we need to talk about some routing protocols

56
Routing Protocols (532)
  • Routing is the dynamic updating and sharing of
    routes to networks with other routers in your
    company and throughout the Internet. You can set up
    routes either
  • Statically
  • Dynamically
  • (discuss pros/cons of each, not too in-depth)

57
Routing Protocols (532)
  • Some dynamic routing protocols use the concept of
    an AS (Autonomous System), which groups a bunch
    of networks together for an organization, and
    only advertise the networks that can be reached
    in the AS, not the details of the individual
    networks inside. These are generally called
    Exterior Routing Protocols and are used to
    connect different organizations together
  • Other routing protocols try to advertise and
    track each individual network separately. These
    are generally called Interior Routing Protocols
    and are for use within an organization
  • A company can run IGP and EGPs at the same time,
    how?

58
Dynamic Routing Protocols (533)
  • Distance vector
  • Builds a TABLE of all routes and a distance to
    get to them along with the next hop router
  • Susceptible to route-flapping
  • Long convergence times
  • Examples
  • RIP
  • IGRP

59
Dynamic routing protocols (533)
  • Link State
  • Actually builds a graph/map of all networks and
    the ways to reach them, so the router can see
    the entire topology
  • Has quick convergence times
  • Can take link speeds and other factors into
    consideration
  • Slow to build initially
  • Requires a lot of resources
  • Examples
  • OSPF

60
Specific Routing Protocols (534)
  • RIP
  • DV algorithm used only in small networks, sends
    entire route table every 30 seconds.
  • Max number of hops to a network: 16
  • Slow convergence
  • Only cares about hops, not network speed or
    reliability etc.
  • Original RIP could only use Classful routing,
    v2 allows classless (CIDR) routing

61
Specific Routing Protocols (534)
  • IGRP: DV protocol designed to solve problems
    with RIP.
  • Examines bandwidth and delay
  • Converges faster than RIP
  • No max hop limit
  • New version is EIGRP (enhanced IGRP)

62
OSPF (534)
  • Open Shortest Path First: Link State protocol
    developed as a replacement for RIP.
  • Supports Autonomous systems
  • Builds a graph rather than a table
  • Fast convergence
  • Slow to start
  • Requires high resources to build and maintain
    map.
  • Only sends link changes to other routers.

63
BGP (535)
  • BGP is an exterior routing protocol
  • Uses AS
  • Used by ISPs and large companies as their
    Internet Routing protocol. (to connect to the
    internet)

64
Advanced Networking Devices
  • These are devices that are beyond the basic
    fundamental networking devices, they generally
    provide some specific advanced functionality.
  • Let the slides begin!

65
Gateway - 545
  • Generic term for something that connects two
    separate things together (can be at any level).
  • Default gateway: router to get you off your
    network
  • Application gateways work at the application
    level and help translate between two different
    applications. (Ex. Windows and Unix file sharing)
  • Email gateway: translates between different email
    types. (Exchange and SMTP)

66
PBX 547
  • Private Branch Exchange: phone system
  • Old systems: analog
  • New systems: digital and VoIP
  • Crackers that hack phone systems used to be called
    phreakers
  • Free calls (long distance)
  • Masquerade as other people/hide calls
  • Often this goes unnoticed as companies often do
    not audit their phone bills closely

67
Firewalls - 548
  • Enforce network policy.
  • Generally firewalls are put on the perimeter of a
    network and allow or deny traffic based on
    company or network policy.
  • MUST have IP forwarding turned off
  • Firewalls are often used to create a DMZ.
  • Generally are dual/multi homed (What do I mean
    by this?)
  • 5 types of firewalls (more in depth about each
    next slides)
  • Packet filtering
  • Stateful
  • Proxy
  • Dynamic packet filtering
  • Kernel Proxy

68
Packet filter
  • Uses Access control lists (ACLs), which are rules
    that a firewall applies to each packet it
    receives.
  • Not stateful, just looks at the network and
    transport layer packets (IP addresses, ports, and
    flags)
  • Does not look into the application, cannot block
    viruses etc.
  • Generally do not support anything advanced or
    custom

69
Stateful firewall
  • Like packet filtering, however the router keeps
    track of a connection. It knows which
    conversations are active, who is involved etc.
  • It allows return traffic to come back where a
    packet filter would have to have a specific rule
    to define returned traffic
  • Keeps a state table which lists the state of the
    conversations.
  • More complex, and a DoS can be launched against it by
    trying to fill up all the entries in the state
    table/use up memory.
  • If rebooted, can disrupt conversations that had
    been occurring.

70
Dynamic packet filtering
  • Like a stateful firewall but more advanced. Can
    actually rewrite rules dynamically.
  • Some protocols such as FTP have complex
    communications that require multiple ports and
    protocols for a specific application; packet and
    stateful filters cannot handle these easily,
    however dynamic packet filters can, as they can
    create rules on the fly as needed.

71
Proxy firewall 552
  • Works as a middleman
  • Works only with the applications it understands.
  • Inspects the data that is being passed to look for
    dangerous data (like viruses) or incorrect usage of
    a protocol.
  • Also rewrites the address so the external hosts
    only see the proxy. (stops direct access between
    two computers, hides the internal network
    structure) why is this good?
  • (more)

72
Proxy firewall - 552
  • Looks at data at all levels (though usually
    concentrates on the application layer)
  • Can provide very specific security tailored to
    specific protocols and vulnerabilities
  • Hides internal network
  • Slow
  • Can be a bottleneck
  • Breaks the traditional client/server application
    model which can cause issues on some
    applications. Can make troubleshooting harder
  • (more)

73
Proxy firewalls - 552
  • Two types of proxies
  • Circuit level
  • Application
  • Talk about each of these on next slides

74
Application level proxies - 552
  • Proxies only specific applications (ex. HTTP,
    SMTP)
  • These can strongly protect and be aware of
    specific vulnerabilities and protocol violations,
    or dangerous data
  • Can have logging or authentication features
  • Only work with the protocols that they
    specifically understand

75
Circuit Level proxies - 554
  • Works at a lower level (transport/session level)
    to generically be a middle man between two
    computers.
  • Generally works with all network protocols, as
    it doesn't understand the actual applications
    involved
  • Cannot protect against violations in the
    protocol or bad data being passed around; main
    purpose is to hide internal network and stop
    direct communications between external machines
    and internal machines.
  • Examples: SOCKS, NAT, PNAT

76
NAT (577)
  • Network address translation
  • A type of generic network proxy
  • Hides internal networks by rewriting internal
    addresses
  • Allows you to use private network addresses and
    still have internet connectivity
  • Protects internal machines from being accessed.
  • Requires a pool of IP addresses to use. (mapping
    is 1-to-1)
  • (example next page)

77
NAT (577)

78
NAT (577)
  • Example: 10.0.0.1 wants to talk to 175.56.28.03
  • SRC 10.0.0.1
  • DEST 175.56.28.03
  • Router at 215.37.32.203 intercepts request and
    changes SRC to be 175.56.28.03
  • SRC 215.37.32.203
  • DEST 175.56.28.03
  • Destination sends response
  • SRC 175.56.28.03
  • DEST 215.37.32.203
  • Router accepts packet, rewrites
  • SRC 175.56.28.03
  • DEST 10.0.0.1
  • Sends packet to original requestor (10.0.0.1)

79
NAT (577)
  • See handout for normal IP traffic and NAT traffic

80
PNAT (577)
  • Similar to NAT but only requires a single IP
    address; rather than map IPs one to one, we
    actually remap port numbers.
  • Much more commonly used than NAT, a bit more
    secure, as only established connections can
    respond back to the sender, whereas in normal NAT
    once a machine is using a temporary IP, the
    outside world can establish connections back to
    the originating computer.
  • Example next 2 slides

81
PNAT (577)

82
PNAT (577)
  • Client computer creates packet
  • SRC 10.0.0.1 TCP/10000
  • DEST 130.85.1.3 TCP/80
  • Router rewrites the SRC portion to be
  • SRC 208.254.31.1 TCP/1026
  • Makes an entry in the PNAT table
  • End server accepts packet
  • End server creates return packet
  • SRC 130.85.1.3 TCP/80
  • DEST 208.254.31.1 TCP/1026
  • Router receives packet, rewrites destination to
    be
  • DEST 10.0.0.1 TCP/10000
  • Client receives the return packet
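
The exchange on slide 82, together with the NAT-vs-PNAT security point from slide 80, as an added Python simulation that is not part of the slides. The PNAT router rewrites the client's source to its single public address and a translated port (starting at 1026, as on slide 82), records the flow in its table, and on the way back forwards only packets that match a recorded flow and come from the peer the inside host actually contacted. A 1-to-1 NAT router with no state is included for contrast: there a packet addressed to the borrowed public IP reaches the inside host whether or not it asked for anything. The addresses 10.0.0.1, 130.85.1.3, 208.254.31.1 and 215.37.32.203 come from the slides; the outside probe source 198.51.100.7 is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (proto, inside ip, inside port, remote ip, remote port)
Flow = Tuple[str, str, int, str, int]


@dataclass
class PnatRouter:
    """Port NAT: many inside hosts share one public IP (slides 80-82)."""
    public_ip: str
    next_port: int = 1026                       # first translated port, as on slide 82
    by_flow: Dict[Flow, int] = field(default_factory=dict)
    table: Dict[Tuple[str, int], Flow] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite SRC to public_ip:port and record the flow."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:                        # new conversation: allocate a port
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.table[(pkt.proto, port)] = flow
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: only packets matching a recorded flow get through.

        Returns the rewritten packet, or None when it is dropped because
        there is no table entry for the port or the sender is not the peer
        the inside host contacted. This is the 'a bit more secure' of slide 80.
        """
        flow = self.table.get((pkt.proto, pkt.dst_port))
        if flow is None:
            return None
        _, in_ip, in_port, peer_ip, peer_port = flow
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)


@dataclass
class StaticNatRouter:
    """1-to-1 NAT (slides 76-78): each inside host borrows a whole public IP."""
    mapping: Dict[str, str]                     # inside ip -> public ip

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.proto, self.mapping[pkt.src_ip], pkt.src_port,
                      pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # No state: anything addressed to a mapped public IP is forwarded,
        # so the outside world can open connections to the inside host.
        for inside, public in self.mapping.items():
            if public == pkt.dst_ip:
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside, pkt.dst_port)
        return None


def pnat_walkthrough():
    """Slide 82's exchange plus an unsolicited probe (probe source constructed)."""
    r = PnatRouter(public_ip="208.254.31.1")
    client = Packet("TCP", "10.0.0.1", 10000, "130.85.1.3", 80)
    out = r.outbound(client)                    # SRC becomes 208.254.31.1 TCP/1026
    reply = Packet("TCP", "130.85.1.3", 80, out.src_ip, out.src_port)
    back = r.inbound(reply)                     # DEST becomes 10.0.0.1 TCP/10000
    probe = Packet("TCP", "198.51.100.7", 4444, "208.254.31.1", 1026)
    return out, back, r.inbound(probe)          # probe -> None (dropped)


def nat_walkthrough():
    """The same kind of probe against 1-to-1 NAT: it reaches the inside host."""
    r = StaticNatRouter(mapping={"10.0.0.1": "215.37.32.203"})
    probe = Packet("TCP", "198.51.100.7", 4444, "215.37.32.203", 22)
    return r.inbound(probe)


if __name__ == "__main__":
    print(pnat_walkthrough())
    print(nat_walkthrough())
```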

83
Basic Firewall best practices (563)
  • Block ICMP redirects
  • Keep ACLs simple
  • Implicit deny: what is this?
  • Disallow source routed packets: explain
  • Only keep open necessary ports/services
  • Block directed IP broadcasts
  • Block packets where the addresses seem spoofed
    (how can you tell?)
  • Enable logging
  • Drop fragments, or re-assemble fragments. Anyone
    know why?
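
To make the packet-filter vs. stateful distinction from slides 68-69 and the spoof check and implicit deny on this slide concrete, here is an added Python model that is not part of the slides. Both firewalls share one small ACL that permits inside hosts to open web connections; the stateless filter cannot admit the server's reply without a rule for it, while the stateful one admits it from its state table. Both drop a packet arriving on the outside interface with an inside source address (that is how you can tell it is spoofed), and the stateful version caps its state table, which is the defence against the table-exhaustion DoS mentioned on slide 69. The inside network 10.0.0.0/8, the interface names and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed layout: the inside network sits behind the firewall's "inside"
# interface; everything arriving on "outside" comes from the Internet.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet ARRIVED on: "inside" or "outside"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag: start of a new connection


@dataclass(frozen=True)
class Rule:
    iface: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "permit" or "drop"


# ACL: inside hosts may open web connections; nothing else is listed, so
# everything unlisted falls through to the implicit deny at the end.
RULES = [Rule("inside", 80, "permit"), Rule("inside", 443, "permit")]


def looks_spoofed(pkt: Packet) -> bool:
    """Slide 83's 'how can you tell?': an inside address cannot legitimately
    arrive on the outside interface, so such a source is spoofed."""
    return pkt.iface == "outside" and ipaddress.ip_address(pkt.src_ip) in INSIDE_NET


class PacketFilter:
    """Stateless packet filter (slide 68): each packet is judged on its own."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        if looks_spoofed(pkt):
            return "drop (spoofed source)"
        for r in self.rules:
            if r.iface == pkt.iface and r.dst_port in (None, pkt.dst_port):
                return r.action
        return "drop (implicit deny)"


class StatefulFirewall(PacketFilter):
    """Stateful firewall (slide 69): the same ACL plus a state table, so
    replies to permitted outbound connections need no rule of their own.
    The table is capped because filling it is the DoS the slide warns of."""

    def __init__(self, rules: List[Rule], max_entries: int = 1000):
        super().__init__(rules)
        self.state: Set[Tuple[str, int, str, int]] = set()
        self.max_entries = max_entries

    def decide(self, pkt: Packet) -> str:
        if looks_spoofed(pkt):
            return "drop (spoofed source)"
        # Is this the reverse direction of a conversation we already allowed?
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.iface == "outside" and reverse in self.state:
            return "permit (established)"
        verdict = super().decide(pkt)
        if verdict == "permit" and pkt.iface == "inside" and pkt.syn:
            if len(self.state) >= self.max_entries:
                return "drop (state table full)"
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return verdict


# Constructed traffic: a web request, its reply, an unsolicited connection
# attempt from outside, and a packet with a forged inside source address.
SAMPLE = [
    Packet("inside",  "10.0.0.1",   50000, "130.85.1.3", 80, syn=True),
    Packet("outside", "130.85.1.3", 80,    "10.0.0.1",   50000),
    Packet("outside", "130.85.1.3", 80,    "10.0.0.1",   50001, syn=True),
    Packet("outside", "10.0.0.5",   1234,  "10.0.0.1",   50000),
]


def run(fw: PacketFilter, packets=SAMPLE) -> List[str]:
    """Verdict per packet, in order, for the given firewall."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("packet filter:", run(PacketFilter(RULES)))
    print("stateful     :", run(StatefulFirewall(RULES)))
```

Note the order of checks in the stateful firewall: the anti-spoof test runs before the state lookup, so a forged inside source can never ride in on an existing entry.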

84
Firewall issues
  • Potential bottleneck
  • Can restrict valid access
  • Often mis-configured (not the firewall's fault)
  • Except for certain types (application proxies),
    generally don't filter out malevolent data (viruses
    etc.)
  • Don't protect against inside attacks!

85
Firewall architecture - 560
  • Now that we understand firewalls, how do we lay
    them out

86
DMZ

87
DMZ - 560
  • A zone between the Internet and your company's
    internal network where you put your Internet
    accessible servers. A DMZ usually has
  • A firewall between it and the Internet that
    blocks access except to Internet accessible
    services.
  • A firewall between it and the internal company
    network, usually a much more locked down
    firewall that doesn't allow any access into the
    company

88
Bastion Host (560)
  • Bastion Host: a server that is highly locked
    down (hardened). Usually put in a DMZ. These
    machines can be directly accessed by the Internet
    (though usually through one layer of firewall) so
    they are hardened (what do I mean by that?)

89
Dual Homed Firewall
  • Pretty much any firewall; dual homed means there
    are two network interfaces, one on the Internet,
    one on the internal network
  • Multi-homed just means 2 or more interfaces.
    Multi-homed firewalls may be used to set up a DMZ
    with a single firewall. (see next slide)
  • On any dual/multi-homed machine, IP forwarding
    should be disabled.

90
Multi-homed firewall

91
Screened Subnet - 561
  • A type of DMZ, where there is a middle network
    where Internet services reside before the
    internal network (see next slide). In a screened
    subnet, there is usually a router performing
    packet filtering before the first firewall

92
Screened Subnet

93
Multiple interface firewalls - 560
  • You may have a firewall that protects internal
    networks from each other!

94
End of firewalls

95
Other Technological security concepts (566)
  • Honey pot: a machine left open for attackers to
    try to hack. Why?
  • Honey net: same concept, but an entire network;
    again, why?
  • What is the difference between entrapment and
    enticement?

96
NOS (568)
  • NOS is just a term you should understand, a
    Network Operating System. All modern OSes are
    NOSes. This just means they manage more than just
    the local computer; they usually provide or use
    network services in a client-server architecture.
    Some features a NOS provides are on the following
    slide

97
NOS (568)
  • NOS features
  • Directory services
  • Remote access
  • Clustering (sometimes)
  • Authentication, authorization, Access Control,
    Auditing
  • File and printer sharing
  • User management
  • Redirector services: what is this?

98
DNS - 569
  • Network software uses IP addresses, however these
    are difficult for users to remember (especially
    in IPv6). So DNS is used to help map names that
    we use such as www.paladingrp.com to addresses
    that computers use like 63.251.179.13
  • (more)

99
DNS - 569
  • DNS uses a hierarchical model, starting with the
    root "." and then the top level domains (com, edu,
    org, etc.). Sub domains are broken out into zones,
    and organizations can be assigned authority for
    their own zones and run their own DNS servers to
    provide DNS lookups for their own zone.
  • A name server that is authoritative for a zone
    is called an authoritative name server. For
    example, paladingrp.com is authoritative for
    its own DNS and has its own group of name
    servers that provide DNS resolution to the rest
    of the Internet for names ending in
    paladingrp.com
  • Name servers can be primary or secondary and
    perform zone transfers to each other
  • See next slide for example DNS hierarchy

100
DNS (also example on 571)

101
DNS
  • Common top level domains are
  • .COM
  • .EDU
  • .MIL
  • .GOV
  • .ORG
  • .NET
  • You should be aware of these above

102
DNS cache poisoning - 572
  • Besides authoritative name servers, organizations
    also have caching name servers that simply do
    DNS resolution on behalf of clients.
  • One common attack is DNS cache poisoning;
    describe how that works and the purpose of it.

103
DNSSEC
  • DNSSEC tries to ensure integrity of DNS queries
    by signing them. This will defeat cache
    poisoning.
  • Authoritative DNS servers should NOT also provide
    the caching service.

104
NIS - 573
  • Network Information System (NIS), originally
    called YP (Yellow Pages). Provides shared network
    information (ex. user accounts, hosts entries) for
    many computers in a domain (NOT a DNS domain or
    Windows domain) using RPC
  • ypserv
  • ypbind
  • Files are sent clear text! Bad. Why?

105
NIS+ (574)
  • Improved upon NIS performance (hierarchical rather
    than flat namespace)
  • Incremental updates
  • Improved upon NIS security concerns (secure
    RPC, provides authentication, authorization and
    encryption)

106
Intranet, Extranet - 579
  • Intranet: internal IP network, though often used
    to define a set of resources made available
    through a web interface for INTERNAL use
  • Extranet: a set of network resources (usually
    web based) for two companies to collaborate or
    share resources; may or may not make use of VPNs

107
LAN, WAN, MAN - 581
  • LAN: local area network
  • High speed
  • Small physical area
  • WAN: wide area network
  • Used to connect LANs
  • Generally slow, using serial links
  • MAN: metropolitan area network
  • Connects sites together within a medium range area
    (like a city)

108
Types of links for WANs and MANS
  • Dedicated/leased/point to point: a link that is
    pre-established and used ONLY for communications
    between 2 locations; it is DEDICATED (see next
    slide) to their use
  • Expensive, cost per distance
  • Types
  • T1 - about 1.5 Mbps
  • T3 - about 45 Mbps
  • Fractional T: some fraction of a T1/T3
  • T1s are time division multiplexed (what does this
    mean?)
  • T1s are annoying, because the local loop
    portion often fails
  • T1/T3 can also be used in shared/frame relay

109
Dedicated
110
Frame Relay - 592
  • Data link (layer 2) protocol
  • Not a point-to-point connection, but a connection
    into a carrier cloud (see next slide)
  • CIR: committed information rate, the bandwidth the
    carrier guarantees; bursts above it may be dropped
  • Uses virtual circuits (PVC: permanent virtual
    circuit)
  • Uses DLCIs (data link connection identifiers) to
    label each virtual circuit on the access link
  • Still uses T1/T3, but rather than going all the
    way, they just go to the nearest carrier's frame
    relay cloud POP (point of presence)

111
Frame relay / cloud
112
WAN terms
113
Multiplexing
  • Time Division: each channel gets a fixed time slot
  • Frequency Division: each channel gets its own
    frequency band
  • Wavelength Division: each channel gets its own
    wavelength of light on one fiber
  • CDMA: code division, everyone transmits at once on
    the same band and is separated by spreading codes
    (like people speaking different languages in one
    room / mathematical multiplexing)

114
CSU/DSU - 589
  • Channel Service Unit / Data Service Unit:
    effectively the modem for serial lines. It
    terminates the T1/T3 from the carrier and presents
    a serial interface to the router.

115
Circuit vs. Packet Switching - 590
  • Packet-based networking vs. circuit-based
  • Packets are small, quick to send
  • Routes vary
  • Route is determined hop by hop as each packet
    transits the network, not before sending
  • Can arrive via different routes, in a different
    order than sent
  • Can introduce variable delays as packets traverse
    the network, whereas with circuit switching the
    delay is before data is sent (circuit setup)
  • Circuit switching: connection oriented, dedicated
    resources and circuit
  • Circuit switching has fixed delays.

116
ATM - 594
  • A type of cell-based switching used to emulate
    circuit switching
  • Used by telcos
  • Fixed 53-byte cells (5-byte header, 48-byte
    payload)
  • Sets up a virtual circuit
  • Guarantees resources once a circuit is set up
  • Guarantees QoS

117
QoS - 595
  • What is QoS, why is it needed? (prioritizing and
    guaranteeing bandwidth, delay and jitter per traffic
    class, because latency-sensitive traffic such as
    voice and video cannot tolerate the best-effort
    delivery of ordinary IP)

118
VoIP - 598
  • What is VoIP? (voice carried as packets over an IP
    network instead of over dedicated circuits)
  • What are some concerns with VoIP?
  • Technical
  • Latency, jitter, dropped packets: QoS
  • Security
  • Eavesdropping (unencrypted media can be captured
    and played back as audio)
  • Caller ID spoofing and vishing
  • Toll fraud (attackers placing long distance calls
    through your call server)
  • What is SIP? (Session Initiation Protocol, the
    signaling protocol that sets up, modifies and tears
    down calls; the voice itself travels in RTP)
  • What is a call processor?
  • Sets up calls, terminates calls.
  • (more)

119
VoIP
  • What is a voicemail server?
  • What is convergence? (voice and data on the same
    IP network, so an attack on the data network now
    also takes down the phones)
  • VoIP and VLANs/priority? (put the phones on their
    own VLAN and give that VLAN QoS priority)
  • What is an H.323 gateway? (connects the VoIP
    network to the PSTN or to older H.323 equipment)

120
Remote Access
121
Remote Access - 603
  • Home users/remote users need a way to access work
    (though some high security places dont allow
    offsite work)
  • Dial Up
  • ISDN
  • DSL
  • Cable Modems

122
Dial up - 603
  • Advantages
  • Reduce networking costs (use internet) as opposed
    to dedicated connections
  • Allows work from home
  • Streamlines access to information
  • Provides a competitive advantage
  • (more)

123
Dial Up - 603
  • Disadvantages
  • Back door into networks (bypasses the firewall)
  • Often forgotten about
  • Slow
  • Attacks
  • War dialing (scanning blocks of phone numbers for
    answering modems)
  • Defenses
  • Dial back / callback to a pre-registered number
  • Caller ID restrictions
  • Use authentication
  • Answer after 4 or more rings (why? war dialers
    time out quickly and move on to the next number)

124
ISDN - 604
  • Uses the same copper as phone lines; dial directly
    into the company
  • BRI
  • 2 B channels (64 Kbit/s each, 128 Kbit/s combined)
  • 1 D channel (16 Kbit/s control channel), out of
    band
  • PRI
  • 23 B channels (North America, carried on a T1)
  • 1 D channel
  • Not for personal use

125
DSL - 606
  • MUCH faster than ISDN (6-30 times faster)
  • Must live very close to the DSL equipment (a few
    miles)
  • Symmetric and asymmetric variants
  • Always on (security concerns: the host is exposed
    24x7 with a stable address)
  • Doesn't connect directly to the company; use a VPN

126
Cable Modem - 606
  • High speed access, up to 50 Mbps, via cable TV
    lines.
  • Shared bandwidth (neighbors share the segment)
  • Always on (security concerns)
  • Doesn't connect directly to the company; requires
    a VPN

127
VPNs - 608
  • Securely connect to the company's network / extend
    the company network over a public one
  • Private, usually encrypted connection
  • Usually uses tunneling
  • Can be host-to-gateway (remote access) or
    gateway-to-gateway (site-to-site)
  • Can assign internal IP addresses to the remote
    host
  • Can hide the actual internal IP addresses (they
    travel encrypted inside the tunnel)
  • Protocols
  • PPTP
  • L2TP
  • IPsec
  • (more)

128
Tunnels - 609
  • Tunnel: a virtual path across a network that
    encapsulates network packets within OTHER IP
    packets
  • Can be used to tunnel non-IP protocols (like IPX,
    NetBEUI)
  • Can encrypt the encapsulated packets for extra
    security.

129
PPTP - 612
  • Microsoft
  • User gets a connection to an ISP
  • Sets up a PPTP connection to a server at the
    company
  • Sets up a tunnel (GRE) carrying PPP frames
  • Generally encrypts traffic (MPPE, which is RC4)
  • Only works over IP networks
  • Designed for use in software
  • Its authentication (MS-CHAPv2) and MPPE keying are
    considered broken today; do not rely on PPTP for
    confidentiality

130
L2TP - 613
  • Same general functionality as PPTP but works over
    other types of networks (non-IP) (e.g. frame relay,
    X.25, ATM)
  • Does not provide encryption or authentication!
    Ouch. Need to pair it with IPsec if you want those
    (L2TP/IPsec)
  • Supports TACACS and RADIUS; PPTP does not
  • Meant to be implemented in hardware
  • More of a carrier concept.

131
IPsec (749, chapter 8)
  • IPsec: a protocol suite providing a method for
    VPNs between two sites or between a host and a
    gateway
  • Mandatory in the original IPv6 specification
  • Extended for use with IPv4
  • Not a strict protocol; allows for extensibility
    with encryption and authentication algorithms
  • A framework
  • 2 main protocols: AH and ESP (next slide)
  • 2 modes: tunnel and transport (2 slides away)

132
IPSEC
  • AH: Authentication Header
  • Protocol number 51
  • Integrity, origin authentication and anti-replay
    only; no encryption. It also covers the IP header,
    which is why AH does not survive NAT
  • ESP: Encapsulating Security Payload
  • Protocol number 50
  • Encryption, plus optional integrity and
    authentication of the payload

133
Transport and Tunneling
  • Transport mode does not tunnel IP within IP. It
    only protects the transport layer and above; the
    original IP header stays in the clear
  • Tunnel mode encapsulates IP within IP: the entire
    original IP packet is placed inside a new outer IP
    packet addressed between the two gateways
  • See next slide

134
Transport vs. Tunnel
135
Example of transport
136
Example of Tunneling
137
IPSEC
  • Each device in IPsec will have at least 1
    security association for each VPN connection it
    uses. An SA is a set of parameters used for
    communication and includes
  • Authentication and encryption keys
  • Algorithms chosen
  • IP ranges (the traffic selectors)
  • SAs are unidirectional, so you usually have at
    least 2 for each tunnel that exists (one for
    sending, one for receiving)
  • An SPI (Security Parameter Index) in the AH/ESP
    header labels which SA a packet belongs to, so the
    receiver can look up the right keys
  • Uses IKE/ISAKMP on UDP port 500 (UDP 4500 when
    NAT traversal is in use) for key negotiation and
    SA setup
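The receive side of what the SA and SPI slide describes, as an added example (not from the slides or the textbook): a constructed IPv4+ESP packet is parsed, its SPI is used to look up the inbound SA, the source is checked against the SA's peer, and the ESP sequence number is run through the RFC 4303 sliding anti-replay window. No encryption is performed; the body is treated as opaque ciphertext, and the peer address, SPI values and key bytes are made up.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

ESP, AH = 50, 51   # IP protocol numbers from the slide

@dataclass
class SecurityAssociation:
    """One direction of one tunnel. Inbound SAs are looked up by (protocol, SPI)."""
    spi: int
    peer: str            # remote address allowed to use this SPI
    cipher: str          # illustrative only; this example does no encryption
    key: bytes
    window: int = 64     # anti-replay window width (RFC 4303 minimum is 32)
    highest_seq: int = 0
    seen: int = 0        # bitmap: bit k set means highest_seq - k was already received

    def check_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check. Records seq and returns True if it is fresh."""
        if seq == 0:
            return False                          # sequence number 0 is never valid
        if seq > self.highest_seq:                # advances the window
            shift = seq - self.highest_seq
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window:
            return False                          # too old: left of the window
        if (self.seen >> offset) & 1:
            return False                          # duplicate: a replayed packet
        self.seen |= 1 << offset
        return True

def build_esp_packet(src: str, dst: str, spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed IPv4 + ESP datagram (header fields only; body stands in for ciphertext)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(body), 0, 0, 64, ESP, 0, src_b, dst_b)
    return ip_hdr + struct.pack("!II", spi, seq) + body

def parse_ipv4_esp(pkt: bytes) -> Tuple[str, str, int, int, bytes]:
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto != ESP:
        raise ValueError(f"not ESP: protocol {proto}")
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])   # ESP header: SPI, then sequence number
    return src, dst, spi, seq, pkt[ihl + 8:]

SADB = Dict[Tuple[int, int], SecurityAssociation]

def make_sad() -> SADB:
    """Inbound half of one tunnel with a made-up peer. The outbound SA for the same tunnel
    has its own SPI (chosen by the peer) and is consulted on the send path, not here."""
    inbound_sa = SecurityAssociation(0x1000, "203.0.113.7", "aes-256-gcm", b"k" * 32)
    return {(ESP, inbound_sa.spi): inbound_sa}

def inbound(sad: SADB, pkt: bytes) -> str:
    """Inbound processing up to (not including) decryption: SA lookup by SPI, peer check, anti-replay."""
    src, _dst, spi, seq, _body = parse_ipv4_esp(pkt)
    sa = sad.get((ESP, spi))
    if sa is None:
        return f"drop: no SA for SPI 0x{spi:08x}"
    if sa.peer != src:
        return "drop: SPI belongs to a different peer"
    if not sa.check_replay(seq):
        return f"drop: replay or stale seq {seq}"
    return "accept"
```

Real stacks verify the ESP integrity check value before updating the replay window, so that an attacker cannot burn window slots with garbage; the order here is simplified to keep the window logic visible.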

138
Authentication Protocols - 614
  • PAP: Password Authentication Protocol, sends the
    password in clear text
  • CHAP: Challenge Handshake Authentication Protocol;
    the server sends a random challenge and the client
    answers with MD5(ID || secret || challenge), so the
    secret itself never crosses the wire
  • EAP: Extensible Authentication Protocol, a
    framework that carries other methods (EAP-TLS,
    PEAP, ...), not an authentication method itself
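Both sides of the CHAP exchange next to PAP, as an added example (not from the slides or the textbook). The response is computed exactly as RFC 1994 specifies; the user database, identifiers and secrets are made up. The returned wire bytes let you check what an eavesdropper on the link would see in each case.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side. CHAP needs the secret in recoverable form, so the DB holds it in the clear."""
    def __init__(self, secrets_db: Dict[str, bytes]):
        self.db = secrets_db
        self.outstanding: Dict[int, bytes] = {}   # identifier -> challenge currently in flight

    def challenge(self, identifier: int) -> bytes:
        c = secrets.token_bytes(16)               # fresh random challenge every time
        self.outstanding[identifier] = c
        return c

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        c = self.outstanding.pop(identifier, None)   # single use: a replayed response fails
        if c is None or name not in self.db:
            return False
        expected = chap_response(identifier, self.db[name], c)
        return hmac.compare_digest(expected, response)

def chap_exchange(auth: ChapAuthenticator, name: str, secret: bytes,
                  identifier: int = 1) -> Tuple[bool, bytes]:
    """Runs one CHAP round trip. Returns (authenticated, bytes that crossed the wire)."""
    challenge = auth.challenge(identifier)                     # server -> client
    response = chap_response(identifier, secret, challenge)    # client -> server
    on_wire = challenge + name.encode() + response
    return auth.verify(identifier, name, response), on_wire

def pap_exchange(db: Dict[str, bytes], name: str, password: bytes) -> Tuple[bool, bytes]:
    """PAP for comparison: the password itself is the wire message."""
    on_wire = name.encode() + b"\x00" + password
    return db.get(name) == password, on_wire
```

CHAP hides the secret from a passive listener, but whoever captures one challenge/response pair can run an offline dictionary attack against the unsalted MD5, and the server has to store every secret in the clear; that is why modern remote access wraps authentication in EAP-TLS or PEAP inside a TLS tunnel rather than relying on CHAP alone.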

139
Remote Access Best Practices
  • Always authenticate users
  • Use multi-factor authentication
  • Audit access
  • Answer modems after 4 rings (modems)
  • Use caller id (modems)
  • Use callback (modems)
  • use VPNs

140
Wireless
141
Wireless (619)
  • Wireless, very common now.
  • No wires
  • Easy to use
  • Shared medium (like Ethernet with hubs; what's
    wrong with this, from security and performance?
    everyone in radio range receives everyone's frames,
    and all stations compete for the same airtime)
  • Uses CSMA/CA

142
Spread Spectrum - 619
  • Spreads communication across the different
    frequencies available to the wireless device.
  • Frequency Hopping Spread Spectrum
  • Hops between frequencies (helps if other devices
    use the same frequencies) (doesn't use the entire
    bandwidth of frequencies at once)
  • Harder for eavesdroppers (if everybody didn't
    know the hop sequence, which they actually do)
  • Direct Sequence Spread Spectrum
  • Sends data across the entire bandwidth, using a
    chipping code along with the data so it appears as
    noise to other devices.

143
Wireless Components - 621
  • Access points are like wireless hubs; they
    create an infrastructure WLAN
  • If you use just the wireless cards of computers to
    communicate with each other, that is called an
    ad hoc network.
  • Wireless devices must use the same channel
  • Devices are configured to use a specific SSID
    (often broadcast by the access point)

144
802.11 standard
  • Wireless networking
  • 2.4, 3.6, 5 GHz
  • Data Link layer specifications
  • Access point (a type of bridge)

145
802.11 family
  • 802.11a
  • 54 Mbps
  • 5 GHz
  • 8 channels
  • 802.11b
  • 11 Mbps
  • 2.4 GHz (same band as many other home devices)
  • 802.11g
  • 54 Mbps
  • 2.4 GHz
  • 802.11n
  • 100+ Mbps (up to 600 Mbps with MIMO)
  • 2.4 GHz or 5 GHz

146
Wireless security problems
  • Unauthorized access
  • Sniffing
  • War driving
  • Unauthorized (rogue) access points and evil twins
    (man in the middle)

147
Wireless Authentication types - 623
  • Open System Authentication
  • Doesn't actually require authentication
  • Can be sniffed
  • Shared Key Authentication (WEP)
  • Requires each device to use the same key, and
    before access is granted a challenge/response
    occurs
  • Worse than it sounds: the plaintext challenge and
    the RC4-encrypted response both go over the air,
    which hands an eavesdropper a keystream that can be
    reused to forge frames

148
Transmission encryption - 626
  • There are several wireless encryption protocols
  • WEP
  • Shared password (why is this bad? one key for
    everybody, so anyone who has it can decrypt
    everyone else's traffic, and it is rarely rotated)
  • 64 or 128 bit (really a 40 or 104 bit key plus a
    24 bit IV)
  • Easily crackable (RC4 with repeating IVs)
  • The only option on early 802.11b equipment
  • WPA Personal
  • Shared password (pre-shared key)
  • 128 bit key
  • TKIP (what is TKIP? Temporal Key Integrity
    Protocol: still RC4, but with per-packet keys and a
    message integrity check, designed to run on WEP
    hardware)
  • Implements a portion of the 802.11i standard
    (later)

149
Transmission Encryption
  • WPA2
  • Full compliance with the 802.11i standard
  • AES based (CCMP)
  • TKIP only permitted for backwards compatibility
  • Should use WPA2: WPA's TKIP has known weaknesses,
    and with either one a weak pre-shared key can be
    cracked offline from a single captured handshake
  • WPA Enterprise
  • Uses 802.1X authentication to have individual
    credentials for individual users
  • RADIUS: what was RADIUS again?
  • 802.11i: the official IEEE wireless security
    spec; WPA2 is the Wi-Fi Alliance certification for
    it
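Why a weak WPA/WPA2-Personal passphrase falls to an offline attack, as an added example (not from the slides or the textbook). The key derivation follows 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), the PTK comes from the 802.11i PRF over both MACs and both nonces, and the EAPOL-Key MIC is HMAC-SHA1 (WPA2) or HMAC-MD5 (WPA) under the first 16 bytes of the PTK. The "capture" here is constructed: the MACs, nonces and EAPOL frame bytes are made up, and only the MIC is computed the way a real station computes it. Everything an attacker needs is in the one sniffed handshake; no further contact with the network is required.

```python
import hashlib
import hmac
from typing import Optional, Sequence, Tuple

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (384 bits for CCMP). Its first 16 bytes are the KCK that signs the EAPOL-Key frames."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes, key_version: int = 2) -> bytes:
    """MIC over the EAPOL-Key frame: HMAC-MD5 for WPA/TKIP (v1), HMAC-SHA1 truncated for WPA2 (v2)."""
    digest = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, eapol_frame_mic_zeroed, digest).digest()[:16]

Handshake = Tuple[bytes, bytes, bytes, bytes, bytes, bytes]   # ap, sta, anonce, snonce, frame, mic

def constructed_capture(passphrase: str, ssid: str) -> Handshake:
    """Stands in for a sniffed 4-way handshake (message 2). All values except the MIC are made up."""
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    frame = b"\x01\x03\x00\x75\x02\x01\x0a" + b"\x00" * 16   # fake EAPOL-Key body with MIC field zeroed
    kck = derive_ptk(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return ap_mac, sta_mac, anonce, snonce, frame, eapol_mic(kck, frame)

def crack_handshake(ssid: str, capture: Handshake, wordlist: Sequence[str]) -> Optional[str]:
    """Offline dictionary attack: derive PMK -> PTK -> KCK per candidate and compare the MIC."""
    ap_mac, sta_mac, anonce, snonce, frame, mic = capture
    for candidate in wordlist:
        kck = derive_ptk(wpa_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return candidate
    return None
```

The 4096-iteration PBKDF2 is the only thing slowing the attacker down, and it is fixed by the standard; the defence is entropy in the passphrase (or WPA Enterprise, where there is no shared secret to guess). Note that the SSID is the salt, so precomputed tables exist for common SSIDs.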

150
802.1X - 627
  • Authenticated, port-based access control: the
    port carries nothing but EAP until the user has
    authenticated.
  • Provides distinct per-user authentication
  • Has a supplicant (client), an authenticator (the
    AP or switch) and an authentication server
    (usually RADIUS)

151
Bluetooth (634)
  • What is Bluetooth, what is the purpose?
  • Blue jacking
  • Blue snarfing
  • Blue bugging
  • (next slides)

152
Mobile device security
  • Bluejacking
  • Sending unsolicited messages to nearby Bluetooth
    devices
  • Need to be close
  • Victim phone must be in discoverable mode
  • Bluesnarfing
  • Copies information (contacts, calendar, messages)
    off of remote devices without the owner's consent
  • Bluebugging
  • More serious
  • Allows full use of the phone
  • Allows one to make calls
  • Can eavesdrop on calls

153
WAP (636)
  • Wireless Application Protocol
  • What is it?
  • What is the purpose?
  • WML (Wireless Markup Language)
  • WTLS (Wireless Transport Layer Security)
  • Requires a gateway
  • Between WTLS and HTTPS there is an encryption gap
    (the "WAP gap"): the gateway decrypts the WTLS
    session and re-encrypts it as TLS, so the data is
    in the clear on the gateway.
  • Authentication
  • Class 1: none
  • Class 2: server authenticates to the wireless
    client
  • Class 3: mutual authentication

154
Some attacks against software and systems
155
Root Kit
  • What is a rootkit? (software an attacker installs
    after a compromise to keep privileged access and
    hide its presence, typically by replacing system
    binaries or hooking the kernel so that processes,
    files and connections are not reported)

156
MAC flooding
  • What is it, what is the purpose? (flooding a
    switch with frames from bogus source MAC addresses
    until its CAM table fills; the switch then floods
    frames out every port like a hub, so the attacker
    can sniff traffic that a switch would normally keep
    away from them)

157
Smurf
  • Describe Smurf
  • Forge the source address (the victim's)
  • Ping the directed broadcast address of a large
    network; every host answers the victim
    (amplification)
  • Countermeasures
  • Disable directed broadcasts at perimeter routers
  • Configure routers to drop packets with forged
    source addresses
  • Employ an IDS

158
Fraggle (like Fraggle rock)
  • Like Smurf, but uses UDP (echo, port 7, and
    chargen, port 19)
  • Countermeasures
  • Disable directed broadcasts on the perimeter
  • Drop packets with forged (spoofed) source
    addresses
  • Disable the echo and chargen services
  • Block the echo and chargen ports on the router
  • Use an IDS
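Detection and the router-side countermeasures for both Smurf and Fraggle, as an added example (not from the slides or the textbook). It runs over constructed flow records: the internal network, the addresses and the sample packets are made up. `detect` implements the amplifier-side signature (echo traffic aimed at one of our broadcast addresses, with the forged source being the victim), and `ingress_policy` applies the three filters the slides list to a packet arriving from outside.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Packet:
    """Constructed flow record, as a flow exporter or packet logger at the perimeter might emit."""
    src: str
    dst: str
    proto: str            # "icmp", "udp" or "tcp"
    dport: int = 0        # UDP/TCP destination port
    icmp_type: int = -1   # 8 = ICMP echo request

ECHO_UDP, CHARGEN_UDP = 7, 19
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # made-up internal network

def is_directed_broadcast(dst: str, nets) -> bool:
    ip = ipaddress.ip_address(dst)
    return any(ip == n.broadcast_address for n in nets)

def is_internal(addr: str, nets) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in nets)

def classify(pkt: Packet, nets) -> Optional[str]:
    """Amplifier-side signature: echo traffic aimed at one of our broadcast addresses."""
    if not is_directed_broadcast(pkt.dst, nets):
        return None
    if pkt.proto == "icmp" and pkt.icmp_type == 8:
        return "smurf"
    if pkt.proto == "udp" and pkt.dport in (ECHO_UDP, CHARGEN_UDP):
        return "fraggle"
    return None

def detect(packets: Iterable[Packet], nets=LOCAL_NETS) -> Dict[str, Dict[str, int]]:
    """Counts suspected amplification requests per attack type and per victim (source) address."""
    alerts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for p in packets:
        kind = classify(p, nets)
        if kind:
            alerts[kind][p.src] += 1
    return {k: dict(v) for k, v in alerts.items()}

def ingress_policy(pkt: Packet, nets=LOCAL_NETS) -> str:
    """The router countermeasures from the slides, applied to a packet arriving from outside."""
    if is_internal(pkt.src, nets):
        return "drop: spoofed internal source"       # anti-spoofing ingress filter (BCP 38)
    if is_directed_broadcast(pkt.dst, nets):
        return "drop: directed broadcast"             # Cisco IOS: 'no ip directed-broadcast'
    if pkt.proto == "udp" and pkt.dport in (ECHO_UDP, CHARGEN_UDP):
        return "drop: echo/chargen"
    return "allow"

SAMPLE_PACKETS: List[Packet] = (
    [Packet("198.51.100.10", "192.0.2.255", "icmp", icmp_type=8)] * 5     # Smurf, victim 198.51.100.10
    + [Packet("198.51.100.10", "192.0.2.255", "udp", dport=7)] * 3         # Fraggle, same victim
    + [Packet("203.0.113.4", "192.0.2.10", "tcp", dport=443)]              # ordinary traffic
    + [Packet("203.0.113.4", "192.0.2.10", "icmp", icmp_type=8)]           # a normal ping
)
```

The victim's own logs show the other half of the attack: a flood of echo replies from many hosts on one remote network, all answering requests the victim never sent.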

159
SYN flood
  • Describe the 3 way handshake (not too in-depth):
    SYN, SYN/ACK, ACK
  • Describe the listen queue: the server keeps a
    half-open entry for every SYN it has answered
    until the ACK arrives or the entry times out
  • Describe a SYN flood: SYNs with forged source
    addresses whose ACKs never come
  • What does it accomplish? The queue fills, and new
    legitimate SYNs are dropped
  • Countermeasures
  • Decrease the connection-establish timeout
  • Increase the listen queue size
  • Patch (modern stacks use SYN cookies, which keep
    no state for a bare SYN)
  • Use an IDS
  • Use a firewall
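A small model of the listen queue under a flood, as an added example (not from the slides or the textbook), to show what the two tuning countermeasures actually change. Each second the attacker adds `attack_rate` half-open entries that expire after `syn_timeout` seconds and never complete; legitimate clients are assumed to finish the handshake within the same second. The steady-state number of half-open entries is `attack_rate * syn_timeout`, so the server survives only while that stays below the backlog. The optional `syn_cookies` flag models the stateless approach most modern kernels use, which the slides do not cover. All rates and sizes are made up.

```python
from typing import List, Tuple

def simulate_syn_flood(backlog: int, syn_timeout: int, attack_rate: int, legit_rate: int,
                       seconds: int, syn_cookies: bool = False) -> Tuple[int, int]:
    """One-second-step model of a listen socket under a flood of SYNs whose forged sources
    never answer the SYN/ACK. Returns (accepted, dropped) for legitimate connection attempts.
    Assumption: legitimate clients finish the handshake within the same second, so they do not
    hold a half-open slot across ticks; attacker entries stay until the SYN/ACK timer gives up."""
    half_open: List[int] = []          # expiry time of each half-open entry
    accepted = dropped = 0
    for t in range(seconds):
        half_open = [exp for exp in half_open if exp > t]      # reap timed-out entries
        if not syn_cookies:
            for _ in range(attack_rate):
                if len(half_open) < backlog:
                    half_open.append(t + syn_timeout)
        for _ in range(legit_rate):
            # With SYN cookies the server keeps no state for a bare SYN, so there is no queue to fill.
            if syn_cookies or len(half_open) < backlog:
                accepted += 1
            else:
                dropped += 1
    return accepted, dropped

def steady_state_half_open(attack_rate: int, syn_timeout: int) -> int:
    """Half-open entries a sustained flood keeps in the queue. At or above the backlog,
    legitimate SYNs are dropped."""
    return attack_rate * syn_timeout

def needed_backlog(attack_rate: int, syn_timeout: int) -> int:
    """Smallest backlog that leaves one slot free for legitimate clients under this flood."""
    return steady_state_half_open(attack_rate, syn_timeout) + 1
```

On Linux the stateless defence is enabled with `net.ipv4.tcp_syncookies=1` and the queue size is the `listen()` backlog capped by `net.core.somaxconn`; with cookies on, the queue tuning matters only for the brief window before the kernel switches to cookie mode.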

160
Tear Drop
  • Overlapping IP fragments, crafted so the offsets
    do not fit together; old OS reassembly code got
    confused and crashed.
  • Countermeasures
  • Patch the OS
  • Drop all fragments (problems? legitimate traffic
    fragments too, e.g. large UDP and DNS responses)
  • Use a firewall that does fragment reassembly and
    discards overlapping fragments.
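The "firewall that reassembles" countermeasure, as an added example (not from the slides or the textbook): a minimal IPv4 fragment parser and a reassembler that refuses any fragment whose byte range intersects one already received, instead of guessing which copy wins. Fragments are constructed in the block; addresses and identification values are made up. Exact duplicate retransmissions are treated as overlaps here, which is a simplification a real stack would relax.

```python
import struct
from typing import Dict, List, Optional, Tuple

MF = 0x2000   # "more fragments" flag in the IPv4 flags/fragment-offset field

def build_fragment(ident: int, offset_units: int, more: bool, payload: bytes,
                   src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Constructed IPv4 fragment. offset_units is in 8-byte units, as on the wire."""
    flags_frag = (MF if more else 0) | (offset_units & 0x1FFF)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 17, 0, src_b, dst_b)
    return hdr + payload

def parse_fragment(pkt: bytes) -> Tuple[int, int, bool, bytes]:
    """Returns (identification, byte offset, more-fragments flag, payload)."""
    ver_ihl, _, total, ident, flags_frag, _, _, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & MF), pkt[ihl:total]

class Reassembler:
    """Firewall-style reassembly that discards a datagram as soon as two of its fragments
    overlap (the ambiguity Teardrop exploited in old IP stacks)."""
    def __init__(self):
        # identification -> list of (start, end, more, payload)
        self.datagrams: Dict[int, List[Tuple[int, int, bool, bytes]]] = {}

    def add(self, pkt: bytes) -> Tuple[str, Optional[bytes]]:
        """Returns ("pending", None), ("complete", payload) or ("overlap", None)."""
        ident, start, more, data = parse_fragment(pkt)
        end = start + len(data)
        frags = self.datagrams.setdefault(ident, [])
        for s, e, _, _ in frags:
            if start < e and s < end:                  # byte ranges intersect
                del self.datagrams[ident]              # drop the whole datagram
                return "overlap", None
        frags.append((start, end, more, data))
        frags.sort()
        if frags[-1][2]:                                # highest fragment still says "more"
            return "pending", None
        expected = 0
        for s, e, _, _ in frags:
            if s != expected:
                return "pending", None                  # hole: still waiting for a fragment
            expected = e
        del self.datagrams[ident]
        return "complete", b"".join(d for _, _, _, d in frags)
```

A production reassembler also bounds memory per datagram and ages out incomplete datagrams, since an attacker can otherwise exhaust the firewall with fragments that never complete.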

161
DDoS
  • What is it, and why is it hard to defend against?
    (many compromised hosts attacking at once, so there
    is no single source to block and the aggregate
    traffic can exceed your link capacity)
  • What previously discussed things are used in DDoS
    attacks? (Smurf/Fraggle amplification, SYN floods,
    and forged source addresses)
  • Countermeasures
  • Good luck. (anti-spoofing filters, upstream rate
    limiting and scrubbing services help, but none of
    them solve it)

162
Buffer Overflows
  • What are they? What are the attributes of a
    buffer overflow? (writing more data into a fixed
    size buffer than it can hold, so adjacent memory
    such as other variables or the saved return address
    is overwritten; with a crafted payload the attacker
    redirects execution to their own code)

163
From Chapter 5
  • Maintenance Hooks
  • Time of Check/ Time of Use Attacks