CISSP – Chapter 7
advertisement
CISSP – Chapter 7 Telecommunications and Network Security Chapter 7 • This chapter is HUGE and honestly you are not going to understand all of it unless you’ve done a lot of network or network security in your life. Don’t get too stressed, try to follow along I will try to point out the most important things to understand. If you have questions ASK ME, luckily this is my area of expertise so I should be able to help you out. Some questions may have to be directed to after class or in between breaks if they go to in depth. Chapter 7 – OSI/Internet Model 483 • There is something called the “OSI” model that lays out functional levels/different distinct services that a network should provide. It’s not actually used in real life but serves as a reference. The “Internet (TCP/IP)” model is used and maps directly to the OSI model, but is simpler. • The layered model defines that functionality a certain layer should provide and provides “Services” to the layer directly above it that that layer can use. Each layer generally uses the resources and functionality of the layer below it. OSI model 484 • 7 layers • A P S T N D P… “All People Seem to Need Data Processing”… say that 10 times – – – – – – – Application Presentation Session Transport Network Data link Physical OSI model – layer 1 physical 494 • Layer 1 Physical – simply put is concerned with physically sending electric signals over a medium. Is concerned with – specific cabling, – voltages and – Timings • This level actually sends data as electrical signals that other equipment using the same “physical” medium understand – ex. Ethernet OSI model – layer 2 data link 492 • Layer 2 Data Link – data link goes hand in hand with physical layer. The data link level actually defines the format of how data “Frames”* will be sent over the physical medium, so that two network cards of the same network type will actually be able to communicate. These frames are sent to the “physical” level to actually be turned into the electronic signals that are sent over a specific network. (layer 2 uses the services of layer 1) • Two network cards on the same LAN communicate at the data link layer. • Data Link and Physical layers really go together to define how a specific network type operates, in fact Layer 1 & 2 of the OSI model = layer 1 of the “TCP/IP model” (Network Access) (more) OSI model – layer 2 - 492 • Protocols that use the data link layer – ARP – RARP – PPP – SLIP – Any LAN format (Ethernet) OSI model – layer 3 network - 491 • Layer 3 Network – For the Internet this is “IP” which defines how “packets” are sent across different physical networks/LANs. Layer 2 is concerned with defining unique hosts on a network, and routing packets between distinct networks. – Layer 3 protocols • IP • IPX/SPX • Apple Talk (more) OSI model layer 3 network - 491 • For IP other protocols that “work” on this layer are – ICMP – IP “helpers” (like ping) – IGMP – Internet Group Message Protocol – RIP – routing protocol – OSPF – routing protocol – BGP – routing protocol (more) OSI Model Layer 3 - 491 • OSI layer 3 Network = Internet model layer 2 (Network) • Layer 3 actually uses to services of the data link layer to move data between two computers on the same LAN. OSI model Layer 4 Transport - 490 • OSI Layer 4 Transport – Provides “end-to-end” data transport services and establishes a logical connection between 2 computers systems” • Virtual connection between “COMPUTERS” • Protocols used at layer 4 – TCP – UDP • In the Internet Model this is layer 3 (transport/host to host) • Layer 4 user the services of layer 3 to move data between 2 different networks/hosts OSI Model Layer 5 Session - 489 • OSI Layer 5 Session – responsible for establishing a connection between two APPLICATIONS! (either on the same computer or two different computers) • Create connection • Transfer data • Release connection • Protocols that work at this layer – NFS – SQL – RPC • Remember Session is setting up a conversation between two applications rather than comptuers, however the session layer uses the services of the layer beneth it (transport) to move data between 2 computers • OSI lay 5 = Internet model layer 3 (transport/host to host) OSI model Layer 6 – Presentation 487 • OSI Layer 6 – present the data in a format that all computers can understand – Concerned with encryption, compression and formatting • Maps to layer 4 of the Internet Model OSI model Layer 7 – Application 487 • This defines a protocol (way of sending data) that two different programs or protocols understand. – HTTP – SMTP – DNS • This is the layer that most software uses to talk with other software. • This maps to the Internet model Layer 4 (application) Quick OSI review • What layer is creates a connection between 2 applications? • What layer turns the frames sent to it into the proper voltages and timings to send across a wire? • What layer is concerned with finding paths between different networks? • What layer is concerned with the formatting of the data? • What layer is concerned with communicating between two of the? same interface types on computers on the same LAN? • What layer creates a connection between two computers? • What layer is concerned with the data/protocol that the application you are using uses? Some network equipment and what layers they generally work on We will talk about these later on. • Hub/repeater – physical • Switch – data link • Router – network • firewall – can be one of many levels above network • Application proxy firewall – application TCP/IP model • Network Access = OSI layers 1 & 2, defines LAN communication, what do I mean by that? • Network = OSI layer 3 – defines addressing and routing • Transport/Host to Host = OSI layer 4, 5 – defines a communication session between two applications on one or two hosts • Application = OSI layers 6,7 the application data that is being sent across a network OSI vs. TCP/IP model TCP/IP (497) • TCP/IP is a suite of protocols that define IP communications. • IP is a network layer protocol, and handles addressing and routing • We use IP version 4 • The main components of an IP address – IP address – Netmask – What is the netmask used for? – Host part, network part, like street address and zip code. (more) TCP/IP class networks - 504 • Class A – IP ranges 0.0.0.0 – 127.255.255.255 – Implied Netmask 255.255.255.0 – Lots of hosts (about 16 million) • Class B – IP ranges 128.0.0.0 to 192.255.255.255 – Implied netmask 255.255.0.0 – About 65,000 hosts (more) TCP/IP class networks - 504 • Class C – IP ranges 192.0.0.0 to 223.255.255.255 – Implied netmask 255.255.255.0 – 254 hosts • Class D – IP ranges 224.0.0.0 to 239.255.255.255 – Reserved for multicast, not normal IP addresses • Class E – IP ranges 240.0.0.0 to 255.255.255.255 – Reserved for research TCP/IP Classless networks • Classes are not really used anymore, we now use CIDR, which is just an IP address and a netmask or / – Ex. 172.16.1.0/24 = 172.16.1.0 with a netmask of 255.255.255.0 TCP/IP - 504 • We currently use IPv4 with has 2^32 addresses (about 4 billion IP addresses) however we are running out. IPv6 has 2^128 addresses (4 billion x 4 billion… (NOT 16 billion)) • IPv6 also has a simplified format and additional features such as IPSEC. (talk about IP SEC later) TCP/UDP - 498 • TCP/UDP handle the transport and session layers. They setup a communications channel between two programs talking over the network • Programs talk via “ports” which are numbers that generally define what program/services you want to talk to (talk about this in a couple slides) More on TCP/UDP in the next slides TCP - 502 • Reliable connection-oriented protocol – Has a true connection – Starts with a 3-way handshake, (SYN, SYNACK, ACK) talk about this TCP - 499 – Keeps state, and will guarantee delivery of data to other side (or inform the application of the inability to send) does this with sequence and acknowledgement numbers, these numbers also provide ordering to packets – Has some security due to the state of the connection – Nice to program with, but slower/more overhead because of the work done to guarantee delivery. UDP - 499 • • • • • • • • Like a postcard, each packet is separate No guarantee on delivery Best effort Fast, little overhead No sequence numbers (ordering) No acknowledgements No connection Security issues due to lack of a connection Ports - 501 • Both TCP and UDP use “ports” as the end points of conversations. Ports for services that are defined and static are called “well known ports” some well know ports are – – – – – – – – telnet TCP/23 Email (SMTP) TCP/25 Email (POP) TCP/110 Email (IMAP) TCP/143 Web (HTTP) TCP/80 Web (HTTPS) TCP/443 DNS TCP & UDP 53 FTP TCP/21 & 20 Random Networking Terms - 507 • • • • • Latency Bandwidth Synchronous – synchronized via a time source Asynchronous – not timed Baseband – use the entire medium for communication • Broadband – slide the medium into multiple channels for multiple simultaneous communications Random Networking Terms • Unicast (524) • Multicast (524) • Broadcast (524) Network Topologies (509) • • • • Ring Bus Star Mesh • Talk about each of these • Perhaps memorize chart at bottom of 511 Ethernet - 513 • Most common form of LAN networking, has the following characteristics – Shares media (only one person talks at a time (at least without a switch) – Broadcast and collision domains – CSMA/CD – Supports full duplex with a switch – Defined by IEEE 802.3 Ethernet media types - 514 • 10Base2 – Thin net, coaxial cable (like TV cable, but different electrically) – Max length about 200 meters – 10 Mbs second – Requires a BNC connector – BUS/Shared medium (security problems?) – obsolete (more) Ethernet Media Types - 514 • 10base5 – – – – – – – – Thick net, thicker coax Max length about 500 meters 10Mbs Uses vampire taps More resistant to electrical interference BUS/shared medium Used to be used as backbone Obsolete (more) Ethernet Media Types - 514 • 10BaseT – Length about 100 Meters – 10Mbs second – Twisted pair (like phone wire) (CAT 3) – Use RJ-45 connector – Use in star topology – Susceptible to interference – Mostly obsolete (more) Ethernet Media Types - 514 • 100BaseTX – Length about 100 Meters – 100Mbs – Twisted pair (like phone wire) (CAT 5, 6) – Use RJ-45 connector – Use in star topology – Susceptible to interference (more) Ethernet Media Types - 514 • 1000BaseT – Length about 100 Meters – 1000+Mbs – Twisted pair (like phone wire) (CAT 5e,6) – Use RJ-45 connector – Use in star topology – Susceptible to interference Token Ring (516) • Briefly describe token ring – Ring topology, though using a HUB – HUB = Multistation access Unit (MUA) – Token passing for control of network – Beaconing for failure detection • Pretty much not used except legacy networks FDDI - 517 • • • • Similar to token ring but uses fiber. High Speed Used to be used as backbone networks 2 rings to create a “wrap” if one goes down Cabling - 519 • Coaxial – copper core surrounded by a shielding layer and a grounding wire. – More resistant to EMI than UTP – Note used much anymore – Can be baseband (one channel Ethernet) or broadband (multiple channels, cable TV) Twisted Pair - 520 • • • • • • • • Like phone wire, but more wires. RJ-45 connector Two main “types” UTP, and STP STP is shielded and better if you have EMI issues UTP is unshielded and susceptible to EMI and crosstalk UTP also gives off signals which could be picked up if you have sufficient technology. (tempest stuff) “least secure vs. coax and fiber” Chart on 521 (for your own study) Fiber - 522 • Glass tubes • High speed, long haul • NOT effected by EMI, doesn’t “lose” signal either (attenuation) • Does NOT radiate energy, better security • Expensive • Difficult to work with • Used in backbones Media Access Technologies (526) • Token Passing • CSMA/CD – waits for clear, then starts talking, detect collisions • CSMA/CA – signals intent to talk Collision Domain – where collisions can occur. (i.e. two people try to talk at the same time) (how do we make the collision domain smaller?) What is a security impact of collision domains? sniffing, DoS LAN Protocols - 529 • ARP – Network Adapters have 2 addresses, and IP address, and a MAC address. (what is each used for? How do they relate? which “layer” does each exist on?) – ARP is the glue for relating the IP and the MAC addresses • Attacks – ARP table poisoning – what is this how does it happen, what would it do? DHCP - 530 • DHCP – what is it what is it used for? – Precursors • RARP – what did it do? • BOOTP – what did it do? ICMP - 531 • ICMP – “IP helper” – Echo request/reply – Destination unreachable – Source quench – Redirect – Trace route • Security problems? Anyone? • LOKI – sending data in ICMP messages. (stealthy!) Basic Networking Devices (536) • There are different types of networking devices that exist we will look at • Repeaters • Hubs • Bridges • Switches • Routers Repeaters - 536 • Layer 1 device • No intelligence • Simply repeats and electrical signal from an input to an output. • Used to increase range (ex. Put a repeater 200 meters down a 10Base2 run to double the length) Hub • Multiport repeater • The initial way to connect computer together in a STAR configuration, using twisted pair wiring • Layer 1 device • No intelligence • Just repeats a signal down ALL the wires Bridge (537) • Layer 2 device, splits a LAN into 2 segments. • A bridge builds a table of the layer 2 (MAC) addresses on each side of the bridge and only forwards communication if communication is between MAC addresses on each side of the bridge • Reduces collision domain by ½ • Does not affect broadcast domain (doesn’t affect broadcast storms) • Recreates the signal • Can combine two network types into one LAN (i.e. translate between LAN types) • Uses “Spanning Tree algorithm” to detect loops. Switch - 541 • Multi-port bridge (all the bridge attributes hold true) • Modern form of connecting computer together on a LAN • Allows full duplex communication (what do I mean by this?) • Each link is a separate collision domain • Does not alter broadcast domains • Can be used to create VLANS (talk about in a few slides) VLANs - 544 • • • • • • Virtual Lan What is it Why would it be used? Do you still have to route between VLANS?* Two different VLAN protocols 802.1Q*, or Cisco ISL* for trunking between switches • see picture on next slide VLAN - 544 Routers - 539 • Work on layer 3 – Network layer • Uses IP addresses to best route between networks, is NOT used to create a LAN. You must use hubs or switches to create a LAN, routers go between LANS/networks to allows communications between different LANS/networks. • Routers do NOT care about layer 2 (MAC addresses) • When would you use a router, when would you use a switch? • Routers can perform firewall functionality. • Does not forward on broadcasts!* Routers vs. Switches - 540 • You should understand the different between a router and a switch. Also memorize the table at the bottom of 540. Now we need to talk about some routing protocols Routing Protocols (532) • Routing is the dynamic updating and sharing of routes to networks with other routers in your company and thought the internet. You can setup routes either – Statically – Dynamically (discuss pros/cons of each, not too in-depth) Routing Protocols (532) • Some Dynamic routing protocols use the concept of an “AS” Autonomous System, which groups a bunch of networks together for an organization, and only advertise the networks that can be reached in the AS, not the details of the individual networks inside. These are generally called “Exterior Routing Protocols” and are used to connect different organizations together • Other routing protocols try to advertise and track each individual network separately. These are generally called “Interior Routing Protocols” and are for use within an organization • A company can run IGP and EGPs at the same time, how? Dynamic Routing Protocols (533) • Distance vector – Builds a TABLE of all routes and a “distance” to get to them along with the next hop router – Susceptible to route-flapping – Long “convergence” times – Examples • RIP • IGRP Dynamic routing protocols (533) • Link State – Actually builds a graph/map of all networks and the ways to reach them. So the router can “see the entire topography” – Has quick convergence times – Can take link speeds and other factors into consideration – Slow to build initially – Requires a lot of resources – Examples • OSPF Specific Routing Protocols (534+) RIP • DV algorithm used only in small networks, sends entire route table every 30 seconds*. • Max number of hops to a networks = 16* • Slow convergence • Only cares about hops, not network speed or reliability etc. • Original RIP could only use “Classful routing”, v2 allows classless (CIDR) routing* Specific Routing Protocols (534) • IGRP – DV protocol designed to solve problems with RIP. • Examines bandwidth and delay • Converges faster than RIP • No max hop limit • New version is EIGRP (enhanced IGRP) OSPF (534) • Open Shortest Path First – Link State protocol developed as a replacement for RIP. • Supports Autonomous systems • Builds a graph rather than a table • Fast convergence • Slow to start • Requires high resources to build and maintain map. • Only sends link changes to other routers. BGP (535) • BGP is an exterior routing protocol • Uses AS • Used by ISPs and large companies as their Internet Routing protocol. (to connect to the internet) Advanced Networking Devices • These are devices that are beyond the “basic” fundamental networking devices, they generally provide some specific advanced functionality. • Let the slides begin! Gateway - 545 • Generic Term for something that connects two separate things together (can be any level). • Default gateway = router to get you off your network • Application gateways – work at the application level and help translate between two different applications. (Ex. Windows and Unix file sharing) • Email Gateway – translate between different email types. (Exchange and SMTP) PBX 547 • Private Branch Exchange – phone system – Old systems “analog” – New systems digital and VoIP • Crackers that hack phone systems used to be call “phreakers” – Free calls (long distance) – Masquerade as other people/hide calls – Often this goes un-noticed as companies often do not audit their phone bills closely Firewalls - 548 • Enforce network policy. • Generally firewalls are put on the perimeter of a network and allow or deny traffic based on company or network policy. • MUST have IP forwarding turned off* • Firewalls are often used to create a DMZ. • Generally are dual/multi homed* (What do I mean by this?) • 5 types of firewalls (more in depth about each next slides) – – – – – Packet filtering Statefull Proxy Dynamic packet filtering Kernel Proxy Packet filter • Uses Access control lists (ACLs), which are rules that a firewall applies to each packet it receives. • Not statefull, just looks at the network and transport layer packets (IP addresses, ports, and “flags”) – Do not look into the application, cannot block viri etc. – Generally do not support anything advanced or custom Statefull firewall • Like packet filtering, however the router keeps track of a connection. It knows which “conversations” are active, who is involved etc. • It allows return traffic to come back where a packet filter would have to have a specific rule to define returned traffic • Keeps a state table which lists the state of the conversations. • More complex, and can launch DoS against by trying to fill up all the entries in the state tables/use up memory. • If rebooted can disrupt conversation that had been occurring. Dynamic packet filtering • Like a statefull firewall but more advanced. Can actually rewrite rules dynamically. • Some protocols such as FTP have complex communications that require multiple ports and protocols for a specific application, packet and statefull filter cannot handle these easily, however dynamic packet filter can as they can create rules on the fly as needed. Proxy firewall – 552 • Works as a middleman • Works only with the applications it understands. • Inspects the data that is being past to look for dangerous data (like viri) or incorrect usage of a protocol. • Also rewrites the address so the external hosts only see the proxy. (stops direct access between two computers, hides the internal network structure) why is this good? (more) Proxy firewall - 552 + looks at data at all levels, (though usually concentrates on applications layer) + can provide very specific security tailored to specific protocols and vulnerabilities + hides internal network - Slow - Can be a bottleneck - Breaks the traditional client/server application model which can cause issues on some applications. Can make troubleshooting harder (more) Proxy firewalls - 552 • Two types of proxies – Circuit level – Application • Talk about each of these on next slides Application level proxies - 552 • Proxies only specific applications (ex. HTTP, SMTP) + these can strongly protect and be aware of specific vulnerabilities and protocol violations, or dangerous data + can have logging or authentication features - Only work with the protocols that they specifically understand Circuit Level proxies - 554 • Works at a lower level (transport/session level) to generically be a middle man between two computer. + generally works with all network protocols, as it doesn’t understand the actual applications involved - Cannot protect against, violations in the protocol or bad data being passed around, main purpose is to hide internal network and stop direct communications between external machines and internal machines. - Example SOCKS, NAT, PNAT NAT (577) • Network address translation – a type of generic network proxy – Hides internal networks by rewriting internal addresses – Allows you to use “private” network addresses and still have internet connectivity – Protects internal machines from being accessed. – Requires a pool of IP addresses to use. (mapping is 1-to-1) (example next page) NAT (577) NAT (577) Example: 10.0.0.1 want to talk to 175.56.28.03 – SRC = 10.0.0.1 – Dest = 175.56.28.03 Router at 215.37.32.203 intercepts request and changes SRC to be 175.56.28.03 – SRC = 215.37.32.203 – DEST= 175.56.28.03 Destination send response – SRC=175.56.28.03 – DEST = 215.37.32.203 Router accepts packet rewrites – SRC = 175.56.28.03 – DEST = 10.0.0.1 Send packet to original requestor (10.0.0.1) NAT (577) • See handout for normal IP traffic and NAT traffic PNAT (577) • Similar to NAT but only requires a single IP address, rather than map IPs one to one, we actually remap port numbers. • Much more commonly used that NAT, a bit more secure, as only established connections can respond back to the sender, whereas in normal NAT once a machine is using a temporary IP, the outside world can establish connections back to the originating computer. Example next 2 slides PNAT (577) PNAT (577) 1. Client computer creates packet SRC: 10.0.0.1:TCP:10000 DEST: 130.85.1.3:TCP:80 2. Router rewrites the SRC portion to be SRC: 208.254.31.1:1026 Makes an entry in the PNAT table 3. End server accepts packet 4. End server creates return packet SRC: 130.85.1.3:TCP:80 DEST: 208.254.31.1:1026 5. Router receives packet, rewrites destination to be – DEST: 10.0.0.1:TCP:10000 6. Client receives the return packet Basic Firewall best practices (563) • • • • • • • Block ICMP redirects Keep ACLS simple Implicit deny * what is this? Disallow source routed packets* explain Only keep open necessary ports/services Block directed IP broadcasts Block packets where the addresses seem spoofed (how can you tell?) • Enable logging • Drop fragments, or re-assemble fragments… Anyone know why? Firewall issues • Potential bottleneck • Can restrict valid access • Often mis-configured (not the firewalls fault) • Except for certain types (application proxies) generally don’t filter out malevolent data (viri etc) • Don’t protect against inside attacks!* Firewall architecture - 560 • Now that we understand firewalls, how do we lay them out DMZ DMZ - 560 • A zone between the Internet and your companies internal network where you put your Internet accessible servers. A DMZ usually has – A of firewall between it and the Internet that blocks access except to “Internet accessible services”. – A firewall between it and the internal company network, usually a much more “locked down” firewall that doesn’t allow any access into the company Bastion Host (560) • Bastion Host – a server that is highly locked down (hardened). Usually put in a DMZ. These machines can be directly accessed by the internet (though usually though one layer of firewall) so they are “hardened” (what do I mean by that?) Dual Homed Firewall • Pretty much any firewall, dual homed means there are two network interfaces, one on the “Internet” one on the “Internal network” • Multi-homed just means 2 or more interfaces. Multi-homed firewalls may be used to setup a DMZ with a single firewall. (see next slide) • On any dual/multi-homed machine, “IP forwarding” should be disabled.* Multi-homed firewall Screened Subnet - 561 • A type of DMZ, where there is a “middle” network where internet services reside before the “Internal” network (see next slide). In a screen subnet, there is usually a router performing packet filtering before the “first firewall” Screen Subnet Multiple interface firewalls - 560 • You may have a firewall that protects internal networks from each other! End of firewalls Other Technological security concepts (566) • Honey pot – a machine left open for attackers to try to hack.. Why? • Honey net – same concept, but an entire network, again why? • What is the difference between entrapment and enticement?* NOS (568) • NOS is just a term you should understand, a Network Operating System. All modern OSes are NOS. This just means they manage more than just the local computer, they usually provide or use network services in a client server architecture. Some features a NOS provides are on the following slide NOS (568) • NOS features – Directory services – Remote access – Clustering (sometimes) – Authentication, authorization, Access Control, Auditing – File and printer sharing – User management – “redirector services” *what is this? DNS - 569 • Network software uses IP addresses, however these are difficult for users to remember (especially in IPv6). So DNS is used to help map “names” that we use such as www.paladingrp.com to addresses that computers use like 63.251.179.13 (more) DNS - 569 • DNS uses a hierarchical model. Starting with the “.” then the top level domains “com, edu, org” etc. “Sub domains” are broken out into zones, and organizations can be assigned authority for their own zones and run their own DNS servers to provide DNS lookups for their own zone. • A name server that is “authoritative for a zone” is called an “authoritative name server” for example. Paladingrp.com runs is authoritative for it’s own DNS and has it’s own group of name servers that provide DNS “resolution” to the rest of the Internet for names ending in paladingrp.com • Name server can be “primary” or “secondary” and perform “Zone transfers” to each other See next slide for example DNS hierarchy DNS (also example on 571) DNS • Common top level domains are – .COM – .EDU – .MIL – .GOV – .ORG – .NET • You should be aware of these above DNS cache poisoning - 572 • Besides authoritative name servers organizations also have “Caching” name servers that simply do DNS resolution on behalf of clients. • One common attack is DNS cache poisoning* – describe how that works and the purpose of it. DNS SEC • DNS sec tries to ensure integrity of DNS queries by signing them.* This will defeat cache poisoning. • authoritative DNS servers should NOT also provide the “caching service”. NIS - 573 • Network information System (NIS) – originally called “YP” Yellow Pages. Provides shared network information (ex user accounts, hosts entries) for many computers in a “domain” (NOT DNS domain or Windows domain) using “RPC” – ypserv – ypbind • Files are sent clear text! Bad. Why? NIS+ (574) • Improved upon NIS performance (hierarchal rather than flat namespace) • Incremental updates • Improved upon NIS security concerns. (secure RPC), provides authentication, authorization and encryption) Intranet, Extranet - 579 • Intranet – internal IP network, though often used to define a set of resources made available through a web interface for INTERNAL use • Extranet – a set of network resources (usually web based) for two companies to collaborate or share resources, may or may not make use of VPNs LAN, WAN, MAN - 581 • LAN – local area network – High speed – Small physical area • WAN – wide area network – Used to connect LANS – Generally slow, using serial links • MAN – metropolitan area network – Connect sites together within a medium range area (like a city) Types of links for WANs and MANS • Dedicated/leased/point to point – a link that is pre-established and used ONLY for communications between 2 locations, it is DEDICATED (see next slide) to their use – Expensive, cost per distance – Types • • • • • • T1 - about 1.5Mbs T3 - about 45 Mbs Fractional T – some fraction of a T1/T3 T1s are time division multiplexed (what does this mean?) T1s are annoying, because the “local loop portion” often fails T1/T3 can also be used in shared/frame relay Dedicated Frame Relay - 592 • Data link protocol • Not a point to point connection, but a connection into a “cloud” (see next slide) • CIR • Uses virtual circuits (PVC) • Uses DLCIs • Still uses T1/T3 but rather than going all the way, they just go to the nearest “carriers” frame relay cloud POP. Frame relay / cloud WAN terms Multiplexing • • • • Time Division Frequency Division Wavelength Division CDMA – speak multiple “languages”/mathematic multiplexing CSU/DSU - 589 • Channel Service Unit / Data service Unit – effectively the “modem” for serial lines. Circuit vs. Packet Switching - 590 • Packet-based networking vs. circuit based – Packets are small, quick to send – Routes vary – Route determined after computer begins to send the packet – Can arrive from different routes in different order than sent. – Can introduce delays as packets traverse network, where as with circuit switching the delays is before data is sent (circuit/setup) – Circuit switching – connection oriented/dedicated resources and circuit – Circuit switching has fixed delays. ATM - 594 • A type of packet based switching used to emulate circuit switching – Used by telcos – 53 byte packets – Sets up a virtual circuit – Guarantees resources once a circuit is setup – Guarantees QoS QoS - 595 • What is Qos, why is it needed? VoIP - 598 • What is VoIP • What are some concerns with VoIP – Technical • Latency, Jitter, dropped packets QoS – Security • Eavesdropping • Caller id Spoofing and vishing • Long Distance calls • What is SIP? • What is a call processor? – Sets up calls, terminates calls. (more) VoIP • • • • What is a voicemail server? What is “convergence” VoIP and VLANS/Priority? What is an h.323 gateway? Remote Access Remote Access - 603 • Home users/remote users need a way to access work (though some high security places don’t allow offsite work) – Dial Up – ISDN – DSL – Cable Modems Dial up - 603 • Advantages – Reduce networking costs (use internet) as opposed to dedicated connections – Allows work from home – Streamlines access to information – Provides a competitive advantage (more) Dial Up - 603 • Disadvantages – Back door into networks (bypass firewall) – Often forgotten about – Slow • Attacks – War dialing • Defenses – – – – Dial Back / Caller ID restrictions Use authentication Answer after 4 or more rings (why/war dialing) ISDN - 604 • Uses same lines as phone lines, directly dial into company – BRI • 2 B Channels (64Kbits x 2) • 1 D Channel (control channel) Out of Band – PRI • 23 B Channels • 1 D Channel • Not for personal use DSL - 606 • MUCH faster than IDSN (6-30 times faster) • Must live very close to the DSL equipment (a few miles) • Symmetric and Asymmetric • Always on (security concerns) • Doesn’t connect directly to company / use VPN Cable Modem - 606 • High speed access up to 50Mbps via cable TV lines. • Shared bandwidth • Always on (security concerns) • Doesn’t connect directly to company, require VPN VPNs - 608 • Securely connect to companies network/extend company network • Private, usually encrypted connection • Usually use tunneling • Can be host to server or server to server • Can provide internal IP addresses • Can encrypt actual IP addresses • Protocols – PPTP – L2TP – IP Sec (more) Tunnels - 609 • Tunnel – a virtual path across a network the encapsulates network packets within OTHER IP packets • Can use to tunnel non-IP protocols (like IPX, NetBEUI) • Can encrypt encapsulated packets for extra security. PPTP - 612 • Microsoft • User gets connection to ISP • Setups PPTP connection to server at company • Setup a tunnel • Generally encrypt traffic • Only works over IP networks* • Designed for use in software* L2TP - 613 • Same general functionality of PPTP but works over other type of networks (non-IP) (ex. Frame relay, X.25, ATM) • Does not provide encryption or authentication! Ouch, need to use IPSEC if wanting to do this • Supports TACACS+, RADIUS, PPTP does not • Meant to be implemented in hardware • More of a carrier concept. IPSEC (749 (chapter 8)) IPSEC a protocol providing a method for VPNs between to sites • Designed for IPv6 • Extended for use for IPv4 • Not a strict protocol, allows for extensibility with encryption and authentication algorithms • A “Framework” • 2 main protocols AH and ESP (next slide) • 2 modes “Tunnel and Transport” (2 slides away) IPSEC • AH - authentication header – Protocol number 51 – Authentication only • ESP – Encapsulating security payload – Protocol number 50 – Encryption Transport and Tunneling • Transport does not actually tunnel IP within IP. It only encapsulates the transport layer and above • Tunnel actually encapsulates IP within IP an entirely new IP packet is encapsulated within an external IP packet See next slide Transport vs. Tunnel Example of transport Example of Tunneling IPSEC • Each device in IPSec will have at least 1 security association for each VPN connection it uses. A SA is a set of parameters used for communication and includes – – – – Authentication and encryiption keys Algorithms choosen IP ranges SAs are unidirectional, so usually you have at least 2 for each tunnel that exists (one for sending, one for receiving)* – An SPI (security parameter Index) is used to label which SA that any packet is associated with – Use “IKE/ISAKMP” on port 500 UDP for key negotiations/SA setup* Authentication Protocols - 614 • PAP • CHAP • EAP – framework not actual protocol Remote Access Best Practices • • • • • • • Always authenticate users Use multi-factor authentication Audit access Answer modems after 4 rings (modems) Use caller id (modems) Use callback (modems) use VPNs Wireless Wireless (619) • Wireless, very common now. – No wires – Easy to use – Shared Medium (like Ethernet with Hubs… what’s wrong with this? From security and performance?) – Uses CSMA/CA Spread Spectrum - 619 • Spreads communication across different frequencies available for the wireless device. – Frequency Hopping Spread Spectrum • Hop between frequencies (helps if other devices use same frequencies) (doesn’t use the entire “bandwidth of frequencies) • Harder for eavesdroppers (if everybody didn't know the sequence.. Which they actually do) – Direct Sequence Spread Spectrum • Sends data across entire bandwidth, using “chipping code” along with data to appear as noise to other devices. Wireless Components - 621 • Access points are like wireless “hubs”, they create a “infrastructure WLAN” • If you use just wireless cards of computers to communicate together that is called an “Ad-Hoc” network. • Wireless devices must use the same “channel” • Devices are configured to use a specific SSID (often broadcasted) 802.11 standard • • • • Wireless networking 2.4, 3.6, 5 GHz Data Link layer specifications Access point (a type of bridge) 802.11 family • 802.11a – 54Mbps – 5Ghz – 8 channels • 802.11b – 11Mbs – 2.4Ghz (same as other home devices) • 802.11g – 54Mbs – 2.4Ghz • 802.11n – 100Mbs Wireless security problems • • • • Unauthorized access sniffing War driving Unauthorized access points (Man in the middle) Wireless Authentication types - 623 • Open System Authentication – Doesn’t actually require authentication – can be sniffed • Shared Key Authentication – Requires each device use the same key, and before access is granted a “challenge” occurs Transmission encryption - 626 There are many different types of wireless encryption protocols • WEP – – – – Shared passwords (why is this bad?) 64 or 128 bit Easily crack able Only option for 802.11b • WPA Personal – – – – Shared password 128 bit key TKIP (what is TKIP?) Implements a portion of 802.11i standard (later) Transmission Encryption • WPA2 – – – – more compliance with 802.11i standard AES based algorithm Also uses TKIP Should use WPA2 as WPA can be cracked like WEP • WPA Enterprise – Uses 802.1X authentication to have individual passwords for individual users • RADIUS – what was radius again? • 802.11i – the official IEEE wireless security spec, officially supports WPA2 802.1X - 627 • Authenticated port based access control. • Provides distinct user authentication • Has “supplicant” (client), Authenticator (AP) and Authentication Service (usually radius) Bluetooth (634) • What is Bluetooth, what is the purpose? – Blue jacking – Blue snarfing – Blue bugging (next slides) Mobile device security • Blue jacking – Sending forged message to nearby Bluetooth devices – Need to be close – Victim phone must be in “discoverable” mode • Blue snarfing – Copies information off of remote devices • Blue bugging – – – – More serious Allows full use of phone Allows one to make calls Can eavesdrop on calls WAP (636) • Wireless Application Protocol – What is it – What is the purpose? – WML (wireless markup language) – WTLS ( wireless transport layer security) – Requires a “gateway” • Between WTLS and HTTPS there is an encryption gap. – Authentication • Class 1 – none • Class 2 – server authenticates to wireless • Class 3 – mutual authentication Some attacks against software and systems Root Kit • What is a root kit? MAC flooding • What is it, what is the purpose? Smurf • Describe Smurf – Forge source address – Ping broadcast address • Countermeasures – Disable directed broadcasts at perimeter routers – Configure routers to drop forged packets – Employ and IDS Fraggle (like Fraggle rock) • Like Smurf, but uses UDP (echo and chargen) • Countermeasures – Disable directed broadcasts on perimeter – Disable address forging – Disable echo and chargen services – Block echo and chargen ports on router – Use an IDS SYN flood • Describe 3 way handshake (not too in-depth) • Describe listen queue • Describe SYN flood • What does it accomplish Countermeasures • Decrease connection-establish timeout • Increase listen queue size • Patch • Use and IDS • Use a Firewall Tear Drop Overlapping fragments, cause OS to get confused and crash. Countermeasures • Patch the OS • Drop fragments (problems?) • Use a firewall that does fragment reassembly. DDoS • What is it, why is it hard to defend against • What previously discussed thing is used in DDoS attacks? Countermeasures • Good luck. Buffer Overflows • What are they? What are the attributes of a buffer overflow? From Chapter 5 • Maintenance Hooks • Time of Check/ Time of Use Attacks
