Telecommunications and Network Security

EVOC 502/503, CSUSB In-Service Presentation
Telecommunications and Network Security
Presented by Victor E. Dike
Textbook: Harris, Shon. “CISSP Certification Exam Guide”. McGraw-Hill. 2002.
CISSP - Telecommunications & Networks
NetworksV52.ppt Slide: 1
Overview
• Introduction
- How protocols work
• The OSI Model
• TCP/IP
• Networking
- Media Access Technologies
- Cabling
- Transmission
- Network Topology
- Standards
- Media Access Protocols
- Networking Devices
- Segregation and Isolation
• Firewalls
• Networking Services
• Intranets and Extranets
• MANs and WANs
• Remote Access
• Resource Availability
• Wireless Technologies
• Summary
Introduction
• Environment
- Mechanisms, devices, software, protocols
• Network Admin
- Configure environment
- Interoperability issues
- Interface with telecommunications
- Strong troubleshooting ability
• Security Professional
- Everything, plus understand vulnerabilities
- Secure an application, e.g. from buffer overflow
- Secure a network architecture
- Understand how protocols work
- Placement of firewalls, routers, switches, etc.
• Layered Security
- Provide multiple barriers
How Protocols Work
• How do protocols work?
- Protocols: Systematic steps, in a consistent order
• A: LAN-to-LAN communication -- Non-Routable
~ Stays in one LAN
• B: Routable
• Sending computer
- Packetize messages
- Address (source & dest.)
- Transmit
• Receiving computer
- Pick data off cable
- Strip header/trailer
- Buffer and reassemble
- Pass to application
[Figure: Two seven-layer stacks (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical). In A the path between the two hosts runs through the Data Link and Physical layers only (non-routable); in B it also passes through an intermediate Network layer (routable).]
The OSI Model
Application Layer
[Figure: OSI layer stack (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data-Link, 1 Physical) with the Application layer highlighted]
• User-to-Process Interface
• Database Access
• E-Mail
• File Transfer
• Remote Connection
• e.g. X.400
Protocols
• FTP, TFTP
• HTTP
• LPD
• SMTP
• SNMP
• Telnet
• WWW
The OSI Model
Presentation Layer
[Figure: OSI layer stack with the Presentation layer highlighted]
• Process-to-Session Interface
• Protocol Conversion
• Data Translation
• Compression/Encryption
• Character Set Conversion
• Graphics Command Interpretation
• Redirectors
Formats
• File System
• ASCII
• Printers
• EBCDIC
• Encrypted
• Networks
• GIF
• JPEG
• MPEG
• MIDI
• TIFF
• Compressed
The OSI Model
Session Layer
[Figure: OSI layer stack with the Session layer highlighted]
• Process-to-Process
• Establishes comm link between processes
• Controls Dialog: transmit/receive
• Synchronization: Keeps track of long messages
• Modes:
- Simplex
- Half-Duplex
- Full-Duplex
Protocols
• SSL
• NFS
• SQL
• RPC
The OSI Model
Transport Layer
[Figure: OSI layer stack with the Transport layer highlighted]
• Session-to-Network Interface
• Packetizes Session Messages
• Ensures Reliable Connection
• Transmits “Acknowledgement”
• Types
- Connection-Oriented: TCP allows four “connections” thru an X.25 Network Layer
- Connection-Less: Correctly reorders messages from an IP Network Layer
Protocols
• TCP
• UDP
• SPX
The OSI Model
Network Layer
[Figure: OSI layer stack with the Network layer highlighted]
• Network-to-Network
• Packet Transmission
• Intermediate Routing Decisions
• Load Adaptation
• Types
- Connection-Oriented = X.25
- Connection-Less = IP
Protocols
• IP
• ICMP
• RIP
• OSPF
• BGP
• IGMP
The OSI Model
Data Link Layer
[Figure: OSI layer stack with the Data-Link layer highlighted]
• Machine-to-Machine
• Frame Creation
• Error Detection
• Error Correction
• Frame Sequence
• Checksums
Formats
• Ethernet
• Token-Ring
• ATM
• FDDI
• ISDN
Protocols
• SLIP
• PPP
• ARP, RARP
• L2F, L2TP
The OSI Model
Physical Layer
[Figure: OSI layer stack with the Physical layer highlighted]
• Adapter-to-Adapter
• Transmission of Bits
• Voltage Levels
• Bits per Second
• Connector Dimensions
• Adapter Interrupts
Formats
• RS-232
• HSSI
• X.21
• EIA-449
• Cat-5, -6
• Coax
• PCMCIA
• USB
The OSI Model
Encapsulation
[Figure: Encapsulation -- as a message passes down the stack (Application, Presentation, Session, Transport, Network, Data Link, Physical), each layer wraps the message from the layer above with its own headers, and a trailer is added, before it reaches the wire]
TCP/IP
(and the OSI model)
V52: Split Application Layer.
[Figure: OSI Model (A) mapped to the TCP/IP Suite (B) and the TCP/IP layers]
- 7 Application, 6 Presentation, 5 Session -> Application: WinSock, HTTP, SMTP, APPC, TFTP, Telnet, SNMP, FTAM, FTP, NetBIOS
- 4 Transport -> Host-to-Host: TCP, UDP
- 3 Network -> Internet: IP, ICMP, ARP, RARP
- 2 Data Link, 1 Physical -> Network Access: LLC, MAC
- DHCP is also shown in the figure, alongside UDP and IP
TCP/IP
TCP, UDP, IP
• TCP: Transmission Control Protocol
- Service addressing: Port #’s
- Governs transmission between devices
~ Connection-Oriented: TCP “Three-Way” Handshake
~ Packet sequencing, flow control, error detection & correction
• UDP: User Datagram Protocol
- Does not govern transmission
~ Connectionless: Best effort
• IP: Internet Protocol
- Inter-network addressing: IP addresses
- Packet forwarding & routing
TCP/IP
TCP “Three-Way” Handshake
[Figure: Client (10.10.1.2) and Server (123.45.67.8) exchanging three segments across the Internet]
- Client -> Server: SYN -- Port #, ISN
- Server -> Client: SYN/ACK -- ACK, ISN+1
- Client -> Server: ACK -- ACK, ISN+2
• ISN
- Initial Sequence Number
- Picked at random
- Controls packet sequence
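The handshake above, modelled as two small state machines (an added example, not code from the presentation). Each side picks its own ISN at random and the peer must acknowledge exactly that ISN plus one; the last function shows why the random ISN matters, by dropping an ACK whose number was guessed rather than learned from the SYN/ACK. Addresses are the slide's; the state names are assumptions.

```python
"""TCP three-way handshake as two small state machines (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src: str
    dst: str
    flags: Set[str]  # subset of {"SYN", "ACK"}
    seq: int
    ack: int = 0


@dataclass
class Endpoint:
    addr: str
    state: str = "CLOSED"
    isn: int = field(default_factory=lambda: secrets.randbelow(MOD))  # picked at random
    peer_isn: Optional[int] = None

    def acks_my_isn(self, seg: Segment) -> bool:
        """True when the peer acknowledges our ISN + 1, as the handshake requires."""
        return "ACK" in seg.flags and seg.ack == (self.isn + 1) % MOD


def client_syn(client: Endpoint, server_addr: str) -> Segment:
    """Step 1: the client sends SYN carrying its ISN."""
    client.state = "SYN_SENT"
    return Segment(client.addr, server_addr, {"SYN"}, client.isn)


def server_syn_ack(server: Endpoint, syn: Segment) -> Optional[Segment]:
    """Step 2: a listening server answers with SYN/ACK (ACK = client ISN + 1)."""
    if server.state != "LISTEN" or syn.flags != {"SYN"}:
        return None
    server.peer_isn = syn.seq
    server.state = "SYN_RCVD"
    return Segment(server.addr, syn.src, {"SYN", "ACK"}, server.isn, (syn.seq + 1) % MOD)


def client_ack(client: Endpoint, syn_ack: Optional[Segment]) -> Optional[Segment]:
    """Step 3: the client checks that its ISN was acknowledged, then sends the final ACK."""
    if syn_ack is None or client.state != "SYN_SENT" or syn_ack.flags != {"SYN", "ACK"}:
        return None
    if not client.acks_my_isn(syn_ack):
        return None  # not a reply to our SYN (stale or forged)
    client.peer_isn = syn_ack.seq
    client.state = "ESTABLISHED"
    return Segment(client.addr, syn_ack.src, {"ACK"}, (client.isn + 1) % MOD,
                   (syn_ack.seq + 1) % MOD)


def server_establish(server: Endpoint, ack: Optional[Segment]) -> bool:
    """The server opens the connection only if the ACK carries its ISN + 1."""
    if ack is None or server.state != "SYN_RCVD" or ack.flags != {"ACK"}:
        return False
    if not server.acks_my_isn(ack):
        return False  # wrong ACK number: stays half-open, never ESTABLISHED
    server.state = "ESTABLISHED"
    return True


def handshake(client: Endpoint, server: Endpoint) -> bool:
    """Run the full exchange; True when both sides reach ESTABLISHED."""
    server.state = "LISTEN"
    syn = client_syn(client, server.addr)
    syn_ack = server_syn_ack(server, syn)
    ack = client_ack(client, syn_ack)
    return server_establish(server, ack) and client.state == "ESTABLISHED"


def blind_ack_rejected(server: Endpoint) -> bool:
    """Constructed case: an ACK whose number was never learned from the SYN/ACK.

    The guess is off by five, so the ACK is dropped and the server stays in
    SYN_RCVD instead of opening the connection.
    """
    server.state = "LISTEN"
    server_syn_ack(server, Segment("10.10.1.2", server.addr, {"SYN"}, 1000))
    guessed = Segment("10.10.1.2", server.addr, {"ACK"}, 1001, (server.isn + 5) % MOD)
    return not server_establish(server, guessed) and server.state == "SYN_RCVD"


if __name__ == "__main__":
    c, s = Endpoint("10.10.1.2"), Endpoint("123.45.67.8")
    print("established:", handshake(c, s), "client ISN", c.isn, "server ISN", s.isn)
    print("blind ACK rejected:", blind_ack_rejected(Endpoint("123.45.67.8")))
```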
TCP/IP
Packet Structures
TCP Header (32 bits wide)
- Source Port, Destination Port
- Sequence Number
- Acknowledgement Number
- Data Offset & Codes, Window
- Checksum, Urgent Pointer
- Options, Padding
- Application Layer Data
UDP Header (32 bits wide)
- Source Port, Destination Port
- Length, Checksum
- Application Layer Data
Goldman, James E. “Local Area Networks” Wiley & Sons. 1997. pp 486-487
TCP/IP
IPv4 Packet Structure
IP Header (32 bits wide)
- Ver., Hdr Len, Service Type, Total Length
- Frag. ID, Frag. Control
- Lifetime, Protocol, Checksum
- Source IP Address
- Destination IP Address
- Options, Padding
- TCP or UDP Data
Goldman, James E. “Local Area Networks” Wiley & Sons. 1997. pg 482
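A parser for the TCP and IPv4 header layouts on the two slides above (an added example, not code from the presentation). The packet bytes are constructed inline so it runs offline; the parser verifies the IPv4 header checksum and length fields and reports whether the packet is a fragment, since a header-only filter sees the full TCP header only in the first fragment. The TCP checksum needs the IP pseudo-header and is reported, not verified.

```python
"""IPv4 and TCP header parser with checksum and length validation (added example)."""
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # Ver/HdrLen, ServiceType, TotalLen, FragID, FragCtl, TTL, Proto, Csum, Src, Dst
TCP_FMT = "!HHIIHHHH"       # SrcPort, DstPort, Seq, Ack, DataOffset/Codes, Window, Csum, UrgentPtr
TCP_CODES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bits 0..5 of the code field


def ipv4_checksum(header: bytes) -> int:
    """Ones' complement of the ones' complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, frag_id, frag_ctl,
     ttl, proto, csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hdr_len < 20 or hdr_len > len(pkt):
        raise ValueError("bad version or header length")
    if total_len < hdr_len or total_len > len(pkt):
        raise ValueError("total length does not match the data")
    flags, frag_offset = frag_ctl >> 13, frag_ctl & 0x1FFF
    return {
        "version": version,
        "header_len": hdr_len,
        "service_type": tos,
        "total_length": total_len,
        "frag_id": frag_id,
        "dont_fragment": bool(flags & 0x2),
        "more_fragments": bool(flags & 0x1),
        "frag_offset": frag_offset,
        "is_fragment": bool(flags & 0x1) or frag_offset != 0,
        "lifetime": ttl,
        "protocol": proto,  # 6 = TCP, 17 = UDP
        "checksum_ok": ipv4_checksum(pkt[:hdr_len]) == 0,  # a valid header sums to zero
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": pkt[20:hdr_len],
        "payload": pkt[hdr_len:total_len],
    }


def parse_tcp(seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_codes,
     window, csum, urgent) = struct.unpack(TCP_FMT, seg[:20])
    data_offset = (off_codes >> 12) * 4
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError("bad data offset")
    flags = {name for bit, name in enumerate(TCP_CODES) if off_codes & (1 << bit)}
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags, "window": window,
        "checksum": csum, "urgent_pointer": urgent,
        "options": seg[20:data_offset], "payload": seg[data_offset:],
    }


def build_sample_packet() -> bytes:
    """Constructed IPv4+TCP SYN: 10.10.1.2:40000 -> 123.45.67.8:80, DF set, TTL 64."""
    tcp = struct.pack(TCP_FMT, 40000, 80, 1000, 0, (5 << 12) | 0x02, 8192, 0, 0)
    ip = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.10.1.2"), socket.inet_aton("123.45.67.8"))
    csum = ipv4_checksum(ip)  # computed with the checksum field zeroed
    return ip[:10] + struct.pack("!H", csum) + ip[12:] + tcp


if __name__ == "__main__":
    ip_hdr = parse_ipv4(build_sample_packet())
    print({k: v for k, v in ip_hdr.items() if k not in ("options", "payload")})
    print(parse_tcp(ip_hdr["payload"]))
```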
Networking
• Purpose
- Share resources: printers, servers, connections, etc.
- Communication between computers
- Central administration
• Scope
- LAN: Shared medium, address space, & access protocol
- MAN: Metropolitan or campus area -- bridges
- WAN: Wide area Inter-network by routers
• Media Access Technologies
- Topology: Physical layout
- Domain: Communications strategy (aka logical topology)
- Method: Access methodology or protocol
- Media: Cabling and other transmission media
• Cabling
- Types: Coax, Twisted-Pair, Fiber-Optic
- Characteristics: Bandwidth, Data Rate, Distance
- Issues: Noise, Attenuation, Crosstalk, Fire Rating
Networking Scope
LANs, MANs, and WANs
• LAN
- A building
- Related Computers
- 100 users or less
- Uniform Security
- Server login
- Limited Distance
• MAN
- A campus
- Unrelated Computers
- 1,000 users or less
- Uniform Security
- Domain login
• WAN
- An enterprise
- Unrelated Computers
- 10,000 users or less
- Non-Uniform Security
- Domain login
[Figure: LAN A, LAN B and LAN C, each with several hosts (H), joined into a wider network]
Media Access Technologies
Ethernet: (IEEE 802.3)
• Purpose: LAN Sharing
• Topologies: Bus or Star
• Domains: Broadcast & Collision
• Methods: CSMA/CD
• Media:
- Coaxial Cable
~ 10Base2: “Thin-net” -- coax, BNC, 185 m, 10 Mbps, bus
~ 10Base5: “Thick-net” -- coax, BNC, 500 m, 10 Mbps, bus
- Twisted-Pair
~ 10Base-T: “Twisted-pair” -- UTP, RJ-45, 100 m, 10 Mbps, star
~ 100Base-TX: “Fast Ethernet” -- dual Cat-5, 100 m, 100 Mbps
~ 1000Base-T: “GigaBit Ethernet” -- quad-Cat-5, 100 m, 1 Gbps
- Fiber-Optic
~ 10Base-FL: “Fiber” -- 4 km, 10 Mbps
~ 100Base-FX: “Fast Fiber” -- 2 km, 100 Mbps
~ 1000Base-LX: “Long-wavelength” -- 3 km, 1 Gbps
Media Access Technologies
Token-Ring: (IEEE 802.5)
• Purpose: LAN Sharing
• Topologies: Bus or Star
• Domains: Sequential & Failure
• Methods: Token-Passing
• Media: Coax or Twisted-Pair
• Implementations: 4 or 16 Mbps
• Issues:
- Tokens: Packet passed from machine to machine
~ Access denied until token received
- MAU: Multi-Station Access Unit -- i.e. a hub
- Active Monitor: Removes undeliverable tokens
- Beaconing: Locates failures & attempts work-around
Media Access Technologies
FDDI: (IEEE 802.8)
• Purpose: Campus & service provider backbone
• Topologies: Ring
• Domains: Sequential
• Methods: Modified Token-Passing
• Media: Fiber-Optic
• Implementations: 100 km, >100 Mbps
• Issues:
- Dual Rings: Adds fault tolerance
~ Counter-Rotating: Pass token in reverse sequence
- CDDI: Copper -- FDDI over UTP
FDDI: Fiber Distributed Data Interface
Cabling
• Types: Twisted-Pair, Coax, Fiber-Optic (See next)
• Characteristics:
- Bandwidth: Highest frequency -- Hz, kHz, MHz, ...
- Data Rate: Throughput -- bps, Kbps, Mbps, ...
- Distance: Recommended length before regenerating
• Issues
- Noise: Accumulates with distance
~ EMI: Electromagnetic Interference -- motors, lights
~ RFI: Radio Frequency Interference -- transmitters, the Sun
- Attenuation: Degrades signal over distance
~ Keep cable runs short, then regenerate
- Crosstalk: Ghost signal induced between cables
~ Reduced by shielding, twisting, or separating
- Fire Rating:
~ Plenum Space: Gap in false ceilings and raised floors
~ Non-Plenum Cables: PVC jacket covering
~ Plenum Cables: Fluoro-polymer covering -- fire resistant
~ Conduits: Metal is fire resistant and physical protection
Cabling
Twisted-Pair
[Figure: Twisted-pair cable types -- Cat 1: Voice, 14.4-56 Kbps; Cat 1 STP: 56-144 Kbps; Cat 3, 4, 5: Data, 4-100 Mbps]
Not Shown
- Cat 2: M/F, 4 Mbps
- Cat 6: 155 Mbps
- Cat 7: 1 Gbps
• Advantages
- Least expensive
- Choice of ratings
~ UTP, STP
~ Cat 1 - 7
• Disadvantages
- Least resistant to interference
- High attenuation
- Easily tapped
Graphics: “Networking Essentials Plus” 3d Ed. Microsoft Press. 2000.
Cabling
Coaxial Cable
[Figure: Coaxial cable types -- RG-58/U (10Base2) = 10 Mbps; RG-59/U (10Base2) = 10 Mbps; RG-6/U (video) 1,500 ft; RG-11/U (video) 3,000 ft]
• Advantages
- EMI resistant
- Higher B/W than UTP
- Longer distance than UTP
• Disadvantages
- Expensive
- Difficult to work with
Graphics: Goldman & Rawles. “Local Area Networks” Wiley & Sons. 2000. pg 132. Figure 3-22
Video Ref: http://www.infosyssec.com/infosyssec_cctv_.htm
Cabling
Fiber Optic Cable
[Figure: Fiber optic cable rates -- 10BaseF = 100 Mbps; OC-1 = 51.84 Mbps; OC-3 = 155.52 Mbps; OC-12 = 622.08 Mbps]
• Advantages
- No EMI or RFI
- Highest B/W
- Longest distance
- Hardest to tap
• Disadvantages
- Most Expensive
- Difficult to work with
Graphics: Goldman & Rawles. “Local Area Networks” Wiley & Sons. 2000. pg 133. Figure 3-23
“Cabling”
Wireless Transmission
Satellite = 64 Kbps - 100 Mbps
Microwave = 64 Kbps - 100 Mbps
WLAN = 2-16 Mbps
Cellular = <56 Kbps
Transmission
Digital versus Analog
• Analog
- Voice, Radio
- Continuous variation
- Modulate carrier signal
~ Shift Keying: Amplitude, Frequency, Phase
• Digital
- Data: 1 or 0
- Pulse: high or low
- Easier to regenerate
[Figure: a sample bit pattern shown as a digital pulse train (high/low) and as an analog carrier modulated by amplitude, frequency and phase shift keying]
Transmission
Asynchronous vs Synchronous
• Asynchronous
- Send at any time
- Start-Stop pulse after every byte
- Modems
• Synchronous
- Timing or Counting
- Sync pulse after every frame or packet
- LANs
Graphics: “Networking Essentials Plus”. Ed.3. Microsoft Press. 2000
Transmission
Broadband versus Baseband
• Narrowband
- Single, small channel
- AM radio, telephone, modem
• Baseband
- Uses entire bandwidth
- Radar, TV, µ-wave radio, F/O
• Broadband
- Splits bandwidth into channels
- ISDN, DSL, ATM, T1, DS3, CATV
[Figure: three voltage-versus-frequency (V vs f) plots -- one narrow channel, one channel filling the whole band, and the band split into several channels]
Source: Chellis, Perkins, Strebe; “Networking Essentials”; Chapter 2: Network Components; Sybex; 1997
Transmission
LAN Transmission Methods
• Unicast: One-to-One
- From one computer to another specific computer
~ Source & destination addresses are specific
- Use: Normal communications
• Multicast: One-to-Many
- From one computer to a group of computers
~ Class D address
- Use: Multimedia, real-time video, voice clips
• Broadcast: One-to-All
- From one computer to all computers on a subnet
~ Example: x.y.z.255
- Use: Administrator notifications, Network mapping
Network Topology
• Physical Topology
- Ring, Bus, Star, Tree, Mesh
• Logical Domains
- Sequential / Failure: Token-Ring
- Broadcast / Collision: Ethernet
• Access Methodology
- Token-Passing
- CSMA/CD: Collision Detection
- CSMA/CA: Collision Avoidance
• Transmission Media
- Metal: Coax, Twisted-Pair
- Glass: Fiber-optic
- Air: Terrestrial Microwave, Satellite, VHF/UHF/SHF radio
Network Topology
Physical Topology
[Figure: Ring, Star, Mesh, Tree and Bus topologies]
Network Topology
Logical Domain
[Figure: Sequential and Broadcast logical domains]
Network Topology
Access Methodology
Token Passing
• Token-Passing
- Token: 24-bit control frame
~ Passed from machine-to-machine
- Process
~ Source machine receives token
› Adds data & addressing -- Send to Dest.
~ Destination copies data
› Returns token to Source -- acknowledged
~ Source removes data -- Transmits Empty Token
- Advantage: No collisions
CSMA/CD
• CSMA/CD
- Carrier: A machine is transmitting
~ Contention: Compete for access
~ Collision: Simultaneous transmits
- Process
~ Source listens for carrier
› If no carrier, transmit. -- Otherwise, wait.
~ Destination receives packet
› If no collision, acknowledge. -- If yes collision, request retransmission
~ Source receives retransmit request
› Wait for random time -- then retransmit
- Advantage: Fast at low traffic loads
Network Topology
Controlled Access Methods
V52: Corrected CSMA/CD to CSMA/CA.
• Collision Avoidance
- CSMA/CA: Source machine signals intent to transmit
~ Intent packet is much smaller than actual data packet
- Demand Priority: Source requests permission
~ Central controller determines who transmits
• Collision Domains
- Setup: Broadcast Domain
~ A group of machines competing for same media
- Problem: Contention leads to collisions
- Causes: Too many machines; too much distance
- Solution: Collision Domains
~ Smaller groupings separated by routers or bridges
• Polling
- Central controller polls each node for data
~ Nodes with data transmit, otherwise NAK
- Repeat in sequence or at regular interval
IEEE 802.x Standards
- 802.1: Internetworking [Management]
- 802.2: Logical Link Control (LLC)
- 802.3: MAC layer, CSMA/CD LAN (Ethernet)
- 802.4: MAC layer, Token Bus LAN
- 802.5: MAC layer, Token Ring LAN
- 802.6: Metropolitan Area Networks (MAN)
- 802.7: Broadband Technical Advisory Group
- 802.8: Fiber-Optic Technical Advisory Group
- 802.9: Integrated Voice/Data Networks
- 802.10: Network Security
- 802.11: Wireless Networks
- 802.12: Demand Priority Access LAN, 100BaseVG-AnyLAN
- 802.13: Unused
- 802.14: Cable Modem Standards
- 802.15: Wireless Personal Area Networks (WPAN)
- 802.16: Broadband Wireless Standards
Source: “Networking Essentials Plus” 3d Ed. Microsoft Press. 2000. pg 222.
IPv4 Address Classes
V52: Corrected Class C Host ID count.
• Class A
- Class ID: 0 (1 bit)
- Network ID: 126 IDs (7 bits)
- Host ID: 16,777,214 Host IDs (24 bits)
• Class B
- Class ID: 10 (2 bits)
- Network ID: 16,382 IDs (14 bits)
- Host ID: 65,534 Host IDs (16 bits)
• Class C
- Class ID: 110 (3 bits)
- Network ID: 2,097,150 IDs (21 bits)
- Host ID: 255 Host IDs (8 bits)
Redrawn from Goldman & Rawles. “Local Area Networks”. Ed.2. Wiley & Sons. 2000
Media Access Protocols
• Addresses
- MAC Address: Unique physical address of NIC
~ Initial MAC in ROM: 24 bit manufacturer code + 24 bit S/N
- IP Address: Unique logical address on network
~ Static: Assigned by administrator
~ Dynamic: Assigned by DHCP server
• Address Resolution Protocol (ARP)
- Given an IP address, get a MAC address
~ Store results in ARP table -- watch out for “poisoning”
• Reverse ARP (RARP)
- Given a MAC address, get an IP address
- Boot Protocol (BOOTP): returns own IP address, name server address and gateway address
• Internet Control Message Protocol (ICMP)
- Delivers messages, reports errors & routing info.
- Replies when testing connectivity & problems
~ “Ping” - Echo frame, Reply frame
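The slide's warning about ARP table “poisoning” can be turned into a simple monitor (an added example, not code from the presentation). It keeps its own IP-to-MAC table from a constructed, tcpdump-like ARP log and alerts when a reply rebinds an IP to a different MAC, when a reply answers no request it saw, and when one MAC ends up bound to several IPs. Addresses and the log format are assumptions.

```python
"""ARP reply monitor that flags the table changes poisoning produces (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log: two hosts answer normally, then one MAC starts claiming both IPs.
ARP_LOG = """\
12:00:01 reply 10.1.1.1 is-at 00:11:22:33:44:01
12:00:02 reply 10.1.1.7 is-at 00:11:22:33:44:07
12:00:03 request who-has 10.1.1.1 tell 10.1.1.7
12:00:03 reply 10.1.1.1 is-at 00:11:22:33:44:01
12:00:09 reply 10.1.1.1 is-at 00:11:22:33:44:99
12:00:10 reply 10.1.1.7 is-at 00:11:22:33:44:99
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>request|reply)\s+(?P<rest>.+)$")
REQUEST_RE = re.compile(r"who-has\s+(?P<target>\S+)\s+tell\s+(?P<asker>\S+)")
REPLY_RE = re.compile(r"(?P<ip>\S+)\s+is-at\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

Alert = Tuple[str, str, str, str]  # (kind, timestamp, subject, detail)


def analyse_arp(log: str) -> Tuple[Dict[str, str], List[Alert]]:
    table: Dict[str, str] = {}  # IP -> MAC as the monitor currently believes it
    pending = set()             # IPs that were asked for and not yet answered
    alerts: List[Alert] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, kind, rest = m["ts"], m["kind"], m["rest"]
        if kind == "request":
            r = REQUEST_RE.search(rest)
            if r:
                pending.add(r["target"])
            continue
        r = REPLY_RE.search(rest)
        if not r:
            continue
        ip, mac = r["ip"], r["mac"].lower()
        if ip not in pending:
            # Gratuitous replies happen legitimately; an unsolicited reply that
            # also rebinds an address is the combination worth escalating.
            alerts.append(("unsolicited-reply", ts, ip, mac))
        pending.discard(ip)
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(("mapping-changed", ts, ip, f"{old} -> {mac}"))
        table[ip] = mac
    by_mac: Dict[str, set] = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("mac-claims-multiple-ips", "-", mac, ",".join(sorted(ips))))
    return table, alerts


def count_alerts(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for kind, *_ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    table, alerts = analyse_arp(ARP_LOG)
    for alert in alerts:
        print(*alert)
    print(table)
```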
Hardware in the OSI Model
[Figure: The OSI layer stack (A: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data-Link, 1 Physical) with the hardware that operates at each layer drawn alongside (B): Repeater, Hub, NIC, Bridge, Switch, VLAN, Router, Brouter, Firewall, VPN, N-IDS, H-IDS, Service Gateway, Session Gateway, Gateway]
Networking Devices
- Repeater: Amplify electrical signals -- L1
~ Regenerator: Recreate digital signals
- Bridge: Connect LAN segments -- Collision domains -- L2
~ Types: Local, Remote, Translation (protocol)
~ Routing: Static, Transparent, Spanning-Tree, Source-Routing
› Forwarding Table: Match source MAC with bridge port #
- Router: Connect similar or different networks -- L3
~ Routing: Static, Dynamic
› Routing Table: Match IP address with router port #
- Switch: Combines repeater with bridge
~ Divides “hub” into multiple, parallel connections
~ Layers 2, 3, 4, 5: MAC, routing, packet inspection, QoS
- VLAN: Switches that logically separate LANs -- L2
- Brouter: Combines bridge with router -- if L3 fails, try L2
- Gateway: Connects two different environments -- L7
~ Network Access Server, Mail Gateway, VoIP
- PBX: Private Branch Exchange -- company phone switch
- Firewall: Restrict access between networks -- L3 & L4
Bridges & Forwarding Tables
(Source Route Bridging Example)
[Figure: Six bridges (A-F), each with numbered ports 0-3, connecting machines #1-#9. An Explorer Packet asks “Machine #8?”; the Routing Packet that comes back carries the discovered route A2-B2-C1-#8, i.e. the bridge port numbers along the path.]
Routers & Routing Tables
[Figure: A router with ports 0-3 (addresses 10.1.1.1, 10.1.1.2, 10.2.2.1, 10.3.3.2) joining subnets 10.1.1.*, 10.2.2.* and 10.3.3.*, further routers reaching 10.4.4.* through 10.7.7.*, and a modem link (123.45.6.7) to the Internet; hosts such as 10.1.1.3 - 10.1.1.8, 10.2.2.2, 10.4.4.1, 10.5.5.1, 10.6.6.1 and 10.7.7.1 hang off the subnets]
- Routing table: Addr -> Router Port # -- one entry per subnet (10.1.1.*, 10.2.2.*, ... 10.7.7.*) plus *.*.*.* for everything else
- ACL (as drawn): Addr, tcp port, ? -- 10.2.2.* 80 -> 1; 10.2.2.2 23 -> 1; 10.2.2.* * -> 0
Protocols
• RIP
• BGP
• OSPF
Network Segregation & Isolation
• Purpose
- Users do not need full access to all assets
~ If physically segregated, must also logically segregate
- Limiting access also reduces network traffic
• Physical Segregation
- Devices: Locked in wiring closets
- Servers: Kept in controlled room
- Workstations: Separated by organization function
• Logical Segregation
- Architecture: Clearly thought-out, fully documented
- Routers: Block broadcast & collision domain information
- Users: Limit number who can connect to critical assets
- ACLs: Strict controls on management segment
• Penetration Testing
- Investigate to see if controls are working
Firewalls
V52: Changed DMZ description.
• Purpose: Restrict access between networks
- Support & enforce organization security policy
~ Acceptable & unacceptable actions
~ Allowable TCP ports & services
~ IP address range restrictions
• Function
- Gateway: router, server, authentication server or device
- Monitors & filters packets based on
~ IP address, TCP port, packet type, protocol, header info, sequence #, ...
• DMZ: Demilitarized Zone
- Segment between protected & unprotected networks
- Usually consists of two firewalls: inward & outward
- DMZ servers: web, file, mail, DNS, IDS
Demilitarized Zone (DMZ)
(AKA “Free Trade Zone” or “Screened Subnet”)
V52: Changed subtitle.
[Figure: Network diagram of four segments joined by routers and switches, each watched by a network IDS (N-IDS) and host IDS (H-IDS):]
- Public Segment: Internet Services (web, http, smtp, DNS, ...) -- reached by Internet Customers
- Data Segment: Data Services (ftp, SQL, API, ...) -- reached by Business Partners (via DCTN) over the Extranet
- Management Segment
- Private Segment: Business Operations (LAN, MAN, WAN)
- External connections: Internet; Dial-up Modems (via PSTN)
Filtering Firewalls
• Packet Filtering - First Generation
- Inspect packet header: IP address & TCP port
~ Use ACL rules to allow or disallow
- Pros: Scalable, Fast, Application independent
- Cons: Header data only, Does not track state
• Proxy Firewalls - Second Generation
- Makes connection: hides private network addresses
~ Handles all messages: copies, inspects, repackages
- Pros: Application aware, Filters at all layers
- Cons: Not scalable, very slow, limited to defined apps
• Stateful Packet Filtering - Third Generation
- Tracks connections to completion
- State Table: Pairs inbound & outbound packets
~ States: Outbound request is waiting for inbound reply
~ Rules: Disallow inbound requests, but allow inbound replies
- Pros: Scalable, Fast, Transparent, Stateful
- Cons: Complexity allows DoS attacks
Proxy Services
• Dual-Homed Host Firewalls
- Two interfaces, Two NICs - inward & outward
~ No packet-forwarding: would allow uncontrolled access
~ Proxy software handles packet transfers
• Proxy Types
- Application-Level: Inspects packet content
~ Access decided based on content of packet
› Service, Protocol, Command: FTP Get vs. FTP Put
~ Pro: High level of granularity
~ Con: Must have one App-Level proxy per service, Slow
- Circuit-Level: Monitors client to server connection
~ Access based on source & destination IP addresses
~ Pro: Handles many protocols
~ Con: Not as granular as App-level
- SOCKS Servers: Circuit-level proxy gateway
~ Usage: Outbound Internet & pseudo VPN functionality
› Provides authentication & encryption
Firewall Architecture
V52: Corrected typo.
• Bastion Host - The Firewall
- Exposed to the Internet: existence is known
- Locked down: Lose all protection if compromised
• Screened Host
- Bastion behind a border router
~ Border router filters out irrelevant Internet traffic
~ Only the firewall talks to the border router
• Screened Subnet
- Bastion between two routers
~ External: Filters traffic from the Internet
~ Internal: Filters traffic to/from private network
• Honeypots
- Purpose: Entice (not entrap) attackers
- Setup: Unprotected computer in the DMZ
- Concept: Loss of honeypot is not critical
~ Can provide warning before attack to critical systems
~ Can support evidence of attack against other systems
Firewall Configuration Guidelines
• Purpose: Separate internal from external, Separate subnets, Construct DMZ buffer zone
• Default:
- Implicitly deny what is not explicitly allowed
• Packets of trouble
- Spoofing: Inbound packet has internal source address
- Zombies: Outbound packet has external source address
- Fragmented: May be malicious when reassembled
- Source-routing: Helps outsiders map internal networks
• Lock-Down
- No unnecessary services
- Disable unused subsystems
- Patch known vulnerabilities
- Disable unused user accounts
- Close unneeded TCP ports
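The third-generation filter from the “Filtering Firewalls” slide combined with the “packets of trouble” and default-deny rules above, as an added example (not code from the presentation). Outbound requests are recorded in a state table and only their replies are let back in; any other inbound packet is implicitly denied unless an ACL entry allows that service, and spoofed, zombie, fragmented and source-routed packets are dropped before any rule is consulted. The internal range 10.0.0.0/8 and the packet stream are assumptions constructed for the run.

```python
"""Stateful packet filter with anti-spoofing and default-deny rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")  # assumed private network behind the firewall
Verdict = Tuple[str, str]            # ("ALLOW" | "DROP", reason)


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving the private net
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    syn_only: bool = False  # TCP SYN without ACK: a new connection request
    fragment: bool = False  # non-first fragment or MF set: headers cannot be fully inspected
    source_routed: bool = False


class StatefulFirewall:
    def __init__(self, allow_inbound: Set[Tuple[str, str, int]] = frozenset()):
        self.allow_inbound = set(allow_inbound)  # (proto, internal dst, dport) explicitly allowed
        # state entries: (proto, internal ip, internal port, external ip, external port)
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def filter(self, p: Packet) -> Verdict:
        src_internal = ip_address(p.src) in INTERNAL
        if p.direction == "in" and src_internal:
            return "DROP", "spoofing: inbound packet with internal source address"
        if p.direction == "out" and not src_internal:
            return "DROP", "zombie: outbound packet with external source address"
        if p.source_routed:
            return "DROP", "source-routed packet"
        if p.fragment:
            return "DROP", "fragment: inspect only after reassembly"
        if p.direction == "out":
            # Remember the outbound request so its reply can be paired with it.
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW", "outbound request recorded in state table"
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            return "ALLOW", "inbound reply paired with outbound request"
        if p.proto == "tcp" and not p.syn_only:
            return "DROP", "inbound TCP segment with no matching connection"
        if (p.proto, p.dst, p.dport) in self.allow_inbound:
            self.state.add(key)  # track the permitted inbound connection too
            return "ALLOW", "inbound request to explicitly allowed service"
        return "DROP", "implicit deny"


def run_stream(fw: StatefulFirewall, packets: List[Packet]) -> List[str]:
    """Apply the filter to packets in order and return the verdicts."""
    return [fw.filter(p)[0] for p in packets]


# Constructed packet stream: a web fetch and its reply, then the troublesome cases.
SAMPLE = [
    Packet("out", "10.1.1.5", "123.4.5.6", "tcp", 40000, 80, syn_only=True),  # ALLOW, creates state
    Packet("in", "123.4.5.6", "10.1.1.5", "tcp", 80, 40000),                  # ALLOW, paired reply
    Packet("in", "123.4.5.6", "10.1.1.5", "tcp", 80, 23, syn_only=True),      # DROP, implicit deny
    Packet("in", "10.1.1.9", "10.1.1.5", "tcp", 1234, 445, syn_only=True),    # DROP, spoofed source
    Packet("out", "123.4.5.6", "9.9.9.9", "udp", 53, 53),                     # DROP, zombie
    Packet("in", "8.8.8.8", "10.2.2.2", "tcp", 50000, 80, syn_only=True),     # ALLOW, allowed web server
    Packet("in", "8.8.8.8", "10.2.2.2", "tcp", 50001, 80, fragment=True),     # DROP, fragment
    Packet("in", "8.8.8.8", "10.2.2.2", "tcp", 50002, 80, syn_only=True, source_routed=True),  # DROP
]

if __name__ == "__main__":
    fw = StatefulFirewall(allow_inbound={("tcp", "10.2.2.2", 80)})
    for p in SAMPLE:
        print(fw.filter(p), p)
```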
Networking Services
Network Operating System (NOS)
• Purpose
- Provides services for networked computers
~ Directory, file, print, backup, & replication
~ Internetworking, routing, WAN & dial-up support
~ Built-in mechanisms for
› authentication, authorization, access control & audit
~ Remote client management tools
~ Software distribution and inventory functions
~ Clustering functionality
~ Fault tolerance capabilities
- Allows centralized use of shared resources
• Key Component: Redirector
- Points to local disk or networked resource
Networking Services
Domain Name Service (DNS)
• Purpose
- Resolve host name URLs to IP addresses
~ Governed by ICANN
• Architecture
- Root Domain Server: Managed by Network Solutions, Inc.
- TLD Server: One for each Top-Level Domain -- i.e. .com
- DNS Server: Usually managed at gateways -- i.e. ISPs
- Authoritative Name Server: DNS for internal “zone”
~ Zone: DNS services for organizational subgroups
› May encompass one or more domains
- Fault tolerance: Primary & secondary servers in parallel
• Name Resolution Process
- User enters a URL: www.somewhere.org
- Client asks name server to resolve to IP
~ If not in Resource Records, pass to next level up
- Name server returns IP address
Networking Services
Top-Level Domains (TLD)
Generic (gTLD) -- Code: Name
- aero: Air-transport industry
- arpa: Infrastructure
- biz: Businesses
- com: US Commercial
- coop: Cooperatives
- edu: US Educational
- gov: US Government
- info: Information
- mil: US Military
- museum: Museums
- name: Individuals
- net: Networks
- org: Organizations
- pro: Professionals
- int: International
Country-Code (ccTLD) -- Code: Name
- au: Australia
- ca: Canada
- cn: China
- de: Germany
- es: Spain
- fr: France
- in: India
- jp: Japan
- kr: Korea, South
- mx: Mexico
- nl: Netherlands
- pl: Poland
- ro: Romania
- ru: Russian Federation
- tv: Tuvalu
- uk: United Kingdom
- us: United States
Generic Top-Level Domains (gTLD): http://www.iana.org/gtld/gtld.htm
Country Code Top-Level Domains (ccTLD): http://www.iana.org/cctld/cctld.htm
Networking Services
Directory Services
• Purpose: Central repository of important network info.
- Provide rich service to users, admins & networks
• Components
- Hierarchical database
~ Object classes & subclasses: Apply policies to objects
› X.500: model for database structure
~ Entities: Instances of objects
› Types: users, computers, peripherals, other resources
› Attributes: name, location, resources, profiles
› Information: peripherals, e-commerce, network services
› Controls: ACLs, audits, resource limits, firewall rules, VPN, QoS
- Schema: Structure of the directory, object relationships
~ Organizations define their own schemas
- LDAP: Lightweight Directory Access Protocol
- Meta-directory: Stores information about directories
~ Allows communication among multiple directories
• Examples
- Microsoft Active Directory, Novell Directory Services (NDS)
The Internet, Intranets, Extranets
[Figure: Enterprise network diagram -- Remote PC’s reach a Modem Server over the PSTN (56-128 Kbps); the Internet and the Extranet enter through a Gateway, Firewall and RADIUS server; inside are Desktop PC’s, a File Server, Intranet Server, Mail Server, Web Server, Database Servers, a Data Terminal, an FDDI ring (155 Mbps+) and an SNA Network with FEP and Main Frame; link speeds shown are 45 Mbps (DS3), 100 Mbps (100BaseT), 16 Mbps (T-Ring) and 1.544 Mbps (T-1); Routers, Switches, N-IDS and H-IDS are marked]
Intranets and Extranets
• Intranets
- Web-based technology on internal networks
~ Easy to implement -- highly interoperable
- Lax controls can lead to policy violations
~ Typing error could access inappropriate content
• Extranets
- Private inter-network between organizations
~ Business-to-business applications
- EDI: Electronic Data Interchange
~ Provides structure & format to electronic documents
- Dedicated links or VPN via the Internet
• Private IP Addresses
- “10”-Net: 10.x.y.z -- internal private networks only
- Class B: 172.16.0.0 - 173.31.255.255
- Class C: 192.168.0.0 - 192.168.255.255 -- e.g. DSL firewall
Network Address Translation (NAT)
• Purpose
- Allow private addresses, but still access Internet
~ Short-term fix until IPv6
~ Hides internal network architecture
• Process: Change addresses in header
- Track state until reply
[Figure: Internal hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind a DSL router (192.68.1.1) whose Internet address is 66.78.9.10]
- Outbound: Source 10.1.1.1, Dest 123.4.5.6 -> rewritten to Source 66.78.9.10, Dest 123.4.5.6
- NAT Table: From 123.4.5.6, To 10.1.1.1 -- the reply addressed to 66.78.9.10 is rewritten to Dest 10.1.1.1
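The translation above, carried through in code as an added example (not code from the presentation). It goes beyond the slide's one-to-one rewrite of 10.1.1.1 to 66.78.9.10: several internal hosts share the one public address, each outbound flow gets its own public port, the reply is matched against that entry and rewritten back, and inbound packets with no entry are discarded, which is what hides the internal addresses. Addresses are the slide's; the public port range is an assumption.

```python
"""Many-to-one NAT with per-flow port translation and state kept until the reply (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "66.78.9.10"   # the DSL router's Internet-facing address on the slide
FIRST_PUBLIC_PORT = 40000  # assumed start of the translated port range

Flow = Tuple[str, int, str, int]  # (internal ip, internal port, external ip, external port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = FIRST_PUBLIC_PORT):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow: Dict[Flow, int] = {}  # outbound flow -> public port
        self.by_port: Dict[int, Flow] = {}  # public port -> flow (the NAT table)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an internal packet's source to the public address and a tracked port."""
        flow: Flow = (p.src, p.sport, p.dst, p.dport)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Packet(self.public_ip, port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite a reply back to the internal host; None means the packet is dropped."""
        if p.dst != self.public_ip:
            return None
        flow = self.by_port.get(p.dport)
        if flow is None:
            return None  # no outbound request recorded for this port: discard
        int_ip, int_port, ext_ip, ext_port = flow
        if (p.src, p.sport) != (ext_ip, ext_port):
            return None  # a reply must come from the host that was contacted
        return Packet(p.src, p.sport, int_ip, int_port)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Constructed run: two internal hosts fetch from 123.4.5.6 and the replies find their way back."""
    nat = Nat()
    out1 = nat.outbound(Packet("10.1.1.1", 5000, "123.4.5.6", 80))
    out2 = nat.outbound(Packet("10.1.1.2", 5000, "123.4.5.6", 80))  # same port inside, distinct outside
    back1 = nat.inbound(Packet("123.4.5.6", 80, PUBLIC_IP, out1.sport))
    stray = nat.inbound(Packet("9.9.9.9", 4444, PUBLIC_IP, 22))  # unsolicited: dropped
    return out1, out2, back1, stray


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```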
Metropolitan Area Network (MAN)
• Purpose: Business backbone
- Connect to Internet, WAN or other business
• Implementations
- FDDI: Fiber Distributed Data Interface -- IEEE 802.8
- SONET: Synchronous Optical Network
~ Telecom over fiber standard: self-healing, redundant paths
~ Content: Digitized voice, Variable frame size
~ Carriers: T-1, Fractional T1, T-3
Wide Area Network (WAN)
V52: Corrected typo.
• Telecommunications Evolution
- Origin: Copper lines, analog, Central Switching Office
- Multiplexing: Combine multiple channels onto one path
- TDM: Time-Division Multiplexing -- shared by timeslot
~ T-1 = 24 channels, T-3 = 28 T-1 channels
- Fiber-optics: Large bandwidth, long-distance, high quality
- Optical Carrier: Packetized TDM over F/O -- e.g. SONET
- ATM: Asynchronous Transfer Mode
~ Fixed-length frames, called “cells”, over SONET
• Dedicated Links
- Lease or “point-to-point”: Fast, but expensive
~ Pro: Only destination points can use it to communicate
~ Con: Connected even during periods of non-use
• T-Carriers
- Dedicated lines carry voice & data over trunks
~ T-1 = 1.544 Mbps, T-3 = 45 Mbps
WAN Protocols (1)
- CSU/DSU: Channel Service Unit/Data Service Unit
~ Bridge digital LANs to telephone WANs
- Switching
~ Circuit-Switching: Connects a channel from end to end
~ Packet-Switching: Packets use multiple paths to the destination
- Virtual Circuits
~ Permanent Virtual Circuit (PVC): Programmed in advance
~ Switched Virtual Circuit (SVC): Built up on demand
- Frame Relay
~ Packet-switching over shared dedicated links
› Cost based on bandwidth needs -- Cheaper than dedicated links
› Committed Information Rate -- Guarantees a specific bandwidth
~ Equipment:
› Data Terminal Equipment (DTE) -- User-owned
› Data Circuit-Terminating Equipment (DCE) -- Telco-owned
- X.25:
~ HDLC frames over carrier switches -- 128 byte data blocks
~ Same as Frame Relay,
› but more error checking, correcting & redundancy
WAN Protocols (2)
- ATM: Asynchronous Transfer Mode
~ Cell-Switching: Data in fixed-size cells -- 53 bytes
~ Connection-Oriented: Virtual circuits guarantee B/W & QoS
› Good for voice & video -- Costs based on bandwidth
- SMDS: Switched Multimegabit Data Service
~ Connect LANs over WANs -- connectionless, packet-switched
- SDLC: Synchronous Data Link Control
~ Dedicated links with permanent physical circuits -- SNA
- HDLC: High-Level Data Link Control
~ Extends SDLC: High throughput because it’s Full-Duplex
- HSSI: High-Speed Serial Interface
~ Connects multiplexers to ATM or Frame Relay -- Layer 1
- VoIP: Voice over Internet Protocol
~ Uses same physical network for both telephone & LAN
› Eliminates need for two cable runs
NetworksV52.ppt Slide: 61
WAN Technologies
• S/WAN: Secure WAN
- Firewall-to-Firewall connection
~ Based on VPNs created with IPSec (a part of IPv6)
› Strong encryption (incl. header), Public-Key authentication
- Initiative of RSA Security
- Linux version: FreeS/WAN
• Multi-Service Access
- Combine voice, data and video
~ Higher performance, reduced costs, greater flexibility
- PSTN: Public Switched Telephone Network
~ Circuit-switched technology -- Signaling System 7 protocol
- VoIP: Voice over Internet Protocol
~ Uses compression & address/protocol translation
~ “Jittering” -- the delay caused by network congestion
- H.323: Multimedia communications terminals & gateways
- VoATM & Vo-Frame Relay
~ Provide better QoS: Quality of Service
NetworksV52.ppt Slide: 62
Remote Access
Connectivity Methods (1)
• Dial-up and RAS
- Analog, point-to-point, circuit-switched
~ Modem provides 56 Kbps
- Network Access Server: Gateway for PPP session
- Remote Access Service: Microsoft version
- RADIUS Server: (See Access Control)
• ISDN: Integrated Services Digital Network
- Digital, point-to-point, circuit-switched
~ Basic (B) channel: 64 Kbps -- voice or data
~ Data (D) channel: 16 Kbps -- signaling
- Basic Rate Interface (BRI): 2B+D = 144 Kbps
- Primary Rate Interface (PRI): 23B+D = 1.544 Mbps
- Broadband-ISDN: backbone service
NetworksV52.ppt Slide: 63
Remote Access
Connectivity Methods (2)
• DSL: Digital Subscriber Line
- Digital, high-speed, broadband -- up to 52 Mbps
~ Rate depends on distance from central office
~ Symmetric or asymmetric
• Cable Modems
- Digital, high-speed, broadband -- up to 50 Mbps
~ Rate depends on number of subscribers
• VPN: Virtual Private Network
- Secure, private connection via public networks
~ Encryption/tunneling ensure privacy -- PPTP, IPSec, L2TP
- Usage
~ Dial-up to ISP to Company: Requires special client S/W
~ User-to-User: Requires VPN S/W, protocols & encryption
~ Gateway-to-Gateway: VPN between routers
~ Firewall-to-Firewall: VPN between firewalls -- Extranet
NetworksV52.ppt Slide: 64
Remote Access
Protocols
• Tunneling Protocols
- Tunnel: Virtual path across networks
~ Allows connection of non-routable protocols -- NetBEUI
- PPP: Point-to-Point Protocol -- Internet dial-up -- replaced SLIP
~ Encapsulate messages & transmit over serial line
- PPTP: Point-to-Point Tunneling Protocol
~ Encrypts & encapsulates PPP packets
- L2F: Layer Two Forwarding -- provides mutual authentication
- L2TP: Layer Two Tunneling Protocol -- PPTP + L2F
~ Tunnels many types of networks, but is not encrypted
• Authentication Protocols
- Negotiation order: EAP, CHAP, PAP
- PAP: Password Authentication Protocol -- Cleartext
~ Vulnerable to sniffing, replay and MiM attacks
- CHAP: Challenge-Handshake Authentication Protocol
~ Encrypt & compare random value
- EAP: Extensible Authentication Protocol -- framework
~ Allows tokens, biometrics, one-time P/W, ...
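To make the PAP versus CHAP contrast on this slide concrete, an added example (not part of the slides) that implements the RFC 1994 CHAP computation and shows why a sniffed CHAP response does not replay while a sniffed PAP password does; the shared secret is a constructed sample value.

```python
import hashlib
import hmac
import os

# Added example, not from the slides: a PPP CHAP exchange per RFC 1994.
# The peer proves it knows the shared secret by returning
# MD5(identifier || secret || challenge); the secret itself is never sent.
# The secret below is a constructed sample value held by both peers.
SHARED_SECRET = b"constructed-shared-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: RFC 1994 response = MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response with the stored secret."""
    expected = chap_response(identifier, SHARED_SECRET, challenge)
    return hmac.compare_digest(expected, response)


def pap_verify(password: bytes) -> bool:
    """PAP server check: the password arrives in cleartext and is compared."""
    return hmac.compare_digest(password, SHARED_SECRET)


def pap_replay_succeeds(sniffed_password: bytes) -> bool:
    """A sniffer that saw the PAP password on the wire simply sends it again."""
    return pap_verify(sniffed_password)


def chap_replay_succeeds() -> bool:
    """A sniffer captures one CHAP session and replays the response later."""
    ident, challenge = 1, os.urandom(16)           # server issues challenge
    sniffed = chap_response(ident, SHARED_SECRET, challenge)
    assert chap_verify(ident, challenge, sniffed)  # genuine session passes
    # Next session: the server picks a new ID and a fresh random challenge,
    # so the captured response no longer matches what the server expects.
    ident2, challenge2 = 2, os.urandom(16)
    return chap_verify(ident2, challenge2, sniffed)


if __name__ == "__main__":
    print("PAP replay works :", pap_replay_succeeds(SHARED_SECRET))  # True
    print("CHAP replay works:", chap_replay_succeeds())              # False
```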
NetworksV52.ppt Slide: 65
Remote Access
Guidelines
• Modems
- Caller ID: Don’t answer if not on approved # list
- Call-Back: Call back to prearranged phone number
~ Compromised if call-back # has Call-Forwarding
- Modem Pools: Consolidate for consistent security
~ Should go through the firewall, just like Internet
• Wardialing: Call all numbers to find modems
- Precautions: Disable unprotected modems, Answer after fourth ring, Dial-out only
• “Always-on” Connections
- DSL & cable modems are susceptible to attacks
~ Sniffing, scanning, probing, hacking, DoS’ing, etc.
- Countermeasure: Personal firewalls
• General
- Identify & audit users: Disable unneeded accounts
- Two-factor authentication: RADIUS or TACACS+
NetworksV52.ppt Slide: 66
Resource Availability
V52: Added acronym.
• Networks
- Cables: Correct type & length, tested for breaks
- NICs: Faulty, wrong speed, duplicate MAC address
• Single Points of Failure (SPoF)
- Precautions: redundancy, backups, maintenance
• RAID: Redundant Array of Inexpensive Disks
• Clustering
- Servers viewed & managed as a single system
~ Share tasks, load balancing -- better than a hot-backup
• Backups
- Policy defines what gets backed up, how often
- Balance cost of backups against potential loss
• Archives
- Tertiary data store: Off-site, slow retrieval
NetworksV52.ppt Slide: 67
Network & Resource Availability
RAID
• Redundant Array of Inexpensive Disks
- Level 0: Striping -- data written across multiple disks
- Level 1: Mirroring -- data duplicated on multiple disks
- Level 2: Hamming Code -- bit-level striping w/parity
- Level 3: Byte-Level -- data striping w/parity disk
- Level 4: Block-Level -- disk sector striping w/parity
- Level 5: Interleave -- disk sector writing using XOR parity -- eliminates SPoF
- Level 6: Second parity -- RAID 5, but duplicate parity
- Level 10: 1+0 -- combines RAID 1 & 0
- Level 15: 1+5 -- combines RAID 1 & 5
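The XOR parity behind the Level 5 "eliminates SPoF" point, as an added example (not part of the slides): a small Python model that stripes data with rotating parity, rebuilds one lost disk from the survivors, and refuses the two-disk loss that Level 6's second parity exists for. Disk count and block size are constructed demo parameters.

```python
from typing import List, Optional

# Added example, not from the slides: a byte-level model of RAID 5.
# Each stripe holds (ndisks - 1) data blocks plus one XOR parity block, and
# the parity block rotates across disks so no single disk is a parity hotspot.
# Disk count and block size are constructed parameters for the demo.


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together (parity is the XOR of the data blocks)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, ndisks: int, block: int) -> List[List[bytes]]:
    """Lay data out in RAID 5 stripes; returns one block list per disk."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    chunk = block * (ndisks - 1)                              # data bytes per stripe
    data = data.ljust(-(-len(data) // chunk) * chunk, b"\0")  # pad the last stripe
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // chunk):
        stripe = data[s * chunk:(s + 1) * chunk]
        parts = [stripe[i * block:(i + 1) * block] for i in range(ndisks - 1)]
        parts.insert(s % ndisks, xor_blocks(parts))           # rotating parity slot
        for d in range(ndisks):
            disks[d].append(parts[d])
    return disks


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Read data back, skipping each stripe's parity block."""
    ndisks = len(disks)
    out = b"".join(disks[d][s] for s in range(len(disks[0]))
                   for d in range(ndisks) if d != s % ndisks)
    return out[:length]


def raid5_rebuild(disks: List[Optional[List[bytes]]]) -> List[List[bytes]]:
    """Rebuild the one disk marked None (XOR of survivors); two losses need RAID 6."""
    if disks.count(None) != 1:
        raise ValueError("RAID 5 tolerates exactly one failed disk")
    lost = disks.index(None)
    survivors = [d for d in disks if d is not None]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    return disks[:lost] + [rebuilt] + disks[lost + 1:]
```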
NetworksV52.ppt Slide: 68
Wireless Technologies
V25: Modified 802.11a bandwidth.
• Wireless Communications
- General: Higher frequencies carry more data
› but are susceptible to atmospheric interference & noise
- WLAN: Wireless LAN
~ 802.11a: 54 Mbps over 5 GHz
~ 802.11b: 11 Mbps over 2.4 GHz
- WAP: Wireless Application Protocol
~ Wireless Markup Language (WML): (similar to HTML)
~ WMLscript: (similar to JavaScript)
~ Wireless Transport Layer Security (WTLS): (TLS & SSL)
› session, transaction, and transport layer security
- Issue: WTLS is decrypted at the WAP gateway
• Wireless Personal Area Network -- “Bluetooth”
- Devices set up networks spontaneously
~ Very short range: must detect presence of each other
› Challenge-response configures domain of trust
~ Encryption & authentication included
- Media: any conductive surface -- including human skin
NetworksV52.ppt Slide: 69
Summary
• Introduction
- How protocols work
• The OSI Model
• TCP/IP
• Networking
- Media Access Technologies
- Cabling
- Transmission
- Network Topology
- Standards
- Media Access Protocols
- Networking Devices
- Segregation and Isolation
• Firewalls
• Networking Services
• Intranets and Extranets
• MANs and WANs
• Remote Access
• Resource Availability
• Wireless Technologies
• Summary
NetworksV52.ppt Slide: 70