EVOC 502/503 CSUSB IN-SERVICE PRESENTATION
Telecommunications and Network Security
Presented by Victor E. Dike
Textbook: Harris, Shon. "CISSP Certification Exam Guide". McGraw-Hill. 2002.
CISSP - Telecommunications & Networks (NetworksV52.ppt)

Slide 1: Title slide

Slide 2: Overview
• Introduction - How protocols work
• The OSI Model
• TCP/IP
• Networking
  - Media Access Technologies
  - Cabling
  - Transmission
  - Network Topology
  - Standards
  - Media Access Protocols
  - Networking Devices
  - Segregation and Isolation
• Firewalls
• Networking Services
• Intranets and Extranets
• MANs and WANs
• Remote Access
• Resource Availability
• Wireless Technologies
• Summary

Slide 3: Introduction
• Environment - Mechanisms, devices, software, protocols
• Network Admin
  - Configures the environment
  - Resolves interoperability issues
  - Interfaces with telecommunications
  - Strong troubleshooting ability
• Security Professional
  - Everything the admin does, plus understands the vulnerabilities
  - Secures applications, e.g. against buffer overflows
  - Secures the network architecture
  - Understands how the protocols work
  - Decides placement of firewalls, routers, switches, etc.
• Layered Security - Provide multiple barriers, so that one failed control does not expose everything

Slide 4: How Protocols Work
• Protocols: systematic steps, carried out in a consistent order by both ends
• Sending computer
  - Packetizes the message
  - Addresses each packet (source & destination)
  - Transmits
• Receiving computer
  - Picks the data off the cable
  - Strips header/trailer
  - Buffers and reassembles
  - Passes the result to the application
• Diagram: two seven-layer stacks (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical). A non-routable protocol carries no Network-layer address and stays in one LAN (only the Data Link and Physical layers are involved between hosts); a routable protocol carries a Network-layer address and can be forwarded LAN-to-LAN.

Slide 5: The OSI Model - Application Layer (7)
• Functions
  - User-to-Process interface
  - Database access
  - E-mail (e.g. X.400)
  - File transfer
  - Remote connection
• Protocols: FTP, TFTP, HTTP, LPD, SMTP, SNMP, Telnet, WWW

Slide 6: The OSI Model - Presentation Layer (6)
• Functions
  - Process-to-Session interface
  - Protocol conversion
  - Data translation
  - Compression/Encryption
  - Character set conversion
  - Graphics command interpretation
  - Redirectors: file system, printers, networks
• Formats: ASCII, EBCDIC, Encrypted, GIF, JPEG, MPEG, MIDI, TIFF, Compressed

Slide 7: The OSI Model - Session Layer (5)
• Functions
  - Process-to-Process
  - Establishes the communication link between processes
  - Controls the dialog: transmit/receive
  - Synchronization: inserts checkpoints so long transfers can resume
  - Modes: Simplex, Half-Duplex, Full-Duplex
• Protocols (textbook placement): SSL, NFS, SQL, RPC
  - Caveat: SSL/TLS runs directly above TCP and is variously mapped to the Session or Presentation layer; the placement is a convention, not a property of the protocol.

Slide 8: The OSI Model - Transport Layer (4)
• Functions
  - Session-to-Network interface
  - Packetizes (segments) session messages
  - Ensures a reliable connection
  - Transmits acknowledgements
• Types
  - Connection-Oriented (TCP): sets up a connection, then sequences, acknowledges and retransmits
  - Connectionless (UDP): best-effort datagrams, no ordering or acknowledgement
  - A connection-oriented transport can run over either a connection-oriented (X.25) or a connectionless (IP) Network layer; over IP the transport itself must reorder and acknowledge segments
• Protocols: TCP, UDP, SPX

Slide 9: The OSI Model - Network Layer (3)
• Functions
  - Network-to-Network
  - Packet transmission
  - Intermediate routing decisions
  - Load adaptation
• Types
  - Connection-Oriented = X.25
  - Connectionless = IP
• Protocols: IP, ICMP, RIP, OSPF, BGP, IGMP

Slide 10: The OSI Model - Data Link Layer (2)
• Functions
  - Machine-to-Machine (on the same link)
  - Frame creation
  - Error detection (checksums/CRC)
  - Error correction (retransmission in some link protocols)
  - Frame sequencing
• Formats: Ethernet, Token-Ring, ATM, FDDI, ISDN
• Protocols: SLIP, PPP, ARP, RARP, L2F, L2TP

Slide 11: The OSI Model - Physical Layer (1)
• Functions
  - Adapter-to-Adapter
  - Transmission of bits
  - Voltage levels
  - Bits per second
  - Connector dimensions
  - Adapter interrupts
• Formats: RS-232, HSSI, X.21, EIA-449, Cat-5/-6, Coax, PCMCIA, USB

Slide 12: The OSI Model - Encapsulation
• Diagram: the application message passes down the stack; each layer (Application, Presentation, Session, Transport, Network) prepends its own header, the Data Link layer adds a header and a trailer, and the Physical layer transmits the resulting bits. The receiver strips them in the reverse order.
Slide 13: TCP/IP (and the OSI model) [V52: Split Application Layer.]
• Layer mapping
  - OSI 7 Application, 6 Presentation, 5 Session = TCP/IP Application: HTTP, SMTP, FTP, Telnet, TFTP, SNMP, APPC, FTAM, WinSock, NetBIOS, DHCP
  - OSI 4 Transport = TCP/IP Host-to-Host: TCP, UDP
  - OSI 3 Network = TCP/IP Internet: IP, ICMP, ARP, RARP
  - OSI 2 Data Link, 1 Physical = TCP/IP Network Access: LLC, MAC

Slide 14: TCP/IP - TCP, UDP, IP
• TCP: Transmission Control Protocol
  - Service addressing: port numbers
  - Governs transmission between devices
    ~ Connection-Oriented: TCP "three-way" handshake
    ~ Packet sequencing, flow control, error detection and retransmission
• UDP: User Datagram Protocol
  - Does not govern transmission
    ~ Connectionless: best effort, no acknowledgements
• IP: Internet Protocol
  - Inter-network addressing: IP addresses
  - Packet forwarding & routing

Slide 15: TCP/IP - TCP "Three-Way" Handshake
• Client (10.10.1.2) -> Server (123.45.67.8): SYN, destination port, seq = client ISN
• Server -> Client: SYN/ACK, seq = server ISN, ack = client ISN + 1
• Client -> Server: ACK, seq = client ISN + 1, ack = server ISN + 1
• ISN: Initial Sequence Number
  - Picked (pseudo-)randomly by each side
  - Controls packet sequence for the rest of the connection
  - Caveat: a predictable ISN lets an attacker complete the handshake blind, i.e. spoof or hijack a connection

Slide 16: TCP/IP - Packet Structures
• TCP header (rows are 32 bits wide)
  - Source Port (16) | Destination Port (16)
  - Sequence Number (32)
  - Acknowledgement Number (32)
  - Data Offset (4) | Reserved (6) | Code bits/flags (6) | Window (16)
  - Checksum (16) | Urgent Pointer (16)
  - Options | Padding
  - Application Layer Data
• UDP header
  - Source Port (16) | Destination Port (16)
  - Length (16) | Checksum (16)
  - Application Layer Data
• Source: Goldman, James E. "Local Area Networks". Wiley & Sons. 1997. pp 486-487

Slide 17: TCP/IP - IPv4 Packet Structure
• IPv4 header (rows are 32 bits wide)
  - IP Version (4) | Header Length (4) | Service Type (8) | Total Length (16)
  - Fragment ID (16) | Fragment Control: flags (3) + offset (13)
  - Lifetime/TTL (8) | Protocol (8) | Header Checksum (16)
  - Source IP Address (32)
  - Destination IP Address (32)
  - Options | Padding
  - TCP or UDP data
• Source: Goldman, James E. "Local Area Networks". Wiley & Sons. 1997. pg 482
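The header layouts of slides 16 and 17 and the handshake of slide 15, worked through in code. This is an added example, not part of the deck: it builds an IPv4+TCP segment field by field (the encapsulation of slide 12), parses it back and verifies the IPv4 checksum, and checks that three segments form a valid handshake. The hosts are the slide's 10.10.1.2 and 123.45.67.8; the ports and ISNs are constructed.

```python
# Added example (not from the slides): build/parse IPv4 and TCP headers as laid
# out on slides 16-17 and validate the three-way handshake of slide 15.
# Addresses, ports and ISNs are constructed for illustration.
import socket
import struct

IP_PROTO_TCP = 6
# TCP code bits (slide 16): only SYN and ACK are needed for the handshake
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = IP_PROTO_TCP, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (slide 17), no options, checksum filled in."""
    ver_ihl = (4 << 4) | 5                      # version 4, header length 5 words
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len,
                      0x1234, 0x4000,            # ID; flags=DF, fragment offset 0
                      ttl, proto, 0,             # checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]


def tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int, window: int = 65535) -> bytes:
    """20-byte TCP header (slide 16). TCP checksum left 0: it needs a pseudo-header."""
    data_offset = 5 << 12                       # 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, data_offset | flags, window, 0, 0)


def ipv4_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return checksum16(pkt[:ihl]) == 0           # summing a valid header incl. its checksum gives 0


def parse_packet(pkt: bytes) -> dict:
    """Decapsulate IPv4 + TCP (slide 12 in reverse); raises on a corrupt IP header."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ipv4_checksum_ok(pkt):
        raise ValueError("bad IPv4 header")
    out = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    if proto == IP_PROTO_TCP:
        sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
        out.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x1FF, window=window)
    return out


def check_handshake(pkts: list) -> bool:
    """True iff pkts are the SYN, SYN/ACK, ACK of slide 15 with consistent ISNs."""
    if len(pkts) != 3:
        return False
    a, b, c = (parse_packet(p) for p in pkts)
    mask = 0xFFFFFFFF
    syn_ok = a["flags"] == SYN
    synack_ok = (b["flags"] == SYN | ACK and b["ack"] == (a["seq"] + 1) & mask
                 and (b["src"], b["sport"]) == (a["dst"], a["dport"]))
    ack_ok = (c["flags"] == ACK and c["seq"] == (a["seq"] + 1) & mask
              and c["ack"] == (b["seq"] + 1) & mask)
    return syn_ok and synack_ok and ack_ok


def example_handshake(isn_client: int = 0x1A2B3C4D, isn_server: int = 0x99887766) -> list:
    """Constructed exchange between the slide's client and server."""
    client, server = "10.10.1.2", "123.45.67.8"

    def seg(src, dst, sport, dport, seq, ack, flags):
        t = tcp_header(sport, dport, seq, ack, flags)
        return ipv4_header(src, dst, len(t)) + t

    return [
        seg(client, server, 40000, 80, isn_client, 0, SYN),
        seg(server, client, 80, 40000, isn_server, isn_client + 1, SYN | ACK),
        seg(client, server, 40000, 80, isn_client + 1, isn_server + 1, ACK),
    ]


if __name__ == "__main__":
    for p in example_handshake():
        print(parse_packet(p))
```

The TCP checksum is left at zero because it covers a pseudo-header (source, destination, protocol, length) in addition to the segment; adding it is a small extension. Note what the checker does not do: it does not verify that the server's ISN is unpredictable, which is exactly the property a blind-spoofing attacker exploits.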
Slide 18: Networking
• Purpose
  - Share resources: printers, servers, connections, etc.
  - Communication between computers
  - Central administration
• Scope
  - LAN: shared medium, address space & access protocol
  - MAN: metropolitan or campus area, joined by bridges
  - WAN: wide-area inter-network, joined by routers
• Media Access Technologies
  - Topology: physical layout
  - Domain: communications strategy (aka logical topology)
  - Method: access methodology or protocol
  - Media: cabling and other transmission media
• Cabling
  - Types: Coax, Twisted-Pair, Fiber-Optic
  - Characteristics: bandwidth, data rate, distance
  - Issues: noise, attenuation, crosstalk, fire rating

Slide 19: Networking Scope - LANs, MANs, and WANs
• LAN: a building; related computers; 100 users or less; uniform security; server login; limited distance
• MAN: a campus; unrelated computers; 1,000 users or less; uniform security; domain login
• WAN: an enterprise; unrelated computers; 10,000 users or less; non-uniform security; domain login
• Diagram: LAN A, LAN B and LAN C, each with several hosts (H), interconnected to form the wider network

Slide 20: Media Access Technologies - Ethernet (IEEE 802.3)
• Purpose: LAN sharing
• Topologies: Bus or Star
• Domains: Broadcast & Collision
• Method: CSMA/CD
• Media
  - Coaxial cable
    ~ 10Base2: "Thin-net", RG-58 coax, BNC connectors, 185 m, 10 Mbps, bus
    ~ 10Base5: "Thick-net", thick coax, AUI/vampire taps, 500 m, 10 Mbps, bus
  - Twisted-pair
    ~ 10Base-T: UTP, RJ-45, 100 m, 10 Mbps, star
    ~ 100Base-TX: "Fast Ethernet", two pairs of Cat-5, 100 m, 100 Mbps
    ~ 1000Base-T: "Gigabit Ethernet", all four pairs of Cat-5/5e, 100 m, 1 Gbps
  - Fiber-optic
    ~ 10Base-FL: 4 km, 10 Mbps
    ~ 100Base-FX: "Fast Fiber", 2 km, 100 Mbps
    ~ 1000Base-LX: "Long-wavelength", 3 km, 1 Gbps

Slide 21: Media Access Technologies - Token-Ring (IEEE 802.5)
• Purpose: LAN sharing
• Topology: physical star (hub-wired), logical ring
• Domains: Sequential & Failure
• Method: Token-Passing
• Media: shielded or unshielded twisted-pair
• Implementations: 4 or 16 Mbps
• Issues
  - Token: a control frame passed from machine to machine
    ~ A station may not transmit until it holds the token
  - MAU: Multi-Station Access Unit, i.e. the hub
  - Active Monitor: removes undeliverable (endlessly circulating) frames and tokens
  - Beaconing: locates failures & attempts a work-around

Slide 22: Media Access Technologies - FDDI
• FDDI: Fiber Distributed Data Interface (ANSI X3T9.5; IEEE 802.8 is the fiber-optic advisory group, not the FDDI standard)
• Purpose: campus & service-provider backbone
• Topology: Ring
• Domain: Sequential
• Method: modified token-passing
• Media: fiber-optic
• Implementations: 100 Mbps, up to 100 km of total ring
• Issues
  - Dual rings: adds fault tolerance
    ~ Counter-rotating: the second ring passes the token in the reverse direction and takes over on a break
  - CDDI: Copper Distributed Data Interface, FDDI over UTP

Slide 23: Cabling
• Types: Twisted-Pair, Coax, Fiber-Optic (see next slides)
• Characteristics
  - Bandwidth: highest usable frequency (Hz, kHz, MHz, ...)
  - Data rate: throughput (bps, Kbps, Mbps, ...)
  - Distance: recommended length before the signal must be regenerated
• Issues
  - Noise: accumulates with distance
    ~ EMI: Electromagnetic Interference (motors, lights)
    ~ RFI: Radio Frequency Interference (transmitters, the Sun)
  - Attenuation: the signal degrades over distance
    ~ Keep cable runs short, then regenerate
  - Crosstalk: ghost signal induced between adjacent cables
    ~ Reduced by shielding, twisting, or separating
  - Fire rating
    ~ Plenum space: the gap above false ceilings and under raised floors, which carries air
    ~ Non-plenum cables: PVC jacket (gives off toxic smoke when burning)
    ~ Plenum cables: fluoropolymer jacket, fire resistant
    ~ Conduits: metal is fire resistant and adds physical protection

Slide 24: Cabling - Twisted-Pair
• Ratings (graphic: "Networking Essentials Plus", 3rd Ed., Microsoft Press, 2000)
  - Cat 1: voice, 14.4-56 Kbps (Cat 1 STP: 56-144 Kbps)
  - Cat 2: 4 Mbps (not shown)
  - Cat 3, 4, 5: data, 10-100 Mbps (Cat 3 is rated to 16 MHz, Cat 5 to 100 MHz)
  - Cat 5e/6: 1 Gbps over 100 m (Cat 6 rated to 250 MHz)
  - Cat 6a/7: 10 Gbps over 100 m (the deck's 155 Mbps / 1 Gbps figures predate these ratings)
• Advantages
  - Least expensive
  - Choice of ratings: UTP or STP, Cat 1-7
• Disadvantages
  - Least resistant to interference
  - High attenuation
  - Easily tapped

Slide 25: Cabling - Coaxial Cable
• Types
  - RG-58/U, 50 ohm: 10Base2, 10 Mbps
  - RG-59/U, 75 ohm: video and ARCNET (not Ethernet)
  - RG-6/U: video, 1,500 ft
  - RG-11/U: video, 3,000 ft
• Advantages
  - EMI resistant (shielded)
  - Higher bandwidth than UTP
  - Longer distance than UTP
• Disadvantages
  - Expensive
  - Difficult to work with
• Graphic: Goldman & Rawles. "Local Area Networks". Wiley & Sons. 2000. pg 132, Figure 3-22
• Video reference: http://www.infosyssec.com/infosyssec_cctv_.htm

Slide 26: Cabling - Fiber Optic Cable
• Rates
  - 10Base-FL = 10 Mbps, 100Base-FX = 100 Mbps
  - OC-1 = 51.84 Mbps
  - OC-3 = 155.52 Mbps
  - OC-12 = 622.08 Mbps
• Advantages
  - No EMI or RFI
  - Highest bandwidth
  - Longest distance
  - Hardest to tap
• Disadvantages
  - Most expensive
  - Difficult to work with
• Graphic: Goldman & Rawles. "Local Area Networks". Wiley & Sons. 2000. pg 133, Figure 3-23

Slide 27: "Cabling" - Wireless Transmission (figures as of 2002)
• Satellite = 64 Kbps - 100 Mbps
• Microwave = 64 Kbps - 100 Mbps
• WLAN = 2-16 Mbps
• Cellular = <56 Kbps

Slide 28: Transmission - Digital versus Analog
• Analog
  - Voice, radio
  - Continuous variation
  - Data is carried by modulating a carrier signal: Amplitude, Frequency or Phase shift keying
• Digital
  - Data: 1 or 0
  - Pulse: high or low
  - Easier to regenerate (a repeater only has to decide high or low)
• Diagram: a bit stream (e.g. 0 0 1 1 0 1 0 0 ...) shown as a square-wave digital pulse train and as an amplitude-, frequency- and phase-keyed carrier

Slide 29: Transmission - Asynchronous vs Synchronous
• Asynchronous
  - Send at any time
  - Start-stop bits around every byte
  - Modems
• Synchronous
  - Timing or counting shared by both ends
  - Sync pattern after every frame or packet
  - LANs
• Graphic: "Networking Essentials Plus", 3rd Ed., Microsoft Press, 2000

Slide 30: Transmission - Broadband versus Baseband
• Narrowband
  - Single, small channel
  - AM radio, telephone, modem
• Baseband
  - One signal uses the entire bandwidth of the medium
  - Radar, TV, microwave radio, fiber-optic (and Ethernet LANs)
• Broadband
  - Splits the bandwidth into multiple channels
  - ISDN, DSL, ATM, T1, DS3, CATV
• Diagram: voltage versus frequency plots for the three cases
• Source: Chellis, Perkins, Strebe. "Networking Essentials". Chapter 2: Network Components. Sybex. 1997

Slide 31: Transmission - LAN Transmission Methods
• Unicast: One-to-One
  - From one computer to another specific computer
    ~ Source & destination addresses are specific
  - Use: normal communications
• Multicast: One-to-Many
  - From one computer to a group of computers
    ~ Class D address (224.0.0.0 - 239.255.255.255)
  - Use: multimedia, real-time video, voice
• Broadcast: One-to-All
  - From one computer to all computers on a subnet
    ~ Example: x.y.z.255 (directed broadcast of a /24); 255.255.255.255 is the limited broadcast
  - Use: administrator notifications, ARP/DHCP discovery, network mapping (an attacker can map a subnet with a single broadcast ping)

Slide 32: Network Topology
• Physical Topology
  - Ring, Bus, Star, Tree, Mesh
• Logical Domains
  - Sequential / Failure: Token-Ring
  - Broadcast / Collision: Ethernet
• Access Methodology
  - Token-Passing
  - CSMA/CD: Collision Detection
  - CSMA/CA: Collision Avoidance
• Transmission Media
  - Metal: Coax, Twisted-Pair
  - Glass: Fiber-optic
  - Air: terrestrial microwave, satellite, VHF/UHF/SHF radio

Slide 33: Network Topology - Physical Topology
• Diagram: Ring, Star, Mesh, Tree and Bus layouts

Slide 34: Network Topology - Logical Domain
• Diagram: a Sequential domain (each station passes to the next) beside a Broadcast domain (every station hears every transmission)

Slide 35: Network Topology - Access Methodology
• Token-Passing
  - Token: a 24-bit control frame passed from machine to machine
  - Process
    ~ Source machine receives the token, adds data & addressing, sends to the destination
    ~ Destination copies the data and returns the frame to the source, marked as received (the acknowledgement)
    ~ Source removes the data and transmits an empty token
  - Advantage: no collisions
• CSMA/CD
  - Carrier: a machine is transmitting
    ~ Contention: stations compete for access
    ~ Collision: simultaneous transmissions
  - Process
    ~ Source listens for a carrier: if none, transmit (while still listening); otherwise wait
    ~ If a collision is detected during transmission, the sender sends a jam signal, waits a random back-off time, then retransmits
    ~ There is no acknowledgement at this layer: a frame that was not delivered is noticed (if at all) by higher-layer protocols such as TCP
  - Advantage: fast at low traffic loads; throughput drops as collisions rise

Slide 36: Network Topology - Controlled Access Methods [V52: Corrected CSMA/CD to CSMA/CA.]
• Collision Avoidance
  - CSMA/CA: the source machine signals its intent to transmit
    ~ The intent packet is much smaller than the actual data packet
  - Demand Priority: the source requests permission
    ~ A central controller (the hub) determines who transmits
• Collision Domains
  - Setup: a broadcast domain is a group of machines competing for the same media
  - Problem: contention leads to collisions
  - Causes: too many machines; too much distance
  - Solution: smaller collision domains, separated by bridges or switches (routers additionally separate broadcast domains)
• Polling
  - A central controller polls each node for data
    ~ Nodes with data transmit, otherwise they send a NAK
  - Repeat in sequence or at a regular interval

Slide 37: IEEE 802.x Standards
• 802.1 Internetworking (bridging and management)
• 802.2 Logical Link Control (LLC)
• 802.3 MAC layer, CSMA/CD LAN (Ethernet)
• 802.4 MAC layer, Token Bus LAN
• 802.5 MAC layer, Token Ring LAN
• 802.6 Metropolitan Area Networks (MAN)
• 802.7 Broadband Technical Advisory Group
• 802.8 Fiber-Optic Technical Advisory Group
• 802.9 Integrated Voice/Data Networks
• 802.10 Network Security
• 802.11 Wireless Networks
• 802.12 Demand Priority Access LAN, 100BaseVG-AnyLAN
• 802.13 Unused
• 802.14 Cable Modem Standards
• 802.15 Wireless Personal Area Networks (WPAN)
• 802.16 Broadband Wireless Standards
• Source: "Networking Essentials Plus", 3rd Ed., Microsoft Press, 2000, pg 222
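The CSMA/CD process of slide 35 as a runnable slot-level simulation. This is an added example, not from the deck: it implements the truncated binary exponential back-off that IEEE 802.3 adapters actually use (after the n-th collision wait 0 to 2^min(n,10) - 1 slot times; discard the frame after 16 attempts), which the slide only summarises as "wait for random time". The station names and the back-off draw functions are constructed so that the run is deterministic; a real adapter draws the slot count at random.

```python
# Added example (not from the slides): CSMA/CD with IEEE 802.3 truncated binary
# exponential back-off. Stations and draw functions are constructed.


def simulate_csma_cd(frames, draw, frame_slots=4, max_attempts=16, max_time=10_000):
    """frames: {station: number of frames to send}, all ready at time 0.
    draw(station, attempt, upper) -> back-off slot count in [0, upper).
    Returns (event log, frames discarded per station)."""
    pending = dict(frames)
    attempts = {s: 0 for s in frames}
    wait_until = {s: 0 for s in frames}
    discarded = {s: 0 for s in frames}
    busy_until, t, log = 0, 0, []
    while any(pending.values()) and t < max_time:
        if t < busy_until:                   # carrier sensed: defer until the medium is idle
            t = busy_until
            continue
        ready = [s for s in frames if pending[s] and wait_until[s] <= t]
        if not ready:
            t += 1
            continue
        if len(ready) == 1:                  # sole transmitter: the frame goes out, no MAC-level ACK
            s = ready[0]
            log.append((t, "sent", s))
            pending[s] -= 1
            attempts[s] = 0
            busy_until = t + frame_slots
            continue
        log.append((t, "collision", tuple(ready)))   # all detect it, jam, then back off
        for s in ready:
            attempts[s] += 1
            if attempts[s] > max_attempts:   # 802.3 gives up after 16 attempts
                log.append((t, "discarded", s))
                pending[s] -= 1
                discarded[s] += 1
                attempts[s] = 0
                continue
            upper = 2 ** min(attempts[s], 10)        # truncated at 2^10 slots
            wait_until[s] = t + 1 + draw(s, attempts[s], upper)
        t += 1
    return log, discarded


def fair_draw(station, attempt, upper):
    """Constructed deterministic draw: station 'A' picks 0, everyone else picks 1."""
    return 0 if station == "A" else min(1, upper - 1)


def unlucky_draw(station, attempt, upper):
    """Worst case: every station picks 0 every time, so they collide until discard."""
    return 0


if __name__ == "__main__":
    for event in simulate_csma_cd({"A": 1, "B": 1}, fair_draw)[0]:
        print(event)
```

Two things the run makes visible that the slide does not: the sender, not the receiver, detects the collision, and a frame that loses all 16 attempts is silently dropped, which is why a busy shared segment looks like packet loss to TCP rather than like an error.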
Slide 38: IPv4 Address Classes [V52: Corrected Class C Host ID count.]
• Class A: leading bit 0 (1 bit) | Network ID 7 bits | Host ID 24 bits; 126 network IDs, 16,777,214 host IDs
• Class B: leading bits 10 (2 bits) | Network ID 14 bits | Host ID 16 bits; 16,382 network IDs, 65,534 host IDs
• Class C: leading bits 110 (3 bits) | Network ID 21 bits | Host ID 8 bits; 2,097,150 network IDs, 254 host IDs
• Usable hosts per network = 2^(host bits) - 2: the all-zeros host number is the network address and the all-ones host number is the directed broadcast, so a class C has 254 hosts, not 255
• Redrawn from Goldman & Rawles. "Local Area Networks". 2nd Ed. Wiley & Sons. 2000

Slide 39: Media Access Protocols
• Addresses
  - MAC address: unique physical address of the NIC
    ~ Initial MAC in ROM: 24-bit manufacturer code (OUI) + 24-bit serial number
  - IP address: unique logical address on the network
    ~ Static: assigned by the administrator
    ~ Dynamic: assigned by a DHCP server
• Address Resolution Protocol (ARP)
  - Given an IP address, get a MAC address
    ~ Results are stored in the ARP table; watch out for "poisoning": ARP has no authentication, so any host can answer (or volunteer) a false mapping and place itself in the middle of the traffic
• Reverse ARP (RARP)
  - Given a MAC address, get an IP address
  - Boot Protocol (BOOTP): returns the host's own IP address, name server address and gateway address
• Internet Control Message Protocol (ICMP)
  - Delivers messages, reports errors & routing information
  - Replies when testing connectivity & problems
    ~ "Ping": Echo Request frame, Echo Reply frame

Slide 40: Hardware in the OSI Model
• Diagram: devices placed against the seven layers
  - 7 Application: Gateway, H-IDS
  - 6 Presentation: Gateway
  - 5 Session: Gateway
  - 4 Transport: Service gateway, Firewall (port filtering), N-IDS
  - 3 Network: Router, Brouter, VPN, Firewall (address filtering)
  - 2 Data-Link: Bridge, Switch, VLAN, NIC
  - 1 Physical: Hub, Repeater, NIC

Slide 41: Networking Devices
• Repeater: amplifies electrical signals -- L1
  - Regenerator: recreates digital signals
• Bridge: connects LAN segments, separating collision domains -- L2
  - Types: Local, Remote, Translation (protocol)
  - Routing: Static, Transparent, Spanning-Tree, Source-Routing
    ~ Forwarding table: learned by matching the source MAC of each frame with the bridge port it arrived on
• Router: connects similar or different networks, separating broadcast domains -- L3
  - Routing: Static, Dynamic
    ~ Routing table: matches destination IP prefix with router port number
• Switch: combines repeater with bridge
  - Divides the "hub" into multiple, parallel connections
  - Layer 2 (MAC), Layer 3 (routing), Layer 4 (port-based packet inspection, QoS)
• VLAN: switches that logically separate LANs -- L2
• Brouter: combines bridge with router -- if L3 forwarding is not possible, bridge at L2
• Gateway: connects two different environments -- L7
  - Network Access Server, mail gateway, VoIP
• PBX: Private Branch Exchange -- the company phone switch
• Firewall: restricts access between networks -- L3 & L4

Slide 42: Bridges & Forwarding Tables (Source Route Bridging Example)
• Diagram: rings A-F joined by bridges, with machines #1-#9. To reach machine #8, the source sends an explorer packet that is copied across every bridge; the copy that arrives at #8 carries the path it took (ring A port 2, ring B port 2, ring C port 1, i.e. A2-B2-C1-#8), and the source then places that route in every routing packet it sends to #8.
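The ARP "poisoning" caveat of slide 39, turned into a passive detector. This is an added example, not from the deck: it keeps the table a host's ARP cache would build and raises an alert for the patterns a poisoner produces (a reply nobody asked for, a pinned gateway entry changing, one MAC claiming several IPs). It also splits a MAC into the 24-bit manufacturer code and 24-bit serial of the slide. The ARP packets are constructed, not captured; a real deployment would feed it frames from a sniffer.

```python
# Added example (not from the slides): ARP cache watcher for the poisoning
# caveat on slide 39. Packets, addresses and MACs are constructed.
from collections import defaultdict


def parse_mac(mac: str) -> dict:
    """Split a MAC into the 24-bit manufacturer code (OUI) and 24-bit serial of
    slide 39, and read the two flag bits of the first octet."""
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad MAC %r" % mac)
    return {
        "oui": "%02x:%02x:%02x" % tuple(octets[:3]),
        "serial": "%02x:%02x:%02x" % tuple(octets[3:]),
        "multicast": bool(octets[0] & 0x01),            # I/G bit: never valid as a sender
        "locally_administered": bool(octets[0] & 0x02),  # U/L bit: not the burned-in ROM address
    }


class ArpWatch:
    """Keeps the table an ARP cache would build and flags inconsistencies."""

    def __init__(self, static=None):
        # pinned entries (e.g. the default gateway) that must never change
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.cache = dict(self.static)          # ip -> mac
        self.ips_by_mac = defaultdict(set)      # mac -> {ip, ...}
        self.pending = set()                    # (ip being asked for, ip asking)
        self.alerts = []

    def _alert(self, *fields):
        self.alerts.append(fields)

    def alert_kinds(self):
        return [a[0] for a in self.alerts]

    def observe(self, pkt):
        """pkt: dict(op='request'|'reply', sender_ip, sender_mac, target_ip)."""
        op, sip, tip = pkt["op"], pkt["sender_ip"], pkt["target_ip"]
        smac = pkt["sender_mac"].lower()
        if op == "request":
            self.pending.add((tip, sip))        # sip asked "who has tip?"
            if sip == tip:
                self._alert("gratuitous-arp", sip, smac)
        elif op == "reply":
            if (sip, tip) in self.pending:      # answers a request we saw
                self.pending.discard((sip, tip))
            else:
                self._alert("unsolicited-reply", sip, smac)
        if parse_mac(smac)["multicast"]:
            self._alert("multicast-sender-mac", sip, smac)
        self.ips_by_mac[smac].add(sip)
        if len(self.ips_by_mac[smac]) > 1:      # one NIC answering for several hosts
            self._alert("mac-claims-multiple-ips", smac, tuple(sorted(self.ips_by_mac[smac])))
        if sip in self.static:
            if self.static[sip] != smac:
                self._alert("static-entry-violation", sip, smac)
            return                              # pinned entries are never overwritten
        if sip in self.cache and self.cache[sip] != smac:
            self._alert("ip-mac-changed", sip, self.cache[sip], smac)
        self.cache[sip] = smac                  # what a naive cache would now believe


def demo():
    """Constructed trace: a legitimate lookup of the gateway, then an attacker
    (MAC de:ad:be:ef:00:66) claiming both the gateway and the victim."""
    w = ArpWatch(static={"10.1.1.1": "00:1a:2b:00:00:01"})
    trace = [
        dict(op="request", sender_ip="10.1.1.5", sender_mac="00:1a:2b:00:00:05", target_ip="10.1.1.1"),
        dict(op="reply", sender_ip="10.1.1.1", sender_mac="00:1a:2b:00:00:01", target_ip="10.1.1.5"),
        dict(op="reply", sender_ip="10.1.1.1", sender_mac="de:ad:be:ef:00:66", target_ip="10.1.1.5"),
        dict(op="reply", sender_ip="10.1.1.5", sender_mac="de:ad:be:ef:00:66", target_ip="10.1.1.1"),
    ]
    for p in trace:
        w.observe(p)
    return w


if __name__ == "__main__":
    for a in demo().alerts:
        print(a)
```

Pinning the gateway is the cheap host-side defence the slide hints at (a static ARP entry); the watcher shows why it matters, because without it the third packet silently rewrites the cache. On switched networks the equivalent infrastructure control is Dynamic ARP Inspection, which checks each reply against the DHCP binding table.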
Slide 43: Routers & Routing Tables
• Diagram: a router with ports 0-3 joining subnets 10.1.1.0 through 10.7.7.0 and, through a modem, the Internet (123.45.6.7)
  - Routing table: destination prefix -> router port, e.g. 10.1.1.* -> port 0, 10.3.3.* -> port 3, 10.4.4.* -> port 2, 10.5.5.*/10.6.6.*/10.7.7.* -> port 1, and a default entry *.*.*.* for everything else, pointing toward the Internet link
  - ACL on an interface: filters by address and TCP port, e.g. allow tcp 80 to 10.2.2.*, allow tcp 23 only to 10.2.2.2, and a final catch-all entry
• Routing protocols: RIP, BGP, OSPF

Slide 44: Network Segregation & Isolation
• Purpose
  - Users do not need full access to all assets
    ~ If physically segregated, the network must also be logically segregated
  - Limiting access also reduces network traffic
• Physical Segregation
  - Devices: locked in wiring closets
  - Servers: kept in a controlled room
  - Workstations: separated by organizational function
• Logical Segregation
  - Architecture: clearly thought out, fully documented
  - Routers: contain broadcast domains (bridges and switches contain collision domains)
  - Users: limit the number who can connect to critical assets
  - ACLs: strict controls on the management segment
• Penetration Testing
  - Investigate to see whether the controls are actually working

Slide 45: Firewalls [V52: Changed DMZ description.]
• Purpose: restrict access between networks
  - Support & enforce the organization's security policy
    ~ Acceptable & unacceptable actions
    ~ Allowable TCP ports & services
    ~ IP address range restrictions
• Function
  - Gateway: router, server, authentication server or dedicated device
  - Monitors & filters packets based on
    ~ IP address, TCP port, packet type, protocol, header information, sequence number, ...
• DMZ: Demilitarized Zone
  - Segment between the protected & unprotected networks
  - Usually consists of two firewalls: inward & outward
  - DMZ servers: web, file, mail, DNS, IDS
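The routing-table lookup behind slide 43, as an added example (not from the deck). It implements longest-prefix matching over a table shaped like the slide's, including the default route, and then reuses the same table for a strict reverse-path check: a packet is accepted only if the route back to its source leaves through the interface it arrived on, which catches the spoofed packets listed on slide 50. The prefixes, port numbers and addresses are constructed, modelled loosely on the diagram.

```python
# Added example (not from the slides): longest-prefix routing lookup and a
# strict reverse-path (uRPF) check. Prefixes, ports and addresses are
# constructed for illustration.
import ipaddress


def build_table(entries):
    """entries: iterable of (prefix, out_port). Sorted longest prefix first so
    the first match in route() is the most specific one."""
    table = [(ipaddress.ip_network(p), port) for p, port in entries]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)


def route(table, dst):
    """Return the out port for dst, or None if nothing (not even a default) matches."""
    a = ipaddress.ip_address(dst)
    for net, port in table:
        if a in net:
            return port
    return None


def reverse_path_ok(table, src, in_port):
    """Strict uRPF: the packet's source must be reachable via the port it came in on.
    A packet from the Internet link claiming an inside source fails this test."""
    return route(table, src) == in_port


# constructed table: ports 0-2 face inside subnets, port 3 faces the Internet link
TABLE = build_table([
    ("10.1.1.0/24", 0), ("10.2.2.0/24", 0),
    ("10.4.4.0/24", 2),
    ("10.5.5.0/24", 1), ("10.6.6.0/24", 1), ("10.7.7.0/24", 1),
    ("10.7.7.128/25", 2),      # a more specific route that must win over /24
    ("0.0.0.0/0", 3),          # default route toward the Internet
])


def forward(table, pkt):
    """pkt: dict(src, dst, in_port) -> (out_port or None, reason)."""
    if not reverse_path_ok(table, pkt["src"], pkt["in_port"]):
        return None, "dropped: source %s not routable via port %d" % (pkt["src"], pkt["in_port"])
    port = route(table, pkt["dst"])
    if port is None:
        return None, "dropped: no route to %s" % pkt["dst"]
    return port, "forwarded"


if __name__ == "__main__":
    print(forward(TABLE, {"src": "10.1.1.9", "dst": "203.0.113.5", "in_port": 0}))
    print(forward(TABLE, {"src": "10.1.1.9", "dst": "10.1.1.5", "in_port": 3}))
```

Strict reverse-path checking assumes symmetric routing; where traffic legitimately returns over a different link (multi-homed sites) the loose variant, which only requires that some route to the source exists, is the usual compromise.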
Slide 46: Demilitarized Zone (DMZ) (AKA "Free Trade Zone" or "Screened Subnet") [V52: Changed subtitle.]
• Diagram: the Internet and dial-up modems (via the PSTN) enter through a router and an outward firewall; behind it sit the screened segments, each watched by a network IDS (N) and with host IDS (H) on the servers:
  - Public Segment: Internet services (web, http, smtp, DNS, ...)
  - Data Segment: data services (ftp, SQL, API, ...)
  - Management Segment
  - Extranet: business partners (via DCTN) and Internet customers
  - An inward firewall then separates the Private Segment: business operations (LAN, MAN, WAN)
• Legend: Router, Switch, N = N-IDS, H = H-IDS

Slide 47: Filtering Firewalls
• Packet Filtering - First Generation
  - Inspects the packet header: IP address & TCP port
    ~ ACL rules allow or disallow
  - Pros: scalable, fast, application independent
  - Cons: header data only; does not track state
• Proxy Firewalls - Second Generation
  - Makes the connection on the client's behalf: hides private network addresses
    ~ Handles all messages: copies, inspects, repackages
  - Pros: application aware; filters at all layers
  - Cons: not scalable, slow, limited to the applications it understands
• Stateful Packet Filtering - Third Generation
  - Tracks connections to completion
  - State table: pairs inbound & outbound packets
    ~ State: an outbound request is waiting for an inbound reply
    ~ Rules: disallow inbound requests, but allow inbound replies
  - Pros: scalable, fast, transparent, stateful
  - Cons: the state table can be exhausted, which allows DoS attacks

Slide 48: Proxy Services
• Dual-Homed Host Firewalls
  - Two interfaces, two NICs: inward & outward
    ~ No packet forwarding between them: that would allow uncontrolled access
    ~ Proxy software handles the packet transfers
• Proxy Types
  - Application-Level: inspects packet content
    ~ Access decided on the content of the packet
      › Service, protocol, command: e.g. FTP Get vs. FTP Put
    ~ Pro: high level of granularity
    ~ Con: one application-level proxy per service; slow
  - Circuit-Level: monitors the client-to-server connection
    ~ Access based on source & destination IP addresses
    ~ Pro: handles many protocols
    ~ Con: not as granular as application-level
  - SOCKS Servers: circuit-level proxy gateway
    ~ Usage: outbound Internet access & pseudo-VPN functionality
      › Provides authentication & encryption

Slide 49: Firewall Architecture [V52: Corrected typo.]
• Bastion Host - the firewall itself
  - Exposed to the Internet: its existence is known
  - Locked down: all protection is lost if it is compromised
• Screened Host
  - Bastion behind a border router
    ~ The border router filters out irrelevant Internet traffic
    ~ Only the firewall talks to the border router
• Screened Subnet
  - Bastion between two routers
    ~ External: filters traffic from the Internet
    ~ Internal: filters traffic to/from the private network
• Honeypots
  - Purpose: entice (not entrap) attackers
  - Setup: an unprotected computer in the DMZ
  - Concept: loss of the honeypot is not critical
    ~ Can provide warning before attacks on critical systems
    ~ Can support evidence of attacks against other systems

Slide 50: Firewall Configuration Guidelines
• Purpose: separate internal from external, separate subnets, construct the DMZ buffer zone
• Default
  - Implicitly deny whatever is not explicitly allowed
• Packets of trouble
  - Spoofing: an inbound packet with an internal source address
  - Zombies: an outbound packet with an external source address
  - Fragmented: may be malicious once reassembled
  - Source-routing: helps outsiders map internal networks
• Lock-down
  - No unnecessary services
  - Disable unused subsystems
  - Patch known vulnerabilities
  - Disable unused user accounts
  - Close unneeded TCP ports
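A minimal stateful packet filter, as an added example (not from the deck), that combines the third-generation rules of slide 47 with the default-deny and "packets of trouble" checks of slide 50. Inbound packets are allowed only as replies to connections already in the state table, a new TCP connection can only be opened by a bare SYN (so an ACK-only probe cannot slip past), and spoofed, zombie, source-routed and non-initial-fragment packets are dropped before any rule is consulted. The networks, rule set and packets are constructed.

```python
# Added example (not from the slides): stateful packet filter with default deny
# and the slide 50 sanity checks. Networks, rules and packets are constructed.
from ipaddress import ip_address, ip_network

SYN, ACK = 0x02, 0x10


class StatefulFilter:
    def __init__(self, internal_nets, rules):
        self.internal = [ip_network(n) for n in internal_nets]
        self.rules = rules       # (direction, proto, dport or "*", action); first match wins
        self.state = set()       # (proto, src, sport, dst, dport) of permitted connections

    def _is_internal(self, ip):
        return any(ip_address(ip) in n for n in self.internal)

    def process(self, pkt):
        """pkt: dict(dir='in'|'out', proto, src, sport, dst, dport,
        flags=0, frag_offset=0, source_route=False). Returns (verdict, reason)."""
        d, proto = pkt["dir"], pkt["proto"]
        src_int = self._is_internal(pkt["src"])
        # 1. packets of trouble (slide 50), checked before any rule
        if d == "in" and src_int:
            return "deny", "spoofed: inbound packet with internal source"
        if d == "out" and not src_int:
            return "deny", "zombie: outbound packet with external source"
        if pkt.get("source_route"):
            return "deny", "source-routed packet"
        if pkt.get("frag_offset", 0):
            return "deny", "non-initial fragment: no header to inspect"
        # 2. replies to connections already in the state table
        key = (proto, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (proto, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.state or reverse in self.state:
            return "allow", "matches state table"
        # 3. new TCP connections must start with a bare SYN; ACK-only packets open nothing
        if proto == "tcp" and pkt.get("flags", 0) & (SYN | ACK) != SYN:
            return "deny", "tcp packet without state and not a SYN"
        for rdir, rproto, rport, action in self.rules:
            if rdir == d and rproto == proto and rport in (pkt["dport"], "*"):
                if action == "allow":
                    self.state.add(key)
                return action, "rule %s %s/%s" % (rdir, rproto, rport)
        return "deny", "implicit deny"


def demo():
    """Constructed traffic against a small policy: inside hosts may browse (443)
    and resolve names (53); the outside may only reach the mail server on 25."""
    fw = StatefulFilter(["10.0.0.0/8"], [
        ("out", "tcp", 443, "allow"),
        ("out", "udp", 53, "allow"),
        ("in", "tcp", 25, "allow"),
    ])
    packets = [
        ("https-out", dict(dir="out", proto="tcp", src="10.1.1.5", sport=51000, dst="203.0.113.10", dport=443, flags=SYN)),
        ("https-reply", dict(dir="in", proto="tcp", src="203.0.113.10", sport=443, dst="10.1.1.5", dport=51000, flags=SYN | ACK)),
        ("smb-probe", dict(dir="in", proto="tcp", src="198.51.100.7", sport=40000, dst="10.1.1.5", dport=445, flags=SYN)),
        ("ack-scan", dict(dir="in", proto="tcp", src="198.51.100.7", sport=40001, dst="10.1.1.9", dport=25, flags=ACK)),
        ("mail-in", dict(dir="in", proto="tcp", src="198.51.100.7", sport=40002, dst="10.1.1.9", dport=25, flags=SYN)),
        ("spoofed", dict(dir="in", proto="tcp", src="10.9.9.9", sport=40003, dst="10.1.1.5", dport=443, flags=SYN)),
        ("zombie", dict(dir="out", proto="udp", src="198.51.100.7", sport=40004, dst="203.0.113.10", dport=53)),
        ("fragment", dict(dir="in", proto="tcp", src="198.51.100.7", sport=40005, dst="10.1.1.9", dport=25, frag_offset=1)),
    ]
    return {name: fw.process(p) for name, p in packets}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print("%-12s %-5s %s" % (name, verdict, reason))
```

The state set is what a real stateful engine must also age out and cap; without a timeout and a size limit, the "complexity allows DoS" con on slide 47 is exactly what an attacker exploits by opening connections faster than they complete.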
Slide 51: Networking Services - Network Operating System (NOS)
• Purpose
  - Provides services for networked computers
    ~ Directory, file, print, backup & replication
    ~ Internetworking, routing, WAN & dial-up support
    ~ Built-in mechanisms for authentication, authorization, access control & audit
    ~ Remote client management tools
    ~ Software distribution and inventory functions
    ~ Clustering functionality
    ~ Fault tolerance capabilities
  - Allows centralized use of shared resources
• Key Component: Redirector
  - Points a request to a local disk or to a networked resource

Slide 52: Networking Services - Domain Name Service (DNS)
• Purpose
  - Resolve host names (as used in URLs) to IP addresses
    ~ Name space governed by ICANN
• Architecture
  - Root servers: operated by several organizations, coordinated through IANA/ICANN (the deck's 2002 text names Network Solutions, Inc.)
  - TLD server: one set for each top-level domain, e.g. .com
  - DNS server (recursive resolver): usually run at gateways, e.g. by ISPs
  - Authoritative name server: DNS for an internal "zone"
    ~ Zone: DNS data for an organizational subgroup
      › May encompass one or more domains
  - Fault tolerance: primary & secondary servers in parallel
• Name Resolution Process
  - User enters a URL: www.somewhere.org
  - Client asks its name server to resolve it to an IP address
    ~ If the answer is not in the server's resource records or cache, it asks the next level up (root, then TLD, then the authoritative server)
  - Name server returns the IP address

Slide 53: Networking Services - Top-Level Domains (TLD)
• Generic (gTLD)
  - aero: air-transport industry
  - arpa: infrastructure
  - biz: businesses
  - com: commercial
  - coop: cooperatives
  - edu: US educational
  - gov: US government
  - info: information
  - int: international organizations
  - mil: US military
  - museum: museums
  - name: individuals
  - net: networks
  - org: organizations
  - pro: professionals
• Country-Code (ccTLD)
  - au Australia, ca Canada, cn China, de Germany, es Spain, fr France, in India, jp Japan, kr Korea (South), mx Mexico, nl Netherlands, pl Poland, ro Romania, ru Russian Federation, tv Tuvalu, uk United Kingdom, us United States
• Generic Top-Level Domains (gTLD): http://www.iana.org/gtld/gtld.htm
• Country-Code Top-Level Domains (ccTLD): http://www.iana.org/cctld/cctld.htm

Slide 54: Networking Services - Directory Services
• Purpose: central repository of important network information
  - Provides a rich service to users, admins & the network itself
• Components
  - Hierarchical database
    ~ Object classes & subclasses: policies are applied to objects
      › X.500: model for the database structure
    ~ Entities: instances of objects
      › Types: users, computers, peripherals, other resources
      › Attributes: name, location, resources, profiles
      › Information: peripherals, e-commerce, network services
      › Controls: ACLs, audits, resource limits, firewall rules, VPN, QoS
  - Schema: structure of the directory and object relationships
    ~ Organizations define their own schemas
  - LDAP: Lightweight Directory Access Protocol
  - Meta-directory: stores information about directories
    ~ Allows communication among multiple directories
• Examples
  - Microsoft Active Directory, Novell Directory Services (NDS)

Slide 55: The Internet, Intranets, Extranets
• Diagram: remote PCs reach the site over the PSTN through a modem server authenticated by RADIUS; the Internet and an extranet enter through a gateway and firewall. Inside: desktop PCs, a file server, intranet server, mail server, web server and database servers on a backbone, plus a data terminal and an SNA network (FEP and mainframe). Link speeds labelled: 155 Mbps+ backbone (labelled FDDI, which itself runs at 100 Mbps), 45 Mbps (DS3), 100 Mbps (100BaseT), 16 Mbps (Token Ring), 1.544 Mbps (T-1), 56-128 Kbps (dial-up/ISDN)
• Legend: Router, Switch, N = N-IDS, H = H-IDS
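The resolution walk of slide 52 (root, then TLD, then the authoritative server) as an added example that is not from the deck. The resolver follows referrals, caches answers, and applies a bailiwick check: additional records a server tacks onto its response are accepted only for names inside that server's own zone, which is the basic defence against a server planting entries for other people's names in the cache. The zone data, server addresses (documentation ranges) and the poisoned response are all constructed.

```python
# Added example (not from the slides): iterative DNS resolution with caching
# and a bailiwick check. Zones, names and addresses are constructed.

ZONES = {
    ".":              {"NS": {"org.": "a.gtld.example."},
                       "A": {"a.gtld.example.": "192.0.2.1"}},
    "org.":           {"NS": {"somewhere.org.": "ns1.somewhere.org."},
                       "A": {"ns1.somewhere.org.": "192.0.2.53"}},
    "somewhere.org.": {"A": {"www.somewhere.org.": "192.0.2.80",
                             "ns1.somewhere.org.": "192.0.2.53"}},
}
ROOT_IP = "192.0.2.0"    # the resolver's root hint


def in_bailiwick(name: str, zone: str) -> bool:
    """Is `name` at or below `zone`? The root covers everything."""
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_answer(zone_name, zone, qname, extra=None):
    """What the server for `zone` returns for qname: answer, referral or nxdomain.
    `extra` models additional records a server may append (used to test poisoning)."""
    resp = {"extra": dict(extra or {})}
    if qname in zone.get("A", {}):
        resp.update(type="answer", address=zone["A"][qname])
        return resp
    children = [c for c in zone.get("NS", {}) if in_bailiwick(qname, c)]
    if children:
        child = max(children, key=len)            # closest enclosing delegation
        ns = zone["NS"][child]
        resp.update(type="referral", zone=child, ns=ns, glue=zone["A"].get(ns))
    else:
        resp["type"] = "nxdomain"
    return resp


class Resolver:
    def __init__(self, zones, extras=None):
        self.zones = zones
        self.extras = extras or {}              # zone name -> extra records its server appends
        self.cache = {}                         # name -> address
        self.servers = {ROOT_IP: "."}           # server ip -> the zone we trust it for

    def resolve(self, qname, max_hops=8):
        """Returns (address or None, list of zones consulted)."""
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        server, path = ROOT_IP, []
        for _ in range(max_hops):
            zone_name = self.servers[server]
            path.append(zone_name)
            resp = authoritative_answer(zone_name, self.zones[zone_name], qname,
                                        self.extras.get(zone_name))
            # bailiwick check: only cache extra records the server is authoritative for
            for name, addr in resp["extra"].items():
                if in_bailiwick(name, zone_name):
                    self.cache[name] = addr
            if resp["type"] == "answer":
                self.cache[qname] = resp["address"]
                return resp["address"], path
            if (resp["type"] != "referral" or not resp["glue"]
                    or not in_bailiwick(resp["zone"], zone_name)):
                return None, path               # nxdomain or a referral we will not follow
            self.servers[resp["glue"]] = resp["zone"]
            server = resp["glue"]
        return None, path


if __name__ == "__main__":
    r = Resolver(ZONES)
    print(r.resolve("www.somewhere.org."))
    print(r.resolve("www.somewhere.org."))   # second lookup is served from cache
```

The bailiwick rule stops a TLD server from answering for names outside its zone, but it does not stop a forged response for a name inside the zone (the 2008 Kaminsky attack targets exactly that); real resolvers add transaction-ID and source-port randomisation and, where deployed, DNSSEC validation.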
Slide 56: Intranets and Extranets
• Intranets
  - Web-based technology on internal networks
    ~ Easy to implement, highly interoperable
  - Lax controls can lead to policy violations
    ~ A typing error could reach inappropriate content
• Extranets
  - Private inter-network between organizations
    ~ Business-to-business applications
  - EDI: Electronic Data Interchange
    ~ Provides structure & format for electronic documents
  - Dedicated links, or a VPN via the Internet
• Private IP Addresses (RFC 1918)
  - "10"-Net: 10.x.y.z, internal private networks only
  - Class B range: 172.16.0.0 - 172.31.255.255
  - Class C range: 192.168.0.0 - 192.168.255.255, e.g. the default inside a DSL firewall

Slide 57: Network Address Translation (NAT)
• Purpose
  - Allow private addresses, but still access the Internet
    ~ Short-term fix until IPv6
    ~ Hides the internal network architecture
• Process: change the addresses in the header
  - Outbound: the DSL gateway rewrites the source 10.1.1.1 to its public address 66.78.9.10 and records the pair in its NAT table (From 123.4.5.6, To 10.1.1.1)
  - Track the state until the reply arrives, then rewrite the destination 66.78.9.10 back to 10.1.1.1
• Diagram: inside hosts 10.1.1.1, 10.1.1.2, 10.1.1.3 behind the DSL gateway; packet to the Internet host 123.4.5.6 shown before and after translation

Slide 58: Metropolitan Area Network (MAN)
• Purpose: business backbone
  - Connects to the Internet, a WAN or another business
• Implementations
  - FDDI: Fiber Distributed Data Interface (ANSI X3T9.5)
  - SONET: Synchronous Optical Network
    ~ Telecom-over-fiber standard: self-healing rings, redundant paths
    ~ Content: digitized voice and data in fixed-size frames sent every 125 microseconds (the deck's "variable frame size" is incorrect)
    ~ Carriers: T-1, Fractional T-1, T-3, multiplexed onto OC-n channels
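Addressing, worked in code: the classful arithmetic of slide 38, the unicast/multicast/broadcast distinction of slide 31, the RFC 1918 private ranges of slide 56 and the NAT table of slide 57. This is an added example, not from the deck. The NAT here is port-based (one public address shared by many inside hosts), which is what a DSL gateway actually does; it translates only private inside sources and drops inbound packets that match no entry. Public address, ports and hosts are constructed.

```python
# Added example (not from the slides): classful address arithmetic, RFC 1918
# check and a port-based NAT table. Addresses and ports are constructed.
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# (class, first-octet upper bound, network bits); D and E have no host part
CLASSES = (("A", 128, 8), ("B", 192, 16), ("C", 224, 24), ("D", 240, None), ("E", 256, None))


def classify(addr: str) -> dict:
    a = ipaddress.IPv4Address(addr)
    n = int(a)
    cls, net_bits = next((c, b) for c, limit, b in CLASSES if (n >> 24) < limit)
    info = {"class": cls, "private": any(a in p for p in PRIVATE), "usable_hosts": 0, "kind": "unicast"}
    if cls == "D":
        info["kind"] = "multicast"
    elif n == 0xFFFFFFFF:
        info["kind"] = "limited-broadcast"       # 255.255.255.255: this link only
    elif net_bits is not None:
        host_bits = 32 - net_bits
        host_mask = (1 << host_bits) - 1
        info["usable_hosts"] = (1 << host_bits) - 2   # all-zeros = network, all-ones = broadcast
        if n & host_mask == host_mask:
            info["kind"] = "directed-broadcast"  # the x.y.z.255 of slide 31 for a class C
        elif n & host_mask == 0:
            info["kind"] = "network"
    return info


class Nat:
    """Outbound: rewrite (inside ip, port) to (public ip, fresh port) and remember it.
    Inbound: only packets matching a remembered mapping are translated back."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}   # public port -> (inside ip, inside port, remote ip, remote port)

    def outbound(self, src, sport, dst, dport):
        if not classify(src)["private"]:
            raise ValueError("%s is not an inside (private) address" % src)
        key = (src, sport, dst, dport)
        for pport, entry in self.table.items():
            if entry == key:                     # existing flow keeps its mapping
                return self.public_ip, pport, dst, dport
        pport, self.next_port = self.next_port, self.next_port + 1
        self.table[pport] = key
        return self.public_ip, pport, dst, dport

    def inbound(self, src, sport, dst, dport):
        entry = self.table.get(dport)
        if dst != self.public_ip or entry is None or entry[2:] != (src, sport):
            return None                          # unsolicited: no state, dropped
        return src, sport, entry[0], entry[1]


if __name__ == "__main__":
    nat = Nat("66.78.9.10")
    print(nat.outbound("10.1.1.1", 5000, "123.4.5.6", 80))
    print(nat.inbound("123.4.5.6", 80, "66.78.9.10", 40000))
    print(classify("10.10.1.2"))
```

The inbound check is why NAT is often (wrongly) described as a firewall: it does drop unsolicited inbound packets, but it does nothing about outbound traffic, protocols that carry addresses in their payload (FTP, SIP), or an attacker who can guess a live mapping, so the stateful filter is still needed.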
Slide 59: Wide Area Network (WAN) [V52: Corrected typo.]
• Telecommunications Evolution
  - Origin: copper lines, analog signalling, Central Switching Office
  - Multiplexing: combine multiple channels onto one path
  - TDM: Time-Division Multiplexing, shared by timeslot
    ~ T-1 = 24 channels, T-3 = 28 T-1s (672 channels)
  - Fiber-optics: large bandwidth, long distance, high quality
  - Optical Carrier (OC-n): TDM over fiber, e.g. SONET
  - ATM: Asynchronous Transfer Mode
    ~ Fixed-length frames, called "cells", over SONET
• Dedicated Links
  - Leased or "point-to-point" lines: fast, but expensive
    ~ Pro: only the two end points can use the link
    ~ Con: paid for (and connected) even during periods of non-use
• T-Carriers
  - Dedicated lines carry voice & data over trunks
    ~ T-1 = 1.544 Mbps, T-3 = 44.736 Mbps (about 45 Mbps)

Slide 60: WAN Protocols (1)
• CSU/DSU: Channel Service Unit / Data Service Unit
  - Bridges digital LANs to telephone-company WAN circuits
• Switching
  - Circuit-switching: connects one channel from end to end for the duration
  - Packet-switching: packets may use multiple paths to the destination
• Virtual Circuits
  - Permanent Virtual Circuit (PVC): programmed in advance
  - Switched Virtual Circuit (SVC): built up on demand
• Frame Relay
  - Packet-switching over shared carrier links
    ~ Cost based on bandwidth needs: cheaper than dedicated links
    ~ Committed Information Rate (CIR): guarantees a specific bandwidth
  - Equipment
    ~ Data Terminal Equipment (DTE): user-owned
    ~ Data Circuit-Terminating Equipment (DCE): telco-owned
• X.25
  - LAPB (an HDLC variant) frames over carrier switches; 128-byte data blocks by default
  - Same idea as Frame Relay, but with more error checking, correction & redundancy, hence slower

Slide 61: WAN Protocols (2)
• ATM: Asynchronous Transfer Mode
  - Cell-switching: data in fixed-size 53-byte cells
  - Connection-oriented: virtual circuits guarantee bandwidth & QoS
    ~ Good for voice & video; cost based on bandwidth
• SMDS: Switched Multimegabit Data Service
  - Connects LANs over WANs: connectionless, packet-switched
• SDLC: Synchronous Data Link Control
  - Dedicated links with permanent physical circuits; IBM SNA
• HDLC: High-Level Data Link Control
  - Extends SDLC; high throughput because it is full-duplex
• HSSI: High-Speed Serial Interface
  - Connects multiplexers to ATM or Frame Relay equipment; Layer 1
• VoIP: Voice over Internet Protocol
  - Uses the same physical network for both telephone & LAN
    ~ Eliminates the need for two cable runs

Slide 62: WAN Technologies
• S/WAN: Secure WAN
  - Firewall-to-firewall connection
    ~ Based on VPNs created with IPsec (mandatory in the original IPv6 specification, an add-on for IPv4)
      › Strong encryption (in tunnel mode the original header is encrypted too), public-key authentication
  - Initiative of RSA Security
  - Linux version: FreeS/WAN
• Multi-Service Access
  - Combine voice, data and video
    ~ Higher performance, reduced costs, greater flexibility
  - PSTN: Public Switched Telephone Network
    ~ Circuit-switched technology; Signaling System 7 protocol
  - VoIP: Voice over Internet Protocol
    ~ Uses compression & address/protocol translation
    ~ "Jitter": variation in packet delay, typically caused by network congestion, which degrades voice quality
  - H.323: multimedia communications terminals & gateways
  - VoATM & Voice over Frame Relay
    ~ Provide better QoS (Quality of Service)

Slide 63: Remote Access Connectivity Methods (1)
• Dial-up and RAS
  - Analog, point-to-point, circuit-switched
    ~ A modem provides up to 56 Kbps
  - Network Access Server: gateway that terminates the PPP session
  - Remote Access Service: the Microsoft version
  - RADIUS server: see Access Control
• ISDN: Integrated Services Digital Network
  - Digital, point-to-point, circuit-switched
    ~ Bearer (B) channel: 64 Kbps, voice or data
    ~ Delta (D) channel: 16 Kbps (64 Kbps on a PRI), signaling
  - Basic Rate Interface (BRI): 2B+D = 144 Kbps
  - Primary Rate Interface (PRI): 23B+D = 1.544 Mbps
  - Broadband-ISDN: backbone service
special client S/W ~ User-to-User: Requires VPN S/W, protocols & encryption ~ Gateway-to-Gateway: VPN between routers ~ Firewall-to-Firewall: VPN between firewalls -- Extranet CISSP - Telecommunications & Networks NetworksV52.ppt Slide: 64 Remote Access Protocols • Tunneling Protocols - Tunnel: Virtual path across networks ~ Allows connection of non-routable protocols -- NetBEUI - PPP: Point-to-Point Protocol -- Internet dial-up -- replaced SLIP ~ Encapsulate messages & transmit over serial line - PPTP: Point-to-Point Tunneling Protocol ~ Encrypts & encapsulates PPP packets - L2F: Layer Two Forwarding -- provides mutual authentication - L2TP: Layer Two Tunneling Protocol -- PPTP + L2F ~ Tunnels many types of networks, but is not encrypted • Authentication Protocols - Negotiation order: EAP, CHAP, PAP - PAP: Password Authentication Protocol -- Cleartext ~ Vulnerable to sniffing, replay and MiM attacks - CHAP: Challenge-Handshake Authentication Protocol ~ Encrypt & compare random value - EAP: Extensible Authentication Protocol -- framework ~ Allows tokens, biometrics, one-time P/W, ... CISSP - Telecommunications & Networks NetworksV52.ppt Slide: 65 Remote Access Guidelines • Modems - Caller ID: Don’t answer if not on approved # list - Call-Back: Call back to prearranged phone number ~ Compromised if call-back # has Call-Forwarding - Modem Pools: Consolidate for consistent security ~ Should go through the firewall, just like Internet • Wardialing: Call all numbers to find modems - Precautions: Disable unprotected modems, Answer after fourth ring, Dial-out only • “Always-on” Connections - DSL & cable modems are susceptible to attacks ~ Sniffing, scanning, probing, hacking, DoS’ing, etc. - Countermeasure: Personal firewalls • General - Identify & audit users: Disable unneeded accounts - Two-factor authentication: RADIUS or TACACS+ CISSP - Telecommunications & Networks NetworksV52.ppt Slide: 66 Resource Availability V52: Added acronym. 
• Networks - Cables: Correct type & length, tested for breaks - NICs: Faulty, wrong speed, duplicate MAC address • Single Points of Failure (SPoF) - Precautions: redundancy, backups, maintenance • RAID: Redundant Array of Inexpensive Disks • Clustering - Servers viewed & managed as a single system ~ Share tasks, load balancing -- better than a hot-backup • Backups - Policy defines what gets backed up, how often - Balance cost of backups against potential loss • Archives - Tertiary data store: Off-site, slow retrieval CISSP - Telecommunications & Networks NetworksV52.ppt Slide: 67 Network & Resource Availability RAID • Redundant Array of Inexpensive Disks - Level 0: Striping -- data written across multiple disks - Level 1: Mirroring -- data duplicated on multiple disks - Level 2: Hamming Code -- bit-level striping w/parity - Level 3: Byte-Level -- data striping w/parity disk - Level 4: Block-Level -- disk sector striping w/parity - Level 5: Interleave -- disk sector writing using XOR parity -- eliminates SPoF - Level 6: Second parity -- RAID 5, but duplicate parity - Level 10: 1+0 -- combines RAID 1 & 0 - Level 15: 1+5 -- combines RAID 1 & 5 CISSP - Telecommunications & Networks NetworksV52.ppt Slide: 68 Wireless Technologies V25: Modified 802.11a bandwidth. 
• Wireless Communications - General: Higher frequencies carry more data › but are susceptible to atmospheric interference & noise - WLAN: Wireless LAN ~ 802.11a: 54 Mbps over 5 GHz ~ 802.11b: 11 Mbps over 2.4 GHz - WAP: Wireless Application Protocol ~ Wireless Markup Language (WML): (similar to HTML) ~ WMLscript: (similar to JavaScript) ~ Wireless Transport Layer Security (WTLS): (TLS & SSL) › session, transaction, and transport layer security - Issue: WTLS is decrypted at the WAP gateway • Wireless Personal Area Network -- “Bluetooth” - Devices setup networks spontaneously ~ Very short range: must detect presence of each other › Challenge-response configures domain of trust ~ Encryption & authentication included - Media: any conductive surface -- including human skin CISSP - Telecommunications & Networks NetworksV52.ppt Slide: 69 Summary • Introduction - How protocols work • The OSI Model • TCP/IP • Networking • Firewalls • Networking Services • Intranets and Extranets • MANs and WANs • Remote Access • Resource Availability • Wireless Technologies • Summary CISSP - Telecommunications & Networks •Networking -Media Access Technologies -Cabling -Transmission -Network Topology -Standards -Media Access Protocols -Networking Devices -Segregation and Isolation NetworksV52.ppt Slide: 70
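The NAT process on slide 57 (rewrite the header, track state until the reply, hide the inside hosts) as a worked example. This is added code, not part of the presentation; it uses the slide's sample addresses (10.1.1.x inside, 66.78.9.10 public, 123.4.5.6 destination), and the Packet and Nat classes, the port numbers and the RFC 5737 test address 203.0.113.5 are constructed for the example. It goes one step beyond the slide by translating ports as well as addresses, which is how a single public address serves several inside hosts, and it shows the security side effect the slide alludes to: an inbound packet that matches no recorded state is dropped.

```python
"""Toy NAPT (address + port translation) state table.

Added example modelled on slide 57, not from the presentation.  Outbound
packets get the public address and a fresh public port; the mapping is
recorded so the reply can be rewritten back to the inside host.  Anything
arriving from the Internet that matches no recorded flow is dropped, which
is why the inside addresses are not reachable unsolicited.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (inside_ip, inside_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port          # constructed port range
        self.outbound: Dict[Flow, int] = {}  # flow -> public port
        self.inbound: Dict[int, Flow] = {}   # public port -> flow

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside host -> Internet: replace source with the public address/port."""
        key: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            # first packet of this flow: allocate a public port and record state
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside host: only packets matching recorded state pass."""
        state = self.inbound.get(pkt.dst_port)
        if state is None:
            return None  # unsolicited: no inside host asked for this, drop
        inside_ip, inside_port, dst_ip, dst_port = state
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None  # comes from a host other than the one contacted, drop
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """One outbound request, its legitimate reply, and an unsolicited probe."""
    nat = Nat("66.78.9.10")
    out = nat.translate_outbound(Packet("10.1.1.1", 1025, "123.4.5.6", 80, "GET /"))
    reply = nat.translate_inbound(Packet("123.4.5.6", 80, "66.78.9.10", out.src_port, "200 OK"))
    probe = nat.translate_inbound(Packet("203.0.113.5", 4444, "66.78.9.10", 40001, "probe"))
    return out, reply, probe


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The state table is what makes this a "short-term fix" in the sense of slide 57 rather than a security boundary: it hides the inside addresses only for flows nobody on the inside has opened, and a real device also has to expire entries, or the table fills up and the device stops admitting new flows.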
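Slide 65 contrasts PAP (cleartext, vulnerable to sniffing and replay) with CHAP ("encrypt & compare random value"). The exchange below is an added example, not code from the presentation, showing why the random challenge matters: the response is the RFC 1994 MD5 hash of the identifier, the shared secret and the challenge, each challenge is used once, so a response captured from one session does not verify in the next. The ChapAuthenticator class, the user name and the secret are constructed for the example.

```python
"""CHAP (RFC 1994) challenge-response exchange, added example for slide 65.

Response = MD5(Identifier || Secret || Challenge).  The authenticator keeps
the challenge it issued, verifies the peer's response against it, and
discards the challenge afterwards so it can never be reused.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """What the peer sends back; MD5 is what RFC 1994 specifies for CHAP."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets                      # name -> shared secret
        self.pending: Dict[str, Tuple[int, bytes]] = {}  # name -> (ident, challenge)
        self.ident = 0

    def challenge(self, name: str) -> Tuple[int, bytes]:
        """Issue a fresh random challenge with a new identifier."""
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[name] = (self.ident, chal)
        return self.ident, chal

    def verify(self, name: str, ident: int, response: bytes) -> bool:
        entry = self.pending.pop(name, None)        # single use: consumed here
        if entry is None or entry[0] != ident:
            return False
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, entry[1])
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(server: ChapAuthenticator, name: str,
                 peer_secret: bytes) -> Tuple[bool, int, bytes]:
    """Full round trip: challenge -> response -> verdict."""
    ident, chal = server.challenge(name)
    resp = chap_response(ident, peer_secret, chal)
    return server.verify(name, ident, resp), ident, resp


def replay_is_rejected(server: ChapAuthenticator, name: str,
                       captured_resp: bytes) -> bool:
    """A response sniffed from an earlier session, submitted against a new
    challenge, must fail even when paired with the new identifier."""
    new_ident, _ = server.challenge(name)
    return not server.verify(name, new_ident, captured_resp)


if __name__ == "__main__":
    srv = ChapAuthenticator({"alice": b"correct horse battery"})  # constructed secret
    ok, ident, resp = run_exchange(srv, "alice", b"correct horse battery")
    print("fresh exchange accepted:", ok)
    print("replayed response rejected:", replay_is_rejected(srv, "alice", resp))
```

Two design points carry over to real deployments: the secret never crosses the link (only a hash bound to a one-time challenge does), and the comparison uses hmac.compare_digest so response checking does not leak timing. CHAP still requires the authenticator to hold the secret in a recoverable form, which is one reason the slide lists EAP, with tokens and one-time passwords, ahead of it in the negotiation order.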
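Slide 68 summarises RAID 5 as "disk sector writing using XOR parity -- eliminates SPoF". The example below is added code, not part of the presentation: it lays constructed data out over a small array with parity rotated one disk per stripe, rebuilds the contents when any one disk is missing, refuses to rebuild when two are (the motivation for the second parity of RAID 6), and includes a parity scrub that detects a silently corrupted block. The disk count, block size and sample text are constructed; the rotating layout is one common RAID 5 arrangement, not a claim about a particular controller.

```python
"""RAID 5 striping with rotating XOR parity and single-disk reconstruction.

Added example for slide 68, not from the presentation.  Each stripe holds
(ndisks - 1) data blocks plus one parity block equal to the XOR of the
data blocks; XOR of all blocks in a stripe is therefore zero, and any one
missing block is the XOR of the others.
"""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def raid5_write(data: bytes, ndisks: int = 4, block: int = 4) -> List[List[bytes]]:
    """Distribute data over ndisks; disks[d] is the list of blocks on disk d."""
    assert ndisks >= 3, "RAID 5 needs at least three disks"
    per_stripe = (ndisks - 1) * block
    if len(data) % per_stripe:                      # zero-pad the last stripe
        data = data + b"\x00" * (per_stripe - len(data) % per_stripe)
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block:(i + 1) * block] for i in range(ndisks - 1)]
        parity_disk = (ndisks - 1 - s) % ndisks     # parity rotates each stripe
        it = iter(blocks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(blocks) if d == parity_disk else next(it))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]], length: int) -> Optional[bytes]:
    """Read `length` bytes back; disks[d] is None if disk d has failed."""
    ndisks = len(disks)
    failed = [d for d, disk in enumerate(disks) if disk is None]
    if len(failed) > 1:
        return None                                 # one parity cannot cover two losses
    nstripes = len(next(disk for disk in disks if disk is not None))
    out = bytearray()
    for s in range(nstripes):
        parity_disk = (ndisks - 1 - s) % ndisks
        row = [disk[s] if disk is not None else None for disk in disks]
        if failed:
            # rebuild the lost block (data or parity) from the survivors
            row[failed[0]] = xor_blocks([b for b in row if b is not None])
        for d in range(ndisks):
            if d != parity_disk:
                out += row[d]
    return bytes(out[:length])


def parity_consistent(disks: List[List[bytes]]) -> bool:
    """Scrub: every stripe (data + parity) must XOR to all-zero bytes."""
    return all(not any(xor_blocks([disk[s] for disk in disks]))
               for s in range(len(disks[0])))


if __name__ == "__main__":
    text = b"The quick brown fox jumps over the lazy dog"   # constructed payload
    array = raid5_write(text, ndisks=4, block=4)
    degraded: List[Optional[List[bytes]]] = list(array)
    degraded[2] = None                                       # simulate one disk failure
    print("rebuilt:", raid5_read(degraded, len(text)) == text)
```

Note what the scrub does and does not buy: XOR parity detects a corrupted block but cannot say which block in the stripe is wrong, so a silent corruption on an otherwise healthy array is noticed rather than repaired. That is why availability planning pairs RAID with the backups and archives listed on slide 67 instead of treating it as a substitute for them.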