
Communications and Network Security

CHAPTER 4

COMMUNICATIONS AND NETWORK SECURITY

OSI Reference Model
Network Protocols
Network Connectivity Devices
Threats to Network Security
Firewalls
Wireless Communications

 

OSI REFERENCE MODEL

ENCAPSULATION

OSI MODEL

7 layers (A P S T N D P… “All People Seem To Need Data Processing”):
Application
Presentation
Session
Transport
Network
Data Link (with LLC and MAC sublayers)
Physical
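The encapsulation slide above has no code behind it, so here is an added example (written for this edit, not part of the original deck) that builds one frame layer by layer and then peels it apart again, showing which header each layer reads. MAC addresses, IP addresses, ports and the HTTP payload are constructed sample values; the TCP checksum is left at zero to keep the demo short.

```python
import socket
import struct
import zlib

# Constructed sample addresses for the demo (not from the slides)
SRC_MAC = bytes.fromhex("02005e000001")
DST_MAC = bytes.fromhex("02005e000002")
SRC_IP = "10.0.0.1"
DST_IP = "10.0.0.2"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Wrap application data layer by layer: Layer 7 payload -> TCP -> IPv4 -> Ethernet."""
    # Layer 4: a 20-byte TCP header (seq/ack 0, data offset 5, flags PSH|ACK, window 65535).
    # The TCP checksum field is left at 0 to keep the demo short.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp + payload
    # Layer 3: IPv4 header; total length = header + segment, TTL 64, protocol 6 (TCP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    packet = ip + segment
    # Layer 2: Ethernet II header plus a trailing frame check sequence (CRC-32)
    frame = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return frame + struct.pack("<I", zlib.crc32(frame))


def decapsulate(frame: bytes) -> dict:
    """Peel the frame apart again, returning what each layer would read."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("FCS mismatch: frame was damaged on the wire")
    dst_mac, src_mac = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum failed")
    segment = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "data_link": {"dst_mac": dst_mac.hex(), "src_mac": src_mac.hex(), "ethertype": ethertype},
        "network": {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
                    "protocol": packet[9]},
        "transport": {"src_port": src_port, "dst_port": dst_port},
        "application": segment[data_offset:],
    }


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.0\r\n\r\n", 40000, 80)
    print(len(frame), "bytes on the wire")
    print(decapsulate(frame))
```

Note that a Layer 2 switch only ever looks at the first 14 bytes (the MAC addresses), a router at the IPv4 header behind them, and only the receiving host walks all the way in to the application data; the two integrity checks (FCS and IP header checksum) show which layer detects damage to which part of the frame.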

OSI MODEL – LAYER 1 PHYSICAL

Layer 1 (Physical), simply put, is concerned with physically sending electrical signals over a medium. It specifies:
specific cabling,
voltages, and
timings.
This layer actually sends data as electrical signals that other equipment using the same “physical” medium

 

OSI REFERENCE MODEL: LAYER 1 (PHYSICAL)
TRANSMISSION MEDIA/CABLING

OSI REFERENCE MODEL: LAYER 1 (PHYSICAL)
TOPOLOGY

Bus
•No central point of connection
•Difficult to troubleshoot
•One break in the cable takes down the whole network

Ring
•No central point of connection
•Often implemented with a MAU for fault tolerance

Star
•Switch offers fault tolerance, as individual links no longer affect the network
•Switch is still a single point of failure

Mesh
•Most fault tolerant
•Fully redundant
•Partial mesh is often used to save cost

 

OSI REFERENCE MODEL: LAYER 1 (PHYSICAL)
CONNECTIVITY DEVICES

Hub
•Sends all data out all ports
•No addressing
•Historically a cheap point of central connectivity

Modem
•Modulator/Demodulator
•Converts digital signal to analog and back

Wireless Access Point
•Provides wireless devices a point of connection to the wired network.

 

OSI REFERENCE MODEL: LAYER 1 (PHYSICAL)
Threats:
•Theft
•Unauthorized Access
•Vandalism
•Sniffing
•Interference
•Data Emanation

 

OSI MODEL – LAYER 2 DATA LINK

Data Link Layer
LLC (Logical Link Control): error detection
MAC (Media Access Control): physical addressing/resolution and media access determination
ARP (Address Resolution Protocol)
RARP (Reverse Address Resolution Protocol)
Media access control methods:
CSMA/CD: Carrier Sense Multiple Access with Collision Detection (IEEE standard 802.3, Ethernet)
CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance (IEEE standard 802.11, Wireless)
Token Passing: a 24-bit control frame passed around the network environment with the purpose of determining which system can transmit data. There is only one token, and since a system can’t communicate without the token, there are no collisions.

 

MEDIA ACCESS TECHNOLOGIES

Token Passing
CSMA/CD – waits for the medium to be clear, then starts talking, and detects collisions
CSMA/CA – signals intent to talk before transmitting

Collision Domain – the segment where collisions can occur (i.e. two stations try to talk at the same time)
What is the security impact of collision domains? Sniffing (every station on the shared segment sees the traffic) and DoS

 

ETHERNET

The most common form of LAN networking; it has the following characteristics:
Shares media
Broadcast and collision domains (see next slides)
CSMA/CD
Supports full duplex with a switch
Defined by IEEE 802.3

 

ARP

 

SWITCH

 

Layer 2
Uses MAC addresses to direct traffic
Isolates traffic into collision domains
Does NOT isolate broadcasts natively

 

OSI MODEL LAYER 3 NETWORK

Routers Isolate traffic into broadcast domains and use IP addressing to direct traffic

 

VLANS

Routers are expensive
To get broadcast isolation on a switch, a VLAN is necessary
Not all switches support VLANs
A Layer 2 switch (even with a VLAN) doesn’t truly understand Layer 3 IP Addressing
A Layer 3 switch is necessary for inter-VLAN communication

LAYER 3 PROTOCOLS

All protocols that start with the letter “I” except IMAP (which is a Layer 7 mail protocol):
IP
ICMP – IP “helpers” (like ping)
IGMP – Internet Group Management Protocol
IGRP
IPSEC
IKE
ISAKMP

ICMP – “IP helper”
Protocol behind echoing utilities like PING and Traceroute
Frequently exploited:
LOKI: sending data in ICMP headers – a covert channel
Ping of Death: violates the MTU (maximum transmission unit) size
Ping Floods: lots of ping traffic
SMURF: uses a spoofed source address (the target) and directed broadcasts to launch a DDoS

 

OSI MODEL LAYER 4 TRANSPORT

 

OSI Layer 4 (Transport) – provides end-to-end data transport services and establishes a logical connection between two computer systems
The “pony express”
Protocols used at Layer 4:
SSL/TLS (discussed in the Cryptography chapter)
TCP
UDP

 

TCP (TRANSMISSION CONTROL PROTOCOL)

 

Connection oriented “guaranteed” delivery.
Advantages
Easier to program with
Truly implements a session
Adds security
Disadvantages
More overhead / slower
SYN Floods

 

TCP

Reliable connection-oriented protocol
Has guaranteed delivery based on the handshake process (the three-way handshake):

1. SYN
2. SYN/ACK
3. ACK
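To make the three steps concrete, and to show why the "SYN Floods" disadvantage listed on the previous slide exists, here is an added simulation (written for this edit, not from the original deck). It models a server that stores a half-open entry for every SYN next to one that uses SYN cookies, a well-known stateless variant in which the server's initial sequence number is an HMAC over the connection 4-tuple and a coarse timestamp, so nothing is stored until a valid ACK returns. The server address, the tiny backlog limit of 4, the per-run secret and the spoofed flood sources are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed demo values: per-run server secret and a deliberately tiny SYN backlog
SERVER_SECRET = os.urandom(16)
BACKLOG_LIMIT = 4
SERVER_IP, SERVER_PORT = "192.0.2.10", 80


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


class StatefulListener:
    """Textbook handshake: the server keeps a half-open entry for every SYN until the
    third-step ACK arrives. SYNs that are never completed fill the backlog."""

    def __init__(self):
        self.half_open = {}
        self.established = set()

    def receive(self, seg):
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if len(self.half_open) >= BACKLOG_LIMIT:
                return None                      # backlog full: SYN dropped
            isn = int.from_bytes(os.urandom(4), "big")
            self.half_open[key] = isn
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SYN/ACK", isn, seg.seq + 1)
        if seg.flags == "ACK" and key in self.half_open:
            if seg.ack == self.half_open.pop(key) + 1:
                self.established.add(key)
                return "ESTABLISHED"
        return None


class SynCookieListener:
    """SYN-cookie handshake: the ISN is an HMAC over the 4-tuple and a coarse timestamp,
    so nothing is stored until an ACK carrying a valid cookie comes back."""

    def __init__(self, now=time.time):
        self.now = now
        self.established = set()

    def _cookie(self, seg, minute):
        msg = f"{seg.src}:{seg.sport}>{seg.dst}:{seg.dport}|{minute}".encode()
        tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:3], "big")        # low 24 bits of the ISN

    def receive(self, seg):
        minute = int(self.now()) // 60
        if seg.flags == "SYN":
            isn = ((minute & 0xFF) << 24) | self._cookie(seg, minute)
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SYN/ACK", isn, seg.seq + 1)
        if seg.flags == "ACK":
            isn = (seg.ack - 1) & 0xFFFFFFFF
            for cand in (minute, minute - 1):          # accept current and previous minute
                if (cand & 0xFF) == isn >> 24 and self._cookie(seg, cand) == (isn & 0xFFFFFF):
                    self.established.add((seg.src, seg.sport))
                    return "ESTABLISHED"
        return None


def handshake(listener, client_ip, client_port):
    """Run the three steps for one legitimate client; True if the connection is established."""
    syn = Segment(client_ip, client_port, SERVER_IP, SERVER_PORT, "SYN", seq=1000)
    synack = listener.receive(syn)
    if synack is None:
        return False
    ack = Segment(client_ip, client_port, SERVER_IP, SERVER_PORT, "ACK", seq=1001, ack=synack.seq + 1)
    return listener.receive(ack) == "ESTABLISHED"


def flood_then_connect(listener):
    """Constructed flood: BACKLOG_LIMIT SYNs from spoofed sources that never send step 3,
    followed by one real client. Returns whether the real client got through."""
    for i in range(BACKLOG_LIMIT):
        listener.receive(Segment(f"203.0.113.{i + 1}", 40000 + i, SERVER_IP, SERVER_PORT, "SYN", seq=i))
    return handshake(listener, "198.51.100.7", 51000)
```

The stateful listener refuses the real client once the backlog is full of half-open entries, which is the whole mechanism of a SYN flood; the cookie listener has no table to fill, and an ACK with a guessed acknowledgement number fails the HMAC check. Real stacks combine both (a backlog plus cookies under pressure) and a stateful firewall in front can rate-limit SYNs per source.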

 

UDP (USER DATAGRAM PROTOCOL)

 

Connectionless
Unreliable
No handshaking
Desirable when “real time” transfer is essential
Media streaming, gaming, real-time chat, etc.
FTP uses TCP
TFTP uses UDP

 

OSI MODEL LAYER 5 SESSION

 

OSI Layer 5 (Session) – responsible for establishing a connection between two APPLICATIONS! (either on the same computer or on two different computers). Three phases:
Create connection
Transfer data
Release connection

TCP actually provides session-oriented services

 

OSI MODEL LAYER 6 PRESENTATION

 

OSI Layer 6 (Presentation) – presents the data in a format that all computers can understand
This is the only layer of the OSI model that does NOT have any protocol.
Concerned with encryption, compression and formatting

Making sure data is presented in a universal format
File-level encryption
Removing redundancy from files (compression)

 

OSI MODEL LAYER 7 – APPLICATION

 

This layer defines a protocol (a way of sending data) that two different programs or applications understand.
HTTP, HTTPS, FTP, TFTP, SMTP, SNMP, etc.
Application proxies
Non-repudiation
Certificates
Integration with directory services
Time awareness

 

 

TCP/IP MODEL

 

OSI VS. TCP/IP MODEL

 

 

Host-to-Host (Transport)
Network Access (Network Interface)

 

OSI/TCP…WHAT YOU NEED TO KNOW

 

 

THREATS TO NETWORK SECURITY

 

COMMON ATTACKS

 

Virus: A piece of malicious code that can take many forms and serve many purposes. Needs a host in which to live, and an action by the user to spread.
Worm: Similar to a virus, but does not need a host and is self-replicating
Logic Bomb: A type of malicious code that lies dormant until a logical event occurs
Trojan Horse: One program (usually some type of malicious code) masquerades as another. A common means of distributing back door programs
Back Door Programs: A program that allows access (often administrative access) to a system, bypassing normal security controls. Examples are NetBus, Back Orifice, SubSeven

 

COMMON ATTACKS CONTINUED

Salami: Many small attacks add up to equal a large attack
Data Diddling: Altering/manipulating data, usually before entry
Sniffing: Capturing and viewing packets through the use of a protocol analyzer. Best defense: encryption
Session Hijacking: The attacker steps in between two hosts and either monitors the exchange or, often, disconnects one. Session hijacks are a type of Man-in-the-Middle attack. Encryption prevents sniffing, and mutual authentication would prevent a session hijack
Wardialing: An attack on a RAS (Remote Access Server) where the attacker tries to find the phone number that accepts incoming calls. RAS should be set to use caller ID (can be spoofed), callback (best), and configured so that the modem does not answer until after 4 rings.

 

COMMON ATTACKS
CONTINUED

 

 

DoS (Denial of Service): The purpose of these attacks is to overwhelm a system and disrupt its availability
DDoS (Distributed Denial of Service): Characterized by the use of control machines (handlers) and zombies (bots). An attacker uploads software to the control machines, which in turn commandeer unsuspecting machines to perform an attack on the victim. The idea is that if one machine initiating a denial-of-service attack is effective, then having many machines perform the attack is better.
Ping of Death: Sending a ping packet that violates the Maximum Transmission Unit (MTU) size—a very large ping packet.
Ping Flooding: Overwhelming a system with a multitude of pings.

 

COMMON ATTACKS
CONTINUED

 

 

Tear Drop: Sending malformed packets which the operating system does not know how to reassemble. Layer 3 attack
Buffer Overflow: Attacks that overwhelm a specific type of memory on a system — the buffers. Best avoided with input validation
Bonk: Similar to the Teardrop attack. Manipulates how a PC reassembles a packet and allows it to accept a packet much too large.
Land Attack: Creates a “circular reference” on a machine. Sends a packet where source and destination are the same.
SYN Flood: Type of attack that exploits the three-way handshake of TCP. Layer 4 attack. A stateful firewall is needed to prevent it
Smurf: Uses an ICMP directed broadcast. Layer 3 attack. Block directed broadcasts on routers
Fraggle: Similar to Smurf, but uses UDP instead of ICMP. Layer 4 attack. Block directed broadcasts on routers

 

FIREWALLS, PROXIES, AND NAT

 

FIREWALLS AND THE OSI

 

Firewalls: Allow/block traffic
Rules to allow or deny traffic. Can be HW or SW
Layer 3: Static packet filters: base decisions on source/destination IP address and port
Layer 5: Stateful inspection. Knowledge of who initiated the session. Can block unsolicited replies. Protocol anomaly firewalls can block traffic based on syntax being different from what the RFC would specify
Layer 7: Application proxies/kernel proxies: make decisions on content, Active Directory integration, certificates, time

 

FIREWALLS

 

FIREWALLS

Enforce network policy.
Usually firewalls are put on the perimeter of a network and allow or deny traffic based on company or network policy.
MUST have IP forwarding turned off*
Firewalls are often used to create a DMZ.
Generally are dual/multi-homed*
Types of firewalls:
Packet filtering
Stateful
Proxy
Dynamic packet filtering

 

 

PACKET FILTER

Uses access control lists (ACLs), which are rules that a firewall applies to each packet it receives.
Not stateful; just looks at the network and transport layer headers (IP addresses, ports, and “flags”)
Does not look into the application, so cannot block viruses etc.
Generally does not support anything advanced or custom

PACKET FILTER

Packet filters keep no state*
Each packet is evaluated on its own, without regard to previous traffic
Advantages
Disadvantages
fragments
Rule-based access control
Packet filters are still used on the edge of the network, in front of a stateful firewall, for performance reasons.

 

STATEFUL FIREWALL

The firewall (or router) keeps track of connections in a state table. It knows which conversations are active, who is involved, etc.
It allows return traffic to come back, where a packet filter would have to have a specific rule to define returned traffic
More complex, and can be the target of a DoS by an attacker trying to fill up all the entries in the state table / use up memory.
If rebooted, it can disrupt conversations that had been occurring.
Context-dependent access control*
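The difference between the packet filter and stateful slides is easiest to see side by side, so here is an added simulation (written for this edit, not from the original deck). A stateless filter that wants replies to come back has to open a rule like "inbound from source port 443", which also admits an unsolicited packet that merely copies a reply; the stateful firewall admits only packets that reverse a conversation an inside host started. The table limit of three entries, the internal prefix and the addresses are constructed so that state exhaustion and the reboot problem are visible.

```python
from collections import OrderedDict
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed: the protected network
TABLE_LIMIT = 3               # constructed: tiny state table to make exhaustion visible


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


class PacketFilter:
    """Stateless ACL: each packet is judged on its own. To let replies back in, the
    administrator opens a rule such as 'inbound from source port 80/443', and that
    rule cannot distinguish a genuine reply from an unsolicited packet that copies it."""

    def allow(self, pkt):
        if is_internal(pkt.src) and pkt.dport in (80, 443):
            return True                         # outbound web
        if not is_internal(pkt.src) and pkt.sport in (80, 443):
            return True                         # "return traffic" rule, too broad
        return False                            # implicit deny


class StatefulFirewall:
    """Connection table keyed on the 5-tuple. Outbound packets create entries; inbound
    packets pass only if they reverse an existing entry (unsolicited replies blocked)."""

    def __init__(self, limit=TABLE_LIMIT):
        self.table = OrderedDict()
        self.limit = limit

    def allow(self, pkt):
        if is_internal(pkt.src):
            if pkt.dport not in (80, 443):
                return False
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.table:
                if len(self.table) >= self.limit:
                    return False                # table full: new conversations refused
                self.table[key] = "ESTABLISHED"
            return True
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.table

    def reboot(self):
        """Losing the table mid-conversation: in-flight replies now look unsolicited."""
        self.table.clear()


def compare(fw):
    """Constructed traffic: an internal client talks to a web server, the server replies,
    then an outsider sends an unsolicited packet that mimics a reply."""
    request = Packet("tcp", "10.0.0.5", 51000, "203.0.113.80", 443)
    reply = Packet("tcp", "203.0.113.80", 443, "10.0.0.5", 51000)
    probe = Packet("tcp", "198.51.100.9", 443, "10.0.0.5", 51000)
    return {"request": fw.allow(request), "reply": fw.allow(reply), "probe": fw.allow(probe)}


def exhaust(fw):
    """Open TABLE_LIMIT conversations, then try one more; returns the verdict on the extra one."""
    for i in range(TABLE_LIMIT):
        fw.allow(Packet("tcp", f"10.0.0.{20 + i}", 50000 + i, "203.0.113.80", 443))
    return fw.allow(Packet("tcp", "10.0.0.99", 52000, "203.0.113.80", 80))
```

The probe result is the point of the stateful slide: the packet filter lets it in, the stateful firewall drops it. The exhaust function shows the cost, a full table means legitimate new connections are refused, which is the DoS the slide warns about, and reboot shows why a state loss breaks conversations that were in progress.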

 

DYNAMIC PACKET FILTERING

 

 

I believe the author is confused about this topic and is actually describing a stateful filter in the book.
However, there are firewalls that do allow “triggers”; these could be called dynamic packet filters
Like a stateful firewall but more advanced. Can actually rewrite rules dynamically.
Some protocols such as FTP have complex communications that require multiple ports and protocols for a specific application. Packet filters and stateful filters cannot handle these easily; however, a dynamic packet filter can, as it creates rules on the fly as needed.

 

PROXY FIREWALLS

 

Two types of proxies
Circuit level*
Application*

 

Both types of Proxies hide the internal hosts/addressing from the outside world.

 

 

Talk about each of these on next slides

 

APPLICATION PROXIES

 

Like circuit-level proxies, but they actually understand the application/protocol they are proxying.
This allows for additional security, as they can inspect the data for protocol violations or content.

APPLICATION PROXIES

 

 

Advantages
Application proxies understand the protocol, so they can add extra security
Can have advanced logging/auditing and access control features
Ex. Restrict users to only allowed websites
Ex. Inspect data for protocol violations
Ex. Inspect data for malware (viruses etc.)
Disadvantages
Extra processing requires extra CPU (slower)
Proxies ONLY understand the protocols they were written to understand, so you generally have a separate application proxy for EACH protocol you want to proxy

 

APPLICATION PROXIES –

 

Examples:
Internet Security and Acceleration Server (MS web proxy)
SMTP proxies
FTP proxies

 

SECURITY ZONES

It is common practice in network and physical security to group different security levels into different areas or zones. Each zone is either more or less trusted than the other zones. Interfaces between zones have some type of access control to restrict movement between zones (like biometric readers and guard stations, or firewalls). In network security there is often an intermediate zone between the Internet and the internal network called a DMZ.

 

DMZ

 

A buffer zone between an unprotected network and a protected network that allows for the monitoring and regulation of traffic between the two.
Internet accessible servers (bastion hosts) are placed in a DMZ between the Internet and Internal network

DMZ

 

DMZ ARCHITECTURES

 

Multi-homed Firewall
Screened Subnet

 

MULTI HOMED FIREWALL –

 

Multi-homed firewalls may be used to set up a DMZ with a single firewall. (see next slide)
On any multi-homed machine, IP forwarding should be disabled.*

 

 

MULTI-HOMED FIREWALL

 

 

 

SCREENED SUBNET –

 

In a screened subnet, there is a separate firewall on each side of the DMZ.

 

When using this model it is recommended that each firewall be a different vendor/product.
•  Diversity of defense*

 

SCREENED SUBNET

 

NAT/PAT

 

A proxy that works without special software and is transparent to the end users.
Remaps IP addresses, allowing you to use private addresses internally and map them to public IP addresses
NAT allows a one-to-one mapping of IP addresses
PAT allows multiple private addresses to share one public address

 

 

NAT

 

Computer 10.0.0.1 sends a packet to 175.56.28.3
The router grabs the packet and notices it is NOT addressed to it. It modifies the src address to one from its pool (215.37.32.202), then sends the packet on its way to the destination*
The end machine accepts the packet, as it is addressed to it.
The end machine creates a response: src = itself (175.56.28.3), dest = 215.37.32.202
The router grabs the packet, notices the dest address, looks it up in its NAT table, rewrites the dest to 10.0.0.1 and sends it on its way*
The originating machine grabs the response, since it is addressed to it, and processes it.
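The six-step walkthrough above, and the NAT-versus-PAT distinction from the previous slide, as an added simulation (written for this edit, not from the original deck). It uses the slide's own addresses (10.0.0.1, 175.56.28.3 and the pool address 215.37.32.202); the port numbers, the second internal host 10.0.0.2 and the outside "stranger" 198.51.100.9 are constructed. Both translators remember which outside peer each conversation was opened to, so an outsider that was never contacted gets no mapping and is dropped, which is the "stops external entities from starting conversations" advantage.

```python
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """One-to-one NAT: each internal host that talks out borrows a whole public
    address from the pool. Inbound packets are delivered only as replies to a
    conversation the inside host started."""

    def __init__(self, pool):
        self.free = list(pool)
        self.out = {}            # private ip -> public ip
        self.back = {}           # public ip -> private ip
        self.sessions = set()    # (public ip, remote ip) pairs opened from inside

    def outbound(self, p):
        if p.src not in self.out:
            if not self.free:
                return None                        # pool exhausted: packet dropped
            pub = self.free.pop(0)
            self.out[p.src], self.back[pub] = pub, p.src
        pub = self.out[p.src]
        self.sessions.add((pub, p.dst))
        return replace(p, src=pub)                 # step 2: src rewritten, table updated

    def inbound(self, p):
        if (p.dst, p.src) not in self.sessions:
            return None                            # unsolicited: no mapping, dropped
        return replace(p, dst=self.back[p.dst])    # step 5: dst rewritten back


class Pat:
    """Port address translation: many internal hosts share one public address and
    are told apart by the translated source port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        self.out = {}            # (private ip, private port) -> public port
        self.back = {}           # public port -> (private ip, private port)
        self.peers = {}          # public port -> set of (remote ip, remote port)

    def outbound(self, p):
        key = (p.src, p.sport)
        if key not in self.out:
            port = next(self.ports)
            self.out[key], self.back[port] = port, key
            self.peers[port] = set()
        port = self.out[key]
        self.peers[port].add((p.dst, p.dport))
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p):
        if p.dst != self.public_ip or (p.src, p.sport) not in self.peers.get(p.dport, ()):
            return None
        src, sport = self.back[p.dport]
        return replace(p, dst=src, dport=sport)


def walkthrough(router):
    """Replays the slide's exchange between 10.0.0.1 and 175.56.28.3 through the given
    translator and returns each packet as it appears after the router."""
    request = Packet("10.0.0.1", 51000, "175.56.28.3", 80)
    on_the_wire = router.outbound(request)                   # src rewritten to public
    reply = Packet("175.56.28.3", 80, on_the_wire.src, on_the_wire.sport)
    delivered = router.inbound(reply)                         # dst rewritten back to 10.0.0.1
    stranger = Packet("198.51.100.9", 80, on_the_wire.src, on_the_wire.sport)
    return {"outbound": on_the_wire, "reply": delivered, "unsolicited": router.inbound(stranger)}
```

With a one-address pool the Nat class can serve exactly one internal host at a time, which is why PAT (sharing the address by port) is what home and office routers actually do; both versions drop the stranger's packet because no inside host ever addressed it.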

 

 

NAT / PAT

 

Advantages
Allows you to use private addresses internally; you don’t need to get real public IP addresses for each computer
Protects the network by stopping external entities from starting conversations to internal machines
Hides internal network structure
Transparent, doesn’t require special software
Disadvantages
Single Point of Failure / Performance Bottleneck
Doesn’t protect from bad content

 

RFC 1918

 

10.x.x.x
172.16.x.x-172.31.x.x
192.168.x.x

 

 

OVERALL FIREWALL ISSUES

 

Potential bottleneck
Can restrict valid access
Often mis-configured
Except for application proxies firewalls generally do not filter out malware or improper content.
Don’t protect against internal attacks!*

 

OVERALL FIREWALL BEST PRACTICES

 

Block unnecessary ICMP packet types
(Be careful though; know your environment)
Keep ACLs simple
Use implicit deny*
Disallow source-routed packets*
Use least privilege*
Block directed IP broadcasts
Perform ingress and egress filtering*
Block traffic leaving the network from a non-internal address (indicates the network is possibly being used as zombie systems in a DDoS attack)
Block all traffic entering the network from an internal address (indicates a potential spoofing attack)
Enable logging
Drop fragments or re-assemble fragments
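The best-practice list above, together with the RFC 1918 ranges on the previous slide, as one added rule evaluator (written for this edit, not from the original deck). The site's own block 203.0.113.0/24, its web server, the short list of ICMP types it chooses to keep, and the sample traffic are all constructed; the order of checks follows the list: explicit drops (source-routed, fragments, spoofed or private sources, directed broadcast, stray egress), then the few explicit allows, then implicit deny, with a log line for every decision.

```python
import ipaddress

# Constructed site layout: a public block we own and one web server inside it
INTERNAL = ipaddress.ip_network("203.0.113.0/24")
WEB_SERVER = ipaddress.ip_address("203.0.113.10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NEEDED_ICMP = {"echo-reply", "time-exceeded", "fragmentation-needed"}   # "know your environment"


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def evaluate(pkt, direction):
    """Apply the slide's rules in order and return (verdict, reason).
    pkt is a dict with src, dst, proto and optionally dport, icmp_type, fragment, source_routed."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if pkt.get("source_routed"):
        return "DROP", "source-routed packet"
    if pkt.get("fragment"):
        return "DROP", "fragment (drop or reassemble first)"
    if direction == "in":
        if src in INTERNAL:
            return "DROP", "ingress: internal source address (spoofing)"
        if is_rfc1918(src):
            return "DROP", "ingress: RFC 1918 source cannot be legitimate from the Internet"
        if dst == INTERNAL.broadcast_address:
            return "DROP", "directed IP broadcast (Smurf/Fraggle amplifier)"
    else:
        if src not in INTERNAL:
            return "DROP", "egress: non-internal source (possible zombie/spoofed traffic)"
    if pkt["proto"] == "icmp":
        if pkt.get("icmp_type") in NEEDED_ICMP:
            return "ALLOW", "needed ICMP type"
        return "DROP", "unnecessary ICMP type"
    if direction == "out" and pkt["proto"] == "tcp" and pkt.get("dport") in (80, 443):
        return "ALLOW", "outbound web"
    if direction == "in" and pkt["proto"] == "tcp" and dst == WEB_SERVER and pkt.get("dport") == 443:
        return "ALLOW", "inbound HTTPS to the web server"
    return "DROP", "implicit deny"


def audit(traffic):
    """Run a batch through the policy and return one log line per packet (logging enabled)."""
    log = []
    for direction, pkt in traffic:
        verdict, reason = evaluate(pkt, direction)
        log.append(f"{verdict:5} {direction:3} {pkt['src']} -> {pkt['dst']} {pkt['proto']}: {reason}")
    return log


# Constructed sample traffic, one packet per rule worth seeing
SAMPLE = [
    ("in",  {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}),
    ("in",  {"src": "203.0.113.50", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}),
    ("in",  {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}),
    ("in",  {"src": "198.51.100.7", "dst": "203.0.113.255", "proto": "icmp", "icmp_type": "echo-request"}),
    ("out", {"src": "192.168.1.20", "dst": "198.51.100.7", "proto": "udp", "dport": 53}),
    ("out", {"src": "203.0.113.20", "dst": "198.51.100.7", "proto": "tcp", "dport": 443}),
    ("in",  {"src": "198.51.100.7", "dst": "203.0.113.20", "proto": "icmp", "icmp_type": "time-exceeded"}),
    ("in",  {"src": "198.51.100.7", "dst": "203.0.113.20", "proto": "tcp", "dport": 445, "fragment": True}),
]
```

The second and fifth sample packets are the two halves of ingress/egress filtering: an outside packet claiming an inside source, and an inside packet with a source that is not ours. Dropping the first defeats spoofing against us; dropping the second keeps our hosts from being useful as spoofing zombies against someone else.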

 

 

WAN TECHNOLOGY

 

LAN, WAN, MAN

 

 

LAN – local area network
High speed
Small physical area
WAN – wide area network
Used to connect LANs
Generally slow, using serial links
MAN – metropolitan area network
Connect sites together within a medium range area (like a city)

 

CIRCUIT SWITCHING

 

All Data Follows the Same Path

 

CIRCUIT SWITCHING TECHNOLOGIES

 

PSTN
ISDN
DSL
T-carriers

 

DIAL UP (REMOTE ACCESS)

 

Disadvantages
Back door into networks (bypasses the firewall)
Often forgotten about
Slow
Attacks*
War dialing
Defenses*
Dial back / callback
Caller ID restrictions
Use authentication
Answer after 4 or more rings (why: war dialing)
Use a different numbering convention for RAS

 

 

ISDN

 

Uses the same lines as phone lines; directly dial into the company or ISP
BRI
2 B channels (64 Kbps x 2)
1 D channel (control channel), out of band
PRI
23 B channels
1 D channel
Not for personal use

 

ADSL

 

MUCH faster than ISDN (6-30 times faster)
Must live very close to the DSL equipment
Symmetric and Asymmetric
Always on (security concerns)

 

 

 

PACKET SWITCHING

 

PACKET SWITCHING TECHNOLOGIES

X.25
Frame Relay
ATM
VOIP
MPLS
Cable Modems

 

 

CABLE MODEM –

 

High speed access up to 50Mbps via cable TV lines.
Shared bandwidth
Always on (security concerns)

 

MPLS (MULTIPROTOCOL LABEL SWITCHING)

MPLS is used to create cost-effective, private Wide Area Networks (WANs) that are faster and more secure than regular routed “public” IP networks like the Internet.
More secure than the public Internet, because a “virtual” private network (end-to-end circuit) can be built just for your organization
Since it is a private network, we no longer have to configure and maintain traditional encryption-based Virtual Private Networking (VPN) equipment, and can also avoid the latency and delay inherent in that technology.
Provides QoS for VoIP and other high-priority traffic
Purely Layer 3 technology

 

MPLS

 

VOIP VOICE OVER IP

 

Converts analog to digital through use of a telephony adapter (TA) or smartphone
Data is channeled through gateways (often lacking authentication mechanisms, leading to TOLL FRAUD)
At the end of a VoIP connection the smartphone or TA converts the signal back to analog

 

 

VOIP SECURITY ISSUES

 

Eavesdropping (greatest threat)—enable SRTP
Toll fraud
Vishing
SPIT
Performance issues
Latency
Jitter

 

REMOTE ACCESS PROTOCOLS

 

DIAL-UP

 

PPP (Point to Point Protocol): Provides Layer 2 framing for dial-up. Needs other protocols for security
Encryption: MPPE
Authentication:
PAP (Password Authentication Protocol): clear text
CHAP (Challenge Handshake Authentication Protocol): the client responds to a challenge from the server. The only way the client can answer correctly is if the correct password has been entered.
EAP (Extensible Authentication Protocol): extends capabilities beyond passwords (smart cards, biometrics, token devices, etc.)
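The PAP-versus-CHAP point above, as an added working example (written for this edit, not from the original deck). The CHAP response follows RFC 1994 (MD5 over identifier, secret and challenge); the Wire class, the single user "alice" and her secret are constructed so that the difference is checkable: with PAP the secret itself appears in the captured frames, with CHAP only a random challenge and a hash do, and because each challenge is single-use a captured CHAP response cannot be replayed.

```python
import hashlib
import hmac
import os

# Constructed credential store for the demo: username -> shared secret
USERS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Wire:
    """Records every byte string sent, so we can check what an eavesdropper would see."""

    def __init__(self):
        self.captured = []

    def send(self, data: bytes):
        self.captured.append(data)
        return data


class PapServer:
    def authenticate(self, wire, username, password: bytes):
        # PAP: the password itself crosses the link in clear text
        frame = wire.send(username.encode() + b":" + password)
        user, _, pw = frame.partition(b":")
        return hmac.compare_digest(pw, USERS.get(user.decode(), b""))


class ChapServer:
    def __init__(self):
        self.pending = {}          # username -> (identifier, challenge), single use
        self.identifier = 0

    def challenge(self, wire, username):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[username] = (self.identifier, chal)
        wire.send(bytes([self.identifier]) + chal)
        return self.identifier, chal

    def verify(self, wire, username, identifier, response):
        wire.send(bytes([identifier]) + response)
        expected_id, chal = self.pending.pop(username, (None, b""))
        if expected_id != identifier:
            return False           # no outstanding challenge, or a replayed response
        expected = chap_response(identifier, USERS.get(username, b""), chal)
        return hmac.compare_digest(response, expected)


def chap_login(server, wire, username, secret):
    """Client side of CHAP: answer the server's challenge without ever sending the secret."""
    identifier, chal = server.challenge(wire, username)
    return server.verify(wire, username, identifier, chap_response(identifier, secret, chal))


def secret_on_wire(wire, secret):
    """True if the shared secret appears verbatim in anything that crossed the link."""
    return any(secret in frame for frame in wire.captured)
```

CHAP still requires the server to hold the secret in a recoverable form and uses MD5, which is why the slide's next item, EAP, is where certificate and token-based methods live; the property worth remembering from this example is that a challenge-response scheme keeps the secret off the wire and makes a captured exchange worthless for replay.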

 

TUNNELING

 

Tunneling is the function of VPNs: a tunnel encapsulates one protocol within another protocol to create a virtual network.
Can encrypt the original IP headers
Can encrypt the data
Allows for routing non-routable protocols and IP addresses
Can provide remote/internal IP addresses

 

VPN PROTOCOLS

 

Different protocols
PPTP
L2TP
IPSEC

PPTP

 

 

Point to Point Tunneling Protocol
Based on PPP (uses MPPE for encryption and PAP, CHAP or EAP for authentication). Microsoft-led protocol for a tunneling VPN
Only works across IP networks
The remote user connects to an ISP and gets an Internet address
Establishes a VPN connection to the work VPN server and gets an internal IP address
Sends private IP packets encrypted within other IP packets

 

L2TP

 

 

Layer 2 Tunneling Protocol
Cisco designed L2F to break free of dependence on IP networks, but kept it proprietary.
L2TP was a combination of L2F and PPTP
Designed to be implemented in software solutions
THERE IS NO SECURITY with L2TP. It MUST use IPSec to be secured

 

 

 

WIRELESS

 

WIRELESS COMPONENTS

 

Access points are like wireless hubs; they create an infrastructure WLAN
If you use just the wireless cards of computers to communicate together, that is called an ad-hoc* network.
Wireless devices must use the same channel
Devices are configured to use a specific SSID (often broadcast)

 

 

802.11 FAMILY

 

802.11a
54 Mbps
5 GHz
8 channels
802.11b
11 Mbps
2.4 GHz (same as other home devices)
802.11g
54 Mbps
2.4 GHz
802.11i: Wireless with security. First standard to require WPA2
802.11n
100 Mbps
2.4 GHz or 5 GHz

 

WIRELESS SECURITY PROBLEMS

 

Unauthorized access
sniffing
War driving
Unauthorized access points (Man in the middle)

 

 

AIRSNARFING (WIRELESS MITM)

[Figure: Wireless AP; Wireless User; Attacker]

 

TRANSMISSION ENCRYPTION

 

There are many different types of wireless encryption protocols
WEP
Shared authentication passwords
Weak IV (24 bits)
IV transmitted in clear text
RC4 (stream cipher)
Easily crackable
Only option for 802.11b
WPA
Stronger IV
Introduced TKIP
Still uses RC4

TRANSMISSION ENCRYPTION

 

WPA2
AES
CCMP
NOT backwards compatible
WPA and WPA2 Enterprise
Uses 802.1X authentication to have individual passwords for individual users
RADIUS
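The two transmission-encryption slides say WEP's 24-bit IV is "weak" without showing why, so here is an added example (written for this edit, not from the original deck) that makes the point with a toy WEP frame: the per-frame RC4 key is the clear-text IV followed by the shared key, so any two frames that reuse an IV share a keystream, and the XOR of their ciphertexts is just the XOR of their plaintexts. A birthday-bound estimate and a small simulation show how soon a 24-bit IV space repeats when IVs are picked at random. The shared key and the frame contents are constructed; the RC4 routine is the standard algorithm written out so that the block runs offline.

```python
import math
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling followed by the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: per-frame RC4 key = IV || shared key, with the IV sent in the clear."""
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reused(shared_key, iv, plaintext_a, plaintext_b) -> bool:
    """Two frames under the same IV and key: XOR of the ciphertext bodies equals XOR of the
    plaintexts, i.e. the keystream cancelled out. That is why IV reuse breaks a stream cipher."""
    ct_a = wep_encrypt(shared_key, iv, plaintext_a)
    ct_b = wep_encrypt(shared_key, iv, plaintext_b)
    return xor(ct_a[3:], ct_b[3:]) == xor(plaintext_a, plaintext_b)


def frames_until_iv_repeat(rng: random.Random, iv_bits: int = 24) -> int:
    """Simulate a card picking IVs at random; count frames until the first repeat."""
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return count
        seen.add(iv)


def expected_frames_until_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2^bits) frames before a collision is expected."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)
```

A busy access point sends thousands of frames a minute, so the expected value of about five thousand frames means IV reuse is routine rather than rare; TKIP's larger IV and per-packet key mixing reduce this, and WPA2's AES-CCMP replaces the stream cipher altogether, which is why the slides rank the three as they do.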

 

BLUETOOTH

 

Bluetooth is a Personal Area Network protocol designed to free devices from physical wires.

 

Bluetooth Modes
Discovery Mode
Automatic Pairing

 

BLUETOOTH ATTACKS

 

Bluejacking
Sending SPAM to nearby Bluetooth devices
Bluesnarfing
Copies information off of remote devices
Bluebugging
More serious
Allows full use of the phone
Allows one to make calls
Can eavesdrop on calls

 

BLUETOOTH COUNTERMEASURES

 

Disable it if you’re not using it
Disable auto-discovery
Disable auto-pairing

 

WAP

 

Wireless Application Protocol – a protocol developed mainly to allow wireless devices (cell phones) access to the Internet.
Requires a Gateway to translate WAP <-> HTML (see visual)
Uses WTLS to encrypt data (modified version of TLS)
Uses HMAC for message authentication
WAP GAP* problem (see visual and explain)
A lot of wireless devices don’t need WAP anymore.

Cloud Computing

 

A new paradigm in computing that involves the provision and hosting of services over the Internet, modeled on a pay-as-you-go approach.
It allows organizations to extend their existing computing capabilities and also easily scale up.
As of now three varieties of service are provided, namely Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
There are also four different deployment approaches, namely private clouds, public clouds, community clouds, and hybrid clouds.
Cloud computing can offer useful extensions to enterprise architectures, on demand, without any additional capital investment.
Many organizations are concerned with security in the cloud and are hesitant to move into the cloud.

 

TELECOMMUNICATIONS AND NETWORK SECURITY OBJECTIVES

OSI Reference Model
Network Protocols
Network Connectivity Devices
Threats to Network Security
Firewalls
WAN Technology
Wireless Communications

REMEMBER…

 

Senior management is responsible for the physical safety of their employees
Focus on prevention, not correction
Human life should always supersede other assets
Physical security is the first line of defense in protecting a company’s assets

 

TELECOMMUNICATIONS AND NETWORK SECURITY REVIEW

OSI Reference Model
Network Protocols
Network Connectivity Devices
Threats to Network Security
Firewalls
WAN Technology
Wireless Communications