Tel: 020 8456 3550
CHAPTER 4
Communications and Network Security
COMMUNICATIONS AND NETWORK SECURITY
OSI Reference Model
Network Protocols
Network Connectivity Devices
Threats to Network Security
Firewalls
Wireless Communications
OSI REFERENCE MODEL
OSI
ENCAPSULATION
OSI MODEL
7 layers A P S T N D P… “All People Seem to Need DataProcessing” Application
Presentation
Session
Transport
Network
Data link
LLC
MAC
Physical
OSI MODEL – LAYER 1 PHYSICAL
Layer 1 Physical – simply put is concerned with physically sending electric signals over a medium. Is concerned with
specific cabling,
voltages and
Timings
This level actually sends data as electrical signals that other equipment using the same “physical” medium
OSI REFERENCE MODEL: LAYER 1 (PHYSICAL)
TRANSMISSION MEDIA/CABLING
OSI REFERENCE MODEL: LAYER 1 (PHYSICAL)
TOPOLOGY
Bus•No central point of connection
•Difficult to troubleshoot
•One break in cable takes down the whole network
Ring•No central point of connection•Often implemented with a MAU for fault tolerance
Star•Switch offers fault tolerance, as individual links no longer affect the network
•Switch is still a single point of failure
Mesh
•Most fault tolerant
•Fully redundant
•Partial Mesh is often used to spare cost
OSI REFERENCE MODEL: LAYER 1 (PHYSICAL)
CONNECTIVITY DEVICES
Hub•Sends all data out all ports
•No addressing
•Historically a cheap point of central connectivity
Modem•Modulator/Demodulator
•Converts digital signal to analog and back
Wireless Access Point•Provides wireless devices a point of connection to the wired network.
OSI REFERENCE MODEL: LAYER 1 (PHYSICAL)Threats:
•Theft
•Unauthorized Access
•Vandalism
•Sniffing
•Interference
•Data Emanation
OSI MODEL – LAYER 2 DATA LINK
Data Link Layer
LLC Logical Link Control—error detection
MAC Media Access Control—Physical
Addressing/Resolution and media access determination
ARP (Address Resolution Protocol
RARP (Reverse Address Resolution Protocol)
Media Access Control
CSMA/CD Carrier Sense Multiple Access with Collision Detection (IEEE standard) 802.3 Ethernet
CSMA/CA Carrier Sense Multiple Access with Collision Avoidance(IEEE standard) 802.11 Wireless
Token Passing: 24 bit control frame passed around the network environment with the purpose of determining which system can transmit data. There is only one token and since a system can’t communicate without the token, there are no collisions.
MEDIA ACCESS TECHNOLOGIES
Token Passing
CSMA/CD – waits for clear, then starts talking, detect collisions
CSMA/CA – signals intent to talk
Collision Domain – where collisions can occur. (i.e. two people try to talk at the same time)
What is a security impact of collision domains? sniffing, DoS
ETHERNET –
Most common form of LAN networking, has the following characteristics
Shares media
Broadcast and collision domains (see next slides)
CSMA/CD
Supports full duplex with a switch
Defined by IEEE 802.3
ARP
SWITCH
Layer 2
Uses MAC addresses to direct traffic
Isolates traffic into collision domains
Does NOT isolate broadcasts natively
OSI MODEL LAYER 3 NETWORK
Routers Isolate traffic into broadcast domains and use IP addressing to direct traffic
VLANS
Routers are expensive
To get broadcast isolation on a switch, a VLAN is necessary
Not all switches support VLANs
A Layer 2 switch (even with a VLAN) doesn’t truly understand Layer 3 IP Addressing
A Layer 3 switch is necessary for inter-Vlan Communication
LAYER 3 PROTOCOLS
All Protocols that start with the letter “I” except IMAP (which is a layer 7 mail protocol)
IP
ICMP – IP “helpers” (like ping)
IGMP – Internet Group Message Protocol
IGRP
IPSEC
IKE
ISAKMP
ICMP ICMP – “IP helper”
Protocol behind echoing utilities like PING and Traceroute
Frequently exploited
LOKI :sending data in ICMP headers—covert Channel
Ping of Death: violates the MTU (maximum transmission unit) size
Ping Floods: Lots of ping traffic
SMURF: Uses spoofed source address (Target) and directed broadcasts to launch a DDos
OSI MODEL LAYER 4 TRANSPORT
OSI Layer 4 Transport – Provides end-to-end data transport services and establishes a logical connection between 2 computers systems”
The “pony express”
Protocols used at layer 4
SSL/TLS (Discussed in Cryptography Chapter)
TCP
UDP
TCP (TRANSMISSION CONTROL PROTOCOL)
Connection oriented “guaranteed” delivery.
Advantages
Easier to program with
Truly implements a session
Adds security
Disadvantages
More overhead / slower
SYN Floods
TCP
Reliable connection-oriented protocol
Has a guaranteed delivery based on the handshake process
1. SYN
SYN/ACK
ACK
UDP (USER DATAGRAM PROTOCOL)
Connectionless
Unreliable
No handshaking
Desirable when “real time” transfer is essential
Media Streaming, Gaming, live time chat, etc..
FTP uses TCP
TFTP uses UDP
OSI MODEL LAYER 5 SESSION
OSI Layer 5 (Session) – responsible for establishing a connection between two APPLICATIONS! (either on the same computer or two different computers) Create connection
Transfer data
Release connection
TCP actually does session oriented services
OSI MODEL LAYER 6 PRESENTATION
OSI Layer 6 – present the data in a format that all computers can understand
This is the only layer of OSI that does NOT have any protocol.
Concerned with encryption, compression and formatting
Making sure data is presented in a universal format
File level encryption
Removing redundancy from files (compression)
OSI MODEL LAYER 7 – APPLICATION
This defines a protocol (way of sending data) that two different programs or applications understand.
HTTP, HTTPS, FTP, TFTP, SMTP, SNMP, etc…
Application Proxies
Non-Repudiation
Certificates
Integration with Directory Services
Time awareness.
TCP/IP MODEL
OSI VS. TCP/IP MODEL
Host to Host or Transport
Network Access
Or Network Interface
OSI/TCP…WHAT YOU NEED TO KNOW
THREATS TO NETWORK SECURITY
COMMON ATTACKS
Virus: Virus A piece of malicious code that can take many forms and serve many purposes. Needs a host in which to live, and an action by the user to spread.
Worm: Similar to a virus, but does not need a host and is self replicating
Logic Bomb: A type of malicious code that lays dormant until a logical event occurs
Trojan Horse: One program (usually some type of malicious code) masquerades as another. Common means of distributing Back Door Programs
Back Door Programs: A Program that allows access (often administrative access) to a system that bypasses normal security controls. Examples are NetBus, Back Orifice, SubSeven
COMMON ATTACKS CONTINUED
Salami: Many small attacks add up to equal a large attack
Data Diddling: Altering/Manipulating data, usually before entry
Sniffing: Capturing and Viewing packets through the use of a protocol analyzer. Best defense: Encryption
Session Hijacking: Where an attacker steps in between two hosts and either monitors the exchange, or often disconnects one. Session hijacks are types of Man in the Middle attacks. Encryption prevents sniffing and mutual authentication would prevent a session hijack
Wardialing: An attack on a RAS (Remote Access Server) where the attacker tries to find the phone number that accepts incoming calls. RAS should be set to use caller ID (can be spoofed), callback (best), and configured so that modem does not answer until after 4 calls.
COMMON ATTACKS
CONTINUED
Dos Denial of Service: The purpose of these attacks is to overwhelm a system and disrupt its availability
DDoS Distributed Denial of Service: Characterized by the use of Control Machines (Handlers) and Zombies (Bots) An attacker uploads software to the control machines, which in turn commandeer unsuspecting machines to perform an attack on the victim. The idea is that if one machine initiating a denial of service attack, then having many machines perform the attack is better.
Ping of Death: Sending a Ping Packet that violates the Maximum Transmission Unit (MTU) size—a very large ping packet.
Ping Flooding: Overwhelming a system with a multitude of pings.
COMMON ATTACKS
CONTINUED
Tear Drop: Sending Malformed packets which the Operating System does not know how to reassemble. Layer 3 attack
Buffer Overflow: Attacks that overwhelm a specific type of memory on a system — the buffers. Is best avoided with input validation
Bonk : Similar to the Teardrop attack. Manipulates how a PC reassembles a packet and allows it to accept a packet much too large.
Land Attack: Creates a “circular reference” on a machine. Sends a packet where source and destination are the same.
Syn Flood: Type of attack that exploits the three way handshake of TCP. Layer 4 attack. Stateful firewall is needed to prevent
Smurf: Uses an ICMP directed broadcast. Layer 3 attack. Block distributed broadcasts on routers
Fraggle: Similar to Smurf, but uses UDP instead of ICMP. Layer 4 attack. Block distributed broadcasts on routers
FIREWALLS, PROXIES, AND NAT
FIREWALLS AND THE OSI
Firewalls: Allow/Block traffic
Rules to Allow or Deny Traffic. Can be HW or SW
Layer 3: Static Packet Filters: Base decisions on Source/Destination IP Address and Port
Layer 5 Stateful inspection. Knowledge of who initiated the session. Can block unsolicited replies. Protocol Anomaly firewalls—can block traffic based on syntax being different than the RFC would specify
Layer 7: Application Proxies/Kernel Proxies: Make decisions on Content, Active Directory Integration, Certificates, Time
FIREWALLS
FIREWALLS –
Enforce network policy.
Usually firewalls are put on the perimeter of a network and allow or deny traffic based on company or network policy.
MUST have IP forwarding turned off*
Firewalls are often used to create a DMZ.
Generally are dual/multi homed*
Types of firewalls
Packet filtering
State full
Proxy
Dynamic packet filtering
PACKET FILTER –
Uses Access control lists (ACLs), which are rules that a firewall applies to each packet it receives.
Not state full, just looks at the network and transport layer packets (IP addresses, ports, and “flags”)
Do not look into the application, cannot block viruses etc…
Generally do not support anything advanced or custom
PACKET FILTER
Packet filters keep no state*
Each packet is evaluated own it’s own without regard to previous traffic
Advantages
Disadvantages
fragments
Rule based access control
Packet filters are still used on the edge of the network before a statefull firewall for performance reasons.
STATE FULL FIREWALL –
router keeps track of a connections in a table. It knows which conversations are active, who is involved etc…
It allows return traffic to come back where a packet filter would have to have a specific rule to define returned traffic
More complex, and can launch DoS against by trying to fill up all the entries in the state tables/use up memory.
If rebooted can disrupt conversation that had been occurring.
Context dependant access control*
DYNAMIC PACKET FILTERING
I believe the author is confusing about this topic and actually is describing a state full filter in the book.
However there are firewalls that do allow “triggers” these could be called dynamic packet filters
Like a state full firewall but more advanced. Can actually rewrite rules dynamically.
Some protocols such as FTP have complex communications that require multiple ports and protocols for a specific application, packet and statefull filter cannot handle these easily, however dynamic packet filter can as they can create rules on the fly as needed.
PROXY FIREWALLS
Two types of proxies
Circuit level*
Application*
Both types of Proxies hide the internal hosts/addressing from the outside world.
Talk about each of these on next slides
APPLICATION PROXIES
Like circuit layer proxies, but actually understand the application/protocol they are proxing.
This allows for additional security as they can inspect the data for protocol violations or content.
APPLICATION PROXIES
Advantages
Application proxies understand the protocol, so they can add extra security
Can have advanced logging/auditing and access control features
Ex. Restrict users to only allowed websites
Ex. Inspect data for protocol violations
Ex. Inspect data for malware (viri etc..)
Disadvantages Extra processing requires extra CPU (slower)
Proxies ONLY understand the protocols they were written to understand. So you generally have a separate application proxy for EACH protocol you want to proxy
APPLICATION PROXIES –
Examples:
Internet Security and Acceleration Server (MS web proxy)
SMTP proxies
FTP proxies
SECURITY ZONES
It is common practice in network and physical security to group different security levels into different areas or zones. Each zone is either more or less trusted then the other zones. Interfaces between zones have some type of access control to restrict movement between zones (like biometric and guard stations) or firewalls.) In Network security there is often a median zone between the Internet and internal network called a DMZ.
DMZ
A buffer zone between an unprotected network and a protected network that allows for the monitoring and regulation of traffic between the two.
Internet accessible servers (bastion hosts) are placed in a DMZ between the Internet and Internal network
DMZ
DMZ ARCHITECTURES
Multi-homed Firewall
Screened Subnet
MULTI HOMED FIREWALL –
Multi-homed firewalls may be used to setup a DMZ with a single firewall. (see next slide)
On any multi-homed machine, IP forwarding should be disabled.*
MULTI-HOMED FIREWALL
SCREENED SUBNET –
In a screen subnet, there is a separate firewall on both sides of the DMZ.
When using this model it is recommended that each firewall be a different vendor/product.
• Diversity of defense*
SCREENED SUBNET
NAT/PAT
A proxy that works without special software and is transparent to the end users.
Remaps IP addresses, allowing you to use private addresses internally and map them to public IP addresses
NAT allows a one-to-one mapping of IP addresses
PAT allows multiple private address to share one public address
NAT
Computer 10.0.0.1 sends a packet to 175.56.28.3
Router grabs packet, notices it is NOT addressed to it. Modifies the src address to one from it’s pool (215.37.32.202), then sends the packet on it’s way to the destination*
The end machine accepts the packet as it’s addressed to him.
End machine creates response, src = itself (172.56.28.3) dest = 215.37.32.202
Router grabs packet, notices the dest address, and looks up in it’s NAT table, rewrites the dest to 10.0.0.1 and sends it on its way*
Originating machine grabs response since it’s addressed to him, he processes it.
NAT / PAT
Advantages
Allows you to use private addresses Internally, you don’t need to get real public IP addresses for each computer
Protects the network by stopping external entities from starting conversations to internal machines
Hides internal network structure
Transparent, doesn’t require special software
Disadvantages
Single Point of Failure / Performance Bottleneck
Doesn’t protect from bad content
RFC 1918
10.x.x.x
172.16.x.x-172.31.x.x
192.168.x.x
OVERALL FIREWALL ISSUES
Potential bottleneck
Can restrict valid access
Often mis-configured
Except for application proxies firewalls generally do not filter out malware or improper content.
Don’t protect against internal attacks!*
OVERALL FIREWALL BEST PRACTICES
Block un-necessary ICMP packets types.
(Be careful though, know your environment)
Keep ACLS simple
Use Implicit deny*
Disallow source routed packets*
Use least privilege*
Block directed IP broadcasts
Perform ingress and egress filtering*
Block traffic leaving the network from a
non-internal address (indicates the network is possibly being used as zombie systems in a possible DDoS attack.
Block all traffic entering the network from an internal address (indicates a potential spoofing attack)
Enable logging
Drop fragments or re-assemble fragments
WAN TECHNOLOGY
LAN, WAN, MAN
LAN – local area network
High speed
Small physical area
WAN – wide area network
Used to connect LANS
Generally slow, using serial links
MAN – metropolitan area network
Connect sites together within a medium range area (like a city)
CIRCUIT SWITCHING
All Data Follows the Same Path
CIRCUIT SWITCHING TECHNOLOGIES
PSTN
ISDN
DSL
T-carriers
DIAL UP (REMOTE ACCESS)
Disadvantages
Back door into networks (bypass firewall)
Often forgotten about
Slow
Attacks*
War dialing
Defenses*
Dial Back /
Caller ID restrictions
Use authentication
Answer after 4 or more rings (why/war dialing)
Use a different numbering convention for RAS
ISDN
Uses same lines as phone lines, directly dial into company orISP
BRI
2 B Channels (64Kbits x 2)
1 D Channel (control channel) Out of Band
PRI
23 B Channels
1 D Channel
Not for personal use
ADSL
MUCH faster than IDSN (6-30 times faster)
Must live very close to the DSL equipment
Symmetric and Asymmetric
Always on (security concerns)
PACKET SWITCHING
PACKET SWITCHING TECHNOLOGIES
X.25
Frame Relay
ATM
VOIP
MPLS
Cable Modems
CABLE MODEM –
High speed access up to 50Mbps via cable TV lines.
Shared bandwidth
Always on (security concerns)
MPLS (MULTI PROTOCOL LABELED
SWITCHING MPLS is used to create cost effective, private Wide Area Networks
(WANs) faster and more secure than regular routed “public” IP networks like the internet.
More secure than the public internet, because a “virtual” private network (end-to-end circuit)can be built just for your organization
Since it’s a private network, we don’t have to configure and maintain traditional encryption based Virtual Private Networking (VPN) equipment anymore, and can also avoid the latency and delay inherent in this technology.
Provides QoS for VOIP and other high priority traffic
Purely Layer 3 technology
MPLS
VOIP VOICE OVER IP
Converts analog to digital through use of Telephony adapter or smartphone
Data is channeled though gateways (often lacking in authentication mechanisms leading to TOLL FRAUD)
At the end of a VOIP connection the smartphone or TA converts the signal back to
analog
VOIP SECURITY ISSUES
Eavesdropping (greatest threat)—Enable S/RTP
Toll Fraud
Vishing
SPIT
Performance Issues
Latency
Jittering
REMOTE ACCESS PROTOCOLS
DIAL-UP
PPP Point to Point Protocol: Provides Layer 2 framing for dial – up. Needs other protocols for security
Encryption: MPPE
Authentication:
PAP (Password Authentication Protocol): Clear Text
CHAP (Challenge Handshake Authentication Protocol) Client responds to a challenge from the server. The only way the client can answer correctly is if the correct password had been entered.
EAP (Extensible Authentication Protocol) Extends capabilities beyond passwords (smart cards, biometrics, token devices, etc..)
TUNNELING
function of VPNs – Tunnel encapsulates one protocol within another protocol to create a virtual network.
Can encrypts original IP headers
Can encrypts data
Allows for routing non routable protocols and IP addresses
Can provide remote/internal IP addresses
VPN PROTOCOLS
Different protocols
PPTP
L2TP
IPSEC
PPTP
Point to Point Tunneling Protocol
Based on PPP (uses MPPE for encryption and PAP, CHAP or EAP for authentication) Lead by Microsoft protocol for a tunneling VPN
Only works across IP networks
Remote user connects to ISP, gets an Internet Address
Establishes VPN connection to work VPN server, get’s
Internal IP address.
Sends private IP packets encrypted within other IP packets.
L2TP
Layer 2 Tunneling Protocol
Cisco designed L2F to break free of dependence on IP networks, but kept it proprietary.
L2TP was a combination of L2F and PPTP
Designed to be implemented in software solutions
THERE IS NO SECURITY with L2TP. It MUST use IPSec to secure
WIRELESS
WIRELESS COMPONENTS
Access points are like wireless hubs, they create a infrastructure WLAN
If you use just wireless cards of computers to communicate together that is called an ad-hoc* network.
Wireless devices must use the same channel
Devices are configured to use a specific SSID (often broadcasted)
802.11 FAMILY
802.11a
54Mbps
5Ghz
8 channels
802.11b
11Mbs
2.4Ghz (same as other home devices)
802.11g
54Mbs
2.4Ghz
802.11i : Wireless with security. First standard to require WPAII
802.11n
100Mbs
2.4Ghz or 5Ghz
WIRELESS SECURITY PROBLEMS
Unauthorized access
sniffing
War driving
Unauthorized access points (Man in the middle)
AIRSNARFING (WIRELESS MITM)
Wireless AP
Wireless User Attacker
TRANSMISSION ENCRYPTION
There are many different types of wireless encryption protocols
WEP
Shared authentication passwords
Weak IV (24 bits)
IV transmitted in clear text
RC-4 (stream cipher)
Easily crackable
Only option for 802.11b
WPA
Stronger IV
Introduced TKIP
Still used RC-4
TRANSMISSION ENCRYPTION
WPA2
AES
CCMP
NOT backwards compatible
WPA and WPA2 Enterprise
Uses 802.1X authentication to have individual passwords for individual users
RADIUS
BLUETOOTH
Bluetooth is a Personal Area Network protocol designed to free devices from physical wires.
Bluetooth Modes
Discovery Mode
Automatic Pairing
BLUETOOTH ATTACKS
Blue jacking
Sending SPAM to nearby Bluetooth devices
Blue Snarfing
Copies information off of remote devices
Blue bugging
More serious
Allows full use of phone
Allows one to make calls
Can eavesdrop on calls
BLUETOOTH COUNTERMEASURES
Disable it if you’re not using it
Disable auto-discovery
Disable auto-pairing
WAP
Wireless Application Protocol – a protocol developed mainly to allow wireless devices (cell phones) access to the Internet.
Requires a Gateway to translate WAP <-> HTML (see visual)
Uses WTLS to encrypt data (modified version of TLS)
Uses HMAC for message authentication
WAP GAP* problem (see visual and explain)
A lot of wireless devices don’t need WAP anymore.
Cloud Computing
A new paradigm in computing that involves the provision and hosting of services over the Internet, modeled after a pay-as-you-go approach.
It allows organizations to extend their existing computing capabilities and also easily scale up.
As of now three variety of services are provided, namely, Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
There are also four different types of deployment approaches, namely, Private Clouds, Public Clouds, Community Clouds, and Hybrid Clouds.
Cloud computing can offer useful extensions to enterprise Architectures, on demand without any additional capital investment.
Many organizations are concerned with security in the cloud and are hesitating going into the cloud.
TELECOMMUNICATIONS AND NETWORK SECURITY OBJECTIVES
OSI Reference Model
Network Protocols
Network Connectivity Devices
Threats to Network Security
Firewalls
WAN Technology
Wireless Communications
REMEMBER…
Senior management is responsible for the physical safety of their employee
Focus on prevention, not correction
Human life should always supersede other assets
Physical security is the first line of defense in protecting a company’s assets
TELECOMMUNICATIONS AND NETWORK SECURITY REVIEW
OSI Reference Model
Network Protocols
Network Connectivity Devices
Threats to Network Security
Firewalls
WAN Technology
Wireless Communications
