Information Systems Security Telecommunications Domain #7



OSI Reference Model

• Physical
• Data Link
• Network
• Transport
• Session
• Presentation
• Application

Routing

• Dynamic
  – RIP I
  – RIP II
  – OSPF
  – BGP

Cabling Types - Coaxial

• Copper wire insulated by a braided metallic ground shield
• Less vulnerable to EMI
• Two main types
  – 10BASE2 (Thinnet) (185 meters)
  – 10BASE5 (Thicknet) (500 meters)
• Mainly used in one-way networks (TV)
• Two-way networks required special equipment
• Larger minimum arc radius than TP

Cabling Type - TP

• Copper-based
• Two major types
  – UTP: least secure; susceptible to EMI, cross-talk, and eavesdropping; less security than fiber or coaxial; most commonly used today
  – STP: extra outer foil shielding

Cabling Type - Fiber

• Data travels as photons
• Higher speed, less attenuation, more secure
• Expensive and harder to work with
• Two major types
  – Multimode: less expensive, with slower speed
  – Single mode: faster speeds available, but more expensive and delicate

Signal Issues

• Attenuation
  – Interference from the environment
  – Cable runs are too long
  – Poor quality cable
• Cross talk
  – Signals radiate from a wire and interfere with other wires
  – Data corruption
  – More of a problem with UTP

Transmission Types

• Analog
  – Carrier signal used to move data
  – Signal works at different frequencies
  – Used in broadband networks
• Digital
  – Discrete units of voltage
  – Moves data in binary representation
  – Cleaner signal compared to analog

Encoding Techniques

Parameter               AM                     FM               Digital
Signal-to-noise ratio   Low                    Moderate         High
Cost                    Moderate               Moderate         High
Performance over time   Moderate               Excellent        Excellent
Installation            Adjustments required   No adjustments   No adjustments

Synchronous or Asynchronous

• Synchronous
  – Prior agreement of data transmission rules
  – Sending system sends a clocking pulse
  – Stop and start bits are not required
  – T-lines and optical lines use synchronous transmission
• Asynchronous
  – Must use start/stop bits
  – Dial-up connections use asynchronous transmission

Broadband or Baseband

• Baseband
  – Transmission media uses only one channel
  – Digital signaling
  – Used over TP or coax
• Broadband
  – Multiple channels
  – Transmits more data at one time
  – Can use analog signaling
  – Used over coax or fiber (at 100 Mbps or more)
  – Can carry video, audio, data, and images

Plenum Cable

• Polyvinyl chloride (PVC) can give off dangerous chemicals if burned
• Plenum-rated cable is made of safe fluoropolymers
• Should be used in dropped ceilings, raised floors, and other ventilation areas

Number of Receivers

• Unicast
  – One system communicates to one system
• Multicast
  – One system communicates to many systems
  – Class D addresses dedicated to this
  – “Opt-in” method (webcasts, streaming video)
• Broadcast
  – One system communicates to all systems
  – Destination address contains specific values

Types of Networks

• Local Area Network (LAN)
  – Limited geographical area
  – Ethernet and Token Ring
• Metropolitan Area Network (MAN)
  – Covers a city or town
  – SONET, FDDI
• Wide Area Network (WAN)
  – ATM, Frame Relay, X.25

Network Terms

• Internet
  – Network of networks providing a communication infrastructure
  – The web runs on top of this Internet infrastructure
• Intranet
  – Employs Internet technology for internal use: HTTP, web browsers, TCP/IP

• Extranet
  – Intranet-type network that allows specific entities to communicate
  – Usually business partners and suppliers
  – B2B networks
  – Shared DMZ area or VPN over the Internet

Network Configuration

• DMZ
  – Network segment between the protected internal network and the external (non-trusted) network
  – Creates a buffer zone
  – Systems in the DMZ will be the first to come under attack and must be properly fortified

Physical Layer

• Network topologies
  – Physical connection of systems and devices
  – Architectural layout of the network
  – Choice determined by the higher-level technologies that will run on it
• Types: Bus, Ring, Star, Mesh

Bus

• Nodes are connected to a backbone through drops
• Linear bus: one cable with no branches
• Tree: network with branches
• Easy to extend
• Single node failure affects ALL participants
• Cable is the single point of failure

Ring

• Interconnection of nodes in a circle
• Each node is dependent upon the physical connection of the upstream node
• Data travels unidirectionally
• One node failure CAN affect surrounding nodes
• Used more in smaller networks

Star

• All computers are connected to a central device
• Central device is a single point of failure
• No node-to-node dependencies

Mesh

• Network using many paths between points
• Provides transparent rerouting when links are down
• High degree of fault tolerance
• Partial mesh: not every link is redundant
  – Internet is an example
• Full mesh: all nodes have redundancy

Media Access

• Dictates how a system will access the media
• Frames packets with specific headers
• Different media access technologies
  – CSMA
  – Token Ring
  – Polling
• Protocols within the data link layer
  – SLIP, PPP, L2F, L2TP, FDDI, ISDN

Carrier Sense Multiple Access

• CSMA/CD (Collision Detection)
  – Monitors the line to know when it is free
  – When the cable is not busy, data is sent
  – Used in Ethernet
• CSMA/CA (Collision Avoidance)
  – Listens to determine if the line is busy
  – Sends out a warning that a message is coming
  – All other nodes go into waiting mode
  – Used in 802.11 WLANs

Wireless Standards (802.x)

• 802.11 – 2.4 GHz range at 1-2 Mbps
• 802.11b – 2.4 GHz up to 11 Mbps
• 802.11a – 5 GHz up to 54 Mbps
• 802.11g – 2.4 GHz up to 54 Mbps
• 802.11i – Security protocol (replaces WEP)
• 802.15 – Wireless PANs
• 802.16 – Wireless MANs

Access Points

• Connects a wireless network to a wired network
• Devices must authenticate to the AP before gaining access to the environment
• AP works on a specific frequency that the wireless device must “tune itself” to

Service Set ID (SSID)

• WLANs can be logically separated by using subnet addresses
• Wireless devices and APs use the SSID when authenticating and associating
• Should not be considered a security mechanism

Authenticating to the AP

• Station sends a probe to all channels looking for the closest AP
• AP responds with the necessary information and a request for credentials
• If a WEP key is required, the AP sends a challenge to the device; the device encrypts it with the key and sends it back
• If no WEP key is used, the AP could request the SSID value and MAC value

Wired Equivalent Protocol (WEP)

• Protocol used to encrypt traffic for all IEEE wireless standards
• Riddled with security flaws
  – Improper implementation of security mechanisms
  – No randomness (uses the same password)
  – No Automated Dynamic Key Refresh Method (DKRM); requires manual refresh

More WEP Woes

• Small initialization vector values
  – Uses a 24-bit value
  – Exhausts its randomness in as little as 3 hours
• Uses a stream cipher (RC4)
• No data integrity
• Uses XORs: flip a bit in the ciphertext and the corresponding bit in the plaintext is flipped
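The two weaknesses on this slide can be seen directly in code. The block below is an added illustration, not part of the original slides: it implements RC4 inline (the cipher WEP uses), seeds it WEP-style with IV || key, and shows that flipping one ciphertext bit flips exactly the same plaintext bit. It then attaches a keyed MAC to show what a real integrity check catches, and computes how quickly a 24-bit IV space is used up. The key, IV, message, and packet rate are constructed sample values.

```python
"""Added illustration of two WEP weaknesses: a 24-bit IV that runs out quickly,
and an XOR stream cipher with no cryptographic integrity check.  RC4 is
implemented inline; key, IV, message and packet rate are constructed values."""
import hashlib
import hmac
import math

SHARED_KEY = bytes.fromhex("0102030405")   # constructed 40-bit WEP-style key
IV = bytes.fromhex("a1b2c3")                # constructed 24-bit IV
MESSAGE = b"PAY 0010 TO BOB"                # constructed sample payload


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_xor(shared_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP seeds RC4 with IV || key; XOR with the keystream both encrypts and decrypts."""
    stream = rc4_keystream(iv + shared_key, len(data))
    return bytes(d ^ k for d, k in zip(data, stream))


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def bit_flip_demo():
    """Flip one ciphertext bit; the same plaintext bit flips after decryption.
    '0' is 0x30 and '1' is 0x31, so flipping bit 0 of byte 4 turns 0010 into 1010."""
    ciphertext = wep_xor(SHARED_KEY, IV, MESSAGE)
    tampered = flip_bit(ciphertext, 4, 0)
    return wep_xor(SHARED_KEY, IV, ciphertext), wep_xor(SHARED_KEY, IV, tampered)


def make_tag(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """What a real integrity check looks like: a keyed MAC over IV and ciphertext.
    WEP's own CRC-32 ICV is neither keyed nor collision resistant, so it gives
    no such guarantee."""
    return hmac.new(key, iv + ciphertext, hashlib.sha256).digest()


def tag_detects_tampering() -> bool:
    ciphertext = wep_xor(SHARED_KEY, IV, MESSAGE)
    tag = make_tag(SHARED_KEY, IV, ciphertext)
    tampered = flip_bit(ciphertext, 4, 0)
    return not hmac.compare_digest(tag, make_tag(SHARED_KEY, IV, tampered))


def hours_to_exhaust_ivs(iv_bits: int, packets_per_second: float) -> float:
    """Time until every IV value has been used once at a steady packet rate."""
    return (2 ** iv_bits) / packets_per_second / 3600.0


def iv_reuse_probability(iv_bits: int, packets: int) -> float:
    """Birthday bound: chance that at least one IV repeats among `packets` random IVs."""
    n = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * n))


if __name__ == "__main__":
    original, altered = bit_flip_demo()
    print(original, "->", altered)
    print("tamper detected by keyed MAC:", tag_detects_tampering())
    print("hours to use all 2^24 IVs at 1,553 pkt/s: %.2f" % hours_to_exhaust_ivs(24, 1553))
    print("IV reuse probability after 5,000 packets: %.3f" % iv_reuse_probability(24, 5000))
```

The XOR step is the whole story: because ciphertext = plaintext XOR keystream, anyone who can change ciphertext bits changes the corresponding plaintext bits without knowing the key, and only a keyed integrity check (or an AEAD mode, as in WPA2's CCMP) makes such a change detectable. The IV arithmetic shows why "3 hours" is realistic: a busy access point handling a modest packet rate cycles through all 16,777,216 IVs in that time, and the birthday bound shows that repeats start long before the space is exhausted.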

Wireless Application Protocol (WAP)

• Requires a different protocol stack than TCP/IP
• WAP allows wireless devices to access the Internet
• Provides functions at each of the OSI layers similar to TCP/IP
• Founded in 1997 by cell phone companies

Wireless Transport Layer Security

• Security layer of WAP
• Provides privacy, integrity, and authentication for WAP applications
• Data encrypted with WTLS must be decrypted and re-encrypted with SSL or TLS

Common Attacks

• Eavesdropping on traffic and spoofing
• Erecting a rogue AP
• Man-in-the-middle
• Unauthorized modification of data
• War driving
• Cracking WEP
  – Birthday attacks
  – Weak key attacks (AirSnort, WEPCrack)

War Driving

• Necessary components
  – Antenna (omnidirectional is best)
  – Sniffers (TCPDump, Ethereal)
  – NetStumbler, AirSnort, or WEPCrack
• NetStumbler finds APs and logs
  – Network name
  – SSID
  – MAC
  – Channel ID
  – WEP (yes or no)

Wireless Countermeasures

• Enable WEP
• Change the default SSID and don’t broadcast it
• Implement additional authentication
• Control the span of the radio waves
• Place the AP in a DMZ
• Implement a VPN for wireless stations
• Configure the firewall for known MAC and IP addresses

TCP/IP Suite

• TCP – connection-oriented transport layer protocol that provides end-to-end reliability
• IP – connectionless network layer protocol that provides the routing function
• Includes other secondary protocols

Port and Protocol Relations

• Well-known port numbers are 0-1023
  – FTP is 20 and 21
  – SMTP is 25
  – SNMP is 161
  – HTTP is 80
  – Telnet is 23
  – HTTPS is 443
• Source port is usually a high dynamic number, while the destination port is usually under 1024

Address Resolution Protocol (ARP)

• Maps the IP address to the MAC address
• Data link layer understands MAC, not IP
• Element in man-in-the-middle attacks
  – Intruder spoofs its MAC address against the destination’s IP address into the ARP cache
• Countermeasures
  – Static ARP, active monitoring, and IDS to detect anomalies

ARP Poisoning

• Insert a bogus IP-to-MAC address mapping in a remote system
• Misdirect traffic to the attacker’s computer
• Ideal scenario for a man-in-the-middle attack
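The "active monitoring" and "static ARP" countermeasures from the previous slide can be demonstrated with an arpwatch-style checker. The block below is an added example, not from the original slides: it learns IP-to-MAC pairs from observed ARP replies, treats administrator-pinned entries as authoritative, and raises an alert when an IP suddenly answers from a different MAC or when one MAC starts claiming several IPs. All addresses, timestamps, and the reply sequence are constructed sample data.

```python
"""Added example of ARP monitoring as a poisoning countermeasure.  All log
lines and addresses below are constructed sample data."""
from collections import defaultdict

# Constructed: 'static ARP' entries an administrator pinned for critical hosts.
STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01"}   # the default gateway

# Constructed ARP replies as (timestamp, sender IP, sender MAC), in the order seen.
OBSERVED = [
    ("09:00:01", "10.0.0.1",  "00:11:22:33:44:01"),
    ("09:00:02", "10.0.0.20", "00:11:22:33:44:20"),
    ("09:00:03", "10.0.0.21", "00:11:22:33:44:21"),
    ("09:05:10", "10.0.0.1",  "00:11:22:33:44:99"),  # gateway 'moves' to a new MAC
    ("09:05:11", "10.0.0.20", "00:11:22:33:44:99"),  # same MAC now also claims a 2nd IP
    ("09:05:12", "10.0.0.21", "00:11:22:33:44:21"),
]


def monitor_arp(replies, static_entries):
    """Return a list of alert strings.  Rules applied to each reply:
      1. STATIC-MISMATCH: contradicts a pinned (static) entry;
      2. CHANGED: an IP's MAC differs from the one last learned for it;
      3. MULTI-IP: one MAC now claims more than one IP (typical of a poisoner
         answering for both the gateway and a victim)."""
    learned = {}                    # ip -> mac most recently seen
    ips_by_mac = defaultdict(set)   # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        pinned = static_entries.get(ip)
        if pinned is not None and mac != pinned.lower():
            alerts.append(f"{ts} STATIC-MISMATCH {ip} expected {pinned} got {mac}")
        elif ip in learned and learned[ip] != mac:
            alerts.append(f"{ts} CHANGED {ip} was {learned[ip]} now {mac}")
        new_claim = ip not in ips_by_mac[mac]
        ips_by_mac[mac].add(ip)
        if new_claim and len(ips_by_mac[mac]) > 1:
            alerts.append(f"{ts} MULTI-IP {mac} claims {sorted(ips_by_mac[mac])}")
        learned[ip] = mac
    return alerts


def alert_kinds(alerts):
    """Just the rule names, in order, for quick inspection."""
    return [a.split()[1] for a in alerts]


if __name__ == "__main__":
    for line in monitor_arp(OBSERVED, STATIC_ARP):
        print(line)
```

On the constructed sequence the checker is silent during normal operation and produces three alerts once a second MAC begins answering for the gateway: the static-entry mismatch, the change on the victim's IP, and the one-MAC-many-IPs pattern. A real deployment would feed it from a span port or from the ARP tables of the switches and send the alerts to the IDS or SIEM the slide mentions.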

Internet Control Message Protocol (ICMP)

• Status and error messaging protocol
• Ping is an example
• Used by hackers for host enumeration
• Redirects traffic by sending bogus ICMP messages to a router

Simple Network Management Protocol (SNMP)

• Master and agent model
• Agents gather status information about network devices
• Master polls the agents and provides an overall view of network status
• Runs on ports 161 and 162

Simple Mail Transfer Protocol (SMTP)

• Transmits mail between different mail servers
• Security issues with mail servers
  – Improperly configured mail relay
  – Sendmail functions

Other Protocols

• FTP
• TFTP
• Telnet

Repeater Device

• Works at the physical layer
• Extends a network
• Helps with attenuation
• No intelligence built in

Hub Devices

• Works at the physical layer
• Connects several systems and devices
• Also called a multipoint repeater/concentrator
• All data is broadcast
• No intelligence

Bridge Device

• Functions at the data link layer
• Extends a LAN by connecting similar or dissimilar LANs
• Filtering capabilities
• Uses the MAC address
• Forwards broadcast data
• Transparent – Ethernet
• Source Routing – Token Ring

Switch Device

• Transfers a connection from one circuit to another
• Faster than bridges
• Originally made decisions based on MAC
• Major functionality takes place at the Data Link layer
• Newer switches work at the Network layer and use IP addresses

Virtual LAN (VLAN)

• Logical containers used to group users, systems, and resources
• Does not restrict administration based upon the physical location of the device
• Each VLAN has its own security policy
• Used in switches
• Can be static or dynamic

Router Device

• Works at the network layer
• Can connect similar or dissimilar networks
• Blocks broadcasts
• Uses routing tables
• Bases decisions on IP addresses
• Can work as a packet filtering firewall with the use of Access Control Lists

Gateway Device

• Translates different protocols or software formats
• Mail gateways – allow different mail applications to communicate
• Data gateways – allow heterogeneous clients and servers to communicate
• Security gateways – firewalls and perimeter security devices

Bastion Host Device

• Gateway between an internal network and an external network; used for security
• Hardened system
  – Disable unnecessary accounts
  – Disable unnecessary services
  – Disable unnecessary subsystems
  – Remove administrative tools
  – Up to date with patches and fixes
• All systems in the DMZ should be bastion hosts

Firewall Characteristics

• Generation 1 – Packet Filtering
• Generation 2 – Proxy
• Generation 3 – Stateful
• Generation 4 – Dynamic Packet Filtering
• Generation 5 – Kernel Proxies
• All provide transparent protection to internal users

Packet Filtering

• Simplest and least expensive
• Screens with a set of ACLs
• Referred to as a Layer 3 device
• Access depends on network and transport layer information
• Best in low-risk environments
• 1st generation firewall

Circuit Level Proxy

• Makes access decisions based on network and transport layer information
• Not application or protocol dependent
• More protection than a packet filter
• SOCKS is the most commonly used
• Hides information about the network it protects
• 2nd generation firewall

Application Layer Proxy

• Access decision is based on the data payload
• Must understand the command structure of the payload
• Provides a high level of protection
• Can filter application-specific commands
• Logs user activity
• Requires manual configuration of each client computer
• 2nd generation firewall

Stateful Firewall

• Makes access decisions based on IP addresses, protocol commands, historical comparisons, and the contents of the packet
• Uses a state engine and state table
• Monitors connection-oriented and connectionless protocols
• Expensive and complex to administer
• 3rd generation firewall
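The difference between the 1st generation packet filter described a few slides back and the 3rd generation stateful firewall on this slide is easiest to see by running the same three packets through both. The block below is an added example, not from the original slides: a stateless ACL that decides on header fields alone, the permissive ACL it needs in order to let replies back in, and a stateful engine whose state table admits only the replies to connections it has already seen. Rules, addresses, and packets are constructed sample data.

```python
"""Added comparison of a stateless packet filter and a stateful firewall.
Addresses, ports and ACL rules are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # 'out' (internal -> external) or 'in'
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True on a TCP connection-opening segment


# ACL rows: (direction, proto or None, dst_port / (lo, hi) range / None, action); first match wins.
ACL_STRICT = [
    ("out", "tcp", 80,  "allow"),
    ("out", "tcp", 443, "allow"),
    ("in",  None,  None, "deny"),      # default deny inbound
    ("out", None,  None, "deny"),
]
# What a stateless filter must add so that web replies (to high client ports) get through.
ACL_PERMISSIVE = ACL_STRICT[:2] + [("in", "tcp", (1024, 65535), "allow")] + ACL_STRICT[2:]


def _port_matches(rule_port, pkt_port):
    if rule_port is None:
        return True
    if isinstance(rule_port, tuple):
        lo, hi = rule_port
        return lo <= pkt_port <= hi
    return rule_port == pkt_port


def stateless_filter(pkt, acl):
    """Gen-1 behaviour: match header fields against the ACL, nothing else."""
    for direction, proto, port, action in acl:
        if direction != pkt.direction:
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if not _port_matches(port, pkt.dst_port):
            continue
        return action
    return "deny"


class StatefulFirewall:
    """Gen-3 behaviour: outbound packets the ACL allows create a state-table entry;
    an inbound packet is accepted only if it is the reply to one of them."""

    def __init__(self, acl):
        self.acl = acl
        self.state = set()   # (proto, internal_ip, internal_port, external_ip, external_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            action = stateless_filter(pkt, self.acl)
            if action == "allow":
                self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return action
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state and not pkt.syn:
            return "allow"          # reply to a connection we saw go out
        return stateless_filter(pkt, self.acl)


def run_scenario():
    """Client 10.0.0.5 opens a web connection, the server replies, then a stranger
    sends an unsolicited packet to the same client port."""
    client_syn = Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 80, syn=True)
    server_reply = Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 51000)
    stranger = Packet("in", "tcp", "198.51.100.7", 80, "10.0.0.5", 51000)
    flow = (client_syn, server_reply, stranger)
    fw = StatefulFirewall(ACL_STRICT)
    return {
        "stateless_strict": [stateless_filter(p, ACL_STRICT) for p in flow],
        "stateless_permissive": [stateless_filter(p, ACL_PERMISSIVE) for p in flow],
        "stateful": [fw.decide(p) for p in flow],
    }


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(f"{name:22s} {decisions}")
```

The strict stateless ACL blocks the legitimate reply along with the stranger; the permissive one lets the reply through but also admits any packet aimed at a high port, which is the exposure a packet filter carries. The stateful engine gets the reply right and still rejects the stranger, because its decision depends on the connection history in the state table rather than on the header alone.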

Dynamic Packet Filtering Firewalls

• Combination of application proxies and stateful inspection firewalls
• Dynamically changes filtering rules based on several different factors
• May examine the contents and not just the header of packets
• Decisions based on history and admin rules
• 4th generation firewall

Firewall Placement

• Segments internal network subnets and sections to enforce the security policy
• Acts as a ‘choke point’ between trusted and untrusted entities
• Creates a DMZ
• Could use screened host, dual-homed, or screened subnet

Screened Host

• Usual configuration is a router filtering for a firewall
• Reduces the amount of traffic the firewall has to work with
• Screening device is a filtering router
• Screened host is the firewall

Dual Homed

• Two or more interfaces
• One interface for each network
• Allows one firewall to create more than one DMZ
• Forwarding and routing need to be turned off, or packets would not be inspected by the firewall software
• All inbound traffic is directed to the bastion host, then proxied, and passed to the second router

Screened Subnet

• Buffer zone is created by implementing two routers or two firewalls, thus creating a single DMZ
• Provides the most protection of the three architectures because three devices must be compromised before an attacker can get through to the internal network

SLIP Dialup Protocol

• Serial Line Internet Protocol
• Moves IP data over serial lines
• Largely replaced by PPP
• SLIP does not provide
  – Header and data compression
  – Packet sequencing
  – Authentication features
  – Classless IP addressing

PPP Dial Up Protocol

• Point-to-Point Protocol
• Moves digital data over telecommunications lines
• Full duplex protocol
• Can use synchronous and asynchronous transmission
• Authentication through
  – PAP
  – CHAP
  – EAP

Authentication Protocols

• Password Authentication Protocol (PAP)
  – Authenticates remote users
  – Credentials are sent in plain text
• Challenge Handshake Authentication Protocol (CHAP)
  – Authenticates remote users
  – Encrypts usernames and passwords
  – Client uses the user’s password to encrypt the challenge
  – Protects against man-in-the-middle attacks
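The contrast on this slide is concrete once both exchanges are written out. The block below is an added example, not from the original slides: a PAP request carries the password itself, while the CHAP response is computed as in RFC 1994, MD5 over the one-octet Identifier, the shared secret and the challenge, so a captured response does not reveal the secret and cannot be replayed against a fresh challenge. The username, secret, and challenge handling are constructed for the example.

```python
"""Added PAP vs CHAP example.  The user database, secrets and challenges are
constructed values; CHAP's response computation follows RFC 1994."""
import hashlib
import hmac
import os

SECRET_DB = {"alice": b"correct horse battery"}   # constructed shared secrets


# --- PAP ---------------------------------------------------------------
def pap_request(user: str, password: bytes) -> bytes:
    """What goes on the wire: the credentials in clear text."""
    return b"PAP|" + user.encode() + b"|" + password


def pap_verify(packet: bytes) -> bool:
    _, user, password = packet.split(b"|", 2)
    return hmac.compare_digest(SECRET_DB.get(user.decode(), b""), password)


def pap_packet_exposes_password(packet: bytes) -> bool:
    """Anyone on the path can read the password straight out of the PAP packet."""
    return SECRET_DB["alice"] in packet


# --- CHAP --------------------------------------------------------------
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_new_challenge() -> bytes:
    """Authenticator picks a fresh, unpredictable challenge for every attempt."""
    return os.urandom(16)


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    secret = SECRET_DB.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def exchange_chap(user: str, client_secret: bytes):
    """One full exchange: authenticator issues a challenge, client answers with the
    secret it holds, authenticator checks.  Returns (challenge, id, response, accepted)."""
    ident = 1
    challenge = chap_new_challenge()
    response = chap_response(ident, client_secret, challenge)
    return challenge, ident, response, chap_verify(user, ident, challenge, response)


def chap_replay_is_rejected() -> bool:
    """A response captured for one challenge does not satisfy a new challenge."""
    _, ident, captured_response, ok = exchange_chap("alice", SECRET_DB["alice"])
    assert ok
    new_challenge = chap_new_challenge()
    return not chap_verify("alice", ident, new_challenge, captured_response)


if __name__ == "__main__":
    pkt = pap_request("alice", SECRET_DB["alice"])
    print("PAP packet:", pkt, "| password visible on the wire:", pap_packet_exposes_password(pkt))
    print("CHAP with correct secret accepted:", exchange_chap("alice", SECRET_DB["alice"])[3])
    print("CHAP with wrong secret accepted:  ", exchange_chap("alice", b"wrong")[3])
    print("CHAP replay rejected:", chap_replay_is_rejected())
```

Two things are worth noticing in the design. CHAP never sends the secret, but it does require the authenticator to hold it in a recoverable form to compute the same hash, so the secret store on the server side still needs protecting. And the protection against replay comes entirely from the challenge being fresh per attempt; an authenticator that reused challenges would lose it.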

EAP Authentication

• Extensible Authentication Protocol
• Allows authentication protocols to be added to give more flexibility
• Supports multiple frameworks
• Developed for PPP, but now used in LAN and wireless authentication

VPN Technologies

• Tunneling involves establishing and maintaining a logical network connection
• Packets are encapsulated within IP packets and encryption is used for security
• Voluntary tunneling – client manages connection setup
• Compulsory tunneling – carrier provider manages connection setup

PPTP Tunneling Protocol

• Encapsulating protocol used more for end-to-end VPNs instead of gateway VPNs
• Data link layer protocol that provides a single point-to-point connection
• Works only with TCP/IP
• Works at the Internet layer

L2TP Tunneling Protocol

• Works at the data link layer
• Can provide VPNs over WAN links using frame relay, X.25, or ATM
• Cannot encrypt data
• Uses IPSec for security
• Developed by CISCO to combine L2F and PPTP

IPSec Tunneling Protocol

• Provides network layer protection
• Used for gateway-to-gateway VPNs
• Provides authentication, integrity, and confidentiality
• Only works over IP and is becoming the de facto standard

Domain Name Services

• Works within a hierarchical naming structure
• Host name to IP address mapping
• DNS server that holds the resource records for a zone is the authority for that zone
• Uses forward-lookup tables and reverse-lookup tables
• Uses iterative and non-iterative procedures

Network Address Translation

• Invented due to the shortage of IP addresses
• Allows companies to use private addresses
• Can use static mapping on a 1-1 relationship
• Can use dynamic mapping
• Port address translation (PAT)
  – One address is used for all hosts
  – Older term was hiding NAT
• Can be implemented with software (ICS)
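Port address translation, the "hiding NAT" on this slide, is a small state machine, and writing it out shows why hosts behind it are unreachable unless they spoke first. The block below is an added example, not from the original slides: outbound packets get their source rewritten to the one public address plus an allocated port, and inbound packets are translated back only when they match an existing mapping. The public and private addresses are constructed sample values.

```python
"""Added example of port address translation (PAT / 'hiding NAT').  All
addresses and ports are constructed sample values."""

PUBLIC_IP = "203.0.113.5"   # constructed: the single address all private hosts share


class PortAddressTranslator:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, dst ip, dst port) -> allocated public port
        self.out_map = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.in_map = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source; allocate a public port on first use.
        Returns the header tuple as it leaves the public side."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving at the public address back to the private host,
        or return None (drop) when no mapping exists.  The absence of a mapping is
        what keeps unsolicited connections from reaching hidden hosts."""
        if dst_ip != self.public_ip:
            return None
        target = self.in_map.get((dst_port, src_ip, src_port))
        if target is None:
            return None
        return (src_ip, src_port, target[0], target[1])


def run_pat_scenario():
    """Two private hosts, using the same private source port, reach one web server;
    both replies come back to the right host; an unsolicited SSH attempt is dropped."""
    pat = PortAddressTranslator()
    a = pat.outbound("192.168.1.10", 51000, "198.51.100.20", 80)
    b = pat.outbound("192.168.1.11", 51000, "198.51.100.20", 80)
    reply_a = pat.inbound("198.51.100.20", 80, PUBLIC_IP, a[1])
    reply_b = pat.inbound("198.51.100.20", 80, PUBLIC_IP, b[1])
    unsolicited = pat.inbound("198.51.100.99", 12345, PUBLIC_IP, 22)
    return {"a": a, "b": b, "reply_a": reply_a, "reply_b": reply_b, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, value in run_pat_scenario().items():
        print(f"{name:12s} {value}")
```

The translator keys the inbound table on the remote endpoint as well as the public port, so only the peer the private host actually contacted can use the mapping. That is a stricter behaviour than some consumer devices implement, and it is the property that makes "hiding NAT" act as a modest inbound filter even though, as the slide's placement among firewalls suggests, it is not a substitute for one.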

Fiber Distributed Data Interface (FDDI)

• Token passing is the media access method
• Two rings for fault tolerance
• Operates up to 100 Mbps
• CDDI is possible with shorter distances

Synchronous Optical Network (SONET)

• Physical layer standard used by telephony
• Dual ringed and self-healing
• Used to connect T1 and T3 channels
• Carries nearly any higher-level protocol
• Supports 52 Mbps
• Built-in support for maintenance
• SONET 3 is coming with 155.5 Mbps

Dedicated Lines

• Physical communication lines connecting two locations
• Usually more expensive than other options
• Leased from larger service providers
  – T1 – 1.544 Mbps
  – T3 – 44.736 Mbps

Public Switched Telephone Network (PSTN)

• Also known as POTS
• Interconnected systems operated by different companies
• All digital except for the ‘last mile’
• Analog converted to digital at the Central Office

Integrated Services Digital Network (ISDN)

• Moves the ‘last mile’ from analog to digital
• Data rates of 64 Kbps
• Circuit-switched instead of packet-switched
• Uses bearer channels to move data and a single separate channel (D) for setup
• Used by most companies as backup
• BRI – 2 64-kbps B channels and 1 D
• PRI – 23 64-kbps B channels and 1 D

Digital Subscriber Line (DSL)

• Digital solution for the ‘last mile’
• Very high frequency
• Must be a POP within 2.5 miles
• The farther from a POP, the lower the bandwidth
• ‘Always on’ technology
• 32 Mbps for upstream traffic
• 32 Kbps for downstream traffic

Cable Modems

• Service provided by the local cable company
• Security issues of neighborhood sniffing
• Cable modem converts RF to digital
• Could overload cable companies
• Most offer speeds up to 2 Mbps, but it is shared with the neighborhood

X.25

• First WAN packet-switching technology
• Considered a ‘fat’ protocol because of error detection and correction overhead
• Has been replaced by frame relay
• Virtual circuits are used
• Customers share and pay for the same network

Frame Relay

• Fastest WAN packet-switching protocol
• Path set up for two locations to communicate
• Path is permanently configured (PVC)
• Could be dynamically built (SVC)
• Customers are offered a dedicated rate of flow (CIR)
• Inexpensive, with rates from 56K to T1

Asynchronous Transfer Mode (ATM)

• Provides the highest bandwidth
• Uses 53-byte fixed cells
• Intelligence is hardware based
• Technology used for the Internet’s backbone
• Equipment is expensive
• Available in Constant Bit Rate (CBR), Variable Bit Rate (VBR), Available Bit Rate (ABR), or Unspecified Bit Rate (UBR)

Multiplexing (MUX)

• Receives data from different sources and places it on one communication line
• Combines two or more channels onto one transmission medium
• Two types
  – FDM (used by broadband)
  – TDM (used by T1 and T3)

Voice over IP (VoIP)

• Moving voice data in packets
• Allows combining of voice and data
• Long distance calls can be done cheaply
• Uses packet switching instead of the telephone’s circuit switching
• Can experience jitter and latency

Private Branch Exchange (PBX)

• Telephone switch that resides on the customer’s property
• A T1 or T3 connects the switch to the provider’s central office
• Used for switching calls between internal lines and the PSTN
• Newer versions are called Centrex, where switching occurs at the Central Office

PBX Considerations

• Not usually included in security assessments
• Compromising and reconfiguring of the telephone switch by hackers
• Attackers obtaining free long distance
• Disclosure of sensitive information
• Phreakers (telephone hackers)