StaridLabs CISSP Study slides for week 6
CISSP p316-380
Securing Network Components
Deterministic Routing
-traffic only travels on pre-determined routes
Boundary Routers
-advertise routes that external hosts can use to reach internal destinations
-filters external traffic
Design and set up a perimeter! (IDS, FW, filtering)
Network Partitioning
-segment networks into domains of trust
-control what is forwarded between segments
Dual-Homed Host
-has two NICs, each on a separate network
Bastion Host
-gateway between trusted & untrusted that gives limited, authorized access to untrusted hosts
-data diode = simplex communication
Demilitarized Zone (DMZ)
-aka Screened Subnet
-allows an org to give external hosts limited access to public resources, like a web server that hosts the org's site, without giving access to the org's internal network
Hardware
Modems - analog
Concentrators - multiplex connected devices into a single signal
Front-End Processors - purpose is to off-load from the host computer the work of managing the peripheral devices
Multiplexers - select one of several analog or digital input signals and forward the selected input onto a single line
Concentrators vs. Multiplexers
Hubs & Repeaters
-Hubs used for star topology
-All devices receive each other's broadcasts
-All devices can read & modify others' traffic
-Repeaters repeat to help stop signal degradation
Bridges
-layer 2 device (Data link)
-filters traffic between segments based on MAC addresses
-also amplifies signals for large networks
-filters frames not destined for another segment
Switches
-only forwards frames to devices specified in the frame
-forwards broadcasts to all
Routers
-forwards packets to other networks
-reads the destination address from layer 3 (IP address)
-based on its view of the network, it determines the next device on the network to send the packet to
Transmission Media
Wired
Throughput: rate at which the data will be transmitted
Distance: how far in between devices, degrading signal
Data Sensitivity: will someone try to tap this cable?
Environment: bent cables, EMI, RMI, temp
Twisted Pair
-copper wires twisted together to reduce EMI
-each wire is coated then surrounded by jacket
-twists per inch, type of insulation, conductive material
Cat 1-6
Unshielded Twisted Pair (UTP)
-no shielding, duh
-EMI and RMI will kill signal
-easy to tap with radiation monitoring
-cheap and common
Shielded Twisted Pair (STP)
-UTP except it has an electrically grounded shield inside the cable
-expensive and bulky
Coaxial Cable (Coax)
-one thick conductor surrounded by a grounding braid of wire
-great bandwidth and longer runs than TP
-very well insulated
-expensive and bulky
Patch Panels
-alternative to directly connecting devices
-use patch cables to change connections easily
-need to be neat
Wireless
Direct-Sequence Spread Spectrum (DSSS)
-spreads a transmission over a large frequency band with small amplitude
-wider band = less interference
-sender & receiver communicate which frequencies are too cluttered to send data over
Frequency-Hopping Spread Spectrum (FHSS)
-spreads signal over rapidly changing frequencies
-signals rapidly change among sub-frequencies in an order that is agreed upon between sender & receiver
-can interfere with DSSS
-this rapid changing keeps interference minimized
Orthogonal Frequency Division Multiplexing (OFDM)
-signal is divided into sub-frequency bands; each band is shaped so that all of them can be broadcast together without interfering with each other
Frequency Division Multiple Access (FDMA)
-analog
-old cellular technology
-divides band into sub-bands and assigns an analog conversation to each sub-band
-replaced by GSM & CDMA
Time Division Multiple Access (TDMA)
-multiplexes several digital calls (voice or data) on each sub-band by devoting a small time slice in a round-robin to each call in the band
-2 sub-bands are required for each call, 1 for each sender
Mobile Cellular Telephony
Code Division Multiple Access (CDMA)
-spread spectrum cellular tech
-runs like DSSS
CDMA 2000 improves capability by 10x (153 Mbps)
Wideband CDMA: this is 3G
Global Service for Mobile Communications (GSM)
-most popular cell tech
-divides frequency bands into simplex channels
-users ID: Subscriber Identity Module, SIM card
-phone authenticates to the network, but the network doesn't authenticate itself to the phone, which makes it easy to masquerade as another user
Wireless LANs
Authentication is the 1st line of defense
Open System Authentication
-client is permitted to join if its SSID matches the wireless network's
Shared-Key Authentication
-WEP, will talk about later
MAC Address Tables
-Authenticates based on a MAC address
-Easy to spoof, so it's not very effective
Service Set Identifier (SSID) Broadcasting
-name of wireless LAN
-wireless clients send probe asking for SSID response
-router will beacon out the name at all times
-Don't name your SSID "TOP SECRET SECRETS of Wells Fargo"
Placement
-keep your wireless routers in central locations to keep the network radiation from getting outside the walls
-don't keep it in a microwave
Encryption
Wired Equivalent Privacy (WEP)
-uses a shared secret
-before each packet is sent a CRC-32 checksum is appended to it, then both are encrypted using RC4 with the shared secret & initialization vector
-it's weak
WiFi Protected Access (WPA)
-improved use of RC4
-uses Temporal Key Integrity Protocol (TKIP) so there is a new key for each packet
-CRC-32 checksum was replaced with a message integrity check called Michael; it protects header & data from tampering, and also has a frame counter
WPA2 - IEEE 802.11i
-RC4 is replaced with Advanced Encryption Standard (AES)
-TKIP & Michael replaced with Counter Mode/CBC-MAC Protocol (CCMP)
-Supports Extensible Authentication Protocol (EAP)
WiFi Variants
802.11b
-1st version of WiFi
-uses DSSS
-2.4 GHz band
802.11a
-won't work with 'b'
-uses OFDM
-5 GHz band
802.11g
-works with 'b'
-2.4 GHz band
Bluetooth 802.15.1
-uses FHSS on 2.4 GHz band
-Blue Jacking: allows anonymous message to show on device
-Buffer Overflow: remotely exploit bugs in software
-Blue Bug Attack: uses AT commands on the victim's phone to initiate calls and send messages
Address Resolution Protocol (ARP)
-given a layer 3 address (IP), ARP determines the layer 2 address (MAC)
-ARP tracks IP addresses and their MACs in a dynamic table called ARP cache
Point-to-Point Protocol (PPP)
-used to connect a device to a network over a serial line
-dial up
-Password Authentication Protocol (PAP) - cleartext
-Challenge Handshake Authentication Protocol (CHAP) - 3 way handshake
-Uses EAP
Broadband Wireless IEEE 802.16
-WiMAX
-doesn't work like cell towers
-Metro Area Network (MAN)
-channel sizes are flexible
Fiber
-uses glass/plastic to transmit light
Needs
-light source
-optics cable
-light detector
LEDs: cheap, less bandwidth, only good over short distances, used in LANs
Diode Laser: expensive, great distances
Wavelength Division Multiplexing (WDM): 32x capacity
Multimode Fiber: light is transmitted in different modes, cable is 50-100 microns thick; light disperses too much when using medium/long cable runs
Single Mode Fiber: 10 microns thick, light goes down the middle, long runs, great bandwidth, internet backbone
Network Access Control Devices
Firewalls:
-filters traffic based on set of rules
-should always be on internet gateways, and in between trust domains
Filtering: blocks or forwards packets
-by source/destination address
-by service, port number
Network Address Translation (NAT): firewalls can change the source address of a packet on its way out
Port Address Translation (PAT): translates all addresses to one routable IP address & translates the source port number in the packet to a unique value
Static Packet Filtering: fixed rules that cannot be temporarily changed to accept legitimate traffic
Stateful Inspection/Dynamic Packet Filtering: stateful inspection examines each packet in the context of the session, FTP provides a good example
Proxies: User talks to a proxy server, the proxy communicates with the untrusted host and gives that host's response back to the user
Circuit Level Proxy: does not inspect any traffic it forwards
Application Level Proxy:
-relays traffic from trusted endpoint running a specific application to an untrusted host
-analyzes the traffic for manipulation/attacks
-Example: Web Proxy - everyone's browser goes through it
Personal Firewalls: for security in depth, workstation firewalls should be used in tandem with network firewalls
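To make the static vs. stateful filtering contrast above concrete, here is an added example (not from the slides) of a minimal stateful filter: a static rule alone cannot admit the reply to an outbound web connection without leaving that inbound port permanently open, while a session table admits only the reply half of sessions the trusted side opened. The network prefix, addresses, ports and the `Packet`/`StatefulFirewall` names are assumptions for the demo.

```python
from dataclasses import dataclass

# Constructed example, not from the slides: a minimal stateful packet filter.
# A static rule set cannot admit the reply to an outbound connection without
# permanently opening that port inbound; a session table admits only replies
# to sessions the trusted side opened. Addresses and ports are illustrative.

INTERNAL_PREFIX = "10.0.0."          # assumed trusted network
ALLOWED_OUTBOUND_PORTS = {80, 443}   # static rule: only web traffic may leave


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self):
        self.sessions = set()  # outbound 5-tuples seen so far

    @staticmethod
    def _internal(ip):
        return ip.startswith(INTERNAL_PREFIX)

    def check(self, pkt):
        """Return 'allow' or 'drop' for one packet, updating session state."""
        if self._internal(pkt.src_ip) and not self._internal(pkt.dst_ip):
            # outbound: apply the static rule, then remember the session
            if pkt.dst_port not in ALLOWED_OUTBOUND_PORTS:
                return "drop"
            self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port,
                               pkt.dst_ip, pkt.dst_port))
            return "allow"
        # inbound: allowed only as the reply half of a known session
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if key in self.sessions else "drop"


def run_filter_demo():
    """Outbound HTTPS, its reply, an unsolicited inbound, an outbound SSH."""
    fw = StatefulFirewall()
    return [
        fw.check(Packet("10.0.0.5", 51000, "203.0.113.10", 443)),
        fw.check(Packet("203.0.113.10", 443, "10.0.0.5", 51000)),
        fw.check(Packet("203.0.113.10", 443, "10.0.0.5", 51001)),
        fw.check(Packet("10.0.0.5", 51002, "203.0.113.10", 22)),
    ]
```

The reply on the matching 5-tuple is admitted while the inbound packet to a port no session opened is dropped, which is exactly what a static rule could not distinguish.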
End-Point Security
-update antivirus/antimalware
-configured firewall
-hardened configuration/no unneeded services
-patched/updated OS
-encrypt the entire disk
-Remote Management: wipe, geolocate, update operations
Secure Communication Channels
Virtual Private Network (VPN)
-encrypted tunnel between 2 hosts/gateways
IPSec Authentication & VPN Confidentiality
IPSec: suite of protocols for communicating securely through IP
Authentication Header (AH):
-used to prove the identity of the sender and prove the packet has not been tampered with
-Hash value of the packet's contents, based on the shared secret, is inserted into the last field of the AH
-each packet has a sequence number during the security association
-ensures integrity, no confidentiality
Encapsulating Security Payload (ESP):
-encrypts the IP payload and ensures integrity
ESP Header: contains info showing which security association to use and the sequence number
ESP Payload: contains the encrypted part of the packet; endpoints negotiate which encryption to use
ESP Trailer: padding to align fields
Authentication: if used, it contains the hash of the ESP packet
Security Associations (SA)
-defines the mechanisms that an endpoint will use to communicate with its partner
-second SA is needed for 2-way communication
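The AH bullets above (keyed hash over the packet, a sequence number per SA, integrity but no confidentiality) in miniature, as an added example that is not from the slides: the receiver recomputes the hash with the SA's shared secret, rejects a modified packet, and rejects a replayed sequence number while the payload stays readable. The key, the field layout and the strictly-increasing replay check are assumptions for the demo, not the real AH wire format or its sliding window.

```python
import hashlib
import hmac

# Constructed example, not from the slides: the AH idea in miniature. A keyed
# hash over the sequence number, addresses and payload is carried with the
# packet; the receiver recomputes it with the SA's shared secret and also
# rejects sequence numbers it has already accepted. The payload itself stays
# in cleartext (integrity, no confidentiality). Key, field layout and the
# strictly-increasing replay check are illustrative, not the AH wire format.

SHARED_SECRET = b"constructed-sa-key"   # assumed key agreed in the SA


def _covered_bytes(fields):
    """Bytes the ICV covers: seq + src + dst + payload."""
    return (fields["seq"].to_bytes(4, "big") + fields["src"].encode() + b"|"
            + fields["dst"].encode() + b"|" + fields["payload"])


def build_ah_packet(seq, src, dst, payload, key=SHARED_SECRET):
    """Return (fields, icv); icv plays the role of AH's last field."""
    fields = {"seq": seq, "src": src, "dst": dst, "payload": payload}
    return fields, hmac.new(key, _covered_bytes(fields), hashlib.sha256).digest()


class AhReceiver:
    def __init__(self, key=SHARED_SECRET):
        self.key = key
        self.highest_seq = 0  # last accepted sequence number

    def verify(self, fields, icv):
        """Return 'ok', 'tampered' or 'replay'."""
        expected = hmac.new(self.key, _covered_bytes(fields), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, icv):
            return "tampered"
        if fields["seq"] <= self.highest_seq:
            return "replay"
        self.highest_seq = fields["seq"]
        return "ok"


def run_ah_demo():
    """Genuine packet, the same packet replayed, and a packet modified in transit."""
    rx = AhReceiver()
    fields, icv = build_ah_packet(1, "10.0.0.1", "10.0.0.2", b"GET /status")
    results = [rx.verify(fields, icv), rx.verify(fields, icv)]
    fields2, icv2 = build_ah_packet(2, "10.0.0.1", "10.0.0.2", b"GET /status")
    fields2["payload"] = b"GET /admin"  # changed after the ICV was computed
    results.append(rx.verify(fields2, icv2))
    return results
```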
Transport Mode & Tunnel Mode
IPSec will use one of these
Transport Mode: IP payload is protected, client to server, end to end
Tunnel Mode: IP payload & header are protected; the entire protected packet becomes the payload of a new IP packet & header
-used between networks
Internet Key Exchange (IKE)
-authentication component of IPSec
-Two Phases
Phase 1:
Partners authenticate with each other using one of the following:
1. Shared Secret: key is exchanged manually
2. Public Key Encryption: digital certs
3. Revised mode of Public Key Encryption: uses a nonce that is encrypted with the partner's public key
Phase 2:
-Establishes a temporary security association, using the secure tunnel created at the end of Phase 1
High Assurance Internet Protocol Encryptor (HAIPE)
-based on IPSec
-possesses additional restrictions & enhancements
-encrypts multicast data
-requires manual loading of keys
-military grade security
Tunneling
Point-to-Point Tunneling Protocol (PPTP)
-VPN protocol that runs over other protocols
-relies on Generic Routing Encapsulation (GRE) to build the tunnel
-user authenticates with MSCHAPv2, then a Point-to-Point Protocol (PPP) session creates a tunnel
-vulnerable to password guessing
-derives its encryption key from the user's password
Layer 2 Tunnel Protocol (L2TP)
-Hybrid of PPTP and Layer 2 Forwarding (L2F)
-allows callers over a serial line using PPP to connect over the Internet to a remote network
-no encryption of its own
TLS/SSL
Secure Shell (SSH):
-allows user to securely access resources on remote computers over an encrypted tunnel
-remote log on, file transfer, command execution, port forwarding
-strong authentication
SOCKS:
-popular circuit proxy server
-client connects to the SOCKS server, which can then act as a VPN
SSL/TLS VPNs
-remote users use a web browser to access applications
-easy to deploy and set up access
-no network-to-network tunnels
VLAN
-not necessarily on the same physical media, but are part of the same logical routing subnet
Voice
Modems & Public Switched Telephone Networks (PSTN)
-PSTN is a circuit-switched network that was originally used for analog voice
-uses hierarchical tree to route transmissions
War Dialing: dial a range of numbers to identify modems; best defense is to shut off modems
Plain Old Telephone Service (POTS): bi-directional analog voice, high reliability, low bandwidth
Private Branch Exchange (PBX): enterprise class phone system used in business/large orgs
-internal switching network
-analog
VoIP:
-replacing telephony networks
-more configurable/more breakable
-no geo-spatial coordinates with IPs so 911 will leave you to die
Session Initiation Protocol (SIP)
-manages multimedia connections
Multimedia Collaboration
Peer to Peer Applications & Protocols
-monitor p2p apps in your org
-bandwidth consumption/security risks/legality
-it opens uncontrolled channels through your network boundaries
Remote Meeting Technology:
-web based, usually browser extensions
-desktop sharing/remote control
-vendor backdoors
Instant Messaging (IM)
3 classes:
1. Peer to peer networks
2. Brokered communication
3. Server-oriented networks
-All support 1 to 1 and many to many
Open Protocols, Applications, and Services
Extensible Messaging and Presence Protocol (XMPP) & Jabber
-Jabber is an open IM protocol
-XMPP is the formalized name of Jabber
-server based, so a server operator can eavesdrop
Internet Relay Chat (IRC)
-good anonymity
-no security
-client/server based
-IDs can be easily falsified
-most have no confidentiality
-IRC clients can execute scripts