Transcript Data Networks - Auburn University, College of Business

Telecommunications,
Network, and Internet
Security
1
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Introduction
• The telecommunications, network, and
Internet security domain discusses the:
– Network structures
– Transmission methods
– Transport formats
– Security measures used to provide availability,
integrity, and confidentiality
– Authentication for transmission over private
and public communications networks and
media.
2
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Objectives
• The CISSP should be able to:
– Describe the telecommunications and
network security elements as they relate to
the transmission of information in local area,
wide area, and remote access.
– Define the concepts associated with the
Internet, intranet, and extranet
communications, such as firewalls, gateways,
and associated protocols.
3
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Objectives (cont.)
• The CISSP should be able to:
– Identify the communications security
management and techniques that
prevent, detect, and correct errors so
that the protection of information
transmitted over networks is maintained.
4
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Goals of Network
Security
• The common thread among good information security objectives is
that they address all three core security principles.
Prevents unauthorized
disclosure of systems
and information.
Prevents unauthorized
modification of systems
and information.
Availability
Prevents disruption of
service and productivity.
© Copyright 2005 (ISC)2® All Rights Reserved.
5
Telecommunications, Network and Internet Security v5.0
Specific Network Security
Objectives
• The objectives of network security:
– Transmission channels and services
are secure and accessible.
– Interoperability of network security
mechanisms are operational.
– Messages sent are the messages that
are received.
– Message link is between valid source
and destination nodes.
6
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Specific Network Security
Objectives (cont.)
• Message non-repudiation is available.
• Prevent unauthorized disclosure of
messages.
• Prevent unauthorized disclosure of traffic
flows.
• Remote access mechanisms are secure.
• Security mechanisms are easy to
implement and maintain.
• Security mechanisms are transparent to
end-users.
7
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
Multimedia and Quality of Service
Information Security Activities
© Copyright 2005 (ISC)2® All Rights Reserved.
8
Telecommunications, Network and Internet Security v5.0
Section Objectives
• Describe various network
architectures
• List the elements and devices that
comprise a data network
• Describe data network technologies
9
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Network Structures
Examples ….
• Personal Area
Network
• Wireless Personal
Area Network
• Local Area Network
• Metropolitan Area
Network
• Campus Area
Network
•
•
•
•
•
Wide Area Network
Internet
Intranet
Extranet
Value Added
Network
• World Wide Web
• Global Area Network
10
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Network Components
• Data network components include:
– Mainframe/Server Hosts
– File Servers
– Workstations
– Software - Network Operating System
and Applications
11
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Network Components (cont.)
• Data network components include:
– Network Adapter/Network Interface Card
– Hub/Concentrator/Repeater
– Bridges
– Switches - Layer 2, 3, 4, etc.
– Routers
– Gateways
12
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Network Components (cont.)
• Data network
components include:
– Physical Cabling
• Twisted Pair/Coaxial
Cable/Fiber Optics
– Wireless
• Radio Frequency/
Infrared/Optical/
Satellite
13
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Circuit Switched Networks
• Information is segmented into pieces that fit
within a channel or time slot (usually 8 bits).
• A connection is established permanently or on
demand and is maintained between switches in
order to route traffic to the correct destination.
• Traffic is switched based on Time Division
Multiplexing (TDM).
14
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Packet Switched Networks
• Each data packet contains information such as addresses
and sequence numbers.
• A connection is established permanently, or on demand, and
maintained between switches in order to switch traffic to the
correct destination.
• Switches switch the packets to the final destination based on
the header information.
• Traffic is switched based on Statistical Time Division
Multiplexing (STDM)
15
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Circuit vs. Packet Switching
Circuit-Switched
Packet-Switched
• Designed for constant
traffic
• Typically experience
fixed delays
• Connection-oriented
• Traffic is sensitive to
loss of connection
• Voice/video oriented
• Can waste resources
• Designed for bursty
traffic
• Typically experience
variable delays
• Connection-less oriented
• Traffic is sensitive to loss
of data
• Data oriented
• Can introduce delays
16
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Virtual Circuits
• A logical circuit created over a packet
switched network
• Two types
– Permanent Virtual Circuits (PVCs) permanently established circuits that remain
in place till the network administrators delete
them from the switches.
– Switched Virtual Circuits (SVCs)dynamically established when requested
and removed when transmission is finished
17
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
LAN Network Topologies
LANs are logically or physically organized as:
Bus
Tree
Ring
Mesh
Star
18
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
LAN Transmission Methods
• Unicast - packet is sent from
source to destination address
• Multicast - packet is copied and
sent to a specific subset of nodes
on the network
• Broadcast - packet is copied and
sent to all nodes on the network
19
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
LAN Media Access Methods
• Three types of methods are used by
hosts to access the physical network
medium.
– Carrier Sense Multiple Access (CSMA)
• With Collision Avoidance (CSMA/CA)
• With Collision Detection (CSMA/CD)
– Polling
– Token Passing
20
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
LAN Implementations
Subtopics
• Wired
– Ethernet / IEEE
802.3
– Fiber Distributed
Data Interface
(FDDI)
– Token Ring /
IEEE 802.5
• Wireless
– Bluetooth / IEEE
802.15
– 802.11a
– 802.11b
– 802.11g
21
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
LAN Implementations - Wired
Ethernet/IEEE 802.3
• Usage
– Most widely used LAN implementation.
• Access Method
– CSMA/CD, probabilistic
• Topology
– Logically a bus topology, often implemented as a
physical star or sometimes point-to-point.
• Speeds
• Ethernet (10 Mbps), Fast Ethernet (100 Mbps),
Gigabit Ethernet (1 Gbps)
© Copyright 2005 (ISC)2® All Rights Reserved.
22
Telecommunications, Network and Internet Security v5.0
LAN Implementations - Wired
Fiber Distributed Data Interface (FDDI)
• Usage
– Standard originally designed for fiber optic networks.
– Typically used as backbones for LANs/WANs.
– FDDI-2 extension provides for voice, video, and data.
• Access Method
– Token passing, deterministic
• Topology
– Ring
• Speeds
– 100 mps–1000 mps
© Copyright 2005 (ISC)2® All Rights Reserved.
23
Telecommunications, Network and Internet Security v5.0
LAN Implementations - Wired
Token ring IEEE 802.5
• Usage
– Promoted by IBM as their networking standard
• Access Method
– Token passing, single token contains priority mechanism.
– Nodes insert, copy, or remove data.
– Data sent sequentially bit by bit around ring.
• Topology
– Star wired ring topology.
• Speeds
– 16-100mps
© Copyright 2005 (ISC)2® All Rights Reserved.
24
Telecommunications, Network and Internet Security v5.0
Introduction to Wireless
Cordless
Toys
Phones
Appliances
PDAs
WLANs
Cell Phones
25
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Wireless Radio Frequency Band
0
100
200
300
400
500
600
700
800
900
1GHz
3GHz
5GHz
10GHz
28GHz
38GHz
802.11a/h, Phones (5 GHz)
802.11b/g, Bluetooth, Phones (2.4 GHz)
Digital Cellular (1850-1900 MHz)
Cordless Phones, Baby Monitors, Toys (900 MHz)
Analog Cellular (824-894 MHz)
UHF TV (512 – 806 MHz)
FM Radio (88 – 108 MHz)
VHF TV (174 – 216 MHz)
AM Radio (535 – 1605 KHz)
Unlicensed Radio Frequencies
Licensed Radio Frequencies
26
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Wireless Network Standards
• Bluetooth
– Used as short distance
replacement for cabling
– Less than 1 Mbps
– 2.4 GHz frequency band
– Frequency Hopping Spread
Spectrum (FHSS)
• 802.11b
– Extension to 802.11 Wireless
LAN standard
– 11 Mbps data rate
– 2.4 GHz frequency band
– Direct Sequence Spread
Spectrum (DSSS)
• 802.11a
– Extension to 802.11 Wireless
LAN standard
– 54 Mbps data rate
– 5 GHz frequency band
– Orthogonal Frequency Division
Multiplexing (OFDM)
• 802.11g
–
–
–
–
54Mbps data rate
2.4 GHz frequency band
OFDM
802.11b compatible
27
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Wide Area Networks
• Connects LANs together through
technologies such as:
– Dedicated leased lines
– Dial-up phone lines
– Satellite and other wireless links
– Data packet carrier services
28
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
WAN Network Technologies
Subtopics
• Integrated Services
Digital Network
• Point-to-Point Lines
• Digital Subscriber Line
and Cable Modem
• Synchronous Data Link
Control and Derivatives
• X.25
• Frame Relay
• Asynchronous
Transfer Mode
• Wireless Wide Area
• WAP
• i-Mode
• IP Telephony
29
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
ISDN and Point to Point Lines
Integrated Services Digital Network (ISDN)
Attributes:
1.
2.
3.
4.
5.
End-to-End digital connectivity
Integrated access
Small family of standard interfaces
Message-oriented signaling
Customer control
Point to Point Lines
Types
–
–
–
Leased Lines
Digital Circuits
Optical Circuits.
30
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
DSL and Cable Modems
DSL and Cable Modems
• “Always-on” technologies (as opposed to on-demand),
that provide high-speed connections that pose risks to
unprotected computers.
DSL
– Provides high-bandwidth data transport
– Uses existing twisted pair telephone lines
Cable Modem
– High-speed access to the Internet over television
cable lines.
– Uses a modem that filters the coaxial cable
connection.
31
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
SDLC and HDLC
• SDLC and HDLC
– Data link layer protocols.
– Designed for point-to-point connections.
– Developed to carry data.
• Synchronous Data Link Control (SDLC)
– Protocol developed by IBM for their SNA
networks
• High Level Data Link Control (HDLC)
– Based on SLDC but standardized by ISO
32
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
X.25
• International protocol for a packet-switched
network technology
– Defines how connections between user devices and
network devices are established and maintained.
– Operates at the Network and Data Link Layers.
– It uses PVCs and SVCs.
• Used by telecommunication carriers.
• Overhead requirements limit it to lower speeds.
• Data-only support.
33
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Frame Relay
High performance packet switching technology
– Operates at the physical and data link layers of the OSI
model.
– Designed to replace X.25. Originally, data-only support,
implementation supports voice and video as well.
– Uses PVCs and SVCs.
Remote
Host
34
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Asynchronous Transfer Mode (ATM)
• Very high speed cell relay service, similar in a
number of ways to frame relay.
• Transfers data in cells that are a fixed size.
• Small, constant cell size allows video, audio,
and computer data to be transmitted over the
same network.
• It uses PVCs and SVCs.
• It is packet switched.
• Designed to replace frame relay with a faster
technology designed to carry all traffic types.
35
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Wireless Wide Area
• Satellites provide global coverage in
areas where terrestrial cable facilities
are not available.
• Microwave technology also supports
wide area connections.
36
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Generations of Wireless Wide
Area Protocols
• 1G Wireless
– First wave of analog
phones
– Heavy and bulky
– Not many services
other than voice
• 2G Wireless
– Commonly deployed
– Smaller size
– Caller id, paging,
email
• 2.5G Wireless
– Addition of always on
Internet email and
alerts (GPRS)
– Higher data rates
• 3G Wireless
– First hit in Japan late
2001
– Packet technology
– Higher connection
speeds (video
conferencing, MPEG)
37
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Wireless Application Protocol
(WAP)
• Standard protocol for enabling wireless data
access via small portable terminals to secure
transaction services.
• It supports wireless browsing, messaging, and
other applications.
• It uses less resources (i.e., CPU, memory) and
is simpler than TCP/IP.
• WAP supported networks include:
– CDPD, CDMA, GSM, PDC, PHS, TDMA, FLEX,
ReFLEX, iDEN, TETRA, DECT, DataTAC, and
Mobitex
38
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
i-Mode
• Mobile Internet service
• First introduced in Japan by NTT DoCoMo, Inc.
• Now available in European markets through i-mode
partners including Belgium, France, Germany, Greece,
Italy, Spain, Netherlands, etc.
• Wide variety of specialized services including
– Online shopping
– Banking
– Ticket reservation
– Restaurant advice
– Multimedia e-mailing of still and moving images
– Java-based application for downloading and storing
sophisticated content
39
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Mobile Phone Vulnerabilities
• Lack of policies and awareness
• Theft of mobile phones, Personal Digital
Assistants (PDAs) and their data
• Subscriber Identity Module cloning
• False Base Stations
• Stealing secrets using phone-based or
PDA-based cameras, email, storage chips,
etc.
• Access to the Internet, bypassing the
firewalls
40
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Mobile Phone Vulnerabilities
(cont.)
•
•
•
•
Short Message Service spamming
Malicious downloadable code or content
Encryption is weak or non-existent
Turning on wireless encryption does not
mean data is protected end-to-end
– Wired portion of the traffic may travel in the
clear
• Bluetooth vulnerabilities
– Pin length, lack of encryption, bluejacking, etc.
41
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Telephony
• Integrates existing voice network with data
networks.
• Combines data, voice, and video over a single
packet.
• Uses “isochronous” (i.e., time-dependent)
processes where data must be delivered within
certain time constraints -- used for video that
requires synchronization.
• Includes: Voice over IP, Voice over Frame
Relay, Voice over Asynchronous Transfer Mode,
etc.
42
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Quick Quiz
• What is the difference between
synchronous and asynchronous
communication?
• What is the difference between a
circuit-switched network and a packetswitched network?
43
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Summary
• Synchronous communication is the transfer of data that
relies on the presence of a clocking system at both ends
of the transmission.
• Asynchronous communication is the transfer of data by
sending bits sequentially, with start bits and stop bits to
mark beginning and end, without a shared clock.
• A circuit-switched network is a connection established on
demand and maintained between data stations in order
to allow exclusive use of a circuit (transmission line) until
the connection is released.
• A packet-switched network has segmented data, with
each packet containing information such as a destination
address, source address, and packet sequence number.
Network devices route the packets to the final
destination.
44
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
Multimedia and Quality of Service
Information Security Activities
45
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Objectives
• Describe various standard network
protocols
• Describe the OSI network model
• Describe the TCP/IP network protocol
• Identify network protocol
vulnerabilities
46
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Protocol Definition
• A standard set of rules that governs the
exchange of data between hardware and/or
software components in a communications
network.
• A Network Protocol also describes the format of
a message and how it is exchanged.
– When computers communicate with one another, they
exchange a series of messages.
– To understand and act on these messages,
computers must agree on what a message means.
47
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
• Open System Interconnection (OSI)
Model
• Transmission Control Protocol/Internet
Protocol (TCP/IP)
48
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
OSI Model
• Seven Layers
• Data transfer is accomplished by a layer interacting with
the layer above or below through the use of interface
control information.
• ISO 7498
– Describes the OSI model
– Defines the security services that are available and where they
fit in the layered model.
•
•
•
•
Encipherment
Digital Signatures
Access Control
Data Integrity
•
•
•
•
Authentication Exchange
Traffic Padding
Routing Control
Notarization
49
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Layer Interaction
Protocol Layer
Protocol Layer
7
Application
6
Present.
5
Session
Session
4
Transport
Transport
3
Network
2
Data Link
1
Physical
Host 1
Application
Original
Presentation
Message
Hdr3
Hdr2
Hdr1
Data 3
Data 2
Data 1
Network
Tlr3
Data Link
Tlr2
Tlr1
Hdr1Hdr2 Hdr3 Message Tlr3 Tlr2 Tlr1
Physical
Host 2
50
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Application Layer
• Provides a user
interface through
which the user
gains access to the
communication
services.
• Ideal place for endto-end encryption
and access control.
51
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Presentation Layer
• Ensures
compatible syntax
in how the
information is
represented for
exchange by
applications.
• Not used
extensively.
52
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Session Layer
• Coordinates
communications
dialogue between
cooperating application
processes.
• Maintains a logical
connection between
two processes on end
hosts.
• Ideal place for
identification and
authentication.
53
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Transport Layer
• Ensures host-to-host
information transfer.
• Provides reliable,
transparent data transfers
between session entities.
• Isolates the user from any
concerns about the actual
movement of the
information.
• A place to implement
end-to-end encryption.
54
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Layer
• Selects and manages a
route chosen from the
available links arranged
as a network.
• Can determine alternate
routes to avoid
congestion or node
failure.
• A place to implement link,
or end-to-end encryption.
55
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Link Layer
• Responsible for reliable
delivery of information
over a point-to-point or
multi-point network.
• Can be divided into
Logical Link Control
and Media Access
Control.
• Common place to
implement link
encryption.
56
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Physical Layer
• Provides for the
transparent transfer of
a bit stream over a
physical circuit.
• Provides physical or
virtual connection for
transmission between
data link entities.
57
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP/IP
Suite of protocols.
• Transmission Control Protocol (TCP)
• Internet Protocol (IP)
• De facto standard for networking.
• Architecture-independent.
• Security was not originally designed into
the protocols. Therefore, security-specific
protocols have been devised for use on
TCP/IP networks.
58
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
OSI vs. TCP/IP
OSI Model
TCP/IP Implementation
59
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP/IP Application Layer
• Includes the functionality
of the OSI application,
presentation, and session
layers.
• Sends to and retrieves
data from the transport
layer.
• Converts received data to
a usable, viewable format.
60
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP/IP Transport Layer
Transfers data between different
applications on end hosts.
Can construct data in two ways:
• Transmission Control Protocol
(TCP)
• User Datagram Protocol (UDP)
61
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP/IP Network Layer
• Defines how information
is sent between hosts. It
contains the:
– Internet Protocol (IP)
– Internet Control Message
Protocol (ICMP)
– Internet Group
Management Protocol
(IGMP)
62
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP/IP Data Link Layer
• Defines how the physical layer
transmits the network layer
packets between adjacent or
broadcast computers
• Resolves information into bits
that control construction and
exchange of packets.
• Mediates access to the
physical layer.
63
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP/IP Physical Layer
• Defines the encoded signaling
on the transmission channel.
• Specifies the characteristics of
the wire that connects the
machines in a network.
• Specifies how network cards
encode the bits they transmit.
• Includes the transmission
medium.
64
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Encapsulation
• To transmit data across a layered network, the
data passes through each layer of the protocol
stack.
• It begins at the application layer with the
application software passing the data to the
next lower protocol in the stack.
• At each layer the data is encapsulated – the
protocol processes the data in the format that
the next protocol layer requires.
65
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Encapsulation
Send
Receive
Application Layer (Program)
Data
Transport Layer (TCP Module)
TCP Header
Data
IP Header TCP Header
Data
IP Header TCP Header
Data
Network Layer (IP Module)
Data Link Layer
DL Header
66
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Structure Terminology
Application Layer
TCP
UDP
stream
message
segment
packet
datagram
datagram
frame
frame
Transport Layer
Internet (Network)
Layer
Network Access
(Data Link) Layer
67
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP/IP Implementation
Application Layer
Program
Data Link Layer
UDP
TCP
Transport Layer
Network Layer
Program
IGMP
ARP
ICMP
IP
Hardware
Interface
PPP
Physical Layer
Network Cable
68
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP/IP
• The protocols in the TCP/IP suite work
together to:
– Break the data into small pieces that can be
efficiently handled by the network.
– Communicate the destination of the data to
the network.
– Verify the receipt of the data on the other end
of the transmission.
– Reconstruct the data in its original form.
69
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Protocols
Subtopics
• Internet Protocol (IP)
• Transmission Control
Protocol (TCP)
• User Datagram
Protocol (UDP)
• Internet Control
Message Protocol
(ICMP)
• Internet Group
Management Protocol
(IGMP)
© Copyright 2005 (ISC)2® All Rights Reserved.
• Point-to-Point Protocol
(PPP)
• Domain Name System
(DNS)
• Address Resolution
Protocol (ARP)
• Simple Network
Management Protocol
(SNMP)
• Routing Protocols 70
Telecommunications, Network and Internet Security v5.0
Internet Protocol (IP)
• The Internet Protocol is a packetbased protocol used to exchange
data over computer networks.
• Network layer protocol.
• Handles addressing and control
information to allow packets to travel
through the network.
• IP is a best-effort protocol.
71
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Functions
• Define the datagram (the basic unit of
transmission in the Internet).
• Define the Internet addressing scheme.
• Move data between Network Layer and
Transport Layer.
• Route datagrams to remote hosts.
• Perform fragmentation and reassembly of
datagrams.
72
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Addresses
• Composed of 32-bit addresses that are
often displayed in the form of four groups of
decimal digits separated by a period/dot.
• Each group of numbers cannot be larger
than 254.
1 1 0 1 10 0 0
216
00011001
.
25
.
01101000 11001111
104
.
207
73
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP version 6 (IPv6)
• Expands the address to 128 bit.
• Simplifies the header format.
• Provides support for extensions and
options.
• Adds quality of service capabilities.
• Adds address authentication and
message confidentiality and integrity.
74
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Security Issues
• IP Fragmentation Attacks
– Tiny fragment attack
– Overlapping fragment attack
– Teardrop Denial of Service Attack
•
•
•
•
IP Address Spoofing
Source Routing
Smurf and Fraggle
IP Tunneling over other protocols
75
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Transmission Control Protocol (TCP)
• Provides reliable data transmission.
• Retransmits lost/damaged data
segments.
• Sequences incoming segments to
match original order.
• Marks every TCP packet with a source
host and port number, as well as a
destination host and port number.
76
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP Provides:
• Connectionoriented data
management
• Reliable data
transfer
• Stream-oriented
data transfer
• Push functions
•
•
•
•
Resequencing
Flow Control
Multiplexing
Full-duplex
transmission
• Identification of
urgent data
• Graceful close
77
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Connection Oriented TCP
• TCP maintains status and state
information about each user data
stream flowing into and out of the
TCP module.
• TCP provides end-to-end transfer of
data across one network or multiple
networks to a receiving user
application.
78
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Sample TCP Session
Host A
Active open
Host B
SYN(1000)
Passive open
SYN(2000), ACK(1001)
ACK(2001)
Connection
established
Host A close
ACK, data
Connection
established
ACK(2300), FIN(1500)
ACK(1501)
ACK(1501), FIN(2400)
Connection closed
ACK(2401)
Host B close
Connection closed
79
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TCP Security Issues
• TCP Sequence Number Attacks
• Session Hijacking
• SYN Flood
80
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
User Datagram Protocol (UDP)
• Transport layer protocol
• Provides quick and simple service
• Provides unreliable, connectionless,
service for applications
81
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
UDP Security Issues
• Does not offer error correction,
retransmission, or protection from
lost, duplicated, or re-ordered
packets.
• Easier to spoof since there are no
session identifiers (handshake,
sequence number and ACK bit)
82
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Internet Control Message Protocols
(ICMP)
• Used to exchange control messages
between gateways and hosts
regarding the low-level operation of
the Internet.
• Also used for diagnostic tools such as
Ping and Traceroute.
• The ICMP message is encapsulated
within the IP packet.
83
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
ICMP Security Issues
• Denial of Service
– Ping of Death
– Host/Network Not Reachable messages
• ICMP Redirect
• Traceroute
84
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Internet Group Management
Protocol (IGMP)
• Supports multicast transmissions (IP only
supports broadcast and unicast).
• When a message is sent to a particular
multicast group, all computers in that
group will get a copy of the message.
• It is used by hosts to report multicast
group memberships to neighboring
multicast routers.
85
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Point-to-Point Protocol (PPP)
• Data link layer protocol.
• Standardized encapsulation protocol
for transporting packets over dial-up
and dedicated transmission links.
• Supports other protocols, including
authentication protocols.
86
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Domain Name System (DNS)
• Distributed Internet directory service.
• Global network of “name servers” that
translate host names to numerical IP
addresses.
– www.ISC2.org = 209.164.6.194
• Internet services rely on DNS to work, if
DNS fails, web sites cannot be located
and email delivery stalls.
87
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
DNS (cont.)
• It is tree structured.
• Contains two elements:
– Name Server - responds to client
requests by supplying name to address
conversions.
– Resolver - when it does not know the
answer, the resolver element will ask
another name server for the information.
88
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
DNS Security Issues
• Attackers have been known to corrupt the
tree and obtain access to a trusted
machine.
• The name servers can be poisoned so that
legitimate addresses are replaced.
• Unauthorized users could discover
sensitive information if querying is allowed
by users.
89
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Address Resolution Protocol (ARP)
• Used when a node
knows the network layer
address, but needs the
data link layer address
to forward the
encapsulating frame.
• The ARP software
maintains a table of
translations between IP
addresses and data link
addresses.
90
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
ARP (cont.)
• The table is built dynamically - if a
destination data link address is not
found in the table, the node will
broadcast a message on the data link
asking for the host with the chosen IP
address to respond with its data link
address.
91
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Reverse ARP (RARP)
• Used to discover the IP address
which corresponds to a known data
link address (MAC).
• Sometimes used by diskless
workstations to learn their own IP
address.
92
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
ARP Security Issues
• ARP is unauthenticated, thus an attacker
can poison the ARP table to spoof another
host by sending unsolicited ARP replies.
• An attacker can send an ARP reply
mapping the attacker’s MAC address to
the default router’s IP address, the target
will then send all traffic destined for the
router to the attacker’s node. The attacker
“sniffs” the traffic, then forwards it to the
real router.
93
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
ARP Poisoning
94
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Simple Network Management
Protocol (SNMP)
• Provides remote administration of network
devices.
• SNMP is referred to as "simple" because the
agent requires minimal software.
• SNMP accesses particular instances of an object
and each object belongs to a community.
• Community strings are used to provide read-only
or read-write access controls. They authenticate
messages sent between the SNMP manager and
agent.
95
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Routing Protocols
• Routing is the process of selecting a path
through a network.
• At each router in the network, the datagrams are
examined, and the destination address is
mapped to a routing table kept in memory. The
table tells the router which outgoing link to use to
continue sending the datagram.
• Routing protocols are used by routers to
determine the appropriate path that data should
travel.
96
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Routing Protocols
• Routing protocols specify how routers share
information with other routers in the network
that they can reach.
• Routing Protocol examples:
– Routing Information Protocol (RIP)
– Exterior Gateway Protocol (EGP)
– Border Gateway Protocol (BGP)
– Open Shortest Path First Protocol (OSPF)
97
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Routing Protocols Security Issues
• A routing table can be compromised or
altered to:
– Reduce availability
– Reroute traffic from a secure network to a
compromised network
• Networks may not use any authentication
for their routing protocols which might
result in a lack of security for the network
infrastructure.
98
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Routing Protocols Security Issues
(cont.)
Attackers can also use source routed packets or
ICMP redirect messages to bypass controls.
99
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Quick Quiz
• What network protocol is used for
internet communications?
• What is the difference between UDP
and TCP?
• What vulnerabilities exist with ICMP?
• What OSI layer maintains
communications between processes?
• What is IPv6? Why is it important?
© Copyright 2005 (ISC)2® All Rights Reserved.
100
Telecommunications, Network and Internet Security v5.0
Section Summary
• Network protocols provide a standard set of
rules that governs the exchange of data
among hardware and software components
in a communications network.
• Network protocols contain many security
vulnerabilities.
• Some protocols are designed to control
specific vulnerabilities.
101
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
Multimedia and Quality of Service
Information Security Activities
102
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Objectives
•
•
•
•
Describe telephony components
Discuss telephony vulnerabilities
Describe IP telephony
Understand how traditional security
concepts can address IP telephony
security concerns
103
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Telephony
Traditional Voice Network
•Simple analog and digital
phones
•Separate cabling systems
(data and voice)
•Closed and proprietary
PBX (Private Branch
Exchange) systems
•The Public Switched
Telephone Network (PSTN)
104
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Telephony
Voice System Vulnerability
105
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Telephony
Authorized Modem Vulnerability
Telephones
Voicemail
PSTN
Central
Office
PBX
Modems
Authorized
Modem
ISP
Attacker
Internet
Central
Office
IDS
LAN
Firewall
Servers
Workstations
106
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Telephony
Outbound Modem Vulnerability
Telephones
Voicemail
PSTN
Central
Office
PBX
Modems
ISP
Attacker
Internet
Central
Office
IDS
LAN
Firewall
Servers
Workstations
107
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Telephony
Voice Eavesdropping
Winnipeg Office
Telephones
PSTN
Central
Office
Voicemail
PBX
PBX
Modems
Toronto Office
ISP
PBX
Internet
Central
Office
IDS
LAN
Firewall
Servers
Workstations
108
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Traditional Voice & Data Network
109
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Concept of IP Telephony with
Wireless
• IP phones and
softphones that can run
PC applications
Internet
•Voice servers providing
IP PBX, Voice Mail,
Messaging, etc.
•Media gateways to
connect to the PSTN and
TDM components
•TDM trunks and IP
trunks
Router
Corporate
LAN
Server
PSTN
Telephony
Server
Access
Points
IP Phones
Wireless
LAN
Phones
110
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Telephony Network Issues
• Inherits security issues of traditional IP
networks
– Uses Non-secure operating systems
– IP/Web based administration
– Susceptible to Denial of Service (DoS) against
media sometimes makes it unusable
– Connected to an un-trusted IP network
– Authentication should be user-transparent
• IP Telephony intelligence advancing rapidly
111
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Telephony Vulnerabilities
• Voice System
–
–
–
–
Operating System/Support Software Implementation
Application implementation
Application manipulation (Toll Fraud, Blocking)
Unauthorized administrative access
• Network and media:
–
–
–
–
–
DoS on media and signaling
DoS against media gateway / TDM sites
DoS against any shared network resource
Eavesdropping on conversations
Media Tunneling
112
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Phone attacks
• IP Phone attacks
• ‘Rogue’ softphones
• Implementation attacks (DoS and access
controls)
• Remote access attacks
• Local access attacks
• Unauthorized firmware / applications
• Protocol attacks
113
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Telephony Security
Subtopics
• Apply the IP security safeguards
to the voice network:
–Firewalls
–Strong Authentication
–Virtual Private Networks
–Intrusion Detection
114
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Telephony Security
Voice Firewall Application
X
Alert
•Unauthorized calls should be blocked by the firewall
115
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Strong Authentication
Audit Trail
Produced
•Modem calls should require two-factor authentication
116
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Voice, Fax, Modem, Video VPN
•Calls between sites should use encryption
117
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Intrusion Detection
Alert Sent
to IDS
Call
Monitored!!
• Real-time monitoring of abusive call patterns, DTMFbased attacks
• Modem/Fax Recording and Content Monitoring
118
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Telephony Security
Recommendations
• Voice Servers
–
–
–
–
–
–
–
–
Secure the operating system/network services
Patch maintenance
Use strong authentication for authorized hosts
Maintain strong physical security
Follow best practices for basic server/IP security
Consider using host-based security
Consider deploying a firewall and IDS
Control access by IP Phones and softphones
119
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Telephony Security
Recommendations
Engineer the network to have proper security
– Maintain strong security on all networking components
– Limit the number of calls over media gateways
• Infrastructure requirements
– Switched networks
– Firewalls and NIDS
• Perimeter firewalls block unauthorized IP Telephony
– VLANs
• Encryption
– Encrypting phones
– Un-trusted parts of the network
© Copyright 2005 (ISC)2® All Rights Reserved.
120
Telecommunications, Network and Internet Security v5.0
IP Telephony Security
Recommendations
• Engineer the network to have proper security
– Deploy IP Telephony aware perimeter devices
for end-to-end security
• Perform high speed processing of the media (and
NAT)
• Open and close ports for media sessions
• Inspect media for tunneling, illegal flow levels, and
DoS
• Provide intrusion prevention functions for signaling
• Implement VPN functions, if desired
• Support appropriate QoS standards
121
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IP Telephony Security
Recommendations
• IP Phones
– Update default administrator passwords
– Disable unnecessary remote access features
– Prevent casual local configuration of the IP
Phone
– Secure the firmware upgrade process
– Insist upon IP Phones that support security
features
– Limit use of the web server
– Enable logging
– Cautiously use IP softphones
122
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Quick Quiz
• What are some examples of
telephony vulnerabilities?
• What are the advantages and
disadvantages of IP telephony?
123
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Summary
• The traditional voice network has known
vulnerabilities.
• These security issues can be addressed by
applying technologies with parallels in the data
network, such as firewalls, intrusion detection,
VPN’s, etc.
• IP Telephony introduces new vulnerabilities.
• IP Telephony vulnerabilities can be addressed
with a combination of existing and new
technologies.
• Voice is a unique application and security should
be managed similarly for the current and IP
124
Telephony networks.
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
– Remote Access Security Methods
– Tunneling Standards
– Virtual Private Networks
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
Multimedia and Quality of Service
Information Security Activities
© Copyright 2005 (ISC)2® All Rights Reserved.
125
Telecommunications, Network and Internet Security v5.0
Section Objectives
• Describe various methods of remote
access to a network
• Discuss remote access control
techniques
• Describe remote access tunneling
protocols
• Describe virtual private networks
(VPNs)
126
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Remote Access Services
Typically conducted over an untrusted network.
• Increased risk to disclosure, modification, and
denial of service.
• Remote access security minimums
– Strong identification and authentication services
• Rapid growth of remote access via the Internet
– Wide availability
– Economical
127
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Remote Access Technologies
Allows users to access network
information through a dial-in or wireless
connection.
Telecommuter
Network
Access
Server
Branch
Office
Mobile
User
© Copyright 2005 (ISC)2® All Rights Reserved.
128
Telecommunications, Network and Internet Security v5.0
Internet Access
Allows users to access network information
through an Internet Service Provider (ISP)
connection.
Corporate
Gateway
Mobile
User
129
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
General Remote Access
Safeguards
• Publish a clear/definitive remote access
policy and enforce it through audit.
• Justify all remote users and review
regularly, such as yearly.
• Identify and periodically audit all remote
access facilities, lines and connections.
• Consolidate all general user dial-up
facilities into a central bank that is
positioned on a DMZ.
130
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
General Remote Access
Safeguards (cont.)
• Use phone lines restricted to outbound
access for dial-out services.
• Set modems to answer after a predetermined number of rings; counters “war
dialers.”
• Use secure modems for single-port
diagnostic and administrative access, or
unplug when not in use.
• Consolidate remote access facilities when
practical.
131
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
General Remote Access
Safeguards (cont.)
• Implement two-factor user authentication
and network access restrictions for remote
access to all resources on private
WAN/LANs.
• Use Virtual Private Networks for sensitive
data communications on public networks.
• Use personal firewalls and anti-virus tools
on remote computers.
132
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Remote Access Controls
Three basic methods to restrict dial-up remote
access are:
• Restricted Access – Only accepts incoming calls
from addresses on approved list.
• Caller ID – Checks each caller’s telephone
number against an approved list.
• Callback – Callers identify themselves to the
server with passcodes or ID numbers. The
server terminates connection and calls the user
back at pre-determined phone number.
133
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Tunneling
• Tunneling is the act of packaging one
network packet (the tunneled packet)
inside another (the transport packet).
• The tunnel is the vehicle for encapsulating
packets inside a protocol that is
understood at the entry and exit points of a
given network.
• For confidentiality and integrity, the tunnels
should be encrypted.
134
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Tunneling (cont.)
• Tunneling can allow different protocols to travel
over a public IP network.
• Protocols being used are:
–
–
–
–
–
–
–
Point to Point Tunneling Protocol
Layer 2 Forwarding Protocol
Layer 2 Tunneling Protocol
IPSec Protocol
MPLS (Multi-Protocol Label Switching)
SOCKS
SSH
135
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
PPTP
Point to Point Tunneling Protocol (PPTP)
• One of the first protocols deployed for
Internet-based virtual private networks.
• It is a client/server architecture that allows
the Point-to-Point Protocol (PPP) to be
tunneled through an IP-network.
136
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
L2F Protocol
Layer 2 Forwarding (L2F) Protocol
• Permits tunneling at the link layer.
• Designed as a protocol for tunneling traffic
from users to their corporate site.
• Provides mutual authentication of user and
server.
• Does not offer encryption.
137
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
L2TP
Layer 2 Tunneling Protocol (L2TP)
• Hybrid of Layer 2 Forwarding (L2F) and
Point-to-Point Tunneling Protocol (PPTP).
• Designed for single user point-to-point
client/server connection.
• Multiple protocols can be encapsulated
within the tunnel.
• No encryption, but is often deployed over
IPSec.
138
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IPSec Protocol
• IP standard for encryption and node
authentication.
• It has enough functionality to encrypt,
authenticate, and carry IP-only data through a
shared network.
• While PPTP, L2F, and L2TP are aimed at end
users, IPSec focuses on LAN-to-LAN or host-tohost tunnels.
• Allows multiple, simultaneous tunnels per end
host.
• No user authentication method defined in the
standard.
139
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IPSec AH and ESP
• The IP Authentication Header (AH)
– provides connectionless integrity, data origin
authentication, & an optional anti-replay
service
• The Encapsulating Security Payload (ESP)
– provides confidentiality (encryption) & limited
traffic flow confidentiality
– may provide connectionless integrity, data
origin authentication, & anti-replay service
140
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IPSec Protocol Security Associations
All implementations must support a Security
Association (SA)
– Simplex (i.e., one-way) “connection” that affords security
services to the traffic carried by it
– To secure typical, bi-directional communication, 2
Security Associations (one in each direction) are
required
• Security services are provided using AH or ESP
– If both AH & ESP protection is applied to a traffic
stream, then 2 (or more) SAs are created
141
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Association Triplet
• A security association is uniquely
identified by a triplet:
– An IP destination address
– Security protocol (AH or ESP) identifier
– Security parameter index (SPI)
• Distinguishes among different SAs
terminating at the same destination
142
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Association Combinations
Security associations may be combined in two ways:
•
Transport adjacency: using the same IP datagram to apply
multiple security protocols , without invoking tunneling
– Allows for only one level of combination; further nesting
yields no additional benefit
•
Transport mode: encrypts normal communication between
end-node to end-node(peer to peer).
– Iterated tunneling: applying multiple layers of security
protocols through IP tunnels
– allows for multiple levels of nesting
– each tunnel can originate or terminate at a different
IPSec site along the path
– Iterated tunneling mode is designed to be used by VPN
gateways (LAN to LAN/office to office).
143
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IPSec Protocol
• IPSec imposes computational performance costs
on the hosts or security gateways.
–
–
–
–
Memory needed for IPSec code and data structures.
Computation of integrity check values.
Encryption and decryption.
Added per-packet handling - manifested by increased
latency and possibly, reduced throughput
– Use of SA/key management protocols, especially those
that employ public key cryptography, also adds
computational performance costs to use of IPSec
144
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Multi-Protocol Label Switching
(MPLS)
• Does not rely on encapsulation and encryption
to maintain high-level of security
– Service providers create IP tunnels throughout their
network without encryption
• Uses forwarding tables and ‘labels’ to create a
secure connection
• Used to guarantee a certain level of
performance, to route around network
congestion, or to create IP tunnels for networkbased virtual private networks
145
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
MPLS Benefits
• MPLS brings benefits to IP-based
networks, such as:
– Traffic Engineering - the ability to set
performance characteristics and the path a
particular class of traffic will use
– VPNs – gives service providers the ability to
provide IP tunnels through their network
without need end-user applications or
encryption
146
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Socket Security (SOCKS)
• Circuit-level proxy that contains
authentication and encryption features.
– Usually used to allow internal computers
access to the external Internet
– Can be used for tunneling to allow external
users access to the internal network.
– Requires client applications to be SOCKSified.
147
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Secure Shell (SSH, SSH2)
• SSH
– Powerful method of performing client authentication
– Safeguards multiple service sessions between two
systems.
• Provides support for:
– Host and user authentication
– Data compression
– Data confidentiality and integrity
• Credentials are validated by digital certificate
exchange using RSA.
148
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Virtual Private Networks (VPN)
• Virtual Private Network (VPN)
– Dynamically established secure
network link between two specific
network nodes or subnets using a
secure encapsulation method.
– Uses tunneling AND encryption to
protect private traffic over an untrusted network.
149
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
VPN LAN-to-LAN Configuration
VPN
Server
Internet
DMZ
VPN
Server
Encrypted
LAN
Firewall
VPN Server is behind
the firewall
Firewall
LAN
VPN Server is
on DMZ
150
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Mobile User-to-LAN VPN
Internet
Mobile
User
Encrypted
Laptop with
VPN client
software
LAN
Firewall and
VPN Server on
same box
151
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IPSec Compatible VPN Devices
• IPSec Compatible VPN Devices
– Derive confidentiality and integrity from
workstation IP address and either machine
certificate or shared secret key.
– Require least user intervention since IPSec
authentication and encryption are not userbased.
– Work only with IP, not multi-protocol.
– Operate at the Network Layer of OSI model.
152
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IPSec Compatible VPN Devices (cont.)
Key management is a critical component
of using IPSec for a VPN.
IPSEC Key Exchange
153
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Non-IPSec Compatible VPN Devices
Non-IPSec Compatible VPN Devices
• Use protocols such as PPTP,
SOCKS, or MPLS.
• Provide advantages over IPSEC
– Two-factor authentication
– Better integration with proxy servers and
NAT.
154
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewall based VPN Devices
• Integrated with many firewall systems.
• Central VPN administration is integrated on
firewall system.
• Often uses proprietary, non-standard protocols.
• Allows VPN traffic to be securely transmitted and
filtered by the firewall.
• Typically does not provide any user
authentication, but relies on the firewall
authentication service to perform the user
identification and authentication.
155
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Quick Quiz
•
•
•
•
What functions does a VPN provide?
What is IPSec?
What is tunneling?
Name a few tunneling protocols.
156
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Summary
• Remote access typically refers to
accessing a trusted network from outside
the network.
• Identification and authentication is critical
prior to establishing remote access.
• A VPN can be used to help support remote
access.
• Various protocols exist to support and
control remote access.
157
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
Multimedia and Quality of Service
Information Security Activities
158
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Objectives
• Understand the categories of attacks that can
impact network security
• Identify wireless network components
• Describe wireless protocols
• Discuss wireless threats and vulnerabilities
• Describe wireless controls components
• Understand Instant Messaging vulnerabilities
• Describe the steps in a successful network attack
159
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Various Network Threats & Attacks
• Denial of Service
(DoS)
• Distributed DoS
• Mobile Code
• Malicious Code
• Wireless LAN
Vulnerabilities
•
•
•
•
•
Spoofing
Sniffing
Eavesdropping
Masquerading
Instant Messaging
(IM) Vulnerabilities
160
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Remote Access Threat
• Often provides undetected access to
unprotected back doors.
• Brute force attack on location’s prefix using “war
dialer” is an example.
• Targets of opportunity include:
–
–
–
–
Insecure Internet connections
Unsecured modem access
Diagnostic ports on various network devices
Administrative ports on voice mail systems, PBX, fax
servers
– Unauthenticated sessions
161
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
The Target
• Sensitive and critical information.
• Computing services, such as storage
space and other resources.
• Toll telephone services
• Voice mail
• Network access to interconnected
networks, such as customers or business
partners.
162
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Wireless Lan Vulnerabilities
Subtopics
•
•
•
•
•
•
•
Detection
Eavesdropping
Modification
Injection
Hijacking
WLAN Architecture
Radio Frequency
Management
Internet
Corporate
Intranet
163
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Detection & Eavesdropping
•
Detection
–
•
WLAN will generate and
broadcast detectable
radio waves for a great
distance
Eavesdropping
–
WLAN signals extend
beyond physical security
boundaries
164
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Eavesdropping
•
•
Service Set Identifier (SSID) may be
broadcasted.
SSID string may identify your organization.
165
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Eavesdropping
•
•
•
Standard Wired Equivalent Privacy (WEP)
encryption is often not used.
When used, WEP is flawed and vulnerable.
No user authentication in WEP.
Clear Text Passwords
IP Addresses
Company Data
166
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Modification, Injection & Hijacking
•
Modification
–
•
Injection
–
–
•
Standard Wired Equivalent Privacy (WEP)
encryption has no effective integrity protection.
Static WEP keys can be determined by analysis.
Adversaries can attach to the network without
authorization.
Hijacking
–
Adversaries can hijack authenticated sessions
protected only by WEP.
167
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
WLAN Architecture
• Security Architecture
Internet
DMZ
Firewall
Internal Network
© Copyright 2005 (ISC)2® All Rights Reserved.
Rogue AP
168
Telecommunications, Network and Internet Security v5.0
Radio Frequency Management
•
•
Poor RF
management will
lead to unnecessary
transmission of your
RF signal into
unwanted areas.
Also consider other
devices which may
cause interference.
Parking Lot
Building A
169
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Wireless LAN Security Controls
Subtopics
1.
2.
3.
4.
5.
6.
7.
SSID Broadcasting
MAC Address Filtering
Security Architecture
Radio Frequency Management
Encryption
Authentication
New Wireless LAN Security Protocols
170
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
SSID Broadcasting
• Disable the broadcasting of the SSID.
– Not possible on all Access Points
– Easily bypassed
– Only useful on low-value networks
– SSID should also not be easily correlated
to your organization name
171
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
MAC Address Filtering
• Some Access Points allow the
administrator to specify which link
layer (MAC) addresses can attach.
– Easily bypassed
– Does not scale
– Only useful for low-value networks
172
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Architecture
Internet
DMZ (VPN Server)
Firewall
Firewall
Internal Network
© Copyright 2005 (ISC)2® All Rights Reserved.
DMZ (VPN Server)
173
Telecommunications, Network and Internet Security v5.0
Radio Frequency Management
Parking Lot
Building A
© Copyright 2005 (ISC)2® All Rights Reserved.
•Use a scanner to determine
your RF footprint
•Monitor interference
sources
174
Telecommunications, Network and Internet Security v5.0
Wireless Encryption
• Static WEP keys are insufficient for
many networks
• New secure protocols are being
designed for WLAN
• Layered VPN is a common solution
for WLAN networks
175
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
Wireless LAN Security Mechanisms:
• Access Control
• Authentication
• Encryption
• Integrity
802.11 Wireless LAN Security Protocols:
• 802.1X / Dynamic WEP
• Wi-Fi Protected Access
• Robust Security Network
176
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Access Control: 802.1X
Client
AP
Authentication
Server
Probe, Authenticate, Associate
802.1X Port Blocked
802.1X EAP Request/Response
RADIUS Encapsulation
EAP Authentication Exchange and Key Material
EAP Success / Key Material
802.1X EAP Success
Nonce Exchange / Derive Keys
802.1X Port Open
177
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Authentication
• Wireless LAN needs an authenticated key
exchange mechanism
• Most secure WLAN implementations use
Extensible Authentication Protocol (EAP)
• Many EAP methods are available
– One factor include EAP-MD5, LEAP, PEAPMSCHAP, TTLS-MSCHAP, EAP-SIM
– Two factor methods include EAP-TLS, TTLS
with OTP, and PEAP-GTC
• Need mutual authentication
178
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Encryption
• Static WEP
• Dynamic WEP
• Temporal Key Integrity Protocol (TKIP)
– Uses RC4 Stream Cipher with 128 bit perpacket keys
• Counter-Mode-CBC-MAC Protocol
(CCMP)
– Uses Advanced Encryption Standard
(AES) with 128 bit keys
179
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Integrity Protection
• WEP has no cryptographically strong
integrity protection
• TKIP uses a new Message Integrity
Code called “Michael”
• CCMP uses AES in CBC-MAC mode
180
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
802.11 Security Solutions
802.1x
Dynamic WEP
Wi-Fi
Protected
Access
Wi-Fi
Protected
Access 2
Access Control 802.1X
802.1X or PreShared Key
802.1X or PreShared Key
Authentication
EAP methods
EAP methods
or Pre-Shared
Key
EAP methods
or Pre-Shared
Key
Encryption
WEP
TKIP (RC4)
CCMP (AES
Counter Mode)
Integrity
None
Michael MIC
CCMP (AES
CBC-MAC)
181
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Instant Messaging Threats
• Many of today’s IM systems were built for chatting
rather than secure corporate communications.
• Rapidly working their way into corporations because
of their efficiency and convenience.
• Few organizations have standards, therefore,
leaving users to choose for themselves and
potentially compromise security within the
organization.
• Create new and hidden vulnerabilities.
• Companies need to create and implement a strategy
to fully reap the benefits of IM systems, while
reducing exposure to security attacks.
182
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IM Security Issues
• Most lack encryption capabilities.
• Most have features to bypass
traditional corporate firewalls.
• Insecure password management.
• Increased exposure to account
hijacking and spoofing.
183
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
IM Security Issues (cont.)
• May contain bugs that can be exploited by
attackers, such as buffer overflows, allowing
access to PC with vulnerable IM client.
• Vulnerable to denial-of-service attacks.
• Ideal platform for fast-spreading malicious
software and worms.
• Easy to locate new targets (buddy lists) that can
be controlled by easy-to-write scripts.
• Susceptible to eavesdropping .
• Enables users to exchange files.
184
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Instant Messaging Security
• Establish corporate IM usage policies
• Deploy desktop firewall to block usage of
unapproved IM programs and prevent
attacks to and from systems
• Deploy anti-virus software and personal
firewalls on all desktops
• Restrict sending confidential information
over public IM systems
• Properly configure corporate firewalls to
block unapproved IM traffic
185
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Instant Messaging Security (cont.)
• Deploy private corporate IM servers to
isolate corporate messaging system from
the outside world
• Enforce client-side IM settings (refuse file
transfers, etc.)
• Install patches to IM software as soon as
possible
• Use vulnerability management solutions to
ensure IM client policy compliance
186
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Threats and Attacks
Methodology - Subtopics
Attack Methodology
1. Identify the target and
collect information
2. Analyze the target to
identify a vulnerability
3. Gain access to the
target
4. Escalate privileges
5. Complete the attack
© Copyright 2005 (ISC)2® All Rights Reserved.
187
Telecommunications, Network and Internet Security v5.0
Attack Step One
Identify the target and collect information
• Systematically map the target’s network.
– Traceroute, Ping scanning, Port scanning, TCP half
scanning, FIN scanning, OS fingerprinting.
• Information wanted:
–
–
–
–
Domain names and network numbers
IP addresses
Names/phone numbers of personnel
Network map, including services that are available or
running.
– Operating System type and version
188
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Attack Step Two
Analyze the target to identify a vulnerability
• Query to gather detailed information such as:
– Operating system and services running -- many
systems will freely volunteer the product name and
version number in a greeting banner.
– List of user ids, shared file systems, system
information.
– Probe telephone lines for modems that answer.
189
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Attack Step Three
Gain access to the target
• Make connection attempts using:
– Direct login attempts to reach hosts
– Modems to attack remote access servers and
modems attached to individual computers.
•
•
•
•
•
Try to guess passwords
Exploit known security vulnerabilities
Perform piggybacking/hijacking/spoofing
Use social engineering
Perform a denial of service attack
190
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Attack Step Four
Escalate privileges
• Try to gain administrative or operator privileges.
• Try to utilize the compromised system to gain
access to more valuable systems.
• Techniques:
– Buffer overflows
– Trojan horses
– Password guessing or install a password
sniffing/gathering/cracking tool.
– Exploit trust relationships
191
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Attack Step Five
Complete the attack
• Install a backdoor mechanism that allows
the attacker to bypass access control and
avoid detection, such as a rootkit.
• Create rogue user account.
• Close the original vulnerability so no one
else can compromise the system.
• Modify audit logs if they are stored locally
to prevent discovery of the attack.
192
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Attacks
• Threat agents: External attackers, internal attackers, disgruntled
employees, viruses, Internet worms, etc.
•
Active Attacks:
–
–
–
–
–
–
•
Vulnerabilities in the network systems
Attacks on “perimeter defenses” (network infiltration)
Malicious code – viruses, worms, Trojan horses, etc.
Login/Password Brute-force attacks
Vulnerabilities in Web Applications
Denial of Service (DoS) attacks: network flood, session
consumption, buffer overflow, etc.
Passive Attacks:
– Network sniffing and eavesdropping
– Wiretapping
– Spyware/adware
193
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk Example # 1
Internet Firewall
• Security risk scenario: “vulnerability in external
perimeter controls” – a flaw in the firewall rules
194
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk Example # 1
Attack Illustration
•
•
•
•
An attacker scans the network, firewall blocks all attempts except…
The attacker finds an open MS SQL port (1433/tcp) on “CUSTOMERDB1”
(firewall admin opened it during a test and forgot to close)
This is a good starting point for “penetrating the network”
Server Banner (MS SQL)  Default User “sa”/NULL  Brute-force attack
195
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk Example # 1
Countermeasures
• Compensating access controls – “Tightly configured” Firewall
– Firewall rules should be configured according to the organization’s
standard or approved network zone specifications
– Best practices – allow only “firewall friendly ports”:
• HTTP (80/tcp), HTTPS (443/tcp)
- for Web servers
• FTP (20/21/tcp)
- for File Transfer servers
• SMTP (25/tcp)
- for Email servers
• DNS (53/udp/tcp)
- for Domain Name servers
• IPSec-IKE (500/udp)
- for IPSec/VPN access
196
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk Example # 2
Network Device
• Security risk scenario: “vulnerability in network
perimeter controls” - a flaw in the router
configuration
197
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk Example # 2
Attack Illustration
•
•
•
•
•
•
•
An external attacker scans the network, identifies a router and …
Finds port 80/tcp (HTTP) open on that router
Connects to the router via a web browser and gets to a “Login Prompt”
Tries the following URL: http://router.company.com/level5/show/config
The router configuration file is displayed
Using “weak password encryption”  password is recovered
Router configuration can now be changed
198
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk Example # 2
Countermeasures
• A Few Common Best Security Practices - Switches / Routers:
– Shut down unnecessary and dangerous services (HTTP,
NTP, TCP-small-services, UDP-small services, BOOTP,
Finger, etc.)
– Shutdown unused interfaces
– Do not allow “source routing”
– Block directed IP broadcasts – to prevent DoS attacks (e.g.
Smurf)
– Define Access Control Lists – try to make it simple and easy
(if it looks too complex you may need a stateful firewall)
• Block “spoofed” IP traffic – outside packets that are
obviously fake
• Block broadcast and IP multicast packets (if not used)
• Block ICMP redirect packets
199
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk Example # 2
Countermeasures
– Protect access to the Telnet VTY (only
authorized IP’s should have access)
– Turn on logging and log all security
exceptions, such as “access denied”
– Use encrypted, “strong” community
strings for SNMP – disable ‘SNMP-write’
if it not used
– Use “strong” passwords (MD5 password
encryption for Cisco)
200
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk Example # 3
Internal Windows Server
•
•
•
•
•
Security risk scenario: “vulnerability in the server’s network configuration”
An internal attacker scans the network looking for only one port (161/udp)
Finds the SNMP service running on server “WIN2KB001” (“public”
community)
Queries System Configuration via SNMP-GET (system, resources, users,
file shares) and attempts to access these resources
Runs an exploit code for Windows SNMP Buffer Overflow (MS02-006)
201
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk example # 3
Countermeasures
• Best Security Practices for configuring network access
controls on servers:
– Shut down unnecessary and dangerous network
services
– SNMP,
– File Sharing (139/tcp),
– NetBios Messenger (138/tcp),
– Computer browser (137/udp broadcasts),
– Rlogin, Rshell, TFP (on Unix)
– RPC services (if it is not used)
– Telnet
– Define IP filters using IPSec rules (Windows) or IP
Tables/IP Firewall on Unix
202
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Security Risk example # 3
Countermeasures
– Turn on logging and log all security
exceptions, such as “access denied”
– If SNMP is required, use encrypted,
“strong” community strings for SNMP,
but disable SNMP-write (it is not usually
required for servers)
– For terminal access use Citrix or
Windows Terminal Services, do not use
“simple” freeware software like VNC
203
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Other Network Threats
•
•
•
Denial-of-Service Attacks (DoS)
• Distributed DoS attacks
• TCP Syn Attack, Ping of death, Land attack, Teardrop attack
• SMURF (ICMP broadcast traffic flood)
Brute force (dictionary driven attacks)
Buffer overflows
• Many examples of vulnerable services: SNMP, RPC, SSH, FTP…
Viruses/Worms
• Automated “unleashed” versions of the above
Spoofing
• Where the IP address is manipulated to bypass IP-level access controls
(e.g. if two systems “trust” each other based on their IP addresses)
Network Traffic Sniffing (passive attack)
Man-in-the-middle attacks
•
Network session hijacking/piggybacking
•
•
•
•
© Copyright 2005 (ISC)2® All Rights Reserved.
204
Telecommunications, Network and Internet Security v5.0
Network Maintenance Process
•
Network Access Controls maintenance
process:
– Trigger events: New requirement, New
vulnerability, Time-to-review
– Assess/analyze – any new
risks/vulnerabilities in the environment
– Implement – update rules, and
configurations to mitigate the risk
– Test – test the rules and configurations to
ensure that they work as expected
– Deploy – put in the production
environment, document the change,
including the trigger, analyze, test the
results and
– Monitor activities to ensure that the
network access controls work properly
Trigger
205
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Quick Quiz
• What is the primary difference
between 802.11b and 802.11g?
• What type of encryption is typically
available on wireless networks?
• True or False:
– Steel walls will contain wireless signals.
– Concrete walls will contain wireless
signals.
206
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Summary
• Wireless networks have become very prevalent.
• Wireless networks introduce new risks into a network
environment.
• New controls need to be evaluated for wireless
networks:
–
–
–
–
Access Control
Authentication
Encryption
Integrity
• Instant Messaging can be an effective organizational
tool, but needs to be protected accordingly.
• Perimeter security controls need to be implemented
properly to ensure adequate security.
207
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
Multimedia and Quality of Service
Information Security Activities
208
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Objectives
• Describe various types of network
authentication protocols
• Describe methods of network user
authentication
• Identify various firewall and perimeter
security approaches
209
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Subtopics
• Network Access Controls
– Identification and Authentication
• PPP Authentication
• Centralized Authentication
• Network User Authentication
– Perimeter Security
210
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Identification and Authentication
• Network identification and
authentication processes are used to
identify and verify the source
attempting to establish the
connection.
• Authentication should be used for:
– Node authentication
– End user authentication
211
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Identification and Authentication
• Node authentication is knowing the source
(node) that is attempting to establish the
connection.
– When the node is authenticated, it is possible to
identify the location and type of device.
• End user authentication verifies the identity of
the remote user.
– It is preferred to network node authentication.
– It should be two factor, such as using both a
password and token device or smart card.
212
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Remote Access Authentication
1. Remote User requests authentication
from Network Access Server.
2. Network Access Server then sends
requests to the Centralized
Authentication Server.
213
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Subtopics
• Network Access Controls
– Identification and Authentication
• PPP Authentication
• Centralized Authentication
• Network User Authentication
– Perimeter Security
214
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
PPP Authentication Protocols
• Authentication of source.
• Commonly used to establish a remote access
session.
• Supports several security protocols to verify the
network device and/or location of the originating
connection point.
• Deployed to authenticate the end-user.
• PPP authentication protocols include:
– Password Authentication Protocol (PAP)
– Challenge Handshake Authentication Protocol (CHAP)
– Extensible Authentication Protocol (EAP)
215
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
PAP
• A simple, standards-based password
protocol.
• Provides automated identification and
authentication of remote entity.
216
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
PAP (cont.)
• Authentication is accomplished using
a cleartext, reusable (static)
password.
• Supported by most network devices.
• Decreasing use due to weakness of
authentication process.
217
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
CHAP
• Standards based authentication service
• Periodically validating users with a
sophisticated challenge-handshake
protocol.
218
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
CHAP (cont.)
• Authentication process uses non-replayable,
challenge/response dialog to verify the
identification of the remote entity (because of the
nonce).
• Authentication step takes place at the initial
connection and can be repeated at any time
during the session.
• Standard password database is unencrypted on
end nodes. MSCHAP stores one-way encrypted
passwords.
• Password is sent as a one-way hash over the
transmission link.
219
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Extensible Authentication Protocol
(EAP)
Flexible authentication framework
220
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
EAP (cont.)
• Framework for a variety of embedded
authentication methods
– Password, S/Key, token card, or digital
certificate.
• S/Key uses the MD4 hash function to
generate one-time passwords.
– Supports new authentication methods as
they become available.
221
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Subtopics
• Network Access Controls
– Identification and Authentication
• PPP Authentication
• Centralized Authentication
• Network User Authentication
– Perimeter Security
222
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Centralized Authentication
Protocols
• With large remote access network it becomes
impractical to store security information on each
network access server.
• Standards-based centralized authentication
databases simplify maintaining user lists,
passwords, user profiles, and accounting
records.
• Authentication database can be utilized by all
remote access equipment. Unless properly
designed, this could be a single point of failure.
223
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Centralized Authentication
Protocols (cont.)
• Any system that authenticates in a central
location.
• Should provide three services:
– Authentication - verifies who the user is and
whether access is allowed.
– Authorization - what the user is allowed to do.
– Accountability - tracks what the user (or device,
service) did and when it was done.
224
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
• Remote Authentication Dial-In User
Service (RADIUS)
• Terminal Access Controller Access
Control Systems (TACACS)
– TACACS+
• DIAMETER
225
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
RADIUS
• Three components of RADIUS
– Server resides on a central computer at
site
– Client resides in dial-up or network
access servers (NAS)
– Protocol that utilizes UDP/IP
226
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
TACACS and TACACS+
• Similar functionality to RADIUS.
• TACACS does not support dynamic passwords,
but TACACS+ does.
• RADIUS only encrypts some parts of the
communication like the user password.
• All communication between the network access
server (TACACS+ client) and the TACACS+
server are sent over TCP.
• TACACS+ communication is encrypted with a
secret key that is never sent over the network.
227
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
DIAMETER
• Supports roaming applications and
overcomes limitations of RADIUS.
• Uses peer-to-peer rather than client/server
configuration to offer scalability.
• Has two parts:
– Base Protocol - defines message format,
transport, error reporting, and security services
– Extensions - modules designed to conduct
specific types of AAA transactions, such as
NAS, Mobile-IP, and Secure Proxy
228
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Subtopics
• Network Access Controls
– Identification and Authentication
• PPP Authentication
• Centralized Authentication
• Network User Authentication
– Perimeter Security
229
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network User Authentication
• Network user authentication is when a
user is trying to login to an intelligent
client node, such as a server, but must
receive further authorization to access the
resources.
• Need to protect against replay attacks and
brute force password guessing.
230
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Lightweight Directory Access
Protocol (LDAP)
• Widely accepted, industry standard for
access to directory information and
application services
• Multi-vendor interoperability.
• Open, extensible, vendor-independent,
platform-independent
• LDAP directories provide repositories for
security-related data (e.g. userIDs,
passwords, URLs, pointers, binary data,
Public Key Certificates, etc.)
231
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Information System
• A distributed database system that lets
computers share a set of system files.
232
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Information System (NIS)
• A central server stores a shared database
with one-way encrypted passwords.
• Use of these shared files allows users to
access any of a set of computers, using
credentials stored in a centrally
administered database.
• NIS uses only IP addresses to authenticate
the client and server nodes.
• NIS+ is a hierarchical and secure NIS
implementation.
233
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Distributed Computing Environment
(DCE)
• Standard promoted by the Open Group.
• Network authentication is derived from
Kerberos.
– Adds extensions for authorization attributes
(privileges).
– Uses Universal Unique Identifiers instead of
user names to identify users.
– Requires synchronized time clocks to
generate time stamps to prevent replay
attacks.
234
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
NT/LAN Manager (NTLM)
• NTLM authentication protocol provides
challenge/response authentication for
client/server networks.
• The user’s password is hashed and used as a
key to encrypt a challenge sent by the server.
235
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Subtopics
• Network Access Controls
– Identification and Authentication
– Perimeter Security
• Perimeter Security Overview
• Perimeter Security Technologies
• Perimeter Security Architecture
• Firewall Security Best Practices
236
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Perimeter
• Refers to the concept that public, sensitive
private networks and non-sensitive private subnetworks are segregated and entry is
controlled.
• Access from one network or segment to
another is controlled through a “Choke Point”.
• Network security policy is defined and enforced
by some type of mechanism at each boundary
router and secure gateway.
237
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Boundary Routers
• Provide entry to and from network
perimeters; i.e., boundary routers
interconnect networks at their perimeter
entry points.
• Permit or deny predefined traffic (via
ACLs) and implement safeguards against
IP spoofing and other network attacks.
• Forward permitted traffic to and from
secure gateways and networks.
238
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
DeMilitarized Zone (DMZ)
• DMZ networks function as a small and isolated
network positioned between the untrusted
network and the private network.
• Typically systems on the untrusted network and
some systems on the private network can
access a limited number of services on the DMZ.
• The goal is to prevent the transmission of traffic
directly between the untrusted network and the
private network.
239
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Bastion Host
• A computer system that is highly secured
because it is vulnerable to attack, usually
because it is exposed to an untrusted
network.
• An application-level gateway is a type of
“bastion host” because it is a designated
system that is specifically armored and
protected against attacks.
240
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Subtopics
• Network Access Controls
– Identification and Authentication
– Perimeter Security
• Perimeter Security Overview
• Perimeter Security Technologies
• Perimeter Security Architecture
• Firewall Security Best Practices
241
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Perimeter Security Technologies
Subtopics
• Perimeter Security Techniques/Technologies
– Filtering
• By Protocol/Service
• By Address
– Network Partitioning
– Data Inspection
– Network Address Translation (NAT) / Port
Address Translation (PAT)
– Firewalls
242
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Filtering by Protocol/Service
• Filtering by communications
protocol/service.
– Reduces risk by blocking all but authorized
protocols and services.
– Filtering accomplished by Access Control
Lists (ACLs) on various network devices
such as routers, firewalls, gateways, and
bridges.
– Protocol examples include ICMP, UDP
– Service examples include HTTP, Telnet
243
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Filtering by Address
• Used to restrict network connections and routing
– Enables only authorized nodes/network segments to
communicate -- blocks out all others.
• Different than filtering by protocol/services but
often used in conjunction with it.
• Filtering done by Access Control Lists (ACLs) on
various devices, such as routers, gateways, etc.
244
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Perimeter Security Technologies
Subtopics
• Perimeter Security Techniques/Technologies
– Filtering
– Network Partitioning
– Data Inspection
– Network Address Translation (NAT) / Port
Address Translation (PAT)
– Firewalls
245
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Segment / Subdomain
Isolation
• Concept of filtering by protocol/services/source
and destination address to isolate network traffic
and services from private or sensitive parts of
the network; e.g., traffic restricted to an extranet.
• Design the network architecture to separate
“untrusted” traffic apart from “private” and
“trusted” network segments/subdomains.
• Accomplished by:
– Filtering by protocol/services
– Filtering by source and destination address
– Network design (e.g. Switches, VLANs, etc.)
246
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Perimeter Security Technologies
Subtopics
• Perimeter Security Techniques/Technologies
– Filtering
– Network Partitioning
– Data Inspection
– Network Address Translation (NAT) / Port
Address Translation (PAT)
– Firewalls
247
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Inspection
• Concept of monitoring and examining
predefined communication layers of
transmitted data and taking appropriate
action if not allowed by security rules.
• Volume of network traffic, degree of
analysis and the seriousness of the
transmitted data determines how
implemented; i.e., real-time analysis or
off-line analysis and type of
alarm/response.
248
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Inspection Applications
• Common applications of network data
inspection:
– Computer virus scanning
– Stateful inspection of network
packets/frames
– Content inspection for Web mobile code,
such as Java or ActiveX content
– Intrusion Detection Systems
249
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Perimeter Security Technologies
Subtopics
• Perimeter Security Techniques/Technologies
– Filtering
– Network Partitioning
– Data Inspection
– Network Address Translation (NAT) / Port
Address Translation (PAT)
– Firewalls
250
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Address Translation
• Address translation is when an
address is converted from one value
to another.
• Typically used to hide the internal
network IP address from external
systems.
• Translates each private IP address to
a registered IP address.
251
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
NAT and RFC 1918
• RFC 1918 lists three segments of private
addresses that are not to be used on the
Internet, so they can be used safely
behind a NAT environment.
• They are:
– 10.0.0.0 - 10.255.255.255
– 172.16.0.0 - 172.31.255.255
– 192.168.0.0 - 192.168.255.255
252
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Port Address Translation
• Multiplexes many internal IP
addresses into one external address.
• Changes source TCP/UDP port
number of outgoing datagrams.
253
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
NAT/PAT
Network and Port
Address Translation
Source IP – 192.168.1.50
Destination IP – 206.121.73.5
Source Port – 1037
Destination Port - 80
Source IP – 199.53.72.2
Destination IP – 206.121.73.5
Source Port – 1058
Destination Port - 80
254
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Perimeter Security Technologies
Subtopics
• Perimeter Security Techniques/Technologies
– Filtering
– Network Partitioning
– Data Inspection
– Network Address Translation (NAT) / Port
Address Translation (PAT)
– Firewalls
255
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewalls
• Firewalls enforce security rules
between two or more networks.
• Evaluate each network packet
against a network security policy.
256
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewalls Technologies
Subtopics
• Packet filtering firewalls
• Stateful inspection firewalls
• Proxy firewalls
– Circuit-level
– Application level
• Personal firewalls
257
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Packet Filtering Firewalls
• A method or device for limiting
network traffic between two networks
by enforcing security rules.
• Examines packet headers to either
block or pass packets.
• Uses Access Control Lists (ACLs)
that allow it to accept or deny access.
258
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Packet Filtering Firewalls (cont.)
• Considers the following information:
– Source and destination addresses
– Data session’s protocol (TCP, UDP, ICMP,
etc.)
– Source and destination application port for
the desired service (FTP, Telnet, HTTP, etc.).
– Whether packet is the start of a connection
request (lack of ACK bit in the TCP header).
259
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Stateful Inspection Firewalls
• Transmitted data packets or frames are
captured and analyzed at all
communication layers.
• “State” and “context” data are stored and
updated dynamically.
• Provides information for tracking
connectionless protocols; e.g., Remote
Procedure Call (RPC) and UDP-based
applications.
260
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Stateful Inspection Firewalls
(cont.)
• A secure method of analyzing data
packets.
• Places extensive information about a data
packet into a table. In order for a session
to be established, information about the
connection must match information stored
in the table.
• Examines the content of each packet to an
arbitrary level of detail. For example, it
may be able to associate incoming UDP
replies with an old outgoing UDP request.
261
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Proxy Firewalls
A proxy acts
on another’s
behalf.
262
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Proxy Firewalls (cont.)
• Proxy clients talk to proxy servers.
• Proxy servers relay approved client
requests to external servers and relay
answers back to clients.
• Conceptually, outsiders are not allowed to
“talk” directly to private nodes.
• There are two types of proxies:
– Circuit-level
– Application-level
263
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Circuit-Level Proxy Firewalls
• Do not require special proxy for each
service (i.e., FTP, HTTP, TELNET, etc.).
• Can require user authentication before
allowing access.
• Create a circuit between client and server
without requiring knowledge about the
service.
• Have no application specific controls.
• An example is a SOCKS server.
264
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Application-Level Proxy Firewalls
• Perform the highest level of security
because it allows the greatest level of
control.
• A different proxy is needed for each
service.
• Provide information on the type and
amount of traffic.
• Can require user authentication for each
service, which provides accountability.
265
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Application-Level Proxy Firewalls
(cont.)
• Can impact network performance because
they must analyze packets and make
decisions about access control.
• Good place to do content inspection for
mobile code and viruses.
• FTP Example - restrict whether external
users can only read file (use the GET
command) or also write file (use the PUT
command).
266
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Personal Firewalls
• Individual hosts are protected with
firewall software that provides stateful
packet filtering and intrusion
detection.
• Increasing availability of “always on”
broadband connections for Small
Office/Home Office users is
increasing exposure to compromise.
267
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewall Comparison
Firewall Type
OSI Model Layer
Characteristics
Packet Filtering
Network Layer
•Routers using ACLs dictate acceptable
access to a network
•Looks at destination and source addresses,
ports and services requested
Application-level
Proxy
Application layer
•Deconstructs packets and makes granular
access control decisions
•Requires one proxy per service
Circuit-level Proxy
Session Layer
•Deconstructs packets
•Protects wider range of protocols and
services than app-level proxy, but not as
detailed a level of control
Stateful
Network Layer
•Keeps track of each conversation using a
state table
•Looks at state and context of packets
268
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Subtopics
• Network Access Controls
– Identification and Authentication
– Perimeter Security
• Perimeter Security Overview
• Perimeter Security Technologies
• Perimeter Security Architecture
• Firewall Security Best Practices
269
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Perimeter Security Configurations
Subtopics
•
•
•
•
•
Packet Filtering
Dual-Homed Host
Screened Host
Screened Subnet
Multi-Legged Firewall
270
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Packet Filtering
• Place a packet-filtering router between
private network and the untrusted
network.
Network
Packet Filter
271
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Dual-Homed Host
• Single computer with two network
interface cards that acts as a dividing
line between local network and the
Internet.
Host Computer
With Two Network Cards
272
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Screened Host
• Uses both a packet-filtering router and a
bastion host.
Bastion Host
Network
Router
© Copyright 2005 (ISC)2® All Rights Reserved.
273
Telecommunications, Network and Internet Security v5.0
Screened Subnet
• Uses two separate packet filters or stateful
inspection firewalls and a network of
bastion hosts.
DMZ
Firewall
Network
Firewall
Switch
274
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
3-Legged Firewall
• Configuration with a third
network interface, usually
for the DMZ.
• The DMZ segment allows
both internal and external
users to access common
servers
• Does not allow external
users to access non-DMZ
resources.
DMZ
Firewall
Network
275
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Access Controls
Subtopics
• Network Access Controls
– Identification and Authentication
– Perimeter Security
• Perimeter Security Overview
• Perimeter Security Technologies
• Perimeter Security Architecture
• Firewall Security Best Practices
276
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewall Security - Concepts
277
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewall Security Environmental
• Document and clearly communicate who is
authorized to
– Install, de-install and move firewalls
– Perform hardware maintenance and changes to
physical configuration
– Make physical connections to the firewall
• Define procedures for
–
–
–
–
Locating and securing firewalls by zone
Securing console physical access
Recovering in the event of physical damage
Escalating in the event of firewalls tampering
278
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewall Security - Data Link
• Use VLAN’s
sparingly on
critical firewalls.
• If VLANs are
necessary
consider using
known firewall
virtualization (e.g.
VSX)
VLAN Enabled
279
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewall Security – Operating
System
• Ensure that the operating systems have
been appropriately hardened.
• Ensure that unnecessary services have
been disabled.
• Turn on operating system logging
mechanism
• Use double intervention controls for critical
functions (e.g. access to the operating
system)
280
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewall Security – Application
Layer
• Use appropriate stealth, cleanup
and silent rules.
Stealth Rule
Cleanup Rule
281
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewall Security – Application
Layer
• Use negate in preference over a
permitted destination.
Preferred
282
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Firewall Security – Define
Appropriate Global Rules
• Limit the use of implied rules
283
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Group Exercise
• An electronics company wishes to
make their product documentation
available on the Internet. They have
decided to use a packet filtering
security architecture to protect the
server housing the documentation.
What are the pros and cons of this
approach?
284
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Summary
• In order to access a network, you must
authenticate to the network.
• Authentication should be done at two levels,
user level and node level.
• Authentication can be controlled in various ways.
• Firewalls should be used to protect your internal
network from unauthenticated and unauthorized
access.
• Various firewall and perimeter security
approaches exist, using a combination of
technologies and architectures can give you
adequate security.
285
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
Multimedia and Quality of Service
Information Security Activities
286
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Availability Technologies
Subtopics
• Network Availability Technologies
– Network Disaster Prevention
• Cabling
• Topology
• Single Points of Failure
• Saving Configuration Files
– Server Disaster Prevention
287
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Objectives
• Understand how to prevent network
disasters from happening
• Describe methods of protecting
important network elements such as
servers
288
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Cabling
• The cabling that is used will impact how
resilient the network is to failure.
• Test and certify all cabling before use on
the network.
• Segment problem areas with switches.
• Use fiber to avoid electromagnetic
interference.
• Avoid excessive cable lengths.
289
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Topology
• Some topologies do a better job of recovering
from problems that can happen on networks.
• Ethernet, when used with twisted-pair cabling,
can be extremely resistant to cabling problems.
• Token Ring was designed to be fault tolerant,
but is subject to faulty network interface cards.
• Fiber Distributed Data Interface (FDDI) if
implemented with dual counter-rotating rings is
very reliable.
290
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Single Points of Failure
• Leased lines can introduce a single point
of failure.
• Frame Relay
– provides wide area network connectivity
across a shared public switched network.
– If any segment in the frame relay cloud has a
failure, traffic is diverted across other links.
– The link to the Central Office from the
customer site is still a single point of failure.
291
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Single Points of Failure
Countermeasures
• Best way to minimize disasters is to
identify single points of failure and build in
redundancy.
• Creating single points of failure is a
common mistake made in network design.
• Be careful of consolidated equipment,
such as routers or switches.
• Deploy redundant equipment.
292
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Single Points of Failure
Countermeasures (cont.)
• Take advantage of redundant LAN routes.
• Provide on-demand backup for WAN
connections.
• Build systems that are:
– Basic Availability - sufficient components to satisfy
system’s functional requirements
– High Availability - also has sufficient redundancy
– Continuous Availability - also has components to
apply to planned outages (i.e., upgrades, backups)
293
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Saving Configuration Files
• When network devices fail, chances are local
configurations will be lost.
• Terminal logging - allows saving of configuration
files by logging what appears on the terminal as
device is locally programmed.
• Trivial File Transfer Protocol (TFTP) - supports
saving or retrieving configuration information. A
single server can archive configuration files for
every device on the network.
294
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network Availability Technologies
Subtopics
• Network Disaster Prevention
• Server Disaster Prevention
– Uninterruptible Power Supply (UPS)
– Redundant Array of Independent Disks
(RAID)
– Redundant Servers
– Clustering
– Backup Technologies
– Server Recovery
295
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
UPS, RAID & MAID
• Uninterruptible Power Supply (UPS)
– Provides a source of clean and steady power.
• Redundant Array of Independent Disks (RAID)
– Provides fault tolerance against hard disk crashes
and can improve system performance.
• Massive Array of Inactive Disks (MAID)
– Similar to RAID, except disks remain dormant until
requested.
– By reducing number of disks that are concurrently
active, disk controller costs can be significantly
reduced.
296
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Redundant Servers
• Keep a redundant idle computer available for
failover -- server fault tolerance
• Provide one or more entire systems to be
available in case primary one crashes.
297
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Clustering
• Similar to redundant servers except all
systems take part in processing.
• Cluster acts as a single intelligent unit in
order to balance traffic load.
• More attractive than server redundancy
because secondary systems actually
provide processing time.
• Boosts availability and performance.
298
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Backups
• Safeguard the information that is stored
on the server. Three types are:
– Full backup - complete archive of every file
– Differential backup - copies only files that
have changed since a full backup was last
performed
– Incremental backup - copies only files that
have recently been added or changed since
the last backup of any kind
299
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Tape Arrays
Tape Arrays
• Redundant Array of Independent Tapes
(RAIT) - similar to RAID technology
Other technologies:
• NAS (Network Attached Storage)
• S-ATA (Serial-Advanced Technology
Architecture)
• Others
300
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Online Backup
Continuous Online Backup with Hierarchical
Storage Management (HSM)
• Combines hard disk technology with use of
slower and cheaper optical or tape juke boxes.
• Continuous online backup package.
Storage Area Network (SAN)
• Shared network that connects hosts to storage
devices.
• Often used to implement server-less backups.
301
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Quick Quiz
• What are some of the ways to prevent
disasters from happening on a
network?
• How can we provide protection for
servers on a network?
302
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Summary
• Preventing disasters on a network can
be minimized by using the correct
cabling and topologies, as well as
addressing single points of failure and
building in redundancy.
• There are several ways to protect
servers, they include mirroring,
clustering, backing up, RAID, etc.
303
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
– Data Link Layer Security Protocols
– Network Layer Security Protocols
– Transport Layer Security Protocols
– Application Layer Security Protocols
• Multimedia and Quality of Service
• Information Security Activities
© Copyright 2005 (ISC)2® All Rights Reserved.
304
Telecommunications, Network and Internet Security v5.0
Section Objectives
• List some of the protocols available to
provide security, in relation to the TCP/IP
layers.
• Understand how to address security for
specialized multimedia applications.
• Understand the objectives of Quality of
Service.
• Understand the activities that need to be
addressed by security professionals in
order to ensure adequate network security.
305
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Data Link Layer Security Protocols
• Tunneling and VPN Protocols are the
mechanisms to protect transmission
at the Data Link Layer.
– Point to Point Tunneling Protocol
– Layer 2 Forwarding
– Layer 2 Tunneling Protocol
– 802.11 Wireless LAN Security Protocols
– Other Layer 2 Solutions
306
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Network/Internet Layer Security
Protocols
• Several protocols have been
proposed.
• Most notable is IPSec.
– It can be implemented in various types
of network equipment.
– Designed to support multiple encryption
and authentication protocols.
307
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Transport Layer Security Protocols
• Some examples:
– Secure Shell (SSH)
– Secure Sockets Layer (SSL)
– Transport Layer Security Protocol
(TLS)
– Wireless Transport Layer Security
(WTLS)
308
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Secure Sockets Layer (SSL)
• Enables client/server applications to
communicate securely, minimizing the risk of
eavesdropping, tampering, or message forgery.
• Provides data confidentiality, integrity control,
server authentication, and optionally, client
authentication
• Two layer protocol:
– SSL Record Protocol - used to pass messages
– SSL Handshake Protocol - used to establish an SSL
connection
309
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
SSL Handshake – Step One
• A link is established to the secure server over
TCP/IP. The client sends the server a
‘Client.Hello’ message including the client’s SSL
version number, cipher settings, and a random
number.
310
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
SSL Handshake – Step Two
•The server sends back a response
(Server.Hello).
•The response includes the server’s public
key certificate, SSL version number,
cipher settings, and a random number.
311
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
SSL Handshake – Step Three
• The client can now authenticate the server. It
sends an encrypted message using the server’s
public key. The server decrypts the message. It
is used to generate a session key, the secret for
HMAC, and the IV (if needed).
312
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
SSL Handshake – Step Four
• The client sends a message encrypted with the
session key, closing the client side of the
handshake. The server responds with a message
encrypted with the session key, closing the server
side. Communication is now secure.
313
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Transport Layer Security Protocol
(TLS)
• The TLS Working Group was
established in 1996 to standardize a
'transport layer' security protocol.
– Based on, and backward compatible
with, SSL version 3.0
• TLS provides for authentication and
data protection for communication
between two entities.
314
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Wireless Transport Layer Security
(WTLS)
• Security in the Wireless Application
Protocol v1.2 uses WTLS instead of
standard SSL.
• Wireless gateway must use WTLS to
secure the channel to the wireless device
and SSL to secure the channel from the
destination web server.
• A security issue is that the information on
the gateway is unencrypted.
315
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Application Layer Security
Protocols
Examples:
• Secure Remote Procedure Call (S-RPC)
• Domain Name System Security
(DNSSec)
• Secure WWW Transactions (S-HTTP)
• Electronic Payment Schemes (SET,
Ecash, Netcash, Mondex, Cybercash,
etc.)
316
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
Multimedia and Quality of Service
Information Security Activities
317
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Multimedia Security
• Growing concern in competitive global
market for confidentiality and privacy.
• Increased susceptibility to industrial and
economic espionage.
• Effective security via encryption. For
example, can use virtual private
networks with encryption services.
318
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Multimedia Security
• Protocols at network level can provide
end-to-end security.
• Applications can also provide some
security.
• Use of encryption and security protocols
impose a performance penalty.
– Bandwidth overhead
– Processing time
319
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Quality of Service (QoS)
QoS refers to the capability of the
network to provide better service to
selected network traffic over various
technologies.
320
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Primary Goals of QoS
• Dedicated bandwidth
• Controlling jitter and latency
• Enabling coexistence of real-time traffic,
such as voice/video, with best efforts
traffic, such as data.
Jitter is the variation in arrival times of frames (latency)
and is caused by queuing in routers, switches, and by
carrier switched networks.
321
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Types of QoS
• Best-effort service is basic connectivity
with no guarantees.
• Differentiated service is when some
traffic is more important than the rest
(i.e., more bandwidth on average, lower
loss rate on average).
• Guaranteed service is a complete
reservation of network resources for
specific traffic.
322
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Traffic QoS Needs
• Data (Best Effort) - bursty, intolerant of
errors, tolerant of jitter
• Audio/Video (Real Time) - constant
bandwidth, tolerant of errors, intolerant of
jitter
• Interactive (Terminal Emulation) - similar
to Best Effort but more impacted by endto-end latency than by jitter.
323
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Subtopics
•
•
•
•
•
•
•
•
•
•
Data Networks
Network Protocols
Telephony
Remote Access
Network Threats, Attacks and Countermeasures
Network Access Controls
Network Availability Technologies
Internet and Web Security Protocols
Multimedia and Quality of Service
Information Security Activities
324
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Information Security Activities
• Audit Log Processing
– Host audit logs
– Network device logs
– Intrusion Detection reports
• Security Reviews
• Vulnerability Assessment
– Network Audit
– Penetration Test
– Rogue Wireless Access Point Detection
325
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Information Security Activities
• Sound Network Design (no single
points of failure, defense in depth, etc.)
• Network scans (to know what is on it)
• Secure configuration
• Change management
• Configuration management
326
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Information Security Activities
• Awareness and Training
– Train systems personnel so they know how to use
systems properly
– All employees should be aware of system security
responsibilities.
• Support and manage activities related to
security of the network
• Perform vulnerability assessments
• Perform security reviews
• Choose correct technologies and protocols
to ensure adequate security of all network
elements
327
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Quick Quiz
• What are some of the Transport layer
security protocols?
• What is Quality of Service?
• What is the best way to protect multimedia
transmissions across an un-trusted
network?
• What are some of the activities that
security professionals need to be involved
in, related to network security?
328
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Section Summary
• Transport layer security protocols include SSL, TLS, WTLS.
• Quality of service refers to the concept of making sure that
your networks address the level of service that is required by
specific applications. We do this mostly by addressing
redundancy and controlling jitter and latency.
• Best way to protect any transmission, including multi-media
is to use encryption and secure protocols at the network
layer.
• Security activities include awareness and training, promoting
sound network design, performing vulnerability assessments,
security reviews, change management, choosing the correct
security technologies and controls, etc.
329
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
330
© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0