Telecommunications and Network Security


CISSP Review Course
Domain 2b: Telecommunications and Network Security
This presentation includes a compendium of slides, both original and gathered from various
public information sources, and is not intended for use by any for-profit individuals or organizations.
February 2, 2004
CISSP Prep, University of Buffalo
Domain 2b - 2004
1
Domain Objective:
Telecommunications and Network Security
The objective of this domain is to understand:
• data communications in terms of physical and logical networks,
including local area, metropolitan area, wide area, remote
access, Internet, intranet, extranet, their related technologies of
firewalls, bridges, routers, and the TCP/IP and OSI models
• communications and network security as it relates to voice,
data, multimedia, and facsimile
• communications security management techniques that prevent,
detect, and correct errors
We will cover most, but not all of these areas in this review
Domain Summary:
Telecommunications and Network Security
The telecommunications and network security
domain is a very significant part of the CBK. The
information for this domain typically represents 15%
of the CISSP exam content and includes the
structures, transmission methods, transport formats,
and security measures used to provide and ensure
the integrity, availability, authentication, and
confidentiality of transmissions over private and
public communications networks.
Last Session:
Network Structure
• OSI Model
• Internet Protocols
• Network Devices
• Network Topologies
• Internet Protocol
• LAN Topologies
• Access Technologies
This Session:
• Internet, intranet, extranet, & remote access,
their related technologies of firewalls, Proxy
servers, and controls
• communications security management
techniques that prevent, detect, and correct
errors
Internet/Intranet/Extranet
• Internet
- global network of public networks and service providers
- uses TCP/IP protocol
• Intranet
- internal network of WAN
- used for connecting to private web pages, internal web sites,
internal web applications
• Extranet
- segment of WAN physically or logically isolated from the other WAN
segments
- activities on segment are considered untrusted
Firewall Terms
• Network address translation (NAT)
– Internal addresses unreachable from external network
• DMZ - De-Militarized Zone
– Hosts that are directly reachable from untrusted networks
• ACL - Access Control List
– can be router or firewall term
Firewall Terms
• Choke, Choke router
– A router with packet filtering rules (ACLs) enabled
• Gate, Bastion host, Dual Homed Host
– A server that provides packet filtering and/or proxy
services
• proxy server
– A server that provides application proxies
Firewall Types
• Packet-filtering router
– Most common
– Uses Access Control Lists (ACL)
  – Port
  – Source/destination address
• Screened host
– Packet-filtering and Bastion host
– Application layer proxies
• Screened subnet (DMZ)
– 2 packet filtering routers and bastion host(s)
– Most secure
Firewall Types
• boundary routers
- provide entry to and from network perimeters
- permit or deny predefined network traffic
- forward permitted traffic from a secure device
• secure gateways
- enforce network security policy between two or more networks
- usually a firewall type device
- used for central network administration
- circuit level – application level using TCP without additional processing
- application level – proxy service
Firewall Mechanisms
• Stateful Inspection
– State and context analyzed on every packet in connection
• Proxy servers
– Intermediary
– Think of bank teller
Proxies
– Defined: A server that acts on behalf of you or your
PC to increase security or accelerate data flow.
– Types of Proxies
• Forward Proxy - many internal clients to one external
server.
• Reverse Proxy - many external clients to one internal
server.
Proxies
• Brands of Proxies
• Cisco
• SUN / Netscape I-Planet
• CacheFlow - Blue Jacket
• Examples of Proxies:
• FTP Telnet HTTP SSH
• Network Appliance
• Microsoft ISA
Intrusion Detection (IDS)
• Host or network based
• Context and content monitoring
• Positioned at network boundaries
• Basically a sniffer with the capability to detect
traffic patterns known as attack signatures
Web Security
• Secure Sockets Layer (SSL)
• Transport layer security (TCP based)
• Widely used for web based applications
• by convention, https://
• Secure Hypertext Transfer Protocol (S-HTTP)
• Less popular than SSL
• Used for individual messages rather than
sessions
Web Security
• Secure Electronic Transactions (SET)
• PKI
• Financial data
• Supported by VISA, MasterCard, Microsoft,
Netscape
IPSEC
• IP Security
• Set of protocols developed by IETF
• Standard used to implement VPNs
• Two modes
• Transport Mode
• encrypted payload (data), clear text header
• Tunnel Mode
• encrypted payload and header
• IPSEC requires shared secret key & security
association
Common Attacks
• This section covers common hacker attacks
• No need to understand them completely,
need to be able to recognize the name and
basic premise
Spoofing
• TCP Sequence number prediction
• UDP - trivial to spoof (CL)
• DNS - spoof/manipulate IP/hostname pairings
• Source Routing
Denial of Service (DoS)
• Attempts to "flood" a network, thereby preventing
legitimate network traffic
• Attempts to disrupt connections between two
machines, thereby preventing access to a service
• Attempts to prevent a particular individual from
accessing a service
• Attempts to disrupt service to a specific system or
person
• Distributed Denial of Service (DDoS); multiple
systems controlled to conduct the attack
Sniffing
• Passive attack
• Monitor the “wire” for all traffic - most effective
in shared media networks
• Sniffers used to be “hardware”, now are a
standard software tool
Session Hijacking
• Uses sniffer to detect sessions, get pertinent
session info (sequence numbers, IP
addresses)
• Actively injects packets, spoofing the client
side of the connection, taking over session
with server
• Bypasses I&A controls
• Encryption is a countermeasure, stateful
inspection can be a countermeasure
IP Fragmentation
• Use fragmentation options in the IP header to
force data in the packet to be overwritten
upon reassembly
• Used to circumvent packet filters
IDS Attacks
• Insertion Attacks
• Insert information to confuse pattern
matching
• Evasion Attacks
• Trick the IDS into not detecting traffic
• Example - Send a TCP RST with a TTL
setting such that the packet expires prior to
reaching its destination
Syn Floods
• Remember the TCP handshake?
• Syn, Syn-Ack, Ack
• Send a lot of Syns
• Don’t send Acks
• Victim has a lot of open connections, can’t
accept any more incoming connections
• Denial of Service
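
Added example (not part of the original slides): a defender-side view of the half-open state described above. The sketch keeps a per-listener table of SYNs still waiting for the final ACK and reports when the table exceeds a limit; the record format, addresses, timeout and limit are constructed assumptions.

```python
from collections import defaultdict

SYN_TIMEOUT = 30.0   # seconds a half-open entry is kept (assumed value)
BACKLOG_LIMIT = 5    # half-open entries tolerated per listener (assumed value)

def half_open_alerts(packets, limit=BACKLOG_LIMIT, timeout=SYN_TIMEOUT):
    """Return [(time, listener, count)] the first time a listener exceeds limit.

    packets: (time, src, sport, dst, dport, flag) tuples in time order, where
    flag is "S" for a client SYN and "A" for the client's final ACK.
    """
    pending = defaultdict(dict)   # (dst, dport) -> {(src, sport): time of SYN}
    alerted, alerts = set(), []
    for t, src, sport, dst, dport, flag in packets:
        listener = (dst, dport)
        table = pending[listener]
        # Drop entries whose handshake never completed within the timeout.
        for peer in [p for p, seen in table.items() if t - seen > timeout]:
            del table[peer]
        if flag == "S":
            table[(src, sport)] = t          # SYN received, SYN-ACK sent, waiting
        elif flag == "A":
            table.pop((src, sport), None)    # handshake completed
        if len(table) > limit and listener not in alerted:
            alerted.add(listener)
            alerts.append((t, listener, len(table)))
    return alerts

def sample_traffic():
    """Constructed records: three complete handshakes, then eight unanswered SYNs."""
    server = ("198.51.100.5", 80)
    pkts = []
    for i in range(3):
        pkts.append((float(i), f"192.0.2.{10 + i}", 40000 + i, *server, "S"))
        pkts.append((i + 0.1, f"192.0.2.{10 + i}", 40000 + i, *server, "A"))
    for i in range(8):
        pkts.append((5.0 + i * 0.01, f"203.0.113.{i + 1}", 50000 + i, *server, "S"))
    return pkts

if __name__ == "__main__":
    for when, (host, port), count in half_open_alerts(sample_traffic()):
        print(f"{when:.2f}s {host}:{port} half-open={count}")
```

Completed handshakes leave the table empty, so only the unanswered SYNs count toward the limit, and entries older than the timeout are discarded before each check.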
Telecom/Remote Access Security
• Dial up lines are favorite hacker target
• War dialing
• social engineering
• PBX is a favorite phreaker target
• blue box, gold box, etc.
• Voice mail
Telecommunications Security
• Facsimile Security
• Technical controls - FAX encryptor and bulk data link encryption
• Management controls - activity and exception reports
• Physical Access Controls
• Voice Mail Security
• exposure to toll fraud if compromised
• PINs should be generated randomly
• unassigned or unused mailboxes removed
• block access to transfer to local or long distance lines
Telecommunications Security
• Private Branch Exchange (PBX) Security
• PBX - a switching system that controls and manages a
company's physical phones and connections to the local
telephone company
• security goal is to prevent unauthorized use, manipulation, or
access of the switch, operating software, or system
configuration
• security measures
• detail call recording
• control remote maintenance access
• install strong passwords for system management
• block all unassigned access codes
Remote Access Security
• SLIP - Serial Line Internet Protocol
• PPP - Point to Point Protocol
• SLIP/PPP about the same, PPP adds error
checking, SLIP obsolete
• PAP - Password authentication protocol
• clear text password
• CHAP - Challenge Handshake Auth. Prot.
• Encrypted password
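
Added example (not part of the original slides): the PAP/CHAP difference as it appears to someone capturing the link. It uses the MD5 response defined for CHAP in RFC 1994 and the PAP request fields from RFC 1334; the class name, peer name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def pap_fields(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): length-prefixed ID and password."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticator side: issues a fresh challenge and accepts one response to it."""

    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret
        self.pending = {}           # peer name -> (identifier, challenge)
        self.next_id = 0

    def challenge(self, peer):
        self.next_id = (self.next_id + 1) % 256
        self.pending[peer] = (self.next_id, os.urandom(16))
        return self.pending[peer]

    def verify(self, peer, identifier, response):
        issued = self.pending.pop(peer, None)      # each challenge is single use
        if issued is None or issued[0] != identifier or peer not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[peer], issued[1])
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"example-shared-secret"               # constructed value
    nas = ChapAuthenticator({"alice": secret})
    captured_pap = pap_fields(b"alice", secret)     # what a capture shows with PAP
    ident, chal = nas.challenge("alice")
    captured_chap = chap_response(ident, secret, chal)
    first = nas.verify("alice", ident, captured_chap)
    ident2, _ = nas.challenge("alice")              # new session, new challenge
    replay = nas.verify("alice", ident2, captured_chap)
    return {
        "pap_exposes_secret": secret in captured_pap,
        "chap_exposes_secret": secret in captured_chap,
        "legitimate_login": first,
        "replayed_response": replay,
    }

if __name__ == "__main__":
    print(demo())
```

The secret never crosses the link under CHAP, and a response recorded in one session fails against the next session's challenge.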
Remote Access Security
• TACACS, TACACS+
• Terminal Access Controller Access Control
System
• Network devices query TACACS server to
verify passwords
• “+” adds ability for two-factor (dynamic)
passwords
• Radius
• Remote Auth. Dial-In User Service
Virtual Private Networks
• PPTP - Point to Point Tunneling Protocol
• Microsoft standard
• creates VPN for dial-up users to access
intranet
• IPSEC client
• Cisco Secure Client
• Nortel VPN Client
Transport Layer Protocols
• SSH - Secure Shell
• allows encrypted sessions, file transfers
• can be used as a VPN
• SSL – Secure Sockets Layer
• Enables client/server applications to
communicate, minimizing the risk of
eavesdropping, tampering or message forgery
• Provides data confidentiality, integrity control,
server authentication and client authorization
Transport Layer Protocols
• Wireless Transport Layer Security (WTLS)
• Security in the Wireless Application Protocol v1.2
uses WTLS instead of standard SSL
• Wireless gateway must use WTLS to secure the
channel to the wireless device and SSL to secure
the channel from the destination web server.
• A security issue is that the information on the
gateway is unencrypted.
Application Layer Security Protocols
• Secure Hypertext Transfer Protocol (S-HTTP)
• Supports fine grained application security, such
as:
• Key distribution using shared secrets or PKI
• Web-page specific encryption controls for
highly granular access control
• Overshadowed by transport layer security
protocols such as Secure Socket Layer (SSL)
• It is not the same as HTTPS, which is SSL running
under HTTP
Application Layer Security Protocols
• Electronic Payment schemes
• Examples are Ecash, Netcash, Mondex,
Cybercash
• Secure Electronic Transaction (SET)
• SET provides payment protection but not link
encryption
• Goal to provide worldwide payment card protocol
• Authentication and non-repudiation of purchaser
and merchant
Communications
• Security techniques to prevent, detect, and
correct errors for Confidentiality, Integrity &
Availability (CIA).
• Tunneling
• VPN
• IDS
• Protocol & Packet Analyzers (Sniffers)
Communications
• NAT
• PAT
• Hash
• CRC
• Transmission Logging, error correction,
retransmission
Email Security
• Privacy
• Ownership
• Legal Liability
• Financial communications
• Personal email security versus business
email security
Email Security
Encryption - Personal Email
• Email has less security than a letter or
postcard sent in the U.S. Mail.
• A postcard has nonrepudiation; a signature
on the card identifies who sent the card.
• A letter has confidentiality; no one should be
able to see inside the envelope
• A letter has integrity; tampering with the
envelope should be noticed.
Encryption - Personal Email
• Why would you want to encrypt or digitally sign your
personal email?
• Personal Privacy
• Professional Association / Law Enforcement /
Information Security Company requires secure
communications
• Identification
• Credibility
• Use latest technology
Domain 2 Questions
Domain 2 Practice Questions
Spoofing can be defined as:
A) Eavesdropping on communications
between persons or processes
B) Person or process emulating another person
or process
C) A hostile or unexpected entity concealed
within another entity
D) The testing of all possibilities to obtain
information
Domain 2 Practice Questions
The purpose of Nessus is to?
A) Close network security holes
B) Establish network audit trails
C) Identify vulnerabilities in networks
D) Exploit system-related vulnerabilities
Domain 2 Practice Questions
Which of the following is an attack specifically
against mail systems?
A) Smurf
B) SYN/Ack
C) Spam
D) Teardrop
Domain 2 Practice Questions
What role does biometrics have in logical
access control?
A) Certification
B) Authorization
C) Authentication
D) Confidentiality
Domain 2 Practice Questions
How many types of intrusion detection engines
are there?
A) One
B) Two
C) Three
D) Four
E) Seven
Domain 2 Practice Questions
Which protocol is commonly used to verify dial-up
connections between hosts?
A) Unix-to-Unix Communication Protocol (UUCP)
B) Challenge Handshake Authentication Protocol
(CHAP)
C) Point-to-Point Tunneling Protocol (PPTP)
D) Simple Key Management for Internet Protocol
(SKIP)
Domain 2 Practice Questions
The UDP protocol is a connectionless and
reliable service for applications?
A) True
B) False
Domain 2 Practice Questions
A) Firewall Types can be which of those listed
below? (Choose all that apply)
B) Packet Filtering
C) Stateful Inspection
D) Application level Proxy
E) Personal
F) Circuit level Proxy
Domain 2 Practice Questions
Which form of firewall performs the highest level
of control?
A) Packet Filtering
B) Stateful Inspection
C) Application level Proxy
D) Personal
E) Circuit level Proxy
Domain 2 Practice Questions
All implementations of IPSEC must support a
Security Authentication?
A) True
B) False
Domain 2 Practice Questions
Telnet is much preferred over SSH for its
secure connection attributes.
A) True
B) False
Domain 2 Practice Questions
Wireless Security and Access control has which of the
following as a noted security issue? (Choose all that
apply)
A) Access Point Mapping
B) SSID Broadcasting
C) Compatibility between devices
D) Authentication
E) Encryption
F) Default Settings
Domain 2 Practice Questions
Network Disaster Prevention might include which of the
following practices?
A) Redundant LAN routes
B) On demand WAN connections
C) Creation of a single point of failure for added
redundancy
D) Use of Frame Relay
E) Leased line or T1 connections
Domain 2 Practice Questions
Use of Trivial File Transfer Protocol (TFTP) is a
recommended practice for securing device
configuration data?
A) True
B) False
Domain 2 Practice Questions
Which of the following RAID levels provide for
server fault-tolerance?
A) RAID 1
B) BlackFlag Technique
C) RAID 5
D) RAID 0
E) RAID 10