Computer Security

Information Systems Security
Telecommunications
Domain #7

OSI Reference Model
• Physical
• Datalink
• Network
• Transport
• Session
• Presentation
• Application

Routing
• Dynamic
  – RIP I
  – RIP II
  – OSPF
  – BGP

Cabling Types - Coaxial
• Copper wire insulated by braided metallic ground shield
• Less vulnerable to EMI
• Two main types
  – 10BASE2 (Thinnet) (185 meters)
  – 10BASE5 (Thicknet) (500 meters)
• Mainly used in one-way networks (TV)
• Two-way networks required special equipment
• Larger minimum arc radius than TP

Cabling Type - TP
• Copper-based
• Two major types
  – UTP
    • Least secure
    • Susceptible to EMI, cross-talk, and eavesdropping
    • Less security than fiber or coaxial
    • Most commonly used today
  – STP
    • Extra outer foil shielding

Cabling Type - Fiber
• Data travels as photons
• Higher speed, less attenuation, more secure
• Expensive and harder to work with
• Two major types
  – Multimode
    • Less expensive, with slower speed
  – Single mode
    • Faster speeds available, but more expensive and delicate

Signal Issues
• Attenuation
  – Interference from environment
  – Cable runs are too long
  – Poor quality cable
• Cross Talk
  – Signals radiate from a wire and interfere with other wires
  – Data corruption
  – More of a problem with UTP

Transmission Types
• Analog
  – Carrier signal used to move data
  – Signal works at different frequencies
  – Used in broadband networks
• Digital
  – Discrete units of voltage
  – Moves data in binary representation
  – Cleaner signal compared to analog

Encoding Techniques

| Parameter             | AM                   | FM             | Digital        |
|-----------------------|----------------------|----------------|----------------|
| Signal-to-noise ratio | Low                  | Moderate       | High           |
| Cost                  | Moderate             | Moderate       | High           |
| Performance over time | Moderate             | Excellent      | Excellent      |
| Installation          | Adjustments required | No adjustments | No adjustments |

Synchronous or Asynchronous
• Sync
  – Prior agreement of data TX rules
  – Sending system sends a clocking pulse
  – Stop and start bits are not required
  – T-lines & optical lines use synchronous
• Asynchronous
  – Must use start/stop bits
  – Dial-up connections use asynchronous

Broadband or Baseband
• Baseband
  – TX media only uses one channel
  – Digital signaling
  – Used over TP or Coax
• Broadband
  – Multiple channels
  – TXs more data at one time
  – Can use analog signaling
  – Used over coax or fiber (at 100 Mbps or more)
  – Can carry video, audio, data, and images

Plenum Cable
• Polyvinyl chloride can give off dangerous chemicals if burned
• Plenum rated cable is made of safe fluoropolymers
• Should be used in dropped ceilings, raised floorings, and other ventilation areas

Number of Receivers
• Unicast
  – One system communicates to one system
• Multicast
  – One system communicates to many systems
  – Class D addresses dedicated to this
  – “Opt-in” method (webcasts, streaming video)
• Broadcast
  – One system communicates to all systems
  – Destination address contains specific values

Types of Networks
• Local Area Network (LAN)
  – Limited geographical area
  – Ethernet and Token Ring
• Metropolitan Area Network (MAN)
  – Covers a city or town
  – SONET, FDDI
• Wide Area Network (WAN)
  – ATM, Frame Relay, X.25

Network Terms
• Internet
  – Network of networks providing a communication infrastructure
  – The web runs on top of this Internet infrastructure
• Intranet
  – Employs Internet technology for internal use
    • HTTP, web browsers, TCP/IP

Network Terms
• Extranet
  – Intranet type of network that allows specific entities to communicate
  – Usually business partners and suppliers
  – B2B networks
  – Shared DMZ area or VPN over the Internet

Network Configuration
• DMZ
  – Network segment that sits between the protected internal network and the external (non-trusted) network
  – Creates a buffer zone
  – Systems in the DMZ will be the first to come under attack and must be properly fortified

Physical Layer
• Network Topologies
  – Physical connection of systems and devices
  – Architectural layout of the network
  – Choice determined by the higher level technologies that will run on it
• Types (Bus, Ring, Star, Mesh)

Bus
• Nodes are connected to a backbone through drops
• Linear bus – one cable with no branches
• Tree – network with branches
• Easy to extend
• Single node failure affects ALL participants
• Cable is the single point of failure

Ring
• Interconnection of nodes in a circle
• Each node is dependent upon the physical connection of the upstream node
• Data travels unidirectionally
• One node failure CAN affect surrounding nodes
• Used more in smaller networks

Star
• All computers are connected to a central device
• Central device is the single point of failure
• No node-to-node dependencies

Mesh
• Network using many paths between points
• Provides transparent rerouting when links are down
• High degree of fault tolerance
• Partial Mesh – Not every link is redundant
  – Internet is an example
• Full Mesh – All nodes have redundancy

Media Access
• Dictates how a system will access the media
• Frames packets with specific headers
• Different media access technologies
  – CSMA
  – Token Ring
  – Polling
• Protocols within the data link layer
  – SLIP, PPP, L2F, L2TP, FDDI, ISDN

Carrier Sense Multiple Access
• CSMA/CD (Collision Detection)
  – Monitors the line to know when it is free
  – When the cable is not busy, data is sent
  – Used in Ethernet
• CSMA/CA (Collision Avoidance)
  – Listens to determine if the line is busy
  – Sends out a warning that a message is coming
  – All other nodes go into waiting mode
  – Used in 802.11 WLANs

Wireless Standards (802.x)
• 802.11 – 2.4 GHz range at 1-2 Mbps
• 802.11b – 2.4 GHz up to 11 Mbps
• 802.11a – 5 GHz up to 54 Mbps
• 802.11g – 2.4 GHz up to 54 Mbps
• 802.11i – Security protocol (replaces WEP)
• 802.15 – Wireless PANs
• 802.16 – Wireless MANs

Access Points
• Connects a wireless network to a wired network
• Devices must authenticate to the AP before gaining access to the environment
• AP works on a specific frequency that the wireless device must “tune itself” to

Service Set ID (SSID)
• WLANs can be logically separated by using subnet addresses
• Wireless devices and APs use the SSID when authenticating and associating
• Should not be considered a security mechanism

Authenticating to the AP
• Station sends a probe to all channels looking for the closest AP
• AP will respond with the necessary information and a request for credentials
• If a WEP key is required, the AP sends a challenge to the device; the device encrypts it with the key and sends it back
• If no WEP key, could request SSID value and MAC value

Wired Equivalent Protocol (WEP)
• Protocol used to encrypt traffic for all IEEE wireless standards
• Riddled with security flaws
• Improper implementation of security mechanisms
• No randomness (uses the same password)
• No Automated Dynamic Key Refresh Method (DKRM), requires manual refresh

More WEP Woes
• Small initialization vector values
  – Uses a 24-bit value
  – Exhausts randomness in as little as 3 hours
• Uses a stream cipher (RC4)
• No data integrity
• Uses XORs – flip a bit in the ciphertext and the corresponding bit in the plaintext is flipped

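The malleability and IV-exhaustion points above, as an added Python example that is not part of the slides: a textbook RC4 keyed WEP-style with IV || shared key, a ciphertext bit flip that lands on the same plaintext bit, the keyed MAC WEP lacked that would have caught it, and the birthday arithmetic behind the 24-bit IV space. The key, IV and message are constructed sample values.

```python
"""Added example (not from the slides): why a stream cipher with no integrity
check is malleable, and how fast a 24-bit IV space runs out.  WEP keys RC4
with IV || shared key; the RC4 here is the textbook algorithm and the key, IV
and message are constructed sample values."""
import hashlib
import hmac
import math

def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then keystream output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_style_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP framing: the per-packet RC4 key is IV || key, and the 3-byte IV is
    sent in the clear ahead of the XORed payload."""
    keystream = rc4(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))

def wep_style_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return bytes(c ^ k for c, k in zip(body, rc4(iv + key, len(body))))

def flip_ciphertext_bit(frame: bytes, byte_index: int, bit: int) -> bytes:
    """The slide's point: with XOR and no MAC, flipping one ciphertext bit
    flips exactly that plaintext bit and nothing detects the change."""
    body = bytearray(frame)
    body[3 + byte_index] ^= 1 << bit
    return bytes(body)

def make_tag(key: bytes, frame: bytes) -> bytes:
    """What WEP lacked: a keyed MAC over the whole frame (HMAC-SHA256 here)."""
    return hmac.new(key, frame, hashlib.sha256).digest()

def tag_is_valid(key: bytes, frame: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(key, frame), tag)

def iv_collision_estimates(iv_bits: int = 24, seconds: float = 3 * 3600) -> dict:
    """Birthday bound for a 50% chance that some IV repeats, and the frame
    rate at which all 2**iv_bits IVs are used up within `seconds`."""
    space = 2 ** iv_bits
    return {
        "iv_space": space,
        "frames_for_50pct_collision": math.ceil(math.sqrt(2 * space * math.log(2))),
        "frames_per_second_to_exhaust": space / seconds,
    }
```
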
Wireless Application Protocol (WAP)
• Requires a different protocol stack than TCP/IP
• WAP allows wireless devices to access the Internet
• Provides functions at each of the OSI layers similar to TCP/IP
• Founded in 1997 by cell phone companies

Wireless Transport Layer Security
• Security layer of WAP
• Provides privacy, integrity, and authentication for WAP applications
• Data encrypted with WTLS must be decrypted and re-encrypted with SSL or TLS

Common Attacks
• Eavesdropping on traffic and spoofing
• Erecting a rogue AP
• Man-in-the-middle
• Unauthorized modification of data
• War driving
• Cracking WEP
  – Birthday attacks
  – Weak key attacks (airsnort, WEPCrack)

War Driving
• Necessary Components
  – Antenna (omnidirectional is best)
  – Sniffers (TCPDump, Ethereal)
  – NetStumbler, AirSnort, or WEPCrack
• NetStumbler finds APs and logs:
  – Network name
  – SSID
  – MAC
  – Channel ID
  – WEP (yes or no)

Wireless Countermeasures
• Enable WEP
• Change default SSID and don’t broadcast
• Implement additional authentication
• Control the span of the radio waves
• Place AP in DMZ
• Implement VPN for wireless stations
• Configure firewall for known MAC and IP

TCP/IP Suite
• TCP – connection oriented transport layer protocol that provides end-to-end reliability
• IP – connectionless network layer protocol that provides the routing function
• Includes other secondary protocols

Port and Protocol Relations
• Well known port numbers are 0-1023
  – FTP is 20 and 21
  – SMTP is 25
  – SNMP is 161
  – HTTP is 80
  – Telnet is 23
  – HTTPS is 443
• Source is usually a high dynamic number while destination is usually under 1024

Address Resolution Protocol (ARP)
• Maps the IP address to the MAC address
• Data link understands MAC, not IP
• Element in man-in-the-middle attacks
  – Intruder inserts its own MAC address, mapped to the destination’s IP address, into the victim’s ARP cache
• Countermeasures
  – Static ARP, active monitoring, and IDS to detect anomalies

ARP Poisoning
• Insert bogus IP to MAC address mapping in remote system
• Misdirect traffic to attacker’s computer
• Ideal scenario for man-in-the-middle attack

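The “active monitoring” and “static ARP” countermeasures above, as an added Python example that is not from the slides: a small ARP monitor that parses constructed ARP-reply log lines (the line format is assumed, loosely modelled on a sniffer's output) and raises an alert when an IP changes MAC, when a binding violates a pinned static table, or when one MAC answers for several IPs.

```python
"""Added example (not from the slides): the 'active monitoring' countermeasure
for ARP poisoning.  Constructed ARP-reply log lines are checked against a
static IP->MAC table and against the bindings observed so far."""
from dataclasses import dataclass, field

@dataclass
class ArpReply:
    ip: str
    mac: str

@dataclass
class ArpMonitor:
    """Remembers the first MAC seen for every IP and enforces an optional
    static IP->MAC table (the 'Static ARP' countermeasure on the slide)."""
    static: dict = field(default_factory=dict)
    seen: dict = field(default_factory=dict)

    def check(self, reply: ArpReply) -> list:
        mac = reply.mac.lower()
        alerts = []
        expected = self.static.get(reply.ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(f"STATIC_VIOLATION {reply.ip}: expected {expected}, got {mac}")
        previous = self.seen.get(reply.ip)
        if previous is not None and previous != mac:
            alerts.append(f"MAC_CHANGE {reply.ip}: {previous} -> {mac}")
        # One MAC answering for several IPs is how a poisoner impersonating
        # the gateway looks from the victim's side of the segment.
        also = sorted(ip for ip, m in self.seen.items() if m == mac and ip != reply.ip)
        if also:
            alerts.append(f"MAC_MULTI_IP {mac}: also bound to {also}")
        self.seen.setdefault(reply.ip, mac)   # first binding wins
        return alerts

def parse_arp_log(lines) -> list:
    """Parse constructed lines shaped 'ARP reply <ip> is-at <mac> via <iface>'."""
    replies = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[:2] == ["ARP", "reply"] and parts[3] == "is-at":
            replies.append(ArpReply(parts[2], parts[4]))
    return replies

# Constructed sample, not captured traffic: the last line shows host .20's MAC
# suddenly claiming the gateway address 10.0.0.1.
SAMPLE_LOG = [
    "ARP reply 10.0.0.1 is-at aa:bb:cc:00:00:01 via eth0",
    "ARP reply 10.0.0.20 is-at aa:bb:cc:00:00:20 via eth0",
    "ARP reply 10.0.0.1 is-at aa:bb:cc:00:00:20 via eth0",
]
STATIC_TABLE = {"10.0.0.1": "aa:bb:cc:00:00:01"}   # gateway pinned by policy

def run_monitor(lines, static=None) -> list:
    """Feed every parsed reply through one monitor and collect the alerts."""
    monitor = ArpMonitor(static=static or {})
    alerts = []
    for reply in parse_arp_log(lines):
        alerts.extend(monitor.check(reply))
    return alerts
```
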
Internet Control Message Protocol (ICMP)
• Status and error messaging protocol
• Ping is an example
• Used by hackers for host enumeration
• Redirects traffic by sending bogus ICMP messages to a router

Simple Network Management Protocol (SNMP)
• Master and agent model
• Agents gather status information about network devices
• Master polls agents and provides an overall view of network status
• Runs on ports 161 and 162

Simple Mail Transfer Protocol (SMTP)
• Transmits mail between different mail servers
• Security issues with mail servers
  – Improperly configured mail relay
  – Sendmail functions

Other Protocols
• FTP
• TFTP
• Telnet

Repeater Device
• Works at the physical layer
• Extends a network
• Helps with attenuation
• No intelligence built in

Hub Devices
• Works at the physical layer
• Connects several systems and devices
• Also called multipoint repeaters/concentrators
• All data is broadcast
• No intelligence

Bridge Device
• Functions at the data link layer
• Extends a LAN by connecting similar or dissimilar LANs
• Filtering capabilities
• Uses the MAC address
• Forwards broadcast data
• Transparent – Ethernet
• Source Routing – Token Ring

Switch Device
• Transfers a connection from one circuit to another
• Faster than bridges
• Originally made decisions based on MAC
• Major functionality takes place at the Data Link Layer
• Newer switches work at the Network layer and use IP addresses

Virtual LAN (VLAN)
• Logical containers used to group users, systems, and resources
• Does not restrict administration based upon the physical location of the device
• Each VLAN has its own security policy
• Used in switches
• Can be static or dynamic

Router Device
• Works at the network layer
• Can connect similar or dissimilar networks
• Blocks broadcasts
• Uses routing tables
• Bases decisions on IP addresses
• Can work as a packet filtering firewall with the use of Access Control Lists

Gateway Device
• Translates different protocols or software formats
• Mail gateways – allow different mail applications to communicate
• Data gateways – allow heterogeneous clients and servers to communicate
• Security gateways – firewalls and perimeter security devices

Bastion Host Device
• Gateway between an internal network and an external network; used for security
• Hardened system
  – Disable unnecessary accounts
  – Disable unnecessary services
  – Disable unnecessary subsystems
  – Remove administrative tools
  – Up to date with patches and fixes
• All systems in the DMZ should be Bastion Hosts

Firewall Characteristics
• Generation 1 – Packet Filtering
• Generation 2 – Proxy
• Generation 3 – Stateful
• Generation 4 – Dynamic Packet Filtering
• Generation 5 – Kernel Proxies
• All provide transparent protection to internal users

Packet Filtering
• Simplest and least expensive
• Screens with a set of ACLs
• Referred to as a Layer 3 device
• Access depends on network and transport layer information
• Best in low-risk environments
• 1st generation firewall

Circuit Level Proxy
• Makes access decisions based on network and transport layer information
• Not application or protocol dependent
• More protection than a packet filter
• SOCKS is the most commonly used
• Hides information about the network it protects
• 2nd generation firewall

Application Layer Proxy
• Access decision is based on the data payload
• Must understand the command structure of the payload
• Provides a high level of protection
• Can filter application specific commands
• Logs user activity
• Requires manual configuration of each client computer
• 2nd generation firewall

Stateful Firewall
• Makes access decisions based on IP addresses, protocol commands, historical comparisons, and contents of packets
• Uses a state engine and state table
• Monitors connection-oriented and connectionless protocols
• Expensive and complex to administer
• 3rd generation firewall

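Generation 1 versus generation 3, as an added Python example that is not from the slides: a stateless ACL evaluated on network/transport-layer fields beside a stateful filter whose state table admits return traffic only for connections the inside opened. The address ranges, rules and packets are constructed.

```python
"""Added example (not from the slides): a generation-1 packet filter screening
on network/transport fields with an ACL, beside a generation-3 stateful filter
with a state table.  Addresses, rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # a TCP SYN opens a new connection

@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    src: str            # CIDR
    dst: str            # CIDR
    proto: str
    dports: range

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.proto == self.proto and p.dport in self.dports)

INSIDE, ANY = "10.0.0.0/24", "0.0.0.0/0"
EPHEMERAL = range(1024, 65536)
# Stateless ACL: the filter has no memory of who asked, so replies can only
# come back if every high port is opened inbound (the slide's weakness).
STATELESS_ACL = [
    Rule("allow", INSIDE, ANY, "tcp", range(80, 81)),
    Rule("allow", ANY, INSIDE, "tcp", EPHEMERAL),
]

def packet_filter(acl, p: Packet) -> str:
    """Generation 1: first matching rule wins, implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFilter:
    """Generation 3: an inside-initiated SYN permitted by the outbound ACL
    creates a state-table entry; later packets in either direction are
    allowed only if they belong to such an entry."""
    def __init__(self, outbound_acl):
        self.acl = outbound_acl
        self.table = set()

    def decide(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if (p.syn and ip_address(p.src) in ip_network(INSIDE)
                and packet_filter(self.acl, p) == "allow"):
            self.table.add(forward)
            return "allow"
        return "allow" if forward in self.table or reverse in self.table else "deny"
```
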
Dynamic Packet Filtering Firewalls
• Combination of application proxies and stateful inspection firewalls
• Dynamically changes filtering rules based on several different factors
• May examine the contents and not just the header of packets
• Decisions based on history and admin rules
• 4th generation firewall

Firewall Placement
• Segments internal network subnets and sections to enforce the security policy
• Acts as a ‘choke point’ between trusted and untrusted entities
• Creates a DMZ
• Could use screened host, dual-homed, or screened subnet

Screened Host
• Usual configuration is a router filtering for a firewall
• Reduces the amount of traffic the firewall has to work with
• Screening device is a filtering router
• Screened host is the firewall

Dual Homed
• Two or more interfaces
• One interface for each network
• Allows one firewall to create more than one DMZ
• Forwarding and routing need to be turned off or packets would not be inspected by the firewall software
• All inbound traffic is directed to the Bastion Host, then proxied, and passed to the 2nd router

Screened Subnet
• Buffer zone is created by implementing two routers or two firewalls, thus creating a single DMZ
• Provides the most protection of the three architectures because three devices must be compromised before an attacker can get through to the internal network

SLIP Dialup Protocol
• Serial Line Internet Protocol
• Moves IP data over serial lines
• Largely replaced by PPP
• SLIP does not provide
  – Header and data compression
  – Packet sequencing
  – Authentication features
  – Classless IP addressing

PPP Dial Up Protocol
• Point-to-Point Protocol
• Moves digital data over telecommunications lines
• Full duplex protocol
• Can use synchronous and asynchronous
• Authentication through
  – PAP
  – CHAP
  – EAP

Authentication Protocols
• Password Authentication Protocol (PAP)
  – Authenticates remote users
  – Credentials are sent in plain text
• Challenge Handshake Authentication Protocol (CHAP)
  – Authenticates remote users
  – Encrypts usernames and passwords
  – Client uses the user’s password to encrypt the challenge
  – Protects against man-in-the-middle attacks

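The PAP and CHAP exchanges above, as an added Python example that is not part of the slides: PAP carries the password itself across the link, while CHAP answers a fresh challenge with MD5 over (ID || secret || challenge) as specified in RFC 1994, so the secret never crosses the link and a captured response cannot be replayed. Peer names, secrets and challenges are constructed.

```python
"""Added example (not from the slides): the PAP and CHAP exchanges side by
side.  CHAP as specified in RFC 1994 computes MD5(ID || secret || challenge);
the peer names, secrets and challenges here are constructed."""
import hashlib
import hmac
import os

def pap_authenticate(username: str, password: str, directory: dict) -> bool:
    """PAP: the credential itself crosses the link in the clear, so anyone
    on the path reads the password straight off the wire."""
    on_the_wire = f"{username}:{password}".encode()
    user, _, pw = on_the_wire.decode().partition(":")
    return directory.get(user) == pw

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over the 1-byte ID, the shared secret
    and the challenge.  The secret never leaves either peer."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticator side: a fresh random challenge and a new ID per attempt,
    constant-time comparison of the response."""
    def __init__(self, secrets: dict, rng=os.urandom):
        self.secrets = secrets
        self.rng = rng
        self.identifier = 0

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, self.rng(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def chap_exchange(server: ChapAuthenticator, name: str, peer_secret: bytes) -> bool:
    """One full exchange: Challenge -> Response -> Success/Failure.  The peer
    proves knowledge of the secret without transmitting it."""
    identifier, challenge = server.challenge()                      # authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)    # peer -> authenticator
    return server.verify(name, identifier, challenge, response)

def replay_is_rejected(server: ChapAuthenticator, name: str, peer_secret: bytes) -> bool:
    """A response captured for one challenge is useless against the next one:
    the ID and challenge both change, so the MD5 value no longer matches."""
    identifier, challenge = server.challenge()
    captured = chap_response(identifier, peer_secret, challenge)
    next_identifier, next_challenge = server.challenge()
    return not server.verify(name, next_identifier, next_challenge, captured)
```
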
EAP Authentication
• Extensible Authentication Protocol
• Allows authentication protocols to be added to give more flexibility
• Supports multiple frameworks
• Developed for PPP, but now used in LAN and wireless authentication

VPN Technologies
• Tunneling involves establishing and maintaining a logical network connection
• Packets are encapsulated within IP packets and encryption is used for security
• Voluntary tunneling – client manages connection setup
• Compulsory tunneling – carrier provider manages connection setup

PPTP Tunneling Protocol
• Encapsulating protocol used more for end-to-end VPNs instead of gateway VPNs
• Data link layer protocol that provides a single point-to-point connection
• Works only with TCP/IP
• Works at the Internet layer

L2TP Tunneling Protocol
• Works at the data link layer
• Can provide VPNs over WAN links using frame relay, X.25, or ATM
• Cannot encrypt data
• Uses IPSec for security
• Developed by CISCO to combine L2F and PPTP

IPSec Tunneling Protocol
• Provides network layer protection
• Used for gateway-to-gateway VPNs
• Provides authentication, integrity, and confidentiality
• Only works over IP and is becoming the de facto standard

Domain Name Services
• Works within a hierarchical naming structure
• Host name to IP address mapping
• DNS server that holds resource records for a zone is the authority for that zone
• Uses forward-lookup tables and reverse-lookup tables
• Uses iterative and non-iterative procedures

Network Address Translation
• Invented due to the shortage of IP addresses
• Allows companies to use private addresses
• Can use static mapping on a 1-1 relationship
• Can use dynamic mapping
• Port address translation (PAT)
  – One address is used for all hosts
  – Older term was hiding NAT
• Can be implemented with software (ICS)

Fiber Distributed Data Interface (FDDI)
• Token passing is the media access method
• Two rings for fault tolerance
• Operates up to 100 Mbps
• CDDI is possible with shorter distances

Synchronous Optical Network (SONET)
• Physical layer standard used by telephony
• Dual ringed and self-healing
• Used to connect T1 and T3 channels
• Carries nearly any higher level protocol
• Supports 52 Mbps
• Built in support for maintenance
• SONET 3 is coming with 155.5 Mbps

Dedicated Lines
• Physical communication lines connecting two locations
• Usually more expensive than other options
• Leased from larger service providers
  – T1 – 1.544 Mbps
  – T3 – 44.736 Mbps

Public Switched Telephone Network (PSTN)
• Also known as POTS
• Interconnected systems operated by different companies
• All digital except for the ‘last mile’
• Analog converted to digital at the Central Office

Integrated Services Digital Network (ISDN)
• Moves the ‘last mile’ from analog to digital
• Data rates of 64 Kbps
• Circuit-switched instead of packet-switched
• Uses bearer channels to move data and a single separate channel (D) for setup
• Used by most companies as backup
• BRI – two 64-kbps B channels and one D channel
• PRI – 23 64-kbps B channels and one D channel

Digital Subscriber Line (DSL)
• Digital solution for the ‘last mile’
• Very high frequency
• Must be a POP within 2.5 miles
• The farther from a POP, the lower the bandwidth
• ‘Always On’ technology
• 32 Mbps for upstream traffic
• 32 Kbps for downstream traffic

Cable Modems
• Service provided by the local cable company
• Security issues of neighborhood sniffing
• Cable modem converts RF to digital
• Could overload cable companies
• Most offer speeds up to 2 Mbps, but it is shared with the neighborhood

X.25
• First WAN packet-switching technology
• Considered a ‘fat’ protocol because of error detection and correction overhead
• Has been replaced by frame relay
• Virtual circuits are used
• Customers share and pay for the same network

Frame Relay
• Fastest WAN packet-switching protocol
• Path set up for two locations to communicate
• Path is permanently configured (PVC)
• Could be dynamically built (SVC)
• Customers are offered a dedicated rate of flow (CIR)
• Inexpensive with rates from 56K to T1

Asynchronous Transfer Mode (ATM)
• Provides the highest bandwidth
• Uses 53-byte fixed cells
• Intelligence is hardware based
• Technology used for the Internet’s backbone
• Equipment is expensive
• Available in Constant Bit Rate (CBR), Variable Bit Rate (VBR), Available Bit Rate (ABR) or Unspecified Bit Rate (UBR)

Multiplexing (MUX)
• Receives data from different sources and places it on one communication line
• Combines two or more channels onto one transmission medium
• Two types
  – FDM (used by broadband)
  – TDM (used by T1 and T3)

Voice over IP (VoIP)
• Moving voice data in packets
• Allows combining of voice and data
• Long distance calls can be done cheaply
• Uses packet switching instead of the telephone’s circuit switching
• Can experience jitter and latency

Private Branch Exchange (PBX)
• Telephone switch that resides on the customer’s property
• A T1 or T3 connects the switch to the provider’s central office
• Used for switching calls between internal lines and the PSTN
• New versions are called Centrex, where switching occurs at the Central Office

PBX Considerations
• Not usually included in security assessments
• Compromising and reconfiguring the telephone switch by hackers
• Attackers obtaining free long distance
• Disclosure of sensitive information
• Phreakers (telephone hackers)