Note: This notes were made using the following books: “CISPP Study Guide” and “CISSP for dummies”.
Network Layer protocols and concepts
Routing protocols are defined at the network level and specify how routers communicate with one another or a WAN.The goals of routing protocols are to automatically learn a network topology, and learn the best routes between all network points.Routing protocols are classified as static or dynamic.
A static routing protocol requieres an administrator to create and update routes manually on the router. A dynamic routing protocol can discover routes and determine the best route to a given destination at any given time.
Metrics are used to determine the “best” route across a network. The simplest metric is hop count.
Distance vector routing protocols use simple metrics such as hop count, and are prone to routing loops, where packets loop between two routers.
- RIP(Routing Information Protocol) is a distance vector routing protocol that uses hop count as its metric.RIP does not have a full view of a network: it can only “see” directly connected routers. Convergence is slow. Convergence means that all routers on a network agree on the state of routing. A network that has had no recent outages is normally “converged”: all routers see all routes as available. Then a circuit goes down. The routers closest to the outage will know right away; routers that are further away will not. The network now lacks convergence. RIP is used by the UNIX routed command, and is the only routing protocol universally supported by UNIX.RIP is quite limited. Each router has a partial view of the network and each sends updates every 30 seconds, regardless of change. Convergence is slow.
Link state routing protocols factor in additional metrics for determining the best route, including bandwidth.
- OSPF (Open Shortest Path First) is an open link state routing protocol. OSPF routers learn the entire network topology for their “area” (the portion of the network they maintain routes for, usually the entire network for small networks). OSPF it’s considered an Interior Gateway Protocol (IGP) because it performs routing within a single autonomous system. An autonomous system (AS) is a group of IP address uder the control of the a single Internet entity.
- BGP (Border Gateway Protocol) is the routing protocol used on the Internet. BGP it’s considered an Exterior Gateway Protocol (EGP) because it performs routing between separate autonomous systems.
Routed protocols are network layer protocols that address packets with routing information, which allows those packets to be transported across networks by using routing protocols.
IP (Internet Protocol) – IPv4 is Internet Protocol version 4, commonly called “IP.” It is the fundamental protocol of the Internet, designed in the 1970s to support packet-switched networking for the United States Defense Advanced Research Projects Agency (DARPA).
IP is a simple protocol, designed to carry data across networks.IP is connectionless and unreliable: it provides “best effort” delivery of packets. If connections or reliability are required, they must be provided by a higher level protocol carried by IP, such as TCP.IPv4 uses 32-bit source and destination addresses.
If a packet exceeds the Maximum Transmission Unit (MTU) of a network, it may be fragmented by a router along the path. An MTU is the maximum PDU size on a network. Fragmentation breaks a large packet into multiple smaller packets.
The original IPv4 networks were “classful”, classified in classes:
|Size of network
number bit field
|Size of rest
|Start address||End address|
|Class A||0||8||24||128 (27)||16,777,216 (224)||0.0.0.0||127.255.255.255|
|Class B||10||16||16||16,384 (214)||65,536 (216)||184.108.40.206||220.127.116.11|
|Class C||110||24||8||2,097,152 (221)||256 (28)||192.0.0.0||18.104.22.168|
|Class D (multicast)||1110||not defined||not defined||not defined||not defined||22.214.171.124||126.96.36.199|
|Class E (reserved)||1111||not defined||not defined||not defined||not defined||240.0.0.0||255.255.255.255|
IPv6 is the successor to IPv4, featuring far larger address space (128 bit addresses compared to IPv4’s 32 bits), simpler routing, and simpler address assignment.IPv6 hosts can statelessly autoconfigure a unique IPv6 address, omitting the need for static addressing or DHCP. IPv6 stateless autoconfiguration takes the host’s MAC address and uses it to configure the IPv6 address.
Stateless autoconfiguration removes the requirement for DHCP (Dynamic Host Configuration Protocol), but DHCP may be used with IPv6: this called “stateful autoconfiguration,” part of DHCPv6.
IPv6’s much larger address space also makes NAT (Network Address Translation) unnecessary, but various IPv6 NAT schemes have been proposed, mainly to allow easier transition from IPv4 to IPv6.
Hosts may also access IPv6 networks via IPv4; this is called tunneling. Another IPv6 address worth noting is the loopback address: ::1. This is equivalent to the IPv4 address of 127.0.0.1.
Hosts may also access IPv6 networks via IPv4; this is called tunneling. Another IPv6 address worth noting is the loopback address: ::1. This is equivalent to the IPv4 address of 127.0.0.1.
An IPv6-enabled system will automatically configure a link-local address (beginning with fe80:…) without the need for any other ipv6-enabled infrastructure. That host can communicate with other link-local addresses on the same LAN. This is true even if the administrators are unaware that IPv6 is now flowing on their network.
Network Address Translation (NAT) is used to translate IP addresses. It is frequently used to translate RFC1918 addresses as they pass from intranets to the Internet.
Three types of NAT are static NAT, pool NAT (also known as dynamic NAT), and Port Address Translation (PAT, also known as NAT overloading). Static NAT makes a one-to-one translation between addresses, such as 192.168.1.47→192.0.2.252. Pool NAT reserves a number of public IP addresses in a pool, such as 192.0.2.10→192.0.2.19. Addresses can be assigned from the pool, and then returned. Finally, PAT typically makes a many-to-one translation from multiple private addresses to one public IP address, such as 192.168.1.⁎ to 192.0.2.20. PAT is a common solution for homes and small offices: multiple internal devices such as laptops, desktops and mobile devices share one public IP address.
Other network layer protocols
- ICMP (Internet Control Message Protocol) – reports errors and other information back to the source regarding the processing of transmitted IP packets.
- SKIP (Simple Key Management for Internet Protocols) – is a key management protocol used to share encryptions keys.
Routers are Layer 3 devices that route traffic from one LAN to another. IP-based routers make routing decisions based on the source and destination IP addresses.For simple routing needs, static routes may suffice. Static routes are fixed routing entries.Most SOHO (Small Office/Home Office) routers have a static “default route” that sends all external traffic to one router (typically controlled by the ISP).
Static routes work fine for simple networks with limited or no redundancy, like SOHO networks. More complex networks with many routers and multiple possible paths between networks have more complicated routing needs.
Transport Layer protocols and concepts
- TCP (Transmission Control Protocol) – TCP uses a three-way handshake to establish a reliable connection. The connection is full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. The exchange of these four flags is performed in three steps: SYN, SYN-ACK, ACK. TCP connects from a source port to a destination port. The TCP port field is 16 bits, allowing port numbers from 0 to 65535. There are 2 types of ports: reserved and ephemeral. A reserved port is 1023 or lower, ephemeral ports are 1024-65535. TCP is connection-oriented (establishes and manages a direct virtual connection to the remote device), is reliable (guarantees delivery by acknowledging received packets) and slow (because of the additional overhead associated with initial handshaking).
- UDP (User Datagram Protocol) – UDP has no handshake, session or reliability. UDP header fields include source IP, destination IP, packet length (header and data), and a simple (and optional) checksum. If used, the checksum provides limited integrity to the UDP header and data. Unlike TCP, data usually is transferred immediately, in the first UDP packet. UDP operates at Layer 4. So, UDP is connectionless (don’t pre-establish a communication circuit with the remote host), is best-effort (don’t guarantees delivery) and fast (no overhead associated with circuit establishment).
- SPX (Sequenced Packet Exchange) – the protocol is used to guarantee data delivery in older Novell NetWare networks.
SSL/TLS (Secure Sockets Layer/Transport Layer Security) – provides session-based encryption and authentication for secure communication between clients and servers on Internet.
Session Layer protocols and concepts
The session layer is responsible for establishing, coordinating and terminating communication protocols.
Some examples of Session Layer protocols include:
- Telnet – provides terminal emulation over the network; Telnet provides no confidentiality and has limited integrity.
- SSH (Secure Shell) – was designed as a secure replacement for Telnet.
- SIP (Session Initiation Protocol) – protocol for establishing, managing and terminating real-time communications.
Network security is implemented with various technologies, including firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs) and virtual private networks (VPNs).
Firewalls filter traffic between networks. Three basic classification of firewalls have been established:
- packet-filtering – permits or denies trafic based solely on the TCP, UDP ICMP and IP header of the individual packets.This information is compared with predefined rules that have been configured in the access control lists (ACLs) to determine whether a package should be permitted or denied. A packet filter is a simple and fast firewall. It has no concept of “state”: each filtering decision must be made on the basis of a single packet. Stateful firewalls have a state table that allows the firewall to compare current packets to previous ones. Stateful firewalls are slower than packet filters, but are far more secure.
- circuit-level gateways – controls access by maintaining state information about established connections. When permuted connection is established between two hosts, a tunnel (or virtual circuit) is created for the session, allowing the packets to flow freely between the two hosts.
- application-level – firewalls operate up to Layer 7. Unlike packet filter and stateful firewalls which make decisions based on layers 3 and 4 only, application-layer proxies can make filtering decisions based on application-layer data, such as HTTP traffic, in addition to layers 3 and 4. Application-layer proxies must understand the protocol that is proxied, so dedicated proxies are often required for each protocol: an FTP proxy for FTP traffic, an HTTP proxy for Web traffic, etc.
Firewall design has evolved over the years, from simple and flat designs such as dual-homed host and screened host, to layered designs such as the screened subnet.
This evolution has incorporated network defense in depth, leading to the use of DMZ.
A bastion host is any host placed on the Internet which is not protected by another device (such as a firewall). Bastion hosts must protect themselves, and be hardened to withstand attack.
A dual-homed host has two network interfaces: one connected to a trusted network, and the other connected to an untrusted network, such as the Internet.
A DMZ is a Demilitarized Zone network; the name is based on real-world military DMZ. Network servers that receive traffic from untrusted networks such as the Internet should be placed on DMZ networks for this reason. A DMZ is designed with the assumption that any DMZ host may be compromised.
An Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is a preventive device designed to prevent malicious actions. There are two basic types of IDSs and IPSs: network-based and host-based.
IDS are classified in many different ways, including active (IPS) and passive (IDS), network-based and host-based and knowledge based and behavior-based.
There are four types of IDS events: true positive, true negative, false positive, and false negative.
A Network-based Intrusion Detection System (NIDS) detects malicious traffic on a network. NIDS usually require promiscuous network access in order to analyze all traffic, including all unicast traffic. NIDS are passive devices that do not interfere with the traffic they monitor.
The difference between a NIDS and a NIPS is that the NIPS alters the flow of network traffic.
Host-based Intrusion Detection Systems (HIDS) and Host-based Intrusion Prevention Systems (HIPS) are host-based cousins to NIDS and NIPS.
Knowledge based and behavior-based IDS
A Pattern Matching IDS works by comparing events to static signatures.Pattern Matching works well for detecting known attacks, but usually does poorly against new attacks. A Protocol Behavior IDS models the way protocols should work, often by analyzing RFCs. An Anomaly Detection IDS works by establishing a baseline of normal traffic. The Anomaly Detection IDS then ignores that traffic, reporting on traffic that fails to meet the baseline.
Unlike Pattern Matching, Anomaly Detection can detect new attacks. The challenge is establishing a baseline of “normal”: this is often straightforward on small predictable networks, but can be quite difficult (if not impossible) on large complex networks.
VPNs (Virtual Private Networks)
Virtual Private Networks (VPNs) secure data sent via insecure networks such as the Internet. Common VPN protocol standards include:
- PPTP (Point-to-Point Tunneling Protocol) – protocol developed by Microsoft for tunneling PPP via IP
- L2F (Layer 2 Forwarding Protocol) – protocol developed by Cisco that offers similar functionality as PPTP
- L2TP (Layer 2 Tunneling Protocol) – combines PPTP and L2F (Layer 2 Forwarding, designed to tunnel PPP). L2TP focuses on authentication and does not provide confidentiality: it is frequently used with IPSec to provide encryption.
- IPSec – IPv4 has no built-in confidentiality; higher-layer protocols such as TLS are used to provide security. To address this lack of security at Layer 3, IPSec (Internet Protocol Security) was designed to provide confidentiality, integrity, and authentication via encryption for IPv6. IPSec has been ported to IPv4. IPSec is a suite of protocols; the major two are Encapsulating Security Protocol (ESP) and Authentication Header (AH). IPSec has three architectures: host-to-gateway, gateway-to-gateway, and host-to-host. Host-to-gateway mode (also called client mode) is used to connect one system which runs IPSec client software to an IPSec gateway. Gateway-to-gateway (also called point-to-point) connects two IPSec gateways, which form an IPSec connection that acts as a shared routable network connection, like a T1. Finally, host-to-hostmode connects two systems (such as file servers) to each other via IPSec. IPSec can be used in tunnel mode or transport mode. Tunnel mode provides confidentiality (ESP) and/or authentication (AH) to the entire original packet, including the original IP headers. New IP headers are added (with the source and destination addresses of the IPSec gateways). Transport mode protects the IP data (layers 4-7) only, leaving the original IP headers unprotected.
Wireless LAN Security
Wireless Local Area Networks (WLANs) transmit information via electromagnetic waves (such as radio) or light.The most common form of wireless data networking is the 802.11 wireless standard, and the first 802.11 standard with reasonable security is 802.11i.
Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS) are two methods for sending traffic via a radio band. Some bands, like the 2.4-GHz ISM band, can be quite polluted with interference: Bluetooth, some cordless phones, some 802.11 wireless, baby monitors, and even microwaves can broadcast or interfere with this band. Both DSSS and FHSS are designed to maximize throughput while minimizing the effects of interference.
802.11 wireless NICs can operate in four modes: managed, master, ad hoc, and monitor mode.
- managed mode – 802.11 wireless clients connect to an access point in managed mode (also called client mode). Once connected, clients communicate with the access point only; they cannot directly communicate with other clients.
- master mode – (also called infrastructure mode) is the mode used by wireless access points. A wireless card in master mode can only communicate with connected clients in managed mode.
- ad hoc mode – is a peer-to-peer mode with no central access point. A computer connected to the Internet via a wired NIC may advertise an ad hoc WLAN to allow Internet sharing.
- monitor mode – is a read-only mode used for sniffing WLANs. Wireless sniffing tools like Kismet or Wellenreiter use monitor mode to read all 802.11 wireless frames.
802.11 WLANs use a Service Set Identifier (SSID), which acts as a network name. Wireless clients must know the SSID before joining that WLAN, so the SSID is a configuration parameter.
Another common 802.11 wireless security precaution is restricting client access by filtering the wireless MAC address, allowing only trusted clients. This provides limited security: MAC addresses are exposed in plaintext on 802.11 WLANs: trusted MACS can be sniffed, and an attacker may reconfigure a nontrusted device with a trusted MAC address in software.
WEP is the Wired Equivalent Privacy protocol, an early attempt (first ratified in 1999) to provide 802.11 wireless security. WEP has proven to be critically weak: new attacks can break any WEP key in minutes.
802.11i is the first 802.11 wireless security standard that provides reasonable security. 802.11i describes a Robust Security Network (RSN), which allows pluggable authentication modules. RSN is also known as WPA2 (Wi-Fi Protected Access 2), a full implementation of 802.11i. By default, WPA2 uses AES encryption to provide confidentiality, and CCMP (Counter Mode CBC MAC Protocol) to create a Message Integrity Check (MIC), which provides integrity.
The less secure WPA (without the “2”) was designed for access points that lack the power to implement the full 802.11i standard, providing a better security alternative to WEP. WPA uses RC4 for confidentiality and TKIP for integrity.
Bluetooth, described by IEEE standard 802.15, is a Personal Area Network (PAN) wireless technology, operating in the same 2.4 GHz frequency as many types of 802.11 wireless.
The Wireless Application Protocol (WAP) was designed to provide secure Web services to handheld wireless devices such as smart phones. WAP is based on HTML, and includes HDML (Handheld Device Markup Language).
Radio Frequency Identification (RFID) is a technology used to create wirelessly readable tags for animals or objects. There are three types of RFID tags: Active, semi-passive, and passive. Active and semi-passive RFID tags have a battery; an active tag broadcasts a signal; semi-passive RFID tags rely on a RFID reader’s signal for power.