(My) CISSP Notes – Physical Security

Note: These notes were made using the following books: “CISSP Study Guide” and “CISSP for dummies”.

Physical (Environmental) security protects the Confidentiality, Integrity and Availability of physical assets: people, buildings, systems, and data. The CISSP® exam considers human safety as the most critical concern of this domain, which trumps all other concerns.

Physical security protects against threats such as unauthorized access and disasters, both man-made and natural. Controls used in this domain are primarily physical (such as locks, fences, guards, etc.); administrative controls (such as policy and procedures) and technical (such as biometrics) are also used.

Physical access control

Physical access control consists of the systems and techniques used to restrict access to a security perimeter and provide boundary protection.

Types of Vehicle Gates:

  • class 1 – residential (home use)
  • class 2 – commercial/general access (parking garage)
  • class 3 – industrial/limited access
  • class 4 – restricted access

A traffic bollard is a strong post designed to stop a car.

Lock picking is the art of opening a lock without a key.

The master key opens any lock for a given security zone in a building.

The core key is used to remove the lock core in interchangeable core locks (where the lock core may be easily removed and replaced with another core).

A smart card is a physical access control device which is often used for electronic locks, credit card purchases, or dual-factor authentication systems.

A magnetic stripe card contains a magnetic stripe which stores information.

A mantrap is a preventive physical control with two doors. The first door must close and lock before the second door may be opened. Each door typically requires a separate form of authentication to open.

Turnstiles are designed to prevent tailgating by enforcing a “one person per authentication” rule, just as they do in subway systems.

Technical controls

Technical control include monitoring and surveillance, intrusion detection systems and alarms.

Closed Circuit Television (CCTV) is a detective device used to aid guards in detecting the presence of intruders in restricted areas. Key issues include depth of field (the area that is in focus) and field of view (the entire area viewed by the camera). More light allows a larger depth of field because a smaller aperture places more of the image in focus. CCTV displays may display a fixed camera view, autoscan (show a given camera for a few seconds before moving to the next), or multiplexing (where multiple camera feeds are fed into one display).

Ultrasonic, microwave, and infrared motion sensors are active sensors, which means they actively send energy.

If you see the term “intrusion” on the exam, be sure to look for the context (human or network-based).

Door hinges should face inward, or be otherwise protected. Externally-facing hinges that are not secured pose a security risk: attackers can remove the hinge pins with a hammer and screwdriver, allowing the door to be opened from the hinge side.

Use of simple glass windows in a secure perimeter requires a compensating control such as window burglar alarms.

Environmental and life safety controls

Environmental controls are designed to provide a safe environment for personnel and equipment. Power, HVAC, and fire safety are considered environmental controls.

The following are common types of electrical faults:

  • Blackout: prolonged loss of power
  • Brownout: prolonged low voltage
  • Fault: short loss of power
  • Surge: prolonged high voltage
  • Spike: temporary high voltage
  • Sag: temporary low voltage

Heat detectors, flame detectors, and smoke detectors provide three methods for detecting fire.

The two primary evacuation roles are safety warden and meeting point leader.

Classes of Fire and Suppression Agents:

  • Class A – common combustibles such as wood, paper, etc. This type of fire is the most common and should be extinguished with water or soda acid.
  • Class B – burning alcohol, oil, and other petroleum products such as gasoline. They are extinguished with gas or soda acid. You should never use water to extinguish a class B fire.
  • Class C – electrical fires, fed by electricity, which may occur in equipment or wiring. Electrical fires are conductive fires, and the extinguishing agent must be non-conductive, such as any type of gas.
  • Class D – burning metals, extinguished with dry powder.
  • Class K – kitchen fires, such as burning oil or grease. Wet chemicals are used to extinguish class K fires.

Experts always prefer to prevent a fire rather than extinguish one, and are often generous with their time dedicated to preventive measures.

All fire suppression agents work via four methods (sometimes in combination): reducing the temperature of the fire, reducing the supply of oxygen, reducing the supply of fuel, and interfering with the chemical reaction within fire.

Always consider “hire or ask an expert” as a valid choice for any exam question asking about “the best thing to do.” Do not fall for the engineer’s trap of “I will figure this out on my own.”

Water suppresses fire by lowering the temperature below the kindling point (also called the ignition point). Water is the safest of all suppressive agents, and recommended for extinguishing common combustible fires such as burning paper or wood.

In addition to suppressing fire by lowering temperature, soda acid also has additional suppressive properties beyond plain water: it creates foam which can float on the surface of some liquid fires, starving the oxygen supply.

Extinguishing a fire with dry powder (such as sodium chloride) works by lowering temperature and smothering the fire, starving it of oxygen. Dry powder is primarily used to extinguish metal fires.

Wet chemicals are primarily used to extinguish kitchen fires (type K fires in the U.S.; type F in Europe), but may also be used on common combustible fires (type A).

CO2, oxygen, and nitrogen are what we breathe as air. Fires require oxygen as fuel, so fires may be smothered by removing the oxygen: this is how CO2 fire suppression works. A risk associated with CO2 is it is odorless and colorless, and our bodies will breathe it as air. By the time we begin suffocating due to lack of oxygen, it is often too late.

Halon extinguishes fire via a chemical reaction that consumes energy and lowers the temperature of the fire. Halon has ozone-depleting properties. Due to this effect, the 1989 Montreal Protocol (formally called the “Montreal Protocol on Substances That Deplete the Ozone Layer”) banned production and consumption of new halon in developed countries by January 1, 1994.

Recommended replacements for halon include the following systems:

  • Argon
  • FE-13
  • FM-200

CO2, halon, and halon substitutes such as FM-200 are considered gas-based systems. All gas systems should use a countdown timer (both visible and audible) before gas is released. This is primarily for safety reasons, to allow personnel evacuation before release. A secondary effect is to allow personnel to stop the release in case of false alarm.

Water is usually the recommended fire suppression agent. Water (in the absence of electricity) is the safest suppression agent for people.

Dry pipe systems also have closed sprinkler heads: the difference is the pipes are filled with compressed air. The water is held back by a valve that remains closed as long as sufficient air pressure remains in the pipes. As the dry pipe sprinkler heads open, the air pressure drops in each pipe, allowing the valve to open and send water to that head.

Dry pipes are often used in areas where water may freeze, such as parking garages.

Deluge systems are similar to dry pipes, except the sprinkler heads are open and larger than dry pipe heads. The pipes are empty at normal air pressure; the water is held back by a deluge valve.

(My) CISSP Notes – Telecommunications and network security (II)

Note: These notes were made using the following books: “CISSP Study Guide” and “CISSP for dummies”.

Network Layer protocols and concepts

Routing protocols

Routing protocols are defined at the network layer and specify how routers communicate with one another or across a WAN. The goals of routing protocols are to automatically learn a network topology and learn the best routes between all network points. Routing protocols are classified as static or dynamic.

A static routing protocol requires an administrator to create and update routes manually on the router. A dynamic routing protocol can discover routes and determine the best route to a given destination at any given time.

Metrics are used to determine the “best” route across a network. The simplest metric is hop count.

Distance vector routing protocols use simple metrics such as hop count, and are prone to routing loops, where packets loop between two routers.

  • RIP (Routing Information Protocol) is a distance vector routing protocol that uses hop count as its metric. RIP does not have a full view of a network: it can only “see” directly connected routers, and each router sends updates every 30 seconds, regardless of change. Convergence is slow. Convergence means that all routers on a network agree on the state of routing. A network that has had no recent outages is normally “converged”: all routers see all routes as available. Then a circuit goes down. The routers closest to the outage will know right away; routers that are further away will not. The network now lacks convergence. RIP is used by the UNIX routed command, and is the only routing protocol universally supported by UNIX. RIP is quite limited: each router has only a partial view of the network.

Link state routing protocols factor in additional metrics for determining the best route, including bandwidth.

  • OSPF (Open Shortest Path First) is an open link state routing protocol. OSPF routers learn the entire network topology for their “area” (the portion of the network they maintain routes for, usually the entire network for small networks). OSPF is considered an Interior Gateway Protocol (IGP) because it performs routing within a single autonomous system. An autonomous system (AS) is a group of IP addresses under the control of a single Internet entity.
  • BGP (Border Gateway Protocol) is the routing protocol used on the Internet. BGP is considered an Exterior Gateway Protocol (EGP) because it performs routing between separate autonomous systems.

Routed protocols

Routed protocols are network layer protocols that address packets with routing information, which allows those packets to be transported across networks by using routing protocols.

IP (Internet Protocol) – IPv4 is Internet Protocol version 4, commonly called “IP.” It is the fundamental protocol of the Internet, designed in the 1970s to support packet-switched networking for the United States Defense Advanced Research Projects Agency (DARPA).

IP is a simple protocol, designed to carry data across networks. IP is connectionless and unreliable: it provides “best effort” delivery of packets. If connections or reliability are required, they must be provided by a higher level protocol carried by IP, such as TCP. IPv4 uses 32-bit source and destination addresses.

If a packet exceeds the Maximum Transmission Unit (MTU) of a network, it may be fragmented by a router along the path. An MTU is the maximum PDU size on a network. Fragmentation breaks a large packet into multiple smaller packets.
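An added example (mine, not from the notes) of the fragmentation just described: a router splits a payload that does not fit the next-hop MTU into fragments whose offsets are counted in 8-byte units, and the receiver reassembles them, rejecting incomplete or overlapping sets instead of guessing. It assumes a 20-byte IPv4 header without options; the payload and MTU values are constructed.

```python
# Added example: IPv4-style fragmentation and reassembly (constructed, not from the notes).
# Assumes a 20-byte header with no options; offsets are in 8-byte units as in the IPv4 header.

IPV4_HEADER_LEN = 20


def fragment(payload: bytes, mtu: int, header_len: int = IPV4_HEADER_LEN):
    """Split payload into fragments that each fit in mtu bytes, header included.

    Returns a list of (offset_in_8_byte_units, more_fragments_flag, fragment_payload).
    A packet that already fits the MTU is returned unchanged as a single fragment.
    """
    if header_len + len(payload) <= mtu:
        return [(0, False, payload)]
    # Every fragment except the last must carry a multiple of 8 payload bytes,
    # because the offset field counts in units of 8 bytes.
    per_fragment = ((mtu - header_len) // 8) * 8
    if per_fragment <= 0:
        raise ValueError("MTU too small to carry any payload")
    fragments = []
    for start in range(0, len(payload), per_fragment):
        chunk = payload[start:start + per_fragment]
        more = start + per_fragment < len(payload)  # MF flag: more fragments follow
        fragments.append((start // 8, more, chunk))
    return fragments


def reassemble(fragments):
    """Rebuild the payload from fragments that may arrive in any order.

    Returns None if the set is incomplete (a gap or a missing last fragment)
    or if two fragments overlap; overlapping fragments are malformed and are
    rejected rather than merged.
    """
    if not fragments:
        return None
    ordered = sorted(fragments, key=lambda f: f[0])
    expected_offset = 0
    data = bytearray()
    for offset_units, more, chunk in ordered:
        if offset_units * 8 != expected_offset:
            return None  # gap or overlap between consecutive fragments
        data += chunk
        expected_offset += len(chunk)
    if ordered[-1][1]:
        return None  # last fragment still has MF set: the final piece never arrived
    return bytes(data)
```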

The original IPv4 networks were “classful”, divided into the following classes:

| Class | Leading bits | Network number bits | Host (rest) bits | Number of networks | Addresses per network | Start address | End address |
|---|---|---|---|---|---|---|---|
| Class A | 0 | 8 | 24 | 128 (2^7) | 16,777,216 (2^24) | 0.0.0.0 | 127.255.255.255 |
| Class B | 10 | 16 | 16 | 16,384 (2^14) | 65,536 (2^16) | 128.0.0.0 | 191.255.255.255 |
| Class C | 110 | 24 | 8 | 2,097,152 (2^21) | 256 (2^8) | 192.0.0.0 | 223.255.255.255 |
| Class D (multicast) | 1110 | not defined | not defined | not defined | not defined | 224.0.0.0 | 239.255.255.255 |
| Class E (reserved) | 1111 | not defined | not defined | not defined | not defined | 240.0.0.0 | 255.255.255.255 |

IPv6 is the successor to IPv4, featuring a far larger address space (128-bit addresses compared to IPv4’s 32 bits), simpler routing, and simpler address assignment. IPv6 hosts can statelessly autoconfigure a unique IPv6 address, removing the need for static addressing or DHCP. IPv6 stateless autoconfiguration takes the host’s MAC address and uses it to configure the IPv6 address.

Stateless autoconfiguration removes the requirement for DHCP (Dynamic Host Configuration Protocol), but DHCP may be used with IPv6: this is called “stateful autoconfiguration,” part of DHCPv6.

IPv6’s much larger address space also makes NAT (Network Address Translation) unnecessary, but various IPv6 NAT schemes have been proposed, mainly to allow easier transition from IPv4 to IPv6.

Hosts may also access IPv6 networks via IPv4; this is called tunneling. Another IPv6 address worth noting is the loopback address: ::1. This is equivalent to the IPv4 address of 127.0.0.1.

An IPv6-enabled system will automatically configure a link-local address (beginning with fe80:…) without the need for any other IPv6-enabled infrastructure. That host can communicate with other link-local addresses on the same LAN. This is true even if the administrators are unaware that IPv6 is now flowing on their network.
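An added example (mine, not from the notes) of the MAC-based autoconfiguration described above: building the fe80::/64 link-local address from a MAC with the modified EUI-64 method of RFC 4291 Appendix A, and reversing it so an inventory script can tell which observed addresses embed a hardware address. The MAC 00:1a:2b:3c:4d:5e is constructed.

```python
# Added example: modified EUI-64 link-local derivation (constructed, not from the notes).
import ipaddress

LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in two halves, insert ff:fe between
    them, and flip the universal/local bit (bit 0x02 of the first octet).
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    first = octets[0] ^ 0x02  # flip the U/L bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address a host autoconfigures from its MAC."""
    prefix = LINK_LOCAL_PREFIX.network_address.packed[:8]  # fe80:0000:0000:0000
    return ipaddress.IPv6Address(prefix + modified_eui64(mac))


def mac_from_address(addr: str):
    """Reverse the derivation.

    Returns the MAC as a string if the low 64 bits carry an EUI-64 identifier
    (ff:fe in the middle), else None. Hosts using RFC 4941 privacy extensions
    pick random identifiers, so their addresses return None here.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # restore the U/L bit
    mac_bytes = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac_bytes)
```

Because an EUI-64 address reveals the hardware address to every peer, most current operating systems default to privacy extensions; the reverse function is still useful for finding the hosts that do not.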

Network Address Translation (NAT) is used to translate IP addresses. It is frequently used to translate RFC1918 addresses as they pass from intranets to the Internet.

Three types of NAT are static NAT, pool NAT (also known as dynamic NAT), and Port Address Translation (PAT, also known as NAT overloading). Static NAT makes a one-to-one translation between addresses, such as 192.168.1.47 → 192.0.2.252. Pool NAT reserves a number of public IP addresses in a pool, such as 192.0.2.10 to 192.0.2.19. Addresses can be assigned from the pool, and then returned. Finally, PAT typically makes a many-to-one translation from multiple private addresses to one public IP address, such as 192.168.1.* to 192.0.2.20. PAT is a common solution for homes and small offices: multiple internal devices such as laptops, desktops and mobile devices share one public IP address.
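An added example (mine, not from the notes) contrasting static NAT with PAT as described above: the PAT gateway gives each inside flow its own public port and only forwards inbound packets that match a flow the inside host opened, while static NAT forwards unsolicited inbound traffic straight to the mapped host. The LAN 192.168.1.0/24, the public addresses 192.0.2.20 and 192.0.2.252, and the remote hosts are constructed.

```python
# Added example: toy PAT and static NAT translation tables (constructed, not from the notes).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    """Many-to-one: every inside flow is given its own port on the one public address."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (inside ip, inside port, remote ip, remote port) -> public port
        self.inbound = {}   # (public port, remote ip, remote port) -> (inside ip, inside port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            public_port = self.next_port  # real gateways also expire idle entries
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Rewrite a packet to the inside host, or return None when it is dropped.

        Only a reply to a flow the inside host opened has a mapping; unsolicited
        traffic, or a packet from a different remote host on a mapped port, has none.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


class StaticNat:
    """One-to-one: a fixed inside/public address pair, translated in both directions."""

    def __init__(self, mappings: dict):
        self.to_public = dict(mappings)
        self.to_inside = {pub: priv for priv, pub in mappings.items()}

    def translate_outbound(self, pkt: Packet):
        pub = self.to_public.get(pkt.src_ip)
        return None if pub is None else Packet(pub, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        # No flow table: anything sent to the public address reaches the inside host,
        # which is why a statically mapped host needs its own firewall rules.
        priv = self.to_inside.get(pkt.dst_ip)
        return None if priv is None else Packet(pkt.src_ip, pkt.src_port, priv, pkt.dst_port)
```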

Other network layer protocols

  • ICMP (Internet Control Message Protocol) – reports errors and other information back to the source regarding the processing of transmitted IP packets.
  • SKIP (Simple Key Management for Internet Protocols) – is a key management protocol used to share encryption keys.

Network equipment

Routers are Layer 3 devices that route traffic from one LAN to another. IP-based routers make routing decisions based on the source and destination IP addresses. For simple routing needs, static routes may suffice. Static routes are fixed routing entries. Most SOHO (Small Office/Home Office) routers have a static “default route” that sends all external traffic to one router (typically controlled by the ISP).

Static routes work fine for simple networks with limited or no redundancy, like SOHO networks. More complex networks with many routers and multiple possible paths between networks have more complicated routing needs.

Transport Layer protocols and concepts

  • TCP (Transmission Control Protocol) – TCP uses a three-way handshake to establish a reliable connection. The connection is full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. The exchange of these four flags is performed in three steps: SYN, SYN-ACK, ACK. TCP connects from a source port to a destination port. The TCP port field is 16 bits, allowing port numbers from 0 to 65535. There are two types of ports: reserved and ephemeral. A reserved port is 1023 or lower; ephemeral ports are 1024-65535. TCP is connection-oriented (establishes and manages a direct virtual connection to the remote device), is reliable (guarantees delivery by acknowledging received packets) and slow (because of the additional overhead associated with initial handshaking).
  • UDP (User Datagram Protocol) – UDP has no handshake, session or reliability. UDP header fields include source IP, destination IP, packet length (header and data), and a simple (and optional) checksum. If used, the checksum provides limited integrity to the UDP header and data. Unlike TCP, data usually is transferred immediately, in the first UDP packet. UDP operates at Layer 4. So, UDP is connectionless (does not pre-establish a communication circuit with the remote host), is best-effort (does not guarantee delivery) and fast (no overhead associated with circuit establishment).
  • SPX (Sequenced Packet Exchange) – the protocol is used to guarantee data delivery in older Novell NetWare networks.
  • SSL/TLS (Secure Sockets Layer/Transport Layer Security) – provides session-based encryption and authentication for secure communication between clients and servers on Internet.

Session Layer protocols and concepts

The session layer is responsible for establishing, coordinating and terminating communication protocols.

Some examples of Session Layer protocols include:

  • Telnet – provides terminal emulation over the network; Telnet provides no confidentiality and has limited integrity.
  • SSH (Secure Shell) – was designed as a secure replacement for Telnet.
  • SIP (Session Initiation Protocol) – protocol for establishing, managing and terminating real-time communications.

Network Security

Network security is implemented with various technologies, including firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs) and virtual private networks (VPNs).

Firewalls

Firewalls filter traffic between networks. Three basic classifications of firewalls have been established:

  • packet-filtering – permits or denies traffic based solely on the TCP, UDP, ICMP and IP headers of the individual packets. This information is compared with predefined rules that have been configured in the access control lists (ACLs) to determine whether a packet should be permitted or denied. A packet filter is a simple and fast firewall. It has no concept of “state”: each filtering decision must be made on the basis of a single packet. Stateful firewalls have a state table that allows the firewall to compare current packets to previous ones. Stateful firewalls are slower than packet filters, but are far more secure.
  • circuit-level gateways – control access by maintaining state information about established connections. When a permitted connection is established between two hosts, a tunnel (or virtual circuit) is created for the session, allowing the packets to flow freely between the two hosts.
  • application-level – firewalls that operate up to Layer 7. Unlike packet filter and stateful firewalls, which make decisions based on layers 3 and 4 only, application-layer proxies can make filtering decisions based on application-layer data, such as HTTP traffic, in addition to layers 3 and 4. Application-layer proxies must understand the protocol that is proxied, so dedicated proxies are often required for each protocol: an FTP proxy for FTP traffic, an HTTP proxy for Web traffic, etc.
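An added example (mine, not from the notes) showing why the list above calls stateful firewalls more secure: the same three packets are judged by a stateless ACL, which must admit ACK-flagged packets from port 80 so that replies can return, and by a firewall with a state table, which admits inbound packets only when they match a connection an inside host opened. Addresses are constructed: the trusted LAN is 10.0.0.0/24 and HTTP (TCP port 80) is the only permitted outbound service.

```python
# Added example: stateless packet filter beside a stateful firewall (constructed, not from the notes).
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    return ip.startswith("10.0.0.")  # constructed trusted LAN 10.0.0.0/24


def packet_filter(pkt: Pkt) -> bool:
    """Stateless ACL: every packet is judged on its own header.

    Rule 1: inside -> outside, destination port 80: permit.
    Rule 2: outside -> inside, source port 80, ACK set: permit. Without state this
            is the only way to let the server's replies back in, so any ACK-flagged
            packet claiming to come from port 80 passes, solicited or not.
    Default: deny.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.sport == 80 and pkt.ack:
        return True
    return False


class StatefulFirewall:
    """Keeps a table of connections the inside opened; an inbound packet is
    permitted only when it matches an entry. Real products also follow the TCP
    state transitions and expire idle entries; this toy does neither."""

    def __init__(self):
        self.table = set()  # (inside ip, inside port, outside ip, outside port)

    def allow(self, pkt: Pkt) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport == 80 and pkt.syn and not pkt.ack:
                self.table.add(flow)  # a new permitted outbound connection
            return flow in self.table
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            # reply direction: the entry is keyed on the inside host's view of the flow
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False
```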

Firewall design has evolved over the years, from simple and flat designs such as dual-homed host and screened host, to layered designs such as the screened subnet.

This evolution has incorporated network defense in depth, leading to the use of DMZs.

A bastion host is any host placed on the Internet which is not protected by another device (such as a firewall). Bastion hosts must protect themselves, and be hardened to withstand attack.

A dual-homed host has two network interfaces: one connected to a trusted network, and the other connected to an untrusted network, such as the Internet.

A DMZ is a Demilitarized Zone network; the name is based on the real-world military DMZ. A DMZ is designed with the assumption that any DMZ host may be compromised; for this reason, network servers that receive traffic from untrusted networks such as the Internet should be placed on DMZ networks.

IDS/IPS

An Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is a preventive device designed to prevent malicious actions. There are two basic types of IDSs and IPSs: network-based and host-based.

IDSs are classified in many different ways, including active (IPS) versus passive (IDS), network-based versus host-based, and knowledge-based versus behavior-based.

There are four types of IDS events: true positive, true negative, false positive, and false negative.

A Network-based Intrusion Detection System (NIDS) detects malicious traffic on a network. NIDS usually require promiscuous network access in order to analyze all traffic, including all unicast traffic. NIDS are passive devices that do not interfere with the traffic they monitor.

The difference between a NIDS and a NIPS is that the NIPS alters the flow of network traffic.

Host-based Intrusion Detection Systems (HIDS) and Host-based Intrusion Prevention Systems (HIPS) are host-based cousins to NIDS and NIPS.

Knowledge-based and behavior-based IDS

A Pattern Matching IDS works by comparing events to static signatures. Pattern Matching works well for detecting known attacks, but usually does poorly against new attacks. A Protocol Behavior IDS models the way protocols should work, often by analyzing RFCs. An Anomaly Detection IDS works by establishing a baseline of normal traffic. The Anomaly Detection IDS then ignores that traffic, reporting on traffic that fails to meet the baseline.

Unlike Pattern Matching, Anomaly Detection can detect new attacks. The challenge is establishing a baseline of “normal”: this is often straightforward on small predictable networks, but can be quite difficult (if not impossible) on large complex networks.

VPNs (Virtual Private Networks)

Virtual Private Networks (VPNs) secure data sent via insecure networks such as the Internet. Common VPN protocol standards include:

  • PPTP (Point-to-Point Tunneling Protocol) – protocol developed by Microsoft for tunneling PPP via IP
  • L2F (Layer 2 Forwarding Protocol) – protocol developed by Cisco that offers similar functionality as PPTP
  • L2TP (Layer 2 Tunneling Protocol) – combines PPTP and L2F (Layer 2 Forwarding, designed to tunnel PPP). L2TP focuses on authentication and does not provide confidentiality: it is frequently used with IPSec to provide encryption.
  • IPSec – IPv4 has no built-in confidentiality; higher-layer protocols such as TLS are used to provide security. To address this lack of security at Layer 3, IPSec (Internet Protocol Security) was designed to provide confidentiality, integrity, and authentication via encryption for IPv6. IPSec has been ported to IPv4. IPSec is a suite of protocols; the major two are Encapsulating Security Protocol (ESP) and Authentication Header (AH). IPSec has three architectures: host-to-gateway, gateway-to-gateway, and host-to-host. Host-to-gateway mode (also called client mode) is used to connect one system which runs IPSec client software to an IPSec gateway. Gateway-to-gateway (also called point-to-point) connects two IPSec gateways, which form an IPSec connection that acts as a shared routable network connection, like a T1. Finally, host-to-host mode connects two systems (such as file servers) to each other via IPSec. IPSec can be used in tunnel mode or transport mode. Tunnel mode provides confidentiality (ESP) and/or authentication (AH) to the entire original packet, including the original IP headers. New IP headers are added (with the source and destination addresses of the IPSec gateways). Transport mode protects the IP data (layers 4-7) only, leaving the original IP headers unprotected.

Wireless LAN Security

Wireless Local Area Networks (WLANs) transmit information via electromagnetic waves (such as radio) or light. The most common form of wireless data networking is the 802.11 wireless standard, and the first 802.11 standard with reasonable security is 802.11i.

Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS) are two methods for sending traffic via a radio band. Some bands, like the 2.4-GHz ISM band, can be quite polluted with interference: Bluetooth, some cordless phones, some 802.11 wireless, baby monitors, and even microwaves can broadcast or interfere with this band. Both DSSS and FHSS are designed to maximize throughput while minimizing the effects of interference.

802.11 wireless NICs can operate in four modes: managed, master, ad hoc, and monitor mode.

  • managed mode – 802.11 wireless clients connect to an access point in managed mode (also called client mode). Once connected, clients communicate with the access point only; they cannot directly communicate with other clients.
  • master mode – (also called infrastructure mode) is the mode used by wireless access points. A wireless card in master mode can only communicate with connected clients in managed mode.
  • ad hoc mode – is a peer-to-peer mode with no central access point. A computer connected to the Internet via a wired NIC may advertise an ad hoc WLAN to allow Internet sharing.
  • monitor mode – is a read-only mode used for sniffing WLANs. Wireless sniffing tools like Kismet or Wellenreiter use monitor mode to read all 802.11 wireless frames.

802.11 WLANs use a Service Set Identifier (SSID), which acts as a network name. Wireless clients must know the SSID before joining that WLAN, so the SSID is a configuration parameter.

Another common 802.11 wireless security precaution is restricting client access by filtering the wireless MAC address, allowing only trusted clients. This provides limited security: MAC addresses are exposed in plaintext on 802.11 WLANs, so trusted MACs can be sniffed, and an attacker may reconfigure a nontrusted device with a trusted MAC address in software.

WEP is the Wired Equivalent Privacy protocol, an early attempt (first ratified in 1999) to provide 802.11 wireless security. WEP has proven to be critically weak: new attacks can break any WEP key in minutes.

802.11i is the first 802.11 wireless security standard that provides reasonable security. 802.11i describes a Robust Security Network (RSN), which allows pluggable authentication modules. RSN is also known as WPA2 (Wi-Fi Protected Access 2), a full implementation of 802.11i. By default, WPA2 uses AES encryption to provide confidentiality, and CCMP (Counter Mode CBC MAC Protocol) to create a Message Integrity Check (MIC), which provides integrity.

The less secure WPA (without the “2”) was designed for access points that lack the power to implement the full 802.11i standard, providing a better security alternative to WEP. WPA uses RC4 for confidentiality and TKIP for integrity.

Bluetooth, described by IEEE standard 802.15, is a Personal Area Network (PAN) wireless technology, operating in the same 2.4 GHz frequency as many types of 802.11 wireless.

The Wireless Application Protocol (WAP) was designed to provide secure Web services to handheld wireless devices such as smart phones. WAP is based on HTML, and includes HDML (Handheld Device Markup Language).

Radio Frequency Identification (RFID) is a technology used to create wirelessly readable tags for animals or objects. There are three types of RFID tags: Active, semi-passive, and passive. Active and semi-passive RFID tags have a battery; an active tag broadcasts a signal; semi-passive RFID tags rely on a RFID reader’s signal for power.