Communication and Network Security Domain – Flashcards
question
Apply secure design principles to network architecture
answer
IP & non-IP protocols, segmentation
question
OSI Model
answer
Application (TCP/IP Application) - Network-related application programs
Presentation (TCP/IP Application) - Standardization of data presentation to the applications
Session (TCP/IP Application) - Management of sessions between applications
Transport (TCP/IP Transport) - End-to-end detection and correction
Network (TCP/IP Internet) - Management of connections across the network
Data Link (TCP/IP Network) - Reliable data delivery; includes LLC and MAC sub-layers
Physical (TCP/IP Access) - Physical characteristics of the network media.
question
TCP/IP
answer
Application Layer - Layer 4 - includes the Application, Presentation, and Session layers: "everything related to data payload"
Transport Layer - Layer 3 - Transport: "everything required to move data between applications" - TCP/UDP
Network Layer - Layer 2 - Internet: "everything required to move data between networks" - ICMP, IGMP
Link Layer - Layer 1 - Physical and Data Link: "everything required to implement an Ethernet"
question
IPv4
answer
32-bit address
First come, first served
Fragmented routing table
No origin authentication
Variable-length header
question
IPv6
answer
128-bit address, subdivided by region
Consolidated routing table
IPSEC AH required - helps to ensure integrity and confidentiality of IP (native authentication of header)
Fixed-length header
question
TCP & UDP Ports
answer
Well-known ports: 0 - 1023
Registered ports: 1024 - 49151
Dynamic or private ports: 49152 - 65535
TCP - connection-oriented
UDP - connectionless - useful for attacks because there is no state for routers or firewalls to observe.
question
RFC 1918 - Private address space
answer
Class A - 10.0.0.0 to 10.255.255.255
Class B - 172.16.0.0 to 172.31.255.255
Class C - 192.168.0.0 to 192.168.255.255
question
Class A, Class B, Class C address ranges
answer
Class A - 1.0.0.0 to 126.0.0.0
Class B - 128.0.0.0 to 191.0.0.0
Class C - 192.0.0.0 to 223.0.0.0
127.0.0.0 reserved for computer loop-back
question
Subnet Mask
answer
Bits in the subnet mask are 1 when the corresponding bits in the address are used for the subnet. The remaining bits in the mask are 0.
question
Layer 1
answer
Physical layer - Physical signalling transmitted over cables, connections, hubs and repeaters.
question
Layer 2
answer
Data link layer - Frames; ensures error-free delivery using the hardware address (MAC); transmitted over Ethernet, token ring, etc.
question
Layer 3
answer
Network layer - Packets; relies on logical addressing (IP address). IP is the most important network layer protocol.
- Addressing - uses the destination IP address
- Fragmentation - subdivides a packet if its size is greater than the maximum size allowed.
Routers; OSPF v1 & 2 - interior gateway routing protocol
IGMP - used to manage multicast groups, which are a set of hosts anywhere on a network that are interested in a particular transmission.
IPv4/IPv6 - Internet Protocol
DVMRP - Distance Vector Multicast Routing Protocol
IPSec - Internet Protocol Security
question
Layer 4
answer
Transport layer - creates an end-to-end transport between peer hosts.
UDP - connectionless, unreliable protocol; the application will do the error checking rather than the protocol.
TCP - provides error-free transmission. Three-way handshake - SYN, ACK & SYN
question
Layer 5
answer
Session layer - provides a logical persistent connection between peer hosts. Responsible for creating, maintaining and tearing down the session.
- PAP - Password Authentication Protocol
- PPTP - Point-to-Point Tunneling Protocol
- RPC - Remote Procedure Call protocol
question
Layer 6
answer
Presentation - ensures the peer applications use a common format to represent data.
question
Layer 7
answer
Application - the application's portal to network-based services, such as determining the identity and availability of remote applications. Not the application itself.
- DHCP/DHCPv6
- DNS
- HTTP
- LDAP
- SMTP
- RIP
question
Exploitations
answer
DHCP - there is no security in DHCP, which leaves questions as to the validity of the host and the DHCP server.
ICMP - can be leveraged for malicious behavior, including man-in-the-middle and denial-of-service attacks.
PING - Ping of death is a ping that exceeds the maximum frame size and causes the receiving system to crash if not properly programmed.
Ping scanning - an attacker can use one of many tools to ping all of the addresses in a range.
Traceroute exploitation - it can be used maliciously to map a victim network and learn about its routing.
question
RPC
answer
Important to note that RPC does not in fact provide any services on its own; rather, it provides a brokering service by providing basic authentication and a way to address the actual service.
question
Privacy Laws:
answer
EU Data Protection Directive - "Privacy is a basic human right"
Canada PIPEDA (PHI)
US HIPAA (PHI)
US Gramm-Leach-Bliley (GLBA) (PFI)
PCI-DSS (credit card privacy controls) - contract, not law
question
Supervisory Control and Data Acquisition (SCADA)
answer
Industrial control - DNP3 is the primary protocol used to communicate between SCADA devices; monitors sensors, reports status and can be used to make system infrastructure changes (open/close valves, etc.)
- Protocol vulnerabilities
- Database insecurities
- Session hijacking
- Operating system weakness
- Device and vendor backdoors
question
Distributed Networking Protocol 3 (DNP3)
answer
DNP3 has no security features; invented before the Internet; physical security assumed - separate infrastructure for industrial control. STUXNET attacked Iran's SCADA systems and thus trashed the centrifuges while reporting all was well.
question
FCoE (Converged protocol)
answer
Lightweight encapsulation protocol that lacks the reliable data transport of the TCP layer. It must operate on DCB-enabled Ethernet and use lossless traffic classes to prevent Ethernet frame loss under congested network conditions. Must operate at Layer 2 (non-routable and short-haul).
question
DCB - Data Center Bridging
answer
- Enhanced Priorities - Priority-based Flow Control (PFC), 802.1Qbb, allows the network to pause different traffic classes
- Enhanced Transmission Selection (ETS) - scheduling behavior and strict priority
- Quantized Congestion Notification (QCN) - end-to-end flow control, fewer errors and retransmissions
- Data Center Bridging Exchange - enhanced bridging capabilities
- Single channel over Ethernet for large data centers.
question
iSCSI RFC 3270 (Converged protocol)
answer
Used to facilitate data transfers over intranets and to manage storage over long distances.
question
MPLS - Multi-Protocol Label switching
answer
Uses "label switching". Rather than looking at the next hop, it finds the final destination router, then finds a pre-determined path from "here" to the final router. It applies a label, and future routers will use the label instead of IP lookups.
question
Voice Over IP (VoIP)
answer
SIP vs H.323; matching codecs
Problems: jitter, packet loss, sequence errors, DoS, priority
Codec is software that converts audio signals into digital frames and vice versa.
question
Session Initiation Protocol (SIP)
answer
Is designed to manage multimedia connections. It is designed to support digest authentication structured by realms and provides integrity protection through MD5 hash functions.
question
Packet Loss
answer
Packet Loss Concealment (PLC) is used to mask the effect of dropped packets. Zero substitution is the simplest PLC technique and requires the least computational resources. The best algorithms can tolerate up to 20% packet loss without significant degradation of voice quality.
question
Jitter
answer
Jitter does not occur because of packet delay, but because of variation in packet timing. At 150 ms, callers will notice the delay.
question
Sequence Errors
answer
Packets will, on occasion, arrive in a different order than transmitted. This will cause a degradation in the call quality.
question
Wireless
answer
Bluetooth (class 2: 10 meters)
WiMax/Wireless MAN (802.16)
Wireless LAN (APs)
Wireless MAN (microwave)
Cellular data
question
Wireless Security
answer
- Open System Authentication - default authentication protocol for the 802.11 standard
- Ad hoc (like a crossover cable) - varies based on WEP/WPA choice.
- Infrastructure mode (uses AP, authentication varies)
- Shared Key Authentication
- WEP (Wired Equivalent Privacy) - shared key, weak OSA, SKU; RC4; 64 or 128 bit; IV 24 bits, integrity 32-bit CRC; stream cipher.
- WPA (WiFi Protected Access) - shared key, better than WEP - used RC4 & uses TKIP - Temporal Key Integrity Protocol; 802.1x has been introduced in this protocol to improve user authentication
- WPA2 - based on 802.11i (uses AES), strongest available - stronger authentication control (802.1x), key management, replay attack protection, data integrity.
question
802.1x w/EAP; AES, Counter; 128K, IV=48bits; Integrity CCMP
answer
preshared
question
Client SSL Certificates
answer
Used to identify clients to servers via SSL; certificates can also be used for form signing and as part of SSO.
question
Server SSL Certificates
answer
Used to identify servers to clients via SSL; may be used with or without client authentication; required for an encrypted SSL session
question
S/MIME Certificates
answer
Used for signed and encrypted email. A single certificate can be used as both the S/MIME and SSL certificate. Can also be used for form signing and SSO.
question
Object-signing certificates
answer
Used to identify signers of program code, scripts, or other signed files
question
Certificate Authority (CA) certificates
answer
Used to identify CAs; clients and servers use CA certificates to determine what other certificates can be trusted.
question
Securing Network Components
answer
Deterministic routing means that the WAN connectivity is supplied based upon a limited number of different routes, and traffic only travels by pre-determined routes that are known to be secure.
Boundary routers - primarily advertise routes that external hosts can use to reach internal ones. A key feature is the prevention of inbound or outbound IP spoofing attacks.
Non-blind spoofing: takes place when the attacker is on the same subnet as the victim and is only monitoring the data, not intercepting it.
Blind spoofing: several packets are sent to the target machine in order to sample sequence numbers and eventually detect the correct sequence. If the sequence number is compromised, data can be sent to the target.
Man-in-the-middle: non-blind and blind spoofing are examples of MITM attacks. This occurs when an attacker routes information between two users through their own system without the knowledge of the two individuals.
question
Use of Certificates
answer
To identify the site
To pass the public key
To identify the client machine
To identify the user at the machine
To validate a received cert
To apply a digital signature
question
Internet/Intranet/Extranet
answer
Internet - outside - public
Intranet - internal
Extranet - outside, semi-trusted
question
TKIP Attack
answer
Uses a mechanism similar to the WEP attack, in that it tries to decode data one byte at a time by using multiple replays and observing the response over the air. If QoS is enabled, the attacker can further inject up to 15 arbitrary frames for every decrypted packet. ARP poisoning, DNS manipulation, DoS.
question
Parking Lot Attack
answer
Where they sit in the organization's parking lot and try to access internal hosts via the wireless network. To reduce the effectiveness of these attacks, the wireless APs should be connected to the wired network in the DMZ.
question
Shared Key Authentication flaw
answer
Can be exploited through a passive attack by eavesdropping on both the challenge and the response between the AP and the authenticating client. This is possible because the attacker can capture both the plaintext challenge and the ciphertext response.
question
Security Perimeter; network partitioning; Dual-homed host; bastion host
answer
Security perimeter - The first line of protection between trusted and untrusted networks. Includes firewall, router, IPS, IDS, proxies, etc.
Network partitioning - Segmenting networks into domains of trust is an effective way to help enforce security policies.
Dual-homed host - Host with two NICs, one each on a separate network.
Bastion host - A fortified device usually located in the DMZ. It has been hardened.
question
DMZ
answer
Also known as a screened subnet; allows an organization to give external hosts limited access to public resources.
question
Networking Hardware
answer
Bridges - layer 2 devices that filter traffic between segments based on MAC addresses and amplify signals.
Switches - layer 2; establish a collision domain per port, enabling more efficient transmissions with CSMA/CD logic within Ethernet. Layer 3 switches are capable of making "switching decisions" based on either the MAC or IP address.
Routers - layer 3; route packets to other networks and are commonly referred to as the gateway.
Firewalls - layer 3 - Static packet filtering examines each packet without regard to the packet's context in a session. Uses ports and protocols. Stateful inspection or dynamic packet filtering examines each packet in the context of a session, which allows it to make dynamic adjustments to the rules to accommodate legitimate traffic and block malicious traffic.
question
Fiber Optic
answer
Light pulses move easily down the fiber-optic line because of a principle known as total internal reflection. This principle states that when the angle of incidence exceeds a critical value, light cannot get out of the glass; instead it bounces back in.
- Single mode - small-diameter core, which decreases the number of light reflections within the cable. 80 km, or 50 times further than multimode
- Multimode - uses a larger-diameter cable, thus light reflections subsequently increase. 400 m
- Plastic Optical Fiber (POF) - plastic core, larger diameter. 100 m
The faster the laser fluctuates, the greater the risk of dispersion.
question
Firewalls
answer
Filter traffic based on a rule set which instructs the firewall to block or forward a packet based on one or more conditions.
- By address - will often use the packet's source or destination address, or both, to determine if the packet should be filtered.
- By service - port or protocol
question
Proxy Firewall
answer
mediates communications between untrusted end-points and trusted end-points.
question
Proxy Types
answer
Circuit-level: creates a conduit through which a trusted host can communicate with an untrusted one. The lack of application awareness allows it to forward traffic to any TCP or UDP port.
Application-level: relays the traffic from a trusted end-point running a specific application to an untrusted end-point. It analyzes the data field for various sorts of common attacks, such as buffer overflows.
question
Content-Distribution Networks (CDN)
answer
Is a large distributed system of servers deployed in multiple data centers with the goal of serving content to end-users with high availability and high performance.
question
War dialing
answer
Best defense against this attack is to ensure all modems require some two-factor authentication.
question
Instant Messaging
answer
Peer-to-peer
Brokered communications
Server-oriented networks
question
IRC
answer
Is unencrypted and therefore an easy target for sniffing attacks - old, fading. Common platform for social engineering attacks aimed at inexperienced or technically unskilled users.
Authenticity: user identification can be easily faked
Confidentiality: many chat systems transmit their information in cleartext
Scripting: can execute scripts that are intended to simplify admin tasks
Social engineering: can exploit human nature and good will to claim illicit legitimacy.
Spam over IM
question
PPTP
answer
PPTP relies on Generic Routing Encapsulation (GRE) to build the tunnel between the endpoints. Based on PPP, so it offers authentication via PAP, CHAP or EAP. Weak encryption.
question
L2TP & L2F do not provide encryption
answer
Based on PPP, so it offers authentication via PAP, CHAP or EAP. No native encryption, thus relies on IPSec.
question
IPSEC
answer
A suite of protocols for communicating securely with IP by providing mechanisms for authentication and encryption. NAT does not work well with IPSec.
- Authentication Header (AH) - used to prove the identity of the sender and ensure the transmitted data has not been tampered with (origin authentication + integrity)
- Encapsulating Security Payload (ESP) - encrypts IP packets and ensures integrity and confidentiality. ESP packet layout: ESP header, ESP payload, ESP trailer, ESP authentication
question
Security Association
answer
Defines the mechanisms that an endpoint will use to communicate with its partner. Tracks IPSEC link information such as key, algorithm, cryptoperiod, etc.
question
Transport Mode
answer
The IP payload is protected (encrypted) - shims IPSEC between the existing Network and Transport headers. Mostly used for end-to-end protection (i.e., client and server).
question
Tunnel Mode
answer
The IP payload and IP header are protected (encrypted) - adds a new, routable network header, then shims IPSEC between it and the old network header.
question
IKE - Internet Key Exchange
answer
Allows two devices to exchange symmetric keys for use in encrypting with AH or ESP. It uses either Diffie-Hellman (DH) style negotiation or public key certificates. DH would be used between devices like routers; public key certificates would be used in end-user VPN connections.
question
High Assurance internet protocol
answer
Possesses additional restrictions and enhancements, like the ability to encrypt multicast data using high-assurance hardware encryption, which requires that the same key be manually loaded on all communicating devices. Military applications.
question
RADIUS
answer
Is an authentication protocol used in networked environments. A centralized authentication mechanism; provides authentication, authorization, and accounting. Commonly used in 802.1x, which is a combination of EAP and RADIUS. UserID transmitted in plaintext; one-time password encrypted. Suffers from:
- replay attacks
- lacks integrity protection
- only specific fields use encryption.
question
DIAMETER and TACACS+
answer
DIAMETER was invented to improve upon RADIUS and to address the security issues of RADIUS. Diameter runs over TCP and SCTP, a reliable transport mechanism; secured via IPSec and TLS and must use one of these security features. TACACS+ uses TCP to ensure receipt of the user credentials and encrypts the entire transmission.
question
SNMP
answer
Until v2, SNMP did not provide any degree of authentication or transmission security. v3 addresses this weakness with encryption of passwords.
question
Topologies
answer
Bus: one speaks, all hear - a central cable to which all nodes connect. Ethernet / wireless
Ring: each station is a unidirectional repeater - closed-loop topology. Token Ring / FDDI
Mesh: each station is connected to each of the other stations. Internet backbone providers, airline hub-spoke system
Star: each device is connected to a central station. Modern LANs employ star topology. Hub: Ethernet; MAU/MSAU (multi-station access unit): Token Ring
Tree: distributed star - combination of star and bus; central stations are connected to each other - all devices are connected to a branching cable.
question
Unicast, Multicast, and Broadcast Transmissions
answer
Unicast - a transmission with one receiving host.
Multicast - designed to deliver a stream to only interested hosts. IGMP is used by a host to tell the local multicast agent that it wants to join a specific multicast group. Best effort; no guarantee that the datagrams are received.
Broadcast - a transmission to everyone on its network or sub-network.
question
Network Communications
answer
Circuit switched: exclusive end-to-end path is established prior to data transfer
Packet switched: shared path is established, variances allowed.
PVC (Permanent Virtual Circuit): path is defined whether in use or not. Predefined path that does not change unless there is an outage.
SVC (Switched Virtual Circuit): path is determined at each use.
question
CSMA
answer
Carrier Sense Multiple Access - contention-based protocol and nondeterministic.
CSMA/CD - collision detection - wired
CSMA/CA - collision avoidance - wireless
question
Token passing
answer
Permission to speak for a limited time on arrival of a token.
question
TLS/SSL/SSH
answer
SSH - Secure Shell - includes remote log-on, file transfer, and command execution. SSH v1 and v2 are incompatible. v2 has improved integrity checks, preventing session hijacking and other man-in-the-middle attacks; v1 is vulnerable to insertion attacks.
SSL (Secure Sockets Layer) / TLS (Transport Layer Security) - SSL v1 & v2 replaced by SSL v3.0 and TLS 1.2. SSL/TLS use public key certs to authenticate each other (mutual authentication). Many servers support all versions; the tradeoff is lesser security for greater backwards compatibility.
question
VLAN
answer
Traditional subdividing of networks (subnetworking) was based on physical proximity; modern subnetworking is done based on logical proximity.
- MAC flooding attack: more of a limitation of the way switches and bridges work. When the MAC table is full, traffic directed to addresses that cannot be learned anymore will be permanently flooded. With port security, preventing MAC flooding attacks becomes as simple as limiting the number of MAC addresses that can be used by a single port.
- 802.1Q and ISL tagging attack: malicious schemes that allow a user on a VLAN to get unauthorized access to another VLAN.
- Double-encapsulated 802.1Q/nested VLAN attack: it is possible for packets associated with the native VLAN to lose their tags, thus use of the native VLAN should be avoided. The idea is that if an attacker is connected to an access port which is in the 802.1Q native VLAN, he can cause traffic to hop VLANs by injecting double-tagged packets.
- ARP attacks: within the same VLAN, ARP poisoning or ARP spoofing attacks are a very effective way to fool end stations or routers into learning counterfeit device identities, which can allow a malicious user to pose as an intermediary and perform a man-in-the-middle attack.
question
PVLAN
answer
Private VLAN - subdivides a VLAN into several secondaries inside a primary. Secondaries can be one of three types:
Promiscuous: can talk to any other secondary; routers are always promiscuous
Isolated: can only talk to a promiscuous node
Community: can talk to others in the community as well as any promiscuous node.
question
SDN - Software Defined Networking
answer
Takes OSI's "swap layers on this machine" concept to a network services infrastructure. Virtual device control (SDN controller) is middleware to talk to any device or application. APIs let the control and application layers communicate even if either one is swapped out or if multiple resources use differing technologies. The purpose is to separate traditional network traffic into three components: raw data, how the data is sent, and what purpose the data serves.
- Application layer: network services, utilities and applications which interface with the control level.
- Control layer: the intelligence in devices which works in a "middle-man" fashion, determining how traffic should flow
- Infrastructure layer: network switches and routers and the data itself, as well as the process of forwarding data to the appropriate destination.
question
Resource Scaling via SDN and SDS
answer
Horizontal: more machines to share the load
Vertical: more CPU or storage resources allocated to a single machine
SAN: Storage Area Network - disks and servers share an optical network for the exclusive use of the servers; clients must go through a server to access data
NAS: Network Attached Storage - disks, clients and servers share a single network; clients may access disks directly
question
SDS Data Availability Mechanisms
answer
Intelligent data placement - data placement and protection are critical because no RAID mechanism does the work of data protection.
Controllers: software-based controllers are responsible for making sure that data is read from and written to disk and remains available for use by applications and virtual machines.
Software RAID:
question
PVLANS
answer
Primary VLAN
Secondary VLANs
Three types of secondary PVLANs - Promiscuous - Isolated - Community
question
PEN & Hacking
answer
- Discovery (horizontal scan)
- Enumeration (vertical scan) - try every known port
- Vulnerability mapping: identify the OS and application version in order to find known vulnerabilities that might exist.
- Exploitation: gaining a foothold or privileges
question
VLAN Attacks
answer
MAC flooding attack
802.1Q and Inter-Switch Link Protocol (ISL) tagging attack
Double-encapsulated 802.1Q/nested VLAN attack
ARP attack
Multicast brute force attack - storm vulnerability
Spanning-tree attack
Random frame stress attack - brute force attack
question
Scanning Techniques -
answer
Port scanning - act of probing for TCP services on a machine. It is performed by establishing the initial handshake for a connection. Also used for fingerprinting an OS.
FIN, Null and XMAS scanning:
- FIN - stealth scanning method; a request to close a connection is sent to the target machine. If no application is listening on that port, a TCP RST is sent. (UNIX)
- Null - no flags are set on the initiating TCP packet to the target.
- XMAS - all flags are set on the packet to the target.
TCP sequence number attacks are used for session hijacking.
question
Methodology of an Attack
answer
Attack trees are based upon the goal of the attacker, the risk to the defender, and the vulnerabilities of the defense systems. Attacker's view:
Target acquisition (discovery) - deploy delaying tactics
Target analysis (enumeration)
Target access (vulnerability mapping)
Target appropriation (exploitation)
question
Scan types
answer
Discovery scanning:
Compliance scanning:
Vulnerability scanning:
question
IP Fragmentation Attacks
answer
Teardrop - IP packet fragments are constructed so that the length indicator does not correspond to the true length of the packet, causing confusion resulting in an overlapped fragment.
Overlapping fragment attack - used to subvert packet filters that only inspect the first fragment of a fragmented packet. Solution is for TCP/IP stacks not to allow fragments to overwrite each other.
Source routing exploitation - an attacker can abuse source routing so that the packet will be forwarded between network interfaces. Solution is to disable source routing on hosts and block source-routed packets.
Smurf (ICMP broadcast) and Fraggle (uses UDP port 7) attacks - DoS attacks
question
Denial-of-Service Attack
answer
DDoS; SYN flooding - attack using the initial handshake in a TCP connection.
question
Spoofing
answer
Packets are sent with a bogus source address so that the victim will send a response to a different host. Can be used to abuse the three-way handshake that is required to start a TCP session.
Email spoofing - SMTP does not possess an adequate authentication mechanism, so email spoofing is extremely simple.
DNS spoofing:
- recursive - a name server receiving a request will forward it and return the resolution
- iterative - a name server receiving a request will respond with a reference
There are two vulnerabilities here: it is possible for a DNS server to respond to a recursive query with information that was not requested, and the DNS server will not authenticate information. Later versions of DNS are programmed to ignore responses that do not correspond to a query.
Pharming is the manipulation of DNS.
Session hijack - act of unauthorized insertion of packets into a data stream.
question
SYN Scanning
answer
Half-open scanning or SYN scanning: no complete connection is opened; instead, only the initial steps of the handshake are performed.