Sunday, December 30, 2012

Security: Network and Telecommunication Security

OSI Model

The OSI reference model is described by ISO standard 7498. A good way to remember the seven layers is "All People Seem To Need Data Processing" (APSTNDP).

Encapsulation - A message is constructed within a program on one computer and then passed down through the protocol stack. A protocol at each layer adds its own information to the message; thus, the message grows in size as it goes down the protocol stack. The message is then sent to the destination computer, where the encapsulation is reversed.

The application layer, layer 7, works closest to the user and provides file transmissions, message exchanges, terminal sessions, and much more. This layer does not include the actual applications but rather the protocols that support the applications.

The presentation layer, layer 6, receives information from the application layer protocols and puts it in a format all computers following the OSI model can understand. This layer also handles data compression and encryption issues. Some presentation layer standards include TIFF, ASCII, etc.

The session layer, layer 5, sets up connections between applications, maintains dialog control, and negotiates, establishes, maintains, and tears down the communication channel. Examples: Network File System (NFS), SQL, NetBIOS, RPC. Modes:
  • Simplex: One direction.
  • Half-duplex: both directions, but only one at a time.
  • Full-duplex: both at the same time.
Session layer protocols control application-to-application communication, whereas the transport layer protocols handle computer-to-computer communication.

The transport layer, layer 4, receives data from many different applications and assembles the data into a stream to be properly transmitted over the network. Examples: TCP, UDP, and Sequenced Packet Exchange (SPX).
  • Note: SSL is made up of two protocols—one works in the lower portion of the session layer and the other works in the transport layer. For purposes of the CISSP exam, SSL resides in the transport layer.
The network layer, layer 3, inserts information into the packet's header so it can be properly addressed and routed, and then actually routes the packets to their proper destination. Routing protocols build and maintain their routing tables at this layer. The protocols at this layer depend on the protocols at the transport layer to catch any problems and resend packets if necessary. Examples: IP, Internet Control Message Protocol (ICMP), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), and Internet Group Management Protocol (IGMP).


The protocols at the data link layer convert data into LAN or WAN frames for transmission, convert messages into bits, and define how a computer accesses a network. The data link layer is where the network stack knows what format the data frame must be in to transmit properly over Token Ring, Ethernet, ATM, or Fiber Distributed Data Interface (FDDI) networks. If the network is an Ethernet network, for example, all the computers will expect the header to be a certain length, the flags to be positioned in a certain place within the packet, and the trailer information to be in a certain place with specific fields. On a Token Ring network, the computers would expect most of these parameters to be in different places and the frames to have particular formats.
The data link layer is responsible for proper communication within these technologies and for changing the data into the necessary format for the physical layer. It will also manage to reorder frames that are received out of sequence, and notify upper-layer protocols when there are transmission error conditions.

Two functional sub-layers: 
  • Logical Link Control (LLC): The LLC, defined in the IEEE 802.2 specification, communicates with the protocol immediately above it (the network layer).
  • Media Access Control (MAC): The MAC will have the appropriately loaded protocols to interface with the protocol requirements of the physical layer. The IEEE MAC specification for Ethernet is 802.3, Token Ring is 802.5, and wireless LAN is 802.11.
Examples are the Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP), Reverse Address Resolution Protocol (RARP), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP), FDDI, and Integrated Services Digital Network (ISDN). The data link layer converts the information into bits, and the physical layer converts those bits into electrical signals. Each network technology (Ethernet, Token Ring, and so on) defines the compatible physical transmission type (coaxial, twisted pair, or fiber) that is required to enable network communication.

The physical layer, layer 1, converts bits into voltage for transmission. Signals and voltage schemes have different meanings for different LAN and WAN technologies. Standard interfaces: High-Speed Serial Interface (HSSI), X.21, EIA/TIA-232, and EIA/TIA-449.

Security services defined in the OSI security model include data integrity, data confidentiality, authentication, and access control services.

  • A router peels back the header information until it reaches the network layer data and uses this to make its routing decisions. 
  • Bridges understand only up to the data link layer.
  • Repeaters understand data only at the physical layer.
  • When an application formats data to be transmitted over the network, the data are called a message. 
    • The message is sent to the transport layer, where TCP does its magic on the data. The bundle of data is now a segment. The segment is sent to the network layer. 
    • The network layer adds routing and addressing, and now the bundle is called a datagram. 
    • The network layer passes off the datagram to the data link layer, which frames the datagram with a header and a trailer, and now it is called a frame.
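The message/segment/datagram/frame progression above, carried out byte by byte as an added example (this is illustration code written for these notes, not something from the original post): each stage prepends its own header, the IPv4 header checksum is computed on the way down and verified on the way up, and the MAC and IP addresses are constructed sample values.

```python
import struct

# Constructed sample addresses for the walk-through (not from the page).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def to_segment(message: bytes, src_port: int, dst_port: int, seq: int = 0) -> bytes:
    """Layer 4: the transport layer prepends a 20-byte TCP header; the result is a
    segment. The TCP checksum is left at 0 here to keep the example short."""
    offset_flags = (5 << 12) | 0x18          # 5 words of header, PSH|ACK set
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                         offset_flags, 65535, 0, 0)
    return header + message


def to_datagram(segment: bytes, src_ip: str, dst_ip: str, ttl: int = 64) -> bytes:
    """Layer 3: the network layer prepends a 20-byte IPv4 header (addressing, TTL,
    protocol number) and fills in the header checksum; the result is a datagram."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                         ttl, PROTO_TCP, 0, src, dst)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment


def to_frame(datagram: bytes) -> bytes:
    """Layer 2: the data link layer adds a 14-byte Ethernet II header; the result
    is a frame (the 4-byte FCS trailer the NIC appends is omitted here)."""
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + datagram


def encapsulate(message: bytes, src_port: int, dst_port: int) -> dict:
    """Walk the message down the stack, keeping each stage so its growth is visible."""
    segment = to_segment(message, src_port, dst_port)
    datagram = to_datagram(segment, SRC_IP, DST_IP)
    return {"message": message, "segment": segment,
            "datagram": datagram, "frame": to_frame(datagram)}


def decapsulate(frame: bytes) -> dict:
    """Reverse the process on the receiving side: strip one header per layer and
    verify the IPv4 header checksum (a valid header sums to zero)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    datagram = frame[14:]
    ihl = (datagram[0] & 0x0F) * 4
    if ip_checksum(datagram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    segment = datagram[ihl:]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"ttl": datagram[8], "proto": datagram[9],
            "src_ip": ".".join(str(b) for b in datagram[12:16]),
            "dst_ip": ".".join(str(b) for b in datagram[16:20]),
            "src_port": src_port, "dst_port": dst_port,
            "message": segment[data_offset:]}


if __name__ == "__main__":
    stages = encapsulate(b"GET / HTTP/1.0\r\n", 40000, 80)
    for name, blob in stages.items():
        print(f"{name:9s} {len(blob):3d} bytes")
    print(decapsulate(stages["frame"]))
```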

How Does It Map to TCP/IP?

The four TCP/IP layers correspond to the seven OSI layers as follows:
  • Application = Application, Presentation, and Session
  • Host-to-Host = Transport
  • Internet = Network
  • Network Access = Data Link and Physical

Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of protocols that governs the way data travel from one device to another. Within the suite, TCP is a reliable, connection-oriented protocol, and IP is a connectionless protocol that provides the addressing and routing capabilities for each package of data.

UDP is a best-effort and connectionless protocol. It has neither packet sequencing nor flow and congestion control, and the destination does not acknowledge every packet it receives (acknowledging every packet is part of what adds extra overhead to TCP).

Well-Known Ports
Port numbers up to 1023 (0–1023) are called well-known ports and they can be used only by privileged system or root processes.

  • SMTP is port 25, HTTP is port 80, Telnet is port 23, SNMP is ports 161 and 162, and FTP is ports 21 and 20.

The TCP Handshake

The host sends a synchronize (SYN) packet to the receiver. The receiver acknowledges this by sending a SYN/ACK packet. The sending host acknowledges this with an acknowledgment (ACK) packet.


IP Addressing

IPv4 uses 32 bits for its addresses, whereas IPv6 uses 128 bits.

Class A: 0.0.0.0 to 127.255.255.255: The first byte is the network portion and the remaining three bytes are the host portion.
Class B: 128.0.0.0 to 191.255.255.255: The first two bytes are the network portion and the remaining two bytes are the host portion.
Class C: 192.0.0.0 to 223.255.255.255: The first three bytes are the network portion and the remaining one byte is the host portion.
Class D: 224.0.0.0 to 239.255.255.255: Used for multicast addresses.
Class E: 240.0.0.0 to 255.255.255.255: Reserved for research.

A subnet is created from the host portion of an IP address to designate a "sub" network. This allows us to further break the host portion of the address into two or more logical groupings. A network can be logically partitioned to ease administration, improve traffic performance, and potentially improve security. Subnetting is particularly beneficial in keeping down routing table sizes, because external routers can send data directly to the actual network segment without having to worry about the internal architecture of that network or about getting the data to individual hosts. That job is handled by the internal routers, which can identify the individual hosts in a subnetted environment; the external routers are spared analyzing all 32 bits of an IP address and need only look at the "masked" bits.
  • Note: To slow down depletion of IP addresses, classless interdomain routing (CIDR) was created. A Class B address range is usually too large for most companies, and a class C address range is too small, so CIDR provides the flexibility to increase or decrease the class sizes as necessary. CIDR is the method to specify more flexible IP address classes.
  • IP provides addressing, packet fragmentation, and packet timeouts. To ensure that packets do not continually traverse a network forever, IP provides a Time to Live (TTL) value that is decremented every time the packet passes through a router. IP can also provide a Type of Service (ToS) capability, which means it can prioritize different packets for time-sensitive functions.
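The classful ranges, the network/host split, subnet masks and the CIDR sizing argument above, worked through as an added example (illustration code for these notes, not from the original post); the addresses used are constructed samples, and `cidr_prefix_for_hosts` generalizes the "Class B too big, Class C too small" point to any host count.

```python
import ipaddress

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def ipv4_class(addr: str) -> str:
    """Classify by the first octet using the ranges listed above (0-127 A ... 240-255 E)."""
    first = int(addr.split(".")[0])
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"
    return "E"


def classful_split(addr: str) -> tuple:
    """Return (class, network portion, host portion) for a classful A/B/C address.
    Classes D and E have no network/host split, so their portions are empty."""
    cls = ipv4_class(addr)
    octets = addr.split(".")
    if cls not in CLASSFUL_PREFIX:
        return cls, "", ""
    n = CLASSFUL_PREFIX[cls] // 8
    return cls, ".".join(octets[:n]), ".".join(octets[n:])


def prefix_to_mask(prefix: int) -> str:
    """Dotted-decimal mask for a /prefix: the 'masked' bits a router looks at."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def subnet_info(addr: str, prefix: int) -> dict:
    """Network, broadcast and usable host count when the classful host portion is
    further divided with a /prefix (a subnet of the classful network)."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return {"network": str(net.network_address), "mask": str(net.netmask),
            "broadcast": str(net.broadcast_address),
            "usable_hosts": max(net.num_addresses - 2, 0)}


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when both addresses fall inside the same /prefix; this comparison of the
    masked bits is all an internal router needs, not the full 32-bit address."""
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


def cidr_prefix_for_hosts(hosts: int) -> int:
    """CIDR: the smallest block (largest prefix) whose usable addresses cover `hosts`,
    instead of being forced to pick between a Class B (/16) and a Class C (/24)."""
    prefix = 30
    while (2 ** (32 - prefix)) - 2 < hosts:
        prefix -= 1
    return prefix


if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.16.5.4", "192.168.1.10", "224.0.0.9"):
        print(ip, classful_split(ip))
    print(subnet_info("192.168.1.130", 26))
    p = cidr_prefix_for_hosts(500)
    print(f"500 hosts fit in a /{p} ({prefix_to_mask(p)})")
```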
IPv6
  • Increases the IP address size from 32 bits to 128 bits, giving many more addresses.
  • Scalability of multicast routing is improved by adding a "scope" field to multicast addresses.
  • A new type of address, the anycast address, is used to send a packet to any one of a group of nodes.
  • Some IPv4 header fields have been dropped or made optional.
  • Enables the labeling of packets belonging to particular traffic "flows" for which the sender requests special handling, such as non-default QoS or "real-time" service.
  • Extensions to support authentication, data integrity, and (optional) data confidentiality, via IPsec, which is built into IPv6.

Network Topology

  • A ring topology has a series of devices connected by unidirectional transmission links, as shown in Figure 7-18. These links form a closed loop and do not connect to a central system. Example: FDDI.
  • In a simple bus topology, a single cable runs the entire length of the network. Nodes are attached to the network through drop points on this cable. Data communications transmit the length of the medium, and each packet transmitted has the capability of being "looked at" by all nodes.
    • A linear bus topology has a single cable with nodes attached.
    • A tree topology has branches from the single cable, and each branch can contain many nodes.
    • Traditionally, Ethernet uses bus and star topologies.
  • In a star topology, all nodes connect to a central device such as a switch. Each node has a dedicated link to the central device.
    • Although Token Ring is usually thought of as a ring and Ethernet is considered a bus implementation, these descriptions apply only to how they work logically, which takes place at the data link layer. They can easily be physically implemented as a star, and they usually are.
  • Mesh topology is usually a network of interconnected routers and switches that provides multiple paths to all the nodes on the network. 
    • Full mesh topology: every node is directly connected to every other node (redundancy).
    • Partial mesh topology: not every node is directly connected to every other node (the Internet is an example).
LAN

A LAN is a network that provides shared communication and resources in a relatively small area. A WAN connects LANs over great distances geographically.
  • When two distinct LANs are connected by a router, the result is an internetwork, not a larger LAN. Each distinct LAN has its own addressing scheme, broadcast domain, and communication mechanisms. If two LANs are connected by a different data link layer technology, such as frame relay or X.25, they are considered a WAN.

Ethernet (IEEE 802.3)
LAN-sharing technology that enables several devices to communicate on the same network.
  • Shares media. (All devices must take turns and collisions can take place.)
  • Uses broadcast and collision domains.
  • Uses the carrier sense multiple access with collision detection (CSMA/CD) access method.
  • Supports full duplex on twisted-pair implementations.
  • Can use coaxial or twisted-pair media.
  • Types:
    • 10Base2, ThinNet, coaxial cable. Max length of 185 m, 10 Mbps.
      • Requires British Naval Connectors (BNCs) to network devices.
    • 10Base5, ThickNet, thicker coaxial cable. 10 Mbps.
    • 10Base-T, twisted-pair copper, star topology, RJ-45 connector. 10 Mbps.
  • Fast Ethernet is regular Ethernet, except that it runs at 100 Mbps over twisted-pair wiring instead of at 10 Mbps

Token Ring(IEEE 802.5)
LAN technology. Uses a token-passing technology with a star-configured topology. Physically, the topology can be a star, but the signal travels in a logical ring. Each computer is connected to a central hub, called a Multistation Access Unit (MAU). A device cannot put data on the network wire without having possession of a token, a control frame that travels in a logical circle and is "picked up" when a system needs to communicate. This is different from Ethernet, in which all the devices attempt to communicate at the same time. This is why Ethernet is referred to as a "chatty protocol" and has collisions. Token Ring is slow compared to Ethernet and is not used much anymore.

Differences between Ethernet, Token Ring, and FDDI?
These technologies are data link layer technologies (more precisely, MAC sublayer technologies). They differ in how they communicate with the protocol stack and in what type of functionality they can provide.

Fiber Distributed Data Interface (FDDI) (802.8)
High-speed token-passing media access technology. Runs at 100 Mbps and is usually used as a backbone network using fiber-optic cabling. Also provides fault tolerance by offering a second counter-rotating fiber ring. The benefit of FDDI is that it can work over long distances and at high speeds with minimal interference. It enables several tokens to be present on the ring at the same time, causing more communication to take place simultaneously, and it provides predictable delays that help connected networks and devices know what to expect and when.

Cabling
  • Attenuation is the loss of signal strength as a signal travels along a cable; it becomes a problem when a cable exceeds its maximum length.
  • If the cable has an outer foil shielding, it is referred to as shielded twisted pair (STP), which adds protection from radio frequency interference and electromagnetic interference. 
  • Another type of twisted-pair cabling does not have this extra outer shielding and is called unshielded twisted pair (UTP).
  • STP and UTP are twisted-pair cabling types that are the most popular, cheapest, and easiest to work with. However, they are the easiest to tap into, have crosstalk issues, and are vulnerable to electromagnetic interference (EMI). 
  • Coaxial cable is more expensive than UTP and STP, is more resistant to EMI, and can carry baseband and broadband technologies.
  • Fiber-optic cabling carries data as light waves, is expensive, can transmit data at high speeds, is difficult to tap into, and is resistant to EMI. If security is extremely important, fiber cabling should be used. 
  • Because it uses glass, fiber-optic cabling has higher transmission speeds that allow signals to travel over longer distances. Fiber cabling is not as affected by attenuation and EMI when compared to cabling that uses copper. It does not radiate signals.

Transmission Methods

  • The difference between broadcast and multicast is that in a broadcast (one-to-all) transmission everyone gets the data, whereas in a multicast only the few who have chosen to receive the data actually get it (the local router is informed, it informs the router above it, and so on until the whole path is decided).
  • Internet Group Management Protocol (IGMP) is used to report multicast group memberships to routers. When a user chooses to accept multicast traffic, she becomes a member of a particular multicast group.
  • IP multicast protocols use a Class D address, which is a special address space designed especially for multicasting. It can be used to send out information, multimedia data, and even real-time video and voice clips.
  • An MTU (maximum transmission unit) is a parameter that indicates how much data a frame can carry on a specific network. Different types of network technologies may require different MTU sizes, which is why frames are sometimes fragmented.
Ethernet Transmission
Ethernet uses CSMA as an access method to the network cable. There are two distinct types of CSMA: CSMA/CD and CSMA/CA.
  • With carrier sense multiple access with collision detection (CSMA/CD), devices monitor the transmission activity on the wire so they can determine the best time to transmit data.
  • Carrier sense multiple access with collision avoidance (CSMA/CA) is an access method in which each computer signals its intent to transmit data before it actually does so. This tells all other computers on the network not to transmit data right now, because doing so could cause a collision. The wireless LAN technology, 802.11, uses CSMA/CA for its media access functionality.
An Ethernet network can have broadcast and collision domains. If the same subnet is divided by bridges, the bridges pass the broadcast traffic between the different parts of the subnet, but not the collisions. Isolating collision domains reduces the number of collisions that take place on a network and increases its overall performance. This also helps security, because a network sniffer can only see the broadcast and collision traffic within its own part of the subnet.

Address Resolution Protocol (ARP)
The data link layer cannot understand the IP address and thus invokes ARP. ARP broadcasts a frame requesting the MAC address that corresponds with the destination IP address. Each computer on the subnet receives this broadcast frame, and all but the computer that has the requested IP address ignore it. The computer that has the destination IP address responds with its MAC address. Sometimes attackers alter a system's ARP table so it contains incorrect information. This is called ARP table poisoning. The attacker's goal is to receive packets intended for another computer. This is a type of masquerading attack.
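The ARP table poisoning described above is detectable from the defender's side, because a poisoned table shows an IP address changing owners or one MAC address claiming several IP addresses. The following detector is an added example written for these notes (not from the original post); it runs over a constructed, tcpdump-like sample of ARP replies, and the static-table argument stands in for the static ARP entries an administrator would pin.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies in a tcpdump-like layout (not real capture data).
# 02:00:00:00:00:99 first claims the gateway's IP, then a workstation's IP.
SAMPLE_ARP_LOG = """\
12:00:01 ARP, Reply 10.0.0.1 is-at 02:00:00:00:00:01
12:00:02 ARP, Reply 10.0.0.20 is-at 02:00:00:00:00:14
12:00:03 ARP, Reply 10.0.0.21 is-at 02:00:00:00:00:15
12:00:05 ARP, Reply 10.0.0.1 is-at 02:00:00:00:00:99
12:00:06 ARP, Reply 10.0.0.20 is-at 02:00:00:00:00:99
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-f:]{17})$",
    re.IGNORECASE,
)


def detect_arp_poisoning(log: str, static_table: dict = None) -> list:
    """Scan ARP replies and return (timestamp, alert kind, detail) tuples.

    Two poisoning signatures are checked:
      * an IP address that was bound to one MAC is now claimed by another
        (the first binding seen wins; entries in `static_table` are trusted and
        never overwritten, which is what a static ARP entry gives you);
      * one MAC address claiming several IP addresses, typical when a host
        impersonates both the gateway and a victim to receive their packets.
    """
    bindings = dict(static_table or {})     # ip -> mac
    ips_by_mac = defaultdict(set)           # mac -> set of ips it has claimed
    alerts = []
    for line in log.splitlines():
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue                        # not an ARP reply line, ignore
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            alerts.append((ts, "ip-mac-change", f"{ip}: {known} -> {mac}"))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips",
                           f"{mac}: {sorted(ips_by_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_LOG, {"10.0.0.1": "02:00:00:00:00:01"}):
        print(*alert)
```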

DHCP based network
  • The client computer broadcasts a DHCPDISCOVER message on the network. 
  • DHCP server responds with a DHCPOFFER packet, with an IP address. 
  • The client responds to the server with a DHCPREQUEST packet confirming its acceptance.
  • The server acknowledges with a DHCPACK packet, mentioning the validity period (lease) for the allocated parameters.
  • In DHCP, rogue clients can masquerade as valid clients or as unofficial DHCP servers. DHCP snooping ensures that DHCP servers can assign IP addresses only to selected systems, identified by their MAC addresses. Also, advanced network switches now have the capability to direct clients toward legitimate DHCP servers to get IP addresses and to restrict rogue systems from becoming DHCP servers on the network.

Reverse Address Resolution Protocol (RARP)
Diskless workstations send RARP frames, which go to all systems on the subnet, but only the RARP server responds. The RARP server finds which IP address matches the broadcast hardware address and sends the IP address back to the requesting computer. The Boot Protocol (BOOTP) was created after RARP and usually provides more functionality to diskless workstations. RARP evolved into BOOTP, which evolved into DHCP.

Internet Control Message Protocol (ICMP)
Delivers status messages, reports errors, replies to certain requests, reports routing information, and is used to test connectivity and troubleshoot problems on IP networks. For example, ping sends out ICMP ECHO REQUEST frames. When a router encounters a problem with a transmission request, it selects the proper ICMP response and sends it back to the requesting host to indicate what went wrong.

Loki Attack
Loki is actually a client/server program used by hackers to set up backdoors on systems. To gain access and open a remote shell to this computer, an attacker sends commands inside of ICMP packets. Most routers are configured to allow ICMP traffic to come and go out of the network, based on the assumption that this is safe because ICMP was developed to not hold any data or a payload.

Routing Protocols

Individual networks on the Internet are referred to as autonomous systems (ASs). A dynamic routing protocol can discover routes and build a routing table, whereas static routing requires manual configuration. Route flapping refers to constant changes in the availability of routes. A black hole occurs when a router does not know a link is down and keeps sending messages over it.
  • Distance-vector routing protocols make their routing decisions based on the distance (or number of hops) and a vector (a direction). Example:
    • Routing Information Protocol (RIP) is a standard that outlines how routers exchange routing table data. It should be used only in smaller networks. RIPv1 has no authentication; RIPv2 sends passwords in cleartext or hashed with MD5.
    • Interior Gateway Routing Protocol (IGRP) is distance-vector as well but uses five criteria to make a "best route" decision.
  • Link-state routing protocols build a more accurate routing table because they build a topology database of the network. They look at the number of hops between two destinations, packet size, link speed, delay, loading, and reliability.
    • Open Shortest Path First (OSPF) uses link-state algorithms to send out routing table information. It allows for smaller, more frequent routing table updates to take place.
Exterior gateway protocols (EGPs)
Exterior routing protocols used by routers connecting different ASs. The Border Gateway Protocol (BGP) enables routers on different ASs to share routing information to ensure effective and efficient routing between the different AS networks. BGP is commonly used by ISPs. It uses a combination of link-state and distance-vector routing algorithms.
  • Attacks
    • A majority of the attacks have the goal of misdirecting traffic through the use of spoofed ICMP messages. 
    • An attacker can masquerade as another router and submit routing table information to the victim router, causing traffic to be sent the wrong way.
    • These attacks are successful mainly when routing protocol authentication is not enabled.
    • Other DoS attacks exist, such as flooding a router port, buffer overflows, and SYN floods.
      • The countermeasures for most of these involve authentication and encryption of routing data through the use of shared keys or IPSec.
  • Wormhole Attack
    • An attacker can capture a packet at one location in the network and tunnel it to another location in the network (to a second attacker). This can take place on a wired or wireless network, but it is easier to carry out on a wireless network because the attacker does not need to actually penetrate a physical wire.
      • The countermeasure is to use a leash, which is just data that are put into a header of the individual packets. The leash restricts the packet's maximum allowed transmission distance. The leash can be either geographical, which ensures that a packet stays within a certain distance of the sender, or temporal, which limits the lifetime of the packet.

Networking Devices

  • A repeater provides the simplest type of connectivity, because it only repeats and amplifies electrical signals between cable segments.
  • A hub is a multiport repeater. A hub is often referred to as a concentrator. A hub does not understand or work with IP or MAC addresses. The signal is broadcast to all the ports, and thus to all the systems connected to the concentrator.
  • A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.
    • A bridge is used to divide overburdened networks into smaller segments to ensure better use of bandwidth and traffic control. A bridge has more intelligence than a repeater.
    • Bridges forward all broadcast packets, which can overwhelm the network and result in a broadcast storm.
    • If the bridge receives a request to send a frame to a destination that is not in its forwarding table, it sends out a query frame on each network segment except for the source segment. The destination host is the only one that replies to this query. The bridge updates its table with this computer address and the port to which it is connected, and forwards the frame.
    • Spanning Tree Algorithm (STA) ensures that frames do not circle networks forever, provides redundant paths in case a bridge goes down, assigns unique identifiers to each bridge, assigns priority values to these bridges, and calculates path costs.
    • If source routing is used instead of transparent bridging, the packets contain the necessary information within them to tell the bridge where they should go. External devices and border routers should not accept packets with source routing information within their headers, because that information will override what is laid out in the forwarding and routing tables. Source routing can be used by attackers to get around certain bridge and router filtering rules.
    • A local bridge connects two or more LAN segments within a local area. 
    • A remote bridge can connect two or more LAN segments over a MAN.
    • A translation bridge is needed if the two LANs being connected are different types and use different standards and protocols, for example, a connection between a Token Ring network and an Ethernet network.
  • Routers
    • Routers are layer 3, or network layer, devices that are used to connect similar or different networks and filter packets based on IP addresses, whereas bridges work at the data link layer and filter frames based on MAC addresses. Routers usually do not pass broadcast information, but bridges do pass broadcast information.
    • If two LANs are connected with a bridge, the LANs have been extended, and are in the same broadcast domain. A router can be configured not to forward broadcast information, so if two LANs are connected with a router, an internetwork results. An internetwork is a group of networks connected in a way that enables any node on any network to communicate with any other node. The Internet is an example of an internetwork.
    • A router is used when an administrator wants to divide a network along the lines of departments, workgroups, or other business-oriented divisions. A bridge divides segments based more on the traffic type and load.
  • Switch
    • Switches combine the functionality of a repeater and the functionality of a bridge. Any device connected to one port can communicate with a device connected to another port with its own virtual private link. When a frame comes to a hub, the hub sends the frame out through all of its ports. When a frame comes to a bridge, the bridge sends the frame to the port to which the destination network segment is connected. When a frame comes to a switch, the switch sends the frame directly to the destination computer or network.
    • When switches are used, contention and collisions are not issues.
    • Higher-level switches (layer 3 and layer 4), also called multilayered switches, offer routing functionality, packet inspection, traffic prioritization, and QoS functionality. Most of these functions are done at the hardware/chip level.
    • Multiprotocol Label Switching (MPLS) allows for faster routing and addresses service requirements for the different packet types. It attaches a label to each packet and forwards the packet based on that label alone, which speeds things up.
    • Switching makes it more difficult for intruders to sniff and monitor network traffic, because broadcast and collision information is no longer continually traveling throughout the network.
    • Switching makes VLANs possible and it exists on top of the physical network. VLANs enable an administrator to apply particular security policies to respective logical groups.
  • Gateway
    • Gateway is a general term for software running on a device that connects or translates two different environments.
    • A network access server (NAS) can function as a gateway between telecommunications and network connections.
    • Examples: an e-mail gateway (the gateway converts the message into a standard that all mail servers understand, usually X.400), or a gateway between a LAN and a backbone such as an FDDI backbone.
  • PBX
    • A PBX is a private telephone switch that is located on a company's property. This switch performs some of the same switching tasks that take place at the telephone company's central office. The PBX has a dedicated connection to its local telephone company's central office, where more intelligent switching takes place.
    • Many companies, for example, have modems hanging off their PBX (or other transmission access methods) to enable the vendor to dial in and perform maintenance on the system. These modems are usually unprotected doorways into a company's network.
    • Many PBX systems have default system manager passwords that are hardly ever changed. These can be exploited by a phreaker (a phone hacker).

Firewalls

Packet filtering (first generation) is a security method of controlling what data can flow into and out of a network. Packet filtering takes place by using ACLs, which are lines of text, called rules, that the device applies to each packet it receives.
Packet-filtering firewalls are scalable, are not application dependent, and have high performance because they do not carry out extensive processing.
Weaknesses:
  • Cannot prevent attacks that employ application-specific vulnerabilities.
  • The logging functionality present is limited.
  • Most do not support advanced user authentication schemes.
  • Many cannot detect a network packet in which the OSI layer 3 addressing information has been altered (spoofed).
  • Due to the small number of variables used in access control decisions, they are susceptible to security breaches caused by improper configurations.

A stateful-inspection firewall maintains a state table, which is like a score sheet of who said what to whom. These firewalls work at the network and transport layers. Unfortunately, they have been the victims of many types of Denial-of-Service (DoS) attacks aimed at flooding the state table with bogus information.

Proxy firewalls are second-generation firewalls. A proxy firewall stands between a trusted and an untrusted network and makes the connection, each way, on behalf of the source. There is no direct connection to internal computers.

A stateful-inspection firewall is considered a third-generation firewall. It makes a copy of each accepted packet before transmitting it and repackages the packet to hide the packet's true origin, so an attacker does not learn the source information.
  • Maintains a state table
  • Provides a high degree of security and does not introduce the performance hit that application proxy firewalls introduce
  • Is scalable and transparent to users
  • Provides data for tracking connectionless protocols such as UDP and ICMP
  • Stores and updates the state and context of the data within the packets

Many firewalls are multihomed, meaning they have more than one NIC. This allows the company to create several independent DMZs. One interface is connected to the untrusted network (usually the Internet), another interface is connected to the trusted network (the internal company network), and the other interfaces can segment different DMZs.

Pros and Cons of Proxy Firewalls
Pros:
  • Looks at the information within a packet, possibly all the way up to the application layer.
  • Provides better security than packet filtering.
  • Breaks the connection between trusted and untrusted systems.
Cons:
  • Some proxy firewalls support only a limited number of applications.
  • Degrades traffic performance.
  • Application-based proxy firewalls may have scalability and performance issues.
  • Breaks the client/server model, which is good for security but sometimes bad for functionality.
Application-level proxies inspect the packet up through the application layer and make access decisions based on the content of the packet.
    • A different proxy is required for each service allowed
    • Provide more intricate control than circuit-level proxy firewalls
    • Require more processing per packet and thus are slower than a circuit-level proxy firewall
    • Have extensive logging capabilities
    • Are capable of authenticating users directly
    • Can address spoofing attacks and other sophisticated attacks
    • Tend to be limited in terms of support for new network applications and protocols
A circuit-level proxy creates a circuit between the client computer and the server and provides protection at the session layer. It does not understand or care about the higher-level issues an application-level proxy deals with. It knows the source and destination addresses and makes access decisions based on this type of header information. Similar to packet filtering.
    • Do not require a proxy for each and every service
    • Do not provide the detailed access control an application-level proxy firewall provides
    • Provide security for a wider range of protocols
  • SOCKS
    • SOCKS is an example of a circuit-level proxy gateway that provides a secure channel between two computers. A SOCKS proxy firewall intercepts client requests to the Internet, applies policies/rules to them, and does the same for responses from the Internet.
    • The SOCKS server usually sits behind a router, and each SOCKS client must have SOCKS software installed.
    • It can be resource intensive.
    • It provides authentication and encryption features similar to other VPN protocols, but is not considered a traditional VPN protocol.

Dynamic Packet Filtering
Dynamic packet filtering is a fourth-generation firewall. An internal system could choose a source port of 11,111 for its message to the outside system. This frame goes to the dynamic packet-filtering firewall, which builds an ACL, as illustrated in Figure 7-37, indicating that a response from the destination computer to this internal system's IP address and port 11,111 is to be allowed.

A kernel proxy firewall is considered a fifth-generation firewall. It differs from all the previously discussed firewall technologies because it creates dynamic, customized TCP/IP stacks when a packet needs to be evaluated. The packet is scrutinized at every layer of the stack. It is still a proxy-based system, and it can perform NAT by changing the source address, as do the preceding proxy-based firewalls.

Best practices for any firewall type:
  • Block ICMP redirect traffic.
  • ACLs should be simple and direct.
  • Disallow source routing.
  • Close unnecessary ports with dangerous services.
  • Disable unused interfaces.
  • Block directed IP broadcasts.
  • Block incoming packets with internal address (they are spoofed).
  • Block multicast traffic if not needed.
  • Enable logging.
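
The bullets above are the policy; as an added example (my own code, not from the page or the CISSP text it summarizes), the following Python applies the checks that can be decided from a packet's headers alone (source routing, ICMP redirects, spoofed internal sources, multicast, and directed broadcasts) to a few constructed packets and logs every drop. The internal address ranges, interface names, and packet fields are assumptions for the demo.

```python
import ipaddress
import logging
from dataclasses import dataclass

# Constructed policy for a border firewall with one external ("ext") and one
# internal ("int") interface. Ranges are RFC 1918 / documentation addresses.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
ICMP_REDIRECT = 5                     # ICMP type 5 = Redirect

log = logging.getLogger("border-fw")


@dataclass(frozen=True)
class Packet:
    iface: str                        # interface the packet arrived on
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    icmp_type: int = 0
    source_routed: bool = False       # IP option LSRR (131) or SSRR (137) present


def inbound_verdict(pkt: Packet) -> str:
    """Return 'accept' or a 'drop:<reason>' string for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.source_routed:
        return "drop:source-routing"
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_REDIRECT:
        return "drop:icmp-redirect"
    # An internal source address arriving on the outside interface is spoofed.
    if pkt.iface == "ext" and any(src in n for n in INTERNAL_NETS):
        return "drop:spoofed-internal-source"
    if dst in MULTICAST:
        return "drop:multicast"
    # Directed broadcast: destination is the broadcast address of an inside subnet.
    if any(dst == n.broadcast_address for n in INTERNAL_NETS):
        return "drop:directed-broadcast"
    return "accept"


def filter_packets(packets):
    """Run every packet through the policy, log drops, return the verdict list."""
    verdicts = []
    for p in packets:
        v = inbound_verdict(p)
        if v != "accept":
            log.warning("%s %s -> %s on %s: %s", p.proto, p.src, p.dst, p.iface, v)
        verdicts.append(v)
    return verdicts


# Constructed sample traffic: one legitimate packet followed by one packet per rule.
SAMPLE = [
    Packet("ext", "203.0.113.7", "10.0.0.5", "tcp"),
    Packet("ext", "10.1.2.3", "10.0.0.5", "tcp"),
    Packet("ext", "203.0.113.7", "192.168.1.255", "udp"),
    Packet("ext", "203.0.113.7", "239.1.1.1", "udp"),
    Packet("ext", "203.0.113.7", "10.0.0.5", "icmp", icmp_type=ICMP_REDIRECT),
    Packet("ext", "203.0.113.7", "10.0.0.5", "tcp", source_routed=True),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for p, v in zip(SAMPLE, filter_packets(SAMPLE)):
        print(f"{p.src:>14} -> {p.dst:<14} {v}")
```

The order of the checks matters only for which reason gets logged; every one of these is a header-only decision, which is exactly why a plain packet filter can enforce them without understanding the application.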
Bastion host is just another name for a locked-down (or hardened) system. A bastion host is usually a highly exposed device, because it is the front line in a network's security and its existence is known on the Internet.

A screened host (single-tiered configuration) is a firewall that communicates directly with a perimeter router and the internal network (the firewall is screened by the router). If the firewall is an application-based system, protection is provided at the network layer by the router and at the application layer by the proxy. This arrangement offers a high degree of security, because for an attacker to be successful, she would have to compromise two systems.

A screened-subnet (two-tiered configuration) architecture adds another layer of security to the screened-host architecture. The external firewall screens the data entering the DMZ network. However, instead of the firewall then redirecting the traffic to the internal network, an interior firewall also filters the traffic. The use of these two physical firewalls creates a DMZ. The screened-subnet approach provides more protection than a stand-alone firewall or a screened-host firewall because three devices are working together. This solution provides the highest security, but is the most complex.

Firewall Tips
  • Zombies are the agents used in distributed DoS (DDoS) attacks: some program on the internal network is spoofing traffic.
  • If packets are leaving a network with different source addresses, these packets are spoofed and the network is most likely being used as an accomplice in a DDoS attack.
  • Firewalls should reassemble fragmented packets before sending them on to their destination. With a fragmented packet the firewall is seeing only part of the picture.
  • Deny source routing.
  • Dual-homed: Must disable a computer's forwarding and routing functionality so the two networks are truly segregated.
  • Border firewalls provide little protection against the inside attacker.
  • Firewalls do not protect against rogue modems in listening mode.
  • Firewalls do not protect against rogue wireless access points (APs).

Network Segregation and Isolation

Implement routers that do not pass on broadcast and collision domain information, and use different address schemes for different segments.

Within DNS servers, DNS namespaces are split up administratively into zones. For instance, one zone may contain all hostnames for the marketing and accounting departments. Resource records map hostnames to IP addresses.
    • Unauthorized zone transfers (between DNS servers) can take place if the DNS servers are not properly configured to restrict them.
    • DNS pharming attacks
    • Use stronger authentication mechanisms such as DNSSEC (DNS security).
    • Split DNS, which means a DNS server in the DMZ handles external resolution requests, while an internal DNS server handles only internal requests. This helps ensure that the internal DNS has layers of protection and is not exposed by being "Internet facing."
    • Awareness of domain grabbing and cyber squatting issues will help you better plan out your online presence and allow you to steer clear of these traps.
    • Host file manipulation
    • Attackers also use character encoding to obscure web addresses that might otherwise arouse user suspicion.
    • Most directory service databases are built on the X.500 model and use the Lightweight Directory Access Protocol (LDAP) to access the directory database.
      • A meta-directory holds top-level information about the directory itself, which enables a user in one directory to quickly locate an object he is looking for in a totally different directory.
      • The newest LDAP version, version 3, has an extensive security model embedded that supports Internet security standards such as transport layer security (TLS).
NAT is a gateway that lies between a network and the Internet (or another network) and performs transparent routing and address translation.
  • Provides a great security benefit by hiding the true IP scheme.
  • NAT enables a company to use private IP addresses that have been reserved for internal LAN address use, as outlined in RFC 1918.
  • Static mapping: The NAT software has a pool of public IP addresses configured. Each private address is statically mapped to a specific public address. This is generally used for servers that need to keep the same public address at all times.
  • Dynamic mapping: The NAT software has a pool of IP addresses, but instead of statically mapping a public address to a specific private address, it works on a first-come, first-served basis.
  • Port address translation (PAT): The company owns and uses only one public IP address for all systems that need to communicate outside the internal network.
    • The NAT device changes the IP address in the computer's packet header and uses the source port, which is mapped to the private IP address and the private computer's source port.
    • Most NAT implementations are stateful, meaning they keep track of a communication between the internal host and an external host until that session is ended.
    • NAT is a service usually performed on routers or firewalls within a company's screened subnet.
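
To tie the dynamic packet-filtering description above (the internal host that picks source port 11,111 and is then allowed the reply) to PAT, here is an added Python example (my own code, not from the page): a minimal stateful PAT gateway that rewrites outbound packets to one public address, records the mapping in a state table, admits inbound packets only when they match an entry, and evicts idle entries under a hard bound so the table cannot be flooded indefinitely (the DoS concern noted for stateful firewalls). The public address, port range, and timeout values are constructed.

```python
import time
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"   # the company's single public address (constructed)
IDLE_TIMEOUT = 60.0         # seconds of silence before a state entry is evicted
MAX_ENTRIES = 10_000        # hard bound on the state table size


@dataclass(frozen=True)
class Flow:
    """One packet's addressing: source IP/port and destination IP/port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulPAT:
    """State table + port translation. Outbound packets create entries;
    inbound packets are translated back only if an internal host started the flow."""

    def __init__(self, now=time.monotonic):
        self.now = now              # injectable clock so expiry can be tested
        self.next_port = 40000
        # private (src_ip, src_port, dst_ip, dst_port) -> public port
        self.outbound = {}
        # (public port, remote ip, remote port) -> (private ip, private port, last_seen)
        self.inbound = {}

    def _expire(self):
        """Drop entries idle longer than IDLE_TIMEOUT (linear scan, fine for a demo)."""
        cutoff = self.now() - IDLE_TIMEOUT
        for key, (priv_ip, priv_port, seen) in list(self.inbound.items()):
            if seen < cutoff:
                del self.inbound[key]
                del self.outbound[(priv_ip, priv_port, key[1], key[2])]

    def outbound_packet(self, f):
        """Internal host -> Internet. Returns the rewritten flow, or None if the
        table is full (refuse rather than grow without bound)."""
        self._expire()
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            if len(self.outbound) >= MAX_ENTRIES:
                return None
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = pub_port
        self.inbound[(pub_port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port, self.now())
        return Flow(PUBLIC_IP, pub_port, f.dst_ip, f.dst_port)

    def inbound_packet(self, f):
        """Internet -> gateway. Returns the flow rewritten to the private host,
        or None (drop) when no matching outbound entry exists."""
        self._expire()
        key = (f.dst_port, f.src_ip, f.src_port)
        entry = self.inbound.get(key)
        if f.dst_ip != PUBLIC_IP or entry is None:
            return None
        priv_ip, priv_port, _ = entry
        self.inbound[key] = (priv_ip, priv_port, self.now())   # refresh idle timer
        return Flow(f.src_ip, f.src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = StatefulPAT()
    out = nat.outbound_packet(Flow("10.0.0.5", 11111, "198.51.100.9", 80))
    print("outbound rewritten to", out)
    print("reply ->", nat.inbound_packet(Flow("198.51.100.9", 80, PUBLIC_IP, out.src_port)))
    print("unsolicited ->", nat.inbound_packet(Flow("198.51.100.9", 80, PUBLIC_IP, 40001)))
```

Because the inbound key includes the remote address and port, a packet from a different host aimed at an allocated public port is still dropped; that is the "who said what to whom" score sheet in code.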
Intranets/Extranets/Telecommunications
    • Companies use EDI (electronic data interchange) for internal communication and for communication with other companies.
    • A value-added network (VAN) is an EDI infrastructure developed and maintained by a service bureau.
    • A metropolitan area network (MAN) is usually a backbone that connects LANs to each other and LANs to WANs, the Internet, and telecommunications and cable networks. A majority of today's MANs are Synchronous Optical Networks (SONETs) or FDDI rings provided by the telecommunications service providers.
    • SONET is self-healing, meaning that if a break in the line occurs, it can use a backup redundant ring to ensure transmission continues.
    • SONET transmits digitized voice signals in packets and is the standard for telecommunications transmission over fiber-optic cables.
    • T1 trunks carry 24 voice calls over two pairs of copper wires.
    • Longer-distance calls use T3 lines, which can carry up to 28 T1 lines.
    • Communication error rates are lower in LAN environments than in WAN environments because of the complexity of WANs, where traffic may have to travel hundreds or thousands of miles and through many devices. So most LAN MAC protocols are connectionless and most WAN communication protocols are connection oriented.
    • Asynchronous Transfer Mode (ATM) encapsulates data in fixed cells and can be used to deliver data over the SONET network.
    • SONET is the standard for North America, while SDH (Synchronous Digital Hierarchy) is the standard for the rest of the world. SDH and SONET are similar but just different enough to be incompatible.

Dedicated Links
A dedicated link is also called a leased line or point-to-point link. Other options include X.25, frame relay, and ATM technologies.
  • Originally, T1 and T3 lines were used by the carrier companies, but they have been replaced mainly with optical lines.
  • Fractional T lines are split up between companies.
  • They are expensive and inflexible.
  • Dedicated links provide multiplex functionality through time-division multiplexing (TDM).
  • Statistical time-division multiplexing (STDM): Transmits several types of data simultaneously across a single transmission cable or line (such as a T1 or T3).
  • Frequency-division multiplexing: An available wireless spectrum is used to move data. Each frequency within the spectrum is used as a channel to move data.

WAN Technologies

  • A CSU/DSU is necessary because the signals and frames can vary between the LAN equipment and the WAN equipment used by service providers.
    • The DSU device converts digital signals from routers, bridges, and multiplexers into signals that can be transmitted over the telephone company's digital lines.
  • The CSU/DSU provides a digital interface for Data Terminal Equipment (DTE), such as terminals, multiplexers, or routers, and an interface to the Data Circuit-Terminating Equipment (DCE) device, such as a carrier's switch.
Switching
  • Circuit switching sets up a virtual connection that acts like a dedicated link between two systems. Eg: ISDN and telephone calls.
  • Packet switching, on the other hand, does not set up a dedicated virtual link, and packets from one connection can pass through a number of different individual devices. Examples; Internet, X.25, and frame relay.
    • Packet switching is based on STDM.
  • Frame relay is a WAN protocol that operates at the data link layer and uses packet-switching technology to share the same WAN media.
    • Companies can pay more to ensure that a higher level of bandwidth will always be available; this guaranteed level is the committed information rate (CIR).
  • Frame relay (and X.25) forwards frames across virtual circuits.
    • A permanent virtual circuit (PVC) works like a private line for a customer with an agreed-upon bandwidth availability.
    • For switched virtual circuits (SVCs), a circuit must be built for each session.
  • X.25 is a switching technology that uses carrier switches to provide connectivity for many different networks. Data are divided into 128 bytes and encapsulated in High-level Data Link Control (HDLC) frames.
    • Frame relay is much more advanced and efficient when compared to X.25, because the X.25 protocol was developed and released in the 1970s.
    • Asynchronous Transfer Mode (ATM) is another switching technology, but it uses a cell-switching method.
      • Like frame relay, it is a connection-oriented switching technology, and creates and uses a fixed channel.
      • Transfers data in fixed (53-byte) cells; it is a WAN technology.
      • Moves data at very high rates. Very fast because of the low overhead.
      • The virtual circuits used can guarantee bandwidth and QoS. For these reasons, ATM is a good carrier for voice and video transmission.
    • Quality of Service (QoS)
      • Constant Bit Rate (CBR): A connection-oriented channel that provides a consistent data throughput for time-sensitive applications, such as voice and video applications.
      • Variable Bit Rate (VBR): A connection-oriented channel best used for delay-insensitive applications because the data throughput flow is uneven.
      • Unspecified Bit Rate (UBR): A connectionless channel that does not promise a specific data throughput rate.
      • Available Bit Rate (ABR): A connection-oriented channel that allows the bit rate to be adjusted.
    • Switched Multimegabit Data Service (SMDS) is a high-speed packet-switched technology used to enable customers to extend their LANs across MANs and WANs.
    • Synchronous Data Link Control (SDLC) protocol is based on networks that use dedicated, leased lines with permanent physical connections.
    • High-level Data Link Control (HDLC) protocol is also a bit-oriented link layer protocol used for transmission over synchronous lines. HDLC is an extension of SDLC.
    • High-Speed Serial Interface (HSSI) is an interface used to connect multiplexers and routers to high-speed communications services such as ATM and frame relay.
    • Multiservice access technologies combine several types of communication categories (data, voice, and video) over one transmission line.
    • The regular phone system is based on a circuit-switched, voice-centric network, referred to as the public-switched telephone network (PSTN).
      • The PSTN is being replaced by data-centric, packet-oriented networks that can support voice, data, and video.
    • When Voice over IP (VoIP) is used, it employs the Session Initiation Protocol (SIP), which sets up and breaks down the call sessions, just as SS7 does for non-IP phone calls.
      • SIP consists of two major components: the User Agent Client (UAC) and User Agent Server (UAS). The UAC is the application that creates the SIP requests for initiating a communication session. The UAS is the SIP server, which is responsible for handling all routing and signaling involved in VoIP calls.
      • SIP handshaking: an INVITE packet goes to the destination while a continuous TRYING packet goes back to the originator; then a RINGING packet goes to the originator, followed by an OK packet; the originator then sends an ACK packet to the destination. A BYE is sent at the end of the call.
      • The actual voice stream is carried on media protocols such as the Real-time Transport Protocol (RTP).
      • SIP-based signaling suffers from the lack of encrypted call channels and authentication of control signals. Attackers can tap into the SIP server and client communication to sniff out login IDs, passwords/PINs, and phone numbers.
      • VoIP devices are also vulnerable to DoS attacks. Attackers can flood RTP servers with call requests in order to overwhelm their processing capabilities.
      • One can connect laptops simulating IP phones to the Ethernet interfaces that IP phones use; these can then be used to carry out intrusions and DoS attacks.
      • If attackers are able to intercept voice packets, they may eavesdrop on ongoing conversations as well.
      • Attackers can also intercept RTP packets to inject arbitrary audio/video data that may be a cause of annoyance to the actual participants.
      • Attackers can also impersonate a server and issue commands.
      • SPIT (Spam over Internet Telephony) causes serious loss of VoIP bandwidth and is a time-wasting nuisance. It cannot be deleted like spam on first sight, the victim has to go through the entire message. SPIT is also a major cause of overloaded voicemail servers.
    • Countermeasures
      • Authorization of individual IP terminals ensures that only pre-listed devices are allowed to access the network.
      • It is essential for two communicating VoIP devices to be able to authenticate their identities by using fixed hardware identification parameters, such as MAC addresses or other "soft" codes that may be assigned by servers (for example, layered encryption techniques).
      • Keep patches updated on each network device.
      • Install and maintain stateful firewalls, VPNs, and intrusion detection.
      • Filter unnecessary ports on routers, switches, PCs, and IP telephones.
      • Employ real-time monitoring that looks for attacks, tunneling, and abusive call patterns through IDS/IPS.
      • Employ content monitoring.
      • Use encryption when data (voice, fax, video) cross an untrusted network.
      • Use a two-factor authentication requirement.
      • Limit the number of calls via media gateways.
      • Close the media sessions after completion.
      • Transport Layer Security (TLS) ensures that all SIP packets are conveyed within an encrypted and secure tunnel.
    • Skype is a popular Internet telephony application that uses a peer-to-peer communication model rather than the traditional client/server approach of VoIP systems. User records are maintained across distributed member nodes and can quickly accommodate user surges
    • Applications that are time sensitive, such as voice and video signals, need to work over an isochronous network. An isochronous network contains the necessary protocols and devices that guarantee continuous bandwidth without interruption.
    • H.323 Gateways
      • The ITU-T recommendations cover a wide variety of multimedia communication services. H.323 is part of this family of recommendations, but it is also a standard that deals with video, real-time audio, and data packet-based transmissions where multiple users can be involved with the data exchange.
      • H.323 gateways connect different types of systems and devices and provide the necessary translation functionality
      • The best of both worlds is to combine IP over ATM or frame relay.
    • A company has on its premises a PBX, which is a switch between the company and the PSTN, and T1 or T3 lines connecting the PBX to the telephone company's central office, which houses switches that act as ramps onto the PSTN. When WAN technologies are used instead of accessing the PSTN through the central office switches, the data are transmitted over the frame relay or ATM cloud.
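
As an added example (my own code, not from the page), the SIP handshake order described above can be written as a small dialog state machine and run over a constructed signaling log. The same pass flags the call-request flood described under VoIP DoS (many INVITEs from one source in a short window) and dialogs that never reach ACK, which is what such a flood leaves behind. The log format, the thresholds, and the addresses are assumptions for the demo; a real monitor would parse SIP messages rather than this one-line summary.

```python
from collections import defaultdict

# Constructed SIP signaling log (not from any real system). Each line is:
# "<seconds> <from-ip> <to-ip> <message> <call-id>"
SAMPLE_LOG = """\
0.00 10.0.0.5 10.0.0.100 INVITE c1
0.01 10.0.0.100 10.0.0.5 100-TRYING c1
0.50 10.0.0.100 10.0.0.5 180-RINGING c1
3.00 10.0.0.100 10.0.0.5 200-OK c1
3.02 10.0.0.5 10.0.0.100 ACK c1
45.0 10.0.0.5 10.0.0.100 BYE c1
45.1 10.0.0.100 10.0.0.5 200-OK c1
50.0 198.51.100.7 10.0.0.100 INVITE f1
50.0 198.51.100.7 10.0.0.100 INVITE f2
50.1 198.51.100.7 10.0.0.100 INVITE f3
50.1 198.51.100.7 10.0.0.100 INVITE f4
50.2 198.51.100.7 10.0.0.100 INVITE f5
50.2 198.51.100.7 10.0.0.100 INVITE f6
"""

# Legal transitions for the handshake described in the notes.
# 100 Trying is a provisional response, so a callee may go straight to 180 Ringing.
TRANSITIONS = {
    ("new", "INVITE"): "inviting",
    ("inviting", "100-TRYING"): "trying",
    ("inviting", "180-RINGING"): "ringing",
    ("trying", "180-RINGING"): "ringing",
    ("trying", "200-OK"): "answered",
    ("ringing", "200-OK"): "answered",
    ("answered", "ACK"): "established",
    ("established", "BYE"): "closing",
    ("closing", "200-OK"): "ended",
}
SETTLED = {"established", "closing", "ended"}


def analyze(log_text, flood_threshold=5, window=1.0):
    """Track each call-id through the state machine and report anomalies.

    Returns a dict with the final state per call, sources that sent
    flood_threshold or more INVITEs within `window` seconds, calls that never
    got past the INVITE handshake (half-open), and messages that arrived in an
    order the handshake does not allow."""
    state = {}
    recent_invites = defaultdict(list)   # source ip -> timestamps inside the window
    flood_sources = set()
    out_of_order = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, msg, call_id = line.split()
        ts = float(ts)
        current = state.get(call_id, "new")
        nxt = TRANSITIONS.get((current, msg))
        if nxt is None:
            out_of_order.append((call_id, current, msg))
            continue
        state[call_id] = nxt
        if msg == "INVITE":
            kept = [t for t in recent_invites[src] if t > ts - window] + [ts]
            recent_invites[src] = kept
            if len(kept) >= flood_threshold:
                flood_sources.add(src)
    half_open = sorted(c for c, s in state.items() if s not in SETTLED)
    return {
        "states": state,
        "flood_sources": sorted(flood_sources),
        "half_open": half_open,
        "out_of_order": out_of_order,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("final states:", report["states"])
    print("INVITE flood from:", report["flood_sources"])
    print("half-open calls:", report["half_open"])
```

The threshold and window are the tuning knobs: a busy PBX legitimately sees bursts of INVITEs, so in practice they are set per source class (trunk versus handset) rather than globally.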
    Remote Access

    Types of remote connectivity methods used are VPNs, dial-up connections, ISDN, cable modems, and DSL connections. Remote access is usually gained by connecting to a remote access server (RAS), which acts as a gateway and can be an endpoint to a PPP session. RADIUS is a type of access authentication technology used in remote-connection situations. Strong two-factor user authentication should be used via RADIUS or TACACS+ servers.
    Caller ID and callback settings, as well as two-factor authentication, can be configured on the RAS server. The callback option requires the RAS to call back the user requesting access.
    • If a company has not implemented any (or strong) access control over the RAS, attackers can easily walk into its network without ever having to bother with the firewall.
    • Wardialing enables an attacker to find all the modems that provide remote access into a network.
      • Some corporate PBX phone systems have the capability to detect modem signals on analog phone lines and audit/record their usage. This can be implemented to support the appropriate security policy of "no unauthorized devices are to be attached to the data and telephone network."
    ISDN
    • ISDN was developed to replace the aging analog telephone systems, but it has yet to catch on to the level expected.
    • ISDN is a set of telecommunications services that can be used over public and private telecommunications networks and provides a digital point-to-point circuit-switched medium.
    • ISDN provides more functionality and higher bandwidth than a modem on an as-needed basis and can be used for LAN-to-LAN on-demand connectivity, instead of using an expensive dedicated link.
    • Basic Rate Interface (BRI)
      • BRI has two B channels that enable data to be transferred and one D channel that provides for call setup, connection management, error control, caller ID, and more. The total bandwidth available is 144 Kbps.
    • Primary Rate Interface (PRI), which has 23 B channels and one D channel, is more commonly used in corporations. Each channel provides 64 Kbps.
    • A company can also choose to implement dial-on-demand routing (DDR), which can work over ISDN.
      • It is usually implemented by companies that send out only a small amount of WAN traffic and is a much cheaper solution than a real WAN implementation.
    Digital Subscriber Line (DSL)

    DSL can provide 6 to 30 times higher bandwidth speeds than ISDN and analog technologies. You have to be within a 2.5-mile radius of the DSL service provider's equipment; otherwise the transmission rates decrease. DSL can provide up to a 52-Mbps transmission.
    • Symmetrical DSL (SDSL): Data travel upstream and downstream at the same rate.
    • Asymmetrical DSL (ADSL): Data travel downstream faster than upstream.
    • ISDN DSL (IDSL): Provides DSL for customers who cannot get SDSL or ADSL because of their distance.
    • High-bit-rate DSL (HDSL): Provides T1 (1.544 Mbps) speeds over regular copper.
    Cable modems provide high-speed access, up to 50 Mbps, to the Internet through existing cable coaxial and fiber lines.

    Virtual private network (VPN)
    A VPN is a secure, private connection through a public network or an otherwise unsecure environment.
    • The protocols that can be used for VPNs are Point-to-Point Tunneling Protocol (PPTP), IPSec, and L2TP.
    • The user first makes a PPP connection to an ISP, and the ISP makes a full connection for the user to the destination network. PPP encapsulates datagrams to be properly transmitted over a telecommunication link.
    • A VPN can also provide a connection between two routers (many times called a gateway-to-gateway connection).
    • A VPN can also take place between firewalls that have VPN functionality.

    Tunneling Protocols

    • A tunnel is a virtual path across a network that delivers packets that are encapsulated and possibly encrypted. 
    • If two networks use IPX and need to communicate across the Internet, these messages must also be encapsulated in a protocol that the Internet can understand, such as IP.
    • IPSec can be configured to provide transport adjacency, which just means that more than one security protocol (ESP and AH) is applied to a packet. IPSec can also be configured to provide iterated tunneling, in which an IPSec tunnel is tunneled through another IPSec tunnel.
    • Point-to-Point Protocol (PPP) is not really a tunneling protocol, but an encapsulation protocol. It does not need to wrap up current frames with special headers and trailers, which will be taken off at the destination. Instead, it allows TCP/IP traffic to be transmitted over a medium developed for telephone voice data.
      • PPP encapsulates the data coming from our computer or network, which means it puts the data into the correct format to travel over the telecommunications link. PPP frames our data with start and stop bits so the other end knows how to process the data. PPP allows us to set up and establish an Internet connection.
      • PPP encapsulates data to travel over a private network (between you and your ISP), and a tunneling protocol (IP) encapsulates the data to travel over a public network, such as the Internet.
      • Authentication techniques like PAP,CHAP, EAP are covered later.
      • Three of the main tunneling protocols used today for setting up a VPN are IPSec, PPTP, and L2TP.
      • PPP has, for the most part, replaced Serial Line Internet Protocol (SLIP), an older protocol that was used to encapsulate data to be sent over serial connection links. PPP has several capabilities that SLIP does not have.
    • PPTP
      • A Microsoft protocol, allows remote users to set up a PPP connection to a local ISP and then create a secure VPN to their destination. PPTP has been the de facto industry-standard tunneling protocol for years, but the new de facto standard for VPNs is IPSec.
      • PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE) using MS-CHAP or EAP-TLS.
      • The user's data are encapsulated within PPP, and then this frame is encapsulated by PPTP with a Generic Routing Encapsulation (GRE) header and an IP header. This encapsulation allows the resulting frame to be routable over public networks, such as the Internet.
      • PPTP can work only over IP networks (not over frame relay, X.25, or ATM links).
    • Layer 2 Tunneling Protocol (L2TP)
      • Combines the best of PPTP and L2F (Layer 2 Forwarding).
      • It can work over networks other than just IP, and it provides a higher level of security when combined with IPSec.
      • PPTP is an encryption protocol and L2TP is not; therefore, L2TP lacks the security to be called a true VPN solution.
    • IPSec:
      • Handles multiple connections at the same time
      • Provides secure authentication and encryption
      • Supports only IP networks
      • Focuses on LAN-to-LAN communication rather than user-to-user
      • Works at the network layer, and provides security on top of IP
      • Can work in tunnel mode, meaning the payload and the header are protected, or transport mode, meaning only the payload is protected

    Authentication Protocols
    • Password Authentication Protocol (PAP) is used by remote users to authenticate over PPP lines.
      • PAP is one of the least secure authentication methods, because the credentials are sent in cleartext, which renders them easy to capture by network sniffers. Vulnerable to Man in the middle attacks.
      • Some systems revert to PAP if they cannot agree on any other authentication protocol.
    • Challenge Handshake Authentication Protocol (CHAP) uses a challenge/response mechanism to authenticate the user instead of sending a password.
      • The server sends the user a challenge, which is a random value. The user encrypts the challenge with the use of a predefined password as an encryption key.
      • CHAP is not vulnerable to man-in-the-middle attacks because it continues this challenge/response activity throughout the connection to ensure the authentication server is still communicating with a user who holds the necessary credentials.
    • Extensible Authentication Protocol (EAP) is also supported by PPP. Actually, EAP is not a specific authentication protocol. Instead, it provides a framework to enable many types of authentication techniques (one-time passwords, token cards, biometrics, Kerberos, etc.) to be used during PPP connections.
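
Added example (my own code, not from the page): PAP versus CHAP in Python. The PAP request carries the password in cleartext, which is what a sniffer on the line sees; the CHAP response follows RFC 1994 (MD5 over the identifier, the shared secret, and the challenge), so the line carries only a one-time digest, and a captured response cannot be replayed against a later challenge. The secret and the PAP message layout are constructed for the demo. The trade-off CHAP carries is visible in the code: the authenticator must hold the shared secret in a form it can feed into the hash, not just a password hash.

```python
import hashlib
import hmac
import os

# Constructed demo secret shared between the peer and the authenticator.
SECRET = b"correct horse battery staple"


def pap_request(username: str, password: bytes) -> bytes:
    """PAP: the peer sends its credentials in the clear (simplified wire layout)."""
    return username.encode() + b":" + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP: issues a fresh random challenge, checks one response."""

    def __init__(self, secret: bytes, rng=os.urandom):
        self.secret = secret
        self.rng = rng
        self.identifier = 0
        self.pending = None          # (identifier, challenge) awaiting a response

    def challenge(self):
        """Issue a new challenge; calling this again mid-session is the periodic
        re-challenge the notes describe."""
        self.identifier = (self.identifier + 1) % 256
        chal = self.rng(16)
        self.pending = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        """Accept only a response to the outstanding challenge, then discard it,
        so a replayed digest cannot authenticate a second time."""
        if self.pending is None or identifier != self.pending[0]:
            return False
        expected = chap_response(identifier, self.secret, self.pending[1])
        self.pending = None
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("PAP on the wire:", pap_request("alice", b"hunter2"))
    auth = ChapAuthenticator(SECRET)
    ident, chal = auth.challenge()
    resp = chap_response(ident, SECRET, chal)
    print("CHAP on the wire:", ident, chal.hex(), resp.hex())
    print("verified:", auth.verify(ident, resp))
    ident2, _ = auth.challenge()
    print("replay of old response accepted:", auth.verify(ident2, resp))
```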

    Wireless Technologies

    Wireless technology is actually very similar to Ethernet, but it uses CSMA/CA (collision avoidance). The wireless device sends out a broadcast indicating it is going to transmit data. This is received by other devices on the shared medium, which causes them to hold off on transmitting information.

    Spread Spectrum
    The sender spreads its data across the frequencies, which allows for more effective use of the available bandwidth.
    • Frequency hopping spread spectrum (FHSS) takes the total amount of bandwidth (spectrum) and splits it into smaller subchannels.
    • FHSS hops between different frequencies so if another device is operating at the same frequency, it will not be drastically affected.
      • This also makes it much more difficult for eavesdroppers to listen in on and reconstruct the data being transmitted when used in technologies other than WLAN. But in today's WLAN devices, the hopping sequence is known and does not provide any security.
    • Direct sequence spread spectrum (DSSS) takes a different approach by applying sub-bits to a message. The sub-bits are used by the sending system to generate a different format of the data before the data are transmitted. The receiving end uses these sub-bits to reassemble the signal into the original data format. The sub-bits are called chips and the sequence of how the sub-bits are applied is referred to as the chipping code.
      • When using wireless transmissions, the data are actually moving over radio signals that work in specific frequencies. Any data to be moved in this fashion must have a carrier signal, and this carrier signal works in its own specific range, which is a frequency.
    • FHSS uses only a portion of the total bandwidth available at any one time, while DSSS uses all of it.
    • DSSS spreads the signals over a wider frequency band, whereas FHSS uses a narrow band carrier.
    • Since DSSS sends data across all frequencies at once, it has a higher data throughput than FHSS.
      • The first WLAN standard, 802.11, used FHSS, and it can provide a data throughput of only 1 to 2 Mbps.
      • By using DSSS instead, 802.11b provides a data throughput of up to 11 Mbps.
    • Orthogonal frequency-division multiplexing (OFDM) is a digital multicarrier modulation scheme that compacts multiple modulated carriers tightly together, reducing the required bandwidth. The modulated signals are orthogonal (perpendicular) and do not interfere with each other. OFDM uses a composite of narrow channel bands to enhance its performance in high frequency bands.
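
As an added example (my own code, not from the page) of the chipping code described above, the following Python spreads bits with the 11-chip Barker sequence that 802.11 DSSS uses at 1 and 2 Mbps and despreads by correlating each received block against the code. It also shows why spreading buys robustness but no secrecy: a receiver that knows the code recovers the bits even when several chips are corrupted, and since the code is fixed by the standard, anyone with a radio can do the same. The corruption pattern is constructed.

```python
# 11-chip Barker sequence used by 802.11 DSSS at 1 and 2 Mbps.
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]


def spread(bits, code=BARKER_11):
    """Map each data bit to a +1/-1 symbol and multiply it by the chipping code,
    so every bit becomes len(code) chips."""
    chips = []
    for b in bits:
        symbol = 1 if b else -1
        chips.extend(symbol * c for c in code)
    return chips


def despread(chips, code=BARKER_11):
    """Correlate each block of len(code) chips with the code; the sign of the
    correlation gives the bit. A clean block correlates to +/-11."""
    n = len(code)
    bits = []
    for i in range(0, len(chips), n):
        block = chips[i:i + n]
        corr = sum(x * c for x, c in zip(block, code))
        bits.append(1 if corr > 0 else 0)
    return bits


def corrupt(chips, positions):
    """Flip the chips at the given positions (constructed narrowband interference)."""
    out = list(chips)
    for p in positions:
        out[p] = -out[p]
    return out


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0]
    tx = spread(data)
    print("chips per bit:", len(tx) // len(data))
    print("clean decode:", despread(tx))
    # Up to 5 of 11 chips per bit can be wrong and the majority still wins.
    print("5 flips in bit 0:", despread(corrupt(tx, [0, 2, 4, 6, 8])))
    # 6 flips tips the correlation the other way: the bit is decoded wrong.
    print("6 flips in bit 0:", despread(corrupt(tx, list(range(6)))))
```

Each bit occupies eleven times the symbol rate, which is the bandwidth cost of spreading; what it buys is the majority vote in the correlator, not confidentiality.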

    Wireless LAN (WLAN) 

    A WLAN uses a transceiver, called an access point (AP), which connects to an Ethernet cable; that cable is the link wireless devices use to access resources on the wired network.
    Any hosts that wish to participate within a particular WLAN must be configured with the proper Service Set ID (SSID). Various hosts can be segmented into different WLANs by using different SSIDs.
    An ad hoc WLAN has no APs; the wireless devices communicate with each other through their wireless NICs instead of going through a centralized device.
    • When wireless devices work in infrastructure mode, the AP and wireless clients form a group referred to as a Basic Service Set (BSS). This group is assigned a name, which is the SSID value.
    Authentication
    • Supplying the SSID is not a reliable security mechanism, because many APs broadcast their SSIDs, which can be easily sniffed and used by attackers.
    • The wireless device can authenticate to the AP in two main ways: open system authentication (OSA) and shared key authentication (SKA).
    • For OSA, in many cases the wireless device needs to provide only the correct SSID value. No encryption is involved.
    • For SKA, the AP sends a random value to the wireless device. The device encrypts this value with its cryptographic key and returns it.
      • This method is based on the Wired Equivalent Privacy (WEP) protocol, which also enables data transfers to be encrypted.
      • With WEP disabled (usually the default), there is no privacy, and the AP is broadcasting its location and identity.

    Wireless Standards

    • 802.11b
      • This standard was the first extension to the 802.11 WLAN standard and is the most common standard used today.
      • Transfer rate of up to 11 Mbps and works in the 2.4GHz frequency range. It uses DSSS and is backward-compatible with 802.11 implementations.
    • 802.11a (conceived before 802.11b, but its release was held up by its complexity)
      • This standard uses a different method of modulating data onto the necessary radio carrier signals. Whereas 802.11b uses DSSS, 802.11a uses OFDM and works in the 5GHz frequency band. Up to 54 Mbps.
      • Because of these differences, 802.11a is not backward-compatible with 802.11b or 802.11.
    • 802.11e
      • This working group has provided QoS and proper support of multimedia traffic.
    • 802.11f
      • 802.11f deals with conveying a roaming client's information between the different APs it moves across.
    • 802.11g
      • Provides for higher data transfer rates: up to 54 Mbps.
      • Extends 802.11b's capability and is backward-compatible with it. Longer range than 802.11a, but still based on 2.4GHz.
    • 802.11h
      • Works in the 5GHz band and builds upon the 802.11a specification to meet the requirements of European wireless regulations (which 802.11a does not).
    • 802.11i
      • The original 802.11 standard has a tremendous number of security flaws; 802.11i was developed to address them.
      • It integrated the use of Extensible Authentication Protocol (EAP) and 802.1X (introduced later in this section) to enforce user authentication and mutual authentication.
      • To detect modifications of bits during transmission, a Message Integrity Code (MIC) was also integrated.
      • The Temporal Key Integrity Protocol (TKIP) generates random values used in the encryption process, which makes it much harder for an attacker to break.
        • TKIP actually works with WEP by feeding it keying material, which is data to be used for generating new dynamic keys. WEP uses the RC4 encryption algorithm (very weak). TKIP adds complexity to the key generation process, which makes it much more difficult for attackers to uncover the encryption keys. TKIP can be deployed as a firmware or software update.
      • To allow for an even higher level of encryption protection, the standard also includes the newer Advanced Encryption Standard (AES) algorithm for use in new WLAN implementations.
        • It uses the AES algorithm in counter mode with CBC-MAC (CCM), which is referred to as the CCM Protocol (CCMP).
        • AES is a more appropriate algorithm for wireless than RC4 but requires more processing power.
        • AES is not backward-compatible, so it is only suitable for new WLANs.
    • 802.1X
      • Port-based network access control that ensures a user cannot make a full network connection until he is properly authenticated.
        • WEP does not provide this type of strict access control.
      • 802.1X provides an authentication framework and a method of dynamically distributing encryption keys. The three main entities in this framework are the supplicant (wireless device), the authenticator (AP), and the authentication server (usually a RADIUS server).
        • If the environment does not have an authentication server, the AP can fulfill the roles of both authenticator and authentication server.
      • It uses EAP, which allows for mutual authentication to take place between the authentication server and the wireless device, and provides flexibility in that users can be authenticated by using passwords, tokens, one-time passwords, certificates, smart cards, or Kerberos.
        • When using WEP alone, a rogue AP can be set up to capture users' credentials and traffic without the users being aware.
      • The use of EAP, however, allows different protocols to be used by different vendors:
      • Cisco uses a purely password-based authentication framework called Lightweight Extensible Authentication Protocol (LEAP).
      • Microsoft uses EAP with Transport Layer Security (EAP-TLS), which carries out authentication through digital certificates.
        • If EAP-TLS is being used, the authentication server and wireless device exchange digital certificates for authentication purposes.
      • Yet another choice is Protected EAP (PEAP), where only the server uses a digital certificate.
        • If PEAP is being used instead, the user of the wireless device sends the server a password and the server authenticates to the wireless device with its digital certificate.
        • Companies may choose to use PEAP instead of EAP-TLS because they don't want the hassle of installing and maintaining digital certificates on every wireless device.
      • In both cases, some type of public key infrastructure (PKI) needs to be in place. If a company does not have a PKI currently implemented, it can be an overwhelming and costly task to deploy a PKI just to secure wireless transmissions.
    • A large concern with current WLANs using just WEP is that if individual wireless devices are stolen, they can easily be authenticated to the wired network (the symmetric key was manually programmed into the device).
      • 802.11i has added steps to require the user to authenticate to the network instead of just requiring the wireless device to authenticate. 
      • By using EAP, the user must send some type of credential set that is tied to his identity. 
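
    The three-party arrangement above, modelled in Python as an added example (constructed for these notes, not vendor code and not a real EAP method): the authenticator keeps the controlled port closed until the authentication server returns Accept, and the supplicant checks a server proof so a rogue AP/server that simply says "Accept" gets nowhere. The EAP method is a hypothetical HMAC challenge-response; the class names, user names, passwords and MAC addresses are all constructed.

```python
"""Simplified 802.1X port-based access control (constructed example).

The authenticator (AP) only relays EAP messages and keeps the controlled port
closed until the authentication server returns Accept.  The EAP method here is
a hypothetical HMAC challenge-response with a server proof for mutual
authentication; it stands in for a real method such as EAP-TLS or PEAP.
"""
import hashlib
import hmac
import secrets


class AuthenticationServer:
    """RADIUS-like server: owns the credential store and makes the Accept/Reject decision."""

    def __init__(self, users: dict):
        self.users = users  # identity -> password (constructed sample data)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, identity: str, challenge: bytes, response: bytes):
        """Return (decision, keying_material, server_proof)."""
        secret = self.users.get(identity)
        if secret is None:
            return "Reject", None, None
        expected = hmac.new(secret.encode(), b"client" + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "Reject", None, None
        # Keying material for the AP (a PMK stand-in); the password itself never leaves the server.
        pmk = hashlib.sha256(b"pmk" + secret.encode() + challenge).digest()
        proof = hmac.new(secret.encode(), b"server" + challenge, hashlib.sha256).digest()
        return "Accept", pmk, proof


class Supplicant:
    """Wireless device: proves knowledge of its password and checks the server's proof."""

    def __init__(self, identity: str, secret: str):
        self.identity = identity
        self.secret = secret.encode()
        self.session_key = None

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, b"client" + challenge, hashlib.sha256).digest()

    def accept_server(self, challenge: bytes, proof: bytes) -> bool:
        """Mutual authentication: a rogue server without the secret cannot produce this proof."""
        expected = hmac.new(self.secret, b"server" + challenge, hashlib.sha256).digest()
        if proof is None or not hmac.compare_digest(expected, proof):
            return False
        self.session_key = hashlib.sha256(b"pmk" + self.secret + challenge).digest()
        return True


class Authenticator:
    """Access point: a controlled port per client; relays EAP and never sees the password."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.authorized = {}  # client MAC -> keying material handed over by the server
        self.dropped = 0

    def forward_data(self, mac: str, frame: bytes) -> bool:
        """Controlled port: data frames pass only once the port is authorized."""
        if mac not in self.authorized:
            self.dropped += 1
            return False
        return True

    def authenticate(self, mac: str, supplicant: Supplicant) -> bool:
        challenge = self.server.new_challenge()      # EAP-Request, relayed to the client
        response = supplicant.respond(challenge)     # EAP-Response, relayed to the server
        decision, pmk, proof = self.server.verify(supplicant.identity, challenge, response)
        if decision != "Accept" or not supplicant.accept_server(challenge, proof):
            return False                             # port stays unauthorized
        self.authorized[mac] = pmk
        return True


class RogueServer(AuthenticationServer):
    """A rogue AP/server that accepts everyone but cannot forge the server proof."""

    def verify(self, identity, challenge, response):
        return "Accept", b"\x00" * 32, b"\x00" * 32
```

    The point to notice is that the AP holds no passwords: it only learns the keying material the server releases on Accept, which is what lets 802.1X distribute per-session keys instead of a single WEP key programmed into every device.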
    Dynamic Keys and the Use of Initialization Vectors
    The three core deficiencies with WEP are the use of static encryption keys, the ineffective use of initialization vectors, and the lack of packet integrity assurance.
    • RC4 is a symmetric cipher: the exact same key is used for encryption and decryption.
    • An IV is a numeric seeding value that is used with the symmetric key and the RC4 algorithm to provide more randomness to the encryption process.
      • In most WEP implementations, the same IV values are used over and over again in this process.
    • An attacker can actually change data within the wireless packets by flipping specific bits and altering the Integrity Check Value (ICV) so the receiving end is oblivious to these changes.
      • The ICV works like a CRC function (used for the integrity check).
      • In WEP, there are certain circumstances in which the receiver cannot detect whether an alteration to the frame has taken place; thus, there is no true integrity assurance.
    • The use of the 802.1X technology in the new 802.11i standard provides access control by restricting network access until full authentication and authorization have been completed, and provides a robust authentication framework that allows for different EAP modules to be plugged in. These two technologies (802.1X and EAP) work together to enforce mutual authentication between the wireless device and authentication server.
    • Powerful programs, AirSnort and WEP-Crack, can be used to easily crack WEP's encryption.
      • The use of TKIP provides the ability to rotate encryption keys to help fight against these types of attacks.
      • The protocol increases the length of the IV value and ensures each and every frame has a different IV value.
      • WEP key + IV value + MAC address = new encryption key
      • TKIP also deals with the integrity issues by using a MIC instead of an ICV function. A MIC is similar to a message authentication code (MAC) function.
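
    The three deficiencies made concrete, as an added Python example (constructed for these notes, not from the original post or any driver): a textbook RC4 and a minimal WEP-style frame with a CRC-32 ICV show that a reused IV under a static key leaks the XOR of two plaintexts, that the linear ICV accepts a frame whose bits and ICV were flipped together, and that a keyed MIC (HMAC-SHA256 stands in here for TKIP's Michael or CCMP's CBC-MAC) rejects the same change. The key, IVs, payloads and function names are all constructed.

```python
"""WEP's three core deficiencies, demonstrated on constructed data (added example)."""
import hashlib
import hmac
import zlib

STATIC_WEP_KEY = b"\x01\x02\x03\x04\x05"       # constructed 40-bit key, hand-programmed on every device
MIC_KEY = b"constructed-per-session-mic-key"   # stand-in for a key TKIP/CCMP derive dynamically


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 key scheduling plus PRGA; WEP keys it with IV || static key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, payload: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, then RC4(IV || key) over payload || CRC-32 ICV."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    body = payload + icv
    return iv + xor(body, rc4_keystream(iv + STATIC_WEP_KEY, len(body)))


def wep_decrypt(frame: bytes):
    """Return (payload, icv_ok) the way a receiver would."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + STATIC_WEP_KEY, len(ct)))
    payload, icv = body[:-4], body[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def keystream_reuse_leak(iv1: bytes, iv2: bytes, p1: bytes, p2: bytes) -> bool:
    """Same static key and same IV means the same RC4 keystream for both frames,
    so C1 xor C2 == P1 xor P2: the ciphertexts leak the relation between plaintexts.
    With a distinct IV per frame (what TKIP enforces) the relation no longer holds."""
    c1 = wep_encrypt(iv1, p1)[3:-4]
    c2 = wep_encrypt(iv2, p2)[3:-4]
    return xor(c1, c2) == xor(p1, p2)


def icv_accepts_matching_flip(payload: bytes, delta: bytes) -> bool:
    """CRC-32 is linear: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length).
    Flipping ciphertext bits and flipping the encrypted ICV by that predictable amount
    gives a frame the receiver's ICV check still accepts: no true integrity assurance."""
    n = len(payload)
    frame = wep_encrypt(b"\x00\x00\x01", payload)
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    tampered = frame[:3] + xor(frame[3:3 + n], delta) + xor(frame[3 + n:], icv_delta)
    recovered, ok = wep_decrypt(tampered)
    return ok and recovered == xor(payload, delta)


def mic(payload: bytes) -> bytes:
    """Keyed MIC (HMAC-SHA256 stands in for TKIP's Michael or CCMP's CBC-MAC)."""
    return hmac.new(MIC_KEY, payload, hashlib.sha256).digest()


def mic_rejects_flip(payload: bytes, delta: bytes) -> bool:
    """Without the MIC key the tag cannot be adjusted, so the flipped frame fails the check."""
    return not hmac.compare_digest(mic(xor(payload, delta)), mic(payload))
```

    This is why the 802.11i fixes come as a set: a per-frame IV mixed into the key removes the keystream reuse, and a keyed MIC replaces the CRC so a change to the data cannot be matched by a change to the check value.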



    Characteristics of Wireless Security Structures Currently in Use

    |                | 802.1x Dynamic WEP | Wi-Fi Protected Access (WPA)  | Wi-Fi Protected Access 2 (WPA2) |
    |----------------|--------------------|-------------------------------|---------------------------------|
    | Access Control | 802.1x             | 802.1x or pre-shared key      | 802.1x or pre-shared key        |
    | Authentication | EAP methods        | EAP methods or pre-shared key | EAP methods or pre-shared key   |
    | Encryption     | WEP                | TKIP (RC4)                    | CCMP (AES Counter Mode)         |
    | Integrity      | None               | Michael MIC                   | CCMP (AES CBC-MAC)              |



    • 802.11j
      • The 802.11j task group has been working on bringing together many of the different standards and streamlining their development to allow for better interoperability across borders.
    • 802.11n
      • 802.11n is designed to be much faster, with throughput at 100 Mbps, and it works in the same frequency range as 802.11a (5GHz).
      • The intent is to maintain some backward-compatibility with current Wi-Fi standards, while combining a mix of the current technologies. 
      • The proposals for this standard use a concept called multiple input, multiple output (MIMO) to increase the throughput. This will necessitate the use of two receive and two transmit antennas to broadcast in parallel using a 20MHz channel.
    • 802.16
      • All the wireless standards covered so far are WLAN-oriented standards. 802.16 is a metropolitan area network (MAN) wireless standard, which allows for wireless traffic to cover a much wider geographical area. 
      • This technology is also referred to as broadband wireless access.
    • 802.15
      • This standard deals with a much smaller geographical network, which is referred to as a wireless personal area network (WPAN). 
      • This technology allows for connectivity to take place among local devices, such as a computer communicating with a PDA, a cellular phone communicating with a computer, or a headset communicating with another device.
    • Bluetooth 
      • Bluetooth wireless technology is actually a portion of the 802.15 standard. It has a 1- to 3-Mbps transfer rate and works in a range of approximately ten meters.
      • Bluejacking: someone sends an unsolicited message to a device that is Bluetooth-enabled. Often, the Bluejacker is trying to send someone else their business card, which will be added to the victim's contact list in their address book. 
        • The countermeasure is to put the Bluetooth-enabled device into nondiscoverable mode.
    Wireless Application Protocol (WAP)
    • WAP is not a standard per se. Instead, it is a de facto market- and industry-driven protocol stack. WAP provides a common architecture for wireless devices to be able to communicate over the Internet.
    • The WAP model contains protocols that perform similar functionalities to those performed by protocols in the TCP/IP stack. 
    • Because wireless can be a web-based technology, WAP provides a way to present web pages. 
    • Personal computers and servers use HTML or XML to present web-based material and JavaScript to perform the processing in the background. 
    • WAP uses an XML-compliant Wireless Markup Language (WML) and WMLScript to perform these similar tasks. 
    • WAP has its own session and transport protocols and a transport layer security protocol called Wireless Transport Layer Security (WTLS), which is similar to TLS and SSL. 
    • The wireless device has a WAP microbrowser that displays the web pages to the user.
    • Because the wireless devices use the Internet for transmission, and the Internet does not understand WTLS, WTLS must be translated into a protocol the Internet does understand. This translation takes place at the service provider's gateway.
      • A security concern is that these data will be decrypted at the service provider's site and then encrypted with SSL or TLS. That means for a second or two, the data are not protected. This is referred to as the gap in the WAP, and it has caused a lot of concern for businesses and security professionals and is still one of the issues that needs to be dealt with.
    • WTLS Authentication
      • Class 1: Anonymous authentication: the wireless device and server do not authenticate to each other.
      • Class 2: Server authentication: the server authenticates to the wireless device.
      • Class 3: Two-way client and server authentication: the server and the wireless device authenticate to each other.

    i-Mode

    • WAP and i-Mode are the two main protocols used for wireless Internet transmissions by cell phones and other PDA-like devices. 
    • WAP was developed by a consortium of companies with the goal of allowing people to carry out business-oriented activities. 
    • i-Mode was developed by a company in Japan (NTT DoCoMo) and is geared more toward providing an entertainment platform than toward providing functionality for business-oriented individuals.
    • i-Mode works with a slimmed-down version of HTML, called Compact HTML (cHTML), while WAP uses WML.

    Mobile Phone Security


    • Mobile phones have sensitive data on them, such as credentials, contacts, company files, and more, none of which is usually encrypted. They also have camera functionality.
    • Every organization should include this new technology and source of security breaches in its policies and security program.
    • A cell phone must authenticate to a base station before it is allowed to make a call, but the base station is not required to authenticate to the cell phone.
      • This has opened the door for attackers to set up rogue base stations to capture credentials.
    • Cell phone cloning
      • A regular cell phone can be stolen and then reprogrammed with someone else's access credentials. So can SIM (Subscriber Identity Module) chips.
    • No end-to-end encryption: if someone encrypts their data and sends it on their cell phone, typically it is encrypted only while it is traveling over the wireless portion of the network and not over the wired portion.
    • Access to the Internet and bypassing company firewalls.
    • Short message spamming.
    • Malicious code can be downloaded.
    • Universal Mobile Telecommunications System is a proposed new standard for third-generation mobile communications.
    • Cell phone firewall products protect against the following (implementation is rare today):
      • VoIP signaling and DoS attacks
      • Toll fraud
      • VoIP bandwidth abuses
      • Virus infections
      • Restricting file transfer
      • Voice mail and PBX attacks
      • Unauthorized employee connections
      • Wardialing
    War Driving for WLANs
    Someone either walks or drives around with a wireless device with the intent of identifying APs and breaking into them.
    • Kismet and NetStumbler are programs that sniff (monitor) for APs. When one of these programs identifies an AP's signal, it logs the network name, the SSID, the MAC address of the AP, the manufacturer of the AP, the channel it was heard on, the signal strength, the signal-to-noise ratio, and whether WEP is enabled.
    • Airsnarf, AirSnort, and WEP-Crack are utilities that can be used to break and capture the WEP encryption keys, if WEP is enabled.
    Best practices:

    • Enable an 802.11i implementation technology as in WPA.
    • Change default SSID. 
    • Disable "broadcast SSID" on the AP. 
    • Implement another layer of authentication (RADIUS, Kerberos). Before the user can access the network, require him to authenticate.
    • Physically put the AP at the center of the building.
    • Logically put the AP in a DMZ with a firewall between the DMZ and internal network. Allow the firewall to investigate the traffic before it gets to the wired network.
    • Implement a VPN for wireless devices to use, as an extra layer of protection.
    • Configure the AP to allow only known MAC addresses into the network. Allow only known devices to authenticate. 
      • But remember that these MAC addresses are sent in cleartext, so an attacker could capture them and masquerade himself as an authenticated device.
    • Assign static IP addresses to wireless devices and disable DHCP. If an attacker gains access and DHCP is enabled, you have just given the attacker a valid working IP address to use.
    • Carry out penetration tests on the WLAN. Use the tools described in this section to identify APs and attempt to break the current encryption scheme being used.
    • Move to a product that follows the 802.11i standard.
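
    The survey-and-checklist idea above, as an added Python example (constructed for these notes, not Kismet's, NetStumbler's or any vendor's code): it parses a constructed export that merges what a survey tool hears about each AP with the AP's own configuration, and reports which best practices each AP fails. The column layout, the default-SSID list, the sample SSIDs and BSSIDs are all constructed.

```python
"""Audit a WLAN survey against the best-practice list above (constructed example)."""
import csv
import io
from dataclasses import dataclass

# Constructed export, one line per AP: survey fields plus configuration fields.
# The column layout is my own, not the native output of Kismet or NetStumbler.
SURVEY = """\
ssid,bssid,channel,encryption,ssid_broadcast,mac_filter_only,dhcp
linksys,00:11:22:33:44:01,6,none,yes,no,yes
corp-guest,00:11:22:33:44:02,11,wep,yes,yes,yes
corp-wlan,00:11:22:33:44:03,36,wpa2-ccmp,no,no,no
corp-legacy,00:11:22:33:44:04,1,wpa-tkip,yes,no,yes
"""

# Factory SSIDs that mark unconfigured gear (constructed, illustrative list).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
STRONG_ENCRYPTION = {"wpa2-ccmp"}      # 802.11i with AES-CCMP
WEAK_ENCRYPTION = {"none", "wep"}


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    encryption: str
    ssid_broadcast: bool
    mac_filter_only: bool
    dhcp: bool


def parse_survey(text: str) -> list:
    rows = csv.DictReader(io.StringIO(text))
    return [
        AccessPoint(
            r["ssid"], r["bssid"].lower(), int(r["channel"]), r["encryption"].lower(),
            r["ssid_broadcast"] == "yes", r["mac_filter_only"] == "yes", r["dhcp"] == "yes",
        )
        for r in rows
    ]


def audit(ap: AccessPoint) -> list:
    """Return the best-practice findings for one AP, most severe first."""
    findings = []
    if ap.encryption in WEAK_ENCRYPTION:
        findings.append("no 802.11i protection: traffic is readable or WEP is crackable")
    elif ap.encryption not in STRONG_ENCRYPTION:
        findings.append("TKIP/RC4 in use: move to CCMP (802.11i)")
    if ap.ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: change it")
    if ap.ssid_broadcast:
        findings.append("SSID broadcast enabled: disable it")
    if ap.mac_filter_only:
        findings.append("MAC filtering is the only access control: MACs travel in cleartext")
    if ap.dhcp:
        findings.append("DHCP enabled: an intruder is handed a working address")
    return findings


def audit_survey(text: str) -> dict:
    """Map each BSSID to its findings; an AP with an empty list passes the checklist."""
    return {ap.bssid: audit(ap) for ap in parse_survey(text)}
```

    Running the same audit after each change to the WLAN gives a repeatable check that the best practices are still in place, which is easy to lose track of with a list this long.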



    Satellites

    In most cases, satellite broadband is a hybrid system that uses a regular phone line and modem for data and requests sent from the user's machine, but employs a satellite link to send data to the user.





    3G Wireless Communication



    • 3G is often referred to as broadband wireless.
    • The first generation dealt with analog transmissions of voice-only data over circuit-switched networks.
    • The second generation allows for digitally encoded voice and data to be transmitted between wireless devices, such as cell phones, and content providers. This generation provides a throughput of around 19.2 Kbps. TDMA, CDMA, Global System for Mobile Communications (GSM), and Personal Communications Services (PCS) all fall under 2G.
    • This technology can transmit data over circuit-switched networks and supports data encryption, fax transmissions, and short message services (SMSs).






    |                              | 1G               | 2G                                         | 3G                                           | 4G                                       |
    |------------------------------|------------------|--------------------------------------------|----------------------------------------------|------------------------------------------|
    | Spectrum                     | 900MHz           | 1800MHz                                    | 2GHz                                         | 40GHz and 60GHz                          |
    | Multiplexing Type            | Analog FDMA      | TDMA                                       | CDMA                                         | OFDM                                     |
    | Voice Support                | Basic telephony  | Caller ID and voice mail                   | Conference calls and low-quality video       | Telepresence and high-definition video   |
    | Messaging Features           | None             | Text only                                  | Graphics and formatted text                  | Full unified messaging                   |
    | Data Support                 | None             | Circuit switched (packet switched in 2.5G) | Packet switched                              | Native IPv6                              |
    | Target Data Rate             | N/A              | 14.4 Kbps (approx. 115 Kbps in 2.5G)       | 2 Mbps (10 Mbps in 3.5G), 14 Mbps with HSPA+ | 100 Mbps                                 |
    | Real Data Rate               | 2.4 Kbps         | 9.6 Kbps (approx. 40 Kbps in 2.5G)         | 64 Kbps                                      | Unknown                                  |
    | Interface with Other Devices | Acoustic coupler | RS232 serial cable or IrDA                 | IEEE 802.11 or Bluetooth                     | Seamless connection via multiple methods |






    Rootkits



    • Once the level of access is achieved, the attacker can upload a bundle of tools, collectively called a rootkit.
    • The first thing that is usually installed is a backdoor program, which allows the attacker to enter the system at any time without having to go through any authentication steps. (A backdoor is just a service that listens on a specific port.)
    • Trojaned programs: the rootkit replaces the default utilities used for detecting rootkits with new utilities that share the same names.
    • Rootkits also contain sniffers, but the system's NIC must be put into promiscuous mode, which just means it can "hear" all the traffic on the network link. The default ipconfig utility allows the root user to employ a specific parameter to see whether or not the NIC is running in promiscuous mode. So, the rootkit also contains a Trojaned ipconfig program, which hides the fact that the NIC is in promiscuous mode.
      • In Unix/Linux, this utility is called ifconfig.
    • Rootkits usually contain "log scrubbers" that remove traces of the attacker's activities from the system logs. They can also contain Trojaned programs that replace the find and ls Unix utilities, so that when a user does a listing of what is in a specific directory, the rootkit will not be listed.
    • More powerful rootkits actually update the kernel of the system. Kernel updates are also very difficult to detect because most host IDS products look at changes to file sizes and modification dates but ignore the kernel.
    • Ironically, sometimes when an attacker compromises a system and installs a rootkit, he fortifies the system against other attackers by patching, disabling unused ports etc.
    • Countermeasures
      • Properly hardening the system and running updated antivirus and antispyware software. 
      • Use a host-based IDS.
      • It is better to use a monolithic kernel rather than individual kernel modules, because a rootkit then cannot load itself as a module.
      • Proxy servers, firewalls, and IDSs are usually installed with monolithic kernels.
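
    Two of the countermeasures above as checks, in an added Python example (constructed for these notes, not any HIDS product's code, Linux only): read the interface flags straight from the kernel's sysfs file /sys/class/net/<iface>/flags instead of trusting the ifconfig binary, and compare content hashes of the utilities rootkits replace against a baseline taken while the system was known good. The baseline dictionaries and paths in the test are constructed; IFF_PROMISC (0x100) is the real flag bit from linux/if.h.

```python
"""Rootkit countermeasures as checks (constructed example).

A user-space rootkit Trojans ifconfig/ls/find; the kernel's own view in sysfs and a
content hash are harder to fake than a file size or timestamp.  A kernel-level rootkit
can lie in both places, so the baseline comparison belongs on trusted media.
"""
import hashlib
import os

IFF_PROMISC = 0x100  # interface flag bit, from <linux/if.h>


def promiscuous_from_flags(flags_text: str) -> bool:
    """/sys/class/net/<iface>/flags holds the interface flags as a hex string."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def interface_is_promiscuous(iface: str) -> bool:
    """Ask the kernel directly (Linux); raises if the interface does not exist."""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        return promiscuous_from_flags(fh.read())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_utilities(paths) -> dict:
    """Hash the utilities rootkits commonly replace (ls, find, ifconfig, ...)."""
    return {p: sha256_file(p) for p in paths if os.path.exists(p)}


def compare_with_baseline(baseline: dict, current: dict) -> dict:
    """Return {path: reason} for every utility that changed or disappeared.
    Sizes and modification dates can be set back; a content hash has to be recomputed."""
    issues = {}
    for path, expected in baseline.items():
        got = current.get(path)
        if got is None:
            issues[path] = "missing"
        elif got != expected:
            issues[path] = "hash mismatch: replaced or Trojaned"
    return issues


def check_host(ifaces, baseline: dict) -> dict:
    """One report for a live host: promiscuous interfaces plus changed utilities."""
    return {
        "promiscuous": [i for i in ifaces if interface_is_promiscuous(i)],
        "utilities": compare_with_baseline(baseline, hash_utilities(baseline.keys())),
    }
```

    The baseline has to be captured before the system is exposed and stored off the host; a hash list kept on the same disk is just one more file a rootkit can rewrite.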

    Spyware and Adware

    Adware is software that companies use to track a user's buying and browsing habits.


    Spyware is usually considered more dangerous than adware because it may be written to capture keystrokes, capture system information, or install a backdoor on a system.

    Instant Messaging

    Many firewalls do not have the capability to scan for this type of traffic to uncover suspicious activity. Blocking specific ports on the firewalls is not usually effective because the IM traffic may be using common ports that need to be open (HTTP port 80 and FTP port 21). Many of the IM clients autoconfigure themselves to work on another port if their default port is unavailable and blocked by the firewall.


    • Instant messaging spam (SPIM) is a type of spamming that uses instant messengers for this malicious act. It is not common. One way to prevent SPIM is to enable the option of receiving instant messages only from a known list of users.

    Tips
    Note: Products have been developed to identify adware and spyware, and antivirus vendors are starting to incorporate this functionality into their products.

    CISSP: e-mail security is very important now. Refer to: http://www.logicalsecurity.com/resources/resources_articles.html

    - A protocol is a set of rules that dictates how computers communicate over networks.
    - DNS resolves hostnames into IP addresses and has distributed databases all over the Internet to provide name resolution.
    - Tunneling protocols move frames from one network to another by placing them inside of routable encapsulated frames.
    - Firewalls that use proxies transfer an isolated copy of each approved packet from one network to another network.
    - An application proxy requires a proxy for each approved service and can understand and make access decisions on the protocols used and the commands within those protocols.
    - Circuit-level firewalls also use proxies but at a lower layer. Circuit-level firewalls do not look as deep within the packet as application proxies do.
    - PPTP works at the data link layer. IPSec works at the network layer and can handle multiple tunnels at the same time.
    - Ethernet, 802.3, is the most commonly used LAN implementation today and can operate at 10 to 1,000 Mbps.
    - A permanent virtual circuit (PVC) is programmed into WAN devices, whereas a switched virtual circuit (SVC) is temporary. SVCs are set up and then torn down quickly when no longer needed.
    - Frame relay is an economical choice because the fee is based on bandwidth usage.
    - Remote access servers can be configured to call back remote users, but this can be compromised by enabling call forwarding.
    - NAT is used when companies do not want systems to know internal hosts' addresses, and it enables companies to use private, nonroutable IP addresses.
    - Subnetting allows large IP ranges to be divided into smaller, logical and easier to maintain network segments.
    - An open relay is an SMTP server that is configured in such a way that it can transmit e-mail messages from any source to any destination.