StaridLabs CISSP Training
Week 7 – Network Security
Pages 381-455
RADIUS
● Used to authenticate a user/machine to a
network.
● Shared secret provided between client
application and server....
Radius Cont.
● Used for low risk authentication to prevent and
locate unauthorized users (IE: An ISP detecting
non-paying ...
SNMP
● Used to receive (get) configuration/state data as well as to configure
(set) configuration
● Uses “community string...
SNMP Stupidities
● String/passphrase often the same for many like
devices (switches, databases, etc) for easy
management.
...
Remote Access Services
● Telnet, rlogin, x11
● Plaintext sessions allow snooping of
session as well as credentials being s...
Telnet Servers
● Available on windows and linux/unix
● More commonly seen on unix
● Server runs as system (trusted applica...
Rlogin/rsh/rcp
● Rlogin:
● Remote shell to machine
● If installed user can setup for other users and
subvert admin when pr...
Screen Scrapers
● Watches & captures a users screen. Can be
legitimate or malicious.
● Legitimate users would be seeing wh...
Virtual Network Terminal Services
● Terminal Services is a server which allows a
web based or Remote Desktop (RDP)
session...
Telecommuting
● Telecommuters should be required to VPN
into the network when working. The end
user machine should use ful...
Analog VS Digital Signals
● Analog singals are a wave and can
represent a voice, etc.
● Digital is only 1's and 0's and da...
Network Topography: BUS
Networks
● All hosts receive all traffic
● Note failure doesn't affect network
● Failure in the bu...
Tree networks
● Uses cable splitters
● All hosts receive all traffic
● Cable failure creates outage for entire
downline
Ring (Token ring)
● Closed loop network
● Data travels one way, passing data to one
neighbor and receiving from the other
...
Mesh
● All nodes have direct connection to each
other
● Common for high availability network gear
● High level of network ...
Star
● “Normal” network topography
● Switch is centralized and end points
connect to switches, and switches connect
to eac...
Unicast
● Normal packet data: A packet is sent from
one host to another
Broadcast
● A single hosts sents to many hosts
● Very noisy
● Commonly seen with ARP and netbios
● 192.168.1.255 will send...
Multicast
● Isn't used as often as it should be (Tim comment)
● Unreliable, best effort transmission
● Uses IGMP to manage...
Circuit Switched Network
● Client/Server keeps continuous session
open
● POTS, ISDN, PPP
● All data sent along same path, ...
Packet Switched Network
● Data broken into packets
● Each packet is routed through the best path
as determined by network ...
Carrier Sense Multiple Access
(CSMA)
● CSMA/CA
● Collision Avoidance
● Broadcasts a jamming signal and then sends
data. Ot...
CSMA/CD
● Collision Detection
● Client checks if line is clear, if clear it sends data
● Collisions occur when both sides ...
Polling
● Client only talks when master device tells it
to.
● Also used by 802.11(wireless)
Ethernet 802.3
● Full duplex mode (mostly) immune to
collisions
● Half duplex uses CSMA/CD
● 802.3 can use coaxil, unshiel...
Token Ring (802.5)
● Physically a star topography
● Uses logical tokens to create ring
● Dead technology
FDDI – Fiber distrubuted Data
Interface
● Fiber networking using two fiber cables & 2
ring networks
● Second cable is stan...
Multiprotocol Label Switching
(MPLS)
● Fast, pre-determined tunnel
● Offers QoS
● Called “IP VPN” - ISP Sets up route and ...
LAN – Local Area Network
● Collection of locally interconnected
computers.
● Local being defined as a building or campus
Vlan – Virtual LAN
● Uses one set of network equipment
● Allows “virtual” paths & lans to be created
● Switch drops traffi...
ISDN
● A legacy model which is faster than dialup
● Dead technology
Point to Point
● Uses continuous fiber cable to directly
connect two points.
● Very expensive
● Example is 2 datacenters o...
T1/T3
●
Uses Time/Dvision Multiplexing (TDM)
● T1 = 24 channels over a copper cable
●
Full T1 = 1.544 Mbps
● Can purchase ...
E1/E3
● Same as T1/T3 but for Europe. E1 has a
slightly higher transmission rate.
● Make sure when buying equipment it's f...
OC1/OC12
● Super High Throughput
● OC1 = 51Mbps
● OC3 = 155 Mbps
● OC192 = 9954 Mbps
DSL
● Uses Cat-3 (Phone line) unfiltered
● ADSL – Downstream faster than upstream
● SDSL – Down and up are same speed
● VD...
Cable Modem
● Modem & Cable Company exchange crypto
keys
● Data is encrypted in transit
● (I know cableone turned this on ...
Network Attacks!
Networks
● Everything is getting an IP nowadays – from
TV's, Generators, Air Conditioners, Ice
Machines, and light bulbs...
Net Defense Basics
● Define Security Domains (Public, Confidential, Restricted)
● Segregate networks based on security dom...
Defense in Depth
● Assumes attack will eventually succeed
● Security layers employed: network
security, OS hardening, Anti...
Confidentiality Attacks
● Purpose is to steal non-public data
● User/passwords, computer code, designs,
business plans, em...
Integrity Attacks
● Attempt to corrupt or change (destroy) data
or systems
● Examples are stuxnet, defacing websites,
SQL ...
Availability Attacks
● Attacks make systems temporarily
unavailable
● Denial Of Service
Domain Names
● Trademark your URL if your an IT company
with a web presence
● Register misspellings of domain name to
redu...
Opem Mail Relay Servers
● Allows email to be sent without
authentication
● Sign of bad sysadmins (see staridlabs.org
hoste...
Spam
● Spam email. Contains viruses, malicious
URLs, etc
● Discuss DHL exploit
Scanning Techniques – Port
Scanning
● Checks what ports are open/accessible on
system
● Fingerprints system
● OS type/vers...
Fin Scan
● Sends connection close signal to port
● Receives rest/icmp packet if port is closed
● Used against UNIX/Linux h...
Null Scan/XMas Scan
● Null Scan:
● No tcp flags are set
● XMAS Scan:
● All tcp flags are set
● Generally useful to compare...
TCP Sequence Number Attack
● Can scan using a zombie legitimate host by
predicting tcp sequence number and
spoofing source...
Attack Trees
● Logical representation of what steps an
attacker would need to take to attack a
system
● Great for explaini...
Methods of attack
● Target Aquisition/Intel Gathering
● Publically available data
● Scans
● Target Analysis
● Identify Vul...
Methods of Attack 2
● Target Access
● Gain access to system (desktop, prompt, process)
● Target Appropriation
● Elevate sy...
Scanners (for good)
● Identifies vulnerabilities
● Finds configuration mistakes/risks
● Tests for compliance
● Example if ...
Penetration Testing
● Verifies vulnerabilities and what risk comes
with a successful attack
● Puts the “human eye” on syst...
Network Taps
● Copies all traffic across a path
● Sometimes required for legal compliance
Malicious Packet Crafting
Teardrop attack
● Packets are fragmented erroneously so
when reassembled the target calculates a
negative fragment length....
Overlapping Fragment Attack
● Packets are fragmented and first fragments
are sent with legitimate dta. Following
packets o...
Source Routing Exploit
● Attacker requests alternate path in packet
header and bypasses firewall rules
Smurfs/Fraggles
● Broadcast denial of service attacks
● Smurf – Spoofed source address to
broadcast using ICMP. All receiv...
NFS Attacks
● Config can allow unintended access to filesystem
● Potential for unauthorized clients by falsifying IP (the
...
NNTP (Newsservers)
● Disable & Block
Finger (port 79)
● Disable & Block
NTP – Time syncing
● Use trusted upline servers (and more than
one)
● Network should have it's own timeserver
DDOS
● Attacks by thousands of machines against a
host or device
● Only so much you can plan for
● Network proxies exist
●...
Syn Floods
● DOS attack – Overloads max connections a
server can handle
Email Spoofing
● You too can be president for an email
DNS Spoofing
● Malicious Entries
● Redirect to malicious hosts
● Host file spoofing
Session Hijacking
● Adding packets to an authenticated,
legitimate session
Syn Scan
● Only sending syn packets and waiting for
responds
● Fast
● Sometimes doesn't get logged (useful)
CISSP Week 7
Upcoming SlideShare
Loading in …5
×

CISSP Week 7

1,448 views
1,328 views

Published on

StaridLabs CISSP Study slides for week 7

Published in: Education, Technology

CISSP Week 7

  1. 1. StaridLabs CISSP Training Week 7 – Network Security Pages 381-455
  2. 2. RADIUS ● Used to authenticate a user/machine to a network. ● Shared secret provided between client application and server. ● Once shared secret is accepted then username/password is sent ● Cheap to setup ● Not all fields are encrypted
  3. 3. Radius Cont. ● Used for low risk authentication to prevent and locate unauthorized users (IE: An ISP detecting non-paying cable modem users) ● In a corporate environment radius can be used to authenticate to servers, applications, networks, vlans, switches, etc. ● For corporate: 2 factor authentication should be used: ● EAP, Tokens, Smartcards
  4. 4. SNMP ● Used to receive (get) configuration/state data as well as to configure (set) configuration ● Uses “community strings” and pass phrases for V2 and above ● Data can be sniffed easily and credentials can be stolen ● V3 supports encryption, but isn't being used much yet. ● Applicable devices: firewalls, routers, switches, OS (windows and linux), applications,embedded devices, etc
  5. 5. SNMP Stupidities ● String/passphrase often the same for many like devices (switches, databases, etc) for easy management. ● A disastrous amount of companies have SNMP open externally. ● SNMP shouldn't be queried outside of your network, remote devices need some other method. V3 helps this but again isn't supported everywhere yet.
  6. 6. Remote Access Services ● Telnet, rlogin, x11 ● Plaintext sessions allow snooping of session as well as credentials being sent plaintext ● All have an SSH encapsulated replacement
  7. 7. Telnet Servers ● Available on windows and linux/unix ● More commonly seen on unix ● Server runs as system (trusted application) ● Encryption is not supported ● Malicious user can easily escalate to root/admin ● Telnet servers should be disabled or blocked unless absolutely necessary. If necessary spend a good amount of time trying to find ways to mitigate risk
  8. 8. Rlogin/rsh/rcp ● Rlogin: ● Remote shell to machine ● If installed user can setup for other users and subvert admin when providing server access ● Rsh/rcp ● Allows file/console access based solely on userid/ip. Userid is ignored.
  9. 9. Screen Scrapers ● Watches & captures a users screen. Can be legitimate or malicious. ● Legitimate users would be seeing what an employee in a bank call center looks at to make sure their not looking at things they shouldn't. ● Malicious would be an attacker adding a screenscraper to a bank call center machine to capture all of the data a user looks at, thus framing the employee.
  10. 10. Virtual Network Terminal Services ● Terminal Services is a server which allows a web based or Remote Desktop (RDP) session which displays the server's desktop to the client in an encrypted tunnel. ● Citrix, Remote desktop/TS (Microsoft) ● Good for distributed employees and road warriors who may have personal or dirty laptops.
  11. 11. Telecommuting ● Telecommuters should be required to VPN into the network when working. The end user machine should use full drive encryptiona nd should comply to security policies such as screen lockout. ● Network connection type & work location should be considered before access is granted.
  12. 12. Analog VS Digital Signals ● Analog singals are a wave and can represent a voice, etc. ● Digital is only 1's and 0's and data such as voice must be converted to binary before sending.
  13. 13. Network Topography: BUS Networks ● All hosts receive all traffic ● Note failure doesn't affect network ● Failure in the bus takes down the whole network
  14. 14. Tree networks ● Uses cable splitters ● All hosts receive all traffic ● Cable failure creates outage for entire downline
  15. 15. Ring (Token ring) ● Closed loop network ● Data travels one way, passing data to one neighbor and receiving from the other ● Generally uses coaxial or fiber ● Single point of failure unless dual ring setup with secondary networking
  16. 16. Mesh ● All nodes have direct connection to each other ● Common for high availability network gear ● High level of network reliability ● Expensive due to cable costs ● (Wireless mesh networks continue to gain popularity)
  17. 17. Star ● “Normal” network topography ● Switch is centralized and end points connect to switches, and switches connect to each other ● Minnimal cables needed ● Switch/hub is single point of failure for star nodes
  18. 18. Unicast ● Normal packet data: A packet is sent from one host to another
  19. 19. Broadcast ● A single hosts sents to many hosts ● Very noisy ● Commonly seen with ARP and netbios ● 192.168.1.255 will send the packet to every host between 192.168.1.1 and 192.168.1.254
  20. 20. Multicast ● Isn't used as often as it should be (Tim comment) ● Unreliable, best effort transmission ● Uses IGMP to manage subscribers ● Clients request to join specific multicast channel ● Server only sends data once, and data is received by all subscribed clients to that multicast channel ● Used for streaming video, etc.
  21. 21. Circuit Switched Network ● Client/Server keeps continuous session open ● POTS, ISDN, PPP ● All data sent along same path, even if shorter path opened later.
  22. 22. Packet Switched Network ● Data broken into packets ● Each packet is routed through the best path as determined by network rules ● Packets re-oredered at destination endpoint and are reassembled
  23. 23. Carrier Sense Multiple Access (CSMA) ● CSMA/CA ● Collision Avoidance ● Broadcasts a jamming signal and then sends data. Other endpoitns wait once receiving the jamming signal. ● Used by 802.11 (wireless)
  24. 24. CSMA/CD ● Collision Detection ● Client checks if line is clear, if clear it sends data ● Collisions occur when both sides see the line as clear and send at the same time causing data to become unusable. ● When collision occurs both sides wait a random amount of time and resend. ● Used by 802.3 Ethernet
  25. 25. Polling ● Client only talks when master device tells it to. ● Also used by 802.11(wireless)
  26. 26. Ethernet 802.3 ● Full duplex mode (mostly) immune to collisions ● Half duplex uses CSMA/CD ● 802.3 can use coaxil, unshielded twisted pair (UTP), or fiber cable
  27. 27. Token Ring (802.5) ● Physically a star topography ● Uses logical tokens to create ring ● Dead technology
  28. 28. FDDI – Fiber distrubuted Data Interface ● Fiber networking using two fiber cables & 2 ring networks ● Second cable is standby in the event of primary ring failure ● Still in active use
  29. 29. Multiprotocol Label Switching (MPLS) ● Fast, pre-determined tunnel ● Offers QoS ● Called “IP VPN” - ISP Sets up route and data flows even if path is not shortest ● Not encrypted – but if ISP sets up right then data is only seen by ISPs which is passes through. ● (Tim Comment) I recommend at least minimal encryption across tunnel to obscure data from prying eyes. Network glitches happen which could send data outside of expected route.
  30. 30. LAN – Local Area Network ● Collection of locally interconnected computers. ● Local being defined as a building or campus
  31. 31. Vlan – Virtual LAN ● Uses one set of network equipment ● Allows “virtual” paths & lans to be created ● Switch drops traffic if port is not configured for the sending vlan ● Known attacks against vlans, but still a good way to segregate ● Attack known as vlan hopping
  32. 32. ISDN ● A legacy model which is faster than dialup ● Dead technology
  33. 33. Point to Point ● Uses continuous fiber cable to directly connect two points. ● Very expensive ● Example is 2 datacenters owned by the same company. If the company doesn't trust the data going through an ISP, it can setup a fiber Point to Point to connect the datacenters.
  34. 34. T1/T3 ● Uses Time/Dvision Multiplexing (TDM) ● T1 = 24 channels over a copper cable ● Full T1 = 1.544 Mbps ● Can purchase anywhere from 1-24 active channels to decrease cost. ● Can bundle T1's for more throughput: ● T2 = 4 X T1 ● T3 = 7 X T2 ● T4 = 6 X T3 ● All can be fractionally purchased
  35. 35. E1/E3 ● Same as T1/T3 but for Europe. E1 has a slightly higher transmission rate. ● Make sure when buying equipment it's for E1 or T1, they must be build compatible or for the correct standard.
  36. 36. OC1/OC12 ● Super High Throughput ● OC1 = 51Mbps ● OC3 = 155 Mbps ● OC192 = 9954 Mbps
  37. 37. DSL ● Uses Cat-3 (Phone line) unfiltered ● ADSL – Downstream faster than upstream ● SDSL – Down and up are same speed ● VDSL – Very Fast, most inner city DSL is VDSL now.
  38. 38. Cable Modem ● Modem & Cable Company exchange crypto keys ● Data is encrypted in transit ● (I know cableone turned this on at one point, last I checked it had been turned off again. Midcontinent is not using encryption last I checked which was last fall)
  39. 39. Network Attacks!
  40. 40. Networks ● Everything is getting an IP nowadays – from TV's, Generators, Air Conditioners, Ice Machines, and light bulbs...
  41. 41. Net Defense Basics ● Define Security Domains (Public, Confidential, Restricted) ● Segregate networks based on security domains ● Thing ahead for incident response ● Have Logs ● Known what systems you have/what they do ● A methodology to contain incidents quickly and manage reaction ● See SANS Top 20 controls for recommendations
  42. 42. Defense in Depth ● Assumes attack will eventually succeed ● Security layers employed: network security, OS hardening, Antivirus, end user firwalls, user training, patching, detection, IPS, NAC
  43. 43. Confidentiality Attacks ● Purpose is to steal non-public data ● User/passwords, computer code, designs, business plans, emails, ebarrassing memos, alien files ● Example is wired/wireless data sniffing
  44. 44. Integrity Attacks ● Attempt to corrupt or change (destroy) data or systems ● Examples are stuxnet, defacing websites, SQL Injection
  45. 45. Availability Attacks ● Attacks make systems temporarily unavailable ● Denial Of Service
  46. 46. Domain Names ● Trademark your URL if your an IT company with a web presence ● Register misspellings of domain name to reduce risk of reputation loss
  47. 47. Opem Mail Relay Servers ● Allows email to be sent without authentication ● Sign of bad sysadmins (see staridlabs.org hosted by cheaplinuxhosting.com!)
  48. 48. Spam ● Spam email. Contains viruses, malicious URLs, etc ● Discuss DHL exploit
  49. 49. Scanning Techniques – Port Scanning ● Checks what ports are open/accessible on system ● Fingerprints system ● OS type/version ● Hardware manfacturer/version ● App versions (banner grab)
  50. 50. Fin Scan ● Sends connection close signal to port ● Receives rest/icmp packet if port is closed ● Used against UNIX/Linux hosts
  51. 51. Null Scan/XMas Scan ● Null Scan: ● No tcp flags are set ● XMAS Scan: ● All tcp flags are set ● Generally useful to compare results of both scans
  52. 52. TCP Sequence Number Attack ● Can scan using a zombie legitimate host by predicting tcp sequence number and spoofing source address. When victim responds back to zombie host, you connect to zombie and count how many tcp numbers were incremented. ● Tcp sequence randomization can be turned on for all common operating systems.
  53. 53. Attack Trees ● Logical representation of what steps an attacker would need to take to attack a system ● Great for explaining to non-management what the risk is (or isn't)
  54. 54. Methods of attack ● Target Aquisition/Intel Gathering ● Publically available data ● Scans ● Target Analysis ● Identify Vulnerabilities ● Identify tools best to exploit vulnerability
  55. 55. Methods of Attack 2 ● Target Access ● Gain access to system (desktop, prompt, process) ● Target Appropriation ● Elevate system access (if needed) ● Steal all the things ● Setup backdoors ● Clean up tracks (if needed
  56. 56. Scanners (for good) ● Identifies vulnerabilities ● Finds configuration mistakes/risks ● Tests for compliance ● Example if the vuln scanner sees the 'games' user in Linux then I know the box didn't have STIGS applied ● Can have lots of false positives
  57. 57. Penetration Testing ● Verifies vulnerabilities and what risk comes with a successful attack ● Puts the “human eye” on systems, often finding things a scanner wont
  58. 58. Network Taps ● Copies all traffic across a path ● Sometimes required for legal compliance
  59. 59. Malicious Packet Crafting
  60. 60. Teardrop attack ● Packets are fragmented erroneously so when reassembled the target calculates a negative fragment length. This is a denial of service attack. ● Fix by vendor patch
  61. 61. Overlapping Fragment Attack ● Packets are fragmented and first fragments are sent with legitimate dta. Following packets overwrite first legitimate packets and are malicious. ● This works because some IPS system sonly scann the first x bytes of a packet
  62. 62. Source Routing Exploit ● Attacker requests alternate path in packet header and bypasses firewall rules
  63. 63. Smurfs/Fraggles ● Broadcast denial of service attacks ● Smurf – Spoofed source address to broadcast using ICMP. All receiving clients respond and DOS victim ● Fraggle – Same as a smurf but using UDP
  64. 64. NFS Attacks ● Config can allow unintended access to filesystem ● Potential for unauthorized clients by falsifying IP (the only auth mechanism) ● Faking userid (permissions) ● Sniffing Connection (unencrypted by default) ● Setuid allows priviledge escalation (disable nfs setuid rendering)
  65. 65. NNTP (Newsservers) ● Disable & Block
  66. 66. Finger (port 79) ● Disable & Block
  67. 67. NTP – Time syncing ● Use trusted upline servers (and more than one) ● Network should have it's own timeserver
  68. 68. DDOS ● Attacks by thousands of machines against a host or device ● Only so much you can plan for ● Network proxies exist ● Configurations can ease congestion if smaller DDOS
  69. 69. Syn Floods ● DOS attack – Overloads max connections a server can handle
  70. 70. Email Spoofing ● You too can be president for an email
  71. 71. DNS Spoofing ● Malicious Entries ● Redirect to malicious hosts ● Host file spoofing
  72. 72. Session Hijacking ● Adding packets to an authenticated, legitimate session
  73. 73. Syn Scan ● Only sending syn packets and waiting for responds ● Fast ● Sometimes doesn't get logged (useful)

×