CISSP Week 7
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


CISSP Week 7



StaridLabs CISSP Study slides for week 7

StaridLabs CISSP Study slides for week 7



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

CISSP Week 7 Presentation Transcript

  • 1. StaridLabs CISSP Training Week 7 – Network Security Pages 381-455
  • 2. RADIUS ● Used to authenticate a user/machine to a network. ● Shared secret provided between client application and server. ● Once shared secret is accepted then username/password is sent ● Cheap to setup ● Not all fields are encrypted
  • 3. Radius Cont. ● Used for low risk authentication to prevent and locate unauthorized users (IE: An ISP detecting non-paying cable modem users) ● In a corporate environment radius can be used to authenticate to servers, applications, networks, vlans, switches, etc. ● For corporate: 2 factor authentication should be used: ● EAP, Tokens, Smartcards
  • 4. SNMP ● Used to receive (get) configuration/state data as well as to configure (set) configuration ● Uses “community strings” and pass phrases for V2 and above ● Data can be sniffed easily and credentials can be stolen ● V3 supports encryption, but isn't being used much yet. ● Applicable devices: firewalls, routers, switches, OS (windows and linux), applications,embedded devices, etc
  • 5. SNMP Stupidities ● String/passphrase often the same for many like devices (switches, databases, etc) for easy management. ● A disastrous amount of companies have SNMP open externally. ● SNMP shouldn't be queried outside of your network, remote devices need some other method. V3 helps this but again isn't supported everywhere yet.
  • 6. Remote Access Services ● Telnet, rlogin, x11 ● Plaintext sessions allow snooping of session as well as credentials being sent plaintext ● All have an SSH encapsulated replacement
  • 7. Telnet Servers ● Available on windows and linux/unix ● More commonly seen on unix ● Server runs as system (trusted application) ● Encryption is not supported ● Malicious user can easily escalate to root/admin ● Telnet servers should be disabled or blocked unless absolutely necessary. If necessary spend a good amount of time trying to find ways to mitigate risk
  • 8. Rlogin/rsh/rcp ● Rlogin: ● Remote shell to machine ● If installed user can setup for other users and subvert admin when providing server access ● Rsh/rcp ● Allows file/console access based solely on userid/ip. Userid is ignored.
  • 9. Screen Scrapers ● Watches & captures a users screen. Can be legitimate or malicious. ● Legitimate users would be seeing what an employee in a bank call center looks at to make sure their not looking at things they shouldn't. ● Malicious would be an attacker adding a screenscraper to a bank call center machine to capture all of the data a user looks at, thus framing the employee.
  • 10. Virtual Network Terminal Services ● Terminal Services is a server which allows a web based or Remote Desktop (RDP) session which displays the server's desktop to the client in an encrypted tunnel. ● Citrix, Remote desktop/TS (Microsoft) ● Good for distributed employees and road warriors who may have personal or dirty laptops.
  • 11. Telecommuting ● Telecommuters should be required to VPN into the network when working. The end user machine should use full drive encryptiona nd should comply to security policies such as screen lockout. ● Network connection type & work location should be considered before access is granted.
  • 12. Analog VS Digital Signals ● Analog singals are a wave and can represent a voice, etc. ● Digital is only 1's and 0's and data such as voice must be converted to binary before sending.
  • 13. Network Topography: BUS Networks ● All hosts receive all traffic ● Note failure doesn't affect network ● Failure in the bus takes down the whole network
  • 14. Tree networks ● Uses cable splitters ● All hosts receive all traffic ● Cable failure creates outage for entire downline
  • 15. Ring (Token ring) ● Closed loop network ● Data travels one way, passing data to one neighbor and receiving from the other ● Generally uses coaxial or fiber ● Single point of failure unless dual ring setup with secondary networking
  • 16. Mesh ● All nodes have direct connection to each other ● Common for high availability network gear ● High level of network reliability ● Expensive due to cable costs ● (Wireless mesh networks continue to gain popularity)
  • 17. Star ● “Normal” network topography ● Switch is centralized and end points connect to switches, and switches connect to each other ● Minnimal cables needed ● Switch/hub is single point of failure for star nodes
  • 18. Unicast ● Normal packet data: A packet is sent from one host to another
  • 19. Broadcast ● A single hosts sents to many hosts ● Very noisy ● Commonly seen with ARP and netbios ● will send the packet to every host between and
  • 20. Multicast ● Isn't used as often as it should be (Tim comment) ● Unreliable, best effort transmission ● Uses IGMP to manage subscribers ● Clients request to join specific multicast channel ● Server only sends data once, and data is received by all subscribed clients to that multicast channel ● Used for streaming video, etc.
  • 21. Circuit Switched Network ● Client/Server keeps continuous session open ● POTS, ISDN, PPP ● All data sent along same path, even if shorter path opened later.
  • 22. Packet Switched Network ● Data broken into packets ● Each packet is routed through the best path as determined by network rules ● Packets re-oredered at destination endpoint and are reassembled
  • 23. Carrier Sense Multiple Access (CSMA) ● CSMA/CA ● Collision Avoidance ● Broadcasts a jamming signal and then sends data. Other endpoitns wait once receiving the jamming signal. ● Used by 802.11 (wireless)
  • 24. CSMA/CD ● Collision Detection ● Client checks if line is clear, if clear it sends data ● Collisions occur when both sides see the line as clear and send at the same time causing data to become unusable. ● When collision occurs both sides wait a random amount of time and resend. ● Used by 802.3 Ethernet
  • 25. Polling ● Client only talks when master device tells it to. ● Also used by 802.11(wireless)
  • 26. Ethernet 802.3 ● Full duplex mode (mostly) immune to collisions ● Half duplex uses CSMA/CD ● 802.3 can use coaxil, unshielded twisted pair (UTP), or fiber cable
  • 27. Token Ring (802.5) ● Physically a star topography ● Uses logical tokens to create ring ● Dead technology
  • 28. FDDI – Fiber distrubuted Data Interface ● Fiber networking using two fiber cables & 2 ring networks ● Second cable is standby in the event of primary ring failure ● Still in active use
  • 29. Multiprotocol Label Switching (MPLS) ● Fast, pre-determined tunnel ● Offers QoS ● Called “IP VPN” - ISP Sets up route and data flows even if path is not shortest ● Not encrypted – but if ISP sets up right then data is only seen by ISPs which is passes through. ● (Tim Comment) I recommend at least minimal encryption across tunnel to obscure data from prying eyes. Network glitches happen which could send data outside of expected route.
  • 30. LAN – Local Area Network ● Collection of locally interconnected computers. ● Local being defined as a building or campus
  • 31. Vlan – Virtual LAN ● Uses one set of network equipment ● Allows “virtual” paths & lans to be created ● Switch drops traffic if port is not configured for the sending vlan ● Known attacks against vlans, but still a good way to segregate ● Attack known as vlan hopping
  • 32. ISDN ● A legacy model which is faster than dialup ● Dead technology
  • 33. Point to Point ● Uses continuous fiber cable to directly connect two points. ● Very expensive ● Example is 2 datacenters owned by the same company. If the company doesn't trust the data going through an ISP, it can setup a fiber Point to Point to connect the datacenters.
  • 34. T1/T3 ● Uses Time/Dvision Multiplexing (TDM) ● T1 = 24 channels over a copper cable ● Full T1 = 1.544 Mbps ● Can purchase anywhere from 1-24 active channels to decrease cost. ● Can bundle T1's for more throughput: ● T2 = 4 X T1 ● T3 = 7 X T2 ● T4 = 6 X T3 ● All can be fractionally purchased
  • 35. E1/E3 ● Same as T1/T3 but for Europe. E1 has a slightly higher transmission rate. ● Make sure when buying equipment it's for E1 or T1, they must be build compatible or for the correct standard.
  • 36. OC1/OC12 ● Super High Throughput ● OC1 = 51Mbps ● OC3 = 155 Mbps ● OC192 = 9954 Mbps
  • 37. DSL ● Uses Cat-3 (Phone line) unfiltered ● ADSL – Downstream faster than upstream ● SDSL – Down and up are same speed ● VDSL – Very Fast, most inner city DSL is VDSL now.
  • 38. Cable Modem ● Modem & Cable Company exchange crypto keys ● Data is encrypted in transit ● (I know cableone turned this on at one point, last I checked it had been turned off again. Midcontinent is not using encryption last I checked which was last fall)
  • 39. Network Attacks!
  • 40. Networks ● Everything is getting an IP nowadays – from TV's, Generators, Air Conditioners, Ice Machines, and light bulbs...
  • 41. Net Defense Basics ● Define Security Domains (Public, Confidential, Restricted) ● Segregate networks based on security domains ● Thing ahead for incident response ● Have Logs ● Known what systems you have/what they do ● A methodology to contain incidents quickly and manage reaction ● See SANS Top 20 controls for recommendations
  • 42. Defense in Depth ● Assumes attack will eventually succeed ● Security layers employed: network security, OS hardening, Antivirus, end user firwalls, user training, patching, detection, IPS, NAC
  • 43. Confidentiality Attacks ● Purpose is to steal non-public data ● User/passwords, computer code, designs, business plans, emails, ebarrassing memos, alien files ● Example is wired/wireless data sniffing
  • 44. Integrity Attacks ● Attempt to corrupt or change (destroy) data or systems ● Examples are stuxnet, defacing websites, SQL Injection
  • 45. Availability Attacks ● Attacks make systems temporarily unavailable ● Denial Of Service
  • 46. Domain Names ● Trademark your URL if your an IT company with a web presence ● Register misspellings of domain name to reduce risk of reputation loss
  • 47. Opem Mail Relay Servers ● Allows email to be sent without authentication ● Sign of bad sysadmins (see hosted by!)
  • 48. Spam ● Spam email. Contains viruses, malicious URLs, etc ● Discuss DHL exploit
  • 49. Scanning Techniques – Port Scanning ● Checks what ports are open/accessible on system ● Fingerprints system ● OS type/version ● Hardware manfacturer/version ● App versions (banner grab)
  • 50. Fin Scan ● Sends connection close signal to port ● Receives rest/icmp packet if port is closed ● Used against UNIX/Linux hosts
  • 51. Null Scan/XMas Scan ● Null Scan: ● No tcp flags are set ● XMAS Scan: ● All tcp flags are set ● Generally useful to compare results of both scans
  • 52. TCP Sequence Number Attack ● Can scan using a zombie legitimate host by predicting tcp sequence number and spoofing source address. When victim responds back to zombie host, you connect to zombie and count how many tcp numbers were incremented. ● Tcp sequence randomization can be turned on for all common operating systems.
  • 53. Attack Trees ● Logical representation of what steps an attacker would need to take to attack a system ● Great for explaining to non-management what the risk is (or isn't)
  • 54. Methods of attack ● Target Aquisition/Intel Gathering ● Publically available data ● Scans ● Target Analysis ● Identify Vulnerabilities ● Identify tools best to exploit vulnerability
  • 55. Methods of Attack 2 ● Target Access ● Gain access to system (desktop, prompt, process) ● Target Appropriation ● Elevate system access (if needed) ● Steal all the things ● Setup backdoors ● Clean up tracks (if needed
  • 56. Scanners (for good) ● Identifies vulnerabilities ● Finds configuration mistakes/risks ● Tests for compliance ● Example if the vuln scanner sees the 'games' user in Linux then I know the box didn't have STIGS applied ● Can have lots of false positives
  • 57. Penetration Testing ● Verifies vulnerabilities and what risk comes with a successful attack ● Puts the “human eye” on systems, often finding things a scanner wont
  • 58. Network Taps ● Copies all traffic across a path ● Sometimes required for legal compliance
  • 59. Malicious Packet Crafting
  • 60. Teardrop attack ● Packets are fragmented erroneously so when reassembled the target calculates a negative fragment length. This is a denial of service attack. ● Fix by vendor patch
  • 61. Overlapping Fragment Attack ● Packets are fragmented and first fragments are sent with legitimate dta. Following packets overwrite first legitimate packets and are malicious. ● This works because some IPS system sonly scann the first x bytes of a packet
  • 62. Source Routing Exploit ● Attacker requests alternate path in packet header and bypasses firewall rules
  • 63. Smurfs/Fraggles ● Broadcast denial of service attacks ● Smurf – Spoofed source address to broadcast using ICMP. All receiving clients respond and DOS victim ● Fraggle – Same as a smurf but using UDP
  • 64. NFS Attacks ● Config can allow unintended access to filesystem ● Potential for unauthorized clients by falsifying IP (the only auth mechanism) ● Faking userid (permissions) ● Sniffing Connection (unencrypted by default) ● Setuid allows priviledge escalation (disable nfs setuid rendering)
  • 65. NNTP (Newsservers) ● Disable & Block
  • 66. Finger (port 79) ● Disable & Block
  • 67. NTP – Time syncing ● Use trusted upline servers (and more than one) ● Network should have it's own timeserver
  • 68. DDOS ● Attacks by thousands of machines against a host or device ● Only so much you can plan for ● Network proxies exist ● Configurations can ease congestion if smaller DDOS
  • 69. Syn Floods ● DOS attack – Overloads max connections a server can handle
  • 70. Email Spoofing ● You too can be president for an email
  • 71. DNS Spoofing ● Malicious Entries ● Redirect to malicious hosts ● Host file spoofing
  • 72. Session Hijacking ● Adding packets to an authenticated, legitimate session
  • 73. Syn Scan ● Only sending syn packets and waiting for responds ● Fast ● Sometimes doesn't get logged (useful)