CISSP Week 6
StaridLabs CISSP Study slides for week 6

Presentation Transcript

  • CISSP p316-380
  • Securing Network Components Deterministic Routing -traffic only travels on pre-determined routes Boundary Routers -advertise the routes that external hosts can use to reach internal destinations -filter external traffic Design and set up a perimeter! (IDS, FW, filtering)
  • Network Partitioning -segment networks into domains of trust -control what is forwarded between segments Dual-Homed Host -has two NICs, each on a separate network Bastion Host -hardened gateway between trusted & untrusted networks that gives limited, authorized access to untrusted hosts -data diode = simplex (one-way) communication
  • Demilitarized Zone (DMZ) -aka Screened Subnet -lets an org give external hosts limited access to public resources, like the web server that hosts the org's site, without giving them access to the org's internal network
  • Hardware Modems - analog; modulate digital data onto an analog line and demodulate it at the other end Concentrators - multiplex connected devices into a single signal Front-End Processors - purpose is to off-load from the host computer the work of managing the peripheral devices Multiplexers - select one of several analog or digital input signals and forward the selected input onto a single line Concentrators vs. Multiplexers
  • Hubs & Repeaters -hubs are used for star topology -every device receives every other device's frames (one collision domain) -any device can read & modify others' traffic -repeaters regenerate the signal to help stop signal degradation
  • Bridges -layer 2 device (data link) -filters traffic between segments based on MAC addresses -also amplifies signals for large networks -does not forward frames that are not destined for another segment
  • Switches -only forward a unicast frame to the port of the device named in the frame's destination MAC -broadcasts still go to all ports
  • Routers -forward packets to other networks -they read the destination from layer 3 (IP address) -based on their view of the network (routing table) they determine the next hop to send the packet to
  • Transmission Media
  • Wired Throughput: rate at which data will be transmitted Distance: how far between devices before the signal degrades Data Sensitivity: will someone try to tap this cable? Environment: bent cables, EMI, RFI, temperature
  • Twisted Pair -copper wires twisted together to reduce EMI -each wire is insulated, then the pairs are surrounded by a jacket -rated by twists/inch, type of insulation and conductive material: Cat 1-6
  • Unshielded Twisted Pair (UTP) -no shielding -EMI and RFI degrade the signal -easy to tap, including by monitoring what the cable radiates -cheap and common
  • Shielded Twisted Pair (STP) -UTP plus an electrically grounded shield inside the cable jacket -expensive and bulky
  • Coaxial Cable (Coax) -one thick central conductor surrounded by insulation and a grounding braid of wire -greater bandwidth and longer runs than TP -very well insulated -expensive and bulky
  • Patch Panels -alternative to directly connecting devices -use patch cables to change connections easily -need to be neat
  • Wireless
  • Direct-Sequence Spread Spectrum (DSSS) -spreads a transmission over a large frequency band at low amplitude by combining it with a chipping code -wider band = more resistant to narrowband interference -sender & receiver must share the same chipping code to recover the signal
  • Frequency-Hopping Spread Spectrum (FHSS) -spreads the signal over rapidly changing frequencies -the signal hops among sub-frequencies in an order agreed upon between sender & receiver -can interfere with DSSS -the rapid hopping keeps interference minimal
  • Orthogonal Frequency Division Multiplexing (OFDM) -the signal is divided into many orthogonal sub-carriers that are transmitted in parallel without interfering with each other
  • Frequency Division Multiple Access (FDMA) -analog -old cellular technology -divides band into sub-bands and assigns an analog conversation to each sub-band -replaced by GSM & CDMA
  • Time Division Multiple Access (TDMA) -multiplexes several digital calls (voice or data) onto each sub-band by devoting a small time slice, round-robin, to each call in the band -2 sub-bands are required per call, 1 for each direction
  • Mobile Cellular Telephony
  • Code Division Multiple Access (CDMA) -spread-spectrum cellular tech -works like DSSS: each user gets a distinct code CDMA2000 (1xRTT): roughly 10x the data rate of the original (153 kbps) Wideband CDMA (W-CDMA): this is 3G
  • Global System for Mobile Communications (GSM) -most widely deployed cell tech -divides frequency bands into simplex channels -user ID: Subscriber Identity Module (SIM card) -one-way authentication: the network authenticates the phone's SIM, but the phone never authenticates the network, so a rogue base station can masquerade as the network
  • Wireless LANs Authentication is the 1st line of defense Open System Authentication -client is permitted to join if its SSID matches the wireless network's (no real authentication) Shared-Key Authentication -WEP, covered below
  • MAC Address Filtering -authenticates based on the client's MAC address -easy to spoof, so not very effective Service Set Identifier (SSID) Broadcasting -name of the wireless LAN -wireless clients send a probe asking for an SSID response -the access point beacons the name continuously -don't make your SSID "TOP SECRET SECRETS of Wells Fargo"
  • Placement -keep access points in central locations so the signal doesn't radiate outside the walls -keep them away from microwave ovens and other 2.4 GHz interference sources
  • Encryption
  • Wired Equivalent Privacy (WEP) -uses a shared secret (40- or 104-bit key) -before each packet is sent a CRC-32 checksum (the ICV) is appended to it, then both are encrypted with RC4 keyed by the shared secret & a 24-bit initialization vector -weak: the IV is sent in the clear and repeats, so keystreams get reused; CRC-32 is linear, so encrypted packets can be modified without detection; and RC4 key-recovery attacks exist
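An added example, not from the slides, showing in Python why the WEP construction above is weak. It builds a toy WEP encryptor exactly as described (RC4 keyed with IV || shared secret, CRC-32 ICV appended before encryption) and then, without the key, demonstrates two attacks: reusing an IV reuses the RC4 keystream, so the XOR of two ciphertexts is the XOR of their plaintexts, and because CRC-32 is linear an attacker can flip bits in an encrypted frame and fix up the encrypted ICV so the receiver still accepts it. The key, IV and frame payloads are constructed demo values.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in the clear) || RC4_{IV||key}(plaintext || CRC-32)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> tuple:
    """Returns (plaintext, icv_ok) the way a receiver would see it."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data, tag == icv(data)


def keystream_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Attacker with no key: same IV => same keystream, so c1 ^ c2 == p1 ^ p2."""
    assert frame1[:3] == frame2[:3], "only works when the IV repeats"
    return xor(frame1[3:], frame2[3:])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker with no key: XOR `delta` into the plaintext of an encrypted frame
    and keep the ICV valid. CRC-32 is linear: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0..0),
    so XORing crc(d) ^ crc(zeros) into the encrypted ICV keeps it consistent."""
    iv, body = frame[:3], frame[3:]
    data_len = len(body) - 4
    assert len(delta) == data_len
    icv_delta = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(data_len)))
    return iv + xor(body, delta + icv_delta)


# Constructed demo values (not real traffic): 40-bit key, 24-bit IV.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
P1 = b"GET /index.html"
P2 = b"GET /secret.txt"

if __name__ == "__main__":
    f1 = wep_encrypt(KEY, IV, P1)
    f2 = wep_encrypt(KEY, IV, P2)          # same IV reused: the WEP mistake
    print(keystream_reuse(f1, f2)[:len(P1)] == xor(P1, P2))   # True
    forged = flip_bits(f1, xor(P1, b"PUT /index.html"))
    print(wep_decrypt(KEY, forged))        # (b'PUT /index.html', True)
```

The forged frame decrypts to a different request with a valid ICV, which is exactly the tampering that WPA's Michael MIC and WPA2's CCMP were introduced to stop.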
  • WiFi Protected Access (WPA) -still RC4, but with Temporal Key Integrity Protocol (TKIP) so there is a new per-packet key -the CRC-32 checksum was replaced with a message integrity check called Michael, which protects header & data from tampering, plus a frame counter against replay
  • WPA2 - IEEE 802.11i -RC4 is replaced with the Advanced Encryption Standard (AES) -TKIP & Michael are replaced with Counter Mode/CBC-MAC Protocol (CCMP) -supports Extensible Authentication Protocol (EAP) via 802.1X for per-user authentication
  • WiFi Variants 802.11b -1st widely adopted version of WiFi -uses DSSS -2.4 GHz band 802.11a -won't interoperate with 'b' -uses OFDM -5 GHz band
  • 802.11g -backward compatible with 'b', 2.4 GHz, uses OFDM Bluetooth 802.15.1 -uses FHSS on the 2.4 GHz band -Bluejacking: pushes an anonymous message that shows on the victim's device -Buffer overflow: remotely exploit bugs in the Bluetooth stack -Bluebug attack: uses AT commands on the victim's phone to initiate calls and send messages
  • Address Resolution Protocol (ARP) -given a layer 3 address (IP), ARP determines the layer 2 address (MAC) -ARP tracks IP addresses and their MACs in a dynamic table called the ARP cache -replies are not authenticated, so a forged reply can poison the cache
  • Point-to-Point Protocol (PPP) -used to connect a device to a network over a serial line (dial-up) -Password Authentication Protocol (PAP) - sends the username and password in cleartext -Challenge Handshake Authentication Protocol (CHAP) - 3-way handshake (challenge, hashed response, success/failure); the secret itself never crosses the line -can also carry EAP
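An added example (not from the slides) contrasting the two PPP authentication methods above in Python. It shows what PAP actually puts on the wire, then runs the CHAP 3-way handshake with the MD5 response of RFC 1994 (MD5 over identifier, secret and challenge) and checks that a captured response cannot be replayed against a fresh challenge. The peer name, secret and challenge values are constructed; the random challenge comes from os.urandom, so only the outcomes are deterministic.

```python
import hashlib
import hmac
import os


def pap_request(username: str, password: str) -> bytes:
    """PAP: the credentials go over the serial line as-is; anyone on the
    path (or holding a capture) can read the password."""
    return username.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 response: MD5(Identifier || secret || Challenge).
    The secret itself is never transmitted."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the 3-way handshake: Challenge -> Response -> Success/Failure."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # peer name -> shared secret
        self.pending = {}               # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)           # fresh and unpredictable: this is what defeats replay
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is usable once
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(response, expected)


def handshake(auth: ChapAuthenticator, name: str, secret: bytes, identifier: int) -> bool:
    """Run all three messages between a peer holding `secret` and the authenticator."""
    chal = auth.challenge(identifier)                       # 1. Challenge
    resp = chap_response(identifier, secret, chal)          # 2. Response
    return auth.verify(identifier, name, resp)              # 3. Success / Failure


def replay_attempt(auth: ChapAuthenticator, name: str, secret: bytes) -> tuple:
    """Capture a valid response, then try to reuse it against a new challenge."""
    chal = auth.challenge(1)
    captured = chap_response(1, secret, chal)
    first = auth.verify(1, name, captured)                  # legitimate login succeeds
    auth.challenge(2)                                       # new challenge, new identifier
    second = auth.verify(2, name, captured)                 # replayed response fails
    return first, second


# Constructed demo secret (not a real credential).
SECRETS = {"alice": b"correct horse battery staple"}

if __name__ == "__main__":
    auth = ChapAuthenticator(SECRETS)
    print(pap_request("alice", "correct horse battery staple"))   # password visible
    print(handshake(auth, "alice", SECRETS["alice"], 7))           # True
    print(handshake(auth, "alice", b"wrong secret", 8))            # False
    print(replay_attempt(auth, "alice", SECRETS["alice"]))         # (True, False)
```

Note that CHAP's protection is only against passive capture and replay; the authenticator must still store the secret in a recoverable form to compute the expected response, which is why the secrets file on a PPP server needs the same protection as a password database.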
  • Broadband Wireless IEEE 802.16 -WiMAX -doesn't work like cell towers -Metropolitan Area Network (MAN) -channel sizes are flexible
  • Fiber -uses glass/plastic strands to carry light -immune to EMI and hard to tap without a detectable signal loss Needs -light source -optical cable -light detector LEDs: cheap, less bandwidth, only good over short distances, used in LANs Laser diodes: expensive, great distances Wavelength Division Multiplexing (WDM): several wavelengths per strand, e.g. 32x capacity
  • Multimode Fiber: light travels in several modes, core is 50-100 microns thick; light disperses too much on medium/long runs Single Mode Fiber: core about 10 microns, light travels straight down the middle, long runs, great bandwidth, internet backbone
  • Network Access Control Devices Firewalls: -filter traffic based on a set of rules -should always sit on internet gateways and between trust domains Filtering: blocks or forwards packets -by source/destination address -by service (port number)
  • Network Address Translation (NAT): the firewall rewrites the source address of a packet on its way out Port Address Translation (PAT): translates all internal addresses to one routable IP address and rewrites the source port number in the packet to a unique value so replies can be mapped back to the right inside host Static Packet Filtering: fixed rules that cannot be temporarily opened to accept legitimate return traffic
  • Stateful Inspection/Dynamic Packet Filtering: examines each packet in the context of its session, so replies to an established connection are allowed and unsolicited packets are not; FTP, which opens a second data connection, is the classic example Proxies: the user talks to a proxy server, the proxy communicates with the untrusted host and returns that host's response to the user Circuit-Level Proxy: relays connections without inspecting the traffic it forwards
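An added example, not part of the slides, that puts the PAT and stateful-filtering ideas above into a few dozen lines of Python. The gateway class below applies a static outbound rule set, rewrites inside hosts to one public address with a unique source port, records the session, and then lets a packet back in only if it is the reply leg of a recorded session from the expected remote host and port. The class, the rule set and the addresses (taken from the RFC 5737 documentation ranges) are constructed for the demo and are not any product's implementation.

```python
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PatGateway:
    """PAT firewall: every inside host leaves as public_ip with a unique source
    port, and only replies that match a translation entry are let back in."""

    def __init__(self, public_ip: str, allow_out: set):
        self.public_ip = public_ip
        self.allow_out = allow_out         # static rules: (proto, dport) permitted outbound
        self.sessions = {}                 # public port -> 5-tuple of the inside flow
        self.by_flow = {}                  # inside 5-tuple -> public port
        self.next_port = itertools.count(40000)

    def outbound(self, pkt: Packet):
        """Inside -> Internet. Returns the translated packet, or None if dropped."""
        if (pkt.proto, pkt.dport) not in self.allow_out:
            return None                    # static filter: no rule, no packet
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        port = self.by_flow.get(flow)
        if port is None:                   # first packet of the session: create state
            port = next(self.next_port)
            self.by_flow[flow] = port
            self.sessions[port] = flow
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet):
        """Internet -> inside. Dynamic filtering: allowed only if it is the reply
        leg of an outbound session, from the same remote host and port."""
        flow = self.sessions.get(pkt.dport)
        if pkt.dst != self.public_ip or flow is None:
            return None                    # unsolicited: nothing inside asked for it
        src, sport, dst, dport, proto = flow
        if (pkt.src, pkt.sport, pkt.proto) != (dst, dport, proto):
            return None                    # right port, wrong peer: spoofed reply
        return replace(pkt, dst=src, dport=sport)


def demo() -> dict:
    """Constructed traffic: one allowed web session, then the cases the filter must reject."""
    fw = PatGateway("203.0.113.5", {("tcp", 80), ("tcp", 443)})
    out = fw.outbound(Packet("10.0.0.7", 51515, "198.51.100.9", 80))
    reply = fw.inbound(Packet("198.51.100.9", 80, "203.0.113.5", out.sport))
    return {
        "translated": out,
        "reply": reply,
        "telnet_out": fw.outbound(Packet("10.0.0.7", 51516, "198.51.100.9", 23)),
        "unsolicited": fw.inbound(Packet("198.51.100.9", 80, "203.0.113.5", 40999)),
        "spoofed": fw.inbound(Packet("192.0.2.66", 80, "203.0.113.5", out.sport)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:11} {pkt}")
```

A static filter would have to leave port 40000 and its neighbours permanently open to get the reply through; the session table is what lets the gateway open exactly one return path and close it again.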
  • Application-Level Proxy: -relays traffic from a trusted endpoint running a specific application to an untrusted host -understands the application protocol and analyzes the traffic for manipulation/attacks -Example: web proxy that everyone's browser goes through Personal Firewalls: for defense in depth, workstation firewalls should be used in tandem with network firewalls
  • End-Point Security -updated antivirus/antimalware -configured host firewall -hardened configuration/no unneeded services -patched/updated OS -encrypt the entire disk -Remote Management -remote wipe -geolocate -push updates
  • Secure Communication Channels Virtual Private Network (VPN) -encrypted tunnel between 2 hosts/gateways IPSec provides the authentication & confidentiality for a VPN IPSec: suite of protocols for communicating securely over IP
  • Authentication Header (AH): -proves the identity of the sender and that the packet has not been tampered with -a keyed hash of the packet's contents, computed with the shared secret, is placed in the ICV field of the AH -each packet carries a sequence number within the security association (anti-replay) -ensures integrity, no confidentiality -since the hash also covers the IP header, AH does not survive NAT
  • Encapsulating Security Payload (ESP): -encrypts the IP payload and ensures its integrity ESP Header: contains the SPI identifying which security association to use, and the sequence number ESP Payload: the encrypted part of the packet; endpoints negotiate which cipher to use ESP Trailer: padding to align fields Authentication data: if used, contains the keyed hash over the ESP packet
  • Security Associations (SA) -define the algorithms, keys and parameters an endpoint uses to communicate with its partner -identified by the SPI -an SA is one-way, so a second SA is needed for 2-way communication
  • Transport Mode & Tunnel Mode IPSec uses one of these Transport Mode: only the IP payload is protected, the original IP header stays; client to server, end to end Tunnel Mode: IP payload & header are protected; the entire protected packet becomes the payload of a new IP packet with a new header -used between gateways/networks
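An added example (not from the slides) for the AH integrity check and the per-SA sequence numbers described above, in Python. One sender and one receiver share an SA; the sender puts the SPI and an increasing sequence number in front of the payload and appends a keyed hash, and the receiver checks the hash first and then runs the sequence number through a 64-bit sliding anti-replay window, so that a replayed or tampered packet is dropped while a late but unseen packet is still accepted. The header layout is simplified (real AH also carries next-header, length and reserved fields), the keyed hash is HMAC-SHA256 truncated to 96 bits rather than a negotiated algorithm, and the SPI, key and payloads are constructed.

```python
import hashlib
import hmac
import struct

WINDOW = 64          # anti-replay window size in packets


class AhSender:
    """Outbound side of one SA: the counter starts at 1 and never repeats within the SA."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.seq = spi, key, 0

    def protect(self, payload: bytes) -> bytes:
        self.seq += 1
        ah = struct.pack("!II", self.spi, self.seq)        # simplified AH: SPI, sequence number
        icv = hmac.new(self.key, ah + payload, hashlib.sha256).digest()[:12]
        return ah + icv + payload


class AhReceiver:
    """Inbound side of the same SA: check the ICV first, then the sequence number
    against a sliding window where bit 0 stands for the highest sequence seen."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.highest = 0
        self.window = 0

    def verify(self, packet: bytes):
        """Returns the payload, or None if the packet is forged, tampered or replayed."""
        if len(packet) < 20:
            return None
        spi, seq = struct.unpack("!II", packet[:8])
        icv, payload = packet[8:20], packet[20:]
        if spi != self.spi:
            return None                                   # not this SA
        expected = hmac.new(self.key, packet[:8] + payload, hashlib.sha256).digest()[:12]
        if not hmac.compare_digest(icv, expected):
            return None                                   # integrity failure
        if not self._accept_seq(seq):
            return None                                   # replayed or too old
        return payload

    def _accept_seq(self, seq: int) -> bool:
        if seq > self.highest:                            # new high-water mark: slide the window
            shift = seq - self.highest
            self.window = ((self.window << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW:
            return False                                  # fell off the left edge of the window
        if self.window & (1 << offset):
            return False                                  # already accepted once
        self.window |= 1 << offset                        # late but fresh: accept and mark
        return True


# Constructed demo: one SA (SPI 0x1001) with a made-up shared key.
KEY = b"demo-ah-key-not-for-real-use"


def demo() -> dict:
    tx, rx = AhSender(0x1001, KEY), AhReceiver(0x1001, KEY)
    p1, p2, p3 = (tx.protect(b"msg%d" % n) for n in (1, 2, 3))
    return {
        "in_order": rx.verify(p1),                             # b"msg1"
        "skip_ahead": rx.verify(p3),                           # b"msg3"
        "late_but_new": rx.verify(p2),                         # b"msg2"
        "replayed": rx.verify(p1),                             # None
        "tampered": rx.verify(p3[:-1] + bytes([p3[-1] ^ 1])),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the ICV is verified before the window is updated, so a forged packet with a high sequence number cannot slide the window forward and cause legitimate late packets to be dropped.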
  • Internet Key Exchange (IKE) -authentication & key-exchange component of IPSec -two phases
  • Phase 1: partners authenticate each other and set up a secure channel using one of the following: 1. Pre-shared secret: the key is distributed manually 2. Public key encryption: digital certificates 3. Revised mode of public key encryption: a nonce is encrypted with the partner's public key
  • Phase 2: -establishes the temporary security associations used for the actual data traffic, over the secure channel created at the end of Phase 1
  • High Assurance Internet Protocol Encryptor (HAIPE) -based on IPSec -adds further restrictions & enhancements -encrypts multicast data -requires manual loading of keys -military-grade security for classified traffic
  • Tunneling
  • Point-to-Point Tunneling Protocol (PPTP) -VPN protocol that tunnels PPP over IP -relies on Generic Routing Encapsulation (GRE) to build the tunnel -user authenticates with MS-CHAPv2, then a Point-to-Point Protocol (PPP) session runs inside the tunnel -vulnerable to password guessing/cracking -derives its encryption key from the user's password, so the key is only as strong as the password
  • Layer 2 Tunneling Protocol (L2TP) -hybrid of PPTP and Layer 2 Forwarding (L2F) -allows callers using PPP over a serial line to connect over the Internet to a remote network -no encryption of its own, so it is normally paired with IPSec (L2TP/IPSec)
  • TLS/SSL Secure Shell (SSH): -allows a user to securely access resources on remote computers over an encrypted tunnel -remote log-on, file transfer, command execution, port forwarding -strong authentication
  • SOCKS: -popular circuit-level proxy -the client connects to the SOCKS server, which relays its connections, so it can act like a VPN SSL/TLS VPNs -remote users use a web browser to access applications -easy to deploy and to set up access -typically no network-to-network tunnels
  • VLAN -hosts are not necessarily on the same physical media, but are part of the same logical broadcast domain/subnet -the separation is enforced by switch configuration, not by wiring
  • Voice Modems & Public Switched Telephone Networks (PSTN) -PSTN is a circuit-switched network that was originally used for analog voice -uses hierarchical tree to route transmissions
  • War Dialing: dial a range of numbers to identify modems; the best defense is to remove or shut off unneeded modems Plain Old Telephone Service (POTS): bi-directional analog voice, high reliability, low bandwidth Private Branch Exchange (PBX): enterprise-class phone system used in businesses/large orgs -internal switching network -traditionally analog
  • VoIP: -replacing traditional telephony networks -more configurable/more breakable -an IP address carries no geographic location, so emergency (911) calls cannot be located automatically Session Initiation Protocol (SIP) -sets up and manages multimedia sessions
  • Multimedia Collaboration Peer-to-Peer Applications & Protocols -monitor P2P apps in your org -bandwidth consumption/security risks/legality -they open uncontrolled channels through your network boundary Remote Meeting Technology: -web based -usually browser extensions -desktop sharing/remote control -watch for vendor backdoors
  • Instant Messaging (IM) 3 classes: 1. Peer-to-peer networks 2. Brokered communication 3. Server-oriented networks -all support 1-to-1 and many-to-many
  • Open Protocols, Applications, and Services Extensible Messaging and Presence Protocol (XMPP) & Jabber -Jabber is an open IM protocol -XMPP is the formalized (IETF) name of Jabber -server based, so the server operator can eavesdrop unless messages are encrypted end to end
  • Internet Relay Chat (IRC) -good anonymity -no built-in security -client/server based -identities can be easily falsified -most servers offer no confidentiality -IRC clients can execute scripts, a common malware vector