CISSP Week 6


StaridLabs CISSP Study slides for week 6



  1. CISSP p316-380
  2. Securing Network Components
     - Deterministic Routing: traffic only travels on pre-determined routes
     - Boundary Routers: advertise routes that external hosts can use to reach internal destinations; filter external traffic
     - Design and set up a perimeter! (IDS, FW, filtering)
  3. Network Partitioning
     - segment networks into domains of trust
     - control what is forwarded between segments
     - Dual-Homed Host: has two NICs, each on a separate network
     - Bastion Host: gateway between trusted & untrusted that gives limited, authorized access to untrusted hosts
     - data diode = simplex (one-way) communication
  4. Demilitarized Zone (DMZ)
     - aka Screened Subnet
     - allows an org to give external hosts limited access to public resources, like a web server that contains the org's site, without giving access to the org's internal network
  5. Hardware
     - Modems: analog
     - Concentrators: multiplex connected devices into a single signal
     - Front-End Processors: purpose is to off-load from the host computer the work of managing the peripheral devices
     - Multiplexers: select one of several analog or digital input signals and forward the selected input onto a single line
     - Concentrators vs. Multiplexers
  6. Hubs & Repeaters
     - Hubs are used for star topology
     - All devices receive each other's broadcasts
     - All devices can read & modify others' traffic
     - Repeaters repeat the signal to help stop signal degradation
  7. Bridges
     - layer 2 device (Data Link)
     - filters traffic between segments based on MAC addresses
     - also amplifies signals for large networks
     - filters out frames not destined for another segment
  8. Switches
     - only forward frames to the device specified in the frame
     - forward broadcasts to all
  9. Routers
     - forward packets to other networks
     - read the destination from layer 3 (IP address)
     - based on its view of the network, the router determines the next device to send the packet to
  10. Transmission Media
  11. Wired
     - Throughput: rate at which the data will be transmitted
     - Distance: how far between devices, since the signal degrades
     - Data Sensitivity: will someone try to tap this cable?
     - Environment: bent cables, EMI, RFI, temperature
  12. Twisted Pair
     - copper wires twisted together to reduce EMI
     - each wire is coated, then surrounded by a jacket
     - twists/inch, type of insulation, and conductive material determine the category: Cat 1-6
  13. Unshielded Twisted Pair (UTP)
     - no shielding, duh
     - EMI and RFI will kill the signal
     - easy to tap with radiation monitoring
     - cheap and common
  14. Shielded Twisted Pair (STP)
     - UTP, except it has an electrically grounded shield inside the cable
     - expensive and bulky
  15. Coaxial Cable (Coax)
     - one thick conductor surrounded by a grounding braid of wire
     - great bandwidth and longer runs than TP
     - very well insulated
     - expensive and bulky
  16. Patch Panels
     - alternative to directly connecting devices
     - use patch cables to change connections easily
     - need to be neat
  17. Wireless
  18. Direct-Sequence Spread Spectrum (DSSS)
     - spreads a transmission over a large frequency band with small amplitude
     - wider band = less interference
     - sender & receiver communicate which frequencies are too cluttered to send data over
  19. Frequency-Hopping Spread Spectrum (FHSS)
     - spreads the signal over rapidly changing frequencies
     - signals rapidly change among sub-frequencies in an order agreed upon between sender & receiver
     - can interfere with DSSS
     - this rapid changing keeps interference minimized
  20. Orthogonal Frequency Division Multiplexing (OFDM)
     - signal is divided into sub-frequency bands; each band is manipulated so they broadcast together without interfering with each other
  21. Frequency Division Multiple Access (FDMA)
     - analog
     - old cellular technology
     - divides the band into sub-bands and assigns an analog conversation to each sub-band
     - replaced by GSM & CDMA
  22. Time Division Multiple Access (TDMA)
     - multiplexes several digital calls (voice or data) on each sub-band by devoting a small time slice, round-robin, to each call in the band
     - 2 sub-bands are required for each call, 1 for each sender
  23. Mobile Cellular Telephony
  24. Code Division Multiple Access (CDMA)
     - spread spectrum cellular tech
     - runs like DSSS
     - CDMA 2000 improves capability by 10 (153 Mbps)
     - Wideband CDMA: this is 3G
  25. Global System for Mobile Communications (GSM)
     - most popular cell tech
     - divides frequency bands into simplex channels
     - user ID: Subscriber Identity Module, SIM card
     - phone authenticates to the network, but the network doesn't authenticate to the phone, which makes it easy to masquerade as another user
  26. Wireless LANs
     - Authentication is the 1st line of defense
     - Open System Authentication: client is permitted to join if its SSID matches the wireless network's
     - Shared-Key Authentication: WEP, will talk about later
  27. MAC Address Tables
     - authenticates based on a MAC address
     - easy to spoof, so it's not very effective
     Service Set Identifier (SSID) Broadcasting
     - name of the wireless LAN
     - wireless clients send a probe asking for an SSID response
     - router will beacon out the name at all times
     - Don't make your SSID "TOP SECRET SECRETS of Wells Fargo"
  28. Placement
     - keep your wireless routers in central locations to keep the network radiation from getting outside the walls
     - don't keep it in a microwave
  29. Encryption
  30. Wired Equivalent Privacy (WEP)
     - uses a shared secret
     - before each packet is sent, a CRC-32 checksum is appended to it, then both are encrypted using RC4 with the shared secret & an initialization vector
     - it's weak
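As an added example (not from the slides), the WEP construction just described in toy form: a per-packet RC4 key of IV||shared key, a CRC-32 integrity check value (ICV) appended before encryption, and a function showing why a 24-bit IV is fatal: two frames sent under the same IV leak the XOR of their plaintexts. RC4 is implemented inline for illustration only; the key and frames are constructed.

```python
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), shown only to illustrate WEP; never use RC4 in new designs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4_{IV||key}(payload || CRC-32 ICV)."""
    assert len(iv) == 3  # WEP IVs are 24 bits: only 2^24 keystreams per shared key
    icv = zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4_keystream(iv + shared_key, len(payload) + 4)
    return iv + xor(payload + icv, keystream)


def wep_decapsulate(shared_key: bytes, frame: bytes):
    """Strip the cleartext IV, regenerate the keystream, decrypt and check the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + shared_key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None  # ICV mismatch: frame rejected
    return payload


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same key + same IV => same keystream, so C1 xor C2 == P1 xor P2 (no key needed)."""
    assert frame_a[:3] == frame_b[:3], "only meaningful when the IV repeats"
    return xor(frame_a[3:], frame_b[3:])
```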
  31. WiFi Protected Access (WPA)
     - improved use of RC4
     - uses Temporal Key Integrity Protocol (TKIP) so there is a new key for each packet
     - CRC-32 checksum was replaced with a message integrity check called Michael; it protects header & data from tampering and also has a frame counter
  32. WPA2 - IEEE 802.11i
     - RC4 is replaced with Advanced Encryption Standard (AES)
     - TKIP & Michael replaced with Counter Mode/CBC-MAC Protocol (CCMP)
     - supports Extensible Authentication Protocol (EAP)
  33. WiFi Variants
     802.11b
     - 1st version of WiFi
     - uses DSSS
     - 2.4 GHz band
     802.11a
     - won't work with 'b'
     - uses OFDM
     - 5 GHz band
  34. 802.11g
     - works with 'b'
     - 2.4 GHz
     Bluetooth 802.15.1
     - uses FHSS on the 2.4 GHz band
     - Blue Jacking: allows an anonymous message to show on the device
     - Buffer Overflow: remotely exploit bugs in software
     - Blue Bug Attack: uses AT commands on the victim's phone to initiate calls and send messages
  35. Address Resolution Protocol (ARP)
     - given a layer 3 address (IP), ARP determines the layer 2 address (MAC)
     - ARP tracks IP addresses and their MACs in a dynamic table called the ARP cache
  36. Point-to-Point Protocol (PPP)
     - used to connect a device to a network over a serial line
     - dial up
     - Password Authentication Protocol (PAP): cleartext
     - Challenge Handshake Authentication Protocol (CHAP): 3-way handshake
     - uses EAP
  37. Broadband Wireless IEEE 802.16
     - WiMAX
     - doesn't work like cell towers
     - Metro Area Network (MAN)
     - channel sizes are flexible
  38. Fiber
     - uses glass/plastic to transmit light
     - needs: light source, optical cable, light detector
     - LEDs: cheap, less bandwidth, only good over short distances, used in LANs
     - Diode Laser: expensive, great distances
     - Wavelength Division Multiplexing (WDM): 32x capacity
  39. Multimode Fiber: light is transmitted in different modes; cable is 50-100 microns thick; light disperses too much on medium/long cable runs
     Single Mode Fiber: 10 microns thick; light goes down the middle; long runs, great bandwidth; internet backbone
  40. Network Access Control Devices
     Firewalls:
     - filter traffic based on a set of rules
     - should always be on internet gateways, and in between trust domains
     Filtering: blocks or forwards packets
     - by source/destination address
     - by service, port number
  41. Network Address Translation (NAT): firewalls can change the source address of a packet on its way out
     Port Address Translation (PAT): translates all addresses to one routable IP address & translates the source port number in the packet to a unique value
     Static Packet Filtering: hard line that cannot be temporarily changed to accept legit
  42. Stateful Inspection/Dynamic Packet Filtering: stateful inspection examines each packet in the context of the session; FTP provides a good example
     Proxies: user talks to a proxy server, the proxy communicates with the untrusted host and gives that host's response back to the user
     Circuit Level Proxy: does not inspect any traffic it forwards
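Added example (not from the slides) contrasting slide 41's static packet filter with slide 42's stateful inspection: the static filter judges every packet alone against the rule set, so a server's reply matches no outbound rule and is dropped; the stateful version remembers sessions it permitted and judges the reply in that context. Packets, addresses and the single allow rule are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False  # TCP SYN flag: set only on the first packet of a new connection


# Constructed policy: inside hosts may open TCP/443 to the web server; nothing else.
ALLOW_RULES = [("10.0.0.0/8", "203.0.113.10", 443, "tcp")]


def static_filter(pkt: Packet) -> bool:
    """Static packet filter: each packet is checked in isolation against the rules."""
    return any(
        ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net)
        and pkt.dst == dst and pkt.dport == port and pkt.proto == proto
        for net, dst, port, proto in ALLOW_RULES
    )


class StatefulFirewall:
    """Stateful inspection: remembers permitted sessions so replies are judged in context."""

    def __init__(self) -> None:
        self.sessions = set()  # 5-tuples of flows allowed outbound

    def filter(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.sessions:
            return True  # reply belonging to a session we already permitted
        # A new session must match policy and, for TCP, must begin with a SYN
        if static_filter(pkt) and (pkt.proto != "tcp" or pkt.syn):
            self.sessions.add(flow)
            return True
        return False  # unsolicited inbound or out-of-state packet
```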
  43. Application Level Proxy:
     - relays traffic from a trusted endpoint running a specific application to an untrusted host
     - analyzes the traffic for manipulation/attacks
     - Example: Web Proxy; everyone's browser goes through it
     Personal Firewalls: for defense in depth, workstation firewalls should be used in tandem with network firewalls
  44. End-Point Security
     - updated antivirus/antimalware
     - configured firewall
     - hardened configuration/no unneeded services
     - patched/updated OS
     - encrypt the entire disk
     - Remote Management: wipe, geolocate, update operations
  45. Secure Communication Channels
     Virtual Private Network (VPN): encrypted tunnel between 2 hosts/gateways
     IPSec: authentication & VPN confidentiality; a suite of protocols for communicating securely over IP
  46. Authentication Header (AH):
     - used to prove the identity of the sender and prove the packet has not been tampered with
     - a hash value of the packet's contents, based on the shared secret, is inserted into the last field of the AH
     - each packet has a sequence number during the security association
     - ensures integrity, no confidentiality
  47. Encapsulating Security Payload (ESP):
     - encrypts the IP payload and ensures integrity
     - ESP Header: contains info showing which security association to use, and the sequence number
     - ESP Payload: contains the encrypted part of the packet; endpoints negotiate which encryption to use
     - ESP Trailer: padding to align fields
     - Authentication: if used, it contains the hash of the ESP packet
  48. Security Associations (SA)
     - defines the mechanisms that an endpoint will use to communicate with its partner
     - a second SA is needed for 2-way communication
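Added example (not from the slides) of the AH behaviour in slides 46 and 48 in simplified form: a one-directional security association holding the SPI, shared key and a sequence counter; a keyed hash (HMAC-SHA256, truncated) computed over the packet with the ICV field zeroed; and a receiver that rejects bad ICVs and replayed sequence numbers while leaving the payload readable (integrity, no confidentiality). The 20-byte IP header, key and SPI values are constructed placeholders, and the real AH fields (next header, length, mutable-field zeroing) are omitted.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # truncated MAC, in the style of HMAC-SHA1-96 / HMAC-SHA256-128 AH ICVs


class SecurityAssociation:
    """One direction of traffic only: the reply direction needs a second SA."""

    def __init__(self, spi: int, key: bytes, window: int = 32) -> None:
        self.spi, self.key, self.window = spi, key, window
        self.seq = 0                         # sender side: last sequence number sent
        self.highest, self.seen = 0, set()   # receiver side: anti-replay window state


def _icv(sa: SecurityAssociation, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # Keyed hash over header + AH (with ICV field zeroed) + payload; mutable IP
    # fields such as TTL would also be zeroed in real AH
    data = ip_hdr + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(sa.key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(sa: SecurityAssociation, ip_hdr: bytes, payload: bytes) -> bytes:
    """Insert SPI, sequence number and ICV between the IP header and the payload."""
    sa.seq += 1
    ah_fixed = struct.pack("!II", sa.spi, sa.seq)
    return ip_hdr + ah_fixed + _icv(sa, ip_hdr, ah_fixed, payload) + payload


def ah_verify(sa: SecurityAssociation, packet: bytes, hdr_len: int) -> str:
    """Return 'ok', 'unknown SA', 'bad ICV' or 'replay'; the payload is never encrypted."""
    ip_hdr, ah_fixed = packet[:hdr_len], packet[hdr_len:hdr_len + 8]
    icv = packet[hdr_len + 8:hdr_len + 8 + ICV_LEN]
    payload = packet[hdr_len + 8 + ICV_LEN:]
    spi, seq = struct.unpack("!II", ah_fixed)
    if spi != sa.spi:
        return "unknown SA"
    if not hmac.compare_digest(icv, _icv(sa, ip_hdr, ah_fixed, payload)):
        return "bad ICV"  # integrity check first, so forged packets never touch the window
    if seq in sa.seen or seq + sa.window <= sa.highest:
        return "replay"   # already accepted, or older than the sliding window
    sa.seen.add(seq)
    sa.highest = max(sa.highest, seq)
    return "ok"
```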
  49. Transport Mode & Tunnel Mode: IPSec will use one of these
     - Transport Mode: IP payload is protected; client to server, end to end
     - Tunnel Mode: IP payload & header are protected; the entire protected packet becomes the payload of a new IP packet & header; used between networks
  50. Internet Key Exchange (IKE)
     - authentication component of IPSec
     - two phases
  51. Phase 1: partners authenticate with each other using one of the following:
     1. Shared Secret: key is exchanged manually
     2. Public Key Encryption: digital certs
     3. Revised mode of Public Key Encryption: a nonce is encrypted with the partner's public key
  52. Phase 2: establishes a temporary security association, using the secure tunnel created at the end of Phase 1
  53. High Assurance Internet Protocol Encryptor (HAIPE)
     - based on IPSec
     - possesses additional restrictions & enhancements
     - encrypts multicast data
     - requires manual loading of keys
     - military grade security
  54. Tunneling
  55. Point-to-Point Tunneling Protocol (PPTP)
     - VPN protocol that runs over other protocols
     - relies on Generic Routing Encapsulation (GRE) to build the tunnel
     - user authenticates with MSCHAPv2, then a Point-to-Point Protocol (PPP) session creates a tunnel
     - vulnerable to password guessing
     - derives its encryption key from the user's password
  56. Layer 2 Tunnel Protocol (L2TP)
     - hybrid of PPTP and Layer 2 Forwarding (L2F)
     - allows callers over a serial line using PPP to connect over the Internet to a remote network
     - no encryption of its own
  57. TLS/SSL
     Secure Shell (SSH):
     - allows a user to securely access resources on remote computers over an encrypted tunnel
     - remote log on, file transfer, command execution, port forwarding
     - strong authentication
  58. SOCKS:
     - popular circuit proxy server
     - client connects to SOCKS, which can then act as a VPN
     SSL/TLS VPNs
     - remote users use a web browser to access applications
     - easy to deploy and set up access
     - no network-to-network tunnels
  59. VLAN: hosts are not necessarily on the same physical media, but are part of the same logical routing subnet
  60. Voice Modems & Public Switched Telephone Networks (PSTN)
     - PSTN is a circuit-switched network that was originally used for analog voice
     - uses a hierarchical tree to route transmissions
  61. War Dialing: dial a range of numbers to identify modems; best defense is to shut off modems
     Plain Old Telephone Service (POTS): bi-directional analog voice, high reliability, low bandwidth
     Private Branch Exchange (PBX): enterprise class phone system used in businesses/large orgs
     - internal switching network
     - analog
  62. VoIP:
     - replacing telephony networks
     - more configurable/more breakable
     - no geo-spatial coordinates with IPs, so 911 will leave you to die
     Session Initiation Protocol (SIP): manages multimedia connections
  63. Multimedia Collaboration
     Peer to Peer Applications & Protocols
     - monitor P2P apps in your org
     - bandwidth consumption/security risks/legality
     - it opens uncontrolled channels through your network boundaries
     Remote Meeting Technology:
     - web based
     - usually browser extensions
     - desktop sharing/remote control
     - vendor backdoors
  64. Instant Messaging (IM): 3 classes
     1. Peer to peer networks
     2. Brokered communication
     3. Server-oriented networks
     - all support 1-to-1 and many-to-many
  65. Open Protocols, Applications, and Services
     Extensible Messaging and Presence Protocol (XMPP) & Jabber
     - Jabber is an open IM protocol
     - XMPP is the formalized name of Jabber
     - server based, so a server operator can eavesdrop
  66. Internet Relay Chat (IRC)
     - good anonymity
     - no security
     - client/server based
     - IDs can be easily falsified
     - most have no confidentiality
     - IRC clients can execute scripts