2. RADIUS
● Used to authenticate a user/machine to a network.
● Shared secret provided between client application and server.
● Once the shared secret is accepted, the username/password is sent.
● Cheap to set up
● Not all fields are encrypted
3. RADIUS Cont.
● Used for low-risk authentication to prevent and locate unauthorized users (e.g. an ISP detecting non-paying cable modem users)
● In a corporate environment RADIUS can be used to authenticate to servers, applications, networks, VLANs, switches, etc.
● For corporate use, 2-factor authentication should be used:
● EAP, tokens, smartcards
4. SNMP
● Used to receive (get) configuration/state data as well as to configure (set) configuration
● Uses “community strings” and passphrases for v2 and above
● Data can be sniffed easily and credentials can be stolen
● v3 supports encryption, but isn't being used much yet.
● Applicable devices: firewalls, routers, switches, OS (Windows and Linux), applications, embedded devices, etc.
5. SNMP Stupidities
● String/passphrase is often the same for many like devices (switches, databases, etc.) for easy management.
● A disastrous number of companies have SNMP open externally.
● SNMP shouldn't be queried from outside your network; remote devices need some other method. v3 helps with this but again isn't supported everywhere yet.
6. Remote Access Services
● Telnet, rlogin, X11
● Plaintext sessions allow snooping of the session, and credentials are sent in plaintext as well
● All have an SSH-encapsulated replacement
7. Telnet Servers
● Available on Windows and Linux/Unix
● More commonly seen on Unix
● Server runs as system (trusted application)
● Encryption is not supported
● Malicious user can easily escalate to root/admin
● Telnet servers should be disabled or blocked unless absolutely necessary. If necessary, spend a good amount of time trying to find ways to mitigate the risk.
8. Rlogin/rsh/rcp
● Rlogin:
● Remote shell to machine
● If installed, a user can set it up for other users and subvert the admin when providing server access
● Rsh/rcp:
● Allows file/console access based solely on userid/IP. Userid is ignored.
9. Screen Scrapers
● Watches & captures a user's screen. Can be legitimate or malicious.
● A legitimate use would be seeing what an employee in a bank call center looks at to make sure they're not looking at things they shouldn't.
● A malicious use would be an attacker adding a screen scraper to a bank call center machine to capture all of the data a user looks at, thus framing the employee.
10. Virtual Network Terminal Services
● Terminal Services is a server which allows a web-based or Remote Desktop (RDP) session which displays the server's desktop to the client in an encrypted tunnel.
● Citrix, Remote Desktop/TS (Microsoft)
● Good for distributed employees and road warriors who may have personal or dirty laptops.
11. Telecommuting
● Telecommuters should be required to VPN into the network when working. The end user machine should use full drive encryption and should comply with security policies such as screen lockout.
● Network connection type & work location should be considered before access is granted.
12. Analog vs. Digital Signals
● Analog signals are a wave and can represent a voice, etc.
● Digital is only 1's and 0's, and data such as voice must be converted to binary before sending.
13. Network Topography: Bus Networks
● All hosts receive all traffic
● Node failure doesn't affect the network
● Failure in the bus takes down the whole network
14. Tree Networks
● Uses cable splitters
● All hosts receive all traffic
● Cable failure creates an outage for the entire downline
15. Ring (Token Ring)
● Closed loop network
● Data travels one way, passing data to one neighbor and receiving from the other
● Generally uses coaxial or fiber
● Single point of failure unless dual ring setup with secondary networking
16. Mesh
● All nodes have a direct connection to each other
● Common for high availability network gear
● High level of network reliability
● Expensive due to cable costs
● (Wireless mesh networks continue to gain popularity)
17. Star
● “Normal” network topography
● Switch is centralized and end points connect to switches, and switches connect to each other
● Minimal cables needed
● Switch/hub is a single point of failure for star nodes
19. Broadcast
● A single host sends to many hosts
● Very noisy
● Commonly seen with ARP and NetBIOS
● 192.168.1.255 will send the packet to every host between 192.168.1.1 and 192.168.1.254
20. Multicast
● Isn't used as often as it should be (Tim comment)
● Unreliable, best-effort transmission
● Uses IGMP to manage subscribers
● Clients request to join a specific multicast channel
● Server only sends data once, and data is received by all clients subscribed to that multicast channel
● Used for streaming video, etc.
21. Circuit Switched Network
● Client/server keeps a continuous session open
● POTS, ISDN, PPP
● All data is sent along the same path, even if a shorter path opens later.
22. Packet Switched Network
● Data is broken into packets
● Each packet is routed through the best path as determined by network rules
● Packets are re-ordered at the destination endpoint and reassembled
23. Carrier Sense Multiple Access (CSMA)
● CSMA/CA
● Collision Avoidance
● Broadcasts a jamming signal and then sends data. Other endpoints wait once they receive the jamming signal.
● Used by 802.11 (wireless)
24. CSMA/CD
● Collision Detection
● Client checks if the line is clear; if clear, it sends data
● Collisions occur when both sides see the line as clear and send at the same time, causing the data to become unusable.
● When a collision occurs both sides wait a random amount of time and resend.
● Used by 802.3 Ethernet
25. Polling
● Client only talks when the master device tells it to.
● Also used by 802.11 (wireless)
26. Ethernet 802.3
● Full duplex mode is (mostly) immune to collisions
● Half duplex uses CSMA/CD
● 802.3 can use coaxial, unshielded twisted pair (UTP), or fiber cable
27. Token Ring (802.5)
● Physically a star topography
● Uses logical tokens to create a ring
● Dead technology
28. FDDI – Fiber Distributed Data Interface
● Fiber networking using two fiber cables & 2 ring networks
● Second cable is standby in the event of primary ring failure
● Still in active use
29. Multiprotocol Label Switching (MPLS)
● Fast, pre-determined tunnel
● Offers QoS
● Called “IP VPN” – ISP sets up the route and data flows along it even if the path is not the shortest
● Not encrypted – but if the ISP sets it up right then data is only seen by the ISPs which it passes through.
● (Tim Comment) I recommend at least minimal encryption across the tunnel to obscure data from prying eyes. Network glitches happen which could send data outside of the expected route.
30. LAN – Local Area Network
● Collection of locally interconnected computers.
● Local being defined as a building or campus
31. VLAN – Virtual LAN
● Uses one set of network equipment
● Allows “virtual” paths & LANs to be created
● Switch drops traffic if the port is not configured for the sending VLAN
● Known attacks against VLANs exist, but still a good way to segregate
● Attack known as VLAN hopping
32. ISDN
● A legacy model which is faster than dialup
● Dead technology
33. Point to Point
● Uses continuous fiber cable to directly connect two points.
● Very expensive
● Example is 2 datacenters owned by the same company. If the company doesn't trust the data going through an ISP, it can set up a fiber Point to Point to connect the datacenters.
34. T1/T3
● Uses Time-Division Multiplexing (TDM)
● T1 = 24 channels over a copper cable
● Full T1 = 1.544 Mbps
● Can purchase anywhere from 1-24 active channels to decrease cost.
● Can bundle T1's for more throughput:
● T2 = 4 X T1
● T3 = 7 X T2
● T4 = 6 X T3
● All can be fractionally purchased
35. E1/E3
● Same as T1/T3 but for Europe. E1 has a slightly higher transmission rate.
● Make sure when buying equipment that it's for E1 or T1; it must be built compatible or for the correct standard.
36. OC1/OC12
● Super High Throughput
● OC1 = 51Mbps
● OC3 = 155 Mbps
● OC192 = 9954 Mbps
37. DSL
● Uses Cat-3 (phone line) unfiltered
● ADSL – Downstream faster than upstream
● SDSL – Down and up are the same speed
● VDSL – Very fast; most inner city DSL is VDSL now.
38. Cable Modem
● Modem & cable company exchange crypto keys
● Data is encrypted in transit
● (I know cableone turned this on at one point, last I checked it had been turned off again. Midcontinent is not using encryption last I checked, which was last fall)
40. Networks
● Everything is getting an IP nowadays – from TVs, generators, air conditioners, ice machines, and light bulbs...
41. Net Defense Basics
● Define security domains (Public, Confidential, Restricted)
● Segregate networks based on security domains
● Think ahead for incident response
● Have logs
● Know what systems you have/what they do
● A methodology to contain incidents quickly and manage the reaction
● See SANS Top 20 controls for recommendations
42. Defense in Depth
● Assumes an attack will eventually succeed
● Security layers employed: network security, OS hardening, antivirus, end user firewalls, user training, patching, detection, IPS, NAC
43. Confidentiality Attacks
● Purpose is to steal non-public data
● Users/passwords, computer code, designs, business plans, emails, embarrassing memos, alien files
● Example is wired/wireless data sniffing
44. Integrity Attacks
● Attempt to corrupt or change (destroy) data or systems
● Examples are Stuxnet, defacing websites, SQL injection
47. Domain Names
● Trademark your URL if you're an IT company with a web presence
● Register misspellings of your domain name to reduce the risk of reputation loss
48. Open Mail Relay Servers
● Allows email to be sent without authentication
● Sign of bad sysadmins (see staridlabs.org hosted by cheaplinuxhosting.com!)
50. Scanning Techniques – Port Scanning
● Checks what ports are open/accessible on a system
● Fingerprints the system:
● OS type/version
● Hardware manufacturer/version
● App versions (banner grab)
51. FIN Scan
● Sends a connection close signal (FIN) to the port
● Receives a RST/ICMP packet if the port is closed
● Used against UNIX/Linux hosts
52. Null Scan/XMAS Scan
● Null Scan:
● No TCP flags are set
● XMAS Scan:
● All TCP flags are set
● Generally useful to compare the results of both scans
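The FIN, NULL and XMAS probes on these slides are easy to pick out on the wire because no legitimate session ever produces those flag combinations. Added example (not from the original slides): a small classifier over constructed packet records that tags such probes and reports sources sending several of them; the flag bit values are the standard TCP header layout, and the FIN+PSH+URG variant is included alongside the all-flags-set form the slide describes.

```python
from collections import Counter

# TCP flag bits as laid out in the TCP header (low byte of the flags field).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_NMAP = TCP_FIN | TCP_PSH | TCP_URG   # the FIN+PSH+URG "lit up" combination
XMAS_ALL = 0x3F                           # every classic flag set, as the slide describes

def classify_flags(flags):
    """Return the probe type a flags byte suggests: null, fin, xmas, syn or normal."""
    flags &= 0x3F                          # ignore ECN/CWR bits above the six classic flags
    if flags == 0:
        return "null"                      # no flags at all never occurs in a real session
    if flags == TCP_FIN:
        return "fin"                       # bare FIN without ACK: closing a session that never existed
    if flags in (XMAS_NMAP, XMAS_ALL):
        return "xmas"
    if flags & TCP_SYN and not flags & TCP_ACK:
        return "syn"                       # ordinary connection attempt
    return "normal"

def suspicious_sources(records, threshold=3):
    """Count FIN/NULL/XMAS probes per (source, kind); report those at or above threshold.

    records: iterable of (src_ip, dst_port, flags) tuples, e.g. from a pcap or flow parser.
    """
    hits = Counter()
    for src, _dst_port, flags in records:
        kind = classify_flags(flags)
        if kind in ("fin", "null", "xmas"):
            hits[(src, kind)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample: one normal client, one host sweeping ports with NULL and XMAS probes.
SAMPLE = [
    ("10.0.0.5", 22, TCP_SYN), ("10.0.0.5", 22, TCP_ACK), ("10.0.0.5", 22, TCP_FIN | TCP_ACK),
    ("10.0.0.9", 21, 0), ("10.0.0.9", 22, 0), ("10.0.0.9", 23, 0),
    ("10.0.0.9", 25, XMAS_ALL), ("10.0.0.9", 80, XMAS_NMAP), ("10.0.0.9", 443, XMAS_NMAP),
    ("10.0.0.7", 80, TCP_FIN),             # a single stray FIN: below threshold, not reported
]

if __name__ == "__main__":
    for (src, kind), n in sorted(suspicious_sources(SAMPLE).items()):
        print(f"{src}: {n} {kind}-scan probes")
```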
53. TCP Sequence Number Attack
● Can scan using a legitimate "zombie" host by predicting the TCP sequence number and spoofing the source address. When the victim responds back to the zombie host, you connect to the zombie and count how many TCP sequence numbers were incremented.
● TCP sequence randomization can be turned on for all common operating systems.
54. Attack Trees
● Logical representation of what steps an attacker would need to take to attack a system
● Great for explaining to non-management what the risk is (or isn't)
55. Methods of Attack
● Target Acquisition/Intel Gathering
● Publicly available data
● Scans
● Target Analysis
● Identify vulnerabilities
● Identify the tools best suited to exploit the vulnerability
56. Methods of Attack 2
● Target Access
● Gain access to the system (desktop, prompt, process)
● Target Appropriation
● Elevate system access (if needed)
● Steal all the things
● Set up backdoors
● Clean up tracks (if needed)
57. Scanners (for good)
● Identifies vulnerabilities
● Finds configuration mistakes/risks
● Tests for compliance
● Example: if the vuln scanner sees the 'games' user in Linux then I know the box didn't have STIGs applied
● Can have lots of false positives
58. Penetration Testing
● Verifies vulnerabilities and what risk comes with a successful attack
● Puts the “human eye” on systems, often finding things a scanner won't
59. Network Taps
● Copies all traffic across a path
● Sometimes required for legal compliance
61. Teardrop Attack
● Packets are fragmented erroneously so that when reassembled the target calculates a negative fragment length. This is a denial of service attack.
● Fix by vendor patch
62. Overlapping Fragment Attack
● Packets are fragmented and the first fragments are sent with legitimate data. Following fragments overwrite the first, legitimate ones and are malicious.
● This works because some IPS systems only scan the first x bytes of a packet
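Both the teardrop slide and the overlapping-fragment slide come down to the same reassembly mistake: trusting fragment offsets and lengths without checking them against what has already been assembled. Added example (not from the original slides) covering both: a reassembly checker over constructed fragments that refuses a fragment ending before the already-assembled bytes (the negative-length teardrop case) and a fragment that rewrites bytes already delivered with different content (the overlap case), while letting an identical retransmit through. Offsets are in bytes here for readability; real IP fragment offsets are in 8-byte units.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int    # byte offset into the original datagram (simplification: real IP counts in 8-byte units)
    data: bytes
    more: bool     # the "more fragments" (MF) bit

def check_fragments(frags):
    """Validate fragments before reassembly.

    Returns ("ok", payload) when the set is complete and consistent, otherwise
    ("teardrop" | "overlap" | "gap", explanation).
    """
    frags = sorted(frags, key=lambda f: f.offset)
    assembled = bytearray()
    for f in frags:
        end = f.offset + len(f.data)
        if end <= len(assembled):
            # Teardrop shape: a naive "copy_len = end - assembled_end" goes negative here.
            return "teardrop", f"fragment {f.offset}..{end} ends before assembled end {len(assembled)}"
        if f.offset > len(assembled):
            return "gap", f"bytes {len(assembled)}..{f.offset} missing"
        overlap = len(assembled) - f.offset
        if overlap and assembled[f.offset:] != f.data[:overlap]:
            # Overlapping-fragment attack: bytes an inspector already saw are being rewritten.
            return "overlap", f"{overlap} byte(s) at offset {f.offset} rewritten with different content"
        assembled += f.data[overlap:]   # an identical overlap is a harmless retransmit
    if frags and frags[-1].more:
        return "gap", "last fragment still has MF set"
    return "ok", bytes(assembled)

# Constructed samples.
NORMAL = [Fragment(0, b"GET /index", True), Fragment(10, b".html HTTP", False)]
TEARDROP = [Fragment(0, b"A" * 20, True), Fragment(4, b"B" * 8, False)]         # 4..12 lies inside 0..20
OVERLAP = [Fragment(0, b"GET /index", True), Fragment(4, b"/other.txt", False)]  # rewrites bytes 4..10
RETRANSMIT = [Fragment(0, b"abcd", True), Fragment(2, b"cdef", False)]           # same bytes twice: fine

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP), ("overlap", OVERLAP), ("retransmit", RETRANSMIT)]:
        print(name, check_fragments(frags))
```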
63. Source Routing Exploit
● Attacker requests an alternate path in the packet header and bypasses firewall rules
64. Smurfs/Fraggles
● Broadcast denial of service attacks
● Smurf – Spoofed source address to broadcast using ICMP. All receiving clients respond and DoS the victim
● Fraggle – Same as a smurf but using UDP
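The broadcast slide (192.168.1.255 reaching every host in 192.168.1.0/24) and the smurf/fraggle slide together describe one detection rule: an ICMP echo request or UDP datagram aimed at a subnet's directed-broadcast address from a source outside that subnet. Added example (not from the original slides): that rule in code, with the subnet list and packet records constructed here; local broadcast chatter from inside the subnet (ARP/NetBIOS style) is deliberately left alone.

```python
import ipaddress

# Constructed: the subnets this sensor is responsible for.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.10.0.0/22")]
ICMP_ECHO_REQUEST = 8

def broadcast_subnet(dst):
    """Return the local subnet whose directed-broadcast address is dst, else None."""
    addr = ipaddress.ip_address(dst)
    for net in LOCAL_SUBNETS:
        if addr == net.broadcast_address:       # e.g. 192.168.1.255 for 192.168.1.0/24
            return net
    return None

def classify_packet(pkt):
    """Return 'smurf' or 'fraggle' for an amplification-shaped packet, else None."""
    net = broadcast_subnet(pkt["dst"])
    if net is None:
        return None                              # unicast or foreign destination
    if ipaddress.ip_address(pkt["src"]) in net:
        return None                              # ARP/NetBIOS-style chatter from inside the subnet is expected
    if pkt["proto"] == "icmp" and pkt.get("type") == ICMP_ECHO_REQUEST:
        return "smurf"                           # every host answers the (spoofed) source
    if pkt["proto"] == "udp":
        return "fraggle"                         # same shape over UDP
    return None

def amplification_report(packets):
    """Count flagged packets per (source, kind); the source is the would-be DoS victim."""
    report = {}
    for pkt in packets:
        kind = classify_packet(pkt)
        if kind:
            report[(pkt["src"], kind)] = report.get((pkt["src"], kind), 0) + 1
    return report

# Constructed packet records (what a flow or pcap parser would hand over).
SAMPLE = [
    {"src": "203.0.113.7", "dst": "192.168.1.255", "proto": "icmp", "type": 8},
    {"src": "203.0.113.7", "dst": "192.168.1.255", "proto": "icmp", "type": 8},
    {"src": "203.0.113.7", "dst": "10.10.3.255", "proto": "udp", "dport": 7},
    {"src": "192.168.1.20", "dst": "192.168.1.1", "proto": "icmp", "type": 8},      # ordinary ping
    {"src": "192.168.1.20", "dst": "192.168.1.255", "proto": "udp", "dport": 137},  # local NetBIOS broadcast
]

if __name__ == "__main__":
    for (src, kind), n in amplification_report(SAMPLE).items():
        print(f"{kind}: {n} packet(s) whose replies would hit {src}")
```

On routers the matching mitigation is to refuse to forward directed broadcasts at all, so the replies never get generated in the first place.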
65. NFS Attacks
● Config can allow unintended access to the filesystem
● Potential for unauthorized clients by falsifying the IP (the only auth mechanism)
● Faking the userid (permissions)
● Sniffing the connection (unencrypted by default)
● Setuid allows privilege escalation (disable NFS setuid rendering)
68. NTP – Time Syncing
● Use trusted upline servers (and more than one)
● Network should have its own timeserver
69. DDoS
● Attacks by thousands of machines against a host or device
● Only so much you can plan for
● Network proxies exist
● Configurations can ease congestion if it is a smaller DDoS
70. SYN Floods
● DoS attack – Overloads the maximum number of connections a server can handle