CISSP p316-380
Securing Network Components
Deterministic Routing
-traffic only travels on pre-determined routes
Boundary Routers
-advertise routes that external hosts can use to
reach internal destinations
-filters external traffic
Design and Set up a perimeter!
(IDS,FW,filtering)
Network Partitioning
-segment networks into domains of trust
-control what is forwarded between segments
Dual-Homed Host
-has two NICS, each on a separate network
Bastion Host
-gateway between trusted & untrusted that
gives limited, authorized access to untrusted
hosts
-data diode = simplex communication
Demilitarized Zone (DMZ)
-aka Screened Subnet
-allows an org to give external host limited
access to public resources, like a web server
that contains the org's site, without giving
access to the org's internal network
Hardware
Modems - analog
Concentrators - multiplex connected devices
into a single signal
Front-End Processors - purpose is to off-load
from the host computer the work of managing
the peripheral devices
Multiplexers - select one of several analog or
digital input signals and forward the selected
input onto a single line
Concentrators vs. Multiplexers
Hubs & Repeaters
-Hubs used for star topology
-a hub repeats every frame out every port, so
all devices see each other's traffic
-any device on the hub can sniff, and with
spoofing inject into, others' traffic
-Repeaters regenerate the signal to counter
degradation over distance
Bridges
-layer 2 device (Data link)
-filters traffic between segments based on MAC
addresses
-also regenerates signals for large networks
-drops frames not destined for another segment
Switches
-learns which port each source MAC is behind and
forwards a unicast frame only to the port of the
destination MAC named in the frame
-broadcasts (and frames to not-yet-learned MACs)
are flooded to all ports
Routers
-forward packets to other networks
-they read the destination from layer 3 (IP address)
-based on their view of the network they
determine the next hop to send the packet to
Transmission Media
Wired
Throughput:rate that the data will be
transmitted
Distance:how far in between devices,
degrading signal
Data Sensitivity: will someone try to tap this
cable?
Environment: bent cables, EMI, RFI, temperature
Twisted Pair
-copper wires twisted together to reduce EMI
-each wire is coated then surrounded by jacket
-twists/in, type of insulation, conductive material
Cat 1-6
Unshielded Twisted Pair (UTP)
-no shielding
-EMI and RFI will degrade the signal
-easy to tap, and emanations can be monitored
-cheap and common
Shielded Twisted Pair (STP)
-UTP except it has an electrically grounded
shield inside the cable
-expensive and bulky
Coaxial Cable (Coax)
-one thick conductor surrounded by a
grounding braid of wire
-great bandwidth and longer runs than TP
-very well insulated
-expensive and bulky
Patch Panels
-alternative to directly connecting devices
-use patch cables to change connections easily
-need to be neat
Wireless
Direct-Sequence Spread Spectrum
(DSSS)
-spreads a transmission over a large frequency
band with small amplitude
-wider band = less interference
-sender & receiver communicate which
frequencies are too cluttered to send data
over
Frequency-Hopping Spread
Spectrum (FHSS)
-spreads signal over rapidly changing
frequencies
-signals rapidly change among sub-frequencies
in an order that is agreed upon between s&r
-can interfere with DSSS
-this rapid changing keeps interference
minimized
Orthogonal Frequency Division
Multiplexing (OFDM)
-signal is divided into sub-frequency bands,
each band is manipulated so they broadcast
together so they don't interfere with each
other
Frequency Division Multiple Access
(FDMA)
-analog
-old cellular technology
-divides band into sub-bands and assigns an
analog conversation to each sub-band
-replaced by GSM & CDMA
Time Division Multiple Access
(TDMA)
-multiplexes several digital calls (voice or data)
at each sub-band by devoting a small time
slice in a round-robin to each call in the band
-2 sub-bands are required for each call
1 for each sender
Mobile Cellular Telephony
Code Division Multiple Access
(CDMA)
-spread spectrum cellular tech
-runs like DSSS
CDMA2000 (1xRTT) improves data capability by
about 10x (153 kbps)
Wideband CDMA (W-CDMA): this is 3G
Global System for Mobile
Communications (GSM)
-most popular cell tech
-divides frequency bands into simplex channels
-user ID: Subscriber Identity Module, SIM card
-authentication is one-way: the network
authenticates the phone (SIM), but the phone
never authenticates the network, so a rogue
base station can masquerade as the network
Wireless LANs
Authentication is the 1st line of defense
Open System Authentication
-no real authentication: any client that
presents the network's SSID is permitted to join
Shared-Key Authentication
-WEP challenge/response, will talk about later
MAC Address Filtering (MAC address tables)
-"authenticates" based on a MAC address
-easy to spoof, so it's not very effective
Service Set Identifier (SSID) Broadcasting
-name of wireless LAN
-wireless clients send a probe asking for an
SSID response
-the access point beacons the name at all times
-Don't make your SSID
"TOP SECRET SECRETS of Wells Fargo"
Placement
-keep your wireless routers in central locations
to keep the network radiation from getting
outside the walls
-don't keep it in a microwave
Encryption
Wired Equivalent Privacy (WEP)
-uses a shared secret
-before each packet is sent a CRC-32
checksum (the ICV) is appended to it, then both are
encrypted using RC4 keyed with the shared secret
& a 24-bit initialization vector
-it's weak: IVs repeat quickly, RC4 key-scheduling
flaws let the key be recovered from captured
traffic, and CRC-32 is linear, so ciphertext can be
altered without detection
WiFi Protected Access (WPA)
-improved use of RC4
-uses Temporal Key Integrity Protocol (TKIP) so
there is a new key for each packet
-CRC-32 checksum was replaced with a
message integrity check called Michael, which
protects header & data from tampering; also has
a frame counter to stop replay
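The WEP weakness above, and the reason WPA had to replace the CRC with a real MIC (Michael) and WPA2 with CCMP, can be shown in a few lines. The following is an added illustration, not part of the original notes: it builds a toy WEP frame exactly as the notes describe (IV in the clear, RC4 over data||CRC-32) and then, without the key, flips chosen bits and patches the ICV so the receiver still accepts the frame. The RC4 routine, key, IV and message are constructed for the demo.

```python
"""Why WEP's CRC-32 'integrity check' does not give integrity.

Added illustration, not from the CISSP notes. A toy WEP frame is built the
way the notes describe: IV || RC4(IV || key) XOR (plaintext || CRC-32).
RC4 is a stream cipher (XOR with a keystream) and CRC-32 is linear under
XOR, so an attacker who cannot read the plaintext can still flip chosen
bits and patch the checksum; the receiver accepts the forgery. This is
the flaw WPA's Michael MIC and WPA2's CCMP were introduced to close.
The RC4 code, key, IV and plaintext below are constructed for the demo.
"""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 as 4 little-endian bytes."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, then RC4(IV||key) over data||ICV."""
    return iv + rc4(iv + shared_key, plaintext + crc32(plaintext))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Receiver: return the plaintext if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    dec = rc4(iv + shared_key, body)
    data, icv = dec[:-4], dec[-4:]
    return data if crc32(data) == icv else None


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker, no key: XOR `delta` into the ciphertext and patch the ICV.

    For equal lengths, crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros), so the
    ICV correction depends only on `delta`, never on the hidden plaintext.
    """
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    patch = bytes(x ^ y for x, y in zip(crc32(delta), crc32(bytes(n))))
    return iv + bytes(b ^ d for b, d in zip(body, delta + patch))


def naive_flip(frame: bytes, delta: bytes) -> bytes:
    """Same bit flips without fixing the ICV; the receiver rejects this."""
    iv, body = frame[:3], frame[3:]
    return iv + bytes(b ^ d for b, d in zip(body, delta + bytes(4)))


def demo() -> bytes:
    """Turn 'PAY alice 10' into 'PAY alice 99' without knowing the key."""
    key = b"SECRET!"                      # constructed shared secret
    iv = b"\x01\x02\x03"                  # constructed 24-bit IV
    original = b"PAY alice 10"
    frame = wep_encrypt(key, iv, original)
    # Attacker only guesses the message layout: bytes 10-11 hold "10".
    delta = bytearray(len(original))
    for k, (old, new) in enumerate(zip(b"10", b"99")):
        delta[10 + k] = old ^ new
    return wep_decrypt(key, flip_bits(frame, bytes(delta)))  # b"PAY alice 99"
```

The attacker never learns the key or the full plaintext; knowing (or guessing) the position of one field is enough. A keyed MIC such as Michael or the CBC-MAC inside CCMP closes this because its value cannot be predicted from the bit difference alone.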
WPA2 - IEEE 802.11i
-RC4 is replaced with Advanced Encryption
Standard (AES)
-TKIP & Michael replaced with Counter
Mode with CBC-MAC Protocol (CCMP)
-Supports Extensible Authentication Protocol
(EAP) via 802.1X for enterprise authentication
WiFi Variants
802.11b
-1st widely deployed version of WiFi
-uses DSSS
-2.4 GHz band
802.11a
-won't interoperate with 'b'
-uses OFDM
-5 GHz band
802.11g
-works with 'b'
2.4 GHz
Bluetooth 802.15.1
-uses FHSS on 2.4 GHz band
-Blue Jacking: allows anonymous message to
show on device
-Buffer Overflow: remotely exploit bugs in
software
-Blue Bug Attack: uses AT commands on
victims' phone to initiate calls and send
messages
Address Resolution Protocol (ARP)
-given a layer 3 address (IP), ARP determines
the layer 2 address (MAC)
-ARP tracks IP addresses and their MACs in a
dynamic table called the ARP cache
-ARP replies are unauthenticated, so a host can
poison another's cache (ARP spoofing) and
intercept its traffic
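Because the cache is filled from unauthenticated replies, the practical defence on a host or sensor is to watch the bindings change. The following is an added example, not from the notes: a small monitor that flags an IP whose MAC changes from what was first learned and a single MAC that answers for many IPs (an attacker claiming the gateway and its victims). The ARP replies fed to it are constructed.

```python
"""Detecting ARP cache poisoning from observed ARP replies.

Added example, not from the notes. Because ARP replies carry no
authentication, the only defence short of static entries or switch
features (dynamic ARP inspection) is to watch the bindings: flag an IP
whose MAC changes from what was first learned, and a single MAC that
answers for many IPs, the signature of an attacker claiming both the
gateway and its victims. The ARP replies below are constructed.
"""
from collections import defaultdict

# Constructed ARP replies as (sender_ip, sender_mac), in arrival order.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:aa:bb:01"),  # gateway, legitimate
    ("10.0.0.5", "00:11:22:aa:bb:05"),  # workstation
    ("10.0.0.1", "00:11:22:aa:bb:01"),  # gateway again, same MAC: fine
    ("10.0.0.1", "DE:AD:BE:EF:00:99"),  # attacker now claims the gateway
    ("10.0.0.5", "de:ad:be:ef:00:99"),  # ...and the workstation
    ("10.0.0.7", "de:ad:be:ef:00:99"),  # ...and a third host
]


class ArpMonitor:
    """Keeps the first-seen IP->MAC binding and reports deviations."""

    def __init__(self, max_ips_per_mac: int = 2):
        self.cache = {}                       # ip -> mac as first learned
        self.ips_by_mac = defaultdict(set)    # mac -> set of ips it claimed
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, ip: str, mac: str) -> None:
        mac = mac.lower()                     # normalise before comparing
        known = self.cache.get(ip)
        if known is None:
            self.cache[ip] = mac
        elif known != mac:
            self.alerts.append(f"ip-mac-change {ip}: {known} -> {mac}")
        claimed = self.ips_by_mac[mac]
        claimed.add(ip)
        if len(claimed) > self.max_ips_per_mac:
            self.alerts.append(
                f"mac-claims-many {mac}: {sorted(claimed)}")


def analyze(replies) -> list:
    """Run the monitor over a reply sequence and return the alerts raised."""
    mon = ArpMonitor()
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts
```

On the sample above the monitor raises two ip-mac-change alerts (gateway, then workstation) and one mac-claims-many alert once the attacker's MAC has claimed three addresses. A legitimate DHCP reassignment also produces ip-mac-change (the same heuristic arpwatch reports), so in practice correlate with DHCP logs; the same IP flip-flopping between two MACs is the stronger signal.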
Point-to-Point Protocol (PPP)
-used to connect a device to a network over a
serial line
-dial up
-Password Authentication Protocol (PAP) -
cleartext
-Challenge Handshake Authentication Protocol
(CHAP) - 3 way handshake
-Uses EAP
Broadband Wireless IEEE 802.16
-WiMAX
-doesn't work like cell towers
-Metro Area Network (MAN)
-channel sizes are flexible
Fiber
-uses glass/plastic to transmit light
Needs
-light source
-optics cable
-light detector
LEDS: cheap, less bandwidth, only good over
short distances, use in LANS
Diode Laser:expensive, great distances
Wavelength Division Multiplexing (WDM) 32x
capacity
Multimode Fiber:transmitted in different
modes, cable is 50-100 microns thick
light disperses too much when using
medium/long cable runs
Single Mode Fiber: 10 microns thick, light
goes down the middle, long runs, great
bandwidth, internet backbone
Network Access Control Devices
Firewalls:
-filters traffic based on set of rules
-should always be on internet gateways, and in
between trust domains
Filtering: blocks or forwards packets
-by source/destination address
-by service, port number
Network Address Translation (NAT): firewalls
can change the source address of a packet on
its way out
Port Address Translation (PAT): translates all
internal addresses to one routable IP address &
rewrites the source port number in the packet
to a unique value so replies can be mapped back
Static Packet Filtering: fixed rules that cannot be
temporarily opened to accept legitimate return
traffic, so return ports end up permanently open
Stateful Inspection/Dynamic Packet Filtering:
stateful inspection examines each packet in
the context of the session it belongs to; FTP,
whose data connection uses a negotiated port,
is the classic example
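The difference between a static rule set and a session table, and how PAT's port rewriting fits in, is easiest to see on a few packets. The block below is an added example (not from the notes): a stateless filter that has to leave high ports open to admit replies, beside a stateful PAT that creates a session on an outbound SYN, rewrites the source, and only lets matching replies back in. All addresses and ports are constructed from documentation ranges.

```python
"""Static versus stateful packet filtering, with PAT, on constructed packets.

Added example, not from the notes. A packet is modelled as a 5-tuple plus
TCP flags. `static_filter` decides per packet from fixed rules, so to let
replies back in it has to leave every high port open permanently.
`StatefulPAT` lets an outbound SYN create a session entry and a port
mapping, then admits only inbound packets matching that session and
rewrites them back to the internal host. All addresses and ports are
constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


INTERNAL_NET = "10.0.0."         # hosts behind the firewall
PUBLIC_IP = "203.0.113.10"       # the firewall's single routable address
ALLOWED_OUT = {80, 443}


def static_filter(pkt: Packet) -> bool:
    """Stateless rules: inside -> web ports, and, so that replies get
    through at all, anything from outside to a port >= 1024. The second
    rule is the weakness: it also admits unsolicited traffic."""
    inside = pkt.src_ip.startswith(INTERNAL_NET)
    if inside and pkt.dst_port in ALLOWED_OUT:
        return True
    if not inside and pkt.dst_port >= 1024:
        return True
    return False


class StatefulPAT:
    """Session table keyed by the translated (public) side of each flow."""

    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.sessions = {}

    def outbound(self, pkt: Packet):
        """Translate an inside->outside packet, or None if not allowed."""
        if not pkt.src_ip.startswith(INTERNAL_NET) or pkt.dst_port not in ALLOWED_OUT:
            return None
        pub = self._public_port_for(pkt)
        if pub is None:
            if not pkt.syn:
                return None               # no session and not starting one
            pub = self.next_port
            self.next_port += 1
            self.sessions[(pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=PUBLIC_IP, src_port=pub)

    def inbound(self, pkt: Packet):
        """Admit only replies to a known session; untranslate the destination."""
        if pkt.dst_ip != PUBLIC_IP:
            return None
        internal = self.sessions.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if internal is None:
            return None
        return replace(pkt, dst_ip=internal[0], dst_port=internal[1])

    def _public_port_for(self, pkt: Packet):
        for (pub, rip, rport), (iip, iport) in self.sessions.items():
            if (iip, iport, rip, rport) == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                return pub
        return None


def demo() -> dict:
    fw = StatefulPAT()
    syn = Packet("10.0.0.5", 51515, "198.51.100.7", 443, syn=True)
    out = fw.outbound(syn)
    reply = Packet("198.51.100.7", 443, PUBLIC_IP, out.src_port, syn=True, ack=True)
    back = fw.inbound(reply)
    later = fw.outbound(Packet("10.0.0.5", 51515, "198.51.100.7", 443, ack=True))
    # Unsolicited probe to a high port: static rules admit it, the session table does not.
    probe = Packet("198.51.100.99", 4444, PUBLIC_IP, 40001)
    return {
        "translated_src": (out.src_ip, out.src_port),        # ("203.0.113.10", 40000)
        "reply_delivered_to": (back.dst_ip, back.dst_port),  # ("10.0.0.5", 51515)
        "same_mapping": later.src_port == out.src_port,      # True
        "probe_static": static_filter(probe),                # True: the hole
        "probe_stateful": fw.inbound(probe) is not None,     # False
        "no_syn_no_session": fw.outbound(
            Packet("10.0.0.6", 5000, "198.51.100.7", 80, ack=True)) is None,  # True
    }
```

A real stateful firewall also ages entries out and tracks TCP state transitions (SYN, established, FIN), and for FTP it additionally parses the control channel to learn the negotiated data port; the table structure is the same.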
Proxies: User talks to a proxy server, the proxy
communicates with the untrusted host and
gives that host's response back to the user
Circuit Level Proxy: does not inspect any traffic
it forwards
Application Level Proxy:
-relays traffic from trusted endpoint running a
specific application to an untrusted host
-analyzes the traffic for manipulation/attacks
-Example: Web Proxy - everyone's browser
goes through it
Personal Firewalls: for security in depth,
workstation firewalls should be used in
tandem with network firewalls
End-Point Security
-update antivirus/antimalware
-configured firewall
-hardened configuration/no unneeded services
-patched/updated OS
-encrypt the entire disk
-Remote Management
-wipe -geolocate -update operation
Secure Communication Channels
Virtual Private Network (VPN)
-encrypted tunnel between 2 hosts/gateways
IPSec Authentication & VPN Confidentiality
IPSec:suite of protocols for communicating
securely through IP
Authentication Header (AH):
-used to prove the identity of the sender and
that the packet has not been tampered with
-a keyed hash (HMAC) of the packet contents,
computed with the shared secret, is inserted into
the last field of the AH (the Integrity Check Value)
-each packet has a sequence number within the
security association, used for anti-replay
-ensures integrity, no confidentiality
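What AH's keyed hash plus per-SA sequence number buys a receiver is shown below. This is an added example, not from the notes and not the real AH wire format: a sender authenticates seq||payload with HMAC-SHA256, and the receiver verifies the ICV before it lets the sequence number move a sliding anti-replay window, so replayed, tampered and too-old packets are all dropped. Key, window size and packets are constructed.

```python
"""AH-style integrity and anti-replay for one security association.

Added example, not from the notes. It models what the Authentication
Header gives an IPsec SA: a keyed hash (HMAC-SHA256 here, over the
sequence number and payload, standing in for AH's ICV over the immutable
parts of the packet) plus a per-SA sequence number checked against a
sliding window so replayed packets are dropped. The key, window size
and packets are constructed; the 4-byte seq || 32-byte ICV || payload
layout is this example's own, not the real AH format.
"""
import hashlib
import hmac
import struct

WINDOW = 32   # anti-replay window in packets; real stacks use 32 or 64


def auth_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq (4 bytes) || ICV (32 bytes) || payload."""
    seq_b = struct.pack(">I", seq)
    icv = hmac.new(key, seq_b + payload, hashlib.sha256).digest()
    return seq_b + icv + payload


class AhReceiver:
    """Verifies the ICV, then enforces the sliding anti-replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0      # highest sequence number accepted so far
        self.seen = 0         # bitmap: bit k set => seq (highest - k) was accepted

    def accept(self, packet: bytes):
        """Return the payload if authentic and not replayed, else None."""
        seq_b, icv, payload = packet[:4], packet[4:36], packet[36:]
        expected = hmac.new(self.key, seq_b + payload, hashlib.sha256).digest()
        # ICV first: an unauthenticated seq must never move the window.
        if not hmac.compare_digest(icv, expected):
            return None
        seq = struct.unpack(">I", seq_b)[0]
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return payload
        offset = self.highest - seq
        if offset >= WINDOW or (self.seen >> offset) & 1:
            return None       # older than the window, or already accepted
        self.seen |= 1 << offset
        return payload


def demo() -> dict:
    key = b"constructed-sa-key"
    rx = AhReceiver(key)
    p1, p2, p3 = (auth_packet(key, s, b"msg%d" % s) for s in (1, 2, 3))
    out = {}
    out["in_order"] = [rx.accept(p1), rx.accept(p3)]   # 2 is delayed in transit
    out["late_but_new"] = rx.accept(p2)                # inside window, unseen: ok
    out["replay"] = rx.accept(p1)                      # seen already: dropped
    out["tampered"] = rx.accept(p3[:36] + b"msg9")     # payload changed, ICV stale
    rx.accept(auth_packet(key, 100, b"jump"))          # window slides far ahead
    out["too_old"] = rx.accept(auth_packet(key, 60, b"stale"))  # outside window
    return out
```

The ordering inside `accept` is the security-relevant detail: checking the ICV before touching the window means an attacker cannot forge a high sequence number to push legitimate in-flight packets out of the window. The same window logic applies to ESP when it is configured with integrity.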
Encapsulating Security Payload (ESP):
-encrypts the IP payload and optionally ensures
integrity
ESP Header: contains the SPI showing which
security association to use and the sequence
number
ESP Payload: contains the encrypted part of
the packet; endpoints negotiate which
encryption to use
ESP Trailer: padding to align fields
Authentication: if used, it contains the keyed hash
of the ESP packet
Security Associations (SA)
-defines the mechanisms that an endpoint will
use to communicate with its partner
-second SA is needed for 2-way communication
Transport Mode & Tunnel Mode
IPSec will use one of these
Transport Mode: IP payload is protected, client
to server, end to end
Tunnel Mode: IP payload & header are
protected; the entire protected packet
becomes the payload of a new IP packet &
header
-used between networks (gateway to gateway)
Internet Key Exchange (IKE)
-authentication component of IPSec
-Two Phases
Phase 1:
Partners authenticate with each other using
one of the following:
1. Shared Secret: key is exchanged manually,
out of band
2. Public Key Encryption: digital certs
3. Revised mode of Public Key Encryption: a
nonce is encrypted with the partner's public
key
Phase 2:
-Establishes a temporary security association
(for the actual traffic), using the secure tunnel
created at the end of Phase 1
High Assurance Internet Protocol
Encryptor (HAIPE)
-based on IPSec
-possesses additional restrictions &
enhancements
-encrypts multicast data
-requires manual loading of keys
-military grade security
Tunneling
Point-to-Point Tunneling Protocol
(PPTP)
-VPN protocol that runs over other protocols
-relies on Generic Routing Encapsulation
(GRE) to build the tunnel
-user authenticates with MSCHAPv2, then a
Point-to-Point Ptcl (PPP) session creates a
tunnel
-vulnerable to password guessing
-derives its encryption key from the users
password
Layer 2 Tunneling Protocol (L2TP)
-Hybrid of PPTP and Layer 2 Forwarding (L2F)
-allows callers over a serial line using PPP to
connect over the Internet to a remote network
-no encryption of its own, so it is normally run
over IPSec (L2TP/IPSec)
TLS/SSL
Secure Shell (SSH):
-allows a user to securely access resources on
remote computers over an encrypted tunnel
-remote log on, file transfer, command
execution, port forwarding
-strong authentication (public keys, not just
passwords)
SOCKS:
-popular circuit-level proxy protocol
-client connects to the SOCKS server, which then
relays its TCP connections, so it can be used like
a VPN (but adds no encryption of its own)
SSL/TLS VPNs
-remote users use a web browser to access
applications
-easy to deploy and set up access
-no network-to-network tunnels
VLAN
-hosts are not necessarily on the same physical
media, but are placed in the same logical
broadcast domain (subnet)
Voice
Modems & Public Switched Telephone
Networks (PSTN)
-PSTN is a circuit-switched network that was
originally used for analog voice
-uses hierarchical tree to route transmissions
War Dialing: dial a range of numbers to id
modems, best defense is to shut off modems
Plain Old Telephone Service (POTS): bi-
directional analog voice, high reliability, low
bandwidth
Private Branch Exchange (PBX): enterprise
class phone system used in business/large
orgs
-internal switching network
-analog
VoIP:
-replacing telephony networks
-more configurable/more breakable
-an IP address carries no geographic location, so
emergency (911) calls cannot be routed to the
right responder without extra provisioning
Session Initiation Protocol (SIP)
-manages multimedia connections
Multimedia Collaboration
Peer to Peer Applications & Protocols
-monitor p2p apps in your org
-bandwidth consumption/security risks/legality
-it opens uncontrolled channels through your
network boundaries
Remote Meeting Technology:
-web based -usually browser extensions
-desktop sharing/remote control
-vendor backdoors
Instant Messaging (IM)
3 classes
1.Peer to peer networks
2.Brokered Communication
3.Server-oriented networks
-All support 1 to 1 and many to many
Open Protocols, Applications, and
Services
Extensible Messaging and Presence
Protocol (XMPP) & Jabber
-Jabber is an open IM protocol
-XMPP is the formalized name of Jabber
-server based, so a server operator can
eavesdrop
Internet Relay Chat (IRC)
-good anonymity
-no security
-client/server based
-IDs can be easily falsified
-most have no confidentiality
-IRC clients can execute scripts, a malware vector

CISSP Week 6
