From: CISSP Training Guide by Roberta Bragg
The Telecommunications and Network Security domain encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media.
Application layer (Layer 7) – Primarily responsible for interfacing with the user. This is the application interface that the user experiences.
Email, chat, database apps, www apps.
Presentation layer (Layer 6) – Primarily responsible for translating the data from something the user expects to something the network expects.
Encryption, data conversion (graphics, media), redirectors (SMB, NCP).
Session layer (Layer 5) – Primarily responsible for dialog control between systems and applications.
NFS, RPC, SQL
Transport layer (Layer 4) – Primarily responsible for handling end-to-end data transport services.
End-to-end communication, segmentation, re-assembly; TCP & UDP.
Network layer (Layer 3) – Primarily responsible for logical addressing.
Logical addressing of packets.
Data Link layer (Layer 2) – Primarily responsible for physical addressing.
Physical addressing of frames and translation of packets to/from network layer into bits for the physical layer.
Does error checking and correction.
Switches and bridges are datalink-layer devices.
Broadcast and unicast.
Media Access Control (MAC)
Physical layer (Layer 1) – Primarily responsible for physical delivery and specifications.
Send and receive data over electrical signals.
DTE (Data Terminal Equipment) and the DCE (Data Circuit-Terminating Equipment)
Hubs and repeaters are considered physical-layer devices.
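To make the split between physical addressing (Layer 2), logical addressing (Layer 3) and end-to-end ports (Layer 4) concrete, here is an added example that is not from the training guide: a small parser that walks one Ethernet II / IPv4 / TCP frame down the stack and reports which header carried which address. The frame bytes are constructed for the example (the MACs, the 192.168.1.x addresses and the zero checksums are made up), and the parser decodes headers only; it does not verify checksums.

```python
import socket
import struct

# Constructed sample frame (not a real capture): Ethernet II + IPv4 (no options)
# + TCP SYN (no options, no payload). Checksums are left as zero on purpose.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"               # Layer 2: destination MAC
    "66778899aabb"               # Layer 2: source MAC
    "0800"                       # EtherType 0x0800 = IPv4
    "45000028" "00010000"        # Layer 3: ver 4 / IHL 5, TOS, total len 40, ID 1, flags/frag 0
    "4006" "0000"                # TTL 64, protocol 6 (TCP), header checksum (0, not verified)
    "c0a80101" "c0a80102"        # source 192.168.1.1, destination 192.168.1.2
    "c000" "0050"                # Layer 4: source port 49152, destination port 80
    "00000001" "00000000"        # sequence 1, acknowledgement 0
    "5002" "2000" "0000" "0000"  # data offset 5, flags SYN, window, checksum, urgent ptr
)

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Walk one frame down the stack: Ethernet (L2) -> IPv4 (L3) -> TCP (L4)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"layer2": {"dst_mac": _mac(dst_mac), "src_mac": _mac(src_mac),
                      "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return out  # not IPv4: nothing further for this example to decode

    packet = frame[14:]
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    out["layer3"] = {"src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
                     "ttl": ttl, "protocol": proto, "total_len": total_len}
    if proto != IPPROTO_TCP:
        return out

    segment = packet[ihl:total_len]
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (src_port, dst_port, seq, ack, off_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    out["layer4"] = {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
                     "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
                     "window": window}
    out["payload"] = segment[data_offset:]
    return out


if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

A switch would only ever look at the first 14 bytes (the MACs), a router at the IPv4 header that follows, and a packet-filtering firewall at the ports in the TCP header after that; the parser's three dictionaries line up with those three devices.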
Ethernet Local Area Networks (LANs) typically utilize three types of cabling (coax, unshielded twisted pair (UTP), and fiber optic) as well as wireless transmission.
- Linear bus – devices in a row on a single segment; one signal at a time (contention); coax; requires termination.
- Star – devices connected to a hub.
- Ring – a loop of cable interconnects the devices.
- Tree – based in part on the bus and the star topologies.
- Mesh – every node on the network is connected to every other node.
LAN Transmission Techniques
- Unicast – The packet is addressed to a specific destination host, both physically and logically.
- Broadcast – The packet is destined for all hosts on a subnet or network. ARP is sometimes referred to as a directed broadcast.
- Multicast – The packet is addressed to multiple hosts via the use of group membership addresses. Multicast occupies the middle ground between repeatedly sending unicasts to multiple destinations and broadcasting to all destinations.
Ethernet is the single most predominant technology in use today.
Ethernet is specified in the IEEE 802.3 specification as a Carrier Sense, Multiple Access/Collision Detection (CSMA/CD) methodology.
Today’s networks are primarily made up of five categories or types of devices:
Hubs and repeaters are physical-layer devices.
Switches and bridges are datalink-layer devices.
Routers are network-layer devices.
- Packet filtering
– Examines layer-3 or layer-4 information in a packet before making a filtering decision.
– First-generation firewalls.
- Application proxy
– Application-filtering firewalls function by reading the entire packet up to the Application layer before making a filtering decision.
– Sometimes referred to as an ALG (Application Level Gateway); considered a second-generation firewall.
- Circuit proxy
– Circuit proxy firewalls are a bit of a hybrid between application proxies and packet-filtering firewalls.
- Stateful inspection
– Network connection state is tracked by the firewall and then used to determine what traffic should be allowed to pass back through the firewall.
– Harder to apply to traffic that is "connectionless," such as UDP or certain types of remote procedure call traffic.
– Third-generation firewalls.
- Dynamic packet filtering
– Limited support for connectionless protocols like UDP.
- Kernel proxy
– Typically highly customized and specialized firewalls that are designed to function in kernel mode of the operating system.
- Mnemonic for the six types in order: Pf Ap Cp Si Dp Kp.
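The difference between a first-generation packet filter and third-generation stateful inspection is easiest to see by running the same packets through both. The following is an added example, not code from the training guide: a stateless filter that judges each packet on its layer-3/4 header fields alone, next to a stateful firewall that records outbound connections in a state table and admits inbound packets only as the reply half of a tracked entry. The UDP branch shows the "pseudo-state" idea that dynamic packet filtering uses for connectionless traffic. All packets and addresses are constructed for the example (the outside hosts use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    direction: str    # "out" = leaving the protected LAN, "in" = arriving from outside
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: Packet) -> bool:
    """First-generation packet filter: each packet judged alone on L3/L4 header fields.
    To let web and DNS replies come back, the inbound rules key on the *source* port,
    so any outside host that sets source port 80 or 53 is let in."""
    if pkt.direction == "out":
        return (pkt.proto == "tcp" and pkt.dst_port == 80) or \
               (pkt.proto == "udp" and pkt.dst_port == 53)
    return (pkt.proto == "tcp" and pkt.src_port == 80) or \
           (pkt.proto == "udp" and pkt.src_port == 53)


class StatefulFirewall:
    """Third-generation stateful inspection: outbound traffic that matches policy
    creates a state-table entry, and inbound packets pass only as the reply half
    of an existing entry. UDP has no handshake, so it gets a pseudo-entry on the
    first outbound datagram (the dynamic packet filtering idea)."""

    def __init__(self) -> None:
        # key: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.state = set()

    def filter(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.proto == "tcp":
                if pkt.syn and not pkt.ack and pkt.dst_port == 80:
                    self.state.add(key)        # new connection opened from inside
                    return True
                return key in self.state       # later segments of a tracked flow
            if pkt.proto == "udp" and pkt.dst_port == 53:
                self.state.add(key)            # pseudo-state for connectionless traffic
                return True
            return False
        # inbound: only the reverse direction of a tracked entry is allowed
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return key in self.state


def run_scenario() -> dict:
    """Constructed traffic: one legitimate web session, one DNS exchange, and an
    unsolicited inbound segment that carries source port 80 but matches no session."""
    fw = StatefulFirewall()
    web_syn = Packet("tcp", "out", "10.0.0.5", 40000, "203.0.113.10", 80, syn=True)
    web_synack = Packet("tcp", "in", "203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True)
    unsolicited = Packet("tcp", "in", "198.51.100.9", 80, "10.0.0.5", 4444, syn=True)
    dns_query = Packet("udp", "out", "10.0.0.5", 53001, "203.0.113.53", 53)
    dns_reply = Packet("udp", "in", "203.0.113.53", 53, "10.0.0.5", 53001)

    results = {}
    for name, pkt in [("web_syn", web_syn), ("web_synack", web_synack),
                      ("unsolicited", unsolicited), ("dns_query", dns_query),
                      ("dns_reply", dns_reply)]:
        results[name] = {"stateless": stateless_filter(pkt), "stateful": fw.filter(pkt)}
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:12s} stateless={verdict['stateless']!s:5s} stateful={verdict['stateful']}")
```

The one verdict that differs is the unsolicited segment: the stateless rule set has to admit it because "source port 80" is all it can see, while the state table rejects it because no inside host ever opened that connection. The same table is what makes the UDP reply work without a standing inbound rule, which is the pseudo-state that dynamic packet filtering adds for connectionless protocols.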
Three primary technologies are used for providing remote access VPN capabilities:
PPTP (Point to Point Tunneling Protocol) – PPTP is a Microsoft-developed technology that provides remote access by encapsulating PPP inside a PPTP packet. PPTP uses the PPP authentication mechanisms of PAP, CHAP, or MS-CHAP for authentication, and RSA RC4 encryption with 40-bit or 128-bit session keys. PPTP supports multi-protocol tunneling.
L2TP (Layer 2 Tunneling Protocol) – L2TP is similar in function to PPTP, but it does not use any vendor-specific encryption technologies. In addition, L2TP supports the use of RADIUS and TACACS for authentication, and IPSec (Internet Protocol Security) and IKE (Internet Key Exchange) for encryption and key exchange respectively. L2TP supports multi-protocol tunneling.
IPSec – IPSec is a network-layer encryption and security mechanism that can be used as a standalone VPN solution or as a component of an L2TP VPN solution. IPSec supports the use of DES (Data Encryption Standard) and 3DES (Triple DES); DES was cracked in 1999, so use 3DES. For integrity it uses 128-bit MD5-HMAC (Message Digest 5 – Hash Message Authentication Code) or 160-bit SHA-HMAC (Secure Hash Algorithm – Hash Message Authentication Code). IPSec supports the use of AH (Authentication Header) security, in which the IP header is secured but the data is not, or ESP (Encapsulating Security Payload), in which the entire packet is encrypted and secured.
Remote Access Authentication
RADIUS (Remote Authentication Dial In User Service) is a UDP-based de facto industry standard for providing remote access authentication via a client/server model. It uses a combined authentication and authorization profile, which means that RADIUS access is typically "all or none": you are either allowed to connect, or you are not.
TACACS (Terminal Access Controller Access Control System) is an older authentication technology that has been largely marked "end-of-life."
TACACS+, which sounds similar, is actually an entirely new protocol. It is similar in function to RADIUS but separates the authentication and authorization capabilities and uses TCP for connectivity. As a result, TACACS+ is generally regarded as being more reliable than RADIUS.
DOD model layers (bottom to top): Network, Internet, Transport (Host-to-Host), Application.
- Application Layer Protocols
BootP, FTP, LPD, NFS, POP3, SMTP, SNMP, Telnet, TFTP, X-Windows
- Transport Layer Protocols
TCP: connection-oriented, end-to-end, reliable; uses SYNs and ACKs; acknowledged transfer; packets are re-assembled.
UDP: connectionless, faster than TCP, unreliable; unacknowledged transfer.
- Internet Layer Protocols
IP, ICMP, ARP, RARP
Protecting CIA of Network Data
– Confidentiality – data transmitted is to be read only by the intended recipient (security, encryption).
– Integrity – assurance that the data received is the data that was transmitted (non-repudiation, firewalls, IDS).
– Availability – reliability and stability of network systems and applications (DoS prevention measures, fault tolerance, usable performance).
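The integrity bullet above and the MD5-HMAC / SHA-HMAC note in the IPSec entry describe the same mechanism: a keyed hash over the protected bytes that the receiver recomputes, so any change in transit (or a tag made with the wrong key) fails verification. The following is an added example, not code from the training guide: it computes the 128-bit MD5-HMAC and 160-bit SHA-HMAC tags from Python's standard library, applies the 96-bit truncation that IPSec AH and ESP use for these algorithms (RFC 2403 and RFC 2404), and shows a one-bit change being caught. The key and "packet" are constructed test values; in real IPSec the key would be negotiated by IKE.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample key and "packet" (not real IPSec traffic).
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
SAMPLE_PACKET = b"\x45\x00\x00\x30" + b"src=10.0.0.5;dst=10.0.0.9;payload=hello"

# The two integrity algorithms the notes name: 128-bit MD5-HMAC and 160-bit SHA-HMAC.
ALGORITHMS = {"md5-hmac": hashlib.md5, "sha-hmac": hashlib.sha1}


def integrity_tag(key: bytes, data: bytes, alg: str = "sha-hmac",
                  truncate_to: Optional[int] = None) -> bytes:
    """Compute the HMAC over the protected bytes. AH and ESP carry a truncated
    tag: HMAC-MD5-96 / HMAC-SHA-1-96 keep only the first 96 bits (12 bytes)."""
    tag = hmac.new(key, data, ALGORITHMS[alg]).digest()
    return tag[:truncate_to] if truncate_to else tag


def verify(key: bytes, data: bytes, tag: bytes, alg: str = "sha-hmac") -> bool:
    """Receiver side: recompute the tag at the same length and compare in constant time."""
    expected = integrity_tag(key, data, alg, truncate_to=len(tag))
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    tag96 = integrity_tag(SAMPLE_KEY, SAMPLE_PACKET, "sha-hmac", truncate_to=12)
    tampered = bytearray(SAMPLE_PACKET)
    tampered[-1] ^= 0x01  # flip one bit of the payload, as if altered in transit
    return {
        "full_len_bits": {alg: len(integrity_tag(SAMPLE_KEY, SAMPLE_PACKET, alg)) * 8
                          for alg in ALGORITHMS},
        "tag96_len_bits": len(tag96) * 8,
        "genuine_verifies": verify(SAMPLE_KEY, SAMPLE_PACKET, tag96),
        "tampered_verifies": verify(SAMPLE_KEY, bytes(tampered), tag96),
        "wrong_key_verifies": verify(b"\x00" * 20, SAMPLE_PACKET, tag96),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what the tag does and does not give you: it provides integrity and data-origin authentication (only a holder of the key could have produced it), but the packet bytes themselves are still readable. Confidentiality is ESP's separate encryption step, which is why the notes list AH (authentication only) and ESP (encrypted and secured) as different services.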
Trusted Network Interpretation
DOD Rainbow Series: the "Orange" book defines the Trusted Computer Security Evaluation Criteria (TCSEC).
Division D – Specifies that only minimal protection is available.
Division C – Discretionary protection: through the use of auditing, subjects and the actions they initiate are made accountable.
Division B – Specifies that mandatory access control rules are required. Systems in this division must carry sensitivity labels on the major data structures in the system.
Division A – These systems use formal security verification, via a stringent design verification, to assure that all of the security controls employed can effectively protect classified or other sensitive information.
Intrusion Detection Systems (IDSs)
IDS is detective (after the fact).
Network- vs host-based IDSs
Knowledge- vs Behavior-based IDSs.
Network-based IDSs are essentially raw packet-parsing engines, basically a network sniffer on steroids. They capture traffic in promiscuous mode, which allows them to see all traffic on the segment, and generally analyze the packets in what is considered real time.
Most host-based IDSs are designed to monitor logins and processes, typically by auditing system logs.
Knowledge-based IDS
- Can be network- or host-based.
- Maintains a database of known attacks and vulnerabilities (in other words, knowledge) and detects whether attempts to exploit these vulnerabilities are occurring.
- Sometimes referred to as signature-based.
- Benefits: low degree of false positives; alarms are standard and easy to understand.
- Drawbacks: resource intensive; the IDS must be constantly updated; new attacks can go unnoticed if signatures are not available or not updated.
Behavior-based IDS
- More complex than knowledge-based IDS.
- Functions by attempting to "learn" normal user behavior patterns and then alarming when activity occurs that is outside of normal use.
- Sometimes referred to as anomaly-based IDS.
- Benefits: systems can dynamically respond to new, original, or unique exploits and attacks; not dependent on specific operating systems.
- Drawbacks: high false alarm rates are very common, and too many false alarms mask real attacks; in environments with frequently changing patterns, the IDS has difficulty establishing a baseline.
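The two detection styles, and the trade-offs listed for each, can be seen side by side on the same traffic. The following is an added example, not code from the training guide: a signature matcher with a two-entry knowledge base, and an anomaly detector that learns a per-source request-rate baseline from a quiet training window and flags sources that exceed mean plus three standard deviations. The web requests, client addresses and the 3-sigma threshold are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Known-bad request patterns: the "knowledge" of a signature-based IDS.
SIGNATURES = {
    "directory traversal": re.compile(r"(?:^|/)\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select"),
}


def knowledge_based(events):
    """Signature matching: alert only when a request matches a stored pattern."""
    alerts = []
    for src_ip, path in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((src_ip, name))
    return alerts


def learn_baseline(training_events):
    """Behavior-based 'learning': requests per source during a quiet training window."""
    per_source = Counter(src for src, _ in training_events)
    counts = list(per_source.values())
    return statistics.mean(counts), statistics.pstdev(counts)


def behavior_based(events, baseline, k=3.0):
    """Anomaly detection: flag any source whose request count exceeds mean + k*sd."""
    mean, sd = baseline
    threshold = mean + k * sd
    per_source = Counter(src for src, _ in events)
    return sorted(src for src, n in per_source.items() if n > threshold)


def make_requests(src_ip, n, path="/index.html"):
    return [(src_ip, path) for _ in range(n)]


# Constructed sample traffic (not real logs). Training window: five ordinary clients.
TRAINING = (make_requests("10.0.0.5", 8) + make_requests("10.0.0.6", 10)
            + make_requests("10.0.0.7", 12) + make_requests("10.0.0.8", 9)
            + make_requests("10.0.0.9", 11))

# Monitored window: the same clients, one of them unusually busy (20 requests),
# an outside source hammering a search page (40 requests, no known-bad pattern),
# and one single request carrying a traversal string.
MONITORED = (make_requests("10.0.0.5", 10) + make_requests("10.0.0.6", 20)
             + make_requests("10.0.0.7", 11) + make_requests("10.0.0.8", 9)
             + make_requests("10.0.0.9", 10)
             + make_requests("198.51.100.20", 40, "/search?q=a")
             + [("203.0.113.7", "/files/../../config.ini")])


def run_comparison():
    baseline = learn_baseline(TRAINING)
    return {
        "baseline": baseline,
        "knowledge": knowledge_based(MONITORED),
        "behavior": behavior_based(MONITORED, baseline),
    }


if __name__ == "__main__":
    result = run_comparison()
    print("baseline mean/sd:", result["baseline"])
    print("knowledge-based alerts:", result["knowledge"])
    print("behavior-based alerts:", result["behavior"])
```

Each detector catches what the other misses: the signature engine names the single traversal request exactly (standard, easy-to-read alarm) but says nothing about the 40-request source, for which it has no signature; the anomaly engine flags that source but also flags the legitimate client that was merely busier than its baseline, which is the false-alarm cost the notes list. Raising k reduces the false positive at the expense of sensitivity, and a baseline learned from a window with very different traffic would shift the threshold entirely.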
Intrusion response is the principle of defining how to respond when an intrusion is detected.
Intrusion response is often defined as part of the responsibilities of a Computer Incident Response Team (CIRT).
The primary responsibility of the CIRT is to define and execute the company’s response to an incident via a process known as Incident
- Coordinate how the notification and distribution of incidents should occur.
- Mitigate the risk of an incident by minimizing disruptions and the costs involved in remediating the incident.
- Assemble teams of people to investigate and resolve potential incidents.
- Provide active input in the design and development of the company security policy.
- Manage and monitor logs.
- Manage the resolution of incidents, including post mortems of incidents.
Common Attacks and Countermeasures
- Social engineering, brute force
- PBX fraud and abuse, email and Internet abuse
- Network sniffing, dumpster diving, keystroke recording
- Denial of service
– SYN flooding, buffer overflows, teardrop attacks, LAND attacks, SMURF attacks, distributed denial-of-service (DDoS) attacks
- Network intrusion and prevention
– Spoof attacks, Trojans, viruses and worms, back doors, TCP hijacking, piggy-backing
– Port scans, banner abuse, sniffing