Unit 9: Network Security (OSI)
Terms in this set (36)
1. Recall the layers of the OSI network model and the Internet Protocol Suite and discuss their characteristics.
1 The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium. It describes the electrical/optical, mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher layers.
2 The Data Link Layer: Main job is to move pkt to the next hop using the MAC address (src= curr hop, dst=next hop).
Physical addressing (MAC) and access to media. Two sublayers: Logical Link Control (LLC) and Media Access Control (MAC). It is the lowest layer at which meaning is assigned to the bits that are transmitted over the network. Data-link protocols address things, such as the size of each packet of data to be sent, a means of addressing each packet so that it's delivered to the intended recipient, and a way to ensure that two or more nodes don't try to transmit data on the network at the same time. The Data Link Layer also provides basic error detection and correction to ensure that the data sent is the same as the data received. If an uncorrectable error occurs, the data-link standard must specify how the node is to be informed of the error so it can retransmit the data. Each device on the network has an address known as the Media Access Control address, which is the actual hardware address, assigned to the device at the factory.
3. The Network Layer: Logical addressing and path determination. Routing. Reporting delivery errors. It handles the task of routing network messages from one computer to another. The two most popular Layer-3 protocols are IP (which is usually paired with TCP) and IPX (normally paired with SPX for use with Novell and Windows networks).
Layer 4: The Transport Layer: End-to-end connections and reliability. Segmentation / desegmentation of data in proper sequence. Flow control. The Transport Layer is the basic layer at which one network computer communicates with another network computer. The Transport Layer is where you'll find one of the most popular networking protocols: TCP. The main purpose of the Transport Layer is to ensure that packets move over the network reliably and without errors. The Transport Layer does this by establishing connections between network devices, acknowledging the receipt of packets, and resending packets that aren't received or are corrupted when they arrive. In many cases, the Transport Layer protocol divides large messages into smaller packets that can be sent over the network efficiently. The Transport Layer protocol reassembles the message on the receiving end, making sure that all packets contained in a single transmission are received and no data is lost.
Layer 5: The Session Layer
The Session Layer establishes sessions (instances of communication and data exchange) between network nodes. A session must be established before data can be transmitted over the network. The Session Layer makes sure that these sessions are properly established and maintained.
Layer 6: The Presentation Layer. Standard interface to data for the application layer. MIME encoding, data encryption, conversion, formatting, compression. The Presentation Layer is responsible for converting the data sent over the network from one type of representation to another. For example, the Presentation Layer can apply sophisticated compression techniques so fewer bytes of data are required to represent the information when it's sent over the network. At the other end of the transmission the Transport Layer then uncompresses the data. The Presentation Layer also can scramble the data before it's transmitted and then unscramble it at the other end, using a sophisticated encryption technique.
Layer 7: The Application Layer
The highest layer of the OSI model, the Application Layer, deals with the techniques that application programs use to communicate with the network. The name of this layer is a little confusing because application programs (such as Excel or Word) aren't actually part of the layer. Rather, the Application Layer represents the level at which application programs interact with the network, using programming interfaces to request network services. One of the most commonly used application layer protocols is HTTP, which stands for HyperText Transfer Protocol. HTTP is the basis of the World Wide Web.
1.1 OSI (7) vs TCP/IP (4)
Nothing : Network
1. Network interface: Specifies details of how data is physically sent through the network, including how bits are electrically signaled by hardware devices that interface directly with a network medium, such as coaxial cable, optical fiber, or twisted-pair copper wire.
2. Internet: Packages data into IP datagrams, which contain source and destination address information that is used to forward the datagrams between hosts and across networks. Performs routing of IP datagrams.
3. Transport: Provides communication session management between host computers. Defines the level of service and status of the connection used when transporting data.
4 . Application: Defines TCP/IP application protocols and how host programs interface with transport layer services to use the network.
1.2 OSI layer mapping to TCP/IP:
2 Data = 1 Network Access
3 Network = 2. Internet
4 Transport = 3 Transport
5 Session = 4 Application.
2. Discuss the inherent security shortcomings of common network protocols (e.g., TCP/IP).
TCP/IP along with the applications that use the services have vulnerabilities.
Attacks on the routing protocols.
Packet sniffing is the act of intercepting and reading any or all network traffic that is being transmitted across a shared network communication channel. Some traffic is sent in the clear allowing someone to read the traffic.
IP spoofing. To gain access, intruders create packets with spoofed source IP addresses. This exploits
apps that use authentication based on IP addresses and leads to unauthorized user and possibly root access on the targeted system.
Sequence Number Guessing: If TCP sequence numbers are predictable, a hacker can forge a connection from another machine. The hacker doesn't need to see the packets from the server; the server believes the
hacker is the trusted client. This is easily done on any Internet machines where the hacker has full privileges: Macs, Windows etc.
Denial of service is about without permission knocking off services, for example through
crashing the whole system. This kind of attacks are easy to launch and it is hard to protect a system against them.
3. Discuss the process and objectives of a DNS Poisoning attack. Describe how Domain Name System Security Extensions (DNSSEC) can be used to mitigate vulnerabilities associated with this type of attack.
A domain name system server translates a human-readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes. When a DNS server has received a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (often an attacker's).
DNSSEC is a set of security extensions to DNS that provides the means for authenticating DNS records. digitally 'signing' data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup from root zone to final domain name (e.g., www.icann.org). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall processii. Importantly it does not encrypt data. It just attests to the validity of the address of the site you visit.
4. Distinguish between various Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks and describe the processes that they utilize
In a DoS attack, one computer and one internet connection is used to flood a server with packets, with the aim of overloading the targeted server's bandwidth and resources.
DDoS attack, uses many devices and multiple Internet connections, often distributed globally into what is referred to as a botnet.
2. ping of death
3. Smurf attack Slide 26
4. SYN Flood Slide 27
1. In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.
2. attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command. The dst computer is not able to reassemble the packets so it becomes unstable/crashes.
3. Attacker spoofs src node & sends ICMP request to all nodes (B-CAST) on a subnet: 1.2.3.* The receiving nodes respond to the ping and send it to the spoofed sender (the victim). The protocol does not validate the src node.
4. Attacking a machine by spoofing the src machine and numerous TCP requests. Creates many half opened connections. Eventually, the targeted machine runs out of resources.
5. Explain the operation of a botnet and its components. Give examples of botnet attacks and describe other botnet uses.
6. Discuss mitigation techniques to reduce the effectiveness of DoS and DDoS attacks.
Active defense - one technique is to configure routers to drop traffic. Working as far upstream as possible to block or divert traffic from reaching the destination network.
overprovisioning-that is, buying excess bandwidth or redundant network devices to handle any spikes in demand.
Limit inbound traffic
Don't let spoofed IP addresses leave a network.
7. Classify firewall implementations according to their functionality (i.e., what they do) and their techniques (i.e., how they do it). Slide 59
A network device used as a door into or out of a network.
Static - Packet filtering: These firewalls use ACLs to inspect the data that they forward down to the IP layer. This inspection allows them to classify data based on the TCP or UDP ports, as well as the source and destination IP addresses. This filtering allows you to make forwarding decisions. Some organizations use packet filtering to allow only traffic that meets approved criteria to pass out of the firewall.
Stateful inspection: Also known as Stateful Packet Inspection (SPI) firewalls, these firewalls not only allow packet filtering, but it pays attention to the flow of the packets. Rather than evaluating each packet as a separate entity, it looks at the flow of the traffic and identifies packets that are replies to others. SPI can evaluate packets that are suspicious and part of an attack profile.
Application layer firewall: This firewall can be a specific firewall, but it tends to fall in the category of proxy and reverse proxy servers. In this case, there can be a deep packet inspection into the data to validate that it is not only allowed, but also not part of an attack on the systems that make up your network.
These firewalls tend to be specific for the application layer protocol that they are protecting. Common choices here are HTTP, FTP, and SMTP.
---Application Gateway (Proxy Server)
1 Centralized point of enforcement
2 Centralized logging of network traffic.
1. Single point of failure
2. Potential bottleneck
Doesn't protect against insider problems.
7.3 What is an application gateway (proxy server)
Also known as application proxy or application-level proxy, an application gateway is an application program that runs on a firewall system between two networks. When a client program establishes a connection to a destination service, it connects to an application gateway, or proxy. The client then negotiates with the proxy server in order to communicate with the destination service. In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. This creates two connections: one between the client and the proxy server and one between the proxy server and the destination. Once connected, the proxy makes all packet-forwarding decisions. Since all communication is conducted through the proxy server, computers behind the firewall are protected.
While this is considered a highly secure method of firewall protection, application gateways require great memory and processor resources compared to other firewall technologies, such as stateful inspection.
8. Discuss the strengths and weaknesses of specific types of firewall implementations.
They do provide a layer of protecting by inspecting in/outbound traffic and in many circumstances require user interaction to authorize. Viruses that work within a network are not detected until they try to call home. Once traffic is allowed to enter/exit firewalls to not monitor for malicious traffic.
8.1 What can be done with a firewall
Restrict services & ports
Restrict traffic flow
9. Compare and contrast packet filters and application-level gateways and discuss the strengths and limitations of each.
Packet Filtering mechanisms work in the network layer of the OSI model. In packet filtering, each packet passing through a firewall is compared to a set of rules before it is allowed to pass through. Depending on the packet and the rule, the packet can be either dropped, sent through or a message can be forwarded to the originator.
Certain application layer "control/data" protocols such as FTP, RTSP, file transfer in IM applications, etc. In order for these protocols to work through NAT or a firewall, either the application has to know about an address/port number combination that allows incoming packets, or the NAT has to monitor the control traffic and open up port mappings (firewall pinhole) dynamically as required. Legitimate application data can thus be passed through the security checks of the firewall or NAT that would have otherwise restricted the traffic for not meeting its limited filter criteria. Application level firewalls ensure protocol conformance. For example, attacks over http that violates the protocol policies like sending Non-ASCII data in the header fields or overly long string along with Non-ASCII characters in the host field would be dropped because they have been tampered with, by the intruders.
Application level firewalls can look in to individual sessions and decide to drop a packet based on information in the application protocol h
10. Define Demilitarized Zone (DMZ) in the context of network security and discuss its utilization.
A DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. Traditional DMZs allow computers behind the firewall to initiate requests outbound to the DMZ. Computers in the DMZ in turn respond, forward or re-issue requests out to the Internet or other public network, as proxy servers do. (Many DMZ implementations, in fact, simply utilize a proxy server or servers as the computers within the DMZ.) The LAN firewall, though, prevents computers in the DMZ from initiating inbound requests.
12. Explain the purpose of a Virtual Private Networks (VPN).
A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption. Major implementations of VPNs include OpenVPN and IPsec.
Secure - Private network connects over the public internet. Tunneling protocol encrypts data. Even sniffing won't work as data is encrypted.
VPN data encryption does not provide end-to-end data encryption. End-to-end encryption is data encryption between the client application and the server hosting the resource or service that is accessed by the client application. To get end-to-end data encryption, you can use IPSec to create a secure connection after the VPN connection is made.
IPsec uses encryption, encapsulating an IP packet inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination.
11. Define packet sniffing and discuss its use in both network attack and network defense.
11.1 Sniffing with inductance (slide 36
An intruder making use of wire emissions by taping into a wire and using a device pick up the signals being transmitted. This would give you easy access to traffic that uses cleartext protocols
11.2 Wireless sniffing slide 37
By gaining access to a wireless access point an intruder could sniff packets.
11.3 how to defend against packet sniffing
Establish an encrypted tunnel between your computer and a trusted network. (e.g. VPN). This encrypts any and all traffic from your machine to any destination over the untrusted part of it's journey.
Use only applications that encrypt their communications. (e.g. HTTPS). This encrypts your communications with just that application over the whole journey.
Encrypt sensitive files before sending them over the network. (e.g. zip them with AES enabled). This only works for the very specific scenario where you are sending discrete files.
Don't use the network at all. (e.g. go home) This is safest and should be your default position. If your attackers can sniff, they may well be able to alter, and then you have to start worrying about Man-In-The-Middle.
14. Define the term "split tunneling" and describe vulnerabilities introduced if it is allowed. SLide 51
(split tun´&l-ing) (n.) The process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN. This method of network access enables the user to access remote devices, such as a networked printer, at the same time as accessing the public network.
An advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server. A disadvantage of this method is that it essentially renders the VPN vulnerable to attack as it is accessible through the public, non-secure network.
13. Describe VPN implementation to include encryption, addressing, packet routing, and the role of VPN gateways and clients.
A packet leaves the source host and reaches the Security Gateway.
The Security Gateway encrypts the packet.
The packet goes down the VPN tunnel to the second Security Gateway. In actual fact, the packets are standard IP packets passing through the Internet. However, because the packets are encrypted, they can be considered as passing through a private "virtual" tunnel.
The second Security Gateway decrypts the packet.
The packet is delivered in the clear to the destination host. From the hosts' perspectives, they are connecting directly.
Creating VPN tunnels between Security Gateways is made easier through the configuration of VPN communities. A VPN community is a collection of VPN enabled gateways capable of communicating via VPN tunnels.
13.1 Where is data in the clear and where is it encrypted:
1. End to End (slide 40)
3 VPN (gateway to gateway) slide 46.
1. Encr takes place as src and dst node. You do see IP data so you can do traffic analysis.
2. Link encryption (sometimes called link level or link layer encryption) is the data security process of encrypting information at the data link level as it is transmitted between two points within a network. Data, which is plaintext in the host server, is encrypted when it leaves the host, decrypted at the next link (which may be a host or a relay point), and then reencrypted before it continues to the next link. Each link may use a different key or even a different algorithm for data encryption. The process is repeated until the data has reached the recipient.
3. Encr takes place at the gateway
15. Compare and contrast End-to-End Encryption and Link Encryption. Trace message delivery across networks and identify where encryption and decryption occurs in both schemes.
Slides 41, 42, 43
Encryption can be performed at different communication levels, each with different types of protection and implications. Two general modes of encryption implementation are link encryption and end-to-end encryption. Link encryption encrypts all the data along a specific communication path, as in a satellite link, T3 line, or telephone circuit. Not only is the user information encrypted, but the header, trailers, addresses, and routing data that are part of the packets are also encrypted. The only traffic not encrypted in this technology is the data link control messaging information, which includes instructions and parameters that the different link devices use to synchronize communication methods. Link encryption provides protection against packet sniffers and eavesdroppers.
In end-to-end encryption, the headers, addresses, routing, and trailer information are not encrypted, enabling attackers to learn more about a captured packet and where it is headed.
With end-to-end encryption, the packets do not need to be decrypted and then encrypted again at each hop, because the headers and trailers are not encrypted. The devices in between the origin and destination just read the necessary routing information and pass the packets on their way.
End-to-end encryption is usually initiated by the user of the originating computer. It provides more flexibility for the user to be able to determine whether or not certain messages will get encrypted. It is called "end-to-end encryption" because the message stays encrypted from one end of its journey to the other. Link encryption has to decrypt the packets at every device between the two ends.
15.1 Link Encryption
Link encryption occurs at the data link and physical layers. Hardware encryption devices interface with the physical layer and encrypt all data that pass through them. Because no part of the data is available to an attacker, the attacker cannot learn basic information about how data flows through the environment. This is referred to as traffic-flow security.
The following list outlines the advantages and disadvantages of end-to-end and link encryption methods.
Advantages of end-to-end encryption include the following:
• It provides more flexibility to the user in choosing what gets encrypted and how.
• Higher granularity of functionality is available because each application or user can choose specific configurations.
• Each hop computer on the network does not need to have a key to decrypt each packet.
Disadvantages of end-to-end encryption include the following:
• Headers, addresses, and routing information are not encrypted, and therefore not protected.
Advantages of link encryption include the following:
• All data are encrypted, including headers, addresses, and routing information.
• Users do not need to do anything to initiate it. It works at a lower layer in the OSI model.
Disadvantages of link encryption include the following:
• Key distribution and management are more complex because each hop device must receive a key, and when the keys change, each must be updated.
• Packets are decrypted at each hop; thus, more points of vulnerability exist.
15.2 Link Encrypter
Each device has to be able to decrypt header info and reencrypt and then route the packet. Each device needs to know how to do this. Mainly used in point to point connection (satellite) where there are no hops. Routing can take place after the final decrypt.
16. Differentiate between Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
At its most basic, an IDS device is passive, watching packets of data traverse the network from a monitoring port, comparing the traffic to configured rules, and setting off an alarm if it detects anything suspicious. An IDS can detect several types of malicious traffic that would slip by a typical firewall, including network attacks against services, data-driven attacks on applications, host-based attacks like unauthorized logins, and malware like viruses, Trojan horses, and worms. Most IDS products use several methods to detect threats, usually signature-based detection, anomaly-based detection, and stateful protocol analysis.
At its most basic, an IPS has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits inline with traffic flows on a network, actively shutting down attempted attacks as they're sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack, by blocking access to the target from the user account, IP address, or other attribute associated with that attacker, or by blocking all access to the targeted host, service, or application.
In addition, an IPS can respond to a detected threat in two other ways. It can reconfigure other security controls, such as a firewall or router, to block an attack. Some IPS devices can even apply patches if the host has particular vulnerabilities. In addition, some IPS can remove the malicious contents of an attack to mitigate the packets, perhaps deleting an infected attachment from an email before forwarding the email to the user.
17. Compare and contrast Signature-Based Intrusion Detection and Anomaly-Based Intrusion Detection and discuss the strengths and limitations of both.
18. Describe common IDS architectures including Host-Based and Network-Based systems.
Both are sequentialrecords that reflect specific actions and indirectly reflect behavior.
Network-based technology examines events as packets of information exchange between computers (network traffic).
Host-based technology examines events like what files were accessed and what applications were executed.
19. Define the term "honeypot" and describe its use in network security.
20. Describe the requirements for anonymous networking in lay terms and discuss situations (both legitimate and illegitimate) in which anonymous networking might be desirable.
Difference between a:
1. Hub: repeat everything they receive and can be used to extend the network. However, this can result in a lot of unnecessary traffic being sent to all devices on the network. Hubs pass on traffic to the network regardless of the intended destination; the PCs to which the packets are sent use the address information in each packet to work out which packets are meant for them. In a small network repeating is not a problem but for a larger, more heavily used network, another piece of networking equipment (such as a switch) may be required to help reduce the amount of unnecessary traffic being generated.
2. In networks, a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs. Switches control the flow of network traffic based on the address information in each packet. A switch learns which devices are connected to its ports (by monitoring the packets it receives), and then forwards on packets to the appropriate port only. This allows simultaneous communication across the switch, improving bandwidth.
This switching operation reduces the amount of unnecessary traffic that would have occurred if the same information had been sent from every port (as with a hub).
3. In networks, a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs.