Telecommunications, Network, and Internet Security

© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0

Introduction

• The telecommunications, network, and Internet security domain discusses the:
  – Network structures
  – Transmission methods
  – Transport formats
  – Security measures used to provide availability, integrity, and confidentiality
  – Authentication for transmission over private and public communications networks and media.

Objectives

• The CISSP should be able to:
  – Describe the telecommunications and network security elements as they relate to the transmission of information in local area, wide area, and remote access.
  – Define the concepts associated with the Internet, intranet, and extranet communications, such as firewalls, gateways, and associated protocols.


Objectives (cont.)

• The CISSP should be able to:

– Identify the communications security management and techniques that prevent, detect, and correct errors so that the protection of information transmitted over networks is maintained.

Goals of Network Security

• The common thread among good information security objectives is that they address all three core security principles.

Figure: the three core security principles.
  – Confidentiality: prevents unauthorized disclosure of systems and information.
  – Integrity: prevents unauthorized modification of systems and information.
  – Availability: prevents disruption of service and productivity.

Specific Network Security Objectives

• The objectives of network security:
  – Transmission channels and services are secure and accessible.
  – Network security mechanisms are interoperable and operational.
  – Messages sent are the messages that are received.
  – The message link is between valid source and destination nodes.

Specific Network Security Objectives (cont.)

• Message non-repudiation is available.
• Prevent unauthorized disclosure of messages.
• Prevent unauthorized disclosure of traffic flows.
• Remote access mechanisms are secure.
• Security mechanisms are easy to implement and maintain.
• Security mechanisms are transparent to end-users.

Subtopics

• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities


Section Objectives

• Describe various network architectures

• List the elements and devices that comprise a data network

• Describe data network technologies

Data Network Structures

Examples:
• Personal Area Network
• Wireless Personal Area Network
• Local Area Network
• Metropolitan Area Network
• Campus Area Network
• Wide Area Network
• Internet
• Intranet
• Extranet
• Value Added Network
• World Wide Web
• Global Area Network

Data Network Components

• Data network components include:
  – Mainframe/Server Hosts
  – File Servers
  – Workstations
  – Software - Network Operating System and Applications

Data Network Components (cont.)

• Data network components include:
  – Network Adapter/Network Interface Card
  – Hub/Concentrator/Repeater
  – Bridges
  – Switches - Layer 2, 3, 4, etc.
  – Routers
  – Gateways

Data Network Components (cont.)

• Data network components include:
  – Physical Cabling
    • Twisted Pair/Coaxial Cable/Fiber Optics
  – Wireless
    • Radio Frequency/Infrared/Optical/Satellite


Circuit Switched Networks

• Information is segmented into pieces that fit within a channel or time slot (usually 8 bits).

• A connection is established permanently or on demand and is maintained between switches in order to route traffic to the correct destination.

• Traffic is switched based on Time Division Multiplexing (TDM).


Packet Switched Networks

• Each data packet contains information such as addresses and sequence numbers.

• A connection is established permanently, or on demand, and maintained between switches in order to switch traffic to the correct destination.

• Switches switch the packets to the final destination based on the header information.

• Traffic is switched based on Statistical Time Division Multiplexing (STDM).

Circuit vs. Packet Switching

Circuit-Switched
• Designed for constant traffic
• Typically experience fixed delays
• Connection-oriented
• Traffic is sensitive to loss of connection
• Voice/video oriented
• Can waste resources

Packet-Switched
• Designed for bursty traffic
• Typically experience variable delays
• Connection-less oriented
• Traffic is sensitive to loss of data
• Data oriented
• Can introduce delays
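The two columns above (and the TDM versus STDM bullets on the previous two slides) can be made concrete with a small simulation. The Python below is an added illustration, not part of the (ISC)2 course material; the traffic pattern, the slot counts and the function names are constructed for the example. It shows why a circuit's fixed per-source slots are wasted under bursty traffic, and why statistical multiplexing recovers that capacity at the price of queueing, which is the variable delay on the packet-switched side.

```python
"""Added illustration (not from the (ISC)2 course material): fixed-slot TDM on a
circuit-switched link versus statistical TDM (STDM) on a packet-switched link,
driven by a constructed bursty traffic pattern."""
from typing import List, Tuple

# Constructed sample: four sources over eight ticks; 1 = the source has one unit
# of data to send in that tick, 0 = idle. Each source bursts briefly, then is quiet.
SAMPLE_TRAFFIC: List[List[int]] = [
    [1, 1, 0, 0, 0, 0, 0, 0],  # source A bursts at the start
    [0, 0, 0, 1, 1, 0, 0, 0],  # source B bursts in the middle
    [0, 0, 0, 0, 0, 0, 1, 1],  # source C bursts at the end
    [1, 0, 0, 0, 0, 0, 0, 0],  # source D sends a single unit
]


def tdm_utilization(traffic: List[List[int]]) -> Tuple[int, int]:
    """Circuit-switched TDM: every tick carries one dedicated slot per source,
    whether or not that source has data. Delay is fixed (a source always gets
    its slot), but idle slots are wasted. Returns (slots carrying data, slots provided)."""
    ticks = len(traffic[0])
    slots_provided = len(traffic) * ticks
    slots_used = sum(sum(source) for source in traffic)
    return slots_used, slots_provided


def stdm_utilization(traffic: List[List[int]], slots_per_tick: int) -> Tuple[int, int, int]:
    """Packet-switched STDM: each tick has a fixed number of slots handed to
    whichever sources have data queued. When demand exceeds the slots, data waits
    in a queue, which is where the variable delay comes from.
    Returns (slots carrying data, slots provided, largest backlog seen)."""
    ticks = len(traffic[0])
    backlog = slots_used = max_backlog = 0
    for t in range(ticks):
        backlog += sum(source[t] for source in traffic)  # new data queued this tick
        sent = min(backlog, slots_per_tick)
        slots_used += sent
        backlog -= sent
        max_backlog = max(max_backlog, backlog)
    return slots_used, ticks * slots_per_tick, max_backlog


def utilization(used: int, provided: int) -> float:
    """Fraction of the provided slots that actually carried data."""
    return used / provided


if __name__ == "__main__":
    used, provided = tdm_utilization(SAMPLE_TRAFFIC)
    print(f"TDM : {used}/{provided} slots used, utilization {utilization(used, provided):.0%}")
    for slots in (2, 1):
        used, provided, queue = stdm_utilization(SAMPLE_TRAFFIC, slots)
        print(f"STDM ({slots} slot(s)/tick): {used}/{provided} slots used, "
              f"utilization {utilization(used, provided):.0%}, max backlog {queue}")
```

With the constructed pattern, TDM fills 7 of 32 slots; STDM with two slots per tick fills 7 of 16 with nothing ever queued, and with one slot per tick fills 7 of 8 but holds one unit back for a tick, which is the "can introduce delays" trade-off listed above.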

Virtual Circuits

• A logical circuit created over a packet switched network
• Two types
  – Permanent Virtual Circuits (PVCs) - permanently established circuits that remain in place until the network administrators delete them from the switches.
  – Switched Virtual Circuits (SVCs) - dynamically established when requested and removed when transmission is finished


LAN Network Topologies

LANs are logically or physically organized as:

Bus

Ring

Mesh

Tree

Star


LAN Transmission Methods

• Unicast - packet is sent from source to destination address

• Multicast - packet is copied and sent to a specific subset of nodes on the network

• Broadcast - packet is copied and sent to all nodes on the network

LAN Media Access Methods

• Three types of methods are used by hosts to access the physical network medium.
  – Carrier Sense Multiple Access (CSMA)
    • With Collision Avoidance (CSMA/CA)
    • With Collision Detection (CSMA/CD)
  – Polling
  – Token Passing

LAN Implementations - Subtopics

• Wireless
  – Bluetooth / IEEE 802.15
  – 802.11a
  – 802.11b
  – 802.11g
• Wired
  – Ethernet / IEEE 802.3
  – Fiber Distributed Data Interface (FDDI)
  – Token Ring / IEEE 802.5

LAN Implementations - Wired

Ethernet/IEEE 802.3
• Usage
  – Most widely used LAN implementation.
• Access Method
  – CSMA/CD, probabilistic
• Topology
  – Logically a bus topology, often implemented as a physical star or sometimes point-to-point.
• Speeds
  – Ethernet (10 Mbps), Fast Ethernet (100 Mbps), Gigabit Ethernet (1 Gbps)

LAN Implementations - Wired

Fiber Distributed Data Interface (FDDI)
• Usage
  – Standard originally designed for fiber optic networks.
  – Typically used as backbones for LANs/WANs.
  – FDDI-2 extension provides for voice, video, and data.
• Access Method
  – Token passing, deterministic
• Topology
  – Ring
• Speeds
  – 100 Mbps – 1000 Mbps

LAN Implementations - Wired

Token Ring / IEEE 802.5
• Usage
  – Promoted by IBM as their networking standard
• Access Method
  – Token passing; a single token contains a priority mechanism.
  – Nodes insert, copy, or remove data.
  – Data is sent sequentially bit by bit around the ring.
• Topology
  – Star-wired ring topology.
• Speeds
  – 16–100 Mbps

Introduction to Wireless

Figure: examples of wireless devices: cell phones, PDAs, WLANs, toys, appliances, cordless phones.

Wireless Radio Frequency Band

Figure: radio spectrum chart (axis from 0 MHz through 1 GHz, 3 GHz, 5 GHz, 10 GHz, 28 GHz and 38 GHz) placing the bands below. The chart marks the broadcast and cellular bands as licensed radio frequencies and the 900 MHz, 2.4 GHz and 5 GHz bands as unlicensed radio frequencies.

• AM Radio (535 – 1605 KHz)
• FM Radio (88 – 108 MHz)
• VHF TV (174 – 216 MHz)
• UHF TV (512 – 806 MHz)
• Analog Cellular (824 – 894 MHz)
• Digital Cellular (1850 – 1900 MHz)
• Cordless Phones, Baby Monitors, Toys (900 MHz)
• 802.11b/g, Bluetooth, Phones (2.4 GHz)
• 802.11a/h, Phones (5 GHz)

Wireless Network Standards

• Bluetooth
  – Used as a short distance replacement for cabling
  – Less than 1 Mbps
  – 2.4 GHz frequency band
  – Frequency Hopping Spread Spectrum (FHSS)
• 802.11b
  – Extension to 802.11 Wireless LAN standard
  – 11 Mbps data rate
  – 2.4 GHz frequency band
  – Direct Sequence Spread Spectrum (DSSS)
• 802.11a
  – Extension to 802.11 Wireless LAN standard
  – 54 Mbps data rate
  – 5 GHz frequency band
  – Orthogonal Frequency Division Multiplexing (OFDM)
• 802.11g
  – 54 Mbps data rate
  – 2.4 GHz frequency band
  – OFDM
  – 802.11b compatible

Wide Area Networks

• Connects LANs together through technologies such as:
  – Dedicated leased lines
  – Dial-up phone lines
  – Satellite and other wireless links
  – Data packet carrier services

WAN Network Technologies - Subtopics

• Integrated Services Digital Network
• Point-to-Point Lines
• Digital Subscriber Line and Cable Modem
• Synchronous Data Link Control and Derivatives
• X.25
• Frame Relay
• Asynchronous Transfer Mode
• Wireless Wide Area
• WAP
• i-Mode
• IP Telephony

ISDN and Point to Point Lines

Integrated Services Digital Network (ISDN) attributes:
1. End-to-End digital connectivity
2. Integrated access
3. Small family of standard interfaces
4. Message-oriented signaling
5. Customer control

Point to Point Lines types:
– Leased Lines
– Digital Circuits
– Optical Circuits

DSL and Cable Modems

• “Always-on” technologies (as opposed to on-demand) that provide high-speed connections, which pose risks to unprotected computers.

DSL
– Provides high-bandwidth data transport
– Uses existing twisted pair telephone lines

Cable Modem
– High-speed access to the Internet over television cable lines.
– Uses a modem that filters the coaxial cable connection.

SDLC and HDLC

• SDLC and HDLC
  – Data link layer protocols.
  – Designed for point-to-point connections.
  – Developed to carry data.
• Synchronous Data Link Control (SDLC)
  – Protocol developed by IBM for their SNA networks
• High Level Data Link Control (HDLC)
  – Based on SDLC but standardized by ISO

X.25

• International protocol for a packet-switched network technology
  – Defines how connections between user devices and network devices are established and maintained.
  – Operates at the Network and Data Link Layers.
  – It uses PVCs and SVCs.
• Used by telecommunication carriers.
• Overhead requirements limit it to lower speeds.
• Data-only support.

Frame Relay

Figure: frame relay network diagram (labels: Remote, Host).

• High performance packet switching technology
  – Operates at the physical and data link layers of the OSI model.
  – Designed to replace X.25. Originally data-only; implementations now support voice and video as well.
  – Uses PVCs and SVCs.

Asynchronous Transfer Mode (ATM)

• Very high speed cell relay service, similar in a number of ways to frame relay.
• Transfers data in cells that are a fixed size.
• Small, constant cell size allows video, audio, and computer data to be transmitted over the same network.
• It uses PVCs and SVCs.
• It is packet switched.
• Designed to replace frame relay with a faster technology designed to carry all traffic types.


Wireless Wide Area

• Satellites provide global coverage in areas where terrestrial cable facilities are not available.

• Microwave technology also supports wide area connections.

Generations of Wireless Wide Area Protocols

• 1G Wireless
  – First wave of analog phones
  – Heavy and bulky
  – Not many services other than voice
• 2G Wireless
  – Commonly deployed
  – Smaller size
  – Caller id, paging, email
• 2.5G Wireless
  – Addition of always-on Internet email and alerts (GPRS)
  – Higher data rates
• 3G Wireless
  – First hit in Japan late 2001
  – Packet technology
  – Higher connection speeds (video conferencing, MPEG)

Wireless Application Protocol (WAP)

• Standard protocol for enabling wireless data access via small portable terminals to secure transaction services.
• It supports wireless browsing, messaging, and other applications.
• It uses fewer resources (i.e., CPU, memory) and is simpler than TCP/IP.
• WAP supported networks include:
  – CDPD, CDMA, GSM, PDC, PHS, TDMA, FLEX, ReFLEX, iDEN, TETRA, DECT, DataTAC, and Mobitex

i-Mode

• Mobile Internet service
• First introduced in Japan by NTT DoCoMo, Inc.
• Now available in European markets through i-mode partners, including Belgium, France, Germany, Greece, Italy, Spain, Netherlands, etc.
• Wide variety of specialized services including
  – Online shopping
  – Banking
  – Ticket reservation
  – Restaurant advice
  – Multimedia e-mailing of still and moving images
  – Java-based application for downloading and storing sophisticated content

Mobile Phone Vulnerabilities

• Lack of policies and awareness
• Theft of mobile phones, Personal Digital Assistants (PDAs) and their data
• Subscriber Identity Module cloning
• False Base Stations
• Stealing secrets using phone-based or PDA-based cameras, email, storage chips, etc.
• Access to the Internet, bypassing the firewalls

Mobile Phone Vulnerabilities (cont.)

• Short Message Service spamming
• Malicious downloadable code or content
• Encryption is weak or non-existent
• Turning on wireless encryption does not mean data is protected end-to-end
  – Wired portion of the traffic may travel in the clear
• Bluetooth vulnerabilities
  – Pin length, lack of encryption, bluejacking, etc.


IP Telephony

• Integrates existing voice network with data networks.

• Combines data, voice, and video over a single packet.

• Uses “isochronous” (i.e., time-dependent) processes where data must be delivered within certain time constraints -- used for video that requires synchronization.

• Includes: Voice over IP, Voice over Frame Relay, Voice over Asynchronous Transfer Mode, etc.


Quick Quiz

• What is the difference between synchronous and asynchronous communication?

• What is the difference between a circuit-switched network and a packet-switched network?


Section Summary

• Synchronous communication is the transfer of data that relies on the presence of a clocking system at both ends of the transmission.

• Asynchronous communication is the transfer of data by sending bits sequentially, with start bits and stop bits to mark beginning and end, without a shared clock.

• A circuit-switched network is a connection established on demand and maintained between data stations in order to allow exclusive use of a circuit (transmission line) until the connection is released.

• A packet-switched network has segmented data, with each packet containing information such as a destination address, source address, and packet sequence number. Network devices route the packets to the final destination.
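The summary's definitions of synchronous and asynchronous communication, as a runnable illustration added here (not part of the (ISC)2 course material; the bit layout, the SYNC_FLAG block marker and the function names are constructed for the example). The asynchronous side wraps every character in a start bit and a stop bit and so can detect a framing error per character; the synchronous side sends the bits back to back because a shared clock delineates them.

```python
"""Added example (not from the (ISC)2 course material): asynchronous framing with a
start bit and a stop bit around each 8-bit character, against synchronous transfer
where a shared clock delineates bits and no per-character framing is sent."""
from typing import Dict, List, Tuple

START_BIT = 0   # an idle asynchronous line rests at 1 (mark); a 0 announces a character
STOP_BIT = 1
IDLE = 1
# Constructed block marker for the synchronous case (real protocols add bit stuffing,
# omitted here); it is sent once per block, not once per character.
SYNC_FLAG = [0, 1, 1, 1, 1, 1, 1, 0]


def frame_async(data: bytes) -> List[int]:
    """Asynchronous: start bit, 8 data bits least-significant first, stop bit per byte."""
    bits: List[int] = []
    for byte in data:
        bits.append(START_BIT)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(STOP_BIT)
    return bits


def deframe_async(bits: List[int]) -> Tuple[bytes, int]:
    """Receiver: wait for a start bit, sample 8 data bits, then expect a stop bit.
    A stop bit that is not 1 is a framing error: the character is dropped and the
    receiver hunts for the next start bit, which can misframe the bits that follow.
    Returns (decoded bytes, number of framing errors)."""
    out = bytearray()
    errors = 0
    i, n = 0, len(bits)
    while i < n:
        if bits[i] != START_BIT:
            i += 1                      # idle line: keep waiting for a start bit
            continue
        if i + 10 > n:
            errors += 1                 # character cut off before its stop bit
            break
        value = 0
        for k in range(8):
            value |= bits[i + 1 + k] << k
        if bits[i + 9] != STOP_BIT:
            errors += 1
            i += 1                      # resynchronise: look for the next start bit
            continue
        out.append(value)
        i += 10
    return bytes(out), errors


def frame_sync(data: bytes) -> List[int]:
    """Synchronous: one flag marks the block; the data bits follow back to back,
    because the shared clock tells the receiver where each bit begins."""
    bits = list(SYNC_FLAG)
    for byte in data:
        bits.extend((byte >> i) & 1 for i in range(8))
    return bits


def bits_on_wire(data: bytes) -> Dict[str, int]:
    """Framing cost of each method for the same payload."""
    return {"asynchronous": len(frame_async(data)), "synchronous": len(frame_sync(data))}


if __name__ == "__main__":
    stream = [IDLE] * 3 + frame_async(b"OK")
    print(deframe_async(stream))          # (b'OK', 0)
    damaged = frame_async(b"OK")
    damaged[9] = 0                        # corrupt the first stop bit (constructed fault)
    print(deframe_async(damaged))         # (b'b', 2): one framing error, then misframing
    print(bits_on_wire(bytes(100)))       # {'asynchronous': 1000, 'synchronous': 808}
```

The damaged stream shows the failure mode worth remembering: the corrupted stop bit is reported as a framing error, but the receiver then locks onto a data bit as a start bit and decodes a byte that was never sent, so per-character framing alone does not give the integrity the summary's "messages sent are the messages received" objective needs; that takes a higher-layer check.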

Subtopics

• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities


Section Objectives

• Describe various standard network protocols

• Describe the OSI network model

• Describe the TCP/IP network protocol

• Identify network protocol vulnerabilities

Network Protocol Definition

• A standard set of rules that governs the exchange of data between hardware and/or software components in a communications network.
• A Network Protocol also describes the format of a message and how it is exchanged.
  – When computers communicate with one another, they exchange a series of messages.
  – To understand and act on these messages, computers must agree on what a message means.


Subtopics

• Open System Interconnection (OSI) Model

• Transmission Control Protocol/Internet Protocol (TCP/IP)

OSI Model

• Seven Layers
• Data transfer is accomplished by a layer interacting with the layer above or below through the use of interface control information.
• ISO 7498
  – Describes the OSI model
  – Defines the security services that are available and where they fit in the layered model.
    • Authentication Exchange
    • Traffic Padding
    • Routing Control
    • Notarization
    • Encipherment
    • Digital Signatures
    • Access Control
    • Data Integrity

Layer Interaction

Figure: Host 1 and Host 2 each run the seven protocol layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical). On Host 1 the original message is handed down the stack; each protocol layer wraps the data it receives (Data 3, Data 2, Data 1) with its own header and trailer (Hdr3/Tlr3, Hdr2/Tlr2, Hdr1/Tlr1), so the unit on the physical medium is ordered:

Hdr1 Hdr2 Hdr3 Message Tlr3 Tlr2 Tlr1

Host 2 reverses the process, each layer removing its own header and trailer and passing the remainder up to the layer above.
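The wrapping in the figure, as working code. This is an added example, not part of the (ISC)2 course material: the header and trailer formats, the three-layer numbering and the function names are constructed here, and the trailer is given a CRC-32 so the "Data Integrity" check the OSI slide lists can be seen happening at each layer on the receiving host.

```python
"""Added example (not from the (ISC)2 course material): the header/trailer wrapping in
the Layer Interaction figure, with each layer's trailer carrying a CRC-32 over the
data that layer encapsulates, so the receiving host can check integrity layer by layer."""
import struct
import zlib
from typing import List, Tuple

LAYERS = (3, 2, 1)               # wrapping order on Host 1: layer 3 innermost, layer 1 outermost
HDR_FMT, TLR_FMT = "!BH", "!I"   # header: layer id + payload length; trailer: CRC-32
HDR_LEN, TLR_LEN = struct.calcsize(HDR_FMT), struct.calcsize(TLR_FMT)


def wrap(layer: int, payload: bytes) -> bytes:
    """Hdr<layer> + payload + Tlr<layer>; the trailer is a CRC-32 over the payload."""
    header = struct.pack(HDR_FMT, layer, len(payload))
    trailer = struct.pack(TLR_FMT, zlib.crc32(payload) & 0xFFFFFFFF)
    return header + payload + trailer


def unwrap(expected_layer: int, pdu: bytes) -> bytes:
    """Strip the header and trailer of one layer, verifying layer id, length and CRC."""
    if len(pdu) < HDR_LEN + TLR_LEN:
        raise ValueError("PDU shorter than header plus trailer")
    layer, length = struct.unpack(HDR_FMT, pdu[:HDR_LEN])
    if layer != expected_layer:
        raise ValueError(f"expected Hdr{expected_layer}, found Hdr{layer}")
    payload = pdu[HDR_LEN:HDR_LEN + length]
    trailer = pdu[HDR_LEN + length:HDR_LEN + length + TLR_LEN]
    if len(payload) != length or len(trailer) != TLR_LEN:
        raise ValueError(f"layer {layer} PDU is truncated")
    (crc,) = struct.unpack(TLR_FMT, trailer)
    if crc != zlib.crc32(payload) & 0xFFFFFFFF:
        raise ValueError(f"Tlr{layer} check failed")
    return payload


def host1_send(message: bytes) -> bytes:
    """Host 1: the message passes down the stack; each layer adds its own Hdr and Tlr."""
    pdu = message
    for layer in LAYERS:
        pdu = wrap(layer, pdu)
    return pdu


def host2_receive(on_wire: bytes) -> bytes:
    """Host 2: layers peel their own Hdr and Tlr in reverse order, checking each trailer."""
    pdu = on_wire
    for layer in reversed(LAYERS):
        pdu = unwrap(layer, pdu)
    return pdu


def receive_report(on_wire: bytes) -> Tuple[bool, str]:
    """(True, message) on success, (False, reason) when a layer rejects the PDU."""
    try:
        return True, host2_receive(on_wire).decode("ascii")
    except ValueError as err:
        return False, str(err)


def wire_layout(on_wire: bytes) -> List[str]:
    """Name the fields in on-wire order by walking the headers inward from Hdr1."""
    names, trailers, pdu = [], [], on_wire
    for _ in LAYERS:
        found, length = struct.unpack(HDR_FMT, pdu[:HDR_LEN])
        names.append(f"Hdr{found}")
        trailers.append(f"Tlr{found}")
        pdu = pdu[HDR_LEN:HDR_LEN + length]
    return names + ["Message"] + trailers[::-1]


if __name__ == "__main__":
    frame = host1_send(b"hello")
    print(" ".join(wire_layout(frame)))     # Hdr1 Hdr2 Hdr3 Message Tlr3 Tlr2 Tlr1
    print(receive_report(frame))            # (True, 'hello')
    damaged = bytearray(frame)
    damaged[10] ^= 0x01                     # flip one bit inside the message (constructed fault)
    print(receive_report(bytes(damaged)))   # (False, 'Tlr1 check failed')
```

A CRC trailer catches accidental corruption on the link, which is the Data Link layer's "reliable delivery" job. It does not detect deliberate modification, because anyone who can change the payload can recompute the CRC; the ISO 7498 data integrity service against an active adversary needs a keyed check or a digital signature in the trailer instead.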


Application Layer

• Provides a user interface through which the user gains access to the communication services.

• Ideal place for end-to-end encryption and access control.


Presentation Layer

• Ensures compatible syntax in how the information is represented for exchange by applications.

• Not used extensively.


Session Layer

• Coordinates communications dialogue between cooperating application processes.

• Maintains a logical connection between two processes on end hosts.

• Ideal place for identification and authentication.


Transport Layer

• Ensures host-to-host information transfer.

• Provides reliable, transparent data transfers between session entities.

• Isolates the user from any concerns about the actual movement of the information.

• A place to implement end-to-end encryption.


Network Layer

• Selects and manages a route chosen from the available links arranged as a network.

• Can determine alternate routes to avoid congestion or node failure.

• A place to implement link or end-to-end encryption.


Data Link Layer

• Responsible for reliable delivery of information over a point-to-point or multi-point network.

• Can be divided into Logical Link Control and Media Access Control.

• Common place to implement link encryption.

Physical Layer

• Provides for the transparent transfer of a bit stream over a physical circuit.

• Provides physical or virtual connection for transmission between data link entities.

TCP/IP

• Suite of protocols:

– Transmission Control Protocol (TCP)

– Internet Protocol (IP)

• De facto standard for networking.

• Architecture-independent.

• Security was not originally designed into the protocols. Therefore, security-specific protocols have been devised for use on TCP/IP networks.

OSI vs. TCP/IP

Diagram: the OSI Model layers shown alongside the TCP/IP Implementation.

TCP/IP Application Layer

• Includes the functionality of the OSI application, presentation, and session layers.

• Sends to and retrieves data from the transport layer.

• Converts received data to a usable, viewable format.

TCP/IP Transport Layer

• Transfers data between different applications on end hosts.

• Can construct data in two ways:

– Transmission Control Protocol (TCP)

– User Datagram Protocol (UDP)

TCP/IP Network Layer

• Defines how information is sent between hosts. It contains the:

– Internet Protocol (IP)

– Internet Control Message Protocol (ICMP)

– Internet Group Management Protocol (IGMP)

TCP/IP Data Link Layer

• Defines how the physical layer transmits the network layer packets between adjacent or broadcast computers.

• Resolves information into bits that control construction and exchange of packets.

• Mediates access to the physical layer.

TCP/IP Physical Layer

• Defines the encoded signaling on the transmission channel.

• Specifies the characteristics of the wire that connects the machines in a network.

• Specifies how network cards encode the bits they transmit.

• Includes the transmission medium.

Data Encapsulation

• To transmit data across a layered network, the data passes through each layer of the protocol stack.

• It begins at the application layer with the application software passing the data to the next lower protocol in the stack.

• At each layer the data is encapsulated – the protocol processes the data in the format that the next protocol layer requires.

Data Encapsulation

Send (headers added, top down)                      Receive (headers removed, bottom up)

Application Layer (Program):   Data
Transport Layer (TCP Module):  TCP Header | Data
Network Layer (IP Module):     IP Header | TCP Header | Data
Data Link Layer:               DL Header | IP Header | TCP Header | Data

Data Structure Terminology

Layer                              TCP        UDP
Application Layer                  stream     message
Transport Layer                    segment    packet
Internet (Network) Layer           datagram   datagram
Network Access (Data Link) Layer   frame      frame
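Added example (not from the (ISC)2 deck): the encapsulation in the two slides above written out in Python. Each layer prepends its header to the unit handed down by the layer above (data, segment, datagram, frame) and the receive side strips them in reverse, verifying the IP header checksum on the way; the addresses, MACs, ports and payload are constructed sample values, and the TCP checksum is left at zero.

```python
"""Encapsulation walk-through: each layer prepends its header to the unit
handed down by the layer above, and the receiver peels them off in reverse:
    Data -> TCP Header|Data -> IP Header|TCP Header|Data -> DL Header|IP Header|TCP Header|Data
Addresses, ports and payload are constructed sample values."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header):
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the 16-bit words.  Over a header that already carries a correct checksum
    the result is 0, which is how the receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dotted_to_bytes(addr):
    """'216.25.104.207' -> the 32-bit address as 4 network-order bytes."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % addr)
    return bytes(octets)


def bytes_to_dotted(raw):
    return ".".join(str(b) for b in raw)


def tcp_segment(sport, dport, seq, ack, flags, payload):
    """Transport layer: 20-byte TCP header (no options) + data = segment.
    The TCP checksum is left at 0 here: it covers a pseudo-header as well and
    is omitted to keep the focus on the layering."""
    offset_flags = (5 << 12) | flags            # header length in 32-bit words, flag bits
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags,
                         65535, 0, 0)           # window, checksum, urgent pointer
    return header + payload


def ip_datagram(src, dst, segment, ident=1):
    """Network layer: IPv4 header with a valid checksum + segment = datagram."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0,               # version 4, IHL 5 words; DSCP/ECN 0
                         20 + len(segment), ident,
                         0x4000,                # flags: Don't Fragment, offset 0
                         64, PROTO_TCP, 0,      # TTL, protocol, checksum placeholder
                         dotted_to_bytes(src), dotted_to_bytes(dst))
    checksum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + checksum + header[12:] + segment


def ethernet_frame(src_mac, dst_mac, datagram):
    """Data link layer: 14-byte Ethernet header + datagram = frame."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + datagram


def decapsulate(frame):
    """Receive side: strip one header per layer and return the parsed fields,
    rejecting the frame if the IP header checksum does not verify."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"proto": ip[9],
            "src": bytes_to_dotted(ip[12:16]), "dst": bytes_to_dotted(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x1FF,
            "data": tcp[(offset_flags >> 12) * 4:]}


def build_sample_frame():
    """Constructed sample: a PSH|ACK segment carrying a short HTTP request."""
    segment = tcp_segment(40000, 80, 1001, 2001, 0x18, b"GET / HTTP/1.0\r\n\r\n")
    datagram = ip_datagram("192.0.2.10", "216.25.104.207", segment)
    return ethernet_frame(bytes.fromhex("00005e005310"),    # documentation MACs
                          bytes.fromhex("00005e005301"), datagram)
```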

TCP/IP Implementation

Application Layer:  Program
Transport Layer:    TCP, UDP
Network Layer:      IP, ICMP, IGMP
Data Link Layer:    ARP, PPP, Hardware Interface
Physical Layer:     Network Cable

TCP/IP

• The protocols in the TCP/IP suite work together to:

– Break the data into small pieces that can be efficiently handled by the network.

– Communicate the destination of the data to the network.

– Verify the receipt of the data on the other end of the transmission.

– Reconstruct the data in its original form.

Network Protocols: Subtopics

• Internet Protocol (IP)

• Transmission Control Protocol (TCP)

• User Datagram Protocol (UDP)

• Internet Control Message Protocol (ICMP)

• Internet Group Management Protocol (IGMP)

• Point-to-Point Protocol (PPP)

• Domain Name System (DNS)

• Address Resolution Protocol (ARP)

• Simple Network Management Protocol (SNMP)

• Routing Protocols

Internet Protocol (IP)

• The Internet Protocol is a packet-based protocol used to exchange data over computer networks.

• Network layer protocol.

• Handles addressing and control information to allow packets to travel through the network.

• IP is a best-effort protocol.

IP Functions

• Define the datagram (the basic unit of transmission in the Internet).

• Define the Internet addressing scheme.

• Move data between Network Layer and Transport Layer.

• Route datagrams to remote hosts.

• Perform fragmentation and reassembly of datagrams.

IP Addresses

• Composed of 32-bit addresses that are often displayed in the form of four groups of decimal digits separated by a period/dot.

• Each group of numbers cannot be larger than 254.

11011000 . 00011001 . 01101000 . 11001111

216 . 25 . 104 . 207

IP version 6 (IPv6)

• Expands the address to 128 bits.

• Simplifies the header format.

• Provides support for extensions and options.

• Adds quality of service capabilities.

• Adds address authentication and message confidentiality and integrity.

IP Security Issues

• IP Fragmentation Attacks

– Tiny fragment attack

– Overlapping fragment attack

– Teardrop Denial of Service Attack

• IP Address Spoofing

• Source Routing

• Smurf and Fraggle

• IP Tunneling over other protocols
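Added example (not from the (ISC)2 deck): the fragment sanity checks an IDS or firewall applies to catch the tiny, overlapping and teardrop-style fragment sets listed above, in Python. Offsets use the IP header's 8-byte units; the first-fragment minimum is a local policy value (an assumption), and every fragment set used is constructed.

```python
"""Sanity checks on a set of IPv4 fragments, of the kind an IDS or firewall
applies before reassembly.  A fragment is (offset, payload_length, more),
with the offset in 8-byte units as carried in the IP header and `more` the
More Fragments flag.  MIN_FIRST_FRAGMENT is a local policy value (assumption):
the offset-0 fragment must hold a full 20-byte TCP header so ports and flags
can be filtered.  All fragment sets used here are constructed."""

MIN_FIRST_FRAGMENT = 20      # payload bytes required in the offset-0 fragment
MAX_DATAGRAM = 65535         # limit of the 16-bit total length field


def check_fragments(fragments):
    """Return a sorted list of findings; an empty list means the set looks sane."""
    findings = set()
    seen = []                                   # (start, end) byte ranges already examined
    for offset, length, more in fragments:
        start, end = offset * 8, offset * 8 + length          # end is exclusive
        if end > MAX_DATAGRAM:
            findings.add("oversized")           # would not fit a 16-bit total length
        if more and length % 8:
            findings.add("non-final fragment not a multiple of 8 bytes")
        if offset == 0 and more and length < MIN_FIRST_FRAGMENT:
            findings.add("tiny first fragment")  # transport header split across fragments
        for s, e in seen:
            if start < e and s < end:
                findings.add("overlap")          # later data would rewrite earlier data
                if s <= start and end <= e:      # the teardrop pattern
                    findings.add("fragment wholly inside an earlier one")
        seen.append((start, end))
    return sorted(findings)


def reassembled_length(fragments):
    """Payload length of the reassembled datagram when the set is complete and
    contiguous, else None (gap, overlap, or final fragment not yet seen)."""
    ranges = sorted((o * 8, o * 8 + n, m) for o, n, m in fragments)
    expect = 0
    for start, end, more in ranges:
        if start != expect:
            return None
        expect = end
    return expect if ranges and not ranges[-1][2] else None
```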

Transmission Control Protocol (TCP)

• Provides reliable data transmission.

• Retransmits lost/damaged data segments.

• Sequences incoming segments to match original order.

• Marks every TCP packet with a source host and port number, as well as a destination host and port number.

TCP Provides:

• Connection-oriented data management

• Reliable data transfer

• Stream-oriented data transfer

• Push functions

• Resequencing

• Flow Control

• Multiplexing

• Full-duplex transmission

• Identification of urgent data

• Graceful close

Connection Oriented TCP

• TCP maintains status and state information about each user data stream flowing into and out of the TCP module.

• TCP provides end-to-end transfer of data across one network or multiple networks to a receiving user application.

Sample TCP Session

Host A                                                  Host B

Active open                                             Passive open
SYN(1000)                      ---------------------->
                               <----------------------  SYN(2000), ACK(1001)
ACK(2001)                      ---------------------->
Connection established                                  Connection established

ACK, data                      <--------------------->  ACK, data

Host A close
ACK(2300), FIN(1500)           ---------------------->
                               <----------------------  ACK(1501)
                                                        Host B close
                               <----------------------  ACK(1501), FIN(2400)
ACK(2401)                      ---------------------->
Connection closed                                       Connection closed
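Added example (not from the (ISC)2 deck): a small Python model that replays the session above with both hosts' sequence state and applies the acceptability check a host or stateful firewall performs on each arriving segment. The initial sequence numbers are the diagram's; the data sizes are chosen so its ACK and FIN numbers come out as shown.

```python
"""Model of the sample TCP session above.  Each endpoint keeps the per-connection
send/receive state TCP maintains, and receive() applies the acceptability checks
a host or stateful firewall performs on every arriving segment.  The initial
sequence numbers (1000, 2000) are the diagram's; the data sizes (499, 299 and
100 bytes) are chosen so the ACK and FIN numbers come out as shown."""
SYN, ACK, FIN = 0x02, 0x10, 0x01


class Endpoint:
    def __init__(self, name, iss):
        self.name = name
        self.iss = iss           # initial send sequence number
        self.snd_una = iss       # oldest byte sent but not yet acknowledged
        self.snd_nxt = iss       # next sequence number to send
        self.rcv_nxt = None      # next sequence number expected from the peer
        self.syn_sent = self.syn_rcvd = self.fin_sent = self.fin_rcvd = False

    def send(self, flags, data_len=0):
        seg = {"src": self.name, "flags": flags, "seq": self.snd_nxt,
               "ack": self.rcv_nxt if flags & ACK else None, "len": data_len}
        # SYN and FIN each consume one sequence number; data consumes one per byte
        self.snd_nxt += data_len + bool(flags & SYN) + bool(flags & FIN)
        self.syn_sent |= bool(flags & SYN)
        self.fin_sent |= bool(flags & FIN)
        return seg

    def acceptable(self, seg):
        """The ACK must cover data actually in flight (SND.UNA <= ACK <= SND.NXT)
        and the segment must start at the byte expected next (the receive window
        is collapsed to in-order delivery to keep the model short)."""
        if seg["flags"] & ACK and not (self.snd_una <= seg["ack"] <= self.snd_nxt):
            return False
        if self.rcv_nxt is not None and seg["seq"] != self.rcv_nxt:
            return False
        return True

    def receive(self, seg):
        if not self.acceptable(seg):
            raise ValueError("%s rejected %s" % (self.name, describe(seg)))
        if seg["flags"] & ACK:
            self.snd_una = seg["ack"]
        self.rcv_nxt = (seg["seq"] + seg["len"]
                        + bool(seg["flags"] & SYN) + bool(seg["flags"] & FIN))
        self.syn_rcvd |= bool(seg["flags"] & SYN)
        self.fin_rcvd |= bool(seg["flags"] & FIN)

    def state(self):
        if self.fin_sent and self.fin_rcvd and self.snd_una == self.snd_nxt:
            return "CLOSED"
        if self.fin_sent or self.fin_rcvd:
            return "CLOSING"
        if self.syn_sent and self.syn_rcvd and self.snd_una > self.iss:
            return "ESTABLISHED"     # our SYN has been acknowledged
        if self.syn_rcvd:
            return "SYN_RCVD"        # passive open
        return "SYN_SENT" if self.syn_sent else "CLOSED"


def describe(seg):
    """Render a segment in the diagram's notation, e.g. 'B: SYN(2000), ACK(1001)'."""
    parts = []
    if seg["flags"] & SYN:
        parts.append("SYN(%d)" % seg["seq"])
    if seg["flags"] & ACK:
        parts.append("ACK(%d)" % seg["ack"])
    if seg["flags"] & FIN:
        parts.append("FIN(%d)" % seg["seq"])
    if seg["len"]:
        parts.append("%d bytes" % seg["len"])
    return "%s: %s" % (seg["src"], ", ".join(parts))


def run_sample_session():
    """Replay the exchange in the slide; returns the segments and both endpoints."""
    a, b = Endpoint("A", 1000), Endpoint("B", 2000)
    wire = []

    def deliver(src, dst, flags, n=0):
        seg = src.send(flags, n)
        dst.receive(seg)
        wire.append(seg)

    deliver(a, b, SYN)             # active open:  SYN(1000)
    deliver(b, a, SYN | ACK)       # passive open: SYN(2000), ACK(1001)
    deliver(a, b, ACK)             # ACK(2001): connection established at both ends
    deliver(a, b, ACK, 499)        # A -> B data, bytes 1001..1499
    deliver(b, a, ACK, 299)        # B -> A data, bytes 2001..2299
    deliver(a, b, ACK | FIN)       # Host A close: ACK(2300), FIN(1500)
    deliver(b, a, ACK)             # ACK(1501)
    deliver(b, a, ACK, 100)        # B still sending: bytes 2300..2399
    deliver(b, a, ACK | FIN)       # Host B close: ACK(1501), FIN(2400)
    deliver(a, b, ACK)             # ACK(2401): connection closed at both ends
    return wire, a, b
```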

TCP Security Issues

• TCP Sequence Number Attacks

• Session Hijacking

• SYN Flood

User Datagram Protocol (UDP)

• Transport layer protocol

• Provides quick and simple service

• Provides unreliable, connectionless service for applications.

UDP Security Issues

• Does not offer error correction, retransmission, or protection from lost, duplicated, or re-ordered packets.

• Easier to spoof since there are no session identifiers (handshake, sequence number and ACK bit).

Internet Control Message Protocol (ICMP)

• Used to exchange control messages between gateways and hosts regarding the low-level operation of the Internet.

• Also used for diagnostic tools such as Ping and Traceroute.

• The ICMP message is encapsulated within the IP packet.

ICMP Security Issues

• Denial of Service

– Ping of Death

– Host/Network Not Reachable messages

• ICMP Redirect

• Traceroute

Internet Group Management Protocol (IGMP)

• Supports multicast transmissions (IP only supports broadcast and unicast).

• When a message is sent to a particular multicast group, all computers in that group will get a copy of the message.

• It is used by hosts to report multicast group memberships to neighboring multicast routers.

Point-to-Point Protocol (PPP)

• Data link layer protocol.

• Standardized encapsulation protocol for transporting packets over dial-up and dedicated transmission links.

• Supports other protocols, including authentication protocols.

Domain Name System (DNS)

• Distributed Internet directory service.

• Global network of “name servers” that translate host names to numerical IP addresses.

– www.ISC2.org = 209.164.6.194

• Internet services rely on DNS to work; if DNS fails, web sites cannot be located and email delivery stalls.

DNS (cont.)

• It is tree structured.

• Contains two elements:

– Name Server - responds to client requests by supplying name to address conversions.

– Resolver - when it does not know the answer, the resolver element will ask another name server for the information.

DNS Security Issues

• Attackers have been known to corrupt the tree and obtain access to a trusted machine.

• The name servers can be poisoned so that legitimate addresses are replaced.

• Unauthorized users could discover sensitive information if querying is allowed by users.

Address Resolution Protocol (ARP)

• Used when a node knows the network layer address, but needs the data link layer address to forward the encapsulating frame.

• The ARP software maintains a table of translations between IP addresses and data link addresses.

ARP (cont.)

• The table is built dynamically - if a destination data link address is not found in the table, the node will broadcast a message on the data link asking for the host with the chosen IP address to respond with its data link address.

Reverse ARP (RARP)

• Used to discover the IP address which corresponds to a known data link address (MAC).

• Sometimes used by diskless workstations to learn their own IP address.

ARP Security Issues

• ARP is unauthenticated, thus an attacker can poison the ARP table to spoof another host by sending unsolicited ARP replies.

• An attacker can send an ARP reply mapping the attacker’s MAC address to the default router’s IP address; the target will then send all traffic destined for the router to the attacker’s node. The attacker “sniffs” the traffic, then forwards it to the real router.
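Added example (not from the (ISC)2 deck): an arpwatch-style monitor in Python that detects the two observable signs of the poisoning described above, an unsolicited ARP reply and a change in the MAC bound to the default router's IP. The traffic, the router address 192.0.2.1 and the documentation MACs are constructed.

```python
"""ARP monitor in the style of arpwatch: learns IP-to-MAC bindings from ARP
traffic and alerts when a binding changes or when a reply arrives that no
recent request asked for.  The traffic below is constructed; 192.0.2.1 is
assumed to be the default router and the 00:00:5e:00:53:xx addresses are
documentation MACs standing in for real interfaces."""
from collections import namedtuple

# op is "request" or "reply"; t is seconds since capture start
Arp = namedtuple("Arp", "t op sender_ip sender_mac target_ip")


class ArpMonitor:
    def __init__(self, gateway_ip, reply_window=2.0):
        self.gateway_ip = gateway_ip
        self.reply_window = reply_window   # seconds a reply may trail its request
        self.table = {}                    # ip -> mac currently believed correct
        self.pending = {}                  # ip being asked about -> time of last request
        self.alerts = []

    def process(self, pkt):
        if pkt.op == "request":
            self.pending[pkt.target_ip] = pkt.t
        else:
            asked = self.pending.pop(pkt.sender_ip, None)
            if asked is None or pkt.t - asked > self.reply_window:
                # Gratuitous ARP also occurs legitimately (address announcements,
                # failover), so this is a lead to correlate, not proof of spoofing.
                self.alerts.append(("unsolicited-reply", pkt.sender_ip, pkt.sender_mac))
        self._learn(pkt)   # requests and replies both carry the sender's binding

    def _learn(self, pkt):
        old = self.table.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            # A changed binding for the router is the case the slide describes:
            # every host that accepts it now sends its off-subnet traffic elsewhere.
            kind = "gateway-mac-changed" if pkt.sender_ip == self.gateway_ip else "mac-changed"
            self.alerts.append((kind, pkt.sender_ip, old, pkt.sender_mac))
        self.table[pkt.sender_ip] = pkt.sender_mac


# Constructed sample: two normal request/reply pairs, then an unsolicited reply
# that claims the router's IP with a different MAC.
SAMPLE = [
    Arp(0.0, "request", "192.0.2.10", "00:00:5e:00:53:10", "192.0.2.1"),
    Arp(0.1, "reply", "192.0.2.1", "00:00:5e:00:53:01", "192.0.2.10"),
    Arp(5.0, "request", "192.0.2.11", "00:00:5e:00:53:11", "192.0.2.1"),
    Arp(5.1, "reply", "192.0.2.1", "00:00:5e:00:53:01", "192.0.2.11"),
    Arp(30.0, "reply", "192.0.2.1", "00:00:5e:00:53:66", "192.0.2.10"),
]


def run_sample():
    """Feed the sample through a monitor and return it for inspection."""
    monitor = ArpMonitor("192.0.2.1")
    for pkt in SAMPLE:
        monitor.process(pkt)
    return monitor
```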

ARP Poisoning

Simple Network Management Protocol (SNMP)

• Provides remote administration of network devices.

• SNMP is referred to as "simple" because the agent requires minimal software.

• SNMP accesses particular instances of an object and each object belongs to a community.

• Community strings are used to provide read-only or read-write access controls. They authenticate messages sent between the SNMP manager and agent.

Routing Protocols

• Routing is the process of selecting a path through a network.

• At each router in the network, the datagrams are examined, and the destination address is mapped to a routing table kept in memory. The table tells the router which outgoing link to use to continue sending the datagram.

• Routing protocols are used by routers to determine the appropriate path that data should travel.

Routing Protocols

• Routing protocols specify how routers share information with other routers in the network that they can reach.

• Routing Protocol examples:

– Routing Information Protocol (RIP)

– Exterior Gateway Protocol (EGP)

– Border Gateway Protocol (BGP)

– Open Shortest Path First Protocol (OSPF)

Routing Protocols Security Issues

• A routing table can be compromised or altered to:

– Reduce availability

– Reroute traffic from a secure network to a compromised network

• Networks may not use any authentication for their routing protocols, which might result in a lack of security for the network infrastructure.

Routing Protocols Security Issues (cont.)

Attackers can also use source routed packets or ICMP redirect messages to bypass controls.

Quick Quiz

• What network protocol is used for internet communications?

• What is the difference between UDP and TCP?

• What vulnerabilities exist with ICMP?

• What OSI layer maintains communications between processes?

• What is IPv6? Why is it important?

Section Summary

• Network protocols provide a standard set of rules that governs the exchange of data among hardware and software components in a communications network.

• Network protocols contain many security vulnerabilities.

• Some protocols are designed to control specific vulnerabilities.

Subtopics

• Data Networks

• Network Protocols

• Telephony

• Remote Access

• Network Threats, Attacks and Countermeasures

• Network Access Controls

• Network Availability Technologies

• Internet and Web Security Protocols

• Multimedia and Quality of Service

• Information Security Activities

Section Objectives

• Describe telephony components

• Discuss telephony vulnerabilities

• Describe IP telephony

• Understand how traditional security concepts can address IP telephony security concerns

Telephony: Traditional Voice Network

• Simple analog and digital phones

• Separate cabling systems (data and voice)

• Closed and proprietary PBX (Private Branch Exchange) systems

• The Public Switched Telephone Network (PSTN)

Telephony: Voice System Vulnerability

Telephony Authorized Modem Vulnerability

Diagram components: LAN (servers, workstations); ISP; Internet; IDS; firewall; PBX; voicemail; telephones; modems; PSTN; central offices; attacker; authorized modem.

Telephony Outbound Modem Vulnerability

Diagram components: LAN (servers, workstations); ISP; Internet; IDS; firewall; PBX; voicemail; telephones; modems; PSTN; central offices; attacker.

Telephony Voice Eavesdropping

Diagram components: LAN (servers, workstations); ISP; Internet; IDS; firewall; PBX; voicemail; telephones; modems; PSTN; central offices; Toronto Office PBX; Winnipeg Office PBX.

Traditional Voice & Data Network

Concept of IP Telephony with Wireless

• IP phones and softphones that can run PC applications

• Voice servers providing IP PBX, Voice Mail, Messaging, etc.

• Media gateways to connect to the PSTN and TDM components

• TDM trunks and IP trunks

Diagram components: PSTN; IP Phones; Corporate LAN; Internet; Server; Router; Telephony Server; Access Points; Wireless LAN; Phones.

IP Telephony Network Issues

• Inherits security issues of traditional IP networks

– Uses non-secure operating systems

– IP/Web based administration

– Susceptible to Denial of Service (DoS) against media, which sometimes makes it unusable

– Connected to an un-trusted IP network

– Authentication should be user-transparent

• IP Telephony intelligence advancing rapidly

IP Telephony Vulnerabilities

• Voice System

– Operating System/Support Software Implementation

– Application implementation

– Application manipulation (Toll Fraud, Blocking)

– Unauthorized administrative access

• Network and media:

– DoS on media and signaling

– DoS against media gateway / TDM sites

– DoS against any shared network resource

– Eavesdropping on conversations

– Media Tunneling

IP Phone attacks

• IP Phone attacks

– ‘Rogue’ softphones

– Implementation attacks (DoS and access controls)

– Remote access attacks

– Local access attacks

– Unauthorized firmware / applications

– Protocol attacks

Telephony Security: Subtopics

• Apply the IP security safeguards to the voice network:

– Firewalls

– Strong Authentication

– Virtual Private Networks

– Intrusion Detection

Telephony Security: Voice Firewall Application

• Unauthorized calls should be blocked by the firewall

Diagram: the blocked call is marked with an X and an alert is raised.

Strong Authentication

• Modem calls should require two-factor authentication

Audit Trail Produced

Voice, Fax, Modem, Video VPN

• Calls between sites should use encryption

Intrusion Detection

• Real-time monitoring of abusive call patterns, DTMF-based attacks

• Modem/Fax Recording and Content Monitoring

Diagram callouts: alert sent to IDS; call monitored.

IP Telephony Security Recommendations

• Voice Servers

– Secure the operating system/network services

– Patch maintenance

– Use strong authentication for authorized hosts

– Maintain strong physical security

– Follow best practices for basic server/IP security

– Consider using host-based security

– Consider deploying a firewall and IDS

– Control access by IP Phones and softphones

Page 120:

IP Telephony Security Recommendations

• Engineer the network to have proper security
– Maintain strong security on all networking components
– Limit the number of calls over media gateways
• Infrastructure requirements
– Switched networks
– Firewalls and NIDS
  • Perimeter firewalls block unauthorized IP Telephony
– VLANs
• Encryption
– Encrypting phones
– Un-trusted parts of the network

Page 121:

IP Telephony Security Recommendations

• Engineer the network to have proper security
– Deploy IP Telephony aware perimeter devices for end-to-end security
  • Perform high speed processing of the media (and NAT)
  • Open and close ports for media sessions
  • Inspect media for tunneling, illegal flow levels, and DoS
  • Provide intrusion prevention functions for signaling
  • Implement VPN functions, if desired
  • Support appropriate QoS standards

Page 122:

IP Telephony Security Recommendations

• IP Phones
– Update default administrator passwords
– Disable unnecessary remote access features
– Prevent casual local configuration of the IP Phone
– Secure the firmware upgrade process
– Insist upon IP Phones that support security features
– Limit use of the web server
– Enable logging
– Cautiously use IP softphones

Page 123:

Quick Quiz

• What are some examples of telephony vulnerabilities?

• What are the advantages and disadvantages of IP telephony?

Page 124:

Section Summary

• The traditional voice network has known vulnerabilities.
• These security issues can be addressed by applying technologies with parallels in the data network, such as firewalls, intrusion detection, VPNs, etc.
• IP Telephony introduces new vulnerabilities.
• IP Telephony vulnerabilities can be addressed with a combination of existing and new technologies.
• Voice is a unique application and security should be managed similarly for the current and IP Telephony networks.

Page 125:

Subtopics

• Data Networks
• Network Protocols
• Telephony
• Remote Access
– Remote Access Security Methods
– Tunneling Standards
– Virtual Private Networks
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities

Page 126:

Section Objectives

• Describe various methods of remote access to a network

• Discuss remote access control techniques

• Describe remote access tunneling protocols

• Describe virtual private networks (VPNs)

Page 127:

Remote Access Services

• Typically conducted over an untrusted network.
• Increased risk to disclosure, modification, and denial of service.
• Remote access security minimums
– Strong identification and authentication services
• Rapid growth of remote access via the Internet
– Wide availability
– Economical

Page 128:

Remote Access Technologies

Allows users to access network information through a dial-in or wireless connection.

Diagram: a telecommuter, a mobile user and a branch office connecting through a network access server.

Page 129:

Internet Access

Allows users to access network information through an Internet Service Provider (ISP) connection.

Diagram: a mobile user reaching the corporate gateway through an ISP connection.

Page 130:

General Remote Access Safeguards

• Publish a clear/definitive remote access policy and enforce it through audit.

• Justify all remote users and review regularly, such as yearly.

• Identify and periodically audit all remote access facilities, lines and connections.

• Consolidate all general user dial-up facilities into a central bank that is positioned on a DMZ.

Page 131:

General Remote Access Safeguards (cont.)

• Use phone lines restricted to outbound access for dial-out services.

• Set modems to answer after a pre-determined number of rings; counters “war dialers.”

• Use secure modems for single-port diagnostic and administrative access, or unplug when not in use.

• Consolidate remote access facilities when practical.

Page 132:

General Remote Access Safeguards (cont.)

• Implement two-factor user authentication and network access restrictions for remote access to all resources on private WAN/LANs.

• Use Virtual Private Networks for sensitive data communications on public networks.

• Use personal firewalls and anti-virus tools on remote computers.

Page 133:

Remote Access Controls

Three basic methods to restrict dial-up remote access are:

• Restricted Access – Only accepts incoming calls from addresses on an approved list.
• Caller ID – Checks each caller’s telephone number against an approved list.
• Callback – Callers identify themselves to the server with passcodes or ID numbers. The server terminates the connection and calls the user back at a pre-determined phone number.
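The three controls above as a small model, added here to illustrate the slide; it is not code from the (ISC)2 course or from any remote access server product. The modem and the telephone network are modelled as plain function calls, and the phone numbers, user IDs and passcodes are constructed sample data. The point the model makes explicit is that callback dials the number the administrator placed on file, never a number the caller supplies, so caller ID and passcodes alone are filters rather than proof of who is on the line.

```python
"""Dial-in remote access controls: restricted access, caller ID and callback.

Added illustration of the three methods on the slide; it is not code from the
(ISC)2 course or from any remote access server product.  The modem and the
telephone network are modelled as plain function calls, and the phone numbers,
user IDs and passcodes are constructed sample data.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class DialInUser:
    user_id: str
    passcode: str
    number_on_file: str        # administrator-set callback number


@dataclass
class AccessServer:
    approved_numbers: set                       # allowlist for Restricted Access / Caller ID
    users: dict                                 # user_id -> DialInUser
    audit_log: list = field(default_factory=list)
    outbound_calls: list = field(default_factory=list)   # numbers the server dialed

    def restricted_access(self, caller_number: str) -> bool:
        """Restricted Access / Caller ID: accept only callers on the approved list.
        The caller-ID string is supplied by the phone network and can be absent
        or wrong, so this is a filter, not an authentication of the user."""
        ok = caller_number in self.approved_numbers
        self.audit_log.append(f"caller-id {caller_number}: {'accepted' if ok else 'rejected'}")
        return ok

    def callback(self, user_id: str, passcode: str) -> bool:
        """Callback: identify the caller, hang up, dial the number on file.
        The server never dials a number the caller supplies; a stolen passcode
        alone therefore only causes a call to the legitimate user's line."""
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user.passcode, passcode):
            self.audit_log.append(f"callback {user_id}: identification failed, no callback")
            return False
        self.audit_log.append(f"callback {user_id}: hung up, dialing {user.number_on_file}")
        self.outbound_calls.append(user.number_on_file)
        return True


def handle_incoming_call(server: AccessServer, caller_number: str,
                         user_id: str, passcode: str) -> bool:
    """Apply the controls in order: caller-ID filter first, then callback."""
    if not server.restricted_access(caller_number):
        return False
    return server.callback(user_id, passcode)
```

Every decision is appended to `audit_log`, which is the "audit trail" the earlier telephony slides ask for; reviewing rejected caller-ID entries and failed identifications is how an administrator spots war-dialing against the modem bank.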

Page 134:

Tunneling

• Tunneling is the act of packaging one network packet (the tunneled packet) inside another (the transport packet).

• The tunnel is the vehicle for encapsulating packets inside a protocol that is understood at the entry and exit points of a given network.

• For confidentiality and integrity, the tunnels should be encrypted.

Page 135:

Tunneling (cont.)

• Tunneling can allow different protocols to travel over a public IP network.

• Protocols being used are:
– Point to Point Tunneling Protocol
– Layer 2 Forwarding Protocol
– Layer 2 Tunneling Protocol
– IPSec Protocol
– MPLS (Multi-Protocol Label Switching)
– SOCKS
– SSH

Page 136:

PPTP

Point to Point Tunneling Protocol (PPTP)

• One of the first protocols deployed for Internet-based virtual private networks.

• It is a client/server architecture that allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network.

Page 137:

L2F Protocol

Layer 2 Forwarding (L2F) Protocol

• Permits tunneling at the link layer.

• Designed as a protocol for tunneling traffic from users to their corporate site.

• Provides mutual authentication of user and server.

• Does not offer encryption.

Page 138:

L2TP

Layer 2 Tunneling Protocol (L2TP)

• Hybrid of Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP).
• Designed for single user point-to-point client/server connection.
• Multiple protocols can be encapsulated within the tunnel.
• No encryption, but is often deployed over IPSec.

Page 139:

IPSec Protocol

• IP standard for encryption and node authentication.

• It has enough functionality to encrypt, authenticate, and carry IP-only data through a shared network.

• While PPTP, L2F, and L2TP are aimed at end users, IPSec focuses on LAN-to-LAN or host-to-host tunnels.

• Allows multiple, simultaneous tunnels per end host.

• No user authentication method defined in the standard.

Page 140:

IPSec AH and ESP

• The IP Authentication Header (AH)
– provides connectionless integrity, data origin authentication, & an optional anti-replay service
• The Encapsulating Security Payload (ESP)
– provides confidentiality (encryption) & limited traffic flow confidentiality
– may provide connectionless integrity, data origin authentication, & anti-replay service

Page 141:

IPSec Protocol Security Associations

• All implementations must support a Security Association (SA)
– Simplex (i.e., one-way) “connection” that affords security services to the traffic carried by it
– To secure typical, bi-directional communication, 2 Security Associations (one in each direction) are required
• Security services are provided using AH or ESP
– If both AH & ESP protection is applied to a traffic stream, then 2 (or more) SAs are created

Page 142:

Security Association Triplet

• A security association is uniquely identified by a triplet:
– An IP destination address
– Security protocol (AH or ESP) identifier
– Security parameter index (SPI)
  • Distinguishes among different SAs terminating at the same destination
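The Tunneling, AH/ESP, Security Association and SA triplet slides above describe one mechanism from several angles. The following model, added here as an illustration and not taken from the (ISC)2 slides or any IPSec stack, puts them together: an SA database keyed by (destination address, protocol, SPI), one simplex SA per direction, and ESP processing that encapsulates an inner datagram, verifies an ICV, enforces a sliding anti-replay window and only then decrypts. Assumptions: the ICV is HMAC-SHA256 truncated to 128 bits, the cipher is an HMAC-SHA256 counter-mode keystream that stands in for AES (so that the example runs on the standard library; it is not the real ESP transform), and the addresses, SPIs and keys are constructed sample values.

```python
"""IPSec Security Association database with ESP encapsulation and anti-replay.

Added illustration; not code from the (ISC)2 slides or from any IPSec stack.
Assumptions: ICV = HMAC-SHA256 truncated to 128 bits; the cipher is an
HMAC-SHA256 counter-mode keystream standing in for AES (a stand-in, not the
real ESP transform); addresses, SPIs and keys are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

REPLAY_WINDOW = 64   # size of the sliding anti-replay window in packets
ICV_LEN = 16         # HMAC-SHA256 truncated to 128 bits


class SecurityAssociation:
    def __init__(self, dst, protocol, spi, enc_key, auth_key):
        self.triplet = (dst, protocol, spi)     # the SA's unique identifier
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq_out = 0      # outbound sequence counter
        self.last_seq = 0     # highest inbound sequence number accepted
        self.bitmap = 0       # bit i set => sequence (last_seq - i) already seen

    def keystream(self, seq, length):
        """Counter-mode keystream keyed by (SPI, seq, block): never repeats per SA."""
        out = b""
        for block in range(-(-length // 32)):
            out += hmac.new(self.enc_key, struct.pack("!IIQ", self.spi, seq, block),
                            hashlib.sha256).digest()
        return out[:length]

    def icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

    def replay_check(self, seq):
        if seq == 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.last_seq:
            return True                        # to the right of the window: new
        diff = self.last_seq - seq
        if diff >= REPLAY_WINDOW:
            return False                       # too old: left of the window
        return not (self.bitmap >> diff) & 1   # inside the window: seen before?

    def replay_update(self, seq):
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def esp_encapsulate(sa, payload, next_header=4):
    """Outbound ESP: SPI | seq | enc(payload | pad | pad_len | next_header) | ICV.
    next_header=4 (IP-in-IP) marks a tunnel-mode inner IP datagram."""
    sa.seq_out += 1
    seq = sa.seq_out
    pad_len = (-(len(payload) + 2)) % 4            # align the trailer to 4 bytes
    plaintext = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, sa.keystream(seq, len(plaintext))))
    header = struct.pack("!II", sa.spi, seq)
    return header + ciphertext + sa.icv(header + ciphertext)


def esp_decapsulate(sad, dst, packet):
    """Inbound ESP: SA lookup by triplet, ICV check, anti-replay, then decrypt."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get((dst, "ESP", spi))
    if sa is None:
        raise ValueError("no SA for triplet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(sa.icv(body), icv):
        raise ValueError("ICV mismatch: packet modified or wrong SA")
    if not sa.replay_check(seq):
        raise ValueError("replayed or stale sequence number")
    sa.replay_update(seq)                          # only after the ICV is verified
    ciphertext = body[8:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, sa.keystream(seq, len(ciphertext))))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return plaintext[:len(plaintext) - 2 - pad_len], next_header


def build_sa_pair(gateway_a, gateway_b):
    """Two simplex SAs, one per direction, each with its own SPI and keys.
    In this single-process model both peers share one SA object per direction."""
    sad = {}
    for dst, spi in ((gateway_b, 0x1001), (gateway_a, 0x2002)):
        sa = SecurityAssociation(dst, "ESP", spi, os.urandom(32), os.urandom(32))
        sad[sa.triplet] = sa
    return sad
```

Two details matter operationally. The anti-replay window is only updated after the ICV verifies, otherwise a forged packet with a high sequence number could slide the window and cause legitimate packets to be dropped. And the SA lookup includes the destination address, so the same SPI value at a different destination selects a different (here, absent) SA, which is the slide's point that the SPI alone does not identify an SA.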

Page 143:

Security Association Combinations

Security associations may be combined in two ways:

• Transport adjacency: using the same IP datagram to apply multiple security protocols, without invoking tunneling
– Allows for only one level of combination; further nesting yields no additional benefit
– Transport mode: encrypts normal communication between end nodes (peer to peer).
• Iterated tunneling: applying multiple layers of security protocols through IP tunnels
– Allows for multiple levels of nesting
– Each tunnel can originate or terminate at a different IPSec site along the path
– Iterated tunneling mode is designed to be used by VPN gateways (LAN to LAN/office to office).

Page 144:

IPSec Protocol

• IPSec imposes computational performance costs on the hosts or security gateways.
– Memory needed for IPSec code and data structures.
– Computation of integrity check values.
– Encryption and decryption.
– Added per-packet handling - manifested by increased latency and possibly, reduced throughput
– Use of SA/key management protocols, especially those that employ public key cryptography, also adds computational performance costs to use of IPSec

Page 145:

Multi-Protocol Label Switching (MPLS)

• Does not rely on encapsulation and encryption to maintain a high level of security
– Service providers create IP tunnels throughout their network without encryption

• Uses forwarding tables and ‘labels’ to create a secure connection

• Used to guarantee a certain level of performance, to route around network congestion, or to create IP tunnels for network-based virtual private networks

Page 146:

MPLS Benefits

• MPLS brings benefits to IP-based networks, such as:
– Traffic Engineering - the ability to set performance characteristics and the path a particular class of traffic will use
– VPNs – gives service providers the ability to provide IP tunnels through their network without the need for end-user applications or encryption

Page 147:

Socket Security (SOCKS)

• Circuit-level proxy that contains authentication and encryption features.

– Usually used to allow internal computers access to the external Internet

– Can be used for tunneling to allow external users access to the internal network.

– Requires client applications to be SOCKS-ified.

Page 148:

Secure Shell (SSH, SSH2)

• SSH
– Powerful method of performing client authentication
– Safeguards multiple service sessions between two systems.
• Provides support for:
– Host and user authentication
– Data compression
– Data confidentiality and integrity

• Credentials are validated by digital certificate exchange using RSA.

Page 149:

Virtual Private Networks (VPN)

• Virtual Private Network (VPN)
– Dynamically established secure network link between two specific network nodes or subnets using a secure encapsulation method.
– Uses tunneling AND encryption to protect private traffic over an un-trusted network.

Page 150:

VPN LAN-to-LAN Configuration

Diagram: two LANs, each behind a firewall with a VPN server, joined across the Internet by an encrypted tunnel; at one site the VPN server is behind the firewall, at the other it is on the DMZ.

Page 151:

Mobile User-to-LAN VPN

Diagram: a mobile user's laptop with VPN client software reaches the LAN over the Internet through an encrypted tunnel that terminates on a combined firewall and VPN server.

Page 152:

IPSec Compatible VPN Devices

• IPSec Compatible VPN Devices
– Derive confidentiality and integrity from workstation IP address and either machine certificate or shared secret key.
– Require least user intervention since IPSec authentication and encryption are not user-based.
– Work only with IP, not multi-protocol.
– Operate at the Network Layer of OSI model.

Page 153:

IPSec Compatible VPN Devices (cont.)

Key management is a critical component of using IPSec for a VPN.

Diagram: IPSec key exchange between the VPN peers.

Page 154:

Non-IPSec Compatible VPN Devices

• Use protocols such as PPTP, SOCKS, or MPLS.

• Provide advantages over IPSEC
– Two-factor authentication
– Better integration with proxy servers and NAT.

Page 155:

Firewall based VPN Devices

• Integrated with many firewall systems.
• Central VPN administration is integrated on firewall system.
• Often uses proprietary, non-standard protocols.
• Allows VPN traffic to be securely transmitted and filtered by the firewall.
• Typically does not provide any user authentication, but relies on the firewall authentication service to perform the user identification and authentication.

Page 156:

Quick Quiz

• What functions does a VPN provide?

• What is IPSec?

• What is tunneling?

• Name a few tunneling protocols.

Page 157:

Section Summary

• Remote access typically refers to accessing a trusted network from outside the network.

• Identification and authentication are critical prior to establishing remote access.

• A VPN can be used to help support remote access.

• Various protocols exist to support and control remote access.

Page 158:

Subtopics

• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities

Page 159:

Section Objectives

• Understand the categories of attacks that can impact network security

• Identify wireless network components
• Describe wireless protocols
• Discuss wireless threats and vulnerabilities
• Describe wireless controls components
• Understand Instant Messaging vulnerabilities
• Describe the steps in a successful network attack

Page 160:

Various Network Threats & Attacks

• Denial of Service (DoS)

• Distributed DoS

• Mobile Code

• Malicious Code

• Wireless LAN Vulnerabilities

• Spoofing

• Sniffing

• Eavesdropping

• Masquerading

• Instant Messaging (IM) Vulnerabilities

Page 161:

Remote Access Threat

• Often provides undetected access to unprotected back doors.

• Brute force attack on location’s prefix using “war dialer” is an example.

• Targets of opportunity include:
– Insecure Internet connections
– Unsecured modem access
– Diagnostic ports on various network devices
– Administrative ports on voice mail systems, PBX, fax servers
– Unauthenticated sessions

Page 162:

The Target

• Sensitive and critical information.
• Computing services, such as storage space and other resources.
• Toll telephone services
• Voice mail
• Network access to interconnected networks, such as customers or business partners.

Page 163:

Wireless LAN Vulnerabilities: Subtopics

• Detection
• Eavesdropping
• Modification
• Injection
• Hijacking
• WLAN Architecture
• Radio Frequency Management

Diagram: a wireless LAN positioned between the corporate intranet and the Internet.

Page 164:

Detection & Eavesdropping

• Detection
– WLAN will generate and broadcast detectable radio waves for a great distance
• Eavesdropping
– WLAN signals extend beyond physical security boundaries

Page 165:

Eavesdropping

• Service Set Identifier (SSID) may be broadcast.

• SSID string may identify your organization.

Page 166:

Eavesdropping

• Standard Wired Equivalent Privacy (WEP) encryption is often not used.

• When used, WEP is flawed and vulnerable.

• No user authentication in WEP.

Diagram: eavesdropped traffic exposing clear-text passwords, IP addresses and company data.

Page 167:

Modification, Injection & Hijacking

• Modification
– Standard Wired Equivalent Privacy (WEP) encryption has no effective integrity protection.
• Injection
– Static WEP keys can be determined by analysis.
– Adversaries can attach to the network without authorization.
• Hijacking
– Adversaries can hijack authenticated sessions protected only by WEP.

Page 168:

WLAN Architecture

• Security Architecture

Diagram: Internet, firewall, DMZ and internal network, with a rogue AP attached to the network.

Page 169:

Radio Frequency Management

• Poor RF management will lead to unnecessary transmission of your RF signal into unwanted areas.

• Also consider other devices which may cause interference.

Diagram: the RF signal from Building A spilling into the parking lot.

Page 170:

Wireless LAN Security Controls: Subtopics

1. SSID Broadcasting

2. MAC Address Filtering

3. Security Architecture

4. Radio Frequency Management

5. Encryption

6. Authentication

7. New Wireless LAN Security Protocols

Page 171:

SSID Broadcasting

• Disable the broadcasting of the SSID.
– Not possible on all Access Points

– Easily bypassed

– Only useful on low-value networks

– SSID should also not be easily correlated to your organization name

Page 172:

MAC Address Filtering

• Some Access Points allow the administrator to specify which link layer (MAC) addresses can attach.
– Easily bypassed

– Does not scale

– Only useful for low-value networks

Page 173:

Security Architecture

Diagram: wireless clients reach the internal network only through a DMZ that hosts a VPN server, with a firewall on each side of the DMZ.

Page 174:

Radio Frequency Management

Diagram: the RF footprint of Building A measured against the parking lot.

• Use a scanner to determine your RF footprint
• Monitor interference sources

Page 175:

Wireless Encryption

• Static WEP keys are insufficient for many networks

• New secure protocols are being designed for WLAN

• Layered VPN is a common solution for WLAN networks

Page 176:

Subtopics

Wireless LAN Security Mechanisms:
• Access Control
• Authentication
• Encryption
• Integrity

802.11 Wireless LAN Security Protocols:
• 802.1X / Dynamic WEP
• Wi-Fi Protected Access
• Robust Security Network

Page 177:

Access Control: 802.1X

(Diagram: Client, AP and Authentication Server. The AP's 802.1X port is blocked until authentication completes, then opened.)

1. Client and AP: Probe, Authenticate, Associate (802.1X port blocked)
2. Client and AP: 802.1X EAP Request/Response; the AP relays this to the Authentication Server as the EAP Authentication Exchange, using RADIUS Encapsulation
3. Authentication Server to AP: EAP Success / Key Material; AP to Client: 802.1X EAP Success
4. Client and AP: Nonce Exchange / Derive Keys (802.1X port open)

Page 178

Authentication

• Wireless LAN needs an authenticated key exchange mechanism

• Most secure WLAN implementations use Extensible Authentication Protocol (EAP)

• Many EAP methods are available
– One-factor methods include EAP-MD5, LEAP, PEAP-MSCHAP, TTLS-MSCHAP, EAP-SIM
– Two-factor methods include EAP-TLS, TTLS with OTP, and PEAP-GTC

• Need mutual authentication

Page 179

Encryption

• Static WEP
• Dynamic WEP
• Temporal Key Integrity Protocol (TKIP)
– Uses RC4 stream cipher with 128-bit per-packet keys
• Counter-Mode-CBC-MAC Protocol (CCMP)
– Uses Advanced Encryption Standard (AES) with 128-bit keys

Page 180

Integrity Protection

• WEP has no cryptographically strong integrity protection

• TKIP uses a new Message Integrity Code called “Michael”

• CCMP uses AES in CBC-MAC mode
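Added example, not from the course material: a Python demonstration of why WEP's unkeyed CRC-32 ICV accepts a modified frame while a keyed integrity code rejects it. HMAC-SHA256 from the standard library stands in for the keyed code (TKIP uses Michael, CCMP uses AES CBC-MAC); the frame, the bit-flip delta and the key are constructed.

```python
"""Unkeyed CRC-32 (WEP ICV) versus a keyed message integrity code.

Added example, not from the (ISC)2 slides. KEY, SAMPLE_FRAME and
SAMPLE_DELTA are constructed; HMAC-SHA256 represents the keyed MIC.
"""
import hashlib
import hmac
import zlib

KEY = b"constructed-wlan-integrity-key"   # known only to the two endpoints


def crc32_icv(data: bytes) -> int:
    """WEP-style Integrity Check Value: an unkeyed CRC-32 over the payload."""
    return zlib.crc32(data) & 0xFFFFFFFF


def keyed_mic(key: bytes, data: bytes) -> bytes:
    """Keyed message integrity code; cannot be produced without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over XOR for equal-length inputs:
    crc(a XOR b) == crc(a) XOR crc(b) XOR crc(zeros). Because the relation
    survives XOR, hiding payload and ICV under a stream cipher (RC4 in WEP)
    does not turn the CRC into integrity protection."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    zeros = bytes(len(a))
    return crc32_icv(xor_bytes(a, b)) == crc32_icv(a) ^ crc32_icv(b) ^ crc32_icv(zeros)


def receiver_accepts_crc(frame: bytes, icv: int) -> bool:
    return crc32_icv(frame) == icv


def receiver_accepts_mic(key: bytes, frame: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_mic(key, frame), tag)


def tamper_scenario(frame: bytes, delta: bytes) -> dict[str, bool]:
    """The sender protects `frame`; a third party without KEY XORs `delta`
    into it in transit. Returns the receiver's verdict under each check."""
    icv, tag = crc32_icv(frame), keyed_mic(KEY, frame)
    altered = xor_bytes(frame, delta)
    return {
        "crc_accepts_original": receiver_accepts_crc(frame, icv),
        # Unkeyed: the altered frame arrives with a CRC that anyone can compute.
        "crc_accepts_altered": receiver_accepts_crc(altered, crc32_icv(altered)),
        "mic_accepts_original": receiver_accepts_mic(KEY, frame, tag),
        # Keyed: without KEY, the old tag is all that can accompany the altered frame.
        "mic_accepts_altered": receiver_accepts_mic(KEY, altered, tag),
        "crc_affine_over_xor": crc_is_affine(frame, delta),
    }


# Constructed sample payload and a delta that flips one bit in the amount field.
SAMPLE_FRAME = b"transfer 100 to acct 4471"
SAMPLE_DELTA = bytes([0] * 9 + [0x08] + [0] * (len(SAMPLE_FRAME) - 10))

if __name__ == "__main__":
    for check, verdict in tamper_scenario(SAMPLE_FRAME, SAMPLE_DELTA).items():
        print(f"{check}: {verdict}")
```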

Page 181

802.11 Security Solutions

                  802.1X Dynamic WEP   Wi-Fi Protected Access          Wi-Fi Protected Access 2
Access Control    802.1X               802.1X or Pre-Shared Key        802.1X or Pre-Shared Key
Authentication    EAP methods          EAP methods or Pre-Shared Key   EAP methods or Pre-Shared Key
Encryption        WEP                  TKIP (RC4)                      CCMP (AES Counter Mode)
Integrity         None                 Michael MIC                     CCMP (AES CBC-MAC)

Page 182

Instant Messaging Threats

• Many of today’s IM systems were built for chatting rather than secure corporate communications.

• Rapidly working their way into corporations because of their efficiency and convenience.

• Few organizations have standards, therefore, leaving users to choose for themselves and potentially compromise security within the organization.

• Create new and hidden vulnerabilities.

• Companies need to create and implement a strategy to fully reap the benefits of IM systems, while reducing exposure to security attacks.

Page 183

IM Security Issues

• Most lack encryption capabilities.

• Most have features to bypass traditional corporate firewalls.

• Insecure password management.

• Increased exposure to account hijacking and spoofing.

Page 184

IM Security Issues (cont.)

• May contain bugs that can be exploited by attackers, such as buffer overflows, allowing access to a PC with a vulnerable IM client.
• Vulnerable to denial-of-service attacks.
• Ideal platform for fast-spreading malicious software and worms.
• Easy to locate new targets (buddy lists) that can be controlled by easy-to-write scripts.
• Susceptible to eavesdropping.
• Enables users to exchange files.

Page 185

Instant Messaging Security

• Establish corporate IM usage policies
• Deploy desktop firewall to block usage of unapproved IM programs and prevent attacks to and from systems

• Deploy anti-virus software and personal firewalls on all desktops

• Restrict sending confidential information over public IM systems

• Properly configure corporate firewalls to block unapproved IM traffic

Page 186

Instant Messaging Security (cont.)

• Deploy private corporate IM servers to isolate corporate messaging system from the outside world

• Enforce client-side IM settings (refuse file transfers, etc.)

• Install patches to IM software as soon as possible

• Use vulnerability management solutions to ensure IM client policy compliance

Page 187

Network Threats and Attacks Methodology - Subtopics

Attack Methodology

1. Identify the target and collect information

2. Analyze the target to identify a vulnerability

3. Gain access to the target

4. Escalate privileges

5. Complete the attack

Page 188

Attack Step One

Identify the target and collect information
• Systematically map the target’s network.
– Traceroute, ping scanning, port scanning, TCP half-open scanning, FIN scanning, OS fingerprinting.
• Information wanted:
– Domain names and network numbers
– IP addresses
– Names/phone numbers of personnel
– Network map, including services that are available or running
– Operating system type and version

Page 189

Attack Step Two

Analyze the target to identify a vulnerability
• Query to gather detailed information such as:

– Operating system and services running -- many systems will freely volunteer the product name and version number in a greeting banner.

– List of user ids, shared file systems, system information.

– Probe telephone lines for modems that answer.

Page 190

Attack Step Three

Gain access to the target
• Make connection attempts using:
– Direct login attempts to reach hosts
– Modems to attack remote access servers and modems attached to individual computers.
• Try to guess passwords
• Exploit known security vulnerabilities
• Perform piggybacking/hijacking/spoofing
• Use social engineering
• Perform a denial of service attack

Page 191

Attack Step Four

Escalate privileges
• Try to gain administrative or operator privileges.
• Try to utilize the compromised system to gain access to more valuable systems.
• Techniques:
– Buffer overflows
– Trojan horses
– Password guessing, or installing a password sniffing/gathering/cracking tool
– Exploiting trust relationships

Page 192

Attack Step Five

Complete the attack
• Install a backdoor mechanism that allows the attacker to bypass access control and avoid detection, such as a rootkit.
• Create a rogue user account.
• Close the original vulnerability so no one else can compromise the system.
• Modify audit logs if they are stored locally to prevent discovery of the attack.

Page 193

Network Attacks

• Threat agents: External attackers, internal attackers, disgruntled employees, viruses, Internet worms, etc.

• Active Attacks:
– Vulnerabilities in the network systems
– Attacks on “perimeter defenses” (network infiltration)
– Malicious code – viruses, worms, Trojan horses, etc.
– Login/password brute-force attacks
– Vulnerabilities in Web applications
– Denial of Service (DoS) attacks: network flood, session consumption, buffer overflow, etc.
• Passive Attacks:
– Network sniffing and eavesdropping
– Wiretapping
– Spyware/adware

Page 194

(Network zone diagram: a Public Zone with Internet/Public Access, General Public and Remote Users; a Business Partner connection; a DMZ containing the Web Server; and an Internal Zone with Region Users, Region Network, Central Control and Region Data (servers, mainframes, minicomputer, workstations, personal computers, printer). Firewalls and a router sit between the zones.)

Security Risk Example #1: Internet Firewall

• Security risk scenario: “vulnerability in external perimeter controls” – a flaw in the firewall rules

Page 195


Security Risk Example #1: Attack Illustration

• An attacker scans the network; the firewall blocks all attempts except…
• The attacker finds an open MS SQL port (1433/tcp) on “CUSTOMERDB1” (the firewall admin opened it during a test and forgot to close it)
• This is a good starting point for “penetrating the network”
• Diagram callouts along the path: server banner (MS SQL), default user “sa”/NULL, brute-force attack

Page 196

Security Risk Example #1: Countermeasures

• Compensating access controls – “Tightly configured” Firewall

– Firewall rules should be configured according to the organization’s standard or approved network zone specifications

– Best practices – allow only “firewall friendly ports”:

• HTTP (80/tcp), HTTPS (443/tcp) - for Web servers

• FTP (20/21/tcp) - for File Transfer servers

• SMTP (25/tcp) - for Email servers

• DNS (53/udp/tcp) - for Domain Name servers

• IPSec-IKE (500/udp) - for IPSec/VPN access
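As an added example (not part of the course material), the following Python script audits a constructed firewall rule set against the “firewall friendly ports” baseline above and flags openings such as the forgotten 1433/tcp rule from Example #1, a rule with no recorded justification, and a missing default deny. The rule format, the host names other than CUSTOMERDB1, and the CHG-0000 ticket id are placeholders.

```python
"""Audit Internet-facing firewall rules against an approved-port baseline.

Added example, not from the (ISC)2 slides. The line-oriented rule format,
SAMPLE_RULES, the host names (except CUSTOMERDB1) and the ticket id are
constructed placeholders.
"""
from dataclasses import dataclass

# Baseline: the "firewall friendly ports" listed on the countermeasure slide.
APPROVED_PORTS = {
    ("tcp", 80): "HTTP - Web servers",
    ("tcp", 443): "HTTPS - Web servers",
    ("tcp", 20): "FTP data - File Transfer servers",
    ("tcp", 21): "FTP control - File Transfer servers",
    ("tcp", 25): "SMTP - Email servers",
    ("udp", 53): "DNS - Domain Name servers",
    ("tcp", 53): "DNS - Domain Name servers",
    ("udp", 500): "IPSec-IKE - IPSec/VPN access",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_host: str
    proto: str
    port: int
    action: str              # "allow" or "deny"
    justification: str = ""  # change ticket or zone-specification reference


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed line format:
    name src_zone dst_host proto/port action [justification...]"""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(maxsplit=5)
        name, src, dst, service, action = fields[:5]
        proto, port = service.split("/")
        justification = fields[5] if len(fields) > 5 else ""
        rules.append(Rule(name, src, dst, proto.lower(), int(port), action.lower(), justification))
    return rules


def audit(rules: list[Rule], untrusted_zone: str = "internet") -> list[str]:
    """One finding per allow rule from the untrusted zone that opens a port
    outside the baseline or has no recorded justification, plus a finding if
    the rule set has no explicit default deny from that zone."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.src_zone != untrusted_zone:
            continue
        if (r.proto, r.port) not in APPROVED_PORTS:
            findings.append(f"{r.name}: {r.proto}/{r.port} to {r.dst_host} is not an approved port")
        elif not r.justification:
            findings.append(f"{r.name}: approved port but no justification recorded")
    if not any(r.action == "deny" and r.src_zone == untrusted_zone for r in rules):
        findings.append(f"no explicit default deny rule from {untrusted_zone}")
    return findings


# Constructed rule set; the test-db line is the forgotten 1433/tcp opening from Example #1.
SAMPLE_RULES = """
# name       src       dst          service   action  justification
web-in       internet  WWW1         tcp/443   allow   zone-spec DMZ-web
mail-in      internet  MAIL1        tcp/25    allow   zone-spec DMZ-mail
dns-in       internet  DNS1         udp/53    allow   zone-spec DMZ-dns
test-db      internet  CUSTOMERDB1  tcp/1433  allow
admin-ssh    internet  MGMT1        tcp/22    allow   CHG-0000 (placeholder ticket)
default-in   internet  any          tcp/0     deny
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES)):
        print("FINDING:", finding)
```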

Page 197


Security Risk Example #2: Network Device

• Security risk scenario: “vulnerability in network perimeter controls” – a flaw in the router configuration

Page 198


Security Risk Example #2: Attack Illustration

• An external attacker scans the network, identifies a router and …
• Finds port 80/tcp (HTTP) open on that router
• Connects to the router via a web browser and gets to a “Login Prompt”
• Tries the following URL: http://router.company.com/level5/show/config
• The router configuration file is displayed
• Using “weak password encryption”, the password is recovered
• Router configuration can now be changed

Page 199

Security Risk Example #2: Countermeasures

• A few common best security practices for switches/routers:
– Shut down unnecessary and dangerous services (HTTP, NTP, TCP small services, UDP small services, BOOTP, Finger, etc.)
– Shut down unused interfaces
– Do not allow “source routing”
– Block directed IP broadcasts – to prevent DoS attacks (e.g. Smurf)
– Define Access Control Lists – try to keep them simple and easy (if it looks too complex you may need a stateful firewall)
• Block “spoofed” IP traffic – outside packets that are obviously fake
• Block broadcast and IP multicast packets (if not used)
• Block ICMP redirect packets

Page 200

Security Risk Example #2: Countermeasures (cont.)

– Protect access to the Telnet VTY (only authorized IP’s should have access)

– Turn on logging and log all security exceptions, such as “access denied”

– Use encrypted, “strong” community strings for SNMP – disable ‘SNMP-write’ if it is not used

– Use “strong” passwords (MD5 password encryption for Cisco)

Page 201


Security Risk Example #3: Internal Windows Server

• Security risk scenario: “vulnerability in the server’s network configuration”
• An internal attacker scans the network looking for only one port (161/udp)
• Finds the SNMP service running on server “WIN2KB001” (“public” community)
• Queries system configuration via SNMP-GET (system, resources, users, file shares) and attempts to access these resources
• Runs exploit code for the Windows SNMP buffer overflow (MS02-006)

Page 202

Security Risk Example #3: Countermeasures

• Best security practices for configuring network access controls on servers:
– Shut down unnecessary and dangerous network services:
  – SNMP
  – File sharing (139/tcp)
  – NetBIOS Messenger (138/tcp)
  – Computer Browser (137/udp broadcasts)
  – Rlogin, Rshell, TFTP (on Unix)
  – RPC services (if not used)
  – Telnet
– Define IP filters using IPSec rules (Windows) or IP Tables/IP Firewall on Unix

Page 203

Security Risk Example #3: Countermeasures (cont.)

– Turn on logging and log all security exceptions, such as “access denied”

– If SNMP is required, use encrypted, “strong” community strings for SNMP, but disable SNMP-write (it is not usually required for servers)

– For terminal access use Citrix or Windows Terminal Services, do not use “simple” freeware software like VNC

Page 204

Other Network Threats

• Denial-of-Service Attacks (DoS)
– Distributed DoS attacks
– TCP SYN attack, Ping of Death, Land attack, Teardrop attack
– SMURF (ICMP broadcast traffic flood)
• Brute force (dictionary-driven attacks)
• Buffer overflows
– Many examples of vulnerable services: SNMP, RPC, SSH, FTP…
• Viruses/Worms
– Automated “unleashed” versions of the above
• Spoofing
– Where the IP address is manipulated to bypass IP-level access controls (e.g. if two systems “trust” each other based on their IP addresses)
• Network Traffic Sniffing (passive attack)
• Man-in-the-middle attacks
• Network session hijacking/piggybacking

Page 205

Network Maintenance Process

(Diagram: the maintenance cycle, starting from a Trigger.)

• Network Access Controls maintenance process:
– Trigger events: new requirement, new vulnerability, time-to-review
– Assess/analyze – any new risks/vulnerabilities in the environment
– Implement – update rules and configurations to mitigate the risk
– Test – test the rules and configurations to ensure that they work as expected
– Deploy – put into the production environment; document the change, including the trigger, the analysis and the test results, and
– Monitor – monitor activities to ensure that the network access controls work properly

Page 206

Quick Quiz

• What is the primary difference between 802.11b and 802.11g?

• What type of encryption is typically available on wireless networks?

• True or False:
– Steel walls will contain wireless signals.
– Concrete walls will contain wireless signals.

Page 207

Section Summary

• Wireless networks have become very prevalent.
• Wireless networks introduce new risks into a network environment.
• New controls need to be evaluated for wireless networks:
– Access Control
– Authentication
– Encryption
– Integrity

• Instant Messaging can be an effective organizational tool, but needs to be protected accordingly.

• Perimeter security controls need to be implemented properly to ensure adequate security.

Page 208

Subtopics

• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities

Page 209

Section Objectives

• Describe various types of network authentication protocols

• Describe methods of network user authentication

• Identify various firewall and perimeter security approaches

Page 210

Network Access Controls: Subtopics

• Network Access Controls
– Identification and Authentication
  • PPP Authentication
  • Centralized Authentication
  • Network User Authentication
– Perimeter Security

Page 211

Identification and Authentication

• Network identification and authentication processes are used to identify and verify the source attempting to establish the connection.

• Authentication should be used for:
– Node authentication
– End user authentication

Page 212

Identification and Authentication

• Node authentication is knowing the source (node) that is attempting to establish the connection.
– When the node is authenticated, it is possible to identify the location and type of device.

• End user authentication verifies the identity of the remote user.
– It is preferred to network node authentication.
– It should be two-factor, such as using both a password and a token device or smart card.

Page 213

Remote Access Authentication

1. Remote User requests authentication from Network Access Server.

2. Network Access Server then sends requests to the Centralized Authentication Server.

Page 214

Network Access Controls: Subtopics

• Network Access Controls
– Identification and Authentication
  • PPP Authentication
  • Centralized Authentication
  • Network User Authentication
– Perimeter Security

Page 215

PPP Authentication Protocols

• Authentication of source.
• Commonly used to establish a remote access session.
• Supports several security protocols to verify the network device and/or location of the originating connection point.
• Deployed to authenticate the end-user.
• PPP authentication protocols include:
– Password Authentication Protocol (PAP)
– Challenge Handshake Authentication Protocol (CHAP)
– Extensible Authentication Protocol (EAP)

Page 216

PAP

• A simple, standards-based password protocol.

• Provides automated identification and authentication of remote entity.

Page 217

PAP (cont.)

• Authentication is accomplished using a cleartext, reusable (static) password.

• Supported by most network devices.

• Decreasing use due to weakness of authentication process.

Page 218

CHAP

• Standards-based authentication service.

• Periodically validates users with a sophisticated challenge-handshake protocol.

Page 219

CHAP (cont.)

• Authentication process uses a non-replayable challenge/response dialog (non-replayable because of the nonce) to verify the identification of the remote entity.

• Authentication step takes place at the initial connection and can be repeated at any time during the session.

• Standard password database is unencrypted on end nodes. MSCHAP stores one-way encrypted passwords.

• Password is sent as a one-way hash over the transmission link.
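The challenge/response dialog above, as an added Python example (not the course's code) following RFC 1994 CHAP with MD5: the authenticator issues a fresh random challenge each time, so a captured response cannot be replayed and the secret itself never crosses the link. The peer name, secret and challenge values are constructed.

```python
"""CHAP (RFC 1994) challenge/response with a fresh nonce per challenge.

Added example, not from the (ISC)2 slides. The peer name "remote-user" and
secret "constructed-secret" are constructed; challenges are random.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    identifier: int   # CHAP Identifier octet: binds the response to this challenge
    value: bytes      # random Challenge Value: the nonce


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 algorithm: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Network access server side. Holds each peer's secret (CHAP needs the
    cleartext secret on both ends, the weakness the slide notes) and tracks
    outstanding challenges so each one can be answered at most once."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = dict(secrets)
        self._next_id = 0
        self._outstanding: dict[int, bytes] = {}

    def new_challenge(self) -> Challenge:
        self._next_id = (self._next_id + 1) & 0xFF
        value = os.urandom(16)                  # fresh nonce every time
        self._outstanding[self._next_id] = value
        return Challenge(self._next_id, value)

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self._outstanding.pop(identifier, None)   # single use
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Remote entity being authenticated; only ever sends a hash, never the secret."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def answer(self, ch: Challenge) -> tuple[int, str, bytes]:
        return ch.identifier, self.name, chap_response(ch.identifier, self.secret, ch.value)


def run_session() -> dict[str, bool]:
    """Initial authentication, a mid-session re-challenge, a replayed capture
    and a wrong secret, returning the authenticator's verdict for each."""
    auth = Authenticator({"remote-user": b"constructed-secret"})
    peer = Peer("remote-user", b"constructed-secret")

    ch1 = auth.new_challenge()                      # initial connection
    ident, name, resp1 = peer.answer(ch1)
    first = auth.verify(ident, name, resp1)

    ch2 = auth.new_challenge()                      # repeated during the session
    ident2, _, resp2 = peer.answer(ch2)
    reauth = auth.verify(ident2, name, resp2)

    ch3 = auth.new_challenge()                      # eavesdropper replays resp1
    replay = auth.verify(ch3.identifier, name, resp1)

    ch4 = auth.new_challenge()                      # peer holding the wrong secret
    _, _, bad = Peer("remote-user", b"wrong-secret").answer(ch4)
    wrong = auth.verify(ch4.identifier, name, bad)

    return {"first": first, "reauth": reauth, "replay": replay, "wrong_secret": wrong}


if __name__ == "__main__":
    print(run_session())
```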

Page 220

Extensible Authentication Protocol (EAP)

Flexible authentication framework

Page 221

EAP (cont.)

• Framework for a variety of embedded authentication methods
– Password, S/Key, token card, or digital certificate.
  • S/Key uses the MD4 hash function to generate one-time passwords.
– Supports new authentication methods as they become available.

Page 222

Network Access Controls: Subtopics

• Network Access Controls
– Identification and Authentication
  • PPP Authentication
  • Centralized Authentication
  • Network User Authentication
– Perimeter Security

Page 223

Centralized Authentication Protocols

• With a large remote access network it becomes impractical to store security information on each network access server.

• Standards-based centralized authentication databases simplify maintaining user lists, passwords, user profiles, and accounting records.

• Authentication database can be utilized by all remote access equipment. Unless properly designed, this could be a single point of failure.

Page 224

Centralized Authentication Protocols (cont.)

• Any system that authenticates in a central location.

• Should provide three services:
– Authentication - verifies who the user is and whether access is allowed.
– Authorization - what the user is allowed to do.
– Accountability - tracks what the user (or device, service) did and when it was done.

Page 225

Subtopics

• Remote Authentication Dial-In User Service (RADIUS)

• Terminal Access Controller Access Control System (TACACS)
– TACACS+

• DIAMETER

Page 226

RADIUS

• Three components of RADIUS

– Server resides on a central computer at site

– Client resides in dial-up or network access servers (NAS)

– Protocol that utilizes UDP/IP

Page 227

TACACS and TACACS+

• Similar functionality to RADIUS.

• TACACS does not support dynamic passwords, but TACACS+ does.

• RADIUS only encrypts some parts of the communication, like the user password.

• All communication between the network access server (TACACS+ client) and the TACACS+ server is sent over TCP.

• TACACS+ communication is encrypted with a secret key that is never sent over the network.
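As an added example (not code from the course material), the RFC 2865 User-Password hiding that a RADIUS client applies before sending an Access-Request, shown inside a minimal packet builder and parser: only the User-Password attribute is obfuscated with the shared secret, while User-Name and the rest of the packet travel in the clear over UDP. The secret, user name and password are constructed values.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2), as an added example.

It illustrates the point on the slide: only the User-Password attribute is
obfuscated with the shared secret, while User-Name and everything else in the
Access-Request travel in the clear over UDP.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1      # RADIUS Code field value for Access-Request
ATTR_USER_NAME = 1      # attribute type numbers from RFC 2865
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20         # code(1) + identifier(1) + length(2) + authenticator(16)


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide the password the way a NAS (RADIUS client) does.

    The password is NUL-padded to a multiple of 16 bytes.  Block 1 is XORed
    with MD5(secret + Request Authenticator); each later block is XORed with
    MD5(secret + previous hidden block).  This is obfuscation keyed on the
    shared secret, not authenticated encryption.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        hidden += c
        prev = c
    return bytes(hidden)


def radius_unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side reversal; the NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key_block))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def build_access_request(identifier: int, request_authenticator: bytes,
                         username: bytes, password: bytes, secret: bytes) -> bytes:
    """Minimal Access-Request: 20-byte header followed by two TLV attributes."""
    hidden = radius_hide_password(password, secret, request_authenticator)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    length = HEADER_LEN + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list; returns {attribute_type: value}."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs


if __name__ == "__main__":
    secret = b"example-shared-secret"                 # constructed value
    authenticator = os.urandom(16)                    # fresh per request
    pkt = build_access_request(7, authenticator, b"alice", b"correct horse battery", secret)
    attrs = parse_attributes(pkt)
    print("User-Name in clear:", attrs[ATTR_USER_NAME])
    print("User-Password recovered:",
          radius_unhide_password(attrs[ATTR_USER_PASSWORD], secret, authenticator))
```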

Page 228

DIAMETER

• Supports roaming applications and overcomes limitations of RADIUS.

• Uses peer-to-peer rather than client/server configuration to offer scalability.

• Has two parts:

– Base Protocol - defines message format, transport, error reporting, and security services

– Extensions - modules designed to conduct specific types of AAA transactions, such as NAS, Mobile-IP, and Secure Proxy

Page 229

Network Access Controls - Subtopics

• Network Access Controls

– Identification and Authentication

  • PPP Authentication

  • Centralized Authentication

  • Network User Authentication

– Perimeter Security

Page 230

Network User Authentication

• Network user authentication is when a user is trying to log in to an intelligent client node, such as a server, but must receive further authorization to access the resources.

• Need to protect against replay attacks and brute force password guessing.

Page 231

Lightweight Directory Access Protocol (LDAP)

• Widely accepted, industry standard for access to directory information and application services

• Multi-vendor interoperability.

• Open, extensible, vendor-independent, platform-independent

• LDAP directories provide repositories for security-related data (e.g. userIDs, passwords, URLs, pointers, binary data, Public Key Certificates, etc.)

Page 232

Network Information System

• A distributed database system that lets computers share a set of system files.

Page 233

Network Information System (NIS)

• A central server stores a shared database with one-way encrypted passwords.

• Use of these shared files allows users to access any of a set of computers, using credentials stored in a centrally administered database.

• NIS uses only IP addresses to authenticate the client and server nodes.

• NIS+ is a hierarchical and secure NIS implementation.

Page 234

Distributed Computing Environment (DCE)

• Standard promoted by the Open Group.

• Network authentication is derived from Kerberos.

– Adds extensions for authorization attributes (privileges).

– Uses Universal Unique Identifiers instead of user names to identify users.

– Requires synchronized time clocks to generate time stamps to prevent replay attacks.

Page 235

NT/LAN Manager (NTLM)

• NTLM authentication protocol provides challenge/response authentication for client/server networks.

• The user’s password is hashed and used as a key to encrypt a challenge sent by the server.

Page 236

Network Access Controls - Subtopics

• Network Access Controls

– Identification and Authentication

– Perimeter Security

  • Perimeter Security Overview

  • Perimeter Security Technologies

  • Perimeter Security Architecture

  • Firewall Security Best Practices

Page 237

Network Perimeter

• Refers to the concept that public, sensitive private networks and non-sensitive private sub-networks are segregated and entry is controlled.

• Access from one network or segment to another is controlled through a “Choke Point”.

• Network security policy is defined and enforced by some type of mechanism at each boundary router and secure gateway.

Page 238

Boundary Routers

• Provide entry to and from network perimeters; i.e., boundary routers interconnect networks at their perimeter entry points.

• Permit or deny predefined traffic (via ACLs) and implement safeguards against IP spoofing and other network attacks.

• Forward permitted traffic to and from secure gateways and networks.

Page 239

DeMilitarized Zone (DMZ)

• DMZ networks function as a small and isolated network positioned between the untrusted network and the private network.

• Typically systems on the untrusted network and some systems on the private network can access a limited number of services on the DMZ.

• The goal is to prevent the transmission of traffic directly between the untrusted network and the private network.

Page 240

Bastion Host

• A computer system that is highly secured because it is vulnerable to attack, usually because it is exposed to an untrusted network.

• An application-level gateway is a type of “bastion host” because it is a designated system that is specifically armored and protected against attacks.

Page 241

Network Access Controls - Subtopics

• Network Access Controls

– Identification and Authentication

– Perimeter Security

  • Perimeter Security Overview

  • Perimeter Security Technologies

  • Perimeter Security Architecture

  • Firewall Security Best Practices

Page 242

Network Access Controls - Perimeter Security Technologies

Subtopics

• Perimeter Security Techniques/Technologies

– Filtering

  • By Protocol/Service

  • By Address

– Network Partitioning

– Data Inspection

– Network Address Translation (NAT) / Port Address Translation (PAT)

– Firewalls

Page 243

Filtering by Protocol/Service

• Filtering by communications protocol/service.

– Reduces risk by blocking all but authorized protocols and services.

– Filtering accomplished by Access Control Lists (ACLs) on various network devices such as routers, firewalls, gateways, and bridges.

– Protocol examples include ICMP, UDP

– Service examples include HTTP, Telnet

Page 244

Filtering by Address

• Used to restrict network connections and routing

– Enables only authorized nodes/network segments to communicate; blocks out all others.

• Different from filtering by protocol/services but often used in conjunction with it.

• Filtering done by Access Control Lists (ACLs) on various devices, such as routers, gateways, etc.

Page 245

Network Access Controls - Perimeter Security Technologies

Subtopics

• Perimeter Security Techniques/Technologies

– Filtering

– Network Partitioning

– Data Inspection

– Network Address Translation (NAT) / Port Address Translation (PAT)

– Firewalls

Page 246

Network Segment / Subdomain Isolation

• Concept of filtering by protocol/services/source and destination address to isolate network traffic and services from private or sensitive parts of the network; e.g., traffic restricted to an extranet.

• Design the network architecture to separate “untrusted” traffic apart from “private” and “trusted” network segments/subdomains.

• Accomplished by:

– Filtering by protocol/services

– Filtering by source and destination address

– Network design (e.g. Switches, VLANs, etc.)

Page 247

Network Access Controls - Perimeter Security Technologies

Subtopics

• Perimeter Security Techniques/Technologies

– Filtering

– Network Partitioning

– Data Inspection

– Network Address Translation (NAT) / Port Address Translation (PAT)

– Firewalls

Page 248

Data Inspection

• Concept of monitoring and examining predefined communication layers of transmitted data and taking appropriate action if not allowed by security rules.

• The volume of network traffic, the degree of analysis required, and the sensitivity of the transmitted data determine how inspection is implemented; i.e., real-time or off-line analysis, and the type of alarm/response.

Page 249

Data Inspection Applications

• Common applications of network data inspection: – Computer virus scanning

– Stateful inspection of network packets/frames

– Content inspection for Web mobile code, such as Java or ActiveX content

– Intrusion Detection Systems

Page 250

Network Access Controls - Perimeter Security Technologies

Subtopics

• Perimeter Security Techniques/Technologies

– Filtering

– Network Partitioning

– Data Inspection

– Network Address Translation (NAT) / Port Address Translation (PAT)

– Firewalls

Page 251

Network Address Translation

• Address translation is when an address is converted from one value to another.

• Typically used to hide the internal network IP address from external systems.

• Translates each private IP address to a registered IP address.

Page 252

NAT and RFC 1918

• RFC 1918 lists three segments of private addresses that are not to be used on the Internet, so they can be used safely behind a NAT environment.

• They are:

– 10.0.0.0 - 10.255.255.255

– 172.16.0.0 - 172.31.255.255

– 192.168.0.0 - 192.168.255.255

Page 253

Port Address Translation

• Multiplexes many internal IP addresses into one external address.

• Changes source TCP/UDP port number of outgoing datagrams.

Page 254

NAT/PAT

Network and Port Address Translation

Before translation (private side): Source IP 192.168.1.50, Destination IP 206.121.73.5, Source Port 1037, Destination Port 80

After translation (public side): Source IP 199.53.72.2, Destination IP 206.121.73.5, Source Port 1058, Destination Port 80
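An added example, not part of the course material: a small Python PAT table that reproduces the translation on the slide (192.168.1.50:1037 rewritten to 199.53.72.2:1058, with the starting port chosen to match) and checks the three RFC 1918 ranges from the previous slide before translating. All addresses are the slide's own or constructed.

```python
"""NAT/PAT walk-through, added example using the slide's addresses.

The inside host 192.168.1.50 (an RFC 1918 address) talks to 206.121.73.5:80;
the translator rewrites the source to its public address 199.53.72.2 and a
fresh source port (1058 on the slide) and maps the reply back.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# The three RFC 1918 blocks from the previous slide.
RFC1918_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address: str) -> bool:
    """True if the address falls in one of the private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in RFC1918_BLOCKS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PortAddressTranslator:
    """One public IP shared by many inside hosts, distinguished by port."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        if is_rfc1918(public_ip):
            raise ValueError("the outside address must not be an RFC 1918 address")
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside ip, inside port) -> public port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (inside ip, inside port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        if self.next_port > 65535:
            raise RuntimeError("PAT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite source IP/port of a packet leaving the private network."""
        if not is_rfc1918(pkt.src_ip):
            raise ValueError("only private inside addresses are translated here")
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self._allocate_port()
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host; None means no state, so drop."""
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


if __name__ == "__main__":
    pat = PortAddressTranslator("199.53.72.2", first_port=1058)
    out = pat.translate_outbound(Packet("192.168.1.50", 1037, "206.121.73.5", 80))
    print("outside view:", out)
    back = pat.translate_inbound(Packet("206.121.73.5", 80, "199.53.72.2", 1058))
    print("reply delivered to:", back)
```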

Page 255

Network Access Controls - Perimeter Security Technologies

Subtopics

• Perimeter Security Techniques/Technologies

– Filtering

– Network Partitioning

– Data Inspection

– Network Address Translation (NAT) / Port Address Translation (PAT)

– Firewalls

Page 256

Firewalls

• Firewalls enforce security rules between two or more networks.

• Evaluate each network packet against a network security policy.

Page 257

Firewall Technologies - Subtopics

• Packet filtering firewalls

• Stateful inspection firewalls

• Proxy firewalls

– Circuit-level

– Application-level

• Personal firewalls

Page 258

Packet Filtering Firewalls

• A method or device for limiting network traffic between two networks by enforcing security rules.

• Examines packet headers to either block or pass packets.

• Uses Access Control Lists (ACLs) that allow it to accept or deny access.

Page 259

Packet Filtering Firewalls (cont.)

• Considers the following information:

– Source and destination addresses

– Data session’s protocol (TCP, UDP, ICMP, etc.)

– Source and destination application port for the desired service (FTP, Telnet, HTTP, etc.).

– Whether the packet is the start of a connection request (lack of ACK bit in the TCP header).

Page 260

Stateful Inspection Firewalls

• Transmitted data packets or frames are captured and analyzed at all communication layers.

• “State” and “context” data are stored and updated dynamically.

• Provides information for tracking connectionless protocols; e.g., Remote Procedure Call (RPC) and UDP-based applications.

Page 261

Stateful Inspection Firewalls (cont.)

• A secure method of analyzing data packets.

• Places extensive information about a data packet into a table. In order for a session to be established, information about the connection must match information stored in the table.

• Examines the content of each packet to an arbitrary level of detail. For example, it may be able to associate incoming UDP replies with an earlier outgoing UDP request.
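Added example (not from the course): a Python stateless ACL built on the criteria the packet-filtering slides list, including the "start of a connection" test on the TCP ACK bit, placed beside a minimal stateful connection table. It shows that only the stateful version can admit the UDP reply to an earlier outgoing request, which the text above describes. Sample packets and the policy are constructed; 203.0.113.0/24 is a documentation range.

```python
"""Stateless packet-filter ACL beside a minimal stateful inspection table.

Added example built on the criteria listed on the slides: addresses, protocol,
ports, and whether a TCP segment opens a connection (no ACK bit).  Addresses
and packets are constructed; 203.0.113.0/24 is a documentation range.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag; absent on the segment that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False      # match only TCP segments that carry ACK

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def stateless_filter(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; an implicit deny acts as the cleanup rule."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFilter:
    """Outbound flows are checked against the ACL and recorded in a state
    table; inbound packets are admitted only as replies to a recorded flow,
    which is what lets UDP answers through without an ACK-bit style rule."""

    def __init__(self, acl: List[Rule], inside: str) -> None:
        self.acl = acl
        self.inside = ipaddress.ip_network(inside)
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def process(self, p: Packet) -> str:
        if ipaddress.ip_address(p.src) in self.inside:          # outbound
            if stateless_filter(self.acl, p) == "permit":
                self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return "permit"
            return "deny"
        # inbound: permit only the reverse 5-tuple of something we sent
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
            return "permit"
        return "deny"


# Constructed policy: inside hosts may browse (tcp/80) and resolve names (udp/53);
# the "established" rule is the classic ACK-bit test for TCP replies.
INSIDE = "192.168.1.0/24"
ACL = [
    Rule("permit", "tcp", INSIDE, "0.0.0.0/0", dport=80),
    Rule("permit", "udp", INSIDE, "0.0.0.0/0", dport=53),
    Rule("permit", "tcp", "0.0.0.0/0", INSIDE, established=True),
]

if __name__ == "__main__":
    query = Packet("192.168.1.50", "203.0.113.53", "udp", 5353, 53)
    reply = Packet("203.0.113.53", "192.168.1.50", "udp", 53, 5353)
    print("stateless ACL on the DNS reply:", stateless_filter(ACL, reply))   # deny
    sf = StatefulFilter(ACL, INSIDE)
    sf.process(query)
    print("stateful table on the DNS reply:", sf.process(reply))            # permit
```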

Page 262

Proxy Firewalls

A proxy acts on another’s behalf.

Page 263

Proxy Firewalls (cont.)

• Proxy clients talk to proxy servers.

• Proxy servers relay approved client requests to external servers and relay answers back to clients.

• Conceptually, outsiders are not allowed to “talk” directly to private nodes.

• There are two types of proxies:

– Circuit-level

– Application-level

Page 264

Circuit-Level Proxy Firewalls

• Do not require special proxy for each service (i.e., FTP, HTTP, TELNET, etc.).

• Can require user authentication before allowing access.

• Create a circuit between client and server without requiring knowledge about the service.

• Have no application-specific controls.

• An example is a SOCKS server.

Page 265

Application-Level Proxy Firewalls

• Provide the highest level of security because they allow the greatest degree of control.

• A different proxy is needed for each service.

• Provide information on the type and amount of traffic.

• Can require user authentication for each service, which provides accountability.

Page 266

Application-Level Proxy Firewalls (cont.)

• Can impact network performance because they must analyze packets and make decisions about access control.

• Good place to do content inspection for mobile code and viruses.

• FTP example - restrict whether external users may only read files (the GET command) or also write files (the PUT command).

Page 267

Personal Firewalls

• Individual hosts are protected with firewall software that provides stateful packet filtering and intrusion detection.

• Increasing availability of “always on” broadband connections for Small Office/Home Office users is increasing exposure to compromise.

Page 268

Firewall Comparison

Firewall Type            OSI Model Layer     Characteristics
Packet Filtering         Network Layer       • Routers using ACLs dictate acceptable access to a network
                                             • Looks at destination and source addresses, ports and services requested
Application-level Proxy  Application Layer   • Deconstructs packets and makes granular access control decisions
                                             • Requires one proxy per service
Circuit-level Proxy      Session Layer       • Deconstructs packets
                                             • Protects a wider range of protocols and services than an app-level proxy, but not as detailed a level of control
Stateful                 Network Layer       • Keeps track of each conversation using a state table
                                             • Looks at state and context of packets

Page 269

Network Access Controls - Subtopics

• Network Access Controls

– Identification and Authentication

– Perimeter Security

  • Perimeter Security Overview

  • Perimeter Security Technologies

  • Perimeter Security Architecture

  • Firewall Security Best Practices

Page 270

Perimeter Security Configurations - Subtopics

• Packet Filtering

• Dual-Homed Host

• Screened Host

• Screened Subnet

• Multi-Legged Firewall

Page 271

Packet Filtering

• Place a packet-filtering router between private network and the untrusted network.

[Diagram: Packet Filter placed between the untrusted network and the private Network]

Page 272

Dual-Homed Host

• Single computer with two network interface cards that acts as a dividing line between local network and the Internet.

[Diagram: Host Computer With Two Network Cards sitting between the two networks]

Page 273

Screened Host

• Uses both a packet-filtering router and a bastion host.

[Diagram: Router, Bastion Host and private Network]

Page 274

Screened Subnet

• Uses two separate packet filters or stateful inspection firewalls and a network of bastion hosts.

[Diagram: Firewall, DMZ with Switch, second Firewall, private Network]

Page 275

3-Legged Firewall

• Configuration with a third network interface, usually for the DMZ.

• The DMZ segment allows both internal and external users to access common servers.

• Does not allow external users to access non-DMZ resources.

[Diagram: Firewall with a third interface for the DMZ, plus the private Network]

Page 276

Network Access Controls - Subtopics

• Network Access Controls

– Identification and Authentication

– Perimeter Security

  • Perimeter Security Overview

  • Perimeter Security Technologies

  • Perimeter Security Architecture

  • Firewall Security Best Practices

Page 277

Firewall Security - Concepts

[Diagram: firewall security layers - Policies and Procedures; Environmental; Operating System; People and Processes; Cabling & Switching; Firewall configuration; Application Layer; Operating System Controls; Architecture Controls; Data-Link]

Page 278


Firewall Security - Environmental

• Document and clearly communicate who is authorized to

– Install, de-install and move firewalls

– Perform hardware maintenance and changes to physical configuration

– Make physical connections to the firewall

• Define procedures for

– Locating and securing firewalls by zone

– Securing console physical access

– Recovering in the event of physical damage

– Escalating in the event of firewall tampering

Page 279

Firewall Security - Data Link

• Use VLANs sparingly on critical firewalls.

• If VLANs are necessary, consider using known firewall virtualization (e.g. VSX).

[Diagram: VLAN Enabled firewall]

Page 280


Firewall Security – Operating System

• Ensure that the operating systems have been appropriately hardened.

• Ensure that unnecessary services have been disabled.

• Turn on operating system logging mechanisms.

• Use double intervention controls for critical functions (e.g. access to the operating system).

Page 281


Firewall Security – Application Layer

• Use appropriate stealth, cleanup and silent rules.

[Figure: example rule base showing a Stealth Rule and a Cleanup Rule]

Page 282


Firewall Security – Application Layer

• Use negation in preference to an explicitly permitted destination.

[Figure: two rule-base variants, the negated form marked Preferred]

Page 283


Firewall Security – Define Appropriate Global Rules

• Limit the use of implied rules

Page 284

Group Exercise

• An electronics company wishes to make their product documentation available on the Internet. They have decided to use a packet filtering security architecture to protect the server housing the documentation. What are the pros and cons of this approach?

Page 285

Section Summary

• In order to access a network, you must authenticate to the network.

• Authentication should be done at two levels, user level and node level.

• Authentication can be controlled in various ways.

• Firewalls should be used to protect your internal network from unauthenticated and unauthorized access.

• Various firewall and perimeter security approaches exist; using a combination of technologies and architectures can give you adequate security.

Page 286

Subtopics

• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities

Page 287

Network Availability Technologies – Subtopics

• Network Availability Technologies
– Network Disaster Prevention
• Cabling
• Topology
• Single Points of Failure
• Saving Configuration Files
– Server Disaster Prevention

Page 288

Section Objectives

• Understand how to prevent network disasters from happening

• Describe methods of protecting important network elements such as servers

Page 289

Cabling

• The cabling that is used will impact how resilient the network is to failure.

• Test and certify all cabling before use on the network.

• Segment problem areas with switches.

• Use fiber to avoid electromagnetic interference.

• Avoid excessive cable lengths.

Page 290

Topology

• Some topologies do a better job of recovering from problems that can happen on networks.

• Ethernet, when used with twisted-pair cabling, can be extremely resistant to cabling problems.

• Token Ring was designed to be fault tolerant, but is subject to faulty network interface cards.

• Fiber Distributed Data Interface (FDDI), if implemented with dual counter-rotating rings, is very reliable.

Page 291

Single Points of Failure

• Leased lines can introduce a single point of failure.

• Frame Relay
– provides wide area network connectivity across a shared public switched network.
– If any segment in the frame relay cloud has a failure, traffic is diverted across other links.
– The link to the Central Office from the customer site is still a single point of failure.

Page 292

Single Points of Failure Countermeasures

• The best way to minimize disasters is to identify single points of failure and build in redundancy.

• Creating single points of failure is a common mistake made in network design.

• Be careful of consolidated equipment, such as routers or switches.

• Deploy redundant equipment.
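Identifying single points of failure, as the slide recommends, is a graph problem: a device whose removal partitions the network is an articulation point, and a link whose loss does so is a bridge. The following is an added example, not part of the (ISC)2 course; the topology (device names and links) is constructed, and `connected_without` is a brute-force cross-check for the DFS result.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample topology (not from the course): undirected links between devices.
TOPOLOGY: List[Tuple[str, str]] = [
    ("wan-router", "core-sw"),
    ("core-sw", "dist-sw-A"), ("core-sw", "dist-sw-B"),
    ("dist-sw-A", "dist-sw-B"),                                   # redundant LAN route
    ("dist-sw-A", "access-sw-1"), ("dist-sw-B", "access-sw-1"),   # dual-homed access switch
    ("dist-sw-A", "access-sw-2"),                                 # single uplink only
    ("access-sw-2", "server-farm"),
]


def build_graph(links) -> Dict[str, Set[str]]:
    g: Dict[str, Set[str]] = defaultdict(set)
    for a, b in links:
        g[a].add(b)
        g[b].add(a)
    return g


def single_points_of_failure(links) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """Devices (articulation points) and links (bridges) whose loss partitions the
    network, found with Tarjan's depth-first low-link algorithm."""
    g = build_graph(links)
    disc: Dict[str, int] = {}
    low: Dict[str, int] = {}
    cut_devices: Set[str] = set()
    bridges: Set[Tuple[str, str]] = set()
    clock = [0]

    def dfs(u: str, parent: Optional[str]) -> None:
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v in g[u]:
            if v == parent:
                continue
            if v in disc:                      # back edge: u can reach an ancestor
                low[u] = min(low[u], disc[v])
                continue
            children += 1
            dfs(v, u)
            low[u] = min(low[u], low[v])
            if parent is not None and low[v] >= disc[u]:
                cut_devices.add(u)             # subtree under v cannot bypass u
            if low[v] > disc[u]:
                bridges.add(tuple(sorted((u, v))))   # subtree under v cannot bypass this link
        if parent is None and children > 1:
            cut_devices.add(u)                 # DFS root is a cut vertex iff it has 2+ subtrees

    for node in list(g):
        if node not in disc:
            dfs(node, None)
    return cut_devices, bridges


def connected_without(links, device: Optional[str] = None,
                      link: Optional[Tuple[str, str]] = None) -> bool:
    """Brute-force cross-check: is the network still connected after removing one device or link?"""
    remaining = [l for l in links if device not in l and tuple(sorted(l)) != link]
    nodes = {n for l in links for n in l} - {device}
    g = build_graph(remaining)
    start = next(iter(nodes))
    seen, stack = {start}, [start]
    while stack:
        u = stack.pop()
        for v in g[u]:
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen == nodes
```

On the constructed topology, the dual-homed access switch makes neither distribution switch a bridge for it, but `core-sw` (the only path to the WAN router), `dist-sw-A` (the only uplink for `access-sw-2`) and `access-sw-2` itself are reported; adding a second uplink from `dist-sw-B` to `access-sw-2` removes `dist-sw-A` from the list, which is the "deploy redundant equipment" step in code.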

Page 293

Single Points of Failure Countermeasures (cont.)

• Take advantage of redundant LAN routes.

• Provide on-demand backup for WAN connections.

• Build systems that are:
– Basic Availability - sufficient components to satisfy the system’s functional requirements
– High Availability - also has sufficient redundancy
– Continuous Availability - also has components that cover planned outages (i.e., upgrades, backups)

Page 294

Saving Configuration Files

• When network devices fail, chances are local configurations will be lost.

• Terminal logging - allows saving of configuration files by logging what appears on the terminal as the device is locally programmed.

• Trivial File Transfer Protocol (TFTP) - supports saving or retrieving configuration information. A single server can archive configuration files for every device on the network.

Page 295

Network Availability Technologies – Subtopics

• Network Disaster Prevention

• Server Disaster Prevention
– Uninterruptible Power Supply (UPS)
– Redundant Array of Independent Disks (RAID)
– Redundant Servers
– Clustering
– Backup Technologies
– Server Recovery

Page 296

UPS, RAID & MAID

• Uninterruptible Power Supply (UPS)
– Provides a source of clean and steady power.

• Redundant Array of Independent Disks (RAID)
– Provides fault tolerance against hard disk crashes and can improve system performance.

• Massive Array of Inactive Disks (MAID)
– Similar to RAID, except disks remain dormant until requested.
– By reducing the number of disks that are concurrently active, disk controller costs can be significantly reduced.

Page 297

Redundant Servers

• Keep a redundant idle computer available for failover -- server fault tolerance

• Provide one or more entire systems to be available in case primary one crashes.

Page 298

Clustering

• Similar to redundant servers except all systems take part in processing.

• Cluster acts as a single intelligent unit in order to balance traffic load.

• More attractive than server redundancy because secondary systems actually provide processing time.

• Boosts availability and performance.

Page 299

Backups

• Safeguard the information that is stored on the server. Three types are:
– Full backup - complete archive of every file
– Differential backup - copies only files that have changed since a full backup was last performed
– Incremental backup - copies only files that have recently been added or changed since the last backup of any kind
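The practical difference between the three backup types is what each one copies on a given day and which media a restore then needs. The simulation below is an added example, not from the (ISC)2 course; it uses the archive-bit mechanism (full and incremental backups clear the bit, a differential leaves it set) on a constructed set of five files with a constructed edit schedule.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FileState:
    archive_bit: bool = True   # set by the OS when a file is created or modified


class BackupSimulator:
    """Models which files each backup type copies. The archive bit is the classic
    selector: full and incremental backups clear it, a differential backup leaves
    it set, which is why each differential grows until the next full backup."""

    def __init__(self, files: Dict[str, FileState]):
        self.files = files
        self.history: List[Tuple[int, str, List[str]]] = []   # (day, type, files copied)

    def modify(self, day: int, *names: str) -> None:
        for n in names:
            self.files[n] = FileState(archive_bit=True)

    def full(self, day: int) -> List[str]:
        copied = sorted(self.files)
        for f in self.files.values():
            f.archive_bit = False
        self.history.append((day, "full", copied))
        return copied

    def differential(self, day: int) -> List[str]:
        copied = sorted(n for n, f in self.files.items() if f.archive_bit)
        # archive bit is NOT cleared: everything changed since the last full is copied again
        self.history.append((day, "differential", copied))
        return copied

    def incremental(self, day: int) -> List[str]:
        copied = sorted(n for n, f in self.files.items() if f.archive_bit)
        for n in copied:
            self.files[n].archive_bit = False   # cleared: next time only changes since this backup
        self.history.append((day, "incremental", copied))
        return copied

    def restore_set(self) -> List[Tuple[int, str]]:
        """Media needed to restore the latest state: the last full backup plus
        either the single latest differential or every incremental since the full."""
        fulls = [i for i, h in enumerate(self.history) if h[1] == "full"]
        if not fulls:
            return []
        full, rest = self.history[fulls[-1]], self.history[fulls[-1] + 1:]
        if rest and all(kind == "differential" for _, kind, _ in rest):
            needed = [full, rest[-1]]
        else:
            needed = [full] + rest
        return [(day, kind) for day, kind, _ in needed]


def run_week(scheme: str) -> Tuple[List[int], List[Tuple[int, str]]]:
    """Constructed scenario: five files, a full backup on day 0, then the chosen
    scheme daily while the same edits happen. Returns (files copied per day, restore set)."""
    sim = BackupSimulator({f"file{i}": FileState() for i in range(1, 6)})
    copied = [len(sim.full(0))]
    edits = {1: ("file1",), 2: ("file2",), 3: ("file1", "file3")}
    for day in (1, 2, 3):
        sim.modify(day, *edits[day])
        backup = sim.differential if scheme == "differential" else sim.incremental
        copied.append(len(backup(day)))
    return copied, sim.restore_set()
```

With the same edits, the differential scheme copies more each day but restores from two media sets, while the incremental scheme copies the least per day and restores from the full plus every incremental in order, so losing one incremental tape breaks the chain.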

Page 300

Tape Arrays

• Redundant Array of Independent Tapes (RAIT) - similar to RAID technology

Other technologies:
• NAS (Network Attached Storage)
• S-ATA (Serial-Advanced Technology Architecture)
• Others

Page 301

Online Backup

Continuous Online Backup with Hierarchical Storage Management (HSM)
• Combines hard disk technology with use of slower and cheaper optical or tape juke boxes.
• Continuous online backup package.

Storage Area Network (SAN)
• Shared network that connects hosts to storage devices.
• Often used to implement server-less backups.

Page 302

Quick Quiz

• What are some of the ways to prevent disasters from happening on a network?

• How can we provide protection for servers on a network?

Page 303

Section Summary

• Disasters on a network can be minimized by using the correct cabling and topologies, as well as by addressing single points of failure and building in redundancy.

• There are several ways to protect servers; they include mirroring, clustering, backing up, RAID, etc.

Page 304

Subtopics

• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
– Data Link Layer Security Protocols
– Network Layer Security Protocols
– Transport Layer Security Protocols
– Application Layer Security Protocols
• Multimedia and Quality of Service
• Information Security Activities

Page 305

Section Objectives

• List some of the protocols available to provide security, in relation to the TCP/IP layers.

• Understand how to address security for specialized multimedia applications.

• Understand the objectives of Quality of Service.

• Understand the activities that need to be addressed by security professionals in order to ensure adequate network security.

Page 306

Data Link Layer Security Protocols

• Tunneling and VPN Protocols are the mechanisms to protect transmission at the Data Link Layer.
– Point to Point Tunneling Protocol
– Layer 2 Forwarding
– Layer 2 Tunneling Protocol
– 802.11 Wireless LAN Security Protocols
– Other Layer 2 Solutions

Page 307

Network/Internet Layer Security Protocols

• Several protocols have been proposed.

• Most notable is IPSec.
– It can be implemented in various types of network equipment.
– Designed to support multiple encryption and authentication protocols.

Page 308

Transport Layer Security Protocols

• Some examples:
– Secure Shell (SSH)
– Secure Sockets Layer (SSL)
– Transport Layer Security Protocol (TLS)
– Wireless Transport Layer Security (WTLS)

Page 309

Secure Sockets Layer (SSL)

• Enables client/server applications to communicate securely, minimizing the risk of eavesdropping, tampering, or message forgery.

• Provides data confidentiality, integrity control, server authentication, and optionally, client authentication

• Two layer protocol:
– SSL Record Protocol - used to pass messages
– SSL Handshake Protocol - used to establish an SSL connection

Page 310

SSL Handshake – Step One

• A link is established to the secure server over TCP/IP. The client sends the server a ‘ClientHello’ message including the client’s SSL version number, cipher settings, and a random number.

Page 311

SSL Handshake – Step Two

• The server sends back a response (ServerHello).

• The response includes the server’s public key certificate, SSL version number, cipher settings, and a random number.

Page 312

SSL Handshake – Step Three

• The client can now authenticate the server. It sends the server a message encrypted with the server’s public key, which the server decrypts. The content of that message is used to generate the session key, the secret for HMAC, and the IV (if needed).

Page 313

SSL Handshake – Step Four

• The client sends a message encrypted with the session key, closing the client side of the handshake. The server responds with a message encrypted with the session key, closing the server side. Communication is now secure.
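The four handshake steps above, run end to end with both sides' messages, as an added example that is not part of the (ISC)2 course. Everything in it is a simplification chosen for illustration: the server key pair is toy-sized textbook RSA on two Mersenne primes with no padding, the key expansion is an HMAC-SHA256 construction rather than the real SSL 3.0 PRF, and the step-four closing messages are represented as MACs under the derived HMAC secret over each side's view of the handshake. The `tamper_server_random` switch shows what step four is for: if an on-path party alters the ServerHello, the two sides derive different keys and both closing messages fail to verify.

```python
import hashlib
import hmac
import os

# Toy RSA key pair for the server (constructed: two Mersenne primes, ~150-bit modulus,
# textbook RSA without padding; illustration only, far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SERVER_PUBLIC_KEY = (N, E)      # what the server's certificate would carry
SERVER_PRIVATE_KEY = (N, D)


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA256 expansion; a simplification of the SSL/TLS key-block derivation."""
    out, block, i = b"", b"", 0
    while len(out) < length:
        i += 1
        block = hmac.new(secret, block + label + seed + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]


def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Both sides run this on the same three inputs and obtain the same key material."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 64)
    return {"session_key": block[:16], "hmac_secret": block[16:48], "iv": block[48:64]}


def transcript_hash(*messages) -> bytes:
    return hashlib.sha256(b"|".join(repr(m).encode() for m in messages)).digest()


def finished_tag(keys: dict, transcript: bytes, side: bytes) -> bytes:
    """Closing message: a MAC under the new HMAC secret over the handshake as one side saw it."""
    return hmac.new(keys["hmac_secret"], side + transcript, hashlib.sha256).digest()


def handshake(tamper_server_random: bool = False) -> dict:
    # Step 1: ClientHello with version, cipher settings and the client random.
    client_hello = {"version": "3.0", "ciphers": ["AES128-SHA"], "random": os.urandom(32)}
    # Step 2: ServerHello with the certificate (public key), version, chosen cipher and server random.
    server_hello = {"version": "3.0", "cipher": "AES128-SHA", "random": os.urandom(32),
                    "cert": SERVER_PUBLIC_KEY}
    # What the client actually receives; with tampering an on-path party swapped the server random.
    client_view = dict(server_hello, random=os.urandom(32)) if tamper_server_random else server_hello
    # Step 3: the client picks a premaster secret and encrypts it under the server's public key;
    # the server decrypts it and both sides derive the session key, HMAC secret and IV.
    premaster = os.urandom(16)
    n, e = client_view["cert"]
    client_key_exchange = pow(int.from_bytes(premaster, "big"), e, n)
    client_keys = derive_keys(premaster, client_hello["random"], client_view["random"])
    n, d = SERVER_PRIVATE_KEY
    server_keys = derive_keys(pow(client_key_exchange, d, n).to_bytes(16, "big"),
                              client_hello["random"], server_hello["random"])
    # Step 4: closing messages in each direction; a mismatch means the hellos were altered.
    client_transcript = transcript_hash(client_hello, client_view, client_key_exchange)
    server_transcript = transcript_hash(client_hello, server_hello, client_key_exchange)
    client_finished = finished_tag(client_keys, client_transcript, b"client")
    server_accepts = hmac.compare_digest(
        client_finished, finished_tag(server_keys, server_transcript, b"client"))
    server_finished = finished_tag(server_keys, server_transcript, b"server")
    client_accepts = hmac.compare_digest(
        server_finished, finished_tag(client_keys, client_transcript, b"server"))
    return {"keys_match": client_keys == server_keys,
            "client_finished_ok": server_accepts, "server_finished_ok": client_accepts}
```

An eavesdropper sees both random values and the encrypted premaster but not the premaster itself, so it cannot run `derive_keys`; the closing messages then bind each side's key material to the handshake it actually observed, which is what turns the two hello messages from plaintext into something the peer can trust.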

Page 314

Transport Layer Security Protocol (TLS)

• The TLS Working Group was established in 1996 to standardize a 'transport layer' security protocol.
– Based on, and backward compatible with, SSL version 3.0

• TLS provides for authentication and data protection for communication between two entities.

Page 315

Wireless Transport Layer Security (WTLS)

• Security in the Wireless Application Protocol v1.2 uses WTLS instead of standard SSL.

• Wireless gateway must use WTLS to secure the channel to the wireless device and SSL to secure the channel from the destination web server.

• A security issue is that the information on the gateway is unencrypted.

Page 316

Application Layer Security Protocols

Examples:
• Secure Remote Procedure Call (S-RPC)
• Domain Name System Security (DNSSec)
• Secure WWW Transactions (S-HTTP)
• Electronic Payment Schemes (SET, Ecash, Netcash, Mondex, Cybercash, etc.)

Page 317

Subtopics

• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities

Page 318

Multimedia Security

• Growing concern in competitive global market for confidentiality and privacy.

• Increased susceptibility to industrial and economic espionage.

• Effective security via encryption. For example, can use virtual private networks with encryption services.

Page 319

Multimedia Security

• Protocols at network level can provide end-to-end security.

• Applications can also provide some security.

• Use of encryption and security protocols imposes a performance penalty.
– Bandwidth overhead
– Processing time

Page 320

Quality of Service (QoS)

QoS refers to the capability of the network to provide better service to selected network traffic over various technologies.

Page 321

Primary Goals of QoS

• Dedicated bandwidth

• Controlling jitter and latency

• Enabling coexistence of real-time traffic, such as voice/video, with best-effort traffic, such as data.

Jitter is the variation in the arrival times of frames (variation in latency); it is caused by queuing in routers and switches and by carrier switched networks.
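Measuring the jitter the slide defines, on a constructed packet trace, as an added example that is not part of the (ISC)2 course. The trace (send and receive timestamps of a 20 ms voice stream, assumed to come from synchronized clocks) is made up. Two measures are computed: the peak-to-peak spread of latency, which matches the slide's definition directly, and the smoothed interarrival jitter estimator of RFC 3550 (RTP). The last two functions show why jitter rather than average latency sizes a receiver's de-jitter buffer.

```python
from typing import List, Tuple

# Constructed trace of a 20 ms voice stream: (send timestamp, receive timestamp) in ms.
TRACE: List[Tuple[int, int]] = [(0, 40), (20, 61), (40, 79), (60, 102),
                                (80, 118), (100, 143), (120, 158)]


def latencies(trace: List[Tuple[int, int]]) -> List[int]:
    """One-way delay of each packet (assumes synchronized clocks, as constructed here)."""
    return [recv - sent for sent, recv in trace]


def peak_to_peak_jitter(trace: List[Tuple[int, int]]) -> int:
    """Jitter as the slide defines it: the variation in arrival times, i.e. max latency - min latency."""
    lat = latencies(trace)
    return max(lat) - min(lat)


def interarrival_jitter(trace: List[Tuple[int, int]], gain: int = 16) -> List[float]:
    """Smoothed interarrival jitter estimate of RFC 3550 after each packet:
    D = (R_i - R_{i-1}) - (S_i - S_{i-1}),  J = J + (|D| - J) / 16."""
    j, out = 0.0, []
    for (s0, r0), (s1, r1) in zip(trace, trace[1:]):
        d = (r1 - r0) - (s1 - s0)
        j += (abs(d) - j) / gain
        out.append(j)
    return out


def late_packets(trace: List[Tuple[int, int]], playout_delay_ms: int) -> int:
    """A receiver plays packet i at S_i + playout_delay; anything arriving later is
    useless for real-time audio/video and is discarded. Counts those discards."""
    return sum(1 for lat in latencies(trace) if lat > playout_delay_ms)


def minimum_playout_delay(trace: List[Tuple[int, int]]) -> int:
    """Smallest fixed de-jitter buffer that loses nothing: the minimum latency
    plus the peak-to-peak jitter, which equals the maximum observed latency."""
    lat = latencies(trace)
    return min(lat) + peak_to_peak_jitter(trace)
```

For the constructed trace the latencies are 38 to 43 ms, so 5 ms of jitter; a playout delay of 40 ms (close to the average) discards three of seven packets, while 43 ms discards none. The real-time traffic the slide describes therefore needs the buffer sized to the jitter, at the cost of the extra fixed latency.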

Page 322

Types of QoS

• Best-effort service is basic connectivity with no guarantees.

• Differentiated service is when some traffic is more important than the rest (i.e., more bandwidth on average, lower loss rate on average).

• Guaranteed service is a complete reservation of network resources for specific traffic.

Page 323

Traffic QoS Needs

• Data (Best Effort) - bursty, intolerant of errors, tolerant of jitter

• Audio/Video (Real Time) - constant bandwidth, tolerant of errors, intolerant of jitter

• Interactive (Terminal Emulation) - similar to Best Effort but more impacted by end-to-end latency than by jitter.

Page 324

Subtopics

• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities

Page 325

Information Security Activities

• Audit Log Processing
– Host audit logs
– Network device logs
– Intrusion Detection reports

• Security Reviews

• Vulnerability Assessment
– Network Audit
– Penetration Test
– Rogue Wireless Access Point Detection

Page 326

Information Security Activities

• Sound Network Design (no single points of failure, defense in depth, etc.)

• Network scans (to know what is on it)

• Secure configuration

• Change management

• Configuration management

Page 327

Information Security Activities

• Awareness and Training
– Train systems personnel so they know how to use systems properly
– All employees should be aware of system security responsibilities.

• Support and manage activities related to security of the network

• Perform vulnerability assessments

• Perform security reviews

• Choose correct technologies and protocols to ensure adequate security of all network elements

Page 328

Quick Quiz

• What are some of the Transport layer security protocols?

• What is Quality of Service?

• What is the best way to protect multimedia transmissions across an untrusted network?

• What are some of the activities that security professionals need to be involved in, related to network security?

Page 329

Section Summary

• Transport layer security protocols include SSL, TLS, and WTLS.

• Quality of service refers to the concept of making sure that your networks address the level of service that is required by specific applications. We do this mostly by addressing redundancy and controlling jitter and latency.

• The best way to protect any transmission, including multimedia, is to use encryption and secure protocols at the network layer.

• Security activities include awareness and training, promoting sound network design, performing vulnerability assessments, security reviews, change management, choosing the correct security technologies and controls, etc.

Page 330