© Copyright 2005 (ISC)2® All Rights Reserved.
Telecommunications, Network and Internet Security v5.0
Telecommunications, Network, and Internet Security
Introduction
• The telecommunications, network, and Internet security domain discusses the:
– Network structures
– Transmission methods
– Transport formats
– Security measures used to provide availability, integrity, and confidentiality
– Authentication for transmission over private and public communications networks and media.
Objectives
• The CISSP should be able to:
– Describe the telecommunications and network security elements as they relate to the transmission of information in local area, wide area, and remote access.
– Define the concepts associated with the Internet, intranet, and extranet communications, such as firewalls, gateways, and associated protocols.
Objectives (cont.)
• The CISSP should be able to:
– Identify the communications security management and techniques that prevent, detect, and correct errors so that the protection of information transmitted over networks is maintained.
Goals of Network Security
• The common thread among good information security objectives is that they address all three core security principles.
The three core security principles (from the slide's triangle figure):
• Confidentiality - Prevents unauthorized disclosure of systems and information.
• Integrity - Prevents unauthorized modification of systems and information.
• Availability - Prevents disruption of service and productivity.
Specific Network Security Objectives
• The objectives of network security:
– Transmission channels and services are secure and accessible.
– Network security mechanisms are interoperable and operational.
– Messages sent are the messages that are received.
– Message link is between valid source and destination nodes.
Specific Network Security Objectives (cont.)
• Message non-repudiation is available.
• Prevent unauthorized disclosure of messages.
• Prevent unauthorized disclosure of traffic flows.
• Remote access mechanisms are secure.
• Security mechanisms are easy to implement and maintain.
• Security mechanisms are transparent to end-users.
Subtopics
• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities
Section Objectives
• Describe various network architectures
• List the elements and devices that comprise a data network
• Describe data network technologies
Data Network Structures
Examples:
• Personal Area Network
• Wireless Personal Area Network
• Local Area Network
• Metropolitan Area Network
• Campus Area Network
• Wide Area Network
• Internet
• Intranet
• Extranet
• Value Added Network
• World Wide Web
• Global Area Network
Data Network Components
• Data network components include:
– Mainframe/Server Hosts
– File Servers
– Workstations
– Software - Network Operating System and Applications
Data Network Components (cont.)
• Data network components include:
– Network Adapter/Network Interface Card
– Hub/Concentrator/Repeater
– Bridges
– Switches - Layer 2, 3, 4, etc.
– Routers
– Gateways
Data Network Components (cont.)
• Data network components include:
– Physical Cabling
• Twisted Pair/Coaxial Cable/Fiber Optics
– Wireless
• Radio Frequency/Infrared/Optical/Satellite
Circuit Switched Networks
• Information is segmented into pieces that fit within a channel or time slot (usually 8 bits).
• A connection is established permanently or on demand and is maintained between switches in order to route traffic to the correct destination.
• Traffic is switched based on Time Division Multiplexing (TDM).
Packet Switched Networks
• Each data packet contains information such as addresses and sequence numbers.
• A connection is established permanently, or on demand, and maintained between switches in order to switch traffic to the correct destination.
• Switches switch the packets to the final destination based on the header information.
• Traffic is switched based on Statistical Time Division Multiplexing (STDM).
Circuit vs. Packet Switching
Circuit-Switched
• Designed for constant traffic
• Typically experience fixed delays
• Connection-oriented
• Traffic is sensitive to loss of connection
• Voice/video oriented
• Can waste resources
Packet-Switched
• Designed for bursty traffic
• Typically experience variable delays
• Connectionless
• Traffic is sensitive to loss of data
• Data oriented
• Can introduce delays
Virtual Circuits
• A logical circuit created over a packet switched network
• Two types:
– Permanent Virtual Circuits (PVCs) - permanently established circuits that remain in place until the network administrators delete them from the switches.
– Switched Virtual Circuits (SVCs) - dynamically established when requested and removed when transmission is finished.
LAN Network Topologies
LANs are logically or physically organized as: Bus, Ring, Mesh, Tree, or Star.
LAN Transmission Methods
• Unicast - packet is sent from source to destination address
• Multicast - packet is copied and sent to a specific subset of nodes on the network
• Broadcast - packet is copied and sent to all nodes on the network
LAN Media Access Methods
• Three types of methods are used by hosts to access the physical network medium.
– Carrier Sense Multiple Access (CSMA)
• With Collision Avoidance (CSMA/CA)
• With Collision Detection (CSMA/CD)
– Polling
– Token Passing
LAN Implementations - Subtopics
• Wireless
– Bluetooth / IEEE 802.15
– 802.11a
– 802.11b
– 802.11g
• Wired
– Ethernet / IEEE 802.3
– Fiber Distributed Data Interface (FDDI)
– Token Ring / IEEE 802.5
LAN Implementations - Wired
Ethernet/IEEE 802.3
• Usage
– Most widely used LAN implementation.
• Access Method
– CSMA/CD, probabilistic
• Topology
– Logically a bus topology, often implemented as a physical star or sometimes point-to-point.
• Speeds
– Ethernet (10 Mbps), Fast Ethernet (100 Mbps), Gigabit Ethernet (1 Gbps)
LAN Implementations - Wired
Fiber Distributed Data Interface (FDDI)
• Usage
– Standard originally designed for fiber optic networks.
– Typically used as backbones for LANs/WANs.
– FDDI-2 extension provides for voice, video, and data.
• Access Method
– Token passing, deterministic
• Topology
– Ring
• Speeds
– 100 Mbps - 1000 Mbps
LAN Implementations - Wired
Token Ring / IEEE 802.5
• Usage
– Promoted by IBM as their networking standard
• Access Method
– Token passing; a single token contains a priority mechanism.
– Nodes insert, copy, or remove data.
– Data sent sequentially bit by bit around the ring.
• Topology
– Star-wired ring topology.
• Speeds
– 16-100 Mbps
Introduction to Wireless
Wireless devices include:
• Cell Phones
• PDAs
• WLANs
• Toys
• Appliances
• Cordless Phones
Wireless Radio Frequency Band
(Figure: spectrum chart from 0 MHz to 38 GHz, marking licensed and unlicensed bands.)
Licensed Radio Frequencies:
• AM Radio (535 – 1605 KHz)
• FM Radio (88 – 108 MHz)
• VHF TV (174 – 216 MHz)
• UHF TV (512 – 806 MHz)
• Analog Cellular (824-894 MHz)
• Digital Cellular (1850-1900 MHz)
Unlicensed Radio Frequencies:
• Cordless Phones, Baby Monitors, Toys (900 MHz)
• 802.11b/g, Bluetooth, Phones (2.4 GHz)
• 802.11a/h, Phones (5 GHz)
Wireless Network Standards
• Bluetooth
– Used as short distance replacement for cabling
– Less than 1 Mbps
– 2.4 GHz frequency band
– Frequency Hopping Spread Spectrum (FHSS)
• 802.11b
– Extension to 802.11 Wireless LAN standard
– 11 Mbps data rate
– 2.4 GHz frequency band
– Direct Sequence Spread Spectrum (DSSS)
• 802.11a
– Extension to 802.11 Wireless LAN standard
– 54 Mbps data rate
– 5 GHz frequency band
– Orthogonal Frequency Division Multiplexing (OFDM)
• 802.11g
– 54 Mbps data rate
– 2.4 GHz frequency band
– OFDM
– 802.11b compatible
Wide Area Networks
• Connects LANs together through technologies such as:
– Dedicated leased lines
– Dial-up phone lines
– Satellite and other wireless links
– Data packet carrier services
WAN Network Technologies - Subtopics
• Integrated Services Digital Network
• Point-to-Point Lines
• Digital Subscriber Line and Cable Modem
• Synchronous Data Link Control and Derivatives
• X.25
• Frame Relay
• Asynchronous Transfer Mode
• Wireless Wide Area
• WAP
• i-Mode
• IP Telephony
ISDN and Point to Point Lines
Integrated Services Digital Network (ISDN) - Attributes:
1. End-to-end digital connectivity
2. Integrated access
3. Small family of standard interfaces
4. Message-oriented signaling
5. Customer control
Point to Point Lines - Types:
– Leased Lines
– Digital Circuits
– Optical Circuits
DSL and Cable Modems
• “Always-on” technologies (as opposed to on-demand) that provide high-speed connections and pose risks to unprotected computers.
DSL
– Provides high-bandwidth data transport
– Uses existing twisted pair telephone lines
Cable Modem
– High-speed access to the Internet over television cable lines.
– Uses a modem that filters the coaxial cable connection.
SDLC and HDLC
• SDLC and HDLC
– Data link layer protocols.
– Designed for point-to-point connections.
– Developed to carry data.
• Synchronous Data Link Control (SDLC)
– Protocol developed by IBM for their SNA networks
• High Level Data Link Control (HDLC)
– Based on SDLC but standardized by ISO
X.25
• International protocol for a packet-switched network technology
– Defines how connections between user devices and network devices are established and maintained.
– Operates at the Network and Data Link Layers.
– It uses PVCs and SVCs.
• Used by telecommunication carriers.
• Overhead requirements limit it to lower speeds.
• Data-only support.
Frame Relay
• High performance packet switching technology
– Operates at the physical and data link layers of the OSI model.
– Designed to replace X.25. Originally data-only; implementations now support voice and video as well.
– Uses PVCs and SVCs.
Asynchronous Transfer Mode (ATM)
• Very high speed cell relay service, similar in a number of ways to frame relay.
• Transfers data in cells that are a fixed size.
• Small, constant cell size allows video, audio, and computer data to be transmitted over the same network.
• It uses PVCs and SVCs.
• It is packet switched.
• Designed to replace frame relay with a faster technology designed to carry all traffic types.
Wireless Wide Area
• Satellites provide global coverage in areas where terrestrial cable facilities are not available.
• Microwave technology also supports wide area connections.
Generations of Wireless Wide Area Protocols
• 1G Wireless
– First wave of analog phones
– Heavy and bulky
– Not many services other than voice
• 2G Wireless
– Commonly deployed
– Smaller size
– Caller ID, paging
• 2.5G Wireless
– Addition of always-on Internet email and alerts (GPRS)
– Higher data rates
• 3G Wireless
– First hit in Japan late 2001
– Packet technology
– Higher connection speeds (video conferencing, MPEG)
Wireless Application Protocol (WAP)
• Standard protocol for enabling wireless data access via small portable terminals to secure transaction services.
• It supports wireless browsing, messaging, and other applications.
• It uses less resources (i.e., CPU, memory) and is simpler than TCP/IP.
• WAP supported networks include:
– CDPD, CDMA, GSM, PDC, PHS, TDMA, FLEX, ReFLEX, iDEN, TETRA, DECT, DataTAC, and Mobitex
i-Mode
• Mobile Internet service
• First introduced in Japan by NTT DoCoMo, Inc.
• Now available in European markets through i-mode partners, including Belgium, France, Germany, Greece, Italy, Spain, Netherlands, etc.
• Wide variety of specialized services including
– Online shopping
– Banking
– Ticket reservation
– Restaurant advice
– Multimedia e-mailing of still and moving images
– Java-based application for downloading and storing sophisticated content
Mobile Phone Vulnerabilities
• Lack of policies and awareness
• Theft of mobile phones, Personal Digital Assistants (PDAs) and their data
• Subscriber Identity Module cloning
• False Base Stations
• Stealing secrets using phone-based or PDA-based cameras, email, storage chips, etc.
• Access to the Internet, bypassing the firewalls
Mobile Phone Vulnerabilities (cont.)
• Short Message Service spamming
• Malicious downloadable code or content
• Encryption is weak or non-existent
• Turning on wireless encryption does not mean data is protected end-to-end
– Wired portion of the traffic may travel in the clear
• Bluetooth vulnerabilities
– PIN length, lack of encryption, bluejacking, etc.
IP Telephony
• Integrates existing voice network with data networks.
• Combines data, voice, and video over a single packet.
• Uses “isochronous” (i.e., time-dependent) processes where data must be delivered within certain time constraints -- used for video that requires synchronization.
• Includes: Voice over IP, Voice over Frame Relay, Voice over Asynchronous Transfer Mode, etc.
Quick Quiz
• What is the difference between synchronous and asynchronous communication?
• What is the difference between a circuit-switched network and a packet-switched network?
Section Summary
• Synchronous communication is the transfer of data that relies on the presence of a clocking system at both ends of the transmission.
• Asynchronous communication is the transfer of data by sending bits sequentially, with start bits and stop bits to mark beginning and end, without a shared clock.
• A circuit-switched network is a connection established on demand and maintained between data stations in order to allow exclusive use of a circuit (transmission line) until the connection is released.
• A packet-switched network has segmented data, with each packet containing information such as a destination address, source address, and packet sequence number. Network devices route the packets to the final destination.
Section Objectives
• Describe various standard network protocols
• Describe the OSI network model
• Describe the TCP/IP network protocol
• Identify network protocol vulnerabilities
Network Protocol Definition
• A standard set of rules that governs the exchange of data between hardware and/or software components in a communications network.
• A Network Protocol also describes the format of a message and how it is exchanged.
– When computers communicate with one another, they exchange a series of messages.
– To understand and act on these messages, computers must agree on what a message means.
Subtopics
• Open System Interconnection (OSI) Model
• Transmission Control Protocol/Internet Protocol (TCP/IP)
OSI Model
• Seven Layers
• Data transfer is accomplished by a layer interacting with the layer above or below through the use of interface control information.
• ISO 7498
– Describes the OSI model
– Defines the security services that are available and where they fit in the layered model:
• Authentication Exchange
• Traffic Padding
• Routing Control
• Notarization
• Encipherment
• Digital Signatures
• Access Control
• Data Integrity
Layer Interaction
(Figure: Host 1 and Host 2 each run the seven protocol layers - 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical. On the sending host each layer wraps what it receives from above in its own header and trailer: Data 3 = Hdr3 + Original Message + Tlr3, Data 2 = Hdr2 + Data 3 + Tlr2, Data 1 = Hdr1 + Data 2 + Tlr1, so the unit on the wire reads Hdr1 Hdr2 Hdr3 Message Tlr3 Tlr2 Tlr1. The receiving host strips the headers and trailers in reverse order, each protocol layer handling only its own.)
Application Layer
• Provides a user interface through which the user gains access to the communication services.
• Ideal place for end-to-end encryption and access control.
Presentation Layer
• Ensures compatible syntax in how the information is represented for exchange by applications.
• Not used extensively.
Session Layer
• Coordinates communications dialogue between cooperating application processes.
• Maintains a logical connection between two processes on end hosts.
• Ideal place for identification and authentication.
Transport Layer
• Ensures host-to-host information transfer.
• Provides reliable, transparent data transfers between session entities.
• Isolates the user from any concerns about the actual movement of the information.
• A place to implement end-to-end encryption.
Network Layer
• Selects and manages a route chosen from the available links arranged as a network.
• Can determine alternate routes to avoid congestion or node failure.
• A place to implement link, or end-to-end encryption.
Data Link Layer
• Responsible for reliable delivery of information over a point-to-point or multi-point network.
• Can be divided into Logical Link Control and Media Access Control.
• Common place to implement link encryption.
Physical Layer
• Provides for the transparent transfer of a bit stream over a physical circuit.
• Provides physical or virtual connection for transmission between data link entities.
TCP/IP
• Suite of protocols.
• Transmission Control Protocol (TCP)
• Internet Protocol (IP)
• De facto standard for networking.
• Architecture-independent.
• Security was not originally designed into the protocols. Therefore, security-specific protocols have been devised for use on TCP/IP networks.
OSI vs. TCP/IP
(Figure: the seven layers of the OSI Model shown side by side with the layers of the TCP/IP Implementation.)
TCP/IP Application Layer
• Includes the functionality of the OSI application, presentation, and session layers.
• Sends to and retrieves data from the transport layer.
• Converts received data to a usable, viewable format.
TCP/IP Transport Layer
• Transfers data between different applications on end hosts.
• Can construct data in two ways:
– Transmission Control Protocol (TCP)
– User Datagram Protocol (UDP)
TCP/IP Network Layer
• Defines how information is sent between hosts. It contains the:
– Internet Protocol (IP)
– Internet Control Message Protocol (ICMP)
– Internet Group Management Protocol (IGMP)
TCP/IP Data Link Layer
• Defines how the physical layer transmits the network layer packets between adjacent or broadcast computers
• Resolves information into bits that control construction and exchange of packets.
• Mediates access to the physical layer.
TCP/IP Physical Layer
• Defines the encoded signaling on the transmission channel.
• Specifies the characteristics of the wire that connects the machines in a network.
• Specifies how network cards encode the bits they transmit.
• Includes the transmission medium.
Data Encapsulation
• To transmit data across a layered network, the data passes through each layer of the protocol stack.
• It begins at the application layer with the application software passing the data to the next lower protocol in the stack.
• At each layer the data is encapsulated – the protocol processes the data in the format that the next protocol layer requires.
Data Encapsulation
(Figure: headers are added going down the stack on send and removed going up on receive.)
• Application Layer (Program): Data
• Transport Layer (TCP Module): TCP Header + Data
• Network Layer (IP Module): IP Header + TCP Header + Data
• Data Link Layer: DL Header + IP Header + TCP Header + Data
Data Structure Terminology
Name of the data unit at each layer (TCP / UDP):
• Application Layer: stream / message
• Transport Layer: segment / packet
• Internet (Network) Layer: datagram / datagram
• Network Access (Data Link) Layer: frame / frame
TCP/IP Implementation
(Figure: the protocols at each layer of the implementation.)
• Application Layer: Programs
• Transport Layer: TCP, UDP
• Network Layer: IP, ICMP, IGMP
• Data Link Layer: ARP, PPP, Hardware Interface
• Physical Layer: Network Cable
TCP/IP
• The protocols in the TCP/IP suite work together to:
– Break the data into small pieces that can be efficiently handled by the network.
– Communicate the destination of the data to the network.
– Verify the receipt of the data on the other end of the transmission.
– Reconstruct the data in its original form.
Network Protocols - Subtopics
• Internet Protocol (IP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Point-to-Point Protocol (PPP)
• Domain Name System (DNS)
• Address Resolution Protocol (ARP)
• Simple Network Management Protocol (SNMP)
• Routing Protocols
Internet Protocol (IP)
• The Internet Protocol is a packet-based protocol used to exchange data over computer networks.
• Network layer protocol.
• Handles addressing and control information to allow packets to travel through the network.
• IP is a best-effort protocol.
IP Functions
• Define the datagram (the basic unit of transmission in the Internet).
• Define the Internet addressing scheme.
• Move data between Network Layer and Transport Layer.
• Route datagrams to remote hosts.
• Perform fragmentation and reassembly of datagrams.
IP Addresses
• Composed of 32-bit addresses that are often displayed in the form of four groups of decimal digits separated by a period/dot.
• Each group of numbers cannot be larger than 254.
11011000 . 00011001 . 01101000 . 11001111
216 . 25 . 104 . 207
IP version 6 (IPv6)
• Expands the address to 128 bits.
• Simplifies the header format.
• Provides support for extensions and options.
• Adds quality of service capabilities.
• Adds address authentication and message confidentiality and integrity.
IP Security Issues
• IP Fragmentation Attacks
– Tiny fragment attack
– Overlapping fragment attack
– Teardrop Denial of Service Attack
• IP Address Spoofing
• Source Routing
• Smurf and Fraggle
• IP Tunneling over other protocols
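The three fragmentation attacks listed above all leave a structural trace in the fragment set itself (a first fragment too short to carry the transport header, or byte ranges that overlap), which is what a filter or IDS reassembly check looks for. The following checker is an added example, constructed for this page and not (ISC)2 material; fragments are modelled as (offset in 8-byte units, payload length, More Fragments flag) tuples, and the 20-byte first-fragment threshold is an assumed value chosen so that a filter can see a full TCP header.

```python
"""Added example (constructed; not (ISC)2 material): flag the fragment patterns
behind tiny-fragment, overlapping-fragment and teardrop attacks."""
from typing import List, Optional, Tuple

# (fragment offset in 8-byte units, payload length in bytes, More Fragments flag)
Fragment = Tuple[int, int, bool]

# Assumed threshold: a first fragment shorter than a minimal TCP header (20 bytes)
# cannot carry the ports and flags a packet filter needs for its decision.
TCP_HEADER_MIN = 20


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return findings for one datagram's fragment set (empty list means clean)."""
    findings: List[str] = []
    seen: List[Tuple[int, int]] = []  # byte ranges [start, end) accepted so far
    for offset, length, more in frags:
        start, end = offset * 8, offset * 8 + length
        # Tiny fragment: offset 0 but too short to hold the whole transport header.
        if offset == 0 and more and length < TCP_HEADER_MIN:
            findings.append(f"tiny first fragment ({length} bytes) splits the transport header")
        # Non-final fragments must carry a multiple of 8 bytes or offsets cannot line up.
        if more and length % 8 != 0:
            findings.append(f"non-final fragment length {length} is not a multiple of 8")
        # Overlapping / teardrop: this fragment's bytes intersect an earlier fragment's.
        for s, e in seen:
            if start < e and s < end:
                where = "lies inside" if s <= start and end <= e else "overlaps"
                findings.append(f"fragment [{start},{end}) {where} earlier fragment [{s},{e})")
                break
        seen.append((start, end))
    return findings


def reassembled_length(frags: List[Fragment]) -> Optional[int]:
    """Total payload length if the set is clean and contiguous, else None."""
    if check_fragments(frags):
        return None
    expected = 0
    for start, end in sorted((o * 8, o * 8 + n) for o, n, _ in frags):
        if start != expected:  # gap: a fragment is missing, do not reassemble
            return None
        expected = end
    return expected
```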
Transmission Control Protocol (TCP)
• Provides reliable data transmission.
• Retransmits lost/damaged data segments.
• Sequences incoming segments to match original order.
• Marks every TCP packet with a source host and port number, as well as a destination host and port number.
TCP Provides:
• Connection-oriented data management
• Reliable data transfer
• Stream-oriented data transfer
• Push functions
• Resequencing
• Flow Control
• Multiplexing
• Full-duplex transmission
• Identification of urgent data
• Graceful close
Connection Oriented TCP
• TCP maintains status and state information about each user data stream flowing into and out of the TCP module.
• TCP provides end-to-end transfer of data across one network or multiple networks to a receiving user application.
Sample TCP Session
Host A (active open) and Host B (passive open) exchange the following segments, in order:
1. A → B: SYN(1000) - Host A active open
2. B → A: SYN(2000), ACK(1001) - Host B passive open
3. A → B: ACK(2001) - connection established on both hosts
4. ACK, data - data is exchanged
5. A → B: ACK(2300), FIN(1500) - Host A close
6. B → A: ACK(1501)
7. B → A: ACK(1501), FIN(2400) - Host B close
8. A → B: ACK(2401) - connection closed on both hosts
TCP Security Issues
• TCP Sequence Number Attacks
• Session Hijacking
• SYN Flood
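The sample session above and the first of these security issues rest on the same bookkeeping: each side tracks the next sequence number it will send and the next one it expects, and accepts a segment only when both match. The following endpoint model is an added example, constructed for this page and not part of the (ISC)2 slides; it replays the slide's numbers and shows why a segment with an unexpected sequence number is dropped. The payload sizes (499, 299 and 100 bytes) are assumptions chosen so that the slide's FIN(1500), ACK(2300) and FIN(2400) come out exactly.

```python
"""Added example (constructed; not (ISC)2 material): minimal TCP sequence/ack
bookkeeping that replays the slide's Host A / Host B session."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Segment:
    src: str
    seq: int
    ack: Optional[int]
    flags: FrozenSet[str]
    length: int = 0  # payload bytes

    def consumes(self) -> int:
        """Sequence-number space used: payload bytes plus one each for SYN and FIN."""
        return self.length + ("SYN" in self.flags) + ("FIN" in self.flags)


@dataclass
class Endpoint:
    name: str
    isn: int                          # initial sequence number
    snd_nxt: int = field(init=False)  # next sequence number this side will send
    rcv_nxt: Optional[int] = None     # next sequence number expected from the peer
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.snd_nxt = self.isn

    def send(self, flags, length: int = 0) -> Segment:
        seg = Segment(self.name, self.snd_nxt, self.rcv_nxt, frozenset(flags), length)
        self.snd_nxt += seg.consumes()
        return seg

    def receive(self, seg: Segment) -> bool:
        """Accept only an in-sequence segment whose ACK matches what we have sent."""
        if self.rcv_nxt is None:
            if "SYN" not in seg.flags:  # only a SYN is acceptable before synchronisation
                self.log.append(f"{self.name} dropped non-SYN before connection")
                return False
        elif seg.seq != self.rcv_nxt:   # forged or out-of-order sequence number
            self.log.append(f"{self.name} dropped seq {seg.seq}, expected {self.rcv_nxt}")
            return False
        if seg.ack is not None and seg.ack != self.snd_nxt:
            self.log.append(f"{self.name} dropped ack {seg.ack}, expected {self.snd_nxt}")
            return False
        self.rcv_nxt = seg.seq + seg.consumes()
        return True


Transcript = List[Tuple[str, int, Optional[int], Tuple[str, ...]]]


def run_slide_session() -> Transcript:
    """Replay the slide's exchange; returns (src, seq, ack, flags) for every segment."""
    a, b = Endpoint("A", isn=1000), Endpoint("B", isn=2000)
    transcript: Transcript = []

    def deliver(sender: Endpoint, receiver: Endpoint, flags, length: int = 0) -> None:
        seg = sender.send(flags, length)
        if not receiver.receive(seg):
            raise RuntimeError(receiver.log[-1])
        transcript.append((seg.src, seg.seq, seg.ack, tuple(sorted(seg.flags))))

    deliver(a, b, {"SYN"})               # Host A active open: SYN(1000)
    deliver(b, a, {"SYN", "ACK"})        # Host B passive open: SYN(2000), ACK(1001)
    deliver(a, b, {"ACK"})               # ACK(2001): connection established
    deliver(a, b, {"ACK"}, length=499)   # "ACK, data": A sends 499 bytes (assumed size)
    deliver(b, a, {"ACK"}, length=299)   # B sends 299 bytes (assumed size)
    deliver(a, b, {"ACK", "FIN"})        # Host A close: ACK(2300), FIN(1500)
    deliver(b, a, {"ACK"}, length=100)   # ACK(1501); assumed to carry B's last 100 bytes
    deliver(b, a, {"ACK", "FIN"})        # Host B close: ACK(1501), FIN(2400)
    deliver(a, b, {"ACK"})               # ACK(2401): connection closed
    return transcript


def forged_segment_rejected() -> bool:
    """After the handshake, a segment whose sequence number B does not expect is dropped.
    Only a value that hits rcv_nxt exactly would be accepted, which is why predictable
    initial sequence numbers are the root of TCP sequence number attacks."""
    a, b = Endpoint("A", isn=1000), Endpoint("B", isn=2000)
    b.receive(a.send({"SYN"}))
    a.receive(b.send({"SYN", "ACK"}))
    b.receive(a.send({"ACK"}))
    forged = Segment("A", seq=9999, ack=2001, flags=frozenset({"ACK"}), length=10)
    return not b.receive(forged)
```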
User Datagram Protocol (UDP)
• Transport layer protocol
• Provides quick and simple service
• Provides unreliable, connectionless, service for applications
UDP Security Issues
• Does not offer error correction, retransmission, or protection from lost, duplicated, or re-ordered packets.
• Easier to spoof since there are no session identifiers (handshake, sequence number and ACK bit)
Internet Control Message Protocol (ICMP)
• Used to exchange control messages between gateways and hosts regarding the low-level operation of the Internet.
• Also used for diagnostic tools such as Ping and Traceroute.
• The ICMP message is encapsulated within the IP packet.
ICMP Security Issues
• Denial of Service
– Ping of Death
– Host/Network Not Reachable messages
• ICMP Redirect
• Traceroute
Internet Group Management Protocol (IGMP)
• Supports multicast transmissions (IP only supports broadcast and unicast).
• When a message is sent to a particular multicast group, all computers in that group will get a copy of the message.
• It is used by hosts to report multicast group memberships to neighboring multicast routers.
Point-to-Point Protocol (PPP)
• Data link layer protocol.
• Standardized encapsulation protocol for transporting packets over dial-up and dedicated transmission links.
• Supports other protocols, including authentication protocols.
Domain Name System (DNS)
• Distributed Internet directory service.
• Global network of “name servers” that translate host names to numerical IP addresses.
– www.ISC2.org = 209.164.6.194
• Internet services rely on DNS; if DNS fails, web sites cannot be located and email delivery stalls.
DNS (cont.)
• It is tree structured.
• Contains two elements:
– Name Server - responds to client requests by supplying name-to-address conversions.
– Resolver - when it does not know the answer, the resolver element asks another name server for the information.
DNS Security Issues
• Attackers have been known to corrupt the tree and obtain access to a trusted machine.
• The name servers can be poisoned so that legitimate addresses are replaced.
• Unauthorized users could discover sensitive information if arbitrary users are allowed to query the name servers.
Address Resolution Protocol (ARP)
• Used when a node knows the network layer address, but needs the data link layer address to forward the encapsulating frame.
• The ARP software maintains a table of translations between IP addresses and data link addresses.
ARP (cont.)
• The table is built dynamically - if a destination data link address is not found in the table, the node will broadcast a message on the data link asking for the host with the chosen IP address to respond with its data link address.
Reverse ARP (RARP)
• Used to discover the IP address which corresponds to a known data link address (MAC).
• Sometimes used by diskless workstations to learn their own IP address.
ARP Security Issues
• ARP is unauthenticated, thus an attacker can poison the ARP table to spoof another host by sending unsolicited ARP replies.
• An attacker can send an ARP reply mapping the attacker’s MAC address to the default router’s IP address; the target will then send all traffic destined for the router to the attacker’s node. The attacker “sniffs” the traffic, then forwards it to the real router.
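A defender's view of the unsolicited-reply poisoning described above, as an added example that is not part of the course material: the monitor below learns IP-to-MAC mappings from observed ARP traffic and raises an alert when a reply was never requested or changes a known mapping, with a higher severity when the IP is the default router. All addresses are constructed sample data, and the ArpPacket / ArpMonitor names are this example's own.

```python
"""Detect ARP cache poisoning from a stream of observed ARP packets.

Added example (not from the (ISC)2 course material). The packet records
in SAMPLE_TRAFFIC are constructed, not a real capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpPacket:
    """One ARP packet as a passive monitor on the segment would see it."""
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpMonitor:
    def __init__(self, critical_ips: Set[str]) -> None:
        self.critical_ips = critical_ips      # e.g. the default router's IP
        self.table: Dict[str, str] = {}       # learned IP -> MAC mappings
        self.outstanding: Set[str] = set()    # IPs a request is still pending for
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.op == "request":
            # Remember who was asked, and learn the requester's own mapping.
            self.outstanding.add(pkt.target_ip)
            self._learn(pkt.sender_ip, pkt.sender_mac, solicited=True)
        elif pkt.op == "reply":
            # A reply nobody asked for is exactly the poisoning primitive.
            solicited = pkt.sender_ip in self.outstanding
            self.outstanding.discard(pkt.sender_ip)
            if not solicited:
                self.alerts.append(
                    f"unsolicited ARP reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
            self._learn(pkt.sender_ip, pkt.sender_mac, solicited)

    def _learn(self, ip: str, mac: str, solicited: bool) -> None:
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            # A changed mapping is suspicious; for the router it is critical.
            severity = "HIGH" if ip in self.critical_ips else "MEDIUM"
            self.alerts.append(
                f"{severity}: mapping for {ip} changed {known} -> {mac}"
                + ("" if solicited else " (unsolicited)"))
            self.table[ip] = mac


# Constructed traffic: two hosts resolve the router normally, then a third
# station (constructed MAC) claims the router's IP without being asked.
SAMPLE_TRAFFIC = [
    ArpPacket("request", "10.0.0.5", "00:11:22:33:44:05", "10.0.0.1"),
    ArpPacket("reply",   "10.0.0.1", "00:11:22:33:44:01", "10.0.0.5"),
    ArpPacket("request", "10.0.0.7", "00:11:22:33:44:07", "10.0.0.1"),
    ArpPacket("reply",   "10.0.0.1", "00:11:22:33:44:01", "10.0.0.7"),
    ArpPacket("reply",   "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.5"),
]


def run_sample() -> List[str]:
    """Feed the constructed traffic to a monitor protecting the router's IP."""
    monitor = ArpMonitor(critical_ips={"10.0.0.1"})
    for pkt in SAMPLE_TRAFFIC:
        monitor.observe(pkt)
    return monitor.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Legitimate events such as a replaced NIC or a router failover also change a mapping, so alerts should be reconciled against an inventory of known MAC addresses rather than treated as proof of an attack.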
ARP Poisoning
Simple Network Management Protocol (SNMP)
• Provides remote administration of network devices.
• SNMP is referred to as "simple" because the agent requires minimal software.
• SNMP accesses particular instances of an object and each object belongs to a community.
• Community strings are used to provide read-only or read-write access controls. They authenticate messages sent between the SNMP manager and agent.
Routing Protocols
• Routing is the process of selecting a path through a network.
• At each router in the network, the datagrams are examined, and the destination address is mapped to a routing table kept in memory. The table tells the router which outgoing link to use to continue sending the datagram.
• Routing protocols are used by routers to determine the appropriate path that data should travel.
Routing Protocols
• Routing protocols specify how routers share information about the networks they can reach with other routers.
• Routing Protocol examples:
– Routing Information Protocol (RIP)
– Exterior Gateway Protocol (EGP)
– Border Gateway Protocol (BGP)
– Open Shortest Path First Protocol (OSPF)
Routing Protocols Security Issues
• A routing table can be compromised or altered to:
– Reduce availability
– Reroute traffic from a secure network to a compromised network
• Networks may not use any authentication for their routing protocols, which leaves the network infrastructure without protection against altered routing information.
Routing Protocols Security Issues (cont.)
Attackers can also use source routed packets or ICMP redirect messages to bypass controls.
Quick Quiz
• What network protocol is used for internet communications?
• What is the difference between UDP and TCP?
• What vulnerabilities exist with ICMP?
• What OSI layer maintains communications between processes?
• What is IPv6? Why is it important?
Section Summary
• Network protocols provide a standard set of rules that govern the exchange of data among hardware and software components in a communications network.
• Network protocols contain many security vulnerabilities.
• Some protocols are designed to control specific vulnerabilities.
Subtopics
• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities
Section Objectives
• Describe telephony components
• Discuss telephony vulnerabilities
• Describe IP telephony
• Understand how traditional security concepts can address IP telephony security concerns
Telephony: Traditional Voice Network
• Simple analog and digital phones
• Separate cabling systems (data and voice)
• Closed and proprietary PBX (Private Branch Exchange) systems
• The Public Switched Telephone Network (PSTN)
Telephony: Voice System Vulnerability
Telephony Authorized Modem Vulnerability
[Figure: the corporate LAN (servers, workstations) reaches the Internet through an ISP behind a firewall and IDS; the PBX (voicemail, telephones, modems) connects to the PSTN through the central office; an attacker dials in over the PSTN to an authorized modem.]
Telephony Outbound Modem Vulnerability
[Figure: the same LAN, PBX, PSTN, ISP, firewall and IDS layout; an attacker connects over the PSTN through an outbound modem on the LAN.]
Telephony Voice Eavesdropping
[Figure: voice traffic between the Toronto Office PBX and the Winnipeg Office PBX crosses the PSTN via the central offices, where it can be eavesdropped; the LAN, ISP, firewall and IDS are shown alongside.]
Traditional Voice & Data Network
Concept of IP Telephony with Wireless
• IP phones and softphones that can run PC applications
• Voice servers providing IP PBX, Voice Mail, Messaging, etc.
• Media gateways to connect to the PSTN and TDM components
• TDM trunks and IP trunks
[Figure: IP phones, a server and a telephony server on the corporate LAN; wireless LAN phones attach through access points; a router connects the LAN to the Internet and the PSTN.]
IP Telephony Network Issues
• Inherits security issues of traditional IP networks
– Uses non-secure operating systems
– IP/Web based administration
– Susceptible to Denial of Service (DoS); DoS against the media can make the system unusable
– Connected to an un-trusted IP network
– Authentication should be user-transparent
• IP Telephony intelligence advancing rapidly
IP Telephony Vulnerabilities
• Voice System
– Operating System/Support Software Implementation
– Application implementation
– Application manipulation (Toll Fraud, Blocking)
– Unauthorized administrative access
• Network and media:
– DoS on media and signaling
– DoS against media gateway / TDM sites
– DoS against any shared network resource
– Eavesdropping on conversations
– Media Tunneling
IP Phone attacks
• IP Phone attacks
• ‘Rogue’ softphones
• Implementation attacks (DoS and access controls)
• Remote access attacks
• Local access attacks
• Unauthorized firmware / applications
• Protocol attacks
Telephony Security: Subtopics
• Apply the IP security safeguards to the voice network:
– Firewalls
– Strong Authentication
– Virtual Private Networks
– Intrusion Detection
Telephony Security: Voice Firewall Application
• Unauthorized calls should be blocked by the firewall
[Figure: the voice firewall blocks an unauthorized call and raises an alert.]
Strong Authentication
• Modem calls should require two-factor authentication
[Figure: an authenticated modem call; an audit trail is produced.]
Voice, Fax, Modem, Video VPN
• Calls between sites should use encryption
Intrusion Detection
• Real-time monitoring of abusive call patterns, DTMF-based attacks
• Modem/Fax Recording and Content Monitoring
[Figure: a call is monitored and an alert is sent to the IDS.]
IP Telephony Security Recommendations
• Voice Servers
– Secure the operating system/network services
– Patch maintenance
– Use strong authentication for authorized hosts
– Maintain strong physical security
– Follow best practices for basic server/IP security
– Consider using host-based security
– Consider deploying a firewall and IDS
– Control access by IP Phones and softphones
IP Telephony Security Recommendations
• Engineer the network to have proper security
– Maintain strong security on all networking components
– Limit the number of calls over media gateways
• Infrastructure requirements
– Switched networks
– Firewalls and NIDS
• Perimeter firewalls block unauthorized IP Telephony
– VLANs
• Encryption
– Encrypting phones
– Un-trusted parts of the network
IP Telephony Security Recommendations
• Engineer the network to have proper security
– Deploy IP Telephony aware perimeter devices for end-to-end security
• Perform high speed processing of the media (and NAT)
• Open and close ports for media sessions
• Inspect media for tunneling, illegal flow levels, and DoS
• Provide intrusion prevention functions for signaling
• Implement VPN functions, if desired
• Support appropriate QoS standards
IP Telephony Security Recommendations
• IP Phones
– Update default administrator passwords
– Disable unnecessary remote access features
– Prevent casual local configuration of the IP Phone
– Secure the firmware upgrade process
– Insist upon IP Phones that support security features
– Limit use of the web server
– Enable logging
– Cautiously use IP softphones
Quick Quiz
• What are some examples of telephony vulnerabilities?
• What are the advantages and disadvantages of IP telephony?
Section Summary
• The traditional voice network has known vulnerabilities.
• These security issues can be addressed by applying technologies with parallels in the data network, such as firewalls, intrusion detection, VPNs, etc.
• IP Telephony introduces new vulnerabilities.
• IP Telephony vulnerabilities can be addressed with a combination of existing and new technologies.
• Voice is a unique application and security should be managed similarly for the current and IP Telephony networks.
Subtopics
• Data Networks
• Network Protocols
• Telephony
• Remote Access
– Remote Access Security Methods
– Tunneling Standards
– Virtual Private Networks
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities
Section Objectives
• Describe various methods of remote access to a network
• Discuss remote access control techniques
• Describe remote access tunneling protocols
• Describe virtual private networks (VPNs)
Remote Access Services
• Typically conducted over an untrusted network.
• Increased risk of disclosure, modification, and denial of service.
• Remote access security minimums:
– Strong identification and authentication services
• Rapid growth of remote access via the Internet
– Wide availability
– Economical
Remote Access Technologies
Allows users to access network information through a dial-in or wireless connection.
[Figure: a telecommuter, a mobile user and a branch office connect through a network access server.]
Internet Access
Allows users to access network information through an Internet Service Provider (ISP) connection.
[Figure: a mobile user connects through an ISP to the corporate gateway.]
General Remote Access Safeguards
• Publish a clear/definitive remote access policy and enforce it through audit.
• Justify all remote users and review regularly, such as yearly.
• Identify and periodically audit all remote access facilities, lines and connections.
• Consolidate all general user dial-up facilities into a central bank that is positioned on a DMZ.
General Remote Access Safeguards (cont.)
• Use phone lines restricted to outbound access for dial-out services.
• Set modems to answer after a pre-determined number of rings; counters “war dialers.”
• Use secure modems for single-port diagnostic and administrative access, or unplug when not in use.
• Consolidate remote access facilities when practical.
General Remote Access Safeguards (cont.)
• Implement two-factor user authentication and network access restrictions for remote access to all resources on private WAN/LANs.
• Use Virtual Private Networks for sensitive data communications on public networks.
• Use personal firewalls and anti-virus tools on remote computers.
Remote Access Controls
Three basic methods to restrict dial-up remote access are:
• Restricted Access – Only accepts incoming calls from addresses on an approved list.
• Caller ID – Checks each caller’s telephone number against an approved list.
• Callback – Callers identify themselves to the server with passcodes or ID numbers. The server terminates the connection and calls the user back at a pre-determined phone number.
Tunneling
• Tunneling is the act of packaging one network packet (the tunneled packet) inside another (the transport packet).
• The tunnel is the vehicle for encapsulating packets inside a protocol that is understood at the entry and exit points of a given network.
• For confidentiality and integrity, the tunnels should be encrypted.
Tunneling (cont.)
• Tunneling can allow different protocols to travel over a public IP network.
• Protocols being used are:
– Point to Point Tunneling Protocol
– Layer 2 Forwarding Protocol
– Layer 2 Tunneling Protocol
– IPSec Protocol
– MPLS (Multi-Protocol Label Switching)
– SOCKS
– SSH
PPTP
Point to Point Tunneling Protocol (PPTP)
• One of the first protocols deployed for Internet-based virtual private networks.
• It is a client/server architecture that allows the Point-to-Point Protocol (PPP) to be tunneled through an IP-network.
L2F Protocol
Layer 2 Forwarding (L2F) Protocol
• Permits tunneling at the link layer.
• Designed as a protocol for tunneling traffic from users to their corporate site.
• Provides mutual authentication of user and server.
• Does not offer encryption.
L2TP
Layer 2 Tunneling Protocol (L2TP)
• Hybrid of Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP).
• Designed for single-user point-to-point client/server connections.
• Multiple protocols can be encapsulated within the tunnel.
• No encryption, but is often deployed over IPSec.
IPSec Protocol
• IP standard for encryption and node authentication.
• It has enough functionality to encrypt, authenticate, and carry IP-only data through a shared network.
• While PPTP, L2F, and L2TP are aimed at end users, IPSec focuses on LAN-to-LAN or host-to-host tunnels.
• Allows multiple, simultaneous tunnels per end host.
• No user authentication method defined in the standard.
IPSec AH and ESP
• The IP Authentication Header (AH)
– provides connectionless integrity, data origin authentication, and an optional anti-replay service
• The Encapsulating Security Payload (ESP)
– provides confidentiality (encryption) and limited traffic flow confidentiality
– may provide connectionless integrity, data origin authentication, and anti-replay service
IPSec Protocol Security Associations
• All implementations must support a Security Association (SA)
– Simplex (i.e., one-way) “connection” that affords security services to the traffic carried by it
– To secure typical, bi-directional communication, 2 Security Associations (one in each direction) are required
• Security services are provided using AH or ESP
– If both AH and ESP protection is applied to a traffic stream, then 2 (or more) SAs are created
Security Association Triplet
• A security association is uniquely identified by a triplet:
– An IP destination address
– Security protocol (AH or ESP) identifier
– Security parameter index (SPI)
• Distinguishes among different SAs terminating at the same destination
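An added example (not from the course material, and not any real IPSec implementation) that ties together the SA triplet above, the two simplex SAs a bi-directional exchange needs, and the anti-replay service that AH and ESP provide: the SA database below is keyed by (destination address, protocol, SPI), and each SA carries a sliding anti-replay window of the kind described in RFC 4303. Addresses, SPIs and sequence numbers are constructed.

```python
"""Security Association lookup by triplet plus a sliding anti-replay window.

Added example, not from the (ISC)2 course material. Window logic follows
the scheme in RFC 4303 Appendix A; all addresses, SPIs and sequence
numbers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[str, str, int]   # (destination IP, "AH" or "ESP", SPI)


@dataclass
class SecurityAssociation:
    dst: str
    proto: str
    spi: int
    window_size: int = 64   # RFC 4303 requires at least 32; 64 is used here
    highest_seq: int = 0    # highest sequence number accepted so far
    window_bits: int = 0    # bit i set means sequence (highest_seq - i) was seen

    @property
    def triplet(self) -> Triplet:
        return (self.dst, self.proto, self.spi)

    def check_replay(self, seq: int) -> bool:
        """Anti-replay check for one inbound packet on this simplex SA.

        Returns True and records seq if the packet is new; False if it is a
        replay or has fallen behind the window. This must only run after the
        packet's integrity check value verified, otherwise a forged packet
        could advance the window and cause genuine packets to be dropped.
        """
        if seq == 0:                       # the first packet on an SA is 1
            return False
        mask = (1 << self.window_size) - 1
        if seq > self.highest_seq:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest_seq
            self.window_bits = (self.window_bits << shift) & mask if shift < self.window_size else 0
            self.window_bits |= 1
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False                   # too old: outside the window
        if (self.window_bits >> offset) & 1:
            return False                   # already received: replay
        self.window_bits |= 1 << offset    # late but new: accept and mark
        return True


class SADatabase:
    """Inbound SAs are found by the exact (dst, protocol, SPI) triplet."""

    def __init__(self) -> None:
        self._sas: Dict[Triplet, SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[sa.triplet] = sa

    def lookup(self, dst: str, proto: str, spi: int) -> Optional[SecurityAssociation]:
        return self._sas.get((dst, proto, spi))

    def __len__(self) -> int:
        return len(self._sas)


def run_sample() -> Tuple[int, List[bool], bool]:
    """Constructed scenario: host A (10.1.1.1) talks to host B (10.2.2.2)."""
    sad = SADatabase()
    # Bi-directional ESP needs two simplex SAs, one per direction.
    sad.add(SecurityAssociation(dst="10.2.2.2", proto="ESP", spi=0x1000))   # A -> B
    sad.add(SecurityAssociation(dst="10.1.1.1", proto="ESP", spi=0x2000))   # B -> A
    # AH applied to the same A -> B stream is a separate SA, even with the same SPI value.
    sad.add(SecurityAssociation(dst="10.2.2.2", proto="AH", spi=0x1000))

    inbound_at_b = sad.lookup("10.2.2.2", "ESP", 0x1000)
    if inbound_at_b is None:
        raise RuntimeError("SA lookup failed")
    # Constructed ESP sequence numbers as they arrive at B: 2 and 3 are
    # replayed, 70 jumps ahead, 10 arrives late but still inside the window.
    results = [inbound_at_b.check_replay(s) for s in (1, 2, 3, 2, 70, 3, 10)]
    # A packet addressed to A with B's inbound SPI resolves to no SA at all.
    wrong_direction = sad.lookup("10.1.1.1", "ESP", 0x1000)
    return len(sad), results, wrong_direction is None


if __name__ == "__main__":
    print(run_sample())
```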
Security Association Combinations
Security associations may be combined in two ways:
• Transport adjacency: using the same IP datagram to apply multiple security protocols, without invoking tunneling
– Allows for only one level of combination; further nesting yields no additional benefit
• Transport mode: encrypts normal communication between end-node and end-node (peer to peer).
• Iterated tunneling: applying multiple layers of security protocols through IP tunnels
– Allows for multiple levels of nesting
– Each tunnel can originate or terminate at a different IPSec site along the path
– Iterated tunneling mode is designed to be used by VPN gateways (LAN to LAN / office to office).
IPSec Protocol
• IPSec imposes computational performance costs on the hosts or security gateways.
– Memory needed for IPSec code and data structures.
– Computation of integrity check values.
– Encryption and decryption.
– Added per-packet handling, manifested by increased latency and possibly reduced throughput.
– Use of SA/key management protocols, especially those that employ public key cryptography, also adds computational performance costs to the use of IPSec.
Multi-Protocol Label Switching (MPLS)
• Does not rely on encapsulation and encryption to maintain a high level of security
– Service providers create IP tunnels throughout their network without encryption
• Uses forwarding tables and ‘labels’ to create a secure connection
• Used to guarantee a certain level of performance, to route around network congestion, or to create IP tunnels for network-based virtual private networks
MPLS Benefits
• MPLS brings benefits to IP-based networks, such as:
– Traffic Engineering - the ability to set performance characteristics and the path a particular class of traffic will use
– VPNs - gives service providers the ability to provide IP tunnels through their network without needing end-user applications or encryption
Socket Security (SOCKS)
• Circuit-level proxy that contains authentication and encryption features.
– Usually used to allow internal computers access to the external Internet
– Can be used for tunneling to allow external users access to the internal network.
– Requires client applications to be SOCKS-ified.
Secure Shell (SSH, SSH2)
• SSH
– Powerful method of performing client authentication
– Safeguards multiple service sessions between two systems.
• Provides support for:
– Host and user authentication
– Data compression
– Data confidentiality and integrity
• Credentials are validated by digital certificate exchange using RSA.
Virtual Private Networks (VPN)
• Virtual Private Network (VPN)
– Dynamically established secure network link between two specific network nodes or subnets using a secure encapsulation method.
– Uses tunneling AND encryption to protect private traffic over an un-trusted network.
VPN LAN-to-LAN Configuration
[Figure: two LANs joined across the Internet by an encrypted VPN link between VPN servers; on one side the VPN server sits behind the firewall, on the other it sits on the DMZ.]
Mobile User-to-LAN VPN
[Figure: a mobile user's laptop with VPN client software connects across the Internet over an encrypted link to a LAN whose firewall and VPN server are on the same box.]
IPSec Compatible VPN Devices
• IPSec Compatible VPN Devices
– Derive confidentiality and integrity from the workstation IP address and either a machine certificate or a shared secret key.
– Require the least user intervention, since IPSec authentication and encryption are not user-based.
– Work only with IP, not multi-protocol.
– Operate at the Network Layer of the OSI model.
IPSec Compatible VPN Devices (cont.)
Key management is a critical component of using IPSec for a VPN.
[Figure: IPSec key exchange.]
Non-IPSec Compatible VPN Devices
• Use protocols such as PPTP, SOCKS, or MPLS.
• Provide advantages over IPSEC:
– Two-factor authentication
– Better integration with proxy servers and NAT.
Firewall based VPN Devices
• Integrated with many firewall systems.
• Central VPN administration is integrated on the firewall system.
• Often uses proprietary, non-standard protocols.
• Allows VPN traffic to be securely transmitted and filtered by the firewall.
• Typically does not provide any user authentication, but relies on the firewall authentication service to perform user identification and authentication.
Quick Quiz
• What functions does a VPN provide?
• What is IPSec?
• What is tunneling?
• Name a few tunneling protocols.
Section Summary
• Remote access typically refers to accessing a trusted network from outside the network.
• Identification and authentication are critical prior to establishing remote access.
• A VPN can be used to help support remote access.
• Various protocols exist to support and control remote access.
Subtopics
• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities
Section Objectives
• Understand the categories of attacks that can impact network security
• Identify wireless network components
• Describe wireless protocols
• Discuss wireless threats and vulnerabilities
• Describe wireless controls components
• Understand Instant Messaging vulnerabilities
• Describe the steps in a successful network attack
Various Network Threats & Attacks
• Denial of Service (DoS)
• Distributed DoS
• Mobile Code
• Malicious Code
• Wireless LAN Vulnerabilities
• Spoofing
• Sniffing
• Eavesdropping
• Masquerading
• Instant Messaging (IM) Vulnerabilities
Remote Access Threat
• Often provides undetected access to unprotected back doors.
• Brute force attack on location’s prefix using “war dialer” is an example.
• Targets of opportunity include:
– Insecure Internet connections
– Unsecured modem access
– Diagnostic ports on various network devices
– Administrative ports on voice mail systems, PBX, fax servers
– Unauthenticated sessions
The Target
• Sensitive and critical information.
• Computing services, such as storage space and other resources.
• Toll telephone services
• Voice mail
• Network access to interconnected networks, such as customers or business partners.
Wireless LAN Vulnerabilities: Subtopics
• Detection
• Eavesdropping
• Modification
• Injection
• Hijacking
• WLAN Architecture
• Radio Frequency Management
[Figure: wireless LAN positioned between the corporate intranet and the Internet.]
Detection & Eavesdropping
• Detection
– WLAN will generate and broadcast detectable radio waves for a great distance
• Eavesdropping
– WLAN signals extend beyond physical security boundaries
Eavesdropping
• Service Set Identifier (SSID) may be broadcast.
• SSID string may identify your organization.
Eavesdropping
• Standard Wired Equivalent Privacy (WEP) encryption is often not used.
• When used, WEP is flawed and vulnerable.
• No user authentication in WEP.
[Figure: an eavesdropper captures clear-text passwords, IP addresses and company data.]
Modification, Injection & Hijacking
• Modification
– Standard Wired Equivalent Privacy (WEP) encryption has no effective integrity protection.
• Injection
– Static WEP keys can be determined by analysis.
– Adversaries can attach to the network without authorization.
• Hijacking
– Adversaries can hijack authenticated sessions protected only by WEP.
WLAN Architecture
• Security Architecture
[Figure: firewall separating the Internet, the DMZ and the internal network; a rogue AP is attached to the internal network.]
Radio Frequency Management
• Poor RF management will lead to unnecessary transmission of your RF signal into unwanted areas.
• Also consider other devices which may cause interference.
[Figure: RF coverage of Building A extending into the parking lot.]
Wireless LAN Security Controls: Subtopics
1. SSID Broadcasting
2. MAC Address Filtering
3. Security Architecture
4. Radio Frequency Management
5. Encryption
6. Authentication
7. New Wireless LAN Security Protocols
SSID Broadcasting
• Disable the broadcasting of the SSID.
– Not possible on all Access Points
– Easily bypassed
– Only useful on low-value networks
– SSID should also not be easily correlated to your organization name
MAC Address Filtering
• Some Access Points allow the administrator to specify which link layer (MAC) addresses can attach.
  – Easily bypassed (MAC addresses are sent in the clear and can be cloned on the attacking client)
  – Does not scale
  – Only useful for low-value networks
Security Architecture
[Figure: Internet, firewall, DMZ containing the VPN server, second firewall, internal network.]
Radio Frequency Management
[Figure: coverage map of Building A and its parking lot.]
• Use a scanner to determine your RF footprint
• Monitor interference sources
Wireless Encryption
• Static WEP keys are insufficient for many networks
• New secure protocols are being designed for WLAN
• Layered VPN is a common solution for WLAN networks
Subtopics
Wireless LAN Security Mechanisms:
• Access Control
• Authentication
• Encryption
• Integrity
802.11 Wireless LAN Security Protocols:
• 802.1X / Dynamic WEP
• Wi-Fi Protected Access
• Robust Security Network
Access Control: 802.1X
[Figure: message sequence between the Client, the AP (authenticator) and the Authentication Server.]
1. The client probes, authenticates and associates with the AP; the 802.1X controlled port stays blocked.
2. 802.1X EAP Request/Response exchange between client and AP; the AP relays the EAP authentication exchange to the authentication server inside RADIUS (RADIUS encapsulation).
3. EAP Success: the authentication server returns EAP Success plus key material to the AP, which forwards the EAP Success to the client.
4. Nonce exchange / derive keys: client and AP derive the session keys from that key material; the 802.1X port is opened.
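The "nonce exchange / derive keys" step at the end of the sequence, worked through in code. This is an added example and not course material: it implements the 802.11i pairwise key derivation and the message-2 Key MIC check with AP and client both simulated in one script. It assumes a pre-shared-key network so the PMK can be computed from a passphrase (with 802.1X the PMK is instead the key material the authentication server hands to the AP); the passphrase and SSID are the published IEEE 802.11i test-vector inputs, and the MAC addresses and function names are constructed.

```python
"""Added example (not the course's code): 802.11i/WPA2 pairwise key derivation
and the message-2 Key MIC check, with AP and client both simulated here.
Assumes a PSK network so the PMK comes from the passphrase; with 802.1X the
PMK would be the key material the authentication server hands the AP."""
import hashlib
import hmac
import os
import struct

MIC_OFFSET = 81  # EAPOL header (4) + Key Descriptor fields before the Key MIC (77)


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) ||
    min(ANonce,SNonce) || max(ANonce,SNonce)). 384 bits is the CCMP size; TKIP uses 512."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes):
    """KCK (MIC key), KEK (key-wrapping key), TK (the CCMP data key)."""
    return ptk[0:16], ptk[16:32], ptk[32:48]


def eapol_key_frame(replay_counter: int, nonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key frame as a client sends in message 2: Key Info 0x010A =
    MIC bit | pairwise | descriptor version 2 (HMAC-SHA1 MIC), no Key Data."""
    body = struct.pack("!BHHQ", 2, 0x010A, 16, replay_counter)   # descriptor type, key info, key length, replay counter
    body += nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8     # Key Nonce, Key IV, Key RSC, Key ID
    body += mic + struct.pack("!H", 0)                             # Key MIC, Key Data Length
    return struct.pack("!BBH", 2, 3, len(body)) + body             # EAPOL version 2, type 3 (EAPOL-Key), length


def key_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 MIC: HMAC-SHA1 over the whole EAPOL frame with the MIC
    field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], key_mic(kck, frame))


def four_way_handshake(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes = None, snonce: bytes = None):
    """Nonce exchange seen from both sides. Returns (ptk_ap, ptk_client, msg2, mic_ok)."""
    anonce = anonce or os.urandom(32)                    # message 1: AP -> client, ANonce in the clear
    snonce = snonce or os.urandom(32)                    # client picks SNonce
    ptk_client = derive_ptk(pmk, aa, spa, anonce, snonce)
    kck_client, _, _ = split_ptk(ptk_client)
    msg2 = eapol_key_frame(1, snonce)                    # message 2: SNonce + MIC, proving the client
    msg2 = eapol_key_frame(1, snonce, key_mic(kck_client, msg2))  # really holds the PMK
    snonce_rx = msg2[17:49]                              # AP reads SNonce out of message 2 ...
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce_rx) # ... derives the same PTK ...
    kck_ap, _, _ = split_ptk(ptk_ap)
    return ptk_ap, ptk_client, msg2, verify_mic(kck_ap, msg2)  # ... and checks the MIC


def tampered(frame: bytes) -> bytes:
    """Bump the replay counter: a replayed or forged message 2 must fail the MIC check."""
    return frame[:9] + struct.pack("!Q", 99) + frame[17:]


if __name__ == "__main__":
    pmk = pmk_from_psk("password", "IEEE")               # published 802.11i test-vector inputs
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    ptk_ap, ptk_client, msg2, ok = four_way_handshake(pmk, aa, spa)
    print("PMK", pmk.hex())
    print("PTK match:", ptk_ap == ptk_client, " message-2 MIC ok:", ok,
          " tampered MIC ok:", verify_mic(split_ptk(ptk_ap)[0], tampered(msg2)))
```

The point to notice is that the PMK never crosses the air: both sides prove possession of it through the MIC on message 2, and because the PTK is bound to both MAC addresses and both nonces, a captured handshake cannot be replayed against a fresh ANonce. On a PSK network the PMK is only as strong as the passphrase, which is why 802.1X with a per-user EAP method is preferred for anything beyond a small office.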
Authentication
• A wireless LAN needs an authenticated key exchange mechanism.
• Most secure WLAN implementations use the Extensible Authentication Protocol (EAP).
• Many EAP methods are available:
  – One-factor methods include EAP-MD5, LEAP, PEAP-MSCHAP, TTLS-MSCHAP and EAP-SIM.
  – Two-factor methods include EAP-TLS, TTLS with OTP, and PEAP-GTC.
• Mutual authentication is needed: EAP-MD5 and LEAP do not authenticate the server to the client, and a captured exchange of either can be attacked with an offline dictionary, so they should not be used on a WLAN.
Encryption
• Static WEP
• Dynamic WEP
• Temporal Key Integrity Protocol (TKIP)
  – Uses the RC4 stream cipher with 128-bit per-packet keys
• Counter-Mode/CBC-MAC Protocol (CCMP)
  – Uses the Advanced Encryption Standard (AES) with 128-bit keys
Integrity Protection
• WEP has no cryptographically strong integrity protection: its integrity check value is a CRC-32, which is linear, so an attacker can flip bits in the ciphertext and patch the check value to match.
• TKIP uses a new Message Integrity Code called "Michael".
• CCMP uses AES in CBC-MAC mode.
802.11 Security Solutions

                 802.1X Dynamic WEP   Wi-Fi Protected Access (WPA)    Wi-Fi Protected Access 2 (WPA2)
Access Control   802.1X               802.1X or Pre-Shared Key        802.1X or Pre-Shared Key
Authentication   EAP methods          EAP methods or Pre-Shared Key   EAP methods or Pre-Shared Key
Encryption       WEP                  TKIP (RC4)                      CCMP (AES Counter Mode)
Integrity        None                 Michael MIC                     CCMP (AES CBC-MAC)
Instant Messaging Threats
• Many of today's IM systems were built for chatting rather than secure corporate communications.
• They are rapidly working their way into corporations because of their efficiency and convenience.
• Few organizations have standards, leaving users to choose for themselves and potentially compromise security within the organization.
• IM creates new and hidden vulnerabilities.
• Companies need to create and implement a strategy to fully reap the benefits of IM systems while reducing exposure to security attacks.
IM Security Issues
• Most lack encryption capabilities.
• Most have features to bypass traditional corporate firewalls.
• Insecure password management.
• Increased exposure to account hijacking and spoofing.
IM Security Issues (cont.)
• May contain bugs that can be exploited by attackers, such as buffer overflows, allowing access to the PC running the vulnerable IM client.
• Vulnerable to denial-of-service attacks.
• Ideal platform for fast-spreading malicious software and worms.
• Easy to locate new targets (buddy lists) that can be harvested by easy-to-write scripts.
• Susceptible to eavesdropping.
• Enables users to exchange files.
Instant Messaging Security
• Establish corporate IM usage policies.
• Deploy a desktop firewall to block usage of unapproved IM programs and prevent attacks to and from systems.
• Deploy anti-virus software and personal firewalls on all desktops.
• Restrict sending confidential information over public IM systems.
• Properly configure corporate firewalls to block unapproved IM traffic.
Instant Messaging Security (cont.)
• Deploy private corporate IM servers to isolate corporate messaging system from the outside world
• Enforce client-side IM settings (refuse file transfers, etc.)
• Install patches to IM software as soon as possible
• Use vulnerability management solutions to ensure IM client policy compliance
Network Threats and Attacks: Methodology - Subtopics
Attack Methodology
1. Identify the target and collect information
2. Analyze the target to identify a vulnerability
3. Gain access to the target
4. Escalate privileges
5. Complete the attack
Attack Step One
Identify the target and collect information
• Systematically map the target's network.
  – Traceroute, ping sweeps, port scanning, TCP half-open (SYN) scanning, FIN scanning, OS fingerprinting.
• Information wanted:
  – Domain names and network numbers
  – IP addresses
  – Names/phone numbers of personnel
  – Network map, including services that are available or running
  – Operating system type and version
Attack Step Two
Analyze the target to identify a vulnerability
• Query to gather detailed information such as:
  – Operating system and services running; many systems will freely volunteer the product name and version number in a greeting banner.
  – List of user IDs, shared file systems, system information.
  – Probe telephone lines for modems that answer.
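Steps one and two in code, as an added example that is not the course's: a TCP connect scan with banner grabbing and a small banner-based service fingerprinter. To run offline it scans a throwaway listener the script starts itself on 127.0.0.1; the banner text, the fingerprint rules and the helper names (start_demo_listener, free_closed_port, grab_banner, fingerprint, scan) are all constructed for the demo.

```python
"""Added example (not from the course): a connect scan plus banner grab, the
"map the network, then read what the services volunteer" part of steps one
and two. The target is a listener this script starts on localhost."""
import socket
import threading

DEMO_BANNER = b"220 mail.example.test ESMTP Sendmail 8.13.1 ready\r\n"  # constructed greeting

# Constructed banner-matching rules: (substring, service guess). Order matters.
FINGERPRINTS = [
    (b"SSH-", "ssh"),
    (b"ESMTP", "smtp"),
    (b"HTTP/", "http"),
    (b"FTP", "ftp"),
]


def start_demo_listener(banner: bytes = DEMO_BANNER) -> int:
    """Start a throwaway TCP service on 127.0.0.1 that greets every client with a
    banner, the way SMTP, FTP and SSH daemons do. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port() -> int:
    """A port that is closed right now (bound, then released), for the demo."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host: str, port: int, timeout: float = 1.0):
    """Full TCP connect (the handshake completes, so the target can log it), then
    read whatever the service says first. None means closed or filtered."""
    s = socket.socket()
    s.settimeout(timeout)
    try:
        if s.connect_ex((host, port)) != 0:
            return None
        try:
            return s.recv(512)
        except socket.timeout:
            return b""  # open but silent: a protocol-specific probe would be the next step
    finally:
        s.close()


def fingerprint(banner: bytes) -> str:
    """Guess the service from its greeting; the version string is in the banner itself."""
    for needle, name in FINGERPRINTS:
        if needle in banner:
            return name
    return "unknown"


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Map open port -> (service guess, banner text) for the given port list."""
    found = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            found[port] = (fingerprint(banner), banner.decode(errors="replace").strip())
    return found


if __name__ == "__main__":
    open_port = start_demo_listener()
    for port, (svc, text) in scan("127.0.0.1", [open_port, free_closed_port()]).items():
        print(f"{port}/tcp open  {svc:8s} {text}")
```

A connect scan is the noisy variant: every probe completes the three-way handshake and shows up in the target's logs, which is why the slide also lists half-open (SYN) and FIN scans; those need raw sockets and are not shown here. The banner is the defender's lesson as well: the version string this listener hands out is exactly what step two is looking for, so production services should be configured to say as little as possible.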
Attack Step Three
Gain access to the target
• Make connection attempts using:
  – Direct login attempts to reach hosts
  – Modems to attack remote access servers and modems attached to individual computers
• Try to guess passwords
• Exploit known security vulnerabilities
• Perform piggybacking/hijacking/spoofing
• Use social engineering
• Perform a denial of service attack
Attack Step Four
Escalate privileges
• Try to gain administrative or operator privileges.
• Try to utilize the compromised system to gain access to more valuable systems.
• Techniques:
  – Buffer overflows
  – Trojan horses
  – Password guessing, or install a password sniffing/gathering/cracking tool
  – Exploit trust relationships
Attack Step Five
Complete the attack
• Install a backdoor mechanism that allows the attacker to bypass access control and avoid detection, such as a rootkit.
• Create a rogue user account.
• Close the original vulnerability so no one else can compromise the system.
• Modify audit logs if they are stored locally to prevent discovery of the attack.
Network Attacks
• Threat agents: external attackers, internal attackers, disgruntled employees, viruses, Internet worms, etc.
• Active attacks:
  – Vulnerabilities in the network systems
  – Attacks on "perimeter defenses" (network infiltration)
  – Malicious code: viruses, worms, Trojan horses, etc.
  – Login/password brute-force attacks
  – Vulnerabilities in Web applications
  – Denial of Service (DoS) attacks: network flood, session consumption, buffer overflow, etc.
• Passive attacks:
  – Network sniffing and eavesdropping
  – Wiretapping
  – Spyware/adware
[Figure: network zone diagram. Public Zone (General Public, Business Partner, Remote Users, personal computers) reaching the Internet; a DMZ with a Web Server; an Internal Zone with Region Network, Region Users, Region Data, Central Control, servers, a minicomputer, a mainframe, workstations and a printer; firewalls between the zones and a router at the edge.]
Security Risk Example #1: Internet Firewall
• Security risk scenario: “vulnerability in external perimeter controls” – a flaw in the firewall rules
[Figure: the same network zone diagram, used to illustrate the attack.]
Security Risk Example #1: Attack Illustration
• An attacker scans the network; the firewall blocks all attempts except...
• The attacker finds an open MS SQL port (1433/tcp) on "CUSTOMERDB1" (the firewall admin opened it during a test and forgot to close it).
• This is a good starting point for "penetrating the network".
• Next steps: read the server banner (MS SQL), try the default user "sa" with a NULL (blank) password, then brute-force the password.
Security Risk Example #1: Countermeasures
• Compensating access controls: a "tightly configured" firewall
  – Firewall rules should be configured according to the organization's standard or approved network zone specifications.
  – Best practice: allow only "firewall friendly ports" into the DMZ, each to the host that serves it:
    • HTTP (80/tcp), HTTPS (443/tcp) for Web servers
    • FTP (20/21/tcp) for File Transfer servers
    • SMTP (25/tcp) for Email servers
    • DNS (53/udp and 53/tcp) for Domain Name servers
    • IPSec-IKE (500/udp) for IPSec/VPN access
  – Rules opened for testing need an owner and an expiry date, and the rulebase should be reviewed against the zone specification on a schedule; that review is what would have caught the forgotten 1433/tcp rule.
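One way to make "configured according to the approved zone specification" checkable, as an added example that is not part of the course: a rulebase audit that flags any rule whose destination service is not on the approved list for its zone, has passed its expiry date, or is marked as temporary. The rule format, the zone specification, the host names and the audit function are constructed for the demo and model the CUSTOMERDB1 scenario above.

```python
"""Added example (not course material): audit a firewall rulebase against the
approved-ports-per-zone specification from the slide. Rule format, zone spec
and the rules themselves are constructed for the demo."""
from datetime import date

# Approved (protocol, port) pairs per destination zone for traffic from the Internet.
ZONE_SPEC = {
    "dmz": {("tcp", 80), ("tcp", 443), ("tcp", 20), ("tcp", 21),
            ("tcp", 25), ("udp", 53), ("tcp", 53), ("udp", 500)},
    "internal": set(),   # nothing from the Internet straight into the internal zone
}

TEMP_WORDS = {"temp", "temporary", "test"}

# Constructed rulebase. The third rule is the forgotten test rule from the scenario.
RULES = [
    {"src": "internet", "dst": "dmz", "host": "WWW1", "proto": "tcp", "port": 443,
     "comment": "public web", "expires": None},
    {"src": "internet", "dst": "dmz", "host": "MAIL1", "proto": "tcp", "port": 25,
     "comment": "inbound smtp", "expires": None},
    {"src": "internet", "dst": "internal", "host": "CUSTOMERDB1", "proto": "tcp", "port": 1433,
     "comment": "TEMP test, remove", "expires": date(2005, 1, 15)},
    {"src": "internet", "dst": "dmz", "host": "WWW1", "proto": "tcp", "port": 8080,
     "comment": "mgmt console", "expires": None},
]


def audit(rules, spec, today=None):
    """Return (finding, where) pairs for every rule that deviates from the spec."""
    today = today or date.today()
    findings = []
    for r in rules:
        where = f"{r['host']} {r['proto']}/{r['port']} ({r['src']} -> {r['dst']})"
        allowed = spec.get(r["dst"], set())
        if (r["proto"], r["port"]) not in allowed:
            findings.append(("unapproved-service", where))
        if r["expires"] is not None and r["expires"] < today:
            findings.append(("expired", where))
        words = set(r["comment"].lower().replace(",", " ").split())
        if words & TEMP_WORDS:
            findings.append(("temporary-rule", where))
    return findings


if __name__ == "__main__":
    for finding, where in audit(RULES, ZONE_SPEC):
        print(f"{finding:20s} {where}")
```

Run on a schedule (the "time to review" trigger of the maintenance process later in this section), this kind of check turns the approved port list from a slide into a control: the 1433/tcp rule is reported three times over, once for each reason it should not exist.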
[Figure: the same network zone diagram as Example #1.]
Security Risk Example #2: Network Device
• Security risk scenario: “vulnerability in network perimeter controls” - a flaw in the router configuration
[Figure: the same network zone diagram, used to illustrate the attack.]
Security Risk Example #2: Attack Illustration
• An external attacker scans the network, identifies a router and...
• Finds port 80/tcp (HTTP) open on that router.
• Connects to the router via a web browser and gets to a "Login Prompt".
• Tries the following URL: http://router.company.com/level5/show/config
• The router configuration file is displayed.
• Using the "weak password encryption", the password is recovered.
• The router configuration can now be changed.
Security Risk Example #2: Countermeasures
• A few common best security practices for switches and routers:
  – Shut down unnecessary and dangerous services (HTTP, NTP, TCP small services, UDP small services, BOOTP, Finger, etc.)
  – Shut down unused interfaces
  – Do not allow "source routing"
  – Block directed IP broadcasts, to prevent amplification DoS attacks (e.g. Smurf)
  – Define Access Control Lists; keep them simple and easy to read (if it looks too complex you may need a stateful firewall)
    • Block "spoofed" IP traffic: packets arriving from outside with source addresses that are obviously fake, such as your own internal ranges
    • Block broadcast and IP multicast packets (if not used)
    • Block ICMP redirect packets
Security Risk Example #2: Countermeasures (cont.)
  – Protect access to the Telnet VTY lines (only authorized IPs should have access), and prefer SSH to Telnet where the platform supports it
  – Turn on logging and log all security exceptions, such as "access denied"
  – Use long, unguessable SNMP community strings and disable SNMP write access if it is not used; SNMPv1/v2c send the community string in the clear, so also restrict SNMP to management addresses, or use SNMPv3 with authentication and privacy
  – Use "strong" passwords, and on Cisco devices store them with the MD5-based "enable secret" (type 5) rather than the reversible type 7 "password" encryption the attack above relied on
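An added example (not from the course) that turns the two countermeasure lists above into an audit of a Cisco IOS-style configuration, and includes a decoder for the reversible "type 7" password encoding that the attack illustration relies on. The sample configurations, the check list and the function names are constructed; the checks cover only the items on the slides, not a complete hardening standard.

```python
"""Added example (not course material): audit a Cisco IOS-style configuration
against the countermeasure list above and decode the reversible "type 7"
password encoding the attack illustration exploits. The sample configs and
the check list are constructed; the checks cover the slides' items only."""
import re

# Constructed "before" config. Every type 7 string below decodes to "cisco".
SAMPLE_CONFIG = """\
version 12.2
service tcp-small-servers
hostname edge-rtr
enable password 7 094F471A1A0A
username admin password 7 094F471A1A0A
ip http server
snmp-server community public RO
snmp-server community private RW
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 password 7 094F471A1A0A
 transport input telnet
"""

# Constructed "after" config: the same box with the slides' countermeasures applied.
HARDENED_CONFIG = """\
version 12.2
no service tcp-small-servers
no service udp-small-servers
hostname edge-rtr
enable secret 5 $1$salt$placeholderhash
no ip source-route
no ip http server
logging 10.0.0.5
snmp-server community Zq7!vR2m RO 10
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
line vty 0 4
 access-class 10 in
 transport input ssh
"""

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Type 7 is an XOR against a fixed, long-published key; the first two digits
    are the starting offset into that key. It is obfuscation, not encryption."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


# Lines that should not appear: (finding name, regex)
BAD_LINES = [
    ("http-server-enabled", r"^ip http server$"),
    ("tcp-small-servers", r"^service tcp-small-servers$"),
    ("udp-small-servers", r"^service udp-small-servers$"),
    ("directed-broadcast", r"^\s+ip directed-broadcast$"),
    ("default-community", r"^snmp-server community (public|private)\b"),
    ("snmp-write-community", r"^snmp-server community \S+ RW\b"),
    ("enable-password-not-secret", r"^enable password "),
    ("type7-password", r"password 7 ([0-9A-Fa-f]+)$"),
    ("telnet-allowed", r"^\s+transport input .*telnet"),
]
# Lines that must appear somewhere: (finding name if absent, regex)
REQUIRED_LINES = [
    ("source-routing-not-disabled", r"^no ip source-route$"),
    ("vty-without-access-class", r"^\s+access-class \d+ in$"),
    ("no-logging", r"^logging \S+"),
]


def audit(config: str):
    """Return (finding, detail) pairs; type 7 findings include the recovered password."""
    lines = config.splitlines()
    findings = []
    for name, pattern in BAD_LINES:
        for line in lines:
            m = re.search(pattern, line)
            if m:
                detail = line.strip()
                if name == "type7-password":
                    detail += f"  -> recovers to {decode_type7(m.group(1))!r}"
                findings.append((name, detail))
    for name, pattern in REQUIRED_LINES:
        if not any(re.search(pattern, line) for line in lines):
            findings.append((name, "missing"))
    return findings


if __name__ == "__main__":
    for name, detail in audit(SAMPLE_CONFIG):
        print(f"{name:28s} {detail}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Two things the audit makes visible: `service password-encryption` only produces type 7 strings, so it does not protect a leaked configuration file (the whole premise of the attack illustration), and only `enable secret` stores a one-way hash; and the hardened configuration pairs every "shut it down" item with its positive counterpart (an access-class on the VTY lines, an ACL on the SNMP community, a logging host), which is what the required-lines half of the check enforces.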
[Figure: the same network zone diagram, used to illustrate the attack.]
Security Risk Example #3: Internal Windows Server
• Security risk scenario: "vulnerability in the server's network configuration"
• An internal attacker scans the network looking for only one port (161/udp).
• Finds the SNMP service running on server "WIN2KB001" with the default "public" community.
• Queries the system configuration via SNMP GET (system, resources, users, file shares) and attempts to access these resources.
• Runs exploit code for the Windows SNMP buffer overflow (MS02-006).
Security Risk Example #3: Countermeasures
• Best security practices for configuring network access controls on servers:
  – Shut down unnecessary and dangerous network services:
    – SNMP
    – File sharing (139/tcp, and 445/tcp on Windows 2000 and later)
    – NetBIOS datagram/Messenger service (138/udp)
    – Computer Browser / NetBIOS name service (137/udp broadcasts)
    – rlogin, rsh, TFTP (on Unix)
    – RPC services (if not used)
    – Telnet
  – Define IP filters using IPSec rules (Windows) or iptables (Linux) / ipfw (BSD)
Security Risk Example #3: Countermeasures (cont.)
  – Turn on logging and log all security exceptions, such as "access denied"
  – If SNMP is required, use long, unguessable community strings and disable SNMP write access (it is not usually required on servers); SNMPv1/v2c send the community string in the clear, so also restrict the service to management addresses
  – For terminal access use Citrix or Windows Terminal Services; do not use "simple" freeware software like VNC
Other Network Threats
• Denial-of-Service (DoS) attacks
  – Distributed DoS attacks
  – TCP SYN flood, Ping of Death, Land attack, Teardrop attack
  – Smurf (ICMP broadcast traffic flood)
• Brute force (dictionary-driven) attacks
• Buffer overflows
  – Many examples of vulnerable services: SNMP, RPC, SSH, FTP...
• Viruses/worms
  – Automated, "unleashed" versions of the above
• Spoofing
  – The source IP address is manipulated to bypass IP-level access controls (e.g. if two systems "trust" each other based on their IP addresses)
• Network traffic sniffing (passive attack)
• Man-in-the-middle attacks
• Network session hijacking/piggybacking
Network Maintenance Process
• Network access controls maintenance process:
  – Trigger events: new requirement, new vulnerability, time to review
  – Assess/analyze: any new risks or vulnerabilities in the environment
  – Implement: update rules and configurations to mitigate the risk
  – Test: test the rules and configurations to ensure that they work as expected
  – Deploy: put them into the production environment and document the change, including the trigger, the analysis and the test results
  – Monitor: monitor activities to 確認 that the network access controls work properly
Quick Quiz
• What is the primary difference between 802.11b and 802.11g?
• What type of encryption is typically available on wireless networks?
• True or False:
  – Steel walls will contain wireless signals.
  – Concrete walls will contain wireless signals.
Section Summary
• Wireless networks have become very prevalent.
• Wireless networks introduce new risks into a network environment.
• New controls need to be evaluated for wireless networks:
  – Access Control
  – Authentication
  – Encryption
  – Integrity
• Instant Messaging can be an effective organizational tool, but needs to be protected accordingly.
• Perimeter security controls need to be implemented properly to ensure adequate security.
Subtopics
• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities
Section Objectives
• Describe various types of network authentication protocols
• Describe methods of network user authentication
• Identify various firewall and perimeter security approaches
Network Access Controls: Subtopics
• Network Access Controls
  – Identification and Authentication
    • PPP Authentication
    • Centralized Authentication
    • Network User Authentication
  – Perimeter Security
Identification and Authentication
• Network identification and authentication processes are used to identify and verify the source attempting to establish the connection.
• Authentication should be used for:
  – Node authentication
  – End user authentication
Identification and Authentication (cont.)
• Node authentication is knowing the source (node) that is attempting to establish the connection.
  – When the node is authenticated, it is possible to identify the location and type of device.
• End user authentication verifies the identity of the remote user.
  – It is preferred to network node authentication.
  – It should be two-factor, such as using both a password and a token device or smart card.
Remote Access Authentication
1. Remote User requests authentication from Network Access Server.
2. Network Access Server then sends requests to the Centralized Authentication Server.
PPP Authentication Protocols
• Authentication of the source.
• Commonly used to establish a remote access session.
• Supports several security protocols to verify the network device and/or location of the originating connection point.
• Deployed to authenticate the end user.
• PPP authentication protocols include:
  – Password Authentication Protocol (PAP)
  – Challenge Handshake Authentication Protocol (CHAP)
  – Extensible Authentication Protocol (EAP)
PAP
• A simple, standards-based password protocol.
• Provides automated identification and authentication of remote entity.
PAP (cont.)
• Authentication is accomplished using a cleartext, reusable (static) password.
• Supported by most network devices.
• Decreasing use due to weakness of authentication process.
CHAP
• Standards-based authentication service (RFC 1994).
• Periodically re-validates the peer with a challenge-handshake protocol.
• The authentication process uses a non-replayable challenge/response dialog to verify the identity of the remote entity: each challenge is a fresh random value, so a captured response is useless against the next challenge.
• The authentication step takes place at the initial connection and can be repeated at any time during the session.
• The shared secret must be available in the clear (or reversibly encrypted) on both ends, because the authenticator has to recompute the response; MS-CHAP instead uses the stored one-way NT password hash as the secret.
• Only a one-way hash of the identifier, the secret and the challenge is sent over the link; the password itself never crosses the wire.
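The CHAP exchange with both sides in code, as an added example (not course material), next to what PAP puts on the wire for contrast. It implements the RFC 1994 MD5 variant; the user names, secrets and class/function names are constructed. MS-CHAP is not shown; it differs in using the NT password hash as the secret.

```python
"""Added example (not from the course): PPP CHAP (RFC 1994) authenticator and
peer, plus the PAP request for comparison. Names and secrets are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 algorithm: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. Must hold each peer's secret in usable (clear) form,
    because it recomputes the expected response."""

    def __init__(self, secrets: dict):
        self.secrets = secrets        # peer name -> secret
        self.identifier = 0
        self.outstanding = {}         # identifier -> challenge still awaiting a response

    def challenge(self):
        """Issue a fresh random challenge under a new identifier."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # a challenge is answered once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, chal))


def chap_peer(identifier: int, challenge: bytes, name: str, secret: bytes):
    """Client side. What goes on the wire is (identifier, 16-byte hash, name); the
    secret stays on the peer."""
    return identifier, chap_response(identifier, secret, challenge), name


def pap_on_the_wire(name: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: length-prefixed name and password, both in
    plain text, reusable by anyone who captures the link."""
    n = name.encode()
    return bytes([len(n)]) + n + bytes([len(password)]) + password


def run_session(auth: ChapAuthenticator, name: str, secret: bytes):
    """One CHAP exchange, then an attacker replaying the captured response when the
    authenticator re-challenges later in the session. Returns (first_ok, replay_ok)."""
    ident, chal = auth.challenge()
    on_wire = chap_peer(ident, chal, name, secret)           # attacker sees this
    first_ok = auth.verify(on_wire[0], on_wire[2], on_wire[1])
    ident2, _ = auth.challenge()                             # periodic re-authentication
    replay_ok = auth.verify(ident2, name, on_wire[1])        # old hash, new challenge
    return first_ok, replay_ok


if __name__ == "__main__":
    auth = ChapAuthenticator({"alice": b"s3cret-alice"})
    print("CHAP: first auth ok, replay ok =", run_session(auth, "alice", b"s3cret-alice"))
    print("PAP on the wire:", pap_on_the_wire("bob", b"hunter2"))
```

The replay test is the whole argument for CHAP over PAP: the captured response is bound to one challenge and one identifier, so it is dead as soon as the authenticator issues the next one. The cost is the storage requirement in the fifth bullet, and CHAP still does nothing against an offline dictionary attack on the captured hash if the secret is a weak password.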
Extensible Authentication Protocol (EAP)
• Flexible authentication framework.
• Framework for a variety of embedded authentication methods:
  – Password, S/Key, token card, or digital certificate.
    • S/Key uses the MD4 hash function to generate one-time passwords.
  – Supports new authentication methods as they become available.
Centralized Authentication Protocols
• With large remote access network it becomes impractical to store security information on each network access server.
• Standards-based centralized authentication databases simplify maintaining user lists, passwords, user profiles, and accounting records.
• Authentication database can be utilized by all remote access equipment. Unless properly designed, this could be a single point of failure.
Centralized Authentication Protocols (cont.)
• Any system that authenticates in a central location.
• Should provide three services (AAA):
  – Authentication: verifies who the user is and whether access is allowed.
  – Authorization: what the user is allowed to do.
  – Accounting (accountability): tracks what the user (or device, service) did and when it was done.
Subtopics
• Remote Authentication Dial-In User Service (RADIUS)
• Terminal Access Controller Access Control System (TACACS)
  – TACACS+
• DIAMETER
RADIUS
• Three components of RADIUS:
  – Server: resides on a central computer at the site.
  – Client: resides in dial-up or network access servers (NAS).
  – Protocol: utilizes UDP/IP (ports 1812 for authentication and 1813 for accounting; older deployments use 1645/1646).
TACACS and TACACS+
• Similar functionality to RADIUS.
• TACACS does not support dynamic passwords, but TACACS+ does.
• RADIUS only encrypts some parts of the communication, such as the user password; user names and the other attributes are sent in the clear.
• All communication between the network access server (TACACS+ client) and the TACACS+ server is sent over TCP (port 49).
• The TACACS+ packet body is encrypted with a shared secret key that is never sent over the network.
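An added example (not the course's) that builds a RADIUS Access-Request and Access-Accept per RFC 2865 to make the comparison concrete: only the User-Password attribute is hidden, everything else in the UDP datagram (including User-Name) is readable by anyone who can sniff the NAS-to-server path, and the reply is protected only by an MD5 Response Authenticator keyed with the shared secret. The shared secret, user, NAS address and function names are constructed.

```python
"""Added example (not course material): RFC 2865 Access-Request / Access-Accept
construction, showing which fields RADIUS actually protects. Secret, user and
NAS address are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server side of the same transform (the NAS never needs it)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type (1), length including header (1), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(ident: int, user: str, password: bytes, nas_ip: str, secret: bytes,
                   request_auth: bytes = None):
    """Build the datagram a NAS sends. Returns (packet, request_authenticator); the
    NAS keeps the authenticator to validate the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret): the only thing
    that stops a forged Access-Accept, and it relies entirely on the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of a reply against the Request Authenticator it sent."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs of any RADIUS packet: this is what a sniffer on the path sees."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    secret = b"testing123"                                        # constructed shared secret
    pkt, ra = access_request(7, "alice", b"correct horse battery", "10.0.0.2", secret)
    seen = parse_attributes(pkt)
    print("User-Name on the wire:", seen[USER_NAME])
    print("User-Password on the wire:", seen[USER_PASSWORD].hex())
    print("server recovers:", unhide_password(seen[USER_PASSWORD], secret, ra))
    reply = access_accept(7, ra, secret)
    print("reply accepted by NAS:", verify_response(reply, ra, secret))
```

Beyond the cleartext attributes, the weakness this exposes is that password hiding and reply integrity both hang off one static shared secret and MD5, with no per-session key and no protection of the Access-Request itself (the Message-Authenticator attribute of RFC 2869 adds an HMAC for that). This is the reason the slide contrasts it with TACACS+, which encrypts the whole body, and why RADIUS traffic should be confined to a management network or tunnelled.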
DIAMETER
• Supports roaming applications and overcomes limitations of RADIUS.
• Uses a peer-to-peer rather than client/server configuration to offer scalability.
• Has two parts:
  – Base Protocol: defines message format, transport, error reporting, and security services
  – Extensions: modules designed to conduct specific types of AAA transactions, such as NAS, Mobile-IP, and Secure Proxy
Network User Authentication
• Network user authentication is when a user is trying to login to an intelligent client node, such as a server, but must receive further authorization to access the resources.
• Need to protect against replay attacks and brute force password guessing.
Lightweight Directory Access Protocol (LDAP)
• Widely accepted industry standard for access to directory information and application services.
• Multi-vendor interoperability.
• Open, extensible, vendor-independent, platform-independent.
• LDAP directories provide repositories for security-related data (e.g. user IDs, passwords, URLs, pointers, binary data, public key certificates, etc.).
Network Information System (NIS)
• A distributed database system that lets computers share a set of system files.
• A central server stores a shared database with one-way encrypted passwords.
• Use of these shared files allows users to access any of a set of computers, using credentials stored in a centrally administered database.
• NIS uses only IP addresses to authenticate the client and server nodes.
• NIS+ is a hierarchical and secure NIS implementation.
Distributed Computing Environment (DCE)
• Standard promoted by the Open Group.
• Network authentication is derived from Kerberos.
  – Adds extensions for authorization attributes (privileges).
  – Uses Universal Unique Identifiers instead of user names to identify users.
  – Requires synchronized time clocks to generate time stamps to prevent replay attacks.
NT/LAN Manager (NTLM)
• The NTLM authentication protocol provides challenge/response authentication for client/server networks.
• The user's password is hashed and the hash is used as the key to encrypt a challenge sent by the server (NTLMv1 uses the hash as DES keys over the 8-byte challenge; NTLMv2 uses an HMAC-MD5 keyed with the hash instead).
Network Access Controls: Subtopics
• Network Access Controls
  – Identification and Authentication
  – Perimeter Security
    • Perimeter Security Overview
    • Perimeter Security Technologies
    • Perimeter Security Architecture
    • Firewall Security Best Practices
Network Perimeter
• Refers to the concept that public, sensitive private networks and non-sensitive private sub-networks are segregated and entry is controlled.
• Access from one network or segment to another is controlled through a “Choke Point”.
• Network security policy is defined and enforced by some type of mechanism at each boundary router and secure gateway.
Boundary Routers
• Provide entry to and from network perimeters; i.e., boundary routers interconnect networks at their perimeter entry points.
• Permit or deny predefined traffic (via ACLs) and implement safeguards against IP spoofing and other network attacks.
• Forward permitted traffic to and from secure gateways and networks.
DeMilitarized Zone (DMZ)
• DMZ networks function as a small and isolated network positioned between the untrusted network and the private network.
• Typically systems on the untrusted network and some systems on the private network can access a limited number of services on the DMZ.
• The goal is to prevent the transmission of traffic directly between the untrusted network and the private network.
Bastion Host
• A computer system that is highly secured because it is vulnerable to attack, usually because it is exposed to an untrusted network.
• An application-level gateway is a type of “bastion host” because it is a designated system that is specifically armored and protected against attacks.
Network Access Controls: Perimeter Security Technologies
Subtopics
• Perimeter Security Techniques/Technologies
  – Filtering
    • By Protocol/Service
    • By Address
  – Network Partitioning
  – Data Inspection
  – Network Address Translation (NAT) / Port Address Translation (PAT)
  – Firewalls
Filtering by Protocol/Service
• Filtering by communications protocol/service.
  – Reduces risk by blocking all but authorized protocols and services.
  – Filtering is accomplished by Access Control Lists (ACLs) on various network devices such as routers, firewalls, gateways, and bridges.
  – Protocol examples include ICMP, UDP.
  – Service examples include HTTP, Telnet.
Filtering by Address
• Used to restrict network connections and routing.
  – Enables only authorized nodes/network segments to communicate; blocks out all others.
• Different from filtering by protocol/service but often used in conjunction with it.
• Filtering is done by Access Control Lists (ACLs) on various devices, such as routers, gateways, etc.
Network Segment / Subdomain Isolation
• Concept of filtering by protocol/services/source and destination address to isolate network traffic and services from private or sensitive parts of the network; e.g., traffic restricted to an extranet.
• Design the network architecture to separate “untrusted” traffic from “private” and “trusted” network segments/subdomains.
• Accomplished by:
– Filtering by protocol/services
– Filtering by source and destination address
– Network design (e.g. switches, VLANs, etc.)
Data Inspection
• Concept of monitoring and examining predefined communication layers of transmitted data and taking appropriate action if it is not allowed by the security rules.
• The volume of network traffic, the degree of analysis, and the sensitivity of the transmitted data determine how inspection is implemented; i.e., real-time or off-line analysis, and the type of alarm/response.
Data Inspection Applications
• Common applications of network data inspection:
– Computer virus scanning
– Stateful inspection of network packets/frames
– Content inspection for Web mobile code, such as Java or ActiveX content
– Intrusion Detection Systems
Network Address Translation
• Address translation is when an address is converted from one value to another.
• Typically used to hide the internal network IP address from external systems.
• Translates each private IP address to a registered IP address.
NAT and RFC 1918
• RFC 1918 lists three segments of private addresses that are not to be used on the Internet, so they can be used safely behind a NAT environment.
• They are:
– 10.0.0.0 - 10.255.255.255
– 172.16.0.0 - 172.31.255.255
– 192.168.0.0 - 192.168.255.255
Port Address Translation
• Multiplexes many internal IP addresses into one external address.
• Changes source TCP/UDP port number of outgoing datagrams.
NAT/PAT
Network and Port Address Translation (diagram)
Inside host, before translation: Source IP 192.168.1.50, Destination IP 206.121.73.5, Source Port 1037, Destination Port 80
On the Internet side, after NAT/PAT: Source IP 199.53.72.2, Destination IP 206.121.73.5, Source Port 1058, Destination Port 80
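The translation on the diagram, as an added example that is not part of the (ISC)2 material: a minimal NAT/PAT table that rewrites the outbound packet (192.168.1.50:1037 becomes 199.53.72.2:1058), maps the reply back to the inside host, drops an unsolicited inbound datagram, and refuses to translate a source that is not in one of the three RFC 1918 blocks. The addresses and ports are the slide's own; the class and function names are this example's.

```python
"""Added example, not from the (ISC)2 slides: a minimal NAT/PAT translation table
using only the Python standard library."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# The three private blocks listed on the RFC 1918 slide.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


class Pat:
    """Port Address Translation: many inside addresses multiplexed onto one public
    address by rewriting the source port of each outgoing datagram."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside_ip, inside_port) -> public port, and the reverse mapping
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        if not is_rfc1918(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not a private address; nothing to translate")
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:            # first datagram of this flow: allocate a port
            self.outbound[key] = self.next_port
            self.inbound[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host. None means no table entry exists, so the
        datagram is dropped: an outside host cannot reach an inside address on its own."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Reproduce the slide's translation and show an unsolicited inbound datagram being dropped."""
    pat = Pat("199.53.72.2", first_port=1058)
    outbound = pat.translate_out(Packet("192.168.1.50", "206.121.73.5", 1037, 80))
    reply = pat.translate_in(Packet("206.121.73.5", "199.53.72.2", 80, 1058))
    unsolicited = pat.translate_in(Packet("206.121.73.5", "199.53.72.2", 80, 1059))
    return outbound, reply, unsolicited


if __name__ == "__main__":
    print(demo())
```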
Firewalls
• Firewalls enforce security rules between two or more networks.
• Evaluate each network packet against a network security policy.
Firewall Technologies: Subtopics
• Packet filtering firewalls
• Stateful inspection firewalls
• Proxy firewalls
– Circuit-level
– Application-level
• Personal firewalls
Packet Filtering Firewalls
• A method or device for limiting network traffic between two networks by enforcing security rules.
• Examines packet headers to either block or pass packets.
• Uses Access Control Lists (ACLs) that allow it to accept or deny access.
Packet Filtering Firewalls (cont.)
• Considers the following information:
– Source and destination addresses
– Data session’s protocol (TCP, UDP, ICMP, etc.)
– Source and destination application port for the desired service (FTP, Telnet, HTTP, etc.)
– Whether the packet is the start of a connection request (lack of the ACK bit in the TCP header)
Stateful Inspection Firewalls
• Transmitted data packets or frames are captured and analyzed at all communication layers.
• “State” and “context” data are stored and updated dynamically.
• Provides information for tracking connectionless protocols; e.g., Remote Procedure Call (RPC) and UDP-based applications.
Stateful Inspection Firewalls (cont.)
• A secure method of analyzing data packets.
• Places extensive information about a data packet into a table. In order for a session to be established, information about the connection must match information stored in the table.
• Examines the content of each packet to an arbitrary level of detail. For example, it may be able to associate incoming UDP replies with an old outgoing UDP request.
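The UDP case in the last bullet, as an added example that is not from the (ISC)2 material: a small state table that admits an inbound UDP datagram only if it mirrors an outbound request still in the table, and expires entries after an idle timeout so a reply that arrives too late is treated as unsolicited. The addresses, ports, 30-second timeout and class name are constructed for this example.

```python
"""Added example, not from the slides: a minimal stateful inspection table for UDP."""
from typing import Dict, Tuple

# proto, src_ip, dst_ip, src_port, dst_port
Flow = Tuple[str, str, str, int, int]


class StatefulFilter:
    def __init__(self, udp_timeout: float = 30.0):
        self.udp_timeout = udp_timeout
        self.table: Dict[Flow, float] = {}   # flow seen leaving -> time last seen

    def _expire(self, now: float) -> None:
        """Drop state for conversations that have been idle longer than the timeout."""
        for flow, seen in list(self.table.items()):
            if now - seen > self.udp_timeout:
                del self.table[flow]

    def outbound(self, proto: str, src_ip: str, dst_ip: str, sport: int, dport: int, now: float) -> str:
        """Inside-to-outside traffic is allowed by policy here and recorded as state."""
        self._expire(now)
        self.table[(proto, src_ip, dst_ip, sport, dport)] = now
        return "allow"

    def inbound(self, proto: str, src_ip: str, dst_ip: str, sport: int, dport: int, now: float) -> str:
        """Outside-to-inside traffic is allowed only as the mirror image of a recorded flow."""
        self._expire(now)
        mirror = (proto, dst_ip, src_ip, dport, sport)
        if mirror in self.table:
            self.table[mirror] = now         # refresh while the conversation continues
            return "allow"
        return "deny"


def demo() -> Tuple[str, str, str]:
    fw = StatefulFilter(udp_timeout=30.0)
    fw.outbound("udp", "10.1.1.5", "198.51.100.53", 40000, 53, now=0.0)      # DNS query leaves
    a = fw.inbound("udp", "198.51.100.53", "10.1.1.5", 53, 40000, now=1.0)    # matching reply
    b = fw.inbound("udp", "198.51.100.53", "10.1.1.5", 53, 40001, now=1.0)    # wrong port: no state
    c = fw.inbound("udp", "198.51.100.53", "10.1.1.5", 53, 40000, now=100.0)  # too late: expired
    return a, b, c


if __name__ == "__main__":
    print(demo())
```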
Proxy Firewalls
A proxy acts on another’s behalf.
Proxy Firewalls (cont.)
• Proxy clients talk to proxy servers.
• Proxy servers relay approved client requests to external servers and relay answers back to clients.
• Conceptually, outsiders are not allowed to “talk” directly to private nodes.
• There are two types of proxies:
– Circuit-level
– Application-level
Circuit-Level Proxy Firewalls
• Do not require a special proxy for each service (i.e., FTP, HTTP, TELNET, etc.).
• Can require user authentication before allowing access.
• Create a circuit between client and server without requiring knowledge about the service.
• Have no application-specific controls.
• An example is a SOCKS server.
Application-Level Proxy Firewalls
• Provide the highest level of security because they allow the greatest level of control.
• A different proxy is needed for each service.
• Provide information on the type and amount of traffic.
• Can require user authentication for each service, which provides accountability.
Application-Level Proxy Firewalls (cont.)
• Can impact network performance because they must analyze packets and make decisions about access control.
• Good place to do content inspection for mobile code and viruses.
• FTP example: restrict whether external users can only read files (use the GET command) or also write files (use the PUT command).
Personal Firewalls
• Individual hosts are protected with firewall software that provides stateful packet filtering and intrusion detection.
• Increasing availability of “always on” broadband connections for Small Office/Home Office users is increasing exposure to compromise.
Firewall Comparison

Firewall Type           | OSI Model Layer   | Characteristics
Packet Filtering        | Network Layer     | Routers using ACLs dictate acceptable access to a network; looks at destination and source addresses, ports and services requested
Application-level Proxy | Application Layer | Deconstructs packets and makes granular access control decisions; requires one proxy per service
Circuit-level Proxy     | Session Layer     | Deconstructs packets; protects a wider range of protocols and services than an application-level proxy, but with a less detailed level of control
Stateful                | Network Layer     | Keeps track of each conversation using a state table; looks at state and context of packets
Perimeter Security Configurations: Subtopics
• Packet Filtering
• Dual-Homed Host
• Screened Host
• Screened Subnet
• Multi-Legged Firewall
Packet Filtering
• Place a packet-filtering router between private network and the untrusted network.
[Diagram: Packet Filter, Network]
Dual-Homed Host
• Single computer with two network interface cards that acts as a dividing line between local network and the Internet.
[Diagram: Host Computer with Two Network Cards]
Screened Host
• Uses both a packet-filtering router and a bastion host.
[Diagram: Network, Bastion Host, Router]
Screened Subnet
• Uses two separate packet filters or stateful inspection firewalls and a network of bastion hosts.
[Diagram: Firewall, DMZ (Switch), Firewall, Network]
3-Legged Firewall
• Configuration with a third network interface, usually for the DMZ.
• The DMZ segment allows both internal and external users to access common servers.
• Does not allow external users to access non-DMZ resources.
[Diagram: Firewall with DMZ and Network interfaces]
Firewall Security - Concepts
[Diagram of the firewall security layers: Policies and Procedures, Environmental, Operating System, People and Processes, Cabling & Switching, Firewall configuration, Application Layer, Operating System Controls, Architecture Controls, Data-Link]
Firewall Security - Environmental
• Document and clearly communicate who is authorized to:
– Install, de-install and move firewalls
– Perform hardware maintenance and changes to the physical configuration
– Make physical connections to the firewall
• Define procedures for:
– Locating and securing firewalls by zone
– Securing console physical access
– Recovering in the event of physical damage
– Escalating in the event of firewall tampering
Firewall Security - Data Link
• Use VLANs sparingly on critical firewalls.
• If VLANs are necessary, consider using known firewall virtualization (e.g. VSX).
[Diagram: VLAN Enabled]
Firewall Security – Operating System
• Ensure that the operating systems have been appropriately hardened.
• Ensure that unnecessary services have been disabled.
• Turn on the operating system logging mechanism.
• Use double intervention controls for critical functions (e.g. access to the operating system).
Firewall Security – Application Layer
• Use appropriate stealth, cleanup and silent rules.
[Diagram: rule base excerpt showing a Stealth Rule and a Cleanup Rule]
Firewall Security – Application Layer
• Use negate in preference over a permitted destination.
[Diagram: rule base excerpt, with the negated-destination form marked Preferred]
Firewall Security – Define Appropriate Global Rules
• Limit the use of implied rules
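The rule-base guidance on the Application Layer slides (stealth rule first, cleanup rule last, negated destination, no reliance on implied rules) together with the header fields from the Packet Filtering slides (addresses, protocol, port, and absence of the TCP ACK bit marking a connection request), as one added example that is not from the (ISC)2 material. The internal network 192.0.2.0/24, firewall address 192.0.2.1, DMZ web server 198.51.100.10, the rule names and the sample packets are constructed.

```python
"""Added example, not from the slides: a first-match packet-filter rule base evaluator."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                    # "accept" or "drop"
    src: str = ANY                 # CIDR or "any"
    dst: str = ANY
    proto: str = ANY               # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None
    negate_dst: bool = False       # match when the destination is NOT in `dst`
    new_only: bool = False         # match only connection requests (TCP without ACK)
    log: bool = False


def packet(src: str, dst: str, proto: str, dport: Optional[int] = None, ack: bool = False) -> Dict:
    """Constructed packet header with just the fields a packet filter considers."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "ack": ack}


def _in(addr: str, spec: str) -> bool:
    return spec == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(rule: Rule, pkt: Dict) -> bool:
    dst_ok = _in(pkt["dst"], rule.dst)
    if rule.negate_dst:
        dst_ok = not dst_ok
    if not (_in(pkt["src"], rule.src) and dst_ok):
        return False
    if rule.proto != ANY and rule.proto != pkt["proto"]:
        return False
    if rule.dport is not None and pkt["dport"] != rule.dport:
        return False
    if rule.new_only and (pkt["proto"] != "tcp" or pkt["ack"]):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Dict) -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule name)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    # Reached only when the rule base has no cleanup rule: the implied default the slides
    # say to limit. The rule base below therefore ends with an explicit cleanup rule.
    return "drop", "<implied default>"


FIREWALL = "192.0.2.1/32"
INTERNAL = "192.0.2.0/24"
DMZ_WEB = "198.51.100.10/32"

RULE_BASE = [
    # Stealth rule first: nobody talks to the firewall itself, and attempts are logged.
    Rule("stealth", "drop", dst=FIREWALL, log=True),
    # Negated destination: internal hosts may reach anything that is NOT internal,
    # rather than enumerating permitted outside destinations.
    Rule("internal-out", "accept", src=INTERNAL, dst=INTERNAL, negate_dst=True),
    # Block inbound connection requests (no ACK bit) to internal hosts ...
    Rule("no-new-inbound", "drop", dst=INTERNAL, proto="tcp", new_only=True, log=True),
    # ... but let the ACK-bearing packets of internally initiated sessions return
    # (a stateless approximation; a stateful firewall tracks the session instead).
    Rule("established-in", "accept", dst=INTERNAL, proto="tcp"),
    # The published web server in the DMZ.
    Rule("dmz-web", "accept", dst=DMZ_WEB, proto="tcp", dport=80),
    # Cleanup rule last: drop and log everything not explicitly permitted.
    Rule("cleanup", "drop", log=True),
]


if __name__ == "__main__":
    for p in (packet("192.0.2.20", "192.0.2.1", "tcp", 22),
              packet("203.0.113.7", "192.0.2.20", "tcp", 445),
              packet("203.0.113.7", "198.51.100.10", "udp", 161)):
        print(p, "->", evaluate(RULE_BASE, p))
```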
Group Exercise
• An electronics company wishes to make their product documentation available on the Internet. They have decided to use a packet filtering security architecture to protect the server housing the documentation. What are the pros and cons of this approach?
Section Summary
• In order to access a network, you must authenticate to the network.
• Authentication should be done at two levels: user level and node level.
• Authentication can be controlled in various ways.
• Firewalls should be used to protect your internal network from unauthenticated and unauthorized access.
• Various firewall and perimeter security approaches exist; using a combination of technologies and architectures can give you adequate security.
Subtopics
• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
• Multimedia and Quality of Service
• Information Security Activities
Network Availability Technologies: Subtopics
• Network Availability Technologies
– Network Disaster Prevention
  • Cabling
  • Topology
  • Single Points of Failure
  • Saving Configuration Files
– Server Disaster Prevention
Section Objectives
• Understand how to prevent network disasters from happening
• Describe methods of protecting important network elements such as servers
Cabling
• The cabling that is used will impact how resilient the network is to failure.
• Test and certify all cabling before use on the network.
• Segment problem areas with switches.
• Use fiber to avoid electromagnetic interference.
• Avoid excessive cable lengths.
Topology
• Some topologies do a better job of recovering from problems that can happen on networks.
• Ethernet, when used with twisted-pair cabling, can be extremely resistant to cabling problems.
• Token Ring was designed to be fault tolerant, but is subject to faulty network interface cards.
• Fiber Distributed Data Interface (FDDI) if implemented with dual counter-rotating rings is very reliable.
Single Points of Failure
• Leased lines can introduce a single point of failure.
• Frame Relay
– Provides wide area network connectivity across a shared public switched network.
– If any segment in the frame relay cloud has a failure, traffic is diverted across other links.
– The link to the Central Office from the customer site is still a single point of failure.
Single Points of Failure Countermeasures
• Best way to minimize disasters is to identify single points of failure and build in redundancy.
• Creating single points of failure is a common mistake made in network design.
• Be careful of consolidated equipment, such as routers or switches.
• Deploy redundant equipment.
Single Points of Failure Countermeasures (cont.)
• Take advantage of redundant LAN routes.
• Provide on-demand backup for WAN connections.
• Build systems that are:
– Basic Availability - sufficient components to satisfy the system’s functional requirements
– High Availability - also has sufficient redundancy
– Continuous Availability - also has components to apply to planned outages (i.e., upgrades, backups)
Saving Configuration Files
• When network devices fail, chances are local configurations will be lost.
• Terminal logging - allows saving of configuration files by logging what appears on the terminal as device is locally programmed.
• Trivial File Transfer Protocol (TFTP) - supports saving or retrieving configuration information. A single server can archive configuration files for every device on the network.
Network Availability Technologies: Subtopics
• Network Disaster Prevention
• Server Disaster Prevention
– Uninterruptible Power Supply (UPS)
– Redundant Array of Independent Disks (RAID)
– Redundant Servers
– Clustering
– Backup Technologies
– Server Recovery
UPS, RAID & MAID
• Uninterruptible Power Supply (UPS)
– Provides a source of clean and steady power.
• Redundant Array of Independent Disks (RAID)
– Provides fault tolerance against hard disk crashes and can improve system performance.
• Massive Array of Inactive Disks (MAID)
– Similar to RAID, except disks remain dormant until requested.
– By reducing the number of disks that are concurrently active, disk controller costs can be significantly reduced.
Redundant Servers
• Keep a redundant idle computer available for failover -- server fault tolerance
• Provide one or more entire systems to be available in case primary one crashes.
Clustering
• Similar to redundant servers except all systems take part in processing.
• Cluster acts as a single intelligent unit in order to balance traffic load.
• More attractive than server redundancy because secondary systems actually provide processing time.
• Boosts availability and performance.
Backups
• Safeguard the information that is stored on the server. Three types are:
– Full backup - complete archive of every file
– Differential backup - copies only files that have changed since a full backup was last performed
– Incremental backup - copies only files that have recently been added or changed since the last backup of any kind
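The three backup types worked through over a few days, as an added example that is not from the (ISC)2 material: it computes which files each backup copies from the files' modification days, and which backups are needed to restore the final state (full plus the latest differential, or full plus every incremental since). The file names, the daily change pattern and the function names are constructed.

```python
"""Added example, not from the slides: full, differential and incremental backup selection."""
from typing import Dict, List, Optional, Set, Tuple


def files_to_copy(kind: str, mtimes: Dict[str, int], last_full: Optional[int],
                  last_any: Optional[int]) -> List[str]:
    """kind is 'full', 'differential' or 'incremental'; mtimes maps file -> day last modified;
    last_full / last_any are the days of the last full backup and of the last backup of
    any kind (None if there has been none)."""
    if kind == "full":
        return sorted(mtimes)
    since = {"differential": last_full, "incremental": last_any}[kind]
    if since is None:                       # no baseline exists yet: copy everything
        return sorted(mtimes)
    return sorted(f for f, day in mtimes.items() if day > since)


def simulate(changes: List[Set[str]], strategy: str
             ) -> Tuple[List[Tuple[int, str, List[str]]], List[int]]:
    """changes[d] is the set of files created or modified on day d. Day 0 gets a full backup;
    each later day gets a `strategy` backup at the end of the day. Returns the per-day
    backups as (day, kind, files copied) and the backup days needed to restore the
    final state."""
    mtimes: Dict[str, int] = {}
    backups: List[Tuple[int, str, List[str]]] = []
    last_full: Optional[int] = None
    last_any: Optional[int] = None
    for day, modified in enumerate(changes):
        for name in modified:
            mtimes[name] = day
        kind = "full" if day == 0 else strategy
        backups.append((day, kind, files_to_copy(kind, mtimes, last_full, last_any)))
        if kind == "full":
            last_full = day
        last_any = day
    assert last_full is not None and last_any is not None
    if strategy == "differential":
        # Restore = last full plus only the most recent differential.
        chain = [last_full] if last_any == last_full else [last_full, last_any]
    else:
        # Restore = last full plus every incremental taken since, in order.
        chain = list(range(last_full, last_any + 1))
    return backups, chain


# Constructed history: day 0 contents, then a edited on day 1, b on day 2, nothing on day 3.
CHANGES: List[Set[str]] = [{"a", "b", "c"}, {"a"}, {"b"}, set()]


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        backups, chain = simulate(CHANGES, strategy)
        print(strategy, backups, "restore from days", chain)
```

Differential backups grow as the week goes on but restore from two sets; incrementals stay small but every set since the full is needed to restore.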
Tape Arrays
• Redundant Array of Independent Tapes (RAIT) - similar to RAID technology
Other technologies:
• NAS (Network Attached Storage)
• S-ATA (Serial Advanced Technology Attachment)
• Others
Online Backup
Continuous Online Backup with Hierarchical Storage Management (HSM)
• Combines hard disk technology with the use of slower and cheaper optical or tape juke boxes.
• Continuous online backup package.
Storage Area Network (SAN)
• Shared network that connects hosts to storage devices.
• Often used to implement server-less backups.
Quick Quiz
• What are some of the ways to prevent disasters from happening on a network?
• How can we provide protection for servers on a network?
Section Summary
• Disasters on a network can be minimized by using the correct cabling and topologies, as well as by addressing single points of failure and building in redundancy.
• There are several ways to protect servers; they include mirroring, clustering, backing up, RAID, etc.
Subtopics
• Data Networks
• Network Protocols
• Telephony
• Remote Access
• Network Threats, Attacks and Countermeasures
• Network Access Controls
• Network Availability Technologies
• Internet and Web Security Protocols
– Data Link Layer Security Protocols
– Network Layer Security Protocols
– Transport Layer Security Protocols
– Application Layer Security Protocols
• Multimedia and Quality of Service
• Information Security Activities
Section Objectives
• List some of the protocols available to provide security, in relation to the TCP/IP layers.
• Understand how to address security for specialized multimedia applications.
• Understand the objectives of Quality of Service.
• Understand the activities that need to be addressed by security professionals in order to ensure adequate network security.
Data Link Layer Security Protocols
• Tunneling and VPN protocols are the mechanisms to protect transmission at the Data Link Layer.
– Point to Point Tunneling Protocol
– Layer 2 Forwarding
– Layer 2 Tunneling Protocol
– 802.11 Wireless LAN Security Protocols
– Other Layer 2 Solutions
Network/Internet Layer Security Protocols
• Several protocols have been proposed.
• Most notable is IPSec.
– It can be implemented in various types of network equipment.
– Designed to support multiple encryption and authentication protocols.
Transport Layer Security Protocols
• Some examples:
– Secure Shell (SSH)
– Secure Sockets Layer (SSL)
– Transport Layer Security Protocol (TLS)
– Wireless Transport Layer Security (WTLS)
Secure Sockets Layer (SSL)
• Enables client/server applications to communicate securely, minimizing the risk of eavesdropping, tampering, or message forgery.
• Provides data confidentiality, integrity control, server authentication, and optionally, client authentication.
• Two-layer protocol:
– SSL Record Protocol - used to pass messages
– SSL Handshake Protocol - used to establish an SSL connection
SSL Handshake – Step One
• A link is established to the secure server over TCP/IP. The client sends the server a ‘Client.Hello’ message including the client’s SSL version number, cipher settings, and a random number.
SSL Handshake – Step Two
• The server sends back a response (Server.Hello).
• The response includes the server’s public key certificate, SSL version number, cipher settings, and a random number.
SSL Handshake – Step Three
• The client can now authenticate the server. It sends the server a message encrypted with the server’s public key, and the server decrypts it. This value is used to generate the session key, the secret for the HMAC, and the IV (if needed).
SSL Handshake – Step Four
• The client sends a message encrypted with the session key, closing the client side of the handshake. The server responds with a message encrypted with the session key, closing the server side. Communication is now secure.
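The four steps above, simulated as an added example that is not from the (ISC)2 material: both sides expand the premaster secret and the two random numbers into the session key, HMAC secret and IV (step three), then exchange closing messages authenticated with the derived HMAC secret (step four), so that a Client.Hello altered in transit leaves the two sides with different keys and a failed check. It assumes the premaster secret has already reached the server under its public key (that encryption step is not modelled) and uses an HMAC-SHA256 expansion in place of the real SSL/TLS PRF; the randoms, premaster and cipher-setting string are fixed constructed values.

```python
"""Added example, not from the slides: the SSL handshake key derivation and closing
messages simulated with the Python standard library."""
import hashlib
import hmac
from typing import Dict, Tuple

SUITE = b"SSLv3|RSA-AES128-SHA|"   # version and cipher settings carried by both Hello messages


def key_block(premaster: bytes, client_random: bytes, server_random: bytes, nbytes: int = 80) -> bytes:
    """Step three: expand (premaster, client random, server random) into key material.
    Iterated HMAC-SHA256 stands in for the SSL/TLS PRF (an assumption of this example)."""
    seed = client_random + server_random
    out, a = b"", seed
    while len(out) < nbytes:
        a = hmac.new(premaster, a, hashlib.sha256).digest()
        out += hmac.new(premaster, a + seed, hashlib.sha256).digest()
    return out[:nbytes]


def split_keys(block: bytes) -> Dict[str, bytes]:
    """Session key, HMAC secret and IV, the three values the slide lists."""
    return {"hmac_secret": block[:32], "session_key": block[32:64], "iv": block[64:80]}


def finished(hmac_secret: bytes, transcript: bytes) -> bytes:
    """Step four: each side proves it holds the same keys by authenticating the
    handshake transcript it saw with the derived HMAC secret."""
    return hmac.new(hmac_secret, transcript, hashlib.sha256).digest()


def handshake(client_random: bytes, server_random: bytes, premaster: bytes,
              tamper_client_hello: bool = False) -> Tuple[bool, bool]:
    """Returns (both sides derived the same keys, server accepted the client's closing message).
    With tamper_client_hello the server receives a Client.Hello whose random number was
    altered in transit; the closing-message check is what detects that."""
    client_hello = SUITE + client_random                                 # step one
    seen_random = (bytes([client_random[0] ^ 1]) + client_random[1:]
                   if tamper_client_hello else client_random)
    seen_client_hello = SUITE + seen_random                              # what the server got
    server_hello = SUITE + server_random                                 # step two
    client_keys = split_keys(key_block(premaster, client_random, server_random))   # step three
    server_keys = split_keys(key_block(premaster, seen_random, server_random))
    client_fin = finished(client_keys["hmac_secret"], client_hello + server_hello)  # step four
    expected = finished(server_keys["hmac_secret"], seen_client_hello + server_hello)
    return client_keys == server_keys, hmac.compare_digest(client_fin, expected)


CLIENT_RANDOM = bytes(range(32))                                   # constructed, fixed values
SERVER_RANDOM = bytes(range(32, 64))
PREMASTER = hashlib.sha256(b"constructed premaster secret").digest()

if __name__ == "__main__":
    print("clean handshake:", handshake(CLIENT_RANDOM, SERVER_RANDOM, PREMASTER))
    print("altered Client.Hello:", handshake(CLIENT_RANDOM, SERVER_RANDOM, PREMASTER, tamper_client_hello=True))
```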
Transport Layer Security Protocol (TLS)
• The TLS Working Group was established in 1996 to standardize a 'transport layer' security protocol.
– Based on, and backward compatible with, SSL version 3.0
• TLS provides for authentication and data protection for communication between two entities.
Wireless Transport Layer Security (WTLS)
• Security in the Wireless Application Protocol v1.2 uses WTLS instead of standard SSL.
• Wireless gateway must use WTLS to secure the channel to the wireless device and SSL to secure the channel from the destination web server.
• A security issue is that the information on the gateway is unencrypted.
Application Layer Security Protocols
Examples:
• Secure Remote Procedure Call (S-RPC)
• Domain Name System Security (DNSSec)
• Secure WWW Transactions (S-HTTP)
• Electronic Payment Schemes (SET, Ecash, Netcash, Mondex, Cybercash, etc.)
Multimedia Security
• Growing concern in competitive global market for confidentiality and privacy.
• Increased susceptibility to industrial and economic espionage.
• Effective security via encryption. For example, can use virtual private networks with encryption services.
Multimedia Security
• Protocols at network level can provide end-to-end security.
• Applications can also provide some security.
• Use of encryption and security protocols imposes a performance penalty:
– Bandwidth overhead
– Processing time
Quality of Service (QoS)
QoS refers to the capability of the network to provide better service to selected network traffic over various technologies.
Primary Goals of QoS
• Dedicated bandwidth
• Controlling jitter and latency
• Enabling coexistence of real-time traffic, such as voice/video, with best efforts traffic, such as data.
Jitter is the variation in arrival times of frames (latency) and is caused by queuing in routers, switches, and by carrier switched networks.
Types of QoS
• Best-effort service is basic connectivity with no guarantees.
• Differentiated service is when some traffic is more important than the rest (i.e., more bandwidth on average, lower loss rate on average).
• Guaranteed service is a complete reservation of network resources for specific traffic.
Traffic QoS Needs
• Data (Best Effort) - bursty, intolerant of errors, tolerant of jitter
• Audio/Video (Real Time) - constant bandwidth, tolerant of errors, intolerant of jitter
• Interactive (Terminal Emulation) - similar to Best Effort but more impacted by end-to-end latency than by jitter.
Information Security Activities
• Audit Log Processing
– Host audit logs
– Network device logs
– Intrusion Detection reports
• Security Reviews
• Vulnerability Assessment
– Network Audit
– Penetration Test
– Rogue Wireless Access Point Detection
Information Security Activities
• Sound Network Design (no single points of failure, defense in depth, etc.)
• Network scans (to know what is on it)
• Secure configuration
• Change management
• Configuration management
Information Security Activities
• Awareness and Training
– Train systems personnel so they know how to use systems properly
– All employees should be aware of system security responsibilities
• Support and manage activities related to security of the network
• Perform vulnerability assessments
• Perform security reviews
• Choose correct technologies and protocols to ensure adequate security of all network elements
Quick Quiz
• What are some of the Transport layer security protocols?
• What is Quality of Service?
• What is the best way to protect multimedia transmissions across an un-trusted network?
• What are some of the activities that security professionals need to be involved in, related to network security?
Section Summary
• Transport layer security protocols include SSL, TLS, and WTLS.
• Quality of service refers to the concept of making sure that your networks provide the level of service required by specific applications. We do this mostly by addressing redundancy and controlling jitter and latency.
• The best way to protect any transmission, including multimedia, is to use encryption and secure protocols at the network layer.
• Security activities include awareness and training, promoting sound network design, performing vulnerability assessments, security reviews, change management, choosing the correct security technologies and controls, etc.