Computer Security - Discussion
312
Chap ter 11 Se cure Net work Ar chi tec ture and Se cur ing Net work Com po nents
THE CISSP EXAM TOP ICS COV ERED IN THIS CHAP TER IN CLUDE:
Do main 4: Com mu ni ca tion and Net work Se cu rity 4.1 Im ple ment se cure de sign prin ci ples in net work ar chi tec tures
4.1.1 Open Sys tem In ter con nec tion (OSI) and Trans mis sion Con trol Pro to col/In ter net Pro to col (TCP/IP) mod els
4.1.2 In ter net Pro to col (IP) net work ing
4.1.3 Im pli ca tions of mul ti layer pro to cols
4.1.4 Con verged pro to cols
4.1.5 Soft ware-de fined net works
4.1.6 Wire less net works
4.2 Se cure net work com po nents
4.2.1 Op er a tion of hard ware
4.2.2 Trans mis sion me dia
4.2.3 Net work Ac cess Con trol (NAC) de vices
4.2.4 End point se cu rity
4.2.5 Con tent-dis tri bu tion net works
Com put ers and net works emerge from the in te gra tion of com mu ni ca tion de vices, stor age de vices, pro cess ing de vices, se cu rity de vices, in put de vices, out put de vices, op er at ing sys tems, soft ware, ser vices, data, and peo ple. This chap ter dis cusses the Open Sys tems In ter con nec tion (OSI) model as a guid ing prin ci ple in net work ing, ca bling, wire less con nec tiv ity, Trans mis sion Con trol Pro to col/In ter net Pro to col (TCP/IP) and re lated pro to cols, net work ing de vices, and fire walls.
The Com mu ni ca tion and Net work Se cu rity do main for the CISSP cer ti fi ca tion exam deals with top ics re lated to net work com po nents (i.e., net work de vices and pro to cols), specif i cally, how they func tion and how they are rel e vant to se cu rity. This do main is dis cussed in this chap ter and in Chap ter 12, “Se cure Com mu ni ca tions and Net work At tacks.” Be sure to read and study the ma te ri als in both chap ters to en sure com plete cov er age of the es sen tial ma te rial for the CISSP cer ti fi ca tion exam.
OSI Model Com mu ni ca tions be tween com put ers over net works are made pos si ble by pro to cols. A pro to col is a set of
rules and re stric tions that de fine how data is trans mit ted over a net work medium (e.g., twisted-pair ca ble, wire less trans mis sion). In the early days of net work de vel op ment, many com pa nies had their own pro pri etary pro to cols, which meant in ter ac tion be tween com put ers of dif fer ent ven dors was of ten dif fi cult, if not im pos si ble. In an ef fort to elim i nate this prob lem, the In ter na tional Or ga ni za tion for Stan dard iza tion (ISO) de vel oped the Open Sys tems In ter con nec tion (OSI) Ref er ence Model for pro to cols in the early 1980s. Specif i cally, ISO 7498 de fines the OSI Ref er ence Model (more com monly called the OSI model). Un der stand ing the OSI model and how it re lates to net work de sign, de ploy ment, and se cu rity is es sen tial in pre par ing for the CISSP exam.
In or der to prop erly im ple ment se cure de sign prin ci ples in net work ar chi tec tures, it is im por tant to fully un der stand all of the tech nolo gies in volved in com puter com mu ni ca tions. From hard ware and soft ware to pro to cols and en cryp tion and be yond, there are lots of de tails to know, stan dards to un der stand, and pro ce dures to fol low. Ad di tion ally, the ba sis of se cure net work ar chi tec ture and de sign is a thor ough knowl edge of the OSI and TCP/IP mod els as well as In ter net Pro to col (IP) net work ing in gen eral.
313
His tory of the OSI Model The OSI model wasn’t the first or only at tempt to stream line net work ing pro to cols or es tab lish a com mon
com mu ni ca tions stan dard. In fact, the most widely used pro to col to day, TCP/IP (which is based on the DARPA model, also known now as the TCP/IP model), was de vel oped in the early 1970s. The OSI model was not de vel oped un til the late 1970s.
The OSI pro to col was de vel oped to es tab lish a com mon com mu ni ca tion struc ture or stan dard for all com puter sys tems. The ac tual OSI pro to col was never widely adopted, but the the ory be hind the OSI pro to col, the OSI model, was read ily ac cepted. The OSI model serves as an ab stract frame work, or the o ret i cal model, for how pro to cols should func tion in an ideal world on ideal hard ware. Thus, the OSI model has be come a com mon ref er ence point against which all pro to cols can be com pared and con trasted.
OSI Func tion al ity
The OSI model di vides net work ing tasks into seven dis tinct lay ers. Each layer is re spon si ble for per form ing spe cific tasks or op er a tions for the ul ti mate goal of sup port ing data ex change (in other words, net work com mu ni ca tion) be tween two com put ers. The lay ers are al ways num bered from bot tom to top (see Fig ure 11.1). They are re ferred to by ei ther their name or their layer num ber. For ex am ple, layer 3 is also known as the Net work layer. The lay ers are or dered specif i cally to in di cate how in for ma tion flows through the var i ous lev els of com mu ni ca tion. Each layer com mu ni cates di rectly with the layer above it as well as the layer be low it, plus the peer layer on a com mu ni ca tion part ner sys tem.
FIG URE 11.1 Rep re sen ta tion of the OSI model
The OSI model is an open net work ar chi tec ture guide for net work prod uct ven dors. This stan dard, or guide, pro vides a com mon foun da tion for the de vel op ment of new pro to cols, net work ing ser vices, and even hard ware de vices. By work ing from the OSI model, ven dors are able to en sure that their prod ucts will in te grate with prod ucts from other com pa nies and be sup ported by a wide range of op er at ing sys tems. If all ven dors de vel oped their own net work ing frame work, in ter op er abil ity be tween prod ucts from dif fer ent ven dors would be next to im pos si ble.
The real ben e fit of the OSI model is its ex pres sion of how net work ing ac tu ally func tions. In the most tan gi ble sense, net work com mu ni ca tions oc cur over a phys i cal con nec tion (whether that phys i cal con nec tion is elec trons over cop per, pho tons over fiber, or ra dio sig nals through the air). Phys i cal de vices es tab lish chan nels through which elec tronic sig nals can pass from one com puter to an other. These phys i cal de vice chan nels are only one type of the seven log i cal com mu ni ca tion types de fined by the OSI model. Each layer of the OSI model com mu ni cates via a log i cal chan nel with its peer layer on an other com puter. This en ables pro to cols based on the OSI model to sup port a type of au then ti ca tion by be ing able to iden tify the re mote com mu ni ca tion en tity as well as au then ti cate the source of the re ceived data.
En cap su la tion/Deen cap su la tion
Pro to cols based on the OSI model em ploy a mech a nism called en cap su la tion. En cap su la tion is the ad di tion of a header, and pos si bly a footer, to the data re ceived by each layer from the layer above be fore it’s handed off to the layer be low. As the mes sage is en cap su lated at each layer, the pre vi ous layer’s header and
314
pay load com bine to be come the pay load of the cur rent layer. En cap su la tion oc curs as the data moves down through the OSI model lay ers from Ap pli ca tion to Phys i cal. The in verse ac tion oc cur ring as data moves up through the OSI model lay ers from Phys i cal to Ap pli ca tion is known as deen cap su la tion. The en cap su la tion/deen cap su la tion process is as fol lows:
1. The Ap pli ca tion layer cre ates a mes sage.
2. The Ap pli ca tion layer passes the mes sage to the Pre sen ta tion layer.
3. The Pre sen ta tion layer en cap su lates the mes sage by adding in for ma tion to it. In for ma tion is usu ally added only at the be gin ning of the mes sage (called a header); how ever, some lay ers also add ma te rial at the end of the mes sage (called a footer), as shown in Fig ure 11.2.
4. The process of pass ing the mes sage down and adding layer-spe cific in for ma tion con tin ues un til the mes sage reaches the Phys i cal layer.
5. At the Phys i cal layer, the mes sage is con verted into elec tri cal im pulses that rep re sent bits and is trans mit ted over the phys i cal con nec tion.
6. The re ceiv ing com puter cap tures the bits from the phys i cal con nec tion and re-cre ates the mes sage in the Phys i cal layer.
7. The Phys i cal layer con verts the mes sage from bits into a Data Link frame and sends the mes sage up to the Data Link layer.
8. The Data Link layer strips its in for ma tion and sends the mes sage up to the Net work layer.
9. This process of deen cap su la tion is per formed un til the mes sage reaches the Ap pli ca tion layer.
10. When the mes sage reaches the Ap pli ca tion layer, the data in the mes sage is sent to the in tended soft ware re cip i ent.
FIG URE 11.2 Rep re sen ta tion of OSI model en cap su la tion
The in for ma tion re moved by each layer con tains in struc tions, check sums, and so on that can be un der stood only by the peer layer that orig i nally added or cre ated the in for ma tion (see Fig ure 11.3). This in for ma tion is what cre ates the log i cal chan nel that en ables peer lay ers on dif fer ent com put ers to com mu ni cate.
315
FIG URE 11.3 Rep re sen ta tion of the OSI model peer layer log i cal chan nels
The mes sage sent into the pro to col stack at the Ap pli ca tion layer (layer 7) is called the data stream. It re tains the la bel of data stream (or some times the la bel of pro to col data unit [PDU] is ap plied) un til it reaches the Trans port layer (layer 4), where it is called a seg ment (TCP pro to cols) or a data gram (User Data gram Pro to col [UDP] pro to cols). In the Net work layer (layer 3), it is called a packet. In the Data Link layer (layer 2), it is called a frame. In the Phys i cal layer (layer 1), the data has been con verted into bits for trans mis sion over the phys i cal con nec tion medium. Fig ure 11.4 shows how each layer changes the data through this process.
FIG URE 11.4 OSI model data names
OSI Lay ers Un der stand ing the func tions and re spon si bil i ties of each layer of the OSI model will help you un der stand
how net work com mu ni ca tions func tion, how at tacks can be per pe trated against net work com mu ni ca tions, and how se cu rity can be im ple mented to pro tect net work com mu ni ca tions. We dis cuss each layer, start ing with the bot tom layer, in the fol low ing sec tions.
For more in for ma tion on the TCP/IP stack, search for TCP/IP on Wikipedia
(http://en.wikipedia.org).
Re mem ber the OSI To make the most of the OSI, you must first be able to re mem ber the names of the seven lay ers in their proper or der. One com mon method of mem o riz ing them is to cre ate a mnemonic from the ini tial let ters of the layer names so they are eas ier to re mem ber. One of our fa vorites is Please Do Not Teach Surly Peo ple Acronyms. Do take note that this mem o riza tion mnemonic works from the Phys i cal layer
316
up to the Ap pli ca tion layer. A mnemonic work ing from the Ap pli ca tion layer down is All Pres i dents Since Tru man Never Did Pot. There are many other OSI mem o riza tion schemes out there; just be sure you know whether they are top-down or bot tom-up.
Phys i cal Layer
The Phys i cal layer (layer 1) ac cepts the frame from the Data Link layer and con verts the frame into bits for trans mis sion over the phys i cal con nec tion medium. The Phys i cal layer is also re spon si ble for re ceiv ing bits from the phys i cal con nec tion medium and con vert ing them into a frame to be used by the Data Link layer.
The Phys i cal layer con tains the de vice driv ers that tell the pro to col how to em ploy the hard ware for the trans mis sion and re cep tion of bits. Lo cated within the Phys i cal layer are elec tri cal spec i fi ca tions, pro to cols, and in ter face stan dards such as the fol low ing:
EIA/TIA-232 and EIA/TIA-449
X.21
High-Speed Se rial In ter face (HSSI)
Syn chro nous Op ti cal Net work ing (SONET)
V.24 and V.35
Through the de vice driv ers and these stan dards, the Phys i cal layer con trols through put rates, han dles syn chro niza tion, man ages line noise and medium ac cess, and de ter mines whether to use dig i tal or ana log sig nals or light pulses to trans mit or re ceive data over the phys i cal hard ware in ter face.
Net work hard ware de vices that func tion at layer 1, the Phys i cal layer, are net work in ter face cards (NICs), hubs, re peaters, con cen tra tors, and am pli fiers. These de vices per form hard ware-based sig nal op er a tions, such as send ing a sig nal from one con nec tion port out on all other ports (a hub) or am pli fy ing the sig nal to sup port greater trans mis sion dis tances (a re peater).
Data Link Layer
The Data Link layer (layer 2) is re spon si ble for for mat ting the packet from the Net work layer into the proper for mat for trans mis sion. The proper for mat is de ter mined by the hard ware and the tech nol ogy of the net work. There are nu mer ous pos si bil i ties, such as Eth er net (IEEE 802.3), To ken Ring (IEEE 802.5), asyn chro nous trans fer mode (ATM), Fiber Dis trib uted Data In ter face (FDDI), and Cop per DDI (CDDI). How ever, only Eth er net re mains a com mon Data Link layer tech nol ogy in use in mod ern net works. Within the Data Link layer re sides the tech nol ogy-spe cific pro to cols that con vert the packet into a prop erly for mat ted frame. Once the frame is for mat ted, it is sent to the Phys i cal layer for trans mis sion.
The fol low ing list in cludes some of the pro to cols found within the Data Link layer:
Se rial Line In ter net Pro to col (SLIP)
Point-to-Point Pro to col (PPP)
Ad dress Res o lu tion Pro to col (ARP)
Layer 2 For ward ing (L2F)
Layer 2 Tun nel ing Pro to col (L2TP)
Point-to-Point Tun nel ing Pro to col (PPTP)
In te grated Ser vices Dig i tal Net work (ISDN)
Part of the pro cess ing per formed on the data within the Data Link layer in cludes adding the hard ware source and des ti na tion ad dresses to the frame. The hard ware ad dress is the Me dia Ac cess Con trol (MAC) ad dress, which is a 6-byte (48-bit) bi nary ad dress writ ten in hexa dec i mal no ta tion (for ex am ple, 00-13-02-1F- 58-F5). The first 3 bytes (24 bits) of the ad dress de note the ven dor or man u fac turer of the phys i cal net work in ter face. This is known as the Or ga ni za tion ally Unique Iden ti fier (OUI). OUIs are reg is tered with the In sti tute of Elec tri cal and Elec tron ics En gi neers (IEEE), which con trols their is suance. The OUI can be used to dis cover the man u fac turer of a NIC through the IEEE web site at http://stan dards.ieee.org/re gauth/oui/in dex.shtml. The last 3 bytes (24 bits) rep re sent a unique num ber as signed to that in ter face by the man u fac turer. No two de vices can have the same MAC ad dress in the same lo cal Eth er net broad cast do main; oth er wise an ad dress con flict oc curs. It is also good prac tice to en sure that all MAC ad dresses across a pri vate en ter prise net work are unique. While the de sign of MAC ad dresses should make them unique, ven dor er rors have pro duced du pli cate MAC ad dresses. When this hap pens ei ther the NIC hard ware must be re placed or the MAC ad dress must be mod i fied (i.e., spoofed) to a non con flict ing al ter na tive ad dress.
317
EUI-48 to EUI-64
The MAC ad dress has been 48 bits for decades. A sim i lar ad dress ing method is the EUI-48. EUI stands for Ex tended Unique Iden ti fier. The orig i nal 48-bit MAC ad dress ing scheme for IEEE 802 was adopted from the orig i nal Xe rox Eth er net ad dress ing method. MAC ad dresses typ i cally are used to iden tify net work hard ware, while EUI is used to iden tity other types of hard ware as well as soft ware.
The IEEE has de cided that MAC-48 is an ob so lete term and should be dep re cated in fa vor of EUI-48.
There is also a move to con vert from EUI-48 to EUI-64. This is prepa ra tion for fu ture world wide adop tion of IPv6 as well as the ex po nen tial growth of the num ber of net work ing de vices and net work soft ware pack ages, all of which need a unique iden ti fier.
A MAC-48 or EUI-48 ad dress can be rep re sented by an EUI-64. In the case of MAC-48, two ad di tional octets of FF:FF are added be tween the OUI (first 3 bytes) and the unique NIC spec i fi ca tion (last 3 bytes)—for ex am ple, cc:cc:cc:FF:FF:ee:ee:ee. In the case of EUI-48, the two ad di tional octets are FF:FE—for ex am ple, cc:cc:cc:FF:FE:ee:ee:ee.
Among the pro to cols at the Data Link layer (layer 2) of the OSI model, you should be fa mil iar with Ad dress Res o lu tion Pro to col (ARP). ARP is used to re solve IP ad dresses into MAC ad dresses. Traf fic on a net work seg ment is di rected from its source sys tem to its des ti na tion sys tem us ing MAC ad dresses.
ARP is car ried as the pay load of an Eth er net frame. Since Eth er net is layer 2, it makes sense to con sider ARP layer 3. How ever, ARP does not op er ate as a true layer 3 pro to col as it does not use a source/des ti na tion ad dress ing scheme to di rect com mu ni ca tions in its header (sim i lar to IP head ers). In stead, it is de pen dent upon Eth er net’s source and des ti na tion MAC ad dresses. Thus, ARP is not a true layer 3. ARP is also not truly a full layer 2 pro to col as it de pends upon Eth er net to serve as its trans porta tion host. Thus, at best it is a de pen dent layer 2 pro to col. The OSI model is a con cep tual model and not an ex act ing de scrip tion of how real pro to cols op er ate. Thus, ARP does not fit cleanly in the OSI or ga ni za tion.
The Data Link layer con tains two sub lay ers: the Log i cal Link Con trol (LLC) sub layer and the MAC sub layer. De tails about these sub lay ers are not crit i cal for the CISSP exam.
Net work hard ware de vices that func tion at layer 2, the Data Link layer, are switches and bridges. These de vices sup port MAC-based traf fic rout ing. Switches re ceive a frame on one port and send it out an other port based on the des ti na tion MAC ad dress. MAC ad dress des ti na tions are used to de ter mine whether a frame is trans ferred over the bridge from one net work to an other.
Net work Layer
The Net work layer (layer 3) is re spon si ble for adding rout ing and ad dress ing in for ma tion to the data. The Net work layer ac cepts the seg ment from the Trans port layer and adds in for ma tion to it to cre ate a packet. The packet in cludes the source and des ti na tion IP ad dresses.
The rout ing pro to cols are lo cated at this layer and in clude the fol low ing:
In ter net Con trol Mes sage Pro to col (ICMP)
Rout ing In for ma tion Pro to col (RIP)
Open Short est Path First (OSPF)
Bor der Gate way Pro to col (BGP)
In ter net Group Man age ment Pro to col (IGMP)
In ter net Pro to col (IP)
In ter net Pro to col Se cu rity (IPSec)
In ter net work Packet Ex change (IPX)
Net work Ad dress Trans la tion (NAT)
Sim ple Key Man age ment for In ter net Pro to cols (SKIP)
The Net work layer is re spon si ble for pro vid ing rout ing or de liv ery in for ma tion, but it is not re spon si ble for ver i fy ing guar an teed de liv ery (that is the re spon si bil ity of the Trans port layer). The Net work layer also man ages er ror de tec tion and node data traf fic (in other words, traf fic con trol).
318
Non-IP Pro to cols
Non-IP pro to cols are pro to cols that serve as an al ter na tive to IP at the OSI Net work layer (3). In the past, non-IP pro to cols were widely used. How ever, with the dom i nance and suc cess of TCP/IP, non-IP pro to cols have be come the purview of spe cial-pur pose net works. The three most rec og nized non-IP pro to cols are IPX, Ap pleTalk, and Net BEUI. In ter net work Packet Ex change (IPX) is part of the IPX/Se quenced Packet Ex change (SPX) pro to col suite com monly used (al though not strictly re quired) on Nov ell Net Ware net works in the 1990s. Ap pleTalk is a suite of pro to cols de vel oped by Ap ple for net work ing of Mac in tosh sys tems, orig i nally re leased in 1984. Sup port for Ap pleTalk was re moved from the Ap ple op er at ing sys tem as of the re lease of Mac OS X v10.6 in 2009. Both IPX and Ap pleTalk can be used as IP al ter na tives in a dead-zone net work im ple men ta tion us ing IP-to-al ter nate-pro to col gate ways (a dead zone is a net work seg ment us ing an al ter na tive Net work layer pro to col in stead of IP). Net BIOS Ex tended User In ter face (Net BEUI, aka Net BIOS Frame pro to col, or NBF) is most widely known as a Mi cro soft pro to col de vel oped in 1985 to sup port file and printer shar ing. Mi cro soft has en abled sup port of Net BEUI on mod ern net works by de vis ing Net BIOS over TCP/IP (NBT). This in turn sup ports the Win dows shar ing pro to col of Server Mes sage Block (SMB), which is also known as Com mon In ter net File Sys tem (CIFS). Net BEUI is no longer sup ported as a lower-layer pro to col; only its SMB and CIFS vari ants are still in use.
A po ten tial se cu rity risk ex ists when non-IP pro to cols are in use in a pri vate net work. Be cause non-IP pro to cols are rare, most fire walls are un able to per form packet header, ad dress, or pay load con tent fil ter ing on those pro to cols. Thus, when it comes to non-IP pro to cols, a fire wall typ i cally must ei ther block all or al low. If your or ga ni za tion is de pen dent on a ser vice that op er ates over only a non-IP pro to col, then you may have to live with the risk of pass ing all non-IP pro to cols through your fire wall. This is mostly a con cern within a pri vate net work when non-IP pro to cols tra verse be tween net work seg ments. How ever, non-IP pro to cols can be en cap su lated in IP to be com mu ni cated across the in ter net. In an en cap su la tion sit u a tion, IP fire walls are rarely able to per form con tent fil ter ing on such en cap su la tion and thus se cu rity has to be set to an al low-all or deny-all con fig u ra tion.
Routers and bridge routers (brouters) are among the net work hard ware de vices that func tion at layer 3. Routers de ter mine the best log i cal path for the trans mis sion of pack ets based on speed, hops, pref er ence, and so on. Routers use the des ti na tion IP ad dress to guide the trans mis sion of pack ets. A brouter, work ing pri mar ily in layer 3 but in layer 2 when nec es sary, is a de vice that at tempts to route first, but if that fails, it de faults to bridg ing.
Rout ing Pro to cols
There are two broad cat e gories of rout ing pro to cols: dis tance vec tor and link state. Dis tance vec tor rout ing pro to cols main tain a list of des ti na tion net works along with met rics of di rec tion and dis tance as mea sured in hops (in other words, the num ber of routers to cross to reach the des ti na tion). Link state rout ing pro to cols main tain a to pog ra phy map of all con nected net works and use this map to de ter mine the short est path to the des ti na tion. Com mon ex am ples of dis tance vec tor rout ing pro to cols are Rout ing In for ma tion Pro to col (RIP) and In te rior Gate way Rout ing Pro to col (IGRP), while com mon ex am ples of link state rout ing pro to cols are Open Short est Path First (OSPF) and In te rior Gate way Rout ing Pro to col (IGRP).
Trans port Layer
The Trans port layer (layer 4) is re spon si ble for man ag ing the in tegrity of a con nec tion and con trol ling the ses sion. It ac cepts a PDU (vari ably spelled out as Pro to col Data Unit, Packet Data Unit, or Pay load Data Unit —i.e., a con tainer of in for ma tion or data passed be tween net work lay ers). A PDU com ing from the Ses sion layer is con verted into a seg ment. The Trans port layer, which con trols how de vices on the net work are ad dressed or ref er enced, es tab lishes com mu ni ca tion con nec tions be tween nodes (also known as de vices) and de fines the rules of a ses sion. Ses sion rules spec ify how much data each seg ment can con tain, how to ver ify the in tegrity of data trans mit ted, and how to de ter mine whether data has been lost. Ses sion rules are es tab lished through a hand shak ing process, so the com mu ni cat ing de vices are in agree ment on the rules. (Please see the sec tion “Trans port Layer Pro to cols” later in this chap ter for the dis cus sion of the SYN/ACK three-way hand shake of TCP.)
The Trans port layer es tab lishes a log i cal con nec tion be tween two de vices and pro vides end-to-end trans port ser vices to en sure data de liv ery. This layer in cludes mech a nisms for seg men ta tion, se quenc ing, er ror check ing, con trol ling the flow of data, er ror cor rec tion, mul ti plex ing, and net work ser vice op ti miza tion. The fol low ing pro to cols op er ate within the Trans port layer:
319
Trans mis sion Con trol Pro to col (TCP)
User Data gram Pro to col (UDP)
Se quenced Packet Ex change (SPX)
Se cure Sock ets Layer (SSL)
Trans port Layer Se cu rity (TLS)
Ses sion Layer
The Ses sion layer (layer 5) is re spon si ble for es tab lish ing, main tain ing, and ter mi nat ing com mu ni ca tion ses sions be tween two com put ers. It man ages di a logue dis ci pline or di a logue con trol (sim plex, half-du plex, full-du plex), es tab lishes check points for group ing and re cov ery, and re trans mits PDUs that have failed or been lost since the last ver i fied check point. The fol low ing pro to cols op er ate within the Ses sion layer:
Net work File Sys tem (NFS)
Struc tured Query Lan guage (SQL)
Re mote Pro ce dure Call (RPC)
Com mu ni ca tion ses sions can op er ate in one of three dif fer ent dis ci pline or con trol modes:
Sim plex One-way com mu ni ca tion
Half-Du plex Two-way com mu ni ca tion, but only one di rec tion can send data at a time
Full-Du plex Two-way com mu ni ca tion, in which data can be sent in both di rec tions si mul ta ne ously
Pre sen ta tion Layer
The Pre sen ta tion layer (layer 6) is re spon si ble for trans form ing data re ceived from the Ap pli ca tion layer into a for mat that any sys tem fol low ing the OSI model can un der stand. It im poses com mon or stan dard ized struc ture and for mat ting rules onto the data. The Pre sen ta tion layer is also re spon si ble for en cryp tion and com pres sion. Thus, it acts as an in ter face be tween the net work and ap pli ca tions. This layer is what al lows var i ous ap pli ca tions to in ter act over a net work, and it does so by en sur ing that the data for mats are sup ported by both sys tems. Most file or data for mats op er ate within this layer. This in cludes for mats for im ages, video, sound, doc u ments, email, web pages, con trol ses sions, and so on. The fol low ing list in cludes some of the for mat stan dards that ex ist within the Pre sen ta tion layer:
Amer i can Stan dard Code for In for ma tion In ter change (ASCII)
Ex tended Bi nary-Coded Dec i mal In ter change Mode (EBCDICM)
Tagged Im age File For mat (TIFF)
Joint Pho to graphic Ex perts Group (JPEG)
Mov ing Pic ture Ex perts Group (MPEG)
Mu si cal In stru ment Dig i tal In ter face (MIDI)
So Many Pro to cols, So Many Lay ers
With seven lay ers and more than 50 pro to cols, it may seem daunt ing to re mem ber the layer in which each pro to col re sides. One way to learn this is to cre ate flash cards. On the front of each card, write the name of the pro to col; then on the back, write the layer name. Af ter shuf fling the cards, put the card for each pro to col in a pile rep re sent ing its sup posed layer. Once you have placed all the pro to cols, check your work by view ing the backs of the cards. Re peat this process un til you are able to place each one cor rectly.
Ap pli ca tion Layer
The Ap pli ca tion layer (layer 7) is re spon si ble for in ter fac ing user ap pli ca tions, net work ser vices, or the op er at ing sys tem with the pro to col stack. It al lows ap pli ca tions to com mu ni cate with the pro to col stack. The Ap pli ca tion layer de ter mines whether a re mote com mu ni ca tion part ner is avail able and ac ces si ble. It also en sures that suf fi cient re sources are avail able to sup port the re quested com mu ni ca tions.
320
The ap pli ca tion is not lo cated within this layer; rather, the pro to cols and ser vices re quired to trans mit files, ex change mes sages, con nect to re mote ter mi nals, and so on are found here. Nu mer ous ap pli ca tion- spe cific pro to cols are found within this layer, such as the fol low ing:
Hy per text Trans fer Pro to col (HTTP)
File Trans fer Pro to col (FTP)
Line Print Dae mon (LPD)
Sim ple Mail Trans fer Pro to col (SMTP)
Tel net
Triv ial File Trans fer Pro to col (TFTP)
Elec tronic Data In ter change (EDI)
Post Of fice Pro to col ver sion 3 (POP3)
In ter net Mes sage Ac cess Pro to col (IMAP)
Sim ple Net work Man age ment Pro to col (SNMP)
Net work News Trans port Pro to col (NNTP)
Se cure Re mote Pro ce dure Call (S-RPC)
Se cure Elec tronic Trans ac tion (SET)
There is a net work de vice (or ser vice) that works at the Ap pli ca tion layer, namely, the gate way. How ever, an Ap pli ca tion layer gate way is a spe cific type of com po nent. It serves as a pro to col trans la tion tool. For ex am ple, an IP-to-IPX gate way takes in bound com mu ni ca tions from TCP/IP and trans lates them over to IPX/SPX for out bound trans mis sion. Ap pli ca tion layer fire walls also op er ate at this layer. Other net work ing de vices or fil ter ing soft ware may ob serve or mod ify traf fic at this layer.
TCP/IP Model The TCP/IP model (also called the DARPA or the DOD model) con sists of only four lay ers, as op posed to
the OSI Ref er ence Model’s seven. The four lay ers of the TCP/IP model are Ap pli ca tion (also known as Process), Trans port (also known as Host-to-Host), In ter net (some times In ter net work ing), and Link (al though Net work In ter face and some times Net work Ac cess are used). Fig ure 11.5 shows how they com pare to the seven lay ers of the OSI model. The TCP/IP pro to col suite was de vel oped be fore the OSI Ref er ence Model was cre ated. The de sign ers of the OSI Ref er ence Model took care to en sure that the TCP/IP pro to col suite fit their model be cause of its es tab lished de ploy ment in net work ing.
321
FIG URE 11.5 Com par ing the OSI model with the TCP/IP model
The TCP/IP model’s Ap pli ca tion layer cor re sponds to lay ers 5, 6, and 7 of the OSI model. The TCP/IP model’s Trans port layer cor re sponds to layer 4 from the OSI model. The TCP/IP model’s in ter net layer cor re sponds to layer 3 from the OSI model. The TCP/IP model’s Link layer cor re sponds to lay ers 1 and 2 from the OSI model.
It has be come com mon prac tice (through con fu sion, mis un der stand ing, and prob a bly lazi ness) to also call the TCP/IP model lay ers by their OSI model layer equiv a lent names. The TCP/IP model’s Ap pli ca tion layer is al ready us ing a name bor rowed from the OSI, so that one is a snap. The TCP/IP model’s Host-to-Host layer is some times called the Trans port layer (the OSI model’s fourth layer). The TCP/IP model’s in ter net layer is some times called the Net work layer (the OSI model’s third layer). And the TCP/IP model’s Link layer is some times called the Data Link or the Net work Ac cess layer (the OSI model’s sec ond layer).
Since the TCP/IP model layer names and the OSI model layer names can be used
in ter change ably, it is im por tant to know which model is be ing ad dressed in var i ous con texts. Un less in formed oth er wise, al ways as sume that the OSI model pro vides the ba sis for dis cus sion be cause it’s the most widely used net work ref er ence model.
TCP/IP Pro to col Suite Over view
The most widely used pro to col suite is TCP/IP, but it is not just a sin gle pro to col; rather, it is a pro to col stack com pris ing dozens of in di vid ual pro to cols (see Fig ure 11.6). TCP/IP is a plat form-in de pen dent pro to col based on open stan dards. How ever, this is both a ben e fit and a draw back. TCP/IP can be found in just about ev ery avail able op er at ing sys tem, but it con sumes a sig nif i cant amount of re sources and is rel a tively easy to hack into be cause it was de signed for ease of use rather than for se cu rity.
322
FIG URE 11.6 The four lay ers of TCP/IP and its com po nent pro to cols
TCP/IP can be se cured us ing vir tual pri vate net work (VPN) links be tween sys tems. VPN links are en crypted to add pri vacy, con fi den tial ity, and au then ti ca tion and to main tain data in tegrity. Pro to cols used to es tab lish VPNs are Point-to-Point Tun nel ing Pro to col (PPTP), Layer 2 Tun nel ing Pro to col (L2TP), Se cure Shell (SSH), Open VPN (SSL/TLS VPNs), and In ter net Pro to col Se cu rity (IPSec). An other method to pro vide pro to col-level se cu rity is to em ploy TCP wrap pers. A TCP wrap per is an ap pli ca tion that can serve as a ba sic fire wall by re strict ing ac cess to ports and re sources based on user IDs or sys tem IDs. Us ing TCP wrap pers is a form of port-based ac cess con trol.
Trans port Layer Pro to cols
The two pri mary Trans port layer pro to cols of TCP/IP are TCP and UDP. Trans mis sion Con trol Pro to col (TCP) is a full-du plex con nec tion-ori ented pro to col, whereas User Data gram Pro to col (UDP) is a sim plex con nec tion less pro to col. When a com mu ni ca tion con nec tion is es tab lished be tween two sys tems, it is done us ing ports. TCP and UDP each have 65,536 ports. Since port num bers are 16-digit bi nary num bers, the to tal num ber of ports is 2^16, or 65,536, num bered from 0 through 65,535. A port is lit tle more than an ad dress num ber that both ends of the com mu ni ca tion link agree to use when trans fer ring data within the Trans port layer. Ports al low a sin gle IP ad dress to be able to sup port mul ti ple si mul ta ne ous com mu ni ca tions, each us ing a dif fer ent port num ber. The com bi na tion of an IP ad dress and a port num ber is known as a socket.
The first 1,024 of these ports (0–1,023) are called the well-known ports or the ser vice ports. This is be cause they have stan dard ized as sign ments as to the ser vices they sup port. For ex am ple, port 80 is the stan dard port for web (HTTP) traf fic, port 23 is the stan dard port for Tel net, and port 25 is the stan dard port for SMTP. These ports are re served for use ex clu sively by servers (in other words, they can not be used as the source port by a re quest ing client). You can find a list of ports worth know ing for the exam in the sec tion “Com mon Ap pli ca tion Layer Pro to cols” later in this chap ter.
Ports 1,024 to 49151 are known as the reg is tered soft ware ports. These are ports that have one or more net work ing soft ware prod ucts specif i cally reg is tered with the In ter na tional As signed Num bers Au thor ity (IANA, www.iana.org) in or der to pro vide a stan dard ized port-num ber ing sys tem for clients at tempt ing to con nect to their prod ucts.
Ports 49152 to 65535 are known as the ran dom, dy namic, or ephemeral ports be cause they are of ten used ran domly and tem po rar ily by clients as a source port. These ran dom ports are also used by sev eral net work ing ser vices when ne go ti at ing a data trans fer pipe line be tween client and server out side the ini tial ser vice or reg is tered ports, such as per formed by com mon FTP.
Port Num bers
The IANA rec om mends that ports 49152 to 65535 be used as dy namic and/or pri vate ports. How ever, not all OSs abide by this. A site that has a list of ex am ples of the var i ous ranges used by OSs for ran dom source ports is https://www.cymru.com/jtk/misc/ephemer al ports.html. The key is that other than the lower 0-1,023 ports be ing re served for server use only, any other port can be used as a client source port as long as it is not al ready in use on that lo cal sys tem.
Trans mis sion Con trol Pro to col (TCP) op er ates at layer 4 (the Trans port layer) of the OSI model. It sup ports full-du plex com mu ni ca tions, is con nec tion ori ented, and em ploys re li able ses sions. TCP is con nec tion ori ented be cause it em ploys a hand shake process be tween two sys tems to es tab lish a com mu ni ca tion ses sion. Upon com ple tion of this hand shake process, a com mu ni ca tion ses sion that can
323
sup port data trans mis sion be tween the client and server is es tab lished. The three-way hand shake process (Fig ure 11.7) is as fol lows:
1. The client sends a SYN (syn chro nize) flagged packet to the server.
2. The server re sponds with a SYN/ACK (syn chro nize and ac knowl edge) flagged packet back to the client.
3. The client re sponds with an ACK (ac knowl edge) flagged packet back to the server.
FIG URE 11.7 The TCP three-way hand shake
When a com mu ni ca tion ses sion is com plete, there are two meth ods to dis con nect the TCP ses sion. First, and most com mon, is the use of FIN (fin ish) flagged pack ets in stead of SYN flagged pack ets. Each side of a con ver sa tion will trans mit a FIN flagged packet once all of its data is trans mit ted, trig ger ing the op pos ing side to con firm with an ACK flagged packet. Thus, it takes four pack ets to grace fully tear down a TCP ses sion. Sec ond is the use of an RST (re set) flagged packet, which causes an im me di ate and abrupt ses sion ter mi na tion. (Please see the dis cus sion of the TCP header flag later in this sec tion.)
The seg ments of a TCP trans mis sion are tagged with a se quence num ber. This al lows the re ceiver to re build the orig i nal com mu ni ca tion by re order ing re ceived seg ments back into their proper ar range ment in spite of the or der in which they were re ceived. Data com mu ni cated through a TCP ses sion is pe ri od i cally ver i fied with an ac knowl edg ment. The ac knowl edg ment is sent by the re ceiver back to the sender by set ting the TCP header’s ac knowl edg ment se quence value to the last se quence num ber re ceived from the sender within the trans mis sion win dow. The num ber of pack ets trans mit ted be fore an ac knowl edge packet is sent is known as the trans mis sion win dow. Data flow is con trolled through a mech a nism called slid ing win dows. TCP is able to use dif fer ent sizes of win dows (in other words, a dif fer ent num ber of trans mit ted pack ets) be fore send ing an ac knowl edg ment. Larger win dows al low for faster data trans mis sion, but they should be used only on re li able con nec tions where lost or cor rupted data is min i mal. Smaller win dows should be used when the com mu ni ca tion con nec tion is un re li able. TCP should be em ployed when the de liv ery of data is re quired. Slid ing win dows al low this size to vary dy nam i cally be cause the re li a bil ity of the TCP ses sion changes while in use. In the event that all pack ets of a trans mis sion win dow were not re ceived, no ac knowl edg ment is sent. Af ter a time out pe riod, the sender will re send the en tire trans mis sion win dow set of pack ets again.
The TCP header is rel a tively com plex when com pared to the other com mon Trans port layer pro to col, UDP. A TCP header is 20 to 60 bytes long. This header is di vided into sev eral sec tions, or fields, as de tailed in Ta ble 11.1.
324
TA BLE 11.1 TCP header con struc tion (or dered from be gin ning of header to end)
Size in bits Field 16 Source port 16 Des ti na tion port 32 Se quence num ber 4 Data off set 4 Re served for fu ture use 8 Flags (see Ta ble 11.2) 16 Win dow size 16 Check sum 16 Ur gent pointer Vari able Var i ous op tions; must be a mul ti ple of 32 bits
All of these fields have unique pa ram e ters and re quire ments, most of which are be yond the scope of the CISSP exam. How ever, you should be fa mil iar with the de tails of the flags field. The flags field can con tain a des ig na tion of one or more flags, or con trol bits. These flags in di cate the func tion of the TCP packet and re quest that the re cip i ent re spond in a spe cific man ner. The flags field is 8 bits long. Each of the bit po si tions rep re sents a sin gle flag, or con trol set ting. Each po si tion can be set on with a value of 1 or off with a value of 0. There are some con di tions in which mul ti ple flags can be en abled at once (in other words, the sec ond packet in the TCP three-way hand shake when both the SYN and ACK flags are set). Ta ble 11.2 de tails the flag con trol bits.
TA BLE 11.2 The TCP header flag field val ues
Flag bit des ig na tor
Name De scrip tion
CWR Con ges tion Win dow Re duced Used to man age trans mis sion over con gested links; see RFC 3168
ECE ECN-Echo (Ex plicit Con ges tion No ti fi ca tion)
Used to man age trans mis sion over con gested links; see RFC 3168
URG Ur gent In di cates ur gent data ACK Ac knowl edg ment Ac knowl edges syn chro niza tion or shut down re quest PSH Push In di cates need to push data im me di ately to
ap pli ca tion RST Re set Causes im me di ate dis con nect of TCP ses sion SYN Syn chro niza tion Re quests syn chro niza tion with new se quenc ing
num bers FIN Fin ish Re quests grace ful shut down of TCP ses sion
An ad di tional im por tant tid bit is that the IP header pro to col field value for TCP is 6 (0x06). The pro to col field value is the la bel or flag found in the header of ev ery IP packet that tells the re ceiv ing sys tem what type of packet it is. The IP header’s pro to col field in di cates the iden tity of the next en cap su lated pro to col (in other words, the pro to col con tained in the pay load from the cur rent pro to col layer, such as ICMP or IGMP, or the next layer up, such as TCP or UDP). Think of it as like the la bel on a mys tery-meat pack age wrapped in butcher pa per you pull out of the freezer. With out the la bel, you would have to open it and in spect it to fig ure out what it was. But with the la bel, you can search or fil ter quickly to find items of in ter est. For a list of other pro to col field val ues, please visit www.iana.org/as sign ments/pro to col-num bers.
325
Un skilled At tack ers Pester Real Se cu rity Folk
It might be a good idea to mem o rize at least the last six of the eight TCP header flags in their cor rect or der. The first two flags (CWR and ECE) are rarely used to day and thus are gen er ally ig nored/over looked. How ever, the last six (URG, ACK, PSH, RST, SYN, and FIN) are still in com mon wide spread use.
Keep in mind that these eight flags are eight bi nary po si tions (i.e., a byte) that can be pre sented in ei ther hex or bi nary for mat. For ex am ple, 0x12 is the hex pre sen ta tion of the byte 00010010. This spe cific byte lay out in di cates that the fourth and sev enth flags are en abled. With the flag lay out (us ing one let ter per flag and leav ing out CWR and ECE and re plac ing them with XX), XXU APRSF is 000A00S0, or the SYN/ACK flag set. Note: the hex pre sen ta tion of the TCP header flag byte is typ i cally lo cated in the raw data dis play of a packet cap tur ing tool, such as Wire shark, in off set po si tion 0x2F. This is based on a stan dard Eth er net Type II header, a stan dard 20-byte IP header, and a stan dard TCP header.
You can mem o rize this flag or der us ing the phrase “Un skilled At tack ers Pester Real Se cu rity Folk,” in which the first let ter of each word cor re sponds to the first let ter of the flags in po si tions 3 through 8.
Pro to col Dis cov ery
Hun dreds of pro to cols are in use on a typ i cal TCP/IP net work at any given mo ment. Us ing a snif fer, you can dis cover what pro to cols are in use on your cur rent net work. Be fore us ing a snif fer, though, make sure you have the proper per mis sion or au tho riza tion. With out ap proval, us ing a snif fer can be con sid ered a se cu rity vi o la tion be cause it en ables you to eaves drop on un pro tected net work com mu ni ca tions. If you can’t ob tain per mis sion at work, try this on your home net work in stead. Down load and in stall a snif fer, such as Wire shark. Then use the snif fer to mon i tor the ac tiv ity on your net work. Dis cover just how many pro to cols (in other words, sub pro to cols of TCP/IP) are in use on your net work.
An other step in us ing a snif fer is to an a lyze the con tents of cap tured pack ets. Pick out a few dif fer ent pro to col pack ets and in spect their head ers. Look for TCP, ICMP, ARP, and UDP pack ets. Com pare the con tents of their head ers. Try to lo cate any spe cial flags or field codes used by the pro to cols. You’ll likely dis cover that there is a lot more go ing on within a pro to col than you ever imag ined.
If per form ing packet cap tur ing is a task that you are un able to ac com plish or should not (due to rules, reg u la tions, poli cies, laws, etc.), then con sider pe rus ing the sam ples pro vided by Wire shark at https://wiki.wire shark.org/Sam ple Cap tures.
User Data gram Pro to col (UDP) also op er ates at layer 4 (the Trans port layer) of the OSI model. It is a con nec tion less “best-ef fort” com mu ni ca tions pro to col. It of fers no er ror de tec tion or cor rec tion, does not use se quenc ing, does not use flow con trol mech a nisms, does not use a preestab lished ses sion, and is con sid ered un re li able. UDP has very low over head and thus can trans mit data quickly. How ever, UDP should be used only when the de liv ery of data is not es sen tial. UDP is of ten em ployed by real-time or stream ing com mu ni ca tions for au dio and/or video. The IP header pro to col field value for UDP is 17 (0x11).
As men tioned ear lier, the UDP header is rel a tively sim ple in com par i son with the TCP header. A UDP header is 8 bytes (64 bits) long. This header is di vided into four sec tions, or fields (each 16 bits long):
Source port
Des ti na tion port
Mes sage length
Check sum
Net work Layer Pro to cols and IP Net work ing Ba sics
An other im por tant pro to col in the TCP/IP pro to col suite op er ates at the Net work layer of the OSI model, namely, In ter net Pro to col (IP). IP pro vides route ad dress ing for data pack ets. It is this route ad dress ing that is the foun da tion of global in ter net com mu ni ca tions be cause it pro vides a means of iden tity and pre scribes trans mis sion paths. Sim i lar to UDP, IP is con nec tion less and is an un re li able data gram ser vice. IP does not of fer guar an tees that pack ets will be de liv ered or that pack ets will be de liv ered in the cor rect or der, and it does
326
not guar an tee that pack ets will be de liv ered only once. Thus, you must em ploy TCP on IP to gain re li able and con trolled com mu ni ca tion ses sions.
IPv4 vs. IPv6
IPv4 is the ver sion of In ter net Pro to col that is most widely used around the world. How ever, a ver sion known as IPv6 is be ing adopted both for pri vate and pub lic net work use. IPv4 uses a 32-bit ad dress ing scheme, while IPv6 uses 128 bits for ad dress ing. IPv6 of fers many new fea tures that are not avail able in IPv4. Some of IPv6’s new fea tures are scoped ad dresses, au to con fig u ra tion, and Qual ity of Ser vice (QoS) pri or ity val ues. Scoped ad dresses give ad min is tra tors the abil ity to group and then block or al low ac cess to net work ser vices, such as file servers or print ing. Au to con fig u ra tion re moves the need for both Dy namic Host Con fig u ra tion Pro to col (DHCP) and Net work Ad dress Trans la tion (NAT). QoS pri or ity val ues al low for traf fic man age ment based on pri or i tized con tent.
IPv6 is sup ported by most op er at ing sys tems re leased since 2000, ei ther na tively or via an add-in. How ever, IPv6 has been slowly adopted. Most of the IPv6 net works are cur rently lo cated in pri vate net works such as those in large cor po ra tions, re search lab o ra to ries, and uni ver si ties. For a glimpse into the sta tus of IPv4 to IPv6 con ver sion on the in ter net, see the IPv6 sta tis tics at https://www.google.com/intl/en/ipv6/sta tis tics.html.
IP classes
Ba sic knowl edge of IP ad dress ing and IP classes is a must for any se cu rity pro fes sional. If you are rusty on ad dress ing, sub net ting, classes, and other re lated top ics, take the time to re fresh your self. Ta ble 11.3 and Ta ble 11.4 pro vide a quick over view of the key de tails of classes and de fault sub nets. A full Class A sub net sup ports 16,777,214 hosts; a full class B sub net sup ports 65,534 hosts; and a full Class C sub net sup ports 254 hosts. Class D is used for mul ti cas t ing, while Class E is re served for fu ture use.
TA BLE 11.3 IP classes
Class First bi nary dig its Dec i mal range of first octet A 0 1–126 B 10 128–191 C 110 192–223 D 1110 224–239 E 1111 240–255
TA BLE 11.4 IP classes’ de fault sub net masks
Class De fault sub net mask CIDR equiv a lent A 255.0.0.0 /8 B 255.255.0.0 /16 C 255.255.255.0 /24
Note that the en tire Class A net work of 127 was set aside for the loop back ad dress, al though only a sin gle ad dress is ac tu ally needed for that pur pose.
An other op tion for sub net ting is to use Class less In ter-Do main Rout ing (CIDR) no ta tion. CIDR uses mask bits rather than a full dot ted-dec i mal no ta tion sub net mask. Thus, in stead of 255.255.0.0, a CIDR is added to the IP ad dress af ter a slash, as in 172.16.1.1/16, for ex am ple. One sig nif i cant ben e fit of CIDR over tra di tional sub net-mask ing tech niques is the abil ity to com bine mul ti ple non con tigu ous sets of ad dresses into a sin gle sub net. For ex am ple, it is pos si ble to com bine sev eral Class C sub nets into a sin gle larger sub net group ing. If CIDR piques your in ter est, see the CIDR ar ti cle on Wikipedia or visit the IETF’s RFC for CIDR at http://tools.ietf.org/html/rfc4632.
ICMP and IGMP are other pro to cols in the Net work layer of the OSI model:
ICMP In ter net Con trol Mes sage Pro to col (ICMP) is used to de ter mine the health of a net work or a spe cific link. ICMP is uti lized by ping, tracer oute, path ping, and other net work man age ment tools. The ping util ity em ploys ICMP echo pack ets and bounces them off re mote sys tems. Thus, you can use ping to de ter mine whether the re mote sys tem is on line, whether the re mote sys tem is re spond ing promptly, whether the in ter me di ary sys tems are sup port ing com mu ni ca tions, and the level of per for mance ef fi ciency at which the in ter me di ary sys tems are com mu ni cat ing. The ping util ity in cludes a re di rect func tion that al lows the echo re sponses to be sent to a dif fer ent des ti na tion than the sys tem of ori gin.
327
Un for tu nately, the fea tures of ICMP were of ten ex ploited in var i ous forms of band width-based de nial-of- ser vice (DoS) at tacks, (DoS), such as ping of death, smurf at tacks, and ping floods. This fact has shaped how net works han dle ICMP traf fic to day, re sult ing in many net works lim it ing the use of ICMP or at least lim it ing its through put rates. Ping of death sends a mal formed ping larger than 65,535 bytes (larger than the max i mum IPv4 packet size) to a com puter to at tempt to crash it. Smurf at tacks gen er ate enor mous amounts of traf fic on a tar get net work by spoof ing broad cast pings, and ping floods are a ba sic DoS at tack re ly ing on con sum ing all of the band width that a tar get has avail able.
You should be aware of sev eral im por tant de tails re gard ing ICMP. First, the IP header pro to col field value for ICMP is 1 (0x01). Sec ond, the type field in the ICMP header de fines the type or pur pose of the mes sage con tained within the ICMP pay load. There are more than 40 de fined types, but only 7 are com monly used (see Ta ble 11.5). You can find a com plete list of the ICMP type field val ues at www.iana.org/as sign ments/icmp- pa ram e ters. It may be worth not ing that many of the types listed may also sup port codes. A code is sim ply an ad di tional data pa ram e ter of fer ing more de tail about the func tion or pur pose of the ICMP mes sage pay load. One ex am ple of an event that would cause an ICMP re sponse is when an at tempt is made to con nect to a UDP ser vice port when that ser vice and port are not ac tu ally in use on the tar get server; this would cause an ICMP Type 3 re sponse back to the ori gin. Since UDP does not have a means to send back er rors, the pro to col stack switches to ICMP for that pur pose.
TA BLE 11.5 Com mon ICMP type field val ues
Type Func tion 0 Echo re ply 3 Des ti na tion un reach able 5 Re di rect 8 Echo re quest 9 Router ad ver tise ment 10 Router so lic i ta tion 11 Time ex ceeded
IGMP In ter net Group Man age ment Pro to col (IGMP) al lows sys tems to sup port mul ti cas t ing. Mul ti cas t ing is the trans mis sion of data to mul ti ple spe cific re cip i ents. (RFC 1112 dis cusses the re quire ments to per form IGMP mul ti cas t ing.) IGMP is used by IP hosts to reg is ter their dy namic mul ti cast group mem ber ship. It is also used by con nected routers to dis cover these groups. Through the use of IGMP mul ti cas t ing, a server can ini tially trans mit a sin gle data sig nal for the en tire group rather than a sep a rate ini tial data sig nal for each in tended re cip i ent. With IGMP, the sin gle ini tial sig nal is mul ti plied at the router if di ver gent path ways ex ist to the in tended re cip i ents. The IP header pro to col field value for IGMP is 2 (0x02).
ARP Ad dress Res o lu tion Pro to col (ARP) is es sen tial to the in ter op er abil ity of log i cal and phys i cal ad dress ing schemes. ARP is used to re solve IP ad dresses (32-bit bi nary num ber for log i cal ad dress ing) into Me dia Ac cess Con trol (MAC) ad dresses (48-bit bi nary num ber for phys i cal ad dress ing)—or EUI-48 or even EUI-64. Traf fic on a net work seg ment (for ex am ple, ca bles across a hub) is di rected from its source sys tem to its des ti na tion sys tem us ing MAC ad dresses.
ARP uses caching and broad cast ing to per form its op er a tions. The first step in re solv ing an IP ad dress into a MAC ad dress, or vice versa, is to check the lo cal ARP cache. If the needed in for ma tion is al ready present in the ARP cache, it is used. This ac tiv ity is some times abused us ing a tech nique called ARP cache poi son ing, where an at tacker in serts bo gus in for ma tion into the ARP cache. If the ARP cache does not con tain the nec es sary in for ma tion, an ARP re quest in the form of a broad cast is trans mit ted. If the owner of the queried ad dress is in the lo cal sub net, it can re spond with the nec es sary in for ma tion. If not, the sys tem will de fault to us ing its de fault gate way to trans mit its com mu ni ca tions. Then, the de fault gate way (in other words, a router) will need to per form its own ARP process.
Com mon Ap pli ca tion Layer Pro to cols
In the Ap pli ca tion layer of the TCP/IP model (which in cludes the Ses sion, Pre sen ta tion, and Ap pli ca tion lay ers of the OSI model) re side nu mer ous ap pli ca tion- or ser vice-spe cific pro to cols. A ba sic knowl edge of these pro to cols and their rel e vant ser vice ports is im por tant for the CISSP exam:
Tel net, TCP Port 23 This is a ter mi nal em u la tion net work ap pli ca tion that sup ports re mote con nec tiv ity for ex e cut ing com mands and run ning ap pli ca tions but does not sup port trans fer of files.
File Trans fer Pro to col (FTP), TCP Ports 20 (Pas sive Data)/Ephemeral (Ac tive Data) and 21 (Con trol Con nec tion) This is a net work ap pli ca tion that sup ports an ex change of files that re quires anony mous or spe cific au then ti ca tion.
Triv ial File Trans fer Pro to col (TFTP), UDP Port 69 This is a net work ap pli ca tion that sup ports an ex change of files that does not re quire au then ti ca tion.
328
Sim ple Mail Trans fer Pro to col (SMTP), TCP Port 25 This is a pro to col used to trans mit email mes sages from a client to an email server and from one email server to an other.
Post Of fice Pro to col (POP3), TCP Port 110 This is a pro to col used to pull email mes sages from an in box on an email server down to an email client.
In ter net Mes sage Ac cess Pro to col (IMAP), TCP Port 143 This is a pro to col used to pull email mes sages from an in box on an email server down to an email client. IMAP is more se cure than POP3 and of fers the abil ity to pull head ers down from the email server as well as to delete mes sages di rectly off the email server with out hav ing to down load to the lo cal client first.
Dy namic Host Con fig u ra tion Pro to col (DHCP), UDP Ports 67 and 68 DHCP uses port 67 as the des ti na tion port on the server to re ceive client com mu ni ca tions and port 68 as the source port for client re quests. It is used to as sign TCP/IP con fig u ra tion set tings to sys tems upon bootup. DHCP en ables cen tral ized con trol of net work ad dress ing.
Hy per text Trans fer Pro to col (HTTP), TCP Port 80 This is the pro to col used to trans mit web page el e ments from a web server to web browsers.
Se cure Sock ets Layer (SSL), TCP Port 443 (for HTTP En cryp tion) This is a VPN-like se cu rity pro to col that op er ates at the Trans port layer. SSL was orig i nally de signed to sup port se cured web com mu ni ca tions (HTTPS) but is ca pa ble of se cur ing any Ap pli ca tion layer pro to col com mu ni ca tions.
Line Print Dae mon (LPD), TCP Port 515 This is a net work ser vice that is used to spool print jobs and to send print jobs to print ers.
X Win dow, TCP Ports 6000–6063 This is a GUI API for com mand-line op er at ing sys tems.
Net work File Sys tem (NFS), TCP Port 2049 This is a net work ser vice used to sup port file shar ing be tween dis sim i lar sys tems.
Sim ple Net work Man age ment Pro to col (SNMP), UDP Port 161 (UDP Port 162 for Trap Mes sages) This is a net work ser vice used to col lect net work health and sta tus in for ma tion by polling mon i tor ing de vices from a cen tral mon i tor ing sta tion.
SN MPv3
Sim ple Net work Man age ment Pro to col (SNMP) is a stan dard net work-man age ment pro to col sup ported by most net work de vices and TCP/IP-com pli ant hosts. These in clude routers, switches, bridges, wire less ac cess points (WAPs), fire walls, VPN ap pli ances, modems, print ers, and so on. Through the use of a man age ment con sole, you can use SNMP to in ter act with var i ous net work de vices to ob tain sta tus in for ma tion, per for mance data, sta tis tics, and con fig u ra tion de tails. Some de vices sup port the mod i fi ca tion of con fig u ra tion set tings through SNMP.
Early ver sions of SNMP re lied on plain text trans mis sion of com mu nity strings as au then ti ca tion. Com mu ni ties were named col lec tions of net work de vices that SNMP man age ment con soles could in ter act with. The orig i nal de fault com mu nity names were pub lic and pri vate. The lat est ver sion of SNMP al lows for en crypted com mu ni ca tions be tween de vices and the man age ment con sole, as well as au then ti ca tion fac tors that are cus tom ized for ro bust au then ti ca tion pro tec tion.
SNMP op er ates over UDP ports 161 and 162. UDP port 161 is used by the SNMP agent (that is, net work de vice) to re ceive re quests, and UDP port 162 is used by the man age ment con sole to re ceive re sponses and no ti fi ca tions (also known as trap mes sages). Trap mes sages in form the man age ment con sole when an event or thresh old vi o la tion oc curs on a mon i tored sys tem.
Im pli ca tions of Mul ti layer Pro to cols
As you can see from the pre vi ous sec tions, TCP/IP as a pro to col suite com prises dozens of in di vid ual pro to cols spread across the var i ous pro to col stack lay ers. TCP/IP is there fore a mul ti layer pro to col. TCP/IP de rives sev eral ben e fits from its mul ti layer de sign, specif i cally in re la tion to its mech a nism of en cap su la tion. For ex am ple, when com mu ni cat ing be tween a web server and a web browser over a typ i cal net work con nec tion, HTTP is en cap su lated in TCP, which in turn is en cap su lated in IP, which is in turn en cap su lated in Eth er net. This could be pre sented as fol lows:
[ Ethernet [ IP [ TCP [ HTTP ] ] ] ]
How ever, this is not the ex tent of TCP/IP’s en cap su la tion sup port. It is also pos si ble to add ad di tional lay ers of en cap su la tion. For ex am ple, adding SSL/TLS en cryp tion to the com mu ni ca tion would in sert a new en cap su la tion be tween HTTP and TCP:
329
[ Ethernet [ IP [ TCP [ SSL [ HTTP ] ] ] ] ]
This in turn could be fur ther en cap su lated with a Net work layer en cryp tion such as IPSec:
[ Ethernet [ IPSec [ IP [ TCP [ SSL [ HTTP ] ] ] ] ] ]
How ever, en cap su la tion is not al ways im ple mented for be nign pur poses. There are nu mer ous covert chan nel com mu ni ca tion mech a nisms that use en cap su la tion to hide or iso late an unau tho rized pro to col in side an other au tho rized one. For ex am ple, if a net work blocks the use of FTP but al lows HTTP, then tools such as HTTP Tun nel can be used to by pass this re stric tion. This could re sult in an en cap su la tion struc ture such as this:
[ Ethernet [ IP [ TCP [ HTTP [ FTP ] ] ] ]
Nor mally, HTTP car ries its own web-re lated pay load, but with the HTTP Tun nel tool, the stan dard pay load is re placed with an al ter na tive pro to col. This false en cap su la tion can even oc cur lower in the pro to col stack. For ex am ple, ICMP is typ i cally used for net work health test ing and not for gen eral com mu ni ca tion. How ever, with util i ties such as Loki, ICMP is trans formed into a tun nel pro to col to sup port TCP com mu ni ca tions. The en cap su la tion struc ture of Loki is as fol lows:
[ Ethernet [ IP [ ICMP [ TCP [ HTTP ] ] ] ] ]
An other area of con cern caused by un bounded en cap su la tion sup port is the abil ity to jump be tween vir tual lo cal area net works (VLANs). VLANs are net work seg ments that are log i cally sep a rated by tags. This at tack, known as VLAN hop ping, is per formed by cre at ing a dou ble-en cap su lated IEEE 802.1Q VLAN tag:
[ Ethernet [ VLAN1 [ VLAN2 [ IP [ TCP [ HTTP ] ] ] ] ] ]
With this dou ble en cap su la tion, the first en coun tered switch will strip away the first VLAN tag, and then the next switch will be fooled by the in te rior VLAN tag and move the traf fic into the other VLAN.
Mul ti layer pro to cols pro vide the fol low ing ben e fits:
A wide range of pro to cols can be used at higher lay ers.
En cryp tion can be in cor po rated at var i ous lay ers.
Flex i bil ity and re siliency in com plex net work struc tures is sup ported.
There are a few draw backs of mul ti layer pro to cols:
Covert chan nels are al lowed.
Fil ters can be by passed.
Log i cally im posed net work seg ment bound aries can be over stepped.
330
DNP3
DNP3 (Dis trib uted Net work Pro to col) is pri mar ily used in the elec tric and wa ter util ity and man age ment in dus tries. It is used to sup port com mu ni ca tions be tween data ac qui si tion sys tems and the sys tem con trol equip ment. This in cludes sub sta tion com put ers, RTUs (re mote ter mi nal units) (de vices con trolled by an em bed ded mi cro pro ces sor), IEDs (In tel li gent Elec tronic De vices), and SCADA mas ter sta tions (i.e., con trol cen ters). DNP3 is an open and pub lic stan dard. DNP3 is a mul ti layer pro to col that func tions sim i larly to that of TCP/IP, in that it has link, trans port, and trans porta tion lay ers. For more de tails on DNP3, please view the pro to col primer at https://www.dnp.org/Abou tUs/DNP3%20Primer%20Rev%20A.pdf.
TCP/IP Vul ner a bil i ties
TCP/IP’s vul ner a bil i ties are nu mer ous. Im prop erly im ple mented TCP/IP stacks in var i ous op er at ing sys tems are vul ner a ble to buf fer over flows, SYN flood at tacks, var i ous de nial-of-ser vice (DoS) at tacks, frag ment at tacks, over sized packet at tacks, spoof ing at tacks, man-in-the-mid dle at tacks, hi jack at tacks, and cod ing er ror at tacks.
TCP/IP (as well as most pro to cols) is also sub ject to pas sive at tacks via mon i tor ing or sniff ing. Net work mon i tor ing is the act of mon i tor ing traf fic pat terns to ob tain in for ma tion about a net work. Packet sniff ing is the act of cap tur ing pack ets from the net work in hopes of ex tract ing use ful in for ma tion from the packet con tents. Ef fec tive packet snif fers can ex tract user names, pass words, email ad dresses, en cryp tion keys, credit card num bers, IP ad dresses, sys tem names, and so on.
Packet sniff ing and other at tacks are dis cussed in more de tail in Chap ter 13.
Do main Name Sys tem
Ad dress ing and nam ing are im por tant com po nents that make net work com mu ni ca tions pos si ble. With out ad dress ing schemes, net worked com put ers would not be able to dis tin guish one com puter from an other or spec ify the des ti na tion of a com mu ni ca tion. Like wise, with out nam ing schemes, hu mans would have to re mem ber and rely on num ber ing sys tems to iden tify com put ers. It is much eas ier to re mem ber Google.com than 64.233.187.99. Thus, most nam ing schemes were en acted for hu man use rather than com puter use.
It is rea son ably im por tant to grasp the ba sic ideas of ad dress ing and num ber ing as used on TCP/IP-based net works. There are three dif fer ent lay ers to be aware of. They’re pre sented in re verse or der here be cause the third layer is the most ba sic:
The third, or bot tom, layer is the MAC ad dress. The MAC ad dress, or hard ware ad dress, is a “per ma nent” phys i cal ad dress.
The sec ond, or mid dle, layer is the IP ad dress. The IP ad dress is a “tem po rary” log i cal ad dress as signed over or onto the MAC ad dress.
The top layer is the do main name. The do main name or com puter name is a “tem po rary” hu man-friendly con ven tion as signed over or onto the IP ad dress.
“Per ma nent” and “Tem po rary” Ad dresses
The rea son these two ad jec tives are within quo ta tion marks is that they are not com pletely ac cu rate. MAC ad dresses are de signed to be per ma nent phys i cal ad dresses. How ever, some NICs sup port MAC ad dress changes, and most mod ern op er at ing sys tems (in clud ing Win dows and Linux) do as well. When the NIC sup ports the change, the change oc curs on the hard ware. When the OS sup ports the change, the change is only in mem ory, but it looks like a hard ware change to all other net work en ti ties.
An IP ad dress is tem po rary be cause it is a log i cal ad dress and could be changed at any time, ei ther by DHCP or by an ad min is tra tor. How ever, there are in stances where sys tems are stat i cally as signed an IP ad dress. Like wise, com puter names or DNS names might ap pear per ma nent, but they are log i cal and thus able to be mod i fied by an ad min is tra tor.
This sys tem of nam ing and ad dress ing grants each net work ing com po nent the in for ma tion it needs while mak ing its use of that in for ma tion as sim ple as pos si ble. Hu mans get hu man-friendly do main names, net work ing pro to cols get router-friendly IP ad dresses, and the net work in ter faces get phys i cal ad dresses. How ever, all three of these schemes must be linked to gether to al low in ter op er abil ity. Thus, the Do main Name Sys tem (DNS) and the ARP sys tem were de vel oped to in ter change or re solve be tween do main names and IP ad dresses or IP ad dresses and MAC ad dresses re spec tively. DNS re solves a hu man-friendly do main
331
name into its IP ad dress equiv a lent. Then, ARP re solves the IP ad dress into its MAC ad dress equiv a lent. It is also pos si ble to re solve an IP ad dress into a do main name via a DNS re verse lookup, if a PTR record is de fined (see “Do main Name Sys tem” later in this chap ter).
The DNS is the hi er ar chi cal nam ing scheme used in both pub lic and pri vate net works. DNS links IP ad dresses and hu man-friendly fully qual i fied do main names (FQDNs) to gether. An FQDN con sists of three main parts:
Top-level do main (TLD)—The com in www.google.com
Reg is tered do main name—The google in www.google.com
Sub do main(s) or host name—The www in www.google.com
The TLD can be any num ber of of fi cial op tions, in clud ing six of the orig i nal seven TLDs—com, org, edu, mil, gov, and net—as well as many newer ones, such as info, mu seum, tele phone, mobi, biz, and so on. There are also coun try vari a tions known as coun try codes. (See www.iana.org/do mains/root/db/ for de tails on cur rent TLDs and coun try codes.) Note that the sev enth orig i nal TLD was int, for in ter na tional, which was re placed by the two-let ter coun try codes.
The reg is tered do main name must be of fi cially reg is tered with one of any num ber of ap proved do main reg is trars, such as Net work So lu tions or 1and1.com.
The far-left sec tion of an FQDN can be ei ther a sin gle host name, such as www, ftp, and so on, or a mul ti sec tioned sub do main des ig na tion, such as server1.group3.bldg5 .my company.com.
The to tal length of an FQDN can’t ex ceed 253 char ac ters (in clud ing the dots). Any sin gle sec tion can’t ex ceed 63 char ac ters. FQDNs can only con tain let ters, num bers, and hy phens.
Ev ery reg is tered do main name has an as signed au thor i ta tive name server. The pri mary au thor i ta tive name server hosts the orig i nal zone file for the do main. Sec ondary au thor i ta tive name servers can be used to host read-only copies of the zone file. A zone file is the col lec tion of re source records or de tails about the spe cific do main. There are dozens of pos si ble re source records (see http://en.wikipedia.org/wiki/List_of_DNS_record_ types); the most com mon are listed in Ta ble 11.6.
TA BLE 11.6 Com mon re source records
Record Type De scrip tion A Ad dress record Links an FQDN to an IPv4 ad dress AAAA Ad dress record Links an FQDN to an IPv6 ad dress PTR Pointer record Links an IP ad dress to a FQDN (for re verse lookups) CNAME Canon i cal
name Links an FQDN alias to an other FQDN
MX Mail ex change Links a mail- and mes sag ing-re lated FQDN to an IP ad dress NS Name server
record Des ig nates the FQDN and IP ad dress of an au tho rized name server
SOA Start of au thor ity record
Spec i fies au thor i ta tive in for ma tion about the zone file, such as pri mary name server, se rial num ber, time-outs, and re fresh in ter vals
Orig i nally, DNS was han dled by a static lo cal file known as the HOSTS file. This file still ex ists, but a dy namic DNS query sys tem has mostly re placed it, es pe cially for large pri vate net works as well as the in ter net. When client soft ware points to an FQDN, the pro to col stack ini ti ates a DNS query in or der to re solve the name into an IP ad dress that can be used in the con struc tion of the IP header. The res o lu tion process first checks the lo cal DNS cache to see whether the an swer is al ready known. The DNS cache con sists of pre loaded con tent from the lo cal HOSTS file plus any DNS queries per formed dur ing the cur rent boot ses sion (that haven’t timed out). If the needed an swer isn’t in the cache, a DNS query is sent to the DNS server in di cated in the lo cal IP con fig u ra tion. The process of re solv ing the query is in ter est ing and com plex, but most of it isn’t rel e vant to the (ISC)2 CISSP exam.
DNS op er ates over TCP and UDP port 53. TCP port 53 is used for zone trans fers. These are zone file ex changes be tween DNS servers, for spe cial man ual queries, or when a re sponse ex ceeds 512 bytes. UDP port 53 is used for most typ i cal DNS queries.
Do main Name Sys tem Se cu rity Ex ten sions (DNSSEC) is a se cu rity im prove ment to the ex ist ing DNS in fra struc ture. The pri mary func tion of DNSSEC is to pro vide re li able au then ti ca tion be tween de vices dur ing DNS op er a tions. DNSSEC has been im ple mented across a sig nif i cant por tion of the DNS sys tem. Each DNS server is is sued a dig i tal cer tifi cate, which is then used to per form mu tual cer tifi cate au then ti ca tion. The goal
332
of DNSSEC is to pre vent a range of DNS abuses where false data can be in jected into the res o lu tion process. Once fully im ple mented, DNSSEC will sig nif i cantly re duce server-fo cused DNS abuses.
Fur ther Read ing on DNS
For an ex cel lent primer to ad vanced dis cus sion on DNS, its op er a tion, known is sues, and the Dan Kamin sky vul ner a bil ity, please visit “An Il lus trated Guide to the Kamin sky DNS Vul ner a bil ity”:
http://unixwiz.net/techtips/igu ide-kamin sky-dns-vuln.html
For a look into the fu ture of DNS, specif i cally the de fense against the Kamin sky vul ner a bil ity, visit www.dnssec.net.
DNS Poi son ing
DNS poi son ing is the act of fal si fy ing the DNS in for ma tion used by a client to reach a de sired sys tem. It can take place in many ways. When ever a client needs to re solve a DNS name into an IP ad dress, it may go through the fol low ing process:
1. Check the lo cal cache (which in cludes con tent from the HOSTS file).
2. Send a DNS query to a known DNS server.
3. Send a broad cast query to any pos si ble lo cal sub net DNS server. (This step isn’t widely sup ported.)
If the client doesn’t ob tain a DNS-to-IP res o lu tion from any of these steps, the res o lu tion fails, and the com mu ni ca tion can’t be sent. DNS poi son ing can take place at any of these steps, but the eas i est way is to cor rupt the HOSTS file or the DNS server query.
There are many ways to at tack or ex ploit DNS. An at tacker might use one of these tech niques:
De ploy a rogue DNS server (also known as DNS spoof ing or DNS pharm ing). A rogue DNS server can lis ten in on net work traf fic for any DNS query or spe cific DNS queries re lated to a tar get site. Then the rogue DNS server sends a DNS re sponse to the client with false IP in for ma tion. This at tack re quires that the rogue DNS server get its re sponse back to the client be fore the real DNS server re sponds. Once the client re ceives the re sponse from the rogue DNS server, the client closes the DNS query ses sion, which causes the re sponse from the real DNS server to be dropped and ig nored as an out-of-ses sion packet.
DNS queries are not au then ti cated, but they do con tain a 16-bit value known as the query ID (QID). The DNS re sponse must in clude the same QID as the query to be ac cepted. Thus, a rogue DNS server must in clude the re quest ing QID in the false re ply.
Per form DNS poi son ing. DNS poi son ing in volves at tack ing the real DNS server and plac ing in cor rect in for ma tion into its zone file. This causes the real DNS server to send false data back to clients.
Al ter the HOSTS file. Mod i fy ing the HOSTS file on the client by plac ing false DNS data into it redi rects users to false lo ca tions.
Cor rupt the IP con fig u ra tion. Cor rupt ing the IP con fig u ra tion can re sult in a client hav ing a false DNS server def i ni tion. This can be ac com plished ei ther di rectly on the client or on the net work’s DHCP server.
Use proxy fal si fi ca tion. This method works only against web com mu ni ca tions. This at tack plants false web proxy data into a client’s browser, and then the at tacker op er ates the rogue proxy server. A rogue proxy server can mod ify HTTP traf fic pack ets to reroute re quests to what ever site the hacker wants.
Al though there are many DNS poi son ing meth ods, here are some ba sic se cu rity mea sures you can take that can greatly re duce their threat:
Limit zone trans fers from in ter nal DNS servers to ex ter nal DNS servers. This is ac com plished by block ing in bound TCP port 53 (zone trans fer re quests) and UDP port 53 (queries).
Limit the ex ter nal DNS servers from which in ter nal DNS servers pull zone trans fers.
De ploy a net work in tru sion de tec tion sys tem (NIDS) to watch for ab nor mal DNS traf fic.
Prop erly harden all DNS, server, and client sys tems in your pri vate net work.
Use DNSSEC to se cure your DNS in fra struc ture.
Re quire in ter nal clients to re solve all do main names through the in ter nal DNS. This will re quire that you block out bound UDP port 53 (for queries) while keep ing open out bound TCP port 53 (for zone trans fers).
An other at tack closely re lated to DNS poi son ing and/or DNS spoof ing is DNS pharm ing. Pharm ing is the ma li cious re di rect ion of a valid web site’s URL or IP ad dress to a fake web site that hosts a false ver sion of
333
the orig i nal valid site. This is of ten part of a phish ing at tack where the at tacker is at tempt ing to trick vic tims into giv ing up their lo gon cre den tials. If po ten tial vic tims aren’t care ful or pay ing at ten tion, they may be tricked into pro vid ing their lo gon in for ma tion to the false, pharmed web site. Pharm ing typ i cally oc curs ei ther by mod i fy ing the lo cal HOSTS file on a sys tem or by poi son ing or spoof ing DNS res o lu tion. Pharm ing is an in creas ingly prob lem atic ac tiv ity be cause hack ers have dis cov ered means to ex ploit DNS vul ner a bil i ties to pharm var i ous do main names for large groups of tar geted users.
Do main Hi jack ing
Do main hi jack ing, or do main theft, is the ma li cious ac tion of chang ing the reg is tra tion of a do main name with out the au tho riza tion of the valid owner. This may be ac com plished by steal ing the owner’s lo gon cre den tials, us ing XSRF, hi jack ing a ses sion, us ing MitM (see Chap ter 21, “Ma li cious Code and Ap pli ca tion At tacks,” for cov er age of these at tacks), or ex ploit ing a flaw in the do main reg is trar’s sys tems.
Some times when an other per son reg is ters a do main name im me di ately af ter the orig i nal owner’s reg is tra tion ex pires, it is called do main hi jack ing, but it should not be. This is a po ten tially un eth i cal prac tice, but it is not an ac tual hack or at tack. It is tak ing ad van tage of the over sight of the orig i nal owner’s fail ure to man u ally ex tend their reg is tra tion or con fig ure au tore newal. If an orig i nal owner loses their do main name by fail ing to main tain reg is tra tion, there is of ten no re course other than to con tact the new owner and in quire re gard ing re ob tain ing con trol. Many reg is trars have a “you snooze, you lose” pol icy for lapsed reg is tra tions.
When an or ga ni za tion loses their do main and some one else takes over con trol, this can be a dev as tat ing event both to the or ga ni za tion and its cus tomers and vis i tors. The orig i nal web site or on line con tent will no longer be avail able (or at least not avail able on the same do main name). And the new owner might host com pletely dif fer ent con tent or host a false du pli cate of the pre vi ous site. This later ac tiv ity might re sult in fool ing vis i tors, sim i lar to a phish ing at tack, where per son ally iden ti fi able in for ma tion (PII) might be ex tracted and col lected.
An ex am ple of a do main hi jack is the theft of the Fox-IT.com do main in Sep tem ber 2017; you can read about this at tack at https://www.fox-it.com/en/in sights/blogs/blog/fox-hit-cy ber-at tack/.
Con verged Pro to cols Con verged pro to cols are the merg ing of spe cialty or pro pri etary pro to cols with stan dard pro to cols, such as
those from the TCP/IP suite. The pri mary ben e fit of con verged pro to cols is the abil ity to use ex ist ing TCP/IP sup port ing net work in fra struc ture to host spe cial or pro pri etary ser vices with out the need for unique de ploy ments of al ter nate net work ing hard ware. This can re sult in sig nif i cant cost sav ings. How ever, not all con verged pro to cols pro vide the same level of through put or re li a bil ity as their pro pri etary im ple men ta tions. Some com mon ex am ples of con verged pro to cols are de scribed here:
Fi bre Chan nel over Eth er net (FCoE) Fi bre Chan nel is a form of net work data-stor age so lu tion (stor age area net work [SAN] or net work-at tached stor age [NAS]) that al lows for high-speed file trans fers up ward of 128 Gbps. It was de signed to be op er ated over fiber-op tic ca bles; sup port for cop per ca bles was added later to of fer less-ex pen sive op tions. Fi bre Chan nel typ i cally re quires its own ded i cated in fra struc ture (sep a rate ca bles). How ever, Fi bre Chan nel over Eth er net (FCoE) can be used to sup port it over the ex ist ing net work in fra struc ture. FCoE is used to en cap su late Fi bre Chan nel com mu ni ca tions over Eth er net net works. It typ i cally re quires 10 Gbps Eth er net in or der to sup port the Fi bre Chan nel pro to col. With this tech nol ogy, Fi bre Chan nel op er ates as a Net work layer or OSI layer 3 pro to col, re plac ing IP as the pay load of a stan dard Eth er net net work.
MPLS (Mul ti pro to col La bel Switch ing) MPLS (Mul ti pro to col La bel Switch ing) is a high-through put high-per for mance net work tech nol ogy that di rects data across a net work based on short path la bels rather than longer net work ad dresses. This tech nique saves sig nif i cant time over tra di tional IP-based rout ing pro cesses, which can be quite com plex. Fur ther more, MPLS is de signed to han dle a wide range of pro to cols through en cap su la tion. Thus, the net work is not lim ited to TCP/IP and com pat i ble pro to cols. This en ables the use of many other net work ing tech nolo gies, in clud ing T1/E1, ATM, Frame Re lay, SONET, and Dig i tal Sub scriber Line (DSL).
In ter net Small Com puter Sys tem In ter face (iSCSI) In ter net Small Com puter Sys tem In ter face (iSCSI) is a net work ing stor age stan dard based on IP. This tech nol ogy can be used to en able lo ca tion- in de pen dent file stor age, trans mis sion, and re trieval over LAN, WAN, or pub lic in ter net con nec tions. iSCSI is of ten viewed as a low-cost al ter na tive to Fi bre Chan nel.
Voice over IP (VoIP) Voice over IP (VoIP) is a tun nel ing mech a nism used to trans port voice and/or data over a TCP/IP net work. VoIP has the po ten tial to re place or sup plant PSTN be cause it’s of ten less ex pen sive and of fers a wider va ri ety of op tions and fea tures. VoIP can be used as a di rect tele phone re place ment on com puter net works as well as mo bile de vices. How ever, VoIP is able to sup port video and data trans mis sion to al low video con fer enc ing and re mote col lab o ra tion on projects. VoIP is avail able in both com mer cial and open-source op tions. Some VoIP so lu tions re quire spe cial ized hard ware to ei ther re place
334
tra di tional tele phone hand sets/base sta tions or al low these to con nect to and func tion over the VoIP sys tem. Some VoIP so lu tions are soft ware only, such as Skype, and al low the user’s ex ist ing speak ers, mi cro phone, or head set to re place the tra di tional tele phone hand set. Oth ers are more hard ware based, such as mag ic Jack, which al lows the use of ex ist ing PSTN phone de vices plugged into a Uni ver sal Se rial Bus (USB) adapter to take ad van tage of VoIP over the in ter net. Of ten, VoIP-to-VoIP calls are free (as sum ing the same or com pat i ble VoIP tech nol ogy), whereas VoIP-to-land line calls are usu ally charged a per-minute fee.
Soft ware-De fined Net work ing (SDN) Soft ware-de fined net work ing (SDN) is a unique ap proach to net work op er a tion, de sign, and man age ment. The con cept is based on the the ory that the com plex i ties of a tra di tional net work with on-de vice con fig u ra tion (i.e., routers and switches) of ten force an or ga ni za tion to stick with a sin gle de vice ven dor, such as Cisco, and limit the flex i bil ity of the net work to re spond to chang ing phys i cal and busi ness con di tions. SDN aims at sep a rat ing the in fra struc ture layer (i.e., hard ware and hard ware-based set tings) from the con trol layer (i.e., net work ser vices of data trans mis sion man age ment). Fur ther more, this also re moves the tra di tional net work ing con cepts of IP ad dress ing, sub nets, rout ing, and so on from need ing to be pro grammed into or be de ci phered by hosted ap pli ca tions.
SDN of fers a new net work de sign that is di rectly pro gram mable from a cen tral lo ca tion, is flex i ble, is ven dor neu tral, and is open-stan dards based. Us ing SDN frees an or ga ni za tion from hav ing to pur chase de vices from a sin gle ven dor. It in stead al lows or ga ni za tions to mix and match hard ware as needed, such as to se lect the most cost-ef fec tive or high est through put–rated de vices re gard less of ven dor. The con fig u ra tion and man age ment of hard ware is then con trolled through a cen tral ized man age ment in ter face. Ad di tion ally, the set tings ap plied to the hard ware can be changed and ad justed dy nam i cally as needed.
An other way of think ing about SDN is that it is ef fec tively net work vir tu al iza tion. It al lows data trans mis sion paths, com mu ni ca tion de ci sion trees, and flow con trol to be vir tu al ized in the SDN con trol layer rather than be ing han dled on the hard ware on a per-de vice ba sis.
Con tent Dis tri bu tion Net works A con tent dis tri bu tion net work (CDN), or con tent de liv ery net work, is a col lec tion of re source ser vices
de ployed in nu mer ous data cen ters across the in ter net in or der to pro vide low la tency, high per for mance, and high avail abil ity of the hosted con tent. CDNs pro vide the de sired mul ti me dia per for mance qual ity de manded by cus tomers through the con cept of dis trib uted data hosts. Rather than hav ing me dia con tent stored in a sin gle lo ca tion to be trans mit ted to all parts of the in ter net, the me dia is dis trib uted to nu mer ous lo ca tions across the in ter net. This re sults in a type of ge o graphic and log i cal load-bal anc ing. No one server or clus ter of servers will be strained un der the load of all re source re quests, and the host ing servers are lo cated closer to the re quest ing cus tomers. The over all re sult is lower-la tency and higher-qual ity through put. There are many CDN ser vice providers, in clud ing Cloud Flare, Aka mai, Ama zon Cloud Front, CacheFly, and Level 3 Com mu ni ca tions.
While most CDNs fo cus on the phys i cal dis tri bu tion of servers, client-based CDN is also pos si ble. This is of ten re ferred to by the term P2P (peer-to-peer). The most widely rec og nized P2P CDN is Bit Tor rent.
Wire less Net works Wire less net work ing is a pop u lar method of con nect ing cor po rate and home sys tems be cause of the ease
of de ploy ment and rel a tively low cost. It has made net work ing more ver sa tile than ever be fore. Work sta tions and por ta ble sys tems are no longer tied to a ca ble but can roam freely within the sig nal range of the de ployed wire less ac cess points. How ever, with this free dom come ad di tional vul ner a bil i ties. His tor i cally, wire less net work ing has been fairly in se cure, mainly be cause of a lack of knowl edge by end users and or ga ni za tions as well as in se cure de fault con fig u ra tions set by de vice man u fac tur ers. Wire less net works are sub ject to the same vul ner a bil i ties, threats, and risks as any ca bled net work in ad di tion to dis tance eaves drop ping, packet sniff ing, and new forms of DoS and in tru sion. Prop erly man ag ing wire less net work ing for re li able ac cess as well as se cu rity isn’t al ways an easy or straight for ward propo si tion. This sec tion ex am ines var i ous wire less se cu rity is sues.
Data em a na tion is the trans mis sion of data across elec tro mag netic sig nals. Al most all ac tiv i ties within a com puter or across a net work are per formed us ing some form of data em a na tion. How ever, this term is of ten used to fo cus on em a na tions that are un wanted or on data that is at risk due to the em a na tions.
Em a na tions oc cur when ever elec trons move. Move ment of elec trons cre ates a mag netic field. If you can read that mag netic field, you could re-cre ate it else where in or der to re pro duce the elec tron stream. If the orig i nal elec tron stream was used to com mu ni cate data, then the re-cre ated elec tron stream is also a re- cre ation of the orig i nal data. This form of elec tronic eaves drop ping sounds like sci ence fic tion, but it is sci en tific fact. The United States (U.S.) gov ern ment has been re search ing em a na tion se cu rity since the 1950s un der the TEM PEST project.
Pro tect ing against eaves drop ping and data theft re quires a mul ti pronged ef fort. First, you must main tain phys i cal ac cess con trol over all elec tronic equip ment. Sec ond, where phys i cal ac cess or prox im ity is still
335
pos si ble for unau tho rized per son nel, you must use shielded de vices and me dia. Third, you should al ways trans mit any sen si tive data us ing se cure en cryp tion pro to cols.
Se cur ing Wire less Ac cess Points Wire less cells are the ar eas within a phys i cal en vi ron ment where a wire less de vice can con nect to a
wire less ac cess point. Wire less cells can leak out side the se cured en vi ron ment and al low in trud ers easy ac cess to the wire less net work. You should ad just the strength of the wire less ac cess point to max i mize au tho rized user ac cess and min i mize in truder ac cess. Do ing so may re quire unique place ment of wire less ac cess points, shield ing, and noise trans mis sion.
802.11 is the IEEE stan dard for wire less net work com mu ni ca tions. Var i ous ver sions (tech ni cally called amend ments) of the stan dard have been im ple mented in wire less net work ing hard ware, in clud ing 802.11a, 802.11b, 802.11g, and 802.11n. 802.11x is some times used to col lec tively re fer to all of these spe cific im ple men ta tions as a group; how ever, 802.11 is pre ferred be cause 802.11x is eas ily con fused with 802.1x, which is an au then ti ca tion tech nol ogy in de pen dent of wire less. Each ver sion or amend ment to the 802.11 stan dard of fered slightly bet ter through put: 2 MB, 11 MB, 54 MB, and 200 MB+, re spec tively, as de scribed in Ta ble 11.7. The b, g, and n amend ments all use the same fre quency; thus, they main tain back ward com pat i bil ity.
TA BLE 11.7 802.11 wire less net work ing amend ments
Amend ment Speed Fre quency 802.11 2 Mbps 2.4 GHz 802.11a 54 Mbps 5 GHz 802.11b 11 Mbps 2.4 GHz 802.11g 54 Mbps 2.4 GHz 802.11n 200+ Mbps 2.4 GHz or 5 GHz 802.11ac 1 Gbps 5 GHz
When you’re de ploy ing wire less net works, you should de ploy wire less ac cess points con fig ured to use in fra struc ture mode rather than ad hoc mode. Ad hoc mode means that any two wire less net work ing de vices, in clud ing two wire less net work in ter face cards (NICs), can com mu ni cate with out a cen tral ized con trol au thor ity. In fra struc ture mode means that a wire less ac cess point is re quired, wire less NICs on sys tems can’t in ter act di rectly, and the re stric tions of the wire less ac cess point for wire less net work ac cess are en forced.
Within the in fra struc ture mode con cept are sev eral vari a tions, in clud ing stand-alone, wired ex ten sion, en ter prise ex tended, and bridge. A stand-alone mode in fra struc ture oc curs when there is a wire less ac cess point con nect ing wire less clients to each other but not to any wired re sources. The wire less ac cess point serves as a wire less hub ex clu sively. A wired ex ten sion mode in fra struc ture oc curs when the wire less ac cess point acts as a con nec tion point to link the wire less clients to the wired net work. An en ter prise ex tended mode in fra struc ture oc curs when mul ti ple wire less ac cess points (WAPs) are used to con nect a large phys i cal area to the same wired net work. Each wire less ac cess point will use the same ex tended ser vice set iden ti fier (ES SID) so clients can roam the area while main tain ing net work con nec tiv ity, even while their wire less NICs change as so ci a tions from one wire less ac cess point to an other. A bridge mode in fra struc ture oc curs when a wire less con nec tion is used to link two wired net works. This of ten uses ded i cated wire less bridges and is used when wired bridges are in con ve nient, such as when link ing net works be tween floors or build ings.
The term SSID (which stands for ser vice set iden ti fier) is typ i cally mis used to in di cate the
name of a wire less net work. Tech ni cally there are two types of SSIDs, namely ex tended ser vice set iden ti fier (ES SID) and ba sic ser vice set iden ti fier (BSSID). An ES SID is the name of a wire less net work when a wire less base sta tion or WAP is used (i.e., in fra struc ture mode). In de pen dent ser vice set iden ti fier (IS SID) is the name of a wire less net work when in ad hoc or peer-to-peer mode (i.e., when a base sta tion or WAP is not used). How ever, when op er at ing in in fra struc ture mode, the BSSID is the MAC ad dress of the base sta tion host ing the ES SID in or der to dif fer en ti ate mul ti ple base sta tions sup port ing a sin gle ex tended wire less net work.
336
Wire less Chan nels
Within the as signed fre quency of the wire less sig nal are sub di vi sions of that fre quency known as chan nels. Think of chan nels as lanes on the same high way. In the United States there are 11 chan nels, in Eu rope there are 13, and in Japan there are 14. The dif fer ences stem from lo cal laws reg u lat ing fre quency man age ment (think in ter na tional ver sions of the United States’ Fed eral Com mu ni ca tions Com mis sion).
Wire less com mu ni ca tions take place be tween a client and ac cess point over a sin gle chan nel. How ever, when two or more ac cess points are rel a tively close to each other phys i cally, sig nals on one chan nel can in ter fere with sig nals on an other chan nel. One way to avoid this is to set the chan nels of phys i cally close ac cess points as dif fer ently as pos si ble to min i mize chan nel over lap in ter fer ence. For ex am ple, if a build ing has four ac cess points ar ranged in a line along the length of the build ing, the chan nel set tings could be 1, 11, 1, and 11. How ever, if the build ing is square and an ac cess point is in each cor ner, the chan nel set tings may need to be 1, 4, 8, and 11.
Think of the sig nal within a sin gle chan nel as be ing like a wide-load truck in a lane on the high way. The wide-load truck is us ing part of each lane to ei ther side of it, thus mak ing pass ing the truck in those lanes dan ger ous. Like wise, wire less sig nals in ad ja cent chan nels will in ter fere with each other.
Se cur ing the SSID Wire less net works are as signed a ser vice set iden ti fier (SSID) (ei ther BSSID or ES SID) to dif fer en ti ate one
wire less net work from an other. If mul ti ple base sta tions or wire less ac cess points are in volved in the same wire less net work, an ex tended sta tion set iden ti fier (ES SID) is de fined. The SSID is sim i lar to the name of a work group. If a wire less client knows the SSID, they can con fig ure their wire less NIC to com mu ni cate with the as so ci ated WAP. Knowl edge of the SSID does not al ways grant en try, though, be cause the WAP can use nu mer ous se cu rity fea tures to block un wanted ac cess. SSIDs are de fined by de fault by ven dors, and since these de fault SSIDs are well known, stan dard se cu rity prac tice dic tates that the SSID should be changed to some thing unique be fore de ploy ment.
The SSID is broad cast by the WAP via a spe cial trans mis sion called a bea con frame. This al lows any wire less NIC within range to see the wire less net work and make con nect ing as sim ple as pos si ble. How ever, this de fault broad cast ing of the SSID should be dis abled to keep the wire less net work se cret. Even so, at tack ers can still dis cover the SSID with a wire less snif fer since the SSID must still be used in trans mis sions be tween wire less clients and the WAP. Thus, dis abling SSID broad cast ing is not a true mech a nism of se cu rity. In stead, use WPA2 as a re li able au then ti ca tion and en cryp tion so lu tion rather than try ing to hide the ex is tence of the wire less net work.
Dis able SSID Broad cast
Wire less net works tra di tion ally an nounce their SSID on a reg u lar ba sis within a spe cial packet known as the bea con frame. When the SSID is broad cast, any de vice with an au to matic de tect and con nect fea ture not only is able to see the net work but can also ini ti ate a con nec tion with the net work. Net work ad min is tra tors may choose to dis able SSID broad cast to hide their net work from unau tho rized per son nel. How ever, the SSID is still needed to di rect pack ets to and from the base sta tion, so it is still a dis cov er able value to any one with a wire less packet snif fer. Thus, the SSID should be dis abled if the net work is not for pub lic use, but re al ize that hid ing the SSID is not true se cu rity be cause any hacker with ba sic wire less knowl edge can eas ily dis cover the SSID.
Con duct ing a Site Sur vey
One method used to dis cover ar eas of a phys i cal en vi ron ment where un wanted wire less ac cess might be pos si ble is to per form a site sur vey. A site sur vey is the process of in ves ti gat ing the pres ence, strength, and reach of wire less ac cess points de ployed in an en vi ron ment. This task usu ally in volves walk ing around with a por ta ble wire less de vice, tak ing note of the wire less sig nal strength, and map ping this on a plot or schematic of the build ing.
Site sur veys should be con ducted to en sure that suf fi cient sig nal strength is avail able at all lo ca tions that are likely lo ca tions for wire less de vice us age, while at the same time min i miz ing or elim i nat ing the wire less sig nal from lo ca tions where wire less ac cess shouldn’t be per mit ted (pub lic ar eas, across floors, into other rooms, or out side the build ing). A site sur vey is use ful for eval u at ing ex ist ing wire less net work de ploy ments, plan ning ex pan sion of cur rent de ploy ments, and plan ning for fu ture de ploy ments.
337
Us ing Se cure En cryp tion Pro to cols The IEEE 802.11 stan dard de fines two meth ods that wire less clients can use to au then ti cate to WAPs
be fore nor mal net work com mu ni ca tions can oc cur across the wire less link. These two meth ods are open sys tem au then ti ca tion (OSA) and shared key au then ti ca tion (SKA). OSA means there is no real au then ti ca tion re quired. As long as a ra dio sig nal can be trans mit ted be tween the client and WAP, com mu ni ca tions are al lowed. It is also the case that wire less net works us ing OSA typ i cally trans mit ev ery thing in clear text, thus pro vid ing no se crecy or se cu rity. SKA means that some form of au then ti ca tion must take place be fore net work com mu ni ca tions can oc cur. The 802.11 stan dard de fines one op tional tech nique for SKA known as Wired Equiv a lent Pri vacy (WEP). Later amend ments to the orig i nal 802.11 stan dard added WPA, WPA2, and other tech nolo gies.
WEP
Wired Equiv a lent Pri vacy (WEP) is de fined by the IEEE 802.11 stan dard. It was de signed to pro vide the same level of se cu rity and en cryp tion on wire less net works as is found on wired or ca bled net works. WEP pro vides pro tec tion from packet sniff ing and eaves drop ping against wire less trans mis sions.
A sec ondary ben e fit of WEP is that it can be con fig ured to pre vent unau tho rized ac cess to the wire less net work. WEP uses a pre de fined shared se cret key; how ever, rather than be ing a typ i cal dy namic sym met ric cryp tog ra phy so lu tion, the shared key is static and shared among all wire less ac cess points and de vice in ter faces. This key is used to en crypt pack ets be fore they are trans mit ted over the wire less link, thus pro vid ing con fi den tial ity pro tec tion. A hash value is used to ver ify that re ceived pack ets weren’t mod i fied or cor rupted while in tran sit; thus WEP also pro vides in tegrity pro tec tion. Knowl edge or pos ses sion of the key not only al lows en crypted com mu ni ca tion but also serves as a rudi men tary form of au then ti ca tion be cause, with out it, ac cess to the wire less net work is pro hib ited.
WEP was cracked al most as soon as it was re leased. To day, it is pos si ble to crack WEP in less than a minute, thus ren der ing it a worth less se cu rity pre cau tion. For tu nately, there are al ter na tives to WEP, namely WPA and WPA2. WPA is an im prove ment over WEP in that it does not use the same static key to en crypt all com mu ni ca tions. In stead, it ne go ti ates a unique key set with each host. How ever, a sin gle passphrase is used to au tho rize the as so ci a tion with the base sta tion (i.e., al low a new client to set up a con nec tion). If the passphrase is not long enough, it could be guessed. Usu ally 14 char ac ters or more for the passphrase is rec om mended.
WEP en cryp tion em ploys Rivest Ci pher 4 (RC4), a sym met ric stream ci pher (see Chap ter 6, “Cryp tog ra phy and Sym met ric Key Al go rithms,” and Chap ter 7, “PKI and Cryp to graphic Ap pli ca tions,” for more on en cryp tion in gen eral). Due to flaws in its de sign and im ple men ta tion of RC4, WEP is weak in sev eral ar eas, two of which are the use of a static com mon key and poor im ple men ta tion of IVs (ini ti a tion vec tors). Due to these weak nesses, a WEP crack can re veal the WEP key af ter it finds enough poorly used IVs. This at tack can now be per formed in less than 60 sec onds. When the WEP key is dis cov ered, the at tacker can join the net work and then lis ten in on all other wire less client com mu ni ca tions. There fore, WEP should not be used. It of fers no real pro tec tion and may lead to a false sense of se cu rity.
WPA
Wi-Fi Pro tected Ac cess (WPA) was de signed as the re place ment for WEP; it was a tem po rary fix un til the new 802.11i amend ment was com pleted. The process of craft ing the new amend ment took years, and thus WPA es tab lished a foothold in the mar ket place and is still widely used to day. Ad di tion ally, WPA can be used on most de vices, whereas the fea tures of 802.11i ex clude some lower-end hard ware.
802.11i is the amend ment that de fines a cryp to graphic so lu tion to re place WEP. How ever, when 802.11i was fi nal ized, the WPA so lu tion was al ready widely used, so they could not use the WPA name as orig i nally planned; thus it was branded WPA2. But this does not in di cate that 802.11i is the sec ond ver sion of WPA. In fact, they are two com pletely dif fer ent sets of tech nolo gies. 802.11i, or WPA2, im ple ments con cepts sim i lar to IPSec to bring the best-to-date en cryp tion and se cu rity to wire less com mu ni ca tions.
Wi-Fi Pro tected Ac cess is based on the LEAP and Tem po ral Key In tegrity Pro to col (TKIP) cryp tosys tems and of ten em ploys a se cret passphrase for au then ti ca tion. Un for tu nately, the use of a sin gle static passphrase is the down fall of WPA. An at tacker can sim ply run a brute-force guess ing at tack against a WPA net work to dis cover the passphrase. If the passphrase is 14 char ac ters or more, this is usu ally a time-pro hib i tive propo si tion but not an im pos si ble one. Ad di tion ally, both the LEAP and TKIP en cryp tion op tions for WPA are now crack able us ing a va ri ety of crack ing tech niques. While it is more com plex than a WEP com pro mise, WPA no longer pro vides long-term re li able se cu rity.
WPA2
Even tu ally, a new method of se cur ing wire less was de vel oped that is still gen er ally con sid ered se cure. This is the amend ment known as 802.11i or Wi-Fi Pro tected Ac cess 2 (WPA2). It is a new en cryp tion scheme known as the Counter Mode Ci pher Block Chain ing Mes sage Au then ti ca tion Code Pro to col (CCMP), which is
338
based on the AES en cryp tion scheme. In late 2017, a con cept of at tack known as KRACK (Key Re in stal la tion At taCKs) was dis closed that is able to cor rupt the ini tial four-way hand shake be tween a client and WAP into reusing a pre vi ously used key and in some cases use a key com posed of only ze ros. Most vul ner a ble wire less de vices have been up dated or an up date is avail able to re solve this is sue. For more in for ma tion, see https://www.krack at tacks.com/.
802.1X/EAP
Both WPA and WPA2 sup port the en ter prise au then ti ca tion known as 802.1X/EAP, a stan dard port-based net work ac cess con trol that en sures that clients can not com mu ni cate with a re source un til proper au then ti ca tion has taken place. Ef fec tively, 802.1X is a hand-off sys tem that al lows the wire less net work to lever age the ex ist ing net work in fra struc ture’s au then ti ca tion ser vices. Through the use of 802.1X, other tech niques and so lu tions such as Re mote Au then ti ca tion Dial-In User Ser vice (RA DIUS), Ter mi nal Ac cess Con troller Ac cess Con trol Sys tem (TACACS), cer tifi cates, smart cards, to ken de vices, and bio met rics can be in te grated into wire less net works pro vid ing tech niques for both mu tual and mul ti fac tor au then ti ca tion.
Ex ten si ble Au then ti ca tion Pro to col (EAP) is not a spe cific mech a nism of au then ti ca tion; rather it is an au then ti ca tion frame work. Ef fec tively, EAP al lows for new au then ti ca tion tech nolo gies to be com pat i ble with ex ist ing wire less or point-to-point con nec tion tech nolo gies. More than 40 dif fer ent EAP meth ods of au then ti ca tion are widely sup ported. These in clude the wire less meth ods of LEAP, EAP-TLS, EAP-SIM, EAP- AKA, and EAP-TTLS. Not all EAP meth ods are se cure. For ex am ple, EAP-MD5 and a pre-re lease EAP known as LEAP are also crack able.
PEAP
Pro tected Ex ten si ble Au then ti ca tion Pro to col (PEAP) en cap su lates EAP meth ods within a TLS tun nel that pro vides au then ti ca tion and po ten tially en cryp tion. Since EAP was orig i nally de signed for use over phys i cally iso lated chan nels and hence as sumed se cured path ways, EAP is usu ally not en crypted. So PEAP can pro vide en cryp tion for EAP meth ods.
LEAP
Light weight Ex ten si ble Au then ti ca tion Pro to col (LEAP) is a Cisco pro pri etary al ter na tive to TKIP for WPA. This was de vel oped to ad dress de fi cien cies in TKIP be fore the 802.11i/WPA2 sys tem was rat i fied as a stan dard. An at tack tool known as Asleap was re leased in 2004 that could ex ploit the ul ti mately weak pro tec tion pro vided by LEAP. LEAP should be avoided when pos si ble; use of EAP-TLS as an al ter na tive is rec om mended, but if LEAP is used, a com plex pass word is strongly rec om mended.
MAC Fil ter
A MAC fil ter is a list of au tho rized wire less client in ter face MAC ad dresses that is used by a wire less ac cess point to block ac cess to all nonau tho rized de vices. While a use ful fea ture to im ple ment, it can be dif fi cult to man age and tends to be used only in small, static en vi ron ments. Ad di tion ally, a hacker with ba sic wire less hack ing tools can dis cover the MAC ad dress of a valid client and then spoof that ad dress onto their at tack wire less client.
TKIP
Tem po ral Key In tegrity Pro to col (TKIP) was de signed as the re place ment for WEP with out re quir ing re place ment of legacy wire less hard ware. TKIP was im ple mented into 802.11 wire less net work ing un der the name WPA (Wi-Fi Pro tected Ac cess). TKIP im prove ments in clude a key-mix ing func tion that com bines the ini tial iza tion vec tor (IV) (i.e., a ran dom num ber) with the se cret root key be fore us ing that key with RC4 to per form en cryp tion; a se quence counter is used to pre vent packet re play at tacks; and a strong in tegrity check named Michael is used.
TKIP and WPA were of fi cially re placed by WPA2 in 2004. Ad di tion ally, at tacks spe cific to WPA and TKIP (i.e., coW PAtty and a GPU-based crack ing tool) have ren dered WPA’s se cu rity un re li able.
CCMP
CCMP (Counter Mode with Ci pher Block Chain ing Mes sage Au then ti ca tion Code Pro to col) was cre ated to re place WEP and TKIP/WPA. CCMP uses AES (Ad vanced En cryp tion Stan dard) with a 128-bit key. CCMP is the pre ferred stan dard se cu rity pro to col of 802.11 wire less net work ing in di cated by 802.11i. To date, no at tacks have yet been suc cess ful against the AES/CCMP en cryp tion.
De ter min ing An tenna Place ment An tenna place ment should be a con cern when de ploy ing a wire less net work. Do not fix ate on a spe cific
lo ca tion be fore a proper site sur vey has been per formed. Place the wire less ac cess point and/or its an tenna in
339
a likely po si tion; then test var i ous lo ca tions for sig nal strength and con nec tion qual ity. Only af ter con firm ing that a po ten tial an tenna place ment pro vides sat is fac tory con nec tiv ity should it be made per ma nent.
Con sider the fol low ing guide lines when seek ing op ti mal an tenna place ment:
Use a cen tral lo ca tion.
Avoid solid phys i cal ob struc tions.
Avoid re flec tive or other flat metal sur faces.
Avoid elec tri cal equip ment.
If a base sta tion has ex ter nal om ni di rec tional an ten nas, typ i cally they should be po si tioned point ing straight up ver ti cally. If a di rec tional an tenna is used, point the fo cus to ward the area of de sired use. Keep in mind that wire less sig nals are af fected by in ter fer ence, dis tance, and ob struc tions. When de sign ing a se cure wire less net work en gi neers may se lect di rec tional an ten nas to avoid broad cast ing in ar eas where they do not wish to pro vide sig nal or to specif i cally cover an area with a stronger sig nal.
An tenna Types A wide va ri ety of an tenna types can be used for wire less clients and base sta tions. Many de vices can have
their stan dard an ten nas re placed with stronger (i.e., sig nal-boost ing) an ten nas.
The stan dard straight or pole an tenna is an om ni di rec tional an tenna that can send and re ceive sig nals in all di rec tions per pen dic u lar to the line of the an tenna it self. This is the type of an tenna found on most base sta tions and some client de vices. This type of an tenna is some times also called a base an tenna or a rub ber duck an tenna (due to the fact that most are cov ered in a flex i ble rub ber coat ing).
Most other types of an ten nas are di rec tional, mean ing they fo cus their send ing and re ceiv ing ca pa bil i ties in one pri mary di rec tion. Some ex am ples of di rec tional an ten nas in clude Yagi, can tenna, panel, and par a bolic. A Yagi an tenna is sim i lar in struc ture to that of tra di tional roof TV an ten nas. Yagi an ten nas are crafted from a straight bar with cross sec tions to catch spe cific ra dio fre quen cies in the di rec tion of the main bar. Can ten nas are con structed from tubes with one sealed end. They fo cus along the di rec tion of the open end of the tube. Some of the first can ten nas were crafted from Pringles cans. Panel an ten nas are flat de vices that fo cus from only one side of the panel. Par a bolic an ten nas are used to fo cus sig nals from very long dis tances or weak sources.
Ad just ing Power Level Con trols
Some wire less ac cess points pro vide a phys i cal or log i cal ad just ment of the an tenna power lev els. Power level con trols are typ i cally set by the man u fac turer to a set ting that is suit able for most sit u a tions. How ever, if af ter per form ing site sur veys and ad just ing an tenna place ment, wire less sig nals are still not sat is fac tory, power level ad just ment might be nec es sary. How ever, keep in mind that chang ing chan nels, avoid ing re flec tive and sig nal-scat ter ing sur faces, and re duc ing in ter fer ence can of ten be more sig nif i cant in terms of im prov ing con nec tiv ity re li a bil ity.
When ad just ing power lev els, make mi nor ad just ments in stead of at tempt ing to max i mize or min i mize the set ting. Also, take note of the ini tial/de fault set ting so you can re turn to that set ting if de sired. Af ter each power level ad just ment, re set/re boot the wire less ac cess point be fore re-per form ing site sur vey and qual ity tests. Some times low er ing the power level can im prove per for mance. It is im por tant to keep in mind that some wire less ac cess points are ca pa ble of pro vid ing higher power lev els than are al lowed by reg u la tions in coun tries where they are avail able.
WPS Wi-Fi Pro tected Setup (WPS) is a se cu rity stan dard for wire less net works. It is in tended to sim plify the
ef fort in volved in adding new clients to a well-se cured wire less net work. It op er ates by au to con nect ing the first new wire less client to seek the net work once the ad min is tra tor trig gered the fea ture by press ing the WPS but ton on the base sta tion. How ever, the stan dard also calls for a code or per sonal iden ti fi ca tion num ber (PIN) that can be sent to the base sta tion re motely in or der to trig ger WPS ne go ti a tion with out the need to phys i cally press the but ton. This led to a brute-force guess ing at tack that could en able a hacker to guess the WPS code in hours (usu ally less than six hours), which in turn en abled the hacker to con nect their own unau tho rized sys tem to the wire less net work.
The PIN code is com posed of two four-digit seg ments, which can be guessed one seg ment
at a time with con fir ma tion from the base sta tion.
340
WPS is a fea ture that is en abled by de fault on most wire less ac cess points be cause it is a re quire ment for de vice Wi-Fi Al liance cer ti fi ca tion. It’s im por tant to dis able it as part of a se cu rity-fo cused pre de ploy ment process. If a de vice doesn’t of fer the abil ity to turn off WPS (or the Off switch doesn’t work), up grade or re place the base sta tion’s firmware or re place the whole de vice.
Gen er ally, leave WPS turned off. Each time you up grade your firmware, per form your se cu rity-fo cused pre de ploy ment process again to en sure that all set tings, in clud ing WPS, are set prop erly. If you need to add nu mer ous clients to a net work, you can tem po rar ily reen able WPS—just be sure to dis able it im me di ately af ter ward.
Us ing Cap tive Por tals A cap tive por tal is an au then ti ca tion tech nique that redi rects a newly con nected wire less web client to a
por tal ac cess con trol page. The por tal page may re quire the user to in put pay ment in for ma tion, pro vide lo gon cre den tials, or in put an ac cess code. A cap tive por tal is also used to dis play an ac cept able use pol icy, pri vacy pol icy, and track ing pol icy to the user, who must con sent to the poli cies be fore be ing able to com mu ni cate across the net work. Cap tive por tals are most of ten lo cated on wire less net works im ple mented for pub lic use, such as at ho tels, restau rants, bars, air ports, li braries, and so on. How ever, they can be used on ca bled Eth er net con nec tions as well.
Gen eral Wi-Fi Se cu rity Pro ce dure
Based on the de tails of wire less se cu rity and con fig u ra tion op tions, here is a gen eral guide or pro ce dure to fol low when de ploy ing a Wi-Fi net work. These steps are in or der of con sid er a tion and ap pli ca tion/in stal la tion. Ad di tion ally, this or der does not im ply which step of fers more se cu rity. For ex am ple, us ing WPA2 is a real se cu rity fea ture as op posed to SSID broad cast dis abling. Here are the steps:
1. Change the de fault ad min is tra tor pass word.
2. De cide whether to dis able the SSID broad cast based on your de ploy ment re quire ments.
3. Change the SSID to some thing unique.
4. En able MAC fil ter ing if the pool of wire less clients is rel a tively small (usu ally less than 20) and static.
5. Con sider us ing static IP ad dresses, or con fig ure DHCP with reser va tions (ap pli ca ble only for small de ploy ments).
6. Turn on the high est form of au then ti ca tion and en cryp tion sup ported, which is cur rently WPA2 and may soon be WPA3 (a new se cu rity mode in de vel op ment as of the start of 2018: https://www.net work world.com/ar ti cle/3247658/wi-fi/wi-fi-al liance-an nounces-wpa3-to-se cure- mod ern-net works.html). If WPA2 or a newer/stronger so lu tion is not avail able on your de vice, then you need to ob tain new wire less equip ment.
7. Treat wire less as re mote ac cess, and man age ac cess us ing 802.1X.
8. Treat wire less as ex ter nal ac cess, and sep a rate the WAP from the wired net work us ing a fire wall.
9. Treat wire less as an en try point for at tack ers, and mon i tor all WAP-to-wired-net work com mu ni ca tions with an in tru sion de tec tion sys tem (IDS).
10. Re quire all trans mis sions be tween wire less clients and WAPs to be en crypted; in other words, re quire a VPN link.
Of ten, adding lay ers of data en cryp tion (WPA2 and IPSec VPN) and other forms of
fil ter ing to a wire less link can re duce the ef fec tive through put by as much as 80 per cent. In ad di tion, greater dis tances from the base sta tion and the pres ence of in ter fer ence will re duce the ef fec tive through put even fur ther.
Wire less At tacks Wire less com mu ni ca tion is a quickly ex pand ing field of tech nolo gies for net work ing, con nec tiv ity,
com mu ni ca tion, and data ex change. Lit er ally thou sands of pro to cols, stan dards, and tech niques can be la beled as wire less. These in clude cell phones, Blue tooth, cord less phones, and wire less net work ing. As wire less tech nolo gies con tinue to pro lif er ate, your or ga ni za tion’s se cu rity must go be yond lock ing down its lo cal net work. Se cu rity should be an end-to-end so lu tion that ad dresses all forms, meth ods, and tech niques of com mu ni ca tion.
341
Wire less net work ing has be come com mon on both cor po rate and home net works. Prop erly man ag ing wire less net work ing for re li able ac cess as well as se cu rity isn’t al ways a straight for ward propo si tion. Even with wire less se cu rity present, wire less at tacks can still oc cur. There is an ever-in creas ing va ri ety of at tacks against net works, and many of these work against both wired and wire less en vi ron ments. A few fo cus on wire less net works alone. This sec tion ex am ines var i ous wire less se cu rity is sues.
War Driv ing
War driv ing is the act of us ing a de tec tion tool to look for wire less net work ing sig nals. Of ten, war driv ing refers to some one look ing for wire less net works they aren’t au tho rized to ac cess. In a way, war driv ing is per form ing a site sur vey for pos si bly ma li cious or at least unau tho rized pur poses. The name comes from the legacy at tack con cept of war di al ing, which was used to dis cover ac tive com puter modems by di al ing all the num bers in a pre fix or an area code.
War driv ing can be per formed with a ded i cated hand held de tec tor, with a per sonal elec tronic de vice (PED) or mo bile de vice with Wi-Fi ca pa bil i ties, or with a note book that has a wire less net work card. It can be per formed us ing na tive fea tures of the OS or us ing spe cial ized scan ning and de tect ing tools.
Once a wire less net work is de tected, the next step is to de ter mine whether the net work is open or closed. An open net work has no tech ni cal lim i ta tions to what de vices can con nect to it, whereas a closed net work has tech ni cal lim i ta tions to pre vent unau tho rized con nec tions. If the net work is closed, an at tacker may try to guess or crack the tech nolo gies pre vent ing the con nec tion. Of ten, the set ting mak ing a wire less net work closed (or at least hid den) is the dis abling of ser vice set iden ti fier (SSID) broad cast ing. This re stric tion is eas ily over come with a wire less SSID scan ner. Af ter this, the hacker de ter mines whether en cryp tion is be ing used, what type it is, and whether it can be com pro mised. From there, at tack ers can grab ded i cated crack ing tools to at tempt to break into the con nec tion or at tempt to con duct man-in-the-mid dle at tacks. The older and weaker your pro tec tions, the faster and more suc cess ful such at tacks are likely to be.
War Chalk ing
War chalk ing is a type of geek graf fiti that some wire less hack ers used dur ing the early years of wire less (1997–2002). It’s a way to phys i cally mark an area with in for ma tion about the pres ence of a wire less net work. A closed cir cle in di cated a closed or se cured wire less net work, and two back-to-back half cir cles in di cated an open net work. War chalk ing was of ten used to dis close to oth ers the pres ence of a wire less net work in or der to share a dis cov ered in ter net link. How ever, now that in ter net con nec tiv ity is nearly ubiq ui tous, with most of us car ry ing an in ter net-con nected de vice on our per son (usu ally a smart phone), the pop u lar ity of por ta ble Wi-Fi hotspots, and many re tail es tab lish ments of fer ing free Wi-Fi as an in cen tive for cus tomers, the need for and oc cur rence of war chalk ing has faded. When an at tacker uses war di al ing to lo cate a wire less tar get to com pro mise, they don’t mark up the area with spe cial sym bols to in form oth ers of their in ten tions.
Re play
A re play at tack is the re trans mis sion of cap tured com mu ni ca tions in the hope of gain ing ac cess to the tar geted sys tem. Re play at tacks in re la tion to wire less en vi ron ments specif i cally may con tinue to fo cus on ini tial au then ti ca tion abuse. How ever, many other wire less re play at tack vari ants ex ist. They in clude cap tur ing new con nec tion re quests of a typ i cal client and then re play ing that con nect re quest in or der to fool the base sta tion into re spond ing as if an other new client con nec tion re quest was ini ti ated. Wire less re play at tacks can also fo cus on DoS by re trans mit ting con nec tion re quests or re source re quests of the base sta tion in or der to keep it busy fo cus ing on man ag ing new con nec tions rather than main tain ing and pro vid ing ser vice for ex ist ing con nec tions.
Wire less re play at tacks can be mit i gated by keep ing the firmware of the base sta tion up dated as well as op er at ing a wire less-fo cused net work in tru sion de tec tion sys tem (NIDS). A W-IDS or W-NIDS will be able to de tect such abuses and in form the ad min is tra tors promptly about the sit u a tion.
IV
IV stands for ini tial iza tion vec tor, a math e mat i cal and cryp to graphic term for a ran dom num ber. Most mod ern crypto func tions use IVs to in crease their se cu rity by re duc ing pre dictabil ity and re peata bil ity. An IV be comes a point of weak ness when it’s too short, ex changed in plain text, or se lected im prop erly. Thus, an IV at tack is an ex ploita tion of how the IV is han dled (or mis han dled). One ex am ple of an IV at tack is that of crack ing Wire less Equiv a lent Pri vacy (WEP) en cryp tion.
WEP is the orig i nal en cryp tion op tion of 802.11 wire less net work ing. It’s based on RC4. How ever, be cause of mis takes in its de sign and im ple men ta tion, WEP’s pri mary flaw is re lated to its IV. The WEP IV is only 24 bits long and is trans mit ted in plain text. This, cou pled with the fact that WEP doesn’t check for packet fresh ness, al lows a live WEP crack to be suc cess ful in less than 60 sec onds (see the Wes side-ng tool from the Air crack-ng suite at www.air crack-ng.org).
Rogue Ac cess Points
342
A se cu rity con cern com monly dis cov ered dur ing a site sur vey is the pres ence of rogue wire less ac cess points. A rogue WAP may be planted by an em ployee for con ve nience, or it may be op er ated ex ter nally by an at tacker.
A wire less ac cess point planted by an em ployee can be con nected to any open net work port. Such unau tho rized ac cess points usu ally aren’t con fig ured for se cu rity or, if they are, aren’t con fig ured prop erly or in line with the or ga ni za tion’s ap proved ac cess points. Rogue wire less ac cess points should be dis cov ered and re moved in or der to elim i nate an un reg u lated ac cess path into your oth er wise se cured net work.
It’s com mon for an at tacker to find a way to visit a com pany (via a friend who is an em ployee or by go ing on a com pany tour, pos ing as a re pair tech ni cian or break fast taco seller, or even break ing in at night) in or der to plant a rogue ac cess point. Af ter a rogue ac cess point is po si tioned, an at tacker can gain en try to the net work eas ily from a mod est dis tance away from your front door.
A rogue WAP can also be de ployed by an at tacker ex ter nally to tar get your ex ist ing wire less clients or fu ture vis it ing wire less clients. An at tack against ex ist ing wire less clients re quires that the rogue WAP be con fig ured to du pli cate the SSID, MAC ad dress, and wire less chan nel of the valid WAP, al though op er at ing at a higher power rat ing. This may cause clients with saved wire less pro files to in ad ver tently se lect or pre fer to con nect to the rogue WAP in stead of the valid orig i nal WAP.
The sec ond method fo cuses on at tract ing new vis it ing wire less clients. This type of rogue WAP is con fig ured with a so cial en gi neer ing trick by set ting the SSID to an al ter nate name that ap pears le git i mate or even pre ferred over the orig i nal valid wire less net work’s SSID. For ex am ple, if the orig i nal SSID is “ABC cafe,” then the rogue WAP SSID could be “ABC cafe-2,” “ABC cafe-LTE,” or “ABC cafe-VIP.” The rogue WAP’s MAC ad dress and chan nel do not need to be clones of the orig i nal WAP. These al ter nate names may seem like bet ter net work op tions to new vis i tors and thus trick them into elect ing to con nect to the false net work in stead of the le git i mate one.
The de fense against rogue WAPs is to be aware of the cor rect and valid SSID. It would also be ben e fi cial for an or ga ni za tion to op er ate a wire less IDS to mon i tor the wire less sig nals for abuses, such as newly ap pear ing WAPs, es pe cially those op er at ing with mim icked or sim i lar SSID and MAC val ues.
Evil Twin
Evil twin is an at tack in which a hacker op er ates a false ac cess point that will au to mat i cally clone, or twin, the iden tity of an ac cess point based on a client de vice’s re quest to con nect. Each time a de vice suc cess fully con nects to a wire less net work, it re tains a wire less pro file in its his tory. These wire less pro files are used to au to mat i cally re con nect to a net work when ever the de vice is in range of the re lated base sta tion. Each time the wire less adapter is en abled on a de vice, it wants to con nect to a net work, so it sends out re con nec tion re quests to each of the net works in its wire less pro file his tory. These re con nect re quests in clude the orig i nal base sta tion’s MAC ad dress and the net work’s SSID. The evil twin at tack sys tem eaves drops on the wire less sig nal for these re con nect re quests. Once the evil twin sees a re con nect re quest, it spoofs its iden tity with those pa ram e ters and of fers a plain text con nec tion to the client. The client ac cepts the re quest and es tab lishes a con nec tion with the false evil twin base sta tion. This en ables the hacker to eaves drop on com mu ni ca tions through a man-in-the-mid dle at tack, which could lead to ses sion hi jack ing, data ma nip u la tion cre den tial theft, and iden tity theft.
This at tack works be cause au then ti ca tion and en cryp tion are man aged by the base sta tion, not en forced by the client. Thus, even though the client’s wire less pro file will in clude au then ti ca tion cre den tials and en cryp tion in for ma tion, the client will ac cept what ever type of con nec tion is of fered by the base sta tion, in clud ing plain text.
To de fend against evil twin at tacks, pay at ten tion to the wire less net work your de vices con nect to. If you con nect to a net work that you know is not lo cated nearby, it is a likely sign that you are un der at tack. Dis con nect and go else where for in ter net ac cess. You should also prune un nec es sary and old wire less pro files from your his tory list to give at tack ers fewer op tions to tar get.
Se cure Net work Com po nents The in ter net is host to count less in for ma tion ser vices and nu mer ous ap pli ca tions, in clud ing the Web,
email, FTP, Tel net, news groups, chat, and so on. The in ter net is also home to ma li cious peo ple whose pri mary goal is to lo cate your com puter and ex tract valu able data from it, use it to launch fur ther at tacks, or dam age it in some way. You should be fa mil iar with the in ter net and able to read ily iden tify its ben e fits and draw backs from your own on line ex pe ri ences. Be cause of the suc cess and global use of the in ter net, many of its tech nolo gies were adapted or in te grated into the pri vate busi ness net work. This cre ated two new forms of net work seg ments: in tranets and ex tranets.
An in tranet is a pri vate net work that is de signed to host the same in for ma tion ser vices found on the in ter net. Net works that rely on ex ter nal servers (in other words, ones po si tioned on the pub lic in ter net) to pro vide in for ma tion ser vices in ter nally are not con sid ered in tranets. In tranets pro vide users with ac cess to
343
the web, email, and other ser vices on in ter nal servers that are not ac ces si ble to any one out side the pri vate net work.
An ex tranet is a cross be tween the in ter net and an in tranet. An ex tranet is a sec tion of an or ga ni za tion’s net work that has been sec tioned off so that it acts as an in tranet for the pri vate net work but also serves in for ma tion to the pub lic in ter net. An ex tranet is of ten re served for use by spe cific part ners or cus tomers. It is rarely on a pub lic net work. An ex tranet for pub lic con sump tion is typ i cally la beled a de mil i ta rized zone (DMZ) or perime ter net work.
Net works are not typ i cally con fig ured as a sin gle large col lec tion of sys tems. Usu ally net works are seg mented or sub di vided into smaller or ga ni za tional units. These smaller units, group ing, seg ments, or sub net works (i.e., sub nets) can be used to im prove var i ous as pects of the net work:
Boost ing Per for mance Net work seg men ta tion can im prove per for mance through an or ga ni za tional scheme in which sys tems that of ten com mu ni cate are lo cated in the same seg ment, while sys tems that rarely or never com mu ni cate are lo cated in other seg ments. Of ten the use of routers is em ployed for the pur pose of di vid ing broad cast do mains, which can sig nif i cantly im prove per for mance for larger net works.
Re duc ing Com mu ni ca tion Prob lems Net work seg men ta tion of ten re duces con ges tion and con tains com mu ni ca tion prob lems, such as broad cast storms, to in di vid ual sub sec tions of the net work.
Pro vid ing Se cu rity Net work seg men ta tion can also im prove se cu rity by iso lat ing traf fic and user ac cess to those seg ments where they are au tho rized.
Seg ments can be cre ated by us ing switch-based VLANs, routers, or fire walls, in di vid u ally or in com bi na tion. A pri vate LAN or in tranet, a DMZ, and an ex tranet are all types of net work seg ments.
When you’re de sign ing a se cure net work (whether a pri vate net work, an in tranet, or an ex tranet), you must eval u ate nu mer ous net work ing de vices. Not all of these com po nents are nec es sary for a se cure net work, but they are all com mon net work de vices that may have an im pact on net work se cu rity.
Net work Ac cess Con trol Net work Ac cess Con trol (NAC) is a con cept of con trol ling ac cess to an en vi ron ment through strict
ad her ence to and im ple men ta tion of se cu rity pol icy. The goals of NAC are as fol lows:
Pre vent/re duce zero-day at tacks
En force se cu rity pol icy through out the net work
Use iden ti ties to per form ac cess con trol
The goals of NAC can be achieved through the use of strong de tailed se cu rity poli cies that de fine all as pects of se cu rity con trol, fil ter ing, pre ven tion, de tec tion, and re sponse for ev ery de vice from client to server and for ev ery in ter nal or ex ter nal com mu ni ca tion. NAC acts as an au to mated de tec tion and re sponse sys tem that can re act in real time to stop threats as they oc cur and be fore they cause dam age or a breach.
Orig i nally, 802.1X (which pro vides port-based NAC) was thought to em body NAC, but most sup port ers be lieve that 802.1X is only a sim ple form of NAC or just one com po nent in a com plete NAC so lu tion.
NAC can be im ple mented with a pread mis sion phi los o phy or a postad mis sion phi los o phy, or as pects of both:
The pread mis sion phi los o phy re quires a sys tem to meet all cur rent se cu rity re quire ments (such as patch ap pli ca tion and an tivirus up dates) be fore it is al lowed to com mu ni cate with the net work.
The postad mis sion phi los o phy al lows and de nies ac cess based on user ac tiv ity, which is based on a pre de fined au tho riza tion ma trix.
Other is sues around NAC in clude client/sys tem agent ver sus over all net work mon i tor ing (agent-less); out- of-band ver sus in-band mon i tor ing; and re solv ing any re me di a tion, quar an tine, or cap tive por tal strate gies. These and other NAC con cerns must be con sid ered and eval u ated prior to im ple men ta tion.
Fire walls
Fire walls are es sen tial tools in man ag ing and con trol ling net work traf fic. A fire wall is a net work de vice used to fil ter traf fic. It is typ i cally de ployed be tween a pri vate net work and a link to the in ter net, but it can be de ployed be tween de part ments within an or ga ni za tion. With out fire walls, it would not be pos si ble to pre vent ma li cious traf fic from the in ter net from en ter ing into your pri vate net work. Fire walls fil ter traf fic based on a de fined set of rules, also called fil ters or ac cess con trol lists. They are ba si cally a set of in struc tions that are used to dis tin guish au tho rized traf fic from unau tho rized and/or ma li cious traf fic. Only au tho rized traf fic is al lowed to cross the se cu rity bar rier pro vided by the fire wall.
344
Fire walls are use ful for block ing or fil ter ing traf fic. They are most ef fec tive against un re quested traf fic and at tempts to con nect from out side the pri vate net work and can also be used for block ing known ma li cious data, mes sages, or pack ets based on con tent, ap pli ca tion, pro to col, port, or source ad dress. They are ca pa ble of hid ing the struc ture and ad dress ing scheme of a pri vate net work from the pub lic. Most fire walls of fer ex ten sive log ging, au dit ing, and mon i tor ing ca pa bil i ties as well as alarms and ba sic in tru sion de tec tion sys tem (IDS) func tions.
Fire walls are typ i cally un able to block viruses or ma li cious code (i.e., fire walls do not typ i cally scan traf fic as an an tivirus scan ner would) trans mit ted through oth er wise au tho rized com mu ni ca tion chan nels, pre vent unau tho rized but ac ci den tal or in tended dis clo sure of in for ma tion by users, pre vent at tacks by ma li cious users al ready be hind the fire wall, or pro tect data af ter it passes out of or into the pri vate net work. How ever, you can add these fea tures through spe cial add-in mod ules or com pan ion prod ucts, such as an tivirus scan ners and IDS tools. There are fire wall ap pli ances that are pre con fig ured to per form all (or most) of these add-on func tions na tively.
In ad di tion to log ging net work traf fic ac tiv ity, fire walls should log sev eral other events as well:
A re boot of the fire wall
Prox ies or de pen den cies be ing un able to start or not start ing
Prox ies or other im por tant ser vices crash ing or restart ing
Changes to the fire wall con fig u ra tion file
A con fig u ra tion or sys tem er ror while the fire wall is run ning
Fire walls are only one part of an over all se cu rity so lu tion. With a fire wall, many of the se cu rity mech a nisms are con cen trated in one place, and thus a fire wall can be a sin gle point of fail ure. Fire wall fail ure is most com monly caused by hu man er ror and mis con fig u ra tion. Fire walls pro vide pro tec tion only against traf fic that crosses the fire wall from one sub net to an other. They of fer no pro tec tion against traf fic within a sub net (in other words, be hind the fire wall).
There are sev eral ba sic types of fire walls, in clud ing static packet-fil ter ing fire walls, ap pli ca tion-level gate way fire walls, cir cuit-level gate way fire walls, and state ful in spec tion fire walls. There are also ways to cre ate hy brid or com plex gate way fire walls by com bin ing two or more of these fire wall types into a sin gle fire wall so lu tion. In most cases, hav ing a mul ti level fire wall pro vides greater con trol over fil ter ing traf fic. Re gard less, we’ll cover the var i ous fire wall types and dis cuss fire wall de ploy ment ar chi tec tures as well:
Static Packet-Fil ter ing Fire walls A static packet-fil ter ing fire wall fil ters traf fic by ex am in ing data from a mes sage header. Usu ally, the rules are con cerned with source, des ti na tion, and port ad dresses. Us ing static fil ter ing, a fire wall is un able to pro vide user au then ti ca tion or to tell whether a packet orig i nated from in side or out side the pri vate net work, and it is eas ily fooled with spoofed pack ets. Static packet-fil ter ing fire walls are known as first-gen er a tion fire walls; they op er ate at layer 3 (the Net work layer) of the OSI model. They can also be called screen ing routers.
Ap pli ca tion-Level Gate way Fire walls An ap pli ca tion-level gate way fire wall is also called a proxy fire wall. A proxy is a mech a nism that copies pack ets from one net work into an other; the copy process also changes the source and des ti na tion ad dresses to pro tect the iden tity of the in ter nal or pri vate net work. An ap pli ca tion-level gate way fire wall fil ters traf fic based on the in ter net ser vice (in other words, the ap pli ca tion) used to trans mit or re ceive the data. Each type of ap pli ca tion must have its own unique proxy server. Thus, an ap pli ca tion-level gate way fire wall com prises nu mer ous in di vid ual proxy servers. This type of fire wall neg a tively af fects net work per for mance be cause each packet must be ex am ined and pro cessed as it passes through the fire wall. Ap pli ca tion-level gate ways are known as sec ond-gen er a tion fire walls, and they op er ate at the Ap pli ca tion layer (layer 7) of the OSI model.
Cir cuit-Level Gate way Fire walls Cir cuit-level gate way fire walls are used to es tab lish com mu ni ca tion ses sions be tween trusted part ners. They op er ate at the Ses sion layer (layer 5) of the OSI model. SOCKS (from Socket Se cure, as in TCP/IP ports) is a com mon im ple men ta tion of a cir cuit-level gate way fire wall. Cir cuit- level gate way fire walls, also known as cir cuit prox ies, man age com mu ni ca tions based on the cir cuit, not the con tent of traf fic. They per mit or deny for ward ing de ci sions based solely on the end point des ig na tions of the com mu ni ca tion cir cuit (in other words, the source and des ti na tion ad dresses and ser vice port num bers). Cir cuit-level gate way fire walls are con sid ered sec ond-gen er a tion fire walls be cause they rep re sent a mod i fi ca tion of the ap pli ca tion-level gate way fire wall con cept.
State ful In spec tion Fire walls State ful in spec tion fire walls (also known as dy namic packet fil ter ing fire walls) eval u ate the state or the con text of net work traf fic. By ex am in ing source and des ti na tion ad dresses, ap pli ca tion us age, source of ori gin, and re la tion ship be tween cur rent pack ets and the pre vi ous pack ets of the same ses sion, state ful in spec tion fire walls are able to grant a broader range of ac cess for au tho rized users and ac tiv i ties and ac tively watch for and block unau tho rized users and ac tiv i ties. State ful in spec tion fire walls gen er ally op er ate more ef fi ciently than ap pli ca tion-level gate way fire walls. They are known as third- gen er a tion fire walls, and they op er ate at the Net work and Trans port lay ers (lay ers 3 and 4) of the OSI model.
345
Deep Packet In spec tion Fire walls Deep packet in spec tion (DPI) fire walls is a fil ter ing mech a nism that op er ates typ i cally at the ap pli ca tion layer in or der to fil ter the pay load con tents of a com mu ni ca tion rather than only on the header val ues. DPI can also be known as com plete packet in spec tion and in for ma tion ex trac tion (IX). DPI fil ter ing is able to block do main names, mal ware, spam, or other iden ti fi able el e ments in the pay load of a com mu ni ca tion. DPI is of ten in te grated with ap pli ca tion layer fire walls and/or state ful in spec tion fire walls.
Next-Gen Fire walls A next-gen fire wall is a mul ti func tion de vice (MFD) com posed of sev eral se cu rity fea tures in ad di tion to a fire wall; in te grated com po nents can in clude an IDS, an in tru sion pre ven tion sys tem (IPS), a TLS/SSL proxy, web fil ter ing, QoS man age ment, band width throt tling, NAT ing, VPN an chor ing, and an tivirus.
Mul ti homed Fire walls
Some fire wall sys tems have more than one in ter face. For in stance, a mul ti homed fire wall must have at least two in ter faces to fil ter traf fic (they’re also known as dual-homed fire walls). All mul ti homed fire walls should have IP for ward ing, which au to mat i cally sends traf fic to an other in ter face, dis abled. This will force the fil ter ing rules to con trol all traf fic rather than al low ing a soft ware-sup ported short cut be tween one in ter face and an other. A bas tion host is a com puter or ap pli ance that is ex posed on the in ter net and has been hard ened by re mov ing all un nec es sary el e ments, such as ser vices, pro grams, pro to cols, and ports. A screened host is a fire wall-pro tected sys tem log i cally po si tioned just in side a pri vate net work. All in bound traf fic is routed to the screened host, which in turn acts as a proxy for all the trusted sys tems within the pri vate net work. It is re spon si ble for fil ter ing traf fic com ing into the pri vate net work as well as for pro tect ing the iden tity of the in ter nal client.
The word bas tion comes from me dieval cas tle ar chi tec ture. A bas tion guard house was
po si tioned in front of the main en trance to serve as a first layer of pro tec tion. Us ing this term to de scribe a host in di cates that the sys tem is act ing as a sac ri fi cial host that will re ceive all in bound at tacks.
A screened sub net is sim i lar to the screened host in con cept, ex cept a sub net is placed be tween two routers or fire walls and the bas tion host(s) is lo cated within that sub net. All in bound traf fic is di rected to the bas tion host, and only au tho rized traf fic can pass through the sec ond router/fire wall into the pri vate net work. This cre ates a sub net where some ex ter nal vis i tors are al lowed to com mu ni cate with re sources of fered by the net work. This is the con cept of a DMZ, which is a net work area (usu ally a sub net) that is de signed to be ac cessed by out side vis i tors but that is still iso lated from the pri vate net work of the or ga ni za tion. The DMZ is of ten the host of pub lic web, email, file, and other re source servers.
Fire wall De ploy ment Ar chi tec tures
There are three com monly rec og nized fire wall de ploy ment ar chi tec tures: sin gle tier, two tier, and three tier (also known as mul ti tier).
As you can see in Fig ure 11.8, a sin gle-tier de ploy ment places the pri vate net work be hind a fire wall, which is then con nected through a router to the in ter net (or some other un trusted net work). Sin gle-tier de ploy ments are use ful against generic at tacks only. This ar chi tec ture of fers only min i mal pro tec tion.
A two-tier de ploy ment ar chi tec ture may be one of two dif fer ent de signs. One uses a fire wall with three or more in ter faces. The other uses two fire walls in a se ries. This al lows for a DMZ or a pub licly ac ces si ble ex tranet. In the first de sign, the DMZ is lo cated off one of the in ter faces of the pri mary fire wall, while in the sec ond de sign the DMZ is lo cated be tween the two se rial fire walls. The DMZ is used to host in for ma tion server sys tems to which ex ter nal users should have ac cess. The fire wall routes traf fic to the DMZ or the trusted net work ac cord ing to its strict fil ter ing rules. This ar chi tec ture in tro duces a mod er ate level of rout ing and fil ter ing com plex ity.
346
FIG URE 11.8 Sin gle-, two-, and three-tier fire wall de ploy ment ar chi tec tures
A three-tier de ploy ment ar chi tec ture is the de ploy ment of mul ti ple sub nets be tween the pri vate net work and the in ter net sep a rated by fire walls. Each sub se quent fire wall has more strin gent fil ter ing rules to re strict traf fic to only trusted sources. The out er most sub net is usu ally a DMZ. A mid dle sub net can serve as a trans ac tion sub net where sys tems needed to sup port com plex web ap pli ca tions in the DMZ re side. The third, or back-end, sub net can sup port the pri vate net work. This ar chi tec ture is the most se cure of these op tions; how ever, it is also the most com plex to de sign, im ple ment, and man age.
End point Se cu rity
End point se cu rity is the con cept that each in di vid ual de vice must main tain lo cal se cu rity whether or not its net work or telecom mu ni ca tions chan nels also pro vide or of fer se cu rity. Some times this is ex pressed as “the end de vice is re spon si ble for its own se cu rity.” How ever, a clearer per spec tive is that any weak ness in a net work, whether on the bor der, on a server, or on a client, presents a risk to all el e ments within the or ga ni za tion.
Tra di tional se cu rity has de pended on net work bor der sen tries, such as ap pli ance fire walls, prox ies, cen tral ized virus scan ners, and even IDS/IPS/IDP so lu tions, to pro vide se cu rity for all of the in te rior nodes of a net work. This is no longer con sid ered best busi ness prac tice be cause threats ex ist from within as well as with out. A net work is only as se cure as its weak est el e ment.
Lack of in ter nal se cu rity is even more prob lem atic when re mote ac cess ser vices, in clud ing dial-up, wire less, and VPN, might al low an ex ter nal en tity (au tho rized or not) to gain ac cess to the pri vate net work with out hav ing to go through the bor der se cu rity gaunt let.
End point se cu rity should there fore be viewed as an as pect of the ef fort to pro vide suf fi cient se cu rity on each in di vid ual host. Ev ery sys tem should have an ap pro pri ate com bi na tion of a lo cal host fire wall, anti- mal ware scan ners, au then ti ca tion, au tho riza tion, au dit ing, spam fil ters, and IDS/IPS ser vices.
Se cure Op er a tion of Hard ware
347
You’ll use nu mer ous hard ware de vices when con struct ing a net work. Strong fa mil iar ity with these se cure net work com po nents can as sist you in de sign ing an IT in fra struc ture that avoids sin gle points of fail ure and pro vides strong sup port for avail abil ity.
Col li sions vs. Broad casts
A col li sion oc curs when two sys tems trans mit data at the same time onto a con nec tion medium that sup ports only a sin gle trans mis sion path. A broad cast oc curs when a sin gle sys tem trans mits data to all pos si ble re cip i ents. Gen er ally, col li sions are some thing to avoid and pre vent, while broad casts have use ful pur poses from time to time. The man age ment of col li sions and broad casts in tro duces a new term known as do mains.
A col li sion do main is a group of net worked sys tems that could cause a col li sion if any two (or more) of the sys tems in that group trans mit ted si mul ta ne ously. Any sys tem out side the col li sion do main can not cause a col li sion with any mem ber of that col li sion do main.
A broad cast do main is a group of net worked sys tems in which all other mem bers re ceive a broad cast sig nal when one of the mem bers of the group trans mits it. Any sys tem out side a broad cast do main would not re ceive a broad cast from that broad cast do main.
As you de sign and de ploy a net work, you should con sider how col li sion do mains and broad cast do mains will be man aged. Col li sion do mains are di vided by us ing any layer 2 or higher de vice, and broad cast do mains are di vided by us ing any layer 3 or higher de vice. When a do main is di vided, it means that sys tems on op po site sides of the de ployed de vice are mem bers of dif fer ent do mains.
These are some of the hard ware de vices in a net work:
Re peaters, Con cen tra tors, and Am pli fiers Re peaters, con cen tra tors, and am pli fiers are used to strengthen the com mu ni ca tion sig nal over a ca ble seg ment as well as con nect net work seg ments that use the same pro to col. These de vices can be used to ex tend the max i mum length of a spe cific ca ble type by de ploy ing one or more re peaters along a lengthy ca ble run. Re peaters, con cen tra tors, and am pli fiers op er ate at OSI layer 1. Sys tems on ei ther side of a re peater, con cen tra tor, or am pli fier are part of the same col li sion do main and broad cast do main.
Hubs Hubs were used to con nect mul ti ple sys tems and con nect net work seg ments that use the same pro to col. A hub is a mul ti port re peater. Hubs op er ate at OSI layer 1. Sys tems on ei ther side of a hub are part of the same col li sion and broad cast do mains. This en sures that the traf fic will reach its in tended host, but at the cost that all mem bers of the same col li sion do main and broad cast do main will re ceive the com mu ni ca tion as well. Most or ga ni za tions have a no-hub se cu rity pol icy to limit or re duce the risk of sniff ing at tacks since they are an out moded tech nol ogy and switches are pre ferred.
Modems A tra di tional land line mo dem (mod u la tor-de mod u la tor) is a com mu ni ca tions de vice that cov ers or mod u lates be tween an ana log car rier sig nal and dig i tal in for ma tion in or der to sup port com puter com mu ni ca tions of pub lic switched tele phone net work (PSTN) lines. From about 1960 un til the mid-1990s, modems were a com mon means of WAN com mu ni ca tions. Modems have gen er ally been re placed by dig i tal broad band tech nolo gies in clud ing ISDN, ca ble modems, DSL modems, 802.11 wire less, and var i ous forms of wire less modems.
The term mo dem is used in cor rectly on any de vice that does not ac tu ally per form
mod u la tion. Most mod ern de vices la beled as modems (ca ble, DSL, ISDN, wire less, etc.) are routers, not modems.
Bridges A bridge is used to con nect two net works to gether—even net works of dif fer ent topolo gies, ca bling types, and speeds—in or der to con nect net work seg ments that use the same pro to col. A bridge for wards traf fic from one net work to an other. Bridges that con nect net works us ing dif fer ent trans mis sion speeds may have a buf fer to store pack ets un til they can be for warded to the slower net work. This is known as a store-and-for ward de vice. Bridges op er ate at OSI layer 2. Sys tems on ei ther side of a bridge are part of the same broad cast do main but are in dif fer ent col li sion do mains.
Switches Rather than us ing a hub, you might con sider us ing a switch, or in tel li gent hub. Switches know the ad dresses of the sys tems con nected on each out bound port. In stead of re peat ing traf fic on ev ery out bound port, a switch re peats traf fic only out of the port on which the des ti na tion is known to ex ist. Switches of fer greater ef fi ciency for traf fic de liv ery, cre ate sep a rate col li sion do mains, and im prove the over all through put of data. Switches can also cre ate sep a rate broad cast do mains when used to cre ate VLANs. In such con fig u ra tions, broad casts are al lowed within a sin gle VLAN but not al lowed to cross un hin dered from one VLAN to an other. Switches op er ate pri mar ily at OSI layer 2. When switches have ad di tional fea tures, such as rout ing, they can op er ate at OSI layer 3 as well (such as when rout ing be tween VLANs). Sys tems on ei ther side
348
of a switch op er at ing at layer 2 are part of the same broad cast do main but are in dif fer ent col li sion do mains. Sys tems on ei ther side of a switch op er at ing at layer 3 are part of dif fer ent broad cast do mains and dif fer ent col li sion do mains. Switches are used to con nect net work seg ments that use the same pro to col.
Routers Routers are used to con trol traf fic flow on net works and are of ten used to con nect sim i lar net works and con trol traf fic flow be tween the two. They can func tion us ing stat i cally de fined rout ing ta bles, or they can em ploy a dy namic rout ing sys tem. There are nu mer ous dy namic rout ing pro to cols, such as RIP, OSPF, and BGP. Routers op er ate at OSI layer 3. Sys tems on ei ther side of a router are part of dif fer ent broad cast do mains and dif fer ent col li sion do mains. Routers are used to con nect net work seg ments that use the same pro to col.
Brouters Brouters are com bi na tion de vices com pris ing a router and a bridge. A brouter at tempts to route first, but if that fails, it de faults to bridg ing. Thus, a brouter op er ates pri mar ily at layer 3 but can op er ate at layer 2 when nec es sary. Sys tems on ei ther side of a brouter op er at ing at layer 3 are part of dif fer ent broad cast do mains and dif fer ent col li sion do mains. Sys tems on ei ther side of a brouter op er at ing at layer 2 are part of the same broad cast do main but are in dif fer ent col li sion do mains. Brouters are used to con nect net work seg ments that use the same pro to col.
Gate ways A gate way con nects net works that are us ing dif fer ent net work pro to cols. A gate way is re spon si ble for trans fer ring traf fic from one net work to an other by trans form ing the for mat of that traf fic into a form com pat i ble with the pro to col or trans port method used by each net work. Gate ways, also known as pro to col trans la tors, can be stand-alone hard ware de vices or a soft ware ser vice (for ex am ple, an IP-to-IPX gate way). Sys tems on ei ther side of a gate way are part of dif fer ent broad cast do mains and dif fer ent col li sion do mains. Gate ways are used to con nect net work seg ments that use dif fer ent pro to cols. There are many types of gate ways, in clud ing data, mail, ap pli ca tion, se cure, and in ter net. Gate ways typ i cally op er ate at OSI layer 7.
Prox ies A proxy is a form of gate way that does not trans late across pro to cols. In stead, prox ies serve as me di a tors, fil ters, caching servers, and even NAT/PAT servers for a net work. A proxy per forms a func tion or re quests a ser vice on be half of an other sys tem and con nects net work seg ments that use the same pro to col. Prox ies are most of ten used in the con text of pro vid ing clients on a pri vate net work with in ter net ac cess while pro tect ing the iden tity of the clients. A proxy ac cepts re quests from clients, al ters the source ad dress of the re quester, main tains a map ping of re quests to clients, and sends the al tered re quest pack ets out. This mech a nism is com monly known as Net work Ad dress Trans la tion (NAT). Once a re ply is re ceived, the proxy server de ter mines which client it is des tined for by re view ing its map pings and then sends the pack ets on to the client. Sys tems on ei ther side of a proxy are part of dif fer ent broad cast do mains and dif fer ent col li sion do mains.
Net work In fra struc ture In ven tory
If you can gain ap proval from your or ga ni za tion, per form a gen eral sur vey or in ven tory of the sig nif i cant com po nents that make up your net work. See how many dif fer ent net work de vices you can lo cate within your net work. Also, do you no tice any pat terns of de vice de ploy ment, such as de vices al ways de ployed in par al lel or in se ries? Is the ex te rior of a de vice usu ally suf fi cient to in di cate its func tion, or must you look up its model num ber?
LAN Ex ten ders A LAN ex ten der is a re mote ac cess, mul ti layer switch used to con nect dis tant net works over WAN links. This is a strange beast of a de vice in that it cre ates WANs, but mar keters of this de vice steer clear of the term WAN and use only LAN and ex tended LAN. The idea be hind this de vice was to make the ter mi nol ogy eas ier to un der stand and thus make the prod uct eas ier to sell than a nor mal WAN de vice with com plex con cepts and terms tied to it. Ul ti mately, it was the same prod uct as a WAN switch or WAN router.
While man ag ing net work se cu rity with fil ter ing de vices such as fire walls and prox ies is
im por tant, we must not over look the need for end point se cu rity. End points are the ends of a net work com mu ni ca tion link. One end is of ten at a server where a re source re sides, and the other end is of ten a client mak ing a re quest to use a net work re source. Even with se cured com mu ni ca tion pro to cols, it is still pos si ble for abuse, mis use, over sight, or ma li cious ac tion to oc cur across the net work be cause it orig i nated at an end point. All as pects of se cu rity from one end to the other, of ten called end-to-end se cu rity, must be ad dressed. Any un se cured point will be dis cov ered even tu ally and abused.
Ca bling, Wire less, Topol ogy, Com mu ni ca tions, and Trans mis sion Me dia Tech nol ogy
Es tab lish ing se cu rity on a net work in volves more than just man ag ing the op er at ing sys tem and soft ware. You must also ad dress phys i cal is sues, in clud ing ca bling, wire less, topol ogy, and com mu ni ca tions tech nol ogy.
349
LANs vs. WANs
There are two ba sic types of net works: LANs and WANs. A lo cal area net work (LAN) is a net work typ i cally span ning a sin gle floor or build ing. This is com monly a lim ited ge o graph i cal area. Wide area net work (WAN) is the term usu ally as signed to the long-dis tance con nec tions be tween ge o graph i cally re mote net works.
WAN con nec tions and com mu ni ca tion links can in clude pri vate cir cuit tech nolo gies and packet- switch ing tech nolo gies. Com mon pri vate cir cuit tech nolo gies in clude ded i cated or leased lines and PPP, SLIP, ISDN, and DSL con nec tions. Packet-switch ing tech nolo gies in clude X.25, Frame Re lay, asyn chro nous trans fer mode (ATM), Syn chro nous Data Link Con trol (SDLC), and High-Level Data Link Con trol (HDLC). Packet-switch ing tech nolo gies use vir tual cir cuits in stead of ded i cated phys i cal cir cuits. A vir tual cir cuit is cre ated only when needed, which makes for ef fi cient use of the trans mis sion medium and is ex tremely cost-ef fec tive.
Trans mis sion Me dia The type of con nec tiv ity me dia em ployed in a net work is im por tant to the net work’s de sign, lay out, and
ca pa bil i ties. With out the right ca bling or trans mis sion me dia, a net work may not be able to span your en tire en ter prise, or it may not sup port the nec es sary traf fic vol ume. In fact, the most com mon causes of net work fail ure (in other words, vi o la tions of avail abil ity) are ca ble fail ures or mis con fig u ra tions. It is im por tant for you to un der stand that dif fer ent types of net work de vices and tech nolo gies are used with dif fer ent types of ca bling. Each ca ble type has unique use ful lengths, through put rates, and con nec tiv ity re quire ments.
Coax ial Ca ble
Coax ial ca ble, also called coax, was a pop u lar net work ing ca ble type used through out the 1970s and 1980s. In the early 1990s, its use quickly de clined be cause of the pop u lar ity and ca pa bil i ties of twisted-pair wiring (ex plained in more de tail later). In the 2000s, you are un likely to en counter coax be ing used as a net work ca ble but may still see some use of it as an au dio/vis ual con nec tion ca ble (such as with some ca ble tele vi sion equip ment or satel lite dish equip ment, al though the fi nal con nec tion from the ser vice equip ment to your tele vi sion is most likely HDMI to day).
Coax ial ca ble has a cen ter core of cop per wire sur rounded by a layer of in su la tion, which is in turn sur rounded by a con duc tive braided shield ing and en cased in a fi nal in su la tion sheath.
The cen ter cop per core and the braided shield ing layer act as two in de pen dent con duc tors, thus al low ing two-way com mu ni ca tions over a coax ial ca ble. The de sign of coax ial ca ble makes it fairly re sis tant to elec tro mag netic in ter fer ence (EMI) and makes it able to sup port high band widths (in com par i son to other tech nolo gies of the time pe riod), and it of fers longer us able lengths than twisted-pair. It ul ti mately failed to re tain its place as the pop u lar net work ing ca ble tech nol ogy be cause of twisted-pair’s much lower cost and ease of in stal la tion. Coax ial ca ble re quires the use of seg ment ter mi na tors, whereas twisted-pair ca bling does not. Coax ial ca ble is bulkier and has a larger min i mum arc ra dius than twisted-pair. (The arc ra dius is the max i mum dis tance the ca ble can be bent be fore dam ag ing the in ter nal con duc tors.) Ad di tion ally, with the wide spread de ploy ment of switched net works, the is sues of ca ble dis tance be came moot be cause of the im ple men ta tion of hi er ar chi cal wiring pat terns.
There are two main types of coax ial ca ble: thin net and thick net. Thin net, also known as 10Base2, was com monly used to con nect sys tems to back bone trunks of thick net ca bling. Thin net can span dis tances of 185 me ters and pro vide through put up to 10 Mbps. Thick net, also known as 10Base5, can span 500 me ters and pro vide through put up to 10 Mbps (megabits per sec ond).
The most com mon prob lems with coax ca ble are or were as fol lows:
Bend ing the coax ca ble past its max i mum arc ra dius and thus break ing the cen ter con duc tor
De ploy ing the coax ca ble in a length greater than its max i mum rec om mended length (which is 185 me ters for 10Base2 or 500 me ters for 10Base5)
Not prop erly ter mi nat ing the ends of the coax ca ble with a 50 ohm re sis tor
Not ground ing at least one end of a ter mi nated coax ca ble
Base band and Broad band Ca bles
The nam ing con ven tion used to la bel most net work ca ble tech nolo gies fol lows the syn tax XXyyyyZZ. XX rep re sents the max i mum speed the ca ble type of fers, such as 10 Mbps for a 10Base2 ca ble. The next se ries of let ters, yyyy, rep re sents the base band or broad band as pect of the ca ble, such as base band for a 10Base2 ca ble. Base band ca bles can trans mit only a sin gle sig nal at a time, and broad band ca bles can trans mit mul ti ple
350
sig nals si mul ta ne ously. Most net work ing ca bles are base band ca bles. How ever, when used in spe cific con fig u ra tions, coax ial ca ble can be used as a broad band con nec tion, such as with ca ble modems. ZZ ei ther rep re sents the max i mum dis tance the ca ble can be used or acts as short hand to rep re sent the tech nol ogy of the ca ble, such as the ap prox i mately 200 me ters for 10Base2 ca ble (ac tu ally 185 me ters, but it’s rounded up to 200) or T or TX for twisted-pair in 10BaseT or 100BaseTX. (Note that 100BaseTX is im ple mented us ing two Cat 5 UTP or STP ca bles—one is sued for re ceiv ing, the other for trans mit ting.)
Ta ble 11.8 shows the im por tant char ac ter is tics for the most com mon net work ca bling types.
TA BLE 11.8 Im por tant char ac ter is tics for com mon net work ca bling types
Type Max speed Dis tance Dif fi culty of in stal la tion Sus cep ti bil ity to EMI 10Base2 10 Mbps 185 me ters Medium Medium 10Base5 10 Mbps 500 me ters High Low 10BaseT (UTP) 10 Mbps 100 me ters Low High STP 155 Mbps 100 me ters Medium Medium 100BaseT/100BaseTX 100 Mbps 100 me ters Low High 1000BaseT 1 Gbps 100 me ters Low High Fiber-op tic 2+ Gbps 2+ kilo me ters High to medium None
Twisted-Pair
Twisted-pair ca bling is ex tremely thin and flex i ble com pared to coax ial ca ble. It con sists of four pairs of wires that are twisted around each other and then sheathed in a PVC in su la tor. If there is a metal foil wrap per around the wires un der neath the ex ter nal sheath, the wire is known as shielded twisted-pair (STP). The foil pro vides ad di tional pro tec tion from ex ter nal EMI. Twisted-pair ca bling with out the foil is known as un shielded twisted-pair (UTP). UTP is most of ten used to re fer to 10BaseT, 100BaseT, or 1000BaseT.
The wires that make up UTP and STP are small, thin cop per wires that are twisted in pairs. The twist ing of the wires pro vides pro tec tion from ex ter nal ra dio fre quen cies and elec tric and mag netic in ter fer ence and re duces crosstalk be tween pairs. Crosstalk oc curs when data trans mit ted over one set of wires is picked up by an other set of wires due to ra di at ing elec tro mag netic fields pro duced by the elec tri cal cur rent. Each wire pair within the ca ble is twisted at a dif fer ent rate (in other words, twists per inch); thus, the sig nals trav el ing over one pair of wires can not cross over onto an other pair of wires (at least within the same ca ble). The tighter the twist (the more twists per inch), the more re sis tant the ca ble is to in ter nal and ex ter nal in ter fer ence and crosstalk, and thus the ca pac ity for through put (that is, higher band width) is greater.
There are sev eral classes of UTP ca bling. The var i ous cat e gories are cre ated through the use of tighter twists of the wire pairs, vari a tions in the qual ity of the con duc tor, and vari a tions in the qual ity of the ex ter nal shield ing. Ta ble 11.9 shows the orig i nal UTP cat e gories.
TA BLE 11.9 UTP cat e gories
UTP cat e gory
Through put Notes
Cat 1 Voice only Not suit able for net works but us able by modems Cat 2 4 Mbps Not suit able for most net works; of ten em ployed for host-to-ter mi nal con nec tions
on main frames Cat 3 10 Mbps Pri mar ily used in 10BaseT Eth er net net works (of fers only 4 Mbps when used on
To ken Ring net works) and as tele phone ca bles Cat 4 16 Mbps Pri mar ily used in To ken Ring net works Cat 5 100 Mbps Used in 100BaseTX, FDDI, and ATM net works Cat 6 1,000 Mbps Used in high-speed net works Cat 7 10 Gbps Used on 10 gi ga bit-speed net works
Cat 5e is an en hanced ver sion of Cat 5 de signed to pro tect against far-end crosstalk. In
2001, the TIA/EIA-568-B no longer rec og nized the orig i nal Cat 5 spec i fi ca tion. Now, the Cat 5e stan dard is rated for use by 100BaseT and even 1000BaseT de ploy ments.
The fol low ing prob lems are the most com mon with twisted-pair ca bling:
Us ing the wrong cat e gory of twisted-pair ca ble for high-through put net work ing
351
De ploy ing a twisted-pair ca ble longer than its max i mum rec om mended length (in other words, 100 me ters)
Us ing UTP in en vi ron ments with sig nif i cant in ter fer ence
Con duc tors
The dis tance lim i ta tions of con duc tor-based net work ca bling stem from the re sis tance of the metal used as a con duc tor. Cop per, the most pop u lar con duc tor, is one of the best and least ex pen sive room-tem per a ture con duc tors avail able. How ever, it is still re sis tant to the flow of elec trons. This re sis tance re sults in a degra da tion of sig nal strength and qual ity over the length of the ca ble.
Plenum ca ble is a type of ca bling sheathed with a spe cial ma te rial that does not re lease
toxic fumes when burned, as does tra di tional PVC coated wiring. Of ten plenum-grade ca ble must be used to com ply with build ing codes, es pe cially if the build ing has en closed spa ces that could trap gases.
The max i mum length de fined for each ca ble type in di cates the point at which the level of degra da tion could be gin to in ter fere with the ef fi cient trans mis sion of data. This degra da tion of the sig nal is known as at ten u a tion. It is of ten pos si ble to use a ca ble seg ment that is longer than the ca ble is rated for, but the num ber of er rors and re trans mis sions will be in creased over that ca ble seg ment, ul ti mately re sult ing in poor net work per for mance. At ten u a tion is more pro nounced as the speed of the trans mis sion in creases. It is rec om mended that you use shorter ca ble lengths as the speed of the trans mis sion in creases.
Long ca ble lengths can of ten be sup ple mented through the use of re peaters or con cen tra tors. A re peater is a sig nal am pli fi ca tion de vice, much like the am pli fier for your car or home stereo. The re peater boosts the sig nal strength of an in com ing data stream and re broad casts it through its sec ond port. A con cen tra tor does the same thing ex cept it has more than two ports. How ever, us ing more than four re peaters (or hubs) in a row is dis cour aged (see the side bar “5-4-3 Rule”).
5-4-3 Rule
The 5-4-3 rule was used when ever Eth er net or other IEEE 802.3 shared-ac cess net works are de ployed us ing hubs and re peaters as net work con nec tion de vices in a tree topol ogy (in other words, a cen tral trunk with var i ous split ting branches). This rule de fines the num ber of re peaters/con cen tra tors and seg ments that can be used in a net work de sign. The rule states that be tween any two nodes (a node can be any type of pro cess ing en tity, such as a server, client, or router), there can be a max i mum of five seg ments con nected by four re peaters/con cen tra tors, and it states that only three of those five seg ments can be pop u lated (in other words, have ad di tional or other user, server, or net work ing de vice con nec tions).
The 5-4-3 rule does not ap ply to switched net works or the use of bridges or routers.
An al ter na tive to con duc tor-based net work ca bling is fiber-op tic ca ble. Fiber-op tic ca bles trans mit pulses of light rather than elec tric ity. This gives fiber-op tic ca ble the ad van tage of be ing ex tremely fast and nearly im per vi ous to tap ping and in ter fer ence. Fiber will typ i cally cost more to de ploy than twisted pair, but its price pre mium has de creased to be more in line with other de ploy ments and is of ten well worth the ex pense for its se cu rity, in ter fer ence re silience, and per for mance.
Net work Topolo gies The phys i cal lay out and or ga ni za tion of com put ers and net work ing de vices is known as the net work
topol ogy. The log i cal topol ogy is the group ing of net worked sys tems into trusted col lec tives. The phys i cal topol ogy is not al ways the same as the log i cal topol ogy. There are four ba sic topolo gies of the phys i cal lay out of a net work: ring, bus, star, and mesh.
Ring Topol ogy A ring topol ogy con nects each sys tem as points on a cir cle (see Fig ure 11.9). The con nec tion medium acts as a uni di rec tional trans mis sion loop. Only one sys tem can trans mit data at a time. Traf fic man age ment is per formed by a to ken. A to ken is a dig i tal hall pass that trav els around the ring un til a sys tem grabs it. A sys tem in pos ses sion of the to ken can trans mit data. Data and the to ken are trans mit ted to a spe cific des ti na tion. As the data trav els around the loop, each sys tem checks to see whether it is the in tended re cip i ent of the data. If not, it passes the to ken on. If so, it reads the data. Once the data is re ceived, the to ken is re leased and re turns to trav el ing around the loop un til an other sys tem grabs it. If any one seg ment of the loop is bro ken, all com mu ni ca tion around the loop ceases. Some im ple men ta tions of ring topolo gies em ploy a fault tol er ance mech a nism, such as dual loops run ning in op po site di rec tions, to pre vent sin gle points of fail ure.
352
FIG URE 11.9 A ring topol ogy
Bus Topol ogy A bus topol ogy con nects each sys tem to a trunk or back bone ca ble. All sys tems on the bus can trans mit data si mul ta ne ously, which can re sult in col li sions. A col li sion oc curs when two sys tems trans mit data at the same time; the sig nals in ter fere with each other. To avoid this, the sys tems em ploy a col li sion avoid ance mech a nism that ba si cally “lis tens” for any other cur rently oc cur ring traf fic. If traf fic is heard, the sys tem waits a few mo ments and lis tens again. If no traf fic is heard, the sys tem trans mits its data. When data is trans mit ted on a bus topol ogy, all sys tems on the net work hear the data. If the data is not ad dressed to a spe cific sys tem, that sys tem just ig nores the data. The ben e fit of a bus topol ogy is that if a sin gle seg ment fails, com mu ni ca tions on all other seg ments con tinue un in ter rupted. How ever, the cen tral trunk line re mains a sin gle point of fail ure.
There are two types of bus topolo gies: lin ear and tree. A lin ear bus topol ogy em ploys a sin gle trunk line with all sys tems di rectly con nected to it. A tree topol ogy em ploys a sin gle trunk line with branches that can sup port mul ti ple sys tems. Fig ure 11.10 il lus trates both types. The pri mary rea son a bus is rarely if ever used to day is that it must be ter mi nated at both ends and any dis con nec tion can take down the en tire net work.
FIG URE 11.10 A lin ear bus topol ogy and a tree bus topol ogy
Star Topol ogy A star topol ogy em ploys a cen tral ized con nec tion de vice. This de vice can be a sim ple hub or switch. Each sys tem is con nected to the cen tral hub by a ded i cated seg ment (see Fig ure 11.11). If any one seg ment fails, the other seg ments can con tinue to func tion. How ever, the cen tral hub is a sin gle point of
353
fail ure. Gen er ally, the star topol ogy uses less ca bling than other topolo gies and makes the iden ti fi ca tion of dam aged ca bles eas ier.
A log i cal bus and a log i cal ring can be im ple mented as a phys i cal star. Eth er net is a bus-based tech nol ogy. It can be de ployed as a phys i cal star, but the hub or switch de vice is ac tu ally a log i cal bus con nec tion de vice. Like wise, To ken Ring is a ring-based tech nol ogy. It can be de ployed as a phys i cal star us ing a mul ti sta tion ac cess unit (MAU). An MAU al lows for the ca ble seg ments to be de ployed as a star while in ter nally the de vice makes log i cal ring con nec tions.
FIG URE 11.11 A star topol ogy
Mesh Topol ogy A mesh topol ogy con nects sys tems to other sys tems us ing nu mer ous paths (see Fig ure 11.12). A full mesh topol ogy con nects each sys tem to all other sys tems on the net work. A par tial mesh topol ogy con nects many sys tems to many other sys tems. Mesh topolo gies pro vide re dun dant con nec tions to sys tems, al low ing mul ti ple seg ment fail ures with out se ri ously af fect ing con nec tiv ity.
354
FIG URE 11.12 A mesh topol ogy
Wire less Com mu ni ca tions and Se cu rity Wire less com mu ni ca tion is a quickly ex pand ing field of tech nolo gies for net work ing, con nec tiv ity,
com mu ni ca tion, and data ex change. There are lit er ally thou sands of pro to cols, stan dards, and tech niques that can be la beled as wire less. These in clude cell phones, Blue tooth, cord less phones, and wire less net work ing. As wire less tech nolo gies con tinue to pro lif er ate, your or ga ni za tion’s se cu rity ef forts must go be yond lock ing down its lo cal net work. Se cu rity should be an end-to-end so lu tion that ad dresses all forms, meth ods, and tech niques of com mu ni ca tion.
Gen eral Wire less Con cepts
Wire less com mu ni ca tions em ploy ra dio waves to trans mit sig nals over a dis tance. There is a fi nite amount of ra dio wave spec trum; thus, its use must be man aged prop erly to al low mul ti ple si mul ta ne ous uses with lit tle to no in ter fer ence. The ra dio spec trum is mea sured or dif fer en ti ated us ing fre quency. Fre quency is a mea sure ment of the num ber of wave os cil la tions within a spe cific time and iden ti fied us ing the unit Hertz (Hz), or os cil la tions per sec ond. Ra dio waves have a fre quency be tween 3 Hz and 300 GHz. Dif fer ent ranges of fre quen cies have been des ig nated for spe cific uses, such as AM and FM ra dio, VHF and UHF tele vi sion, and so on. Cur rently, the 900 MHz, 2.4 GHz, and 5 GHz fre quen cies are the most com monly used in wire less prod ucts be cause of their un li censed cat e go riza tion. How ever, to man age the si mul ta ne ous use of the lim ited ra dio fre quen cies, sev eral spec trum-use tech niques were de vel oped. These in cluded spread spec trum, FHSS, DSSS, and OFDM.
Most de vices op er ate within a small sub sec tion of fre quen cies rather than all avail able
fre quen cies. This is be cause of fre quency-use reg u la tions (in other words, the FCC in the United States), power con sump tion, and the ex pec ta tion of in ter fer ence.
Spread spec trum means that com mu ni ca tion oc curs over mul ti ple fre quen cies at the same time. Thus, a mes sage is bro ken into pieces, and each piece is sent at the same time but us ing a dif fer ent fre quency. Ef fec tively this is a par al lel com mu ni ca tion rather than a se rial com mu ni ca tion.
Fre quency Hop ping Spread Spec trum (FHSS) was an early im ple men ta tion of the spread spec trum con cept. How ever, in stead of send ing data in a par al lel fash ion, it trans mits data in a se ries while con stantly
355
chang ing the fre quency in use. The en tire range of avail able fre quen cies is em ployed, but only one fre quency at a time is used. As the sender changes from one fre quency to the next, the re ceiver has to fol low the same hop ping pat tern to pick up the sig nal. FHSS was de signed to help min i mize in ter fer ence by not us ing only a sin gle fre quency that could be af fected. In stead, by con stantly shift ing fre quen cies, it min i mizes in ter fer ence.
Di rect Se quence Spread Spec trum (DSSS) em ploys all the avail able fre quen cies si mul ta ne ously in par al lel. This pro vides a higher rate of data through put than FHSS. DSSS also uses a spe cial en cod ing mech a nism known as chip ping code to al low a re ceiver to re con struct data even if parts of the sig nal were dis torted be cause of in ter fer ence. This oc curs in much the same way that the par ity of RAID-5 al lows the data on a miss ing drive to be re-cre ated.
Or thog o nal Fre quency-Di vi sion Mul ti plex ing (OFDM) is yet an other vari a tion on fre quency use. OFDM em ploys a dig i tal mul ti car rier mod u la tion scheme that al lows for a more tightly com pacted trans mis sion. The mod u lated sig nals are per pen dic u lar (or thog o nal) and thus do not cause in ter fer ence with each other. Ul ti mately, OFDM re quires a smaller fre quency set (aka chan nel bands) but can of fer greater data through put.
Cell Phones
Cell phone wire less com mu ni ca tions con sist of us ing a por ta ble de vice over a spe cific set of ra dio wave fre quen cies to in ter act with the cell phone car rier’s net work and ei ther other cell phone de vices or the in ter net. The tech nolo gies used by cell phone providers are nu mer ous and are of ten con fus ing. One point of con fu sion is the use of terms like 2G and 3G. These do not re fer to tech nolo gies specif i cally but in stead to the gen er a tion of cell phone tech nol ogy. Thus, 1G is the first gen er a tion (mostly ana log), 2G is the sec ond (mostly dig i tal, as are 3G and 4G), and so forth. There are even dis cus sions of 2.5G when sys tems in te grate sec ond- and third-gen er a tion tech nolo gies. Ta ble 11.10 at tempts to clar ify some of these con fus ing is sues (this is only a par tial list ing of the tech nolo gies).
TA BLE 11.10 Mo bile ser vice tech nolo gies
Tech nol ogy Gen er a tion NMT 1G AMPS 1G TACS 1G GSM 2G iDEN 2G TDMA 2G CDMA 2G PDC 2G HSCSD 2.5G GPRS 2.5G W-CDMA 3G TD-CDMA 3G UWC 3G EDGE 3G DECT 3G UMTS 3G HSPDA 3.5G WiMax – IEEE 802.16 4G XOHM (Brand name of WiMax) 4G Mo bile Broad band – IEEE 802.20 4G LTE (Long Term Evo lu tion) 4G 4G/IMT-Ad vanced stan dards us ing mil lime ter wave bands (28, 38, and 60 GHz) 5G
Some of the tech nolo gies listed in this ta ble are la beled and mar keted as 4G while not ac tu ally meet ing the tech ni cal re quire ments to be clas si fied as 4G. The In ter na tional Telecom mu ni ca tions Union-Ra dio com mu ni ca tions sec tor (ITU-R) de fined the re quire ments for 4G in 2008 but in 2010 ac qui esced that car ri ers can call their non com pli ant tech nolo gies 4G as long as they lead to fu ture com pli ant ser vices. 5G tech nolo gies are in de vel op ment, and in 2018 a few test net works have al ready been de ployed.
There are a few key is sues to keep in mind with re gard to cell phone wire less trans mis sions. First, not all cell phone traf fic is voice; of ten cell phone sys tems are used to trans mit text and even com puter data. Sec ond,
356
com mu ni ca tions over a cell phone provider’s net work, whether voice, text, or data, are not nec es sar ily se cure. Third, with spe cific wire less-sniff ing equip ment, your cell phone trans mis sions can be in ter cepted. In fact, your provider’s tow ers can be sim u lated to con duct man-in-the-mid dle at tacks. Fourth, us ing your cell phone con nec tiv ity to ac cess the in ter net or your of fice net work pro vides at tack ers with yet an other po ten tial av enue of at tack, ac cess, and com pro mise. Many of these de vices can po ten tially act as bridges, cre at ing un se cured ac cess into your net work.
Blue tooth (802.15)
Blue tooth, or IEEE 802.15, per sonal area net works (PANs) are an other area of wire less se cu rity con cern. Head sets for cell phones, mice, key boards, Global Po si tion ing Sys tem (GPS) de vices, and many other in ter face de vices and pe riph er als are con nected via Blue tooth. Many of these con nec tions are set up us ing a tech nique known as pair ing, where the pri mary de vice scans the 2.4 GHz ra dio fre quen cies for avail able de vices, and then, once a de vice is dis cov ered, a four-digit PIN is used to “au tho rize” the pair ing. This process does re duce the num ber of ac ci den tal pair ings; how ever, a four-digit PIN is not se cure (not to men tion that the de fault PIN is of ten 0000). In ad di tion, there are at tacks against Blue tooth-en abled de vices. One tech nique, known as blue jack ing, al lows an at tacker to trans mit Short Mes sage Ser vice (SMS)-like mes sages to your de vice. Blues narf ing al lows hack ers to con nect with your Blue tooth de vices with out your knowl edge and ex tract in for ma tion from them. This form of at tack can of fer at tack ers ac cess to your con tact lists, your data, and even your con ver sa tions. Blue bug ging is an at tack that grants hack ers re mote con trol over the fea ture and func tions of a Blue tooth de vice. This could in clude the abil ity to turn on the mi cro phone to use the phone as an au dio bug. For tu nately, Blue tooth typ i cally has a lim ited range of 30 feet, but some de vices can func tion from more than 100 me ters away. Blue tooth ra dios and an ten nas are clas si fied by their max i mum per mit ted power. The classes are shown in Ta ble 11.11.
TA BLE 11.11 Classes of Blue tooth de vices
Class Max i mum per mit ted power Typ i cal range 1 100 mW 100 m 2 2.5 mW 10 m 3 1 mW 1 m 4 .5 mW .5 m
Blue tooth de vices some times em ploy en cryp tion, but it is not dy namic and can usu ally be cracked with mod est ef fort. Use Blue tooth for those ac tiv i ties that are not sen si tive or con fi den tial. When ever pos si ble, change the de fault PINs on your de vices. Do not leave your de vices in dis cov ery mode, and al ways turn off Blue tooth when it’s not in ac tive use.
RFID
Ra dio Fre quency Iden ti fi ca tion (RFID) is a track ing tech nol ogy based on the abil ity to power a ra dio trans mit ter us ing cur rent gen er ated in an an tenna when placed in a mag netic field. RFID can be trig gered/pow ered and read from a con sid er able dis tance away (of ten hun dreds of me ters). RFID can be at tached to de vices or in te grated into their struc ture, such as note book com put ers, tablets, routers, switches, USB flash drives, por ta ble hard drives, and so on. This can al low for quick in ven tory track ing with out hav ing to be in di rect phys i cal prox im ity of the de vice. Sim ply walk ing into a room with an RFID reader can col lect the in for ma tion trans mit ted by the ac ti vated chips in the area.
There is some con cern that RFID can be a pri vacy-vi o lat ing tech nol ogy. If you are in pos ses sion of a de vice with an RFID chip, then any one with an RFID reader can take note of the sig nal from your chip. When an RFID chip is awak ened or re sponds to be ing near a reader, the chip (also called the RFID tag) trans mits a unique code or se rial num ber. That unique num ber is mean ing less with out the cor re spond ing data base that as so ciates the num ber with the spe cific ob ject (or per son). How ever, if you are noted or recorded as the only one around while a reader de tects your RFID chip code, then they can as so ciate you and/or your de vice with that code for all fu ture de tec tions of the same code.
NFC
Near-field com mu ni ca tion (NFC) is a stan dard that es tab lishes ra dio com mu ni ca tions be tween de vices in close prox im ity (like a few inches ver sus feet for pas sive RFID). It lets you per form a type of au to matic syn chro niza tion and as so ci a tion be tween de vices by touch ing them to gether or bring ing them within inches of each other. NFC is a de riv a tive tech nol ogy from RFID and is it self a form of field-pow ered or trig gered de vice.
NFC is com monly found on smart phones and many mo bile de vice ac ces sories. It’s of ten used to per form de vice-to-de vice data ex changes, set up di rect com mu ni ca tions, or ac cess more com plex ser vices such as WPA2 en crypted wire less net works by link ing with the wire less ac cess point via NFC. Be cause NFC is a ra dio- based tech nol ogy, it isn’t with out its vul ner a bil i ties. NFC at tacks can in clude man-in-the-mid dle, eaves drop ping, data ma nip u la tion, and re play at tacks.
357
Cord less Phones
Cord less phones rep re sent an of ten-over looked se cu rity is sue. Cord less phones are de signed to use any one of the un li censed fre quen cies, in other words, 900 MHz, 2.4 GHz, or 5 GHz. These three un li censed fre quency ranges are em ployed by many dif fer ent types of de vices, from cord less phones and baby mon i tors to Blue tooth and wire less net work ing de vices. The is sue that is of ten over looked is that some one could eas ily eaves drop on a con ver sa tion on a cord less phone since its sig nal is rarely en crypted. With a fre quency scan ner, any one can lis ten in on your con ver sa tions.
Mo bile De vices
Smart phones and other mo bile de vices present an ever-in creas ing se cu rity risk as they be come more and more ca pa ble of in ter act ing with the in ter net as well as cor po rate net works. Mo bile de vices of ten sup port mem ory cards and can be used to smug gle ma li cious code into or con fi den tial data out of or ga ni za tions. Many mo bile de vices also sup port USB con nec tions to per form syn chro niza tion of com mu ni ca tions and con tacts with desk top and/or note book com put ers as well as the trans fer of files, doc u ments, mu sic, video, and so on. The de vices them selves of ten con tain sen si tive data such as con tacts, text mes sages, email, and even notes and doc u ments.
The loss or theft of a mo bile de vice could mean the com pro mise of per sonal and/or cor po rate se crets.
Mo bile de vices are also be com ing the tar get of hack ers and ma li cious code. It’s im por tant to keep nonessen tial in for ma tion off por ta ble de vices, run a fire wall and an tivirus prod uct (if avail able), and keep the sys tem locked and/or en crypted (if pos si ble).
Many mo bile de vices also sup port USB con nec tions to per form syn chro niza tion of com mu ni ca tions and con tacts with desk top and/or note book com put ers as well as the trans fer of files, doc u ments, mu sic, video, and so on.
Ad di tion ally, mo bile de vices aren’t im mune to eaves drop ping. With the right type of so phis ti cated equip ment, most mo bile phone con ver sa tions can be tapped into—not to men tion the fact that any one within 15 feet can hear you talk ing. Em ploy ees should be coached to be dis creet about what they dis cuss over mo bile phones in pub lic spa ces.
A wide range of se cu rity fea tures is avail able on mo bile de vices. How ever, sup port for a fea ture isn’t the same thing as hav ing a fea ture prop erly con fig ured and en abled. A se cu rity ben e fit is gained only when the se cu rity func tion is in force. Be sure to check that all de sired se cu rity fea tures are op er at ing as ex pected on any de vice al lowed to con nect to the or ga ni za tion’s net work.
A de vice owned by an in di vid ual can be ref er enced us ing any of these terms: por ta ble
de vice, mo bile de vice, per sonal mo bile de vice (PMD), per sonal elec tronic de vice or por ta ble elec tronic de vice (PED), and per son ally owned de vice (POD).
For more in for ma tion on man ag ing the se cu rity of mo bile de vices, please see Chap ter 9, “Se cu rity Vul ner a bil i ties, Threats, and Coun ter mea sures,” specif i cally the sec tion “As sess and Mit i gate Vul ner a bil i ties in Mo bile Sys tems.”
LAN Tech nolo gies There are three main types of LAN tech nolo gies: Eth er net, To ken Ring, and FDDI. A hand ful of other LAN
tech nolo gies are avail able, but they are not as widely used. Only the main three are ad dressed on the CISSP exam. Most of the dif fer ences be tween LAN tech nolo gies ex ist at and be low the Data Link layer.
Eth er net
Eth er net is a shared-me dia LAN tech nol ogy (also known as a broad cast tech nol ogy). That means it al lows nu mer ous de vices to com mu ni cate over the same medium but re quires that the de vices take turns com mu ni cat ing and per form ing col li sion de tec tion and avoid ance. Eth er net em ploys broad cast and col li sion do mains. A broad cast do main is a phys i cal group ing of sys tems in which all the sys tems in the group re ceive a broad cast sent by a sin gle sys tem in the group. A broad cast is a mes sage trans mit ted to a spe cific ad dress that in di cates that all sys tems are the in tended re cip i ents.
A col li sion do main con sists of group ings of sys tems within which a data col li sion oc curs if two sys tems trans mit si mul ta ne ously. A data col li sion takes place when two trans mit ted mes sages at tempt to use the net work medium at the same time. It causes one or both of the mes sages to be cor rupted.
Eth er net can sup port full-du plex com mu ni ca tions (in other words, full two-way) and usu ally em ploys twisted-pair ca bling. (Coax ial ca bling was orig i nally used.) Eth er net is most of ten de ployed on star or bus topolo gies. Eth er net is based on the IEEE 802.3 stan dard. In di vid ual units of Eth er net data are called frames.
358
Fast Eth er net sup ports 100 Mbps through put. Gi ga bit Eth er net sup ports 1,000 Mbps (1 Gbps) through put. 10 Gi ga bit Eth er net sup port 10,000 Mbps (10 Gbps) through put.
To ken Ring
To ken Ring em ploys a to ken-pass ing mech a nism to con trol which sys tems can trans mit data over the net work medium. The to ken trav els in a log i cal loop among all mem bers of the LAN. To ken Ring can be em ployed on ring or star net work topolo gies. It is rarely used to day be cause of its per for mance lim i ta tions, higher cost com pared to Eth er net, and in creased dif fi culty in de ploy ment and man age ment. To ken Ring hasn’t been seen in most net works for a decade or more.
To ken Ring can be de ployed as a phys i cal star us ing a mul ti sta tion ac cess unit (MAU). A MAU al lows for the ca ble seg ments to be de ployed as a star while in ter nally the de vice makes log i cal ring con nec tions.
Fiber Dis trib uted Data In ter face (FDDI)
Fiber Dis trib uted Data In ter face (FDDI) is a high-speed to ken-pass ing tech nol ogy that em ploys two rings with traf fic flow ing in op po site di rec tions. FDDI is of ten used as a back bone for large en ter prise net works. Its dual-ring de sign al lows for self-heal ing by re mov ing the failed seg ment from the loop and cre at ing a sin gle loop out of the re main ing in ner and outer ring por tions. FDDI is ex pen sive but was of ten used in cam pus en vi ron ments be fore Fast Eth er net and Gi ga bit Eth er net were de vel oped. A less-ex pen sive, dis tance-lim ited, and slower ver sion known as Cop per Dis trib uted Data In ter face (CDDI) uses twisted-pair ca bles. CDDI is also more vul ner a ble to in ter fer ence and eaves drop ping.
Sub tech nolo gies
Most net works com prise nu mer ous tech nolo gies rather than a sin gle tech nol ogy. For ex am ple, Eth er net is not just a sin gle tech nol ogy but a su per set of sub tech nolo gies that sup port its com mon and ex pected ac tiv ity and be hav ior. Eth er net in cludes the tech nolo gies of dig i tal com mu ni ca tions, syn chro nous com mu ni ca tions, and base band com mu ni ca tions, and it sup ports broad cast, mul ti cast, and uni cast com mu ni ca tions and Car rier-Sense Mul ti ple Ac cess with Col li sion De tec tion (CSMA/CD). Many of the LAN tech nolo gies, such as Eth er net, To ken Ring, and FDDI, may in clude many of the sub tech nolo gies de scribed in the fol low ing sec tions.
Ana log and Dig i tal
One sub tech nol ogy com mon to many forms of net work com mu ni ca tions is the mech a nism used to ac tu ally trans mit sig nals over a phys i cal medium, such as a ca ble. There are two types: ana log and dig i tal.
Ana log com mu ni ca tions oc cur with a con tin u ous sig nal that varies in fre quency, am pli tude, phase, volt age, and so on. The vari ances in the con tin u ous sig nal pro duce a wave shape (as op posed to the square shape of a dig i tal sig nal). The ac tual com mu ni ca tion oc curs by vari ances in the con stant sig nal.
Dig i tal com mu ni ca tions oc cur through the use of a dis con tin u ous elec tri cal sig nal and a state change or on-off pulses.
Dig i tal sig nals are more re li able than ana log sig nals over long dis tances or when in ter fer ence is present. This is be cause of a dig i tal sig nal’s de fin i tive in for ma tion stor age method em ploy ing di rect cur rent volt age where volt age on rep re sents a value of 1 and volt age off rep re sents a value of 0. These on-off pulses cre ate a stream of bi nary data. Ana log sig nals be come al tered and cor rupted be cause of at ten u a tion over long dis tances and in ter fer ence. Since an ana log sig nal can have an in fi nite num ber of vari a tions used for sig nal en cod ing as op posed to dig i tal’s two states, un wanted al ter ations to the sig nal make ex trac tion of the data more dif fi cult as the degra da tion in creases.
Syn chro nous and Asyn chro nous
Some com mu ni ca tions are syn chro nized with some sort of clock or tim ing ac tiv ity. Com mu ni ca tions are ei ther syn chro nous or asyn chro nous:
Syn chro nous com mu ni ca tions rely on a tim ing or clock ing mech a nism based on ei ther an in de pen dent clock or a time stamp em bed ded in the data stream. Syn chro nous com mu ni ca tions are typ i cally able to sup port very high rates of data trans fer.
Asyn chro nous com mu ni ca tions rely on a stop and start de lim iter bit to man age the trans mis sion of data. Be cause of the use of de lim iter bits and the stop and start na ture of its trans mis sion, asyn chro nous com mu ni ca tion is best suited for smaller amounts of data. Pub lic switched tele phone net work (PSTN) modems are good ex am ples of asyn chro nous com mu ni ca tion de vices.
Base band and Broad band
359
How many com mu ni ca tions can oc cur si mul ta ne ously over a ca ble seg ment de pends on whether you use base band tech nol ogy or broad band tech nol ogy:
Base band tech nol ogy can sup port only a sin gle com mu ni ca tion chan nel. It uses a di rect cur rent ap plied to the ca ble. A cur rent that is at a higher level rep re sents the bi nary sig nal of 1, and a cur rent that is at a lower level rep re sents the bi nary sig nal of 0. Base band is a form of dig i tal sig nal. Eth er net is a base band tech nol ogy.
Broad band tech nol ogy can sup port mul ti ple si mul ta ne ous sig nals. Broad band uses fre quency mod u la tion to sup port nu mer ous chan nels, each sup port ing a dis tinct com mu ni ca tion ses sion. Broad band is suit able for high through put rates, es pe cially when sev eral chan nels are mul ti plexed. Broad band is a form of ana log sig nal. Ca ble tele vi sion and ca ble modems, ISDN, DSL, T1, and T3 are ex am ples of broad band tech nolo gies.
Broad cast, Mul ti cast, and Uni cast
Broad cast, mul ti cast, and uni cast tech nolo gies de ter mine how many des ti na tions a sin gle trans mis sion can reach:
Broad cast tech nol ogy sup ports com mu ni ca tions to all pos si ble re cip i ents.
Mul ti cast tech nol ogy sup ports com mu ni ca tions to mul ti ple spe cific re cip i ents.
Uni cast tech nol ogy sup ports only a sin gle com mu ni ca tion to a spe cific re cip i ent.
LAN Me dia Ac cess
There are at least five LAN me dia ac cess tech nolo gies that are used to avoid or pre vent trans mis sion col li sions. These tech nolo gies de fine how mul ti ple sys tems all within the same col li sion do main are to com mu ni cate. Some of these tech nolo gies ac tively pre vent col li sions, while oth ers re spond to col li sions.
Car rier-Sense Mul ti ple Ac cess (CSMA) This is the LAN me dia ac cess tech nol ogy that per forms com mu ni ca tions us ing the fol low ing steps:
1. The host lis tens to the LAN me dia to de ter mine whether it is in use.
2. If the LAN me dia is not be ing used, the host trans mits its com mu ni ca tion.
3. The host waits for an ac knowl edg ment.
4. If no ac knowl edg ment is re ceived af ter a time-out pe riod, the host starts over at step 1.
CSMA does not di rectly ad dress col li sions. If a col li sion oc curs, the com mu ni ca tion would not have been suc cess ful, and thus an ac knowl edg ment would not be re ceived. This causes the send ing sys tem to re trans mit the data and per form the CSMA process again.
Car rier-Sense Mul ti ple Ac cess with Col li sion Avoid ance (CSMA/CA) This is the LAN me dia ac cess tech nol ogy that per forms com mu ni ca tions us ing the fol low ing steps:
1. The host has two con nec tions to the LAN me dia: in bound and out bound. The host lis tens on the in bound con nec tion to de ter mine whether the LAN me dia is in use.
2. If the LAN me dia is not be ing used, the host re quests per mis sion to trans mit.
3. If per mis sion is not granted af ter a time-out pe riod, the host starts over at step 1.
4. If per mis sion is granted, the host trans mits its com mu ni ca tion over the out bound con nec tion.
5. The host waits for an ac knowl edg ment.
6. If no ac knowl edg ment is re ceived af ter a time-out pe riod, the host starts over at step 1.
Ap pleTalk and 802.11 wire less net work ing are ex am ples of net works that em ploy CSMA/CA tech nolo gies. CSMA/CA at tempts to avoid col li sions by grant ing only a sin gle per mis sion to com mu ni cate at any given time. This sys tem re quires des ig na tion of a mas ter or pri mary sys tem, which re sponds to the re quests and grants per mis sion to send data trans mis sions.
Car rier-Sense Mul ti ple Ac cess with Col li sion De tec tion (CSMA/CD) This is the LAN me dia ac cess tech nol ogy that per forms com mu ni ca tions us ing the fol low ing steps:
1. The host lis tens to the LAN me dia to de ter mine whether it is in use.
2. If the LAN me dia is not be ing used, the host trans mits its com mu ni ca tion.
3. While trans mit ting, the host lis tens for col li sions (in other words, two or more hosts trans mit ting si mul ta ne ously).
360
4. If a col li sion is de tected, the host trans mits a jam sig nal.
5. If a jam sig nal is re ceived, all hosts stop trans mit ting. Each host waits a ran dom pe riod of time and then starts over at step 1.
Eth er net net works em ploy the CSMA/CD tech nol ogy. CSMA/CD re sponds to col li sions by hav ing each mem ber of the col li sion do main wait for a short but ran dom pe riod of time be fore start ing the process over. Un for tu nately, al low ing col li sions to oc cur and then re spond ing or re act ing to col li sions causes de lays in trans mis sions as well as a re quired rep e ti tion of trans mis sions. This re sults in about 40 per cent loss in po ten tial through put.
To ken Pass ing This is the LAN me dia ac cess tech nol ogy that per forms com mu ni ca tions us ing a dig i tal to ken. Pos ses sion of the to ken al lows a host to trans mit data. Once its trans mis sion is com plete, it re leases the to ken to the next sys tem. To ken pass ing is used by To ken Ring net works, such as FDDI. To ken Ring pre vents col li sions since only the sys tem pos sess ing the to ken is al lowed to trans mit data.
Polling This is the LAN me dia ac cess tech nol ogy that per forms com mu ni ca tions us ing a mas ter-slave con fig u ra tion. One sys tem is la beled as the pri mary sys tem. All other sys tems are la beled as sec ondary. The pri mary sys tem polls or in quires of each sec ondary sys tem in turn whether they have a need to trans mit data. If a sec ondary sys tem in di cates a need, it is granted per mis sion to trans mit. Once its trans mis sion is com plete, the pri mary sys tem moves on to poll the next sec ondary sys tem. Syn chro nous Data Link Con trol (SDLC) uses polling.
Polling ad dresses col li sions by at tempt ing to pre vent them from us ing a per mis sion sys tem. Polling is an in verse of the CSMA/CA method. Both use mas ters and slaves (or pri mary and sec ondary), but while CSMA/CA al lows the slaves to re quest per mis sions, polling has the mas ter of fer per mis sion. Polling can be con fig ured to grant one (or more) sys tem pri or ity over other sys tems. For ex am ple, if the stan dard polling pat tern was 1, 2, 3, 4, then to give sys tem 1 pri or ity, the polling pat tern could be changed to 1, 2, 1, 3, 1, 4.
Sum mary The tasks of de sign ing, de ploy ing, and main tain ing se cu rity on a net work re quire in ti mate knowl edge of
the tech nolo gies in volved in net work ing. This in cludes pro to cols, ser vices, com mu ni ca tion mech a nisms, topolo gies, ca bling, end points, and net work ing de vices.
The OSI model is a stan dard against which all pro to cols are eval u ated. Un der stand ing how the OSI model is used and how it ap plies to real-world pro to cols can help sys tem de sign ers and sys tem ad min is tra tors im prove se cu rity. The TCP/IP model is de rived di rectly from the pro to col and roughly maps to the OSI model.
Most net works em ploy TCP/IP as the pri mary pro to col. How ever, nu mer ous sub pro to cols, sup port ing pro to cols, ser vices, and se cu rity mech a nisms can be found in a TCP/IP net work. A ba sic un der stand ing of these var i ous en ti ties can help you when de sign ing and de ploy ing a se cure net work.
In ad di tion to routers, hubs, switches, re peaters, gate ways, and prox ies, fire walls are an im por tant part of a net work’s se cu rity. There are sev eral types of fire walls: static packet fil ter ing, ap pli ca tion-level gate way, cir cuit-level gate way, state ful in spec tion, deep-packet in spec tion, and next-gen.
Con verged pro to cols are com mon on mod ern net works, in clud ing FCoE, MPLS, VoIP, and iSCSI. Soft ware-de fined net works and con tent-dis tri bu tion net works have ex panded the def i ni tion of net work as well as ex panded the use cases for it. A wide range of hard ware com po nents can be used to con struct a net work, not the least of which is the ca bling used to tie all the de vices to gether. Un der stand ing the strengths and weak nesses of each ca bling type is part of de sign ing a se cure net work.
Wire less com mu ni ca tions oc cur in many forms, in clud ing cell phone, Blue tooth (802.15), RFID, NFC, and net work ing (802.11). Wire less com mu ni ca tion is more vul ner a ble to in ter fer ence, eaves drop ping, de nial of ser vice, and man-in-the-mid dle at tacks.
The most com mon LAN tech nol ogy is Eth er net. There are also sev eral com mon net work topolo gies: ring, bus, star, and mesh.
Exam Es sen tials Know the OSI model lay ers and which pro to cols are found in each. The seven lay ers and the
pro to cols sup ported by each of the lay ers of the OSI model are as fol lows:
Ap pli ca tion: HTTP, FTP, LPD, SMTP, Tel net, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC, and SET
Pre sen ta tion: En cryp tion pro to cols and for mat types, such as ASCII, EBCDICM, TIFF, JPEG, MPEG, and MIDI
Ses sion: NFS, SQL, and RPC
361
Trans port: SPX, SSL, TLS, TCP, and UDP
Net work: ICMP, RIP, OSPF, BGP, IGMP, IP, IPSec, IPX, NAT, and SKIP
Data Link: SLIP, PPP, ARP, L2F, L2TP, PPTP, FDDI, ISDN
Phys i cal: EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET, V.24, and V.35
Have a thor ough knowl edge of TCP/IP. Know the dif fer ence be tween TCP and UDP; be fa mil iar with the four TCP/IP lay ers (Ap pli ca tion, Trans port, In ter net, and Link) and how they cor re spond to the OSI model. In ad di tion, un der stand the us age of the well-known ports and be fa mil iar with the sub pro to cols.
Know the dif fer ent ca bling types and their lengths and max i mum through put rates. This in cludes STP, 10BaseT (UTP), 10Base2 (thin net), 10Base5 (thick net), 100BaseT, 1000BaseT, and fiber-op tic. You should also be fa mil iar with UTP cat e gories 1 through 7.
Be fa mil iar with the com mon LAN tech nolo gies. The most com mon LAN tech nol ogy is Eth er net. Also be fa mil iar with ana log ver sus dig i tal com mu ni ca tions; syn chro nous vs. asyn chro nous com mu ni ca tions; base band vs. broad band com mu ni ca tions; broad cast, mul ti cast, and uni cast com mu ni ca tions; CSMA, CSMA/CA, and CSMA/CD; to ken pass ing; and polling.
Un der stand se cure net work ar chi tec ture and de sign. Net work se cu rity should take into ac count IP and non-IP pro to cols, net work ac cess con trol, us ing se cu rity ser vices and de vices, man ag ing mul ti layer pro to cols, and im ple ment ing end point se cu rity.
Un der stand the var i ous types and pur poses of net work seg men ta tion. Net work seg men ta tion can be used to man age traf fic, im prove per for mance, and en force se cu rity. Ex am ples of net work seg ments or sub net works in clude in tranet, ex tranet, and DMZ.
Un der stand the dif fer ent wire less tech nolo gies. Cell phones, Blue tooth (802.15), and wire less net work ing (802.11) are all called wire less tech nolo gies, even though they are all dif fer ent. Be aware of their dif fer ences, strengths, and weak nesses. Un der stand the ba sics of se cur ing 802.11 net work ing.
Un der stand Fi bre Chan nel. Fi bre Chan nel is a form of net work data stor age so lu tion (i.e., SAN (stor age area net work) or NAS (net work-at tached stor age)) that al lows for high-speed file trans fers.
Un der stand FCoE. FCoE (Fi bre Chan nel over Eth er net) is used to en cap su late Fi bre Chan nel com mu ni ca tions over Eth er net net works.
Un der stand iSCSI. iSCSI (In ter net Small Com puter Sys tem In ter face) is a net work ing stor age stan dard based on IP.
Un der stand 802.11 and 802.11a, b, g, n, and ac. 802.11 is the IEEE stan dard for wire less net work com mu ni ca tions. Ver sions in clude 802.11 (2 Mbps), 802.11a (54 Mbps), 802.11b (11 Mbps), 802.11g (54 Mbps), 802.11n (600 Mbps), and 802.11ac (1.3+ Mbps). The 802.11 stan dard also de fines Wired Equiv a lent Pri vacy (WEP).
Un der stand site sur vey. A site sur vey is the process of in ves ti gat ing the pres ence, strength, and reach of wire less ac cess points de ployed in an en vi ron ment. This task usu ally in volves walk ing around with a por ta ble wire less de vice, tak ing note of the wire less sig nal strength, and map ping this on a plot or schematic of the build ing.
Un der stand WPA2. WPA2 is a new en cryp tion scheme known as the Counter Mode with Ci pher Block Chain ing Mes sage Au then ti ca tion Code Pro to col (CCMP), which is based on the AES en cryp tion scheme.
Un der stand EAP. EAP (Ex ten si ble Au then ti ca tion Pro to col) is not a spe cific mech a nism of au then ti ca tion; rather it is an au then ti ca tion frame work. Ef fec tively, EAP al lows for new au then ti ca tion tech nolo gies to be com pat i ble with ex ist ing wire less or point-to-point con nec tion tech nolo gies.
Un der stand PEAP. PEAP (Pro tected Ex ten si ble Au then ti ca tion Pro to col) en cap su lates EAP meth ods within a TLS tun nel that pro vides au then ti ca tion and po ten tially en cryp tion.
Un der stand LEAP. LEAP (Light weight Ex ten si ble Au then ti ca tion Pro to col) is a Cisco pro pri etary al ter na tive to TKIP for WPA. This was de vel oped to ad dress de fi cien cies in TKIP be fore the 802.11i/WPA2 sys tem was rat i fied as a stan dard.
Un der stand MAC Fil ter ing. A MAC fil ter is a list of au tho rized wire less client in ter face MAC ad dresses that is used by a wire less ac cess point to block ac cess to all nonau tho rized de vices.
Un der stand SSID Broad cast. Wire less net works tra di tion ally an nounce their SSID on a reg u lar ba sis within a spe cial packet known as the bea con frame. When the SSID is broad cast, any de vice with an au to matic de tect and con nect fea ture is not only able to see the net work, but it can also ini ti ate a con nec tion with the net work.
Un der stand TKIP. TKIP (Tem po ral Key In tegrity Pro to col) was de signed as the re place ment for WEP with out re quir ing re place ment of legacy wire less hard ware. TKIP was im ple mented into 802.11 wire less