Information Systems Security - PowerPoint PPT Presentation

About This Presentation

Title:

Information Systems Security

Description:

Cabling Types - Coaxial. Copper wire insulated by braided metallic ground shield. Less vulnerable to EMI. Two main types. 10BASE2 (Thinnet) (185 meters) – PowerPoint PPT presentation

Number of Views:172

Avg rating:3.0/5.0

Slides: 87

Provided by: cltAstate91

Learn more at: http://clt.astate.edu

Category:

more less

Transcript and Presenter's Notes

Title: Information Systems Security

1
Information Systems Security

Telecommunications
Domain 7

2
OSI Reference Model

Physical
Datalink
Network
Transport
Session
Presentation
Application

3
Routing

Dynamic
RIP I
RIP II
OSPF
BGP

4
Cabling Types - Coaxial

Copper wire insulated by braided metallic ground
shield
Less vulnerable to EMI
Two main types
10BASE2 (Thinnet) (185 meters)
10BASE5 (Thicknet) (500 meters)
Mainly used in one-way networks (TV)
Two-way networks required special equipment
Larger minimum arc radius than TP

5
(No Transcript)
6
Cabling Type - TP

Copper-based
Two major types
UTP
Least secure
Susceptible to EMI, cross-talk, and eavesdropping
Less security than fiber or coaxial
Most commonly used today
STP
Extra outer foil shielding

7
Cabling Type - Fiber

Data travels as photons
Higher speed, less attenuation, more secure
Expensive and harder to work with
Two major types
Multimode
Less expensive with slower speed
Single mode
Faster speeds available but more and delicate

8
Signal Issues

Attenuation
Interference from environment
Cable runs are too long
Poor quality cable
Cross Talk
Signals radiate from a wire and interfere with
other wires
Data corruption
More of a problem with UTP

9
Transmission Types

Analog
Carrier signal used to move data
Signal works at different frequencies
Used in broadband networks
Digital
Discrete units of voltage
Moves data in binary representation
Cleaner signal compared to analog

10
Encoding Techniques
Parameter AM FM Digital
Signal-to-noise ratio Low Moderate High
Cost Moderate Moderate High
Performance over time Moderate Excellent Excellent
Installation Adjustments required No adjustments No adjustments
11
Synchronous or Asynchronous

Sync
Prior agreement of data TX rules
Sending system sends a clocking pulse
Stop and start bits are not required
T-lines optical lines use synchronous
Asynchronous
Must use start/stop bits
Dial-up connections use asynchronous

12
Broadband or Baseband

Baseband
TX media only uses one channel
Digital signaling
Used over TP or Coax
Broadband
Multiple channels
TXs more data at one time
Can use analog signaling
Used over coax or fiber (at 100Mbps or more)
Can carry video, audio, data, and images

13
Plenum Cable

Polyvinyl chloride can give off dangerous
chemicals if burned
Plenum rated cable is made of safe fluoropolymers
Should be used in dropped ceilings and raised
floorings and other ventilation areas

14
Number of Receivers

Unicast
One system communicates to one system
Multicast
One system communicates to many systems
Class D addresses dedicated to this
Opt-in method (webcasts, streaming video)
Broadcast
One system communicates to all systems
Destination address contains specific values

15
Types of Networks

Local Area Network (LAN)
Limited geographical area
Ethernet and Token Ring
Metropolitan Area Network (MAN)
Covers a city or town
SONET, FDDI
Wide Area Network (WAN)
ATM, Frame Relay, X.25

16
Network Terms

Internet
Network of networks providing a communication
infrastructure
The web runs on top of this Internet
infrastructure
Intranet
Employs Internet technology for internal use
HTTP, web browsers, TCP/IP

17
Network Terms

Extranet
Intranet type of network that allows specific
entities to communicate
Usually business partners and suppliers
B2B networks
Shared DMZ area or VPN over the Internet

18
Network Configuration

DMZ
Network segment that is between the protected
internal network and the external (non-trusted)
network
Creates a buffer zone
Systems in DMZ will be the 1st to come under
attack and must be properly fortified

19
Physical Layer

Network Topologies
Physical connection of system and devices
Architectural layout of network
Choice determined by higher level technologies
that will run on it
Types (Bus, Ring, Star, Mesh)

20
BUS

Nodes are connected to a backbone through drops
Linear bus one cable with no branches
Tree network with branches
Easy to extend
Single node failure affects ALL participants
Cable is the single point of failure

21
Ring

Interconnection of nodes in circle
Each node is dependent upon the physical
connection of the upstream node
Data travels unidirectionally
One node failure CAN affect surrounding nodes
Used more in smaller networks

22
Star

All computers are connected to central device
Central device is single point of failure
No node-to-node dependencies

23
Mesh

Network using many paths between points
Provides transparent rerouting when links are
down
High degree of fault tolerance
Partial Mesh Not every link is redundant
Internet is an example
Full Mesh All nodes have redundancy

24
Media Access

Dictates how system will access the media
Frames packets with specific headers
Different media access technologies
CSMA
Token Ring
Polling
Protocols within the data link
SLIP, PPP, L2F, L2TP, FDDI, ISDN

25
Carrier Sense Multiple Access

CSMA/CD (Collision Detection)
Monitors line to know when it is free
When cable not busy, data is sent
Used in Ethernet
CSMA/CA (Collision Avoidance)
Listens to determine is line is busy
Sends out a warning that message is coming
All other nodes go into waiting mode
Used in 802.11 WLANs

26
Wireless Standards (802.x)

802.11 2.4 GHz range at 1-2 Mbps
802.11b 2.4 GHz up to 11 Mbps
802.11a 5 GHz up to 54 Mbps
802.11g 2.4 GHz up to 54 Mbps
802.11i Security protocol (replace WEP)
802.15 Wireless PANs
802.16 Wireless MANs

27
Access Points

Connects a wireless network to a wired network
Devices must authenticate to the AP before
gaining access to the environment
AP works on a specific frequency that the
wireless device must tune itself to

28
Service Set ID (SSID)

WLANs can be logically separated by using subnet
addresses
Wireless devices and APs use SSID when
authenticating and associating
Should not be considered a security mechanism

29
Authenticating to the AP

Station sends probe to all channels looking for
the closest AP
AP will respond with the necessary information
and a request for credentials
If WEP key is required, AP sends a challenge to
the device and device encrypts with key and send
it back
If no WEP key, could request SSID value and MAC
value

30
Wired Equivalent Protocol (WEP)

Protocol used to encrypt traffic for all IEEE
wireless standards
Riddled with security flaws
Improper implementation of security mechanisms
No randomness (uses the same password)
No Automated Dynamic Key Refresh Method (DKRM),
requires manual refresh

31
More WEP Woes

Small initialization vector values
Uses a 24-bit value
Exhaust randomness is as little as 3 hours
Uses stream cipher (RC4)
No data integrity
Use XORs flip a bit in ciphertext the
corresponding bit in plaintext is flipped

32
Wireless Application Protocol (WAP)

Requires a different protocol stack than TCP/IP
WAP allows wireless devices to access the
Internet
Provides functions at each of the OSI layers
similar to TCP/IP
Founded in 1997 by cell phone companies

33
Wireless Transport Layer Security

Security layer of the WAP
Provides privacy, integrity, and authentication
for WAP applications
Data encrypted with WTLS must be decrypted and
reencrypted with SSL or TLS

34
Common Attacks

Eavesdropping on traffic and spoofing
Erecting a rogue AP
Man-in-the-middle
Unauthorized modification of data
War driving
Cracking WEP
Birthday attacks
Weak key attacks (airsnort, WEPCrack)

35
War Driving

Necessary Components
Antenna (omnidirectional is best)
Sniffers (TCPDump, Ethereal)
NetStumbler, AirSnort, or WEPCrack
NetStumbler finds APs and Logs
Network name
SSID
MAC
Channel ID
WEP (yes or no)

36
Wireless Countermeasures

Enable WEP
Change default SSID and dont broadcast
Implement additional authentication
Control the span of the radio waves
Place AP in DMZ
Implement VPN for wireless stations
Configure firewall for known MAC and IP

37
TCP/IP Suite

TCP connection oriented transport layer
protocol that provides end-to-end reliability
IP connectionless network layer protocol that
provides the routing function
Includes other secondary protocols

38
Port and Protocol Relations

Well known port numbers are 0-1023
FTP is 20 and 21
SMTP is 25
SNMP is 161
HTTP is 80
Telnet is 23
HTTPS is 443
Source is usually a high dynamic number while
destination is usually under 1024

39
Address Resolution Protocol (ARP)

Maps the IP address to the MAC address
Data link understands MAC, not IP
Element in man-in-the middle attacks
Intruder spoofs its MAC address against the
destinations IP address into ARP cache
Countermeasures
Static ARP, active monitoring, and IDS to detect
anomalies

40
ARP Poisoning

Insert bogus IP to MAC addressing mapping in
remote system
Misdirect traffic to attackers computer
Ideal scenario for man-in-the-middle attack

41
Internet Control Message Protocol (ICMP)

Status and error messaging protocol
Ping is an example
Used by hackers for host enumeration
Redirects traffic by sending bogus ICMP messages
to a router

42
Simple Network Management Protocol (SNMP)

Master and agent model
Agents gather status information about network
devices
Master polls agent and provides an overall view
of network status
Runs on ports 161 and 162

43
Simple Mail Transfer Protocol (SMTP)

Transmits mail between different mail servers
Security issue with mail servers
Improperly configured mail relay
Sendmail functions

44
Other Protocols

FTP
TFTP
Telnet

45
Repeater Device

Works at the physical layer
Extends a network
Helps with attenuation
No intelligence built in

46
Hub Devices

Works at the physical layer
Connects several systems and devices
Also called multipoint repeater/concentrators
All data is broadcast
No intelligence

47
Bridge Device

Functions at the data link layer
Extends a LAN by connecting similar or dissimilar
LANs
Filtering capabilities
Uses the MAC address
Forwards broadcast data
Transparent Ethernet
Source Routing Token Ring

48
Switch Device

Transfers connection from one circuit to another
Faster than bridges
Originally made decisions based on MAC
Major functionality takes place at Data Link
Layer
Newer switches work at the Network layer and use
IP addresses

49
Virtual LAN (VLAN)

Logical containers used to group users, systems,
and resources
Does not restrict administration based upon the
physical location of device
Each VLAN has its own security policy
Used in switches
Can be static or dynamic

50
Router Device

Works at the network layer
Can connect similar or dissimilar networks
Blocks broadcast
Uses routing tables
Bases decisions on IP addresses
Can work as a packet filtering firewall wit the
use of Access Control Lists

51
Gateway Device

Translates different protocols or software
formats
Mail gateways allows for different mail
applications to communicate
Data gateways allow heterogeneous clients and
servers to communicate
Security gateways firewalls and perimeter
security devices

52
Bastion Host Device

Gateway between an internal network and an
external network used for security
Hardened system
Disable unnecessary accounts
Disable unnecessary services
Disable unnecessary subsystems
Remove administrative tools
Up to date with patches and fixes
All systems in DMZ should be Bastion Hosts

53
Firewall Characteristics

Generation 1 Packet Filtering
Generation 2 Proxy
Generation 3 Stateful
Generation 4 Dynamic Packet Filtering
Generation 5 Kernel Proxies
All provide transparent protection to internal
users

54
Packet Filtering

Simplest and least expensive
Screens with a set of ACL
Referred to as a Layer 3 device
Access depends on network and transport layer
information
Best in low-risk environments
1st generation firewall

55
Circuit Level Proxy

Makes access decisions based on network and
transport layer information
Not application or protocol dependent
More protection than a packet filter
SOCKS is the most common used
Hides information about the network they protect
2nd generation firewall

56
Application Layer Proxy

Access decision is based on data payload
Must understand the command structure of payload
Provides a high level of protection
Can filter application specific commands
Logs user activity
Requires manual configuration of each client
computer
2nd generation firewall

57
Stateful Firewall

Makes access decisions based on IP addresses,
protocol commands, historical comparisons, and
contents of packet
Uses a state engine and state table
Monitor connection-oriented and connectionless
protocols
Expensive and complex to administer
3rd generation firewall

58
Dynamic Packet Filtering Firewalls

Combination of application proxies and state
inspection firewalls
Dynamically changes filtering rules based on
several different factors
May examine the contents and not just the header
of packets
Decisions based on history and admin rules
4th generation firewall

59
Firewall Placement

Segments internal network subnets and sections to
enforce the security policy
Acts as a choke point between trusted and
untrusted entities
Creates a DMZ
Could use screened host, dual-homed, or screened
subnet

60
Screened Host

Usual configuration is a router filtering for a
firewall
Reduces the amount of traffic the firewall has to
work with
Screening device is a filtering router
Screened host is the firewall

61
Dual Homed

Two or more interfaces
One interface for each network
Allows for one firewall to create more than one
DMZ
Forwarding and routing need to be turned off or
packets would not be inspected by firewall
software
All inbound traffic directed to the Bastion Host,
then proxied, and passed to 2nd router

62
Screened Subnet

Buffer zone is created by implementing two
routers or two firewalls and this creating a
single DMZ
Provides the most protection out of the three
architectures because three devices must be
compromised before attacker can get through to
the internal network.

63
SLIP Dialup Protocol

Serial Line Internet Protocol
Moves IP data over serial lines
Largely replaced by PPP
SLIP does not provide
Header and data compression
Packet sequencing
Authentication features
Classless IP addressing

64
PPP Dial Up Protocol

Point-to-Point Protocol
Moves digital data over telecommunications lines
Full duplex protocol
Can use synchronous and asynchronous
Authentication through
PAP
CHAP
EAP

65
Authentication Protocols

Password Authentication Protocol (PAP)
Authenticates remote users
Credentials are sent in plain text
Challenge Handshake Authentication Protocol
(CHAP)
Authenticates remote users
Encrypts usernames and passwords
Client uses users password to encrypt the
challenge
Protects against man-in-the-middle attacks

66
EAP Authentication

Extensible Authentication Protocol
Allows for authentication protocols to be added
to give more flexibility
Supports multiple frameworks
Developed for PPP, but now used in LAN and
wireless authentication

67
VPN Technologies

Tunneling involves establishing and maintaining a
logical network connection
Packets are encapsulated within IP packets and
encryption is used for security
Voluntary tunneling client manages connection
setup
Compulsory tunneling carrier provider manages
connection setup

68
PPTP Tunneling Protocol

Encapsulating protocol used more for end-to-end
VPNs instead of gateway VPNs
Data link layer protocol that provides single
point-to-point connection
Works only with TCP/IP
Works at the Internet layer

69
L2TP Tunneling Protocol

Works at the data link layer
Can provide VPNs over WAN links using frame
relay, X.25, or ATM
Cannot encrypt data
Uses IPSec for security
Developed by CISCO to combine L2F and PPTP

70
IPSec Tunneling Protocol

Provides network layer protection
Used for gateway-to-gateway VPNs
Provides authentication, integrity, and
confidentiality
Only works over IP and is becoming the de facto
standard

71
Domain Name Services

Works within a hierarchical naming structure
Host name to IP address mapping
DNS server that holds resource records for a zone
is the authority for that zone
Uses forward-lookup tables and reverse-lookup
tables
Uses iterative and non-iterative procedures

72
Network Address Translation

Invented due to the shortage of IP addresses
Allows companies to use private addresses
Can use static mapping on 1-1 relationship
Can use dynamic mapping
Port address translation (PAT)
One address is used for all hosts
Older term was hiding NAT
Can be implemented with software (ICS)

73
Fiber Distributed Data Interface (FDDI)

Token passing is the media method
Two rings for fault tolerance
Operates up to 100 Mbps
CDDI is possible with shorted distances

74
Synchronous Optical Network(SONET)

Physical layer standard used by telephony
Dual ringed and self-healing
Used to connect T1 and T3 channels
Carries nearly any higher level protocol
Supports 52 Mbps
Built in support for maintenance
SONET 3 is coming with 155.5 Mbps

75
Dedicated Lines

Physical communication lines connecting two
locations
Usually more expensive than other options
Leased from larger service providers
T1 1.544 Mbps
T3 44.736 Mbps

76
Public Switched Telephone Network (PSTN)

Also known as POTS
Interconnected systems operated by different
companies
All digital except for the last mile
Analog converted to digital at Central Office

77
Integrated Services Digital Network (ISDN)

Moves the last mile from analog to digital
Data rates of 64 Kbps
Circuit-switched instead of packet-switched
Uses bearer channels to move data and a single
separate channel (D) to setup
Used by most companies as backup
BRI 2 64-kbps B channels and 1 D
PRI 23 64-kbps B channels and 1 D

78
Digital Subscriber Line (DSL)

Digital solution for the last mile
Very high frequency
Must be a POP within 2.5 miles
Farther from a POP, lower the bandwidth
Always On technology
32 Mbps for upstream traffic
32 Kbps for downstream traffic

79
Cable Modems

Service provided by local cable company
Security issues of neighborhood sniffing
Cable modem converts RF to digital
Could overload cable companies
Most offer speeds up to 2 Mbps but is shared with
neighborhood

80
X.25

First WAN packet-switching technology
Considered a fat protocol because of error
detection and correction overhead
Has been replaced by frame relay
Virtual circuits are used
Customers share and pay for the same network

81
Frame Relay

Fastest WAN packet-switching protocol
Path set up for two locations to communicate
Path is permanently configured (PVC)
Could be dynamically built (SVC)
Customers are offered a dedicated rate of flow
(CIR)
Inexpensive with rates from 56K to T1

82
Asynchronous Transfer Mode (ATM)

Provides the highest bandwidth
Uses 53-byte fixed cells
Intelligence is hardware based
Technology used for Internets backbone
Equipment is expensive
Available in Constant Bit Rate (CBR), Variable
Bit Rate (VBR), Available Bit Rate (ABR) or
Unspecified Bit Rate (UBR)

83
Multiplexing (MUX)