Telecommunications, Network, and Internet Security - PowerPoint PPT Presentation

Slides: 331
Provided by: JohnBe178

Transcript and Presenter's Notes

Title: Telecommunications, Network, and Internet Security


1
Telecommunications, Network, and Internet Security
2
Introduction
  • The telecommunications, network, and Internet
    security domain discusses the
  • Network structures
  • Transmission methods
  • Transport formats
  • Security measures used to provide availability,
    integrity, and confidentiality
  • Authentication for transmission over private and
    public communications networks and media.

3
Objectives
  • The CISSP should be able to
  • Describe the telecommunications and network
    security elements as they relate to the
    transmission of information in local area, wide
    area, and remote access.
  • Define the concepts associated with the Internet,
    intranet, and extranet communications, such as
    firewalls, gateways, and associated protocols.

4
Objectives (cont.)
  • The CISSP should be able to
  • Identify the communications security management
    and techniques that prevent, detect, and correct
    errors so that the protection of information
    transmitted over networks is maintained.

5
Goals of Network Security
  • The common thread among good information security
    objectives is that they address all three core
    security principles.

6
Specific Network Security Objectives
  • The objectives of network security
  • Transmission channels and services are secure and
    accessible.
  • Network security mechanisms interoperate and are
    operational.
  • Messages sent are the messages that are received.
  • Message link is between valid source and
    destination nodes.

7
Specific Network Security Objectives (cont.)
  • Message non-repudiation is available.
  • Prevent unauthorized disclosure of messages.
  • Prevent unauthorized disclosure of traffic flows.
  • Remote access mechanisms are secure.
  • Security mechanisms are easy to implement and
    maintain.
  • Security mechanisms are transparent to end-users.

8
Subtopics
  • Data Networks
  • Network Protocols
  • Telephony
  • Remote Access
  • Network Threats, Attacks and Countermeasures
  • Network Access Controls
  • Network Availability Technologies
  • Internet and Web Security Protocols
  • Multimedia and Quality of Service
  • Information Security Activities

9
Section Objectives
  • Describe various network architectures
  • List the elements and devices that comprise a
    data network
  • Describe data network technologies

10
Data Network Structures
  • Examples
  • Personal Area Network
  • Wireless Personal Area Network
  • Local Area Network
  • Metropolitan Area Network
  • Campus Area Network
  • Wide Area Network
  • Internet
  • Intranet
  • Extranet
  • Value Added Network
  • World Wide Web
  • Global Area Network

11
Data Network Components
  • Data network components include
  • Mainframe/Server Hosts
  • File Servers
  • Workstations
  • Software - Network Operating System and
    Applications

12
Data Network Components (cont.)
  • Data network components include
  • Network Adapter/Network Interface Card
  • Hub/Concentrator/Repeater
  • Bridges
  • Switches - Layer 2, 3, 4, etc.
  • Routers
  • Gateways

13
Data Network Components (cont.)
  • Data network components include
  • Physical Cabling
  • Twisted Pair/Coaxial Cable/Fiber Optics
  • Wireless
  • Radio Frequency/ Infrared/Optical/ Satellite

14
Circuit Switched Networks
  • Information is segmented into pieces that fit
    within a channel or time slot (usually 8 bits).
  • A connection is established permanently or on
    demand and is maintained between switches in
    order to route traffic to the correct
    destination.
  • Traffic is switched based on Time Division
    Multiplexing (TDM).

15
Packet Switched Networks
  • Each data packet contains information such as
    addresses and sequence numbers.
  • In connectionless (datagram) service each packet
    is routed independently; in virtual-circuit
    service a path is established permanently or on
    demand and maintained between switches.
  • Switches forward the packets toward the final
    destination based on the header information.
  • Traffic is switched based on Statistical Time
    Division Multiplexing (STDM).

16
Circuit vs. Packet Switching
  • Circuit-Switched
  • Designed for constant traffic
  • Typically experience fixed delays
  • Connection-oriented
  • Traffic is sensitive to loss of connection
  • Voice/video oriented
  • Can waste resources
  • Packet-Switched
  • Designed for bursty traffic
  • Typically experience variable delays
  • Connectionless (or virtual-circuit) oriented
  • Traffic is sensitive to loss of data
  • Data oriented
  • Can introduce delays

17
Virtual Circuits
  • A logical circuit created over a packet switched
    network
  • Two types
  • Permanent Virtual Circuits (PVCs) - permanently
    established circuits that remain in place until
    the network administrators delete them from the
    switches.
  • Switched Virtual Circuits (SVCs)- dynamically
    established when requested and removed when
    transmission is finished

18
LAN Network Topologies
  • LANs are logically or physically organized as
  • Bus
  • Tree
  • Ring
  • Mesh
  • Star
19
LAN Transmission Methods
  • Unicast - packet is sent from source to
    destination address
  • Multicast - packet is copied and sent to a
    specific subset of nodes on the network
  • Broadcast - packet is copied and sent to all
    nodes on the network

20
LAN Media Access Methods
  • Three types of methods are used by hosts to
    access the physical network medium.
  • Carrier Sense Multiple Access (CSMA)
  • With Collision Avoidance (CSMA/CA)
  • With Collision Detection (CSMA/CD)
  • Polling
  • Token Passing

21
LAN Implementations - Subtopics
  • Wireless
  • Bluetooth / IEEE 802.15
  • 802.11a
  • 802.11b
  • 802.11g
  • Wired
  • Ethernet / IEEE 802.3
  • Fiber Distributed Data Interface (FDDI)
  • Token Ring / IEEE 802.5

22
LAN Implementations - Wired
  • Ethernet/IEEE 802.3
  • Usage
  • Most widely used LAN implementation.
  • Access Method
  • CSMA/CD, probabilistic
  • Topology
  • Logically a bus topology, often implemented as a
    physical star or sometimes point-to-point.
  • Speeds
  • Ethernet (10 Mbps), Fast Ethernet (100 Mbps),
    Gigabit Ethernet (1 Gbps)

23
LAN Implementations - Wired
  • Fiber Distributed Data Interface (FDDI)
  • Usage
  • Standard originally designed for fiber optic
    networks.
  • Typically used as backbones for LANs/WANs.
  • FDDI-2 extension provides for voice, video, and
    data.
  • Access Method
  • Token passing, deterministic
  • Topology
  • Ring
  • Speeds
  • 100 Mbps - 1000 Mbps

24
LAN Implementations - Wired
  • Token ring IEEE 802.5
  • Usage
  • Promoted by IBM as their networking standard
  • Access Method
  • Token passing, single token contains priority
    mechanism.
  • Nodes insert, copy, or remove data.
  • Data sent sequentially bit by bit around ring.
  • Topology
  • Star wired ring topology.
  • Speeds
  • 16-100 Mbps

25
Introduction to Wireless
Cordless Phones
26
Wireless Radio Frequency Band
  (chart spanning 0 MHz to 38 GHz, with these bands
  labeled)
  • AM Radio (535-1605 kHz)
  • FM Radio (88-108 MHz)
  • VHF TV (174-216 MHz)
  • UHF TV (512-806 MHz)
  • Analog Cellular (824-894 MHz)
  • Cordless Phones, Baby Monitors, Toys (900 MHz)
  • Digital Cellular (1850-1900 MHz)
  • 802.11b/g, Bluetooth, Phones (2.4 GHz)
  • 802.11a/h, Phones (5 GHz)
27
Wireless Network Standards
  • Bluetooth
  • Used as short distance replacement for cabling
  • Less than 1 Mbps
  • 2.4 GHz frequency band
  • Frequency Hopping Spread Spectrum (FHSS)
  • 802.11b
  • Extension to 802.11 Wireless LAN standard
  • 11 Mbps data rate
  • 2.4 GHz frequency band
  • Direct Sequence Spread Spectrum (DSSS)
  • 802.11a
  • Extension to 802.11 Wireless LAN standard
  • 54 Mbps data rate
  • 5 GHz frequency band
  • Orthogonal Frequency Division Multiplexing (OFDM)
  • 802.11g
  • 54Mbps data rate
  • 2.4 GHz frequency band
  • OFDM
  • 802.11b compatible

28
Wide Area Networks
  • Connects LANs together through technologies such
    as
  • Dedicated leased lines
  • Dial-up phone lines
  • Satellite and other wireless links
  • Data packet carrier services

29
WAN Network Technologies - Subtopics
  • Integrated Services Digital Network
  • Point-to-Point Lines
  • Digital Subscriber Line and Cable Modem
  • Synchronous Data Link Control and Derivatives
  • X.25
  • Frame Relay
  • Asynchronous Transfer Mode
  • Wireless Wide Area
  • WAP
  • i-Mode
  • IP Telephony

30
ISDN and Point to Point Lines
  • Integrated Services Digital Network (ISDN)
  • Attributes
  • End-to-End digital connectivity
  • Integrated access
  • Small family of standard interfaces
  • Message-oriented signaling
  • Customer control
  • Point to Point Lines
  • Types
  • Leased Lines
  • Digital Circuits
  • Optical Circuits.

31
DSL and Cable Modems
  • DSL and Cable Modems
  • Always-on technologies (as opposed to
    on-demand), that provide high-speed connections
    that pose risks to unprotected computers.
  • DSL
  • Provides high-bandwidth data transport
  • Uses existing twisted pair telephone lines
  • Cable Modem
  • High-speed access to the Internet over television
    cable lines.
  • Uses a modem that filters the coaxial cable
    connection.

32
SDLC and HDLC
  • SDLC and HDLC
  • Data link layer protocols.
  • Designed for point-to-point connections.
  • Developed to carry data.
  • Synchronous Data Link Control (SDLC)
  • Protocol developed by IBM for their SNA networks
  • High Level Data Link Control (HDLC)
  • Based on SDLC but standardized by ISO

33
X.25
  • International protocol for a packet-switched
    network technology
  • Defines how connections between user devices and
    network devices are established and maintained.
  • Operates at the Network and Data Link Layers.
  • It uses PVCs and SVCs.
  • Used by telecommunication carriers.
  • Overhead requirements limit it to lower speeds.
  • Data-only support.

34
Frame Relay
  • High performance packet switching technology
  • Operates at the physical and data link layers of
    the OSI model.
  • Designed to replace X.25. Originally, data-only
    support, implementation supports voice and video
    as well.
  • Uses PVCs and SVCs.

35
Asynchronous Transfer Mode (ATM)
  • Very high speed cell relay service, similar in a
    number of ways to frame relay.
  • Transfers data in cells that are a fixed size.
  • Small, constant cell size allows video, audio,
    and computer data to be transmitted over the same
    network.
  • It uses PVCs and SVCs.
  • It is packet switched.
  • Designed to replace frame relay with a faster
    technology designed to carry all traffic types.

36
Wireless Wide Area
  • Satellites provide global coverage in areas where
    terrestrial cable facilities are not available.
  • Microwave technology also supports wide area
    connections.

37
Generations of Wireless Wide Area Protocols
  • 1G Wireless
  • First wave of analog phones
  • Heavy and bulky
  • Not many services other than voice
  • 2G Wireless
  • Commonly deployed
  • Smaller size
  • Caller id, paging, email
  • 2.5G Wireless
  • Addition of always on Internet email and alerts
    (GPRS)
  • Higher data rates
  • 3G Wireless
  • First hit in Japan late 2001
  • Packet technology
  • Higher connection speeds (video conferencing,
    MPEG)

38
Wireless Application Protocol (WAP)
  • Standard protocol for enabling wireless data
    access via small portable terminals to secure
    transaction services.
  • It supports wireless browsing, messaging, and
    other applications.
  • It uses less resources (i.e., CPU, memory) and is
    simpler than TCP/IP.
  • WAP supported networks include
  • CDPD, CDMA, GSM, PDC, PHS, TDMA, FLEX, ReFLEX,
    iDEN, TETRA, DECT, DataTAC, and Mobitex

39
i-Mode
  • Mobile Internet service
  • First introduced in Japan by NTT DoCoMo, Inc.
  • Now available in European markets through i-mode
    partners including Belgium, France, Germany,
    Greece, Italy, Spain, Netherlands, etc.
  • Wide variety of specialized services including
  • Online shopping
  • Banking
  • Ticket reservation
  • Restaurant advice
  • Multimedia e-mailing of still and moving images
  • Java-based application for downloading and
    storing sophisticated content

40
Mobile Phone Vulnerabilities
  • Lack of policies and awareness
  • Theft of mobile phones, Personal Digital
    Assistants (PDAs) and their data
  • Subscriber Identity Module cloning
  • False Base Stations
  • Stealing secrets using phone-based or PDA-based
    cameras, email, storage chips, etc.
  • Access to the Internet, bypassing the firewalls

41
Mobile Phone Vulnerabilities (cont.)
  • Short Message Service spamming
  • Malicious downloadable code or content
  • Encryption is weak or non-existent
  • Turning on wireless encryption does not mean data
    is protected end-to-end
  • Wired portion of the traffic may travel in the
    clear
  • Bluetooth vulnerabilities
  • PIN length, lack of encryption, bluejacking, etc.

42
IP Telephony
  • Integrates the existing voice network with data
    networks.
  • Carries data, voice, and video over a single
    packet network.
  • Uses isochronous (i.e., time-dependent)
    processes where data must be delivered within
    certain time constraints -- used for video that
    requires synchronization.
  • Includes Voice over IP, Voice over Frame Relay,
    Voice over Asynchronous Transfer Mode, etc.

43
Quick Quiz
  • What is the difference between synchronous and
    asynchronous communication?
  • What is the difference between a circuit-switched
    network and a packet-switched network?

44
Section Summary
  • Synchronous communication is the transfer of data
    that relies on the presence of a clocking system
    at both ends of the transmission.
  • Asynchronous communication is the transfer of
    data by sending bits sequentially, with start
    bits and stop bits to mark beginning and end,
    without a shared clock.
  • A circuit-switched network is a connection
    established on demand and maintained between data
    stations in order to allow exclusive use of a
    circuit (transmission line) until the connection
    is released.
  • A packet-switched network has segmented data,
    with each packet containing information such as a
    destination address, source address, and packet
    sequence number. Network devices route the
    packets to the final destination.

45
Subtopics
  • Data Networks
  • Network Protocols
  • Telephony
  • Remote Access
  • Network Threats, Attacks and Countermeasures
  • Network Access Controls
  • Network Availability Technologies
  • Internet and Web Security Protocols
  • Multimedia and Quality of Service
  • Information Security Activities

46
Section Objectives
  • Describe various standard network protocols
  • Describe the OSI network model
  • Describe the TCP/IP network protocol
  • Identify network protocol vulnerabilities

47
Network Protocol Definition
  • A standard set of rules that governs the exchange
    of data between hardware and/or software
    components in a communications network.
  • A Network Protocol also describes the format of a
    message and how it is exchanged.
  • When computers communicate with one another, they
    exchange a series of messages.
  • To understand and act on these messages,
    computers must agree on what a message means.

48
Subtopics
  • Open System Interconnection (OSI) Model
  • Transmission Control Protocol/Internet Protocol
    (TCP/IP)

49
OSI Model
  • Seven Layers
  • Data transfer is accomplished by a layer
    interacting with the layer above or below through
    the use of interface control information.
  • ISO 7498
  • Describes the OSI model; its security architecture
    part (ISO 7498-2) defines the security services,
    where they fit in the layered model, and the
    mechanisms that implement them:
  • Authentication Exchange
  • Traffic Padding
  • Routing Control
  • Notarization
  • Encipherment
  • Digital Signatures
  • Access Control
  • Data Integrity

50
Layer Interaction
  (figure: the seven protocol layers, 7 Application,
  6 Presentation, 5 Session, 4 Transport, 3 Network,
  2 Data Link, 1 Physical, on Host 1 and Host 2; each
  layer wraps the Original Message in its own header
  and trailer, Hdr3/Tlr3 around Data 3, Hdr2/Tlr2
  around Data 2, Hdr1/Tlr1 around Data 1, so the bits
  on the physical medium read
  Hdr1 Hdr2 Hdr3 Message Tlr3 Tlr2 Tlr1)
51
Application Layer
  • Provides a user interface through which the user
    gains access to the communication services.
  • Ideal place for end-to-end encryption and access
    control.

52
Presentation Layer
  • Ensures compatible syntax in how the information
    is represented for exchange by applications.
  • Not used extensively.

53
Session Layer
  • Coordinates communications dialogue between
    cooperating application processes.
  • Maintains a logical connection between two
    processes on end hosts.
  • Ideal place for identification and authentication.

54
Transport Layer
  • Ensures host-to-host information transfer.
  • Provides reliable, transparent data transfers
    between session entities.
  • Isolates the user from any concerns about the
    actual movement of the information.
  • A place to implement end-to-end encryption.

55
Network Layer
  • Selects and manages a route chosen from the
    available links arranged as a network.
  • Can determine alternate routes to avoid
    congestion or node failure.
  • A place to implement link, or end-to-end
    encryption.

56
Data Link Layer
  • Responsible for reliable delivery of information
    over a point-to-point or multi-point network.
  • Can be divided into Logical Link Control and
    Media Access Control.
  • Common place to implement link encryption.

57
Physical Layer
  • Provides for the transparent transfer of a bit
    stream over a physical circuit.
  • Provides physical or virtual connection for
    transmission between data link entities.

58
TCP/IP
  • Suite of protocols.
  • Transmission Control Protocol (TCP)
  • Internet Protocol (IP)
  • De facto standard for networking.
  • Architecture-independent.
  • Security was not originally designed into the
    protocols. Therefore, security-specific
    protocols have been devised for use on TCP/IP
    networks.

59
OSI vs. TCP/IP
  (figure: the seven OSI Model layers side by side
  with the TCP/IP Implementation layers)
60
TCP/IP Application Layer
  • Includes the functionality of the OSI
    application, presentation, and session layers.
  • Sends to and retrieves data from the transport
    layer.
  • Converts received data to a usable, viewable
    format.

61
TCP/IP Transport Layer
  • Transfers data between different applications on
    end hosts.
  • Can construct data in two ways
  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)

62
TCP/IP Network Layer
  • Defines how information is sent between hosts.
    It contains the
  • Internet Protocol (IP)
  • Internet Control Message Protocol (ICMP)
  • Internet Group Management Protocol (IGMP)

63
TCP/IP Data Link Layer
  • Defines how the physical layer transmits the
    network layer packets between adjacent or
    broadcast computers
  • Resolves information into bits that control
    construction and exchange of packets.
  • Mediates access to the physical layer.

64
TCP/IP Physical Layer
  • Defines the encoded signaling on the transmission
    channel.
  • Specifies the characteristics of the wire that
    connects the machines in a network.
  • Specifies how network cards encode the bits they
    transmit.
  • Includes the transmission medium.

65
Data Encapsulation
  • To transmit data across a layered network, the
    data passes through each layer of the protocol
    stack.
  • It begins at the application layer with the
    application software passing the data to the next
    lower protocol in the stack.
  • At each layer the data is encapsulated: the
    protocol adds its own header (and, for some
    layers, a trailer) so that the data is in the
    format the next protocol layer requires.

66
Data Encapsulation
  (figure, Send going down the stack and Receive
  going up)
  Application Layer (Program):  Data
  Transport Layer (TCP Module): TCP Header | Data
  Network Layer (IP Module):    IP Header | TCP Header | Data
  Data Link Layer:              DL Header | IP Header | TCP Header | Data
67
Data Structure Terminology
  Layer                         TCP        UDP
  Application Layer             stream     message
  Transport Layer               segment    packet
  Internet (Network) Layer      datagram   datagram
  Network Access (Data Link)    frame      frame
68
TCP/IP Implementation
  (figure)
  Application Layer:  Program, Program
  Transport Layer:    TCP, UDP
  Network Layer:      IP, ICMP, IGMP
  Data Link Layer:    Hardware Interface, ARP, PPP
  Physical Layer:     Network Cable
69
TCP/IP
  • The protocols in the TCP/IP suite work together
    to
  • Break the data into small pieces that can be
    efficiently handled by the network.
  • Communicate the destination of the data to the
    network.
  • Verify the receipt of the data on the other end
    of the transmission.
  • Reconstruct the data in its original form.

70
Network Protocols - Subtopics
  • Point-to-Point Protocol (PPP)
  • Domain Name System (DNS)
  • Address Resolution Protocol (ARP)
  • Simple Network Management Protocol (SNMP)
  • Routing Protocols
  • Internet Protocol (IP)
  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
  • Internet Control Message Protocol (ICMP)
  • Internet Group Management Protocol (IGMP)

71
Internet Protocol (IP)
  • The Internet Protocol is a packet-based protocol
    used to exchange data over computer networks.
  • Network layer protocol.
  • Handles addressing and control information to
    allow packets to travel through the network.
  • IP is a best-effort protocol.

72
IP Functions
  • Define the datagram (the basic unit of
    transmission in the Internet).
  • Define the Internet addressing scheme.
  • Move data between Network Layer and Transport
    Layer.
  • Route datagrams to remote hosts.
  • Perform fragmentation and reassembly of datagrams.

73
IP Addresses
  • Composed of 32-bit addresses that are usually
    written as four decimal numbers (octets)
    separated by periods/dots.
  • Each octet is 8 bits, so its value ranges from 0
    to 255 (all-ones host bits denote a broadcast
    address).

  11011000 . 00011001 . 01101000 . 11001111  =  216 . 25 . 104 . 207
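Added example, not from the original slides: a hand-rolled dotted-quad parser that enforces the 0-255 octet range (and rejects leading zeros, which some C runtimes read as octal), prints the binary form shown above, and derives network, broadcast and mask from a prefix length. The standard `ipaddress` module is used only to cross-check the result; the addresses are constructed.

```python
"""Parse and validate IPv4 dotted-quad addresses by hand.
Added example for the IP Addresses slide; not from the original deck."""

import ipaddress  # used only to cross-check the hand-rolled arithmetic


def parse_ipv4(text: str) -> int:
    """Return the 32-bit integer for a dotted-quad string.

    Rejects anything that is not exactly four decimal octets in 0..255.
    Leading zeros are rejected too: inet_aton-style parsers treat 010 as
    octal 8, which has been used to slip addresses past string filters.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four octets")
    value = 0
    for part in parts:
        if not part.isdigit() or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"{text!r}: bad octet {part!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"{text!r}: octet {octet} exceeds 255")
        value = (value << 8) | octet
    return value


def is_valid_ipv4(text: str) -> bool:
    try:
        parse_ipv4(text)
    except ValueError:
        return False
    return True


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(text: str) -> str:
    """Dotted quad -> 'nnnnnnnn.nnnnnnnn.nnnnnnnn.nnnnnnnn', as on the slide."""
    value = parse_ipv4(text)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def network_info(cidr: str) -> dict:
    """Split 'a.b.c.d/n' into network, broadcast, mask and usable host count."""
    addr_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    addr = parse_ipv4(addr_text)
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    # /31 and /32 have no separate network/broadcast addresses (RFC 3021)
    hosts = (1 << (32 - prefix)) - 2 if prefix < 31 else (1 << (32 - prefix))
    return {"network": to_dotted(network), "broadcast": to_dotted(broadcast),
            "mask": to_dotted(mask), "hosts": hosts}


def cross_check(cidr: str) -> bool:
    """True when the hand-rolled result agrees with the standard library."""
    ours = network_info(cidr)
    ref = ipaddress.ip_network(cidr, strict=False)
    return (ours["network"] == str(ref.network_address)
            and ours["broadcast"] == str(ref.broadcast_address)
            and ours["mask"] == str(ref.netmask))


if __name__ == "__main__":
    print(to_binary("216.25.104.207"))
    print(network_info("216.25.104.207/24"))
    for bad in ("216.25.104.256", "216.025.104.207", "216.25.104"):
        print(bad, "valid" if is_valid_ipv4(bad) else "rejected")
```

The leading-zero rule is the one practitioners forget: an allow-list that compares strings will not match `0127.0.0.1`, yet a libc resolver may happily connect to 127.0.0.1.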
74
IP version 6 (IPv6)
  • Expands the address to 128 bits.
  • Simplifies the header format.
  • Provides support for extensions and options.
  • Adds quality of service capabilities.
  • Adds address authentication and message
    confidentiality and integrity through the IPsec
    extension headers (AH and ESP).

75
IP Security Issues
  • IP Fragmentation Attacks
  • Tiny fragment attack
  • Overlapping fragment attack
  • Teardrop Denial of Service Attack
  • IP Address Spoofing
  • Source Routing
  • Smurf and Fraggle
  • IP Tunneling over other protocols
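Added example, not from the original slides: a checker for the three fragmentation abuses listed above (tiny first fragment, overlapping fragments, and the Teardrop pattern where a later fragment ends inside an earlier one), plus a reassembler that shows why overlap policy matters to an IDS. Fragments are modelled as `(offset_bytes, payload_length, more_fragments)` tuples with offsets in bytes rather than the 8-byte units of the IP header; the fragment trains are constructed.

```python
"""Fragmentation-attack checks for an IPv4 fragment train.
Added example for the IP Security Issues slide; not from the original deck."""

from typing import List, Tuple

Fragment = Tuple[int, int, bool]   # (offset in bytes, payload length, more-fragments flag)

# A first fragment shorter than this cannot hold a complete TCP header, so a
# filter that inspects only the first fragment never sees the ports or flags.
MIN_FIRST_FRAGMENT = 20


def classify_fragments(frags: List[Fragment]) -> List[str]:
    """Return sorted findings: 'tiny', 'overlap', 'teardrop', 'gap'.
    An empty list means the train reassembles cleanly."""
    findings = set()
    ordered = sorted(frags, key=lambda f: f[0])
    if not ordered:
        return []
    first_off, first_len, _ = ordered[0]
    if first_off != 0:
        findings.add("gap")                 # first fragment missing
    elif first_len < MIN_FIRST_FRAGMENT:
        findings.add("tiny")
    end = 0                                 # bytes contiguously reassembled so far
    for off, length, _more in ordered:
        if off < end:
            findings.add("overlap")
            if off + length < end:          # piece ends inside what we already have:
                findings.add("teardrop")    # the negative length that crashed old stacks
        elif off > end:
            findings.add("gap")
        end = max(end, off + length)
    return sorted(findings)


def reassemble(pieces: List[Tuple[int, bytes]], policy: str = "first") -> bytes:
    """Reassemble overlapping data under two policies: 'first' keeps the bytes
    that arrived first, 'last' lets later fragments overwrite. Stacks differ on
    this, so an IDS that applies a different policy than the target host
    reconstructs a different payload (the classic insertion/evasion problem)."""
    total = max(off + len(data) for off, data in pieces)
    buf, seen = bytearray(total), bytearray(total)
    for off, data in pieces:
        for i, byte in enumerate(data):
            if policy == "first" and seen[off + i]:
                continue
            buf[off + i] = byte
            seen[off + i] = 1
    return bytes(buf)


if __name__ == "__main__":
    print(classify_fragments([(0, 1480, True), (1480, 100, False)]))   # clean
    print(classify_fragments([(0, 8, True), (8, 100, False)]))         # tiny
    print(classify_fragments([(0, 36, True), (24, 4, False)]))         # Teardrop shape
    print(reassemble([(0, b"GET /index"), (4, b"XXXX")], "first"))
    print(reassemble([(0, b"GET /index"), (4, b"XXXX")], "last"))
```

The firewall-side fix for tiny fragments is to drop first fragments that are too short to carry the transport header (RFC 1858); for overlaps, either drop the train or normalise it to one policy before inspection.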

76
Transmission Control Protocol (TCP)
  • Provides reliable data transmission.
  • Retransmits lost/damaged data segments.
  • Sequences incoming segments to match original
    order.
  • Marks every TCP packet with a source host and
    port number, as well as a destination host and
    port number.

77
TCP Provides
  • Connection-oriented data management
  • Reliable data transfer
  • Stream-oriented data transfer
  • Push functions
  • Resequencing
  • Flow Control
  • Multiplexing
  • Full-duplex transmission
  • Identification of urgent data
  • Graceful close

78
Connection Oriented TCP
  • TCP maintains status and state information about
    each user data stream flowing into and out of the
    TCP module.
  • TCP provides end-to-end transfer of data across
    one network or multiple networks to a receiving
    user application.

79
Sample TCP Session
80
TCP Security Issues
  • TCP Sequence Number Attacks
  • Session Hijacking
  • SYN Flood
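Added example, not from the original slides: a minimal model of the server side of the three-way handshake, used to show two of the issues above. A blind spoofing attacker never sees the SYN/ACK, so the connection only completes if the server's initial sequence number is predictable; the same model shows how unanswered SYNs pile up as half-open state. The server, addresses and the "+64000 per connection" counter are constructed stand-ins, not any real stack's behaviour.

```python
"""TCP sequence-number prediction and SYN-flood state, modelled in a few lines.
Added example for the TCP Security Issues slide; not from the original deck."""

import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class Server:
    isn_generator: Callable[[], int]
    half_open: Dict[Endpoint, int] = field(default_factory=dict)     # src -> our ISN
    established: List[Endpoint] = field(default_factory=list)

    def on_syn(self, src: Endpoint, client_isn: int):
        """Answer a SYN with SYN/ACK carrying our ISN. The reply goes to src,
        which a spoofing attacker never sees; the state stays until ACKed."""
        isn = self.isn_generator()
        self.half_open[src] = isn
        return ("SYN/ACK", isn, (client_isn + 1) & 0xFFFFFFFF)

    def on_ack(self, src: Endpoint, ack_number: int) -> bool:
        """Third packet: accepted only if it acknowledges our ISN + 1."""
        expected = self.half_open.get(src)
        if expected is None or ack_number != (expected + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[src]
        self.established.append(src)
        return True


def counter_isn(step: int = 64000, start: int = 1000) -> Callable[[], int]:
    """Old-style ISN: a counter bumped by a fixed amount per connection."""
    state = {"v": start}

    def gen() -> int:
        state["v"] = (state["v"] + step) & 0xFFFFFFFF
        return state["v"]
    return gen


def random_isn(rng: random.Random) -> Callable[[], int]:
    """Unpredictable ISN, the RFC 6528 approach (a keyed hash in real stacks)."""
    return lambda: rng.getrandbits(32)


def predictable_server() -> Server:
    return Server(counter_isn())


def randomized_server(seed: int = 7) -> Server:
    return Server(random_isn(random.Random(seed)))


def blind_spoof(server: Server, step_guess: int = 64000,
                victim: Endpoint = ("10.0.0.5", 1023),
                attacker: Endpoint = ("203.0.113.9", 40000)) -> bool:
    """Mitnick-style attack: open a real connection to sample the current ISN,
    then send a SYN with the victim's address and guess the ISN the server
    will hand out next. Returns True if the spoofed connection completes."""
    _, isn_seen, _ = server.on_syn(attacker, client_isn=1)    # we receive this one
    server.on_ack(attacker, (isn_seen + 1) & 0xFFFFFFFF)
    guess = (isn_seen + step_guess) & 0xFFFFFFFF
    server.on_syn(victim, client_isn=5)                        # SYN/ACK goes to victim, unseen
    return server.on_ack(victim, (guess + 1) & 0xFFFFFFFF)


def syn_flood(server: Server, count: int) -> int:
    """Send `count` SYNs from distinct spoofed sources and never ACK them;
    returns how much half-open state the server is now holding."""
    for i in range(count):
        src = (f"198.51.100.{i % 254 + 1}", 1024 + i)
        server.on_syn(src, client_isn=i)
    return len(server.half_open)


if __name__ == "__main__":
    print("spoof vs counter ISN:", blind_spoof(predictable_server()))
    print("spoof vs random ISN: ", blind_spoof(randomized_server()))
    print("half-open after flood:", syn_flood(predictable_server(), 1000))
```

Real stacks bound the half-open table (the listen backlog) and fall back to SYN cookies, which encode the state in the ISN itself so nothing is stored until the ACK arrives.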

81
User Datagram Protocol (UDP)
  • Transport layer protocol
  • Provides quick and simple service
  • Provides unreliable, connectionless, service for
    applications

82
UDP Security Issues
  • Does not offer error correction, retransmission,
    or protection from lost, duplicated, or
    re-ordered packets.
  • Easier to spoof since there are no session
    identifiers (handshake, sequence number and ACK
    bit)

83
Internet Control Message Protocols (ICMP)
  • Used to exchange control messages between
    gateways and hosts regarding the low-level
    operation of the Internet.
  • Also used for diagnostic tools such as Ping and
    Traceroute.
  • The ICMP message is encapsulated within the IP
    packet.

84
ICMP Security Issues
  • Denial of Service
  • Ping of Death
  • Host/Network Not Reachable messages
  • ICMP Redirect
  • Traceroute

85
Internet Group Management Protocol (IGMP)
  • Supports multicast transmissions (IP can address
    unicast, broadcast, and multicast destinations;
    IGMP manages the group memberships).
  • When a message is sent to a particular multicast
    group, all computers in that group will get a
    copy of the message.
  • It is used by hosts to report multicast group
    memberships to neighboring multicast routers.

86
Point-to-Point Protocol (PPP)
  • Data link layer protocol.
  • Standardized encapsulation protocol for
    transporting packets over dial-up and dedicated
    transmission links.
  • Supports other protocols, including
    authentication protocols.

87
Domain Name System (DNS)
  • Distributed Internet directory service.
  • Global network of name servers that translate
    host names to numerical IP addresses.
  • www.ISC2.org -> 209.164.6.194
  • Internet services rely on DNS to work, if DNS
    fails, web sites cannot be located and email
    delivery stalls.

88
DNS (cont.)
  • It is tree structured.
  • Contains two elements
  • Name Server - responds to client requests by
    supplying name to address conversions.
  • Resolver - when it does not know the answer, the
    resolver element will ask another name server for
    the information.

89
DNS Security Issues
  • Attackers have been known to corrupt the tree and
    obtain access to a trusted machine.
  • The name servers can be poisoned so that
    legitimate addresses are replaced.
  • Unauthorized users could discover sensitive
    information if querying is allowed by users.
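Added example, not from the original slides: a caching-resolver model that shows which fields a response must match before it can replace a legitimate address. A blind attacker floods forged answers for every 16-bit transaction ID; that succeeds against a resolver that always sends from port 53 and fails once the source port is randomised. A simplified bailiwick rule keeps the forged response from planting records for unrelated names. Messages are dicts standing in for DNS wire format, and the names and addresses are constructed.

```python
"""Cache-poisoning defences at the resolver, modelled without real sockets.
Added example for the DNS Security Issues slide; not from the original deck."""

import random
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Resolver:
    randomize_port: bool = True
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    cache: Dict[str, str] = field(default_factory=dict)
    pending: Dict[int, Tuple[str, int]] = field(default_factory=dict)   # txid -> (qname, port)

    def send_query(self, qname: str) -> dict:
        txid = self.rng.getrandbits(16)
        port = self.rng.randint(1024, 65535) if self.randomize_port else 53
        self.pending[txid] = (qname, port)
        return {"txid": txid, "qname": qname, "dst_port": port}

    def receive(self, resp: dict) -> str:
        """Accept a response only if txid, destination port and question match
        an outstanding query; then only cache names inside the queried zone
        (a simplified bailiwick check)."""
        entry = self.pending.get(resp["txid"])
        if entry is None:
            return "drop:txid"
        qname, port = entry
        if resp["dst_port"] != port:
            return "drop:port"
        if resp["qname"] != qname:
            return "drop:qname"
        del self.pending[resp["txid"]]
        zone = qname.partition(".")[2]
        for name, addr in resp["answers"]:
            if name == qname or (zone and name.endswith("." + zone)):
                self.cache[name] = addr
        return "accepted"


def legitimate_lookup(resolver: Resolver, qname: str, addr: str) -> str:
    """The authoritative server echoes txid, port and question, so it passes."""
    q = resolver.send_query(qname)
    return resolver.receive({"txid": q["txid"], "qname": qname,
                             "dst_port": q["dst_port"], "answers": [(qname, addr)]})


def poison_attempt(resolver: Resolver, qname: str = "www.example.com",
                   evil: str = "192.0.2.66") -> bool:
    """Blind attacker: cannot see the query, so sends one forged answer per
    possible txid, betting the resolver queries from port 53. The forged
    answer also tries to plant a record for an unrelated bank name."""
    resolver.send_query(qname)
    for txid in range(1 << 16):
        forged = {"txid": txid, "qname": qname, "dst_port": 53,
                  "answers": [(qname, evil), ("www.bank.example", evil)]}
        if resolver.receive(forged) == "accepted":
            break
    return resolver.cache.get(qname) == evil


if __name__ == "__main__":
    weak = Resolver(randomize_port=False)
    print("fixed port 53 poisoned:", poison_attempt(weak), weak.cache)
    hard = Resolver()
    print("random port poisoned: ", poison_attempt(hard), hard.cache)
```

Port randomisation only raises the attacker's work to roughly 2^32 guesses; the durable fix is DNSSEC validation, which the slide's "poisoned name server" threat model predates.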

90
Address Resolution Protocol (ARP)
  • Used when a node knows the network layer address,
    but needs the data link layer address to forward
    the encapsulating frame.
  • The ARP software maintains a table of
    translations between IP addresses and data link
    addresses.

91
ARP (cont.)
  • The table is built dynamically - if a destination
    data link address is not found in the table, the
    node will broadcast a message on the data link
    asking for the host with the chosen IP address to
    respond with its data link address.

92
Reverse ARP (RARP)
  • Used to discover the IP address which corresponds
    to a known data link address (MAC).
  • Sometimes used by diskless workstations to learn
    their own IP address.

93
ARP Security Issues
  • ARP is unauthenticated, so an attacker can
    poison the ARP table to spoof another host by
    sending unsolicited ARP replies.
  • An attacker can send an ARP reply mapping the
    attacker's MAC address to the default router's IP
    address; the target will then send all traffic
    destined for the router to the attacker's node.
    The attacker sniffs the traffic, then forwards
    it to the real router.
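Added example, not from the original slides: a passive ARP monitor in the spirit of arpwatch. It builds and parses raw Ethernet/ARP frames with `struct`, remembers each IP-to-MAC binding it sees, and raises an alert for replies nobody asked for and for any change of binding, escalating when the changed address is the default gateway. The frames, addresses and gateway are constructed; the third frame is the forged reply described in the slide.

```python
"""ARP poisoning detector over raw Ethernet/ARP frames.
Added example for the ARP Security Issues slide; not from the original deck."""

import struct
from typing import Dict, List, Optional

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_text(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_text(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def arp_frame(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet/ARP frame; requests go to the broadcast MAC."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    return (ETH.pack(dst, mac_bytes(sha), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa)))


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    _dst, _src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"op": op, "sha": mac_text(sha), "spa": ip_text(spa),
            "tha": mac_text(tha), "tpa": ip_text(tpa)}


class ArpWatch:
    """Passive monitor: tracks IP->MAC bindings, flags unsolicited replies and
    binding changes, with the default gateway treated as critical."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.bindings: Dict[str, str] = {}
        self.asked_for: set = set()      # IPs with an outstanding request

    def observe(self, frame: bytes) -> List[str]:
        a = parse_arp(frame)
        if a is None:
            return []
        if a["op"] == ARP_REQUEST:
            self.asked_for.add(a["tpa"])
            return []
        alerts = []
        if a["spa"] in self.asked_for:
            self.asked_for.discard(a["spa"])
        else:
            alerts.append(f"unsolicited-reply {a['spa']} is-at {a['sha']}")
        known = self.bindings.get(a["spa"])
        if known and known != a["sha"]:
            sev = "CRITICAL" if a["spa"] == self.gateway_ip else "WARN"
            alerts.append(f"{sev} binding-changed {a['spa']} {known} -> {a['sha']}")
        self.bindings[a["spa"]] = a["sha"]
        return alerts


# Constructed capture: the victim asks for the gateway, the real gateway
# answers, then the attacker sends a forged reply claiming the gateway's IP.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "00:11:22:33:44:05"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]


def run(frames: List[bytes], gateway_ip: str = GATEWAY_IP) -> List[str]:
    watch = ArpWatch(gateway_ip)
    return [alert for frame in frames for alert in watch.observe(frame)]


if __name__ == "__main__":
    for line in run(SAMPLE_FRAMES):
        print(line)
```

Detection is the fallback; the preventive controls are dynamic ARP inspection on the switch (which validates replies against DHCP snooping bindings) and static entries for the gateway on critical hosts.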

94
ARP Poisoning
95
Simple Network Management Protocol (SNMP)
  • Provides remote administration of network
    devices.
  • SNMP is referred to as "simple" because the agent
    requires minimal software.
  • SNMP accesses particular instances of an object
    and each object belongs to a community.
  • Community strings are used to provide read-only
    or read-write access controls. They authenticate
    messages sent between the SNMP manager and agent.
  • In SNMPv1 and SNMPv2c the community string is
    sent in the clear, so it is a weak authenticator
    and the well-known defaults ("public", "private")
    must be changed; SNMPv3 adds per-user
    authentication and encryption.

96
Routing Protocols
  • Routing is the process of selecting a path
    through a network.
  • At each router in the network, the datagrams are
    examined, and the destination address is mapped
    to a routing table kept in memory. The table
    tells the router which outgoing link to use to
    continue sending the datagram.
  • Routing protocols are used by routers to
    determine the appropriate path that data should
    travel.

97
Routing Protocols
  • Routing protocols specify how routers share
    information with other routers in the network
    that they can reach.
  • Routing Protocol examples
  • Routing Information Protocol (RIP)
  • Exterior Gateway Protocol (EGP)
  • Border Gateway Protocol (BGP)
  • Open Shortest Path First Protocol (OSPF)

98
Routing Protocols Security Issues
  • A routing table can be compromised or altered to
  • Reduce availability
  • Reroute traffic from a secure network to a
    compromised network
  • Networks may not use any authentication for their
    routing protocols which might result in a lack of
    security for the network infrastructure.

99
Routing Protocols Security Issues (cont.)
  • Attackers can also use source routed packets or
    ICMP redirect messages to bypass controls.

100
Quick Quiz
  • What network protocol is used for internet
    communications?
  • What is the difference between UDP and TCP?
  • What vulnerabilities exist with ICMP?
  • What OSI layer maintains communications between
    processes?
  • What is IPv6? Why is it important?

101
Section Summary
  • Network protocols provide a standard set of rules
    that governs the exchange of data among hardware
    and software components in a communications
    network.
  • Network protocols contain many security
    vulnerabilities.
  • Some protocols are designed to control specific
    vulnerabilities.

102
Subtopics
  • Data Networks
  • Network Protocols
  • Telephony
  • Remote Access
  • Network Threats, Attacks and Countermeasures
  • Network Access Controls
  • Network Availability Technologies
  • Internet and Web Security Protocols
  • Multimedia and Quality of Service
  • Information Security Activities

103
Section Objectives
  • Describe telephony components
  • Discuss telephony vulnerabilities
  • Describe IP telephony
  • Understand how traditional security concepts can
    address IP telephony security concerns

104
Telephony - Traditional Voice Network
  • Simple analog and digital phones
  • Separate cabling systems (data and voice)
  • Closed and proprietary PBX (Private Branch
    Exchange) systems
  • The Public Switched Telephone Network (PSTN)

105
Telephony Voice System Vulnerability
106
Telephony Authorized Modem Vulnerability
  (figure: Telephones, Voicemail, PBX and Modems on
  the voice side; an Attacker dialing in through the
  ISP reaches an Authorized Modem and, through it,
  the LAN, Servers and Workstations)
107
Telephony Outbound Modem Vulnerability
  (figure: Telephones, Voicemail, PBX and Modems; a
  modem on the LAN dials out to the ISP, giving an
  Attacker a path to the LAN, Servers and
  Workstations)
108
Telephony Voice Eavesdropping
  (figure: a Winnipeg Office and a Toronto Office,
  each with Telephones, Voicemail, PBX and Modems;
  the Toronto side also shows ISP, IDS, Firewall,
  LAN, Servers and Workstations; calls between the
  two PBXs cross the carrier network, where they can
  be intercepted)
109
Traditional Voice Data Network
110
Concept of IP Telephony with Wireless
  • IP phones and softphones that can run PC
    applications
  • Voice servers providing IP PBX, Voice Mail,
    Messaging, etc.
  • Media gateways to connect to the PSTN and TDM
    components
  • TDM trunks and IP trunks

111
IP Telephony Network Issues
  • Inherits the security issues of traditional IP
    networks
  • Often runs on operating systems that are not
    hardened
  • IP/Web-based administration
  • Denial of Service (DoS) against the media stream
    can make the service unusable
  • Connected to an untrusted IP network
  • Authentication should be transparent to the user
  • IP telephony intelligence is advancing rapidly

112
IP Telephony Vulnerabilities
  • Voice System
  • Operating System/Support Software Implementation
  • Application implementation
  • Application manipulation (Toll Fraud, Blocking)
  • Unauthorized administrative access
  • Network and media
  • DoS on media and signaling
  • DoS against media gateway / TDM sites
  • DoS against any shared network resource
  • Eavesdropping on conversations
  • Media Tunneling

113
IP Phone attacks
  • IP Phone attacks
  • Rogue softphones
  • Implementation attacks (DoS and access controls)
  • Remote access attacks
  • Local access attacks
  • Unauthorized firmware / applications
  • Protocol attacks

114
Telephony Security: Subtopics
  • Apply the IP security safeguards to the voice
    network
  • Firewalls
  • Strong Authentication
  • Virtual Private Networks
  • Intrusion Detection

115
Telephony Security: Voice Firewall Application
[Diagram labels only: X, Alert]
  • Unauthorized calls should be blocked by the
    firewall

116
Strong Authentication
[Diagram label: Audit Trail Produced]
  • Modem calls should require two-factor
    authentication

117
Voice, Fax, Modem, Video VPN
  • Calls between sites should use encryption

118
Intrusion Detection
[Diagram labels only: Call Monitored!!, Alert Sent to IDS]
  • Real-time monitoring of abusive call patterns,
    DTMF-based attacks
  • Modem/Fax Recording and Content Monitoring

119
IP Telephony Security Recommendations
  • Voice Servers
  • Secure the operating system/network services
  • Patch maintenance
  • Use strong authentication for authorized hosts
  • Maintain strong physical security
  • Follow best practices for basic server/IP
    security
  • Consider using host-based security
  • Consider deploying a firewall and IDS
  • Control access by IP Phones and softphones

120
IP Telephony Security Recommendations
  • Engineer the network to have proper security
  • Maintain strong security on all networking
    components
  • Limit the number of calls over media gateways
  • Infrastructure requirements
  • Switched networks
  • Firewalls and NIDS
  • Perimeter firewalls block unauthorized IP
    Telephony
  • VLANs
  • Encryption
  • Encrypting phones
  • Un-trusted parts of the network

121
IP Telephony Security Recommendations
  • Engineer the network to have proper security
  • Deploy IP Telephony aware perimeter devices for
    end-to-end security
  • Perform high speed processing of the media (and
    NAT)
  • Open and close ports for media sessions
  • Inspect media for tunneling, illegal flow levels,
    and DoS
  • Provide intrusion prevention functions for
    signaling
  • Implement VPN functions, if desired
  • Support appropriate QoS standards

122
IP Telephony Security Recommendations
  • IP Phones
  • Update default administrator passwords
  • Disable unnecessary remote access features
  • Prevent casual local configuration of the IP
    Phone
  • Secure the firmware upgrade process
  • Insist upon IP Phones that support security
    features
  • Limit use of the web server
  • Enable logging
  • Cautiously use IP softphones

123
Quick Quiz
  • What are some examples of telephony
    vulnerabilities?
  • What are the advantages and disadvantages of IP
    telephony?

124
Section Summary
  • The traditional voice network has known
    vulnerabilities.
  • These security issues can be addressed by
    applying technologies with parallels in the data
    network, such as firewalls, intrusion detection,
    VPNs, etc.
  • IP Telephony introduces new vulnerabilities.
  • IP Telephony vulnerabilities can be addressed
    with a combination of existing and new
    technologies.
  • Voice is a unique application and security should
    be managed similarly for the current and IP
    Telephony networks.

125
Subtopics
  • Data Networks
  • Network Protocols
  • Telephony
  • Remote Access
  • Remote Access Security Methods
  • Tunneling Standards
  • Virtual Private Networks
  • Network Threats, Attacks and Countermeasures
  • Network Access Controls
  • Network Availability Technologies
  • Internet and Web Security Protocols
  • Multimedia and Quality of Service
  • Information Security Activities

126
Section Objectives
  • Describe various methods of remote access to a
    network
  • Discuss remote access control techniques
  • Describe remote access tunneling protocols
  • Describe virtual private networks (VPNs)

127
Remote Access Services
  • Typically conducted over an untrusted network.
  • Increased risk to disclosure, modification, and
    denial of service.
  • Remote access security minimums
  • Strong identification and authentication services
  • Rapid growth of remote access via the Internet
  • Wide availability
  • Economical

128
Remote Access Technologies
  • Allows users to access network information
    through a dial-in or wireless connection.

129
Internet Access
  • Allows users to access network information
    through an Internet Service Provider (ISP)
    connection.

130
General Remote Access Safeguards
  • Publish a clear/definitive remote access policy
    and enforce it through audit.
  • Justify all remote users and review regularly,
    such as yearly.
  • Identify and periodically audit all remote access
    facilities, lines and connections.
  • Consolidate all general user dial-up facilities
    into a central bank that is positioned on a DMZ.

131
General Remote Access Safeguards (cont.)
  • Use phone lines restricted to outbound access for
    dial-out services.
  • Set modems to answer after a pre-determined
    number of rings; this counters war dialers.
  • Use secure modems for single-port diagnostic and
    administrative access, or unplug when not in use.
  • Consolidate remote access facilities when
    practical.

132
General Remote Access Safeguards (cont.)
  • Implement two-factor user authentication and
    network access restrictions for remote access to
    all resources on private WAN/LANs.
  • Use Virtual Private Networks for sensitive data
    communications on public networks.
  • Use personal firewalls and anti-virus tools on
    remote computers.

133
Remote Access Controls
  • Three basic methods to restrict dial-up remote
    access are
  • Restricted Access: Only accepts incoming calls
    from addresses on an approved list.
  • Caller ID: Checks each caller's telephone number
    against an approved list.
  • Callback: Callers identify themselves to the
    server with passcodes or ID numbers. The server
    terminates the connection and calls the user back
    at a pre-determined phone number.

134
Tunneling
  • Tunneling is the act of packaging one network
    packet (the tunneled packet) inside another (the
    transport packet).
  • The tunnel is the vehicle for encapsulating
    packets inside a protocol that is understood at
    the entry and exit points of a given network.
  • For confidentiality and integrity, the tunnels
    should be encrypted.

135
Tunneling (cont.)
  • Tunneling can allow different protocols to travel
    over a public IP network.
  • Protocols in use include
  • Point to Point Tunneling Protocol
  • Layer 2 Forwarding Protocol
  • Layer 2 Tunneling Protocol
  • IPSec Protocol
  • MPLS (Multi-Protocol Label Switching)
  • SOCKS
  • SSH

136
PPTP
  • Point to Point Tunneling Protocol (PPTP)
  • One of the first protocols deployed for
    Internet-based virtual private networks.
  • It is a client/server architecture that allows
    the Point-to-Point Protocol (PPP) to be tunneled
    through an IP-network.

137
L2F Protocol
  • Layer 2 Forwarding (L2F) Protocol
  • Permits tunneling at the link layer.
  • Designed as a protocol for tunneling traffic from
    users to their corporate site.
  • Provides mutual authentication of user and
    server.
  • Does not offer encryption.

138
L2TP
  • Layer 2 Tunneling Protocol (L2TP)
  • Hybrid of Layer 2 Forwarding (L2F) and
    Point-to-Point Tunneling Protocol (PPTP).
  • Designed for single user point-to-point
    client/server connection.
  • Multiple protocols can be encapsulated within the
    tunnel.
  • No encryption, but is often deployed over IPSec.

139
IPSec Protocol
  • IP standard for encryption and node
    authentication.
  • It has enough functionality to encrypt,
    authenticate, and carry IP-only data through a
    shared network.
  • While PPTP, L2F, and L2TP are aimed at end users,
    IPSec focuses on LAN-to-LAN or host-to-host
    tunnels.
  • Allows multiple, simultaneous tunnels per end
    host.
  • No user authentication method defined in the
    standard.

140
IPSec AH and ESP
  • The IP Authentication Header (AH)
  • provides connectionless integrity, data origin
    authentication, an optional anti-replay service
  • The Encapsulating Security Payload (ESP)
  • provides confidentiality (encryption) and limited
    traffic flow confidentiality
  • may provide connectionless integrity, data origin
    authentication, anti-replay service

141
IPSec Protocol Security Associations
  • All implementations must support a Security
    Association (SA)
  • Simplex (i.e., one-way) connection that affords
    security services to the traffic carried by it
  • To secure typical, bi-directional communication,
    2 Security Associations (one in each direction)
    are required
  • Security services are provided using AH or ESP
  • If both AH and ESP protection is applied to a
    traffic stream, then 2 (or more) SAs are created

142
Security Association Triplet
  • A security association is uniquely identified by
    a triplet
  • An IP destination address
  • Security protocol (AH or ESP) identifier
  • Security parameter index (SPI)
  • Distinguishes among different SAs terminating at
    the same destination
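
As an added illustration of slides 140 through 142 (not material from the original course deck), the following Python sketch keeps a Security Association Database keyed by the triplet above and runs the AH/ESP anti-replay sliding-window check on a constructed inbound packet stream. The host address, SPIs and sequence numbers are made up; the AH and ESP protocol numbers and the 64-packet window are real values from the standards, but the code is a teaching model, not an IPsec stack.

```python
"""Toy IPsec Security Association Database (SAD) keyed by the SA triplet
(destination address, protocol, SPI), with the per-SA anti-replay window
that AH and ESP maintain.  Added illustration, not an IPsec implementation."""
from dataclasses import dataclass

AH, ESP = 51, 50       # IP protocol numbers of AH and ESP
WINDOW = 64            # anti-replay window in packets (the RFC minimum is 32)


@dataclass
class SecurityAssociation:
    dst: str               # IP destination address
    proto: int             # AH or ESP
    spi: int               # Security Parameter Index chosen by the receiver
    highest_seq: int = 0   # highest sequence number accepted so far
    bitmap: int = 0        # bit i set => sequence (highest_seq - i) already seen

    def check_replay(self, seq: int) -> bool:
        """Sliding-window check.  Returns True and records seq if it is new
        and not older than the window; False for a replay or a stale packet."""
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.highest_seq:             # advance the window to the right
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return False                       # fell off the left edge: stale
        if self.bitmap & (1 << offset):
            return False                       # bit already set: replay
        self.bitmap |= 1 << offset
        return True


class SAD:
    """Security Association Database: one entry per (dst, proto, spi)."""
    def __init__(self):
        self._table = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._table[(sa.dst, sa.proto, sa.spi)] = sa

    def lookup(self, dst: str, proto: int, spi: int):
        return self._table.get((dst, proto, spi))


def process_inbound(sad: SAD, packets):
    """packets: iterable of (dst, proto, spi, seq) as parsed from the AH/ESP
    header.  Returns one verdict string per packet."""
    verdicts = []
    for dst, proto, spi, seq in packets:
        sa = sad.lookup(dst, proto, spi)
        if sa is None:
            verdicts.append("drop: no SA")            # unknown triplet
        elif not sa.check_replay(seq):
            verdicts.append("drop: replay or stale")
        else:
            verdicts.append("accept")
    return verdicts


def demo():
    """Constructed packet stream toward one host that has two inbound SAs."""
    sad = SAD()
    sad.add(SecurityAssociation("192.0.2.10", ESP, 0x1001))   # ESP SA
    sad.add(SecurityAssociation("192.0.2.10", AH, 0x1001))    # same SPI, AH: a distinct SA
    stream = [
        ("192.0.2.10", ESP, 0x1001, 1),      # accept
        ("192.0.2.10", ESP, 0x1001, 2),      # accept
        ("192.0.2.10", ESP, 0x1001, 2),      # replayed copy: drop
        ("192.0.2.10", AH,  0x1001, 2),      # different SA, own window: accept
        ("192.0.2.10", ESP, 0x1001, 70),     # accept, window now covers 7..70
        ("192.0.2.10", ESP, 0x1001, 5),      # older than the window: drop
        ("192.0.2.10", ESP, 0x1001, 10),     # late but inside the window: accept
        ("192.0.2.10", ESP, 0x9999, 1),      # SPI with no SA: drop
    ]
    return process_inbound(sad, stream)
```

The same SPI value selects two different SAs because the protocol identifier is part of the key; that is why the triplet, not the SPI alone, identifies an SA.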

143
Security Association Combinations
  • Security associations may be combined in two
    ways
  • Transport adjacency: using the same IP datagram
    to apply multiple security protocols, without
    invoking tunneling
  • Allows for only one level of combination; further
    nesting yields no additional benefit
  • Transport mode encrypts normal communication
    between end-nodes (peer to peer).
  • Iterated tunneling: applying multiple layers of
    security protocols through IP tunnels
  • allows for multiple levels of nesting
  • each tunnel can originate or terminate at a
    different IPSec site along the path
  • Iterated tunneling mode is designed to be used by
    VPN gateways (LAN to LAN/office to office).
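
Slides 134 and 143 describe packaging one packet (the tunneled packet) inside another (the transport packet) and nesting such tunnels. The Python example below is added here and is not part of the original deck: it builds real IPv4 headers for a two-level IP-in-IP tunnel (host to gateway inside gateway to gateway) and peels them again. Addresses and payload are constructed, and no encryption is applied, so the last field of the result shows why slide 134 asks for encrypted tunnels.

```python
"""IP-in-IP encapsulation and iterated (nested) tunnels built from raw IPv4
headers.  Added illustration; plain IP-in-IP (protocol 4) is used so the
packet bytes are easy to inspect.  No encryption is applied, which is the point."""
import ipaddress
import struct

IPPROTO_IPIP = 4             # IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17
HDR_FMT = "!BBHHHBBH4s4s"    # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble an IPv4 packet with a correct header checksum."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject short or corrupted headers."""
    if len(pkt) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("malformed header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[ihl:total_len])


def encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap a whole packet (the tunneled packet) inside a transport packet."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner)


def peel_tunnels(pkt: bytes):
    """Strip every IP-in-IP layer.  Returns the list of (src, dst) per layer,
    outermost first, plus the innermost (src, dst, proto, payload)."""
    layers = []
    while True:
        src, dst, proto, payload = parse_ipv4(pkt)
        if proto != IPPROTO_IPIP:
            return layers, (src, dst, proto, payload)
        layers.append((src, dst))
        pkt = payload


def demo():
    """Constructed two-level (iterated) tunnel: a host-to-gateway tunnel
    carried inside a gateway-to-gateway tunnel.  Addresses are from the
    documentation ranges."""
    inner = build_ipv4("10.1.1.5", "10.2.2.9", IPPROTO_UDP, b"payroll-export")
    hop1 = encapsulate(inner, "203.0.113.7", "198.51.100.1")   # client -> site gateway
    hop2 = encapsulate(hop1, "198.51.100.1", "192.0.2.1")      # site gateway -> remote gateway
    layers, innermost = peel_tunnels(hop2)
    return {
        "layers": layers,
        "innermost": innermost,
        "outer_len": len(hop2),
        # without encryption the tunneled payload is readable on the wire
        "payload_visible_on_wire": b"payroll-export" in hop2,
    }
```

Each encapsulation costs another 20-byte header, and the innermost addresses and data stay in the clear until ESP or a similar mechanism is applied to the tunnel.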

144
IPSec Protocol
  • IPSec imposes computational performance costs on
    the hosts or security gateways.
  • Memory needed for IPSec code and data structures.
  • Computation of integrity check values.
  • Encryption and decryption.
  • Added per-packet handling, manifested as
    increased latency and possibly reduced
    throughput
  • Use of SA/key management protocols, especially
    those that employ public key cryptography, also
    adds computational performance costs to use of
    IPSec

145
Multi-Protocol Label Switching (MPLS)
  • Does not rely on encapsulation and encryption to
    maintain high-level of security
  • Service providers create IP tunnels throughout
    their network without encryption
  • Uses forwarding tables and labels to create a
    secure connection
  • Used to guarantee a certain level of performance,
    to route around network congestion, or to create
    IP tunnels for network-based virtual private
    networks

146
MPLS Benefits
  • MPLS brings benefits to IP-based networks, such
    as
  • Traffic Engineering - the ability to set
    performance characteristics and the path a
    particular class of traffic will use
  • VPNs: gives service providers the ability to
    provide IP tunnels through their network without
    the need for end-user applications or encryption

147
Socket Security (SOCKS)
  • Circuit-level proxy that contains authentication
    and encryption features.
  • Usually used to allow internal computers access
    to the external Internet
  • Can be used for tunneling to allow external users
    access to the internal network.
  • Requires client applications to be SOCKS-ified.

148
Secure Shell (SSH, SSH2)
  • SSH
  • Powerful method of performing client
    authentication
  • Safeguards multiple service sessions between two
    systems.
  • Provides support for
  • Host and user authentication
  • Data compression
  • Data confidentiality and integrity
  • Credentials are validated by digital certificate
    exchange using RSA.

149
Virtual Private Networks (VPN)
  • Virtual Private Network (VPN)
  • Dynamically established secure network link
    between two specific network nodes or subnets
    using a secure encapsulation method.
  • Uses tunneling AND encryption to protect private
    traffic over an un-trusted network.

150
VPN LAN-to-LAN Configuration
[Diagram labels only: VPN Server, VPN Server, Internet, DMZ, Encrypted, LAN, LAN, Firewall, Firewall; captions: VPN Server is on DMZ, VPN Server is behind the firewall]
151
Mobile User-to-LAN VPN
152
IPSec Compatible VPN Devices
  • IPSec Compatible VPN Devices
  • Derive confidentiality and integrity from
    workstation IP address and either machine
    certificate or shared secret key.
  • Require least user intervention since IPSec
    authentication and encryption are not user-based.
  • Work only with IP, not multi-protocol.
  • Operate at the Network Layer of OSI model.

153
IPSec Compatible VPN Devices (cont.)
  • Key management is a critical component of using
    IPSec for a VPN.

[Diagram: IPSEC Key Exchange]
154
Non-IPSec Compatible VPN Devices
  • Non-IPSec Compatible VPN Devices
  • Use protocols such as PPTP, SOCKS, or MPLS.
  • Provide advantages over IPSEC
  • Two-factor authentication
  • Better integration with proxy servers and NAT.

155
Firewall based VPN Devices
  • Integrated with many firewall systems.
  • Central VPN administration is integrated on
    firewall system.
  • Often uses proprietary, non-standard protocols.
  • Allows VPN traffic to be securely transmitted and
    filtered by the firewall.
  • Typically does not provide any user
    authentication, but relies on the firewall
    authentication service to perform the user
    identification and authentication.

156
Quick Quiz
  • What functions does a VPN provide?
  • What is IPSec?
  • What is tunneling?
  • Name a few tunneling protocols.

157
Section Summary
  • Remote access typically refers to accessing a
    trusted network from outside the network.
  • Identification and authentication is critical
    prior to establishing remote access.
  • A VPN can be used to help support remote access.
  • Various protocols exist to support and control
    remote access.

158
Subtopics
  • Data Networks
  • Network Protocols
  • Telephony
  • Remote Access
  • Network Threats, Attacks and Countermeasures
  • Network Access Controls
  • Network Availability Technologies
  • Internet and Web Security Protocols
  • Multimedia and Quality of Service
  • Information Security Activities

159
Section Objectives
  • Understand the categories of attacks that can
    impact network security
  • Identify wireless network components
  • Describe wireless protocols
  • Discuss wireless threats and vulnerabilities
  • Describe wireless controls components
  • Understand Instant Messaging vulnerabilities
  • Describe the steps in a successful network attack

160
Various Network Threats and Attacks
  • Denial of Service (DoS)
  • Distributed DoS
  • Mobile Code
  • Malicious Code
  • Wireless LAN Vulnerabilities
  • Spoofing
  • Sniffing
  • Eavesdropping
  • Masquerading
  • Instant Messaging (IM) Vulnerabilities

161
Remote Access Threat
  • Often provides undetected access to unprotected
    back doors.
  • A brute force attack on a location's prefix using
    a war dialer is an example.
  • Targets of opportunity include
  • Insecure Internet connections
  • Unsecured modem access
  • Diagnostic ports on various network devices
  • Administrative ports on voice mail systems, PBX,
    fax servers
  • Unauthenticated sessions

162
The Target
  • Sensitive and critical information.
  • Computing services, such as storage space and
    other resources.
  • Toll telephone services
  • Voice mail
  • Network access to interconnected networks, such
    as customers or business partners.

163
Wireless LAN Vulnerabilities: Subtopics
  • Detection
  • Eavesdropping
  • Modification
  • Injection
  • Hijacking
  • WLAN Architecture
  • Radio Frequency Management

164
Detection and Eavesdropping
  • Detection
  • WLAN will generate and broadcast detectable radio
    waves for a great distance
  • Eavesdropping
  • WLAN signals extend beyond physical security
    boundaries

165
Eavesdropping
  • Service Set Identifier (SSID) may be broadcast.
  • SSID string may identify your organization.

166
Eavesdropping
  • Standard Wired Equivalent Privacy (WEP)
    encryption is often not used.
  • When used, WEP is flawed and vulnerable.
  • No user authentication in WEP.

167
Modification, Injection and Hijacking
  • Modification
  • Standard Wired Equivalent Privacy (WEP)
    encryption has no effective integrity protection.
  • Injection
  • Static WEP keys can be determined by analysis.
  • Adversaries can attach to the network without
    authorization.
  • Hijacking
  • Adversaries can hijack authenticated sessions
    protected only by WEP.

168
WLAN Architecture
  • Security Architecture

[Diagram labels only: DMZ, Firewall, Internal Network, Rogue AP]
169
Radio Frequency Management
  • Poor RF management will lead to unnecessary
    transmission of your RF signal into unwanted
    areas.
  • Also consider other devices which may cause
    interference.

[Diagram labels only: Parking Lot, Building A]
170
Wireless LAN Security Controls: Subtopics
  1. SSID Broadcasting
  2. MAC Address Filtering
  3. Security Architecture
  4. Radio Frequency Management
  5. Encryption
  6. Authentication
  7. New Wireless LAN Security Protocols

171
SSID Broadcasting
  • Disable the broadcasting of the SSID.
  • Not possible on all Access Points
  • Easily bypassed
  • Only useful on low-value networks
  • SSID should also not be easily correlated to your
    organization name

172
MAC Address Filtering
  • Some Access Points allow the administrator to
    specify which link layer (MAC) addresses can
    attach.
  • Easily bypassed
  • Does not scale
  • Only useful for low-value networks

173
Security Architecture
[Diagram labels only: DMZ (VPN Server), Firewall, Firewall, DMZ (VPN Server), Internal Network]
174
Radio Frequency Management
  • Use a scanner to determine your RF footprint
  • Monitor interference sources

[Diagram labels only: Parking Lot, Building A]
175
Wireless Encryption
  • Static WEP keys are insufficient for many
    networks
  • New secure protocols are being designed for WLAN
  • Layered VPN is a common solution for WLAN networks

176
Subtopics
  • Wireless LAN Security Mechanisms
  • Access Control
  • Authentication
  • Encryption
  • Integrity
  • 802.11 Wireless LAN Security Protocols
  • 802.1X / Dynamic WEP
  • Wi-Fi Protected Access
  • Robust Security Network

177
Access Control 802.1X
[Diagram: 802.1X Port Blocked vs. 802.1X Port Open]
178
Authentication
  • Wireless LAN needs an authenticated key exchange
    mechanism
  • Most secure WLAN implementations use Extensible
    Authentication Protocol (EAP)
  • Many EAP methods are available
  • One-factor methods include EAP-MD5, LEAP,
    PEAP-MSCHAP, TTLS-MSCHAP, EAP-SIM
  • Two factor methods include EAP-TLS, TTLS with
    OTP, and PEAP-GTC
  • Need mutual authentication

179
Encryption
  • Static WEP
  • Dynamic WEP
  • Temporal Key Integrity Protocol (TKIP)
  • Uses RC4 Stream Cipher with 128 bit per-packet
    keys
  • Counter-Mode-CBC-MAC Protocol (CCMP)
  • Uses Advanced Encryption Standard (AES) with 128
    bit keys

180
Integrity Protection
  • WEP has no cryptographically strong integrity
    protection
  • TKIP uses a new Message Integrity Code called
    Michael
  • CCMP uses AES in CBC
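
To show the difference the Encryption and Integrity Protection slides draw between WEP's CRC-32 ICV and a keyed Message Integrity Code, here is an added Python example (not from the original deck). HMAC-SHA256 stands in for CCMP's AES CBC-MAC because the standard library has no AES; the frame layout, key and payload strings are constructed. It also models the CCMP packet-number replay check, which the slides do not mention.

```python
"""Unkeyed ICV (WEP, CRC-32) versus keyed MIC (TKIP Michael, CCMP CBC-MAC).
Added teaching model: HMAC-SHA256 replaces AES CBC-MAC, and the data is
left unencrypted so the integrity behaviour is the only thing on display."""
import hashlib
import hmac
import struct
import zlib

MIC_LEN = 8     # Michael (TKIP) and CCMP both carry an 8-byte MIC
PN_LEN = 6      # CCMP packet number: 48 bits, strictly increasing per key


def wep_style_protect(data: bytes) -> bytes:
    """WEP appends a CRC-32 'ICV'.  The CRC depends on the data only,
    so anyone can produce a matching ICV for any content."""
    return data + struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_style_verify(frame: bytes) -> bool:
    return len(frame) >= 4 and wep_style_protect(frame[:-4]) == frame


def keyed_mic(key: bytes, pn: int, data: bytes) -> bytes:
    """Keyed MIC over packet number and data.  HMAC-SHA256 stands in for
    CCMP's AES CBC-MAC, which the standard library cannot compute."""
    msg = pn.to_bytes(PN_LEN, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MIC_LEN]


def ccmp_style_protect(key: bytes, pn: int, data: bytes) -> bytes:
    """Frame layout used here: PN || data || MIC (data encryption omitted)."""
    return pn.to_bytes(PN_LEN, "big") + data + keyed_mic(key, pn, data)


class CcmpStyleReceiver:
    """Checks the MIC first, then requires the packet number to increase."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_pn = -1

    def accept(self, frame: bytes) -> str:
        if len(frame) < PN_LEN + MIC_LEN:
            return "drop: short"
        pn = int.from_bytes(frame[:PN_LEN], "big")
        data, tag = frame[PN_LEN:-MIC_LEN], frame[-MIC_LEN:]
        if not hmac.compare_digest(keyed_mic(self.key, pn, data), tag):
            return "drop: bad MIC"              # altered data or wrong key
        if pn <= self.last_pn:
            return "drop: replay"               # PN must strictly increase
        self.last_pn = pn
        return "accept"


def demo() -> dict:
    key = bytes(range(16))                      # constructed 128-bit session key
    results = {}
    # WEP-style: a frame rewritten by someone holding no key still verifies
    original = wep_style_protect(b"DHCP OFFER 10.0.0.25")
    rewritten = wep_style_protect(b"DHCP OFFER 10.0.0.99")
    results["wep_original_ok"] = wep_style_verify(original)      # True
    results["wep_rewritten_ok"] = wep_style_verify(rewritten)    # True: CRC gives no integrity
    # CCMP-style: only the key holder can produce a MIC, and the PN blocks replays
    rx = CcmpStyleReceiver(key)
    frame1 = ccmp_style_protect(key, 1, b"DHCP OFFER 10.0.0.25")
    results["ccmp_first"] = rx.accept(frame1)                    # accept
    results["ccmp_replayed"] = rx.accept(frame1)                 # drop: replay
    altered = frame1[:PN_LEN] + b"DHCP OFFER 10.0.0.99" + frame1[-MIC_LEN:]
    results["ccmp_altered"] = rx.accept(altered)                 # drop: bad MIC
    results["ccmp_next"] = rx.accept(ccmp_style_protect(key, 2, b"DHCP ACK"))  # accept
    return results
```

The design point is that an integrity check is only as good as the secret behind it: a CRC verifies that the frame was not corrupted in transit, not that it came from a station holding the key.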