Sec+Domain2-v4 2d

The document outlines the objectives and key concepts related to Network Security for Security+ candidates, including the OSI and TCP/IP models, encapsulation, common definitions of networking terms, and port assignments. It also covers transport layer protocols like TCP, UDP, and SCTP, as well as IP addressing, subnetting, and the differences between IPv4 and IPv6. Additionally, it discusses storage networking protocols such as iSCSI and Fibre Channel, and network name resolution methods like NetBIOS and DNS.

Uploaded by Bryce Bobula

Domain 2

Network Security
Domain Objectives

• A Security+ candidate is expected to:


• Implement security configuration parameters on
network devices and other technologies
• Given a scenario, use secure network
administration principles
• Explain network design elements and
components
• Given a scenario, implement common protocols
and services
• Given a scenario, troubleshoot security issues
related to wireless networking
• Explain types of wireless attacks
OSI Model

Layer          Usage
Application    • Main interface between the network and the application
Presentation   • Puts data into a format all computers can understand
               • Encryption, translation, compression
Session        • Connection establishment between applications
               • No security
Transport      • Keeps track of segments
               • Handles error recovery and flow control
Network        • Creates packets
               • End-to-end communication across one or more subnetworks
Data-Link      • Transmission of frames over a single network connection
Physical       • Converts bits into voltage
OSI Model

Layer            Protocol examples                        Hardware
7 Application    FTP, Telnet, SMTP, HTTP, SIP             User programs
6 Presentation   JPG, MPEG, GIF, MP3, HTML                User programs
5 Session        RPC, SQL, NFS, NetBIOS, ASP              User programs
4 Transport      SCTP, TCP, UDP, NetBEUI, RTP
3 Network        IGMP, ICMP, IPX, IPv4, IPv6, IPsec       Router
2 Data Link      PPP, PPTP, L2TP, ARP, 802.3              Switch, bridge, NIC
1 Physical       USB, DSL, FireWire, ISDN, ATM            Hub, modem, NIC, cable
OSI and TCP/IP Model Comparison

OSI Model           TCP/IP Model
7 Application    \
6 Presentation    >  4 Application
5 Session        /
4 Transport          3 Host to Host
3 Network            2 Internet
2 Data Link      \
1 Physical       /   1 Network Interface
TCP/IP Protocol Suite

• A suite of protocols working together to enable network communications
• The most widely used networking protocol suite
• Key protocols in the suite include:
  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
  • Internet Protocol (IP)
  • Internet Control Message Protocol (ICMP)
Encapsulation

• Networking models
  • OSI Model
  • TCP/IP Model
• Each layer wraps the data unit handed down from the layer above with its own control information
  • Headers (every layer)
  • Trailers, also called footers (for example the Ethernet FCS at the Data Link layer)
• The receiving host strips the headers off in the reverse order (decapsulation)
Encapsulation Example

Layer          PDU       Header fields                               Payload
Application    Data      HTTP
Presentation   Data      HTML
Session        Data      [Link]
Transport      Segment   SRC port, DST port                          Data
Network        Packet    SRC IP, DST IP, protocol number             Segment
Data Link      Frame     SRC MAC, DST MAC (+ FCS trailer)            Packet
Physical       Bits      10100010010101001101010110100110011010101


Common Definitions

• Addresses
• Identifies networks and devices on a network
• Messages
• Typically addressed to both the device and the port number of
the service
• Port Numbers
• Identifies specific services running on a device
Common Definitions

• Socket
  • IP address:port number ([Link]:8080)
• Socket pair
  • Client IP address:port number and the server's IP address:port number
  • [Link]:3022 communicating with [Link]:80
  • Together with the transport protocol, uniquely identifies one connection; the same server port can serve many clients because the client side of the pair differs
  • Full-duplex communication (both ends send and receive at the same time)
  • Virtual circuit
Port Assignments

• Assigned by IANA (Internet Assigned Numbers Authority)
  • [Link]
• Well-known ports: 0 – 1023
  • TCP or UDP ports that direct packets to the appropriate application on the server
  • Binding to them normally requires administrative privilege
• Registered ports: 1024 – 49151
• Dynamic and/or private ports: 49152 – 65535
• Ephemeral ports: short-lived client-side ports chosen by the operating system when an application does not bind its socket to a specific port number
Ports and Protocols

Port            Service                          Port       Service
20/21           FTP data/control                 161/162    SNMP (UDP; 162 = traps)
22              SSH / SFTP / SCP                 389        LDAP
23              Telnet                           443        HTTPS / SSTP
25              SMTP                             465        SMTPS
49              TACACS+                          514        Syslog (UDP)
53              DNS (UDP and TCP)                636        LDAPS
67/68           DHCP (UDP)                       989/990    FTPS (implicit)
69              TFTP (UDP)                       993        IMAPS
80              HTTP                             995        POP3S
88              Kerberos                         1701       L2TP (UDP)
110             POP3                             1723       PPTP
123             NTP (UDP)                        1812       RADIUS authentication (1813 accounting)
137-139, 445    NetBIOS (445 = SMB direct)       3389       RDP
143             IMAP4                            5060       SIP (5061 = SIP over TLS)
Transport Layer Protocols

• Manages data segments between nodes
• UDP
  • User Datagram Protocol
• TCP
  • Transmission Control Protocol
• SCTP
  • Stream Control Transmission Protocol
UDP

• Provides "best effort" delivery
• Connectionless: no handshake, so the source address is trivially spoofable (the basis of reflection/amplification attacks)
• Lacks flow control
• Lacks error recovery (a checksum detects corruption, but nothing is retransmitted)
• Has little overhead, so it is faster than TCP
• Suited to streaming media and simple request/response protocols (DNS, DHCP, SNMP, TFTP)
TCP

• Reliable, connection-oriented protocol
• 3-way handshake
• Provides flow control
  • Sliding window
• Provides error detection (checksum)
• Provides error recovery (lost or corrupted segments are retransmitted; there is no forward error correction)
• Noteworthy status flags:
  • SYN, ACK, FIN, URG, PSH, RST
TCP 3-way Handshake

1. Client → Server: SYN (carries the client's initial sequence number)
2. Server → Client: SYN/ACK (server's initial sequence number, acknowledges the client's)
3. Client → Server: ACK

• The server allocates connection state at step 1, so a flood of spoofed SYNs that never complete step 3 exhausts the half-open (backlog) table: a SYN flood. SYN cookies encode that state in the server's sequence number so nothing is stored until the ACK arrives.
SCTP

• Connection-oriented
  • Resources are not allocated until the 4-way handshake is completed, which makes SCTP resistant to SYN-flood-style resource exhaustion
• Multi-homing
  • Multiple NICs (addresses) to transmit and receive with
• Multi-streaming
• Streaming data
• Telephony (signalling transport, SIGTRAN)
• Network congestion aware
SCTP 4-way Handshake

1. Client → Server: INIT
2. Server → Client: INIT ACK, carrying a state cookie (the server's own signed summary of the proposed association; the server keeps no state yet)
3. Client → Server: COOKIE ECHO (returns the cookie unchanged)
4. Server → Client: COOKIE ACK (the server verifies the cookie and only now allocates the association)
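Added example, not code from the slides: a toy model of why the point at which state is allocated matters. The TCP listener stores state on every SYN and fills up under a spoofed flood; the SCTP listener answers INIT with an HMAC-signed cookie and stores nothing until a valid COOKIE ECHO returns. The cookie secret, backlog size and all addresses are assumed values; real stacks also rotate the secret.

```python
import hashlib
import hmac
import os
import struct
import time

COOKIE_SECRET = os.urandom(32)   # assumed server-side secret; real stacks rotate it periodically


class TcpListener:
    """TCP allocates connection state on the very first packet (SYN), so spoofed SYNs
    that never complete the handshake fill the half-open table."""

    def __init__(self, backlog=4):
        self.backlog, self.half_open, self.established = backlog, {}, {}

    def on_syn(self, peer, client_isn):
        if len(self.half_open) >= self.backlog:
            return "SYN dropped: backlog full"
        self.half_open[peer] = {"client_isn": client_isn, "server_isn": 0x1000}
        return "SYN-ACK"

    def on_ack(self, peer, ack):
        state = self.half_open.pop(peer, None)
        if state is None or ack != state["server_isn"] + 1:
            return "RST"
        self.established[peer] = state
        return "ESTABLISHED"


class SctpListener:
    """SCTP answers INIT with a signed state cookie and remembers nothing; the association
    is created only when a COOKIE ECHO carrying a valid cookie comes back (RFC 4960 5.1)."""

    def __init__(self, cookie_lifespan=60):
        self.lifespan, self.established = cookie_lifespan, {}

    def _mac(self, body):
        return hmac.new(COOKIE_SECRET, body, hashlib.sha256).digest()

    def on_init(self, peer, init_tag):
        host, port = peer
        body = struct.pack("!4sHII", bytes(int(o) for o in host.split(".")), port,
                           init_tag, int(time.time()))
        return body + self._mac(body)          # INIT ACK: cookie = body || MAC, no state kept

    def on_cookie_echo(self, peer, cookie):
        body, mac = cookie[:14], cookie[14:]
        if not hmac.compare_digest(mac, self._mac(body)):
            return "COOKIE rejected: bad MAC"
        host_b, port, init_tag, created = struct.unpack("!4sHII", body)
        if (".".join(str(o) for o in host_b), port) != peer:
            return "COOKIE rejected: wrong peer"   # cookie replayed from another address
        if time.time() - created > self.lifespan:
            return "COOKIE rejected: expired"
        self.established[peer] = {"peer_tag": init_tag}
        return "COOKIE ACK"


def flood(listener, count, first_packet):
    """Fire count first-packets from spoofed sources (constructed addresses) that never reply."""
    return [first_packet(listener, ("203.0.113.%d" % (i % 250 + 1), 40000 + i), i)
            for i in range(count)]


def demo() -> dict:
    tcp, sctp = TcpListener(backlog=4), SctpListener()
    tcp_replies = flood(tcp, 10, lambda l, peer, i: l.on_syn(peer, i))
    flood(sctp, 10, lambda l, peer, i: l.on_init(peer, i))
    result = {
        "tcp_half_open_after_flood": len(tcp.half_open),
        "tcp_syns_dropped": sum(reply.startswith("SYN dropped") for reply in tcp_replies),
        "sctp_state_after_flood": len(sctp.established),
    }
    # a genuine client completes the four-way exchange
    peer = ("192.0.2.5", 5001)
    cookie = sctp.on_init(peer, 0xBEEF)
    result["legit_client"] = sctp.on_cookie_echo(peer, cookie)
    # an attacker who sniffed the cookie can neither reuse it from elsewhere nor alter it
    result["replay_from_other_host"] = sctp.on_cookie_echo(("203.0.113.9", 5001), cookie)
    tampered = cookie[:13] + bytes([cookie[13] ^ 0x01]) + cookie[14:]   # flip a bit of init_tag
    result["tampered_cookie"] = sctp.on_cookie_echo(peer, tampered)
    result["sctp_state_after_legit"] = len(sctp.established)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

Linux applies the same idea to TCP with net.ipv4.tcp_syncookies once the backlog overflows; the difference is that SCTP makes it the normal path rather than an emergency fallback.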
Network Layer Protocols

• ICMP
• Internet Control Message Protocol
• IPv4
• Internet Protocol version 4
• IPv6
• Internet Protocol version 6
ICMP

• Used for network troubleshooting
• Reports errors and replies to requests
• ping uses ICMP Echo / Echo Reply; traceroute relies on ICMP Time Exceeded replies from each hop (Windows tracert sends ICMP probes, Unix traceroute sends UDP probes by default)
• Several different types
  • 0 - Echo Reply
  • 3 - Destination Unreachable
  • 8 - Echo (request)
  • 11 - Time Exceeded
  • 30 - Traceroute (deprecated, RFC 6918)
• Blocking all ICMP breaks path MTU discovery (type 3, code 4); filter selectively and rate-limit instead
IP Addressing

• Unique identifier to differentiate one host from another
• "A name indicates what we seek. An address indicates where it is. A route indicates how to get there. The Internet Protocol deals primarily with addresses." (RFC 791)
• Two addressing schemes for TCP/IP
  • IPv4
    • 32-bit address
    • More common than IPv6
  • IPv6
    • 128-bit address
IPv4 Addressing

• Made up of a 32-bit address, written as four octets
• Referred to as dotted decimal representation of a binary number
• Example: the IP address 195.143.67.2 is actually the following binary:

  11000011 . 10001111 . 01000011 . 00000010
     195        143        67         2
IPv4 Public Classes

• IP addresses were originally grouped into classes (classful addressing, superseded by CIDR but still used as vocabulary)
• The class of any IP address can be determined from the leading bits of the first octet (0, 10, 110, 1110, 1111)
• Address classes supported by IPv4:
  • Class A: 0 to 127 decimal (first bit 0)
  • Class B: 128 to 191 decimal (first bits 10)
  • Class C: 192 to 223 decimal (first bits 110)
  • Class D: 224 to 239 decimal (multicasting)
  • Class E: 240 to 255 decimal (experimental/reserved)
IPv4 Private Classes

• RFC 1918: address allocation for private internets
• Used for networks not connecting directly to the Internet (NAT translates them at the edge)
• Internet Assigned Numbers Authority (IANA) set aside addresses for intranets:

  Class A   10.0.0.0 – 10.255.255.255       (10.0.0.0/8)
  Class B   172.16.0.0 – 172.31.255.255     (172.16.0.0/12)
  Class C   192.168.0.0 – 192.168.255.255   (192.168.0.0/16)

• These ranges must never appear as source addresses on packets arriving from the Internet: drop them at the border (anti-spoofing filter)

APIPA

• Automatic Private IP Addressing
• Assigned by the host's own operating system when neither a static nor a DHCP-assigned address is available
• 169.254.0.0/16 (169.254.0.1 – 169.254.255.254; RFC 3927 reserves the first and last 256 addresses)
• Non-routable (link-local) address
• Allows peer-to-peer communications within a workgroup
• A host that suddenly has an APIPA address is a sign that DHCP is failing or being blocked
Subnet Mask

• Determines:
  • Which bits of the address are the network portion and which are the host portion
  • Whether a destination is on the local subnet (deliver directly) or on another network (send to the default gateway)

                 192 . 168 . 10 . 20
  IP Address:    11000000 . 10101000 . 00001010 . 00010100
  Subnet Mask:   11111111 . 11111111 . 11111111 . 00000000
                 255 . 255 . 255 . 0
                 |-------- Network ---------|  |- Host -|
CIDR

• Classless Inter-Domain Routing
• CIDR is based on variable-length subnet masking (VLSM) to allow allocation of arbitrary-length prefixes
• Ignores classful addressing
• CIDR notation example:
  • [Link]/29 (subnet mask 255.255.255.248)
  • A /29 mask leaves 32 - 29 = 3 host bits, giving 2^3 = 8 addresses (6 usable hosts, since the network and broadcast addresses are reserved)
  • /32 indicates this specific address and no others (the usual way to write a single host in an ACL or route)
IPv4 Subnetting

• Used to divide large groups of hosts within a larger network into smaller, manageable network collections
• More efficiently manages traffic
• Creates multiple, smaller broadcast domains
• Borrows bits from the host portion of the 32-bit address to extend the network portion
IPv4 Subnetting

• Example 192.168.10.20/24
• IP address + subnet mask defines the IP schema

  IP Address:    192 . 168 . 10 . 20
  Subnet Mask:   11111111 . 11111111 . 11111111 . 00000000
                 255 . 255 . 255 . 0
                 nnnnnnnn   nnnnnnnn   nnnnnnnn   hhhhhhhh
  Network:       192 . 168 . 10 . 0
  Host 1:        192 . 168 . 10 . 1
  Host h+1:      192 . 168 . 10 . h+1
  Host 254:      192 . 168 . 10 . 254
  Broadcast:     192 . 168 . 10 . 255
IPv4 Subnetting

• Example: from 192.168.10.20/24 to /26 (two bits borrowed from the host portion, four subnets of 64 addresses)

  IP Address:    192 . 168 . 10 . 20
  Subnet Mask:   255 . 255 . 255 . 192
                 nnnnnnnn   nnnnnnnn   nnnnnnnn   nnhhhhhh

  Network #1:    192.168.10.0       Broadcast #1:   192.168.10.63
  Network #2:    192.168.10.64      Broadcast #2:   192.168.10.127
  Network #3:    192.168.10.128     Broadcast #3:   192.168.10.191
  Network #4:    192.168.10.192     Broadcast #4:   192.168.10.255

• 192.168.10.20 therefore falls in subnet #1 (hosts .1 – .62)
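Added example using Python's standard ipaddress module (not code from the slides) that reproduces the calculations on the last few slides: the class from the leading bits, RFC 1918 / APIPA membership, network, broadcast and host range for 192.168.10.20/24, the four /26 subnets, the size of a /29 block, and the mask test a host uses to decide whether a destination is local. The 198.51.100.x addresses are documentation values chosen here.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.IPv4Network("169.254.0.0/16")


def address_class(ip: str) -> str:
    """Classful rule: read the class from the leading bits of the first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D (multicast)"
    return "E (experimental)"


def address_scope(ip: str) -> str:
    a = ipaddress.IPv4Address(ip)
    if a.is_loopback:
        return "loopback"
    if a in APIPA:
        return "APIPA/link-local"
    if any(a in net for net in RFC1918):
        return "RFC 1918 private"
    return "public"


def subnet_summary(cidr: str) -> dict:
    """Network, mask, broadcast and usable host range for an address written in CIDR form."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # strict=False accepts a host address such as 192.168.10.20/24
    if net.prefixlen >= 31:                           # /31 (point-to-point, RFC 3021) and /32 have no broadcast
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2
    return {"network": str(net.network_address), "prefix": net.prefixlen,
            "mask": str(net.netmask), "wildcard": str(net.hostmask),
            "broadcast": str(net.broadcast_address),
            "first_host": str(first), "last_host": str(last),
            "addresses": net.num_addresses, "usable": usable}


def split(cidr: str, new_prefix: int) -> list:
    """VLSM: carve a block into equal subnets with a longer prefix (e.g. a /24 into four /26s)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [(str(s.network_address), str(s.broadcast_address))
            for s in net.subnets(new_prefix=new_prefix)]


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """The AND-with-mask test a host performs to choose direct delivery or the default gateway."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(ip_a)) & m == int(ipaddress.IPv4Address(ip_b)) & m


if __name__ == "__main__":
    print(subnet_summary("192.168.10.20/24"))
    for n, (network, broadcast) in enumerate(split("192.168.10.0/24", 26), 1):
        print(f"subnet #{n}: {network} - {broadcast}")
    print(subnet_summary("198.51.100.8/29"))      # 8 addresses, 6 usable
    print(address_class("195.143.67.2"), address_scope("10.20.30.40"), address_scope("169.254.7.7"))
```

The wildcard value in the summary is the inverted mask that Cisco ACLs expect (0.0.0.255 for a /24), which is a frequent source of mistakes when the two are confused.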
IPv4 Subnetting Advantages

• Decreased network traffic
  • Broadcasts limited to individual subnets
• Improved troubleshooting
  • Faster to trace a problem on a subnet
• Improved utilization of addresses
  • Fewer IPs wasted
• Flexibility
  • Customization of the number of hosts on a subnet
• Security: subnets are the unit that router ACLs and firewalls filter between
IPv6 Addressing

• Allows for growth of addresses
• 2^128 ≈ 3.4 × 10^38 addresses
• 128 bits total: 8 groups of 4 hexadecimal digits (16 bits each), separated by colons
  [Link]
• Leading zeros within a group may be dropped
• Zero compression rule
  • One run of consecutive all-zero groups may be replaced by "::", and only once per address (otherwise the address would be ambiguous)
  [Link]
IPv6 Addresses

• Global (unicast) address
• Link-local address
• Unique local address
• Loopback address
IPv6 Global Address

• Equivalent to an IPv4 public address
• Internet routable
• Allocated from 2000::/3, so the first block is in the range 2000 – 3fff
IPv6 Link-Local Address

• Similar to an IPv4 APIPA address
• fe80::/10 (in practice every such address begins with "fe80" in the first block)
• Self-configured on every IPv6-enabled interface, whether or not the network is "using" IPv6
• Non-routable (never forwarded by routers), but fully usable on the local link: rogue router advertisements and other IPv6 attacks work on a supposedly IPv4-only LAN
IPv6 – Unique Local Addresses

• Similar to IPv4 private addresses
• Non-routable on the Internet
• Routable between subnets on a private network
• Allocated from fc00::/7; the locally assigned half (fd00::/8) is what is used in practice, so addresses begin with "fd"
IPv6 Loopback Address

• Loopback address is used to talk to one's own machine
• Used for troubleshooting
• Loopback address is:
  ::1 (the IPv6 equivalent of 127.0.0.1)
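Added example (not from the slides): hand-rolled IPv6 expansion and RFC 5952 zero compression, cross-checked against Python's ipaddress module, plus a classifier for the address types listed on the preceding slides. The sample addresses are documentation (2001:db8::/32) and constructed values.

```python
import ipaddress


def expand_ipv6(addr: str) -> list:
    """Undo '::' and short groups: return the eight 16-bit groups as integers."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        l = [g for g in left.split(":") if g]
        r = [g for g in right.split(":") if g]
        groups = l + ["0"] * (8 - len(l) - len(r)) + r
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("IPv6 address must have eight groups")
    return [int(g, 16) for g in groups]


def compress_ipv6(addr: str) -> str:
    """RFC 5952 text form: drop leading zeros in each group and replace the single longest run
    of two or more all-zero groups (the leftmost on a tie) with '::'."""
    groups = expand_ipv6(addr)
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [1]):          # sentinel closes a run that ends the address
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:          # strictly greater keeps the leftmost run on ties
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexg = [format(g, "x") for g in groups]
    if best_len >= 2:
        return ":".join(hexg[:best_start]) + "::" + ":".join(hexg[best_start + best_len:])
    return ":".join(hexg)


def matches_stdlib(addr: str) -> bool:
    """Cross-check: our compression agrees with ipaddress.IPv6Address(...).compressed."""
    return compress_ipv6(addr) == ipaddress.IPv6Address(addr).compressed


def ipv6_type(addr: str) -> str:
    """Classify by well-known prefix (the address types on the slides plus multicast)."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique local"
    if a in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "other/reserved"


if __name__ == "__main__":
    for sample in ("2001:0db8:0000:0000:0000:0000:0000:0001", "fe80:0:0:0:0:0:0:1",
                   "0:0:0:0:0:0:0:1", "2001:db8:0:0:1:0:0:1", "fd12:3456:789a::1"):
        print(f"{sample:42} -> {compress_ipv6(sample):24} {ipv6_type(sample)}")
```

Normalising addresses this way matters for security tooling: a log filter or allow-list that compares raw strings will miss 2001:0db8::1 when the host wrote 2001:db8::1.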
iSCSI

• Internet Small Computer System Interface
• IP-based protocol (TCP port 3260)
• Encapsulates SCSI commands into IP
• Routable across networks
• Provides links to storage warehouses
  • Storage Area Network (SAN)
• Authentication
  • CHAP is the defined authentication method; enable it (mutual CHAP where supported), because many targets ship with it turned off
• Eavesdropping issues: SCSI commands and data cross the network in plaintext
  • Put storage traffic on dedicated VLANs and protect it with IPsec
Fibre Channel

• SAN communication protocol
• High speed: 16 Gbps (32, 64 and 128 Gbps in later generations)
• Uses fiber optics or copper-based wiring
• LUN masking can be used to hide or mask certain devices from other devices; zoning on the FC switch restricts which ports can talk to each other
• Expensive hardware and cabling
  • Fibre Channel switch
• Natural isolation
  • Separate architecture isolates backup data from the rest of the network
FCoE

• Fibre Channel over Ethernet
• Ethernet and Fibre Channel standards are modified and then merged into a single standard
  • Fibre Channel commands are encapsulated inside of modified (lossless) Ethernet frames
  • Can be used within the Ethernet LAN but is not routable by itself to other networks (there is no IP layer)
• Runs over 10 Gbps Ethernet
Network Name Resolution

• Provides a way to convert a network node name to a network address, and vice versa
• NetBIOS
• DNS
NetBIOS

• Network Basic Input Output System
• 15-character naming convention for resources within a LAN (the 16th byte is a service suffix)
• Broadcast-oriented network protocol
• Uses ports 137, 138, 139 (NetBIOS over TCP/IP); 445 is SMB "direct hosting", which no longer needs NetBIOS
• Filter traffic on NetBIOS ports at the perimeter
• Disable NetBIOS over TCP/IP (and anonymous/null sessions) to reduce enumeration
DNS

• Domain Name System
• IETF standard for FQDN to IP address lookups
  • Fully Qualified Domain Name
• Uses a hierarchical, inverted tree structure
  • Root DNS servers
  • Top-Level Domain (TLD) DNS servers
    • .com, .gov, .edu, .org, .mil
  • Intermediate (second-level and lower) DNS servers

  Root → TLDs → Intermediates
DNS

• Local hosts file
  • Stores information about nodes in a network
  • /etc/hosts on Unix-like systems; %SystemRoot%\System32\drivers\etc\hosts on Windows
  • Maps hostnames to IP addresses
  • Consulted before DNS, so it overrides DNS answers
• Can be poisoned: malware commonly adds entries to redirect update or security-vendor domains, so monitor the file's integrity
DNS

• DNS Zones
  • The portion of the DNS domain namespace over which a DNS server has authority
  • A DNS server's zone can comprise:
    • A single domain
    • Some or all subdomains
    • Multiple separate domains
• DNS queries: UDP port 53 (TCP 53 is used for large responses and DNS over TCP generally)
• Zone transfers: TCP port 53

Example namespace: ACME, with subdomains Corp (containing Acct and HR), Sales, Engr, QA, Retail and Web

  Zone 1: ACME, Sales, Retail, Web
  Zone 2: Engineering
  Zone 3: Quality Assurance
  Zone 4: Corporate, Accounting, HR

  4 zones, 9 domains
DNS

• DNS Zone Transfers (AXFR/IXFR)
  • Publish the whole zone: every record, plus the name servers of any subordinate domains
  • An attacker who can request one obtains a complete host inventory for the domain
    • Footprinting
  • Restrict transfers to the listed secondary servers (allow-transfer / IP ACLs) and authenticate them with TSIG
DNSSEC

• DNS Security Extensions
• Authoritative servers sign their records (RRSIG records, validated through DNSKEY/DS records up to the root) so resolvers can verify that an answer is authentic and unmodified
• Digital signatures provide integrity and origin authentication, not confidentiality
• Mitigates
  • Man-in-the-middle tampering with responses between DNS servers
  • DNS cache poisoning
• Does not protect zone transfers (that is TSIG's job) and does not hide queries (DNS over TLS/HTTPS does that)
DNS Record Types

• DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses
• Different record types are used for different purposes
  • A - IPv4 address
  • AAAA - IPv6 address
  • MX - mail exchanger (email server) for the domain
  • NS - authoritative name servers
  • CNAME - alias to another name
  • PTR - reverse lookup (address to name)
  • TXT - free text, used for SPF/DKIM/DMARC policies
DNS Poisoning

• Incorrect DNS data injected into a DNS namespace or into a resolver's cache
• Redirects traffic to incorrect sites
• Also called "DNS cache poisoning"
• An off-path attacker must forge a response that matches the outstanding query's transaction ID, source port and question before the real answer arrives; resolvers defend by randomising the transaction ID and source port and by validating DNSSEC
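Added example (not from the slides): build a DNS query with Python's struct module, parse a constructed response, and apply the acceptance checks a resolver must make (source port, transaction ID, response flag, question) before caching an answer. A forged response that fails any of them is the poisoning attempt that gets rejected. All names and addresses are documentation values.

```python
import random
import struct

QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """'www.example.test' -> 3www7example4test0 (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(label)]) + label.encode()
                    for label in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a name at offset, following compression pointers; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, pointer)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode())
        off += length


def build_query(name: str, qtype: int = QTYPE_A, txid: int = None):
    """Header (16-bit transaction ID, RD set, one question) + question section."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed response with one A record; the RR name is a pointer to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def parse_response(msg: bytes) -> dict:
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A:
            rdata = ".".join(str(o) for o in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def accept_response(sent_txid, sent_question, sent_from_port, resp, resp_to_port):
    """The minimum a resolver checks before caching. An off-path poisoner must guess every one of
    these (about 16 bits of txid plus about 16 bits of source port) before the real answer lands."""
    if resp_to_port != sent_from_port:
        return False, "port mismatch"
    r = parse_response(resp)
    if r["txid"] != sent_txid:
        return False, "txid mismatch"
    if not r["flags"] & 0x8000:
        return False, "not a response"
    if r["questions"] != [sent_question]:
        return False, "question mismatch"
    return True, r["answers"]


if __name__ == "__main__":
    txid, query = build_query("www.example.test")          # a real resolver randomises the port too
    genuine = build_answer(txid, "www.example.test", "192.0.2.10")
    forged = build_answer(txid ^ 0x0001, "www.example.test", "203.0.113.66")   # attacker's guess
    print("query bytes:", query.hex())
    print("genuine:", accept_response(txid, ("www.example.test", QTYPE_A), 53211, genuine, 53211))
    print("forged: ", accept_response(txid, ("www.example.test", QTYPE_A), 53211, forged, 53211))
```

The Kaminsky attack worked because resolvers of the time used a fixed source port, leaving only the 16-bit transaction ID to guess; source-port randomisation is what made the guess space large enough to matter.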
Domain Kiting

• Domain tasting
  • Legitimate five-day Add Grace Period (AGP) during which a new registration can be cancelled for a full refund
• Domain kiting (often mislabelled "DNS kiting")
  • Attacker cancels the domain registration before the five-day grace period ends, then immediately re-registers it
  • Fraud: the domain is never paid for
  • Ties up legitimate domain names so they cannot be registered legitimately
Email

• Email protocols
• SMTP
• POP3
• IMAP
• Email security standards
• SSL/TLS
• S/MIME
• PGP
SMTP

• Simple Mail Transfer Protocol
• Delivers email to an email server on TCP 25
• Plaintext issues
  • Use SMTPS on TCP 465 (implicit TLS), or STARTTLS on the submission port TCP 587
• Spam issues
  • Disable HTML formatting, use text-based only
  • Avoid SMTP open relay
  • Implement blacklisting
  • Implement whitelisting
  • Publish SPF, DKIM and DMARC records so receivers can reject forged senders
• Malware issues
  • Use antivirus scanning
Downloading Email

• POP3
• Post Office Protocol version 3
• TCP 110 plaintext issue
• POP3S uses TCP 995
• IMAP4
• Internet Message Access Protocol version 4
• TCP 143 plaintext issue
• IMAPS uses TCP 993
Email Security Standards

• S/MIME (Secure MIME)
  • Centralized
  • PKI – hierarchical trust
  • X.509 digital certificates
  • The CA's digital signature vouches for the certificate
  • Built into most email programs
  • Hybrid cryptosystem
  • Symmetric: AES, 3DES, DES, RC2 (only AES should be used today)
• PGP (Pretty Good Privacy)
  • Decentralized
  • P2P – web of trust
  • PGP-based digital certificates (keys)
  • Peers' digital signatures vouch for a key
  • Must be downloaded and installed
  • Hybrid cryptosystem
  • Symmetric: AES, 3DES, CAST, IDEA, Twofish
Protecting Web Communications

• Secure Sockets Layer (SSL)
• Enforces a secure channel between two TCP-based endpoints
• Last version was SSL 3.0; every SSL version is now prohibited (RFC 7568) after the POODLE attack on SSL 3.0
• Hybrid cryptosystem
  • Asymmetric cryptography
    • Provides key distribution of the symmetric session key
    • X.509v3 digital certificates
    • Mutual authentication (optional; usually only the server is authenticated)
  • Symmetric cryptography
  • MAC
Protecting Web Communications

• Secures various protocols
  • HTTPS 443
  • SMTPS 465
  • LDAPS 636
  • IMAPS 993
• Vulnerabilities
  • Protocol no longer updated: weak legacy cipher suites (export-grade keys, RC4, CBC padding oracles such as POODLE) remain negotiable
  • Compromised root CAs
  • Outdated or expired digital certificates
Protecting Web Communications

• Transport Layer Security (TLS)
• Enforces a secure channel between two TCP-based endpoints
• Standard created by IETF to replace SSL; TLS 1.0 and 1.1 are deprecated (RFC 8996), so deploy TLS 1.2 or 1.3
• Hybrid cryptosystem
  • Asymmetric cryptography
    • Provides key distribution (or, with ephemeral Diffie-Hellman, key agreement with forward secrecy) for the symmetric session key
    • X.509v3 digital certificates
    • Mutual authentication (optional client certificates)
  • Symmetric cryptography
  • HMAC (TLS 1.2 also offers AEAD cipher suites; TLS 1.3 requires them)
HTTPS Process

1. HTTPS request made by the browser
2. Server sends its certificate
3. Client validates the certificate: a chain of trust to a CA it already trusts, a name that matches the host, not expired or revoked
4. Browser generates a session key, encrypts it with the server's public key, and sends it to the server
5. Server decrypts the session key using its private key
6. Secure channel using the session key: communication proceeds with symmetric encryption

• Step 4 describes RSA key transport. A TLS 1.2 deployment should prefer (EC)DHE key exchange and TLS 1.3 requires it, so a later theft of the server's private key cannot decrypt recorded sessions (forward secrecy).
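Added example (not from the slides): the weak client setup beside a hardened one using Python's standard ssl module, with a small audit function that reports the findings a reviewer would raise (no certificate validation, no hostname check, deprecated protocol versions, weak suites). It runs offline; no connection is made, and the cafile parameter is an assumption for deployments with a private CA.

```python
import ssl

WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXP")


def legacy_context() -> ssl.SSLContext:
    """The setup still found in old client code: any certificate is accepted and the host name
    is never compared with it, so an on-path attacker can present their own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # "works" against self-signed certs, and against MITM
    return ctx


def hardened_context(cafile: str = None) -> ssl.SSLContext:
    """Verify the chain and host name, refuse TLS < 1.2, and restrict TLS 1.2 to AEAD suites
    with ephemeral key exchange (TLS 1.3 suites are always on and already meet that bar)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname + trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("deprecated protocol version (TLS 1.0/1.1 or older) allowed")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def min_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


if __name__ == "__main__":
    print("legacy  :", audit(legacy_context()) or "no findings")
    print("hardened:", audit(hardened_context()) or "no findings")
```

The same audit applied to a server context would additionally check that the certificate chain it serves is complete and that session tickets are rotated, but the client-side findings above are the ones that make a "secure" connection worthless.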
HTTPS vs. S-HTTP

• HTTPS
  • HTTP over SSL/TLS (port 443)
  • Encrypts the whole communication channel (session)
• S-HTTP (Secure HTTP)
  • Developed by EIT and published as RFC 2660 to secure individual requests on the standard port 80; it never gained browser support and is obsolete
  • Encrypts individual messages
  • Lacks mutual authentication
SSH

• Secure Shell
  • Secures remote access and remote terminal communications
  • Secure replacement for Telnet, rlogin/rsh and FTP
  • Protects against man-in-the-middle attacks and spoofing, provided the client verifies the server's host key (the "unknown host key" prompt is that check)
  • SSH suite (SCP, SSH, SFTP, slogin)
  • Uses TCP port 22
  • OpenSSH, PuTTY
• Hybrid cryptosystem
  • Symmetric cryptography for encryption
  • Public-key cryptography for connection/authentication (host keys, and user keys instead of passwords)
FTP

• File Transfer Protocol
• Used to transfer files between systems on the Internet
• Ports TCP 21 (control) and TCP 20 (data, active mode)
• Active/passive mode (passive mode opens a high data port on the server, which the firewall must track)
• Vulnerabilities:
  • Plaintext credentials and data
  • Man-in-the-middle attacks
  • Bounce attacks (abusing the PORT command to scan or reach third-party hosts through the server)
FTP Alternatives

• File Transfer Protocol Secure (FTPS)
  • Session is encrypted using SSL/TLS
  • Implicit FTPS: TCP 990 (control) and 989 (data)
  • Explicit FTPS: TCP 21, the client upgrades the session with AUTH TLS
• SSH File Transfer Protocol (SFTP)
  • A file-transfer subsystem of SSH, not FTP tunneled over SSH
  • TCP 22
• Secure Copy (SCP)
  • Transfers the file using SSH
  • TCP 22
Telephony

• Streaming data
• Web conferencing
• VoIP
• Video chat
• CCTV
• Supporting protocols:
• SIP
• RTP
• SCTP
VoIP

• Voice over Internet Protocol
• IP-based protocol that converts analog voice signals into digital packets
• Uses SIP to manage the session and RTP to carry the media
• Implement IEEE 802.1p QoS
• Implement VLANs (a separate voice VLAN)
• Implement IPsec, or SIP over TLS plus SRTP for the media
• Implement voice firewalls / session border controllers
• Issues:
  • Eavesdropping (unencrypted RTP can be reassembled into audio by any sniffer on the path)
  • SPIT (Spam over Internet Telephony)
  • Toll fraud through compromised accounts
VoIP Protocols

• Session Initiation Protocol (SIP)
  • Decentralized, peer-to-peer, multimedia signalling protocol
  • Text-based and modelled on HTTP, works at the Application layer
  • Ports 5060 (plaintext, UDP or TCP), 5061 (TLS)
• Real-time Transport Protocol (RTP)
  • Transfers streaming media over networks (UDP)
  • SRTP adds encryption and authentication to RTP
NAC

• Network Access Control
• Evaluates system security status (posture) before allowing a connection to the network
  • Anti-virus status
  • System update level
  • Configuration settings
  • Software firewall enabled
NAC

• Quarantine Portal
• Redirects to a web page with hyperlinks to fix parts of the system
that aren’t in compliance
• Patch Management
• Antivirus
• Application Whitelisting
NAC

• Captive Portal
• Redirects to satisfy identification, authentication, authorization,
or policy requirements
• Hotel network requiring the visitor to provide credentials
• User gets redirected to the hotel’s login page to provide room number, last
name, and password
• Coffee shop charges for internet access
• User is redirected to login page and must provide a credit card number
Remote Administration

• Network backbone administration ports
  • Console port ("line con 0")
  • Auxiliary port ("line aux 0")
  • Virtual terminals ("line vty 0 4"): restrict with an access-class ACL and allow only SSH ("transport input ssh")
• Remote administration protocols
  • SNMPv3
  • Telnet (avoid)
  • SSH
  • RDP / Terminal Services
SNMP

• Simple Network Management Protocol
• Application Layer protocol that manages and monitors devices in a network
• UDP ports 161 (queries) and 162 (traps)
• No real authentication capabilities prior to v3
  • Community strings (effectively passwords) are sent in cleartext; the defaults "public" and "private" are still common
  • Versions 1 and 2c are vulnerable to packet sniffing
  • Vulnerable to IP spoofing attacks (UDP)
• Provides the ability to send traps
• Vulnerabilities in trap handling and request handling
• Use SNMPv3 with authPriv (authentication and encryption), and restrict which managers may query the agent
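Added example (not from the slides): a minimal BER parser that pulls the version, community string, PDU type and requested OIDs out of an SNMPv1/v2c datagram, which is exactly what a sniffer on the management network sees, and a detection function that flags default community strings and cleartext writes. The packet bytes are a hand-constructed GetRequest for sysDescr.0.

```python
# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SNMP_V1_GETREQUEST = bytes.fromhex(
    "3026"                                        # SEQUENCE, 38 bytes
    "020100"                                      # INTEGER version 0 = SNMPv1
    "04067075626c6963"                            # OCTET STRING "public": the only "credential", in the clear
    "a019"                                        # GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"                    # request-id 1, error-status 0, error-index 0
    "300e" "300c" "06082b06010201010100" "0500"   # VarBindList: one varbind, OID + NULL value
)

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "SNMPv2-Trap"}
DEFAULT_COMMUNITIES = {"public", "private", "manager", "admin"}


def read_tlv(buf: bytes, off: int):
    """Parse one BER tag-length-value at off; returns (tag, value bytes, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                               # long form: the next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def decode_oid(value: bytes) -> str:
    """First byte encodes the first two arcs (40*x + y); the rest are base-128 with continuation bits."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp(datagram: bytes) -> dict:
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, off = read_tlv(msg, 0)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":
        return {"version": version, "community": None, "pdu": None, "oids": []}  # USM header instead
    _, community, off = read_tlv(msg, off)
    pdu_tag, pdu, _ = read_tlv(msg, off)
    info = {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": []}
    if pdu_tag == 0xA4:                              # the v1 Trap-PDU has a different layout; skip its fields
        return info
    _, request_id, off = read_tlv(pdu, 0)
    info["request_id"] = int.from_bytes(request_id, "big", signed=True)
    _, _, off = read_tlv(pdu, off)                   # error-status
    _, _, off = read_tlv(pdu, off)                   # error-index
    _, varbinds, _ = read_tlv(pdu, off)
    off = 0
    while off < len(varbinds):
        _, vb, off = read_tlv(varbinds, off)
        _, oid, _ = read_tlv(vb, 0)
        info["oids"].append(decode_oid(oid))
    return info


def findings(datagram: bytes) -> list:
    """What a detection rule on the management VLAN would flag for this datagram."""
    info = parse_snmp(datagram)
    out = []
    if info["version"] in ("v1", "v2c"):
        out.append("SNMP%s: community string '%s' sent in cleartext" % (info["version"], info["community"]))
        if info["community"] in DEFAULT_COMMUNITIES:
            out.append("default community string in use")
        if info["pdu"] == "SetRequest":
            out.append("write access attempted with a cleartext community string")
    return out


if __name__ == "__main__":
    print(parse_snmp(SNMP_V1_GETREQUEST))
    for finding in findings(SNMP_V1_GETREQUEST):
        print("-", finding)
```

Running the same parser over a capture of UDP/161 traffic is a quick way to inventory which devices still answer v1/v2c and which community strings are in use before migrating them to v3.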
Telnet

• Command line interface used for remote administration of TCP/IP-based systems on a network
• Application Layer protocol
• Passes data, including credentials, in plaintext
• Use SSH (or a TLS-protected console) instead, and disable the Telnet service on devices
• TCP port 23
RDP

• Remote Desktop Protocol
• "Terminal Services"
• GUI-based service used for remote administration of TCP/IP-based systems on a network
  • Desktop of the remote system
• TCP port 3389
• Block the port at the network firewall; never expose it directly to the Internet (reach it through a VPN or jump host instead)
• Require Network Level Authentication (NLA) and strong credentials
• Could be used as a backdoor
Tunneling

• Virtual dedicated connection between two systems or networks
• Encapsulation within a routable protocol
  • Can send private network data across a public network by encapsulating it inside other packets
  • May or may not include protection mechanisms such as encryption
• Why tunnel?
  • Make a higher-layer, non-routable protocol routable
  • Make a physically distant system logically near
  • Make a foreign protocol routable through a network
  • Make a non-Internet-routable protocol Internet routable
• The same trick carries traffic past firewalls that inspect only the outer protocol (DNS and ICMP tunnels are common exfiltration channels)
Tunneling Protocols

• Point-to-Point Protocol (PPP)
• Used for establishing remote connections over a serial line or dial-up connection
• Allows TCP/IP traffic to be transmitted over telecommunication lines
  • Dial-up modems
• No encryption
• EAP, CHAP, or PAP authentication (PAP sends the password in the clear)
Tunneling Protocols

• Point-to-Point Protocol over Ethernet (PPPoE)
• PPP encapsulated inside of Ethernet
• IETF standard (RFC 2516) that works at the Data Link layer
  • Creates a direct, virtual point-to-point connection (PPP) between two systems over a multipoint-aware network (Ethernet)
  • The PPPoE Discovery stage locates the access concentrator before the PPP session starts
• Provides:
  • Authentication
    • PAP, CHAP, EAP
  • Encryption
  • Compression
PPTP

• Point-to-Point Tunneling Protocol
• Encapsulates PPP inside GRE (IP protocol 47) and encrypts it
• Negotiation in the clear
• After negotiation is completed, the channel is encrypted
• Uses MPPE to encrypt data
• Authentication: PAP, CHAP, MS-CHAP, or EAP-TLS
• Operates at Layer 2
• TCP port 1723 (control channel)
• MS-CHAPv2 can be cracked offline and the MPPE keys derive from it, so PPTP is considered broken; prefer L2TP/IPsec, IKEv2 or a TLS-based VPN
Tunneling Protocols

• Layer 2 Forwarding (L2F)
• Tunneling protocol created by Cisco to tunnel PPP frames
• Provides authentication only
  • Mutual authentication
• No data encryption
• Layer 2 (Data Link layer)
• UDP port 1701
L2TP

• Layer 2 Tunneling Protocol
• Combines the best features of L2F and PPTP, operating at Layer 2
• Message types
  • Control messages: establish, maintain, and tear down tunnels
  • Data messages: encapsulate PPP frames
• No data encryption of its own
  • Use IPsec (L2TP/IPsec: ESP protects the UDP 1701 traffic; UDP 500/4500 carry IKE)
• Authentication: PAP, CHAP, MS-CHAP, EAP-TLS
• UDP port 1701
Virtual Private Network

• Private network connections that traverse a public network
  • LAN through WAN back to LAN
• Uses tunneling protocols to establish virtual circuits
• Extends the LAN
• Provides cryptosystem protections (when the tunneling protocol is paired with encryption)
• Examples:
  • PPTP
  • L2TP
  • SSH
  • IPsec
IPsec

• IP Security
• Most widely deployed VPN technology
• Works at Layer 3 to protect IPv4 or IPv6 traffic (transparent to applications)
• Authentication of peers
  • X.509 digital certificates
  • Pre-shared keys
  • Kerberos (Windows)
• MAC/HMAC for per-packet integrity
• Anti-replay services (sequence numbers and a sliding window)
• Originally mandatory in every IPv6 implementation; now a SHOULD (RFC 6434), so do not assume an IPv6 host has it enabled
IPsec Modes

• Transport Mode
  • Designed for end-to-end protection of data between two hosts
  • Packet payload is protected, but the original IP header is left intact (routers still see the real endpoints)

    | IP header | protected data |

• Tunnel Mode
  • Designed for gateway-to-gateway (link-to-link) communications
  • Both the packet contents and the original IP header are encapsulated behind a new IP header

    | New IP header | original IP header | data |

"Transport on the LAN and Tunnel on the WAN"
IPsec Protocols

• Authentication Header (AH)
  • Offers authentication and integrity services, no confidentiality
  • HMAC
    • SHA or MD5 (MD5 is obsolete; use SHA-2)
  • IP protocol #51
  • NAT issues
    • The integrity check covers the IP addresses, so any NAT rewrite invalidates it; NAT-T (UDP 4500 encapsulation) only rescues ESP, which is one reason AH is rarely deployed

  AH Transport Mode:   | IP HDR | AH HDR | L4 HDR | L4 DATA |
                       |<----------- integrity check ---------->|

  AH Tunnel Mode:      | New IP HDR | AH HDR | Old IP HDR | L4 HDR | L4 DATA |
                       |<----------------- integrity check ---------------->|

  (mutable IP header fields such as TTL and the header checksum are zeroed before the HMAC is computed)
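Added example (not from the slides) of the AH integrity check in Python: an HMAC-SHA1-96 ICV over the IP header with its mutable fields zeroed, the AH header and the payload, plus an anti-replay window. A hop that decrements TTL still verifies, a NAT that rewrites the source address does not, and a replayed packet is rejected. The key and all addresses are assumed values; the IP header checksum is left at zero since AH ignores it anyway.

```python
import hashlib
import hmac
import struct

AH_KEY = b"\x5a" * 20          # assumed integrity key shared by the two IPsec peers
AH_LEN = 24                    # next header, payload len, reserved, SPI, sequence, 96-bit ICV
WINDOW = 64                    # RFC 4302 minimum anti-replay window size


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Plain 20-byte header; the header checksum stays zero because AH treats it as mutable anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x4242, 0x4000, ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))


def ah_icv(ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96 over the packet with mutable fields zeroed (RFC 4302 3.3.3.1): TOS, flags and
    fragment offset, TTL, header checksum; the ICV field itself is zero while it is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    ah_zeroed = ah_hdr[:12] + b"\x00" * 12
    return hmac.new(AH_KEY, bytes(h) + ah_zeroed + payload, hashlib.sha1).digest()[:12]


def build_ah_packet(src: str, dst: str, payload: bytes, spi: int, seq: int, next_header: int = 6) -> bytes:
    """AH transport mode: | IP | AH | payload |; the payload length field = (AH 32-bit words) - 2 = 4."""
    ip_hdr = ipv4_header(src, dst, 51, AH_LEN + len(payload))
    ah_hdr = struct.pack("!BBHII", next_header, 4, 0, spi, seq) + b"\x00" * 12
    return ip_hdr + ah_hdr[:12] + ah_icv(ip_hdr, ah_hdr, payload) + payload


def new_window() -> dict:
    return {"highest": 0, "seen": set()}


def verify_ah(packet: bytes, window: dict) -> str:
    ip_hdr, ah_hdr, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    if not hmac.compare_digest(ah_hdr[12:24], ah_icv(ip_hdr, ah_hdr, payload)):
        return "ICV failed"
    seq = struct.unpack("!I", ah_hdr[8:12])[0]
    if seq in window["seen"] or seq <= window["highest"] - WINDOW:
        return "replayed"                               # duplicate, or older than the window
    window["seen"].add(seq)
    window["highest"] = max(window["highest"], seq)
    return "ok"


def forward_through_router(packet: bytes) -> bytes:
    """A normal hop: TTL decremented, addresses untouched."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    return bytes(hdr) + packet[20:]


def nat_source(packet: bytes, new_src: str) -> bytes:
    """A NAT device rewriting the source address, which AH's ICV covers."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = bytes(int(o) for o in new_src.split("."))
    return bytes(hdr) + packet[20:]


if __name__ == "__main__":
    pkt = build_ah_packet("192.168.10.20", "198.51.100.7", b"L4 header + data", spi=0x1000, seq=1)
    print("direct      :", verify_ah(pkt, new_window()))
    print("via router  :", verify_ah(forward_through_router(pkt), new_window()))
    print("via NAT     :", verify_ah(nat_source(pkt, "203.0.113.4"), new_window()))
    w = new_window()
    verify_ah(pkt, w)
    print("replayed    :", verify_ah(pkt, w))
```

ESP's integrity check starts at the ESP header rather than the outer IP header, which is exactly why the NAT rewrite that breaks AH here leaves ESP (with NAT-T) working.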
IPsec Protocols

• Encapsulating Security Payload (ESP)
  • Offers authentication, integrity, and confidentiality
  • Uses AES (AES-GCM preferred) or the legacy 3DES/DES (DES and 3DES should no longer be used)
  • IP protocol #50

  ESP Transport Mode:  | IP HDR | ESP HDR | L4 HDR | L4 DATA | ESP trailer | ESP AUTH |
                                           |<------- encrypted ------->|
                                 |<------------- integrity check ------------>|

  ESP Tunnel Mode:     | New IP HDR | ESP HDR | Old IP HDR | L4 HDR | L4 DATA | ESP trailer | ESP AUTH |
                                               |<------------- encrypted ------------->|
                                     |<----------------- integrity check ----------------->|

• Only ESP can be used behind NAT (with NAT-T): the outer IP header is not covered by the integrity check, so a NAT device may rewrite it
IPsec Security Association

• An agreement of security parameters (protocol, mode, algorithms, keys, lifetimes) between two IPsec-capable systems
• Identified by a Security Parameter Index (SPI) carried in every AH/ESP header, together with the destination address and protocol; stored in the Security Association Database (SAD)
• Configured either manually by the administrator or automatically by IKE/ISAKMP
• Unidirectional: a bidirectional tunnel needs two SAs
ISAKMP

• Internet Security Association and Key Management Protocol
• Defines the framework of procedures and packet formats that establish, negotiate, modify, and delete Security Associations
• UDP port 500 (UDP 4500 when NAT traversal is in use)
IKE

• Internet Key Exchange
• Provides key management and key exchange
  • Standard automated method for creating and negotiating shared secret keys in IPsec
• Supports pre-shared keys and X.509 certificates for authenticating VPN peers
• Provides mutual authentication
• Uses UDP port 500 (and UDP 4500 for NAT-T)
• IKEv1 is built upon two protocols: ISAKMP and Oakley; IKEv2 (RFC 7296) replaces both with a single, simpler exchange and should be preferred
• Avoid IKEv1 aggressive mode with pre-shared keys: the PSK-derived hash is sent in the clear and can be cracked offline
Physical Transmission Media

• Interference issues
• Eavesdropping
• Wired media
• Wireless media
Interference Issues

• Electromagnetic Interference (EMI)
  • External interference source
  • Power cables, fluorescent lights
• Crosstalk
  • Internal interference source (adjacent pairs or cables)
  • Compromising emanations: the same coupling lets an attacker read the signal
  • Shielding and twisted wire pairs (CAT 5 and later)
• Radio Frequency Interference (RFI)
  • Infringing RF sources
Eavesdropping

• Splicing Attack
• Physical hacking of cable
• Vampire taps
• Packet Sniffing
• Protocol Analyzer
• Promiscuous Mode
Coaxial Cabling

• BNC Connector

• Vulnerabilities:
• Sniffer attached to T connector or vampire tap
• DoS through break in the cable
STP/UTP

• Unshielded Twisted Pair (UTP) and Shielded Twisted Pair (STP)
• Easiest and cheapest to install
• Most popular: CAT 5e/6
• Vulnerabilities:
  • Electromagnetic Interference (EMI)
    • UTP is the more vulnerable of the two
  • Wire tapping
  • How and where wires are run in a building
    • Plenum-rated cable is required in air-handling spaces (fire safety)
CAT Standards

• Unshielded Twisted Pair (UTP)
• Shielded Twisted Pair (STP)

  Category   Speed         Usage
  CAT 1      Voice         POTS
  CAT 2      4 Mbps        Token Ring
  CAT 3      10 Mbps       10Base-T
  CAT 4      16-20 Mbps    16 Mbps Token Ring
  CAT 5      100 Mbps      10-, 100Base-T
  CAT 5e     1000 Mbps     10-, 100- & 1000Base-T
  CAT 6      1000 Mbps     High speed (10 Gbps over short runs)
Fiber Optic Cabling

• Pulses of light
• Expensive, used for backbone
• Single mode (long distance)
• Multi mode (short distances)
• Cannot be tapped into easily
• Fiber Taps
• With a sharp bend in the strand, some light can escape
• Fiber tap device captures light
• Easy to detect due to the attenuation in the line
Wireless Networking

• CSMA/CA
• Carrier Sense Multiple Access with Collision Avoidance
• 802.11
• Wireless Local Area Network (WLAN)
• 802.15
• Wireless Personal Area Network (WPAN)
• 802.16
• Wireless Metropolitan Area Network (WMAN)
802.11 Standards

  Protocol   Frequency          Throughput    Modulation
  802.11     2.4 GHz            2 Mbps        FHSS / DSSS
  802.11a    5 GHz              54 Mbps       OFDM
  802.11b    2.4 GHz            11 Mbps       DSSS
  802.11g    2.4 GHz            54 Mbps       OFDM (DSSS for 802.11b compatibility)
  802.11n    2.4 GHz / 5 GHz    *600 Mbps     OFDM
  802.11ac   5 GHz              *1.69 Gbps    OFDM

  *supports Multiple In Multiple Out (MIMO); throughput figures are theoretical maximums


Modulation Types

• FHSS
• Frequency Hopping Spread Spectrum
• DSSS
• Direct Sequence Spread Spectrum
• OFDM
• Orthogonal Frequency Division Multiplexing
Wireless Terminology

• Wi-Fi
• Access Point
• Association
• Beacon Frame
• SSID (Service Set ID)
• BSSID (Basic Service Set ID)
• ESSID (Extended Service Set ID)
WLAN Physical Security

• Wireless (site) survey
• Antennae
  • Placement
  • Directional antenna (Yagi, parabolic grid, panel): focuses the signal and limits how far it leaks outside the building
  • Omni-directional antenna
• Transmitter power
• Attenuation
WLAN Logical Security

• SSID management
  • Change the default SSID (it reveals the vendor and therefore the default credentials)
  • Disabling SSID broadcast hides the name from casual users only: it still appears in probe and association frames, so do not treat it as a security control
• Implement guest mode (a separate guest SSID/VLAN)
• AP isolation (clients cannot reach each other through the AP)
WLAN Authentication

• Establish WLAN authentication requirements
  • Open
  • Pre-Shared Key (PSK)
  • IEEE 802.1X
    • Extensible Authentication Protocol (EAP)
    • Mutual authentication
  • MAC filtering: a management convenience only, since MAC addresses are sent in the clear and are trivially spoofed
WLAN Encryption: WEP

• Wired Equivalent Privacy
• Intended to provide the equivalent security of a wired network
• Encrypts data using the RC4 algorithm, with a 24-bit IV prepended to a static 40- or 104-bit key
• Authentication:
  • Open System Authentication
  • Shared Key Authentication (worse: the challenge/response leaks keystream)

WEP Issues

• Static keys shared by every client
• Small key sizes
• 24-bit IV: IVs repeat after at most 16.7 million frames (far sooner on busy networks), so keystream is reused and frames can be decrypted; weak IVs leak the key itself (FMS/PTW attacks recover it in minutes)
• No replay protection: replay attacks (e.g. ARP reinjection to generate traffic)
• Evil twin attacks
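Added example (not from the slides): RC4 and WEP-style per-frame keying in Python, showing that two frames sent under the same IV share a keystream, so one known plaintext reveals the other without ever recovering the key. Key, IV and frame contents are constructed; the real WEP CRC-32 ICV is omitted.

```python
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) then the pseudo-random generator (PRGA) XORed over data."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame key = 24-bit IV || static 40/104-bit key; the IV travels in the clear in front
    of the ciphertext. (The real frame also carries a CRC-32 ICV, omitted here.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + static_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_attack(frame1: bytes, frame2: bytes, known_plaintext1: bytes):
    """Same IV + same static key = same RC4 keystream, so C1 xor C2 = P1 xor P2. With one known
    plaintext (a predictable ARP or DHCP frame) the attacker recovers the other without the key.
    Returns None when the IVs differ, and only as many bytes as the known plaintext covers."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        return None
    keystream = xor_bytes(c1, known_plaintext1)
    return xor_bytes(c2, keystream)


def expected_frames_until_iv_repeat() -> int:
    """Birthday bound for a 24-bit IV chosen at random: about sqrt(pi/2 * 2^24) frames."""
    return int(math.sqrt(math.pi / 2 * 2 ** 24))


if __name__ == "__main__":
    key, iv = bytes.fromhex("0123456789"), bytes.fromhex("0a0b0c")      # constructed 40-bit key and IV
    arp = b"ARP request: who has 192.168.1.1? tell 192.168.1.77"     # attacker can predict this frame
    secret = b"POST /login user=admin&pass=S3cret! HTTP/1.1"
    f1, f2 = wep_encrypt(key, iv, arp), wep_encrypt(key, iv, secret)
    print(keystream_reuse_attack(f1, f2, arp))
    print("frames until an IV repeats (random IVs):", expected_frames_until_iv_repeat())
```

The birthday figure is why the 24-bit IV is fatal regardless of key length: a busy access point produces a colliding IV within a few thousand frames, and the attacker only needs to wait.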
WLAN Encryption: WPA

• Wi-Fi Protected Access
• Designed to fix WEP flaws without requiring new hardware
• Dynamic keys
  • Temporal Key Integrity Protocol (TKIP)
  • Larger IV space (48 bits)
  • Message Integrity Code (MIC, "Michael")
  • Per-frame sequence counter (replay protection)
• Still uses RC4 (a better implementation, though); TKIP is now deprecated and should be disabled
WLAN Encryption: WPA2

• IEEE 802.11i standard
• Mandatory for Wi-Fi certification
• National Institute of Standards and Technology (NIST) FIPS 140-2 compliant
• Uses CCMP with AES encryption
  • CBC-MAC for packet authenticity and integrity checking
  • AES (counter mode) for message confidentiality
• Supports mutual authentication
  • 802.1X: PEAP, EAP-TTLS, EAP-TLS, EAP-FAST
  • PKI
WPA/WPA2 Modes

• IEEE 802.11i modes
• Personal (WPA-PSK)
  • Pre-shared key grants access to the WLAN
  • Residential WLANs
  • Anyone who captures the 4-way handshake can crack a weak passphrase offline, and anyone who has the passphrase can decrypt other clients' traffic
• Enterprise (WPA-802.1X)
  • Centralized key management: every client receives its own session keys
  • Uses an EAP variant with an 802.1X authentication server (RADIUS)
    • PEAP / EAP-TLS / EAP-TTLS / EAP-FAST
  • X.509 digital certificate installed on the authentication server (clients must validate it, or a rogue AP can harvest credentials)
  • Supports PKI
WAP

• Wireless Application Protocol
• Commonly used in small mobile devices such as cell phones that have a web browser
• Functions are equivalent to the TCP/IP suite
• WAP 1.x uses WTLS
  • "Gap in the WAP": the WAP gateway decrypts WTLS and re-encrypts as TLS, so the data is briefly in the clear on the gateway
• WAP 2.0 uses TLS end to end
  • Fixes the WTLS decryption issue
Physical Devices

• Layer 1 Physical
• Layer 2 Data Link
• Layer 3 Network
• Upper layers
Layer 1

• NIC
• Connects host to the network (Layer 1)
• MAC address stored in firmware (Layer 2)
• Modem
• Connects host to the telephone network
• Modulate-Demodulate
• Hub
• Allows nodes to communicate with each other
• No path determination
Layer 2

• Switch
  • Connects multiple network segments
    • Trunking ports
    • Access ports
  • Improves network efficiency
  • Uses MAC addressing for delivery determination
  • Works at Layer 2

Loop Protection

• Loops
  • More than one Layer 2 path between two endpoints
  • Affects network availability: can bring down the network
    • Broadcast storm
• Loop protection
  • Manages switch ports automatically
  • Use Spanning Tree Protocol (STP) on switches
    • Prevents loops in the LAN by blocking redundant links
    • Selects the lowest-cost path (normally the fastest links)
    • STP fails over to an alternate link if a link fails
  • Protect STP itself: enable BPDU guard on access ports and root guard on uplinks, otherwise a rogue switch can claim the root role and redirect traffic through itself
Broadcast Storm

• Frames are broadcast, received and rebroadcast by each switch, so the frame circulates forever and is never delivered
• Can cause severe network congestion
• Degrades switch processing
• Switch memory depletion
• Mitigation:
  • IEEE 802.1D STP
  • Subnetting
  • VLANs
  • Storm control (rate-limiting broadcast/multicast traffic per port)
VLAN

• Virtual LAN
• Devices on the same physical network are divided into multiple
logical networks
• Segments users or groups on a network
• Created using VLAN-capable switches
• Benefits:
• Decreases broadcast traffic
• Reduces traffic interception
• Better management of network assets
Within Same VLAN / Different VLANs / Modifying VLAN Membership (diagram slides)

• Three diagrams of a 16-port managed switch carrying four VLANs ([Link]/24 each) with a router attached:
  • Within the same VLAN: a frame between two hosts in the same VLAN is switched directly
  • Different VLANs: a packet between hosts in different VLANs must go through the router (inter-VLAN routing); the switch never forwards it directly
  • Modifying VLAN membership: a port is moved into VLAN 4 with the switch configuration

    interface fastethernet 0/2
     switchport mode access
     switchport access vlan 4

• Hard-coding "switchport mode access" also stops the port from negotiating a trunk (DTP), which is the first step of switch-spoofing VLAN hopping
VTP

• VLAN Trunking Protocol (Cisco proprietary)
• Propagates the VLAN database to every switch in the VTP domain
  • Bird's-eye view of all VLANs
• Layer 2 protocol
• Aids in managing complex logical network backbones
  • A switch updated within the VTP domain propagates the update to the remaining switches
  • A rogue or misconfigured switch with a higher configuration revision can overwrite (delete) every VLAN in the domain: set a VTP password, and use transparent mode or disable VTP where it is not needed
• IEEE 802.1Q VLAN tagging (the trunking standard itself)
  • QinQ (double-tagging) attacks: a frame with two 802.1Q tags hops into another VLAN when the trunk's native VLAN matches the outer tag; use a dedicated, unused native VLAN and tag it
Layer 3

• Router
• Provides connectivity between two or more networks
• Routes packets based upon IP addressing
• Works at layer 3
• Typical routing protocols:
• RIP (Routing Information Protocol)
• OSPF (Open Shortest Path First)
• BGP (Border Gateway Protocol)
Secure Router Configuration

• Document a baseline configuration
• Perform the initial configuration from the console and back it up securely
  • Avoid using TFTP for image and configuration transfers (plaintext, no authentication); use SCP over SSH or HTTPS instead
• Change default settings
• Password protect management interfaces (and reach them over SSH, not Telnet)
• Change control
  • Save each configuration change and document all modifications
ACL

Access Control List

• Rule-based access control configured on an interface to restrict access to resources
• Anti-spoofing filter
• The last line is the implicit deny statement: anything not explicitly permitted is dropped
• Can be applied to inbound/outbound traffic
• Usually simple packet filtering that blocks traffic by
  • Source and destination IP address
  • Ports
  • Protocol
ACL Standard vs Extended

• Cisco Standard ACL example
• access-list 1 permit [Link] [Link]
• access-list 1 deny any

• Cisco Extended ACL example
• access-list 101 permit tcp any any eq http
• access-list 101 deny tcp any any eq 23
• access-list 101 deny ip any any
Firewall Rules

• Firewall Rules
• Allow a computer to send traffic to, or receive traffic from,
programs, system services, computers, or users
• Inbound traffic (ingress)
• Outbound traffic (egress)
• Usually take one of two actions
• allow/permit/accept
• block/deny/reject
Network Design and Components

• Security Zones
• DMZ: contains public facing servers
• Bastion hosts: any hardened system located in the DMZ (VPN Concentrator,
Web Server, email server, etc.)
• Intranet: internal network (local and remote locations)
• Extranet: segment of your network set aside for trusted partners and
organizations
• Internet: unsecured security zone
Packet Filtering Firewall

• Filters traffic to specific addresses based on the IP header
of each packet that it receives
• Network Perimeter
• Works at layer 3
• Packets are compared against the ACL and will either be
forwarded or dropped
Packet Filtering Firewall

• Network Border
• Anti-spoofing (limited)
• Implicit Deny

[Figure: a router (RTR) sits between the Internet and a LAN of clients. A packet arriving from the Internet with the source IP and destination IP shown is checked against the inbound ACL below; the ACL's addresses were not preserved.]

deny [Link] [Link]
deny [Link] [Link]
deny [Link] [Link]
deny [Link] [Link]
deny [Link] [Link]
permit any
deny any
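The first-match evaluation with an implicit deny at the end, from the ACL slides, together with the inbound anti-spoofing list above, as an added Python example (not from the slides). The LAN prefix, the private and loopback ranges and the packets are constructed stand-ins for the addresses the figure elided.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str = "ip"     # "ip" matches every protocol, like Cisco's "ip any any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed anti-spoofing ACL for the inbound direction of the Internet-facing
# interface: a packet arriving from the Internet must never carry our own LAN
# prefix, an RFC 1918 private range or the loopback range as its source.
INTERNAL_LAN = "192.0.2.0/24"   # constructed LAN prefix (documentation range)
ANTI_SPOOF_ACL = [
    Rule("deny", src=INTERNAL_LAN),
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", src="172.16.0.0/12"),
    Rule("deny", src="192.168.0.0/16"),
    Rule("deny", src="127.0.0.0/8"),
    Rule("permit"),                  # "permit any": everything else is allowed in
]

# Constructed extended ACL with the shape of the slide's example: web allowed,
# telnet blocked, everything else caught by the implicit deny. The slide's
# explicit "deny ip any any" has the same effect but shows the drops in the
# ACL's hit counters.
EXTENDED_ACL = [
    Rule("permit", proto="tcp", dport=80),
    Rule("deny", proto="tcp", dport=23),
]
```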
Packet Filtering Firewall

[Figure: an Access Control List is applied on each side of the firewall; each list matches on the following header fields.]
• Destination IP
• Source IP
• Destination port
• Source port
• Flag (TCP only)
SPI Firewall

• Stateful Packet Inspection Firewall
• Tracks each TCP connection in a state table
• May examine the header information and/or the contents of the
packet
• Filtering is based on rules and on context that has been
established by prior packets
• Works at Layers 3 and 4
SPI Firewall

[Figure: Stateful Inspection Firewall. An Active Sessions Table sits between the two Access Control Lists, each of which matches on the following header fields.]
• Destination IP
• Source IP
• Destination port
• Source port
• Flag (TCP only)
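The difference between the stateless ACL fields and the active sessions table, as an added Python simulation (not the deck's own material): a stateful filter admits an inbound packet only when it is the reply half of a connection it has already seen leave, whereas a flag-only rule has no memory. The LAN prefix and packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK", "ACK", "RST" ...

class StatefulFirewall:
    """Minimal stateful packet inspection. Outbound connections from the LAN
    are permitted and recorded in the active sessions table; an inbound
    packet is permitted only when it is the reply half of a recorded session,
    so the decision depends on context established by earlier packets."""

    def __init__(self, lan_prefix: str):
        self.lan_prefix = lan_prefix
        self.sessions = set()       # (src, sport, dst, dport) of outbound flows

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._is_internal(pkt.src) and not self._is_internal(pkt.dst):
            if pkt.flags == "SYN":           # new outbound connection: create state
                self.sessions.add(key)
                return "permit"
            return "permit" if key in self.sessions else "deny"
        if reverse in self.sessions:         # inbound reply to a tracked session
            if pkt.flags == "RST":           # peer tore it down: forget the state
                self.sessions.discard(reverse)
            return "permit"
        return "deny"                        # unsolicited inbound traffic

def stateless_established(pkt: Packet) -> str:
    """The stateless alternative: a packet-filter rule that matches only on the
    TCP flag field ("established" = ACK set). It has no memory, so an inbound
    packet with ACK set is permitted whether or not any session exists."""
    return "permit" if "ACK" in pkt.flags else "deny"
```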
Circuit Level Proxy Firewall

• Circuit Level Proxy
• Monitors traffic between trusted and untrusted hosts via virtual
circuits or sessions
• Filtering is based on sessions rather than content of packets
• Works at Layer 5
SOCKS

• Network service/protocol designed to allow clients to
communicate with Internet servers through a firewall
• Often uses encryption
• Proxy configuration option in popular Web browsers and
instant messaging programs
• Example: PuTTY (similar)
Proxy Server

• Proxy Server
• A border device used to protect security zones
• Can be configured to:
• Improve performance by caching content locally
• Use ACLs to filter content for inbound/outbound traffic
Application Proxy Firewall

• Application Level Gateway
• Acts as an Application Proxy
• Works at Layer 7
• Traffic is evaluated by user, group policies, and
content/protocol/application
• Slowest form of a firewall
NAT

• Network Address Translation (NAT)
• Translates a private address into a public address
• Allows sharing of a single public IP address or a pool of public IP
addresses at the network gateway
• SNAT
• DNAT
• PAT/overloaded NAT
• Hides internal network address from an external network
• IPsec issues
• NAT-T
NAT

[Figure: One-to-One Address Mapping between inside hosts and the Internet. The addresses shown in the figure were not preserved.]
• Dynamic: outside addresses are pooled and "selected" for each inside address when needed.
• Static: each outside address is configured for a specific inside address.
• Original Request → Rewritten Request: the NAT Table stores the original Source IP and associates it with the rewritten Source IP.
• Rewritten Response → Original Response: packets destined for the original Source IP are remapped based on the NAT Table.
PAT

• Port Address Translation (PAT)
• Allows many hosts to share a single IP address by multiplexing
streams differentiated by TCP/UDP port numbers
• Ports are selected at random for each inside address which generates a
request
• Also known as “NAT Overloading”
PAT

[Figure: Many-to-One Address Mapping. Several inside hosts share one outside address, each flow distinguished by a translated source port such as :58753. The addresses shown in the figure were not preserved.]
• Original Request → Rewritten Request: the PAT Table stores the original Source IP and associates it with the rewritten Source IP and port.
• Rewritten Response → Original Response: packets destined for the original Source IP are remapped based on the PAT Table.
VPN Concentrator

• Device that handles inbound VPN tunnels
• Primarily used for remote-access VPNs
• DMZ bastion host
• Usually comes in two flavors, SSL or IPsec (some, e.g. Cisco, can do both)
• Examples: Cisco, Netgear, Juniper
All-in-One Appliance

• Device that combines numerous security functions into one
• Example: Cisco Adaptive Security Appliances (ASA) 5500 series
• ASA combines the
• PIX firewall (Routing, ACL, NAT)
• 4200 Series IPS (IPS functions)
• 3000 Series VPN concentrator (VPN management)
• Also known as Unified Threat Management (UTM)
Flood Guards

• A network device (firewall) designed to thwart DDoS attacks
• Fraggle
• Smurf
• SYN flood
• Authentication DoS attacks
• Example: Cisco’s floodguard
Load Balancers

• Distributes workload across multiple computers or network
links
• Can be used to implement failover
• In the event of server or application failure, load balancers
facilitate automatic failover to ensure continuous availability
• Can be hardware or software-based
• Examples: Barracuda, Cisco, Foundry, F5
Server Clustering

• Group of independent servers that work together to
increase the availability of applications and services
• Failover cluster
• Minimizes disruptions
• Mitigates Single Point of Failure
Internet Content Filters

• Filters content defined by a policy
• Permits or denies by URLs and content
• Designed to enforce the security policy
• Prevents employees from viewing inappropriate websites
• Can incorrectly block legitimate websites
Web Security Gateway

• Combines various security solutions into one
• Maximizes security by detecting, filtering and blocking web
threats
• Inspects all content in transit while remaining transparent to users
• Detects malicious code (viruses, spyware, adware)
• Filters URL content
• May provide data leakage protection (DLP)
Network Monitoring

• Promiscuous Mode
• Packet capture and analysis
• Protocol Analyzers
• NIDS / NIPS
• HIDS / HIPS
Protocol Analyzer

• Hardware or software utility for capturing and analyzing
network traffic
• Establishing network traffic baselines
• Logging real-time network traffic
• Sniffing network traffic for policy violations
• Network performance monitoring
• Network troubleshooting
• Wireshark, tcpdump, Kismet
IDS

• Intrusion Detection Systems (IDS)
• Monitoring system which collects and analyzes traffic
• Used to Detect:
• Attacks coming from outside the network
• Attacks and misuse from within the network
• IDS Types:
• Network Based
• Host Based
IDS Detection Methods

• Signature
• Evaluates attacks based on a database of signatures written by
the vendor
• Anomaly (Heuristics)
• Baseline
• Must learn what activities are normal and acceptable
• Looks for unexpected events
NIDS

• Network-based IDS
• Monitors network traffic in real time
• Analyzes protocols and other relevant packet information
• Particularly suited for detecting port scanning and DDoS attacks
• Sensors are deployed and usually report back to a system running a
management console
• Can send alerts or terminate connections
• Systems with sensor application installed are usually dual homed
• Cannot analyze encrypted traffic
NIDS Placement

[Figure: "Where would you place your N-IDS?" Candidate sensor positions 1 through 6 are marked on a topology of Internet, modem, router, firewall, DMZ servers, switch, wireless AP, workstations and internal servers.]
Mirroring Port

• Allows network monitoring across a switch
• Frames are duplicated and delivered to the mirroring port of the
switch
• Ideal connection for a protocol analyzer or NIDS
• Needs to be configured
• Affects performance of the switch
HIDS

• Host-based IDS
• Installed on an individual host
• Detects attacks against the host and the level of their success
• Relies on the auditing and logging capabilities of the operating system
• Is detectable and can be a target of attack
Passive IDS

• Looks for security breaches, but effectively takes no action
• Logs suspicious activity
• Generates alerts if the attack is deemed to be severe
• The network analyst interprets the degree of the threat and
responds accordingly
Active IDS

• Can be configured to take specific actions
• Can automate responses including dynamic policy
adjustment and reconfiguration of supporting network
devices
• Might be too late
IPS

• Intrusion Prevention System
• Monitors network traffic for malicious activity and can block,
reject, or redirect traffic in real-time
• Focuses on prevention as opposed to detection
• Preventative control instead of merely a detective control
• Anticipates the attack before it is successful
• Can adjust security posture on the fly
• Installed in-line
• Dual-homed
• Encrypted traffic is not inspected
IDS Evaluations

• False Positives
• IDS reports legitimate activity as an intrusion
• Poorly tuned
• bad/outdated baseline
• False Negatives
• IDS fails to detect malicious network activity
• New attacks not yet identified by vendor
• Poorly written signatures
• Outdated signature files
• Patient, stealthy attacks (low and slow scanning)
Clipping Levels

• The set security threshold before a security service reacts
• Examples:
• IDS Tuning
• Failed logon attempts to the admin account will not be reported, unless it
occurs three times in a row over a short period of time
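The admin-account rule above, as an added Python detector run over constructed log lines (not part of the slides). The log format, the threshold of three consecutive failures, the 60-second window and the one-alert-per-burst behaviour are assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <FAIL|OK>" per line
SAMPLE_LOG = """\
2024-01-15T09:00:01 admin FAIL
2024-01-15T09:00:04 admin FAIL
2024-01-15T09:00:07 admin FAIL
2024-01-15T09:00:09 admin FAIL
2024-01-15T09:00:12 alice FAIL
2024-01-15T09:05:00 admin FAIL
2024-01-15T09:20:00 admin FAIL
2024-01-15T09:20:05 admin OK
2024-01-15T09:20:30 admin FAIL
2024-01-15T09:20:31 admin FAIL
2024-01-15T09:20:32 admin FAIL
"""

def parse(line):
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome

def clipping_alerts(log_text, user="admin", threshold=3,
                    window=timedelta(seconds=60)):
    """Return the timestamps at which an alert fires: `threshold` consecutive
    failed logons for `user` inside `window`. A successful logon resets the
    streak ("in a row"); failures older than the window slide out of it.
    Anything below the threshold is deliberately not reported: that is the
    clipping level, which keeps an occasional mistyped password out of the
    alert queue."""
    recent = deque()          # timestamps of the current streak of failures
    alerts = []
    for line in log_text.splitlines():
        ts, who, outcome = parse(line)
        if who != user:
            continue
        if outcome == "OK":   # a success breaks the streak
            recent.clear()
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # too old to count toward this burst
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()    # report once per burst, then start counting again
    return alerts
```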
Virtualization Technology

• Multiple computers on one physical platform
• Virtualized environments are used to help secure networks
• Controlled by Hypervisor
• Sandbox security model
• Examples: VMware, Virtual PC, Java Applets
Sandbox Security Model

• Ensuring a compromised entity can’t cause harm to other
entities
• A compromised VM isn’t allowed to compromise other VMs or
the host machine
• A form of compartmentalization
• Handled by the Hypervisor
• VM Escape attacks
Hypervisors

• Type 1 Hypervisor (native or bare-metal)
• Runs directly on the host's hardware to control the hardware and
to monitor guest operating systems
• Examples: Hyper-V, ESXi
• Type 2 (hosted)
• Runs within a conventional operating-system environment as a
separate application
• Examples: Virtual PC, VMware Player
Virtualization Benefits

• Computing elasticity
• Dynamic, on-demand allocation of systems
• Compartmentalization
• Partitioning in support of damage control
• Containment
• Natural isolation of potential compromises
• Snapshots
• VM rollback capability
• Reduction of costs
Virtualization Vulnerabilities

• Single point of failure
• Physical host fails, they all fail
• VM files are all in one spot
• Insider Access
• VM Escape exploits
• Exploitable communication channels
• Packet sniffing
• Spyware
Cloud Computing

• Computing is "in the cloud" (internet)
• Software, data access, and storage services that do not require
user knowledge of the location and configuration of the system
delivering services
• Three layers
• Software as a Service (application)
• Platform as a Service (platform)
• Infrastructure as a Service (infrastructure)
Cloud Computing Architecture

Software as a Service
• Software as a service over the Internet
• Eliminates the need to install/run applications on
customer's computers
• No local software applications needed (just web site
connectivity)
Platform as a Service
• Facilitates deployment of applications reducing cost and
complexity
• Vendors allow apps to be created and run on their
infrastructure
Infrastructure as a Service
• Typically a platform virtualization environment
• Clients purchase resources/services (servers, software,
certain network devices, data center space)
Cloud Computing Types

• Private Cloud
• The cloud infrastructure is provisioned for exclusive use by a
single organization comprising multiple consumers
• Public Cloud
• The cloud infrastructure is provisioned for open use by the
general public (Pay-as-you-go Model)
• Community Cloud
• The cloud infrastructure shared by several organizations which
supports a specific community
Cloud Computing Types

• Hybrid Cloud
• A combination of a private cloud combined with the use of public
cloud services where one or several touch points exist between
the environments.
• The goal is to combine services and data from a variety of cloud
models to create a unified, automated, and well-managed
computing environment.
Cloud Computing Vulnerabilities

• Single Point of Failure
• Network Failure
• DoS/DDoS
• Third Party Access
• Cloud service provider insider access
• Inadequate Encryption
• VPN Tunnel
• Whole disk encryption
• File-level encryption
Domain Objectives

A Security+ candidate is expected to:
– Implement security configuration parameters on network devices
and other technologies
– Apply and implement secure network administration principles
– Explain network design elements and components
– Implement common protocols and services
– Implement wireless networks in a secure manner
– Explain types of wireless attacks
Questions?
Review Question 1

Configuring the mode, encryption methods,
and security associations are part of which of
the following?

a) IPsec
b) Whole disk encryption
c) IEEE 802.1X
d) PKI
Review Question 2

A server is configured to interface with both
VLAN1 and VLAN16. VLAN1 communication
works fine, however VLAN16 communication
fails. Which of the following MUST be
implemented?
a) The server’s network switch port must be enabled for
802.11X on VLAN16
b) The server’s network switch port must use VLAN Q-in-Q
for VLAN16
c) The server’s network switch port must be 802.1q
untagged for VLAN16
d) The server’s network switch port must be 802.1q tagged
for VLAN16
Review Question 3

Which of the following protocols allows for
secure transfer of files? (Select TWO).

a) ICMP
b) SNMP
c) SFTP
d) SCP
e) TFTP
Review Question 4

Which of the following is a step in deploying a
WPA2-Enterprise wireless network?
a) Disable CCMP on all wireless devices
b) Install a DHCP server on the authentication server
c) Install TKIP on all wireless clients
d) Install a Digital Certificate on the authentication server
e) Install a symmetric ticket on each wireless client
Review Question 5

Which of the following BEST describes a
common security concern for cloud
computing?
a) Data can be accessed by third parties who have
compromised the cloud platform
b) Antivirus signatures are not compatible with virtualized
environments
c) Network connections tend to experience latency issues
d) CPU and memory resources could be consumed by other
servers in the same cloud
Review Question 6

A security administrator is segregating all
web-facing server traffic from the internal
network and restricting it to a single interface
on a firewall. Which of the following BEST
describes this new network?

a) VLAN
b) DMZ
c) VPN
d) Subnet
e) Extranet
Review Question 7

Which of the following must Jane, a security
administrator, implement to ensure all wired
ports are authenticated before a user is
allowed onto the network?

a) Intrusion prevention system
b) Web security gateway
c) Network access control
d) IP access control lists
Review Question 8

Pete, the security administrator, wants to
ensure that traffic to the corporate intranet is
secure using HTTPS. He configures the firewall
to deny traffic to port 80. Now users cannot
connect to the intranet even through HTTPS.
Which of the following is MOST likely causing
the issue?
a) The web server is configured on the firewall's DMZ
interface.
b) The VLAN is improperly configured.
c) The firewall's MAC address has not been entered into the
network ACL.
d) The firewall executes an implicit deny.
Review Question 9

Which of the following should a security
administrator implement to prevent users
from disrupting network connectivity if a user
connects both ends of a network cable to
different switch ports?

a) VLAN separation
b) Access control
c) Loop protection
d) Split horizon
Review Question 10

A small company needs to invest in a new
expensive database. The company's budget
does not include the purchase of additional
servers or personnel. Which of the following
solutions would allow the small company to
save money on hiring additional personnel
and minimize the footprint in their current
datacenter?
a) Allow users to telecommute
b) Setup a load balancer
c) Infrastructure as a Service
d) Software as a Service
