4: Communication & Network Security

• simple: physical connectivity, electrical signals flowing
• all hardware devices have a physical layer element

• hubs are layer 1

• theft
• unauthorized access
• vandalism
• sniffing
• interference
• data emanation

• only layer with sublayers

• error control

• physical addressing

• MAC address

  • physical address of the card
    • physically burned into the card
    • doesn’t change
      • can be spoofed
    • good for local addressing, not global addressing

• ARP (address resolution protocol)

  • maps an IP address to a MAC address
  • ARP cache poisoning
    • changing the cached address to point to another address

• RARP (reverse ARP)

  • predecessor to DHCP

• CSMA/CD (carrier sense multiple address with collision detection)

  • IEEE standard
  • 802.3 Ethernet

• CSMA/CD (carrier sense multiple address with collision avoidance)

  • IEEE standard
  • 802.11 Wireless

• token passing

  • 24 bit control frame passed around the network to determine which system can transmit data

• sniffer

  • a network card set to promiscuous mode. takes in all data it receives

• Ethernet

• all protocols start with “I” (IMAP doesn’t go here — it’s internet mail application protocol)
  • IP
  • ICMP
  • IGMP
  • IGRP
  • IPSEC
  • IKE
  • ISAKMP

• echoing utilities — ping, route, trace
• weak and frequently exploited
  • ping flood
    • sending an overwhelming amount of ICMP echo requests
  • SMURF
    • using a spoofed source address (which is the target of the attack) and directing broadcasts to launch a DDoS
  • Loki attack
    • hiding data within ICMP messages

• reliable, connection-oriented protocol
• uses three-way handshake
• SYN flooding

• connectionless
• unreliable
• no handshaking
• desirable when “realtime” transfer is needed
  • Netflix, gamer bois, hot tub Twitch streaming, etc.
  • TFTP uses UDP

• responsible for establishing connection between two applications
• dialog control
• release connections

• present data in a format that all computers can understand
• only layer that has no protocols
• concerned with compression, encryption and formatting
• makes sure data is in universal format
• file level compression
• removing redundancy from file (compression)

• defines a protocol that different programs / applications understand
  • HTTP, HTTPS, FTP, TFTP, SMTP, SNMP, IMAP, etc.
  • application proxies
  • non-repudiation
  • certs
  • integration with directory services
  • time awareness

• routing info across network
• provides an addressing scheme
• delivers packets from a source to a destination
• serves as a network layer protocol

• connection-oriented protocol

• guarantees delivery via acknowledgement

• widely used for critical applications

• TCP flags

  • SYN opens a connection
  • FIN closes a connection
  • ACK acknowledges a SYN or FIN

• TCP handshake

  • source sends SYN
  • destination replies w/ SYN/ACK
  • source replies w/ ACK

• lightweight connection-less protocol
• doesn’t send acknowledgements
  • doesn’t guarantee delivery
• used for voice and video applications

• promotes interoperability between vendors
• enables standardization
• describes the encapsulation (packaging) of data to enable it to get from point A to point B
• each layer adds a header to it
• each header has instructions for where the data should go
  • sending - you go down the layers and add headers to the data
  • receiving - you go up the layers and remove headers from the data

• pay attention to the question being asked
• learn the OSI model
• remember how TCP/IP aligns with OSI

• uniquely identifies systems on a network
• follow dotted quad notation
  • four 8-bit numbers 0–255
• 32-bit address (8 × 4 = 32)
• must not be reused in internet-connected systems
• may be reused on private networks

• allow private networks to be divided
• 192.168.1.100
  • first portion is the network address
  • second portion is the host address
• works by adjusting which portion of the address is the network and host

• source

  • sender of data

• destination

  • recipient of data

• machines communicating switch places between the two constantly during communications

• replaces IPv4 due to address exhaustion
• use 128-bit addresses
• consist of eight groups of four hexadecimal numbers

• static IP addresses

  • manually assigned to systems by admin
  • must be w/in network range
  • often used for servers

• dynamic IP addresses

  • automatically assigned by DHCP (dynamic host configuration protocol) server
  • address comes from admin-configured pool
  • often used for workstations

• provides address resolution on the internet

• DNS server

  • translates domain names into IP addresses
  • functions over UDP port 53

• DNS resolution

  1. URL input into browser
  2. computer sends DNS query to local DNS server
  3. DNS server looks up URL, finds IP address and sends back to computer
  4. computer connects to web server via IP address

• DNS is hierarchical

  • orgs designate servers that are authoritative for their domains

• some content filters (i.e. Pi-hole, AdGuard Home) alter DNS query results

• DNSSEC

  • adds digital signatures to DNS replies
  • protects against DNS poisoning

• guide traffic to the correct final destination
  • think of them as apartment numbers (ports) associated with an apartment building address (IP address)
• 16-bit number (65,536 ports)
• 0–65535

• housekeeping protocol of the internet

• identifies live systems
• source sends ICMP echo request to destination
• destination replies with ICMP echo reply

• identifies network paths

• destination unreachable
• redirects
• time exceeded
• address mask requests and replies

• TCP/IP is the most common multilayer protocol suite

• provides network connectivity for SCADA systems
  • allows for remote collection of data

• translates internal IP addresses of devices to external IP
  • advantages:
    • can use private addresses internally, don’t need to get a public IP address for each computer
    • allows for RFC 1918 IP addresses
      • 10.x.x.x
      • 172.16.x.x – 172.31.x.x
      • 192.168.x.x
    • hiding of internal network scheme
    • transparent, doesn’t require any special software

  • disadvantages:
    • single point of failure
    • performance bottleneck
    • doesn’t provide protection from bad content
  • NAT (network address translation)

    • provides translation between public and private addresses

    • security features/issues

      • hides internal address from the internet
      • limits direct access to systems
      • can be difficult to identify the origin of traffic
        • admins need to have good logging

    • requires a large pool of public IP addresses

      • internal IP addresses are mapped directly to internet IP addresses

  • PAT (port address translation)
    • allows multiple systems to share the same public IP address
    • assigns ports to each communication

• subdivides large networks

• subnet masks

  • identify the dividing line between the network and host address

  • remember that IP addresses are 32 bit (8-bit × 4)

  • 192.168.1.100

    • first portion is the network address
    • second portion is the host address

  • looking at the address in binary: 11000000.10101000.00000001.01100100

  • the subnet mask is simply a representation of what bits are in the host address, in this case all of the first 16 bits, or

    • 255.255.0.0

  • if you want to move the dividing line between network and host, you can do so

  • for example: 11000000.10101000.00000001.01100100

  • this subnet mask is 255.255.255.0

• subnets can be represented in two ways:

  • subnet mask notation

    • lists the IP address and the subnet mask
    • IP address: 192.168.1.100
    • Subnet mask: 255.255.255.0

  • slash notation

    • lists the IP address and the number of bits in the subnet mask
    • 192.168.1.0/24

• firewalls segment networks into security zones

• network border firewall

  • is placed between internet and an orgs internal network

• Internet

  • public internet
  • outside of the org’s control

• internal network

  • internal networks controlled by the org
  • may contain various network, servers, etc.

• DMZ

  • demilitarized zone

• systems gain no trust based on their network location

• extranet

  • intranet segments extended to business partners
  • example: vendor VPNs into network in intranet

• honeynets

  • decoy networks set up to attract attackers
  • similar to honeypots

• ad-hoc

  • temporary networks that bypass security controls

• east-west traffic

  • traffic between systems w/in a data center

• north-south traffic

  • traffic between systems in a data center and the internet

• separate systems on a network

• often due to networks not being physically separated

  • example: accounting, purchasing, sales all on same floor

• extend the broadcast domain

  • happens at layer 2

• configuring VLAN

  • must enable VLAN trunking
  • must assign switchports to VLANs

• exact placement depends on business requirements

• intrusion detection systems and intrusion prevention systems

• network taps

• port mirrors

• must all be placed on the network segment that they’re designed to collect information from

  • example: an IDS placed in the DMZ will only see data from the DMZ

• aggregation (or distribution) switches connect downstream switches to one another

  • note that a traffic collector placed on the aggregation switch may not be able to see traffic between downstream switches

• SPAN ports receive a copy of all traffic seen on a switch

• port mirroring allows monitoring of all traffic on a single port

• systems that gather info using collectors

• analyze info w/ a centralized aggregation and correlation engine

• collectors should be placed near the systems generating records

• correlation engine should be placed in a secure location

• proxy servers and content filters

  • usually belong in the DMZ

• aggregate user connections via VPN
• often reside on their own VPN
  • more sophisticated designs might use multiple VLANs that separate users based on roles

• belong in the DMZ

• SSL accelerators

  • handle cryptography work of setting up TLS connections
  • reduce load on web servers

• load balancers

  • distribute connection loads on servers

• detect and prevent DDoS attempts

• should be placed as close to the Internet as possible

• DDoS mitigation services may also be purchased from ISPs

  • can be an ideal approach
  • prevent DDoS from reaching the org in the first place

• treats network function and implementation as separate functions

• reconfiguring traditional networks requires reconfiguring devices

• control plane

  • responsible for making routing and switching decisions

• data plane

  • responsible for carrying out the instructions of the control plane

• SDN separates the control plane from the data plane

• this makes a network programmable

• encapsulation

  • allows one protocol to carry traffic that uses another protocol

• VXLANs

  • build overlay networks that operate at layer 2 using layer 3 equipment

• SD-WANs

  • connect larger areas

• SDN security benefits

  • granular network configuration
  • facilitate faster responses to security incidents
    • can programmatically turn off ports during an incident

• SDN security issues

  • increase network complexity
  • require strong access controls

• layered approach to networking (OSI or TCP) allow us to abstract the physical layer
• transmission media allows info to be transmitted over a distance

• Ethernet cable

  • transmits electricity over copper wires
  • electricity on line = 1, no electricity on line = 0

• fiber optic cable

  • transmits light over strands of glass
  • light = 1, dark = 0

• wi-fi

  • transmits data over radio waves

• Li-fi

  • replaces radio waves with light
  • light = 1, dark = 0

• all media types need to be protected against eavesdropping

building blocks of computer networks

• act like a security guard at the perimeter of a network
• often sit on the perimeter of a network (but not always)
  • can see all inbound and outbound connections
• connect three networks
  • Internet
  • internal network
  • DMZ

• demilitarized zone
• contain systems that must accept external connections
  • web servers
• isolates systems due to risk of compromise
• protects internal network from compromised systems in the DMZ

• source address
• destination address
• destination port and protocol
• action (allow or deny)
  example:
  • allows all traffic into web server

    Source	ANY
    Destination	192.168.1.3
    Destination Port	443
    Destination Protocol	HTTPS
    Action	ALLOW

• if a firewall receives traffic not explicitly defined in a rule, it’s blocked

  exam tip
  important to know and understand how implicit deny works and the importance of the order of firewall rules.

• incorporate contextual info into decision making
• info from threat sources, IP address origin, etc.

• NAT gateway
• content / URL filtering
• web application firewall

• network hardware vs. host-based software firewall
  • will it be a physical device or software running on a server?
• open source vs. proprietary
• hardware appliance vs. virtual machine
  • will it be a physical device or a virtual machine?

• block unneccessary ICMP packets
• use simple ACLs
• use implicit deny
• disallow source routed packets
• use least privilege
• block directed IP broadcasts
• perform ingress and egress filtering
  • block outbound traffic from non-internal addresses
    • sign that something inside that network is acting as a zombie for a DDoS attack
  • block inbound traffic from internal addresses
    • sign of a potential spoofing attack
• enable logging
• drop or reassemble fragments

• connect to a website on a user’s behalf

• connection proxying

  • user ↔︎ proxy server ↔︎ web server

  • benefits

    • anonymization

      • web server doesn’t know anything about the user, just about the proxy server

    • performance

      • proxy server can cache frequently visited websites

    • content filtering

      • allows orgs to block employee access to certain websites and services

• forward proxy

  • works on behalf of clients
  • w/out server knowledge

• reverse proxy

  • works on behalf of servers
  • w/out user knowledge

• tranparent proxy

  • works w/out client’s or server’s knowledge

• can handle many different apps, not just web traffic

• distribute load amongst servers

• DNS server points to a load balancer instead of a server

  • makes this a virtual IP address
  • load balancer sends traffic to servers

• allows for autoscaling

  • automatically adding and removing severs as needed

• security functions

  • SSL cert manangement
  • URL filtering
  • other web security applications

• load balancing techniques

  • round-robin balancing

    • each server gets an equal number of requests

  • other scheduling algortithms may be used based on performance, available capacity, session persistance, etc.

  • session persistance

    • routing individual users’ requests to the same server based on previous use

• load balancers can be a single point of failure

  • if the load balancer dies, none of the servers are available

• active-active

  • two or more load balancers actively run on the network
  • if one dies, other(s) continue to function
    • capacity is decreased

• active-passive

  • active load balancer handles all traffic
  • passive load balancer monitors all traffic
  • if the active load balancer dies, the passive load balancer takes over
    • no capacity is lost, just redundancy
  • big negative is that the passive load balancer is a lazy boy 99.9% of the time

• use encryption to create a virtual tunnel

• everything is encryted when entering the tunnel and decrypted on the other end

• protects against eavedropping

• site-to-site VPNs

  • connect remote offices to each other and main office

• remote access VPNs

  • gives remote access to org network to mobile users, WFH employees, etc.

• VPN endpoints

  • normal network equipment
    • firewall, server, router
    • not dedicated systems
      • can stuggle with bandwidth, encryption/decryption requirements, etc.

• VPN concentrators

  • dedicated piece of equipment
  • good for high use, high volume

• IPsec VPN

  • works at network layer (2)
  • supports L2TP (layer 2 tunneling protocol)
  • provide secure transport
  • can be difficult to use and set up
  • usually used for static site-to-site connections

• SSL/TLS VPN

  • work at application layer (7)
  • work over TCP port 443
    • same port as HTTPS
    • useful for bypassing firewalls that block other ports

• HTML5 VPN

  • run entirely w/in a browser

• full tunnel

  • all traffic routes through the VPN

• split tunnel

  • some traffic routes through the VPN
  • other traffic routes through the Internet
  • can provide users w/ a false sense of securiy

• always-on VPN

  • connect automatically

• point-to-point link between two networks

• adds an additional IP header to original packet

  • frequently used in the psat to encapsulate older protocols like AppleTalk, IPX, etc.

• data encapsulation

  • packets are encapsulated to allow them to travel over an incompatible network
  • ex. routing IPv4 packets over an IPv6-only network

• simplicity

  • lacks flow-control and security
  • can ease in configuration
  • GRE tunnels can be supplemented by IPSec

• multicast traffic forwarding

  • can forward multicast traffic (VPNs cannot)
  • multicast traffic (ex. advertisements sent by routing protocols) can be transferred between remote sites

  exam tip
  GRE doesn’t automatically mean that communicatations are encrypted.
  think about a car on a ferry. the car is encapsulated on the boat, but it isn’t encrypted by the boat.

• systems that monitor network traffic for signs of potentially malicious traffic
  • SQL injection, malformed packets, unusual logins, botnet traffic, DoS attempts, etc.

• allow for deep traffic inspection

• uses

  • troubleshooting networking issues
  • investigating security events

• must be used carefully

  • can eavesdrop on confidential communications
  • access to tools should be tightly controlled

• examples

  • Wireshark

    • open source GUI-based packet inspector

  • tcpdump

    • open source command line packet inspector

  • Wireshark and tcpdump are both built using the libpcap library

  • tcpreplay

    • command line tool
    • takes in packet captures from Wireshark or tcpdump
    • can edit or replay traffic

• solutions combine multiple security functions into a single device

• basic functions

  • protect against network attacks
  • block unsolicited traffic
  • route traffic to/from the Internet

• additional functions

  • VPN

  • IDS/IPS

  • small business functions

    • URL filter
    • content inspection
    • malware inspection
    • email and spam filter

• still require regular monitoring and management

• content delivery networks or content distribution networks

• provide scalability and security

• provide a shared web infrastructure

• 10s to 100s of locations around the world

• cache website data

  • users can get cached data from the nearest CDN server

• benefits:

  • on-demand
  • cost effective
  • place content closer to users
  • security enhancements
    • can filter out DDoS attacks
    • can provide web application firewall
      • filter out SQL injection, XSS, other attacks before traffic reached org’s web servers

• perimeter security

  • stop unwanted remote users
  • uses firewalls and other controls

• network access control

  • limit physical network access to authorized individuals and devices

• policies

  • rule-based

    • limit access based on business logic

  • role-based

    • limit access based on identity of an individual

  • time-based

    • limit access based on time of day

  • location-based

    • limit access based on physical location

• intercepts network traffic coming from unknown devices
• verify that that a system/user is authorized before allowing communications on the network
• often use 802.1x authentication

• supplicant

  • software on end user’s machine that performs NAC steps

• authenticator

  • receives credentials from user’s machine

• authentication server

  • provides all authentication for authenticators

• user and device authentication

• role-based access

  • authentication server provides additional user info to the authentictor
  • authenticator places the device/user in an appropriate network based on the user’s role

• posture checking

  • user’s device can be checked for multiple security controls
    • antivirus software
    • current antivirus definitions
    • proper firewall configuration
    • security patches
  • failing devices can be placed onto a quarantine VLAN
    • VLAN can have access to patches, antivirus definitions, etc.
    • once patched, user can attempt to authenticate again

• agent-based
• agentless
• in-line
• out-of-band

• firewall rules define how a firewall should act when it sees a new connection request
• rules are applied in order
  • will follow the first matching rule
• last rule is usually a “deny all”

admins need to watch out for these

• shadowed rule

  • a rule that will never be applied due to the rules before it
  • it’s generally best to have more specific rules first

• promiscuous rule

  • a rule that allow more access than intended or necessary

• orphaned rule

  • a rule that allows access to decommed systems or services
  • can be dangerous if ports or IP addresses of decommed systems are reused in the future

• routers can be configured to perform basic filtering
  • this can reduce load on firewalls

restrict network traffic

• standard ACLs

  • filter based on source IP address

• extended ACLs

  • filter based on more advanced criteria
    • source/destination IP addresses
    • source/destination ports
    • source/destination protocols

• so why not just use a router as a firewall?

• firewalls are purpose-specific and efficient, routers are not
• firewalls have much more advanced rule capabilities, routers do not
• firewalls have more advanced security functions, routers do not

• need to maintain physical security on switches and other networking equipment
  • attackers w/ physical access to a switch has physical access to the network

• attackers w/ physical access can disconnect a legitimate device and replace it w/ a malicous one

• switchports should limit devices attached to them via MAC address

• static port security

  • admin manually configures the MAC address allowed for each switchport
  • secure, be can be tedious

• dynamic port security

  • switch memorizes the MAC address connected to each switchport, then only allows access to that device
  • more convenient for the admin
  • can be dangerous w/ unused ports

• inspects DHCP messages
  • looks for malformed messages
  • checks if DHCP messages are from authorized DHCP servers
• blocks malicious DHCP traffic

• disable automatic trunk negotiation

  • prevents VLAN hopping attacks

• VLAN pruning

  • limit the number of switches where VLANs are switched
    • especially important for sensitive VLANs

• VLAN trunk negotiation

  • deny automatic VLAN trunk negotiation
  • limits the effectiveness of VLAN hopping
  • only allow explicitly set up VLAN trunk negotiation

many DoS attacks rely on flooding a network w/ traffic until it’s overwhelmed

• SYN flood

  • attacker created thousands of SYN packets
    • don’t reply to SYN/ACK packets
  • fills connection state tables of firewalls w/ half-open entries

• MAC flood

  • sends out large numbers of MAC addresses
  • hope to overflow MAC address table on a switch
    • switch may flood traffic out to all ports
      • attacker can eavesdrop

• flood guard technology

  • protect network devices against flood attacks
  • control the open number of connections that a system can have

• occur when there are multiple paths between two devices

  • devices mistakenly route broadcast messages
  • network fills to capacity with those messages
    • known as a broadcast storm

• spanning tree protocol

  • includes loop protection to protect against broadcast storms

  • uses BPDUs

  • BPDU bridge protocol data units

    • routing status messages that allow recomputation of network paths

    • if exploited, can cripple network with spanning tree attacks

    • BDPU guard

      • blocks against spanning tree attacks

• firewalls and routers have logs that are a rich source of security info

• logs of every connection

  • details about each attempted connection
  • timestamps
  • firewall rules applied to the attempt

• uses:

  • security incident investigations
  • network issue troubleshooting
  • anomalous activity detection

• ingress filtering

  • filtering of traffic entering the network

• egress filtering

  • filtering of traffic exiting the network

• full packet inspection requires a large amount of storage capacity
• net flow data captures most details of connections
  • source/destination systems
  • source/destination ports
  • timestamp
  • amount of data
• very useful information
  • doesn’t capture what, but does capture who, when and how much

security information and event management system

• facilitate rapid analysis of data
• log sources
  • firewalls
  • network devices
  • servers
  • application

• automates network monitoring and maintenance tasks

• managed devices

  • routers, firewall, APs

• agent

  • software package that runs on devices

• network management system

  • communicates with agents
  • manages the network

• SNMP requests

  • allow the network management system to get information from agents
    • network management system → GetRequest → agent
    • network management system ← response ← agent

• SNMP configuration

  • allows the network management system to configure agents
    • network management system → SetRequest → agent
    • network management system ← response ← agent

• SNMP traps

  • if something critical is needed, an agent can send information to the network management system
    • network management system ← SNMPtrap ← agent

• should always use SNMPv3

  • earlier versions have critical security flaws

• separates systems of differing security levels
• sensitive systems may be places in their own isolated security zones

AKA jump box, jump server, jump host

• allow connections between differing security zones
• must be carefully secured
  • can be used to bypass network segmentation

• it can be difficult to distinguish attacks from legitimate traffic

• fake networks, systems, files can be used to tell if traffic is malicious

• darknet

  • unused but monitored address space on a network
  • if being used or scanned, likely an attacker

• honeyfile

  • a false store of sensitive-looking data

• honeypot

  • systems designed to attract and trap attackers
  • may contain honeyfiles on them

• honeynet

  • a network designed to attrack attackers
  • may contain honeypots and honeyfiles

• DNS sinkhole

  • altered DNS records to reroute notnet traffic
  • intentionally route traffic away from a botnet
    • usually to a webpage letting a user know that their system is compromised
  • effectively a beneficial self-inflicted DNS poisoning attack

• use redundant power supplies
• vendors provide crucial services
  • understand response times in support contracts
  • understand that support contracts provide access to security updates and patches
  • warranties provide repair and replacement of defective equipment

• circuit switching — plain old telephone system (POTS)

  • PSTN
  • ISDN
  • DSL
  • T-carriers

• packet switching — IP

  • X.25
  • frame relay
  • ATM
  • VoIP
  • MPLS

• MPLS (multiprotocol labelled system)

  • used to create a cost-effective private WAN that is faster and more secure than a regular one routed through public networks (the Internet)
  • more secure because a private network can be custom built for your organization
  • because it is private, don’t have to maintain and use traditional VPN equipment
    • can reduce delay and latency caused by VPN software
  • provides QoS for VoIP and other priority traffic
  • purely layer 3 technology

converged networks now carry voice and data services

• carries voice communications over data networks
• converts analog voice to digital data
• transmits over IP protocol

• VoIP phones
• softphones
• bridge devices
  • convert analog systems to VoIP

• encryption

  • protects traffic
  • can degrade voice quality

• network segmentation

  • separated data VLAN from voice VLAN

• security issues

  • eavesdropping
  • toll fraud
  • vishing
  • SPIT

• latency
• jitter

supports communcations w/ teams, partners, clients, vendors, etc.

• IM (instant messaging)

  • AIM, ICQ, MSN, etc.
  • was popular, but created security issues
    • outside of IT control
    • unencrypted, open to eavedropping
    • replaced with on-prem or cloud-based solutions
      • Skype, Teams, etc.

• XMPP (extensible messaging and prescence protocol)

  • originally called Jabber
  • open-source standards-based
  • alternative to proprietary protocols

• SMS (short message service)

  • sends messages and images over wireless carrier networks
  • convenient and popular
  • significant security flaws
    • no encryption
    • no authentication
      • SMS numbers can easily be spoofed

demand lots of dedicated bandwidth for moving large files

• simple
• self-contained
• commonly uses CIFS or NFS
• appears as a file system on the network

• complex
• massive storage systems with dedicated networks
• present storage to devices
• connect to devices with dedicated networks

• fiberchannel

  • uses a direct fiberoptic connection between SAN and devices

• fiberchannel-over-Ethernet

  • replaces fiberoptic cabling w/ Ethernet cables
  • a bit slower

• iSCSI

  • runs SCSI connections over network connections

• SANs carry sensitive info
  • often unencrypted for speed purposes
• storage traffic should be on a dedicated network, separate infrastructure or a VLAN
  • storage VLANs should be carefully trunked

digital certs allow for exchange of public keys over untrusted networks

• encrypts network communications

• depends on pairings of encryption and hashing functions known as cipher suites

  • TLS is not an cryptographic algorithm

• steps

  1. client sends a request w/supported cipher suite to server
  2. server sends back a message w/ the selected best matching cipher suite to use and the server’s digital cert
  3. client checks server’s digital cert w/CA
  4. client creates a random encryption key called a session key
     • session key is also known as an ephemeral key
  5. client uses the public key to encrypt the session key and sends it to the server
  6. server decrypts the session key w/ the server’s private key

• insecure predecessor to TLS
• has known security flaws
• often incorrectly used to describe TLS

• open source TLS project
• Heartbleed vulnerability
  • allows attackers to retrieve info from servers using OpenTLS

• performs “friendly” man-in-the-middle attack to inspect network traffic

original implementation of TCP/IP didn’t consider security

• secures entire packet payload

• ESP and AH can be used in combination

• process that
  • identifies cryptograhy algorithms a system can support
  • each system lists the cryptography and hashing functions
  • they find and agree upon the strongest matching functions in common

provide command line access to a remote system

• telnet
  • used by older Unix systems in the past
  • insecure
    • doesn’t provide any encryption
• ssh
  • provides secure remote shell alternative to telnet
  • secure encrypted connection
  • authentication modes
    • password
    • certificate-based

provides graphical access to a remote system

• RDP
  • encrypted desktop access to Windows servers and machines

many common protocols don’t include built-in encryption

• HTTP → HTTPS

  • adds TLS to web browsing

• telnet → SSH

  • same functionality of telnet, but w/ encryption

• FTP → FTPS

  • adds TLS to FTP

• FTP → SFTP

  • transfers files over SSH

• FTP → SCP

  • uses SSH to securely copy files

• TFTP trivial FTP

  • insecure
  • may be on exam in an attempt to trip you up

• NTP → NTPSec network time protocol

• DNS → DNSSEC

  • adds digital signatures to DNS replies

• DHCP

  • in Windows, turn off DHCP services on machines not acting as a DHCP server

• LDAP → LDAPS

• voice and video services

  • should use TLS

    • may need to be turned on in application settings

  • RTP-based VoIP should use SRTP

• email

  • use encrypted versions and ports
  • can encrypt emails using S/MIME protocol

  mail protocol	unencrypted port	encrypted port
  POP	110	995
  IMAP	143	993
  SMTP	25	465

• wifi standards govern communication on many wireless networks

• replaces cables w/ radio transmitters and receivers

• WAPs connect wireless networks to wired networks and the Internet

• subject to undetectable interception

  • needs to be secured w/ encryption

• most wireless netowrks limit access to authorized users

• simple form of authentication

• use a 256-bit encryption key in one of two ways

  • hexadecimal string
    • 64 hex characters that encode a 256-bit encryption key
  • password
    • 8-13 ASCII characters converted to a 156-bit encryption key using PBKDF2

• limitations

  • changing the key is a pain in the ass
  • identifying individual users and revoking their access is impossible

• use some form of EAP

• EAP extensible authentication protocol

  • authentication framework

    • not a specific authentication mechanism

  • many variants, some secure, some not

  • variants

    • LEAP lightweight EAP

      • relies on MS-CHAP
      • insecure

    • PEAP protected EAP

      • tunnels EAP inside a TLS session

    • EAP-TLS

      • secure

    • EAP-TTLS EAP - tunneled TLS

      • secure

    • EAP-FAST EAP - flexible authentication via secure tunneling

      • replacement for LEAP by Cisco

    • EAP-MD5

      • insecure

exam tip
know which EAP variants are secure.

• redirect users to an authorization webpage

• many factors affect the ability of radio waves to reach users

• omnidirectional antennas

  • send signals in all directions

• directional antennas

  • direct signals in a single direction
  • useful for site-to-site communication

• beamforming

  • 802.11ac feature
  • steers signal towards clients

• optimal AP placement depends on building characteristics

  • walls, building materials, pipes, vents, etc.

• site survey

  • determines optimal AP placement
  • creates heatmaps to help w/ placement

• other tips

  • avoid overlapping channels w/ neighboring networks
  • power levels can be manipulated to modify range and signal strength

• contain all of the hardware and software needed to operate a wireless router

• minimal equipment
  • just the radio and chipset
• rely on wireless controllers for configuration and to run the network

• run the network
• manage configurations
  • optimize AP performance
  • reduce interference w/ other APs

• search for rogue networks
• test wireless security
• Aircrack-ng is a popular security testing tool

• in urban, suburban and rural areas
• can cover distances of 20+ miles
  • terrain dependent
• rated according to generation of service

• cover shorter distances w/higher bandwidth

• point-to-multipoint

  • single basestation to many clients

• point-to-point

  • connects two fixed basestations

• usable almost anywhere

• slow and expensive

• GPS

  • provides exact location anywhere on earth

• uses electromagnetic induction for communications
• covers distances measured in cms
• used for Apple Pay, Google Pay

• range of ~30 feet
• used by headphones, speakers, smart watches, etc.
• used to create a PAN (personal area network)
• modes
  • discovery mode
  • automatic pairing mode
• threats
  • bluejacking
    • sending spam to nearby bluetooth devices
  • bluesnarfing
    • copying information off of remote devices
  • bluebugging
    • more serious
    • allows for full use of the phone
    • allows attacker to remotely make calls
    • allows attacker to eavesdrop on calls as well

• require a clear path between the transmitter and receiver

• allows for a wired connection
• may be used for tethering

• four-digit passcodes don’t provide strong security
  • should use complex passwords
  • biometric authentication offers a convenient alternative access method
    • FaceID, TouchID

• protects sensitive info
• enabled by default on modern iOS and Android devices

• removes data from lost/stolen devices
• only available of the device is connected to a network to receive remote wipe command

• auto screen locking
• push notifications for two-factor authentication
• MicroSD HSMs
  • provide secure key management
• SELinux on Android

• manage settings across many mobile devices
• powerful tool
  • ensures that devices used on an org’s network have security settings that match the org’s security policy
  • prevents users from modifying security settings
  • controls data stored on devices
    • remote wiping
    • revoking access
    • disabling removable storage
  • management of apps installed on devices
    • app blacklist
    • app whitelist
  • storage segmentation
    • separated sensitive info
  • content filtering and management

• orgs need to track mobile devices just like they do all other org assets
• lost devices introduce confidentiality and financial risks
  • confidentiality: devices contain sensitive org info
  • financial: devices are expensive, upwards of $1,500

• manage device inventories
• should manage throughout the entire lifecycle
  1. request for device
  2. ordering and recieving device
  3. initial configuration of device
  4. device assignment (and reassignment)
  5. device decomm

• allows orgs to locate lost/stolen devices

• can provide historical location details

• geofencing

  • alerts when a device leaves a predefined area

• GPS use limits

  • limit who has access to data
  • ability of the monitored user to disable tracking
  • consider auto-disabling after work hours
  • clear disclosure is needed

• use strong credential management
• should rely on central authentication
• using external authentication places a great amount of trust in external providers

• encrypt info in transit
• encrypt info at rest on the device
• practice strong key management

• may disclose sensitive org locations
  • ex. photos, map apps
• should apply location settings in apps as necessary

• MDM solutions allow lockdown of mobile device configurations

• third party app stores may contain unsafe code

  • sideloading

    • installing software outside of normal app stores

  • jailbreaking

    • installs custom firmware and OS on mobile device

  • rooting

    • installs software that allows root access to mobile device

  • all three add security risks to devices

• mobile devices must be patched w/ current patches and OS updates

  • often done through OTA (over-the-air) updates

• device unlocking allows for portability amongst service providers

  • less common, devices are usually bought at full price in an unlocked state

• restrictions on device feature

  • many different security policies on devices
  • feature use needs to align w/ org’s business purpose and security needs
  • examples:
    • camera use
    • messaging
    • external media use
    • microphone use
    • GPS / geotagging
    • Wi-fi usage
    • device tethering / hotspots
    • mobile payments

• some employees want to use personal devices for business purposes
  • not this guy!
• marks a radical shift in philosophy

• who, what and how?

  • who can bring and use devices?
  • what devices will they bring?
  • how will the devices be securely used?

• ownership?

  • user owns the device
  • user owns their personal data
  • org owns their data
  • org owns their network and IT support

• users should understand monitoring that will be used
  • will be unlikely to accept intrusive monitoring
• orgs should consult w/ their legal team
  • review local, state, federal laws about privacy

• onboarding

  • ensure that device meets security requirements

• offboarding

  • ensure that all sensitive org data is removed from the device

• consider the impact of BYOD on the org’s technical infrastructure
• MDM use
• patching and AV management
• camera use
• forensic procedures

• limits org control of devices

• users select their device which the org purchases
  • size preference: mini, phablet, etc.
  • OS prefernce: iOS, Android, etc.
• may provide users w/ a menu of devices to choose from

• allows for personal use of org-owned devices

• MDM solutions provide policy enforcement for all of the above models

• desktop OS is in the cloud or the org’s data center
• employee uses their own device to access remote desktop

• admins should config endpoint OSes to meet org security requirements
  • attackers that can exploit a vulnerability in one endpoint to attack the entire network
• admins should limit admin access to systems
  • can be acheived with Group Policy management

• corrects security issues in applications and OSes
• user configuration management tools to patch
• patches should go through change management process!

• lockdown of configurations
• remove unneccessary software and OS components
  • reduces attack surface
• lock down host firewalls
• disable default accounts and passwords
• verify that configurations match industry best practices
  • Windows registry
  • Unix/Linux/OSX confguration files

malicious software

• viruses

  • spread by human actions

• worms

  • spread by themselves

• trojan horses

  • disguise themselves in other software

• spyware

  • gathers info
  • uses many techniques to spread

• protects against many threats

• types

  • signature detection
  • behavior detection

• advanced real-time protection

• uses sandboxing

• sandboxing

  • isolated malicious content

• spam filtering

  • blocks unwanted email

• malware logs on endpoints should be sent to a centralized system (SIEM) for storage and analysis

• restricts software that can run on a system

• Applocker: example of Windows application control technology

• application control logs should be sent to SIEM or central log storage repo

• whitelisting

  • admins create a list of all applications that may run on a system

• blacklisting

  • admins create a list of applications that are prohibited from running on a system

• baseline identifies expected system software
• reports deviations from baseline

• software component of an OS that limits connections to the system
• restricts network traffic
• uses default deny rule
• granting network access requires configuring the host firewall and network firewall

• IDS (intrusion detection system)

  • alerts administrators to suspicious network activity

• IPS (intrusion prevention system)

  • takes actions to block suspicious network activity

• are also found in third party security solutions

• usually are not part of an OS

• logs should be sent to SIEM or central logs repo

• watches for unexpected file modifications
• uses hashing functions
• periodically verifies hash values of critical files
• tuning is crucial
  • need to adjust FIM system to meet org needs
• often a compliance requirement
• Tripwire: example of Unix-based FIM software
• analyzing output of FIM is testable on the exam

• tech solutions the search systems and networks for sensitive info

• have the ability to remove, block or encrypt the found sensitive info

• these controls to ensure that certain data (SSNs, account numbers, birthdays, etc.) are controlled and don’t leave the organization

• two types:

  • host-based DLP

    • software agent on a single system
    • looks for sensitive info on the system
    • can also look for use of external media (USB thumbdrives, hard drives, CD-/DVD-Rs) that could be used to remove sensitive data

  • network-based DLP

    • scan network transmissions for sensitive info
    • may block traffic when sensitive info is found
    • may also automatically encrypt traffic that is found
      • common in email systems

• scanning methods:

  • pattern matching

    • recognizes known patterns of sensitive info
      • ex. 123-45-6789 is a SSN, 1-234-567-8910 is a phone number

  • watermarking

    • sensitive info is identified by electronic tags attached to files

• cloud-based DLP systems are available that operate as an MSSP

• provide isolaton and separation

• create zones based on trust

• hardware vs. software

• use rule based access control (RBAC)

• enforce network policy

• usually on the perimeter of a network

• fast, cheap, first line of defense
• packet filtering
• screening router — act as first level of screening network traffic
• inspect layer 3 and 4 headers
  • source and destination IPs
  • source and destination ports
  • protocols (TCP or UDP)

• stateful filtering
  • is aware of initiation of sessions and their states
  • can block unsolicited replies
  • can understand the syntax of lower layer protocols and block “misbehaving” traffic

• slower and more expensive
• aka application proxies or application firewalls
• deep packet inspection
• forward proxy inspects traffic from inside the network going out
• reverse proxy inspects traffic from outside the network coming in
• can inspect content, time, application-awareness, certificates, etc.
• specific to the application layer

• use access control lists (ACLs)
  • rules applied to each packet the firewall recieves
• not stateful, can only look at the network and transport layer packets (IP address, port, “flags”)
  • can’t look at application layer, look for viruses, etc.
  • usually aren’t advanced or customizable

• two types
  • circuit level
  • application
• both types hide internal hosts/addressing from the outside world

• advantages
  • understand the protocol and can add extra security based on that understanding
  • can have advanced logging/auditing
  • can have advanced access control
    • ex:
      • restricting website access
      • inspecting data for protocol violations
      • inspecting data for malware, viruses, etc.
• disadvantages
  • slower. extra CPU power needed for extra processing and inspection of data
  • proxies only understand the protocol that they were written for
    • usually need a separate proxy for each protocol that you want to proxy
    • Jim says: BlueCoat only handles HTTP

• LAN: local area network
  • high speed
  • small physical area
• WAN: wide area network
  • used to connect LANs
  • usually slow, using serial links
• MAN: metropolitan area network
  • connect sites together in a smaller geographic region (like a city… hence the metropolitan)