CISSP - Domain 4 - Communication and Network


Domain 4

Communication and Network Security

Subramaniam Sankaran

CISSP - Domain 4 - Computer and Network Security
Introduction
• Definition of network:
– A computer network, or simply a network, is a
collection of computers and other hardware
interconnected by communication channels that
allow sharing of resources and information
• Communication protocols define the rules and
data formats for exchanging information in a
computer network, and provide the basis for
networking.
Note
• This presentation has been prepared by
Subramaniam Sankaran, for his CISSP program
delivery.
• Please do share this material as required.
• You can reach him on
[email protected]

Benefits of Networking
• Multiple systems together make a powerful
environment.
• Work is completed sooner than on a single system.
• Resource sharing is enabled.
• The world is shrunk: global task forces become possible.
• Lower communication costs (VoIP).
• System availability is guaranteed.
• Basis for DR/BCP.

A Few Applications
• Email
• Ecommerce
• Browsing/Knowledge
• Digital Libraries
• VoD
• File Transfer
• Video/Audio conferencing

Types of networks
• Function-based classification
– Data networks
– Voice networks
– Multimedia networks
• Distance-based classification
– WAN
– MAN
– LAN
– PAN (Personal)
Topology
• A network topology represents its layout or
structure from the point of view of data flow.
– Bus
– Star
– Mesh
– Ring

Models
• Client-Server
• Peer to Peer

Client Server
• The server serves as a centralized service provider. It is a
computer designed to process requests and deliver data to
other (client) computers over a local network or the Internet.
• The client acts as a requestor of services from the server. The
requested service could be email transfer, file
transfer/download, or playing audio or video.
• Servers can provide file, print, file transfer and other services.
• One server can serve multiple clients, but a client must have
at least one server.
• Clients can be on a MAN, LAN or WAN.

P2P networking
• "A type of network in which each workstation
has equivalent capabilities and responsibilities.
This differs from client/server architectures, in
which some computers are dedicated to serving
the others."
• Between computers.
• No server / no client.
• Like file sharing among systems using Kazaa,
Napster, etc.
Attacks on P2P networking
• Routing attacks – Malware on a computer
deliberately forwards packets to the wrong place or
purposefully sends out incorrect routing
updates, causing a DoS.
• Almost 63% of the downloads on Kazaa were
malware infected.
• Privacy must be of utmost importance. PKI can
also be used.

ISO OSI
• International Standard Organization
• Open System Interconnection
– 7 layers
– Portability
– Global Standard.

Physical Layer
• The physical layer defines the cable or physical
medium itself.
• e.g., coaxial, unshielded twisted pair (UTP).
• All media are functionally equivalent.
• The main difference is in convenience and cost
of installation and maintenance.
• Converters from one medium to another operate
at this level, e.g. wireless to wired (VSAT to LAN).

Data Link Layer
• The data link layer defines the format of data on the network.
• A network data frame, a.k.a. packet, includes a checksum, source and
destination address, and data.
• The largest packet that can be sent through a data link layer defines the
Maximum Transmission Unit (MTU).
• The data link layer handles the physical and logical connections to the
packet's destination, using a network interface.
• A host connected to an Ethernet would have an Ethernet interface to
handle connections to the outside world, and a loopback interface to
send packets to itself.
• The MAC (Media Access Control) address, or Ethernet address, identifies the
system on the network; it is a unique identifier that corresponds to this layer.

Network layer
• The network layer provides the functional and procedural means
of transferring variable length data sequences from a source host
on one network to a destination host on a different network (in
contrast to the data link layer which connects hosts within the
same network).
• It maintains the quality of service (QoS) requested by the
transport layer.
• The network layer performs network routing functions, and might
also perform fragmentation and reassembly, and report delivery
errors.
• Routers operate at this layer, sending data throughout the
extended network and making the Internet possible.
Transport Layer
• This layer manages the end-to-end control (for
example, determining whether all packets
have arrived) and error-checking.
• QoS, Quality of Service.
• Connection-oriented or connectionless.
• It ensures complete data transfer.

Session Layer
• Types of communication
– Simplex
– Half Duplex
– Full Duplex.
• Sets up, coordinates, and terminates
conversations, exchanges, and dialogs between
the applications at each end.
• It deals with session and connection
coordination.
Presentation Layer
• This is a layer, usually part of an operating system, that converts
incoming and outgoing data from one presentation format to
another (for example, from a text stream into a popup window
with the newly arrived text).
• This layer provides independence from differences in data
representation (e.g., encryption) by translating from application to
network format, and vice versa.
• The presentation layer works to transform data into the form that
the application layer can accept.
• This layer formats and encrypts data to be sent across a network,
providing freedom from compatibility problems.
• It is sometimes called the syntax layer.
Application layer
• This layer supports application and end-user processes.
• Communication partners are identified, quality of service is
identified, user authentication and privacy are considered,
and any constraints on data syntax are identified.
• Everything at this layer is application-specific.
• This layer provides application services for file transfers, e-mail,
and other network software services.
• Telnet and FTP are applications that exist entirely in the
application level.
• Tiered application architectures are part of this layer.

Notes
• All seven layers work in harmony for a network
application to work.
• Communication starts at the application
layer, passes logically down to the network layer and physically
down to the physical layer, and is transmitted over the Internet.
At the receiving end it passes back up to the application layer to be
presented to the user.
• The entire OSI model is a logical model and
must be implemented by a protocol stack.
Layer 8 !?!

Protocol Stack
• The protocol stack is an implementation of a computer networking protocol
suite.
• Strictly speaking, the suite is the definition of the protocols, and the stack is
the software implementation of them.
• Individual protocols within a suite are often designed with a single purpose
in mind.
• This modularization makes design and evaluation easier.
• Because each protocol module usually communicates with two others, they
are commonly imagined as layers in a stack of protocols. The lowest protocol
always deals with "low-level", physical interaction of the hardware.
• Every higher layer adds more features.
• User applications usually deal only with the topmost layers i.e. application
layer.

A Few Stacks
• TCP/IP protocol stack
• WAP
• X.25
• SNA
• AppleTalk

TCPIP Model
• The Internet protocol suite is the set of
communications protocols used for the Internet
and similar networks, and generally the most
popular protocol stack for wide area networks.
• It is commonly known as TCP/IP, because of its
most important protocols: Transmission Control
Protocol (TCP) and Internet Protocol (IP), which
were the first networking protocols defined in
this standard.
Model (OSI layers mapped to TCP/IP layers)
• Application, Presentation, Session -> Application layer
• Transport -> Transport
• Network -> Network
• Data link, Physical -> Network Access Layer

• TCP/IP provides end-to-end connectivity specifying how data should be
formatted, addressed, transmitted, routed and received at the
destination.
• It has four abstraction layers which are used to sort all Internet
protocols according to the scope of networking involved.
• From lowest to highest, the layers are:
– The link layer contains communication technologies for a local network.
– The internet layer (IP) connects local networks, thus establishing
internetworking.
– The transport layer handles host-to-host communication.
– The application layer contains all protocols for specific data communications
services on a process-to-process level. For example, HTTP specifies the web
browser communication with a web server.
• The TCP/IP model and related protocols are maintained by the Internet
Engineering Task Force (IETF).
• The model provides encapsulation and abstraction.
• This model does not actually specify separate data link and physical layers. The
biggest advantage is that TCP/IP is designed to be hardware
independent.
Link Layer (DLL)
• It moves packets between the network layer and the physical media.
• It converts the packets into a format the physical layer understands.
• The control of transmitting and receiving happens at device driver
level or in firmware.
• This layer is related to Media Access Control (MAC), which is logically
viewed as a sub-layer that deals with the network layer.
• All aspects of media control are defined in this model, though not explicitly,
leaving the physical layer only for packet handling.
• Topology is managed at this layer.
• Protocols:
– OSPF, Open Shortest Path First.
– ARP – Address Resolution Protocol
– Layer 2 Tunneling Protocol (L2TP)

Network layer protocol
• IP
• Internet Control Message Protocol (ICMP)
• IGMP, Internet Group Management Protocol,
is a communications protocol used by hosts
and adjacent routers on IP networks to
establish multicast group memberships. IGMP
is an integral part of IP multicast.
• IPSec – Internet Protocol Security.

Network layer
• Internet Protocol (IP) is the protocol used in the TCP/IP
model.
• The job of routing the packet across multiple
networks is implemented by this layer.
• Basic functions:
– Host addressing and identification: This is accomplished
with a hierarchical addressing system.
– Packet routing: This is the basic task of sending packets of
data from source to destination by sending them to the
next network node (router) closer to the final destination.

Some More Protocols
• DNS – Domain Name Service
• ICMP – Internet Control Message Protocol
• DHCP – Dynamic Host Configuration Protocol
• ARP – Address Resolution Protocol

Transport layers
• The transport layer establishes host-to-host connectivity,
meaning it handles the details of data transmission that are
independent of the structure of user data and the logistics of
exchanging information for any particular specific purpose.
• Its responsibility includes end-to-end message transfer
independent of the underlying network, along with error control,
segmentation, flow control, congestion control, and application
addressing (port numbers).
• End-to-end message transmission, or connecting applications at
the transport layer, can be categorized as either
– connection-oriented, implemented in TCP, or
– connectionless, implemented in UDP.

Application layer
• This layer is visible to the user. The purpose of all other layers is to serve
this layer.
• A few protocols related to this layer are
– DNS (Domain Naming System)
– HTTP (Hypertext Transfer Protocol)
– Telnet
– FTP (File Transfer Protocol)
– TFTP (Trivial File Transfer Protocol)
– SNMP (Simple Network Management Protocol)
– SMTP (Simple Mail Transfer Protocol)
– DHCP (Dynamic Host Configuration Protocol)
– X Windows
– RDP (Remote Desktop Protocol)

IP Fragmentation
• The MTU decides when fragmentation occurs.
• Fragmentation leads to the Teardrop attack.

Teardrop attack
• This attack exploits the combination of fragment length and
offset.
• For the first packet the offset is 0 and the length could be
50.
• The problem arises when the offset of the next packet
is less than 50: it overlaps the previous
packet.
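As an added illustration of the overlap the slide describes (this code is not part of the original deck), a small checker that classifies a set of IP fragments, modelled as constructed (offset, length) pairs, as contiguous, incomplete, or overlapping, which is the condition a firewall or IDS rejects to stop Teardrop-style reassembly faults:

```python
"""Overlapping-fragment check of the kind a firewall or IDS applies to
IP fragments before reassembly (the Teardrop condition).

Added example, not from the original slides. A fragment is modelled as a
constructed (offset, length) pair in bytes; real IP headers encode the
offset in 8-byte units and carry a More-Fragments flag, both omitted here.
"""
from typing import List, Tuple

Fragment = Tuple[int, int]  # (offset, length) in bytes


def overlaps(a: Fragment, b: Fragment) -> bool:
    """True if the byte ranges [offset, offset+length) of a and b intersect."""
    a_start, a_end = a[0], a[0] + a[1]
    b_start, b_end = b[0], b[0] + b[1]
    return a_start < b_end and b_start < a_end


def find_overlaps(fragments: List[Fragment]) -> List[Tuple[Fragment, Fragment]]:
    """Return every pair of fragments that overlap, in input order."""
    found = []
    for i, first in enumerate(fragments):
        for second in fragments[i + 1:]:
            if overlaps(first, second):
                found.append((first, second))
    return found


def validate_fragments(fragments: List[Fragment]) -> str:
    """Classify a fragment set: 'overlap' (Teardrop-style), 'gap' (cannot be
    reassembled yet), or 'ok' (contiguous from offset 0)."""
    if find_overlaps(fragments):
        return "overlap"
    expected = 0
    for offset, length in sorted(fragments):
        if offset != expected:
            return "gap"
        expected = offset + length
    return "ok"


# Constructed sample sets mirroring the slide: first fragment at offset 0 with
# length 50; a second fragment whose offset is less than 50 overlaps it.
NORMAL = [(0, 50), (50, 50), (100, 20)]
TEARDROP = [(0, 50), (30, 50)]
MISSING = [(0, 50), (100, 20)]

if __name__ == "__main__":
    for name, frags in (("NORMAL", NORMAL), ("TEARDROP", TEARDROP), ("MISSING", MISSING)):
        print(name, validate_fragments(frags), find_overlaps(frags))
```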

Transmission Control Protocol
• One of the two main and original components of
the suite. That is why the suite is named TCP/IP in
spite of having other protocols too.
• This protocol is used when a reliable data
stream is mandatory.
• This protocol sits between the IP and application
layers so that the application need not break its data
into pieces for the IP layer; TCP does that.

Protocol Operations
• Connection establishment
• Data transfer
• Connection Termination

Handshake

ARP
• Maps an IP address to a MAC address.
• This happens with the help of the ARP table.
• ARP table cache poisoning or ARP spoofing –
a masquerading attack.
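An added example (not from the original slides) of the detection side of ARP spoofing: parsing constructed ARP-reply log lines and alerting whenever a reply claims a different MAC for an IP than the binding already held, with an optional set of static bindings for the gateway:

```python
"""Detect ARP cache poisoning symptoms: a reply that claims a different MAC
for an IP than the one already learned or statically configured.

Added example, not from the original slides. The log format below is
constructed for this example and is not the output of any real tool.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed ARP-reply log: "<time> arp reply <ip> is-at <mac>".
SAMPLE_LOG = """\
10:00:01 arp reply 192.168.1.1 is-at 00:11:22:33:44:55
10:00:05 arp reply 192.168.1.20 is-at 00:11:22:33:44:66
10:00:09 arp reply 192.168.1.1 is-at DE:AD:BE:EF:00:01
10:00:12 arp reply 192.168.1.1 is-at de:ad:be:ef:00:01
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)

Entry = Tuple[str, str, str]  # (time, ip, mac)


def parse_arp_log(text: str) -> List[Entry]:
    """Parse log lines into (time, ip, mac) tuples; MACs are lower-cased so
    the same address written in different case compares equal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["time"], m["ip"], m["mac"].lower()))
    return entries


def detect_mac_changes(entries: List[Entry],
                       trusted: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return one alert per reply whose MAC differs from the binding already
    held for that IP. `trusted` seeds the table with static bindings (the
    equivalent of static ARP entries for gateways); other IPs are learned
    from their first reply. The original binding is kept, so every further
    spoofed reply keeps alerting instead of silently re-learning."""
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for time, ip, mac in entries:
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append({"time": time, "ip": ip, "expected": known, "seen": mac})
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:55"}  # constructed static binding
    for alert in detect_mac_changes(parse_arp_log(SAMPLE_LOG), trusted=gateway):
        print("possible ARP spoofing:", alert)
```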

DHCP
• Dynamic Host Configuration Protocol.
• Clients request an IP address on start-up and receive an available address
from the DHCP server. This process of getting a valid IP to work on the network
involves a handshake.
• Attacks
– An attacker can introduce a new DHCP server onto the network and get clients to register
with it.
– DHCP starvation attack: an attacker floods an Ethernet LAN with DHCP requests from
spoofed (counterfeit) MAC addresses. The switch's trusted DHCP server or servers
cannot keep up with the requests and can no longer assign IP addresses and lease
times to legitimate DHCP clients on the switch. Requests from those clients are either
dropped or directed to a rogue DHCP server set up by the attacker.
• Remediation
– DHCP snooping allows servers to associate themselves only with legitimate clients
based on their MAC address.
– There are network switches that direct the client request only to the legitimate DHCP
server.
DHCP Handshake

ICMP
Internet Control Message Protocol
• The protocol was designed to be used as a messenger
protocol.
• Attack
– The LOKI attack uses ICMP packets to carry the instructions needed to
execute an attack. It is a client/server attack. Usually ICMP packets are
not intended to carry a data payload, hence they are not checked at the router
and firewall. This has provided a way to perform this attack.
• Remediation
– Block ICMP packets at the firewall or router.
– 'raw' sockets shown open by netstat can be an indication of a
LOKI attack.

More ICMP attacks
• Ping of Death (PoD) – ICMP packets are usually not more than 65,536 bytes (64KB); if a packet is more
than 64KB, most systems do not know how to handle it. But these
attacks are historical; they were prevalent before 1997. The recent PoD attack
is to ping flood the system with multiple requests, making the system
crash (DoS).
• Smurf – TCP/IP packets have source and destination socket information.
In this attack the attacker floods the network with many ICMP packets
in which the source address is the victim's IP address. As standard, the devices
on the network respond to this source IP (the victim's). Eventually the
victim's computer is overwhelmed with a large number of responses to requests it
never initiated. The system is depleted of resources to work with and hence
stops working. Configuring routers not to respond to ICMP packets is one of
the good remediations, though this may impact network management.
• Fraggle – Smurf using UDP packets is Fraggle.

More Attacks on ICMP
• LAND attack – Spoofed TCP SYN packet, with
same source and destination address.

SNMP
Simple Network Management Protocol
• Provides a holistic view of network performance and status.
• Works in client and server fashion.
• The agent is a piece of software at the client that stores all the information in the MIB.
• The server (SNMP manager) polls the agent at intervals and collects the
data.
• Communities can be formed to enable a group of agents to speak to only
one server.
• The community string, or password, enables the manager to speak to the agent
and get information from it.
• This can be a read-only password or read-write.
• If the attacker gains access to the community strings he will get access to
the information in the MIB, and if the password is read-write then the attacker can
modify the configuration of the device too.
• Usually the community strings are 'public' and 'private' for read-only and read-write.
• The passwords need to be changed from default and at regular intervals.
Domain Name Service
DNS
• Hostname/URL to IP translation happens through the DNS service. The complete
information is stored in resource records.
• Zonal division is prevalent in DNS. There are assigned DNS servers for
each zone.
• DNS servers can be positioned as primary and secondary. This lifts the
load off the primary server. The primary server holds the actual resource records
and secondary servers hold copies of them.
• Zone transfers happen between primary and secondary DNS servers,
replicating the information in the resource records.
• The DNS records must be made to replicate only with authorized DNS servers.
• DNS spoofing is a method whereby data is introduced into the DNS cache
database, causing the server to return a different address for a server. This causes
the traffic to be diverted to an illegitimate server.

Securing DNS
• DNS splitting – dividing the functionality of
DNS servers, so that compromising a DNS
server does not give away complete
information, e.g. DNS in the DMZ and internal
DNS.
• DNSSEC – authentication mechanism using PKI
and digital signatures.
• Cyber squatting.

SMTP
Simple Mail Transfer Protocol
• Message transfer agents move messages from client to server and between
servers; it is a messaging standard using addresses with the '@' and '.' notation.
• POP3
– Post Office Protocol version 3.
– Caters for the download-and-delete requirement for access to remote mailboxes.
– Uses port 110.
– Provides security by TLS/SSL on port 995.
– Could be frustrating as messages are downloaded.
• IMAP
– Internet Message Access Protocol
– Leaves mail on the server unless explicitly deleted.
– Works on port 143, and IMAPS (SSL) on 993.
– Allows access to the mailbox from multiple clients (group mailbox).

Spam
• Use of electronic messaging system to send
unsolicited bulk messages.
• This could be email, instant messaging service,
wiki spam, blog spam etc.
• Economically viable as the spammers do not
incur an operating cost.

Control
• Configure the settings to identify spam
emails/messages and move them to spam
folders.
• Introduce administrative controls to educate
users not to register their email addresses on internet sites.

Phishing
• A maliciously crafted email carrying a link which, when
clicked, is a social engineering attempt at
fraud. Or unsolicited software is installed
without the user's knowledge, and that could be malicious.
• Spear phishing is a phishing attempt focused on an
individual or an organization.
• Clone phishing is a method of attack that clones a
legitimate email with a malicious link.
• Whaling is a phishing method targeted at the senior
management team in an organization.
Email spoofing
• Forging email headers and other information (From:, To:, Reply-
To: fields) to pose as if the email is from a legitimate source.
• Such a posed legitimate source of email is more dangerous
when used for phishing.
• Control
– Track or log all connections to the SMTP server, to take action in
case of attack.
– Sender Policy Framework (SPF) validates the sender's IP address before
the email is accepted by the receiving server. SPF allows administrators to specify
which hosts are allowed to send mail from a given domain by
creating a specific SPF record.
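An added example, not from the original slides, of how a receiving mail server evaluates SPF: the records, domains and the lookup_txt() stand-in for DNS are all constructed, and only the ip4, ip6, include and all mechanisms are handled.

```python
"""Evaluate a sender IP against an SPF record, the check a receiving mail
server performs to see whether the sending host is authorised for the
MAIL FROM domain.

Added example, not from the original slides. The domains and records below
are constructed; lookup_txt() stands in for a real DNS TXT query. Only the
ip4, ip6, include and all mechanisms are handled; a, mx, exists and
redirect are not.
"""
import ipaddress
from typing import Callable, Optional

# Constructed SPF records for hypothetical domains.
SPF_RECORDS = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:mail.example.test -all",
    "mail.example.test": "v=spf1 ip4:198.51.100.10 ~all",
    "loop.test": "v=spf1 include:loop.test -all",  # deliberately self-referencing
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain: str) -> Optional[str]:
    """Stand-in for a DNS TXT lookup."""
    return SPF_RECORDS.get(domain)


def check_spf(sender_ip: str, domain: str,
              lookup: Callable[[str], Optional[str]] = lookup_txt,
              depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip.

    Mechanisms are tried left to right; the first that matches decides the
    result via its qualifier (default '+'). If none matches the result is
    'neutral'. Nested include: lookups are capped like RFC 7208's limit of
    ten DNS-querying mechanisms, so a self-including record ends in permerror.
    """
    if depth > 10:
        return "permerror"
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            inner = check_spf(sender_ip, arg, lookup, depth + 1)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # mechanism not supported by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "192.0.2.1"):
        print(ip, "->", check_spf(ip, "example.test"))
```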

Controlling Phishing
• The administrative control is to train users on
email usage and phishing. This is the most
effective strategy.
• Anti-phishing measures implemented at the
browser front as an extension or toolbar
(NetCraft).
• Anti-spam filters ensure illegitimate emails
do not reach the inbox but are filtered out to the spam
folder.
Network Address Translation
• NAT is a gateway that hides the internal IP
addresses from external evil eyes by means of
translation.
• IP addresses are translated, and the
checksum as well, because of the IP address change.
• A translation table is maintained, hence every
conversation is kept track of.

Types of NAT
– Static mapping: each address in a pool of IP addresses is mapped to
a specific IP address.
– Dynamic mapping: each address in a pool of IP addresses is mapped to
an address on a first come, first served
basis.
– Port Address Translation ensures every
outgoing connection is mapped to a single IP address
but a different port.
– Symmetric NAT – one-to-many NATed IPs
depending on destination.

Routing protocols
• These protocols enable the router to build paths based on
many factors.
• Types
– Static routing
– Dynamic Routing
– Distance-Vector protocol (Hop and Direction) –(RIP)
– Link state protocol (OSPF)
• Reliability
• Delay
• Packet size
• Link speed
• Network load or congestion

Attacks on Routing protocols
• An attacker can forge a RIP packet and start sending out an
advertisement that it has the shortest path to a destination, forcing
routers to send packets through him. This leads to replay or MITM attacks.
This was prevalent in the original RIP1; RIP2 does have password
authentication.
• DoS: the attacker sends floods of packets targeting a particular website; the
router actually takes the complete load and, when it is overwhelmed
with the requests, sends out information to other routers saying the
connection is full. Hence this path is clogged and legitimate traffic is
thus prevented.
• Wormhole is most prevalent in wireless networks, where the attacker
connects two distant endpoints on the network using Ethernet or any wired
or wireless network medium and transmits sniffed packets through it.

Routing attack
• An adversary node advertising non-existent routes, causing
the routing table to fill up with incorrect information
and thus preventing the addition of legitimate routes, is called a
Routing Table Overflow attack.
• A rogue router might advertise the shortest path towards a
destination and thus maliciously deny packets towards
that destination; this attack is called router cache
poisoning, or also the Black Hole attack.
• Byzantine attack, where a compromised router in the
network maliciously routes packets on a non-optimal path
or selectively drops them.
Routing Loops
• Split Horizon
• Maximum Hop Count

Transport layer attacks
• SYN flooding attack: The attacker floods the
victim's node with a large number of SYN packets.
The target responds with SYN-ACK and the
attacker never completes the 3-way handshake.
The half-open connections are stored in a fixed-
size table, and this prevents accepting any
genuine connections.
• Session hijacking.

HTTP Attack
• HTTP Flooding attack. – Uses large POST/GET
requests.

FTP Bounce Attack
• Misuse of the PORT command to establish a
secondary data connection.

Active vs Passive FTP
• Active
– Client:1025 -> Server:21 (control connection)
– Server:20 -> Client:1026 (data connection)
• Passive
– Client:1025 -> Server:21 (control connection)
– Client:1026 -> Server:1025 (data connection)

Firewalls

Firewalls
• Firewalls are used to restrict users from accessing the
network from the Internet.
• They also restrict access between two LAN segments
within the organization.
• The security policies of the organization are implemented
using the firewall as far as network security is concerned.
• They govern what traffic is allowed inside and what is
allowed outside.
• They perform the act of a sentry. Otherwise called a "choke
point", as they inspect every packet and restrict it.
Firewall Types
• Packet Filtering
• Proxy
• Stateful or Dynamic Packet Filtering
• Kernel Proxy

Packet Filtering
• Purely based on protocol and rules, or ACLs.
• Default is deny.
• Stateless firewall.
• They cannot prevent what can cause an attack
on the application.
• Limited logging facility.
• Cannot detect spoofed addresses.
• Very basic firewall, but good to go as step 1.
Stateful or Dynamic Packet Filtering
• This type of firewall logs or tracks every conversation happening at its end.
• It ensures the traffic is genuine, in line with how it must be.
• For example, the SYN, SYN-ACK, ACK TCP handshake must be performed at the outset of any
TCP communication. If there is an ACK without steps 1 and 2, then the firewall alerts.
• There are many other factors than this one to keep track of (UDP and ICMP).
• It does inspect the packet for any suspicious information as well, as many states are
just flags in the packet.
• There could be a DoS attack on a stateful firewall: too much bogus information
flooded will fill the stateful firewall's table and cause the system to freeze. Once this
type of firewall is restarted, the entire state information maintained is lost.
• An ACL entry is created for any new communication.
• It exists as long as the communication happens, i.e. until FIN packets are exchanged
or sent.
• The ACL entries are created and deleted dynamically.
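An added example (not the deck's own material) of the connection tracking this slide and the earlier SYN-flooding slide describe: a minimal TCP state table that allows the SYN, SYN-ACK, ACK sequence, alerts on an ACK with no preceding steps 1 and 2, and bounds the half-open entries the way a fixed-size table does under a SYN flood. Packets, addresses and the max_half_open size are constructed.

```python
"""Connection tracking of the kind a stateful firewall keeps: the SYN,
SYN-ACK, ACK order is learned per flow, out-of-state packets (an ACK with no
preceding handshake) raise an alert, and the half-open table is bounded so
a SYN flood fills it rather than exhausting memory.

Added example, not from the original slides. Packets are constructed
dicts; `max_half_open` is a hypothetical, deliberately tiny table size.
"""
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


class StatefulTracker:
    HALF_OPEN = ("SYN_SENT", "SYN_RECV")

    def __init__(self, max_half_open: int = 3):
        self.table: Dict[FlowKey, str] = {}
        self.max_half_open = max_half_open
        self.alerts: List[Tuple[str, FlowKey]] = []

    @staticmethod
    def key(pkt: dict) -> FlowKey:
        """Direction-independent flow key so both halves of a conversation
        update the same entry."""
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        return (a, b) if a <= b else (b, a)

    def half_open(self) -> int:
        return sum(1 for s in self.table.values() if s in self.HALF_OPEN)

    def process(self, pkt: dict) -> str:
        """Return 'allow' or 'drop' for one TCP packet and update the table."""
        k = self.key(pkt)
        flags = pkt["flags"]
        state = self.table.get(k)
        if flags == "S":                          # step 1
            if state is not None:
                return "allow"                    # retransmitted SYN
            if self.half_open() >= self.max_half_open:
                self.alerts.append(("half-open table full, SYN dropped", k))
                return "drop"
            self.table[k] = "SYN_SENT"
            return "allow"
        if flags == "SA":                         # step 2
            if state == "SYN_SENT":
                self.table[k] = "SYN_RECV"
                return "allow"
            return self._reject("SYN-ACK without SYN", k)
        if flags in ("A", "PA"):                  # step 3, or data
            if state == "SYN_RECV":
                self.table[k] = "ESTABLISHED"
                return "allow"
            if state in ("ESTABLISHED", "CLOSING"):
                return "allow"
            return self._reject("ACK without steps 1 and 2", k)
        if flags in ("F", "FA"):                  # teardown needs a FIN each way
            if state == "ESTABLISHED":
                self.table[k] = "CLOSING"
                return "allow"
            if state == "CLOSING":
                del self.table[k]
                return "allow"
            return self._reject("FIN for unknown flow", k)
        if flags == "R":
            if state is not None:
                del self.table[k]
                return "allow"
            return self._reject("RST for unknown flow", k)
        return self._reject("unexpected flags " + flags, k)

    def _reject(self, reason: str, k: FlowKey) -> str:
        self.alerts.append((reason, k))
        return "drop"


def pkt(src, sport, dst, dport, flags) -> dict:
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def demo() -> StatefulTracker:
    """Constructed traffic: one legitimate handshake, one stray ACK, then a
    burst of SYNs from a spoofed source that overflows the half-open table."""
    fw = StatefulTracker(max_half_open=2)
    fw.process(pkt("10.0.0.5", 40000, "192.0.2.10", 80, "S"))
    fw.process(pkt("192.0.2.10", 80, "10.0.0.5", 40000, "SA"))
    fw.process(pkt("10.0.0.5", 40000, "192.0.2.10", 80, "A"))
    fw.process(pkt("10.0.0.9", 5555, "192.0.2.10", 80, "A"))      # no handshake
    for port in (1001, 1002, 1003):                               # SYN flood
        fw.process(pkt("198.51.100.7", port, "192.0.2.10", 80, "S"))
    return fw


if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```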

Proxy firewall
• Acts as a middleman.
• Breaks and makes sessions.
• Types
– Circuit-level proxy
– Application-level proxy

Circuit Level Proxy
• Works at the protocol and session level.
• Cannot look into the content of the packet and
hence cannot carry out packet inspection in
depth.
• Provides a broader range of protection.
• A SOCKS firewall is a circuit-level firewall (Tor).

Application Level Proxy
• Inspects packets up through the application layer.
• They look inside the packet at a granular level.
• Make decisions based on the contents of the
packet.
• Prevents buffer overflow and other
application-specific attacks.
• The data can be looked into and data-specific
controls can be put in place.
Kernel Proxy Firewall
• Considered a fifth-generation firewall.
• Creates dynamic virtual network stacks necessary
for scrutinizing the packets at different levels to
comply with the layered approach.
• If there is anything suspicious in any of the
layers the packet is disallowed.
• Faster than an application firewall as the
scrutinizing happens at the kernel level.

Best practices for firewall management
• Must start with deny all.
• Fragmentation and reassembly at the firewall must be a call taken by the
organization, as it might cause delay in delivery.
• The firewall or router must always deny entry to packets with
source routing.
• Do not log noisy traffic, to save disk space. Keep the logging minimal –
Silent rule.
• Disallow access to the firewall from unauthorized systems – Stealth rule.
• Cleanup rule, also called the ANY-ANY deny rule. Logging this rule will help in
analyzing dropped connections and in identifying attacks as well.
• Implement DR/BCP for the firewall, if budget allows.
• Patch the firewall regularly.
• Place commonly used firewall rules at the top; as it is a top-down approach,
this improves performance.
• Use groups (objects) wherever possible to combine similar rules into one
rule.
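An added example, not from the original slides, putting several of these practices into a small top-down rule engine: a stealth rule, a silent (unlogged) rule, a logged any-any cleanup rule, an implicit deny, a source-routing check, and hit counters that suggest which rules to move up. Addresses, rule names and the packet format are constructed; the rule set is illustrative only.

```python
"""Top-down rule evaluation with the management practices from the slide:
a stealth rule protecting the firewall itself, a silent rule that drops
noisy traffic without logging, an explicit allow, a logged any-any cleanup
rule, an implicit deny if even the cleanup rule is missing, and a
source-routing check ahead of the rule base. Hit counters show which rules
deserve to move up.

Added example, not from the original slides. Addresses, rule names and the
packet format are constructed; the rules are illustrative, not a template.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

FIREWALL_IP = "203.0.113.1"      # hypothetical address of the firewall itself
WEB_SERVER = "203.0.113.10/32"   # hypothetical DMZ web server


@dataclass
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"
    log: bool = True


RULES: List[Rule] = [
    Rule("stealth", "any", FIREWALL_IP + "/32", "any", None, "deny"),
    Rule("silent-noise", "any", "255.255.255.255/32", "udp", None, "deny", log=False),
    Rule("web-in", "any", WEB_SERVER, "tcp", 443, "allow"),
    Rule("cleanup", "any", "any", "any", None, "deny"),
]


def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: dict) -> bool:
    return (_in_net(rule.src, pkt["src"]) and _in_net(rule.dst, pkt["dst"])
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[str] = []
        self.hits: Dict[str, int] = {r.name: 0 for r in rules}

    def evaluate(self, pkt: dict) -> str:
        """First matching rule wins; packets carrying a source route are
        denied before the rule base is consulted."""
        summary = f"{pkt['proto']} {pkt['src']}->{pkt['dst']}:{pkt.get('dport', '-')}"
        if pkt.get("source_routed"):
            self.log.append(f"deny source-routed {summary}")
            return "deny"
        for rule in self.rules:
            if matches(rule, pkt):
                self.hits[rule.name] += 1
                if rule.log:
                    self.log.append(f"{rule.action} [{rule.name}] {summary}")
                return rule.action
        self.log.append(f"deny [implicit] {summary}")
        return "deny"

    def suggested_order(self) -> List[str]:
        """Rule names with the stealth rule pinned first and cleanup last and
        the rest sorted by hit count. Overlapping rules must still be checked
        by hand before actually reordering them."""
        first = [r.name for r in self.rules if r.name == "stealth"]
        last = [r.name for r in self.rules if r.name == "cleanup"]
        middle = [r for r in self.rules if r.name not in ("stealth", "cleanup")]
        middle.sort(key=lambda r: self.hits[r.name], reverse=True)
        return first + [r.name for r in middle] + last


def demo() -> Firewall:
    """Constructed traffic exercising each rule once or twice."""
    fw = Firewall(RULES)
    fw.evaluate({"src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443})
    fw.evaluate({"src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443})
    fw.evaluate({"src": "198.51.100.5", "dst": "203.0.113.1", "proto": "tcp", "dport": 22})
    fw.evaluate({"src": "192.0.2.9", "dst": "255.255.255.255", "proto": "udp", "dport": 67})
    fw.evaluate({"src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 23})
    fw.evaluate({"src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443,
                 "source_routed": True})
    return fw


if __name__ == "__main__":
    fw = demo()
    print("\n".join(fw.log))
    print("hits:", fw.hits, "suggested order:", fw.suggested_order())
```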
Limitations
• Dial-up users bypass the firewall.
• They do not enforce password policy, and they are not
for that.
• Inside users accessing websites with malicious
content are not secured.
• Solely depends on our security policies and decisions.
• Social engineering attacks are out of scope
for firewalls.
• Masquerading attacks cannot be detected by firewalls.

DMZ
Demilitarized Zone
• Secure covering for LAN to protect internet
facing devices.
• DMZ is formed by firewalls to protect the
trusted network from external attacks (and
insider attacks!?!)

Architectures
• Dual or Multi homed
• Screened Host
• Screened Subnet

Dual or Multi-Homed
• These systems have packet forwarding and
routing turned off to enable inspection.
• They have dual or multiple NICs connecting
two or more networks, to connect and perform
due diligence.
• This could be one of the firewall layers in
defense.

Screened Host
• This firewall communicates directly with the
perimeter router and the internal network.
• The only device to receive traffic from the perimeter
router is this firewall.
• Traffic is inspected at this firewall by applying
rules and is taken forward to the internal network
only if it is valid.

Screened Subnet

Proxy Servers

Proxy Servers
• Acts as an intermediate agent for web browsing requests.
• Web requests from clients arrive at the proxy server. The proxy
server then validates the request and passes it on to the web, and vice
versa.
• It may result in performance degradation or improvement.
• It caches the output of previous web requests, hence can
improve performance.
• As it has to cater for requests from so many clients, it may as
well be a bottleneck.
• Enforces security to conform with organizational policy to
restrict web access.
Types of Proxies
• Forward Proxy
– Acts as an intermediary for clients.
• Open proxy (Store and Forward)
– Conceals the IP address when using internet services.
– The proxy can be used by anyone on the internet.
– This can be installed on a user's computer without their knowledge.
– If a hacker installs it on a system, he can make it a zombie computer to launch DDoS.
• Reverse proxy
– Acts as an intermediary for servers.
– To the client it appears as if the response comes from the servers themselves. They hide the servers.
– Responses from multiple servers can be given to a client request.
– Can act as a load balancer, participate in PKI, perform compression, etc.

Supervisory Control and Data Acquisitions
SCADA

Components
• Control Server
• Remote Transmission Unit
• Human Machine Interface
• Programmable Logic Controller
• Intelligent Electronic Devices
• Input/Output Server
• Data Historian

Vulnerabilities in SCADA
• Network Perimeter Vulnerabilities
• Protocol Vulnerabilities throughout the Stack
• Database Insecurities
• Session Hijacking and Man-in-the-middle
Attacks
• Operating System and Server Weaknesses
• Device and Vendor “Backdoors”

Virtual Private Network

Virtual Private Networks
• Provides a secure connection to the trusted network from a remote location.
• Extends the trusted network to remote users on the move.

Understanding Framework IPSec
• The most important framework for VPN.
• It is responsible for key exchange, mutual authentication and encryption in a VPN connection.
• It operates at the Network layer and is responsible for secured transactions between network and network or host and network.

IPSec framework
• Authentication Header – ensures integrity of the communication.
• Encapsulating Security Payload – provides authenticity, confidentiality, and integrity.
• ISAKMP (Internet Security Association and Key Management Protocol) establishes security associations. An SA is unidirectional; it associates protocol, keys etc. with an entity.

Key Exchange
IKE
• The two sides exchange nonces.
• The two sides perform a Diffie-Hellman exchange.
• The two sides each take the nonces, the Diffie-Hellman shared secret and the pre-shared key, and generate a set of IKE keys.
• They exchange IKE-encrypted messages to verify that both came up with the same IKE keys; if they used different IKE keys, verification fails.

Security Association
• One of the most important concepts in IPSec is the Security Association (SA), defined in RFC 1825.
• An SA is the combination of a given Security Parameter Index (SPI) and Destination Address.
• SAs are one way. A minimum of two SAs are required for a single IPSec connection.
• SAs contain parameters including:
– Authentication algorithm and algorithm mode
– Encryption algorithm and algorithm mode
– Key(s) used with the authentication/encryption algorithm(s)
– Lifetime of the key
– Lifetime of the SA
– Source Address(es) of the SA
– Sensitivity level (i.e. Secret or Unclassified)
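As an added example that is not part of the slides, the four IKE steps from the previous slide and the one-way SA records described here, simulated in Python. It uses a toy Diffie-Hellman group and HMAC-SHA256 as the pseudo-random function; the key-derivation shape loosely follows IKEv1 pre-shared-key mode, and the addresses, SPIs, algorithm names and lifetime are constructed values.

```python
import hashlib
import hmac
import secrets
from collections import namedtuple

# Toy Diffie-Hellman parameters, constructed for illustration only; a real
# IKE negotiation uses a standardised group of 2048 bits or more.
P, G = 2**127 - 1, 5

# One-way SA, identified by (SPI, destination address) as on the slide.
SecurityAssociation = namedtuple(
    "SecurityAssociation", "spi dest encryption authentication key lifetime_s")


class IkePeer:
    def __init__(self, address, psk):
        self.address, self.psk = address, psk
        self.nonce = secrets.token_bytes(16)          # step 1: a fresh nonce
        self.dh_priv = secrets.randbelow(P - 2) + 1   # step 2: DH private value
        self.dh_pub = pow(G, self.dh_priv, P)

    def derive_keys(self, peer_nonce, peer_pub, initiator):
        """Step 3: keys from the nonces, the DH secret and the pre-shared key,
        shaped like the IKEv1 PSK derivation SKEYID = prf(psk, Ni | Nr)."""
        gxy = pow(peer_pub, self.dh_priv, P).to_bytes(16, "big")
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        skeyid = hmac.new(self.psk, ni + nr, hashlib.sha256).digest()
        self.skeyid_d = hmac.new(skeyid, gxy + b"\x00", hashlib.sha256).digest()
        self.skeyid_a = hmac.new(skeyid, gxy + b"\x01", hashlib.sha256).digest()

    def protect(self, msg):
        """Step 4: authenticate a message with SKEYID_a."""
        return hmac.new(self.skeyid_a, msg, hashlib.sha256).digest()

    def verify(self, msg, tag):
        return hmac.compare_digest(self.protect(msg), tag)

    def child_sa(self, spi, dest):
        """Phase 2: one direction's SA, keyed from SKEYID_d, the SPI and address."""
        material = spi.to_bytes(4, "big") + dest.encode()
        key = hmac.new(self.skeyid_d, material, hashlib.sha256).digest()[:16]
        return SecurityAssociation(spi, dest, "AES-128", "HMAC-SHA256", key, 3600)


def ike_handshake(psk_a, psk_b):
    """Return the two SAs of one IPsec connection, or None when the peers
    ended up with different IKE keys (e.g. mismatched pre-shared keys)."""
    a, b = IkePeer("10.0.0.1", psk_a), IkePeer("10.0.0.2", psk_b)
    a.derive_keys(b.nonce, b.dh_pub, initiator=True)
    b.derive_keys(a.nonce, a.dh_pub, initiator=False)
    if not b.verify(b"IKE-AUTH", a.protect(b"IKE-AUTH")):
        return None
    return a.child_sa(0x1001, b.address), b.child_sa(0x1002, a.address)
```

With matching pre-shared keys the handshake yields two SAs with different SPIs, destinations and keys; with mismatched keys the step 4 verification fails and no SA is created.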

Network Layer Security
• IP security (IPsec)
– Two protocols
• Authentication protocol, using an Authentication Header (AH)
• Encryption/authentication protocol, called the Encapsulating
Security Payload (ESP)
– Two modes of operation
• Transport mode: provides protection for upper-layer protocols
• Tunnel mode: protects the entire IP datagram

AH
• AH - Authentication Header
– Defined in RFC 1826
– Integrity: Yes, including IP header
– Authentication: Yes
– Non-repudiation: Depends on cryptography algorithm.
– Encryption: No
– Replay Protection: Yes

ESP
• ESP – Encapsulating Security Payload
– Defined in RFC 1827
– Integrity: Yes
– Authentication: Depends on cryptography algorithm.
– Non-repudiation: No
– Encryption: Yes
– Replay Protection: Yes

Why two protocols
• Differences between AH and ESP:
– ESP provides encryption, AH does not.
– AH provides integrity of the IP header, ESP does not.
– AH can provide non-repudiation, ESP does not.
• However, we don't have to choose, since both protocols can be used together.
• Why have two protocols?
– Some countries have strict laws on encryption. If you can't use encryption in those countries, AH still provides good security mechanisms. Two protocols ensure wide acceptance of IPSec on the Internet.

Data Integrity and Confidentiality

Algorithms
• Algorithms used:
– Encryption:
– Symmetric – as IP packets may arrive out of order, and asymmetric algorithms are incredibly slow.
– E.g. AES (Advanced Encryption Standard)

– Authentication:
– MACs (Message Authentication Codes) based on symmetric encryption algorithms.
– One-way hash functions (SHA-2).

How IPSec works
• Internet Key Exchange (IKE) is used to set up IPSec.
• IKE Phase 1:
– Establishes a secure, authenticated channel between the two computers
– Authenticates and protects the identities of the peers
– Negotiates which SA policy to use
– Performs an authenticated shared secret key exchange
– Sets up a secure tunnel for phase 2
– Two modes: Main mode or Aggressive mode
• Main Mode IKE
1. Negotiate algorithms & hashes.
2. Generate shared secret keys using a Diffie-Hellman exchange.
3. Verification of identities.
• Aggressive Mode IKE
– Squeezes all negotiation, key exchange, etc. into fewer packets.
– Advantage: less network traffic & faster than main mode.
– Disadvantage: information is exchanged before a secure channel is created; vulnerable to sniffing.

How IPSec works
– An AH or ESP packet is then sent using the “main” SA agreed upon during IKE phase 1.
– IKE Phase 2
• Negotiates IPSec SA parameters
• Establishes IPSec security associations for specific connections (like FTP, telnet, etc.)
• Renegotiates IPSec SAs periodically
• Optionally performs an additional Diffie-Hellman exchange

VPN - enablement
• Uses encryption.
• Provides redundancy or availability in the process.
• A Gateway – Gateway architecture can be configured, wherein the complete network-to-network connectivity is secured using encryption.
• A Host – Host VPN ensures that the communication between two servers is secured with VPN. Resource intensive.
• Host – Gateway VPN is the most popular one. Users connect to the network using VPN.
Remote host to network

Site to Site VPN

Authentication Protocols
• PAP
• CHAP
• EAP (802.1X)
– EAPOL
– Authentication Server
– Authenticator (HUB)

Network Authentication
• PAP
• CHAP
• EAP
– Supplicant
– Authentication Server
– Authenticator (WAP)
• Resolves Roaming Infected Laptop

IDPS
• HIDS
• NIDS
• HIPS
• NIPS

IDS Type
• Signature Based
• Traffic Anomaly
• Protocol Anomaly
• Statistical Anomaly

Wireless Technologies

Notes
• Direct Sequence Spread Spectrum
– The data is mixed with a pseudo-random noise (PN) code; this code is generated at the source and separated out at the receiver to recover the actual message.
– Data is distributed over a wider band of frequencies and hence susceptible to interference.
• Frequency Hopping Spread Spectrum
– Data is spread across changing frequencies.
– The available range of frequencies is subdivided into frequency ranges. The data is sent hopping across these subdivided frequencies in a manner agreed between source and destination.
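An added example, not from the slides, of the DSSS mixing described above in Python: each data bit is multiplied by an 11-chip PN code (the Barker sequence used by 802.11 DSSS) and the receiver correlates the chips against the same code to recover the bit, so a receiver that does not hold the agreed code decodes the wrong bits. The sample message and the "wrong" code are constructed.

```python
# 11-chip Barker sequence, the spreading code used by 802.11 DSSS at 1 and
# 2 Mbit/s. Both ends must hold the same code, as the slide describes.
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits, pn_code):
    """Transmitter: map each data bit to a symbol (0 -> -1, 1 -> +1) and
    multiply it by the whole PN code, so one bit becomes len(pn_code) chips."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * chip for chip in pn_code)
    return chips


def despread(chips, pn_code):
    """Receiver: correlate each chip group with the PN code; the sign of the
    correlation recovers the bit. With the agreed code the correlation is
    +/-11 per bit; with another code it is small and the bits come out wrong."""
    n = len(pn_code)
    bits = []
    for start in range(0, len(chips), n):
        group = chips[start:start + n]
        correlation = sum(c * p for c, p in zip(group, pn_code))
        bits.append(1 if correlation > 0 else 0)
    return bits


def bytes_to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


# Constructed: a receiver holding the reversed code instead of the agreed one.
WRONG_CODE = BARKER_11[::-1]
```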

Few more
• Orthogonal FDM
– Division into sub-frequencies.
– Each band is further modulated to avoid interference.

Wireless LAN
WLAN (IEEE 802.11)
• It is impossible to disallow registration of a wireless client (laptop) to a wireless network unless proper authentication is in place.
• There is a shared SSID (Service Set ID). This SSID forms the Basic Service Set (BSS). A BSS is a set of STAs (stations or NICs) that connect to an Access Point (AP).

WiFi Security
• The systems scan for any Wi-Fi signal and, if one is found, initiate open system authentication.
• Open system authentication is merely matching of the SSID, which can be spoofed by any attacker.
• Disabling SSID broadcast will prevent free movement of Wi-Fi users.
• The SSID is not only available in the beacon frame but in other broadcasts as well.
Wireless LAN Security
• Wired Equivalent Privacy (WEP)
– Shared secret key.
– CRC-32 checksum for integrity.
– RC4 (stream cipher) for confidentiality, including the checksum.
– Due to inherent flaws in RC4 it is easily broken in minutes by any attacker.
– The IV is only 24 bits irrespective of key size.
– The same key must be used on all STAs using the AP (shared key).
WEP Vulnerability
• The IV is only 24 bits, 16.7 million values, but on a busy network it repeats after 5-7 hours, thus revealing the pattern of the key stream.
• The 802.11 standard does not specify how the IVs are set or changed, and individual wireless adapters from the same vendor may all generate the same IV sequences, or some wireless adapters may possibly use a constant IV. As a result, hackers can record network traffic, determine the key stream, and use it to decrypt the cipher text.
• The IV is transmitted in plain text.
• There is no integrity checking in WEP. CRC is not considered good integrity protection.
• A 40-bit or 104-bit encryption key must be manually entered on wireless access points and devices, and does not change.
• Predominantly a 40-bit key is used for encryption, thus making this symmetric key susceptible to key breaking.

WEP Vulnerability
• The IV is 24 bits and the key is 40 bits; the IV is still 24 bits even when the key is 104 bits.
• Because of the 24-bit IV, the attacker can find two packets derived from the same IV. This is a collision attack.
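An added example (not from the slides) putting numbers on the IV bullets of these two WEP slides and adding a defender-side check in Python: how long a sequential 24-bit IV counter lasts at a given frame rate, the birthday probability that randomly chosen IVs collide, and a scan over a constructed capture that flags IV reuse per BSSID and key id. It assumes the 4-byte WEP header layout (3-byte IV followed by a key-id byte whose top two bits select the key); the sample frames and BSSID are constructed.

```python
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS   # 16,777,216 possible IVs, as the slide says


def parse_wep_header(frame_body):
    """Split a WEP-protected frame body into (iv, key_id, ciphertext).
    The 4-byte WEP header is a 3-byte IV followed by a byte whose top two
    bits select one of the four configured keys."""
    if len(frame_body) < 4:
        raise ValueError("frame body too short for a WEP header")
    iv = int.from_bytes(frame_body[:3], "big")
    key_id = frame_body[3] >> 6
    return iv, key_id, frame_body[4:]


def seconds_until_iv_wraps(frames_per_second):
    """A sequential IV counter wraps, and keystreams start repeating, after
    IV_SPACE frames; at ~800 frames/s that is the slide's 5-7 hours."""
    return IV_SPACE / frames_per_second


def collision_probability(frames, space=IV_SPACE):
    """Probability that at least two of `frames` randomly chosen IVs are
    equal (the birthday bound); computed in log space to avoid underflow."""
    log_no_repeat = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_no_repeat)


def find_iv_reuse(frames):
    """Monitoring check: report (frame index, earlier index) pairs whose IV
    was already seen under the same BSSID and key id, i.e. frames that
    share a keystream. A reused IV under a different key id is not a hit,
    because a different key gives a different keystream."""
    first_seen = {}
    reused = []
    for idx, (bssid, body) in enumerate(frames):
        iv, key_id, _ = parse_wep_header(body)
        key = (bssid, key_id, iv)
        if key in first_seen:
            reused.append((idx, first_seen[key]))
        else:
            first_seen[key] = idx
    return reused


# Constructed sample capture: (BSSID, WEP frame body). Frames 0 and 3 reuse
# IV 0x00002A under key id 0; frame 2 carries the same IV under key id 1.
SAMPLE_CAPTURE = [
    ("00:11:22:33:44:55", bytes.fromhex("00002a00") + b"\x9f\x11\x34"),
    ("00:11:22:33:44:55", bytes.fromhex("00002b00") + b"\x51\xa0\x07"),
    ("00:11:22:33:44:55", bytes.fromhex("00002a40") + b"\x0c\x77\xee"),
    ("00:11:22:33:44:55", bytes.fromhex("00002a00") + b"\x3e\x3e\x81"),
]
```

The birthday figure is the point of the second slide: with random IVs a collision is already even odds after roughly 4,800 frames, far sooner than the 16.7 million frames a sequential counter needs to wrap.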

WLAN Security
(WPA-PSK)
• Wi-Fi Protected Access
– Used RC4 with a 128-bit key, later replaced by AES.
– The IV was expanded from 24 bits to 48 bits.
– This used the Temporal Key Integrity Protocol (TKIP). This protocol uses a different key for each packet.
– In line with EAP, which provides a framework for authentication.
– Uses a pre-shared key.
– At the outset of communication both client and server authenticate themselves to each other.
– Predominantly used with RADIUS.
Weakness of WPA
• Susceptible to weak-password attacks (includes WPA2).
• Key distribution is done manually and hence error prone.
• Security practice requires pre-shared keys to be changed on a regular basis, creating an overhead.
• Highly inconvenient when a guest user departs.

WPA2
• Better than WPA and WEP.
• Uses the EAP authentication mechanism and the Counter Mode/CBC-MAC Protocol for encryption (AES Counter Mode).
• CCMP (AES CBC-MAC) for integrity.
• Implements the complete IEEE 802.11i standard.

Difference between WPA-PSK and WPA2
• WPA was pre-standard. WPA2 is also known as 802.11i, or the actual standard for wireless security.
• WPA2 uses CCMP instead of TKIP as a message authenticator.
• Both allow AES and a variety of EAP methods for exchanging credentials.
War Driving
• A person with a wireless-enabled portable device searching for wireless devices for information collection.
• War driving is not appropriation but just information collection about WAPs (Wireless Access Points).

War Chalking
• Performing war driving and documenting the detections for others to use.

Rogue Access Point or Evil Twin
• An employee installing a wireless router, enabling wireless access without the knowledge of the IT team.
• This wireless router is the evil twin of the genuine AP.

Piggy Backing
• Establishing a wireless internet connection by using another subscriber's wireless internet access without their permission.
• But this is an activity open to debate.
• Can be restricted by employing WEP or WPA.

Best Practices
• Change the default SSID.
• Disable broadcasting of the SSID.
• Add another layer of authentication like Kerberos or RADIUS.
• Access Points must be positioned at the centre of the building.
• Traffic from Access Points must be filtered and inspected, hence they must be positioned in the DMZ.
• Encrypt the data in transit.
Blue tooth
• Short-range, low-power specification (IEEE 802.15.1).
• BT devices are designed to work at a 10 m range, but longer ranges are still possible.
• Has limited security features.
• The specification has encryption and authentication information.

Bluetooth attacks
• Bluejacking – an anonymous message gets displayed on the victim's device. Predominantly used for advertising, and is harmless.
• Bluesnarfing (obsolete) – unauthorized access to the victim's contacts, calendar etc. But the current protocol version needs the devices to be paired for connection, and hence this vulnerability does not exist.
• BlueBug – exploitation of short-range BT devices for reading the call list, sending and reading messages, reading and writing the address book, initiating calls, etc. Debugging this is not easy but still possible.
Spim
• Spam delivered through instant messaging.
• Remediation
– Allow messages only from known contacts (or)
– Disallow any messages from users whom you do
not know.

End
