Chapter 6. Telecommunications and Network Security

Terms you'll need to understand:

  • Denial of service (DoS)

  • Address Resolution Protocol (ARP)

  • Domain Name System (DNS)

  • Firewalls

  • Network Address Translation (NAT)

  • IP Security (IPSec)

  • The Open Systems Interconnection (OSI) model

  • Transmission Control Protocol/Internet Protocol (TCP/IP)

  • Local area networks (LAN)

  • Wide area networks (WAN)

Techniques you'll need to master:

  • Understand the various types of attacks against networks

  • Understand the differences between LAN and WAN topologies

  • Describe and define the OSI model and its layers

  • Describe the four layers of the TCP/IP stack

  • Understand the function and purpose of VPNs

Introduction

The telecommunications and network security domain addresses communications and network security. Mastery of this domain requires you to fully understand voice and data communications, as well as the countermeasures that can be implemented to protect these systems.

If you have spent some time working in this segment of IT security management, you might need only a quick review of the material. If your work has led you to concentrate in other domains, you will want to spend some time here reviewing the content because this is a large domain with many potential exam questions.

To be fully prepared for the exam, you will need to understand the data communication process and how it relates to network security. Knowledge of remote access, the use of firewalls, network equipment, and network protocols is also required. Being adept in network security also requires that you understand the techniques used for preventing network-based attacks.

Threats to Network Security

Many threats to network security exist. Attackers are opportunistic and typically take the path of least resistance. This means they choose the most convenient route and exploit the most well-known flaw. Threats to network security can include denial-of-service attacks, disclosure, and destruction or alteration of information.

DoS Attacks

Many times denial-of-service (DoS) attacks are a last-ditch effort by malicious users to bring down a network. The thought process is that if they cannot have access to the network, no one else should, either. Some common DoS attacks include these:

  • Ping of death—. An IP datagram larger than the 65,535-byte maximum is illegal, but it can be assembled from fragments that are each legal on their own. When the receiving host reassembles the fragments into the complete packet, the oversize result can overflow the reassembly buffer on some systems and crash them.

  • Smurf—. Uses spoofed ICMP echo requests (pings) addressed to a network's broadcast address, with the source address set to the victim. Every host on that network answers, so the victim is flooded with echo replies; the network that does the answering is called the amplifier.

  • Teardrop—. Sends malformed fragments whose fragmentation offset values are tweaked so that the fragments overlap when reassembled. Reassembly code that does not expect overlapping fragments crashes or locks up the receiving system, causing a denial of service.

  • Land—. Sends a packet whose source and destination IP addresses and ports are identical, so that the victim appears to be talking to itself. Systems that do not know how to handle this malformed packet freeze or lock up, causing a denial of service.

  • SYN flood—. Instead of targeting the Internet Control Message Protocol (ICMP) or the Internet Protocol (IP), a SYN flood disrupts the Transmission Control Protocol (TCP). The attacker sends a large number of SYN packets, usually from spoofed source addresses, and never completes the three-way handshake. The victim allocates a half-open connection for each SYN while it waits for an ACK that never arrives; when its connection backlog fills, it can no longer accept legitimate connections.
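All five attacks above can be recognized from packet headers alone. The following Python is an added example, not code from the book: it applies those checks to a small set of constructed packet records, flagging Land packets, echo requests sent to a broadcast address, overlapping fragments, an oversize reassembly, and a destination with too many half-open connections. The record field names, the thresholds and the sample addresses are assumptions made for the example rather than any real capture format.

```python
"""DoS packet heuristics over constructed packet records (added example).

Every record is a plain dict; the field names (proto, src, sport, dst, dport,
flags, icmp_type) are assumptions made for this example, not a real capture
format. Fragment tuples are (offset_in_bytes, length_in_bytes).
"""
from collections import defaultdict

MAX_IPV4_DATAGRAM = 65535   # largest legal IPv4 total length, header included
IPV4_HEADER = 20            # minimum IPv4 header; added back when sizing the reassembly


def is_land(pkt):
    """Land: source and destination address AND port are identical."""
    return (pkt["proto"] in ("tcp", "udp")
            and pkt["src"] == pkt["dst"]
            and pkt["sport"] == pkt["dport"])


def is_smurf(pkt, broadcast_addrs):
    """Smurf trigger: ICMP echo request aimed at a broadcast address (source is the spoofed victim)."""
    return (pkt["proto"] == "icmp"
            and pkt.get("icmp_type") == "echo-request"
            and pkt["dst"] in broadcast_addrs)


def check_fragments(frags):
    """Walk one datagram's fragments in offset order and report reassembly problems.

    Teardrop: a fragment starts before the previous one ended (overlap).
    Ping of death: the reassembled datagram would exceed the IPv4 maximum.
    """
    findings = set()
    end = 0
    for offset, length in sorted(frags):
        if offset < end:
            findings.add("teardrop-overlap")
        end = max(end, offset + length)
    if end + IPV4_HEADER > MAX_IPV4_DATAGRAM:
        findings.add("ping-of-death-oversize")
    return findings


def syn_flood_targets(pkts, threshold):
    """Return destinations with at least `threshold` half-open TCP connections.

    A SYN-only segment opens a half-open entry for (client ip, client port); an
    ACK-only segment from the same client closes it (handshake completed).
    """
    half_open = defaultdict(set)
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        client = (p["src"], p["sport"])
        if p["flags"] == {"SYN"}:
            half_open[p["dst"]].add(client)
        elif "ACK" in p["flags"] and "SYN" not in p["flags"]:
            half_open[p["dst"]].discard(client)
    return {dst for dst, clients in half_open.items() if len(clients) >= threshold}


# --- constructed sample traffic (not a real capture) ---
BROADCASTS = {"192.168.1.255"}
SAMPLE_PACKETS = [
    # Land: 10.0.0.9:139 -> 10.0.0.9:139
    {"proto": "tcp", "src": "10.0.0.9", "sport": 139,
     "dst": "10.0.0.9", "dport": 139, "flags": {"SYN"}},
    # Smurf trigger: echo request to the broadcast address, source spoofed as the victim
    {"proto": "icmp", "src": "10.0.0.7", "dst": "192.168.1.255", "icmp_type": "echo-request"},
    # One legitimate, completed handshake to the web server
    {"proto": "tcp", "src": "172.16.0.2", "sport": 40000,
     "dst": "10.0.0.80", "dport": 80, "flags": {"SYN"}},
    {"proto": "tcp", "src": "172.16.0.2", "sport": 40000,
     "dst": "10.0.0.80", "dport": 80, "flags": {"ACK"}},
] + [
    # Fifty SYNs from spoofed sources that never complete the handshake
    {"proto": "tcp", "src": "198.51.100.%d" % i, "sport": 1024 + i,
     "dst": "10.0.0.80", "dport": 80, "flags": {"SYN"}}
    for i in range(1, 51)
]
NORMAL_FRAGS = [(0, 1480), (1480, 520)]                      # 2,000-byte payload, no overlap
TEARDROP_FRAGS = [(0, 1480), (1472, 1480)]                   # second fragment starts inside the first
PING_OF_DEATH_FRAGS = [(i * 1480, 1480) for i in range(45)]  # 66,600-byte payload > 65,535


def run_demo(threshold=20):
    """Apply every check to the sample data and return the findings."""
    return {
        "land": [p for p in SAMPLE_PACKETS if is_land(p)],
        "smurf": [p for p in SAMPLE_PACKETS if is_smurf(p, BROADCASTS)],
        "fragments": {
            "normal": check_fragments(NORMAL_FRAGS),
            "teardrop": check_fragments(TEARDROP_FRAGS),
            "ping_of_death": check_fragments(PING_OF_DEATH_FRAGS),
        },
        "syn_flood_targets": syn_flood_targets(SAMPLE_PACKETS, threshold),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The half-open counter is the same idea a SYN-flood sensor or a SYN-cookie decision uses; in practice the threshold is tuned per service, and the fragment checks belong in the IP reassembly path, where modern stacks reject overlapping and oversize fragments outright.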

Disclosure Attacks

Disclosure attacks seek to gain access to systems and information that should not be available to unauthorized individuals. As a CISSP candidate, you should be aware of these attacks and their potential effects. They include the following:

  • Sniffing—. This rather passive form of attack requires that the attacker gain some type of access to the network. This is easy to perform if the network is using hubs. The goal is to uncover sensitive information. This is made possible by the fact that many protocols, such as the File Transfer Protocol (FTP), Telnet, and the Simple Mail Transfer Protocol (SMTP), send usernames and passwords in clear text.

  • ARP poisoning—. This attack is usually done to redirect traffic on a switched network. Because a switch does not send all traffic to all ports the way a hub does, attackers use ARP poisoning (forged ARP replies that bind the gateway's or a victim's IP address to the attacker's MAC address) to put themselves in the middle of a data exchange. Once that has been achieved, the attacker can mount a series of attacks, including sniffing and interception of confidential information.

  • DNS spoofing—. Much like ARP poisoning, this attack poisons the Domain Name System (DNS) process. Attackers who succeed get their fake DNS entry placed into the victim's resolver cache, and victims are then redirected to the wrong Internet sites.

  • Pharming attack—. Pharming is another attack that misuses DNS. Normally DNS translates names into IP addresses; pharming hijacks that translation, by poisoning a resolver or altering a host's local name resolution, so that traffic is sent to a location of the attacker's choice. Web traffic is the usual target, but the same trick works on Voice over IP (VoIP): redirected VoIP signaling gives the attacker control of calls, so a phone call might no longer be private and could be monitored.

  • Phishing attack—. This social-engineering attack attempts to lure victims into disclosing confidential information. The attacker typically attempts to trick the victim by sending a fake email that appears to be from a legitimate bank or e-commerce vendor. The supplied link to the organization's website appears real but is actually hosted by the attackers.

  • War dialing—. This old-school attack is based on the premise that if the attacker can connect to a modem inside the victim's organization, he might be able to launch an attack from there. War-dialing programs dial a predetermined range of phone numbers in hopes of finding one answered by a modem. The threat is that a host with an unmanaged modem becomes a back door: it bridges the internal network and the outside world while bypassing the firewall entirely.

  • War driving—. War driving (and its variants war flying, war boating, and war walking) is the practice of moving through an area to find wireless access points. Many individuals who perform this activity look specifically for unsecured wireless networks to exploit. The primary threat is that they might then have a direct connection to your internal network or unrestricted use of your Internet access.

  • Spyware—. Spyware is a broad category of illicit programs that monitor Internet activity, redirect you to specific sites, or barrage you with pop-up ads. It is usually installed by some form of browser hijacking or bundled with a program the user downloads. Spyware typically tracks activity through a component installed on the victim's computer and sends the collected data and statistics back to the attacker, which makes it a loss of confidentiality.

  • Viruses/worms—. These programs are created specifically to invade computers and networks and wreak havoc on them. Some display only cryptic messages on the victim's machine, whereas others can disclose information, alter files, or open the machine to further attack. The big difference between the two is how they spread: a virus attaches itself to a host program or file and needs that host to be executed or opened (usually by a user) before it can replicate, whereas a worm is self-contained and propagates over the network on its own. Worms can spread so quickly that they clog networks and cause denial of service.
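ARP poisoning, as described in the list above, works because hosts accept whatever sender-IP/sender-MAC binding an ARP reply carries. The Python below is an added example, not code from the book: it shows the check a host-based ARP watcher would run, seeding its table with a trusted mapping for the gateway and then flagging replies that remap a known IP to a different MAC, a single MAC claiming several IPs, and gratuitous replies. The frame field names and all addresses are constructed for the example.

```python
"""Host-side ARP poisoning detector over constructed ARP replies (added example).

Frame dicts use the field names op, sender_ip, sender_mac, target_ip; these and
the addresses below are assumptions made for the example, not a capture format.
"""
from collections import defaultdict


class ArpWatcher:
    def __init__(self, trusted=None):
        # Trusted IP -> MAC seeds (typically the default gateway); never overwritten.
        self.trusted = dict(trusted or {})
        self.ip_to_mac = dict(self.trusted)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []

    def observe(self, frame):
        """Inspect one ARP reply; requests carry no binding claim and are ignored."""
        if frame["op"] != "reply":
            return
        ip, mac = frame["sender_ip"], frame["sender_mac"].lower()

        # Gratuitous reply: "I am <ip>" announced to everyone. Legitimate on
        # address changes, but also the poisoner's preferred delivery vehicle.
        if frame.get("target_ip") == ip:
            self.alerts.append(("gratuitous-reply", ip, mac))

        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            self.alerts.append(("ip-remapped", ip, known, mac))
        if ip not in self.trusted:
            self.ip_to_mac[ip] = mac

        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # One NIC answering for several IPs: a man-in-the-middle position, or a
            # legitimate multi-homed host; worth a look either way.
            self.alerts.append(("mac-claims-multiple-ips", mac,
                                tuple(sorted(self.mac_to_ips[mac]))))


def analyze(frames, trusted):
    """Run all frames through a fresh watcher and return the alert list."""
    watcher = ArpWatcher(trusted)
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts


# --- constructed sample traffic ---
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # the real gateway
SAMPLE_FRAMES = [
    # Normal reply from the gateway to a client
    {"op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "aa:bb:cc:00:00:01",
     "target_ip": "192.168.1.10"},
    # Normal reply from another host (the soon-to-be attacker) for its own address
    {"op": "reply", "sender_ip": "192.168.1.66", "sender_mac": "de:ad:be:ef:00:01",
     "target_ip": "192.168.1.10"},
    # Poison: the attacker's NIC claims to be the gateway, aimed at the client
    {"op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "de:ad:be:ef:00:01",
     "target_ip": "192.168.1.10"},
    # Same claim, sent as a gratuitous reply so every host updates its cache
    {"op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "de:ad:be:ef:00:01",
     "target_ip": "192.168.1.1"},
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES, TRUSTED):
        print(alert)
```

The same logic, run on a switch that inspects ARP against its DHCP snooping table, is what dynamic ARP inspection does; on a host, the simpler mitigation is a static ARP entry for the gateway.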

Destruction, Alteration, or Theft

The destruction, alteration, or theft of data represents a serious threat to the security of the organization. These attacks cut to the heart of the organization: the network is compromised and then used to reach assets such as databases containing credit card information. Even if regulatory requirements do not hold the organization liable, a serious public relations problem is still likely if one of these attacks occurs:

  • Database attacks—. These attacks target an organization's database. Although the techniques vary, the results are the same: malicious users run their own code on the victim's database server or steal information from it. This is a serious threat to the integrity and confidentiality of the organization's data.

  • Cellphone attacks—. It's not hard to believe that Americans now spend more time talking on their cellphones than they do land lines. With so many cellphones in use, there are numerous ways in which attackers can try to exploit their vulnerabilities. One is through the practice of cloning. Cellphones have an electronic serial number (ESN) and a mobile identification number (MIN). Attackers can use snifferlike equipment to capture these numbers from your phone and install them in another. The attacker then can sell or use this cloned phone.

    Tumbling is another form of cellphone attack. Specially modified phones tumble and shift to a different pair of ESN/MIN numbers after each call. This technique makes the attacker's phone appear to be a legitimate roaming cell phone. First-generation (1G) cellphones were vulnerable to this attack. Today most cellphones are second- (2G) and third- (3G) generation phones.

  • Data diddling—. This form of attack works by changing data as it is being keyed in or processed by a computer. It can include canceling debts without proper authority or assigning a large hourly pay increase to your salary. Trying to track down the problem is difficult, and it could be months before the attack is uncovered.

  • Identity theft—. FBI statistics list identity theft as one of the fastest-growing white-collar crimes. Identity theft is the deliberate assumption of another person's identity, usually to gain access to that person's finances or to use his or her identity and credit history to purchase goods or services, or to establish credit or receive loans under the victim's name. This form of attack can endanger the integrity and confidentiality of the victim's credit history.

  • Password cracking—. This type of attack targets an organization's passwords, which could belong to anyone from the CEO to the help-desk technician. Techniques include guessing, shoulder surfing, and dictionary, hybrid, and brute-force attacks. Dictionary cracking pulls words from dictionaries and word lists and tries each as the password. Hybrid attacks start from the same word lists but prepend and append characters and numbers (and change capitalization) to each word. Brute-force attacks try every possible combination of characters from a chosen character set up to a given length; they always succeed eventually, but the time required grows exponentially with password length.

  • Privilege escalation—. Some operations require elevated privilege and run as administrator, system, or root. Attackers examine the programs that perform those operations for errors or other bugs. By exploiting such a flaw, for example by injecting their own code into the privileged program, they can sometimes run commands with its privileges and gain control of the computer.

  • Salami attack—. This financial crime works by taking small amounts of money over an extended period. For the attacker to be successful, he must remove an amount so small that it will go unnoticed.

  • Software piracy—. This illegal activity occurs when individuals or corporations distribute software outside its legal license agreement. Not only is software piracy morally wrong, but there are also significant financial and legal penalties. Individuals who distribute pirated software can face felony charges and be jailed for up to 5 years.

  • Session hijacking—. This attack allows an attacker to take over an existing connection. It is an effective attack because most TCP services perform only authentication at the beginning of the session. So in this case, the attacker simply waits until authentication is complete and then jumps in and takes control. Applications such as FTP and Telnet are vulnerable to this attack.

  • Spamming—. Spam is unsolicited bulk email. One real danger of spam is that your organization's mail servers could be tricked into forwarding spam if they are not properly secured. Spammers do not want to send junk mail from their own domains, so they troll the Internet looking for open mail relays, which they then use to send junk mail, getting your domain blacklisted in the process.
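The dictionary, hybrid and brute-force techniques listed under password cracking above differ only in how candidate passwords are generated. The Python below is an added example, not code from the book: it implements all three against a salted SHA-256 hash so that the difference in search space is visible. The word list, the salt and the hash construction are assumptions made for the example; a real system should store passwords with a deliberately slow algorithm such as bcrypt, scrypt or PBKDF2, which multiplies the cost of every guess shown here.

```python
"""Dictionary, hybrid and brute-force password guessing (added example).

The salted SHA-256 hash, the word list and the character set are assumptions
made for the example; real systems should store passwords with a deliberately
slow KDF (bcrypt, scrypt, PBKDF2), which makes each of these guesses cost more.
"""
import hashlib
import itertools
import string


def hash_password(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def dictionary_attack(target, salt, words):
    """Try each word as-is. Returns (password, guesses) or (None, guesses)."""
    for n, word in enumerate(words, 1):
        if hash_password(salt, word) == target:
            return word, n
    return None, len(words)


def hybrid_candidates(words):
    """Dictionary words with common mangling: capitalization plus prefixes/suffixes."""
    suffixes = ([""] + [str(i) for i in range(10)]
                + ["%02d" % i for i in range(100)] + ["!", "?", "1!"])
    prefixes = ["", "!"]
    for word in words:
        for variant in (word, word.capitalize(), word.upper()):
            for prefix in prefixes:
                for suffix in suffixes:
                    yield prefix + variant + suffix


def hybrid_attack(target, salt, words):
    guesses = 0
    for candidate in hybrid_candidates(words):
        guesses += 1
        if hash_password(salt, candidate) == target:
            return candidate, guesses
    return None, guesses


def brute_force_attack(target, salt, alphabet, max_len):
    """Exhaustively try every string over `alphabet` up to `max_len` characters."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hash_password(salt, candidate) == target:
                return candidate, guesses
    return None, guesses


def search_space(alphabet_size, max_len):
    """Number of candidates brute force must consider in the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


# --- constructed demo data ---
WORDS = ["password", "letmein", "summer", "welcome", "monkey"]
SALT = "x9Q!"
ALPHABET = string.ascii_lowercase + string.digits
TARGET_PLAIN = hash_password(SALT, "summer")       # falls to the plain dictionary
TARGET_MANGLED = hash_password(SALT, "Summer07")   # survives the dictionary, falls to hybrid
TARGET_RANDOM = hash_password(SALT, "q7z")         # short random string: brute force only


if __name__ == "__main__":
    print(dictionary_attack(TARGET_PLAIN, SALT, WORDS))
    print(dictionary_attack(TARGET_MANGLED, SALT, WORDS))
    print(hybrid_attack(TARGET_MANGLED, SALT, WORDS))
    print(brute_force_attack(TARGET_RANDOM, SALT, ALPHABET, 3))
    print(search_space(len(ALPHABET), 3), search_space(95, 8))
```

The last line makes the exam point concrete: three characters from a 36-symbol alphabet is about 47,000 candidates, while eight printable ASCII characters is over 6.6 quadrillion, and a slow KDF raises the cost of each one by orders of magnitude.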

LANs and Their Components

A local area network (LAN) is a critical component of a modern data network. A LAN consists of one or more computers, a communication protocol, a network topology, and cabling or a wireless network to connect the systems.

A LAN is best defined as computers or other devices that communicate over a small geographical area such as the following:

  • A section of a one-story building

  • The whole floor of a small building

  • Several buildings on a small campus

LAN Communication Protocols

More than 80% of all LANs use Ethernet as their communication protocol. The Ethernet specification describes how data is sent between computers in physical proximity. Ethernet was developed at Xerox PARC in the 1970s, and the DIX group (Digital, Intel, and Xerox) published the first open specification in 1980, followed by the Ethernet II revision in 1982. Since then, the IEEE standards committee has produced several variations on the Ethernet II frame, including these:

  • IEEE 802.3

  • IEEE 802.3 with Logical Link Control (LLC)

  • IEEE 802.3 with Subnetwork Access Protocol (SNAP)

Although the CISSP exam will not delve very far into the specifics of Ethernet, it is worth noting the size and structure of these frames. An Ethernet frame is 64 to 1,518 bytes long. Of that, 18 bytes are control information (a 6-byte destination address, a 6-byte source address, a 2-byte type/length field, and a 4-byte frame check sequence); therefore, the data carried in a frame is between 46 and 1,500 bytes, and shorter payloads are padded out to 46 bytes.
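The frame structure just described is easy to check in code. The following Python is an added example, not code from the book: it builds Ethernet frames, verifies the 64-to-1,518-byte bounds and the CRC-32 frame check sequence, tells an Ethernet II frame from the IEEE 802.3 variants by the type/length field (values of 0x0600 and above are EtherTypes, 1500 and below are lengths), and then walks the LLC and SNAP headers when they are present. The sample frames and addresses are constructed for the example.

```python
"""Ethernet frame parser for Ethernet II, 802.3/LLC and 802.3/LLC/SNAP (added example).

Frames are handled as captured on the wire minus the preamble: 14-byte header,
46-1500 bytes of data, 4-byte FCS. The sample frames below are constructed here.
"""
import struct
import zlib

MIN_FRAME, MAX_FRAME = 64, 1518   # header + data + FCS
HEADER_LEN, FCS_LEN = 14, 4
MIN_DATA = MIN_FRAME - HEADER_LEN - FCS_LEN   # 46
ETHERTYPE_MIN = 0x0600            # type/length >= 1536 is an EtherType, <= 1500 is a length
SNAP_SAP = 0xAA


def fcs(data):
    """Ethernet FCS is CRC-32 (same polynomial as zlib), sent least-significant byte first."""
    return zlib.crc32(data).to_bytes(4, "little")


def build_frame(dst, src, type_or_len, data):
    """Assemble a frame, padding short data to 46 bytes and appending the FCS."""
    body = dst + src + struct.pack("!H", type_or_len) + data
    body += b"\x00" * max(0, MIN_DATA - len(data))
    return body + fcs(body)


def mac(b):
    return ":".join("%02x" % x for x in b)


def parse_frame(frame):
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError("illegal frame length %d" % len(frame))
    if fcs(frame[:-FCS_LEN]) != frame[-FCS_LEN:]:
        raise ValueError("FCS mismatch: frame corrupted or truncated")
    dst, src = frame[:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    payload = frame[HEADER_LEN:-FCS_LEN]
    info = {"dst": mac(dst), "src": mac(src), "broadcast": dst == b"\xff" * 6}

    if type_or_len >= ETHERTYPE_MIN:
        # Ethernet II: the field is an EtherType; the frame carries no length, so
        # any padding can only be removed by the upper-layer protocol.
        info.update(kind="Ethernet II", ethertype=type_or_len, data=payload)
        return info

    # IEEE 802.3: the field is the data length, so padding can be stripped here.
    if type_or_len > len(payload):
        raise ValueError("802.3 length field exceeds the data present")
    data = payload[:type_or_len]
    if len(data) < 3:
        raise ValueError("802.3 frame too short for an LLC header")
    dsap, ssap, control = data[0], data[1], data[2]
    if dsap == ssap == SNAP_SAP and control == 0x03:
        # LLC/SNAP: 3-byte OUI plus a 2-byte protocol id (an EtherType when OUI is 00:00:00)
        oui = data[3:6]
        pid = struct.unpack("!H", data[6:8])[0]
        info.update(kind="802.3 LLC/SNAP", oui=oui.hex(), ethertype=pid, data=data[8:])
    else:
        info.update(kind="802.3 LLC", dsap=dsap, ssap=ssap, control=control, data=data[3:])
    return info


# --- constructed sample frames ---
SRC = bytes.fromhex("001122334455")
BCAST = b"\xff" * 6
# Ethernet II carrying a 20-byte payload (padded on the wire to 46)
SAMPLE_ETHERNET_II = build_frame(BCAST, SRC, 0x0800, b"\x45" + b"\x00" * 19)
# 802.3 frame with LLC/SNAP header (AA AA 03, OUI 00:00:00, EtherType 0x0800) and 5 data bytes
SNAP_DATA = bytes([SNAP_SAP, SNAP_SAP, 0x03, 0, 0, 0, 0x08, 0x00]) + b"hello"
SAMPLE_SNAP = build_frame(BCAST, SRC, len(SNAP_DATA), SNAP_DATA)


if __name__ == "__main__":
    print(parse_frame(SAMPLE_ETHERNET_II))
    print(parse_frame(SAMPLE_SNAP))
```

The length and FCS checks are the same ones a NIC performs before handing a frame up; a sniffer or intrusion sensor that parses raw frames needs them too, because a truncated or corrupted frame can otherwise be misread as a valid 802.3 or SNAP header.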

The second most popular LAN networking protocol is Token Ring, which functions by arranging all the systems in a circle. A special packet, known as a token, travels around the circle. If any one device needs to send information, it must capture the token, attach a message to it, and then let it continue to travel around the network.

Network Topologies

The design layout of a network is its topology. Before a network can be installed, a topology must be chosen to match its needs and intended use. Common topologies include bus, star, and ring; each is discussed next.

Bus Topology

A bus topology consists of a single cable with multiple computers or devices attached to it, terminated at each end. In large environments this is impractical because the medium has physical limitations. The resulting problems range from low speeds to network outages: one break anywhere on the cable brings down the entire network (see Figure 6.1).


Figure 6.1. Bus topology.

Star Topology

This is the oldest of the three primary network topologies and was originally used in telephone systems. A star network consists of multiple computers or devices attached to a central hub or switch, with wires radiating outward from the center in a starlike pattern. Although this scheme uses the most cable, a break will most likely affect only one computer. This is the most widely used LAN topology (see Figure 6.2).


Figure 6.2. Star topology.

Ring Topology

The ring topology is characterized by the fact that there are no endpoints or terminators. Its layout is that of a continuous loop of cable in which all networked computers are attached. Token Ring and Fiber Distributed Data Interface (FDDI) networks use a ring topology (see Figure 6.3).


Figure 6.3. Ring topology.

LAN Cabling

Even with a defined topology, it is necessary to determine what type of cable will connect the various devices. Cables carry the electrical signal between the devices. One of two transmissions methods is used: baseband or broadband. Baseband transmissions use a single channel to communicate. Ethernet uses a baseband transmission scheme. Broadband uses many channels and frequencies. Two good examples of broadband are cable television and digital subscriber lines (DSL).

Many types of cables can be used for network communications, including coaxial (coax), twisted-pair, and fiber:

  • Coaxial cable—. Coax cable consists of a single solid-copper wire core that uses a braided shield for the second conductor. Both conductors are covered with a plastic or insulative coating. Although it was widely used in the early days of networking, its usage has waned.

  • Twisted pair—. If you're in an office, you will probably notice that twisted-pair wiring connects your computer to a wall jack located nearby. The most common connector is the RJ-45. Twisted pair comes in many varieties, one of which is unshielded twisted pair (UTP): plastic-insulated copper wires twisted together in pairs with no shielding. Not only is it easy to work with, but it is also generally inexpensive. The primary drawback of copper cabling is that it is vulnerable to being tapped and emanates electrical energy that could be intercepted. Table 6.1 lists common cable types, the distances they support, and their topologies.

    Table 6.1. Cable Specification

    Ethernet Name   Cable Specifications                                  Distance Supported   Topology
    10BASE-5        50-ohm, thick coaxial (Thicknet)                      500m                 Bus
    10BASE-2        50-ohm, RG-58 A/U (Thinnet)                           185m                 Bus
    10BASE-T        Cat3 UTP (or better)                                  100m                 Star
    10BASE-FL       Multimode fiber optic                                 2,000m               Star
    100BASE-TX      Cat5 UTP                                              100m                 Star
    100BASE-T4      Cat3 UTP (or better)                                  100m                 Star
    100BASE-FX      Multimode fiber optic, multiple-fiber connections     136m                 Star
    100BASE-FX      Multimode fiber optic, one-fiber connection           160m                 Star

    Note

    Cable Specification

    For the exam, you will want to know that plenum-grade cable is coated with a fire-retardant coating and is designed to be used in crawlspaces, in false ceilings, and below raised floors in a building. This special coating is designed to not give off toxic gasses or smoke as it burns, to help ensure the safety of occupants in case of fire.

  • Fiber-optic cable—. Whereas twisted pair and coax rely on copper wire for data transmissions, fiber uses glass. These strands of glass carry light waves that represent the data being transmitted. Basically two types of fiber cables are in use. They are constructed differently to handle different types of light:

    • Multimode fiber—. Typically used in LANs and powered by LEDs

    • Single-mode fiber—. Typically used in WANs and powered by laser light

Note


You will want to remember that fiber is more secure than copper cable because it does not radiate signals and is extremely difficult to tap.

802.11 Wireless Networking

When is a cable not a cable? When you use wireless for connectivity. Wireless networks have become popular because of their low cost and convenience; it is so much easier to plug in a wireless access point (WAP) than to run 1,000 feet of cable. The current standard for wireless LANs is IEEE 802.11, maintained by the Institute of Electrical and Electronics Engineers. Although not quite as robust as a wired network, 802.11 equipment is generally fast and efficient. There are three primary variants:

  • 802.11a—. Operates in the 5GHz bands (5.15–5.35GHz and 5.725–5.825GHz in the United States) and supports speeds of up to 54Mbps.

  • 802.11b—. Operates in the 2.400–2.4835GHz band and reaches speeds of up to 11Mbps.

  • 802.11g—. This popular standard operates in the same 2.4GHz band as 802.11b, with which it is backward compatible, and supports speeds of up to 54Mbps.

In North America, 802.11b/g supports 11 channels; European units support 13. The channel designates the center frequency on which the network operates, and because adjacent 2.4GHz channels overlap, only three of them (1, 6, and 11) can be used in the same place without interfering with one another. Most wireless devices use spread-spectrum transmission, which spreads the data over a wide range of radio frequencies. The two spread-spectrum techniques are frequency-hopping spread spectrum (FHSS), an older technique used by the original 802.11 standard and by Bluetooth, and direct-sequence spread spectrum (DSSS), used by 802.11b. Spread spectrum lessens the effect of noise and interference and lets the data rate step up or down depending on signal quality. Obstructions such as walls, doors, and other solid objects block or reduce signal strength.

Unfortunately, many end users who are moving to wireless don't have any appreciation of the security measures they should employ. Using wireless requires little more than powering up the access point and plugging in an active RJ-45 jack.

So, what technologies protect wireless? Originally there was Wired Equivalent Privacy (WEP), which the IEEE implemented at the data link layer. WEP encrypts data with the RC4 stream cipher. The shared key was limited to 40 bits because of export rules in effect in the late 1990s, when 802.11 was being developed, and it is combined with a 24-bit initialization vector (IV) that is sent in the clear with every frame. This provides very limited protection: the IV space is so small that keystreams repeat on a busy network, and weaknesses in how RC4 is keyed let an attacker who captures enough traffic recover the key, so someone with even a modest understanding of the problem can compromise it. One way the industry responded was by incorporating 802.1X into many wireless devices. 802.1X provides port-based access control; used with the Extensible Authentication Protocol (EAP), it authenticates devices that attempt to connect to a LAN port (or, for wireless, to an access point) before any other traffic is allowed through.

WEP's successor was Wi-Fi Protected Access (WPA). WPA uses the Temporal Key Integrity Protocol (TKIP), which still runs RC4 but mixes a fresh per-packet key from the IV and the session key and adds a message integrity check (called Michael) so that tampered frames are detected. In 2004 the IEEE approved the next upgrade to wireless security, officially known as 802.11i and marketed as WPA2. It uses the Advanced Encryption Standard (AES) in CCMP mode; the pairwise master key derived from the passphrase or the 802.1X exchange is 256 bits, a vast improvement over the 40-bit keys WEP used.
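WEP's weakness is concrete enough to show in a few lines. The Python below is an added example, not code from the book: an RC4 implementation from the public algorithm, WEP-style framing (24-bit IV in the clear, RC4 keyed with IV || 40-bit key, CRC-32 integrity check value), and a function that, given two frames encrypted under the same IV and the plaintext of one, recovers the other without knowing the key. The key, IV and payloads are constructed for the example; the key-recovery attacks that later broke WEP outright build on this same keystream-reuse property and on RC4's weak-key behaviour, neither of which is implemented here.

```python
"""WEP keystream reuse demonstration (added example, not from the book).

RC4 is implemented here from the public algorithm; the 40-bit key, the IV and
the two packet payloads are constructed for the example. The key-index byte of
a real WEP frame is omitted; the IV, key layout and CRC-32 ICV follow WEP.
"""
import zlib

IV_LEN = 3                      # 24-bit IV, sent in the clear in every WEP frame
IV_SPACE = 2 ** (8 * IV_LEN)    # 16,777,216 values before a busy station must repeat one


def rc4(key, data):
    """RC4 key scheduling followed by the keystream generator, XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext):
    """WEP's integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key40, iv, plaintext):
    """Frame body = IV || RC4(IV || key, plaintext || ICV). Only the IV varies per frame."""
    assert len(key40) == 5 and len(iv) == IV_LEN
    return iv + rc4(iv + key40, plaintext + icv(plaintext))


def wep_decrypt(key40, body):
    iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
    plain = rc4(iv + key40, ciphertext)
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        raise ValueError("ICV mismatch")
    return data


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_by_keystream_reuse(known_body, known_plaintext, target_body):
    """Given one frame whose plaintext is known and a second frame sent under the
    same IV, strip the keystream from the second frame without knowing the key."""
    if known_body[:IV_LEN] != target_body[:IV_LEN]:
        raise ValueError("IVs differ; keystreams are not shared")
    keystream = xor(known_body[IV_LEN:], known_plaintext + icv(known_plaintext))
    recovered = xor(target_body[IV_LEN:], keystream)
    return recovered[:-4]   # drop the target's ICV


# --- constructed example ---
KEY40 = bytes.fromhex("0badc0ffee")
IV = bytes.fromhex("a1b2c3")
P_KNOWN = b"GET /index.html HTTP/1.0"    # a guessable request, e.g. seen in the clear elsewhere
P_SECRET = b"PASS hunter2\r\n          "  # same length as P_KNOWN, sent under the same IV
C_KNOWN = wep_encrypt(KEY40, IV, P_KNOWN)
C_SECRET = wep_encrypt(KEY40, IV, P_SECRET)


if __name__ == "__main__":
    print(recover_by_keystream_reuse(C_KNOWN, P_KNOWN, C_SECRET))
    print(IV_SPACE, "IVs before reuse is guaranteed")
```

On a saturated 802.11b link the 2^24 IV space is exhausted in hours, and many cards reset the IV to zero at power-up, so collisions arrive far sooner than the count suggests; that is why the fix was a fresh per-packet key (TKIP) and then a different cipher (AES-CCMP) rather than a longer WEP key.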

Note


War driving is the practice of driving around, finding, mapping, and possibly connecting to open wireless networks. Tools such as NetStumbler, Kismet, and AirSnort are used to aid the wardriver.

Bluetooth

Bluetooth technology is designed for short-range wireless communication between mobile and handheld devices. It started to grow in popularity in the mid- to late 1990s and was envisioned as a technology that would facilitate the growth of personal area networks (PANs), in which a variety of personal and handheld electronic devices communicate. In a PAN, for example, a cellphone could communicate with a personal digital assistant (PDA) and a laptop as they come into range of each other or are activated. Bluetooth devices are grouped into three power classes:

  • Class 1—. The longest range (up to about 100m), at 100mW of transmit power.

  • Class 2—. The most widely implemented class, found in most phones and headsets; about 10m of range at 2.5mW.

  • Class 3—. The shortest range (about 1m), at 1mW.

Although Bluetooth does have some built-in security features, it has been shown to be vulnerable to attack. At a recent DEFCON security conference, security professionals demonstrated ways to sniff Bluetooth transmissions from up to a half-mile away, so the short nominal range should not be relied on as a security control. Bluetooth operates in the 2.4GHz ISM band (the same band as 802.11b/g) and hops across 79 narrow 1MHz channels to avoid interference with other devices that share the band.

WANS and Their Components

Wide area networks (WANs) are considerably different than LANs. Organizations usually own their own LANs, but WAN services are typically leased; it's not feasible to have your network guy run a cable from New York to Dallas. WANs are concerned with the long-haul transmission of data and connect remote devices; the Internet is a good example of a WAN. WAN data transmissions typically cost more per megabyte than LAN transmissions. WAN technologies can be divided into two broad categories: packet switching and circuit switching.

Packet Switching

Packet-switched networks share bandwidth among many customers. Data is divided into packets (or frames), and each packet is routed individually across the provider's network nodes at the provider's discretion. Packet-switched networks are considered more resilient than circuit-switched networks and work well for on-demand connections with bursty traffic. Because each packet takes the most expedient route available at the moment, packets might not all arrive in order or at the same time. Packet switching is a form of connectionless networking.

X.25

X.25 is one of the original packet-switching technologies. Although it is not fast, with speeds up to 56Kbps, it is reliable and works over analog phone lines.

Frame Relay

Frame Relay is a packet-switched service built on virtual circuits; think of it as a streamlined version of X.25. Frame Relay controls bandwidth use with a committed information rate (CIR), the bandwidth the provider guarantees to the customer. The customer can burst above the CIR when capacity is available, but frames sent above it are marked discard eligible (DE), and DE frames are the first ones the provider drops when its network is congested. Frame Relay can use permanent virtual circuits (PVCs) or switched virtual circuits (SVCs). A PVC provides a standing connection between two locations. An SVC works much like a phone call: the connection is set up per call and torn down when the call is completed. SVCs suit teleconferencing, phone calls, and sporadic data transmission.
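The CIR and DE mechanics above, as an added example that is not code from the book: a Python model of Frame Relay ingress policing with a committed burst (Bc) and an excess burst (Be) per measurement interval Tc = Bc / CIR. The interval-based accounting, the CIR/Bc/Be values and the frame arrivals are assumptions chosen to illustrate the three possible decisions (forward, forward marked DE, discard).

```python
"""Frame Relay CIR policing with DE marking (added example, not from the book).

Models the usual Bc/Be token buckets: within a measurement interval Tc = Bc / CIR,
bits up to Bc are forwarded, the next Be bits are forwarded marked DE, and
anything beyond that is discarded at ingress. Frame sizes and times are constructed.
"""


def police(frames, cir_bps, bc_bits, be_bits):
    """frames: iterable of (time_seconds, size_bits) in arrival order.
    Returns a list of (time_seconds, size_bits, action)."""
    tc = bc_bits / cir_bps            # committed time interval
    current_interval = None
    committed = excess = 0
    decisions = []
    for t, bits in frames:
        interval = int(t // tc)
        if interval != current_interval:  # new Tc: both buckets refill
            current_interval, committed, excess = interval, 0, 0
        if committed + bits <= bc_bits:
            committed += bits
            action = "forward"
        elif excess + bits <= be_bits:
            excess += bits
            action = "forward-DE"     # above CIR: first to be dropped under congestion
        else:
            action = "discard"
        decisions.append((t, bits, action))
    return decisions


# --- constructed arrivals: CIR 64kbps, Bc 64,000 bits (Tc = 1 s), Be 32,000 bits ---
CIR, BC, BE = 64_000, 64_000, 32_000
ARRIVALS = [
    (0.1, 30_000),   # within Bc
    (0.2, 30_000),   # 60,000 of 64,000 committed bits used
    (0.3, 10_000),   # would exceed Bc: uses the excess burst, marked DE
    (0.4, 30_000),   # exceeds Bc + Be for this interval: discarded
    (1.5, 30_000),   # next interval, buckets refilled: forwarded
]


def demo():
    return [action for _, _, action in police(ARRIVALS, CIR, BC, BE)]


if __name__ == "__main__":
    for t, bits, action in police(ARRIVALS, CIR, BC, BE):
        print("t=%.1fs %6d bits -> %s" % (t, bits, action))
```

The security angle is the same as for any shared service: a customer (or an attacker who has compromised a customer site) can push traffic above the CIR, but the DE marking guarantees that the excess, not other customers' committed traffic, is what gets dropped under congestion.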

Asynchronous Transfer Mode (ATM)

ATM is a cell-switching technology that operates at the data link layer. It supports high-bandwidth needs and works well for time-sensitive applications such as voice and video. Because switching occurs in hardware, delays are minimized. ATM uses a fixed 53-byte cell (5 bytes of header and 48 bytes of payload). It can be implemented on LANs or WANs.

ATM is being surpassed by newer technologies such as Multiprotocol Label Switching (MPLS). MPLS designers recognized that data does not need to be chopped into 53-byte cells; MPLS forwards whole packets, labeled so that core routers can switch them without examining the IP header. MPLS provides traffic engineering and lets a provider build VPNs for customers inside its own network, without any VPN software or configuration on the customer's end systems. Note that an MPLS VPN separates customers' traffic but does not encrypt it.

Voice over IP (VoIP)

VoIP is carried on packet-switched networks in IP packets. Networks that have been configured to carry VoIP treat voice communications as just another form of data. Companies are moving to VoIP because of major cost savings. However, using VoIP is not without risks; as a network service, it is vulnerable in some of the same ways as other data traffic. Attackers can intercept the traffic, hack the VoIP server, or launch a DoS attack against the VoIP server and cause network outages. Another consideration is that the vulnerabilities of the operating system that the VoIP application is running on are inherited.

Circuit Switching

Circuit switching comes in either analog or digital configurations. Today the most common form of circuit switching is the Plain Old Telephone Service (POTS), but Integrated Services Digital Network (ISDN), T-carriers, and digital subscriber line (DSL) are also options.

Plain Old Telephone Service (POTS)

POTS is a voice-grade analog telephone service used for voice calls and for connecting to the Internet and other locations via modem. Modem speeds can vary from 9600bps to 56Kbps. Although the POTS service is relatively inexpensive and widely available, it offers only low data speeds.

Integrated Services Digital Network (ISDN)

ISDN is a communication protocol that operates much like POTS except that both the signaling and the payload are entirely digital. Although originally planned as a replacement for POTS, it was not hugely successful. ISDN divides a digital connection into separate channels (time slots): B channels carry voice, data, video, and fax, and a D channel carries signaling between the service provider and the user equipment. Keeping the D-channel signaling separate from user data makes it harder for attackers to manipulate the service. The D channel runs at a low 16Kbps on a BRI, and each B channel at 64Kbps; bonding B channels together yields higher speeds. ISDN is available in two levels: Basic Rate Interface (BRI), two B channels plus one D channel for 128Kbps of user data, and Primary Rate Interface (PRI), 23 B channels plus one 64Kbps D channel for 1.544Mbps.

T-Carriers

T-carrier service is used for leased lines. A leased line is a dedicated link between two locations. It is very secure, but users pay a fixed monthly fee for the service regardless of use. The most common T-carrier is a T1. A T1 uses time-division multiplexing and consists of 24 digital signal 0 (DS0) channels. Each DS0 channel carries 64Kbps; together with framing overhead, a T1 provides a composite rate of 1.544Mbps. T3s are the next available choice: a T3 is made up of 672 DS0s (28 T1s) and has a composite rate of 44.736Mbps, commonly rounded to 45Mbps. For those who don't need a full T1 or a full T3, fractional service is available; a fractional T-line is just a portion of the entire carrier. Table 6.2 details common T-carrier specifications and contrasts them with POTS, ISDN, and DSL.

Table 6.2. T-Carrier Specifications

Service               Characteristics                                       Maximum Speed
POTS dial-up          Switched line; widely used                            56Kbps
ISDN BRI (digital)    Requires a terminal adapter; can be costly            128Kbps
ISDN PRI (digital)    Requires a terminal adapter; can be costly            1.544Mbps
DSL                   Typically asymmetric; downloads faster than uploads   up to 52Mbps
T1                    Dedicated leased line; 24 bundled DS0 channels        1.544Mbps
T3                    Dedicated leased line; 28 bundled T1s (672 DS0s)      44.736Mbps

Digital Subscriber Line (DSL)

DSL is another circuit-switching connectivity option. Most DSLs are asymmetric, which means that the download speed is much faster than the upload speed. The theory is that you usually download more than you upload.

DSL modems are always connected; you do not dial in to make a connection. As long as your computer is powered on, it is connected to the Internet and ready to transmit and receive data. That is the primary security concern with DSL: an always-on host is a standing target, so a firewall between the modem and the computer is a necessity rather than an option. Unlike the lengthy connection setup of dial-up service, no waiting is involved. An advantage of DSL is that it maintains a more consistent speed than cable modems typically do, because the local loop is not shared with neighbors. Table 6.3 details the different DSL types.

Table 6.3. DSL Types and Speeds

Name                                                Data Rate                         Mode      Distance (24 AWG)
IDSL (ISDN digital subscriber line)                 160Kbps                           Duplex    18,000 ft.
HDSL (High-data-rate digital subscriber line)       1.544Mbps or 2.048Mbps            Duplex    12,000 ft.
SDSL (Symmetric digital subscriber line)            1.544Mbps or 2.048Mbps            Duplex    10,000 ft.
ADSL (Asymmetric digital subscriber line)           1.5–9Mbps down; 16–640Kbps up     Down/Up   9,000–18,000 ft.
VDSL (Very-high-data-rate digital subscriber line)  13–52Mbps down; 1.5–2.3Mbps up    Down/Up   1,000–4,500 ft.

Cable Modems

Cable Internet access refers to the delivery of Internet access over the cable television infrastructure. The connection is made through the same coaxial cable that delivers the television signal to your home; the coax connects to a cable modem that separates the data channel from the television channels and hands the TCP/IP traffic to your network. This always-on connection is a big security issue if no firewall is used. Another weakness of cable Internet access is that the bandwidth of a segment is shared among many subscribers. Cable companies control each subscriber's maximum data rate by capping the modem's configuration. Some unscrupulous individuals attempt to uncap their line to obtain higher speeds; uncappers are almost always caught and can be prosecuted, because cable Internet providers check for this daily.

Another lingering concern is loss of confidentiality. Because the coax segment is shared, neighbors on the same segment could in principle sniff one another's traffic. Most cable companies have addressed this by implementing the Data Over Cable Service Interface Specification (DOCSIS). DOCSIS specifies encryption between the cable modem and the headend (the Baseline Privacy Interface, BPI, and its successor BPI+) along with other security mechanisms that prevent sniffing and protect privacy.

Network Models and Standards

Network models and standards play an important role in the telecommunications industry. You have already seen how standards for services such as DSL, ATM, 802.11 wireless, Bluetooth, and others make it much easier for developers to design interoperable equipment, ease the burden of networking, and develop security solutions. Two of the most widely discussed network models are discussed in the following sections. In case you haven't guessed, these are the Open Systems Interconnect (OSI) model and the Transmission Control Protocol/Internet Protocol (TCP/IP) model.

OSI Model

The International Standards Organization (ISO) developed the Open Systems Interconnect (OSI) model in 1984. The model is based on a specific hierarchy in which each layer builds upon the output of each adjacent layer. It is described in ISO 7498. Today it is widely used as a guide in describing the operation of a networking environment. What was once considered the universal communications standard now serves as a teaching model for all other protocols.

The OSI model is designed so that control is passed down from layer to layer. Information is put into the application layer and ends at the physical layer. Then it is transmitted over the medium—wire, coax, wireless—toward the target device and then back up the stack to the application. The seven layers of the OSI model are the application, presentation, session, transport, network, data link, and physical layers. Most people remember this order by using one of the many acronyms that have been thought up over the years. My favorite one is based on the popular television show American Idol: “People Don't Need To See Paula Abdul.” For a better understanding of how the OSI model works, we'll start at the bottom of the stack and work our way up. The OSI model is shown in Figure 6.4.

Figure 6.4. OSI model.

Physical Layer

Layer 1 is known as the physical layer. At Layer 1, bit-level communication takes place. The bits have no defined meaning on the wire, but the physical layer defines how long each bit lasts and how it is transmitted and received. Physical-layer components include these:

  • Copper cabling

  • Fiber cabling

  • Wireless system components

  • Wall jacks and connectors

  • Ethernet hubs

Data Link Layer

Layer 2 is known as the data link layer. It is focused on traffic within a single LAN. The data link layer is responsible for formatting and organizing the data before sending it to the physical layer. The data link layer organizes the data into frames. A frame is a logical structure in which data can be placed. When a frame reaches the target device, the data link layer is responsible for stripping off the data frame and passing the data packet up to the network layer. Data-link–layer components include these:

  • Bridges

  • Switches

  • NIC cards

  • MAC addresses

Network Layer

Layer 3 is known as the network layer. Whereas the bottom two layers of the OSI model are associated with hardware, the network layer is tied to software. This layer is concerned with how data moves from network A to network B; it makes sure frames from the data link layer reach the correct network. The network layer is the home of the Internet Protocol (IP), which acts as a postman in determining the best route from the source to the target network. Network-layer components include the following:

  • Routers

  • Firewalls/packet filters

Transport Layer

Layer 4 is known as the transport layer. Whereas the network layer routes information to its destination, the transport layer ensures completeness by handling end-to-end error recovery and flow control. Transport-layer protocols include these:

  • TCP, a connection-oriented protocol. It provides reliable communication through the use of handshaking, acknowledgments, error detection, and session teardown.

  • UDP (User Datagram Protocol), a connectionless protocol. It offers speed and low overhead as its primary advantage.

Session Layer

Layer 5 is known as the session layer. Its purpose is to allow two applications on different computers to establish and coordinate a session. A session is simply a name for a connection between two computers. When a data transfer is complete, the session layer is responsible for tearing down the session. Session-layer protocols include these:

  • Remote Procedure Call

  • Structured Query Language

Presentation Layer

Layer 6 is known as the presentation layer. The presentation layer performs a job similar to that of a waiter in a restaurant: Its main purpose is to deliver and present data to the application layer. To do this job, it must format the data in a way that the application layer can understand and interpret. The presentation layer is skilled in translation because its duties include encrypting data, changing or converting the character set, and handling protocol conversion.

Note

Encapsulation is the process of adding headers to user data as it is handed from each layer to the next lower layer.

Application Layer

Layer 7 is known as the application layer. Recognized as the top layer of the OSI model, this layer serves as the window for application services. This is the layer we, as users, work with. We send email or surf the Web and many times never think about all the underlying processes that make it possible. Layer 7 is not the application itself, but rather the channel through which applications communicate.

TCP/IP

TCP/IP is the foundation of the Internet as we know it today. Its roots can be traced back to standards adopted by the U.S. government's Department of Defense (DoD) in 1982. TCP/IP is similar to the OSI model, but it consists of only four layers: the network access layer, the Internet layer, the host-to-host layer, and the application layer.

It is of critical importance to remember that the TCP/IP model was originally developed as a flexible, fault-tolerant network. Security was not the driving concern. The network was designed to these specifications to withstand a nuclear strike that might destroy key routing nodes. The designers of this original network never envisioned the Internet we use today. Therefore, most of TCP/IP is insecure, and many of the security mechanisms in use today are add-ons to the original protocol suite.

Network Access Layer

The network access layer loosely corresponds to Layers 1 and 2 of the OSI model. Some literature separates this layer into two and references them as physical access and data link. Whether viewed as one layer or two, this portion of the TCP/IP network model is responsible for the physical delivery of IP packets via frames.

Ethernet is the most commonly used LAN frame type. Ethernet frames are addressed with MAC addresses, which identify the source and destination devices. MAC addresses are 6 bytes long and are unique to the NIC card in which they are burned. Programs are available that allow attackers to spoof MAC addresses.

Internet Layer

The Internet layer maps to OSI Layer 3. This layer contains the information needed to make sure that data can be routed through an IP network and that the network can differentiate hosts. Currently, most organizations use IPv4. IPv6 is its planned replacement, with better security and support for 128-bit IP addresses instead of the current 32-bit addresses. IPv4 uses a logical address scheme, the IP address. Whereas MAC addresses are considered physical addresses, an IP address is considered a logical address. IP addresses are written in dotted-decimal notation: four decimal numbers separated by decimal points. Each of these decimal numbers is 1 byte in length, which allows it to range from 0 to 255.

  • Class A networks—. Consist of up to 16,777,214 client devices. Their address range can extend from 1 to 126.

  • Class B networks—. Host up to 65,534 client devices. Their address range can extend from 128 to 191.

  • Class C networks—. Can have a total of 245 devices. Their address range can extend from 192 to 223.

  • Class D networks—. Reserved for multicasting. Their address range can extend from 224 to 239.

  • Class E networks—. Reserved for experimental purposes. Their addresses range from 240 to 254.

Not all of the addresses shown can be used on the Internet. Some addresses are reserved for private use and are considered nonroutable. These addresses include the following:

  • Class A—. 10.0.0.0

  • Class B—. 172.16.0.0 to 172.31.0.0

  • Class C—. 192.168.0.0 to 192.168.255.0

IP security issues include fragmentation, source routing, and DoS attacks such as teardrop. The Internet layer contains not only the Internet Protocol (IP), but also the Internet Control Message Protocol (ICMP), the Address Resolution Protocol (ARP), and the Internet Group Management Protocol (IGMP). ICMP and IGMP are IP support, error, and diagnostic protocols that handle problems such as error messages and multicast messages. ARP is used to resolve a known IP address to the MAC address that goes with it.

Note

IP addresses are required because physical addresses are tied to the physical topology used. Some LANs use Ethernet, but others are connected to ATM or Token Ring networks. Because no common format or structure exists among these, the IP protocol is used to bind these dissimilar networks together.

Internet Control Message Protocol (ICMP)

One of the protocols residing at the Internet layer is ICMP. Its purpose is to provide feedback used for diagnostics or to report logical errors. Even though ICMP resides at the Internet layer, it is a separate protocol and is distinctly different from IP.

All ICMP messages follow the same basic format. The first byte of an ICMP header indicates the type of ICMP message. The following byte contains the code for each particular type of ICMP. Eight of the most common ICMP types are shown in Table 6.4.

Table 6.4. ICMP Types and Codes

Type    Code    Function
0/8     0       Echo Response/Request (Ping)
3       0–15    Destination Unreachable
4       0       Source Quench
5       0–3     Redirect
11      0–1     Time Exceeded
12      0       Parameter Fault
13/14   0       Time Stamp Request/Response
17/18   0       Subnet Mask Request/Response

One of the most common ICMP types is a ping. Although ICMP can be very helpful, it is also valued by attackers and can be manipulated and used for a variety of attacks, including the ping of death, Smurf, timestamp query, netmask query, source routing, and redirects.
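The header layout described above (type in the first byte, code in the second) and the types in Table 6.4 can be exercised with a small decoder. This is an added example, not code from the book; the checksum routine follows the RFC 792 one's-complement scheme, and the echo request it builds is constructed sample data.

```python
import struct

# ICMP types transcribed from Table 6.4, keyed by type number
ICMP_TYPES = {
    0: "Echo Response (Ping)", 8: "Echo Request (Ping)",
    3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
    11: "Time Exceeded", 12: "Parameter Fault",
    13: "Time Stamp Request", 14: "Time Stamp Response",
    17: "Subnet Mask Request", 18: "Subnet Mask Response",
}
# Highest code value Table 6.4 lists for a type (0 where only code 0 is listed)
MAX_CODE = {3: 15, 5: 3, 11: 1}


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length message to a full word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message: type, code, checksum, 4-byte rest-of-header, payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + body[4:]


def parse_icmp(msg: bytes) -> dict:
    """Decode the first two header bytes (type, code) and verify the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _stored = struct.unpack("!BBH", msg[:4])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "unknown type"),
        # a code outside the range given in Table 6.4 deserves a second look
        "code_in_table": icmp_type in ICMP_TYPES and code <= MAX_CODE.get(icmp_type, 0),
        # summing a correct message together with its own checksum field yields zero
        "checksum_ok": icmp_checksum(msg) == 0,
    }


if __name__ == "__main__":
    # Constructed echo request: identifier 0x1234, sequence 1, payload "abc"
    ping = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abc")
    print(parse_icmp(ping))
    damaged = ping[:9] + bytes([ping[9] ^ 0xFF]) + ping[10:]   # flip one payload byte
    print(parse_icmp(damaged)["checksum_ok"])                   # False
```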

Address Resolution Protocol (ARP)

ARP's two-step resolution process is performed by first sending a broadcast message requesting the target's physical address. If a device recognizes the address as its own, it issues an ARP reply containing its MAC address to the original sender. The MAC address is then placed in the ARP cache and used to address subsequent frames. Proxy ARP can be used to extend a network and allow one device to communicate with a device on an adjacent segment. Attackers can manipulate ARP because it is a trusting protocol. Bogus ARP responses are accepted as valid, which can allow attackers to redirect traffic on a switched network. ARP attacks play a role in a variety of man-in-the-middle, spoofing, and session-hijack attacks.

Note

Remember that ARP is unauthenticated. Therefore, an attacker can send unsolicited ARP replies, poison the ARP table, and spoof another host.
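Because ARP is unauthenticated, the defender's recourse is to watch for the two symptoms the text describes: replies nobody requested and a MAC address that changes for an IP already learned. The following monitor is an added example, not from the book; the ArpEvent record and the addresses in the sample traffic are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ArpEvent:
    """One ARP frame as a monitor on the LAN would record it (constructed format)."""
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


def audit_arp(events: List[ArpEvent]) -> Tuple[dict, List[str]]:
    """Replay ARP traffic; return the IP->MAC table a trusting host would build and any alerts.

    Flags an ARP reply that no request asked for, and a reply that changes the
    MAC already learned for an IP address (the cache-poisoning signature).
    """
    pending = set()   # target IPs with an outstanding request
    table = {}        # IP -> MAC learned from replies
    alerts = []
    for ev in events:
        if ev.op == "request":
            pending.add(ev.target_ip)
            continue
        if ev.sender_ip in pending:
            pending.discard(ev.sender_ip)
        else:
            alerts.append(f"unsolicited reply: {ev.sender_ip} is-at {ev.sender_mac}")
        known = table.get(ev.sender_ip)
        if known is not None and known != ev.sender_mac:
            alerts.append(f"mapping changed: {ev.sender_ip} {known} -> {ev.sender_mac}")
        table[ev.sender_ip] = ev.sender_mac     # a trusting host overwrites its cache
    return table, alerts


# Constructed sample traffic: a normal resolution of the gateway 192.168.1.1,
# followed by a second host answering with its own MAC for the gateway's address.
SAMPLE = [
    ArpEvent("request", "192.168.1.10", "aa:aa:aa:aa:aa:10", "192.168.1.1"),
    ArpEvent("reply", "192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.10"),
    ArpEvent("reply", "192.168.1.1", "bb:bb:bb:bb:bb:99", "192.168.1.10"),
]

if __name__ == "__main__":
    table, alerts = audit_arp(SAMPLE)
    for line in alerts:
        print(line)
    print(table)   # shows the gateway now mapped to the second host's MAC
```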

Host-to-Host Layer

The host-to-host layer corresponds to OSI Layers 4 and 5. The host-to-host layer provides end-to-end delivery. Two primary protocols are located at the host-to-host layer: the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

TCP

TCP enables two hosts to establish a connection and exchange data reliably. TCP does this by performing a three-step handshake before data is sent. During the data-transmission process, TCP guarantees delivery of data by using sequence and acknowledgment numbers. At the completion of the data-transmission process, TCP performs a four-step shutdown that gracefully concludes the session. At the heart of TCP is a 1-byte flag field. Flags help control the TCP process. Common flags include synchronize (SYN), acknowledgment (ACK), push (PSH), and finish (FIN). See Figure 6.5 for additional details on the flags and the startup/shutdown process. TCP security issues include TCP sequence number attacks, session hijacking, and SYN flood attacks.

Figure 6.5. TCP operation.
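The 1-byte flag field and the three-step handshake can be followed in code. This added example (not from the book) decodes the flag byte at offset 13 of a TCP header and tracks handshakes so that connections left in SYN_RECEIVED, the condition a SYN flood creates, can be counted per source. The headers and addresses are constructed sample data.

```python
import struct

# Bit positions within the 1-byte flag field of the TCP header (header byte 13)
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def tcp_flags(header: bytes) -> set:
    """Return the names of the flags set in a TCP header (20 bytes, no options)."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return {name for bit, name in TCP_FLAGS.items() if header[13] & bit}


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: set) -> bytes:
    """Constructed 20-byte TCP header carrying the given flags (checksum left zero)."""
    flag_byte = sum(bit for bit, name in TCP_FLAGS.items() if name in flags)
    # ports, sequence, acknowledgment, data offset (5 words) << 4, flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_byte, 65535, 0, 0)


def half_open_by_source(segments) -> dict:
    """Walk (src_ip, dst_ip, header) tuples; count handshakes each source started but never completed."""
    state = {}  # (client_ip, client_port, server_ip, server_port) -> handshake state
    for src, dst, hdr in segments:
        sport, dport = struct.unpack("!HH", hdr[:4])
        flags = tcp_flags(hdr)
        key = (src, sport, dst, dport)
        if flags == {"SYN"}:                        # step 1: client SYN
            state[key] = "SYN_RECEIVED"
        elif flags == {"SYN", "ACK"}:               # step 2: server SYN-ACK, nothing to record
            continue
        elif "RST" in flags:                        # either side aborts the attempt
            state.pop(key, None)
            state.pop((dst, dport, src, sport), None)
        elif "ACK" in flags and state.get(key) == "SYN_RECEIVED":
            state[key] = "ESTABLISHED"              # step 3: client ACK completes the handshake
    counts = {}
    for (src, _sport, _dst, _dport), st in state.items():
        if st == "SYN_RECEIVED":
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample: one complete handshake from 10.0.0.5, three unanswered SYNs from 10.0.0.9
SERVER = "10.0.0.1"
SAMPLE = [
    ("10.0.0.5", SERVER, build_tcp(40000, 80, 1000, 0, {"SYN"})),
    (SERVER, "10.0.0.5", build_tcp(80, 40000, 5000, 1001, {"SYN", "ACK"})),
    ("10.0.0.5", SERVER, build_tcp(40000, 80, 1001, 5001, {"ACK"})),
] + [("10.0.0.9", SERVER, build_tcp(5000 + i, 80, 1, 0, {"SYN"})) for i in range(3)]

if __name__ == "__main__":
    print(half_open_by_source(SAMPLE))   # sources with handshakes still in SYN_RECEIVED
```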

UDP

UDP performs none of the handshaking that we see performed with TCP. Although that makes it considerably less reliable than TCP, it does offer the benefit of speed. It is ideally suited for data that requires fast delivery and is not sensitive to packet loss, but it is easier for attackers to spoof because it does not use sequence and acknowledgment numbers. Figure 6.6 details the operation of UDP.

Figure 6.6. UDP operation.

Application Layer

The application layer sits at the top of the protocol stack and maps loosely to OSI Layers 6 and 7. This layer is responsible for application support. Applications are typically identified not by name, but by their corresponding port. Port numbers are placed into TCP and UDP packets so that the data can be passed to the correct application. Although applications can be made to operate on nonstandard ports, the established port numbers serve as the de facto standard. There are approximately 65,000 ports, divided into well-known ports (0–1024), registered ports (1024–49151), and dynamic ports (49152–65535). Some well-known applications and their associated ports are as follows:

  • File Transfer Protocol (FTP)—. FTP is a TCP service and operates on ports 20 and 21. This application is used to move files from one computer to another. Port 20 is used for the data stream and transfers the data between the client and the server. Port 21 is the control stream and is used to pass commands between the client and the FTP server. Attacks on FTP target misconfigured directory permissions and compromised or sniffed clear-text passwords. FTP is one of the most commonly hacked services.

  • Telnet—. Telnet is a TCP service that operates on port 23. Telnet enables a client at one site to establish a session with a host at another site. The program passes the information typed at the client's keyboard to the host computer system. Telnet can be configured to allow anonymous connections, but it should be configured to require usernames and passwords. Unfortunately, even then, Telnet sends them in clear text. When a user is logged in, he or she can perform any allowed task. Applications such as Secure Shell (SSH) should be considered as a replacement.

  • Simple Mail Transfer Protocol (SMTP)—. This application is a TCP service that operates on port 25. It is designed for the exchange of electronic mail between networked systems. Messages sent through SMTP have two parts: an address header and the message text. All types of computers can exchange messages with SMTP. Spoofing and spamming are two of the vulnerabilities associated with SMTP.

  • Domain Name Service (DNS)—. This application operates on port 53 and performs address translation. DNS converts fully qualified domain names (FQDNs) into numeric IP addresses, or IP addresses into FQDNs. This system works similarly to a phone directory, which enables users to remember domain names (such as examcram2.com) instead of IP addresses (such as 114.112.18.23). DNS uses UDP for DNS queries and TCP for zone transfers. DNS is subject to poisoning and, if misconfigured, can be solicited to perform a full zone transfer.

  • Trivial File Transfer Protocol (TFTP)—. TFTP operates on port 69. It is considered a down-and-dirty version of FTP because it uses UDP to cut down on overhead. It not only does so without the session management offered by TCP, but it also requires no authentication, which could pose a big security risk. It is used to transfer router-configuration files and to configure cable modems for cable companies.

  • Hypertext Transfer Protocol (HTTP)—. HTTP is a TCP service that operates on port 80. This application is one of the most well known. HTTP has helped make the Web the popular protocol it is today. The HTTP connection model is known as a stateless connection. HTTP uses a request-response protocol in which a client sends a request and a server sends a response. Attacks that exploit HTTP can target the server, a browser, or scripts that run on the browser. Nimda is an example of code that targeted a web server.

  • Simple Network Management Protocol (SNMP)—. SNMP is a UDP service and operates on ports 161 and 162. It was envisioned to be an efficient and inexpensive way to monitor networks. The SNMP protocol allows agents to gather information, including network statistics, and report back to their management stations. Most large corporations have implemented some type of SNMP management. Some of the security problems that plague SNMP are caused by the fact that community strings can be passed as clear text and that the default community strings (public/private) are well known. SNMP version 3 is the most current and offers encryption for more robust security.

Network Equipment

Telecommunications equipment is all the hardware used to move data between networked devices. This equipment can be used in a LAN or WAN. This is important to know not only from a networking standpoint, but also to better implement security solutions and pass the CISSP exam.

Hubs

Hubs are one of the most basic networking devices. A hub allows all the connected devices to communicate with one another. A hub is logically a common wire to which all computers have shared access.

Hubs have fallen out of favor because of their low maximum throughput. Whenever two or more systems attempt to send packets at the same time on the same hub, there is a collision. As utilization increases, the number of collisions skyrockets and the overall average throughput decreases.

Bridges

Another somewhat outdated piece of equipment is a bridge. Bridges are semi-intelligent pieces of equipment that have the capability to separate collision domains. Bridges examine frames and look up the MAC address. If the device tied to that MAC address is determined to be local, the bridge blocks the traffic. One of the big problems with bridges is that, by default, they pass broadcast traffic. Too much broadcast traffic can effectively flood the network and cause a broadcast storm.

Note

Don't spend too much time worrying about hubs and bridges—just know their basic purpose and that they have been replaced by switches.

Switches

A switch performs in much the same way as a hub; however, switches are considered intelligent devices. Switches segment traffic by observing the source and destination MAC address of each data frame.

The switch stores the MAC addresses by placing them in a lookup table, which is located in random access memory (RAM). This lookup table also contains the information needed to match each MAC address to the corresponding port it is connected to. When the data frame enters the switch, it finds the target MAC address in the lookup table and matches it to the switch port the computer is attached to. The frame is forwarded to only that switch port; therefore, computers on all other ports never see the traffic. Some advantages of a switch are as follows:

  • Provides higher-layer independence

  • Provides higher throughput than a hub

  • Provides virtual LAN (VLAN) capability

  • Can be configured for full duplex

Not all switches are made the same. Switches can process an incoming frame in three ways:

  • Store-and-forward—. After the entire frame has been received by the switch, the destination MAC is analyzed to make a block or forward decision.

  • Cut-through—. This faster design is similar to the store-and-forward switch, but it focuses on examining only the first 6 bytes.

  • Fragment Free—. This is a Cisco design that has a lower error rate.

Routers

Routers reside at Layer 3 of the OSI model. Routers are usually associated with the IP protocol, which, as previously discussed, sends blocks of data that have been formatted into packets. IP is considered a “best effort” protocol, and IP packets are examined and processed by routers. Routers are used to join similar or dissimilar networks. A router's primary purpose is to forward IP packets toward their destination through a process known as routing. Whereas bridges and switches examine the physical frame, routers focus on the information found in the IP header. One important item in the IP header that routers examine is the IP address. IP addresses are considered logical addresses. Routers can also be used to improve performance by limiting physical broadcast domains, act as a limited type of firewall by filtering with access control lists (ACLs), and ease network management by segmenting devices into smaller subnets instead of one large network. The security of the router is paramount. A compromised router can have devastating consequences, especially if it is being used for other services, such as IPSec, a virtual private network (VPN) termination point, or a firewall.

Each time a router is presented with packets, the router must examine the packets and determine the proper interface to forward the packets to. Not all routing protocols that routers work with function in the same manner. Routing protocols can be divided into two broad categories:

  • Algorithms based on distance-vector protocols

  • Algorithms based on link-state protocols

Distance-vector protocols are based on the Bellman-Ford algorithm. The basic methodology of a distance-vector protocol is to find the best route by determining the shortest path. The shortest path is commonly calculated by hops. Distance-vector routing is also called routing by rumor. The Routing Information Protocol (RIP) is probably the most common distance-vector protocol in use. One major shortcoming of distance-vector protocols is that the path with the lowest number of hops might not be the optimal route; the path with the lowest hop count could have considerably less bandwidth than a route with a higher hop count.

Note

Distance-vector protocols such as RIP can be spoofed and are subject to redirection. It is also easy for attackers to sniff RIP updates. RIP sends out complete routing tables every 30 seconds.

Link-state protocols are based on Dijkstra's algorithm. Unlike distance-vector protocols, link-state protocols determine the best path with metrics such as delay or bandwidth. When this path is determined, the router informs other routers of its findings. This is how reliable routing tables are developed and routing tables reach convergence.

Link-state routing is considered more robust than distance-vector routing protocols. Open Shortest Path First (OSPF) is probably the most common link-state routing protocol; many times, it is used as a replacement for RIP.
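The shortcoming described above, that the fewest hops need not be the best path, is easy to see by running both algorithms on the same topology. This added example (not from the book) computes a hop-count path with Bellman-Ford and a bandwidth-based path with Dijkstra; the five-node topology, its link speeds, and the OSPF-style cost of reference bandwidth divided by link bandwidth are constructed assumptions.

```python
import heapq

# Constructed topology: link bandwidth in bits per second. A-B-D is two T1 hops;
# A-C-E-D is three hops over 100 Mbps links.
LINKS = {
    ("A", "B"): 1_500_000, ("B", "D"): 1_500_000,
    ("A", "C"): 100_000_000, ("C", "E"): 100_000_000, ("E", "D"): 100_000_000,
}


def neighbors(links: dict) -> dict:
    """Build an undirected adjacency map: node -> {neighbor: bandwidth}."""
    adj = {}
    for (u, v), bw in links.items():
        adj.setdefault(u, {})[v] = bw
        adj.setdefault(v, {})[u] = bw
    return adj


def path_to(prev: dict, src: str, dst: str) -> list:
    """Walk predecessor pointers back from dst to src."""
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def bellman_ford_hops(links: dict, src: str, dst: str):
    """Distance-vector style: every link costs one hop; relax all links N-1 times."""
    adj = neighbors(links)
    dist = {n: float("inf") for n in adj}
    prev = {}
    dist[src] = 0
    for _ in range(len(adj) - 1):
        for u in adj:
            for v in adj[u]:
                if dist[u] + 1 < dist[v]:
                    dist[v] = dist[u] + 1
                    prev[v] = u
    return path_to(prev, src, dst), dist[dst]


def ospf_cost(bw_bps: int, reference: int = 100_000_000) -> int:
    """Assumed OSPF-style metric: reference bandwidth / link bandwidth, at least 1."""
    return max(1, reference // bw_bps)


def dijkstra_cost(links: dict, src: str, dst: str):
    """Link-state style: lowest cumulative cost, with cost derived from bandwidth."""
    adj = neighbors(links)
    dist, prev, seen = {src: 0}, {}, set()
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in seen:
            continue
        seen.add(u)
        for v, bw in adj[u].items():
            nd = d + ospf_cost(bw)
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return path_to(prev, src, dst), dist[dst]


if __name__ == "__main__":
    print("hop count:", bellman_ford_hops(LINKS, "A", "D"))   # two slow hops
    print("bandwidth:", dijkstra_cost(LINKS, "A", "D"))       # three fast hops
```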

Common routing protocols include these:

  • Routing Information Protocol (RIP)—. Legacy UDP-based routing protocol that does not use authentication and determines the path by hop count.

  • Open Shortest Path First (OSPF)—. An improved link-state routing protocol that offers authentication.

  • Border Gateway Protocol (BGP)—. The core routing protocol used by the Internet. It is based on TCP and is used to connect autonomous systems.

Access Methods and Remote Connectivity

Well-designed networks will always require authentication and access control. You might be internal to the organization or on the road in a hotel. Being outside the organization raises other concerns besides proper authentication, such as confidentiality and privacy. This section discusses an array of topics, including the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), virtual private networks (VPNs), and IP Security (IPSec).

Point-to-Point Protocol (PPP)

PPP is the most commonly used protocol for dial-up connections. It can run on a line of any speed, from POTS to T1. Developed in 1994 by the IETF, PPP is a replacement for Serial Line IP (SLIP). SLIP was capable of carrying only IP and had no error detection, whereas PPP supports many types of authentication, including PAP, CHAP, and EAP.

Password Authentication Protocol (PAP)

This authentication protocol uses a two-way handshake to authenticate a client to a server when a link is initially established. PAP is vulnerable because it sends the password in clear text, which makes it highly vulnerable to sniffing attacks.

Challenge Handshake Authentication Protocol (CHAP)

CHAP is an improved version of the PAP protocol. It uses a three-way handshake to authenticate both the client and the server. The server uses MD5 to encrypt the challenge with the password stored in its database. The client is also sent the challenge, which it combines with the entered password. This hashed value is returned to the server for comparison. No plain text ever crosses the network. MS-CHAP is an improved version of CHAP that goes a step further by storing the clear-text password in an encrypted form.
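The three-way exchange above can be written out to show what actually crosses the link. This is an added example, not code from the book; it follows the CHAP response definition in RFC 1994 (MD5 over the 1-byte identifier, the shared secret, and the challenge), and the account name and secret it uses are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over the identifier byte, the secret, and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Holds the shared secrets; issues a fresh identifier and random challenge per attempt."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # peer name -> shared secret (bytes)
        self.identifier = 0

    def challenge(self):
        """Message 1: a new identifier and 16 random challenge bytes."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)

    def verify(self, identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
        """Message 3: recompute the hash from the stored secret and compare in constant time."""
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(server: ChapServer, name: str, client_secret: bytes) -> bool:
    """Run all three messages; only identifier, challenge, name, and hash cross the link."""
    identifier, challenge = server.challenge()                      # 1. Challenge
    response = chap_response(identifier, client_secret, challenge)  # 2. Response
    return server.verify(identifier, challenge, name, response)     # 3. Success / Failure


if __name__ == "__main__":
    srv = ChapServer({"alice": b"correct horse"})          # constructed account
    print(chap_exchange(srv, "alice", b"correct horse"))   # True
    print(chap_exchange(srv, "alice", b"wrong"))           # False
```

Because each attempt gets a new challenge, a response captured from the wire does not verify against the next challenge, which is what separates CHAP from PAP's reusable clear-text password.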

Extensible Authentication Protocol (EAP)

EAP makes PPP more robust by adding the capability to implement different types of authentication mechanisms, including digital certificates, token cards, and MD5-Challenge. EAP is used by 802.11i wireless LAN security protocols such as WPA to authenticate an end user or device. When used in this manner, the wireless access point initiates the EAP protocol. EAP can then negotiate an encryption key, called the pair-wise master key (PMK). When the key has been established, it can be used by the Advanced Encryption Standard (AES) or the Temporal Key Integrity Protocol (TKIP) to encrypt the communication session.

Note

EAP can be implemented in many different ways, including EAP-MD5, EAP-TLS, EAP-SIM, LEAP, PEAP-MSCHAP, and PEAP-GTC. The goal is not for you to memorize each of these in detail, but to understand that, as a CISSP, you must be able to select the appropriate protocol, depending on the policy established for authentication strength.

Virtual Private Networks (VPNs)

VPNs are used to connect devices through the public Internet. Their primary benefit is that they offer a cost advantage over private lines and T1s by providing the same capabilities as a private network at a much lower cost. The big concern with a VPN is privacy; after all, you're sending your company's traffic over the public Internet. Three protocols are used to provide VPN functionality and security: the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol (L2TP), and IP Security (IPSec).

When an appropriate protocol is defined, the VPN traffic can be tunneled through the Internet. Two types of tunnels can be implemented:

  • LAN-to-LAN tunnels—. Users can tunnel transparently to each other on separate LANs.

  • Client-to-LAN tunnels—. Mobile users can connect to the corporate LAN.

Having a tunnel is just one part of establishing communication. Another important concept is that of authentication. Almost all VPNs use digital certificates as the primary means of authentication. X.509 v3 is the de facto standard. X.509 specifies certificate requirements and their contents. Much like a state driver's license office, the Certificate Authority guarantees the authenticity of the certificate and its contents. These certificates act as an approval mechanism.

Just as with other services, organizations need to develop policies to define who will have access to the VPN and how the VPN will be configured. It's important that VPN policies be designed to map to the organization's security policy. Senior management must approve and support this policy.

Remote Authentication Dial-in User Service (RADIUS)

RADIUS was designed for dial-up users, who typically used a modem pool to connect to the organization's network. Because of the features RADIUS offers, it is now used for more than just dial-up users. Enterasys uses it for secure network products, and WAPs and 802.11i also widely use it. A RADIUS server contains usernames, passwords, and other information to validate the user. RADIUS is a well-known UDP-based authentication and accountability protocol. Information is passed to RADIUS using PAP or CHAP. The RADIUS client then encrypts the information and sends it to the RADIUS server to be authenticated.

Terminal Access Controller Access Control System (TACACS)

TACACS is an access-control protocol used to authenticate a user logging onto a network. TACACS is a UDP-based protocol that provides authentication, authorization, and accountability. It was originally used in Cisco devices. TACACS is very similar to RADIUS. When TACACS receives an authentication request, it forwards the received username and password to a central database. This database verifies the information received and returns the result to TACACS, which allows or denies access accordingly. The fundamental reason TACACS did not become popular is that it is a proprietary solution from Cisco, and its use would require the payment of royalties. TACACS+, which is neither proprietary nor compatible with TACACS, was introduced in 1990. TACACS+ is TCP based and offers extended two-factor authentication.

IPSec

IPSec was developed to provide security for IP packets. Without IPSec, someone could capture, read, or change the contents of data packets and then send them back to the unsuspecting target. The current version of IP, IPv4, supports IPSec as an add-on; IPv6 has IPSec built in. IPSec offers its users several levels of cryptographic security:

  • Authentication header (AH)—. Protects data against modification; does not provide privacy

  • Encapsulating security payload (ESP)—. Provides privacy and protects against malicious modification

  • Internet key exchange (IKE)—. Allows secret keys to be exchanged securely before communications begin

Because IPSec can be applied below the application layer, any application can use it. IPSec has two modes of operation:

  • Transport mode—. Functions as a host-to-host connection involving only two machines, which protects just the payload.

  • Tunnel mode—. Protects the payload and the header. In this configuration, IPSec acts as a gateway; traffic for any number of client computers can be carried.

Message Privacy

New technologies make it possible to monitor all types of information that one individual might send to another. Carnivore is one example of such a technology. This controversial program was developed by the Federal Bureau of Investigation (FBI) to give the U.S. government the ability to monitor the Internet and email activities of suspected criminals.

Some Internet applications have little or no built-in security. Instant messaging (IM) is a good example. Many corporations allow or use IM, but it was built for chatting, not security. Most IM applications lack encryption capabilities, have insecure password management, and have features that actively work to bypass firewalls. IM can be vulnerable to sniffing attacks, can be used to spread viruses and worms, and can be targeted for buffer overflow attacks.

Standard email is also very insecure. Sending an email message is much like sending a postcard to Mom through the U.S. Mail. Anyone who happens to see the card during transit can read the message you sent her from your trip to Niagara Falls. If you need a little privacy, you must use encryption. Using encryption is the equivalent of sending a letter: The sealed envelope will prevent the casual snoop from learning about your trip to Niagara Falls. Email protection mechanisms include Pretty Good Privacy (PGP), Secure Multipurpose Internet Mail Extensions (S/MIME), and Privacy Enhanced Mail (PEM).

PGP

Phil Zimmermann initially developed Pretty Good Privacy (PGP) in 1991 as a free email security application. It is as close to military-grade encryption as a private individual can get and works well at securing email. Unlike public key infrastructure (PKI), PGP works by using a web of trust. Users distribute and sign their own public keys. Unlike the PKI certificate authority, this web of trust requires users to determine how much they trust the other parties they exchange keys with. PGP is a hybrid cryptosystem, in that it uses both asymmetric (public key) and symmetric encryption. Some of the algorithms PGP can use include Triple DES and Twofish for symmetric encryption, and Diffie-Hellman, Digital Signature Standard (DSS), and RSA for asymmetric encryption.
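To make the web-of-trust idea concrete, here is an added example (not from the book and not PGP's own code) of how such a keyring decides which public keys are valid: the local user assigns owner trust to other holders, and a key becomes valid once enough valid, trusted holders have signed it. The thresholds (one fully trusted signer or two marginally trusted ones) follow classic PGP defaults; the keyring itself is constructed for illustration.

```python
# Owner-trust levels the local user assigns to other key holders.
FULL, MARGINAL, NONE = "full", "marginal", "none"

def compute_validity(own_key, signatures, owner_trust, full_needed=1, marginal_needed=2):
    """Return the set of keys the local user should treat as valid.

    signatures:  key -> set of keys that have signed it
    owner_trust: key -> FULL, MARGINAL or NONE (missing keys count as NONE)
    A key is valid when signed by full_needed fully trusted keys or by
    marginal_needed marginally trusted keys, counting only signers whose own
    keys are already valid; the user's own key is always fully trusted.
    """
    valid = {own_key}
    changed = True
    while changed:                  # repeat until no new key becomes valid
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]
            full = sum(1 for s in usable if s == own_key or owner_trust.get(s) == FULL)
            marginal = sum(1 for s in usable if owner_trust.get(s) == MARGINAL)
            if full >= full_needed or marginal >= marginal_needed:
                valid.add(key)
                changed = True
    return valid

# Constructed keyring: alice is the local user; who signed whom, and how much
# alice trusts each holder to vouch for others.
SIGNATURES = {
    "bob": {"alice"}, "carol": {"alice"}, "dave": {"alice"},
    "eve": {"bob"},                 # one fully trusted signer
    "frank": {"carol", "dave"},     # two marginal signers
    "grace": {"carol"},             # only one marginal signer: not enough
    "heidi": {"eve"},               # eve's key is valid, but alice gave her no trust
    "mallory": set(),               # nobody alice can validate has signed this key
    "oscar": {"mallory"},           # so mallory's full trust cannot be used yet
}
OWNER_TRUST = {"bob": FULL, "carol": MARGINAL, "dave": MARGINAL, "mallory": FULL}

def valid_keys():
    return compute_validity("alice", SIGNATURES, OWNER_TRUST)
```

The mallory/oscar case shows the point the text makes: trust assigned by the user only counts once the trusted party's own key has itself been validated.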

S/MIME

Secure Multipurpose Internet Mail Extensions (S/MIME) secures email by using X.509 certificates for authentication. The public key cryptographic standard is used to provide encryption. It can work in one of two modes: signed and enveloped. Signing mode provides integrity and authentication. Enveloped mode provides confidentiality, authentication, and integrity.

Privacy Enhanced Mail (PEM)

PEM is an older email security standard. It provides encryption, authentication, and X.509 certificate-based key management.

Network Access Controls

Security should be implemented in layers to erect several barriers against attackers. One good example of a network access control is a firewall. The firewall can act as a choke point to control traffic as it ingresses and egresses the network. Another network access control is the DMZ, which establishes a safe zone for internal and external users to meet.

Firewalls

It's a sad fact that we need firewalls. Just as in the real world, some individuals enjoy destroying other people's property. A firewall is a computer, router, or software component implemented to control access to a protected network. It enables organizations to protect their network and control traffic.

Packet Filters

Packet filters are devices that filter traffic based on IP addresses. Savvy hackers use spoofing tools and other programs that are easily available on the Internet to bypass packet filters. The first firewalls ever implemented were packet filters. These devices inspect the TCP/IP headers and make a decision based on a set of predefined rules. Packet filters simply drop packets that do not conform to the predefined rule set. These devices are considered stateless. Packet filters are configured by compiling an access control list (ACL). ACLs can include IP addresses, protocol types, TCP ports, and UDP ports.

NAT

Network Address Translation (NAT) was originally developed because of the explosive growth of the Internet and the increase in home and business networks; the number of available IP addresses is simply not enough. NAT allows a single device, such as a router, to act as an agent between the Internet and the local network. This device or router provides a pool of addresses to be used by your local network. Only a single, unique IP address is required to represent this entire group of computers. The outside world is unaware of this division and thinks that only one computer is connected. NAT can provide a limited amount of security because it can hide internal addresses from external systems. When private addressing is used, NAT is a requirement: packets with private source addresses cannot be routed across the Internet, and external traffic cannot be routed back into the NATed network without translation. RFC 1918 defines three private address ranges, beginning at 10.0.0.0, 172.16.0.0, and 192.168.0.0.

Common types of NAT include these:

  • Static NAT—Uses a one-to-one mapping between public and private IP addresses.

  • Dynamic NAT—Uses a pool of public addresses. When internal devices need Internet connectivity, they are mapped to the next available public address. When the communication session is complete, the public address is returned to the pool.

  • Port Address Translation (PAT)—Most home networks using DSL or cable modems use this type of NAT. It is designed to provide many internal users Internet access through one external address.
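As an added example (not from the book), the following model shows how PAT lets many RFC 1918 hosts share one public address, and why the "limited security" mentioned above exists: an inbound packet is only translated when an inside host has already opened a session to that sender. The addresses are constructed from documentation ranges, and the rule that a reply must also come from the same remote endpoint is an assumption about the translator's behaviour, not something the text specifies.

```python
import ipaddress
from collections import namedtuple

# Constructed addresses: 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for the ISP-assigned address and an Internet server.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

# The three RFC 1918 private ranges named in the text.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

class PAT:
    """Many private hosts share one public address; sessions are told apart by port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # public port -> (priv_ip, priv_port, dst_ip, dst_port)

    def translate_out(self, pkt):
        """Rewrite the source of an outbound packet; reuse the port for an existing session."""
        if not is_rfc1918(pkt.src_ip):
            raise ValueError("only private source addresses are translated")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port          # hand out the next free public port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return pkt._replace(src_ip=self.public_ip, src_port=port)

    def translate_in(self, pkt):
        """Reverse the mapping for a reply, or return None (drop) when no inside host
        opened a session to this sender: this is the limited protection NAT gives."""
        entry = self.in_map.get(pkt.dst_port)
        if entry is None or pkt.dst_ip != self.public_ip:
            return None
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                    # port is in use, but by a different remote peer
        return pkt._replace(dst_ip=priv_ip, dst_port=priv_port)
```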

Stateful Firewalls

Stateful firewalls keep track of every communication channel by means of a state table. Because of this, they are considered intelligent firewalls. They're part of the third generation of firewall design. Packet filters do not have this capability. Remember that the models addressed here, such as stateful inspection and proxies, are theoretical, so most vendors' products will not match any one design perfectly.
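The following added example (not from the book) serves both the Packet Filters and the Stateful Firewalls passages: a stateless filter evaluates an ACL built from the fields the text lists (addresses, protocol, TCP/UDP ports), and a stateful wrapper consults a state table first. The ACL semantics (first match wins, implicit deny) and the packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag, i.e. a connection being opened

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"      # 0.0.0.0/0 means any address
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None # None means any port
    dport: Optional[int] = None

    def matches(self, p):
        return ((self.proto in ("any", p.proto))
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def stateless_filter(acl, p):
    # First matching rule decides; no match is an implicit deny.
    return next((r.action == "permit" for r in acl if r.matches(p)), False)

class StatefulFirewall:
    def __init__(self, acl):
        self.acl = acl
        self.table = set()      # 5-tuples of sessions the ACL has let through

    def check(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table or reverse in self.table:
            return True         # part of a session already in the table
        if p.proto == "tcp" and not p.syn:
            return False        # mid-stream TCP segment with no session: drop
        allowed = stateless_filter(self.acl, p)
        if allowed:
            self.table.add(key)
        return allowed
```

A stateless ACL that lets web replies back in has to permit any inbound packet with source port 80, so a packet to an internal port 22 that uses source port 80 passes; the stateful version admits the reply via its table and needs no such rule.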

Proxy Servers

By definition, the word proxy means “to stand in place of.” Therefore, a proxy is a hardware or software device that can perform address translation and that communicates with the Internet on behalf of the network. The real IP address of the user remains hidden behind the proxy server. The proxy server can also be configured to filter higher-layer traffic to determine whether the traffic is allowed to pass. Proxy servers offer increased security because they don't allow untrusted systems to have a direct connection to internal computers. Proxy servers function as follows: They accept packets from the external network, copy the packets, inspect them for irregularities, change the addresses to the correct internal device, and then put them back on the wire to the destination device. Other types of proxies include these:

  • Application-level proxy—Not all proxies are made the same. Application-level proxies inspect the entire packet and then make a decision based on what was discovered while inspecting the contents. This method is very thorough and slow. For the application-level proxy to work correctly, it must understand the protocols and applications it is working with.

    Note

    An application proxy provides a high level of security and offers a very granular level of control. Its disadvantages include that it could break some applications and can be a performance bottleneck.

  • Circuit-level proxy—A circuit-level proxy closely resembles a packet-filtering device, in that it makes decisions on addresses, ports, and protocols. It does not care about higher-layer applications, so it works for a wider range of protocols but doesn't provide the depth of security that an application-level proxy does.

  • SOCKS—SOCKS takes the proxy server concept to the next level. SOCKS must be deployed as a client and server solution. It provides a secure channel between the two devices. It examines individual applications to determine whether they are allowed access. Common SOCKS applications include these:

    • FTP—Blocks or allows files to be transferred into or out of the network

    • HTTP—Blocks or allows Internet access

    • SMTP—Blocks or allows email

Demilitarized Zone (DMZ)

In the computer world, the DMZ prevents outsiders from getting direct access to internal services. DMZs are typically set up to allow external users access to services within the DMZ. Basically, shared services such as Internet, email, and DNS might be placed within a DMZ. The DMZ provides no other access to services located within the internal network. If an attacker is able to penetrate and hack computers within the DMZ, no internal computers would be accessible. Usually the computers placed in the DMZ are bastion hosts. A bastion host is a computer that has had all unnecessary services and applications removed; it has been hardened against attack. To add security to the devices in the DMZ, a screened host sometimes is used. A screened host is a firewall that is being partially shielded by a router acting as a packet filter. This furthers the concept of defense in depth.

Exam Prep Questions

1:

Your PBX has been hacked. Which of the following groups could be responsible?

  • A. Hackers

  • B. Phreakers

  • C. War drivers

  • D. War dialers

2:

You just overheard two people discussing ways to steal electronic serial numbers (ESNs). What type of attack are they discussing?

  • A. Bank card hacking

  • B. Modem hacking

  • C. PBX hacking

  • D. Cellphone hacking

3:

Your boss has asked that you implement IPSec to secure the contents and the header information of traffic. Which of the following matches that description?

  • A. Transport mode

  • B. IKE mode

  • C. Tunnel mode

  • D. Encrypted mode

4:

What is a mechanism for converting internal IP addresses found in IP headers into public addresses for transmission over the Internet?

  • A. ARP

  • B. DNS

  • C. DHCP

  • D. NAT

5:

Clement has implemented PEM. What is he trying to protect?

  • A. IP traffic

  • B. TCP traffic

  • C. Email traffic

  • D. VPN traffic

6:

The transport layer of the OSI model corresponds to which TCP/IP layer?

  • A. Application layer

  • B. Internet layer

  • C. Host-to-host layer

  • D. Network access layer

7:

Which of the following is considered an updated standard to the WEP protocol?

  • A. WPA

  • B. SMLI

  • C. PGP

  • D. POP

8:

Which of the following closely resembles a packet-filtering device as it makes decisions on addresses, ports, and protocols?

  • A. Stateless firewall

  • B. Circuit proxy

  • C. Application proxy

  • D. Stateful firewall

9:

This protocol is considered a forerunner to Frame Relay and works over POTS lines.

  • A. SMDS

  • B. ATM

  • C. X.25

  • D. T-carriers

10:

RADIUS provides which of the following?

  • A. Authentication and accountability

  • B. Authorization and accountability

  • C. Authentication and authorization

  • D. Authentication, authorization, and accountability

11:

Which of the following is a cell-switched technology?

  • A. DSL

  • B. T1

  • C. ISDN

  • D. ATM

12:

Which of the following is considered a third-generation firewall?

  • A. Packet filter

  • B. Circuit proxy

  • C. Application proxy

  • D. Stateful firewall

Answers to Exam Prep Questions

A1:

Answer: B. Phreakers practice the art of phone hacking. Answer A is incorrect as hackers do not typically target phone systems. Answer C is incorrect as war drivers are individuals that target wireless systems. Answer D is incorrect as war dialers are individuals that target modems.

A2:

Answer: D. Cellphone hackers scan for electronic serial numbers (ESNs) and mobile identification numbers (MINs). These are used to clone phones. Answer A is incorrect because bank card hacking would most likely target a database. Answer B is incorrect because the individuals that target modems are known as war dialers. Answer C is incorrect because PBX hacking is performed by phreakers.

A3:

Answer: C. Tunnel mode protects the payload and the header. Transport mode just protects the payload, so answer A is incorrect. There is no IKE mode or encrypted mode, so answers B and D are incorrect.

A4:

Answer: D. NAT allows a single device, such as a router, to act as an agent between the Internet and the internal network. ARP is used for physical address resolution, so answer A is incorrect. DNS is used for IP address resolution, so answer B is incorrect. DHCP is used to assign dynamic addresses, so answer C is incorrect.

A5:

Answer: C. PEM provides encryption, authentication, and X.509 certificate-based key management. PEM is used to protect email. Answer A is incorrect because IPSec, not PEM, is used to protect IP traffic. Answer B is incorrect because although measures can be taken to protect TCP, PEM is not one of them. Answer D is incorrect because protocols associated with VPNs include PPTP, L2TP, and IPSec, not PEM.

A6:

Answer: C. The TCP/IP host-to-host layer corresponds to the transport layer of the OSI model, which is Layer 4. All other answers are incorrect because those layers do not map to the transport layer. Answer A, the application layer of the TCP/IP model, corresponds to Layers 6 and 7 of the OSI model. Answer B is incorrect because the TCP/IP Internet layer loosely corresponds to Layer 3 of the OSI model. Answer D is incorrect because the network access layer loosely corresponds to Layers 1 and 2 of the OSI model.

A7:

Answer: A. The replacement for WEP is Wi-Fi Protected Access (WPA). WPA uses the Temporal Key Integrity Protocol for more robust security. SMLI (answer B) is incorrect because it is a firewall technology. PGP (answer C) is an email-protection mechanism, and POP (answer D) is associated with email, so neither of these is correct.

A8:

Answer: B. Circuit-level proxies closely resemble packet-filtering devices because they examine addresses, ports, and protocols. Stateless firewalls are packet-filtering devices and application proxies, and stateful firewalls examine higher-level content, so answers A, C, and D are incorrect.

A9:

Answer: C. X.25 predates Frame Relay. Although it is not fast, it is reliable and works over analog phone lines. SMDS is a high-speed MAN/WAN packet-switched protocol, so answer A is incorrect. ATM is a modern protocol that offers high speed and various classes of service, so answer B is incorrect. T-carriers are a circuit-switched technology, so answer D is incorrect.

A10:

Answer: C. RADIUS is a client/server protocol used to authenticate dial-in users and authorize access. The other answers are incorrect because they do not meet the specification of RADIUS.

A11:

Answer: D. ATM is a cell-switched technology. DSL, T1, and ISDN are not based on cell-switching technology and, therefore, are incorrect.

A12:

Answer: D. Stateful firewalls are considered intelligent firewalls and are third-generation devices. Circuit and application proxies are second-generation devices, and packet filters are first-generation devices, so answers A, B, and C are incorrect.

Need to Know More?

http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM—An introduction to TCP/IP

https://secure.linuxports.com/howto/intro_to_networking/c4412.htm—An introduction to the ISO Model

www.telephonetribute.com/phonephreaking.html—Phone phreaking

www.untruth.org/~josh/security/radius/radius-auth.html—The RADIUS authentication protocol

http://searchnetworking.techtarget.com/tip/1,289483,sid7_gci838703,00.html—Protecting network assets from attack
