The Global Information Grid (GIG) is the U.S. Department of Defense (DoD) global network, one of the largest private networks in the world.

At the other end of the spectrum, the smallest of these networks are PANs: Personal Area Networks, with a range of 100 meters or much less. Low-power wireless technologies such as Bluetooth use PANs.

One drawback of circuit-switched networks: once a channel or circuit is connected, it is dedicated to that purpose, even while no data is being transferred. Packet-switched networks were designed to address this issue, as well as handle network failures more robustly.

The original research on packet-switched networks was conducted in the early 1960s on behalf of the Defense Advanced Research Projects Agency (DARPA). That research led to the creation of the ARPAnet, the predecessor of the Internet. For more information, see the Internet Society’s “A Brief History of the Internet,” at http://www.internetsociety.org/internet/internet-51/history-internet/brief-history-internet.

Early packet-switched network research by the RAND Corporation described a “nuclear” scenario, but reports that the ARPAnet was designed to survive a nuclear war are not true. The Internet Society’s History of the Internet reports “…work on Internetting did emphasize robustness and survivability, including the capability to withstand losses of large portions of the underlying networks.”[1]

Instead of using dedicated circuits, data is broken into packets, each sent individually. If multiple routes are available between two points on a network, packet switching can choose the best route, and fall back to secondary routes in case of failure. Packets may take any path (and different paths) across a network, and are then reassembled by the receiving node. Missing packets can be retransmitted, and out of-order packets can be re-sequenced.

Unlike circuit-switched networks, packet-switched networks make unused bandwidth available for other connections. This can give packet-switched networks a cost advantage over circuit-switched.

Cabling standards such as Thinnet, Thicknet, and Unshielded Twisted Pair (UTP) exist at layer 1, among many others. Layer 1 devices include hubs and repeaters.

Layer 2 is divided into two sub-layers: Media Access Control (MAC) and Logical Link Control (LLC). The MAC layer transfers data to and from the physical layer. LLC handles LAN communications. MAC touches Layer 1, and LLC touches Layer 3.

Layer 4 makes a number of features available, such as resending or re-sequencing packets. Taking advantage of these features is a protocol implementation decision. As we will see later, TCP takes advantage of these features, at the expense of speed. Many of these features are not implemented in UDP, which chooses speed over reliability.

Historically, MAC addresses were 48 bits long. They have two halves: the first 24 bits form the Organizationally Unique Identifier (OUI) and the last 24 bits form a serial number (formally called an extension identifier).

Organizations that manufacture NICs, such as Cisco, Juniper, HP, IBM, and many others, purchase 24-bit OUIs from the Institute of Electrical and Electronics Engineers (IEEE), Incorporated Registration Authority. A List of registered OUIs is available at http://standards.ieee.org/regauth/oui/oui.txt

Juniper owns OUI 00-05-85, for example. Any NIC with a MAC address that begins with 00:05:85 is a Juniper NIC. Juniper can then assign MAC addresses based on their OUI: the first would have been MAC address 00:05:85:00:00:00, the second 00:05:85:00:00:01, the third 00:05:85:00:00:02, etc. This process continues until the serial numbers for that OUI have been exhausted. Then a new OUI is needed.

IP is a simple protocol, designed to carry data across networks. It is so simple that it requires a “helper protocol” called ICMP (see below). IP is connectionless and unreliable: it provides “best effort” delivery of packets. If connections or reliability are required, they must be provided by a higher-level protocol carried by IP, such as TCP.

IPv4 uses 32-bit source and destination addresses, usually shown in “dotted quad” format, such as “192.168.2.4.” A 32-bit address field allows 2³², or nearly 4.3 billion, addresses. A lack of IPv4 addresses in a world where humans (and their devices) outnumber available IPv4 addresses is a fundamental problem: this was one of the factors leading to the creation of IPv6, which uses much larger 128-bit addresses.

IPv6 has become more prevalent since the release of the Microsoft Vista operating systems, the first Microsoft client operating system to support IPv6 and have it enabled by default. All versions through Windows 10 have done the same. Other modern operating systems, such as OS X, Linux and Unix, also enable IPv6 by default.

The IPv6 header, shown in Figure 5.2, is larger and simpler than IPv4. Fields include:

Classful networks are inflexible: networks used for normal end hosts come in three sizes: 16,777,216 addresses (Class A), 65,536 addresses (Class B), and 256 addresses (Class C). The smallest routable classful network is a Class C network with 256 addresses: a routable point-to-point link using classful networks requires a network between the two points, wasting over 250 IP addresses.

The Class A network 10.0.0.0 contains IP addresses that begins with 10: 10.1.2.3.4, 10.187.24.8, 10.3.96.223, etc. In other words, 10.* is a Class A address. The first 8 bits of the dotted-quad IPv4 address is the network (10); the remaining 24 bits are the host address: 3.96.223 in the last previous example. The CIDR notation for a Class A network is /8 for this reason: 10.0.0.0/8. The “/8” is the netmask, which means the network portion is 8 bits long, leaving 24 bits for the host.

Similarly, the class C network of 192.0.2.0 contains any IP address that begins with 192.0.2: 192.0.2.177, 192.0.2.253, etc. That class C network is 192.0.2.0/24 in CIDR format: the first 24 bits (192.0.2) describe the network; the remaining 8 bits (177 or 253 in the previous example) describe the host.

Once networks are described in CIDR notation, additional routable network sizes are possible. Need 128 IP addresses? Chop a Class C (/24) in half, resulting in two /25 networks. Need 64 IP addresses? Chop a /24 network into quarters, resulting in four /26 networks with 64 IP addresses each.

Any public Internet connection using un-translated RFC1918 addresses as a destination will fail: there are no public routes for these networks. Internet traffic sent with an un-translated RFC 1918 source address will never return. Using the classful terminology, the 10.0.0.0/8 network is a Class A network; the 172.16.0.0./12 network is 16 continuous Class B networks, and 192.168.0.0/16 is 256 Class C networks.

RFC 1918 addresses are used to conserve public IPv4 addresses, which are in short supply. RFC stands for “Request for Comments,” a way to discuss and publish standards on the Internet. More information about RFC 1918 is available at: http://www.rfc-editor.org/rfc/rfc1918.txt.

Three types of NAT are static NAT, pool NAT (also known as dynamic NAT), and Port Address Translation (PAT, also known as NAT overloading). Static NAT makes a one-to-one translation between addresses, such as 192.168.1.47→192.0.2.252. Pool NAT reserves a number of public IP addresses in a pool, such as 192.0.2.10→192.0.2.19. Addresses can be assigned from the pool, and then returned. Finally, PAT typically makes a many-to-one translation from multiple private addresses to one public IP address, such as 192.168.1.* to 192.0.2.20. PAT is a common solution for homes and small offices: multiple internal devices such as laptops, desktops and mobile devices share one public IP address. Table 5.5 summarizes examples of the NAT types.

NAT hides the origin of a packet: the source address is the NAT gateway (usually a router or a firewall), not of the host itself. This provides some limited security benefits: an attack against a system’s NAT-translated address will often target the NAT gateway, and not the end host. This protection is limited, and should never be considered a primary security control. Defense-in-depth is always required.

NAT can cause problems with applications and protocols that change IP addresses or contain IP addresses in upper layers, such as the data layer of TCP/IP. IPsec, VoIP, and active FTP are among affected protocols.

RARP is used by diskless workstations to determine its IP address. A node asks “Who has MAC address at 00:40:96:29:06:51, tell 00:40:96:29:06:51.

In other words RARP asks: “Who am I? Tell me.” A RARP server answers with the node’s IP address.

Multicast traffic uses “Class D” addresses when used over IPv4. Nodes are placed into multicast groups. A common multicast application is streaming audio or video. Sending 1000 audio streams via unicast would require a large amount of bandwidth, so multicast is used. It works like a tree: the initial stream is the trunk, and each member of the multicast group a leaf. One stream is sent from the streaming server, and it branches on the network as it reaches routers with multiple routes for nodes in the multicast group. Multicast typically uses UDP.

UDP is commonly used for applications that are “lossy” (can handle some packet loss), such as streaming audio and video. It is also used for query-response applications, such as DNS queries.

Telnet is weak because it provides no confidentiality; all data transmitted during a telnet session is plaintext, including the username and password used to authenticate to the system. Attackers who are able to sniff network traffic can steal authentication credentials this way.

Telnet also has limited integrity: attackers with write access to a network can alter data, or even seize control of Telnet sessions. Secure Shell (SSH) provides secure authentication, confidentiality, and integrity and is a recommended replacement for Telnet.

FTP uses two ports: the control connection (where commands are sent) is TCP port 21; “Active FTP” uses a data connection (where data is transferred) that originates from TCP port 20. Here are the two socket pairs (the next two examples use arbitrary ephemeral ports):

Notice that the data connection originates from the server, in the opposite direction of the control channel. This breaks classic client-server data flow direction. Many firewalls will block the active FTP data connection for this reason, breaking Active FTP. Passive FTP addresses this issue by keeping all communication from client to server:

The FTP server tells the client which listening data connection port to connect to; the client then makes a second connection. Passive FTP is more likely to pass through firewalls cleanly, since it flows in classic client-server direction.

TFTP has no authentication or directory structure: files are read from and written to one directory, usually called /tftpboot. There is also no confidentiality or integrity. Like Telnet and FTP, TFTP is not recommended for transferring sensitive data over an insecure channel.

SSH version 1 was the original version, which has since been found vulnerable to man-in-the middle attacks. SSH version 2 is the current version of the protocol, and is recommended over SSHv1, or Telnet, FTP, etc.

Two core DNS functions are gethostbyname() and gethostbyaddr(). Given a name (such as www.syngress.com), gethostbyname returns an IP address, such as 192.0.2.187. Given an address such as 192.0.2.187, gethostbyaddr returns the name, www.syngress.com.

Authoritative name servers provide the “authoritative” resolution for names within a given domain. A recursive name server will attempt to resolve names that it does not already know. A caching name server will temporarily cache names previously resolved.

SNMPv1 and v2c use read and write community strings to access network devices. Many devices use default community strings such as “public” for read access, and “private” for write access. Additionally, these community strings are usually changed infrequently (if at all), and are typically sent in the clear across a network. An attacker who can sniff or guess a community string can access the network device via SNMP. Access to a write string allows remote changes to a device, including shutting down or reconfiguring interfaces, among many other options.

SNMPv3 was designed to provide confidentiality, integrity, and authentication to SNMP via the use of encryption. While SNMPv2c usage remains highly prevalent, use of SNMPv3 is strongly encouraged due to the lack of security in all previous versions.

DHCP (Dynamic Host Configuration Protocol) was designed to replace and improve on BOOTP by adding additional features. DHCP allows more configuration options, as well as assigning temporary IP address leases to systems. DHCP systems can be configured to receive IP address leases, DNS servers, and default gateways, among other information.

Both BOOTP and DHCP use the same ports: UDP port 67 for servers and UDP port 68 for clients.

Twisted pair cables are classified by categories according to rated speed. Tighter twisting results in more dampening: a Category 6 UTP cable designed for gigabit networking has far tighter twisting than a Category 3 fast Ethernet cable. Table 5.6 summarizes the types and speeds of Category cabling. Cisco Press also has a good summary at http://www.ciscopress.com/articles/article.asp?p=31276.

Shielded Twisted Pair (STP) contains additional metallic shielding around each pair of wires. This makes STP cables less susceptible to EMI, but more rigid and more expensive.

The core and shield used by coaxial cable are thicker and better insulated than other cable types, such as twisted pair. This makes coaxial more resistant to EMI and allows higher bandwidth and longer connections compared with twisted pair cable.

Two older types of coaxial cable are Thinnet and Thicknet, used for Ethernet bus networking.

Multimode fiber carrier uses multiple modes (paths) of light, resulting in light dispersion. Single-mode fiber uses a single strand of fiber, and the light uses one mode (path) down the center of the fiber. Multimode fiber is used for shorter distances; single-mode fiber is used for long haul, high-speed networking.

Multiple signals may be carried via the same fiber via the use of Wavelength Division Multiplexing (WDM), where multiple light “colors” are used to transmit different channels of information via the same fiber. Combined speeds of over a terabit/second can be achieved when WDM is used to carry 10-gigabits per color.

Ethernet has evolved from 10-megabit buses that used “thinnet” or “thicknet” coaxial cable. The star-based physical layer uses Twisted Pair cables that range in speed from 10 megabits to 1000 megabits and beyond. A summary of these types is listed in Table 5.7.

ARCNET ran at 2.5 megabits and popularized the star topology (later copied by Ethernet). The last version of Token Ring ran at 16 megabits, using a physical star that passed tokens in a logical ring.

Both Token Ring and ARCNET are deterministic (not random), unlike Ethernet. Both have no collisions, which (among other factors) leads to predictable network behavior. Many felt Token Ring was superior to Ethernet (when Ethernet’s top speed was 10 megabits). Ethernet was cheaper and ultimately faster than Token Ring, and ended up becoming the dominant LAN technology.

In addition to reliability, another advantage of FDDI is light: fiber cable is not affected by electromagnetic interference (EMI).

Network buses are fragile: should the network cable break anywhere along the bus; the entire bus would go down. For example, if the cable between Node A and Node B should break in Figure 5.14, the entire bus would go down, including the connection between Node B and C. A single defective NIC can also impact an entire bus.

Stars feature better fault tolerance: any single local cable cut or NIC failure affects one node only. Since each node is wired back to a central point, more cable is required as opposed to bus (where one cable run connects nodes to each other). This cost disadvantage is usually outweighed by the fault tolerance advantages.

Meshes have superior availability and are often used for highly available (HA) server clusters. Each of the four Web servers shown on the left in Figure 5.18 can share the load of Web traffic, and maintain state information between each other. If any web server in the mesh goes down, the others remain up to shoulder the traffic load.

A T3 is 28 bundled T1s, forming a 44.736-megabit circuit. The terms T3 and DS3 (Digital Signal 3) are also used interchangeably, with the same T1/DS1 distinction noted above. E1s are dedicated 2.048-megabit circuits that carry 30 channels, and 16 E1s form an E3, at 34.368 megabits.

SONET (Synchronous Optical Networking) carries multiple T-carrier circuits via fiber optic cable. SONET uses a physical fiber ring for redundancy.

Frame Relay multiplexes multiple logical connections over a single physical connection to create Virtual Circuits; this shared bandwidth model is an alternative to dedicated circuits such as T1s. A PVC (Permanent Virtual Circuit) is always connected, analogous to a real dedicated circuit like a T1. A Switched Virtual Circuit (SVC) sets up each “call,” transfers data, and terminates the connection after an idle timeout. Frame Relay is addressed locally via Data Link Connection Identifiers (DLCI, pronounced “delsee”).

The global packet switched X.25 network is separate from the global IP-based Internet. X.25 performs error correction that can add latency on long links. It can carry other protocols such as TCP/IP, but since TCP provides its own reliability, there is no need to take the extra performance hit by also providing reliability at the X.25 layer. Other protocols such as frame relay are usually used to carry TCP/IP.

ATM allows reliable network throughput compared to Ethernet. The answer to “How many Ethernet frames can I send per second” is “It depends.” Normal Ethernet frames can range in size from under 100 bytes to over 1500 bytes. In contrast, all ATM cells are 53 bytes.

SMDS (Switched Multimegabit Data Service) is older and similar to ATM, also using 53-byte cells.

High-Level Data Link Control (HDLC) is the successor to SDLC. HDLC adds error correction and flow control, as well as two additional modes (ARM and ABM). The three modes of HDLC are:

Some protocols, such as SMTP, fit into one layer. DNP3 is a multilayer protocol and may be carried via TCP/IP (another multilayer protocol): “Many vendors offer products that operate using TCP/IP to transport DNP3 messages in lieu of the media discussed above. Link layer frames, which we have not talked about yet, are embedded into TCP/IP packets. This approach has enabled DNP3 to take advantage of Internet technology and permitted economical data collection and control between widely separated devices.” [9]

Recent improvements in DNP3 allow for “Secure Authentication,” which addresses challenges with the original specification that could have allowed, for example, spoofing or replay attacks. DNP3 became an IEEE standard in 2010, called IEEE 1815-2010 (now deprecated). It allowed pre-shared keys only. IEEE 1815-2012 is the current standard; it supports Public Key Infrastructure (PKI).

FCoE leverages Fibre Channel, which has long been used for storage networking, but dispenses with the requirement for completely different cabling and hardware. Instead, FCoE can be transmitted across standard Ethernet networks. In FCoE, Fibre Channel’s HBA (Host Bus Adapters), which historically were unique cards to interface with storage, can be combined with the network interface (NIC), for economies of scale. FCoE uses Ethernet, but not TCP/IP. Fibre Channel over IP (FCIP) encapsulates Fibre Channel frames via TCP/IP.

Like FCoE, iSCSI is a SAN protocol that allows for leveraging existing networking infrastructure and protocols to interface with storage. While FCoE simply uses Ethernet, iSCSI makes use of higher layers of the TCP/IP suite for communication, and can be routed like any IP protocol (the same is true for FCIP). By employing protocols beyond layer 2 (Ethernet), iSCSI can be transmitted beyond just the local network. Thus, iSCSI could even allow for accessing storage that resides across a WAN. iSCSI uses Logical Unit Numbers (LUNs) to provide a way of addressing storage across the network. LUNs can also be used for basic access control for network accessible storage.

Traditional approaches to storage security often required hard-coding changes at switches or the HBAs to achieve access control. One approach to a virtual SAN feels analogous to the switching concept of VLANs and tries to allow for a conceptually simplistic approach to isolation within the SAN. This concept of the virtual SAN as analogous to VLANs is most commonly employed by networking vendors.

The concept of a virtual SAN is not limited to simply security considerations from networking vendors. Much recent use of the term virtual SAN leans heavily on the virtual side of the phrase. Virtualization vendors employ the term virtual SAN to imply an approach to the SAN that allows for more rapid provisioning of virtualized storage. Beyond provisioning, virtualization vendors tout the virtual SAN as a means to leverage virtualization to afford simpler linear scalability to the storage area network.

Recently, many organizations have maintained at least two distinct networks: a phone network and a data network, each with associated maintenance costs. The reliability of packet-switched data networks has grown as organizations have made substantial investments. With the advent of VoIP, many organizations have lowered costs by combining voice and data services on packet-switched networks.

Common VoIP protocols include Real-time Transport Protocol (RTP), designed to carry streaming audio and video. VoIP protocols such as RTP rely upon session and signaling protocols including SIP (Session Initiation Protocol, a signaling protocol) and H.323. SRTP (Secure Real-time Transport Protocol) may be used to provide secure VoIP, including confidentiality, integrity, and secure authentication. SRTP uses AES for confidentiality and SHA-1 for integrity.

While VoIP can provide compelling cost advantages (especially for new sites, without a large legacy voice investment), there are security concerns. If the network goes down, both voice and network data go down. Also, there is no longer a true “out of band” channel for wired voice. If an attacker has compromised a network, they may be able to compromise the confidentiality or integrity of the VoIP calls on that network. Many VoIP protocols, such as RTP, provide little or no security by default. In that case, eavesdropping on a VoIP call is as simple as sniffing with a tool like Wireshark (a high-quality free network protocol analyzer, see http://www.wireshark.org), selecting the “Telephony → VoIP Calls” menu, choosing a call and pressing “Player,” as shown in Figure 5.19.

Organizations that deploy VoIP must ensure reliability by making sufficient investments in their data networks, and in staff expertise required to support them. In the event of network compromise, use other methods such as cell phones for out-of-band communication. Finally, any VoIP traffic sent via insecure networks should be secured via SRTP, or other methods such as IPsec. Never assume VoIP traffic is secure by default.

DSSS uses the entire band at once, “spreading” the signal throughout the band. FHSS uses a number of small frequency channels throughout the band and “hops” through them in pseudorandom order.

Orthogonal Frequency-Division Multiplexing (OFDM) is a newer multiplexing method, allowing simultaneous transmission using multiple independent wireless frequencies that do not interfere with each other.

802.11n uses both 2.4 and 5 GHz frequencies, and is able to use multiple antennas with multiple-input multiple-output (MIMO). This allows speeds up to 600 Mbps. Finally, 802.11ac uses the 5 GHz frequency only, offering speeds up to 1.3 Gbps. Table 5.8 summarizes the major types of 802.11 wireless.

The 2.4 GHz frequency can be quite crowded: some cordless phones and baby monitors use that frequency, as does Bluetooth and some other wireless devices. Microwave ovens can interfere with 2.4 GHz devices. The 5 GHz frequency is usually less crowded, and often has less interference than 2.4 GHz. As 5 GHz is a higher frequency with shorter waves, it does not penetrate walls and other obstructions as well as the longer 2.4 GHz waves.

802.11 wireless clients connect to an access point in managed mode (also called client mode). Once connected, clients communicate with the access point only; they cannot directly communicate with other clients.

Master mode (also called infrastructure mode) is the mode used by wireless access points. A wireless card in master mode can only communicate with connected clients in managed mode.

Ad hoc mode is a peer-to-peer mode with no central access point. A computer connected to the Internet via a wired NIC may advertise an ad hoc WLAN to allow Internet sharing.

Finally, monitor mode is a read-only mode used for sniffing WLANs. Wireless sniffing tools like Kismet or Wellenreiter use monitor mode to read all 802.11 wireless frames.

Another common 802.11 wireless security precaution is restricting client access by filtering the wireless MAC address, allowing only trusted clients. This provides limited security. MAC addresses are exposed in plaintext on 802.11 WLANs; trusted MACs can be sniffed, and an attacker may reconfigure a non-trusted device with a trusted MAC address in software. Then the attacker can wait for the trusted device to leave the network (or launch a DoS against the trusted device), and join the network with a trusted MAC address.

WEP was designed at a time when exportation of encryption was more regulated than it is today, and was designed specifically to avoid conflicts with existing munitions laws (see Chapter 4, Domain 3: Security Engineering for more information about such laws). In other words, WEP was designed to be “not too strong,” cryptographically, and it turned out to be even weaker than anticipated. WEP has 40 and 104-bit key lengths, and uses the RC4 cipher. WEP frames have no timestamp and no replay protection: attackers can inject traffic by replaying previously sniffed WEP frames.

RSN is commonly referred to as WPA2 (Wi-Fi Protected Access 2), a full implementation of 802.11i. By default, WPA2 uses AES encryption to provide confidentiality, and CCMP (Counter Mode CBC MAC Protocol) to create a Message Integrity Check (MIC), which provides integrity. The less secure WPA (without the “2”) was designed for access points that lack the power to implement the full 802.11i standard, providing a better security alternative to WEP. WPA uses RC4 for confidentiality and TKIP for integrity. Usage of WPA2 is recommended over WPA.

Bluetooth has three classes of devices, summarized below. Although Bluetooth is designed for short-distance networking, it is worth noting that class 1 devices can transmit up to 100 meters.

Bluetooth uses the 128-bit E0 symmetric stream cipher. Cryptanalysis of E0 has proven it to be weak; practical attacks show the true strength to be 38 bits or less.

Sensitive devices should disable automatic discovery by other Bluetooth devices. The “security” of discovery relies on the secrecy of the 48-bit MAC address of the Bluetooth adapter. Even when disabled, Bluetooth devices may be discovered by guessing the MAC address. The first 24 bits are the OUI, which may be easily guessed; the last 24 bits may be determined via brute-force attack. For example, many Nokia phones use the OUI of 00:02:EE. If an attacker knows that a target device is a Nokia phone, the remaining challenge is guessing the last 24 bits of the MAC address.

Another option is to create a VLAN on the original switch, as shown in Figure 5.22. That switch has two VLANs, and acts as two virtual switches: a computer switch and a server switch.

The VLAN in Figure 5.22 has two broadcast domains. Traffic sent to MAC address FF:FF:FF:FF:FF:FF by computers 1-3 will reach the other computers, but not the servers on the Server VLAN. Inter-VLAN communication requires layer 3 routing, discussed in the next section.

VLANs may also add defense-in-depth protection to networks; for example, using VLANs to segment data and management network traffic.

Architecturally, implementing widespread traditional port isolation/PVLANs has seemed to prove cumbersome for many organizations. However, with heavily virtualized infrastructures, port isolation has found a resurgence. Port isolation can prove tremendously useful in multi-tenant environments to help ensure isolation amongst customers being serviced by the same hypervisor. Likewise, even in internal virtual infrastructures, there are often systems that have no need of direct access to one another, but are fronted by the same hypervisor. Port isolation can help to ensure logical segmentation even within a single vswitch (virtual switch).

One drawback to using a switch SPAN port is port bandwidth overload. A 100-megabit, 24-port switch can mirror twenty-three 100-megabit streams of traffic to a 100-megabit SPAN port. The aggregate traffic could easily exceed 100 megabits, meaning the SPAN port (and connected NIDS) will miss traffic.

Here is an example of a typical home LAN network configuration:

The firewall has an internal and external interface, with IP addresses of 192.168.1.1 and 192.0.2.2, respectively. Internal (trusted) hosts receive addresses on the 192.168.1.0/24 subnet via DHCP. Internet traffic is NAT-translated to the external firewall IP of 192.0.2.2. The static default route for internal hosts is 192.168.1.1. The default external route is 192.0.2.1. This is a router owned and controlled by the ISP.

The network in Figure 5.23 has redundant paths between all four sites. Should any single circuit or site go down, at least one alternate path is available. The fastest circuits are the 45-megabit T3s that connect the data center to each office. Additional 1.5 megabit T1s connect Office A to B, and B to C.

Should the left-most T3 circuit go down, between the Data Center and Office A, there are multiple paths available from the data center to Office A: the fastest is the T3 to Office B, and then the T1 to Office A.

You could use static routes for this network, preferring the faster T3s over the slower T1s. The problem: what happens if a T3 goes down? Network engineers like to say that all circuits go down…eventually. Static routes would require manual reconfiguration.

Routing protocols are the answer. The goals of routing protocols are to automatically learn a network topology, and learn the best routes between all network points. Should a best route go down, backup routes should be chosen, and chosen quickly. And ideally this should happen, even while the network engineers are asleep.

Convergence means that all routers on a network agree on the state of routing. A network that has had no recent outages is normally “converged”: all routers see all routes as available. Then a circuit goes down. The routers closest to the outage will know right away; routers that are further away will not. The network now lacks convergence: some routers believe all circuits are up, while others know one is down. A goal of routing protocols is to make convergence time as fast as possible.

Routing protocols come in two basic varieties: Interior Gateway Protocols (IGPs), like RIP and OSPF, and Exterior Gateway Protocols (EGPs), like BGP. Private networks like Intranets use IGPs, and EGPs are used on public networks like the Internet. Routing protocols support Layer 3 (Network) of the OSI model.

The lack of state makes packet filter firewalls less secure, especially for sessionless protocols like UDP and ICMP. In order to allow ping via a firewall, both ICMP Echo Requests and Echo Replies must be allowed, independently: the firewall cannot match a previous request with a current reply. All Echo Replies are usually allowed, based on the assumption that there must have been a previous matching Echo Request.

The packet filtering firewall shown in Figure 5.25 allows outbound ICMP echo requests and inbound ICMP echo replies. Computer 1 can ping bank.example.com. The problem: an attacker at evil.example.com can send unsolicited echo replies, which the firewall will allow.

UDP-based protocols suffer similar problems. DNS uses UDP port 53 for small queries, so packet filters typically allow all UDP DNS replies on the assumption that there must have been a previous matching request.

Computer 1 sends an ICMP Echo Request to bank.example.com in Figure 5.26. The firewall is configured to allow ping to Internet sites, so the stateful firewall allows the traffic, and adds an entry to it state table.

An Echo Reply is then received from bank.example.com to Computer 1 in Figure 5.26. The firewall checks to see if it allows this traffic (it does), and then checks the state table for a matching echo request in the opposite direction. The firewall finds the matching entry, deletes it from the state table, and passes the traffic.

Then evil.example.com sends an unsolicited ICMP Echo Reply. The stateful firewall, shown in Figure 5.26, sees no matching state table entry, and denies the traffic.

Proxies terminate connections. Figure 5.27 shows the difference between TCP Web traffic from Computer 1 to bank.example.com passing via a stateful firewall and a proxy firewall. The stateful firewall passes one TCP three-way handshake between Computer 1 and bank.example.com. A packet filter will do the same.

The proxy firewall terminates the TCP connection from Computer 1, and initiates a TCP connection with bank.example.com. In this case, there are two handshakes: Computer 1 → Proxy, and Proxy → bank.example.com.

Like NAT, a proxy hides the origin of a connection. In the lower half of Figure 5.27, the source IP address connecting to bank.example.com belongs to the firewall, not Computer 1.

CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication protocol that does not expose the cleartext password, and is not susceptible to replay attacks. CHAP relies on a shared secret: the password. The password is securely created (such as during account enrollment) and stored on the CHAP server. Since both the user and the CHAP server share a secret (the plaintext password), they can use that secret to securely communicate.

To authenticate, the client first creates an initial (unauthenticated) connection via LCP (Link Control Protocol). The server then begins the three-way CHAP authentication process:

If the responses are identical, the user must have entered the appropriate password, and is authenticated. If they are different, the user entered the wrong password, and access is denied.

The CHAP server may re-authenticate by sending a new (and different) challenge. The challenges must be different each time; otherwise an attacker could authenticate by replaying an older encrypted response.

A drawback of CHAP is that the server stores plaintext passwords of each client. An attacker who compromises a CHAP server may be able to steal all the passwords stored on it.

The major 802.1X roles are:

EAP addresses many issues, including the “roaming infected laptop” problem. A user with an infected laptop plugs into a typical office network and requests an IP address from a DHCP server. Once given an IP, the malware installed on the laptop begins attacking other systems on the network.

By the time the laptop is in a position to request an IP address, it is already in a position to cause harm on the network, including confidentiality, integrity, and availability attacks. This problem is most acute on WLANs (where an outside laptop 100 feet away from a building may be able to access the network). Ideally, authentication should be required before the laptop can join the network: EAP does exactly this.

Figure 5.32 shows a supplicant successfully authenticating and connecting to an internal network. Step 1 shows the Supplicant authenticating via EAPOL (EAP Over LAN), a Layer 2 EAP implementation. Step 2 shows the Authenticator receiving the EAPOL traffic, and using RADIUS or Diameter to carry EAP traffic to the Authentication Server (AS). Step 3 shows the Authenticator allowing Supplicant access to the internal network after successful authentication.

There are many types of EAP; we will focus on EAP-MD5, LEAP, EAP-FAST, EAP-TLS, EAP-TTLS, and PEAP:

PPP (Point-to-Point Protocol) is a Layer 2 protocol that has largely replaced SLIP. PPP is based on HDLC (discussed previously), and adds confidentiality, integrity, and authentication via point-to-point links. PPP supports synchronous links (such as T1s) in addition to asynchronous links such as modems.

L2TP (Layer 2 Tunneling Protocol) combines PPTP and L2F (Layer 2 Forwarding, designed to tunnel PPP). L2TP focuses on authentication and does not provide confidentiality: it is frequently used with IPsec to provide encryption. Unlike PPTP, L2TP can also be used on non-IP networks, such as ATM.

Though initially Web-focused, SSL or TLS may be used to encrypt many types of data, and can be used to tunnel other IP protocols to form VPN connections. SSL VPNs can be simpler than their IPsec equivalents: IPsec makes fundamental changes to IP networking, so installation of IPsec software changes the operating system (which requires super-user privileges). SSL client software does not require altering the operating system. Also, IPsec is difficult to firewall; SSL is much simpler.

ISDN devices are called terminals. ISDN Basic Rate Interface (BRI) service provides two 64K digital channels (plus a 16K signaling channel) via copper pair. A PRI (Primary Rate Interface) provides twenty-three 64K channels, plus one 16K signaling channel.

ISDN never found widespread home use; it was soon eclipsed by DSL and cable modems. ISDN is commonly used for teleconferencing and videoconferencing.

Common types of DSL are Symmetric Digital Subscriber Line (SDSL, with matching upload and download speeds), Asymmetric Digital Subscriber Line (ADSL, featuring faster download speeds than upload), and Very High Rate Digital Subscriber Line (VDSL, featuring much faster asymmetric speeds). Another option is HDSL (High-data-rate DSL), which matches SDSL speeds using two pairs of copper; HDSL is used to provide inexpensive T1 service.

Symmetric DSL is also called Single-Line DSL. An advantage of ADSL is that it allows the simultaneous use of a POTS line, often filtered from the DSL traffic. As a general rule, the closer a site is to the Central Office (CO), the faster the available service.

Table 5.9 summarizes the speeds and modes of DSL.

Unlike DSL, Cable Modem bandwidth is typically shared with neighbors on the same network segment.

Caller ID is a similar method: in addition to username and password, it requires calling from the correct phone number. Caller ID can be easily forged: many phone providers allow the end user to select any Caller ID number of their choice. This makes Caller ID a weak form of authentication.

Remotely accessing consoles has been common practice for decades with protocols such as the clear-text and poorly authenticated rlogin and rsh on Unix-like operating systems, which leverage TCP port 513 and TCP port 514, respectively. Two common modern protocols providing for remote access to a desktop are Virtual Network Computing (VNC), which typically runs on TCP 5900 and Remote Desktop Protocol (RDP), which typically runs on TCP port 3389. VNC and RDP allow for graphical access of remote systems, as opposed to the older terminal-based approach to remote access. RDP is a proprietary Microsoft protocol.

Increasingly, users are expecting easy access to a graphical desktop over the Internet that can be established quickly and from any number of personal devices. These expectations can prove difficult with traditional VNC and RDP based approaches, which, for security purposes, are frequently tunneled over an encrypted channel such as a VPN.

A recent alternative to these approaches is to use a reverse tunnel, which allows a user who established an outbound encrypted tunnel to connect back in through the same tunnel. This usually requires a small agent installed on the user’s computer that will initiate an outbound connection using HTTPS over TCP 443. This connection will terminate at a central server, which the user can authenticate to (from outside the office) to take control of their office desktop machine. Two of the most prominent solutions that employ this style of approach are Citrix’ GoToMyPC and LogMeIn.

As opposed to providing a full desktop environment, an organization can choose to simply virtualize key applications that will be served centrally. Like desktop virtualization, the centralized control associated with application virtualization allows the organization to employ strict access control, and perhaps more quickly patch the application. Additionally, application virtualization can also be used to run legacy applications that would otherwise be unable to run on the systems employed by the workforce.

While the terms and particulars of the approach are relatively new, the underlying concepts of both desktop and application virtualization have existed for decades in the form of thin clients, mainframes, and terminal servers. The main premise of both the refreshed and more traditional approaches is that there might be organizational benefits to having more centralized and consolidated computing systems and infrastructure rather than a large number of more complex systems. In addition to general “economies of scale” justifications, there could be security advantages too from more tightly controlled desktop and application environments. Patching more complex applications in a centralized environment can be easier to manage. Likewise, developing and maintaining desktops to a security baseline can be easier to accomplish when there is one, or even several, central master images that determine the settings of each corresponding virtual desktop.

An older instant messaging protocol is IRC (Internet Relay Chat), a global network of chat servers and clients created in 1988 and remaining very popular even today. IRC servers use TCP port 6667 by default, but many IRC servers run on nonstandard ports. IRC can be used for legitimate purposes, but is also used by malware, which may “phone home” to a command-and-control channel via IRC (among other methods).

Other chat protocols and networks include AOL Instant Messenger (AIM), ICQ (short for “I seek you”), and Extensible Messaging and Presence Protocol (XMPP) (formerly known as Jabber).

Chat software may be subject to various security issues, including remote exploitation, and must be patched like any other software. The file sharing capability of chat software may allow users to violate policy by distributing sensitive documents, and similar issues can be raised by the audio and video sharing capability of many of these programs. Organizations should have a policy controlling the use of chat software and technical controls in place to monitor and, if necessary, block their usage.

Many of these solutions are designed to tunnel through outbound SSL or TLS traffic, which can often pass via firewalls and any Web proxies. If a site’s remote access policy requires an IPsec VPN connection using strong authentication to allow remote control of an internal PC, these solutions may bypass existing controls (such as a requirement for strong authentication) and violate policy. Usage of remote meeting technologies should be understood, controlled, and compliant with all applicable policy.

PDAs have become increasingly networked, offering 802.11 and in some cases cellular networking. PDAs have become so powerful that they are sometimes used as desktop or laptop replacements. Note that the term “PDA” has become dated (“mobile device” is more common), but is still used on the exam.

Some devices, such as the Apple iPod, remain dedicated PDAs (with audio and video capability). Most PDAs have converged with cell phones into devices called smart phones (such as the Apple iPhone and Blackberry smart phones).

Two major issues regarding PDA security are loss of data due to theft or loss of the device, and wireless security. Sensitive data on PDAs should be encrypted, or the device itself should store minimal amount of data. A PIN should be used to lock the device, and the device offering remote wipe capability (the ability to remotely erase the device in case of loss or theft) is an important control.

PDAs should use secure wireless connections. If Bluetooth is used, sensitive devices should have automatic discovery disabled, and owners should consider the Bluetooth risks discussed in the previous section.

A WAP browser is a microbrowser, simpler than a full Web browser, and requiring fewer resources. It connects to a WAP gateway, which is a proxy server designed to translate Web pages. The microbrowser accesses sites written (or converted to) WML (Wireless Markup Language), which is based on XML.

CDNs also increase availability and can reduce the effects of denial of service attacks: “While content delivery networks also solve ancillary problems such as improving global availability and reducing bandwidth, the main problem they address is latency: the amount of time it takes for the host server to receive, process, and deliver on a request for a page resource (images, CSS files, etc.). Latency depends largely on how far away the user is from the server, and it’s compounded by the number of resources a web page contains.

For example, if all your resources are hosted in San Francisco, and a user is visiting your page in London, then each request has to make a long round trip from London to SF and back to London. If your web page contains 100 objects (which is at the low end of normal), then your user’s browser has to make 100 individual requests to your server in order to retrieve those objects.

Typically, latency is in the 75–140ms range, but it can be significantly higher, especially for mobile users accessing a site over a 3G network. This can easily add up to 2 or 3 seconds of load time, which is a big deal when you consider that this is just one factor among many that can slow down your pages. [11]