Chapter 7. Communications and Network Security

If you have spent some time working in the network security domain, you might need only a quick review of the material. If your work has led you to concentrate in other domains, you will want to spend adequate time here, reviewing the material to make sure you have the essential knowledge needed for the exam.

Before we can begin to build these layers of defense, we need to start by understanding the basic building blocks of the network and discussing network models and standards like the Open Systems Interconnect (OSI) and TCP/IP network standards.

Interoperability

Availability

Flexibility

Maintainability

Many groups have been working toward meeting this challenge, including the following organizations:

International Organization for Standardization (ISO)

Institute of Electrical and Electronics Engineers (IEEE)

Internet Engineering Task Force (IETF)

International Telecommunication Union—Telecommunications Standardization Sector (ITU-T)

The next section discusses the ISO model in detail.

The OSI model is designed so that network communication is passed down the stack, from layer to layer. Information to be transmitted is put into the application layer, and ends at the physical layer. Then, it is transmitted over the medium (wire, coaxial, optical, or wireless) toward the target device, where it travels back up the stack to the application. Starting at the bottom of the stack and working up the seven layers of the OSI model are the physical, data link, network, transport, session, presentation, and application. Most people remember this order by using one of the many acronyms that have been thought up over the years. My favorite one is “Please Do Not Throw Sausage Pizza Away”:

Please (physical—Layer 1)

Do (data link—Layer 2)

Not (network—Layer 3)

Throw (transport—Layer 4)

Sausage (session—Layer 5)

Pizza (presentation—Layer 6)

Away (application—Layer 7)

For a better understanding of how the OSI model works, we’ll start at the bottom of the stack and work our way up. Figure 7.1 illustrates the OSI model.

Copper cabling

Fiber cabling

Wireless system components

Wall jacks and connectors

Ethernet hubs and repeaters

At Layer 1, bit-level communication takes place. The bits have no defined meaning on the wire, but the physical layer defines how long each bit lasts and how it is transmitted and received. Standards and specifications found at the physical layer include

High-Speed Serial Interface (HSSI)

V.24 and V.35

EIA/TIA-232 and EIA/TIA-449 (where EIA/TIA stands for Electronic Industries Alliance/Telecommunications Industry Association)

X.21

Bridges

Switches

NICs (network interface cards)

MAC (Media Access Control) addresses

The data link layer organizes the data into frames. A frame is a logical structure in which data can be placed. The data link layer is responsible for stripping off the header of the data frame, leaving a data packet, which passes up to the network layer. Some of the protocols found at the data link layer include the following:

Layer 2 Forwarding (L2F)

Layer 2 Tunneling Protocol (L2TP)

Fiber Distributed Data Interface (FDDI)

Integrated Services Digital Network (ISDN)

Serial Line Internet Protocol (SLIP)

Point-to-Point Protocol (PPP)

Internet Protocol (IP) (IPv4, IPv6, IPsec)

Internetwork Packet Exchange (IPX)

Internet Control Message Protocol (ICMP)

Open Shortest Path First (OSPF)

Border Gateway Protocol (BGP)

Internet Group Management Protocol (IGMP)

Transmission Control Protocol (TCP), a connection-oriented protocol that provides reliable communication using handshaking, acknowledgments, error detection, and session teardown.

User Datagram Protocol (UDP), a connectionless protocol that offers speed and low overhead as its primary advantage. Applications that use UDP must provide their own forms of error recovery because the protocol does not have this feature built in.

Remote Procedure Call (RPC)

Structured Query Language (SQL)

Secure Sockets Layer (SSL)

Network File System (NFS)

American Standard Code for Information Interchange (ASCII)

Extended Binary-Coded Decimal Interchange Code (EBCDIC)

Joint Photographic Experts Group (JPEG)

Musical Instrument Digital Interface (MIDI)

Tagged Image File Format (TIFF)

File Transfer Protocol (FTP)

Line Print Daemon (LPD)

Telnet

Simple Mail Transfer Protocol (SMTP)

Trivial File Transfer Protocol (TFTP)

Hypertext Transfer Protocol (HTTP)

Post Office Protocol version 3 (POP3)

Internet Message Access Protocol (IMAP)

Simple Network Management Protocol (SNMP)

Electronic Data Interchange (EDI)

1. A message is created at the application layer.

2. The message or protocol data unit (PDU) is passed to the presentation layer. Information and a checksum, known as a header, are added.

3. The information is passed down to the session layer and the process is repeated. This continues until the data reaches the data link layer.

4. At the data link layer, a header and trailer are added. Now the data is said to be a frame. When Ethernet is used for this process, the trailer is a cyclic redundancy check (CRC).

5. The frame is passed to the physical layer and converted to signals appropriate for the transmission medium.

The de-encapsulation process starts when the message reaches the recipient. The headers at each layer are stripped off as the data moves back up the stack. The only layer that physically communicates is the physical layer. Processes running at higher layers, say Layer 7, communicate logically as if they were directly connected at Layer 1, even though they are not. Figure 7.2 shows an example of this.

It is of critical importance to remember that the TCP/IP model was originally developed as a flexible, fault-tolerant network. Security was not a driving concern. The network was designed to specifications that could withstand a nuclear strike destroying key routing nodes. The designers of this original network never envisioned the Internet we use today. Therefore, many of the original TCP/IP protocols seem dated and insecure now. Protocols like FTP, Telnet, and RIP (Routing Information Protocol) all suffer from security problems. As an example, Telnet’s security was designed to mask the screen display of passwords the user typed because the designers didn’t want shoulder surfers stealing passwords; however, the passwords themselves are then sent in clear text on the wire. Little concern was given to the fact that an untrusted party might have access to the wire and be able to sniff the clear text password. FTP is also a clear text protocol; it uses both ports TCP/20 and TCP/21 for data and control. Many of the security mechanisms used in IPv4, such as IPSec, are add-ons to the original protocol suite.

Ethernet is the most commonly used LAN frame type. Ethernet uses Carrier Sense Multiple Access Collision Detection (CSMA/CD). Ethernet frames are addressed with MAC addresses that identify the source and destination devices. MAC addresses are 6 bytes long and are intended to be unique to the NIC in which they are burned. The first three bytes, known as the organizational unique identifier (OUI) are unique to the manufacturer. As an example, Cisco owns OUI 00-00-0C. Any NIC with a MAC address that begins with 00:00:0C is a Cisco NIC. Cisco can then assign this portion of the address until all possible values have been exhausted, at which point a new OUI is needed. Occasionally, though, vendors repeat addresses as they cycle through series.

Sometimes vendors also provide features in the NIC driver to change the MAC address to a unique locally administered address. Third-party programs are available that allow attackers to spoof MAC addresses. Network layer security standards:

802.1AE (MACsec) defines a security standard designed to provide confidentiality, integrity, and data origin authentication. MACsec frame formats are similar to the Ethernet frame but include Security Tags, Message authentication codes (ICV), Secure Connectivity Associations, and default cipher suites (Galois/Counter Mode of Advanced Encryption Standard cipher with 128-bit key).

802.1AR ensures the identity of the trusted network components. This standard uses unique per-device identifiers (DevID) along with the cryptography to bind a specific device to a unique identifiers.

Although an in-depth knowledge of the header is not needed for the test, complete details can be found in Request for Comments (RFC) 791. Examination of the structure of IP packets might not be the most exciting part of security work, but a basic understanding is extremely helpful in recognizing the many attacks based on manipulation of these packets. For example, in a teardrop attack, the Total Length field and Fragmentation fields are modified so that fragments are incorrectly overlapped. Fragmentation and source routing are two potential security issues with IPv4.

If IP needs to transmit a datagram larger than the network access layer allows, the datagram must be divided into smaller packets. Not all network topologies are capable of handling the same datagram size; therefore, fragmentation is an important function of IP. And as IP packets pass through routers, the needs of the upcoming network access layer may change again. IP is responsible for reading the acceptable size for the network access layer. If the existing datagram is too large, IP performs fragmentation and divides the datagram into two or more packets. Each fragmented packet is labeled with the following bits:

Length—The length specified is the total length of the fragment.

Offset—Specifies the distance from the first byte of the original datagram.

More—Indicates whether this fragment has more fragments following it or is the last in the series of fragments.

Loose source routing and strict source routing are other options that IP supports. These options allow a pseudo-routing path to be specified between the source and the target. Although potentially useful in certain situations, attackers can use this functionality to set up a man-in-the-middle attack.

Internet Protocol version 6 (IPv6) is the newest version of IP and is the designated replacement for IPv4, as shown in Figure 7.3. IPv6 brings many improvements to modern networks. One of these is that the address space moves from 32 bits to 128 bits. Also, IPv4 uses an option field. IPv6 does not support broadcast traffic; instead, IPv6 uses a link-local scope as an all-nodes multicast address. IPv6 can use multiple addresses, including a global and a local-link. A global (routable) address is used for communication beyond the local network. IPv6 relies on IPv6 routing advertisements to assign the global address. The link-local address is used for local network communication only. IPv6-enabled devices create a link-local address independently. There is no need for an IPv6 router advertisement for the creation of a local-link address.

IPv6 offers built-in support for IPsec so that greater protection exists for data during transmission, and it offers end-to-end data authentication and privacy. With the move to IPv6, Network addess transulation (NAT) will no longer be needed. However, with so many IPv4 networks in place, there is a need for transition mechanisms for migrating from IPv4 to IPv6. Two of these mechanisms are:

6to4—an Internet transition mechanism for migrating from IPv4 to IPv6 that allows IPv6 packets to be transmitted over an IPv4 network.

Teredo—another transition technology that can be used for IPv6-capable hosts that are on the IPv4 Internet and that have no native connection to an IPv6 network.

When IPv6 is fully deployed, one protocol that will no longer be needed is ARP. IPv6 does not support ARP, and instead uses Network Discovery Protocol (NDP). DHCP is also not required with IPv6. It can be used but has been replaced with stateless autoconfiguration. Common routing protocols to be used with IPv6 include RIPng, OSPFv3, IS-ISv2, and EIGRPv6. To date, Asia has a higher adoption rate of IPv6 compared to the United States.

All ICMP messages follow the same basic format. The first byte of an ICMP header indicates the type of ICMP message. The following byte contains the code for each particular type of ICMP. Table 7.2 lists the eight most common ICMP types. A complete list of all ICMP parameters is at www.iana.org/assignments/icmp-parameters.

One of the most common ICMP types is a ping. Although ICMP can be very helpful, it is also valued by attackers because it can be manipulated and used for a variety of attacks including ping of death, Smurf, timestamp query, netmask query, and redirects.

Attackers can manipulate ARP because it is a trusting protocol. Two well-known attacks include ARP poisoning and ARP flooding. ARP poisoning is possible as a host will accept bogus ARP responses as valid because it cannot tell the difference between a bogus and valid reply. Such attacks can be used to intercept traffic bound for the gateway or can be used to facilitate an attack against a targeted host. ARP poisoning allows attackers to redirect traffic on a switched network. ARP attacks play a role in a variety of man-in-the middle attacks, spoofing, and session-hijacking attacks.

Each of these protocols has its pros and cons, and developers select one or the other depending on what they are trying to accomplish via the network. Generally, trivial and ad-hoc exchanges across the network are done in a connectionless manner (UDP). More persistent network relationships are largely handled with connection-oriented solutions (TCP), especially when a substantial amount of data is being transferred.

At the host-to-host layer, you will find the capability for error checking and retransmission. This ensures that all connection-oriented messages sent will arrive intact at the receiving end. A checksum or similar mechanism is generally used to ensure message integrity. Retransmission strategies vary; for example, in the case of TCP, data not positively acknowledged by the recipient in a timely way is retransmitted.

Although there are actually 8 fields (bits) in the 1 byte reserved for flags, the upper two were not defined until 2001 and are not widely used. These include the CWR (Congestion Window Reduced) and ECN (Explicit Congestion Notification Echo) flags.

TCP provides reliable communication by performing formal startup and shutdown handshakes. The TCP three-step handshake occurs before any data is sent. Figure 7.5 illustrates the three-step startup and four-step shutdown.

The flags used to manage three-step startup are SYN and ACK, whereas RST and FIN are used to tear down a connection. FIN is used during a normal four-step shutdown, whereas RST is used to signal the end of an abnormal session. Between the startup and shutdown, TCP guarantees delivery of data by using sequence and acknowledgment numbers. Vulnerabilities that exist at this layer include the TCP sequence number attack that results in session hijacking, and the port-based attack of SYN flooding.

UDP can be used for services like IPTV (Internet Protocol Television), video multicast, and Voice over IP (VoIP). UDP in VoIP is primarily used for the voice connection portion of the call, and TCP is used for the setup and call control for the actual call. UDP is ideally suited for such applications that require fast delivery. UDP does not use sequence and acknowledgment numbers.

A complete list of ports is at www.iana.org/assignments/port-numbers. Some of the more common well-known applications and their associated ports are as follows:

File Transfer Protocol—FTP is a TCP service and operates on ports 20 and 21. This application moves files from one computer to another. Port 20 is used for the data stream and transfers the data between the client and the server. Port 21 is the control stream and is used to pass commands between the client and the FTP server. Attacks on FTP commonly target clear-text passwords that can be sniffed. FTP is one of the most commonly targeted services.

Telnet—Telnet is a TCP service that operates on port 23. Telnet enables a client at one site to establish a remote session with a host at another site. The program passes the information typed at the client’s keyboard to the host computer system. Telnet can be configured to allow anonymous connections, but should be configured to require usernames and passwords. Unfortunately, even then, Telnet sends them in clear text. When a user is logged in, he or she can perform any task allowed by their user permissions. Applications like Secure Shell version 2 (SSHv2) should be considered as a replacement.

Simple Mail Transfer Protocol—This TCP service operates on port 25. It is designed for the exchange of electronic mail between networked systems. Messages sent through SMTP have two parts: an address header and the message text. All types of computers can exchange messages with SMTP. Spoofing, spamming, and open/misconfigured mail relays are several of the vulnerabilities associated with SMTP.

Domain Name Service—This application operates on port 53 and performs address translation. DNS converts fully qualified domain names (FQDNs) into numeric IP addresses or IP addresses into FQDNs. This system works in a similar way to a phone directory that enables users to remember domain names (such as examcram2.com) instead of IP addresses (such as 114.112.18.23). On some small networks, Network Information Service (NIS) can be used in place of DNS to provide nameserver information and distribute system configuration information. DNS uses UDP for DNS queries and TCP for zone transfers. DNS is subject to poisoning and, if misconfigured, can be solicited to perform a full zone transfer. Security DNS (DNSSEC) is an alternative to DNS. With DNSSEC, the DNS server provides a signature and digitally signs every response. For DNSSEC to function properly, authentication keys have to be distributed before use. Otherwise, DNSSEC is of little use if the client has no means to validate the authentication. You can read more about DNSSEC at www.dnssec.net.

Bootstrap Protocol (BootP)—BootP is used to download operating parameters to thin clients and is the forerunner to the Dynamic Host Configuration Protocol (DHCP). Both protocols are found on UDP ports 67 and 68.

Trivial File Transfer Protocol (TFTP)—TFTP operates on port 69. It is considered a down-and-dirty version of FTP because it uses UDP to cut down on overhead, and is intended for very small files. It not only copies files without the session management offered by TCP, but it also requires no authentication, which could pose a big security risk. It is typically used to transfer router configuration files and to configure cable modems for cable companies.

Hypertext Transfer Protocol—HTTP is a TCP service that operates on port 80, and is one of the most well-known protocols that reside at the application layer. HTTP has helped make the Web the popular protocol it is today. The HTTP connection model is known as a stateless connection. HTTP uses a request-response protocol in which a client sends a request and a server sends a response. Attacks that exploit HTTP can target a server, a browser, or scripts that run on the browser. Nimda is an example of code that targets a web server.

Internet Message Authentication Protocol—IMAPv4 is an alternative to POP3 that operates on port 143. IMAPv4 offers advantages over POP3, such as enhanced functionality in manipulating a user’s inbox, the capability to better manage mail folders, and optimized online performance. With IMAPv4, email is stored on the mail server and can be accessed from any IMAPv4 email client on the network. With POP3 email is downloaded to the mail client where it is accessed.

Simple Network Management Protocol—SNMP is a UDP service that operates on ports 161 and 162. It was envisioned to be an efficient and inexpensive way to monitor and remotely configure networks. The SNMP protocol allows agents to gather information, including network statistics, and report back to their management stations. Most large corporations have implemented some type of SNMP management. Some of the security problems that plague versions 1 and 2 of SNMP are caused by the fact that community access strings are passed as clear text and the default community strings (public/private) are well known. SNMP version 3 is the most current form and offers encryption for more robust security.

Secure Sockets Layer—SSL operates on port 443 and is a secure protocol used to connect to an untrusted network. SSL uses a two-part process to establish communications, and is based on hybrid cryptography. It is the encryption used in HTTPS. Attacks against SSL can be launched if a targeted system supports weak ciphers. In such a situation, an attacker might be able to manipulate the system so that encrypted data is downgraded or even deciphered to achieve access to sensitive data.

Line Printer Daemon—LPD operates on TCP port 515 and is a network protocol used to spool and deliver print jobs to printers.

Lightweight Directory Access Protocol—LDAP operates on TCP. LDAP was created as a means to access X.500 directory services. X.500 is a series of computer networking standards covering electronic directory services. LDAP had no data encryption method in versions 1 and 2, whereas version 3 has a much greater security model built in and is supported by TLS.

Routing Information Protocol—RIP operates on port 520 and allows routing information to be exchanged between routers on an IP network. Even though RIP is usually listed as part of Layer 3, as are the other routing protocols, it is an application. RIP uses UDP ports to send and receive routing information. The original version of RIP has no security and bogus RIP updates can be used to launch DoS attacks.

Pretty Good Privacy (PGP)—PGP was developed in 1991 as a free email security application. PGP v5 uses port 11371. PGP was designed to offer military grade encryption, and works well at securing email. Unlike public key infrastructure (PKI), PGP works by using a web of trust. Users distribute and sign their own public keys. Unlike the PKI certificate authority, this web of trust requires users to determine how much they trust the party they are about to exchange keys with. PGP is a hybrid cryptosystem in that it uses both public and private encryption. Sample algorithms PGP can use include Triple DES and Twofish for symmetric encryption, and RSA for asymmetric encryption.

Although there are hundreds of ports and corresponding applications, in practice only a few hundred are in common use. CISSP exam questions on ports will most likely be focused on common ports like these shown in Table 7.6.

A section of a one-story building

The whole floor of a small building

Several buildings on a small campus

IEEE 802.3

IEEE 802.3 with Logical Link Control (LLC)

IEEE 802.3 with Subnetwork Access Protocol (SNAP)

Although the CISSP exam will not delve very far into the specifics of Ethernet, it is helpful to know the size and structure of these frames. Not including the preamble, an Ethernet frame ranges from 64 to 1,518 bytes. The Ethernet frame uses 18 bytes for control information; therefore, the data in an Ethernet frame can be between 46 and 1,500 bytes long. Figure 7.7 illustrates an 802.3 Ethernet frame.

An older LAN wired networking protocol is token ring, which functions by arranging all the systems in a circle. A special packet, known as a token, travels around the circle. If any device needs to send information, it must capture the token, attach a message to it, and then let it continue to travel around the network.

Baseband—Baseband transmissions use the entire medium to transport a single channel of communication. Ethernet is an example of this baseband transmission scheme.

Broadband—Broadband can support many channels and frequencies on its backbone. Two good examples of broadband are cable television and digital subscriber lines (DSL).

Many types of cables can be used for network communications including the following:

Coaxial cable—Coax cable consists of a single solid-copper wire core to carry data signals. This wire is insulated with a Teflon or plastic material, called a dielectric, which is covered with braided shielding used as the signal ground. The entire cable is then coated with plastic (see Figure 7.11). Common types include RG-6 and RG-59. Connectors are typically either BNC or F-connector. Although it was widely used in the early days of networking, its usage has waned.

Twisted pair—If you’re in an office, you will probably notice that twisted-pair wiring is being used to connect your computer to a wall jack located nearby. The most common connector terminating this wiring is the RJ-45. Twisted pair can be purchased in a many varieties, one of which is unshielded twisted pair (UTP). UTP is unshielded copper wires, twisted around each other, and insulated in plastic. Not only is it easy to work with, but it is also generally inexpensive. Shielded twisted pair (STP) cable comprises individually insulated twisted wire pairs, as with UTP, but has an additional shielding made of a metallic substance, such as foil. This additional shielding offers support against electromagnetic interference. The primary drawbacks to copper cabling are that it is vulnerable to being tapped and it emanates electrical energy that could possibly be intercepted. The most common types of cabling include: CAT3, CAT5, CAT5e, CAT6, CAT6a, and CAT7. Wiring standards include T568A and T568B. Table 7.7 specifies many table types, lengths, and topologies.

Fiber-optic cable—Whereas twisted pair cable and coax cable rely on copper wire for data transmissions, fiber uses glass. These strands of glass carry light waves encoded to signal the data being transmitted. Common connector types include SC, ST, and LC. Fiber has several advantages, including greater bandwidth, and is somewhat more secure from physical tapping. Basically, two types of fiber cables are in use. They are constructed differently to handle different types of light:

Multimode fiber—Typically used in LANs and powered by light-emitting diodes (LEDs).

Single-mode fiber—Typically used in WANs and powered by laser light.

Although it is nice to know two computers can communicate locally via a local area network (LAN), most need the capability to communicate over a larger geographical region. To communicate between neighboring buildings, a campus area network (CAN) can be used. For those that need to communicate on a citywide level, the metropolitan area network (MAN) was created. A MAN is a network that interconnects a region larger than that covered by a LAN. It can include a city, geographic region, or large area.

If you work for a company that owns several buildings located in different states or countries, that network is part of a wide area network. A WAN spans a geographic distance that is too large for LANs and MANs. WANs are connected by routers. When two LANs are connected together over a distance, they form a WAN.

You might think that just about covers the different network types, but there is one more worth mentioning. Global Area Networks (GANs) offer the interconnection of terminals that do not have a geographical limitation. A GAN can connect computers from various countries or localities from around the world.

Internet Small Computer System Interface (iSCSI)—A SAN standard used for connecting data storage facilities and allowing remote SCSI devices to communicate. It does not require any special infrastructure and can run over existing IP LAN, MAN, or WAN networks.

Fiber Channel over Ethernet (FCoE)—Another transport protocol that is similar to iSCSI. FCoE can operate at speeds of 10 GB per second and rides on top of the Ethernet protocol. Although it is fast, it has a disadvantage in that it is non-routable.

Host Bus Adapter (HBA) Allocation—Used to connect a host system to an enterprise storage device. HBAs can be allocated by either soft zoning or by persistent binding. Soft zoning is the most permissive, whereas persistent binding decreases address space and increases network complexity.

LUN Masking—Implemented primarily at the HBA level. It is a number system that makes LUN numbers available to some but not to others. LUN masking implemented at this level is vulnerable to any attack that compromises the local adapter.

Several issues related to SANs include redundancy, replication, snapshots, and duplication. Location redundancy is the concept that data should be accessible from more than one location as a backup. An extra measure of redundancy can be provided by means of a replication service so that data is available even if the main storage backup system fails. Another issue with SANs is the protection of the data. Secure storage management and replication systems are designed to allow a company to manage and handle all corporate data in a secure manner with a focus on the confidentiality, integrity, and availability of the information. The replication service allows for the data to be duplicated and secured so that confidentiality and fault tolerance are achieved. For better fault tolerance, multipath solutions can be used to reduce the risk of data loss or lack of availability by setting up multiple routes between a server and its drives. The multipathing software maintains a listing of all requests, passes them through the best possible path, and reroutes communication if one of the paths dies.

SAN snapshots provide the capability to temporarily stop writing to physical disk to make a point-in-time backup copy. Snapshot software is typically fast and makes a copy quickly, regardless of the drive size.

Finally, am I the only one that ends up with seven different versions of a file? This common problem can be addressed in SANs by means of data de-duplication. It’s simply the process of removing redundant data to improve enterprise storage utilization. Redundant data is not copied. It is replaced with a pointer to the one unique copy of the data. Only one instance of redundant data is retained on the enterprise storage media, such as disk or tape.

Simplex—Communication occurs in one direction.

Half duplex—Communication can occur in both directions, but only one system can send information at a time.

Full duplex—Communication occurs in both directions and both computers can send information at the same time.

Something to consider when choosing cabling is how far you need to propagate the signal. Although each communication approach has specific advantages, they share some common disadvantages. These include attenuation and crosstalk. Attenuation is the reduction of signal. As the signal travels farther away from the transmitting device, the signal becomes weaker in intensity and strength. Therefore, all signals need periodic reamplification and regeneration. Figure 7.12 illustrates an example of attenuation.

Your basic choices for signaling are analog or digital transmissions. Both analog and digital signals vary a carrier wave in frequency and amplitude. Analog signals, however, are harder to clean of noise and to determine where the signal ends and where noise begins.

Hubs have fallen out of favor because of their low maximum throughput. Whenever two or more systems attempt to send packets at the same time on the same hub, there is a collision. As utilization increases, the number of collisions skyrockets and the overall average throughput decreases.

A sample technology that bridges Layer 2 and Layer 3 is known as Multiprotocol Label Switching (MPLS). MPLS is an OSI Layer 2 protocol. MPLS works with high-speed switches. Commercial switches also offer virtual LAN (VLAN) capabilities. Such switches can operate at OSI Layer 3. VLANs allow a group of devices on different physical LAN segments to communicate with each other as if they were all on the same logical LAN.

Switches operate by storing the MAC addresses in a lookup table that is located in random access memory (RAM). This lookup table is also referred to as content addressable memory (CAM). This lookup table contains the information needed to match each MAC address to the corresponding port it is connected to. When the data frame enters the switch, it finds the target MAC address in the lookup table and matches it to the switch port the computer is attached to. The frame is forwarded to only that switch port; therefore, computers on all other ports never see the traffic. Some advantages of a switch are:

Provides higher throughput than a hub

Provides VLAN capability

Can be configured for full duplex

Can be configured to span a port to support IDS/IPS (intrusion detection system/intrusion prevention system), network feed, or for monitoring

Not all switches are made the same. Switches can process an incoming frame in three ways:

Store-and-forward—After the frame is completely input into the switch, the destination MAC is analyzed to block or forward the frame.

Cut-through—This faster design is similar to the store-and-forward switch, but it examines only the first six bytes before forwarding the packet to its rightful owner.

Fragment Free—This is a Cisco Systems design that has a lower error rate.

Cisco Systems: Switched Port Analyzer (SPAN)

3Com: Roving Analysis Port (RAP)

Port mirroring is used to send a copy of network packets seen on one switch port to a network monitoring connection on another switch port. Therefore, if you are using a managed switch, you can configure port mirroring and easily capture and analyze traffic. Although this works well in corporate environments and in situations where you have control of the managed switch, what about situations where the switch is unmanaged or where someone does not have access to the switch? That is when network taps can be used.

A network tap provides another way to monitor the network and see all traffic, much like what you would see if you were using a hub. This functionality acts as a point to intercept traffic. One handy tool to meet this need is with a Throwing Star LAN Tap. This simple little device allows anyone to easily monitor Ethernet communications. You can find out more at greatscottgadgets.com/throwingstar/.

A trunking protocol propagates the definition of a VLAN to the entire local area network. Trunking protocols work by encapsulating the Ethernet frame. Two common trunking protocols include the 802.1Q standard and Cisco’s proprietary Inter-Switch Link (ISL) trunking protocol. The 802.1Q standard places information inside the Ethernet frame, whereas ISL wraps the Ethernet frame.

Trunking security is an important concern in regards to VLANs. A trunk is simply a link between two switches that carries more than one VLAN’s data. A CISSP should be aware that if an attacker can get access to the trunked connection, he can potentially jump from one VLAN to another. This is called VLAN hopping. Making sure that trunked connections are secure so that malicious activity cannot occur is very important.

Class A networks—Consist of up to 16,777,214 client devices. Their address range can extend from 1 to 126.

Class B networks—Host up to 65,534 client devices. Their address range can extend from 128 to 191.

Class C networks—Can have 245 devices. Their address range can extend from 192 to 223.

Class D networks—Reserved for multicasting. Their address range can extend from 224 to 239.

Class E networks—Reserved for experimental purposes. Their addresses range from 240 to 254.

Not all the addresses shown can be used on the Internet. Some addresses have been reserved for private use and are considered nonroutable. These private addresses include the following:

Class A—10.0.0.0

Class B—172.16.0.0 to 172.31.0.0

Class C—192.168.0.0 to 192.168.255.0

Routers can also be used to improve performance by limiting physical broadcast domains. They act as a limited type of firewall with access control lists (ACLs) filtering, and they ease network management by segmenting devices into smaller subnets instead of one large network. The security of a network’s router is paramount. A compromised router can have devastating consequences, especially if it is used as an endpoint for other services, such as IPSec, a VPN, or a firewall.

A routing protocol also has a specific role. A routing protocol sends and receives routing information to and from other routers. A routing protocol’s job is that of the large mechanized mail sort machine. Whereas routed protocols, such as IP, build and address a packet, the routing protocol must decide how to best deliver the packet. In real life, there are many ways to get from point A to point B. Likewise, on the Internet, there are many paths to the target network.

Routing protocols can be placed into several basic categories:

Static routing

Dynamic routing

Default routes

Static, or fixed, routing algorithms are not algorithms at all. They rely on a simple table developed by a network administrator mapping one network to another. Static routing works best when a network is small and the traffic is predicable. The big problem with static routing is that it cannot react to network changes. As networks grow, management of these tables can become difficult. Although this makes static routing unsuitable for use on the Internet or large networks, it can be used in special circumstances where normal routing protocols don’t function well.

Dynamic routing uses metrics to determine which path a router should use to send a packet toward its destination. Dynamic routing protocols include RIP, BGP, IGRP, and OSPF. Dynamic routing takes time as all routers must learn about all possible paths. Convergence is reached when all routers on a network agree on the state of routing.

Default routes are similar to static routes. When default routes are used, the designated route becomes the default path the router uses to transmit packets when the router knows no other route to use.

Each time a router receives packets, it must examine them and determine the proper interface to forward the packets to. Not all routing protocols that routers work with function in the same manner. Dynamic routing protocols can be divided into two broad categories:

Algorithms based on distance-vector protocols

Algorithms based on link-state protocols

Distance-vector protocols are based on Bellman-Ford algorithms, and try to find the best route by determining the shortest path. The shortest path is commonly calculated by hops. Distance-vector routing is also called routing by rumor.

RIP is probably the most common distance-vector protocol currently in use. It is a legacy UDP-based routing protocol that does not use authentication, and determines path by hop count. RIP has a 15-hop count maximum and uses broadcast routing updates to all devices. Later versions of RIP provide authentication in clear text. Although RIP works in small networks, it does not operate successfully in large network environments. RIP makes use of split horizon and poison reverse. Split horizon is a route advertisement that prevents routing loops in distance-vector routing protocols by prohibiting a router from advertising a route back onto the router interface from which it was discovered. Poison reverse is a way in which a gateway node tells its neighbor gateways that you can’t get there from here. It basically means that one of the gateways is no longer connected. Poison reverse sets the number of hops to the unconnected gateway to a number that indicates “infinite”: 16 hops.

One major shortcoming of distance-vector protocols is that the path with the lowest number of hops might not be the optimal route. The path with the lowest hop count could have considerably less bandwidth than a route with a higher hop count.

Link-state protocols are based on Dijkstra algorithms. Unlike distance-vector protocols, link-state protocols determine the best path with metrics like delay or bandwidth. When this path is determined, the router informs other routers of its findings. This is how reliable routing tables are developed and routing tables reach convergence. Link-state routing is considered more robust than distance-vector routing protocols. OSPF is probably the most common link-state routing protocol; it is often used as a replacement for RIP.

OSPF is an improved link-state routing protocol that offers authentication. It is an implementation of a link-state-based routing protocol developed in the mid-1980s to overcome the problems associated with RIP. OSPF has several built-in advantages over RIP that include the use of IP multicasts to send out router updates, no limitation on hop count (as with RIP), better support for load balancing, and fast convergence.

Routing protocols can be further divided and defined as interior or exterior routing protocols. RIP, OSPF, and IS-IS are three examples of interior routing protocols. Interior routing protocols are those used within an organization.

Exterior gateway protocols are used by routers connecting different autonomous systems (AS’s). An example of an exterior routing protocol is BGP. BGP is the core routing protocol used by the Internet. It is based on TCP and is used to connect autonomous systems.

ATM is being surpassed by newer technologies, such as MPLS, which was mentioned earlier. MPLS designers recognized that data didn’t need to be converted into 53-byte cells. MPLS packets can be much larger than ATM cells. MPLS can provide traffic engineering, and enables the creation of VPNs without end-user applications. MPLS can carry many types of traffic, handles addresses via labels, and does not encapsulate header data.

DSL modems are always connected to the Internet; therefore, you do not have to dial in to make a connection. As long as your computer is powered on, it is connected to the Internet and is ready to transmit and receive data. This is the primary security concern of DSL. Unlike the usual lengthy connection time used for dialup service, no waiting time is involved. An advantage of DSL is that it maintains a more fixed speed than cable modems typically do. Table 7.9 details the different DSL types.

Problems with cable modems continue to be discovered. Some cable modems can be hijacked by nothing more than visiting a vulnerable website, as seen here: www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/. Another lingering concern is that of the loss of confidentiality. Individuals have worried about the possibility of sniffing attacks. Most cable companies have addressed this issue by implementing the Data Over Cable Service Interface Specification (DOCSIS) standard. The DOCSIS standard specifies encryption and other security mechanisms that prevent sniffing and protect privacy. DOCSIS is currently at version 3.1.

Switched Multimegabit Data Service (SMDS)—A high-speed, packet-switched service used for MANs and WANs.

Synchronous Data Link Control (SDLC)—Developed by IBM in the 1970s and used to develop HDLC. SDLC is a Layer 2 communication protocol designed for use with mainframes.

High-Level Data Link Control (HDLC)—Uses a frame format to transmit data between network nodes. It supports full duplex communication and is used in SNA (Systems Network Architecture) network architecture.

High-Speed Serial Interface—A connection standard used to connect routers and switches to high-speed networks.

Infrastructure-as-a-Service (IaaS)—IaaS describes a cloud solution where you are buying infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility company model because you pay for what you use.

Software-as-a-Service (SaaS)—SaaS is designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front-end or web portal. Although the end user is free to use the service from anywhere, the company pays a per-use fee.

Platform-as-a-Service (PaaS)—PaaS provides a platform for your use. Services provided by this model include all phases of the system development life cycle (SDLC) and can use application program interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider’s platform.

Dedicated bandwidth

Control of jitter and latency

These are important goals so that real-time traffic like voice and video can coexist with bursty traffic like HTTP. VoIP has replaced most of the circuit-switched POTS phone service that was common years ago. There is a good chance that if you still have a home phone that it’s actually a VoIP connection. Here are some basic characteristics of VoIP:

SIP-based signaling

User-agent client

User-agent server

Three-way handshake

Voice stream carried by RTP

One key concern of VoIP is sniffing because protocols like SIP provide little security by default. Without the proper security controls, sniffing a VoIP call can be as easy as using a tool like Wireshark, a common network sniffer. Security issues related to VoIP include the loss of the data network, which can disable VoIP. Other VoIP vulnerabilities include:

Open network—After the VoIP packets leave the organization’s network, the network is not in charge of where they are routed or who might have access to them.

DoS attacks—Because VoIP uses UDP for portions of the communication process, it is extremely susceptible to disruption or denial of service. VoIP uses an isochronous process in which data must be delivered within strict timelines.

Eavesdropping—Because VoIP relies on UDP and Session Initiation Protocol (SIP), it is an open service and communications can potentially be sniffed and replayed. Other protocols used by various vendors of VoIP products include IAX, IAX2, SCCP, and UNISTIM.

Unauthorized phone use—Services like Skype, GoogleTalk, and so on open the corporate network to exposure to attack and can be a potential policy violation. Such tools can even result in a violation of regulation depending on the industry or how they are used.

Spam over Internet Telephony (SPIT)—SPIT is bulk unsolicited SPAM delivered using the Voice over Internet Protocol.

1G—This generation of phones enabled users to place analog calls on their cell phones and continue their conversations as they moved seamlessly from cell to cell around an area or region.

2G—The second generation changed analog mechanisms to digital cell phones. Deployed in the 1990s, these phones were based on technologies like GSM (Global System for Mobile Communications) and CDMA (Code Division Multiple Access).

3G—The third generation changed the phone into a mobile computer, with fast access to the Internet and additional services. Downstream speeds range from 400 Kbps to several megabits per second.

4G—The fourth generation of cell phones were designed to support TV in real time as well as video downloads at much higher speeds. 4G test systems that have been rolled out in South Korea have been demonstrated to support speeds up to a gigabyte of data per second. However, depending on the environment, some indoor or fringe environments can be as low as 100 Mbps. Two of the most widely deployed standards include Mobile WiMAX and Long Term Evolution (LTE).

Today, most cell phones are 4G. The mobile communication scenario throughout the world is growing at an incredible rate and after the Internet, some might argue that mobile phones are the second most important invention in globalizing the world. Table 7.10 shows common cell phone technologies and their generational level.

One can easily believe the statistic that Americans now spend more time talking on their cell phones than they do on landlines. Mobile phones have revolutionized connectivity; however, they also have given rise to security concerns for organizations because more companies must consider what controls to place on these devices. With so many cell phones in use, there are numerous ways in which attackers can try to exploit their vulnerabilities. One is through the practice of cloning. Cell phones have an electronic serial number (ESN) and an International Mobile Station Equipment Identity (IMEI). Attackers can use specialized equipment to capture and decode these numbers from your phone and install them in another. The attacker then can sell or use this cloned phone. Tumbling is another technique used to attack cell phones. Specially modified phones tumble and shift to a different pair of ESN/IMEI numbers after each call. This technique makes the attacker’s phone appear to be a legitimate roaming cell phone. First-generation cell phones were vulnerable to this attack. GSM phones also make use of an International Mobile Subscriber Identity (IMSI) to identify the user of a cellular network, and is a unique identification associated with all cellular networks. As an example, a IMSI starting with 310 identifies a user in the United States whereas a IMSI starting with 460 identifies the user is from China. People that attack phone systems are called phreakers.

Three common methods include the following:

Orthogonal frequency division multiplexing (OFDM)—Splits the signal into smaller subsignals that use a frequency division multiplexing technique to send different pieces of the data to the receiver on different frequencies simultaneously.

Direct-sequence spread spectrum (DSSS)—A spread-spectrum technology that uses a spreading code to simultaneously transmit the signal on a small (22 MHz-wide) range of radio frequencies. The wider the spreading code, the more resistant the signal is to interference, but with the cost of a smaller data rate.

Frequency-hopping spread spectrum (FHSS)—FHSS works somewhat differently from OFDM and DSSS in that it works by taking a broad slice of the bandwidth spectrum, which is divided into smaller subchannels of about 1 MHz. The transmitter then hops between subchannels. Each subchannel is used to send out short bursts of data for a short period. This period is the dwell time. For devices to communicate, each must know the proper dwell time and be synchronized to the proper hopping pattern.

Table 7.11 summarizes the primary standards for wireless LANs (WLANs).

It’s not just wireless access points and equipment that could be a threat to the organization. All wireless devices should have enforced security and strong policies dictating their use. Camera phones allow users to take photos in otherwise secure areas. Smartphones, tablets, and BlackBerrys can be easily lost or stolen. Many forensic tools are available to extract data from these types of wireless devices. Portable wireless devices can also support onboard removable storage that can be lost or removed. It’s unfortunate, but these devices usually lack the level of security of wired devices. Corporate security officers must understand that the default wiping options for many modern devices do not remove all stored data.

Managed mode is the most generic wireless option. Clients communicate only with the access point and do not directly communicate with other clients.

Master mode is used by wireless access points to communicate with connected clients in managed mode.

Ad-hoc mode is a peer-to-peer mode with no central access point.

Monitor mode is a read-only mode used for sniffing WLANs. Wireless sniffing tools like Kismet use monitor mode to sniff 802.11 wireless frames.

802.11a—This amendment defined physical access that could operate in the 5 GHz frequency range and support speeds up to 54 Mbps at a range of 60 feet.

802.11b—Operates in the 2.4 GHz frequency range and can reach speeds of up to 11 Mbps and ranges of 300 feet.

802.11g—This popular amendment operates in the 2.4 GHz frequency range and can support speeds up to 54 Mbps.

802.11i—This amendment provided for secure authentication and encryption that would be a permanent replacement for the deficient Wired Equivalent Privacy (WEP) mechanism. 802.11i also makes use of Robust Security Network (RSN). RSN uses pluggable authentication modules. This allows for changes to cryptographic ciphers as new vulnerabilities are discovered.

802.11ac—IEEE 802.11ac is a wireless networking standard in the 802.11 family that includes multi-station WLAN throughput of at least 1 gigabit per second and a single link throughput of at least 500 Mbps per second.

802.11n—This version operates in the 2.4 GHz frequency. To enjoy benefits offered by the vendors, purchasers need to stay with one vendor. Resulting data rates can exceed 200 Mbps.

802.16—This broadband wireless access standard is also known as WiMAX and was designed to deliver last mile connectivity to broadband users at speeds of up to 75 Mbs. WiMAX is designed to provide wireless broadband access to Internet users in much the same way that cell phones revolutionized wired phone communication.

Table 7.12 summarizes the primary standards for wireless LANs (WLANs).

IEEE has written standards in support of our other wireless technologies as well. Bluetooth and RFID (radio frequency identification) are defined by 802.15, written for wireless PANs (WPANs).

Class 1—This classification has the longest range (up to 100 m) and has 100 mW of power.

Class 2—Although this classification is not the most popular, it allows transmission of up to 20 m and has 2.5 mW of power.

Class 3—This is the most widely implemented classification. It supports a transmission distance of 10 m and has 1 mW of power.

Class 4—This classification supports a transmission distance of .5 m and has .5 mW of power.

Although Bluetooth does have some built-in security features, it has been shown to be vulnerable to attack. At a recent DEF CON security conference, security professionals demonstrated ways to sniff Bluetooth transmissions from up to a kilometer away.

Bluetooth is part of the IEEE 802.15 family of protocols designed for WPANs. Although Bluetooth is extremely popular, competing 802.15 technologies, such as wireless USB and infrared, diversify the market.

Service Set ID (SSID)—For a computer to communicate or use the WLAN, it must be configured to use the WLAN’s SSID. The SSID distinguishes one wireless network from another.

Wireless access point—A wireless access point is a centralized wireless device that controls the traffic in the wireless medium and can be used to connect wireless devices to a wired network.

Wireless networking cards—Used to connect devices to the wireless network.

Encryption—802.11 encryption was originally provided by the aging WEP protocol, which was intended to provide the same level of privacy as a user might have on a wired network. WEP used RC4 symmetric encryption, but it was a flawed implementation. The amendment offering a secure replacement for WEP is 802.11i, which has become popularized by the Wi-Fi Alliance as Wi-Fi Protected Access (WPA, still using RC4) and WPA2 (uses Advanced Encryption Standard (AES)). These encryption mechanisms are discussed in detail in the next section.

In North America, 802.11 supports bandwidth at 2.4 GHz for 11 channels, three of which (1, 6, and 11) can be used simultaneously as non-overlapping. The channel designates the frequency on which the network will operate. European units support 13 channels (up to 4 non-overlapping) and Japanese units support 14 channels. There are 24 non-overlapping channels at 5 GHz. Worldwide, frequency availability changes according to the pertinent licensing authority. Equipment adjusts to these demands by asking what country the installation is occurring in, and either adjusting the frequencies to the local authority, or terminating transmissions (according to the licenses that the vendor is granted). The 802.11d amendment enables client equipment to ask what country it finds itself in and dynamically adjust its frequencies.

WEP is based on the RC4 algorithm that used either a 64-bit (IEEE standard) or a 128-bit (commercial enhancement) key. However, the keys can’t use that many bits because a 24-bit initialization vector (IV) was used to provide randomness. The “real key” is actually 40 or 104 bits long. Many people are reluctant to learn about such an old and broken technology as WEP; however, it is important to appreciate that WEP is still with us. Credit card information has been stolen from vendors because of the use of WEP. The PCI Security Standards Council has revised its rules on credit card transactions to prohibit the use of WEP, and this equipment was phased out in 2010.

WEP is known as static WEP because everyone has the same key. Two of the first weaknesses realized about WEP are that this static encryption key was the same key being used for the shared key authentication (SKA), and that the authentication used a challenge-handshake mechanism that was dictionary-crackable. The immediate solution was to throw away SKA, and use only open system authentication (OSA) and the WEP encryption key. Everyone could connect, but no one could communicate without the encryption key.

One way the industry responded to these potential issues was by incorporating 802.1X (port-based access) into many wireless devices. When used in conjunction with extensible authentication protocol (EAP), it can be used to authenticate devices that attempt to connect to a specific LAN port. Although this was an improvement over WEP, 802.1x has been shown to be vulnerable.

To better understand the WEP process, you need to understand how the exclusive-or (XOR) function works in Boolean logic. Specifically, XORing means exclusively or, never both. XORing is just a simple binary comparison between two bits that produces another bit as the result. When the two bits are compared, XORing looks to see whether they are different. If the answer is yes, the resulting output is a 1. If the two bits are the same, the result is a 0. Let’s look at the seven steps of encrypting a message:

1. The transmitting and receiving stations are initialized with the secret key. This secret key must be distributed using an out-of-band mechanism like email, posting it on a website, or giving it to you on a piece of paper the way many hotels do.

2. The transmitting station produces a seed, which is obtained by appending the 40-bit secret key to the 24-bit IV, for input into a Pseudo-Random Number Generator (PRNG).

3. The transmitting station uses the secret key and a 24-bit IV as input into the WEP PRNG to generate a key stream of random bits.

4. The key stream is XORed with plain text to obtain the cipher text.

5. The transmitting station appends the cipher text to a copy of the IV for the receiver to use, and sets a bit in the header to indicate that the packet is WEP-encrypted, and the WEP frame is transmitted. Because WEP encrypts at OSI Layer 2, the Layer 2 header and trailer are sent in clear text.

6. The receiving station checks to see whether the encrypted bit of the frame it received is set. If so, the receiving station extracts the IV from the frame and inputs it and the secret key into its WEP PRNG.

7. The receiver generates the same key stream used by the transmitting station, and XORs it with the cipher text to obtain the sent plain text.

WEP’s immediate successor was a stop-gap measure that was popularized as Wi-Fi Protected Access (WPA). This name was born out of hardware certification testing by the Wi-Fi Alliance. WPA certification meant that a piece of hardware was compliant with a snapshot of the 802.11i amendment; the amendment itself was still under design. One of the jobs of the 802.11i task group was to reverse-engineer WEP, and develop a software-only upgrade for wireless users that would deploy Temporal Key Integrity Protocol (TKIP) for encryption. TKIP scrambles the user key with network state information using a mixing algorithm, and adds an integrity-checking feature that was much stronger than WEP had to verify the frames haven’t been tampered with. WPA certification tested equipment for the implementation of TKIP.

In 2004, IEEE completed the 802.11i amendment, and released Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES solution, as a complete replacement for the outdated RC4 mechanism used in WEP and TKIP. CCMP is also tested for and certified by the Wi-Fi Alliance, and is recognized as WPA2. Don’t be surprised to see key sizes of up to 256 bits, which is a vast improvement over the original 40-bit encryption WEP used. Just keep in mind that in the IT security field, nothing remains static. Additional tools and techniques continue to be developed to attack newer security mechanisms like WPA. coWPAtty is one such tool.

Still another standard you should know is Wireless Application Protocol (WAP). WAP is an open standard to help cell phone users get the same types of content available to desktop and laptop users. A WAP-enabled device customizes the content of a website to work with the small screen size of a mobile phone. A key component of this technology is wireless markup language (WML). Security issues in WAPv1 have been fixed by WAPv2. Anyone considering the use of WAP for sensitive information exchange should understand these issues. WAP was created by the WAP Forum, and was an attempt to rewrite the upper layers of the OSI to minimize the overhead of a mini-browser inside the cell phone. The Forum created its own encryption protocol called WTLS, which was a rewrite of transport layer security (TLS). When a client’s signal reached the ISP’s gateway, the WTLS packet had to be decrypted from WTLS to re-encapsulate it as a TLS signal and then to send it onto the Internet. This was a vulnerable moment, where data was fully decrypted, and it became known as the GAP in WAP (see Figure 7.14). WAP2 has been rewritten as an abbreviated form of TLS instead of WTLS, and the packet no longer needs to be decrypted.

1. Accept packets from the external network.

2. Copy the packets.

3. Inspect them for irregularities.

4. Change the addresses to the correct internal device.

5. Put them back on the wire to the destination device.

Other types of proxies include the following:

Application-level proxy—Not all proxies are made the same. Application-level proxies inspect the entire packet and then make a decision based on what was discovered while inspecting the contents. This method is very thorough and slow. For an application-level proxy to work correctly, it must understand the protocols and applications it is working with.

Circuit-level proxy—A circuit-level proxy closely resembles a packet-filtering device in that it makes decisions based on addresses, ports, and protocols. It does not care about higher-layer applications, so it works for a wider range of protocols but doesn’t provide the depth of security that an application-level proxy does. SQUID is an example of an open-source proxy. Table 7.13 summarizes the primary differences between application- and circuit-level proxies.

SOCKS—SOCKS takes the proxy servers concept to the next level. SOCKS must be deployed as a client and server solution. It provides a secure channel between the two devices. It examines individual applications to determine whether they are allowed access. Common SOCKS applications include:

FTP—Blocks or allows files to be transferred into or out of the network

HTTP—Blocks or allows Internet access

SMTP—Blocks or allows email

Static NAT—Uses a one-to-one mapping between public and private IP addresses.

Dynamic NAT—Uses a pool of public addresses. When internal devices need Internet connectivity, they are mapped to the next available public address. When the communication session is complete, the public address is returned to the pool.

Port Address Translation (PAT)—Most home networks using DSL or cable modems use this type of NAT. It is designed to provide many internal users Internet access through one external address.

The router is typically configured to see only one host computer on the intranet network. Users on the intranet have to connect to the Internet through this host computer, and external users cannot directly access other computers on the intranet. In this configuration, only one network interface card is needed for the application gateway or the screening host. The screened subnet sets up a DMZ.

Authentication header (AH)—Protects data against modification; does not provide privacy.

Encapsulating security payload (ESP)—Provides privacy and protects against malicious modification.

Internet key exchange (IKE)—Allows secret keys to be exchanged securely before communications begin.

Key exchange is something that must be handled securely. IPSec uses Internet Security Association and Key Management Protocol (ISAKMP). It is defined by RFC 2408 and is used for establishing Security Associations (SA) and cryptographic keys in an Internet environment. Basically, it defines procedures and formats to establish, negotiate, modify, and delete SAs, and defines payloads for exchanging key generation and authentication data. Each has an IP protocol number; ESP is protocol 50, and AH is protocol 51. Because IPSec is applied at OSI Layer 3, any layer above Layer 3 can use it transparently. Other Internet security systems in widespread use, such as Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers at the OSI model. IPSec has two modes of operation:

Transport mode—Protects just the payload.

Tunnel mode—Protects the payload and the header. In this configuration, IPSec acts as a gateway; traffic for any number of client computers can be carried. IPSec in tunnel mode provides link encryption and is compatible with IPv6. It can be used to encrypt any traffic supported by IP.

See Figure 7.16 to better understand the differences between the two modes.

Three different implementation architectures are defined for IPsec in RFC 2401. These include host to gateway, gateway-to-gateway, and host-to-host.

Host to gateway—Used to connect one system that runs IPsec client software to an IPsec gateway.

Gateway-to-gateway—Connects two IPsec gateways to form an IPsec connection that acts as a shared routable network connection.

Host-to-host—Connects two systems to each other via IPsec.

Some Internet applications have little or no built-in security. Instant messaging (IM) is a good example. Many corporations allow or use IM, but it was built for chatting, not security. Most IM applications lack encryption capabilities, have insecure password management, and have features that actively work to bypass firewalls. IM can be vulnerable to sniffing attacks, can be used to spread viruses and worms, and can be targeted for buffer overflow attacks. If these programs are going to be used, security controls like the Pidgin encryption plug-ins and SSL-based chat should be considered. Although IM is not as popular as it once was, IM products are all highly vulnerable to malware, such as worm viruses, backdoor Trojan horses, hijacking, impersonation, and denial of service. IM can also be used to exfiltrate sensitive information.

Web conferencing is a low-cost method that allows people in different locations to communicate over the Internet. Though useful, web conferencing can potentially be sniffed and intercepted by an attacker. Common solutions include Adobe Connect, GoToMeeting, and Microsoft Office Live Meeting. These technologies usually include displaying PowerPoint slides, sharing audio or video, or even sharing documents. Some solutions allow users to remotely control another connected PC.

Remote meeting and web conferencing software is typically designed tunnel outbound SSL or TLS traffic. These technologies often pass outside the corporate network and as such should be understood, controlled, and made compliant with all applicable policy as they offer attackers and others the ability to exfiltrate data.

Finally, there is email. It’s another common network application and in its native state can be very insecure. Sending an email message is much like your parents sending a postcard about their vacation to you through the U.S. mail. Anyone who happens to see the card during transit can read the message they sent you from their trip to Kathmandu. If you need a little privacy, you must use encryption. Using encryption is the equivalent of sending a coded letter in a sealed envelope: Even if someone opens the sealed envelope, the coded letter will prevent anyone from learning about your parents’ trip to Kathmandu to see Mount Everest. Email protection mechanisms include PGP, Secure Multipurpose Internet Mail Extensions (S/MIME), and Privacy Enhanced Mail (PEM).

A. EAP-LEAP

B. EAP-MD5

C. EAP-TLS

D. EAP-SIM

2. You just overheard two people discussing ways to steal electronic serial numbers (ESNs). What type of attack are they discussing?

A. Bank card hacking

B. Modem hacking

C. PBX hacking

D. Cell phone hacking

3. You are a security consultant for a company that has a location in Houston, Texas, New York City, and Dallas, Texas. Your client requires link-to-link communications from the LAN to the WAN for data/traffic encryption supported by IP that includes encryption and authentication. They will be using L2TP at L3 of the OSI model. The CIO for the company plans to migrate to IPv6 over the next year so he needs something that will be compatible with IPv6. What is the BEST protocol to use for your client?

A. IPSec Transport mode

B. IPSec Tunnel model

C. PPTP

D. L2F

4. Which of the following is a mechanism for converting internal IP addresses found in IP headers into public addresses for transmission over the Internet?

A. ARP

B. DNS

C. DHCP

D. NAT

5. Samuel has been asked to start the implementation of IPv6 on an existing IPv4 network. The current system has no native connection to an IPv6 network. It has about 130 hosts. The internal routing protocol is OSPF. Which technology would you recommend that Samuel use?

A. VRRP

B. Teredo

C. 802.1AE

D. 6to4

6. You have been brought on as a consultant to a small non-profit where they are using a routing protocol that is based on Bellman-Ford algorithms. Although the network has reached convergence, one path is no longer available and shows an infinite hop count. What is the proper term to describe this situation?

A. Loopback

B. Split horizon

C. Classless Inter-Domain Routing

D. Poison reverse

7. Which of the following is considered a current updated standard to the WEP protocol?

A. WPA2

B. SMLI

C. PGP

D. POP

8. Which of the following closely resembles a packet-filtering device because it makes decisions on addresses, ports, and protocols?

A. Stateless firewall

B. Circuit-level proxy

C. Application proxy

D. Stateful firewall

9. This protocol is considered a forerunner to Frame Relay and works over POTS lines.

A. SMDS

B. ATM

C. X.25

D. T-carriers

10. RADIUS provides which of the following?

A. Authentication and accountability

B. Authorization and accountability

C. Authentication and authorization

D. Authentication, authorization, and accountability

11. You have been asked to implement a WAN technology for your client. The client is based in a rural area in the southern US. The client does not want to use a circuit-switched technology. Based on this information, which of the following is a cell-switched technology which you could use?

A. DSL

B. T1

C. ISDN

D. ATM

12. Which of the following is considered a third-generation firewall?

A. Packet filter

B. Circuit proxy

C. Application proxy

D. Stateful firewall

13. Identify protocols that work at OSI Layers 2, 6, 3, 4, and 7.

A. ARP, SQL, ICMP, SMB, and SNMP

B. L2TP, SMB, IP, SQL, and HTTP

C. WEP, ASCII, IPX, TCP, and BootP

D. PPP, ZIP, SPX, UDP, and TFTP

14. Which of the following wireless standards has a range of 5.15–5.35 GHz to 5.725–5.825 GHz and a range of approximately 60 feet?

A. 802.11a

B. 802.11b

C. 802.11g

D. 802.11n

15. Which of the following is the BEST description of ISAKMP?

A. Defines procedures and packet formats to establish, negotiate, modify, and delete Security Associations and defines payloads for exchanging key generation and authentication data. Typically utilizes IKE for key exchange, although other methods can be implemented

B. Enables the authentication of the parties involved in a secure transition and contains the certificate issuer’s name, valid from-date and valid to-date, the owner of the certificate (the subject), the subject’s public key, the time stamp, and the certificate issuer’s digital signature.

C. A framework for managing private keys and certificates that provides a standard for key generation, authentication, distribution, and storage, establishes who is responsible for authenticating the identity of the owners of the digital certificates, and follows the X.509 standard.

D. ISAKMP is the standard that defines how to protect keys and establish policies for setting key lifetimes, and sets out essential elements of business continuity and disaster recovery planning.

2. D. Cell phone hackers scan for electronic serial numbers and mobile identification numbers. These are used to clone phones. Answer A is incorrect because bank card hacking would most likely target a database. Answer B is incorrect because the individuals that target modems are known as war dialers. Answer C is incorrect because PBX hacking is performed by phreakers.

3. B. IPsec in tunnel mode provides link encryption, is compatible with IP v6 and can be used to encrypt any traffic supported by IP. It also can be used with L2TP or alone and operates at layer 3 of the OSI model. A is not correct because transport mode encrypts only the IP payload. C is not correct because PPTP does not offer encryption. Answer D is wrong because it works at layer 2 of the OSI model and does not provide data encryption.

4. D. NAT allows a single device, such as a router, to act as an agent between the Internet and the internal network. ARP is used for physical address resolution, so answer A is incorrect. DNS is used for IP address resolution, so answer B is incorrect. DHCP is used to assign dynamic addresses, so answer C is incorrect.

5. B. Teredo is the correct answer as it an a transition technology that can be used for IPv6-capable hosts that are on the IPv4 Internet that have no native connection to an IPv6 network. Answer A is incorrect as Virtual Router Redundancy Protocol (VRRP) is used for router redundancy. Answer C is incorrect because 802.1AE is a layer 1 OSI technology known as MACSEC. Answer D is incorrect because although 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6 it is typically used where there is connectivity to an IPv6 network.

6. D. Poison reverse sets the number of hops to the unconnected gateway to a number that indicates infinite. All other answers are incorrect. Answer A describes the loop back address which has no relevance to the question. Answer B is incorrect because split horizon is a route advertisement that prevents routing loops in distance-vector routing protocols by prohibiting a router from advertising a route back onto the router interface from which it was discovered. Answer C is incorrect because Classless Inter-Domain Routing was designed to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.

7. A. WPA2 is the current standard for wireless security. SMLI, answer B, is incorrect because it is a firewall technology. Answer C is incorrect because PGP is an email-protection mechanism, and POP, answer D, is associated with email, so neither of these is correct.

8. B. Circuit-level proxies closely resemble packet-filtering devices because they examine addresses, ports, and protocols. Stateless firewalls are packet-filtering devices and application proxies and stateful firewalls examine higher-level content, so answers A, C, and D are incorrect.

9. C. X.25 predates Frame Relay. Although it is not fast, it is reliable and works over analog phone lines. SMDS is a high-speed MAN/WAN packet-switched protocol, so answer A is incorrect. ATM is a modern protocol that offers high speed and various classes of service, so answer B is incorrect. T-carriers are circuit-switched technology, so answer D is incorrect.

10. C. RADIUS is a client/server protocol used to authenticate dial-in users and authorize access. The other answers are incorrect because they do not meet the specification of RADIUS.

11. D. ATM is a cell-switched technology. DSL, T1, and ISDN are not based on cell-switching technology, and therefore are incorrect.

12. D. Stateful firewalls are considered intelligent firewalls and are third-generation devices. Circuit and application proxies are second-generation devices and packet filters are first-generation devices, so answers A, B, and C are incorrect.

13. C. WEP is found at Layer 2. ASCII is found at Layer 6, IPX is found at Layer 3, TCP is found at Layer 4, and BootP is found at Layer 7.

14. A. 802.11a has a range of 5.15–5.35 GHz to 5.725–5.825 GHz and a range of approximately 60 feet.

15. A. ISAKMP is Internet Security Association and Key Management Protocol. It defines procedures and packet formats to establish, negotiate, modify, and delete Security Associations, and defines payloads for exchanging key generation and authentication data. It typically utilizes IKE for key exchange, although other methods can be implemented. Answer B and C are both incorrect because they deal specifically with certificate management. Answer D is not correct because it deals with key management.

An introduction to the OSI Model: www.rfdesign.info/doc-desc/15/Introduction-to-OSI-model-and-Networking-Components.html

Encapsulation: www.tcpipguide.com/free/t_IPDatagramEncapsulation.htm

Bluetooth keyboard sniffing: www.gossamer-threads.com/lists/fulldisc/full-disclosure/64769?page=last

Securing OSI: www.infosecwriters.com/text_resources/pdf/KRodriguez_OSI_Model.pdf

Electronic serial numbers: en.wikipedia.org/wiki/Electronic_Serial_Number

Phone phreaking: www.telephonetribute.com/phonephreaking.html

Phone phreaking history: en.wikipedia.org/wiki/John_Draper

The RADIUS authentication protocol: en.wikipedia.org/wiki/RADIUS

Wireless standards: www.wi-fi.org/