TCP/IP and OSI Reference Models

Data encapsulation is the foundation of both the TCP/IP and OSI models. In essence, when a document is to be sent from one user to another, the entire document must be reduced into bite-sized chunks that can ultimately be transmitted over wires. To accomplish, this the data must proceed through a number of permutations, which establishes not only the communication path between the two host computers but also the agreed-upon signaling technology using copper wires, fiber optics, or wireless radio systems.

OSI Reference Model

The Open Systems Interconnection (OSI) model is a conceptual model that characterizes and standardizes the internal functions of a communication system by segmenting it into layers. The OSI model is not a protocol; it is a model used for understanding and designing a communication architecture that allows any two systems to communicate regardless of the underlying hardware or software infrastructure.

The model consists of seven logical layers, numbered 1 through 7. A layer responds to or is served by the layer above it and similarly serves the layer below it. For example, one layer establishes a connection between two host machines and accepts the data to be transmitted from the layers above it. Once the connection is established by this layer, the layer below it is responsible for actually sending and receiving the packets.

Figure 8.1 shows all seven layers and illustrates the relationships between them.

The OSI model groups data encapsulation functions into seven layers of logical progression. Each layer communicates only with the layer above it and the layer below as the information flows through the model. For instance, every layer serves a specific purpose. Each layer will add an appropriate header to the data, which will be interpreted at the exact same layer on the receiving host.

It is important to understand the operation of this model. It's only natural to understand that the transmitted data between two machines must flow over some sort of wire or media that connects the two computers. The actual physical connection is illustrated at the bottom of Figure 8.1. The original application data to be exchanged is illustrated between the software applications at the top of the diagram. This is the same data that might be saved to a USB drive as a data file and then reopened by the same application on a different computer.

To transmit the data over a wire connecting two computers, it is important to accomplish several functions, such as defining the type of data to be transmitted, beginning and maintaining the connection, checking for errors during the communication, determining the logical and physical addresses of the machine to receive the information, and finally, converting the data into electrical pulses on a copper wire, fiber-optic cable, or Wi-Fi radio signal.

All of this is accomplished at different layers of the OSI model. At each layer, a set of instructions is appended to the data that informs the other computer what to do and the operations to be performed at that specific layer. This information is embedded in a header created at each layer of the model and is attached in layer order to the data. Upon receiving the data, with all of the headers attached, the receiving computer processes the data up the OSI model, taking the appropriate actions at each layer and then stripping off that layer's header. Ultimately, the receiving computer, having completely processed the transmitted data, passes the data to the appropriate application.

TCP/IP Reference Model

The U.S. Department of Defense, through the Defense Advanced Research Projects Agency (DARPA), created the TCP/IP model. The TCP/IP model is usually depicted with four layers that include Application layer, Transport layer, Internet layer, and Network access layer. It is a much simpler model and predates the OSI reference model. Figure 8.2 illustrates the mapping between the seven-layer OSI model and the four-layer TCP/IP model.

Network Topology Models

Network topology has changed through the years. The following five models depict the most popular layouts:

1. Bus The bus topology was one of the earliest and most commonsense designs for local area network layout and design. The central bus wire featured terminators at each end, and computer hosts as well servers were connected to the central bus wire through what was known as “drops.” There were a couple of advantages to this system. Adding a node to the bus was very easy, and if an individual node failed, it would not affect other nodes on the central bus wire.

   A disadvantage was that if the central bus wire failed, the entire network failed as well because the cable run lengths had to be short due to signal fading. Each of the drop cables connected to the central bus wire with a special connector. The connector not only reduced the amplitude of the signal, but if they were disconnected inappropriately, the entire network would fail. Figure 8.5 illustrates a common bus topology.

   

2. Tree The tree topology is similar to several parallel bus structures, each containing networking items, one placed on top of the other. The top-level bus drops to a server. The server then connects below it to another bus, which contains hosts or workstations. This is a layered approach to a bus structure, but it still maintains the same problems as a bus topology. If the last centralized device fails, everything below it also fails. Figure 8.6 illustrates a tree topology.

   

1. Ring The ring topology is an older technology predating Ethernet networks and was made popular by IBM. It provided a solution to the problem of who talks next. When a token was circulated around a closed loop ring, each node could determine exactly when they could transmit next. This was referred to as a deterministic system. Typically, token ring networks consisted of coaxial cable or fiber-optic cable. Because the entire ring is a single point of failure, later technology such as Fiber Distributed Data Interface (FDDI) provided redundancy by using two rings for failover. Ring topology has been almost totally eliminated and replaced by Ethernet technology. Figure 8.7 illustrates a typical ring topology.

   

1. Mesh In a mesh topology, every node is connected to every other node. This provides great redundancy and speed, usually at a very large expense. Mesh topologies are used where speed and redundancy are required, such as with fault-tolerant devices, load distribution server clustering, and storage area networks (SANs). In the storage area network application, the mesh network is between the servers and the storage devices, which allows for great speed and redundancy. This type of mesh usually consists of fiber-optic cables and is sometimes referred to as a fiber fabric.

   The number of connections required in a mesh network can be illustrated through the equation N * (N - 1) / 2, where N equals the number of devices. For instance, if there were 10 devices on the mesh network, the equation would be 10 * 9 / 2 = 45 connections. If 2 more devices were added to the network, the equation would be 12 * 11 / 2 = 66 connections. So as you can see, when just two additional devices were added, the number of connections jumped by 21. Figure 8.8 illustrates a mesh topology.

   

1. Star Present-day networks generally take the form of a star topology. In this type of layout design, each node is connected to a central device such as a switch or router. Although the use of a centralized connection devices inserts a single point of failure, the flexibility of this type of network design allows for shorter cable runs and ease of network deployment. Figure 8.9 illustrates a star topology.

   

Network Connection Models

Various types of networks are required to transmit data across town or across the country. The design of these networks spans the period of wires hanging on telephone poles to today, when the very latest technologies are available.

1. Circuit-Switched Networks Circuit-switched networks are created by physically connecting to endpoints through a series of wires and mechanical switches where the signal voltage generated at one endpoint is received by the other endpoint. A disadvantage of this early network communication was both lack of available bandwidth and poor line quality.

   A typical example of a circuit-switched network was known as plain old telephone service (POTS). Telephone companies grappled with digital technology as they made every attempt to transmit data over relatively low-quality standard telephone lines. One of the outgrowths of this was Integrated Services Digital Network (ISDN), and other techniques were also used in the quest for higher speed and greater reliability. In these later data network offerings, carriers offered dedicated networks to clients and billed only for time of use.

2. Packet-Switched Networks Typical of most wide area networks today, a packet-switched network makes use of a large number of devices with nondedicated connections. Information is subdivided into packets that feature an address of the ultimate destination. Devices such as routers use the destination address and forward the packet to the next router until the packet eventually arrives at its destination. Since the packet-switching network is dynamic and ever changing, packets within one conversation may take numerous routes. Because of this, packets may arrive out of order, and it is up to the receiving device to resequence the packets in the correct order.
3. Virtual Circuit Networks Some organizations require high-bandwidth connections between offices, clients, or other endpoints. In such cases, they may contract with a carrier for a special type of data network.
   1. Permanent Virtual Circuit A permanent virtual circuit (PVC) is a connection between endpoints where the carrier configures the circuit routes to provide the requested speed and bandwidth through their equipment. This provisioning is usually accomplished when the permanent virtual circuit is initially contracted and when the dedicated hardware and contracted bandwidth is determined. Typically, once a permanent virtual circuit is established, it remains connected.
   2. Switched Virtual Circuit A switched virtual circuit (SVC) dynamically configures the circuit routes each time the circuit is used by the end user. A switched virtual circuit is less expensive and is billed for only time of use.

Media Access Models

Through the years network engineers have struggled with the concept of trying to get more users to communicate on a single piece of wire. Various techniques, some better than others, have been designed to eliminate congestion in an attempt to provide an orderly flow of data through a network.

1. Carrier Sense Multiple Access Carrier sense multiple access (CSMA) is a media access control protocol used to communicate on the media such as a wire, fiber-optic cable, or modulated radio signal. Carrier sense refers to the fact that the device is listening to the media at all times. It is specifically listening for the transmission of other devices. Multiple access means that all of the devices on the wire or network are transmitted the same time. Of course, if they are, the transmitted data would be unrecognizable. This type of communication has no mediating controller and therefore is called contention-based access and nondeterministic. It is the least effective of any of the transmission protocols because none of the devices have any means of determining when to transmit data.
2. Carrier Sense Multiple Access/Collision Detection Carrier sense multiple access/collision detection (CSMA/CD) is a media access control protocol used to communicate in an organized fashion on a type of media. As in CSMA, a device may begin transmitting at the same time another device transmits. When this happens, two frames will be transmitted simultaneously and a “collision” will occur. Each of the two devices will wait a random period of time and then retransmit. The random timer prohibits each of the two devices from immediately retransmitting and causing a collision once again. This is the most-often-used technique to reduce transmission contention on modern local area networks.
3. Carrier Sense Multiple Access/Collision Avoidance Carrier sense multiple access/collision avoidance (CSMA/CA) is a media access control protocol used to announce that a device is wishing to transmit on the media. The device will transmit or broadcast a tone prior to transmission. The tone is referred to as a jamming signal and will be received by all other devices connected to the media. After waiting a brief interval to ensure that all other devices are aware of the device's desire to transmit, the device begins transmitting.
4. Ethernet Ethernet is an IEEE 802.3 standard that supports a number of different media standards such as coaxial, fiber-optic, and shielded and unshielded twisted-pair cable. Ethernet speeds include 100 megabits per second (Mbit/s) to 1,000 Mbit/s over both unshielded twisted-pair and fiber-optic cables. Through the use of CSMA/CD, most collisions are dealt with on smaller networks or limited-broadcast domains. On larger networks, there may be major network media contention due to retransmission volume.

Ports

Ports are special addresses in memory that allow communication between hosts and applications or services running on a host. A port number is added to the address from the originator, indicating which port to communicate with on a server. If a server has a port defined and available for use, it will send back a message accepting the request. A server is instructed to refuse to connect if the port isn't valid. The Internet Assigned Numbers Authority (IANA) has defined and maintains a list of ports called well-known ports.

Ports may also prove to be a source of security weakness. An intruder may perform a port scan to determine which ports are open and may be penetrated to gain access into a system. Therefore, any unused ports should be blocked by a firewall to reduce the possibility of intrusion.

Well-known ports are those ports that have been assigned to specific software applications, services, and protocols. For instance, port 80 is the common port for all Internet traffic. Ports are identified by the specific communication method they use. TCP ports expect to set up a three-way handshake, while UDP ports will transmit all of the information without expecting a confirmation of receipt. Table 8.1 lists well-known TCP ports, and Table 8.2 lists well-known UDP ports. Ports with an asterisk are important to know.

There are total of 65,536 ports available. Note that there is a port number 0 (zero), which makes the range of port numbers 0 to 65,535. These ports are divided into three ­primary groups:

1. Well Known Ports: Ports 0–1023 Well-known ports are ports that are assigned and matched to specific protocols. The port number is embedded in a packet destined for a host or server machine.
2. Registered Ports: 1024–49151 Registered ports are ports that are reserved to be used by third-party applications, services, and networking devices to communicate between machines.
3. Dynamic, or Private, Ports: 49152–65535 The upper layer of the port range may be used by applications that begin a conversation at a port with a lower number and then switch the conversation to a port with a higher number. Using this technique releases the lower port to respond to additional communication requests.

Common Protocols

There are hundreds of protocols. The difficulty is in determining how each protocol is used and whether it is secure. The following list details a number of common protocols.

1. File Transfer Protocol File Transfer Protocol (FTP) is an older interconnect protocol that allows connections between machines for file uploads and downloads. FTP is among the original protocols developed for the Internet. Ports 20 and 21 are used by default by FTP to transfer information between hosts and the Internet. Due to its design, FTP is insecure.
2. Simple Mail Transfer Protocol Simple Mail Transfer Protocol (SMTP) is the standard protocol for email communications. SMTP involves the use of email clients and servers to transmit messages. The default port is 25.
3. Domain Name System Domain Name System (DNS) allows hosts to resolve hostnames to an Internet Protocol (IP) address. For instance, DNS would convert a fully qualified domain name into an IP address. The default port used by the domain name system when sending name queries for this service is 53.
4. Simple Network Management Protocol Simple Network Management Protocol (SNMP) is a management tool that allows network devices to send selected parameter data to a management console. A software client runs on the network device and captures various parameters and performance data at the request of a central administrator. Most routers, bridges, and other network appliances can be monitored using SNMP.
5. Post Office Protocol Post Office Protocol (POP) is a protocol used in many email systems. It is a standard communications interface in many email servers. Post Office Protocol is used for receiving email. The default port for version 3 (POP3) is 110. In its place, many systems now use the Internet Message Access Protocol (IMAP) to download email messages from a storage location upon request. IMAP is assigned to port 143.
6. Telnet Telnet is a legacy protocol and performs as an interactive terminal emulation protocol. It allows a remote user to maintain an interactive session with a Telnet server. The Telnet session will appear to the client as if it were a local session.
7. Address Resolution Protocol Address Resolution Protocol (ARP) provides a process for resolving IP addresses into Data Link layer MAC hardware addresses. ARP resolves an IP address to a Media Access Control (MAC) address. MAC addresses are used to identify hardware network devices and are assigned to the network interface card (NIC).
8. Internet Control Message Protocol Internet Control Message Protocol (ICMP) provides reporting and maintenance functionality. ICMP includes a number of communication information commands, such as ping to test connectivity and traceroute to return the route used by packets to a destination. Routers and other network devices can report path information between hosts using ICMP.

Maintaining the security of ports is very important. One of the common procedures in hardening a system is to close unused ports and remove unused protocols. Closing unused ports is generally accomplished by blocking the port on a firewall. It is important to consider blocking not only popular specifically named ports but also a large range of ports that may be exploited by an intruder.

Continuous Monitoring

Continuous monitoring involves the policy, process, and technology used to detect risk issues within an organization's IT infrastructure. This monitoring may be in response to regulatory or contractual compliance mandates.

Continuous monitoring of network operations stems from a risk assessment program where it was required for financial transactions. During the financial transactions monitoring procedure, the disposition of all transactions is recorded and analyzed for risk and regulatory compliance.

The continuous monitoring of network operations is where security incident and event monitoring (SIEM) activities are maintained on a 24/7 basis. Logs must be maintained for specific time periods and analyzed as appropriate. Effectively, continuous monitoring requires that all users be monitored equally, that users be monitored from the moment they enter the physical or logical premises of an organization until they depart or disconnect, and that all activities of all types on any and all services and resources be tracked. This comprehensive approach to auditing, logging, and monitoring increases the likelihood of capturing evidence related to abuse or violations.

Network Monitors

Network monitoring devices are available with several different modes of operation, which include active and passive modes. Passive network monitors, otherwise called sniffers, were originally introduced to help troubleshoot network problems. Intrusion detection systems are also passive network monitoring devices.

A network monitoring system usually consists of a PC with a NIC (running in promiscuous mode) and monitoring or logging software. Promiscuous mode simply means that the network card is set in such a way that it accepts any packet that it sees on the network, even if that packet is not addressed to that network interface card.

The amount of information obtained from network traffic may be immense. Logical filtering to identify anomalies or items of interest must be undertaken due to the overwhelming amount of traffic.

Active network monitors, such as intrusion prevention systems, also monitor network traffic activity, but they are tuned to detect specific anomalies. In the event they discover traffic that should not be allowed on the network, an active monitor will take some predetermined action, such as dropping the packet or generating a firewall rule.

Managing Network Logs

Network logs are the lifeblood of a network monitoring operation. They can be set to record every event that happens on the network. This would create a large volume of information very quickly. There are several different types of logs, and the SSCP should be familiar each of them.

Remote Network Access Control

Users wishing access to an enterprise network may be across the street, across town, or around the world. In any event, they are normally transmitting data through an untrusted network, such as the Internet. It is important to place controls on the network to mitigate the risk of data interception, corruption, and a variety of other attacks that might occur when data is transmitted and receive across this type of network.

A virtual private network (VPN) is a private network connection that is established through a public network. Creating a tunnel, or VPN, is a method of encapsulating restricted or private data so that it may not be read or intercepted when traversing the Internet. Encapsulation is the act of placing restricted data inside a larger packet and ­placing a special destination address on the packet so that it may be routed to the intended receiver.

A virtual private network provides information security through encryption and encapsulation over an otherwise unsecure environment. VPNs can be used to connect LANs together across the Internet or through other public networks. When a VPN is used, both ends appear to be connected to the same network. A VPN requires a VPN software package to be running on servers and workstations. Figure 8.10 illustrates a virtual private network connecting two different networks.

Tunneling protocols are used to encapsulate other packets that are sent across public networks. Once the packets are received, the tunneling protocol is discarded, leaving the original information for the receiver.

The most common protocols used for tunneling are as follows:

1. Point-to-Point Tunneling Protocol Point-to-Point Tunneling Protocol (PPTP) supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts point-to-point protocol (PPP) packets. Although PPTP is a favorite protocol for network communications, one of its major weaknesses is that all channel negotiation is done in the clear. After the tunnel is created, the data is encrypted. Developed by Microsoft, PPTP is supported on most of the company's products. PPTP is assigned to port 1723 and uses TCP for connections.
2. Layer 2 Forwarding Layer 2 Forwarding (L2F) was created by Cisco as a method of creating tunnels that do not require encryption. Used primarily for dial-up connections, L2F provides authentication only. L2F uses port 1701 (a little Cisco humor; 1701 is the number of the Starship Enterprise while it “tunnels through space”). L2F uses TCP for connections.
3. Layer 2 Tunneling Protocol Due to the demands of the market, Microsoft and Cisco have reached an agreement to combine their respective tunneling protocols into one protocol, the Layer 2 Tunneling Protocol (L2TP). L2TP can be used in many networks besides TCP/IP and will support multiple network protocols. Primarily a point-to-point protocol, L2TP is a combination of PPTP and L2F. Since it works equally well over such network protocols as IPX, SNA, and IP, it can be used as a bridge across many types of systems. L2TP does not provide security encryption, so it requires the use of such security protocols as IPsec to provide end-to-end or tunneling encryption. L2TP uses UDP and port 1701 for connections.
4. Secure Shell Originally designed for Unix systems, Secure Shell (SSH) is now available for use on Windows systems as well and is a tunneling protocol that uses encryption to establish a secure connection between two systems. SSH also provides an information exchange protocol for such standards as Telnet, FTP, and many other communications-oriented applications. This makes it the preferred method of security for Telnet and other cleartext-oriented programs in the Unix environment. SSH is assigned to port 22 and uses TCP for connections.

1. Internet Protocol Security Internet Protocol Security (IPsec) is a versatile protocol. It has two primary modes of operation. Tunneling mode can be used between two routers or two firewalls to establish a tunnel connection, illustrated in Figure 8.12, between two local area networks. The IPsec transport mode, illustrated in Figure 8.11, can be used between two endpoints. The versatility stems from the fact that an authentication header (AH) is used, which provides authentication of the sender as well as an integrity hash of the packet.

   

   

1. The Encapsulating Security Protocol (ESP) can be used to totally encapsulated and encrypt the original packet. Security associations (SAs) maintain the information concerning the symmetric encryption algorithm that has been agreed upon between the parties. Symmetric keys can be exchanged, either out-of-band or through a Diffie-Hellman key exchange. This key exchange is referred to as the Internet Key Exchange (IKE). Due to its wide acceptance and versatility, IPsec was originally selected as the security protocol to be mandated in IPv6. Since this mandate was put into effect, it has been reduced to an optional security protocol in IPv6.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a protocol and system that allows user authentication of remote and other network connections. The RADIUS protocol is an IETF standard, and it has been implemented by most of the major operating system manufacturers. Once intended for use on dial-up modem connections, it now has many modern features.

A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether an incoming caller is authorized. In a large network with many users, RADIUS allows a single server to perform all authentications.

Since a RADIUS server may be used to centrally authenticate incoming connection requests, it poses a single point of failure. Many organizations provide multiple servers to increase system reliability. Of course, like all authentication mechanisms, the servers should be highly protected from attack.

TACACS/TACACS+/XTACACS

Terminal Access Controller Access Control System (TACACS) is a client-server environment that operates in a similar manner to RADIUS. It is a central point for user authentication. Extended TACACS (XTACACS) replaced the original TACACS and combined authentication and authorization along with logging, which enables communication auditing. The most current method or level of TACACS is TACACS+, and this replaces the previous versions. TACACS+ has been widely implemented by Cisco and possibly may become a viable alternative to RADIUS.

LDAP

Lightweight Directory Access Protocol (LDAP) is a standardized directory protocol that allows queries to be made of a directory database, especially in the form of an X.500 format directory. To retrieve information from the directory database, an LDAP directory is queried using an LDAP client. The Microsoft implementation of LDAP is Active Directory (AD). LDAP is the main access protocol used by Microsoft's Active Directory. LDAP operates, by default, at port 389, and the syntax is a comma-delimited format.

Kerberos

Kerberos is an authentication, single sign-on protocol developed at MIT and is named after a mythical three-headed dog that stood at the gates of Hades. It allows single sign-on in a distributed environment. An attractive feature of Kerberos is that it does not pass passwords over the network. The design is also unique in that most of the work is provided by the host workstations and not the Kerberos server. Figure 8.13 illustrates a simplified version of the Kerberos process.

Kerberos authentication uses a key distribution center (KDC) to maintain the entire access process. As you can see in Figure 8.13, the KDC authentication server authenticates (steps 1 and 2) the principal (which can be a user, a program, or a system) and provides it with a ticket-granting ticket, or TGT (step 3).

After the ticket-granting ticket is issued, it can be presented to the ticket-granting server, or TGS (step 4) to obtain a session ticket to allow access to specific applications or network resources. The ticket-granting server sends the user the session ticket granting access to the requested resource (step 4). The user then presents the session ticket to the resource requesting access (step 6).

Through the use of a trust system, the resource authenticates the ticket as coming from the key distribution center and allows access for the user. Tickets are usually timed and will timeout after an eight-hour default unless set differently.

Kerberos is quickly becoming a common standard in network environments due to its adoption as a single sign-on methodology by Microsoft.

Single Sign-On

On larger systems, users must access multiple systems and resources on a daily basis. A major problem exists for users if they are required to remember numerous passwords and usernames. The purpose of single sign-on (SSO) is to allow users to use one set of logon credentials to access all the applications and systems they are authorized to access when they log on.

With the Kerberos system, a single session ticket allows any “Kerberized” resource to accept a user as valid. It is important to remember in this process that each application you want to access using SSO must be able to accept and process the Kerberos ticket. Some legacy applications require a script that accepts a password or user credentials and then processes the information by inserting it into the correct places in the legacy application to log the user on.

Active Directory (AD), on the other hand, retains the information about all access rights for all users and groups in the network. When a user logs on to the network, Active Directory issues the user a globally unique identifier (GUID). Access control is provided by the use of this GUID, and applications that support AD can use this GUID to allow access.

Using AD simplifies the support requirements for administrators. By using the assigned GUID, the user doesn't have to have separate sign-on credentials for Internet, email, and applications. Access can be assigned through groups such as role-based access control and can be enforced through group memberships.

SSO passwords are stored on each server in a decentralized network. Since a compromised single sign-on password would allow an attacker free reign on a network, it is important to enforce password changes and make sure certain passwords are updated throughout the organization on a frequent basis.

Although SSO offers a single point of failure in a potential security risk should a password be compromised, it is still better than having the user personally manage a large number of passwords for various applications and system resources. The tendency for an overwhelmed user is to write down usernames and passwords and place them in close proximity to the computer system. Single sign-on, despite all the possible headaches, can still be a substantial security benefit to an organization.

Federation

A federation is an association of nonrelated third-party organizations that share information based on a single sign-on and one-time authentication of a user. Figure 8.14 illustrates a travel booking site that would have a federated relationship with hotels, car rental agencies, and air carriers. Once the user signs on to the travel booking site, user inquiries and ultimately booking selections will be coordinated with the federated organizations without the individual having to log in to each organization's website.

Subnetting

One of the issues to consider when designing a network is how to subdivide it into usable domains. There are numerous ways to divide a local area network. It may be accomplished logically, topologically, physically, by workgroups, by physical building, and in almost any other way you can think of.

Networks are subnetted by using segments of the IP address. For instance, an internal local area network address for a specific host machine might be 38.8.210.2. In this example, 210 is the number of the network, and 2 is the number of a specific host machine on network number 210. Figure 8.15 illustrates a three-segment network set up as three subnets. Note the differences in the IP addresses of the separate network segments.

A special tool called a subnet mask value is used for subnetting. It covers up numbers in the address that are not required. When a network is subnetted, it is divided into smaller components, or subnets, with a smaller number of host machines available on each subnet.

The broadcast domain for a subnet is much smaller and has fewer hosts. The advantage to this is much better network performance because you are reducing overall network traffic while also making the network more secure and manageable.

Virtual Local Area Networks

A virtual local area network (VLAN) is created by grouping hosts together. Hosts may be grouped by workgroups, departments, buildings, and so on. The hosts in a VLAN are connected to a network switch. The switch is responsible for controlling the traffic that is destined for each host based upon each hosts Mac address. Members of the VLAN do not necessarily need to be in the same area. They can be in another office or even in another building. The VLAN can be used to control the path data takes to get from one point to another and may constrain network traffic to a certain area of the network. VLANs differ from subnets in that they do not provide security.

Demilitarized Zones

A demilitarized zone (DMZ) is a network segment created between two firewalls, one of which faces an untrusted network such as the Internet, so that some servers on an enterprise network can be accessed by external communications. The purpose of a demilitarized zone is to allow people you might not trust otherwise to access a public server, database, or application without allowing them on to the internal local area network.

When a server is positioned in a DMZ, it may be accessed by both untrusted users such as those on the Internet, as well as users from the trusted internal network. Figure 8.16 illustrates three servers placed in a demilitarized zone formed by two firewalls. Note that the internal network is completely shielded from both the Internet and the demilitarized zone by a firewall.

Devices placed in the DMZ are subject to attack. Routers, switches, servers, intrusion protection devices, and any other items that are exposed to the outside network must be hardened against attack. This means removing any unused services and protocols and closing all unused ports. After an attack, you might have to re-image or rebuild demilitarized zone network devices after an attack. Systems that allow public access and that are hardened against attack are usually referred to as bastion hosts. It is expected that bastion hosts may be sacrificed from time to time.

When establishing a DMZ, you assume that the person accessing the resources isn't necessarily someone you would trust with other information.

Network Address Translation

Network address translation (NAT) is primarily used to extend the number of usable Internet addresses. IPv4 has since run out of unique network addresses. Therefore, organizations create their own IP addresses for their internal network using a translation methodology to convert from the internal IP addresses to the external IP address.

Network address translation allows an organization to exhibit a single unique IP address to the Internet for all hosts and servers on the internal network. The network address translation server provides internal IP addresses to the hosts and servers in the network and translates inbound and outbound traffic from the external IP address to the IP addressing system used internally. The only information that an intruder will be able to see is that the organization has a single IP address. The connection between the Internet and the internal network is usually through a NAT server or a router.

Network address translation assigns internal hosts private IP addresses. These addresses are private and nonroutable across the Internet. The specific address ranges used for internal hosts IP addresses are as follows:

1. 10.0.0.0–10.255.255.255
2. 172.16.0.0–172.31.255.255
3. 192.168.0.0–192.168.255.255

The NAT server operates as a firewall for the network by restricting access from outside hosts to internal network IP addresses. Through NAT, the internal network is effectively hidden from untrusted external networks. This makes it much more difficult for an attacker to determine what addresses exist on the internal network.

MAC Filtering and Limiting

MAC filtering is a method whereby known MAC addresses are allowed and those that are not wanted are not allowed on the network. This is a type of white list/blacklist filtering. Even in small home networks, MAC filtering can be implemented because most routers typically give you the option of choosing to allow only computers with MAC addresses you list on an authorized access control list.

MAC filtering can also be used as a wireless identification access control. Most wireless devices offer the ability to turn on MAC filtering, but it is off by default. Although a user may wish to join with a network using the SSID of a wireless system, the wireless system may refuse a connection based upon the MAC address not being unauthorized. In various network access control implementations, the term network lock is used to describe MAC filtering, and the two are synonymous.

MAC limiting is specific to some brands of network switches and is used to enhance port security on the switch by setting the maximum number of MAC addresses that can be learned (added to the Ethernet switching table) on a specific access interface port or all of the interface ports.

Unfortunately, MAC addresses may be spoofed relatively easily. Therefore, MAC filtering and limiting are not always foolproof.

Disabling Unused Ports

Part of system hardening is to disable all unused ports. Otherwise, they present an attack vector for an attacker to exploit. Any type of firewall implementation can be used to close or disable communication ports.

Firewalls

A firewall is an essential line of defense within a network system. They separate networks from each other and specifically separate interior networks from untrusted networks such as the Internet. A firewall is used as a border gate, usually depicted in drawings as a brick wall on the perimeter of the network.

There are many different types of firewalls, which can be either implemented as stand-alone appliances or embedded as an application within other devices, such as servers or routers. Operating systems such as Windows includes a host-based firewall.

Firewall Rules

Firewalls enforce various types of rulesets. The rules can be very specific, allowing or denying a specific IP or port address, or very general, allowing total access to a specific port such as HTTP port 80. Firewall and router rules may exist by default, meaning they are built into the system. These types of rules are referred to as implicit rules. Explicit rules are those specifically created to perform a certain function, like blocking a port or IP address.

Firewall rules is a list of statements used to determine how to filter traffic and what can pass between the internal and external networks. A firewall might have dozens if not hundreds of rules. There are three possible actions that can be specified in a firewall rule:

• Deny the connection.
• Allow the connection.
• Allow the connection if it is secure.

Firewall rules can be applied to both inbound traffic and outbound traffic. Firewalls may be placed anywhere within a local area network. For instance, firewalls can separate workgroups, filter inbound traffic from the wireless network, filter traffic to and from a virtual private network, and be dedicated to a specific server or application to filter content traffic.

Firewall rules may be constructed using various techniques. Some of these techniques are described in the following sections.

Routers

A router is a networking device used for connectivity between two or more networks. They operate by enabling a path between the networks based on packet addresses. Routers perform a traffic-directing operation within a LAN and over a network such as the Internet. Reading the destination address on a packet, the router, based on a routing table or internal rule, will forward the packet to the next network and router. This forwarding will continue until one of two events occur. Either the packet reaches its end destination or the counter on the packet, referred to as a “hop” counter, reaches zero, meaning it has exceeded the number of routers it has crossed and therefore the packet will be discarded.

Routers exchange information about destination addresses using a table listing the preferred routes between any two systems on an interconnected network. This routing table is created using a dynamic routing protocol.

The routing table contains information concerning destinations and local connections to which the router has immediate access. A routing table contains information about previous paths and where to send requests if the packet destination is not in the table. Tables expand as connections are made through the router.

Routers communicate with each other and share information using one of several standard protocols. These protocols include Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).

Routers can be configured in a number of ways, including as a packet filtering firewall and as an endpoint device for a virtual private network. Routers may also have different types of interfaces that accommodate various types of transmission media. This media includes fiber-optic cables, twisted-pair copper wire, and wireless transmission using modulated radio waves.

Local area networks can be subdivided into segments by routers based on IP addresses, effectively creating zones that operate autonomously. Each segment will have a unique subnet address. Subnets may be a logical group, a workgroup, a building, or any other subjective grouping of hosts or servers. Within a network, routers can be connected to other routers.

Switches

A switch is a network device that routes traffic based on physical MAC addresses. Most switches contain very little programming or intelligence. Previously, hosts on a network were connected by network hubs that forwarded the same information to each host. Modern switches are multi-port networking appliances that forward data to one or multiple devices.

Operating at the Data Link layer (layer 2) of the OSI model, switches switch information based on MAC addresses and are used to assemble virtual local area networks using a star network topology model. Virtual local area networks (VLANs) that are created through the use of a switch are not natively secure because the data within one virtual private network could possibly be exposed to other network segments. This is referred to as the VLAN “hopping.”

More intelligent network switches combine the ability to switch MAC addresses as well as route IP addresses. Because IP addresses are at OSI layer 3, this type of switch is referred to as a layer 3 switch.

Intrusion Detection Systems

An intrusion detection system (IDS) is software that runs either on a host workstation or on a network appliance. Depending upon the location, the system may be referred to as a host intrusion detection system (HIDS) or network intrusion detection system (NIDS). The primary role of a detection system is to monitor and analyze network traffic. This is a passive role, and no action is taken on the traffic itself.

There are two primary measurements of network activity used in setting up and fine-tuning an intrusion detection system:

1. Baseline A baseline is a predetermined level of expected activity on a network segment or network component. It may vary by day or by the hour. An intrusion detection system may be tuned to expect a certain volume of traffic or a specific type of packet being sent over the network.
2. Clipping Level A clipping level is an activity level established above the baseline that, when crossed, sets off an alarm or initiates some activity based upon an increased level of traffic on the network segment (Figure 8.17). A clipping level reduces noise and log entries.

   

An intrusion detection system is a passive system that listens and alerts. The system is connected to the network through the use of a network tap or three-way connector that allows the device to monitor network traffic. An IDS is not inline in the network and does not provide a single point of failure.

Intrusion Prevention Systems

An intrusion prevention system (IPS) is software that runs either on a host system or on a network appliance. The IPS not only detects a potential attack, it takes a predetermined action to stop the attack. For example, if it appears as if an attack might be in progress, identified packets might be dropped, ignored, logged, or otherwise dealt with. Operators might be alerted, and other actions, such as changing of firewall rules to block a port or IP address, might be initiated. While an intrusion detection system is a passive device, an intrusion prevention system is an active device.

For an intrusion prevention system to work it must be in line with the network data stream. This is so it may take immediate action to drop or block packets or take any other action based upon its ruleset. It also creates the problem that the IPS may become a target for an attack and that by being in the data stream, it is a single point of failure.

Both IDSs and IPSs utilized four primary methods of network monitoring:

1. Behavior-Based Detection A behavior-based monitoring system monitors network traffic behavior, such as unusually high traffic, high-volume traffic destined for a specific port, high-volume traffic destined for specific IP address, and unusual control or request packets. Behavior-based detection is monitoring deviations in behavior from established baseline standards.
2. Signature-Based Detection A signature-based monitoring system monitors network traffic based on previously established signatures of typical attacks. Similar to an anti-malware identification system, this type of system might identify different types of attacks through the methods used during the attack. For instance, a SYN flood attack is characterized by an attacker sending a large number of SYN packets with no responding acknowledgment packets. This opens a very large number of communication sessions. Other types of attacks can be identified through a library of signatures, thus triggering a response or action against the attack. Signature libraries must be kept up-to-date for this type of detection to be effective.
3. Anomaly-Based Detection An anomaly-based monitoring technique is very similar to a behavior-based monitoring system in that it looks for something completely outside of the ordinary. This type of device is usually more intelligent and learns what normal looks like from the typical traffic flow and activity on the network. Should anything out of the ordinary appear, the device would then take action. An anomaly-based device can be set within established baselines or be set to use automated processes to monitor traffic patterns to determine the baseline.
4. Heuristic-Based Detection A heuristic-based monitoring technique produces a solution by monitoring network traffic and providing a result based on good enough information. A type of learning system, it uses just enough information to arrive at a solution. Thus, it is very fast, but it is also potentially inaccurate. A heuristic system uses algorithms to analyze traffic passing through a network; the algorithms can be used by themselves or in conjunction with other techniques and information to improve their efficiency and accuracy.

   Many manufacturers are concentrating their efforts on the development of heuristics and intelligent sensing devices rather than signatures and baseline monitoring. The downside is that the systems are prone to errors if not adjusted correctly.

Wireless Intrusion Prevention Systems

A wireless intrusion prevention system (WIPS) is used to mitigate the possibility of rogue access points. These systems are typically implemented in an existing wireless LAN infrastructure and enforce wireless policies within an organization. They prevent unauthorized network access to local area networks through unauthorized access points.

A wireless intrusion prevention system might be simply a workstation with an antenna running a specialized sniffing application. A typical wireless intrusion detection system receives wireless transmitted packets, analyzes the packets, and then correlates against existing IT policy standards. Upon identification of a violation and classification of a threat, the WIDS administrator is alerted.

Several components work together to form a wireless intrusion prevention system:

1. WIPS Sensors A wireless intrusion prevention system uses antennas and radio receivers that scan the 2.4 GHz and 5 GHz wireless spectrum and accumulate all packets transmitted. Such sensors may be installed throughout the internal perimeter of the organization. Packets are stored and forwarded to a centralized server for analysis.
2. WIPS Processing Server A wireless intrusion prevention system uses a centralized server for analysis. The centralized server utilizes specialized wireless packet detection software that inspects packets against specific packet signatures as established by the policies of the organization. The WIPS processing server correlates the information, validates it against the defined rules, and notifies an administrator if it meets threat criteria.
3. WIPS Multi Network Controller In very large organizations, a multiple-network controller is used, which is made up of several sensors and servers dispersed in geographic locations that coordinate a number of WIPS processing servers.

Comparing Intrusion Detection Systems and Intrusion Prevention Systems

While intrusion detection systems began the intrusion detection revolution, intrusion prevention systems have far surpassed them in popularity and integration into modern networks. NIST now classifies both IDS and IPS as one type of device, an intrusion detection and prevention system (IDPS).

Spam Filter to Prevent Email Spam

To prevent email spam, such as unsolicited email, various email systems use antispam techniques. Unfortunately, the techniques are not without the downside of sometimes eliminating legitimate emails or sending them to spam folders. Antispam techniques can be broken into four broad categories:

• Actions that must be taken by individuals
• Actions that may be taken by email administrators
• Actions that may be taken by those who send email
• Actions that may be utilized by data researchers and law enforcement officials

No technique is a complete solution that offers a trade-off between incorrectly rejecting legitimate email and rejecting all spam.

There are a number of appliances, services, and software systems that system administrators may use to combat spam within their network systems. Lists of known spam sites are available to administrators so they can blacklist known spammers from their networks. Another spam elimination and blocking technique uses specialized analysis of the message patterns to detect spam or typical spam behavior and then compare it to global databases of spam.

Network Access Control

Network access control (NAC) is a technology approach to control the wellness and hygiene of a device desiring connection to a network. NAC is a network access solution that uses a set of predefined protocols to define and implement a policy whereby devices must meet various standards prior to being allowed access to a network.

When a device attempts to connect to a network, it must first be checked by a network application accessing a preinstalled software agent on the device to retrieve various device parameters and to ensure that the device complies with a network access policy. The network access policy may include requirements for antivirus protection level, system update level, and app configuration. During this period, the device can only access resources that can remediate any issues. Upon being certified as compliant, the device is able to access network resources and the Internet within the policies defined by the NAC system. NAC might integrate automated remediation processes to bring the device into compliance. Network access control is described in the 802.1X standard.

Network access control includes policies such as preadmission endpoint security checks and posted admission controls concerning the authorization of where users and devices can go on a network once access is granted.

IEEE 802.11x Wireless Protocols

IEEE 802.11 is a list of specifications for implementing wireless computer communications. Originally issued as a standard in 1997, the standard has received a number of amendments that are designated by a letter following the basic specification of 802.11 (Table 8.3). Various frequency bands have been allocated by the Federal Communications Commission (FCC) for implementing wireless local area networks. These frequencies include the 2.4, 3.6, 5, and 60 GHz frequency bands. Wi-Fi is a trademark of the Wi-Fi Alliance. It describes a local area wireless computer networking technology that allows electronic devices to communicate most commonly in the 2.4 GHz and 5 GHz bands.

WEP/WPA/WPA2

Over a period of time there have been a series of wireless security implementations. Several wireless security protocols have been used, each replacing another after weaknesses were exposed. The following sections discuss the relative capabilities of the wireless security protocols.

Wired Equivalent Privacy (WEP) was intended to provide basic security for wireless networks, while wireless systems frequently use the Wireless Application Protocol (WAP) for network communications. Over time, WEP has been replaced in most implementations by Wi-Fi Protected Access (WPA) and WPA2. The following sections briefly discuss these terms and provide you with an understanding of their relative capabilities.

Cellular Network

A cellular network contains a system of radio towers referred to as a cellular base stations and featuring directional radio transceivers and antennas to form of geographic cell. Each cell borders other cells to maintain continuous coverage over a large geographic area. A cellular base station and its radio antennas transmit on different frequencies from the adjacent cell. As cellular devices such as cellular telephones traverse the geographic area, a handoff is made between cellular base stations, which is completely transparent to the user (Figure 8.21).

WiMAX

The name WiMAX is a trademark and was created by the WiMAX Forum. It is specified in the IEEE 802.16 standard.

The original concept of WiMAX was to replace Wi-Fi as a connection medium of choice. WiMAX is intended as a much stronger and robust geographically based system covering a much larger physical area than Wi-Fi covers. There are significant differences between WiMAX and Wi-Fi, and with Wi-Fi already embedded with many major manufacturers, it may be difficult for the WiMAX Forum to compete.

While the initial concept involved WiMAX competing in the commercial user marketplace, it has found a significant niche in corporate and government implementations. For instance, several cities have initiated WiMAX digital communication systems for their emergency services, such as police, fire, and ambulance communications. Also, large industrial complexes such as chemical plants, oil refineries, and major manufacturing plants have incorporated WiMAX communications over a large-scale physical area. A WiMAX connection is highly reliable and favorably replaces traditional T1 or T3 connections by completely bypassing the local telephone line service providers.

Wireless MAN

A metropolitan area network (MAN) is a very large geographic network that connects groups of smaller networks or connects directly to end users. Originally intended for a metropolitan areas such as cities, business parks, and college campuses, a MAN is connected physically by dedicated wireless links using microwave, radio, or infrared laser transmission. Many MAN providers rent or lease wired circuits from common carriers because laying long stretches of cable is expensive.

A wireless MAN (WMAN) utilizes radio transmitters and receivers to communicate to wired LANs through access points or directly to wireless endpoints. The WMAN eliminates the requirement for the leased lines of a MAN.

Wireless WAN

A wireless wide area network (WWAN) utilizes standard cellular radio transmitters, receivers, and transceivers (cellular telephones, laptops, and cellular-enabled devices) to communicate to wired LANs through access points or directly to wireless endpoints. The WWAN essentially describes the existing cellular telephone network, where any user can connect to a local area network using any current cellular service. Users and existing local area access points are already set up to use a WWAN.

Wireless LAN

A Wireless LAN (WLAN) utilizes standard short-distance cellular radio transmitters, receivers, and transceivers (cellular telephones, laptops, and cellular-enabled devices) to communicate to wired LANs through access points. A WLAN may be characterized as a local area network where several user workstations connect using Wi-Fi to an access point installed in the room.

Wireless Mesh Network

In a mesh technology network, each node communicates with all of the other nodes. Mesh networks are redundant and usually very fast. They are referred to as “self-healing” because if one communication path fails, another communication path is immediately available. In a wireless mesh network, each node is immediately available and can forward messages to other nodes. A wireless mesh network can be implemented in an ad hoc communication relationship.

Bluetooth

Bluetooth has become famous for connecting items such as keyboards, mice, headphones, speakers, and other devices to a user workstation. Bluetooth has also been a conduit for communication between two Bluetooth-enabled devices such as computers, tablets, and cell phones. Originally designed as a low-power transmission medium to replace wires and cables, it has been expanded to a number of other uses, including data synchronization between devices. Using a low-power, Class II transmitter, Bluetooth has a general range of approximately 10 meters, or 33 feet, and has a stated maximum range of 100 meters, or 333 feet. It has been proven through experimentation that with the use of sophisticated specialized “shotgun” antennas, it is possible to extend the range to 2 miles.

Bluetooth originally started as an IEEE 802.15 standard and has since been relinquished by IEEE and is currently managed by the Bluetooth Special Interest Group.

Wireless Network Attacks

Because data is transmitted readily through the radio environment, it is subject to being captured either mistakenly or intentionally. There are a number of well-known attacks against wireless transmissions.

1. Parking Lot Attack The parking lot attack is best characterized by a vehicle located within close proximity to a transmission source, such as in the parking lot of an organization. The attacker usually has sophisticated radio monitoring equipment.
2. Drive-By Attack In a drive-by attack, attackers have already identified the target and either jam the target with powerful conflicting signals on the 2.4 GHz and 5.0 GHz bands, thus disrupting communications, or attempt to intercept communications.
3. Wardriving The act of searching for wireless communications by driving through an area using antennas, software, and a portable computer. Wardriving may be also accomplished using smartphones or personal digital assistants.
4. Warchalking The marking of symbols to advertise the availability of Wi-Fi networks and to indicate whether they are open. Similar to hobo symbols, warchalking symbols consist of a number of different hieroglyphs or icons that were usually more in shock on buildings with available Wi-Fi networks.
5. Bluesnarfing The unauthorized use of Bluetooth to access information from a wireless device.
6. Bluejacking Uses Bluetooth to send unsolicited messages to Bluetooth-enabled devices such as mobile phones, tablets, and laptop computers.
7. Bluebugging A form of a Bluetooth attack in which the attacker accesses and uses all phone features.
8. Evil Twin Referred to as an evil twin, a rogue Wi-Fi access point that appears to be a legitimate access point that is part of an enterprise network on the premises but has actually has been set up to eavesdrop on wireless communications.

Wireless Access Points

A wireless access point (WAP), commonly called an access point, or AP, is a low-power directional transceiver (transmitter/receiver) that is connected to the local area network through a standard network connection. The wireless access point associates with wireless devices within its immediate vicinity and transmits packets from the wired network to the wireless device.

Wireless devices such as cell phones, personal digital assistants, and laptops will connect to the “loudest” (in transmission volume) or nearest access point to their location. This is an attack technique commonly used by nefarious individuals to establish an access point that appears to be authentic but in fact just monitors all of the wireless information sent from an unsuspecting user's wireless device.

A typical method employed when spoofing an access point is for the attacker to use a secondary or rogue access point. This rogue access point will be under the control of the attacker and may be placed in closer proximity to the user machines that he wants to attack. In practice, the rogue access point will appear as the legitimate access point on the actual network to unsuspecting laptops and tablets and other digital devices. This rogue access point would then process or view all traffic destined for the original network and would appear to all users to actually be the access point of the original network. This is a typical attack method used in many public places, including airports and restaurants.