Domain 4: Communication and Network Security
4.1 Implement secure design principles in network architectures
Communications and Network Security
Encapsulation is when headers and footers are added to the payload as the message goes down the layers. Decapsulation is the reverse unwrapping as the message travels back up. This means the data carries the most information at the physical layer.
Layer 1 – Physical – cabling standards, radio waves etc. Devices include hubs, repeaters and cables. Protocol Data Unit (PDU) is the bit
EIA/TIA, X.21, HSSI, SONET, v.24, V.35
Layer 2 – Data Link – PDU is called the Frame. Uses MAC addresses. Devices used at Layer 2 include Switches
SLIP, PPP, ARP, L2F, L2TP, PPTP, FDDI, ISDN
Layer 3 – Network – PDU is the Packet/Datagram. Performs routing using IP addresses. Devices used at layer 3 include Routers.
ICMP, RIP, OSPF, BGP, IGMP, IP, IPSec, IPX, NAT, SKIP
Layer 4 – Transport – Connection between computers. PDU is the Segment (TCP) or Datagram (UDP). Protocols include UDP and TCP. Port numbers operate here. TCP is reliable, re-sends undelivered segments (connection-oriented).
Layer 5 – Session – Connection between applications. PDU is the datastream
Layer 6 – Presentation – presents data to the application layer in a form it can understand, handling character encoding (ASCII), image formats (GIF, JPEG), data conversion, encryption and compression.
Encryption protocols, format types such as ASCII, TIFF, JPEG, MPEG, MIDI
Layer 7 – Application – Human-readable data. Web browsing, word processing, and IM clients operate at this layer. Protocols include Telnet, FTP, HTTP, etc. The primary purpose of a gateway is to translate protocols.
HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC, SET
LAN Technologies, Protocols, and Network Topologies
Bus – A straight line of devices. A is connected to B, which is connected to C. A single cable break brings the network down.
Ring – A is connected to Z and B, B is connected to A and C, and so on. Doesn’t really improve on a Bus topology
Star – Ethernet uses a star topology. Everything is connected to a central hub/switch/whatever. A cable break only affects that single node. This provides fault tolerance.
Mesh – everything is connected to everything.
MAC Addresses – Media Access Control. 48 bits long. The first 24 bits form the OUI, the last 24 bits identify the specific device.
ARP resolves IP addresses to MAC addresses
IPv4 – 32-bit address written as four bytes in decimal (x.x.x.x)
CIDR – allows for many network sizes (i.e., subnetting)
Class A network is /8
Class B is /16
Class C is /24
Single IP is /32
NAT – hides private IP addresses behind a single public IP. A Pool NAT would be multiple public IPs
IPv6 – addresses are 128-bit instead of IPv4’s 32-bit addresses. Provides 340 undecillion addresses. Routing and address assignment are easier through autoconfiguration using a host’s MAC address. This removes the need for DHCP.
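The MAC-based autoconfiguration mentioned above, worked through as an added Python example (not part of the original notes): the modified EUI-64 procedure from RFC 4291 turns a 48-bit MAC into the 64-bit host part of a SLAAC address, and the reverse function shows why such an address reveals the hardware identity (the reason privacy extensions, RFC 4941, exist). The MAC and the 2001:db8::/64 prefix are constructed sample values.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits / 6 octets")
    # Split the MAC into OUI (first 24 bits) and device id (last 24 bits), insert
    # ff:fe between them, then invert the universal/local bit (0x02 of octet 0).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration: router-advertised /64 prefix + EUI-64 host part."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    host_part = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | host_part))


def mac_from_slaac(address: str) -> Optional[str]:
    """Undo the derivation. Returns None when the interface id is not EUI-64 shaped,
    e.g. a random id from privacy extensions (RFC 4941) or a manually set address."""
    iid = ipaddress.IPv6Address(address).packed[8:]   # low 64 bits = interface id
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                                  # restore the universal/local bit
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"   # constructed sample MAC, not a real device
    addr = slaac_address("2001:db8::/64", mac)
    print(addr)                  # 2001:db8::21a:2bff:fe3c:4d5e
    print(mac_from_slaac(addr))  # 00:1a:2b:3c:4d:5e
```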
TCP 3-way handshake – SYN > SYN/ACK > ACK
Socket – IP and port: 10.10.10.100:443
ICMP – ping, tracert, netstat, etc. Used to troubleshoot and report error conditions.
FTP – many varieties. TCP port 21 (control connection), and TCP 20 (data connection)
SFTP – port 22 uses SSH to add security
FTPS – uses TLS to add security
TFTP – UDP 69. Used for bootstrapping
Application Layer Protocols
SMTP – TCP 22. Sends email between servers
POP – TCP 110, downloads email to a local client from server
IMAP – TCP port 143, downloads email to local client like POP
S/MIME – allows attachments and foreign character sets in email. Uses PKI to encrypt and authenticate MIME-encoded email
DNS – TCP 53. Resolves domain names to IP addresses. Handles zone transfers
SOA – start of authority server. Contains the master record for the zone
Weaknesses of DNS:
DNSSEC – adds authentication and integrity to DNS responses and uses PKI, but offers no confidentiality. Like a digital signature.
SNMP – UDP 161. Used to monitor and control network devices. “Community string” is transmitted in plain text in v1 and v2. SNMPv3 adds encryption
HTTP and HTTPS
DHCP – UDP 67 for servers and 68 for clients
4.2 Secure network components
Hub – layer 1 device. Provides no confidentiality or security because it does not isolate traffic. Half duplex, meaning it cannot send and receive simultaneously.
Repeater – has two ports. Receives traffic on one port and repeats it out the other
Switches – use a SPAN (Cisco) or mirror port to copy all traffic to that one port, normally to feed it to an IDS/IPS. One issue here can be bandwidth overload.
Routers – layer 3 device that routes traffic from one network to another. Routers are often the default gateway
Allow/block traffic using:
Generally deployed between a private network and a link to the internet.
Use an “implicit deny” rule
Rules at the top of an ACL take priority. The first applicable rule is the one applied to the traffic.
Screened-Host Architecture – when a router forces traffic to go only to a Bastion Host, which alone can access the LAN. A Bastion Host is a heavily secured device, such as a firewall, that would then allow traffic to the LAN. Creates a SPOF.
DMZ – “perimeter” or “edge” network. Two firewalls; publicly available resources sit in between them to allow things like HTTPS and DNS through. The second firewall would stop anything from coming into the internal network.
SEVERAL TYPES OF FIREWALLS:
Packet Filtering – works at layer 3 where the PDU is the packet. Filtering decisions are made on each individual packet. Just looks at IP addresses and port numbers (header)
Stateful – stores info about who initiates a session, and blocks unsolicited communications (nothing from the outside that didn’t originate internally can get through). This information is stored on the firewall’s “state table”, which can be DoSed by flooding it with communication requests.
Application Level Firewall – acts as an intermediary server and proxies the connection between client and application server. It can see the entire packet, as the packet won’t be encrypted until layer 6. Other firewalls can only inspect the packet headers but not the payload. Application firewalls can therefore detect unwanted applications or services attempting to bypass the firewall
Next-Gen Firewalls – bundle a ton of shit together, such as deep-packet inspection, application-level inspection, IDS/IPS, integrated threat intel, etc
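An added Python model (not from the original notes) of the two firewall behaviours described above: an ordered ACL where the first matching rule wins and an implicit deny ends the list, plus a stateful layer whose bounded state table admits only replies to sessions an inside host opened. The 10.0.0.0/8 inside network, the rules and the addresses are constructed sample values; the table size of two is deliberately tiny so the exhaustion case is visible.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str           # source IP
    dst: str           # destination IP
    sport: int         # source port
    dport: int         # destination port
    syn: bool = False  # True for the first segment of a new TCP connection


# Ordered ACL for traffic leaving the inside 10.0.0.0/8 network (constructed sample
# rules). Each rule: (action, source network or "*", destination port or "*").
ACL = [
    ("deny",   "10.0.0.0/8", 23),   # Telnet never leaves; must sit above the broad permit
    ("permit", "10.0.0.0/8", "*"),  # everything else from inside may be initiated
    ("permit", "10.0.0.0/8", 23),   # shadowed: the deny at the top always matches first
]


def acl_decision(pkt: Packet) -> str:
    """Walk the ACL top-down; the first applicable rule decides. No match: implicit deny."""
    for action, net, port in ACL:
        in_net = net == "*" or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net)
        if in_net and port in ("*", pkt.dport):
            return action
    return "deny"


class StatefulFirewall:
    """Remembers who initiated a session; only matching replies are let back in."""
    def __init__(self, max_states: int = 2):
        self.state_table = set()      # (inside_ip, inside_port, outside_ip, outside_port)
        self.max_states = max_states  # the finite table that a connection flood fills up

    def outbound(self, pkt: Packet) -> str:
        if acl_decision(pkt) != "permit":
            return "deny"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state_table:
            return "permit"                  # continuation of a tracked session
        if not pkt.syn:
            return "deny"                    # mid-stream segment with no session on record
        if len(self.state_table) >= self.max_states:
            return "drop: state table full"  # resource exhaustion, not a policy decision
        self.state_table.add(key)
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        """A reply is permitted only if an inside host opened the matching session."""
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reply_key in self.state_table else "deny"  # unsolicited: deny
```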
Electromagnetic Interference – caused by electricity and causes unwanted signals, or noise.
Twisted Pair cabling is the most common type of cabling. It consists of copper wires twisted together in pairs, like Ethernet cable
Unshielded Twisted Pair (UTP) – the twisted pairs inside the cable have no shielding. The twists themselves provide protection against EMI.
Shielded Twisted Pair has a sheath around each individual pair. This provides better protection than UTP, but it is more expensive and more difficult to work with. Prices of fiber are getting low enough that STP doesn’t make sense
Coax cable – More resistant to EMI than UTP or STP, and provides a higher bandwidth
Fiber Optic Cable – uses light pulses. Cable is made of glass so it is very fragile. It is immune to EMI and much faster than coax. Several types:
Multimode – many paths of light. Shorter distance and lower bandwidth. Uses LED as its light source
Singlemode – one path, long haul, long distance. Uses a laser
Multiplexing – sends multiple signals over different colors of light. Exceeds speeds of 10GB
SSID – Service Set Identifier. Basically the network name. Normally broadcast, but you can disable it.
WEP – old, can be broken due to weakness in the implementation of its IV.
WPA – fixed issues with WEP by implementing RC4 and TKIP. Also no longer secure
WPA2 – Uses AES and CCMP to provide confidentiality and integrity. Current standard for test purposes, although WPA3 is being rolled out. Allows for MFA functionality
Bluetooth – 802.15; uses 2.4 GHz. Sensitive devices should disable automatic discovery. Uses the 128-bit E0 symmetric stream cipher. Several classes:
Bluejacking – sending forged messages to nearby Bluetooth devices
Bluesnarfing – copies information off of remote devices
Bluebugging – allows full use of the device
Asset inventory and faraday cages are common protections against these attacks. Faraday cages block the emissions of RFID signals
Captive Portals are when you’re forced to sign in or redirected to a website upon connecting to a wireless network
4.3 Implement secure communication channels according to design
SLIP – layer 2 protocol. Old, provides no confidentiality, integrity or authentication
PPP – replaced SLIP. Adds confidentiality, integrity and authentication
ISDN – provides digital service over copper-wire phone lines.
DSL – symmetric (UL and DL speeds are the same) and asymmetric (DL speeds are faster)
T1 Connection – 1.5Mbps
T3 – 45 Mbps
E1 – 2Mbps
E3 – 34 Mbps
MPLS – Multiprotocol Label Switching. Forwards WAN data using labels
VoIP – uses two protocols:
Mimics directly attaching a hard drive, and allows block-level file access over a network
Fibre Channel – uses special cabling and hardware; has a couple of variations such as Fibre Channel over Ethernet (FCoE) (layer 2, does not use TCP/IP) and Fibre Channel over IP (layer 3, uses TCP/IP). Allows for high-speed transfer and is often used with NAS or SAN
iSCSI – allows access to storage over a WAN.
rlogin and rsh are old Unix remote access systems. Cleartext; use TCP 513 and 514 respectively
VNC (TCP 5900) and RDP (3389) are used more commonly today