cissp week 5

CISSP: Network Security Week 5; Pages 266-315

Upload: jemtallon

Post on 25-May-2015

Part 1

OSI & TCP/IP

Open Systems Interconnection Model
● Defined in 1984. Last revision in 1994.
● International Standard (ISO/IEC 7498-1)
● Theoretical way to describe network structure
● Divided into 7 layers
  ○ Certain layers require further subdivisions

The OSI Layers
1. Physical
   a. CAT5 and fiber optic cables
   b. Electrical signals
   c. Topologies (Star, Bus, Ring)
2. Data-link
   a. Logical Link Control (Error and flow control)
   b. Media Access Control (Hardware addressing)
   c. Switches
3. Network
   a. Internet Protocol (Addressing, Fragmentation)
   b. Routers

4. Transport
   a. TCP & UDP
   b. Error Detection and Correction
   c. Three-Way Handshake
5. Session
   a. Logical Persistent Connection
   b. Duplex vs. Simplex
6. Presentation
   a. Ensures common formats
   b. Complex Architecture
7. Application
   a. HTTP, FTP, SMTP, DHCP, etc.
   b. Web browser

Routing Protocols (under Network Layer)
● RIP v1 & 2 (RFCs 1058, 1723)
  ○ Uses distance vector to select path w/ fewest hops; not always fastest; no more than 15 hops
  ○ v2 supports subnet mask and password authentication
● OSPF v1 & 2 (RFCs 1131, 1583, 2328)
  ○ Link-state based
  ○ smaller, more frequent updates to routing tables
  ○ supports classless IP ranges

● BGP (RFCs 4271, 1771, 1654, 1105, 1163, 1267)
  ○ for interdomain routing in TCP/IP networks
  ○ allows the internet to be decentralized
● ICMP (RFC 792)
  ○ Used heavily in troubleshooting
  ○ Announces network errors, congestion, and timeouts
  ○ Common utilities using this protocol: Ping, Traceroute

TCP Control Bits
● URG - Urgent Pointer field significant
● ACK - Acknowledgement field significant
● PSH - Push Function
● RST - Reset the connection
● SYN - Synchronize sequence numbers
● FIN - No more data from sender

Three-Way Handshake
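
The TCP control bits and the SYN, SYN/ACK, ACK exchange of the three-way handshake, as an added Python example that is not part of the original slides. The ports and sequence numbers are constructed sample values, and the helper names are hypothetical.

```python
import struct

# Bit positions of the six control bits in the TCP flags field (RFC 793).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_header(sport, dport, seq, ack, flags):
    """Pack a minimal 20-byte TCP header (no options, checksum left at 0)."""
    bits = sum(FLAGS[f] for f in flags)
    offset_flags = (5 << 12) | bits          # data offset = 5 words, then flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)

def parse_header(raw):
    """Return (seq, ack, set of flag names) from a raw TCP header."""
    _, _, seq, ack, offset_flags, _, _, _ = struct.unpack("!HHIIHHHH", raw[:20])
    names = {name for name, bit in FLAGS.items() if offset_flags & bit}
    return seq, ack, names

def is_three_way_handshake(segments):
    """Check that three headers form SYN -> SYN/ACK -> ACK with matching numbers."""
    if len(segments) != 3:
        return False
    (c_seq, _, f1), (s_seq, s_ack, f2), (a_seq, a_ack, f3) = map(parse_header, segments)
    return (f1 == {"SYN"}
            and f2 == {"SYN", "ACK"} and s_ack == (c_seq + 1) % 2**32
            and f3 == {"ACK"} and a_seq == s_ack and a_ack == (s_seq + 1) % 2**32)

# Constructed sample segments: client port 49152 connecting to server port 80.
CLIENT_ISN, SERVER_ISN = 1000, 5000
HANDSHAKE = [
    build_header(49152, 80, CLIENT_ISN, 0, ["SYN"]),
    build_header(80, 49152, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"]),
    build_header(49152, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]),
]
# Constructed counter-example: the server answers RST/ACK instead of SYN/ACK.
REFUSED = [HANDSHAKE[0], build_header(80, 49152, 0, CLIENT_ISN + 1, ["RST", "ACK"]),
           HANDSHAKE[2]]

if __name__ == "__main__":
    for raw in HANDSHAKE:
        print(parse_header(raw))
    print(is_three_way_handshake(HANDSHAKE), is_three_way_handshake(REFUSED))
```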

Sublayers of Presentation Layer
● CASE
  ○ provides common application services
  ○ ACSE, ROSE, CCR, RTSE
● SASE
  ○ provides specific application services
  ○ FTAM, VT, MOTIS, CMIP, MMS, RDA, DTP

Part 2

IP Networking

Network Addressing
● In 8.24.28.159
  ○ 8 is network (assigned by orgs like ICANN)
  ○ .24.28.159 is unique to host
● .0 and .255 are not used by hosts
● Class A: 1.0.0.0 - 127.255.255.254
● Class B: 128.0.0.0 - 191.255.255.254
● Class C: 192.0.0.0 - 223.255.255.254
● Class D: 224. - 239. (for multicast)
● Class E: 240. - 255. (Special purpose)

Network Addressing
● Special networks: 10.0.0.0, 127.0.0.0, 172.16.0.0-172.31.0.0, 192.168.0.0
● Subnets
  ○ Octets represent bits
  ○ All bits with a value of 1 are network bits
  ○ Example: A host in the 172.25.156.0 network with a subnet mask of 255.255.255.224 means that its address will be between 172.27.165.1 and 172.27.165.30. Next subnet will start at 172.27.165.32.
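
The subnet arithmetic above carried through bit by bit, as an added Python example that is not part of the original slides. It uses the 255.255.255.224 mask and the 172.27.165.x range from the example; the host address 172.27.165.10 is a constructed sample and the function names are hypothetical.

```python
def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: " + dotted)
    return sum(o << s for o, s in zip(octets, (24, 16, 8, 0)))

def to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def subnet_info(host, mask):
    """Derive network, usable host range and next subnet from a host and mask.

    The usable range is meaningful for prefixes of /30 or shorter.
    """
    h, m = to_int(host), to_int(mask)
    host_bits = ~m & 0xFFFFFFFF             # the 0 bits of the mask are host bits
    if host_bits & (host_bits + 1):         # 1 bits must be contiguous from the left
        raise ValueError("non-contiguous subnet mask: " + mask)
    network = h & m                         # keep only the network (1) bits
    broadcast = network | host_bits         # all host bits set
    return {
        "prefix_len": bin(m).count("1"),
        "network": to_dotted(network),
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        "broadcast": to_dotted(broadcast),
        "next_subnet": to_dotted((broadcast + 1) & 0xFFFFFFFF),
    }

if __name__ == "__main__":
    # Constructed sample host inside the range given in the slide.
    for key, value in subnet_info("172.27.165.10", "255.255.255.224").items():
        print(key, value)
```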

CIDR/IPv6
● IP addresses in high demand since '90s
● CIDR introduced to help remedy
  ○ Classless interdomain (remember BGP?)
● IPv6 currently being introduced
  ○ Much longer addresses using hexadecimal
  ○ IPSec implemented
  ○ Increased throughput
  ○ Better QoS (meaning better VoIP)

● Connection requires two parts
  ○ IP Address
  ○ Ports
● Ports associated with TCP/UDP
● IANA manages standard port numbers
  ○ 0-1023: well-known; 1024-49151: registered; 49152-65535: private

DHCP
● Allows hosts to get their own IP addresses
● Process is similar to three-way handshake
  ○ Workstation sends out DHCPDISCOVER
  ○ Server responds with DHCPOFFER
  ○ Workstation sends DHCPREQUEST to begin lease
  ○ Server responds with DHCPACK
● Authentication supported (RFC 3118)

While ICMP is useful, attackers also love it.
● Ping of Death
  ○ ICMP echo larger than 65,536 bytes would cause systems to crash; OSs now made to handle it
● Redirect attacks
  ○ Man-in-the-Middle by redirecting a host through an attacker's computer
● Ping Scanning & Traceroute Exploitation
  ○ Scanning for open ports/mapping network; NMAP
● IGMP
  ○ used to manage multicasting groups

● VRRP
  ○ Performs failover for routers
  ○ Acts as a virtual router transparently
● RPCs
  ○ Allows a host to execute code not stored on it
  ○ CORBA and DCOM are examples

Port 53

RFCs 882, 1034, 1035

Directory Services (Again...)
● LDAP
  ○ supports lots of back ends
  ○ weak authentication; transfers in clear text (CT)
● NetBIOS
● NIS, NIS+
  ○ Commonly used to manage user credentials
  ○ NIS does not authenticate between requests; NIS+ does

Port 389; RFC 1777

Ports 135, 137, 138, 139; RFCs 1001, 1002

File sharing
● CIFS/SMB/Samba
  ○ Prevalent on Windows, but also used on Unix-based systems
  ○ Capable of user- and tree-level security
  ○ Credentials sent in CT for backwards compatibility
● NFS
  ○ Prevalent on Unix-type systems, but also found on Windows.
  ○ v2 & v3 are stateless protocols for performance
  ○ Secure NFS uses DES for authentication and encryption; time stamps for tokens
  ○ v4 uses Kerberos and is stateful

Port 445

RFCs 1094, 1813, 3010, 3530

● SMTP
  ○ Routes email
  ○ No authentication; identification using email address
  ○ ESMTP improves security; provides authentication
● FTP
  ○ Requires two channels: control and data
  ○ Original: username/password auth passed in CT
  ○ TLS: sends AUTH TLS command to encrypt session
  ○ SFTP: encrypts both control and data
  ○ FTP over SSH: tunneling; only encrypts control
  ○ Active and Passive: server could be blocked by firewall

Port 25

Ports 20, 21; RFCs 959, 4217

● Anonymous FTP
  ○ Replaced with similar HTTP services
  ○ Considered unsafe due to the need to input an email address for access
● TFTP
  ○ Simplified FTP similar in purpose to Anonymous
  ○ Used on LANs for system administration tasks

Port 69; RFC 1350

● HTTP
  ○ Initially "Web enabled" apps caused security issues
  ○ No encryption support; simple authentication
● Proxying
  ○ Anonymizing
    ■ Allows obfuscation of connection information
  ○ Open
    ■ Allows unrestricted access to GET commands
    ■ Can be used to launch attacks
  ○ Content Filtering
    ■ Blocks traffic to restricted sites
    ■ Protects against accidental downloading of viruses

Port 80; RFCs 1945, 2109, 2616

Part 3

Implications of Multi-Layer Protocols

Multi-Layer Protocols

Typically used with industrial systems
● SCADA (also called ICS)
  ○ Control Server - hosts software
  ○ RTU - equipped with radios
  ○ HMI - where people control the machines
  ○ PLC - controls machinery components
  ○ IED - sensors that collect data
  ○ IO Server - collects info from RTUs, PLCs, IEDs
  ○ Data Historian - like SIEM
● Modbus
  ○ Information sent in clear text
  ○ No authentication to send commands
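
Because Modbus carries no authentication and travels in clear text, a monitor can read every request and has to decide from the source alone whether a write is expected. An added Python example of that check, not part of the original slides: the captured frames, IP addresses and allowlist are constructed, and the function names are hypothetical.

```python
import struct

# Function codes from the public Modbus application protocol specification.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame):
    """Decode the MBAP header and function code of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack("!HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:        # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    name = WRITE_CODES.get(func) or READ_CODES.get(func) or "Other"
    return {"transaction": tid, "unit": unit, "function": func,
            "name": name, "is_write": func in WRITE_CODES}

def unexpected_writes(captures, allowed_sources):
    """Return (source, unit, command) for writes from hosts not on the allowlist."""
    alerts = []
    for source, frame in captures:
        try:
            request = parse_modbus_tcp(frame)
        except ValueError:
            continue                     # not a well-formed Modbus/TCP request
        if request["is_write"] and source not in allowed_sources:
            alerts.append((source, request["unit"], request["name"]))
    return alerts

# Constructed captures: (source address, request bytes). Addresses are samples.
READ_REGS = struct.pack("!HHHBBHH", 1, 0, 6, 1, 3, 0x0000, 2)
WRITE_COIL = struct.pack("!HHHBBHH", 2, 0, 6, 1, 5, 0x0013, 0xFF00)
CAPTURES = [("10.0.0.5", READ_REGS), ("10.0.0.5", WRITE_COIL),
            ("10.0.0.99", WRITE_COIL), ("10.0.0.99", b"\x00\x01")]
HMI_ALLOWLIST = {"10.0.0.5"}            # hypothetical: the only host expected to write

if __name__ == "__main__":
    print(parse_modbus_tcp(WRITE_COIL))
    print(unexpected_writes(CAPTURES, HMI_ALLOWLIST))
```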
