SecurityArena

Guide to Practical Info Security!

Written by Administrator   
Saturday, 11 July 2009 04:09
Article Index
CBK Telecommunications and Network Security
Open System Interconnect Model
LAN media Access technologies
Cabling
Types of transmission
Network Topology
Protocols
Networking devices
Firewalls
Firewall architecture
Networking Services
VPN - Virtual Private Network
Common Authentication Protocols
RAID
SAN vs NAS

CBK Telecommunications and Network Security

This domain examines internal, external, public, and private communication systems; networking structures; devices; protocols; and remote access and administration.


Open System Interconnect Model

The OSI model has seven layers, with different protocols defining different network functions at each layer.

  • Protocol: A network protocol is a standard set of rules that determines how systems communicate across networks. Two different systems that use the same protocol can communicate and understand each other despite their differences, much as two people can communicate and understand each other by using the same language.

Application layer
Application layer protocols interact with actual programs, e.g. web browsers and FTP clients. These protocols or services communicate with applications through standard APIs. Protocols include SMTP, SNMP, HTTP, LPD, FTP, WWW, Telnet and TFTP.
Some well-known application ports are Telnet port 23, SMTP port 25, HTTP port 80, SNMP ports 161 and 162, and FTP ports 21 and 20.
The application layer in the TCP/IP architecture model is equivalent to the combination of the application, presentation and session layers in the OSI model.
Applications send requests to an API, which is the interface to the supporting protocol.
 
Figure 1: Interaction of application programs with a protocol through an API (figure not reproduced).

Presentation layer
It provides a common means of representing data in a structure that can be properly processed by the end system, and handles functions such as data compression and encryption. Examples include graphics formats such as TIFF, GIF and JPEG, the ASCII and Unicode encodings, and MIME.

Session layer
It is only used in a client/server model. It is involved in establishing the client/server connection and subsequently maintaining its state. Protocols include SSL, NFS, NetBIOS, SQL and RPC.
The session layer protocol can enable communication between two applications to happen in three different modes:

  • Simplex: Communication takes place in one direction only.
  • Half-duplex: Communication takes place in both directions, but only one application can send information at a time.
  • Full-duplex: Communication takes place in both directions, and both applications can send information at the same time.

Session layer protocols control application-to-application communication, whereas the transport layer protocols handle computer-to-computer communication.
Different references can place specific protocols at different layers. For example, many references place the Secure Sockets Layer (SSL) protocol in the session layer, while other references place it in the transport layer. It is not that one is right or wrong. The OSI model tries to draw boxes around reality, but some protocols straddle the different layers. SSL is made up of two protocols - one works in the lower portion of the session layer and the other works in the transport layer. For purposes of the CISSP exam, SSL resides in the transport layer.

Transport layer
It provides end-to-end (host-to-host) data transport services and establishes the logical connection between two communicating computers. Protocols include TCP, UDP, SPX and SSL (some literature places SSL in the session layer).
The transport layer formats and multiplexes data from multiple applications into a stream prepared for transmission.

  • TCP: A reliable, connection-oriented protocol that ensures packets are delivered to the destination computer. If a packet is lost during transmission, TCP can resend it. This reliability comes at the cost of more overhead per TCP packet. A TCP connection begins with the three-way handshake:
      • The host sends a SYN packet.
      • The receiver answers with a SYN/ACK packet.
      • The host sends an ACK packet.
  • UDP: A best-effort, connectionless transport layer protocol. It has no packet sequencing, no flow or congestion control, and the destination does not acknowledge every packet it receives. There is less overhead in a UDP packet.

Network layer
It inserts information into the packet's header so that the packet can be properly routed. Its main task is to support internetwork addressing, packet forwarding and routing. Network layer protocols include IP, ICMP, RIP, OSPF, BGP and IGMP.
Protocols that work at this layer do not ensure the delivery of the packets.

Data Link layer
It is the only layer that actually understands what kind of network or environment you are communicating over, and it formats frames for the specific technology in use.
The operating system formats the data frame so that it can be properly transmitted over the network (Token Ring, Ethernet, ATM or FDDI). The layer has two sublayers, LLC and MAC. Actual framing takes place at the MAC sublayer, the lower of the two.
Data link layer protocols include ARP, SLIP, PPP, RARP, L2F, L2TP, FDDI and ISDN. Each network technology has its own defined electronic signaling and bit patterns.

Physical layer
This layer converts bits into electrical signals for transmission. Different interfaces are defined at the physical layer; standard interfaces include HSSI, X.21, EIA/TIA-232 and EIA/TIA-449.


LAN media Access technologies

Ethernet

It uses shared media, employing carrier sense multiple access with collision detection (CSMA/CD). It supports full duplex on twisted-pair and coaxial media. It is defined by the IEEE 802.3 standard.

  • 10Base2 implementation: ThinNet, uses coaxial cable, maximum length 185 meters, provides 10 Mbps.
  • 10Base5 implementation: ThickNet, uses coaxial cable, maximum length 500 meters, provides 10 Mbps.
  • 10Base-T implementation: Uses twisted-pair wiring, provides 10 Mbps, usually implemented in a star topology.
  • Fast Ethernet implementation: Uses twisted-pair wiring, provides 100 Mbps.

Token ring

It uses a token-passing technology over a physical star topology.

  • Each computer is connected to a central hub, the Multi-station Access Unit (MAU).
  • It operates at a transmission speed of 16 Mbps.
  • It has an active monitor that removes frames that are continuously circulating on the network.
  • Beaconing - If a computer detects a problem with the network, it sends a beacon frame. This generates a failure domain in which computers and devices attempt to reconfigure certain settings to work around the detected fault.

FDDI—Fiber Distributed Data Interface

It is a high-speed token-passing media access technology.

  • It transmits data at 100 Mbps.
  • It provides fault tolerance through a second, counter-rotating fiber ring.
  • It enables several tokens to be present on the ring at the same time.

Important Terms

Maximum Transfer Unit (MTU)  A parameter that indicates how much data a frame can carry on a specific network. MTU parameters usually appear in association with a communications interface (NIC, serial port, etc.).

Token passing  A 24-bit control frame is used to control which computers communicate and at what intervals. The token grants a computer the right to communicate. Token passing does not cause collisions, because only one computer can communicate at a time.
CSMA (carrier sense multiple access) and CSMA/CD (collision detection)  Stations monitor the transmission (carrier) activity on the wire to determine the best time to transmit data. Computers listen for the absence of a carrier tone on the cable, which indicates that no one else is transmitting data at the same time.

  • Contention - The nodes have to compete for the same shared medium.
  • Collision - Happens when two or more frames collide on the medium.
  • Back-off algorithm - After a collision, all stations run a random collision timer to force a delay before they attempt to transmit again.
  • CSMA/CA (collision avoidance) - An access method in which each computer signals its intent to transmit data before it actually does so.

Collision Domains  A collision domain is a group of computers that are contending or competing for the same shared communication medium. All hosts connected through a collection of hubs form a single collision domain.
Polling  Some systems are configured as primary stations and others as secondary stations. At predefined intervals, the primary station asks each secondary station whether it has anything to transmit.


Cabling

Coaxial Cable

It is more resistant to electromagnetic interference (EMI) than twisted pair, and provides higher bandwidth and longer cable lengths. It can transmit using either a baseband method, where the cable carries only one channel, or a broadband method, where the cable carries several channels.
Twisted Pair

It is cheaper and easier to work with than coaxial cable, but less resistant to electromagnetic interference (EMI).

  • STP (shielded twisted pair) - Has an outer foil shield, which adds protection from radio frequency interference.
  • UTP (unshielded twisted pair) - Comes in different categories of cabling with different characteristics. It is the least secure, owing to interference, crosstalk and eavesdropping.

Fiber-Optic Cabling

Because it uses glass, it supports higher transmission speeds over longer distances and is far less affected by attenuation and EMI than copper cabling. However, it is the most expensive option compared with coax and twisted-pair cabling.

Cabling problems

  • Noise - The receiving end does not receive the data in the form that was originally transmitted. This can be caused by motors, computers, copy machines, fluorescent lighting and microwave ovens.
  • Attenuation - The loss of signal strength as a signal travels; it can also be caused by cable breaks and cable malfunctions.
  • Crosstalk - When the electrical signals of one wire spill over to another wire. UTP is much more vulnerable to this than STP or coaxial cable.
  • Plenum space - The plenum is the area between a false ceiling and the actual roof (and likewise below a raised floor). Network cabling placed in the plenum must meet a specific fire rating to ensure that it will not produce and release harmful chemicals in a fire.
  • Pressurized conduits - An encapsulation of wires such that, if there is an attempt to access a wire, the pressure in the conduit changes and sounds an alarm or sends a message to the administrator.

Types of transmission

Analog transmission signals - Modulation of signals, electromagnetic waves.
Digital transmission signals - Represent binary digits as electrical pulses.
Asynchronous communication - The two devices are not synchronized in any way. The sender can send data at any time, and the receiving end must always be ready. An example is a terminal and a terminal server or modem.
Synchronous communication - Takes place between two devices that are synchronized, usually via a clocking mechanism. It transfers data as a stream of bits.
Baseband - Uses the full cable for its transmission.
Broadband - Usually divides the cable into channels so that different types of data can be transmitted at the same time.
Unicast method - A packet needs to go to one particular system.
Multicast method - A packet needs to go to a specific group of systems.
Broadcast method - A packet goes to all computers on its subnet.


Network Topology

Bus Topology  A single cable runs the entire length of the network. Each node decides whether to accept, process or ignore a packet. The cable to which all nodes are attached is a potential single point of failure.
Linear bus  A single cable with nodes attached to it.
Tree topology  Branches off the single cable, each of which can contain many nodes.
Ring Topology  A series of devices connected by unidirectional transmission links that form a ring. Each node depends on the preceding nodes, and if one system fails, all the other systems could fail.
Star Topology  All nodes connect to a central hub or switch, and each node has a dedicated link to that central device.
Mesh Topology  All systems and resources are connected directly to every other. Mesh topologies are further categorised as full or partial mesh.


Protocols

ARP  The Address Resolution Protocol (ARP) is the method for finding a host's link layer (hardware) address when only its Internet Layer (IP) or some other Network Layer address is known.
RARP  Reverse ARP is used when the link layer (hardware) address is known; a RARP request is broadcast to find the corresponding IP address. It was used in mainframe environments. RARP evolved into BOOTP, and BOOTP into DHCP.
BOOTP  It lets a diskless computer receive its IP address from a server.
DHCP  A computer depends upon a server to assign it the right IP address.
Masquerading attack  An attacker alters a system's ARP table so that it contains incorrect information (ARP table poisoning).
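ARP table poisoning leaves observable traces: one IP address answered for by two different MACs, or one MAC answering for several IPs. The following detection routine is an added example, not part of the original article; the ARP replies, the 10.0.0.0/24 addresses, the MAC addresses and the pinned gateway entry are all constructed placeholders.

```python
"""ARP table poisoning symptoms, found in a list of observed ARP replies.

Added example, not from the original article. The ARP replies and the
pinned gateway entry below are constructed sample data; the MAC and
10.0.0.0/24 addresses are placeholders.
"""
from collections import defaultdict

# Constructed sample of observed ARP replies as (sender IP, sender MAC).
# 10.0.0.1 is the gateway; a second MAC later claims it, and that same MAC
# also claims 10.0.0.9, which is what a poisoning attempt looks like.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("10.0.0.7", "aa:aa:aa:aa:aa:07"),
    ("10.0.0.1", "AA:AA:AA:AA:AA:01"),   # same MAC as before, different case
    ("10.0.0.1", "bb:bb:bb:bb:bb:99"),   # conflicting claim for the gateway
    ("10.0.0.9", "bb:bb:bb:bb:bb:99"),   # the same MAC claims a second IP
]

# Constructed list of critical hosts whose IP-to-MAC binding should never
# change (what an administrator would pin with a static ARP entry).
PINNED_ENTRIES = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def _norm(mac):
    """Normalise a MAC so that case differences are not reported as conflicts."""
    return mac.strip().lower()


def find_conflicting_ips(replies):
    """Return {ip: [mac, ...]} for every IP that more than one MAC has claimed."""
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[ip].add(_norm(mac))
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def find_multi_ip_macs(replies):
    """Return {mac: [ip, ...]} for every MAC that has claimed more than one IP."""
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[_norm(mac)].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


def find_pinned_violations(replies, pinned=PINNED_ENTRIES):
    """Return [(ip, offending_mac), ...] for replies that contradict a pinned entry."""
    return [(ip, _norm(mac)) for ip, mac in replies
            if ip in pinned and _norm(mac) != _norm(pinned[ip])]


if __name__ == "__main__":
    print("IPs claimed by several MACs:", find_conflicting_ips(SAMPLE_ARP_REPLIES))
    print("MACs claiming several IPs:", find_multi_ip_macs(SAMPLE_ARP_REPLIES))
    print("Pinned-entry violations:", find_pinned_violations(SAMPLE_ARP_REPLIES))
```

A MAC that legitimately holds several IPs (a router with multiple interfaces, a host with aliases) will show up in `find_multi_ip_macs`, so the pinned-entry check is the one that gives an unambiguous alert for the hosts that matter most, such as the default gateway.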
ICMP  The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for instance, that a requested service is not available or that a host or router could not be reached.
ICMP relies on IP to perform its tasks, and it is an integral part of IP. It differs in purpose from transport protocols such as TCP and UDP in that it is typically not used to send and receive data between end systems. It is usually not used directly by user network applications, with some notable exceptions being the ping tool and traceroute.

STP  The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any bridged LAN. In the OSI model it falls under layer 2. Spanning tree allows a network design to include spare (redundant) links that provide automatic backup paths if an active link fails, without the danger of bridge loops or the need to manually enable and disable these backup links. Bridge loops must be avoided because they result in flooding the network. STP is defined in the IEEE 802.1D standard.

Source routing  It allows a sender of a packet to specify the route the packet takes through the network. With source routing the entire path to the destination is known to the sender and is included when sending data.
In the Internet Protocol, two header options are available which are rarely used: "strict source and record route" (SSRR) and "loose source and record route" (LSRR). Due to security concerns, packets marked LSRR are frequently blocked on the Internet. If not blocked, LSRR can allow an attacker to spoof its address but still successfully receive response packets.


Networking devices

Repeater – Physical layer  It simply amplifies signals and extends the network.
Bridge - Data link layer  It forwards packets and filters them based on MAC addresses; it forwards broadcast traffic but not collision traffic.
Switch - Data link layer  A switch may be defined as a multi-port bridge with added intelligence and functionality. It provides a private virtual link between communicating devices, allows for VLANs, reduces traffic and impedes network sniffing.
Bridging Functions  There are three different types of bridges:

  • Local bridge  Used to connect two or more LAN segments within a local area.
  • Remote bridge  Used to connect two or more LAN segments over a wide area network by using telecommunications links.
  • Translation bridge  Used when the two LANs being connected are of different types and use different standards and protocols.

Router - Network layer  Routers separate and connect LANs, creating internetworks; routers process traffic based on IP addresses.
Layer 3 Switch / Brouter - Data link and network layer  A hybrid device that combines the functionality of a bridge and a router. A brouter can bridge multiple protocols and can route packets for some of those protocols.
Gateway - Application layer (although different types of gateways can work at other layers)  Connects different types of networks and performs protocol and format translations.
PBX Private Branch Exchange  It is a telephone switch that is located on a company’s property.
Firewall  A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications.

VLAN (Virtual LANs)

VLANs enable administrators to logically separate and group users based on resource requirements, security or business needs rather than on the users' physical location.


Firewalls

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria.

Packet filtering firewalls (1st Gen)
It is the most basic firewall, making access decisions based on ACLs. It filters traffic based on source and destination IP address (network layer) and port (transport layer). It is not a context-aware (stateful) device.
A first-generation firewall allows the following types of controls:
  • the physical network interface that the packet arrives on
  • the address the data is (supposedly) coming from (source IP address)
  • the address the data is going to (destination IP address)
  • the type of transport layer protocol (TCP, UDP, ICMP)
  • the transport layer source port
  • the transport layer destination port
Packet filters generally do not understand the application layer protocols used in the communication packets. Instead, they apply a rule set maintained in the TCP/IP kernel, which gives relatively high performance. Each rule in the set carries an associated action that is applied to any packet matching the criteria listed above.
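The following is an added example (not code from the original article) of such a rule set evaluated first-match-wins over exactly the six fields listed above, with the implicit default deny the article recommends. The rules, the interface names and the 203.0.113.0/24, 192.0.2.10 and 10.0.0.0/8 addresses are constructed placeholders.

```python
"""A first-generation (stateless) packet filter with an implicit default deny.

Added example, not from the original article. The rule set and the sample
packets are constructed; 203.0.113.0/24, 192.0.2.10 and 10.0.0.0/8 are
documentation/private ranges used as placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a first-generation filter can see."""
    iface: str            # physical interface the packet arrived on
    src: str              # source IP address
    dst: str              # destination IP address
    proto: str            # "tcp", "udp" or "icmp"
    sport: Optional[int]  # transport source port (None for ICMP)
    dport: Optional[int]  # transport destination port (None for ICMP)


@dataclass(frozen=True)
class Rule:
    """One ACL entry; a field left unspecified matches anything."""
    action: str                                 # "allow" or "deny"
    iface: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None     # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        return True


# Constructed rule set, evaluated top to bottom; the first match wins.
RULESET = [
    # Anti-spoofing: a private source address must never arrive on the outside interface.
    Rule("deny", iface="outside", src="10.0.0.0/8"),
    # The public web server is reachable from anywhere on TCP/80 only.
    Rule("allow", iface="outside", dst="192.0.2.10/32", proto="tcp", dport=(80, 80)),
    # Internal hosts may open TCP sessions outwards.
    Rule("allow", iface="inside", src="10.0.0.0/8", proto="tcp"),
]


def evaluate(rules, pkt: Packet) -> str:
    """Return the action of the first matching rule, or "deny" if none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit default deny: anything not explicitly allowed is dropped
```

Note what this filter cannot do: the reply packets for the internal hosts' outbound TCP sessions arrive on the outside interface with a destination inside 10.0.0.0/8, and nothing in the rule set allows them. A stateless filter can only admit them with a broad rule keyed on source port or flags, which it has no way to validate; that gap is what the stateful designs in the next sections close.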

Circuit Level Firewalls (2nd Gen)
A circuit level firewall is a second-generation firewall technology that validates that a packet is either a connection request or a data packet belonging to a connection, or virtual circuit, between two peer transport layers. It employs stateful inspection: the firewall maintains a table of valid connections (which includes complete session state and sequencing information) and lets network packets containing data pass through when the packet information matches an entry in the virtual circuit table. Once a connection is terminated, its table entry is removed, and that virtual circuit between the two peer transport layers is closed.
SOCKS is an example of a circuit-level proxy gateway that provides a secure channel between two TCP/IP computers. It does not provide detailed protocol-specific control.

Application Layer Firewalls (3rd Gen)
An application layer firewall is a third-generation firewall technology that evaluates network packets for valid data at the application layer before allowing a connection. It examines the data in all network packets at the application layer and maintains complete connection state and sequencing information. In addition, an application layer firewall can validate other security items that only appear within the application layer data, such as user passwords and service requests.
Most application layer firewalls include specialized application software and proxy services. Proxy services are special-purpose programs that manage traffic through a firewall for a specific service, such as HTTP or FTP. Proxy services are specific to the protocol that they are designed to forward, and they can provide increased access control, careful detailed checks for valid data, and generate audit records about the traffic that they transfer.

Dynamic Packet Filters (4th Gen)
A dynamic packet filter firewall is a fourth-generation firewall technology that allows modification of the security rule base on the fly. This type of technology is most useful for providing limited support for the UDP transport protocol. The UDP transport protocol is typically used for limited information requests and queries in application layer protocol exchanges.
This firewall accomplishes its functional requirements by associating all UDP packets that cross the security perimeter with a virtual connection. If a response packet is generated and sent back to the original requester, then a virtual connection is established and the packet is allowed to traverse the firewall server. The information associated with a virtual connection is typically remembered for a short period of time, and if no response packet is received within this time period, the virtual connection is invalidated.


Firewall architecture

Bastion Host
The first and simplest option is the use of a bastion host. In this scenario, the firewall is placed between the Internet and the protected network and filters all traffic entering or leaving the network.
The bastion host topology is well suited to relatively simple networks that do not offer any public Internet services. The key factor to keep in mind is that it offers only a single boundary.

DMZ

In computer networks, a DMZ is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to the company intranet, and vice versa.

Screened Subnet

A screened subnet, or "triple-homed firewall", is a network architecture that uses a single firewall with three network interfaces.

  • Interface 1 is the public interface and connects to the Internet.
  • Interface 2 connects to a DMZ (demilitarized zone) to which hosted public services are attached.
  • Interface 3 connects to an intranet for access to and from internal networks.

Even if the firewall itself is compromised, access to the intranet should not be available, as long as the firewall has been properly configured.

Screened Host
The screened host architecture is a lower-security, lower-cost alternative to the screened subnet architecture. In this architecture, there is no perimeter net, no interior router, and often no bastion host per se. There is a host that the outside world talks to, but this host is often not dedicated solely to that task. What you have instead is a single router and a services host that provides Internet services to internal and external clients.
The router is there to protect and control access to the internal net, and the services host is there to interact with the outside world, much like a bastion host. We call it a services host, rather than a bastion host, because it's often fulfilling many other roles.

Dual-homed firewall

A dual-homed host is a type of firewall that uses two (or more) network interfaces: one connects to the internal network and the other to the Internet.

Honeypot
It is a computer that sits in the DMZ in the hope of luring attackers to it instead of to the actual production computers.

  "The default action of any firewall should be to implicitly deny any packets, if not allowed explicitly." 


Networking Services

NOS - Network operating system  It is designed to control network resource access and provide the services a device needs to interact with the surrounding network.
DNS - Domain Name Service  It is a service for resolving hostnames to IP addresses. The DNS system distributes the responsibility for assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain. Authoritative name servers are responsible for their particular domains and can in turn delegate other authoritative name servers for their sub-domains. This mechanism has made DNS distributed and fault tolerant, and has avoided the need for a single central register to be continually consulted and updated.
Directory Service  A network service that identifies all resources on a network and makes them accessible to users and applications. Resources include e-mail addresses, computers, and peripheral devices such as printers. Ideally, the directory service makes the physical network topology and protocols transparent, so that a user on the network can access any resource without knowing where or how it is physically connected.
There are a number of directory services in wide use. Two of the most important are LDAP, which is used primarily for e-mail addresses, and Netware Directory Service (NDS), which is used on Novell Netware networks. Virtually all directory services are based on the ITU X.500 standard, although the standard is so large and complex that no vendor complies with it fully.

Extranets  An extranet is an intranet that is partially accessible to authorized outsiders. Whereas an intranet resides behind a firewall and is accessible only to members of the same company or organization, an extranet provides various levels of accessibility to outsiders. You can access an extranet only if you have a valid username and password, and your identity determines which parts of the extranet you can view.
Extranets are becoming a very popular means for business partners to exchange information.

NAT - Network Address Translation  NAT enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT device located at the boundary between the Internet and the LAN makes all the necessary IP address translations. It serves three main purposes:

  • Provides a type of firewall by hiding internal IP addresses.
  • Enables a company to use many private internal IP addresses while using a single public IP address, or a small set of them, to communicate with the rest of the world.
  • Allows multiple intranet users to share a single Internet connection.
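All three purposes come from one translation table. The following added example (not code from the original article) is a minimal port-based NAT: outbound packets from many private hosts are rewritten to a single public address with a unique public port, and inbound packets are mapped back to the private host only when they belong to a flow that an internal host started, which is where the "type of firewall" property comes from. The private 10.0.0.0/8 hosts, the public address 198.51.100.1 and the external servers are constructed placeholders; ageing out of idle mappings is omitted.

```python
"""Port-based NAT (NAPT): many private addresses behind one public address.

Added example, not from the original article. The 10.0.0.0/8 hosts, the
public address 198.51.100.1 and the external servers are constructed
placeholders; real devices also age out idle mappings, which is omitted here.
"""


class Napt:
    """Translate between private (inside) and public (outside) address/port pairs."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, remote_ip, remote_port) -> public port
        self.by_flow = {}
        # public port -> (private_ip, private_port, remote_ip, remote_port)
        self.by_public_port = {}

    def outbound(self, src, sport, dst, dport):
        """Rewrite an outbound packet's source to the public address and a public port."""
        flow = (src, sport, dst, dport)
        if flow not in self.by_flow:
            port = self.next_port            # allocate a fresh public port per flow
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_public_port[port] = flow
        return (self.public_ip, self.by_flow[flow], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Map a packet arriving at the public address back to the private host.

        Returns None (drop) when no internal host has an outstanding flow to
        this sender; this is the firewall-like property of NAT.
        """
        if dst != self.public_ip:
            return None
        flow = self.by_public_port.get(dport)
        if flow is None or flow[2] != src or flow[3] != sport:
            return None
        private_ip, private_port, _, _ = flow
        return (src, sport, private_ip, private_port)


def demo():
    """Two internal hosts using the same private port reach the same server."""
    nat = Napt("198.51.100.1")
    a_out = nat.outbound("10.0.0.7", 50000, "203.0.113.80", 80)
    b_out = nat.outbound("10.0.0.8", 50000, "203.0.113.80", 80)
    a_reply = nat.inbound("203.0.113.80", 80, "198.51.100.1", a_out[1])
    b_reply = nat.inbound("203.0.113.80", 80, "198.51.100.1", b_out[1])
    unsolicited = nat.inbound("203.0.113.9", 12345, "198.51.100.1", 40000)
    return a_out, b_out, a_reply, b_reply, unsolicited


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the external server only ever sees 198.51.100.1 with ports 40000 and 40001, the two private addresses never leave the LAN, and a packet from a third party to port 40000 is dropped even though that port is in use, since the mapping is checked against the remote endpoint as well.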

VPN - Virtual Private Network

It is a secure private network, based on resources of a public network like internet. Companies and organizations use a VPN to communicate confidentially over a public network and can be used to send voice, video or data. It's an excellent option for remote workers and organizations with global offices and partners to share data in a private manner.

It is difficult to define precisely what constitutes a VPN because the term means different things to different people. To some people, separation of their traffic on a network is sufficient to call it "private" while others expect encryption when they hear the word "private".

Types of VPN

Connection-oriented/connectionless technologies
Many VPN technologies are connection oriented: a VPN user who connects to the VPN service appears to have a connection to another VPN user. IPsec, GRE and IP-in-IP are examples.
Others, such as MPLS, are connectionless VPN technologies: a VPN user (customer equipment) does not have a direct relationship with any other VPN user; rather, it is connected to the MPLS service as a "cloud", which ensures that packets are forwarded correctly to the other VPN user's site.
Encrypted/non-encrypted
Encrypted VPN types are typically used where confidentiality of data in transit is required, such as over a wireless network or the public Internet. The most widely used encrypting VPN technologies are IPsec and SSL.
Internet based/not Internet based
Some VPN types can be used over the public Internet and thus allow easy interconnection of sites worldwide, assuming availability of Internet services in these locations. IPsec, GRE, IP-in-IP, TLS, and SSH are examples of VPN technologies that can be used over the Internet. The advantage of Internet-based VPN types is their mostly worldwide availability; the disadvantage is that often no quality-of-service guarantees are available for such services.

Common VPN Technologies

PPTP
The Point-to-Point Tunneling Protocol (PPTP) was developed by Microsoft in conjunction with other technology companies. PPTP is an extension of the Internet standard Point-to-Point Protocol (PPP), the link layer protocol used to transmit IP packets over serial links. PPTP uses the same types of authentication as PPP (PAP, SPAP, CHAP, MS-CHAP, EAP).
PPTP establishes the tunnel but does not provide encryption. It is used in conjunction with the Microsoft Point-to-Point Encryption (MPPE) protocol to create a secure VPN. PPTP has relatively low overhead, making it faster than some other VPN methods.
L2TP
The Layer 2 Tunneling Protocol (L2TP) was developed in cooperation between Cisco and Microsoft, combining features of PPTP with those of Cisco’s proprietary Layer 2 Forwarding (L2F) protocol. One advantage of L2TP over PPTP is that it can be used on non-IP networks such as ATM, frame relay and X.25. L2TP operates at the data link layer of the OSI networking model.
IP Security (IPSec), and more specifically its Encapsulating Security Payload (ESP) protocol, provides the encryption for L2TP tunnels.
The L2TP client is built into Windows 2000, XP and 2003, but you can download client software for most pre-Windows 2000 operating systems (Windows 98, ME and NT 4.0).
L2TP has several advantages over PPTP. PPTP gives you data confidentiality, but L2TP goes further and also provides data integrity, authentication of origin, and replay protection. On the other hand, the overhead involved in providing this extra security can result in slightly slower performance than PPTP.
IPSec
As noted above, IPSec is used for encryption in conjunction with the L2TP tunneling protocol. However, IPSec can itself be used as a tunneling protocol, and is in fact considered the "standard" VPN solution, especially for gateway-to-gateway (site-to-site) VPNs that connect two LANs. IPSec operates at the network layer (Layer 3). IPSec VPNs work only with IP-based networks and applications.
Authentication is accomplished via the Internet Key Exchange (IKE) protocol with either digital certificates (which is the more secure method) or with a preshared key. IPSec VPNs can protect against many of the most common attack methods, including DoS, replay, and “man-in-the-middle” attacks.
Many vendors include “managed client” features in their VPN client software, which make it possible for you to establish policies regarding such things as a requirement that the client machine have anti-virus software or personal firewall software installed in order to be allowed to connect to the VPN gateway.
SSL
SSL VPNs are known as "clientless" solutions because they use the Web browser as the client application. This also means the protocols that can be handled by an SSL VPN are more limited. However, this can also be a security advantage: with SSL VPNs, instead of giving VPN clients access to the whole network or subnet as with IPSec, you can restrict them to specific applications. If the applications to which you want to give them access are not browser-based, however, custom programming might be necessary to create Java or ActiveX plug-ins that make the application accessible through the browser.
SSL VPNs operate at an even higher layer of the OSI model than IPSec VPNs: the session layer. SSL VPNs use digital certificates for server authentication. Other methods can be used for client authentication, but certificates are preferred as the most secure.


Common Authentication Protocols

PAP
Short for Password Authentication Protocol, the most basic form of authentication, in which a user's name and password are transmitted over a network and compared to a table of name-password pairs. Typically, the passwords stored in the table are encrypted. The Basic Authentication feature built into the HTTP protocol uses PAP. The main weakness of PAP is that both the username and password are transmitted "in the clear" -- that is, in an unencrypted form. Contrast with CHAP.
CHAP
Short for Challenge Handshake Authentication Protocol, a type of authentication in which the authenticator (typically a network access server) sends the peer a random challenge value that is used only once, together with an Identifier (ID) byte. Both sides share a predefined secret. The peer concatenates the ID, the secret and the challenge, in that order (RFC 1994), and calculates a one-way MD5 hash over the result. The hash value is sent to the authenticator, which builds the same string on its side, calculates the MD5 hash itself and compares the result with the value received from the peer. If the values match, the peer is authenticated.
Because only the hash travels over the link, the secret itself is never transmitted. The challenge is random and fresh for every dialogue, and the ID changes with each challenge, so a captured response cannot be replayed against a later challenge; the authenticator may also re-challenge at any time during an established session. Two caveats remain: the secret must be stored in recoverable (not hashed) form on both sides, and an eavesdropper who captures a challenge/response pair can run an offline dictionary attack against a weak secret.
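The PAP and CHAP exchanges described above, as an added example that is not part of the original article. It builds a PAP Authenticate-Request (RFC 1334) to show the password sitting verbatim in the frame, then runs a CHAP dialogue (RFC 1994) with both sides' messages, shows that a captured response does not replay against a fresh challenge, and finally demonstrates the remaining weakness, an offline dictionary attack on the captured transcript. The shared secret, user names and wordlist are constructed for the example.

```python
"""PAP versus CHAP over a PPP-style link (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed example data: a secret provisioned out of band on both sides.
SECRET = b"correct horse battery staple"      # assumed, not from the page


def pap_authenticate_request(ident, name, password):
    """RFC 1334 PAP Authenticate-Request: Code=1, Identifier, Length,
    Peer-ID-Length, Peer-ID, Passwd-Length, Password.  The password is
    carried verbatim, so anyone capturing the link has it."""
    body = bytes([len(name)]) + name + bytes([len(password)]) + password
    length = 4 + len(body)
    return bytes([1, ident]) + length.to_bytes(2, "big") + body


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP Response Value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Network access server side of CHAP: issues challenges, checks responses."""

    def __init__(self, secrets_db):
        self.secrets_db = secrets_db     # name -> secret; must be recoverable, not hashed
        self.ident = 0
        self.outstanding = None          # (Identifier, Challenge) awaiting a response

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF          # Identifier changes per Challenge
        chal = secrets.token_bytes(16)                # random, used only once
        self.outstanding = (self.ident, chal)
        return self.ident, chal

    def verify(self, ident, name, response):
        if self.outstanding is None or ident != self.outstanding[0]:
            return False                              # no matching open challenge
        _, chal = self.outstanding
        self.outstanding = None                       # each challenge answered at most once
        secret = self.secrets_db.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


def peer_respond(ident, challenge, name, secret):
    """Peer side: answer the challenge; only the hash leaves the peer."""
    return ident, name, chap_response(ident, secret, challenge)


def run_exchange(auth, name, secret):
    """One CHAP dialogue.  Returns (accepted, transcript); the transcript is
    exactly what an eavesdropper on the link would capture."""
    ident, chal = auth.challenge()
    ident, name, resp = peer_respond(ident, chal, name, secret)
    return auth.verify(ident, name, resp), (ident, chal, name, resp)


def replay(auth, transcript):
    """Eavesdropper replays a captured Response against a fresh Challenge."""
    new_ident, _ = auth.challenge()
    _, _, name, resp = transcript
    return auth.verify(new_ident, name, resp)         # False: the challenge differs


def offline_dictionary_attack(transcript, wordlist):
    """The remaining weakness: a captured (ident, challenge, response) triple
    lets an attacker test secret guesses offline at hash speed."""
    ident, chal, _, resp = transcript
    for guess in wordlist:
        if chap_response(ident, guess, chal) == resp:
            return guess
    return None


if __name__ == "__main__":
    print(pap_authenticate_request(1, b"alice", b"hunter2"))   # password visible in frame
    auth = Authenticator({b"alice": SECRET})
    ok, transcript = run_exchange(auth, b"alice", SECRET)
    print("CHAP accepted:", ok, "replay accepted:", replay(auth, transcript))
    print("offline guess:", offline_dictionary_attack(transcript, [b"password", SECRET]))
```

The authenticator discards a challenge as soon as it has been answered and compares hashes in constant time; the dictionary attack succeeds only because the constructed wordlist happens to contain the secret, which is exactly why CHAP secrets need to be long and random.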
EAP
Extensible Authentication Protocol, or EAP, is a universal authentication framework frequently used in wireless networks and Point-to-Point connections, though not limited to them. It is an authentication framework, not a specific authentication mechanism. EAP provides some common functions and a negotiation of the desired authentication mechanism. Such mechanisms are called EAP methods, and there are currently about 40 different methods.
Methods defined in IETF RFCs include EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, and EAP-AKA, and in addition a number of vendor specific methods and new proposals exist.
When EAP is invoked by an 802.1X enabled NAS (Network Access Server) device such as an 802.11 a/b/g Wireless Access Point, modern EAP methods can provide a secure authentication mechanism and negotiate a secure PMK (Pair-wise Master Key) between the client and NAS. The PMK is then used to derive the keys that encrypt the session.
EAP is not itself an authentication method; it only defines the message formats (Request, Response, Success, Failure) and the rules for exchanging them. Each protocol that carries EAP defines a way to encapsulate EAP messages within that protocol's own messages. In the case of 802.1X, this encapsulation is called EAPOL, "EAP over LANs".
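The EAP message format and its EAPOL encapsulation, as an added example that is not code from the original article. It builds and parses RFC 3748 EAP packets (Code, Identifier, Length, Type, Type-Data), wraps them in 802.1X EAPOL headers inside Ethernet frames addressed to the PAE group address with EtherType 0x888E, and walks through the opening EAPOL-Start / Request-Identity / Response-Identity exchange. The MAC addresses, identity string and EAPOL protocol version are constructed for the example; the parser refuses any packet whose Length field does not match the bytes actually received, which is the check a practitioner wants in anything that parses EAP.

```python
"""EAP message format and EAPOL encapsulation (constructed example)."""
import struct

# RFC 3748 EAP Codes and a few method Types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5, EAP_TYPE_TLS = 1, 3, 4, 13
# IEEE 802.1X EAPOL
EAPOL_VERSION = 2                                   # assumed version for this example
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # destination for EAPOL frames


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
    Success/Failure carry no Type; Length covers the whole packet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Parse and validate an EAP packet into a dict.  The Length field is
    checked against the buffer instead of being trusted."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    msg = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        msg["type"] = pkt[4]
        msg["data"] = pkt[5:length]
    elif code not in (EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("unknown EAP Code %d" % code)
    return msg


def is_valid_eap(pkt):
    try:
        parse_eap(pkt)
        return True
    except ValueError:
        return False


def build_eapol(packet_type, body=b""):
    """EAPOL: Version(1) Packet-Type(1) Body-Length(2) Body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame):
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, blen = struct.unpack("!BBH", frame[:4])
    if blen > len(frame) - 4:
        raise ValueError("EAPOL Body-Length exceeds frame")
    return version, ptype, frame[4:4 + blen]


def ethernet_frame(src_mac, eapol):
    """802.1X frames go to the PAE group address with EtherType 0x888E."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def identity_exchange(identity):
    """Opening of an 802.1X conversation between supplicant and NAS.
    Returns the parsed messages as the receiving side sees them."""
    sup = bytes.fromhex("020000000001")             # constructed supplicant MAC
    nas = bytes.fromhex("020000000002")             # constructed NAS MAC
    start = build_eapol(EAPOL_START)                # supplicant -> NAS
    req = build_eapol(EAPOL_EAP_PACKET,             # NAS -> supplicant
                      build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    resp = build_eapol(EAPOL_EAP_PACKET,            # supplicant -> NAS, same Identifier
                       build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))
    frames = [ethernet_frame(sup, start), ethernet_frame(nas, req), ethernet_frame(sup, resp)]
    parsed = []
    for fr in frames:
        _, ptype, body = parse_eapol(fr[14:])       # strip the 14-byte Ethernet header
        parsed.append(parse_eap(body) if ptype == EAPOL_EAP_PACKET else {"eapol": ptype})
    return parsed


if __name__ == "__main__":
    for m in identity_exchange(b"alice@example.com"):
        print(m)
```

Note that the identity travels in the clear at this stage; methods such as EAP-TLS send the real user identity only inside the protected tunnel that follows, which is one reason they are preferred over EAP-MD5 on wireless links.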


RAID - Redundant Array of Inexpensive / Independent Disks

Redundant Array of Inexpensive Disks, a technology that allowed computer users to achieve high levels of storage reliability from low-cost and less reliable PC-class disk-drive components, via the technique of arranging the devices into arrays for redundancy. More recently, marketers representing RAID manufacturers have revised the term to Redundant Array of Independent Disks, a convenient means of avoiding the expectation of low cost associated with "inexpensive".
"RAID" is now used as an umbrella term for computer data storage schemes that can divide and replicate data among multiple hard disk drives. Various RAID designs involve two key design goals:

  • Increased data reliability
  • Increased input/output performance

There are three key concepts in RAID:

  • mirroring, the copying of data to more than one disk;
  • striping, the splitting of data across more than one disk;
  • error correction, where redundant data is stored to allow problems to be detected and possibly fixed (known as fault tolerance).

Different RAID levels use one or more of these techniques, depending on the system requirements.
There are various combinations of these approaches giving different trade-offs of protection against data loss, capacity, and speed. RAID levels 0, 1, and 5 are the most commonly found, and cover most requirements.

  • RAID 0 (striped disks) distributes data across several disks in a way that gives improved speed and no lost capacity, but all data on all disks will be lost if any one disk fails. Although such an array has no actual redundancy, it is customary to call it RAID 0.
  • RAID 1 (mirrored disks) duplicates data across every disk in the array, providing full redundancy. Two (or more) disks each store exactly the same data, written at the same time, so at any instant the contents of every disk in the array are identical. Data is not lost as long as one disk survives. Total capacity of the array equals the capacity of the smallest disk in the array.
  • RAID 5 (striped disks with parity) combines three or more disks in a way that protects data against loss of any one disk; the storage capacity of the array is reduced by one disk.
  • RAID 6 (striped disks with dual parity) (less common) can recover from the loss of two disks.
  • RAID 10 (or 1+0) uses both striping and mirroring: a striped set of mirrored subsets. "01" or "0+1", a mirrored set of striped subsets, is sometimes distinguished from "10" or "1+0"; both are valid, but distinct, configurations.
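How RAID 5 parity actually protects data, as an added example that is not part of the original article: a small in-memory simulation of striping with rotating XOR parity over an arbitrary number of disks. It writes a byte string across the array, "fails" any one member, and reconstructs the missing chunks from the survivors, and it refuses to read once a second member is gone, which is the limit the text describes. Disk count, chunk size and the sample data are constructed for the example.

```python
"""RAID 5 striping with rotating XOR parity, simulated in memory (constructed example)."""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    acc = bytearray(blocks[0])
    for blk in blocks[1:]:
        for i, b in enumerate(blk):
            acc[i] ^= b
    return bytes(acc)


def parity_slot(stripe, ndisks):
    """Which disk holds parity for this stripe; rotates so parity writes are
    spread across all members instead of hitting one dedicated disk."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data, ndisks, chunk):
    """Lay data out over ndisks (>= 3).  Each stripe holds ndisks-1 data
    chunks plus one parity chunk equal to the XOR of those data chunks.
    Returns one chunk list per disk; usable capacity is (ndisks-1)/ndisks."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    n_data = ndisks - 1
    stripe_bytes = n_data * chunk
    padded = data + b"\0" * (-len(data) % stripe_bytes)   # pad to whole stripes
    disks = [[] for _ in range(ndisks)]
    for s in range(len(padded) // stripe_bytes):
        stripe = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(n_data)]
        pslot = parity_slot(s, ndisks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(chunks) if d == pslot else next(it))
    return disks


def failed_disks(disks):
    return [d for d, contents in enumerate(disks) if contents is None]


def tolerates(disks):
    """RAID 5 survives the loss of any ONE member, no more."""
    return len(failed_disks(disks)) <= 1


def raid5_read(disks):
    """Read all data back, rebuilding a single failed member: the XOR of all
    other chunks in the stripe (data and parity) equals the missing chunk."""
    if not tolerates(disks):
        raise RuntimeError("more than one disk failed: data lost")
    ndisks = len(disks)
    alive = [d for d in range(ndisks) if disks[d] is not None][0]
    out = bytearray()
    for s in range(len(disks[alive])):
        pslot = parity_slot(s, ndisks)
        for d in range(ndisks):
            if d == pslot:
                continue                               # parity is not user data
            if disks[d] is not None:
                out += disks[d][s]
            else:                                      # rebuild from the survivors
                out += xor_blocks([disks[x][s] for x in range(ndisks) if x != d])
    return bytes(out)


def simulate(data, ndisks=4, chunk=16, fail=()):
    """Write, fail the given disks, read back.
    Returns (recovered_data, usable_chunks, total_chunks_stored)."""
    disks = raid5_write(data, ndisks, chunk)
    total = sum(len(d) for d in disks)
    for d in fail:
        disks[d] = None
    recovered = raid5_read(disks)[:len(data)]
    return recovered, total * (ndisks - 1) // ndisks, total


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog" * 4
    rec, usable, total = simulate(sample, fail=(2,))
    print("recovered intact:", rec == sample, "usable/total chunks:", usable, total)
```

Real controllers add a write-back cache, handle partial-stripe writes (read old data and old parity, XOR in the change) and rebuild onto a hot spare, but the arithmetic is exactly this: one XOR per stripe buys survival of one disk, and the three-disk 1TB example in the text follows directly from the (n-1)/n capacity rule.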

Important.    RAID is not a good/complete alternative to backing up data. Data may become damaged or destroyed without harm to the drive(s) on which they are stored. For example, part of the data may be overwritten by a system malfunction; a file may be damaged or deleted by user error or malice and not noticed for days or weeks; and, of course, the entire array is at risk of physical damage.

RAID Implementation alternatives.    RAID combines two or more physical hard disks into a single logical unit by using either special hardware or software. Hardware solutions are usually designed to present themselves to the attached system as a single hard drive, so the operating system is unaware of the technical workings. For example, if you configure a 1TB RAID 5 array from three 500GB hard drives in hardware RAID, the operating system is simply presented with a "single" 1TB disk. Software solutions are typically implemented in the operating system and present the RAID volume as a single drive to the applications running on it.


SAN vs NAS

Storage Area Network (SAN)

A storage area network (SAN) is an architecture for attaching remote computer storage devices (such as disk arrays, tape libraries, and optical jukeboxes) to servers in such a way that the devices appear to the operating system as locally attached, block-level disks. Although the cost and complexity of SANs are dropping, they are still uncommon outside larger enterprises.

Network-attached storage (NAS)

A NAS device is an enclosure containing disk drives and the equipment necessary to make them available over a computer network, usually Ethernet. The enclosure is basically a dedicated computer in its own right, designed to operate over the network without screen or keyboard. It contains one or more disk drives; multiple drives may be configured as a RAID.
Network attached storage, in contrast to a SAN, uses file-based protocols such as NFS or SMB/CIFS, so it is clear that the storage is remote: computers request a portion of a file rather than a disk block.
SAN-NAS hybrid

Despite the differences between NAS and SAN, it is possible to create solutions that include both technologies.

Last Updated on Friday, 28 August 2009 05:02