CISSP Domain 2 – TELECOMMUNICATIONS & NETWORK SECURITY

NOTE: These notes have not been updated since I took the test many years ago.
To perform a more up to date study for your CISSP exam, I suggest buying the Shon Harris Book.

DOMAIN 2 – TELECOMMUNICATIONS & NETWORK SECURITY

 

Open Systems Interconnect (OSI) model:

Developed early 1980s and introduced in 1984:

OSI Model           TCP/IP Model

Application       \
Presentation       |  Application
Session           /
Transport         <–> Host to Host
Network           <–> Internet Layer
Data Link         \
Physical          /   Network Access Layer

“Each protocol at a specific OSI layer communicates with a protocol that operates at the same OSI layer on another computer. This happens through encapsulation.”

The protocols, technologies and computers that operate within the OSI model are called open systems. 

Application Layer:

The application layer works closest to the user and handles message exchanges, terminal sessions, etc. It does not include the actual applications, but the protocols (and APIs) that support them.

Examples of protocols running in the application layer include:

  • SMTP, HTTP, LPD, FTP, WWW, Telnet, TFTP

Presentation Layer:

The presentation layer receives data from the application layer and puts it into a format that all computers using the OSI model can understand.

The presentation layer is not concerned with the meaning of data, but the correct syntax and format. The presentation layer can often be considered a “translator”.

This layer also handles encryption and compression.

  • ASCII, JPEG, TIF, GIF, Encryption, Compression, MIDI, MPEG

Session Layer:

When two computers need to communicate, or transfer information, a connection session needs to be set up between them. The session layer is responsible for establishing a connection, maintaining it during data transfer and releasing it when done.

The session layer works in 3 phases:

  • Connection establishment
  • Data Transfer
  • Connection release

Common protocols at the session layer are:

  • SSL, NFS, SQL, RPC

Transport Layer:

When two computers are going to communicate, they must first agree on how much information each will send at a time, how to determine if data was lost in order to retransmit and other parameters. The computers agree on these parameters through a process at the transport layer, OSI layer 4.

The transport layer helps provide more reliable data transfer, error correction and flow control. It assembles data into a stream for transmission over the network, handles the teardown of virtual circuits, and multiplexes upper layer applications where necessary.

  • TCP, UDP, SPX

Network Layer:

The main responsibility of the network layer is to insert information into the packet’s header so that it can be properly routed. Routing protocols build and maintain their tables at this layer.

The protocols at this layer do not ensure packet delivery – they rely on the transport layer for that.

Protocols operating at this level include:

  • IP, ICMP, RIP (Routing information protocol), OSPF (Open shortest path first), BGP (Border gateway protocol) and Internet group management protocol (IGMP)
  • Most routers also run in the network layer.

Data Link Layer:

As data travels down the OSI stack it comes to a point where it needs to be translated into LAN or WAN binary format for line transmission. This happens at the data link layer.

The data link layer is where the operating system knows what format the data frame must be in to transmit over Token Ring, Ethernet, FDDI, ATM, etc.

Network cards bridge the data link and physical layers. The data link layer actually consists of two sublayers:

  1. Media Access Control (MAC)
  2. Logical Link Control (LLC)

Protocols operating in the data link layer include:

  • SLIP, PPP, RARP, L2F, L2TP, ISDN, ARP
  • Bridges operate in the data link layer.

Physical Layer:

The physical layer converts bits into voltage for transmission. This layer controls synchronization, data rates, line noise and physical medium access.

Protocols operating in the physical layer include:

  • RS232, SONET, HSSI, X.21
  • Repeaters operate in the physical layer.

OSI Security Services and Mechanisms:

OSI defines 6 basic security services to secure OSI communications:

  1. Authentication
  2. Access Control
  3. Data confidentiality
  4. Data integrity
  5. Non-repudiation
  6. Logging and Monitoring

In addition, the OSI model defines 8 security mechanisms. A security mechanism is a control that is implemented in order to provide the 6 basic security services:

  1. Encipherment
  2. Digital Signatures
  3. Access Control
  4. Data Integrity
  5. Authentication
  6. Traffic Padding
  7. Routing Control
  8. Notarization

TCP/IP

  • IP is a network layer protocol and provides datagram routing services.
  • Two main protocols work at the transport layer, TCP and UDP.

TCP Handshake:

1. Host A ———— SYN ————> Host B
2. Host A <——— SYN/ACK ——— Host B
3. Host A ———— ACK ————> Host B

The TCP/IP model has 4 layers:

Application
Host to host
Internet
Network Access

 

The TCP/IP model layers correspond to the OSI model layers as follows:

Application        Application, Presentation, Session
Host to Host       Transport
Internet           Network
Network Access     Data Link, Physical

 

The Host-to-host layer handles:

TCP    – Virtual circuit, sequenced, slower, more reliable
UDP    – “Best effort”, connectionless

 

Internet layer:

IP      – No guarantee of delivery, delivery in sequence or only once
ARP     – IP to MAC
RARP    – MAC to IP
ICMP    – Messages, error reporting and connectivity tests (see ICMP below)

 

Protocol Numbers:

The IP header contains a protocol field. Some common protocol numbers are:

1  – ICMP
2  – IGMP
6  – TCP
17 – UDP

Data Structures:

  • Within the IP protocol suite, when an application formats data for sending over the network, it is a message.
  • At the transport layer, TCP works on the data and it is now a segment. The segment is passed to the network layer.
  • The network layer adds addressing and routing information and the bundle is now called a datagram.
  • The datagram is passed off to the data link layer, which frames the datagram with a header & trailer. It is now called a frame.

 

                     TCP          UDP

Application Layer    Message      Message
Transport Layer      Segment      Packet
Network Layer        Datagram     Datagram
Data Link Layer      Frame        Frame
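An added Python example (not from the original notes) tying together the encapsulation quoted at the top, the protocol-number field and the table above: it builds a constructed Ethernet/IPv4/TCP or UDP frame from a message and then decapsulates it, using the protocol number to choose the transport parser. The MAC and IP addresses are made-up sample values.

```python
import socket
import struct

# Protocol numbers from the IP header "protocol" field, as listed in the notes.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# Constructed MAC addresses for the sample frame (not real hardware).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("aabbccddeeff")


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(message: bytes, proto: int, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int) -> bytes:
    """Walk the data down the stack: message -> segment -> datagram -> frame."""
    if proto == 6:     # TCP: 20-byte header, data offset 5, ACK flag, window 65535
        segment = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                              5 << 4, 0x10, 65535, 0, 0) + message
    elif proto == 17:  # UDP: 8-byte header, length covers header + data
        segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(message), 0) + message
    else:
        raise ValueError("only TCP (6) and UDP (17) segments are built here")

    # IPv4 header: version/IHL, TOS, total length, ID, flags/fragment offset,
    # TTL, protocol, checksum (filled in afterwards), source, destination.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                         0x4000, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    datagram = header + segment

    # Ethernet II frame: dst MAC, src MAC, EtherType 0x0800 (IPv4). FCS trailer omitted.
    return DST_MAC + SRC_MAC + b"\x08\x00" + datagram


def decapsulate(frame: bytes) -> dict:
    """Walk back up the stack, dispatching on the IP protocol number."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    datagram = frame[14:]
    ihl = (datagram[0] & 0x0F) * 4
    header = datagram[:ihl]
    if ip_checksum(header) != 0:             # a valid header re-sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", header[2:4])[0]
    proto = header[9]
    segment = datagram[ihl:total_len]

    info = {
        "protocol": IP_PROTOCOLS.get(proto, "unknown(%d)" % proto),
        "ttl": header[8],
        "src_ip": socket.inet_ntoa(header[12:16]),
        "dst_ip": socket.inet_ntoa(header[16:20]),
    }
    if proto == 6:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", segment[:4])
        data_offset = (segment[12] >> 4) * 4   # TCP header length in 32-bit words
        info["message"] = segment[data_offset:]
    elif proto == 17:
        info["src_port"], info["dst_port"], length = struct.unpack("!HHH", segment[:6])
        info["message"] = segment[8:length]
    else:
        info["message"] = segment
    return info


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.0\r\n", 6, "10.0.0.5", "192.168.1.20", 40000, 80)
    print(len(frame), "byte frame ->", decapsulate(frame))
```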

 

General Classes of Network Abuse:

Class A: Unauthorized access of restricted network services. Also called “login abuse”. Refers to legitimate users accessing network services that they are not authorized to use.
Class B: Unauthorized use of a network for non-business purposes.
Class C: Eavesdropping
Class D: DoS and other disruptions
Class E: Network Intrusion. Refers to the use of unauthorized access to break into the network from the outside. Classic cases are spoofing, piggybacking and backdoor exploitation.
Class F: Probing. An active variation of eavesdropping.

Additional Attacks: SYN attacks, Buffer Overflow, Teardrop attack and Smurf.

Common Session Hi-jacking attacks:

  • IP Spoofing attacks.
  • TCP sequence number attacks.
  • Other fragmentation attacks – using fragmented packets to hide true content.

 

NETWORKING

LAN Media Access Technologies

  • Most of the differences between LAN and WAN take place at the data link layer

“Two LANs connected by a router is an internetwork, not a bigger LAN. Each LAN has its own addressing scheme and broadcast and communication mechanisms. If they are connected by different data link technologies such as Frame Relay or X.25 then we are looking at a WAN.”

Ethernet

  • Usually a bus or star topology
  • IEEE 802.3 standard
  • Shared media – all devices take turns and detect collisions
  • Uses broadcast and collision domains
  • CSMA/CD access method (Carrier Sense Multiple Access with Collision Detection)
  • Uses coaxial or twisted pair.

Common Implementations:

10base2: ThinNet. Uses coaxial cable. Max length of 185 meters and provides up to 10mbps throughput. Uses BNC connectors.

10base5: ThickNet. Uses thicker coaxial cable. Longer cable segments and less interference.

10baseT: Twisted-pair copper wiring. RJ45 connectors, usually in a star topology with a hub or switch.

Fast Ethernet: Regular Ethernet running at 100mbps over twisted pair wiring.

Ethernet Types Table:

Type                    Cabling      Speed

10base2, ThinNet        Coaxial      10mbps
10base5, ThickNet       Coaxial      10mbps
10base-T                UTP          10mbps
100base-FX, Fast        UTP          100mbps
1000base-T              UTP          1,000mbps

Token Ring

  • 802.5 standard, originally developed by IBM
  • Signal travels in a logical ring
  • Each computer is connected to a hub called a Multistation Access Unit (MAU)
  • 16mbps capacity
  • Active Monitor – removes frames that are continually circulating
  • Beaconing – attempts to work around errors.

FDDI – 802.8

  • Fiber Distributed Data Interface
  • Developed by ANSI
  • High speed token-passing media access technology
  • Speed of 100mbps – usually used as a backbone network using fiber optics.
  • Fault tolerance – second counter rotating ring.
  • Can be used up to 100kms, so popular in MANs
  • CDDI (copper distributed data interface) is a version that can be used locally.
  • 802.8 standard.

CABLING

LAN Media       Standard    Characteristics

Ethernet        802.3       * Shared media
                            * Broadcast & collision domains
                            * CSMA/CD
                            * Coaxial or twisted cable
                            * 10mbps – 10 Gbps

Token Ring      802.5       * Devices connect to a central MAU
                            * Token-passing access method
                            * Transmission speeds of 4-16mbps
                            * Active monitor and beaconing

FDDI            802.8       * Token-passing access method
                            * Dual counter-rotating ring – fault tolerance
                            * 100mbps over fiber-optic
                            * Long distance at high speed
                            * CDDI works over UTP

Bandwidth               : Size of pipe

Data Rate                : Amount of data

 

Coaxial

 

  • Copper core surrounded by shielding layer
  • More resistant to EMI
  • 10base2 = ThinNet (RG58), 10base5 = ThickNet (RG11/RG8)
  • 10base2 segments can be up to 185 meters
  • 10base5 segments can be up to 500 meters
  • Can use baseband method (one channel) or broadband (multiple channel)
  • 50ohms cable used for digital signaling and 75ohms for analog signaling and high speed data.

Twisted Pair Cable

  • STP = Shielded Twisted Pair
  • UTP = Unshielded Twisted Pair

UTP Category    Characteristics                       Usage

CAT 1           Voice grade                           Not recommended for network use.
CAT 2           Up to 4mbps                           Mainframe and mini connections.
CAT 3           10mbps Ethernet, 4mbps token          10base-T networks
CAT 4           16mbps                                Token Ring networks
CAT 5           100mbps for 100base-TX and FDDI       FDDI & ATM installations. New LANs
CAT 6           155mbps                               New network installations
CAT 7           1gbps                                 New network installations

Fiber Optics

  • Uses a type of glass carrying light waves
  • Glass core surrounded by protective cladding, encased in outer jacket
  • Not affected by EMI, no attenuation
  • Very hard to tap into, so more secure.

Common Cable problems:

Noise: Caused by surrounding devices or characteristics of the environment

Attenuation: Loss of signal as it travels. The effect of attenuation increases at higher frequencies.

Crosstalk: UTP is susceptible to crosstalk which is caused when electrical signals on one wire spill over to another wire.

Plenum space is the space between the ceiling and the next floor. Often used for wiring and cabling.

TYPES OF TRANSMISSION

Data transmission can happen in different ways (analog or digital), use different controlling schemes (synchronous or asynchronous) and can only use one channel on a wire (baseband) or several channels (broadband).

Analog Signals: Continually varying.

Modulation: Combining with carrier signal of a specific frequency.

Digital Signals: Discrete binary pulses.

Asynchronous

  • Two devices not synchronized in any way.
  • Usually used for smaller amounts of data
  • Usually includes start and stop delineation

Synchronous

  • Transfers data as a stream of bits instead of framing it in start and stop bits.
  • Synchronization can be via clocking mechanisms, or a signal in the data.
  • Usually used for higher volumes of data.

Baseband

  • Transmission accomplished by applying direct current to a cable. Uses full cable for its transmission. Ethernet is baseband.

Broadband

  • Divides cable into channels so that different types of data can be transmitted at the same time. CATV is broadband. Other broadband types include T1, T3, ISDN, ATM, DSL and wireless.

Unicast: From source to one computer.

Multicast: From source to a specific set of systems. The NIC picks up packets with a specific multicast address.

Broadcast: From source to all computers on a subnet.

Network Topology:

The physical arrangement of computers and devices is the “Network Topology”

Ring Topology

  • Series of devices connected by unidirectional transmission links.
  • Form a closed loop, no central hub
  • Must provide redundancy or risk single points of failure

Bus Topology

  • In a simple bus topology, a single cable runs the entire length of the network.
  • Each packet is looked at by all nodes.
  • Traditional Ethernet uses bus topologies.

Star Topology

  • All nodes connect to a dedicated central hub or switch
  • Hub is a potential single point of failure
  • Less cabling used and no termination issues
  • Most LANs are in a physical star topology

Mesh Topology

  • All systems and resources are connected to each other in some way
  • Greater degree of complexity
  • Greater degree of redundancy
  • The Internet is a good example of a partial mesh.

LAN Media Access Technologies:

Token Passing:

Only the computer that has the token can put frames onto the wire. This media access technology is used by Token Ring & FDDI and is defined in the 802.5 standard.

Token passing networks are deterministic, meaning it is possible to calculate the maximum time that will pass before a station can transmit. This makes token ring networks ideal for applications where delay must be predictable, such as factory automation.

CSMA (Carrier Sense Multiple Access):

There are two flavors of CSMA: CSMA/CA (Collision Avoidance) and CSMA/CD (Collision Detection).

A transmission is called a “carrier”. If a computer is transmitting frames, it is performing a carrier activity.

With CSMA/CD, computers listen to the wire for the absence of a carrier tone. If two computers sense this absence and transmit at the same time, contention and a collision can take place. All stations will execute a “back off” algorithm (Random retry timer).

With CSMA/CA, each computer signals the intent to transmit before they actually do so.

Collision Domains

“The more devices there are on a contention based network, the more likely collisions are which increases latency. A collision domain is a group of resources that are competing for the same shared communication medium”.

One subnet will be on the same broadcast and collision domain if it is not separated by routers or bridges.

 

PROTOCOLS

 

Address Resolution Protocol: ARP

The data link layer works with MAC addresses, not IP addresses. ARP resolves IP addresses to MAC addresses. ARP broadcasts a frame requesting the MAC address that corresponds to the destination IP address. The computer that has that IP address responds with its MAC address.

“ARP table poisoning” is altering the ARP cache so that an attacker receives packets intended for another destination.
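The symptoms of ARP table poisoning can be watched for passively. As an added example that is not part of the original notes, this Python monitor replays a constructed list of ARP replies and flags an IP whose MAC changes, one MAC claiming several IPs, and any reply contradicting a static binding; the addresses and bindings are made up for the example.

```python
from collections import defaultdict

# Constructed ARP reply observations as a passive monitor on one segment might log them:
# (seconds, sender IP, sender MAC). Sample values, not captured traffic.
OBSERVED_ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),    # default gateway
    (2, "10.0.0.20", "00:11:22:33:44:20"),
    (3, "10.0.0.1", "00:11:22:33:44:01"),    # gateway answering again, unchanged
    (4, "10.0.0.1", "00:11:22:33:44:99"),    # gateway IP suddenly mapped to another MAC
    (5, "10.0.0.21", "00:11:22:33:44:99"),   # the same MAC now claims a second IP
]

# Hypothetical static bindings for hosts that must never change (e.g. the gateway).
# Pinning these on end systems is the classic mitigation for cache poisoning.
STATIC_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_arp_anomalies(replies, static_bindings=None):
    """Return a list of alerts for the symptoms of ARP table poisoning:
    an IP whose MAC changes, a MAC claiming several IPs, or a reply that
    contradicts a static binding. A MAC with several IPs can be legitimate
    (a router with secondary addresses), so treat that one as a heuristic."""
    static_bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_bindings and static_bindings[ip] != mac:
            alerts.append({"time": ts, "type": "static_binding_violation",
                           "ip": ip, "expected": static_bindings[ip], "seen": mac})
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"time": ts, "type": "ip_mac_change",
                           "ip": ip, "old": previous, "new": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


def summarize(alerts):
    """Count alerts by type."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_arp_anomalies(OBSERVED_ARP_REPLIES, STATIC_BINDINGS):
        print(alert)
```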

Reverse Address Resolution Protocol: RARP

Diskless workstations know their hardware address, but not their IP address. The workstation broadcasts its MAC address and the RARP server responds with an IP address.

BOOTP is similar to RARP but provides more functionality including name server and gateway address.

Internet Control Message Protocol: ICMP

ICMP delivers messages, reports errors, reports routing information and tests connectivity.

PING is the most common – sends out ICMP ECHO frames and receives ICMP REPLY frames back.

 

NETWORKING DEVICES

 

Repeaters

  • Repeats and amplifies signal between cable segments
  • Works at the physical layer
  • Also known as line conditioners

Bridges

  • Used to connect different LAN segments
  • Works at the data link layer and therefore works with MAC addresses.
  • Divides overburdened networks into smaller segments for better use of bandwidth and traffic control
  • Beware of “broadcast storms” – using bridges to echo broadcast packets.
  • A bridge forwards data to all other network segments if the MAC address of the destination computer is not on the local network segment.

There are three types of bridge:

Local: Connects two or more LAN segments.

Remote: Can connect two or more LANs over a long distance with telecommunications links between them.

Translator: Connects LANs of different types and protocols.

Summary of the functions of bridges:

  • Segment a large network into smaller, more controllable pieces
  • Use filtering based on MAC address
  • Join different types of network while retaining same broadcast domain
  • Isolate collision domains within the same broadcast domain
  • Some bridges translate between protocol types.

Routers vs. Bridges:

  • Routers work at the network layer and are based on IP address. Bridges work at the data link layer and filter frames based on MAC addresses.
  • Routers will not usually pass broadcast information.
  • Bridges will pass broadcast information.

Spanning tree algorithm is a bridge algorithm.

If source routing is used, the packets themselves have the information within them to tell the bridge where they should go.

Hubs:

Hubs are used to connect multiple LAN devices into a concentrator. Hubs can be considered as multiport repeaters and operate at the physical layer.

Routers:

Routers work at the network layer. A router has two or more interfaces and a routing table to get packets to their destination. Routers can filter traffic based on access control lists (ACLs) and fragment packets when necessary.

Routers discover information about other routers, and about changes that take place in a network, through their routing protocols (RIP, BGP and OSPF).

The following outlines the stages that take place when a router receives a packet:

  1. A frame is received on one of the router’s interfaces.
  2. Destination IP address is retrieved from the datagram
  3. The router looks at the routing table to see which port matches the destination
  4. If the router has no information on the destination, it sends an ICMP error to the sending computer.
  5. The router decrements the TTL. If the MTU is different than the destination requires, it fragments the packet.
  6. Router changes the header information on the frame so that it can go to the next correct router.
  7. Frame is sent to the router’s output queue.
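The stages above, as an added Python example that is not from the original notes: a small constructed routing table (deliberately without a default route, so some destinations are unknown), longest-prefix lookup, the ICMP error for an unknown destination, TTL decrement, and fragmentation to the outgoing link's MTU.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    mtu: int           # largest datagram the outgoing link accepts


@dataclass
class Datagram:
    src: str
    dst: str
    ttl: int
    length: int        # total length in bytes, 20-byte header included


# Constructed routing table for the example (no default route).
ROUTING_TABLE = [
    Route(ipaddress.ip_network("10.0.0.0/8"), "eth0", 1500),
    Route(ipaddress.ip_network("10.1.0.0/16"), "eth1", 576),   # narrow serial link
    Route(ipaddress.ip_network("192.168.0.0/16"), "eth2", 1500),
]

IP_HEADER_LEN = 20


def lookup(table, dst_ip):
    """Step 3: longest-prefix match; returns None when nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def fragment_lengths(total_length, mtu):
    """Step 5: split a datagram that exceeds the link MTU. Each fragment carries
    a copy of the header and a payload that is a multiple of 8 bytes (fragment
    offsets are expressed in 8-byte units), except possibly the last one."""
    if total_length <= mtu:
        return [total_length]
    per_fragment = ((mtu - IP_HEADER_LEN) // 8) * 8
    payload = total_length - IP_HEADER_LEN
    lengths = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        lengths.append(IP_HEADER_LEN + chunk)
        payload -= chunk
    return lengths


def forward(table, dg):
    """Run the stages from the notes over one received datagram and report
    what the router would do with it."""
    route = lookup(table, dg.dst)
    if route is None:                        # step 4: no route, tell the sender
        return {"action": "icmp_destination_unreachable", "to": dg.src}
    if dg.ttl <= 1:                          # TTL would reach zero: discard and report
        return {"action": "icmp_time_exceeded", "to": dg.src}
    return {                                 # steps 5-7: decrement, fragment, queue
        "action": "forward",
        "interface": route.interface,
        "ttl": dg.ttl - 1,
        "fragments": fragment_lengths(dg.length, route.mtu),
    }


if __name__ == "__main__":
    for dg in (Datagram("10.0.0.5", "10.1.2.3", 64, 1400),
               Datagram("10.0.0.5", "172.16.5.5", 64, 100),
               Datagram("10.0.0.5", "192.168.7.7", 1, 100)):
        print(dg.dst, "->", forward(ROUTING_TABLE, dg))
```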

Routing environments are based on autonomous systems. The autonomous systems are connected to each other through routers and routing protocols.

Routing takes place within an autonomous system through internal protocols like OSPF and RIP.

Routing takes place between autonomous systems through exterior protocols like BGP.

Switches:

Switches combine the functionality of a repeater and the functionality of a bridge. Any device connected to one port communicates with any device on another port over its own virtual private link.

“A switch is a multiport bridging device and each port provides dedicated bandwidth to the device attached to it”

Basic switches work at layer 2 and forward traffic based on MAC address. Today, there are layer 3 and layer 4 switches with more enhanced functionality. These are referred to as “multilayered switches”.

VLANs (Virtual LANs) are also an important part of switched networks. A switch only sends a packet to the port where the destination MAC address is located, so switches offer more protection against network sniffers.

VLAN:

VLANs (Virtual LANs) allow administrators to logically separate and group users. VLANs also allow administrators to apply different security practices to different groups.

Brouter:

Hybrid device combining the functionality of a bridge and a router. A brouter can bridge multiple protocols and route packets based on some of these protocols.

Gateways:

Almost all gateways work at the application layer because they need to see a majority of the information within a frame and not just the address and routing information that a router or bridge requires.

A popular type of gateway is an email gateway. The mail gateway will usually convert email into standard X.400 and pass it on to the destination mail server.

A network connecting to a backbone (Ethernet –> FDDI for example) would need a LAN gateway.

Summary of Main Devices:

Device      Layer                  Functionality

Repeater    Physical               Amplifies signal and extends networks
Bridge      Data Link              Forwards packets. Filters packets based on MAC address. Forwards broadcast but not collision traffic.
Router      Network                Filters based on IP address. Separates or connects LANs, creating internetworks.
Brouter     Network & Data Link    Bridges multiple protocols and routes some of them.
Switch      Data Link & higher     Private virtual link between devices. Allows for VLANs. Impedes sniffing and reduces contention.
Gateway     Application            Connects different types of network. Protocol and format translation.

PBX:

A Private Branch Exchange (PBX) is a telephone switch located on the company’s property. A PBX can interface with several types of device and provides a number of telephone services. Data is multiplexed onto a dedicated line connected to the telephone company’s central office.

PBXs have the following issues:

  • Often have modems attached for vendor maintenance.
  • Come shipped with default system passwords.
  • Vulnerable to brute force attacks.

ATM Switches:

ATM switches are most commonly used in WANs but are starting to be seen in LANs. They use cell-relay technology.

 

FIREWALLS

Firewalls are used to restrict access from one network to another network. A firewall is a device that supports and enforces the company’s network security policy.

Many times companies will set up firewalls to construct a “DMZ” or “buffer zone” which is a network segment located between protected and unprotected networks. Usually, two firewalls are used to construct a DMZ:

LAN <– firewall <— DMZ <—- firewall <—– router <—– .o(Internet)o.

 

Packet Filtering:

Packet filtering firewalls use Access Control Lists to determine which packets can and cannot pass through. The filtering is based on network layer information; the device cannot look further into the packet itself. A packet filtering router is also called a screening router. Packet filtering usually takes place at the network or transport layer.

Pros                         Cons

Scalable                     Does not look into the packet past the header info
High performance             Lower security relative to other options
Application independent      Does not keep track of connection state

Packet filtering firewalls are often called “first generation firewalls”.

Application-control-capable firewalls are often called “Next Generation Firewalls”.

 

Stateful Packet Filtering:

Stateful filtering keeps track of which packets went where until the connection is closed. To accomplish this, the firewall maintains a state table.

A packet filtering firewall may have a rule to deny UDP on port 25, while a stateful packet filtering firewall can say “allow those packets through if they are in response to an outgoing request”.

  • Frames are analyzed at all communication layers.
  • High degree of security without the performance hit of proxy firewalls.
  • Scalable and transparent to users.
  • Provides data for tracking connectionless protocols like UDP and RPC
  • Used in third generation firewall applications.

Proxy Firewalls:

A “proxy” is a middleman. A proxy firewall accepts messages entering or leaving the network, checks them for malicious content and, if they are OK, passes them on to the destination. A proxy firewall breaks the communication channel – there is no direct communication to internal computers.

Outside scanners will only see the proxy server. Packets are repackaged as they pass through the proxy firewall. Outbound packets will only carry the IP address of the firewall, which means that the proxy server is the only host that needs a valid IP address – the servers behind it can all use private address ranges.

A dual-homed firewall has two NICs and forwarding turned off. There are two types of proxies: application proxies and circuit proxies.

Proxy firewalls are considered second-generation firewalls and are usually used with a dual-homed host.

Application Level: Inspects entire packets and makes access decisions based on actual content. Understands the different protocols and usually works for just one service or protocol.

Circuit-Level: Creates a circuit between client computer and server. Makes access decisions based on source and destination.

Pros:

  • Looks at information within the packet, right up to the application layer.
  • Better security than packet filtering
  • Aware of protocols, services and commands being used.

Cons:

  • Limited to what applications it can support
  • Can degrade network performance
  • Poor scalability
  • Breaks client/server model.

Dual-Homed Host Firewalls:

  • Single computer with separate NICs to each network
  • Used to divide internal trusted network and external untrusted network
  • Must disable forwarding
  • Usually used with proxy software
  • Users can easily and accidentally enable forwarding.

Application level vs. Circuit Level proxy firewalls:

 Application Level:

  • Transfers a copy of each approved packet from one network to another.
  • Different proxy required for each service.
  • Hides network information from external attackers.
  • Hides internal computer information and addresses.
  • More intricate control than circuit level proxy firewalls
  • Reduces network performance

Circuit-Level:

  • Provides a circuit between the source and destination
  • Does not require a proxy for each service
  • Does not provide the detailed control that the application level proxy does.
  • Security for a wider range of protocols.

SOCKS proxy server characteristics:

  • Circuit-level proxy
  • Requires clients to be integrated with SOCKS client software.
  • Mainly used for outbound internet access and VPN
  • Can be resource intensive
  • Authentication and encryption are similar to VPN, but is not considered a bidirectional VPN.

 

1st generation: Packet filtering firewalls.

2nd generation: application (proxy) firewalls

3rd generation: stateful packet firewalls

4th generation: dynamic filtering

5th generation: kernel proxy

6th generation: Chip based Flow inspection with Application Control (NGFW)

 

FIREWALL ARCHITECTURE:

Bastion Host:

A bastion host can be thought of as the foundation for the firewall software to operate on. It is the machine that will be accessed by all entities trying to access or leave the network.

Screened Host:

Many times a screened host is a bastion host that communicates with a border router and the internal network. Inbound traffic is filtered by packet filtering on the router and then sent to the screened host firewall.

Screened Subnet:

Adds another layer of security over the screened host firewall – the bastion host housing the firewall is screened between two routers. This architecture sets up a DMZ between the two routers.

Purposes of firewalls:

Firewalls should:

  • Default to deny
  • Block external packets inbound with internal addresses (Spoofing)
  • Block outbound packets with external source addresses (Zombies)
  • High security firewalls should reassemble packet fragments before sending them on to their destination.
  • Many firewalls will deny packets with source routing information.
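As an added Python example (not from the original notes), the stateless versus stateful contrast described under “Stateful Packet Filtering” and the default-deny and anti-spoofing rules in the list above. The 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges used as constructed external hosts, and the hypothetical ACL denying inbound UDP on ports 25 and 53 stands in for the notes' port-25 rule.

```python
import ipaddress
from dataclasses import dataclass

# Private (non-routed) ranges, as listed under "Intranets and Extranets".
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Pkt:
    direction: str      # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def stateless_acl(pkt: Pkt, denied_inbound_udp_ports=(25, 53)) -> str:
    """First-generation filter: header fields only, no memory of earlier packets.
    A reply from an outside DNS server (source port 53) looks exactly like an
    unsolicited probe, so the ACL must either block both or allow both."""
    if pkt.direction == "in" and pkt.proto == "udp" and \
            (pkt.dport in denied_inbound_udp_ports or pkt.sport in denied_inbound_udp_ports):
        return "drop: ACL denies inbound UDP on port %d/%d" % (pkt.sport, pkt.dport)
    return "allow: no matching deny rule"


class StatefulFilter:
    """Third-generation filter: default deny, anti-spoofing checks, and a state
    table that admits inbound packets only as replies to connections opened
    from inside. Entries never expire here; a real device ages them out and
    removes TCP entries on FIN/RST."""

    def __init__(self, internal_net: str):
        self.internal = ipaddress.ip_network(internal_net)
        self.state = set()      # (proto, internal ip, port, external ip, port)

    def decide(self, pkt: Pkt) -> str:
        src = ipaddress.ip_address(pkt.src)
        # "Block external packets inbound with internal addresses (Spoofing)"
        if pkt.direction == "in" and (src in self.internal or is_private(pkt.src)):
            return "drop: inbound packet with internal/private source (spoofing)"
        # "Block outbound packets with external source addresses (Zombies)"
        if pkt.direction == "out" and src not in self.internal:
            return "drop: outbound packet with external source (zombie)"
        if pkt.direction == "out":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow: outbound, connection recorded"
        # Inbound: a reply's addresses are the mirror image of the stored entry.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
                return "drop: bare SYN opens a new connection, it is not a reply"
            return "allow: reply to a tracked connection"
        return "drop: default deny"


if __name__ == "__main__":
    fw = StatefulFilter("10.0.0.0/8")
    query = Pkt("out", "udp", "10.0.0.5", 40000, "203.0.113.10", 53)
    reply = Pkt("in", "udp", "203.0.113.10", 53, "10.0.0.5", 40000)
    print("stateless, reply :", stateless_acl(reply))
    print("stateful, query  :", fw.decide(query))
    print("stateful, reply  :", fw.decide(reply))
    print("stateful, spoofed:", fw.decide(Pkt("in", "tcp", "10.0.0.77", 1234, "10.0.0.5", 22, syn=True)))
```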

 

Networking Services

 

Network Operating Systems (NOS):

Short list of some of the services that NOS systems (NT, W2K, Linux) provide that most single user (W95, W98) systems do not:

  • Directory services
  • Internetworking, routing and WAN support
  • Support for dial-up users
  • Clustering functionality
  • File & print services
  • Management and administration tools
  • Fault tolerance

A redirector connects the local computer to resources on the network – the local computer may not even be aware of this.

DNS:

  • Networks are split up into “zones”
  • DNS server is said to be authoritative for the zone it serves.

Directory Services:

A directory service is a database containing a hierarchy of users, computers, printers and attributes of each. The directory is used mainly for lookup purposes – to allow users to break down resources. Most directory services are built on the X.500 model or use LDAP to access the directory database.

Intranets and Extranets:

Private IP address ranges (non-routed) are:

10.0.0.0       –   10.255.255.255      Class A
172.16.0.0     –   172.31.255.255      16 * Class B
192.168.0.0    –   192.168.255.255     256 * Class C

Network Address Translation:

Network address translation forms a gateway between a network and the internet or another network. The gateway performs transparent routing and address translation. Some attributes of this process are:

  • Hides true internal IP address information from the outside world.
  • The NAT device needs to remember the internal IP address and port to send the messages back to.

Metropolitan Area Network (MAN):

A MAN is usually a backbone that connects businesses to WANS, the Internet and other businesses. A majority of today’s MANs are Synchronous Optical Network (SONET) or FDDI rings provided by local telephone companies.

Wide Area Network (WAN):

WAN technologies are used when communication needs to take place over a larger geographical area.

There are several technologies in the WAN arena, several of which are discussed below.

SONET (Synchronous Optical Network) gives all the world’s carriers the ability to interconnect.

ATM encapsulates data in fixed cells and can be used to deliver data over SONET. The fixed size provides better performance and reduced overhead.

A quick snapshot at telecom history:

  • Copper lines carrying analog information
  • T1 lines carrying up to 24 conversations
  • T3 lines carrying up to 28 T1 lines
  • Fiber optics and the SONET network
  • ATM over SONET

 

Types and speed of standard leased lines:

DS0: Single 64k channel on a T1 facility

DS1: 1.544mbps on a T1 (2.108 on an E1 in Europe)

DS3: 44.756mbps on a T3 facility.

Dedicated Links:

  • Leased line or “point to point” link.
  • Expensive, but secure

T-Carriers:

  • Dedicated lines that carry voice or data over trunk lines.
  • Most common are T1 @ 1.544mbps and T3 @ 45mbps
  • Multiplexing through TDM (Time division multiplexing)

S/WAN:

  • Secure WAN, initiative of RSA security who worked with firewall and protocol vendors to build secure firewall-to-firewall connections through the internet.
  • S/WAN is based on VPNs that are created with IPSEC.

xDSL types

ADSL: More bandwidth down than up.

SDSL: 1.544mbps down and up. Limited to 10,000 feet from exchange.

HDSL: High-rate digital subscriber line. 1.544mbps each way.

VDSL: Very high data rate DSL – 13 to 52mbps downstream and 1.5 to 2.3mbps upstream. Limited to 1,000 – 4,500 feet from exchange.

 

Packet Switching vs Circuit Switching:

Circuit Switching                  Packet Switching

Constant traffic                   Bursty traffic
Fixed delays                       Variable delays
Connection-oriented                Connectionless
Sensitive to loss of connection    Sensitive to loss of data
Voice oriented                     Data oriented

WAN Technologies

CSU/DSU:

  • Channel service unit / data service unit: required when digital equipment is used to connect a LAN to a WAN
  • Necessary because the frames are so different between LAN and WAN equipment.
  • DSU converts signals from routers, bridges, etc into signals that can be transmitted over the telephone company’s digital lines
  • CSU connects the network directly to the telephone company lines.
  • Provides an interface for DTE and DCE devices such as the router and the carrier’s switch.

 

Switching:

There are two main types of switching, circuit switching and packet switching:

Circuit Switching:

  • Connection oriented virtual links (ISDN, telephone call)
  • Traffic travels in a predictable and constant manner
  • Fixed delays
  • Usually carries voice oriented data

Packet Switching:

  • Packets can use many different dynamic paths to get to the same destination
  • Supports traffic that is bursty
  • Variable delays
  • Usually carries data-oriented information.
  • Internet, X.25 and Frame Relay are all packet switching networks.

Frame Relay:

Frame relay is a WAN protocol that operates at the data link layer. Frame Relay uses packet switching technology as an alternative to expensive dedicated lines.

Companies that pay more to ensure a higher level of bandwidth availability pay a “committed information rate” or CIR.

Virtual Circuits:

Frame relay forwards frames across virtual circuits. These can be permanent (PVC), meaning they are programmed in advance, or switched (SVC), meaning the circuit is built when needed and then torn down.

The PVC (Permanent Virtual Circuit) works like a private line for a customer with a CIR. A PVC is programmed to ensure bandwidth availability.

 

X.25

X.25 is an older WAN technology that defined how networks and devices establish and maintain connections. X.25 is a switching technology.

Data is divided into 128-byte packets and encapsulated in HDLC (High-level Data Link Control) frames.

X.25 is slower than frame relay or ATM due to heavy error checking and correction that is not necessary on more modern networks.

 

ATM – Asynchronous Transfer Mode:

ATM is another switching technology that uses a cell-switching method instead of packet switching. Like frame relay, ATM is connection-oriented. Cell switching means that data is segmented into fixed size cells (53 bytes).

Like Frame Relay, ATM can set up PVCs and SVCs.

SMDS – Switched Multimegabit Data Service:

High-speed packet switched technology used to enable customers to extend their LANs across MANs and WANs. Protocol is connectionless and can provide bandwidth on demand.

SDLC – Synchronous Data Link Control:

Based on networks that use leased lines with permanent physical connections. SDLC is used mainly for communication to IBM hosts within the SNA architecture.

HDLC – High Level Data Link Control:

Bit-oriented link layer protocol used for transmission over synchronous lines, HDLC is an extension of SDLC. HDLC provides high throughput because it supports full duplex.

HSSI – High Speed Serial Interface:

Interface used to connect multiplexers and routers to high-speed services like ATM and Frame Relay.

These interfaces define the electrical and physical interfaces to be used by DTE/DCE devices, thus HSSI works at the physical layer. Developed by Cisco and T3Plus Networking.

Multi-Service Access:

Multi-service access technologies combine different types of communication categories (voice, data and video) over one transmission line.

VoIP can be affected by latency because the Internet is a packet-switching technology rather than circuit switching. The variation in that delay is referred to as “jitter”.

H.323

Standard that deals with video, audio and data packet-based transmissions where multiple users can be involved with the data exchange. H.323 terminals are connected to gateways or the gateways are connected to PSTN.

Packet switching technologies include X.25, LAPB, FRAME RELAY, ATM and SMDS.

 

REMOTE ACCESS

Remote access covers technologies that enable remote and home users to access networks.

Dial-up and RAS:

Remote access is usually gained by connecting to a network access server (NAS). NAS acts as a gateway and end point for a PPP connection.

ISDN:

Integrated services digital network. ISDN breaks the telephone line into different channels and transmits data in a digital form vs. the old analog method. There are 3 types of ISDN implementation:

BRI: Basic Rate Interface: Operates over existing copper lines in the local loop and provides digital voice and data channels. Uses two B channels and 1 D channel.

PRI: Primary Rate Interface: 23 B channels and one D channel operating at 64k. Equivalent to a T1 circuit.

BISDN: Broadband ISDN. Mainly used with backbones over ATM/SONET.

B channels enable data to be transferred.

D channel provides for call setup, error control, caller id and more.

ISDN is a circuit switching point-to-point protocol.

DSL – Digital Subscriber Line:

  • Uses existing phone lines
  • Have to be within a 2.5 mile radius of the provider’s equipment.

Cable Modems:

  • High speed Internet access through coaxial and fiber lines.
  • Bandwidth is shared between users in a local area.
  • Security concerns: Network sniffers on shared medium.

 

VPN – VIRTUAL PRIVATE NETWORKS

 

A virtual private network is a secure private connection through a public network or otherwise insecure environment. VPNs are often used to provide a connection between two routers.

Tunneling Protocols:

VPNs use tunneling protocols to create a virtual path across a network. There are three main tunneling protocols used in VPN connections: PPTP, L2TP and IPSEC

PPTP:

Point to point tunneling protocol. Encapsulation protocol based on PPP. PPTP works at the data link layer and encrypts and encapsulates packets.

There are a few weaknesses with PPTP. Negotiation information is exchanged in clear text and can be easily snooped. PPTP is a Microsoft developed protocol.

  • Designed for client/server connectivity
  • Sets up a single point-to-point connection between two computers
  • Works at the data link layer
  • Transmits only over IP networks

L2F:

Layer 2 Forwarding:

  • Created before L2TP by Cisco
  • Merged with PPTP to create L2TP
  • Provides mutual authentication, but no encryption.

L2TP:

Layer 2 Tunneling Protocol. L2TP combines L2F with PPTP.

  • PPTP can only run on top of IP. L2TP can use other protocols such as IPX and SNA
  • PPTP is an encryption protocol, L2TP is not. L2TP is often used in conjunction with IPSEC for security.
  • L2TP supports TACACS+ and RADIUS, PPTP does not.

IPSEC:

  • Handles multiple connections at the same time
  • Provides secure authentication and encryption
  • Supports only IP networks
  • Focuses on LAN-LAN communication
  • Works at network layer –> Security on top of I/P
  • Can work in tunnel mode where both header and payload are encrypted, or transport mode where only the payload is encrypted.

PPP:

PPP encapsulates messages and transmits them through an IP network over a serial line. PPP supports different authentication methods such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP).

PAP, CHAP, EAP:

PAP: Least secure of the three options as credentials are sent in clear text. Also vulnerable to replay attacks.

CHAP: Uses a challenge/response mechanism instead of sending a username and password. Client sends host a logon request and the host returns a random “challenge” value. The challenge is encrypted with the user password and returned to the host. The server performs the same encryption and determines whether or not there was a match.

CHAP is not vulnerable to “man in the middle” attacks because it continues this challenge/response activity throughout the connection.

EAP: Extensible Authentication Protocol. EAP is not a specific mechanism like PAP or CHAP but is more of a framework that allows many different types of authentication mechanisms. EAP extends the authentication possibilities to other methods like one-time passwords, token cards, biometrics and future mechanisms.
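The PAP and CHAP exchanges above, as an added example that is not part of the original notes: PAP puts the password itself on the wire, while CHAP sends only a digest of the authenticator's random challenge combined with the secret, so a captured response is useless against the next challenge. The digest here is MD5(identifier || secret || challenge) as specified in RFC 1994; the secret and usernames are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed shared secret known to both peer and authenticator (sample value, not a real credential).
SHARED_SECRET = b"correct horse battery staple"


def pap_credentials(username: bytes, password: bytes) -> bytes:
    """PAP: the Authenticate-Request carries the password in clear text, so anyone
    who captures this byte string has the credential and can replay it unchanged."""
    return username + b":" + password


def chap_challenge() -> bytes:
    """Authenticator step: generate a fresh random challenge for every attempt."""
    return os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer step: MD5(identifier || secret || challenge), the RFC 1994 CHAP response.
    Only the 16-byte digest crosses the wire; the secret never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator step: recompute the digest from its own copy of the secret
    and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer_secret: bytes, stored_secret: bytes = SHARED_SECRET, identifier: int = 1):
    """Run one full challenge/response round. Returns (challenge, response, accepted)."""
    challenge = chap_challenge()                                  # host -> client
    response = chap_response(identifier, peer_secret, challenge)  # client -> host
    accepted = chap_verify(identifier, stored_secret, challenge, response)
    return challenge, response, accepted


def stale_response_is_rejected(identifier: int = 1) -> bool:
    """Why CHAP resists replay: a response that was valid for one challenge is
    presented against a new challenge and must be refused."""
    _, captured_response, _ = chap_exchange(SHARED_SECRET, identifier=identifier)
    new_challenge = chap_challenge()
    return not chap_verify(identifier, SHARED_SECRET, new_challenge, captured_response)


if __name__ == "__main__":
    print("PAP on the wire:", pap_credentials(b"alice", b"hunter2"))
    challenge, response, ok = chap_exchange(SHARED_SECRET)
    print("CHAP challenge:", challenge.hex(), "response:", response.hex(), "accepted:", ok)
    print("stale response rejected:", stale_response_is_rejected())
```

The contrast is in what a sniffer sees: the PAP string contains the password outright, whereas the CHAP response changes with every challenge and cannot be reversed to the secret without guessing it.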

Network and Resource Availability:

Some general guidelines are:

  • Watch out for single points of failure
  • Use ISDN or modem backup for WANs
  • Use UPSs and RAID (striping and/or mirroring)
  • Clustering provides for fault tolerance, load balancing and failover.

RAID types:

Level 0 (Striping): Data is striped over several drives, but there is no redundant drive. Used for performance enhancement. If one drive fails, the whole volume is unusable.

Level 1 (Mirroring): Data is written to two drives at once. If one fails, the other has the same data. This is an expensive option as each drive has another whole drive with the same information.

Level 2 (Hamming Code Parity): Data is striped over all drives at bit level. This array uses 39 drives, 32 for data and 7 for parity. Not used in practice.

Level 3 (Byte Level Parity): Data is striped over all drives, parity is held on just one drive. If a drive fails, it can be reconstructed from the parity drive.

Level 4 (Block Level Parity): Same as level 3 except data is striped in disk sector units rather than blocks of bits or bytes.

Level 5 (Interleave Parity): Data is written to disk sector units across all drives. Parity is written to all drives. There is no single point of failure because parity is written to all drives. Uses XOR algorithm.

Level 6 (Second Parity Data): Similar to level 5 but with added fault tolerance – second set of parity data written to all drives.

Level 7: Variation of RAID 5 where the array functions as a single virtual disk in the hardware.

Level 10 (Level 1 + Level 0): Data is striped across multiple RAID1 pairs.

Level 15 (Level 5 + Level 1): Two complete RAID5 systems are mirrored for additional fault tolerance.

 

WIRELESS TECHNOLOGIES

Broadband wireless occupies the 2 to 24ghz band

  • IEEE 802.16 deals with wireless MANs
  • IEEE 802.11 deals with wireless LANs
  • Higher frequency can carry more data, but a shorter distance

WLANS work in the 2.4 & 5ghz unlicensed bands and there are two IEEE standards, 802.11a and 802.11b:

  • 802.11a is the latest standard, works in the 5ghz range and provides up to 54mbps
  • 802.11b is in the 2.4ghz range and provides up to 11mbps

802.11 uses Wireless Application Protocol (WAP). WAP uses WML (Wireless Markup Language) and WMLScript to present web based material. WAP has its own session and transaction protocols and a transport layer security protocol called WTLS (Wireless Transport Layer Security).

A WAP gateway is required to translate WAP protocols to the internet. Encrypted data from a wireless device comes in with WTLS but must be converted into SSL or TLS by the gateway. For a second or two, the WTLS data will be decrypted for conversion into SSL – this is referred to as the gap in the WAP.

 

Wireless Technology (Prep Guide):

IEEE 802.11 refers to a family of specifications for wireless LANs. The current 802.11 standards all use CSMA/CD.

802.11: Original wireless LAN standard. 1 or 2mbps speed in the 2.4ghz band using DSSS or FHSS.

802.11b: 11mbps (autoslows to 5.5, 2 or 1mbps based on signal strength). Uses only DSSS. Also known as wi-fi.

802.11a: Up to 54mbps in the 5ghz range. Uses orthogonal FDM.

802.11g: 20mbps to 54mbps in the 5ghz range.

802.11e: Draft standard to provide QOS features and multimedia support.

Spread Spectrum Technology:

Spread Spectrum Technology broadcasts signals over a range of frequencies. Receiving device must know the correct frequency of the spread spectrum signal being broadcast. Two spread spectrum technologies currently exist:

Direct-Sequence Spread Spectrum (DSSS): Redundant bit pattern for each bit to be transmitted – spread over a wide frequency. Because it is spread over the spectrum, the number of discrete channels in the 2.4ghz band is small.

Frequency-Hopping Spread Spectrum (FHSS): Uses a narrow band carrier that continually changes frequency in a known pattern. Source and destination devices must be synchronized to be on the same frequency at the same time.

Both of the above appear as line noise to a non spread-spectrum device.
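The DSSS behaviour described above (a redundant chip pattern per bit, recovery despite corrupted chips, and a noise-like signal for any receiver that is not synchronised to the code), as an added example that is not part of the original notes. It models chips as +1/-1 integers rather than a radio waveform and uses the 11-chip Barker sequence that 802.11 DSSS employs; the data bits and the flipped chip positions are constructed inputs.

```python
# Added example: direct-sequence spreading and despreading with the 802.11 Barker code.

BARKER_11 = (1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1)  # 802.11 DSSS spreading sequence


def spread(bits, code=BARKER_11):
    """Replace every data bit with the whole chip sequence: bit 1 sends the code
    as-is, bit 0 sends it inverted. The signal now occupies len(code) times the
    original bandwidth, which is the 'spread' in spread spectrum."""
    chips = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * c for c in code)
    return chips


def correlate(chips, code=BARKER_11):
    """Correlation of one chip block with the code: +len(code) for a clean 1,
    -len(code) for a clean 0, and close to 0 for anything not spread with this
    code, which is why the signal looks like noise to other receivers."""
    return sum(x * c for x, c in zip(chips, code))


def despread(chips, code=BARKER_11):
    """Receiver side: correlate each block and decide by the sign of the sum.
    Up to (len(code) - 1) // 2 corrupted chips per bit are tolerated."""
    n = len(code)
    return [1 if correlate(chips[i:i + n], code) > 0 else 0
            for i in range(0, len(chips), n)]


def flip_chips(chips, positions):
    """Constructed interference: invert the chips at the given positions."""
    out = list(chips)
    for p in positions:
        out[p] = -out[p]
    return out


def misaligned_correlation(shift, code=BARKER_11):
    """What a receiver sees when its chip clock is off by `shift` chips: the cyclic
    autocorrelation of Barker-11 is -1 at every non-zero shift, so an
    unsynchronised receiver recovers no usable signal from the block."""
    rotated = code[-shift:] + code[:-shift]
    return correlate(rotated, code)


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0]                       # constructed data bits
    tx = spread(data)
    print("chips per bit:", len(BARKER_11), "total chips:", len(tx))
    print("5 bad chips in first bit ->", despread(flip_chips(tx, [0, 1, 2, 3, 4])))
    print("6 bad chips in first bit ->", despread(flip_chips(tx, [0, 1, 2, 3, 4, 5])))
    print("misaligned by 3 chips ->", misaligned_correlation(3))
```

The sign decision in despread is what gives DSSS its resistance to narrowband interference: a burst that corrupts a handful of chips only lowers the correlation peak, while a synchronised receiver still lands on the correct side of zero.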

AD-HOC mode: Access is Peer to peer.

Infrastructure mode: Access is via an access point (wireless hub).

 

Wireless Application Protocol (WAP):

Wireless application protocol is a set of technologies related to HTML but tailored to small screens. The most noticeable is HDML: Handheld device markup language.

WAP has 5 layers: Application, session, transaction, security and transport

Application Layer:

Microbrowser, WML (Wireless Markup Language), WMLScript and Wireless Telephony Applications (WTA)

Session Layer:

Contains the Wireless Session Protocol (WSP), which is similar to HTTP. WSP facilitates transfer of content between WAP clients and gateway. WSP provides a connection-oriented mode and a connectionless mode.

Transaction Layer:

Provides the Wireless Transaction Protocol (WTP). Similar functionality to TCP/IP: reliable request and response transactions, and supports unguaranteed and guaranteed push.

The transaction layer provides transaction services to WAP and handles acknowledgements.

Security Layer:

The security layer contains WTLS (Wireless Transport Layer Security). WTLS is based on TLS (similar to SSL) and can be invoked in a manner similar to HTTPS. WTLS provides data integrity, privacy, authentication and DOS protection.

Transport Layer:

The transport layer supports the Wireless Datagram Protocol (WDP) which provides an interface to bearers of transportation. The transport layer supports CDPD, GSM, CDMA, TDMA, SMS and Flex.

 

Wired Equivalent Privacy (WEP) Encryption:

WEP is an option in 802.11b. It uses a 40-bit shared key, RC4 pseudorandom number generator and a 24 bit initialization vector. WEP works in the following manner:

  1. Checksum of message computed and appended to the message.
  2. Shared secret key and initialization vector are fed to the RC4 algorithm to produce a keystream.
  3. The keystream is XORed with the msg and checksum and produces ciphertext.
  4. The initialization vector is appended to the ciphertext message and the message is sent to the recipient.
  5. The recipient who has the same secret key generates the same keystream with the IV.
  6. The generated keystream is XORed with the ciphertext to yield the original message.

WEP is not considered secure due to the 40-bit encryption.
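The six WEP steps above carried through in code, as an added example that is not part of the original notes: a from-scratch RC4 keystream generator, the CRC-32 checksum (the ICV), XOR with the keystream, the IV prepended in the clear, and the receiver's regeneration of the same keystream to recover and verify the message. Real WEP seeds RC4 with the 24-bit IV followed by the 40-bit key, which is the order used here; the key, IV and message are constructed sample values.

```python
# Added example: the WEP encryption/decryption steps with RC4 and a CRC-32 ICV.
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by the pseudo-random generation (PRGA).
    The same (IV, key) seed always yields the same keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(msg: bytes) -> bytes:
    """Step 1: the 32-bit CRC checksum that WEP appends to the message."""
    return zlib.crc32(msg).to_bytes(4, "little")


def wep_encrypt(key40: bytes, iv: bytes, msg: bytes) -> bytes:
    """Steps 1-4 on the sender: checksum, keystream, XOR, prepend IV in the clear."""
    if len(key40) != 5 or len(iv) != 3:
        raise ValueError("WEP-40 uses a 5-byte key and a 3-byte IV")
    plaintext = msg + _icv(msg)                               # step 1
    keystream = rc4_keystream(iv + key40, len(plaintext))     # step 2: RC4(IV || key)
    ciphertext = _xor(plaintext, keystream)                   # step 3
    return iv + ciphertext                                    # step 4


def wep_decrypt(key40: bytes, frame: bytes):
    """Steps 5-6 on the receiver. Returns (message, icv_ok); icv_ok is False when
    the recovered checksum does not match the recovered message."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + key40, len(ciphertext))    # step 5: same IV, same key
    plaintext = _xor(ciphertext, keystream)                   # step 6
    msg, icv = plaintext[:-4], plaintext[-4:]
    return msg, _icv(msg) == icv


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"     # constructed 40-bit shared key
    iv = b"\xaa\xbb\xcc"             # constructed 24-bit IV (only 2**24 distinct per key)
    frame = wep_encrypt(key, iv, b"hello wlan")
    print("frame:", frame.hex())
    print("decrypted:", wep_decrypt(key, frame))
```

The IV travels unencrypted because the receiver needs it to rebuild the keystream; with a 24-bit IV there are only 2**24 distinct keystreams per shared key, and the key itself is only 40 bits, which is what the note above refers to.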

 

