
Telecommunications and Network Security
• CISSP Study Group – June 2013
• Abhijit Kulkarni
Agenda
• Introduction

• OSI model

• Internet Protocol Suite

• LAN, WAN and MAN

• Networking devices

• Networking services

• Wireless Technologies

• Other Network Security topics

• Conclusion

2 Confidential
Introduction
• Network Security is about securing data communications on
network and telecommunications infrastructure.
• Network Security is one of the important domains of the
information security world, since it provides the technology
solutions that protect organization networks from security
exploits.
• Network security involves configuring policies, standards, and
procedures, and using protocols, devices, and software to
protect an organization’s network.

OSI model

• Developed by ISO, introduced in 1984
• It’s an abstract framework/model that protocols adhere to
• The TCP/IP model is a condensed version of the OSI model that is applied
on a practical basis

OSI model – data flow
• Each protocol at a specific OSI layer communicates with a protocol that
operates at the same OSI layer on another computer. This happens
through a process called encapsulation.
• See the OSI model data flow animated at:
http://www.youtube.com/watch?v=Ywxa1pzgC2E

OSI Model – Data Encapsulation (figure: encapsulation between Host A and Host B; not reproduced)

OSI Model – Data Encapsulation
• It is a process of adding a header to wrap the data that flows down the OSI
model. Wrapping up of data into a protocol is also known as encapsulation.
• The Application, Presentation, and Session layers create data from user's
input.
• Encapsulation actually starts at layer 4 of the OSI model where the Transport
layer converts the data into segments by adding a header containing source
and destination port numbers.
• The Network layer converts the segments into packets (or datagrams) by
adding a header containing source and destination IP address.

OSI Model – Data Encapsulation
• The Data Link layer converts the packets into frames by adding a header
containing the source and destination MAC addresses and a trailer containing the
Frame Check Sequence (FCS) used for verifying data integrity.
• The Physical layer converts the frames to bits, which are transmitted through
the physical medium, which can be UTP or fiber cable.
• When the bit stream arrives at the destination, the Physical layer takes it off
the wire and converts it into frames. Each layer then removes its
corresponding header as the data flows up the OSI model, until it is
converted back to data and presented to the user. This is known as
decapsulation.
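The encapsulation and decapsulation walk described on these two slides, as an added Python example that is not part of the original deck: it wraps application data layer by layer (port pair at layer 4, protocol number and IP addresses at layer 3, MAC header plus a CRC-32 frame check sequence at layer 2), then strips the headers back off and verifies the FCS before trusting the frame. The header layouts are deliberately simplified (they are not the real TCP, IPv4 or Ethernet formats), and the addresses and ports are constructed sample values from the documentation ranges.

```python
import struct
import zlib

# Constructed sample addresses (IANA documentation ranges; not from the slides)
SRC_MAC = bytes.fromhex("00005e00530a")
DST_MAC = bytes.fromhex("00005e005301")
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.20"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def transport_encapsulate(data, src_port, dst_port):
    """Layer 4: a simplified segment header carrying only the port pair."""
    return struct.pack("!HH", src_port, dst_port) + data


def network_encapsulate(segment, src_ip, dst_ip, proto=PROTO_TCP):
    """Layer 3: simplified packet header with protocol number and IP addresses."""
    return struct.pack("!B", proto) + ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + segment


def datalink_encapsulate(packet, src_mac, dst_mac, ethertype=ETHERTYPE_IPV4):
    """Layer 2: MAC header in front, CRC-32 frame check sequence as the trailer."""
    header = dst_mac + src_mac + struct.pack("!H", ethertype)
    body = header + packet
    fcs = struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def encapsulate(data, src_port, dst_port):
    """Walk the data down the stack: data -> segment -> packet -> frame."""
    segment = transport_encapsulate(data, src_port, dst_port)
    packet = network_encapsulate(segment, SRC_IP, DST_IP)
    return datalink_encapsulate(packet, SRC_MAC, DST_MAC)


def decapsulate(frame):
    """Walk the frame back up the stack, checking the FCS before anything else.

    The CRC only detects accidental corruption on the wire; it is not a
    cryptographic integrity check and says nothing about deliberate tampering.
    """
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    dst_mac, src_mac = body[0:6], body[6:12]
    (ethertype,) = struct.unpack("!H", body[12:14])
    packet = body[14:]                      # layer 2 header removed
    proto = packet[0]
    src_ip, dst_ip = bytes_to_ip(packet[1:5]), bytes_to_ip(packet[5:9])
    segment = packet[9:]                    # layer 3 header removed
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data = segment[4:]                      # layer 4 header removed
    return {
        "src_mac": src_mac.hex(), "dst_mac": dst_mac.hex(), "ethertype": ethertype,
        "proto": proto, "src_ip": src_ip, "dst_ip": dst_ip,
        "src_port": src_port, "dst_port": dst_port, "data": data,
    }


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.0", 40000, 80)
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```

Flipping a single bit anywhere in the frame makes `decapsulate` raise, which is exactly the integrity check the FCS trailer provides; it is the reason the check happens at layer 2 before any upper-layer header is parsed.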

OSI Model – the Layers
• Application (7) – End user interface (API), closest to the user; includes protocols that support applications:
file transmissions, message exchanges, terminal sessions; does not include the actual applications.
Layer 7 of the OSI model allows applications (users) to use the network in a distributed processing environment.
Examples: HTTP, FTP, TFTP, LPD, TELNET
• Presentation (6) – Presents data to layer 7, acts as translator. Concerned with data format, not the actual data:
data compression, decompression, encryption, decryption.
Examples: JPEG, GIF, MPEG, TIFF, ASCII, EBCDIC, MIDI
• Session (5) – Communication between 2 applications; responsible for creating and removing the connection, and data transfer.
Dialog management: simplex, half duplex, duplex.
Examples: NFS, SQL, RPC
• Transport (4) – Communication/handshaking between 2 computers; determines resources required for data transfer. Error
detection and correction, data integrity, flow control, multiplexing, etc.
Examples: TCP, SPX, UDP, SSL, SSH, SKIP (Simple Key Management for Internet Protocols)
• Network (3) – Data routing; adds header info to data packets. Just sends data packets, does not confirm whether they have
been received or not.
Examples: IP, ICMP, OSPF, BGP, IGMP
• Data Link (2) – Format of the data frame to transmit over Ethernet/Token Ring/FDDI/ATM. Split into MAC (Media Access Control)
and LLC (Logical Link Control).
MAC – sublayer that is allowed to access the media at a point in time; uses CSMA/CD.
LLC – multiplexes protocols running in the DLL and provides flow control, acknowledgement, and error recovery.
Examples: Ethernet, ARP, RARP, SLIP, L2TP, L2F, FDDI, ISDN, PPP
• Physical (1) – Conversion from bits to electrical signals; controls synchronization, data rates, noise levels, and medium access.
Examples: High Speed Serial Interface (HSSI), X.21, EIA/TIA-232, EIA/TIA-449

OSI model – the layers
• 7 - Application layer: “Hand me your information. I will take it from here.” e.g. HTTP, SMTP
• 6 - Presentation layer: “You will now be transformed into something that everyone can understand.” e.g. ASCII, JPEG
• 5 - Session layer: “I don’t want to talk to a computer. I want to talk to an application.” e.g. RPC, NFS
• 4 - Transport layer: “How do I know if I lose a piece of the message? Response: The transport layer will fix it for you.” e.g. TCP
• 3 - Network layer: “Many roads lead to Rome.” e.g. IP, ICMP
• 2 - Data Link layer: “Here we go bits.” e.g. ARP, PPP
• 1 - Physical layer: “Everything ends up as electrical signals anyway.” e.g. EIA/TIA-232, X.21

OSI model – vulnerabilities (applying the 7 layer model to information security)

• Application – App design flaws bypass security controls
• Presentation – Poor handling of input can lead to an app crash
• Session – Weak auth mechanisms, credentials passed in the clear
• Transport – TCP hijacking, mishandling of poorly defined conditions
• Network – IP spoofing, route spoofing
• Data Link – MAC address spoofing
• Physical – Disconnection of physical links, loss of power

OSI model - controls (applying the 7 layer model to information security)

• Application – Standards, testing and review of app code
• Presentation – Checking/cleansing of app input
• Session – Strong auth mechanisms, encrypted credentials exchange
• Transport – Firewall rules for specific protocols, stateful inspection
• Network – Firewall with strong anti-spoofing, route policy controls
• Data Link – MAC address filtering
• Physical – Locked perimeters, power supply redundancy

Internet Protocol Suite
• A set of communications protocols used for the Internet and
similar networks.
• What we have today in IP networking is a synthesis of
development started in the 60’s, boosted by its use in LANs
and the WWW.
• TCP and UDP are two of the core protocols of the IP suite.
• IP is a connectionless protocol that provides the addressing
and routing capabilities for each data packet.

Internet Protocol Suite
The Internet Protocol Suite
Application Layer

BGP · DHCP · DNS · FTP · GTP · HTTP · IMAP · IRC · Megaco · MGCP · NNTP · NTP · POP · RIP · RPC ·
RTP · RTSP · SDP · SIP · SMTP · SNMP · SOAP · SSH · Telnet · TLS/SSL · XMPP · (more)

Transport Layer
TCP · UDP · DCCP · SCTP · RSVP · ECN · (more)
Internet Layer
IP (IPv4, IPv6) · ICMP · ICMPv6 · IGMP · IPsec · (more)
Link Layer
ARP/InARP · NDP · OSPF · Tunnels (L2TP) · PPP · Media Access Control (Ethernet, DSL, ISDN, FDDI) ·
(more)
http://en.wikipedia.org/wiki/Internet_Protocol_Suite

Transport Layer Protocols
• The transport layer in the TCP/IP model does two things: it packages the data given
out by applications into a format that is suitable for transport over the network, and it
unpacks the data received from the network into a format suitable for applications.
• TCP – Transmission Control Protocol
• UDP – User Datagram Protocol
• SPX – Sequenced Packet eXchange
• SCTP – Stream Control Transmission Protocol
• ATP – AppleTalk Transaction Protocol
• FCP – Fibre Channel Protocol

TCP
• Transmission control protocol: Connection oriented, reliable protocol that ensures
that data packets are transferred in sequence from source to destination. Speed of
transfer is somewhat slow because of the high overhead (Any data packets that are
lost are resent). Full duplex connection. TCP does handshaking between 2 systems
before data is transferred between them.

• Operates at Layer 4 (Transport).

TCP attacks
• A Sequence Prediction attack occurs when an
attacker is able to listen in on TCP sessions
between trusted hosts, and then send malicious
traffic from the same source IP address. By
monitoring the traffic before an attack is mounted,
the malicious host can figure out the correct
sequence number.
• A SYN Flood attack is a form of DoS attack where
the attacker sends a series of SYN requests to the
victim host in an attempt to consume enough
server resources to make the system unresponsive
to legitimate traffic.

TCP attacks
• TCP SYN attacks technically work by establishing thousands of half-open connections to
consume the server resources. 2 types of attacks are possible.
– The attacker, or malicious software, will send thousands of SYNs to the server and withhold the ACK. This is
known as SYN flooding. Depending on the capacity of the network bandwidth and the server resources, over a
span of time the entire resources will be consumed. This will result in a denial-of-service.
– If the source IP were blocked by some means, then the attacker, or the malicious software, would try to spoof
the source IP addresses to continue the attack. This is known as SYN spoofing.
• SYN attacks, such as SYN flooding and SYN spoofing, can be controlled using SYN
cookies* with cryptographic hash functions. In this method, the server does not
create the connection at the SYN-ACK stage. The server creates a cookie from the
computed hash of the source IP address, source port, destination IP, destination port,
and some random values based on an algorithm, which it sends in the SYN-ACK. When
the server receives the ACK, it checks the details and creates the connection.
*A cookie is a piece of information, usually in the form of a text file, sent by the server to the client. Cookies are generally stored on a client's
computer and are used for purposes such as authentication, session tracking, and management.
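The SYN cookie scheme described above, as an added Python example that is not part of the original slides: the server derives its initial sequence number from a keyed hash (HMAC-SHA256) over the source/destination addresses and ports plus a slowly advancing counter, keeps no per-connection state, and only builds the connection when the client's ACK carries cookie + 1 and the counter is still within the acceptance window. The secret key, the 8-bit counter / 24-bit hash split and the 64-second period are assumptions for the example; the MSS encoding that production implementations also pack into the cookie is omitted.

```python
import hashlib
import hmac
import socket
import struct

# Constructed server secret (hypothetical). A real server generates this at
# boot and rotates it; it is fixed here so the example is deterministic.
SERVER_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

COUNTER_PERIOD_S = 64   # the counter advances once per 64 s (assumed period)
COUNTER_BITS = 8        # low 8 bits of the counter are stored in the cookie
HASH_BITS = 24          # remaining 24 bits carry the truncated keyed hash


def current_counter(now_seconds):
    """Coarse time counter; the cookie is only accepted for two periods."""
    return int(now_seconds) // COUNTER_PERIOD_S


def _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter):
    """HMAC over the connection 4-tuple and the counter, truncated to HASH_BITS."""
    msg = (socket.inet_aton(src_ip) + struct.pack("!H", src_port)
           + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
           + struct.pack("!Q", counter))
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, counter):
    """Sequence number the server places in its SYN-ACK instead of allocating
    a half-open connection entry."""
    tag = _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter)
    return ((counter & ((1 << COUNTER_BITS) - 1)) << HASH_BITS) | tag


def check_syn_cookie(ack_number, src_ip, src_port, dst_ip, dst_port, now_counter):
    """Validate the handshake's final ACK. The client acknowledges cookie + 1,
    so the cookie is ack_number - 1. The current and the previous counter are
    accepted; anything older (or anything forged) fails."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter_low = cookie >> HASH_BITS
    tag = cookie & ((1 << HASH_BITS) - 1)
    for candidate in (now_counter, now_counter - 1):
        if candidate < 0 or candidate & ((1 << COUNTER_BITS) - 1) != counter_low:
            continue
        expected = _keyed_hash(src_ip, src_port, dst_ip, dst_port, candidate)
        return hmac.compare_digest(tag.to_bytes(4, "big"), expected.to_bytes(4, "big"))
    return False  # no counter in the window matches: stale or forged


if __name__ == "__main__":
    c = current_counter(1_700_000_000)            # any wall-clock time works
    cookie = make_syn_cookie("203.0.113.5", 51515, "192.0.2.1", 443, c)
    print("SYN-ACK seq =", hex(cookie))
    print("valid ACK  :", check_syn_cookie(cookie + 1, "203.0.113.5", 51515, "192.0.2.1", 443, c))
    print("expired ACK:", check_syn_cookie(cookie + 1, "203.0.113.5", 51515, "192.0.2.1", 443, c + 2))
```

Because the cookie is recomputed from the ACK itself, a flood of SYNs from spoofed sources costs the server one hash per SYN-ACK and no memory; the price is that TCP options carried only in the SYN (beyond what the cookie encodes) are lost, which is why SYN cookies are normally enabled only once the backlog is full.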

TCP Summary Table
Protocol / Service: Transmission Control Protocol (TCP)
Layer(s): TCP works in the transport layer of the TCP/IP model
Applications: Applications where the delivery needs to be assured, such as email, World Wide Web (WWW), file transfer, and so on, use TCP for transmission
Threats: Service disruption
Vulnerabilities: Half-open connections
Attacks: Denial-of-service attacks such as TCP SYN attacks; connection hijacking such as IP spoofing attacks
Countermeasures: SYN cookies; cryptographic solutions
UDP
• UDP is a best-effort and connectionless protocol.
• UDP has neither packet sequencing nor flow or congestion
control.
• The destination doesn’t acknowledge every packet received.
• UDP is a fast protocol since it does not check for reliability of
transmission.
• Used early on in audio and video streaming (and still is).

UDP Summary Table
Protocol / Service: User Datagram Protocol (UDP)
Layer(s): UDP works in the transport layer of the TCP/IP model
Applications: UDP is predominantly used where a loss of intermittent packets is acceptable, such as video or audio streaming
Threats: Service disruptions
Vulnerabilities: Weak validation
Attacks: UDP flood attacks such as ping of death
Countermeasures: Controlling ICMP access

Network Layer Protocols
• The protocols in this layer primarily carry out the following functions:
– They pass the outgoing packets to the next layer (data link) through the gateway
– They pass the incoming packets to the transport layer
– They provide error detection and diagnostics for the incoming and outgoing packets
• Some of the important protocols in this layer are Internet Protocol (IP),
Internet Control Message Protocol (ICMP), Internet Group
Management Protocol (IGMP), and Internet Protocol security (IPsec).
• ICMP (ping) is used for error and diagnostic functions, and IGMP is used in
multicasting.
Multicasting refers to one-to-many communications. For example, a stock exchange may need to send stock price
data to multiple groups, or an IPTV service may multicast to many users at once.

Internet Protocol - IP
• A connectionless protocol that is used in packet-switched networks such as
the Internet. The primary function of this protocol is to send data from one
computer to another.
• Internet Protocol version 4 (IPv4) is a widely deployed protocol on the
Internet. As the name implies, it is the fourth iteration of the protocol. It uses
32 bits for the length of the address, giving a maximum of 2^32
addresses. The number of publicly available IPv4 addresses is more or less
consumed, and the Internet is moving towards IPv6.
• Internet Protocol version 6 (IPv6) is designed as a successor to the IPv4 address
space. This protocol uses 128 bits for IP addresses and has an address space
of 2^128 IP addresses.

IP Summary Table
Protocol / Service: Internet Protocol (IP)
Layer(s): IP works in the Network layer of OSI and the Internet layer of the TCP/IP model.
Applications: The primary application is to send data packets across the network to the destination computer. The computers in such a network are known as hosts. IP is a connectionless protocol that tries the best-effort method of packet delivery, but does not guarantee it. The Transmission Control Protocol (TCP) manages the reliability of the transmission. Two versions are being used in the Internet: Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).
Threats: Mis-delivery or non-delivery of packets, data corruption, duplicate data
Vulnerabilities: Lack of validation, lack of sequencing
Attacks: Identity theft, hacking
Countermeasures: Transmission Control Protocol (TCP) and Address Resolution Protocol (ARP); IPv6 and IPsec

IPSec
• IPsec is a suite of protocols that is created to secure the Internet Protocol (IP). It
provides authentication and encryption functions. Compared to the upper-
layer security protocols such as SSL or TLS, IPsec is independent of
applications. It can be used to protect the application and transport layer
protocols.
• IPsec uses the following three protocols for various security functions:
– Internet Key Exchange (IKE): It is used to negotiate protocols and algorithms, and also to
generate keys for encryption and authentication
– Authentication Header (AH): It is used to provide data origin authentication and
integrity assurance to datagrams
– Encapsulating Security Payload (ESP): It is used to support encryption-only and
authentication-only configurations

IPSec
Protocol / Service: IPsec
Layer(s): IPsec works in the network layer of OSI and the Internet layer of the TCP/IP model
Applications: The primary functions include authentication and encryption. This protocol suite is designed to protect transport layer protocols such as TCP and UDP. The Virtual Private Network (VPN) is one of the key applications of IPsec
Threats: Spoofing; unauthorized connections
Vulnerabilities: Weak authentication; lack of connection checks
Attacks: Man-in-the-middle attacks; session hijacking
Countermeasures: Proper IPsec policies; additional IPsec connection checks
Link Layer Protocols
• The methods, protocols, and specifications that are used to link hosts, or nodes, in a network are
grouped in the Data Link Layer. This layer operates close to physical layer components.
• Media Access Control (MAC) address: a unique hardware address that is assigned to the Network
Interface Card (NIC) or Network Adapter.
• Address Resolution Protocol (ARP): It is used for resolving the hardware address for a given IP address.
This protocol is the standard method for finding hardware addresses from network layer addresses such as
Internet Protocol (IP) addresses.
• Reverse Address Resolution Protocol (RARP): It is used to obtain IP addresses based on the hardware
address.
• Neighbor Discovery Protocol (NDP): It is used to find neighbor nodes in an IPv6 network.

ARP
Protocol / Service: Address Resolution Protocol (ARP)
Layer(s): ARP works in the network layer of OSI and the link layer of the TCP/IP model.
Applications: The primary application of ARP is to translate IP addresses to Ethernet Media Access Control (MAC) addresses. The primary purpose of this protocol is to resolve hardware addresses such that communication can be established between two computers within the same network or over the Internet.
Threats: Sniffing, spoofing
Vulnerabilities: Unsolicited ARP reply
Attacks: ARP poisoning, ARP Poison Routing (APR), denial-of-service (DoS)
Countermeasures: MAC to IP mapping

ARP poisoning refers to overwriting existing entries in the ARP table with malicious addresses
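The "MAC to IP mapping" countermeasure and the "unsolicited ARP reply" vulnerability from the table above, turned into a small detector as an added Python example that is not part of the original slides. It audits a log of ARP events against a trusted IP-to-MAC table and raises an alert when a reply contradicts that table, when a reply arrives that nobody asked for, or when one MAC starts claiming several IP addresses. The trusted table, the event log and the tuple layout of each event are constructed for the example (addresses are from the documentation ranges), and the alert names are the example's own.

```python
from collections import defaultdict

# Constructed trusted IP-to-MAC mapping (e.g. from static configuration or
# DHCP leases). Addresses are IANA documentation values, not a real LAN.
TRUSTED_MAP = {
    "192.0.2.1": "00:00:5e:00:53:01",    # default gateway
    "192.0.2.10": "00:00:5e:00:53:0a",   # workstation
}

# Constructed ARP event log: (operation, sender_ip, sender_mac, target_ip)
ARP_EVENTS = [
    ("request", "192.0.2.10", "00:00:5e:00:53:0a", "192.0.2.1"),   # who has 192.0.2.1?
    ("reply",   "192.0.2.1",  "00:00:5e:00:53:01", "192.0.2.10"),  # legitimate answer
    ("reply",   "192.0.2.1",  "00:00:5e:00:53:ee", "192.0.2.10"),  # gateway IP, wrong MAC
    ("reply",   "192.0.2.7",  "00:00:5e:00:53:ee", "192.0.2.10"),  # nobody asked for this
]


def audit_arp(events, trusted):
    """Return a list of (alert_kind, sender_ip, sender_mac) for suspicious replies.

    Checks applied to every ARP reply, in this order:
      mapping-conflict  : sender IP is in the trusted table under a different MAC
      unsolicited-reply : no request for that IP from the target is outstanding
      mac-multiple-ips  : the same MAC has now claimed more than one IP address
    """
    outstanding = set()              # (answering_ip, requester_ip) pairs awaited
    ips_by_mac = defaultdict(set)    # which IPs each MAC has claimed so far
    alerts = []
    for op, sender_ip, sender_mac, target_ip in events:
        mac = sender_mac.lower()
        if op == "request":
            outstanding.add((target_ip, sender_ip))
            continue
        if op != "reply":
            continue
        if sender_ip in trusted and trusted[sender_ip].lower() != mac:
            alerts.append(("mapping-conflict", sender_ip, sender_mac))
        key = (sender_ip, target_ip)
        if key in outstanding:
            outstanding.discard(key)   # this reply answers a real request
        else:
            alerts.append(("unsolicited-reply", sender_ip, sender_mac))
        ips_by_mac[mac].add(sender_ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(("mac-multiple-ips", sender_ip, sender_mac))
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(ARP_EVENTS, TRUSTED_MAP):
        print(*alert)
```

A gratuitous ARP sent by a host whose address legitimately changed is also "unsolicited", so that check on its own is a signal to correlate with the mapping-conflict check, not a verdict; the mapping-conflict check is the one that directly implements the table's countermeasure.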

Protocol Table
• Useful table that contains a list of most protocols with an explanation of each

Internet Protocol Suite – IP addressing
Class A – 0.0.0.0 to 127.255.255.255 – The first byte is the network portion and the remaining three bytes are the host portion.
Class B – 128.0.0.0 to 191.255.255.255 – The first two bytes are the network portion and the remaining two bytes are the host portion.
Class C – 192.0.0.0 to 223.255.255.255 – The first three bytes are the network portion and the remaining one byte is the host portion.
Class D – 224.0.0.0 to 239.255.255.255 – Used for multicast addresses.
Class E – 240.0.0.0 to 255.255.255.255 – Reserved for research.
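The classful table above and the 2^32 / 2^128 address-space figures from the IP slide, as an added Python example that is not part of the original deck: it classifies an IPv4 address by its first octet, splits it into the network and host portions the table describes, derives the default mask length that follows from that split, and computes the size of the IPv4 and IPv6 address spaces. The function names are the example's own.

```python
import ipaddress

# Classful ranges exactly as the table gives them:
# (class, first-octet low, first-octet high, number of network octets)
IPV4_CLASSES = [
    ("A", 0, 127, 1),
    ("B", 128, 191, 2),
    ("C", 192, 223, 3),
    ("D", 224, 239, None),   # multicast: no network/host split
    ("E", 240, 255, None),   # reserved
]


def ipv4_class(addr):
    """Return the classful letter (A-E) for a dotted-quad IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for name, low, high, _ in IPV4_CLASSES:
        if low <= first_octet <= high:
            return name
    raise ValueError(f"not a valid IPv4 address: {addr}")


def classful_split(addr):
    """Split an address into its classful network and host portions."""
    name = ipv4_class(addr)
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    net_octets = next(n for c, _, _, n in IPV4_CLASSES if c == name)
    if net_octets is None:
        return {"class": name, "network": None, "host": None, "prefix": None}
    return {
        "class": name,
        "network": ".".join(octets[:net_octets]),
        "host": ".".join(octets[net_octets:]),
        "prefix": 8 * net_octets,          # default mask length: /8, /16 or /24
    }


def classful_network(addr):
    """The IPv4Network an address belongs to under classful (pre-CIDR) rules."""
    prefix = classful_split(addr)["prefix"]
    if prefix is None:
        raise ValueError("class D/E addresses have no classful network")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def address_space(version):
    """Number of addresses: 2^32 for IPv4, 2^128 for IPv6."""
    return 2 ** {4: 32, 6: 128}[version]


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.6", "192.0.2.44", "224.0.0.1"):
        print(sample, classful_split(sample))
    print("IPv4 space:", address_space(4), " IPv6 space:", address_space(6))
```

The classful split is the historical default only; routers and hosts today apply explicit CIDR prefix lengths, so `classful_network` tells you what a 1980s router would have assumed, not what a modern routing table contains.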

Network Class Table (figure not reproduced)

LAN, MAN and WAN
• LAN – Local Area Network.
• Ethernet is the most widely used standard.
• Topologies: ring, bus, star, tree and mesh.

LAN, MAN and WAN

• MAN – Metropolitan Area Network
– Most MANs run over SONET or FDDI rings provided by telecom
companies.
• WAN – Wide Area Network
– WANs are used when data needs to travel long distances, e.g. leased
lines connecting multiple offices of an organization.

LAN
• LAN Topologies – BUS, STAR, MESH, RING
• LAN Transmission Methods – CSMA/CD, CSMA/CA, Token
Passing, Polling
• LAN Architectures – Ethernet, Token Ring, FDDI
• LAN Transmission Protocols – TCP/IP, UDP

LAN X’mission: Token Ring / Polling
• Token passing networks are deterministic and predictable.
– In a token ring network, it is possible to calculate the maximum transmission delay
experienced by any end station. Token passing networks use a token, or series of
bits, to grant a device permission to transmit over the network. The token acts like
a ticket, enabling its owner to send a message across the network. When
transmission is complete, the device passes the token along to the next device in
the topology. Since there is only one token for each network, there is no
possibility that a collision will occur, i.e. two computers attempting to transmit
messages at the same time. In addition, rules in the protocol specifications
mandate how long a device may keep the token, how long it can transmit for and
how to generate a new token if there isn't one circulating.
– Hence, token passing networks, such as Token Ring networks, are ideal for
environments where transmission delays must be predictable.

LAN X’mission: CSMA/CD and CSMA/CA
• CSMA/CD (specified in the IEEE 802.3 standard) networks, such as
Ethernet networks, are non-deterministic.
– In these types of networks, nodes constantly monitor the line to make sure that no
other hosts are transmitting. A node must wait until the line is clear before starting
to transmit and must continue to monitor the line while transmitting. If two nodes
transmit at the same time, the transmission will be corrupted (collision) and the
frames will be discarded. In this situation, each device then waits a random
amount of time and retries until transmission is successful. As a result of their non-
deterministic nature, CSMA/CD (IEEE 802.3) networks, such as Ethernet, are NOT
ideal for network environments where transmission delays must be predictable and
deterministic.
• CSMA/CA uses the concept of collision avoidance; it is used in wireless
networks.

LAN Architectures: Ethernet
• It is a family of frame-based networking technologies that is used in a Local
Area Network (LAN).
• Usually a bus or star topology
• IEEE 802.3 standard
• Shared media – all devices take turns and detect collisions
• Uses broadcast and collision domains
• CSMA/CD access method (Carrier Sense Multiple Access with Collision
Detection)
• Uses coaxial or twisted pair cabling
Ethernet Summary Table
Protocol / Service: Ethernet
Layer(s): Ethernet operates in the data link layer and the physical layer of the TCP/IP model.
Applications: Ethernet initially used co-axial cables for networking. The present day technologies include hubs or switches and twisted pair cabling. Ethernet technologies have predominantly replaced other LAN standards such as token ring, FDDI, and ARCnet.
Threats: Spoofing
Vulnerabilities: Reuse of frame buffers
Attacks: Denial-of-service (DoS), eavesdropping
Countermeasures: Segmentation, filtering, encryption

Types of Ethernet Cabling
• 10base2 ThinNet: uses coaxial cable. Max length of 185 meters and provides
up to 10 Mbps throughput. Uses BNC connectors.
• 10base5 ThickNet: uses thicker coaxial cable. Longer cable segments and
less interference.
• 10baseT: twisted-pair copper wiring. RJ45 connectors, usually in a star
topology with a hub or switch.
• Fast Ethernet: regular Ethernet running at 100 Mbps over twisted pair wiring.

Ethernet Cabling
Type – Cabling – Speed
• 10base2, ThinNet – Co-axial – 10 Mbps
• 10base5, ThickNet – Co-axial – 10 Mbps
• 10base-T – UTP – 10 Mbps
• 100base-FX, Fast – UTP – 100 Mbps
• 1000base-T – UTP – 1,000 Mbps

LAN Architectures: Token Ring
• 802.5 standard, originally developed by IBM
• Signal travels in a logical ring
• Each computer is connected to a hub called a Multistation Access
Unit (MAU)
• 16 Mbps capacity
• Active Monitor – removes frames that are continually circulating
• Beaconing – attempts to work around errors.

LAN Architectures: FDDI
• Fiber Distributed Data Interface, developed by ANSI, 802.8 standard.
• High speed token-passing media access technology
• Speed of 100 Mbps – usually used as a backbone network using fiber
optics.
– CDDI (Copper Distributed Data Interface) uses copper instead of fiber
• Fault tolerance – second counter-rotating ring.
• Can be used up to 100 km, so popular in MANs

LAN Cabling Types
• Coaxial
– Copper core surrounded by a shielding layer
– More resistant to EMI
– 10base2 = ThinNet (RG58), 10base5 = ThickNet (RG11/RG8)
– 10base2 segments can be up to 185 meters
– 10base5 segments can be up to 500 meters
– Can use the baseband method (one channel) or broadband (multiple channels)
– 50-ohm cable is used for digital signaling and 75-ohm for analog signaling and high
speed data.

LAN Cabling Types
• Twisted Pair Cable
– STP = Shielded Twisted Pair
– UTP = Unshielded Twisted Pair

• Fiber Optics
– Uses a type of glass carrying light waves
– Glass core surrounded by protective cladding, encased in outer jacket
– Not affected by EMI, no attenuation
– Very hard to tap into, the most secure type of cabling.

UTP Cabling
UTP Category – Characteristics – Usage
• CAT 1 – Voice grade – Not recommended for network use.
• CAT 2 – Up to 4 Mbps – Mainframe and mini connections.
• CAT 3 – 10 Mbps Ethernet, 4 Mbps token – 10base-T networks
• CAT 4 – 16 Mbps – Token ring networks
• CAT 5 – 100 Mbps; 100base-TX and FDDI – FDDI & ATM installations; new LANs
• CAT 6 – 155 Mbps – New network installations
• CAT 7 – 1 Gbps – New network installations

Cabling Issues
• Noise: caused by surrounding devices or characteristics of the environment
• Attenuation: loss of signal as it travels. The effect of attenuation increases at
higher frequencies.
• Crosstalk: UTP is susceptible to crosstalk, which is caused when electrical
signals on one wire spill over to another wire.
• Plenum space is the space between the ceiling and the next floor. Often
used for wiring and cabling. This space, if not properly specified, can lead to
interference (EMI)

LAN, MAN and WAN - attacks
• Net Sec Admin: “Why are you scanning the network (my network)?”
Answer: “Hmm... I’m the LAN-testing-scanning-stuff guy...”
• Local/internal attacks do occur: unsatisfied employee, “test guys”.
• DoS without knowing: high bandwidth usage due to downloading,
streaming video or any other high-consumption network usage.
• MANs and WANs are more susceptible to physical disruptions (intentional or
not). They are in the “open”. E.g.: underground optical cables broken
by a construction crew.

Networking Devices

• Where network security theories and policies come to life.
• In the last 10 years device capabilities for bandwidth and security
have increased a lot.
• Devices are characterized by their functionality, capabilities,
intelligence and network placement.
• Repeaters, Hubs, Bridges, Switches, Routers, Gateways,
Firewalls

Repeaters
• Layer 1
• No intelligence, cannot work with addresses
• Amplifies signals, used to extend networks
• Forwards broadcast and collision information; does not have
the intelligence to distinguish among different types of traffic, i.e.
forwards all information it receives
• No security

Hubs
• Layer 1
• Multiport repeater, also called concentrator
• Forwards information through all ports

Bridges
• Layer 2 device
• Used to connect network segments or LANs or to extend a network, thus
dividing a network into segments for better use of bandwidth and traffic
control
• Bridges are simple, protocol-dependent networking devices that are used to
interconnect two or more homogeneous LANs to form an extended LAN. A
bridge does not change the contents of the frame being transmitted but acts
as a relay.
• Builds forwarding tables based on MAC addresses
• Amplifies a signal as well as filters it using MAC addresses

Bridges
• Reads header information, but does not alter it; uses same network address
for all ports
• Forwards traffic if destination is unknown to bridge
• LANs connected by a bridge are in the same broadcast domain, hence called
Extended LAN
• Isolates collision domains, and forwards information only to the port where
the destination network is connected
• Bridges are used to connect two separate networks to form a logical
network. They must have storage capacity to store frames and act as a
store-and-forward device. Bridges operate at the data link layer by
examining the media access control header of a data packet.
Bridges
• Forwards broadcast packets, thus creating possibility of network congestion
(broadcast storms)
• Use Transparent Bridging and Source Routing
– Transparent Bridging: Frames are examined and forwarding tables are populated
with address information.
– Source Routing: Data packets themselves contain forwarding information to tell
the bridge where they should be transmitted. External / border routers should not
accept source routing packets because it will override all routing rules, and
attackers with this technique can maneuver traffic the way they want by
sidelining the router.

Switches
• Layer 2 (switches operating at layers 3 and 4 are called
multilayer switches – they use ASICs, application-specific
integrated circuits)
• Repeater + Bridge
• Layer 2 switches forward frames based on their MAC
address.
• Layer 3 and 4 switches have more “intelligence” and can
make forwarding or routing decisions based on data link,
network or transport layer information.

Switches
• Multiport bridging device, with each port providing dedicated bandwidth to
the device attached to it. Therefore, no collision or broadcast domains;
sends the data frame directly to the destination computer
• Full duplex connection (one wire for sending, one for receiving) reducing
competition between 2 devices for the connection, thus decreasing traffic and
network latency and improving network efficiency.
• Since it does not transfer broadcast and collision traffic, it’s difficult for
intruders to sniff the network to extract information – thus more secure
• Allows flexibility of VLANs
– VLANs: virtual LANs, separate networks within a switch.
– Do not rely for network security only on VLAN separation.
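The transparent bridging behaviour described on the Bridges slides (forwarding tables populated from addresses seen on each port, traffic forwarded to an unknown destination, collision domains isolated) is the same mechanism a layer 2 switch runs per port, which is what the "sends the data frame directly to the destination computer" bullet above relies on. As an added Python example that is not part of the original deck, here is a learning bridge over constructed frames; the port numbers, MAC addresses and frame dictionaries are the example's own.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Transparent bridge: learn source MAC -> port, forward by destination MAC."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # MAC address -> port it was last seen on

    def handle(self, frame, in_port):
        """Process one frame; return the list of ports it is forwarded out of."""
        src, dst = frame["src"].lower(), frame["dst"].lower()
        # Learning step: the source address lives behind in_port. This is how
        # the forwarding table gets populated without any configuration.
        self.table[src] = in_port
        # Broadcast, or a unicast destination not yet learned: flood every
        # other port (the "forwards traffic if destination is unknown" rule).
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        if out_port == in_port:
            return []            # same segment as the sender: filter, don't forward
        return [out_port]        # known destination: forward to that port only


# Constructed MAC addresses (documentation range) for the demonstration
HOST_A = "00:00:5e:00:53:0a"
HOST_B = "00:00:5e:00:53:0b"
HOST_C = "00:00:5e:00:53:0c"


def demo():
    """Run a short sequence and return the per-frame output port lists."""
    bridge = LearningBridge(ports=[1, 2, 3])
    return [
        bridge.handle({"src": HOST_A, "dst": HOST_B}, 1),    # B unknown: flooded to 2, 3
        bridge.handle({"src": HOST_B, "dst": HOST_A}, 2),    # A learned on port 1
        bridge.handle({"src": HOST_A, "dst": HOST_B}, 1),    # both known: port 2 only
        bridge.handle({"src": HOST_A, "dst": BROADCAST}, 1), # broadcast: 2, 3
        bridge.handle({"src": HOST_C, "dst": HOST_A}, 1),    # A is on port 1 too: filtered
    ]


if __name__ == "__main__":
    for ports in demo():
        print("forwarded to:", ports)
```

The first and fourth frames show the limit of the "difficult to sniff" argument on the Switches slide: unknown-unicast and broadcast frames are still flooded to every port, so only traffic to already-learned destinations stays off the other ports. A sudden rise in flooded frames per port is therefore worth watching as a health signal on a switched segment.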
Routers
• Layer 3 device; uses ACLs to route data packets from
source to destination using IP addresses and data frame
information
• A router discovers information about routes and
changes that take place in a network through its routing
protocols (RIP, BGP, OSPF, and others).
• Splits up a network into collision and broadcast domains
• Frame received by router → router strips header info →
retrieves destination IP address from data → looks it up in
the ACL table → finds a match and sends data to the destination. If a
match is not found, an ICMP error message is sent to the source
computer

Routers
• A router –
– Is used for sophisticated filtering of data packets when segmenting a network
– Creates a new header for each frame
– Builds routing tables based on IP addresses
– Assigns a different network address per port
– Filters traffic based on IP addresses
– Does not forward broadcast packets
– Does not forward traffic that contains a destination address unknown to the router
– Connects two networks or network segments and uses IP to route
messages. A router’s ACLs are not really firewalls, but can be considered the first line
of defence.

Gateways
• Layer 7, although different types can work at other layers
• Connects 2 different networks that use different topology/protocols and
acts as a translator
• Performs protocol and format translations
• A gateway is designed to reduce the problems of interfacing any
combination of local networks that employ different level protocols or local
and long-haul networks.
• Primarily software products that can be run on computer or other network
devices. They can be multi-protocol (link different protocols) and can
examine the entire packet. Gateways provide access paths to foreign
networks.
Firewalls
• Firewalls are used to restrict access to one
network from another network.
• A common firewall installation exists to isolate a
company’s network from the outside world and
is not used to isolate internal traffic.
• Types of firewall include: packet filtering, stateful,
proxy, dynamic packet filtering, kernel proxy.
• Layer 7 firewalls are a good choice to protect
potentially vulnerable apps that can’t be re-
written.

Packet Filtering Firewall
• First generation, operates at layer 3 or 4
• Also called ‘screening router’
• Uses ACLs like routers, examines source and destination address of
incoming data packet
• Filtering based on header information of data packets, so limited
functionality
• Only looks at header info, so not application-dependent
• Is scalable and provides high performance
• Does not keep track of state of a connection
• Low security
Packet Filtering Firewall
• An important point with packet filtering firewalls is that their speed and flexibility,
as well as their capacity to block denial-of-service and related attacks, make
them ideal for placement at the outermost boundary with an untrusted
network.
– A packet-filtering firewall blocks traffic at a gateway based on IP address and/or
port numbers. It is also known as a "screening router." It blocks unwanted network
traffic based either on its source address, destination, or its type (e-mail, FTP, etc.).
Packet filtering is generally performed in a router. Unlike stateful inspection
firewalls, packet filtering firewalls do NOT maintain a state table in order to track the
state and context of incoming data packets.

Proxy Firewalls
• ‘Middleman’ concept – packets are inspected by this firewall before they are
passed
• Second generation firewall
– Impersonates the destination computer
– Breaks the communication channel; there is no direct communication between host and
destination, everything goes through the proxy.
• Provides good security
• Reduces network performance since it analyzes every packet
– Degrades traffic performance
• Has scalability issues
– Limited to what applications it can support

Application Level Proxy Firewall
• Operates at Layer 7
• A host computer running proxy server software, making it a proxy server
• Relays each request as a new connection of its own and copies the data across, thus masking the data's origin and protecting the network from outsiders who might want to learn its design
• Used commonly with a dual-homed host
• Each proxy works for only one service or protocol
Circuit Level Proxy Firewall
• Creates a virtual circuit between client and server; works at the session layer (layer 5).
• Does not care about or understand the higher-level issues that an application proxy deals with
– Knows source and destination addresses and ports
– Does not require a separate proxy for each and every service
• Can handle a wider variety of protocols or services than an application proxy firewall, and is easier to maintain.
• Does not provide the detailed access control that an application proxy firewall provides, but covers a wider range of protocols.
• SOCKS: example of a circuit-level proxy gateway that relays TCP connections (and, in SOCKS version 5, UDP) between two computers. SOCKS 5 adds client authentication, but SOCKS itself does not encrypt the traffic it relays, so it is not a VPN protocol even though it is sometimes compared to one.
Stateful Inspection Firewall
• Third generation firewall
• Like a 'nosy neighbour' that keeps track of which data packets are entering the network: it 'remembers'
• Has an inspection engine; operates at layers 3 and 4 (addresses, ports, and TCP flags and sequence state)
• Maintains a 'state table' that tracks each and every communication channel
• Packets are queued and the headers analyzed up through the transport layer (deeper application inspection is optional)
• Provides high security; scalable and transparent to users
• Also tracks connectionless protocols like ICMP and UDP, using pseudo-state entries that expire after a timeout
• Caveat: the state table is finite, so a flood of half-open connections can exhaust it; use short SYN timeouts or SYN cookies on the firewall.
Dynamic Packet Filtering Firewall
• Fourth generation firewall
• Ports 0–1023 are the well-known ports used by server-side services, so a client does not receive on them. The sender uses a dynamic (ephemeral) port above 1023 to set up a connection with another entity. The firewall creates an ACL entry allowing the reply traffic back to the sender on that port, so this ACL is refreshed every time a sender opens a new connection.
• ACLs for these firewalls are dynamic in nature: once the connection is finished, the entry is removed from the list.
• For connectionless protocols like UDP and ICMP, the entry times out and is then removed.
• Can allow any type of traffic outbound and only response traffic inbound.
Kernel Proxy Firewall
• Fifth generation firewall
• Creates dynamic, customized TCP/IP stacks when a packet needs to be evaluated.
• Packet is scrutinized at every layer
• Faster than an application-layer firewall since inspection takes place in the kernel and packets do not need to be passed up to user-mode applications
• Runs in the Windows NT Executive, the kernel mode of Windows NT
Firewall Table
Firewall Type             OSI Layer              Characteristics
Packet Filtering          Network (reads         ACLs. Looks at destination and source
                          Transport ports)       addresses, ports, and service requested.
Application-level Proxy   Application            Looks deep into packets; granular control
                                                 over filtering. Requires one proxy per service.
Circuit-level Proxy       Session                Looks only at header information. Protects a
                                                 wider range of protocols and services, but
                                                 offers no detailed control.
Stateful Inspection       Network & Transport    Uses a state table to keep track of connections.
Firewall Architectures
• Bastion Host
• Screened Host
• Screened Subnet
• Dual Homed Host
Bastion Host
• The hardened host on which the firewall software runs. It is a locked-down system on the front line, exposed to the Internet, so it must be extremely secure: no unnecessary services running, unused subsystems disabled, unneeded ports closed. Suitable for simple networks.
• In a screened-host design, the bastion host is the "hardened" computer that combines packet filtering with an application gateway. It is not located on the trusted internal network but on the protected side of the screening router (or in a screened subnet), receives all incoming connections, and then communicates with the internal network via a different interface.
Screened Host
• Communicates directly with a perimeter (screening) router and the internal network. Traffic from the Internet is packet-filtered by the perimeter router first, and traffic that makes it past the router is filtered by the bastion host firewall, which applies more rules and drops denied packets. High level of security.
• Thus 2 devices: perimeter router + bastion host firewall. Unlike the dual-homed host firewall, the classic screened host configuration uses a single-homed bastion host (one network interface, with no subnet between the application gateway and the router) in addition to the screening router. This design uses packet filtering and the bastion host as its security mechanisms and so incorporates both network-level security (the router performs the packet filtering) and application-level security (the bastion host runs the proxies; the gateway's proxy passes services to site systems). It is more flexible but less secure than a dual-homed gateway firewall: if the router is misconfigured, traffic can reach internal hosts without passing through the bastion host.
Screened Subnet
• Similar to the screened host, but with one more layer of security: an internal router. 3 devices: perimeter router + firewall (bastion host) + internal router. The bastion host sits on the subnet between the two routers (the screened subnet, or DMZ), so even a compromised bastion host still faces the internal router before it can reach the trusted network.
Dual Homed Host
• The dual-homed host firewall is an alternative to packet-filtering router firewalls. It is a host system with two network interfaces, and this configuration is secure because it creates a complete break in the network at the IP layer. The host's IP forwarding ability must be disabled so it cannot route packets between the two connected networks; as a result, it blocks all IP traffic between the Internet and the secure network, and only what the proxies on the host relay gets through. One advantage of a multi-homed bastion host is that it can translate between two network access protocols, such as Ethernet and Token Ring. A drawback of the dual-homed firewall (not the screened-host firewall) is that its security depends entirely on the host's routing capabilities staying disabled.
– 2 interfaces, one facing the external network and the other the internal network: a single computer with a NIC connected to each network
– Used to divide the internal trusted network from the external network
– The computer's forwarding and routing functionality must be disabled so the 2 networks are truly segregated. An administrator can easily (and accidentally) re-enable packet forwarding, which lets malicious traffic enter the internal network
Firewall Rules – Should Haves
• Default to deny
• Block inbound packets from the external interface that carry internal source addresses (spoofing)
• Block outbound packets whose source addresses are not internal (zombies: stops spoofed DDoS traffic leaving the network)
• High security firewalls should reassemble packet fragments before sending them on to their destination, so filtering rules cannot be evaded with overlapping or tiny fragments.
• Deny packets with source routing information (the IP source-route options let the sender dictate the path and bypass routing policy).
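Added example, not part of the original slides: a toy stateful packet filter in Python that applies the "should have" rules above (default deny, anti-spoofing in both directions, no source routing) together with the state-table and dynamic-ACL behaviour described on the Stateful Inspection and Dynamic Packet Filtering slides (outbound traffic creates an entry, only matching replies come back in, UDP/ICMP entries time out, a finished TCP connection is removed). The internal address range, the idle timeout, the packet fields and the traffic trace are all assumed or constructed for illustration; no real firewall API is involved.

```python
import ipaddress
from dataclasses import dataclass, field

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
IDLE_TIMEOUT = 30.0                                   # assumed timeout for UDP/ICMP pseudo-state (s)


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary; fields are assumptions for this example."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False            # TCP SYN flag
    ack: bool = False            # TCP ACK flag
    fin: bool = False            # TCP FIN flag
    source_routed: bool = False  # IP source-route option present


@dataclass
class StatefulFirewall:
    # state table / dynamic ACL: (src, sport, dst, dport, proto) -> time last seen
    table: dict = field(default_factory=dict)

    @staticmethod
    def is_internal(ip):
        return ipaddress.ip_address(ip) in INTERNAL_NET

    def expire(self, now):
        """Connectionless protocols have no FIN, so their entries simply time out."""
        for key, seen in list(self.table.items()):
            if key[4] != "tcp" and now - seen > IDLE_TIMEOUT:
                del self.table[key]

    def filter(self, pkt, direction, now):
        """direction is 'in' (arriving on the untrusted interface) or 'out'.
        Returns (verdict, reason)."""
        self.expire(now)
        if pkt.source_routed:                       # deny source-routed packets
            return "DROP", "source routing option"
        if direction == "in" and self.is_internal(pkt.src):
            return "DROP", "internal source address on external interface (spoofing)"
        if direction == "out" and not self.is_internal(pkt.src):
            return "DROP", "outbound packet with external source address (zombie)"
        if direction == "out":
            # anything outbound is allowed; record it so only its replies can come back
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            self.table[key] = now
            return "ACCEPT", "outbound, dynamic ACL entry created"
        # inbound: accept only replies to a recorded flow, never a new connection attempt
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        new_connection = pkt.syn and not pkt.ack
        if key in self.table and not new_connection:
            if pkt.fin:
                del self.table[key]                 # connection finished: entry removed
            else:
                self.table[key] = now
            return "ACCEPT", "reply to known flow"
        return "DROP", "default deny"


def run_demo():
    """Constructed traffic trace; returns the verdicts in order."""
    fw = StatefulFirewall()
    web = Packet("10.1.2.3", "93.184.216.34", "tcp", 40000, 80, syn=True)
    synack = Packet("93.184.216.34", "10.1.2.3", "tcp", 80, 40000, syn=True, ack=True)
    probe = Packet("198.51.100.7", "10.1.2.3", "tcp", 4444, 22, syn=True)
    spoof = Packet("10.9.9.9", "10.1.2.3", "tcp", 1234, 80, syn=True)
    zombie = Packet("192.0.2.5", "93.184.216.34", "udp", 1234, 53)
    srr = Packet("203.0.113.1", "10.1.2.3", "icmp", source_routed=True)
    dnsq = Packet("10.1.2.3", "8.8.8.8", "udp", 5353, 53)
    dnsr = Packet("8.8.8.8", "10.1.2.3", "udp", 53, 5353)
    fin = Packet("93.184.216.34", "10.1.2.3", "tcp", 80, 40000, ack=True, fin=True)
    late = Packet("93.184.216.34", "10.1.2.3", "tcp", 80, 40000, ack=True)
    trace = [(web, "out", 0.0), (synack, "in", 0.1), (probe, "in", 0.2),
             (spoof, "in", 0.3), (zombie, "out", 0.4), (srr, "in", 0.5),
             (dnsq, "out", 1.0), (dnsr, "in", 10.0), (dnsr, "in", 100.0),
             (fin, "in", 100.5), (late, "in", 100.6)]
    return [fw.filter(p, d, t)[0] for p, d, t in trace]


if __name__ == "__main__":
    print(run_demo())
```

The trace shows the difference from a stateless filter: the DNS reply at t=100 is dropped because the UDP pseudo-state expired, and the ACK segment arriving after the FIN is dropped because the TCP entry was removed. The FIN handling is deliberately one-sided; a production engine tracks both directions' FINs and a TIME_WAIT period.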
DMZ (Demilitarized Zone)
• A DMZ or perimeter network is a network area (subnet) that sits between an organization's internal network and an external network, usually the Internet. RFC 2647 defines a DMZ as a network segment or segments located between protected and unprotected networks. As an extra security measure, networks may be designed so that protected and unprotected segments are never directly connected; instead, firewalls (and possibly public resources such as HTTP or FTP servers) reside on the DMZ network. DMZ networks are sometimes called perimeter networks.
• The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections originating in the DMZ are only permitted to the external network: hosts in the DMZ may not initiate connections to the internal network. This allows DMZ hosts to provide services to both the internal and external network while protecting the internal network in case an intruder compromises a DMZ host.
• The DMZ is typically used for servers that need to be reachable from the outside world, such as e-mail, web and DNS servers. Connections from the external network to DMZ hosts are controlled by firewall rules combined with static NAT or port forwarding (a form of Port Address Translation), which maps a public address and port to a DMZ host and port.
• A DMZ is located right behind the first Internet firewall. The web server, external DNS server and mail relay are generally what sit on a DMZ, but you can beef it up and put honeypots and other decoys on it as well.
• Caveat: the "DMZ may not connect inward" rule is only as strong as the firewall policy. Any exception (for example a DMZ web server that must reach an internal database) should be a specific host and port rule, never a network-wide allow.
NAT & PAT
• Network Address Translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device.
– The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type of NAT as basic NAT; it is often also called one-to-one NAT. In this type of NAT only the IP addresses, the IP header checksum and any higher-level checksums that include the IP address need to be changed; the rest of the packet can be left untouched.
– However, it is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space. A one-to-many NAT must alter higher-level information such as TCP/UDP ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back. RFC 2663 uses the term NAPT (network address and port translation) for this type of NAT. Other names include PAT (port address translation), IP masquerading, NAT overload and many-to-one NAT. Since this is the most common type of NAT, it is often referred to simply as NAT.
• Hides true internal IP address information from the outside world, and unsolicited inbound packets have no table entry to be translated to, so they are dropped. NAT is not a substitute for a firewall, however: every port-forwarding entry exposes an internal host directly.
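Added example, not part of the original slides: a minimal NAPT (PAT) translator in Python showing why one-to-many NAT has to rewrite the transport port and keep a translation table. Two private hosts that happen to use the same local source port towards the same server get different public ports, a reply is mapped back through the table, and an unsolicited inbound packet has no entry and is dropped. The public address, the private hosts and the port pool are assumed values.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"      # assumed public address of the NAT device


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple; fields are assumptions for this example."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Napt:
    """One-to-many NAT (NAPT/PAT): rewrites the source port as well as the address."""

    def __init__(self, first_port=40000):
        self.next_port = first_port     # assumed start of the public port pool
        self.outbound = {}              # private 5-tuple -> allocated public port
        self.inbound = {}               # (public port, remote ip, remote port, proto) -> (private ip, port)

    def translate_out(self, f):
        """Rewrite an outgoing packet; allocate a table entry on first sight of the flow."""
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        if key not in self.outbound:
            # two private hosts using the same local port must get different public ports,
            # which is why NAPT has to touch the transport header (and its checksum) at all
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, f.dst, f.dport, f.proto)] = (f.src, f.sport)
        return replace(f, src=PUBLIC_IP, sport=self.outbound[key])

    def translate_in(self, f):
        """Rewrite a returning packet back to the private host, or return None if no
        mapping exists: unsolicited inbound traffic has nowhere to go."""
        entry = self.inbound.get((f.dport, f.src, f.sport, f.proto))
        if f.dst != PUBLIC_IP or entry is None:
            return None
        priv_ip, priv_port = entry
        return replace(f, dst=priv_ip, dport=priv_port)


def run_demo():
    """Two private hosts use the same source port towards the same web server."""
    nat = Napt()
    a = nat.translate_out(Flow("10.0.0.5", 1024, "93.184.216.34", 80))
    b = nat.translate_out(Flow("10.0.0.6", 1024, "93.184.216.34", 80))
    reply_b = nat.translate_in(Flow("93.184.216.34", 80, PUBLIC_IP, b.sport))
    stray = nat.translate_in(Flow("198.51.100.7", 4444, PUBLIC_IP, 22))
    return a, b, reply_b, stray


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Real implementations also age out table entries and recompute the IP and TCP/UDP checksums after rewriting; both are omitted here to keep the table logic visible.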
Networking Devices – other devices
• Bridges
• Repeaters
• Load-balancing switches
• IDS (with Snort engine)
• Honeypots
Networking Devices Summary Table
Device     Layer                         Functionality
Repeater   Physical                      Amplifies/regenerates the signal and extends the network.
Bridge     Data Link                     Forwards frames; filters based on MAC address. Forwards
                                         broadcast traffic but not collisions (separates collision domains).
Router     Network                       Filters based on IP address. Separates or connects LANs,
                                         creating internetworks.
Brouter    Network & Data Link           Bridges multiple protocols and routes some of them.
Switch     Data Link & higher            Private virtual link between devices. Allows for VLANs.
                                         Impedes sniffing and reduces contention.
Firewall   Network, Transport,           Creates a secure barrier between unprotected and protected
           Session, Application          areas of a network.
Gateway    Application                   Connects different types of network. Protocol and format translation.
Wide Area Networks (WAN/MAN)
• MAN: a backbone that connects LANs to WANs, the Internet, and telecommunication service providers. Typically SONET or FDDI rings, using T1, fractional T1 or T3 links.
• WAN: a wide area network is a telecommunication network that covers a broad area (i.e., any network that links across metropolitan, regional, or national boundaries). Business and government entities use WANs to relay data among employees, clients, buyers and suppliers in different geographical locations, so that a business can carry out its daily functions regardless of location.
– This is in contrast with personal area networks (PANs), local area networks (LANs), campus area networks (CANs), or metropolitan area networks (MANs), which are usually limited to a room, building, campus or specific metropolitan area (e.g., a city) respectively. (Ref: Wikipedia)
Packet/Circuit Switching
Circuit Switching                    Packet Switching
• Constant traffic                   • Bursty traffic
• Fixed delays                       • Variable delays
• Connection-oriented                • Connectionless
• Sensitive to loss of connection    • Sensitive to loss of data
• Voice oriented                     • Data oriented
WAN Topologies
• Copper analog lines → T1 lines (1.544 Mbps, up to 24 voice channels)
• T3 lines (44.736 Mbps, up to 28 T1 lines)
– Digital Signal level 1 (DS-1) is the framing specification used for transmitting digital signals at 1.544 Mbps on a T1 facility. DS-0 is the framing specification for a single 64 Kbps channel over a T1 facility. DS-3 is the framing specification for transmitting digital signals at 44.736 Mbps on a T3 facility. DS-2 (6.312 Mbps) exists but is rarely deployed.
• Fiber optics and SONET
• ATM over SONET
– SONET (Synchronous Optical Network) carries DS-1/DS-3 (T1/T3) payloads over fiber. The base rate, OC-1/STS-1, is 51.84 Mbps of signalling, which carries one DS-3 (44.736 Mbps) payload; higher rates are multiples of OC-1 (OC-3 = 155.52 Mbps, and so on).
– SONET is used in North America; the rest of the world uses SDH, whose tributaries are E1 lines (2.048 Mbps) and E3 lines (34.368 Mbps).
WAN Technologies
• Frame Relay
– FR uses PVCs or SVCs to transmit data over the network. A packet-switching, connection-oriented technology. DTE (Data Terminal Equipment) and DCE (Data Circuit-Terminating Equipment) are required: the DTE is the customer-owned router or switch, and the DCE is the telecom-company-owned switch that does the actual data transmission and switching in the FR cloud.
• Leased line networks
– Leased line or "point-to-point" link.
– Expensive, but dedicated to one customer. Note that a leased line is private, not encrypted; sensitive data should still be protected end to end.
• ATM
– ATM (Asynchronous Transfer Mode) is a cell-switching, connection-oriented technology. Data is segmented into fixed-size cells of 53 bytes (48 bytes of payload plus a 5-byte header). Sets up virtual circuits like FR that can guarantee QoS and bandwidth, unlike IP.
WAN Technologies
• S/WAN
– Secure WAN: an initiative of RSA Security, which worked with firewall and protocol vendors to build interoperable, secure firewall-to-firewall connections through the Internet.
– S/WAN is based on VPNs created with IPsec.
• VPN
– A virtual private network (VPN) provides a secure communications mechanism for data and other information transmitted between two endpoints.
– IPsec: secures IP communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols (IKE) for establishing mutual authentication between the agents at the beginning of the session and for negotiating the cryptographic keys used during the session.
– SSL: an SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard web browser. In contrast to a traditional IPsec VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer.
WAN Technologies
• X.25
– X.25 is an older packet-switching WAN technology that defines how networks and devices establish and maintain connections.
– Data is divided into packets (128-byte payload by default) and encapsulated in HDLC-derived (LAPB) frames.
– X.25 is slower than frame relay or ATM due to the heavy error checking and correction performed at every hop, which is unnecessary on more reliable modern links.
• SMDS – Switched Multimegabit Data Service
– High-speed packet-switched technology used to let customers extend their LANs across MANs and WANs. The protocol is connectionless and can provide bandwidth on demand.
WAN Technologies
• SDLC – Synchronous Data Link Control
– Based on networks that use leased lines with permanent physical connections. SDLC is used mainly for communication with IBM hosts within the SNA architecture.
• HDLC – High-level Data Link Control
– Bit-oriented link-layer protocol used for transmission over synchronous lines; HDLC is an extension of SDLC. HDLC provides high throughput because it supports full duplex.
• HSSI – High Speed Serial Interface
– Interface used to connect multiplexers and routers to high-speed services like ATM and Frame Relay.
– Defines the electrical and physical interface between DTE and DCE devices, so it works at the physical layer. Developed by Cisco and T3plus Networking.
Remote Access Technologies
• Dial-up and RAS
– Remote access is usually gained by connecting to a network access server (NAS). The NAS acts as a gateway and as the end point of a PPP connection.
• ISDN
– Integrated Services Digital Network. ISDN breaks the telephone line into different channels and transmits data in digital form instead of the old analog method. ISDN is a circuit-switching, point-to-point protocol. There are 3 types of ISDN implementation:
– BRI (Basic Rate Interface): operates over existing copper lines in the local loop and provides digital voice and data channels. Uses two 64 Kbps B channels and one 16 Kbps D channel.
– PRI (Primary Rate Interface): 23 B channels and one D channel, each operating at 64 Kbps; equivalent to a T1 (the European variant carries 30 B channels over an E1).
– BISDN (Broadband ISDN): mainly used with backbones over ATM/SONET. B channels carry data; the D channel provides call setup, error control, caller ID and more.
Remote Access Technologies
• DSL – Digital Subscriber Line
– Uses existing phone lines
– The subscriber has to be within roughly a 2.5 mile radius of the provider's equipment (the DSLAM); speed falls with distance.
• Cable Modems
– High-speed Internet access through coaxial and fibre lines.
– Bandwidth is shared between users in a local area.
– Security concern: network sniffers on the shared medium. Modern DOCSIS systems encrypt between modem and head end, but end-to-end encryption is still advisable.
Virtual Private Networks (VPN)
• A virtual private network is a secure private connection through a public network or otherwise unsecured environment. VPNs use tunneling protocols to create a virtual path across a network. The three main tunneling protocols used in VPN connections are PPTP, L2TP and IPsec.
• PPTP
– Point-to-Point Tunneling Protocol. Encapsulation protocol based on PPP. PPTP works at the data link layer and encapsulates PPP frames; the payload is encrypted with MPPE, negotiated over PPP.
– There are weaknesses with PPTP: the negotiation (control channel) information is exchanged in clear text and can easily be snooped, and its MS-CHAP-based authentication is breakable, so PPTP is no longer considered secure. PPTP is a Microsoft-developed protocol.
– Designed for client/server connectivity
– Sets up a single point-to-point connection between two computers
– Works at the data link layer
– Transmits only over IP networks
Virtual Private Networks (VPN)
• L2F
– Layer 2 Forwarding
– Created by Cisco before L2TP
– Merged with PPTP to create L2TP
– Provides mutual authentication, but no encryption.
• L2TP
– Layer 2 Tunneling Protocol. L2TP combines L2F with PPTP.
– PPTP can only run on top of IP. L2TP can also run over other networks such as X.25, Frame Relay and ATM, and carries non-IP payloads such as IPX and SNA inside PPP.
– PPTP includes encryption (MPPE); L2TP does not encrypt at all, so L2TP is normally used in conjunction with IPsec (L2TP/IPsec) for confidentiality.
– L2TP supports TACACS+ and RADIUS; PPTP does not.
Virtual Private Networks (VPN)
• IPsec
– Handles multiple connections at the same time
– Provides secure authentication and encryption
– Supports only IP networks
– Focuses on gateway-to-gateway (LAN-to-LAN) communication, though remote-access clients are also supported
– Works at the network layer: security on top of IP
– Can work in tunnel mode, where the entire original packet (header and payload) is encrypted and a new outer IP header is added, or transport mode, where only the payload is encrypted and the original header is kept.
• PPP
– PPP encapsulates network-layer datagrams (such as IP) and transmits them over a serial point-to-point line. PPP supports different authentication methods such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP).
Virtual Private Networks (VPN)
• PAP, CHAP, EAP
– PAP (Password Authentication Protocol): the least secure of the three options, as credentials are sent in clear text. Also vulnerable to replay attacks.
– CHAP (Challenge Handshake Authentication Protocol): uses a challenge/response mechanism instead of sending a username and password. The client sends the host a logon request and the host returns a random "challenge" value. The client hashes the challenge together with the user's password (MD5 over identifier, secret and challenge) and returns the result to the host. The server performs the same computation and determines whether or not there is a match. Because each challenge is random and the host re-challenges periodically throughout the connection, CHAP resists replay of a captured response. It does not protect against an offline dictionary attack on a captured challenge/response pair if the secret is weak, and the server must store the cleartext secret.
– EAP (Extensible Authentication Protocol): EAP is not a specific mechanism like PAP or CHAP but a framework that allows many different types of authentication mechanism. EAP extends the authentication possibilities to other methods such as one-time passwords, token cards, biometrics and future mechanisms.
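Added example, not part of the original slides: the PAP and CHAP exchanges in Python, with the CHAP response computed as RFC 1994 specifies (MD5 over identifier || secret || challenge). It shows the replay resistance described above (a captured response fails against the next challenge) and the caveat that a captured pair still permits an offline dictionary attack. The user database, secret and wordlist are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed user database; CHAP requires the server to hold the cleartext secret.
USERS = {"alice": b"correct horse battery staple"}


def pap_request(user, password):
    """PAP: the credentials travel in the clear, so a sniffer on the link reads them."""
    return b"PAP " + user.encode() + b" " + password.encode()


def chap_challenge(length=16):
    """Server side: a fresh random challenge for every authentication and re-authentication."""
    return os.urandom(length)


def chap_response(identifier, secret, challenge):
    """Client side (RFC 1994): MD5(identifier || secret || challenge).
    The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(user, identifier, challenge, response):
    """Server side: recompute the expected response and compare in constant time."""
    secret = USERS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def replay_succeeds():
    """Constructed scenario: the attacker captures one exchange and replays the response
    against the server's next (different) challenge. Returns whether the replay is accepted."""
    c1 = chap_challenge()
    r1 = chap_response(1, USERS["alice"],c1)
    if not chap_verify("alice", 1, c1, r1):
        raise AssertionError("legitimate exchange must verify")
    c2 = chap_challenge()
    return chap_verify("alice", 2, c2, r1)


def offline_guess(identifier, challenge, response, wordlist):
    """Caveat from the slide: a captured challenge/response pair still allows an offline
    dictionary attack. Returns the secret if it is in the wordlist, else None."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    c = chap_challenge()
    r = chap_response(1, USERS["alice"], c)
    print("CHAP verify:", chap_verify("alice", 1, c, r))
    print("Replay accepted:", replay_succeeds())
    print("Offline guess:", offline_guess(1, c, r, [b"password", USERS["alice"]]))
```

The identifier is part of the hash so that a response cannot be spliced into a different exchange; the wordlist step is why CHAP secrets must be long and random, and why EAP methods that protect the exchange inside TLS (e.g. EAP-TLS, PEAP) replaced it for wireless and VPN use.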
Networking Services
• Networking services are not used only in LAN environments; they are also used in MAN and WAN environments.
• Network Operating System (NOS): special software designed to control access to network resources and provide the services needed for a computer to interact with the surrounding network.
• A NOS may provide directory services, authentication, authorization and auditing, and software distribution.
Networking Services - DNS
• Domain Name System: used to resolve names into IP addresses.
• Without DNS, the Internet would be very hard to use.
• Networks on the Internet are connected in a hierarchical structure, as are the different DNS servers.
Networking Services - DNS
• Use at least two DNS servers: one primary and one secondary.
• DNS (cache) poisoning is a common attack executed against DNS servers: forged answers are injected so that clients are directed to hosts the attacker controls.
• Organizations should implement split DNS, which means a DNS server in the DMZ handles external resolution requests, while an internal DNS server handles only internal requests. This helps ensure that the internal DNS has layers of protection and is not exposed by being "Internet facing." The external server should not perform recursion for arbitrary Internet clients, since open recursive resolvers are both poisoning targets and amplification sources.
Networking Services - LDAP
• A client/server protocol used to access network directories such as Microsoft Active Directory or Novell NDS.
• These directories follow the X.500 standard.
• The LDAP specification works with directories that organize their database in a hierarchical tree structure.
• The newest LDAP version, version 3, has an extensive security model embedded that supports Internet security standards such as Transport Layer Security (TLS, via StartTLS or LDAPS) and SASL-based authentication. A plain LDAP simple bind sends the password in clear text, so it should only be used over TLS.
Wireless Technologies
• Wireless communications are everywhere, and have been for some time, e.g. microwave links and cell phones.
• Broadband wireless signals occupy frequency bands that may be shared with microwave, satellite, radar and ham radio use, for example.
• In wireless technologies, every device must share the allotted radio frequency spectrum.
Wireless Technologies – spread spectrum
• In wireless technologies, certain technologies and industries are
allocated specific spectrums, or frequency ranges, to be used for
transmissions.
• Each country regulates the spectrum allotments and enforces its own
restrictions.
• When a spread spectrum technology is used, the sender spreads its data
across the frequencies over which it has permission to communicate.
• The two main types of spread spectrum are frequency hopping spread
spectrum (FHSS) and direct sequence spread spectrum (DSSS).
Wireless LANs
• A wireless LAN (or WLAN, for wireless local area network, sometimes referred to as LAWN, for local area wireless network) is one in which a mobile user can connect to a local area network (LAN) through a wireless (radio) connection. The IEEE 802.11 group of standards specifies the technologies for wireless LANs. 802.11 is a sibling of the Ethernet (802.3) standard but uses CSMA/CA (carrier sense multiple access with collision avoidance) rather than collision detection for path sharing, and the original standard included an encryption method, the Wired Equivalent Privacy (WEP) algorithm.
• WEP has since been replaced by WPA (Wi-Fi Protected Access) and WPA2.
Wireless Standards
• The first WLAN standard, 802.11, was developed in 1997 and provided a 1 to 2 Mbps transfer rate in the 2.4 GHz frequency range. IEEE 802.16 deals with wireless MANs; IEEE 802.11 deals with wireless LANs.
– A higher frequency can carry more data, but over a shorter distance
– WLANs work in the 2.4 and 5 GHz unlicensed bands; the main IEEE amendments are 802.11a (5 GHz, 54 Mbps), 802.11b (2.4 GHz, 11 Mbps) and 802.11g (2.4 GHz, 54 Mbps)
• 802.11b: the first extension to the 802.11 WLAN standard and the most common standard in use in the early 2000s
Wireless Standards
• 802.11g: provides higher data transfer rates, up to 54 Mbps. Basically a speed extension for 802.11b products, and for a long time the most commonly used.
• 802.11i: the IEEE security standard that replaces WEP. It uses 802.1X with EAP for authentication, TKIP as an interim cipher for legacy hardware and AES-CCMP as the required cipher, together with many other stronger security features.
• 802.11n: designed to be much faster (MIMO, data rates from 150 up to 600 Mbps) in both the 2.4 and 5 GHz bands, and backward compatible with 802.11a/b/g.
Spread Spectrum Technology
• Spread spectrum technology broadcasts signals over a range of frequencies. The receiving device must know the correct frequency pattern of the spread spectrum signal being broadcast. Two spread spectrum technologies are in common use:
• Direct-Sequence Spread Spectrum (DSSS): a redundant bit pattern (chipping code) is transmitted for each bit, spread over a wide frequency band. Because each channel is spread over a wide band, the number of non-overlapping channels in the 2.4 GHz band is small (three for 802.11b/g).
• Frequency-Hopping Spread Spectrum (FHSS): uses a narrowband carrier that continually changes frequency in a known pattern. Source and destination devices must be synchronized to be on the same frequency at the same time.
• Both of the above appear as line noise to a non-spread-spectrum device.
• Ad-hoc mode: access is peer to peer.
• Infrastructure mode: access is via an access point (wireless hub).
WLAN Architecture – Components
• Access points (APs), often built into home routers, are the base stations for the wireless network. They transmit and receive radio frequencies for wireless-enabled devices to communicate with, and bridge the wireless cell to the wired LAN.
• Wireless clients can be mobile devices such as laptops, personal digital assistants, IP phones and other smartphones, or fixed devices such as desktops and workstations that are equipped with a wireless network interface.
• The basic service set (BSS) is the set of all stations that can communicate with each other. Every BSS has an identifier called the BSSID, which is the MAC address of the access point serving the BSS.
– There are two types of BSS: independent BSS (IBSS) and infrastructure BSS. An independent BSS is an ad-hoc network that contains no access points, which means it cannot connect to any other basic service set.
– An extended service set (ESS) is a set of connected BSSs. Access points in an ESS are connected by a distribution system. Each ESS has an ID called the SSID, a character string of at most 32 bytes.
• A distribution system (DS) connects the access points in an extended service set. The DS concept is used to increase network coverage through roaming between cells.
– The DS can be wired or wireless. Current wireless distribution systems are mostly based on WDS or mesh protocols, though other systems are in use.
WLAN Types – P2P Network
• An ad-hoc or peer-to-peer (P2P) network is a network where stations communicate
only peer to peer (P2P). There is no base and no one gives permission to talk. This is
accomplished using the Independent Basic Service Set (IBSS). A peer-to-peer (P2P)
network allows wireless devices to directly communicate with each other. Wireless
devices within range of each other can discover and communicate directly without
involving central access points. This method is typically used by two computers so
that they can connect to each other to form a network.
WLAN Types – Infrastructure Mode
• In infrastructure mode, mobile units communicate through an access point that serves as a bridge to a wired network infrastructure.
• Infrastructure mode can be secured with shared-key encryption mechanisms, Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA, WPA2), to protect the wireless network; of these, only WPA2 should be relied on today.
Wireless Application Protocol (WAP)
• Wireless Application Protocol is a set of technologies related to HTML but tailored to small screens (HDML, Handheld Device Markup Language). WAP has 5 layers: application, session, transaction, security and transport.
• Application Layer: microbrowser, WML (Wireless Markup Language), WMLScript and Wireless Telephony Applications (WTA)
• Session Layer: contains the Wireless Session Protocol (WSP), which is similar to HTTP. WSP facilitates the transfer of content between WAP clients and the gateway. WSP provides a connection-oriented mode and a connectionless mode.
• Transaction Layer: provides the Wireless Transaction Protocol (WTP), similar in function to TCP. It offers reliable request/response transactions, supports unguaranteed and guaranteed push, and handles acknowledgements.
Wireless Application Protocol (WAP)
• Security Layer: contains WTLS (Wireless Transport Layer Security). WTLS is based on TLS (similar to SSL) and can be invoked in a manner similar to HTTPS. WTLS provides data integrity, privacy, authentication and DoS protection. Caveat: in the classic WAP 1.x design the WAP gateway terminates WTLS and re-encrypts with TLS towards the web server, so content is briefly in clear text on the gateway (the "WAP gap").
• Transport Layer: supports the Wireless Datagram Protocol (WDP), which provides an interface to the underlying bearers. The transport layer supports CDPD, GSM, CDMA, TDMA, SMS and FLEX.
WEP (Wired Equivalent Privacy)
• WEP is an option in 802.11b/g WLANs. It uses a 40-bit (later also 104-bit) shared key, the RC4 stream cipher as a pseudorandom keystream generator, and a 24-bit initialization vector (IV).
– A CRC-32 integrity check value (ICV) of the message is computed and appended to the message.
– The IV and the shared secret key are concatenated and fed to RC4 to produce a keystream.
– The keystream is XORed with the message and ICV to produce the ciphertext.
– The IV is prepended in clear to the ciphertext and the frame is sent to the recipient.
– The recipient, who has the same secret key, regenerates the same keystream from the IV.
– The keystream is XORed with the ciphertext to yield the original message, and the ICV is checked.
• WEP is not considered secure: the 40-bit key is short, the keys are static and shared by all stations, the 24-bit IV space is exhausted quickly on a busy network so keystreams repeat, RC4 weak keys leak key bytes (the FMS attack), and the CRC-32 ICV is linear, so bits can be flipped without detection. Published tools recover a WEP key in minutes.
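Added example, not part of the original slides: WEP-40 encapsulation in Python (RC4 keyed with IV || shared key, CRC-32 ICV), followed by two of the published weaknesses named above: keystream reuse when the 24-bit IV repeats, and an undetected bit flip that exploits the linearity of CRC-32 to fix up the ICV without knowing the key. The key, IV and frame contents are constructed; the little-endian ICV encoding is a choice made here for illustration.

```python
import zlib


def rc4_keystream(key, length):
    """Plain RC4: key-scheduling algorithm, then the pseudo-random generation algorithm."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext (encoded little-endian here)."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key, iv, plaintext):
    """Per-packet RC4 key = IV (3 bytes) || shared key (5 bytes for WEP-40)."""
    assert len(iv) == 3 and len(key) == 5
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Return the plaintext, or None if the ICV check fails."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4_keystream(iv + key, len(body)))
    msg, tag = clear[:-4], clear[-4:]
    return msg if icv(msg) == tag else None


def keystream_reuse(frame_a, frame_b):
    """Weakness 1: same IV and static key give the same keystream, so
    C_a XOR C_b == P_a XOR P_b with no key knowledge at all."""
    assert frame_a[:3] == frame_b[:3], "attack needs two frames with the same IV"
    return xor(frame_a[3:], frame_b[3:])


def flip_bits(frame, delta):
    """Weakness 2: XOR 'delta' into the message and repair the ICV without the key,
    using the CRC-32 identity crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of same length)."""
    iv, body = frame[:3], frame[3:]
    fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return iv + xor(body, delta + fix)


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"      # constructed values
    frame = wep_encrypt(key, iv, b"PAY 0100 TO ALICE")
    delta = xor(b"PAY 0100 TO ALICE", b"PAY 0100 TO CAROL")
    print(wep_decrypt(key, flip_bits(frame, delta)))          # ICV still verifies
```

Both functions operate on the ciphertext alone: the attacker needs no key material, only captured frames (and, for the bit flip, knowledge or a good guess of the plaintext at the positions being changed). This is why 802.11i replaced the CRC with a keyed message integrity code and introduced per-packet keys.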
WiFi Protected Access (WPA)
• Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in WEP.
• WPA (an interim subset of the draft 802.11i standard, designed to run on WEP-era hardware) uses TKIP (Temporal Key Integrity Protocol), which employs a per-packet key: it dynamically derives a new 128-bit RC4 key for each packet and adds a sequence counter and the Michael message integrity check, and thus prevents the types of attack that compromised WEP.
• WPA2 has replaced WPA. WPA2 implements the mandatory elements of IEEE 802.11i; in particular it introduced CCMP, a new AES-based encryption mode with stronger security than TKIP. Both WPA and WPA2 come in a Personal (pre-shared key) and an Enterprise (802.1X/EAP) mode; with a pre-shared key, a weak passphrase can still be brute-forced offline from a captured handshake.
Wireless technologies – best practices
• Enable WEP. Even though it can be broken into, it might deter casual attackers. Better still, use WPA or WPA II.

• Change default SSID. Each AP comes with a preconfigured default SSID value.

• Disable “broadcast SSID” on the AP. Most APs allow for this to be turned off.

• Physically put AP at the center of the building. The AP has a specific zone of coverage.

• Logically put the AP in a DMZ with a firewall between the DMZ and internal network. Allow the firewall to
investigate the traffic before it gets to the wired network.

• Implement VPN for wireless devices. This adds another layer of protection for data being transmitted.

• Configure the AP to allow only known MAC addresses into the network, so that only known devices can authenticate.
But remember that MAC addresses are sent in cleartext, so an attacker could capture one and masquerade
as an authenticated device.

• Assign static IP addresses to wireless devices and disable DHCP. If an attacker gains access and DHCP is enabled,
you have just given the attacker a valid working IP address.

Network Attacks & Vulnerabilities
• Ping of Death exploits a fragmentation vulnerability: the attacker sends an illegal, oversized ICMP ECHO
request (more than 65K of data) that overflows the receiving buffer when it is reassembled.

• TCP vulnerabilities: Sequence Number attack, SYN attack, land.c attack.

– Sequence Number attack exploits the nonrandom, predictable pattern of TCP sequence numbers
to spoof a session.
– SYN attack is a DoS attack in which the attacker rapidly generates random SYN packets to flood the
target’s connection queue before the half-open connections time out.
– land.c attack is a DoS attack in which the attacker sends numerous SYN packets with the same source and
destination IP addresses and the identical source and destination ports to its victim. The
purpose of this attack is to make the victim send the reply packet to itself. Because the
attacker repeatedly sends these packets, the victim can run out of resources by replying to
itself. Technically, the attacker uses the server's own resources against itself.

• C2MYAZZ is a utility that enables server spoofing to implement session hijacking or MITM attacks.

• BO2K (Back Orifice 2000) is an application-level Trojan horse used to give an attacker backdoor network access.
Network Attacks & Vulnerabilities
• The Birthday attack is based upon the birthday paradox: if you have 23 people in a room, the
probability that 2 people have the same birthday is above 50%. The Birthday attack relies on the
idea of producing duplicates, or collisions, at a rate that exceeds expectations. "Birthday attacks are
a class of brute-force techniques used in an attempt to solve a class of cryptographic hash
function problems. These methods take advantage of functions which, when supplied with a
random input, return one of equally likely values. By repeatedly evaluating the function for
different inputs, the same output is expected to be obtained after about 2^(m/2) evaluations."

• Man In The Middle attack (MITM) is an attack in which an attacker is able to read, insert and modify
messages between two parties without either party knowing that the communication channel
between them has been compromised. In a MITM attack, an attacker sniffs packets from a
network, modifies them and then inserts them back into the network. Once the attacker intercepts
network transmissions between two hosts, the attacker then masquerades as one of the hosts.

• Meet-In-The-Middle attack is an attack in which an attacker encrypts the plaintext from one end
and decrypts the ciphertext from the other end, thus meeting in the middle. This type of attack is
applied to double encryption schemes. Specifically, if you encrypt data twice with two different
keys, you usually find yourself susceptible to a meet-in-the-middle attack. That is why Triple-DES
is used instead of double encryption, despite the threefold performance penalty.
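The birthday figures quoted on this slide, carried through as an added example (not code from the slides): the exact collision probability for n draws from N equally likely values, the usual closed-form approximation, and the smallest n that reaches even odds, which for an m-bit hash lands close to the 2^(m/2) bound. The function names are this example's own; keep m small (32 bits or so), because the exact search iterates once per draw.

```python
import math


def collision_probability(samples: int, space: int) -> float:
    """Exact probability that at least two of `samples` draws from `space` equally likely values collide:
    1 - (N/N)(N-1/N)...(N-n+1/N)."""
    p_all_distinct = 1.0
    for i in range(samples):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def approx_collision_probability(samples: int, space: int) -> float:
    """Closed form 1 - exp(-n(n-1)/2N), accurate when n is much smaller than N."""
    return 1.0 - math.exp(-samples * (samples - 1) / (2.0 * space))


def draws_for_even_odds(space: int) -> int:
    """Smallest number of draws with collision probability >= 0.5, computed incrementally."""
    p_all_distinct, n = 1.0, 0
    while 1.0 - p_all_distinct < 0.5:
        p_all_distinct *= (space - n) / space
        n += 1
    return n


def birthday_bound(output_bits: int) -> int:
    """The 2^(m/2) figure from the slide for an m-bit hash output."""
    return 1 << (output_bits // 2)


def hash_collision_summary(output_bits: int) -> dict:
    """Compare the slide's rule of thumb with the exact even-odds count for an m-bit output."""
    space = 1 << output_bits
    n = draws_for_even_odds(space)
    return {
        "space": space,
        "bound_2_to_m_over_2": birthday_bound(output_bits),
        "draws_for_50pct": n,
        "ratio_to_bound": n / birthday_bound(output_bits),
    }


if __name__ == "__main__":
    print("23 people, 365 days:", round(collision_probability(23, 365), 4))
    print("32-bit hash:", hash_collision_summary(32))
```

The ratio comes out near 1.18 (the exact constant is sqrt(2 ln 2)), which is why the slide says "about" 2^(m/2): halving the output length in bits is the right way to think about a hash's collision resistance when choosing digest sizes.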
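The meet-in-the-middle argument above, shown on a constructed 16-bit toy block cipher as an added example (not code from the slides, and the toy cipher is a stand-in for DES, not a real algorithm): encrypting twice with two 16-bit keys nominally gives a 32-bit key, but a table of E(k1, p) over all k1 meets D(k2, c) over all k2 after roughly 2 x 2^16 operations instead of 2^32. The helper names and the key values are this example's own; the extra plaintext/ciphertext pairs weed out the false matches that a single pair leaves behind.

```python
MASK16 = 0xFFFF
KEY_BITS = 16   # toy key size; with DES the same argument turns 2^112 into roughly 2^57


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK16


def _rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK16


def toy_encrypt(key: int, block: int) -> int:
    """Constructed 16-bit toy cipher: two rounds of xor, rotate, add. Invertible, not secure."""
    x = block
    for r in (3, 11):
        x = _rotl(x ^ key, r)
        x = (x + key) & MASK16
    return x


def toy_decrypt(key: int, block: int) -> int:
    x = block
    for r in (11, 3):
        x = (x - key) & MASK16
        x = _rotr(x, r) ^ key
    return x


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """Double encryption as discussed on the slide: encrypt under k1, then under k2."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def known_pairs(k1: int, k2: int) -> list:
    """Three constructed plaintext/ciphertext pairs, the material a known-plaintext attacker is assumed to hold."""
    return [(p, double_encrypt(k1, k2, p)) for p in (0x0001, 0x5A5A, 0xC3C3)]


def meet_in_the_middle(pairs: list) -> list:
    """Return every (k1, k2) consistent with all pairs, using ~2 * 2^KEY_BITS cipher operations
    and a 2^KEY_BITS-entry table, rather than 2^(2 * KEY_BITS) for exhaustive search."""
    p0, c0 = pairs[0]
    forward = {}                                   # E(k1, p0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    survivors = []
    for k2 in range(1 << KEY_BITS):
        middle = toy_decrypt(k2, c0)               # walk backwards from c0 and look for a meeting point
        for k1 in forward.get(middle, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                survivors.append((k1, k2))
    return survivors


def work_factor() -> dict:
    return {"brute_force": 1 << (2 * KEY_BITS), "meet_in_the_middle": 2 * (1 << KEY_BITS)}


if __name__ == "__main__":
    print(work_factor())
    print(meet_in_the_middle(known_pairs(0x1234, 0xBEEF)))
```

Triple encryption with two or three keys (as in Triple-DES) keeps one unknown stage on each side of the meeting point, so the same table trick no longer collapses the key space.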
Network Attacks & Vulnerabilities
• Differential cryptanalysis is a chosen-plaintext attack in which the attacker is able to select inputs
and examine outputs in an attempt to derive the encryption key. It exploits the high probability
that certain plaintext differences propagate as predictable differences into the last round of the
cipher.

• The Land attack involves the perpetrator sending spoofed packet(s) with the SYN flag set to the
victim's machine on any open port that is listening. If the packet(s) contain the same destination
and source IP address as the host, the victim's machine could hang or reboot. In addition, most
systems experience a total freeze, where CTRL-ALT-DELETE fails to work, the mouse and
keyboard become non-operational, and the only method of correction is to reboot via a reset
button on the system or by turning the machine off. Land.c is the DoS attack in which the attacker
supplies the same source and destination address and uses the same source and destination port.

Network Attacks & Vulnerabilities
• The Boink attack, a modified version of the original Teardrop and Bonk exploit programs, is very
similar to the Bonk attack, in that it involves the perpetrator sending corrupt UDP packets to the
host. It however allows the attacker to attack multiple ports where Bonk was mainly directed to
port 53 (DNS).

• The Teardrop attack involves the perpetrator sending overlapping packet fragments to the victim; when
the victim's machine attempts to reassemble the packets, it hangs.

• A Smurf attack is a network-level attack against hosts where a perpetrator sends a large amount of
ICMP echo (ping) traffic at broadcast addresses, all of it having a spoofed source address of a
victim. If the routing device delivering traffic to those broadcast addresses performs the IP
broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo
request and reply to it with an echo reply each, multiplying the traffic by the number of hosts
responding. On a multi-access broadcast network, there could potentially be hundreds of
machines to reply to each packet.

• A Playback or Replay Attack is a type of attack in which valid data transmission is fraudulently
repeated or delayed. Attacker intercepts data and retransmits it with the IP packets substituted.
Similar to Stream Cipher Attack.
Source: S.A.B.R.O. Net Security, Denial of Service Attacks, available at http://home.indy.net/~sabronet/dos/dos.html.
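A defender's view of the attacks listed on the Network Attacks & Vulnerabilities slides above, as an added example (not code from the slides or from the cited source): the header and reassembly checks an IDS or border firewall applies to recognise Land, Smurf, Ping of Death, Teardrop/Bonk-style overlap and SYN-flood traffic. The Packet class, the LAN prefix, the threshold and the sample traffic (documentation addresses only) are all constructed for the example, and the SYN-flood counter is a simplification that counts bare SYNs per source and port within the sample instead of tracking real connection state.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed for the example: the protected LAN is TEST-NET-1, so its directed-broadcast address is 192.0.2.255.
LAN = ip_network("192.0.2.0/24")
MAX_DATAGRAM = 65535        # largest IPv4 datagram the 16-bit total-length field can describe
SYN_FLOOD_THRESHOLD = 100   # bare SYNs from one source to one port within the sample (constructed threshold)


@dataclass
class Packet:
    """Only the header fields the checks need; a real sensor decodes these from the wire."""
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""        # TCP flags as letters: "S" = SYN, "A" = ACK, "SA" = SYN-ACK
    icmp_type: int = -1    # 8 = echo request
    frag_id: int = 0       # IP identification field shared by all fragments of one datagram
    frag_offset: int = 0   # byte offset of this fragment within the datagram
    length: int = 0        # payload bytes carried by this fragment
    mf: bool = False       # "more fragments" flag


def check_header(pkt: Packet) -> list:
    """Per-packet checks: Land (SYN from a host to itself on the same port) and Smurf amplification
    (echo request aimed at the LAN's directed-broadcast address, which the router should drop)."""
    findings = []
    if (pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags
            and pkt.src == pkt.dst and pkt.sport == pkt.dport):
        findings.append(("land", f"SYN from {pkt.src}:{pkt.sport} addressed to itself"))
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.dst == str(LAN.broadcast_address):
        findings.append(("smurf", f"echo request to broadcast {pkt.dst} with source {pkt.src}"))
    return findings


def check_fragments(packets: list) -> list:
    """Reassembly checks: Ping of Death (fragments add up to more than 65535 bytes) and
    Teardrop-style overlap (a fragment starts before the previous one ends)."""
    findings = []
    groups = defaultdict(list)
    for p in packets:
        if p.mf or p.frag_offset:
            groups[(p.src, p.dst, p.frag_id)].append(p)
    for (src, dst, fid), frags in groups.items():
        frags.sort(key=lambda f: f.frag_offset)
        end = max(f.frag_offset + f.length for f in frags)
        if end > MAX_DATAGRAM:
            findings.append(("ping_of_death", f"id {fid} from {src} reassembles to {end} bytes"))
        prev_end = 0
        for f in frags:
            if f.frag_offset < prev_end:
                findings.append(("teardrop", f"id {fid} from {src}: fragment at {f.frag_offset} overlaps the previous one"))
                break
            prev_end = f.frag_offset + f.length
    return findings


def syn_flood_sources(packets: list, threshold: int = SYN_FLOOD_THRESHOLD) -> list:
    """Count bare SYNs per (source, target, port) and keep those the source never completed with an ACK."""
    syns, completed = defaultdict(int), set()
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.src, p.dst, p.dport)
        if "S" in p.flags and "A" not in p.flags:
            syns[key] += 1
        elif "A" in p.flags and "S" not in p.flags:
            completed.add(key)
    return [(key, n) for key, n in syns.items() if n >= threshold and key not in completed]


def analyze(packets: list) -> list:
    findings = [f for p in packets for f in check_header(p)]
    findings += check_fragments(packets)
    for (src, dst, port), n in syn_flood_sources(packets):
        findings.append(("syn_flood", f"{n} half-open SYNs from {src} to {dst}:{port}"))
    return findings


def sample_traffic() -> list:
    """Constructed packets using documentation address ranges; not a real capture."""
    pkts = [Packet("192.0.2.40", "192.0.2.30", "tcp", 40000, 80, "S"),     # benign three-way handshake
            Packet("192.0.2.30", "192.0.2.40", "tcp", 80, 40000, "SA"),
            Packet("192.0.2.40", "192.0.2.30", "tcp", 40000, 80, "A"),
            Packet("192.0.2.10", "192.0.2.10", "tcp", 139, 139, "S"),        # Land
            Packet("203.0.113.5", "192.0.2.255", "icmp", icmp_type=8)]      # Smurf, spoofed victim as source
    for i in range(45):                                                      # Ping of Death: 45 x 1480 + 1000 > 65535
        pkts.append(Packet("198.51.100.7", "192.0.2.20", "icmp", icmp_type=8,
                           frag_id=7, frag_offset=i * 1480, length=1480, mf=True))
    pkts.append(Packet("198.51.100.7", "192.0.2.20", "icmp", icmp_type=8, frag_id=7, frag_offset=45 * 1480, length=1000))
    pkts.append(Packet("198.51.100.8", "192.0.2.20", "udp", 53, 53, frag_id=9, frag_offset=0, length=1000, mf=True))  # Teardrop
    pkts.append(Packet("198.51.100.8", "192.0.2.20", "udp", 53, 53, frag_id=9, frag_offset=500, length=600))
    pkts += [Packet("198.51.100.9", "192.0.2.30", "tcp", 1024 + i, 80, "S") for i in range(120)]  # SYN flood
    return pkts


if __name__ == "__main__":
    for kind, detail in analyze(sample_traffic()):
        print(f"{kind:14} {detail}")
```

Modern stacks already reject oversized and overlapping fragments and use SYN cookies, and routers disable directed broadcast by default, so in practice these checks mostly confirm that the attacks are being blocked at the edge rather than reaching hosts.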

Other Network Security topics
• Other network security topics covered in the Shon Harris
book:
– Types of transmission
– Routing protocols
– Intranets and Extranets
– Remote access
– Rootkits

Conclusion
• Network Security golden rule: deny by default.
• Encrypt the transport whenever possible.
• Update the firmware.
• Be redundant.
• Is it broken? Fix it.
• Follow the standards.
• Each piece of networking is important to security. Misconfiguration,
defective equipment, outdated software, bad network design can lead to
unwanted vulnerabilities.
A tale of travelling packets

A classic Internet movie about network communication.


“Warriors of the Net”, from Ericsson Medialab
http://www.youtube.com/watch?v=x9XWxD6cJuY

Additional links
• http://en.wikipedia.org/wiki/OSI_model
• http://en.wikipedia.org/wiki/TCP/IP_model
• http://en.wikipedia.org/wiki/Internet_Protocol_Suite
• http://en.wikipedia.org/wiki/SYN_flood
• http://en.wikipedia.org/wiki/Comparison_of_firewalls
• http://www.sans.org/reading_room/whitepapers/application/application-firewalls-forget-about-layer-7_1632

Bibliography & References
• "CISSP All-in-One Exam Guide, Fourth Edition", Shon Harris
• "Applying the OSI seven-layer model to Information Security", SANS Institute
• http://en.wikipedia.org/wiki/
• http://www.freebsd.com/
• http://www.datko.de/
• http://www.windowsecurity.com/

Thanks!

Abhijit_Kulkarni@Dell.com

