Monday, April 14, 2014

CISSP - Between the lines notes about Telecommunications Security

The Telecommunications and Network Security domain is one of the largest domains in the CISSP CBK. Even people with significant network operations experience may find many points they have missed in their daily work.

In this blog entry, rather than explaining the facts that most people know, I tried to summarize those little points that may have escaped many people’s attention so far. These points may be lifesaving when answering questions. So let’s start with some information about the Session Layer, which network and security people probably pay the least attention to.

When two applications need to communicate or transfer data between themselves, a connection may need to be set up between them. The session layer is responsible for establishing a connection between the two applications, maintaining it during the transfer of data, and controlling the release of this connection. The session layer works in three phases: connection establishment, data transfer, and connection release.

Session layer protocols control application-to-application communication, whereas the transport layer protocols handle computer-to-computer communication. For example, if you are using a product that is working in a client/server model, in reality you have a small piece of the product on your computer (client portion) and the larger piece of the software product is running on a different computer (server portion). The communication between these two pieces of the same software product needs to be controlled, which is why session layer protocols even exist. Session layer protocols take on the functionality of middleware, which allows software on two different computers to communicate.

Session layer protocols provide interprocess communication channels, which allow a piece of software on one system to call upon a piece of software on another system without the programmer having to know the specifics of the software on the receiving system. The programmer of a piece of software can write a function call that calls upon a subroutine. The subroutine could be local to the system or be on a remote system. If the subroutine is on a remote system, the request is carried over a session layer protocol. The result that the remote system provides is then returned to the requesting system over the same session layer protocol. This is how RPC works.

One security issue common to RPC (and similar interprocess communication software) is the lack of authentication or the use of weak authentication. Secure RPC can be implemented, which requires authentication to take place before two computers located in different locations can communicate with each other. Authentication can take place using shared secrets, public keys, or Kerberos tickets. Session layer protocols need to provide secure authentication capabilities.

RPC and similar distributed computing calls usually only need to take place within a network; thus, firewalls should be configured so this type of traffic is not allowed into or out of a network.

Some protocols that work at the session layer are SQL, NetBIOS, NFS, and RPC.

The main protocols that work at layer 4 are TCP, UDP, SSL, TLS and SPX.

ICMP and IGMP are Layer 3 protocols.

RARP, PPP, PPTP, L2TP, SLIP, ATM, Ethernet, Token Ring and FDDI are Layer 2 protocols.

ISDN, DSL and SONET are Layer 1 protocols.

Port numbers up to 1023 (0 to 1023) are called well-known ports. Ports 0 to 1023 can be used only by privileged system or root processes.

Registered ports are 1024 to 49151, which can be registered with ICANN for a particular use.

Dynamic ports are 49152 to 65535 and are available to be used by any application on an “as needed” basis.

The SYN proxy is a piece of software that resides between the sender and receiver and only forwards TCP traffic to the receiving system if the TCP handshake process completes successfully.

If an attacker can correctly predict the TCP sequence numbers that two systems will use, then she can create packets containing those numbers and fool the receiving system into thinking that the packets are coming from the authorized sending system. She can then take over the TCP connection between the two systems, which is referred to as TCP session hijacking.

802.1AE (MACSec) defines a security infrastructure to provide data confidentiality, data integrity, and data origin authentication. Where a VPN connection provides protection at the higher networking layers, MACSec provides hop-by-hop protection at layer 2.

The 802.1AR standard specifies unique per-device identifiers (DevID, PKI, certificates) and the management and cryptographic binding of a device (router, switch, access point) to its identifiers.

DHCP packet types are Discover, Offer, Request and Acknowledgment (DORA), in that order.

In environments that require extensive security, wires are encapsulated within pressurized conduits so if someone attempts to access a wire, the pressure of the conduit will change, causing an alarm to sound and a message to be sent to the security staff.

CSMA/CA will send out a message indicating to all other systems that it is going to put data on the line and CSMA/CD will listen to the wire and try to figure out when would be the best time to put data on the line.

Token Ring uses a token-passing technology with a star-configured topology. Each computer is connected to a central hub, called a Multistation Access Unit (MAU). Token ring operates either at 4 or 16 Mbps.

FDDI has a data transmission speed of up to 100 Mbps and is usually used as a backbone network. FDDI also provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data traveling clockwise and is used for regular data transmission. The second ring transmits data in a counterclockwise fashion and is invoked only if the primary ring goes down.

Copper Distributed Data Interface (CDDI) can work over UTP cabling. Whereas FDDI would be used more as a MAN, CDDI can be used within a LAN.

Devices that connect to FDDI rings fall into one of the following categories:
  • Single-attachment station (SAS): Attaches to only one ring (the primary) through a concentrator
  • Dual-attachment station (DAS): Has two ports, and each port provides a connection for both the primary and the secondary rings
  • Single-attached concentrator (SAC): Concentrator that connects an SAS device to the primary ring
  • Dual-attached concentrator (DAC): Concentrator that connects DAS, SAS, and SAC devices to both rings

Loki is actually a client/server program used by hackers to set up back doors on systems and uses ICMP packets to carry control traffic.

The Ping of Death attack is based upon the use of oversized ICMP packets. If a system does not know how to handle ICMP packets over the common size of 65,536 bytes, then it can become unstable and freeze or crash.

In a Smurf attack, the attacker sends an ICMP ECHO REQUEST packet with the spoofed source address of the victim to the victim’s network broadcast address. This means that each system on the victim’s subnet receives an ICMP ECHO REQUEST packet. Each system then replies to that request with an ICMP ECHO REPLY packet to the spoofed address provided in the packets, which is the victim’s address.

The Fraggle attack works on the same principle as Smurf, but Fraggle uses the UDP protocol while Smurf uses the ICMP protocol. They are both DDoS attacks.
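As an added detection example (not part of the original notes), the following Python runs over constructed flow records and flags a destination that receives ICMP echo replies (Smurf) or UDP echo replies (Fraggle) from many distinct hosts, plus the directed-broadcast echo request that triggers the amplification. The record format, the /24 broadcast convention and the use of UDP port 7 for Fraggle are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from any real capture):
# "proto src dst extra" where extra is "type=N" for ICMP or "sport=N" for UDP/TCP.
FLOWS = """\
icmp 192.0.2.1 198.51.100.255 type=8
icmp 198.51.100.10 192.0.2.1 type=0
icmp 198.51.100.11 192.0.2.1 type=0
icmp 198.51.100.12 192.0.2.1 type=0
icmp 198.51.100.13 192.0.2.1 type=0
udp 203.0.113.20 192.0.2.1 sport=7
udp 203.0.113.21 192.0.2.1 sport=7
udp 203.0.113.22 192.0.2.1 sport=7
udp 203.0.113.23 192.0.2.1 sport=7
tcp 203.0.113.50 192.0.2.9 sport=443
""".splitlines()

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type numbers (RFC 792)
UDP_ECHO_PORT = 7                 # assumption: Fraggle bounces off the UDP echo service

def parse(line):
    proto, src, dst, extra = line.split()
    key, val = extra.split("=")
    return proto, src, dst, key, int(val)

def amplification_victims(lines, min_sources=3):
    """Return {victim: {"smurf" and/or "fraggle"}} for destinations that receive
    reply traffic from at least `min_sources` distinct hosts (the amplified flood)."""
    replies = defaultdict(set)
    for proto, src, dst, key, val in map(parse, lines):
        if proto == "icmp" and key == "type" and val == ECHO_REPLY:
            replies[(dst, "smurf")].add(src)
        elif proto == "udp" and key == "sport" and val == UDP_ECHO_PORT:
            replies[(dst, "fraggle")].add(src)
    found = defaultdict(set)
    for (dst, kind), srcs in replies.items():
        if len(srcs) >= min_sources:
            found[dst].add(kind)
    return dict(found)

def broadcast_probes(lines):
    """Echo requests aimed at a directed-broadcast address: the Smurf trigger packet.
    Assumes /24 networks, so an address ending in .255 is the broadcast address."""
    return [(src, dst) for proto, src, dst, key, val in map(parse, lines)
            if proto == "icmp" and key == "type" and val == ECHO_REQUEST
            and dst.endswith(".255")]
```

The source address in the probe is the victim's, so the reply flood converges on 192.0.2.1; disabling directed-broadcast forwarding on routers and filtering spoofed sources at the network edge stops the amplification before it starts.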

In a teardrop attack, malformed fragments are created by the attacker, and once they are reassembled they can cause the victim system to become unstable.

Within DNS servers, DNS namespaces are split up administratively into zones. One zone may contain all hostnames for the marketing and accounting departments, and another zone may contain hostnames for the administration, research, and legal departments. The DNS server that holds the files for one of these zones is said to be the authoritative name server for that particular zone. A zone may contain one or more domains, and the DNS server holding those host records is the authoritative name server for those domains.

The primary and secondary DNS servers synchronize their information through a zone transfer. After changes take place to the primary DNS server, those changes must be replicated to the secondary DNS server. It is important to configure the DNS server to allow zone transfers to take place only between the specific servers. Unauthorized zone transfers can take place if the DNS servers are not properly configured to restrict this type of activity.

DNSSEC implements PKI and digital signatures, which allows DNS servers to validate the origin of a message to ensure that it is not spoofed and potentially malicious.

Organizations should implement split DNS, which means a DNS server in the DMZ handles external hostname-to-IP resolution requests, while an internal DNS server handles only internal requests. This helps ensure that the internal DNS has layers of protection and is not exposed by being “Internet facing.” The internal DNS server should only contain resource records for the internal computer systems, and the external DNS server should only contain resource records for the systems the organization wants the outside world to be able to connect to.

Cybersquatters are individuals who register prominent or established names, hoping to sell them later to real-world businesses that may need those names to establish their online presence (also called domain grabbing).

IMAP provides all the functionality of POP and more. If a user is using POP, when he accesses his mail server to see if he has received any new messages, all messages are automatically downloaded to his computer. Once the messages are downloaded from the POP server, they are usually deleted from that server, depending upon the configuration. POP can cause frustration for mobile users because the messages are automatically pushed down to their computer or device, and they may not have the necessary space to hold all the messages. This is especially true for mobile devices that can be used to access e-mail servers. It is also inconvenient for people checking their mail on other people’s computers.

POP is commonly used for Internet-based e-mail accounts (Gmail, Yahoo!, etc.), while IMAP is commonly used for corporate e-mail accounts.

E-mail spoofing is a technique used by malicious users to forge an e-mail to make it appear to be from a legitimate source.

If source routing is allowed, the packets contain the necessary information within them to tell the bridge or router where they should go. The packets hold the forwarding information so they can find their way to their destination without needing bridges and routers to dictate their paths.

External devices and border routers should not accept packets with source routing information within their headers, because that information will override what is laid out in the forwarding and routing tables configured on the intermediate devices. Source routing can be used by attackers to get around certain bridge and router filtering rules.

A phreaker is a phone hacker.

Main characteristics of different types of firewalls are:
  • Packet Filters (Network Layer): Look at source and destination addresses, ports and services requested. Routers use ACLs to monitor network traffic.
  • Application-level Proxy (Application Layer): Looks deep into packets and makes granular access control decisions. Requires one proxy per protocol.
  • Circuit-level Proxy (Session Layer): Looks only at the packet header information. It protects a wider range of protocols and services than an application-level proxy, but does not provide the detailed level of control available to ALPs.
  • Stateful (Network Layer): Looks at the state and context of packets. Keeps track of each connection using a state table.
  • Kernel Proxy (Application Layer): Faster because processing is done in the kernel. One network stack is created for each packet.

Characteristics of application-level proxy firewalls:
  • Each protocol that is to be monitored must have a unique proxy.
  • Provides more protection than circuit-level proxy firewalls.
  • Require more processing per packet and thus are slower than a circuit-level proxy firewall.

Characteristics of circuit-level proxy firewalls:
  • Do not require a proxy for each and every protocol.
  • Do not provide the deep-inspection capabilities of an application layer proxy.
  • Provide security for a wider range of protocols.

SOCKS is an example of a circuit-level proxy gateway that provides a secure channel.

A system is considered a bastion host if it is a highly exposed device that is most likely to be targeted by attackers.

Firewall rules that should be implemented are as follows:
  • Silent rule: Drops “noisy” traffic without logging it. This reduces log sizes by not responding to packets that are deemed unimportant.
  • Stealth rule: Disallows access to the firewall software from unauthorized systems.
  • Cleanup rule: The last rule in the rule base; drops and logs any traffic that does not match the preceding rules.
  • Negate rule: Used instead of the broad and permissive “any” rules. Negate rules provide tighter permission rights by specifying what system can be accessed and how.
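An added example (not from the original notes) that models the four rule types as a small first-match rule base in Python; the addresses, the choice of NetBIOS name service (UDP/137) as the “noisy” traffic, and the first-match semantics are assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: a first-match rule base (evaluated top-down, first matching rule
# wins), which is the semantics the silent/stealth/cleanup ordering relies on.

@dataclass
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"
    log: bool

def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)

def evaluate(rules, src, dst, dport):
    """Return (rule name, action, logged?) for the first rule that matches."""
    for r in rules:
        if _in_net(r.src, src) and _in_net(r.dst, dst) and r.dport in (None, dport):
            return r.name, r.action, r.log
    raise RuntimeError("no rule matched: the rule base lacks a cleanup rule")

FIREWALL = "203.0.113.1/32"   # constructed: the firewall's own address
MGMT_NET = "10.0.0.0/24"      # constructed: the administrators' network
WEB_SRV = "198.51.100.10/32"  # constructed: the only published server

RULEBASE = [
    # Silent rule: NetBIOS name-service chatter (UDP/137) is dropped without logging.
    Rule("silent", "any", "any", 137, "drop", log=False),
    # Stealth rules: only the management network may talk to the firewall itself.
    Rule("stealth-allow", MGMT_NET, FIREWALL, None, "accept", log=True),
    Rule("stealth", "any", FIREWALL, None, "drop", log=True),
    # Negate rule: instead of a permissive "any" rule, permit only HTTPS to the web server.
    Rule("negate-web", "any", WEB_SRV, 443, "accept", log=True),
    # Cleanup rule: always last; drops and logs whatever nothing above matched.
    Rule("cleanup", "any", "any", None, "drop", log=True),
]
```

Reordering the list changes the outcome: moving the cleanup rule up would shadow every rule below it, which is why it must stay last.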

A reverse proxy server commonly sits on the network that fulfills clients’ requests; thus, it handles traffic entering its network. The reverse proxy can carry out load balancing, encryption acceleration, security, and caching.

On a smaller scale, companies may choose to implement tarpits, which are similar to honeypots in that they appear to be easy targets for exploitation.

Vishing is voice phishing, carried out through voice mail messages and similar means.

The main protocols that make up the IPsec suite and their basic functionality are as follows:
  • Authentication Header (AH) provides data integrity, data origin authentication, and protection from replay attacks.
  • Encapsulating Security Payload (ESP) provides confidentiality, data-origin authentication, and data integrity.
  • Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange.
  • Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP.

AH and ESP can be used separately or together in an IPsec VPN configuration.

When to use each VPN protocol:
  • PPTP is used when a PPP connection needs to be extended through an IP-based network.
  • L2TP is used when a PPP connection needs to be extended through a non-IP-based network.
  • IPsec is used to protect IP-based traffic and is commonly used in gateway-to-gateway connections.
  • SSL VPN is used when a specific application layer traffic type needs protection.

The three core deficiencies with WEP are the use of static encryption keys, the ineffective use of initialization vectors, and the lack of packet integrity assurance.

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary protocol released before 802.1X was finalized. LEAP has significant security flaws and should not be used.

EAP-TLS (EAP-Transport Layer Security) uses PKI, requiring both server-side and client-side certificates. EAP-TLS establishes a secure TLS tunnel used for authentication. EAP-TLS is very secure due to the use of PKI, but is complex and costly for the same reason. The other major versions of EAP attempt to create the same TLS tunnel without requiring a client-side certificate.

EAP-TTLS (EAP-Tunneled Transport Layer Security) simplifies EAP-TLS by dropping the client-side certificate requirement, allowing other authentication methods (such as password) for client-side authentication. EAP-TTLS is thus easier to deploy than EAP-TLS, but less secure when omitting the client-side certificate.

PEAP (Protected EAP) is similar to (and may be considered a competitor to) EAP-TTLS, including not requiring client-side certificates.
802.11b uses DSSS; 802.11a uses OFDM and works in the 5 GHz frequency band. Working at a higher frequency means a device’s signal cannot cover as wide a range.

802.16 is WiMAX.

Bluejacking and Bluesnarfing are Bluetooth attacks.

War driving is a type of attack in which one or more people walk or drive around with a wireless device equipped with the necessary hardware and software, intending to identify APs and break into them.

The protocol field of the IP packet dictates which protocol the IP packet carries: TCP=6, ICMP=1, UDP=17, IGMP=2.
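An added example (not from the original notes) serving both the source-routing point earlier on the page and the protocol field values just listed: a Python parser for the fixed IPv4 header and its option list, with the border-router style check for the loose/strict source route options (option types 131 and 137 per RFC 791). The build_ipv4 helper and the addresses it uses are constructed for testing.

```python
import struct

# Protocol numbers from the notes, keyed by the value in the IPv4 protocol field.
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# IPv4 option type bytes (RFC 791).
OPT_END, OPT_NOP = 0, 1
OPT_LSRR, OPT_SSRR = 131, 137   # loose / strict source and record route

IPV4_FMT = "!BBHHHBBH4s4s"      # fixed 20-byte header

def parse_ipv4(packet: bytes):
    """Return (protocol name, header length in bytes, option types) from a raw IPv4 header."""
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    options, i = [], 20
    while i < ihl:                      # walk the option list, if any
        opt = packet[i]
        if opt == OPT_END:
            break
        if opt == OPT_NOP:
            i += 1
            continue
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed option")
        options.append(opt)
        i += length
    return PROTOCOL_NAMES.get(proto, str(proto)), ihl, options

def has_source_route(packet: bytes) -> bool:
    """The border-router check from the notes: does the header carry LSRR or SSRR?"""
    return any(o in (OPT_LSRR, OPT_SSRR) for o in parse_ipv4(packet)[2])

def build_ipv4(proto: int, options: bytes = b"") -> bytes:
    """Constructed test header (checksum left zero, no payload); options are padded to 32 bits."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl_words = 5 + len(options) // 4
    fixed = struct.pack(IPV4_FMT, (4 << 4) | ihl_words, 0, 20 + len(options), 0, 0, 64,
                        proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options

# Constructed samples: a plain TCP header and a UDP header carrying a loose
# source route option (type 131, length 7, pointer 4, one hop 10.0.0.1).
PLAIN_TCP = build_ipv4(6)
LSRR_UDP = build_ipv4(17, bytes([OPT_LSRR, 7, 4, 10, 0, 0, 1]))
```

A border device applying the notes' advice would drop any packet for which has_source_route returns True, so the option cannot override its forwarding tables.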

Dedicated point-to-point protocols are HDLC and PPP.
Packet-switched protocols are X.25, Frame Relay and ATM.
Circuit-switched protocols are ISDN and Leased Line.

HDLC provides higher throughput and supports full-duplex transmission compared to SDLC. IBM mainframe systems used SDLC.

DSL is considered an “always on” technology.

Footprinting is a method used by an attacker to learn information about a victim before carrying out scanning and probing activity.

802.2 is LLC and 802.3 is MAC. LLC communicates with Layer 3.

An SNMP community string is a password a manager uses to request data from the agent.

In PPP, LCP establishes, configures and maintains the connection, and NCPs are used for network layer protocol configuration and authentication.
