Ch-12 Flashcards
(15 cards)
OSI Model
Layer 7 - Application Layer - Interface for user-facing services - HTTP, FTP, SSH, DNS
Layer 6 - Presentation Layer - Data formatting, encryption, compression - SSL/TLS, MIME encoding, JPEG/MPEG
Layer 5 - Session Layer - Establishing, managing and tearing down sessions; authentication - APIs, sockets, NetBIOS
Layer 4 - Transport Layer - End-to-end delivery, segmentation, error control - TCP, UDP
Layer 3 - Network Layer - Logical addressing, routing, path selection - IP, ICMP, IPsec
Layer 2 - Data Link Layer - Framing, MAC addressing, flow and error control on the local link - Ethernet frames, switches, ARP
Layer 1 - Physical Layer - Electrical, optical or radio signaling - Cables, NICs, hubs
Net Segmentation
DMZ - Aka a screened subnet, typically used to contain web servers or other internet facing devices but can be used for internal purposes.
Intranet - Internal access for employees or members of the organization
Extranet - External access typically by customers or partners
Broadcast Domain - Segment of the network in which all devices can reach one another via broadcast frames at the data link layer (Layer 2). Keeping broadcast domains small makes the network less noisy and contains Layer 2 attacks to that segment.
VLAN - Lets devices on the same physical switch be split into separate logical networks (separate broadcast domains), or devices spread across multiple switches be placed in the same logical network.
Traffic Flow
East-West - Traffic between systems in the same security zone (e.g., server to server inside a data center)
North-South - Traffic that crosses a zone boundary (e.g., between the internal network and the internet)
Port-Security
Allows you to limit the number of MAC addresses that can be learned on a single switch port (and optionally which ones); a violation can shut the port down.
Helps to prevent MAC spoofing and content-addressable memory (CAM) table overflow attacks.
Protocol-level Protection
Loop Prevention - Detecting loops and disabling ports in order to stop or prevent them.
Spanning Tree (STP) - Switches exchange bridge protocol data units (BPDUs), frames carrying a switch identifier, to elect a root and block redundant paths so the topology stays loop-free. Vendor anti-loop features such as Cisco's loopback detection supplement it.
Broadcast storm prevention - Prevents broadcast frames from being amplified as they traverse a network. Relies on several features: loop protection on user ports, enabling STP on switches, and rate limiting broadcast traffic.
BPDU Guard - Protects STP by disabling ports that should never send BPDUs (end-user access ports) if a BPDU arrives on them, which stops a rogue switch from joining the topology.
Dynamic Host Configuration Protocol (DHCP) Snooping - Focuses on preventing rogue DHCP servers from handing out IP addresses to clients in a managed network.
Port Spanning -
Switch Port Analyzer (SPAN) - Cisco's port-mirroring feature; can combine traffic from multiple ports (or a whole VLAN) onto a single destination port for analysis.
Port Mirror - Sends a copy of all traffic seen on one switch port to another port for monitoring.
VPNs
L2TP VPN - No encryption on its own; it simply provides a tunnel. Often combined with IPsec (L2TP/IPsec) for confidentiality and integrity.
SSL VPN - Either a portal-based approach, typically via an HTML5 web page, or a tunnel mode like IPsec VPNs. SSL VPNs can work without an installed client and can segment access to individual applications. Despite the name, SSL VPNs actually use TLS.
Split Tunnel - Only traffic destined for the remote trusted network goes through the VPN; everything else leaves the client directly, so it bypasses the organization's inspection and filtering.
Full Tunnel - All traffic is sent through the VPN tunnel, so it can be inspected and filtered centrally at the cost of bandwidth.
Load Balancing
Major Modes of Operation -
Active/Active
Active/Passive
Scheduling Options -
Round-Robin - Servers used in predetermined turns
Least connection - Server with least connections gets the incoming connection
Agent-Based - An agent on each server reports its load to the balancer, which distributes connections accordingly
Source IP - A hash of the client's source IP selects the server. Across many clients the spread looks random, but a given client is always sent to the same server, which provides session persistence
Weighted -
Weighted least - Combines least connection with a predetermined weight value for each server
Fixed Weighted - Servers are preassigned a weight often based on capacity or capability
Weighted Response Time - Combines server current response times with a weight value to assign traffic
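Added example (not from the flashcards or the textbook): a small Python model of the scheduling options above. Server names, weights, connection counts and the client IP are constructed. It also shows why the source-IP hash is about persistence rather than randomization.

```python
"""Toy versions of the load-balancer scheduling options on these cards.
Added example: server names, weights, load figures and client IPs are
constructed for illustration and do not come from any real deployment."""
import hashlib
import itertools
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Server:
    name: str
    weight: int = 1            # fixed weight, e.g. relative capacity
    active: int = 0            # currently open connections
    response_ms: float = 10.0  # recent measured response time


class Scheduler:
    def __init__(self, servers: List[Server]):
        self.servers = list(servers)
        self._rr = itertools.cycle(self.servers)

    def round_robin(self) -> Server:
        # Predetermined turns, blind to load.
        return next(self._rr)

    def least_connection(self) -> Server:
        # Fewest open connections wins.
        return min(self.servers, key=lambda s: s.active)

    def weighted_least(self) -> Server:
        # Least connection scaled by weight: a weight-4 server may carry
        # four times the connections of a weight-1 server before it loses.
        return min(self.servers, key=lambda s: s.active / s.weight)

    def fixed_weighted(self, ticket: int) -> Server:
        # Deterministic weighted rotation: in every sum(weights) requests a
        # server with weight w receives exactly w of them. `ticket` counts requests.
        total = sum(s.weight for s in self.servers)
        slot = ticket % total
        for s in self.servers:
            if slot < s.weight:
                return s
            slot -= s.weight
        raise AssertionError("unreachable: slot always falls inside a server's weight")

    def weighted_response_time(self) -> Server:
        # Faster servers win, tempered by weight.
        return min(self.servers, key=lambda s: s.response_ms / s.weight)

    def source_ip_hash(self, client_ip: str) -> Server:
        # Hash of the client IP selects the server. Across many clients the
        # spread looks random, but it is deterministic: one client always maps
        # to the same server, which is what gives session persistence.
        digest = hashlib.sha256(client_ip.encode()).digest()
        return self.servers[int.from_bytes(digest[:8], "big") % len(self.servers)]


def demo() -> Dict[str, object]:
    # Constructed pool: weights 1:2:3, so fixed weighting should hand out
    # requests in exactly that ratio over whole cycles.
    servers = [Server("a", weight=1), Server("b", weight=2), Server("c", weight=3)]
    sched = Scheduler(servers)
    fixed: Dict[str, int] = {}
    for ticket in range(12):  # two full weight cycles of 6
        name = sched.fixed_weighted(ticket).name
        fixed[name] = fixed.get(name, 0) + 1
    # Same client IP 100 times: how many distinct servers did it land on?
    sticky = len({sched.source_ip_hash("203.0.113.7").name for _ in range(100)})
    return {"fixed": fixed, "sticky_servers": sticky}


if __name__ == "__main__":
    print(demo())
```

demo() returns a 2:4:6 split for the fixed-weight rotation and a single server for the repeated client, which is the persistence property real balancers rely on when session state lives on one backend.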
Proxy Servers
Accept and forward requests; can filter or modify traffic and cache data, as well as enforce access restrictions by IP or similar requirements.
Forward Proxy - Accepts requests from clients and forwards them to servers. Can be used to anonymize traffic and reach resources blocked by IP address or geolocation.
Reverse Proxy - Sits in front of servers and accepts client requests on their behalf. Used for load balancing, caching content, and hiding the servers' real addresses.
Route Security
BGP (Border Gateway Protocol) - Has no strong security built in; route advertisements are typically accepted by default. This enables BGP hijacking (announcing prefixes you do not own), which can cause DoS conditions, added latency, or traffic interception.
OSPF (Open Shortest Path First) - Integrates some security features including MD5-based authentication, but it is not turned on by default. OSPF authentication does not encrypt the routing data; it validates that the update is intact and comes from the router it is expected to come from.
EIGRP (Enhanced Interior Gateway Routing Protocol) - A Cisco proprietary protocol that provides authentication.
Honeypots, nets, and files
Honeypots, honeynets, and honeyfiles are intentionally configured to appear vulnerable but are actually heavily instrumented and monitored systems, networks, and files respectively.
They are all designed to collect and monitor data on every file, command and movement the attacker makes; any access to them is suspicious because no legitimate user should touch them.
Secure Protocols Overview
Voice and video - Web-based tools typically use HTTPS; SIPS (SIP over TLS) secures signaling and SRTP secures the media stream
Network Time Protocol (NTP) - Network Time Security (NTS) exists but is not widely adopted
Email and Web Traffic - HTTPS, IMAPS, POP3S, plus Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) for validating email senders
File Transfer - Combination of HTTPS, SFTP or FTPS
LDAP - Moved to LDAPS
DNS - Remains a challenge; DNSSEC authenticates records but does not encrypt queries
Routing and Switching - Complex security must be built around the lack of security in the protocols themselves
Network (DHCP) - Relies on detection and response (e.g., DHCP snooping) rather than a secure protocol
Cloud tools - Leverage HTTPS but may also provide secure protocols for specific services
Secure Protocols Cont.
DNS - UDP/TCP 53 - DNSSEC - UDP/TCP 53 (signs records; does not encrypt queries)
FTP - TCP 21 - FTPS - TCP 21 explicit mode (AUTH TLS) & TCP 990 implicit mode - Uses TLS
FTP - TCP 21 - SFTP - TCP 22 - Runs over SSH (a different protocol, not FTP over TLS)
HTTP - TCP 80 - HTTPS - TCP 443 - Uses TLS
IMAP - TCP 143 - IMAPS - TCP 993 - Uses TLS
LDAP - UDP & TCP 389 - LDAPS - TCP 636 - Uses TLS
POP3 - TCP 110 - POP3S - TCP 995 - Uses TLS
RTP - UDP 16384-32767 (dynamic; 5004 is the registered port) - SRTP - same ports as RTP, negotiated by the signaling (SIP/SDP); adds encryption and authentication to the media
SNMP - UDP 161 (queries) and 162 (traps) - SNMPv3 - same ports; adds authentication and encryption (authPriv)
Telnet - TCP 23 - SSH - TCP 22
TCP - Transmission Control Protocol - Connection-oriented and reliable; uses a 3-way handshake (SYN, SYN-ACK, ACK)
UDP - User Datagram Protocol - Connectionless, low latency, loss tolerating; no handshake
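Added example, not part of the original cards: a Python audit that applies the port mapping above to constructed netstat -n lines and flags legacy cleartext protocols. It carries the caveat a reviewer would want: FTPS explicit mode, SNMPv3 and DNSSEC cannot be told apart from their plaintext versions by port alone, so those come back as "verify" rather than "insecure".

```python
"""Audit netstat-style connection lines for legacy cleartext protocols using the
port mapping on these cards. Added example; SAMPLE is constructed, not a real
netstat dump. Port-based classification is only a heuristic: FTPS explicit
mode, SNMPv3 and DNSSEC reuse the plaintext port, so those are reported as
'verify', not 'insecure'."""
import re
from typing import Dict, List, Optional, Tuple

# (proto, legacy port) -> (protocol name, secure replacement and its port)
CLEARTEXT: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("tcp", 21):  ("FTP",    "SFTP on TCP 22 or FTPS implicit on TCP 990"),
    ("tcp", 23):  ("Telnet", "SSH on TCP 22"),
    ("tcp", 80):  ("HTTP",   "HTTPS on TCP 443"),
    ("tcp", 110): ("POP3",   "POP3S on TCP 995"),
    ("tcp", 143): ("IMAP",   "IMAPS on TCP 993"),
    ("tcp", 389): ("LDAP",   "LDAPS on TCP 636"),
    ("udp", 389): ("LDAP",   "LDAPS on TCP 636"),
}
# Same port for both the legacy and the secured version: the port alone
# cannot tell you which one is in use, so inspect the payload or the config.
SAME_PORT: Dict[Tuple[str, int], str] = {
    ("tcp", 21):  "FTPS explicit mode (AUTH TLS) also negotiates on TCP 21",
    ("udp", 53):  "DNSSEC-signed answers still travel on UDP/TCP 53",
    ("tcp", 53):  "DNSSEC-signed answers still travel on UDP/TCP 53",
    ("udp", 161): "SNMPv3 (authPriv) uses the same UDP 161 as v1/v2c",
    ("udp", 162): "SNMPv3 traps use the same UDP 162 as v1/v2c",
}

# proto, Recv-Q, Send-Q, local addr:port, remote addr:port (netstat -n layout)
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")


def parse_line(line: str) -> Optional[Tuple[str, str, int, str, int]]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, lip, lport, rip, rport = m.groups()
    return proto, lip, int(lport), rip, int(rport)


def classify(proto: str, lport: int, rport: int) -> dict:
    # Outbound client sockets carry the service on the remote port; listening
    # or server sockets carry it locally. Prefer remote, fall back to local.
    for port in (rport, lport):
        key = (proto, port)
        if key in SAME_PORT:
            name = CLEARTEXT.get(key, (f"{proto}/{port}", ""))[0]
            return {"port": port, "finding": "verify", "protocol": name,
                    "note": SAME_PORT[key]}
        if key in CLEARTEXT:
            name, fix = CLEARTEXT[key]
            return {"port": port, "finding": "insecure", "protocol": name,
                    "note": f"replace with {fix}"}
    return {"port": rport, "finding": "ok", "protocol": None, "note": ""}


def audit(netstat_output: str) -> List[dict]:
    results = []
    for line in netstat_output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # header and non-socket lines
        proto, _lip, lport, _rip, rport = parsed
        results.append(classify(proto, lport, rport))
    return results


# Constructed sample in `netstat -n` layout, not a real capture.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:51234          192.0.2.10:23           ESTABLISHED
tcp        0      0 10.0.0.5:51240          192.0.2.11:443          ESTABLISHED
tcp        0      0 10.0.0.5:51302          192.0.2.12:21           ESTABLISHED
udp        0      0 10.0.0.5:50000          192.0.2.13:161          ESTABLISHED
tcp        0      0 10.0.0.5:48000          192.0.2.14:110          ESTABLISHED
"""

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f"{r['finding']:8} {r['protocol'] or '-':8} port {r['port']:<5} {r['note']}")
```

Run it against real `netstat -n` output by passing the captured text to audit(). The Telnet and POP3 rows come back "insecure" with the replacement from the table; the FTP and SNMP rows come back "verify" because the secure variant shares the port.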
Networking Attacks
On-Path - Also referred to as man-in-the-middle (MitM): the attacker sits between two parties and relays, reads or alters their traffic
SSL stripping - During an on-path attack the attacker keeps HTTPS to the server but serves the victim plain HTTP, so the contents can be read. HSTS (HTTP Strict Transport Security) counters it by making the browser refuse plain HTTP to that site
DNS attacks -
Domain Hijacking - Changes the registration of a domain, letting the attacker alter its settings and configuration (name servers, MX records), intercept traffic, and send and receive email for it. Extremely difficult for users to notice.
DNS poisoning - Accomplished via an on-path attack, vulnerabilities in the DNS protocol, or poisoning a resolver's cache so it returns attacker-controlled addresses. May be noticed by users.
URL redirection - Accomplished by inserting alternative IP addresses into the hosts file on a compromised host. Easy to spot.
Domain reputation services and tools such as Cisco Talos, McAfee's WebWasher and SmartFilter help to spot DNS attacks.
Layer 2 Attacks
ARP Poisoning - Attacker sends forged ARP replies so hosts map a victim's IP (often the gateway) to the attacker's MAC, putting the attacker on-path. Countered with DHCP snooping plus dynamic ARP inspection.
MAC Flooding - Attacker floods a switch with frames from many fake source MACs to overflow the CAM table; the switch then floods frames out every port like a hub, exposing traffic. Countered by port security.
MAC Cloning - Attacker copies a legitimate device's MAC to impersonate it or bypass MAC-based filtering. Detectable when the same MAC shows up on more than one switch port.
DDoS - Distributed denial of service: many compromised sources overwhelm a target; beyond volumetric network floods the book distinguishes the two types below
System DDoS - Exhausts an application's or operating system's resources (CPU, memory, connection tables, worker threads) rather than raw bandwidth.
Operational Tech. DDoS - Targets industrial and OT networks (ICS, SCADA), where devices have little spare capacity and an outage has physical consequences.
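Added example covering the Port-Security card and the Layer 2 attacks above; it is not from the cards or the textbook. A simulated switch learns MACs into a CAM table with an optional per-port limit, records a MAC that moves between ports (the MAC cloning indicator), and a dynamic-ARP-inspection-style check compares ARP frames against trusted IP-to-MAC bindings. All MACs, IPs and port names are constructed placeholders.

```python
"""Simulated switch showing what port security and a DAI-style check do
against the Layer 2 attacks on these cards. Added example with constructed
frames; MACs, IPs and port names are placeholders, not a real capture."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    port: str                        # ingress switch port
    src_mac: str
    sender_ip: Optional[str] = None  # set on ARP frames: "this IP is at src_mac"


class Switch:
    def __init__(self, max_macs_per_port: Optional[int] = None):
        self.max_macs = max_macs_per_port          # None = port security off
        self.cam: Dict[str, str] = {}              # CAM table: mac -> port
        self.port_macs = defaultdict(set)          # port -> MACs learned on it
        self.violations: List[Tuple[str, str]] = []
        self.mac_moves: List[Tuple[str, str, str]] = []
        self.shutdown = set()                      # err-disabled ports

    def learn(self, f: Frame) -> bool:
        """Learn the source MAC on the ingress port. Returns False if dropped."""
        if f.port in self.shutdown:
            return False
        known = self.port_macs[f.port]
        if (f.src_mac not in known and self.max_macs is not None
                and len(known) >= self.max_macs):
            # Port-security violation: more MACs than allowed on one port.
            # Common default action is to err-disable the port.
            self.violations.append((f.port, f.src_mac))
            self.shutdown.add(f.port)
            return False
        prev = self.cam.get(f.src_mac)
        if prev is not None and prev != f.port:
            # Same MAC now seen on another port: MAC cloning/spoofing indicator.
            self.mac_moves.append((f.src_mac, prev, f.port))
        known.add(f.src_mac)
        self.cam[f.src_mac] = f.port
        return True


def mac_flood(switch: Switch, port: str, count: int) -> int:
    """Attacker sends frames with `count` distinct source MACs on one port.
    Without port security every one is learned, filling the CAM table."""
    learned = 0
    for i in range(count):
        mac = f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        if switch.learn(Frame(port, mac)):
            learned += 1
    return learned


def detect_arp_poisoning(frames: List[Frame], bindings: Dict[str, str]):
    """DAI-style check: an ARP frame whose (sender IP, source MAC) pair
    contradicts a trusted IP->MAC binding (e.g. built by DHCP snooping) is
    flagged. Returns [(ip, claimed_mac, expected_mac), ...]."""
    alerts = []
    for f in frames:
        if f.sender_ip is None:
            continue
        expected = bindings.get(f.sender_ip)
        if expected is not None and expected.lower() != f.src_mac.lower():
            alerts.append((f.sender_ip, f.src_mac, expected))
    return alerts


if __name__ == "__main__":
    open_sw, hardened = Switch(), Switch(max_macs_per_port=2)
    print("learned without port security:", mac_flood(open_sw, "Gi0/1", 500))
    print("learned with port security   :", mac_flood(hardened, "Gi0/1", 500),
          "violations:", hardened.violations)
```

With port security off the flood of 500 fake MACs is fully learned; with a limit of two, the third MAC trips a violation and the port is err-disabled, which is exactly the trade-off to plan for on access ports that legitimately carry a phone plus a PC.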
Recon and Discovery Tools
Path/Route info -
tracert (Windows) & traceroute (Linux) - Shows each hop on the path to a host - $ tracert <host> or $ traceroute <host>
pathping (Windows) - Same as tracert but significantly slower, because it also samples each hop over time and reports latency and packet loss per hop.
DNS info -
nslookup (Windows & Linux) & dig (Linux) - $ nslookup <host> shows the resolving server, the IP, and aliases
$ dig <host> shows the same as nslookup but with more detail (answer, authority and additional sections, TTLs); $ dig <host> <type> queries a specific record type such as MX or TXT
Net info -
ipconfig (Windows) & ifconfig (Linux; replaced by ip addr on modern distributions) - Interface addresses and configuration
netstat - Open connections and listening ports (ss on modern Linux)
arp - Shows the local host's ARP cache; '-a' shows the current cache for each interface
route - Shows or modifies the local routing table (ip route on modern Linux)
Port and Vuln Scans -
nmap
nessus
OpenVAS
Data Transfer and General -
nc or ncat - Connects to or listens on arbitrary TCP/UDP ports and moves raw data - $ nc <host> <port>
curl - Makes HTTP(S) and other protocol requests from the command line - $ curl <url> or $ curl --request GET <url>
OSINT -
theHarvester - Gathers email addresses, subdomains and hosts for a domain from public sources - $ theHarvester -d <domain> -l 250 -b <source>
scanless - Leverages public online port scanners to run scans without exposing your own system
$ scanless -s <scanner> -t <target>
Packet Capture and Replay -
tcpdump - Command-line capture, filtered with BPF expressions. Ex: capture port 80 to a file: $ tcpdump -w capture.pcap -i eth0 tcp port 80
wireshark - GUI tool that allows complex analysis and protocol decoding of captured traffic
tcpreplay - Replays captured packets onto the network, e.g. to re-test IDS rules against traffic from a suspected attack. Can also modify the replay speed, split output, or apply modifications to the packets.