Explain the four general goals for secure networking.
CIFAC: Confidentiality, Availability, Functionality, Access Control
Confidentiality - Not only the idea of keeping messages secret, but also keeping network structure and data secret. Things like network protocols and packet header values need to be kept secure.
Availability - Ensuring that authorized users have access to information, services, and network resources.
Functionality - Preventing attackers from altering the capabilities or operation of the network (think DDoS).
Access Control - Keep attackers from accessing internal resources.
How can information be gathered from encrypted network traffic?
Information can be gathered from encrypted traffic by passively monitoring said traffic. Even encrypted, you could still see sites visited, how much data is sent or received, etc.
How does the castle model relate to secure networking?
The traditional castle model of network defense had the good guys on the inside, and the attackers on the outside. There was a well-guarded single point of entry. All network administrators had to do was secure this point of entry and attackers would be stopped.
What is a denial-of-service attack?
A denial-of-service attack is an attack made in order to attempt to render a server or network unavailable by flooding it with attack packets.
Is a slow degradation of service worse than a total stoppage? Why?
It is worse, in that it’s much harder to detect. It might just look like actual growth in traffic, as opposed to an attack.
What is a denial-of-service attack?
A denial-of-service attack is a method of overwhelming network resources in such a way that legitimate users cannot access it.
Other than a DoS attack, what could cause a company’s network to crash?
Other things that could cause a company’s network to crash include a referral from a site with considerably larger traffic volume.
What are the main goals of DoS attacks?
The primary goal of DoS attacks is to cause harm, either by stopping a service or by slowly degrading it over time.
What is the difference between a direct and indirect DoS attack?
A direct DoS occurs when the attacker sends attack packets directly from his computer. An indirect attack relies on IP address spoofing in order to try and misdirect traceback.
What is backscatter?
Backscatter is a side effect of an attacker spoofing an IP address, where the victim’s response packets unintentionally flood the spoofed IP address the attacker is using. Hilarity ensues.
What types of packets can be sent as part of a DoS attack?
Although any packet could be used in theory, there are a few particulars:
- SYN Packets - Known as a SYN Flood; the SYN packets form half-open connections, as the system waits for the final confirmation packet, which won’t come. Eats up memory.
- Ping Flood - The system is hit with ICMP packets that look like standard supervisory traffic, overwhelming bandwidth and CPU.
- HTTP Flood - Usually against web servers, which are flooded with web requests and crash due to lack of memory and CPU power.
How does a DDoS attack work?
A DDoS attack is much like a DoS attack, but the attack comes from multiple computers, often botted. This provides resources that one attacker might not have with one machine, and can take down large targets.
What is a handler, and what does it do?
A handler is an intermediary computer that coordinates large groups of bots, as significant numbers of bots can be difficult to manage. They are also known as command-and-control servers, and provide an additional layer of anonymity.
How does a P2P redirect work?
A P2P redirect works by redirecting legitimate P2P requests to an unrelated network, redirecting the “flow” of the P2P traffic. The target can generally not filter out legitimate users from the flood.
How does a reflected attack work?
A reflected attack is similar to a P2P redirect. The attacker sends spoofed requests to servers that offer legitimate services. The responses from the servers then overwhelm the victim, as they often have far more power than the victim. The servers can be blocked, but this might cause more trouble, as attackers might use something like the DNS services of the victim, thus causing additional harm.
What is a DRDoS attack, and how does it work?
A DRDoS attack is a Distributed Reflected Denial of Service attack, and it uses the same basic mechanism of the reflected attack, but using a botnet to achieve far greater volume.
What is a smurf flood?
A smurf flood is a form of the reflected attack, but it takes advantage of a server that hasn’t been configured in a way to prevent broadcasting to all devices. The attacker sends a spoofed ICMP echo to the router (or other network device), which then echoes it to all network devices. All the devices then echo to the target, flooding it. The target need not be internal to the smurfed network.
How could a malformed packet cause a host to crash?
A malformed packet is a packet that somehow violates the rules of an operating system, causing it to have unhandled exceptions and go down.
What is black holing?
Black holing is when all packets from an IP address are dropped automatically. This isn’t good, if done automatically. Spoofed IPs could cause blocking of genuine business partners or customers, and it’s simple for attackers to change IP addresses.
How can the effects of SYN floods be mitigated?
SYN Floods can be mitigated by firewalls; the firewall accepts the SYN packet and sends back the SYN/ACK packet. If no final ACK is forthcoming, the firewall drops the original packet. If the final ACK does come, it lets it through. This is called a “false open”.
What is rate limiting, and why is it good? Why is it bad?
Rate limiting restricts the amount of a certain type of traffic that a network will admit to a reasonable level. This can prevent smurf flooding by preventing an unacceptable number of ICMP packets from entering, while still allowing broadcasting to be used. Unfortunately, this limitation can limit legitimate users as well.
Why are DoS attacks community problems?
DoS attacks are community problems because they can saturate ISP access lines, causing problems for legitimate users, and can only really be stopped by the ISP and any organization whose computers have been zombified.
Why do hosts use Address Resolution Protocol?
Hosts use Address Resolution Protocol (or ARP) to resolve 32-bit IP addresses into 48-bit local MAC addresses. For this to work, hosts must know each other’s MAC addresses. This allows them to send and receive packets using IP addresses.
How does ARP work?
When a router receives a packet addressed to an internal host, it sends an ARP request to every host on the LAN asking for their IP address. The actual host replies with an ARP reply; the rest ignore the request. This reply contains its physical (MAC) address. The network switch then records this information, along with port numbers, and from that point on looks at MAC addresses, not IP addresses.
Can ARP poisoning be used outside the LAN? Why or why not?
ARP poisoning cannot be used outside the LAN, because ARP tables aren’t used anywhere but on a LAN.
Why do hosts send ARP requests?
Hosts send ARP requests to determine the MAC addresses of hosts on their network.
What is ARP spoofing?
ARP spoofing is when false ARP replies are used to map any IP address to any MAC address. These spoofed ARP replies are broadcast to all hosts on the LAN, manipulating the ARP tables.
What is ARP poisoning, and how does it work?
ARP poisoning is when a continuous stream of unsolicited, spoofed ARP requests is sent to all the hosts on the LAN save the gateway. This tells the hosts that the gateway is at a new location, the attacker’s MAC. All packets they want to send now go to the attacker. Thanks to the switch only looking at MAC addresses, it goes along with it.
The attacker then poisons the gateway by bombarding it with ARP replies telling it that all the hosts are at the attacker’s MAC.
The ARP requests must be continuous, or else the hosts and gateways will reply normally, and self-correct.
How can ARP poisoning be used as a DoS attack?
ARP poisoning can be used very easily as a DoS attack, by setting the MAC address of all hosts in the tables to a non-existent MAC address. All packets will be dropped, and nothing will get through.
How can ARP poisoning be prevented?
ARP poisoning can be prevented through the use of static ARP tables and static IP tables. These are set manually, and cannot be dynamically updated.
Another method would be limiting local access, keeping foreign hosts out.
What’s the downside of static IP and ARP tables?
They’re flat-out unwieldy for anything save small networks, as they’ll have to be updated constantly whenever the network structure changes.
What is the main access control threat to Ethernet LANs?
The main access control threat to Ethernet LANs is the act of people actually physically plugging in to an Ethernet port in the wall.
What is the main access control threat to wireless LANs? Why is it even more severe than that of an Ethernet LAN?
The main access control threat to wireless LANs is remote connection to an unsecured access point. This is more severe because the attacker does not even need to be inside the building physically, or even within sight.
Is eavesdropping usually a problem for wired LANs, wireless LANs, or both?
Eavesdropping is an issue for both wired and wireless LANs, provided the attacker gains access. The attacker can use a packet sniffer to intercept and read legitimate data (since encryption is rare on Ethernet). This is astonishingly easy on wireless LANs unless traffic is strongly encrypted.
Why is 802.1X called Port-Based Access Control?
802.1X makes the Ethernet workgroup switch the gateway to the network. From there, the user connects via UTP to a wall jack (or directly to the switch), to a specific port. Thus it is port-based.
In 802.1X, where is the heavy authentication done?
In 802.1X, the heavy authentication is done by a central authentication server, so as to not burden the switch.
What are three benefits of using a central authentication server with 802.1X?
Three benefits to the central authentication server are:
- Cost savings - Having a centralized authentication server means each switch is much easier to configure, and doesn’t need to be as beefy.
- Consistency - Credential checking will always be done the same way, no matter what workgroup switch someone connects to. Same database, every time.
- Immediate changes - Changes made to the central server echo out immediately. No updating one switch at a time.
In 802.1X, which device is the verifier?
Both the central auth server and the switch share the task of verifier.
In 802.1X, which device is the authenticator?
In 802.1X, the switch is the authenticator. The central auth server is the authentication server.
What does EAP stand for? What is it?
EAP stands for the Extensible Authentication Protocol. This is used to govern authentication interactions under 802.1X.
When does an EAP session start?
An EAP session starts when an Ethernet switch detects a connection on one of its ports.
Describe how the central authentication server tells the authenticator that the supplicant is acceptable.
When the supplicant successfully provides the authentication server with valid credentials, the authentication server sends an EAP Success message to the authenticator.
Once the authenticator has received an EAP Success message, how does it inform the supplicant?
When the supplicant is approved by the EAP Success message, the authenticator notifies the supplicant by a method outside the EAP protocol? I guess?
What does it mean that EAP is extensible?
EAP is called Extensible because it’s simple to add new authentication methods. The structure of EAP messages stays the same regardless of authentication method.
When a new authentication method is added to EAP, what device software must be changed to use the new method?
When a new authentication method is added to EAP, the device software of both the supplicant and “verifier” must be updated. The authenticator does not change in this instance, though, as it simply passes the EAP Request through, regardless of method.
Why is it important that authenticators do not need to be updated when authentication methods are added or removed?
Because a system could have dozens or hundreds or thousands of switches, and that’s a lot of work, yo.
What standard do most central authentication servers follow?
Most central authentication servers follow the RADIUS protocol.
How do EAP and RADIUS function together?
RADIUS provides not only authentication, but authorization and auditing. Authorization in this case can limit what servers the user can access, file directories, privileges, and so on. It can also audit connections, determining how long and where a particular computer was connected.
What is the most common attack against wireless networks? Why?
The most common attack against wireless networks is simple “unauthorized access”, connecting to a network without permission. This is because even if a network is not locked, it does not mean that you have authorization to use it.
What device acts as a relay between wireless and wired networks?
An access point acts as a relay between wireless and wired networks.
What is the typical range of a WLAN?
The range of a typical WLAN is 30 to 100 meters.
What is the difference between an open network and a private network?
An open network is one that can be legally accessed by anyone, whereas a private network is one that does not allow access unless specifically authorized, regardless of security.
What is a rogue access point? Who would set one up and why?
A rogue access point is an unauthorized access point set up by individuals or departments with little or no security. A hacker might set one up, giving them a clear avenue past border security and wireless security.
What is an example of internal and external harm caused by unauthorized wireless access?
An example of internal harm might be identity theft, or the planting of malware. An example of external harm might be downloading illegal content.
What man-in-the-middle attack is a danger to 802.11 WLANs? How?
The evil twin access point is a man-in-the-middle attack that threatens 802.11 WLANs. This is done by configuring a computer to disguise itself as a legitimate access point with a high-powered antenna (to trick clients into automatically connecting). This evil twin then pretends to be the client that has connected to it, and connects to the legitimate access point within the corporate walls, acting as the supplicant user.
What two types of attacks can an “evil twin” take part in?
The evil twin can either do the traditional “man-in-the-middle” snooping, or it can pretend to be the client and send attack packets.
Where are evil twins most commonly encountered?
Evil twins are most commonly encountered with public hot spots.
How can evil twins be combated?
The easiest way to combat the evil twin is by forcing users to connect to a VPN using a pre-shared secret, preventing the evil twin from intercepting it.
What is a wireless DoS attack?
A wireless DoS attack is exactly what it seems like; it’s a denial-of-service attack upon a wireless LAN, attempting to disrupt its availability.
What are the three main forms of the wireless DoS?
The three main forms of wireless denial of service are:
- Frequency Flooding - This is a crude but effective method, where the attacker floods the entire transmission frequency with electromagnetic interference (or noise), making packets unreadable. Shit like baby monitors can do this.
- Access Point Flooding - This is an attempt to overwhelm the access point with too much traffic, either a large number of packets or a smaller number of very large files.
- Send Attack Commands - The attacker can use specific packets or frames to disrupt the LAN, like sending spoofed “deauthenticate messages”, forcing people to disconnect.
What device can be used to identify a DoS flood if the entire frequency is being flooded?
A spectrum analyzer can be used to identify DoS floods, by recording all signals, including packet transmissions, within a given radio frequency band.
What commands can be sent to cause a wireless DoS attack?
The following commands make for effective wireless DoS attacks:
- Deauthenticate Commands - Causes users to be disconnected.
- Request-to-Send Frame - Causes a flood of Clear-to-Send frames.
- Clear-to-Send Frame - A CTS frame with a long transmission duration will force other clients to wait to transmit.
What is the main weakness of EAP in regards to wireless LANs?
EAP assumes that the connection between the supplicant and the authenticator is secure. Unlike Ethernet, it is not hard to “tap” a wireless connection.
What standard did the 802.3 Working Group create to extend 802.1X operations to WLANs for security for EAP?
The 802.3 Working Group created 802.11i to extend security for WLANs.
In 802.11i, what’s the difference between outer and inner authentication?
In the 802.11i standard, outer authentication is done via a digital certificate that is installed on the AP that is used. Inner authentication is done through the standard EAP protocol.
What two extended EAP protocols are popular today? How do they work?
The two most popular extended EAP protocols are EAP-TLS and protected EAP (PEAP).
EAP-TLS uses transport-level security, requiring the supplicant to have a digital certificate.
PEAP uses any authentication method specified in the EAP standard, and this is generally favored due to it being cheap and supported by Cisco.
Is 802.11i security strong?
802.11i is fairly strong; the two levels of authentication provide reasonable security.
What was the first core wireless security standard?
The first core wireless security standard was the Wired Equivalent Privacy standard, or WEP. It was tragically, fatally flawed.
What encryption algorithm does the WEP standard use?
The WEP standard uses shared-key encryption with the RC4 cipher.
Why are permanent shared keys undesirable?
Because they are easy to get passed around, and once cracked, they’re 100% worthless.
What per-frame key does a WEP computer or access point use to encrypt when it transmits?
The WEP standard uses an RC4 key plus a 24-bit initialization vector that changes from frame to frame. This still allows a bit of the shared key to leak, though. Still no good.
How long does it take to crack WEP today?
It takes a good 2-3 minutes to crack WEP today.
What’s the difference between WPA and WEP?
WPA uses a 48-bit initialization vector, to vastly reduce leakage, and it uses the Temporal Key Integrity Protocol (TKIP) for keying and rekeying. WEP does not.
What does the Wi-Fi Alliance call 802.11i?
The Wi-Fi Alliance calls 802.11i WPA2.
What weakness is there to WPA, and why do some companies continue to use it?
Thus far, the primary weakness to WPA is that the TKIP has been partially cracked. Companies do not shift away due to cost issues.
Why is 802.1X unsuitable for homes and small offices?
802.1X is unsuitable for homes and small offices because it requires a central authentication server, and would be extremely expensive to set up for a small number of computers.
What mode was created for homes or very small businesses with a single access point?
Both 802.11i and WPA offer “Pre-Shared Key” mode, or PSK. The problems with a shared key are far more avoidable in a small firm than a large company.
How do 802.11i and WPA bypass the issue with shared keys being easy for cryptanalysis to crack?
802.11i and WPA only use the shared key initially, for authentication, and briefly at that. After that happens, the access point sends the client an unshared session key.
How are PSK/personal keys generated?
PSK/personal keys are generated from passphrases that are provided to each piece of equipment. Long passphrases generate better keys.
How long must a passphrase be to generate an adequate key for PSK/personal keys?
A passphrase must be at least 20 characters long.