CH 03

The document provides an overview of basic networking concepts including common connectivity protocols like TCP, UDP, IP, ICMP, ARP, and NDP. It also discusses encryption protocols, application layer protocols, remote access protocols, IPv4 and IPv6 addressing, DNS, ports, firewalls, port scanners, network device types, and spanning tree protocol. The purpose is to review fundamental networking topics covered in the CompTIA Security+ certification exam.

Uploaded by Yusren Riziqi

Ch 3: Reviewing Basic Networking Concepts

CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide
Darril Gibson
Basic Connectivity Protocols
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
• IP (Internet Protocol)
• ICMP (Internet Control Message Protocol)
• ARP (Address Resolution Protocol)
• NDP (Neighbor Discovery Protocol)
TCP
• Connection-oriented: guaranteed delivery
• Three-way handshake
  • SYN
  • SYN/ACK
  • ACK
• SYN Flood Attack
  • Consumes server resources, creating a Denial of Service (DoS)
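The handshake and the flood in working form, as an added example that is not part of the slides: a server-side model of the half-open queue. Each SYN is answered with SYN/ACK and parked in the queue until the client's ACK arrives; a burst of SYNs that never complete fills the queue and later, legitimate SYNs are refused. The queue size and the event list are constructed for illustration.

```python
# Added example (not from the slides): a minimal model of the TCP three-way
# handshake as the server sees it, used to show how a SYN flood exhausts the
# half-open connection queue. The event list is constructed sample data.

BACKLOG_LIMIT = 4   # assumed tiny half-open queue so the exhaustion is visible


def track_handshakes(events, backlog_limit=BACKLOG_LIMIT):
    """events: list of (client, flag) in arrival order; flag is "SYN" or "ACK".

    A SYN places the client in the half-open queue (the server has answered
    SYN/ACK and is waiting for the client's ACK). The ACK completes the
    handshake. Returns (established, half_open, refused): clients whose
    handshake completed, clients still half-open at the end, and clients
    whose SYN was refused because the queue was full.
    """
    half_open = {}          # client -> True while waiting for the final ACK
    established = []
    refused = []
    for client, flag in events:
        if flag == "SYN":
            if client in half_open:
                continue                    # retransmitted SYN, already queued
            if len(half_open) >= backlog_limit:
                refused.append(client)      # queue full: this is the DoS effect
                continue
            half_open[client] = True        # server sent SYN/ACK, waits for ACK
        elif flag == "ACK" and client in half_open:
            del half_open[client]           # handshake complete
            established.append(client)
    return established, sorted(half_open), refused


def unanswered_syn_ratio(events):
    """Detection metric: fraction of SYNs never followed by an ACK from the
    same client. A normal mix sits near 0; a flood pushes it toward 1."""
    syns = completed = 0
    pending = set()
    for client, flag in events:
        if flag == "SYN":
            syns += 1
            pending.add(client)
        elif flag == "ACK" and client in pending:
            pending.discard(client)
            completed += 1
    return 0.0 if syns == 0 else (syns - completed) / syns


# Constructed events: one normal client completes its handshake, four spoofed
# sources send SYNs that are never acknowledged, then a second real client
# tries to connect and finds the queue full.
SAMPLE_EVENTS = [
    ("client-A", "SYN"), ("client-A", "ACK"),
    ("spoof-1", "SYN"), ("spoof-2", "SYN"), ("spoof-3", "SYN"), ("spoof-4", "SYN"),
    ("client-B", "SYN"),
]

if __name__ == "__main__":
    print(track_handshakes(SAMPLE_EVENTS))
    print(f"unanswered SYN ratio: {unanswered_syn_ratio(SAMPLE_EVENTS):.2f}")
```

The model leaves out the timeout that eventually evicts half-open entries; a flood simply sends SYNs faster than they expire. Production stacks avoid keeping per-SYN state with SYN cookies, which is why the ratio metric, not the queue itself, is what a monitoring system usually watches.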
UDP
• Connectionless
• No handshake
• No guarantee of delivery
• Often used for DoS attacks
IP
• Delivers packets to the specified computer by IP address
• IPv4: 32-bit address
  • 192.168.1.1
• IPv6: 128-bit address
  • fe80:0:0:0:462a:60ff:fef6:278a
ICMP
• Connectivity tests
  • Ping
  • Pathping
  • Tracert
• Used in DoS attacks
• Blocked by default by the Windows firewall in XP SP2 and later
ARP
• Finds the MAC address for an IP address
• ARP Poisoning
  • Sends false ARP messages
  • Redirects traffic on a LAN
  • Commonly used for Man-in-the-Middle attacks
NDP
• Replaces ARP for IPv6
• Used for address autoconfiguration
• Can be used for man-in-the-middle and DoS attacks on a LAN
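The defender's side of the ARP poisoning described above, as an added example that is not part of the slides: a passive monitor that learns IP-to-MAC bindings from ARP replies and alerts when a known IP suddenly answers from a different MAC, or when one MAC claims more addresses than a single host normally would. The reply list is constructed, not captured traffic, and the per-MAC threshold is an assumption.

```python
# Added example (not from the slides): a passive ARP monitor in the spirit of
# tools like arpwatch. It records the IP-to-MAC binding announced in each ARP
# reply and raises an alert when an IP it already knows suddenly maps to a
# different MAC, or when one MAC claims more IPs than a host normally would.
# Both are the visible side effects of ARP poisoning on a LAN.
# The reply list is constructed sample data, not captured traffic.
from collections import defaultdict


def monitor_arp(replies, max_ips_per_mac=2):
    """replies: iterable of (sender_ip, sender_mac) taken from ARP replies,
    in arrival order. Returns the list of alert strings raised."""
    ip_to_mac = {}                      # current binding per IP
    mac_to_ips = defaultdict(set)       # IPs each MAC has claimed so far
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"binding change: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:   # alert once, on crossing
            alerts.append(f"one MAC claims many IPs: {mac} -> {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed replies: the gateway (.1) and two hosts announce themselves,
# then a third station starts answering for all three addresses.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:0A"),
    ("192.168.1.11", "00:11:22:33:44:0B"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP now claimed by another MAC
    ("192.168.1.10", "de:ad:be:ef:00:01"),   # and both hosts' IPs as well
    ("192.168.1.11", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE_REPLIES):
        print(alert)
```

A router or a host with several virtual IPs legitimately answers for more than one address, so the per-MAC threshold should be tuned per segment; the binding-change alert is the stronger signal, and static entries for the gateway (or Dynamic ARP Inspection on the switch) are the usual mitigation.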
Encryption Protocols
• SSH (Secure Shell) and SCP (Secure Copy)
• SSL (Secure Sockets Layer)
• TLS (Transport Layer Security)
• IPSec (Internet Protocol Security)
SSH
• Used to encrypt Telnet
  • Telnet lacks encryption and uses port TCP 23
• Also used for Secure Copy Protocol (SCP)
• Runs on port TCP 22
SSL
• Can be used to encrypt HTTP traffic, as HTTPS
  • Port TCP 443
• Can also secure LDAP as LDAPS
  • Port TCP 636
• SSL is old and has security weaknesses
TLS
• Replacement for SSL
• Runs on the same ports
  • HTTPS on TCP 443
  • LDAPS on TCP 636
IPSec
• Native to IPv6 but back-ported to IPv4
• Encapsulates and encrypts IP packets
• Two components
  • AH (Authentication Header)
    • Protocol ID 51 (neither TCP nor UDP)
  • ESP (Encapsulating Security Payload)
    • Protocol ID 50
Application Protocols
• HTTP (Hypertext Transfer Protocol)
• HTTPS (HTTP Secure)
• FTP (File Transfer Protocol)
• SFTP (Secure FTP)
• FTPS (FTP Secure)
• TFTP (Trivial File Transfer Protocol)
• Telnet
• SNMP (Simple Network Management Protocol)
• NetBIOS (Network Basic Input/Output System)
• LDAP (Lightweight Directory Access Protocol)
• Kerberos
• SQL Server (Structured Query Language)
• RDP (Remote Desktop Protocol)
  • Used by Terminal Services
  • Also called Remote Desktop Service or Remote Administration
HTTP
• Normal Web browser traffic
• Port TCP 80
• Not encrypted
HTTPS
• Encrypts traffic
• Guarantees identity of server
• Displays a padlock in the Web browser and HTTPS at the start of the URL
• Uses SSL or TLS, port TCP 443
FTP
• Upload or download files
• Data in cleartext, including passwords
• Active mode
  • Ports TCP 20 for data and TCP 21 for control
• Passive mode
  • Random port for data and TCP 21 for control
SFTP and FTPS
• SFTP
  • FTP over SSH
  • Port TCP 22
• FTPS
  • FTP over SSL or TLS
  • Ports TCP 989 and 990
TFTP
• Uses UDP port 69
• No authentication at all
• Used for IP phone and router firmware updates
• Many attacks have used it
Telnet
• Used to send command lines to remote systems
• Uses no encryption, not even for passwords
• Port TCP 23
SNMP
• Used to monitor and manage network devices like routers, switches, and firewalls
• Sends traps: signals notifying management systems of their status
• Port UDP 161
• SNMPv1 and v2 sent "community strings" (passwords) in cleartext
• SNMPv3 encrypts passwords
NetBIOS
• Used to resolve Windows computer names like SERVER1 to IP addresses on Local Area Networks
• A legacy protocol, replaced by DNS on most modern networks
• Still used by Windows
• Ports 137-139, both TCP and UDP
LDAP
• Used for directories of users and objects on networks, including
  • Microsoft Active Directory
  • Novell Netware Directory Services
• Port TCP 389 (unencrypted)
• Port TCP 636 (LDAPS, encrypted)
Kerberos
• Uses tickets for authentication
• Used in Windows domains and some Unix environments
• Port 88, both TCP and UDP
SQL Server
• Manages databases
• Often holds SSNs, email addresses, account numbers, and other PII (Personally Identifiable Information)
• Commonly hacked via SQL Injection
• Port TCP 1433 (also UDP 1434)
RDP
• Remotely control a Windows computer
• Service is called "Remote Administration", "Terminal Services", or "Remote Desktop"
• Port TCP 3389
• Also used by Remote Assistance
Email Protocols
• SMTP (Simple Mail Transfer Protocol)
  • Sends mail to other email servers
  • Port TCP 25
• POP3 (Post Office Protocol v3)
  • Moves incoming email to your local Inbox in clients like Outlook
  • Port TCP 110
• IMAP4 (Internet Message Access Protocol v4)
  • Moves incoming email to your local Inbox in clients like Outlook, or lets you view it on the server
  • Port TCP 143
Remote Access Protocols
• PPP (Point-to-Point Protocol)
• IPSec (Internet Protocol Security)
• PPTP (Point-to-Point Tunneling Protocol)
• L2TP (Layer 2 Tunneling Protocol)
• RADIUS (Remote Authentication Dial-in User Service)
• TACACS (Terminal Access Controller Access-Control System)
• TACACS+
PPP
• Used to create dial-up connections to a server
• Commonly used by clients to connect to an ISP
IPSec
• Can be used as a remote access tunneling protocol
  • To encrypt traffic, forming secure connections over the Internet
• Uses IKE (Internet Key Exchange) over port UDP 500
PPTP
• Old VPN (Virtual Private Network) protocol
• Included in Microsoft Windows
• Has serious security flaws
• Still commonly used
• Port TCP 1723
L2TP
• Combines Microsoft's PPTP with Cisco's L2F
• Often combined with IPSec for encryption
• Port UDP 1701
RADIUS
• Central authentication for remote access clients
• Encrypts passwords only
TACACS / XTACACS
• Older network authentication protocols
  • TACACS is generic
  • XTACACS is Cisco proprietary
• Port UDP 49 for both TACACS and XTACACS
TACACS+
• Used by Cisco VPN concentrators
• Encrypts the entire authentication process
• Multiple challenge responses for Authentication, Authorization, and Accounting (AAA)
• Port TCP 49
IPv4, IPv6, and Subnetting
• See Binary Games in Projects (Extra Credit)
DNS
• Resolves host names like www.ccsf.edu into IP addresses like 147.144.1.212
• Ports UDP 53 and TCP 53
• Many security problems, which will be improved by switching to DNSSEC
Basic DNS Query
• Client → DNS Server: "What is the address of yahoo.com?"
• DNS Server → Client: "A record is 98.138.253.109"
• Usually uses UDP port 53
• For large responses, may use TCP port 53
DNS Records
• A: IPv4 address
• AAAA: IPv6 address
• PTR: Pointer record
  • Used for reverse DNS lookups
  • Commonly used to block spam email
• MX: Mail Exchange
• CNAME: Canonical Name
  • Alternate name for a server
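The query and response from the Basic DNS Query slide in wire format, as an added example that is not part of the slides: it builds the A-record query for yahoo.com that would be sent over UDP port 53, and parses a response of the kind the server returns, including the name-compression pointers real responses use and the TC (truncated) flag that tells a client to retry over TCP 53. The response bytes are constructed here to match the slide's 98.138.253.109 answer; nothing is sent on the network.

```python
# Added example (not from the slides): build a DNS query for an A record and
# parse a DNS response, both in the wire format carried over UDP port 53.
# The response is constructed to look like the exchange in the slide
# (yahoo.com -> 98.138.253.109); nothing is sent on the network.
import struct

RECORD_TYPES = {1: "A", 5: "CNAME", 12: "PTR", 15: "MX", 28: "AAAA"}
TC_FLAG = 0x0200   # "truncated": the answer did not fit in the UDP reply


def encode_name(name):
    """'yahoo.com' -> b'\\x05yahoo\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    # Header: id, flags (RD=1, recursion desired), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def decode_name(msg, offset):
    """Read a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2                       # the name occupies 2 bytes here
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "rcode": flags & 0x000F,
              "truncated": bool(flags & TC_FLAG),     # if set, retry over TCP 53
              "answers": []}
    offset = 12
    for _ in range(qdcount):                          # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                                   # qtype + qclass
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (5, 12):                        # CNAME and PTR carry a name
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        result["answers"].append((name, RECORD_TYPES.get(rtype, str(rtype)), ttl, value))
    return result


def build_sample_response(query, truncated=False):
    """Constructed reply: same id, flags QR|RD|RA (plus TC on request), the
    question echoed, and one A answer whose name is a pointer (0xC00C) back
    to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (TC_FLAG if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([98, 138, 253, 109])
    return header + query[12:] + answer


if __name__ == "__main__":
    query = build_query("yahoo.com")
    print(parse_response(build_sample_response(query)))
```

A resolver that sends this query over a UDP socket would check that the reply's id matches the query's before trusting it; a zone transfer (AXFR) and any reply with TC set are the cases where the same parser is run over a TCP 53 stream instead, where each message is prefixed by a two-byte length.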
DNS Server Software
• Berkeley Internet Name Domain (BIND)
  • Most common, runs on Unix and Linux
• Microsoft DNS
  • Used in Windows domains
• Incredibly out-of-date and inefficient
• Creates a large amount of junk traffic on the Internet
• Details in CNIT 40: DNS Security
DNS Zone Transfer
• Sends all information from a DNS server to the requester over TCP port 53
• A security risk
• Should only be allowed to trusted IP addresses
Dan Kaminsky
• World-famous DNS expert
• Found a serious flaw that enabled him to redirect Internet traffic
• Kept it secret till Microsoft and other vendors patched it
• Testified before Congress
• Link Ch 3a
Ports
• 0-1023: Well-known ports
• 1024-49151: Registered ports
  • Registered by IANA for convenience
  • Example: SQL Server on 1433
• 49152-65535: Dynamic and private ports
  • "Ephemeral" ports for temporary use by any application
Demo: Telnet to 147.144.1.2
Firewalls
• Block ports by protocol and number
• For example, allowing TCP 80 but blocking UDP 69
Port Scanners
• Find open, closed, or filtered ports
• Nmap
Comparing Ports and Protocol IDs
• TCP and UDP use ports
• There are other protocols that don't use ports, such as
  • ICMP
  • ESP
  • AH
IPv4 Header
• Protocol is an 8-bit value in the header
  • 6 for TCP
  • 17 for UDP
• Same values for IPv6
• Image from Wikipedia
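The protocol field and the ports-versus-protocol-IDs distinction in code, as an added example that is not part of the slides: a parser that reads an Ethernet frame, verifies the IPv4 header checksum, reports the 8-bit protocol number (6, 17, 1, 50, 51) and extracts port numbers only when the protocol is TCP or UDP, since ICMP, ESP and AH have none. It goes slightly beyond the slide by also stripping an 802.1Q VLAN tag when one is present. All frames are built in the file from constructed addresses.

```python
# Added example (not from the slides): parse an Ethernet frame down to the
# IPv4 protocol field and, for TCP and UDP only, the port numbers. The frames
# are constructed in this file; the parser also strips an 802.1Q VLAN tag if
# one is present.
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def ipv4_checksum(header):
    """One's-complement sum over the header; returns 0 when a header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet):
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    info = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "protocol": proto,                           # the 8-bit protocol field
        "protocol_name": PROTOCOL_NAMES.get(proto, f"proto-{proto}"),
    }
    payload = packet[ihl:total_len]
    if proto in (6, 17) and len(payload) >= 4:       # only TCP and UDP carry ports
        info["src_port"], info["dst_port"] = struct.unpack("!HH", payload[:4])
    return info


def parse_frame(frame):
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:                          # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        return {"vlan": vlan, "ethertype": ethertype}
    info = parse_ipv4(frame[offset:])
    info["vlan"] = vlan
    return info


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(proto, src, dst, payload):
    """Constructed 20-byte header (no options) with a correct checksum."""
    def header(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                           0x4000, 64, proto, csum, _ip_bytes(src), _ip_bytes(dst))
    return header(ipv4_checksum(header(0))) + payload


def build_frame(ip_packet, vlan=None):
    frame = bytes.fromhex("001122334401") + bytes.fromhex("00112233440a")   # dst, src MAC
    if vlan is not None:
        frame += struct.pack("!HH", 0x8100, vlan)
    return frame + struct.pack("!H", 0x0800) + ip_packet


# Constructed sample frames: an HTTP SYN on VLAN 16, a TFTP request, an ICMP
# echo request, and an ESP packet (which has no ports at all).
SAMPLE_FRAMES = {
    "tcp_http": build_frame(build_ipv4(6, "192.168.1.10", "147.144.1.212",
                struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)), vlan=16),
    "udp_tftp": build_frame(build_ipv4(17, "192.168.1.10", "192.168.1.1",
                struct.pack("!HHHH", 50000, 69, 8, 0))),
    "icmp_echo": build_frame(build_ipv4(1, "192.168.1.10", "192.168.1.1",
                 struct.pack("!BBHHH", 8, 0, 0, 1, 1))),
    "esp": build_frame(build_ipv4(50, "192.168.1.10", "203.0.113.5", b"\x00" * 8)),
}

if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES.items():
        print(label, parse_frame(frame))
```

A firewall rule such as "allow TCP 80" is evaluated on exactly these fields; a rule written in terms of ports cannot match ESP or AH, which is why IPSec pass-through has to be expressed by protocol number 50 or 51 instead.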
Understanding Basic Network Devices
IP Address Types
• Unicast
  • One sender, one receiver
  • The most common type
• Broadcast
  • One sender to all devices on a LAN
  • IP 255.255.255.255 sends to all devices on a LAN
  • 147.144.255.255 sends to all devices in the 147.144.0.0 network
Hub
• Common on old 10 Mbps LANs
• Zero intelligence
• Whatever comes in on a port goes out all other ports
• Each user can sniff traffic intended for others
Physical Port v. Logical Port
• Physical port is a socket you can plug a cable into
• Logical port is a number used to direct TCP or UDP traffic
Switch
• Replaces hubs in almost all LANs now
• Learns which devices are connected to each port
• Sends traffic only to the correct port, after learning where the devices are
• At first, it acts like a hub while learning
• Image from Cisco
Security Benefits of Switches
• Reduces the threat of sniffing attacks
  • Because devices don't get other devices' traffic
• Can be defeated by flooding with random MAC addresses
  • Switch runs out of RAM for the switching table and acts like a hub instead
• Can also be defeated by ARP poisoning
Physical Security of a Switch
• Put the switch in a locked wiring closet
• Prevents an attacker from accessing:
  • Console port used to manage the switch
  • Monitor port used to sniff all traffic
STP (Spanning Tree Protocol)
• If wires allow traffic to flow in loops, this can lead to a broadcast storm
• To prevent this, switches use
  • STP (Spanning Tree Protocol) or
  • RSTP (Rapid Spanning Tree Protocol)
• Blocks unneeded ports to prevent loops
• Included in all switches and on by default
VLAN (Virtual Local Area Network)
• At CCSF, the CNIT Dept. computers are in several different rooms and buildings
  • SCIE 37, CLOU 218, SCIE 214, etc.
• But they are all in the same subnet and see one another as on the same LAN
• Switches sort traffic by adding a VLAN tag to each Ethernet frame
Port Security
• Only allow a device with the approved MAC address to connect to each port
• Common in wireless and wired networks
• BUT: MAC addresses can be sniffed and spoofed
  • They are transmitted in plaintext with each frame
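The Switch, Security Benefits of Switches and Port Security slides in one runnable model, as an added example that is not part of the slides: a toy switch with a MAC-to-port table of fixed size. It floods unknown destinations like a hub, stops learning once the table is full so that new hosts' traffic floods as well, and, when a per-port MAC limit is set (the port security control), shuts down a port that presents too many source addresses. The table capacity, the port count and all MAC addresses are constructed for illustration.

```python
# Added example (not from the slides): a toy model of a switch's MAC-to-port
# (CAM) table showing the behaviours described in the slides: an unknown
# destination is flooded out every other port like a hub, and once the table
# is full new hosts cannot be learned, so their traffic floods too. The
# max_macs_per_port option models port security: a port that presents more
# MAC addresses than allowed is shut down. All addresses are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, table_capacity, max_macs_per_port=None):
        self.ports = set(ports)
        self.capacity = table_capacity          # assumed tiny so it fills quickly
        self.max_macs = max_macs_per_port       # None = port security off
        self.table = {}                         # mac -> port
        self.shutdown = set()                   # ports closed by port security
        self.violations = []                    # (port, offending mac)

    def _learn(self, in_port, src_mac):
        """Record where src_mac lives; returns False if port security tripped."""
        if src_mac in self.table:
            return True
        if self.max_macs is not None:
            on_port = sum(1 for p in self.table.values() if p == in_port)
            if on_port >= self.max_macs:
                self.shutdown.add(in_port)
                self.violations.append((in_port, src_mac))
                return False
        if len(self.table) < self.capacity:     # a full table silently stops learning
            self.table[src_mac] = in_port
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Returns the set of ports the frame is sent out of."""
        if in_port in self.shutdown or not self._learn(in_port, src_mac):
            return set()
        out_port = self.table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:   # unknown: act like a hub
            return self.ports - {in_port} - self.shutdown
        if out_port == in_port:                         # same segment: filtered
            return set()
        return {out_port}


HOST_A, HOST_B = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"


def demo(max_macs_per_port=None):
    """A station on port 3 sends frames from five made-up source MACs, then
    host A (port 1) and host B (port 2) exchange frames. Returns the ports
    B's reply reaches and the ports shut down by port security."""
    sw = Switch(ports=[1, 2, 3], table_capacity=3, max_macs_per_port=max_macs_per_port)
    for i in range(5):
        sw.forward(3, f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    sw.forward(1, HOST_A, HOST_B)
    reply_ports = sw.forward(2, HOST_B, HOST_A)
    return reply_ports, sorted(sw.shutdown)


if __name__ == "__main__":
    print("no port security:", demo())            # B's reply also leaks to port 3
    print("max 1 MAC per port:", demo(1))         # port 3 shut, reply only to port 1
```

Without the limit the table fills with the five made-up addresses and A and B are never learned, so B's reply floods to port 3 as well; with one MAC allowed per port, the second address on port 3 shuts it down and A and B are learned normally. Real switches also age entries out, which is why a flood has to be sustained to keep the table full.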
802.1x Port Security
• Requires authentication from a user before connecting them to the LAN
• Can be used in wireless and wired networks
• Uses a RADIUS server to store credentials for each user
• Supports Extensible Authentication Protocol (EAP), which can use multiple authentication methods, including digital certificates
Router
• Connects network segments together
  • For example, a LAN to the Internet
• Doesn't forward broadcasts
  • Reduces "noise" traffic on segments
• Computers can act as routers
  • But most networks use hardware routers
• Image from Cisco
ACLs (Access Control Lists)
• Packet filtering
• Traffic that is not allowed is usually discarded
Routers and Firewalls
• Routers can filter traffic in simple ways
  • By protocol, port, or address
• Early firewalls filtered the same way
• Firewalls are much more advanced now
Home Router
• You can also use a router or residential gateway, which typically adds network address translation (NAT) capabilities and security features
Firewall
• Filters traffic, both inbound and outbound
• Host-based Firewall
  • Protects a single host from intrusion
  • Example: Windows Firewall
• Network-based Firewall
  • Protects a whole network
• Image from Palo Alto Networks
Firewall Rules
• For simple packet filtering, they are similar to router access lists
• Uses a "deny any any" rule at the end for implicit deny
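A first-match packet filter covering the Ports, Firewalls, ACLs and Firewall Rules slides, as an added example that is not part of the slides: rules are evaluated in order, the first match decides, and a packet that matches nothing falls to the implicit deny, which the last rule can also state explicitly so that it is logged. The rule set, the packets and the 203.0.113.0/24 and 198.51.100.0/24 documentation prefixes are constructed for illustration.

```python
# Added example (not from the slides): a first-match packet filter of the kind
# the Ports, Firewalls, ACLs and Firewall Rules slides describe. Rules are
# evaluated in order, the first match decides, and a packet that matches
# nothing hits the implicit "deny any any". The rule set and the packets are
# constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes.
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", "icmp" or "any"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    dport: Optional[int]    # destination port; None = any (ICMP has no port)


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def port_class(port):
    """IANA port ranges from the Ports slide."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a port number: {port}")


def _addr_matches(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt):
    """Returns (action, index of the matching rule); index None = implicit deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None                              # implicit deny any any


# Constructed rule set: allow HTTP and HTTPS to one server and explicitly block
# TFTP (UDP 69). Everything else is left to the implicit deny.
RULES = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", 80),
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),
    Rule("deny", "udp", "any", "any", 69),
]
# The same effect stated explicitly, so that the hit can be logged and counted.
DENY_ANY_ANY = Rule("deny", "any", "any", "any", None)

SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "203.0.113.10", 80),     # web: permitted
    Packet("udp", "198.51.100.7", "203.0.113.10", 69),     # TFTP: explicit deny
    Packet("tcp", "198.51.100.7", "203.0.113.10", 23),     # Telnet: implicit deny
    Packet("icmp", "198.51.100.7", "203.0.113.10"),        # ping: implicit deny
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", evaluate(RULES + [DENY_ANY_ANY], pkt))
```

Because evaluation stops at the first match, a broad permit placed above a narrow deny hides the deny entirely; reviewing an ACL therefore means reading it top to bottom in the same order the filter does.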
Web Application Firewall
• Specifically designed to stop SQL Injection and other Web App attacks
  • Including the NOP sled, commonly used in buffer overflow attacks
• Example: ModSecurity for Apache
Advanced Firewalls
• First generation
  • Filters packets with ACLs
• Second generation
  • Stateful inspection
  • Packets in ESTABLISHED sessions can be treated differently
• Third generation
  • Layer 7 inspection, such as a WAF
Next-Generation Firewalls
• Integrate with Active Directory domains
• Recognize traffic regardless of port
  • BitTorrent
  • Facebook
  • Streaming media
  • Games
• Included in Unified Threat Management appliances
Firewall Logs and Log Analysis
• Firewalls log all blocked traffic, all allowed traffic, or both
• Splunk (Link Ch 3b)
• AlienVault OSSIM (Link Ch 3c)
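What log analysis over firewall records looks like at the smallest scale, as an added example that is not part of the slides: a parser for a simple deny/allow line format and a summary that counts denied packets per source and flags sources denied on many distinct destination ports, which is the footprint a port scanner leaves in a firewall log. The line format, the log lines and the threshold are constructed for this example and do not follow any vendor's real format.

```python
# Added example (not from the slides): a small analysis pass over firewall log
# lines, of the kind a SIEM such as Splunk or OSSIM does at scale. It counts
# denied packets per source and flags sources that were denied on many
# distinct destination ports, a common sign of a port scan. The log format and
# the lines themselves are constructed for this example, not a vendor format.
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_line(line):
    """Returns a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None   # ICMP has none
    return rec


def summarize(lines, scan_threshold=5):
    """scan_threshold: distinct denied destination ports from one source that
    count as a scan (an assumed value; tune it to the network's baseline)."""
    denied_by_src = Counter()
    denied_ports_by_src = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1                       # never let a bad line stop the pass
            continue
        if rec["action"] != "DENY":
            continue
        denied_by_src[rec["src"]] += 1
        if rec["dport"] is not None:
            denied_ports_by_src[rec["src"]].add(rec["dport"])
    scanners = sorted(src for src, ports in denied_ports_by_src.items()
                      if len(ports) >= scan_threshold)
    return {"denied_by_src": dict(denied_by_src),
            "scanners": scanners,
            "unparsed": unparsed}


# Constructed log: one source probes six different ports, another retries TFTP
# and pings, and one line is garbage.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY TCP 198.51.100.7:40001 -> 203.0.113.10:21
2024-05-01T10:00:01 DENY TCP 198.51.100.7:40002 -> 203.0.113.10:22
2024-05-01T10:00:01 DENY TCP 198.51.100.7:40003 -> 203.0.113.10:23
2024-05-01T10:00:02 DENY TCP 198.51.100.7:40004 -> 203.0.113.10:25
2024-05-01T10:00:02 ALLOW TCP 198.51.100.7:40005 -> 203.0.113.10:80
2024-05-01T10:00:02 DENY TCP 198.51.100.7:40006 -> 203.0.113.10:443
2024-05-01T10:00:02 DENY TCP 198.51.100.7:40007 -> 203.0.113.10:3389
2024-05-01T10:00:03 ALLOW TCP 192.0.2.3:51000 -> 203.0.113.10:80
2024-05-01T10:00:04 DENY UDP 192.0.2.9:50000 -> 203.0.113.10:69
2024-05-01T10:00:05 DENY UDP 192.0.2.9:50001 -> 203.0.113.10:69
2024-05-01T10:00:06 DENY ICMP 192.0.2.9 -> 203.0.113.10
this line is garbage and must not crash the parser
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Logging only denied traffic is enough for this particular signal, but the ALLOW line in the sample shows why both are worth keeping: the one port the scanner found open is invisible in a deny-only log.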
Network Separation
• Use routers, VLANs, and firewalls to control traffic flow
• For example, at CCSF, these network segments are separated
  • Accounting
  • Administration
  • Student labs
  • Wireless
Protecting the Network Perimeter
DMZ (Demilitarized Zone)
• A semi-trusted zone between a private network and the Internet
• Provides defense in depth for the internal network
Public and Private IPv4 Addresses
• Public IP addresses are used to send and receive Internet traffic
• They aren't free, but leased from Internet Service Providers
• Private addresses can't be used on the Internet, but are free for use on private networks
RFC 1918 Private Addresses
• 10.0.0.1 – 10.255.255.254
• 172.16.0.1 – 172.31.255.254
• 192.168.0.1 – 192.168.255.254
NAT (Network Address Translation)
• NAT allows many clients to share a single public IP address
  • By also performing PAT (Port Address Translation)
• Cost savings
• Hides local IP addresses
  • Provides some protection
  • Users can't run unauthorized servers
• NAT breaks some network services
  • IPSec and many others
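The RFC 1918 ranges and the NAT/PAT behaviour from the last two slides in code, as an added example that is not part of the slides: an address check built on Python's standard ipaddress module, and a toy translation table that gives each outbound private flow its own public port, maps replies back, and drops unsolicited inbound packets (which is why a server on a private host is unreachable from outside). The public address 203.0.113.5 is a documentation address standing in for a leased one, and the client addresses are constructed.

```python
# Added example (not from the slides): an RFC 1918 check built on the standard
# library, plus a toy PAT (port address translation) table showing how many
# private clients share one public address and why an outside host cannot
# reach an internal server unsolicited. Addresses are constructed; 203.0.113.5
# is a documentation address standing in for a leased public IP.
import ipaddress
from itertools import count

# RFC 1918 blocks as prefixes: 10/8, 172.16/12 (172.16.0.0 to 172.31.255.255)
# and 192.168/16.
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918_NETWORKS)


class PatGateway:
    """One public IP; each outbound (private ip, port, proto) flow gets its own
    public port from the dynamic range so that replies can be mapped back."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self._ports = count(first_port)     # hands out 49152, 49153, ... in turn
        self.outbound = {}     # (priv_ip, priv_port, proto) -> public_port
        self.inbound = {}      # (public_port, proto) -> (priv_ip, priv_port)

    def translate_outbound(self, src_ip, src_port, proto="tcp"):
        """Rewrite the source of an outgoing packet; returns (public ip, port).
        An existing flow keeps its mapping so its replies stay routable."""
        key = (src_ip, src_port, proto)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[(public_port, proto)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, dst_port, proto="tcp"):
        """Returns (private ip, port) for a known flow, or None: with no
        mapping the gateway drops the packet, which is why a server run on a
        private host is unreachable from outside unless a forward is configured."""
        return self.inbound.get((dst_port, proto))


def demo():
    """Two clients that happen to use the same private source port share one
    public address; a reply finds the right one, an unsolicited SSH probe does not."""
    gw = PatGateway("203.0.113.5")
    first = gw.translate_outbound("192.168.1.10", 51000)
    second = gw.translate_outbound("192.168.1.11", 51000)
    reply_target = gw.translate_inbound(second[1])
    unsolicited = gw.translate_inbound(22)
    return first, second, reply_target, unsolicited


if __name__ == "__main__":
    print(demo())
```

Since PAT rewrites the IP addresses and the TCP/UDP ports, anything that authenticates those headers or embeds them in its payload breaks unless the gateway understands it: IPSec AH fails outright because it authenticates the IP header, and protocols such as active-mode FTP need a helper on the gateway.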
Proxy Server
• Clients cannot connect directly to the Internet
• Requests go to the proxy, which fetches the content (if it's permitted)
Caching Proxy
• If many clients request the same page
  • Such as yahoo.com
• The proxy only fetches one copy, and distributes it to all the clients
• Makes the network seem faster
Unified Threat Management
• Web Security Gateway or UTM Security Appliances
• Combines many security functions, such as
  • URL filtering
  • Firewall
  • Antivirus
  • Spam-blocking
  • Content filtering
  • Data Loss Prevention (DLP)
Spam Filters
• Google's Postini is very good too
OSI Model
• Image from Wikipedia