Chapter 3: Exploring Networking Tech and Tools
Basic Networking Protocols
UDP (User Datagram Protocol)
no error-correction (unlike TCP), so less reliable
common in DoS attacks
not connection-oriented (unlike TCP)
faster than TCP
examples of apps using UDP
DHCP
TFTP (Trivial File Transfer Protocol)
a lot of streaming audio and video, like VoIP, where RTP and SRTP run over UDP
RTP vs SRTP (Secure Real-time Transport Protocol)
SRTP is encrypted, uses authentication and provides integrity, so protecting against replay attacks
ICMP (Internet Control Message Protocol)
example apps
ping
pathping
tracert
other basic connectivity testing apps
often used in DoS attacks
so some firewalls and routers block it to stop attacks
also used for identifying devices in a network, through pings to every IP in a subnet
ergo, innocent pings also get no response
ARP
resolves IPv4 addresses to MAC addresses
:explode: ARP poisoning of ARP tables :explode:
used to redirect or interrupt traffic
IP (Internet Protocol)
identifies hosts using IP addresses and uses these to direct delivery of packets
IPv4 addresses are 32 bits
e.g. 192.22.233.01
public addresses are purchased
private addresses
:no_entry: these are reserved
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
routers on the internet reject (drop) traffic from private addresses
running out of addresses, with the last block assigned in 2011
NAT partly solves this, but IPv6 also
IPv4 sends traffic in 2 ways
Unicast: one-to-one traffic
other hosts will see the packet but will ignore it
Broadcast: one-to-many traffic
sent using a broadcast address like 255.255.255.255
every host that receives it will process it
switches pass broadcast traffic but routers don't
IPv6
IPv6 addresses are 128 bits
represented in hexadecimal as eight 16-bit sections
e.g. FE80:0000:0000:0000:20D4:3FF7:003F:DE62
i.e. every section is between 0000 and FFFF
instead of private IPs, IPv6 has (unique) local addresses
these start with fc00
solves the IPv4 problem of the number of addresses
short notation for a run of sections that are all zero is ::
FFFF:: says that the last 7 sections are 0000
FFFF:2222:3435::5555:1111 says the 4th to 6th sections are 0000
NDP (Neighbour Discovery Protocol)
used on IPv6
function similar to ARP
autoconfigures device IPv6 addresses
discovers other IPv6 devices on the network
TCP (Transmission Control Protocol)
connection-oriented
connections established using a 3-way handshake
slower than UDP
error-correction (unlike UDP), so more reliable
most popular protocol
Protocols for transferring files
FTP (File Transfer Protocol)
FTP is not encrypted
Active mode
Port 20 for data
Port 21 for control signals
server initiates the data connection
Passive mode
random port for data
Port 21 for control signals
client initiates the data connection
SFTP
uses SSH to encrypt
FTPS
uses TLS to encrypt
TFTP (Trivial File Transfer Protocol)
UDP port 69
used for smaller amounts of data than FTP
used in many attacks
not essential, so disabled on many networks
SSH (Secure Shell)
TCP port 22
provides encryption
can encrypt other protocols like FTP (e.g. SFTP)
used by SCP (Secure Copy)
replacement for Telnet for remote admin of systems
SSL (Secure Sockets Layer)
:explode: Compromised! :explode:
used before TLS to provide encryption for HTTPS
provided encryption for other things like SMTP and LDAP
no longer maintained or patched
TLS (Transport Layer Security)
replacement for SSL
many protocols using TLS use STARTTLS
STARTTLS allows the encrypted version of a protocol to use the same port as the unencrypted version
IPsec (Internet Protocol Security)
encrypts traffic
built into IPv6, but works with IPv4
main components
Authentication Header (AH): protocol ID number 51
Encapsulating Security Payload (ESP): protocol ID number 50
uses Internet Key Exchange (IKE) over UDP port 500 to create the security association for the VPN
Email protocols
SMTP - Simple Mail Transfer Protocol
unencrypted uses port 25
with TLS or SSL uses port 465
POP3 - Post Office Protocol
without encryption port 110
with SSL or TLS port 995
STARTTLS recommended
IMAP4 - Internet Message Access Protocol
without encryption port 143
with TLS/SSL port 993
STARTTLS recommended
NTP (Network Time Protocol)
allows hosts to sync time with each other to within milliseconds
SNTP (Simple Network Time Protocol): stripped-down version
DHCP (Dynamic Host Configuration Protocol)
automatically assigns IP addresses and other configs (subnet mask, default gateway, DNS server etc.) to hosts on a network
DNS (Domain Name System)
resolves domain names to IP addresses
vulnerable to DNS poisoning, where DNS records or the DNS cache are changed to add a bogus IP to maliciously redirect users
DNSSEC - Domain Name System Security Extensions
main defence against DNS poisoning
suite of extensions that validate DNS responses
i.e. digital signatures provide data integrity, so you know the records haven't been messed with
can configure a DNS server to only accept secure zone transfers
DNS Servers
records of DNS mapping are held on DNS servers in 'zones'
DNS servers sometimes exchange information using 'zone transfers'
DNS servers use lots of caching, which is why DNS propagation can take up to a few days
DNS record types
A record: resolves a host name to an IP address, for IPv4
AAAA record: same as an A record but for IPv6
TXT record: whatever you want; often used for verification, e.g. Google Search Console
CNAME (Canonical Name, aka ALIAS): resolves subdomains (e.g. www) to domains
useful because it means you just have to change one A record if you move site
PTR: reverse of an A record
this is optional, which is why a reverse lookup might fail
MX (Mail Exchange or Exchanger): says which mail server to use for email
SOA (Start of Authority): includes info about the DNS zone and its settings, such as TTL - Time to Live (how long to cache stuff for)
TTL
in seconds
lower means records are renewed more often
most run BIND (Berkeley Internet Name Domain) software and run on Linux or UNIX
TCP Port 53 - zone transfers
UDP Port 53 - name resolution
command line tools
nslookup (Windows): can query a particular server
dig (Linux): Domain Information Groper
has replaced nslookup on Linux
can query a particular server
Ports
What are ports
numbers used by systems to tell them which application to send a protocol packet to
:warning: Port numbers are not protocol numbers! :warning:
some protocols are identified by protocol numbers rather than port numbers (e.g. IPsec)
protocol numbers can be used by firewalls/routers in the same way that they use port numbers, though
TCP has 65,536 ports (0 to 65,535)
0-1023 are "well known" ports, reserved for common applications
:explode: most attacks are against these well known ports
port scanners check if a port is open :explode:
1024-49,151 are registered ports, which companies can choose to register for their applications
49,152-65,535 are dynamic/private aka ephemeral ports
temporary and anything can use them
browsers will be assigned a free ephemeral port on which to receive back the data they requested from the web
Firewalls 'open' or 'close' ports to allow or stop traffic coming through
Basic Network Devices
Switches
Layer 2 Switch: switches based on MAC address; forwards broadcast traffic
Layer 3 Switch: switches based on IP address; blocks broadcast traffic
starts out knowing nothing other than that it has physical ports
learns which computers are attached to its physical ports
uses this knowledge to switch
builds a MAC table
Switches versus Hubs
:explode: hubs only broadcast, so an attacker only needs to listen on any of the ports to capture packets :explode:
switches send unicast, so if traffic is between ports 1 and 4 an attacker can't listen in on port 5
Port Security
can disable unused ports
can use MAC filtering on ports
though MAC addresses are easy to spoof ...
can use 802.1X for authentication
Switch Physical Security
switches have a console port that sees all traffic incl. unicast
:explode: the console port can become a vulnerability :explode:
to protect against this vulnerability the switch is often kept in a physically secure area
Loop prevention
loops have a similar effect to broadcast storms
unicast traffic goes back and forth endlessly between two ports
:explode: can happen if two ports are connected with a cable :explode:
loops can disable a switch and degrade performance
Prevention
use STP (Spanning Tree Protocol) or RSTP (Rapid Spanning Tree)
these prevent loops
Flood attacks and guards
:explode: a flood attack sends lots of traffic with spoofed MACs to a port :explode:
switch runs out of memory to store all the MAC addresses
switch 'falls open' and starts working as a hub
attacker then only needs to connect a protocol analyzer to any port
Prevention: Flood Guard
limits memory used to record MAC addresses on a port
OR
sets a maximum number of MAC addresses per port
if there is an attempt to store more, then an alarm is raised using SNMP (Simple Network Management Protocol)
switch can then disable the port or refuse any more MAC addresses for it
maximum number usually set to 1, but some exceptions (e.g. VMs)
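The MAC-table learning, the 'falls open' behaviour of a flooded switch and the per-port flood guard from the notes above, as an added simulation that is not part of the original page. The Switch class, its fixed table size with oldest-entry eviction, the 5-port layout and the MAC addresses are all constructed for this example; alarms stand in for the SNMP traps.

```python
from collections import OrderedDict

PORTS = (1, 2, 3, 4, 5)          # constructed 5-port switch

class Switch:
    """Toy layer-2 switch: learns source MACs per port, floods unknown destinations."""

    def __init__(self, table_capacity, max_macs_per_port=None):
        self.capacity = table_capacity
        self.max_per_port = max_macs_per_port     # None = no flood guard configured
        self.mac_table = OrderedDict()            # mac -> port, oldest entry first
        self.disabled_ports = set()
        self.alarms = []                          # stands in for SNMP traps

    def _learn(self, port, mac):
        if mac in self.mac_table:
            self.mac_table.move_to_end(mac)
            return True
        if self.max_per_port is not None:
            seen_on_port = sum(1 for p in self.mac_table.values() if p == port)
            if seen_on_port >= self.max_per_port:  # flood guard trips
                self.alarms.append(f"port {port}: MAC limit exceeded by {mac}")
                self.disabled_ports.add(port)      # disable the offending port
                return False
        if len(self.mac_table) >= self.capacity:  # table full: oldest entry is lost
            self.mac_table.popitem(last=False)
        self.mac_table[mac] = port
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        if in_port in self.disabled_ports or not self._learn(in_port, src_mac):
            return []
        out = self.mac_table.get(dst_mac)
        if out is None or out == in_port:          # unknown destination: flood like a hub
            return [p for p in PORTS if p != in_port and p not in self.disabled_ports]
        return [out]

def cam_overflow_demo(guard):
    """Hosts on ports 1 and 4 talk; an attacker on port 5 sends frames with 20 spoofed
    source MACs. Returns (ports reached by the next host-to-host frame, alarms)."""
    sw = Switch(table_capacity=8, max_macs_per_port=1 if guard else None)
    sw.forward(1, "aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff")    # hosts announce themselves
    sw.forward(4, "aa:aa:aa:aa:aa:04", "ff:ff:ff:ff:ff:ff")
    for i in range(20):
        sw.forward(5, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    return sw.forward(1, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:04"), sw.alarms
```

Without the guard the host entries are pushed out of the table and the unicast frame is flooded to every port, including the attacker's port 5; with a limit of 1 MAC per port, the second spoofed MAC disables port 5 and the frame reaches port 4 only.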
Aggregation Switch
connects multiple switches together in a network
i.e. a switch for switches
Routers
What?
connects multiple networks into a single network
moves traffic between these networks
networks created by routers or by subnetting are called Broadcast Domains
Why?
if networks are too big, broadcasts can cause too many collisions and hurt performance
routers don't pass on broadcasts, unlike switches
Brands
Cisco is the main brand, but there are others
usually a physical device
BUT a computer with two NICs can potentially be a router with software
Access Control Lists (ACLs)
rules on routers/firewalls for allowed/disallowed traffic, inbound and outbound
Implicit Deny
important last rule on an ACL that says anything not explicitly approved is blocked
some ACLs add this rule automatically, while on others it needs to be added manually
Typical syntax varies, but e.g.
DENY ANY ANY
or
DENY ALL ALL
router/firewall works through the list from top to bottom
Basic Packet Filtering
IP addresses: can block single IPs or whole subnets
Logical ports: can have different rules for incoming/outgoing, e.g. HTTP (80) allowed out but not in
Protocol numbers: e.g. block all ICMP by blocking protocol 1
Antispoofing
:explode: some attackers may replace the source IP in a packet with a private IP to hide their real IP :explode:
can be dealt with by making the ACL reject all traffic from private IPs
Bridge
What
connects networks
diverts traffic based on MAC address
learns MAC addresses in the same way as a switch (by analysing traffic)
Firewalls
What
filter outgoing or incoming traffic
mostly keeps bad traffic out
can also stop users from dangerous browsing or other activities
Linux systems use xtables
Stateless vs Stateful Firewalls
Stateless Firewalls
use ACLs (see router section)
typical ACL rule format: Permission Protocol Source Destination Port
Permission: PERMIT/ALLOW or DENY
Protocol: TCP or UDP or other; "IP" will block TCP AND UDP
Source: can include a subnet; subnet mask sometimes required
Destination: can use subnets; subnet mask sometimes required
Port or Protocol: usually well known ports
some systems will allow codes like "www" for HTTP, or eq for equal, e.g. eq 80
also use Implicit Deny
:explode: a misconfigured firewall without Implicit Deny rules is a major vulnerability :explode:
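The rule format above, the top-to-bottom evaluation and the antispoofing idea from the router section, worked through as an added example that is not part of the original notes: a small stateless ACL evaluator plus a constructed inbound ACL, showing what the missing implicit deny costs. The PORT_CODES table, the "IP" family mapping (TCP and UDP only, as the notes state) and the documentation addresses are this example's own assumptions, not any vendor's syntax.

```python
import ipaddress

PORT_CODES = {"www": 80, "ftp": 21, "ssh": 22, "smtp": 25}  # constructed subset of symbolic codes
PROTO_FAMILY = {"IP": {"TCP", "UDP"}}                        # per the notes: "IP" covers TCP and UDP

def _net(token):
    """'ANY'/'ALL' match everything; otherwise a host or subnet such as 10.0.0.0/8."""
    return None if token.upper() in ("ANY", "ALL") else ipaddress.ip_network(token, strict=False)

def parse_rule(line):
    """Parse 'Permission [Protocol] Source Destination [eq Port]' into a rule dict."""
    t = line.split()
    if len(t) == 3:                      # shorthand such as DENY ANY ANY / DENY ALL ALL
        t = [t[0], "ANY", t[1], t[2]]
    perm, proto, src, dst, rest = t[0].upper(), t[1].upper(), t[2], t[3], t[4:]
    if perm in ("PERMIT", "ALLOW"):
        perm = "PERMIT"
    elif perm != "DENY":
        raise ValueError(f"unknown permission {t[0]!r}")
    port = None
    if rest:                             # accepts 'eq 80', '80' or a code like 'www'
        last = rest[-1].lower()
        port = PORT_CODES[last] if last in PORT_CODES else int(last)
    return {"perm": perm, "proto": proto, "src": _net(src), "dst": _net(dst), "port": port}

def _matches(rule, pkt):
    proto_ok = (rule["proto"] in ("ANY", "ALL") or rule["proto"] == pkt["proto"]
                or pkt["proto"] in PROTO_FAMILY.get(rule["proto"], ()))
    src_ok = rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"]
    dst_ok = rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"]
    port_ok = rule["port"] is None or pkt.get("dport") == rule["port"]
    return proto_ok and src_ok and dst_ok and port_ok

def evaluate(rules, pkt, implicit_deny=True):
    """Walk the ACL top to bottom; the first matching rule decides. Traffic that
    matches nothing is dropped only when the implicit deny is in force."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["perm"]
    return "DENY" if implicit_deny else "PERMIT"

# Constructed inbound ACL for an internet-facing interface; 203.0.113.10 is a
# documentation address standing in for the web server.
INBOUND_ACL = [parse_rule(r) for r in (
    "DENY IP 10.0.0.0/8 ANY",            # antispoofing: private source IPs cannot
    "DENY IP 172.16.0.0/12 ANY",         # legitimately arrive from the internet side
    "DENY IP 192.168.0.0/16 ANY",
    "PERMIT TCP ANY 203.0.113.10 eq www",
    "DENY ICMP ANY ANY",                 # drop pings (protocol 1 traffic)
)]
```

With implicit_deny=False an inbound SSH packet matches nothing and sails through; with the implicit deny it is dropped, which is the misconfiguration the note above warns about.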
Stateful Firewalls
approve or deny packets based on whether they are part of an existing approved connection
Advanced Firewalls
these go beyond basic packet filtering and can filter by a packet's content
Web Application Firewall (WAF)
firewall specifically designed to protect web applications
can be host based, or cloud based with its own hardware and/or software
Where
can be host based, e.g. on a particular workstation or server
host based usually runs as special software on the device it's trying to protect (e.g. Wordfence or Windows Defender)
can be network based
these will sit on separate, dedicated hardware that also runs special software
needs 2 or more NICs
these will usually be between the intranet and the internet
Media Gateway
converts data from one network format to another
e.g. a VoIP gateway converts between an IP based network and the old phone network
Proxy Servers
Forward Proxy Servers (aka Proxy Servers)
forward requests (e.g. HTTP) from clients, get the data from servers, then return the data to clients
can improve performance by caching
transparent vs nontransparent
nontransparent:
can modify or filter requests
can restrict access to inappropriate sites (e.g. porn, gambling, web based email etc.)
done through use of subscription lists of 'bad' URLs
can log
transparent:
forwards without modifying
Anonymizers
sites that give the illusion of privacy online
sometimes used to try and bypass a forward proxy
most forward proxies are easily able to stop the bypass
Reverse proxies
main difference with a forward proxy is that a reverse proxy is run by the owners of the particular web server the user is trying to access
these take requests to a server, get the data from the server and give it to the user (if no caching)
can also cache
can also act as load balancers
Application Proxy (APIs)
reverse proxies for one protocol or application
APIs are a type of reverse proxy
UTMs (Unified Threat Management)
device with multiple security controls in one place
reduces admin work
can usually be configured to send alerts if it spots something
may include
firewall
anti-virus
anti-spam
URL filtering
content filtering
mail gateway
URL filtering
does the same job as a forward proxy: blocking sites based on URLs
block list can be manually set up or use a subscription list
malware inspection
screens for malware
often both on email servers and on endpoints
Content Inspection
filter for incoming data
:explode: misconfiguring this is a common security issue, e.g. spam filter set too sensitive or not sensitive enough :explode:
DDoS mitigator
defends against DDoS in a similar way to an IPS (Intrusion Prevention System)
Where?
usually at the network border between internet and intranet, but will vary depending on use
Mail Gateway
scans incoming and outgoing email for spam
Where?
usually located between the mail server and the internet
scans email before it gets to the mail server
definition of spam: unsolicited email, so includes phishing but also other types
DLP (Data Loss Prevention) capabilities
examine outgoing email for keywords, e.g. those associated with confidential stuff
can send an alert to the security team
can encrypt outgoing messages (all or some)
SNMPv3 (Simple Network Management Protocol)
monitors and manages network devices
can be used to modify configs of network devices
first version was vulnerable: passed passwords across the network in cleartext
v2 and v3 more secure; they have strong authentication
uses UDP 161, but sends "traps" (info and notifications) on UDP 162
allows secure management of routers
can prevent IP spoofing
Secure Network Implementations (Zones/Topologies)
Network perimeter
boundary line between intranet and extranet
DMZ
buffer zone between intranet and internet
internet facing part of the network lives here
allows access to services while segmenting access to the intranet
NAT - Network Address Translation
translates private IPs to public and vice versa
often found on internet facing firewalls and home routers
common form is PAT - Port Address Translation
Pros
need fewer IPs
can hide computers from the internet with private IPs
Cons
incompatible with IPsec, though there are workarounds ...
Static vs Dynamic
Static uses 1 public IP and maps it to one private IP
Dynamic uses multiple public IPs; maps 1 to many
Network separation for security
segregation: basic separation
segmentation: traffic on different segments, provided by routers and firewalls
VLANs can provide logical segmentation
can create with a Layer 3 switch
creates logical (as opposed to physical) subnets regardless of where the individual computers are
isolation
Definition: systems completely separate
virtualisation can provide this
malware often analysed on virtual systems
physical isolation, aka Air Gaps
system not connected to another system
if they can't reach it they can't attack it!