Please enable JavaScript.

Coggle requires JavaScript to display documents.

BLOCK 3:INFRASTRUCTURE,HOST'S,& APPLICATION SECURITY - Coggle…

- - - - network hardware, such as switches, routers and cabling
      - security elements, such as firewalls and intrusion detection.
      - data held on servers and in databases
      - data traversing a network
      - software, such as antivirus protection.
  - - - As there are so many different types of device, connection and protocol, networks can become very complex, thus making it difficult to understand how everything works together. It helps for us to think about this in hierarchical terms. By doing this, it helps us to understand where each of the devices ‘sits’ within a network, how it connects, what its purpose is and the role of the end user and administrator. This also makes it easier for us to understand – in terms of cyber security – what we need to defend on a network infrastructure.
      - THE CISCO 3 LAYER MODEL SECTION 1.2.1
        
        Access: this provides the entry point onto the network for end-users and devices, such as PCs, wireless and mobile technology. Security can be controlled using policy and access control features.
        
        Distribution: this middle layer serves as the conduit between the access layer and the core layer. At this layer, we find network devices like routers and switches. Also, devices provide filtering of traffic and access to wide area network features in the core layer.
        
        Core: the job of this layer is the delivery of large volumes of traffic between distribution layer (mainly telecommunications) devices at the highest speed possible. This layer is often referred to as the ‘network backbone’.
        
        DESCRIPTION
        
        A network topology displaying each of the three layers of the Cisco hierarchical model: Access layer, which contains end devices. Distribution layer with routing and switching capabilities and the Core layer: the backbone of the network.
        
        MODELS FOR COMMUNICATIONS SECTION 1.2.2
        
        The Cisco three-layer model represents the more ‘physical’ attributes of a network. We can delve a bit deeper than this by thinking about the more ‘logical’ aspects of a network (e.g. protocols, addressing and software) and how communication takes place across a network.
        
        This is represented in communication reference models, such as the TCP/IP (Figure 3.2) and OSI models. Models such as these help us to further define the protocols, devices, addressing techniques and data transmission techniques that are found within a network infrastructure.
        
        It also helps us to think in terms of modularity: what protocols, devices and media elements (e.g. cables or wireless) exist at each of the layers, and interoperability with other systems.
        
        DESCRIPTION OF 3 LAYER DIAGRAM
        
        You can see in Figure 3.2 each of the layers and their corresponding protocols and technologies. Note the use of devices, such as routers and switches, and their respective layers.
    - - There are many different devices that lie at the heart of the operation of a network infrastructure, many of which are critical to how it is secured. Generally, the infrastructure includes devices that are part of the network as opposed to being on the network. If you think back to the Cisco three-layer model in the previous section, most of the devices critical to the operation and security of a network infrastructure exist at the distribution layer. These can also be defined as intermediary devices, as they have responsibility for moving data through a network.
        
        Security implications arise with switches in the form of a device that has not been appropriately ‘hardened’. For example, interfaces that are used for the configuration of the device have weak authentication (or perhaps even none at all!). Issues also arise with MAC flooding, where an attacker can flood the MAC address table, causing the switch to overload and start acting as a hub and revealing addresses to an attacker analysing the network.
      - SWITCHES SECTON 1.3.1
        
        MANAGED
        
        : this is usually found in production environments (e.g. business and organisations). This type of switch allows configuration and offers greater control in terms of traffic management and security.
        
        UNMANAGED
        
        this is typically used in a home network where you simply plug in and it works without any configuration.
        
        The main function of a switch is to provide an entry point from end-user devices onto a network. When devices (e.g. PCs) are connected to a switch, they are said to form a star topology because the devices connected to it communicate centrally via the switch. Switches normally exist within a local area network (LAN) environment and make decisions about where to send traffic based on source and destination MAC address information.
      - ROUTERS Section 1.3.2
        
        PATH DETERMINATION
        
        the router builds and maintains a routing table, essentially a database of known networks and how to reach them.
        
        PACKET FORWARDING
        
        the router accepts a packet on one interface and makes a decision about where to send it based on routing table information.
        
        Routers are central to the operation of how data from one network reaches another, and indeed to the operation of the World Wide Web itself. They use the process of routing to forward packets between different networks (or subnetworks). Routers generally perform the following functions:
        
        Given how critical routers are to the operation of networks and internetworks, they of course become a prime target for attackers. Routers are prone to many different attacks, in the same way that switches are. Without proper protection, routing tables are very vulnerable and can be prone to manipulation. Routers are also prone to other types of attack, such as ‘Denial of Service’ (DoS) attacks.
        
        This, of course, has implications for home users because a large proportion of homes are now provided with internet via broadband routers or modems. The prospect of manipulation and misdirection of packets into the wrong hands when carrying out internet banking is now considered to be a serious threat.
    - - Managed switches (such as Cisco switches).
        
        MAC address tables: flooding a MAC address table can cause it to start acting as a hub and revealing all the devices on the network, which can then be captured through eavesdropping.
        
        VLAN: attacks carried out through the manipulation of VLAN information can be used to reveal and access devices on another network.
        
        ROUTERS
        
        Routers can also be vulnerable in areas such as:
        
        Services: attacks on router services (e.g. manipulation of discovery protocols that can reveal neighbouring networks and routers).
        
        Buffer overflows: ICMP (ping) echo request packets that are too large for the router to handle, leading to buffer overflow and potentially DoS.
        
        Routing tables: the manipulation of routing protocol updates to manipulate routing tables leading to man-in-the-middle or DoS attacks.
      - Activity 3.2
        
        Routers vulnerability at home
    - - Copper coaxial
        
        Descriptions Commonly used in 10Base-T cabling; however, it has been mainly superseded by twisted pair cabling. Still commonly used to connect wireless antennas as well as in broadband installations and security systems.
        
        Vulnerabilities High
        Easily tapped, allowing for eavesdropping.
      - Twisted pair
        
        Descriptions The most common type of network cabling. It uses either shielded (STP) or unshielded (UTP) mechanisms, and popular categories are Cat5e and Cat6e (Gigabit). Typically uses RJ45 connectors.
        
        Vulnerabilities Medium
        Not as easy to tap due to cable structure; however, port security must be considered.
      - Wireless
        
        Descriptions devices together. Typically uses a wireless access point (which may in turn be wired to a router).
        
        Vulnerabilities Medium
        Less secure than wired networks; however, it does offer strong levels of encryption (especially with Wi-Fi 6, which offers even stronger encryption).
      - Fibre optic
        
        Descriptions Typically used for high-speed transmission over large distance. Requires specialist knowledge and equipment for installation.
        
        Vulnerabilities Low
        It’s difficult to tap a fibre connection (but it may be broken/cut).
    - - Servers play a critical role in the network infrastructure and can be found at the distribution layer of the Cisco three-layer model. The role of the server is to provide critical information services to the end users on the network, at their request. As well as providing the security itself, it could be argued that the whole point of the infrastructure is to provide security to these critical servers and services.
      - Physical protection section 1.3.6
        
        So far, you have learned about a few of the key elements within a network infrastructure, as well as considerations in terms of the protection that they need. However, it is also important to look at how these hardware resources need to be physically protected with regard to their actual location. For example, if we think about cabling for a network infrastructure within an organisation, how well protected is it? Fibre backbone cabling within an organisation is responsible for carrying high volumes of traffic throughout a building. If any damage should be done to the backbone of the network,
        
        Book: Digital Forensics Processing and Procedures, Watson and Jones (2013)
      - Wiring closets Section 1.3.7
        
        The wiring closet feeds smaller closets throughout a building with vertical (high-speed) cabling, which then feeds nodes on each floor through horizontal cabling (typically ethernet and/or wireless). The wiring closet usually marks the entry point of backbone cabling from an internet service provider – this is known as the demarcation point. The wiring closet is also protected from environmental factors, through air conditioning and venting (to control temperature), as well as fire and flood, through appropriate fire protection/alarms and drainage (raised flooring), for example.
        
        Physical access controls Section 1.3.8
        
        A number of approaches are used by organisations to control physical access to such locations:
        
        using locked doors to control access to the location and storing equipment inside locked cabinets
        
        controlling access to locks through swipe or smart cards with varying levels of permission and biometric controls
        
        restricting access to the building itself, as well as controlling access to the location of wiring closets, thus removing the threat from external intruders (and not employees/staff)
        
        securing physical equipment to immovable objects (e.g. through use of locks), therefore removing the threat of theft (but not vandalism)
        
        fitting tracking devices and/or security tags and alarms (to mitigate theft).
        
        Activity 3.3
        
        Search the OU Library for the book Cybersecurity and IT Infrastructure Protection by John Vacca.
        
        Once you have found the book, refer to Chapter 4 ‘Physical security essentials’. Read pages 109–117. Then answer the following questions.
        
        Briefly summarise the three elements of information systems security.
        
        What does Stallings categorise as the three main threats to physical security?
        
        Briefly summarise the four categories of human-caused physical threat.
- - - - looking at packets and comparing against the rules of the firewall. For example, is the destination port allowed by the firewall (e.g. port 80)? Is the packet coming from an address source that is trusted (known)? Although packet filters mainly operate at the network layer (of the TCP/IP stack) they also make decisions on transport layer information (e.g. TCP and UDP port numbers).
    - - stateless firewalls generally do not offer the same features as stateful inspection firewalls, and tend to be less rigorous. For example, a stateful firewall is more aware of the context of the network; however, a stateless firewall generally monitors traffic based on source and destination information (i.e. addresses). Figure 3.8, below, highlights the differences between stateful and stateless firewalls. The state table in a stateful firewall records ‘established’ connections, whereas the stateless firewall permits or denies based on rules.
    - - this examines each of the packets arriving in a stream and, as well as checking the details (as described above), it also looks at other packets in the conversation to gain a picture of the context in which the packets have been sent. This is useful in that the firewall can detect certain types of attack. For example, if a large stream of ICMP (ping) packets have been originating from the same source, the firewall will recognise this as a DoS attack and block the packets. This type of scenario also helps the firewall to identify spoofing tactics. Stateful packet inspectors can also go a step further by inspecting the data payload (e.g. to check for executable files of a malicious nature).
    - - If we examine both of these tables, we can see that they contain different columns. The stateless firewall employs access control and permits or denies traffic based on where it has come from and its destination. The stateful firewall establishes, maintains and tracks the connection between two endpoints.
    - - Host-based firewall: normally implemented as software on a host that is part of an existing network. Considerations have to be given to the security (or hardening) of the operating system, as this may compromise the security of the firewall.
      - Screened host: implemented using a combination of different methods; for example, a screening device and a bastion host (where a bastion is a network host specifically designed to withstand attacks). The screening permits or denies traffic coming from the bastion.
      - Dual-homed: essentially a dedicated firewall with routing functionality, this device has two network cards, allowing it to connect one network to another. Instead of the device forwarding (routing) packets from one network to another, it only does so based on rules of what is allowed and where the packets can go.
      - Home Based Routers as Firewalls Section 3.1.4
        
        Port Forwarding
        
        You have a file server on your internal network that allows remote access on port 22 (SSH) with the address...192.168.1.254 (255.255.255.0)...You wish to be able to access this file server from outside the network. To do so, you would create a port forwarding rule on the router that maps the IP address to the port...192.168.1.254:22...A request arrives from outside on port 22 to access the file server. The router knows that this doorway is open and forwards the request to the server, which is listening on port 22, awaiting requests.
        
        S.A.Q 3.1 Port Forwarding
        
        1.Do you see any specific security implications arising from this scenario?2.Supposing you want to implement a HTTP server alongside your file server. What steps do you think you would need to take?3.Carry out some additional research into ‘well-known’ ports.
        Who is responsible for maintaining ports?
        List five popular services and their port numbers.
        
        Activity 3.6 Netalabs #17
        
        Nowadays, it is not unusual for home (broadband) routers to have built-in firewall technology. This type of firewall performs basic packet filtering by allowing IP addresses or applications (based on port numbers) onto the network. It also allows ‘port forwarding’, which is a technique for allowing devices running designated services to communicate with other hosts outside the network (allowing traversal of the router/firewall).
    - - Cisco routers provide the mechanism for creating what are also called ‘Access Control Lists’ (ACLs). These allow for packet filtering functionality based on certain information, such as where traffic is originating and where it is going, as well as applications and ports. Cisco router ACLs are very similar to that of a stateless firewall. ACLs can, however, be implemented in different ways on a router. Two main examples being:
        
        Standard Access List
        
        : checks the source address, permits or denies protocol suites such as TCP.
        
        Extended Access List
        
        checks source and destination address, can be specific about source and destination protocols and applications as well as protocol type; for example, TCP, UDP, ICMP, I
        
        How it Works
        
        If you had a host on a network (a PC) that you didn't want to access web services on another portion of the network, an extended access list can be created and applied to the router to block incoming requests from that host on port 80 (www). See Figures 3.9 and 3.10.
        
        This is only a very basic example. However, you will notice that ACLs perform very similar functions to those mentioned earlier in stateless firewalls. You will learn more about Cisco ACLs in Cisco networking modules TM257 (Cisco networking (CCNA) part 1) and TM357 (Cisco networking (CCNA) part 2). The following short video demonstrates the use of an ACL for filtering traffic.
  - - - Transparent proxy: like a regular proxy, this receives and forwards data; however, it does not modify the data passing through it and is likely to be used for efficiency through caching of content. Clients on a network may not even be aware that traffic is being redirected through the proxy.
      - Quite often, an application gateway is a piece of software running on another device, for example, software being used in combination with a firewall. We can, however, have dedicated proxy devices (hardware or servers) that provide additional features to security. There are different types of proxy server:
      - Anonymous proxy: this does not pass IP address details of information being forwarded but identifies itself as a proxy. This is useful for keeping web browsing private and targeted for advertising based on your location. Anonymous proxies can also distort information and pass false IP address details, so that the user appears to be from another location.
      - High anonymity proxy: the Tor network (Tor, 2021) is a good example of the use of high anonymity proxy usage, in which the source IP address periodically changes, making it difficult to keep track of the location (and source) of the IP address.
  - - - Take ten minutes to carry out some additional research using the OU Library or internet and answer the following questions.
        
        1.Name two devices that you think would be found at the boundary of a network. 2.Earlier, we mentioned intermediary devices. Do you think there are any differences between boundary and intermediary devices?
    - - These systems are normally integrated on the boundary of a network at the entry and exit points, and employ sensors that can be integrated into different devices; for example, routers, dedicated IDS/IPS devices or an adaptive security appliance (ASA). An IDS/IPS has two common methods for deployment:
      - Unfiltered: monitors the stream of data before it reaches the screening device. This is prone to unreliability as it has to monitor much higher volumes of traffic.
      - Screened: monitors the traffic that comes through a screening device (e.g. a firewall). This reduces the amount of traffic being monitored, ensuring more accurate results.
    - - Email (spam)-based: used for analysis of spam email.
      - Research-based: used to research sophisticated tools and attacks.
      - Production-based: used in a live environment.
      - Honeypots are normally used in addition to IDS/IPS systems and are used as a means of trapping attackers. A honeypot diverts attackers away from the real target and uses tools to identify new vulnerabilities and exploits and to learn about the identity of attackers and patterns of attack. This is valuable in the sense that it provides a surveillance and early warning facility. There are different types of honeypot available such as:
        
        How it Works Figure 3.11, below, details the inclusion of a honeypot within the design of a network.
        
        External traffic is screened through the firewall/IDS device. Malicious traffic is forwarded to the honeypot...Regular traffic is destined for the internal network...Access control mechanisms on the router catch any malicious traffic that has slipped through the screening device and forward it to the honeypot.
        
        A diagram showing a network with an external firewall connected to an internal router that is connected to an internal network and a honeypot. The firewall is directing malicious activity to the honeypot and regular traffic is being directed to the internal network. The router is also connected to the honeypot and has capability to also filter malicious traffic.
      - Honeypots can be grouped together into ‘honeynets’ to present an even more realistic system to attackers.
  - - - McAfee defines the five key benefits of SIEM as:McAfee defines the five key benefits of SIEM as:
        
        1.key to managing the strategic, tactical and operational aspects of threat hunting
        
        2.reduced response times using enhanced situational awareness
        
        3.better security integration and real-time visibility
        
        4.better staffing of security resources
        
        5.enhanced compliance with auditing and governance.
- - - - When a switch receives a frame on a port, it records where it has come from. If there is no destination recorded in the MAC table, it floods the network (except on the port at which the frame was received) and waits for a reply from the destination, which it records in the MAC table, thus creating a path. There is potential for attackers to flood a network with spoofed addresses. This, in turn, has the potential to overload the MAC table, causing the switch to start emptying its table and attempting to rebuild it. Flood protection can be enabled on a switch by defining a limit on switchports. If the switch detects excessive floods from a port, it closes it down.
  - - - where scanning takes place in the hope of revealing unsecured wireless networks, which an attacker can join and then use for malicious activity.
    - - where an attacker impersonates a public wireless access point (e.g. that users will connect to).
    - - where attackers use tools to analyse wireless networks to look for unencrypted connections, in the hope of capturing traffic (in plaintext) that will reveal important information.
    - - where an attacker steals a mobile device already attached to wireless networks, which allows the attacker to exploit existing connections as well as banking information, for example.
    - - As mentioned, wireless technology is continually evolving to keep abreast of security threats. Some popular techniques used in the securing of wireless networks are:
        
        Activity 3.7 Wi-Fi encryption and the IoT
        
        Search the OU Library for the article Wi-Fi Encryption Vulnerability Highlights Value of Industrial IoT Security Practices, by Doug Chandler.
      - Passwords: changing the default passwords of wireless access points, as well as using strong passwords.
      - MAC address filtering: maintaining a list of MAC addresses of only the devices that are allowed onto the network (more suitable for smaller or home networks).
      - SSID protection: configuring the access point to not broadcast the SSID for the network, helping to keep the network invisible to attackers scanning for wireless networks.
      - Data encryption: enabling the strongest encryption possible for the network and making sure that other devices on the network support the same encryption level (the current standard is WPA3).
      - Patching: keeping access point firmware up to date and frequently patched.
- - - - Table 3.2
        
        Service disruption Preventing users from accessing services on a network; for example, DoS attacks on servers, network devices and links.
        
        Information theft Unlawful access to computers and servers to obtain confidential information for criminal purposes.
        
        Data manipulation Unlawful access to computers and servers to destroy, manipulate or alter data.
        
        Identity theft Stealing personal information from systems for impersonation and fraudulent means.
    - - As well as vulnerabilities that exist for the end user and networking hardware that we have previously considered this week, there are additional vulnerabilities within the network infrastructure that we also need to consider – for example:
        
        Network services: issues surrounding services and protocols that are inherently insecure, such as FTP, HTTP, SMTP and Telnet; all of which pass unencrypted data across a network.
        
        Operating systems: there is no such thing as a fully secured operating system. Do some operating systems offer better security than others?
        
        User accounts: usernames and passwords being transmitted using insecure means and being intercepted; passwords that are too weak.
        
        Internet services: vulnerabilities in web services and web browsers; for example, weaknesses in services that are not kept up to date and use weak (unencrypted) methods for delivery of data. Also, browsers with plug-ins that are vulnerable (such as Java and JavaScript) and that are out-of-date (as well as the browser itself).
        
        Products: vulnerabilities in, for example, software and hardware products that have security holes in the default settings (e.g. poor default passwords).
        
        Misconfigured network equipment: poor configuration or errors in routers, switches and firewalls that misdirects traffic or accidentally allows traffic into protected areas.
      - A closer look at protocols&services Section 2.2.1
        
        Insecure protocols
        
        Under network vulnerabilities, we have mentioned network services and protocols that are inherently insecure.
        
        What does this mean?
        Application protocols, such as File Transfer Protocol (FTP) and Telnet, are among the oldest of services, dating back to the late 1960s and early 1970s. Even Hypertext Transfer Protocol (HTTP) is now over 30 years old.When these protocols were developed, security wasn’t a great concern as there weren’t as many computers connected to networks (and internetworks) as there are now, not to mention encryption across a network being a thing far off into the future.This means that when using such protocols, data can be passed in plaintext between sender and recipient. For example, in Figure 3.4 below, employee A decides to implement a small FTP server on a network so that files can be shared remotely with other locations in a building. Employee B has malicious intent and decides to perform reconnaissance on the network using a network sniffer, and notices FTP services on the network. Employee B can inspect these packets and see the login details of the FTP server for employee A, which are in plaintext.
        
        FIG 3.4
        
        There are a few important points that arise out of this scenario:
        
        An employee should not be able to install ‘rogue’ insecure server software onto devices within the organisation.
        
        1 more item...
  - - - Reconnaissance activity takes place in order for attackers to build a bigger picture of the network. In the previous section on insecure protocols, there was an employee performing reconnaissance on the network to gain a view of the traffic on the network – this is just one instance of the reconnaissance activity that can take place. This type of attack is used to discover the types of systems service and existing vulnerabilities that exist on a network, so that attackers can build a map of vulnerabilities. The following table provides an example of the tools and methods used.
      - Table3.3
        
        Internet query Using basic tools like search engines, ‘nslookup’ and ‘whois’ to determine the address space for a victim.
        
        Ping sweep Using ping tools such as ‘gping’ and scanner software to discover hosts on a network – which have been discovered through internet queries – that are active.
        
        Port scanning Using tools such as ‘nmap’ to scan for open ports on hosts that have been revealed through ping sweeps. This allows the attacker to exploit services through ports that have been left open unnecessarily. Different types of port scan exist (e.g. TCP, UDP, ACK and SYN).
        
        These types of attack might then allow the attacker an entry point into which they can plan their access attack. Some types of access attack are outlined in the next sections.
    - - A Denial of Service (DoS) attack is one of the most common forms of attack against a computer network and associated network infrastructure services. The main aim of a DoS attack is to bring disruption to a network, user services, devices and applications, in order to make them unavailable. This type of attack is normally carried out by doing one of the following:
      - flooding a target computer with an overwhelming amount of traffic, such that the target is unable to handle the high volume of data.forwarding maliciously formed packets, so that the receiver cannot process the unexpected conditions; an example of this is a buffer overflow attack.
      - Additionally, if we consider physical security aspects (especially insider threats), another form of DoS attack is the disconnection of power from servers and network equipment.
        
        DoS attacks normally result in the following:
        
        slow network performance when, for example, trying to transfer files or access websites...unavailability of websites...an increase in the number of spam emails received.
      - Panek (2020) states that: ‘Today, most DoS attacks are Distributed Denial-of-Service (DDoS) attacks, whereby multiple computers are used to overwhelm the network resource.’ Panek then goes on to mention that there are generally three types of attacks
        
        Protocol attack: this consumes resources of servers and network devices using SYN floods and ping of death attacks.
        
        Application layer attack: this uses system and device vulnerabilities to crash servers and network devices, using HTTP GET/POST floods.
        
        Volume-based attack:: this saturates the bandwidth of the attack site with spoofed packets (e.g. ICMP packets).
      - HOW IT WORKS
        
        The following diagram represents a DDoS attack. Instead of a computer (the master) directly attacking a resource, the attack employs a number of other computers to attack the resource. These other computers likely have malware (infected software) installed that lets the master control them in order to attack the victim. These computers are known by a variety of names such as zombies, slaves or bots. A group of bots is normally referred to as a ‘botnet’. Each bot receives instructions from the master to send multiple requests to a resource in order to overwhelm it and disrupt the network. See Figure 3.5.
        
        A number of techniques that are implemented in routers can be used for mitigating DoS attacks, for example:
        
        Blackholing: traffic originating from a suspicious source is funnelled into a black hole (or a null route) and the packets are dropped from the network.
        
        Limiting requests: allowing a server to receive no more than a certain number of requests, to stop it becoming overwhelmed.
        
        Network diffusion: using load balancing techniques to redistribute traffic across the network.
        
        Government Guidance Study Note
        
        The UK National Cyber Security Centre provides guidance on DoS attacks for individuals and organisations.
        
        Read the Denial of Service (DoS) guidance.
    - - Closely linked to DoS attacks are spoofing techniques. Spoofing is when traffic that seems to be originating from a particular (seemingly trusted) source is in fact originating from another source using falsified information. This technique is at the heart of a DoS attack as the attacker uses spoofing to hide where the information is coming from. When discussing spoofing in the context of network security, the biggest area of concern is that of protocol spoofing. Spoofing can fall into two categories:
      - Non-blind spoofing: where the attacker can see the traffic that is being sent across the network.
      - Blind spoofing: where the attacker cannot see the traffic between source and destination; this is the most common type in DoS attacks.
      - Attacks can be defined as:
        
        IP spoofing: we can think of IP packets as having similarities to a letter being sent across a postal network. As with a letter, an IP packet has a source address (the originator) and a destination address. In an IP spoofing attack, the packet has a forged source address in order to protect the identity of the attacker. This type of attack takes place at the network layer (layer 3). An example of this kind of attack is shown in Figure 3.6.
        
        DNS spoofing: this happens when an attacker intercepts a DNS request and then responds before the actual DNS server is able to respond itself. This can lead to the victim being directed to a falsified website designed to conduct malicious activities. This type of attack takes place at the application layer (layer 7
        
        ARP spoofing: also known as ‘ARP poisoning’. This type of attack is used to determine the hardware address (MAC address) for a device, where the IP address is already known. The attacker modifies the ARP cache for the network and then uses the IP address for the victim. This type of attack occurs when attackers have access to an internal network.
    - - In this scenario, an attacker places themselves in the flow of traffic between source and destination hosts. This allows the attacker to transparently monitor, capture and control the traffic across the network. Tools allow eavesdropping, inspection and modification of packets on the way to their destination. Session hijacking can also take place in this scenario, where an attacker can gain access to a network and then use a man-in-the-middle attack to hijack sessions. The following steps represent a typical man-in-the-middle attack.
      - Man in the Middle attacks 4. steps:
        
        1.A web page is requested by a user (victim).
        2.Instead of the request reaching the original destination directly, it is received by the attacker.
        3.The attacker retrieves the original page and alters it for malicious means.
        4.The attacker forwards the altered page to the victim.
        
        Description
        
        Example of a man-in-the-middle attack. A computer is the victim and through the cloud there are requests that are sent to the attacker. The Attacker sends it to the Server. The Server sends it back to the Attacker. The Attacker sends an altered ?? through the cloud back to the Victim.
        
        Activity 3.5 Netalabs #16
- - - - Network topologies can be represented by both physical and logical topologies. For example, we can provide a floor plan for a building that indicates where devices and cabling is physically placed. This is said to represent the physical topology. We can also represent the network by the kinds of device and addresses and how they are connected together, for example. This is said to represent the logical topology.
  - - - Description
        
        A network infrastructure with four different networks connected to it: Staff network (192.168.10.0), Sales network (192.168.20.0), Admin network (192.168.30.0) and IT network (192.168.40.0). This demonstrates departments placed into different segments, based on network address.
        
        Consider the default class C network addresses that are being used above in Figure 3.12.
        
        An example of a class C network address - 192.168.10.0 using a default subnet mask with host portion. 8 bits are available in the host portion.
    - - As each segment is using a default class C scheme, this means that each of these segments is one network that allows for 254 hosts. For example, examine the Staff network in Figure 3.13:
        
        Fig 3.13
        
        The first three octets represent the network address (with each octet being eight bits). The final octet is used for host addresses, for example:192.168.10.1–254 There are 256 addresses in total we can use: 2^8 = 256 Note: We have to take two addresses off as they represent the network and broadcast addresses: 256 − 2 = 254
        
        SAQ 3.3 Addressing
        
        The previous example represents four segments within a network infrastructure, each of which resides in its own network address space.4 QUESTIONS!
        
        1.Are any of these segments able to communicate with each other?
        2.If not, how do you think they could be enabled to?.
        3.Suppose we need more than 254 addresses on one segment and need to use a default class B network address scheme (which has 16 bits in the hosts portion). How many available addresses would we have? Please show your working.
        4.Considering question 3, do you think this is a viable solution? Please state your reasons.
  - - - Fig 3.14
        
        Description
        
        A diagram that shows an external network connected to an external firewall. A router is placed in between the external firewall and an internal firewall, which is then connected to the internal network. The demilitarised zone (DMZ) is connected to the router, which is responsible for redirecting public traffic from the external firewall into the DMZ.
    - - We have, at various points, talked about switches and the important role they play on the network. Virtual Local Area Networks (VLANs) are one of the key features that (managed) switches have to offer, as they present the opportunity of segmenting the network into discrete zones. In a VLAN scenario, ports on a switch are grouped together into their own LAN. The same VLAN can exist across multiple switches connected through a trunk link. The trunk link (along with the trunking protocol) is responsible for managing the traffic across the VLANs. A router can also be connected that will allow the routing of the traffic between the different VLANs. For an example, see Figure 3.15.
        
        Description Fig 3.15
        
        A diagram showing two switches. One first floor switch and one second floor switch. The first floor switch has four PCs connected - two on vlan10 and two on vlan20. The second floor switch has four PCs connected - two on vlan10 and two on vlan20. There is a trunk link between each of the switched which is responsible for carrying the traffic between each of the vlans.
      - A word on the cloud Section 5.3.1
        
        It’s perhaps worth mentioning at this point the role of DMZs and VLANs within cloud infrastructure and how they integrate. Vacca (2017) discusses the security aspects of cloud computing and networks and how susceptible they are to hacking and other forms of DoS attack. He goes on to discuss how the cloud infrastructure is likely to have a firewall IDS/IPS for perimeter safety measures, which offers access to services within a DMZ. Cloud computing resources (e.g. data centre storage) is protected behind an internal firewall that is further segmented through the use of VLANs. Consumers on one VLAN would not be able to monitor or see traffic on another VLAN.
      - Section 5.4 Virtualisation
        
        Virtualisation is the process of using software to emulate hardware, operating system and software functionality as a virtual computer system. This allows organisations to run multiple systems – for example, operating systems – on one server. A virtual machine manager (also known as a ‘hypervisor’) allows the creation of virtual machines and subsequently manages the allocation of physical hardware resources to a virtual machine. There are generally two types of hypervisor:
        
        Type 1: essentially, an operating system in its own right, onto which virtual machines can be installed.
        
        Type 2: a piece of software that is installed onto an existing operating system (e.g. Windows or Linux) and onto which virtual machines can be installed. You will likely have come across Oracle VirtualBox in previous OU modules, such as TM129. This is a good example of a type 2 hypervisor.
        
        In terms of network security, virtual machines bring many benefits. For example, they provide isolation from other systems, allowing sandbox testing. They also provide good fault tolerance; for example, services running inside a DMZ on virtual machines can be easily recovered (or a fail-safe can be implemented) should they come under attack.
        
        TOR Section 5.5
        
        5.5.1 How it works
        
        SAQ 3.4 Tor WATCH THE VIDEO
        
        What is the minimum number of Tor relay servers that data passes through when entering onto the network?
        
        What are three practical uses of Tor?
        
        At which layer does Tor encrypt data?
        
        What is the name of the location at which data passing through Tor leaves the network?