Network Security Slides 2

• Host-Based IPS (HIPS)
• Network (NIPS)
• Content Based (CBIPS)
• Protocol Analysis
• Rate-Based (RBIPS)

• False Alarms:
• False Positive: Generates alarm on normal activity
• False Negative: Fails to generates alarm for know intrusive activity
• True Alarms:
• True Positive: Generates an alarm to activities matching a attack signature
• True Negative: No alarm generated when viewing normal traffic

• Severity:
• Informational signatures: detects port scanning
• Attack signatures: detects attacks on protected network
• Complexity:
• Atomic signature: detects simple patterned attack
• Compound signature: detects complex patterned attack

• String matched byte by byte
• Searching for a key command, or section of code which indicates that an attack is being prepared.
• Once all the signatures have been searched the next packet is loaded and the process begins anew.

• Excels at catching low level, simple attacks.
• Speed is lost as the rule set grows.

• Uses a detailed knowledge of expected or normal packet field values to discover malicious traffic.
• Packets are unwrapped and conformance of the packet to the protocol RFC is checked.
• As each wrapper and fields within the packet are known errors are easily detected.

• Due to the preprocessing required for analysis it is slow. Rules are hard to write.
• As they search for generic violations they can catch new attacks or new varients.

• Benefits:
• Enables tuneable control over false positives
• Detects previously unpublished attacks

• Drawbacks:
• Requires initial training
• No protection while in training mode
• Requires the updating of usage profiles
• Enable false negatives if the traffic appears normal
• Difficulty in correlating alarms to specific attacks
• Can be complicated and difficult to understand

• Snort is a free software IDS for both Windows and Unix operating systems. It can run in a number of different modes, including:
• Sniffer mode: simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen).
• Packet Logger mode: logs the packets to disk.
• Network Intrusion Detection System (NIDS) mode: the most complex and configurable configuration, which allows Snort to analyze network traffic for matches against a user-defined rule set and performs several actions based upon what it sees.
• Inline mode: obtains packets from iptables instead of from libpcap and then causes iptables to drop or pass packets based on Snort rules that use inline-specific rule types.

• Obfuscating attack payload: Encoding an attack in a way the target will reverse but the IDS will not.
• Fragmentation and Small Packets: Split attack payload into small packets.
• Overlapping Fragments: Overlap TCP sequence numbers
• Protocol Violations: Deliberate violations of the TCP or IP protocol which will be handled differently by the target and the IDS.
• Inserting Traffic at the IDS: Using different TTL so the IDS sees different packages to the machine it is trying to protect.
• Denial of Service: Overwhelm the IDS

“The study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.”

• Confidentiality: ensure that the content of the information is kept secret form all but those intended to see it.
• Data integrity: ensure that there is no unauthorised alteration of the information.
• Authentication: Identification of the parties involved and the information exchange.
• Non-repudiation: prevents an entity from denying either the source or content of the information.

• Level of security
• Functionality of primitives
• Method of operation
• Performance
• Ease of implementation

• The algorithm
• The key
• The original data (plain text)
• The ciphertext

• 1. the system should be, if not theoretically unbreakable, unbreakable in practice;
• 2. compromise of the system details should not inconvenience the correspondents;
• 3. the key should be rememberable without notes and easily changed;
• 4. the cryptogram should be transmissible by telegraph;
• 5. the encryption apparatus should be portable and operable by a single person; and
• 6. the system should be easy, requiring neither the knowledge of a long list of rules nor mental strain.

• Secret Key (symmetric) Cryptography (SKC):
• plaintext --|key|--> ciphertext --|key|--> plaintext
• SKC uses a single key for both encryption and decryption

• Public Key (asymmetric) Cryptography (PKC)
• plaintext --|key1|--> ciphertext --|key2|--> plaintext
• PKC uses two keys, one for encryption and the other for decryption

• Hash Function (one-way cryptography):
• plaintext --|algorithm|--> ciphertext
• Hash functions have no key since the plaintext is not recoverable from the ciphertext

• Data Encryption Standard (DES): Triple-DES (3DES), DESX
• Advanced Encryption Standard (AES)
• International Data Encryption Algorithm (IDEA)
• Rivest Ciphers (aka Ron's Code): RC1, RC2, RC3, RC4, RC5, RC6
• Blowfish
• Camellia

• RSA
• Diffie-Hellman
• Digital Signature Algorithm (DSA)
• ElGamal
• Elliptic Curve Cryptography (ECC)
• Cramer-Shoup
• Key Exchange Algorithm (KEA)
• LUC

• Stream Ciphers
• Block Ciphers

• Stream ciphers:
• Operates on single bit, byte or word at a time with some feed back mechanism so the key keeps changing.
• The same plaintext will not produce the same ciphertext
• Approximates to OTP if key stream is as long as the plaintext
• Generally operated with a 128 bit to generate a pseudorandom key stream
• Self-synchronizing
• stream ciphers use several of the previous N ciphertext digits to create the keystream.
• Not as susceptible to active attacks
• Synchronizing stream ciphers generates a pseudorandom key stream.
• Do not propagate errors in transmission
• They are periodic so the key stream will repeat itself.

• Block ciphers:
• Operates on a block of plaintext.
• The same piece of plaintext will produce the same cipertext

• Electronic Codebook (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)

• Electronic Codebook (ECB): mode is the simplest, most obvious application: the secret key is used to encrypt the plaintext block to form a ciphertext block. Two identical plaintext blocks, then, will always generate the same ciphertext block. Although this is the most common mode of block ciphers, it is susceptible to a variety of brute-force attacks.
• Cipher Block Chaining (CBC): mode adds a feedback mechanism to the encryption scheme. In CBC, the plaintext is exclusively-ORed (XORed) with the previous ciphertext block prior to encryption. In this mode, two identical blocks of plaintext never encrypt to the same ciphertext.
• Cipher Feedback (CFB): mode is a block cipher implementation as a self-synchronizing stream cipher. CFB mode allows data to be encrypted in units smaller than the block size, which might be useful in some applications such as encrypting interactive terminal input. If we were using 1-byte CFB mode, for example, each incoming character is placed into a shift register the same size as the block, encrypted, and the block transmitted. At the receiving side, the ciphertext is decrypted and the extra bits in the block (i.e., everything above and beyond the one byte) are discarded.
• Output Feedback (OFB): mode is a block cipher implementation conceptually similar to a synchronous stream cipher. OFB prevents the same plaintext block from generating the same ciphertext block by using an internal feedback mechanism that is independent of both the plaintext and ciphertext bitstreams.

• Message Digests
• One-Way Encryption:
• Digital fingerprinting
• Password encryption
• Two files could have the same hash value!
• Researchers found that practical collision attacks could be launched on MD5, SHA-1, and other hash algorithms.

• Message Digest: MD2, MD4, MD5
• Secure Hash Algorithm (SHA)
• RIPEMD
• HAVAL (HAsh of VAriable Length)
• Whirlpool
• Tiger

• Non-repudiable digital signatures on messages*
• Digital signatures in certificates from trusted third parties*
• Challenge-response protocols
• Message authentication with shared secrets
• Key derivation functions
• Mixing functions
• Integrity protection
• *Only two which are affected by the collision attack

• One to one
• One way
• Trapdoor one way
• Define by two sets X & Y and a rule f which assigns to each element in X precisely one element in Y.
• y εY, x εX and y=f(x)

• 1 –1: if each element in the codomain Y is the image of at most one element in the domain X
• onto: if each element in the codomain Y is the image of at least one element in the domain
• One-way: If f(x) is “easy” to compute and for all x εX and all y εIm(f) it is “hard” to find any x εX for which y=f(x)
• One-way trap door: There exists some secret information y, such that given f(x) and y it is easy to compute x.

• The web of trust employed by Pretty Good Privacy (PGP) users, who hold their own set of trusted public keys.
• Kerberos, a secret key distribution scheme using a trusted third party.
• Certificates, which allow a set of trusted third parties to authenticate each other and, by implication, each other's users

• UNIX:
• /etc/passwd -13 byte long done by DES
• /etc/shadow –MD5
• Windows:
• Security Access Manager (SAM) –MD4 16 byte

• Mishandling or human error
• Deficiencies in the cipher itself:
• mathematical formula
• open public scrutiny.
• reasonable amount of time.
• no useful weaknesses
• Brute force attacks

• Key generation
• Key storage and key archiving
• Key distribution and key protection
• Key accounting and key history
• Key usage and key renewal
• Key revocation and key distribution, which can also include key archiving

• For asymmetric (public/private) keys.
• create,
• revoke,
• update and store user keys.

• Confidentiality to ensure that the information is not disclosed or revealed to unauthorized parties
• Authentication to ensure that the parties involved in a transaction are who they say they are
• Integrity to ensure that the data has not been modified or tampered with during its transmission
• Non-repudiation to ensure that neither party can deny their role in a transaction
• Access control to ensure that only authorized entities can access certain electronic information

• CA Certification Authority is a trusted third party
• Expensive so only really usable by large groups of people like corporations and government.
• Although not making much headway in the Business to Consumer (B2C) market it is very scalable.
• It is adaptable for the Business to Business (B2B) transactions

• Why are you implementing a firewall?
• How will a firewall fit into your network topology?
• What type of traffic inspection do you need?:
• Packet-filtering
• Stateful-inspection
• Dynamic filtering
• Application-proxy
• Does your organisation need a hardware or software solution?
• What Operating system will your hardware solution run?

• Packet filtering
• Circuit level filtering
• Dynamic filtering
• Application filtering

All incoming packets are compared against defined rules corresponding to a limited command set for one or more low-level protocols. Packets are either denied, thus dropped or passed here.

Packets which pass all the rules are either passed up the stack for further processing or sent on to the remote host.

• Packets typically filtered by:
• Physical network interface
• The sources address of the incoming data
• Destination address of the incoming data
• Type of transport layer
• Transport layer source and destination port

• Pro’s:
• Generally fast, easily implemented in h/w
• Single rule can protect an entire network.
• Do not require clients to be specially configured
• Con’s:
• Do not understand application layer
• They are stateless
• Cannot see inside packet payload

• All incoming packets are compared against defined rules composed from a command set to the Transport layer. Packets are either denied, thus dropped or passed here.Transport layer maintains state information about a network session in a virtual circuit table.
• Packets which pass all the rules and the virtual circuit table are either passed up the stack for further processing or sent onto the remote host.

• Unique session identifier
• State of the connection
• Sequencing information
• Source and destination addresses
• Network interface through which packet transits

• Pro’s:
• Generally faster than application but slower than packet.
• Help protect entire networks
• With NAT can shield internal addresses form outside.
• Con’s:
• Cannot restrict access to protocols other than TCP
• Cannot perform security checks on higher level protocols.
• Limited audit event generation

• 1. As incoming packets are compared against defined rules composed from a very limited command set for one or more low-level protocols (IP, TCP). Packets are dropped here, or they are accepted and passed to the network stack for delivery.
• 2. Based on information contained within each packet they are associated with additional state information.
• 3. Dynamic rules are added and removed based on a continuation of the data contained within the packet and the state information.
• 4. If a packet satisfies all of the packet filter rules, then depending on whether it is destined for the firewall or a remote host the packet either propagates up the stack for further processing or is forwarded to the network host.
• 5.All network packets associated with an authenticated session are processed by an application running on the firewall host.

• Same advantages and disadvantages as packet filters.
• Notable exception is UDP packets:
• Now have a mechanism to stop unsolicited UDP packets.
• Useful for allowing application (DNS) to operate across your security perimeter.

The incoming network packets propagate up a “hardened" stack until it reaches the highest protocol layer found in the packet.

The packets move out of the network stack to the application proxy listening on that port.

The Packet data and header information form the highest protocol layer.

The proxy service compares data against acceptable command rules defined in accept and deny lists. The proxy service may perform data modification, authentication, logging, URL filtering etc

Packets are either dropped or sent onto the host's port or a remote host.

• Evaluates network packets for valid data at the application layer.
• It examines the data in all network packets at the application layer and maintains complete connection state and sequencing information.
• can validate other security items that only appear within the application layer data, such as user passwords and service requests.
• Provide increased access control
• Generate audit data about traffic

• Pro’s:
• Understand high-level protocols
• Maintain information about communications passing through
• Selectively deny or permit network access
• Do not allow external computers access to internal
• Con’s:
• Need to replace native network stack
• Introduce performance delays
• Proxy services are specific to one application
• Vulnerable to OS and application layer bugs

• Sunbelt Personal Firewall
• ZoneAlarm Pro
• Bullguard Suite
• CA Personal Firewall
• Comodo Firewall Pro
• Windows Firewall

• Dedicated hardware
• Specially hardened hardware
• Specific OS to that product
• May be modular
• Specific tools for monitoring and analysing logs
• Multiple interface cards or virtual interfaces
• VPN accelerators

Cisco PIX

• Numerous security features in one package, which may include:
• Provides Firewall
• VPN
• Anti-virus
• Web filtering
• Intrusion Prevention
• Anti-spam
• Anti-spyware

• How many people will it take to support my choice.
• Do I have the staff or can I count on support from the vendor?
• If I choose a UTM, do I know that the services are well integrated and the device is ultra-reliable.
• If I choose a series of security products, will the overall solution be able to handle a blended threat, and do the separate devices work well together?
• Does the appliance, best of breed or UTM, offer adequate reporting capabilities?
• Is it fast enough?

• Audit:
• Monitor rule activity
• Traffic flow
• Rule violation
• Denied Probes

• Traditional VPNs:
• Frame Relay VPN (Layer 2)
• ATM VPN (Layer 2)
• CPE-based VPNs:
• L2TP and PPTP VPN (Layer 2)
• IPsec VPN (Layer 3)
• Provider Provisioned VPNs (PP-VPNs):
• BGP/MPLS VPNs (Layer 2 and 3, RFC 2547bis)
• Session based VPN:
• SSL VPN (Layer 4 +)
• SOCKS VPN (Layer 4 +)

• Hardware Based:
• Most are encrypting routers
• As plug and play as is possible to find
• May not be flexible enough
• Firewall Based:
• Take advantage of a firewall’s security mechanisms.
• Hardened OS
• Performance may be an issue for an already loaded device.
• Stand-alone application Based:
• Ideal for those occasions where the end points are not controlled by one company.
• Require familiarity with OS and application.
• The best where modest performance is requirements

• Secure VPN’s:
• All traffic encrypted and authenticated
• End points of each tunnel must agree on security properties of tunnel.
• Trusted VPN’s:
• Customer can trust the provider to control the VPN.
• No one other than the VPN provider can change data etc on the tunnel path.
• Hybrid:
• Clear boundaries exists between secure and trusted VPN’s
• A secure VPN may be a subset of a trusted VPN

• Organisational Management
• Access Control
• Traffic Control

• Extend geographic connectivity
• Improve security
• Reduce operational costs versus traditional WAN
• Reduce transit time and transportation costs for remote users
• Improve productivity
• Simplify network topology
• Provide global networking opportunities
• Provide telecommuter support
• Provide broadband networking compatibility
• Provide faster ROI (return on investment) than traditional WAN

• Security
• Reliability
• Scalability
• Network management
• Policy management

Remote:

Large number of mobile workers needing access to corporate LAN. Use an Enterprise Service Provider (ESP) to supply VPN. ESP gives clients a 0800 number to dial into a network access server which gives access to the corporate LAN (Virtual Private Dial-up Network)

Site-to-Site:

• Desktop software client for each remote user
• Dedicated hardware such as a VPN concentrator or secure PIX firewall
• Dedicated VPN server for dial-up services
• NAS (network access server) used by service provider for remote-user VPN access
• VPN network and policy-management centre

• Carrier protocol: The protocol used by the network that the information is travelling over (frame relay, ATM, MPLS)
• Encapsulating protocol: The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
• Passenger protocol: The original data (IPX, NetBeui, IP) being carried

• Datagram-Based
• Stream-Based

• Datagram-based:
• IPsec
• GRE(Generic Routing Encapsulation) supports multiple protocols and multiplexingTunnelling Lower overhead than GRE and used when only 1 IP stream is to be tunnelled
• L2F(Layer 2 Forwarding)
• MPLS(Multi-Protocol Label Switching)
• GTP (GPRS Tunnelling Protocol)
• PPTP(Point-to-Point Tunnelling Protocol)
• L2TP(Layer 2 Tunnelling Protocol)
• PPPoE(point-to-point protocol over Ethernet)
• PPPoA(point-to-point protocol over ATM)
• IEEE 802.1Q (Ethernet VLANs)
• DLSw(SNA over IP)
• XOT (X.25 datagramsover TCP)
• IPv6 tunnelling: 6to4; 6in4; Teredo
• Anything In Anything (AYIYA; e.g. IPv6 over UDP over IPv4, IPv4 over IPv6, IPv6 over TCP IPv4, etc.)

• Stream-based:
• TLS
• SSH
• SOCKS
• HTTP CONNECT command
• Various circuit-level proxy protocols
• SSTL (Secure Socket Tunnelling Protocol)

• Loss of Privacy
• Loss of Data Integrity
• Loss of Identity
• Loss of Access

• Counter:
• Loss of privacy
• Loss of data integrity
• Identity spoofing
• Denial-of-service.
• All with no expensive hardware and application rewrites.

An overview of IPSec is contained within RFC2411

• IKE:
• Provides framework for negotiating security parameter.
• Establishment of authentication keys
• ESP:
• Provides framework for encrypting, authenticating and securing data.
• AH:
• Provides framework for authenticating and securing data.

• Diffie-Hellman key exchange for deriving key material between peers on a public network
• Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties and avoid man-in-the-middle attacks
• Bulk encryption algorithms, such as DES, for encrypting the data
• Keyed hash algorithms, such as HMAC, combined with traditional hash algorithms such as MD5 or SHA for providing packet authentication.
• Digital certificates signed by a certificate authority to act as digital ID cards.

• IPsec can provide either message authentication and/or encryption
• Authentication and confidentiality using Authentication Header (AH) or Encapsulated Security Payload (ESP)
• Security Association (SA).
• Internet Key Exchange (IKE)

• Used to provide data integrity.
• Data origin authentication for IP datagram.
• Provides protection against replays
• Can be used alone or in combination with ESP
• Use of the IP AH is indicated by placing the value 51 (0x33) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header.
• AH requires less overhead to ESP
• AH is never export restricted
• AH is mandatory for IPv6 compliance
• Uses key-hash mechanism
• Provides NO confidentiality

• Next Header
• Payload Length
• RESERVED
• Security Parameter Index (SPI) Shows the SA used for this packet
• Sequence Number: 64-bit prevents packet replay
• Authentication Data: Integrity Check Value (ICV)

• Transport: the AH Header is instered in the original data packet
• Tunnel: A tunnel and a AH Header are added to the original packet

• Provides confidentiality
• Data origin authentication
• Connectionless integrity
• Anti-replay
• Limited traffic flow confidentiality
• Service depends on SA’s options
• Encryption done with DES or 3DES
• Authentication/integrity done by HMAC with keys of SHA-1 or MD5
• Use of the IP ESP format is indicated by placing the value 50 (0x32) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header.
• Does not protect IP header unless in tunnel mode

• Security Parameter Index (SPI)
• Sequence Number Field
• Payload Data
• Padding (if any)
• Payload Length
• Nextheader
• Authentication Data

• Transport: ESP Header/Trailer are inserted in the original packet
• Tunnel: A tunnel and a ESP Header/Trailer are added to the original packet

• SA contains unidirectional specifications:
• Authentication/encryption algorithm, key length + other encryption parameters
• Session key for authentication, or HMACs, encryption
• Interested traffic to which SA is applied
• IPsec AH or ESP encapsulation protocols and tunnel or transport mode
• ESP authentication

• AH: authentication algorithm
• AH: authentication secret
• ESP: encryption algorithm
• ESP: encryption secret key
• Many key-exchange parameters
• Routing restrictions
• IP filtering policy

• IPsec assumes that SA is in place, but it does not have the mechanism for creating the association.
• The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete security associations, and provides the framework for exchanging information about authentication and key management. ISAKMP's security association and key management is totally separate from key exchange.
• The Internet Key Exchange (IKE) algorithm is the default automated key management protocol for IPsec.

• Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.
• Allows you to specify a lifetime for the IPSec security association.
• Allows encryption keys to change during IPSec sessions.
• Allows IPSec to provide anti-replay services.
• Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.
• Allows dynamic authentication of peers.
• IKE negotiation uses UDP on port 500

• Pre-shared keys
• Public key cryptography
• Digital signature

• DES: The Data Encryption Standard (DES) is used to encrypt packet data. IKE implements the 56-bit DES-CBC with Explicit IV standard.
• Cipher Block Chaining (CBC): requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
• Diffie-Hellman: A public-key cryptography protocol which allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported.
• MD5 (HMAC variant): is a hash algorithm used to authenticate packet data. HMAC is a variant which provides an additional level of hashing.
• SHA (HMAC variant): is a hash algorithm used to authenticate packet data. HMAC is a variant which provides an additional level of hashing.
• RSA signatures and RSA encrypted nonces: RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provides non-repudiation while RSA encrypted nonces provide repudiation.

• In main or aggressive mode the peers do:
• Negotiate an IKE protection suite
• Authenticate each other
• Exchange keying material to protect the IKE session
• Establish the IKE SA
• This defines a secure IKE channel to establish IPsec SA’s through

• In the one mode, quick the peers do:
• Negotiate IPsec policies
• Exchange keying material of IPsec SAs
• Establish IPsec SAs
• Periodically renegotiates IPSec SAs to ensure security
• Optionally performs an additional Diffie-Hellman exchange

• Ease of use
• Restoral capability
• Monitor network availability
• Improved automation
• Monitor response time
• Security features
• Ability to add and delete users
• Traffic monitoring
• User regulation

• Fault Management: Detect, modify, notify, fix network problems
• Configuration Management: Monitor network and system configuration
• Account Management: Network utilisation
• Performance Management: Performance monitoring
• Security Management: Control access to resources

• SNMP
• CMIP
• CMIS

• Simple Network Management Protocol (SNMP) (IETF)
• Used in data networks
• A protocol, a database structure specifications and a set of data objects.
• Adopted TCP/IP standard in 1989
• SNMP v2c in 1993, SNMP v3 is current version
• Common Management Information Protocol (CMIP)(ISO)
• Used more by telecommunications networks
• Complex set of standards, defines a management service, a protocol, a database structure specification, and a set of data objects.
• Common Management Information Service (CMIS)
• It defines the service interface that is implemented by CMIP

• Ver 1 1989: Insecure –community strings sent in the clear
• Ver 2 1993: Uses MD5 to authenticate messages
• Ver 3 2002 Provides:
• Message integrity
• Authentication
• encryption

• Strengths
• Wide spread popularity
• Flexible and extensible protocol
• Weaknesses
• Anything but simple
• Inefficient use of bandwidth

• While the protocol maybe less than perfect it is the only way to manage large networks.
• SNMP allows the DIFFERENCES of state to be monitored and reported.

• A Standard Message Format: defines a UDP message format.
• A Standard Set Of Managed Objects: standard set of values
• A Standard Way Of Adding Objects: Standard objects can be augmented by vendors.

• GetRequest:
• Specific values can be fetched without establishing a TCP connection with the device.
• GetNextRequest/GetBulkRequest:
• Enable a “walk” through or bulk collection of SNMP values for a device.
• SetRequest:
• This provides a way of configuring and controlling network devices via SNMP.
• TrapMessage:
• Enables notify of problems to a manager.
• InformRequest:
• Returns the variable from the various “get” messages.
• InformRequest:
• Acknowledge asynchronous notifications from manager to manager

• “Management Information Base” (MIB). (See RFC 1213):
• measure and monitor IP activity
• TCP activity
• UDP activity
• IP routes
• TCP connections
• interfaces

• Alarm Polling Functions.
• threshold violation
• Trend Monitoring Functions.
• sampling the value at periodic intervals
• Trap Reception Functions.
• allow devices to self-report problems.
• Management Tool Set.
• inspect the raw MIB objects of a particular device.
• MIB Compiler.
• add in new MIB objects

• Who: Communities –the relationships between SNMP entities
• What: The community profile made up of the MIB view and the SNMP access mode.
• How:
• Read-only: Public community
• Read/write: Private community
• none

• Read only community: This community allows a read access only to any objects of a device. The common default value is “public”.
• Read write community: This community allows read and write access to any objects of a devices. The common default value is “private”.
• Trap community: the agent when sending traps to the manager uses this community.

• Problems:
• Community strings carried in the clear
• No fine grain control of access between users
• Solution:
• User-based Security Model (USM)
• Views-Based Access control Model (VACM)

• verification of data -achieved by using MD5 or SHA , prevents changing the data on route.
• verification of the identity of the generator -achieved by using MD5 or SHA, prevents masquerading attacks
• Ensure packet age -achieved by tracking timelines using timestamps, Defend against message capture and replay.
• Protection from disclosure -achieved by enabling full encryption of content, the standard ways now are CDC/DES , prevents unauthorized users from gaining data not allowed them.

• Allows granular control of:
• Read
• Write
• Notify (trap)

• The user is authenticated based on the authentication subsystem
• The variable the user intends to access is matched to the view containing it
• The user's access rights are matched to the view access definitions to check what type of access the user is granted.
• If the user is allowed the access requested the request is handled.

• Is a MIB
• Based on IETF RFCs
• Gathers statistics by analysing every frame on a segment
• RMON1 is for data link layer
• RMON2 is for the network layer to the application layer
• Work with an external probe

• It has to send and receive radio signals.
• Timing message packets to ensure client synchronization and help avoid data-transmission collisions
• Authenticating clients to make sure only authorized personnel connect to the network
• Encrypting data to enhance data privacy
• Checking data integrity to ensure that the data remains uncorrupted or unmodified

• Placement of APs relative to existing network infrastructure devices, such as routers, firewalls, and switches
• What type of antennae to use and where to locate them
• How to adjust signal-power settings to prevent RF signals from leaking outside your building
• Keeping track of your wireless devices —such as APs, laptops, and personal digital assistants (PDAs)
• Knowing which device types are allowed on your network and which ones don’t belong

• IP addresses
• SSIDs
• Broadcasting of SSIDs
• Admin passwords
• Remote management enabled
• Full power settings
• Use of omnidirectional antennas that come standard on most APs
• MAC-address filtering
• WEP, WPA, WPA2

• PDAs
• IP Phones
• Printers
• Projectors
• Tablet PCs
• Security cameras
• Barcode scanners
• RFID
• Custom devices for vertical markets:
• Healthcare
• Manufacturing
• Retail
• Restaurants

• Commercial Network Analysers:
• AiroPeek
• AirMagnet
• Sniffer Wireless
• Free Network Analysers:
• Ethereal
• tcpdump
• Scanning Tools:
• Kismet
• NetStumbler

• Service Set Identifier (SSID)
• Encryption:
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
• Wi-Fi Protected Access 2 (WPA2)
• Authentication:
• None
• MAC
• Shared Key
• Enterprise using RADIUS/TACCAS+
• Certificates
• Digital Signature

• Weak device-only authentication: Client devices are authenticated. Users are not authenticated.
• Weak data encryption: Wired Equivalent Privacy (WEP) has been proven ineffective as a means to encrypt data.
• No message integrity: The Integrity Check Value (ICV) has been proven ineffective as a means of ensuring message integrity.

• Authentication:
• Authentication is device based rather than user.
• Client does not authenticate network
• Existing authentication databases are not usable.
• Key Management:
• Keys are static
• Keys are shared among devices and APs
• All devices and APs must be rekeyed if adaptor or device stolen
• RC4-based WEP keys:
• Encryption algorithm is vulnerable to attack
• Message integrity is not ensured

• Use of 802.1x protocol:
• Mutual authentication using Extensible Authentication Protocol
• Temporal Key Integrity Protocol (TKIP):
• Hash WEP key
• Message Integrity checks (MIC)
• Broadcast Key Rotation (BKR)
• Advanced Encryption Standard (AES)
• Virtual Private Network (VPN)
• Wi-Fi Protected Access (WPA)
• Robust Secure Network (RSN)

• Wrapper around WEP
• Temporal Key:
• Sequence number (IV) + MAC address + base key
• Base Key:
• Each time a wireless station associates to an access point, a new base key is created.

• Strong encryption and authentication support for infrastructure and ad-hoc networks (WPA is limited to infrastructure networks);
• Reduced overhead in key derivation during the wireless LAN authentication exchange;
• Support for opportunistic key caching to reduce the overhead in roaming between access points;
• Support for pre-authentication, where a station completes the IEEE 802.1X authentication exchange before roaming;
• Support for the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism based on the Advanced Encryption Standard (AES) cipher as an alternative to the TKIP protocol.

• "Gone in 900 seconds: Some Crypto issues with WPA!" November 2008
• Erik Tews cracks the Pairwise Master Key in TKIP
• In Oct 2008 Russian researchers report 100 fold increase in cracking WPA keys via the massively parallel computational power of the newest NVIDIA chips.
• Build yourself 20 station workstation and have the key in days if not weeks rather than years.