Name some of the popular types of IPS
- Host-Based IPS (HIPS)
- Network (NIPS)
- Content Based (CBIPS)
- Protocol Analysis
- Rate-Based (RBIPS)
What are the different IDS / IPS alarms?
- False Alarms:
- False Positive: Generates alarm on normal activity
- False Negative: Fails to generate an alarm for known intrusive activity
- True Alarms:
- True Positive: Generates an alarm for activities matching an attack signature
- True Negative: No alarm generated when viewing normal traffic
What are the two IDS Signature Classifications?
What are the different signatures within each classification?
- Informational signatures: detects port scanning
- Attack signatures: detects attacks on protected network
- Atomic signature: detects simple patterned attack
- Compound signature: detects complex patterned attack
What is the method used in signature detection/analysis?
- String matched byte by byte
- Searching for a key command, or section of code which indicates that an attack is being prepared.
- Once all the signatures have been searched the next packet is loaded and the process begins anew.
What are the strengths and weaknesses of signature detection/analysis?
- Excels at catching low level, simple attacks.
- Speed is lost as the rule set grows.
How does protocol analysis/detection work?
- Uses a detailed knowledge of expected or normal packet field values to discover malicious traffic.
- Packets are unwrapped and conformance of the packet to the protocol RFC is checked.
- As each wrapper and fields within the packet are known errors are easily detected.
What are the strengths and weaknesses of protocol detection/analysis?
- Due to the preprocessing required for analysis it is slow. Rules are hard to write.
- As they search for generic violations they can catch new attacks or new variants.
What are the benefits of anomaly-based detection?
- Enables tuneable control over false positives
- Detects previously unpublished attacks
What are the drawbacks of anomaly-based detection?
- Requires initial training
- No protection while in training mode
- Requires the updating of usage profiles
- Enable false negatives if the traffic appears normal
- Difficulty in correlating alarms to specific attacks
- Can be complicated and difficult to understand
What is Snort?
What are Snort's different modes and how do they work?
- Snort is a free software IDS for both Windows and Unix operating systems. It can run in a number of different modes, including:
- Sniffer mode: simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen).
- Packet Logger mode: logs the packets to disk.
- Network Intrusion Detection System (NIDS) mode: the most complex and configurable configuration, which allows Snort to analyze network traffic for matches against a user-defined rule set and performs several actions based upon what it sees.
- Inline mode: obtains packets from iptables instead of from libpcap and then causes iptables to drop or pass packets based on Snort rules that use inline-specific rule types.
What are the IDS evasion techniques?
- Obfuscating attack payload: Encoding an attack in a way the target will reverse but the IDS will not.
- Fragmentation and Small Packets: Split attack payload into small packets.
- Overlapping Fragments: Overlap TCP sequence numbers
- Protocol Violations: Deliberate violations of the TCP or IP protocol which will be handled differently by the target and the IDS.
- Inserting Traffic at the IDS: Using different TTL so the IDS sees different packets from the machine it is trying to protect.
- Denial of Service: Overwhelm the IDS
What is the definition of Cryptography?
“The study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.”
Describe the four goals of Cryptography?
- Confidentiality: ensure that the content of the information is kept secret from all but those intended to see it.
- Data integrity: ensure that there is no unauthorised alteration of the information.
- Authentication: Identification of the parties involved and the information exchange.
- Non-repudiation: prevents an entity from denying either the source or content of the information.
What are the cryptographic primitives?
- Level of security
- Functionality of primitives
- Method of operation
- Ease of implementation
What are the symbiotic relationships in cryptography?
- The algorithm
- The key
- The original data (plain text)
- The ciphertext
What is the original methodology of cryptography?
- 1. the system should be, if not theoretically unbreakable, unbreakable in practice;
- 2. compromise of the system details should not inconvenience the correspondents;
- 3. the key should be rememberable without notes and easily changed;
- 4. the cryptogram should be transmissible by telegraph;
- 5. the encryption apparatus should be portable and operable by a single person; and
- 6. the system should be easy, requiring neither the knowledge of a long list of rules nor mental strain.
Name three categories of Cryptography Algorithms and provide an overview of how they work
- Secret Key (symmetric) Cryptography (SKC):
- plaintext --|key|--> ciphertext --|key|--> plaintext
- SKC uses a single key for both encryption and decryption
- Public Key (asymmetric) Cryptography (PKC)
- plaintext --|key1|--> ciphertext --|key2|--> plaintext
- PKC uses two keys, one for encryption and the other for decryption
- Hash Function (one-way cryptography):
- plaintext --|algorithm|--> ciphertext
- Hash functions have no key since the plaintext is not recoverable from the ciphertext
Name some popular secret key cryptography algorithms
- Data Encryption Standard (DES): Triple-DES (3DES), DESX
- Advanced Encryption Standard (AES)
- International Data Encryption Algorithm (IDEA)
- Rivest Ciphers (aka Ron's Code): RC1, RC2, RC3, RC4, RC5, RC6
Name some popular public key cryptography algorithms
- Digital Signature Algorithm (DSA)
- Elliptic Curve Cryptography (ECC)
- Key Exchange Algorithm (KEA)
What are the two different Secret Key Cryptography schemes?
- Stream Ciphers
- Block Ciphers
Explain Secret Key Cryptography Stream Ciphers
- Stream ciphers:
- Operates on a single bit, byte or word at a time with some feedback mechanism so the key keeps changing.
- The same plaintext will not produce the same ciphertext
- Approximates to OTP if key stream is as long as the plaintext
- Generally operated with a 128 bit to generate a pseudorandom key stream
- stream ciphers use several of the previous N ciphertext digits to create the keystream.
- Not as susceptible to active attacks
- Synchronizing stream ciphers generate a pseudorandom key stream.
- Do not propagate errors in transmission
- They are periodic so the key stream will repeat itself.
Explain Secret Key Cryptography Block Ciphers
- Block ciphers:
- Operates on a block of plaintext.
- The same piece of plaintext will produce the same ciphertext
Name some popular Block Cipher Modes
- Electronic Codebook (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback (CFB)
- Output Feedback (OFB)
Name and describe some popular Block Cipher Modes
- Electronic Codebook (ECB): mode is the simplest, most obvious application: the secret key is used to encrypt the plaintext block to form a ciphertext block. Two identical plaintext blocks, then, will always generate the same ciphertext block. Although this is the most common mode of block ciphers, it is susceptible to a variety of brute-force attacks.
- Cipher Block Chaining (CBC): mode adds a feedback mechanism to the encryption scheme. In CBC, the plaintext is exclusively-ORed (XORed) with the previous ciphertext block prior to encryption. In this mode, two identical blocks of plaintext never encrypt to the same ciphertext.
- Cipher Feedback (CFB): mode is a block cipher implementation as a self-synchronizing stream cipher. CFB mode allows data to be encrypted in units smaller than the block size, which might be useful in some applications such as encrypting interactive terminal input. If we were using 1-byte CFB mode, for example, each incoming character is placed into a shift register the same size as the block, encrypted, and the block transmitted. At the receiving side, the ciphertext is decrypted and the extra bits in the block (i.e., everything above and beyond the one byte) are discarded.
- Output Feedback (OFB): mode is a block cipher implementation conceptually similar to a synchronous stream cipher. OFB prevents the same plaintext block from generating the same ciphertext block by using an internal feedback mechanism that is independent of both the plaintext and ciphertext bitstreams.
What are Hash Functions?
What can they be used for?
What are their vulnerabilities?
- Message Digests
- One-Way Encryption:
- Digital fingerprinting
- Password encryption
- Two files could have the same hash value!
- Researchers found that practical collision attacks could be launched on MD5, SHA-1, and other hash algorithms.
Name some common Hash Algorithms
- Message Digest: MD2, MD4, MD5
- Secure Hash Algorithm (SHA)
- HAVAL (HAsh of VAriable Length)
What alternative functions are hashes used for?
- Non-repudiable digital signatures on messages*
- Digital signatures in certificates from trusted third parties*
- Challenge-response protocols
- Message authentication with shared secrets
- Key derivation functions
- Mixing functions
- Integrity protection
- *Only two which are affected by the collision attack
What are the characteristics of hash functions?
- One to one
- One way
- Trapdoor one way
- Defined by two sets X & Y and a rule f which assigns to each element in X precisely one element in Y.
- y ∈ Y, x ∈ X and y = f(x)
What are the hash function definitions?
- 1–1: if each element in the codomain Y is the image of at most one element in the domain X
- onto: if each element in the codomain Y is the image of at least one element in the domain
- One-way: If f(x) is “easy” to compute and for all x ∈ X and all y ∈ Im(f) it is “hard” to find any x ∈ X for which y = f(x)
- One-way trap door: There exists some secret information y, such that given f(x) and y it is easy to compute x.
Provide an overview of Cryptographic Trust Models
- The web of trust employed by Pretty Good Privacy (PGP) users, who hold their own set of trusted public keys.
- Kerberos, a secret key distribution scheme using a trusted third party.
- Certificates, which allow a set of trusted third parties to authenticate each other and, by implication, each other's users
Name the OS password protection mechanisms
- /etc/passwd – 13 bytes long, done by DES
- /etc/shadow – MD5
- Security Access Manager (SAM) – MD4, 16 bytes
What are the weaknesses of Encryption?
- Mishandling or human error
- Deficiencies in the cipher itself:
- mathematical formula
- open public scrutiny.
- reasonable amount of time.
- no useful weaknesses
- Brute force attacks
What are the components of Key Management?
- Key generation
- Key storage and key archiving
- Key distribution and key protection
- Key accounting and key history
- Key usage and key renewal
- Key revocation and key distribution, which can also include key archiving
What is Public Key Infrastructure PKI used for?
- For asymmetric (public/private) keys.
- update and store user keys.
What are the components of PKI and how does it use these to provide a secure environment?
- Confidentiality to ensure that the information is not disclosed or revealed to unauthorized parties
- Authentication to ensure that the parties involved in a transaction are who they say they are
- Integrity to ensure that the data has not been modified or tampered with during its transmission
- Non-repudiation to ensure that neither party can deny their role in a transaction
- Access control to ensure that only authorized entities can access certain electronic information
Provide an overview of the PKI CA-Centric Model
- CA Certification Authority is a trusted third party
- Expensive so only really usable by large groups of people like corporations and government.
- Although not making much headway in the Business to Consumer (B2C) market it is very scalable.
- It is adaptable for the Business to Business (B2B) transactions
What should you think about when you are choosing a firewall?
- Why are you implementing a firewall?
- How will a firewall fit into your network topology?
- What type of traffic inspection do you need?:
- Dynamic filtering
- Does your organisation need a hardware or software solution?
- What Operating system will your hardware solution run?
What are the different types of traffic inspection?
- Packet filtering
- Circuit level filtering
- Dynamic filtering
- Application filtering
Describe the process of packet filtering
All incoming packets are compared against defined rules corresponding to a limited command set for one or more low-level protocols. Packets are either denied, thus dropped or passed here.
Packets which pass all the rules are either passed up the stack for further processing or sent on to the remote host.
What are the features of packet filtering?
- Packets typically filtered by:
- Physical network interface
- The sources address of the incoming data
- Destination address of the incoming data
- Type of transport layer
- Transport layer source and destination port
What are the Pros and Cons of packet filtering?
- Generally fast, easily implemented in h/w
- Single rule can protect an entire network.
- Do not require clients to be specially configured
- Do not understand application layer
- They are stateless
- Cannot see inside packet payload
Explain the process of Circuit Level Filtering
- All incoming packets are compared against defined rules composed from a command set to the Transport layer. Packets are either denied, thus dropped or passed here. Transport layer maintains state information about a network session in a virtual circuit table.
- Packets which pass all the rules and the virtual circuit table are either passed up the stack for further processing or sent onto the remote host.
What are the features of circuit level filtering?
- Unique session identifier
- State of the connection
- Sequencing information
- Source and destination addresses
- Network interface through which packet transits
What are the Pros and Cons of circuit level filtering?
- Generally faster than application but slower than packet.
- Help protect entire networks
- With NAT can shield internal addresses from outside.
- Cannot restrict access to protocols other than TCP
- Cannot perform security checks on higher level protocols.
- Limited audit event generation
Explain the process of Dynamic Filtering
- 1. Incoming packets are compared against defined rules composed from a very limited command set for one or more low-level protocols (IP, TCP). Packets are dropped here, or they are accepted and passed to the network stack for delivery.
- 2. Based on information contained within each packet they are associated with additional state information.
- 3. Dynamic rules are added and removed based on a continuation of the data contained within the packet and the state information.
- 4. If a packet satisfies all of the packet filter rules, then depending on whether it is destined for the firewall or a remote host the packet either propagates up the stack for further processing or is forwarded to the network host.
- 5. All network packets associated with an authenticated session are processed by an application running on the firewall host.
What are the features of Dynamic Filtering?
- Same advantages and disadvantages as packet filters.
- Notable exception is UDP packets:
- Now have a mechanism to stop unsolicited UDP packets.
- Useful for allowing application (DNS) to operate across your security perimeter.
Explain the process of Application Layer Filtering
The incoming network packets propagate up a “hardened” stack until they reach the highest protocol layer found in the packet.
The packets move out of the network stack to the application proxy listening on that port.
The Packet data and header information form the highest protocol layer.
The proxy service compares data against acceptable command rules defined in accept and deny lists. The proxy service may perform data modification, authentication, logging, URL filtering etc
Packets are either dropped or sent onto the host's port or a remote host.
What are the features of Application Layer Filtering?
- Evaluates network packets for valid data at the application layer.
- It examines the data in all network packets at the application layer and maintains complete connection state and sequencing information.
- Can validate other security items that only appear within the application layer data, such as user passwords and service requests.
- Provide increased access control
- Generate audit data about traffic
What are the Pros and Cons of Application Layer Filtering?
- Understand high-level protocols
- Maintain information about communications passing through
- Selectively deny or permit network access
- Do not allow external computers access to internal
- Need to replace native network stack
- Introduce performance delays
- Proxy services are specific to one application
- Vulnerable to OS and application layer bugs
Name some popular software firewalls
- Sunbelt Personal Firewall
- ZoneAlarm Pro
- Bullguard Suite
- CA Personal Firewall
- Comodo Firewall Pro
- Windows Firewall
What is a Hardware Firewall and what are its features?
- Dedicated hardware
- Specially hardened hardware
- Specific OS to that product
- May be modular
- Specific tools for monitoring and analysing logs
- Multiple interface cards or virtual interfaces
- VPN accelerators
Name an example of a hardware firewall
What does Unified Threat Management (UTM) provide?
- Numerous security features in one package, which may include:
- Provides Firewall
- Web filtering
- Intrusion Prevention
What are the considerations for choosing a Unified Threat Management (UTM) for the security of a system?
- How many people will it take to support my choice.
- Do I have the staff or can I count on support from the vendor?
- If I choose a UTM, do I know that the services are well integrated and the device is ultra-reliable.
- If I choose a series of security products, will the overall solution be able to handle a blended threat, and do the separate devices work well together?
- Does the appliance, best of breed or UTM, offer adequate reporting capabilities?
- Is it fast enough?
What do you do once a firewall is up and running to help maintain security?
- Monitor rule activity
- Traffic flow
- Rule violation
- Denied Probes
What are four categories of VPNs?
Name examples for each category and what layer they operate over.
- Traditional VPNs:
- Frame Relay VPN (Layer 2)
- ATM VPN (Layer 2)
- CPE-based VPNs:
- L2TP and PPTP VPN (Layer 2)
- IPsec VPN (Layer 3)
- Provider Provisioned VPNs (PP-VPNs):
- BGP/MPLS VPNs (Layer 2 and 3, RFC 2547bis)
- Session based VPN:
- SSL VPN (Layer 4 +)
- SOCKS VPN (Layer 4 +)
What are the different VPN Implementations?
What are their common features?
- Hardware Based:
- Most are encrypting routers
- As plug and play as is possible to find
- May not be flexible enough
- Firewall Based:
- Take advantage of a firewall’s security mechanisms.
- Hardened OS
- Performance may be an issue for an already loaded device.
- Stand-alone application Based:
- Ideal for those occasions where the end points are not controlled by one company.
- Require familiarity with OS and application.
- Best where performance requirements are modest
What are the different types of VPNs?
What are their common features?
- Secure VPNs:
- All traffic encrypted and authenticated
- End points of each tunnel must agree on security properties of tunnel.
- Trusted VPNs:
- Customer can trust the provider to control the VPN.
- No one other than the VPN provider can change data etc on the tunnel path.
- Clear boundaries exist between secure and trusted VPNs
- A secure VPN may be a subset of a trusted VPN
What are the critical components of VPNs?
- Organisational Management
- Access Control
- Traffic Control
What are well-designed VPNs doing these days?
- Extend geographic connectivity
- Improve security
- Reduce operational costs versus traditional WAN
- Reduce transit time and transportation costs for remote users
- Improve productivity
- Simplify network topology
- Provide global networking opportunities
- Provide telecommuter support
- Provide broadband networking compatibility
- Provide faster ROI (return on investment) than traditional WAN
What are the feature sets of a good VPN?
- Network management
- Policy management
Describe VPN Access Topology
Large number of mobile workers needing access to corporate LAN. Use an Enterprise Service Provider (ESP) to supply VPN. ESP gives clients an 0800 number to dial into a network access server which gives access to the corporate LAN (Virtual Private Dial-up Network).
What are the different VPN technologies an organisation can implement?
- Desktop software client for each remote user
- Dedicated hardware such as a VPN concentrator or secure PIX firewall
- Dedicated VPN server for dial-up services
- NAS (network access server) used by service provider for remote-user VPN access
- VPN network and policy-management centre
What are the VPN Tunnelling Protocols?
Give examples of what technologies make use of each.
- Carrier protocol: The protocol used by the network that the information is travelling over (frame relay, ATM, MPLS)
- Encapsulating protocol: The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
- Passenger protocol: The original data (IPX, NetBeui, IP) being carried
What are two different layers of VPN tunnelling protocols?
Name the popular Datagram based VPN Tunnelling Protocols
- GRE (Generic Routing Encapsulation): supports multiple protocols and multiplexing
- Tunnelling: lower overhead than GRE and used when only 1 IP stream is to be tunnelled
- L2F (Layer 2 Forwarding)
- MPLS (Multi-Protocol Label Switching)
- GTP (GPRS Tunnelling Protocol)
- PPTP (Point-to-Point Tunnelling Protocol)
- L2TP (Layer 2 Tunnelling Protocol)
- PPPoE (Point-to-Point Protocol over Ethernet)
- PPPoA (Point-to-Point Protocol over ATM)
- IEEE 802.1Q (Ethernet VLANs)
- DLSw (SNA over IP)
- XOT (X.25 datagrams over TCP)
- IPv6 tunnelling: 6to4; 6in4; Teredo
- Anything In Anything (AYIYA; e.g. IPv6 over UDP over IPv4, IPv4 over IPv6, IPv6 over TCP IPv4, etc.)
Name the popular Stream-Based VPN tunnelling protocols
- HTTP CONNECT command
- Various circuit-level proxy protocols
- SSTP (Secure Socket Tunnelling Protocol)
What are the security threats in a network?
- Loss of Privacy
- Loss of Data Integrity
- Loss of Identity
- Loss of Access
What are the goals of IPSec?
- Loss of privacy
- Loss of data integrity
- Identity spoofing
- All with no expensive hardware and application rewrites.
What are the RFC documents most relevant to IPSec?
An overview of IPSec is contained within RFC 2411
What are the IPsec protocols and what do they provide?
- Provides framework for negotiating security parameter.
- Establishment of authentication keys
- Provides framework for encrypting, authenticating and securing data.
- Provides framework for authenticating and securing data.
Provide an Overview of some of the popular IPsec technologies and their features
- Diffie-Hellman key exchange for deriving key material between peers on a public network
- Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties and avoid man-in-the-middle attacks
- Bulk encryption algorithms, such as DES, for encrypting the data
- Keyed hash algorithms, such as HMAC, combined with traditional hash algorithms such as MD5 or SHA for providing packet authentication.
- Digital certificates signed by a certificate authority to act as digital ID cards.
What are the central IPsec concepts?
- IPsec can provide either message authentication and/or encryption
- Authentication and confidentiality using Authentication Header (AH) or Encapsulated Security Payload (ESP)
- Security Association (SA).
- Internet Key Exchange (IKE)
Describe what an Authentication Header in IPsec is and does
- Used to provide data integrity.
- Data origin authentication for IP datagram.
- Provides protection against replays
- Can be used alone or in combination with ESP
- Use of the IP AH is indicated by placing the value 51 (0x33) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header.
- AH requires less overhead than ESP
- AH is never export restricted
- AH is mandatory for IPv6 compliance
- Uses key-hash mechanism
- Provides NO confidentiality
Name and briefly describe the AH fields in IPsec
- Next Header
- Payload Length
- Security Parameter Index (SPI) Shows the SA used for this packet
- Sequence Number: 64-bit prevents packet replay
- Authentication Data: Integrity Check Value (ICV)
Where are the AH Headers placed in Transport and Tunnel mode of IPsec?
- Transport: the AH Header is inserted in the original data packet
- Tunnel: A tunnel and an AH Header are added to the original packet
Describe what an encapsulated security payload is in IPsec
- Provides confidentiality
- Data origin authentication
- Connectionless integrity
- Limited traffic flow confidentiality
- Service depends on SA’s options
- Encryption done with DES or 3DES
- Authentication/integrity done by HMAC with keys of SHA-1 or MD5
- Use of the IP ESP format is indicated by placing the value 50 (0x32) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header.
- Does not protect IP header unless in tunnel mode
Provide a brief overview of the ESP Header Format
- Security Parameter Index (SPI)
- Sequence Number Field
- Payload Data
- Padding (if any)
- Payload Length
- Authentication Data
Where are the ESP Headers placed in Transport and Tunnel mode of IPsec?
- Transport: ESP Header/Trailer are inserted in the original packet
- Tunnel: A tunnel and an ESP Header/Trailer are added to the original packet
What are Security Associations in IPsec?
- SA contains unidirectional specifications:
- Authentication/encryption algorithm, key length + other encryption parameters
- Session key for authentication, or HMACs, encryption
- Interested traffic to which SA is applied
- IPsec AH or ESP encapsulation protocols and tunnel or transport mode
- ESP authentication
Describe some IPsec's SA Database Parameters
- AH: authentication algorithm
- AH: authentication secret
- ESP: encryption algorithm
- ESP: encryption secret key
- Many key-exchange parameters
- Routing restrictions
- IP filtering policy
Explain the deployment of IPsec
- IPsec assumes that SA is in place, but it does not have the mechanism for creating the association.
- The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete security associations, and provides the framework for exchanging information about authentication and key management. ISAKMP's security association and key management is totally separate from key exchange.
- The Internet Key Exchange (IKE) algorithm is the default automated key management protocol for IPsec.
What is Internet Key Exchange (IKE) and what does it do?
- Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.
- Allows you to specify a lifetime for the IPSec security association.
- Allows encryption keys to change during IPSec sessions.
- Allows IPSec to provide anti-replay services.
- Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.
- Allows dynamic authentication of peers.
- IKE negotiation uses UDP on port 500
What are the types of authentication IKE can be utilised with?
- Pre-shared keys
- Public key cryptography
- Digital signature
Provide a descriptive overview of some popular IKE component technologies
- DES: The Data Encryption Standard (DES) is used to encrypt packet data. IKE implements the 56-bit DES-CBC with Explicit IV standard.
- Cipher Block Chaining (CBC): requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
- Diffie-Hellman: A public-key cryptography protocol which allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported.
- MD5 (HMAC variant): is a hash algorithm used to authenticate packet data. HMAC is a variant which provides an additional level of hashing.
- SHA (HMAC variant): is a hash algorithm used to authenticate packet data. HMAC is a variant which provides an additional level of hashing.
- RSA signatures and RSA encrypted nonces: RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide non-repudiation while RSA encrypted nonces provide repudiation.
Describe IKE phase 1
- In main or aggressive mode the peers do:
- Negotiate an IKE protection suite
- Authenticate each other
- Exchange keying material to protect the IKE session
- Establish the IKE SA
- This defines a secure IKE channel to establish IPsec SAs through
Describe IKE Phase 2
- In the one mode, quick, the peers do:
- Negotiate IPsec policies
- Exchange keying material of IPsec SAs
- Establish IPsec SAs
- Periodically renegotiates IPSec SAs to ensure security
- Optionally performs an additional Diffie-Hellman exchange
What are the Network Management Requirements
- Ease of use
- Restoral capability
- Monitor network availability
- Improved automation
- Monitor response time
- Security features
- Ability to add and delete users
- Traffic monitoring
- User regulation
Provide an overview of FCAPS: Network Management Functional Model
- Fault Management: Detect, modify, notify, fix network problems
- Configuration Management: Monitor network and system configuration
- Account Management: Network utilisation
- Performance Management: Performance monitoring
- Security Management: Control access to resources
Name some popular network management models
Provide an overview of the different Network Management Models
- Simple Network Management Protocol (SNMP) (IETF)
- Used in data networks
- A protocol, a database structure specifications and a set of data objects.
- Adopted TCP/IP standard in 1989
- SNMP v2c in 1993, SNMP v3 is current version
- Common Management Information Protocol (CMIP)(ISO)
- Used more by telecommunications networks
- Complex set of standards, defines a management service, a protocol, a database structure specification, and a set of data objects.
- Common Management Information Service (CMIS)
- It defines the service interface that is implemented by CMIP
Provide an overview of SNMP
- Ver 1 1989: Insecure – community strings sent in the clear
- Ver 2 1993: Uses MD5 to authenticate messages
- Ver 3 2002 Provides:
- Message integrity
What are the strengths and weaknesses of SNMP?
- Widespread popularity
- Flexible and extensible protocol
- Anything but simple
- Inefficient use of bandwidth
What is a good argument to support SNMP?
- While the protocol may be less than perfect it is the only way to manage large networks.
- SNMP allows the DIFFERENCES of state to be monitored and reported.
What are the Standards of SNMP?
- A Standard Message Format: defines a UDP message format.
- A Standard Set Of Managed Objects: standard set of values
- A Standard Way Of Adding Objects: Standard objects can be augmented by vendors.
What are the SNMP PDU's?
- Specific values can be fetched without establishing a TCP connection with the device.
- Enable a “walk” through or bulk collection of SNMP values for a device.
- This provides a way of configuring and controlling network devices via SNMP.
- Enables notification of problems to a manager.
- Returns the variable from the various “get” messages.
- Acknowledge asynchronous notifications from manager to manager
What are the managed objects of SNMP?
- “Management Information Base” (MIB). (See RFC 1213):
- measure and monitor IP activity
- TCP activity
- UDP activity
- IP routes
- TCP connections
What are the managed components of MIB/SNMP?
- Alarm Polling Functions.
- threshold violation
- Trend Monitoring Functions.
- sampling the value at periodic intervals
- Trap Reception Functions.
- allow devices to self-report problems.
- Management Tool Set.
- inspect the raw MIB objects of a particular device.
- MIB Compiler.
- add in new MIB objects
What are the security concerns of SNMP?
- Who: Communities – the relationships between SNMP entities
- What: The community profile made up of the MIB view and the SNMP access mode.
- Read-only: Public community
- Read/write: Private community
Explain the different Community Strings of SNMP
- Read only community: This community allows a read access only to any objects of a device. The common default value is “public”.
- Read write community: This community allows read and write access to any objects of a device. The common default value is “private”.
- Trap community: The agent uses this community when sending traps to the manager.
What are the problems and solutions to upgrading SNMP security?
- Community strings carried in the clear
- No fine grain control of access between users
- User-based Security Model (USM)
- View-Based Access Control Model (VACM)
Describe the User-based Security Model, relevant to SNMP
- Verification of data: achieved by using MD5 or SHA; prevents changing the data en route.
- Verification of the identity of the generator: achieved by using MD5 or SHA; prevents masquerading attacks.
- Ensure packet age: achieved by tracking timeliness using timestamps; defends against message capture and replay.
- Protection from disclosure: achieved by enabling full encryption of content, the standard way now is CBC/DES; prevents unauthorized users from gaining data they are not allowed.
Describe the View-Based Access Control Model (VACM) relevant to SNMP
- Allows granular control of:
- Notify (trap)
How is security managed in SNMP?
- The user is authenticated based on the authentication subsystem
- The variable the user intends to access is matched to the view containing it
- The user's access rights are matched to the view access definitions to check what type of access the user is granted.
- If the user is allowed the access requested the request is handled.
What is Remote Monitoring? (RMON)
What does it do?
What are the components and what layers do they operate on?
- Is a MIB
- Based on IETF RFCs
- Gathers statistics by analysing every frame on a segment
- RMON1 is for data link layer
- RMON2 is for the network layer to the application layer
- Works with an external probe
Provide an overview of the 802.11 Protocol and its complexities
- It has to send and receive radio signals.
- Timing message packets to ensure client synchronization and help avoid data-transmission collisions
- Authenticating clients to make sure only authorized personnel connect to the network
- Encrypting data to enhance data privacy
- Checking data integrity to ensure that the data remains uncorrupted or unmodified
What are the issues of wireless network design?
- Placement of APs relative to existing network infrastructure devices, such as routers, firewalls, and switches
- What type of antennae to use and where to locate them
- How to adjust signal-power settings to prevent RF signals from leaking outside your building
- Keeping track of your wireless devices, such as APs, laptops, and personal digital assistants (PDAs)
- Knowing which device types are allowed on your network and which ones don’t belong
What are the components of Wireless AP settings?
- IP addresses
- Broadcasting of SSIDs
- Admin passwords
- Remote management enabled
- Full power settings
- Use of omnidirectional antennas that come standard on most APs
- MAC-address filtering
- WEP, WPA, WPA2
Provide a list of common wireless devices
- IP Phones
- Tablet PCs
- Security cameras
- Barcode scanners
- Custom devices for vertical markets:
What are the three categories of wireless reconnaissance tools?
Name some popular tools in each category
- Commercial Network Analysers:
- Sniffer Wireless
- Free Network Analysers:
- Scanning Tools:
What are the fundamentals in WLAN Security?
- Service Set Identifier (SSID)
- Wired Equivalent Privacy (WEP)
- Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access 2 (WPA2)
- Shared Key
- Enterprise using RADIUS/TACACS+
- Digital Signature
What were the early weaknesses of wireless security?
- Weak device-only authentication: Client devices are authenticated. Users are not authenticated.
- Weak data encryption: Wired Equivalent Privacy (WEP) has been proven ineffective as a means to encrypt data.
- No message integrity: The Integrity Check Value (ICV) has been proven ineffective as a means of ensuring message integrity.
What are the security limitations of IEEE 802.11?
- Authentication is device based rather than user.
- Client does not authenticate network
- Existing authentication databases are not usable.
- Key Management:
- Keys are static
- Keys are shared among devices and APs
- All devices and APs must be rekeyed if an adaptor or device is stolen
- RC4-based WEP keys:
- Encryption algorithm is vulnerable to attack
- Message integrity is not ensured
What have been the security improvements in wireless?
- Use of 802.1x protocol:
- Mutual authentication using Extensible Authentication Protocol
- Temporal Key Integrity Protocol (TKIP):
- Hash WEP key
- Message Integrity checks (MIC)
- Broadcast Key Rotation (BKR)
- Advanced Encryption Standard (AES)
- Virtual Private Network (VPN)
- Wi-Fi Protected Access (WPA)
- Robust Secure Network (RSN)
What is Temporal Key Integrity Protocol (TKIP)?
- Wrapper around WEP
- Temporal Key:
- Sequence number (IV) + MAC address + base key
- Base Key:
- Each time a wireless station associates to an access point, a new base key is created.
What is WPA2?
What are the features and improvements of WPA2?
- Strong encryption and authentication support for infrastructure and ad-hoc networks (WPA is limited to infrastructure networks);
- Reduced overhead in key derivation during the wireless LAN authentication exchange;
- Support for opportunistic key caching to reduce the overhead in roaming between access points;
- Support for pre-authentication, where a station completes the IEEE 802.1X authentication exchange before roaming;
- Support for the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism based on the Advanced Encryption Standard (AES) cipher as an alternative to the TKIP protocol.
Is WPA2 insecure?
- "Gone in 900 seconds: Some Crypto issues with WPA!" November 2008
- Erik Tews cracks the Pairwise Master Key in TKIP
- In Oct 2008 Russian researchers report a 100-fold increase in cracking WPA keys via the massively parallel computational power of the newest NVIDIA chips.
- Build yourself a 20-station workstation and have the key in days, if not weeks, rather than years.