Telecommunications, Network, and Internet Security - Auburn ...

greydull - Networks and Communications

30 Oct 2013


© Copyright 2005 (ISC)² All Rights Reserved.

Telecommunications, Network and Internet Security v5.0

Telecommunications,
Network, and Internet
Security


Introduction


The telecommunications, network, and
Internet security domain discusses the:


Network structures


Transmission methods


Transport formats


Security measures used to provide
availability, integrity, and confidentiality


Authentication for transmission over private
and public communications networks and
media.


Objectives


The CISSP should be able to:


Describe

the telecommunications and
network security elements as they relate to
the transmission of information in local area,
wide area, and remote access.


Define

the concepts associated with the
Internet, intranet, and extranet
communications, such as firewalls, gateways,
and associated protocols.


Objectives (cont.)


The CISSP should be able to:



Identify

the communications security
management and techniques that
prevent, detect, and correct errors so
that the protection of information
transmitted over networks is maintained.


Goals of Network
Security


The common thread among good information security objectives is that they address all three core security principles:

Confidentiality - prevents unauthorized disclosure of systems and information.

Integrity - prevents unauthorized modification of systems and information.

Availability - prevents disruption of service and productivity.


Specific Network Security
Objectives


The objectives of network security:

Transmission channels and services are secure and accessible.

Network security mechanisms interoperate and are operational.

Messages sent are the messages that are received.

Message link is between valid source and destination nodes.


Specific Network Security
Objectives (cont.)


Message non-repudiation is available.

Prevent unauthorized disclosure of messages.

Prevent unauthorized disclosure of traffic flows.

Remote access mechanisms are secure.

Security mechanisms are easy to implement and maintain.

Security mechanisms are transparent to end-users.


Subtopics


Data Networks


Network Protocols


Telephony


Remote Access


Network Threats, Attacks and Countermeasures


Network Access Controls


Network Availability Technologies


Internet and Web Security Protocols


Multimedia and Quality of Service


Information Security Activities


Section Objectives


Describe various network
architectures


List the elements and devices that
comprise a data network


Describe data network technologies



Data Network Structures

Examples:



Personal Area
Network


Wireless Personal
Area Network


Local Area Network


Metropolitan Area
Network


Campus Area
Network





Wide Area Network


Internet


Intranet


Extranet


Value Added
Network


World Wide Web


Global Area Network


Data Network Components


Data network components include:


Mainframe/Server Hosts


File Servers


Workstations


Software - Network Operating System and Applications


Data Network Components (cont.)


Data network components include:


Network Adapter/Network Interface
Card


Hub/Concentrator/Repeater


Bridges


Switches - Layer 2, 3, 4, etc.


Routers


Gateways


Data Network Components (cont.)


Data network
components include:


Physical Cabling


Twisted Pair/Coaxial
Cable/Fiber Optics


Wireless


Radio Frequency/
Infrared/Optical/
Satellite


Circuit Switched Networks


Information is segmented into pieces that fit within a channel or time slot (usually 8 bits).

A connection is established permanently or on demand and is maintained between switches in order to route traffic to the correct destination.

Traffic is switched based on Time Division Multiplexing (TDM).


Packet Switched Networks


Each data packet contains information such as addresses and sequence numbers.

Where a connection is used (a virtual circuit), it is established permanently or on demand and maintained between switches in order to switch traffic to the correct destination; otherwise each packet is forwarded independently.

Switches switch the packets to the final destination based on the header information.

Traffic is switched based on Statistical Time Division Multiplexing (STDM).


Circuit vs. Packet Switching

Circuit-Switched

Designed for constant traffic

Typically experience fixed delays

Connection-oriented

Traffic is sensitive to loss of connection

Voice/video oriented

Can waste resources

Packet-Switched

Designed for bursty traffic

Typically experience variable delays

Connectionless

Traffic is sensitive to loss of data

Data oriented

Can introduce delays


Virtual Circuits


A logical circuit created over a packet switched network.

Two types

Permanent Virtual Circuits (PVCs) - permanently established circuits that remain in place until the network administrators delete them from the switches.

Switched Virtual Circuits (SVCs) - dynamically established when requested and removed when transmission is finished.


LAN Network Topologies

LANs are logically or physically organized as:

Bus

Ring

Mesh

Tree

Star


LAN Transmission Methods


Unicast - packet is sent from source to destination address

Multicast - packet is copied and sent to a specific subset of nodes on the network

Broadcast - packet is copied and sent to all nodes on the network


LAN Media Access Methods


Three types of methods are used by
hosts to access the physical network
medium.


Carrier Sense Multiple Access

(CSMA)


With Collision Avoidance (CSMA/CA)


With Collision Detection (CSMA/CD)


Polling


Token Passing


LAN Implementations

Subtopics


Wireless



Bluetooth / IEEE
802.15


802.11a


802.11b


802.11g


Wired


Ethernet / IEEE
802.3


Fiber Distributed
Data Interface
(FDDI)


Token Ring /
IEEE 802.5


LAN Implementations - Wired

Ethernet/IEEE 802.3

Usage

Most widely used LAN implementation.

Access Method

CSMA/CD, probabilistic

Topology

Logically a bus topology, often implemented as a physical star or sometimes point-to-point.

Speeds

Ethernet (10 Mbps), Fast Ethernet (100 Mbps), Gigabit Ethernet (1 Gbps)


LAN Implementations - Wired

Fiber Distributed Data Interface (FDDI)

Usage

Standard originally designed for fiber optic networks.

Typically used as backbones for LANs/WANs.

FDDI-2 extension provides for voice, video, and data.

Access Method

Token passing, deterministic

Topology

Ring (dual counter-rotating rings)

Speeds

100 Mbps

1000 Mbps


LAN Implementations - Wired

Token Ring / IEEE 802.5

Usage

Promoted by IBM as their networking standard.

Access Method

Token passing; the single token contains a priority mechanism.

Nodes insert, copy, or remove data.

Data sent sequentially bit by bit around the ring.

Topology

Star-wired ring topology.

Speeds

16 Mbps (4 Mbps in early deployments); 100 Mbps with High Speed Token Ring.




Introduction to Wireless





Cell Phones

PDAs

WLANs

Toys

Appliances

Cordless Phones


Wireless Radio Frequency Band

[Figure: spectrum chart from 0 to 38 GHz, marking licensed and unlicensed radio frequencies]

Licensed radio frequencies:

AM Radio (535 - 1605 kHz)

FM Radio (88 - 108 MHz)

VHF TV (174 - 216 MHz)

UHF TV (512 - 806 MHz)

Analog Cellular (824 - 894 MHz)

Digital Cellular (1850 - 1900 MHz)

Unlicensed radio frequencies:

Cordless Phones, Baby Monitors, Toys (900 MHz)

802.11b/g, Bluetooth, Phones (2.4 GHz)

802.11a/h, Phones (5 GHz)


Wireless Network Standards


Bluetooth


Used as short distance
replacement for cabling


Less than 1 Mbps


2.4 GHz frequency band


Frequency Hopping Spread
Spectrum (FHSS)


802.11b


Extension to 802.11 Wireless
LAN standard


11 Mbps data rate


2.4 GHz frequency band


Direct Sequence Spread
Spectrum (DSSS)


802.11a


Extension to 802.11 Wireless
LAN standard


54 Mbps data rate


5 GHz frequency band


Orthogonal Frequency Division
Multiplexing (OFDM)


802.11g


54Mbps data rate


2.4 GHz frequency band


OFDM


802.11b compatible


Wide Area Networks


Connects LANs together through technologies such as:

Dedicated leased lines

Dial-up phone lines


Satellite and other wireless links


Data packet carrier services


WAN Network Technologies

Subtopics



Integrated Services Digital Network

Point-to-Point Lines

Digital Subscriber Line and Cable Modem

Synchronous Data Link Control and Derivatives

X.25

Frame Relay

Asynchronous Transfer Mode

Wireless Wide Area

WAP

i-Mode

IP Telephony


ISDN and Point to Point Lines

Integrated Services Digital Network (
ISDN
)


Attributes:

1. End-to-End digital connectivity

2. Integrated access

3. Small family of standard interfaces

4. Message-oriented signaling

5. Customer control


Point to Point
Lines


Types


Leased Lines


Digital Circuits


Optical Circuits.


DSL and Cable Modems

“Always-on” technologies (as opposed to on-demand dial-up) that provide high-speed connections. Because the host is continuously reachable from the Internet, an unprotected computer on such a link is exposed to attack around the clock.

DSL

Provides high-bandwidth data transport.

Uses existing twisted pair telephone lines.

Cable Modem

High-speed access to the Internet over television cable lines.

Uses a modem that filters the coaxial cable connection.


SDLC and HDLC


SDLC and HDLC

Data link layer protocols.

Designed for point-to-point connections.

Developed to carry data.

Synchronous Data Link Control (SDLC)

Protocol developed by IBM for their SNA networks.

High Level Data Link Control (HDLC)

Based on SDLC but standardized by ISO.


X.25


International protocol for a packet-switched network technology.

Defines how connections between user devices and network devices are established and maintained.

Operates at the Network and Data Link Layers.

It uses PVCs and SVCs.

Used by telecommunication carriers.

Overhead requirements limit it to lower speeds.

Data-only support.



Frame Relay

High performance packet switching technology


Operates at the physical and data link layers of the OSI
model.


Designed to replace X.25. Originally data-only; current implementations support voice and video as well.


Uses PVCs and SVCs.


Asynchronous Transfer Mode (ATM)


Very high speed cell relay service, similar in a number of ways to frame relay.

Transfers data in cells of a fixed size (53 bytes).

Small, constant cell size allows video, audio, and computer data to be transmitted over the same network.

It uses PVCs and SVCs.

It is a form of packet switching (cell switching).

Designed to replace frame relay with a faster technology designed to carry all traffic types.


Wireless Wide Area


Satellites provide global coverage in
areas where terrestrial cable facilities
are not available.


Microwave technology also supports
wide area connections.



Generations of Wireless Wide
Area Protocols


1G Wireless


First wave of analog
phones


Heavy and bulky


Not many services
other than voice



2G Wireless


Commonly deployed


Smaller size


Caller id, paging,
email


2.5G Wireless


Addition of always on
Internet email and
alerts (GPRS)


Higher data rates



3G Wireless


First hit in Japan late
2001


Packet technology


Higher connection
speeds (video
conferencing, MPEG)


Wireless Application Protocol
(WAP)


Standard protocol for enabling wireless data access via small portable terminals to secure transaction services.


It supports wireless browsing, messaging, and
other applications.


It uses less resources (i.e., CPU, memory) and
is simpler than TCP/IP.


WAP supported networks include:


CDPD, CDMA, GSM, PDC, PHS, TDMA, FLEX,
ReFLEX, iDEN, TETRA, DECT, DataTAC, and
Mobitex


i-Mode

Mobile Internet service

First introduced in Japan by NTT DoCoMo, Inc.

Now available in European markets through i-mode partners including Belgium, France, Germany, Greece, Italy, Spain, Netherlands, etc.

Wide variety of specialized services including

Online shopping

Banking

Ticket reservation

Restaurant advice

Multimedia e-mailing of still and moving images

Java-based application for downloading and storing sophisticated content


Mobile Phone Vulnerabilities


Lack of policies and awareness

Theft of mobile phones, Personal Digital Assistants (PDAs) and their data

Subscriber Identity Module (SIM) cloning

False base stations

Stealing secrets using phone-based or PDA-based cameras, email, storage chips, etc.

Access to the Internet, bypassing the firewalls


Mobile Phone Vulnerabilities
(cont.)


Short Message Service spamming


Malicious downloadable code or content


Encryption is weak or non-existent

Turning on wireless encryption does not mean data is protected end-to-end

Wired portion of the traffic may travel in the clear

Bluetooth vulnerabilities

PIN length, lack of encryption, bluejacking, etc.


IP Telephony


Integrates the existing voice network with data networks.

Carries data, voice, and video over a single packet network.

Uses “isochronous” (i.e., time-dependent) processes: data must be delivered within certain time constraints, as required by video that needs synchronization.

Includes: Voice over IP, Voice over Frame Relay, Voice over Asynchronous Transfer Mode, etc.


Quick Quiz


What is the difference between
synchronous and asynchronous
communication?


What is the difference between a circuit-switched network and a packet-switched network?




Section Summary


Synchronous communication is the transfer of data that
relies on the presence of a clocking system at both ends
of the transmission.


Asynchronous communication is the transfer of data by
sending bits sequentially, with start bits and stop bits to
mark beginning and end, without a shared clock.


A circuit-switched network is a connection established on demand and maintained between data stations in order to allow exclusive use of a circuit (transmission line) until the connection is released.

A packet-switched network has segmented data, with each packet containing information such as a destination address, source address, and packet sequence number. Network devices route the packets to the final destination.



Subtopics


Data Networks


Network Protocols


Telephony


Remote Access


Network Threats, Attacks and Countermeasures


Network Access Controls


Network Availability Technologies


Internet and Web Security Protocols


Multimedia and Quality of Service


Information Security Activities


Section Objectives


Describe various standard network
protocols


Describe the OSI network model


Describe the TCP/IP network protocol


Identify network protocol
vulnerabilities



Network Protocol Definition



A standard set of rules that governs the exchange of data between hardware and/or software components in a communications network.

A network protocol also describes the format of a message and how it is exchanged.

When computers communicate with one another, they exchange a series of messages.

To understand and act on these messages, computers must agree on what a message means.



Subtopics



Open System Interconnection (
OSI
)
Model


Transmission Control Protocol/Internet
Protocol (
TCP/IP
)


OSI Model


Seven Layers


Data transfer is accomplished by a layer interacting with
the layer above or below through the use of interface
control information.


ISO 7498

Describes the OSI reference model.

Its security addendum, ISO 7498-2 (Security Architecture), defines the security services that are available, the mechanisms that provide them, and where they fit in the layered model. The eight specific security mechanisms it lists are:

Encipherment

Digital Signatures

Access Control

Data Integrity

Authentication Exchange

Traffic Padding

Routing Control

Notarization


Layer Interaction

[Figure: Host 1 and Host 2, each with the seven layers stacked (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical); each layer talks to its peer on the other host through the protocol layer between them]

Each sending layer wraps what it receives from the layer above in its own header (and, for some layers, a trailer); the peer layer on the receiving host strips them off again. On the wire the original message therefore appears as:

Hdr1 Hdr2 Hdr3 Message Tlr3 Tlr2 Tlr1

Hdr3/Tlr3 belong to the layer closest to the original message (together they form "Data 3"), Hdr2/Tlr2 wrap that into "Data 2", and Hdr1/Tlr1 wrap that into "Data 1", which is what the physical layer transmits.


Application Layer


Provides a user
interface through
which the user
gains access to the
communication
services.


Ideal place for end-to-end encryption and access control.


Presentation Layer


Ensures
compatible syntax
in how the
information is
represented for
exchange by
applications.


Not used
extensively.


Session Layer


Coordinates communications dialogue between cooperating application processes.

Maintains a logical connection between two processes on end hosts.

Ideal place for identification and authentication.


Transport Layer


Ensures host-to-host information transfer.

Provides reliable, transparent data transfers between session entities.

Isolates the user from any concerns about the actual movement of the information.

A place to implement end-to-end encryption.


Network Layer


Selects and manages a route chosen from the available links arranged as a network.

Can determine alternate routes to avoid congestion or node failure.

A place to implement link or end-to-end encryption.


Data Link Layer


Responsible for reliable delivery of information over a point-to-point or multi-point network.


Can be divided into
Logical Link Control
and Media Access
Control.


Common place to
implement link
encryption.


Physical Layer


Provides for the transparent transfer of a bit stream over a physical circuit.


Provides physical or
virtual connection for
transmission between
data link entities.


TCP/IP

Suite of protocols.


Transmission Control Protocol (TCP)

Internet Protocol (IP)

De facto standard for networking.

Architecture-independent.

Security was not originally designed into the protocols. Therefore, security-specific protocols have been devised for use on TCP/IP networks.


OSI vs. TCP/IP

[Figure: the TCP/IP implementation layers drawn alongside the seven-layer OSI model]


TCP/IP Application Layer


Includes the functionality of the OSI application, presentation, and session layers.

Sends to and retrieves data from the transport layer.

Converts received data to a usable, viewable format.


TCP/IP Transport Layer

Transfers data between different
applications on end hosts.

Can construct data in two ways:


Transmission Control Protocol (TCP)

User Datagram Protocol (UDP)


TCP/IP Network Layer


Defines how information is sent between hosts. It contains the:

Internet Protocol (IP)

Internet Control Message Protocol (ICMP)

Internet Group Management Protocol (IGMP)


TCP/IP Data Link Layer


Defines how the physical layer transmits the network layer packets between adjacent or broadcast computers.


Resolves information into bits
that control construction and
exchange of packets.


Mediates access to the
physical layer.



TCP/IP Physical Layer


Defines the encoded signaling
on the transmission channel.


Specifies the characteristics of
the wire that connects the
machines in a network.


Specifies how network cards
encode the bits they transmit.


Includes the transmission
medium.



Data Encapsulation


To transmit data across a layered network, the data passes through each layer of the protocol stack.

It begins at the application layer with the application software passing the data to the next lower protocol in the stack.

At each layer the data is encapsulated: the protocol processes the data into the format that the next protocol layer requires.


Data Encapsulation

Send (top down) / Receive (bottom up):

Application Layer (Program)   : Data
Transport Layer (TCP Module)  : TCP Header | Data
Network Layer (IP Module)     : IP Header | TCP Header | Data
Data Link Layer               : DL Header | IP Header | TCP Header | Data

On send, each layer prepends its own header to what it received from the layer above; on receive, each layer strips its own header and passes the remainder up.


Data Structure Terminology

Layer                            TCP        UDP
Application Layer                stream     message
Transport Layer                  segment    packet
Internet (Network) Layer         datagram   datagram
Network Access (Data Link) Layer frame      frame
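The encapsulation and terminology slides above, worked through in code. This is an added example written for this edit, not material from the (ISC)² course: it wraps a UDP message into an IPv4 datagram and then an Ethernet II frame with `struct`, computing the RFC 1071 header checksum, and then unwraps the frame layer by layer, validating each header before trusting the one inside it. The MAC addresses, IP addresses, ports and payload are constructed sample values.

```python
import struct

# Constructed sample values for this example (not taken from the original slides)
SRC_MAC = bytes.fromhex("02000000000a")
DST_MAC = bytes.fromhex("020000000014")
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPV4_HEADER = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header (checksum field zeroed when building)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    """Dotted quad -> 4 bytes. Each octet is 8 bits, so the legal range is 0..255."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return bytes(octets)


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, sport: int, dport: int,
                ident: int = 0x1234) -> bytes:
    """Application data -> UDP datagram -> IPv4 datagram -> Ethernet frame, header by header."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # UDP checksum 0 = omitted
    ip_hdr = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(udp), ident, 0x4000, 64,
                         IPPROTO_UDP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]  # fill checksum
    return struct.pack("!6s6sH", DST_MAC, SRC_MAC, ETHERTYPE_IPV4) + ip_hdr + udp


def decapsulate(frame: bytes) -> dict:
    """Strip the headers in reverse order, checking each layer before trusting the next."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet + IPv4 + UDP headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, flags_off, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HEADER, ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    if ip_checksum(ip[:ihl]) != 0:           # a header that includes its own checksum sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    if proto != IPPROTO_UDP:
        raise ValueError(f"unexpected IP protocol {proto}")
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        raise ValueError("UDP length inconsistent with IP total length")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl, "ident": ident, "more_fragments": bool(flags_off & 0x2000),
        "sport": sport, "dport": dport, "payload": ip[ihl + 8:ihl + udp_len],
    }


def build_sample_frame() -> bytes:
    """Constructed sample: the message b'hello' from 192.0.2.10:40000 to 192.0.2.20:53."""
    return encapsulate(b"hello", "192.0.2.10", "192.0.2.20", 40000, 53)


if __name__ == "__main__":
    frame = build_sample_frame()
    print(f"{len(frame)} bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```

The receive side deliberately checks every length field against the layer that contains it; accepting a UDP length larger than the IP total length, or an IHL smaller than 20, is how parsers get tricked into reading past the data a frame actually carries.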


TCP/IP Implementation

Application Layer : Program, Program (user processes)
Transport Layer   : TCP, UDP
Network Layer     : IP, with ICMP and IGMP alongside it; ARP sits between IP and the hardware interface
Data Link Layer   : Hardware Interface, PPP
Physical Layer    : Network Cable


TCP/IP


The protocols in the TCP/IP suite work together to:

Break the data into small pieces that can be efficiently handled by the network.

Communicate the destination of the data to the network.

Verify the receipt of the data on the other end of the transmission.

Reconstruct the data in its original form.


Network Protocols

Subtopics


Internet Protocol (IP)

Transmission Control Protocol (TCP)

User Datagram Protocol (UDP)

Internet Control Message Protocol (ICMP)

Internet Group Management Protocol (IGMP)

Point-to-Point Protocol (PPP)

Domain Name System (DNS)

Address Resolution Protocol (ARP)

Simple Network Management Protocol (SNMP)

Routing Protocols


Internet Protocol (IP)


The Internet Protocol is a packet-based protocol used to exchange data over computer networks.

Network layer protocol.

Handles addressing and control information to allow packets to travel through the network.

IP is a best-effort protocol.


IP Functions


Define the datagram (the basic unit of transmission in the Internet).

Define the Internet addressing scheme.

Move data between the Network Layer and the Transport Layer.

Route datagrams to remote hosts.

Perform fragmentation and reassembly of datagrams.


IP Addresses


Composed of 32-bit addresses that are often displayed in the form of four groups of decimal digits separated by a period/dot (dotted-quad notation).

Each group (octet) is 8 bits and so has a value from 0 to 255.

Example: 216.25.104.207

11011000 . 00011001 . 01101000 . 11001111
   216   .    25    .    104   .    207



IP version 6 (IPv6)


Expands the address to 128 bits.

Simplifies the header format.

Provides support for extensions and options.

Adds quality of service capabilities.

Adds address authentication and message confidentiality and integrity (IPsec).


IP Security Issues


IP Fragmentation Attacks

Tiny fragment attack

Overlapping fragment attack

Teardrop Denial of Service Attack

IP Address Spoofing

Source Routing

Smurf and Fraggle

IP Tunneling over other protocols
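The three fragmentation attacks listed above share one root cause: a filter or a reassembler that trusts each fragment's offset and length on its own. The following is an added example for this edit, not code from the (ISC)² material: a fragment sanity check of the kind a packet filter or IDS applies before reassembly, run over constructed fragment descriptions (the `Fragment` class, the sample traffic and the 16-byte first-fragment minimum are this example's assumptions). It flags a tiny first fragment, a fragment at offset 1 (the RFC 1858 indirect check), an overlap of the teardrop kind, and a datagram whose reassembled size would exceed the 16-bit IPv4 total length, the pattern behind the ping of death covered later in the ICMP section.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Smallest first-fragment payload accepted for TCP. The ports and flags occupy the first 14 bytes
# of the TCP header, so a shorter first fragment lets an attacker push the flags into a second
# fragment that a header-inspecting filter never examines (the "tiny fragment" problem of RFC 1858).
# 16 is this example's policy choice, not a protocol constant.
MIN_FIRST_FRAGMENT = 16
MAX_DATAGRAM = 65535   # IPv4 Total Length is a 16-bit field


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment after header parsing (all values are constructed for this example)."""
    ident: int    # Identification field, shared by every fragment of one datagram
    offset: int   # Fragment Offset field, in 8-byte units
    more: bool    # MF (More Fragments) flag
    length: int   # payload bytes in this fragment (Total Length minus header length)

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:          # exclusive end of the byte range this fragment covers
        return self.start + self.length


def check_fragments(frags: Iterable[Fragment]) -> List[Tuple[Fragment, str]]:
    """Return (fragment, reason) pairs a filter should drop; an empty list means nothing looked wrong."""
    findings: List[Tuple[Fragment, str]] = []
    accepted: Dict[int, List[Tuple[int, int]]] = {}   # ident -> byte ranges already accepted
    for f in sorted(frags, key=lambda f: (f.ident, f.start)):
        if f.offset == 0 and f.more and f.length < MIN_FIRST_FRAGMENT:
            findings.append((f, "tiny first fragment"))
        if f.offset == 1:
            findings.append((f, "fragment offset 1 (RFC 1858 indirect tiny-fragment check)"))
        if f.end > MAX_DATAGRAM:
            findings.append((f, "reassembled datagram would exceed 65535 bytes"))
        ranges = accepted.setdefault(f.ident, [])
        overlap = next(((s, e) for s, e in ranges if f.start < e and s < f.end), None)
        if overlap is not None:
            s, e = overlap
            findings.append((f, f"overlaps bytes {max(s, f.start)}-{min(e, f.end) - 1} of an earlier fragment"))
        else:
            ranges.append((f.start, f.end))
    return findings


def sample_fragments() -> List[Fragment]:
    """Constructed traffic: one well-formed fragmented datagram plus three classic abuses."""
    return [
        # ident 1: a 2000-byte datagram split for a 1500-byte MTU (1480 payload bytes per fragment)
        Fragment(1, 0, True, 1480), Fragment(1, 185, False, 520),
        # ident 2: tiny 8-byte first fragment, then a fragment at offset 1 carrying the rest of the header
        Fragment(2, 0, True, 8), Fragment(2, 1, True, 8), Fragment(2, 2, False, 1000),
        # ident 3: teardrop-style overlap, the second fragment lands inside the first
        Fragment(3, 0, True, 36), Fragment(3, 3, False, 4),
        # ident 4: a final fragment that pushes the reassembled size past 65535 (ping-of-death pattern)
        Fragment(4, 8189, False, 40),
    ]


if __name__ == "__main__":
    for frag, reason in check_fragments(sample_fragments()):
        print(f"drop ident={frag.ident} offset={frag.offset} len={frag.length}: {reason}")
```

The overlap test is deliberately run against fragments already accepted for the same Identification value rather than against the immediately preceding one, since an attacker controls arrival order; sorting by offset first keeps the check independent of that order.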


Transmission Control Protocol (TCP)


Provides reliable data transmission.

Retransmits lost/damaged data segments.

Sequences incoming segments to match original order.

Marks every TCP packet with a source host and port number, as well as a destination host and port number.


TCP Provides:


Connection-oriented data management

Reliable data transfer

Stream-oriented data transfer

Push functions

Resequencing

Flow Control

Multiplexing

Full-duplex transmission

Identification of urgent data

Graceful close


Connection Oriented TCP


TCP maintains status and state information about each user data stream flowing into and out of the TCP module.

TCP provides end-to-end transfer of data across one network or multiple networks to a receiving user application.


Sample TCP Session

Host A                                     Host B

Active open
  SYN(1000)                        ---->   Passive open
                                   <----   SYN(2000), ACK(1001)
  ACK(2001)                        ---->
Connection established                     Connection established

  ACK, data                        <--->   ACK, data

Host A close
  ACK(2300), FIN(1500)             ---->
                                   <----   ACK(1501)
                                   <----   ACK(1501), FIN(2400)   Host B close
  ACK(2401)                        ---->
Connection closed                          Connection closed


TCP Security Issues


TCP Sequence Number Attacks


Session Hijacking


SYN Flood
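The sample session above and the first two security issues on this slide are two views of the same arithmetic: every SYN, FIN and data byte consumes one sequence number, and a receiver only accepts a segment whose numbers line up with what it expects. The following is an added example written for this edit, not code from the (ISC)² course: a minimal two-endpoint model that replays the slide's exchange (its ISNs of 1000 and 2000; the byte counts of 499, 299 and 100 are assumptions chosen to reproduce the slide's ACK and FIN numbers) and then tries to inject a forged segment into the connection with a guessed sequence number and with the correct one. SYN flooding, the third issue, concerns resource exhaustion at the listener and is not modelled here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MOD = 1 << 32  # TCP sequence numbers live in a 32-bit space


@dataclass
class Segment:
    seq: int
    ack: Optional[int] = None  # None when the ACK flag is clear
    syn: bool = False
    fin: bool = False
    data: bytes = b""

    def consumed(self) -> int:
        """Sequence numbers this segment uses up: one per data byte plus one each for SYN and FIN."""
        return len(self.data) + int(self.syn) + int(self.fin)

    def __str__(self) -> str:   # same notation as the slide: SYN(seq), ACK(ack), FIN(seq)
        parts = [f"SYN({self.seq})"] if self.syn else []
        if self.ack is not None:
            parts.append(f"ACK({self.ack})")
        if self.fin:
            parts.append(f"FIN({self.seq})")
        if self.data:
            parts.append(f"{len(self.data)} bytes from {self.seq}")
        return ", ".join(parts)


@dataclass
class Endpoint:
    name: str
    isn: int                          # initial sequence number chosen at open
    snd_nxt: int = field(init=False)  # next sequence number this side will send
    rcv_nxt: Optional[int] = None     # next sequence number expected from the peer

    def __post_init__(self) -> None:
        self.snd_nxt = self.isn

    def send(self, **kw) -> Segment:
        seg = Segment(seq=self.snd_nxt, ack=self.rcv_nxt, **kw)
        self.snd_nxt = (self.snd_nxt + seg.consumed()) % MOD
        return seg

    def receive(self, seg: Segment) -> bool:
        """Accept the segment and advance state, or return False to drop it.

        A strict in-order receiver suffices here: the segment must carry exactly the SEQ expected
        next and must not ACK sequence numbers this side has never sent. A blind attacker who does
        not know these numbers fails both tests; that is what sequence number attacks must defeat.
        """
        if seg.ack is not None and (seg.ack - self.isn) % MOD > (self.snd_nxt - self.isn) % MOD:
            return False                          # acknowledges data never sent
        if seg.syn and self.rcv_nxt is None:
            self.rcv_nxt = (seg.seq + 1) % MOD    # learn the peer's ISN from its SYN
            return True
        if self.rcv_nxt is None or seg.seq != self.rcv_nxt:
            return False                          # not the segment expected next
        self.rcv_nxt = (self.rcv_nxt + seg.consumed()) % MOD
        return True


Trace = List[Tuple[str, str, str, bool]]  # (from, to, segment in slide notation, accepted?)


def _xfer(src: Endpoint, dst: Endpoint, trace: Trace, **kw) -> None:
    seg = src.send(**kw)
    trace.append((src.name, dst.name, str(seg), dst.receive(seg)))


def open_connection(isn_a: int = 1000, isn_b: int = 2000) -> Tuple[Endpoint, Endpoint, Trace]:
    """Three-way handshake: A performs the active open, B the passive open (ISNs as on the slide)."""
    a, b, trace = Endpoint("A", isn_a), Endpoint("B", isn_b), []
    _xfer(a, b, trace, syn=True)   # SYN(1000)
    _xfer(b, a, trace, syn=True)   # SYN(2000), ACK(1001)
    _xfer(a, b, trace)             # ACK(2001): connection established at both ends
    return a, b, trace


def sample_session() -> Trace:
    """Replay the slide's whole exchange; byte counts are chosen to reproduce its numbers."""
    a, b, trace = open_connection()
    _xfer(a, b, trace, data=b"A" * 499)  # A sends sequence numbers 1001..1499
    _xfer(b, a, trace, data=b"B" * 299)  # B sends 2001..2299
    _xfer(a, b, trace, fin=True)         # ACK(2300), FIN(1500): Host A close
    _xfer(b, a, trace)                   # ACK(1501)
    _xfer(b, a, trace, data=b"B" * 100)  # B may still send after A's FIN (half-close): 2300..2399
    _xfer(b, a, trace, fin=True)         # ACK(1501), FIN(2400): Host B close
    _xfer(a, b, trace)                   # ACK(2401): connection closed
    return trace


def injection_demo() -> Tuple[bool, bool]:
    """Send B the same forged payload with a guessed SEQ and with the SEQ it really expects."""
    _, b, _ = open_connection()
    blind = b.receive(Segment(seq=4242, ack=b.snd_nxt, data=b"evil"))          # guessed SEQ
    informed = b.receive(Segment(seq=b.rcv_nxt, ack=b.snd_nxt, data=b"evil"))  # sniffed or predicted SEQ
    return blind, informed


if __name__ == "__main__":
    for src, dst, text, ok in sample_session():
        print(f"{src} -> {dst}: {text:34} {'accepted' if ok else 'DROPPED'}")
    print("blind injection accepted: %s, informed injection accepted: %s" % injection_demo())
```

The informed injection succeeds only because the attacker knows B's expected sequence number; on a shared segment that knowledge comes from sniffing, while a blind attacker needs the ISN to be predictable. Unpredictable ISNs and, for the SYN flood case, SYN cookies are the standard countermeasures.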


User Datagram Protocol (UDP)


Transport layer protocol

Provides quick and simple service

Provides unreliable, connectionless service for applications


UDP Security Issues


Does not offer error correction, retransmission, or protection from lost, duplicated, or re-ordered packets.

Easier to spoof since there are no session identifiers (handshake, sequence number and ACK bit).

© Copyright 2005 (ISC)


All Rights Reserved.

83

Telecommunications, Network and Internet Security v5.0

Internet Control Message Protocol (ICMP)

Used to exchange control messages between gateways and hosts regarding the low-level operation of the Internet.

Also used by diagnostic tools such as Ping and Traceroute.

The ICMP message is encapsulated within the IP packet.

ICMP Security Issues

Denial of Service

Ping of Death

Host/Network Not Reachable messages

ICMP Redirect

Traceroute

Internet Group Management Protocol (IGMP)

Supports multicast transmissions (IP itself only supports broadcast and unicast).

When a message is sent to a particular multicast group, all computers in that group will get a copy of the message.

It is used by hosts to report multicast group memberships to neighboring multicast routers.

Point-to-Point Protocol (PPP)

Data link layer protocol.

Standardized encapsulation protocol for transporting packets over dial-up and dedicated transmission links.

Supports other protocols, including authentication protocols.

Domain Name System (DNS)

Distributed Internet directory service.

Global network of “name servers” that translate host names to numerical IP addresses.

  www.ISC2.org = 209.164.6.194

Internet services rely on DNS to work: if DNS fails, web sites cannot be located and email delivery stalls.

DNS (cont.)

It is tree structured.

Contains two elements:

  Name Server - responds to client requests by supplying name-to-address conversions.

  Resolver - when it does not know the answer, the resolver element will ask another name server for the information.

DNS Security Issues

Attackers have been known to corrupt the tree and obtain access to a trusted machine.

The name servers can be poisoned so that legitimate addresses are replaced.

Unauthorized users could discover sensitive information if unrestricted querying is allowed.

Address Resolution Protocol (ARP)

Used when a node knows the network layer address but needs the data link layer address to forward the encapsulating frame.

The ARP software maintains a table of translations between IP addresses and data link addresses.

ARP (cont.)

The table is built dynamically: if a destination data link address is not found in the table, the node will broadcast a message on the data link asking for the host with the chosen IP address to respond with its data link address.

Reverse ARP (RARP)

Used to discover the IP address which corresponds to a known data link address (MAC).

Sometimes used by diskless workstations to learn their own IP address.

ARP Security Issues

ARP is unauthenticated, thus an attacker can poison the ARP table to spoof another host by sending unsolicited ARP replies.

An attacker can send an ARP reply mapping the attacker’s MAC address to the default router’s IP address; the target will then send all traffic destined for the router to the attacker’s node. The attacker “sniffs” the traffic, then forwards it to the real router.

ARP Poisoning

[Diagram only; no further text on the slide]
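As an added example (not from the slides), a small detector for the poisoning described on the previous slides: it learns the IP-to-MAC table the way a host's ARP software does and flags replies that answer no outstanding request or that disagree with the mapping already learned, treating the default router's address as high severity. All addresses, MACs and timestamps are constructed.

```python
from collections import namedtuple

# op is "request" or "reply"; fields mirror the sender/target pairs of an ARP packet
ArpPacket = namedtuple("ArpPacket", "ts op sender_ip sender_mac target_ip")

GATEWAY_IP = "192.0.2.1"            # constructed default router (RFC 5737 range)

# Constructed sample traffic: a normal request/reply pair, one unsolicited reply
# from a host nobody asked about, then two replies rebinding the gateway's IP.
SAMPLE = [
    ArpPacket(1.0, "request", "192.0.2.10", "02:00:00:00:00:10", GATEWAY_IP),
    ArpPacket(1.1, "reply",   GATEWAY_IP,   "02:00:00:00:00:01", "192.0.2.10"),
    ArpPacket(2.0, "reply",   "192.0.2.20", "02:00:00:00:00:20", "192.0.2.10"),
    ArpPacket(5.0, "reply",   GATEWAY_IP,   "02:00:00:00:00:66", "192.0.2.10"),
    ArpPacket(5.5, "reply",   GATEWAY_IP,   "02:00:00:00:00:66", "192.0.2.10"),
]


def detect(packets, gateway_ip=GATEWAY_IP, request_timeout=2.0):
    """Return (alerts, table). The table keeps the first MAC learned for each IP,
    so a later conflicting reply is reported rather than silently adopted."""
    table = {}      # ip -> mac, as the ARP software on the earlier slide keeps it
    pending = {}    # (asker_ip, asked_ip) -> time of the outstanding request
    alerts = []
    for p in packets:
        if p.op == "request":
            pending[(p.sender_ip, p.target_ip)] = p.ts
            continue
        key = (p.target_ip, p.sender_ip)        # a reply answers the asker's request
        solicited = key in pending and p.ts - pending[key] <= request_timeout
        if solicited:
            del pending[key]
        known = table.setdefault(p.sender_ip, p.sender_mac)
        if known != p.sender_mac:
            sev = "HIGH" if p.sender_ip == gateway_ip else "MEDIUM"
            alerts.append((p.ts, sev, f"{p.sender_ip} changed {known} -> {p.sender_mac}"))
        elif not solicited:
            sev = "HIGH" if p.sender_ip == gateway_ip else "LOW"
            alerts.append((p.ts, sev, f"unsolicited reply for {p.sender_ip} from {p.sender_mac}"))
    return alerts, table
```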

Simple Network Management Protocol (SNMP)

Provides remote administration of network devices.

SNMP is referred to as "simple" because the agent requires minimal software.

SNMP accesses particular instances of an object, and each object belongs to a community.

Community strings are used to provide read-only or read-write access controls. They authenticate messages sent between the SNMP manager and agent.

Routing Protocols

Routing is the process of selecting a path through a network.

At each router in the network, the datagrams are examined, and the destination address is mapped to a routing table kept in memory. The table tells the router which outgoing link to use to continue sending the datagram.

Routing protocols are used by routers to determine the appropriate path that data should travel.

Routing Protocols (cont.)

Routing protocols specify how routers share information with other routers about the networks they can reach.

Routing protocol examples:

  Routing Information Protocol (RIP)

  Exterior Gateway Protocol (EGP)

  Border Gateway Protocol (BGP)

  Open Shortest Path First Protocol (OSPF)

Routing Protocols Security Issues

A routing table can be compromised or altered to:

  Reduce availability

  Reroute traffic from a secure network to a compromised network

Networks may not use any authentication for their routing protocols, which might result in a lack of security for the network infrastructure.

Routing Protocols Security Issues (cont.)

Attackers can also use source routed packets or ICMP redirect messages to bypass controls.

Quick Quiz

What network protocol is used for internet communications?

What is the difference between UDP and TCP?

What vulnerabilities exist with ICMP?

What OSI layer maintains communications between processes?

What is IPv6? Why is it important?

Section Summary

Network protocols provide a standard set of rules that govern the exchange of data among hardware and software components in a communications network.

Network protocols contain many security vulnerabilities.

Some protocols are designed to control specific vulnerabilities.

Subtopics

Data Networks

Network Protocols

Telephony

Remote Access

Network Threats, Attacks and Countermeasures

Network Access Controls

Network Availability Technologies

Internet and Web Security Protocols

Multimedia and Quality of Service

Information Security Activities


Section Objectives

Describe telephony components

Discuss telephony vulnerabilities

Describe IP telephony

Understand how traditional security concepts can address IP telephony security concerns

Telephony: Traditional Voice Network

Simple analog and digital phones

Separate cabling systems (data and voice)

Closed and proprietary PBX (Private Branch Exchange) systems

The Public Switched Telephone Network (PSTN)

Telephony: Voice System Vulnerability

[Diagram only; no further text on the slide]

Telephony: Authorized Modem Vulnerability

[Diagram labels: LAN, Servers, Workstations, ISP, PBX, Voicemail, Telephones, Modems, PSTN, Internet, IDS, Firewall, Central Office (two), Attacker, Authorized Modem]

Telephony: Outbound Modem Vulnerability

[Diagram labels: LAN, Servers, Workstations, ISP, PBX, Voicemail, Telephones, Modems, PSTN, Internet, IDS, Firewall, Central Office (two), Attacker]

Telephony: Voice Eavesdropping

[Diagram labels: LAN, Servers, Workstations, ISP, PBX, Voicemail, Telephones, Modems, PSTN, Internet, IDS, Firewall, Central Office (two), Toronto Office, Winnipeg Office, PBX (two)]

Traditional Voice & Data Network

[Diagram only; no further text on the slide]

Concept of IP Telephony with Wireless

IP phones and softphones that can run PC applications

Voice servers providing IP PBX, Voice Mail, Messaging, etc.

Media gateways to connect to the PSTN and TDM components

TDM trunks and IP trunks

[Diagram labels: PSTN, IP Phones, Corporate LAN, Internet, Server, Router, Telephony Server, Access Points, Wireless LAN Phones]

IP Telephony Network Issues

Inherits the security issues of traditional IP networks.

Uses non-secure operating systems.

IP/Web based administration.

Susceptible to Denial of Service (DoS); DoS against media sometimes makes the service unusable.

Connected to an un-trusted IP network.

Authentication should be user-transparent.

IP Telephony intelligence is advancing rapidly.

IP Telephony Vulnerabilities

Voice System:

  Operating System/Support Software Implementation

  Application implementation

  Application manipulation (Toll Fraud, Blocking)

  Unauthorized administrative access

Network and media:

  DoS on media and signaling

  DoS against media gateway / TDM sites

  DoS against any shared network resource

  Eavesdropping on conversations

  Media Tunneling

IP Phone Attacks

‘Rogue’ softphones

Implementation attacks (DoS and access controls)

Remote access attacks

Local access attacks

Unauthorized firmware / applications

Protocol attacks

Telephony Security: Subtopics

Apply the IP security safeguards to the voice network:

  Firewalls

  Strong Authentication

  Virtual Private Networks

  Intrusion Detection

Telephony Security: Voice Firewall Application

Unauthorized calls should be blocked by the firewall.

[Diagram: blocked call marked X; Alert]

Strong Authentication

Modem calls should require two-factor authentication.

[Diagram: Audit Trail Produced]

Voice, Fax, Modem, Video VPN

Calls between sites should use encryption.

Intrusion Detection

Real-time monitoring of abusive call patterns and DTMF-based attacks.

Modem/Fax Recording and Content Monitoring.

[Diagram: Alert Sent to IDS; Call Monitored!!]

IP Telephony Security Recommendations

Voice Servers:

  Secure the operating system/network services

  Patch maintenance

  Use strong authentication for authorized hosts

  Maintain strong physical security

  Follow best practices for basic server/IP security

  Consider using host-based security

  Consider deploying a firewall and IDS

  Control access by IP Phones and softphones

IP Telephony Security Recommendations (cont.)

Engineer the network to have proper security:

  Maintain strong security on all networking components

  Limit the number of calls over media gateways

Infrastructure requirements:

  Switched networks

  Firewalls and NIDS: perimeter firewalls block unauthorized IP Telephony

  VLANs

  Encryption: encrypting phones; un-trusted parts of the network

IP Telephony Security Recommendations (cont.)

Engineer the network to have proper security:

  Deploy IP Telephony aware perimeter devices for end-to-end security:

    Perform high speed processing of the media (and NAT)

    Open and close ports for media sessions

    Inspect media for tunneling, illegal flow levels, and DoS

    Provide intrusion prevention functions for signaling

    Implement VPN functions, if desired

    Support appropriate QoS standards

IP Telephony Security Recommendations (cont.)

IP Phones:

  Update default administrator passwords

  Disable unnecessary remote access features

  Prevent casual local configuration of the IP Phone

  Secure the firmware upgrade process

  Insist upon IP Phones that support security features

  Limit use of the web server

  Enable logging

  Cautiously use IP softphones

Quick Quiz

What are some examples of telephony vulnerabilities?

What are the advantages and disadvantages of IP telephony?

Section Summary

The traditional voice network has known vulnerabilities.

These security issues can be addressed by applying technologies with parallels in the data network, such as firewalls, intrusion detection, VPNs, etc.

IP Telephony introduces new vulnerabilities.

IP Telephony vulnerabilities can be addressed with a combination of existing and new technologies.

Voice is a unique application, and security should be managed similarly for the current and IP Telephony networks.

Subtopics

Data Networks

Network Protocols

Telephony

Remote Access

  Remote Access Security Methods

  Tunneling Standards

  Virtual Private Networks

Network Threats, Attacks and Countermeasures

Network Access Controls

Network Availability Technologies

Internet and Web Security Protocols

Multimedia and Quality of Service

Information Security Activities

Section Objectives

Describe various methods of remote access to a network

Discuss remote access control techniques

Describe remote access tunneling protocols

Describe virtual private networks (VPNs)

Remote Access Services

Typically conducted over an untrusted network.

Increased risk of disclosure, modification, and denial of service.

Remote access security minimums:

  Strong identification and authentication services

Rapid growth of remote access via the Internet:

  Wide availability

  Economical

Remote Access Technologies

Allows users to access network information through a dial-in or wireless connection.

[Diagram labels: Telecommuter, Mobile User, Network Access Server, Branch Office]

Internet Access

Allows users to access network information through an Internet Service Provider (ISP) connection.

[Diagram labels: Mobile User, Corporate Gateway]

General Remote Access Safeguards

Publish a clear/definitive remote access policy and enforce it through audit.

Justify all remote users and review regularly, such as yearly.

Identify and periodically audit all remote access facilities, lines and connections.

Consolidate all general user dial-up facilities into a central bank that is positioned on a DMZ.

General Remote Access Safeguards (cont.)

Use phone lines restricted to outbound access for dial-out services.

Set modems to answer after a pre-determined number of rings; this counters “war dialers.”

Use secure modems for single-port diagnostic and administrative access, or unplug them when not in use.

Consolidate remote access facilities when practical.

General Remote Access Safeguards (cont.)

Implement two-factor user authentication and network access restrictions for remote access to all resources on private WAN/LANs.

Use Virtual Private Networks for sensitive data communications on public networks.

Use personal firewalls and anti-virus tools on remote computers.

Remote Access Controls

Three basic methods to restrict dial-up remote access are:

  Restricted Access: only accepts incoming calls from addresses on an approved list.

  Caller ID: checks each caller’s telephone number against an approved list.

  Callback: callers identify themselves to the server with passcodes or ID numbers. The server terminates the connection and calls the user back at a pre-determined phone number.

Tunneling

Tunneling is the act of packaging one network packet (the tunneled packet) inside another (the transport packet).

The tunnel is the vehicle for encapsulating packets inside a protocol that is understood at the entry and exit points of a given network.

For confidentiality and integrity, the tunnels should be encrypted.

Tunneling (cont.)

Tunneling can allow different protocols to travel over a public IP network.

Protocols being used are:

  Point to Point Tunneling Protocol

  Layer 2 Forwarding Protocol

  Layer 2 Tunneling Protocol

  IPSec Protocol

  MPLS (Multi-Protocol Label Switching)

  SOCKS

  SSH

Point to Point Tunneling Protocol (PPTP)

One of the first protocols deployed for Internet-based virtual private networks.

It is a client/server architecture that allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network.

Layer 2 Forwarding (L2F) Protocol

Permits tunneling at the link layer.

Designed as a protocol for tunneling traffic from users to their corporate site.

Provides mutual authentication of user and server.

Does not offer encryption.

Layer 2 Tunneling Protocol (L2TP)

Hybrid of Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP).

Designed for single-user point-to-point client/server connection.

Multiple protocols can be encapsulated within the tunnel.

No encryption, but it is often deployed over IPSec.

IPSec Protocol

IP standard for encryption and node authentication.

It has enough functionality to encrypt, authenticate, and carry IP-only data through a shared network.

While PPTP, L2F, and L2TP are aimed at end users, IPSec focuses on LAN-to-LAN or host-to-host tunnels.

Allows multiple, simultaneous tunnels per end host.

No user authentication method is defined in the standard.

IPSec AH and ESP

The IP Authentication Header (AH):

  provides connectionless integrity, data origin authentication, and an optional anti-replay service.

The Encapsulating Security Payload (ESP):

  provides confidentiality (encryption) and limited traffic flow confidentiality;

  may provide connectionless integrity, data origin authentication, and anti-replay service.

IPSec Protocol Security Associations

All implementations must support a Security Association (SA):

  Simplex (i.e., one-way) “connection” that affords security services to the traffic carried by it.

  To secure typical, bi-directional communication, 2 Security Associations (one in each direction) are required.

Security services are provided using AH or ESP.

  If both AH and ESP protection is applied to a traffic stream, then 2 (or more) SAs are created.

Security Association Triplet

A security association is uniquely identified by a triplet:

  An IP destination address

  Security protocol (AH or ESP) identifier

  Security parameter index (SPI): distinguishes among different SAs terminating at the same destination
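An added example, not from the slides, covering both the AH/ESP anti-replay service and the SA triplet: an inbound SA database keyed by (destination address, protocol, SPI), where each SA carries the 64-entry sliding anti-replay window that AH and ESP use. Addresses, SPIs and sequence numbers are constructed.

```python
class SecurityAssociation:
    """One inbound SA, identified by its triplet, with the anti-replay window that
    AH and ESP (previous slide) may apply, kept as a sliding-window bitmap."""
    WINDOW = 64     # RFC 4302/4303: at least 32 entries, 64 recommended

    def __init__(self, dst, proto, spi):
        self.key = (dst, proto, spi)
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set  =>  sequence number (highest - i) seen

    def check_replay(self, seq):
        """Accept seq if it is new and not older than the window, and record it."""
        if seq == 0:
            return False                            # never valid on the wire
        if seq > self.highest:                      # right of the window: slide it
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & ((1 << self.WINDOW) - 1)) | 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.WINDOW:
            return False                            # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                            # already seen: replay
        self.bitmap |= 1 << offset
        return True


class InboundSADB:
    """SA database keyed by the (destination address, protocol, SPI) triplet."""

    def __init__(self):
        self.sas = {}

    def add(self, dst, proto, spi):
        sa = SecurityAssociation(dst, proto, spi)
        self.sas[sa.key] = sa
        return sa

    def accept(self, dst, proto, spi, seq):
        sa = self.sas.get((dst, proto, spi))
        if sa is None:
            return "no SA"                          # no matching SA: drop the packet
        return "ok" if sa.check_replay(seq) else "rejected"


def demo():
    """Constructed addresses and SPIs. Traffic H2 -> H1 protected by ESP and AH at
    the same time (transport adjacency) needs two inbound SAs at H1; the reverse
    direction would need its own SAs in H2's database, as the earlier slide says."""
    h1_in = InboundSADB()
    h1_in.add("198.51.100.1", "ESP", 0x1001)
    h1_in.add("198.51.100.1", "AH", 0x1001)     # same SPI, other protocol: distinct SA
    return [
        h1_in.accept("198.51.100.1", "ESP", 0x1001, 1),     # ok
        h1_in.accept("198.51.100.1", "ESP", 0x1001, 1),     # rejected: replay
        h1_in.accept("198.51.100.1", "AH", 0x1001, 1),      # ok: other SA, own counter
        h1_in.accept("198.51.100.1", "ESP", 0x1002, 1),     # no SA: unknown SPI
        h1_in.accept("198.51.100.1", "ESP", 0x1001, 70),    # ok: window slides
        h1_in.accept("198.51.100.1", "ESP", 0x1001, 6),     # rejected: 64 behind
        h1_in.accept("198.51.100.1", "ESP", 0x1001, 7),     # ok: 63 behind, unseen
    ]
```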

Security Association Combinations

Security associations may be combined in two ways:

  Transport adjacency: using the same IP datagram to apply multiple security protocols, without invoking tunneling.

    Allows for only one level of combination; further nesting yields no additional benefit.

    Transport mode: encrypts normal communication between end-node and end-node (peer to peer).

  Iterated tunneling: applying multiple layers of security protocols through IP tunnels.

    Allows for multiple levels of nesting.

    Each tunnel can originate or terminate at a different IPSec site along the path.

    Iterated tunneling mode is designed to be used by VPN gateways (LAN to LAN/office to office).

IPSec Protocol (cont.)

IPSec imposes computational performance costs on the hosts or security gateways:

  Memory needed for IPSec code and data structures.

  Computation of integrity check values.

  Encryption and decryption.

  Added per-packet handling, manifested by increased latency and possibly reduced throughput.

Use of SA/key management protocols, especially those that employ public key cryptography, also adds computational performance costs to the use of IPSec.

Multi-Protocol Label Switching (MPLS)

Does not rely on encapsulation and encryption to maintain a high level of security.

Service providers create IP tunnels throughout their network without encryption.

Uses forwarding tables and ‘labels’ to create a secure connection.

Used to guarantee a certain level of performance, to route around network congestion, or to create IP tunnels for network-based virtual private networks.

MPLS Benefits

MPLS brings benefits to IP-based networks, such as:

  Traffic Engineering - the ability to set performance characteristics and the path a particular class of traffic will use.

  VPNs - gives service providers the ability to provide IP tunnels through their network without the need for end-user applications or encryption.

Socket Security (SOCKS)

Circuit-level proxy that contains authentication and encryption features.

Usually used to allow internal computers access to the external Internet.

Can be used for tunneling to allow external users access to the internal network.

Requires client applications to be SOCKS-ified.

Secure Shell (SSH, SSH2)

SSH:

  Powerful method of performing client authentication.

  Safeguards multiple service sessions between two systems.

  Provides support for:

    Host and user authentication

    Data compression

    Data confidentiality and integrity

  Credentials are validated by digital certificate exchange using RSA.

Virtual Private Networks (VPN)

Dynamically established secure network link between two specific network nodes or subnets using a secure encapsulation method.

Uses tunneling AND encryption to protect private traffic over an un-trusted network.

VPN LAN-to-LAN Configuration

[Diagram labels: Internet, LAN (two), Firewall (two), VPN Server (two), DMZ, Encrypted; captions: “VPN Server is behind the firewall”, “VPN Server is on DMZ”]

Mobile User-to-LAN VPN

[Diagram labels: Internet, LAN, Mobile User, Encrypted; captions: “Firewall and VPN Server on same box”, “Laptop with VPN client software”]

IPSec Compatible VPN Devices

Derive confidentiality and integrity from the workstation IP address and either a machine certificate or a shared secret key.

Require the least user intervention, since IPSec authentication and encryption are not user-based.

Work only with IP, not multi-protocol.

Operate at the Network Layer of the OSI model.

IPSec Compatible VPN Devices (cont.)

Key management is a critical component of using IPSec for a VPN.

[Diagram: IPSEC Key Exchange]

Non-IPSec Compatible VPN Devices

Use protocols such as PPTP, SOCKS, or MPLS.

Provide advantages over IPSEC:

  Two-factor authentication

  Better integration with proxy servers and NAT

Firewall based VPN Devices

Integrated with many firewall systems.

Central VPN administration is integrated on the firewall system.

Often uses proprietary, non-standard protocols.

Allows VPN traffic to be securely transmitted and filtered by the firewall.

Typically does not provide any user authentication, but relies on the firewall authentication service to perform user identification and authentication.

Quick Quiz

What functions does a VPN provide?

What is IPSec?

What is tunneling?

Name a few tunneling protocols.

Section Summary

Remote access typically refers to accessing a trusted network from outside the network.

Identification and authentication are critical prior to establishing remote access.

A VPN can be used to help support remote access.

Various protocols exist to support and control remote access.

Subtopics


Data Networks


Network Protocols