
Ch 3: Reviewing Basic Networking Concepts

CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide
Darril Gibson
Basic Connectivity Protocols
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
• IP (Internet Protocol)
• ICMP (Internet Control Message Protocol)
• ARP (Address Resolution Protocol)
• NDP (Neighbor Discovery Protocol)
TCP
• Connection-oriented: guaranteed delivery
• Three-way handshake
• SYN
• SYN/ACK
• ACK
• SYN Flood Attack
• Consumes server resources, creating a Denial of Service (DoS)
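An added example, not from the slides, of what the SYN flood bullet looks like from the server side: a detector that counts, per listening port, how many sources sent a SYN but never sent the third handshake message. The log records and their (timestamp, src, dst, dst_port, flags) layout are constructed for this example, and the threshold is an assumption.

```python
"""Added example (not from the slides): spotting a SYN flood in a TCP log.

The log records below are constructed, and the (ts, src, dst, dst_port, flags)
layout and the threshold are assumptions for this example.  A SYN flood shows
up as many SYNs to one listening port whose senders never send the third
handshake message (the ACK), leaving half-open connections that tie up the
server's resources.
"""
from collections import defaultdict

# Constructed sample: one normal three-way handshake from 10.0.0.5, followed
# by a burst of bare SYNs from 250 spoofed sources that never complete it.
SAMPLE_LOG = [
    (1.00, "10.0.0.5", "192.168.1.10", 80, "SYN"),
    (1.01, "192.168.1.10", "10.0.0.5", 0, "SYN/ACK"),
    (1.02, "10.0.0.5", "192.168.1.10", 80, "ACK"),
] + [
    (2.0 + i * 0.001, f"203.0.113.{i % 250 + 1}", "192.168.1.10", 80, "SYN")
    for i in range(500)
]


def half_open_counts(log):
    """Return {(dst_ip, dst_port): number of sources that sent SYN but never ACK}."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for _ts, src, dst, dst_port, flags in log:
        if flags == "SYN":
            syn_sources[(dst, dst_port)].add(src)
        elif flags == "ACK":
            ack_sources[(dst, dst_port)].add(src)
    return {key: len(srcs - ack_sources[key]) for key, srcs in syn_sources.items()}


def detect_syn_flood(log, threshold=100):
    """Return [(dst_ip, dst_port, half_open)] for listeners at or over the threshold."""
    return [(dst, port, n)
            for (dst, port), n in half_open_counts(log).items() if n >= threshold]


if __name__ == "__main__":
    for dst, port, n in detect_syn_flood(SAMPLE_LOG):
        print(f"possible SYN flood against {dst}:{port}: {n} half-open connections")
```

The normal client is not counted because its ACK completes the handshake; the 250 spoofed sources are, because nothing ever arrives from them after the SYN. In practice the same count is taken over a sliding time window, since a slow trickle of abandoned SYNs is normal.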
UDP
• Connectionless
• No handshake
• No guarantee of delivery
• Often used for DoS attacks
IP
• Delivers packets to specified computer by IP Address
• IPv4: 32-bit address
• 192.168.1.1
• IPv6: 128-bit address
• fe80:0:0:0:462a:60ff:fef6:278a
ICMP
• Connectivity tests
• Ping
• Pathping
• Tracert
• Used in DoS attacks
• Blocked by default by Windows XP SP2 and later firewalls
ARP
• Finds MAC address from IP address
• ARP Poisoning
• Sends false ARP messages
• Redirects traffic on a LAN
• Commonly used for Man-In-The-Middle Attacks
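An added example, not from the slides, of how ARP poisoning is detected on the defending side: the LAN's IP-to-MAC bindings are tracked and any reply that changes an existing binding (or contradicts a known-good binding for a critical host such as the gateway) is flagged. The ARP reply records below are constructed, and their (timestamp, sender_ip, sender_mac) layout is an assumption for this example.

```python
"""Added example (not from the slides): flag ARP poisoning by watching
IP-to-MAC bindings change.

The ARP reply records are constructed.  A legitimate host keeps one MAC; a
poisoning attack announces a different MAC for the same IP (typically the
gateway's), so the LAN's traffic is redirected through the attacker.
"""

# Constructed sample: gateway 192.168.1.1 is normally 00:11:22:33:44:55;
# from t=30 a second MAC starts claiming the gateway's IP.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:55"),
    (2, "192.168.1.20", "aa:bb:cc:dd:ee:01"),
    (10, "192.168.1.1", "00:11:22:33:44:55"),
    (30, "192.168.1.1", "de:ad:be:ef:00:01"),   # conflicting claim
    (31, "192.168.1.1", "de:ad:be:ef:00:01"),
]


def arp_binding_changes(replies):
    """Return (ip, old_mac, new_mac, ts) each time an IP's MAC changes."""
    table = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append((ip, known, mac, ts))
        table[ip] = mac          # a real cache would also expire old entries
    return alerts


def check_static_bindings(replies, static):
    """static maps ip -> expected MAC; return every reply that contradicts it."""
    expected = {ip: mac.lower() for ip, mac in static.items()}
    return [(ts, ip, mac.lower()) for ts, ip, mac in replies
            if ip in expected and mac.lower() != expected[ip]]


if __name__ == "__main__":
    for ip, old, new, ts in arp_binding_changes(SAMPLE_ARP_REPLIES):
        print(f"t={ts}: {ip} changed from {old} to {new}")
    print(check_static_bindings(SAMPLE_ARP_REPLIES, {"192.168.1.1": "00:11:22:33:44:55"}))
```

The first check notices any flip-flop; the second is what a static ARP entry or a switch's Dynamic ARP Inspection table enforces for hosts that must not change. Both only observe replies, so they raise an alert rather than blocking anything.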
NDP
• Replaces ARP for IPv6
• Used for address autoconfiguration
• Can be used for man-in-the-middle and DoS attacks on a LAN
Encryption Protocols
• SSH (Secure Shell) and SCP (Secure Copy)
• SSL (Secure Sockets Layer)
• TLS (Transport Layer Security)
• IPSec (Internet Protocol Security)
SSH
• Used to encrypt Telnet
• Telnet lacks encryption and uses port TCP 23
• Also used for Secure Copy Protocol (SCP)
• Runs on port TCP 22
SSL
• Can be used to encrypt HTTP traffic, as HTTPS
• Port TCP 443
• Can also secure LDAP as LDAPS
• Port TCP 636
• SSL is old and has security weaknesses
TLS
• Replacement for SSL
• Runs on the same ports
• HTTPS on TCP 443
• LDAPS on TCP 636
IPSec
• Native to IPv6 but back-ported to IPv4
• Encapsulates and encrypts IP packets
• Two components
• AH (Authentication Header)
• Protocol ID 51 (neither TCP nor UDP)
• ESP (Encapsulating Security Payload)
• Protocol ID 50
Application Protocols
• HTTP (Hypertext Transfer Protocol)
• HTTPS (HTTP Secure)
• FTP (File Transfer Protocol)
• SFTP (Secure FTP)
• FTPS (FTP Secure)
• TFTP (Trivial File Transfer Protocol)
• Telnet
• SNMP (Simple Network Management Protocol)
• NetBIOS (Network Basic Input/Output System)
• LDAP (Lightweight Directory Access Protocol)
• Kerberos
• SQL Server (Structured Query Language)
• RDP (Remote Desktop Protocol)
• Used by Terminal Services
• Also called Remote Desktop Service or Remote Administration
HTTP
• Normal Web browser traffic
• Port TCP 80
• Not encrypted
HTTPS
• Encrypts traffic
• Guarantees identity of server
• Displays padlock in Web browser and HTTPS at start of URL
• Uses SSL or TLS, port TCP 443
FTP
• Upload or download files
• Data in cleartext, including passwords
• Active mode
• Ports TCP 20 for data and TCP 21 for control
• Passive mode
• Random port for data and TCP 21 for control
SFTP and FTPS
• SFTP
• FTP over SSH
• Port TCP 22
• FTPS
• FTP over SSL or TLS
• Ports TCP 989 and 990
TFTP
• Uses UDP port 69
• No authentication at all
• Used for IP phone and router firmware updates
• Many attacks have used it
Telnet
• Used to send command lines to remote systems
• Uses no encryption, not even for passwords
• Port TCP 23
SNMP
• Used to monitor and manage network devices like routers, switches, and firewalls
• Sends traps – signals notifying management systems of their status
• Port UDP 161
• SNMPv1 and v2 sent "community strings" (passwords) in cleartext
• SNMPv3 encrypts passwords
NetBIOS
• Used to resolve Windows computer names like SERVER1 to IP addresses on Local Area Networks
• A legacy protocol, replaced by DNS on most modern networks
• Still used by Windows
• Ports 137-139, both TCP and UDP
LDAP
• Used for directories of users and objects on networks, including
• Microsoft Active Directory
• Novell Netware Directory Services
• Port TCP 389 (unencrypted)
• Port TCP 636 (LDAPS, encrypted)
Kerberos
• Uses tickets for authentication
• Used in Windows domains and some Unix environments
• Port 88, both TCP and UDP
SQL Server
• Manages databases
• Often has SSNs, email addresses, account numbers, and other PII (Personally Identifiable Information)
• Commonly hacked via SQL Injection
• Port TCP 1433 (Also UDP 1434)
RDP
• Remotely control a Windows computer
• Service is called "Remote Administration", "Terminal Services", or "Remote Desktop"
• Port TCP 3389
• Also used by Remote Assistance
Email Protocols
• SMTP (Simple Mail Transfer Protocol)
• Sends mail to other email servers
• Port TCP 25
• POP3 (Post Office Protocol v3)
• Moves incoming email to your local Inbox in clients like Outlook
• Port TCP 110
• IMAP4 (Internet Message Access Protocol v4)
• Moves incoming email to your local Inbox in clients like Outlook, or lets you view them on the server
• Port TCP 143
Remote Access Protocols
• PPP (Point-to-Point Protocol)
• IPSec (Internet Protocol Security)
• PPTP (Point-to-Point Tunneling Protocol)
• L2TP (Layer 2 Tunneling Protocol)
• RADIUS (Remote Authentication Dial-in User Service)
• TACACS (Terminal Access Controller Access-Control System)
• TACACS+
PPP
• Used to create dial-up connections to a server
• Commonly used by clients to connect to an ISP
IPSec
• Can be used as a remote access tunneling protocol
• To encrypt traffic, forming secure connections over the Internet
• Uses IKE (Internet Key Exchange) over port UDP 500
PPTP
• Old VPN (Virtual Private Network) protocol
• Included in Microsoft Windows
• Has serious security flaws
• Still commonly used
• Port TCP 1723
L2TP
• Combines Microsoft's PPTP with Cisco's L2F
• Often combined with IPSec for encryption
• Port UDP 1701
RADIUS
• Central authentication for remote access clients
• Encrypts passwords only
TACACS / XTACACS
• Older network authentication protocols
• TACACS is generic
• XTACACS is Cisco proprietary
• Port UDP 49 for both TACACS and XTACACS
TACACS+
• Used by Cisco VPN concentrators
• Encrypts entire authentication process
• Multiple challenge responses for Authentication, Authorization, and Accounting (AAA)
• Port TCP 49
IPv4, IPv6, and Subnetting
• See Binary Games in Projects (Extra Credit)
DNS
• Resolves host names like www.ccsf.edu into IP addresses like 147.144.1.212
• Ports UDP 53 and TCP 53
• Many security problems, which will be improved by switching to DNSSEC
Basic DNS Query
[Diagram: the client asks the DNS server "What is the address of yahoo.com?"; the DNS server replies "A record is 98.138.253.109"]
• Usually uses UDP port 53
• For large responses, may use TCP port 53
DNS Records
• A: IPv4 address
• AAAA: IPv6 address
• PTR: Pointer record
• Used for reverse DNS lookups
• Commonly used to block spam email
• MX: Mail Exchange
• CNAME: Canonical Name
• Alternate name for a server
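An added example, not from the slides, that shows the Basic DNS Query exchange and the record types above at the wire level: a query for yahoo.com is built byte by byte, and a response carrying an A record of 98.138.253.109 is parsed, including the name compression real servers use. The response bytes are constructed here, not captured from a real server; the function names are this example's own. It also shows the check a resolver must make before trusting an answer: the transaction ID has to match the query it sent (guessable IDs were central to the DNS flaw discussed on the Dan Kaminsky slide below).

```python
"""Added example (not from the slides): a DNS A query and its answer at the
wire level, as carried in UDP port 53 datagrams.

The query is built from scratch; the response bytes are constructed to mirror
the diagram (client asks about yahoo.com, answer is A 98.138.253.109) rather
than captured.  A resolver should accept an answer only if its transaction ID
matches the query it sent; matches_query performs that check.
"""
import struct

RR_TYPES = {1: "A", 28: "AAAA", 12: "PTR", 15: "MX", 5: "CNAME"}


def encode_name(name):
    """'yahoo.com' -> 05 'yahoo' 03 'com' 00 (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """12-byte header (RD flag set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Return (name, offset after the name); follows 0xC0xx compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Return {'id', 'rcode', 'answers': [(name, type, ttl, value)]}."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                           # skip the question entries
        _, offset = decode_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:                                 # A: four octets
            value = ".".join(str(b) for b in rdata)
        elif rtype in (5, 12):                         # CNAME / PTR: a name
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, RR_TYPES.get(rtype, rtype), ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def matches_query(query, response):
    """The transaction ID in the answer must be the one the client chose."""
    return query[:2] == response[:2]


# Constructed response to build_query("yahoo.com"): flags 0x8180 (QR, RD, RA),
# one question, one answer whose name is a pointer (0xC00C) back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("yahoo.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([98, 138, 253, 109])
)

if __name__ == "__main__":
    query = build_query("yahoo.com")
    print(parse_response(SAMPLE_RESPONSE), matches_query(query, SAMPLE_RESPONSE))
```

A real resolver also checks that the answer arrived from the server and on the source port it used, and the DNSSEC mentioned on the DNS slide adds signatures so the answer's origin no longer rests on a 16-bit ID and a port number.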
DNS Server Software
• Berkeley Internet Name Domain (BIND)
• Most common, runs on Unix and Linux
• Microsoft DNS
• Used in Windows domains
• Incredibly out-of-date and inefficient
• Creates a large amount of junk traffic on the Internet
• Details in CNIT 40: DNS Security
DNS Zone Transfer
• Sends all information from a DNS server to the requester over TCP port 53
• A security risk
• Should only be allowed to trusted IP addresses
Dan Kaminsky
• World-famous DNS expert
• Found a serious flaw that enabled him to redirect Internet traffic
• Kept it secret till Microsoft and other vendors patched it
• Testified before Congress
• Link Ch 3a
Ports
• 0-1023: Well-known ports
• 1024-49151: Registered ports
• Registered by IANA for convenience
• Example: SQL Server on 1433
• 49152-65535: Dynamic and private ports
• "Ephemeral" ports for temporary use by any application
Demo: Telnet to 147.144.1.2
Firewalls
• Block ports by protocol and number
• For example, allowing TCP 80 but blocking UDP 69
Port Scanners
• Find open, closed, or filtered ports
• Nmap
Comparing Ports and Protocol IDs
• TCP and UDP use ports
• There are other protocols that don't use ports, such as
• ICMP
• ESP
• AH
IPv4 Header
• Protocol is an 8-bit value in the header
• 6 for TCP
• 17 for UDP
• Same values for IPv6
• Image from Wikipedia
Understanding Basic Network Devices
IP Address Types
• Unicast
• One sender, one receiver
• The most common type
• Broadcast
• One sender to all devices on a LAN
• IP 255.255.255.255 sends to all devices on a LAN
• 147.144.255.255 sends to all devices in the 147.144.0.0 network
Hub
• Common on old 10 Mbps LANs
• Zero intelligence
• Whatever comes in on a port goes out all other ports
• Each user can sniff traffic intended for others
Physical Port v. Logical Port
• Physical port is a socket you can plug a cable into
• Logical port is a number used to direct TCP or UDP traffic
Switch
• Replaces hubs in almost all LANs now
• Learns which devices are connected to each port
• Sends traffic only to the correct port, after learning where the devices are
• At first, it acts like a hub while learning
• Image from Cisco
Security Benefits of Switches
• Reduces the threat of sniffing attacks
• Because devices don't get other devices' traffic
• Can be defeated by flooding with random MAC addresses
• Switch runs out of RAM for switching table and acts like a hub instead
• Can also be defeated by ARP poisoning
Physical Security of a Switch
• Put the switch in a locked wiring closet
• Prevents attacker from accessing:
• Console port used to manage the switch
• Monitor port used to sniff all traffic
STP (Spanning Tree Protocol)
• If wires allow traffic to flow in loops, this can lead to a broadcast storm
• To prevent this, switches use
• STP (Spanning Tree Protocol) or
• RSTP (Rapid Spanning Tree Protocol)
• Blocks unneeded ports to prevent loops
• Included in all switches and on by default
VLAN (Virtual Local Area Network)
• At CCSF, the CNIT Dept. computers are in several different rooms and buildings
• SCIE 37, CLOU 218, SCIE 214, etc.
• But they are all in the same subnet and see one another as on the same LAN
• Switches sort traffic by adding a VLAN Tag to each ethernet frame
Port Security
• Only allow a device with the approved MAC address to connect to each port
• Common in wireless and wired networks
• BUT: MAC addresses can be sniffed and spoofed
• They are transmitted in plaintext with each frame
802.1x Port Security
• Requires authentication from a user before connecting them to the LAN
• Can be used in wireless and wired networks
• Uses a RADIUS server to store credentials for each user
• Supports Extensible Authentication Protocol (EAP) which can use multiple authentication methods, including digital certificates
Router
• Connect network segments together
• For example, a LAN to the Internet
• Don't forward broadcasts
• Reduce "noise" traffic on segments
• Computers can act as routers
• But most networks use hardware routers
• Image from Cisco
ACLs (Access Control Lists)
• Packet filtering
• Traffic that is not allowed is usually discarded
Routers and Firewalls
• Routers can filter traffic in simple ways
• By protocol, port, or address
• Early firewalls filtered the same way
• Firewalls are much more advanced now
Home Router
• You can also use a router or residential gateway, which typically adds network address translation (NAT) capabilities and security features
Firewall
• Filters traffic, both inbound and outbound
• Host-based Firewall
• Protects a single host from intrusion
• Example: Windows Firewall
• Network-based Firewall
• Protects a whole network
• Image from Palo Alto Networks
Firewall Rules
• For simple packet-filtering, they are similar to router access lists
• Uses a "deny any any" rule at the end for implicit deny
Web Application Firewall
• Specifically designed to stop SQL Injection and other Web App attacks
• Including NOP Sled, commonly used in buffer overflow attacks
• Example: modsecurity for Apache
Advanced Firewalls
• First generation
• Filters packets with ACL
• Second generation
• Stateful inspection
• Packets in ESTABLISHED sessions can be treated differently
• Third generation
• Layer 7 inspection, such as a WAF
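An added example, not from the slides and not any vendor's rule syntax, that ties together the Ports, Firewalls, Firewall Rules and Advanced Firewalls slides: a toy packet filter with an ordered rule list ending in an implicit deny, plus the second-generation stateful twist, where replies to flows the inside opened are admitted as ESTABLISHED even though no inbound rule names them. The rule layout, packet dictionaries and helper names are assumptions for this example.

```python
"""Added example (not from the slides, not a vendor's syntax): a toy packet
filter with ordered rules, implicit deny and a stateful ESTABLISHED table.

Rules are evaluated top-down and the first match wins; anything matching no
rule falls through to the implicit deny.  Allowed outbound flows are
remembered so that their replies are admitted (stateful inspection).
"""


def port_class(port):
    """IANA range a TCP/UDP port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


# Ordered rule list; a field of None matches anything.
RULES = [
    {"action": "allow", "proto": "tcp", "dst_port": 80, "direction": "in"},     # web server
    {"action": "deny", "proto": "udp", "dst_port": 69, "direction": None},      # no TFTP anywhere
    {"action": "allow", "proto": None, "dst_port": None, "direction": "out"},   # any outbound
    # No trailing rule is needed: unmatched traffic hits the implicit deny.
]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        # Flows we opened: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.established = set()

    @staticmethod
    def _matches(rule, pkt):
        return all(rule[k] is None or rule[k] == pkt[k]
                   for k in ("proto", "dst_port", "direction"))

    def check(self, pkt):
        """Return 'allow', 'allow (established)', 'deny' or 'deny (implicit)'."""
        if pkt["direction"] == "in":
            reply_key = (pkt["proto"], pkt["dst"], pkt["dst_port"], pkt["src"], pkt["src_port"])
            if reply_key in self.established:
                return "allow (established)"
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule["action"] == "allow" and pkt["direction"] == "out":
                    self.established.add((pkt["proto"], pkt["src"], pkt["src_port"],
                                          pkt["dst"], pkt["dst_port"]))
                return rule["action"]
        return "deny (implicit)"


def packet(proto, src, src_port, dst, dst_port, direction):
    """Build a packet dictionary (constructed input, not a real capture)."""
    return {"proto": proto, "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port, "direction": direction}


if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    print(fw.check(packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 443, "out")))   # allow
    print(fw.check(packet("tcp", "198.51.100.7", 443, "10.0.0.5", 51000, "in")))    # allow (established)
    print(fw.check(packet("tcp", "198.51.100.9", 443, "10.0.0.5", 51001, "in")))    # deny (implicit)
```

The third packet is the case a first-generation filter gets wrong: it looks like a reply (source port 443) but nobody inside opened that flow, so a stateless "allow replies from port 443" rule would let it in, while the state table rejects it and the implicit deny takes over.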
Next-Generation Firewalls
• Integrate with Active Directory domains
• Recognize traffic regardless of port
• Bittorrent
• Facebook
• Streaming media
• Games
• Included in Unified Threat Management appliances
Firewall Logs and Log Analysis
• Firewalls log all blocked traffic, all allowed traffic, or both
• Splunk (Link Ch 3b)
• AlienVault OSSIM (Link Ch 3c)
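An added example, not from the slides and not Splunk or OSSIM, of the first pass a log-analysis tool makes over firewall logs: tally blocked packets per source and flag sources that were blocked on many distinct destination ports, the footprint a port scanner such as Nmap (from the Port Scanners slide) leaves behind. The log lines and their "ACTION PROTO src -> dst:port" layout are constructed for this example, and the threshold is an assumption.

```python
"""Added example (not from the slides, not Splunk or OSSIM): firewall log
analysis in plain Python.

The log lines and their layout are constructed; the port-count threshold is
an assumption.  Blocks are counted per source, and sources blocked on many
distinct destination ports are reported as probable port scanners.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: 203.0.113.50 walks a list of ports and is blocked on
# all but 80; 198.51.100.7 is a normal client with one stray TFTP attempt.
SAMPLE_LOG = "\n".join(
    [f"BLOCK TCP 203.0.113.50 -> 192.168.1.10:{p}"
     for p in (21, 22, 23, 25, 110, 139, 143, 389, 443, 445, 1433, 3389, 8080)]
    + ["ALLOW TCP 203.0.113.50 -> 192.168.1.10:80",
       "ALLOW TCP 198.51.100.7 -> 192.168.1.10:80",
       "BLOCK UDP 198.51.100.7 -> 192.168.1.10:69",
       "this line is malformed and is skipped"]
)


def parse_log(text):
    """Parse lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def blocks_per_source(events):
    """{src_ip: number of BLOCK entries}."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "BLOCK":
            counts[e["src"]] += 1
    return dict(counts)


def probable_scanners(events, min_ports=10):
    """Sources blocked on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "BLOCK":
            ports[e["src"]].add(e["dport"])
    return sorted((src, len(p)) for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(blocks_per_source(events))
    print(probable_scanners(events))
```

Counting distinct ports rather than raw blocks is what separates a scanner from a misconfigured client that retries one closed port hundreds of times; a SIEM adds time windows and correlation with the allowed traffic, which this pass ignores.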
Network Separation
• Use routers, VLANs, and Firewalls to control traffic flow
• For example, at CCSF, these network segments are separated
• Accounting
• Administration
• Student labs
• Wireless
Protecting the Network Perimeter
DMZ (Demilitarized Zone)
• A semi-trusted zone between a private network and the Internet
• Provides defense in depth for internal network
Public and Private IPv4 Addresses
• Public IP addresses are used to send and receive Internet traffic
• They aren't free, but leased from Internet Service Providers
• Private addresses can't be used on the Internet, but are free for use on private networks
RFC 1918 Private Addresses
• 10.0.0.1 – 10.255.255.254
• 172.16.0.1 – 172.21.255.254
• 192.168.0.1 – 192.168.255.254
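An added example, not from the slides, that answers the questions raised by the IP, Subnetting, IP Address Types and RFC 1918 slides with Python's standard ipaddress module: whether an address is IPv4 (32-bit) or IPv6 (128-bit), whether it is RFC 1918 private, loopback or link-local, and what a network's mask and directed-broadcast address are (147.144.255.255 for 147.144.0.0/16). The RFC 1918 blocks are written in the CIDR form the RFC defines them in (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); the function names are this example's own.

```python
"""Added example (not from the slides): IPv4/IPv6 address classification and
subnet arithmetic with Python's standard ipaddress module.
"""
import ipaddress

# The three RFC 1918 private blocks in CIDR notation.
RFC1918_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr_str):
    """True if the address is IPv4 and lies in one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(addr_str)
    return addr.version == 4 and any(addr in block for block in RFC1918_BLOCKS)


def describe(addr_str):
    """Summarise an IPv4 or IPv6 address literal."""
    addr = ipaddress.ip_address(addr_str)
    return {
        "version": addr.version,
        "bits": addr.max_prefixlen,          # 32 for IPv4, 128 for IPv6
        "rfc1918": is_rfc1918(addr_str),
        "loopback": addr.is_loopback,
        "link_local": addr.is_link_local,   # fe80::/10 for IPv6
        "multicast": addr.is_multicast,
    }


def subnet_info(cidr):
    """Network, mask, directed-broadcast address and usable hosts of an IPv4 subnet."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


if __name__ == "__main__":
    for a in ("192.168.1.1", "fe80:0:0:0:462a:60ff:fef6:278a", "147.144.1.212"):
        print(a, describe(a))
    print(subnet_info("147.144.1.212/16"))
```

The same membership test is what an egress filter uses to drop packets leaving for the Internet with an RFC 1918 source, and an ingress filter to drop packets arriving from the Internet with one: neither can be legitimate, since those addresses are never routed there.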
NAT (Network Address Translation)
• NAT allows many clients to share a single public IP address
• By also performing PAT (Port Address Translation)
• Cost savings
• Hides local IP addresses
• Provides some protection
• Users can't run unauthorized servers
• NAT breaks some network services
• IPSec and many others
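An added example, not from the slides, of the NAT/PAT mechanism the slide describes: a toy gateway that rewrites each outbound flow's source to its one public address plus a unique public port, keeps that mapping in a table, rewrites replies back, and drops inbound packets for which no mapping exists. The addresses and flows are constructed, and the class and method names are this example's own.

```python
"""Added example (not from the slides): a toy NAT/PAT gateway.

The addresses and flows are constructed.  Many RFC 1918 hosts share one
public address because each outbound flow gets its own public port; the
table built on the way out is what lets replies be rewritten on the way in,
and an inbound packet with no table entry is dropped.
"""


class NatGateway:
    def __init__(self, public_ip, first_public_port=49152):
        self.public_ip = public_ip
        self.next_port = first_public_port       # ephemeral range, one port per flow
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the LAN; returns (src, sport, dst, dport) as sent."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Rewrite a packet arriving for public_ip:dst_port; None means drop."""
        entry = self.inbound.get((dst_port, src_ip, src_port))
        if entry is None:
            return None                          # unsolicited: no mapping exists
        priv_ip, priv_port = entry
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = NatGateway("203.0.113.1")
    print(nat.translate_outbound("192.168.1.10", 51000, "198.51.100.7", 443))
    print(nat.translate_outbound("192.168.1.11", 51000, "198.51.100.7", 443))
    print(nat.translate_inbound("198.51.100.7", 443, 49153))
    print(nat.translate_inbound("198.51.100.9", 443, 49152))
```

Two inside hosts using the same source port 51000 get different public ports, which is the "PAT" part. The dropped unsolicited packet is the "some protection" on the slide, and also why an inside host cannot run a server reachable from outside without an explicit port-forward entry. The rewrite is also why NAT breaks IPSec AH: AH's integrity check covers the IP header, so a changed source address fails verification.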
Proxy Server
• Clients cannot connect directly to the Internet
• Requests go to Proxy, which fetches the content (if it's permitted)
Caching Proxy
• If many clients request the same page
• Such as yahoo.com
• The proxy only fetches one copy, and distributes it to all the clients
• Makes network seem faster
Unified Threat Management
• Web Security Gateway or UTM Security Appliances
• Combines many security functions, such as
• URL filtering
• Firewall
• Antivirus
• Spam-blocking
• Content filtering
• Data Loss Prevention (DLP)
Spam Filters
• Google’s Postini is very good too
OSI Model
• Image from Wikipedia
