Network Implementation of Protocols and Services

Date: Mar 10, 2015

Return to the article

This chapter from CompTIA Security+ SY0-401 Exam Cram, 4th Edition discusses how to use the proper network implementation of protocols and services as a tool to protect and mitigate threats against network infrastructure based on organizational needs. It also has a section specifically dedicated to wireless security implementation based on organization requirements.

The network infrastructure is subject to myriad internal and external attacks through services, protocols, and open ports. It is imperative that you understand how to properly implement services and protocols, especially if the network has been in existence for some period of time and some services are no longer needed or have been forgotten. To stop many would-be attackers, you must understand how protocols are used on the network, what common ports are used by network protocols, and how to securely implement a wireless network.

This chapter discusses these concepts to help you understand how to use the proper network implementation of protocols and services as a tool to protect and mitigate threats against network infrastructure based on organizational needs. It also has a section specifically dedicated to wireless security implementation based on organization requirements.

Given a Scenario, Implement Common Protocols and Services

Protocols

Internet Protocol Security

The Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. The use of IPsec can secure transmissions between critical servers and clients. This helps prevent network-based attacks from taking place. Unlike most security systems that function within the application layer of the OSI model, IPsec functions within the network layer. IPsec provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol.

The asymmetric key standard defining IPsec provides two primary security services:

Protocols 51 and 50 are the AH and ESP components of the IPsec protocol. IPsec inserts ESP or AH (or both) as protocol headers into an IP datagram that immediately follows an IP header.

The protocol field of the IP header will be 50 for ESP or 51 for AH. If IPsec is configured to do authentication rather than encryption, you must configure an IP filter to let protocol 51 traffic pass. If IPsec uses nested AH and ESP, you can configure an IP filter to let only protocol 51 (AH) traffic pass.

IPsec supports the IKE protocol, which is a key management standard used to allow specification of separate key protocols to be used during data encryption. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet.

The common key exchange protocols and standard encryption algorithms—including asymmetric key solutions such as the Diffie-Hellman Key Agreement and Rivest-Shamir-Adleman (RSA) standards; symmetric key solutions such as the International Data Encryption Algorithm (IDEA) and Digital Encryption Standard (DES); Triple DES (3DES) and hashing algorithms, such as the message digest 5 (MD5) and Secure Hash Algorithm (SHA)—are covered in detail in Chapter 12, “Cryptography Tools and Techniques.”

Although IPsec by itself does not control access to the wireless local-area network (WAN), it can be used in conjunction with 802.1X to provide security for data being sent to client computers that are roaming between access points (AP) on the same network. For better security, segment the wireless network by placing a firewall between the WLAN and the remainder of the network. Because IPsec is a solution to securely authenticate and encrypt network IP packets, you can use IPsec to provide strong security between a Remote Authentication Dial-In User Service (RADIUS) server and a domain controller, or to secure traffic to a partner organization’s RADIUS servers. RADIUS provides authentication and access control within an enterprise network and is explained in greater detail in Chapter 10, “Authentication, Authorization, and Access Control.” Many of the VPN solutions use IPsec, and, like a virtual private network (VPN), IPsec is an excellent solution in many circumstances. However, it should not be a direct alternative for WLAN protection implemented at the network hardware layer.

Simple Network Management Protocol

Older protocols that are still in use might leave the network vulnerable. Protocols such as Simple Network Management Protocol (SNMP) and Domain Name Service (DNS) that were developed a long time ago and have been widely deployed can pose security risks, too. SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as uninterruptible power supplies (UPS). Many of the vulnerabilities associated with SNMP stem from using SNMPv1. Although these vulnerabilities were discovered in 2002, vulnerabilities are still being reported with current SNMP components. A recent Ubuntu Linux Security Advisory noted that vulnerabilities in Net-SNMP allow remote attackers to cause a denial of service.

The SNMP management infrastructure consists of three components:

The device loads the agent, which in turn collects the information and forwards it to the management station. Network management stations collect a massive amount of critical network information and are likely targets of intruders because SNMPv1 is not secure. The only security measure it has in place is its community name, which is similar to a password. By default, this is “public,” and many times is not changed, thus leaving the information wide open to intruders. SNMPv2 uses message digest 5 (MD5) for authentication. The transmissions can also be encrypted. SNMPv3 is the current standard, but some devices are likely to still be using SNMPv1 or SNMPv2.

SNMP can help malicious users learn a lot about your system, making password-guessing attacks a bit easier than brute-force attacks. SNMP is often overlooked when checking for vulnerabilities because it uses User Datagram Protocol (UDP) ports 161 and 162. Make sure that network management stations are secure physically and secure on the network. You might even consider using a separate management subnet and protecting it using a router with an access list. Unless this service is required, you should turn it off.

Secure Shell

As a more secure replacement for the common command-line terminal utility Telnet, the Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection. SSH requires encryption of all data, including the login portion. SSH uses the asymmetric (public key) RSA cryptography method to provide both connection and authentication.

Data encryption is accomplished using one of the following algorithms:

Using SSH helps guard against attacks such as eavesdropping, man-in-the-middle attacks, and spoofing. Attempts to spoof the identity of either side of a communication can be thwarted because each packet is encrypted using a key known only by the local and remote systems.

Domain Name Service

Domain Name Service (DNS) was originally designed as an open protocol. DNS servers are organized in a hierarchy. At the top level of the hierarchy, root servers store the complete database of Internet domain names and their corresponding IP addresses. There are different types of DNS servers. The most common types are the following:

Internal DNS servers can be less susceptible to attacks than external DNS servers, but they still need to be secured. To stop outside intruders from accessing the internal network of your company, use separate DNS servers for internal and Internet name resolution. To provide Internet name resolution for internal hosts, you can have your internal DNS servers use a forwarder.

The following are some considerations for internal DNS servers:

Transport Layer Security

Another asymmetric key encapsulation currently considered the successor to SSL is the Transport Layer Security (TLS) protocol, based on Netscape’s Secure Sockets Layer 3.0 (SSL3) transport protocol, which provides encryption using stronger encryption methods, such as DES, or without encryption altogether if desired for authentication only. SSL and TLS transport are similar but not entirely interoperable. TLS also provides confidentiality and data integrity.

TLS has two layers of operation:

Secure Sockets Layer

Secure Sockets Layer (SSL) protocol communications occur between the HTTP (application) and TCP (transport) layers of Internet communications. SSL is used by millions of websites in the protection of their online transactions with their customers. SSL is a public key-based security protocol that is used by Internet services and clients for authentication, message integrity, and confidentiality. The SSL process uses certificates for authentication and encryption for message integrity and confidentiality. SSL establishes what is called a stateful connection. In a stateful connection, both ends set up and maintain information about the session itself during its life. This is different from a stateless connection, where there is no prior connection setup. The SSL stateful connection is negotiated by a handshaking procedure between client and server. During this handshake, the client and server exchange the specifications for the cipher that will be used for that session. SSL communicates using an asymmetric key with cipher strength of 40 or 128 bits.

SSL works by establishing a secure channel using public key infrastructure (PKI). This can eliminate a vast majority of attacks, such as session hijackings and information theft.

You can secure communications when performing administration on wireless access points (WAP) by leveraging protocols such as SSH or HTTP with SSL or TLS. A WAP can implement access control functions to allow or deny access to the network and provides the capability of encrypting wireless traffic. It also has the means to query an authentication and authorization service for authorization decisions and securely exchange encryption keys with the client to secure the network traffic.

As a general rule, SSL is not as flexible as IPsec from an application perspective but is more flexible for access from any location. One must determine the usage requirements for each class of user and determine the best approach.

Transmission Control Protocol/Internet Protocol

The core of TCP/IP consists of four main protocols: the Internet Protocol (IP), the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), and the Internet Control Message Protocol (ICMP). IP is responsible for providing essential routing functions for all traffic on a TCP/IP network. TCP provides connection-oriented communication. UDP provides connectionless communications. TCP connections are initiated and terminated with a three-way handshake process. ICMP provides administrative services to TCP/IP networks.

TCP/IP’s implementation of the OSI model makes functionality simpler by mapping the same seven layers of the OSI model to a four-layer model instead. Unlike the OSI reference model, the TCP/IP model focuses more on delivering interconnectivity than on functional layers. It does this by acknowledging the importance of a structured hierarchical sequence of functions, yet leaves protocol designers flexibility for implementation. Table 2.1 compares the OSI and TCP/IP models.

TABLE 2.1 OSI and TCP/IP Model Comparison

OSI Reference Model

TCP/IP Reference Model

Application Presentation Session

Application

Transport

Transport

Network

Internet

Data link

Network access Physical

File Transfer Protocol Secure

FTP passes the username and password in a plain-text form, allowing packet sniffing of the network traffic to read these values, which may then be used for unauthorized access to the server. FTPS, also known as FTP Secure and FTP-SSL, is an FTP extension that adds support for TLS and SSL. FTPS supports channel encryption as defined in RFC 2228.

With FTPS, data transfers take place in a way designed to allow both parties to authenticate each other and to prevent eavesdropping, tampering, and forgery on the messages exchanged. FTPS includes full support for the TLS and SSL cryptographic protocols, including the use of server-side public key authentication certificates and client-side authorization certificates. It also supports compatible ciphers, including AES, RC4, RC2, Triple DES and DES, as well as hash functions SHA1, MD5, MD4, and MD2.

You should use FTPS when you need to transfer sensitive or confidential data between a client and a server that is configured to use SSL for secure transactions.

Secure variations of FTP ensure that data cannot be intercepted during transfer and allow the use of more secure transfer of user access credentials during FTP login. However, the same certificate vulnerabilities discussed earlier in this chapter apply here, too.

Hypertext Transport Protocol over Secure Sockets Layer

Basic web connectivity using Hypertext Transport Protocol (HTTP) occurs over TCP port 80, providing no security against interception of transacted data sent in clear text. An alternative to this involves the use of SSL transport protocols operating on port 443, which creates an encrypted pipe through which HTTP traffic can be conducted securely. To differentiate a call to port 80 (http://servername/), HTTP over SSL calls on port 443 using HTTPS as the URL port designator (https://servername/).

HTTP Secure (HTTPS) was originally created by the Netscape Corporation and used a 40-bit RC4 stream encryption algorithm to establish a secured connection encapsulating data transferred between the client and web server, although it can also support the use of X.509 digital certificates to allow the user to authenticate the sender. Now, 256-bit encryption keys have become the accepted level of secure connectivity for online banking and electronic commerce transactions.

Although HTTPS encrypts communication between the client and server, it does not guarantee that the merchant is trustworthy or that the merchant’s server is secure. SSL/TLS is designed to positively identify the merchant’s server and encrypt communication between the client and server.

Secure Copy Protocol

The Secure Copy Protocol (SCP) is a network protocol that supports file transfers. SCP is a combination of RCP and SSH. It uses the BSD RCP protocol tunneled through the SSH protocol to provide encryption and authentication. The RCP performs the file transfer, and the SSH protocol performs authentication and encryption. SCP runs on port 22 and protects the authenticity and confidentiality of the data in transit. It thwarts the ability for packet sniffers to extract information from data packets.

An SCP download request is server driven, which imposes a security risk when connected to a malicious server. SCP has been mostly superseded by the more comprehensive SFTP, and some implementations of the SCP utility actually use SFTP instead.

Internet Control Message Protocol

Internet Control Message Protocol (ICMP) is a protocol meant to be used as an aid for other protocols and system administrators to test for connectivity and search for configuration errors in a network. Ping uses the ICMP echo function and is the lowest-level test of whether a remote host is alive. A small packet containing an ICMP echo message is sent through the network to a particular IP address. The computer that sent the packet then waits for a return packet. If the connections are good and the target computer is up, the echo message return packet will be received. It is one of the most useful network tools available because it tests the most basic function of an IP network. It also shows the Time To Live (TTL) value and the amount of time it takes for a packet to make the complete trip, also known as round-trip time (RTT), in milliseconds (ms). One caveat with using ICMP: It can be manipulated by malicious users, so some administrators block ICMP traffic. If that is the case, you will receive a request timeout even though the host is available.

Traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an IP network. Traceroute outputs the list of traversed routers in simple text format, together with timing information. Traceroute is available on most operating systems. On Microsoft Windows operating systems, it is named tracert. Traceroute uses an ICMP echo request packet to find the path. It sends an echo reply with the TTL value set to 1. When the first router sees the packet with TTL 1, it decreases it by 1 to 0 and discards the packet. As a result, it sends an ICMP Time Exceeded message back to the source address. The source address of the ICMP error message is the first router address. Now the source knows the address of the first router. Generally, three packets are sent at each TTL, and the RTT is measured for each one. Most implementations of traceroute keep working until they have gone 30 hops, but this can be extended up to 254 routers.

Pathping is a Windows route-tracing tool that combines features of the ping and tracert commands with additional information. The command uses traceroute to identify which routers are on the path. When the traceroute is complete, pathping sends pings periodically to all the routers over a given time period and computes statistics based on the number of packets returned from each hop. By default, pathping pings each router 100 times, with a single ping every 0.25 seconds. Consequently, a default query requires 25 seconds per router hop. This is especially helpful in identifying routers that cause delays or other latency problems on a connection between two IP hosts.

IPv4

IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best effort delivery model, in that it does not guarantee delivery, nor does it ensure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper-layer transport protocol, such as TCP. IPv4 currently routes the majority of Internet traffic. IPv4 is widely used in both internal and external networks throughout the world.

IPv4 is susceptible to ping sweeps, port scans, and application and vulnerability scans. To mitigate sweeps and scans, filtering messages or traffic types is an acceptable solution because it is impossible to eliminate reconnaissance activity.

IPv6

Because of the increased demand of devices requiring IP addresses, IPv4 could not keep up with such an expansive demand. As a result, a new method was needed to address all the new devices requiring IP addresses. The Internet Engineering Task Force (IETF) published a new standard for IP addresses in RFC 2460. The new standard, IPv6, makes several changes to the older IPv4 standard. IPv6 increases the address size from IPv4 32 bits to 128 bits.

The differences between IPv6 and IPv4 are in five major areas: addressing and routing, security, network address translation, administrative workload, and support for mobile devices. Table 2.2 provides a comparison of some of the differences between IPv4 and IPv6.

Table 2.2 IPv4 and IPv6 Comparison

IPv4

IPv6

Addresses are 32 bits (4 bytes) in length.

Addresses are 128 bits (16 bytes) in length.

Header includes a checksum and options.

Header does not include a checksum, and all optional data is moved to IPv6 extension headers.

ARP uses broadcast request frames to resolve an IP address to a link-layer address.

Multicast Neighbor Solicitation messages are used to resolve IP addresses to linklayer addresses.

IPv4 header does not identify packet flow for quality of service (QoS).

IPv6 header identifies packet flow for QoS.

IPsec support is optional.

IPsec support is required.

IPv4 limits packets to 64 KB of payload.

IPv6 has optional support for jumbograms, which can be as large as 4 GB.

Must be configured either manually or through Dynamic Host Configuration Protocol (DHCP).

Does not require manual configuration or DHCP.

In addition to the difference in the address structure in IPv6, there are IPv6 versions of protocols and commands. The following are some of the more prevalent ones:

Internet Small Computer System Interface

Internet Small Computer System Interface (iSCSI) is an IP-based storage networking standard for linking data storage facilities. iSCSI is used for faster data transfers over intranets and handling remote storage access mainly in local-area networks (LAN) and WANs. It can be used in cloud environments as well, allowing remote resources to appear as local.

Businesses choose iSCSI because of ease of installation, cost, and utilization of current Ethernet networks. iSCSI clients or initiators send SCSI commands to SCSI targets on remote servers to communicate. iSCSI typically uses TCP port 860, with the target service using port 3260. iSCSI uses IPsec for protection. IPsec provides greater levels of security and integrity, as mentioned earlier in this section.

Fibre Channel

Fibre Channel (FC) is a gigabit network technology predominantly used to link data storage facilities or a storage-area network (SAN). FC is similar to iSCSI, but requires a Fibre Channel infrastructure. An FC infrastructure generally is more costly and complex to manage due to the separate network switching infrastructure. FC uses the Fibre Channel Protocol (FCP) to transport SCSI commands over the network consisting of ports and fabric. FC allows devices to attach through an interconnected switching system called a fabric. An FC port is not the same thing as computer port or network port. It is the node path performing data communications over the channel. The fiber may attach to a node port (N_Port) and to a port of the fabric (F_Port).The FC port manages a point-to-point connection between itself and the fabric.

FC network protection is primarily security through obscurity because direct access to the FC network is not available to most users, but this does not eliminate the need for security. Approved in 2004, the Fibre Channel Security Protocols standard (FC-SP) specifies how to protect against security breaches. This standard defines protocols for authentication, session keys, integrity and confidentiality, and policy implementation across an FC fabric. Basic FC security occurs through authentication and access control. To secure FC, authentication between FC devices and other devices with whom they communicate can be established using mutual authentication. Proper access control can be achieved through port locking, hard zoning, logical unit number (LUN) masking, and using secure management interfaces and protocols.

Fiber Channel over Ethernet

Fiber Channel over Ethernet (FCoE) is similar in concept to FC except that it allows Ethernet as a method of linking devices to storage. FC traffic runs over an Ethernet infrastructure by encapsulating FC over the Ethernet portions of the connectivity, allowing FC to run alongside IP traffic. FC traffic is used for the server applications, FC SAN, and FC storage. Because FCoE allows FC to be carried over Ethernet, the amount of equipment required in the data center can be reduced. FCoE uses a converged network adapter (CNA), lossless Ethernet links, and an FCoE switch.

Organizations often choose FCoE to maintain or evolve their existing FC network. SAN basic security flaws include weaknesses with authentication and authorization. FCoE can be secured in the manners suggested for FC but also includes control-plane protection and data-plane protection. Control-plane protection is access protection for the switches. Data-plane protection is security for traffic passing through the switches.

File Transfer Protocol

File Transfer Protocol (FTP) servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication. Many FTP servers include the ability for anonymous access in their default installation configuration. Anonymous access is a popular method to provide general access to publicly available information. The problem with this form of access is that any user may download (and potentially upload) any file desired. This might result in a server’s available file storage and network access bandwidth being rapidly consumed for purposes other than those intended by the server’s administrator. If unauthorized file upload is allowed along with download, illegal file content could be placed on the server for download, without the knowledge of the system’s administrator.

Even when user authentication is required, FTP passes the username and password in an unencrypted (plain-text) form, allowing packet sniffing of the network traffic to read these values, which may then be used for unauthorized access. To mitigate FTP vulnerabilities, actions such as disabling anonymous access, hardening access control lists (ACL), enabling logging and disk quotas, setting access restrictions by IP, and enabling “blind” puts can be implemented. Using more secure variations of FTP ensures that data cannot be intercepted during transfer and allows the use of more secure transfer of user access credentials during FTP login.

Secure File Transfer Protocol

Secure File Transfer Protocol (SFTP), or Secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you cannot use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.

Trivial File Transfer Protocol

Trivial File Transfer Protocol (TFTP) is a simple version of FTP used for transferring files between network devices. TFTP uses UDP port 69, has no login feature, and because it is implemented using UDP generally works only on LANs. TFTP works with either Bootstrap Protocol (BOOTP) or DHCP.

Because of the lack of security in TFTP, it is a good idea to place the TFTP server behind a firewall on an isolated LAN that only the essential equipment can reach.

Telnet

Telnet is a terminal emulation program used to access remote routers and UNIX systems. Telnet can be used as a tool to determine whether the port on a host computer is working properly. Telnet passes the username, password, and even transacted data in an unencrypted form (clear text), allowing packet sniffing of the network traffic to read these values, which may then be used for unauthorized access to the server. Telnet-type clear-text connections create the ideal situation for TCP hijacking and man-in-the-middle attacks. Methods for mitigating Telnet vulnerabilities include using enhanced encryption or authentication security such as Kerberos, IPsec, SSH, SSL, or Cisco Secure Telnet.

Hypertext Transport Protocol

Hypertext Transfer Protocol (HTTP) allows users to connect to sources of information, services, products, and other functionality through the Internet. Business transactions, membership information, vendor/client communications, and even distributed business logic transactions can all occur though HTTP using basic Internet connectivity on TCP port 80.

An HTTP message contains a header and a body. The message header of an HTTP request has a request line and a collection of header fields. All HTTP messages must include the protocol version. Some HTTP messages can contain a content body, which is optional. The original HTTP specification has little support for the security mechanisms appropriate for today’s Internet transactions. Methods for mitigating HTTP vulnerabilities include using enhanced encryption or authentication security HTTPS or SSL.

NetBIOS

Network Basic Input/Output System (NetBIOS) is an application programming interface (API) providing various networking services. NetBIOS provides name, datagram, and session services, allowing applications on different computers to communicate within a LAN. The session mode establishes a connection and provides error detection. The datagram mode is connectionless and supports LAN broadcast. NetBIOS is most commonly found in use with Microsoft Windows operating systems. Because it does not support routing, NetBIOS must be used with another transport mechanism such as TCP when it is implemented in an organization that has a WAN.

Ports

There are 65,535 TCP and UDP ports on which a computer can communicate. The port numbers are divided into three ranges:

Often, many of these ports are not secured and, as a result, are used for exploitation. Table 2.3 lists some of the most commonly used ports and the services and protocols that use them. Many of these ports and services have vulnerabilities associated with them. It is important that you know what common ports are used by network protocols and how to securely implement services on these ports.

TABLE 2.3 Commonly Used Ports

Port

Service/Protocol

15

Netstat

20

FTP-Data transfer

21

FTP-Control (command)

22

SSH/SFTP/SCP

23

Telnet

25

SMTP

53

DNS

69

TFTP

80

HTTP

110

POP3

110

POP3

137, 138, 139

NetBIOS

143

IMAP

161/162

SNMP

443

HTTPS

445

SMB

989/990

FTPS

1,812

RADIUS

3389

RDP

Table 2.3 includes a list of protocols that may be currently in use on a network. These protocols, along with some older or antiquated protocols, may be configured open by default by the machine manufacturer or when an operating system is installed. Every operating system requires different services for it to operate properly. If ports are open for manufacturer-installed tools, the manufacturer should have the services listed in the documentation. Ports for older protocols such as Chargen (port 19) and Telnet (port 23) may still be accessible. For example, Finger, which uses port 79, was widely used during the early days of Internet, and today’s sites no longer offer the service. However, you might still find some old implementations of Eudora mail that use the Finger protocol, or worse, the mail clients have long since been upgraded, but the port used 10 years ago was somehow left open. The quickest way to tell which ports are open and which services are running is to do a Netstat on the machine. You can also run local or online port scans.

The best way to protect the network infrastructure from attacks aimed at antiquated or unused ports and protocols is to remove any unnecessary protocols and create access control lists to allow traffic on necessary ports only. By doing so, you eliminate the possibility of unused and antiquated protocols being exploited and minimize the threat of an attack.

OSI Relevance

You should be very familiar with the OSI model as well as the common protocols and network hardware that function within each level. For example, you should know that hubs operate at the physical layer of the OSI model. Intelligent hubs, bridges, and network switches operate at the data link layer, and Layer 3 switches and routers operate at the network layer. The Network+ Exam Cram and Exam Prep books cover the OSI model in much more detail. If you will be working extensively with network protocols and hardware, you should also look at these texts.

The layers of the OSI model are as follows:

  1. Application layer
  2. Presentation layer
  3. Session layer
  4. Transport layer
  5. Network layer
  6. Data link layer (subdivided into the Logical-Link Control [LLC] and Media Access Control [MAC] sublayers)
  7. Physical layer

Most applications, like web browsers or email clients, incorporate functionality of the OSI layers 5, 6, and 7.

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

  1. Which of the following is the correct address size for IPv6 addresses?

    • A. 32 bit
    • B. 64 bit
    • C. 128 bit
    • D. 256 bit
  2. Which of the following protocols runs on port 22 and protects the authenticity and confidentiality of file transfer data in transit?

    • A. DHCP
    • B. SSL
    • C. FTP
    • D. SCP
  3. You are troubleshooting connectivity issues on the network. Which of the following would be most helpful in determining where the connectivity issues lie?

    • A. SNMP
    • B. ICMP
    • C. SSL
    • D. IPsec
  4. You want to be sure that the NetBIOS ports that are required for certain Windows network functions have been secured. Which of the following ports would you check?

    • A. 25/110/143
    • B. 161/162
    • C. 137/138/139
    • D. 20/21
  5. Your company is in the process of setting up a management system on your network, and you want to use SNMP. You have to allow this traffic through the router. Which UDP ports do you have to open? (Choose two correct answers.)

    • A. 161
    • B. 139
    • C. 138
    • D. 162
  6. Which standard port is used to establish a web connection using the 40-bit RC4 encryption protocol?

    • A. 21
    • B. 80
    • C. 443
    • D. 8,250

Cram Quiz Answers

  1. C. IPv6 increases the address size from IPv4 32 bits to 128 bits. Answers A, B, and D are incorrect because IPv6 addresses sizes are 128 bit.
  2. D. SCP runs on port 22 and protects the authenticity and confidentiality of the data in transit. Answer A is incorrect because DHCP is used to automatically assign IP addresses. Answer B is incorrect because SSL is a public key-based security protocol that is used by Internet services and clients for authentication, message integrity, and confidentiality. The standard port for SSL is port 443. Answer C is incorrect because in FTP the data is not protected.
  3. B. Traceroute uses an ICMP echo request packet to find the path between two addresses. Answer A is incorrect because SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as uninterruptible power supplies (UPS). Answer C is incorrect because SSL is a public key-based security protocol that is used by Internet services and clients for authentication, message integrity, and confidentiality. Answer D is incorrect because IPsec authentication and encapsulation standard is widely used to establish secure VPN communications.
  4. C. There are NetBIOS ports that are required for certain Windows network functions, such as file sharing, which are 137, 138, and 139. Answer A is incorrect because these ports are used for email. Answer B is incorrect because these ports are used for SNMP. Answer D is incorrect because these ports are used for FTP.
  5. A and D. UDP ports 161 and 162 are used by SNMP. Answer B is incorrect because UDP port 139 is used by the NetBIOS session service. Answer C is incorrect because port 138 is used to allow NetBIOS traffic for name resolution.
  6. C. A connection using HTTPS is made using the RC4 cipher and port 443. Answer A is incorrect because port 21 is used for FTP connections. Answer B is incorrect because port 80 is used for unsecure plain-text HTTP communications. Answer D is incorrect because port 8,250 is not designated to a particular TCP/IP protocol.

Given a Scenario, Troubleshoot Security Issues Related to Wireless Networking

WPA

Wireless security comes in two major varieties: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). Both include methods to encrypt wireless traffic between wireless clients and WAPs. WEP has been included in 802.11–based products for some time and includes a strategy for restricting network access and encrypting network traffic based upon a shared key. The Wi-Fi Protected Access (WPA and WPA2) standards were developed by the Wi-Fi Alliance to replace the WEP protocol. WPA was developed after security flaws were found in WEP. WPA protects networks by incorporating a set of enhanced security features. WPA-protected networks require users to enter a passkey to access a wireless network. There are two different modes of WPA: WPA-PSK (Personal Shared Key) mode and WPA-802.1X mode, which is more often referred to as WPA-RADIUS or WPA-Enterprise. For the PSK mode, a passphrase consisting of 8 to 63 ASCII characters is all that is required. The Enterprise mode requires the use of security certificates. WPA includes many of the functions of the 802.11i protocol but relies on Rivest Cipher 4 (RC4), which is considered vulnerable to keystream attacks.

WPA2

WPA2 is based on the IEEE 802.11i standard and provides government-grade security by implementing the AES encryption algorithm and 802.1X-based authentication. AES is a block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key. WPA2 incorporates stricter security standards and is configurable in either the PSK or Enterprise mode. There are two versions of WPA2: WPA2-Personal and WPA2-Enterprise. WPA2-Personal protects unauthorized network access via a password. WPA2-Enterprise verifies network users through a server. WPA2 is backward compatible with WPA and supports strong encryption and authentication for both infrastructure and ad hoc networks. In addition, it has support for the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism based on the Advanced Encryption Standard (AES) cipher as an alternative to the Temporal Key Integrity Protocol (TKIP). TKIP is an encryption protocol included as part of the IEEE 802.11i standard for WLANs. An AES-based encryption mechanism that is stronger than TKIP.

WEP

Wired Equivalent Privacy (WEP) is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its AP. Originally, many wireless networks were based on the IEEE 802.11 standard, which had serious data transmission security shortcomings. When this standard was put into place, the 802.11 committee adopted an encryption protocol called WEP. To discuss WEP’s shortcomings, we have to understand how it operates. WEP uses a stream cipher for encryption called RC4. RC4 uses a shared secret key to generate a long sequence of bytes from what is called a generator. This stream is then used to produce the encrypted ciphertext. Early 802.11b networks used 40-bit encryption because of government restrictions. Hackers can crack a 40-bit key in a few hours. It is much easier to break RC4 encryption if a second instance of encryption with a single key can be isolated. In other words, the weakness is that the same keys are used repeatedly. Specifications for the WEP standard are detailed within the 802.11b (Wi-Fi) specification. This specification details a method of data encryption and authentication that may be used to establish a more secured wireless connection.

Although using WEP is much better than no encryption at all, it’s important to understand its limitations so that you have an accurate picture of the consequences and what you must do to properly protect your wireless environment.

EAP

The 802.1X standard is a means of wireless authentication. The 802.1X authentication standard is an extension of point-to-point protocol (PPP) that relies on the Extensible Authentication Protocol (EAP) for its authentication needs. EAP is a challenge-response protocol that can be run over secured transport mechanisms. It is a flexible authentication technology and can be used with smart cards, one-time passwords, and public key encryption. It also allows for support of public certificates deployed using auto enrollment or smart cards. These security improvements enable access control to Ethernet networks in public places such as malls and airports. EAP-Transport Layer Security (EAP-TLS) uses certificate-based mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticating server.

EAP messages are encapsulated into 802.1X packets and are marked as EAP over LAN (EAPOL). After the client sends a connection request to a wireless AP, the authenticator marks all initial communication with the client as unauthorized, and only EAPOL messages are accepted while in this mode. All other types of communication are blocked until credentials are verified with an authentication server. Upon receiving an EAPOL request from the client, the wireless AP requests login credentials and passes them on to an authentication server. Remote Authentication Dial-In User Service (RADIUS) is usually employed for authentication purposes; however, 802.1X does not make it mandatory.

PEAP

Protected EAP (PEAP) was co-developed by Cisco, Microsoft Corporation, and RSA Security, Inc. PEAP provides several additional benefits within TLS, including an encrypted authentication channel, dynamic keying material from TLS, fast reconnect using cached session keys, and server authentication that protects against the setting up of unauthorized access points. PEAP is a means of protecting another EAP method (such as MS-CHAPv2) within a secure channel. The use of PEAP is essential to prevent attacks on password-based EAP methods. As part of the PEAP negotiation, the client establishes a TLS session with the RADIUS server. Using a TLS session as part of PEAP serves a number of purposes:

Secured within the PEAP channel, the client authenticates itself to the RADIUS server using the MS-CHAPv2 EAP protocol. During this exchange, the traffic within the TLS tunnel is visible only to the client and RADIUS server and is never exposed to the WAP.

LEAP

Lightweight Extensible Authentication Protocol (LEAP) combines centralized two-way authentication with dynamically generated wireless equivalent privacy keys or WEP keys. LEAP was developed by Cisco for use on WLANs that use Cisco 802.11 wireless devices. LEAP is a proprietary EAP method because it requires the use of a Cisco AP. It features mutual authentication; secure session key derivation; and dynamic per-user, per-session WEP keys. However, because it uses unencrypted challenges and responses, LEAP is vulnerable to dictionary attacks. Still, when LEAP is combined with a rigorous user password policy, it can offer strong authentication security without the use of certificates. LEAP can only authenticate the user to the WLAN, not the computer. Without computer authentication, machine group policies will not execute correctly.

MAC Filter

Most wireless network routers and access points can filter devices based on their Media Access Control (MAC) address. The MAC address is a unique identifier for network adapters. MAC filtering is a security access control method whereby the MAC address is used to determine access to the network. When MAC address filtering is used, only the devices with MAC addresses configured in the wireless router or access point are allowed to connect. MAC filtering permits and denies network access through the use of blacklists and whitelists. A blacklist is a list of MAC addresses that are denied access. A whitelist is a list of MAC addresses that are allowed access. Blacklisting and whitelisting are discussed in further detail in Chapter 8, “Host Security.”

While giving a wireless network some additional protection, it is possible to spoof the MAC address. An attacker could potentially capture details about a MAC address from the network and pretend to be that device in order to connect. MAC filtering can be circumvented by scanning a valid MAC using a tool such as airodumping and then spoofing one’s own MAC into a validated MAC address. After an attacker knows a MAC address that is out of the blacklist or within the whitelist, MAC filtering is almost useless.

Disable SSID Broadcast

A service set identifier (SSID) is used to identify WAPs on a network. The SSID is transmitted so that wireless stations searching for a network connection can find it. By default, SSID broadcast is enabled. This means that it accepts any SSID. When you disable this feature, the SSID configured in the client must match the SSID of the AP; otherwise, the client does not connect to the AP. Having SSID broadcast enabled essentially makes your AP visible to any device searching for a wireless connection.

To improve the security of your network, change the SSIDs on your APs. Using the default SSID poses a security risk even if the AP is not broadcasting it. When changing default SSIDs, do not change the SSID to reflect your company’s main names, divisions, products, or address. This just makes you an easy target for attacks such as war driving and war chalking. War driving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer or other mobile device. War chalking is the drawing of symbols in public places to advertise an open Wi-Fi network. Keep in mind that if an SSID name is enticing enough, it might attract hackers.

Turning off SSID broadcast does not effectively protect the network from attacks. Tools such as Kismet enable nonbroadcasting networks to be discovered almost as easily as broadcasting networks. From a security standpoint, it is much better to secure a wireless network using protocols that are designed specifically to address wireless network threats than to disable SSID broadcast.

TKIP

Temporal Key Integrity Protocol (TKIP) is the security protocol designed to replace WEP and is also known by its later iterations of Wi-Fi Protected Access (WPA) or WPA2. Similar to WEP, TKIP uses the RC4 algorithm and does not require an upgrade to existing hardware, whereas more recent protocols, such as CCMP, which use the AES algorithm, do require an upgrade. TKIP was designed to provide more secure encryption than WEP by using the original WEP programming, but it wraps additional code at the beginning and end to encapsulate and modify it. To increase key strength, TKIP includes four additional algorithms: a cryptographic message integrity check, an IV sequencing mechanism, a per-packet key-mixing function, and a rekeying mechanism.

TKIP is useful for upgrading security on devices originally equipped with WEP, but does not address all security issues and might not be reliable enough for sensitive transmission. AES is a better choice and has become the accepted encryption standard for WLAN security.

CCMP

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an encryption protocol that forms part of the 802.11i standard for WLANs. CCMP offers enhanced security compared with similar technologies such as TKIP. AES is a block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key. The AES cipher suite uses the Counter-Mode Cipher Block Chaining (CBC) Message Authentication Code (MAC) Protocol (CCMP) as defined in RFC 3610. CCMP uses 128-bit keys with a 48-bit IV that reduces vulnerability to replay attacks. To provide for replay protection, a packet number (PN) field is used. CCMP produces a message integrity code (MIC) that provides data origin authentication and data integrity for the packet payload data. The PN is included in the CCMP header and incorporated into the encryption and MIC calculations. Counter mode makes it difficult for an eavesdropper to spot patterns, and the CBC-MAC message integrity method ensures that messages have not been tampered with.

Antenna Placement

When designing wireless networks, antenna placement and power output should be configured for maximum coverage and minimum interference. Four basic types of antennas are commonly used in 802.11 wireless networking applications: parabolic grid, yagi, dipole, and vertical. APs with factory-default omni antennas cover an area that is roughly circular and are affected by RF obstacles such as walls. When using this type of antenna, it is common to place APs in central locations or divide an office into quadrants. Many APs use multiple-input, multiple-output (MIMO) antennas. This type of antenna takes advantage of multipath signal reflections. Ideally, locate the AP as close as possible to the antennas. The farther the signal has to travel across the cabling between the AP and the antenna, the more signal loss that occurs. Loss is an important factor when deploying a wireless network, especially at higher power levels. Loss occurs as a result of the signal traveling between the wireless base unit and the antenna.

APs that require external antennas need additional consideration. You need to configure the antennas properly, consider what role the AP serves (AP or bridge), and consider where the antennas are placed. When the antenna is mounted on the outside of the building or the interface between the wired network and the transceiver is placed in a corner, it puts the network signal in an area where it is easy to intercept. Antenna placement should not be used as a security mechanism.

Professional site surveys for wireless network installations and proper AP placement are sometimes used to ensure coverage area and security concerns. Up-front planning takes more time and effort but can pay off in the long run, especially for large WLANs.

Power-Level Controls

One of the principle requirements for wireless communication is that the transmitted wave must reach the receiver with ample power to allow the receiver to distinguish the wave from the background noise. An antenna that is too strong raises security concerns. Strong omnidirectional Wi-Fi signals are radiated to a greater distance into neighboring areas, where the signals can be readily detected and viewed. Minimizing transmission power reduces the chances your data will leak out. Companies such as Cisco and Nortel have implemented dynamic power controls in their products. The system dynamically adjusts the power output of individual access points to accommodate changing network conditions, helping ensure predictable wireless performance and availability.

Transmit power control is a mechanism used to prevent too much unwanted interference between different wireless networks. Adaptive transmit power control in 802.11 WLANs on a per-link basis helps increase network capacity and improves battery life of Wi-Fi-enabled mobile devices.

Captive Portals

The captive portal technique enables administrators to block Internet access for users until some action is taken. When a user attempts to access the Internet, the HTTP client is directed to a special web page that usually requires the user to read and accept an acceptable use policy (AUP). By using a captive portal, the web browser is used to provide authentication. Captive portals are widely used in businesses such as hotels and restaurants that offer free Wi-Fi hotspots to Internet users. A captive portal web page can be used to require authentication, require payment for usage, or display some type of policy or agreement. Although captive portals are mainly for Wi-Fi hotspots, you can also use them to control wired access.

Antenna Types

Wireless antenna types are either omnidirectional or directional. Omni-directional antennas provide a 360-degree radial pattern to provide the widest possible signal coverage. An example of omnidirectional antennas are the antennas commonly found on APs. Directional antennas concentrate the wireless signal in a specific direction, limiting the coverage area. An example of a directional antenna is a yagi antenna.

The need or use determines the type of antenna required. When an organization wants to connect one building to another building, a directional antenna is used. If an organization is adding Wi-Fi internally to an office building or a warehouse, an omnidirectional antenna is used. If the desire is to install Wi-Fi in an outdoor campus environment, a combination of both antennas would be used.

Site Surveys

A site survey is necessary before implementing any WLAN solution, to optimize network layout within each unique location. This is particularly important in distributed wireless network configurations spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas.

A site survey should include a review of the desired physical and logical structure of the network, selection of possible technologies, and several other factors, including the following:

Data transported over this medium is available to anyone with the proper equipment, and so must be secured through encryption and encapsulation mechanisms no subject to public compromise.

VPN (Over Open Wireless)

VPNs are commonly used to securely connect employees to corporate networks when they are not in the office by using an Internet connection. More organizations are requiring hotspot visitors to VPN into the organizational network because they have no control over the security used in public Wi-Fi hotspots. The same principles that apply to wired VPNs can be applied to VPNs over open wireless networks. The use of a VPN over public Wi-Fi hotspots can increase privacy and provide data protection. VPNs over open wireless are not always immune to man-in-the-middle attacks. They can be susceptible to Wi-Fi-based attacks and VPN-based attacks.

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

  1. You want to implement non-vendor-specific strong authentication protocols for wireless communications. Which of the following would best meet your requirements? (Select two correct answers.)

    • A. EAP
    • B. PEAP
    • C. LEAP
    • D. WEP
  2. Which of the following technologies would be selected when looking to reduce a vulnerability to replay attacks by using 128-bit keys with a 48-bit initialization vector (IV)?

    • A. ICMP
    • B. WEP
    • C. WPA
    • D. CCMP
  3. Which of the following technologies would be used by a hotel for guest acceptance of an acceptable use policy?

    • A. Site survey
    • B. MAC filtering
    • C. VPN over wireless
    • D. Captive portal

Cram Quiz Answers

  1. A and B. The IEEE specifies 802.1X and EAP as the standard for secure wireless networking, and PEAP is standards based. PEAP provides mutual authentication and uses a certificate for server authentication by the client, while users have the convenience of entering password-based credentials. Answer C is incorrect because LEAP is a Cisco proprietary protocol. Answer D is incorrect because WEP is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point.
  2. D. CCMP uses 128-bit keys with a 48-bit IV that reduces vulnerability to replay attacks. Answer A is incorrect because ICMP is a network troubleshooting protocol. Answer B is incorrect because WEP is the most basic form of encryption that can be used on 802.11-based wireless networks. Answer C is incorrect because WPA protects networks by incorporating a set of enhanced security features. WPA-protected networks require users to enter a passkey in order to access a wireless network.
  3. D. A captive portal web page can be used to require authentication, require payment for usage, or display some type of policy or agreement. Answer A is incorrect because a site survey is used to optimize network layout within each unique wireless location. Answer B is incorrect because MAC filtering is a security access control method whereby the MAC address is used to determine access to the network. Answer C is incorrect because the use of a VPN over public Wi-Fi hotspots can increase privacy and provide data protection, but is not used to force acceptance of an acceptable use policy.

What Next?

If you want more practice on this chapter’s exam objectives before you move on, remember that you can access all the Cram Quiz questions on the CD. You can also create a custom exam by objective with the practice exam software. Note any objective that you struggle with and go to the material that covers that objective in this chapter.

800 East 96th Street, Indianapolis, Indiana 46240

sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |