CISSP Blog Post 21, Domain 4: Network Tunneling


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Network tunneling is where two networks are connected to one another over the public internet. This is accomplished through different protocols including:

Point-to-Point Protocol (PPP), which can be used with several different authentication options. Adding / removing the encapsulating frames is what is called “tunneling”.

Point-to-Point Protocol (PPP) Tunneling

The Password Authentication Protocol (PAP) uses an ID and password to authenticate users; however, passwords are sent in clear text.

There are many versions of the Challenge-Handshake Authentication Protocol (CHAP); a common one is MD5-CHAP. CHAP supports repeated / continuous authentication, re-authenticating a client on a set period (e.g. every 4 hours) to reduce the risk of spoofing and session hijacking. In the standard version of CHAP, passwords are stored in clear text on the server, leaving it up to the implementation vendor to protect those passwords.

The CHAP challenge number is typically a randomized session ID issued for tracking each user. The nonce (short for “number used once”) is typically a time-based value (a timestamp) that is only used once, to reduce the risk of password replay attacks.

Challenge-Handshake Authentication Protocol (CHAP) Process
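As an added example (not from the course or the original post), here is a constructed Python model of the MD5-CHAP exchange described above: the server keeps the clear-text secret, issues a one-time random challenge, and rejects a replayed response. The user name, secret and the 4-hour re-authentication interval are sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credential store. Standard CHAP needs the clear-text
# secret on the server to recompute the hash, which is the storage risk
# the post points out.
SERVER_SECRETS = {"alice": b"correct-horse-battery"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets, reauth_interval=4 * 3600):
        self.secrets = secrets
        self.reauth_interval = reauth_interval  # seconds between forced re-auths
        self.outstanding = {}   # identifier -> challenge still awaiting a response
        self.consumed = set()   # challenges already used once (the nonce property)
        self.next_id = 0

    def challenge(self):
        """Issue a fresh random challenge under an 8-bit CHAP identifier."""
        ident = self.next_id % 256
        self.next_id += 1
        chal = os.urandom(16)
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident, name, response):
        """Accept a response only for an outstanding, never-used challenge."""
        chal = self.outstanding.pop(ident, None)
        if chal is None or chal in self.consumed:
            return False        # unknown or replayed challenge
        self.consumed.add(chal)
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)

    def reauth_due(self, last_auth, now):
        """Periodic re-authentication: True once the interval has elapsed."""
        return now - last_auth >= self.reauth_interval


def demo():
    """Run one legitimate exchange, then replay the captured response."""
    server = ChapServer(SERVER_SECRETS)
    ident, chal = server.challenge()
    response = chap_response(ident, SERVER_SECRETS["alice"], chal)
    first = server.verify(ident, "alice", response)
    replay = server.verify(ident, "alice", response)  # same ident/response again
    return first, replay
```

The response never carries the secret itself, which is the improvement over PAP; the replay fails because the challenge was consumed by the first verification.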

The Extensible Authentication Protocol (EAP) can be used with passwords, challenge and response (e.g. CHAP), biometrics, tokens, combined protocols (e.g. EAP-TLS), device authentication, etc.

Layer 2 Tunneling Protocol (L2TP) is a hybrid of L2F and PPTP. PPTP was developed by Microsoft; it uses PPP frames and provides encryption. L2F was developed by Cisco; it also uses PPP frames but does not provide encryption, although each tunnel can support multiple connections per user. L2F requires special hardware.

Microsoft & Cisco worked together to combine L2F and PPTP into L2TP. L2TP uses PPP frames, supports multiple connections in a single tunnel, does not require special hardware, but also does NOT provide encryption.

IPSec is a protocol designed to protect IP traffic through use of an:

  • Authentication Header (AH) which is designed to authenticate source IP addresses, and
  • Encapsulating Security Payload (ESP) which provides encryption of both payload and header if desired.

Security Associations (SAs) are one-way connections using either AH or ESP services. Each SA is uniquely identified by a:

  • Security Parameter Index (a session ID for tracking the connection)
  • Destination IP address
  • AH or ESP identifier

A second SA must be defined for two-way communication.

End-to-end encryption / Transport Mode is where only the payload portion of a packet is encrypted (if using encryption).

Two examples of this include Transport Mode with ESP:

Transport Mode with Encapsulating Security Payload (ESP)

And Link Encryption / Tunnel Mode – this is where the entire original packet is encrypted, including the original header and payload. It is also known as a Gateway-to-Gateway VPN. A trick to help you remember it: LINColn Tunnel -> Tunnel Mode uses LINK Encryption.

Here’s an example of Tunnel Mode with ESP:

Tunnel Mode with Encapsulating Security Payload (ESP)

To summarize:

Tunneling Protocol   Provides Encryption?
IPSec                Yes, via ESP
SSH                  Yes
L2F                  No
L2TP                 No, but yes if partnered with IPSec
PPTP                 Yes
MPLS                 No
TLS/SSL              Yes
PPP                  No

To end our discussion about the OSI model, we’ll touch briefly on how Transport Layer Security (TLS) and Secure Sockets Layer (SSL) work:

TLS/SSL Connection Negotiation Process

CISSP Blog Post 19, Domain 4: Network: OSI Layers 5 (Session) & 6 (Presentation)


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Layer 5 protocols coordinate the orderly exchange of information. They include:

The Remote Procedure Call (RPC) Protocol, which is utilized in client-server environments, and Secure RPC, which uses mutual authentication so that client and server authenticate one another.

Remote Procedure Call (RPC) Protocol Process

Layer 6 protocols are responsible for giving applications access to the network services, i.e. they help applications talk to the network. An example is Microsoft Outlook using Layer 6 protocols such as SMTP, POP3, or IMAP to handle email transmission on the network. Other examples include:

The Domain Name System (DNS) protocol which is a translation service to resolve Fully Qualified Domain Names (FQDN) to IP addresses. The way this works is:

  1. Browser sends the domain to the ISP’s DNS server for lookup
  2. ISP DNS performs a recursive search, first querying a Root DNS server, which returns the address of the .ORG DNS server
  3. The .ORG DNS server returns the IP address of the DNS server for the actual website
  4. That DNS server returns the IP address of the actual website to the ISP DNS
  5. ISP DNS then returns the actual website IP address to the Browser

Domain Name Service (DNS) Lookup Process

DNS Security (DNS-SEC) is a protocol designed to combat DNS cache poisoning using digital signatures to verify that DNS data is coming from authentic sources.

Network Address Translation (NAT) is the translation between public internet IP addresses and local (private) IP addresses. Private IP ranges include:

  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 – 192.168.255.255

Network Address Translation (NAT)

CISSP Blog Post 18, Domain 4: Network OSI Layer 4, the Transport Layer


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

First off, Happy New Year! Hopefully your New Year’s resolution was to continue to study for the CISSP exam! 😉

Today we’re going to look at Layer 4 protocols which are responsible for end-to-end, host-to-host, or source-to-destination communications. Common protocols here include the:

Transmission Control Protocol (TCP) which is a connection-oriented protocol, i.e. it expects acknowledgments from the destination.

TCP Handshake

The sequence number increments by the number of bytes in the packet. To close the transmission, device A sends a final ACK and then sends a FIN carrying the last sequence number it has reached:

TCP Communication Close

TCP Headers are sandwiched between the IP Header and the Data Payload. They typically include:

  • Source & Destination Ports
  • Sequence #’s
  • Acknowledgement #’s
  • Flags
  • Checksums
  • Etc.

Well known port numbers range from 0 to 1023. Examples are:

  • HTTP = 80
  • SMTP = 25
  • FTP = 20 & 21
  • Telnet = 23
  • SSH = 22
  • DNS = 53
  • HTTPS = 443

Ports indicate the protocol being used. The sequence # and checksum are used to figure out if a packet needs to be resent.

User Datagram Protocol (UDP) is a connection-less protocol, i.e. it does not expect acknowledgements and does not have any error checking. It assumes best effort and there is no connection “state” for a firewall to observe / monitor. The UDP header only includes source and destination ports, checksum, etc.

Two common TCP exploits at the OSI Layer 4 level are the TCP Sequence Number Attack and the SYN Flood Attack:

TCP Sequence Number Attack

SYN Flood Attack

CISSP Blog Post 17, Domain 4: Network: OSI Layers 2 (Data Link) & 3 (Network)


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Not going to spend a lot of time on OSI Layer 2, aka the Data Link Layer. At this layer, protocols are responsible for node-to-node or link-to-link communications between systems on the same network.

Common protocols include:

  • Address Resolution Protocol (ARP) which resolves IP addresses to MAC addresses. It is susceptible to ARP cache poisoning attacks.
  • Multiprotocol Label Switching (MPLS) operates at both L2 and L3 of the OSI model. In summary, data enters the MPLS network through a Label Edge Router, which passes traffic to Label Switch Routers until the data reaches the final Edge Router and exits the MPLS network to the destination. MPLS routers add special encapsulating labels to send data along pre-defined network paths. The Switch Routers forward data along the directed path, and the last Edge Router strips off the labels before the data exits the network.

The OSI Layer 3, Network Layer protocols are responsible for network-to-network, router-to-router, or gateway-to-gateway communications and include:

The IP Protocol (IPv4) handles IP addressing. Without going into the differences between the two, the main reason IPv6 was developed is that IPv4 has literally run out of addresses to assign to Internet devices.

  • IPv4 = 32-bit addresses which provide 2^32 addresses
  • IPv6 = 128-bit addresses which provide 2^128 addresses

The IP protocol handles data fragmentation and reassembly of packets if you’re sending over networks with different maximum transmission unit (MTU) sizes. The IP header element includes items such as:

  • Total fragment length
  • Fragment ID
  • Different flags
  • Fragment offset
  • Time-to-live
  • IP source address
  • IP destination address
  • Etc.

The Internet Control Message Protocol (ICMP) can be abused to conduct Man-in-the-Middle (MITM) and Denial of Service (DoS) attacks. It provides network diagnostics (such as ping, traceroute, etc.) and network error reporting. It also provides ICMP redirect functionality where a router can inform a sender of a better route to the final destination.

A couple of common Layer 3 attacks include the:

  • Teardrop Attack, which crashes a system by exploiting the fragment offset field to overload the receiving system with malformed, overlapping fragments.
  • SMURF Attack, where an ICMP echo request is sent to the network broadcast address with the spoofed source address of the victim, causing all nodes to reply to the victim with echo replies. A similar attack called a FRAGGLE attack uses the UDP protocol to create a similar effect.

SMURF Attack Process
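As an added example (not from the course or the original post), here is a constructed Python sanity check a reassembler can run over the fragment header fields listed above before rebuilding a datagram; it drops the malformed overlapping pattern that the Teardrop attack relies on instead of reassembling it. The fragment IDs and sizes are sample values, and offsets are given in bytes rather than the 8-byte units the IPv4 header stores.

```python
MAX_DATAGRAM = 65535  # largest IPv4 datagram, so no fragment may end past this


def check_fragments(frags):
    """Validate one datagram's fragments before reassembly.

    Each fragment is a dict with the header fields from the post: "id"
    (Fragment ID), "offset" (Fragment offset, bytes), "length" (payload
    bytes) and "more" (the More Fragments flag).
    Returns ("ok", total_payload_len), ("incomplete", reason) while
    fragments are still missing, or ("drop", reason) for malformed sets.
    """
    if not frags:
        return ("drop", "no fragments")
    if len({f["id"] for f in frags}) != 1:
        return ("drop", "mixed fragment IDs")
    ordered = sorted(frags, key=lambda f: f["offset"])
    expected_next = 0
    for f in ordered:
        start, end = f["offset"], f["offset"] + f["length"]
        if f["length"] <= 0 or end > MAX_DATAGRAM:
            return ("drop", f"fragment at {start} exceeds datagram bounds")
        if start < expected_next:
            # Teardrop pattern: this fragment rewrites bytes an earlier
            # fragment already supplied. Drop the whole datagram.
            return ("drop", f"fragment at {start} overlaps previous data")
        if start > expected_next:
            return ("incomplete", f"missing data before offset {start}")
        expected_next = end
    if ordered[-1]["more"]:
        return ("incomplete", "last fragment still has MF set")
    if any(not f["more"] for f in ordered[:-1]):
        return ("drop", "MF cleared on a non-final fragment")
    return ("ok", expected_next)


def frag(ident, offset, length, more):
    """Build one constructed fragment record."""
    return {"id": ident, "offset": offset, "length": length, "more": more}


# Constructed samples: a clean two-piece datagram and a Teardrop-style
# second fragment whose offset lands inside the first fragment's data.
CLEAN = [frag(7, 0, 1480, True), frag(7, 1480, 520, False)]
OVERLAP = [frag(8, 0, 1480, True), frag(8, 1000, 520, False)]
```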

CISSP Blog Post 16, Domain 4: Network: WiFi


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Let’s dive a little deeper into the OSI Layer 1, Physical layer for WiFi:

There are a couple of different wireless transmission methods that include:

  • Direct Sequence Spread Spectrum (DSSS) which is a wide frequency channel (band). An example is 802.11b
  • Frequency Hopping Spread Spectrum (FHSS) uses multiple narrow frequency channels / bands in sequential order. An example technology is Bluetooth.
  • Orthogonal Frequency Division Multiplexing (OFDM) uses multiple narrow frequency channels / bands simultaneously for faster throughput. The example here is 802.11n.

How about Wi-Fi Authentication Methods? These include:

  • Open System Authentication is essentially no authentication – all that’s required is for the client device to transmit a service set identifier (aka SSID) for the access point to which it’s transmitting. This is a weak form of authentication because anyone can sniff and copy an SSID, even if the AP isn’t broadcasting it.
  • MAC Address Filtering at the access point – this is also weak as someone can sniff and spoof a MAC address.
  • The 802.1x protocol is the strongest authentication option. It is a port-based authentication standard for both wired and wireless networks and has two components:
    • The Extensible Authentication Protocol (EAP)
    • The Remote Authentication Dial-In User Service, aka RADIUS, which uses a central server to control an access list.

RADIUS Authentication Process

Okay, you’ve authenticated your device to the network – so here’s a summary of how you can encrypt your data while in transit via Wi-Fi:

Wi-Fi Encryption Standard: Wired Equivalent Privacy (WEP)
  Algorithm: RC4
  Key Usage: Either a 40-bit or a 104-bit key. The 40-bit key has a 24-bit IV, so it is the equivalent of a 64-bit key; the 104-bit key has a 24-bit IV, equivalent to a 128-bit key.
  Integrity Checking: Checksums prove that accidental changes did not occur

Wi-Fi Encryption Standard: WiFi Protected Access (WPA)
  Algorithm: RC4
  Key Usage: 128-bit temporal key + client MAC (48-bit) + IV (48-bit) = Temporal Key Integrity Protocol (TKIP) key. This is different for each user session, and the IV is different for each packet since it is based on a data sequence number.
  Integrity Checking: Uses HMAC with 2 phases of hashing (including the key), proving that neither accidental nor intentional tampering occurred

Wi-Fi Encryption Standard: IEEE 802.11i (WPA2)
  Algorithm: AES
  Key Usage: TKIP or Counter Mode with CBC-MAC (CCMP) using AES
  Integrity Checking: 2 stages of encryption prove that neither accidental nor intentional tampering occurred

Here’s a summary of all the IEEE Standards we’ve covered thus far:

IEEE       Description
802.1x     Port-based authentication protocol
802.11i    WPA2 WiFi Encryption Standard
802.3      Ethernet
802.5      Token Ring

IEEE       Frequency Band              Data Rate    Transmission Method   Common Name
802.11b    2.4 GHz                     11 Mbps      DSSS                  Wi-Fi
802.11a    5 GHz                       54 Mbps      OFDM                  Wi-Fi
802.11g    2.4 GHz                     54 Mbps      OFDM                  Wi-Fi
802.11n    5 and 2.4 GHz               250 Mbps+    OFDM                  Wi-Fi
802.11ac   5 GHz                       430 Mbps+    OFDM                  Wi-Fi
802.16     2 – 11 GHz or 10 – 66 GHz   Many         OFDM and others       WiMax for wired metro network
802.15.1   2.4 GHz                     Many         FHSS                  Bluetooth

CISSP Blog Post 15, Domain 4: Network: Intro to the OSI Model


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

This is the start of a number of different blog posts on Network Security. First we’re going to start reviewing the basics and some of the models used.

The OSI Model (ISO 7498) is an educational model explaining how network protocols work. It is also a framework for designing & building network protocols.

First, let’s give an example of data encapsulation and show how it links to different "layers" in the model:

Data Encapsulation Example

In addition to OSI, there’s also the TCP/IP Model which is less used but still good to know. Here’s a comparison and trick to remember (the OSI model, read from bottom to top):

Trick     TCP / IP                      OSI
Away      Application                   7 – Application
Pizza     Application                   6 – Presentation
Sausage   Application                   5 – Session
Throw     Transport (or Host)           4 – Transport
Not       Internet                      3 – Network
Do        Network Interface / Access    2 – Data Link
Please    Network Interface / Access    1 – Physical

So let’s start with the OSI Layer 1 – The Physical Layer:

At this layer, protocols are responsible for the encoding and transmission of data onto the network.

There are many different network topology or design options that include:

Common Network Topology Examples

This is also the basis for cell phone technologies, including Carrier Sense Multiple Access (CSMA), which is split into two types:

  • CSMA/CD – Carrier Sense Multiple Access with Collision Detection – which is used on Local Area Networks (LANs)
  • CSMA/CA – Carrier Sense Multiple Access with Collision Avoidance – which is used by WiFi

The basic "handshake" to initiate CSMA is:

CSMA Handshake Negotiating Process

Multiplexers are the technology used to combine multiple signals into one for transmission. A common example is Time Division Multiplexing (TDM):

Time Division Multiplexer Example

Another form of multiplexing is found in Token Ring and Fiber Distributed Data Interface (FDDI), which use tokens to control which device can transmit at a specific time.

Here’s a quick summary of cell phone technologies (in generational order):

  1. Gen1 – Analog
    • This uses Frequency Division Multiple Access (FDMA)
    • Has 2 Channels assigned to each cell phone (send / receive)
  2. Gen 2 – Digital
    • Uses Time Division Multiple Access (TDMA) where 2 channels are assigned to each phone (send / receive) with 3 time slots per channel (e.g. 3 users / channel)
  3. Global Services for Mobile (GSM) – like TDMA but has 8 time slots per channel
  4. Code Division Multiple Access (CDMA) has 2 wide channels assigned (send / receive) to each device. Devices share time slots with others and are differentiated by assigned codes.
  5. Gen 3 – 3G (Digital) this includes:
    • Universal Mobile Telecom Service (UMTS) which is part of the GSM family
    • CDMA-Evolution Data Optimize (EDO) which is part of the CDMA family
  6. Gen 4 – 4G (Digital) aka Long Term Evolution (LTE) it incorporates both CDMA & GSM
  7. Gen 5 – 5G (Digital) – has greater bandwidth, and thus greater transmission speeds; however, because it uses higher-frequency radio waves, the signals also travel a shorter distance.

Lastly, let’s touch briefly on Bluetooth, aka Wireless Personal Area Network (IEEE 802.15) which uses polling by a control master to each device sequentially to give them a chance to send and receive (called a polling cycle).

CISSP Blog Post 20, Domain 4: Network Firewalls


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

09/06/2020 – Edit: I am starting to publish a series of blog posts on topics related to studying for the Certified Information System Security Professional (CISSP) exam. I am updating this post first but I’m changing the name of the post as well to help folks better identify where this post falls in the series. I’m also adding in illustrations!

It’s been quite a while since my last post so here’s hoping I can keep the momentum going!

In this post, I’m going to walk through the four different types of firewalls and what they are best used for.

The four types of firewalls, from most basic to most complex include:

  1. Static Packet Filtering Firewall
  2. Stateful (aka Dynamic) Inspection Packet Firewall
  3. Circuit Level Proxy Firewall
  4. Application Level Proxy Firewall

Static Packet Filtering Firewalls
Static Packet Filtering Firewalls are the most basic type of firewall. The only type of filtering you can do is allow or block specific IP addresses and ports from entering or exiting the firewall. E.g. you can block computers on your network from accessing Google’s DNS service by creating a rule that blocks any outgoing traffic to 8.8.8.8:53 (TCP & UDP).

Benefits: Cheapest option, fast to apply rules

Drawbacks: Limited filtering abilities, cannot scan or inspect inside a data payload

Static Packet Filtering Firewall

Stateful (aka Dynamic) Inspection Packet Firewall
Stateful or Dynamic Inspection Packet Firewalls provide all the functionality of Static Packet Filtering Firewalls, plus they “inspect” and allow or block based on connection states. For example, the firewall can watch a TCP handshake being performed and determine if it is executed normally, or if there’s a denial of service (aka a SYN flood) attack occurring and then automatically block the incoming traffic, keeping your internal machines from being overwhelmed.

A typical TCP handshake occurs when a SYN request is sent from one machine to another; the second machine sends a SYN and an ACK acknowledgment back to the requesting machine, and the original machine then sends an ACK acknowledgement back, completing the handshake and allowing communication to begin. If the original machine doesn’t send that final ACK and instead just continues to send a stream of SYN requests, the firewall will recognize that the handshake is incomplete and block the flood of incoming SYN requests.
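As an added example (not from the course or the original post), here is a constructed Python model of the stateful inspection described above: it tracks each connection’s handshake state, lets return traffic through only for a tracked handshake, requires a static rule for unsolicited inbound SYNs (the drawback noted below), and blocks a source that leaves more than a set number of handshakes half-open. The addresses, the published mail server and the half-open limit of 3 are sample values.

```python
from collections import defaultdict


class StatefulFirewall:
    """Toy stateful inspection over "ip:port" endpoints and TCP flag sets."""

    def __init__(self, static_allow=(), half_open_limit=3):
        self.static_allow = set(static_allow)  # endpoints allowed to receive unsolicited SYNs
        self.half_open_limit = half_open_limit
        self.state = {}                         # (client, server) -> handshake state
        self.half_open = defaultdict(int)       # client IP -> unfinished handshakes
        self.blocked = set()                    # client IPs blocked for flooding

    def observe(self, src, dst, flags):
        """Return 'allow' or 'block' for one packet and update connection state."""
        flags = frozenset(flags)
        src_ip = src.split(":")[0]
        if src_ip in self.blocked:
            return "block"
        key, rkey = (src, dst), (dst, src)
        if flags == {"SYN"}:                        # step 1: client -> server
            if dst not in self.static_allow:
                return "block"                      # unsolicited inbound, no static rule
            if key not in self.state:
                self.half_open[src_ip] += 1
            self.state[key] = "SYN_SENT"
            if self.half_open[src_ip] > self.half_open_limit:
                self.blocked.add(src_ip)            # SYN flood pattern: cut the source off
                return "block"
            return "allow"
        if flags == {"SYN", "ACK"}:                 # step 2: server -> client
            if self.state.get(rkey) == "SYN_SENT":
                self.state[rkey] = "SYN_RECEIVED"
                return "allow"
            return "block"
        if flags == {"ACK"} and self.state.get(key) == "SYN_RECEIVED":
            self.state[key] = "ESTABLISHED"         # step 3: handshake completed
            self.half_open[src_ip] -= 1
            return "allow"
        # Anything else must ride on an established connection or is dropped.
        if "ESTABLISHED" in (self.state.get(key), self.state.get(rkey)):
            return "allow"
        return "block"


def demo():
    """Constructed traffic: a normal handshake to a published mail server,
    an unsolicited SYN to an unpublished host, then one client spraying
    SYNs from different source ports without ever finishing a handshake."""
    fw = StatefulFirewall(static_allow={"192.0.2.25:25"})
    client, mail = "203.0.113.10:51000", "192.0.2.25:25"
    normal = [
        fw.observe(client, mail, {"SYN"}),
        fw.observe(mail, client, {"SYN", "ACK"}),
        fw.observe(client, mail, {"ACK"}),
        fw.observe(client, mail, {"PSH", "ACK"}),                   # data on the session
        fw.observe("198.51.100.9:4444", "192.0.2.50:22", {"SYN"}),  # no static rule
    ]
    flood = [fw.observe(f"198.51.100.7:{40000 + i}", mail, {"SYN"}) for i in range(5)]
    return normal, flood
```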

Benefits: Stronger filtering capabilities, retains (logs) state information about a connection for further offline analysis

Drawbacks: More expensive system, slightly slower filtering, still cannot inspect inside a data payload, requires static rules to allow unsolicited inbound traffic (e.g. email incoming to an email server)

Stateful Inspection Firewall

Circuit Level Proxy Firewall
Circuit Level Proxy Firewalls provide all the aforementioned functionality of both the static packet filtering and stateful inspection packet firewalls. In addition, they provide Network Address Translation (NAT) and Port Translation.

Benefits: There is no direct contact between client and external server, internal IPs are hidden from external systems, malformed packets are dropped and not forwarded onwards

Drawbacks: Requires a minimum of 4 packets per round trip (e.g. client sends packet #1 to firewall, firewall repackages into new packet #2 & sends to external server, external server sends reply packet #3 back to firewall, firewall repackages into new packet #4 and sends to internal client), more expensive system than the previous two, still cannot inspect inside a data payload.

Proxy Firewall - Circuit Level

Application Level Proxy Firewall
Application Level Proxy Firewalls do everything the last three firewalls can do and, in addition, can inspect inside data payloads! The firewall does this through proxies written for each service that’s required to pass through the firewall “air gap”. A proxy is a piece of software customized to each service (e.g. HTTP, SMTP, FTP, etc.) that is able to unpack the data packet, inspect the data inside, and filter the content based on proxy rules.

Benefits: Can inspect inside data packets! Can even inspect inside encrypted payloads, provided you have the requisite certificates to decrypt the payload and re-encrypt it before sending it onward.

Drawbacks: Most expensive option, much slower to filter data, not all services have proxies written and may require custom coding or a generic UDP/TCP proxy to essentially bypass the proxy filtering capabilities (i.e. it can’t scan inside the payload) and allow traffic through on a specific service port.

Proxy Firewall - Application Level