Dr. Bhavani Thuraisingham, The University of Texas at Dallas (UTD), June 2012. Telecommunications and Network Security
Domain Agenda • Networks • Network Security • Physical • Data Link • Network • Transport • Session • Presentation • Application • Telephony • Services
OSI Model • The Open Systems Interconnection model (OSI model) is a product of the Open Systems Interconnection effort at the International Organization for Standardization. • It is a way of sub-dividing a communications system into smaller parts called layers. A layer is a collection of conceptually similar functions that provide services to the layer above it and receives services from the layer below it. • On each layer an instance provides services to the instances at the layer above and requests service from the layer below.
OSI Reference Model • Layer 7: Application • Layer 6: Presentation • Layer 5: Session • Layer 4: Transport • Layer 3: Network • Layer 2: Data Link • Layer 1: Physical
TCP/IP • In the TCP/IP model of the Internet, protocols are not as rigidly designed into strict layers as in the OSI model. • TCP/IP does recognize four broad layers of functionality, which are derived from the operating scope of their contained protocols, namely the scope of the software application, the end-to-end transport connection, the internetworking range, and lastly the scope of the direct links to other nodes on the local network. • The Internet Application Layer includes the OSI Application Layer, Presentation Layer, and most of the Session Layer. Its end-to-end Transport Layer includes the graceful close function of the OSI Session Layer as well as the OSI Transport Layer. The internetworking layer is a subset of the OSI Network Layer, while the Link Layer includes the OSI Data Link and Physical Layers, as well as parts of OSI's Network Layer.
Network Security • Issues and Concerns • Non-repudiation • Redundancy • Risks • Network is the key asset in many organizations • Network Attacks • Attacks • Network as a channel for attacks • Network as the target of attack
Network Security • Defense in Depth • Series of hurdles • Collection of controls • Security controls: • Are built around social, organizational, procedural and technical activities • Will be based on the organization’s security policy • Security Objectives and Attacks • Business risk vs. Security solutions • Attack scenarios • Network entry point • Inbound vs. Outbound attacks • Methodology of Attack • Attack trees • Path of least resistance
Target Related Issues • Acquisition • Attacks start by gathering intelligence • Controls • Limit information on a network; Distract an attacker • Analysis • Analyze target for security weaknesses • Access • Obtain access to the system • Manage user privileges • Monitor access • Target Appropriation • Escalation of privileges • Attacker may seek sustained control of the system • Controls against privilege escalation
Network Security Tools • Tools automate the attack processes • Network security is more than just technical implementations • Scanners • Discovery scanning • Compliance scanning • Vulnerability scanning
Layer 1: Physical Layer • Bits are converted into signals • All signal processing is handled here • Physical topologies
Communication Technology • Analog Communication • Analog signals use frequency and amplitude • Transmitted on wires or with wireless devices • Digital communications • Uses different electronic states • Can be transmitted over most media • Integrity of digital communication is easier to maintain • Digital communication brings quantitative and qualitative enhancements
Network Topology • Even small networks are complex • Network topology and layout affect scalability and security • Wireless networks also have a topology • Ring Topology • Closed-loop topology • Advantages • Deterministic • Disadvantages • Single point of failure
Network Topology • Bus Topology • LAN with a central cable to which all nodes connect • Advantages • Scalable; Permits node failure • Disadvantages • Bus failure • Tree Topology • Devices connect to a branch on the network • Advantages • Scalable; Permits node failure • Disadvantages • Failures split the network
Network Topology • Mesh Topology • Every node in the network is connected to every other node in the network • Advantages • Redundancy • Disadvantages • Expensive; Complex; Scalability • Star Topology • All of the nodes connect to a central device • Advantages • Permits node/cable failure; Scalable • Disadvantages • Single point of failure
Cable Selection Considerations • Throughput • Distance between devices • Data sensitivity • Environment • Twisted Pair • One of the simplest and cheapest cabling technologies • Unshielded (UTP) or shielded (STP)
Coaxial Cable (Coax) • Conducting wire is thicker than twisted pair • Bandwidth • Length • Expensive and physically stiff
Fiber Optics • Three components • Light source • Optical fiber cable • Two types • Light detector • Advantages • Disadvantages
Wireless Transmission Technologies • 802.11 – WLAN • 802.16 – WMAN, WiMAX • Satellite • Bluetooth • IrDA • Microwave • Optical
Physical Layer: Equipment Agenda • Patch panel • Modem • Cable modem • Digital subscriber line • Hub and repeater • Wireless access points
Physical Layer: Equipment Agenda • Patch Panels • Provide a physical cross-connect point for devices • Alternative to directly connecting devices • Centralized management • Modem • Convert a digital signal to analog • Provide little security • War dialing • Unauthorized modems
Physical Layer: Equipment Agenda • Cable Modem • PCF Ethernet NIC connects to a cable modem • Modem and head-end exchange cryptographic keys • Cable modems increase the need to observe good security practices • Digital Subscriber Line • Use CAT-3 cables and the local loop • Asymmetric Digital Subscriber Line (ADSL) • Rate-Adaptive DSL (RADSL) • Symmetric Digital Subscriber Line (SDSL) • Very high bit rate DSL (VDSL)
Physical Layer: Equipment Agenda • Hubs • Used to implement a physical star/logical bus topology • All devices can read and potentially modify the traffic of other devices • Repeaters • Allow greater distances between devices • Wireless Access Points (WAPs) • Access Point (AP) • Multiple Input Multiple Output (MIMO)
Standard Connections • Types of connectors • RJ-11 • RJ-45 • BNC • RS-232 • Cabling standards • TIA/EIA-568
Physical Layer Threats and Controls • Attacking • Wire • Wireless • Equipment: Modems • Controls • Wire • Shielding • Conduit • Faraday cage • Wireless • Encryption • Authentication • Equipment • Locked doors and cabinets
Layer 2: Data Link Layer • Connects layers 1 and 3 • Converts data from a signal into a frame • Transmits frames to devices • Link-Layer encryption • Determines network transmission format
Synchronous/Asynchronous Communications • Synchronous • Timing mechanism synchronizes data transmission • Robust error checking • Practical for high-speed, high-volume data • Asynchronous • Clocking mechanism is not used • Surrounds each byte with bits that mark the beginning and end of transmission
Unicast, Multicast and Broadcast Transmissions • Multicasts • Broadcasts • Do not use reliable sessions • Unicast
Unicast – Point-to-Point • ISDN (Integrated Services Digital Network) • T’s (T Carriers) • E’s (E Carriers) • OC’s (Optical Carriers)
Circuit-switched vs. Packet-switched Networks • Circuit-switched • Dedicated circuit between endpoints • Endpoints have exclusive use of the circuit and its bandwidth • Packet-switched • Data is divided into packets and transmitted on a shared network • Each packet can be independently routed on the network • Switched vs. Permanent Virtual Circuits • Permanent Virtual Circuits (PVC) • Switched Virtual Circuits (SVC)
Carrier Sense Multiple Access • Only one device may transmit at a time • There are two variations • Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) • Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
Polling to Avoid Contention • Slave device needs permission from a master device • Used mostly in mainframe protocols • Optional function of the IEEE 802.11 standard
Token Passing • A token is a special frame that circulates through the ring • Device must possess the token to transmit • Token passing is used in Token Ring (IEEE 802.5) and FDDI
Bridges and Switches • Bridges • Layer 2 devices that filter traffic between segments based on MAC addresses • Can connect LANs with unlike media types • Simple bridges do not reformat frames • Switches • Multi-port devices to connect LAN hosts • Forward frames only to the specified MAC address • Increasingly sophisticated • Also forward broadcasts
Multiplexer/Demultiplexer • Combining or splitting signals • Technologies • TDM – Time Division • FDM – Frequency Division • WDM – Wavelength Division
Wireless Local Area Networks • Allow mobile users to remain connected • Extend LANs beyond physical boundaries
Wireless Standards: IEEE 802 • 802.11b • 802.11a • 802.11g • 802.11n / Multiple Input Multiple Output • 802.11i / Security • 802.16 / WiMAX • 802.15 / Bluetooth • 802.1X / Port security
Ethernet (IEEE 802.3) • Most popular LAN architecture • Supports bus, star, and point-to-point topologies • Currently supports speeds up to 10000 Mbps
Protocols • Address Resolution Protocols (ARP) • ARP (RFC 826) • RARP (RFC 903) • ARP Cache Poisoning • Point-to-Point Protocol (PPP) • RFC 1331 • Encapsulation • Link Control Protocol (LCP) • Network Control Protocols • Password Authentication Protocol (PAP) • Identification and authentication of remote entity • Uses a clear text, reusable (static) password • Supported by most network devices
Challenge Handshake Authentication Protocol • CHAP • Periodically re-validates users • Standard password database is unencrypted • Password is sent as a one-way hash • CHAP Process • MSCHAP • The Nonce
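The CHAP process and the role of the nonce, as an added worked example (not from the slides): the RFC 1994 response is MD5 over Identifier || secret || Challenge, the authenticator keeps the secret in recoverable form to recompute it, and a fresh challenge per round is what makes a captured response useless and makes periodic re-validation possible. The secret table and user name are constructed.

```python
import hashlib
import secrets

# Constructed shared-secret table. As the slide notes, a CHAP authenticator
# must hold each secret in recoverable form to recompute the hash.
SECRETS = {"alice": b"constructed-secret-for-alice"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh nonce per challenge and checks the reply."""
    def __init__(self, secret_db):
        self._db = secret_db
        self._ident = 0
        self._pending = {}  # identifier -> challenge awaiting a response

    def challenge(self):
        self._ident = (self._ident + 1) & 0xFF
        nonce = secrets.token_bytes(16)  # unpredictable, never reused
        self._pending[self._ident] = nonce
        return self._ident, nonce

    def verify(self, identifier, name, response):
        nonce = self._pending.pop(identifier, None)  # one-shot: a replay finds nothing
        secret = self._db.get(name)
        if nonce is None or secret is None:
            return False
        return secrets.compare_digest(response, chap_response(identifier, secret, nonce))


class Peer:
    """Client side: proves knowledge of the secret without ever sending it."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, nonce):
        return self.name, chap_response(identifier, self.secret, nonce)


def run_exchange(peer_secret=SECRETS["alice"]):
    """Returns (first login ok, replayed response ok, re-validation ok)."""
    auth, peer = Authenticator(SECRETS), Peer("alice", peer_secret)
    ident, nonce = auth.challenge()
    name, resp = peer.respond(ident, nonce)
    first = auth.verify(ident, name, resp)
    replayed = auth.verify(ident, name, resp)        # same response again: rejected
    ident2, nonce2 = auth.challenge()                # periodic re-validation
    revalidated = auth.verify(ident2, *peer.respond(ident2, nonce2))
    return first, replayed, revalidated
```

Contrast with PAP on the previous slide: there the reusable clear-text password itself crosses the link, so a single capture is enough to log in later.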
Extensible Authentication Protocol (EAP) • Provides a framework that points to a specific authentication method • EAP-TLS – Transport Layer Security • Wireless needs EAP • PEAP (Protected EAP)
Link Layer Threats • Confidentiality • Sniffing for reconnaissance • Offline brute force • Unapproved wireless • Integrity • Modify packets • Man-in-the-middle • Force weaker authentication • Availability • Denial of service • War driving • Transition from wireless to wired
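ARP cache poisoning from the Protocols slide and the link-layer integrity threats listed above, seen from the detection side, as an added example that is not part of the deck: a parser for the RFC 826 packet layout plus a small watcher that keeps the first IP-to-MAC binding seen in replies and raises an alert when a later reply claims the same IP with a different MAC. The addresses and the three sample packets are constructed.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (RFC 826)
ARP_REPLY = 2


def parse_arp(frame: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP packet into named, printable fields."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sha": sha.hex(":"), "spa": ".".join(map(str, spa)),
            "tha": tha.hex(":"), "tpa": ".".join(map(str, tpa))}


def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Build an ARP packet from readable fields (used only to construct samples)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


class ArpWatch:
    """Remembers the first MAC seen for each IP in replies; flags any change."""
    def __init__(self):
        self.table = {}   # ip -> mac, first binding wins
        self.alerts = []

    def observe(self, frame: bytes):
        pkt = parse_arp(frame)
        if pkt["op"] != ARP_REPLY:
            return None
        known = self.table.get(pkt["spa"])
        if known is not None and known != pkt["sha"]:
            alert = f"{pkt['spa']} moved from {known} to {pkt['sha']}"
            self.alerts.append(alert)
            return alert       # keep the original binding so later conflicts still alert
        self.table[pkt["spa"]] = pkt["sha"]
        return None


# Constructed sample traffic: gateway 192.0.2.1 answers, a host answers, then a
# third MAC answers for the gateway's IP, which is what a poisoned cache looks like.
SAMPLE = [
    build_arp(2, "00:11:22:33:44:01", "192.0.2.1", "00:11:22:33:44:10", "192.0.2.10"),
    build_arp(2, "00:11:22:33:44:10", "192.0.2.10", "00:11:22:33:44:01", "192.0.2.1"),
    build_arp(2, "00:11:22:33:44:99", "192.0.2.1", "00:11:22:33:44:10", "192.0.2.10"),
]


def run_sample() -> list:
    watch = ArpWatch()
    for frame in SAMPLE:
        watch.observe(frame)
    return watch.alerts
```

In practice, legitimate rebinding (DHCP lease changes, replaced NICs, failover) also trips this rule, so a deployment pairs it with an allow-list of expected changes; the durable control is switch-level Dynamic ARP Inspection, which drops replies that disagree with the DHCP binding table.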
Wired and Wireless Link-Layer Controls • Encryption • PPP Encryption Control Protocol (ECP) • Authentication • PAP • CHAP • EAP • Tunneling • EAP-TTLS • Radio frequency management
Metropolitan Area Network (MAN) • Optimized for a city • Uses wireless infrastructure, fiber optics or Ethernet to connect sites together • Still needs security • Switched Multi-megabit Data Service (SMDS) • SONET/SDH