Network Security Slides 1

The flashcards below were created by user DaveGT on FreezingBlue Flashcards.

  1. What are the Security Layers?
    • Network Security
    • Physical Security
    • Personal Security
    • Operational Security
    • Communication
  2. What is Computer Security?
    Keeping anyone from doing things you do not want them to do with, on, or from your data, computer, or any peripheral device.
  3. What are the costs of not having security?
    • stolen business
    • loss of business through bad publicity
    • network ground to a halt
    • you may fall foul of the data protection legislation
  4. Why aren't computers secure?
    • Security is an annoyance
    • Vendors need to get product out
    • Hardware and software evolve quickly
    • Programmers can’t predict flaws
    • Little OS diversity
    • Vendors are not motivated to declare flaws
    • Patches if available may actually cause more problems
  5. What must security be balanced against?
  6. What data characteristics are worth preserving?
    • Availability of information
    • Accuracy of information
    • Authenticity of the information
    • Confidentiality of the information
    • Integrity of the information
  7. Who are the attackers?
    • Hackers: Script kiddies/Ideological
    • Bodies with criminal intent
    • Government / Corporate raiders
    • Own employees
    • Short term contractors
  8. What are the vectors that hackers exploit?
    • Over the Internet
    • Using a computer connected to the network
    • Remote Access: Dial-up, VPN, Telnet
    • Wireless
    • Line-of-sight
  9. What are Administrators' Security Expectations?
    • Users can perform only authorized tasks.
    • Users can obtain only authorized information.
    • Users cannot cause damage to the data, applications, or operating environment of a system.
  10. What are the concerns affecting security?
    • Increase of network attacks
    • Increased sophistication of attacks
    • Increased dependence on the network
    • Lack of trained personnel
    • Lack of awareness
    • Lack of security policies
    • Wireless access
    • Legislation
    • Litigation
  11. What are the categories of threat?
    • Human error or failure: Accidents, mistakes
    • Compromise of IP: Piracy, copyright infringement
    • Espionage or trespass: Unauthorised access
    • Software attacks: Virus, worms, macros
    • Deviation in quality of service: Service providers, DOS
    • h/w, s/w failures: Equipment failures, bugs
  12. What are the Network Vulnerabilities?
    • Technology: Transport Protocols, Routing Protocols, Operating System
    • Configuration: Servers and workstations, Firewalls and Routers, IDS
    • Policy: Ineffective security policy
  13. What are the classes of attack?
    • Reconnaissance attacks
    • Access attacks
    • Denial of service attacks
    • Worms, viruses, and Trojan horses
  14. What are the types of attack?
    • Packet sniffers
    • Trust exploitation
    • Password attacks
    • Trojan horse
    • Man-in-the-middle attacks
    • Worms
    • VLAN
    • IP weaknesses
    • Port redirection
    • Virus
    • DoS or DDoS
    • Operator error
    • Application layer attacks
  15. What are the targets of attacks?
    • System Hacking: Window/Unix/Apple
    • Network Hacking: Network devices, OSI Layer, Protocols
    • Software Hacking: Web Server Hacking, Web Applications, Malware, Spyware, viruses
  16. Name some useful Security Websites
  17. Name the three entities in a hacker's methodology
    • Footprinting
    • Scanning
    • Enumeration
  18. What information is acquired through footprinting?
    • Company web sites -public and private
    • Related Organisations
    • Location details
    • Phone number, contact names, email addresses, and personal details
    • Current events (mergers, acquisitions, layoffs, charity events etc.)
    • Privacy or security policies and the technical details indicating the types of security and how they are implemented.
    • Archived information
    • Disgruntled employees
    • Search engines, Usenet and resumes
    • Other information of Interest
  19. Name some hacking tools and what they do
    • Google groups: Search for useful emails addresses in newsgroups
    • Whois: Gather IP and domain information
    • SamSpade: Gather IP and domain information
    • Namedroppers: Run a domain name search
    • Google: Search for web sites and company information
    • Dig: Performs DNS zone transfers
    • Netcat: Read and write data to ports over the network
    • Wget: Retrieves files over HTTP, HTTPS and FTP from the Internet
  20. In the process of Whois and DNS enumeration, what does ICANN provide?
    • Internet Domain names
    • IP addresses
    • Protocol parameter and port numbers
    • Internet’s root DNS servers.
  21. Name two network reconnaissance tools
    • tracert
    • traceroute
  22. What is the purpose of scanning?
    • If you have an IP address range - to find out which IP addresses are alive
    • If you have found a target - to find out which ports are open
  23. What are Ping Sweeps used for?
    • Identify which IP addresses belong to active hosts
    • Ping a range of IP addresses
  24. What are the potential problems of ping sweeps?
    • Computers that are shut down cannot respond
    • Networks may be configured to block ICMP Echo Requests
    • Firewalls may filter out ICMP traffic
  25. From RFC 792; what are the primary ICMP type messages?
    • 0: Echo Reply
    • 3: Destination Unreachable
    • 4: Source Quench
    • 5: Redirect
    • 8: Echo Request
    • 11: Time Exceeded
    • 12: Parameter problem
    • 13: Timestamp
    • 14: Timestamp Reply
    • 15: Information Request
    • 16: Information Reply
  26. What does Port Scanning find out?
    What is the problem with services?
    What ports do you scan?
    What do port scanners report about ports?
    • Port Scanning: Finds out which services are offered by a host and identifies vulnerabilities
    • Open services can be used in attacks: Identify a vulnerable port, Launch an exploit
    • Scan all ports when testing: Not just well-known ports
    • Port scanning programs report: Open ports, Closed ports, Filtered ports, Best-guess assessment of which OS is running
  27. What are the types of port scans?
    • SYN scan: Stealthy scan
    • Connect scan: Completes the three-way handshake
    • NULL scan: Packet flags are turned off
    • XMAS scan: FIN, PSH and URG flags are set
    • ACK scan: Used to get past a firewall
    • FIN scan: Closed port responds with an RST packet
    • UDP scan: Closed port responds with ICMP “Port Unreachable” message
  28. Name some popular port scanning tools for Unix and Windows
    • UNIX: scope, udp-scan, netscan, nmap
    • Windows: netcat, SuperScan, ipEye
  29. What are the countermeasures to port scanning?
    • Options limited
    • Shut the port
    • Leave it open
    • Try to disguise it
    • Use IDS/IPS
  30. Name two operating system failures to deal with Active Stack Fingerprinting (Port) scans
    • FIN probe: RFC 793 states that the correct response to this flag is not to respond. Windows NT/2000/2003 respond with a FIN/ACK
    • Bogus flag probe: An unidentified TCP flag is set in the TCP header of a SYN packet. Some OSs, like Linux, will respond with that flag set in the response packet.
  31. How to try and detect Active Stack Fingerprinting?
    Look for these flags by using some network monitoring software to capture network traffic.
  32. What information does Enumeration hope to extract?
    • Resources or shares on the network
    • User names or groups assigned on the network
    • Last time user logged on
    • User’s password
  33. Name some examples of enumeration tools
    • Port scanning and footprinting: Determine OS being used
    • NBT (NetBIOS over TCP/IP): Tool for enumerating Microsoft OSs
    • Using NBTscan: Use nbtscan command to scan a range of IP addresses
    • Example: nbtscan 192.168.0.0/24
    • Telnet to probe services: banner grabbing, ftp, DNS zone transfers, SMTP and NetBIOS
  34. What type of process is enumeration?
    Intrusive process
  35. What is the Application Layer?
    • Front end to the lower-layer protocols
    • What you can see and touch
  36. What is the Transport Layer?
    What common Protocols run on this layer?
    On what basis do these protocols work?
    What is a three way handshake?
    • Encapsulates data into segments
    • Segments can use TCP or UDP to reach a destination host
    • UDP is a minimal, message-oriented protocol
    • TCP is a connection-oriented protocol
    • TCP three-way handshake
    • Computer A sends a SYN packet
    • Computer B replies with a SYN-ACK packet
    • Computer A replies with an ACK packet
  37. What are the critical components of TCP Segment Headers and why are they important?
    • Critical components:
    • TCP flags
    • Initial Sequence Number (ISN)
    • Source and destination port

    Important because they are abused by hackers finding vulnerabilities
  38. What are the TCP Flags and what do they do?
    • URG: indicates that the Urgent pointer is valid.
    • ACK: indicates that the Acknowledgement number is valid.
    • PSH: indicates that this segment requests a push (i.e. pass this data to the application as soon as possible).
    • RST: indicates that the connection should be reset.
    • SYN: indicates that Initial Sequence Numbers (ISNs) should be synchronised.
    • FIN: indicates that the sender has finished sending data
  39. What is the initial sequence number (ISN) in TCP?
    • 32-bit number
    • Tracks packets received
    • Enables reassembly of large packets
    • Sent on steps 1 and 2 of the TCP three-way handshake
  40. Describe TCP Ports
    What do TCP packets contain?
    What are the common ports and where can you find information about them?
    • Port: Logical, not physical, component of a TCP connection
    • Identifies the service that is running
    • Example: HTTP uses port 80
    • A 16-bit number
    • TCP packets have source and destination port fields
    • Helps you stop or disable services that are not needed: Open ports are an invitation for an attack
    • Only the first 1023 ports are considered well-known
    • List of well-known ports: Available at the Internet Assigned Numbers Authority (IANA) Web site
  41. Describe TCP ports 20 and 21
    • Ports 20 and 21: File Transfer Protocol (FTP)
    • Used for sharing files over the Internet
    • Requires a logon name and password
    • More secure than Trivial File Transfer Protocol (TFTP)
  42. Describe TCP ports 25, 53 and 69
    • Port 25:
    • Simple Mail Transfer Protocol (SMTP)
    • E-mail servers listen on this port
    • Port 53:
    • Domain Name Service (DNS)
    • Helps users connect to Web sites using URLs instead of IP addresses
    • Port 69:
    • Trivial File Transfer Protocol
    • Used for transferring router configurations
  43. Describe TCP ports 80, 110 and 119
    • Port 80:
    • Hypertext Transfer Protocol (HTTP)
    • Used when connecting to a Web server
    • Port 110:
    • Post Office Protocol 3 (POP3)
    • Used for retrieving e-mail
    • Port 119:
    • Network News Transfer Protocol
    • For use with newsgroups
  44. Describe TCP ports 135, 139 and 143
    • Port 135:
    • Remote Procedure Call (RPC)
    • Critical for the operation of Microsoft Exchange Server and Active Directory
    • Port 139:
    • NetBIOS
    • Used by Microsoft’s NetBIOS Session Service
    • Port 143:
    • Internet Message Access Protocol 4 (IMAP4)
    • Used for retrieving e-mail
    • Better than POP3
  45. Describe the User Datagram Protocol (UDP)
    • Fast but unreliable protocol
    • Operates on transport layer
    • Does not need to verify whether the receiver is listening
    • Higher layers of the TCP/IP stack handle reliability problems
    • Connectionless protocol
  46. What is the internet layer used for and what protocol does it use?
    What is the ICMP?, what is it used for and what are common commands?
    • Responsible for routing packets to their destination address
    • Uses a logical address, called an IP address
    • IP addressing packet delivery is connectionless
    • Internet Control Message Protocol (ICMP):
    • Used to send messages related to network operations
    • Helps in troubleshooting a network
    • Some commands include:
    • Ping
    • Traceroute
  47. Name some popular security models
    • Asset and Risk Based Infosec Lifecycle (ARBIL)
    • Confidentiality, Integrity and Availability (CIA)
    • McCumber Cube
    • Cisco Security Wheel
  48. Describe Network Security as a Continuous Process
    • Network security is a continuous process built around a security policy:
    • Step 1: Secure
    • Step 2: Monitor
    • Step 3: Test
    • Step 4: Improve
  49. With reference to the Cisco security model; describe the secure step.
    • Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
    • Authentication
    • Encryption
    • Firewalls
    • Vulnerability patching
  50. With reference to the Cisco security model; describe monitor step
    • Detects violations to the security policy
    • Involves system auditing and real-time intrusion detection
    • Validates the security implementation in Step 1 (secure)
  51. With reference to the Cisco security model; describe testing step
    Validates effectiveness of the security policy through system auditing and vulnerability scanning
  52. With reference to the Cisco security model; describe improve step
    • Use information from the monitor and test phases to make improvements to the security implementation.
    • Adjust the security policy as security vulnerabilities and risks are identified
  53. What is a security policy?
    • “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
    • (RFC 2196, Site Security Handbook)
  54. What factors should be taken into consideration when preparing a security policy?
    • Count the Cost
    • Identify your assumptions
    • Control your secrets
    • Remember human factors
    • Know your weaknesses
    • Limit the scope of access
    • Understand your environment
    • Limit your trust
    • Remember physical security
    • Make security pervasive
    • Know your enemy
  55. Why should you create a security policy?
    • To create a baseline of your current security posture
    • To set the framework for security implementation
    • To define allowed and not allowed behaviors
    • To help determine necessary tools and procedures
    • To communicate consensus and define roles
    • To define how to handle security incidents
  56. Describe the two sets of security policy elements
    Network Design Factors upon which security policy is based:

    • Data Assessment
    • Host Addressing
    • Application Definition
    • Usage Guidelines
    • Topology/Trust Model

    Basic Internet threat vectors toward which security policies are written to mitigate

    • Vulnerabilities
    • Denial of Service
    • Misuse
    • Reconnaissance
  57. What are the threats to security and what are the counters that should be documented in a security policy?
    • Threats -> Counters
    • Masquerade -> Authenticity
    • Interception -> Privacy
    • Modification -> Integrity
    • Interruption -> Availability
  58. What are the main Personal threats to Authenticity?
    • Same log in routine
    • Username readily available
    • Thus password becomes the gateway: Or session tickets for inter-resource communication
    • Often limited in some way: lower & upper case, more than 8 char.
  59. What are the Authenticity Attacks?
    • Guessing the password
    • “Cracking” passwords
    • Reuse of old passwords
    • Capture via Trojan Horses
  60. What are the threats to internal Authenticity?
    • Main threat is from “spoofing”
    • Identification of host is by address
    • The usual assumption is if you say you are a particular address then it must be so.
  61. Structure of internal networks regarding Authenticity
    How is the network arranged, what identifies what, and how are they able to communicate?
    • Address conveys information about your setup
    • IP addresses must be unique
    • Must reside on correct network unless using “source routing”
    • Most IP traffic within an organisation is carried over LANs
    • Media Access Control MAC
    • Address Resolution Protocol (ARP) uses LAN broadcast to ask for MAC address of a particular IP address.
  62. What are the countermeasures to an internal Authenticity Attack?
    • Spoof detection
    • Static address mapping
    • Using an ARP server
    • Authentication protocols e.g. MD5, Kerberos
  63. What is the problem of exploiting Authenticity from the exterior using a permanent network and what counter measures can be utilised?
    • Spoofing of an internal address from outside is harder, as traffic which passes through a router will be directed to the appropriate network via the router's internal tables
    • Main Counter: IP source routing: source host specifies the list of routers the packet must pass through.
    • Secondary Counters:
    • Password encryption
    • One-time passwords
    • Secure address mapping
    • Strong authentication
    • Proper router configuration
    • Firewall gateways
  64. How does exploiting a network's authenticity from the exterior using a temporary network work? What are the countermeasures to this attack?
    • Find the dial-in line and then use brute force attack
    • Main Counter: dial-back or strong authentication
    • Secondary Counters:
    • Password encryption
    • One-time passwords
    • Secure address mapping
    • Strong authentication
    • Proper router configuration
    • Firewall gateways
  65. What are the countermeasures to a masquerade/exterior attack?
    • Masquerade -> Authenticity
    • Password encryption
    • One-time passwords
    • Secure address mapping
    • Strong authentication
    • Proper router configuration
    • Firewall gateways
  66. What are the three different areas of Interception attacks?
    • Personal
    • Interior
    • Exterior
  67. What is the structure of interception on a personal level? What different user technologies are employed?
    What is the structure in a multi-user system?
    • The technology:
    • single user
    • single user with optional authentication
    • multiple user
    • Multiuser system:
    • file permission scheme: rwx|rwx|rwx
    • VMS, Netware more permissions and/or user categories
    • Users may belong to more than one grouping
    • ACLs
  68. What are the methods employed to secure data at a personal level to protect against interception attacks?
    • Your job to ensure that documents are secure:
    • File encryption: password protection
    • Key encryption: DES, IDEA, PGP, RSA
    • Compression
  69. What is the structure of interception on an interior level? What would allow a hacker to obtain information? What is a common interception weakness in interior networks?
    Where are attacks possible from?
    • Most LANs are broadcast:
    • Can turn a PC into a protocol analyser
    • Many login/password sequences are sent in clear text
    • Attacks are possible from:
    • Legally connected host
    • Illegally connected host
    • Invisible hosts
  70. How do you set up interception on an exterior level, what do you use and what do you want to access?
    • External connections via say friendly ISP.
    • Gain access to your monitoring device.
  71. What is the main method utilised for interception attacks?
    Eavesdropping, which is the main threat to privacy.
  72. What are the countermeasures to interception attacks?
    • Interception -> Privacy
    • Strong authentication techniques
    • Data encryption
    • Correct file permissions
    • Secure address mapping techniques
    • Good firewall topology.
  73. What are the three levels of Integrity? What are the common components of these areas?
    • Personal:
    • Import of data via removable media: floppy, zip, hard drive, USB
    • Electronic mail: especially via mime attachments, Message transfer agents
    • WWW or similar
    • Internal:
    • Network Technologies
    • File checksum
    • Immutable Files
    • External:
    • Router
    • DNS server
  74. What is the main goal and countermeasures to a modification attack?
    • Modification -> Integrity
    • The main goal is prevention:
    • Checksums
    • Digital Signatures
    • Firewall
    • Immutable files
    • Static routing
  75. What are the three levels of Availability and what are the components of these areas?
    • Personal:
    • Viruses
    • Bombs
    • Trojan horses
    • Interior:
    • Disc quotas
    • Broadcast Storms
    • Duplicate IP address
    • Exterior:
    • Disruption of normal routing
    • Flooding of resources
  76. What are the countermeasures to an Interruption Attack?
    • Interruption -> Availability
    • Frequent virus checks
    • Limit resources assigned to a process
    • Control IP address allocation
    • Use static routing on external connects
    • Use packet-filtering gateways
    • Good firewall topology.
    • IDS/IPS
  77. What are the Security Risk Areas (areas of concern)?
    • Theft of data, files, or software
    • Unauthorised use of computer resources
    • Denial-of-service attacks
    • Deletion and/or replacement of content.
    • Installation of unauthorised resource
  78. What areas of an organisation's security are most at risk?
    • Passwords: Gaining access to lists of usernames and passwords, which then give intruder free access for further attacks.
    • Organisational data: Sensitive organisational data such as planning data, test data, payroll etc.
    • Customer data: Commerce Web sites should realise that access to customer data, such as credit card numbers could prove useful to the hacker.
    • Application software: Downloading licenses, sensitive software
  79. What are the three areas which can be addressed to improve OS security? What are the good practices to improving security in these areas?
    • Logon Security:
    • Display legal notice
    • Remove last user’s name from logon dialog
    • Remove shut down button
    • User Rights:
    • Sufficient for task
    • Create several for a user to match requirements
    • Don’t give “Back up files and directory” rights
    • Machine itself:
    • Keep up to date with patches and service packs.
    • Close off ports that are not being used.
    • Shut down/uninstall services not required.
    • Restrict access to the registry
    • Domain security
  80. What are the methods to improve Application Security?
    • Correct user privileges: anonymous, others for specific directories/ applications
    • Appropriate use of directory browsing.
    • Correct access permissions on directories: usually read only, scripting, execute for cgi directory
  81. What are good security practices?
    • Integrated Threat Management: Firewalls, Virus scanners, IDS/IPS, DMZ
    • Limiting Server services: Remove needless services, lock down others
    • Perform regular Server Maintenance and Administration
    • Protect the log file:
    • Encrypt the files, store them on a different machine. Use a different file system
    • Logfiles should not be visible via the web.
    • Logfiles should be analysed frequently
    • Ample disc space should be allocated to prevent “denial of service”
    • Secure Programs and Scripts:
    • Adopt a general policy regarding the authoring and testing of scripts.
    • Remove all unnecessary scripts or programs
    • Consider server configuration which requires the “CGI” process to run in isolation.
    • Carefully examine any application which requires the installation of server’s API.
  82. What type of security tools should be utilised to improve security?
    • Macros or scripts that periodically check the integrity of critical files (checksums).
    • Programs that periodically make HTTP requests to check server availability.
    • Scanning programs which check for known server vulnerabilities.
    • Network Monitors
  83. How can you make services more secure?
    • Remove/replace the “default” configuration
    • Isolate the document root from the real file system.
    • Regular backup of configuration files
    • Disable:
    • Automatic directory listings
    • Home directory that may contain “exploitable” scripts
    • Server-side includes especially with #EXEC option
    • CGI script execution from arbitrary directories.
    • See
  84. What should you do in the event of an intrusion?
    • Shut down the server
    • Explain to reader/user community
    • Back up all server configuration to obtain accurate information about the system.
    • Report intrusion to the appropriate authorities.
    • Minimise any public announcement(?)
  85. What is AAA?
    A framework for intelligently controlling access to computer network resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
  86. What are the individual areas of AAA(A) and what do they do?
    • Authentication: Validating the claimed identity of the user or device.
    • Authorisation: Granting access rights to system resources. (Time-of-day, QoS, Bandwidth, tunnelling)
    • Accounting: Tracking users' usage of system resources. (billing, management)
    • Auditing: Ascertain the validity and reliability of information
  87. Name some technologies used in AAA(A)
    • CHAP: Challenge Handshake Authentication Protocol
    • DIAMETER Protocol: This protocol is designed to replace RADIUS.
    • EAP: Extensible Authentication Protocol
    • Kerberos
    • MS-CHAP (MD4)
    • PAP: Password Authentication Protocol
    • PEAP: Protected Extensible Authentication Protocol
    • RADIUS: Remote Authentication Dial-In User Service
    • TACACS/TACACS+: Terminal Access Controller Access Control System
  88. What are the benefits of using AAA?
    • Increased flexibility and control of access configuration
    • Scalability
    • Standardized authentication methods, such as RADIUS, TACACS+, Diameter and Kerberos
    • Multiple backup systems
  89. What is an identity?
    • An assertion of who we are
    • Allows us to differentiate between one another
  90. What forms do identities take?
    • Username and password
    • Email address:
    • MAC address: 00-01-12-ab-3d-33
    • IP address:
    • Digital certificates
    • Biometrics
  91. What are identities used for?
    Used to grant appropriate authorisations: rights to services within a given domain
  92. What are some popular identity mechanisms
    • Terminal Access Controller Access Control System (TACACS):
    • TACACS
    • TACACS+
    • Remote Authentication Dial-In User Service (RADIUS)
    • Diameter
  93. Draw an overview of what identity mechanisms provide
    [image not available]
  94. What are static passwords? What attacks are they susceptible to? Why are they used?
    • Remains the same until changed
    • Susceptible to playback, theft, brute force, eavesdropping
    • For convenience distributed systems need to have one password to access all resources.
    • If it is possible to capture the password for off-line guessing then a much larger name space is required
  95. What is a password storage site? What are the components?
    • Individually stored on all the services required.
    • Authentication Storage node: Central server
    • Authentication Facilitator node: An intermediary that passes on authentication requests to a central server.
  96. Describe the process for One-Time Passwords, for example S/Key
    1. The client provides a pass phrase
    2. The server provides the seed phrase and hash algorithm - MD4, MD5 or SHA-1
    3. These are concatenated and passed through the algorithm a number of times. Output folded/reduced to 64 bits each time.
    4. On log in the client is challenged by the server, who provides the seed, sequence number - 1 and hash used.
    5. The client performs the same as step 3 and sends the (sequence number - 1)th password to the server.
    6. The server passes this through the hash one more time and then compares.
    7. The server updates its database with the new sequence number and new password.
  97. What are Token Passwords?
    How do they work?
    • A One-Time-Password (OTP) with added security
    • Time-based: Password loosely synchronised in time to the server.
    • Challenge-response: Token server sends a random string to remote client. Remote client uses this with stored cryptographic key to produce the “password” which is sent to the server for authentication
  98. What are Digital Signatures?
    • An encrypted hash appended to a document to confirm identity of the sender and the integrity of the document.
    • Based on public key encryption and secure one-way hash functions
  99. What are the different technologies utilised by Biometrics?
    • Fingerprint Scanning
    • Voice Recognition
    • Face Recognition
    • Signature Recognition
    • Retinal scanner
    • Iris scanner
    • Handprint readers
    • Keystroke timing
  100. What is Correct EAP?
    Name some of the different varieties of EAP.
    • Extension of PPP to provide additional authentication features
    • A flexible protocol used to carry arbitrary authentication information.
    • Typically rides on top of another protocol such as 802.1x or RADIUS. EAP can also be used with TACACS+
    • Specified in RFC 2284
    • Support multiple authentication types:
    • EAP-MD5: Plain Password Hash (CHAP over EAP). It has little use in a wireless authentication environment.
    • EAP-TLS: based on X.509 certificates [RFC2716].
    • EAP-TTLS: Sets up an encrypted TLS tunnel for safe transport of authentication data.
    • LEAP (EAP-Cisco Wireless): proprietary protocol developed by Cisco, and is not considered secure
    • PEAP (Protected EAP): currently an IETF draft
    • EAP-MSCHAPv2: Requires username/password, and is basically an EAP encapsulation of MS-CHAP-v2
  101. What is a basic login only? What are its weaknesses?
    • Username and Password sent in clear.
    • Recipient verifies username and password and communication occurs: No encryption, no integrity checks
  102. What is a Nonce?
    • A quantity that a protocol only uses once:
    • Random number
    • Timestamp
    • Sequence number
  103. Describe the Authentication Protocol Checklist
    • Learn the contents of the messages between Alice and Bob.
    • Learn information that would enable Trudy to impersonate either Alice or Bob in subsequent exchanges.
    • Learn information that would enable Trudy to impersonate Alice to another replica of Bob.
    • Learn information that would allow Trudy to do an off-line password guessing attack against either Alice or Bob
    • Pick up a conversation to Bob and convince him that it is Alice.
    • Trick either into signing or decrypting something.
    • Use one protocol to mount an attack on another.
  104. Describe the four factors that motivate administrators to install IDS
    • Most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for technical and economic reasons
    • Existing systems with known flaws are not easily replaced by systems that are more secure, mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons
    • Developing systems that are absolutely secure is extremely difficult, if not generally impossible
    • Even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.
  105. What are the different IDS Hypothesis detection models?
    • Attempted Break-in: Recognised by the abnormal number of password failures
    • Masquerading or successful break-in: Logged in at an unusual time for the legitimate user. Resource usage may be that of browsing directories and executing system status commands.
    • Penetration by legitimate user: Triggers excessive protection violations. Accessing material not usually used by them.
    • Leakage by legitimate user: Leaking sensitive documents by routing data to remote printers not normally used.
    • Similarly for Trojan horses, virus and DOS
  106. Explain how IDS works, what its architecture is.
    • Collects, organizes, and analyzes information from any number of network based and host based IDS sensors;
    • Shows overall status at a glance;
    • Generates a report hierarchy that allows humans to start their investigation at any level and work up, down, and across as the trail leads;
    • Enables humans to interact with the system to test their intuitions;
    • Allows humans to direct further analysis and redirect how data is analyzed;
    • Is invisible to hackers and is secure, because it is physically isolated from the production network.
  107. Describe some of an IDS characteristics and components.
    • Network taps: Invisible to hackers. The whole IDS network is physically separate from the production network
    • One or more IDS sensors to prevent overload
    • The IDS sensors types perform preliminary analysis.
    • Central analysis server on the isolated IDS network to collect and allow analysis of the sensors data.
    • Capability of sensors and central analysis tools to react in real time.
  108. Outline what an IDS is
    Outline what an IPS is and what mechanisms it provides.
    • IDS:
    • Similar to generic packet sniffer.
    • Compares packets with known attack patterns
    • IPS:
    • Provides the following active defence mechanisms:
    • Detection: identify attacks
    • Prevention: stop detected attacks from happening
    • Reaction: immunise the system from further attacks from a malicious source.
  109. What are the different things which can happen when an IDS/IPS makes a signature match?
    • Alarm: sends alarm to a log/email and then forwards the packet.
    • Reset: sends packet with a reset flag to session participants.
    • Drop: immediately drop packet
    • Block: denies traffic from source attack address
  110. Name the two types of IDS
    • Host-Based IDS (HIDS)
    • Network IDS (NIDS)
  111. Explain the process of Kerberos Authentication
    • 1. Once per Kerberos session a client connects to the Authentication Server (AS) to obtain a Ticket-Granting Server (TGS) session key and ticket granting ticket (TGT)
    • 2. Once per application session, client connects to TGS to obtain application session key (ASK) and application server's secret key
    • 3. The authenticated client sends its ticket, ASK and encrypted application server's secret key to application server and initiates a connection.
Card Set:
Network Security Slides 1
2011-08-04 16:34:08
Network Security Slides