Module 002 General Security Concepts

DOCUMENT INFORMATION

Basic information

Title: General Security Concepts
School: Học viện Công Nghệ Thông Tin Bách Khoa
Major: Information Security
Type: lecture notes
City: Vietnam
Format:
Pages: 38
Size: 1.45 MB

Contents

Page 1

Engineered by Hackers Presented by Professionals

Page 2

General Security Concepts

Page 3

Advanced TCP/IP

In the OSI model:

• Each layer has a defined networking function

• Each layer communicates with the layer directly above and below it on the same host, and with its peer layer on the remote host

• Layer seven (application) provides the services through which programs gain access to the network

• Layers one and two (physical and data link) define the network's physical media and the tasks of putting frames onto it

Page 4

Advanced TCP/IP

A web request moving along the TCP/IP model

Page 5

The slide's layer diagram, reduced to its protocols:

Transport layer: TCP, UDP
Internet layer: IP, ICMP, IGMP, ARP (ARP sits between the link and internet layers)
Link layer: Ethernet, Token Ring, Frame Relay

Page 6

Advanced TCP/IP

The function of IP

• Identifies every host with a unique IP address

• Identifies every packet with source and destination IP addresses

• Provides the addressing on which routing is based: routers forward each packet toward its destination address

Page 7

IP Address Classes

Five classes are defined, distinguished by the leading bits of the first octet:

A: Decimal 1-126 (0 and 127 are reserved; 127 is loopback), first bit is 0

B: Decimal 128-191, first two bits are 10

C: Decimal 192-223, first three bits are 110

Classes A, B and C are used for addressing individual hosts.

D: Decimal 224-239, first four bits are 1110. Reserved for multicasting.

E: Decimal 240-255, first four bits are 1111. Class E is experimental; for additional information on Class E and proposals for its use see RFC 1365.

Classful addressing has been superseded by CIDR (RFC 4632): the prefix length, not the first octet, determines the network portion. The classes survive mainly as terminology and in the default masks (/8, /16, /24).

Page 8

IP Address Classes

Page 9

Private IP Address Ranges

The ranges reserved for private use by RFC 1918 (not routed on the public Internet):

10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

Page 10

The Subnet Mask

• A 32-bit number, the same length as the IPv4 address, whose 1 bits cover the network portion; ANDing the address with the mask clears the host bits and reveals only the network ID

• The 'AND'ing process: network ID = IP address AND subnet mask

Page 11

• To divide the Class A network 10.0.0.0 (default mask 255.0.0.0) into at least 12 networks, you need to 'borrow' 4 bits from the host portion of the mask for the network portion (3 bits would give only 8), i.e.

• 11111111.11110000.00000000.00000000 = subnet mask

• which is 255.240.0.0 (/12)

Page 12

Subnetting

Now that the mask is 255.240.0.0, you have 2^4 = 16 networks, 10.x.0.0 with x a multiple of 16:

• 00001010.0000 0000.00000000.00000000 = 10.0.0.0 (first possible network)

• 00001010.0001 0000.00000000.00000000 = 10.16.0.0 (second)

• 00001010.1111 0000.00000000.00000000 = 10.240.0.0 (last possible network)
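The classful ranges, the ANDing of address and mask, and the bit-borrowing above can be checked with a few lines of Python. This is an added example, not code from the lecture notes; it uses only the standard-library `ipaddress` module and generalizes the slide's single case to any base network and any number of borrowed bits.

```python
import ipaddress

def ip_class(addr: str) -> str:
    """Classful letter for a dotted-quad IPv4 address, decided by the first octet
    (class E corrected to 240-255, first four bits 1111)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first == 127:
        return "A (loopback, reserved)"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D (multicast)"
    return "E (experimental)"

def network_id(addr: str, mask: str) -> str:
    """The 'AND'ing process: address AND mask reveals the network ID."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))

def subnets_needed(count: int) -> int:
    """Smallest number of host bits to borrow to get at least `count` subnets."""
    bits = 0
    while 2 ** bits < count:
        bits += 1
    return bits

def borrow_bits(base_network: str, bits: int):
    """Borrow `bits` host bits from a classful network, giving 2**bits subnets.
    Returns (new dotted mask, list of subnet network addresses)."""
    net = ipaddress.IPv4Network(base_network, strict=True)
    subnets = list(net.subnets(prefixlen_diff=bits))
    return str(subnets[0].netmask), [str(s.network_address) for s in subnets]

def is_private(addr: str) -> bool:
    """RFC 1918 ranges only (loopback and link-local deliberately excluded)."""
    rfc1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
    ip = ipaddress.IPv4Address(addr)
    return any(ip in n for n in rfc1918)

if __name__ == "__main__":
    bits = subnets_needed(12)                       # 4, as on the slide
    mask, nets = borrow_bits("10.0.0.0/8", bits)    # 255.240.0.0 and 16 subnets
    print(ip_class("10.1.2.3"), mask, nets[0], nets[1], nets[-1])
    print(network_id("10.37.200.9", mask))          # which /12 does this host fall in?
```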

Page 13

• Communications from one network to another

• Packets for another network are sent to the default 'gateway' (router)

• The router 'routes' the packet out of the appropriate interface by looking up the destination IP address in its routing table

• The destination network may or may not be attached to that interface; if it is not, the packet is forwarded to the next router (the next hop) and the process repeats

Page 14

Analyze the 3-Way handshake

Transport Layer Concepts

Connection-oriented (TCP) | Connectionless (UDP)
Slower communications | Faster communications
Considered reliable | Considered unreliable
Transport layer | Transport layer

Page 15

TCP Control Flags

SYN (S): Represents the first part of establishing a connection. The synchronizing of sequence numbers will generally be in the first packet of communication.

ACK (Ack): Represents acknowledgment of receipt of data from the sending host. It is set in the second part of establishing a connection (the SYN/ACK sent in response to the sending host's SYN) and on every segment after that.

FIN (F): Represents the sender's intention to terminate the communication in what is known as a graceful manner.

RESET (R): Represents the sender's intention to abort the connection immediately; it is also sent in reply to a segment that arrives for a port with no listener.

URGENT (Urg): Indicates that the urgent pointer is valid, so the data up to it should take precedence over other data.

PUSH (P): Used when the sending host requires data to be pushed directly to the receiving application rather than held in a buffer.

Page 16

Sequence and Acknowledgment Numbers

• When initiating a new connection, an Initial Sequence Number (ISN) is generated

• The ISN is a 32-bit number. In the original specification (RFC 793) it was taken from a clock that increments by one every 4 microseconds; such ISNs are predictable, which lets an off-path attacker forge segments into a connection, so modern stacks derive them from a keyed hash of the connection 4-tuple plus a clock (RFC 6528)

• Acknowledgment numbers are also 32-bit numbers: an ACK carries the next sequence number the receiver expects, i.e. the peer's sequence number plus the bytes received (SYN and FIN each count as one)

• This accounting is what gives TCP reliable delivery: data that is not acknowledged is retransmitted
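To make the flag, sequence and acknowledgment rules concrete, here is an added simulation of the three-way handshake with both endpoints' segments (example code, not part of the original notes). The `Endpoint` and `Segment` classes are hypothetical; ISNs are drawn with `secrets` as RFC 6528 intends rather than from a 4 microsecond clock; and the model also covers two failure cases the slides only imply: a SYN/ACK whose acknowledgment number is not our ISN + 1 is answered with RST, as is any segment arriving at a closed port.

```python
from dataclasses import dataclass, field
import secrets

MOD = 2 ** 32  # sequence and acknowledgment numbers are 32-bit and wrap

@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
    payload: bytes = b""

@dataclass
class Endpoint:
    port: int
    state: str = "CLOSED"
    snd_nxt: int = 0          # next sequence number we will send
    rcv_nxt: int = 0          # next sequence number we expect from the peer
    log: list = field(default_factory=list)

    def _send(self, peer_port, flags, payload=b""):
        seg = Segment(self.port, peer_port, self.snd_nxt, self.rcv_nxt, frozenset(flags), payload)
        # SYN and FIN each consume one sequence number; data consumes len(payload)
        self.snd_nxt = (self.snd_nxt + len(payload) + ("SYN" in flags) + ("FIN" in flags)) % MOD
        self.log.append(seg)
        return seg

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer_port):
        # Unpredictable ISN (RFC 6528); a fixed clock tick would be guessable by an attacker
        self.snd_nxt = secrets.randbelow(MOD)
        self.state = "SYN_SENT"
        return self._send(peer_port, {"SYN"})

    def send_data(self, peer_port, data: bytes):
        assert self.state == "ESTABLISHED"
        return self._send(peer_port, {"ACK", "PSH"}, data)

    def receive(self, seg: Segment):
        """Return the reply segment (or None) for an incoming segment."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            self.rcv_nxt = (seg.seq + 1) % MOD          # acknowledge the SYN: ISN + 1
            self.snd_nxt = secrets.randbelow(MOD)       # server picks its own ISN
            self.state = "SYN_RECEIVED"
            return self._send(seg.src_port, {"SYN", "ACK"})
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:                 # must equal our ISN + 1
                return self._send(seg.src_port, {"RST"})
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.state = "ESTABLISHED"
            return self._send(seg.src_port, {"ACK"})    # third part of the handshake
        if self.state == "SYN_RECEIVED" and "ACK" in seg.flags and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and seg.payload and seg.seq == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % MOD
            return self._send(seg.src_port, {"ACK"})    # acknowledge in-order data
        if self.state == "CLOSED":
            return self._send(seg.src_port, {"RST"})    # nothing is listening on this port
        return None

def handshake(client: Endpoint, server: Endpoint):
    """Run SYN, SYN/ACK, ACK and return the three segments' flag sets in order."""
    server.listen()
    syn = client.connect(server.port)
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return [sorted(s.flags) for s in (syn, syn_ack, ack)]
```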

Page 17

• Port numbers are located in the TCP (or UDP) header, and they are 16-bit values, ranging from 0 to 65,535

• Port numbers can be assigned to specific functions or applications

• Ports also can be left open for dynamic use by two hosts during

Page 18

Port numbers and associated services

• Port 23 - Telnet

• Port 80 - HTTP (standard Web pages)

• Port 443 - HTTPS (HTTP over TLS, secure Web pages)

• Ports 20 and 21 - FTP (data and control)

• Port 53 - DNS

• Port 25 - SMTP

Page 19

Trojan associated port numbers

• Port 12345 - NetBus

• Port 1243 - SubSeven

• Port 27374 - SubSeven 2.1

• Port 31337 - Back Orifice

• Port 54320 (TCP) - Back Orifice 2000

• Port 54321 (UDP) - Back Orifice 2000

These are the tools' default ports; a port number is a hint, not proof. Malware can be configured to use any port, including 80 or 443, so identify the protocol from the payload rather than from the port alone.

Page 20

Network Monitor

• Monitor real-time network traffic

• Analyze network traffic

• Filter specific protocols to capture

• The default view of Network Monitor

• Displaying captures

• Network Monitor filters

Page 21

Wireshark

• Very versatile third-party tool; runs on many versions of Unix/Linux and Windows.

• Requires libpcap (Unix) or WinPcap 2.3 (Windows). WinPcap is no longer maintained; current Wireshark releases on Windows use Npcap.

• Can read data off the wire, or from capture files of various formats.

• Can also save captures to various formats.

• Freely available at www.wireshark.org

• Formerly called Ethereal; the name changed in 2006.
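What a protocol analyzer such as Network Monitor or Wireshark does with captured bytes (decode the Ethernet, IPv4 and TCP headers, show flags and ports, apply a display filter) can be shown with a small dissector. This is an added example, not code from the notes or from the Wireshark project; the frames are constructed inline with zeroed checksums, and the port tables are the ones on the preceding slides.

```python
import struct
from dataclasses import dataclass

# Lookup tables taken from the slides (well-known services and classic trojan defaults).
SERVICES = {20: "FTP-data", 21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
TROJAN_PORTS = {12345: "NetBus", 1243: "SubSeven", 27374: "SubSeven 2.1", 31337: "Back Orifice",
                54320: "Back Orifice 2000 (TCP)", 54321: "Back Orifice 2000 (UDP)"}
# TCP flag bits in header order (low bit first)
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

@dataclass
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: list
    payload: bytes

def build_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame as constructed test input (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)              # dst MAC, src MAC, EtherType IPv4
    flag_byte = sum(bit for name, bit in FLAG_BITS if name in flags)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_byte, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp

def parse_frame(frame: bytes) -> TcpPacket:
    """Dissect Ethernet -> IPv4 -> TCP the way an analyzer's decode pane does."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                      # IP header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_byte, flag_byte = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_byte >> 4) * 4                                # TCP header length in bytes
    flags = [name for name, bit in FLAG_BITS if flag_byte & bit]
    return TcpPacket(src, dst, sport, dport, seq, ack, flags, tcp[data_off:])

def label_port(port: int) -> str:
    """Port-based labelling; a port is a hint about the protocol, not proof of it."""
    if port in TROJAN_PORTS:
        return "trojan-default:" + TROJAN_PORTS[port]
    return SERVICES.get(port, "unassigned/dynamic")

def capture_filter(packets, flags_all=(), dport=None):
    """A display filter in the spirit of 'tcp.flags.syn==1 && tcp.dstport==80'."""
    return [p for p in packets
            if all(f in p.flags for f in flags_all) and (dport is None or p.dport == dport)]

def sample_capture():
    """Constructed frames: a handshake to port 80, a probe of a trojan port, and an HTTP request."""
    return [parse_frame(f) for f in (
        build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1000, 0, ["SYN"]),
        build_frame("10.0.0.9", "10.0.0.5", 80, 40000, 5000, 1001, ["SYN", "ACK"]),
        build_frame("10.0.0.5", "10.0.0.9", 40001, 31337, 7, 0, ["SYN"]),
        build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1001, 5001, ["ACK", "PSH"], b"GET / HTTP/1.0\r\n\r\n"),
    )]

if __name__ == "__main__":
    for p in sample_capture():
        print(p.src, p.dst, p.sport, "->", p.dport, label_port(p.dport), "/".join(p.flags), p.payload[:16])
```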

Page 22

Cryptography Basics and Methods

Three categories of cryptography: physical, mathematical, and quantum.

Understanding Physical Cryptography

Physical cryptography includes several different approaches. The more common methods involve transposition or substitution of characters or words.

A cipher is a method used to encode characters to hide their value. Ciphering is the process of using a cipher to encode a message. The three primary types of cryptography or ciphering methods, substitution, transposition, and steganography, are discussed in the following sections.

Substitution Ciphers: A substitution cipher is a type of coding or ciphering system that changes one character or symbol into another.

For example, let's say you had the following message:

You can do this easily if you put your mind to it.

And the encrypted message read

You can do qhis zasily if you puq your mind qo iq.

Notice in the encrypted example that every instance of e is replaced by z, and that every instance of t is replaced by q.

Page 23

Transposition Ciphers: A transposition cipher rearranges the positions of the letters in a certain manner while leaving the letters themselves unchanged.

The Caesar cipher often quoted here is in fact a substitution cipher, not a transposition: it rotates every letter a fixed number of places in the alphabet while leaving positions untouched. With a shift of 13 (ROT13), an A becomes an N and a B becomes an O, and so forth; since 13 + 13 = 26, applying ROT13 a second time restores the original.

See if you can solve these encryptions:

1. Neg snve qrohgf urer fngheqnl.

2. Gevcyr pbhcbaf ng Xebtre!

3. Gel lbhe unaq ng chmmyrf.

The answers are

1. Art fair debuts here saturday.

2. Triple coupons at Kroger!

3. Try your hand at puzzles.

Page 24

Steganography: Steganography is the process of hiding one message inside another (the cover), so that an observer does not notice that a hidden message exists at all. In a null cipher like the one below, the cover text is sent in the clear.

Consider the following message:

“Meet the mini me that ate later.”

The real message is every third word:

“Meet me later.”
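Added example covering the substitution, Caesar/ROT13, transposition and steganography slides above (not code from the notes): a consistent substitution with the e to z, t to q mapping; ROT13 applied to the three puzzles; a columnar transposition with the hypothetical key ZEBRA, which shows the difference from a Caesar shift (a transposition leaves the multiset of letters unchanged, a substitution does not); and the every-n-th-word null cipher.

```python
def substitution_encrypt(text: str, mapping: dict) -> str:
    """Substitution: each character is replaced per a fixed mapping; unmapped characters pass through."""
    return "".join(mapping.get(c, c) for c in text)

def substitution_decrypt(text: str, mapping: dict) -> str:
    inverse = {v: k for k, v in mapping.items()}
    return "".join(inverse.get(c, c) for c in text)

def caesar(text: str, shift: int) -> str:
    """Caesar shift: a substitution cipher (letters rotate, positions stay). ROT13 is shift 13."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)

def rot13(text: str) -> str:
    return caesar(text, 13)  # its own inverse, because 13 + 13 = 26

def _column_order(key: str):
    # Columns are read in alphabetical order of the key letters; ties keep left-to-right order.
    return sorted(range(len(key)), key=lambda i: (key[i], i))

def columnar_transpose(text: str, key: str) -> str:
    """Columnar transposition: write the text in rows under the key, read the columns
    in key order. Letters keep their identity and only change position."""
    cols = len(key)
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[i] for i in _column_order(key) for row in rows if i < len(row))

def columnar_untranspose(cipher: str, key: str) -> str:
    cols = len(key)
    full_rows, rem = divmod(len(cipher), cols)
    col_len = {i: full_rows + (1 if i < rem else 0) for i in range(cols)}  # ragged last row
    columns, pos = {}, 0
    for i in _column_order(key):
        columns[i] = cipher[pos:pos + col_len[i]]
        pos += col_len[i]
    n_rows = full_rows + (1 if rem else 0)
    return "".join(columns[c][r] for r in range(n_rows) for c in range(cols) if r < col_len[c])

def every_nth_word(cover: str, n: int, start: int = 0) -> str:
    """Null-cipher steganography: the real message is every n-th word of the cover text."""
    return " ".join(cover.split()[start::n])

if __name__ == "__main__":
    print(substitution_encrypt("You can do this easily if you put your mind to it.", {"e": "z", "t": "q"}))
    print(rot13("Gel lbhe unaq ng chmmyrf."))
    print(columnar_transpose("ATTACKATDAWN", "ZEBRA"))
    print(every_nth_word("Meet the mini me that ate later.", 3))
```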

Page 25

Understanding Mathematical Cryptography: Mathematical cryptography deals with applying mathematical processes to characters or messages. One of the most common such functions is hashing; the symmetric and asymmetric encryption algorithms in the following sections belong to the same category.

Page 26

Understanding Quantum Cryptography: a message is sent using a series of photons. If the receiver knows the sequence and polarity (measurement basis) of the photons, they can decode the message. If someone intercepts the photons, measuring them disturbs their polarization, so some of the received values will be altered. This informs the receiver that someone is listening in on the message. The sender, when informed, can change the pattern and resend the message with a new photon position key. Intercepting the data alters the data and ruins the message, which is exactly what makes the eavesdropping detectable.

Page 27

Understanding Cryptographic Algorithms

The Science of Hashing: hashing is the process of converting a message, or data, of any length into a fixed-size numeric value (the digest). A cryptographic hash is one-way (the message cannot be recovered from the digest) and collision-resistant (finding two messages with the same digest should be infeasible).

Secure Hash Algorithm (SHA): was designed to ensure the integrity of a message. SHA is a one-way hash that provides a hash value that can be used with an encryption or signature protocol. The original algorithm (SHA-0) and its 1995 revision SHA-1 both produce a 160-bit hash value. SHA-1 is no longer considered secure: practical collisions were demonstrated in 2017 and it is deprecated for digital signatures and certificates. The current standards are the SHA-2 family (SHA-256, SHA-384, SHA-512) and SHA-3.

Message Digest Algorithm (MD): also creates a hash value using a one-way hash. The hash value is used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2. MD5 is the newest of these and produces a 128-bit hash. Although it was designed to be more complex than its predecessors, MD5 is cryptographically broken (collisions are cheap to generate) and must not be used where collision resistance matters, such as signatures or the integrity of downloaded software; it is acceptable only as a non-security checksum.

Page 28

Working with Symmetric Algorithms: require both ends of an encrypted message to have the same key and processing algorithms.

DES (Data Encryption Standard): based on a 56-bit key, which is far too short today; a 56-bit key has been brute-forceable in days on purpose-built hardware since 1998. It was replaced by AES and its standard has been withdrawn.

AES (Advanced Encryption Standard): AES is the current standard used by U.S. governmental agencies (FIPS 197). It supports key sizes of 128, 192, and 256 bits, with 128 bits being the most common choice. Like any block cipher it must be used in a suitable mode of operation; an authenticated mode such as AES-GCM provides confidentiality and integrity together.

3DES: Triple-DES (3DES) is a technological upgrade of DES that applies DES three times. 3DES is still found in legacy systems, even though AES is the preferred choice; NIST deprecated 3DES and disallows it for new applications after 2023.

The encryption algorithm is:

ciphertext = E_K3(D_K2(E_K1(plaintext)))

I.e., DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3. The encrypt-decrypt-encrypt order means that setting K1 = K2 = K3 reduces 3DES to single DES, which kept it compatible with existing DES hardware.

Decryption is the reverse:

plaintext = D_K1(E_K2(D_K3(ciphertext)))

I.e., decrypt with K3, encrypt with K2, then decrypt with K1.

Page 29

Working with Asymmetric Algorithms: Asymmetric algorithms use two mathematically related keys to encrypt and decrypt data. These keys are referred to as the public key and the private key. For encryption, the sender uses the receiver's public key to encrypt a message, and the receiver uses their private key to decrypt it. For digital signatures the roles are reversed: the signer uses their private key and anyone holding the public key can verify.

RSA: It's widely implemented, and it has become a de facto standard. RSA works for both encryption and digital signatures. RSA is used in many environments, including Secure Sockets Layer (SSL) and its successor TLS. In practice RSA encrypts only a small value such as a session key, and the bulk data is encrypted with a symmetric algorithm.

Diffie-Hellman: This algorithm is used primarily to establish a shared secret key between two parties across a public network. It is not used to encrypt or decrypt messages, and it does not transmit a key at all: each side sends only a public value, and both compute the same secret from their own private value and the other side's public value. An eavesdropper who sees both public values cannot compute the secret. On its own the exchange is unauthenticated, so the public values must be authenticated (for example signed with RSA under a certificate), otherwise a man in the middle can negotiate a separate secret with each side.
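Added example of the Diffie-Hellman exchange described above, including the man-in-the-middle case (example code, not from the notes). It uses the textbook toy group p = 23, g = 5 so the numbers can be checked by hand; a real deployment uses a 2048-bit or larger MODP group (RFC 3526 or RFC 7919) or an elliptic curve, with identical logic.

```python
import secrets

# Toy group for illustration only: p = 23 is prime and g = 5 generates the whole group.
P, G = 23, 5

def dh_private(p: int = P) -> int:
    """Random private exponent in [2, p-2]; never leaves the host."""
    return 2 + secrets.randbelow(p - 3)

def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Public value g^private mod p; this is the only thing sent over the network."""
    return pow(g, private, p)

def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    """Shared secret peer_public^private mod p; both sides arrive at g^(ab) mod p."""
    return pow(peer_public, private, p)

def exchange(a: int, b: int, p: int = P, g: int = G):
    """Alice (private a) and Bob (private b) exchange public values only.
    Returns (A, B, alice_secret, bob_secret)."""
    A, B = dh_public(a, p, g), dh_public(b, p, g)
    return A, B, dh_shared(B, a, p), dh_shared(A, b, p)

def mitm_exchange(a: int, b: int, m: int, p: int = P, g: int = G):
    """Unauthenticated DH: Mallory (private m) replaces both public values with her own.
    Alice ends up sharing a secret with Mallory, Bob shares a different one with Mallory,
    and Mallory can decrypt and re-encrypt everything between them.
    Returns (alice_secret, bob_secret, mallory_with_alice, mallory_with_bob)."""
    A, B, M = dh_public(a, p, g), dh_public(b, p, g), dh_public(m, p, g)
    alice_secret = dh_shared(M, a, p)   # Alice believes M came from Bob
    bob_secret = dh_shared(M, b, p)     # Bob believes M came from Alice
    return alice_secret, bob_secret, dh_shared(A, m, p), dh_shared(B, m, p)

if __name__ == "__main__":
    A, B, sa, sb = exchange(6, 15)
    print("public values", A, B, "secrets", sa, sb)
    print("mitm", mitm_exchange(6, 15, 13))
```

The defence is to authenticate the public values (sign them, or carry them in a certificate) so that Mallory's substituted value is rejected; this is what TLS does when it combines an ephemeral DH exchange with an RSA or ECDSA signature.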

Page 30

Using Cryptographic Systems

• Cryptographic systems exist for the same reasons that security exists: to provide confidentiality, integrity, authentication, non-repudiation, and access control.

Confidentiality: prevents the unauthorized disclosure of information, whether it is stored on a local system or transmitted across a network.

• A strong cryptographic system is difficult to crack

• A system may be considered weak if it allows weak keys, has defects in its design, or is easily decrypted

• Methods: AES (current); DES and 3DES (legacy, no longer recommended)

Integrity: The second major goal of a cryptographic system is providing assurance that a message wasn't modified during transmission.

• Methods: the SHA-2 family (e.g. SHA-256) and SHA-3; MD5 and SHA-1 are the historical choices and are now broken for this purpose. Note that an unkeyed hash sent alongside a message only detects accidental corruption: an attacker who can change the message can recompute the hash. Integrity against an active attacker needs a keyed MAC (e.g. HMAC) or a digital signature.
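Added example for the hashing and integrity slides (not code from the notes): digest sizes of MD5, SHA-1 and SHA-256 via `hashlib`, and a constructed message and key showing that an unkeyed hash shipped with a message is simply recomputed by whoever alters the message, whereas an HMAC over the same message fails verification after tampering. The message, key and tampering rule are constructed for the example.

```python
import hashlib
import hmac

def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest length in bits (MD5 128, SHA-1 160, SHA-256 256)."""
    return hashlib.new(algorithm, data).digest_size * 8

def unkeyed_tag(message: bytes) -> str:
    """Integrity check as the slides describe it: ship a plain hash next to the message."""
    return hashlib.sha256(message).hexdigest()

def verify_unkeyed(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(unkeyed_tag(message), tag)

def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: the tag depends on a secret the attacker does not have."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the comparison itself leaks no timing signal
    return hmac.compare_digest(keyed_tag(key, message), tag)

def tamper_unkeyed(message: bytes, tag: str):
    """Active attacker on the wire: change the amount and recompute the unkeyed hash."""
    forged = message.replace(b"100", b"900")
    return forged, unkeyed_tag(forged)

def tamper_keyed(message: bytes, tag: str):
    """Same attacker against an HMAC: without the key the best she can do is reuse the old tag."""
    forged = message.replace(b"100", b"900")
    return forged, tag

if __name__ == "__main__":
    msg = b"transfer 100 to alice"                 # constructed message
    key = b"constructed-shared-secret-for-demo"    # constructed key, shared by sender and receiver
    print([digest_bits(a, msg) for a in ("md5", "sha1", "sha256")])
    f, t = tamper_unkeyed(msg, unkeyed_tag(msg))
    print("unkeyed hash accepts forgery:", verify_unkeyed(f, t))
    f, t = tamper_keyed(msg, keyed_tag(key, msg))
    print("HMAC accepts forgery:", verify_keyed(key, f, t))
```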

Page 31

Authentication: Authentication is the process of verifying that the sender is who they say they are.

Page 32

Non-Repudiation: Non-repudiation prevents one party from denying actions they carried out. A digital signature provides it: only the holder of the private key could have produced the signature over the message, and anyone with the public key can verify it.

• Certificate authorities (CAs) issue certificates that bind a public key to an identity, so the verifier can trust that the public key used to check the signature really belongs to the sender.

Digital Signature

Page 33

Access Control Models: Access control defines how users and systems communicate. It limits, or controls, access to system resources, including data, and thus protects information from unauthorized access.

MAC (Mandatory Access Control): Mandatory Access Control (MAC) is a static model in which the system enforces a predefined set of access rules. The system administrators establish these parameters (typically security labels such as clearance levels) and associate them with accounts, files, or resources; a resource's owner cannot override them.

DAC (Discretionary Access Control): The Discretionary Access Control (DAC) model allows the owner of a resource to establish privileges on the information they own. This allows the owner to grant or revoke access to individuals or groups of individuals based on the situation (for example, the permission bits and ACLs on a Unix or Windows file system).

RBAC (Role Based Access Control): This model allows a user to perform certain predetermined actions based on the role the user holds in the organization. Permissions are attached to roles rather than to individual users, which keeps privileges aligned with job function and makes least privilege easier to maintain.
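The three models can be contrasted in code. This is an added example, not from the notes, with hypothetical users, roles and labels: MAC is modelled as Bell-LaPadula style label checks (no read up, no write down) that the owner cannot change, DAC as an owner-maintained ACL, and RBAC as permissions attached to roles with deny by default.

```python
from dataclasses import dataclass, field

# MAC: labels are assigned by the system, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "secret": 2, "top-secret": 3}

def mac_allows(subject_clearance: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula confidentiality rules: no read up, no write down. Nobody can
    relabel an object to get around this; only the administrator sets labels."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False

# DAC: the resource owner keeps the ACL and may grant or revoke at will.
@dataclass
class DacResource:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permitted actions

    def grant(self, granter: str, user: str, action: str) -> bool:
        if granter != self.owner:               # discretion belongs to the owner alone
            return False
        self.acl.setdefault(user, set()).add(action)
        return True

    def revoke(self, granter: str, user: str, action: str) -> bool:
        if granter != self.owner:
            return False
        self.acl.get(user, set()).discard(action)
        return True

    def allows(self, user: str, action: str) -> bool:
        return user == self.owner or action in self.acl.get(user, set())

# RBAC: permissions are (resource, action) pairs attached to roles; users hold roles.
ROLE_PERMS = {
    "auditor": {("logs", "read")},
    "operator": {("logs", "read"), ("service", "restart")},
    "admin": {("logs", "read"), ("service", "restart"), ("users", "manage")},
}
USER_ROLES = {"dana": {"auditor"}, "ops1": {"operator"}, "eve": set()}

def rbac_allows(user: str, resource: str, action: str) -> bool:
    """Deny by default: an unknown user or a user with no role gets nothing."""
    return any((resource, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

if __name__ == "__main__":
    print(mac_allows("secret", "top-secret", "read"), mac_allows("internal", "secret", "write"))
    doc = DacResource(owner="alice")
    doc.grant("alice", "bob", "read")
    print(doc.allows("bob", "read"), doc.allows("bob", "write"))
    print(rbac_allows("ops1", "service", "restart"), rbac_allows("dana", "service", "restart"))
```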

Page 34

Security Topologies

VLANs (Virtual Local Area Networks): allow you to create groups of users and systems and segment them on the network, so that traffic between segments has to pass through a router or firewall where it can be controlled.

NAT (Network Address Translation): creates a unique opportunity to assist in the security of a network, since internal addresses are not directly reachable from outside. Originally, NAT was introduced to extend the number of usable Internet addresses. NAT is not a substitute for a firewall: it hides addresses but does not inspect traffic.

Tunneling: Tunneling refers to creating a virtual dedicated connection between two systems or networks by encapsulating one protocol's packets inside another; when the tunnel is encrypted (e.g. IPsec or a TLS-based VPN) it also provides confidentiality across an untrusted network.

Page 35

Risk Concepts

Asset Identification:

• Asset identification is the process in which a company attempts to place a value on the information and systems it has in place

• In some cases, the process may be as simple as counting systems and software licenses

• These types of physical asset evaluations are part of the normal accounting procedures a business must perform routinely

Risk Assessment

In general, you should attempt to identify the costs of replacing stolen data or systems, the costs of downtime, and virtually any risk factor you can imagine.

Page 36

Threat Identification: Implementing a security policy requires that you evaluate the risks of both internal and external threats to the data and network.

Page 38

VietNam Information Security Policies

Articles 224, 225, 226, 226a and 226b of the Vietnam Criminal Code: see appendix

Posted: 14/12/2021, 18:45