
Network Monitoring

1. Real-time => network sniffers
2. Following events using log files and security systems => IDS

IDS Approaches:

1. signature-based - evaluating attacks based on signatures and audit trails,
e.g. a TCP flooding attack signature
2. anomaly-based - monitors abnormal events or traffic patterns that deviate from baseline
values.
- behavior-based is one method

IDS responses:
1. Passive response
Logging
Notification
Shunning
2. Active response
terminating session or process
configuration changes
deception

TPM - stores cryptographic keys, passwords or certificates;
generates the hash key for whole-disk encryption

Hashing - for data integrity

1. SHA-1 - one-way hash, 160-bit hash
2. MD5 - one-way hash, 128-bit hash, faster than SHA-1
3. LANMAN - for authentication
4. NTLM - for authentication

Block cipher - encrypting by blocks/chunks of data
Stream cipher - encrypting one bit or byte at a time

Symmetric algorithms:

DES - block cipher, 56-bit key
Blowfish - 64-bit block cipher;
Twofish is 128-bit block cipher
IDEA - 128-bit key, used in PGP
AES - 128 (default) to 256 bit key
CAST - 40-bit to 128-bit key
3DES - 168-bit key
AES256 - 256-bit key; classified as Top secret
RCx - up to 2,048-bit key

Asymmetric algorithms:

RSA - for encryption and digital signatures, used in SSL, uses prime numbers to generate keys
Diffie-Hellman - for secure key exchange
ECC - like RSA but for smaller devices such as cellphones and wireless devices
El Gamal - used in transmitting digital signatures and key exchange
--------------------

PGP - de facto standard for e-mail encryption, uses both symmetric and asymmetric
encryption
S/MIME - de facto standard for e-mail messages; asymmetric encryption; secure e-mail
communication
Secure Electronic Transfer (SET) - encryption for credit card number transmission
Penetration testing – to actively assess deployed security controls

TCP/IP Model Layers:

Application (http https ftp telnet ssh smtp pop3 imap dns dhcp)
Transport (TCP UDP)
Internet (IP ICMP ARP RARP)
Network Interface (LAN & WAN technologies - PPP ethernet etc.)

IPv4 Classes
Class  Address range
A      1.0.0.0 - 126.0.0.0
B      128.0.0.0 - 191.255.0.0
C      192.0.0.0 - 223.255.255.0
D      224.0.0.0 - 239.0.0.0
E      240.0.0.0 - 255.0.0.0

RFC 1918 (private IP addresses) - RFC = Request for Comments

A => 10.0.0.0 to 10.255.255.255
B => 172.16.0.0 to 172.31.255.255
C => 192.168.0.0 to 192.168.255.255

SYN Flood:
Attacker never sends ACK to server
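As an added example (not part of the original notes), a small tracker that looks for the SYN-flood signature the note describes: handshakes a client starts with a SYN but never completes with its ACK. The packet records are constructed; counting per destination as well as per source is included because flood sources are commonly spoofed, so no single source address need stand out.

```python
# Added example (not part of the original notes): flag the SYN-flood signature
# by tracking TCP handshakes that a client starts (SYN) but never completes
# with its ACK. Packet records are constructed tuples: (src, dst, flags).
from collections import Counter

SAMPLE_PACKETS = [
    # one legitimate, completed three-way handshake
    ("198.51.100.7", "203.0.113.10", "SYN"),
    ("203.0.113.10", "198.51.100.7", "SYN-ACK"),
    ("198.51.100.7", "203.0.113.10", "ACK"),
    # 192.0.2.5 opens three connections and completes none of them
    ("192.0.2.5", "203.0.113.10", "SYN"),
    ("192.0.2.5", "203.0.113.10", "SYN"),
    ("192.0.2.5", "203.0.113.10", "SYN"),
] + [
    # twenty more SYNs, each from a different (constructed) source, no ACKs
    ("192.0.2.%d" % n, "203.0.113.10", "SYN") for n in range(10, 30)
]


def half_open_counts(packets):
    """Return (per_source, per_destination) counters of handshakes left half-open.
    A SYN opens one pending handshake for (src, dst); the client's ACK closes one."""
    pending = Counter()
    for src, dst, flags in packets:
        if flags == "SYN":
            pending[(src, dst)] += 1
        elif flags == "ACK" and pending[(src, dst)] > 0:
            pending[(src, dst)] -= 1
    per_src, per_dst = Counter(), Counter()
    for (src, dst), n in pending.items():
        if n:                       # skip handshakes that were completed
            per_src[src] += n
            per_dst[dst] += n
    return per_src, per_dst


def flood_targets(packets, threshold=10):
    """Destinations with at least `threshold` half-open handshakes. A per-
    destination view is what catches a flood whose sources are all different."""
    _, per_dst = half_open_counts(packets)
    return sorted(dst for dst, n in per_dst.items() if n >= threshold)


if __name__ == "__main__":
    per_src, per_dst = half_open_counts(SAMPLE_PACKETS)
    print("half-open per source:", dict(per_src))
    print("flood targets:", flood_targets(SAMPLE_PACKETS))   # ['203.0.113.10']
```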

Smurf Attack:
Floods a host with ICMP packets, overwhelming it with the packet flood
Ping sent to the broadcast address

Man-in-the-Middle Attack:
Web spoofing
information theft
TCP Session hijacking
Attack methods:
ARP Poisoning
ICMP Redirect
DNS Poisoning

Replay Attack:
Intercepts and retransmits data
reuses authentication tokens
tricks biometric systems

OSI Model Layers:

Application ==> DNS, DHCP, FTP etc.
Presentation ==> SSL, shells
Session ==> NetBIOS, sockets
Transport ==> TCP, UDP
Network ==> IP address; IPsec
Data-link ==> MAC address, bridges, switches
Physical ==> repeaters and hubs

Access Control List:

Black lists & white lists
MAC or network address
Layer 2 or Layer 3

VLANs are broadcast domains = IP subnet

ROUTERS: go between various networks; packet-based networking

IDS = passive
IPS = active
Signature and anomaly based detection methods

Host-based IDS (HIDS) = resides on the host (end point); anti-virus; anti-spyware

Network-based IDS (NIDS) = Cisco 4200; AIP-SSM

Intranet = company private network
Extranet = extending intranet services to corporate partners, typically via VPN connectivity
Perimeter network = DMZ; network between intranet and internet; not always used
DMZ options = screened host; bastion host; three-homed firewall; back-to-back firewall; dead zone

Screened Host: splits DMZ after router
Bastion Host: typically a web server (prone to attack); must be hardened
Three-Homed Firewall:
Back-to-Back Firewall:
Dead Zone: connection between two routers

Benefits of NAC (network access control):

IPsec encryption; two modes - transport and tunnel; secures from the
network layer to the application layer

Common Ports:
NetBIOS 135-139
LDAP 389
TACACS 49
RADIUS 1812
POP3 110
SNMP 161
HTTP 80
IMAP4 143
IPSec 50, 51
SSL 443
FTP 20,21
TFTP 69
CHARGEN 19
NNTP 119
DHCP 67,68
SMTP 25
SSH 22
TELNET 23
DNS 53

RAID Levels:
Parity = redundancy
Striping = multiple disks act as 1, i.e. data is spread between the disks
RAID 0- striping (redundancy, but no fault tolerance)
RAID 1- Mirroring and duplexing
RAID 3- Striping with a Parity disk
RAID 5- Striping with Parity
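As an added example (not part of the original notes), the XOR parity that gives RAID 3 and RAID 5 their redundancy: parity is the XOR of every data block in a stripe, so XOR-ing the surviving blocks with the parity rebuilds any one lost block. The disk contents are constructed sample bytes.

```python
# Added example (not part of the original notes): RAID 3/5 style XOR parity.
# Parity = XOR of all data blocks in a stripe; XOR-ing the survivors with the
# parity recovers a single lost block (data disk or parity disk).
# Disk contents below are constructed sample bytes.

def xor_blocks(blocks):
    """XOR equal-length byte blocks together (this is the parity calculation)."""
    if not blocks:
        raise ValueError("need at least one block")
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("stripe blocks must all be the same size")
    out = bytearray(size)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build_stripe(data_blocks):
    """One stripe: the data blocks followed by their parity block."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild_lost_block(stripe, lost_index):
    """Recover the block at lost_index from the remaining blocks of the stripe.
    Works for exactly one failed disk; a second failure in the same stripe is
    unrecoverable with single parity."""
    survivors = [b for i, b in enumerate(stripe) if i != lost_index]
    return xor_blocks(survivors)


def stripe_is_consistent(stripe):
    """Parity check: XOR of data blocks and parity together must be all zeros."""
    return xor_blocks(stripe) == bytes(len(stripe[0]))


DATA = [b"block-A1", b"block-B1", b"block-C1"]   # constructed 8-byte blocks
STRIPE = build_stripe(DATA)                      # three data disks + one parity disk

if __name__ == "__main__":
    print("parity disk:", STRIPE[-1].hex())
    print("rebuilt disk 1:", rebuild_lost_block(STRIPE, 1))   # b'block-B1'
```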

Alternate Sites:
Hot Site: fully functional, very expensive, fast continuity
Warm Site: systems and servers installed, but not configured
Cold Site: empty room, no equipment, or equipment in boxes, weeks to set up and configure

Fire Extinguisher:
Class A: ordinary combustibles : (water agent)
Class B: flammable liquids (oil, gas, grease) : (CO2 agent)
Class C: Electrical : (halon agent)
Class D: Flammable Metals : (Dry powder agent)

Study up on:
802.11 codes
TEMPEST
Security Models (least privilege etc.)
Study Cryptography
Types of Attacks
Viruses, Trojans, Descriptions

__________________________________________

Method for CIDR:

Chart (top row: last-octet subnet mask value; bottom row: incremental value):

128 192 224 240 248 252 254 255
128 64 32 16 8 4 2 1

example:
200.10.10.9 /30

Subtract 24 from the prefix number: the result is 6, so count over the chart from left to right six
spaces, which leaves us at 252, our subnet mask. The number below the 252 is our
incremental value, so i = 4. Increments start at 0 and then count using the value of i:
0, 4, 8, 12, 16, 20, 24, 28. Our starting number was 9 (the last octet in the IP address). 9 falls
between 8 and 12 in our incremental list, so our range is .8 to .11.

Default subnet masks:

/8  => 255.0.0.0
/16 => 255.255.0.0
/24 => 255.255.255.0
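As an added example (not part of the original notes), the chart method above worked in code for the 200.10.10.9 /30 case, plus the same calculation generalised to any prefix length, including the /8, /16 and /24 default masks, with a cross-check against the standard-library ipaddress module.

```python
# Added example (not part of the original notes): the notes' CIDR chart method
# for /25../32, and the general mask/network/broadcast calculation for any
# prefix, cross-checked against the standard library's ipaddress module.
import ipaddress

MASK_ROW = [128, 192, 224, 240, 248, 252, 254, 255]   # top row of the chart
INCREMENT_ROW = [128, 64, 32, 16, 8, 4, 2, 1]         # bottom row of the chart


def chart_method(ip, prefix):
    """The notes' method: subtract 24 from the prefix and count that many places
    from the left of the chart. Returns (mask octet, increment, first, last)
    for the last octet of the address."""
    places = prefix - 24
    if not 1 <= places <= 8:
        raise ValueError("chart method covers /25 to /32 only")
    mask_octet, inc = MASK_ROW[places - 1], INCREMENT_ROW[places - 1]
    last_octet = int(ip.split(".")[-1])
    first = (last_octet // inc) * inc        # nearest increment at or below it
    return mask_octet, inc, first, first + inc - 1


def subnet_bounds(ip, prefix):
    """General form for any /0 .. /32: (netmask, network, broadcast) as strings."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = addr & mask
    broadcast = network | (mask ^ 0xFFFFFFFF)
    to_dotted = lambda n: ".".join(str(b) for b in n.to_bytes(4, "big"))
    return to_dotted(mask), to_dotted(network), to_dotted(broadcast)


def matches_stdlib(ip, prefix):
    """Cross-check subnet_bounds against ipaddress.ip_network."""
    net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
    expected = (str(net.netmask), str(net.network_address), str(net.broadcast_address))
    return subnet_bounds(ip, prefix) == expected


if __name__ == "__main__":
    print(chart_method("200.10.10.9", 30))     # (252, 4, 8, 11)
    print(subnet_bounds("200.10.10.9", 30))    # ('255.255.255.252', '200.10.10.8', '200.10.10.11')
    for p in (8, 16, 24):                      # the default masks from the notes
        print("/%d => %s" % (p, subnet_bounds("10.20.30.40", p)[0]))
```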

__________________________________________
802.11i = standard for wireless security
