Proxy
a server that acts as an intermediary between a user and the internet, routing traffic on the user's behalf
transparent proxy
intermediates between a user & a web service without requiring client-side configuration
reverse proxy
acts as a single point of entry to a private network, intercepting client requests and forwarding them to the appropriate server
forward proxy
acts as a single point of access from a client network to external networks; hides the client's IP address
CGI proxy
built into a web page & allows users to access content through a search utility within the site
Anonymous Proxy
hides the client's real IP address through a proxy server; the website only sees the proxy's IP address
high anonymous proxy
hides the client’s real IP address AND hides the fact that they’re using a proxy
ARP
maps a device’s IP address to its MAC address on the LAN
ARP poisoning
attacker sends forged ARP messages over a LAN, linking the attacker's MAC address to the IP address in the ARP request
Gratuitous message
an ARP broadcast packet where both the source and destination addresses are the same; used to detect IP conflict
How to defend against ARP poisoning
Network IDS
Host-based IDS
DO NOT use IP-address-based authentication.
IP protocol
a set of rules and params for routing data packets across a network
Teardrop Attack
First packet is sent with the "more fragments" bit set and payload size N
Second packet is sent WITHOUT the "more fragments" bit set
Upon reassembly, OFFSET + PAYLOAD is less than N, leading to overlapping packet fragments
Tiny fragment attack
Unusually small packet fragments are used to breach a firewall’s security filters
Purpose of ICMP
allows hosts to send error reports or control messages
Smurf attack
a type of DoS where an attacker sends an abundance of ICMP echo request packets with a spoofed source address, causing devices on the network to flood the victim with ICMP echo replies
Ping-to-Death
attacker pings the victim with an ICMP packet so large that it has to be fragmented; however, the fragments are malformed.
When the victim receives the packet fragments, it cannot reassemble them, causing a buffer overflow or DoS
Fraggle Attack
attacker sends spoofed UDP echo packets to the broadcast address to overwhelm the victim with response packets
UDP ping-pong (UDP flood attack)
attacker sends a large number of UDP packets to a targeted server on random ports
victim responds with numerous response packets
victim is overwhelmed, using excessive resources and causing DoS
TCP SYN attack
attacker sends an abundance of SYN packets
victim sends an equal abundance of SYN-ACK packets that never get replies
this leaves an abundance of "half-open connections" open, consuming resources
SYN Cookie
defends against SYN attacks by attaching encoded sequence numbers to SYN-ACK packets, then discarding the half-open connection instead of keeping it open
When a legitimate ACK packet arrives carrying the "cookie", the server decodes it and reconstructs the connection state information to establish the server-client connection
TCP RST attack
attacker disrupts an established TCP connection by sending forged TCP RST packets to one or both connection parties
hash
one-way mathematical function computed over the data in a file, creating a unique digital fingerprint
Digital signature
unique cryptographic signature used to verify the authenticity and integrity of a message
IPSec
provides security to the IP and upper layer protocols of an IP packet
Transport Mode (IPSec)
Does not protect the IP header
ONLY protects payload information coming from the transport layer
Tunnel Mode (IPSec)
Applies IPSec security methods to the entire packet, including the header, and adds a new IP header
Typically used in router-to-router, router-to-host, and host-to-router scenarios
AH protocol (Authentication Header protocol)
designed to authenticate the source host and ensure the integrity of the payload carried in IP packets; DOES NOT PROVIDE ENCRYPTION
ESP (Encapsulation Security Payload)
Adds an ESP trailer to the payload, and encrypts both the trailer and the payload
ESP header is added but not encrypted
Authentication data is added to the end of the ESP trailer
VPN
type of private network that provides a private connection via public telecommunications, such as the Internet
Remote-access VPN
used by clients to access the central LAN from a remote location, using VPN client software and a VPN gateway on the LAN
Site-to-site VPN
connects 2 or more LANs over secured public telecommunications
PPTP
fastest VPN protocol
uses Generic Routing Encapsulation (GRE)
Not secure due to weak encryption
easy to set up
available for most operating systems
performance issues on unsteady connections
L2TP
provides stronger encryption and authentication by utilizing the IPSec protocol, paired with the VPN client software
easy to configure
strong encryption and authentication
slow performance due to double authentication
incompatible with NAT routers
IPSec VPN protocol
Utilizes the IPSec protocol to create secure, encrypted connections
Compatible with NAT routers due to IPSec's built-in NAT traversal feature
SSL VPN
leverages secure protocols like HTTPS and TLS to create a secure, encrypted connection between the VPN client and the private network
Pros of VPN
Reduces overall telecom infrastructure (the bulk is provided by the ISP)
Reduces technical maintenance cost
simplifies network topology
Cons of VPN
If the ISP or internet is down, so is the VPN
Central LAN must have a permanent internet connection so that remote clients can connect at any time
VPN may provide users with less bandwidth
Existing network devices may not support VPN transmissions
public key cryptography
uses a pair of keys: a public key to encrypt data, and a private key to decrypt data
Diffie Hellman algorithm
method for two parties to securely establish a shared secret key over an unsecured channel; the parties agree on a public base and modulus, which they use to generate their private and public keys
How do flowbits work in a Suricata rule?
Flowbits allow one rule to set a flag during packet inspection and another rule to check for that flag later.
Used in cases where one packet contains something suspicious and a later packet in the same flow is carrying a malicious payload