Telecommunications and Network Security Concepts for CISSP Exam

by M. L. Srinivasan | December 2009 | Networking & Telephony

The telecommunication and network security domain deals with the security of voice and data communications over local area, wide area, and remote access networks. The focus is on understanding the networking models, such as the Open Systems Interconnection (OSI) and TCP/IP models, which are the most important models that follow a layered approach to networking, as well as the security mechanisms for the Internet, intranets, and extranets in terms of firewalls, routers, and intrusion detection and protection systems.

The telecommunication and network security domain is one of the 10 domains of the Certified Information Systems Security Professional (CISSP) exam.

In this article by M. L. Srinivasan, we will discuss the following topics:

  • Different protocols that are in transport layer, network/internet layer, and link layer in the TCP/IP model
  • Some threats and vulnerabilities that are prevalent to such protocols
  • Common attacks and possible countermeasures
  • Important technologies and the security issues associated with them

Transport layer

  • The transport layer in the TCP/IP model does two things: it packages the data given out by applications into a format that is suitable for transport over the network, and it unpacks the data received from the network into a format suitable for applications.
  • The process of packaging the data received from the applications is known as encapsulation. The output of such a process is known as a datagram.
  • Similarly, the process of unpacking the datagram received from the network is known as abstraction.

The transport section of a protocol stack carries information in the form of datagrams, frames, and bits.

Transport layer protocols

There are many transport layer protocols that carry the transport layer functions. The most important ones are:

  • Transmission Control Protocol (TCP): It is a core Internet protocol that provides reliable delivery mechanisms over the Internet. TCP is a connection-oriented protocol.
  • User Datagram Protocol (UDP): This protocol is similar to TCP, but is connectionless.

A connection-oriented protocol is a protocol that guarantees delivery of datagrams (packets) to the destination application by way of a suitable mechanism, for example, TCP's three-way handshake (SYN, SYN-ACK, ACK). The reliability of datagram delivery by such a protocol is high.

A protocol that does not guarantee the delivery of datagrams, or packets, to the destination is known as a connectionless protocol. These protocols use only one-way communication. The speed of datagram delivery by such protocols is high.

Other transport layer protocols are as follows:

  • Sequenced Packet eXchange (SPX): SPX is a part of the IPX/SPX protocol suite and is used in the Novell NetWare operating system. While Internetwork Packet eXchange (IPX) is a network layer protocol, SPX is a transport layer protocol.
  • Stream Control Transmission Protocol (SCTP): It is a connection-oriented protocol similar to TCP, but it provides facilities such as multi-streaming and multi-homing for better performance and redundancy. It is used in Unix-like operating systems.
  • AppleTalk Transaction Protocol (ATP): It is a proprietary protocol developed for Apple Macintosh computers.
  • Datagram Congestion Control Protocol (DCCP): As the name implies, it is a transport layer protocol used for congestion control. Applications include Internet telephony and video or audio streaming over the network.
  • Fibre Channel Protocol (FCP): This protocol is used in high-speed networking such as Gigabit networking. One of its prominent applications is the Storage Area Network (SAN).

A SAN is a network architecture that is used for attaching remote storage devices, such as tape drives and disk arrays, to a local server. This allows the storage devices to be used as if they were local devices.

In the following sections we'll review the most important protocols—TCP and UDP.

Transmission Control Protocol (TCP)

TCP is a connection-oriented protocol that is widely used in Internet communications. As the name implies, the protocol has two functions. The primary function of TCP is the transmission of datagrams between applications, while the secondary function is the control that is necessary to ensure reliable transmission.

Protocol / Service: Transmission Control Protocol (TCP)

Layer(s): TCP works in the transport layer of the TCP/IP model

Applications: Applications where delivery needs to be assured, such as email, the World Wide Web (WWW), and file transfer, use TCP for transmission

Threats: Service disruption

Vulnerabilities: Half-open connections

Attacks: Denial-of-service attacks such as TCP SYN attacks; connection hijacking such as IP spoofing attacks

Countermeasures: SYN cookies; cryptographic solutions

A half-open connection is a vulnerability in TCP implementations. TCP uses a three-way handshake to establish or terminate connections. Refer to the following illustration:

[Illustration: the TCP three-way handshake between the client (workstation) and the server]

In a three-way handshake, first the client (workstation) sends a request to the server (www.some_website.com). This is known as a SYN request. The server acknowledges the request by sending a SYN-ACK and, in the process, creates a buffer for that connection. The client completes the handshake by sending a final ACK. TCP requires this setup because the protocol needs to ensure the reliability of packet delivery.

If the client does not send the final ACK, then the connection is known as half-open. Since the server has created a buffer for that connection, a certain amount of memory or server resources is consumed. If thousands of such half-open connections are created maliciously, the server resources may be completely consumed, resulting in a denial-of-service to legitimate requests.

TCP SYN attacks work by establishing thousands of half-open connections to consume the server's resources. An attacker can take two actions. First, the attacker, or malicious software, sends thousands of SYNs to the server and withholds the ACK. This is known as SYN flooding. Depending on the network bandwidth and the server resources, the entire resources will be consumed within a span of time, resulting in a denial-of-service. Second, if the source IP is blocked by some means, the attacker, or the malicious software, spoofs the source IP addresses to continue the attack. This is known as SYN spoofing.

SYN attacks, such as SYN flooding and SYN spoofing, can be controlled using SYN cookies computed with cryptographic hash functions. In this method, the server does not create the connection state at the SYN-ACK stage. Instead, it computes a cookie from a hash of the source IP address, source port, destination IP address, destination port, and some random values, according to an algorithm, and sends this cookie in the SYN-ACK. When the server receives the ACK, it verifies the cookie and only then creates the connection.

A cookie is a piece of information, usually in the form of a text file, sent by a server to a client. Cookies are generally stored on the client's computer and are used for purposes such as authentication, session tracking, and session management.
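The following is an added example (not from the article) modelling the SYN cookie mechanism described above: a listener without cookies keeps a bounded table of half-open connections, while a listener with cookies encodes the 4-tuple and a time counter into its initial sequence number with an HMAC and allocates state only when a valid ACK comes back. Server, client and attacker addresses are constructed, and the hash is HMAC-SHA256 with a server-side secret rather than any specific kernel's algorithm.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)  # per-server secret for the cookie MAC (constructed, rotates on restart)


def make_cookie(src_ip, src_port, dst_ip, dst_port, ts, secret=SECRET):
    """Mint a SYN cookie to be sent as the server's initial sequence number (ISN).
    It is a MAC over the 4-tuple plus an 8-bit time counter; the server keeps no state."""
    ts &= 0xFF
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{ts}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return (int.from_bytes(mac[:3], "big") << 8) | ts  # 24 bits of MAC, 8 bits of counter


def verify_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now, secret=SECRET, window=2):
    """Recompute the cookie for the last few counter values; a match proves the
    client really received our SYN-ACK for this exact 4-tuple recently."""
    return any(cookie == make_cookie(src_ip, src_port, dst_ip, dst_port, now - age, secret)
               for age in range(window + 1))


class Listener:
    """Minimal model of a TCP listener: a bounded backlog of half-open connections,
    or SYN cookies instead of any half-open state."""

    def __init__(self, backlog, use_cookies):
        self.backlog, self.use_cookies = backlog, use_cookies
        self.half_open = {}        # 4-tuple -> ISN (only used without cookies)
        self.established = set()
        self.dropped = 0

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        key = (src_ip, src_port, dst_ip, dst_port)
        if self.use_cookies:
            return make_cookie(*key, now)          # nothing allocated per SYN
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                      # backlog full: SYN is refused
            return None
        self.half_open[key] = int.from_bytes(os.urandom(4), "big")
        return self.half_open[key]

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack, now):
        key = (src_ip, src_port, dst_ip, dst_port)
        isn = (ack - 1) & 0xFFFFFFFF              # the ACK acknowledges ISN + 1
        ok = (verify_cookie(isn, *key, now) if self.use_cookies
              else self.half_open.pop(key, None) == isn)
        if ok:
            self.established.add(key)             # connection state is created only now
        return ok


def simulate(use_cookies, flood_size=5000, backlog=256):
    """Flood the listener with spoofed SYNs that never complete, then check whether
    one legitimate client can still finish its handshake."""
    srv = Listener(backlog, use_cookies)
    dst = ("203.0.113.10", 80)                    # constructed server address
    for i in range(flood_size):                   # spoofed sources, ACK withheld
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, *dst, now=0)
    client = ("192.0.2.7", 40000)
    isn = srv.on_syn(*client, *dst, now=1)
    done = isn is not None and srv.on_ack(*client, *dst, isn + 1, now=1)
    return {"legit_completed": bool(done), "half_open": len(srv.half_open),
            "dropped": srv.dropped}
```

Calling `simulate(False)` shows the backlog filled and the legitimate client refused, while `simulate(True)` shows no half-open state at all and the legitimate handshake completing.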

User Datagram Protocol (UDP)

UDP is a connectionless protocol similar to TCP. However, UDP does not guarantee delivery of data packets.

Ping of death refers to sending a large number of ICMP packets to the server in order to crash the system.

Protocol / Service: User Datagram Protocol (UDP)

Layer(s): UDP works in the transport layer of the TCP/IP model

Applications: UDP is predominantly used where the loss of intermittent packets is acceptable, such as video or audio streaming

Threats: Service disruptions

Vulnerabilities: Weak validation

Attacks: UDP flood attacks such as ping of death

Countermeasures: Controlling ICMP access

Pinging is the process of sending an Internet Control Message Protocol (ICMP) ECHO_REQUEST message to servers or hosts to check whether they are up and running. A server or host on the network that is up responds to the ping request; the response is known as an echo.

Network or Internet layer

The Network or Internet layer in the TCP/IP model is for internetworking. This layer has a group of methods, functions, and protocols that facilitate communication between different networks. Communication between networks is achieved through devices known as gateways.

Network/Internet layer protocols

The protocols in this layer primarily carry out the following functions:

  • They pass the outgoing packets to the next layer (data link) through the gateway
  • They pass the incoming packets to the transport layer
  • They provide error detection and diagnostics for the incoming and outgoing packets

Some of the important protocols in this layer are the Internet Protocol (IP), Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), and Internet Protocol Security (IPsec).

The ICMP is used for error and diagnostic functions, and IGMP is used in multicasting.

Multicasting refers to one-to-many communications. For example, a stock exchange may require sending stock price data to multiple groups or an IPTV to multicast to many users at once.

We'll review some of the important concepts in the Internet Protocol (IP), which is used for packet transmission, and in IPsec, which provides authentication and encryption services for IP packets.


Internet Protocol (IP)

IP is a connectionless protocol that is used in packet-switched networks such as the Internet. The primary function of this protocol is to send data from one computer to another.

Protocol / Service: Internet Protocol (IP)

Layer(s): IP works in the network layer of the OSI model and the Internet layer of the TCP/IP model

Applications: The primary application is to send data packets across the network to the destination computer. The computers in such a network are known as hosts. IP is a connectionless protocol that attempts best-effort delivery of packets but does not guarantee it; the Transmission Control Protocol (TCP) manages the reliability of the transmission. Two versions are in use on the Internet: Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)

Threats: Mis-delivery or non-delivery of packets; data corruption; duplicate data

Vulnerabilities: Lack of validation; lack of sequencing

Attacks: Identity theft; hacking

Countermeasures: Transmission Control Protocol (TCP) and Address Resolution Protocol (ARP); IPv6 and IPsec

Internet Protocol version 4 (IPv4) is the widely deployed protocol on the Internet. As the name implies, it is the fourth iteration of the protocol. It uses 32 bits for the address, giving a maximum of 2^32 addresses. The pool of publicly available IPv4 addresses is more or less consumed, and the Internet is moving towards IPv6.

Internet Protocol version 6 (IPv6) is designed as the successor to IPv4. This protocol uses 128 bits for IP addresses and has an address space of 2^128 addresses.

IPsec protocols

IPsec is a suite of protocols created to secure the Internet Protocol (IP). It provides authentication and encryption functions. Compared to upper-layer security protocols such as SSL or TLS, IPsec is independent of applications. It can be used to protect the application and transport layer protocols.

IPsec uses the following three protocols for various security functions:

  • Internet Key Exchange (IKE): It is used to negotiate protocols and algorithms, and also to generate keys for encryption and authentication
  • Authentication Header (AH): It is used to provide data origin authentication and integrity assurance for datagrams
  • Encapsulating Security Payload (ESP): It is used to support encryption-only and authentication-only configurations.

Protocol / Service: IPsec

Layer(s): IPsec works in the network layer of the OSI model and the Internet layer of the TCP/IP model

Applications: The primary functions include authentication and encryption. This protocol suite is designed to protect transport layer protocols such as TCP and UDP. The Virtual Private Network (VPN) is one of the key applications of IPsec

Threats: Spoofing; unauthorized connections

Vulnerabilities: Weak authentication; lack of connection checks

Attacks: Man-in-the-middle attacks; session hijacking

Countermeasures: Proper IPsec policies; additional IPsec connection checks

A Virtual Private Network (VPN) is a virtual network that is set up over a larger public network such as the Internet. A VPN uses a concept known as "tunneling" to route the data, and IPsec protocols for end-to-end encryption.

A tunnel in a computer network, such as a VPN, is a secure path or route for datagrams to pass through an insecure or untrusted network. IPsec, the Point-to-Point Tunneling Protocol (PPTP), and the Layer 2 Tunneling Protocol (L2TP) are some examples of tunneling protocols.

Link layer

The methods, protocols, and specifications that are used to link hosts, or nodes, in a network are grouped as a link layer. A link layer operates close to physical layer components.

Link layer protocols

The following protocols operate on the link layer:

  • Address Resolution Protocol (ARP): It is used for resolving the hardware address for a given IP address
  • Reverse Address Resolution Protocol (RARP): It is used to obtain an IP address from a hardware address
  • Neighbor Discovery Protocol (NDP): It is used to find neighbor nodes in an IPv6 network.

Address Resolution Protocol (ARP)

This protocol is a standard method for finding hardware addresses from network layer addresses such as Internet Protocol (IP) addresses.

Protocol / Service: Address Resolution Protocol (ARP)

Layer(s): ARP works in the network layer of the OSI model and the link layer of the TCP/IP model

Applications: The primary application of ARP is to translate IP addresses to Ethernet Media Access Control (MAC) addresses. The primary purpose of this protocol is to resolve hardware addresses so that communication can be established between two computers within the same network or over the Internet

Threats: Sniffing; spoofing

Vulnerabilities: Unsolicited ARP reply

Attacks: ARP poisoning; ARP Poison Routing (APR); denial-of-service (DoS)

Countermeasures: MAC to IP mapping

ARP poisoning refers to overwriting existing entries in the ARP table with malicious addresses.

A Media Access Control (MAC) address is a unique hardware address that is assigned to a Network Interface Card (NIC), or network adapter.

Border Gateway Protocol (BGP)

This protocol is a type of "routing protocol" that is used in the Internet. The primary purpose is to decentralize Internet routing.

Protocol / Service: Border Gateway Protocol (BGP)

Layer(s): BGP works in the network/data link layer of the TCP/IP model

Applications: Internet Service Providers (ISPs) predominantly use this protocol for routing data and information between them

Threats: Mis-delivery or non-delivery of packets; misuse of network resources; network congestion; packet delays; violation of local routing policies

Vulnerabilities: Misconfigured routers; software vulnerabilities

Attacks: Spoofing; message injection

Countermeasures: Multi Protocol Label Switching (MPLS)

Message or data injection refers to injecting arbitrary code into a system. Such attacks succeed where input validation is weak.

Multi Protocol Label Switching (MPLS) is often referred to as a Layer 2.5 protocol, as it lies between Layers 2 and 3 of the OSI model. It provides greater reliability and support for circuit and packet switching based clients.

Ethernet

Ethernet is a family of frame-based networking technologies that is used in Local Area Networks (LANs).

Protocol / Service: Ethernet

Layer(s): Ethernet operates in the data link layer and the physical layer of the TCP/IP model

Applications: Ethernet initially used co-axial cables for networking. Present-day technologies include hubs or switches and twisted pair cabling. Ethernet technologies have predominantly replaced other LAN standards such as token ring, FDDI, and ARCnet

Threats: Spoofing

Vulnerabilities: Reuse of frame buffers

Attacks: Denial-of-service (DoS); eavesdropping

Countermeasures: Segmentation; filtering; encryption

Summary

In this article, we focused on the transport, network, and link layers of the TCP/IP model. We discussed the different layers and their associated protocols, and for each protocol covered its applications, threats, vulnerabilities, attacks, and countermeasures. We started with the transport layer and the protocols TCP and UDP that operate there. It is important to note that TCP is used where the reliability of datagram delivery is important, and UDP where the speed of datagram delivery is important.

We moved on to discuss the Internet Protocol (IP), a connectionless protocol that operates in the Internet layer. This protocol attempts best-effort delivery of data packets across the network. In fact, TCP/IP is named after these two important protocols: TCP and IP. We also discussed the all-important IPsec, which provides end-to-end security and works in the network layer. Remember that IPsec is used to assure security, in the areas of authentication and encryption, for IP-based communications.

We also discussed other protocols in the TCP/IP suite, such as the Address Resolution Protocol (ARP), which is used to resolve IP addresses, and the Border Gateway Protocol (BGP), a routing protocol operating in the link layer.

About the Author

M. L. Srinivasan

Popularly known as MLS, the author is an Information Technology and Information Security professional with about 18 years' experience in various domains of IT such as software programming, hardware troubleshooting, networking technologies, systems administration, security administration, and information security-related consulting, audit, and training. MLS has been an avid trainer throughout his career and has developed many short-term and long-term training programs. One such program is "Certified Vulnerability Assessor (cVa)", which is accredited by a leading ISO certifying agency. He is a prolific speaker and trainer and has presented many papers related to network security at international conventions and conferences.

He was the Technical Director of Secure Matrix, an India-based company that provides security consulting and audits. During his tenure in the last four years, he led the team of consultants to implement many ISO 27001-certification projects across India, the Middle East, and Africa.

He is a specialist IT and IS auditor with Det Norske Veritas (DNV), India region. He has performed many quality and information security audits to hundreds of medium and large organizations in the past 10 years.

He is at present the Chairman and CEO of ChennaiNet, a technology company focused on IT and IS-related product development, services, and training.
