![Page 1: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/1.jpg)
Information Systems Security
Telecommunications
Domain #7
![Page 2: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/2.jpg)
OSI Reference Model
– Physical
– Data Link
– Network
– Transport
– Session
– Presentation
– Application
![Page 3: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/3.jpg)
Routing
Dynamic
– RIP I
– RIP II
– OSPF
– BGP
![Page 4: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/4.jpg)
Cabling Types - Coaxial
Copper wire insulated by braided metallic ground shield
Less vulnerable to EMI
Two main types
– 10BASE2 (Thinnet) (185 meters)
– 10BASE5 (Thicknet) (500 meters)
Mainly used in one-way networks (TV)
Two-way networks required special equipment
Larger minimum arc radius than TP
![Page 5: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/5.jpg)
![Page 6: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/6.jpg)
Cabling Type - TP
Copper-based
Two major types
– UTP
  Least secure
  Susceptible to EMI, cross-talk, and eavesdropping
  Less secure than fiber or coaxial
  Most commonly used today
– STP
  Extra outer foil shielding
![Page 7: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/7.jpg)
Cabling Type - Fiber
Data travels as photons
Higher speed, less attenuation, more secure
Expensive and harder to work with
Two major types
– Multimode: less expensive, with slower speed
– Single mode: faster speeds available, but more expensive and more delicate
![Page 8: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/8.jpg)
Signal Issues
Attenuation
– Interference from environment
– Cable runs are too long
– Poor quality cable
Cross Talk
– Signals radiate from a wire and interfere with other wires
– Data corruption
– More of a problem with UTP
![Page 9: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/9.jpg)
Transmission Types
Analog
– Carrier signal used to move data
– Signal works at different frequencies
– Used in broadband networks
Digital
– Discrete units of voltage
– Moves data in binary representation
– Cleaner signal compared to analog
![Page 10: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/10.jpg)
Encoding Techniques
| Parameter | AM | FM | Digital |
|---|---|---|---|
| Signal-to-noise ratio | Low | Moderate | High |
| Cost | Moderate | Moderate | High |
| Performance over time | Moderate | Excellent | Excellent |
| Installation | Adjustments required | No adjustments | No adjustments |
![Page 11: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/11.jpg)
Synchronous or Asynchronous
Synchronous
– Prior agreement of data transmission rules
– Sending system sends a clocking pulse
– Start and stop bits are not required
– T-lines and optical lines use synchronous transmission
Asynchronous
– Must use start/stop bits
– Dial-up connections use asynchronous transmission
![Page 12: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/12.jpg)
Broadband or Baseband
Baseband
– Transmission medium uses only one channel
– Digital signaling
– Used over TP or coax
Broadband
– Multiple channels
– Transmits more data at one time
– Can use analog signaling
– Used over coax or fiber (at 100 Mbps or more)
– Can carry video, audio, data, and images
![Page 13: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/13.jpg)
Plenum Cable
Polyvinyl chloride can give off dangerous chemicals if burned
Plenum-rated cable is made of safe fluoropolymers
Should be used in dropped ceilings, raised floors, and other ventilation areas
![Page 14: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/14.jpg)
Number of Receivers
Unicast
– One system communicates to one system
Multicast
– One system communicates to many systems
– Class D addresses are dedicated to this
– “Opt-in” method (webcasts, streaming video)
Broadcast
– One system communicates to all systems
– Destination address contains specific values
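The "specific values" in a broadcast destination and the Class D range for multicast can be checked in a few lines. The following is an added example, not part of the slide deck; the subnet and addresses it uses are constructed inputs.

```python
import ipaddress

# Added example (not from the slides): classify an IPv4 destination as unicast,
# multicast, or broadcast. The subnet and addresses used below are constructed.

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")  # "all ones", never routed


def is_class_d(addr: str) -> bool:
    """Class D (multicast) addresses start with bits 1110: first octet 224 through 239."""
    first_octet = int(addr.split(".")[0])
    return 224 <= first_octet <= 239


def directed_broadcast(cidr: str) -> str:
    """Subnet broadcast address: network bits unchanged, every host bit set to 1."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(ipaddress.IPv4Address(int(net.network_address) | int(net.hostmask)))


def classify_destination(dst: str, local_cidr: str) -> str:
    """Decide how many receivers a frame addressed to `dst` has on the subnet `local_cidr`."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST or str(addr) == directed_broadcast(local_cidr):
        return "broadcast"   # every host on the segment
    if is_class_d(dst):
        return "multicast"   # hosts that joined the group
    return "unicast"         # one host


if __name__ == "__main__":
    subnet = "192.168.10.77/24"   # constructed: the receiving host's interface
    for dst in ("192.168.10.5", "239.1.2.3", "192.168.10.255", "255.255.255.255"):
        print(dst, "->", classify_destination(dst, subnet))
```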
![Page 15: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/15.jpg)
Types of Networks
Local Area Network (LAN)
– Limited geographical area
– Ethernet and Token Ring
Metropolitan Area Network (MAN)
– Covers a city or town
– SONET, FDDI
Wide Area Network (WAN)
– ATM, Frame Relay, X.25
![Page 16: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/16.jpg)
Network Terms
Internet
– Network of networks providing a communication infrastructure
– The web runs on top of this Internet infrastructure
Intranet
– Employs Internet technology for internal use: HTTP, web browsers, TCP/IP
![Page 17: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/17.jpg)
Network Terms
Extranet
– Intranet-type network that allows specific entities to communicate
– Usually business partners and suppliers
– B2B networks
– Shared DMZ area or VPN over the Internet
![Page 18: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/18.jpg)
Network Configuration
DMZ
– Network segment that sits between the protected internal network and the external (non-trusted) network
– Creates a buffer zone
– Systems in the DMZ will be the first to come under attack and must be properly fortified
![Page 19: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/19.jpg)
Physical Layer
Network Topologies
– Physical connection of systems and devices
– Architectural layout of the network
– Choice determined by the higher-level technologies that will run on it
– Types: Bus, Ring, Star, Mesh
![Page 20: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/20.jpg)
BUS
Nodes are connected to a backbone through drops
Linear bus – one cable with no branches
Tree – network with branches
Easy to extend
Single node failure affects ALL participants
Cable is the single point of failure
![Page 21: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/21.jpg)
Ring
Interconnection of nodes in a circle
Each node is dependent upon the physical connection of the upstream node
Data travels unidirectionally
One node failure CAN affect surrounding nodes
Used more in smaller networks
![Page 22: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/22.jpg)
Star
All computers are connected to central device
Central device is a single point of failure
No node-to-node dependencies
![Page 23: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/23.jpg)
Mesh
Network using many paths between points
Provides transparent rerouting when links are down
High degree of fault tolerance
Partial Mesh – not every link is redundant
– Internet is an example
Full Mesh – all nodes have redundancy
![Page 24: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/24.jpg)
Media Access
Dictates how a system will access the media
Frames packets with specific headers
Different media access technologies
– CSMA
– Token Ring
– Polling
Protocols within the data link layer
– SLIP, PPP, L2F, L2TP, FDDI, ISDN
![Page 25: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/25.jpg)
Carrier Sense Multiple Access
CSMA/CD (Collision Detection)
– Monitors the line to know when it is free
– When the cable is not busy, data is sent
– Used in Ethernet
CSMA/CA (Collision Avoidance)
– Listens to determine if the line is busy
– Sends out a warning that a message is coming
– All other nodes go into waiting mode
– Used in 802.11 WLANs
![Page 26: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/26.jpg)
Wireless Standards (802.x)
802.11 – 2.4 GHz range at 1-2 Mbps
802.11b – 2.4 GHz up to 11 Mbps
802.11a – 5 GHz up to 54 Mbps
802.11g – 2.4 GHz up to 54 Mbps
802.11i – Security protocol (replaces WEP)
802.15 – Wireless PANs
802.16 – Wireless MANs
![Page 27: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/27.jpg)
Access Points
Connects a wireless network to a wired network
Devices must authenticate to the AP before gaining access to the environment
AP works on a specific frequency that the wireless device must “tune itself” to
![Page 28: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/28.jpg)
Service Set ID (SSID)
WLANs can be logically separated by using subnet addresses
Wireless devices and APs use SSID when authenticating and associating
Should not be considered a security mechanism
![Page 29: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/29.jpg)
Authenticating to the AP
Station sends probe to all channels looking for the closest AP
AP will respond with the necessary information and a request for credentials
If a WEP key is required, the AP sends a challenge to the device; the device encrypts it with the key and sends it back
If no WEP key is required, the AP could request the SSID value and MAC value
![Page 30: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/30.jpg)
Wired Equivalent Privacy (WEP)
Protocol used to encrypt traffic for all IEEE wireless standards
Riddled with security flaws
Improper implementation of security mechanisms
No randomness (uses the same password)
No Automated Dynamic Key Refresh Method (DKRM); requires manual refresh
![Page 31: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/31.jpg)
More WEP Woes
Small initialization vector values
– Uses a 24-bit value
– Exhausts randomness in as little as 3 hours
Uses a stream cipher (RC4)
No data integrity
Uses XORs – flip a bit in the ciphertext and the corresponding bit in the plaintext is flipped
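The three WEP weaknesses listed on the last two slides (a 24-bit IV that runs out, keystream reuse under the same key, and XOR encryption with no keyed integrity check) can all be shown with a toy stream cipher. The following is an added example and is not code from the slides; it does not reproduce RC4 or WEP's key schedule. A SHA-256 counter construction stands in for the keystream generator (an assumption), which is enough because every property demonstrated follows only from ciphertext = plaintext XOR keystream. The key, MAC key, IVs and messages are constructed.

```python
import hashlib
import hmac

# Added example, not from the slides. A SHA-256 counter stands in for RC4 as the
# keystream generator (assumption). What is faithful to WEP is the XOR structure:
# flipping a ciphertext bit flips the same plaintext bit, and nothing keyed notices.

IV_BITS = 24                        # WEP's IV length
KEY = b"constructed-demo-key"       # constructed shared key
MAC_KEY = b"constructed-mac-key"    # constructed key for the added integrity check


def keystream(key: bytes, iv: int, length: int) -> bytes:
    """Expand (key, iv) into `length` bytes; the same (key, iv) always yields the same bytes."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv.to_bytes(3, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_crypt(key: bytes, iv: int, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def flip_ciphertext_byte(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Modify one ciphertext byte in transit (no key needed)."""
    c = bytearray(ciphertext)
    c[offset] ^= mask
    return bytes(c)


def demo_bit_flip() -> bytes:
    """What the receiver decrypts after one ciphertext byte was altered on the air."""
    ct = xor_crypt(KEY, 0x000001, b"PAY 100")
    tampered = flip_ciphertext_byte(ct, 4, 0x08)   # '1' (0x31) XOR 0x08 = '9' (0x39)
    return xor_crypt(KEY, 0x000001, tampered)      # decrypts to b"PAY 900" without any error


def tag(plaintext: bytes) -> bytes:
    """Keyed integrity check (HMAC-SHA256): the protection WEP does not have."""
    return hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()


def demo_integrity_check() -> tuple:
    """(verification result for the untouched frame, result for the tampered frame)."""
    plaintext = b"PAY 100"
    t = tag(plaintext)
    ct = xor_crypt(KEY, 0x000002, plaintext)
    tampered = flip_ciphertext_byte(ct, 4, 0x08)
    untouched_ok = hmac.compare_digest(tag(xor_crypt(KEY, 0x000002, ct)), t)
    tampered_ok = hmac.compare_digest(tag(xor_crypt(KEY, 0x000002, tampered)), t)
    return untouched_ok, tampered_ok


def keystream_reuse_leaks_xor() -> bool:
    """Same key and IV twice: c1 XOR c2 equals p1 XOR p2, the keystream cancels out."""
    p1, p2 = b"attack at dawn", b"retreat at ten"      # constructed, equal length
    c1, c2 = xor_crypt(KEY, 0x0000FF, p1), xor_crypt(KEY, 0x0000FF, p2)
    xor_c = bytes(a ^ b for a, b in zip(c1, c2))
    xor_p = bytes(a ^ b for a, b in zip(p1, p2))
    return xor_c == xor_p


def iv_space() -> int:
    """Number of distinct IV values a 24-bit field can carry."""
    return 2 ** IV_BITS


def hours_to_exhaust_ivs(frames_per_second: float) -> float:
    """Time until every IV value has been used once at the given frame rate."""
    return iv_space() / frames_per_second / 3600


if __name__ == "__main__":
    print("tampered frame decrypts to:", demo_bit_flip())
    print("HMAC verdict (untouched, tampered):", demo_integrity_check())
    print("keystream reuse exposes p1 XOR p2:", keystream_reuse_leaks_xor())
    print("hours to exhaust IVs at 1500 frames/s: %.1f" % hours_to_exhaust_ivs(1500))
```

At 1,500 frames per second the 16,777,216 IV values are used up in about 3.1 hours, which is where the "as little as 3 hours" figure on the slide comes from; after that, IVs repeat and the keystream-reuse relation applies. The HMAC in the example is what later standards add on top of encryption: with it, the altered frame is rejected instead of being decrypted to a plausible but wrong message.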
![Page 32: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/32.jpg)
Wireless Application Protocol (WAP)
Requires a different protocol stack than TCP/IP
WAP allows wireless devices to access the Internet
Provides functions at each of the OSI layers similar to TCP/IP
Founded in 1997 by cell phone companies
![Page 33: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/33.jpg)
Wireless Transport Layer Security
Security layer of WAP
Provides privacy, integrity, and authentication for WAP applications
Data encrypted with WTLS must be decrypted and re-encrypted with SSL or TLS
![Page 34: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/34.jpg)
Common Attacks
Eavesdropping on traffic and spoofing
Erecting a rogue AP
Man-in-the-middle
Unauthorized modification of data
War driving
Cracking WEP
– Birthday attacks
– Weak key attacks (AirSnort, WEPCrack)
![Page 35: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/35.jpg)
War Driving
Necessary components
– Antenna (omnidirectional is best)
– Sniffers (TCPDump, Ethereal)
– NetStumbler, AirSnort, or WEPCrack
NetStumbler finds APs and logs
– Network name
– SSID
– MAC
– Channel ID
– WEP (yes or no)
![Page 36: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/36.jpg)
Wireless Countermeasures
Enable WEP
Change the default SSID and don’t broadcast it
Implement additional authentication
Control the span of the radio waves
Place the AP in a DMZ
Implement a VPN for wireless stations
Configure the firewall for known MAC and IP addresses
![Page 37: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/37.jpg)
TCP/IP Suite
TCP – connection oriented transport layer protocol that provides end-to-end reliability
IP – connectionless network layer protocol that provides the routing function
Includes other secondary protocols
![Page 38: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/38.jpg)
Port and Protocol Relations
Well-known port numbers are 0-1023
– FTP is 20 and 21
– SMTP is 25
– SNMP is 161
– HTTP is 80
– Telnet is 23
– HTTPS is 443
Source port is usually a high dynamic number, while the destination port is usually under 1024
![Page 39: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/39.jpg)
Address Resolution Protocol (ARP)
Maps the IP address to the MAC address
Data link layer understands MAC, not IP
Element in man-in-the-middle attacks
– Intruder spoofs its MAC address against the destination’s IP address in the ARP cache
Countermeasures
– Static ARP, active monitoring, and IDS to detect anomalies
![Page 40: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/40.jpg)
ARP Poisoning
Inserts a bogus IP-to-MAC address mapping in a remote system
Misdirects traffic to the attacker’s computer
Ideal scenario for a man-in-the-middle attack
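The countermeasures on the ARP slide ("static ARP, active monitoring, and IDS to detect anomalies") come down to watching ARP replies for mappings that change. The following is an added example, not code from the slides: a small detector run over a constructed list of ARP reply records. It raises an alert when an IP's MAC differs from a pinned static entry, when an IP's MAC changes from what was seen earlier, and when a single MAC claims more than one IP. The timestamps, addresses and MACs are constructed.

```python
from collections import defaultdict

# Added example, not from the slides. Sample ARP replies as a monitor might record
# them: (time, sender IP, sender MAC). All values are constructed.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),  # a workstation
    ("10:00:05", "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, unchanged
    ("10:00:09", "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    ("10:00:10", "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation
]

# Constructed static ARP table: the one entry an administrator pinned (the gateway).
STATIC_ARP = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_anomalies(replies, static_table=None):
    """Return a list of (time, alert_type, ip, mac) for the three anomaly kinds described."""
    static_table = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    seen = {}                      # ip -> last MAC observed
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_table and static_table[ip] != mac:
            alerts.append((ts, "static-mismatch", ip, mac))
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip-mac-changed", ip, mac))
        seen[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for ts, kind, ip, mac in detect_arp_anomalies(SAMPLE_ARP_REPLIES, STATIC_ARP):
        print(f"{ts} {kind:24s} ip={ip} mac={mac}")
```

The first three records produce nothing; the last two produce four alerts. The static-table check is the strongest of the three because it does not depend on having seen the legitimate mapping first, which is why pinning the gateway entry is the usual minimum.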
![Page 41: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/41.jpg)
Internet Control Message Protocol (ICMP)
Status and error messaging protocol
Ping is an example
Used by hackers for host enumeration
Redirects traffic by sending bogus ICMP messages to a router
![Page 42: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/42.jpg)
Simple Network Management Protocol (SNMP)
Master and agent model
Agents gather status information about network devices
Master polls agents and provides an overall view of network status
Runs on ports 161 and 162
![Page 43: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/43.jpg)
Simple Mail Transfer Protocol (SMTP)
Transmits mail between different mail servers
Security issues with mail servers
– Improperly configured mail relay
– Sendmail functions
![Page 44: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/44.jpg)
Other Protocols
FTP
TFTP
Telnet
![Page 45: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/45.jpg)
Repeater Device
Works at the physical layer
Extends a network
Helps with attenuation
No intelligence built in
![Page 46: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/46.jpg)
Hub Devices
Works at the physical layer
Connects several systems and devices
Also called multipoint repeaters/concentrators
All data is broadcast
No intelligence
![Page 47: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/47.jpg)
Bridge Device
Functions at the data link layer
Extends a LAN by connecting similar or dissimilar LANs
Filtering capabilities
Uses the MAC address
Forwards broadcast data
Transparent – Ethernet
Source Routing – Token Ring
![Page 48: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/48.jpg)
Switch Device
Transfers a connection from one circuit to another
Faster than bridges
Originally made decisions based on MAC
Major functionality takes place at the Data Link Layer
Newer switches work at the Network layer and use IP addresses
![Page 49: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/49.jpg)
Virtual LAN (VLAN)
Logical containers used to group users, systems, and resources
Does not restrict administration based upon the physical location of device
Each VLAN has its own security policy
Used in switches
Can be static or dynamic
![Page 50: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/50.jpg)
Router Device
Works at the network layer
Can connect similar or dissimilar networks
Blocks broadcasts
Uses routing tables
Bases decisions on IP addresses
Can work as a packet filtering firewall with the use of Access Control Lists
![Page 51: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/51.jpg)
Gateway Device
Translates different protocols or software formats
Mail gateways – allow different mail applications to communicate
Data gateways – allow heterogeneous clients and servers to communicate
Security gateways – firewalls and perimeter security devices
![Page 52: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/52.jpg)
Bastion Host Device
Gateway between an internal network and an external network; used for security
Hardened system
– Disable unnecessary accounts
– Disable unnecessary services
– Disable unnecessary subsystems
– Remove administrative tools
– Up to date with patches and fixes
All systems in the DMZ should be Bastion Hosts
![Page 53: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/53.jpg)
Firewall Characteristics
Generation 1 – Packet Filtering
Generation 2 – Proxy
Generation 3 – Stateful
Generation 4 – Dynamic Packet Filtering
Generation 5 – Kernel Proxies
All provide transparent protection to internal users
![Page 54: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/54.jpg)
Packet Filtering
Simplest and least expensive
Screens with a set of ACLs
Referred to as a Layer 3 device
Access depends on network and transport layer information
Best in low-risk environments
1st generation firewall
![Page 55: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/55.jpg)
Circuit Level Proxy
Makes access decisions based on network and transport layer information
Not application or protocol dependent
More protection than a packet filter
SOCKS is the most commonly used
Hides information about the network they protect
2nd generation firewall
![Page 56: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/56.jpg)
Application Layer Proxy
Access decision is based on the data payload
Must understand the command structure of the payload
Provides a high level of protection
Can filter application-specific commands
Logs user activity
Requires manual configuration of each client computer
2nd generation firewall
![Page 57: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/57.jpg)
Stateful Firewall
Makes access decisions based on IP addresses, protocol commands, historical comparisons, and contents of packet
Uses a state engine and state table
Monitors connection-oriented and connectionless protocols
Expensive and complex to administer
3rd generation firewall
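The difference between the 1st-generation packet filter (header fields against an ACL) and the 3rd-generation stateful firewall (a state table consulted before the ACL) is easiest to see by running both over the same traffic. The following is an added example, not code from the slides or from any firewall product: a first-match ACL evaluator with an implicit deny, and a minimal stateful engine that records outbound TCP connection starts and admits only replies that belong to them. The rules, addresses and packets are constructed; a real state table would also age entries out and track more of the TCP handshake.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the slides: a stateless packet filter beside a stateful engine,
# both applied to constructed packets. Rules and addresses are made up for the demo.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


def rule_matches(rule, pkt: Packet) -> bool:
    """A rule is (action, src_net, sport, dst_net, dport); 'any' matches every port."""
    _, src_net, sport, dst_net, dport = rule
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
            and sport in ("any", pkt.sport)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
            and dport in ("any", pkt.dport))


def stateless_decision(acl, pkt: Packet) -> str:
    """1st generation: first matching rule wins; no match is the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"


# A stateless filter sees only headers, so to let web replies back in it has to keep a
# standing hole open: anything from source port 80 toward any internal port.
STATELESS_ACL = [
    ("allow", "10.0.0.0/8", "any", "0.0.0.0/0", 80),   # internal clients to web servers
    ("allow", "0.0.0.0/0", 80, "10.0.0.0/8", "any"),   # replies from any web server
]

# The stateful engine needs only the outbound rule; replies are matched in the state table.
STATEFUL_ACL = [("allow", "10.0.0.0/8", "any", "0.0.0.0/0", 80)]


class StatefulFirewall:
    """3rd generation: remembers connections it has admitted and judges replies by that memory."""

    def __init__(self, acl):
        self.acl = acl
        self.table = set()   # 5-tuples of connections seen to start

    def decision(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.table or reverse in self.table:
            return "allow"                       # part of a tracked connection
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"                        # not a connection start and no state for it
        if stateless_decision(self.acl, pkt) == "allow":
            self.table.add(key)                  # admit and remember the new connection
            return "allow"
        return "deny"


# Constructed traffic: a normal web request and its reply, then an unsolicited inbound
# packet whose source port happens to satisfy the stateless reply rule.
P_OUT = Packet("10.1.1.5", 40000, "203.0.113.10", 80, syn=True)
P_REPLY = Packet("203.0.113.10", 80, "10.1.1.5", 40000, ack=True)
P_UNSOLICITED = Packet("198.51.100.7", 80, "10.1.1.9", 3389, ack=True)


def compare() -> dict:
    """Verdicts of both designs on the three packets, in order."""
    fw = StatefulFirewall(STATEFUL_ACL)
    packets = (P_OUT, P_REPLY, P_UNSOLICITED)
    return {
        "stateless": [stateless_decision(STATELESS_ACL, p) for p in packets],
        "stateful": [fw.decision(p) for p in packets],
    }


if __name__ == "__main__":
    print(compare())
```

Both designs pass the request and its reply. The stateless filter also passes the third packet, because its reply rule cannot tell a genuine reply from anything else carrying source port 80; the stateful engine denies it because no tracked connection matches. That is the practical meaning of "access depends on network and transport layer information" versus "uses a state engine and state table".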
![Page 58: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/58.jpg)
Dynamic Packet Filtering Firewalls
Combination of application proxies and state inspection firewalls
Dynamically changes filtering rules based on several different factors
May examine the contents and not just the header of packets
Decisions based on history and admin rules
4th generation firewall
![Page 59: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/59.jpg)
Firewall Placement
Segments internal network subnets and sections to enforce the security policy
Acts as a ‘choke point’ between trusted and untrusted entities
Creates a DMZ
Could use screened host, dual-homed, or screened subnet
![Page 60: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/60.jpg)
Screened Host
Usual configuration is a router filtering for a firewall
Reduces the amount of traffic the firewall has to work with
Screening device is a filtering router
Screened host is the firewall
![Page 61: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/61.jpg)
Dual Homed
Two or more interfaces
One interface for each network
Allows one firewall to create more than one DMZ
Forwarding and routing need to be turned off, or packets would not be inspected by the firewall software
All inbound traffic is directed to the Bastion Host, then proxied, and passed to the 2nd router
![Page 62: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/62.jpg)
Screened Subnet
Buffer zone is created by implementing two routers or two firewalls, thus creating a single DMZ
Provides the most protection of the three architectures, because three devices must be compromised before an attacker can get through to the internal network
![Page 63: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/63.jpg)
SLIP Dialup Protocol
Serial Line Internet Protocol
Moves IP data over serial lines
Largely replaced by PPP
SLIP does not provide
– Header and data compression
– Packet sequencing
– Authentication features
– Classless IP addressing
![Page 64: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/64.jpg)
PPP Dial Up Protocol
Point-to-Point Protocol
Moves digital data over telecommunications lines
Full duplex protocol
Can use synchronous and asynchronous transmission
Authentication through
– PAP
– CHAP
– EAP
![Page 65: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/65.jpg)
Authentication Protocols
Password Authentication Protocol (PAP)
– Authenticates remote users
– Credentials are sent in plain text
Challenge Handshake Authentication Protocol (CHAP)
– Authenticates remote users
– Encrypts usernames and passwords
– Client uses the user’s password to encrypt the challenge
– Protects against man-in-the-middle attacks
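To see what "credentials are sent in plain text" versus "client uses the user's password to encrypt the challenge" means on the wire, here is an added example of both exchanges; it is not code from the slides. The CHAP response is computed as MD5(identifier || secret || challenge), which is the construction RFC 1994 specifies; the user name, secret, identifier and the fixed challenge used for the demonstration are constructed. The `wire` list is what an eavesdropper on the serial link would capture.

```python
import hashlib
import hmac
import os

# Added example, not from the slides. User names and secrets are constructed;
# the CHAP response follows RFC 1994: MD5(identifier || secret || challenge).

SECRETS = {"alice": b"correct horse battery staple"}   # server-side store (constructed)


# --- PAP: the credential itself crosses the link ---
def pap_request(user: str, password: bytes) -> dict:
    """What the client sends; anyone on the link sees the password as-is."""
    return {"user": user, "password": password}


def pap_verify(request: dict) -> bool:
    return SECRETS.get(request["user"]) == request["password"]


# --- CHAP: only a hash of (secret + fresh challenge) crosses the link ---
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored secret and compare in constant time."""
    secret = SECRETS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_chap(user: str, client_secret: bytes, challenge=None):
    """Both sides of one exchange. Returns (accepted, wire); wire is the eavesdropper's view."""
    identifier = 0x2A                                        # constructed; increments per challenge in PPP
    challenge = challenge if challenge is not None else os.urandom(16)
    wire = [("server->client", "CHALLENGE", identifier, challenge)]
    response = chap_response(identifier, client_secret, challenge)
    wire.append(("client->server", "RESPONSE", identifier, response))
    return chap_verify(user, identifier, challenge, response), wire


def secret_on_wire(wire, secret: bytes) -> bool:
    """Does the secret appear verbatim in any captured field?"""
    return any(secret in payload for _, _, _, payload in wire)


def replay_is_rejected() -> bool:
    """A captured RESPONSE is useless once the server issues a different challenge."""
    _, wire = run_chap("alice", SECRETS["alice"], b"\x01" * 16)   # constructed challenge
    captured_response = wire[1][3]
    return not chap_verify("alice", 0x2A, b"\x02" * 16, captured_response)


if __name__ == "__main__":
    print("PAP on the wire:", pap_request("alice", SECRETS["alice"]))
    accepted, wire = run_chap("alice", SECRETS["alice"])
    print("CHAP accepted:", accepted, "| secret visible on wire:", secret_on_wire(wire, SECRETS["alice"]))
    print("captured CHAP response replayed later:", "rejected" if replay_is_rejected() else "accepted")
```

The point to take from the two `wire` views: with PAP the password is the message, while with CHAP the link carries a random challenge and a digest that is valid only for that challenge, so a capture cannot be replayed. The flip side, visible in `chap_verify`, is that the server must hold the secret in a recoverable form to recompute the digest.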
![Page 66: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/66.jpg)
EAP Authentication
Extensible Authentication Protocol
Allows authentication protocols to be added to give more flexibility
Supports multiple frameworks
Developed for PPP, but now used in LAN and wireless authentication
![Page 67: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/67.jpg)
VPN Technologies
Tunneling involves establishing and maintaining a logical network connection
Packets are encapsulated within IP packets and encryption is used for security
Voluntary tunneling – client manages connection setup
Compulsory tunneling – carrier provider manages connection setup
![Page 68: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/68.jpg)
PPTP Tunneling Protocol
Encapsulating protocol used more for end-to-end VPNs instead of gateway VPNs
Data link layer protocol that provides single point-to-point connection
Works only with TCP/IP
Works at the Internet layer
![Page 69: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/69.jpg)
L2TP Tunneling Protocol
Works at the data link layer
Can provide VPNs over WAN links using Frame Relay, X.25, or ATM
Cannot encrypt data
Uses IPSec for security
Developed by Cisco to combine L2F and PPTP
![Page 70: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/70.jpg)
IPSec Tunneling Protocol
Provides network layer protection
Used for gateway-to-gateway VPNs
Provides authentication, integrity, and confidentiality
Only works over IP and is becoming the de facto standard
![Page 71: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/71.jpg)
Domain Name Services
Works within a hierarchical naming structure
Host name to IP address mapping
DNS server that holds resource records for a zone is the authority for that zone
Uses forward-lookup tables and reverse-lookup tables
Uses iterative and non-iterative procedures
![Page 72: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/72.jpg)
Network Address Translation
Invented due to the shortage of IP addresses
Allows companies to use private addresses
Can use static mapping on a 1-to-1 relationship
Can use dynamic mapping
Port address translation (PAT)
– One address is used for all hosts
– Older term was hiding NAT
Can be implemented with software (ICS)
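The "one address is used for all hosts" form of NAT (PAT, or hiding NAT) works by keeping a translation table keyed on the public port it hands out. The following is an added example, not code from the slides or from any NAT implementation: a translator that rewrites outbound packets to its single public address, and rewrites inbound packets back only when they match an existing entry. The public address, private hosts and port range are constructed.

```python
import itertools

# Added example, not from the slides: many-to-one NAT (PAT). Addresses and the
# public port range are constructed; entries never expire in this toy version.


class PortAddressTranslator:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> (priv_ip, priv_port, dst_ip, dst_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network; reuse the entry if one exists."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet arriving from outside, or return None to drop it.

        Unsolicited inbound traffic has no table entry and is dropped; this is the
        'hiding' property that made PAT double as a crude perimeter control."""
        if dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(dst_port)
        if entry is None:
            return None
        priv_ip, priv_port, ext_ip, ext_port = entry
        if (src_ip, src_port) != (ext_ip, ext_port):
            return None   # the port is in use, but by a different remote endpoint
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    pat = PortAddressTranslator("203.0.113.5")     # constructed public address
    print(pat.translate_outbound("192.168.1.10", 51000, "198.51.100.20", 80))
    print(pat.translate_outbound("192.168.1.11", 51000, "198.51.100.20", 80))
    print(pat.translate_inbound("198.51.100.20", 80, "203.0.113.5", 40001))
    print(pat.translate_inbound("192.0.2.9", 80, "203.0.113.5", 40000))      # dropped: None
```

Two private hosts using the same source port get distinct public ports, which is why a single address suffices for all of them; the reply to each is mapped back by that public port alone.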
![Page 73: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/73.jpg)
Fiber Distributed Data Interface (FDDI)
Token passing is the media access method
Two rings for fault tolerance
Operates up to 100 Mbps
CDDI is possible with shorter distances
![Page 74: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/74.jpg)
Synchronous Optical Network (SONET)
Physical layer standard used by telephony
Dual-ringed and self-healing
Used to connect T1 and T3 channels
Carries nearly any higher-level protocol
Supports 52 Mbps
Built-in support for maintenance
SONET 3 is coming with 155.5 Mbps
![Page 75: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/75.jpg)
Dedicated Lines
Physical communication lines connecting two locations
Usually more expensive than other options
Leased from larger service providers
– T1 – 1.544 Mbps
– T3 – 44.736 Mbps
![Page 76: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/76.jpg)
Public Switched Telephone Network (PSTN)
Also known as POTS
Interconnected systems operated by different companies
All digital except for the ‘last mile’
Analog converted to digital at the Central Office
![Page 77: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/77.jpg)
Integrated Services Digital Network (ISDN)
Moves the ‘last mile’ from analog to digital
Data rates of 64 Kbps
Circuit-switched instead of packet-switched
Uses bearer channels to move data and a single separate channel (D) for setup
Used by most companies as backup
BRI – 2 64-kbps B channels and 1 D channel
PRI – 23 64-kbps B channels and 1 D channel
![Page 78: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/78.jpg)
Digital Subscriber Line (DSL)
Digital solution for the ‘last mile’
Very high frequency
Must be a POP within 2.5 miles
The farther from a POP, the lower the bandwidth
‘Always On’ technology
32 Mbps for upstream traffic
32 Kbps for downstream traffic
![Page 79: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/79.jpg)
Cable Modems
Service provided by the local cable company
Security issue of neighborhood sniffing
Cable modem converts RF to digital
Could overload cable companies
Most offer speeds up to 2 Mbps, but bandwidth is shared with the neighborhood
![Page 80: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/80.jpg)
X.25
First WAN packet-switching technology
Considered a ‘fat’ protocol because of error detection and correction overhead
Has been replaced by Frame Relay
Virtual circuits are used
Customers share and pay for the same network
![Page 81: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/81.jpg)
Frame Relay
Fastest WAN packet-switching protocol
Path set up for two locations to communicate
Path is permanently configured (PVC)
Could be dynamically built (SVC)
Customers are offered a dedicated rate of flow (CIR)
Inexpensive, with rates from 56K to T1
![Page 82: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/82.jpg)
Asynchronous Transfer Mode (ATM)
Provides the highest bandwidth
Uses 53-byte fixed cells
Intelligence is hardware based
Technology used for the Internet’s backbone
Equipment is expensive
Available in Constant Bit Rate (CBR), Variable Bit Rate (VBR), Available Bit Rate (ABR) or Unspecified Bit Rate (UBR)
![Page 83: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/83.jpg)
Multiplexing (MUX)
Receives data from different sources and places on one communication line
Combines two or more channels onto one transmission medium
Two types
– FDM (used by broadband)
– TDM (used by T1 and T3)
![Page 84: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/84.jpg)
Voice over IP (VoIP)
Moves voice data in packets
Allows combining of voice and data
Long distance calls can be made cheaply
Uses packet switching instead of the telephone’s circuit switching
Can experience jitter and latency
![Page 85: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/85.jpg)
Private Branch Exchange (PBX)
Telephone switch that resides on the customer’s property
A T1 or T3 connects the switch to the provider’s central office
Used for switching calls between internal lines and the PSTN
New versions are called Centrex where switching occurs at Central Office
![Page 86: Information Systems Security](https://reader036.vdocument.in/reader036/viewer/2022081520/56814af9550346895db80968/html5/thumbnails/86.jpg)
PBX Considerations
Not usually included in security assessments
Compromising and reconfiguring of the telephone switch by hackers
Attackers obtaining free long distance
Disclosure of sensitive information
Phreakers (telephone hackers)