Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
205 Cards in this Set
- Front
- Back
|
C.I.A. of Security
|
Confidentiality, Integrity, Availability
|
|
|
Confidentiality
|
Assurance that data is handled and shared only among those who are authorised and permitted to see it. In Security+ context generally refers to the method that the data is handled and stored
|
|
|
Integrity
|
Assurance that data is authentic, complete, un-altered, correct, and can be relied upon. In S+ connotation, Integrity is on of the primary indicators of security of lack of security.
|
|
|
Availability
|
Assurance that the SYSTEMS used for storing, processing, and delivery of information will be accessible to those who have a legitimate need for it. (Conversely, those who do not have a legitimate need cannot access it.
|
|
|
Operational Model of Security
|
Protection = Prevention + Detection + Response
|
|
|
Least Privilege
|
Give only the absolute minimum rights and privileges needed
|
|
|
Layers of Security
|
Multiple barriers working in conjunction help eliminate single points of failure
|
|
|
Diversity of Defense
|
Layers of security should be implemented using dissimilar methods and vendors. Layers should be so dissimilar that if one layer is penetrated, the next layer cannot be penetrated using the same method
|
|
|
Security Through Obscurity
|
Ice cream hidden in the back of the freezer will be found
|
|
|
Keep it Simple (Stupid) (KISS)
|
1. Turn off nonessential services, etc 2. Complex systems are difficult to secure
|
|
|
Access Control
|
The ability of a subject to interact with an object
|
|
|
Access Control List (ACL)
|
A list stating who has specific types access to what
|
|
|
Discretionary Access Control (DAC)
|
Access control based on identity of subjects or groups to which they belong *Certain subjects (eg ""Owner"") may pass permissions on to any other subject
|
|
|
Mandatory Access Control (MAC)
|
Access control based on levels of sensitivity assigned to objects (Labels) and formal levels of authorization (ie clearance) of subjects.
|
|
|
Mandatory Access Control (MAC)
|
Access control based on levels of sensitivity assigned to objects (Labels) and formal levels of authorization (ie clearance) of subjects. These relationships are strictly enforced
|
|
|
Role-Based Access Control (RBAC)
|
Access control based on subjects being assigned certain roles. Access control is managed at the role level instead of the subject level.
|
|
|
Authentication
|
Verifying the identity of a subject Note: Does NOT infer any test for any permissions, only the identity.
|
|
|
3 general Authentication methods
|
1. Something you know (ie password) 2. Something you have (ie token) 3. Something you are (ie biometrics)
|
|
|
Kerberos
|
Network authentication protocol. Default for all versions of Windows since 2000. Authentication can be by certificate or by username and password. Conceptually; a client, a service, and a trusted 3rd party (Kerberos). Allows one-time authentication, for access to many trusting services. Kerberos is time-monitored to ensure no "replay" authentication attemps succeed. Note: NO "permissions" requested or given - Kerberos TGT does return ALL of the client's SIDs, which is placed in a "security token" and presented to servers providing services to ascertain permissions.
|
|
|
Ticket, Authentication Server(AS)
|
One of the components of Kerberos. The Ticket Authentication service issues a TGT (Ticket Granting Ticket), which the client can use in future communications with Kerberos to prove pre-authentication and obtain
|
|
|
Kerberos Time-based
|
5 minutes skew in Windows, 10 minutes in other applications. If the client's time is not within the permissible skew, authentication is denied
|
|
|
Replay Attack
|
Any attack in which an attacker records an authentication or other credentials, to be replayed later to spoof the secure service. Typically, the attacker will couple a replay attack with a DoS attack on one of the stations, so the hijacked station is unaware of the attack
|
|
|
CHAP
|
Challenge Handshake Protocol - a vendor-neutral protocol, in which the server and the client are able to complete a handshake and obtain authentication over a PPP network connection, without the client's password EVER crossing the network. CHAP and PAP were the two methods of authentication - but PAP is no longer used, because the login and password were passed with clear text. CHAP involves a "3-way handshake." CHAP is the highest level of password security that non-microsoft clients can use. CHAP does not natively support data encryption, certificates, or tokens (See MSCHAP)
|
|
|
CHAP challenge/response (3-way handshake)
|
After the TCP link handshake is completed, CHAP (1) The "authenticator" (server) sends a random challenge message to the peer (2) The peer responds by creating a value (from the Challenge seed) obtained by doing a one-way hash, using the bits in the client's password, and returns this value to Server (3) Sever performs the same hash, using the bits in the proported client's password - and if the returned value matches the local calculation, authentication is granted. This challenge-response is repeated periodically. CHAP suffers compared to MS-CHAP V2, in that the authentication is one-way. Client has NO WAY of knowing that server is not an impostor. In addition, CHAP is highly subject to client's with weak passwords.
|
|
|
Certificate Multi-factor authentication
|
Uses more than one authentication mechanism at the same time (ie ATM card + PIN)
|
|
|
Token
|
Hardware device? used in authentication (something you have) (e.g. RSA secureToken)
|
|
|
Security Token
|
A list of all of the user and group SIDs (including Universal group membership), which is presented by client to service when requesting access to a resource
|
|
|
Multifactor Authentication
|
Uses more than one authentication mechanism at the same time (ie ATM card + PIN)
|
|
|
Mutual Authentication
|
Authentication of both sides of a communication. Helps prevent man-in-the-middle attacks. CHAP and MS-CHAP both suffer from single-sided authentication. With MS-CHAP V2, this was corrected and now, as soon as client completes the 3-way handshake with server, client challenges server with another 3-way handshake - result "Mutual Authentication"
|
|
|
Information Assurance
|
IA is the practice of managing information-related risks by ensuring CONFIDENTIALITY, INTEGRITY, AUTHENTICITY, AVAILABILITY, AND NON-REPUDIATION. IA is the process of insuring that AUTHORIZED USERS have access to AUTHORIZED INFORMATION at the AUTHORIZED TIME.
|
|
|
DoD Information Assurance
|
The Department of Defense implemented its version of IA, with the DoD instruction 8570.01-M, which mandates levels of training and certifications for all DoD, Civil service, and Contractors involved in DoD IT.
|
|
|
Information Security
|
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction. Protection = Prevention + Detection + Response
|
|
|
Nonrepudiation
|
Nonrepudiation is a way to guarantee that information received is from the source indicated. This must be legally enforceable. This is usually accomplished by "digitally signing" of messages, computer programs and other data. Guarantee that senders cannot deny they sent a message
|
|
|
TCP 3-way Handshake
|
SYN -> <- SYN/ACK ACK/SYN -> Establishes a "Session" between two computers over a network. The first SYN is from the initiator to the desired target, and includes a "Syn" number to reference in future conversations. The Syn/Ack is from the target machine symbolizing that it is ready to establish a connection and is holding a session open. This returns the target's intended Syn number, and Ack's the sender's Syn number (+1), the Ack/Syn is from the initiator, acknowledging the target's Syn number (+1) and repeating it's own Syn number for reference. Once completed, the "session" will be maintained until the transmission is completed. (See SYN Attack)
|
|
|
DOS Attack
|
Denial of Service Attacks aim to disrupt the availability of services or to distract a station while an intruder hyjacks a session
|
|
|
SYN Flood / SYN Attack
|
DOS attack exploiting the TCP 3-way handshake. A multitude of SYN requests are sent to the target. The target responds with a SYN/ACK and waits for a default period for an ACK. The attacker will never reply so the target may use up all it available connections.
|
|
|
DDOS Attack
|
Distributed Denial of Service attacks rely on using multiple computers to conduct DOS attacks. A Smurf attack is a classical example of a DDoS, but not often used, now. Modern DDoS attacks are carried out by "BOT-Herders" using hundreds or even thousands of hijacked mom-and-pop PCs
|
|
|
Backdoor/Trap Door
|
NOT Synonymous terms. A backdoor is typically a program, such as BackOrifice, that opens and holds a dynamic port number open while the intruder uses that port number to "respond" to the backdoor program. A trapdoor is code segments that were deliberatedly coded into the security or OS, to be used by the coder at a future date. Modern hyjacking methods sometimes allow intruders to "patch" a trapdoor, then return later to exploit it.
|
|
|
Root kit
|
A dangerous, but hard to invoke attack. It is NOT viral, it requires someone with "root" permissions (Administrators, in Windows), to install it. Once installed, it is virtually undetectable, because it hides itself in the OS that is trying to detect it. Typically, it requires that the computer be booted from a CD or other OS source, to detect and remove it. Root kits, once installed have full system permissions, and controls the OS of the host. Root kits are typically stealthy, and do nothing to alarm the host system of its presence.
|
|
|
Sniffing
|
In Data security, sniffing is employed by the attacker and by the defender. Sniffers are specially configured computers which set their NIC cards to Promiscuous mode, then listen-in on all of the traffic on the network. Most sniffers have filters and traps to watch for key strings before beginning a capture; most also have the capability of translating the machine language of the network into human-readable form, and interpret it. In a fully-switched network, sniffers do not work, because the nature of the switch is to avoid passing packets out on ports that are not being addresses.
|
|
|
Spoofing
|
Making data look like it's coming from a different source than it is.
|
|
|
Smurf Attack
|
DOS attack where the attacker sends ICMP echo requests to the broadcast address of a network with the From address spoofed to be the IP address of the target.
|
|
|
Man-in-the-Middle Attack
|
An attack in which the attacker will intercept communications between two parties and, sometimes, modify the messages between them
|
|
|
Replay Attack
|
Attackers "record" portions of conversations (eg authentication sequences) and then replay them at a later time
|
|
|
Brute-force attack
|
A method of finding a cryptographic or other key by systematically trying all possible combinations of keys
|
|
|
Indirect attack
|
A method of breaking a cryptographic or other system by attacking the implementation of the system/algorithm rather than the system itself (ie using a weakness in a key exchange to find a key rather than using a brute-force attack)
|
|
|
Dictionary attack
|
A method of finding a key by trying many commonly used or probable keys (ie guessing a password using all the words in an English dictionary)
|
|
|
Birthday Attack
|
A brute force attack that takes advantage of the Birthday Paradox to simplify the attack.
|
|
|
Birthday Paradox
|
Tradition thinking about cryptographics assumes the complexity for a purely random population - and the numbers are overwhelming. The "Birthday Problem" or "Birthday Paradox," however, points out that just a a population people does not have purely random outcomes equal to the population, but rather, in a room with 23 people, there is a better than 50-50 chance that there are two people who have the same birthday (NOT random population). As the number of people in the room increases, the "randomness" DECREASES, until at about 57 people, the probability of the same birthday approaches 99%, In the same way, the English (French,,,,) language is NOT PURELY RANDOM. The non-randomness of the "population" (language, number system, ...) makes the brute force cryptographic attack far less of an obstacle.
|
|
|
Buffer overflow exploit
|
Programmers must set aside space for users' input, then process that input. Since your 8GB of memory is one, long string, programmers "create" an empty space, ask for input, stuff the input into the "empty" space, and then "JUMP" to the next memory cell past the previously empty buffer space to read and process the user input. Exploiters look for lazy or uninformed programmers who do not TEST the user's input before stuffing it into the empty buffer. If the exploiter can find the right place, they can craft an input that is LONGER then the programmer intended. The programmer unwittingly stuffs it into the buffer (space) and overflows the buffer over his own code. When the program executes the JUMP, it begins executing the EXPLOIT CODE.
|
|
|
Virus
|
Malicious software that self-replicates by copying itself to other executable files. A virus, unlike a WORM, must have a host file and a willing user to execute the host file.
|
|
|
Trojan
|
Malicious software that masquerades as useful software. Trojans rely on the end-user to run them.
|
|
|
Logic-bomb
|
Malicious software installed by an authorized user that is designed to drop it's payload at a designated time or after a set of conditions ha been met
|
|
|
Worm
|
Malicious, self-replicating software that runs stand-alone/without the need for a host file or a willing user to propogate it.
|
|
|
Social Engineering
|
Con-artistry. An indirect attack on a system that relies on the inherent trusting nature, or gullibility of human beings.
|
|
|
War-driving
|
Listening for the presence of wireless networks while driving
|
|
|
Telnet
|
Standard, insecure TCP/IP remote terminal session protocol
|
|
|
Telnet Standard Port #
|
23
|
|
|
SSH
|
Secure Shell - developed by the xNIX world to replace Telnet, which was their main means of remote management. SSH is functionally a secure version of Telnet.
|
|
|
SSH Standard Port #
|
22
|
|
|
Tunneling
|
The encapsulation of one packet in another, The inner packet is often encrypted and could not be forwarded by standard routers. The outer packet looks like a standard packet which can be handled by typical routers. Encapsulation can allow you to obfuscate communications or to change the network transport method. The contents of the data traveling within a tunnel only needs to be understood by the tunnel end-points
|
|
|
PPTP
|
Point-to-Point Tunneling Protocol. As the name implies, appears to operate in the Data Link (Layer 2), but the protocol functionally operates in the Session (Layer 5)
|
|
|
PPP
|
Point-to-Point Protocol - is to data transmission, what DHCP is to host configuration. It is the foundation for ALL modern transmission methods. (PPtP, l2tP). PPP was developed for serial communications (Modem, X.25, and ISDN), but its decendents are everywhere present in network communications.
|
|
|
GRE
|
Generic Routing Encapsulation(GRE). GRE is an IP Prototcol, which can encapsulate, encapsulate IPSEC tunnels, or be encrypted by IPSEC (GRE over IPSEC --AND-- IPSEC over GRE). It is NOT used in an L2TP/IPSEC VPN (it is often found used with PPTP Tunneling). GRE is often referred to as GRE protocol 47 - this does NOT refer to PORT 47. Firewall passthrough is automatically enabled when PPTP passthrough is enabled. PPTP works by sending a regular PPP session to the peer with the Generic Routing Encapsulation (GRE) protocol. A second session on TCP port 1723 is used to initiate and manage the GRE session.
|
|
|
PSTN
|
Public switched telephone network = POTS
|
|
|
POTS
|
Plain Old Telephone Service = PSTN
|
|
|
L2TP
|
Layer 2 Tunneling Protocol (Current version L2TP V3). ACTS LIKE a layer 2 (the test calls it layer 2 or DataLink), but is actually a Layer 4 session layer. It always uses UDP packets to send the Payload and L2TP header, with PPP packets enclosed. L2TP authenticates the USER, but has no encryption. Typically IPSEC is used within the L2TP, to encrypt. IPSEC authenticates the HARDWARE. Therefore L2TP over IPSEC authenticates BOTH user and hardware. Requires UDP port 1701. ANY PROTOCOL, and even "private" IP addresses can be carried inside the tunnel.
|
|
|
L2TP Control Port #
|
UDP 1701
|
|
|
PPTP Port Number
|
TCP 1723. Do NOT open UDP port 1723!
|
|
|
802.16
|
Wireless MANs, typically called "WiMAX", is a family of protocols. 10-16 GHz line-of-sight band. 802.16a is 2-11 GHz band, and non-line-of-sight. Current version is 802.16e, which uses scalable OFDMA (orthogonal frequency division multiple access) in the 1.25 MHz to 20 MHz (note MHz, not GHz - this removes most line-of-sight requirements)
|
|
|
WEP
|
Wired Equivalent Privacy - fails. WEP can be cracked by modern equipment in minutes. Superceeded by WPA and WPA2. It is still being used widely (probably obsolete equipment or ease of implementation). Sometimes referred to as Wireless Encryption Protocol. Uses 40 or 128bit RC4 stream cipher with Static shared secret, variable initialization vector.
|
|
|
40 or 128bit RC4 stream cipher
|
The most widely used stream cipher, used in SSL and WEP. Also used in WPA for wireless cards and TLS. Simple and fast - but very easy to crack. By Ron Rivest or RSA security. There are also RC2, RC5, And RC6 versions by Ron. RC4 uses 2 parts, Permutation and 2-8bit index pointers. The Permutation uses a random keylength from 40 to 256 bits.
|
|
|
VPN
|
Virtual Private Network- an encrypted tunnel between two nodes over a public network.
|
|
|
IPSec
|
IETF Intenet Protocol Security - Actually a suite of protocols, which encrypts each IP packet (ESP), signs each packet header (AH), or BOTH. Operates in a "shim" at the bottom of layer 3, after all ARP and IP/UDP packetization is completed (and before DataLink layer framing). This provides transparent protection for otherwise unprotectable protocols (Telnet, FTP, Printer packets). Uses an IPSEC Policy to selectively determine which protocols are to be "IPSECed" and which ones pass through without IPSEC. Can provide data confidentiality, data integrity, and (machine) authentication between systems. Initial session keys (SA - Security Association) are pre-negotiated with IKE (UDP Port 500). IKE use the Diffie-Hellman Key Exchange and is a partner protocol to Oakley. IPsec has two defined methods—transport and tunneling—and these two methods provide different levels of security.IPsec also has three modes of connection: host to server, server to server, and host to host.
|
|
|
IPSec Transport Method
|
IPSEC has two modes, ONE of which is defined while creating the IPSEC policy. In the default mode "This policy does not define endpoints," IPSEC can be multi-point-to-multi-point, giving unrestricted access to hardware with appropriate IPSEC Policies. If you add endpoint IP addresses, IPSEC will be in "Tunnel Mode." In Tunnel mode, only the endpoints can communicate. This is typically used for router-to-router. In Transport mode, IPSEC is said to be "secure end-to-end." In tunnel mode, the link from the host to the router is not secured (unless a second IPSEC is defined to include the host) and IPSEC is said to be NOT end-to-end secure.
|
|
|
IPSec Tunneling Mode
|
IPSEC has two modes, ONE of which is defined while creating the IPSEC policy. In the default mode "This policy does not define endpoints," IPSEC can be multi-point-to-multi-point, giving unrestricted access to hardware with appropriate IPSEC Policies. If you add endpoint IP addresses, IPSEC will be in "Tunnel Mode." In Tunnel mode, only the endpoints can communicate. This is typically used for router-to-router. In Transport mode, IPSEC is said to be "secure end-to-end." In tunnel mode, the link from the host to the router is not secured (unless a second IPSEC is defined to include the host) and IPSEC is said to be NOT end-to-end secure.
|
|
|
Content protection
|
Obfuscation of the data within a conversation "protected movie dvd"
|
|
|
Context protection
|
Obfuscation of the identity of the sender and receiver of data
|
|
|
Diffie-Hellman Key Exchange
|
D-H The D-H is a method where two strange computers can agree on a secure password, over a non-secure network, which can subsequently be used for IPSEC encryption. It is the first step of a secure conversation. Because the D-H keys are changed with each conversation (or even with each packet), brute force attacks are not effective. The main vulnerability is if the seed is not complex enough and/or if the "random number" generator is not random (none are), and the attacker can guess the next random number. If a shared-secret is used for the key, it is also vulnerable to a man-in-the-middle attack, because there is no authentication (at this time). Use of password seeds and/or certificates for seeds can minimize the man-in-the-middle vulnerability.
|
|
|
Authentication Header (AH)
|
IPsec uses two protocols to provide traffic security.when added to an IP datagram, ensures the integrity of the data and also the authenticity of the data’s origin. By protecting the non-changing elements in the IPheader,the AH protects the IPaddress,which enables data-origin authentication
|
|
|
Encapsulating Security Payload (ESP)
|
IPsec uses two protocols to provide traffic security.when added to an IP datagram, ensures the integrity of the data and also the authenticity of the data’s origin. By protecting the non-changing elements in the IPheader,the AH protects the IPaddress,which enables data-origin authentication
|
|
|
Internet Security Association and Key Management Protocol (ISAKMP)
|
For key management and exchange, three protocols exist: • Internet Security Association and Key Management Protocol (ISAKMP) • Oakley • Secure Key Exchange Mechanism for Internet (SKEMI). These key management protocols can be collectively referred to as Internet Key Manage-ment Protocol (IKMP) or Internet Key Exchange (IKE).
|
|
|
Secure Key Exchange Mechanism for Internet (SKEMI) or (SKEME) or (TLS-KEM)
|
For key management and exchange, SKEME is an alternative key exchange mechanism to Oakley. SKEME is faster and less secure than Oakley. (Trades off security for performance)
|
|
|
IEEE 802.1x
|
802.1x is NOT and abbreviation for other 802.11 etc protocols. It is, instead, an add-on security mechanism. 1x is typically used with wireless, because of the extreme security shortcomings of all of the other wireless security methods. 1x can, however, be implemented in wired networks. In a nutshell, 1x turns the wireless network into a VPN. All traditional wireless security protocols leave the hardware-only authentication up to the access point - 1x limits the access point to a "way-station" In addition, authentication in 1x is about people security, and is left up to the domain security mechanism. 1x redefines the client as a "supplicant," the access point as an "authenticator," and a RADIUS or IAS server as the "Authentication Server." From there, authentication follows the same procedures as a VPN with a RADIUS server. The access point's role in this is to filter packets through the port, as long as it is "unauthorized" and remove the filter when authorized by the RADIUS server.
|
|
|
RADIUS
|
Remote Authentication Dial-In User Service. Although RADIUS (and IAS in Microsoft) now supports any kind of network connecton, the name reflects when it was invented. RADIUS has may roles, from managing RAS dial-up clients, via RADIUS policies, to providing internal and external authentication services for VPN access, and now for 802.1x. RADIUS does not authenticate - it handles relaying the authentication requests to the authenticating domain controller.
|
|
|
AAA or AAAA
|
Authentication, Authorization, and Accounting (Sometimes combined with Auditing - AAAA). The three legs of security. The first step is Authentication, then determine if Authorization is granted, then account for all access and/or attempted access.
|
|
|
Authentication
|
Establish the digital identity the client (in "mutual Authenticaton," establishes the identity of the sevice to the client)
|
|
|
Authorization
|
Grant specific types of privileges or permissions of an authenticated entity to specific resource
|
|
|
Accounting
|
Track the use of network resources by authenticated users
|
|
|
DIAMETER
|
DIAMETER is a proposed name for the new AAA protocol suite (A play on words - 2xRADIUS=DIAMETER. Diameter is the upgrade path for RADIUS. It is not "backward compatible", but it provides an upgrade path. Adds TCP, STCP, IPSEC, and TLS to the access protocols (vs UDP-only). Has many other upgrades.
|
|
|
TACACS+
|
Terminal Access Controller Access-Control System - Another AAA mechanism, which has been developed to replace RADIUS. Uses TCP port 49 (instead of UDP) and actually contains 3 protocols that can exist on different servers. Cisco and Apple are big on TACACS+
|
|
|
Port 49
|
TCP Port 49 is used for TACACS+
|
|
|
RADIUS ports
|
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
|
|
|
Port 1812
|
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
|
|
|
Port 1813
|
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
|
|
|
Port 1645
|
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
|
|
|
Port 1646
|
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
|
|
|
Kerberos Port #
|
Current version V5; TCP 88 is "assumed" to be Kerberos, and is therefore exempt from all IPSEC. Port 88 is for the KDC, but port 749 must also be opened for the admin server. KDC runs on EVERY DC.
|
|
|
MIT Kerberos Maximum Time Delta
|
10 minutes
|
|
|
Microsoft Kerberos Maximum Time Delta
|
5 minutes
|
|
|
monkey-in-the-middle
|
Another term for "Man-in-the-middle"
|
|
|
snoop
|
solaris built in sniffer
|
|
|
tcpdump
|
unix built in sniffer
|
|
|
nessus
|
Tenable Network Security Vulnerability Scanner. Free, with a 7-day delay on vulnerability scripts, which are released almost daily. Cand be immediately available and downloaded for a fee. Checks for remote cracker; open mail relays; missing patches; default, blank, dictionaly or weak passwords; DoS against the TCP/IP stack and by using mangled packets; port scans, and various attacks on scanned ports.
|
|
|
wireshark
|
Free network sniffer (formerly ethereal, just renamed because or a copyright suite). Very similar to Unix TCPDUMP
|
|
|
2 Roles of KDC
|
The KDC (Key Distribution Center) performs: (1) AS - Authentication Server (2) TGS - Ticket Granting Server
|
|
|
Ticket Granting Ticket (TGT)
|
Cached Authentication Credential from TGS allows client to request Session Ticket
|
|
|
Session Ticket
|
Authentication Credential from KDC allows client access to resource server
|
|
|
EAP
|
EAP (not, itself, a protocol, but rather the hooks and handles for deploying extended authenication methods), defined by RFC 3748, is an authentication framework providing a functionality for a variety of authentication mechanisms. It does not provide encryption itself, but rather the ability to utilize several encryption methods within an authentication construct.
|
|
|
EAP-TLS
|
EAP-TLS is considered a very secure form of authentication as it employs the security of TLS, which is the successor to SSL, and makes use of both server-side and client-side certificates. Although considered very secure (especially when client-side certificates are stored on devices like Smart Cards), the overhead of this form of authentication keeps it from being a more frequently implemented solution.
|
|
|
EAP-TTLS
|
EAP-TTLS (Tunneled Transport Layer Security) also provides very good security utilizing Public Key Infrastructure (PKI) certificates on the authentication server only to create a tunnel between the client and the server.
|
|
|
PEAP
|
PEAP is the result of a joint development effort from Microsoft, Cisco Systems, and RSA Security. Like EAP-TTLS, it provides security via server-side PKI certificates. There are at least two sub-types of PEAP certified for the WPA and WPA2 standard: PEAPv0/EAP-MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol) and PEAPv1/EAP-GTC (Generated Token Card)
|
|
|
TLS
|
Transport Layer Security. new version of ssl
|
|
|
supplicant
|
IEEE 802.1x standard to help authenticate and secure both wireless and wired LANs..802.1x uses three terms that you need to know. The user or client that wants to be authenticated is called a supplicant. The actual server doing the authentication, typically a RADIUS server, is called the authentication server. And the device in between, such as a wireless access point, is called the authenticator. the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. The protocol in 802.1x is called EAP encapsulation over LANs (EAPOL).
|
|
|
authenticator
|
IEEE 802.1x standard to help authenticate and secure both wireless and wired LANs..802.1x uses three terms that you need to know. The user or client that wants to be authenticated is called a supplicant. The actual server doing the authentication, typically a RADIUS server, is called the authentication server. And the device in between, such as a wireless access point, is called the authenticator. the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. The protocol in 802.1x is called EAP encapsulation over LANs (EAPOL).
|
|
|
LEAP
|
Cisco's "Lightweight EAP" utilized in 802.1x. It is much less secure than EAP-TLS and PEAP (Protected EAP). EAP-TLS is strong, but requires a certificate on the client (supplicant), PEAP is strong, but requires only a certificate on the authentication server. It uses MS-Chap V2 over a TLS tunnel to protect the initial contact by the supplicant. After the initial connection, the authentication server deposits a certificate cookie on the supplicant.
|
|
|
EAP over IP (EAPoIP)
|
EAP is, itstelf simply an enhanced methodology fo establishing Authentication (The A). It can be carried over numerous protocols, but it is typically carried over TLS or PPP. EAPoIP is still in the draft stages, but defines an authentication protocol which is carried over raw IP (V4 or V6) using UDP by preference, but TCP is ok also. EAPoIP makes initial authentication less complicated, but it must be strongly protected by an outside mechanism such as IPSEC AH and ESP.
|
|
|
EAP-MD5-CHAP
|
Extensible Authentication Protocol, using Message Digest Algorithm/Challenge-Handshake Authentication Protocol to authenticate (MD5 is essentially the same as CHAP)
|
|
|
stream cipher
|
A symmetric key cipher where plaintext bits are combined with a pseudo-random cipher bit stream. (As opposed to "Block Cipher" for most cipher systems.) Stream cipher is typically very fast, with little system impact - but it is highly suscpetable to cracking, because of the pseudo-random key (not truly random). Only one stream cypher, One Time Pad (OTP) has been certified for secure encryption, but it is a very heavy burden on the system, and defeats the purpose of the stream cipher.
|
|
|
Carrier Protocol
|
RE:TUNNELING The protocol used by the network (IP on the Internet) that the information is traveling over
|
|
|
Encapsulating Protocol
|
RE: TUNNELING This term includes both the tunneling protocol (PPTP,L2TP) and the encrypting protocol (IPSec,Secure Shell [SSH]) that is wrapped around the original data
|
|
|
Passenger Protocol
|
RE: TUNNELING The original data being carried
|
|
|
3 protocols required for tunneling
|
(1) Carrier Protocol (2) Encapsulating Protocol (3) Passenger Protocol
|
|
|
2 types of VPNs
|
site-to-site and remote access. Site to site goes from one IP address to another. Remote access can connect multiple IP addreses
|
|
|
VPDN
|
virtual private dial-up network
|
|
|
POP
|
Point of Presense. An access point to the internet, can be in the ISP, external to an ISP (sometimes an ISP has thousands of POPs), or leased from a carrier or aggregator.
|
|
|
TACACS+ Transport Protocol
|
TCP
|
|
|
RADIUS Transport Protocol
|
UDP
|
|
|
TACACS Transport Protocol
|
UDP
|
|
|
PPTP Transport Protocol
|
TCP
|
|
|
L2TP Transport Protocol
|
UDP
|
|
|
L2TP uses _______ for encrypted tunnels
|
IPSec
|
|
|
PPTP only works over ___ networks
|
IP
|
|
|
IPSec Layer
|
Network
|
|
|
IPSec Mode where only the data(payload) is encrypted
|
Transport Mode
|
|
|
IPSec Mode where data and IP headers are encrypted
|
Tunnel Mode
|
|
|
IKE
|
Internet Key Exchange is used to authenticate the two ends of a secure tunnel by providing a secure exchange of a shared key before IPSec transmissions begin.
|
|
|
HMAC
|
Hashed Message Authentication Code
|
|
|
MIME
|
Multi-Purpose Internet Mail Extensions
|
|
|
S/MIME encryption algorithms
|
DES, 3DES, RC2
|
|
|
PGP
|
Pretty Good Privacy Asymetric (Public Key Cryptography) encryption and signing system. Uses "web of trust" as opposed to "Hierarchical trust" (based on "certificate authorities"). Supports Encryption, authentication and Integrity. Subject to spoofing.
|
|
|
DNSBL
|
DNS Blackhole List
|
|
|
FCrDNS - Forward Confirmed reverse DNS
|
Verifies that an email's originating IP address matches the fqdn used in the email's "from address" by doing a reverse DNS lookup on the IP, a nslookup on the fqdn, and then comparing.
|
|
|
zero day
|
a vulnerability that is not known to the security public and therefore no protections, patches, or detection signatures exist for it
|
|
|
ciphertext attack
|
a vulnerability of all crypto-systems, but mainly PGP and Open-PGP. In this attack, the cryptoanalyst works from the cipher text alone, but is able to gather enough data to infer the rest. Especially weak, if the same cipher or key is used to sign and encrypt the email
|
|
|
PGP can fall victim to a _________________ attack,which occurs when a hacker creates a message and sends it to a targeted userid with the expectation that this user will then send the message out to other users.When a targeted user distributes a message to others in an encrypted form,a hacker can listen to the transmitted messages and figure out the key from the newly created ciphertext.
|
Ciphertext attack
|
|
|
Bastion Host
|
System located in a DMZ or connected to the internet that has been hardened against hackers
|
|
|
DNS Zone Transfer
|
If DNS zone transfer security is not set, an attacker can learn the infrastructure from a DNS zone transfer to a rogue DNS server. This can be accomplished from the command line, using NSLOOKUP | ls -d <domain name>, which will dump an entire zone transfer. Most DNS managers secure against these.
|
|
|
Intranet
|
Every part of a network that lies on the inside of the last firewall from the Internet
|
|
|
inside of the last firewall from the Internet"
|
|
|
|
proxy server
|
a server that sits between an intranet and its Internet
|
|
|
connection and handles requests to access internet resources on behalf of intranet clients "
|
|
|
|
extranet
|
Networking zone walled off from the general public, but open to certain authenticated hosts. Access to an extranet does not give access to the intranet.
|
|
|
honeypot/net
|
honeypot is a computer system/network that is deliberately exposed to public access for the express purpose of attracting and distracting attackers.
|
|
|
IDEA Key Length
|
128 bits
|
|
|
DES Key Length
|
56 bits
|
|
|
DES Blocksize
|
64 bits
|
|
|
IDEA blocksize
|
64 bits
|
|
|
IDEA Trivia
|
used in PGP,
|
|
|
Skipjack trivia
|
NSA for clipper and capstone chips, requires key escrow (ie nsa has your secrets)
|
|
|
skipjack key length
|
80 bits
|
|
|
skipjack blocksize
|
64 bits
|
|
|
gost trivia
|
russian,
|
|
|
gost key size
|
256 bits
|
|
|
blowfish trivia
|
designed to be fast on 32bit procs
|
|
|
blowfish key length
|
up to 448 bits
|
|
|
RC 5
|
RSA variable length block-cipher
|
|
|
RC 4
|
RSA variable length stream cipher
|
|
|
size of MD5 hash
|
128 bits
|
|
|
SHA 1 Hash Size
|
160 bits
|
|
|
MAC
|
Message authentication code is a key-dependent one-way hash
|
|
|
PGP
|
freeware electronic-mail security program, originally designed by Philip Zimmermann [1652]. It uses IDEA for data encryption, RSA (with keys up to 2047 bits) for key management and digital signatures, and MD5 as a one-way hash function. Key distribution and revocation is done ad-hoc w/ a web of trust model"
|
|
|
LFM
|
Log File Monitor is an IDS that reads log files to determine if the network is under attack
|
|
|
SIV
|
System Integrity Verifier is an IDS that notifies when essential files have changed
|
|
|
KHMAC
|
Key Hashing for Message Authentication Code is used to digitally sign packets on IPSec connections
|
|
|
Number of Rounds for DES
|
16
|
|
|
Number of rounds for 3DES
|
48
|
|
|
L2TP Port
|
1701
|
|
|
Kerberos Port
|
88
|
|
|
802.11 Media Access method
|
CSMA/CA
|
|
|
802.3 Media Access Method
|
CSMA/CD
|
|
|
WEP Low Security key size
|
nominally 64 bits
|
|
|
WEP high security key size
|
128 bits
|
|
|
Bluetooth promiscuous security mode
|
SM1
|
|
|
Bluetooth security modes
|
SM1(promiscous) < SM2 (establish security after pairing) < SM3 (establish security required first)
|
|
|
Microsoft's Tunneling Protocol
|
PPTP
|
|
|
AH Port
|
50
|
|
|
ESP Port
|
51
|
|
|
L2TP Packet Header Protocol Field Number
|
115
|
|
|
TCP Packet Header Protocol Field Number
|
6
|
|
|
UDP
|
17
|
|
|
ICMP
|
1
|
|
|
IGMP
|
2
|
|
|
SMIME RFC #s
|
2632 , 2634
|
|
|
Port 50
|
IPSEC in ESP (TCP port 50)
|
|
|
Port 51
|
IPSEC in AH (TCP port 51)
|
|
|
IPSEC in AH and ESP Ports
|
TCP 50 for ESP and TCP 51 for AH plus UDP 500 for IKE
|
|
|
Port 500
|
UDP Port 500 IKE (ISAKMP) for IPSEC in VPN Tunnels. Used for Key exchange and sync betweeen endpoints, used for negotiation of the IPSEC Security Association (SA)
|
|
|
Port 22
|
SSH (Secure Shell replaces Telnet)
|
|
|
Port 88
|
Kerberos V5 KDC Listening Port (Client uses random port) May be UDP or TCP (if packet is over 2KB)
|
|
|
Port 1701
|
L2TP UDP/TCP Operates in OSI Layer 2, the Data Link Layer, but is, in fact a Session Layer (layer 4) Protocol.
|
|
|
Port 1723
|
PPTP uses UDP/TCP port 1723
|
|
|
IPSEC OSI Layer
|
IPSEC operates in layer 3 (Network) - actually at the interface between layer 3 and layer 2, where all packetizing is completed.
|
|
|
OTP definition
|
One-time-Pad - considered the MOST difficult symetric (or "private key") encryption to crack. Each file uses a diffferent random number.
|
|
|
AES definition
|
Advanced Encryption Standard - one of the newest encryption methods, uses Rijndael algorythm 128bit 192 bit and 256 bit are typically used. The U.S. Government specifies AES 192 or 256 for highly sensitive data
|
