• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/205

Click to flip

205 Cards in this Set

  • Front
  • Back
C.I.A. of Security
Confidentiality, Integrity, Availability
Confidentiality
Assurance that data is handled and shared only among those who are authorised and permitted to see it. In Security+ context generally refers to the method that the data is handled and stored
Integrity
Assurance that data is authentic, complete, un-altered, correct, and can be relied upon. In S+ connotation, Integrity is on of the primary indicators of security of lack of security.
Availability
Assurance that the SYSTEMS used for storing, processing, and delivery of information will be accessible to those who have a legitimate need for it. (Conversely, those who do not have a legitimate need cannot access it.
Operational Model of Security
Protection = Prevention + Detection + Response
Least Privilege
Give only the absolute minimum rights and privileges needed
Layers of Security
Multiple barriers working in conjunction help eliminate single points of failure
Diversity of Defense
Layers of security should be implemented using dissimilar methods and vendors. Layers should be so dissimilar that if one layer is penetrated, the next layer cannot be penetrated using the same method
Security Through Obscurity
Ice cream hidden in the back of the freezer will be found
Keep it Simple (Stupid) (KISS)
1. Turn off nonessential services, etc 2. Complex systems are difficult to secure
Access Control
The ability of a subject to interact with an object
Access Control List (ACL)
A list stating who has specific types access to what
Discretionary Access Control (DAC)
Access control based on identity of subjects or groups to which they belong *Certain subjects (eg ""Owner"") may pass permissions on to any other subject
Mandatory Access Control (MAC)
Access control based on levels of sensitivity assigned to objects (Labels) and formal levels of authorization (ie clearance) of subjects.
Mandatory Access Control (MAC)
Access control based on levels of sensitivity assigned to objects (Labels) and formal levels of authorization (ie clearance) of subjects. These relationships are strictly enforced
Role-Based Access Control (RBAC)
Access control based on subjects being assigned certain roles. Access control is managed at the role level instead of the subject level.
Authentication
Verifying the identity of a subject Note: Does NOT infer any test for any permissions, only the identity.
3 general Authentication methods
1. Something you know (ie password) 2. Something you have (ie token) 3. Something you are (ie biometrics)
Kerberos
Network authentication protocol. Default for all versions of Windows since 2000. Authentication can be by certificate or by username and password. Conceptually; a client, a service, and a trusted 3rd party (Kerberos). Allows one-time authentication, for access to many trusting services. Kerberos is time-monitored to ensure no "replay" authentication attemps succeed. Note: NO "permissions" requested or given - Kerberos TGT does return ALL of the client's SIDs, which is placed in a "security token" and presented to servers providing services to ascertain permissions.
Ticket, Authentication Server(AS)
One of the components of Kerberos. The Ticket Authentication service issues a TGT (Ticket Granting Ticket), which the client can use in future communications with Kerberos to prove pre-authentication and obtain
Kerberos Time-based
5 minutes skew in Windows, 10 minutes in other applications. If the client's time is not within the permissible skew, authentication is denied
Replay Attack
Any attack in which an attacker records an authentication or other credentials, to be replayed later to spoof the secure service. Typically, the attacker will couple a replay attack with a DoS attack on one of the stations, so the hijacked station is unaware of the attack
CHAP
Challenge Handshake Protocol - a vendor-neutral protocol, in which the server and the client are able to complete a handshake and obtain authentication over a PPP network connection, without the client's password EVER crossing the network. CHAP and PAP were the two methods of authentication - but PAP is no longer used, because the login and password were passed with clear text. CHAP involves a "3-way handshake." CHAP is the highest level of password security that non-microsoft clients can use. CHAP does not natively support data encryption, certificates, or tokens (See MSCHAP)
CHAP challenge/response (3-way handshake)
After the TCP link handshake is completed, CHAP (1) The "authenticator" (server) sends a random challenge message to the peer (2) The peer responds by creating a value (from the Challenge seed) obtained by doing a one-way hash, using the bits in the client's password, and returns this value to Server (3) Sever performs the same hash, using the bits in the proported client's password - and if the returned value matches the local calculation, authentication is granted. This challenge-response is repeated periodically. CHAP suffers compared to MS-CHAP V2, in that the authentication is one-way. Client has NO WAY of knowing that server is not an impostor. In addition, CHAP is highly subject to client's with weak passwords.
Certificate Multi-factor authentication
Uses more than one authentication mechanism at the same time (ie ATM card + PIN)
Token
Hardware device? used in authentication (something you have) (e.g. RSA secureToken)
Security Token
A list of all of the user and group SIDs (including Universal group membership), which is presented by client to service when requesting access to a resource
Multifactor Authentication
Uses more than one authentication mechanism at the same time (ie ATM card + PIN)
Mutual Authentication
Authentication of both sides of a communication. Helps prevent man-in-the-middle attacks. CHAP and MS-CHAP both suffer from single-sided authentication. With MS-CHAP V2, this was corrected and now, as soon as client completes the 3-way handshake with server, client challenges server with another 3-way handshake - result "Mutual Authentication"
Information Assurance
IA is the practice of managing information-related risks by ensuring CONFIDENTIALITY, INTEGRITY, AUTHENTICITY, AVAILABILITY, AND NON-REPUDIATION. IA is the process of insuring that AUTHORIZED USERS have access to AUTHORIZED INFORMATION at the AUTHORIZED TIME.
DoD Information Assurance
The Department of Defense implemented its version of IA, with the DoD instruction 8570.01-M, which mandates levels of training and certifications for all DoD, Civil service, and Contractors involved in DoD IT.
Information Security
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction. Protection = Prevention + Detection + Response
Nonrepudiation
Nonrepudiation is a way to guarantee that information received is from the source indicated. This must be legally enforceable. This is usually accomplished by "digitally signing" of messages, computer programs and other data. Guarantee that senders cannot deny they sent a message
TCP 3-way Handshake
SYN -> <- SYN/ACK ACK/SYN -> Establishes a "Session" between two computers over a network. The first SYN is from the initiator to the desired target, and includes a "Syn" number to reference in future conversations. The Syn/Ack is from the target machine symbolizing that it is ready to establish a connection and is holding a session open. This returns the target's intended Syn number, and Ack's the sender's Syn number (+1), the Ack/Syn is from the initiator, acknowledging the target's Syn number (+1) and repeating it's own Syn number for reference. Once completed, the "session" will be maintained until the transmission is completed. (See SYN Attack)
DOS Attack
Denial of Service Attacks aim to disrupt the availability of services or to distract a station while an intruder hyjacks a session
SYN Flood / SYN Attack
DOS attack exploiting the TCP 3-way handshake. A multitude of SYN requests are sent to the target. The target responds with a SYN/ACK and waits for a default period for an ACK. The attacker will never reply so the target may use up all it available connections.
DDOS Attack
Distributed Denial of Service attacks rely on using multiple computers to conduct DOS attacks. A Smurf attack is a classical example of a DDoS, but not often used, now. Modern DDoS attacks are carried out by "BOT-Herders" using hundreds or even thousands of hijacked mom-and-pop PCs
Backdoor/Trap Door
NOT Synonymous terms. A backdoor is typically a program, such as BackOrifice, that opens and holds a dynamic port number open while the intruder uses that port number to "respond" to the backdoor program. A trapdoor is code segments that were deliberatedly coded into the security or OS, to be used by the coder at a future date. Modern hyjacking methods sometimes allow intruders to "patch" a trapdoor, then return later to exploit it.
Root kit
A dangerous, but hard to invoke attack. It is NOT viral, it requires someone with "root" permissions (Administrators, in Windows), to install it. Once installed, it is virtually undetectable, because it hides itself in the OS that is trying to detect it. Typically, it requires that the computer be booted from a CD or other OS source, to detect and remove it. Root kits, once installed have full system permissions, and controls the OS of the host. Root kits are typically stealthy, and do nothing to alarm the host system of its presence.
Sniffing
In Data security, sniffing is employed by the attacker and by the defender. Sniffers are specially configured computers which set their NIC cards to Promiscuous mode, then listen-in on all of the traffic on the network. Most sniffers have filters and traps to watch for key strings before beginning a capture; most also have the capability of translating the machine language of the network into human-readable form, and interpret it. In a fully-switched network, sniffers do not work, because the nature of the switch is to avoid passing packets out on ports that are not being addresses.
Spoofing
Making data look like it's coming from a different source than it is.
Smurf Attack
DOS attack where the attacker sends ICMP echo requests to the broadcast address of a network with the From address spoofed to be the IP address of the target.
Man-in-the-Middle Attack
An attack in which the attacker will intercept communications between two parties and, sometimes, modify the messages between them
Replay Attack
Attackers "record" portions of conversations (eg authentication sequences) and then replay them at a later time
Brute-force attack
A method of finding a cryptographic or other key by systematically trying all possible combinations of keys
Indirect attack
A method of breaking a cryptographic or other system by attacking the implementation of the system/algorithm rather than the system itself (ie using a weakness in a key exchange to find a key rather than using a brute-force attack)
Dictionary attack
A method of finding a key by trying many commonly used or probable keys (ie guessing a password using all the words in an English dictionary)
Birthday Attack
A brute force attack that takes advantage of the Birthday Paradox to simplify the attack.
Birthday Paradox
Tradition thinking about cryptographics assumes the complexity for a purely random population - and the numbers are overwhelming. The "Birthday Problem" or "Birthday Paradox," however, points out that just a a population people does not have purely random outcomes equal to the population, but rather, in a room with 23 people, there is a better than 50-50 chance that there are two people who have the same birthday (NOT random population). As the number of people in the room increases, the "randomness" DECREASES, until at about 57 people, the probability of the same birthday approaches 99%, In the same way, the English (French,,,,) language is NOT PURELY RANDOM. The non-randomness of the "population" (language, number system, ...) makes the brute force cryptographic attack far less of an obstacle.
Buffer overflow exploit
Programmers must set aside space for users' input, then process that input. Since your 8GB of memory is one, long string, programmers "create" an empty space, ask for input, stuff the input into the "empty" space, and then "JUMP" to the next memory cell past the previously empty buffer space to read and process the user input. Exploiters look for lazy or uninformed programmers who do not TEST the user's input before stuffing it into the empty buffer. If the exploiter can find the right place, they can craft an input that is LONGER then the programmer intended. The programmer unwittingly stuffs it into the buffer (space) and overflows the buffer over his own code. When the program executes the JUMP, it begins executing the EXPLOIT CODE.
Virus
Malicious software that self-replicates by copying itself to other executable files. A virus, unlike a WORM, must have a host file and a willing user to execute the host file.
Trojan
Malicious software that masquerades as useful software. Trojans rely on the end-user to run them.
Logic-bomb
Malicious software installed by an authorized user that is designed to drop it's payload at a designated time or after a set of conditions ha been met
Worm
Malicious, self-replicating software that runs stand-alone/without the need for a host file or a willing user to propogate it.
Social Engineering
Con-artistry. An indirect attack on a system that relies on the inherent trusting nature, or gullibility of human beings.
War-driving
Listening for the presence of wireless networks while driving
Telnet
Standard, insecure TCP/IP remote terminal session protocol
Telnet Standard Port #
23
SSH
Secure Shell - developed by the xNIX world to replace Telnet, which was their main means of remote management. SSH is functionally a secure version of Telnet.
SSH Standard Port #
22
Tunneling
The encapsulation of one packet in another, The inner packet is often encrypted and could not be forwarded by standard routers. The outer packet looks like a standard packet which can be handled by typical routers. Encapsulation can allow you to obfuscate communications or to change the network transport method. The contents of the data traveling within a tunnel only needs to be understood by the tunnel end-points
PPTP
Point-to-Point Tunneling Protocol. As the name implies, appears to operate in the Data Link (Layer 2), but the protocol functionally operates in the Session (Layer 5)
PPP
Point-to-Point Protocol - is to data transmission, what DHCP is to host configuration. It is the foundation for ALL modern transmission methods. (PPtP, l2tP). PPP was developed for serial communications (Modem, X.25, and ISDN), but its decendents are everywhere present in network communications.
GRE
Generic Routing Encapsulation(GRE). GRE is an IP Prototcol, which can encapsulate, encapsulate IPSEC tunnels, or be encrypted by IPSEC (GRE over IPSEC --AND-- IPSEC over GRE). It is NOT used in an L2TP/IPSEC VPN (it is often found used with PPTP Tunneling). GRE is often referred to as GRE protocol 47 - this does NOT refer to PORT 47. Firewall passthrough is automatically enabled when PPTP passthrough is enabled. PPTP works by sending a regular PPP session to the peer with the Generic Routing Encapsulation (GRE) protocol. A second session on TCP port 1723 is used to initiate and manage the GRE session.
PSTN
Public switched telephone network = POTS
POTS
Plain Old Telephone Service = PSTN
L2TP
Layer 2 Tunneling Protocol (Current version L2TP V3). ACTS LIKE a layer 2 (the test calls it layer 2 or DataLink), but is actually a Layer 4 session layer. It always uses UDP packets to send the Payload and L2TP header, with PPP packets enclosed. L2TP authenticates the USER, but has no encryption. Typically IPSEC is used within the L2TP, to encrypt. IPSEC authenticates the HARDWARE. Therefore L2TP over IPSEC authenticates BOTH user and hardware. Requires UDP port 1701. ANY PROTOCOL, and even "private" IP addresses can be carried inside the tunnel.
L2TP Control Port #
UDP 1701
PPTP Port Number
TCP 1723. Do NOT open UDP port 1723!
802.16
Wireless MANs, typically called "WiMAX", is a family of protocols. 10-16 GHz line-of-sight band. 802.16a is 2-11 GHz band, and non-line-of-sight. Current version is 802.16e, which uses scalable OFDMA (orthogonal frequency division multiple access) in the 1.25 MHz to 20 MHz (note MHz, not GHz - this removes most line-of-sight requirements)
WEP
Wired Equivalent Privacy - fails. WEP can be cracked by modern equipment in minutes. Superceeded by WPA and WPA2. It is still being used widely (probably obsolete equipment or ease of implementation). Sometimes referred to as Wireless Encryption Protocol. Uses 40 or 128bit RC4 stream cipher with Static shared secret, variable initialization vector.
40 or 128bit RC4 stream cipher
The most widely used stream cipher, used in SSL and WEP. Also used in WPA for wireless cards and TLS. Simple and fast - but very easy to crack. By Ron Rivest or RSA security. There are also RC2, RC5, And RC6 versions by Ron. RC4 uses 2 parts, Permutation and 2-8bit index pointers. The Permutation uses a random keylength from 40 to 256 bits.
VPN
Virtual Private Network- an encrypted tunnel between two nodes over a public network.
IPSec
IETF Intenet Protocol Security - Actually a suite of protocols, which encrypts each IP packet (ESP), signs each packet header (AH), or BOTH. Operates in a "shim" at the bottom of layer 3, after all ARP and IP/UDP packetization is completed (and before DataLink layer framing). This provides transparent protection for otherwise unprotectable protocols (Telnet, FTP, Printer packets). Uses an IPSEC Policy to selectively determine which protocols are to be "IPSECed" and which ones pass through without IPSEC. Can provide data confidentiality, data integrity, and (machine) authentication between systems. Initial session keys (SA - Security Association) are pre-negotiated with IKE (UDP Port 500). IKE use the Diffie-Hellman Key Exchange and is a partner protocol to Oakley. IPsec has two defined methods—transport and tunneling—and these two methods provide different levels of security.IPsec also has three modes of connection: host to server, server to server, and host to host.
IPSec Transport Method
IPSEC has two modes, ONE of which is defined while creating the IPSEC policy. In the default mode "This policy does not define endpoints," IPSEC can be multi-point-to-multi-point, giving unrestricted access to hardware with appropriate IPSEC Policies. If you add endpoint IP addresses, IPSEC will be in "Tunnel Mode." In Tunnel mode, only the endpoints can communicate. This is typically used for router-to-router. In Transport mode, IPSEC is said to be "secure end-to-end." In tunnel mode, the link from the host to the router is not secured (unless a second IPSEC is defined to include the host) and IPSEC is said to be NOT end-to-end secure.
IPSec Tunneling Mode
IPSEC has two modes, ONE of which is defined while creating the IPSEC policy. In the default mode "This policy does not define endpoints," IPSEC can be multi-point-to-multi-point, giving unrestricted access to hardware with appropriate IPSEC Policies. If you add endpoint IP addresses, IPSEC will be in "Tunnel Mode." In Tunnel mode, only the endpoints can communicate. This is typically used for router-to-router. In Transport mode, IPSEC is said to be "secure end-to-end." In tunnel mode, the link from the host to the router is not secured (unless a second IPSEC is defined to include the host) and IPSEC is said to be NOT end-to-end secure.
Content protection
Obfuscation of the data within a conversation "protected movie dvd"
Context protection
Obfuscation of the identity of the sender and receiver of data
Diffie-Hellman Key Exchange
D-H The D-H is a method where two strange computers can agree on a secure password, over a non-secure network, which can subsequently be used for IPSEC encryption. It is the first step of a secure conversation. Because the D-H keys are changed with each conversation (or even with each packet), brute force attacks are not effective. The main vulnerability is if the seed is not complex enough and/or if the "random number" generator is not random (none are), and the attacker can guess the next random number. If a shared-secret is used for the key, it is also vulnerable to a man-in-the-middle attack, because there is no authentication (at this time). Use of password seeds and/or certificates for seeds can minimize the man-in-the-middle vulnerability.
Authentication Header (AH)
IPsec uses two protocols to provide traffic security.when added to an IP datagram, ensures the integrity of the data and also the authenticity of the data’s origin. By protecting the non-changing elements in the IPheader,the AH protects the IPaddress,which enables data-origin authentication
Encapsulating Security Payload (ESP)
IPsec uses two protocols to provide traffic security.when added to an IP datagram, ensures the integrity of the data and also the authenticity of the data’s origin. By protecting the non-changing elements in the IPheader,the AH protects the IPaddress,which enables data-origin authentication
Internet Security Association and Key Management Protocol (ISAKMP)
For key management and exchange, three protocols exist: • Internet Security Association and Key Management Protocol (ISAKMP) • Oakley • Secure Key Exchange Mechanism for Internet (SKEMI). These key management protocols can be collectively referred to as Internet Key Manage-ment Protocol (IKMP) or Internet Key Exchange (IKE).
Secure Key Exchange Mechanism for Internet (SKEMI) or (SKEME) or (TLS-KEM)
For key management and exchange, SKEME is an alternative key exchange mechanism to Oakley. SKEME is faster and less secure than Oakley. (Trades off security for performance)
IEEE 802.1x
802.1x is NOT and abbreviation for other 802.11 etc protocols. It is, instead, an add-on security mechanism. 1x is typically used with wireless, because of the extreme security shortcomings of all of the other wireless security methods. 1x can, however, be implemented in wired networks. In a nutshell, 1x turns the wireless network into a VPN. All traditional wireless security protocols leave the hardware-only authentication up to the access point - 1x limits the access point to a "way-station" In addition, authentication in 1x is about people security, and is left up to the domain security mechanism. 1x redefines the client as a "supplicant," the access point as an "authenticator," and a RADIUS or IAS server as the "Authentication Server." From there, authentication follows the same procedures as a VPN with a RADIUS server. The access point's role in this is to filter packets through the port, as long as it is "unauthorized" and remove the filter when authorized by the RADIUS server.
RADIUS
Remote Authentication Dial-In User Service. Although RADIUS (and IAS in Microsoft) now supports any kind of network connecton, the name reflects when it was invented. RADIUS has may roles, from managing RAS dial-up clients, via RADIUS policies, to providing internal and external authentication services for VPN access, and now for 802.1x. RADIUS does not authenticate - it handles relaying the authentication requests to the authenticating domain controller.
AAA or AAAA
Authentication, Authorization, and Accounting (Sometimes combined with Auditing - AAAA). The three legs of security. The first step is Authentication, then determine if Authorization is granted, then account for all access and/or attempted access.
Authentication
Establish the digital identity the client (in "mutual Authenticaton," establishes the identity of the sevice to the client)
Authorization
Grant specific types of privileges or permissions of an authenticated entity to specific resource
Accounting
Track the use of network resources by authenticated users
DIAMETER
DIAMETER is a proposed name for the new AAA protocol suite (A play on words - 2xRADIUS=DIAMETER. Diameter is the upgrade path for RADIUS. It is not "backward compatible", but it provides an upgrade path. Adds TCP, STCP, IPSEC, and TLS to the access protocols (vs UDP-only). Has many other upgrades.
TACACS+
Terminal Access Controller Access-Control System - Another AAA mechanism, which has been developed to replace RADIUS. Uses TCP port 49 (instead of UDP) and actually contains 3 protocols that can exist on different servers. Cisco and Apple are big on TACACS+
Port 49
TCP Port 49 is used for TACACS+
RADIUS ports
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
Port 1812
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
Port 1813
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
Port 1645
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
Port 1646
Microsoft: UDP 1812 for authentication, 1813 for accounting; IANA/Cisco: UDP 1645 for authentication and 1646 for accounting. Most Radius servers monitor all of these
Kerberos Port #
Current version V5; TCP 88 is "assumed" to be Kerberos, and is therefore exempt from all IPSEC. Port 88 is for the KDC, but port 749 must also be opened for the admin server. KDC runs on EVERY DC.
MIT Kerberos Maximum Time Delta
10 minutes
Microsoft Kerberos Maximum Time Delta
5 minutes
monkey-in-the-middle
Another term for "Man-in-the-middle"
snoop
solaris built in sniffer
tcpdump
unix built in sniffer
nessus
Tenable Network Security Vulnerability Scanner. Free, with a 7-day delay on vulnerability scripts, which are released almost daily. Cand be immediately available and downloaded for a fee. Checks for remote cracker; open mail relays; missing patches; default, blank, dictionaly or weak passwords; DoS against the TCP/IP stack and by using mangled packets; port scans, and various attacks on scanned ports.
wireshark
Free network sniffer (formerly ethereal, just renamed because or a copyright suite). Very similar to Unix TCPDUMP
2 Roles of KDC
The KDC (Key Distribution Center) performs: (1) AS - Authentication Server (2) TGS - Ticket Granting Server
Ticket Granting Ticket (TGT)
Cached Authentication Credential from TGS allows client to request Session Ticket
Session Ticket
Authentication Credential from KDC allows client access to resource server
EAP
EAP (not, itself, a protocol, but rather the hooks and handles for deploying extended authenication methods), defined by RFC 3748, is an authentication framework providing a functionality for a variety of authentication mechanisms. It does not provide encryption itself, but rather the ability to utilize several encryption methods within an authentication construct.
EAP-TLS
EAP-TLS is considered a very secure form of authentication as it employs the security of TLS, which is the successor to SSL, and makes use of both server-side and client-side certificates. Although considered very secure (especially when client-side certificates are stored on devices like Smart Cards), the overhead of this form of authentication keeps it from being a more frequently implemented solution.
EAP-TTLS
EAP-TTLS (Tunneled Transport Layer Security) also provides very good security utilizing Public Key Infrastructure (PKI) certificates on the authentication server only to create a tunnel between the client and the server.
PEAP
PEAP is the result of a joint development effort from Microsoft, Cisco Systems, and RSA Security. Like EAP-TTLS, it provides security via server-side PKI certificates. There are at least two sub-types of PEAP certified for the WPA and WPA2 standard: PEAPv0/EAP-MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol) and PEAPv1/EAP-GTC (Generated Token Card)
TLS
Transport Layer Security. new version of ssl
supplicant
IEEE 802.1x standard to help authenticate and secure both wireless and wired LANs..802.1x uses three terms that you need to know. The user or client that wants to be authenticated is called a supplicant. The actual server doing the authentication, typically a RADIUS server, is called the authentication server. And the device in between, such as a wireless access point, is called the authenticator. the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. The protocol in 802.1x is called EAP encapsulation over LANs (EAPOL).
authenticator
IEEE 802.1x standard to help authenticate and secure both wireless and wired LANs..802.1x uses three terms that you need to know. The user or client that wants to be authenticated is called a supplicant. The actual server doing the authentication, typically a RADIUS server, is called the authentication server. And the device in between, such as a wireless access point, is called the authenticator. the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. The protocol in 802.1x is called EAP encapsulation over LANs (EAPOL).
LEAP
Cisco's "Lightweight EAP" utilized in 802.1x. It is much less secure than EAP-TLS and PEAP (Protected EAP). EAP-TLS is strong, but requires a certificate on the client (supplicant), PEAP is strong, but requires only a certificate on the authentication server. It uses MS-Chap V2 over a TLS tunnel to protect the initial contact by the supplicant. After the initial connection, the authentication server deposits a certificate cookie on the supplicant.
EAP over IP (EAPoIP)
EAP is, itstelf simply an enhanced methodology fo establishing Authentication (The A). It can be carried over numerous protocols, but it is typically carried over TLS or PPP. EAPoIP is still in the draft stages, but defines an authentication protocol which is carried over raw IP (V4 or V6) using UDP by preference, but TCP is ok also. EAPoIP makes initial authentication less complicated, but it must be strongly protected by an outside mechanism such as IPSEC AH and ESP.
EAP-MD5-CHAP
Extensible Authentication Protocol, using Message Digest Algorithm/Challenge-Handshake Authentication Protocol to authenticate (MD5 is essentially the same as CHAP)
stream cipher
A symmetric key cipher where plaintext bits are combined with a pseudo-random cipher bit stream. (As opposed to "Block Cipher" for most cipher systems.) Stream cipher is typically very fast, with little system impact - but it is highly suscpetable to cracking, because of the pseudo-random key (not truly random). Only one stream cypher, One Time Pad (OTP) has been certified for secure encryption, but it is a very heavy burden on the system, and defeats the purpose of the stream cipher.
Carrier Protocol
RE:TUNNELING The protocol used by the network (IP on the Internet) that the information is traveling over
Encapsulating Protocol
RE: TUNNELING This term includes both the tunneling protocol (PPTP,L2TP) and the encrypting protocol (IPSec,Secure Shell [SSH]) that is wrapped around the original data
Passenger Protocol
RE: TUNNELING The original data being carried
3 protocols required for tunneling
(1) Carrier Protocol (2) Encapsulating Protocol (3) Passenger Protocol
2 types of VPNs
site-to-site and remote access. Site to site goes from one IP address to another. Remote access can connect multiple IP addreses
VPDN
virtual private dial-up network
POP
Point of Presense. An access point to the internet, can be in the ISP, external to an ISP (sometimes an ISP has thousands of POPs), or leased from a carrier or aggregator.
TACACS+ Transport Protocol
TCP
RADIUS Transport Protocol
UDP
TACACS Transport Protocol
UDP
PPTP Transport Protocol
TCP
L2TP Transport Protocol
UDP
L2TP uses _______ for encrypted tunnels
IPSec
PPTP only works over ___ networks
IP
IPSec Layer
Network
IPSec Mode where only the data(payload) is encrypted
Transport Mode
IPSec Mode where data and IP headers are encrypted
Tunnel Mode
IKE
Internet Key Exchange is used to authenticate the two ends of a secure tunnel by providing a secure exchange of a shared key before IPSec transmissions begin.
HMAC
Hashed Message Authentication Code
MIME
Multi-Purpose Internet Mail Extensions
S/MIME encryption algorithms
DES, 3DES, RC2
PGP
Pretty Good Privacy Asymetric (Public Key Cryptography) encryption and signing system. Uses "web of trust" as opposed to "Hierarchical trust" (based on "certificate authorities"). Supports Encryption, authentication and Integrity. Subject to spoofing.
DNSBL
DNS Blackhole List
FCrDNS - Forward Confirmed reverse DNS
Verifies that an email's originating IP address matches the fqdn used in the email's "from address" by doing a reverse DNS lookup on the IP, a nslookup on the fqdn, and then comparing.
zero day
a vulnerability that is not known to the security public and therefore no protections, patches, or detection signatures exist for it
ciphertext attack
a vulnerability of all crypto-systems, but mainly PGP and Open-PGP. In this attack, the cryptoanalyst works from the cipher text alone, but is able to gather enough data to infer the rest. Especially weak, if the same cipher or key is used to sign and encrypt the email
PGP can fall victim to a _________________ attack,which occurs when a hacker creates a message and sends it to a targeted userid with the expectation that this user will then send the message out to other users.When a targeted user distributes a message to others in an encrypted form,a hacker can listen to the transmitted messages and figure out the key from the newly created ciphertext.
Ciphertext attack
Bastion Host
System located in a DMZ or connected to the internet that has been hardened against hackers
DNS Zone Transfer
If DNS zone transfer security is not set, an attacker can learn the infrastructure from a DNS zone transfer to a rogue DNS server. This can be accomplished from the command line, using NSLOOKUP | ls -d <domain name>, which will dump an entire zone transfer. Most DNS managers secure against these.
Intranet
Every part of a network that lies on the inside of the last firewall from the Internet
inside of the last firewall from the Internet"
proxy server
a server that sits between an intranet and its Internet
connection and handles requests to access internet resources on behalf of intranet clients "
extranet
Networking zone walled off from the general public, but open to certain authenticated hosts. Access to an extranet does not give access to the intranet.
honeypot/net
honeypot is a computer system/network that is deliberately exposed to public access for the express purpose of attracting and distracting attackers.
IDEA Key Length
128 bits
DES Key Length
56 bits
DES Blocksize
64 bits
IDEA blocksize
64 bits
IDEA Trivia
used in PGP,
Skipjack trivia
NSA for clipper and capstone chips, requires key escrow (ie nsa has your secrets)
skipjack key length
80 bits
skipjack blocksize
64 bits
gost trivia
russian,
gost key size
256 bits
blowfish trivia
designed to be fast on 32bit procs
blowfish key length
up to 448 bits
RC 5
RSA variable length block-cipher
RC 4
RSA variable length stream cipher
size of MD5 hash
128 bits
SHA 1 Hash Size
160 bits
MAC
Message authentication code is a key-dependent one-way hash
PGP
freeware electronic-mail security program, originally designed by Philip Zimmermann [1652]. It uses IDEA for data encryption, RSA (with keys up to 2047 bits) for key management and digital signatures, and MD5 as a one-way hash function. Key distribution and revocation is done ad-hoc w/ a web of trust model"
LFM
Log File Monitor is an IDS that reads log files to determine if the network is under attack
SIV
System Integrity Verifier is an IDS that notifies when essential files have changed
KHMAC
Key Hashing for Message Authentication Code is used to digitally sign packets on IPSec connections
Number of Rounds for DES
16
Number of rounds for 3DES
48
L2TP Port
1701
Kerberos Port
88
802.11 Media Access method
CSMA/CA
802.3 Media Access Method
CSMA/CD
WEP Low Security key size
nominally 64 bits
WEP high security key size
128 bits
Bluetooth promiscuous security mode
SM1
Bluetooth security modes
SM1(promiscous) < SM2 (establish security after pairing) < SM3 (establish security required first)
Microsoft's Tunneling Protocol
PPTP
AH Port
50
ESP Port
51
L2TP Packet Header Protocol Field Number
115
TCP Packet Header Protocol Field Number
6
UDP
17
ICMP
1
IGMP
2
SMIME RFC #s
2632 , 2634
Port 50
IPSEC in ESP (TCP port 50)
Port 51
IPSEC in AH (TCP port 51)
IPSEC in AH and ESP Ports
TCP 50 for ESP and TCP 51 for AH plus UDP 500 for IKE
Port 500
UDP Port 500 IKE (ISAKMP) for IPSEC in VPN Tunnels. Used for Key exchange and sync betweeen endpoints, used for negotiation of the IPSEC Security Association (SA)
Port 22
SSH (Secure Shell replaces Telnet)
Port 88
Kerberos V5 KDC Listening Port (Client uses random port) May be UDP or TCP (if packet is over 2KB)
Port 1701
L2TP UDP/TCP Operates in OSI Layer 2, the Data Link Layer, but is, in fact a Session Layer (layer 4) Protocol.
Port 1723
PPTP uses UDP/TCP port 1723
IPSEC OSI Layer
IPSEC operates in layer 3 (Network) - actually at the interface between layer 3 and layer 2, where all packetizing is completed.
OTP definition
One-time-Pad - considered the MOST difficult symetric (or "private key") encryption to crack. Each file uses a diffferent random number.
AES definition
Advanced Encryption Standard - one of the newest encryption methods, uses Rijndael algorythm 128bit 192 bit and 256 bit are typically used. The U.S. Government specifies AES 192 or 256 for highly sensitive data