Chapter 3 Secure Network Architecture and Securing Network Components

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

2. Telecommunications and Network Security

A. Understand secure network architecture and design (e.g., IP and non-IP protocols, segmentation):
A.1 OSI and TCP/IP models
A.2 IP networking
A.3 Implications of multi-layer protocols

B. Securing network components:
B.1 Hardware (e.g., modems, switches, routers, wireless access points)
B.2 Transmission media (e.g., wired, wireless, fiber)
B.3 Network access control devices (e.g., firewalls, proxies)
B.4 Endpoint security

c03.indd 87 31/05/12 1:21 PM

Computers and networks emerge from the integration of communication devices, storage devices, processing devices, security devices, input devices, output devices, operating systems, software, services, data, and people. The CISSP CBK states that a thorough knowledge of these hardware and software components is an essential element of being able to implement and maintain security. This chapter discusses the OSI model as a guiding principle in networking, cabling, wireless connectivity, TCP/IP and related protocols, networking devices, and firewalls.

The Telecommunications and Network Security domain for the CISSP certification exam deals with topics related to network components (i.e., network devices and protocols); specifically, how they function and how they are relevant to security. This domain is discussed in this chapter and in Chapter 4, “Secure Communications and Network Attacks.” Be sure to read and study the materials in both chapters to ensure complete coverage of the essential material for the CISSP certification exam.

OSI Model

Communications between computers over networks are made possible by protocols. A protocol is a set of rules and restrictions that define how data is transmitted over a network medium (e.g., twisted-pair cable, wireless transmission).
In the early days of network development, many companies had their own proprietary protocols, which meant interaction between computers of different vendors was often difficult, if not impossible. In an effort to eliminate this problem, the International Organization for Standardization (ISO) developed the Open Systems Interconnection (OSI) Reference Model for protocols in the early 1980s. Specifically, ISO 7498 defines the OSI Reference Model (more commonly called the OSI model). Understanding the OSI model and how it relates to network design, deployment, and security is essential in preparing for the CISSP exam.

In order to properly establish secure data communications, it is important to fully understand all of the technologies involved in computer communications. From hardware and software to protocols and encryption and beyond, there are lots of details to know, standards to understand, and procedures to follow. Additionally, the basis of secure network architecture and design is a thorough knowledge of the OSI and TCP/IP models as well as IP networking in general.

History of the OSI Model

The OSI model wasn’t the first or only attempt to streamline networking protocols or establish a common communications standard. In fact, the most widely used protocol today, TCP/IP (which is based upon the DARPA model, also known now as the TCP/IP model) was developed in the early 1970s. The OSI model was not developed until the late 1970s.

The OSI protocol was developed to establish a common communication structure or standard for all computer systems. The actual OSI protocol was never widely adopted, but the theory behind the OSI protocol, the OSI model, was readily accepted. The OSI model serves as an abstract framework, or theoretical model, for how protocols should function in an ideal world on ideal hardware. Thus, the OSI model has become a common reference point against which all protocols can be compared and contrasted.
OSI Functionality

The OSI model divides networking tasks into seven distinct layers. Each layer is responsible for performing specific tasks or operations for the ultimate goal of supporting data exchange (in other words, network communication) between two computers. The layers are always numbered from bottom to top (see Figure 3.1). They are referred to by either their name or their layer number. For example, layer 3 is also known as the Network layer. The layers are ordered specifically to indicate how information flows through the various levels of communication. Each layer communicates directly with the layer above it as well as the layer below it, plus the peer layer on a communication partner system.

FIGURE 3.1 Representation of the OSI model

Application    7
Presentation   6
Session        5
Transport      4
Network        3
Data Link      2
Physical       1

The OSI model is an open network architecture guide for network product vendors. This standard, or guide, provides a common foundation for the development of new protocols, networking services, and even hardware devices. By working from the OSI model, vendors are able to ensure that their products will integrate with products from other companies and be supported by a wide range of operating systems. If all vendors developed their own networking framework, interoperability between products from different vendors would be next to impossible.

The real benefit of the OSI model is its expression of how networking actually functions. In the most basic sense, network communications occur over a physical connection (whether that physical connection is electrons over copper, photons over fiber, or radio signals through the air). Physical devices establish channels through which electronic signals can pass from one computer to another. These physical device channels are only one type of the seven logical communication types defined by the OSI model.
Each layer of the OSI model communicates via a logical channel with its peer layer on another computer. This enables protocols based on the OSI model to support a type of authentication by being able to identify the remote communication entity as well as authenticate the source of the received data.

Encapsulation/Deencapsulation

Protocols based on the OSI model employ a mechanism called encapsulation. Encapsulation is the addition of a header, and possibly a footer, to the data received by each layer from the layer above before it hands the data off to the layer below. As the message is encapsulated at each layer, the previous layer’s header and payload combine to become the payload of the current layer. Encapsulation occurs as the data moves down through the OSI model layers from Application to Physical. The inverse action occurring as data moves up through the OSI model layers from Physical to Application is known as deencapsulation. The encapsulation/deencapsulation process is as follows:

1. The Application layer creates a message.
2. The Application layer passes the message to the Presentation layer.
3. The Presentation layer encapsulates the message by adding information to it. Information is usually added only at the beginning of the message (called a header); however, some layers also add material at the end of the message (called a footer), as shown in Figure 3.2.
4. The process of passing the message down and adding layer-specific information continues until the message reaches the Physical layer.
5. At the Physical layer, the message is converted into electrical impulses that represent bits and is transmitted over the physical connection.
6. The receiving computer captures the bits from the physical connection and recreates the message in the Physical layer.
7. The Physical layer converts the message from bits into a Data Link frame and sends the message up to the Data Link layer.
8. The Data Link layer strips its information and sends the message up to the Network layer.
9. This process of deencapsulation is performed until the message reaches the Application layer.
10. When the message reaches the Application layer, the data in the message is sent to the intended software recipient.

FIGURE 3.2 Representation of OSI model encapsulation (layers Application, Presentation, Session, Transport, Network, Data Link, Physical; labels Header, DATA, Footer)

The information removed by each layer contains instructions, checksums, and so on that can be understood only by the peer layer that originally added or created the information (see Figure 3.3). This information is what creates the logical channel that enables peer layers on different computers to communicate.

FIGURE 3.3 Representation of the OSI model peer layer logical channels (two stacks side by side, each layer paired with its peer: Application, Presentation, Session, Transport, Network, Data Link, Physical)

The message sent into the protocol stack at the Application layer (layer 7) is called the data stream. It retains the label of data stream until it reaches the Transport layer (layer 4), where it is called a segment (TCP protocols) or a datagram (UDP protocols). In the Network layer (layer 3), it is called a packet. In the Data Link layer (layer 2), it is called a frame. In the Physical layer (layer 1), the data has been converted into bits for transmission over the physical connection medium. Figure 3.4 shows how each layer changes the data through this process.
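The encapsulation and deencapsulation steps above, as an added example that is not part of the original chapter: a data stream is wrapped into a TCP segment, an IPv4 packet, and an Ethernet frame with a CRC-32 footer, then unwrapped again with each layer verifying the checksum its peer added. The function names, addresses, and ports are assumptions made for illustration, and the TCP checksum is left at zero to keep the sketch short.

```python
import struct
import zlib

def inet_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(data, sport, dport, src_ip, dst_ip, src_mac, dst_mac):
    """Walk down the stack: data stream -> segment -> packet -> frame."""
    # Layer 4: TCP header in front of the data stream gives a segment.
    # (TCP checksum left at 0 to keep the sketch short.)
    segment = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                          5 << 4, 0x18, 65535, 0, 0) + data
    # Layer 3: IPv4 header in front of the segment gives a packet.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment),
                      0, 0, 64, 6, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    packet = hdr + segment
    # Layer 2: Ethernet header in front, CRC-32 footer behind, gives a frame.
    body = dst_mac + src_mac + struct.pack("!H", 0x0800) + packet
    return body + struct.pack("<I", zlib.crc32(body))

def deencapsulate(frame):
    """Walk up the stack, each layer checking and stripping its peer's fields."""
    # Layer 2: verify the footer, strip header and footer.
    body, footer = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != footer:
        raise ValueError("Data Link: frame check sequence mismatch")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", body[:14])
    if ethertype != 0x0800:
        raise ValueError("Data Link: payload is not IPv4")
    packet = body[14:]
    # Layer 3: verify the header checksum, strip the header.
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("Network: IPv4 header checksum mismatch")
    total_len, = struct.unpack("!H", packet[2:4])
    src_ip, dst_ip = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    # Layer 4: read the ports, strip the header, hand the data stream up.
    sport, dport = struct.unpack("!HH", segment[:4])
    data = segment[(segment[12] >> 4) * 4:]
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "sport": sport, "dport": dport, "data": data}

# Constructed sample values (documentation IP ranges, made-up ports).
SAMPLE_DATA = b"GET / HTTP/1.1\r\n\r\n"
SAMPLE_FRAME = encapsulate(
    SAMPLE_DATA, 49152, 80,
    bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]),
    bytes.fromhex("0013021f58f5"), bytes.fromhex("020000000001"))

if __name__ == "__main__":
    print(len(SAMPLE_DATA), "bytes of data ->", len(SAMPLE_FRAME), "byte frame")
    print(deencapsulate(SAMPLE_FRAME))
```

A frame altered in transit fails at the layer whose check covers the changed bytes, which is the peer-to-peer logical channel the text describes.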
FIGURE 3.4 OSI model data names

Application    Data stream
Presentation   Data stream
Session        Data stream
Transport      Segment (TCP)/Datagram (UDP)
Network        Packet
Data Link      Frame
Physical       Bits

OSI Layers

Understanding the functions and responsibilities of each layer of the OSI model will help you understand how network communications function, how attacks can be perpetrated against network communications, and how security can be implemented to protect network communications. We discuss each layer, starting with the bottom layer, in the following sections.

For more information on the TCP/IP stack, search for TCP/IP on Wikipedia (http://en.wikipedia.org).

Remember the OSI

Although it can be argued that the OSI has little practical use and that most technical workers don’t use the OSI on a regular basis, you can rest assured that the OSI model and its related concepts are firmly positioned within the CISSP exam. To make the most of the OSI, you must first be able to remember the names of the seven layers in their proper order. One common method of memorizing them is to create a mnemonic from the initial letters of the layer names so they are easier to remember. One of our favorites is Please Do Not Teach Surly People Acronyms. Do take note that this memorization mnemonic works from the Physical layer up to the Application layer. A mnemonic working from the Application layer down is All Presidents Since Truman Never Did Pot. There are many other OSI memorization schemes out there; just be sure you know whether they are top-down or bottom-up.

Physical Layer

The Physical layer (layer 1) accepts the frame from the Data Link layer and converts the frame into bits for transmission over the physical connection medium.
The Physical layer is also responsible for receiving bits from the physical connection medium and converting them into a frame to be used by the Data Link layer.

The Physical layer contains the device drivers that tell the protocol how to employ the hardware for the transmission and reception of bits. Located within the Physical layer are electrical specifications, protocols, and interface standards such as the following:

■ EIA/TIA-232 and EIA/TIA-449
■ X.21
■ High-Speed Serial Interface (HSSI)
■ Synchronous Optical Network (SONET)
■ V.24 and V.35

Through the device drivers and these standards, the Physical layer controls throughput rates, handles synchronization, manages line noise and medium access, and determines whether to use digital or analog signals or light pulses to transmit or receive data over the physical hardware interface.

Network hardware devices that function at layer 1, the Physical layer, are network interface cards (NICs), hubs, repeaters, concentrators, and amplifiers. These devices perform hardware-based signal operations, such as sending a signal from one connection port out on all other ports (a hub) or amplifying the signal to support greater transmission distances (a repeater).

Data Link Layer

The Data Link layer (layer 2) is responsible for formatting the packet from the Network layer into the proper format for transmission. The proper format is determined by the hardware and the technology of the network. There are numerous possibilities, such as Ethernet (IEEE 802.3), Token Ring (IEEE 802.5), asynchronous transfer mode (ATM), Fiber Distributed Data Interface (FDDI), and Copper DDI (CDDI). Within the Data Link layer reside the technology-specific protocols that convert the packet into a properly formatted frame. Once the frame is formatted, it is sent to the Physical layer for transmission.
The following list includes some of the protocols found within the Data Link layer:

■ Serial Line Internet Protocol (SLIP)
■ Point-to-Point Protocol (PPP)
■ Address Resolution Protocol (ARP)
■ Reverse Address Resolution Protocol (RARP)
■ Layer 2 Forwarding (L2F)
■ Layer 2 Tunneling Protocol (L2TP)
■ Point-to-Point Tunneling Protocol (PPTP)
■ Integrated Services Digital Network (ISDN)

Part of the processing performed on the data within the Data Link layer includes adding the hardware source and destination addresses to the frame. The hardware address is the Media Access Control (MAC) address, which is a 6-byte (48-bit) binary address written in hexadecimal notation (for example, 00-13-02-1F-58-F5). The first 3 bytes (24 bits) of the address denote the vendor or manufacturer of the physical network interface. This is known as the Organizationally Unique Identifier (OUI). OUIs are registered with the IEEE, which controls their issuance. The OUI can be used to discover the manufacturer of a NIC through the IEEE website at http://standards.ieee.org/regauth/oui/index.shtml. The last 3 bytes (24 bits) represent a unique number assigned to that interface by the manufacturer. No two devices can have the same MAC address.

EUI-48 to EUI-64

The MAC address has been 48 bits for decades. A similar addressing method is the EUI-48. EUI stands for Extended Unique Identifier. The original 48-bit MAC addressing scheme for IEEE 802 was adopted from the original Xerox Ethernet addressing method. MAC addresses typically are used to identify network hardware, while EUI is used to identify other types of hardware as well as software. The IEEE has decided that MAC-48 is an obsolete term and should be deprecated in favor of EUI-48.

There is also a move to convert from EUI-48 to EUI-64. This is preparation for future world-wide adoption of IPv6 as well as the exponential growth of the number of networking devices and network software packages, all of which need a unique identifier.

A MAC-48 or EUI-48 address can be represented by an EUI-64. In the case of MAC-48, two additional octets of FF:FF are added between the OUI (first 3 bytes) and the unique NIC specification (last 3 bytes)—for example, ccccccFFFFeeeeee. In the case of EUI-48, the two additional octets are FF:FE—for example, ccccccFFFEeeeeee.

Among the protocols at the Data Link layer (layer 2) of the OSI model, the two you should be familiar with are Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP). ARP is used to resolve IP addresses into MAC addresses. Traffic on a network segment (for example, cables across a hub) is directed from its source system to its destination system using MAC addresses. RARP is used to resolve MAC addresses into IP addresses.

The Data Link layer contains two sublayers: the Logical Link Control (LLC) sublayer and the MAC sublayer. Details about these sublayers are not critical for the CISSP exam.

Network hardware devices that function at layer 2, the Data Link layer, are switches and bridges. These devices support MAC-based traffic routing. Switches receive a frame on one port and send it out another port based on the destination MAC address. MAC address destinations are used to determine whether a frame is transferred over the bridge from one network to another.

Network Layer

The Network layer (layer 3) is responsible for adding routing and addressing information to the data. The Network layer accepts the segment from the Transport layer and adds information to it to create a packet. The packet includes the source and destination IP addresses.
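The MAC address layout and the EUI-64 mappings described in the Data Link layer section above, as an added example that is not part of the original chapter: it splits a hardware address into its OUI and interface number, applies both the FF:FF (MAC-48) and FF:FE (EUI-48) mappings, and reverses them. It goes slightly beyond the text by also reporting the two IEEE 802 flag bits in the first octet; an address with the locally administered bit set was assigned by software or an administrator, so its first 3 bytes do not identify a vendor. All function names are assumptions made for illustration.

```python
import re

# The two filler octets the text gives for each mapping into EUI-64.
FILLER = {"MAC-48": b"\xff\xff", "EUI-48": b"\xff\xfe"}

def parse_mac(text):
    """Parse 00-13-02-1F-58-F5, 00:13:02:1f:58:f5 or 0013.021f.58f5."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit hardware address: {text!r}")
    return bytes.fromhex(digits)

def fmt(addr):
    """Render bytes in the hyphenated hexadecimal notation the text uses."""
    return "-".join(f"{b:02X}" for b in addr)

def describe(mac):
    """Split a 48-bit address into OUI and interface number, plus flag bits."""
    return {
        "oui": fmt(mac[:3]),   # first 3 bytes: vendor, registered with IEEE
        "nic": fmt(mac[3:]),   # last 3 bytes: assigned by the manufacturer
        # Flag bits in the first octet (IEEE 802; not covered in the text).
        "group": bool(mac[0] & 0x01),
        "locally_administered": bool(mac[0] & 0x02),
    }

def to_eui64(mac, kind="EUI-48"):
    """Insert FF:FF (MAC-48) or FF:FE (EUI-48) between OUI and last 3 bytes."""
    return mac[:3] + FILLER[kind] + mac[3:]

def from_eui64(eui):
    """Recover the 48-bit address and which mapping produced the EUI-64."""
    if len(eui) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    for kind, filler in FILLER.items():
        if eui[3:5] == filler:
            return kind, eui[:3] + eui[5:]
    raise ValueError("no embedded 48-bit address (filler octets absent)")

# The address used as the example in the text.
SAMPLE_MAC = parse_mac("00-13-02-1F-58-F5")

if __name__ == "__main__":
    print(describe(SAMPLE_MAC))
    for kind in FILLER:
        print(kind, "->", fmt(to_eui64(SAMPLE_MAC, kind)))
```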
The routing protocols are located at this layer and include the following:

■ Internet Control Message Protocol (ICMP)
■ Routing Information Protocol (RIP)
■ Open Shortest Path First (OSPF)
■ Border Gateway Protocol (BGP)
■ Internet Group Management Protocol (IGMP)
■ Internet Protocol (IP)
■ Internet Protocol Security (IPSec)
■ Internetwork Packet Exchange (IPX)
■ Network Address Translation (NAT)
■ Simple Key Management for Internet Protocols (SKIP)

The Network layer is responsible for providing routing or delivery information, but it is not responsible for verifying guaranteed delivery (that is the responsibility of the Transport layer). The Network layer also manages error detection and node data traffic (in other words, traffic control).

Non-IP Protocols

Non-IP protocols are protocols that serve as an alternative to IP at the OSI Network layer (3). In the past, non-IP protocols were widely used. However, with the dominance and success of TCP/IP, non-IP protocols have become the purview of special-purpose networks. The three most recognized non-IP protocols are IPX, AppleTalk, and NetBEUI.

Internetwork Packet Exchange (IPX) is part of the IPX/SPX protocol suite commonly used (although not strictly required) on Novell NetWare networks in the 1990s. AppleTalk is a suite of protocols developed by Apple for networking of Macintosh systems, originally released in 1984. Support for AppleTalk was removed from the Apple operating system as of the release of Mac OS X v10.6 in 2009. Both IPX and AppleTalk can be used as IP alternatives in a dead-zone network implementation using IP-to-alternate-protocol gateways (a dead zone is a network segment using an alternative Network layer protocol instead of IP). NetBIOS Extended User Interface (NetBEUI, aka NetBIOS Frame protocol, or NBF) is most widely known as a Microsoft protocol developed in 1985 to support file and printer sharing.
Microsoft has enabled support of NetBEUI on modern networks by devising NetBIOS over TCP/IP (NBT). This in turn supports the Windows sharing protocol of Server Message Block (SMB), which is also known as Common Internet File System (CIFS). NetBEUI is no longer supported as a lower-layer protocol; only its SMB and CIFS variants are still in use.

A potential security risk exists when non-IP protocols are in use in a private network. Because non-IP protocols are rare, most firewalls are unable to perform packet header, address, or payload content filtering on those protocols. Thus, when it comes to non-IP protocols, a firewall typically must either block all or allow. If your organization is dependent on a service that operates over only a non-IP protocol, then you may have to live with the risk of passing all non-IP protocols through your firewall. This is mostly a concern within a private network when non-IP protocols traverse between network segments. However, non-IP protocols can be encapsulated in IP to be communicated across the Internet. In an encapsulation situation, IP firewalls are rarely able to perform co