Software Defined Networking
SDN is an approach to virtualize networking and decouple the control plane from the hardware typically employed for this service. Routing decisions can be made remotely at a controller instead of on each router. One of the goals is to use inexpensive white-box networking hardware to achieve nimble and customizable networking capabilities. OpenFlow (TCP/TLS based) is a well known protocol that allows switching rules to be designated or updated at a central controller.
Wireless Local Area Networks
Wi-Fi has historically been perceived as insecure. 802.11i (WPA2) was the first standard that had reasonable security.
DoS and Availability
WLANs have no way to assure availability: a DoS can be carried out simply by polluting the airspace with noise.
A band is a contiguous range of radio spectrum. ISM (Industrial, Scientific and Medical) bands are set aside for unlicensed use, unlike the rest of the spectrum licensed by the FCC (Federal Communications Commission). Devices using the ISM bands include cordless phones, 802.11 wireless and Bluetooth.
FHSS, DSSS, OFDM
- FHSS – Frequency Hopping Spread Spectrum – uses a number of small frequency channels throughout the band and hops through them in pseudorandom order to maximise throughput while minimizing the effects of interference
- DSSS – Direct Sequence Spread Spectrum – uses the entire band at once, spreading the signal across the band to maximise throughput while minimizing the effects of interference
- OFDM – Orthogonal Frequency Division Multiplexing – allows simultaneous transmission using multiple independent wireless frequencies
Managed, Master, Ad-Hoc and Monitor Modes
- Managed (client mode) – 802.11 wireless clients connect to an AP. Clients communicate with the AP only and not with other clients
- Master (infrastructure mode) – used by wireless APs, which communicate only with connected clients
- Ad hoc (peer-to-peer mode) – no central access point. A computer with wired access can use this mode on its WLAN NIC to share its internet connection
- Monitor – read-only sniffing mode used by tools like Kismet and Wellenreiter
SSID and MAC address Filtering
- SSID – clients join WLAN networks based on the SSID. It can be broadcast or hidden, but wireless sniffers can still capture the SSID even when broadcasting is disabled
- MAC address filtering – used to allow only trusted clients. MACs can be spoofed, so this is a weak control
Wired Equivalent Privacy (WEP) uses 40- and 104-bit key lengths and the RC4 cipher. WEP frames have no timestamp and no replay protection: attackers can inject traffic by replaying previously sniffed WEP frames. It is inherently weak, partly due to early cryptography export restrictions.
802.11 describes an RSN (Robust Security Network), which allows cryptographic ciphers to be changed (pluggable authentication modules). This is also known as WPA2, which uses AES encryption for confidentiality and CCMP (Counter Mode with CBC-MAC Protocol) to create a Message Integrity Check (MIC) providing integrity. WPA2 should be used over WPA (RC4 and TKIP).
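As an added illustration of the replay difference between WEP (no replay protection) and CCMP (a per-sender packet number that the receiver must check), the following example code is not from these notes: it parses a constructed, simplified 802.11 data-frame layout (an assumption of the example), enforces the packet-number check a CCMP receiver performs, and shows that for WEP a replay can at best be flagged heuristically out of band, e.g. by an IDS.

```python
import struct

# Constructed 802.11 data-frame layout used by this example (not the notes' own code):
#   frame ctrl (2) | duration (2) | addr1 (6) | addr2 (6) | addr3 (6) | seq ctrl (2) | body
#   WEP body : IV (3) | key id (1) | ciphertext
#   CCMP body: PN0 PN1 | reserved | key id | PN2 PN3 PN4 PN5 | ciphertext
HDR = struct.Struct("<HH6s6s6sH")
FC_RETRY = 0x0800  # retry flag bit in the frame-control field

def parse_frame(raw: bytes, proto: str) -> dict:
    fc, _dur, _a1, a2, _a3, _seq = HDR.unpack_from(raw)
    body = raw[HDR.size:]
    frame = {"src": a2.hex(":"), "retry": bool(fc & FC_RETRY)}
    if proto == "wep":
        frame["iv"], frame["payload"] = int.from_bytes(body[:3], "big"), body[4:]
    else:  # ccmp: PN0 is the least-significant byte, PN2..PN5 follow the key-id byte
        frame["pn"], frame["payload"] = int.from_bytes(body[:2] + body[4:8], "little"), body[8:]
    return frame

class CcmpReceiver:
    """What 802.11i mandates: a per-sender packet number that must strictly increase."""
    def __init__(self):
        self.last_pn = {}
    def accept(self, frame: dict) -> bool:
        if frame["pn"] <= self.last_pn.get(frame["src"], -1):
            return False  # replayed (or reordered) frame is dropped
        self.last_pn[frame["src"]] = frame["pn"]
        return True

class WepReplayMonitor:
    """WEP receivers accept any IV, so a replay can only be spotted out of band: the same
    (src, IV, ciphertext) seen again without the retry flag is suspicious (heuristic only)."""
    def __init__(self):
        self.seen = set()
    def suspicious(self, frame: dict) -> bool:
        key = (frame["src"], frame["iv"], frame["payload"])
        dup = key in self.seen and not frame["retry"]
        self.seen.add(key)
        return dup

def build(proto: str, src: bytes, counter: int, payload: bytes, retry: bool = False) -> bytes:
    """Builds a sample frame for the demo; counter is the WEP IV or the CCMP PN."""
    hdr = HDR.pack(0x0008 | (FC_RETRY if retry else 0), 0, b"\xff" * 6, src, b"\xff" * 6, 0)
    if proto == "wep":
        return hdr + counter.to_bytes(3, "big") + b"\x00" + payload
    pn = counter.to_bytes(6, "little")
    return hdr + pn[:2] + b"\x00\x20" + pn[2:] + payload
```

The WEP monitor is only a heuristic because a legitimate retransmission also repeats the frame, and an attacker can set the retry bit; CCMP's check is part of the protocol and needs no such guesswork.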
Bluetooth (802.15) is a Personal Area Network (PAN) technology which operates at 2.4 GHz for low power over short distances. Device classes by range:
- Class 3: under 10 m
- Class 2: 10 m
- Class 1: 100 m
Bluetooth uses the 128-bit E0 symmetric stream cipher, whose true strength has been shown to be only 38 bits. Its security relies on the 48-bit MAC address, which can be guessed: the first 24 bits are the OUI and the remaining 24 bits can be brute forced. Sensitive devices should have discovery disabled.
Radio Frequency Identification
- Active – battery, broadcasts signal, larger distances
- Semi-Passive – battery, relies on reader’s signal for power
- Passive – no battery, relies on reader’s signal for power, less expensive
All RFID tags can be blocked by a Faraday cage, e.g. by wrapping them in aluminum foil.
Secure Network Devices and Protocols
Repeaters and Hubs
Repeaters and hubs are layer 1 devices that simply repeat bits. They lack security (devices connected to a hub can read and alter each other's packets), run in half-duplex mode (cannot send and receive simultaneously) and form one large collision domain (any node may send traffic that collides with another's). They are useful for traffic taps and SPAN ports.
Bridges are layer 2 devices with two ports, used to connect two network segments together. A bridge learns the addresses on either side and provides traffic isolation, creating two collision domains.
A switch is a bridge with more than two ports. A switch shrinks the collision domain to a single port.
A virtual LAN (VLAN) is created by defining multiple virtual switches within a switch. It separates systems into multiple broadcast domains and is often used to segment data and management networks to provide defense in depth.
A Private VLAN (PVLAN) aims to provide isolation between ports so that one system cannot reach another even though they are on the same VLAN. It is useful in multitenant environments, creating logical segmentation in virtual environments.
A Switched Port Analyzer (SPAN, or mirror port) can be used to mirror one port's traffic to another, e.g. for an IDS. Multiple switch ports can be aggregated into one mirror port, but one should be aware of oversubscription.
Taps are the preferred way to provide promiscuous network access to a sniffer. A tap can fail open in the event of a failure and provides access to all traffic, including malformed Ethernet frames (switches often drop such traffic rather than pass it on).