CISSP Domain 4 Communication and Network Security Cheat Sheet


Secure Communications

Authentication Protocols and Framework

PAP & CHAP

  • PAP – Password Authentication Protocol – Very weak – sends username and password in cleartext
  • CHAP – Challenge-Handshake Authentication Protocol – uses a pre-shared secret. Does not expose the cleartext password, and is not susceptible to cleartext attack

To authenticate, the client first creates an initial (unauthenticated) connection via LCP (Link Control Protocol). The server then begins the 3-way CHAP authentication process:

  1. The server sends a challenge, which is a small random string (nonce).
  2. The user takes the challenge string and the password, uses a hash function such as MD5 to create a hash value, and sends that value back to the CHAP server as the response.
  3. The CHAP server also hashes the password and challenge, creating the expected response, and compares it with the response received from the user.

If the responses are identical, the user must have entered the appropriate password and is authenticated. The CHAP server may authenticate by sending a new challenge; otherwise an attacker can replay an older response. The one drawback is that the pre-shared secret is stored in plaintext on the CHAP server.
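
The three-step exchange above as a runnable sketch, including the replay case; this is an added example, not part of the original cheat sheet. It follows the RFC 1994 MD5 construction (which also hashes a one-octet identifier); the ChapServer class, the demo function and the secret value are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    # RFC 1994 with MD5: hash over Identifier octet || shared secret || challenge
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    def __init__(self, secrets):
        # The drawback noted above: the server keeps each secret in plaintext
        self.secrets = secrets
        self.pending = {}   # user -> (identifier, challenge), consumed on use
        self.next_id = 0

    def challenge(self, user):
        # Step 1: issue a fresh random nonce for every authentication attempt
        self.next_id = (self.next_id + 1) % 256
        nonce = os.urandom(16)
        self.pending[user] = (self.next_id, nonce)
        return self.next_id, nonce

    def verify(self, user, identifier, response):
        # Step 3: recompute the expected response and compare
        issued = self.pending.pop(user, None)   # a challenge is valid once
        if issued is None or issued[0] != identifier or user not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[user], issued[1])
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"constructed-shared-secret"   # constructed sample value
    server = ChapServer({"alice": secret})
    ident, nonce = server.challenge("alice")
    resp = chap_response(ident, secret, nonce)          # Step 2, client side
    first = server.verify("alice", ident, resp)
    # A captured response presented against a new challenge must fail
    ident2, _ = server.challenge("alice")
    replayed = server.verify("alice", ident2, resp)
    # A wrong password yields a different hash
    ident3, nonce3 = server.challenge("alice")
    wrong = server.verify("alice", ident3, chap_response(ident3, b"guess", nonce3))
    return first, replayed, wrong

if __name__ == "__main__":
    print(demo())
```

The password never crosses the wire, only the 16-byte hash does, and the server-side `secrets` dictionary shows why the stored plaintext secret is the protocol's weak point.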

802.1x and EAP

  • 802.1x – Port-based network access control
  • EAP – Extensible Authentication Protocol – an authentication framework that describes many specific authentication protocols – designed to authenticate at Layer 2 (both wired and wireless)

802.1x Roles

  • Supplicant – 802.1x client
  • Authentication Server – Server that authenticates supplicant
  • Authenticator – Device such as AP or switch that allows supplicant to authenticate and connect

Types of EAP

  • EAP-MD5 – Weakest, client to server authentication only – susceptible to MitM and password cracking
  • LEAP – Lightweight EAP – Cisco proprietary. Has significant security flaws
  • EAP-FAST – EAP Flexible Authentication via Secure Tunneling – Designed by Cisco to replace LEAP; uses a PAC (protected access control) acting as a pre-shared key
  • EAP-TLS – EAP Transport Layer Security – uses PKI (requires client and server certificates). Very secure, but complex and costly
  • EAP-TTLS – EAP Tunneled Transport Layer Security – Developed by Funk and Certicom. Simplifies EAP-TLS by dropping the need for client-side certificates
  • PEAP – Protected EAP – Developed by Cisco, Microsoft and RSA. Like EAP-TTLS, does not require client-side certs

VPN

Virtual private networks (VPNs) secure data sent via insecure networks, using secure authentication, cryptographic hashes to provide integrity, and ciphers to provide confidentiality.

SLIP and PPP

  • SLIP – Serial line internet protocol – Layer 2 protocol that provides IP connectivity via asynchronous connections such as serial lines and modems. It allowed for routing packets via modem links
  • PPP – Point to Point Protocol – designed to replace SLIP and is based on HDLC. Adds Confidentiality, Integrity and Authentication

PPTP and L2TP

  • PPTP – Point to Point tunneling protocol – tunnels PPP via IP. Uses GRE to pass PPP via IP and TCP for control channel (TCP/1723)
  • L2TP – Layer 2 Tunneling Protocol – combines PPTP and L2F (Layer 2 Forwarding). Focuses on authentication and does not provide confidentiality, so it is frequently used with IPsec to provide encryption. Can be used on non-IP networks such as ATM.

IPsec

Unlike IPv6, IPv4 has no built-in confidentiality; IPsec has been ported to IPv4 to provide it. IPsec is a suite of protocols: Encapsulating Security Protocol (ESP – Protocol 50) and Authentication Header (AH – Protocol 51).

IPsec Architectures

  • Host to gateway – client mode – VPN client
  • Gateway to gateway – point-to-point shared routable connection
  • Host to host – connects two systems to each other

Tunnel and Transport Mode

  • Tunnel Mode – Provides confidentiality (ESP) and/or authentication (AH) to the entire packet, including the original IP headers. New IP headers are added with the source and destination of the IPsec gateways
  • Transport Mode – protects the IP data only, leaving the original IP headers unprotected

SSL and TLS

SSL was designed to protect HTTP data. HTTPS uses port 443. TLS is the latest version of SSL. The current version is TLS1.2. It can be used for VPN connections and is simpler than IPsec, as IPsec makes fundamental changes to IP networking and requires super privileges to modify the OS. IPsec is also difficult to firewall, unlike SSL.

Remote Access

ISDN

Integrated Services Digital Network (ISDN) was an earlier attempt to provide last mile digital service via copper pair via POTS. ISDN devices are called terminals. ISDN Basic Data Rate (BRI) service provides two 64K digital channels plus a 16K signalling channel. A PRI (Primary Rate Interface) provides 23 64K channels and one 16K signalling channel.

DSL

Digital Subscriber Line (DSL) provides a last mile solution using existing copper pairs.

Type       Rate                            Additional info

ISDN:
BRI        128Kbps                         ISDN 2 64K B + 1 16K D
PRI(na)    1.480Mbps                       ISDN 23B+1D (all 64K) ~ T1
PRI(eur)   1.930Mbps                       ISDN 30B+1D (all 64K) ~ E1

DSL:
ADSL       640+Kbps up/1.544+Mbps down     Asymmetric Digital Subscriber Line; nonmatching send/receive transmission rates
HDSL       784+Kbps                        Typically matching send/receive rates, can reach T1 speeds
SDSL       768Kbps                         Single Line Digital Subscriber Line aka HDSL2
VDSL       19.2Mbps up/51.84Mbps down      Very high rate Digital Subscriber Line