Week 5 Notes - Networking Concepts
Uploaded by PatientSanAntonio
Summary
These notes offer a summary of networking concepts, including ports, different types of network vulnerabilities (such as port scanning and denial-of-service attacks), and security measures to counter these threats, like VPNs.
**Ports**

Virtual start and end points for communications on networks. Each port has an assigned number. Specific ports are assigned protocols to aid in distinguishing different types of traffic so it can be processed more easily. E.g. HTTP uses port 80.

Key hardware components:

- **Network Interface Card (NIC)**: enables communication by converting data into electrical signals.
- **Media Access Control (MAC) Address**: a unique hardware ID for devices, crucial for LAN communication.
- **Hub and Switch**: connect multiple devices in a network; switches direct data only to intended devices using MAC addresses.

**Key Internet components**:

- **HTTP (Hyper Text Transfer Protocol)**: governs how data is communicated over the Internet, such as retrieving web pages.
- **IP Address**: unique identifier for devices on the Internet; can change over time.
- **URL (Uniform Resource Locator)**: readable way to access an IP address, translated by Domain Name Servers (DNS).
- **ARP (Address Resolution Protocol)**: translates IP addresses into MAC addresses for local communication.

**Port and Router Vulnerabilities**

- **Port Scanning**: a process which checks a host's ports to see which are open, and listens to data arriving at and leaving a port.
  - Attackers can exploit open ports to send malicious data (e.g., malware) or identify specific software versions with known vulnerabilities.
  - Port scanning tools, like **Nmap**, can be easily downloaded and used to identify vulnerabilities or applications running on a system.
  - **Vanilla scans** check all ports sequentially, while **strobe scans** target specific services on certain ports, making them less detectable.
  - Stealth scanning techniques, such as **fragmented packets**, make it harder for packet filters to detect probes by splitting TCP headers across multiple packets.
- Routers can also introduce vulnerabilities:
  - **War driving** refers to unauthorized access to a wireless network, especially if no password is set on the router.
  - Unauthorized access can lead to serious legal and security issues if malicious activities are conducted via your network.
  - To mitigate risks, secure the router with strong passwords, enable MAC address filtering, and block specific IPs via the router interface.

**Server Vulnerabilities**

- Denial of service can happen unintentionally, such as when a server experiences excessive traffic (e.g., a website crashing due to high demand for movie tickets or during university registration).
- There are different types of DoS attacks:
  - **Service Request Flood:** overloading a server with too many requests (e.g., HTTP/HTTPS) so it cannot handle them, causing it to shut down.
  - **Bandwidth Flood:** sending requests that exceed the server's bandwidth capacity, forcing a denial of service due to the size of the requests rather than their quantity.
  - **SYN Flood:** exploits the **TCP/IP handshake** by sending many requests to open connections without completing the handshake. This overwhelms the server with open connections, leading to denial of service.
- **Security Operation Centres (SOCs)** combine tools like firewalls, demilitarised zones (DMZs), and intrusion detection/prevention systems to monitor for signs of an attack and attempt to prevent them.

**Packet Sniffing**

- This is a passive attack where an attacker monitors and logs network traffic, capturing packets passing through the network.
- **Packet sniffers** can capture sensitive, unencrypted data like passwords or financial information.
- On a **hub-based network**, all packets are sent to all hosts, making sniffing easier. However, even in a **switch-based network**, sniffing can be possible if the switch is overloaded or placed into **promiscuous mode**.

**Spoofing**

- In a LAN: **Address Resolution Protocol** (ARP) spoofing
  - ARP maps IP addresses to MAC addresses.
  - The attacker changes the mapping of an IP to the attacker's MAC.
  - Tools such as Ettercap can do this.
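The notes describe port scanning, SYN floods and ARP spoofing from the attacker's side; what a SOC actually looks for is the trace each leaves in sensor data. The following is an added example (not part of the original notes, and not the output of Nmap, Ettercap or any real IDS) that runs three simple detection checks over a constructed event log: a source touching an unusual number of distinct ports, a destination accumulating half-open connections, and an IP whose MAC address changes mid-log. The log format, the thresholds (`min_ports`, `max_half_open`) and the function names are all assumptions made for the example.

```python
"""Toy SOC detection checks over a constructed connection/ARP event log (added example)."""
from collections import defaultdict

# Constructed sample events, not captured traffic. Two record types:
#   ts,tcp,src_ip,dst_ip,dst_port,FLAG   FLAG is SYN (attempt) or ACK (handshake completed)
#   ts,arp,ip,mac                        an ARP reply seen on the LAN
SAMPLE_LOG = []
# one host probing 12 ports on 10.0.0.20 without ever completing a handshake
SAMPLE_LOG += [f"{i},tcp,10.0.0.5,10.0.0.20,{port},SYN"
               for i, port in enumerate(range(20, 32), start=1)]
# a legitimate client: one SYN followed by the ACK that completes the handshake
SAMPLE_LOG += ["20,tcp,10.0.0.7,10.0.0.20,443,SYN", "21,tcp,10.0.0.7,10.0.0.20,443,ACK"]
# 30 different sources open connections to 10.0.0.30:80 and never finish them
SAMPLE_LOG += [f"{100 + i},tcp,198.51.100.{i},10.0.0.30,80,SYN" for i in range(1, 31)]
# the gateway's MAC changes mid-log: what an ARP cache being rewritten looks like
SAMPLE_LOG += ["200,arp,10.0.0.1,02:00:00:00:00:01", "201,arp,10.0.0.1,02:00:00:00:00:99"]


def parse_event(line):
    """Turn one log line into a dict; raises on a record type we do not know."""
    fields = line.strip().split(",")
    if fields[1] == "tcp":
        ts, _, src, dst, dport, flag = fields
        return {"ts": int(ts), "kind": "tcp", "src": src, "dst": dst,
                "dport": int(dport), "flag": flag}
    if fields[1] == "arp":
        ts, _, ip, mac = fields
        return {"ts": int(ts), "kind": "arp", "ip": ip, "mac": mac.lower()}
    raise ValueError(f"unknown event type: {line!r}")


def detect_port_scans(events, min_ports=10):
    """Port scan signature: one source sends SYNs to many distinct (host, port) pairs."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "tcp" and e["flag"] == "SYN":
            targets[e["src"]].add((e["dst"], e["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def detect_syn_floods(events, max_half_open=20):
    """SYN flood signature: a destination's SYNs far outnumber completed handshakes."""
    half_open = defaultdict(int)
    for e in events:
        if e["kind"] != "tcp":
            continue
        if e["flag"] == "SYN":
            half_open[e["dst"]] += 1
        elif e["flag"] == "ACK":
            half_open[e["dst"]] -= 1
    return {dst: n for dst, n in half_open.items() if n >= max_half_open}


def detect_arp_changes(events):
    """ARP spoofing signature: an IP already seen with one MAC is now claimed by another."""
    seen = {}
    alerts = []
    for e in events:
        if e["kind"] != "arp":
            continue
        old = seen.get(e["ip"])
        if old is not None and old != e["mac"]:
            alerts.append((e["ip"], old, e["mac"]))
        seen[e["ip"]] = e["mac"]
    return alerts


def run_all(lines):
    """Parse once, run every detector, return the findings keyed by detector name."""
    events = [parse_event(line) for line in lines]
    return {
        "port_scans": detect_port_scans(events),
        "syn_floods": detect_syn_floods(events),
        "arp_changes": detect_arp_changes(events),
    }


if __name__ == "__main__":
    for name, finding in run_all(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Note that the scanning host also leaves 12 half-open connections on 10.0.0.20, below the flood threshold: the two detectors look at different aggregations (per source versus per destination) of the same SYN-without-ACK pattern, which is why a SOC runs both. The ARP check is a heuristic, not proof: a MAC change can also be a replaced NIC, DHCP reassignment or a gateway failover, so it should raise an alert to investigate rather than block on its own.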
- On the internet: **DNS Protocol** spoofing
- **Replay attack**: the attacker captures communication, such as login credentials, and replays it later to gain unauthorized access.
  - Even if the data is encrypted or hashed, replaying the same communication packet can allow the attacker to exploit the system.

**VPNs**

There are three main types of VPNs:

1. **Trusted VPN**: this older type used private lines that companies could rely on for secure communication. These are less common today.
2. **Secure VPN**: the most widely used type today, which relies on encryption protocols to secure communication.
3. **Hybrid VPN**: a combination of trusted and secure VPNs.

**Encryption**: to prevent an attacker from accessing the data, the VPN encrypts the packets, either in **transport mode** (data is encrypted as it's created) or **tunnel mode** (data is encrypted during transmission). Different VPNs may use various encryption standards, such as **AES (Advanced Encryption Standard)**.

**Digital Certificates**

They help verify server identities in **TLS (Transport Layer Security)**.

- A **digital certificate** links a server's **public key** to its identity and is issued by a **Certificate Authority (CA)**, a trusted third party.
- The CA checks that the server belongs to the claimed entity and digitally signs the certificate, ensuring it can be trusted.
- The server submits a **Certificate Signing Request (CSR)** to the CA, which includes details like the server's public key, domain, and organization.
- After verification, the CA issues the certificate with a **digital signature** to prove its authenticity.
- Clients (e.g., web browsers) have pre-installed trusted CA certificates, which allow them to verify server certificates and ensure secure connections.

This process ensures that the client is communicating with the intended server and not an imposter.

**Transport Layer Security (TLS)**

Used on the internet to deliver secure pages.
Builds on the Secure Sockets Layer (SSL) protocol.

- It is the foundation of secure internet connections like **HTTPS**, building on an older protocol called **SSL**, but with **stronger security**.

The main process in TLS is the **handshake**, which involves:

1. The client sends a **"Client Hello"** message with its supported **cipher suites** (cryptographic protocols) and **key shares**.
2. The server replies with a **"Server Hello"**, choosing a compatible cipher suite, sending its **key share**, and a **digital certificate** to verify its identity.
3. Both parties use their key shares to **agree on a symmetric key** for encryption.

Two key properties of **TLS 1.3**:

- **Forward Secrecy**: even if a key is compromised, previous communications remain secure due to **ephemeral keys**.
- **Improved Security**: TLS 1.3 uses more secure cipher suites than TLS 1.2, removing weaker protocols.

This makes **TLS 1.3** faster and more secure than earlier versions.
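To make the three handshake steps and the forward-secrecy property concrete, here is an added toy model of the exchange, written for these notes and not taken from any TLS library or from the original page. It sends a Client Hello (offered cipher suites plus an ephemeral key share), a Server Hello (chosen suite plus the server's key share), and then has both sides derive the same symmetric key from the exchanged shares. Assumptions: the key shares use finite-field Diffie-Hellman over a 2048-bit MODP prime transcribed to match RFC 3526 group 14 (check it against the RFC before reuse; real TLS 1.3 uses elliptic-curve groups such as X25519, which the standard library does not expose), the key derivation is an HKDF-style extract/expand with SHA-256 rather than the exact TLS 1.3 key schedule, and the server certificate from step 2 is left out entirely, so this models key agreement only, not server authentication. The cipher-suite strings are real TLS 1.3 names but are only negotiated by name here.

```python
"""Toy model of the TLS 1.3 handshake steps in the notes (added example, not a TLS implementation)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# 2048-bit MODP prime, intended to match RFC 3526 group 14 (transcribed; verify before reuse).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2

# Real TLS 1.3 cipher suite names; the toy negotiates the name only, it does not implement them.
TLS13_SUITES = ("TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256")


@dataclass(frozen=True)
class ClientHello:
    cipher_suites: tuple
    key_share: int        # client's ephemeral DH public value
    random: bytes


@dataclass(frozen=True)
class ServerHello:
    cipher_suite: str
    key_share: int        # server's ephemeral DH public value
    random: bytes


def ephemeral_keypair():
    """Fresh per-handshake DH key pair; discarding the private value afterwards is what gives forward secrecy."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length=32):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def transcript_hash(ch, sh):
    """Binds the derived key to both Hello messages, so a tampered offer yields a different key."""
    data = (f"{ch.cipher_suites}|{ch.key_share}|{ch.random.hex()}|"
            f"{sh.cipher_suite}|{sh.key_share}|{sh.random.hex()}")
    return hashlib.sha256(data.encode()).digest()


def derive_traffic_key(shared_secret, ch, sh):
    """HKDF-style derivation (assumed shape, not the exact TLS 1.3 key schedule)."""
    ikm = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hkdf_extract(salt=b"\x00" * 32, ikm=ikm)
    return hkdf_expand(prk, b"toy tls13 handshake key" + transcript_hash(ch, sh))


def handshake(client_suites=TLS13_SUITES, server_suites=TLS13_SUITES):
    """Run the three steps from the notes; returns (chosen suite, client key, server key)."""
    # Step 1: Client Hello carries the supported suites and an ephemeral key share.
    c_priv, c_pub = ephemeral_keypair()
    ch = ClientHello(tuple(client_suites), c_pub, secrets.token_bytes(32))
    # Step 2: the server picks the first offered suite it supports and sends its own key share.
    chosen = next((s for s in ch.cipher_suites if s in server_suites), None)
    if chosen is None:
        raise ValueError("handshake failure: no common cipher suite")
    s_priv, s_pub = ephemeral_keypair()
    sh = ServerHello(chosen, s_pub, secrets.token_bytes(32))
    # Step 3: each side combines its own private value with the other's public key share.
    client_key = derive_traffic_key(pow(sh.key_share, c_priv, P), ch, sh)
    server_key = derive_traffic_key(pow(ch.key_share, s_priv, P), ch, sh)
    del c_priv, s_priv  # ephemeral secrets are dropped; a later compromise cannot recover this session
    return chosen, client_key, server_key


if __name__ == "__main__":
    suite, ck, sk = handshake()
    print(suite, "keys match:", ck == sk)
```

Running `handshake()` twice gives two different keys even though nothing about the peers changed, which is the forward-secrecy point in the notes: each session's key depends on private values that exist only for that handshake. The cipher-suite selection also shows why TLS 1.3 is said to remove weaker protocols: a server that only accepts the TLS 1.3 suites rejects any client offer that contains none of them instead of falling back to an older suite.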