Wednesday, April 23, 2014

CISSP - EAP Protocols

Questions about EAP are annoying ones, at least for me, and not many people really seem to know the differences between the EAP methods. Furthermore, even the official CISSP guide from ISC2 does not tell much about them. However, you can meet many questions about them in different tests.

I will try to give you the essentials about them so that you also know enough about it and discover more if you wish.

First of all, the Extensible Authentication Protocol (EAP) is an authentication framework rather than a single protocol: it was originally defined for PPP (RFC 2284, now RFC 3748) and is the framework carried by IEEE 802.1X, which provides port-based, identity-based network access control. An EAP "method" such as EAP-TLS, EAP-TTLS or PEAP defines the actual authentication exchange. In a secure network environment both the client (the supplicant) that wants to connect to the corporate network and the network authentication server (typically a RADIUS server) should properly authenticate each other.
When we speak about mutual authentication, the strongest way to do it is with digital certificates and a Public Key Infrastructure. Both client and server present their certificates to each other for authentication and, in several methods, the server certificate is also used to build a TLS tunnel inside which further authentication information is exchanged.

EAP-TLS (Transport Layer Security) requires both the client and the authentication server to use digital certificates for authentication. It is the strongest of the common methods, but it is laborious and expensive because it requires a lot of effort for the proper management of certificates, mostly on the client side. If a client certificate is not renewed correctly or the certificate store is not properly managed, clients end up unable to connect to the network. Because many network administrators are not very interested in PKI, troubleshooting is also painful. One check that applies to every method below: the client must be configured to validate the server certificate against the CA that issued it (and ideally against the expected server name); otherwise a rogue access point presenting any certificate is accepted and the tunnel protects nothing.

EAP-TTLS (Tunneled TLS) eases the problems that EAP-TLS creates by eliminating the client-side certificate. The server certificate is used to establish a TLS tunnel between the client and the authentication server, and the client's credentials (an inner method such as PAP, CHAP, MS-CHAPv2 or another EAP method) are sent over this tunnel. This method is of course less secure than EAP-TLS, since the client is proven only by a password-based credential and an attacker who gets the client to accept a rogue server certificate can harvest that credential, but it is also much easier to configure and maintain.

EAP-PEAP (Protected EAP) works in much the same way as EAP-TTLS, which is why it is confusing for me and, I believe, for many others. After the establishment of the TLS tunnel using the server certificate, a second (inner) EAP method such as EAP-TLS or EAP-MSCHAPv2 (Microsoft's EAP encapsulation of MS-CHAPv2) is run inside the tunnel to authenticate the client. The practical difference is that PEAP can only carry EAP methods inside the tunnel, while EAP-TTLS can also carry legacy non-EAP methods such as PAP and CHAP. PEAP with EAP-MSCHAPv2 is the combination most commonly deployed in Windows and Active Directory environments.

These are all the methods given in the official guide. There are of course other protocols such as LEAP (Cisco's first EAP method, now considered insecure and no longer used), EAP-MD5 (a simple MD5 challenge-response that does not authenticate the server, provides no mutual authentication and derives no keying material, so it is much less secure than those mentioned above and unsuitable for wireless) and EAP-MSCHAPv2 (just an inner authentication method used inside the tunnel built by PEAP or EAP-TTLS, authenticating users with their Active Directory credentials), but these are considered not essential, it seems. It is good to know just that much about them for general knowledge and the exam.

I know Aaron Woland from Cisco Networkers events; he is one of the people who designed Cisco's well-known ISE product and periodically speaks about identity-based networking concepts and AAA at events. You can find a more detailed explanation on his blog by following this link:

Monday, April 14, 2014

CISSP - Between the lines facts on Access Control

The Access Control domain is considered one of the top 5 domains of the CISSP CBK and must be paid close attention. In this domain there are also some concepts with which an average IT professional is pretty unfamiliar and which should be well understood to obtain the certification. Markup languages and their use are the best example of such concepts.

A subject is an active entity and an object is a passive entity.

Permission refers to the access granted for an object, like read, create, edit and delete.
Right refers to the ability to take an action on an object, e.g. modify the system time.

Privilege = permission + right

A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

A cognitive password is usually a series of questions about facts or predefined responses that only the subject should know. For example, what is your mother's maiden name? Such facts are often discoverable through social media or public records, which is why cognitive passwords are weak as a sole authentication factor.

DAC is also referred to as identity-based access control because access is granted to subjects based on their identity.

A DAC model is implemented using access control lists (ACLs) on objects. It does not offer a centrally controlled management system because owners can alter the ACLs on their objects at will. Access to objects is easy to change, especially when compared to the static nature of mandatory access controls.

Within a DAC environment, users' privileges can easily be suspended while they are on vacation, resumed when they return, or terminated when they leave.

Administrators centrally administer non-discretionary access controls and can make changes that affect the entire environment.

In a non-DAC model, access does not focus on user identity. Instead, a static set of rules governing the whole environment is used to manage access. Non-DAC systems are centrally controlled and easier to manage (although less flexible). Rule-based access controls and lattice-based access controls are both considered non-discretionary.

Subjects under lattice-based access controls acquire a least upper bound and a greatest lower bound of access to labeled objects based on their assigned lattice positions. A common example of a lattice-based access control is a mandatory access control.

A mandatory access control (MAC) system relies upon the use of classification labels. Each classification label represents a security domain, or a realm of security. A security domain is a collection of subjects and objects that share a common security policy.

Mandatory access controls are often considered to be non-discretionary controls because they are lattice based. However, the CISSP CIB lists them separately.

An expansion of this access control method is known as need-to-know. Subjects with specific clearance levels are granted access to resources only if their work tasks require such access.

Mandatory access control is prohibitive rather than permissive, and it uses an implicit deny philosophy. If access is not specifically granted, it is forbidden. It is generally recognized as being more secure than DAC, but it isn't as flexible or scalable.

A distinguishing factor between MAC and rule-based access controls is that MAC controls have labels while the non-discretionary rule-based access controls do not use labels.

Objects have security labels (or sensitivity labels), subjects have clearances.
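The lattice, dominance, least upper bound and greatest lower bound ideas from the last few notes are easier to see in code than in prose. The following is an added example, not part of the original post: it models labels as a hierarchical level plus a set of need-to-know categories (the level names and the analyst, report and plan labels are constructed for the example), computes LUB and GLB, and applies the no-read-up and no-write-down rules of the Bell-LaPadula confidentiality model with implicit deny.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hypothetical, constructed sensitivity levels for this example, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}


@dataclass(frozen=True)
class Label:
    """A lattice element: a hierarchical level plus a set of need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's level AND A holds every
        # category B holds. Labels that differ only in categories are incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(LEVEL_NAMES[max(LEVELS[a.level], LEVELS[b.level])],
                 a.categories | b.categories)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(LEVEL_NAMES[min(LEVELS[a.level], LEVELS[b.level])],
                 a.categories & b.categories)


def can_read(clearance: Label, sensitivity: Label) -> bool:
    """Simple-security rule: read only what the clearance dominates (no read up).
    Anything not explicitly dominated is denied (implicit deny)."""
    return clearance.dominates(sensitivity)


def can_write(clearance: Label, sensitivity: Label) -> bool:
    """Star property (Bell-LaPadula confidentiality): write only to labels that
    dominate the clearance, so data cannot flow down the lattice (no write down)."""
    return sensitivity.dominates(clearance)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"}))
    report = Label("SECRET", frozenset({"CRYPTO"}))
    plan = Label("TOP SECRET", frozenset({"NUCLEAR"}))
    hr_memo = Label("CONFIDENTIAL", frozenset({"PERSONNEL"}))
    print("read report:", can_read(analyst, report))    # True: level and categories dominated
    print("read plan:", can_read(analyst, plan))        # False: clearance level too low
    print("read hr_memo:", can_read(analyst, hr_memo))  # False: no need-to-know for PERSONNEL
    print("lub:", lub(report, plan))                    # TOP SECRET, {CRYPTO, NUCLEAR}
    print("glb:", glb(report, plan))                    # SECRET, no categories
```

Note how the `hr_memo` case fails even though the analyst's SECRET clearance is above CONFIDENTIAL: the missing PERSONNEL category makes the two labels incomparable, which is exactly what need-to-know adds on top of the clearance hierarchy.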

A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. This type of access control is usually an attribute of DAC models. The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs).
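To make the ACL-versus-capability distinction concrete, here is an added example (not code from the original post) that builds both views from one constructed access control matrix. The subjects, objects and permissions are made up for the illustration. It also shows the operational consequence the notes above hint at: suspending a user is one deletion in the capability view but touches every object's ACL, and removing an object is the mirror image.

```python
from typing import Dict, List, Set

# Constructed access control matrix for this example: subject -> object -> permissions.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write"}},
    "carol": {"payroll.db": {"read"}},
}


def capability_lists(matrix: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Row view: each subject is bound to the list of (object, permissions) it holds."""
    return {subj: {obj: set(perms) for obj, perms in row.items()} for subj, row in matrix.items()}


def access_control_lists(matrix: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Column view: each object is bound to the list of (subject, permissions) allowed on it."""
    acls: Dict[str, Dict[str, Set[str]]] = {}
    for subj, row in matrix.items():
        for obj, perms in row.items():
            acls.setdefault(obj, {})[subj] = set(perms)
    return acls


def is_allowed(acls, subject: str, obj: str, perm: str) -> bool:
    """Implicit deny: anything not listed on the object's ACL is refused."""
    return perm in acls.get(obj, {}).get(subject, set())


def who_can(acls, obj: str, perm: str) -> List[str]:
    """Cheap with ACLs: one object entry answers 'who can do X to this object'."""
    return sorted(s for s, perms in acls.get(obj, {}).items() if perm in perms)


def what_can(caps, subject: str) -> Dict[str, List[str]]:
    """Cheap with capabilities: one subject entry answers 'what may this subject do'."""
    return {obj: sorted(perms) for obj, perms in caps.get(subject, {}).items()}


def suspend_subject(caps, acls, subject: str) -> int:
    """Suspending a user (e.g. on vacation) is one deletion in the capability view
    but must visit every object's ACL. Returns the number of ACL entries removed."""
    caps.pop(subject, None)
    removed = 0
    for entries in acls.values():
        if entries.pop(subject, None) is not None:
            removed += 1
    return removed


def delete_object(caps, acls, obj: str) -> int:
    """Deleting an object is the mirror image: one ACL dropped, every capability list visited."""
    acls.pop(obj, None)
    removed = 0
    for row in caps.values():
        if row.pop(obj, None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    acls = access_control_lists(MATRIX)
    caps = capability_lists(MATRIX)
    print("who can read payroll.db:", who_can(acls, "payroll.db", "read"))
    print("what bob can do:", what_can(caps, "bob"))
    print("carol write payroll.db:", is_allowed(acls, "carol", "payroll.db", "write"))
    print("ACL entries removed when alice is suspended:", suspend_subject(caps, acls, "alice"))
```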

A meta-directory gathers the necessary information from multiple sources and stores it in one central directory. This provides a unified view of all users' digital identity information throughout the enterprise.

A virtual directory plays the same role and can be used instead of a meta-directory. The difference between the two is that the meta-directory physically has the identity data in its directory, whereas a virtual directory does not and points to where the actual data reside.

Web portal functions are parts of a website that act as a point of access to information. A portal presents information from diverse sources in a unified manner.

A web portal is made up of portlets, which are pluggable user-interface software components that present information from other systems. A portlet is an interactive application that provides a specific type of web service functionality.

XML is a common language used to exchange information.

Security Assertion Markup Language (SAML) is an XML-based language that is commonly used to exchange authentication and authorisation (AA) information between federated organisations. It is often used to provide SSO capabilities for browser access.

When there is a need to allow a user to log in once and gain access to different and separate web-based applications, the actual authentication data has to be shared between the systems hosting those web applications securely and in a standardized manner. This is the role that SAML plays. It is an XML standard that allows authentication and authorization data to be exchanged between security domains.

The Service Provisioning Markup Language (SPML) allows for the exchange of provisioning data between applications, which could reside in one organization or many. SPML allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems. This markup language allows for the integration and interoperation of service provisioning requests across various platforms. When a new employee is hired at a company, that employee usually needs access to a wide range of systems, servers, and applications. Setting up new accounts on each and every system, properly configuring access rights, and then maintaining those accounts throughout their lifetimes is time-consuming, laborious, and error-prone. What if the company has 20,000 employees and thousands of network resources to which each employee needs various access rights? This opens the door for confusion, mistakes, vulnerabilities, and a lack of standardization. SPML allows for all these accounts to be set up and managed simultaneously across the various systems and applications. SPML is made up of three main entities: the Requesting Authority (RA), which is the entity that is making the request to set up a new account or make changes to an existing account; the Provisioning Service Provider (PSP), which is the software that responds to the account requests; and the Provisioning Service Target (PST), which is the entity that carries out the provisioning activities on the requested system.

Transmission of SAML data can take place over different protocol types, but a common one is Simple Object Access Protocol (SOAP). SOAP is a specification that outlines how information pertaining to web services is exchanged in a structured manner. It provides the basic messaging framework, which allows users to request a service and, in exchange, the service is made available to that user. Let's say you need to interact with your company's customer relationship management (CRM) system, which is hosted and maintained by the vendor, for example Salesforce.com. You would log in to your company's portal and double-click a link for Salesforce. Your company's portal will take this request and your authentication data, package it up in a SAML format and encapsulate that data in a SOAP message. This message would be transmitted over an HTTP connection to the Salesforce vendor site.

The use of web services in this manner also allows for organizations to provide service oriented architecture (SOA) environments. An SOA is a way to provide independent services residing on different systems in different business domains in one consistent manner. For example, if your company has a web portal that allows you to access the company's CRM, an employee directory, and a help-desk ticketing application, this is most likely being provided through an SOA. The CRM system may be within the marketing department, the employee directory may be within the HR department, and the ticketing system may be within the IT department, but you can interact with all of them through one interface.

Extensible Access Control Markup Language (XACML) is used to define access control policies within an XML format, and it commonly implements role-based access controls. It helps provide assurances to all members in a federation that they are granting the same level of access to different roles.

Diameter supports a wide range of protocols, including traditional IP, Mobile IP, and Voice over IP (VoIP). Because it supports extra commands, it is becoming popular in situations where roaming support is desirable, such as with wireless devices and smart phones.

Key steps in risk management are as follows:
  • Identifying assets
  • Identifying threats
  • Identifying vulnerabilities

After identifying and prioritizing assets, an organization attempts to identify any possible threats to the valuable systems. Threat modelling refers to the process of identifying, understanding, and categorizing potential threats. A goal is to identify a potential list of threats to these systems and to analyze the threats.

Access aggregation refers to collecting multiple pieces of non-sensitive information and combining (aggregating) them to learn sensitive information. Reconnaissance attacks are access aggregation attacks.

A birthday attack focuses on finding collisions. It is so named because of a statistical phenomenon known as the birthday paradox: in a room of just 23 people there is a roughly 50 percent chance that at least two of them share a birthday, far fewer people than intuition suggests.

Birthday attacks are mitigated by using hashing algorithms with a sufficient number of bits to make collisions computationally infeasible. Because of the birthday bound, a digest of n bits resists a generic collision search only up to about 2^(n/2) operations. There was a time when MD5 (a 128-bit digest, so at best 2^64 work) was considered collision free. However, computing power continues to improve and, more importantly, cryptanalytic attacks now produce MD5 collisions in seconds, so MD5 is no longer considered safe against collisions. SHA-2 can use digests of up to 512 bits (about 2^256 work for a generic collision) and is considered safe against birthday attacks and collisions, at least for now.
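The birthday paradox and the birthday bound on hash collisions are the same computation, so here is an added example (not part of the original post) that does both: it computes the probability for a given group size, finds the smallest group that reaches 50 percent, and then runs a generic birthday attack against SHA-256 deliberately truncated to a short digest. The truncation is an assumption of the example to make the search finish quickly; it models a short digest, not a weakness in SHA-256.

```python
import hashlib
import math
from typing import Tuple


def birthday_probability(n: int, days: int = 365) -> float:
    """P(at least two of n people share a birthday) = 1 - prod_{k<n} (days - k) / days."""
    p_all_distinct = 1.0
    for k in range(n):
        p_all_distinct *= (days - k) / days
    return 1.0 - p_all_distinct


def people_for(target: float, days: int = 365) -> int:
    """Smallest group size whose collision probability reaches the target."""
    n = 1
    while birthday_probability(n, days) < target:
        n += 1
    return n


def expected_trials(bits: int) -> float:
    """Expected hashes before the first collision in a bits-wide digest: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_sha256(msg: bytes, bits: int) -> int:
    """SHA-256 shortened to `bits` bits (example assumption so the search below is fast)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Generic birthday attack: hash distinct messages until two share a digest.
    Returns (m1, m2, number of hashes computed). Memory grows with the number of trials."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    print("23 people:", round(birthday_probability(23), 4))   # 0.5073
    print("50% reached at n =", people_for(0.5))              # 23
    for bits in (24, 32):
        m1, m2, trials = find_collision(bits)
        print(bits, "bits: collision after", trials, "trials, expected about", int(expected_trials(bits)))
    print("generic collision work: MD5 2^%d, SHA-512 2^%d" % (128 // 2, 512 // 2))
```

Scaling the last line up is the whole point: at 32 bits the attack takes tens of thousands of hashes on a laptop, while the same generic method needs around 2^64 hashes against MD5's full digest and 2^256 against SHA-512. The reason MD5 is nonetheless unsafe is that dedicated cryptanalysis finds collisions far below the generic bound.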

A drive-by download is a type of malware that installs itself without the user's knowledge when the user visits a website. Drive-by downloads take advantage of vulnerabilities in browsers or plug-ins.

Network Segregation, perimeter security, control zone and cabling are physical controls.

Extended TACACS (XTACACS) separates authentication, authorization and accounting processes.

Employing a password generator is a bad idea as users will write down difficult passwords somewhere.

Two factor authentication is better than biometric authentication alone.

In Windows environments, administrators could use the Syskey utility, which encrypts the database storing the password hashes (the SAM) with a locally stored system key. Syskey was removed from Windows 10 version 1709 and Windows Server version 1709; Microsoft recommends BitLocker for protecting the on-disk SAM instead.

Signature dynamics is a method that captures the electrical signals when a person signs a name. Keystroke dynamics captures electrical signals when a person types a certain phrase.

A passphrase is a sequence of characters that is longer than a password and, in some cases, takes the place of a password during an authentication process. The user enters this phrase into an application, and the application transforms the value into a virtual password, making the passphrase the length and format that is required by the application.

A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information.

Two types of contactless smart cards are available: hybrid and combi. The hybrid card has two chips, with the capability of utilizing both the contact and contactless formats. A combi card has one microprocessor chip that can communicate to contact or contactless readers.

The ISO/IEC standard for contactless (proximity) smart cards is ISO/IEC 14443; contact smart cards are covered by ISO/IEC 7816.

Attackers often delete audit logs that hold this incriminating information. Deleting specific incriminating data within audit logs is called scrubbing.

CISSP - Between the lines notes about Telecommunications Security

The Telecommunications and Network Security domain is one of the largest domains in the CISSP CBK. Even people with a significant level of experience in network operations may find many points they miss in their daily lives.

In this blog entry, rather than explaining the facts that most people know, I have tried to summarize those little points that may have escaped many people's attention up to now. These points may be lifesaving in answering questions. So let's start with some information about the Session Layer, which network and security people perhaps pay the least attention to.

When two applications need to communicate or transfer data between themselves, a connection may need to be set up between them. The session layer is responsible for establishing a connection between the two applications, maintaining it during the transfer of data, and controlling the release of this connection. The session layer works in three phases: connection establishment, data transfer, and connection release.

Session layer protocols control application-to-application communication, whereas the transport layer protocols handle computer-to-computer communication. For example, if you are using a product that is working in a client/server model, in reality you have a small piece of the product on your computer (client portion) and the larger piece of the software product is running on a different computer (server portion). The communication between these two pieces of the same software product needs to be controlled, which is why session layer protocols even exist. Session layer protocols take on the functionality of middleware, which allows software on two different computers to communicate.

Session layer protocols provide interprocess communication channels, which allow a piece of software on one system to call upon a piece of software on another system without the programmer having to know the specifics of the software on the receiving system. The programmer of a piece of software can write a function call that calls upon a subroutine. The subroutine could be local to the system or be on a remote system. If the subroutine is on a remote system, the request is carried over a session layer protocol. The result that the remote system provides is then returned to the requesting system over the same session layer protocol. This is how RPC works.

One security issue common to RPC (and similar interprocess communication software) is the lack of authentication or the use of weak authentication. Secure RPC can be implemented, which requires authentication to take place before two computers located in different locations can communicate with each other. Authentication can take place using shared secrets, public keys, or Kerberos tickets. Session layer protocols need to provide secure authentication capabilities.

RPC and similar distributed computing calls usually only need to take place within a network; thus, firewalls should be configured so this type of traffic is not allowed into or out of a network.

Some protocols that work at the session layer (in the CISSP layering) are SQL, NetBIOS, NFS and RPC.

In the CISSP layering, the main protocols that work at layer 4 are TCP, UDP, SSL/TLS and SPX. Other references place SSL/TLS at the session or presentation layer, so answer exam questions with the CBK mapping.

ICMP and IGMP are Layer 3 protocols.

RARP, PPP, PPTP, L2TP, SLIP, ATM, Ethernet, Token Ring and FDDI are Layer 2 protocols.

ISDN, DSL and SONET are Layer 1 protocols.

Port numbers up to 1023 (0 to 1023) are called well-known ports. On Unix-like systems, ports 0 to 1023 can be bound only by privileged (root) processes.

Registered ports are 1024 to 49151, which can be registered with IANA for a particular use.

Dynamic ports are 49152 to 65535 and are available to be used by any application on an “as needed” basis.

A SYN proxy is a piece of software that sits between the sender and the receiver and only passes TCP traffic on to the receiving system once the three-way handshake has completed successfully, so the half-open connections of a SYN flood never reach the protected host.

If an attacker can correctly predict the TCP sequence numbers that two systems will use, then she can create packets containing those numbers and fool the receiving system into thinking that the packets are coming from the authorized sending system. She can then take over the TCP connection between the two systems, which is referred to as TCP session hijacking.

802.1AE (MACSec) defines a security infrastructure to provide data confidentiality, data integrity, and data origin authentication. Where a VPN connection provides protection at the higher networking layers, MACSec provides hop-by-hop protection at layer 2.

802.1AR standard specifies unique per-device identifiers (DevID, PKI, certificates) and the management and cryptographic binding of a device (router, switch, access point) to its identifiers.

DHCP packet types are Discover, Offer, Request and Acknowledgment (DORA) in their order.

In environments that require extensive security, wires are encapsulated within pressurized conduits so if someone attempts to access a wire, the pressure of the conduit will change, causing an alarm to sound and a message to be sent to the security staff.

Both carrier-sense schemes listen to the medium before sending. CSMA/CD (wired Ethernet) transmits when the wire seems free, detects any collision that results, and backs off before retrying. CSMA/CA (802.11 wireless) cannot detect collisions while transmitting, so it tries to avoid them: it waits a random back-off and may first send a short message (RTS/CTS) indicating to all other systems that it is about to put data on the medium.

Token Ring uses a token-passing technology with a star-configured topology. Each computer is connected to a central hub, called a Multistation Access Unit (MAU). Token ring operates either at 4 or 16 Mbps.

FDDI has a data transmission speed of up to 100 Mbps and is usually used as a backbone network. FDDI also provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data traveling clockwise and is used for regular data transmission. The second ring transmits data in a counterclockwise fashion and is invoked only if the primary ring goes down.

Copper Distributed Data Interface (CDDI) can work over UTP cabling. Whereas FDDI would be used more as a MAN, CDDI can be used within a LAN.

Devices that connect to FDDI rings fall into one of the following categories:
  • Single-attachment station (SAS) Attaches to only one ring (the primary) through a concentrator
  • Dual-attachment station (DAS) Has two ports and each port provides a connection for both the primary and the secondary rings
  • Single-attached concentrator (SAC) Concentrator that connects an SAS device to the primary ring
  • Dual-attached concentrator (DAC) Concentrator that connects DAS, SAS, and SAC devices to both rings

Loki is actually a client/server program used by hackers to set up back doors on systems and uses ICMP packets to carry control traffic.

The Ping of Death attack is based upon the use of oversized ICMP packets. The maximum size of an IP datagram is 65,535 bytes; the attacker sends fragments whose offsets and lengths add up to more than that, and if the target's stack does not check for this before reassembly, the reassembly buffer overflows and the system can become unstable, freeze or crash.

In Smurf attack, the attacker sends an ICMP ECHO REQUEST packet with a spoofed source address of victim to victim’s network broadcast address. This means that each system on the victim’s subnet receives an ICMP ECHO REQUEST packet. Each system then replies to that request with an ICMP ECHO REPLY packet to the spoof address provided in the packets—which is the victim’s address.

A Fraggle attack works on the same principle as Smurf, but Fraggle uses the UDP protocol (typically the echo and chargen services) where Smurf uses ICMP. Both are amplification attacks that use a spoofed source address and a broadcast address to turn one packet into many replies aimed at the victim.

In a teardrop attack the attacker creates malformed fragments with overlapping offsets, and once they are reassembled they can cause the victim system to become unstable or crash.
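Both the Ping of Death and teardrop notes above come down to the same thing: a fragment set that a careful IP stack should refuse before reassembling. The following is an added example, not code from the original post; it represents each fragment as a constructed tuple of (fragment offset in 8-byte units, more-fragments flag, payload length) and implements the sanity checks a hardened stack or an IDS applies, flagging the oversize and overlap patterns and distinguishing a complete datagram from one still waiting for fragments.

```python
from typing import List, Tuple

IP_HEADER_LEN = 20         # minimal IPv4 header, no options
MAX_IP_DATAGRAM = 65535    # the 16-bit Total Length field cannot express more

# Constructed fragment representation: (offset in 8-byte units, more-fragments flag, payload bytes)
Fragment = Tuple[int, bool, int]


def check_fragments(frags: List[Fragment]) -> str:
    """Validate a fragment set before reassembly.

    Returns "ok" when the fragments form one complete datagram, "incomplete" when
    pieces are still missing, and raises ValueError for the two attack patterns.
    Exact duplicates (retransmissions) are treated as overlaps here for simplicity;
    a production stack would tolerate them.
    """
    if not frags:
        raise ValueError("no fragments")
    ordered = sorted(frags, key=lambda f: f[0])

    # Ping of Death: any fragment that would land past the 65,535-byte limit.
    for offset, _mf, length in ordered:
        end = IP_HEADER_LEN + offset * 8 + length
        if end > MAX_IP_DATAGRAM:
            raise ValueError("oversized datagram: fragment ends at byte %d" % end)

    # Teardrop: fragments whose byte ranges overlap an earlier fragment.
    prev_end = 0
    for offset, _mf, length in ordered:
        start = offset * 8
        if start < prev_end:
            raise ValueError("overlapping fragment at offset %d (previous ended at %d)" % (start, prev_end))
        prev_end = start + length

    # Every fragment except the last must carry a multiple of 8 bytes, or offsets cannot line up.
    for _offset, mf, length in ordered:
        if mf and length % 8 != 0:
            raise ValueError("non-final fragment with length %d not a multiple of 8" % length)

    # Completeness: contiguous from offset 0 and the last fragment has MF cleared.
    expected = 0
    for offset, _mf, length in ordered:
        if offset * 8 != expected:
            return "incomplete"
        expected += length
    return "incomplete" if ordered[-1][1] else "ok"


if __name__ == "__main__":
    normal = [(0, True, 1480), (185, False, 20)]          # 1480 bytes then the 20-byte tail
    ping_of_death = [(0, True, 1480), (8191, False, 16)]  # 65528 + 16 + 20 > 65535
    teardrop = [(0, True, 40), (3, False, 20)]            # second starts at byte 24, inside the first
    print("normal:", check_fragments(normal))
    for name, case in (("ping of death", ping_of_death), ("teardrop", teardrop)):
        try:
            check_fragments(case)
        except ValueError as exc:
            print(name + ":", exc)
```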

Within DNS servers, DNS namespaces are split up administratively into zones. One zone may contain all hostnames for the marketing and accounting departments, and another zone may contain hostnames for the administration, research, and legal departments. The DNS server that holds the files for one of these zones is said to be the authoritative name server for that particular zone. A zone may contain one or more domains, and the DNS server holding those host records is the authoritative name server for those domains.

The primary and secondary DNS servers synchronize their information through a zone transfer. After changes take place to the primary DNS server, those changes must be replicated to the secondary DNS server. It is important to configure the DNS server to allow zone transfers to take place only between the specific servers. Unauthorized zone transfers can take place if the DNS servers are not properly configured to restrict this type of activity.

DNSSEC adds digital signatures to DNS records, with a chain of trust from the root zone down, which allows resolvers to validate the origin and integrity of a response and ensure that it is not spoofed or potentially malicious. DNSSEC provides authentication and integrity only; it does not encrypt queries or responses.

Organizations should implement split DNS, which means a DNS server in the DMZ handles external hostname-to-IP resolution requests, while an internal DNS server handles only internal requests. This helps ensure that the internal DNS has layers of protection and is not exposed by being “Internet facing.” The internal DNS server should only contain resource records for the internal computer systems, and the external DNS server should only contain resource records for the systems the organization wants the outside world to be able to connect to.

Cybersquatters, individuals who register prominent or established names, hope to sell these later to real-world businesses that may require these names to establish their online presence (Domain grabbing).

IMAP provides all the functionalities of POP, but has more capabilities. If a user is using POP, when he accesses his mail server to see if he has received any new messages, all messages are automatically downloaded to his computer. Once the messages are downloaded from the POP server, they are usually deleted from that server, depending upon the configuration. POP can cause frustration for mobile users because the messages are automatically pushed down to their computer or device and they may not have the necessary space to hold all the messages. This is especially true for mobile devices that can be used to access e-mail servers. This is also inconvenient for people checking their mail on other people’s computers.

POP has historically been common for consumer Internet e-mail accounts (Gmail, Yahoo!, etc.), while IMAP is commonly used for corporate e-mail accounts; most providers now offer both.

E-mail spoofing is a technique used by malicious users to forge an e-mail to make it appear to be from a legitimate source.

If source routing is allowed, the packets contain the necessary information within them to tell the bridge or router where they should go. The packets hold the forwarding information so they can find their way to their destination without needing bridges and routers to dictate their paths.

External devices and border routers should not accept packets with source routing information within their headers, because that information will override what is laid out in the forwarding and routing tables configured on the intermediate devices. Source routing can be used by attackers to get around certain bridge and router filtering rules.

A phreaker is a phone hacker.

The main characteristics of the different types of firewalls are:
  • Packet Filters: (Network Layer) Look at source and destination addresses, ports and the services requested. Routers using ACLs to filter traffic are packet filters.
  • Application-level Proxy: (Application Layer) Looks deep into packets and makes granular access control decisions. Requires one proxy per protocol.
  • Circuit-level Proxy: (Session Layer) Looks only at the packet header information. It protects a wider range of protocols and services than an application-level proxy, but does not provide the detailed level of control available to ALPs.
  • Stateful: (Network Layer) Looks at the state and context of packets. Keeps track of each connection using a state table.
  • Kernel Proxy: (Application Layer) Faster because processing is done in the kernel. A dynamic, customized network stack is created for each packet.

Characteristics of application-level proxy firewalls:
  • Each protocol that is to be monitored must have a unique proxy.
  • Provides more protection than circuit-level proxy firewalls.
  • Require more processing per packet and thus are slower than a circuit-level proxy firewall.

Characteristics of circuit-level proxy firewalls:
  • Do not require a proxy for each and every protocol.
  • Do not provide the deep-inspection capabilities of an application layer proxy.
  • Provide security for a wider range of protocols.
SOCKS is an example of a circuit-level proxy gateway that provides a secure channel.

A system is considered a bastion host if it is a highly exposed device that is most likely to be targeted by attackers.

Firewall rules that should be implemented are as follows:
  • Silent rule :  Drop “noisy” traffic without logging it. This reduces log sizes by not responding to packets that are deemed unimportant.
  • Stealth rule :  Disallows access to firewall software from unauthorized systems.
  • Cleanup rule : Last rule in rule-base that drops and logs any traffic that does not meet preceding rules.
  • Negate rule: Used instead of the broad and permissive “any rules.” Negate rules provide tighter permission rights by specifying what system can be accessed and how.
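The four rule types above are easiest to understand as positions in a first-match rule base. Here is an added example, not code from the original post: a small first-match evaluator over a constructed rule base that contains a silent rule, two stealth rules, a negate rule and a cleanup rule. The addresses (a firewall at 203.0.113.1, a DMZ web server and a management network) are documentation ranges made up for the example. The sample packets show which rule each one hits and which decisions end up in the log.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for this example (documentation ranges, not a real network).
FIREWALL_IP = "203.0.113.1"
DMZ_WEB = "203.0.113.10"
MGMT_NET = "192.168.100.0/24"


@dataclass
class Rule:
    name: str
    src: str               # CIDR, host address or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any port
    action: str            # "accept" or "drop"
    log: bool


def _ip_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: dict) -> bool:
    return (_ip_match(rule.src, pkt["src"]) and _ip_match(rule.dst, pkt["dst"])
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))


RULEBASE: List[Rule] = [
    # Silent rule: drop the noisy broadcast chatter without filling the logs.
    Rule("silent-netbios", "any", "any", "udp", 137, "drop", log=False),
    # Stealth rules: only the management network may talk to the firewall itself;
    # everyone else is dropped and logged before any later, broader rule can apply.
    Rule("stealth-mgmt-ssh", MGMT_NET, FIREWALL_IP, "tcp", 22, "accept", log=True),
    Rule("stealth-protect-fw", "any", FIREWALL_IP, "any", None, "drop", log=True),
    # Negate rule: instead of "any -> DMZ accept", state exactly what may be reached and how.
    Rule("negate-dmz-https", "any", DMZ_WEB, "tcp", 443, "accept", log=True),
    # Cleanup rule: explicit, logged final deny so that "no match" never means "allowed".
    Rule("cleanup", "any", "any", "any", None, "drop", log=True),
]


def evaluate(rulebase: List[Rule], pkt: dict, log: List[str]) -> Tuple[str, str]:
    """First-match evaluation. Returns (action, rule name); appends a log line if the rule logs."""
    for rule in rulebase:
        if matches(rule, pkt):
            if rule.log:
                log.append("%s [%s] %s %s -> %s:%s" % (rule.action.upper(), rule.name, pkt["proto"],
                                                      pkt["src"], pkt["dst"], pkt.get("dport", "-")))
            return rule.action, rule.name
    # Only reachable if the rule base lacks a cleanup rule: still deny, and say why in the log.
    log.append("DROP [implicit-deny] %s %s -> %s" % (pkt["proto"], pkt["src"], pkt["dst"]))
    return "drop", "implicit-deny"


def has_cleanup(rulebase: List[Rule]) -> bool:
    """Sanity check a practitioner runs on a rule base: does it end in a logged catch-all drop?"""
    last = rulebase[-1]
    return (last.src == "any" and last.dst == "any" and last.proto == "any"
            and last.dport is None and last.action == "drop" and last.log)


if __name__ == "__main__":
    log: List[str] = []
    samples = [
        {"src": "198.51.100.7", "dst": FIREWALL_IP, "proto": "tcp", "dport": 22},   # stealth drop
        {"src": "192.168.100.9", "dst": FIREWALL_IP, "proto": "tcp", "dport": 22},  # admin accepted
        {"src": "198.51.100.7", "dst": DMZ_WEB, "proto": "udp", "dport": 137},      # silent, not logged
        {"src": "198.51.100.7", "dst": DMZ_WEB, "proto": "tcp", "dport": 443},      # negate rule accept
        {"src": "198.51.100.7", "dst": DMZ_WEB, "proto": "tcp", "dport": 80},       # cleanup drop
    ]
    for pkt in samples:
        print(evaluate(RULEBASE, pkt, log))
    print("\n".join(log))
    print("rule base ends with cleanup:", has_cleanup(RULEBASE))
```

Order is what makes the stealth rules work: because they sit above the broad DMZ rule, an attacker can never reach the firewall's own services through a later, more permissive entry. Swap the cleanup rule for an "any/any accept" at the bottom and every typo in the rules above it becomes an open door.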

A reverse proxy server sits in front of the servers on a network and fulfills clients' requests on their behalf; thus it handles traffic entering its network. A reverse proxy can carry out load balancing, TLS (encryption) acceleration, security filtering and caching.

On a smaller scale, companies may choose to implement tarpits, which are similar to honeypots in that they appear to be easy targets for exploitation.

Vishing is voice phishing: phishing carried out over telephone calls, VoIP or voice mail messages rather than e-mail.

The main protocols that make up the IPsec suite and their basic functionality are as follows:
  • Authentication Header (AH) provides data integrity, data origin authentication, and protection from replay attacks.
  • Encapsulating Security Payload (ESP) provides confidentiality, data-origin authentication, and data integrity.
  • Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange.
  • Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP.

AH and ESP can be used separately or together in an IPsec VPN configuration.
  • PPTP is used when a PPP connection needs to be extended through an IP-based network.
  • L2TP is used when a PPP connection needs to be extended through a non-IP-based network (it can also run over IP, usually combined with IPsec for protection).
  • IPsec is used to protect IP-based traffic and is commonly used in gateway to gateway connections.
  • SSL VPN is used when a specific application layer traffic type needs protection. 
The three core deficiencies with WEP are the use of static encryption keys, the ineffective use of initialization vectors, and the lack of packet integrity assurance.

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary protocol released before 802.1X was finalized. LEAP has significant security flaws and should not be used.

EAP-TLS (EAP-Transport Layer Security) uses PKI, requiring both server-side and client side certificates. EAP-TLS establishes a secure TLS tunnel used for authentication. EAP-TLS is very secure due to the use of PKI, but is complex and costly for the same reason. The other major versions of EAP attempt to create the same TLS tunnel without requiring a client-side certificate.

EAP-TTLS (EAP-Tunneled Transport Layer Security) simplifies EAP-TLS by dropping the client-side certificate requirement, allowing other authentication methods (such as password) for client-side authentication. EAP-TTLS is thus easier to deploy than EAP-TLS, but less secure when omitting the client-side certificate.

PEAP (Protected EAP) is similar to (and may be considered a competitor to) EAP-TTLS, including not requiring client-side certificates; PEAP carries only EAP methods inside the tunnel, while EAP-TTLS can also carry non-EAP inner methods.

802.11b uses DSSS in the 2.4 GHz band (up to 11 Mbps); 802.11a uses OFDM and works in the 5 GHz band (up to 54 Mbps). But working at a higher frequency means a device's signal cannot cover as wide a range.

802.16 is WiMAX.

Bluejacking and Bluesnarfing are Bluetooth attacks.

War driving is the type of attack when one or more people either walk or drive around with a wireless device equipped with the necessary equipment and software with the intent of identifying APs and breaking into them.

The protocol field of the IP packet dictates what protocol the IP packet is using. TCP=6, ICMP=1, UDP=17, IGMP=2
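The protocol numbers above are one byte of a header whose other fields (IHL, total length, flags, checksum) are what a filter or IDS has to validate before trusting that byte. As an added example that is not part of the original post, the following builds a minimal IPv4 packet for constructed documentation addresses, then parses it back: it checks the version and IHL, verifies the RFC 1071 header checksum, and reports the protocol by name. The packet builder exists only to make sample input; it is not a sending tool.

```python
import socket
import struct

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header. Computed over a header that
    already carries a correct checksum, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(protocol: int, src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Construct a 20-byte-header (no options) IPv4 packet with a valid checksum, DF set."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 header, raising ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL %d" % ihl)
    (_, _tos, total_len, _ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    if total_len < ihl or total_len > len(packet):
        raise ValueError("total length %d inconsistent with %d captured bytes" % (total_len, len(packet)))
    return {
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "proto-%d" % proto),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "payload": packet[ihl:total_len],
    }


if __name__ == "__main__":
    # Constructed sample: a TCP packet between two documentation-range addresses.
    pkt = build_ipv4(6, "192.0.2.1", "198.51.100.2", b"\x00" * 20)
    info = parse_ipv4(pkt)
    print(info["protocol"], info["protocol_name"], info["src"], "->", info["dst"], "ttl", info["ttl"])
    corrupted = pkt[:9] + bytes([pkt[9] ^ 0xFF]) + pkt[10:]   # flip the protocol byte
    try:
        parse_ipv4(corrupted)
    except ValueError as exc:
        print("corrupted packet rejected:", exc)
```

Reading the protocol byte before verifying the checksum and the length fields is how parsers get fooled; a real capture tool also has to cope with options (IHL greater than 5), which the parser handles by summing over the full header length rather than a fixed 20 bytes.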

Dedicated point-to-point protocols are HDLC and PPP.
Packet-switched protocols are X.25, Frame Relay and ATM.
Circuit-switched protocols are ISDN and Leased Line.

HDLC provides higher throughput and supports full-duplex transmission compared to SDLC. IBM mainframe systems used SDLC.

DSL is considered as an “always on” technology.

Footprinting is a method used by an attacker to learn information about a victim before carrying out scanning and probing activity.

802.2 is LLC and 802.3 is the Ethernet MAC (CSMA/CD). The LLC sublayer is the one that communicates with Layer 3.

An SNMP community string is a password a manager uses to request data from the agent (the read-write string also allows changing the agent's configuration). In SNMPv1 and v2c it travels in cleartext, and the defaults "public" and "private" are still widely left in place, so use SNMPv3 with authentication and privacy where possible.

In PPP, LCP establishes, configures and maintains the link and negotiates the authentication protocol (PAP, CHAP or EAP) that runs once the link is up; the NCPs, such as IPCP for IP, then configure the network layer protocols carried over the link.