Hi nanosumaila!!
Before starting with this answer I want to tell you that, due to the extent
of the work, there is the possibility that some point will be missed or
will be incomplete for you. So please don't consider this answer
finished until you feel satisfied with it. Use the clarification
feature to request further assistance if needed before rating this
answer.
Thank you.
LAN Definition:
The Institute of Electrical and Electronic Engineers (IEEE) has
defined a LAN as "a datacomm system allowing a number of independent
devices to communicate directly with each other, within a moderately
sized geographic area over a physical communications channel of
moderate rates".
A LAN enables users to share resources and functionality by connecting
servers, printers, workstations and storage devices.
The LAN provides applications that include distributed file storing,
remote computing and messaging:
·Distributed file storing provides direct access to the mass
storage of a remote server. It also provides capabilities such as
remote filing and remote printing.
·Remote computing provides the ability to run an application or
applications on remote components. It allows users to remotely log in
to another component on the LAN, remotely execute an application that
resides on another component, or remotely run an application on one or
more components, while having the appearance, to the user, of running
locally.
·Messaging applications are associated with mail and conferencing capabilities.
The above paragraphs show the advantages of using a LAN, but these
advantages do not come without risks.
BRIEF INTRODUCTION TO COMPUTER SYSTEMS SECURITY:
If an organization has a computer system and manages sensitive
information, it wants to protect that information.
The major threat to computer systems and the information they
manage comes from humans; it materializes through actions that can be
malicious or ignorant. When the action is malicious, there are
motivations behind the attack.
To perform the attack, techniques and methods that exploit
vulnerabilities in security policies and systems are used.
To protect computer systems and their information you must deal
with computer security.
"(Computer security) deals with the prevention and detection of
unauthorized actions by users of a computer. Lately it has been
extended to include privacy, confidentiality, and integrity...
...This definition implies that you have to know the information and
the value of that information in order to develop protective measures.
You also need to know which individuals need unique identities and
how much information may be divulged to the outside world. A rough
classification of protective measures in computer security is as
follows:
·Prevention: Take measures that prevent your information from being
damaged, altered, or stolen. Preventive measures can range from
locking the server room door to setting up high-level security
policies.
·Detection: Take measures that allow you to detect when information
has been damaged, altered, or stolen, how it has been damaged,
altered, or stolen, and who has caused the damage. Various tools are
available to help detect intrusions, damage or alterations, and
viruses.
·Reaction: Take measures that allow recovery of information, even if
information is lost or damaged.
The above measures are all very well, but if you do not understand how
information may be compromised, you cannot take measures to protect
it. You must examine the components on how information can be
compromised:
·Confidentiality: The prevention of unauthorized disclosure of
information. This can be the result of poor security measures or
information leaks by personnel. An example of poor security measures
would be to allow anonymous access to sensitive information.
·Integrity: The prevention of erroneous modification of information.
Authorized users are probably the biggest cause of errors and
omissions and the alteration of data. Storing incorrect data within
the system can be as bad as losing data. Malicious attackers also can
modify, delete, or corrupt information that is vital to the correct
operation of business functions.
·Availability: The prevention of unauthorized withholding of
information or resources. This does not apply just to personnel
withholding information. Information should be as freely available as
possible to authorized users.
·Authentication: The process of verifying that users are who they
claim to be when logging onto a system. Generally, the use of user
names and passwords accomplishes this. More sophisticated is the use
of smart cards and retina scanning. The process of authentication does
not grant the user access rights to resources; this is achieved through
the authorization process.
·Authorization: The process of allowing only authorized users access
to sensitive information. An authorization process uses the
appropriate security authority to determine whether a user should have
access to resources."
Extracted from "Microsoft TechNet - Security Threats":
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpent/sec1/secthret.asp
DEFINITIONS:
Access Points:
In a wireless local area network (WLAN), an access point is a station
that transmits and receives data (sometimes referred to as a
transceiver). An access point connects users to other users within the
network and can also serve as the point of interconnection between the
WLAN and a fixed wired network. Access points work similarly to hubs
and switches in a conventional wired network.
Ports:
A port (noun) is a "logical connection place" and specifically, using
the Internet's protocol, TCP/IP, the way a client program specifies a
particular server program on a computer in a network. Higher-level
applications that use TCP/IP, such as the Web protocol, Hypertext
Transfer Protocol, have ports with preassigned numbers. These are
known as "well-known ports" and have been assigned by the Internet
Assigned Numbers Authority (IANA). Other application processes are
given port numbers dynamically for each connection. When a service
(server program) is initially started, it is said to bind to its
designated port number. When a client program wants to use that
server, it must also request to bind to the designated port number.
Port numbers are from 0 to 65536. Ports 0 to 1024 are reserved for use
by certain privileged services. For the HTTP service, port 80 is
defined as the default and does not have to be specified in the
Uniform Resource Locator (URL).
IP Address:
An IP address is the logical address of a network adapter. The IP
address uniquely identifies computers on a network.
An IP address can be private, for use on a LAN, or public, for use on
the Internet or other WAN. IP addresses can be determined statically
(assigned to a computer by a system administrator) or dynamically
(assigned by another device on the network on demand).
IP addresses consist of four bytes (32 bits). Each byte of an IP
address is known as an octet. Octets can take any value between 0 and
255, but various rules exist for ensuring IP addresses are valid. An
IP address is usually presented in a four-part numerical format that
uniquely identifies a computer accessible over a TCP/IP-based LAN or
the Internet. For example, 127.0.0.10.
An IP address has two parts: the identifier of a particular network on
the Internet and an identifier of the particular device (which can be
a server or a workstation) within that network.
Topology:
-----------------------------------------------------------
Security threats at access points:
In a wired network you have physical connections to transfer or
receive network traffic. In consequence you have strong control over
who has network access by controlling physical access. But the
implementation of a wireless network (WLAN) implies the use of a radio
transmitter and receiver.
You can to some extent control the direction and range of the signal
by choice of antenna and by adjusting output power, but you cannot set
up absolute boundaries and expect the radio signal to stop at the
door. This means that, in a WLAN, you cannot control who might be
receiving and listening to your transmissions.
Most wireless LANs use spread spectrum, a modulation technique
developed to prevent jamming of radio communications. Spread spectrum
is capable of changing the "spreading codes" in a secretive way, which
makes it nearly impossible for someone to decipher the signal's
intelligence unless they know the code. The problem, however, is that
the 802.11 standard clearly describes the spreading codes publicly so
that companies can design interoperable 802.11 components. As a
result, a hacker only needs an 802.11-compliant radio NIC as the basis
for connectivity, which obliterates the security benefit of spread
spectrum.
The consequence is that using a wireless network implies
understanding that anyone can listen, and you must also accept
that if someone can receive data from your network, he can also
send data to your network, making it useless, if he has the tools and
the skills.
SSID (Service Set Identifier):
The SSID is specified by the 802.11 standard as a form of password that
lets a user's radio NIC join a particular WLAN. It requires that the
radio NIC have the same SSID as the access point to enable the
connection. This is the only security feature that the access point
requires to enable connections if no optional security features are
active.
As a security mechanism, the SSID is not very strong because access points
broadcast the SSID multiple times per second as part of the answer to
clients sending a broadcast request; this gives a hacker the opportunity
to identify the SSID using 802.11 analysis tools. Windows
XP is itself a good sniffer of the SSID in use by the network and
automatically configures the radio NIC within the end user device!!
Using these tools to discover "open" access points is called
"WarDriving". Note that some administrators use the vendor's default
SSIDs, which are well known, making it easy for a "WarDriver" to discover
the system SSID.
Sniffers:
These are tools capable of mapping the access points in the
area; they give an attacker the means to detect the access
points and to "sniff" the SSIDs.
There are also more powerful tools that receive ALL the network
packets and decode them for easy reading; they are called network
sniffers.
Network sniffers are great tools to analyse network traffic and detect
errors, but their functions can also be abused.
For example, plaintext traffic is easy to read. There are several
popular plaintext protocols and services in use, such as ICQ, IMAP,
POP3, SMTP and FTP, and as a consequence usernames,
passwords, and the text of mails and/or messages are easily retrieved.
Another example comes from the use of hidden SSIDs, that is, products
that can be configured not to return the SSID in
response to a broadcast request. In this case, the users must have the
correct SSID to be able to connect to a given access point. When a
client broadcasts the SSID to find an access point, a hacker can easily
pick it up with a network sniffer and use it for his malicious
purposes.
Use of DHCP (Dynamic Host Configuration Protocol):
If an intruder captures an access point's SSID, to access the network
resources he must also have an applicable IP address. Unfortunately, WLAN
administrators use DHCP to assign IP addresses automatically. With
this, an attacker receives an applicable IP address as if he were a
legitimate user.
MAC Address Access Control:
The MAC (Media Access Control) address is your computer's unique
hardware number. More specifically, it is a hardware address that
uniquely identifies each node of a network. Access points can manage a
list of MAC addresses that are allowed/disallowed on the wireless
network. Since the MAC address of the network card is static, you can
use such a list to control network access and also the host and
user.
The MAC address should never be used as a top-level security measure because
it can be easily spoofed using one of the following methods:
· The network card can be switched or stolen; with this you lose
control of the allowed/disallowed host and user.
· With a network sniffer a hacker can compile the list of allowed MAC
addresses by sniffing to find which hosts are talking. This stolen
information is then used to spoof the MAC address by changing the MAC
address of the attacker's card with the proper tool; for example, on
Windows it can be done on some cards by editing the registry, and there
are also specific tools for this task.
· It is common that, when a WLAN is set up, the network cards are bought
in bulk; in consequence the MAC addresses of these cards are often in
sequence, so if a hacker can capture at least one allowed MAC address
it is easy for him to figure out which MAC addresses are in use.
Rogue Access Points:
It is easy for anyone to deploy an access point of their own. A rogue
access point can be installed in a place kept secret by the intruder; with
this the attacker can easily access the network either locally or
remotely. He could also replace a "good" access point (installed by
the network administrator) with another one on which he has full
configuration and monitoring access; remember that it is possible to
define the MAC address on some access points.
With a rogue access point an intruder can perform a Man-in-the-Middle
attack: the attacker appears as the access point to the client and as the
client to the real access point. All traffic will now flow through the
Man-in-the-Middle and your network is open to him.
Social Engineering:
Social engineering is the art of getting people to comply with your
wishes; in system security terms it is the use of social (interaction
with others) techniques to deceive people in order to gather sensitive
and confidential information that they wouldn't normally share. This
is accomplished by exploiting the vulnerabilities of human nature.
This is not a problem unique to wireless security.
Social engineering can incorporate many types of attacks. A person can
attempt to get information in person through questioning, by
pretending to be someone else, or even by using a disguise. An example
is when a cracker tries to con a password out of an authorized user
while pretending to be part of the system's maintenance crew. Dumpster
diving is another low-tech form of social engineering. This is the
process of going through someone's trash to find confidential
information. Another less targeted method is through the acquisition
of used computers or media.
Pirate Access Point:
An attacker can configure his network card in access point mode by
setting it with an SSID and WEP similar to the real access point's; he can
also use a spoofed MAC to match the real access point if
necessary. If network access is protected by a web portal, the
fake access point also runs a web server that intercepts all HTTP and
HTTPS requests and redirects them to a custom-made "login page" that
looks like the real login page of the portal. He only needs to wait for
a victim to enter his username and password. Immediately after that a
disassociate message is sent to disconnect the victim from the pirate
access point, and he is also banned from further associations. The
victim will think that he typed a wrong password and will try a new
connection; this time he will be connected to the real access point
and login page.
Obviously, the victim's username and password are logged by the attacker
for use in future attacks.
Securing the Access Points:
Here is a list of measures that implement security mechanisms to
protect your access points.
- Turn SSID broadcasting OFF (hidden SSID) (if your product allows it):
With this, the only time the SSID is broadcast is when a client is
associating, reducing the chances of a hacker identifying the SSIDs
with an analysis tool.
- Change the default Service Set Identifier (SSID):
Use a password generation program to produce new SSIDs on a regular basis.
- Access Point Location:
When possible, place access points away from windows. The idea
here is not to place the access points close to the perimeter of the
network facility; doing so reduces the chances of communications being
intercepted, because the radio signal will be degraded
toward the exterior. Also try to orient antennas so that the area
covered is as small as possible. If you can reduce radio wave
propagation in public areas like parking lots, lobbies and adjacent
offices, you will minimize the risk of a hacker sniffing your
sensitive broadcasts.
- Disable Access Points During Non-Usage Periods:
If possible, shut down access points when users are not connecting to
them. If there are just a few access points in a WLAN, simply pulling
the power plug is sufficient. For a larger network, consider
Power-over-Ethernet (PoE) equipment that lets you power down all
access points remotely.
- Use Intrusion Detection Tools (IDS - Intrusion Detection Systems):
Network-based IDSs are designed to sit on your network, monitor
traffic and send alarms whenever suspicious behavior occurs. IDSs can
monitor and analyze user and system activities, recognize patterns of
known attacks, identify abnormal network activity, and detect policy
violations for WLANs. Use these tools to scan the network for
rogue users.
Popular wireless IDS solutions include AirDefense RogueWatch and
AirDefense Guard and Internet Security Systems RealSecure Server
Sensor and Wireless Scanner products.
Use wireless packet sniffer programs to intercept and decode the
traffic; packet headers include MAC and IP addresses. Then, if you know
the MAC and IP addresses of all the allowed users, scanning with a
sniffer will expose the intruders. There are several excellent tools
that are capable of mapping the access points in the area. They are
also useful for installation and for detecting rogue access points:
NetStumbler (Windows) and MiniStumbler (Pocket PC)
PocketWarrior (Pocket PC)
Kismet (Linux)
Dstumbler (NetBSD, FreeBSD, OpenBSD)
Wellenreiter (Linux, experimental BSD)
802.11 Network Discovery Tools (Linux)
iStumbler (Mac)
AirMagnet (Windows, PDA)
THC-WarDrive (Linux)
PrismStumbler (Linux)
WaveStumbler (Linux)
ssidsniff (Linux)
WaveMon (Linux)
For more reference on this topic visit "Wireless Intrusion Detection
Systems" by Jamil Farshchi:
http://www.securityfocus.com/infocus/1742
- IP addresses:
Use static IP addresses rather than a Dynamic Host Configuration
Protocol (DHCP) server. If you use DHCP an attacker only needs to steal
SSIDs, because you automatically assign a valid IP address to every
connection. Using static IP addresses, the intruder must know the legal
range of IP addresses in your network and also which ones are not
in use at the moment of the attack. You can improve network
security by keeping the range of legal IP addresses small.
- WEP:
Implement 802.11(b) Wired Equivalent Privacy (WEP) encryption. It
will not stop hackers, but it will make the attack more difficult to
complete; it is a deterrent. Although the keys are cumbersome to
change, you must update them often. In order to use different keys,
you must manually configure each access point and radio NIC with the new
common keys.
- Use MAC Address Access Control:
Use products that support a list of MAC addresses that are
allowed/disallowed on the wireless network.
As an additional measure, use tools to change MAC addresses (these tools
are used by hackers too) in order to change the default MAC addresses
of the devices bought in bulk, which normally have sequential MAC
addresses.
Again, this will not stop a hacker, but it is a deterrent.
- Set access points outside the firewall:
Put wireless access points outside the enterprise firewall and set up
rules that let in only the IP and/or MAC addresses of legitimate
users. This will make it difficult (but not impossible) for a hacker to
gain access to your system.
- Use authentication mechanisms (in addition to WEP):
You can use a RADIUS (Remote Authentication Dial-In User Service)
server, an authentication and accounting system. With it you
force users to enter a login ID and password when they want to get
inside the enterprise LAN. This information is passed to the RADIUS
server, which checks that the information is correct and then
authorizes access to the system.
You can also deploy access controller servers, which provide
centralized intelligence behind the access points to regulate traffic
between the relatively open wireless LAN and important network
resources. The access controller is hardware placed on the wired part
of the WLAN, between the access points and the protected side of the
network.
For more reference about Access Controller see:
"Access Controllers are Key to WLAN Deployment" By Jim Geier:
http://www.wi-fiplanet.com/tutorials/article.php/1380911
"Guarding The Flank With RADIUS & TACACS+" (and subsequent pages) by Dan Backman:
http://www.networkcomputing.com/902/902ws1.html
- Use a VPN (Virtual Private Network):
This implies the use of a third-party encryption mechanism for all data
on the WLAN. The user installs VPN client software on their wireless
device, which communicates securely with the VPN server. These
systems use encryption and other security mechanisms to ensure that
only authorized users can access the network and that the data cannot
be intercepted.
Implement a VPN using IPSec or a similar technology to ensure
confidentiality. Place all access points outside a firewall
configured to allow only VPN traffic to pass through.
This can be an expensive solution, but it provides excellent security.
For references about VPN visit:
"Virtual Private Networks (VPNs)" from Cisco website:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/vpn.htm
"How Virtual Private Networks Work" (and subsequent pages):
http://computer.howstuffworks.com/vpn.htm
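As an added example (not part of the original answer), the Python script below automates the check described under the IDS measure and the static IP measure above: beacon and data records taken from a sniffer are compared against an inventory of the access points you installed and the static MAC-to-IP assignments of allowed users, and anything unexpected is reported. The inventory, the record format and the sample capture are constructed for this example; a real deployment would feed it parsed frames from one of the sniffer tools listed above.

```python
"""Added example: compare sniffed WLAN header records with an allow list.

The inventory, the record format and the capture below are constructed for
this example. Records are dicts produced by whatever sniffer you use:
  {"kind": "beacon", "ssid": ..., "bssid": ...}   # frame from an access point
  {"kind": "data",   "mac": ...,  "ip": ...}      # client frame with IP header
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory. Because addresses are assigned statically (as
# recommended above), each authorized client MAC maps to exactly one IP.
AUTHORIZED_APS = {  # SSID -> BSSIDs (AP MAC addresses) installed by the administrator
    "corp-wlan": {"00:40:96:aa:bb:01", "00:40:96:aa:bb:02"},
}
AUTHORIZED_CLIENTS = {  # client MAC -> statically assigned IP address
    "00:0c:41:11:22:01": "10.10.1.11",
    "00:0c:41:11:22:02": "10.10.1.12",
    "00:0c:41:11:22:03": "10.10.1.13",
}
# The legal range is deliberately kept small (see the IP addresses measure).
LEGAL_CLIENT_RANGE = ip_network("10.10.1.0/28")


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so list lookups are reliable."""
    return mac.strip().lower().replace("-", ":")


def check_ap(ssid, bssid):
    """A beacon carrying one of our SSIDs from a BSSID we did not install is a
    rogue or pirate access point. Beacons for foreign SSIDs belong to
    neighbours and are ignored. Returns a finding tuple or None."""
    bssid = normalize_mac(bssid)
    if ssid in AUTHORIZED_APS and bssid not in AUTHORIZED_APS[ssid]:
        return ("rogue_ap", bssid)
    return None


def check_client(mac, ip):
    """Check a client MAC/IP pair against the static assignment list."""
    mac = normalize_mac(mac)
    addr = ip_address(ip)
    expected = AUTHORIZED_CLIENTS.get(mac)
    if expected is None:
        return ("unknown_client", mac)      # MAC not on the allow list
    if addr not in LEGAL_CLIENT_RANGE:
        return ("ip_out_of_range", mac)     # allowed MAC, illegal address
    if addr != ip_address(expected):
        return ("ip_mismatch", mac)         # allowed MAC using another station's address
    return None


def analyze(records):
    """Return the distinct findings for a list of records, in detection order.

    An authorized MAC seen with more than one IP is also reported: the MAC
    filter passes it, but two stations (the real one and a copy) are using it.
    """
    findings = []
    ips_per_mac = defaultdict(set)
    for rec in records:
        if rec["kind"] == "beacon":
            finding = check_ap(rec["ssid"], rec["bssid"])
        else:
            finding = check_client(rec["mac"], rec["ip"])
            ips_per_mac[normalize_mac(rec["mac"])].add(rec["ip"])
        if finding and finding not in findings:
            findings.append(finding)
    for mac, ips in ips_per_mac.items():
        if mac in AUTHORIZED_CLIENTS and len(ips) > 1:
            finding = ("duplicate_mac_use", mac)
            if finding not in findings:
                findings.append(finding)
    return findings


# Constructed sample capture: two of our APs, one impostor advertising our
# SSID, a neighbour's AP, and a mix of legitimate and suspicious clients.
SAMPLE_CAPTURE = [
    {"kind": "beacon", "ssid": "corp-wlan", "bssid": "00:40:96:AA:BB:01"},
    {"kind": "beacon", "ssid": "corp-wlan", "bssid": "00:11:22:33:44:55"},
    {"kind": "beacon", "ssid": "guest-net", "bssid": "00:90:4c:12:34:56"},
    {"kind": "data", "mac": "00:0c:41:11:22:01", "ip": "10.10.1.11"},
    {"kind": "data", "mac": "00:0c:41:11:22:02", "ip": "10.10.1.12"},
    {"kind": "data", "mac": "00:0c:41:11:22:02", "ip": "10.10.1.99"},
    {"kind": "data", "mac": "00:0c:41:11:22:ff", "ip": "10.10.1.14"},
    {"kind": "data", "mac": "00:0c:41:11:22:03", "ip": "10.10.1.12"},
]


def run_sample():
    """Run the checks over the constructed capture and return the findings."""
    return analyze(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for kind, who in run_sample():
        print(f"{kind}: {who}")
```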
-----------------------------------------------------------
TOPOLOGY:
Topology is the schematic description of the arrangement and
interlinking of computers in a computer network. It describes the
network layout related to the servers, nodes and connections.
There are some common types of network topologies: Bus, Star, Ring, Mesh and Tree.
-Bus topology:
All nodes are connected to a central line (the bus), which acts as the
system backbone, and the nodes connect only to this bus. The bus has
an end piece that returns the signal. The signal does not go through
each node in turn but travels down the bus with the address of the
intended station within it.
-Star topology:
The nodes are connected directly to a server or central node. The
central node is the central controlling point, controlling access,
software distribution and access to peripherals such as printers.
Whenever a new computer is added, it requires a new cable run to the
server. The failure of a transmission line linking any peripheral node
to the central node will result in the isolation of that peripheral
node from all others.
-Ring topology:
This is a network topology in which every node has exactly two branches
connected to it. These nodes and branches form a ring. If one computer
goes down then the whole network goes down, because the packet/frame
needs to pass through each computer to get to its destination. Faults
in this type of network topology can be difficult to find because the
problem could be located anywhere in the ring. A variation of this
type of network topology is the Token Ring type. This is where a token
is passed from computer to computer. If one needs to send data to
another then it has to wait for an empty token to take the data. The
destination computer takes the data out of the token, returns the token
to its empty state and sends it around the network once more.
-Mesh Topology:
A network topology in which there are at least two nodes with two or
more paths between them. This means that devices are connected with
many redundant interconnections between network nodes. There are two
types of mesh topologies: full and partial mesh.
In full mesh topology, each node is connected directly to each of the
other nodes. In partial mesh topology there are some nodes connected
directly to all the others, but there are some nodes connected only to
nodes with which they exchange the most data.
-Tree topology:
A network topology in which the nodes are arranged as a tree. This
topology is the result of the combination of linear bus and star
topologies. It consists of groups of star-configured nodes connected
to a backbone bus. Thus, a tree network is a bus network of star
networks.
All these topologies can also be mixed to obtain a hybrid topology. A
hybrid topology is always produced when two different basic network
topologies are connected and the resulting network topology fails to
meet one of the basic topology definitions; in real life, hybrid
topologies are the ones mostly used.
Basic Network Topologies image:
http://www.ictp.trieste.it/~radionet/1997_workshop/networking/notes/sld011.htm
When you define your network topology, you must define it from the
outside to the inside. In other words, you define from the point of
the access router belonging to your Internet service provider (ISP)
down into your network.
"The interconnection of the nodes in a network consisting of more than
five nodes can be achieved in a variety of ways. The moment that the
number of nodes increases, the number of different ways of connecting
the nodes rises exponentially. Nevertheless for obvious reasons it is
best not to build a network from a random structure.
Normally when a network is designed the expected traffic and number of
hosts connected is studied, the needs of the users and various other
things so that a structure can be devised which can give the best
possible service to the clients. Wireless networks which grow in an
uncontrolled way will require a special design or a continual
adjustment to the structure to ensure that the services offered can be
done so effectively.
The following points are those which should be taken into account when
we design a network:
·Avoid congestion in a single point in the network.
·Reduce the number of hops between one host and another where possible.
·Try and ensure that multiple links to other nodes in the network
exist from one node. If one node fails the other link can be used, and
if we are using dynamic routing this change will be immediate and
transparent to the users.
·Use tools which can monitor the network and prevent future problems.
·Separate client traffic, from traffic between nodes.
·Avoid as much as possible manual configuration and use standard
configurations for each of the different installed components.
·Use links between nodes with the highest possible bandwidth (where
possible by radio).
·Maintain good communications with the nodes' administrators. Normally
the people who maintain a company network manage the whole network:
with a wireless network each administrator manages his own node so
that communication between the different administrators is very
important when solving problems which might occur.
It will be important during a network's initial stages of growth to
discuss the addition of new nodes and the best place to connect them
to, as well as the tools which could be used to monitor the various
parts of the network."
From "Wireless Network Structure - Network Topology" (Copyright © 2002
by Simon Mudd, Ángel Moncada "c4n", Joaquín Béjar "ShuoData"):
http://www.wl0.org/~sjmudd/wireless/network-structure/english/article.html#AEN269
After this introduction we will discuss some examples of network
topologies that show, in general, how most networks are configured.
These examples were summarized from the page "Securing a Solaris Server
- Network Topology" (please refer to this page for further info and
for diagrams, because it is not possible to include them here):
http://www.accs.com/p_and_p/SolSec/network.html
Co-located Server:
In this topology you must place a server at an ISP. There is a direct
connection from the ISP's router (or switch) to your system, usually
over a 100 Megabit connection. This topology puts the highest possible
security demands on the server, as it is fully and directly accessible
from the Internet. The high speed of the connection will also allow
large amounts of data to be transferred if an intrusion occurs.
Flat Network:
Here the router is not filtering packets. Often, the router will be a
DSL or Cable modem. This topology is often used in a Small Office/Home
Office (SOHO) network.
With this topology, all systems on your network are fully and directly
accessible from the Internet. The security demands on each system on
your network are similar to those for a Co-located Server. The only
improvement over the Co-located Server is that the bandwidth through
which a compromised system can be exploited is usually lower.
If there are a very small number of systems on your network, this
network topology is acceptable. Careful configuration of network
routes can improve the security of this topology, but it's a complex
task.
VPN connections are possible with this network configuration.
Medium Office Network:
This network has the same topology as is shown for the SOHO Network
(Flat Network). The main difference is that packet filtering is being
performed in the Border Router.
Usually, VLANs are being used in the switch(es), to simplify
communications configuration. A virtual (or logical) LAN is a local
area network with a definition that maps workstations on some other
basis than geographic location (for example, by department, type of
user, or primary application). It is a network of computers that
behave as if they are connected to the same node; VLANs are configured
through software. This makes VLANs very flexible, for example when a
computer is physically moved to another location, it can stay on the
same VLAN without any hardware reconfiguration.
The Authentication Server and the Internal File Server must be
connected to dedicated switched ports. Neither system should have
any direct communications with external systems.
Properly authenticated users (login and password) of the Dial-in
Server must be allowed connections to external systems and should
receive the same degree of protection. File sharing should only be
done to dial-in systems that are appropriately authorized (a separate
issue from authentication). Optimally, only secured connections to the
internal systems should be allowed.
Partitioned Network:
This topology can be very secure. Packet filtering is performed by the
border router and the main router. The presence of the firewall makes
the big difference from the Medium Office Network (if it is not used,
the Medium Office Network configuration can be used, with the second
router providing little additional security). The firewall monitors
the state of the connection; this gives high assurance that
connections aren't being made to unprotected internal ports.
If additional protection of, and from, the Dial-in Server is desired,
it could be connected to a port on the Firewall, thus providing
additional protection for the internal network and the dial-up user.
If there is a portion of the network where there is external
access to the switch, that portion must be connected through the
firewall. This security risk is common on wireless networks.
If VPN is used in this configuration, it should be done in the border
router. A connection request should not be allowed to enter the border
router from the ISP, unless it's for one of the external servers, or
for the Firewall. Also, no RPC or UDP requests should be accepted from
the ISP, unless they're for one of the external servers that's
supposed to receive them, or responses to DNS or NTP requests.
For additional reference see:
"Designing a Network Topology":
http://barolo.ita.hsr.ch/vorlesungen/nwd/pdf/Chapter_5_Logical%20Network%20Topology.pdf
"Configure IT: Design the best security topology for your firewall
(Choose a network topology without sacrificing security)" by Steven
Warren:
http://techrepublic.com.com/5100-6264-1039779-1.html
From Microsoft:
"Topology Security" by Chris Brenton:
http://www.microsoft.com/technet/security/topics/network/topology.mspx
From Cisco website:
"Define Your Network Topology":
http://www.cisco.com/univercd/cc/td/doc/product/ismg/security/tutorial/topology.htm
"Guidelines and Techniques for Defining Your Network Topology":
http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver20/topology/nwgdlin.htm
------------------------------------------------------------
IP Addresses:
Note: this paragraph was summed up from "Wireless Network Structure -
IP Addresses" (Copyright © 2002 by Simon Mudd, Ángel Moncada "c4n",
Joaquín Béjar "ShuoData"):
http://www.wl0.org/~sjmudd/wireless/network-structure/english/article.html#AEN78
A group of IP addresses are required to setup a wireless network.
A wireless network needs a range of IP addresses to enable connections
between clients within a node, connections between nodes and
connections with other wireless networks (if they are needed).
To avoid conflicts when your network connects with others, it is
recommended that the IP addresses used are assigned from the private
RFC 1918 networks.
The three groups of IP addresses designated by RFC 1918 for private use are:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Client Connections:
For the allocation of IP addresses used by clients connecting to the
network and the nodes it is recommended that the range 10.0.0.0/8 be
used before using addresses from the other RFC 1918 blocks.
Inter-Node Assignments (links within one group):
While not necessary it is often more convenient to use a separate
range of addresses for the network connections within a group used to
connect the different nodes. For this use it is recommended that an
assignment is made from the range 172.16.0.0/12, avoiding the
intra-group assignment.
Intra-Group Assignments (links between different groups):
It is recommended that a subrange of 172.16.0.0/12 be reserved
for connections between different wireless groups. The addresses from
this range which are actually used for this purpose should be
registered in a public place to avoid duplication.
Assignments within a Wireless Group to a Node:
The local assignment of a block of IP addresses to a node will be
centralised locally by some of the group's members. These members will
decide the procedures for assigning blocks of IP addresses, the number
of IP addresses each block will have and the requirements which each
node must fulfill to be added to the network.
If a node is not connected to any other node then it can use any IP
address range it wants. However, it would be convenient for it to use
an address from the range 10.254.0.0/16 recommended on the
freenetworks.org website for non-connected networks. If you use these
addresses you will not need to request a block from your local
wireless group.
Standard Assignment:
To each node a block of addresses will be assigned from the group's
global assignment mentioned. Each node will consist of at least 32 IP
addresses of which 30 will be usable. In principle one address will be
used by the actual node/router leaving the remaining addresses for use
by clients.
The block of 32 addresses will be assigned in the following way:
10.x.y.0 Network Address
10.x.y.1 Router or node's IP Address
10.x.y.2-30 The node's Clients' IP Addresses
10.x.y.31 Broadcast address
The netmask in this case will be 255.255.255.224.
Each class C network, 10.x.y.0/24, will be composed of 8 sub-nets whose
last digit ends in .0, .32, .64, .96, .128, .160, .192 and .224.
As the assignment of blocks of 32 IP addresses may be insufficient in
urban zones with a high population density, it may be necessary to
consider assigning additional blocks of 32, 64, 128 or even 256 IP
addresses to a node, each block with its appropriate network address
and netmask.
--------------------------------------------------------------
Ports:
From "searchNetworking.com Definitions" we have the following definition of port:
"In programming, a port (noun) is a "logical connection place" and
specifically, using the Internet's protocol, TCP/IP, the way a client
program specifies a particular server program on a computer in a
network. Higher-level applications that use TCP/IP such as the Web
protocol, Hypertext Transfer Protocol, have ports with preassigned
numbers. These are known as "well-known ports" that have been assigned
by the Internet Assigned Numbers Authority (IANA). Other application
processes are given port numbers dynamically for each connection. When
a service (server program) initially is started, it is said to bind to
its designated port number. As any client program wants to use that
server, it also must request to bind to the designated port number.
Port numbers are from 0 to 65536. Ports 0 to 1024 are reserved for use
by certain privileged services. For the HTTP service, port 80 is
defined as a default and it does not have to be specified in the
Uniform Resource Locator (URL)."
Any server makes its services available using numbered ports, one for
each service that is available on the server. For example, if a server
machine is running a Web server and an FTP server, the Web server
would typically be available on port 80, and the FTP server would be
available on port 21. Clients connect to a service at a specific IP
address and on a specific port.
That means open ports correspond to listening services, and to
protect your system you must configure it so that a minimal
number of ports are open on it; by closing unnecessary ports, you can
block attackers from gaining access to your machine.
The best way of closing listening ports is to shut off the
corresponding service listening on the port. Beyond shutting off
services, you can also block ports using a firewall.
Blocked ports should not give end users a false sense of security;
blocking ports should be viewed as a preventive measure. They help
prevent damage if something does go wrong. Blocking ports is a
sensible additional layer of defense because filtering ports will
reduce malicious traffic.
Each of the most well-known services is available at a well-known port
number. Here are some common port numbers:
·echo: 7
·daytime: 13
·qotd: 17 (Quote of the Day)
·ftp: 21
·telnet: 23
·smtp: 25
·time: 37
·nameserver: 42
·nicname: 43 (Who Is)
·gopher: 70
·finger: 79
·WWW: 80
For a complete list of IETF assigned port numbers see the following document:
"PORT NUMBERS" (last updated 2004-03-04):
'The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports:
-Well Known Ports are those from 0 through 1023.
-Registered Ports are those from 1024 through 49151
-Dynamic and/or Private Ports are those from 49152 through 65535'
http://www.iana.org/assignments/port-numbers
------------------------------------------------------------
DIFF Attacks:
An effective attack method against standard software protection
mechanisms is differential analysis, which compares multiple versions
of the same protected program to identify their differences. If some
of these versions are unprotected, the differences identified through
differential analysis will reveal the software protection mechanisms
used, allowing newly introduced security features to be more easily
defeated.
More clearly, given two closely related pieces of software X and Y
(they can be an original version and an update), where Y differs from
X through a number of small but important (from a security point of
view) modifications that were done to Y, the "diff" attack consists of
comparing X and Y so as to pinpoint the fragments of code in which
they differ. The differences between X and Y could include, among
other things, the fact that Y contains credentials-checking mechanisms
that were lacking in X, such as password protection,
biometrically-based access controls, challenge-response protocol with
a remote server, etc. Pinpointing those differences makes it easier
for an attacker to defeat the security-related features of Y that the
attacker dislikes (not only credentials-checking, but also
integrity-checking and other kinds of policy-enforcement that the
attacker wishes to circumvent).
So, to sum up, adding protection to fielded software provides an
attacker with a point of leverage: By comparing the original code (or
executable) with the updated version, an attacker may be able to
locate the "protective" modifications and thereby defeat them.
Due to the complexity of the software applications, developers tend to
update applications in a modular fashion. This leaves much of the
final object code unchanged; then, when new versions are released, a
differential analysis of the new and old version would indicate where
differences in the code exist.
Several tools, like disassemblers, debuggers and virtual execution
environments, can be used to perform the differential analysis.
The attacker must do one of two things:
1) Utilize the instruction set of the processor that the software and
operating system was designed to operate on.
2) He can dynamically monitor the activity of the software executable
during real time operation.
To protect software binaries from reverse engineering, you must develop
protective techniques like:
·Detecting hostile reverse engineering applications including
debuggers and disassemblers
·Detecting falsified operating environments
·Memory and file protection
A developer can protect his software by using (1) A polymorphic binary
encryption tool that ensures that different versions of the same
program are syntactically different, (2) A metamorphic code decryption
engine generator ensures that the decryption engines embedded in the
final protected binaries are themselves different from one another
without relying on code encryption, and (3) Insertion of additional
anti-reverse-engineering code into the run-time decryption engine
ensures that attackers cannot easily apply commercial user-level
debuggers to trace the instruction execution and thus uncover the
underlying logic of the run-time decryption engine.
One of the requirements for protecting software executables is the
ability to "lock-down" a particular application to one computer
system. The program software uses some kind of HD signature to
determine if it is still operating on the same computer platform. If
not, the software will not run or erases itself. The end result is a
"locked-down" version of the software that helps prevent illegal uses
of the software application.
Software protection provides an additional layer of security.
Sources for DIFF attacks paragraph:
"Software Protection and Application Security: Understanding the
Battleground" by A. Main and P.C. van Oorschot:
http://www.scs.carleton.ca/~paulv/papers/softprot8a.pdf
"Advancing Software Security? The Software Protection Initiative" by
Mr. Jeff Hughes and Dr. Martin R. Stytz, Ph.D.:
http://www.preemptive.com/documentation/SPI_software_Protection_Initative.pdf
"DoD SBIR Resource Center - OSD selections":
http://www.dodsbir.net/awardlist/abs031/osdabs031.htm
---------------------------------------------------------------
Additional reference for Network Security:
"The Unofficial 802.11 Security Web Page":
http://www.drizzle.com/~aboba/IEEE/
"Computer Security Threats":
http://www.caci.com/business/ia/threats.html
From Microsoft: "Protecting Your Network: Wireless, Firewall, and
Perimeter Security":
http://www.microsoft.com/technet/Security/topics/network/default.mspx
"An initial Security Analysis of the IEEE 802.1x standard":
http://www.uninett.no/wlan/download/1x.pdf
"Wireless Local Area Networks - Security Challenges and Best
Practices" by Thomas Stripling:
http://www.sema.atosorigin.com/infrastructure/pdf/whitePapers/03SNS487-WLAN_layout3.pdf
----------------------------------------------------------------
I hope this helps you. Remember to request any clarification needed.
Best regards.
livioflores-ga
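The Standard Assignment and RFC 1918 rules from the IP Addresses section above, worked through in code. This is an added example, not part of the original answer; the 10.x.y.0/24 network and the registered blocks it uses are constructed sample values.

```python
# Added example (not from the original answer): carve a 10.x.y.0/24 into the
# eight 32-address node blocks the answer describes, assign the roles of each
# address in a block (network, router, clients, broadcast), check that a block
# really lies inside the recommended RFC 1918 ranges, and detect the duplicated
# assignments a public registry is meant to prevent.
import ipaddress

# The three RFC 1918 private ranges and the freenetworks.org range for
# non-connected nodes, both quoted in the answer.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NON_CONNECTED = ipaddress.ip_network("10.254.0.0/16")


def is_private(block):
    """True if the whole block falls inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(block, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def node_layout(block):
    """Roles of the addresses in a node block, as the Standard Assignment says:
    .0 network, .1 router, .2-.30 clients, .31 broadcast for a /27.
    Larger blocks (/26, /25, /24) follow the same pattern with more clients."""
    net = ipaddress.ip_network(block, strict=False)
    if net.prefixlen > 27:
        raise ValueError("a node block must hold at least 32 addresses")
    hosts = list(net.hosts())          # excludes network and broadcast
    return {
        "network": str(net.network_address),
        "router": str(hosts[0]),
        "clients": (str(hosts[1]), str(hosts[-1])),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable": len(hosts),
    }


def split_class_c(class_c, prefix=27):
    """The eight /27 sub-nets (.0, .32, ..., .224) of one 10.x.y.0/24."""
    return [str(s) for s in ipaddress.ip_network(class_c).subnets(new_prefix=prefix)]


def find_overlaps(blocks):
    """Pairs of registered blocks that collide, i.e. duplicated assignments."""
    nets = [ipaddress.ip_network(b, strict=False) for b in blocks]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed sample: group network 10.3.7.0/24, third block to a node.
    print(split_class_c("10.3.7.0/24"))
    print(node_layout("10.3.7.64/27"))
    print(find_overlaps(["10.3.7.0/27", "10.3.7.32/27", "10.3.7.0/26"]))
```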