Friday, April 7, 2017

3+ years later - I passed the CISSP exam

I honestly had forgotten this blog existed. I completed this my last semester while attending UGA. Following graduation, I went on to accept a position as a consultant with KPMG where I worked for just over 3 years. I completed a number of projects in the cybersecurity space, and I learned a great deal along the way. In Winter of 2016, I sat down to take the CISSP exam (after a fairly intense three month study schedule) and I passed it. I'm not fully certified yet, I'm still short about 9 months of work experience, but I'll gain that soon.

I've just recently left my position with KPMG. After three years I learned that while I'm still passionate about security, I am not as passionate about consulting. I felt a lack of connection with my everyday work assignments, and most of all I missed having opportunities to build and work directly with technology. That's why I left to pursue a career in software development. As a developer, I'll have the opportunity to build and create, and to solve complex problems. I'll have the opportunity to apply my security expertise in a new way by considering how the applications I build should incorporate security and protect user data and privacy.

As part of the move, I've set up a new site - https://jongrim.github.io. There I'll be writing new posts about what I'm learning during my transition, and probably more importantly, I'll host my portfolio of projects. Of course if you're just interested in the projects, you can jump straight to my github.

I'm planning to leave all of the old posts up for posterity. I think they still get page views from time to time, and hopefully they'll help others with studying. If the information becomes too outdated though, and I remember to check, then I'll remove it to avoid creating confusion.

All the best,
Jon

Thursday, November 21, 2013

Network Protocols

Networks run on many different protocols that offer many different functions. I have previously discussed protocols such as TCP and UDP which control the communication sessions between two systems. There are many more protocols that enable a network to function as a whole. Some of these are discussed next.

Address Resolution Protocol

ARP works at the data link layer and provides address resolution. Whereas the network layer uses IP addresses, the data link layer uses what's referred to as the Media Access Control (MAC) address. The MAC address is programmed into the NIC by the manufacturer and is a combination of an ID unique to the manufacturer and an ID that the manufacturer assigns. When systems communicate on a network, the data link layer needs to put the MAC address of the intended recipient on the frame. To do this, it must take the IP address the network layer used and resolve it to a MAC address. This is ARP's job. ARP maintains a table, or cache, that lists which IP address corresponds to which MAC. If there is no MAC listed for an IP address, ARP sends a broadcast request asking whichever system has that IP to reply with its MAC address. Note that ARP only resolves addresses on the local segment; for a destination on another network, the host resolves the MAC address of its default gateway instead and lets the router forward the packet.

A common attack against ARP is known as ARP cache poisoning. ARP was designed with no security built in; the weakness is that it does not authenticate where ARP packets come from. Because of this, any system can send an unsolicited ARP reply to another system claiming to own a certain IP address, typically the default gateway's. The target accepts this packet and updates its ARP cache. From then on, any frame destined for that IP address is delivered to the attacker instead, who can forward it on while reading or altering the traffic in transit. This is a simple way to perform a man-in-the-middle attack on a local network. Static ARP entries on critical hosts and switch features such as dynamic ARP inspection are the usual mitigations.
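The victim-side behaviour described above, as an added example that is not code from the original post. It models an ARP reply as a simplified record (sender IP, sender MAC, and whether this host actually had a request outstanding for that IP) and contrasts a cache that trusts every reply with one that refuses to learn from unsolicited replies or to overwrite a binding it already holds; the two sample replies are constructed.

```python
"""Victim-side view of ARP cache poisoning: naive cache vs. guarded cache.

Added example, not code from the original post. ArpReply is a simplified
stand-in for the real packet; the sample replies below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    solicited: bool   # True only if this host had a request outstanding for sender_ip


def naive_cache(replies):
    """What the protocol itself specifies: trust every reply and overwrite the
    cache entry. This is exactly what lets the attacker win."""
    cache = {}
    for r in replies:
        cache[r.sender_ip] = r.sender_mac.lower()
    return cache


def guarded_cache(replies):
    """Hardened host: learn only from solicited replies, never let a reply
    silently change an existing IP->MAC binding, and report both conditions.
    Returns (cache, alerts)."""
    cache, alerts = {}, []
    for r in replies:
        mac = r.sender_mac.lower()
        known = cache.get(r.sender_ip)
        if known is not None and known != mac:
            alerts.append(f"poisoning attempt: {r.sender_ip} {known} -> {mac}")
            continue                      # keep the binding we already had
        if not r.solicited:
            alerts.append(f"unsolicited reply for {r.sender_ip} from {mac}")
            continue                      # do not learn from it
        cache[r.sender_ip] = mac
    return cache, alerts


# Constructed sample: the real gateway answers our request, then an attacker
# sends a gratuitous reply claiming the gateway's IP address.
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "AA:BB:CC:00:00:01", solicited=True),
    ArpReply("10.0.0.1", "DE:AD:BE:EF:00:66", solicited=False),
]

if __name__ == "__main__":
    print("naive   :", naive_cache(SAMPLE_REPLIES))
    print("guarded :", guarded_cache(SAMPLE_REPLIES))
```

The guarded variant is what a static ARP entry or dynamic ARP inspection gives you in practice: the first, legitimate binding survives and the attacker's reply is logged rather than trusted.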

Dynamic Host Configuration Protocol

DHCP is a protocol that assigns IP addresses to systems dynamically, as they join the network. DHCP functions over UDP and is commonly implemented as a service on routers. DHCP leases out IP addresses from a set range and maintains a table of currently leased addresses, which prevents two systems from accidentally receiving the same address and creating a conflict. Each assigned address is given a lease time; when the lease expires, the system must renew its address or give it up. Like ARP, DHCP has no authentication of its own, so a rogue DHCP server on the segment can hand clients itself as their default gateway. The steps to receive an IP address via DHCP are listed below:
  1. A client computer connects to a network and broadcasts a DHCP discover packet (it has no address yet, so a broadcast is all it can do).
  2. The DHCP server responds with a DHCP offer packet, which proposes an available IP address along with configuration settings such as the subnet mask, default gateway and DNS servers.
  3. The client responds with a DHCP request packet confirming its acceptance of the offer.
  4. Finally, the DHCP server responds with a DHCP ack packet which acknowledges the client's acceptance and includes the lease period of the address.
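The four-step exchange above, simulated end to end as an added example (not code from the original post). Messages are plain dicts rather than real DHCP option encoding, the address pool, lease time and client MACs are made up, and time is a simulated counter; the point is the lease table that stops two clients getting one address and the expiry that returns addresses to the pool.

```python
"""Minimal DHCP server plus the client side of Discover/Offer/Request/Ack.

Added example, not code from the original post. Messages are simplified
dicts; pool, lease time and MACs below are constructed.
"""


class DhcpServer:
    """Leases addresses from a fixed pool, one address per client."""

    def __init__(self, pool, lease_time=3600, gateway="192.168.1.1"):
        self.free = list(pool)          # addresses neither leased nor offered
        self.offered = {}               # ip -> mac, offered but not yet requested
        self.leases = {}                # ip -> (mac, expiry time)
        self.lease_time = lease_time
        self.gateway = gateway
        self.clock = 0                  # simulated seconds

    def _offer(self, ip, mac):
        return {"type": "OFFER", "mac": mac, "ip": ip,
                "gateway": self.gateway, "lease": self.lease_time}

    def handle(self, msg):
        mac = msg["mac"]
        if msg["type"] == "DISCOVER":
            for ip, (holder, _) in self.leases.items():   # returning client
                if holder == mac:
                    return self._offer(ip, mac)
            if not self.free:
                return None                               # pool exhausted: no offer
            ip = self.free.pop(0)
            self.offered[ip] = mac
            return self._offer(ip, mac)
        if msg["type"] == "REQUEST":
            ip = msg["ip"]
            owner = self.offered.get(ip) or self.leases.get(ip, (None, 0))[0]
            if owner != mac:                              # not yours: refuse
                return {"type": "NAK", "mac": mac}
            self.offered.pop(ip, None)
            self.leases[ip] = (mac, self.clock + self.lease_time)
            return {"type": "ACK", "mac": mac, "ip": ip, "lease": self.lease_time}
        raise ValueError(f"unexpected message type {msg['type']}")

    def advance(self, seconds):
        """Move the clock and return expired addresses to the free pool."""
        self.clock += seconds
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= self.clock:
                del self.leases[ip]
                self.free.append(ip)


def obtain_address(server, mac):
    """Client side: DISCOVER -> OFFER -> REQUEST -> ACK. Returns the IP or None."""
    offer = server.handle({"type": "DISCOVER", "mac": mac})
    if offer is None:
        return None
    ack = server.handle({"type": "REQUEST", "mac": mac, "ip": offer["ip"]})
    return ack["ip"] if ack["type"] == "ACK" else None


if __name__ == "__main__":
    srv = DhcpServer(["192.168.1.10", "192.168.1.11"], lease_time=600)
    print(obtain_address(srv, "aa:aa:aa:aa:aa:01"))
    print(obtain_address(srv, "aa:aa:aa:aa:aa:02"))
    print(obtain_address(srv, "aa:aa:aa:aa:aa:03"))   # None: pool exhausted
```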

Internet Control Message Protocol

ICMP is used for testing connectivity and reporting errors. Perhaps its most well-known use is the ping utility. When administrators wish to test whether they can reach a system, they ping it to see if they get a reply. ping sends an ICMP echo request packet; if the intended recipient receives it, it replies with an ICMP echo reply. The reply tells the sender that the message was received and provides information about the path, such as round-trip time. Routers also use ICMP to report problems: when a packet cannot be delivered, the router sends a destination-unreachable message back to the sender, and it can send a redirect to tell a host that a better next hop exists for that destination.

There are a couple of attacks that use ICMP to cause damage. One is the ping of death. An IPv4 datagram cannot exceed 65,535 bytes, and a normal ping is far smaller, so older systems never checked for anything larger. An attacker sends a fragmented echo request whose fragments reassemble to more than 65,535 bytes; the receiver's reassembly buffer overflows and the system may freeze or crash. Another attack is known as the smurf attack. It takes advantage of the fact that most systems listen for and respond to ICMP traffic. The attacker crafts an ICMP echo request with a forged source address, the address of the system they wish to attack, and sends it to a network's broadcast address. Every system on that network then sends an echo reply to the victim, which is flooded with far more traffic than the attacker sent. Modern systems check fragment sizes during reassembly and routers are configured not to forward directed broadcasts, which is why both attacks are mostly historical.
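The two checks a receiver or router would apply against the attacks just described, as an added example that is not code from the original post: reassembly arithmetic that catches an oversized datagram before any buffer is written, and a test for an echo request aimed at a broadcast address. The fragment lists and addresses are constructed, not captured traffic.

```python
"""Checks for the ping of death and smurf abuses of ICMP.

Added example, not code from the original post. Fragments are modelled as
(offset, payload_length, more_fragments) triples; samples are constructed.
"""
import ipaddress

IPV4_MAX_DATAGRAM = 65535      # the IPv4 total-length field is 16 bits
IPV4_HEADER_LEN = 20           # minimum header; options would make it longer
ICMP_ECHO_REQUEST = 8


def is_ping_of_death(fragments):
    """fragments: (fragment_offset, payload_length, more_fragments) triples,
    with the offset in 8-byte units as carried in the IPv4 header. A legitimate
    sender can never produce a fragment that ends beyond the 65,535-byte
    maximum; a receiver that does not check this overflows its reassembly
    buffer."""
    for offset, length, _more in fragments:
        if IPV4_HEADER_LEN + offset * 8 + length > IPV4_MAX_DATAGRAM:
            return True
    return False


def is_smurf_request(dst_ip, local_network, icmp_type):
    """An echo request addressed to the directed broadcast of a segment (or to
    the limited broadcast) is the amplification step of a smurf attack; a
    router should drop it rather than forward it onto the segment."""
    if icmp_type != ICMP_ECHO_REQUEST:
        return False
    dst = ipaddress.ip_address(dst_ip)
    net = ipaddress.ip_network(local_network, strict=False)
    return dst == net.broadcast_address or dst == ipaddress.ip_address("255.255.255.255")


# Constructed samples: three fragments of a normal 3,060-byte ping payload, and
# a final fragment whose offset pushes the datagram past 65,535 bytes.
NORMAL_PING = [(0, 1480, True), (185, 1480, True), (370, 100, False)]
OVERSIZED_PING = [(0, 1480, True), (8189, 1480, False)]   # 8189*8 + 1480 = 66,992

if __name__ == "__main__":
    print("normal ping oversized?   ", is_ping_of_death(NORMAL_PING))
    print("crafted ping oversized?  ", is_ping_of_death(OVERSIZED_PING))
    print("echo to 192.0.2.255 smurf?", is_smurf_request("192.0.2.255", "192.0.2.0/24", 8))
```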

Simple Network Management Protocol

SNMP was developed in the late 1980's to aid in network management. The protocol functions with a manager/agent relationship. The manager is the server portion which periodically polls the agents to request new information. Each agent is assigned a group of objects that it watches and maintains information about. This information is organized in a database-like structure called the Management Information Base (MIB). A MIB is a logical grouping of related objects that contain data used for specific management tasks and status checks. The manager periodically polls the agents for the information in the MIB, and an agent can also send an unsolicited trap message when a notable event occurs. This gives the administrator a good way to monitor the network as a whole. Note that SNMP versions 1 and 2c authenticate requests with nothing more than a community string sent in cleartext, so anyone who learns a writable community string can reconfigure the device; SNMPv3 adds per-user authentication and encryption.

Saturday, November 16, 2013

Network Topology

The physical arrangement of computers and devices is called network topology. The topology of a network determines the manner in which a network is physically connected and shows where resources are located. It is possible that while a network has a certain physical topology, it may be logically connected in a different way. For instance, a network may be physically laid out as a star topology but be logically controlled as a ring. The type of topology that is used will depend on what configuration makes the most sense for the resources involved and the context of the network. In reality, company networks are made up of many smaller networks that may vary greatly in topology.

Ring topology

In a ring topology, devices within the network are laid out in a closed loop. Each system is connected to the rest of the network through the device on either side of it. The transmission link is unidirectional, so data flows in only one direction. Because there is no central device, a frame must travel through each device along the ring until it reaches its destination. In a simple ring this makes every device a single point of failure: if one system goes down, nothing can be forwarded past it. In practice, ring technologies add redundancy, such as a second counter-rotating ring, to keep the network running when one link or station fails.

Bus topology

A bus topology uses a single cable as a backbone for the network. Nodes are connected to this cable through drop points and have the ability to look at each packet as it travels along the cable. When a device transmits to another on the network, the packet gets placed on the cable and is examined by each node until the one it's addressed to sees it and pulls it. Because the cable serves the entire network, it is a possible single point of failure.

Star topology

In a star topology, each node is connected to a central device such as a switch. A dedicated link exists between each node and the central device, so nodes are not dependent on each other as they are in a ring or bus. Unless the central device itself goes down, a node going out does not affect the rest of the network. This topology also requires less cabling than a full mesh. Most networks today are based on a star topology because it is more resilient than ring or bus, at the cost of making the central device the one single point of failure.

Mesh topology

The final topology is the mesh topology. In a full mesh, every system is connected to every other system. This offers a large amount of redundancy, since the loss of any one node or link leaves all the others connected, but the number of links grows with the square of the number of nodes, so a great deal of cabling is required and it can be a real mess to handle. A partial mesh is a network with many connections between nodes where not every node is connected to every other. The internet is an example of a partial mesh.

The diagram below illustrates the different network topologies.
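To put numbers on the resilience claims made for each topology, here is an added example (not code from the original post) that models the four layouts as graphs and finds which single device failures leave some surviving devices unable to reach others. The ring is modelled as unidirectional, as described above, the bus cable is modelled as a node every station attaches to, and the node counts are arbitrary.

```python
"""Which single device failures partition each topology?

Added example, not code from the original post. Graphs are dicts of
node -> set of nodes it can send to; node counts are arbitrary.
"""


def ring(n):
    # Unidirectional ring: each station forwards only to its downstream neighbour.
    return {i: {(i + 1) % n} for i in range(n)}


def _undirected(nodes, edges):
    g = {n: set() for n in nodes}
    for a, b in edges:
        g[a].add(b)
        g[b].add(a)
    return g


def star(n):
    stations = list(range(1, n + 1))
    return _undirected(["switch"] + stations, [("switch", s) for s in stations])


def bus(n):
    # The shared cable is modelled as a node that every station attaches to.
    stations = list(range(1, n + 1))
    return _undirected(["cable"] + stations, [("cable", s) for s in stations])


def full_mesh(n):
    nodes = list(range(n))
    return _undirected(nodes, [(a, b) for a in nodes for b in nodes if a < b])


def reachable(graph, start, removed):
    """Depth-first search from start, treating nodes in `removed` as dead."""
    seen, stack = {start}, [start]
    while stack:
        for v in graph[stack.pop()]:
            if v not in removed and v not in seen:
                seen.add(v)
                stack.append(v)
    return seen


def single_points_of_failure(graph):
    """Nodes whose removal leaves some surviving node unable to reach some
    other surviving node."""
    spof = set()
    for dead in graph:
        alive = {n for n in graph if n != dead}
        if any(reachable(graph, n, {dead}) != alive for n in alive):
            spof.add(dead)
    return spof


if __name__ == "__main__":
    for name, g in [("ring", ring(5)), ("bus", bus(4)),
                    ("star", star(4)), ("full mesh", full_mesh(4))]:
        failures = sorted(map(str, single_points_of_failure(g)))
        print(f"{name:9s} single points of failure: {failures}")
```

The result matches the prose: every station in a simple unidirectional ring is a single point of failure, the bus and star each have exactly one (the cable and the switch), and the full mesh has none.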

Friday, November 15, 2013

The format of network communications

Every data transmission has three fundamental characteristics: format (analog vs. digital), synchronization (synchronous vs. asynchronous), and how the channel is shared (baseband vs. broadband). These characteristics are discussed next.

Analog vs. Digital

To transfer data from one location to another, a signal must be created. This signal serves as the medium by which data is transported. There are two signaling formats: analog and digital. Analog signals, used by technologies such as radio, have a wave shape that varies continuously and so can express an infinite number of values. Digital signals, by contrast, are discrete: a voltage within one range represents a 0 and a voltage within another represents a 1. As a comparison, think of how an analog watch differs from a digital watch. An analog watch uses hands to convey the time and, if it has a second hand, the time is constantly flowing. A digital watch simply reads the time at that moment; there is no movement or flow involved.

For the purposes of networking, digital signals are the preferred format. Computers have always processed data as 0's and 1's. When telecommunications networks carried only analog signals, computers required a modem to modulate digital data onto an analog carrier and demodulate it at the other end; on digital lines this conversion is no longer needed. Digital signals can also be regenerated exactly by a repeater, whereas amplifying an analog signal amplifies the accumulated noise along with it, so digital transmission degrades far less over distance. These are a couple of the reasons why telecommunications and other networks have moved to all-digital formats.

Asynchronous and Synchronous

When two machines need to share data over a network, it is much like two people having a conversation. As people speak with each other, there are natural pauses between sentences and thoughts. These gaps allow the other to process what has been said, and they give the conversation a natural rhythm. We also have rules for written language: periods and commas show when a thought ends, and spaces separate words into individual units. These rules allow us to synchronize our communications. Just as we have grammar rules to synchronize our conversations, so do computers. Asynchronous and synchronous describe two different sets of rules for how computers keep their communication aligned.

In asynchronous mode, start and stop bits mark where each character begins and ends, so the receiver can recover character boundaries without sharing a clock with the sender. This is just like the earlier example of inserting spaces between words so that a person can easily read them. In synchronous communication there are no start and stop bits; the data is transmitted in a continuous stream, and a clock signal (or a clock recovered from the signal itself) keeps both sides aligned, similar to the rhythm that pauses give a spoken conversation. For synchronous transmission, both systems must use a synchronous protocol such as High-Level Data Link Control (HDLC), whose framing tells the receiver how to interpret the stream. Asynchronous transmission is what a serial (RS-232/UART) link does. Despite its name, Asynchronous Transfer Mode (ATM) is not the protocol behind start/stop-bit transmission; it is a cell-switched WAN technology, and its "asynchronous" refers to cells being sent as needed rather than in fixed time slots.
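Asynchronous framing as a UART does it, written out as an added example (not code from the original post): one start bit, eight data bits least-significant first, one stop bit, with the line idle high between characters (the common "8N1" setting, assumed here). The receiver needs no shared clock because every character re-synchronizes it on the start bit, which is why idle gaps of any length between characters are harmless, and why a corrupted stop bit shows up as a framing error.

```python
"""Start/stop-bit (asynchronous) framing and de-framing, 8N1.

Added example, not code from the original post. 8N1 (8 data bits, no
parity, 1 stop bit, idle high) is assumed; the sample bytes are constructed.
"""


def frame_bytes(data: bytes) -> list:
    """Encode bytes as a bit stream: start bit 0, 8 data bits LSB first, stop bit 1."""
    bits = []
    for byte in data:
        bits.append(0)                                    # start bit: line drops from idle
        bits.extend((byte >> i) & 1 for i in range(8))    # data, least significant bit first
        bits.append(1)                                    # stop bit: line returns to idle
    return bits


def deframe_bits(bits) -> bytes:
    """Decode a bit stream back to bytes, resynchronizing on every start bit.
    Raises ValueError on a truncated character or a missing stop bit."""
    out = bytearray()
    i = 0
    while i < len(bits):
        if bits[i] == 1:                                  # idle line, nothing to read yet
            i += 1
            continue
        if i + 10 > len(bits):
            raise ValueError("truncated character")
        data_bits = bits[i + 1:i + 9]
        if bits[i + 9] != 1:
            raise ValueError("framing error: stop bit missing")
        out.append(sum(b << k for k, b in enumerate(data_bits)))
        i += 10
    return bytes(out)


def roundtrip_with_idle_gaps(data: bytes, gap: int) -> bytes:
    """Send each character separately with `gap` idle bits between them, as a
    human typing slowly would, and decode the whole stream."""
    stream = [1, 1, 1]                                    # line idle before the first character
    for byte in data:
        stream.extend(frame_bytes(bytes([byte])))
        stream.extend([1] * gap)
    return deframe_bits(stream)


if __name__ == "__main__":
    print(frame_bytes(b"A"))                      # 0x41 -> [0, 1,0,0,0,0,0,1,0, 1]
    print(roundtrip_with_idle_gaps(b"Hi", gap=7))
```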

Baseband and Broadband

Baseband and broadband refer to how communication sessions are handled in the physical transmission media. A baseband technology uses all of the communication channel for its transmission. A broadband technology divides the channel into sub-channels so that multiple transmissions can occur simultaneously. For instance, a coaxial cable TV is a broadband technology that delivers multiple television channels over the same cable.

There is an important distinction that just because a technology could transmit multiple signals on one channel, doesn't mean it is broadband. Unless there are specific rules for how the channel will be divided, it is still a baseband technology. As an analogy, think of a large one lane highway. Because there is only one lane through which to travel it is baseband. But if we go and paint white lines down the middle (put in rules for dividing the channel) the highway now supports more traffic and is broadband.

All of these characteristics come together to make up a transmission technology. For instance, WiFi carries digital data by modulating it onto an analog radio carrier, each frame begins with a preamble that the receiver uses to synchronize, and it is broadband because it divides its frequency band into channels. These characteristics exist for every transmission medium and are important to understanding how data is transmitted.

Physical Layer

The bottom layer of the OSI model is the physical layer. This is where the bits hit the wire. Depending on the transmission technology, the frames are encoded to match. Each transmission technology (Ethernet, Token Ring, FDDI) has its own standard for how the data should be transmitted. The data link layer above knows what kind of technology the network is transmitting on and tells the physical layer what voltage and signaling scheme to use. The network interface card serves as the bridge between the data link layer and the physical layer; it is the NIC's responsibility to physically encode the frames.

Wednesday, November 6, 2013

Data Link Layer

We are nearing the bottom of the OSI model now. Layer 2 is the data link layer. As the packet has moved down the protocol stack, information has been added that tells the recipient what kind of data the packet contains, whether it is part of an ongoing conversation, where it falls in the sequence of packets, and whether it is indeed intended for them. Now it is time to translate the packet into the proper format for the technology it will be transmitted over. This is the job of the data link layer.

LAN and WAN technologies can use different protocols and media for transmission. Each has its own specification for how data should be packaged and for how electrical signals are interpreted. If a computer is communicating over an Ethernet network, the headers must be a certain length with the fields properly set. If the specification of the transmission technology is not followed, the receiving system will not be able to interpret the data.

The data link layer handles preparing a packet to be transmitted. The layers above it do not know how the packet is going to be transmitted and do not need to be concerned with it. The data link layer will add the necessary information to the packet headers, change the data into the necessary format, and fix sequencing of received packets. If there are transmission errors then the data link layer will also alert upper-layer protocols.

The data link layer is divided into two functional sub-layers. The upper one is the Logical Link Control (LLC), which works with the network layer directly above it and handles flow control and error checking. So if a frame is received out of sequence or with an error, the LLC alerts the network layer to take action. Below the LLC is the Media Access Control (MAC) sub-layer. This is where a packet is translated into the format required by the technology it will be placed on. The MAC sub-layer knows whether the network is Ethernet, Token Ring, FDDI, or something else, places the final header and trailer, and hands the frame to the physical layer to be converted into the appropriate signal. Note that once the data link layer applies the last header and trailer, the unit of data is called a frame.

Some protocols that work at the data link layer include Point-to-Point Protocol (PPP), ATM, Layer 2 Tunneling Protocol (L2TP), FDDI, Ethernet, and Token Ring. Each network technology (Ethernet, FDDI, ATM, Token Ring) also defines the compatible physical transmission type (coaxial cable, twisted pair, fiber) and electrical signaling and encoding. The MAC sub-layer understands these requirements and tells the physical layer what type of electrical signal to create.
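The header and trailer the MAC sub-layer adds, built and checked for one technology as an added example (not code from the original post): an Ethernet II frame with destination and source MAC, EtherType, payload padded to the 46-byte minimum, and a CRC-32 frame check sequence as the trailer. The addresses and payload are constructed, and the FCS byte order assumed here is the usual least-significant-byte-first convention; verify it against a real capture before relying on it. The parser rejects a runt frame and a frame whose CRC no longer matches, which is how a damaged frame gets reported to the upper layers instead of being passed up.

```python
"""Build and parse an Ethernet II frame with a CRC-32 FCS trailer.

Added example, not code from the original post. Addresses and payload are
constructed; FCS byte order is assumed to be little-endian.
"""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
HEADER_LEN = 14          # 6-byte dst MAC + 6-byte src MAC + 2-byte EtherType
MIN_PAYLOAD = 46         # pads short frames to the 64-byte minimum including FCS
MAX_PAYLOAD = 1500       # standard Ethernet MTU


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _fcs(body: bytes) -> bytes:
    # Assumption: CRC-32 (same polynomial zlib uses), least significant byte first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds Ethernet MTU")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")          # pad, never truncate
    body = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload
    return body + _fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Verify the FCS and split the frame into its fields; ValueError on damage."""
    if len(frame) < HEADER_LEN + MIN_PAYLOAD + 4:
        raise ValueError("runt frame")
    body, fcs = frame[:-4], frame[-4:]
    if _fcs(body) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {
        "dst": bytes_to_mac(body[0:6]),
        "src": bytes_to_mac(body[6:12]),
        "ethertype": ethertype,
        "payload": body[14:],   # includes padding; the upper layer's own length
    }                           # field (e.g. IP total length) says where data ends


if __name__ == "__main__":
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                        ETHERTYPE_IPV4, b"constructed payload")
    print(len(frame), "bytes on the wire")
    print(parse_frame(frame))
```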

Network Layer

Moving down the OSI model to layer 3 we have the network layer. This layer's main responsibility is addressing and routing packets to their proper destination. To accomplish this, the network layer adds a header to each packet that carries the source and destination addresses. The packet is then passed to the lower layers where it is eventually placed on the wire. As a packet traverses a network, each router examines the header to see where the packet is addressed and how to route it. Routing tables are built and maintained that describe the layout of the network. Some routing protocols determine the best path for a packet based on multiple factors including distance and transmission rate. So when a packet needs to be sent, the router checks its routing table for the most specific matching route, picks the next hop, and sends the packet on its merry way.

Protocols that work on this layer do nothing to ensure delivery. They rely on the protocols of the transport layer to provide that functionality (if the protocol used by that layer even provides that option). Protocols at the network layer are solely concerned with routing and addressing. The most well known protocol at this layer is the Internet Protocol (IP). As the name suggests, this is the core protocol that much of the internet functions on. Other protocols include Internet Control Message Protocol (ICMP), Border Gateway Protocol (BGP), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Internet Group Management Protocol (IGMP).
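The routing-table lookup described above, as an added example (not code from the original post): a longest-prefix match over a small IPv4 table, with equal-length prefixes tied on metric, and a helper that returns the address the data link layer must then resolve with ARP (the destination itself when it is directly connected, the gateway otherwise). The routes and addresses are made up.

```python
"""Longest-prefix-match routing lookup.

Added example, not code from the original post. Routes, metrics and
interface names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: Optional[str]     # None means the destination is directly connected
    interface: str
    metric: int = 1


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, interface, metric=1):
        net = ipaddress.ip_network(prefix, strict=True)
        self.routes.append(Route(net, next_hop, interface, metric))

    def lookup(self, dst) -> Optional[Route]:
        """Most specific (longest) matching prefix wins; among equal prefix
        lengths the lowest metric wins. Returns None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr not in r.network:
                continue
            if best is None or (r.network.prefixlen, -r.metric) > (best.network.prefixlen, -best.metric):
                best = r
        return best


def next_hop_for(table: RoutingTable, dst: str):
    """Return (address the data link layer must ARP for, outgoing interface),
    or None when the destination is unroutable."""
    r = table.lookup(dst)
    if r is None:
        return None
    return (r.next_hop if r.next_hop is not None else dst, r.interface)


if __name__ == "__main__":
    t = RoutingTable()
    t.add("0.0.0.0/0", "203.0.113.1", "eth0")          # default route
    t.add("10.0.0.0/8", "10.1.1.254", "eth1", metric=10)
    t.add("10.0.0.0/8", "10.1.1.253", "eth1", metric=5) # same prefix, better metric
    t.add("10.1.2.0/24", None, "eth1")                  # directly connected
    for dst in ("10.1.2.7", "10.9.9.9", "8.8.8.8"):
        print(dst, "->", next_hop_for(t, dst))
```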