Tuesday, November 18, 2008

ICND1 Networking Summarization Cont'd

A sudden burst of serenity: I believe life is but what you make it to be. We live in the millennium now, anything is possible, creation is but at the tip of our fingers....

Now who do you know that dual screens with a blog on a 37" and a dictionary on a 21"? Hmmmmm, well, you're reading his notes.

Now, to stray from my digression and soak our heads back into the networking world, as I left off:

Ping is an important part of survival with a device: no answer to your request means a diagnosis is required. We have just about every detail and step-by-step instruction on how to set up any service on a machine. The really hard problem is getting it to work interactively with other machines. Imagine a group of people playing a friendly game of soccer, 5 to be exact; they have been playing for 2 hours straight, and boom, one of them hurts a leg and is unable to join. Our soccer players are actually nice people who figure out that the only way to include their hurt friend is to play catch in a circle with the ball. Now that is how networking works: you add something new and you adapt the machine to the new service, or something is wrong with the machine and you configure it to run the services. A common mistake when creating a universal deployment of any application: machines are not reaching each other, which is caused by interference with a machine (shutdown of the machine, user logged off) or by another machine doing its job in a way that won't let you do yours. A little advice when handling new installations, setups or whatever: know your network and know it well.

I will be attacking the Datalink Layer:

Another hard part to the puzzle of connection: the MAC address. It is a 48-bit (6-byte) address that has precedence within our networking world. MAC is derived from Ethernet, and Ethernet is the standard low-level encapsulation package that has become renowned in the world of networking; screw token ring.

Why is MAC so important? The MAC is burned into your network card; each MAC address contains specifics of your NIC, and part of your MAC is learned by our lovely, powerful devices called switches. Therefore, in order to understand a switch clearly you must understand MAC.

Starting from the inside out, I would like you to yet again imagine a picture that I have been looking at for the last 2 years, one that should be so familiar to you that every time it is mentioned you should gasp in AH!! meaning you do understand.

4 PCs attached to 1 SWITCH

            SWITCH
    ------------|-----------
    |       |       |      |
   PC1     PC2     PC3    PC4

Each is connected to a switch port. What do you know about a SWITCH? Each RJ-45 port is a separate collision domain. The other half of the Data Link Layer is known as the LLC layer; this layer tells the PC, when passing the packet to the physical layer, what lucky protocol will get the job of delivering the packet.

Stick with me here, this is important, and I'm not showing you any history to learn; I'm showing modern-day logic and fact.

Each PC is on a separate line, and because each has a separate collision domain no (internal) interference will occur. Embedded within MAC/LLC is CSMA/CD, which stands for and acts exactly as it sounds:

Carrier : Signal
Sense : Detect
Multiple : Equals Access
Collision : Two devices at once
Detection : How to handle the collision

to send the signal containing the 1's and 0's to the switch, for it to be compiled and understood and sent to the right interpreter to be received.

Damn, how I've strayed away from my original question... if you don't remember.... Why do we need MAC?

Well, we'll get there real soon. As for the signals a device can send out, there are three:

Unicast - 1 to 1
Multicast - 1 to many
Broadcast - 1 to everyone

to send to multiple clients, servers, whatever you may be doing within your network. The whole point of this is that MAC traces your PC in a table in order to identify where you are in the network; no, not to spy on you, but to make it easier for the other users to send stuff to your PC. MAC addresses are stored in ARP; ARP is backward compatible with IP and makes a great data link layer protocol in order to send data fast to the recipient.

And to be VERY clear on it: ARP saves time. MAC is saved within your NIC's ARP table and MAC is saved in the CAM table within switches; this makes the switch intelligent and your PC even more intelligent.

This function of ARP is called gratuitous ARP: sending a broadcast (0xFFFFFFFFFFFF) to let every machine on its segment know that it is connected. Most likely the router is notified too. ARP (0x0806) is encapsulated in the Ethernet frame.
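To make the frame layout concrete, here is an added example of my own (not from the ICND1 videos): it builds an Ethernet frame carrying ARP, parses it back the way a NIC would, and tells a gratuitous announcement (broadcast destination, sender IP equal to target IP) apart from an ordinary request. The MAC and IP values are constructed for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806                          # ARP ethertype, as noted above
BROADCAST_MAC = bytes.fromhex("ffffffffffff")   # the 0xFFFFFFFFFFFF broadcast destination

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp_frame(src_mac, src_ip, dst_mac, target_ip, opcode=1):
    """Constructed frame: 14-byte Ethernet header followed by a 28-byte ARP body."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, 6-byte MACs, 4-byte IPs, opcode 1 = request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += src_mac + src_ip + dst_mac + target_ip
    return eth + arp

def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it does not carry IPv4 ARP."""
    if len(frame) < 42:
        return None
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "src_mac": mac_str(src), "dst_mac": mac_str(dst), "op": op,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
        "broadcast": dst == BROADCAST_MAC,
        # gratuitous ARP: a host announcing itself, so sender IP == target IP
        "gratuitous": dst == BROADCAST_MAC and spa == tpa,
    }

def learn(arp_table, info):
    """Record sender MAC for sender IP, as a NIC's ARP table would on seeing the frame."""
    arp_table[info["sender_ip"]] = info["sender_mac"]
    return arp_table

# Constructed sample: PC1 announces itself on the segment (locally administered MAC).
PC1_MAC, PC1_IP = bytes.fromhex("0200000000a1"), bytes([192, 168, 1, 10])
GRATUITOUS = build_arp_frame(PC1_MAC, PC1_IP, BROADCAST_MAC, PC1_IP)
# Constructed sample: PC1 asks who has the gateway 192.168.1.1.
REQUEST = build_arp_frame(PC1_MAC, PC1_IP, BROADCAST_MAC, bytes([192, 168, 1, 1]))

if __name__ == "__main__":
    for frame in (GRATUITOUS, REQUEST):
        print(parse_arp_frame(frame))
```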

----------------------------------
As I could ramble on about the ARP protocol for years, I think this is a sufficient enough post to have you up to par with the common ground of networking.... boy, is there a lot more to come.......


---All we have is time

Saturday, November 15, 2008

ICND1 Networking Summarization

The studying for my ICND1 has been going rather well; despite some minor setbacks from the last week, I should be done with all my ICND1 videos for my CCENT certification. This blog entry will summarize all 14 videos I have viewed. In case I have skipped any critical information from the course, I will be using my notes and this entry as a reference when re-viewing the videos before the exam.

Brace yourself, here is what I've got out of 14 videos:


The common question that anyone should ask a network engineer is WHAT IS A NETWORK?

Now, before reading on, please ask yourself the question and consider it.

Okay since you have the answer I will share what I have come up with:

Throughout civilization we have always striven to come together and build as one, and most of the trying actually got done. Sometimes what got done was by force, but now it is usually compensated with moolah, the bucks. As I envision it, just as we use cement to build roads and highways, we use wire (copper, coaxial, (air) frequencies) to build roads for information sharing. When we shared information before computing we used the post office, and networking is similar to sending a letter in the mail: the envelope (packet) gets tossed (transmitted) in a bin (NIC card), then carried to the post office (wire) where it's sorted out (by a digital device like a router) and sent to the right destination, and sometimes it must hit multiple destinations before it arrives.

So for a simpler answer: a network is the fabric that ties, through multiple digital devices, information to its destination.

Some key attributes in networking:

Switch - Central meeting place for all packets, has separate collision domains

Router - Relays information to the WAN (Internet)

Internet - Multiple routers connected together

WAN - fast link ---AT&T


In order to use a network efficiently, companies and people have needs that must be met in order for them to cooperate and operate effectively in today's modern, fast-changing world. The dire commonality is the communication between services within high-end servers. Like humans, computers now have a set of tools with a commonality of standards, which are called ports.

Some well-known PORT numbers:

TCP              UDP
21  - FTP
22  - SSH
23  - Telnet     69 - TFTP
25  - SMTP
53  - DNS        53 - DNS
80  - HTTP
110 - POP3
443 - HTTPS

Each port has its function, which should already be known by the reader at this stage of the game, due to the practice of hard school work.

In order to test that things are working properly and are 'alive', as I like to call it, a ping request is sent to the ports; anything alive will signal back!!!!!!!



--------------------
Yes, it has to end now; I seem to have gone into a mind flux which needs a bit of entertainment.

Stay tuned for the next post; it will be more dynamic and lengthier.

Wednesday, July 2, 2008

SEC703 1st Lecture

Core, Distribution and Access Layers

Router, firewall, DMZ, then another firewall.

The first router does basic access control lists.

Standard things to block at the router level: telnet traffic, and secure shell traffic except for specific devices.

Then the firewall gets specific.

Then the DMZ: any device that needs to be accessed from the Internet, web servers, databases (sales); the web server accesses the database server.

You put your e-mail transfer agent there, then the transfer goes inside.

A DNS here in the DMZ, broadcasting the name resolution on the DMZ, receiving info from the internal organization.

Look up by name instead of IP; nothing is transferred out; another firewall in the DMZ.

Realistically, another firewall at the entrance to the data center.

Separate them through blades: firewall blade, different ports for different functions.

VPN blade terminates inside the firewall; VPN access is a secure, encrypted tunnel between point A and point B.

- adds a second address header; the packet becomes ENCRYPTED[Application, Presentation, Session, Transport, Network] wrapped in a new Network, Data Link and Physical layer.

IDS - specific blade, watches specific traffic at all times, shows you what's going on; you must write the list and implement it.

IPS - writes information to block new traffic; does it automagically.

Honeypots - put in the DMZ to attract hackers.

-------------------------

Traffic shaping, aka QoS: guards throughput, throttles back specific types of traffic; organizations use this all the time.

Mission-critical and non-mission-critical data: if info is going slow, there's something wrong.

Info that must flow: voice and video get priority.

Internet Proxy (specific HTTP and HTTPS traffic): a single device for buffering and monitoring; everyone goes through the proxy. All HTTP and HTTPS traffic through the firewall goes to the proxy device; it will collect the info and send it in to you, with 1 line in the ACL. You can put web monitoring tools into the proxy and block stuff.

Networking Devices - talking about controlling traffic.

Friday, June 27, 2008

Mitnick - Communications Technology

Mail Drop - The social engineer's term for a rental mailbox, typically rented under an assumed name, which is used to deliver documents or packages the victim has been duped into sending.

Data Classification Policy - the differentiation of securing public and private information.

Innocuous - not harmful or injurious; harmless.

Information Security Department - ISD
Conducts:
-awareness training
-detail methods

Explanation: Social Engineer Employees

-Lingo | "Use non-sensitive things" [Poker Chip]

Types of Security Violations

Here are some basic component violations in security, from the perspective of the malicious code:

Virus: Typical piece of code that copies itself into a program and executes when the program runs

-modifies other programs
-loss or contamination of data or programs

Worm: Reproduces itself until it slows down or shuts down a computer system or network; does not modify other programs

Clogging or Flooding: Form of a worm
- sending large amounts of bogus traffic to a node until it is clogged and unable to serve a legitimate user. AKA DoS attack (Denial of Service)

Trojan Horse: piece of code that hides itself in another piece of a program

"Think" a simple login screen
Login Code
Hidden Code <-------- interloper exits with no trace (steals info)
Login Code

BOMB: Same as a Trojan
signature: time or logic trigger

Trigger: software routine that, upon detecting the absence of the rogue program's records, initiates actions to damage the system

Trap Door: Allows penetration into the system; can be programmed into the code by the programmer. Usually used in case you must get back into the program to fix something. Usually guarded by an authentication process.

Salami: Small alterations of the numbers in files containing numbers, distorting the system.

Replay violation: Active attack on a resource.
Entails capturing data, perhaps modifying it, and resending it.

Monday, June 23, 2008

John Searle, The Chinese Room

Philosophy professor at Berkeley, On Intelligence

The Chinese Room:

Suppose you have a room with a slot in one wall, and inside is an English-speaking person sitting at a desk. He has a big book of instructions and all the pencils and scratch paper he could ever need. Flipping through the book, he sees that the instructions, written in English, dictate ways to manipulate, sort and compare Chinese characters. Mind you, the directions say nothing about the meanings of the Chinese characters; they only deal with how the characters are to be copied, erased, reordered, transcribed and so forth.

Someone outside the room slips a piece of paper through the slot. On it is written a story and questions about the story, all in Chinese. The man inside doesn't speak or read a word of Chinese, but he picks up the paper and goes to work with the rulebook. He toils and toils, rotely following instructions in the book. At times the instructions tell him to write characters on scrap paper, and at other times to move and erase characters. Applying rule after rule, writing and erasing characters, the man works until the book's instructions tell him he is done. When he is finished at last, he has written a new page of characters, which unbeknownst to him are the answers to the questions. The book tells him to pass his paper back through the slot. He does it, and wonders what this whole tedious exercise has been about.

Outside, a Chinese speaker reads the page. The answers are all correct, she notes--even insightful. If she is asked whether those answers came from an intelligent mind that had understood the story, she will definitely say yes. But can she be right? Who understood the story? It wasn't the fellow inside, certainly; he is ignorant of Chinese and has no idea what the story was about. It wasn't the book, which is just, well, a book, sitting inertly on the writing desk amid piles of paper. So where did the understanding occur? Searle's answer is that no understanding did occur; it was just a bunch of mindless page flipping and pencil scratching. And now the bait-and-switch: the Chinese Room is exactly analogous to a digital computer. The person is the CPU, mindlessly executing instructions; the book is the software program feeding instructions to the CPU; and the scratch paper is the memory. Thus, no matter how cleverly a computer is designed to simulate intelligence by producing the same behavior as a human, it has no understanding and it is not intelligent. (Searle made it clear he didn't know what intelligence is; he was only saying that whatever it is, computers don't have it.)

--Jeff Hawkins, On Intelligence

Saturday, June 14, 2008

SEC520: 10 More

Here are 10 more Security Log Management functions, at both the infrastructure and system levels:

Log parsing: extracting data from a log so it can be used by another part of the logging process.

Event filtering: suppressing data that is not needed, like the duplication of a record.

Event aggregation: logging the same events as one record and counting each occurrence.

Log rotation: rotating logs to make them manageable, e.g. examining archived logs to perform filtering.

Log archival: keeping logs for an extended period of time on a SAN. Two types: log retention (archiving on a regular basis), or log preservation (keeping logs that would otherwise be discarded because they contain records of activity of particular interest).
--------------------------
Log compression: reducing the amount of storage space needed (filter).

Log reduction: removing entries of no importance to make the log smaller.

Log conversion: converting logs to different formats, XML or a database.

Log normalization: ordering entries in a particular data representation and categorizing them consistently; DATES and TIMES in a single format.

Log file integrity checking: having a message digest for each file, MD5 or SHA-1.
-------------------------------------
Event correlation: finding relationships between one or more entries.

Log viewing: displaying log entries in a human-readable format.

Log reporting: displaying the results of log analysis.
-------------------------------------
Log clearing: removing all entries from the log that precede a certain date and time. Old logged data is removed because what is important has been archived.
-------------------------------------
Syslog is a central framework for log entry generation, storage and transfer; the syslog format classifies messages based on importance. Two attributes to consider are the message type, known as the facility (kernel messages, mail system messages, authorization messages, printer messages, and audit messages), and the severity, a value assigned from 0 (emergency) to 7 (debug).
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
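As an added example of my own (not part of the SEC520 notes), here is a parser for BSD-style syslog lines like the three above: it decodes a leading <PRI> value into facility and severity (PRI = facility * 8 + severity), normalizes the year-less timestamp to ISO format, aggregates repeated events, and filters out the reverse-mapping warning. The facility table is the RFC 3164 subset for the message types named above, and the year 2008 and the sample <38> prefix are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Facility numbers for the message types named in the post (RFC 3164 table, subset).
FACILITIES = {0: "kern", 2: "mail", 4: "auth", 6: "lpr", 13: "audit"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Sample lines as shown in the post (no <PRI> prefix, as a log file on disk looks).
SAMPLE = """\
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
"""

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                 # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "          # BSD timestamp, no year
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def decode_pri(pri):
    """PRI = facility * 8 + severity; severity runs 0 (emergency) .. 7 (debug)."""
    return FACILITIES.get(pri // 8, f"facility{pri // 8}"), SEVERITIES[pri % 8]

def parse_line(line, year=2008):
    """Parse one line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Log normalization: BSD timestamps carry no year, so one is assumed (2008 here).
    ts = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["ts"] = ts.isoformat()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    if rec["pri"] is not None:
        rec["facility"], rec["severity"] = decode_pri(int(rec["pri"]))
    return rec

def parse_all(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def aggregate(records):
    """Event aggregation: one counter per (program, first word of the message)."""
    return Counter((r["prog"], r["msg"].split()[0]) for r in records)

def suspicious(records):
    """Event filtering: keep only records that sshd itself flagged as a possible break-in."""
    return [r for r in records if "POSSIBLE BREAKIN" in r["msg"]]

if __name__ == "__main__":
    recs = parse_all(SAMPLE)
    print(aggregate(recs), [r["pid"] for r in suspicious(recs)])
```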
----------------------------
Syslog by itself does not conform to the basic security controls that would give the logs confidentiality, integrity and availability. Weaknesses the syslog protocol encounters: the UDP transfer of data means anyone can send information to the syslog server (DoS attacks), MITM on the syslog stream, and analysis of the syslog for a vector.
----------------------------
Reliable Log Delivery: TCP
Transmission Confidentiality Protection: SSH, TLS
Transmission Integrity Protection and Authentication: MD5, SHA-1
----------------------------
Robust Filtering – handles messages based on the programs or hosts that generate a message, or on RE matching of content in the body.

Log Analysis – use separate add-on programs to analyze the data.

Event Response – alert admins through pagers or e-mails.

Database storage of logs, log file encryption.

----------------------------
Security Information and Event Management software is centralized logging software; SIEM does its job in one of two ways.
Agentless, which means it pulls logs from the hosts by authenticating to each host and retrieving the logs, or the hosts push log files to the server; this server then performs event filtering, aggregation, log normalization and analysis on the collected logs.

Advantage: no installation on hosts. Disadvantage: large amounts of data transferred, and some hosts need credentials, so you have to install an agent on the host anyway.

Agent-based: all the filtering, aggregation and log normalization is done at the host, then transmitted.

Advantage: all filtering and aggregation done on the host, small load going over the network. Disadvantage: installing agents on every host.