2. Network Security

Protocols

Basic Connectivity Protocols

  • TCP – Handshaked session-oriented communication
  • UDP – Best effort communication
  • IP – Host identification
  • ICMP – Basic connectivity, traceroute, ping
    • Can cause DoS vulnerabilities
  • ARP – IPv4 to MAC address
    • ARP poisoning gives false updates to redirect or interrupt traffic
  • NDP – Neighbor Discovery Protocol
    • IPv6 protocol similar to ARP, also identifies default gateway and performs other autoconfiguration efforts
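The ARP poisoning bullet above describes the attacker's move; the defender's counterpart is watching for an IP address whose advertised MAC suddenly changes. The following is an added example (not from the original notes) of that check, written as a passive monitor over a constructed list of observed ARP replies. The IP and MAC values are constructed documentation addresses, and `GATEWAY_IPS` is an assumed list of the addresses most worth protecting.

```python
# Constructed ARP reply observations (ip, mac), as a passive monitor on the LAN would record them.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1",  "00:00:5e:00:53:01"),   # gateway's usual MAC
    ("192.0.2.10", "00:00:5e:00:53:10"),   # an ordinary host
    ("192.0.2.1",  "00:00:5e:00:53:01"),   # consistent repeat, not a conflict
    ("192.0.2.1",  "00:00:5E:00:53:99"),   # gateway IP now claimed by a different MAC
    ("192.0.2.1",  "00:00:5e:00:53:99"),   # same new claim again, reported only once
]

# Assumed: the addresses an ARP poisoner would most want to impersonate (default gateway).
GATEWAY_IPS = {"192.0.2.1"}


def find_arp_conflicts(replies, high_value_ips=frozenset()):
    """Return one finding per change of the MAC claimed for an IP address.

    A change on a high-value address (gateway, DNS server) is rated 'high',
    anywhere else 'medium'; a NIC replacement looks the same on the wire, so
    the finding is a prompt to verify, not proof of an attack.
    """
    seen = {}        # ip -> most recently advertised MAC
    conflicts = []
    for ip, mac in replies:
        mac = mac.lower()                      # normalise case so 5E and 5e compare equal
        previous = seen.get(ip)
        if previous is not None and previous != mac:
            conflicts.append({
                "ip": ip,
                "old_mac": previous,
                "new_mac": mac,
                "severity": "high" if ip in high_value_ips else "medium",
            })
        seen[ip] = mac                         # remember the latest claim
    return conflicts


if __name__ == "__main__":
    for finding in find_arp_conflicts(SAMPLE_ARP_REPLIES, GATEWAY_IPS):
        print(f"[{finding['severity']}] {finding['ip']} moved from "
              f"{finding['old_mac']} to {finding['new_mac']}")
```

The usual mitigations this check supports are static ARP entries for the gateway on critical hosts and dynamic ARP inspection on the switch; the monitor just tells you when either would have mattered.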

Encryption Protocols

  • SSH – Encrypts SCP (Secure Copy) and SFTP (Secure File Transfer Protocol), among a wide variety of other protocols.
    • SSH can also encrypt TCP Wrappers, a type of access control list on Unix systems
    • Uses port 22
  • SCP – Based on SSH and copies encrypted files over a network
  • SSL – Secure Socket Layer
    • Secures HTTP into HTTPS with the use of certificates
    • Can also secure SMTP and LDAP
    • TCP 443 for HTTPS
    • TCP 465 for SMTPS
    • TCP 636 for LDAP with SSL
  • TLS – Transport Layer Security
    • Designated replacement for SSL
    • Same ports as SSL
  • IPsec
    • Encrypt IP traffic
    • Native to IPv6 but works on IPv4
    • Encapsulates and encrypts packets and then uses tunnels to protect VPN traffic
    • Authentication Header – AH – Protocol ID number 51
    • Encapsulating Security Payload (ESP) – Protocol ID number 50
    • Uses Internet Key Exchange (IKE) over UDP 500 for VPN security

Application Protocols

  • HTTP
    • Port 80
  • HTTPS
    • Port 443
  • FTP
    • 21 for connection
    • 20 for data
  • SFTP – Secure File Transfer
    • 22 for data because it uses SSH
  • FTPS – File Transfer Protocol Secure
    • Like SFTP but uses SSL or TLS
    • Ports 989 or 990
  • TFTP – Trivial File Transfer
    • UDP port 69
  • Telnet – Outdated CLI based remote connection protocol
    • Sometimes still used to connect to routers
    • Cleartext, insecure
    • Port 23
    • PuTTY operates similarly to telnet but includes SSH
  • SNMP – Simple Network Management Protocol
    • Monitors and manages network devices like routers and switches
    • Sends requests to SNMP agents on devices on UDP 161
    • Receives info back from agents on UDP 162
  • NetBIOS
    • Allows for basic LAN identification and sessions
    • UDP Ports 137 and 138
    • TCP Port 139, and rarely 137
  • LDAP
    • Communicates with directories like Microsoft Active Directory and Novell Directory Services (NDS)
    • Provides a single location for object management
    • TCP 389
    • When encrypted with TLS or SSL, Port 636
  • Kerberos – Authenticates in Windows domains and some Unix environments
    • Uses KDC – Key Distribution Center to issue timestamped tickets
    • UDP Port 88
  • Microsoft SQL Server
    • SQL server hosts databases that web servers and applications use
    • Port 1433
  • RDP – Remote Desktop Protocol
    • Connect to systems from remote locations
    • Used in Remote Desktop Services and Remote Assistance
    • TCP or UDP 3389

E-mail Protocols

  • SMTP
    • Transfers email between client and SMTP server
    • TCP port 25
    • Secure SMTP with SSL or TLS uses Port 465
  • POP3
    • Transfers emails from servers to clients
    • TCP 110
    • Secure POP3 with SSL or TLS uses TCP 995
  • IMAP4
    • Stores email on a server
    • Allows user to organize and manage email in folders on server
    • TCP 143
    • Secure IMAP4 with SSL or TLS uses TCP 993

Assorted DNS

  • DNS uses UDP 53 for name queries
  • DNS uses TCP 53 for zone transfers, when name servers exchange updated records
  • DNS uses BIND – Berkeley Internet Name Domain software on Unix/Linux servers

Ports

  • IANA – Internet Assigned Numbers Authority maintains a list of official port assignments
  • Ports are default routes that different protocols use for data; this allows administrators to block certain protocol interactions just by closing or opening ports
  • 65,535 UDP and TCP ports
  • Well-Known Ports: 0-1023
  • Registered Ports: 1024-49151
    • These can be registered by a single company for proprietary use, or by multiple companies to establish a standard.
  • Dynamic and Private Ports: 49,151-65,535
    • Any application can use these, and they can be temporarily mapped
  • Most attacks are on well-known ports
  • Port scanners check which ports are open, and therefore which services could be tampered with
  • Protocol IDs are not to be confused with ports.
    • You can allow or block traffic by protocol ID, but the ID does not match up with ports.

Port numbers

Assorted Basic Network Security

  • Switches are more secure than hubs because they limit where traffic is sent and received, thus disabling sniffers
  • Switches can be affected by loops, when a cable is connected needlessly between two ports and unicast data is looped through the connection
    • STP (Spanning Tree Protocol) and RSTP trivialize this risk by blocking the redundant path
    • STP also protects against attacks, because someone could always just connect two RJ45 jacks and slow down the whole network
  • Switches can also group several computers into a VLAN, isolating network traffic
    • This allows people who are not in the same physical proximity to work together securely
  • Physical ports that are not being used can also be disabled on the switch to prevent people from connecting to the network
  • MAC address filtering can also accomplish this, where a port only accepts specifically listed MAC addresses for connections
  • 802.1X is much better security than MAC address filtering or physical port disabling.
    • Works with RADIUS or Diameter
    • Requires authentication to connect
    • Can customize features, such as allowing non-authenticated users internet access, but no local data

Routers

  • Routers don’t pass broadcasts, so segments separated by routers are broadcast domains
  • Routers allow the use of ACLs (just like firewalls) to identify allowed traffic
    • This filtering can be for IP addresses, ports, protocols
    • This means you can block traffic from specific computers or network segments
    • Implicit Deny is pretty important for security, and insists that anything not specifically allowed is denied

Firewalls

  • Offer similar ACL based security features as routers
  • A brick wall between inside and out that prevents certain kinds of traffic.
  • Advanced firewalls that fall under “Unified Threat Management” can do much more than simple packet filtering
  • Host Based Firewalls operate for a single host and can prevent invasions and exploitation through a NIC
    • These are essential when using public Wi-Fi
  • Network Based Firewalls
    • Controls traffic going in and out of larger network segments
    • Best between internal network and internet
    • Usually a dedicated system with monitoring, filtering, and logging
    • Sidewinder is a dedicated server with proprietary firewall software
  • Rules
    • Similar to router ACLs
    • Permit/Allow or Deny
      • Protocol ID/Port
      • Source
      • Destination
    • When configuring, start with implicit deny, and allow all traffic that you know you want
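The router ACL bullets and the firewall rule bullets above describe the same evaluation model: rules matched top-down on protocol, port, source and destination, first match wins, and anything not explicitly permitted falls through to implicit deny. The following is an added example (not from the original notes) that implements that model, plus a check for a common configuration mistake: a broad rule placed early that shadows every rule after it. The ruleset, the host `192.0.2.10` and the packets are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry: an action plus the match fields the notes list."""
    action: str              # "permit" or "deny"
    protocol: str            # "tcp", "udp", "icmp" or "any"
    src: str                 # CIDR such as "10.0.0.0/8", or "any"
    dst: str                 # CIDR, or "any"
    dport: Optional[int]     # destination port, or None for any port / portless protocols

    def matches(self, packet: dict) -> bool:
        if self.protocol != "any" and self.protocol != packet["protocol"]:
            return False
        if self.src != "any" and ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(packet["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and packet.get("dport") != self.dport:
            return False
        return True


def evaluate(rules, packet) -> str:
    """Walk the list top-down; the first matching rule decides.
    No match at all means implicit deny."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.protocol != "any" and outer.protocol != inner.protocol:
        return False
    for o, i in ((outer.src, inner.src), (outer.dst, inner.dst)):
        if o != "any":
            if i == "any" or not ipaddress.ip_network(i).subnet_of(ipaddress.ip_network(o)):
                return False
    if outer.dport is not None and outer.dport != inner.dport:
        return False
    return True


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule already
    matches everything they would match (ordering mistake in an ACL)."""
    return [i for i, r in enumerate(rules) if any(covers(rules[j], r) for j in range(i))]


def packet(protocol, src, dst, dport=None):
    return {"protocol": protocol, "src": src, "dst": dst, "dport": dport}


# Constructed ruleset for a hypothetical web/SSH host 192.0.2.10. Only traffic we
# know we want is permitted; everything else falls through to implicit deny.
WEB_HOST = "192.0.2.10/32"
RULES = [
    Rule("permit", "tcp", "any", WEB_HOST, 443),          # HTTPS from anywhere
    Rule("permit", "tcp", "10.0.0.0/8", WEB_HOST, 22),    # SSH only from the internal network
    Rule("deny",   "tcp", "any", WEB_HOST, 23),           # explicit deny for Telnet so it is logged
]

# Constructed anti-pattern: "permit any" first makes the Telnet deny unreachable.
BAD_RULES = [
    Rule("permit", "any", "any", "any", None),
    Rule("deny",   "tcp", "any", WEB_HOST, 23),
]


if __name__ == "__main__":
    for p in (packet("tcp", "203.0.113.5", "192.0.2.10", 443),
              packet("tcp", "203.0.113.5", "192.0.2.10", 22),
              packet("tcp", "10.1.2.3", "192.0.2.10", 22),
              packet("udp", "10.1.2.3", "192.0.2.10", 53)):
        print(p["protocol"], p["src"], "->", p["dst"], p["dport"], "=>", evaluate(RULES, p))
    print("shadowed rules in BAD_RULES:", shadowed_rules(BAD_RULES))
```

Note that the UDP 53 and ICMP packets are denied without any rule mentioning them: that is the implicit deny doing its job, which is why the notes say to start from it and add only what you know you want.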
  • Web Application Firewall (WAF)
    • Specifically protects web apps hosted on a server
    • Blocks traffic such as NOOP sleds and NOOP ramps
    • Detects malicious code sent to web server
  • Advanced Firewalls
    • First Gen – Packet filtering rules, stateless; works only according to the ACL
    • Second Gen – Stateful inspection; tracks sessions and inspects traffic based on session status
    • Third Gen – Application level firewalls. Aware of specific commands used in apps or protocols. WAFs are third gen firewalls that inspect HTTP.
    • Next Gen – Closer to UTM and frequently adding new features
  • Firewall Logs and Analysis
    • Log all allowed traffic, all blocked traffic, or both
    • Scripts and apps make it easier to review logs
    • IDS use firewall logs to identify intrusions
      • For example, a port scan attack will query lots of well-known logical ports. If logging is enabled, this is visible and can be used to prevent further attacks
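The port-scan example above is easy to make concrete: group firewall log entries by source address and flag any source that touches many distinct destination ports in a short window, noting how many of them fall in the well-known range from the Ports section. The following is an added example (not from the original notes) of that detection run over constructed log lines in an assumed `<time> <action> <proto> <src>:<sport> -> <dst>:<dport>` format; real firewalls each have their own format, so the regex is the part you would adapt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log. 198.51.100.7 probes several ports within a few seconds;
# 203.0.113.5 and 10.0.0.5 are ordinary clients. One line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T10:00:00 DENY TCP 198.51.100.7:40001 -> 192.0.2.10:21
2024-03-01T10:00:01 DENY TCP 198.51.100.7:40002 -> 192.0.2.10:22
2024-03-01T10:00:01 DENY TCP 198.51.100.7:40003 -> 192.0.2.10:23
2024-03-01T10:00:02 DENY TCP 198.51.100.7:40004 -> 192.0.2.10:25
2024-03-01T10:00:02 DENY TCP 198.51.100.7:40005 -> 192.0.2.10:80
2024-03-01T10:00:03 ALLOW TCP 198.51.100.7:40006 -> 192.0.2.10:443
2024-03-01T10:00:03 DENY TCP 198.51.100.7:40007 -> 192.0.2.10:3389
2024-03-01T10:00:05 ALLOW TCP 203.0.113.5:51000 -> 192.0.2.10:443
2024-03-01T10:00:06 ALLOW TCP 203.0.113.5:51001 -> 192.0.2.10:443
2024-03-01T10:00:07 ALLOW TCP 10.0.0.5:52000 -> 192.0.2.10:22
2024-03-01T10:00:08 firewall restarted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def is_well_known(port):
    return 0 <= port <= 1023


def detect_port_scans(events, min_ports=5, window=timedelta(seconds=10)):
    """Flag sources that hit at least `min_ports` distinct destination ports
    within `window`. Returns {src: summary} for flagged sources only."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        triggered = False
        for end, ev in enumerate(evs):          # sliding time window over this source's events
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["dport"] for e in evs[start:end + 1]}) >= min_ports:
                triggered = True
                break
        if triggered:
            ports = sorted({e["dport"] for e in evs})
            findings[src] = {
                "ports": ports,
                "well_known": sum(1 for p in ports if is_well_known(p)),
                "denied": sum(1 for e in evs if e["action"] == "DENY"),
                "first_seen": evs[0]["ts"].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(info['ports'])} ports ({info['well_known']} well-known), "
              f"{info['denied']} denied, first seen {info['first_seen']}")
```

The threshold and window are the tuning knobs: too low and a busy client with a few services looks like a scanner, too high and a slow scan spread over hours slips through, which is why real IDS rules also track the ratio of denied to allowed attempts, as the `denied` count here starts to do.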

Protecting the Network Perimeter

  • DMZ
    • A section of the network available to external hosts, but segmented and secured so that it does not allow access to secure local data
    • Mail servers are often in the DMZ but surrounded by firewalls on both sides
    • Servers within the DMZ can often communicate with internal hosts/servers in order to relay information while remaining secure, because doing so requires specific permissions on the second firewall
  • NAT and PAT
  • Proxies
    • Can cache content for easier access, or restrict content with advanced filtering
    • Sits on the far edge of the intranet, but typically only filters HTTP and HTTPS, though it is capable of also filtering protocols like FTP
    • Filtering is typically through URL filtering, which blocks specific websites.
      • Many services sell lists of URLs that fit under certain categories a company may want to block
    • Proxy servers also watch and log everything, so be careful
  • Unified Threat Management
    • All-in-one tools with antivirus, URL filtering, etc.
    • Web Security Gateway
      • Blocks malware in email or webpages and spam
      • Often include firewall capabilities
      • Their golden tool is content filtering, where they analyze all packets for malicious code
      • Cisco sells the WSA – Web Security Appliance, which even includes Data Loss Prevention, meaning it also scans outgoing data for confidential information
    • UTM Security Appliance
      • “Just works” all-in-one UTM
      • URL Filtering
      • Malware Inspection
      • Content Inspection
    • Very little difference between the two, and most are just referred to as UTM