Introduction to the TCP/IP Protocol Framework

Alright, time to dive into one of the most important parts of cybersecurity: NETWORKING! This blog will cover the basics of networking: the TCP/IP and OSI models, DNS, DHCP, switching and routing concepts, IP addressing, NAT, packet sniffing and, finally, the structure and vulnerabilities of key databases including SQL, CouchDB, Oracle and MongoDB. Let's get started!

Stateless Inspection

To start off the topic of networking, let's discuss what firewalls are and how they use stateless and stateful inspection, then compare stateless firewalls to stateful firewalls. According to Cisco (one of the leading companies in network technology): "A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. A firewall can be hardware, software, or both." Now that we know what a firewall is, let's dig a little deeper into how firewalls filter incoming and outgoing network traffic using stateless and stateful inspection. Regular routers and some firewalls use the stateless way of filtering packets: the firewall inspects each packet without any knowledge of previous packets. It looks at the destination and source address of the packet and then blocks or restricts addresses that are deemed untrusted. There may also be an Access Control List (ACL) rule that determines whether the source address and destination port of the packet are allowed on the network, or whether the destination address is allowed to be accessed. A few use cases for stateless inspection include:

  • Protecting routing engine resources.
  • Controlling traffic going in or out of your organization.
  • Troubleshooting purposes.
  • Controlling traffic routing (through the use of routing instances).
  • Performing QoS/CoS (marking the traffic).

Stateful Inspection

Heading back over to Cisco, stateful inspection is described as follows: "Now thought of as a “traditional” firewall, a stateful inspection firewall allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed. Filtering decisions are made based on both administrator-defined rules as well as context, which refers to using information from previous connections and packets belonging to the same connection." In some cases both stateless and stateful inspection are applied: the stateless inspection is performed first and is then followed up by an evaluation of the stateful data. Now that we know about stateless and stateful inspection, what are the pros and cons of each method? Below is a list of the pros and cons of each inspection method courtesy of CDW.
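To make the difference concrete, here is an added Python example (not code from the original post or from Cisco) that runs the same packets through a stateless ACL and through a stateful filter that keeps a connection table. The addresses, the 10.0.0.0/8 "inside" prefix and the two-rule policy are all constructed for the illustration. The last packet is the case a stateless filter cannot tell apart: an unsolicited inbound packet that merely carries source port 80 satisfies the ACL rule written to let web-server replies back in, while the stateful filter rejects it because no inside host ever opened that connection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""  # TCP flag letters, e.g. "S" (SYN), "SA" (SYN/ACK), "F" (FIN)


INTERNAL_PREFIX = "10."  # constructed: 10.0.0.0/8 is "inside", everything else is "outside"


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


# --- Stateless: a classic ACL. Each packet is judged on its own header fields only. ---
# Rule tuple: (direction, required src port, required dst port, action). None means "any".
ACL = [
    ("out", None, 80, "allow"),  # inside hosts may open HTTP connections
    ("in", 80, None, "allow"),   # ...and the web server's replies must be let back in
]


def stateless_filter(pkt: Packet) -> str:
    direction = "out" if is_internal(pkt.src_ip) else "in"
    for rule_dir, sport, dport, action in ACL:
        if rule_dir != direction:
            continue
        if sport is not None and sport != pkt.src_port:
            continue
        if dport is not None and dport != pkt.dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of the list


# --- Stateful: same policy, but inbound packets must belong to a tracked connection. ---
class StatefulFilter:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) for every open connection
        self.connections = set()

    def filter(self, pkt: Packet) -> str:
        if is_internal(pkt.src_ip):
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.connections or pkt.dst_port == 80:
                self.connections.add(key)  # remember the flow the inside host opened
                return "allow"
            return "deny"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.connections:
            return "deny"  # no inside host asked for this: unsolicited inbound traffic
        if "F" in pkt.flags or "R" in pkt.flags:
            self.connections.discard(key)  # connection closing: forget the state
        return "allow"


def compare(packets):
    """Run one packet sequence through both filters; returns (stateless, stateful) verdicts."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in packets]


# Constructed sequence: a legitimate HTTP exchange, then an unsolicited inbound packet
# that merely *claims* source port 80 and is aimed at SSH on an inside host.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S"),   # inside host -> web server
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA"),  # the web server's reply
    Packet("203.0.113.99", 80, "10.0.0.5", 22, "S"),      # unsolicited, source port 80
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
              f"  stateless={stateless}  stateful={stateful}")
```

Running the block prints one line per packet with both verdicts; the third line is the one where they disagree. Real stateful firewalls additionally age out idle entries and validate TCP sequence numbers, which this minimal connection table leaves out.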

IDS and IPS Systems

Now that we've talked about firewalls and the different types of firewalls, let's talk a little about two types of firewall filters: Intrusion Detection and Intrusion Prevention Systems. An Intrusion Detection System (IDS) "is a network security technology originally built for detecting vulnerability exploits against a target application or computer." Intrusion Prevention Systems (IPS) "extended IDS solutions by adding the ability to block threats in addition to detecting them and has become the dominant deployment option for IDS/IPS technologies."

Intrusion Detection Systems

An IDS only needs to detect threats on a network: it detects threats and reports its findings to an administrator. It is placed outside of the real-time communication path between the sender and receiver of information, which makes it a passive system. Because the IDS does not sit in the real-time communication path, it will often take advantage of a TAP or SPAN port to analyze a copy of the inline network traffic stream. This ensures that the IDS does not impact inline network performance. Unfortunately, due to the nature of IDS solutions, they lack the ability to prevent a detected exploit from taking over the system. Attackers are capable of quickly exploiting vulnerabilities once they've infiltrated the network, rendering the IDS useless.

Intrusion Prevention Systems

An IPS, on the other hand, has the ability to block threats as well as detect them. The IPS often sits directly behind the firewall and adds a layer of analysis that actively searches for dangerous content. The IPS sits inline, in the direct path of communication between the sender and receiver, and takes automated actions on all traffic flows that enter the network. The actions performed by an IPS include:

  • Sending an alarm to the administrator (as would be seen in an IDS)
  • Dropping the malicious packets
  • Blocking traffic from the source address
  • Resetting the connection

Since the IPS works as an inline security component, it is crucial that the IPS works fast and efficiently to avoid degrading network performance, and that it detects and responds to exploits accurately, since exploits can happen in near real time. When it comes to detection methods, an IPS has a number of options, but signature-based and statistical anomaly-based detection are the two dominant methods. Signature-based detection "is based on a dictionary of uniquely identifiable patterns (or signatures) in the code of each exploit. As an exploit is discovered, its signature is recorded and stored in a continuously growing dictionary of signatures. Signature detection for IPS breaks down into two types:"

  • Exploit-facing signatures identify individual exploits by triggering on the unique patterns of a particular exploit attempt. The IPS can identify specific exploits by finding a match with an exploit-facing signature in the traffic stream.
  • Vulnerability-facing signatures are broader signatures that target the underlying vulnerability in the system that is being targeted. These signatures allow networks to be protected from variants of an exploit that may not have been directly observed in the wild, but also raise the risk of false positives.

Statistical anomaly detection "takes samples of network traffic at random and compares them to a pre-calculated baseline performance level. When the sample of network traffic activity is outside the parameters of baseline performance, the IPS takes action to handle the situation."
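Here is an added Python example (not code from the original post or from the sources it quotes) that implements the two detection methods side by side over constructed traffic: a signature dictionary holding one exploit-facing and one vulnerability-facing pattern, and a statistical anomaly detector that compares each source's request rate against a pre-computed baseline. The payloads, addresses, rates, signature names and the three-standard-deviation cutoff are all constructed for the illustration; the action field shows the inline IPS behaviour of dropping traffic that either method flags.

```python
import re
import statistics
from typing import Dict, List

# Constructed signature dictionary. The exploit-facing entry matches one specific probe
# string; the vulnerability-facing entry matches the underlying weakness (a "../"
# traversal sequence in the request path) and therefore also catches unseen variants.
SIGNATURES: Dict[str, re.Pattern] = {
    "exploit-facing: known traversal probe against /cgi-bin":
        re.compile(rb"GET /cgi-bin/\.\./\.\./etc/passwd"),
    "vulnerability-facing: '../' sequence in request path":
        re.compile(rb"GET /[^ ]*\.\./"),
}


def signature_scan(payload: bytes) -> List[str]:
    """Return the names of every signature that fires on this payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


class AnomalyDetector:
    """Statistical anomaly detection: compare a sample against a pre-computed baseline."""

    def __init__(self, baseline_samples: List[int], k: float = 3.0):
        self.mean = statistics.fmean(baseline_samples)
        self.stdev = statistics.pstdev(baseline_samples)
        self.threshold = self.mean + k * self.stdev  # k standard deviations above normal

    def is_anomalous(self, sample: int) -> bool:
        return sample > self.threshold


# Constructed baseline: requests per minute observed from a typical client in quiet periods.
BASELINE_REQUESTS_PER_MINUTE = [20, 22, 19, 21, 23, 20, 18, 22]

# Constructed traffic sample: (source address, requests this minute, representative payload).
TRAFFIC = [
    ("198.51.100.7", 21, b"GET /index.html HTTP/1.1"),
    ("198.51.100.8", 24, b"GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    ("198.51.100.9", 23, b"GET /images/../../../etc/shadow HTTP/1.1"),
    ("198.51.100.10", 200, b"GET /index.html HTTP/1.1"),
]


def analyze(traffic, baseline):
    """Apply both methods to every source and decide the inline action."""
    detector = AnomalyDetector(baseline)
    verdicts = {}
    for src, rate, payload in traffic:
        hits = signature_scan(payload)
        anomalous = detector.is_anomalous(rate)
        verdicts[src] = {
            "signatures": hits,
            "rate_anomaly": anomalous,
            "action": "drop" if (hits or anomalous) else "pass",
        }
    return verdicts


if __name__ == "__main__":
    for src, verdict in analyze(TRAFFIC, BASELINE_REQUESTS_PER_MINUTE).items():
        print(src, verdict)
```

The second source trips both signatures, the third only the broader vulnerability-facing one (a variant the exploit-facing pattern never saw), and the fourth carries a harmless payload but sends far more requests than the baseline allows, so only the statistical method catches it.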

Network Address Translation

NAT, or Network Address Translation, is essentially a method of converting a private IP address to a public IP address when connecting to the Internet. NAT remaps the IP address by modifying information in the IP datagram packet headers as they transit across a traffic routing device. This is just a summarized version of what NAT is, but you can read more about it in the Network Address Translation (NAT) FAQ on Cisco's website. Below is a diagram of a Juniper NAT router and 4 key facts about NAT.

Static, Dynamic, and PAT Address Translation

  • Static NAT - Allows one-to-one mapping between local and global addresses.
  • Dynamic NAT - A technique where multiple public IP addresses are mapped to a local IP address to be used.
  • Port Address Translation (PAT) - Maps multiple local IP addresses to a single public address to conserve IP addresses. This method is often referred to as "overloading". By using overloading, thousands of users can be connected to the Internet using only one real public IP address.
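As an added Python example (not code from the original post, Cisco or Juniper), the three translation styles can be modelled with small lookup tables. Addresses are constructed from documentation ranges; the PAT class hands out public source ports starting at 49152 (an assumption, chosen to mirror the dynamic port range) and keeps the reverse table a router needs to deliver replies to the right inside host. Note that dynamic NAT draws from a pool of public addresses and assigns a free one to each inside host on first use, which is why that pool can run out.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNAT:
    """One-to-one mapping between a local and a global address, in both directions."""

    def __init__(self, local_to_global: Dict[str, str]):
        self.local_to_global = dict(local_to_global)
        self.global_to_local = {g: l for l, g in local_to_global.items()}

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src_ip=self.local_to_global[pkt.src_ip])

    def inbound(self, pkt: Packet) -> Packet:
        return replace(pkt, dst_ip=self.global_to_local[pkt.dst_ip])


class DynamicNAT:
    """A pool of global addresses; each local host is given a free one on first use."""

    def __init__(self, pool: List[str]):
        self.free = list(pool)
        self.local_to_global: Dict[str, str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src_ip not in self.local_to_global:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")  # a real router would drop the packet
            self.local_to_global[pkt.src_ip] = self.free.pop(0)
        return replace(pkt, src_ip=self.local_to_global[pkt.src_ip])


class PAT:
    """Overloading: many local (ip, port) pairs share one global IP, told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 49152):  # 49152 is an assumption
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound flow -> public port, and the reverse table used for incoming replies
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # no table entry: an unsolicited packet has no inside destination
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])


def demo_pat() -> List[Optional[Packet]]:
    """Two inside hosts pick the same source port; PAT keeps them apart on one public IP."""
    pat = PAT("198.51.100.1")
    out_a = pat.outbound(Packet("192.168.1.10", 51000, "203.0.113.5", 443))
    out_b = pat.outbound(Packet("192.168.1.11", 51000, "203.0.113.5", 443))
    reply_b = pat.inbound(Packet("203.0.113.5", 443, "198.51.100.1", out_b.src_port))
    stray = pat.inbound(Packet("203.0.113.5", 443, "198.51.100.1", 60000))
    return [out_a, out_b, reply_b, stray]


if __name__ == "__main__":
    for p in demo_pat():
        print(p)
```

The stray packet at the end returns None: with PAT, an inbound packet that matches no translation entry simply has nowhere to go, which is the side effect that makes overloading behave like a basic stateless filter for unsolicited traffic.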
I am actively looking for work, feel free to connect with me and let's talk business. Also, feedback is appreciated! Thank you!
