Notes

Protocol analyzer
Hardware or software for monitoring and analyzing digital traffic over a network
Also called
Packet sniffers
Packet analyzers
Network analyzer
Network sniffers
Network scanners
Copies frames and allows viewing of frame contents
Monitor and log network traffic
Check for specific protocols on the network,such as smtp,dns,pop3, and icmp
Identify frames that might cause errors
Examine the data contained within a packet
Identify users who are connecting to an unauthorized website
Discover clear text passwords
Identify encrypted traffic that includes sensitive data
Analyze network performance
Troubleshoot communication problems
Nic and switch setup
Nic’s will accept frames addressed only to that nic
Configure the nic in promiscuous mode
In p-mode, the nic will process every frame it sees
Switch’s will only forward packets to the switch port that holds a destination devices
Configure port mirroring on the stich. With port mirroring, all frames sent to all other switch ports will be forwarded on the mirrored port
Filters show only those frames or packets to or from specific addresses, or frames that include specific protocol types
Capture filter captures ( records) only the frames identified by the filter
Attacks using protocol analyzers
Spoofing
Man in the middle
Replay
tcp/ip session hijacking
Mac flooding
Common analyzers
Wireshark
Ethereal
Dsniff
Ettercap
Tcpdump
Microsoft network monitor
6.11 remote access
Allows a host to connect to a server or even a private network and access resources as if they were connected to the LAN locally
Public switch telephone network (pstn)
Used modems to connect to a remote access server
Outdated
To slow to use for most things
Point-to-point protocol (ppp) & point-to-point protocol over ethernet (pppoe)
Used at the data link layer
Ppp was used for dial-up
Pppoe requires a static ip from the isp and sometimes a user name and a password to authenticate with the isp
Proxy ARP
Used when a host fakes the identify of other machines in order to receive the packets intended for those other machines and takes responsibility for routing the packets to the intended machine
Proxy address resolution protocol (proxy ARP)
Answers the arp querles for a network address that is not on that network
Address resolution protocol (arp)
Finds mac address from an ip address
Challenge handshake authentication protocol ( CHAP)
challenge/response (three-way handshake) mechanism to protect passwords.
The only remote access authentication protocol that ensures that the same client or system exists through a communication session by repeatedly and randomly retesting the validated system
Microsoft challenge handshake authentication protocol (ms-chap)
Encrypts the shared secret on each system
Allows for mutual authentication, in which the server authenticates to the client
Help to prevent man in the middle attacks and server manipulation
Extensible authentication protocol ( EAP)
When a connection is established, the client and server negotiate the authentication type that will be used based on the allowed or required authentication types configured on each device
CHAP and MS-CHAP------- username and password
EAP--- many different methods---- password, certificates, and smart cards
Remote access policies
Authorization can be restricted based on the following
Time of day
Type of connection ( ppp or pppoE, wired or wireless)
Location of the resources (restricts access to specific servers)
AAA Server/Accounting
Authentication, authorization, and accounting
Connection requests from remote clients are received by the remote access server and forwarded to the AAA server to be approved or defined
Policies defined on the AAA server apply to all clients connected to all remote access servers
Radius server
Remote authentication dial -in user service ( radius)
USED BY MICROSOFT servers for centralized remote access administration
Used as an authentication and authorization mechanism that uses udp for authorization
User datagram protocol (udp) - alternative communication protocol to tcp used primarily for establishing low - latency and loss tolerating connection between applications on the internet
Supports ppp,CHAP, and PAP.
Does not transmit passwords in cleartext
Password is hashed and the hash is added to the password before it is transmitted
Encrypts only the password using MDS
Uses UDP ports 1812 and 1813
Vulnerable to buffer overflow attacks
Set up -- configure a server as a radius server to provide aaa services. Then configure all remote access servers as radius clients
TACACS and TACACS+
Terminal access controller access -control system (TACACS)
TACACS+ is the newer version
Separate authentication,authorization, and accounting into different services
Can all be on the same server or split between different servers
Use TCP instead of UDP
TACACS
Developed by cisco for centralized remote access administration
TACACS+ is cisco proprietary
Provides 3 protocols, one each for authentication , authorization, and accounting. ( each service to be provided by a different server.)
Uses TCP port 49
TACACS+
Encrypts the entire packet contents
The client server dialogs are also encrypted.
Remote access severs become TACACS+ clients to the backend TACACS+ server similar to a radius solution
TACACS+ and RADIUS
RADIUS is more interoperable because TACACS+ is Cisco
Proprietary
TACACS+ is considered more reliable because of TCP
TACACS+ is more secure
Both are vulnerable to buffer overflow attacks,birthday attacks, and packet sniffing