CCNA Router and Catalyst Switch IOS Command Reference
By Jamison Schmidt
This reference guide provides router and switch commands to help you prepare for Cisco's CCNA certification exam. This guide covers IOS version 11 and higher. We will try to get VLSM and Supernetting commands added for the new 640-801 CCNA exam.
Router Commands
Terminal Controls:
· Config# terminal editing - allows for enhanced editing commands
· Config# terminal monitor - shows output on telnet session
· Config# terminal ip netmask-format hexadecimal|bit-count|decimal - changes the format of subnet masks
Host Name:
· Config# hostname ROUTER_NAME
Banner:
· Config# banner motd # TYPE MESSAGE HERE # - # can be substituted for any character, must start and finish the message
Descriptions:
· Config# description THIS IS THE SOUTH ROUTER - can be entered at the Config-if level
Clock:
· Config# clock timezone Central -6
· # clock set hh:mm:ss dd month yyyy - Example: clock set 14:35:00 25 August 2003
Changing The Register:
· Config# config-register 0x2100 - ROM Monitor Mode
· Config# config-register 0x2101 - ROM boot
· Config# config-register 0x2102 - Boot from NVRAM
Boot System:
· Config# boot system tftp FILENAME SERVER_IP - Example: boot system tftp 2600_ios.bin 192.168.14.2
· Config# boot system ROM
· Config# boot system flash - Then - Config# reload
CDP:
· Config# cdp run - Turns CDP on
· Config# cdp holdtime 180 - Sets the time that a neighbor entry remains in the CDP table. Default is 180
· Config# cdp timer 30 - Sets the update timer. The default is 60
· Config# int Ethernet 0
· Config-if# cdp enable - Enables CDP on the interface
· Config-if# no cdp enable - Disables CDP on the interface
· Config# no cdp run - Turns CDP off
Host Table:
· Config# ip host ROUTER_NAME INT_Address - Example: ip host lab-a 192.168.5.1
-or-
· Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 - Example: ip host lab-a 192.168.5.1 205.23.4.2 199.2.3.2 - (for e0, s0, s1)
DNS:
· Config# ip domain-lookup - Tell router to lookup domain names
· Config# ip name-server 122.22.2.2 - Location of DNS server
· Config# ip domain-name cisco.com - Domain to append to end of names
Clearing Counters:
· # clear interface Ethernet 0 - Clears counters on the specified interface
· # clear counters - Clears all interface counters
· # clear cdp counters - Clears CDP counters
Static Routes:
· Config# ip route Net_Add SN_Mask Next_Hop_Add - Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2
· Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add - Default route
-or-
· Config# ip default-network Net_Add - Gateway LAN network
IP Routing:
· Config# ip routing - Enabled by default
· Config# router rip
-or-
· Config# router igrp 100
· Config# interface Ethernet 0
· Config-if# ip address 122.2.3.2 255.255.255.0
· Config-if# no shutdown
IPX Routing:
· Config# ipx routing
· Config# interface Ethernet 0
· Config# ipx maximum-paths 2 - Maximum equal metric paths used
· Config-if# ipx network 222 encapsulation sap - Also Novell-Ether, SNAP, ARPA on Ethernet. Encapsulation HDLC on serial
· Config-if# no shutdown
Access Lists:
Access list number ranges by type:
IP Standard: 1-99
IP Extended: 100-199
IPX Standard: 800-899
IPX Extended: 900-999
IPX SAP Filters: 1000-1099
IP Standard:
· Config# access-list 10 permit 133.2.2.0 0.0.0.255 - allow all src ip’s on network 133.2.2.0
-or-
· Config# access-list 10 permit host 133.2.2.2 - specifies a specific host
-or-
· Config# access-list 10 permit any - allows any address
· Config# int Ethernet 0
· Config-if# ip access-group 10 in - also available: out
IP Extended:
· Config# access-list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq telnet
-protocols: tcp, udp, icmp, ip (no sockets then), among others
-source then destination address
-eq, gt, lt for comparison
-sockets can be numeric or name (23 or telnet, 21 or ftp, etc)
-or-
· Config# access-list 101 deny tcp any host 133.2.23.3 eq www
-or-
· Config# access-list 101 permit ip any any
· Config# interface Ethernet 0
· Config-if# ip access-group 101 out
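The standard and extended entries above, run through a small evaluator. This is an added example in Python, not commands or code from the original reference: the list numbers and entries are the ones on the page, while the sample packets and the deliberately mis-ordered copy of list 101 are constructed. It shows the two things that matter most when reading an access list: entries are tested top to bottom and the first match wins, and every list ends with an implicit "deny any", so a "permit ip any any" placed too early shadows every deny after it.

```python
# Added example (not from the original reference): a small evaluator for
# Cisco-style numbered IP access lists. It shows the two rules a reader of an
# access list needs most: entries are tested top to bottom and the first match
# wins, and every list ends with an implicit "deny any". List numbers and the
# entries below are taken from the page; the sample packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every bit is a don't-care bit
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80}

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard mask is the inverse of a subnet mask: a 1 bit means 'do not
    care'. 133.2.2.0 0.0.0.255 therefore matches any 133.2.2.x address, and
    'host 133.2.2.2' is shorthand for 133.2.2.2 0.0.0.0 (every bit must match)."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)

@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: Tuple[str, str]              # (address, wildcard)
    dst: Tuple[str, str]              # standard lists check the source only
    dport: Optional[int] = None       # destination port from "eq"; None = any

def _addr(tok: List[str]):
    """Consume one address spec (any | host A | A WILDCARD | bare A) and return (spec, rest)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    if len(tok) > 1 and tok[1].count(".") == 3:
        return (tok[0], tok[1]), tok[2:]
    return (tok[0], "0.0.0.0"), tok[1:]   # bare address = host

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse the subset of 'access-list N ...' syntax used on this page."""
    entries = []
    for line in lines:
        tok = line.split()
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99:                      # IP standard: source only
            src, _ = _addr(tok[3:])
            entries.append(Entry(action, "ip", src, ANY))
        elif 100 <= number <= 199:                 # IP extended: proto src dst [eq port]
            src, rest = _addr(tok[4:])
            dst, rest = _addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            entries.append(Entry(action, tok[3], src, dst, dport))
        else:
            raise ValueError("only IP lists 1-199 are modelled here")
    return entries

def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching entry, or ("deny", None)
    for the implicit deny that IOS appends to every access list."""
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, *e.src) or not wildcard_match(dst, *e.dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None

# The page's access-list 101 and access-list 10, in the order given there.
ACL_101 = [
    "access-list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq telnet",
    "access-list 101 deny tcp any host 133.2.23.3 eq www",
    "access-list 101 permit ip any any",
]
ACL_10 = ["access-list 10 permit 133.2.2.0 0.0.0.255"]

def demo() -> dict:
    """Constructed packets run through both lists, plus a mis-ordered copy of 101."""
    ext, std = parse_acl(ACL_101), parse_acl(ACL_10)
    shadowed = parse_acl([ACL_101[2], ACL_101[1]])   # "permit ip any any" placed first
    return {
        "telnet_in_range": evaluate(ext, "tcp", "133.12.5.9", "122.3.2.7", 23),      # ("permit", 0)
        "www_to_server":   evaluate(ext, "tcp", "10.1.1.1", "133.2.23.3", 80),       # ("deny", 1)
        "www_elsewhere":   evaluate(ext, "tcp", "10.1.1.1", "133.2.23.4", 80),       # ("permit", 2)
        "std_match":       evaluate(std, "ip", "133.2.2.77", "1.1.1.1"),             # ("permit", 0)
        "std_implicit":    evaluate(std, "ip", "133.2.3.1", "1.1.1.1"),              # ("deny", None)
        "shadowed_deny":   evaluate(shadowed, "tcp", "10.1.1.1", "133.2.23.3", 80),  # ("permit", 0): deny never reached
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The "shadowed_deny" case is the check worth carrying over to real configurations: after editing a list, confirm that each deny still sits above any broader permit that would otherwise match the same traffic.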
IPX Standard:
· Config# access-list 801 permit 233 AA3 - source network/host then destination network/host
-or-
· Config# access-list 801 permit -1 -1 - “-1” is the same as “any” with network/host addresses
· Config# interface Ethernet 0
· Config-if# ipx access-group 801 out
IPX Extended:
· Config# access-list 901 permit sap 4AA all 4BB all
- Permit protocol src_add socket dest_add socket
-“all” includes all sockets, or can use socket numbers
-or-
· Config# access-list 901 permit any any all any all
-Permits any protocol with any address on any socket to go anywhere
· Config# interface Ethernet 0
· Config-if# ipx access-group 901 in
IPX SAP Filter:
· Config# access-list 1000 permit 4aa 3 - “3” is the service type
-or-
· Config# access-list 1000 permit 4aa 0 - service type of “0” matches all services
· Config# interface Ethernet 0
· Config-if# ipx input-sap-filter 1000 - filter applied to incoming packets
-or-
· Config-if# ipx output-sap-filter 1000 - filter applied to outgoing packets
Named Access Lists:
· Config# ip access-list standard LISTNAME
-can be ip or ipx, standard or extended
-followed by the permit or deny list
· Config# permit any
· Config-if# ip access-group LISTNAME in
-use the list name instead of a list number
-allows for a larger amount of access-lists
PPP Setup:
· Config-if# encapsulation ppp
· Config-if# ppp authentication chap pap
-order in which they will be used
-only attempted with the authentication listed
-if one fails, then connection is terminated
· Config-if# exit
· Config# username Lab-b password 123456
-username is the router that will be connecting to this one
-only specified routers can connect
-or-
· Config-if# ppp chap hostname ROUTER
· Config-if# ppp chap password 123456
-if this is set on all routers, then any of them can connect to any other
-set same on all for easy configuration
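What the "ppp authentication chap" line above actually puts on the wire, as an added Python example that is not part of the original reference. It follows the CHAP exchange of RFC 1994 (MD5, algorithm 5); the router names and the 123456 secret are constructed to match the page's "username Lab-b password 123456" entry. The peer is looked up by the hostname it sends, the secret is hashed with a fresh random challenge and never transmitted, a router with no username entry is refused, and a response recorded from one exchange is refused when presented against a later challenge.

```python
# Added example (not from the original reference): the CHAP exchange that
# "ppp authentication chap" sets up, following RFC 1994 (MD5, algorithm 5).
# The hostnames and the secret mirror the page's "username Lab-b password
# 123456" entry but are constructed for this demonstration.
import hashlib
import hmac
import os
from typing import Dict, Tuple

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP-MD5 response value: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

class ChapAuthenticator:
    """The router holding "username <peer> password <secret>" entries."""
    def __init__(self, hostname: str, users: Dict[str, str]):
        self.hostname = hostname
        self.users = users                     # peer hostname -> shared secret
        self.identifier = 0
        self.pending: Dict[int, bytes] = {}    # outstanding challenges by ID

    def challenge(self) -> Tuple[int, bytes, str]:
        """Step 1: send (ID, random challenge, own name); remember the challenge."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal, self.hostname

    def verify(self, identifier: int, response: bytes, peer_name: str) -> bool:
        """Step 3: recompute the hash from the stored challenge and the local secret.
        The challenge is consumed whether or not the check passes, so a response
        recorded from one exchange does not verify against a later challenge."""
        chal = self.pending.pop(identifier, None)
        secret = self.users.get(peer_name)
        if chal is None or secret is None:
            return False                       # unknown ID, or no username entry for this peer
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)

class ChapPeer:
    """The connecting router, as set by "ppp chap hostname" / "ppp chap password"."""
    def __init__(self, hostname: str, password: str):
        self.hostname = hostname
        self.password = password

    def respond(self, identifier: int, chal: bytes) -> Tuple[bytes, str]:
        """Step 2: answer with the hash and own name; the password itself stays local."""
        return chap_response(identifier, self.password, chal), self.hostname

def run_exchange(auth: ChapAuthenticator, peer: ChapPeer) -> bool:
    ident, chal, _auth_name = auth.challenge()
    response, peer_name = peer.respond(ident, chal)
    return auth.verify(ident, response, peer_name)

def demo() -> Dict[str, bool]:
    """Outcomes for a correct peer, a wrong password, an unlisted router and a reused response."""
    lab_a = ChapAuthenticator("Lab-a", {"Lab-b": "123456"})   # constructed username table
    results = {
        "correct_peer":    run_exchange(lab_a, ChapPeer("Lab-b", "123456")),   # True
        "wrong_password":  run_exchange(lab_a, ChapPeer("Lab-b", "654321")),   # False
        "unlisted_router": run_exchange(lab_a, ChapPeer("Lab-c", "123456")),   # False
    }
    # A response that was valid for one challenge is presented to the next one.
    ident, chal, _ = lab_a.challenge()
    recorded, name = ChapPeer("Lab-b", "123456").respond(ident, chal)
    results["first_use"] = lab_a.verify(ident, recorded, name)                 # True
    ident2, _chal2, _ = lab_a.challenge()
    results["reused_response"] = lab_a.verify(ident2, recorded, name)          # False
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} -> {'accepted' if ok else 'refused'}")
```

The "unlisted_router" case is the behaviour the page describes with "only specified routers can connect": the username table, not the link itself, decides who is accepted, which is also why setting the same password on every router turns that table into one shared secret.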
ISDN Setup:
· Config# isdn switch-type basic-5ess - determined by telecom
· Config# interface serial 0
· Config-if# isdn spid1 2705554564 - isdn “phonenumber” of line 1
· Config-if# isdn spid2 2705554565 - isdn “phonenumber” of line 2
· Config-if# encapsulation PPP - or HDLC, LAPD
DDR - 4 Steps to setting up ISDN with DDR
- Configure switch type
Config# isdn switch-type basic-5ess - can be done at interface config
- Configure static routes
Config# ip route 123.4.35.0 255.255.255.0 192.3.5.5 - sends traffic destined for 123.4.35.0 to 192.3.5.5
Config# ip route 192.3.5.5 255.255.255.255 bri0 - specifies how to get to network 192.3.5.5 (through bri0)
- Configure Interface
Config-if# ip address 192.3.5.5 255.255.255.0
Config-if# no shutdown
Config-if# encapsulation ppp
Config-if# dialer-group 1 - applies dialer-list to this interface
Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212
-connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic
-can also use “dialer string 5551212” instead if there is only one router to connect to
- Specify interesting traffic
Config# dialer-list 1 ip permit any
-or-
Config# dialer-list 1 ip list 101 - use the access-list 101 as the dialer list
- Other Options
Config-if# hold-queue 75 - queue 75 packets before dialing
Config-if# dialer load-threshold 125 either
-load needed before second line is brought up
-“125” is any number 1-255, where % load is x/255 (ie 125/255 is about 50%)
-can check by in, out, or either
Config-if# dialer idle-timeout 180
-determines how long to stay idle before terminating the session
-default is 120
Frame Relay Setup:
· Config# interface serial 0
· Config-if# encapsulation frame-relay - cisco by default, can change to ietf
· Config-if# frame-relay lmi-type cisco - cisco by default, also ansi, q933a
· Config-if# bandwidth 56
· Config-if# interface serial 0.100 point-to-point - subinterface
· Config-if# ip address 122.1.1.1 255.255.255.0
· Config-if# frame-relay interface-dlci 100
-maps the dlci to the interface
-can add BROADCAST and/or IETF at the end
· Config-if# interface serial 1.100 multipoint
· Config-if# no inverse-arp - turns IARP off; good to do
· Config-if# frame-relay map ip 122.1.1.2 48 ietf broadcast
-maps an IP to a dlci (48 in this case)
-required if IARP is turned off
-ietf and broadcast are optional
Show Commands:
· Show access-lists - all access lists on the router
· Show cdp - cdp timer and holdtime frequency
· Show cdp entry * - same as next
· Show cdp neighbors detail - details of neighbor with ip add and ios version
· Show cdp neighbors - id, local interface, holdtime, capability, platform portid
· Show cdp interface - int’s running cdp and their encapsulation
· Show cdp traffic - cdp packets sent and received
· Show controllers serial 0 - DTE or DCE status
· Show dialer - number of times dialer string has been reached, other stats
· Show flash - files in flash
· Show frame-relay lmi - lmi stats
· Show frame-relay map - static and dynamic maps for PVC’s
· Show frame-relay pvc - pvc’s and dlci’s
· Show history - commands entered
· Show hosts - contents of host table
· Show int f0/26 - stats of f0/26
· Show interface Ethernet 0 - show stats of Ethernet 0
· Show ip - ip config of switch
· Show ip access-lists - ip access-lists on switch
· Show ip interface - ip config of interface
· Show ip protocols - routing protocols and timers
· Show ip route - Displays IP routing table
· Show ipx access-lists - same, only ipx
· Show ipx interfaces - RIP and SAP info being sent and received, IPX addresses
· Show ipx route - ipx routes in the table
· Show ipx servers - SAP table
· Show ipx traffic - RIP and SAP info
· Show isdn active - number with active status
· Show isdn status - shows if SPIDs are valid, if connected
· Show mac-address-table - contents of the dynamic table
· Show protocols - routed protocols and net_addresses of interfaces
· Show running-config - dram config file
· Show sessions - connections via telnet to remote device
· Show startup-config - nvram config file
· Show terminal - shows history size
· Show trunk a/b - trunk stat of port 26/27
· Show version - ios info, uptime, address of switch
· Show vlan - all configured vlan’s
· Show vlan-membership - vlan assignments
Catalyst Commands:
· Config# ip address 192.168.10.2 255.255.255.0
· Config# ip default-gateway 192.168.10.1
Duplex Mode:
· Config# interface Ethernet 0/5 - “fastethernet” for 100 Mbps ports
· Config-if# duplex full - also, half | auto | full-flow-control
Switching Mode:
· Config# switching-mode store-and-forward - also, fragment-free
MAC Address Configs:
· Config# mac-address-table permanent aaab.000f.ffef e0/2 - only this mac will work on this port
· Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
-port 3 can only send data out port 2 with that mac
-very restrictive security
· Config-if# port secure max-mac-count 5 - allows only 5 mac addresses mapped to this port
VLANS:
· Config# vlan 10 name FINANCE
· Config# interface Ethernet 0/3
· Config-if# vlan-membership static 10
Trunk Links:
· Config-if# trunk on - also, off | auto | desirable | nonegotiate
· Config-if# no trunk-vlan 2
-removes vlan 2 from the trunk port
-by default, all vlans are set on a trunk port
Configuring VTP:
· Config# delete vtp - should be done prior to adding to a network
· Config# vtp server - the default is server, also client and transparent
· Config# vtp domain Camp - name doesn’t matter, just so all switches use the same
· Config# vtp password 1234 - limited security
· Config# vtp pruning enable - limits vtp broadcasts to only switches affected
· Config# vtp pruning disable
Flash Upgrade:
· Config# copy tftp://192.5.5.5/configname.ios opcode - “opcode” for ios upgrade, “nvram” for startup config
Delete Startup Config:
· Config# delete nvram
Cisco Hierarchical Model: For more information about this, please read our separate tutorial titled "The Cisco Hierarchical Model".
OSI Model: The OSI model is a layered model and a conceptual standard used for defining standards that promote multi-vendor integration, maintain consistent interfaces and isolate changes of implementation to a single layer. It is NOT application or protocol specific. In order to pass any Cisco exam, you need to know the OSI model inside and out. The OSI Model consists of 7 layers as follows:
Here is an easy way to memorize the order of the layers: All People Seem To Need Data Processing. The first letter of each word corresponds to the first letter of one of the layers. It is a little corny, but it works.
The table above mentions the term "MAC Address". A MAC address is a 48-bit address that uniquely identifies a device on the network. It is written as 12 hexadecimal digits, something like 00-00-12-33-FA-BC. The first 6 digits identify the manufacturer, while the remaining 6 identify the host itself. The ARP protocol is used to determine the IP-to-MAC mapping. And of course, MAC addresses cannot be duplicated on the network or problems will occur. For more information about ARP and related protocols, read Guide To ARP, IARP, RARP, and Proxy ARP.
Data encapsulation takes place in the OSI model. It is the process in which the information in a protocol is wrapped in the data section of another protocol. The process can be broken down into the following steps: User information -> data -> segments -> packets/datagrams -> frames -> bits.
When discussing the OSI model it is important to keep in mind the differences between "Connection-oriented" and "Connectionless" communications. A connection-oriented communication has the following characteristics:
In contrast, a connectionless communication has the following characteristics:
(Note: Connectionless communication does have some reliability PROVIDED by upper layer protocols.)
LAN Design: Ethernet
When we talk about a LAN, Ethernet is the most popular physical layer LAN technology today. Its standard is defined by the Institute of Electrical and Electronics Engineers as IEEE Standard 802.3, but it was originally created by Digital, Intel and Xerox (DIX). According to IEEE, information for configuring an Ethernet as well as specifying how elements in an Ethernet network interact with one another is clearly defined in 802.3. For half-duplex Ethernet 10BaseT topologies, data transmissions occur in one direction at a time, leading to frequent collisions and data retransmission. In contrast, full-duplex devices use separate circuits for transmitting and receiving data and, as a result, collisions are largely avoided. A collision is when two nodes are trying to send data at the same time. On an Ethernet network, the node will stop sending when it detects a collision, and will wait for a random amount of time before attempting to resend, known as a jam signal. Also, with full-duplex transmissions the available bandwidth is effectively doubled, as we are using both directions simultaneously. You MUST remember: to enjoy full-duplex transmission, we need a switch port, not a hub, and NICs that are capable of handling full duplex. Ethernet’s media access control method is called Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Because of Ethernet’s collision habits it is also known as the “best effort delivery system.” Ethernet cannot carry data over 1518 bytes; anything over that is broken down into “travel size packets.”
Fast Ethernet
For networks that need higher transmission speeds, there is the Fast Ethernet standard called IEEE 802.3u that raises the Ethernet speed limit to 100 Mbps! Of course, we need new cabling to support this high speed. In a 10BaseT network we use Cat 3 cable, but in a 100BaseT network we need Cat 5 cables.
The three types of Fast Ethernet standards are 100BASE-TX for use with level 5 UTP cable, 100BASE-FX for use with fiber-optic cable, and 100BASE-T4, which utilizes an extra two wires for use with level 3 UTP cable.
Gigabit Ethernet
Gigabit Ethernet is an emerging technology that will provide transmission speeds of 1000mbps. It is defined by the IEEE 802.3z standard (1000BASE-X). Just like all other 802.3 transmission types, it uses the Ethernet frame format, full-duplex and media access control technology.
Token Ring
Token Ring is an older standard that isn't very widely used anymore, as most have migrated to some form of Ethernet or other advanced technology. Ring topologies can have transmission rates of either 4 or 16mbps. Token passing is the access method used by token ring networks, whereby a 3bit packet called a token is passed around the network. A computer that wishes to transmit must wait until it can take control of the token, allowing only one computer to transmit at a time. This method of communication aims to prevent collisions. Token Ring networks use multistation access units (MSAUs) instead of the hubs used on an Ethernet network. For extensive information on Token Ring, read Cisco's Token Ring/IEEE 802.5 tutorial.
Network Devices: In a typical LAN, there are various types of network devices available as outlined below.
The goal of LAN segmentation is to effectively reduce traffic and collisions by segmenting the network. In a LAN segmentation plan, we do not consider the use of gateways and hubs at all, and the focus turns to devices such as switches and routers.
Bridging/Switching:
· Bridge - A layer 2 device used to connect different network types or networks of the same type. It maps the Ethernet addresses of the nodes residing on each segment and allows only the necessary traffic to pass through the bridge. Packets destined for the same segment are dropped. This "store-and-forward" mechanism inspects the whole Ethernet packet before making a decision. Unfortunately, it cannot filter out broadcast traffic. Also, it introduces a 20 to 30 percent latency when processing the frame. Only 2 networks can be linked with a bridge.
· Switch - Switches are layer 2 devices that can link up four, six, eight or even more networks. Switches are the only devices that allow for microsegmentation. Cut-through switches run faster because when a packet comes in, the switch forwards it right after looking at the destination address only. A store-and-forward switch inspects the entire packet before forwarding. Most switches cannot stop broadcast traffic. Switches are considered dedicated data link devices because each port gets close to 100% of the bandwidth. While bridging does most of its work by hardware, switches use fabric/software to handle most of their work.
Store-and-forward - The entire frame is received before any forwarding takes place. The destination and/or the source addresses are read and filters are applied before the frame is forwarded. Latency occurs while the frame is being received; the latency is greater with larger frames because the entire frame takes longer to read. Error detection is high because of the time available to the switch to check for errors while waiting for the entire frame to be received. This method discards frames smaller than 64 bytes (runts) and frames larger than 1518 bytes (giants).
Cut-Through - The switch reads the destination address before receiving the entire frame. The frame is then forwarded before the entire frame arrives. This mode decreases the latency of the transmission and has poor error detection. This method has two forms, Fast-forward and fragment-free.
Spanning-Tree Protocol - Allows duplicate switched/bridged paths without incurring the latency effects of loops in the network.
The Spanning-Tree Algorithm, implemented by the Spanning-Tree Protocol, prevents loops by calculating a stable spanning-tree network topology. When creating a fault-tolerant network, a loop-free path must exist between all nodes in the network. The Spanning-Tree Algorithm is used to calculate that loop-free path. Spanning-tree frames, called bridge protocol data units (BPDUs), are sent and received by all switches in the network at regular intervals and are used to determine the spanning-tree topology. A switch uses Spanning-Tree Protocol on all Ethernet- and Fast Ethernet-based VLANs. Spanning-Tree Protocol detects and breaks loops by placing some connections in standby mode; these are activated in the event of an active connection failure. A separate instance of Spanning-Tree Protocol runs within each configured VLAN, ensuring topologies, mainly Ethernet topologies, that conform to industry standards throughout the network. These modes are as follows:
The state for each VLAN is initially set by the configuration and later modified by the Spanning-Tree Protocol process. You can determine the status, cost and priority of ports and VLANs by using the show spantree command. After the port-to-VLAN state is set, Spanning-Tree Protocol determines whether the port forwards or blocks frames.
VLANs: A VLAN is a logical grouping of devices or users. These devices or users can be grouped by function, department, application and so on, regardless of their physical segment location. VLAN configuration is done at the switch via the switching fabric. A VLAN can be used to reduce collisions by separating broadcast domains within the switch. In other words, VLANs create separate broadcast domains in a switched network. Frame tagging at layer 2 does this.
Frame tagging is gaining recognition as the standard for implementing VLANs, and is recognized by IEEE 802.1q. Frame tagging uniquely assigns a VLAN ID to each frame. This identifier is understood and examined by each switch prior to any broadcasts or transmissions to other switches, routers, and end-station devices. When the frame exits the network backbone, the switch removes the identifier before the frame is transmitted to the target end station. This effectively creates an environment with fewer collisions. The key to this is that ports in a VLAN share broadcasts, while ports not in that VLAN cannot share the broadcasts. Thus users in the same physical location can be members of different VLANs. We can plug existing hubs into a switch port and assign them a VLAN of their own to segregate users on the hubs.
Frame filtering examines particular information about each frame. A filtering table is developed for each switch; this provides a high level of administrative control because it can examine many attributes of each frame. Frame filtering is slowly being phased out and replaced by the frame tagging method.
VLANs can be complicated to set up. VLANs use layer 2 addressing, meaning that routers are required between separate VLANs. The advantage of deploying layer 2 addresses is that layer 2 addressing is faster to process. It is also quite common for administrators to set up multiple VLANs with multiple access lists to control access.
Layer 3 routing provides the ability for multiple VLANs to communicate with each other, which means that users in different locations can reside on the same VLAN. This is a flexible approach to network design. VLANs are configured on the switch in three ways: port-centric, static and dynamic. In port-centric VLANs, all the nodes connected to ports in the same VLAN are assigned the same VLAN ID. Packets do not “leak” into other domains, and such VLANs are easily administered and provide great security between VLANs. Some say that statically configured VLANs are the same as port-centric, because static VLANs use the port-centric method for assigning them to switch ports. Dynamic VLANs are ports on a switch that can automatically determine their VLAN assignments. Dynamic VLAN functions are based on MAC addresses, logical addressing, or the protocol type of the data packets. When a station is initially connected to an unassigned switch port, the switch checks the MAC entry in the management database and dynamically configures the port with the corresponding VLAN configuration. The major high point of this method is less administration overhead, of course only after the initial setup of the database within the VLAN management software.
Creating and Maintaining VLANs
VLAN Considerations
LAN Protocols: The following sections will introduce the core LAN protocols that you will need to know for the exam.
TCP/IP: Every IP address can be broken down into 2 parts, the Network ID (netid) and the Host ID (hostid). All hosts on the same network must have the same netid. Each of these hosts must have a hostid that is unique in relation to the netid. IP addresses are divided into 4 octets, each with a maximum value of 255. We view IP addresses in decimal notation such as 124.35.62.181, but they are actually used as binary data, so one must be able to convert addresses back and forth. The following table explains how to convert binary into decimal and vice versa:
IP addresses are divided into 3 classes as shown below:
A subnet mask blocks out a portion of an IP address and is used to differentiate between the hostid and netid. The default subnet masks are as follows:
In these cases, the part of the IP address blocked out by 255 is the Net ID. The table above shows the default subnet masks. What subnet mask do you use when you want more than 1 subnet? Let's say, for example, that you want 8 subnets and will be using a class C address. The first thing you want to do is convert the number of subnets into binary, so our example would be 00001000. Moving from left to right, drop all zeros until you get to the first "1". For us that would leave 1000. It takes 4 bits to make 8 in binary, so we set the first 4 high-order bits of the 4th octet of the subnet mask (since it is class C) to "1" as follows: 11111111.11111111.11111111.11110000 = 255.255.255.240. There is our subnet mask. Let's try another one. Let's say that you own a chain of stores that sell spatulas in New York, you have stores in 20 different neighborhoods, and you want to have a separate subnet on your network for each neighborhood. It will be a class B network. First, we convert 20 to binary: 00010100. We drop all zeros before the first "1" and that leaves 10100. It takes 5 bits to make 20 in binary, so we set the first 5 high-order bits of the 3rd octet (since it is class B) to "1", which gives: 11111111.11111111.11111000.00000000 = 255.255.248.0. The following table shows a comparison between the different subnet masks.
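The octet conversion and the subnet-mask rule worked by hand above, as an added Python example that is not part of the original tutorial. mask_for_subnets() applies the page's rule exactly (write the subnet count in binary, drop the leading zeros, set that many high-order bits of the next octet of the default mask) and so reproduces 255.255.255.240 for 8 class C subnets and 255.255.248.0 for 20 class B subnets. The first-octet ranges in ip_class() are the standard classful ranges, supplied here as an assumption because the page's class table did not survive; hosts_per_subnet() adds the usable-host count that the missing comparison table would have shown.

```python
# Added example (not from the original tutorial): binary/decimal octet
# conversion and the page's "number of subnets -> subnet mask" rule.
# The classful first-octet ranges and the host count are standard facts
# supplied here because the page's tables did not survive extraction.
from typing import Dict

DEFAULT_PREFIX: Dict[str, int] = {"A": 8, "B": 16, "C": 24}   # 255.0.0.0, 255.255.0.0, 255.255.255.0
WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)                        # value of each bit position in an octet

def octet_to_binary(value: int) -> str:
    """124 -> '01111100'. Divide by 2 repeatedly; the remainders, read last to first, are the bits."""
    if not 0 <= value <= 255:
        raise ValueError("an octet is 0..255")
    bits = ""
    for _ in range(8):
        bits = str(value % 2) + bits
        value //= 2
    return bits

def binary_to_octet(bits: str) -> int:
    """'01111100' -> 124: add the weight of every position holding a 1."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected 8 binary digits")
    return sum(w for w, b in zip(WEIGHTS, bits) if b == "1")

def ip_to_binary(dotted: str) -> str:
    return ".".join(octet_to_binary(int(o)) for o in dotted.split("."))

def ip_class(dotted: str) -> str:
    """Classful range of the first octet (127.x.x.x is the loopback block, never a live host)."""
    first = int(dotted.split(".")[0])
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "D/E"    # multicast and experimental space, not assigned to hosts

def mask_from_prefix(prefix: int) -> str:
    """Number of leading 1 bits -> dotted mask, e.g. 28 -> '255.255.255.240'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix is 0..32")
    as_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((as_int >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_for_subnets(subnets: int, net_class: str) -> str:
    """The page's rule: 8 -> '1000' (4 bits), 20 -> '10100' (5 bits); borrow that many bits."""
    if subnets < 1:
        raise ValueError("need at least one subnet")
    borrowed = len(bin(subnets)[2:])          # binary with leading zeros dropped
    return mask_from_prefix(DEFAULT_PREFIX[net_class] + borrowed)

def hosts_per_subnet(mask: str) -> int:
    """Usable hosts: 2^(host bits) minus the all-zeros (network) and all-ones (broadcast) addresses."""
    ones = sum(octet_to_binary(int(o)).count("1") for o in mask.split("."))
    return 2 ** (32 - ones) - 2

if __name__ == "__main__":
    addr = "124.35.62.181"
    print(addr, "=", ip_to_binary(addr), "class", ip_class(addr))
    for n, cls in ((8, "C"), (20, "B")):
        m = mask_for_subnets(n, cls)
        print(f"{n} class {cls} subnets -> {m} ({hosts_per_subnet(m)} hosts per subnet)")
```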
Note: 127.x.x.x is reserved for loopback testing on the local system and is not used on live systems. TCP/IP Ports - Ports are what an application uses when communicating between a client and server computer. Some common TCP/IP ports are:
· 20 FTP-DATA
· 21 FTP
· 23 TELNET
· 25 SMTP
· 69 TFTP
· 70 GOPHER
· 80 HTTP
· 110 POP3
· 137 NetBIOS name service
· 138 NetBIOS datagram service
· 139 NetBIOS
· 161 SNMP
You need to understand buffering, source quench messages and windowing. Buffering allows devices to temporarily store bursts of excess data in memory. However, if data keeps arriving at high speed, buffers can overflow. In this case, we use source quench messages to request that the sender slow down. Windowing is for flow control. It requires the sending device to send a few packets to the destination device and wait for the acknowledgment. Once received, it sends the same amount of packets again. If there is a problem on the receiving end, obviously no acknowledgement will ever come back. The sending source will then retransmit at a slower speed. This is like trial and error, and it works. Note that the window size should never be set to 0; a zero window size means to stop transmission completely. 3COM’s IP addressing tutorial is just superior. It covers basic IP addressing options as well as subnetting and VLSM/CIDR.
IPX/SPX: IPX will also be an important issue to consider in network management given the fact that many companies still use Netware servers. There are two parts to every IPX network address: the Network ID and the Host ID. The first 8 hex digits represent the network ID, while the remaining hex digits represent the host ID, which is most likely the same as the MAC address, meaning we do not need to manually assign node addresses. Note that valid hexadecimal digits range from 0 through 9, and hexadecimal letters range from A through F. FFFFFFFF in hexadecimal notation = 4292967295 in decimal. Sequenced Packet Exchange (SPX) belongs to the Transport layer, and is connection-oriented. It creates virtual circuits between hosts, and each host is given a connection ID in the SPX header for identifying the connection. Service Advertisement Protocol (SAP) is used by NetWare servers to advertise network services via broadcast at an interval of every 60 minutes by default.
WAN Protocols: In general, there are three broad types of WAN access technology. With Leased Lines, we have a point-to-point dedicated connection that uses a pre-established WAN path provided by the ISP. With Circuit Switching such as ISDN, a dedicated circuit path exists only for the duration of the call. Compared to traditional phone service, ISDN is more reliable and faster. With Packet Switching, all network devices share a single point-to-point link to transport packets across the carrier network; these shared paths are known as virtual circuits. When we talk about Customer Premises Equipment (CPE), we are referring to devices physically located at the subscriber’s location. The demarcation point is where the CPE ends and the local loop begins. A Central Office (CO) has a switching facility that provides the point of presence for its service. Data Terminal Equipment (DTE) are devices where the switching application resides, and Data Circuit-terminating Equipment (DCE) are devices that convert user data from the DTE into the appropriate WAN protocol. A router is a DTE, while a DSU/CSU device or modem is often referred to as a DCE.
Frame Relay: Frame Relay has the following characteristics:
Cisco has a web page that describes the configuration and troubleshooting of Frame Relay: Comprehensive Guide to Configuring and Troubleshooting Frame Relay.
ATM: ATM stands for Asynchronous Transfer Mode and is a high-speed, packet-switching technique that uses short fixed-length packets called cells, which are about 53 bits in length. ATM can transmit voice, video, and data over variable-speed LAN and WAN connections at speeds ranging from 1.544Mbps to as high as 622Mbps. I recently read that the new standard may be 2Gbps. ATM's speed is derived from the use of short fixed-length cells, which reduce delays and the variance of delay for delay-sensitive services such as voice and video. ATM is capable of supporting a wide range of traffic types such as voice, video, image and data.
PPP: As an improvement to Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP) was designed mainly for the transfer of data over slower serial interfaces. It is better than SLIP because it provides multiprotocol support, error correction as well as password protection. It is a Data Link Layer protocol used to encapsulate higher protocols to pass over synchronous or asynchronous communication lines. PPP is capable of operating across any DTE/DCE device, most commonly modems, as long as they support duplex circuits. There are 3 components to PPP:
PPP communication occurs in the following manner. PPP first sends LCP frames to test and configure the data link. Next, if an authentication protocol was negotiated during LCP, it is run to validate the peer. Two common authentication protocols are PAP, which sends the username and password in clear text, and CHAP, which uses a challenge/response based on a shared secret so that the secret itself never crosses the link. Then NCP frames are used to set up the network layer protocol(s) to be carried (for example IPCP for IP). Finally, the data stream is encapsulated in HDLC-style PPP frames as it passes over the connection.
Point-to-Point Tunneling Protocol (PPTP) provides for the transfer of data from a remote client to a private server by creating a multi-protocol Virtual Private Network (VPN): PPP frames are encapsulated in GRE and carried inside IP datagrams. There are 3 steps to set up the tunnel:
1. A PPP connection to the network access server is established and the client is authenticated.
2. PPTP creates a control connection (TCP port 1723) between the client and the remote PPTP server.
3. PPTP encapsulates the PPP frames in GRE/IP datagrams and sends them through the tunnel.
The PPP payload is encrypted (with MPPE, when negotiated) and sent through the tunnel to the PPTP server, which decrypts it, strips the encapsulation and routes the inner packets to the destination host. Setting up PPTP requires a PPTP client, a PPTP server and a Network Access Server (NAS). Note that PPTP's confidentiality rests entirely on the PPP authentication method (MS-CHAP) and on RC4-based MPPE, both of which have well-known weaknesses, so PPTP is now considered obsolete where security matters.
Cisco IOS: Cisco routers run the Internetwork Operating System (IOS). The configuration is stored in Non-Volatile RAM (NVRAM) and the IOS image itself is stored in flash. The IOS can be accessed via Telnet, a console connection (with a terminal program such as HyperTerminal) or a dial-in connection. You can also configure the router as a web server and access a web-based configuration panel via HTTP; both Telnet and HTTP carry credentials in clear text, so restrict them with access lists or disable them ("no ip http server") when they are not needed. Sources for booting include flash memory, a TFTP server and ROM. It is always recommended that a new IOS image be loaded on a TFTP server first and then copied from the TFTP server to flash memory, keeping the server copy as a backup. The copy command "copy tftp flash" copies the IOS image from the TFTP server to flash, and "copy flash tftp" does the reverse. TFTP offers no authentication or integrity protection, so after the copy check the image size and checksum against the values Cisco publishes for that release. Next, we need to tell the router which source to boot from. The following commands are examples of what we should type in depending on the situation. Typically, it is a good idea to specify multiple boot options as a fallback mechanism.
· boot system flash {filename}
· boot system tftp {filename} {tftp server IP address}
· boot system rom
After the boot-up process we can log in. User EXEC is the first mode we encounter; it gives us a prompt of "Router>". Exiting this mode means logging out completely, which is done with the logout command. To proceed to Privileged EXEC we use the enable command; once entered, the prompt changes to "Router#", and the disable command returns us to user EXEC mode. Note that all configuration work requires the administrator to be in Privileged mode first, so the enable password (or, better, enable secret, which is stored as a hash rather than in reversible form) is what protects the device. Put another way, Privileged EXEC mode includes all the commands available in user mode plus those that provide access to global and system settings. The setup command facility is for making major changes to the existing configuration, such as adding a protocol suite, changing a major addressing scheme, or configuring a newly installed interface. If you aren't big on reading manuals, finding your way to the help information is a MUST. To display a list of commands available in each command mode, type a ? mark; IOS also provides context-sensitive help (for example "show ?") to make life easier. In order to pass this exam, you will need to be able to find your way around the IOS. We will list some of the information here, but there is too much to list all of it. You will definitely need access to a router, or the software listed at the beginning of this study guide, so that you can practice. Useful editing commands include:
You will find most of the IOS commands at the following 2 links: Router and Switch Commands http://www.cisco.com/warp/cpropub/45/tutorial.htm

Security: Access lists allow us to implement some level of security on the network by inspecting and filtering traffic as it enters or exits an interface. Each router can have many access lists of the same or different types; however, only one access list per protocol can be applied in each direction of an interface at a time (keep in mind that inbound and outbound are determined from the router's perspective). The two major types of access lists that deserve special attention are IP access lists and IPX access lists. Standard IP access lists permit or deny passage through the router based only on the source host's IP address. Extended IP access lists add the destination address, the IP protocol and port numbers to extend the filtering capabilities: access can be judged on a specific destination address or range of addresses, on an IP protocol such as TCP or UDP, or on port information such as http, ftp, telnet or snmp. The access list number identifies the type of access list: standard IP access lists use numbers 1 through 99, and extended IP access lists use numbers 100 through 199. Entries are evaluated top-down and the first match wins, and every list ends with an implicit deny any, so place specific entries before general ones and include an explicit permit wherever traffic must flow.

When dealing with Access Control Lists, or preparing for your CCNA exam, you have to deal with a 32-bit wildcard mask in dotted-decimal form, also known as the inverse mask. Cisco calls it inverse, and in most cases you can think of it as the reverse of your subnet mask. Like a subnet mask, a wildcard mask has two bit values, but their meaning is different: a 0 bit means "match" (that bit of the address being checked must equal the corresponding bit of the address you configured) and a 1 bit means "ignore" (any value is accepted). When you write a permit or deny statement, the wildcard mask tells the router which bits of the source or destination address to compare. One consequence: the non-zero octets of a subnet mask are even numbers (except 255), while the corresponding octets of a wildcard mask are odd (or 0).

There are several ways to come up with your wildcard mask; the easiest is to subtract your subnet mask from the all-ones address 255.255.255.255, octet by octet. Example: you have a subnet mask of 255.255.255.0. To get the wildcard mask:

  255.255.255.255
- 255.255.255.0
= 0.0.0.255

Then you apply it in the definition, whether using a standard or extended ACL.

Standard example: Router(config)# access-list 3 deny 170.10.1.0 0.0.0.255
How to read this list: the wildcard tells the router to match the first three octets of the source address (170.10.1) and ignore the last octet, so any source in 170.10.1.0/24 is denied.

Extended example: Router(config)# access-list 103 permit tcp 178.10.2.0 0.0.0.255 170.10.1.0 0.0.0.255 eq 80
How to read this list: TCP traffic from any host in 178.10.2.0/24 to any host in 170.10.1.0/24 with destination port 80 is permitted. An extended entry always names the protocol before the addresses. Again, each wildcard mask matches the first three octets and ignores the last.

Think of it this way. Broken down from decimal into binary, the wildcard mask 0.0.0.255 looks like this:
00000000.00000000.00000000.11111111
As you know, a "1" means ignore and a "0" means match, so the last octet can be any value from 0 through 255. For more information on IP Access Lists, read Configuring IP Access Lists.
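The following Python model of the wildcard-mask arithmetic and of the way a router walks an access list is an added example, not code from the original guide and not Cisco code. It derives the inverse mask, parses the two entries above (plus a constructed permit any and permit icmp line), and evaluates sample packets top-down, falling through to the implicit deny. It handles only the subset of IOS syntax used on this page: numbered standard and extended lists, host/any, and a destination-port operator.

```python
"""Wildcard masks and top-down evaluation of IOS-style numbered access lists.
Added illustration, not Cisco code. Supports standard (1-99) and extended
(100-199) lists with host/any and a destination-port operator (eq/neq/lt/gt);
source-port operators and keywords such as 'established' are out of scope."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_from_subnet_mask(mask: str) -> str:
    """Inverse mask: subtract each octet of the subnet mask from 255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"            # standard lists never look at the destination
    dst_wc: str = "255.255.255.255"
    port_op: Optional[str] = None   # eq | neq | lt | gt on the destination port
    port: Optional[int] = None


def _addr_spec(t: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1     # bare address: IOS assumes a single host


def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue                    # comments and blank lines
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:           # standard: source address only
            src, src_wc, _ = _addr_spec(t, 3)
            entries.append(Entry(action, "ip", src, src_wc))
        elif 100 <= number <= 199:      # extended: protocol, source, destination, port
            src, src_wc, i = _addr_spec(t, 4)
            dst, dst_wc, i = _addr_spec(t, i)
            op = port = None
            if i < len(t) and t[i] in ("eq", "neq", "lt", "gt"):
                op, port = t[i], int(t[i + 1])
            entries.append(Entry(action, t[3], src, src_wc, dst, dst_wc, op, port))
        else:
            raise ValueError(f"{number} is not an IP access list number")
    return entries


def _port_ok(op: Optional[str], want: Optional[int], actual: Optional[int]) -> bool:
    if op is None:
        return True
    if actual is None:
        return False
    return {"eq": actual == want, "neq": actual != want,
            "lt": actual < want, "gt": actual > want}[op]


def evaluate(acl: List[Entry], src: str, dst: str, protocol: str = "ip",
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry wins; falling off the end is the implicit deny."""
    for idx, e in enumerate(acl):
        if e.protocol not in ("ip", protocol):
            continue
        if (wildcard_match(src, e.src, e.src_wc)
                and wildcard_match(dst, e.dst, e.dst_wc)
                and _port_ok(e.port_op, e.port, dst_port)):
            return e.action, idx
    return "deny", None


# Constructed sample lists: the two entries from the text plus a trailing
# permit so the standard list does not simply deny everything.
STANDARD_ACL = [
    "access-list 3 deny 170.10.1.0 0.0.0.255",
    "access-list 3 permit any",
]
EXTENDED_ACL = [
    "access-list 103 permit tcp 178.10.2.0 0.0.0.255 170.10.1.0 0.0.0.255 eq 80",
    "access-list 103 permit icmp any any",
    # no 'permit ip any any', so everything else hits the implicit deny
]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.0"))
    for pkt in [("178.10.2.9", "170.10.1.80", "tcp", 80),
                ("178.10.2.9", "170.10.1.80", "tcp", 443)]:
        print(pkt, evaluate(parse_acl(EXTENDED_ACL), *pkt))
```

The UDP and port-443 cases are the ones worth studying: neither is mentioned in the list, so both are dropped by the implicit deny, which is exactly what a missing permit on a production router looks like.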
Access List Commands
· show access-lists - Displays all access lists and their parameters configured on the router. Does not show which interface a list is applied to.
· show access-lists [list #] - Shows only the parameters for the access list specified. Does not show which interface the list is applied to.
· show ip access-lists - Shows only the IP access lists configured on the router.
· show ipx access-list - Shows only the IPX access lists configured on the router.
· show ip interface - Shows which interfaces have IP access lists applied, inbound and outbound.
· show ipx interface - Shows which interfaces have IPX access lists applied.
· show running-config - Shows the access lists and the interfaces they are applied to (the access-group lines).
· any - Keyword representing all hosts or networks; replaces 0.0.0.0 255.255.255.255 in an access list.
· host - Keyword specifying that an address has a wildcard mask of 0.0.0.0 (i.e. it matches only 1 host).
· clear access-list counters [list#] - Clears the per-line match counters of an access list.
· -1 - Matches any IPX network, or any protocol when used in extended IPX access lists.
· 0 - Matches all sockets in extended IPX access lists.
· ip access-group - Applies an IP access list to an interface (interface configuration mode, with in or out).
· ipx access-group - Applies an IPX access list to an interface.
· ipx input-sap-filter - Applies an inbound IPX SAP filter to an interface.
· ipx output-sap-filter - Applies an outbound IPX SAP filter to an interface.
Access List Ranges
· Standard IP Access Lists - 1-99 (IOS 12.0(1) and later also accept the expanded range 1300-1999)
· Extended IP Access Lists - 100-199 (expanded range 2000-2699)
· Standard IPX Access Lists - 800-899
· Extended IPX Access Lists - 900-999
· IPX SAP Filters - 1000-1099
Standard Access List Syntax
IP: access-list 1-99 {permit|deny} address mask
· 1-99 - Standard IP access lists are identified by a number from 1-99, or by a text name (ip access-list standard NAME) with IOS 11.2 or later.
· {permit|deny} - Specifies the nature of the entry, either a permit or a deny statement.
· address - The IP address of the source.
· mask - A wildcard mask, or inverse mask, that determines which bits of the source address are significant. If omitted, it defaults to 0.0.0.0 (a single host).
IPX: access-list 800-899 {deny|permit} source-network[.source-address[source-mask]] destination-network[.destination-address[destination-mask]]
· 800-899 - Standard IPX access lists are identified by a number from 800-899.
· {deny|permit} - Specifies the nature of the entry, either a permit or a deny statement.
· source-network[.source-address[source-mask]] - The IPX address of the source network or node.
· destination-network[.destination-address[destination-mask]] - The IPX address of the destination network or node.
Extended Access List Syntax
IP: access-list 100-199 {permit|deny} {ip|tcp|udp|icmp} source source-mask [lt|gt|eq|neq] [source-port] destination dest-mask [lt|gt|eq|neq] [dest-port] [log]
· 100-199 - Extended IP access lists are identified by a number from 100-199, or by a text name (ip access-list extended NAME) with IOS 11.2 or later.
· {permit|deny} - Specifies the nature of the entry, either a permit or a deny statement.
· {ip|tcp|udp|icmp} - The IP protocol to filter: ip (matches every protocol in the TCP/IP suite), tcp, udp, icmp, or others such as gre or a numeric protocol value.
· source - The IP address of the source.
· source-mask - A wildcard mask, or inverse mask, that determines which bits of the source address are significant.
· [lt|gt|eq|neq] - lt (less than), gt (greater than), eq (equal to) or neq (not equal to); used when the entry filters on a specific source port or range of ports.
· [source-port] - If needed, the source port number of the protocol to be filtered.
· destination - The IP address of the destination.
· dest-mask - A wildcard mask, or inverse mask, that determines which bits of the destination address are significant.
· [lt|gt|eq|neq] - The same operators, applied to the destination port.
· [dest-port] - If needed, the destination port number of the protocol to be filtered.
· [log] - Logs packets matching this entry to the console or syslog (the first match, then periodic summaries). Useful for seeing what a deny entry is actually dropping, but it adds CPU load on busy links.
IPX: access-list 900-999 {deny|permit} protocol source-network.[source-address[source-mask]] socket destination-network.[destination-address[dest-mask]] destination-socket
· 900-999 - Extended IPX access lists are identified by a number from 900-999.
· {deny|permit} - Specifies the nature of the entry, either a permit or a deny statement.
· protocol - IPX protocol; -1 specifies all IPX protocols.
· source-network.[source-address[source-mask]] - The IPX address of the source network or node.
· socket - Source socket, similar to the port value in IP access lists; points to a particular service. 0 specifies all sockets.
· destination-network.[destination-address[dest-mask]] - The IPX address of the destination network or node.
· destination-socket - Destination socket, similar to the port value in IP access lists; points to a particular service. 0 specifies all sockets.
SAP Filters
SAP: access-list 1000-1099 {permit|deny} network.[address] [service-type]
· 1000-1099 - IPX SAP filters are identified by a number in the range 1000-1099.
· {permit|deny} - Specifies the nature of the entry, either a permit or a deny statement.
· network.[address] - The IPX address of the source network or node.
· [service-type] - IPX services such as print services, file services or directory services; 0 means all services.
Security+ Study Guide
CIA Triangle
- Confidentiality: assuring that information is kept secret, with access limited to appropriate people.
- Integrity: assuring that information is not accidentally or maliciously altered or destroyed.
- Availability: assuring that information and communication services are ready for use when expected.
MAC, DAC, RBAC
- Mandatory Access Control (MAC): the most restrictive model. Access decisions are made by the system from security labels (classifications and clearances) attached to objects and subjects; users cannot change permissions on data, even data they created. Used for highly confidential data, such as military or government information.
- Discretionary Access Control (DAC): the owner of a resource decides which users may access it and how; access control is at the discretion of the data owner. This is the most common model (ordinary file permissions), and users can grant access to their own data.
- Role Based Access Control (RBAC) (also called non-discretionary access control): a centrally administered model that grants access based on the role the user holds in the organization, often hierarchical. Access is given to a group of users that perform a similar function, which supports separation of duties.
Access Control
- A reference monitor is the abstract system component that mediates every access by a subject to an object and enforces the access control policy. The security kernel is the hardware, firmware and software that implements the reference monitor concept.
- The reference monitor must mediate all accesses (complete mediation), must be protected from modification (tamperproof) and must be small and simple enough to be verified as correct.
- Type I: Something you know ( passwords, pins )
- Type II: Something you have ( Token, ATM card )
- Type III: Something you are ( Biometrics )
- Before a user can access a resource, several levels of security must be passed: 1. Identify, 2. Authenticate, 3. Authorize
Kerberos
- A trusted, third party authentication protocol developed under project Athena at MIT
- Rather than sharing a password, communication partners share a cryptographic key, and they use knowledge of this key to verify one another's identity. For the technique to work, the shared key must be symmetric — a single key must be capable of both encryption and decryption. One party proves knowledge of the key by encrypting a piece of information, the other by decrypting it.
- Kerberos provides single sign-on (SSO): a user authenticates once to the KDC and then obtains tickets for individual services without re-entering a password.
- The KDC knows the secret keys of all principals (clients and servers) in its realm. It uses these long-term keys to protect its initial exchange with the client and the tickets it issues for servers.
- Kerberos authenticates a client to a requested service via the Ticket Granting Service (TGS) and by issuing temporary symmetric session keys for communication between the client and the KDC, between the KDC and the server (inside the ticket) and between the client and the server. The service ticket is encrypted under the server's own key, so the client cannot read or alter it; communication between client and server then uses the session key. Tickets carry timestamps and limited lifetimes, so clocks in the realm must be loosely synchronised.
- For more information read Kerberos Security.
CHAP
- Challenge Handshake Authentication Protocol (CHAP) uses a stronger authentication process than PAP.
- It is a challenge/response dialog: the authenticator sends a random challenge, and the peer returns an MD5 hash of the packet identifier, its secret and the challenge (RFC 1994). The secret never crosses the link, and because each challenge is fresh a captured response cannot be replayed. The authenticator may also re-challenge at any time during the session.
- PAP (Password Authentication Protocol) sends the username and password in clear text, so a single capture compromises the account.
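The exchange described above, as an added example that is not part of the original guide: the MD5 response computation from RFC 1994, an authenticator that issues single-use challenges, and a simulated eavesdropper replaying a captured response. The authenticator class, the PAP comparison function and the secrets used are this example's own constructions.

```python
"""CHAP challenge/response (RFC 1994, MD5 variant) with a replay check.
Added illustration, not from the original guide; the authenticator class
and its bookkeeping are this example's own design."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || Challenge). The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: holds the peer's secret and issues single-use challenges."""

    def __init__(self, peer_secret: bytes) -> None:
        self.peer_secret = peer_secret
        self.identifier = 0
        self.outstanding: Dict[int, bytes] = {}

    def challenge(self, nbytes: int = 16) -> Tuple[int, bytes]:
        """Challenge packet: fresh random value and a new identifier every time."""
        self.identifier = (self.identifier + 1) & 0xFF
        value = secrets.token_bytes(nbytes)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        """Success/Failure decision; the challenge is consumed whatever the outcome."""
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None:
            return False                    # unknown or already-used challenge: a replay
        expected = chap_response(identifier, self.peer_secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def pap_check(stored: Dict[str, bytes], username: str, password: bytes) -> bool:
    """PAP for contrast: the password itself is sent, so a capture is reusable forever."""
    return hmac.compare_digest(stored.get(username, b""), password)


def run_exchange(server_secret: bytes, peer_secret: bytes) -> Tuple[bool, bool]:
    """One CHAP handshake, then an eavesdropper replaying the captured response."""
    auth = ChapAuthenticator(server_secret)
    ident, chal = auth.challenge()                       # Challenge -> peer
    resp = chap_response(ident, peer_secret, chal)       # Response <- peer
    first = auth.verify(ident, resp)
    replayed = auth.verify(ident, resp)                  # identical bytes, second time
    return first, replayed


if __name__ == "__main__":
    print("matching secrets:", run_exchange(b"s3cret", b"s3cret"))   # (True, False)
    print("wrong secret:    ", run_exchange(b"s3cret", b"guess"))    # (False, False)
```

The replay fails not because MD5 is strong but because the authenticator forgets each challenge after one use; an implementation that accepted a stale identifier would silently lose that property.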
RADIUS, TACACS, TACACS+
- RADIUS is used to provide authentication, authorization and accounting (AAA) services (several implementations have been vulnerable to buffer overflow attacks)
- RADIUS supports PPP, PAP and CHAP
- RADIUS compares the user's name and password against a database
- RADIUS uses UDP (ports 1812/1813, or 1645/1646 on older deployments); only the password attribute is obfuscated, the rest of the packet travels in clear
- TACACS offers authentication and authorization but NO ACCOUNTING
- TACACS uses UDP
- TACACS+ uses TCP (port 49), offers the full AAA model with the three functions separated, was developed by Cisco, and encrypts the whole packet body
- TACACS+ weaknesses include: birthday attacks, buffer overflows, packet sniffing, lack of integrity checking
PPTP, L2TP
- PPTP encrypts data being transmitted but does not encrypt information being exchanged during negotiation
- PPTP only works over IP, cannot use IPSEC
- PPTP does not work with RADIUS or TACACS
- L2TP requires IPSEC to offer encryption
- L2TP offers RADIUS, TACACS
- L2TP can be hardware solution
- L2TP works over IPX, IP, SNA
- Using L2TP with IPSEC provides: Per packet data origin authentication, Replay protection and Data confidentiality
IPSEC
- Provides two modes: 1. Transport mode, where only the payload is protected and the original IP header is kept; 2. Tunnel mode, where the entire original packet (data and IP header) is protected and a new outer IP header is added
- IPSEC is made up of two different protocols: AH and ESP
- AH (Authentication Header) provides authenticity and integrity, including over the IP header fields that do not change in transit, but no confidentiality
- ESP (Encapsulating Security Payload) encrypts the payload and can also provide authentication and integrity
EAP
- Extensible Authentication Protocol
- Sits inside PPP and provides a generalized framework for many different authentication methods. By supporting EAP, the RAS server is no longer a middleman that has to understand each method; it just hands the EAP packets to the RADIUS server
802.1x
- Standard for passing EAP over a wired or wireless LAN.
- 802.1x uses EAP for passing messages between supplicant and authenticator. Works without PPP
- Does Authentication only: Supplicant = client; Authentication server = Radius; Authenticator = WAP or Bridge
Biometrics
- Based on Type 3 authentication mechanism: something you are
- Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics.
- Process of enrollment: samples are collected and features extracted, with no comparison. The resulting template is stored for later use.
- When a person needs access, a one-to-one comparison (verification) is made between the live sample and that person's stored template. Identification, by contrast, is a one-to-many search against all stored templates.
- Biometric Characteristics include: Fingerprints, retina, iris, facial, palm scans, hand geometry, voice, handwritten signature and keystrokes pattern
- FINGERPRINT&PALM = Strongest / Handwriting = weakest
Smartcards / Tokens
- Used to supply static or dynamic passwords
- Type 2: something you have. Smartcards store keys and credentials protected by cryptography (commonly an RSA key pair kept on the card); MD5, often listed alongside it, is a hash function rather than an encryption algorithm
- Static password tokens: the owner authenticates to the token, and the token authenticates the owner to the IS
- Synchronous dynamic password tokens: the token generates a new unique password at fixed intervals; the password and PIN are entered into the IS, which computes the same value from the shared seed and a synchronised clock
- Asynchronous dynamic password tokens: same as above without the timestamps (counter- or challenge-based)
- Challenge response tokens: the system generates a challenge string, the owner enters it into the token, the token generates the response, and that response is entered into the IS
Accounts and Password Management
- Naming conventions: never use an account name that resembles a job position (it tells an attacker which accounts are worth targeting)
- Limit Logon attempts
- Expiry Dates: Have your accounts expire
- Disable account when employee leaves company
- Time restrictions
- Machine restrictions
- PASSWORD POLICIES
- Minimum password length
- Password rotation: systems remember old passwords, cannot reuse
- Password aging: Force users to change password regularly
Attacks
- Birthday Attack: exploits the probability that two different messages hashed with the same function produce the same message digest (a collision). The name comes from the fact that in a room of only 23 people the probability that two share a birthday is greater than 50%; likewise, for an n-bit hash a collision is expected after about 2^(n/2) attempts rather than 2^n.
- Man-in-the-Middle attack: intercepting messages between two hosts that believe they are communicating securely, and forwarding modified versions of the originals.
- DoS Attack: common forms include filling a target's disk with huge email attachments or file transfers, sending a message that resets the target's subnet mask, and exhausting all connection slots on a web server.
- Buffer Overflow attack: occurs when a process receives more data than it expects and the excess overwrites adjacent memory. Classic examples are the ping of death (an oversized ICMP packet) and over-long (256-character) email names.
- SYN attack: exploits the backlog of half-open connections kept during the TCP three-way handshake by sending many SYNs, often from spoofed addresses, and never completing the handshake with the final ACK.
- Teardrop attack: consists of modifying the length and fragment offset in IP packets. Target systems become confused on re-ordering packets.
- Smurf Attack: uses a combo of IP spoofing and ICMP to saturate a target network with traffic. Smurf consists of three elements; source site, bounce site and target site. The attacker ( source site ) sends a modified ping to the broadcast address of a large network ( bounce site ). The modified packet contains a source address of the target site; everyone at the bounce site replies to the target site.
- Brute Force: trying every possible key/combo, longer the key, the longer this attack takes.
- Dictionary: A type of brute force that uses a program that tries common words.
- Replay: using a network capture; replay username/password
Thwarting Attacks
- DoS: Disable ICMP in your network
- Backdoor: use anti-virus, personal firewalls, no modems
- Spoofing: Router or Firewall needs to be set to disallow internal IP entering from outside
- Smurf or DDoS: Disable IP broadcast, IP re-directs
- TCP/IP hijacking: Use IPSEC
- Man-in-the-middle: verify the other end's identity before trusting the channel: check the server's host key (SSH) or certificate (SSL/TLS) against a known value, and treat a changed key as a warning rather than a nuisance
- Replay: Use timestamps : Kerberos
- Birthday/Brute Force: Use long 128 bit keys
- Brute Force: Limit Logon attempts
- Password guessing: Use 6 to 8 upper/lower case letters and numbers
- Social Engineering: Educate Employees
Worms, Trojan Horses and Viruses
- Worm: a self-contained program that replicates itself (or smaller parts of itself) across systems but, unlike a virus, does not infect other files. Worms create copies of themselves on the same computer or send themselves to other computers via IRC, network shares or email.
- Trojan Horse: Malicious program that pretends to be a benign application. Trojans do not replicate. Hides in computer until called on to perform a certain task.
- Virus: A computer program capable of attaching itself to disks or files and replicating itself without user knowledge or prevention. Polymorphic Viruses change each time a new infection occurs. Boot Sector, File Infector, Macro: ( attach to Word or Excel ), metamorphic, and stealth are the kinds of viruses present.
WEP, WAP, WTLS
- WEP: Wired Equivalent Privacy
- Uses RC4, a stream cipher that expands a short key into a keystream; the sender XORs the keystream with the plaintext to produce the ciphertext. A single shared key is configured on every station. For each packet WEP prepends a 24-bit initialisation vector (IV), sent in clear, to that key, so only the IV changes per packet, never the key itself.
- Weakness: with only 24 bits of IV the same keystream is reused quickly on a busy network. If an eavesdropper intercepts two ciphertexts encrypted with the same keystream, XORing them yields the XOR of the two plaintexts; if one plaintext is known or guessable (protocol headers usually are), the other is recovered, and the keystream for that IV can be reused to forge frames. Separate weaknesses in RC4's key scheduling allow the shared key itself to be recovered from enough captured IVs.
- WTLS: Wireless Transport Layer Security, The WTLS is designed to provide security in the Wireless Application Environment.
- The WTLS is based on the well known TLS v1.0 security layer used in Internet.
- WAP: Wireless Application Protocol; The WAP, by means of the WTLS, provides end-to-end security between the WAP protocol endpoints. Actually the end points are the mobile terminal and the WAP gateway. When the WAP gateway makes the request to the origin server, it will use the SSL below HTTP to secure the request. This means that the data is decrypted and again encrypted at the WAP gateway
- WAP defines a set of protocols in the transport, the session, and the application layers. It also specifies an application framework
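The keystream-reuse weakness described under WEP above, as an added example that is not part of the original guide: a plain RC4 implementation, WEP-style per-packet keying (IV prepended to the shared key, without the CRC-32 integrity value), and the recovery of a second plaintext from two frames that share an IV when the first plaintext is guessable. The key, IV and frame contents are constructed for the demonstration.

```python
"""Why reusing an RC4 keystream (WEP with a repeated IV) leaks plaintext.
Added illustration, not code from the original guide. WEP's CRC-32 ICV and
fragmentation are left out; the key, IV and frames below are constructed."""
from typing import Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet RC4 key = 24-bit IV || static shared key.
    The IV travels in clear in the frame header so the receiver can rebuild the key."""
    assert len(iv) == 3
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_second_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Same keystream: c1 XOR c2 == p1 XOR p2, so knowing p1 gives p2."""
    return xor(xor(c1, c2), known_p1)


SHARED_KEY = bytes.fromhex("0102030405")                  # constructed 40-bit WEP key
IV = bytes.fromhex("0a0b0c")                              # constructed 24-bit IV
P1 = b"GET /index.html HTTP/1.0"                          # a frame the attacker can guess
P2 = b"PASS hunter2\r\n"                                  # the frame the attacker wants


def demo(iv_second: bytes = IV) -> Tuple[bytes, bool]:
    """Encrypt P1 and P2 (reusing the IV unless told otherwise) and try to recover P2."""
    c1 = wep_encrypt(IV, SHARED_KEY, P1)
    c2 = wep_encrypt(iv_second, SHARED_KEY, P2)
    guess = recover_second_plaintext(c1, c2, P1)[:len(P2)]
    return guess, guess == P2


if __name__ == "__main__":
    print(demo())                          # same IV: P2 recovered
    print(demo(bytes.fromhex("0a0b0d")))   # fresh IV: garbage
```

With a 24-bit IV a busy access point cycles through the whole IV space in hours, so the "same IV" case is not hypothetical; the same reasoning applies to any stream cipher or counter mode whose nonce is reused.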
Hashes
- Hash: a cryptographic hash is a one-way function that takes an input of variable size and produces a fixed-size output, commonly called the "hash" or "digest". One-way means that given an input it is easy to compute its hash, but given a hash it is hard to compute a corresponding input (preimage resistance), and given a block of data it is hard to find another block with the same hash (second-preimage resistance). A further requirement in cryptography is collision resistance: it is hard to find any two inputs with the same hash.
- MD4 (Message Digest 4): produces a 128-bit message digest; very fast, but broken and no longer appropriate for security use.
- MD5: produces a 128-bit message digest; fast (not as fast as MD4) and designed by Ron Rivest as a more secure successor to MD4. It is widely deployed, but practical collision attacks against MD5 are known, so it must not be used where collision resistance matters (signatures, certificates).
- SHA-1: 160-bit message digest (the US government standard at the time this guide was written), slower than MD5. Collisions have since been demonstrated and SHA-1 is deprecated in favour of the SHA-2 family.
Symmetric Encryption Algorithms
- In symmetric cryptosystems the same key is used to encrypt and decrypt data, and in symmetric authentication schemes (message authentication codes) the same key is used to create and verify the tag. Symmetric cryptography is therefore based on the notion of a "shared secret".
- Advantages: speed, and strength per key bit. Disadvantages: key distribution is hard, and a single key shared by both parties gives no non-repudiation.
- DES (Data Encryption Standard): the most popular symmetric block cipher of past years, designed by IBM with the U.S. government; 56-bit key, 64-bit block. Now considered WEAK (the key space can be brute-forced) and slow in software.
- Triple DES (3DES) is a symmetric encryption algorithm based on repeating DES encryption. It uses 168-bit keys, treated as three independent DES keys for triple encryption (effective strength about 112 bits because of meet-in-the-middle attacks). 3DES is more secure than DES but also considerably slower.
- Blowfish is a symmetric block cipher with a variable-length key (up to 448 bits) operating on 64-bit data blocks. Blowfish was designed by Bruce Schneier and is optimized for applications where the key does not change often.
- AES (Advanced Encryption Standard): the US government standard that replaces DES. AES specifies three key sizes, 128, 192 and 256 bits, with a 128-bit block.
- IDEA is the International Data Encryption Algorithm designed by Xuejia Lai and James Massey. IDEA is a symmetric block cipher that uses 128-bit keys and operates on 64-bit data blocks. IDEA is, on average, much faster than DES and is considered quite secure.
- RC4 is a stream cipher that can use variable-length keys. It was developed in 1987 by Ron Rivest for RSA Data Security and was a proprietary algorithm until the code leaked in 1994.
Four goals of Cryptography
- Provide data Confidentiality
- Data integrity
- Identification and Authentication
- Non- repudiation
- Other facts:
- Large amounts of data use shared-secret symmetric encryption to provide confidentiality.
- Asymmetric Encryption can be used to generate a digital signature which can be attached to email to provide non-repudiation.
Asymmetric Algorithms
- Asymmetric systems and schemes use key pairs which consist of a public key and private key. The former is made public (for example, by publishing it in a directory) and the latter is kept secret. So the asymmetric cryptography does not involve shared secrets.
- Advantages: Provides a secure way to communicate; provides method of validation; non-repudiation Disadvantages: Slower than Symmetric
- RSA is the first full-fledged and most widely used public-key cryptographic algorithm designed by R. Rivest, A. Shamir, and L. Adleman. Its security is based on the factoring problem, which means that it is computationally unfeasible to factor large numbers.
- Diffie-Hellman key agreement protocol (also called exponential key agreement) was developed by Diffie and Hellman in 1976. The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. The Diffie-Hellman key exchange is vulnerable to a middleperson attack.
- Elliptic Curve cryptography: public-key systems whose security rests on the elliptic-curve discrete logarithm problem. PSEC-3 is one such scheme: it uses the elliptic curve ElGamal trapdoor function together with two hash functions and any semantically secure symmetric encryption scheme (a one-time pad or a classical block cipher). Elliptic curves reach a given security level with far shorter keys than RSA (a 256-bit curve is roughly comparable to 3072-bit RSA), which makes them efficient on constrained devices.
Digital Signatures
- Digital Signature is usually the encryption of a message or message digest with the sender's private key. To verify the digital signature, the recipient uses the sender's public key. Good digital signature scheme provides:
- authentication
- integrity
- non-repudiation
- RSA algorithm can be used to produce and verify digital signatures; another public-key signature algorithm is DSA.
PKI (Public Key Infrastructure)
- A PKI uses asymmetric key pairs and combines software, encryption and services to provide a means of protecting security of business communication and transactions.
- PKCS ( Public Key Cryptography Standards ) Put in place by RSA to ensure uniform Certificate management throughout the internet.
- A Certificate is a digital representation of information that identifies you as a relevant entity by a trusted third party ( TTP )
- A CA ( Certification Authority ) is an entity trusted by one or more users to mange certificates.
- RA ( Registration Authority ) Used to take the burden off of a CA by handling verification prior to certificates being issued. RA acts as a proxy between user and CA. RA receives request, authenticates it and forwards it to the CA.
- CPS (Certification Practice Statement) describes how the CA plans to manage the certificates it issues.
- CP ( Certificate Policy ) is a set of rules that defines how a certificate may be used.
- X.509 This is an international standard for the format and information contained in a digital certificate. X.509 is the most common type of digital certificate in the World. It is a digital document that contains a public key signed by the trusted third party which is known as a Certificate Authority, or CA.
- CRL ( Certificate Revocation List ) is a list of certificates issued by a CA that are no longer valid. CRLs are distributed in two main ways: PUSH model: CA automatically sends the CRL out a regular intervals. Pull model: The CRL is downloaded from the CA by those who want to see it to verify a certificate. End user is responsible.
- Status Checking: the idea is that the relying party checks the validity of a certificate in "real time" before accepting it as evidence for a high-value transaction. Because CRLs are issued with specific lifetimes (possibly long ones), they are not suitable for real-time status checks. The most prominent technology for this within the PKIX infrastructure is the Online Certificate Status Protocol (OCSP, RFC 2560). OCSP has two important characteristics: first, it relies on its own three-tier infrastructure (client, certificate authority, designated responder), and second, it defines a new set of message formats beyond those contained in the base PKIX standard.
PKI Trusts:
- Trusts are established between CAs by having each CA issue a certificate to the other CA (cross-certification)
- MESH (web-of-trust) trust architecture: all CAs issue certificates for all other CAs. This provides multiple trust paths that can be used for certificate validation.
- Hierarchical trusts establish a top-level CA, known as the root CA. Subordinate CAs are created below it, and certificates validate by chaining up to the root.
- Browser trust list model (sometimes called a CA list): each user, or browser, holds the public keys of all the CAs the user trusts. Different CAs can be used for different applications.
- Policy trust list model: restricts access based on the policy under which the certificate is issued.
- Bridge model: connects mesh and hierarchical models. A bridge CA only issues certificates to other CAs, never to end users.
Key and Certificate Management:
- M of N control can be used for certificate revocation: M out of N authorised entities must agree before a certificate is revoked. M of N also refers to a method of protecting a private key for recovery: the key used for recovery is split into N parts distributed to different individuals, and any M of them must be present to reconstruct it (a threshold scheme), much like the two-person rule for launching a nuclear missile.
- Key Escrow: a third party holds an additional key (on top of the public/private pair). This third key is used to encrypt the private key, which is then stored. A common key escrow entity is a CA.
- Key Life Cycle is broken into several stages: enrollment, distribution, validation, revocation, renewal, destruction and auditing.
- Multiple Key Pairs: dual-purpose, multiple key pairs exist when forged digital signatures are a concern. A dual key pair can also satisfy security and back-up requirements: one key pair is used for encryption and decryption (and may be escrowed) and the other for digital signatures and non-repudiation.
- Single Key: a single key pair used for multiple purposes undermines non-repudiation, since an escrowed or recovered decryption key could also be used to forge signatures.
Email
- S/MIME: Secure Multipurpose Internet Mail Extensions, developed by RSA Data Security. It is based on the PKCS data format for messages and the X.509v3 format for certificates. S/MIME is used to send confidential email. Symmetric encryption: 3DES, DES and RC2. S/MIME looks to the headers to determine how data encryption and digital certificates are to be handled.
- PGP/MIME: based on PGP, distributed freely. Another great way to secure email. Unlike S/MIME, individual users are responsible for exchanging their keys with each other and deciding whether they trust the public key. Both use SHA-1 for the hash. The key ring is held locally. Weakness is chosen ciphertext. Uses a combination of public and private keys.
SSL
- SSL (Secure Sockets Layer): runs above TCP and below the Application layer of the OSI model. SSL/TLS is an encryption system used by most web pages to secure ecommerce.
- SSL provides for mutual authentication using public key digital signatures such as RSA.
- SSL Server Authentication: SSL-enabled client software uses a public key to check the server's certificate and public ID against a CA.
- SSL contains two sub-protocols:
  - SSL RECORD protocol: defines the format used to transmit data.
  - SSL HANDSHAKE protocol: uses the SSL record protocol to exchange messages between SSL server and SSL client when they first establish a connection. This exchange of messages facilitates the following actions:
    - Authenticate server to client.
    - Allow server and client to select cryptographic ciphers they both support.
    - Optionally authenticate client to server.
    - Use public key encryption to generate shared secrets.
TLS
- TLS (Transport Layer Security): a transport layer protocol based on SSL. Not compatible with SSL 3.0. Unlike SSL, it IS application independent.
- An IETF-sponsored protocol intended to secure and authenticate communications across a public network through data encryption. It is designed as a successor to SSL.
- The protocol consists of two layers - a TLS Handshake Protocol and, below that, a TLS Record Protocol. The handshake protocol creates a "secret" used by the record protocol to encrypt messages. The record protocol also provides mechanisms for preventing a message from being altered.
- The overall protocol is designed to be application independent, so that application or higher-level protocol developers can choose the best way of initiating TLS handshaking and interpreting authentication certificates.
Web
- ActiveX is a Microsoft technology for downloading miniature executable programs. Vulnerabilities: ActiveX has full access to a user's hard drive and runs with the rights and privileges of the person currently logged in. ActiveX relies on digital signing to verify that trusted components are safe to run.
- JavaScript: created by Netscape. Allows executable content to be embedded in web pages. Vulnerabilities include malicious code, reading information on the hard drive, retrieving data, etc.
- JAVA: object-oriented, platform-independent programming language created by Sun. JAVA provides small programs called applets. Requires a JAVA virtual machine to run. JAVA runs in a special area called a sandbox, which restricts the program from moving to other areas of the computer. Hackers can bypass the sandbox routine.
- CGI (Common Gateway Interface): a means of executing an external script by sending the web server a URL request for a program to start. Every time a new CGI script is executed, a new process is started. This can slow the server. CGI is prone to bugs. Scripts that utilize user input can be used against the client machine.
IPSEC / IKE / ISAKMP
- IPSEC (IP Security): IPSEC has two modes: 1) Transport mode, where only the payload is encrypted; 2) Tunnel mode, where both the data and the IP headers are encrypted.
- IPSEC is comprised of two different protocols: AH and ESP.
- AH (Authentication Header): responsible for authenticity and integrity. Authenticates packets by signing them.
- ESP (Encapsulating Security Payload): handles the payload.
- IKE (Internet Key Exchange): used to authenticate the two ends of a secure tunnel by providing a secure exchange of a shared key before IPSEC transmissions begin.
- ISAKMP (Internet Security Association and Key Management Protocol): a framework for establishing, negotiating, modifying and deleting security associations between two parties.
- A Security Association can be established manually or through ISAKMP.
VPN / Tunnel
- There are two types of VPN:
  - Site to Site
  - Remote Access
- Tunneling requires 3 protocols:
  - Carrier protocol, like IP
  - Encapsulating protocol: PPTP, L2TP
  - Passenger protocol: the data that is being tunneled