Category: Security Basics

Networking Basics – OSI Model

I would like to write some posts on Networking Basics. One of the first things someone should try to understand is the OSI model. It is used as a common reference for different technologies in security and in networking; you might have heard someone say "It's a layer 3 issue" or "That is at layer 2". What they are referring to is the OSI model and its layers. The OSI model has a total of 7 layers, as shown below.

[Figure: the seven layers of the OSI model]

Different protocols and networking devices work at a particular layer of the OSI model. For example, a router is a layer 3 device, while TCP is a transport-layer protocol, which is layer 4. The OSI model was developed so that a network device from vendor A would work with a device from vendor B; without a shared reference model each vendor would go off and use its own protocols and rules, and there would be interoperability problems.

Let us start at layer 7, the Application layer, and work our way down the OSI model. Going down the layers is known as encapsulation: each layer wraps the data handed to it by the layer above and adds its own header (the data link layer also adds a trailer) before passing it further down. The opposite happens when data is received: each header is stripped off and the data is decapsulated as it is passed up the layers. Note that you can't skip any of the layers; all 7 are used on the way down and on the way up.

Application Layer (7)

The application layer is made up of application protocols such as HTTP, DNS, SSH and FTP. The "application" here isn't the browser itself; it is the layer 7 protocol that the browser uses, for example HTTP or HTTPS.

Presentation Layer (6)

The presentation layer makes sure that the data being passed up to the application layer is in a format the application can read correctly (character encoding, for example). In the OSI model it also handles encryption and data compression.

Session Layer (5)

The session layer sets up, maintains and tears down sessions between applications and keeps the different sessions apart. Think of a web server and all the clients accessing it: the server has to keep track of each session and which client it belongs to.

Transport Layer (4)

The transport layer carries traffic between applications on two devices. There are two main protocols at the transport layer, TCP and UDP. TCP, the Transmission Control Protocol, delivers traffic reliably: if a segment is lost along the way it is retransmitted, so nothing is missing when the data is reassembled at the receiver. UDP, the User Datagram Protocol, is unreliable (best effort) and is used a lot with real-time applications such as voice or streaming video; if a packet is lost in transmission that can be tolerated, because a retransmitted copy would arrive too late to be useful anyway.

Network Layer (3)

The network layer is where IP addressing lives, in both its IPv4 and IPv6 versions. A router is called a layer 3 device, and its job is to route packets between different networks. It learns where to send them from routing protocols such as RIP, OSPF or BGP, or from static routes you add by hand. Static routes are fine in very small networks, but in large networks they don't scale well at all, which is where routing protocols are mostly used.

Data Link Layer (2)

The data link layer delivers frames to the correct device on the local network. Each device in an Ethernet network has a unique MAC address, and frames are addressed to it. A switch is a layer 2 device; it connects hundreds of PCs, laptops, printers and so on to a network, and its job is to deliver each frame to the right end device. It does this by building a MAC address table that maps each MAC address to the physical port the end device is attached to.

Physical Layer (1)

The physical layer puts the traffic from the upper layers onto the wire, i.e. the cable (or fibre or radio link), as signals heading towards the destination.

Let us take an example of this process from start to finish, where a client (PC) requests a web page from a web server.

  1. The user on the PC opens a web browser, types in their favourite URL, such as http://www.cybersecuritylabs.net, and hits enter. The web browser uses the HTTP protocol at layer 7 to request this page from the web server.
  2. The presentation layer makes sure the request is in the correct format.
  3. The session layer keeps this session from the client separate from the others.
  4. At the transport layer, depending on the application in use, either TCP or UDP is used. In this case it will be TCP, because you want a reliable connection between the client and the server so that all data is delivered and nothing is missing; otherwise the web page could arrive with pieces of data missing and look odd and hard to understand. It is the application in use that tells the transport layer which protocol to use, TCP or UDP.
  5. This is where IP packets are built. At the network layer my IP address is the source address of the request, and the destination address is the web server's address. To get the server's address, DNS is used to look up the name www.cybersecuritylabs.net and return its IP address. DNS makes it easier for us humans to navigate the web; remembering IP addresses would be much harder than remembering names.
  6. At the data link layer, Ethernet is used in most networks today, and each device in an Ethernet network has a unique MAC address. A layer 2 frame is built here with my MAC address as the source. The destination MAC address is not necessarily the web server's: if the server is on another network (as it will be for a site on the internet), the frame is addressed to my default gateway's MAC address, which the PC learns with ARP, and each router along the path rewrites the layer 2 addresses for the next hop. Only when the server is on my local network is its own MAC address used as the destination.
  7. Finally, the frame is converted to bits and placed on the wire to be delivered towards its destination.
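To make the encapsulation in steps 1 to 7 concrete, here is an added example (not from the original post) that builds the HTTP request from the walkthrough into a TCP segment, an IPv4 packet and an Ethernet frame using raw struct packing, then strips the headers off again on the receiving side. The MAC addresses, IP addresses and port numbers are constructed for illustration; the destination MAC is the default gateway's, as it would be for a remote server. The TCP checksum is left at zero and the Ethernet FCS trailer is omitted to keep the example short; a real stack fills both in.

```python
import struct

# Constructed addresses and ports for the walkthrough (not from the original post).
SRC_MAC = "00:11:22:33:44:55"          # the PC
GATEWAY_MAC = "aa:bb:cc:dd:ee:ff"      # default gateway: the frame's destination when the server is remote
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.80"               # the web server
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used in the IPv4 header; evaluates to 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Layer 4: 20-byte TCP header (PSH+ACK, no options) in front of the HTTP request.
    The TCP checksum is left at 0 here; a real stack computes it over an IP pseudo-header."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return header + payload


def build_ipv4(segment: bytes) -> bytes:
    """Layer 3: IPv4 header carrying source/destination IP, with the header checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0, ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    checksum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def build_ethernet(packet: bytes) -> bytes:
    """Layer 2: destination MAC (gateway), source MAC, EtherType. The FCS trailer is omitted."""
    return mac_to_bytes(GATEWAY_MAC) + mac_to_bytes(SRC_MAC) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def encapsulate(http_request: bytes) -> bytes:
    """Layer 7 data wrapped by layers 4, 3 and 2 in turn: the bytes that go on the wire."""
    return build_ethernet(build_ipv4(build_tcp(49152, 80, http_request)))


def decapsulate(frame: bytes) -> dict:
    """Walk back up the layers on the receiving side, stripping one header at a time."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_length = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_length]
    data_offset = (segment[12] >> 4) * 4               # TCP header length in bytes
    return {
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "ip_checksum_ok": ones_complement_checksum(packet[:ihl]) == 0,
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "protocol": packet[9],
        "src_port": struct.unpack("!H", segment[:2])[0],
        "dst_port": struct.unpack("!H", segment[2:4])[0],
        "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: www.cybersecuritylabs.net\r\n\r\n"
    frame = encapsulate(request)
    print(len(frame), "bytes on the wire:", frame.hex())
    for key, value in decapsulate(frame).items():
        print(key, value)
```

Each build_* function corresponds to one step of the list above, and decapsulate does the reverse walk the web server's stack performs. Flipping any byte of the IPv4 header makes ip_checksum_ok false, which is the layer 3 integrity check that every router on the path repeats.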

Any questions please leave a comment.

Layer 2 Best Practices

[Figure: lab topology with the switches, R1, PC1 and the Kali Linux machine]

I am currently working on Layer 2 best practices. To help reinforce this I am using the lab setup above. I'll mainly be working on the switches you see in the topology, although I might call in the Kali Linux machine and run some attacks against the switches after I have configured some of the security features, to demonstrate how they work.

To get started, let's see what the current state of the interfaces is: are they access ports or trunk ports, and what VLAN are they in? To do this, use the command:

show interfaces status

[Screenshot: output of show interfaces status]

We can see that port Gi0/0 is a trunk port; this is the port connected to R1. Gi0/1 is an access port in VLAN 10; this is the port connected to PC1. Ports Gi3/2 and Gi3/3 are trunk ports connected to SW2.

Locking Down Ports

In the printout below I move ports Gi0/2 and Gi0/3 into VLAN 100 using the interface range command. This VLAN is used as a placeholder (a "parking" VLAN) for ports that haven't been assigned to a particular VLAN yet. I've also configured the ports as access ports and disabled negotiation, which turns off DTP. To finish off, I've 'shutdown' the ports instead of leaving them up.

[Screenshot: configuration of the unused ports Gi0/2 and Gi0/3]

Run 'show interfaces status' again:

[Screenshot: show interfaces status after the change]

As you can see, ports (interfaces) Gi0/2 and Gi0/3 are now members of VLAN 100 and are disabled, i.e. shut down. You would repeat this for all other unused ports on the switch to secure it. When a port is needed, you go into the interface, configure the VLAN it belongs to and do a 'no shut' to bring the port back up. Or you could change it over to a trunk port using the following commands:

[Screenshot: trunk port configuration]

Above shows how to configure a port (interface) as a trunk port. You first need to tell the port which encapsulation to use: dot1q, isl (Cisco proprietary) or negotiate. I selected dot1q. I then configured the port as a trunk and told it to use native VLAN 99 rather than the default of VLAN 1. Although not shown here, you would also disable DTP on the port with the 'switchport nonegotiate' command.

So why disable DTP? If someone wanted to gain access to your network they could plug their laptop into a switchport or a wall jack and run software that speaks DTP and negotiates a trunk, tricking the switch into thinking it is connected to another switch. The attacker would then have access to every VLAN carried on that trunk and could sniff the traffic to see what was on the network. Note that DTP only negotiates on ports whose mode is dynamic (the default on Catalyst switches is dynamic auto or dynamic desirable, depending on the platform), so the fix is two parts: set a static mode ('switchport mode access' or 'switchport mode trunk') and disable DTP frames with 'switchport nonegotiate'.
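The checks described in this section (unused ports parked in VLAN 100 and shut, a static switchport mode with DTP disabled, and trunks with a non-default native VLAN) are easy to lose track of across a switch with hundreds of ports. The following is an added example, not from the original post, of a small Python audit that parses a `show running-config` excerpt and flags interfaces that miss those settings. The configuration text is constructed for the example; the interface names follow the post's topology but the lines on each port are assumed, and the "parking VLAN" number 100 is taken from the post.

```python
# Constructed `show running-config` excerpt (not the post's lab output). Interface names
# follow the post's topology; the configuration lines are assumed for illustration.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 description Trunk to R1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/1
 description PC1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet0/3
!
interface GigabitEthernet3/2
 description Trunk to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/3
 description Trunk to SW2
 switchport mode dynamic desirable
!
"""

PARKING_VLAN = 100   # placeholder VLAN for unused ports, as in the post


def parse_interfaces(config_text: str) -> dict:
    """Return {interface name: [its indented config lines]} from running-config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None                      # '!' closes the stanza
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
    return interfaces


def audit_interface(lines: list) -> list:
    """Findings for one switchport, following the rules described in the post."""
    findings = []
    if "shutdown" in lines:
        return findings                         # a shut port is the desired state for unused ports
    if not lines:
        return ["unconfigured port left up: park in VLAN %d, mode access, nonegotiate, shutdown" % PARKING_VLAN]
    mode = next((l[len("switchport mode "):] for l in lines if l.startswith("switchport mode ")), None)
    access_vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), None)
    if access_vlan == str(PARKING_VLAN):
        findings.append("port in parking VLAN %d is not shut down" % PARKING_VLAN)
    if mode is None or mode.startswith("dynamic"):
        # no static mode (or an explicit dynamic one): DTP can negotiate a trunk with an attacker
        findings.append("DTP can negotiate a trunk: set 'switchport mode access' or 'trunk' and 'switchport nonegotiate'")
    elif "switchport nonegotiate" not in lines:
        findings.append("DTP not disabled: add 'switchport nonegotiate'")
    if mode == "trunk" and not any(l.startswith("switchport trunk native vlan ") for l in lines):
        findings.append("trunk uses default native VLAN 1: set an unused native VLAN (the post uses 99)")
    return findings


def audit(config_text: str) -> dict:
    """Map every interface in the config to its list of findings (empty list = compliant)."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RUNNING_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Feed it the real `show running-config` output captured from the switch and it lists the ports still needing attention; Gi0/3 and Gi3/2 in the constructed sample are the ones this post would have you fix next.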

In my next couple of posts, I’ll be covering port security, BPDU Guard, Root Guard, DHCP snooping, and access lists and showing how to configure them and run some attacks against them.


1.1a CIA

No, not that CIA! The CIA related to the security industry stands for Confidentiality, Integrity and Availability; together these form the security triad.

Confidentiality

Confidentiality means that only authorized personnel can access the data; unauthorized personnel cannot read it. You can provide confidentiality with encryption, for example AES (the Advanced Encryption Standard).

Integrity

When you receive data, you want to be sure that what you are receiving is the original piece of data, such as a file. One way to check integrity is with a hashing algorithm. If I send you a file over the internet I cannot guarantee that it wasn't intercepted along the way and changed by someone else. However, if I compute a hash of the file before sending it and give you the hash, you can run the same hash function over the file when it arrives; if the two match, the file hasn't been changed along the way. Two caveats apply. First, this only works if the hash reaches you over a channel the attacker cannot alter: if I email the hash alongside the file and the attacker can modify both, they simply replace the hash with one for their modified file. To protect against that you need a keyed hash (an HMAC with a shared secret) or a digital signature. Second, MD5 and SHA-1 are often quoted here, but both are no longer collision resistant, so SHA-256 or another SHA-2 or SHA-3 function should be used.
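Here is an added example (not from the original post) that runs the file-transfer scenario above with Python's standard hashlib and hmac modules. It shows the plain hash catching tampering when the hash arrived out of band, the same plain hash failing to catch it when the attacker replaced the hash too, and an HMAC catching it either way. The file contents and shared key are constructed for the example, and the key is assumed to have been agreed over a channel the attacker cannot read or alter.

```python
import hashlib
import hmac

# Constructed sample file contents and key (not from the original post).
SAMPLE_FILE = b"invoice 2024-03\nrecipient: ACME Ltd\ntotal: 100 EUR\n"
# Assumption: the key was agreed out of band, over a channel the attacker cannot read or alter.
SHARED_KEY = b"example-shared-secret-not-for-production"


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Plain hash of the data, as in the post's example, but defaulting to SHA-256 rather than MD5."""
    return hashlib.new(algorithm, data).hexdigest()


def file_mac(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    # constant-time comparison so the check does not leak where the strings first differ
    return hmac.compare_digest(file_digest(data, algorithm), expected_hex)


def verify_mac(data: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(file_mac(data, key), expected_hex)


def intercept_and_tamper(data: bytes) -> tuple:
    """Simulated attacker on the path: alters the file and recomputes the plain hash.
    Returns (tampered_file, replacement_digest), i.e. what the receiver would get if the
    hash travelled in the same email as the file."""
    tampered = data.replace(b"total: 100 EUR", b"total: 900 EUR")
    return tampered, file_digest(tampered)


def run_scenarios() -> dict:
    """Run the sender / attacker / receiver exchange and report what each check accepts."""
    sent_digest = file_digest(SAMPLE_FILE)
    sent_mac = file_mac(SAMPLE_FILE, SHARED_KEY)
    tampered, forged_digest = intercept_and_tamper(SAMPLE_FILE)
    return {
        # receiver compares against a hash published where the attacker cannot alter it
        "plain_hash_out_of_band": verify_digest(tampered, sent_digest),
        # receiver compares against the hash that travelled with the file (attacker replaced it)
        "plain_hash_same_channel": verify_digest(tampered, forged_digest),
        # HMAC: the attacker cannot recompute the tag without the key
        "hmac_tampered": verify_mac(tampered, SHARED_KEY, sent_mac),
        "hmac_untampered": verify_mac(SAMPLE_FILE, SHARED_KEY, sent_mac),
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario}: {'accepted' if accepted else 'REJECTED'}")
```

The "plain_hash_same_channel" case is the one to remember: a hash that can be replaced by the same attacker who replaces the file proves nothing, which is why download sites sign their checksum files and why protocols use an HMAC or a signature rather than a bare digest.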

Availability

It is important to make sure your data is available when needed. Companies do this by having a second (backup) web server ready to take over if the primary web server goes down or is taken down by an attacker. The same applies to power, off-site backups and cooling systems.