Tuesday, February 28, 2012

Protocol IDs for Security+ and SSCP Exams

If you're preparing for the Security+ or SSCP exams, you'll need to know a few of the protocol IDs used by TCP/IP. The protocol ID is a number in the IP header (the Protocol field in IPv4; IPv6 carries the same values in its Next Header field) that identifies the protocol carried in the packet's payload. It is how routers and firewalls identify protocols such as ICMP that run directly on top of IP and therefore have no port numbers at all.

I recently wrote a blog titled Ports for Network+, Security+, and SSCP Exams which covered the relevant port numbers for these exams. Both port numbers and protocol IDs are used by devices such as routers and firewalls to identify protocols, but they are different numbers in different headers: the protocol ID is in the IP header, while port numbers are in the TCP or UDP header that follows it. For example, Hypertext Transfer Protocol (HTTP) uses TCP port 80, so a router sees an HTTP packet as protocol ID 6 (TCP) with destination port 80; it is not accurate to say that HTTP uses protocol ID 80. In fact, there isn't a protocol ID that identifies HTTP.

Practice Test Question

Test your knowledge of protocol IDs with this question. This is an example that you may see on the SSCP exam.

Q. You want to block DoS attacks using ping at a firewall. What would you do?

A. Block port 1 at the firewall

B. Block protocol ID 1 at the firewall

C. Block port 6 at the firewall

D. Block protocol ID 6 at the firewall

Answer at end of blog

Protocol IDs

The following table identifies some of the commonly used protocol IDs that you may be tested on.
Protocol                                                                Protocol ID
ICMP - Internet Control Message Protocol                                1
IGMP - Internet Group Management Protocol                               2
TCP - Transmission Control Protocol                                     6
UDP - User Datagram Protocol                                            17
IPsec ESP - Internet Protocol security Encapsulating Security Payload   50
IPsec AH - Internet Protocol security Authentication Header             51
You are more likely to be tested on the protocol IDs in the SSCP exam. If you do see this content on the Security+ exam, it will probably only focus on IPsec ESP or IPsec AH. If you want to see a full listing of protocol ID numbers, check out this list on Internet Assigned Numbers Authority (IANA).
Pass the Security+ exam the first time you take it:
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide
Routers and firewalls use access control lists (ACLs) to filter traffic. They can filter traffic based on IP addresses, network IDs, ports, and protocol IDs. Port-based rules match the well-known ports mapped to specific protocols. For example, you can block or allow outgoing email by closing or opening TCP port 25, the well-known port for Simple Mail Transfer Protocol (SMTP). Similarly, you can block ICMP traffic (used by ping) by blocking any traffic using protocol ID 1. Keep in mind that an ACL entry can only match what is actually in the packet: ICMP carries no port numbers, so a port-based rule never matches it, and a rule on protocol ID 6 matches every TCP segment regardless of which port it is headed for.
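To make the difference concrete, here is an added Python example (not code from the original post, and not any vendor's ACL implementation) that builds a few packets, reads the protocol ID from byte 9 of the IPv4 header and the ports from the TCP or UDP header that follows it, and evaluates each packet against a first-match ACL. It shows why the practice question's answer is protocol ID 1: the ICMP packet carries no port at all, so a "block port 1" rule never matches it, while a "block protocol ID 6" rule drops every TCP segment and leaves ping alone. The packets, addresses and the dictionary rule format are constructed for this example, and checksums are left at zero because no real stack consumes these bytes.

```python
"""Protocol ID versus port number in a packet filter (constructed example)."""
import struct


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.7"):
    """Minimal 20-byte IPv4 header (no options, checksum left at 0) + payload.
    The protocol ID is byte 9 of the header: 1 = ICMP, 6 = TCP, 17 = UDP."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         _ip(src), _ip(dst))
    return header + payload


def tcp_segment(sport, dport, flags=0x02):
    """Minimal 20-byte TCP header; flags=0x02 is a bare SYN."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def udp_datagram(sport, dport, data=b""):
    """8-byte UDP header: source port, destination port, length, checksum."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_echo_request(ident=1, seq=1):
    """ICMP type 8 (echo request), which is what ping sends. No port fields exist."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"ping"


def parse(packet):
    """Return (proto, src, dst, sport, dport); ports are None unless proto is TCP/UDP."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport = dport = None
    if proto in (6, 17):   # TCP and UDP both begin with source port, destination port
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return proto, src, dst, sport, dport


def apply_acl(packet, acl):
    """First matching rule wins, with an implicit deny at the end as on most routers.
    Rule keys (all optional except action): proto = protocol ID, dport = destination port.
    A dport condition can only ever match TCP or UDP, because only they carry ports."""
    proto, _src, _dst, _sport, dport = parse(packet)
    for rule in acl:
        if rule.get("proto") is not None and rule["proto"] != proto:
            continue
        if rule.get("dport") is not None and rule["dport"] != dport:
            continue
        return rule["action"]
    return "deny"


# Answer B from the practice question: block ping by protocol ID (and, for
# comparison, outgoing SMTP by TCP port), permit everything else.
ACL = [
    {"action": "deny", "proto": 1},
    {"action": "deny", "proto": 6, "dport": 25},
    {"action": "permit"},
]
# Answer A: "block port 1". ICMP has no ports, so this rule can never match a ping.
PORT_ONLY_ACL = [{"action": "deny", "dport": 1}, {"action": "permit"}]
# Answer D: "block protocol ID 6". This drops every TCP segment and leaves ping alone.
BLOCK_TCP_ACL = [{"action": "deny", "proto": 6}, {"action": "permit"}]

if __name__ == "__main__":
    samples = {
        "ICMP echo request": build_ipv4(1, icmp_echo_request()),
        "TCP to port 25 (SMTP)": build_ipv4(6, tcp_segment(40000, 25)),
        "TCP to port 80 (HTTP)": build_ipv4(6, tcp_segment(40000, 80)),
        "UDP to port 53 (DNS)": build_ipv4(17, udp_datagram(40000, 53)),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} ACL={apply_acl(pkt, ACL):6s} "
              f"port-only={apply_acl(pkt, PORT_ONLY_ACL):6s} "
              f"block-tcp={apply_acl(pkt, BLOCK_TCP_ACL):6s}")
```

Real ACLs match on more fields (source and destination addresses, TCP flags such as "established"), but the principle is the same: a rule that names a port can only ever match TCP or UDP, and anything that rides directly on IP has to be matched by its protocol ID.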

Q. You want to block DoS attacks using ping at a firewall. What would you do?

A. Block port 1 at the firewall

B. Block protocol ID 1 at the firewall

C. Block port 6 at the firewall

D. Block protocol ID 6 at the firewall

Answer: B

Ping uses Internet Control Message Protocol (ICMP) and ICMP is identified with protocol ID 1. Blocking protocol ID 1 blocks all pings including a denial-of-service (DoS) attack using ping.

ICMP does not use port numbers at all, so blocking port 1 or port 6 (which could only affect TCP or UDP traffic to those ports) would not have any effect on pings.

Protocol ID 6 identifies Transmission Control Protocol (TCP), so by blocking protocol ID 6 you would block all TCP traffic (HTTP, SSH, SMTP, and so on) while leaving ping untouched.


Listening for Inspiration

The second step to achieve success with any worthwhile goal you desire is to listen for inspiration. This is part of a four-part series:
Once you’ve set your goal, you’re ready to start looking for ways to achieve it. Often, when you first set a goal, you won't know how to achieve it but once you set your sights on your goal, you can then start working towards it.

What should you do after setting your goal? Listen for inspiration on how to achieve it.

Defining Inspiration

Inspiration is the process of being motivated or stimulated to do or feel something.

It often comes in a flash as a sudden moment of clarity. Inspiration can come as a sudden idea that catapults your knowledge, giving you the means to do or accomplish something. Driving down the road, you may see a billboard in a different way and get a flash of insight. Listening to someone talking, you may suddenly gain a deeper understanding of a topic that has been elusive. You may get a sudden shift in your perception while reading a book or article.

Great speakers, such as John F. Kennedy, often inspire us. In one speech in 1962, he said “We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win.” These words inspired many people within the United States space program, and seven years later in 1969, Neil Armstrong and Buzz Aldrin landed on the moon in Apollo 11.

We are often inspired by other people’s actions. It can be as simple as seeing someone bend down to pick up a piece of paper and throw it away, and becoming inspired to do something similar, or as grand as seeing someone raise a million dollars for a worthwhile cause and deciding to do something similar.

There’s an important point to remember here. After inspiration is action. After you receive the flash, you need to do something with it.

Encouraging Inspiration

If you want to achieve a specific goal, you’ll want the inspiration to achieve it. One of the best things you can do to encourage inspiration related to your goal is to repeat it daily. Write it on a 3 x 5 card and repeat it in the morning, or before you go to bed, or whenever works best for you. However, repeat it daily. This keeps your goal at the forefront of your thoughts and helps get your mind working on receiving and recognizing inspiration when it comes.

As an example, imagine your goal is to take and pass the Security+ exam by a certain date. When you remind yourself of this daily, it will be on your mind and you’ll be more likely to think about ways to achieve your goal.

In contrast, imagine someone thought to himself on the first day of last month that he might like to get the Security+ certification. However, he did not set a goal and did not regularly remind himself of this desire. It’s very possible his mind will be occupied with thoughts that have nothing to do with the Security+ exam.

Create a List of Action Steps

One way to get going on a goal is to sit down, think about your goal, and come up with a list of at least ten things you can do to get a step closer. You’ll probably come up with five rather quickly, but stick with it until you’ve written at least ten.

If your goal is to earn the Security+ certification by a certain date, your list may start with:
  • Identify the objectives of the exam
  • Identify study resources
  • Purchase study resources
  • Read ____ pages a day
  • Spend ____ minutes daily creating notes
Once you come up with the list, prioritize the action steps. Identify what needs to be done first, second, and so on. This is very useful when you move on to the next step for success: taking action. This list tells you exactly what you need to do. You start with item 1, and when you’re done, you move on to item 2. Keep doing this until you complete the list and achieve your goal.

It’s very possible that the first list you create isn’t the best. No problem. Creating the first of anything is often the hardest but once you’ve created it, improving it is easy.

As you start working on your goal, you will likely get flashes of inspiration to add steps to your list or to do things a little differently. Excellent. Modify your list. But notice that these flashes of inspiration come because you are focused on your goal and how to achieve it.

There’s More

There are certainly many more ways to encourage inspiration. However, the two items I’ve mentioned (repeat your goal daily and create a list of action steps) are enough to get you started.

Also, I want to stress that this can work for any worthwhile goal that you believe in. Imagine Nicole has the following goal:
  • “I am earning more than $5,000 a month providing a worthwhile service to others.”
When she sets the goal, she may not have any idea what worthwhile service she could provide to others that could earn her $5,000 a month. However, there are many people in the world that are doing so, so why not Nicole? And the number doesn’t need to be $5,000. It can be any number Nicole believes is possible for her. If she sets it at $5,000 and achieves success with her goal in a year, she may choose to set a new goal with a higher number that didn’t seem so believable to her at first.

Your Turn

If you haven’t done so, I strongly encourage you to take the time to write down a goal for yourself and use this information to help you listen for inspiration. Success is within your grasp for any worthwhile goal you desire.

Coming next: Taking Action.

Saturday, February 25, 2012

Ports for Network+, Security+, and SSCP Exams

If you're planning on taking a certification exam such as CompTIA Security+, CompTIA Network+, or SSCP, you should have many of the well-known ports memorized. The objectives for the CompTIA Network+ exam list many of the protocols and their ports, spelling out exactly what you need to know. Similarly, the objectives for the CompTIA Security+ exam list several protocols with a statement to identify the ports for each. The SSCP exam objectives are very generic but do indicate that port numbers are needed.

Well-known port numbers are matched to specific protocols, and when you see the port, you should be able to identify the protocol. Sometimes you may be given the protocol and be required to identify the port. There are 1024 well-known TCP and UDP ports (numbered 0 through 1023), but you don't need to memorize them all. However, you do need to know certain ports for the CompTIA Security+, CompTIA Network+, and SSCP exams.

Logical Ports

The well-known ports are logical ports and have nothing to do with physical ports. For example, port 80 is the port used for Hypertext Transfer Protocol (HTTP) and port 443 is the port used for Hypertext Transfer Protocol Secure (HTTPS).

In contrast, a physical port on a switch or router is used to make a physical connection between devices. You can touch the physical port while the logical port is simply a number embedded in the packet.

Every packet has both a source port and a destination port along with a source IP address and a destination IP address. The IP address is used to get the packet to the destination system and when the packet is received, TCP/IP uses the port information to determine how to handle the packet. This blog on Understanding Ports for Security+ describes the process of how logical ports are used in more detail.

TCP and UDP

Each of these logical ports is technically identified as either a Transmission Control Protocol (TCP) port or a User Datagram Protocol (UDP) port, depending on which transport protocol carries it. For example, HTTP can use either UDP port 80 or TCP port 80. It almost always uses TCP for guaranteed delivery, but both TCP port 80 and UDP port 80 are reserved for HTTP.

Some protocols use only the UDP port. For example, Trivial File Transfer Protocol (TFTP) uses UDP port 69 but not TCP port 69.

As you advance in the IT field, you'll find that you need to know whether a protocol is using a TCP port or a UDP port. However for these exams, this depth of knowledge is rarely needed. Instead, you should focus on memorizing the port number. If you want to know specifically which transport protocol is used for any protocol, check out Wikipedia's list of TCP and UDP port numbers.

Interestingly, the Internet Assigned Numbers Authority (IANA) previously identified which transport protocol was used for each port in its Service Name and Transport Protocol Port Number Registry. However, it seems to have defaulted to simply listing both TCP and UDP for each port. For example, Telnet (defined in RFC 854) only uses TCP port 23, not UDP. However, IANA's port number registry lists both TCP and UDP for Telnet.

Network+ Ports

When preparing for the Network+ exam, you should know these ports.
Protocol                                                          Port
FTP - File Transfer Protocol                                      20, 21
SSH - Secure Shell                                                22
Telnet                                                            23
SMTP - Simple Mail Transfer Protocol                              25
DNS - Domain Name System                                          53
DHCP - Dynamic Host Configuration Protocol                        67, 68
TFTP - Trivial File Transfer Protocol                             69
HTTP - Hypertext Transfer Protocol                                80
POP3 - Post Office Protocol version 3                             110
NTP - Network Time Protocol                                       123
IMAP4 - Internet Message Access Protocol version 4                143
SNMP - Simple Network Management Protocol                         161
HTTPS - Hypertext Transfer Protocol Secure                        443
SSL VPN - Secure Sockets Layer virtual private network            443
IPsec - Internet Protocol security (through the use of ISAKMP - Internet Security Association and Key Management Protocol)  500
RDP - Remote Desktop Protocol                                     3389
When you know the ports and understand the protocols, questions are much easier to answer. For example, consider this practice test question that could be in a Network+, Security+, or SSCP exam:

Q. What port do you need to close to block outgoing email?

A. Port 22

B. Port 25

C. Port 110

D. Port 443

Answer at the end of the blog.

Security+ Ports

When preparing for the Security+ exam, you should know these ports.
Protocol                                                          Port
FTP - File Transfer Protocol                                      20, 21
SSH - Secure Shell                                                22
SFTP - Secure File Transfer Protocol (uses SSH)                   22
SCP - Secure Copy (uses SSH)                                      22
Telnet                                                            23
SMTP - Simple Mail Transfer Protocol                              25
TACACS - Terminal Access Controller Access-Control System         49
DNS - Domain Name System                                          53
DHCP - Dynamic Host Configuration Protocol                        67, 68
TFTP - Trivial File Transfer Protocol                             69
HTTP - Hypertext Transfer Protocol                                80
Kerberos                                                          88
POP3 - Post Office Protocol version 3                             110
NNTP - Network News Transfer Protocol                             119
IMAP4 - Internet Message Access Protocol version 4                143
SNMP - Simple Network Management Protocol                         161
SNMP Trap - Simple Network Management Protocol Trap               162
LDAP - Lightweight Directory Access Protocol                      389
HTTPS - Hypertext Transfer Protocol Secure                        443
SSL VPN - Secure Sockets Layer virtual private network            443
ISAKMP (VPN) - Internet Security Association and Key Management Protocol (virtual private network)  500
Syslog                                                            514
L2TP - Layer 2 Tunneling Protocol                                 1701
PPTP - Point-to-Point Tunneling Protocol                          1723
RDP - Remote Desktop Protocol                                     3389

SSCP Ports

The list of SSCP ports is a little easier for me to create. It's simply all of the ports listed in the previous two tables. The (ISC)2 objectives do not list specific ports that you need to know but instead include the words "Commonly Used Ports and Protocols". Theoretically, they can ask you about any of the ports, but you're unlikely to see anything other than what is listed here. If you do, please let me know.

Practice Test Question Answer

Q. What port do you need to close to block outgoing email?

A. Port 22

B. Port 25

C. Port 110

D. Port 443

Answer: B

Port 25 is used for SMTP and SMTP is used for outgoing email.

Port 22 is used for SSH, SFTP, and SCP but not for email.

Port 110 is used for POP3 but POP3 is only used for incoming email, not outgoing email.

Port 443 is used for HTTPS, not email.

Saturday, February 18, 2012

Setting Goals for Success

The first of three simple steps to achieve success with any worthwhile goal you desire is to set a goal. This is part of a four-part series:
Goals. There’s no telling what you can do when you get inspired by them. There’s no telling what you can do when you believe in them. And there’s no telling what will happen when you act upon them.
- Jim Rohn

Goals Matter

I’ve taught many courses over the years. In one University course, students were given enough information that they could take and pass a technical certification exam. I stressed to students each time I taught the course that it was achievable, but they needed to take it shortly after class ended.

Often, I was disappointed to learn that as many as 90 percent of the students simply didn’t take it. When I asked what prevented them from taking the exam, they gave me a whole range of reasons but nothing that was insurmountable.

At some point, I changed my approach. On the first night of the course, I told the students the date when the course ended. After explaining they could successfully pass the exam shortly after the course ended, I asked them to pick a date when they thought they’d have time to take it. Then, as a class, we all went to the registration center in the University and I helped them register to take the exam on the date they picked.

They were able to change the date if they had to, but now they had a real, concrete goal.

Interestingly, the numbers flipped. Instead of only about 10 percent of the students taking and passing the exam, it changed to about 90 percent. People had the date in mind and they made a solid commitment to achieve it.

I used the same procedure for about a year and the results were consistent - about 90 percent of the students that completed the course, also took and passed the exam.

Unfortunately, people in the registration center started complaining about me flooding them with 15 to 20 people on my first night of this class. The University told me I had to stop and students had to register individually on their own. Despite teaching the exact same course and providing a lot of encouragement for the students to register on their own, the number of people taking and passing the exam shortly after the course ended went back down to about 10 percent.

Admittedly, I helped this process along. I encouraged them to set a date and helped them register which solidified their chosen date as a goal.

However, anyone could set a date and register on their own. And actually about 10 percent of the students did so without my help. I still taught the same course and gave the same level of knowledge needed to take and pass the exam. The only difference was when all of the students wrote a date down and registered for the exam, it resulted in 90 percent of the class taking and passing the exam instead of 10 percent.

Try It With an Exam

If you're studying for an exam, try this. Write down a simple goal statement identifying the exam you'll pass and the date. For example, if you're studying for Security+, identify a date within 45 days from today and write down something like this:

I am so happy that I have taken and passed the Security+ exam by _____(the date you set).

Feel free to substitute any other word for "happy" that will express how you'll feel once you've passed.

More Than Just Exams

It's easy to think that this only applies to taking and passing certification exams. It is actually much more. The truth is that when you take the time to set a goal and write it down, you are much more likely to achieve it.

You can do anything you truly desire if your intentions are clear and focused. Anything. The first step is declaring your intention by setting a goal. If you set goals, you’ll have a clear idea of where you want to go and what you want to achieve. On the other hand, if you never identify where you want to go, well, who knows where you’ll end up.

Maybe you want to earn a six figure income in a job you love providing a service to others. Set a goal. Maybe you want to write a book that will be enjoyed by millions. Set a goal. Maybe you want to... Well you get the idea. Just make sure it is a worthwhile goal and is something you desire.

Create Well-Formed Goals

You give yourself the best chance for success if you use well-formed goals. I'll write more about well-formed goals sometime later, but here are some basics.
  • State what you want. Use positive words identifying what you want, not negative words indicating what you don’t want.
  • Set measurable goals. Your goal needs to be specific enough so that you’ll know when you’ve achieved it.
  • Set believable goals. If you believe in the possibility of achieving your goal, you will put in the time and energy required to achieve it.
  • Write your goals down. The process of writing your goals down helps you to focus and ensure they are clear. They are also easier to remember and measure.

You Don't Need to Know How

One last thing. You don't need to know how you'll achieve a goal to set it. As long as you set a worthwhile goal and it's something that you desire, you'll figure out how. As a simple example, suppose Bob decides he wants to earn the CompTIA A+ certification. He won't necessarily know how to do so. However, once he decides it's something he wants to achieve, and starts focusing on the goal, ideas to achieve his goal will start to come.

In the next article in this series I'll talk about listening for inspiration. After setting a goal, ideas to achieve it will start popping into your head. As ideas come, you need to take action. After taking some action, more inspirational ideas will come.

Wednesday, February 8, 2012

Intrusion Detection Systems and Intrusion Prevention Systems

If you're studying for one of the security certifications like CISSP, SSCP, or Security+ you'll come across intrusion detection systems and intrusion prevention systems. An intrusion detection system can detect and alert on potential intrusions, and an intrusion prevention system goes a step further and can block an attack. There's a lot of depth to these topics and if you want to take a deep dive into the topics, check out NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS). This blog outlines the basics.

Host-based and Network-based

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are either host-based (HIDS or HIPS) or network-based (NIDS or NIPS).
  • Host-based. A host-based system is installed on a single computer such as a workstation or server. Its goal is to protect local resources on the host and it can detect attacks or intrusions on this system, but it cannot detect attacks on other systems.
  • Network-based. A network-based system monitors network activity and will include multiple sensors installed on network devices such as routers and firewalls. These sensors report activity back to a central monitoring console. It can detect network-based attacks, but it cannot detect anomalies on individual systems.


Detection Methods

IDSs and IPSs primarily detect intrusions using one of two methods: knowledge-based (also called signature-based) or behavior-based (also called anomaly-based).
  • Knowledge-based. This uses a database of known attack patterns and is similar to the signature file used to detect different types of viruses. It is also called signature-based and definition-based. The key is that the intrusion is using a known method that can be recognized. It's important to keep antivirus definitions up-to-date to detect emerging threats. Likewise, it's important to keep a knowledge-based IDPS signature file up-to-date.
  • Anomaly-based. Anomaly-based detection starts by creating a baseline of normal behavior. This baseline can take days or even weeks to create and is often called a training period. After the baseline is created, it then monitors activity and can report when activity varies from the baseline. For example, if network bandwidth usage is typically at 50 percent utilization for a specific connection, but increases to 95 percent sustained utilization, it indicates a change from the norm or an anomaly and will raise an alert. If the environment is updated or changed, the baseline needs to be updated.
Another method is known as stateful protocol analysis (also called deep packet inspection). In this method, traffic is examined for suspicious activity based on the protocol. For example, a typical File Transfer Protocol (FTP) session follows a predictable pattern where a user authenticates and then begins issuing commands. However, if the session deviates from the pattern, perhaps with the user issuing commands without authenticating, it may indicate an attack.
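As an added example (not code from the original post, and not taken from NIST SP 800-94), here is a small stateful protocol analyzer for an FTP control channel in Python. It tracks the login state from the client's commands and the server's reply codes, flags any command that does not belong in the current state (such as RETR before login, the case the text describes), and, as a second stateful check, counts failed PASS attempts. The per-state command sets are this example's own simplification of RFC 959, the two sample sessions are constructed for illustration, and the failure threshold of 3 is an assumed policy value rather than a standard.

```python
"""Stateful protocol analysis of an FTP control channel (constructed example)."""

# Commands a client may legitimately send in each state of the control channel.
# Simplified from RFC 959 for this example; a real profile covers every command.
ALLOWED = {
    "NEED_USER": {"USER", "QUIT", "NOOP", "FEAT", "AUTH"},
    "NEED_PASS": {"PASS", "USER", "QUIT", "NOOP"},
    "LOGGED_IN": {"USER", "QUIT", "NOOP", "SYST", "PWD", "CWD", "TYPE", "PASV",
                  "PORT", "LIST", "NLST", "SIZE", "RETR", "STOR", "DELE"},
}
MAX_FAILED_LOGINS = 3   # assumed policy value for this example


def analyze_ftp_session(lines):
    """Walk one session's lines in order, tracking state from both sides.

    `lines` is a list of ("C", client_command) / ("S", server_reply) pairs.
    Returns a list of alert strings for commands that do not fit the current
    state and for repeated login failures.
    """
    state = "NEED_USER"
    last_cmd = None
    failures = 0
    alerts = []
    for n, (who, text) in enumerate(lines, 1):
        if who == "C":
            cmd = text.split(" ", 1)[0].upper()
            if cmd not in ALLOWED[state]:
                alerts.append(f"line {n}: {cmd!r} while {state}")
            if cmd == "USER":
                state = "NEED_PASS"          # server now expects PASS
            last_cmd = cmd
        else:
            code = text[:3]                  # FTP replies start with a 3-digit code
            if code == "230":                # login successful
                state = "LOGGED_IN"
            elif code == "530":              # not logged in / login incorrect
                state = "NEED_USER"
                if last_cmd == "PASS":       # only count real password rejections
                    failures += 1
                    if failures == MAX_FAILED_LOGINS:
                        alerts.append(f"line {n}: {failures} failed logins "
                                      "(possible brute force)")
            elif code == "221":              # session closed by server
                state = "NEED_USER"
    return alerts


# Constructed sessions, not captured traffic.
NORMAL_SESSION = [
    ("C", "USER bob"),
    ("S", "331 Password required for bob"),
    ("C", "PASS hunter2"),
    ("S", "230 Login successful"),
    ("C", "PWD"),
    ("S", '257 "/home/bob"'),
    ("C", "RETR report.txt"),
    ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"),
    ("C", "QUIT"),
    ("S", "221 Goodbye"),
]

SUSPICIOUS_SESSION = [
    ("C", "RETR /etc/passwd"),                     # 1: data command before any login
    ("S", "530 Please login with USER and PASS"),  # 2
    ("C", "PASS x"),                               # 3: PASS with no preceding USER
    ("S", "503 Login with USER first"),            # 4
    ("C", "USER root"),                            # 5
    ("S", "331 Password required for root"),       # 6
    ("C", "PASS toor"),                            # 7
    ("S", "530 Login incorrect"),                  # 8: failure 1
    ("C", "USER root"),                            # 9
    ("S", "331 Password required for root"),       # 10
    ("C", "PASS 123456"),                          # 11
    ("S", "530 Login incorrect"),                  # 12: failure 2
    ("C", "USER root"),                            # 13
    ("S", "331 Password required for root"),       # 14
    ("C", "PASS admin"),                           # 15
    ("S", "530 Login incorrect"),                  # 16: failure 3, alert
]

if __name__ == "__main__":
    print("normal:    ", analyze_ftp_session(NORMAL_SESSION))
    print("suspicious:", analyze_ftp_session(SUSPICIOUS_SESSION))
```

A production sensor's profile would cover every RFC 959 command and reply, the data-connection setup, and argument lengths (an oversized USER or PASS argument is a classic sign of a buffer-overflow attempt against the server), but the shape is the same: a per-session state machine driven by both sides of the conversation rather than by a pattern match on a single packet.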


Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide




False Alarms

Both knowledge-based and anomaly-based systems are susceptible to false alarms (also called false alerts and false positives). In other words, they may report an attack that isn't actually an attack. The goal of security administrators is to reduce the number of false alarms to a minimum, while also ensuring that actual attacks are reported.

Thresholds are used to set the limit between normal behavior and abnormal behavior that may indicate a potential attack. As an example, consider a TCP SYN flood attack, where an attacker sends SYN packets but never sends the final ACK that completes each three-way handshake, leaving half-open connections on the target. If this happened once in a ten-minute period, it probably isn't an attack. If it happened one thousand times within a minute, it very likely is an attack. An IDS would use some number between 1 and 1,000 as the threshold, and when that number is reached, it raises an alert.

There isn't a perfect number for any threshold, so administrators seek a balance. If it is set too high, attacks will not be detected (false negatives). If it is set too low, the IDS won't be trusted due to the high number of false alarms. Most administrators are willing to accept some false positives if it ensures they are notified when an actual attack occurs.
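The SYN flood threshold described above, as an added Python example that is not part of the original post. It tracks half-open connections (a client SYN with no completing ACK within a window) per destination rather than per source, because a flooding attacker normally spoofs source addresses, and raises one alert per target when the count reaches the threshold. The traffic is constructed, not captured: a few normal handshakes, a few abandoned handshakes from a flaky link, and a 150-packet flood. Evaluating the same traffic at two thresholds shows the trade-off the text describes: a low threshold fires on the abandoned handshakes (a false positive), while a higher one fires only on the flood.

```python
"""Half-open TCP connection threshold detector over constructed traffic."""


def build_sample_traffic():
    """Constructed packet records (time_s, src, dst, dport, flags), not a capture.
    flags: "S" = SYN from a client, "A" = that client's final ACK of the handshake."""
    server = ("10.0.0.5", 80)
    pkts = []
    # three normal clients: SYN, then the completing ACK a moment later
    for i, src in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        pkts.append((10.0 + i, src, *server, "S"))
        pkts.append((10.1 + i, src, *server, "A"))
    # four clients that send a SYN but never finish (a flaky link, not an attack)
    for i in range(4):
        pkts.append((20.0 + i, f"198.51.100.{i}", *server, "S"))
    # a SYN flood: 150 SYNs from spoofed sources inside 4.5 seconds, never completed
    for i in range(150):
        pkts.append((100.0 + i * 0.03, f"203.0.113.{i}", *server, "S"))
    return pkts


def half_open_alerts(packets, threshold, window=60.0):
    """Return [(time, (dst, dport), half_open_count)], one alert per target.

    A half-open connection is a SYN whose completing ACK has not been seen
    within `window` seconds. Counting is per destination, not per source: a
    flooding attacker spoofs sources, so per-source counts would never reach
    any threshold.
    """
    pending = {}            # (src, dst, dport) -> time the SYN arrived
    alerts, fired = [], set()
    for t, src, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        key = (src, dst, dport)
        if flags == "S":
            pending.setdefault(key, t)   # a retransmitted SYN is the same half-open
        elif flags == "A":
            pending.pop(key, None)       # handshake completed
        # forget half-opens older than the window so stale noise does not accumulate
        for stale in [k for k, t0 in pending.items() if t - t0 > window]:
            del pending[stale]
        target = (dst, dport)
        count = sum(1 for (_s, d, p) in pending if (d, p) == target)
        if count >= threshold and target not in fired:
            alerts.append((round(t, 2), target, count))
            fired.add(target)
    return alerts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for threshold in (3, 50):
        print(f"threshold {threshold:3d}: {half_open_alerts(traffic, threshold)}")
```

With the threshold at 3 the detector alerts at t=22 on the third abandoned handshake, which is exactly the false alarm an administrator would learn to ignore; at 50 it stays quiet until the flood. Picking the number from a measured baseline of half-open connections during normal hours (the anomaly-based approach) is how you find a value between those two extremes for a given network.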


Looking for quality Practice Test Questions for the SY0-301 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions




Responses

When an IDS or IPS detects a potential intrusion it can respond either passively or actively.
  • Passive. A passive response will log the event and possibly provide a notification. The notification can be an email, text message, or page sent to key personnel, or perhaps a pop-up dialog box on the system.
  • Active. An active response will include the passive capability but will also take action to block the attack. It may terminate a connection or modify the access control list (ACL) on a router or firewall to block the attack.

IDS vs IPS

Active intrusion detection systems are often called intrusion prevention systems, but this isn't always the case. The distinguishing difference is that an IPS is placed inline with the traffic. In other words, all traffic to a network passes through the IPS, giving it the ability to drop malicious traffic before it reaches the target. In contrast, an active IDS that is not inline only sees a copy of the traffic, so it can only react after the attack has started, for example by sending a TCP reset or modifying a firewall ACL.

Sunday, February 5, 2012

Security+ Audio Files Now Available

Security+ SY0-401 Audio

Learn by Listening

Supplement your Security+ SY0-401 studies with audio files you can listen to while on the go. Listen to key topics from all the chapters of the top selling CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide, or focus on just the topics you want to brush up on.
  • Learn while driving or commuting
  • Learn while exercising
  • Learn any time
Note that these audio files are not the entire book which could easily be forty hours of listening time. Instead, they focus on key information to supplement your studies.

Choose from one of two audio downloads currently available:
  • Remember This Blocks 
  • Questions and Answers 



Introduction and Remember This Blocks

  • Includes the full book introduction, and Remember This blocks from each of the 11 chapters.
  • The Remember This blocks highlight key testable information. Listening to these files will reaffirm key testable concepts.
  • 12 MP3 files zipped to about 71 MB in size.
  • Over one hour and 20 minutes of audio.
Audio files are only a few clicks away.

Buy the Remember This Audio here.




Introduction and Practice Test Questions and Answers

Includes the full book introduction, and all of the practice test questions at the end of each of the 11 chapters.
  • Each question includes a full explanation to help you understand why the correct answers are correct, and why the incorrect answers are incorrect.
  • 12 MP3 files zipped to about 175 MB in size.
  • Over three hours and 20 minutes of audio.
Audio files are only a few clicks away.


Buy the Practice Test Questions and Answers Audio here.





Audio files read directly from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide by a professional voice actor.

Free sample from chapter 8 available for a limited time from this page. This audio sample includes the Remember This blocks from chapter 8 which are key topics to know for the exam.

Three Simple Steps to Success

You can achieve success with any worthwhile goal you desire by following three simple steps. It’s true. Anything. I could call them the three secret steps to success but they really aren’t secret. They are:
  1. Set a goal
  2. Listen for inspiration
  3. Take action
This simple formula works for anything you may want to achieve. It can work to help you pass a certification exam, get into the college of your choice, get the job of your dreams, write and publish a book, fill your life with wealth and abundance, create a product, or provide a service.

Anything.

If it’s so easy, why aren’t more people doing it? That’s a great question.

I know these three steps are easy to follow. However, I also know they aren’t common knowledge. For example, there are important elements to goal setting that can help people set and achieve their goals. Unfortunately, these elements aren’t widely known, taught, or practiced. Similarly, many people don’t understand how accessible inspiration is, or even how to recognize it when it comes.

These steps also take a little bit of discipline. Success comes by taking regular action toward a worthwhile goal and it takes discipline to set a goal and take regular action toward that goal. Failure is much easier because you can simply choose not to act. However, if you’re willing to take a few steps to identify what you want and bring it into your life, success is within your reach.

How Do You Achieve Success

Many times I’m asked how I’ve achieved something. For example, someone may ask how I earned my certifications, or how have I been able to write various books. The answers can be long and varied, but there’s a simpler answer. I’ve learned the secret of succeeding at any worthwhile goal I desire by following these three steps.

I won’t say that I’ve perfected them in my life. I continue to work on self-improvement. However, these steps have helped me enjoy some personally rewarding successes, and I continue to use them in my life.

If you give these steps a try, see how they work, and start using them regularly, you’ll notice that there is a great deal of depth to the concepts. There are many underlying reasons why they work. I won’t attempt to describe the full depth of these steps within this series of articles, but I do want to give you practical steps you can start using right away for any worthwhile goal.

Worthwhile Goal

A worthwhile goal will not cause harm to you or anyone else. Often, you’ll find that a worthwhile goal not only provides benefits to you, but also benefits others. For example, you may be seeking a certification. Earning the certification will benefit you, but it will often increase your value to an employer and the knowledge you gain may help you prevent or resolve problems as an employee. Of course, the more valuable you are to an employer, the more likely you’ll be to earn more compensation for the services you provide.

Desire

When seeking success, your desire is an important element. In other words, seeking success based on someone else’s desire probably won’t get you far. However, if this is something you want to achieve, you can.

Of course, it is possible for others to motivate us to desire something and this sometimes works. For example, an employer may tell you that you have 30 days to pass a Security+ certification exam. Assuming you want to keep your job, the desire to earn this certification will be strong.

My Success

Many times I’m asked how I’ve achieved something. For example, someone may ask how I earned my certifications, or how have I been able to write various books. The answers can be long and varied, but there’s a simpler answer. I’ve learned the secret of succeeding at anything I desire by following these three steps. I won’t say that I’ve perfected them in my life. I continue to work on self-improvement. However, these steps have helped me enjoy some personally rewarding successes, and I continue to use them in my life.

I’ll follow this article up with three more blogs on the following topics.
If you’re interested, stay tuned.

“You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.”
- Marie Curie

Wednesday, February 1, 2012

DoS, Smurf, and Fraggle Attacks

Denial of service (DoS) attacks such as smurf and fraggle attacks are important to understand when studying for any security certification, including Security+, SSCP, or CISSP. Smurf and fraggle attacks are similar, but they have subtle differences.

DoS Attack

A DoS attack comes from a single entity and is intended to make a computer’s resources or services unavailable to users. DoS attacks against a server prevent the server from responding to legitimate requests from users. A distributed DoS (DDoS) attack comes from multiple attackers at the same time.

Smurf Attack

A smurf attack uses Internet Control Message Protocol (ICMP) to send a broadcast ping with a spoofed source address. It's easier to understand this by looking at one step at a time.
  • Normal ping. A regular ping sends one or more ICMP echo requests to a system, and the system responds with one or more ICMP echo replies. This provides verification that the remote system is operational. A regular ping uses unicast. In other words, the ICMP packet is addressed to one system from one system.
  • Broadcast ping. A broadcast ping is not normal. It sends the ICMP echo request to a broadcast address, delivering it to virtually all systems on the network. Each system then responds to the system that sent it, flooding that system with ICMP echo replies.
  • Spoofed source broadcast ping. The smurf attack spoofs the source address with the address of the victim, and then sends it out as a broadcast ping. Each system on the network then responds and floods the victim with echo replies.
There's an important point to remember, though. Routers do not forward directed broadcast packets by default. This was actually a change in RFC 2644, released in 1999 in direct response to smurf attacks and the use of networks as smurf amplifiers. RFC 2644 is an update to RFC 1812, which stated that a router must default to forwarding directed broadcasts. Routers today comply with RFC 2644, so smurf attacks are limited to a broadcast domain. They will not go beyond a router.

With this in mind, it would be rare to see a smurf attack. However, that doesn't mean it won't be tested.

Note: Many firewalls block ICMP packets to prevent any type of attack using ICMP. If a ping succeeds, it verifies that the system is operational. However, if a ping fails, it doesn't prove that the system is not operational. ICMP may be blocked, preventing the ping from getting through.


Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide




Fraggle Attack

Fraggle attacks are similar to smurf attacks but instead of using ICMP, they use UDP ports 7 and 19.

As described earlier, the ping command uses ICMP and is used to check whether a system is operational. Tools are available that use UDP instead of ICMP, and instead of checking whether a system is operational, they check whether the system is listening on a specific port. This is commonly done by many different types of vulnerability scanners used by both attackers and security administrators.

Chargen (character generator) is an older protocol described in RFC 864 (dated May 1983). A system listens on either TCP or UDP port 19 (known as the chargen port) for chargen requests. When a connection is established to this port, the system responds with a constant stream of characters to the original system. Typically the original system uses TCP or UDP port 7 (known as the echo port), but this isn't required. When the original system begins receiving the characters, it knows the target system is operational and closes the connection.

In a fraggle attack, a spoofed broadcast packet is sent to port 19 (the chargen port). The spoofed source address is the address of the victim. Since it is a broadcast, it goes to every system on the network. If port 19 is open and the character generator service is running on these systems, they will send a stream of characters to the victim.

Realistically, systems today will not have port 19 open or the chargen service running. Additionally, routers do not pass broadcasts, so any attack is limited to a single network. Said another way, it is very unlikely you will ever see a fraggle attack today.


Looking for quality Practice Test Questions for the SY0-301 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions




Basic Protection

In addition to ensuring that routers are configured in compliance with RFC 2644 and do not forward directed broadcasts, there are some other basic steps that protect you from these types of attacks:
  • Disable unnecessary services and protocols. If a service or protocol is not needed on a system, it should not be enabled. I cannot think of a system in use today that would need the chargen service, so it should be disabled if it is even available on the system.
  • Close unneeded ports. If a port is not needed, it should be closed on both network-based and host-based firewalls. With the port closed, all traffic to it is blocked and attacks against it are stopped.
  • Use ingress filters on firewalls. Don't allow traffic into a network that shouldn't be there. A common ingress filter on a boundary firewall (between the Internet and an internal network) blocks all traffic coming from the Internet with a spoofed private source IP address.
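As an added example (not code from the original post), here is a small Python audit that applies the three patterns discussed above to constructed packet summaries: the smurf pattern (ICMP echo request to a broadcast address), the fraggle pattern (UDP to the echo or chargen port on a broadcast address), and the boundary ingress filter that rejects Internet traffic carrying a private source address. The internal subnet 10.0.0.0/24 and the sample packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed packet summaries (not real capture data) in the shape a firewall
# log or IDS might record them.
@dataclass
class Packet:
    iface: str          # "wan" = arrives from the Internet, "lan" = internal side
    src: str
    dst: str
    proto: str          # "icmp", "udp" or "tcp"
    dport: int = 0      # destination port (0 for ICMP)
    icmp_type: int = 0  # 8 = echo request, 0 = echo reply

LAN = ipaddress.ip_network("10.0.0.0/24")   # assumed internal subnet
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AMPLIFIER_PORTS = {7, 19}   # echo and chargen, the ports a fraggle attack abuses

def is_broadcast(dst):
    a = ipaddress.ip_address(dst)
    return a == LAN.broadcast_address or str(a) == "255.255.255.255"

def classify(pkt):
    """Return the names of the rules the packet trips (empty list = allowed)."""
    hits = []
    src = ipaddress.ip_address(pkt.src)
    # Ingress filter: a packet from the Internet must never carry a private source.
    if pkt.iface == "wan" and any(src in net for net in RFC1918):
        hits.append("ingress-spoofed-private-source")
    # Smurf pattern: ICMP echo request to the subnet or limited broadcast address.
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and is_broadcast(pkt.dst):
        hits.append("smurf-broadcast-echo-request")
    # Fraggle pattern: UDP to echo/chargen on a broadcast address.
    if pkt.proto == "udp" and pkt.dport in AMPLIFIER_PORTS and is_broadcast(pkt.dst):
        hits.append("fraggle-broadcast-udp")
    elif pkt.dport in AMPLIFIER_PORTS:
        # Even unicast, echo/chargen are unnecessary services: the port stays closed.
        hits.append("unneeded-service-port")
    return hits

def audit(packets):
    """Map the index of each flagged packet to the rules it tripped."""
    return {i: classify(p) for i, p in enumerate(packets) if classify(p)}

SAMPLE = [  # constructed
    Packet("lan", "10.0.0.5", "10.0.0.7", "icmp", icmp_type=8),    # normal ping
    Packet("wan", "10.0.0.9", "10.0.0.255", "icmp", icmp_type=8),  # smurf, spoofed victim
    Packet("lan", "10.0.0.9", "10.0.0.255", "udp", dport=19),      # fraggle
    Packet("wan", "203.0.113.5", "10.0.0.7", "tcp", dport=80),     # legitimate web
    Packet("wan", "203.0.113.5", "10.0.0.7", "udp", dport=19),     # unicast chargen probe
]
```

Running `audit(SAMPLE)` flags packets 1, 2 and 4; packet 1 trips both the ingress filter and the smurf rule, which is the point of filtering spoofed private sources at the boundary.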

Summary

In summary, DoS attacks such as smurf and fraggle attacks attempt to prevent a system from responding to legitimate requests. A smurf attack sends a broadcast ping with a spoofed IP address (the IP address of the victim), and ping uses ICMP. A fraggle attack uses UDP ports 7 and 19 instead of ICMP, and sends broadcast UDP traffic with a spoofed IP address (the IP address of the victim).