Security Cheat Sheet

Terms and Definitions

RFC-1918 - Reserved Private IP Address Ranges
  Class A - 10.x.x.x
  Class B - 172.16.x.x - 172.31.x.x
  Class C - 192.168.x.x

RFC-2644 - Changing the Default for Directed Broadcasts in Routers

DES - Data Encryption Standard - 56-bit encryption method
3DES - Triple Data Encryption Standard - (Pronounced Triple DES) 168-bit encryption method

PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
EAP - Extensible Authentication Protocol - framework that relies on an external security server to handle authentication for PPP sessions

PPTP - Point to Point Tunneling Protocol
L2TP - Layer 2 Tunneling Protocol - IPSec with authentication

IPSec - Internet Protocol Security - Encrypted method of exchanging IP packets, used to create Virtual Private Networks (VPNs).
ISAKMP - Internet Security Association and Key Management Protocol

AAA - Authentication, Authorization, and Accounting - the benefits derived from a centralized security server.
  Authentication - Verifies identity using various authentication methods
    Username/Password (Static)
    Username/Password (Aging)
    Token Cards
    S/Key One Time Passwords
    One Time Passwords (OTP)
    No Username or Password
  Authorization - Assigns rights based on authenticated login
  Accounting - Records actions by authenticated users, used for accounting, auditing, and possibly forensics.

Kerberos - Network authentication protocol based on secret-key cryptography, which provides strong encrypted communications between server and client.

RADIUS - Remote Authentication Dial-In User Service - Protocol used to authenticate users connecting to network access servers and routers. RADIUS provides centralized administration, accountability, and allows a single username/password for several devices.

TACACS - Terminal Access Controller Access Control System
  TACACS - Security protocol used to validate dial-up users for a terminal server. (Deprecated by Cisco.)
  Extended TACACS - Adds information about protocol translator and router use.
  TACACS+ - Current version of TACACS.

SYN Packet - TCP synchronization packet, used to establish a TCP connection between a requesting client to a server.

Typical SYN Sequence - In a legitimate TCP connection, a client sends a SYN packet to a server ("Hello."). The server replies with a SYN ACK, or a synchronization acknowledgement packet ("Who's there?"). The client responds with an ACK, or acknowledgement packet ("Client X."). The server then completes a TCP connection.

Types of Attacks

SYN Flood - Malicious attack that exploits memory allocation on the server. A client is set up to continuously issue SYN packets to a server. The server allocates a certain amount of memory for a Transfer Control Block (TCB), and issues a SYN ACK to the client. The attacking client is designed to provide a bogus, unreachable source IP address, so the server's SYN ACK will never be acknowledged. If an ACK never reaches the server, the server does not release the TCB. A SYN flood basically pummels the server with SYN packets, but never acknowledges them. The result is that the server runs out of memory and cannot issue additional TCBs for legitimate users, essentially locking out the service.
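The TCB exhaustion described above can be watched for by replaying traffic against a model of the server's half-open connection table. The following is an added example, not part of the original cheat sheet: a SYN allocates an entry, the client's final ACK releases it, and unacknowledged entries accumulate until they exceed an assumed backlog. The server address, backlog size and packet records are all constructed for the example.

```python
"""Half-open (embryonic) connection tracking to spot a SYN flood.

Added example, not from the original cheat sheet. It simulates the server's
TCB table: a SYN allocates an entry, the client's third-step ACK releases it,
and entries that are never acknowledged pile up. The server address, backlog
and packet records below are constructed, not captured traffic.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport flags")

SERVER = "203.0.113.10"   # constructed server address (TEST-NET-3 range)
BACKLOG = 8               # assumed TCB budget for this toy server


def track_half_open(packets, server=SERVER, backlog=BACKLOG):
    """Replay packets against a TCB table.

    Returns (half_open, alerts): half_open maps (src, sport) -> timestamp of
    the SYN still awaiting its ACK; alerts lists every moment the table
    exceeded the backlog budget.
    """
    tcb = {}
    alerts = []
    for p in packets:
        if p.dst != server:
            continue
        key = (p.src, p.sport)
        if p.flags == "S":
            # Client SYN: server allocates a TCB and sends SYN ACK (not modelled).
            tcb.setdefault(key, p.ts)
            if len(tcb) > backlog:
                alerts.append(f"t={p.ts:.2f}: {len(tcb)} half-open > backlog {backlog}")
        elif p.flags == "A" and key in tcb:
            # Third step of the handshake: the connection is established,
            # so the half-open entry is released.
            del tcb[key]
    return tcb, alerts


def constructed_traffic():
    """One legitimate handshake followed by a flood of unacknowledged SYNs."""
    pkts = [
        Packet(0.00, "198.51.100.7", 40000, SERVER, 80, "S"),
        Packet(0.10, "198.51.100.7", 40000, SERVER, 80, "A"),
    ]
    # Flood: SYNs from bogus, unreachable sources; the SYN ACKs go nowhere,
    # so no ACK ever arrives and the TCBs are never released.
    for i in range(12):
        pkts.append(Packet(1.0 + i * 0.01, f"10.0.{i}.1", 1000 + i, SERVER, 80, "S"))
    return pkts


if __name__ == "__main__":
    half_open, alerts = track_half_open(constructed_traffic())
    print(f"{len(half_open)} half-open connections remain")
    for line in alerts:
        print(line)
```

The legitimate client's entry is released by its ACK, while the twelve flood SYNs stay in the table and trigger an alert on every SYN past the eighth. A real detector would also age entries out on a timer, which is exactly the resource the attacker is trying to hold.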

IP Spoofing - Method of gaining unauthorized access to networked resources, using a forged IP address that resides within the target's trusted range. This type of attack requires some knowledge of the target's internal network address scheme. The typical spoofing attack is often used to first gain entry into a target's network, then to create a backdoor entry point. Spoofing is a well-known hacking technique, and can be easily filtered by blocking all inbound RFC-1918 addresses (10.x.x.x, 172.16.x.x - 172.31.x.x, etc.).

IP Smurfing - DoS attack which uses IP spoofing to send an ICMP echo request to a victim's IP broadcast address. The resulting cavalcade of ICMP reply packets floods the network to the point of inoperability. The best way to defend against smurfing is to deny ICMP packets destined to IP broadcast addresses.

LAND Attack - DoS attack where a target host is flooded with forged SYN packets with source IP addresses that match the target's. The target host becomes unavailable while trying to respond to itself.
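The three defences above (drop inbound packets with an RFC-1918 source, deny ICMP echo requests to broadcast addresses, and reject SYN packets whose source equals the destination) reduce to simple header checks at the Internet-facing interface. The following is an added example, not part of the original cheat sheet, written as an ingress classifier over constructed packet records; the local subnet and all addresses are assumptions for illustration.

```python
"""Ingress checks for spoofed private sources, smurf and LAND packets.

Added example, not from the original cheat sheet. Assumes the filter sits on
an Internet-facing interface and knows the local subnet behind it. All
addresses and packet records are constructed for the example.
"""
import ipaddress

# RFC-1918 private ranges: a packet arriving from the Internet should never
# carry one of these as its source address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_inbound(src, dst, proto, local_net, flags="", icmp_type=None):
    """Return the list of reasons to drop an inbound packet (empty = allow).

    proto is "tcp", "udp" or "icmp"; flags holds TCP flag letters ("S" for
    SYN); icmp_type 8 is an echo request.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    net = ipaddress.ip_network(local_net)
    reasons = []
    if any(s in n for n in RFC1918):
        # Spoofed private address coming from outside the network.
        reasons.append("rfc1918-source-from-outside")
    if s == d and proto == "tcp" and "S" in flags:
        # LAND: forged SYN whose source is the target itself.
        reasons.append("land")
    if proto == "icmp" and icmp_type == 8 and d in (net.broadcast_address, LIMITED_BROADCAST):
        # Smurf amplifier: echo request aimed at a broadcast address.
        reasons.append("smurf-directed-broadcast")
    return reasons


def filter_inbound(packets, local_net):
    """Split constructed packet dicts into (allowed, dropped_with_reasons)."""
    allowed, dropped = [], []
    for p in packets:
        reasons = classify_inbound(p["src"], p["dst"], p["proto"], local_net,
                                   p.get("flags", ""), p.get("icmp_type"))
        (dropped.append((p, reasons)) if reasons else allowed.append(p))
    return allowed, dropped


# Constructed sample traffic arriving at the outside interface of 203.0.113.0/24
SAMPLE_PACKETS = [
    {"src": "198.51.100.9", "dst": "203.0.113.5", "proto": "tcp", "flags": "S"},
    {"src": "10.1.2.3", "dst": "203.0.113.5", "proto": "tcp", "flags": "S"},
    {"src": "203.0.113.5", "dst": "203.0.113.5", "proto": "tcp", "flags": "S"},
    {"src": "198.51.100.9", "dst": "203.0.113.255", "proto": "icmp", "icmp_type": 8},
]

if __name__ == "__main__":
    ok, bad = filter_inbound(SAMPLE_PACKETS, "203.0.113.0/24")
    print(f"allowed {len(ok)}, dropped {len(bad)}")
    for p, why in bad:
        print(p["src"], "->", p["dst"], why)
```

Of the four constructed packets only the first is allowed; the other three are dropped for a spoofed private source, a LAND packet and a directed-broadcast echo request respectively. Ordinary replies to ICMP echo sent to a unicast address are untouched, which is the distinction the smurf defence relies on.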

DNS Cache Poisoning - A type of attack targeted at DNS servers that injects false domain name resolution information. An attacker replaces legitimate IP addresses with different addresses to redirect traffic to the attacker's desired destination. For example, unwary users would browse to a website by URL and be redirected to a rogue site. The victim may unknowingly enter account or personal information on the fake site, or may become infected with a virus or Trojan horse.