Escogido's Blog

New Place

Vahid-Shokouhi — Sat, 03 Apr 2010 06:50:18 +0000

My new place :

http://vahidshokouhi.wordpress.com/

IPS/IDS Terminology

Vahid-Shokouhi — Tue, 12 Jan 2010 06:39:28 +0000

False alarms
False alarms are IPS events that you do not want occurring in your implementation. There are two types of these alarms: false positive and false negative. Both are undesirable.

False Positive : A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack. This type of traffic is often referred to as benign traffic.

False Negative : A false negative occurs when attack traffic does not trigger an alert on the IPS device. This is often viewed as the worst type of false alarm, for obvious reasons.

True alarms
There are two types of true alarms in IPS terminology. Both true positives and true negatives are desirable.

True positive : A true positive means that an attack was recognized and responded to by the IPS device.

True negative : This means that nonoffending or benign traffic did not trigger an alarm.

CAM(Content-Addressable Memory) Table Overflow Attack

Vahid-Shokouhi — Sat, 19 Dec 2009 13:34:39 +0000

This attack involves an attacker who floods the switch with fake MAC addresses in an effort to cause the switch to flood all packets out of all its ports. MAC flooding is the attempt to exploit the fixed hardware limitations of the switch CAM table. For example the CAM table on the Cisco Catalyst 6000 series switch can contain 128000 entries; these 128000 entries are organized as 8 pages that can store approximately 16000 entries. CAM tables are limited in size. If enough entries are entered into the CAM table before other entries are expired, the CAM table fills up to the point that no new entries can be accepted. When that occurs, the switch will flood all ports with incoming traffic because it cannot find the port number for a particular MAC address in the CAM table. The switch, then, acts as a hub.

The Macof tool was released in 1999. Written in Perl code, the Macof tool floods a switch with packets containing randomly generated source and destination MAC and IP addresses. When the CAM table of the switch fills up with these addresses, the switch begins to forward all frames that it receives to every port.

Challenge Handshake Authentication Protocol (CHAP)

Vahid-Shokouhi — Mon, 14 Dec 2009 13:30:22 +0000

The Challenge Handshake Authentication Protocol (CHAP), described in RFC 1994, provides authentication after the establishment of the initial communication link between the user and CHAP. CHAP operation comprises a three-way handshaking procedure summarized in the following steps:

1. The CHAP authentication mechanism sends a “challenge” to the user following the establishment of the communication link.

2. The user responds to the challenge with a string produced by a one-way hash function.

3. The hash value transmitted by the user is compared with a hash result calculated by the authentication mechanism. If the two hash values are identical, authentication of the user is verified. If the values do not match, the connection
is terminated.
4. For increased security, Steps 1 through 3 are repeated at random time periods.

Password Authentication Protocol (PAP)

Vahid-Shokouhi — Mon, 14 Dec 2009 13:24:49 +0000

In PAP, a user provides an unencrypted user name and password, which are compared with the corresponding information in a database of authorized users. Because the user name and password are usually sent in the clear, this method is not secure and is vulnerable to an attacker who intercepts this information. PAP is described in RFC 1334. In operation, after a communication link is established between the remote user and PAP, a user ID and password are transmitted repeatedly until authentication is completed or the communication is terminated. PAP is vulnerable to ID and password guessing. An improved approach is the Challenge Handshake Authentication Protocol (CHAP).

Wavelength Division Multiplexing(WDM)-DWDM-CWDM

Vahid-Shokouhi — Wed, 09 Dec 2009 07:25:06 +0000

WDM is a method of transmitting data from different sources over the same fiber optic link at the same time whereby each data channel is carried on its own unique wavelength over a fiber optic cable.Typically WDM is using to increase signaling and bandwidth capacity over single mode fiber optic cable, The result is a link with an aggregate bandwidth that increases with the number of wavelengths employed. In this way WDM technology can maximize the use of the fiber optic infrastructure that is available; what would normally require two or more fiber links instead requires only one. Dense Wave Division Multiplexing (DWDM) combines up to 64 wavelengths onto a single fiber. DWDM technology uses an ITU standard 100GHz or 200GHz spacing between the wavelengths, arranged in several bands at ~1500-1600nm. With DWDM technology, the wavelengths are close together (compared to CWDM), meaning that transponders are generally more complex and expensive than CWDM. However, with DWDM, the advantage is a much higher density of wavelengths, and also longer distances.

Coarse WDM (CWDM) are WDM systems with fewer than eight active wavelengths per fiber. CWDM can match the basic capabilities of DWDM but at lower capacity and lower cost. CWDM enables carriers to respond flexibly to diverse customer needs in metropolitan regions where fiber may be at a premium. The point and purpose of CWDM is short-range communications. It uses wide-range frequencies and spreads wavelengths far apart from each other. By design, CWDM equipment is compact and cost-effective as compared to DWDM designs.

Email Authentication – APOP

Vahid-Shokouhi — Tue, 08 Dec 2009 08:22:02 +0000

Authenticated Post Office Protocol (APOP) encrypts the user’s password during a POP session. The password is encrypted by using a secret that the user provides to the server long before the APOP session. The strength of the secret depends on number of factors including The complexity of password and how often it’s used.

There are three security concerns when using APOP :

1) The password used is not the same as the user login; therefore, a separate file must be used to keep this password. This becomes another point of failure and possible way to exploit.

2) Not all clients support APOP. This may lead organizations to settle for a more universal, although less safe method of authentication, such as the basic user name and password used by POP3.

3) APOP is concerned only with encrypting the user name and password and does not encrypt the e-mail messages itself.

Fucked Up!

Vahid-Shokouhi — Sat, 05 Dec 2009 13:27:29 +0000

Listen up, listen up!
Here we go
It’s a fucked up world
A fucked up place
Everybody’s judged by their fucked up face
Fucked up dreams
Fucked up life
A fucked up kid
With a fucked up knife
Fucked up moms
And fucked up dads
There’s a fucked up a cop
With a fucked up badge
Fucked up job
With fucked up pay
And a fucked up boss
Is a fucked up day
Fucked up press
And fucked up lie…

IPSec Modes- Transport & Tunnel

Vahid-Shokouhi — Sat, 05 Dec 2009 13:21:32 +0000

IPsec defines two modes that determine the extent of protection offered to the original IP packet.

When IPsec headers are simply inserted in an IP packet (after the IP header), it is called transport mode. In transport mode, the original IP header is exposed and unprotected. Data at the transport layer and higher layers benefits from the implemented IPsec features. Another way to think of this is that transport mode protects the transport layer and up. As such, when the IPsec packet travels across an untrusted network, all of the data within the packet is safe (based on the IPsec services selected). Devices in the untrusted network can see only the actual IP addresses of the IPsec participants.

IPsec offers a second mode called tunnel mode. In tunnel mode, the actual IP addresses of the original IP header, along with all the data within the packet, are protected. Tunnel mode creates a new external IP header that contains the IP addresses of the tunnel endpoints (such as routers or VPN Concentrators). The exposed IP addresses are the tunnel endpoints, not the device IP addresses that sit behind the tunnel end points.

Web Application Firewall- WAF

Vahid-Shokouhi — Sat, 05 Dec 2009 08:29:19 +0000

WAF is an intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack. Standard firewalls are designed to restrict access to certain ports, or services that an administrator doesn’t want unauthorized people to access. Web Application Firewalls are often called ‘Deep Packet Inspection Firewalls’ because they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. Some Web Application Firewalls look for certain ‘attack signatures’ to try to identify a specific attack that an intruder may be sending, while others look for abnormal behavior that doesn’t fit the websites normal traffic patterns. Web Application Firewalls can be either software, or hardware appliance based and are installed in front of a webserver in an effort to try and shield it from incoming attacks.