Monday, November 7, 2011

Misc 52

It's been such a long time since I've come up with an article that I find it hard to name this one. It seems miscellaneous anyway, so I'll name it that way.
This article is about using port-mirroring with Linux iptables for purposes such as Sniffing, IDS Monitoring and so on.

For this article, I'm going to show you how to capture DNS requests made by an application on an Android phone. Sounds difficult, but with sniffing, you can finish this task in less than 5 minutes!

First, you need to get on the Linux box (via Telnet or whatever) doing the routing. (Well, I'm technically on a WRT160NL running DD-WRT, so it is a Linux box)

We'll need to enter the following commands:
iptables -t mangle -A PREROUTING -s <phone_ip> -j ROUTE --tee --gw <sniffer_ip>

In this case, <phone_ip> is the phone's IP address, while <sniffer_ip> is the IP of the system doing the sniffing (both are placeholders; substitute your own addresses). The above command mirrors (copies) traffic coming FROM the phone.

In iptables, a packet goes through the following tables:
1) Filter
2) NAT
3) Mangle

Filter is for filtering of unwanted packets, NAT is for address translations, and Mangle is for final modification of packets (for things like QoS or mirroring).

Visit here to have a clearer idea of how the packet is routed.

The ROUTE target is an experimental target that performs routing in the mangle table. The --tee parameter specifies to MIRROR a packet (the original continues on its normal path), and the --gw parameter specifies the gateway to send the copy through.

Here is the documentation for the ROUTE target

Next, if we're interested in the return traffic, we can also enter the following commands:
iptables -t mangle -A POSTROUTING -d <phone_ip> -j ROUTE --tee --gw <sniffer_ip>

If we are interested in ALL traffic, we can omit the -d and -s parameters.

Now we can fire up Wireshark and do some sniffing. First, we'll need to select the right interface for sniffing. Mine is quite obvious:

Now, as we are interested in DNS traffic in this scenario, we'll use the filter:
ip.addr == <phone_ip> && udp.port == 53

Go generate the request in your phone. Lo and behold, as if black magic, you now know the DNS names your phone applications are connecting to.

From here you can do what you want. Let's say you want to find out what port the phone is accessing and what type of traffic goes through. No problem, just scroll down and look for the line where the answer comes back in (usually one line after the request).

We'll then use the following filters:
ip.addr == <response_ip> && tcp.flags.syn == 1

Of course, replace <response_ip> with the address that came back in the DNS response. You'll get something like this:

In our case, it's port 8300 we're looking for!
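The two-step hunt above (filter the phone's DNS traffic, then filter SYNs to the answered address) is easy to get wrong when a capture is busy, so here it is as an added Python example that is not part of the original post. It works over a constructed, tshark-style packet summary rather than a real capture; the phone address 192.168.1.23, the names and the port numbers are all made-up sample data, and the two match functions reproduce the selection logic of the Wireshark display filters used in the post.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed packet summaries in a tshark-style comma-separated layout. This is
# made-up sample data, not a real capture. Columns:
# frame, src, dst, proto, sport, dport, tcp_flags, dns_name, dns_answer
SAMPLE_CAPTURE = """\
1,192.168.1.23,192.168.1.1,udp,51234,53,,api.example-app.test,
2,192.168.1.1,192.168.1.23,udp,53,51234,,api.example-app.test,203.0.113.10
3,192.168.1.23,203.0.113.10,tcp,40001,8300,S,,
4,203.0.113.10,192.168.1.23,tcp,8300,40001,SA,,
5,192.168.1.23,203.0.113.10,tcp,40001,8300,A,,
6,192.168.1.50,192.168.1.1,udp,51300,53,,update.other-host.test,
7,192.168.1.1,192.168.1.50,udp,53,51300,,update.other-host.test,198.51.100.7
8,192.168.1.23,203.0.113.20,tcp,40002,443,S,,
"""

PHONE_IP = "192.168.1.23"  # assumed address of the phone whose traffic is mirrored


@dataclass
class Packet:
    frame: int
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str       # TCP flag letters, e.g. "S", "SA", "A"; empty for UDP
    dns_name: str    # queried name, for DNS packets
    dns_answer: str  # resolved address, for DNS responses


def parse_capture(text: str) -> List[Packet]:
    """Turn the comma-separated summary lines into Packet records."""
    packets = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        frame, src, dst, proto, sport, dport, flags, name, answer = row
        packets.append(Packet(int(frame), src, dst, proto, int(sport),
                              int(dport), flags, name, answer))
    return packets


def match_ip_and_udp_port(pkts: List[Packet], ip: str, port: int) -> List[Packet]:
    """Same selection as the display filter 'ip.addr == ip && udp.port == port'."""
    return [p for p in pkts
            if p.proto == "udp" and ip in (p.src, p.dst) and port in (p.sport, p.dport)]


def match_ip_and_syn(pkts: List[Packet], ip: str) -> List[Packet]:
    """Same selection as 'ip.addr == ip && tcp.flags.syn == 1' (SYN and SYN/ACK)."""
    return [p for p in pkts
            if p.proto == "tcp" and ip in (p.src, p.dst) and "S" in p.flags]


def dns_names_queried_by(pkts: List[Packet], client_ip: str) -> Dict[str, str]:
    """Step 1: names the client resolved, mapped to the answer it got ('' if none seen)."""
    names: Dict[str, str] = {}
    for p in match_ip_and_udp_port(pkts, client_ip, 53):
        if p.dst == client_ip and p.dns_answer:   # response flowing back to the client
            names[p.dns_name] = p.dns_answer
        else:
            names.setdefault(p.dns_name, "")
    return names


def ports_opened_to(pkts: List[Packet], client_ip: str, server_ip: str) -> Set[int]:
    """Step 2: destination ports of connections the client opened to the answer address
    (a pure SYN, i.e. no ACK bit, is the client's first packet of the handshake)."""
    return {p.dport for p in match_ip_and_syn(pkts, server_ip)
            if p.src == client_ip and "A" not in p.flags}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for name, answer in dns_names_queried_by(pkts, PHONE_IP).items():
        print(f"{PHONE_IP} resolved {name} -> {answer or '?'}")
        if answer:
            print(f"  ports opened to {answer}: {sorted(ports_opened_to(pkts, PHONE_IP, answer))}")
```

Note that the SYN filter also matches the server's SYN/ACK, exactly as the Wireshark filter does; `ports_opened_to` narrows it to the client's own SYN so the port you read off is the one the phone connected to, not its ephemeral source port.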

Of course, this is not where we stop. Remember, the extra rule takes up extra CPU cycles. When you're done, remember to remove everything using:
iptables -t mangle -D PREROUTING -s <phone_ip> -j ROUTE --tee --gw <sniffer_ip>
iptables -t mangle -D POSTROUTING -d <phone_ip> -j ROUTE --tee --gw <sniffer_ip>

Saturday, February 26, 2011


Last chapter, then time for exam papers!

Identification is not the same as Authentication. Identification is concerned with "Who you are?", while Authentication is concerned with "Are you really who you are?"

An example of Identification is a username, and Authentication is a password.

Authentication can be done in three ways:
-What you have - Smart card, Token
-What you know - Passwords, secret answers, PIN
-What you are - Biometrics like fingerprint

2FA is simply a combination of any of these two.

The disadvantage of "What you have" is that it can be stolen or forged.

The disadvantage of "What you know" is that it can be brute-forced. Most of the time it is easily cracked via technical methods.

The most secure method thus far (the level of security depends on the accuracy of the system) is "What you are". Biometrics such as voice, fingerprint and iris are things that cannot be forgotten, lost or stolen and is extremely impractical to forge (with current technologies. Who knows, maybe you're from 2020 and they've forged people).

Biometric must be something that is completely unique to an individual. Biometrics that meet these requirements include fingerprints, finger scans, retinal scans, voice scans, handwriting recognition, face recognition, and hand scans.

Biometrics require a hardware infrastructure (scanners, etc) and a database to store these information in digital form. They must also be smart enough to be able to compare newly scanned biometric information with stored information (which are bound to be slightly different).

The biometric protocol is to (in case of Fingerprint):
1) Capture - The fingerprint of those permitted are scanned
2) Process - The fingerprint is processed and quantized into binary data
3) Store or Verify (First time only) - The data is stored, or in case of verification, the data is compared against the one stored in the database.

Advantages of Fingerprinting:
-Moderately Reliable
-Cheap to manufacture
-Little data needs to be stored (<1 kbyte)
-Easy to implement everywhere (e.g. even in webpages)

Disadvantages of Fingerprinting:
-Requires close contact with scanner
-Dirt on finger can affect recognition
-Fingerprint readers have to be cleaned

Another way of scanning as mentioned is the Iris/Retinal scans. Advantages are:
-More accurate and have more characteristics to match
-Can scan through glasses and contact lenses (in case of Iris)
-Low error rate (one in 2 million)

Disadvantages are:
-Difficulty reading blind or cataract patients
-Cumbersome to use

And now we're done.


Here comes my favorite chapter in the whole book. It's probably the final chapter since biometrics isn't important. Let's begin!

Oh did I mention, it's CRYPTOGRAPHY TIME!

Cryptography is the conversion of information into a form incomprehensible to people who do not have the secret knowledge. In other words, creating the encryption/decryption system is the essence of cryptography.

Cryptanalysis is the opposite. Cryptanalysis is the breaking of the cryptography system by obtaining the secret through various means to break a code.

Plaintext (or less technically cleartext) is the original data. It is directly readable, or in case of data, useful.

Ciphertext is the plaintext that has gone through a cipher to make it unreadable.

Cipher is the encryption algorithm.

Key is the secret (typically a series of bits or a String which is later converted into bits) used by the cipher to encrypt/decrypt the plaintext into the ciphertext and vice versa.

Encryption is the conversion of plaintext into ciphertext using a cipher and key.

Decryption is the conversion of ciphertext into plaintext using a cipher and key.

cipherEncrypt(plainText,key) = cipherText;
cipherDecrypt(cipherText,key) = plainText;

In other words, the input of encryption is plaintext, and the output is ciphertext. The input of decryption is ciphertext, and the output is plaintext.

The goals of cryptography are slightly different from the usual CIA triad; here they are:
C - Confidentiality
I - Integrity
A - Authentication
N - Non-Repudiation

Repudiation occurs when a user denies that he has sent something after he did. Non-repudiation ensures that he cannot do that, which we will see later in Asymmetric Encryption. It makes sure that NOBODY CAN PROVE that a transaction didn't take place if it did.

Private key encryption is known as symmetric cryptography, secret key, or single key.
Public key encryption is known as asymmetric cryptography.

The common symmetric key algorithms (ciphers) are:
-DES - Data Encryption Standard
-3DES - Triple DES
-AES - Advanced Encryption Standard
-IDEA - International Data Encryption Algorithm
-RC[2,4,5] - Ron's Code, or Rivest Cipher

-Symmetric encryption is faster than asymmetric cryptography as the algorithm is computationally less complex
-Both sides use the same key, therefore it must be kept private
-Shorter key length can be used to achieve the same level of security provided by an asymmetric system using longer key length

Both sides need to have the key before communication can take place. This is sent to the other side through various secure and insecure means (can be in-band and out-of-band).

The main disadvantage of symmetric encryption is the difficulty of sending the keys across securely. Keys may be lost/stolen/modified as it transits an insecure medium.

Assuming that 5 parties need to communicate, and they are NOT to be able to decipher each other's communication, then the number of keys required would be exponential according to the formula:

2 parties would need 1 key, 3 parties would need 3 keys, 4 parties would need 6 keys, 5 parties would need 10 keys, and so on. 50 parties would need 1225 keys which is really impractical.

The problem with key distribution is solved through asymmetric encryption. Whitfield Diffie and Martin Hellman introduced the Diffie-Hellman scheme in 1976. Another scheme, known as RSA (Rivest, Shamir and Adleman), was introduced later on.

Asymmetric encryption involves two mathematically related keys known as the public and private key. Either key can be public or private, as long as the private key is only owned by the owner.

Let k be the keys, p be the plaintext, c be the ciphertext, and f(x,y) be the encryption and g(x,y) be the decryption functions of the cipher. An asymmetric encryption would satisfy:

f(p1,k1) = c1;
g(c1,k2) = p1;

f(p2,k2) = c2;
g(c2,k1) = p2;

f'(c1,k1) = p1; DOES NOT EXIST
f'(c2,k1) = p2; DOES NOT EXIST
h(k1) = k2; DOES NOT EXIST

You may not encrypt and decrypt using the same key. You cannot derive the other key using the first key (you may only use bruteforce). The public key would be public and should be available for everyone. These are usually stored into key servers such as http://pgp.mit.edu/. You may also send public keys through email and websites. The private key, however, MUST be kept only to the owner.

Private keys are typically kept secure using a passphrase. The passphrase is used to encrypt/decrypt the private key, which is used to decrypt anything encrypted with the public key. (I love this chapter).

An example of asymmetric encryption would be:
I want to send YOU a mail
I obtain YOUR public key somehow (through online directories or otherwise)
I encrypt my mail with YOUR public key and send it to you
YOU decrypt the mail with YOUR private key

Two advantages of symmetric over asymmetric are:
-Less computationally complex, so symmetric is faster
-Symmetric key needs a shorter key length to have the same key strength

Two disadvantages of symmetric key compared to asymmetric are:
-It is difficult to transmit the key
-Difficult to manage keys (keys increase exponentially to the number of parties)

The number of keys required is simply: 2*n;

Remember, when referring to decryption and encryption, always use the keyword "corresponding". For example, use the "corresponding" public key to decrypt something encrypted with a private key.

If I want to send you something, and I encrypt with my public key instead, then you must have my private key to decrypt. Since only I have my private key, you will never be able to read that message unless you stole it from me.

Encryption with my private key is only done so that you can verify that I indeed AM the one that sent that message. This is not for confidentiality because anyone can get the public key for decryption. It's more for non-repudiation (i.e. If the message can be decrypted with the public key, then the owner of the public key definitely sent it, unless the private key was compromised).

The advantages of asymmetric keys are:
-Keys can be exchange easily without any special arrangement.
-Can be used to implement non-repudiation

The disadvantages are:
-Slow compared to symmetric key cryptography
-Computationally very complex, and programming is very difficult

As a review:
To send a confidential message - Use the receiver's public key to encrypt
To receive a confidential message - Decrypt with your own private key
To sign a message - Encrypt the message with your own private key
To verify a signature - Decrypt the message with signer's public key

If you use the wrong public key to sign, then the intended recipient would not be able to see the message. Certificates are used to store the public key for identification. We'll cover this later.

Let's now talk about hash functions. Hash functions are one-way message-digest functions used to find the fingerprint of a particular object. They perform a one-way transformation such that:

f(x) = y; Exists
f'(y) = x; Does not exist

Hash is not an encryption. The original document cannot be derived from the hash.

Hashes are typically used to check the integrity of the message. Message X has fingerprint x, but Modified Message X will have a fingerprint of y.

Properties of Hashes are:
A small change in input results in a big change in output - The Avalanche Effect
-As an example, if "An apple" gives abc1298fe, "An Apple" would give 1029defef

Inputs of different lengths always produce outputs of the same length
-If "Apple" gives abc1298fe, "An Apple" would give 1029defef

Two different inputs will not produce the same output (Anti-collision)
-By definition, since the hash output is 128 bits, then out of every 2^(128) inputs, only two would give the same output. That is a huge number.

It would take 128 bits * 2^(128) bits of space to store rainbow tables to defeat MD5. It is even more impractical to defeat SHA-1.

Same input always same output
-If "Apple" gives abc1298fe now, it will ALWAYS be abc1298fe.

These are the tested message-digest (hash) algorithms:
-MD4/MD5 (128-bits)
-SHA-1 (160-bits)
-SHA-2 (comprises SHA-224, SHA-256, SHA-384, SHA-512)

Verification of the message Integrity through hash is as such:
I send you a message, and a hash of that message
You hash the received message, and compare it with the attached hash
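The four hash properties listed above, and the send-hash/re-hash-and-compare check just described, can be observed directly with SHA-256 from Python's standard library. This is an added example, not code from the original notes; the message text is constructed sample data, and "Apple" / "An Apple" are the same strings the notes use.

```python
import hashlib
import secrets
from typing import Tuple


def fingerprint(data: str) -> str:
    """SHA-256 digest of a string as 64 hex characters, whatever the input length."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests, counted in bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_ratio(a: str, b: str) -> float:
    """Fraction of the 256 output bits that flip between the digests of a and b.
    For a good hash this sits near 0.5 even when a and b differ by one character."""
    return differing_bits(fingerprint(a), fingerprint(b)) / 256


def attach_fingerprint(message: str) -> Tuple[str, str]:
    """Sender side: ship the message together with its hash."""
    return message, fingerprint(message)


def verify_integrity(message: str, attached_hash: str) -> bool:
    """Receiver side: re-hash what arrived and compare with the attached value
    (constant-time comparison avoids leaking how many leading characters matched)."""
    return secrets.compare_digest(fingerprint(message), attached_hash)


if __name__ == "__main__":
    print("Apple    ->", fingerprint("Apple"))
    print("An Apple ->", fingerprint("An Apple"))
    print("bits flipped between 'An apple' and 'An Apple':",
          differing_bits(fingerprint("An apple"), fingerprint("An Apple")), "of 256")
    msg, h = attach_fingerprint("Transfer 100 to account 42")   # constructed message
    print("intact:", verify_integrity(msg, h))
    print("tampered:", verify_integrity("Transfer 1000 to account 42", h))
```

One caveat a practitioner should keep in mind: a bare hash sent alongside the message only catches accidental corruption. Anyone who can alter the message in transit can just as easily recompute and replace the hash, so binding the fingerprint to a sender needs a keyed MAC or a digital signature, which is exactly what the signing procedure later in these notes adds.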

A Digital Certificate is used to identify the owner. It is used in a Public Key Infrastructure and issued by Certificate Authorities. The Public Key is stored in the Digital Certificate, and the hash of a portion of the Digital Certificate is signed using the Certificate Authority's private key. This lets you:
-Verify and communicate with the owner
-Verify that the Digital Certificate came from a real CA

Digital certificates typically have a common name used in proving the identity of e-commerce sites (SSL/TLS). The most common digital certificate standard is the X.509. (There is a mistake in seminar, it's not a signature, it's a certificate).

A benefit of Asymmetric encryption is the use of Digital Signatures to implement non-repudiation and origin authenticity. It can also be used to verify that information is not lost in transit.

A digital signature is "a type of asymmetric cryptography used to simulate the security properties of a signature in digital form". It provides:
-Authentication - The signer is really who he is
-Non-repudiation - The signer cannot deny that he signed it
-Integrity - The data was sent and received without alteration

Signing is done in two simple steps:
-Hash the message
-Sign the hash, then attach it to the message

The message sent is...

The receiver then takes the hash, and decrypts it with the public key of the sender (If it can be decrypted, it verifies the sender and provides non-repudiation).

Now he hashes the message, and compares it with the decrypted hash (Verifies the Integrity of the message if it matches).
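To make the f/g/k1/k2 relations from the asymmetric section, the "encrypt with the receiver's public key, sign with your own private key" review table, and the hash-then-sign / decrypt-then-compare procedure concrete, here is an added Python example that is not part of the original notes. It uses a toy textbook-RSA key pair built from the small primes p=61, q=53 (an assumption made purely so the numbers stay readable; real keys use 2048-bit moduli with OAEP/PSS padding), and it reduces the SHA-256 hash into the modulus range, which is another toy simplification.

```python
import hashlib
from typing import Tuple

# Toy textbook-RSA key pair from the classic small primes p=61, q=53, chosen so the
# arithmetic is visible. Illustration only: real keys use 2048-bit moduli and padding.
P, Q = 61, 53
N = P * Q                   # 3233: the modulus shared by both keys
PHI = (P - 1) * (Q - 1)     # 3120
E = 17                      # public exponent
D = pow(E, -1, PHI)         # private exponent, 2753; "h(k1) = k2" is only easy here because N is tiny

Key = Tuple[int, int]
PUBLIC_KEY: Key = (E, N)    # k1 in the notes: may be handed to anyone
PRIVATE_KEY: Key = (D, N)   # k2: stays with the owner


def f(p: int, key: Key) -> int:
    """Encrypt with either key: f(p, k) = c. Textbook RSA needs 0 <= p < N."""
    exp, n = key
    if not 0 <= p < n:
        raise ValueError("plaintext must be an integer in [0, N)")
    return pow(p, exp, n)


def g(c: int, key: Key) -> int:
    """Decrypt with the *corresponding* other key: g(c, k') = p."""
    exp, n = key
    return pow(c, exp, n)


def hash_to_int(message: bytes) -> int:
    """Hash the message and reduce it into the modulus range (a toy; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key: Key) -> int:
    """Step 1: hash the message. Step 2: 'encrypt' the hash with the signer's private key."""
    return f(hash_to_int(message), private_key)


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    """'Decrypt' the signature with the signer's public key and compare to a fresh hash."""
    return g(signature, public_key) == hash_to_int(message)


if __name__ == "__main__":
    secret = 65   # small plaintext integer; in practice this would be a symmetric session key
    c1 = f(secret, PUBLIC_KEY)
    print("confidentiality: encrypt with receiver's public key ->", c1,
          "| decrypt with the corresponding private key ->", g(c1, PRIVATE_KEY))
    print("decrypting with the same public key gives garbage:", g(c1, PUBLIC_KEY))
    msg = b"I owe you 100"   # constructed message
    sig = sign(msg, PRIVATE_KEY)
    print("signature verifies with signer's public key:", verify(msg, sig, PUBLIC_KEY))
    print("tampered message still verifies?", verify(b"I owe you 1000", sig, PUBLIC_KEY))
```

The round trips show the two properties the notes insist on: what one key encrypts, only the corresponding other key decrypts (and using the same key twice does not recover the plaintext), while a signature is just the private-key operation applied to the hash, so anyone holding the public key can check it but nobody else could have produced it.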

PGP is software that makes use of asymmetric encryption to provide services such as signing and encryption, mainly for email. In this case, even the sent message is encrypted, so a message to you looks like:

Don't have funny ideas about "myPrivate" here. It's a key not a part.


We now go into a short chapter of Wireless Security. The advantage of having wireless is that it is convenient, doesn't require extensive cabling and planning, has a high ROI and can increase productivity (mobile users). It can also be used for temporary deployments such as during a trade show.
Wireless operates on the 2.4GHz and the 5GHz radio frequency ranges. The NIC has a Radio transceiver attached to it to allow communication with the AP. Wireless can experience interference when communicating through heavy walls, large metal objects, etc.

Wireless can operate in two modes:
-Infrastructure - Indirectly through a central place, e.g. AP
-Ad-Hoc - Directly between two hosts

APs are typically used to connect wireless clients to a wired network.

Each wireless network is identified with an SSID (Service Set Identifier), and it can be configured in Infrastructure mode on the AP or Ad-Hoc mode on the initial client. SSIDs are periodically advertised through beacons.

Ad-Hoc clients do not require an access point and are easier to set up temporarily. Infrastructure mode takes advantage of the high-powered antennae to cover wide areas.

802.11 refers to the wireless standards established by the IEEE. Here's a simple breakdown:

802.11a:
-Operates on 5GHz, less crowded, and less interference from other appliances
-Speed up to 54Mbps
-Incompatible with b/g

802.11b:
-Operates on 2.4GHz, more crowded, likely to be interfered with by microwaves, cordless phones, etc.
-Speed up to 11Mbps but can operate over further distances
-More susceptible to heavy walls and big metal objects

802.11g:
-Operates on 2.4GHz
-Speed up to 54Mbps, same range as b
-Backwards compatible with b, but will operate at lower speeds

802.11n:
-Operates on both 2.4GHz and 5GHz (or either)
-300Mbps through MIMO technology

All vulnerabilities of a wired ethernet apply to wireless, and in addition, it is especially prone to interception attacks, as well as interruption through jamming.

Frames are sent as far as the radio transmissions take it, and any device within range of an unprotected network can intercept every packet.

War Driving refers to the technique that involves driving through a neighborhood to map APs using a wireless-enabled laptop. The information can then be used to plan attacks on insecure networks, or badly secured ones. AirSnort and NetStumbler are two free wireless network detectors.

To combat these insecurities, WEP (Wired Equivalent Privacy) was developed. Ideally, only the receiver can comprehend the received data. It is designed to provide the same level of security as a wired LAN, prevent malicious users from sniffing, and prevent malicious users from sending crafted frames. It uses RC4 encryption with a 40- or 128-bit key (symmetric) for Confidentiality and the CRC32 checksum for Integrity. The keys need to be configured on both ends. It works on the Data Link and Physical Layers, so it does not offer end-to-end security (and it is not designed to).

All that being said, WEP is not very secure, and can be cracked under 5 minutes, but it should be the bare minimum.

Measures against sniffing (some more effective than others) include:
-Changing the default SSID
-Disable SSID broadcasting
-Use MAC filtering
-Use an encryption scheme
-Change WEP keys often (or make use of TKIP)
-Only share what is needed
-Disable access point administration over wireless

Short chapter eh?


We now go into the topic of Malicious Code. Malicious Code can be any code that is capable of causing harm to a system. Malicious code include Viruses, Worms, Trojan Horses, and can include certain malicious Java Applets and ActiveX Controls.
It is sometimes not possible to classify code under a specific class, so the general term "malware" is used. Malware is not necessarily a virus, but a virus is definitely malware.

Malicious code causes harm to the network by attacking the goals of network security (causing DoS, modifying data, leaking confidential information). This ends up reducing productivity, damaging reputation and losing revenue.

A virus is a program that attaches itself into another program. It can be embedded at the start (similar to a launcher), or at the end of a program (similar to the use of a codecave).

For a virus to start working, the infected program must be executed. Some viruses perform deadly operations immediately, while others remain inactive until conditions are met (e.g. a command is sent from the attacker, or a certain day and time arrives).

Most viruses are written in assembly language, with the exception of macro viruses. Viruses can be playful or harmful (causing loss or corruption of data and/or services).

The life cycle of a virus is:

There are several kind of viruses. The most common of which are:

File Infector viruses - The most common virus class. It infects a file and hides within the code of another program. The infected program is an executable file which activates the virus and the program when run. The virus can then continue to run after the program is closed.

Viruses cannot exist in data/text files because the code within are not run. Instead, they are simply interpreted as ASCII characters. So even if a text file is infected, it would just appear to be a bunch of corrupted characters when open.

Boot sector viruses are stored in the boot sector of media (CD/DVDs, diskettes, HDDs). It is executed when a computer first turns on, searches for the boot sector, and executes it. The virus is then loaded into the computer before, while or after the bootstrapper initializes the OS.

A boot sector virus can only be used to infect a machine if it is used to start it up. It cannot be used to infect a machine if it is introduced after bootup. A boot sector virus can then spread to other media while the OS is running.

A macro virus is a virus that makes use of powerful macro languages provided by certain programs (e.g. Word, Excel). These viruses execute each time the document is opened and may infect all future documents created with the application. The Melissa virus is an example of the macro virus, which causes the victim machine to mail out confidential documents with the Melissa virus attached to it.

A worm is a type of virus that can replicate itself but cannot attach itself to other programs. It is self-replicating and does not alter files but resides in active memory and duplicates itself. Mainly worms are used to use up objectives, but can also perform other tasks.

Viruses can spread through:
-Infected media
-Files from the internet

Antivirus software is used to remove malware. It involves scanning for and removing it. Antivirus software can be:
-Virus scanning software
-Memory scanning software
-Integrity checkers
-Activity blockers

Virus scanning software can scan files and boot records. It may be able to notify the user, clean, delete, or quarantine the files/directories/disks affected. Virus scanners can look for known viruses, as well as new viruses.

Known viruses are found using signature scanning - a unique pattern of bits or binary data in the virus/program. The signature is like the fingerprint of a virus which is made as unique as possible for the identification of the virus.

Signature scanning may be able to find variants of existing viruses. The false-positive rate is relatively low. New viruses with different methods may not be detected as they may have different signatures.

Since antivirus software may not know of the existence of new viruses, it makes use of heuristic algorithms to scan. This is similar to signature scanning, but it looks for certain characteristics of the code (e.g. certain instructions that are typically not found in normal programs, such as modification of a driver, or modification of the registry).

If it finds a program that does unusual things, then it classifies it as a virus. However, it is more prone to false positives as legitimate programs (such as a Registry scanner) may be classified as malicious.

A Trojan Horse is a malicious, security breaking program that is disguised as something benign. An apparently useful program may have additional code to collect, exploit, falsify or destroy data.

A Trojan Horse is not a virus, in that although it can do everything a virus can do, it does not attach itself to another program or attempt to replicate itself. Trojans can be used for:
-Relaying malicious connections (redirect connections to cause attacks to appear from another vector)
-Access restricted resources
-Launch a DDoS attack
-Capture keystrokes (Keylogger)

Trojans typically comprise two parts:
-Server
-Client

The server is installed in the victim's machine, and the client is used by the attacker to connect to the victim's machine.

An example would be: Attacker makes the victim accept the Trojan server disguised as a game. The victim accepts and executes the file, causing the Trojan to be installed somewhere in the directory structure. The Trojan also modifies the Registry to cause it to be loaded automatically the next time the PC boots up. The attacker then connects to the Trojan to do work. The victim may also need to relay the IP of itself back to the attacker through means like DynDNS or email.

Defenses include:
-Do not download programs from dubious sites
-Do not open suspicious email attachments
-Prevent execution of ActiveX controls
-Don't accept programs in chatlines
-Check comments for files in P2P networks
-Use anti-spyware to detect and remove
-Configure a firewall to check for attempts to open ports
-Scan floppies and CDs before using

A Trojan may or may not be detected by Anti-Virus programs because they do things many other servers do, but famous ones like Sub Seven are definitely detected.

An example security policy for prevention of viruses can be:
1) All systems in the organization must be installed with firewalls and antivirus
2) Virus signatures must be updated
3) All media must be scanned for viruses before use
4) Programs downloaded from the Internet must be approved by the administrator before use


Let's go back to the first chapter and discuss why LANs are connected to the Internet. The most common reason is for a company to sell goods or advertise products through its website. Companies may also better communicate with partners and employees. Employees would also be more productive due to the resources available on the Internet.
However, this exposes the company to dangers such as:
-Port scanning
-Undesired packets
-Connection to untrusted networks

A firewall is a device, or a system of devices, that is designed to prevent unauthorized access to or from a private network. It isolates the LAN from the Internet by implementing the company's security policy with respect to Internet connections.

Typically, a Router is needed to connect to the Internet. As it is the border of the network, a firewall is typically implemented in a router. The router is then known as a screening router (discussed later). The perimeter device (whether it is a dedicated firewall or a screening router) is the first line of defense, and typically provides logging functions as well.

There are three main types of firewalls:
-Packet filter
-Application gateway
-Proxy server

Packet filters look at each packet and check it against the firewall rules (typically a table that is matched from top to bottom). The first rule that matches (either PERMIT or DENY) has its action applied to the packet. Packet filtering is effective, fast, and transparent to users.

An application gateway provides the highest level of security. This involves inspection of the application layer data, such as in the case of NBAR, where it is able to defend against tunneled traffic (e.g. Port 80 but not HTTP inside).

A proxy server is an intermediate server that makes connections on behalf of users. It breaks the client-server model. Each connection would then need two handshakes: One between client and firewall, and one between firewall and target host.

Proxy servers conceal the internal addressing of the clients, and it allows inspection of the application layer data (i.e. able to inspect tunneled traffic), allowing them to filter viruses, malware and other malicious content. However, it adds latency and sometimes bandwidth problems as extra steps are required to establish connections.

How a firewall works depends on what its filters are based on and also the OSI layer it operates on. Firewalls typically work at Layers 2 and above (it is not possible, feasible or practical to filter based on Layer 1 characteristics).

A perimeter firewall, however, cannot defend against internal attacks or any other attack that doesn't go through the firewall such as social engineering. Clients can also bypass perimeter firewalls by dialing out through a modem or using a VPN tunnel (such as HotSpot Shield)

The most basic type of firewall is the packet filter firewall, which examines the headers and fields of the protocols to determine whether it is permitted or denied. The action to take is stored in an ACL (Access-Control List).

Ingress filtering and egress filtering denotes filtering of incoming and outgoing packets respectively. The direction is with respect to the LAN.

Packet filters can be placed at the network level (router-based) or the host level (host-based). Network-level firewalls are typically implemented in routers, making the router a screening router. It protects against threats passing through it.

At Host-level, it is typically a personal firewall installed on each host to protect ONLY that host.

Information used in packet filtering include:
Source/Destination IP, MAC, Port, Direction of traffic, Protocol and fields/flags (such as TCP bits, and IP Fragments/DSCP options).

The information can be used to block access to specific websites (by IP, not domain name) and connection to specific ports (e.g. cannot use FTP). It can also be used to block certain hosts from entering. A lot of flexibility can be added by specifying the port.

The ACLs can be default allow or default deny. It is typically default deny, which means that traffic that doesn't match any policy is implicitly denied at the end.
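The packet-filter behaviour described in the last few paragraphs (match on direction, protocol, addresses, port and TCP bits; first match from the top wins; implicit deny at the end) can be exercised end to end with a small model. What follows is an added Python example, not code from the original notes or from any real firewall product. The LAN 192.168.1.0/24, the web server at 192.168.1.10, the blocked external range 203.0.113.0/24 and all the sample packets are constructed for illustration; the ACL also includes ingress and egress anti-spoofing rules, which is the egress-filtering defence these notes return to in the spoofing section.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative addresses: the LAN behind the screening router is assumed to be
# 192.168.1.0/24 with a web server at 192.168.1.10. Everything here is constructed.
LAN = "192.168.1.0/24"
WEB_SERVER = "192.168.1.10/32"


@dataclass
class Rule:
    action: str                         # "PERMIT" or "DENY"
    direction: str                      # "in" (ingress) or "out" (egress), relative to the LAN
    proto: Optional[str] = None         # "tcp", "udp", "icmp", or None for any
    src: Optional[str] = None           # CIDR, or None for any source
    dst: Optional[str] = None           # CIDR, or None for any destination
    dport: Optional[int] = None         # destination port, or None for any
    established: Optional[bool] = None  # True: ACK bit set; False: no ACK (new connection)


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int = 0
    flags: str = ""                     # TCP flag letters, e.g. "S", "SA", "A"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field a rule specifies must match; unspecified fields are wildcards."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established is not None and ("A" in pkt.flags) != rule.established:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins; nothing matching hits the implicit deny (index None)."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "DENY", None


ACL: List[Rule] = [
    Rule("DENY",   "in",  src=LAN),                  # 0 ingress anti-spoofing: our addresses never arrive from outside
    Rule("PERMIT", "out", src=LAN),                  # 1 egress filtering: only our own addresses may leave
    Rule("DENY",   "out"),                           # 2 anything else trying to leave is spoofed
    Rule("DENY",   "in",  proto="tcp", dport=21),    # 3 no FTP from the Internet
    Rule("DENY",   "in",  src="203.0.113.0/24"),     # 4 block a specific external range (constructed)
    Rule("PERMIT", "in",  proto="tcp", dst=WEB_SERVER, dport=80, established=False),  # 5 new connections to the web server
    Rule("PERMIT", "in",  proto="tcp", dst=LAN, established=True),                    # 6 replies to connections the LAN opened
]


if __name__ == "__main__":
    samples = [
        Packet("out", "tcp", "192.168.1.5", "198.51.100.1", 443, "S"),
        Packet("out", "tcp", "10.0.0.9", "198.51.100.1", 443, "S"),
        Packet("in", "tcp", "198.51.100.1", "192.168.1.10", 80, "S"),
        Packet("in", "tcp", "192.168.1.77", "192.168.1.10", 80, "S"),
        Packet("in", "udp", "198.51.100.1", "192.168.1.10", 53),
    ]
    for pkt in samples:
        action, index = evaluate(ACL, pkt)
        print(f"{pkt.direction:3} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} {pkt.flags:2} => {action} (rule {index})")
```

Rule 6 is the classic stateless trick for a packet filter that cannot track connections: inbound segments with the ACK bit set are assumed to be replies to something the LAN started. It is also why the notes list spoofing and dynamic ports as weaknesses, since an outsider can set that bit on a packet of their own.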

Packet filtering has the advantage of being faster due to having low overhead. This results in higher throughput than other types of firewall. This is due to the fewer evaluations it needs to perform.

However, certain rules are complex to specify, test, and modify. Exceptions may be difficult to create and it is difficult to block services using dynamic ports. IP spoofing attacks can also defeat this type of firewall to a certain extent (attacks that require only one-sided communication, for example, can use a spoofed source IP).

An IDS (Intrusion Detection System) is similar to a firewall in that it is used to monitor the network. However, it monitors based on things like signatures (specific pattern that indicate an attack) and anomalies (network activity deviation). An IDS does not typically prevent intrusions as it is not inline with the traffic (it works with mirrored traffic), so it would have to rely on a secondary device (such as a router) to block attacks. It is vulnerable also to single-packet attacks.

IPSs are IDS that are inline with the traffic, and can block attacks without the help of a secondary device.

Think of IDS as simply a burglar alarm and a security camera combined. It detects attacks, attempts to enforce policies, and provides an audit trail after the attack is done.

An IDS can detect if a worm is attacking the network, or if a system has been compromised. It can also alert the administrator in such a case. An IDS can be configured to detect activities that do not conform to security policies. Finally, an IDS can provide an after-attack audit trail to see how far an attacker got and where it came from.

There are different ways to categorize detection:
False Positive - Test turns out positive (e.g. ALERT!) but it's false (there is no attack).
False Negative - Test turns out negative, but it's false (there is an attack).
True Positive - Test turns out positive, and indeed there is an attack.
True Negative - Test turns out negative, and there indeed is no attack.
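The signature-versus-anomaly distinction and the four outcome classes above become much clearer once you run a detector over labelled data and count. Below is an added Python example (not part of the original notes) that applies one signature rule and one anomaly rule to a constructed, made-up set of sensor log lines, each carrying a ground-truth label so the verdicts can be scored as TP/FP/FN/TN. The line format, the signature pattern, the port-scan threshold of 4 and every address are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of sensor log lines (made up, not from a real IDS) paired with a
# ground-truth label: True means the line really was part of an attack.
# Line layout: "<time> <src_ip> -> <dst_ip>:<dport> <payload>"
SAMPLE_LOG: List[Tuple[str, bool]] = [
    ("10:00:01 198.51.100.4 -> 192.168.1.10:80 GET /index.html", False),
    ("10:00:02 198.51.100.4 -> 192.168.1.10:80 GET /login?u=admin' OR 1=1--", True),
    ("10:00:03 203.0.113.9 -> 192.168.1.10:21 probe", True),
    ("10:00:03 203.0.113.9 -> 192.168.1.10:22 probe", True),
    ("10:00:03 203.0.113.9 -> 192.168.1.10:23 probe", True),
    ("10:00:03 203.0.113.9 -> 192.168.1.10:25 probe", True),
    ("10:00:04 192.168.1.2 -> 192.168.1.10:21 healthcheck", False),   # in-house monitoring host
    ("10:00:04 192.168.1.2 -> 192.168.1.10:22 healthcheck", False),
    ("10:00:04 192.168.1.2 -> 192.168.1.10:80 healthcheck", False),
    ("10:00:04 192.168.1.2 -> 192.168.1.10:443 healthcheck", False),
    ("10:00:05 203.0.113.50 -> 192.168.1.10:443 TLS ClientHello", True),  # malicious but unknown to the sensor
    ("10:00:06 198.51.100.4 -> 192.168.1.10:80 GET /about.html", False),
]

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (.*)$")

# Signature rule: a fixed pattern of a known attack (constructed example).
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

PORT_SCAN_THRESHOLD = 4   # anomaly rule: one source touching this many distinct ports


def parse_line(line: str) -> Tuple[str, str, str, int, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    time, src, dst, dport, payload = m.groups()
    return time, src, dst, int(dport), payload


def signature_alerts(lines: List[str]) -> Dict[int, Set[str]]:
    """Known-attack detection: a line alerts when a signature pattern appears in its payload."""
    alerts: Dict[int, Set[str]] = defaultdict(set)
    for i, line in enumerate(lines):
        payload = parse_line(line)[4]
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts[i].add(name)
    return alerts


def anomaly_alerts(lines: List[str], threshold: int = PORT_SCAN_THRESHOLD) -> Dict[int, Set[str]]:
    """Deviation detection: every line from a source that touched >= threshold distinct ports."""
    ports_by_src: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        _, src, _, dport, _ = parse_line(line)
        ports_by_src[src].add(dport)
    scanners = {src for src, ports in ports_by_src.items() if len(ports) >= threshold}
    alerts: Dict[int, Set[str]] = defaultdict(set)
    for i, line in enumerate(lines):
        if parse_line(line)[1] in scanners:
            alerts[i].add("port_scan_anomaly")
    return alerts


def detect(lines: List[str]) -> Dict[int, Set[str]]:
    """Union of both detection methods, keyed by line index."""
    combined: Dict[int, Set[str]] = defaultdict(set)
    for source in (signature_alerts(lines), anomaly_alerts(lines)):
        for i, names in source.items():
            combined[i] |= names
    return dict(combined)


def score(log: List[Tuple[str, bool]]) -> Dict[str, int]:
    """Compare verdicts with ground truth and count the four outcome classes."""
    lines = [line for line, _ in log]
    alerts = detect(lines)
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for i, (_, malicious) in enumerate(log):
        alerted = i in alerts
        if alerted and malicious:
            counts["TP"] += 1
        elif alerted and not malicious:
            counts["FP"] += 1
        elif not alerted and malicious:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts


if __name__ == "__main__":
    lines = [line for line, _ in SAMPLE_LOG]
    for i, names in sorted(detect(lines).items()):
        print(f"ALERT line {i}: {', '.join(sorted(names))} :: {lines[i]}")
    print(score(SAMPLE_LOG))
```

The constructed data is arranged to produce one of each failure mode the notes describe: the monitoring host's health checks trip the port-scan anomaly (false positives, the price of anomaly detection), while the connection from the unknown address matches no signature and looks normal (a false negative, the price of signature detection).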

Like firewalls, IDSs can be host-based or network-based. If they are on a single host, they have a limited view of the entire network and cannot detect (or can only partially detect) attacks targeted at another host.

A honeypot is a server that is used to attract hackers. It looks like a tempting target, such as a database server, but there is actually no real service running there. It is used to distract hackers from real targets and to study their attack methods. However, it may not be used to convict a hacker.


Attacks can be classified into 4 types, according to the security goal they harm:
-Interruption (Availability)
-Modification (Integrity, and possibly Availability)
-Interception (Confidentiality)
-Fabrication (Authenticity: the data appears to come from someone it did not, so it is often filed under Integrity)

All four harm at least one security goal. Interception is the odd one out: nothing is changed, so it is normally classed as a passive attack (see the passive/active distinction later in these notes); the other three are active attacks.

Attacks can be classified further. The most common class of attack is the MITM attack (Man-in-the-Middle). In a MITM attack, the attacker sits transparently between the two communicating parties. The attacker may then capture and/or modify the data before it reaches the victim (an interception attack, or a modification attack).

Examples of MITM attacks are SSL Stripping and ARP Poison Routing (APR).

Another type of attack is the spoofing attack. Spoofing attacks forge a field in the protocol (such as the source IP or MAC address) so that the traffic appears to come from a trusted source. IP spoofing works because certain services authenticate based on the source IP address; trusting the source address at all is itself the vulnerability, since nothing in IP verifies it.

Defences are to use authentication that does not depend on the source address (e.g. 2FA or cryptographic authentication), and to perform egress filtering at the border router so that the LAN behind it cannot be the source of spoofed packets (i.e. only allow packets whose source address belongs to the company LAN to go out to the Internet). The matching ingress filter drops packets arriving from the Internet that claim a source address inside the LAN.
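The egress and ingress rules just described, as an added example (not from the original notes) written in Python with the standard ipaddress module. The LAN prefix, the short bogon list and the sample packets are constructed, using the RFC 5737 documentation ranges in place of real addresses.

```python
"""Egress and ingress anti-spoofing checks at a border router, using the
ipaddress module. Added example for these notes, not from the original page.
The LAN prefix, bogon list and packets are constructed (RFC 5737 test ranges)."""
import ipaddress

LAN = ipaddress.ip_network("192.0.2.0/24")   # stands in for the company LAN

# Source prefixes that should never arrive from the Internet (a short bogon list).
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16")]

def egress_verdict(src, lan=LAN):
    """Outbound rule: only let packets out whose source is one of our own addresses.
    Anything else is a spoofed packet originating inside our LAN."""
    return "forward" if ipaddress.ip_address(src) in lan else "drop-spoofed"

def ingress_verdict(src, lan=LAN, bogons=BOGONS):
    """Inbound rule: a packet from the Internet claiming our own LAN, or a private/
    reserved source, is spoofed and is dropped before it reaches IP-trusting services."""
    addr = ipaddress.ip_address(src)
    if addr in lan:
        return "drop-claims-our-lan"
    if any(addr in net for net in bogons):
        return "drop-bogon"
    return "forward"

def apply_filter(packets, verdict):
    """Run a list of (src, dst) packets through a rule; return per-packet verdicts."""
    return [(src, dst, verdict(src)) for src, dst in packets]

# Constructed traffic. Outbound: one real host, one spoofing a private address,
# one spoofing someone else's public address.
OUTBOUND = [("192.0.2.10", "203.0.113.5"), ("10.1.1.1", "203.0.113.5"),
            ("198.51.100.7", "203.0.113.5")]
# Inbound: a genuine Internet host, a packet pretending to be our LAN, a private source.
INBOUND = [("198.51.100.7", "192.0.2.10"), ("192.0.2.10", "192.0.2.10"),
           ("172.16.5.5", "192.0.2.10")]

if __name__ == "__main__":
    for row in apply_filter(OUTBOUND, egress_verdict):
        print("egress ", row)
    for row in apply_filter(INBOUND, ingress_verdict):
        print("ingress", row)
```

Egress filtering does not protect you from being spoofed; it stops your network from being the source of spoofed packets aimed at others, which is why it only works if every network does it.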

Another type of spoofing is web site spoofing, as in a phishing attack. The attacker creates an authentic-looking page (such as a bank login page) and lures the victim to the site by other means (e.g. an authentic-looking email).

Finally we have the well-known ARP spoofing, covered under Layer 2 attacks later in these notes.

Another type of attack is the DoS attack (Denial of Service). DoS is aimed primarily at the Availability of the network/services. It is the simplest of attacks. Typically a DoS attack is launched when the hacker fails to gain access to a computer (if he can't own it, no one else can use it).

DoS attacks are used to kill business competition. It is also used for revenge, for fun, or may be accidental (e.g. Janitor trips over a wire).

DoS attacks result in decreased productivity, lost revenue, and damaged reputation.

The types of DoS attacks are:
1) Consumption of network or computational resources
2) Disruption of configuration information
3) Physical damage

When it comes to consuming resources, typically a single attacker is not enough. It may take many attacking machines to bring a victim down. Therefore attackers employ Distributed DoS, or simply DDoS.

DDoS relies on zombies, collectively a botnet (infected hosts), each of which has either a server component (listens for incoming commands) or a reverse-connecting client (connects out to a command server and receives commands from it) installed. It is difficult to trace who the real attacker is since the attack appears to come from many sources, sometimes even from trusted hosts.

Session hijacking is the act of taking control of a session. Hackers get around sophisticated authentication schemes by taking over a victim's existing session AFTER it has been established and authenticated.

Password attacks are primarily brute-force attacks. Brute-force attacks involve systematically guessing the password until the correct one is found. However, as many passwords contain common words, a dictionary attack (brute force over a word list) can allow the attacker to recover a password in much less time.

Passwords can be weak or strong. A strong password is one that is difficult to discover. Strong passwords are made up of:
1) Long strings
2) A large mix of character types in no apparent order (e.g. AbCd13!@ is bad, !A1C@b3e is good)
3) Words not found in dictionaries (even H3ll0 may be bad, because dictionary attacks apply leet-speak substitution rules such as e to 3 and o to 0)

A weak password is the other way round:
1) Uses a word found in a dictionary, or a name
2) Uses very little mix of characters, such as all lower-case letters

The theory behind brute force is that, by definition, it will eventually crack EVERY password or key, given enough time. What defeats it is feasibility: when the keyspace is large enough, "eventually" is longer than the data is worth protecting, or longer than the attacker's lifetime.

There are two kinds of brute-force target. You can either brute-force the key (in the case of encryption), or brute-force the password/plaintext that produced a hash (in the case of a hash).

Here's a practical example. If a computer can try 72000 keys (password guesses) in a second, find the time it takes to brute-force a password, for a few different kinds of password.

The formula, by the way, is radix^characters/speed, where the radix is the number of possible characters in each position.

A 4-character password that is all lower-case: the radix is 26, so 26^4/72000 ≈ 6.3 seconds is the time-maximum (t-max) of the attack. On average, passwords are cracked in half the time-maximum, since the correct guess is equally likely to be anywhere in the keyspace.

A 5-character password that only involves numbers: 10^5/72000 ≈ 1.4 seconds.

An 8-character password with lower-case (26), upper-case (26) and numbers (10): the radix is 62. Therefore it takes 62^8/72000 ≈ 3.0 × 10^9 seconds, about 96 years, to crack. Much longer.

Now, 8 characters with the previous 62 AND all symbols. I don't know how many there are, but let's assume there are 16 symbols. You'll have 78^8/72000 ≈ 1.9 × 10^10 seconds, about 600 years. (There are actually 32 printable ASCII punctuation characters, 33 if the space is counted, so the real radix is 94 or 95 and the figure is higher still.)
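The same calculation as a small Python tool, added here as an example and not part of the original notes. It infers the radix from the character classes a password actually uses, computes t-max and the average time at the 72000 guesses/s rate used above, and lets you override the symbol-class size (16, as assumed above, versus the real 32). The sample passwords in the demo are constructed; only their character classes matter.

```python
"""Brute-force time estimates for the worked example above: keyspace = radix ** length,
t_max = keyspace / speed, t_avg = t_max / 2. Added example for these notes, not from
the original page. The 72000 guesses/s figure is the one used above; the sample
passwords below are constructed and only their character classes matter."""
import string

SPEED = 72_000                       # guesses per second, as in the notes
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes and their sizes. The notes assume 16 symbols; the real count of
# printable ASCII punctuation is 32 (33 if you count the space).
CLASSES = {
    "lower": set(string.ascii_lowercase),     # 26
    "upper": set(string.ascii_uppercase),     # 26
    "digits": set(string.digits),             # 10
    "symbols": set(string.punctuation),       # 32
}

def radix_for(password, symbols_count=None):
    """Radix implied by the character classes a password actually uses.
    symbols_count overrides the size of the symbol class (e.g. 16 as in the notes)."""
    chars = set(password)
    unknown = chars - set().union(*CLASSES.values())
    if unknown:
        raise ValueError("characters outside the modelled classes: %r" % sorted(unknown))
    radix = 0
    for name, members in CLASSES.items():
        if chars & members:
            if name == "symbols" and symbols_count is not None:
                radix += symbols_count
            else:
                radix += len(members)
    return radix

def keyspace(radix, length):
    return radix ** length

def t_max(radix, length, speed=SPEED):
    """Worst case: every combination tried."""
    return keyspace(radix, length) / speed

def t_avg(radix, length, speed=SPEED):
    """Expected case: the right guess is on average halfway through the space."""
    return t_max(radix, length, speed) / 2

def human(seconds):
    if seconds < 60:
        return "%.1f seconds" % seconds
    if seconds < 3600:
        return "%.1f minutes" % (seconds / 60)
    if seconds < 86400:
        return "%.1f hours" % (seconds / 3600)
    if seconds < SECONDS_PER_YEAR:
        return "%.1f days" % (seconds / 86400)
    return "%.1f years" % (seconds / SECONDS_PER_YEAR)

def estimate(password, speed=SPEED, symbols_count=None):
    r = radix_for(password, symbols_count)
    n = len(password)
    return {"radix": r, "length": n, "keyspace": keyspace(r, n),
            "t_max_s": t_max(r, n, speed), "t_avg_s": t_avg(r, n, speed)}

if __name__ == "__main__":
    for pw, sym in [("abcd", None), ("12345", None), ("Passw0rd", None),
                    ("P@ssw0rd", 16), ("P@ssw0rd", None)]:
        e = estimate(pw, symbols_count=sym)
        print("%-9s radix=%-3d t_max=%s  t_avg=%s"
              % (pw, e["radix"], human(e["t_max_s"]), human(e["t_avg_s"])))
```

Note that these figures are for a pure brute force at a 2011-era rate of 72000 guesses per second; a dictionary attack with substitution rules would find "Passw0rd" almost immediately, and modern GPU crackers try several orders of magnitude more hashes per second, so the keyspace, not the time, is the number to remember.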

Sniffing is easiest on Token Ring networks, where every frame passes through every station, followed by (hub-based) Ethernet networks. Sniffing is the act of promiscuously inspecting every packet received by the NIC, even those not intended for the computer. Sniffing can also be described simply as intercepting packets travelling over a network. It is the network equivalent of eavesdropping.

A sniffer can be a program/device or the person using such a program. It can be used both for network management/troubleshooting (detect bottlenecks, programmers checking their program's packets, logging traffic) as well as malicious activities (stealing information off networks).

These three prerequisites must be met before sniffing can occur:
1) The NIC must be in promiscuous mode
2) A hub is used to connect the nodes (on a switched network, ARP poisoning or a mirror port would be required to see other hosts' traffic)
3) The sniffer must be in the same LAN segment

By default, NICs are in non-promiscuous mode. That means the NIC will ignore frames not destined for its own MAC address (or for broadcast/multicast). In promiscuous mode, the NIC passes every frame it sees up to the operating system, so frames not intended for the host can be captured and saved.

Information that can be obtained through sniffing includes email traffic, login usernames and passwords, and information useful for other attacks (including the sequence numbers of TCP sessions). Any cleartext protocol, such as HTTP, FTP, SMTP, POP3 and Telnet, can be sniffed.

Defences against sniffing include:
-Replacing hubs with switches, so that frames are only delivered to the port of the destination host (and using switches that can perform ARP snooping/inspection, so the attacker cannot redirect traffic with ARP poisoning)
-Physically checking the network to ensure there are no unregistered hosts
-Using encryption to hide sensitive data, so that what is sniffed is useless

No matter how strong a password is, once it has been sniffed in cleartext, it is broken.

It is very difficult to detect sniffing because it is passive, but if the sniffing software performs reverse DNS lookups on the addresses it sees, the resulting burst of PTR queries may make it possible to identify suspicious hosts.

Phishing is a form of social engineering that makes use of fraudulent techniques to obtain sensitive information such as password and credit card details.

A web site phishing technique involves creating an authentic-looking site of a well-known company (such as a bank). The phishers then send authentic-looking emails to trick recipients into accessing the phishing site. The victims then divulge information such as passwords, credit card numbers, usernames and other details into a form on the web site (e.g. when they try to log in).

Defenses for phishing include:
-Be skeptical of email with urgent requests
-Verify the emails with the company it "supposedly" came from
-Don't click on links in an email if it is suspicious
-Visit phishing guides like http://www.antiphishing.org

All the attacks described thus far are technical attacks. Technical attacks require the assailant to have good knowledge of computers, networking, programming and so on. That knowledge is used to identify vulnerabilities (the attacker is the threat) and to carry out the attacks.

Non-technical attacks involve very little technical knowledge. These are the different non-technical attacks:

Dumpster diving - this involves digging through rubbish bins to look for sensitive data that has not been properly disposed of. Defences include shredding documents, credit cards and CDs.

Shoulder surfing - this involves looking over the victim's shoulders when he/she is inputting sensitive data into the computer (such as during logins).

Social Engineering is the most powerful attack in the world. It relies heavily on human interaction and is designed to exploit the natural helpfulness of humans. Social engineering works because people are not aware of the value of the information they hold, so they are careless in protecting it.

Social engineering can be performed through:
-appeal to Vanity (praises and such)
-appeal to Authority (appear to be an authoritative individual)
-eavesdropping (e.g. Shoulder Surfing, or eavesdropping for information to be used in the above two)

Social Engineering attacks can be classified under online and offline. (Or rather, technical or non-technical).

Emails with tempting subject lines (e.g. "Nude XXX") but containing a trojan can be classified as an online social engineering attack. Social engineering can also cause damage by making people delete innocent, operating-system-critical files, as in the example given in the seminar where people are told to delete jdbgmgr.exe, claiming that it is a virus.

Friday, February 25, 2011


We will now talk about the phases in an attack. Although the full attack process is done in 7 steps, the simplified one in the syllabus just involves:
1) Reconnaissance - Find out information about the network and gauge feasibility
2) Active Attack - Cause damage to the victim
3) Clearing Traces - Clear evidence of the attack

A simple way to find machines in a network is to do a ping (echo-request) scan. Replies typically mean a live host, while no reply may indicate a firewalled host or a down host.

We can also perform scans on specific hosts to find open ports, and also to find the network architecture and the operating systems involved.

A good utility is the Whois database, which allows anyone to look up a domain. The contact information (names of the people responsible) and various other information, such as the registered name servers, can be obtained.

The information found can then be used to perform social engineering or phishing attacks. A good way to limit this is to register only generic role addresses, such as webmaster@domain.com, rather than named individuals.

We can also use search engines to find out information about the company network. We can also find the company website to see the different services they provide, and the different critical employees (to attack, or to impersonate).

Network scanning refers to the procedure for identifying active hosts on a network, either for attacking or for assessment. This is part of the footprinting phase, where the attacker builds a profile of the target organization, including information such as DNS servers, email servers and the IP address range.

Tools, some free and some commercial, can be used to scan. The simplest, but least convenient, tool for scanning is "ping". The expansion Packet Internet Groper is a backronym; the name comes from sonar, and it works like one, with an Echo Request (ICMP type 8) and an Echo Reply (ICMP type 0).

As mentioned, the lack of a reply may indicate a down host, or a firewalled host. Firewalls can be used to ignore Echo Requests, or to restrict Echo Replies.
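The echo request/reply exchange in bytes, as an added example that is not part of the original notes. It builds an ICMP echo request with the RFC 792 checksum, parses the reply, matches reply to request by identifier and sequence number, and names the other ICMP types that come up later in these notes (Unreachable, Redirect, TTL Exceeded). All packets are constructed in memory; nothing is sent on the wire.

```python
"""Build an ICMP echo request (type 8), parse an echo reply (type 0) and recognise
the other ICMP types that matter later in these notes (unreachable, redirect,
TTL exceeded), including the RFC 792 one's-complement checksum. Added example,
not from the original page; all packets are constructed in memory and nothing
is sent on the wire."""
import struct

ICMP_TYPES = {
    0: "echo-reply (host alive)",
    3: "destination-unreachable",
    5: "redirect (suspicious if unsolicited)",
    8: "echo-request",
    11: "ttl-exceeded",
}

def checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, ident, seq, payload=b"", code=0):
    """Header: type, code, checksum, identifier, sequence (8 bytes), then payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def parse_icmp(packet):
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing the whole packet, checksum field included, yields 0 when it is intact.
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": checksum(packet) == 0}

def classify(packet):
    """What a ping-sweep tool would conclude from one received ICMP packet."""
    info = parse_icmp(packet)
    if not info["checksum_ok"]:
        return "corrupt"
    return ICMP_TYPES.get(info["type"], "other")

def is_reply_to(request, reply):
    """Match a reply to our request by identifier and sequence number."""
    a, b = parse_icmp(request), parse_icmp(reply)
    return b["type"] == 0 and a["type"] == 8 and (a["id"], a["seq"]) == (b["id"], b["seq"])

if __name__ == "__main__":
    req = build_icmp(8, 0x1234, 1, b"pingdata")
    rep = build_icmp(0, 0x1234, 1, b"pingdata")
    print(req.hex(), classify(req))
    print(rep.hex(), classify(rep), is_reply_to(req, rep))
```

Sending these on a real network needs a raw socket (root), which is why ping is setuid or has CAP_NET_RAW; the identifier and sequence fields are what let the host tell its own replies apart from someone else's ping sweep.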

We now go to the topic of port scanning. A port is a logical endpoint on a host, like a door to a house. As certain applications listen on specific port numbers, the open ports can be used to identify the services running on a host. A host has 65535 usable ports per transport protocol (1 to 65535; port 0 is reserved).

Services are referred to as daemons in Unix. Servers typically listen on well-known low port numbers (below 1024, which on Unix require root privileges to bind), while clients use ephemeral high port numbers (above 1024) for their side of the connection.

Some common ports and services are:
FTP Data - 20
FTP Control - 21
SSH - 22
Telnet - 23
SMTP - 25
DNS - 53
HTTP - 80
POP3 - 110

Port scanning is the systematic scanning of a host's ports to discover the services running on the target machine. Port scanning identifies the possible ways of connecting to a computer or network. It can be used legitimately to manage a network, or maliciously to look for vulnerabilities. Port scanning is usually one of the first things an attacker performs before penetrating a computer.

It gives an idea where to probe for weaknesses and is accomplished by sending certain crafted packets (such as a SYN packet) to each port and interpreting its reply (or its lack thereof).

In a SYN scan, if a port is open, the attacker receives a SYN,ACK from the victim (and then sends a RST rather than completing the handshake). If it's closed, the victim responds with a RST. If nothing comes back at all, the port is most likely filtered by a firewall.

Port scanning itself is not illegal, and it's difficult to stop port scans (unless we employ an IDS or IPS). These are the different types of port scanning methods covered in lecture:

Vanilla - The scanner attempts to connect to all 65535 ports on the same machine.
Strobe - The scanner connects to only selected ports on the same machine.
Sweep - The scanner connects to the same port(s) on more than one computer.
Stealth - The scanner attempts to prevent the scanning from being recorded.
UDP - UDP variant of all the above methods.

Defences against port scanning are to close all unnecessary ports (to close a port, shut down the service using it). Firewalls and IDS/IPS can help block or detect the scans. Changing default port numbers can defend against sweep and strobe scans that only check well-known ports, but a vanilla scan will still find the port (though the scanner would not immediately know which service it is).


When TCP/IP was designed, there was no provision for security. Therefore, there was no automatic encryption, and neither was there authentication. The concern was only how to get data from one point to the other. The original Internet was small, and everyone trusted everyone else.
No automatic encryption means that the data in packets is sent in cleartext. Anyone who captures the packet can see what's in it. It's like a postcard.

No authentication means that packets can have spoofed IP and MAC addresses and there is no way to verify them.

The designers did not implement security features because they did not expect that the mechanisms designed to handle service requests could also be used to expose servers to hijack attempts, compromise or mangling their data and services.

If asked, the vulnerability of TCP/IP is the lack of automatic encryption and authentication.

We'll now go through the different attacks starting from Layer 4. Layer 4 is vulnerable to things like SYN Flooding, Sequence Number Prediction and UDP Flooding.

A half-open connection is a three-way handshake with the final ACK missing. It is kept for a length of time (the timeout) before it is torn down. Attackers send many SYN requests to the victim using spoofed source IP addresses. The victim replies with SYN,ACK to the spoofed addresses (which never answer), and allocates resources for each half-open connection until they are exhausted and real clients can no longer connect.

Defences against SYN flooding are to decrease the timeout, disable non-essential services, use an IDS/IPS, and reduce the maximum number of half-open connections (thus using less RAM so the host does not crash). Modern systems also use SYN cookies, which encode the connection state in the server's ISN so that nothing needs to be stored until the final ACK arrives.
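To see what the timeout and the half-open limit actually do, here is an added example (not from the original notes): a simulated half-open connection table hit by a burst of spoofed SYNs, with a legitimate client retrying once a second until it gets in. The flood size, addresses and timestamps are constructed; nothing touches a real socket.

```python
"""Half-open connection table under a SYN flood, with the two tunables the notes
mention: the half-open timeout and the maximum number of half-open connections.
Added example, not from the original page; the traffic is constructed and
timestamps are simulated seconds (nothing is sent on the wire)."""
from collections import OrderedDict

class SynBacklog:
    def __init__(self, max_half_open, timeout):
        self.max_half_open = max_half_open
        self.timeout = timeout
        self.table = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived
        self.dropped_syns = 0        # SYNs refused because the table was full
        self.established = 0

    def expire(self, now):
        """Tear down half-open connections older than the timeout."""
        for key, t0 in list(self.table.items()):
            if now - t0 >= self.timeout:
                del self.table[key]

    def on_syn(self, key, now):
        self.expire(now)
        if key in self.table:
            return "dup"
        if len(self.table) >= self.max_half_open:
            self.dropped_syns += 1
            return "dropped"          # a real client experiences this as the DoS
        self.table[key] = now
        return "syn-ack"

    def on_ack(self, key, now):
        self.expire(now)
        if key in self.table:
            del self.table[key]
            self.established += 1
            return "established"
        return "no-such-connection"

def simulate(max_half_open, timeout, flood_size=50, max_wait=600):
    """Attacker sends flood_size spoofed SYNs at t=0 and never completes them;
    a legitimate client then retries once a second until its SYN is accepted."""
    b = SynBacklog(max_half_open, timeout)
    for i in range(flood_size):
        # spoofed sources: the SYN/ACKs go nowhere useful, so these never complete
        b.on_syn(("198.51.100.%d" % (i % 250 + 1), 40000 + i), now=0.0)
    accepted_at = None
    for t in range(1, max_wait + 1):
        key = ("192.0.2.10", 50000 + t)
        if b.on_syn(key, now=float(t)) == "syn-ack":
            b.on_ack(key, now=t + 0.1)
            accepted_at = t
            break
    return {"accepted_at": accepted_at, "dropped": b.dropped_syns,
            "established": b.established}

if __name__ == "__main__":
    print("small table, long timeout :", simulate(32, 60))
    print("small table, short timeout:", simulate(32, 3))
    print("large table               :", simulate(128, 60))
```

A shorter timeout lets the table recover sooner and a bigger table absorbs a bigger burst, but both only raise the bar: an attacker who can keep sending faster than entries expire still wins, which is why SYN cookies (no table at all) are the standard answer.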

Attackers can also hijack a connection through sequence number guessing. If they can predict the sequence number, they can inject packets into (and take over) an existing TCP session. The victim's own packets then become invalid, as the sequence numbers have moved on. How predictable the sequence numbers are depends on the target operating system's ISN generation.

The defense for sequence number prediction is to randomize the ISN.

Another attack is UDP flooding, in which millions of UDP packets are sent to the victim. The victim's bandwidth or CPU cannot cope and the service becomes unavailable. As usual, the defence is to implement IDS/IPS (and rate limiting).

Now we move on to Layer 3 attacks. Layer 3 attacks focus mainly on the routing portion. Routers maintain a routing table to decide the route a packet goes to, and if we can attack that table, we can send packets to wrong destinations.

As RIP is not encrypted, hosts can sniff a router's routing updates as part of reconnaissance. RIPv1 also does not have an authentication mechanism, so hosts can query routers using RIP request packets. RIPv1 is also susceptible to forged routing updates and attackers can modify a network's routing table. This can be used to redirect an existing connection to somewhere else (for hijacking) or would be able to cause DoS due to wrong routing information. If the targeted system is a website, the victim may find themselves at a bogus site.

Defences against RIP attacks are to authenticate RIP packets (RIPv2 supports MD5 authentication), and to block updates about local networks from untrusted interfaces. RIP packets can also be encrypted via an encryption suite such as IPsec.

ICMP's lack of authentication also makes it a candidate for abuse. ICMP messages such as forged redirects, unreachable or TTL-exceeded messages can cause a valid connection to be dropped. Using redirects, attackers can also cause hosts to use a bogus route to intercept or hijack a connection.

Redirects can be used to make unsolicited change to the host's routing tables, and the result is similar to a RIP attack. ICMP can also be used to perform DoS attacks either through the previously mentioned Unreachable and TTL-messages or even through sophisticated attacks like the Smurf attack.

A defence can be to disable processing of Redirects on hosts, disable forwarding of Redirects on routers, and check whether the ICMP messages from a host are consistent with its real traffic (ICMP snooping).

Finally we go into the Layer 2 attacks. The most common Layer 2 attack is ARP spoofing. The problem with ARP is that it is completely unauthenticated: it allows gratuitous ARPs, which are essentially ARP Replies sent without an ARP Request. Any system can create a gratuitous ARP, and any system can spoof a reply to an ARP request.

If a reply was requested, it overwrites an existing entry or adds a new one if none exists. If it was not requested, an ARP Reply can (on many implementations) only be used to modify an existing entry.

By providing a non-existent MAC address in the reply, an attacker can perform a DoS; by providing his own MAC, he can perform a MITM attack. The spoofed reply must be sent continuously to make sure the poisoned entry does not expire and get replaced by the real one.

If Host A requests Host B's MAC with an ARP request, and no malice is involved, Host B replies with its IP and MAC.

However, if Host B is offline (or Host C simply answers faster), and Host C is up to mischief, Host C replies with Host B's IP but Host C's MAC. This causes all packets for Host B to go to Host C as long as the ARP entry doesn't expire.

ARP Spoofing is simple and powerful, but it is limited to a local network. The attacker needs to be in the same LAN segment as the victim to perform this attack.

Defences for ARP can be to resolve through a centralized server, to make switches perform ARP snooping (verification of ARP requests/replies against known IP-to-MAC bindings, as in Dynamic ARP Inspection), or to enter the ARP entries manually (static ARP entries, which spoofed replies cannot overwrite).

Finally we go to the Physical attacks. Physical Attacks are usually tangible attacks such as cutting of a wire.

Defense for physical attacks would be to restrict access to important areas, to implement access schemes (e.g. card or PIN access), to lock up and hide equipment, and to implement surveillance (serves also as deterrence).


We now go into the topic of Networking Protocols.
In the past, computers were standalone. They were not able to connect to a network. All resources belonged to a single computer. Data was transferred around on diskettes. However, this was not really productive.

A "node" refers to any entity that can access a network. A "node" can be referred to as a "device" or a "host". Clients, printers and servers are examples of such.

Back to the previous example: if a printer is connected to one computer, then only that computer can use it. However, if we connect the printer to a network through a hub or switch, we can share the printer among all computers connected to the network. This increases productivity and convenience.

There are many different types of network topology, such as Star, Ring and Bus. The most common topology is the Star topology, where all computers are connected to a physical hub or switch. Unlike the Ring topology, where all nodes connect to each other in a closed ring, one malfunctioning node does not affect the rest of the network. It is also easy to add and remove nodes. However, there is a Single Point of Failure: the hub or switch connecting the rest of the devices.

If the connecting node is down, then availability would be affected. To defend against this, place the switch in a physical lockdown and add redundant switches linked together.

Networks can be classified with respect to size. From the smallest to biggest, they are:
-LAN - Typically in a building, or a level of a building, or a room.
-MAN - Typically a city or town
-WAN - Typically cross country

Note that there is a difference between internet and Internet. An internet (lower case) is simply a group of networks joined together. The Internet, however, is THE global internet: an internetwork of many internets.

An internetwork is a connection of 2 or more distinct (or probably dissimilar) networks. A router is typically used to connect these.

A hub/switch is used to connect nodes to form a network segment (a LAN), while a router is used to join LANs together.

We now look at Layer 4 of the OSI model where TCP and UDP resides. FTP, HTTP and Telnet use TCP, while DNS, TFTP and DHCP use UDP.

TCP is reliable because it is connection oriented. Its reliability is dependent on the handshakes and the need for acknowledgment. Before two hosts can communicate using TCP, they must establish the connection through a Three-Way Handshake like this:
Host 1 - SYN
Host 2 - SYN, ACK
Host 1 - ACK

Each TCP segment header carries two 32-bit numbers: the Sequence Number and the Acknowledgment Number.

If a TCP packet has its SYN bit set, it is trying to establish a connection (or it is trying to synchronize with the remote/destination host).

The acknowledgment number sent back is the received ISN plus one, because the SYN flag itself consumes one sequence number:
ACK(b) = ISN(a)+1

A UDP packet has no such facility as it is connectionless.

Here's how the ISN would look like:
Client - SYN - ISN(c) = 500
Server - SYN, ACK - ISN(s) = 4237, ACK(s) = 501
Client - ACK - ACK(c) = 4238
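The exchange above in bytes, as an added example that is not part of the original notes. The block packs and unpacks the 20-byte TCP header and uses it for the two things these notes discuss: classifying SYN-scan replies (S/A means open, RST means closed, silence means filtered) and walking through the three-way handshake with the ISNs 500 and 4237 used above, checking the ISN+1 rule at each step. Ports and segments are constructed in memory; nothing is sent.

```python
"""TCP header builder/parser (RFC 793 layout, 20 bytes, no options) used for two
things in these notes: interpreting SYN-scan responses (open / closed / filtered)
and walking through the three-way handshake with the ISN values above (500 and
4237). Added example, not from the original page; all segments are constructed
in memory and nothing is sent on the wire (the checksum field is left at 0)."""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HEADER = "!HHIIBBHHH"   # sport, dport, seq, ack, offset, flags, window, checksum, urgent

def build_tcp(sport, dport, seq, ack, flags, window=65535):
    data_offset = 5 << 4     # header length 5 words (20 bytes), no options
    return struct.pack(TCP_HEADER, sport, dport, seq, ack, data_offset, flags, window, 0, 0)

def parse_tcp(segment):
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack(TCP_HEADER, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "header_len": (off >> 4) * 4}

def scan_verdict(response):
    """Classify a SYN-scan probe result. response is the segment that came back,
    or None if nothing came back before the timeout."""
    if response is None:
        return "filtered"
    flags = parse_tcp(response)["flags"]
    if flags & RST:
        return "closed"
    if flags & SYN and flags & ACK:
        return "open"
    return "unexpected"

def three_way_handshake(isn_client, isn_server, client_port=51000, server_port=80):
    """Build the three segments and check the ISN+1 rule at each step."""
    syn = build_tcp(client_port, server_port, isn_client, 0, SYN)
    seen = parse_tcp(syn)
    synack = build_tcp(server_port, client_port, isn_server, seen["seq"] + 1, SYN | ACK)
    seen = parse_tcp(synack)
    if seen["ack"] != isn_client + 1:
        raise ValueError("server did not acknowledge our ISN")
    ack = build_tcp(client_port, server_port, isn_client + 1, seen["seq"] + 1, ACK)
    final = parse_tcp(ack)
    return {"client_isn": isn_client, "server_isn": isn_server,
            "ack_from_server": seen["ack"], "ack_from_client": final["ack"],
            "client_next_seq": final["seq"]}

if __name__ == "__main__":
    print(three_way_handshake(500, 4237))
    print("S/A ->", scan_verdict(build_tcp(80, 51000, 4237, 501, SYN | ACK)))
    print("RST ->", scan_verdict(build_tcp(80, 51000, 0, 501, RST | ACK)))
    print("none ->", scan_verdict(None))
```

The handshake function is also the attacker's view of sequence number prediction: whoever can guess the server's ISN (4237 here) can forge the final ACK, and the data that follows, without ever seeing the SYN,ACK.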

Now let's talk about UDP. UDP is an unreliable service that provides no guarantees for delivery and no protection from duplication. The simplicity reduces overhead and may be adequate for certain services. Examples of services that use UDP are DNS and DHCP.

IP is used to route data between systems and across the network to ensure that data arrives at the correct destination. IP implements, among other features, addressing and fragmentation. IP is an unreliable, connectionless delivery service, so it relies on the higher layer (e.g. TCP) for reliability.

An IPv4 address is a 32-bit number identifying the sender (source) and receiver (destination). Routing is the process of moving the packet from source to destination, usually done by a router. Routing is a key feature of the Internet because it allows the message to traverse networks and eventually reach the target machine.

Routes keep changing so we need to have the latest routing information. The Routing Table is maintained through two main IGPs: RIP and OSPF.

ICMP is one of the core protocols of the TCP/IP suite. It is usually not used directly by end-users (with ping being the exception). ICMP is used for error reporting and control messages. Gateways and hosts use ICMP to inform a sender of certain problems, such as unreachables or, in the event that there is a better route, redirects. ICMP can also be used to test whether a destination is alive and reachable, and for reporting parameter problems in a datagram header.

The functions can be summarized into two things:
-Error Reporting
-Query

Examples of Error Reporting:
-When a packet cannot reach its destination (Destination Unreachable)
-When a gateway does not have the buffering capacity to forward a packet (Source Quench)
-When a gateway can direct a host to send traffic on a shorter route (Redirect)

Examples of Query:
-Ping (Echo Request / Echo Reply)
-Traceroute (sends probes with increasing TTL and reads the TTL Exceeded error messages that come back; Windows tracert uses ICMP echo probes, Unix traceroute uses UDP by default)

The DNS is an essential part of the Internet because it is impossible for humans to remember millions of IP addresses. IP addresses can change, so the DNS provides a dynamic directory of (usually) the latest IP addresses. Certain services also rely on the DNS for resolution, such as Windows Active Directory.

Internet is IP-based, and most operations end up using an IP address. The DNS is used for resolving a domain name into its corresponding IP address. DNS stands for Domain Name System and it is similar to a telephone book.

DNS keeps a list of domain names and their corresponding IP addresses. If a DNS does not know how to translate a domain name, it can perform either a Recursive or Iterative resolution.

In recursive resolution, the client's DNS server first asks a root name server (the root servers have well-known, static IPs), which in turn asks the DNS servers responsible for the domain, and so on until an answer is found. The answer is then passed back down the chain to the initial DNS server, which forwards it to the user. (This is the textbook picture; in practice root and TLD servers do not recurse, so the local resolver does the iterative walk described next on the client's behalf and caches the result.)

In Iterative, the DNS replies with the next possible DNS to ask, which the client continues to query until an answer is found. In this case, the client does all the work.
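Both resolution styles walked over a toy hierarchy, as an added example that is not part of the original notes. The zone data (a root, a .com TLD server and an authoritative server for example.com answering 192.0.2.80) is made up; the code also includes the caching local resolver that real networks use, which is the piece the textbook picture leaves out.

```python
"""Recursive vs iterative resolution walked over a constructed toy DNS hierarchy
(root -> .com TLD -> authoritative server for example.com), plus the caching
local resolver that real networks use. Added example, not from the original
page; the zone data, server names and the 192.0.2.80 answer are made up."""

# Each server either knows the answer or knows who to ask next (a referral).
ZONES = {
    "root":            {"referral": {"com.": "tld-com"}},
    "tld-com":         {"referral": {"example.com.": "ns1.example.com"}},
    "ns1.example.com": {"answer":   {"www.example.com.": "192.0.2.80"}},
}

def query(server, name):
    """One DNS query to one server. Returns ('answer', ip), ('referral', next_server)
    or ('nxdomain', None). Names are fully qualified, with the trailing dot."""
    zone = ZONES[server]
    if name in zone.get("answer", {}):
        return "answer", zone["answer"][name]
    labels = name.split(".")
    for i in range(len(labels)):                 # longest matching suffix wins
        suffix = ".".join(labels[i:])
        if suffix in zone.get("referral", {}):
            return "referral", zone["referral"][suffix]
    return "nxdomain", None

def iterative_resolve(name, start="root"):
    """The client does all the work: it follows each referral itself."""
    trail, server = [], start
    while True:
        kind, value = query(server, name)
        trail.append((server, kind))
        if kind == "answer":
            return value, trail
        if kind == "nxdomain":
            return None, trail
        server = value

def recursive_resolve(name, server="root"):
    """The textbook picture: each server asks the next one on the client's behalf
    and the answer is passed back down the chain."""
    kind, value = query(server, name)
    if kind in ("answer", "nxdomain"):
        return value, [server]
    ip, trail = recursive_resolve(name, value)
    return ip, [server] + trail

class LocalResolver:
    """What a real recursive resolver does: the client sends it one query, it walks
    the hierarchy iteratively (root and TLD servers do not recurse) and caches."""
    def __init__(self):
        self.cache = {}
        self.queries_sent = 0

    def resolve(self, name):
        if name in self.cache:
            return self.cache[name], "cache"
        ip, trail = iterative_resolve(name)
        self.queries_sent += len(trail)
        if ip is not None:
            self.cache[name] = ip
        return ip, "lookup"

if __name__ == "__main__":
    print("iterative:", iterative_resolve("www.example.com."))
    print("recursive:", recursive_resolve("www.example.com."))
    r = LocalResolver()
    print("resolver :", r.resolve("www.example.com."), r.resolve("www.example.com."), r.queries_sent)
```

The cache is also where the security story starts: whoever can plant a wrong answer in the local resolver's cache (cache poisoning) redirects every client behind it until the entry expires.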

The Data Link layer defines the rules for sending and receiving information from one computer to another within a LAN. When we attempt to communicate with another host in the LAN, it must first know its MAC address. This is where ARP comes in.

IP is used for end-to-end communication, while MAC (a Layer 2 addressing) is used to communicate from point-to-point (i.e. Within the same LAN).

Each NIC has a burned-in MAC address known as the physical address. ARP works by sending an ARP Request and getting back an ARP Reply. Every host in the network receives the request (it is a broadcast), but only the host that owns the requested IP sends the reply, as a unicast to the requester.

If Host A (IP A, MAC A) wishes to communicate with Host B (IP B, MAC B), it must first send out an ARP request (assuming its ARP table is empty).

Host A sends out a broadcast request like this:
Sender MAC (SMAC) - A
Destination MAC (DMAC) - FF-FF-FF-FF-FF-FF
Sender Hardware Address (SHA) - A
Sender Protocol Address (SPA) - IP of A
Target Hardware Address (THA) - 00-00-00-00-00-00
Target Protocol Address (TPA) - IP of B

The reply then comes back as a unicast like this:
Sender MAC (SMAC) - B
Destination MAC (DMAC) - A
Sender Hardware Address (SHA) - B
Sender Protocol Address (SPA) - IP of B
Target Hardware Address (THA) - A
Target Protocol Address (TPA) - IP of A
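The request and reply above in bytes, together with the Host A / Host B / Host C spoofing scenario from the Layer 2 attacks section earlier, as an added example that is not part of the original notes. The block packs and parses Ethernet+ARP frames, models an ARP cache that applies the update rules stated earlier (a solicited reply adds or overwrites, an unsolicited reply only changes an existing entry), and then shows a static entry defeating the spoofed reply. The MAC and IP addresses are constructed and no frames are sent on a real network.

```python
"""Ethernet/ARP frame builder and parser, plus an ARP cache that applies the
update rules from the notes (a solicited reply adds or overwrites an entry, an
unsolicited reply only changes an entry that already exists), run through the
Host A / Host B / Host C scenario and then with a static entry as the defence.
Added example, not from the original page; the MAC and IP addresses are
constructed and no frames are sent on a real network."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")
ZERO_MAC = bytes(6)

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(op, sha, spa, tha, tpa, dst_mac):
    """14-byte Ethernet header followed by the 28-byte ARP body (IPv4 over Ethernet)."""
    eth = struct.pack("!6s6sH", dst_mac, sha, ETH_P_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + body

def parse_arp(frame):
    dmac, smac, ethertype = struct.unpack("!6s6sH", frame[:14])
    (htype, ptype, hlen, plen, op,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != ETH_P_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    return {"dmac": dmac, "smac": smac, "op": op, "sha": sha,
            "spa": socket.inet_ntoa(spa), "tha": tha, "tpa": socket.inet_ntoa(tpa)}

class ArpCache:
    def __init__(self, my_ip, my_mac):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.table = {}        # ip -> mac
        self.pending = set()   # IPs we have sent a request for and are awaiting
        self.static = set()    # IPs whose entries were entered manually

    def request(self, target_ip):
        self.pending.add(target_ip)
        return build_arp(ARP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, target_ip, BROADCAST)

    def set_static(self, ip, mac_addr):
        self.table[ip] = mac_addr
        self.static.add(ip)

    def receive(self, frame):
        p = parse_arp(frame)
        if p["op"] != ARP_REPLY:
            return "ignored-not-a-reply"
        if p["spa"] in self.static:
            return "ignored-static"
        if p["spa"] in self.pending:             # solicited: add or overwrite
            self.pending.discard(p["spa"])
            self.table[p["spa"]] = p["sha"]
            return "learned"
        if p["spa"] in self.table:               # unsolicited: only an existing entry
            self.table[p["spa"]] = p["sha"]
            return "updated-unsolicited"
        return "ignored-unsolicited"

A_MAC, B_MAC, C_MAC = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:0c")
A_IP, B_IP = "192.0.2.1", "192.0.2.2"

def scenario(static_defence=False):
    """Host A asks for B; B answers honestly; C then sends a gratuitous reply
    claiming B's IP. Returns the three verdicts and whether A now sends B's
    traffic to C."""
    a = ArpCache(A_IP, A_MAC)
    if static_defence:
        a.set_static(B_IP, B_MAC)
    a.request(B_IP)
    honest = build_arp(ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP, A_MAC)     # unicast to A
    spoof = build_arp(ARP_REPLY, C_MAC, B_IP, A_MAC, A_IP, A_MAC)      # C claims B's IP
    stray = build_arp(ARP_REPLY, C_MAC, "192.0.2.99", A_MAC, A_IP, A_MAC)
    results = [a.receive(honest), a.receive(spoof), a.receive(stray)]
    return results, a.table[B_IP] == C_MAC

if __name__ == "__main__":
    print("no defence    :", scenario())
    print("static entry  :", scenario(static_defence=True))
```

Real stacks differ in how strictly they handle unsolicited replies (some accept them freely, which makes poisoning even easier), so the "only an existing entry" rule here is the favourable case; Dynamic ARP Inspection on the switch is the defence that does not depend on host behaviour.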

The physical layer is concerned with the transfer of information between devices in terms of bits, voltages, etc. A Hub is an example of a Layer 1 device, while a Switch is an example of a Layer 2 device. Router, of course, is a Layer 3 device. The layer here actually refers to the operation in that layer AND BELOW.


Most companies have networks, and they connect their LANs to the WAN. These networks hold critical information about their businesses and provides the main means of transport for bulk and sensitive information.
Network security focuses to protect the company's assets. This can be either to gain competitive advantage or to retain customer confidence. A downtime in the network would result in negative publicity, loss of revenue and loss of productivity.

As mentioned, companies have to protect their assets. These assets range from trade secrets like scientific/chemical formulae, proprietary designs to financial information.

Companies place critical information in their networks even when they know hackers can steal this information because the benefits of networking outweighs the possible loss - It increases productivity and revenue among other things simply because it is convenient.

Network Security focuses on protecting three things: Confidentiality, Integrity and Availability (the CIA triad).

Confidentiality ensures that information cannot be read or copied (if a person is ABLE to, but doesn't, it still is a confidentiality problem) by unauthorized parties. Confidentiality includes protecting data on a server or when it is travelling across the network. This data can be payrolls, passwords, or customer information.

Consequences of breach of confidentiality include loss of trade secrets and other data to competitors. May cause financial damage or embarrassment.

Integrity ensures that information cannot be modified by unauthorized people. Loss of integrity can be intentional or unintentional, and may even be due to human error. Improperly modified and inaccurate information can become useless or dangerous. Examples of breaches of Integrity are the modification of your salary in the HR database, and hacking a web site to add extra information.

Loss of integrity will result in customers or partners getting the wrong information, or may even lead to an availability problem (program cannot be run).

Availability focuses on preventing resources from becoming inaccessible. This applies not only to information, but also networking devices (such as routers). An attack against availability is called a "Denial of Service" attack.

Attacks against availability would cause loss of productivity, loss of customers and customer confidence.

From the seminar, we have the following scenario:
Lambda is a company that specializes in providing online financial services to its several thousand clients all over the world. It has more than 100 employees and has its own LAN with connections to the WAN. As a high-tech company, all its records, including customer information, economic data, its employee records are in electronic form and stored in several servers in its LAN.

First of all, they would need Confidentiality because only authorized people should have access to confidential data in the servers. They would also need Integrity because the records should not be modified without permission. Finally, availability is required to ensure the financial services among other things are accessible.

Attacks can come from outside the network (External Attack) or inside (Internal Attack). Internal attacks are more dangerous because the attacker has privileged information and usually more clearance than an external attacker would have.

Security problems can be further classified into Threats, Attacks and Vulnerabilities.

Threats are activities or people that have the potential to cause harm to the system, whether intentionally or not. A threat can be a nearby volcano, a virus, or a disgruntled employee.

A vulnerability is an inherent weakness in design, configuration or implementation of a system that makes it susceptible to threats. Locating an office near a volcano is a vulnerability (the volcano is the threat). A vulnerability can also be a software bug or a misconfigured firewall.

An attack is a vulnerability being exploited by a threat. There are two types of attacks: Passive and Active.

Passive attacks are usually used to collect information without anyone knowing it. It is very silent and difficult to detect and prevent. It is usually done in reconnaissance to be used for an active attack later.

Active attacks are the realization of the threats and involves active work done by the attacker. This involves changing transmitted or stored data, deleting corrupting or delaying transmissions. An active attack is much more destructive, but easier to detect. At least one goal is harmed in an active attack.

Direct lifting from the seminar: A security policy is a document that states in writing how a company plans to protect the company's physical and information technology. It is a "living" document, meaning that the document is never finished, but is continuously updated as technology and employee requirements change. An AUP is an example of a security policy which describes allowed vs disallowed behaviors.

There are two kinds of security policy:
Default-Allow - e.g. Everyone is permitted except Tom
This can be a Wiki site where everyone is permitted to visit and read except those banned.

Default-Deny - e.g. Only Tom is allowed
This can be an email account, where only a person is permitted to enter.

Examples of security policies are:
-No internet access for anyone except those authorized
-No installation of software on work computers without approval
-No downloading of software applications of any kind (including freeware)

Policies are useless if involved parties do not know and understand them, so it's important to publicize existing policies, changes, modifications and security alerts to the organization staff.

Return on Investment is the consideration of how much is spent on protecting an asset versus the value of the asset itself. It is not advisable to spend $10000 on a security suite to protect $500 worth of data. A general rule is to spend less than the value of the data being protected.

There are three types of backups:
1) Full backup - Back up the whole system
2) Incremental backup - Perform a full backup first, then back up only what has changed since the last backup
3) Differential backup - Back up what has changed since the last FULL backup.

Security is a battle between convenience and security. Too much security means inconvenience, and too little security opens doors for attacks. A balance needs to be found.

There are three types of hackers:
1) Black hat - A hacker who breaks into networks with malicious intent (e.g. personal gain, money, fame).
2) White hat - A computer security analyst who specializes in penetration testing and other testing methodologies to ensure a company's security. Also known as "Ethical Hackers". Many white hats are former black hats.
3) Grey hat - A white hat hacker who sometimes acts illegally and sometimes in good faith. They do not hack for personal gain, but may commit crimes during the course of their contract.

Motivations to hack a network include:
1) Sheer pleasure, to overcome boredom
2) To command respect and admiration of fellow hackers
3) To kill off business competitors
4) To take revenge (as in the case of a disgruntled employee)

Script kiddies are people who download programs to perform their hacking. They do not need much knowledge to execute attacks and generally do not have the capability to write such malicious programs themselves.

The Morris Worm is considered the first computer worm on the Internet. It spread in November 1988, taking advantage of a vulnerability in UNIX. The program was written to gauge the size of the Internet and did not do anything malicious.

The I Love You virus, on the other hand, sent mails with the subject "I Love You" and a corresponding .vbs attachment. The virus spread across the world over a 5 hour period. This one was malicious: it clogged web servers, overwrote personal files, and caused IT managers to shut down e-mail systems.


(Note that this is not an official Basic Draft article. It does not meet Basic Draft standards and will not be listed. If you've arrived through a search engine, please use the search function (top-left) to find a more suitable article).
Redundant network topologies are used to eliminate Single Points of Failure. In case of failure, a network is able to switch to a redundant link, making it more resilient and reliable.

Redundant links, however, lead to serious problems such as broadcast storms. A broadcast storm occurs when a broadcast frame loops around redundant links. Since by definition a switch forwards a broadcast frame out of all links except the one it received it on, a broadcast frame received on one link is forwarded back out through the other, and it comes back again.

A broadcast storm is a result of a bridging loop.

Unlike IP packets, frames have no TTL, so a looping frame continues to travel around indefinitely. As more broadcast frames are transmitted, more continue to loop and performance keeps decreasing.

A bridging loop may also cause multiple frame transmissions. In this case, if a switch's CAM table is empty, the first frame is forwarded out of all ports except the one it came in on. The second switch does the same, since its CAM table is also empty. This problem concerns unknown unicasts in bridging loops.

Another problem is the MAC address database instability. In case of multiple frame transmissions, as the second switch received the frame from the wrong port, it would record the source MAC at the wrong port as well. If the switches are connected by a hub, then it would receive the frame on two interfaces at the same time (one correct, and one due to the broadcast).

In large enterprises, redundancy is required, so switches are connected in switch blocks. In this case, a method of maintaining this redundancy, preferably automatic, is desired.

Spanning Tree is designed with the primary goal of maintaining a redundant - yet loop free - topology. It does this by placing redundant links in "blocking" state. Blocked ports can be changed to forwarding when required (e.g. The primary link goes down).

The first step of spanning tree is to elect a root bridge. Each bridge (from now on, switches will be referred to as bridges) possesses a bridge ID. This bridge ID is formed by appending the bridge's MAC address to a priority. The default priority for all bridges is 32768, so by default the bridge with the lowest MAC address becomes the root bridge. This may not be desirable, as a lower MAC address is typically assigned to an older bridge.

After the root bridge is elected, all bridges calculate the best path back to it. Path cost is a value assigned to each link based on its media speed. The cost is a cumulative value carried in the BPDUs received during the Listening stage. BPDUs also contain the BID and sending port of the originating bridge, which is essential for the root bridge election.

This is the breakdown of the BPDU:
Root BID - Who does the originator think is the root bridge?
Root Path Cost - How far is it away from the root bridge?
Sender BID - What is the originator's BID?
Port ID - What port is the originator sending the BPDU out of?

The lowest cost path is the accumulated cost of all links on a given path. Redundant links not part of the lowest cost paths are blocked (the bridge with the worse path back to the root bridge has the blocking port, or in other words becomes non-designated). In the end we have a "tree", similar to an SPF tree, with the root bridge as the root.

Here's a general guideline:
-One root bridge per network (or per VLAN in PVST+)
-One root port per non-root bridge
-One designated port per segment

Some tips are:
-All connected ports on the root bridge are designated
-Every non-root bridge has one root port, the port closest to the root bridge
-On a blocking link, the bridge nearer to the root bridge is designated, while the bridge further away from the root bridge is non-designated.
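Here is a small Python simulation (added here, not part of the original post) of the election and port-role rules above on a three-switch triangle. It assumes the IEEE 802.1D-1998 path costs (100 Mbps = 19, 1 Gbps = 4), which the post does not list, and uses made-up MAC addresses; the second scenario lowers SW1's priority to show why you pick the root deliberately instead of letting the lowest (usually oldest) MAC win.

```python
"""Root bridge election and STP port roles on a small topology.
Added example, not from the original post."""
import heapq

# IEEE 802.1D-1998 path costs by link speed in Mbps (assumed; the post does not list them)
PATH_COST = {10: 100, 100: 19, 1000: 4}

def bridge_id(priority, mac):
    """A BID is the priority followed by the MAC; the tuple compares the same way."""
    return (priority, int(mac.replace(":", ""), 16))

def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Lowest BID wins, so with equal priorities
    the lowest MAC (often the oldest box) becomes root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))

def root_path_costs(bridges, links, root):
    """Cumulative cost from the root to every bridge (what each bridge puts in its BPDUs).
    links: (bridge_a, port_a, bridge_b, port_b, speed_mbps)."""
    adj = {name: [] for name in bridges}
    for a, _, b, _, speed in links:
        adj[a].append((b, PATH_COST[speed]))
        adj[b].append((a, PATH_COST[speed]))
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for m, w in adj[n]:
            if c + w < cost.get(m, float("inf")):
                cost[m] = c + w
                heapq.heappush(heap, (c + w, m))
    return cost

def port_roles(bridges, links):
    """Return (root, {(bridge, port): 'root' | 'designated' | 'blocking'})."""
    root = elect_root(bridges)
    cost = root_path_costs(bridges, links, root)
    bid = {name: bridge_id(*bridges[name]) for name in bridges}
    roles, best = {}, {}
    # Root port: per non-root bridge, the port giving the lowest
    # (root path cost via neighbour, neighbour BID, neighbour port ID).
    for a, pa, b, pb, speed in links:
        w = PATH_COST[speed]
        for me, my_port, nb, nb_port in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            cand = (cost[nb] + w, bid[nb], nb_port, my_port)
            if me not in best or cand < best[me]:
                best[me] = cand
    for me, cand in best.items():
        roles[(me, cand[3])] = "root"
    # Designated port: on each segment, the end with the lower (root path cost, BID).
    # The other end, unless it is that bridge's root port, is non-designated (blocking).
    for a, pa, b, pb, _ in links:
        designated = a if (cost[a], bid[a]) < (cost[b], bid[b]) else b
        for me, my_port in ((a, pa), (b, pb)):
            if (me, my_port) not in roles:
                roles[(me, my_port)] = "designated" if me == designated else "blocking"
    return root, roles

# Constructed triangle: two gigabit links and one Fast Ethernet link
BRIDGES = {"SW1": (32768, "00:00:00:00:00:03"),
           "SW2": (32768, "00:00:00:00:00:01"),
           "SW3": (32768, "00:00:00:00:00:02")}
LINKS = [("SW1", "g0/1", "SW2", "g0/1", 1000),
         ("SW2", "g0/2", "SW3", "g0/1", 1000),
         ("SW1", "f0/1", "SW3", "f0/1", 100)]

if __name__ == "__main__":
    for label, bridges in (("default priorities", BRIDGES),
                           ("SW1 priority 4096", {**BRIDGES, "SW1": (4096, "00:00:00:00:00:03")})):
        root, roles = port_roles(bridges, LINKS)
        print(label, "-> root:", root)
        for (bridge, port), role in sorted(roles.items()):
            print("  ", bridge, port, role)
```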

These are the states a bridge port transitions through when the bridge boots up:
Blocking - All ports are blocking at first. When a switch first boots up, it thinks it is the root bridge and attempts to move all ports to designated. However, the ports must still go through the stages.

Listening (15 seconds) - The switch sends and receives BPDUs. This is the time where it finds out whether it is really the root or not. The information used here will be used to elect the root bridge, calculate the lowest cost paths, and so on. If the port is non-designated, it is put back to blocking state.

Learning (15 seconds) - If a port is designated, it begins to learn MAC addresses and populate the MAC address table.

Forwarding - The port is ready and forwarding.

If a link goes down, the port stays at forwarding for another 20 seconds. This 20 seconds is known as the "max age" timer, which is a hold-down mechanism. This is the longest time a switch port can stay designated without a BPDU. Once this timer passes, the switch believes that there is a topology change and there will be a recalculation of the STP tree.

A new link will take 30 seconds to establish.

A dropped link will take 50 seconds to recover.

A converged STP topology is a topology where all ports are either blocking or forwarding.


A trunk is a physical link that assumes the role of multiple logical links. In a VLAN switching environment, a trunk is a single point-to-point link that carries multiple VLANs. The purpose of a trunk is to save ports between switches implementing VLANs.

Tagging protocols, such as 802.1Q and ISL, form an agreement to transmit different VLANs across a trunk link according to the available VLAN ports on both ends. A trunk link does not belong to a specific VLAN, though the native VLAN of a trunk determines where untagged traffic belong.

ISL is Cisco proprietary. 802.1Q is an IEEE standard that tags each frame with a VLAN ID as it crosses the trunk link. The tag is removed on the receiving end and forwarded accordingly.

End-user stations never see tags, because the tag is removed before frames are forwarded out of access ports.

Trunk configuration must be done on both sides. The first step is to change it to a trunking mode. We would then have to choose a trunk encapsulation.
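To make the tag handling concrete, here is an added Python example (mine, not from the post) that parses a constructed 802.1Q frame arriving on a trunk, puts untagged frames in the trunk's native VLAN, strips the tag before an access port and re-tags for the next trunk. The MACs, VLAN numbers and payload are made up.

```python
"""802.1Q tag handling on a trunk: parse the tag, place untagged frames in the
native VLAN, strip for access-port egress, re-tag for trunk egress.
Added example, not from the original post."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def parse_trunk_frame(frame, native_vlan):
    """Classify a frame received on a trunk port. Returns the VLAN it belongs to
    plus the fields needed to rebuild it."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        # No tag: the trunk's native VLAN decides where the frame belongs
        return {"dst": dst, "src": src, "vlan": native_vlan, "pcp": 0,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if vid == 0x0FFF:
        raise ValueError("VID 4095 is reserved")
    if vid == 0:
        vid = native_vlan            # priority-tagged frame carries no VLAN
    return {"dst": dst, "src": src, "vlan": vid, "pcp": tci >> 13,
            "ethertype": inner_type, "payload": frame[18:]}

def build_tagged(dst, src, vid, ethertype, payload, pcp=0):
    """Insert an 802.1Q tag between the source MAC and the original EtherType."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def egress_access(parsed):
    """Access ports deliver untagged frames; the end station never sees the tag."""
    return (parsed["dst"] + parsed["src"]
            + struct.pack("!H", parsed["ethertype"]) + parsed["payload"])

def egress_trunk(parsed, allowed_vlans, native_vlan):
    """Trunk egress: drop VLANs not allowed on the trunk, send the native VLAN
    untagged, tag everything else."""
    if parsed["vlan"] not in allowed_vlans:
        return None
    if parsed["vlan"] == native_vlan:
        return egress_access(parsed)
    return build_tagged(parsed["dst"], parsed["src"], parsed["vlan"],
                        parsed["ethertype"], parsed["payload"], parsed["pcp"])

# Constructed sample frames (not real captures)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = bytes([0x45]) + bytes(19)        # stand-in for an IPv4 header
UNTAGGED = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD
TAGGED_V20 = build_tagged(DST, SRC, 20, ETHERTYPE_IPV4, PAYLOAD, pcp=5)

if __name__ == "__main__":
    for frame in (TAGGED_V20, UNTAGGED):
        parsed = parse_trunk_frame(frame, native_vlan=1)
        print("VLAN", parsed["vlan"], "pcp", parsed["pcp"],
              "-> access:", egress_access(parsed).hex())
```

Note that the same untagged frame lands in a different VLAN if the two ends of a trunk disagree on the native VLAN, which is why native VLAN settings must match on both sides.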

VTP is a Cisco proprietary protocol that is used to solve potential operational problems (due to human errors or otherwise). It ensures consistency of VLAN information across all switches and simplifies the complexity of managing and monitoring VLAN networks. (In other words, simplifies administration).

VTP is a messaging protocol (?) that makes use of trunk links for propagating addition, deletion and renaming of VLANs. VTP centralizes the administration of the VLAN. VTP messages are encapsulated in ISL or Dot1Q messages before it crosses the trunk link.

According to the seminar, VTP allows trunking of VLANs over mixed media (such as through FDDI). (But I believe this is not a VTP function, but rather a standard). VTP tracks, monitors and reports VLAN changes across the network. We would also have plug-and-play configuration when adding new VLANs, or adding new switches.

All switches must belong to the same VTP domain before they will exchange VTP information. A domain is made up of one or more interconnected switches that share the same domain name. Each switch can only be configured to be in one VTP domain. The domain name is stored in the VTP message as it is sent out of the trunk.

VTP operates in these three modes:

VTP servers can create, modify and delete VLANs. They are allowed to save the VLAN information. VTP servers are also able to propagate updates sent by other servers.

VTP clients cannot create, modify or delete VLAN information. VTP clients are not allowed to save VLAN information if they've made any changes (because they are not allowed to modify). VTP clients can receive, process and propagate incoming VTP messages.

VTP transparent switches do not synchronize their VLAN table with other switches. They only forward VTP information out of other trunk ports; they do not process it. A transparent switch maintains its own VLAN table and does not send out updates about it.

VTP advertisements are sent out via a multicast address so that all VTP capable switches receive it.

For some reason, the seminar notes go back to Inter-VLAN routing. So here goes:
Inter-VLAN routing traditionally requires one physical link per VLAN, so a switch with 4 VLANs would need 4 physical links, which is wasteful. Network designers began using trunking protocols such as ISL and Dot1Q to interconnect switches and routers. A subinterface is created on the link for each VLAN required, and each subinterface is configured with an IP address and the VLAN it represents.


A VLAN is a LAN that may span multiple physical segments. This means that it is not restricted to a single switch.

VLANs are used to segment a network by function, team or application without worrying about the physical location of the devices.

Configuration and reconfiguration of switches are done through software and physical intervention (such as moving a cable from switch to switch) is not necessary.

If you have three departments of 4 computers each and a 16-port switch, you can simply segment the switch into 3 VLANs instead of allocating three switches. Routing between the VLANs can be done as normal through a router (i.e. three different router interfaces, each in a different VLAN) or through a trunk link (discussed later).

A VLAN is like a LAN, in that it is a separate broadcast domain itself. Each VLAN also corresponds to a subnet (or network).

Using a router can actually allow you to implement security features such as ACLs on the interfaces (or subinterfaces). In the seminar, up to 255 VLANs can be supported on each switch. Some switches in real-life, however, can use up to 4096 non-extended VLANs.

Every switch port would be in the default VLAN of 1 when it is first taken out. According to the seminar, the management VLAN must be 1 and an IP address must be configured on VLAN 1. However, this is not true. Besides, it is best practice to use another VLAN as the management VLAN. Also, the default VLAN (1) may not be deleted or renamed. According to the seminar, VTP messages are sent on VLAN 1 (covered later).

The switch maintains a separate bridging table for each port. Learning, forwarding and filtering is done only against the table allocated to the VLAN.

Each port can be assigned to a different VLAN, and ports assigned the same VLAN share a broadcast domain. VLANs can be statically assigned to a port or assigned based on the MAC address of the connected device (this can be done through AAA or VMPS).

Static VLAN assignments will cause any device connected to the port to belong to that configured VLAN. Static VLANs are easily Administered via GUIs. Security is easily enforced and VLAN traffic leakage is uncommon. It is also easily controlled across the entire network. This is used when switch ports cannot be switched by users, a good software can be used to manage the ports, and when the overhead of administration of Dynamic VLAN outweighs the benefits.

Dynamic VLAN by MAC addresses adds flexibility at the expense of administrative overhead, performance and scalability.

Another type of VLANs not discussed is the Protocol Based VLAN. According to the seminar, it is the same as Dynamic VLAN except that it works based on IP and it is not common anymore due to DHCP. (I am not convinced.)

Advantages of VLANs:
-Less expensive than routers for broadcast segmentation
-Allows nodes to move logically rather than physically
-Improves security
-Able to segment a switch into multiple switches

Limitations of VLANs:
-May require extensive planning and design
-VLANs are proprietary, single vendor solutions (What? For VLANs to cross, one simply requires the switches to support 802.1Q. It's only the extra features that are proprietary. Where did they get this text from?)

When a VLAN is deleted, ports associated with that VLAN become inactive. A port remains associated with the deleted VLAN until it is assigned to a new VLAN.


In the past, all LANs were shared. There was the bus topology, which behaves like a hub. In this case, every unicast packet is sent out to all connected interfaces (except the one it came from), as if it were a broadcast. (Of course, that's where the MAC address comes in, to determine who it is for.)

In a hub, there is only one collision domain. That is, communication is half-duplex and only one device may transmit at a time. If two devices begin transmitting at the same time, there is a collision. That is why we need CSMA/CD to detect and resolve collisions. If two hosts attempt to communicate at the same time, each host gets only 50% of the bandwidth on average.

When a collision is detected, a jam signal is generated, and both parties wait for a random amount of time before retransmission.

In a full-duplex environment, both hosts can communicate at 100% of the link's bandwidth. That is, in Fast Ethernet full-duplex, a host can send and receive at 100 Mbps each way, giving 200 Mbps gross throughput. There can be no collisions in a full-duplex environment.

Latency is the time it takes for a packet to travel from source to destination. Sometimes, Latency may be the SRTT (Source Round-Trip Time) which is the time taken from source to destination and back.

Segmentation of the collision domain can be performed through switches (or traditionally, bridges). Bridges connect to hubs which in turn connect to devices. Each port of the bridge (or switch) is a collision domain. As the number of users decrease in each collision domain, so will the collisions.

Switches work like bridges, in which they maintain a list of Layer 2 addresses called the CAM table. The CAM table is then used to determine whether a frame should be forwarded out of a particular port. Bridges are software based, however, so they increase the latency when sending across different segments.

The segmentation of collision domains by either bridge or switch (but only the switch was mentioned) is known as microsegmentation. In microsegmentation, the switch is seen to create point-to-point segments between two communicating hosts. In a switch, all stations are given dedicated bandwidth, and there is almost no collision.

Ethernet switch latency is the time it takes for a frame to enter and exit a switch. This is said to be negligible as switches switch at "wire speed", but as traffic increases the switch may need to buffer some frames, which adds latency. Latency also comes from the switch deciding which port to forward a frame out of.

Now, even though switches segment collision domains, they do not segment broadcast domains. That is to say, a broadcast will still reach everyone connected to the switch. A normal switch accounts for one LAN, so we would need to use Routers to separate hosts into multiple LANs. This is the segmentation of Broadcast Domains through the use of Routers.

As we recall, there are three modes of IPv4 communication:
Unicast - One to One communication
Broadcast - One to All communication (the destination MAC address is all ones)
Multicast - One to Group communication

Frame forwarding refers to a frame being forwarded out of a particular port. Frame filtering refers to a frame being prevented from exiting a particular port. Switches and bridges perform both.

From this point onwards, switches and bridges will be used interchangeably unless specified.

Switches perform frame forwarding and filtering only if they know enough to do so. This information, most importantly the MAC addresses associated with the ports, is stored in the CAM (Content Addressable Memory) table. The CAM table is actually the MAC address table stored in the CAM. Switches can perform filtering based on any Layer 2 field.

Initially all MAC address tables are empty. The switches need to learn MAC addresses through the Source MAC address of each Frame. Frames are Forwarded out of all ports (except the one it came in from) if the Frame is a Broadcast, Multicast or an Unknown Unicast.

A switch would only Forward a Frame if it determines that the destination belongs to a different interface from which it came from. If the destination MAC belongs to the port it came in from, the Frame is said to be Filtered.

Let's look at an example CAM Table:
MAC - Port
A - 1
B - 3
C - 4

Assume that A sends a frame to B. The switch does not need to learn A because it already knows it. Since it knows the destination, the frame is forwarded out of port 3.

If A sends a packet to D, the switch would check its CAM table and realize that it doesn't know the destination. The Frame is forwarded out of all ports except the one it came in from.

When D replies, it learns D's MAC address from the interface the reply came in from. Since the destination of the reply is A and it is known, it is forwarded only out of port 1.

The end result would look like this:
MAC - Port
A - 1
B - 3
C - 4
D - 2
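The walkthrough above as an added Python example (not part of the original post): a switch with one CAM table per VLAN that learns, forwards, floods and filters, plus a record of MAC addresses that move between ports, which is the database-instability symptom from the STP notes and a useful thing to alert on. Port numbers, MACs and VLAN numbers are constructed.

```python
"""A switch's per-VLAN CAM table: learn source MACs, forward known unicasts, flood
broadcast/multicast/unknown unicast, filter frames destined for the ingress port.
Added example, not from the original post."""

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_multicast(mac):
    """The group bit is the least significant bit of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1

class Switch:
    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port -> access VLAN of that port
        self.cam = {}                        # vlan -> {mac: port}; one table per VLAN
        self.moves = []                      # (vlan, mac, old_port, new_port) on a port change

    def receive(self, in_port, src, dst):
        """Process one frame; return the sorted list of egress ports ([] = filtered)."""
        vlan = self.port_vlans[in_port]
        table = self.cam.setdefault(vlan, {})
        old = table.get(src)
        if old is not None and old != in_port:
            # A MAC that moves between ports is the "database instability" symptom from
            # the STP notes; a frequent mover is worth an alert (loop or spoofed source).
            self.moves.append((vlan, src, old, in_port))
        table[src] = in_port                 # learning: source MAC -> ingress port
        others = sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)
        if dst == BROADCAST or is_multicast(dst) or dst not in table:
            return others                    # flood, but only inside this VLAN
        out = table[dst]
        return [] if out == in_port else [out]   # filter if destination is behind the ingress port

# Constructed MACs; ports 1-4 are in VLAN 10, port 5 in VLAN 20
A, B, C, D, E = ("00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c",
                 "00:00:00:00:00:0d", "00:00:00:00:00:0e")

def walkthrough():
    """The A/B/C/D sequence from the post, plus a hub on port 1 and a second VLAN."""
    sw = Switch({1: 10, 2: 10, 3: 10, 4: 10, 5: 20})
    sw.cam[10] = {A: 1, B: 3, C: 4}          # the starting CAM table from the post
    steps = {}
    steps["A->B"] = sw.receive(1, A, B)      # known destination: port 3 only
    steps["A->D"] = sw.receive(1, A, D)      # unknown unicast: flood ports 2, 3, 4
    steps["D->A"] = sw.receive(2, D, A)      # D learned on port 2; reply goes to port 1 only
    steps["D->bcast"] = sw.receive(2, D, BROADCAST)
    steps["E->A"] = sw.receive(1, E, A)      # E shares a hub with A on port 1: filtered
    steps["vlan20->A"] = sw.receive(5, "00:00:00:00:00:ff", A)  # VLAN 20 table is separate
    return sw, steps

if __name__ == "__main__":
    sw, steps = walkthrough()
    for name, ports in steps.items():
        print(f"{name:12} -> {ports}")
    print("CAM:", sw.cam)
```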

Switches can perform symmetric switching (switching between interfaces of the same speed) or asymmetric switching (switching between interfaces of different speeds). A real-life example of symmetric switching is through the use of the Gigabit link to connect to an uplink switch while all other computers are connected to Fast Ethernet ports. Asymmetric requires memory buffering.

Memory buffering can be port-based. Port-based buffering is done for the INCOMING port. Each incoming frame is queued. If the queuing mechanism is FIFO, it is possible for a single frame to cause blocking when the destination port is busy.

Another type of buffering is the shared buffering where all frames use a common memory buffer. Frames in the buffer are linked to the appropriate destination port. This helps balancing between ports of different speeds (In what way? Not explained?).

There are also two ways of forwarding frames. A cut-through switch forwards a frame immediately after reading the destination MAC. This results in lower latency, but there is no error checking.

The other way is the Store-and-Forward method, which requires a switch to fully receive a frame before it is processed. This allows proper processing of the frame, such as for CRC checks. The frame is fully copied onboard, checked for CRC errors, the output interface (or interfaces) determined, then forwarded. This is the most reliable method, but it has the highest latency.

Another type of switch is the Fragment Free switching which checks for the Source Address as well as the Length. It filters most errors and checks for collision. (This is the only thing explained about this method).

When we are determining bandwidth in shared environments, remember to count the switch as a device (i.e. If there are 10 computers, divide the bandwidth by 11).


Load balancing is the act of balancing a stream of packets for a network over different paths. The paths can be derived statically or using a dynamic protocol.

Here's the decision in pseudocode (two routes to the same network are load balanced only when every test passes):
if (sameNetwork())
    if (sameAD())
        if (sameMetric())
            loadBalance()

Load balancing can be done per-packet or per-host (per-destination). Per-packet splits the stream of packets towards the same host over different paths. Per-host sends each stream of packets going to a different host over a different path.

Routing loop problems such as Count To Infinity occur when neighbors are not immediately updated when a route goes down. The neighbors may then re-advertise the downed route back to the originator, resulting in the originator believing that there exists an alternate route through the neighbor. The neighbor still thinks that the route exists through the original router, therefore resulting in a loop. The original router then re-advertises back to the neighbor at a higher metric. The higher metric path replaces the previous one. The neighbor then re-advertises back to the originator, and it replaces the path. This causes the hop count to count up.

The crude solution to fixing Count to Infinity is the restriction of the hop-count to a maximum of 15. That way, if there really is a loop, it would only count to 15 and be dropped.

According to the seminar, these are the three conditions that may result in a routing loop:
-Alternate Routes
-Slow Convergence
-Inconsistent Routing Tables

Another way to solve Count to Infinity is to prevent updates about a network from being sent out of the interface on which that network was learned. This is known as split horizon: if you learned about Network A from F0/0, you will not send information about Network A out of F0/0.

Split horizon would reduce incorrect information as well as bandwidth overhead.

Route Poisoning is the poisoning of routes by setting an originated route's Hop Count to 16 if the connected interface goes down. (This is done by the router originating the network).

Poison Reverse is another form of Split Horizon, but it does not reduce bandwidth overhead. This mechanism simply causes information going back to the originator to be marked with the hop count of 16. (e.g. If you learn of Network A through F0/0, then you would advertise Network A as Hop 16 out of F0/0).

Triggered update, as used in LS, can also be used in DV. This causes any information to be sent immediately after a topology change. These triggered updates are sent with poisoning (i.e. They are sent with a hop-count of 16) to cause the routes to be dropped immediately without waiting for the hold-down timer to expire.

Hold-down timers can also be a loop-prevention mechanism. The hold-down timer is always started and reset whenever an update is received. While the timer is counting down, an update from another neighbor with a poorer metric is ignored. An update from another neighbor with a better metric is installed in the routing table and the hold-down timer is reset.

RIP uses the following mechanisms to reduce or avoid Count to Infinity:
-Hold-down timers
-Triggered Updates
-Poison Reverse and Route Poisoning
-Split Horizon
-Maximum Hop-count
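To see count to infinity and the fixes above actually happen, here is an added Python simulation (not from the post) of two RIP-like routers exchanging tables after the network behind R1 goes down. Split horizon, poison reverse and route poisoning can be switched on; hold-down timers, triggered updates and route timeouts are deliberately not modelled, so a stale route simply stays until something overrides it. The network address is constructed.

```python
"""Distance-vector count to infinity, split horizon, poison reverse and route poisoning
on a two-router topology. Added example, not from the original post."""

INFINITY = 16   # RIP: 16 hops means unreachable

class Router:
    def __init__(self, name, connected=()):
        self.name = name
        # net -> (hop count, neighbour it was learned from; None = directly connected)
        self.table = {net: (0, None) for net in connected}

    def advertise(self, neighbour, split_horizon, poison_reverse):
        """Build the periodic update sent to one neighbour."""
        update = {}
        for net, (hops, via) in self.table.items():
            if via == neighbour:
                if split_horizon:
                    continue                 # never send a route back where it came from
                if poison_reverse:
                    update[net] = INFINITY   # send it back, but as unreachable
                    continue
            update[net] = hops
        return update

    def receive(self, neighbour, update):
        for net, hops in update.items():
            new = min(hops + 1, INFINITY)
            cur = self.table.get(net)
            # Bellman-Ford acceptance rule: unknown route, better route, or any update
            # (even a worse one) from the neighbour we currently route through.
            if cur is None or new < cur[0] or cur[1] == neighbour:
                self.table[net] = (new, neighbour)

    def hops(self, net):
        entry = self.table.get(net)
        return None if entry is None else entry[0]

def exchange(routers, links, split_horizon=False, poison_reverse=False):
    """One update round: every router sends its table to every neighbour. Updates are
    computed from the start-of-round state and then applied together."""
    pending = []
    for a, b in links:
        pending.append((b, a, routers[a].advertise(b, split_horizon, poison_reverse)))
        pending.append((a, b, routers[b].advertise(a, split_horizon, poison_reverse)))
    for receiver, sender, update in pending:
        routers[receiver].receive(sender, update)

NET = "10.0.0.0/8"   # constructed: the network hanging off R1

def simulate(split_horizon=False, poison_reverse=False, route_poisoning=False, rounds=20):
    """Return each router's hop count for NET after every round following the failure."""
    routers = {"R1": Router("R1", connected=[NET]), "R2": Router("R2")}
    links = [("R1", "R2")]
    exchange(routers, links, split_horizon, poison_reverse)   # converge: R2 learns NET at 1 hop
    # R1's interface to NET goes down
    if route_poisoning:
        routers["R1"].table[NET] = (INFINITY, None)   # keep advertising it as unreachable
    else:
        del routers["R1"].table[NET]
    trace = {"R1": [], "R2": []}
    for _ in range(rounds):
        exchange(routers, links, split_horizon, poison_reverse)
        for name in trace:
            trace[name].append(routers[name].hops(NET))
    return trace

if __name__ == "__main__":
    print("no protection   :", simulate()["R1"])
    print("split horizon   :", simulate(split_horizon=True)["R2"])
    print("SH + poisoning  :", simulate(split_horizon=True, route_poisoning=True)["R2"])
    print("poison reverse  :", simulate(poison_reverse=True)["R1"])
```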

RIP performs round-robin load balancing only. That is, RIP does per-packet load balancing for a particular destination.

Routing protocols can be used to advertise and receive default routes as well. As with all routing protocols, dynamic routing can be overridden with static routes by adjusting the AD.

The IGRP metric is 10,000,000 / (smallest bandwidth along the path in Kbps) + (sum of all delays along the path in microseconds) / 10.

IGRP uses Hold-down, Split Horizon and Poison-Reverse.


Routing is the process a router goes through to forward a packet towards a destination network.

Switching is the process a switch goes through to switch a frame out of the correct interface (or interfaces in case of a broadcast).

A router determines the best path to take through the destination IP address (or any Layer 3 address) using the Routing Table.

An Ethernet switch determines the interface to forward frames out using the CAM Table.

For routers to make a proper decision, they must learn routes. These routes are stored in a routing table. Routes can be static (manually entered by an administrator) or dynamic (learned through a routing protocol from other routers).

A Routed protocol is a protocol that is routed by a Routing protocol.

Here is a list of example Routed protocols:

A routed protocol basically worries about only the encapsulation of the packets and the fields within the encapsulation. It is concerned with storing information used by routers to make decisions. A routed protocol is routed through the Routing Table.

A Routing protocol is a protocol that routes the Routed protocols.

Here is a list of example Routing protocols:

A routing protocol supports a routed protocol. It is concerned with populating, updating and maintaining the Routing Table with information to correctly move the routed protocols around.

Routers can support multiple routing and routed protocols. In this way, they are capable of supporting many different types of networks. Each routed protocol, of course, has its own Routing Table relevant to it.

From the seminar, a Static route is a programmed route that the Administrator enters into the router. A Dynamic route is a route that a routing protocol adjusts automatically for topology or traffic changes.

A Static Route is a fixed path from source to destination. It is manually entered and so therefore must be manually updated.

A static route can be used to reveal information about hidden networks without entering them into the routing protocol.

Static route can also be used to specify stub networks - Networks that can only be accessed via one path (this is to avoid overhead related to dynamic routing).

Static routes can be entered from Global Configuration context using:

When specifying static routes, the administrative distance is an optional parameter to specify how reliable a route is. The lower the administrative distance, the more reliable a route is perceived to be. If there are multiple paths to the same network, then the one with the lower administrative distance is chosen. A static route can have administrative distance of 0 or 1 depending on whether an outgoing interface or a next-hop address is specified, respectively.

As an administrative distance is an 8 bit value, it can range from 0 to 255.

Here's a list of the common Administrative Distances:
Connected - 0
Static Outgoing Interface - 0
Static Next-Hop - 1
EIGRP - 90
IGRP - 100
OSPF - 110
RIP - 120
Unknown - 255

Using this Administrative Distance concept, we can create backup routes using static routes by specifying a static route with a higher administrative distance than the existing route.

For example, if you have an existing RIP route of 120 AD, then we can create a static route of 121 AD. The static route will be taken if the RIP one fails.

A default route is a special route that is taken when the routing table does not contain an entry that matches the destination address requested. To declare a default route, simply use for both the NETWORK_ADDRESS and SUBNET_MASK in the "ip route" command.

This is typically used by routers to forward Internet-bound traffic to the ISP Provider Edge routers.
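Pulling the route-selection rules together (the pseudocode from the load balancing notes, administrative distance, the floating static backup, the default route and the IGRP metric formula), here is an added Python example; it is not from the post, and the prefixes and next hops are constructed. The static AD of 1 assumes the next-hop form of the command.

```python
"""Route selection as described in the post: longest prefix match, then lowest AD,
then lowest metric; equal metrics are load balanced. Added example, not from the post."""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix ad metric next_hop source")

# Administrative distances listed in the post (static assumes a next-hop address)
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "igrp": 100, "ospf": 110, "rip": 120}

class RoutingTable:
    def __init__(self):
        self.candidates = []          # every route any source has offered

    def add(self, prefix, source, next_hop=None, metric=0, ad=None):
        if ad is None:
            ad = DEFAULT_AD[source]
        self.candidates.append(Route(ipaddress.ip_network(prefix), ad, metric, next_hop, source))

    def withdraw(self, prefix, source):
        """A source stops offering a prefix (e.g. the RIP route times out)."""
        net = ipaddress.ip_network(prefix)
        self.candidates = [r for r in self.candidates
                           if not (r.prefix == net and r.source == source)]

    def installed(self, prefix):
        """Routes actually installed for one prefix: lowest AD, then lowest metric.
        Several survive only when both tie (equal-cost load balancing)."""
        cands = [r for r in self.candidates if r.prefix == prefix]
        if not cands:
            return []
        best_ad = min(r.ad for r in cands)
        cands = [r for r in cands if r.ad == best_ad]
        best_metric = min(r.metric for r in cands)
        return sorted((r for r in cands if r.metric == best_metric),
                      key=lambda r: str(r.next_hop))

    def lookup(self, dst):
        """Longest prefix match; 0.0.0.0/0 only wins when nothing more specific matches."""
        addr = ipaddress.ip_address(dst)
        prefixes = {r.prefix for r in self.candidates if addr in r.prefix}
        if not prefixes:
            return []
        return self.installed(max(prefixes, key=lambda p: p.prefixlen))

    def choose_path(self, dst, packet_no, per_packet=True):
        """Per-packet (RIP-style round robin) or per-destination load balancing."""
        routes = self.lookup(dst)
        if not routes:
            return None
        idx = packet_no if per_packet else int(ipaddress.ip_address(dst))
        return routes[idx % len(routes)]

def igrp_metric(bandwidths_kbps, delays_us):
    """IGRP default metric from the post: 10,000,000 / smallest bandwidth (Kbps) +
    sum of delays (microseconds) / 10, in integer arithmetic."""
    return 10_000_000 // min(bandwidths_kbps) + sum(delays_us) // 10

def build_table():
    """Constructed routing table covering the cases in the post."""
    rt = RoutingTable()
    rt.add("10.0.0.0/30", "connected")
    rt.add("0.0.0.0/0", "static", next_hop="203.0.113.1")            # default toward the ISP
    rt.add("192.168.1.0/24", "rip", next_hop="10.0.0.2", metric=3)   # learned route, AD 120
    rt.add("192.168.1.0/24", "static", next_hop="10.0.1.2", ad=121)  # floating static backup
    rt.add("172.16.0.0/16", "ospf", next_hop="10.0.2.2", metric=20)  # two equal-cost OSPF paths
    rt.add("172.16.0.0/16", "ospf", next_hop="10.0.3.2", metric=20)
    return rt

if __name__ == "__main__":
    rt = build_table()
    for dst in ("192.168.1.5", "172.16.3.3", "10.0.0.1", "8.8.8.8"):
        print(dst, "->", [(r.source, r.next_hop) for r in rt.lookup(dst)])
    rt.withdraw("192.168.1.0/24", "rip")
    print("after RIP route is lost:", rt.lookup("192.168.1.5")[0])
    print("IGRP metric:", igrp_metric([1544, 10000], [20000, 100]))
```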

Dynamic Routing Protocols are used to automatically create, update and maintain tables when there are network:

Dynamic Routing finds all possible routes, and puts the Best Route into the routing table. Routes are removed when they are no longer valid.

A network is said to have converged when all routers operate with the same knowledge, and routing updates have stabilized. Fast convergence is desirable.

If a Dynamic Routing protocol finds two equal paths, both paths would enter the routing table and they would perform load balancing over them. The Dynamic Routing protocol defines the set of rules routers follow when exchanging information.

The two goals of Dynamic Routing protocols are:
-Maintenance of a routing table
-Timely distribution of knowledge (routing updates)

There are three classes of routing protocols covered in the seminar.

RIP and IGRP are Distance Vector protocols. DV protocols determine the distance and direction to networks. They typically send periodic broadcast updates (every 30 seconds for RIP, 90 seconds for IGRP) containing the entire routing table to neighbors (RIP version 2 uses multicast instead; not tested). A DV router accumulates the distances found in the updates (e.g. if a network is 5 hops away from the neighbor, it is 6 hops away from this router). It does not know the exact topology; it only knows what its neighbors know. DV protocols are typically slow to converge. The periodic updates are the only keepalives.

OSPF and IS-IS are Link State protocols. LS protocols learn the whole network topology, and find their way around by computing the cost to get to each network using the SPF algorithm. The lowest cost routes are used. LS uses triggered updates and send only the required updates in the form of LSAs (containing many LSPs, one for each route). Every time an update occurs, every router in the domain recomputes the SPF tree with itself as the root. It also uses Hello packets as a keepalive.

Link State requires more processor and memory, but is more bandwidth efficient in the end (the seminar says that Link State is bandwidth inefficient?).

Metric is what a router uses to determine what path is better. In case of the above examples, Hop Count and Cost are the metrics. Other metrics include Bandwidth, Delay, Load, Reliability and Ticks.

Advanced DV (referred to as Hybrid in the seminar) is a class of Routing Protocols that use DV metrics, but exhibit LS behaviors such as the maintenance of a Topology Database, the use of multicast Triggered Updates and Fast Convergence. As Advanced DV doesn't need to compute an SPF tree, but instead (in the case of EIGRP) uses more efficient algorithms such as DUAL, it is more processor efficient. It also does not need as much memory as the LS protocols. As with LS, other than the initial flooding, it is very bandwidth efficient. It uses the Hello as the keepalive mechanism.

Some characteristics of RIPv1 are: DV, Uses Hop Count, Broadcasts Updates every 30 seconds, Route Timeout 180 seconds, Hop Count cannot be more than 15, Classful.

Some characteristics of IGRP are: DV, Proprietary, handles Complex Topologies well, uses Bandwidth and Delay (can be configured to include Load and Reliability), Broadcasts Updates every 90 seconds, Classful.

Some characteristics of OSPF are: LS. (That's all?)

Some characteristics of EIGRP are: ADV (or "Hybrid"), Proprietary, keeps Successors and Feasible Successors for backup routes.

An AS is a group of networks under a common administration, sharing a common routing strategy. IGRP, EIGRP and BGP require AS numbers, and for IGRP and EIGRP the AS numbers must match between neighbors for them to exchange information.

IGPs are protocols used within an organization. Examples are RIP, OSPF, IGRP, EIGRP, IS-IS. The AS numbers for IGRP and EIGRP can be arbitrary as long as they are the same for devices meant to exchange information.

EGPs are protocols used to connect networks of different organizations together. Examples are EGP (a routing protocol succeeded by BGP, not referring to the class) and BGP. AS numbers for each organization in this case must be unique and assigned by an Internet authority.