Date posted: 05-Jul-2015 | Category: Technology | Uploaded by: ajinkya-patil
PHYSICAL LAYER (LAYER 1)
FUNCTIONS
• Connection to & termination of the media.
• Modulation – conversion of digital data to signals
Points 2 remember: Parallel SCSI buses operate in this layer.
PS: The logical SCSI protocol is a transport layer protocol & runs over this bus.
DATA UNIT: BIT
VULNERABILITIES
• Van Eck phreaking -- remote eavesdropping on the signals emitted by a CRT or VDT
• Loss of power &/or environmental control
• Physical theft, damage or destruction of data and hardware
• Unauthorized changes to the functional environment (data connections, removable media, adding/removing resources)
• Disconnection of physical data links
• Undetectable interception of data
• Keystroke & other input logging
CONTROLS
• Locked perimeters and enclosures
• Electronic lock mechanisms for logging & detailed authorization
• Video & audio surveillance
• PIN & password secured locks
• Biometric authentication systems
• Data storage cryptography
• Electromagnetic shielding
DATA LINK LAYER (LAYER 2)
FUNCTIONS
• Physical addressing; devices: bridges, layer 2 switches
• Network topology
• Line discipline (how end systems will use the network link)
• Error notification
• Ordered delivery of frames
Points 2 remember: Flow control using the selective repeat sliding window protocol.
Arranges bits into logical sequences called frames.
DATA UNIT: FRAME
LLC LAYER
• Connections b/w applications running on a LAN
• Flow control to the upper layer by means of ready/not ready codes
• Sequence control bits
MAC LAYER
• Provides orderly access to the LAN medium.
• Defines a hardware, or data-link, address called the "MAC address"
VULNERABILITIES
• War-driving – traveling around public areas & randomly accessing 802.11 wireless access points with lax or default security settings
• MAC address / ARP spoofing
• VLAN circumvention
• Spanning tree errors
• Switches:
  – VLAN trunking protocol vulnerabilities
  – negotiating access to multiple VLANs
  – VLAN traffic flooding
Points 2 remember: War-driving is a layer 1 & layer 2 vulnerability.
CONTROLS
• MAC address filtering – identifying stations by address and cross-referencing physical port or logical access
• Do not use VLANs to enforce secure designs; keep security zones physically isolated from one another, with policy engines such as firewalls between them.
• Wireless applications must be carefully evaluated for unauthorized access exposure.
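The two layer 2 items that lend themselves to code are MAC/ARP spoofing and the MAC address filtering control. The script below is an added example, not part of the original slides or of the SANS material they draw on: it keeps the first MAC address seen for each IP in ARP replies and raises an alert when a later reply claims the same IP with a different MAC, and it enforces a per-port allow-list of source MACs the way switch port security does. The ARP reply stream, the switch port names and the allow-list are constructed sample data.

```python
"""Added example: detecting MAC/ARP spoofing on a LAN and enforcing per-port MAC filtering.
The ARP replies, port names and allow-list below are constructed, not a real capture."""
from dataclasses import dataclass, field

# Constructed ARP reply stream as (sender IP, sender MAC); the fourth entry shows
# the gateway's IP suddenly being claimed by a different MAC address.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
]

# Constructed port-security table (assumed switch port names): the MAC addresses
# allowed to send frames on each access port.
ALLOWED_MACS_BY_PORT = {
    "Gi0/1": {"aa:bb:cc:00:00:10"},
    "Gi0/2": {"aa:bb:cc:00:00:20"},
}


@dataclass
class ArpMonitor:
    """Remembers the first MAC seen for every IP and flags any later change."""
    bindings: dict = field(default_factory=dict)   # ip -> mac first seen
    alerts: list = field(default_factory=list)

    def observe(self, ip: str, mac: str) -> bool:
        """Record one ARP reply; return True if it conflicts with the known binding."""
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first sighting becomes the trusted binding
            return False
        if known != mac:
            self.alerts.append(f"ARP conflict: {ip} was {known}, now claimed by {mac}")
            return True
        return False


def scan_replies(replies) -> list:
    """Run the monitor over a reply stream and return the alerts raised."""
    monitor = ArpMonitor()
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts


def frame_permitted(port: str, src_mac: str, acl=ALLOWED_MACS_BY_PORT) -> bool:
    """Port-security check: a frame passes only if its source MAC is listed for that port."""
    return src_mac.lower() in acl.get(port, set())   # unknown port -> deny


if __name__ == "__main__":
    for alert in scan_replies(SAMPLE_ARP_REPLIES):
        print(alert)
    print(frame_permitted("Gi0/1", "AA:BB:CC:00:00:10"))   # True
    print(frame_permitted("Gi0/1", "de:ad:be:ef:00:99"))   # False
```

The "first sighting is trusted" rule is the weak point of this kind of monitor: a legitimately replaced NIC produces the same alert as a spoofer, and a spoofer who answers before the real host is never flagged. In practice the bindings table should be seeded from an authoritative source such as the DHCP lease table rather than learned from the wire.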
NETWORK LAYER (LAYER 3)
FUNCTIONS
• Quality of service requested by the transport layer
• Routing
• Path determination
• Protocols & devices:
  – IP, IPX, routers, routing protocols (RIP, IGRP, OSPF, BGP etc.), ARP, RARP, ICMP.
Points 2 remember: Might perform fragmentation and reassembly, and report delivery errors.
DATA UNIT: PACKET
VULNERABILITIES
• Route spoofing – propagation of false network topology
• IP address spoofing – false source addressing on malicious packets
• Identity & resource ID vulnerability – reliance on addressing to identify resources and peers can be brittle and vulnerable
CONTROLS
• Route policy controls – use strict anti-spoofing and route filters at network edges
• Firewalls with strong filter & anti-spoof policy
• ARP/broadcast monitoring software
• Implementations that minimize the ability to abuse protocol features such as broadcast
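"Strict anti-spoofing and route filters at network edges" is concrete enough to write down. The following is an added example, not code from the slides: an edge filter that rejects inbound packets claiming an internal or non-routable source and outbound packets with a source address the site does not own (BCP 38 style egress filtering), and a route filter that accepts a BGP announcement only if it falls inside the prefixes that peer is expected to announce and is not more specific than a configured maximum. The site prefix, bogon list, peer names and expected prefixes are constructed policy, not taken from any real network.

```python
"""Added example: anti-spoofing ingress/egress filtering and prefix-list route
filtering at a network edge. Prefixes, peer names and policy are constructed."""
import ipaddress

# Constructed: the prefix this site owns (a documentation range, not a real network).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Private, loopback, link-local and multicast ranges must never arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed route-filter policy: the prefixes each BGP peer is expected to announce.
EXPECTED_PEER_PREFIXES = {
    "peer-A": [ipaddress.ip_network("198.51.100.0/24")],
}
MAX_ACCEPTED_PREFIX_LEN = 24   # refuse more-specific announcements than this


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def edge_filter(direction: str, src_ip: str):
    """Decide whether a packet may cross the edge, based only on its source address.

    direction is "inbound" (arriving from the Internet) or "outbound" (leaving
    our network). Returns (allowed, reason)."""
    addr = ipaddress.ip_address(src_ip)
    if direction == "inbound":
        if _in_any(addr, INTERNAL_PREFIXES):
            return False, "inbound packet claims an internal source address (spoofed)"
        if _in_any(addr, BOGON_PREFIXES):
            return False, "inbound packet from a non-routable (bogon) source"
        return True, "ok"
    if direction == "outbound":
        # BCP 38 style egress filtering: we only ever send from our own addresses.
        if not _in_any(addr, INTERNAL_PREFIXES):
            return False, "outbound packet with a source address we do not own"
        return True, "ok"
    raise ValueError("direction must be 'inbound' or 'outbound'")


def route_accepted(peer: str, prefix: str) -> bool:
    """Accept a route announcement only if it is covered by the peer's expected
    prefixes and is not more specific than the configured maximum length.
    Anything else, including our own prefix or a covering supernet, is refused."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen > MAX_ACCEPTED_PREFIX_LEN:
        return False
    expected = EXPECTED_PEER_PREFIXES.get(peer, [])
    return any(net.subnet_of(allowed) for allowed in expected)


if __name__ == "__main__":
    for direction, ip in (("inbound", "203.0.113.7"), ("inbound", "10.1.2.3"),
                          ("inbound", "198.51.100.9"), ("outbound", "192.0.2.1")):
        print(direction, ip, edge_filter(direction, ip))
    for peer, prefix in (("peer-A", "198.51.100.0/24"), ("peer-A", "198.51.100.128/25"),
                         ("peer-A", "203.0.113.0/24"), ("peer-B", "198.51.100.0/24")):
        print(peer, prefix, route_accepted(peer, prefix))
```

The route filter is deliberately deny-by-default: an unknown peer, a more-specific announcement of an expected prefix, and an announcement of the site's own prefix by a peer are all refused, which covers the "propagation of false network topology" item above for the prefixes the policy knows about.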
TRANSPORT LAYER (LAYER 4)
FUNCTIONS
• Multiplexing upper layer applications; the establishment, maintenance, and orderly termination of virtual circuits
• Sequencing – acknowledgements & flow control (windowing)
• Transport fault detection and recovery
• Tunneling protocols operate at the transport layer
Points 2 remember: Performs segmentation and reassembly, and reports delivery errors.
DATA UNIT: SEGMENT
VULNERABILITIES
• Mishandling of undefined, poorly defined, or "illegal" conditions
• Differences in transport protocol implementation allow "fingerprinting" and other enumeration of host information
• Overloading of transport-layer mechanisms such as port numbers limits the ability to effectively filter and qualify traffic.
• Transmission mechanisms can be subject to spoofing
CONTROLS
• Strict firewall rules limiting access to specific transmission protocols & subprotocol information such as TCP/UDP port number or ICMP type
• Stateful inspection at the firewall layer, preventing out-of-state packets, "illegal" flags & other phony packet profiles from entering the perimeter
• Stronger transmission and session layer identification mechanisms to prevent the attack and takeover of communications
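To make the stateful-inspection control tangible, here is an added example (not from the slides) of a minimal TCP inspection engine: it rejects flag combinations that never occur in a legitimate exchange ("illegal" conditions), only lets a bare SYN open a new flow, restricts new flows to an allowed destination port set, and drops any other segment that does not belong to a flow already seen. The addresses, ports, allowed-port policy and segment sequence are constructed.

```python
"""Added example: a tiny stateful inspection engine that drops "illegal" TCP flag
combinations and out-of-state segments. Addresses, ports and policy are constructed."""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed policy: services the perimeter lets new connections reach.
ALLOWED_DST_PORTS = {80, 443}


def illegal_flags(flags: int):
    """Return a reason if the flag combination never occurs in a legitimate TCP
    exchange (the classic scan/fingerprint probes), else None."""
    if flags == 0:
        return "null (no flags)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        return "xmas (FIN+PSH+URG)"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


class ConnTracker:
    """Tracks flows by 4-tuple so that only a SYN may open a flow and every other
    segment must belong to a flow already seen in either direction."""

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of the initiating side

    def inspect(self, src, sport, dst, dport, flags):
        reason = illegal_flags(flags)
        if reason:
            return "DROP", reason
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in self.flows or rev in self.flows:
            if flags & RST:                      # RST tears the flow down
                self.flows.discard(fwd)
                self.flows.discard(rev)
                return "ACCEPT", "reset of tracked flow"
            return "ACCEPT", "part of tracked flow"
        if flags & SYN and not flags & ACK:      # a bare SYN may open a flow
            if dport not in ALLOWED_DST_PORTS:
                return "DROP", f"new connection to port {dport} not permitted"
            self.flows.add(fwd)
            return "ACCEPT", "new connection"
        return "DROP", "out-of-state segment"


def run_sample():
    """Feed a constructed sequence of segments through the tracker; return the verdicts."""
    tracker = ConnTracker()
    segments = [
        ("198.51.100.5", 40000, "203.0.113.10", 443, SYN),          # legitimate open
        ("203.0.113.10", 443, "198.51.100.5", 40000, SYN | ACK),    # server reply
        ("198.51.100.5", 40000, "203.0.113.10", 443, ACK),          # handshake completes
        ("198.51.100.6", 40001, "203.0.113.10", 443, ACK),          # no SYN was ever seen
        ("198.51.100.7", 40002, "203.0.113.10", 22, SYN),           # port not permitted
        ("198.51.100.8", 40003, "203.0.113.10", 80, SYN | FIN),     # illegal flag combination
    ]
    return [tracker.inspect(*seg) for seg in segments]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

A real firewall also ages flows out, checks sequence numbers and handles the FIN handshake; this example keeps only the two checks the slide names, flag sanity and state membership, so the effect of each drop rule is easy to see in the verdict list.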
SESSION LAYER (LAYER 5)
FUNCTIONS
• Control, i.e. establishes, manages and terminates dialogues or "sessions"
• Establishes checkpointing, adjournment, termination, and restart procedures
• Dialogs can be:
  – simplex (one-way)
  – half-duplex (alternate)
  – full-duplex (bi-directional)
Points 2 remember: Implemented explicitly in application environments that use remote procedure calls.
DATA UNIT: SPDU
VULNERABILITIES
• Weak or non-existent authentication mechanisms
• Passing of session credentials such as user ID and password in the clear, allowing intercept and unauthorized use
• Session identification may be subject to spoofing and hijack
• Leakage of information based on failed authentication attempts
• Unlimited failed sessions allow brute-force attacks on access credentials
CONTROLS
• Encrypted password exchange and storage
• Accounts have specific expirations for credentials and authorization
• Protect session identification information via cryptographic random means
• Limit failed session attempts via timing mechanisms, not lockout
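The four session-layer controls above fit together in one small login service, shown here as an added example that is not part of the slides: passwords are stored as salted PBKDF2 digests and compared in constant time, session identifiers come from the operating system's CSPRNG rather than a counter, credentials carry an expiry, unknown users and wrong passwords get the same answer (and the same hashing work, so timing does not reveal which it was), and repeated failures are slowed by an exponential back-off per account instead of a lockout. Usernames and passwords are constructed, and the clock is injectable so the back-off can be exercised without sleeping.

```python
"""Added example: the session-layer controls above assembled into a small login
service. Users, passwords and the PBKDF2 round count are constructed choices."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000
# A dummy record is hashed for unknown users so the response time does not reveal
# whether an account exists (the "leakage on failed attempts" item above).
_DUMMY_SALT = secrets.token_bytes(16)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


_DUMMY_DIGEST = hash_password("", _DUMMY_SALT)


class LoginThrottle:
    """Delays repeated failures per account (1s, 2s, 4s ... up to max_delay) rather
    than locking the account, which would let anyone deny service to a user."""

    def __init__(self, base_delay=1.0, max_delay=64.0, clock=time.monotonic):
        self.base, self.max, self.clock = base_delay, max_delay, clock
        self._failures = {}          # user -> (count, earliest next attempt)

    def wait_remaining(self, user: str) -> float:
        rec = self._failures.get(user)
        return 0.0 if rec is None else max(0.0, rec[1] - self.clock())

    def record_failure(self, user: str) -> float:
        count = self._failures.get(user, (0, 0.0))[0] + 1
        delay = min(self.base * 2 ** (count - 1), self.max)
        self._failures[user] = (count, self.clock() + delay)
        return delay

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


class SessionService:
    def __init__(self, throttle: LoginThrottle, clock=time.time):
        self.throttle, self.clock = throttle, clock
        self.users = {}      # user -> {"salt", "digest", "expires_at"}
        self.sessions = {}   # session id -> user

    def add_user(self, user: str, password: str, lifetime_s: float) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "digest": hash_password(password, salt),
                            "expires_at": self.clock() + lifetime_s}

    def login(self, user: str, password: str):
        """Return (status, session_id); status is ok, invalid, expired or throttled."""
        if self.throttle.wait_remaining(user) > 0:
            return "throttled", None
        rec = self.users.get(user)
        salt = rec["salt"] if rec else _DUMMY_SALT
        expected = rec["digest"] if rec else _DUMMY_DIGEST
        # Always hash and always compare in constant time, even for unknown users.
        ok = hmac.compare_digest(hash_password(password, salt), expected) and rec is not None
        if not ok:
            self.throttle.record_failure(user)
            return "invalid", None          # same answer for unknown user and wrong password
        if self.clock() >= rec["expires_at"]:
            return "expired", None
        self.throttle.record_success(user)
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG, not a counter
        self.sessions[sid] = user
        return "ok", sid


if __name__ == "__main__":
    svc = SessionService(LoginThrottle())
    svc.add_user("alice", "correct horse battery", lifetime_s=3600)
    print(svc.login("alice", "wrong"))                   # ('invalid', None)
    print(svc.login("alice", "correct horse battery"))  # ('throttled', None) within 1s
```

Note that the throttle never refuses outright; it only delays the next attempt, so a user whose account is being guessed against still gets in once the delay has elapsed, while the guesser's rate collapses after a handful of failures.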
PRESENTATION LAYER (LAYER 6)
FUNCTIONS
• Mapping different syntax and semantics
• Formats and encrypts data to be sent across a network.
• Serialization of objects & data structures
• Data compression, encryption
Points 2 remember: Also called the SYNTAX LAYER.
DATA UNIT: PPDU
VULNERABILITIES
• Poor handling of unexpected input can lead to execution of arbitrary instructions.
• Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage.
• Cryptographic flaws may be exploited to circumvent privacy protections
Points 2 remember: Format string vulnerability & buffer overflow
CONTROLS
• Careful specification and checking of received input incoming into applications or library functions
• Separation of user input and program control functions – sanitized input
• Careful and continuous review of cryptography solutions
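The "externally supplied input in a control context" vulnerability and the "separation of user input and program control functions" control are the same lesson as the C format-string bug named above, and it can be shown in any language that has a format engine. The following is an added example, not from the slides: a renderer that takes the caller's text as the format template (so the text can address object attributes it was never meant to see) beside a hardened renderer whose template is fixed and treats the text purely as data, plus the type, length and character-set checks that should run before input reaches any library function. The Account object and its secret field are constructed.

```python
"""Added example: user input used as a control string (Python str.format as the stand-in
for a C format string) beside the hardened form, plus strict input validation.
The Account object, its secret and the allow-list are constructed."""
import re


class Account:
    def __init__(self, name: str, secret: str):
        self.name = name
        self.secret = secret          # must never appear in rendered output


def render_vulnerable(user_template: str, account: Account) -> str:
    """Vulnerable: the caller's text is used as the *format string*, so it can address
    attributes of the object it is handed instead of being treated as data."""
    return user_template.format(account=account)


def render_safe(user_text: str, account: Account) -> str:
    """Hardened: the template is a fixed developer string; user text is only a value."""
    return "Hello {name}, you said: {text}".format(name=account.name, text=user_text)


MAX_TEXT_LEN = 64
# Constructed allow-list: letters, digits, space and basic punctuation only.
_ALLOWED = re.compile(r"[A-Za-z0-9 ,.!?'-]+")


def validate_text(value) -> str:
    """Check type, length and character set before the value reaches any library call
    (the same checks a C program needs before copying into a fixed-size buffer)."""
    if not isinstance(value, str):
        raise TypeError("text must be a string")
    if len(value) > MAX_TEXT_LEN:
        raise ValueError(f"input longer than {MAX_TEXT_LEN} characters rejected")
    if not _ALLOWED.fullmatch(value):
        raise ValueError("input contains characters outside the allowed set")
    return value


def handle_request(user_text: str, account: Account) -> str:
    """The safe pipeline: validate first, then render with the fixed template."""
    return render_safe(validate_text(user_text), account)


if __name__ == "__main__":
    acct = Account("bob", "s3cret-value")
    print(render_vulnerable("{account.secret}", acct))   # leaks the secret
    print(render_safe("{account.secret}", acct))         # echoes the braces as plain text
    print(handle_request("nice to meet you!", acct))
```

The validation layer is defence in depth: even if a later change reintroduced a user-controlled template, the allow-list rejects the brace characters the format engine acts on, and the length cap bounds what any downstream fixed-size buffer can receive.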
APPLICATION LAYER (LAYER 7)
FUNCTIONS
• Provides a set of interfaces for applications to obtain access to networked services
• End-user interface
• Performing input to and output from mass storage devices.
• Transferring information to hosts
Points 2 remember: FTP, SMTP, Telnet, HTTP, DNS work here.
DATA UNIT: APDU
VULNERABILITIES
• Open design issues allow free use of application resources by unintended parties
• Backdoors and application design flaws bypass standard security controls
• Inadequate security controls force an "all-or-nothing" approach, resulting in either excessive or insufficient access.
• Overly complex application security controls tend to be bypassed or poorly understood and implemented.
• Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behaviour
CONTROLS
• Application level access controls to define and enforce access to application resources. Controls must be detailed, flexible, straightforward.
• Standards, testing, and review of application code and functionality – a baseline.
• IDS systems to monitor application activity
• Host-based firewall systems can regulate traffic by application, preventing unauthorized or covert use of the network
REFERENCES
• www.sans.org
• http://en.wikipedia.org/wiki/OSI_model
• E-books: Applying-osi-layer-network-model-information-security_1309; osi-model-overview_543; understanding-security-osi-model_377