Networking

What is a network and why is it important to cybersecurity?

At its most basic level, a network is a group of things that are connected and can work together. These do not have to be computers: police, armies and business connections form networks too.

For the duh moment: The dictionary definition of network is an openwork fabric or structure in which cords, threads, or wires cross at regular intervals. Hmm. Wires. Something resembling an openwork fabric or structure in form or concept, especially: A system of lines or channels that cross or interconnect: a network of railroads.

Networks can be connected to other networks and have sub-networks, as in the Internet, which is an interconnection of networks. Originally, it was the interconnection of networks between different schools.

Computer networks are made up of wires connecting at regular intervals. The wires can be replaced with radio waves and made wireless, but the idea remains the same: a system of channels to connect computers and allow the flow of information between them.

In building a network, the fundamental, physical material used to make the connections is referred to as the medium. This is the lowest level or layer of the network. Networks are conceptually described in 7 layers. This is a model developed by ISO [International Standards Organization] and known as the OSI model (Open Systems Interconnection) 1. It would be wise to familiarize yourself with the model.

On a very physical level, every network has a layout and map. Mapping a network is important to those who have a network. If you know what you have and where it is, it is a lot easier to manage and fix, when things go wrong or break. Mapping a network is also very important to hackers.

Hackers want to know what equipment is on the network. Where is this equipment? What is running on these computers? What kind of operating systems are being used? Who is using what?

Maps are a double-edged sword. They help with management and governance, yet provide enemies with tactical knowledge for infiltration. Early map-making was frowned upon by kings to prevent invasions.2

Knowing what is where and what software is running, including operating systems and their release and patch levels, all facilitates network penetration. (This is usually the illegal entry into a network, or an authorized test of defenses that simulates unauthorized entry into a network.) If you know the target is using an old version of Windows or Linux, which has not been updated and there is a security hole on that version…well, that may be the ticket to penetrating that network.

Since networks have lots of connections that need to be managed and fixed, all the connections are labeled to make identification and location of connections easy. Quite often this is done with some kind of mnemonic. Connection labels are commonly a combination of building names, floors, room numbers, etc. Networks and sub-networks are likewise given mnemonic names.

For example, a school may have a network for a computer lab (CMPLAB), a science lab (SCILAB) and an English class (ENGLAB). The computer lab has 12 computers numbered from 1-12. To be consistent and for sequential computer indexing3, the computers will be labeled 01, 02, 03…09, 10, 11, 12. Each computer will be named with a convention of network name and computer number, thus: CMPLAB01, CMPLAB02, CMPLAB03…CMPLAB09, CMPLAB10, CMPLAB11, CMPLAB12, CMPLAB13.

This is all quite sensible and logical. Just remember that whatever you have made easy for yourself to locate is now just as easy for an attacker to locate. Sometimes, obfuscation is used to mask how many computers are on the network by using extra numbers to label machines and skipping numbers in sequence. Instead of having 01-12, there is 01-16 and machines 04, 08, 09 and 13 are not present.
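The indexing problem and the skipped-label scheme described above can both be checked from the defender's side. The following is an added example, not part of the original article: it shows why unpadded names mis-sort and reconciles observed host names against the assigned labels. The observed list, the `ASSIGNED` set and all function names are constructed for illustration.

```python
import re

# Constructed inventory for the lab in the text: labels 01-16 exist on paper,
# but 04, 08, 09 and 13 are deliberately not assigned to any machine.
PREFIX, WIDTH = "CMPLAB", 2
ASSIGNED = set(range(1, 17)) - {4, 8, 9, 13}
NAME_RE = re.compile(r"^([A-Z]+)(\d+)$")

# Constructed list of names seen on the network (e.g. from DHCP or DNS logs).
OBSERVED = ["CMPLAB01", "CMPLAB2", "CMPLAB10", "CMPLAB08", "SCILAB01"]


def natural_key(name):
    """Sort key that compares the numeric suffix as a number, not as text."""
    m = NAME_RE.match(name.upper())
    return (m.group(1), int(m.group(2))) if m else (name.upper(), -1)


def canonical(name):
    """Zero-padded form of a lab host name, or None if it breaks the convention."""
    m = NAME_RE.match(name.strip().upper())
    if not m or m.group(1) != PREFIX:
        return None
    return f"{PREFIX}{int(m.group(2)):0{WIDTH}d}"


def audit_names(observed):
    """Reconcile observed host names against the assigned labels."""
    report = {"unpadded": [], "unknown": [], "unassigned_in_use": [], "missing": []}
    seen = set()
    for name in observed:
        canon = canonical(name)
        if canon is None:
            report["unknown"].append(name)      # not a lab name at all
            continue
        if canon != name:
            report["unpadded"].append(name)     # will mis-sort as plain text
        number = int(canon[len(PREFIX):])
        if number in ASSIGNED:
            seen.add(number)
        else:
            report["unassigned_in_use"].append(canon)  # nothing should answer here
    report["missing"] = [f"{PREFIX}{n:0{WIDTH}d}" for n in sorted(ASSIGNED - seen)]
    return report


if __name__ == "__main__":
    print(sorted(OBSERVED))                   # text order: CMPLAB10 before CMPLAB2
    print(sorted(OBSERVED, key=natural_key))  # numeric order
    print(audit_names(OBSERVED))
```

A machine answering to a label that was skipped on purpose is worth investigating, because only someone guessing at the sequence would pick it.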

Also, each machine on a network has unique identifiers. For one, there is a MAC address. A Media Access Control number is a hexadecimal number that is unique to each and every network device on the planet and regulated by convention and equipment manufacturers. The number is burned into chips but can be produced by software and spoofed.4
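Because a MAC address can be set by software, an inventory should not take it at face value. The following is an added example, not part of the original article: it normalizes MAC addresses written in different notations, flags addresses whose locally administered bit (0x02 in the first octet) is set, and flags the same address appearing on more than one host. The inventory is constructed, using addresses from the range reserved for documentation, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed inventory: (host name, MAC address as recorded by different tools).
INVENTORY = [
    ("CMPLAB01", "00:00:5E:00:53:0A"),
    ("CMPLAB02", "00-00-5e-00-53-0a"),   # same address as CMPLAB01, other notation
    ("CMPLAB03", "0000.5e00.530b"),
    ("CMPLAB05", "02:00:5E:00:53:0C"),   # locally administered bit set
    ("CMPLAB06", "00:00:5E:00:53"),      # truncated record
]


def parse_mac(text):
    """Normalize a MAC written with ':', '-' or '.' separators to 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe(mac):
    """Decode the flag bits carried in the first octet."""
    return {
        "mac": mac.hex(":"),
        "oui": mac[:3].hex(":"),                     # manufacturer prefix
        "multicast": bool(mac[0] & 0x01),
        "locally_administered": bool(mac[0] & 0x02),  # set by software, not burned in
    }


def audit_macs(inventory):
    """Return (host, finding, detail) tuples for records that need a second look."""
    findings, owners = [], defaultdict(list)
    for host, text in inventory:
        try:
            info = describe(parse_mac(text))
        except ValueError as exc:
            findings.append((host, "invalid", str(exc)))
            continue
        owners[info["mac"]].append(host)
        if info["locally_administered"]:
            findings.append((host, "locally-administered", info["mac"]))
    for mac, hosts in owners.items():
        if len(hosts) > 1:   # one address on two hosts: clone, spoof or bad record
            findings.append((",".join(hosts), "duplicate", mac))
    return findings


if __name__ == "__main__":
    for finding in audit_macs(INVENTORY):
        print(finding)
```

A set locally administered bit is not proof of spoofing (virtual machines and privacy-randomized addresses also set it), and a spoofed address can copy a burned-in one, which is why the duplicate check matters as well.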

Machines may also have human language names. For example, Chuck Finnley CEO’s Machine or Joe Z. or SysAdmin Console. Yes, using names makes machine identification easy. Yes, this makes social engineering attacks on users easier too. The CEO’s secretary is NOT just a secretary. She holds the keys to the kingdom and is a very influential, important and powerful person in an organization. She is not stupid but she is human, probably not a security expert, and a real juicy target for a phishing attack. She is also much more accessible than a CEO and the easiest way to a CEO. Just ask any salesman. Spear-phishing the CEO’s secretary is an easier attack than spear-phishing the CEO with almost the same results. Why work twice as hard for the same results?

We have to work with maps, but we should be careful and take precautions in our mapping. We should not make it easy for people to gain unauthorized access.

Each connection on a network is referred to as a node. How the nodes are connected is referred to as topology. This is a term borrowed from mathematics. In mathematics, topology is the study of point sets. Think of each node as a point. How the nodes are connected is a topology.

There are several common kinds of topology used: star, bus and ring. All these terms refer to the physical and conceptual appearance of the network. A star network will have a device at its center. All the nodes connect to this central device [router, server or centralized computer]. A bus network, such as Ethernet, has all devices attached to one cable, the medium. All messages between all the computers on the network (the traffic) travel on the bus. Since anyone can transmit at any time onto the bus, bus networks have the issue of signal collision.

Signal collision is when two computers transmit at once. The signals collide and become unintelligible. If the number of nodes and the amount of transmissions (traffic) are small enough, this can be handled by simply waiting and transmitting again. This is referred to as collision detection and collision avoidance.

In an effort to avoid the drawback of signal collision and build bigger and faster networks, IBM developed token ring technology, which later became an IEEE standard5. A bus is conceptually, and often physically, a straight wire with endcaps. A ring, by contrast, is a wire where both ends are conceptually and physically connected by being attached to a box that passes the token from machine to machine. When a machine has the token, it can transmit. After transmission, the machine relinquishes the token and the token is passed to the next machine. In this fashion, the token is passed round robin from machine to machine.

The exact rules for how networks work, how they are physically configured, how messages are passed and other engineering aspects are known as a protocol. An understanding of protocols is necessary for hackers and cybersecurity professionals.

How do we get into a network?

To repeat history, we would like to capture a password. We would like to get some credentials, meaning a valid user id and its password. If a network is wired, we will need a physical connection to the network. If a network is wireless, we have to be within radio range to pick it up. For example, Bluetooth6 7 8, a networking protocol, is designed to work only up to 30 meters (approximately 30 yards).

For a wired network, if we can gain physical access to the network, we can put a sniffer on the network, lie in wait for someone to login and capture their credentials. A sniffer can be a physical device that is attached to the wires and “bugs” the network just like telephones are bugged. You have to read the data stream, the traffic, to understand the messages. If the messages are not encrypted, voila! You will have someone’s credentials sooner or later.

A sniffer can also be software that reads all traffic and logs it, producing files that can be analyzed. This means that if encryption was used, decryption programs can then be used to decrypt the traffic.

This raises several security questions. How did an attacker gain physical access to your network? Physical security is as important to network security as computer security. Only authorized people should have access. People who are given access should have IDs and be vetted. “Yeah, I’m here to repair the network. I just have to attach this little do-hickey right here.” What does that do-hickey do? Read and re-transmit all messages across the network?

Also, is your traffic encrypted? No. Why not? Why not just put up a big sign, “KEY UNDER MAT”? Encrypt your network with secure encryption and secure protocols. You have to pay attention and be on the lookout for security holes in network encryption or security as they are discovered.

Another method of capturing passwords is to use spoofing screens, as one would for capturing a password to an operating system as described above. And how did this person gain access to the network? Do you know everyone who has access to the network? You should.

2 The Story of Maps, by Lloyd A. Brown

3 While people know that 1 comes before 10, a computer does not necessarily know that, especially when a number is treated as text. CMPLAB10 will come before CMPLAB2 in a computerized index because, when letters and numbers are mixed, the computer cannot differentiate between the two and treats the numbers as letters. For a more detailed explanation, read up on collation rules. https://en.wikipedia.org/wiki/Collation

4 For further in-depth reading on MAC addressing, see https://en.wikipedia.org/wiki/MAC_address