Networking Protocols and Terminology


Big Picture

Internet protocols are standardized rules and guidelines that are defined in organizations like RFC and specify how devices on a network should communicate with each other, regardless of the software/hardware that’s being used. It is very important to familiarize yourself with these protocols to better understand how different devices communicate. Here is some research I did into commonly used protocols and what they do. The two main types of connections over a network are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). This article will cover both, then go into some additional information about connection processes, security considerations, and Virtual LANs. Again, thanks for reading and please enjoy!

Transmission Control Protocol (TCP)

TCP is a connection-oriented protocol that establishes a virtual connection between two devices before transmitting data, using a three-way handshake. This connection is maintained until the data transfer is complete, and the devices can continue to send data back and forth as long as the connection is active. When you enter a URL into your web browser, the browser sends an HTTP request to the server hosting the website over TCP, and the server responds by sending the HTML back over the same TCP connection, which is established and maintained until the data transfer is complete. As a result, TCP is reliable but slower than UDP because it requires additional overhead for establishing and maintaining the connection.

Common TCP Protocols

  • Telnet (Port 23): A remote login service that allows users to connect to and control remote systems over a network. It transmits data in plain text, making it insecure for modern use.
  • Secure Shell – SSH (Port 22): A secure remote login service that provides encrypted communication between devices. It’s the secure replacement for Telnet and is commonly used for remote system administration.
  • Simple Network Management Protocol – SNMP (Ports 161-162): Used to manage and monitor network devices such as routers, switches, and servers. It allows administrators to collect information and configure network devices remotely.
  • Hyper Text Transfer Protocol – HTTP (Port 80): Used to transfer webpages and other content between web servers and browsers. It’s the foundation of data communication on the World Wide Web.
  • Hyper Text Transfer Protocol Secure – HTTPS (Port 443): The secure version of HTTP that uses SSL/TLS encryption to protect data during transmission. It’s essential for secure online transactions and private communications.
  • Domain Name System – DNS (Port 53): Translates human-readable domain names into IP addresses that computers use to identify each other on the network. It acts as the internet’s phone book.
  • File Transfer Protocol – FTP (Ports 20-21): Used to transfer files between systems over a network, with port 20 for data transfer and port 21 for commands. It’s widely used for uploading and downloading files to/from servers.
  • Trivial File Transfer Protocol – TFTP (Port 69): A simplified version of FTP used to transfer files between systems without authentication. It’s commonly used for booting diskless workstations and transferring configuration files.
  • Network Time Protocol – NTP (Port 123): Synchronizes computer clocks across a network to ensure accurate timekeeping. It’s critical for logging, security protocols, and distributed systems.
  • Simple Mail Transfer Protocol – SMTP (Port 25): Used for email transfer from client to server or between mail servers. It’s the standard protocol for sending outgoing emails.
  • Post Office Protocol 3 – POP3 (Port 110): Used to retrieve emails from a mail server to a local client, typically downloading and deleting messages from the server. It’s designed for users who access email from a single device.
  • Internet Message Access Protocol – IMAP (Port 143): Used to access and manage emails stored on a mail server, allowing synchronization across multiple devices. Unlike POP3, it keeps messages on the server for access from anywhere.
  • Server Message Block – SMB (Port 445): Used to share files, printers, and other resources between devices in a network, primarily in Windows environments. It enables network file sharing and printer access.
  • Network File System – NFS (Ports 111, 2049): Used to mount remote file systems and access files over a network as if they were local. It’s commonly used in Unix/Linux environments for distributed file access.
  • Bootstrap Protocol – BOOTP (Ports 67, 68): Used to bootstrap computers and assign IP addresses during the boot process. It’s the predecessor to DHCP and is used by diskless workstations.
  • Kerberos (Port 88): A network authentication protocol that uses tickets and symmetric-key cryptography to provide secure authentication. It’s widely used in Windows Active Directory environments.
  • Lightweight Directory Access Protocol – LDAP (Port 389): Used for directory services to access and maintain distributed directory information over a network. It’s commonly used for centralized authentication and user management.
  • Remote Authentication Dial-In User Service – RADIUS (Ports 1812, 1813): Provides centralized authentication, authorization, and accounting for network access. It’s commonly used for VPN and wireless network authentication.
  • Dynamic Host Configuration Protocol – DHCP (Ports 67, 68): Automatically assigns IP addresses and network configuration parameters to devices on a network. It eliminates the need for manual IP address configuration.
  • Remote Desktop Protocol – RDP (Port 3389): Allows users to connect to and control remote Windows systems with a graphical interface. It’s widely used for remote administration and support.
  • Network News Transfer Protocol – NNTP (Port 119): Used to access and distribute messages in newsgroups across the internet. It enables reading, posting, and transferring news articles between servers.
  • Remote Procedure Call – RPC (Ports 135, 137-139): Allows programs to execute procedures on remote systems as if they were local. It’s fundamental to distributed computing and many Windows services.
  • Identification Protocol – Ident (Port 113): Used to identify the user of a particular TCP connection by querying the remote system. It’s primarily used for logging and access control purposes.
  • Internet Control Message Protocol – ICMP (Ports 0-255): Used to send error messages and operational information about network conditions. Tools like ping and traceroute rely on ICMP to diagnose network connectivity issues.
  • Internet Group Management Protocol – IGMP (Ports 0-255): Manages multicast group memberships, allowing hosts to report their multicast group memberships to routers. It’s essential for efficient one-to-many communications like video streaming.
  • Oracle DB Listener – oracle-tns (Ports 1521/1526): The Oracle database listener service runs on the database host and receives connection requests from Oracle clients. It manages incoming connections and routes them to the appropriate database instance.
  • Ingres Lock – ingreslock (Port 1524): Associated with the Ingres database system, commonly used for large commercial applications. It has been exploited as a backdoor that can execute commands remotely via RPC.
  • Squid Web Proxy – http-proxy (Port 3128): A caching and forwarding HTTP web proxy that speeds up web server performance by caching repeated requests. It reduces bandwidth usage and improves response times.
  • Secure Copy Protocol – SCP (Port 22): Securely copies files between local and remote systems using SSH encryption. It provides both authentication and encryption for file transfers.
  • Session Initiation Protocol – SIP (Port 5060): A signaling protocol used for establishing, maintaining, and terminating real-time voice, video, and multimedia sessions. It’s the foundation of most VoIP communication systems.
  • Simple Object Access Protocol – SOAP (Ports 80, 443): A messaging protocol used for exchanging structured information in web services implementation. It relies on XML for message format and typically uses HTTP or HTTPS for transmission.
  • Secure Socket Layer – SSL (Port 443): Provides encrypted communication between clients and servers to protect sensitive data during transmission. It’s the predecessor to TLS and forms the foundation of HTTPS.
  • TCP Wrappers – TCPW (Port 113): Provides host-based access control for network services by filtering incoming connections. It allows administrators to permit or deny access based on IP addresses and other criteria.
  • Internet Security Association and Key Management Protocol – ISAKMP (Port 500): Used to establish security associations and cryptographic keys in VPN connections. It’s a framework for authentication and key exchange in IPsec.
  • Microsoft SQL Server – ms-sql-s (Port 1433): The default port used for client connections to Microsoft SQL Server database instances. It handles database queries and data management operations.
  • Kerberized Internet Negotiation of Keys – KINK (Port 892): A protocol that combines Kerberos authentication with IPsec key management. It provides a secure method for establishing IPsec security associations.
  • Open Shortest Path First – OSPF (Port 89): A link-state routing protocol that calculates the shortest path for data transmission within an autonomous system. It’s more efficient and scalable than distance-vector protocols like RIP.
  • Point-to-Point Tunneling Protocol – PPTP (Port 1723): Used to create VPN connections by encapsulating PPP frames into IP datagrams for transmission. While historically popular, it’s now considered less secure than modern VPN protocols.
  • Remote Execution – REXEC (Port 512): Executes commands on remote computers and sends the output back to the local computer. It requires authentication but transmits credentials in plain text, making it insecure.
  • Remote Login – RLOGIN (Port 513): Starts an interactive shell session on a remote computer similar to Telnet. It’s considered insecure due to lack of encryption and has been largely replaced by SSH.
  • X Window System – X11 (Port 6000): A computer software system and network protocol that provides a graphical user interface for networked computers. It enables remote display of GUI applications on Unix-like systems.
  • Relational Database Management System – DB2 (Port 50000): IBM’s enterprise database system designed to store, retrieve, and manage structured data. It’s commonly used for large-scale financial systems and customer relationship management applications.

User Datagram Protocol (UDP)

UDP is a connectionless protocol, which means it does not establish a virtual connection before transmitting data. Instead, it sends data packets to the destination without checking to see if they were received. When you stream or watch a video on platforms like YouTube, the video data is transmitted using UDP because the video can tolerate some data loss, and transmission speed is more important than reliability. If a few packets of video data are lost along the way, it will not significantly impact the overall quality of the video. This makes UDP faster than TCP but less reliable because there is no guarantee that the packets will reach their destination.

Common UDP Protocols

  • Domain Name System – DNS (Port 53): Resolves domain names to IP addresses, allowing users to access websites using memorable names instead of numeric addresses. While it can use TCP, UDP is preferred for its speed in most DNS queries.
  • Trivial File Transfer Protocol – TFTP (Port 69): A simplified file transfer protocol that operates without authentication, commonly used for network booting and transferring configuration files. It’s designed for simplicity and small file transfers.
  • Network Time Protocol – NTP (Port 123): Synchronizes computer clocks across networks to ensure accurate timekeeping for all connected devices. Precise time synchronization is critical for security protocols, logging, and distributed systems.
  • Simple Network Management Protocol – SNMP (Port 161): Monitors and manages network devices remotely by collecting status information and configuring devices. It uses a manager-agent model where the manager polls agents running on network devices.
  • Routing Information Protocol – RIP (Port 520): A distance-vector routing protocol that exchanges routing information between routers using hop count as its metric. It’s simple but limited to networks with a maximum of 15 hops.
  • Internet Key Exchange – IKE (Port 500): Establishes secure communication channels by negotiating and providing authenticated keying material for IPsec. It automates the security association setup process for VPN connections.
  • Bootstrap Protocol – BOOTP (Port 68): Automatically assigns IP addresses to diskless workstations during the boot process. It’s the predecessor to DHCP and is still used in some network booting scenarios.
  • Dynamic Host Configuration Protocol – DHCP (Port 67): Dynamically assigns IP addresses and network configuration parameters to devices when they join a network. It eliminates the need for manual IP configuration and manages address allocation efficiently.
  • Telnet – TELNET (Port 23): A text-based remote access protocol that can operate over UDP in some implementations. However, TCP is more commonly used for Telnet due to its reliability requirements.
  • MySQL (Port 3306): An open-source relational database management system widely used for web applications and data storage. While primarily using TCP, some MySQL cluster configurations utilize UDP for internal communication.
  • Terminal Server – TS (Port 3389): Used for remote access to Microsoft Windows Terminal Services, allowing multiple users to access a Windows server remotely. It’s primarily TCP-based but listed here for its network presence.
  • NetBIOS Name – netbios-ns (Port 137): Used in Windows operating systems to resolve NetBIOS names to IP addresses on a local area network. It facilitates network resource discovery and name resolution in Windows environments.
  • Microsoft SQL Server Browser – ms-sql-m (Port 1434): Used by the Microsoft SQL Server Browser service to provide SQL Server connection information to clients. It helps clients locate and connect to the correct SQL Server instance.
  • Universal Plug and Play – UPnP (Port 1900): Allows devices to discover each other on the network and establish functional network services automatically. It’s commonly used for automatic port forwarding and device configuration in home networks.
  • PostgreSQL – PGSQL (Port 5432): An advanced open-source object-relational database management system known for its reliability and feature set. While primarily TCP-based, some cluster configurations may use UDP for specific operations.
  • Virtual Network Computing – VNC (Port 5900): A graphical desktop sharing system that allows remote control of another computer’s display. It transmits keyboard and mouse events and receives screen updates over the network.
  • X Window System – X11 (Ports 6000-6063): Provides a graphical user interface framework on Unix-like systems that can operate over networks. Each port number corresponds to a different display number (6000 = :0, 6001 = :1, etc.).
  • Syslog – SYSLOG (Port 514): A standard protocol for collecting, storing, and forwarding log messages from network devices and systems. It centralizes logging for easier monitoring and troubleshooting across an organization.
  • Internet Relay Chat – IRC (Port 194): A real-time text messaging protocol that enables synchronous communication in channels or private messages. It’s one of the earliest forms of internet chat and is still used by various communities.
  • OpenPGP (Port 11371): A protocol for encrypting, decrypting, and signing data and communications using public-key cryptography. It’s commonly used for secure email communication and file encryption.
  • Internet Protocol Security – IPsec (Port 500): Provides secure, encrypted communication at the network layer by authenticating and encrypting IP packets. It’s the standard for creating secure VPN tunnels between networks.
  • Internet Key Exchange – IKE (Port 11371): Negotiates and establishes IPsec security associations by exchanging keys and authentication information. It automates the complex process of setting up encrypted connections.
  • X Display Manager Control Protocol – XDMCP (Port 177): A network protocol that allows users to remotely log in to computers running the X11 windowing system. It manages remote X11 sessions and provides graphical login screens over the network.

Internet Control Message Protocol (ICMP)

Internet Control Message Protocol is used by devices on the internet to exchange requests and messages for purposes such as error reporting and status information. ICMP has two versions: ICMPv4 for IPv4 only, and ICMPv6 for IPv6 only. ICMPv4 is the original version and is still widely used, while ICMPv6 was developed for IPv6 and includes additional functionality to address some limitations of ICMPv4.

ICMP Request Types

  • Echo Request: Tests whether a device is reachable on the network by sending a packet that expects an echo reply in response. Tools like ping, tracert, and traceroute always send ICMP echo requests to diagnose connectivity.
  • Timestamp Request: Determines the current time on a remote device, which can be useful for time synchronization testing. It allows one device to query another for its system time.
  • Address Mask Request: Used to request the subnet mask of a device on the network. This helps devices determine their network configuration and understand their local subnet boundaries.

ICMP Message Types

  • Echo Reply: Sent in response to an echo request message, confirming that the destination device is reachable. It contains the same data as the request, allowing round-trip time calculation.
  • Destination Unreachable: Sent when a device cannot deliver a packet to its intended destination due to network issues, routing problems, or the destination being offline. It includes codes specifying the exact reason for failure.
  • Redirect: Sent by a router to inform a device that it should send its packets to a different router for more efficient routing. It helps optimize network paths dynamically.
  • Time Exceeded: Sent when a packet has taken too long to reach its destination, typically because the TTL value reached zero. Traceroute tools rely on this message to map network paths.
  • Parameter Problem: Sent when there is a problem with a packet’s header that prevents proper processing. It indicates malformed or invalid packet structure.
  • Source Quench: Sent when a device receives packets too quickly and cannot keep up with the processing demands. It’s used to slow down the flow of packets, though it’s rarely used in modern networks.
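To make the type numbers behind the message names above concrete, here is an added example (not from the original article) that builds an ICMP message with a valid RFC 1071 checksum, then parses and verifies one; the type-to-name table is from the IANA ICMP assignments, and the packets are constructed in the code rather than captured.

```python
import struct

# ICMPv4 type numbers for the request and message types described above (IANA assignments).
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    4: "Source Quench",
    5: "Redirect",
    8: "Echo Request",
    11: "Time Exceeded",
    12: "Parameter Problem",
    13: "Timestamp Request",
    14: "Timestamp Reply",
    17: "Address Mask Request",
    18: "Address Mask Reply",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, body: bytes = b"") -> bytes:
    """Assemble an ICMP message; 'rest' is the 4-byte type-specific part of the header."""
    if len(rest) != 4:
        raise ValueError("rest-of-header must be exactly 4 bytes")
    draft = struct.pack("!BBH", icmp_type, code, 0) + rest + body  # checksum field zeroed
    return struct.pack("!BBH", icmp_type, code, internet_checksum(draft)) + rest + body


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo Request (type 8): identifier and sequence number fill the rest-of-header field."""
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(msg: bytes) -> dict:
    """Decode the common header, name the type, and verify the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message is shorter than the 8-byte header")
    icmp_type, code, _checksum = struct.unpack("!BBH", msg[:4])
    info = {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "Unknown"),
        # Summing a message that already carries its checksum gives all ones, so the complement is 0.
        "checksum_ok": internet_checksum(msg) == 0,
    }
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["payload"] = msg[8:]
    elif icmp_type in (3, 4, 5, 11, 12):
        # Error messages quote the IP header and first 8 bytes of the datagram that triggered them.
        info["quoted_datagram"] = msg[8:]
    return info


if __name__ == "__main__":
    # Constructed sample: an Echo Request and a Time Exceeded message (the one traceroute relies on).
    for sample in (build_echo_request(0x1234, 1, b"abcdefgh"), build_icmp(11, 0, body=bytes(28))):
        print(parse_icmp(sample))
```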

Time-To-Live (TTL) Field

Another crucial part of ICMP is the Time-To-Live (TTL) field in the ICMP packet header, which limits a packet’s lifetime as it travels through the network and prevents packets from circulating indefinitely in the event of routing loops. Each time a packet passes through a router, the router decrements the TTL value by 1; when the TTL value reaches 0, the router discards the packet and sends an ICMP Time Exceeded message back to the sender.

We can use TTL to determine the number of hops a packet has taken and the approximate distance to the destination. For example, if a packet is sent with a TTL of 10 and arrives after 5 hops, it arrives with a TTL of 5, so the destination can be inferred to be approximately 5 hops away. If we see a ping reply with a TTL value of 122, it could mean we are dealing with a Windows system (TTL 128 by default) that is 6 hops away.

It is also possible to guess the operating system based on the default TTL value used by the device:

  • Windows systems (2000/XP/2003/Vista/10): Typically have a default TTL value of 128
  • macOS and Linux systems: Typically have a default TTL value of 64
  • Solaris systems: Default TTL value of 255

However, it is important to note that users can change these values, so they should not be relied upon as a definitive way to determine a device’s operating system.
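The inference described above, as an added example (not from the original article): it takes the ttl= value from ping reply lines, picks the smallest default TTL from the list that is not below the observed value, and reports the OS guess and hop count. The ping output is constructed, and the 30-hop plausibility cut-off is an assumption of this example, there to flag cases where the default TTL was probably changed.

```python
import re

# Default initial TTLs from the list above; treated as a heuristic, since users can change them.
DEFAULT_TTLS = {64: "Linux/macOS", 128: "Windows", 255: "Solaris/network gear"}

# Assumed cut-off for this example: a hop count above this more likely means a non-default TTL.
MAX_PLAUSIBLE_HOPS = 30

# Matches reply lines from both Unix ping ("... ttl=122 ...") and Windows ping ("... TTL=128").
PING_REPLY_RE = re.compile(r"from (?P<host>[\d.]+).*?\bttl=(?P<ttl>\d+)", re.IGNORECASE)


def infer_from_ttl(observed: int) -> dict:
    """Guess the sender's initial TTL (smallest default >= observed) and the hops in between."""
    if not 0 < observed <= 255:
        raise ValueError("observed TTL must be between 1 and 255")
    initial = min(d for d in DEFAULT_TTLS if d >= observed)
    hops = initial - observed
    return {
        "initial_ttl": initial,
        "os_guess": DEFAULT_TTLS[initial],
        "hops": hops,
        "plausible": hops <= MAX_PLAUSIBLE_HOPS,
    }


def analyse_ping_output(text: str) -> dict:
    """Run the inference over every reply line in ping's output, keyed by replying host."""
    results = {}
    for line in text.splitlines():
        match = PING_REPLY_RE.search(line)
        if match:
            results[match["host"]] = infer_from_ttl(int(match["ttl"]))
    return results


# Constructed sample of ping output (not captured from a real network).
SAMPLE_PING = """\
64 bytes from 10.0.0.5: icmp_seq=1 ttl=122 time=12.3 ms
64 bytes from 10.0.0.7: icmp_seq=1 ttl=61 time=3.1 ms
64 bytes from 10.0.0.9: icmp_seq=1 ttl=250 time=8.8 ms
64 bytes from 10.0.0.11: icmp_seq=1 ttl=30 time=70.2 ms
"""

if __name__ == "__main__":
    for host, verdict in analyse_ping_output(SAMPLE_PING).items():
        print(host, verdict)
```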

Voice over Internet Protocol (VoIP)

Voice over Internet Protocol (VoIP) is a method of transmitting voice and multimedia communications over the internet. It allows users to make phone calls using a broadband internet connection instead of a traditional phone line, as seen in services like Skype, WhatsApp, Google Hangouts, Slack, and Zoom.

The most common VoIP ports are TCP/5060 and TCP/5061, which are used for the Session Initiation Protocol (SIP). However, the port TCP/1720 may also be used by some VoIP systems for the H.323 protocol, a set of standards for multimedia communication over packet-based networks. Still, SIP is more widely used than H.323 in VoIP systems.

Session Initiation Protocol (SIP)

SIP is a signaling protocol for initiating, maintaining, modifying, and terminating real-time sessions involving video, voice, messaging, and other communications applications and services between two or more endpoints on the internet. It uses requests and methods between endpoints to manage communication sessions.

Common SIP Methods:

  • INVITE: Initiates a session or invites another endpoint to participate in a communication. It’s the primary method for establishing new calls or sessions.
  • ACK: Confirms the receipt of an INVITE request, completing the three-way handshake for session establishment. It ensures both parties are ready to communicate.
  • BYE: Terminates an active session and releases the resources associated with the call. Either party can send this method to end the communication.
  • CANCEL: Cancels a pending INVITE request before the session is fully established. It’s used when a user decides to abort a call attempt before it connects.
  • REGISTER: Registers a SIP user agent (UA) with a SIP server, making the user’s location known to the network. It’s essential for enabling incoming calls to reach the correct device.
  • OPTIONS: Requests information about the capabilities of a SIP server or user agent, such as supported media types and codecs. It’s used for capability negotiation and connectivity testing.

SIP presents security risks by allowing attackers to enumerate existing users through methods like SIP OPTIONS requests, which can probe servers for user information, availability, and capabilities that enable brute-force attacks. Additionally, Cisco Unified IP Phone configuration files (SEPxxxx.cnf) may be discovered during security analysis, exposing sensitive details such as phone models, firmware versions, and network settings that reveal information about the network infrastructure.
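On the defensive side of the OPTIONS/REGISTER risk described above, here is an added example (not from the original article) of detection logic run over SIP proxy log lines: per source address it slides a time window over requests and flags one source probing many distinct user parts (enumeration) or repeatedly failing REGISTER authentication (brute force). The log format, the sample lines and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real PBX format):
# <ISO timestamp>Z src=<ip> method=<SIP method> uri=sip:<user>@<domain> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) method=(?P<method>[A-Z]+) "
    r"uri=sip:(?P<user>[^@\s]+)@(?P<domain>\S+) status=(?P<status>\d{3})$"
)

SAMPLE_LOG = "\n".join(
    # constructed: a legitimate phone registering, placing a call and checking capabilities
    [
        "2024-05-01T10:00:00Z src=198.51.100.10 method=REGISTER uri=sip:1001@pbx.example status=200",
        "2024-05-01T10:00:05Z src=198.51.100.10 method=INVITE uri=sip:1002@pbx.example status=200",
        "2024-05-01T10:00:09Z src=198.51.100.10 method=OPTIONS uri=sip:1002@pbx.example status=200",
    ]
    # constructed: one source sending OPTIONS to twelve different extensions in twelve seconds
    + [f"2024-05-01T10:01:{i:02d}Z src=203.0.113.7 method=OPTIONS uri=sip:{100 + i}@pbx.example status=404"
       for i in range(12)]
    # constructed: one source failing REGISTER for the same account six times in 25 seconds
    + [f"2024-05-01T10:02:{i * 5:02d}Z src=203.0.113.9 method=REGISTER uri=sip:1001@pbx.example status=401"
       for i in range(6)]
)


def parse_sip_log(text: str) -> list:
    """Turn log lines into sorted (time, src, method, user, status) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["method"], m["user"], int(m["status"])))
    return sorted(events)


def detect_sip_abuse(text: str, window: timedelta = timedelta(seconds=60),
                     enum_threshold: int = 10, bruteforce_threshold: int = 5) -> dict:
    """Per source, look back 'window' from each request and flag enumeration or REGISTER brute force."""
    by_src = defaultdict(list)
    for ev in parse_sip_log(text):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        flagged = set()
        for i, (t, _, _, _, _) in enumerate(evs):
            recent = [e for e in evs[: i + 1] if e[0] >= t - window]
            # Enumeration: many distinct user parts addressed by one source in a short time.
            targets = {e[3] for e in recent if e[2] in ("OPTIONS", "REGISTER", "INVITE")}
            if len(targets) >= enum_threshold:
                flagged.add("user-enumeration")
            # Brute force: repeated authentication failures (401/403/407) on REGISTER.
            failures = sum(1 for e in recent if e[2] == "REGISTER" and e[4] in (401, 403, 407))
            if failures >= bruteforce_threshold:
                flagged.add("register-bruteforce")
        if flagged:
            alerts[src] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    print(detect_sip_abuse(SAMPLE_LOG))
```

Real deployments tune the window and thresholds per site, and should also whitelist the monitoring hosts that legitimately send OPTIONS keep-alives.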

Wireless Networks

Wireless networks are computer networks that use wireless data connections between network nodes, allowing devices such as laptops, smartphones, and tablets to communicate with each other and the Internet without physical cables. These networks use radio frequency (RF) technology to transmit data between devices, where each device has a wireless adapter that converts data into RF signals and sends them over the air. Other devices receive these signals with their own wireless adapters, and the data is converted back into a usable form.

Wireless networks operate over various ranges depending on the technology used. A local area network (LAN) covering a small area like a home or office might use WiFi with a range of a few hundred feet, while a wireless wide area network (WWAN) might use cellular data (3G, 4G LTE, 5G) to cover entire cities or regions. To connect to a wireless network, a device must be within range and configured with the correct network settings, such as the network name and password.

WiFi Communication

In a WiFi network, communication between devices occurs over RF in the 2.4 GHz or 5 GHz bands. When a device wants to send data, it first communicates with the Wireless Access Point (WAP) to request permission to transmit. The WAP is a central device, like a router, that connects the wireless network to a wired network and controls access to the network. Once the WAP grants permission, the transmitting device sends the data as RF signals, which are received by the wireless adapters of other devices on the network.

The strength of the RF signal and the distance it can travel are influenced by factors such as the transmitter’s power, the presence of obstacles, and the density of RF noise in the environment. To ensure reliable communication, WiFi networks use techniques such as spread spectrum transmission and error correction to overcome these challenges.

WiFi Connection Process

The device must be configured with the correct network settings, such as the network name (SSID) and password. To connect to the router, the device uses the IEEE 802.11 wireless networking protocol, which defines how wireless devices communicate with each other and with WAPs. When a device wants to join a WiFi network, it sends a connection request frame (association request) to the WAP.

The connection request frame contains:

  • MAC address: A unique identifier for the device’s wireless adapter
  • SSID: The network name or Service Set Identifier of the WiFi network
  • Supported data rates: A list of data rates the device can use to communicate
  • Supported channels: A list of frequencies on which the device can communicate
  • Supported security protocols: A list of security protocols the device can use, such as WPA2/WPA3

The device uses this information to configure its wireless adapter and connect to the WAP. Once the connection is established, the device can communicate with the WAP and other network devices, accessing the Internet through the WAP as a gateway. The SSID can be hidden by disabling broadcasting, preventing devices from identifying it during searches, though the SSID can still be found in authentication packets.

WEP Challenge-Response Handshake

The challenge-response handshake establishes a secure connection between a WAP and a client device in wireless networks using the WEP security protocol. This process involves exchanging packets to authenticate the device and establish a secure connection:

  1. Client: Sends an association request packet to the WAP, requesting access
  2. WAP: Responds with an association response packet including a challenge string
  3. Client: Calculates a response to the challenge string using a shared secret key and sends it back
  4. WAP: Calculates the expected response using the same shared secret key and sends an authentication response packet

The Cyclic Redundancy Check (CRC) is an error-detection mechanism used in WEP to protect against data corruption in wireless communications. A CRC value is calculated for each transmitted packet based on the packet’s data to verify integrity. When the destination device receives the packet, the CRC value is recalculated and compared to the original value—matching values indicate successful transmission while mismatches indicate corruption requiring retransmission.

However, the CRC mechanism has a critical flaw that allows decryption of a single packet without knowing the encryption key. The CRC value is calculated using the plaintext data rather than the encrypted data, and since it’s included in the packet header, attackers can use it to determine the plaintext data even when encrypted.
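The CRC flaw above comes down to CRC-32 being an unkeyed, linear function. As an added illustration (not from the original article), the code below shows that a WEP-style CRC trailer does catch accidental bit errors, that CRC-32 satisfies the identity crc(a XOR b) = crc(a) XOR crc(b) XOR crc(zeros) for equal-length inputs, and that a keyed MAC such as HMAC-SHA256 (what later protocols use for their integrity check) does not. Framing and sample data are constructed; only the Python standard library is used.

```python
import hashlib
import hmac
import os
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def append_crc(body: bytes) -> bytes:
    """WEP-style integrity trailer: the body followed by its CRC-32 (little-endian, as in WEP's ICV)."""
    return body + zlib.crc32(body).to_bytes(4, "little")


def crc_verifies(frame: bytes) -> bool:
    """What the receiver does: recompute the CRC over the body and compare with the trailer."""
    body, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == trailer


def random_corruption_detected(body: bytes, trials: int = 100) -> bool:
    """CRC is good at its real job: every single-bit error in the body is noticed."""
    frame = append_crc(body)
    caught = 0
    for _ in range(trials):
        damaged = bytearray(frame)
        bit = int.from_bytes(os.urandom(2), "big") % (len(body) * 8)
        damaged[bit // 8] ^= 1 << (bit % 8)
        caught += not crc_verifies(bytes(damaged))
    return caught == trials


def crc_is_affine(m1: bytes, m2: bytes) -> bool:
    """crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0): the check value follows the data without any secret."""
    if len(m1) != len(m2):
        raise ValueError("inputs must have equal length")
    zeros = bytes(len(m1))
    return zlib.crc32(xor_bytes(m1, m2)) == zlib.crc32(m1) ^ zlib.crc32(m2) ^ zlib.crc32(zeros)


def hmac_is_affine(key: bytes, m1: bytes, m2: bytes) -> bool:
    """The same identity tested on HMAC-SHA256; a keyed MAC does not have this structure."""
    if len(m1) != len(m2):
        raise ValueError("inputs must have equal length")

    def tag(m: bytes) -> bytes:
        return hmac.new(key, m, hashlib.sha256).digest()

    zeros = bytes(len(m1))
    return tag(xor_bytes(m1, m2)) == xor_bytes(xor_bytes(tag(m1), tag(m2)), tag(zeros))


if __name__ == "__main__":
    # Constructed sample frame bodies of equal length.
    a, b = b"WEP data unit one", b"WEP data unit two"
    print("random corruption caught:", random_corruption_detected(a))
    print("CRC-32 affine over XOR:  ", crc_is_affine(a, b))
    print("HMAC affine over XOR:    ", hmac_is_affine(os.urandom(32), a, b))
```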

Security Features

WiFi networks have several security features to protect against unauthorized access and ensure the privacy and integrity of transmitted data:

  • Encryption: Protects data confidentiality using algorithms like WEP, WPA2, and WPA3
  • Access Control: Requires authentication methods such as passwords or MAC addresses to identify authorized devices
  • Firewall: Controls incoming and outgoing network traffic based on predetermined security rules, blocking threats from the Internet

Encryption Protocols

Wired Equivalent Privacy (WEP)

WEP uses a 40-bit or 104-bit key to encrypt data, while WPA using AES uses a 128-bit key for stronger encryption. WEP is vulnerable to various attacks that can decrypt network data and is not compatible with newer devices and operating systems. It uses the RC4 cipher encryption algorithm, making it particularly vulnerable to attacks. WEP uses a shared key for authentication, meaning the same key is used for both encryption and authentication.

WEP versions:

  • WEP-40/WEP-64: Uses a 24-bit Initialization Vector (IV) and a 40-bit secret key
  • WEP-104: Uses a 24-bit IV and an 80-bit secret key

The IV is a small value included in the packet header along with the encrypted data; it is combined with the secret key to derive a per-packet key, so that each packet is encrypted with a different key. However, since the IV in WEP is relatively small, it can be brute forced by trying every possible combination of characters to determine the correct value, which can then be used to decrypt the data and potentially compromise the network’s security.
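How small a 24-bit IV really is, as an added derivation (not from the original article): with N possible IVs and n packets, the birthday bound gives the chance that some IV is reused, and once an IV repeats under the same secret key the per-packet key, and with it the RC4 keystream, is reused. The 500 packets/s rate is an assumed figure for a busy access point.

$$N = 2^{24} = 16{,}777{,}216 \text{ possible IVs}$$

$$P(\text{some IV repeats within } n \text{ packets}) \approx 1 - e^{-n(n-1)/(2N)}$$

$$P = \tfrac{1}{2} \;\Rightarrow\; n \approx \sqrt{2N \ln 2} \approx 4{,}823 \text{ packets}$$

$$\text{full exhaustion at } r = 500 \text{ packets/s:}\quad N/r \approx 33{,}554 \text{ s} \approx 9.3 \text{ hours}$$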

WiFi Protected Access (WPA)

WPA provides the highest level of security and is not susceptible to the same types of attacks as WEP. It uses more secure authentication methods, such as a Pre-Shared Key (PSK) or an 802.1X authentication server, which provide stronger protection against unauthorized access. WPA is compatible with most devices and operating systems, and all wireless networks, especially in critical infrastructure like offices, should implement at least WPA2 or WPA3 encryption.

Authentication Protocols

LEAP and PEAP

Lightweight Extensible Authentication Protocol (LEAP) and Protected Extensible Authentication Protocol (PEAP) are authentication protocols used to secure wireless networks by providing secure methods for authenticating devices. They are often used in conjunction with WEP or WPA to provide an additional layer of security. Both are based on the Extensible Authentication Protocol (EAP), a framework for authentication used in various networking contexts.

Key differences:

  • LEAP: Uses a shared key for authentication, meaning the same key is used for encryption and authentication, which can make it easier for attackers to gain access if the key is compromised
  • PEAP: Uses tunneled Transport Layer Security (TLS), establishing a secure connection between the device and WAP using a digital certificate, with the authentication process protected by an encrypted tunnel for stronger protection

TACACS+

In wireless networks, when a WAP sends an authentication request to a Terminal Access Controller Access-Control System Plus (TACACS+) server, the entire request packet is typically encrypted to protect the confidentiality and integrity of the request. TACACS+ is a protocol used to authenticate and authorize users accessing network devices like routers and switches. The authentication request typically includes the user’s credentials and other session information.

Encrypting the authentication request ensures that sensitive information is not visible to unauthorized parties who may intercept the request during transmission. It also prevents tampering with the request or its replacement with a malicious request. Several encryption methods may be used, such as SSL/TLS or IPsec, depending on the TACACS+ server configuration and WAP capabilities.

Disassociation Attack

A Disassociation Attack is a type of wireless network attack that aims to disrupt communication between a WAP and its clients by sending disassociation frames to one or more clients. The WAP uses disassociation frames to disconnect a client from the network, and when a client receives this frame, it disconnects and must reconnect to continue using the network.

The attack can be launched from within or outside the network depending on the attacker’s location and network security measures. The purpose is to disrupt communication between the WAP and its clients, causing disconnections and inconvenience to users. It can also be used as a precursor to other attacks, such as man-in-the-middle attacks, by forcing clients to reconnect and potentially exposing them to further attacks.

Wireless Hardening

There are many ways to protect wireless networks, and the following measures should be considered to dramatically increase security:

  • Disabling broadcasting: Disabling SSID broadcasting makes the network more difficult to discover by preventing the WAP from transmitting beacon frames, making the network invisible to devices not already connected
  • WiFi Protected Access: WPA provides strong encryption and authentication, with WPA-Personal designed for home and small business networks, and WPA-Enterprise designed for larger organizations using centralized authentication servers (RADIUS or TACACS+)
  • MAC filtering: Allows a WAP to accept or reject connections from specific devices based on their MAC addresses, preventing unauthorized devices from connecting to the network
  • Deploying EAP-TLS: A security protocol that uses digital certificates and PKI to verify client identity and establish secure connections, providing strong authentication and encryption for wireless communications

Virtual Private Networks

A Virtual Private Network (VPN) is a technology that allows a secure and encrypted connection between a private network and a remote device, enabling the remote machine to access the private network directly with secure and confidential access to network resources and services. For example, even when a company limits server access to the local network, an administrator at another location can still manage the internal servers so that employees can continue using internal services. The administrator connects to the VPN server via the internet, authenticates, and creates an encrypted tunnel that prevents others from reading the transferred data. Additionally, the administrator’s computer is assigned a local (internal) IP address through which they can access and manage the internal servers.

VPN typically uses TCP/1723 for Point-to-Point Tunneling Protocol (PPTP) VPN connections and UDP/500 for IKEv1 and IKEv2 VPN connections. Administrators commonly use VPNs to provide secure and cost-effective remote access to a company’s network, allowing employees to access network resources such as email and file servers from remote locations like their homes or while traveling.

There are several important reasons why VPNs are widely adopted for network access:

  • Enhanced Security: VPNs encrypt the connection between the remote device and the private network, making it much more difficult for attackers to intercept and steal sensitive information, ensuring the entire communication is more secure
  • Remote Access: VPNs allow employees to access the private network and its resources remotely from anywhere with an internet connection, which is particularly useful for employees who travel or work from home
  • Cost-Effectiveness: VPNs can be more cost-effective than other remote access solutions such as leased lines or dedicated connections because they use the public internet to connect remote users to the private network
  • Network Integration: VPNs can connect multiple remote locations, such as branch offices, into a single private network, making it easier to manage and access network resources

Several components and requirements are necessary for a VPN to work properly:

  • VPN Client: Software installed on the remote device used to establish and maintain a VPN connection with the VPN server, such as an OpenVPN client
  • VPN Server: A computer or network device responsible for accepting VPN connections from VPN clients and routing traffic between the VPN clients and the private network
  • Encryption: VPN connections are encrypted using various encryption algorithms and protocols, such as AES and IPsec, to secure the connection and protect the transmitted data
  • Authentication: The VPN server and client must authenticate each other using a shared secret, certificate, or another authentication method to establish a secure connection

The VPN client and server use specific ports to establish and maintain the VPN connection. At the TCP/IP layer, a VPN connection typically uses the Encapsulating Security Payload (ESP) protocol to encrypt and authenticate the VPN traffic, allowing the VPN client and server to exchange data securely over the public internet.

Internet Protocol Security (IPsec)

Internet Protocol Security (IPsec) is a network security protocol that provides encryption and authentication for internet communications. It is a powerful and widely-used security protocol that works by encrypting the data payload of each IP packet and adding an authentication header (AH), which is used to verify the integrity and authenticity of the packet.

IPsec Protocols

IPsec uses a combination of two protocols to provide encryption and authentication:

  • Authentication Header (AH): Provides integrity and authenticity for IP packets but does not provide encryption. It adds an authentication header to each IP packet containing a cryptographic checksum that can verify the packet has not been tampered with.
  • Encapsulating Security Payload (ESP): Provides encryption and optional authentication for IP packets. It encrypts the data payload of each IP packet and optionally adds an authentication header similar to AH.

IPsec Modes

  • Transport Mode: IPsec encrypts and authenticates the data payload of each IP packet but does not encrypt the IP header. This is typically used to secure end-to-end communication between two hosts.
  • Tunnel Mode: IPsec encrypts and authenticates the entire IP packet, including the IP header. This is typically used to create a VPN tunnel between two networks.

Required Protocols for IPsec VPN

When an administrator places a firewall between a VPN client outside and a VPN server inside, the firewall would need to allow the following protocols so that IPsec VPN traffic can pass:

  • Internet Protocol – IP (UDP/50-51): The primary protocol that provides the foundation for all internet communication. It routes packets of data between the VPN client and the VPN server.
  • Internet Key Exchange – IKE (UDP/500): A protocol used to establish and maintain secure communication between the VPN client and the VPN server. It is based on the Diffie-Hellman key exchange algorithm and is used to negotiate and establish shared secret keys that can encrypt and decrypt the VPN traffic.
  • Encapsulating Security Payload – ESP (UDP/4500): A protocol that provides encryption and authentication for IP datagrams. It encrypts the VPN traffic between the VPN client and the VPN server using the keys that were negotiated with IKE.

These protocols are necessary for facilitating IPsec VPN traffic because they provide the security and encryption required for secure communication over the public internet. Without these protocols, the VPN traffic would be vulnerable to interception and tampering.

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the creation of VPNs by establishing a secure tunnel between the VPN client and server, encapsulating the data transmitted within this tunnel. Originally an extension of the Point-to-Point Protocol (PPP), PPTP is supported by many operating systems and can tunnel protocols such as IP, IPX, or NetBEUI via IP.

However, due to its known vulnerabilities, PPTP is no longer considered secure and has been largely replaced by more secure VPN protocols like L2TP/IPsec, IPsec/IKEv2, and OpenVPN. Since 2012, the use of PPTP has declined because its authentication method, MSCHAPv2, employs the outdated DES encryption, which can be easily cracked with specialized hardware. Organizations should avoid using PPTP for any security-sensitive applications and instead implement modern VPN protocols that offer stronger encryption and authentication mechanisms.

Cisco IOS and VLANs

Cisco IOS is the operating system powering Cisco network devices like routers and switches, providing essential features for managing and operating network infrastructure. Available in multiple versions with varying capabilities, it supports modern networking requirements including IPv6, Quality of Service (QoS), security features like encryption and authentication, and virtualization capabilities such as Virtual Private LAN Service (VPLS) and Virtual Routing and Forwarding (VRF).

Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) is a layer-2 network protocol that enables Cisco devices (routers, switches, bridges) to gather information about directly connected Cisco devices. This information is used to discover and track network topology, aiding network management and troubleshooting. CDP is typically enabled by default but can be disabled for security reasons. CDP messages contain device names, IP addresses, port names, functionality, operating system information, and hardware platform details.

Management and Protocol Support

Cisco IOS can be managed through a command line interface (CLI) or a graphical user interface (GUI). The system supports various protocols and services critical for network operations:

Routing protocols like OSPF and BGP handle data packet routing across networks. Switching protocols including VLAN Trunking Protocol (VTP) and Spanning Tree Protocol (STP) configure and manage switch operations. Network services such as DHCP automatically provision clients with IP addresses and network configurations. Security features like Access Control Lists (ACLs) control resource access and prevent security threats.

Cisco IOS employs different password types for various security purposes:

  • User Password – Controls login access to Cisco IOS and restricts device/feature access
  • Enable Password – Grants access to “enable” mode with advanced functions and settings
  • Secret – Secures access to specific functions and services, often restricting remote management tools
  • Enable Secret – Extra-secure encrypted password protecting “enable” mode access

Cisco IOS devices support SSH or Telnet for remote access, identifiable by the “User Access Verification” message upon connection.

Virtual Local Area Networks (VLANs)

VLANs are logical groupings of network endpoints connected to defined switch ports, enabling network segmentation by creating logical broadcast domains spanning multiple physical LAN segments. Administrators can segment networks by team, function, department, or application without considering physical endpoint locations. Broadcast packets sent within one VLAN never reach endpoints in other VLANs. Each VLAN operates as a broadcast domain requiring its own subnet. For example, servers could be placed on VLAN 10 with the subnet 172.16.10.0/26 and the Finance department on VLAN 20 with the subnet 172.16.20.0/24.

VLAN Benefits:

  • Better Organization – Group endpoints by shared attributes
  • Increased Security – Network segmentation prevents unauthorized packet sniffing across VLANs
  • Simplified Administration – Physical endpoint location becomes irrelevant
  • Increased Performance – Reduced broadcast traffic frees bandwidth

Cisco switches support VLAN IDs 1-4094 (0 and 4095 are reserved). IDs 1-1005 are normal-range VLANs, with VLAN 1 as the default (cannot be altered or deleted). IDs 1002-1005 are reserved for Token Ring and FDDI. IDs 1006-4094 are extended-range VLANs. Normal-range VLAN customizations save to the VLAN database (vlan.dat file), while extended-range customizations don’t persist. VLANs 2-1001 in vlan.dat can store parameters like name, type, state, and MTU.

VLAN Memberships

Static VLAN Assignment – The simplest and most common method involves manually assigning each port to a VLAN using the switch’s network operating system. This must be done separately for all switches, and connected endpoints remain unaware of VLAN existence. Static VLANs are more secure since ports remain tied to specific VLAN IDs unless manually changed.

Dynamic VLAN Assignment – Automatically determines endpoint VLAN membership based on MAC addresses or protocols. Administrators register MAC addresses in centralized VLAN management services like VLAN Membership Policy Server (VMPS). Switches query the database to determine endpoint VLAN membership. While flexible, dynamic VLANs increase administrative overhead and security risks. Attackers could spoof MAC addresses using tools like macchanger to gain unauthorized VLAN access.

Access Ports – Belong to and carry traffic for only one VLAN (occasionally two when including voice traffic). All arriving traffic is assumed to belong to the assigned VLAN.

Trunk Ports – Carry multiple VLANs simultaneously. Trunk links connect two trunk ports on switches (or a switch and a router), allowing traffic for multiple VLANs to traverse between devices.

VLAN Identification

Standard 802.3 Ethernet frames lack VLAN information, requiring mechanisms to track VLAN data as packets traverse VLAN-enabled devices. Two main trunking methods accomplish this:

Inter-Switch Link (ISL) – Cisco-proprietary trunking protocol predating 802.1Q. Now deprecated and rarely used in modern Cisco devices, which predominantly support 802.1Q. ISL encapsulated entire Ethernet frames, adding a 26-byte header and 4-byte trailer.

IEEE 802.1Q – Developed in 1998 for VLAN technology interoperability across vendors. Modified the 802.3 Ethernet frame by adding two 2-byte fields: TPID and TCI (containing PCP, DEI, and VID subfields).

Key 802.1Q components:

  • Tag Protocol Identifier (TPID) – 16-bit field set to 0x8100 identifying 802.1Q-tagged frames
  • Tag Control Information (TCI) – 16-bit field containing Priority Code Point (PCP), Drop Eligible Indicator (DEI), and VLAN Identifier (VID)
  • VLAN Identifier (VID) – Occupies 12 bits of TCI, allowing 4094 VLAN IDs (2^12 – 2)

VLAN Tagging is inserting VLAN information into 802.1Q Ethernet headers. VLAN Untagging means removing VLAN information from 802.1Q frames before forwarding to destination ports. Double Tagging (802.1ad) is inserting multiple 802.1Q tags within a single packet.

VLAN-Capable NICs

Some network interface cards support VLAN tagging. Both Linux and Windows allow assigning VLAN IDs to NICs, with the NIC tagging outbound packets and untagging inbound packets. Linux uses tools like ip, nmcli, and vconfig (deprecated), requiring the 802.1Q kernel module. Windows supports VLAN assignment through Device Manager’s Advanced properties or PowerShell cmdlets like Get-NetAdapter and Set-NetAdapter (only succeeds if the NIC supports this functionality).

Analyzing VLAN Traffic

Wireshark enables identification and analysis of VLAN tagged traffic using the vlan filter. The vlan.id == [number] filter searches for specific VLAN IDs. Tools like tshark can enumerate used VLAN IDs from packet captures.

Security Implications and VLAN Attacks

Despite improving network security, VLANs introduce potential vulnerabilities that adversaries can exploit.

VLAN Hopping – Enables traffic from one VLAN to be seen by another without router assistance. Exploits Cisco’s Dynamic Trunking Protocol (DTP), which automatically negotiates trunk link formation. Adversaries configure hosts to mimic switches, taking advantage of automatic trunking on switch ports. By spoofing 802.1Q signaling and DTP packets, attackers can establish trunk links with their hosts, exposing network packets beyond their assigned VLAN. Tools like Yersinia facilitate VLAN hopping attacks.

Double-Tagging VLAN Hopping – More sophisticated attack embedding hidden 802.1Q tags inside already-tagged Ethernet frames, allowing frames to reach unintended VLANs. This attack only works when adversaries connect to ports in the same VLAN as the trunk port’s native VLAN. The attack involves sending double-tagged frames where the outer tag matches the native VLAN. The first switch strips the outer tag, forwarding the frame with the inner tag intact. The second switch reads the inner tag and forwards to the attacker’s target VLAN. Tools like Scapy and Yersinia can perform this attack.
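As an added example (not code from the original article) tying together the 802.1Q tag layout above and the double-tagging pattern just described: a small Python parser that peels stacked tags, a tagging/untagging pair showing why the first switch leaves the inner tag intact, and a detection rule a defender can run over captured frames. The 802.1ad TPID 0x88A8 and the sample frames are assumptions made here.

```python
import struct

# Added example, not code from the original article. TPID 0x8100 is the 802.1Q
# value the text gives; 0x88A8 (the 802.1ad service-tag TPID) is an assumption
# added here so that stacked (double) tags are also recognised.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_frame(frame: bytes) -> dict:
    """Peel every stacked tag off an Ethernet frame, outer first; TCI = PCP(3)|DEI(1)|VID(12)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0,
              tpid: int = TPID_8021Q) -> bytes:
    """VLAN tagging: insert one tag right after the MAC addresses."""
    if not 1 <= vid <= 4094:  # 0 and 4095 are reserved
        raise ValueError("VID out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """VLAN untagging: strip only the outermost tag (what the first switch does).
    A double-tagged frame keeps its inner tag, which the hopping attack relies on."""
    return frame[:12] + frame[16:] if parse_frame(frame)["tags"] else frame


def is_double_tag_hop(frame: bytes, native_vid: int) -> bool:
    """Detection rule: two or more tags with the outer VID equal to the trunk's
    native VLAN. Such a frame arriving on an access port should be dropped and alerted on."""
    tags = parse_frame(frame)["tags"]
    return len(tags) >= 2 and tags[0]["vid"] == native_vid


# Constructed sample input: broadcast dst, locally administered src, IPv4 EtherType.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" * 20
```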

VXLAN

The 12-bit VID field in 802.1Q headers limits networks to 4094 VLANs, insufficient for large data centers and cloud providers requiring extensive segmentation. Additionally, Spanning Tree Protocol (STP) prevents network loops but blocks links, reducing available ports and preventing multipath resiliency.

Virtual eXtensible Local Area Network (VXLAN), defined in RFC7348, solves these limitations by implementing a “Layer 2 overlay scheme on a Layer 3 network.” VXLAN addresses traditional Layer 2 constraints while meeting multi-tenant virtualized environment requirements. Each VXLAN overlay (VXLAN segment) isolates VMs: only VMs within the same segment can communicate. A 24-bit VXLAN Network Identifier (VNI) uniquely identifies each segment, enabling 16 million coexisting VXLAN segments within one administrative domain, providing unprecedented scalability for modern data centers.
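An added example, not from the original article, of the VXLAN header that carries the 24-bit VNI and of the per-segment isolation described above, in Python; the header layout follows RFC 7348, while the sample frame and VNI value are constructed here.

```python
import struct

# Added example, not code from the original article. Header layout is taken from
# RFC 7348 (cited in the text): flags (8 bits; the I bit 0x08 says the VNI is
# valid), 24 reserved bits, the 24-bit VNI, 8 reserved bits. The sample frame
# and VNI below are constructed for illustration.
VXLAN_FLAG_I = 0x08
VNI_MAX = (1 << 24) - 1            # 16,777,215: the "16 million segments"
HEADER_LEN = 8


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Wrap an inner Ethernet frame in a VXLAN header (the Layer 2 overlay payload)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    # word 0: flags in the top byte, reserved bits zero
    # word 1: VNI in the top 24 bits, low byte reserved (zero)
    header = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    return header + inner_frame


def vxlan_decapsulate(packet: bytes) -> tuple:
    """Return (vni, inner_frame); reject headers without the I flag."""
    if len(packet) < HEADER_LEN:
        raise ValueError("too short for a VXLAN header")
    word0, word1 = struct.unpack_from("!II", packet, 0)
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag not set, VNI is not valid")
    return word1 >> 8, packet[HEADER_LEN:]


def deliver_to_segment(packet: bytes, local_vni: int):
    """Segment isolation at a receiving tunnel endpoint: hand the inner frame
    to local VMs only when its VNI matches this endpoint's segment, else drop it."""
    vni, inner = vxlan_decapsulate(packet)
    return inner if vni == local_vni else None


# Constructed sample: an inner broadcast ARP frame from a VM in segment 5000000,
# a VNI far beyond the 4094 ceiling of 802.1Q.
INNER = bytes.fromhex("ffffffffffff" "020000000002" "0806") + b"\x00" * 28
SAMPLE_VNI = 5_000_000
```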