NETW260

Understand the difference between a broadcast, unicast, and multicast address

A broadcast is to all devices in a subnet, a unicast is to one device, and a multicast is to some but not all devices.

All NGFWs must, at a minimum, include the following:

Be router and switch compatible (L2/L3) They must add packet filtering with IPS and Malware inspection capability Provide Network Address Translation (NAT) Permit stateful inspection Permit Virtual Private Networks (VPNs) Provide URL and Application filtering Implement QoS Third-party integration Support for REST API

Describe the functions of DNS and DHCP in the network

Dynamic Host Configuration Protocol (DHCP) provides network configuration information (including IP addresses) to hosts, eliminating the need to perform the configurations manually. Domain Name Service (DNS) resolves hostnames—both Internet names such as www.lammle.com and device names such as Workstation 2—to IP addresses, eliminating the need to know the IP address of a device for connection purposes.

Extending the Main Hub benefit

Extend the main hub because hubs don't segment a network; they just connect network segments. Basically, it's an inexpensive way to connect a couple of PCs, which can work for really simple home use and troubleshooting, but that's about it!

Identify the role of ICMP

Internet Control Message Protocol (ICMP) works at the Network layer and is used by IP for many different services. ICMP is a management protocol and messaging service provider for IP.

Identify Internet layer protocols

Internet Protocol (IP) is a connectionless protocol that provides network address and routing through an internetwork. Address Resolution Protocol (ARP) finds a hardware address from a known IP address. Reverse ARP (RARP) finds an IP address from a known hardware address. Internet Control Message Protocol (ICMP) provides diagnostics and destination unreachable messages.

UDP

Okay, web pages do the same thing, file sharing does the same thing. That's pretty cool. Okay, now, let's move on to this idea of the unreliable, okay? It says it's connectionless. Now, Aubri, this is more like not a telephone call, but essentially me using the intercom system and just shouting out there, Aubri, Aubri, Aubri. >> Yeah. [LAUGH] >> And if Aubri is listening, perfectly fine. If she's not, and I just continue the conversation, I'm just gonna continue the conversation. So Aubri may be listening, but may not be listening and I just continue to talk. And so, Aubri, you may catch pieces of it. You may not. You might catch all it, but you may not catch any of it as well. But that doesn't stop me from continuing just to broadcast it out it or just send it out. So here you have UDP. The neat thing about it, it is quicker because it doesn't rely on me and you having to kind of sink up or do anything. It just says I've got stuff to send, I've got stuff to talk about, Aubri, if you're there, hopefully you're listening. But if you're not yeah, I'm still gonna send, I'm still gonna start talking. So that's the way it goes. No windowing, no retransmissions, and that means it drops stuff, okay? And it doesn't care if it drops stuff. It just says, I'm just sending, and that's the way it's gonna be. Sequencing, no, we can't actually rebuild it if it's actually dropped. It's just gonna be dropped here. But notice its uses which is a little bit strange here, Aubri. Video streaming and voice dreaming. Why in the world would that be good? The reason why this is good in terms of UDP is because of the way that the voice transmission is at work, it'd be silly if all of a sudden I started retransmitting, and let's say a few seconds later you heard the same exact thing again because you said or you didn't actually say anything, it got lost. But if you just lose, let's say, one or two frames, you can deal with that. Our minds can kinda go yeah, I know what that was gonna be. We're just gonna adjust and we'll be fine. Same thing with voice. When you have a repeated conversation over and over again, and you still here new information, it becomes a bit more jumbled. So with UDP and the way that this streaming traffic and information goes is better to drop some stuff and allow for the smoothness or the flow or the stream of the conversation to continue on User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism. It's a protocol you use as the transport protocol for a video application. Very good stuff You can also specify TCP versus UDP ports. Not the only game in town, old TCP. Sometimes you do need to scan, and when I say sometimes, you should do it every time. It can be very helpful. Scan for those UDP ports as well, they can be on there. >> You might ask yourself well wait a second. Why would I distinguish the difference between the two, Dan, a SYN scan, right? We can't perform against a SYN scan against a UDP port, right? >> It doesn't make a whole lot of sense, right? >> We need other options. You have to say it is a UDP type of scan. We have to give it that option and let it know, I need to perform UDP on you. What we do with and we come over here. If I just wanted it to scan UDP, I can change this to /u like that. And come over here and leave my ports just as they are or whatever reason. Maybe I'm scanning EDP ports 21,22,23 and 80, right? 53 is a common one because DNS use it UDP. Any other service that uses UDP obviously if you wanted to discern that's happening, you need to add that SU. But what if I want to do UDP and TCP ports put together. Interesting thing, I have to designate the face that I want to do a UDP port scan. And the fact that I want to do some type of TCP port scan. So I can do ss, I can do st. Whatever one you're trying to do that is TCP in nature. All right so you gotta let them know I'm doing both. And then when you come over to your -p option to let them know what ports I have to put in at capital U: a list of ports. And then at the end of my list of UDP ports, I put a comma, T:21, 22, 23 and 80. Now it knows all right I'm gonna scan for these UDP ports because it's got a U and a colon and it tells me what ports are UDP. And I designate the PCP ports with a capital T and say here's a list of TCP ports. So if you want to do both there you go. And of course you would put your host so 10.0.0 of 165, like that, don't forget to ask cognitive form, right? >> Dan one of the things that I've noticed is that you mentioned things like TCP and UDP ports, right? >> Yes. >> And I know, and another thing, too, is you keep saying things like web. You say things like, maybe DNS, right? So I know why I might perform a scan against, with UDP and TCP right? >> Maybe cuz DNS uses both.

Understand the role of port numbers

Port numbers are used to identify the protocol or service that is to be used in the transmission.

layer 3 vs layer 2

Primarily, layer 3 machines, like routers, need to locate specific networks, whereas layer 2 machines like switches and bridges need to eventually locate specific devices. So, networks are to routers as individual devices are to switches and bridges. And routing tables that "map" the internetwork are for routers as filter tables that "map" individual devices are for switches and bridges.

Routers

Routers provide connections to wide area network (WAN) services as well via a serial interface for WAN connections—specifically, a V.35 physical interface on a Cisco router.

TCP

TCP for us is the idea that connection-oriented type of traffic or the idea that we're trying to communicate. Now, the other thing that it does is actually helps with what we call re-transmissioning. This can also happen in the telephone call, especially in today's cellular types of services as well. And the reason why this happens is because we actually experience this when we were on a road trip that we had, where we had to try and dial into a conference call at the end of the week. And somewhere along the line, the connection kind of broke up. We could hear part of it, but we couldn't. So when other people actually on the other end couldn't hear you. So that indicated to me, what, that I needed to retransmit the signal, okay? So in the reliable aspect or the idea of TCP, it has mechanisms that are actually there to help us say, I didn't get that. I need to send that back again. Now when we send that information back across a network the idea sequencing may be a little bit strange for most people. But when we send data, right, data can go any path that it wants. It temps to take the same path as the other ones it's gone before. But Sometimes we can have what we call network congestion. That path is not as reliable as we think so we might send it a different way thinking it's going to get around faster. So in theory sometimes data can arrive a little bit out of order. The sequencing here that TCP does is essentially puts a number on each of the packets. It says it when it arrives on your end, you can put them back together in the proper order that it's supposed to be received. Now, this is where my phone analogy falls apart a little bit more, Aubri. But we actually have done something and you might have actually done something like this where, Aubri, you sent multiple packages, let's say, to someone across the country or, actually no, people in other nations. And let's say you sent four or five different packages over there. Well, how do they know when they actually received box four of five instead of box one of five? Well, yeah. >> That's a good question. [LAUGH] >> Well, sometimes what we might have actually done is on the outside box said what one of four or two of four, three of four. Sequencing helps us do that so that so that when Aubri's sending something they know, okay, I should open one of four first, two of four, three of four, four of four, makes sense? >> Yeah. So in that information the same thing happens with this type of communication as well, okay? So the uses of this is the same idea. Downloads, whenever we do downloads, we do a connection-oriented type of thing. The idea that downloads, we can drop packets in between, what we need for that other side, right, the one that's downloading say well, wait a minute. I didn't get everything here. Please resend that if I need to. Transmission Control Protocol - provides reliable, ordered, and error-checked delivery of a stream of packets on the internet. TCP is tightly linked with IP and usually seen as TCP/IP in writing. provides reliable, ordered and error checked delivery of a stream of packets in the internet. So TCP/IP is a true networking model. All right, Netcat is awesome. It is what they call the Swiss Army knife of TCP, right? Now they say this because it'll make just about any dang connection you can think about when it comes to TCP, okay? It will just go yeah, I'll connect to that, why not? Let's give it a whirl. Which is why I call it the Swiss Army knife. If you need something to connect to a service that uses TCP, then Netcat is a great tool for that. Not only that, it's also a great tool for creating connections, exfiltrating data. It can do all sorts of stuff, you just gotta get a little creative with it. And it is a standard tool in the pentester's toolbox for doing some very necessary things like creating reverse or bind shells. That's the first things that comes to my head. That and exfiltrating data is probably the two biggies right? Other than that, banner grabbing, creating weird ad hoc connections that you need doing things like logging into SMTP. You never know when it'll come in handy to be able to create a remote connection or create some sort of ad hoc TCP connection, okay? with Ncat, I can say only this IP address is allowed to connect. Not only that, but I can also force the use of things like SSL. Right, so I can start telling you what type of connection I wanna make, not just a regular TCP connection. And now I can again remove my filter and start getting a look at maybe just HTTP traffic. So I can put a filter says HTTP.request, cuz I made a HTTP request. Hey look, there's all my HTTP requests and you can even see where it was going. And a lot of times you can right-click on one of these things and go to follow and follow TCP stream or UDP stream. And then it kind of recreates the conversation in red and blue based off of server and client, right? There we go, all right, so I've logged in. Guess what? I've captured that traffic. Not only that, but because of this I can go in here, I can clear out my filter and type in what? Telnet, show me telnet traffic. Now what happens if I right-click and I follow that TCP stream? Look at what I see. I see all sorts of good stuff. Let's go here. Does that look familiar? >> Hm. >> Look right here. Password, msfn, cuz it's plain text. I was on the wire, I was able to intercept that traffic. >> Brilliant. >> I now have elicited some username and password information, right? So working with Wiresharks, sniffing the wire is definitely a great idea, a lot of fun as well. I could do stuff and save or save without and quit without saving which is what I'm gonna do right now, cuz I don't want to save the file. I'll exit out of this. Not edit, Exit. There we go, Clear. And we can use tshark to capture from the command line. So it's basically like TCP dump on steroids. >> Which is the venerable command line version of gathering packets. Let me clear, and let's play a round with hping. Let me man it for you, man hping3. And it says, SYN almost Arbitrary TCP/IP packets to network hosts. And what we're doing, we're crafting packets. We can do a lot of cool stuff with it, let me scroll down here. Here's the description, hping3 is a network tool able to send customer TCP/IP packets and to display target replies like ping program does with ICMP replies. It handles fragmentation, arbitrary packet bodies, and size, and can be used in order to transfer files encapsulated in under supported protocols. Like I said, it is the bell of the ball here. Use HP3, you are able to test firewall rules, advanced port scanning, test network performance using different protocols, and the list goes on and on and on. A lot of stuff you can do with it. You've just gotta get creative. There's some typical things that you'll do with it, like try to ping a machine, change, do a port scan. You can actually use it to port scan with, right? So we'll do hping3 -v for verbosity, -s, which will give me the ability to, I'm setting the SYN flag in the pack, which is how you start a TCP conversation. Connected-Oriented/Flow Control=segment retransmission/Sequencing=Yes/Used for Webpages, Filesharing, DownloadingVoice Streaming, Video Streaming Connectionless/Flow Control=No windowing or retransmission/Sequencing=No/Used for Webpages, Filesharing, DownloadingVoice Streaming, Video Streaming

Compare and contrast UDP and TCP characteristics and features

TCP is connection-oriented, acknowledged, and sequenced and has flow and error control, while UDP is connectionless, unacknowledged, and not sequenced and provides no error or flow control.

Identify the private IP ranges

The Class A private address range is 10.0.0.0 through 10.255.255.255. The Class B private address range is 172.16.0.0 through 172.31.255.255. The Class C private address range is 192.168.0.0 through 192.168.255.255.

Collapsed Core (2-Tier)

The Collapsed core design is also referred to as 2-tier because it's only 2-layers. But in concept, it's like the 3-tier only less expensive and geared for smaller companies. The design is meant to maximize performance and user availability to the network, while still allowing for design scalability over time.

The three layers of hierarchy referred to as 3-tier network architecture

The Core Layer: The core layer is literally the core of the network. At the top of the hierarchy, this layer is responsible for transporting large amounts of traffic both reliably and quickly. The prime purpose of the network's core layer is to switch traffic as fast as possible. The traffic transported across the core is common to a majority of users, but user data is processed at the distribution layer, which forwards the requests to the core if needed. The Distribution Layer: The distribution layer is sometimes referred to as the workgroup or aggregation layer and is the communication point between the access layer and the core. The primary functions of the distribution layer are to provide routing, filtering, and WAN access and to determine how packets can access the core, if needed. The distribution layer must determine the fastest way that network service requests are handled—for instance, how a file request is forwarded to a server. After the distribution layer determines the best path, it forwards the request to the core layer if necessary. The core layer then quickly transports the request to the correct service. The Access Layer: The access layer controls user and workgroup access to internetwork resources and is sometimes referred to as the desktop layer. The network resources most users need are available locally because the distribution layer handles any traffic for remote services.

Differentiate between the DoD and the OSI network models

The DoD model is a condensed version of the OSI model, composed of four layers instead of seven, but is nonetheless like the OSI model in that it can be used to describe packet creation and devices and protocols can be mapped to its layers.

Define the Class A IP address range

The IP range for a Class A network is 1-126. This provides 8 bits of network addressing and 24 bits of host addressing by default.

Define the Class B IP address range

The IP range for a Class A network is 1-126. This provides 8 bits of network addressing and 24 bits of host addressing by default.

Define the Class B IP address range

The IP range for a Class B network is 128-191. Class B addressing provides 16 bits of network addressing and 16 bits of host addressing by default.

Define the Class C IP address range

The IP range for a Class C network is 192 through 223. Class C addressing provides 24 bits of network addressing and 8 bits of host addressing by default.

Identify what is contained in the TCP header of a connection-oriented transmission

The fields in the TCP header include the source port, destination port, sequence number, acknowledgment number, header length, a field reserved for future use, code bits, window size, checksum, urgent pointer, options field, and finally, the data field.

Identify what is contained in the UDP header of a connectionless transmission

The fields in the UDP header include only the source port, destination port, length, checksum, and data. The smaller number of fields as compared to the TCP header comes at the expense of providing none of the more advanced functions of the TCP frame.

Identify what is contained in the IP header

The fields of an IP header include version, header length, priority or type of service, total length, identification, flags, fragment offset, time to live, protocol, header checksum, source IP address, destination IP address, options, and finally, data.

There are two advantages to using routers in your network:

They don't forward broadcasts by default. They can filter the network based on layer 3 (Network layer) information such as an IP address.

leaf-and-spine topology

This design is still pretty old as of this writing, it's just not decades old! Here's how it works: Your typical data center has racks filled with servers. In the leaf-and-spine design, there are switches found at the top and end of each rack that connect to these servers, with a server connecting into each switch for redundancy. People refer to this as a top-of-rack (ToR) design because the switches physically reside at the top of a rack.

Things that commonly cause LAN traffic congestion

Too many hosts in a collision or broadcast domain Broadcast storms Too much multicast traffic Low bandwidth Adding hubs for connectivity to the network A bunch of ARP broadcasts

Identify Host-to-Host layer protocols

Transmission Control Protocol (TCP) is a connection-oriented protocol that provides reliable network service by using acknowledgments and flow control. User Datagram Protocol (UDP) is a connectionless protocol that provides low overhead and is considered unreliable

transparent bridging

What kind of bridge is it when devices on the network are unaware that the bridge is present? Name the type of bridging used on Ethernet networks. the learning of source addresses on incoming frames and adding them to the bridging table. After the table has been completed and when a frame is received on one of the bridge's interfaces, the bridge looks up the frame's destination address in its bridging table, and the frame is forwarded out the indicated port. If the destination is on a different segment, the frame can be transmitted only to that segment. This is called transparent bridging.

why breaking up a broadcast domain is so important

When a host or server sends a network broadcast, every device on the network must read and process that broadcast—unless you have a router. When the router's interface receives this broadcast, it can respond by basically saying, "no thanks," and discard the broadcast without forwarding it on to other networks. Even though routers are known for breaking up broadcast domains by default, it's important to remember that they break up collision domains as well.

Internetwork

You create an internetwork when you connect two or more networks via a router and configure a logical network addressing scheme with protocols like IP or IPv6.

Small Office Home Office Network (SOHO)

a network serving ~1-10 users

Layer 2 switching

considered hardware-based bridging because it uses specialized hardware called an application-specific integrated circuit (ASIC). ASICs can run up to high gigabit speeds with very low latency rates.

Next Generation Firewalls (NGFWs)

full layer-7 inspection, as though it's just a bump in the wire (meaning little delay), which is mostly true. However, it's totally true that every company, including Cisco, markets their devices like this. A basic firewall or NGFW can be placed to provide security in your network. Cisco has a Next Generation Firewall (NGFW) called Firepower that they acquired from a company called SourceFire in 2013. NGFWs are considered a third-generation firewall technology that provides full packet reassembly and deep-packet inspect up to and through layer 7. NGFW's are popular because they permit application visibility and control (AVC) as well as offer intrusion prevention system (IPS) policies, which help us look for attacks on known client vulnerabilities.

Latency

is the time measured from when a frame enters a port to when it exits a port.

Exam objectives

objectives themselves really only deal with comparing TCP to UDP, but I always want to make sure that we at least have a networking understanding of the OSI model. because a lot of times it's easy to just say, I can compare this to this and these are the only differences that I need. But to actually understand where they fit in is actually key. ou wanna make sure, of course, that you understand what the OSI model are in terms of the layers themselves, right? So whether it's backward or forward, you gotta make sure that you know them in the order that they actually appear. Now, also remember that this is a reference model. It means that we don't technically really apply this in terms of networking, but it's used in terms of describing how networking works. When we get dive into it, the true networking models that are out there are essentially TCP, okay, over IP. So TCP/IP is a true networking model, whereas this is a reference model for us. And it helps us to explain and learn more about networking. But saying that, right, and even though the exam itself is not focused in on the OSI model as much as it was in previous exams, it is something that you want to make sure that you already have underneath your belt. And now I can again remove my filter and start getting a look at maybe just HTTP traffic. So I can put a filter says HTTP.request, cuz I made a HTTP request. Hey look, there's all my HTTP requests and you can even see where it was going. And a lot of times you can right-click on one of these things and go to follow and follow TCP stream or UDP stream. And then it kind of recreates the conversation in red and blue based off of server and client, right? There we go, all right, so I've logged in. Guess what? I've captured that traffic. Not only that, but because of this I can go in here, I can clear out my filter and type in what? Telnet, show me telnet traffic. Now what happens if I right-click and I follow that TCP stream? Look at what I see. I see all sorts of good stuff. Let's go here. Does that look familiar? >> Hm. >> Look right here. Password, msfn, cuz it's plain text. I was on the wire, I was able to intercept that traffic. >> Brilliant. >> I now have elicited some username and password information, right? So working with Wiresharks, sniffing the wire is definitely a great idea, a lot of fun as well. I could do stuff and save or save without and quit without saving which is what I'm gonna do right now, cuz I don't want to save the file. I'll exit out of this. Not edit, Exit. There we go, Clear. And we can use tshark to capture from the command line. So it's basically like TCP dump on steroids. >> Which is the venerable command line version of gathering packets. Let me clear, and let's play a round with hping. Let me man it for you, man hping3. And it says, SYN almost Arbitrary TCP/IP packets to network hosts. And what we're doing, we're crafting packets. We can do a lot of cool stuff with it, let me scroll down here. Here's the description, hping3 is a network tool able to send customer TCP/IP packets and to display target replies like ping program does with ICMP replies. It handles fragmentation, arbitrary packet bodies, and size, and can be used in order to transfer files encapsulated in under supported protocols. Like I said, it is the bell of the ball here. Use HP3, you are able to test firewall rules, advanced port scanning, test network performance using different protocols, and the list goes on and on and on. A lot of stuff you can do with it. You've just gotta get creative. There's some typical things that you'll do with it, like try to ping a machine, change, do a port scan. You can actually use it to port scan with, right? So we'll do hping3 -v for verbosity, -s, which will give me the ability to, I'm setting the SYN flag in the pack, which is how you start a TCP conversation.

Switches

read each frame as it passes through the network. The layer 2 device then puts the source hardware address in a filter table and keeps track of which port the frame was received on. This information (logged in the bridge's or switch's filter table) is what helps the machine determine the location of the specific sending device.

creating an internetwork and breaking up broadcast domains for a growing network

to add more streets along with traffic control and even some basic security add routers because these convenient devices are used to connect networks and route packets of data from one network to another. By default, routers are basically employed to efficiently break up a broadcast domain