Chapter 4 - Communication and Network Security
Source Routing
Allows a sender of a packet to specify the route the packet takes through the network versus routers determining the path.
Honeypot
Network device that is intended to be exploited by attackers with the goal of gaining information on attack tactics, techniques, and procedures. Usually sits in the screened subnet, or DMZ, and attempts to lure attackers to it instead of the actual production servers. Two or more honeypots are called a honeynet.
Drive-by Download
Occurs when a user visits a website that is hosting malicious code and automatically gets infected. This exploits vulnerabilities in a user's browser or, more commonly, a browser plug-in. Most common and dangerous attack vector because it requires no user interaction besides visiting a website.
Crosstalk
Occurs when the signals on one wire affect the signals on an adjacent wire.
Firewall "Shoulds"
1) A firewall should implicitly deny any packets not explicitly allowed.
2) Any packet entering a network that has a source address of an internal host should be denied.
3) No traffic should be allowed to leave a network that does not have an internal source address (prevents zombies).
4) Reassemble fragmented packets before sending them on to their destination.
Three phases of Session Layer
1) Connection establishment 2) Data Transfer 3) Connection release
Intranet
Private network using web-based technologies only available inside its network.
IP Convergence
Allows various devices to communicate using IP technologies (e.g. VoIP).
Network Access Control (NAC)
Any set of policies and controls that are used to control network access. Should authenticate devices and ensure that endpoints are properly configured.
Reverse Proxy
Appears to clients as the original server. Commonly sits on the network that fulfills clients' requests; thus it handles traffic entering its network.
Session Initiation Protocol (SIP)
Application Layer protocol that can work over TCP or UDP. Used for voice over IP (VoIP). Two major components:
User Agent Client (UAC) - Application that creates the SIP requests for initiating a communication session.
User Agent Server (UAS) - SIP server which is responsible for handling all routing and signaling involved in VoIP calls.
Three types of servers:
Proxy server - used to relay packets within a network between the UACs and the UAS.
Registrar server - keeps a centralized record of the updated locations of all the users on the network.
Redirect server - allows SIP devices to retain their SIP identities despite changes in their geographic location.
Gateway
Application Layer software running on a device that connects two different environments and that often acts as a translator for them or somehow restricts their interactions.
End-to-End Encryption
Application Layer. The headers, addresses, routing, and trailer information are not encrypted. Advantages: Flexibility, higher granularity, each hop device doesn't need a key to decrypt each packet.
Endpoint
Any computing device that communicates through a network and whose principal function is not to mediate communications for another device.
Network Layer Encapsulation
Each protocol at a specific OSI layer on one computer communicates with a corresponding protocol at the SAME OSI layer on another computer.
Virtual LAN (VLAN)
Enable administrators to separate groups of computers logically based on resource requirements.
VLAN Hopping: allows attackers to gain access to traffic in VLAN segments.
Switch Spoofing: An attacker can have a computer act as a switch by understanding the tagging values and will have access to all traffic going back and forth.
Double Tagging: An attacker can insert VLAN tags to manipulate the control of traffic at the Data Link Layer.
Synchronous Digital Hierarchy (SDH)
European fiber carrier standard equivalent to SONET. A gateway is required for SDH and SONET to communicate.
Routing Protocols
Used by routers to identify a path between the source and destination systems.
VoIP Security Measures
1) Keep patches updated on each network device.
2) Identify unidentified or rogue devices (implement authentication).
3) Install and maintain stateful firewalls, VPNs, and IDS.
4) Disable unnecessary ports and services on routers, switches, PCs, and IP telephones.
5) Employ real-time monitoring that looks for attacks, tunneling, and abusive call patterns.
Modem
A device that modulates outgoing signals and demodulates incoming signals. (Modulator-demodulator) Note: Dial-up connections take place over PPP.
Layer 2 Tunneling Protocol (L2TP)
A Data Link Layer VPN protocol that combines the features of PPTP and Cisco's Layer 2 Forwarding Protocol (L2F). Tunnels PPP traffic over various network types (IP, ATM, X.25, etc.). Inherits PPP authentication (through PAP, CHAP, or EAP-TLS) and integrates with IPSec to provide confidentiality, integrity, and potentially another layer of authentication. Does not actually secure data itself; it just extends PPP connections by providing tunneling through networks that don't understand PPP.
Simple Network Management Protocol (SNMP)
A TCP/IP protocol that exchanges management information between networked devices. It allows network administrators to have a holistic view of the network and to remotely monitor, manage, and configure devices on the network. Consists of managers and agents. The manager is the server portion, which polls different devices to check status information. The agent is the piece of software that runs on a network device. The agent has a list of objects that it is to keep track of, which is stored in a Management Information Base (MIB).
Internet Control Message Protocol (ICMP)
A TCP/IP protocol that is used by devices to communicate updates or error information to other devices. Basically IP's "messenger boy". E.g. "Ping" is an ICMP echo request.
Dynamic Host Configuration Protocol (DHCP)
A UDP-based protocol that allows properly configured client computers to obtain IP addresses automatically from a DHCP server. Four stages:
1) A client computer sends a request (DHCPDISCOVER) to a DHCP server upon booting.
2) The DHCP server checks for available IP addresses and assigns one to the client in its response (DHCPOFFER).
3) The client then responds with a DHCPREQUEST packet confirming its acceptance of the allotted settings.
4) The DHCP server then sends a DHCPACK packet with the validity period.
DHCP considerably reduces the effort in maintaining large-scale IP networks.
Metro Ethernet
A WAN technology that sends Ethernet traffic across MAN connections.
Metropolitan Area Network (MAN)
A backbone that connects LANs to other LANs, WANs, the Internet, and telecom and cable networks. Typically SONET or FDDI.
Transparent Bridging
A bridge learns about a network's environment when powered on. It does this by examining incoming frames.
SOCKS Firewall
A circuit-level firewall that requires a SOCKS client on the computers.
Denial of Service (DoS)
A compromise of the availability of a web server. Results in a service or resource being degraded or made unavailable.
Screened Host (Firewall Architecture)
A firewall communicates directly with a perimeter router and the internal network. The router carries out filtering activities on the traffic before it reaches the firewall.
Open Proxy
A forwarding proxy that is open for anyone to use.
Extensible Authentication Protocol (EAP)
A framework that enables many types of authentication techniques to be used when establishing network connections. It extends the authentication possibilities from the norm (PAP, CHAP) to other methods, such as one-time passwords, token cards, biometrics, Kerberos, digital certificates, etc. When a user connects to an authentication server and they both have EAP capabilities, they negotiate from a longer list of authentication methods.
Routers
A layer 3 device that has two or more interfaces and a routing table so it knows how to get packets to their destination. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary. A router splits up a network into collision domains and broadcast domains. A router gives more clear-cut divisions between network segments than repeaters or bridges. Routers should be used when an administrator wants to divide a network along the lines of departments, workgroups, or other business divisions. A bridge divides segments based more on the traffic type and load.
When a router receives a packet:
1) A packet is received on one of the interfaces of a router. The router views the routing data.
2) The router retrieves the destination IP network address from the packet.
3) The router looks at its routing table to see which port matches the requested destination IP network address.
4) If the router does not have information in its table about the destination address, it sends out an ICMP error message to the sending computer indicating that the message could not reach its destination.
5) If the router does have a route in its routing table for this destination, it decrements the TTL value and sees whether the MTU is different for the destination network. If the destination network requires a smaller MTU, the router fragments the datagram.
6) The router changes header information in the packet so the packet can go to the next correct router, or, if the destination computer is on a connecting network, the changes made enable the packet to go directly to the destination computer.
7) The router sends the packet to its output queue for the necessary interface.
DomainKeys Identified Mail (DKIM)
A means to assert that valid mail is sent by an organization through verification of domain name identity. When a DKIM-signed message is received, the receiving server requests the sending domain's certificate through DNS and verifies the signature.
Domain Name Service (DNS)
A method of resolving hostnames to IP addresses so names can be used instead of IP addresses. Many companies maintain their own DNS servers to resolve internal hostnames. DNS namespaces are split up administratively into zones. Host name to IP address mapping is stored locally in a HOSTS file. This file should be set to read-only.
Internet Group Management Protocol (IGMP)
A multicast protocol used between clients and routers to let routers know which of their interfaces has a multicast receiver attached.
Hub
A multiport repeater. Also referred to as a concentrator.
Virtual Private Network (VPN)
A private data network that creates secure connections, or "tunnels," over regular Internet lines.
DHCP Snooping
A security feature on switches whereby DHCP messages on the network are checked and filtered.
Demilitarized Zone (DMZ)
A separate network located outside the organization's internal information system that permits controlled access from the internet. Isolation is created by multiple firewalls with differing configurations.
Dual Homed Firewall (Firewall Architecture)
A single computer with separate NICs connected to each network. Used to divide an internal trusted network from an external untrusted network. Must disable a computer's forwarding and routing functionality so the two networks are truly segregated.
Synchronous Data Link Control (SDLC)
A synchronous communication protocol used in networks that use dedicated leased lines with permanent physical connections. Developed for mainframes to communicate with remote locations.
Multipurpose Internet Mail Extensions (MIME)
A technical specification indicating how multimedia data and email binary attachments are to be transferred and handled at the destination.
Network Address Translation (NAT)
A technique that allows private IP addresses to be used on the public Internet. NAT hides internal addresses by centralizing them on one device. Any traffic leaving the network will have a source address of that device, not the actual sender. This provides a security benefit: if an attacker infiltrates a network, he cannot easily find out a company's address scheme.
Integrated Services Digital Network (ISDN)
A technology that enables data, voice, and other types of traffic to travel over a medium in a digital manner previously used only for analog voice transmission. Uses the same wires and transmission medium used by analog dial-up technologies, but works in a digital fashion. Provides a digital, point-to-point, circuit-switched medium and establishes a circuit between the two communicating devices. Provides two basic services:
Basic Rate Interface (BRI) - Operates over existing copper lines at the local loop and provides digital voice and data channels. Uses two B channels and one D channel for a total bandwidth of 144 Kbps.
Primary Rate Interface (PRI) - 23 B channels and 1 D channel for up to 1.544 Mbps.
Password Authentication Protocol (PAP)
A weak authentication protocol used to authenticate remote users over PPP. Requires users to enter a password. Passwords are sent in cleartext, so they can be easily sniffed. Also vulnerable to man-in-the-middle attacks. Has been replaced by the Extensible Authentication Protocol (EAP).
Proxy Servers
Act as an intermediary between clients that want access to certain services and the servers that provide those services.
Dedicated Links
Also called leased links or point-to-point links. A single link that is pre-established for the purposes of WAN communications between two destinations. Expensive and inflexible.
Internet Message Access Protocol (IMAP)
An Internet protocol that enables users to access mail on a mail server. IMAP provides all the functionalities of POP, but has more capabilities. If a user is using POP, when he accesses his mail server all messages are downloaded automatically. With IMAP he can download all messages or leave them on the mail server.
Simple Mail Transfer Protocol (SMTP)
An Internet-standard protocol that sits on top of TCP and is used for sending email messages between servers on IP networks. Because SMTP is generally used to send messages from a mail client to a mail server, you should specify both the POP or IMAP server and the SMTP server when configuring an email application.
Distributed Denial of Service (DDoS)
An attack that uses many hijacked computers or zombies to perform a DoS attack. Mitigated by using CDNs to distribute Internet points of presence around a wide area. Also, in the case of a SYN flood, you can use delayed binding.
Sender Policy Framework (SPF)
An e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, by verifying sender IP addresses.
Screened Subnet (Firewall Architecture)
An external router filters traffic before it enters the subnet. Traffic headed toward the internal network then goes through two firewalls. Typically, a DMZ created by two physical firewalls. This DMZ sits between the external screening device and the internal network with a firewall on each side.
X.25
An older WAN protocol that defines how devices and networks establish and maintain connections. Like frame relay, X.25 is a switching technology that uses carrier switches to provide connectivity for many different networks. It also provides any-to-any connection, meaning many users use the same service simultaneously. Uses high-level data link connections (HDLC).
Application-level vs Circuit-level Proxy Firewalls
Application-level:
1) Each protocol to be monitored requires a unique proxy.
2) Provides more protection than circuit-level.
3) Requires more processing per packet, so it's slower.
Circuit-level:
1) Doesn't require a proxy for every protocol.
2) Doesn't provide deep packet inspection.
3) Provides security for a wider range of protocols.
Software Defined Networking (SDN)
Approach to networking that relies on distributed software to provide unprecedented agility and efficiency. It becomes easier to dynamically route traffic to and from newly provisioned services and platforms. Whereas traditional networking relies on network devices that coordinate with one another in a mostly decentralized manner, SDN centralizes the configuration and control of devices.
Sniffing
Attack on confidentiality through network eavesdropping.
ARP Table Cache Poisoning
Attacker inserts incorrect information into an ARP table. Goal is to receive packets intended for someone else.
Routing Protocol Attacks
Attacks are usually successful when routing protocol authentication is not enabled. In this environment a router can accept routing updates without knowing whether or not the sender is a legitimate router. Countermeasures to this involve authentication and encryption.
DNS Security (DNSSEC)
Authentication mechanisms for DNS servers that use PKI and digital signatures, allowing DNS servers to validate the origin of a message.
Three Levels of QoS
Best-effort Service: No guarantee of throughput, delay, or delivery. Traffic that has priority will go before other traffic. Most common classification for Internet traffic.
Differentiated Service: More bandwidth, shorter delays, and fewer dropped frames than Best-effort.
Guaranteed Service: Ensures specific data throughput at a guaranteed speed. For time-sensitive data.
High-Level Data Link Control (HDLC)
Bit-oriented link layer protocol used for serial device-to-device WAN communication.
Broadcast Storms
Bridges can forward all traffic, including broadcast packets. This can overwhelm the network.
Pressurized Conduit
Can be used in high-security environments. Any attempt to access cables will result in a loss of pressure, sounding an alarm.
Quality of Service (QoS)
Capability that allows a protocol to distinguish between different classes of messages and assign priority levels (higher priority to time-sensitive data).
Key Ring
In PGP, each user keeps a collection of keys from trusted users. Each key has a rating reflecting the degree of trust.
Next-Generation Firewall (NGFW)
Combines the best attributes of other firewalls and adds improvements (e.g. a signature-based IPS engine). Can share signatures with a cloud-based aggregator and can connect to external data sources such as Active Directory, whitelists, blacklists, etc. Typically the cost of ownership makes this type infeasible for small and medium-sized companies.
Switch
Combines the functionality of a repeater and a bridge. It amplifies electrical signals like a repeater and has the built-in circuitry and intelligence of a bridge. It is a multiport bridging device, and each port provides dedicated bandwidth to the connected device. Switches send frames directly to a destination computer, reducing traffic. When switches are used, contention and collisions are not issues. Switches work at the Data Link Layer and forward traffic based on MAC addresses.
Switching Types
Circuit Switching: Sets up a virtual connection that acts like a dedicated link between two systems.
1) Connection-oriented virtual links
2) Traffic travels in a predictable and constant manner
3) Fixed delays
4) Usually carries voice-oriented data
Packet Switching: Packets from one device can pass through a number of different devices instead of them all following one another.
1) Packets can use many different dynamic paths to get to the same destination
2) Traffic is usually bursty in nature
3) Variable delays
4) Usually carries data-oriented data
Classful vs Classless Addressing
Classful or classical IP addresses use traditional subnet masks. If an organization creates subnets that don't follow the traditional sizes then it uses classless IP addresses.
Time Division Multiplexing (TDM)
Puts several signals on one line by interleaving the time windows.
Multilayer Switches
Combine Data Link Layer, Network Layer, and other functionalities.
Multiservice Access Technologies
Combine several types of communication categories (data, voice, video) over one transmission line. Provide higher performance, reduced operational costs, greater flexibility, integration, and control for administrators.
Four Types of QoS
Constant Bit Rate (CBR): Connection-oriented channel that provides a constant data throughput for time-sensitive applications.
Variable Bit Rate (VBR): Connection-oriented channel best used for delay-insensitive applications because throughput is uneven.
Unspecified Bit Rate (UBR): Connectionless channel that does not promise a specific throughput.
Available Bit Rate (ABR): Connection-oriented channel that allows the bit rate to be adjusted.
Kernel Proxy Firewalls
Creates dynamic, protocol-specific, customized network stacks when a packet needs to be evaluated. Scrutinizes packets at every layer. Faster than application-level proxy firewalls because all of the processing takes place in the kernel instead of being sent up to a higher software level in the OS.
Pretty Good Privacy (PGP)
Cryptographic protection of email and files. Can use RSA public key encryption for key management and the IDEA symmetric cipher for bulk encryption of data, although the user can pick different algorithms. PGP can provide confidentiality by using the IDEA encryption algorithm, integrity by using the MD5 hash algorithm, authentication by using public key certificates, and nonrepudiation by using cryptographically signed messages. Doesn't use CAs. Instead uses a "web of trust": each user generates and distributes his or her public key, and users sign each other's public keys, which creates a community of users who trust one another.
Link Encryption
Data Link and Physical Layers. Encrypts all the data along a specific communication path using hardware. Not only is the user information encrypted, but the header, trailer, addresses, and routing data that are part of packets are also encrypted. The only data not encrypted in this technology is the data link control messaging information. This offers traffic-flow security. Each hop device needs a key. Each hop is a point of vulnerability.
Point-to-Point Protocol (PPP)
Data Link protocol that carries out framing and encapsulation for point-to-point connections. Common protocol for telecom devices. Point-to-point line devices that connect individual systems to the Internet don't understand IP, so the traffic that travels over these links has to be encapsulated in PPP.
WAN Technology Summary
Dedicated Line: Connects two locations. Expensive. Secure because only two locations are using the connection.
Frame Relay: High-performance WAN protocol that uses packet switching and works over public networks. Shared media among companies. Uses SVCs and PVCs. Fee based on bandwidth use.
X.25: First packet-switching technology developed to work over public networks. Lower speed than Frame Relay because of extra overhead. Uses SVCs and PVCs. Basically obsolete.
ATM: High-speed bandwidth switching and multiplexing technology that has a low delay. Uses fixed-size cells. Very fast because of low overhead.
SDLC: Enables mainframes to communicate with remote offices. Provides a polling mechanism to allow primary and secondary stations to communicate.
HDLC: Data encapsulation method for synchronous serial links. Point-to-point and multipoint communication.
PPP: Data encapsulation method for synchronous and asynchronous links. Point-to-point and multipoint communication.
HSSI: DTE/DCE interface to enable high-speed communication over WAN links.
T-carriers
Dedicated lines that can carry voice and data information over trunk lines. Commonly T1 and T3 lines.
Copper Distributed Data Interface (CDDI)
Deployment of FDDI using UTP cabling. This reduces the maximum segment length to 100 meters and is susceptible to interference. Where FDDI is suitable for MAN, CDDI is suitable for LAN.
Distance-Vector vs Link-State
Distance-vector protocols make routing decisions based on the distance (or number of hops) and a vector (direction). Link-state protocols build a more accurate routing table because they build a topology database of the network. They use packet size, link speed, delay, network load, and reliability.
Dynamic vs Static Routing Protocols
A dynamic routing protocol can discover routes, build a routing table, and update the table based on network changes. A static routing protocol requires the administrator to manually configure the router's routing table.
E-Carriers
E1 and E3 lines, which are the European equivalents to T1 and T3.
Extranet
Extends outside of the bounds of the company's network to enable two or more companies to share common information and resources.
Dynamic Packet Filtering Firewall
Firewall that protects the dynamic ports (higher than 1023). It builds an ACL that allows external entities to communicate with internal entities via high-numbered ports. ACLs are dynamic so once a connection is finished it is removed from the list. Benefit is that you can allow any type of traffic outbound and only response traffic inbound.
Phishing vs Spear Phishing vs Whaling
Phishing: Social engineering attack that is carried out through maliciously crafted emails. Spear Phishing: Phishing aimed at a specific group of individuals. Whaling: Phishing aimed at a C-level target.
DNS Hijacking
Forces the victim to use a malicious DNS server. Particularly useful for man-in-the-middle attacks.
Secure Shell (SSH)
Functions as a type of tunneling mechanism that provides terminal-like access to remote computers. Two computers go through a handshaking process and exchange (via Diffie-Hellman) a session key that will be used during the session to encrypt and protect data.
HTTP Secure (HTTPS)
HTTP running over SSL or TLS technologies which encrypt the HTTP traffic.
Layer 3 Switch
Has the intelligence of a router and can route packets based on their IP address. "Router on steroids." The difference between Layer 2, 3, and 4 switches is the header information they look at to make routing decisions. Switches make it more difficult for intruders to sniff network traffic because no broadcast and collision information is continually traveling throughout the network.
Digital Subscriber Line (DSL)
High-speed connection technology used to connect a home or business to the service provider's central office. It can provide 6 to 30 times higher bandwidth than ISDN. Uses existing phone lines and provides a 24-hour connection at rates up to 52 Mbps. You must be within a 2.5-mile radius of the DSL service provider's equipment.
Optical Carriers
High-speed fiber-optic connections are measured in optical carrier (OC) transmission rates. The transmission rates are defined by the rate of the bit stream of the digital signal and are designated by an integer multiple of the basic unit rate. OC-1 is 51.84 Mbps, OC-3 is 155.52 Mbps, etc.
Asynchronous Transfer Mode (ATM)
High-speed network topology that is used in WAN implementations by carriers, ISPs, and telephone carriers. Connection oriented. Sets up virtual circuits which act as dedicated paths between source and destination, providing guaranteed bandwidth and QoS. Encapsulates data in fixed cells which provide better performance and lower overhead. Used to deliver data over a SONET network. SONET is the highway, ATM is the cars.
Attacks Using ICMP
ICMP tunneling: Insertion of data into an ICMP packet. Attackers can use ICMP to redirect traffic; this traffic can go to an attacker's dedicated system. ICMP is used by routers to update each other on network link status, so bogus information could make routers divert traffic. Mitigation includes proper firewall configuration which would only allow certain ICMP packets.
Router Hierarchy
If a router does not know the necessary path to a requested destination, that router passes the packet up to a router above it. The router above it knows about all routers below it.
Autonomous System (AS)
Individual networks on the Internet.
Spread Spectrum
Individual signals are distributed across the allocated frequencies.
Bridge
LAN device used to connect LAN segments. It works at the Data Link Layer and therefore works with MAC addresses. When a frame arrives at a bridge, the bridge determines whether the destination MAC address is on the local network segment or needs to be forwarded to another segment. Bridges are used to divide overburdened networks into smaller segments to ensure better use of bandwidth. Bridges can do simple filtering and separate collision domains, but not broadcast domains.
IEEE 802.1AR
Layer 2 (Data Link) Security Standard that specifies unique per-device identifiers (DevID) and the management and cryptographic binding of a device (router, switch, access point) to its identifiers. 802.1AR defines a globally unique per-device secure identifier cryptographically bound to the device through the use of public cryptography and digital certificates. Authentication data consists of a digital certificate and a hardware identity associated with the device.
Three Types of Bridges
Local: Connects two or more LAN segments within a local area.
Remote: Connects two or more LAN segments over a MAN using telecom links.
Translation: Needed if the two LANs being connected are different types and use different standards.
Packet-Filtering Firewall
Makes access decisions based upon network-level protocol header values. Only capable of reviewing protocol header information at the Network and Transport Layers (e.g. source/destination IP addresses, source/destination port numbers, protocol types, inbound (ingress filtering) and outbound (egress filtering) traffic direction). Uses ACLs. Weaknesses:
1) Can only block attacks at the network protocol level. Ineffective against application-level attacks.
2) Limited logging.
3) Typically don't support advanced user authentication.
4) Typically can't detect spoofed addresses.
5) May not stop packet fragmentation attacks.
Email Spoofing
Malicious users forge an email by modifying its header in order to make it appear to be from a legitimate source. This is caused by a lack of security features in SMTP. SMTP authentication (SMTP-AUTH) was developed to provide an access control mechanism.
Fiber Distributed Data Interface (FDDI)
Media Access Technology at the Data Link Layer. ANSI standard based on IEEE 802.4. High-speed, token-passing technology with transmission speeds of up to 100 Mbps, usually used as a backbone network using fiber-optic cabling. FDDI also provides fault tolerance. It can work at high speeds over long distances with minimal interference. Consists of two rings. The primary ring has data traveling clockwise and is used for regular data transmission. The secondary ring transmits data in a counterclockwise fashion and is invoked only if the primary ring goes down. Sensors watch the primary ring and, if it goes down, invoke a ring wrap so the data will be diverted to the second ring. FDDI allows for multiple tokens to be present on the ring at a time, causing more communication to take place simultaneously.
Token Ring
Media Access Technology at the Data Link Layer. Transmission speeds 4-16 Mbps. Uses token-passing technology with a star-configuration topology. Each computer is connected to a central hub called a Multistation Access Unit (MAU). Signals travel in a logical ring. An active monitor mechanism removes frames so they aren't continuously circulating on the network. With the beaconing mechanism, if a computer detects a problem with the network, it sends a beacon frame. This frame generates a failure domain, which is between the computer that issued the beacon and its neighbor downstream.
Proxy
Middleman. It intercepts and inspects messages before delivering them to intended recipients.
Frame Relay
Mostly obsolete WAN technology that operates at the Data Link Layer and uses packet-switching technology to let multiple companies and networks share the same WAN medium, devices, and bandwidth. Two equipment types:
DTE - Usually a customer-owned device, such as a router or switch, that provides connectivity between a company's own network and the frame relay network.
DCE - Service provider's device that does the actual data transmission and switching in the frame relay cloud.
With frame relay, users share bandwidth on the FR cloud. If traffic increases, the available bandwidth decreases.
Content Distribution Network (CDN)
Multiple servers distributed across a large region, each of which provides content that is optimized for users closest to it. Provides protection against DDoS attacks.
MIME type
Multipurpose Internet Mail Extensions. Description included in the message header which details how a file should be decoded and opened.
MAC Address vs IP Address
On a TCP/IP network, each computer and network device requires a unique IP address and a unique physical address. Each Network Interface Card (NIC) has a unique physical address programmed into ROM. This physical address is called its Media Access Control (MAC) address. The Network Layer works with and understands IP addresses, and the Data Link Layer works with and understands MAC addresses. Note: The first 24 bits of a MAC address represent the manufacturer and the last 24 bits represent the unique serial number assigned by the manufacturer.
Forwarding Proxy
One that allows the client to specify the server it wants to communicate with. Common on internal networks controlling traffic exiting the network.
OSI Definition and Layers
Open Systems Interconnection. 7 - Application Layer; 6 - Presentation Layer; 5 - Session Layer; 4 - Transport Layer; 3 - Network Layer; 2 - Data Link Layer; 1 - Physical Layer. Mnemonic: "All People Seem To Need Data Processing"
Flooding
Overwhelms a target computer with packets until it is unable to process legitimate user requests (e.g. SYN flooding, which exploits the three-way handshake of TCP).
Tunneling Protocol Summary
PPTP: Works in a client/server model. Extends and protects PPP connections. Works at the Data Link Layer. Transmits over IP networks only. Used when PPP needs to be extended through an IP-based network. L2TP: Hybrid of L2F and PPTP. Extends and protects PPP connections. Works at the Data Link Layer. Transmits over multiple types of networks, not just IP. Combines with IPSec for security. Used when PPP needs to be extended through a non-IP-based network. IPSec: Handles multiple VPN connections at the same time. Provides secure authentication and encryption. Supports only IP networks. Focuses on LAN-to-LAN communication rather than user-to-user communication. Works at the Network Layer and provides security on top of IP. Used to protect IP-based traffic and is commonly used in gateway-to-gateway connections. TLS: Works at the Session Layer and protects mainly web and email traffic. Granular access control and configuration are available. Easy deployment since TLS is already embedded into web browsers. Can only protect a small number of protocol types, thus is not an infrastructure-level VPN solution. Used when a specific application layer traffic type needs protection.
Firewall Types
Packet Filtering: Network Layer. Looks at destination/source addresses, ports, and services. Routers use ACLs to monitor network traffic. Stateful: Network Layer. Looks at the state and context of the packets. Keeps track of each conversation using a state table. Application-level Proxy: Application Layer. Looks deep into packets and makes granular decisions. Requires one proxy per protocol. Circuit-level Proxy: Session Layer. Looks only at packet header information. Protects a wider range of protocols and services than an application-level proxy, but does not provide the same detailed level of control. Dynamic Packet Filtering: Network Layer. Allows any permitted type of traffic outbound and only response traffic inbound. Kernel Proxy: Application Layer. Faster because processing is performed in the kernel. One network stack is created for each packet. Next-generation: Multiple Layers. Very fast and supportive of high bandwidth. Built-in IPS. Able to connect to external services.
Voice over IP (VoIP)
Packet-oriented switching technology for voice communication. Four components: IP telephony device, a call-processing manager, a voicemail system, and a voice gateway (carries out packet routing).
Address Resolution Protocol (ARP)
Part of the TCP/IP protocol suite for determining the MAC address based on the IP address. The Data Link Layer doesn't understand IP addresses, so it enlists ARP for help. ARP broadcasts a frame requesting the MAC address corresponding to a specific IP address. The computer matching the specified IP address responds with its MAC address. This mapping is stored in a table (the ARP cache).
High-Speed Serial Interface (HSSI)
Physical Layer interface used to connect multiplexers and routers to high-speed communications services such as ATM and frame relay.
Private Branch Exchange (PBX)
Private telephone switch that is located on a company's property. Combines different types of data on the same lines (e.g. analog voice, digital voice, data).
Hypertext Transfer Protocol (HTTP)
Protocol of the Web. Sits on top of TCP/IP. Stateless. Sends requests to web servers.
Converged Protocols
Protocols that started off independent and distinct from one another but over time converged to become one.
Cable Modems
Provide high-speed access to the Internet through existing cable coax and fiber lines.
Public Switched Telephone Network (PSTN)
Regular phone system. Uses circuit switching instead of packet switching.
Network device summary
Repeater: Physical Layer. Amplifies the signal and extends networks. Bridge: Data Link Layer. Forwards packets and filters based on MAC addresses; forwards broadcast traffic but not collision traffic. Router: Network Layer. Separates and connects LANs, creating internetworks; routers filter based on IP addresses. Switch: Data Link Layer. Provides a private virtual link between communicating devices; allows for VLANs; reduces collisions; impedes network sniffing. Gateway: Application Layer. Connects different types of networks; performs protocol and format translations.
Repeater
Repeats electrical signals between cable segments. This enables it to extend a network. Repeaters work at the Physical Layer and can amplify signals.
CSU/DSU (Channel Service Unit/Data Service Unit)
Required when digital equipment is connected to a LAN or WAN. A CSU/DSU device sits between a router and a WAN. The DSU converts digital signals from routers, switches, and multiplexers into signals that can be transmitted over the service provider's digital lines. The DSU ensures that the voltage levels are correct and that information is not lost during this conversion. The CSU connects the network directly to the service provider's line. The CSU/DSU provides a digital interface for data terminal equipment (DTE). The CSU/DSU basically works as a translator and at times a line conditioner.
Interior Routing Protocols
Route traffic within the same autonomous system (AS). Routing Information Protocol (RIP): Outlines how routers exchange routing table information and is considered a distance-vector protocol. Open Shortest Path First (OSPF): Uses link-state algorithms to send out routing table information. The use of these algorithms allows for smaller, more frequent routing table updates. This provides a more stable network than RIP, but requires more memory and CPU resources. Interior Gateway Routing Protocol (IGRP): Distance-vector routing protocol proprietary to Cisco. Enhanced Interior Gateway Routing Protocol (EIGRP): Distance-vector routing protocol proprietary to Cisco. Allows for faster routing table updates than IGRP and minimizes routing instability. Virtual Router Redundancy Protocol (VRRP): Used on networks that require high availability, where routers as single points of failure cannot be tolerated. Intermediate System to Intermediate System (IS-IS): Link-state protocol that allows each router to independently build a database of the network's topology.
Virtualized Networks
Routers and switches can be virtualized. Software products can be deployed to carry out routing and switching functionality. The biggest weakness is the hypervisor: if it is compromised, an attacker would have access to all virtualized devices and networks within it.
Routers vs Bridges
Routers work at the Network Layer and filter packets based on IP addresses. Bridges work at the Data Link Layer and filter frames based on MAC addresses. Routers usually don't pass broadcast information, but bridges do. If two LANs are connected with a bridge, the LANs have been extended because they are both in the same broadcast domain. A router separates broadcast domains, so if two LANs are connected with a router, an internetwork results.
IP Telephony Issues
SIP-based signaling suffers from a lack of encrypted call channels and authentication of control signals. Toll fraud - where an attacker obtains credentials and makes unauthorized calls.
Ping of Death
Sends a single oversized ICMP Echo Request, exploiting the fact that early network stacks didn't enforce the maximum ICMP packet length of 65,535 bytes.
Dialog Management
Session Layer process that provides session restart and recovery if necessary, as well as the overall maintenance of the session.
Firewall Rules
Silent Rule: Drops "noisy" traffic without logging it, saving log space that unimportant traffic would otherwise consume. Stealth Rule: Disallows access to firewall software from unauthorized systems. Cleanup Rule: Last rule in the rule base. Drops and logs any traffic that does not match a preceding rule. Negate Rule: Used instead of the broad and permissive "any" rules; provides tighter permission rights by specifying which systems can be accessed and how.
Unified Threat Management (UTM)
Single network appliance that provides unified security functions (IDS/IPS, antimalware, antispam, etc.). Issues include: 1) Single point of failure for traffic; needs redundancy. 2) Single point of compromise. 3) Performance issues.
Types of Devices on FDDI
Single-attachment station (SAS): Attaches to only one ring through a concentrator. Dual-attachment station (DAS): Has two ports, and each port provides a connection for both the primary and secondary rings. Single-attachment concentrator (SAC): Concentrator that connects an SAS device to the primary ring. Dual-attachment concentrator (DAC): Concentrator that connects DAS, SAS, and SAC devices to both rings.
Synchronous Optical Network (SONET)
Standard for connecting fiber-optic transmission systems. SONET is self-healing, meaning that if a break in the line occurs it can use a backup redundant ring to ensure transmission continues. All SONET lines and rings are fully redundant.
Secure Multipurpose Internet Mail Extensions (S/MIME)
Standard for encrypting and digitally signing email and for providing secure data transmission by extending MIME and adding security features.
H.323 Gateway
Standard that deals with video, real-time audio, and data packet-based transmissions where multiple users can be involved in the data exchange.
Proxy Firewalls
Stands between a trusted and an untrusted network. A proxy firewall breaks the communication channel; there is NO direct connection between the two devices. Session Layer: "Circuit-level proxy". Can only make decisions up to the Session Layer and can't perform "deep" packet inspection. Application Layer: "Application-level proxy". An application-level proxy firewall has one proxy per protocol. Application-level Pros: 1) Extensive logging capabilities. 2) Can authenticate users directly. 3) Can address spoofing attacks. Application-level Cons: 1) Not generally suited for high-bandwidth or real-time applications. 2) Limited in terms of support for new network applications and protocols. 3) Can create performance issues because of per-packet processing requirements.
Stateful Firewall
Stateful inspection. Keeps track of what packets went where until each connection is closed. Maintains a state table keeping track of who said what to whom. Has a hard time keeping track of UDP traffic because UDP is stateless. Better protection, but more complex.
NAT Implementations
Static Mapping: Each private address is statically mapped to a public address. Dynamic Mapping: Assigns public addresses on a first-come, first-served basis. Port Address Translation (PAT): Changes the source address to a given public IP address, and the source port used maps back to the actual private IP address.
Other Multiplexing Types
Statistical time-division multiplexing (STDM): Analyzes statistics related to the workload of devices and allocates time slots accordingly. Frequency-division multiplexing (FDM): A broadband channel is divided into subchannels for data transfer. Wave-division multiplexing (WDM): Used in fiber-optic communication. Multiplexes optical carriers onto a single optical fiber.
Internet Protocol Security (IPSec)
Suite of protocols developed specifically to protect IP traffic. IPSec works at the Network Layer. Four main protocols make up IPSec: Authentication Header (AH) - Provides data integrity, data-origin authentication, and protection from replay attacks. Encapsulating Security Payload (ESP) - Provides confidentiality, data-origin authentication, and data integrity. Internet Security Association and Key Management Protocol (ISAKMP) - Provides a framework for security association creation and key exchange. Internet Key Exchange (IKE) - Provides authenticated keying material for use with ISAKMP. IPSec stores VPN parameters in Security Associations (SAs).
OSI Model Vs. TCP/IP Model
The TCP/IP model consists of four layers: 1) Application 2) Host-to-host 3) Internet 4) Network Access. The Application layer of the TCP/IP model combines the Application, Presentation, and Session layers of OSI. Host-to-host corresponds to the Transport layer of OSI. Internet corresponds to the Network layer of OSI. Network Access combines the Data Link and Physical layers of OSI.
Cookies
Text files that a browser maintains on a user's hard drive or in a memory segment. Cookies have different uses, and some are used for demographic and advertising information. They help HTTP (a stateless protocol) retain memory between connections. Cookies can have timestamps, which can cause secure connections to time out.
802.16
The IEEE standard for broadband wireless metropolitan area networks (MANs), also known as WiMAX. This is referred to as broadband wireless access.
Internet vs Web
The Web is the collection of HTTP servers that hold and process the websites we see. The Internet is the collection of physical devices and communication protocols used to reach these websites.
Cyber Squatting
The act of registering a domain name that is the same as, or confusingly similar to, the trademark of another and then offering to sell that domain name back to the trademark owner.
Electronic Data Interchange (EDI)
The computer-to-computer exchange of business documents from a retailer to a vendor and back.
Wormhole Attack
This takes place when an attacker captures packets at one location in the network and tunnels them to another location in the network for a second attacker to use against a target system. Attacker A could capture an authentication token and send this token to attacker B. Countermeasures include using a leash, which is just data put into a header to restrict a packet's transmission distance or lifetime.
TCP Handshake
Two hosts agree on certain parameters: data flow, windowing, error detection, and options. 1) Host A sends a SYN (synchronization) packet. 2) Host B sends a SYN/ACK (synchronization/acknowledgment) packet. 3) Host A sends an ACK packet.
Transmission Methods
Unicast: Packet goes from one source computer to one particular system. Multicast: Packet goes from one source computer to a specific group of systems. Broadcast: Packet goes from one source computer to all computers on a subnet.
Relay Agent
Used by mail servers to send a message from one mail server to another. This agent needs to be properly configured to avoid being used for relaying spam.
Exterior Routing Protocols
Routing protocols used by routers connecting different ASs are referred to as Exterior Gateway Protocols (EGPs). The Border Gateway Protocol (BGP) enables routers in different ASs to share routing information to ensure effective and efficient routing between ASs.
Firewall
Used to restrict access to one network from another network by enforcing a company's security policy. Packets are monitored coming into and going out of the network it protects.
Challenge Handshake Authentication Protocol (CHAP)
Uses a challenge-response mechanism instead of having a user send a password over the wire. The server sends a random number (the challenge), which the user encrypts using the password as an encryption key; the encrypted challenge is returned. The server decrypts the challenge using the password and compares the value. Not vulnerable to man-in-the-middle attacks because the challenge/response activity continues throughout the session.
Secure Sockets Layer (SSL)
Uses public key encryption and provides data encryption, server authentication, message integrity, and optional client authentication. The client generates a session key and encrypts it with the server's public key. Lies beneath the Application Layer and above the Network Layer (consisting of two separate protocols, one upper and one lower). For the purposes of the CISSP exam, say it works at the Transport Layer. Proprietary in nature.
Virtual Circuits
Virtual connection for Frame Relay and X.25 frames. Types: Permanent Virtual Circuit (PVC): Programmed in advance. Works like a private line for a customer with an agreed-upon bandwidth. Switched Virtual Circuit (SVC): Circuit is quickly built when needed and torn down afterward.
Point-to-Point Tunneling Protocol (PPTP)
Was the de facto standard for VPN software. Data Link Layer protocol for authentication and encryption. Can only handle one connection at a time, so it can be used for system-to-system communication but not gateway-to-gateway communication. Only works on IP networks. Does not actually secure the data itself; it just extends PPP connections by providing tunneling through networks that don't understand PPP.
TCP Session Hijacking
When an attacker takes control of an existing TCP session. If the attacker can determine the TCP sequence number, he can fool the host computer, send his own messages, and hijack the session.
Control Plane
Where the internetwork routing decisions are made. Responsible for discovering network topologies and maintaining a table of routes for outbound packets.
Forwarding Plane
Where traffic forwarding decisions are made. The control plane is the strategic planner of traffic routing and the forwarding plane is the fast executioner of those plans. The forwarding plane lives on network devices and the control plane lives in a centralized SDN controller.
Transport Layer Security (TLS)
Works at the Session Layer of the network stack and is used to protect HTTP traffic. Non-proprietary version of SSL (with security improvements).
Post Office Protocol (POP)
An Internet mail server protocol that supports incoming and outgoing messages. A mail server using POP, apart from storing and forwarding e-mail messages, works with SMTP to move messages between mail servers.
Best Practices for WLANs
1) Change the default SSID. Each AP comes configured with a preconfigured default SSID. 2) Implement WPA2 and 802.1X to provide centralized user authentication (e.g. RADIUS, Kerberos). 3) Use separate VLANs for each class of users. 4) If you support unauthenticated users (e.g. visitors), ensure they are connected to an untrusted VLAN that remains outside of your network's perimeter. 5) Deploy a wireless intrusion detection system (WIDS). 6) Physically put the AP at the center of the building. 7) Logically put the AP in a DMZ with a firewall between the DMZ and the internal network. Allow the firewall to investigate the traffic before it gets to the wired network. 8) Implement a VPN for wireless devices. 9) Configure the AP to allow only known MAC addresses into the network. Allow only known devices to authenticate. 10) Carry out penetration tests on the WLAN.
Bluetooth Wireless
1- to 3-Mbps transfer rate and works in a range of 1, 10, or 100 meters. Works in the 2.4-GHz range.
Ethernet Types
10Base-T: Uses Cat3 UTP cables. 10 Mbps. 100Base-TX, "Fast Ethernet": Uses Cat5 UTP cables. 100 Mbps. Uses CSMA/CD. 1000Base-T, "Gigabit Ethernet": Uses Cat5 UTP cables. 1,000 Mbps. 10GBase-T: Uses Cat6a UTP cables. 10,000 Mbps. Hasn't seen widespread adoption because of its cost-to-performance ratio.
802.1X EAP-TLS Framework
802.1AR provides a unique ID for a device. 802.1AE provides data encryption, integrity, and origin authentication functionality. 802.1AF carries out key agreement functions for the session keys used for data encryption.
Multiprotocol Label Switching (MPLS)
A WAN technology popular among service providers. MPLS performs label switching to forward traffic within an MPLS cloud by inserting a 32-bit header (which contains a 20-bit label) between a frame's Layer 2 and Layer 3 headers and making forwarding decisions based on the label within the MPLS header.
Internet Protocol (IP)
A connectionless network layer protocol that provides datagram routing services. IP's main task is to support internetwork addressing and packet routing. It envelops data passed to it from the transport layer and addresses it with source and destination IP addresses.
Collision Domains
A group of computers that are competing for the same shared communication medium. The more devices on a network, the higher the likelihood of collisions, which increases latency. Collision domains are broken up by bridges, which allow broadcast traffic to pass between different parts of a subnet but not collisions.
Fibre Channel over Ethernet (FCoE)
A high-speed storage network protocol that encapsulates Fibre Channel frames over Ethernet networks.
Distributed Network Protocol 3 (DNP3)
A multilayer communications protocol designed for use in SCADA systems, particularly those within the power sector, that does not include routing functionality.
Controller Area Network (CAN)
A multilayer protocol designed to allow microcontrollers and other embedded devices to communicate with each other on a shared bus.
Supervisory Control and Data Acquisition (SCADA)
A network that includes software, servers, and communication channels. SCADA is responsible for acquiring real-time data from a physical system and managing the physical system or presenting the data to humans, who monitor and manage the system through remote terminal units (RTUs). RTUs aggregate data from one or more devices and relay it to the SCADA master, which includes a human-machine interface (HMI) component.
Network Protocol
A standard set of rules that determines how systems will communicate across networks.
TCP/IP Model
A suite of protocols that governs the way data travels from one device to another.
Very Small Aperture Terminal (VSAT)
A two-way data communications service performed by a satellite system in which the ground stations use non-shared satellite dishes.
SYN Flood
A type of DoS where an attacker sends a large number of SYN request packets to a server in an attempt to deny service. When a server gets a SYN packet it has to allocate a certain amount of resources to manage the new connection. Mitigation: SYN caches, which delay the allocation of a socket until the handshake is complete.
Temporal Key Integrity Protocol (TKIP)
Addresses deficiencies of WEP pertaining to static WEP keys by feeding in keying material which can be used to make dynamic keys. This adds the ability to rotate encryption keys. Additionally, it addresses the inadequate use of IV values by increasing the length of the IV value and ensuring that every frame has a different IV value. This IV value is combined with the transmitter's MAC address and the original WEP key, so even if the WEP key is static, the resulting encryption key will be different for each and every frame.
802.11j
Allows for better interoperability across borders.
Classless Inter-Domain Routing (CIDR)
Allows network administrators to expand the number of network nodes assigned to an IP address range. Provides the flexibility to increase or decrease the class sizes as necessary. Also known as "supernetting".
802.11f
An 802.11 amendment that addressed problems introduced when wireless clients roam from one AP to another: the station needs to re-authenticate with the new AP, which in some cases introduced a delay that would break the application connection. This amendment improves the sharing of authentication information between APs.
Wired Equivalent Privacy (WEP)
An IEEE 802.11 security protocol (Data Link Layer) designed to ensure that only authorized parties can view transmitted wireless information. WEP has significant vulnerabilities and is not considered secure. Devices on WEP can authenticate in two main ways: Open System Authentication (OSA) - No key involved. Typically the device just needs to provide the correct Service Set ID (SSID) value. Occurs in cleartext because no encryption is involved. Shared Key Authentication (SKA) - The AP sends a random number. The wireless device encrypts the number with an encryption key and sends it back. The AP decrypts the number and compares it. Three main vulnerabilities: 1) Static encryption keys. 2) Ineffective use of initialization vectors (IVs are repetitive). 3) Lack of packet integrity assurance. WEP uses the RC4 algorithm, which is a symmetric stream cipher. Additionally, WEP doesn't allow mutual authentication. The wireless device can authenticate to the AP, but the authentication server is not required to authenticate to the wireless device. This allows a rogue AP to steal users' credentials.
802.11e
An IEEE standard created to provide QoS and multimedia traffic in wireless transmissions. QoS provides the capability to prioritize traffic and affords guaranteed delivery.
Bluejacking
An attack that sends unsolicited messages to Bluetooth-enabled devices.
802.11h
An extension of 802.11a developed to meet the requirements of European wireless rules.
Open network architecture
Architecture that no one owns.
Code Division Multiple Access (CDMA)
Assigns a unique code to each voice call or data transmission to uniquely identify it from all other transmissions sent over a cellular network. In a CDMA spread spectrum network, calls are spread throughout the entire frequency band. CDMA permits every user to simultaneously use every channel in the network. At the same time, a particular cell can simultaneously interact with multiple other cells. This technology for mobile cellular networks is currently dominating the wireless space. Used for 3G.
Synchronous vs Asynchronous
Asynchronous Communication: No timing component. Surrounds each byte with processing bits. A parity bit is used for error control. Each byte requires three bits of instruction (start, stop, parity). Synchronous Communication: Timing component for data transmission synchronization (clock pulse). Robust error checking, commonly through cyclic redundancy checking (CRC). Used for high-speed, high-volume transmissions. Minimal overhead compared to asynchronous transmissions. Synchronization rules are embedded into a Data Link protocol. Synchronous communication is used for the transfer of large amounts of information in a predictable manner (e.g. mainframe environment). Asynchronous communication is used when data is sent in a nonpredictable manner (e.g. Internet connections).
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
Authentication Framework. Each device that is compliant with IEEE 802.1AR comes with a single built-in initial secure device identity (iDevID). The iDevID is an instance of the general concept of a DevID, which is intended to be used with authentication protocols such as EAP, which is supported by 802.1X. EAP-TLS processes authentication data (digital certificate and device ID) from 802.1AR.
Frequency Division Multiple Access (FDMA)
Available frequency range is divided into sub-bands (channels) and one channel is assigned to each mobile subscriber. Used for 1G cellular networks.
Broadband vs. Baseband
Baseband uses the entire communication channel for its transmission. Broadband technology divides the communication channel into individual and independent subchannels.
Twisted-Pair Cable
Cables made of copper wires that are twisted around each other and surrounded by a plastic jacket. If the twisted pair is surrounded by an outer protective jacket it is referred to as shielded twisted pair (STP); otherwise it is referred to as unshielded twisted pair (UTP). UTP is the least secure cable type because it is easier to sniff its EM radiation compared to other cable types. UTP Cable Ratings: Category 1: Voice-grade telephone cable. Up to 1 Mbps transmission rate. Not recommended for network use, but modems can communicate over it. Category 2: Data transmission up to 4 Mbps. Used in mainframe and minicomputer terminal connections, but not recommended for high-speed networking. Category 3: 10 Mbps for Ethernet and 4 Mbps for Token Ring. Used in 10Base-T network installations. Category 4: 16 Mbps. Normally used in Token Ring networks. Category 5: 100 Mbps; has high twisting, thus low crosstalk. Used in 100Base-TX, CDDI, Ethernet, and ATM installations. Most widely used in network installations. Category 6: 1 Gbps. Used in new network installations requiring high-speed transmission. Standard for Gigabit Ethernet. Category 7: 10 Gbps. Used in new network installations requiring high-speed transmission.
IP Address Classes
Class A: 0.0.0.0 to 127.255.255.255 - The first byte is the network portion and the remaining 3 bytes are the host portion. Class B: 128.0.0.0 to 191.255.255.255 - The first 2 bytes are the network portion and the remaining 2 bytes are the host portion. Class C: 192.0.0.0 to 223.255.255.255 - The first 3 bytes are the network portion and the remaining 1 byte is the host portion. Class D: 224.0.0.0 to 239.255.255.255 - Used for multicast addresses. Class E: 240.0.0.0 to 255.255.255.255 - Reserved for research.
Orthogonal Frequency Division Multiple Access (OFDMA)
Combination of FDMA and TDMA. Each of the channels is subdivided into a set of closely spaced orthogonal frequencies with narrow bandwidths (subchannels). Each of the different subchannels can be transmitted and received simultaneously in a MIMO manner. The use of orthogonal frequencies and MIMO allows signal processing techniques to reduce the impact of any interference between different subchannels and correct for channel impairments such as noise or frequency-selective fading. Currently used in 4G.
Socket
Combination of protocol, port, and IP address.
Access Point (AP)
Component of WLAN. Connects the wireless and wired worlds.
User Datagram Protocol (UDP)
Connectionless Transport Layer protocol ("best effort"). Source and destination ports and source and destination IP addresses are contained within the header when a UDP message is formed. Faster and requires fewer resources than TCP. Used when high volumes of data need to be sent (e.g. streaming video).
Physical Layer
Converts bits into voltage for transmission. Specs for the Physical Layer include timing of voltage changes, voltage levels, and the physical connectors for electrical, optical, or mechanical transmission. Common standards: RS/EIA/TIA-422, RS/EIA/TIA-423, RS/EIA/TIA-449; 10Base-T, 10Base2, 10Base5, 100Base-TX, 100Base-FX, 100Base-T, 1000Base-T, 1000Base-SX; Integrated Services Digital Network (ISDN); Digital Subscriber Line (DSL); Synchronous Optical Networking (SONET).
Subnet
Created from the host portion of an IP address to designate a "sub" network. This allows us to further break the host portion of the address into two or more logical groupings. A network can be logically partitioned to reduce administrative headaches. This is particularly beneficial in keeping down routing table sizes because external routers can directly send data to the actual network segment without having to worry about the internal architecture of that network and getting the data to individual hosts. This job can be handled by internal routers, which can determine the individual hosts in a subnetted environment and save the external routers the hassle of analyzing all 32 bits of an IP address just to look at the masked bits.
Subnet Mask
Differentiates the groups of addresses that define the subnets of a network. Subnetting defines a smaller network inside a larger network. This allows larger IP ranges to be divided into smaller, logical, and more tangible network segments.
Digital vs. Analog Signals
Digital signals are more reliable than analog signals over long distance and provide a clear-cut and efficient signaling method because the voltage is either "on" or "off", compared to interpreting the waves of an analog signal. Extracting digital signals from a noisy carrier is relatively easy. It is more difficult to extract analog signals from background noise. Digital signals can implement compression mechanisms to increase data throughput, provide signal integrity through repeaters that "clean up" the transmissions, and multiplex different types of data onto the same transmission channel.
Application Layer
Does not include the applications themselves but the protocols that support applications. Analogy: You (application) write a letter (message) and hand it to an assistant (application layer) who puts it in an envelope. Common protocols: File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), Telnet, Hypertext Transfer Protocol (HTTP).
Noise
EMI from other devices. Can be caused by motors, computers, copy machines, fluorescent lighting, and microwave ovens.
IP Address Structure
Each address has a host portion and a network portion. Addresses are grouped into classes and then into subnets. For any given IP network, all nodes connected to the network can have different host addresses but a common network address. The host address identifies every individual node, whereas the network address is the identity of the network all the nodes are connected to; therefore, it is the same for each one of them. Any traffic meant for nodes on this network will be sent to the prescribed network address.
Internet Small Computer System Interface (iSCSI)
Encapsulates SCSI data in TCP segments. SCSI is a set of technologies that allow peripherals to be connected to computers. With iSCSI, peripherals can be anywhere in the world and still appear as local to a computer.
Coaxial Cable
Has a copper core that is surrounded by a shielding layer and grounding wire, which is then encased within a protective outer jacket. Compared to twisted-pair cable, coax cable is more resistant to electromagnetic interference, provides higher bandwidth, and supports the use of longer cable lengths. However, it is more expensive and more difficult to work with.
IPv4 vs IPv6
IPv4: 32-bit addresses. IPv6: 128-bit addresses. IPv6 allows for scoped addresses, enabling administrators to restrict specific addresses for specific servers. IPv6 has IPSec integrated into the protocol stack, which provides end-to-end secure transmission, authentication, and data integrity (as well as optional confidentiality). IPv6 has more flexibility and routing capabilities and allows for Quality of Service (QoS) priority values to be assigned to time-sensitive transmissions. IPv4 limits packets to 65,535 bytes of payload; IPv6 extends this to about 4.3 billion bytes, called a jumbogram. Note: Some IDS/IPS/firewalls monitor only IPv4 traffic, meaning they would ignore all IPv6 traffic. IPv6 should be disabled if not needed.
Time Division Multiple Access (TDMA)
Increases the speed and efficiency of cellular networks by taking the radio-frequency spectrum channels and dividing them into time slots. Multiple users can share the same channel because each is assigned its own time slot. Mobile systems like Global System for Mobile Communication (GSM) use TDMA.
IEEE 802.1AE - MACSec
Layer 2 (Data Link) security standard. Defines a security infrastructure to provide data confidentiality, data integrity, and data origin authentication. Where a VPN provides protection at higher layers, MACSec provides hop-by-hop protection at layer 2. MACSec integrates security protection into wired Ethernet networks to secure LAN-based traffic. Only authenticated and trusted devices on the network can communicate with one another; unauthorized devices are prevented from communicating via the network. When a frame arrives at a device that is configured with MACSec, the MACSec Security Entity (SecY) decrypts the frame, computes an integrity check value (ICV), and compares it to the ICV that was sent with the frame. If they match, the device processes the frame.
Data Link Layer
Layer where the network stack knows what format the data frame must be in to transmit it properly. Data is translated into LAN or WAN technology binary format. Defines the compatible physical transmission type (e.g. Ethernet, ATM, FDDI). Note: Once this layer applies its headers and trailers, the data is referred to as a "frame". Common protocols: Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Ethernet (IEEE 802.3), Token Ring (IEEE 802.5), Wireless Ethernet (802.11).
Data Link Sublayers
Logical Link Control (LLC): Communicates with the protocol in the layer above. Defined in IEEE 802.2 and ISO/IEC 8802-2. Media Access Control (MAC): Has the appropriately loaded protocols to interface with the protocol requirements of the physical layer. Defined in IEEE 802.x, where "x" refers to the network structure (i.e. 802.5 is Token Ring, 802.11 is Wireless Ethernet, etc.).
Attenuation
Loss of signal strength as it travels. The longer the cable, the more the signal deteriorates.
Token Passing
Media Access Technology at the Data Link Layer. A token is a 24-bit control frame used to control which computers communicate at what intervals. The token is passed from computer to computer, and only the computer that has the token can put data on the wire.
Carrier Sense Multiple Access (CSMA)
Media Access Technology at the Data Link Layer. In general, Carrier Sense methods are faster than Token Passing, but Token Passing doesn't have to worry about collisions. Two types: Carrier Sense Multiple Access / Collision Detection (CSMA/CD): A computer monitors transmission activity on the wire to determine the best time to transmit data. Each node continuously monitors the wire and waits until it is free (denoted by the absence of a carrier tone) to transmit data. A collision takes place when two or more computers sense the absence of transmitted data and attempt to transmit at the same time. If a computer puts its frames on the wire and detects a collision, it will abort its transmission and alert all other stations that a collision just took place. All other stations will execute a random collision timer (called a back-off algorithm) to force a delay before they attempt to transmit data. Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA): Each computer signals its intent to transmit data before anything is actually sent. After receiving this alert, other computers will wait a period of time before attempting to transmit data to ensure collisions do not take place.
Polling
Media Sharing Technology (which is a subcomponent of Media Access Technology). Environment where some systems are configured as primary stations and others are configured as secondary stations. At predefined intervals the primary station asks each secondary station if it has anything to transmit. This is the only time a secondary station can communicate. Mainly used in mainframe environments.
Data Terms in OSI Layers
Message or data: Information from an application. Segment: Message that has been encapsulated at the Transport Layer. Packet: Segment that has been encapsulated at the Network Layer with routing and addressing information. Frame: Packet that has received a header and trailer at the Data Link Layer. Note: "Segment" is specific to TCP. If it is being transmitted via UDP it is called a "Datagram".
Message Moving Through OSI Layers
Messages originate in the application layer and are passed down the network stack. Each layer adds its own information, causing the message to grow in size. On the receiving computer the encapsulation is reversed and the message moves back up through that stack. Each layer strips off the layer-specific information and passes the message to the layer above. Each layer can communicate with three other layers: the layers above and below it through interfaces, and the same layer on the receiving computer.
Direct Sequence Spread Spectrum (DSSS)
Physical Layer Specification. Applies sub-bits (chips) to a message. The sequence of chips is called a "chipping code". The chips are used by the sending system to generate a different format of the data before it is transmitted. The receiving system uses the chips to reassemble the signal. The signal appears as random noise to anyone who does not know the chipping sequence, which is sometimes called a pseudo-noise sequence. The chips provide error-recovery instructions. Uses all the available bandwidth continuously. DSSS spreads the signal over a wider frequency range. Using DSSS, the 802.11 standard can provide up to 11 Mbps (much more than FHSS).
Orthogonal Frequency Division Multiplexing (OFDM)
Physical Layer Specification. Digital multicarrier modulation scheme that packs multiple modulated carriers tightly together, reducing the required bandwidth. The modulated signals are orthogonal (perpendicular) and do not interfere with one another.
Frequency Hopping Spread Spectrum (FHSS)
Physical Layer Specification. Sender and receiver operate on one subchannel for some time before "hopping" to another subchannel according to the "hop sequence". This approach makes it much more difficult for eavesdroppers to listen in on and reconstruct the data unless they know the hop sequence. Only uses a portion of the total available bandwidth at any one time. FHSS uses a narrowband carrier that changes frequency across a wide band. Using FHSS, the 802.11 standard can provide 1 to 2 Mbps (much less than DSSS).
802.1X
Port-based access control protocol that can be implemented on both wired and wireless networks. This means that a user cannot make a full network connection until he is properly authenticated. No traffic other than authentication traffic is allowed to pass. Provides USER authentication (as opposed to WEP which provides SYSTEM authentication). Framework consists of three main entities: wireless devices (supplicant), authenticator (AP), and an authentication server (usually RADIUS).
IP Protocol
Provides addressing, packet fragmentation, and packet timeouts. To ensure packets do not continually traverse networks, IP provides a Time to Live (TTL) value that is decremented every time the packet passes through a router. IP can also provide Type of Service (ToS) capability, which means it can prioritize different packets for time-sensitive functions.
Transport Layer
Provides end-to-end data transport services and establishes the logical connection between communicating computers. Common protocols: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Sequenced Packet Exchange (SPX).
Transmission Control Protocol (TCP)
Reliable connection-oriented transport layer protocol, which means that it ensures packets are delivered to the destination computer. If a packet is lost during transmission, TCP has the ability to identify this issue and resend the lost or corrupted packet. TCP also supports packet sequencing, flow and congestion control, and error detection and correction. Source and destination ports and source and destination IP addresses are contained within the header when a TCP message is formed. Begins with handshaking. Full duplex. Requires a lot of overhead.
Session Layer
Responsible for establishing a connection between the two applications, maintaining it during the transfer of data, and controlling the release of this connection. Three phases: connection establishment, data transfer, and connection release. Common protocols: Network Basic Input Output System (NetBIOS), Password Authentication Protocol (PAP), Point-to-Point Tunneling Protocol (PPTP), Remote Procedure Call (RPC).
Network Layer
Responsible for inserting information into the packet's header so it can be properly addressed and routed, and then actually routing the packets to their proper destination. Protocols at this layer must determine the best path for the packet to take. Routing protocols build and maintain routing tables, which are maps of the network. This information is added to the packet's header and sent down the stack. Common protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Internetwork Packet Exchange (IPX).
Network Topologies
Ring: A series of devices connected by unidirectional transmission links. The links form a closed loop. Note: If one device experiences a problem it can negatively affect surrounding computers. Bus: A single cable runs the entire length of the network. Nodes are connected to the network through drop points on the cable. Data transmits the length of the medium, and each packet can be viewed by all nodes. Bus topologies have two main types: linear (a single cable with nodes attached) and tree (which has branches from the single cable). Note: If one device experiences a problem it can negatively affect surrounding computers. Also, with a tree structure there are multiple single points of failure. Star: All nodes connect to a central device such as a switch through a dedicated link. Note: The central device can potentially bottleneck network traffic. Most common topology because it makes the network more resilient and not as affected if an individual node experiences problems. However, the central device is a single point of failure. Mesh: All systems and resources are connected to each other in a way that does not follow the uniformity of other topologies. Computers are connected directly to each other, which provides redundancy but requires more expensive cabling.
Session Layer vs Transport Layer
Session layer protocols control application-to-application communication whereas transport layer protocols handle computer-to-computer communication.
Ethernet
Set of technologies that enables several devices to communicate on the same network. Typically uses a star or bus topology. Considered a "chatty protocol" because it has collisions. Ethernet consists of the following characteristics: 1) Contention-based technology (i.e. all resources use the same shared communication medium) 2) Uses broadcast and collision domains 3) Uses CSMA/CD access method 4) Supports full-duplex communication 5) Can use coax, twisted-pair, or fiber-optic cabling 6) Is defined by standard 802.3
Broadcast Domains
Sets of computing nodes that all receive a Layer 2 broadcast frame. This is all nodes that are interconnected by switches, hubs, or bridges but with no routers between them.
Simplex vs Half/Full Duplex
Simplex: One-way communication only. Half Duplex: Two-way communication, but only one application can send information at a time. Full Duplex: Two-way communication, and both applications can communicate at the same time.
802.15.4
Standard dealing with Wireless Personal Area Networks (WPAN). Operates in the 2.4-GHz band, known as the Industrial, Scientific, and Medical (ISM) band. Devices are typically low-cost, low-bandwidth, and ubiquitous. Very common in industrial settings where machines communicate directly (<100 meters).
Automatic Tunneling Mechanisms
Technique where the routing infrastructure automatically determines the tunnel endpoints so that protocol tunneling can take place without preconfiguration. 6to4 tunneling method: The tunnel endpoints are determined by using a well-known IPv4 anycast address on the remote side and embedding IPv4 address data within IPv6 addresses on the local side. Teredo: Uses UDP encapsulation so that NAT address translations are not affected. Intra-site Automatic Tunnel Addressing Protocol (ISATAP): Treats the IPv4 network as a virtual IPv6 local link, with mappings from each IPv4 address to a link-local IPv6 address. The first two are intersite tunneling mechanisms, and ISATAP is an intrasite mechanism.
Data Throughput
The actual amount of data that can be carried over a connection. Measured in bits per second. Bandwidth is the size of the pipe; data throughput is the rate at which water flows through that pipe.
Bandwidth
The number of electrical pulses that can be transmitted over a link within a second, and these impulses carry individual bits of information. Bandwidth is the data transfer capability of a connection and is commonly associated with the amount of available frequencies and speed of a link. Measured in bits per second.
Plenum Space
The space in the ceiling, under the floors, and in the walls through which cable runs. This space is usually used for ventilation, so cables run in these areas must meet a specific fire rating because they can release harmful chemicals in the event of a fire. Nonplenum cables usually have a polyvinyl chloride (PVC) jacket, while plenum-rated cables have jackets made of fluoropolymers.
Bluesnarfing
The unauthorized access of information from a wireless device through a Bluetooth connection.
Fiber-Optic Cable
Uses a type of glass that carries light waves. Glass core is surrounded by a protective cladding, which in turn is encased within an outer jacket. Offers higher transmission speeds that allow signals to travel over longer distances. Not affected by attenuation or EMI. Doesn't radiate signals like copper so it is the most secure cable type. It is expensive and difficult to work with.
Port Types and Ranges
Well-known ports: 0-1023. Typically have standard protocols operating on specific port numbers, e.g. Telnet on port 23, SMTP on port 25, HTTP on port 80, SNMP on ports 161 and 162, FTP on ports 20 and 21, SSH on port 22, HTTPS on port 443. Registered ports: 1024-49151. Can be registered with the Internet Corporation for Assigned Names and Numbers (ICANN). Typically used by vendors to register their proprietary software. Dynamic ports: 49152-65535. Available to apps on an "as needed" basis.
802.11i (WPA2)
Wi-Fi Protected Access II - Data Link Layer protocol. Consists of three main components in two specific layers. The lower layer contains the improved encryption algorithms and techniques (TKIP and CCMP), while the upper layer contains 802.1X. If using RC4 encryption, WPA2 uses Temporal Key Integrity Protocol (TKIP), which is backward compatible with WLAN devices based on the original 802.11 standard (i.e. WEP). Otherwise, WPA2 provides encryption protection with the AES algorithm in counter mode with CBC-MAC (CCM), which is referred to as the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCM Protocol or CCMP). AES provides a higher level of protection than RC4. WPA2 defaults to AES but can switch to TKIP and RC4. 802.11i allows for mutual authentication using EAP.
802.11n
Wireless networking standard that can operate in both the 2.4-GHz and 5-GHz bands and uses multiple input/multiple output (MIMO) to achieve a theoretical maximum throughput of 100+ Mbps.
802.11b
Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 11 Mbps. It uses DSSS and is backwards compatible with 802.11.
802.11g
Wireless networking standard that operates in the 2.4-GHz band with a theoretical maximum throughput of 54 Mbps and is backward compatible with 802.11b. It is basically a "speed extension" for 802.11b.
802.11ac
Wireless networking standard that operates in the 5-GHz band and uses multiple input/multiple output (MIMO) and multi-user MIMO (MU-MIMO) to achieve a theoretical maximum throughput of 1 Gbps. Supports beamforming and is an extension of 802.11n. Better able to maintain high data rates at longer distances than its predecessors.
802.11a
Wireless networking standard that operates in the 5-GHz band with a theoretical maximum throughput of 54 Mbps. It uses OFDM and is not backwards compatible with 802.11b or 802.11. Note: The 5-GHz range offers high speeds but shorter range than 2.4-GHz.
Presentation Layer
Works as a translator. Provides a common means of representing data in a structure that can be properly processed by the end system. Puts data into a format any OS could read (e.g. PDF, JPEG, etc.). Adds MIME info in header. Only layer that doesn't have protocols.