D4 Communication and Network Security
Remote meeting technology
"Newer technology that allows users to conduct online meetings via the Internet, including desktop sharing functionality."
Circuit Switching
A dedicated physical pathway is created between the two communicating parties. - Once a call is established, the links between the two parties remain the same throughout the conversation. - Provides fixed or known transmission times, a uniform level of quality, and little or no loss of signal or communication interruptions. - The path is permanent throughout a single conversation. Once the path is disconnected, if the two parties communicate again, a different path may be assembled. - One path only for that one communication: it grants exclusive use of a communication path to the current communication partners.
IP header protocol field value for UDP
17 (0x11)
IP header protocol field value for TCP
6 (0x06)
Trivial File Transfer Protocol (TFTP)
A light version of FTP that uses a small amount of memory and has limited functionality. - This is a network application that supports an exchange of files that does not require authentication; it also provides no encryption, so it should be confined to isolated segments such as PXE boot or device-configuration backup networks. - UDP Port 69
Virtual Private Network (VPN)
A private data network that creates secure connections, or "tunnels," over regular Internet lines. - is a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an intermediary untrusted network. - can link two networks or two individual systems. They can link clients, servers, routers, firewalls, and switches. - are helpful in providing security for legacy applications that rely on risky or vulnerable communication protocols or methodologies, especially when communication is across a network. - provide confidentiality and integrity over insecure or untrusted intermediary networks. - do not provide availability
Is APIPA concerned with security?
APIPA is not usually directly concerned with security. - If you notice that a system is assigned an APIPA address instead of a valid network address, that indicates a problem. - It could be as mundane as a bad cable or power failure on the DHCP server, but it could also be a symptom of a malicious attack on the DHCP server. - You might be asked to decipher issues in a scenario where IP addresses are presented. - You should be able to discern whether an address is a public address, an RFC 1918 private address, an APIPA address, or a loopback address.
IPX and AppleTalk uses
Both IPX and AppleTalk can be used as IP alternatives in a dead-zone network implementation using IP-to-alternate-protocol gateways (a dead zone is a network segment using an alternative Network layer protocol instead of IP).
Reset (RST)
Causes immediate disconnect of TCP session
Managing collision domains and broadcast domains
Collision domains are divided by using any layer 2 or higher device, and broadcast domains are divided by using any layer 3 or higher device. When a domain is divided, it means that systems on opposite sides of the deployed device are members of different domains.
resolution attacks
DNS poisoning and DNS spoofing
Frame (OSI)
Data stream in Data Link layer (layer 2)
Packet (OSI)
Data stream in Network layer (layer 3)
ESN
Electronic Serial Number. Numbers used to uniquely identify mobile devices.
Push (PSH)
Indicates need to push data immediately to application
Urgent (URG)
Indicates urgent data
ISO
International Organization for Standardization
Sublayers of Data Link layer
Logical Link Control (LLC) sublayer and the MAC (Media Access Control) sublayer.
Attenuation
Loss of power in a signal as it travels from the sending device to the receiving device. - more pronounced as the speed of the transmission increases. - It is recommended that you use shorter cable lengths as the speed of the transmission increases. - It is often possible to use a cable segment that is longer than the cable is rated for, but the number of errors and re-transmissions will be increased over that cable segment, ultimately resulting in poor network performance.
Dynamic NAT
Maps an unregistered IP address to a registered (globally unique) IP address from a group of registered (globally unique) IP addresses. On Cisco IOS the command ip nat inside source list <access-list-number> pool <name> maps the access list to the NAT pool when configuring Dynamic NAT. - Use it to grant multiple internal clients access to a few leased public IP addresses. Thus, a large internal network can still access the Internet without having to lease a large block of public IP addresses. This keeps public IP address usage to a minimum and helps keep Internet access costs down. - Maintains a database of mappings so that all response traffic from Internet services is properly routed to the original internal requesting client. - NAT is often combined with a proxy server or proxy firewall to provide additional Internet access and content-caching features.
Data Stream
Message sent into the protocol stack at the Application Layer (layer 7). - It retains the label of data stream until it reaches the Transport Layer (layer 4), where it becomes a segment (TCP) or datagram (UDP).
NAT and IPsec
NAT is not directly compatible with IPsec because it modifies packet headers (addresses and, for port translation, transport ports) that IPsec integrity-protects: AH covers the IP header outright, and ESP in transport mode protects the TCP/UDP checksum, which includes the addresses. However, there are NAT implementations designed to pass IPsec. - NAT-Traversal (NAT-T, RFC 3947 for IKE and RFC 3948 for ESP) supports IPsec VPNs by encapsulating IKE and ESP in UDP (port 4500). - IP Security (IPsec) is a standards-based mechanism for providing authentication and encryption for IP traffic between two endpoints, regardless of the transport protocol carried.
Internetwork Packet Exchange (IPX)
Network layer protocol derived from Xerox Network Systems' IDP. It may act as a Transport layer protocol as well. It was very popular through the late 1980s into the mid-1990s because it was used by the Novell NetWare network operating system, and NetWare's popularity made IPX a prominent internetworking protocol.
Unshielded Twisted Pair (UTP)
Networking cable that has four twisted pairs of copper wire and a flexible outer coating. - Commonly used for computer networks within a building. - Most often associated with 10Base-T, 100Base-T, or 1000Base-T Ethernet; the 10Base-T and 100Base-T variants are now largely obsolete. - UTP is sold in several categories (Cat ratings), each rated for a maximum frequency and transmission speed.
Finish (FIN)
Requests graceful shutdown of TCP session
Synchronization (SYN)
Requests synchronization with new sequencing numbers
Two modes of NAT
Static and Dynamic NAT
SIM
Subscriber Identity Module
IMAP Port
TCP Port 143
NFS Port
TCP Port 2049 (NFSv2/v3 may also use UDP 2049; NFSv4 is TCP only)
SMTP port
TCP Port 25
LPD Port
TCP Port 515
POP3 port
TCP port 110
Two Tier Firewall Deployment Architecture
The DMZ is used to host information server systems to which external users should have access. The firewall routes traffic to the DMZ or the trusted network according to its strict filtering rules. This architecture introduces a moderate level of routing and filtering complexity. - Two different designs: 1. Two Tier I: uses a firewall with three or more interfaces; the DMZ is located off one of the interfaces of the primary firewall. 2. Two Tier II: uses two firewalls in series, which allows for a DMZ or a publicly accessible extranet; the DMZ is located between the two serial firewalls.
Thicknet or 10BASE5
Used in networks and operated at 10 Mb/s with a maximum length of 1640.4 ft. (500 m.) - provide throughput up to 10 Mbps (megabits per second).
beacon frame
What is the name for the special signal that contains the information a wireless node requires in order to associate itself with an access point? - In the context of wireless networking, a frame issued by an access point to alert other nodes of its existence. - The SSID is broadcast by the WAP via a special transmission called a beacon frame. This allows any wireless NIC within range to see the wireless network and make connecting as simple as possible. - Exam material recommends disabling SSID broadcast to keep the network "secret"; in practice this is obscurity, not a security control, because the SSID is still sent in the clear in probe requests and association frames and is trivially recovered with a wireless sniffer. Rely on WPA2/WPA3 authentication and encryption instead.
Switching Technologies
The methods used to move data between two systems (individual computers or LANs) that are connected over multiple intermediary networks, i.e., how a path is provided from one to the other. - Types: circuit switching and packet switching.
Local Area Network (LAN)
is a network typically spanning a single floor or building. This is commonly a limited geographical area
Channels
Within the assigned frequency of the wireless signal are subdivisions of that frequency known as channels.
Transmission error correction
a capability built into connection- or session-oriented protocols and services. If it is determined that a message, in whole or in part, was corrupted, altered, or lost, a request can be made for the source to resend all or part of the message.
Network monitoring attack
act of monitoring traffic patterns to obtain information about a network.
Impersonation or masquerading
Act of pretending to be someone or something you are not to gain unauthorized access to a system. - Implies that authentication credentials have been stolen or falsified in order to satisfy (i.e., successfully bypass) authentication mechanisms. - Solutions to prevent impersonation are one-time passwords and token authentication systems, Kerberos, and encryption of authentication exchanges to increase the difficulty of extracting credentials from network traffic.
Wireless Networks
allow communication to take place using radio waves.
frequency of radio waves
between 3 Hz and 300 GHz
Screen Scraper/ Scraping
Used in two different senses: 1. Remote control, remote access, or remote desktop services: the screen of the target machine is scraped and shown to the remote operator. 2. An automated tool that interacts with a human interface. For example, Google requires that searches be performed through its web search form; a scraper drives that human-oriented web front end and then parses the resulting page to extract just the relevant information.
Issues with NAT
can operate on a one-to-one basis with only a single internal client able to communicate over one of its leased public IP addresses at a time. This type of configuration can result in a bottleneck if more clients attempt Internet access than there are public IP addresses. - For example, if there are only five leased public IP addresses, the sixth client must wait until an address is released before its communications can be transmitted over the Internet.
synchronous and asynchronous communication
Synchronous communications are synchronized with some sort of clock or timing activity shared by both ends and can carry a continuous stream of data. - Asynchronous communications have no shared clock; each unit of data is framed with start and stop bits so the receiver can resynchronize on every character (e.g., classic serial/modem links).
PEAP (Protected Extensible Authentication Protocol)
encapsulates EAP methods within a TLS tunnel that provides authentication and potentially encryption. Since EAP was originally designed for use over physically isolated channels and hence assumed secured pathways, EAP is usually not encrypted. So, PEAP can provide encryption for EAP methods.
Simple Key Management for Internet Protocol (SKIP)
encryption tool used to protect sessionless datagram protocols. - was designed to integrate with IPSec; - functions at layer 3. - It is able to encrypt any subprotocol of the TCP/IP suite. - was replaced by Internet Key Exchange (IKE) in 1998.
Service-specific remote access
gives users the ability to remotely connect to and manipulate or interact with a single service, such as email.
TCP Wrappers
A program (tcpd / libwrap) that monitors incoming connection requests for services started by inetd or linked against libwrap. - It is open source. - TCP Wrappers can control whether a UDP server is started but has no further control over the server once it is running. - UDP servers may continue to run after they have finished processing a legitimate request, and UDP's lack of a three-way handshake makes it simple for attackers to trick UDP servers into processing illegitimate requests. - It can serve as a basic host-based firewall by restricting access to services based on the client host or network (/etc/hosts.allow and /etc/hosts.deny) and, optionally, on a remote user ID obtained via ident. Using TCP Wrappers is a form of port-based (per-service) access control. - Decision order: a matching entry in hosts.allow grants access; otherwise a matching entry in hosts.deny refuses it; otherwise access is granted, so a safe baseline is ALL: ALL in hosts.deny.
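The hosts.allow/hosts.deny decision rule above, as an added example that is not part of the original page and not libwrap's own code. It implements a subset of tcpd's pattern syntax (ALL, a daemon name, a dotted IPv4 prefix ending in '.', and net/mask or CIDR client patterns); the two rule files are constructed samples, not a real host's configuration.

```python
"""Simplified reimplementation of the TCP Wrappers (libwrap) access decision.
Added illustration: real tcpd also supports hostnames, EXCEPT lists and
shell commands, which are omitted here."""
import ipaddress

# Constructed sample files (not a real host's configuration).
HOSTS_ALLOW = """
# service : clients
sshd: 192.168.1. 10.0.0.0/255.255.0.0
ALL: 127.0.0.1
"""
HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, client_ip):
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # leading-octet prefix, e.g. 192.168.1.
        return client_ip.startswith(pattern)
    if "/" in pattern:                 # net/mask or net/prefixlen
        return ip in ipaddress.ip_network(pattern, strict=False)
    return client_ip == pattern        # exact address


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    client_ok = any(client_matches(c, client_ip) for c in clients)
    return daemon_ok and client_ok


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: a match in hosts.allow grants; otherwise a match in
    hosts.deny refuses; otherwise access is granted."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for svc, ip in [("sshd", "192.168.1.20"), ("sshd", "192.168.10.5"),
                    ("ftpd", "192.168.1.20"), ("ftpd", "127.0.0.1")]:
        print(svc, ip, "ALLOW" if access_allowed(svc, ip) else "DENY")
```

Note the trailing dot in the prefix pattern: 192.168.1. does not match 192.168.10.5, which is exactly the mistake a hand-written prefix check without the dot would make.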
transmission window
number of packets transmitted before an ACK packet is sent
Digital communications
occur through the use of a discontinuous electrical signal and a state change or on-off pulses.
Analog communications
occur with a continuous signal that varies in frequency, amplitude, phase, voltage, and so on. - The variances in the continuous signal produce a wave shape (as opposed to the square shape of a digital signal). - The actual communication occurs by variances in the constant signal.
bridge mode infrastructure
occurs when a wireless connection is used to link two wired networks. This often uses dedicated wireless bridges and is used when wired bridges are inconvenient, such as when linking networks between floors or buildings.
X.25 WAN Connections
Older packet-switching technology that was widely used in Europe. - Uses permanent virtual circuits to establish specific point-to-point connections between two systems or networks. - It is the predecessor to Frame Relay, which operates in much the same fashion. - Its use is declining because of its lower performance and throughput rates when compared to Frame Relay or ATM.
Security concerns w.r.t. Packet Switching
places data from different sources on the same physical connection. - This could lend itself to disclosure, corruption, or eavesdropping. - Proper connection management, traffic isolation, and usually encryption are needed to protect against shared physical pathway concerns
Three way handshake process
process: 1. The client sends a SYN (synchronize) flagged packet to the server. 2. The server responds with a SYN/ACK (synchronize and acknowledge) flagged packet back to the client. 3. The client responds with an ACK (acknowledge) flagged packet back to the server.
Bots , zombies , or agents
remote-control tools installed on secondary victims. - at an appointed time or in response to a launch command from the attacker, they are used to conduct DoS attack against the victim. - user is usually not aware of these
preadmission philosophy of NAC
requires a system to meet all current security requirements (such as patch application and antivirus updates) before it is allowed to communicate with the network.
Pretexting
which is the practice of obtaining your personal information under false pretenses. - used to obtain personal identity details that are then sold to others who actually perform the abuse of your credit and reputation.
DISA (direct inward system access)
"security" improvement to PBX systems -designed to help manage external access and external control of a PBX by assigning access codes to users -vulnerability to phreaking, once phreaker has the access codes they can abuse the telephone network - must be properly installed, configured, and monitored in order to obtain the desired security improvement.
caching and broadcasting in ARP and RARP
- The first step in resolving an IP address into a MAC address (ARP), or vice versa (RARP), is to check the local ARP cache. - If the needed information is already present in the ARP cache, it is used. - If the ARP cache does not contain the necessary information, an ARP request is transmitted as a broadcast. - If the queried address belongs to a host on the local subnet, that host replies with the necessary information. If the destination is not on the local subnet, the system instead resolves the MAC address of its default gateway and sends the traffic there; the gateway (a router) then performs its own ARP process on the next segment. - ARP replies carry no authentication, so a host that accepts unsolicited or forged replies can have its cache poisoned; static entries or dynamic ARP inspection on switches mitigate this.
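The resolution sequence above (cache lookup, broadcast, local-versus-gateway decision) as an added simulation that is not part of the original page. Hosts, MAC addresses and the segment are constructed; the one hardening step shown, accepting only replies for addresses actually requested, is an illustration of why plain ARP (which accepts any reply) is poisonable.

```python
"""Simulation of ARP resolution on one broadcast domain. Added example;
hosts and addresses are constructed, not captured from a network."""
import ipaddress


class Host:
    def __init__(self, ip, mac, mask, gateway, segment):
        self.ip, self.mac = ip, mac
        self.net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        self.gateway = gateway
        self.segment = segment      # hosts sharing this broadcast domain
        self.arp_cache = {}         # ip -> mac
        self.pending = set()        # ips we have broadcast a request for

    def next_hop(self, dst_ip):
        """Local subnet: resolve the destination itself; otherwise the gateway."""
        return dst_ip if ipaddress.ip_address(dst_ip) in self.net else self.gateway

    def resolve(self, dst_ip):
        """Return (mac, how) where how is 'cache', 'broadcast' or 'unresolved'."""
        target = self.next_hop(dst_ip)
        if target in self.arp_cache:          # step 1: consult the cache
            return self.arp_cache[target], "cache"
        self.pending.add(target)              # step 2: broadcast who-has
        for h in self.segment:
            if h is not self and h.ip == target:
                self.receive_reply(h.ip, h.mac)
        mac = self.arp_cache.get(target)
        return mac, "broadcast" if mac else "unresolved"

    def receive_reply(self, ip, mac):
        """Hardened cache update: ignore replies nobody asked for. Stock ARP
        stacks historically accept any reply, enabling cache poisoning."""
        if ip in self.pending:
            self.arp_cache[ip] = mac
            self.pending.discard(ip)
            return True
        return False


def build_segment():
    """Two hosts and a gateway on 192.168.1.0/24 (constructed)."""
    seg = []
    a = Host("192.168.1.10", "aa:aa:aa:aa:aa:10", "255.255.255.0", "192.168.1.1", seg)
    b = Host("192.168.1.20", "bb:bb:bb:bb:bb:20", "255.255.255.0", "192.168.1.1", seg)
    gw = Host("192.168.1.1", "cc:cc:cc:cc:cc:01", "255.255.255.0", "192.168.1.1", seg)
    seg.extend([a, b, gw])
    return a, b, gw


if __name__ == "__main__":
    a, b, gw = build_segment()
    print(a.resolve("192.168.1.20"))   # broadcast, learns b's MAC
    print(a.resolve("192.168.1.20"))   # served from cache
    print(a.resolve("8.8.8.8"))        # off-subnet: resolves the gateway instead
```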
Software Defined Networking (SDN)
- A broad and developing concept addressing the management of the various network components. - Objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components. - The concept is based on the theory that the complexities of a traditional network with on-device configuration (i.e., routers and switches) often force an organization to stick with a single device vendor, such as Cisco, and limit the flexibility of the network to respond to changing physical and business conditions. - Aims at separating the infrastructure layer (i.e., hardware and hardware-based settings) from the control layer (i.e., network services of data transmission management). - Removes the traditional networking concepts of IP addressing, subnets, routing, and so on from needing to be programmed into or be deciphered by hosted applications. - SDN offers a new network design that is directly programmable from a central location, is flexible, is vendor neutral, and is open-standards based. - Network virtualization: data transmission paths, communication decision trees, and flow control are virtualized in the SDN control layer rather than being handled on the hardware on a per-device basis.
User Datagram Protocol (UDP)
- A connectionless "best-effort" transport protocol. Connectionless transport protocols provide unreliable transport, in that if a datagram is dropped, the sender is unaware of the drop, and no retransmission occurs. - An alternative to TCP that achieves lower latency and overhead at the cost of reliability. - It carries a checksum that allows the receiver to detect a corrupted datagram (optional in IPv4, mandatory in IPv6) but performs no error correction, no sequencing, no flow control, and no pre-established session, and is considered unreliable. - UDP has very low overhead and thus can transmit data quickly. It should be used only when loss of individual datagrams is acceptable or the application handles reliability itself. - Often employed by real-time or streaming communications for audio and/or video, and by DNS, DHCP, SNMP, and TFTP.
Fibre Channel over Ethernet (FCoE)
- A lightweight encapsulation protocol that lacks the reliable data transport of the TCP layer; it depends on lossless ("data center bridging") Ethernet instead. - A storage area network (SAN) technology providing block-level access to storage; this is distinct from NAS, which serves files. Native Fibre Channel links run at 8 or 16 Gbps and higher. - Fibre Channel was designed to be operated over fiber-optic cables; support for copper cables was added later to offer less-expensive options. - Fibre Channel typically requires its own dedicated infrastructure (separate cables). FCoE allows it to run over the existing Ethernet infrastructure. - Used to encapsulate Fibre Channel frames directly in Ethernet frames. - It typically requires 10 Gbps Ethernet in order to support the Fibre Channel protocol. - With this technology, Fibre Channel operates as a Network layer (OSI layer 3) protocol, replacing IP as the payload of a standard Ethernet frame, so it is not routable and stays within one layer 2 domain.
Network Address Translation (NAT)
- A mechanism for converting the internal IP addresses found in packet headers into public IP addresses for transmission over the Internet. - Developed to allow private networks to use any IP address set (usually RFC 1918 space) without causing collisions or conflicts with public Internet hosts with the same IP addresses. - NAT translates the IP addresses of your internal clients to leased addresses outside your environment and keeps a mapping table so that return traffic can be translated back; inbound packets with no entry in that table are dropped, which is the incidental filtering benefit NAT provides.
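Dynamic NAT as described in the NAT cards above (the pool of leased addresses, the mapping database, translation of return traffic, and the pool-exhaustion bottleneck from "Issues with NAT"), as an added simulation that is not part of the original page. The inside hosts use RFC 1918 space and the pool and remote server use documentation addresses; all are constructed.

```python
"""Dynamic NAT simulation: address pool, mapping database, outbound and
inbound translation, and what happens when the pool is exhausted.
Added example with constructed addresses."""


class PoolExhausted(Exception):
    pass


class DynamicNAT:
    def __init__(self, pool):
        self.free = list(pool)            # leased public addresses not in use
        self.inside_to_outside = {}       # mapping database
        self.outside_to_inside = {}

    def translate_outbound(self, pkt):
        """pkt is a dict with 'src' and 'dst'. The first packet from an
        inside host allocates a public address; later packets reuse it."""
        src = pkt["src"]
        if src not in self.inside_to_outside:
            if not self.free:
                raise PoolExhausted(f"no public address left for {src}")
            pub = self.free.pop(0)
            self.inside_to_outside[src] = pub
            self.outside_to_inside[pub] = src
        return {**pkt, "src": self.inside_to_outside[src]}

    def translate_inbound(self, pkt):
        """Return traffic: rewrite dst back to the inside host, or drop
        (None) if no mapping exists."""
        inside = self.outside_to_inside.get(pkt["dst"])
        if inside is None:
            return None
        return {**pkt, "dst": inside}

    def release(self, src):
        """Mapping timeout / session end: return the address to the pool."""
        pub = self.inside_to_outside.pop(src)
        del self.outside_to_inside[pub]
        self.free.append(pub)


def demo():
    """Two leased addresses, three inside clients: the third must wait."""
    nat = DynamicNAT(["203.0.113.1", "203.0.113.2"])
    server = "198.51.100.5"
    out1 = nat.translate_outbound({"src": "10.0.0.11", "dst": server})
    out2 = nat.translate_outbound({"src": "10.0.0.12", "dst": server})
    try:
        nat.translate_outbound({"src": "10.0.0.13", "dst": server})
        third = "translated"
    except PoolExhausted:
        third = "blocked"
    reply = nat.translate_inbound({"src": server, "dst": out1["src"]})
    stray = nat.translate_inbound({"src": server, "dst": "203.0.113.9"})
    nat.release("10.0.0.11")                      # first client finishes
    after = nat.translate_outbound({"src": "10.0.0.13", "dst": server})
    return out1["src"], out2["src"], third, reply["dst"], stray, after["src"]


if __name__ == "__main__":
    print(demo())
```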
Internet Group Management Protocol (IGMP)
- A multicast protocol used between clients and routers to let routers know which of their interfaces has a multicast receiver attached. - allows systems to support multicasting. Multicasting is the transmission of data to multiple specific recipients. (RFC 1112 discusses the requirements to perform IGMP multicasting.) - used by IP hosts to register their dynamic multicast group membership. - also used by connected routers to discover these groups. Through the use of IGMP multicasting, a server can initially transmit a single data signal for the entire group rather than a separate initial data signal for each intended recipient. - With IGMP, the single initial signal is multiplied at the router if divergent pathways exist to the intended recipients. - The IP header protocol field value for IGMP is 2 (0x02).
Address Resolution Protocol (ARP)
- A protocol in the TCP/IP suite used with the command-line utility of the same name to determine the MAC address that corresponds to a particular IP address. - Used to resolve IP addresses into MAC addresses. - Traffic on a network segment (for example, cables across a hub or switch) is directed from its source system to its destination system using MAC addresses. - ARP functions by broadcasting a request packet with the target IP address. The system with that IP address (or some other system that already has an ARP mapping for it) will reply with the associated MAC address. - Placed at the Network layer (layer 3) in CISSP material, although it carries only MAC and IP addresses and never crosses a router. - ARP has no authentication: any host on the segment can answer, or send gratuitous replies, so ARP cache poisoning (redirecting a victim's traffic to the attacker's MAC) is a classic LAN man-in-the-middle technique. Dynamic ARP inspection and static entries for critical hosts are the usual countermeasures.
Packet Sniffing
- An attack on wired or wireless networks in which an attacker captures data and records data flows in order to analyze what a packet contains. - The act of capturing packets from the network in hopes of extracting useful information from the packet contents. - Effective packet sniffers can extract usernames, passwords, email addresses, encryption keys, credit card numbers, IP addresses, system names, and so on from any protocol that transmits them in cleartext; encryption in transit (TLS, SSH, IPsec, WPA2/WPA3) is the countermeasure.
Point-to-Point Protocol (PPP)
- A protocol that allows a computer to connect to the Internet over a phone line. - An encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links. - Allows for multivendor interoperability of WAN devices supporting serial links. - A full-duplex protocol used for transmitting TCP/IP packets over various non-LAN connections, such as modems, ISDN, VPNs, Frame Relay, and so on. - Transport protocol of choice for dial-up Internet connections. - PPP authentication uses protocols such as PAP, CHAP, and EAP. PAP sends the password in cleartext and should not be used; CHAP uses a challenge/response so the password itself never crosses the link. - PPP is a replacement for SLIP and can support any LAN protocol, not just TCP/IP. - Communication services: assignment and management of IP addresses, management of synchronous communications, standardized encapsulation, multiplexing, link configuration, link quality testing, error detection, and feature or option negotiation (such as compression).
Simple Network Management Protocol (SNMP)
- A protocol used to monitor and manage network devices, such as routers, switches, and servers. - A TCP/IP protocol that exchanges management information between networked devices. - It allows network administrators to remotely monitor, manage, and configure devices on the network. - A network service used to collect network health and status information by polling monitored devices from a central monitoring station. - Uses UDP Port 161 (UDP Port 162 for trap messages). - SNMPv1 and v2c authenticate with cleartext community strings (defaults "public" and "private"); use SNMPv3 with authPriv, change the defaults, and restrict UDP 161 to the management station.
WPA (Wi-Fi Protected Access)
- A security protocol introduced to address the shortcomings of WEP. - An improvement over WEP in that it does not use the same static key to encrypt all communications; instead it derives a unique key set for each host. However, in personal (PSK) mode a single passphrase is used to authorize association with the base station (i.e., allow a new client to set up a connection). If the passphrase is not long enough, it can be guessed. A passphrase of 14 characters or more is usually recommended. - It was a temporary fix until the 802.11i amendment (WPA2) was completed. - Based on TKIP (RC4 with per-packet keys) for encryption; LEAP, a Cisco EAP method sometimes paired with it, is likewise broken. Often employs a secret passphrase for authentication. - The single static passphrase is WPA's downfall: an attacker who captures a client's association handshake can run an offline brute-force or dictionary attack to discover the passphrase (this applies equally to WPA2-PSK). - If the passphrase is 14 characters or more, this is usually time-prohibitive but not impossible. - Both LEAP and TKIP are now crackable; WPA no longer provides long-term reliable security. Use WPA2 with AES-CCMP at minimum, or WPA3.
Orthogonal Frequency Division Multiplexing (OFDM)
- Another variation on frequency use, commonly grouped with spread-spectrum techniques in exam material, but it neither hops like FHSS nor spreads a single carrier like DSSS. - It employs a digital multicarrier modulation scheme: the channel is divided into many closely spaced subcarriers transmitted in parallel, allowing a more tightly packed transmission. - The subcarrier signals are mathematically perpendicular (orthogonal) and thus do not interfere with each other even though their spectra overlap. - OFDM requires a smaller frequency set (channel band) but can offer greater data throughput; it is the basis of 802.11a/g/n/ac.
Virtual LAN (VLAN)
- A technology that allows scattered users to be logically grouped together even though they may be attached to different switches. - used for hardware-imposed network segmentation. - used to logically segment a network without altering its physical topology. - created by switches. By default, all ports on a switch are part of VLAN#1. But as the switch administrator changes the VLAN assignment on a port-by-port basis, various ports can be grouped together and be distinct from other VLAN port designations. Thus, multiple logical network segments can be created on the same physical network.
Voice over Internet Protocol (VoIP)
- A technology that allows you to make voice calls using a broadband Internet connection instead of a regular (or analog) phone line. - a technology that encapsulates audio into IP packets to support telephone calls over TCP/IP network connections.
MPLS (Multiprotocol Label Switching)
- A type of switching that enables any one of several Layer 2 protocols to carry multiple types of Layer 3 protocols. - benefit: is the ability to use packet-switched technologies over traditionally circuit-switched networks. MPLS can also create end-to-end paths that act like circuit-switched connections. - A network technology defined by a set of IETF specifications that enable Layer 3 devices, such as routers, to establish and manage network traffic. - a high-throughput high-performance network technology that directs data across a network based on short path labels rather than longer network addresses. It saves significant time over traditional IP-based routing processes, which can be quite complex. - MPLS is designed to handle a wide range of protocols through encapsulation. Thus, the network is not limited to TCP/IP and compatible protocols. This enables the use of many other networking technologies, including T1/E1, ATM, Frame Relay, SONET, and DSL.
benefits of Multilayer protocols
- A wide range of protocols can be used at higher layers. - Encryption can be incorporated at various layers. - Flexibility and resiliency in complex network structures is supported.
Acknowledgement (ACK)
- Acknowledges synchronization or shutdown request - TCP uses this for error control; a host station that receives error-free application data returns an acknowledgement to its sender and if no acknowledgement sent, source host retransmits application data presuming there has been a transmission error
Frequency Hopping Spread Spectrum (FHSS)
- Allows the participants in a communication to hop between predetermined frequencies in a sequence known to both ends. - It transmits data serially while constantly changing the frequency in use. - The entire range of available frequencies is employed, but only one frequency at a time is used. - As the sender changes from one frequency to the next, the receiver has to follow the same hopping pattern to pick up the signal. - It was designed to minimize interference by not depending on a single frequency that could be affected; by constantly shifting frequencies, it minimizes interference. - Exam material credits FHSS with a security benefit because a third party cannot easily follow the hop sequence, but the sequences in standardized systems (e.g., Bluetooth, legacy 802.11) are public or derivable, so FHSS provides no real confidentiality; encryption is still required.
Simple Mail Transfer Protocol (SMTP)
- An Internet-standard protocol for sending email messages between servers on IP networks. - Because SMTP is generally used to send messages from a mail client to a mail server, you should specify both the POP or IMAP server and the SMTP server when configuring an email application. - TCP Port 25
Classless Inter-Domain Routing (CIDR) notation
- Another option for subnetting is to use Classless Inter-Domain Routing (CIDR) notation. - CIDR uses a count of mask bits rather than a full dotted-decimal subnet mask. Thus, instead of 255.255.0.0, a prefix length is appended to the IP address after a slash, as in 172.16.1.1/16. - One significant benefit of CIDR over classful addressing is the ability to combine multiple contiguous, properly aligned blocks into a single larger route (supernetting or route aggregation), or to split a block into arbitrary-size subnets. - For example, four consecutive Class C networks 192.168.0.0 through 192.168.3.0 can be advertised as the single prefix 192.168.0.0/22; blocks that are not aligned on a power-of-two boundary cannot be merged.
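The CIDR aggregation rule above, together with the address-type discrimination asked for in the APIPA card (public, RFC 1918 private, APIPA, loopback), as an added example using only the Python standard library. This is not code from the original page; the addresses are constructed.

```python
"""Address classification and CIDR supernetting with ipaddress.
Added example; all addresses are constructed."""
import ipaddress

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918
APIPA = ipaddress.ip_network("169.254.0.0/16")                           # RFC 3927
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify(addr):
    """Return 'loopback', 'apipa', 'rfc1918-private' or 'public'.
    Checked explicitly rather than via ip.is_private, which also covers
    other special-use ranges the card does not ask about."""
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if ip in APIPA:
        return "apipa"
    if any(ip in n for n in PRIVATE):
        return "rfc1918-private"
    return "public"


def supernet(cidrs):
    """Collapse networks into the fewest CIDR blocks. Only contiguous,
    power-of-two-aligned siblings merge; anything else stays separate."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def mask_bits(dotted_mask):
    """255.255.0.0 -> 16, i.e. the /N of CIDR notation."""
    return ipaddress.ip_network(f"0.0.0.0/{dotted_mask}").prefixlen


if __name__ == "__main__":
    for a in ("192.168.1.5", "169.254.10.1", "127.0.0.1", "203.0.113.4"):
        print(a, classify(a))
    print(supernet(["192.168.0.0/24", "192.168.1.0/24",
                    "192.168.2.0/24", "192.168.3.0/24"]))   # one /22
    print(supernet(["192.168.1.0/24", "192.168.2.0/24"]))   # not siblings, stays as two
```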
Twisted Pair Cabling
- Consists of several insulated copper wires protected by a sheath. The copper wires are twisted together to protect them from EMI and to balance the crosstalk between the individual wires. - e.g. network cable - extremely thin and flexible compared to coaxial cable. - It consists of four pairs of wires that are twisted around each other and then sheathed in a PVC insulator. - two types: shielded twisted-pair (STP) and unshielded twisted-pair (UTP). - small, thin copper wires that are twisted in pairs. The twisting of the wires provides protection from external radio frequencies and electric and magnetic interference and reduces crosstalk between pairs. -Crosstalk occurs when data transmitted over one set of wires is picked up by another set of wires due to radiating electromagnetic fields produced by the electrical current. - Each wire pair within the cable is twisted at a different rate (in other words, twists per inch); thus, the signals traveling over one pair of wires cannot cross over onto another pair of wires (at least within the same cable). - The tighter the twist (the more twists per inch), the more resistant the cable is to internal and external interference and crosstalk, and thus the capacity for throughput (that is, higher bandwidth) is greater.
drawbacks of multilayer protocols
- Covert channels are allowed. - Filters can be bypassed. - Logically imposed network segment boundaries can be overstepped.
electrical specifications, protocols, and interface standards in Physical Layer (layer 1)
- EIA/TIA-232 and EIA/TIA-449 - X.21 - High-Speed Serial Interface (HSSI) - Synchronous Optical Network (SONET) - V.24 and V.35
Data Link layer technologies
- Ethernet (IEEE 802.3), - Token Ring (IEEE 802.5), - Asynchronous transfer mode (ATM), - Fiber Distributed Data Interface (FDDI), - Copper DDI (CDDI)
802.1X/EAP
- IEEE 802.1X is a standard for port-based network access control: the supplicant (client) cannot pass traffic through the authenticator (switch port or access point) until it has authenticated, via the Extensible Authentication Protocol (EAP), against an authentication server such as RADIUS. - The "enterprise" mode of WPA/WPA2/WPA3. - EAP is a framework, not a single method; it allows RADIUS, TACACS+, certificates (EAP-TLS), smart cards, token devices, and biometrics to be used across wireless and point-to-point connections, and lets new authentication technologies be added without changing the link layer. - 802.1X is a hand-off system that allows the wireless network to leverage the existing network infrastructure's authentication services. - Prefer EAP-TLS or PEAP/EAP-TTLS with server-certificate validation on the client; without it, a rogue access point can harvest credentials.
ICMP important details
- First, the IP header protocol field value for ICMP is 1 (0x01). - Second, the type field in the ICMP header defines the type or purpose of the message contained within the ICMP payload. There are more than 40 defined types, but only about 7 are commonly used. - Many of the types also support codes. A code is an additional data parameter offering more detail about the function or purpose of the ICMP message. - One example of an event that causes an ICMP response is an attempt to reach a UDP port on which no service is listening on the target: this produces an ICMP Type 3 (Destination Unreachable), Code 3 (Port Unreachable) back to the origin. Since UDP has no means to send back errors, the protocol stack uses ICMP for that purpose; UDP port scanners rely on exactly this, and hosts that rate-limit or suppress these messages make UDP scans slow and ambiguous.
Phreakers
- Hackers who specialize in committing telephone fraud. - able to gain unauthorized access to personal voice mailboxes, redirect messages, block access, and redirect inbound and outbound calls.
IP header protocol field value for
- ICMP - 1 (0x01) - IGMP - 2 (0x02) - TCP - 6 (0x06) - UDP - 17 (0x11)
IEEE 802.11
- IEEE standard for wireless network communications.
IP header protocol field value
- IP header protocol field value for TCP is 6 (0x06). - it is the label or flag found in the header of every IP packet that tells the receiving system what type of packet it is. - IP header's protocol field indicates the identity of the next encapsulated protocol (in other words, the protocol contained in the payload from the current protocol layer, such as ICMP or IGMP, or the next layer up, such as TCP or UDP).
Benefits of Virtualization
- Infrastructure Simplification - Improved Responsiveness - Organization Resiliency - Reduced attack exposure - Stable, safe configs - Segmentation - real-time scalability - being able to run the exact OS version needed for the needed application. - recovery from damaged, crashed, or corrupted virtual systems is often quick. - easy backup
Registered Software Ports
- Ports 1024 to 49151. - These are ports that have one or more networking software products specifically registered with the Internet Assigned Numbers Authority (IANA) in order to provide a standardized port-numbering system for clients attempting to connect to their products.
Random, Dynamic, or Ephemeral ports
- Ports 49152 to 65535. - They are often used randomly and temporarily by clients as a source port. These random ports are also used by several networking services when negotiating a data transfer pipeline between client and server outside the initial service or registered ports, as is done by common FTP.
secure communication protocols
- Protocols that provide security services for application-specific communication channels. - examples: Simple Key Management for Internet Protocol (SKIP), Software IP Encryption (swIPe), Secure Remote Procedure Call (S-RPC), Secure Sockets Layer (SSL), Transport Layer Security (TLS), Secure Electronic Transaction (SET), IPSec, SSH
network hardware devices that function at layer 3
- Routers and bridge routers (brouters) - Routers: determine the best logical path for the transmission of packets based on speed, hops, preference, and so on. Routers use the destination IP address to guide the transmission of packets. - Brouter: working primarily in layer 3 but in layer 2 when necessary, it is a device that attempts to route first, but if that fails, it defaults to bridging.
Address Resolution Protocol (ARP) Spoofing
- Sending fake ARP messages to an Ethernet LAN. - often an element in man-in-the-middle attacks. - ARP is a computer networking protocol for determining a network host's hardware address when only its IP or network address is known. - ARP functions by broadcasting a request packet with the target IP address. The system with that IP address (or some other system that already has an ARP mapping for it) will reply with the associated MAC address. - countermeasures: defining static ARP mappings for critical systems, monitoring ARP caches for MAC-to-IP-address mappings, or using an IDS to detect anomalies in system traffic and changes in ARP traffic.
Ping Utility
- Sends "echo request" packets to a destination and hopes for "echo replies" indicating that the destination is responding and is on the network. - ping utility employs ICMP echo packets and bounces them off remote systems. Thus, you can use ping to determine whether the remote system is online, whether the remote system is responding promptly, whether the intermediary systems are supporting communications, and the level of performance efficiency at which the intermediary systems are communicating. - It includes a redirect function that allows the echo responses to be sent to a different destination than the system of origin.
protocols found within the Data Link layer
- Serial Line Internet Protocol (SLIP) - Point-to-Point Protocol (PPP) - Address Resolution Protocol (ARP) - Reverse Address Resolution Protocol (RARP) - Layer 2 Forwarding (L2F) - Layer 2 Tunneling Protocol (L2TP) - Point-to-Point Tunneling Protocol (PPTP) - Integrated Services Digital Network (ISDN)
Private IP Addresses
- Specific Class A, B, and C networks have been designed for private use. Although these networks are routable within the organization (with the exception of the 169.254.0.0-169.254.255.255 address range), service providers do not route these private networks over the public Internet. - identify a particular device on a private network, usually on a LAN - They are as follows: 1. 10.0.0.0-10.255.255.255 (a full Class A range) 2. 172.16.0.0-172.31.255.255 (16 Class B ranges) 3. 192.168.0.0-192.168.255.255 (256 Class C ranges) - private IP addresses are not routed by default. - defined in RFC 1918.
MIME Object Security Services (MOSS)
- Standard that provides authenticity, confidentiality, integrity, and nonrepudiation for email messages. - employs Message Digest 2 (MD2) and MD5 algorithms; RSA public key; and DES to provide authentication and encryption services.
protocols in the Network layer of the OSI model
- TCP - UDP - ICMP - IGMP
File Transfer Protocol (FTP)
- TCP Ports 20 and 21 - This is a network application that supports an exchange of files that requires anonymous or specific authentication.
Congestion Window Reduced (CWR)
- TCP header flag field value. - Used to manage transmission over congested links; see RFC 3168
ECE : ECN-Echo (Explicit Congestion Notification)
- TCP header flag field value. - Used to manage transmission over congested links; see RFC 3168
Bluebugging attack
- Taking control of someone else's phone to make or listen to calls, send or read text messages, connect to the Internet, forward the victim's calls, and call numbers that charge fees. - an attack that grants hackers remote control over the features and functions of a Bluetooth device. - This could include the ability to turn on the microphone to use the phone as an audio bug. - it has a limited range of 30 feet, but some devices can function from more than 100 meters away. - Bluetooth devices sometimes employ encryption, but it is not dynamic and can usually be cracked with modest effort
OSI Functionality
- The layers are ordered specifically to indicate how information flows through the various levels of communication. - Each layer communicates directly with the layer above it as well as the layer below it, plus the peer layer on a communication partner system. - "Please Do Not Take Sales Person's Advice" - bottom-to-top mnemonic.
Internet Protocol (IP)
- The network protocol that deals with the routing of packets through interconnected networks to the final destination. - A communication standard that enables computers to route communications traffic from one network to another as needed. - A set of rules responsible for disassembling, delivering, and reassembling packets over the Internet. - operates at the Network layer of the OSI model. - IP provides route addressing for data packets. It is this route addressing that is the foundation of global Internet communications because it provides a means of identity and prescribes transmission paths. - connectionless and is an unreliable datagram service. - does not offer guarantees that packets will be delivered or that packets will be delivered in the correct order, and it does not guarantee that packets will be delivered only once. Thus, you must employ TCP on IP to gain reliable and controlled communication sessions.
Line Print Daemon (LPD)
- This is a network service that is used to spool print jobs and to send print jobs to printers. - TCP Port 515
Post Office Protocol (POP3)
- This is a protocol used to pull email messages from an inbox on an email server down to an email client. - TCP Port 110
Internet Message Access Protocol (IMAP)
- This is a protocol used to pull email messages from an inbox on an email server down to an email client. - IMAP is more secure than POP3 and offers the ability to pull headers down from the email server as well as to delete messages directly off the email server without having to download to the local client first. - TCP Port 143
Ring Topology
- Topology where the computers are connected on a loop or ring. Data flows in one direction only. - connects each system as points on a circle. The connection medium acts as a unidirectional transmission loop. - Only one system can transmit data at a time. - Traffic management is performed by a token. A token is a digital hall pass that travels around the ring until a system grabs it. A system in possession of the token can transmit data. - Data and the token are transmitted to a specific destination. - As the data travels around the loop, each system checks to see whether it is the intended recipient of the data. If not, it passes the token on. If so, it reads the data. - Once the data is received, the token is released and returns to traveling around the loop until another system grabs it. - If any one segment of the loop is broken, all communication around the loop ceases. - Some implementations employ a fault tolerance mechanism, such as dual loops running in opposite directions, to prevent single points of failure.
Bootstrap Protocol (BootP)/ Dynamic Host Configuration Protocol (DHCP)
- UDP Ports 67 and 68 - This is a protocol used to connect diskless workstations to a network through auto assignment of IP configuration and download of basic OS elements. - BootP is the forerunner to Dynamic Host Configuration Protocol (DHCP).
Communications Assistance for Law Enforcement Act (CALEA)
- US law - mandates that all telcos, regardless of the technologies involved, must make it possible to wiretap voice and data communications when a search warrant is presented. Thus, a telco cannot provide customers with end-to-end encryption.
VLANs vs subnets
- VLANs work like subnets, but keep in mind that they are not actual subnets. - VLANs are created by switches. - Subnets are created by IP address and subnet mask assignments.
Dial-Up Protocols
- When a remote connection link is established, a protocol must be used to govern how the link is actually created and to establish a common communication foundation over which other protocols can work. - It is important to select protocols that support security whenever possible. - At a minimum, a means to secure authentication is needed, but adding the option for data encryption is also preferred. - examples: PPP and SLIP
WAP vs. WAP
- Wireless Application Protocol (WAP) vs Wireless Access Point (WAP). - Wireless Application Protocol is often confused with wireless networking (802.11) because the same acronym (WAP) is used for both. WAP stands for wireless access point when used in relation to 802.11. - difference between them: 1. With Wireless Application Protocol, portable devices use a cell phone carrier's network to establish communication links with the Internet. 2. With wireless networking, an organization deploys its own wireless access points to allow its wireless clients to connect to its local network.
TCP (Transmission Control Protocol)
- Works at both ends of most Internet communication to ensure a perfect copy of a message is sent. - provides reliable, ordered, and error-checked delivery of a stream of packets on the internet. TCP is tightly linked with IP and usually seen as TCP/IP in writing. - A connection-oriented, guaranteed-delivery protocol used to send data packets between computers over a network like the Internet. - operates at layer 4 (the Transport layer) of the OSI model. - It supports full-duplex communications. - is connection oriented because it employs a handshake process between two systems to establish a communication session.
NetBIOS Extended User Interface (NetBEUI, aka NetBIOS Frame protocol, or NBF)
- a Microsoft protocol developed in 1985 to support file and printer sharing. Microsoft has enabled support of NetBEUI on modern networks by devising NetBIOS over TCP/IP (NBT). - This in turn supports the Windows sharing protocol of Server Message Block (SMB), which is also known as Common Internet File System (CIFS). - NetBEUI is no longer supported as a lower-layer protocol; only its SMB and CIFS variants are still in use.
Asynchronous Transfer Mode (ATM)
- a cell-switching WAN communication technology - It fragments communications into fixed-length 53-byte cells. The use of fixed-length cells allows ATM to be very efficient and offer high throughputs. - can use either PVCs or SVCs. - As with Frame Relay providers, ATM providers can guarantee a minimum bandwidth and a specific level of quality to their leased services. - ATM is a connection-oriented packet-switching technology.
MAC filter
- a list of authorized wireless client interface MAC addresses that is used by a wireless access point to block access to all non-authorized devices. - While a useful feature to implement, it can be difficult to manage, and tends to be used only in small, static environments. - Additionally, a hacker with basic wireless hacking tools can discover the MAC address of a valid client and then spoof that address onto their attack wireless client.
virtual circuit (also called a communication path)
- a logical pathway or circuit created over a packet-switched network between two specific endpoints. - Within packet-switching systems are two types of virtual circuits: 1. Permanent virtual circuits (PVCs) 2. Switched virtual circuits (SVCs) - In either type of virtual circuit, when a data packet enters point A of a virtual circuit connection, that packet is sent directly to point B or the other end of the virtual circuit. - However, the actual path of one packet may be different from the path of another packet from the same transmission. - multiple paths may exist between point A and point B as the ends of the virtual circuit, but any packet entering at point A will end up at point B.
Packet Switching
- a mode of data transmission in which a message is broken into a number of parts that are sent independently, over whatever route is optimum for each packet, and reassembled at the destination. - occurs when the message or communication is broken up into small segments (usually fixed-length packets, depending on the protocols and technologies employed) and sent across the intermediary networks to the destination. - Each segment of data has its own header that contains source and destination information. - The header is read by each intermediary system and is used to route each packet to its intended destination. - Each channel or communication path is reserved for use only while a packet is actually being transmitted over it. - As soon as the packet is sent, the channel is made available for other communications. - does not enforce exclusivity of communication pathways. - seen as a logical transmission technology because addressing logic dictates how communications traverse intermediary networks between communication partners.
VPN Devices
- a network add-on device used to create VPN tunnels separately from server or client OSs. - The use of VPN devices is transparent to networked systems.
Intranet
- a private network that is designed to host the same information services found on the Internet. - Networks that rely on external servers (in other words, ones positioned on the public Internet) to provide information services internally are not considered intranets. - Intranets provide users with access to the Web, email, and other services on internal servers that are not accessible to anyone outside the private network.
Network File System (NFS)
- a protocol that supports file sharing from UNIX and Linux operating systems. - This is a network service used to support file sharing between dissimilar systems. - TCP Port 2049
Secure Electronic Transaction (SET)
- a security protocol for the transmission of transactions over the Internet. - is based on Rivest, Shamir, and Adleman (RSA) encryption and Data Encryption Standard (DES). - It has the support of major credit card companies, such as Visa and MasterCard. - However, SET has not been widely accepted by the Internet in general; instead, SSL/TLS encrypted sessions are the preferred mechanism for secure e-commerce.
filters or access control lists
- a set of instructions that are used to distinguish authorized traffic from unauthorized and/or malicious traffic. Only authorized traffic is allowed to cross the security barrier provided by the firewall.
Virtual Software or virtual application
- a software product deployed in such a way that it is fooled into believing it is interacting with a full host OS. - A virtual (or virtualized) application has been packaged or encapsulated to make it portable and able to operate without the full installation of its original host OS. - A virtual application has enough of the original host OS included in its encapsulation bubble (technically called a virtual machine, or VM) that it operates/functions as if it was traditionally installed. - Some forms of virtual applications are used as portable apps on USB drives. - Other virtual applications are designed to be executed on alternate host OS platforms—for example, running a Windows application within a Linux OS.
Secure Sockets Layer (SSL)
- a standard security technology for establishing an encrypted link between a web server and a browser, ensuring that all data passed between them remains private. - This is a VPN-like security protocol that operates at the Transport layer. - SSL was originally designed to support secured web communications (HTTPS) but is capable of securing any Application layer protocol communications. - used to secure web, email, FTP, or even Telnet traffic. - It is a session-oriented protocol that provides confidentiality and integrity. - deployed using a 40-bit key or a 128-bit key. - is superseded by Transport Layer Security (TLS). - TCP Port 443 (for HTTP Encryption)
Token Ring
- a token-passing mechanism to control which systems can transmit data over the network medium. - The token travels in a logical loop among all members of the LAN. - can be employed on ring or star network topologies. - rarely used today because of its performance limitations, higher cost compared to Ethernet, and increased difficulty in deployment and management. - can be deployed as a physical star using a multistation access unit (MAU). - A MAU allows for the cable segments to be deployed as a star while internally the device makes logical ring connections.
Digital Subscriber Line (DSL)
- a type of nondedicated line - A type of Internet connection that uses phone lines but transmits signals digitally across an always-open connection. - provides high-speed digital data transmission over standard telephone lines using broadband modem technology, allowing both Internet and telephone services to work over the same phone lines. - a technology that exploits the upgraded telephone network to grant consumers speeds from 144 Kbps to 6 Mbps (or more). - There are numerous formats of DSL, such as ADSL, xDSL, CDSL, HDSL, SDSL, RASDSL, IDSL, and VDSL. - Each format varies as to the specific downstream and upstream bandwidth provided. - The maximum distance a DSL line can be from a central office (that is, a specific type of distribution node of the telephone network) is approximately 1,000 meters.
benefit of converged protocols
- ability to use existing TCP/IP supporting network infrastructure to host special or proprietary services without the need for unique deployments of alternate networking hardware. This can result in significant cost savings. However, not all converged protocols provide the same level of throughput or reliability as their proprietary implementations.
Physical Layer (Layer 1)
- accepts the frame from the data link layer and converts the frame into bits for transmission over the physical connection medium - also responsible for receiving bits and converting them into a frame to be used by the data link layer - manages synchronization, line noise, and medium access, and determines whether digital, analog, or light-pulse signaling is used. - contains the device drivers that tell the protocol how to employ the hardware for the transmission and reception of bits. - Through the device drivers and these standards, the Physical layer controls throughput rates, handles synchronization, manages line noise and medium access, and determines whether to use digital or analog signals or light pulses to transmit or receive data over the physical hardware interface.
Network layer (layer 3)
- accepts the segment from the transport layer and adds info, creating a packet (includes source/destination IP) - responsible for providing routing or delivery information, but it is not responsible for verifying guaranteed delivery (that is the responsibility of the Transport layer). - also manages error detection and node data traffic (traffic control).
what reduces the effective throughput in wi-fi network
- adding layers of data encryption (WPA2 and IPSec VPN) and other forms of filtering to a wireless link can reduce the effective throughput by as much as 80 percent. - greater distances from the base station and the presence of interference.
Hyperlink Spoofing
- alteration of the hyperlink URLs in the HTML code of documents sent to clients - usually successful because most users do not verify the domain name in a URL via DNS. - An attack used to redirect traffic to a rogue or imposter system or to simply divert traffic away from its intended destination, often through the malicious alteration of the hyperlink URLs in the HTML code of documents sent to clients. - can take the form of DNS spoofing or can simply be an alteration of the hyperlink URLs in the HTML code of documents sent to clients. - Protections: same precautions used against DNS spoofing as well as keeping your system patched and using the Internet with caution.
open relay (also known as an open relay agent or relay agent)
- an SMTP server that does not authenticate senders before accepting and relaying mail. - are prime targets for spammers because they allow spammers to send out floods of emails by piggybacking on an insecure email infrastructure. - As open relays are locked down, becoming closed or authentication relays, a growing number of SMTP attacks are occurring through hijacked authenticated user accounts.
Terminal Access Controller Access-Control System (TACACS+)
- an alternative to RADIUS. - is available in three versions: original TACACS, Extended TACACS (XTACACS), and TACACS+. - TACACS integrates the authentication and authorization processes. - XTACACS keeps the authentication, authorization, and accounting processes separate. - TACACS+ improves XTACACS by adding two-factor authentication. TACACS+ is the most current and relevant version of this product line.
Problems with Tunneling
- an inefficient means of communicating because most protocols include their own error detection, error handling, acknowledgment, and session management features, so using more than one protocol at a time compounds the overhead required to communicate a single message. - it creates either larger packets or additional packets that in turn consume additional network bandwidth. - can quickly saturate a network if sufficient bandwidth is not available. - is a point-to-point communication mechanism and is not designed to handle broadcast traffic. - makes it difficult to monitor the content of the traffic in some circumstances, creating issues for security practitioners.
Remote Node Operation
- another name for dial-up connectivity. - A remote system connects to a remote access server. That server provides the remote client with network services and possible Internet access.
Secure Remote Procedure Call (S-RPC)
- authentication service - prevents unauthorized execution of code on remote systems
Channel Service Unit/Data Service Unit (CSU/DSU)
- border connection device - it provides all the interfacing needed between the network carrier service and a company's LAN. - convert LAN signals into the format used by the WAN carrier network and vice versa. - contains data terminal equipment/data circuit-terminating equipment (DTE/DCE), which provides the actual connection point for the LAN's router (DTE) and the WAN carrier network's switch (DCE) - acts as a translator, a store-and-forward device, and a link conditioner.
IP Security Protocol (IPSec)
- both a standalone VPN protocol and the security mechanism for L2TP - it can be used only for IP traffic. - IPSec works only on IP networks and provides for secured authentication as well as encrypted data transmission. - IPSec has two primary components, or functions: 1. Authentication Header (AH) 2. Encapsulating Security Payload (ESP)
TCP/IP Vulnerabilities
- buffer overflows, SYN flood attacks, various DoS attacks, fragment attacks, oversized packet attacks, spoofing attacks, man-in-the-middle attacks, hijack attacks, and coding error attacks. - passive attacks via monitoring or sniffing.
how to combat eavesdropping
- by maintaining physical access security to prevent unauthorized personnel from accessing your IT infrastructure. - for protecting communications that occur outside your network or for protecting against internal attackers: using encryption (such as IPSec or SSH) and one-time authentication methods (that is, one-time pads or token devices)
Baseband technology
- can support only a single communication channel. - uses a direct current applied to the cable. - A current that is at a higher level represents the binary signal of 1, and a current that is at a lower level represents the binary signal of 0. - is a form of digital signal. - e.g. Ethernet
Baseband cables
- can transmit only a single signal at a time, and broadband cables can transmit multiple signals simultaneously. - Most networking cables are baseband cables. - However, when used in specific configurations, coaxial cable can be used as a broadband connection, such as with cable modems.
Coaxial cable vs twisted-pair
- coaxial cable offers longer usable lengths than twisted-pair. - coaxial failed to retain its place as the popular networking cable technology because of twisted-pair's much lower cost and ease of installation. - Coaxial cable requires the use of segment terminators, whereas twisted pair cabling does not. - Coaxial cable is bulkier and has a larger minimum arc radius than twisted-pair.
Endpoint Security
- concept that each individual device must maintain local security whether or not its network or telecommunications channels also provide or offer security. - aka "the end device is responsible for its own security". - a clearer perspective is that any weakness in a network, whether on the border, on a server, or on a client, presents a risk to all elements within the organization. - viewed as an aspect of the effort to provide sufficient security on each individual host. - Every system should have an appropriate combination of a local host firewall, anti-malware scanners, authentication, authorization, auditing, spam filters, and IDS/IPS services.
TCP/IP model (also called the DARPA or the DOD model)
- consists of only four layers. 4. Application, 3. Transport (or Host-to-Host), 2. Internet (or Internetworking or Network Layer), 1. Link (Network Interface or Network Access or Data Link Layer). - TCP/IP protocol suite was developed before the OSI Reference Model was created. - not just a single protocol; rather, it is a protocol stack comprising dozens of individual protocols. - a platform-independent protocol based on open standards. - However, this is both a benefit and a drawback. TCP/IP can be found in just about every available operating system, but it consumes a significant amount of resources and is relatively easy to hack into because it was designed for ease of use rather than for security.
WEP (Wired Equivalent Privacy)
- defined by the IEEE 802.11 standard. - Benefits: --- It was designed to provide the same level of security and encryption on wireless networks as is found on wired or cabled networks. --- WEP provides protection from packet sniffing and eavesdropping against wireless transmissions. --- it can be configured to prevent unauthorized access to the wireless network. - uses a predefined shared secret key; however, rather than being a typical dynamic symmetric cryptography solution, the shared key is static and shared among all wireless access points and device interfaces. - This key is used to encrypt packets before they are transmitted over the wireless link, thus providing confidentiality protection. - A hash value is used to verify that received packets weren't modified or corrupted while in transit; thus WEP also provides integrity protection. - Knowledge or possession of the key not only allows encrypted communication but also serves as a rudimentary form of authentication because, without it, access to the wireless network is prohibited. - WEP was cracked almost as soon as it was released.
benefit of packet-switching networks
- not as dependent on specific physical connections as circuit switching is. - Thus, when or if a physical pathway is damaged or goes offline, an alternate path can be used to continue the data/packet delivery. - A circuit-switching network is often interrupted by physical path violations.
Automatic Private IP Addressing (APIPA), aka link-local address assignment
- defined in RFC 3927 - assigns an IP address to a system in the event of a DHCP assignment failure. - a feature of Windows. - assigns each failed DHCP client with an IP address from the range of 169.254.0.1 to 169.254.255.254 along with the default Class B subnet mask of 255.255.0.0. - it allows the system to communicate with other APIPA-configured clients within the same broadcast domain but not with any system across a router or with a correctly assigned IP address.
Retransmission controls
- determine whether all or part of a message is retransmitted in the event that a transmission error correction system discovers a problem with a communication. - can also determine whether multiple copies of a hash total or CRC value are sent and whether multiple data paths or communication channels are employed.
Kaminsky DNS Vulnerability
- discovered in 2008 by Dan Kaminsky - The vulnerability lies in the method by which local or caching DNS servers obtain information from root servers regarding the identity of the authoritative servers for a particular domain. - By sending falsified replies to a caching DNS server for nonexistent subdomains, an attacker can hijack the entire domain's resolution details. - solution to this DNS hijacking vulnerability is to upgrade DNS to Domain Name System Security Extensions (DNSSEC).
Reverse Address Resolution Protocol (RARP)
- discovers the identity of the IP address for diskless machines by sending out a packet that includes its MAC address. - used to resolve MAC addresses into IP addresses.
Carrier Sense Multiple Access (CSMA)
- does not directly address collisions. - If a collision occurs, the communication would not have been successful, and thus an acknowledgment would not be received. - This causes the sending system to retransmit the data and perform the CSMA process again. - CSMA Process: 1. The host listens to the LAN media to determine whether it is in use. 2. If the LAN media is not being used, the host transmits its communication. 3. The host waits for an acknowledgment. 4. If no acknowledgment is received after a time-out period, the host starts over at step 1.
Protected Extensible Authentication Protocol (PEAP)
- encapsulates EAP in a TLS tunnel. - preferred to EAP because EAP assumes that the channel is already protected but PEAP imposes its own security. - used for securing communications over 802.11 wireless connections. - can be employed by Wi-Fi Protected Access (WPA) and WPA-2 connections. - also preferred over Cisco's proprietary EAP known as Lightweight Extensible Authentication Protocol (LEAP).
ARP and Reverse ARP
- essential to the interoperability of logical and physical addressing schemes. - ARP is used to resolve IP addresses (32-bit binary number for logical addressing) into Media Access Control (MAC) addresses (48-bit binary number for physical addressing, also called EUI-48, or even EUI-64). - Traffic on a network segment (for example, cables across a hub) is directed from its source system to its destination system using MAC addresses. - RARP is used to resolve MAC addresses into IP addresses.
Carrier-Sense Multiple Access with Collision Detection (CSMA/CD)
- example: Ethernet networks - responds to collisions by having each member of the collision domain wait for a short but random period of time before starting the process over. - allowing collisions to occur and then responding or reacting to collisions causes delays in transmissions as well as a required repetition of transmissions. - results in about 40 percent loss in potential throughput. - Process: 1. The host listens to the LAN media to determine whether it is in use. 2. If the LAN media is not being used, the host transmits its communication. 3. While transmitting, the host listens for collisions (in other words, two or more hosts transmitting simultaneously). 4. If a collision is detected, the host transmits a jam signal. 5. If a jam signal is received, all hosts stop transmitting. Each host waits a random period of time and then starts over at step 1.
Polling
- example: Synchronous Data Link Control (SDLC) - performs communications using a master-slave configuration. - One system is labeled as the primary system and all others as secondary. - The primary system polls or inquires of each secondary system in turn whether they have a need to transmit data. - If a secondary system indicates a need, it is granted permission to transmit. - Once its transmission is complete, the primary system moves on to poll the next secondary system. - addresses collisions by attempting to prevent them through the use of a permission system. - Polling is an inverse of the CSMA/CA method. Both use masters and slaves (or primary and secondary), but while CSMA/CA allows the slaves to request permission, polling has the master offer permission. - can be configured to grant one (or more) system priority over other systems. - For example, if the standard polling pattern was 1, 2, 3, 4, then to give system 1 priority, the polling pattern could be changed to 1, 2, 1, 3, 1, 4.
Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)
- examples: AppleTalk and 802.11 wireless networking - attempts to avoid collisions by granting only a single permission to communicate at any given time. - requires designation of a master or primary system, which responds to the requests and grants permission to send data transmissions. - process: 1. The host has two connections to the LAN media: inbound and outbound. The host listens on the inbound connection to determine whether the LAN media is in use. 2. If the LAN media is not being used, the host requests permission to transmit. 3. If permission is not granted after a time-out period, the host starts over at step 1. 4. If permission is granted, the host transmits its communication over the outbound connection. 5. The host waits for an acknowledgment. 6. If no acknowledgment is received after a time-out period, the host starts over at step 1.
Application-Level Gateway Firewalls or Proxy Firewall
- filters traffic based on the Internet service (i.e. the application) used to transmit or receive the data. Each type of application must have its own unique proxy server. Thus, it comprises numerous individual proxy servers. - it negatively affects network performance because each packet must be examined and processed as it passes through the firewall. - they operate at the Application layer (layer 7) of the OSI model. - 2nd generation firewalls
well-known ports or the service ports
- first 1,024 of these ports (0-1,023). - This is because they have standardized assignments as to the services they support.
Network Monitoring
- troubleshoot and watch over the network, informing network administrators of potential problems before they occur. - keeping track of the operation of network circuits and devices to ensure they are functioning properly and to determine how heavily they are used.
naming convention to label most network cable technologies
- follows the syntax XXyyyyZZ. - XX represents the maximum speed the cable type offers, such as 10 Mbps for a 10Base2 cable. - The next series of letters, yyyy, represents the baseband or broadband aspect of the cable, such as baseband for a 10Base2 cable. - ZZ either represents the maximum distance the cable can be used or acts as shorthand to represent the technology of the cable, such as the approximately 200 meters for 10Base2 cable (actually 185 meters, but it's rounded up to 200) or T or TX for twisted-pair in 10Base-T or 100Base-TX.
Remote-control remote access
- grants a remote user the ability to fully control another system that is physically distant from them. - The monitor and keyboard act as if they are directly connected to the remote system.
Social Engineering
- hackers use their social skills to trick people into revealing access credentials or other valuable information.
Flag field in TCP header
- indicates the function of the TCP packet and requests that the recipient respond in a specific manner. - The flags field is 8 bits long. Each of the bit positions represents a single flag, or control setting. - Each position can be set on with a value of 1 or off with a value of 0. There are some conditions in which multiple flags can be enabled at once (in other words, the second packet in the TCP three-way handshake, when both the SYN and ACK flags are set).
LEAP (Lightweight Extensible Authentication Protocol)
- is a Cisco proprietary alternative to TKIP for WPA. - This was developed to address deficiencies in TKIP before the 802.11i/WPA2 system was ratified as a standard. - An attack tool known as Asleap was released in 2004 that could exploit the ultimately weak protection provided by LEAP. - LEAP should be avoided when possible; use of EAP-TLS as an alternative is recommended, but if LEAP is used, a complex password is strongly recommended.
High-Speed Serial Interface (HSSI)
- is a DTE/DCE interface standard that defines how multiplexors and routers connect to high-speed network carrier services such as ATM or Frame Relay. - A multiplexor is a device that transmits multiple communications or signals over a single cable or virtual circuit. - defines the electrical and physical characteristics of the interfaces or connection points and thus operates at OSI layer 1 (the Physical layer).
content distribution network (CDN), or content delivery network
- is a collection of resource services deployed in numerous data centers across the Internet in order to provide low latency, high performance, and high availability of the hosted content. - type of geographic and logical load-balancing. - lower latency and higher-quality throughput. - e.g. There are many CDN service providers, including CloudFlare, Akamai, Amazon CloudFront, CacheFly, and Level 3 Communications. - While most CDNs focus on the physical distribution of servers, client-based CDN is also possible. This is often referred to by the term P2P (peer-to-peer). The most widely recognized P2P CDN is BitTorrent.
Proxies
- is a form of gateway that does not translate across protocols. Instead, proxies serve as mediators, filters, caching servers, and even NAT/PAT servers for a network. - performs a function or requests a service on behalf of another system and connects network segments that use the same protocol. - used in context of providing clients on a private network with Internet access while protecting the identity of the clients. - it accepts requests from clients, alters the source address of the requester, maintains a mapping of requests to clients, and sends the altered request packets out. This mechanism is commonly known as Network Address Translation (NAT). - Once a reply is received, the proxy server determines which client it is destined for by reviewing its mappings and then sends the packets on to the client. - Systems on either side of a proxy are part of different broadcast domains and different collision domains.
Firewalls
- is a network device used to filter traffic. It is typically deployed between a private network and a link to the Internet, but it can be deployed between departments within an organization. - capable of hiding the structure and addressing scheme of a private network from the public. - offer extensive logging, auditing, and monitoring capabilities as well as alarms and basic intrusion detection system (IDS) functions. - unable to block viruses or malicious code (i.e., firewalls do not typically scan traffic as an antivirus scanner would) transmitted through otherwise authorized communication channels, prevent unauthorized but accidental or intended disclosure of information by users, prevent attacks by malicious users already behind the firewall, or protect data after it passes out of or into the private network.
High-Level Data Link Control (HDLC)
- is a refined version of SDLC designed specifically for serial synchronous connections. - supports full-duplex communications and supports both point-to-point and multipoint connections. - uses polling - operates at OSI layer 2 (the Data Link layer). - offers flow control and includes error detection and correction.
LAN Extenders
- is a remote access, multilayer switch used to connect distant networks over WAN links. - This is a strange beast of a device in that it creates WANs, but marketers of this device steer clear of the term WAN and use only LAN and extended LAN. - same product as a WAN switch or WAN router.
Captive Portal
- is an authentication technique that redirects a newly connected wireless Web client to a portal access control page. - The portal page may require the user to input payment information, provide logon credentials, or input an access code. - also used to display an acceptable use policy, privacy policy, and tracking policy to the user, who must consent to the policies before being able to communicate across the network. - often located on wireless networks implemented for public use, such as at hotels, restaurants, bars, airports, libraries, and so on. They can be used on cabled Ethernet connections as well.
Secure Multipurpose Internet Mail Extensions (S/MIME)
- is an email security standard that offers authentication and confidentiality to email through public key encryption and digital signatures. - Authentication is provided through X.509 digital certificates. - Privacy is provided through the use of Public Key Cryptography Standard (PKCS) encryption. - Two types of messages can be formed using S/MIME: signed messages and secured enveloped messages. - A signed message provides integrity, sender authentication, and nonrepudiation. - An enveloped message provides integrity, sender authentication, and confidentiality.
bastion host or a screened host
- is just a firewall system logically positioned between a private network and an untrusted network. - the bastion host is located behind the router that connects the private network to the untrusted network. - All inbound traffic is routed to the bastion host, which in turn acts as a proxy for all the trusted systems within the private network. - It is responsible for filtering traffic coming into the private network as well as for protecting the identity of the internal client.
Switched virtual circuits (SVCs)
- is more like a dial-up connection because a virtual circuit has to be created using the best paths currently available before it can be used and then disassembled after the transmission is complete. - is more like a shortwave or ham radio. You must tune the transmitter and receiver to a new frequency every time you want to communicate with someone.
dedicated line (also called a leased line or point-to-point link)
- is one that is indefinitely and continually reserved for use by a specific customer. - is always on and waiting for traffic to be transmitted over it. - The link between the customer's LAN and the dedicated WAN link is always open and established. - connects two specific endpoints and only those two endpoints.
Transparency (characteristic of a service)
- is the characteristic of a service, security control, or access mechanism that ensures that it is unseen by users. - desirable feature for security controls. - The more transparent a security mechanism is, the less likely a user will be able to circumvent it or even be aware that it exists. - it may need to function more as a configurable feature than as a permanent aspect of operation, such as when an administrator is troubleshooting, evaluating, or tuning a system's configurations.
virtualized network or network virtualization
- is the combination of hardware and software networking components into a single integrated entity. - The resulting system allows for software control over all network functions: management, traffic shaping, address assignment, and so on. - A single management console or interface can be used to oversee every aspect of the network, a task requiring physical presence at each hardware component in the past. - allow organizations to implement or adapt other interesting network solutions, including software-defined networks, virtual SANs, guest operating systems, and port isolation.
Committed Information Rate (CIR)
- is the guaranteed minimum bandwidth a service provider grants to its customers. - significantly less than the actual maximum capability of the provider network. Each customer may have a different CIR established and defined in their contract. The service network provider may allow customers to exceed their CIR over short intervals when additional bandwidth is available. This is known as bandwidth on demand.
Media Access Control (MAC) address or hardware Address
- it is a 6-byte (48-bit) binary address written in hexadecimal notation (for example, 00-13-02-1F-58-F5). - used to identify network hardware. - The first 3 bytes (24 bits) of the address denote the vendor or manufacturer of the physical network interface. This is known as the Organizationally Unique Identifier (OUI). OUIs are registered with IEEE, which controls their issuance. The OUI can be used to discover the manufacturer of a NIC through the IEEE website. - The last 3 bytes (24 bits) represent a unique number assigned to that interface by the manufacturer. - No two devices can have the same MAC address in the same local Ethernet broadcast domain; otherwise an address conflict occurs. - if duplicate MAC addresses are present, then either the NIC hardware must be replaced or the MAC address must be modified (i.e., spoofed) to a non-conflicting alternative address. - they have been 48 bits for decades.
Three Tier Firewall Deployment Architecture
- it is the deployment of multiple subnets between the private network and the Internet separated by firewalls. - Each subsequent firewall has more stringent filtering rules to restrict traffic to only trusted sources. - The outermost subnet is usually a DMZ. - A middle subnet can serve as a transaction subnet where systems needed to support complex web applications in the DMZ reside. - The third, or back-end, subnet can support the private network. - It is the most secure; however, it is also the most complex to design, implement, and manage.
Software IP Encryption (swIPe)
- layer 3 security protocol for IP - provides authentication, integrity, and confidentiality using an encapsulation protocol
Permanent virtual circuits (PVCs)
- like a dedicated leased line; the logical circuit always exists and is waiting for the customer to send data. - is a predefined virtual circuit that is always available. The virtual circuit may be closed down when not in use, but it can be instantly reopened whenever needed. - is like a two-way radio or walkie-talkie. Whenever communication is needed, you press the button and start talking; the radio reopens the predefined frequency automatically (that is, the virtual circuit).
Phishing
- means fishing for information. - An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
Security risk with non-IP protocols
- most firewalls are unable to perform packet header, address, or payload content filtering on those protocols. Thus, when it comes to non-IP protocols, a firewall typically must either block all or allow all.
Multihomed Firewalls (dual-homed firewalls)
- must have at least two interfaces to filter traffic. - should have IP forwarding, which automatically sends traffic to another interface, disabled. - This will force the filtering rules to control all traffic rather than allowing a software-supported shortcut between one interface and another.
Network hardware devices that function at layer 1
- network interface cards (NICs), hubs, repeaters, concentrators, and amplifiers. - These devices perform hardware-based signal operations, such as sending a signal from one connection port out on all other ports (a hub) or amplifying the signal to support greater transmission distances (a repeater).
events logged in firewalls
- network traffic activity - A reboot of the firewall - Proxies or dependencies being unable to start or not starting - Proxies or other important services crashing or restarting - Changes to the firewall configuration file - A configuration or system error while the firewall is running
Primary Rate Interface (PRI)
- offers consumers a connection with multiple 64 Kbps B channels (2 to 23 of them) and a single 64 Kbps D channel. - it can be deployed with as little as 192 Kbps and up to 1.544 Mbps. However, remember that those numbers are bandwidth, not throughput, because they include the D channel, which cannot be used for actual data transmission (at least not in most normal commercial implementations).
Basic Rate Interface (BRI)
- offers customers a connection with two B channels and one D channel. - The B channels support a throughput of 64 Kbps and are used for data transmission. - The D channel is used for call establishment, management, and teardown and has a bandwidth of 16 Kbps. - Even though the D channel was not designed to support data transmissions, a BRI ISDN is said to offer consumers 144 Kbps of total throughput.
nondedicated line
- one that requires a connection to be established before data transmission can occur. - can be used to connect with any remote system that uses the same type of nondedicated line. - example: Standard modems, DSL, and ISDN
frame relay connections
- packet switching technology that also uses PVCs - supports multiple PVCs over a single WAN carrier service connection - operates at layer 2 (Data Link layer) of the OSI model as a connection-oriented packet-switching transmission technology. - committed information rate (CIR): guaranteed minimum bandwidth a service provider grants to its customers. - cost is primarily based on the amount of data transferred. - is a shared medium across which virtual circuits are created to provide point-to-point communications. - All virtual circuits are independent of and invisible to each other. - requires the use of DTE/DCE at each connection point. The customer owns the DTE, which acts like a router or a switch and provides the customer's network with access to the Frame Relay network. The Frame Relay service provider owns the DCE, which performs the actual transmission of data over the Frame Relay as well as establishing and maintaining the virtual circuit for the customer.
forms of bandwidth based denial of service attacks
- ping of death, smurf attacks, and ping floods. - Ping of death: sends a malformed ping larger than 65,535 bytes (larger than the maximum IPv4 packet size) to a computer to attempt to crash it. - Smurf attacks: generate enormous amounts of traffic on a target network by spoofing broadcast pings. - Ping floods: are a basic denial of service (DoS) attack relying on consuming all of the bandwidth that a target has available.
Single Tier Firewall Deployment Architecture
- places the private network behind a firewall, which is then connected through a router to the Internet (or some other untrusted network). - they are useful against generic attacks only. - offers only minimal protection.
device owned by an individual is called
- portable device, - mobile device, - personal mobile device (PMD), - personal electronic device or portable electronic device (PED), - personally owned device (POD).
why we need to move from EUI-48 to EUI-64?
- preparation for future worldwide adoption of IPv6 as well as the exponential growth of the number of networking devices and network software packages, all of which need a unique identifier. - A MAC-48 or EUI-48 address can be represented by an EUI-64. -- In the case of MAC-48, two additional octets of FF:FF are added between the OUI (first 3 bytes) and the unique NIC specification (last 3 bytes), e.g., cc:cc:cc:FF:FF:ee:ee:ee. -- In the case of EUI-48, the two additional octets are FF:FE, e.g., cc:cc:cc:FF:FE:ee:ee:ee.
site survey
- process of investigating the presence, strength, and reach of wireless access points deployed in an environment. - It usually involves walking around with a portable wireless device, taking note of the wireless signal strength, and mapping this on a plot or schematic of the building. - It should be conducted to ensure that sufficient signal strength is available at all locations that are likely locations for wireless device usage, while at the same time minimizing or eliminating the wireless signal from locations where wireless access shouldn't be permitted (public areas, across floors, into other rooms, or outside the building). - It is useful for evaluating existing wireless network deployments, planning expansion of current deployments, and planning for future deployments.
Switched Multimegabit Data Service (SMDS)
- provides bandwidth on demand. - a connectionless packet-switching technology. - is used to connect multiple LANs to form a metropolitan area network (MAN) or a WAN. - was often a preferred connection mechanism for linking remote LANs that communicate infrequently. - supports high-speed bursty traffic and bandwidth on demand. - It fragments data into small transmission cells. - can be considered a forerunner to ATM because of the similar technologies used.
Encapsulating Security Payload (ESP)
- provides encryption to protect the confidentiality of transmitted data, but it can also perform limited authentication. - It operates at the Network layer (layer 3) and can be used in transport mode or tunnel mode. - In transport mode, the IP packet data is encrypted but the header of the packet is not. - In tunnel mode, the entire IP packet is encrypted and a new header is added to the packet to govern transmission through the tunnel.
data terminal equipment/data circuit-terminating equipment (DTE/DCE)
- provides the actual connection point for the LAN's router (DTE) and the WAN carrier network's switch (DCE). - part of Channel Service Unit/Data Service Unit (CSU/DSU)
Asynchronous communications
- rely on a stop and start delimiter bit to manage the transmission of data. - Because of the use of delimiter bits and the stop and start nature of its transmission, this is best suited for smaller amounts of data. - examples : Public switched telephone network (PSTN) modems.
Synchronous communications
- rely on a timing or clocking mechanism based on either an independent clock or a time stamp embedded in the data stream. - able to support very high rates of data transfer.
Session Layer (Layer 5)
- responsible for establishing, maintaining, and terminating communication sessions between two computers. - manages dialogue discipline or dialogue control (simplex, half-duplex, full-duplex). - establishes checkpoints for grouping and recovery, and retransmits PDUs that have failed or been lost since the last verified checkpoint. - retransmits PDUs (packets) that have failed.
Data Link layer (layer 2)
- responsible for formatting the packet from the network layer into the proper format for transmission - adds the hardware source (MAC) and destination addresses to the frame - contains two sublayers: 1) LLC (logical link control) 2) MAC sublayer - within this layer resides the technology-specific protocols that convert the packet into a properly formatted frame. Once the frame is formatted, it is sent to the Physical layer for transmission.
Application layer (layer 7)
- responsible for interfacing user applications, network services or the OS with the protocol stack - allows applications to communicate with the protocol stack - determines whether a remote communication partner is available and accessible. - ensures that sufficient resources are available to support the requested communications. - the application is not located here, but the protocols and services required to transmit files, exchange messages, connect to remote terminals, etc. are found here.
Transport layer (layer 4)
- responsible for managing the integrity of a connection and controlling the session. - it accepts a PDU (i.e., a Protocol Data Unit, Packet Data Unit, or Payload Data Unit) from the session layer and converts it into a segment. - controls how devices on the network are addressed or referenced - establishes communication between nodes (devices), and defines the rules of a session. - establishes a logical connection between two devices and provides end-to-end transport services to ensure data delivery. - it includes mechanisms for segmentation, sequencing, error checking, controlling the flow of data, error correction, multiplexing, and network service optimization.
Presentation Layer (Layer 6)
- responsible for transforming data received from the application layer into a format that any system following the OSI model can understand. - imposes standardized structure and formatting rules onto the data - responsible for encryption and compression - it acts as an interface between the network and applications. - most file and data formats operate here (images, video, sound, documents, email, web pages, control sessions, etc.)
topologies of the physical layout of a network
- ring topology, - bus topology, - star topology, - mesh topology.
Non-IP Protocols
- serve as an alternative to IP at the OSI network layer - not common anymore - most firewalls are unable to perform packet header, address, or payload content filtering because the protocols are so rare, posing a security problem - these protocols can be encapsulated in IP to be sent across the internet 1) IPX 2) AppleTalk 3) NetBEUI
Session Rules
- specify how much data each segment can contain, how to verify the integrity of data transmitted, and how to determine whether data has been lost. - Session rules are established through a handshaking process.
Network hardware devices that function at layer 2
- switches and bridges. - support MAC-based traffic routing. - Switches receive a frame on one port and send it out another port based on the destination MAC address. - MAC address destinations are used to determine whether a frame is transferred over the bridge from one network to another.
Eavesdropping
- the act of collecting packets from the communication medium. - listening to communication traffic for the purpose of duplicating it. - The duplication can take the form of recording data to a storage device or using an extraction program that dynamically attempts to extract the original content from the traffic stream. - can extract confidential information, such as usernames, passwords, process procedures, data, and so on. - requires physical access to the IT infrastructure to connect a physical recording device to an open port or cable splice or to install a software-recording tool onto the system. - facilitated by the use of a network traffic capture or monitoring program or a protocol analyzer system (often called a sniffer). - Eavesdropping devices and software are usually difficult to detect because they are used in passive attacks. - When eavesdropping or wiretapping is transformed into altering or injecting communications, the attack is considered an active attack. - Sniffers example: Wireshark and NetWitness and dedicated eavesdropping tools such as T-Sight, Zed Attack Proxy (ZAP), and Cain & Abel.
Logical security boundaries
- the points where electronic communications interface with devices or services for which your organization is legally responsible. - that interface is clearly marked, and unauthorized subjects are informed that they do not have access and that attempts to gain access will result in prosecution.
TCP header flag field values
- these eight flags are eight binary positions (i.e., a byte) that can be presented in either hex or binary format. - This specific byte layout indicates that the fourth and seventh flags are enabled. With the flag layout (using one letter per flag and leaving out CWR and ECE and replacing them with XX), XXUAPRSF is 000A00S0, or the SYN/ACK flag set. Note: the hex presentation of the TCP header flag byte is typically located in the raw data display of a packet capturing tool, such as Wireshark, in offset position 0x2F. This is based on a standard Ethernet Type II header, a standard 20-byte IP header, and a standard TCP header. - You can memorize this flag order using the phrase "Unskilled Attackers Pester Real Security Folk," in which the first letter of each word corresponds to the first letter of the flags in positions 3 through 8.
security issue with cordless phones
- they are designed to use any one of the unlicensed frequencies i.e. 900 MHz, 2.4 GHz, or 5 GHz. - These three unlicensed frequency ranges are employed by many different types of devices, from cordless phones and baby monitors to Bluetooth and wireless networking devices. - The issue that is often overlooked is that someone could easily eavesdrop on a conversation on a cordless phone since its signal is rarely encrypted. - With a frequency scanner, anyone can listen in on your conversations.
Stateful inspection firewalls (also known as dynamic packet filtering firewalls )
- they evaluate the state or the context of network traffic. - By examining source and destination addresses, application usage, source of origin, and relationship between current packets and the previous packets of the same session, stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities. - they operate more efficiently than application-level gateway firewalls. - third-generation firewalls, - they operate at the Network and Transport layers (layers 3 and 4) of the OSI model.
plenum cable
- type of cabling sheathed with a special material that does not release toxic fumes when burned, as traditional PVC-coated wiring does. - Often plenum-grade cable must be used to comply with building codes, especially if the building has enclosed spaces that could trap gases. - Fire resistant and non-toxic; it must be used when wiring above ceiling tiles. PVC cable cannot be used to wire above ceilings because it is toxic when burned. - A grade of cable that does not give off noxious or poisonous gases when burned.
DNP3 (Distributed Network Protocol)
- used in the electric and water utility and management industries. - It is used to support communications between data acquisition systems and the system control equipment. This includes substation computers, RTUs (remote terminal units) (devices controlled by an embedded microprocessor), IEDs (Intelligent Electronic Devices), and SCADA master stations (i.e., control centers). - DNP3 is an open and public standard. - DNP3 is a multilayer protocol that functions similarly to that of TCP/IP, in that it has link, transport, and transportation layers.
LAN media access technologies
- used to avoid or prevent transmission collisions. - define how multiple systems all within the same collision domain are to communicate. - Some of these technologies actively prevent collisions, while others respond to collisions. - types: 1. Carrier-Sense Multiple Access (CSMA) 2. Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA) 3. Carrier-Sense Multiple Access with Collision Detection (CSMA/CD) 4. Token Passing 5. Polling
Remote Authentication Dial-In User Service (RADIUS)
- used to centralize the authentication of remote access connections (originally dial-up; today mostly VPN and 802.1X wired and wireless access). - The remote access server (the network access server, NAS) is the RADIUS client: it forwards the user's logon credentials to the RADIUS server, which answers Access-Accept, Access-Reject, or Access-Challenge. - The NAS and the server share a secret; RADIUS runs over UDP (port 1812 for authentication and 1813 for accounting; older deployments use 1645/1646). - This process is similar to the process used by domain clients sending logon credentials to a domain controller for authentication.
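The NAS-to-server exchange described above, as an added Python example (not from these notes): both sides of a RADIUS Access-Request/Access-Accept exchange per RFC 2865, including the User-Password hiding (MD5 of the shared secret chained with the Request Authenticator) and the Response Authenticator the NAS must check before trusting the verdict. The shared secret, user database and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret || previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value   # type, length, value

def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, secret, username, password, nas_ip):
    """NAS side: 20-byte header (code, id, length, Request Authenticator) + attributes."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()

def radius_server(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    reply = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    return struct.pack("!BBH", reply, ident, 20) + response_authenticator(reply, ident, 20, request_auth, b"", secret)

def client_verify_reply(request: bytes, reply: bytes, secret: bytes):
    """NAS side: trust the verdict only if the identifier matches and the
    Response Authenticator proves the reply came from a holder of the secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, length, request[4:20], reply[20:length], secret)
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code

def demo():
    secret, nas_ip = b"s3cr3t-shared", bytes([10, 0, 0, 1])       # constructed values
    users = {b"alice": b"correct horse battery staple"}          # > 16 bytes: two blocks
    req = build_access_request(7, secret, b"alice", users[b"alice"], nas_ip)
    accepted = client_verify_reply(req, radius_server(req, secret, users), secret)
    bad = build_access_request(8, secret, b"alice", b"wrong", nas_ip)
    rejected = client_verify_reply(bad, radius_server(bad, secret, users), secret)
    # A server that does not know the secret cannot produce a valid Response Authenticator.
    forged = client_verify_reply(req, radius_server(req, b"other-secret", users), secret)
    return accepted, rejected, forged   # (2, 3, None)
```

The example also shows the protocol's weak points: the only cryptography is MD5 keyed with a shared secret, the password hiding is a stream cipher that a weak or guessable secret defeats, and the 2024 Blast-RADIUS attack forges Access-Accept replies by MD5 collision. Run RADIUS only over IPsec or RadSec (RADIUS over TLS), never across untrusted networks.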
Thinnet or 10Base2
- used to connect systems to backbone trunks of thicknet cabling. - Thinnet can span distances of 185 meters and provide throughput up to 10 Mbps.
Bridges
- used to connect two networks together-even networks of different topologies, cabling types, and speeds-in order to connect network segments that use the same protocol. - It forwards traffic from one network to another. - Bridges that connect networks using different transmission speeds may have a buffer to store packets until they can be forwarded to the slower network. This is known as a store-and-forward device. - They operate at OSI layer 2. Systems on either side of a bridge are part of the same broadcast domain but are in different collision domains.
White boxes (phreaker tools)
- used to control the phone system. - It is a dual-tone multifrequency (DTMF) generator (that is, a keypad). - It can be a custom-built device or one of the pieces of equipment that most telephone repair personnel use.
Internet Control Message Protocol (ICMP)
- used to determine the health of a network or a specific link. - ICMP is utilized by ping , traceroute , pathping , and other network management tools. - Provides a means to send error messages for non-transient error conditions and provides a way to probe the network in order to determine general characteristics about the network. - A TCP/IP protocol that is used by devices to communicate updates or error information to other devices.
Circuit-level gateway firewalls or circuit proxies
- used to establish communication sessions between trusted partners. - operate at the Session layer (layer 5) of the OSI model. - SOCKS (from Socket Secure , as in TCP/IP ports) is a common implementation of a circuit-level gateway firewall. - manage communications based on the circuit, not the content of traffic. They permit or deny forwarding decisions based solely on the endpoint designations of the communication circuit (in other words, the source and destination addresses and service port numbers). - called second-generation firewalls because they represent a modification of the application-level gateway firewall concept.
Virtualization
- used to host one or more operating systems within the memory of a single host computer. - This mechanism allows virtually any OS to operate on any hardware. - Such an OS is also known as a guest operating system. - From the perspective that there is an original or host OS installed directly on the computer hardware, the additional OSes hosted by the hypervisor system are guests. - It also allows multiple operating systems to work simultaneously on the same hardware. - examples: VMware, Microsoft Virtual PC, Microsoft Virtual Server, Hyper-V with Windows Server 2008, VirtualBox, and Parallels.
Black boxes (phreaker tools)
- used to manipulate line voltages to steal long-distance services. - often just custom-built circuit boards with a battery and wire clips.
Blue boxes (phreaker tools)
- used to simulate 2600 Hz tones to interact directly with telephone network trunk systems (that is, backbones). - This could be a whistle, a tape recorder, or a digital tone generator.
Red boxes (phreaker tools)
- used to simulate tones of coins being deposited into a pay phone. - usually just small tape recorders.
repeaters, concentrators, amplifiers
- used to strengthen the communication signal over a cable segment as well as connect network segments that use the same protocol. - can be used to extend the maximum length of a specific cable type by deploying one or more repeaters along a lengthy cable run. - operate at OSI layer 1. - Systems on either side of a repeater are part of the same collision domain and the same broadcast domain.
5-4-3 rule
- used whenever Ethernet or other IEEE 802.3 shared-access networks are deployed in a tree topology (in other words, a central trunk with various splitting branches). - defines the number of repeaters/concentrators and segments that can be used in a network design. - states that *between any two nodes (a node can be any type of processing entity, such as a server, client, or router), there can be a maximum of 5 segments connected by 4 repeaters/concentrators, and it states that only 3 of those 5 segments can be populated (in other words, have additional or other user, server, or networking device connections).* - NOT apply to switched networks or the use of bridges or routers.
Lightweight Extensible Authentication Protocol (LEAP)
- was Cisco's initial response to insecure WEP. - supports frequent reauthentication and changing of WEP keys (whereas WEP used single authentication and a static key). - is crackable using a variety of tools and techniques, including the exploit tool Asleap.
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
- was created to replace WEP and TKIP/WPA. - CCMP uses AES (Advanced Encryption Standard) with a 128-bit key in counter mode with a CBC-MAC, so it provides both confidentiality and integrity for each frame. - CCMP is the preferred security protocol of 802.11 wireless networking as specified by 802.11i. - No practical attack on AES-CCMP itself has been published; the known attacks on WPA2 networks target weak pre-shared keys (offline dictionary attack on a captured 4-way handshake) or the handshake implementation (the 2017 KRACK key-reinstallation attacks), not the cipher.
UDP Header
-8 bytes (64 bits) long, divided into four sections/fields (each 16 bits long): 1) source port 2) destination port 3) message length 4) checksum
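The ICMP entry above and this UDP header layout, as an added Python example (not from these notes): it builds an ICMP echo request, parses a UDP header and verifies both with the Internet checksum (RFC 1071) that ICMP and UDP share; the UDP checksum additionally covers a pseudo-header carrying the IP addresses and the protocol number 17. The addresses and payloads are constructed sample data.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, complemented.
    An odd trailing byte is padded with zero. A message that already carries a
    correct checksum sums to 0 when passed through this function again."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence number."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def icmp_is_valid(message: bytes) -> bool:
    return internet_checksum(message) == 0

def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header is 8 bytes: source port, destination port, length, checksum.
    The checksum also covers a pseudo-header (src IP, dst IP, zero, proto 17, length)."""
    length = 8 + len(payload)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, length)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo + header + payload) or 0xFFFF  # 0 means "no checksum" in IPv4
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def parse_udp(segment: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "payload": segment[8:length]}

def udp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    return internet_checksum(pseudo + segment) == 0

def demo() -> dict:
    # Constructed sample traffic: a ping and a TFTP read request (UDP/69).
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    echo = build_icmp_echo(0x1234, 1, b"ping-payload")
    rrq = build_udp(src, dst, 53000, 69, b"\x00\x01" + b"config.bin\x00" + b"octet\x00")
    return {
        "icmp_ok": icmp_is_valid(echo),
        "icmp_tampered_ok": icmp_is_valid(echo[:-1] + b"?"),     # last byte altered
        "udp_dport": parse_udp(rrq)["dport"],
        "udp_ok": udp_checksum_ok(src, dst, rrq),
        "udp_tampered_ok": udp_checksum_ok(src, dst, rrq[:10] + b"X" + rrq[11:]),
    }
```

The checksum is an error-detection code, not an integrity control: anyone on the path can modify a datagram and recompute it. Also note that the UDP checksum is optional in IPv4 (a zero field means "not computed"), so a parser must treat a zero field as unverified rather than as invalid.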
Synchronous Data Link Control (SDLC)
- a bit-oriented synchronous protocol developed by IBM. - uses bit stuffing (zero insertion) to overcome the transparency problem, so that data bytes can never be mistaken for the frame delimiter. - is used on permanent physical connections of dedicated leased lines to provide connectivity for mainframes, such as IBM Systems Network Architecture (SNA) systems. - uses polling. - operates at OSI layer 2 (the Data Link layer).
WAN Switch (WAN Device)
-multiport internetworking devices used in carrier networks -operates at Data Link layer (layer 2) -switches are different depending on WAN type - a specialized version of a LAN switch that is constructed with a built-in CSU/DSU for a specific type of carrier network. - types of carrier networks, or WAN connection technologies, such as X.25, Frame Relay, ATM, and SMDS.
Common VPN Protocols
1) PPTP 2) L2F 3) L2TP 4) IPSec - PPTP, L2F and L2TP operate at OSI layer 2 (Data Link); IPSec operates at layer 3 (Network). - PPTP and IPSec are limited to IP networks, whereas L2F and L2TP can encapsulate any LAN protocol. - PPTP, L2F and L2TP provide little or no encryption of their own, which is why L2TP is normally paired with IPSec (L2TP/IPSec).
Private IP Address vs APIPA vs Loopback Address Range
1) Private IP Addresses (RFC 1918): - the full Class A range 10.0.0.0-10.255.255.255 (10.0.0.0/8) - 16 Class B ranges 172.16.0.0-172.31.255.255 (172.16.0.0/12; note that 172.32.x.x is public) - 256 Class C ranges 192.168.0.0-192.168.255.255 (192.168.0.0/16) 2) APIPA (Automatic Private IP Addressing) Addresses: - 169.254.0.1 to 169.254.255.254 (169.254.0.0/16) with the default Class B subnet mask of 255.255.0.0; a host assigns itself one of these when it cannot reach a DHCP server. 3) Loopback Addresses: - 127.x.x.x (127.0.0.0/8), of which 127.0.0.1 is the one normally used.
Benefits of NAT
1) can connect an entire network to the internet using only a single (or just a few) leased public IP addresses 2) can use the private IP addresses defined in RFC 1918 on the internal network and still connect to the internet 3) hides the internal IP addressing scheme and network topography from the internet 4) restricts inbound connections: a translation entry is created only when an internal host initiates a connection, so unsolicited inbound packets have no entry to match and are dropped. - This repels many automated scans and worms, but NAT is not a substitute for a firewall: it does nothing against attacks carried inside connections that internal hosts initiate (malicious downloads, phishing) and nothing once an attacker is already inside.
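Benefit 4 above in working form, as an added Python example (not from these notes): a toy port address translation (PAT) router that rewrites outbound source addresses, reverses the mapping for replies, and has nothing to match for unsolicited inbound packets. The public address, inside hosts and remote servers are constructed sample values.

```python
import itertools

class NatRouter:
    """Port address translation (PAT): every inside host shares one public IP,
    distinguished by the public source port the router assigns."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)
        self.out_map = {}   # (inside ip, inside port, dst ip, dst port) -> public port
        self.in_map = {}    # (public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, p: dict) -> dict:
        """Rewrite source address/port; create a translation entry on first use."""
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        port = self.out_map.get(key)
        if port is None:
            port = next(self.next_port)
            self.out_map[key] = port
            self.in_map[(port, p["dst"], p["dport"])] = (p["src"], p["sport"])
        return dict(p, src=self.public_ip, sport=port)

    def inbound(self, p: dict):
        """Reverse the translation; drop anything with no matching entry.
        The entry is keyed on the remote endpoint too, so a reply must come
        from the host the inside client actually talked to."""
        key = (p["dport"], p["src"], p["sport"])
        if p["dst"] != self.public_ip or key not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[key]
        return dict(p, dst=inside_ip, dport=inside_port)

def demo():
    nat = NatRouter("203.0.113.1")        # constructed public address
    web = ("198.51.100.5", 80)
    # Two inside hosts happen to use the same source port; PAT keeps them apart.
    a = nat.outbound({"src": "192.168.1.10", "sport": 51000, "dst": web[0], "dport": web[1]})
    b = nat.outbound({"src": "192.168.1.11", "sport": 51000, "dst": web[0], "dport": web[1]})
    reply_a = nat.inbound({"src": web[0], "sport": web[1], "dst": "203.0.113.1", "dport": a["sport"]})
    reply_b = nat.inbound({"src": web[0], "sport": web[1], "dst": "203.0.113.1", "dport": b["sport"]})
    scan = nat.inbound({"src": "198.51.100.77", "sport": 4444, "dst": "203.0.113.1", "dport": 22})
    spoof = nat.inbound({"src": "198.51.100.77", "sport": 80, "dst": "203.0.113.1", "dport": a["sport"]})
    return ((a["src"], a["sport"]), (b["src"], b["sport"]),
            reply_a["dst"], reply_b["dst"], scan, spoof)
```

Real NAT implementations differ in how much of the remote endpoint they key on (the "full cone" to "symmetric" spectrum); the looser variants will accept the spoofed reply that this one drops, which is exactly the hole that NAT hole-punching and some scanning techniques exploit, and why NAT still needs a firewall in front of or inside it.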
countermeasures against DoS or DDoS
1. Add firewalls, routers, and intrusion detection systems (IDSs) that detect DoS traffic and automatically block the port or filter out packets based on the source or destination address. 2. Maintain good contact with your service provider in order to request upstream filtering when a DoS occurs; volumetric floods must be stopped before they reach your link. 3. Disable echo replies on external systems. 4. Disable directed-broadcast forwarding on border routers (the amplifier in smurf attacks). 5. Block spoofed packets from entering or leaving your network (ingress and egress filtering, BCP 38). 6. Keep all systems patched with the most current security updates from vendors. 7. Consider commercial DoS protection/response services such as Cloudflare's DDoS mitigation or Prolexic (now part of Akamai). These can be expensive, but they are often effective.
format standards that exist within the Presentation layer
1. American Standard Code for Information Interchange (ASCII) 2. Extended Binary Coded Decimal Interchange Code (EBCDIC) 3. Tagged Image File Format (TIFF) 4. Joint Photographic Experts Group (JPEG) 5. Moving Picture Experts Group (MPEG) 6. Musical Instrument Digital Interface (MIDI)
Analog vs. Digital communications
1. Analog signals reproduce an approximation of the original waveform; digital signals sample the waveform and convert it into code, so copies and edits of digital data suffer no degradation or generation loss. 2. Digital signals are more reliable than analog signals over long distances or when interference is present, because a digital signal stores information definitively as direct-current voltage: voltage on represents 1 and voltage off represents 0, and these on-off pulses form a stream of binary data. 3. Analog signals become altered and corrupted by attenuation over long distances and by interference. 4. Since an analog signal can take an infinite number of values (as opposed to digital's two states), unwanted alterations to the signal make extraction of the data progressively more difficult as the degradation increases.
forms of denial of service (DoS) attack
1. Attacks exploiting a vulnerability in hardware or software. - cause a system to hang, freeze, consume all system resources, and so on. - end result is that the victimized computer is unable to process any legitimate tasks. 2. Attacks that flood the victim's communication pipeline with garbage network traffic: - called traffic generation or flooding attacks. - end result is that the victimized computer is unable to send or receive legitimate network communications. In either case, the victim has been denied the ability to perform normal operations (services).
two standard classes, or formats, of ISDN service
1. Basic Rate Interface (BRI) 2. Primary Rate Interface (PRI)
problems with coax cable
1. Bending the coax cable past its maximum arc radius and thus breaking the center conductor. 2. Deploying the coax cable in a length greater than its maximum recommended length (which is 185 meters for 10Base2 or 500 meters for 10Base5) 3. Not properly terminating the ends of the coax cable with a 50 ohm resistor
Attacks against Bluetooth or IEEE 802.15
1. Bluejacking attack 2. Bluesnarfing Attack 3. Bluebugging attack
what technologies determine how many destinations a single transmission can reach?
1. Broadcast technology supports communications to all possible recipients. 2. Multicast technology supports communications to multiple specific recipients. 3. Unicast technology supports only a single communication to a specific recipient.
potential attacks against a VoIP solution
1. Caller ID can be falsified easily using any number of VoIP tools, so attackers can perform vishing (VoIP phishing) or Spam over Internet Telephony (SPIT) attacks. 2. The call manager systems and the VoIP phones themselves might be vulnerable to host OS attacks and DoS attacks. 3. man-in-the-middle (MitM) attacks by spoofing call managers or endpoint connection negotiations and/or responses. 4. risks associated with deploying VoIP phones off the same switches as desktop and server systems. This could allow 802.1X authentication falsification as well as VLAN and VoIP hopping (jumping from the data VLAN into the voice VLAN or vice versa). 5. Since VoIP traffic is just network traffic, it is often possible to listen in on VoIP communications by capturing and decoding the traffic when it isn't encrypted; SIP over TLS protects the signaling and SRTP protects the media stream.
guide or procedure to follow when deploying a Wi-Fi network
1. Change the default administrator password (and the default SSID, which often reveals the vendor). 2. Disable the SSID broadcast. This only hides the network from casual discovery; the SSID is still sent in probe and association frames and any sniffer recovers it. 3. Change the SSID to something unique that does not identify the organization. 4. Enable MAC filtering if the pool of wireless clients is relatively small (usually fewer than 20) and static. MAC addresses are trivially spoofed, so this is a nuisance to an attacker, not an access control. 5. Consider using static IP addresses, or configure DHCP with reservations (applicable only for small deployments). 6. Turn on the strongest authentication and encryption supported: WPA2 (or WPA3 where available) with AES-CCMP. WEP is broken and can be cracked in minutes and WPA/TKIP is deprecated; if a device supports nothing better, treat that network as untrusted and isolate it. 7. Treat wireless as remote access, and manage access using 802.1X. 8. Treat wireless as external access, and separate the WAP from the wired network using a firewall. 9. Treat wireless as an entry point for attackers, and monitor all WAP-to-wired-network communications with an IDS. 10. Require all transmissions between wireless clients and the internal network to be encrypted end to end; in other words, require a VPN link.
Types of Network Cables
1. Coaxial cable, also called coax, 2. Baseband and Broadband Cables 3. Twisted-Pair 4. conductor-based network cabling 5. fiber-optic cable.
traffic management functions by VLANs
1. Control and restrict broadcast traffic. Block broadcasts between subnets and VLANs. 2. Isolate traffic between network segments. By default, different VLANs do not have a route for communication with each other. You can also allow communication between VLANs but specify a deny filter between certain VLANs (or certain members of a VLAN). 3. Reduce a network's vulnerability to sniffers. 4. Protect against broadcast storms (floods of unwanted broadcast network traffic).
categories of routing protocols
1. Distance vector routing protocols: - maintain a list of destination networks along with metrics of direction and distance as measured in hops (in other words, the number of routers to cross to reach the destination). - Each router learns only what its neighbors advertise, which is why convergence is slow and why stale routes can be passed around (count to infinity). - Common examples are Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP); Border Gateway Protocol (BGP) is usually listed here too, although it is more precisely a path-vector protocol because it advertises the full AS path. 2. Link state routing protocols: - maintain a topography map of all connected networks and use this map to determine the shortest path to the destination, e.g., Open Shortest Path First (OSPF). - Whatever the type, routing protocol exchanges should be authenticated (RIPv2 and OSPF support MD5 or SHA keyed authentication) so that an attacker on the segment cannot inject routes and redirect traffic.
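The two categories above in working form, as an added Python example (not from these notes): a distance vector computation (Bellman-Ford, each router learning only from its neighbors' advertisements) and a link state computation (Dijkstra over the complete map) run on the same constructed four-router topology, producing the same routing table for router A. The topology and link costs are assumptions for the demonstration.

```python
import heapq

# Constructed topology: (router, router, link cost). Links are undirected.
LINKS = [("A", "B", 1), ("B", "C", 1), ("A", "C", 5), ("C", "D", 1), ("B", "D", 4)]

def adjacency(links):
    adj = {}
    for u, v, w in links:
        adj.setdefault(u, {})[v] = w
        adj.setdefault(v, {})[u] = w
    return adj

def distance_vector(links, source, rounds=None):
    """Bellman-Ford the way a distance vector router runs it: every round each
    router takes its neighbours' advertised (destination, cost) vectors, adds
    the link cost, and keeps the cheapest with that neighbour as next hop.
    Routers know only what neighbours tell them, never the whole map."""
    adj = adjacency(links)
    nodes = sorted(adj)
    vectors = {n: {n: (0, None)} for n in nodes}    # node -> {dest: (cost, next hop)}
    for _ in range(rounds or len(nodes) - 1):       # N-1 rounds guarantee convergence
        updated = {}
        for n in nodes:
            best = dict(vectors[n])
            for neighbour, link_cost in adj[n].items():
                for dest, (cost, _) in vectors[neighbour].items():
                    if dest not in best or link_cost + cost < best[dest][0]:
                        best[dest] = (link_cost + cost, neighbour)
            updated[n] = best
        vectors = updated
    return vectors[source]

def link_state(links, source):
    """Dijkstra over the full topology map, as a link state router (OSPF) does
    once flooding has given every router an identical copy of the map."""
    adj = adjacency(links)
    dist, first_hop, done = {source: 0}, {source: None}, set()
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, w in adj[u].items():
            if v not in dist or d + w < dist[v]:
                dist[v] = d + w
                first_hop[v] = v if u == source else first_hop[u]
                heapq.heappush(heap, (dist[v], v))
    return {dest: (dist[dest], first_hop[dest]) for dest in dist}
```

Both return {destination: (cost, next hop)}; for router A the direct A-C link (cost 5) loses to A-B-C (cost 2) and D is reached through B at cost 3. Calling `distance_vector(LINKS, "A", rounds=1)` shows the intermediate state in which A still believes C costs 5, which is the window an attacker exploits by advertising a bogus cheap route into an unauthenticated RIP domain.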
Control Modes of Communication
1. Simplex : One-way direction communication 2. Half-Duplex: Two-way communication, but only one direction can send data at a time 3. Full-Duplex: Two-way communication, in which data can be sent in both directions simultaneously
methods to disconnect the TCP session
1. First is the use of FIN (finish) flagged packets instead of SYN flagged packets. Each side of a conversation transmits a FIN flagged packet once all of its data has been sent, and the opposing side confirms it with an ACK flagged packet. Thus the textbook teardown takes four packets; in practice the second side often sends its FIN and its ACK in one segment, giving a three-packet close. 2. Second is the use of an RST (reset) flagged packet, which causes an immediate and abrupt session termination. A forged RST is also a classic attack on long-lived sessions, which is why firewalls and IDSs check that the sequence number of an RST falls inside the receive window.
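What the two teardown methods look like from the peer's side, as an added Python example (not from these notes): the server closes a loopback TCP connection either normally (FIN) or with SO_LINGER set to zero, which makes the kernel send RST instead, and the client reports whether it saw an orderly end of stream or a connection reset. It assumes a loopback interface is available and the Linux layout of `struct linger` (two ints).

```python
import socket
import struct
import threading

def _serve_once(listener: socket.socket, mode: str) -> None:
    conn, _ = listener.accept()
    conn.recv(16)                       # wait for the client's message
    if mode == "rst":
        # SO_LINGER with a zero timeout makes close() discard the send queue and
        # emit RST instead of the normal FIN (Linux struct linger = two ints).
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()                        # mode "fin": ordinary FIN/ACK close

def observe_teardown(mode: str) -> str:
    """Open a TCP connection over loopback, have the server close it in the
    requested way ("fin" or "rst"), and report what the client observes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # ephemeral port
    listener.listen(1)
    server = threading.Thread(target=_serve_once, args=(listener, mode))
    server.start()
    client = socket.create_connection(listener.getsockname())
    try:
        client.sendall(b"hello")
        server.join()
        data = client.recv(16)
        return "graceful-fin" if data == b"" else "unexpected-data"
    except ConnectionResetError:
        return "abortive-rst"
    finally:
        client.close()
        listener.close()
```

The graceful close delivers an end-of-stream (an empty read) and the abortive close raises ConnectionResetError; the same difference is what a stateful firewall sees as a FIN/ACK exchange versus a single RST. Capture the loopback interface while running this to see the three or four FIN/ACK segments versus the lone RST.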
types of spread spectrum
1. Frequency Hopping Spread Spectrum (FHSS) 2. Direct Sequence Spread Spectrum (DSSS) 3. Orthogonal Frequency-Division Multiplexing (OFDM)
IPv4 vs IPv6
1. IPv4: - 32-bit addresses written as four decimal octets separated by periods (dotted decimal), giving about 4.3 billion addresses 2. IPv6: - 128-bit addresses written as eight colon-separated groups of hexadecimal digits, giving 2^128 (about 3.4 x 10^38) addresses, effectively unlimited - IPsec support was a mandatory part of the original IPv6 specification (relaxed to "should" in RFC 6434); it is available but not used unless configured - Global multicast support - No broadcasts (multicast and anycast take their place) - Mobility (Mobile IPv6) - scoped addresses: they give administrators the ability to group and then block or allow access to network services, such as file servers or printing. - stateless address autoconfiguration (SLAAC): removes the need for DHCP for basic connectivity (DHCPv6 still exists for centrally managed options), and the large address space removes the need for NAT. - traffic class and flow label fields: allow Quality of Service (QoS) traffic management based on prioritized content.
Layer 2 Forwarding Protocol and Layer 2 Tunneling Protocol
1. L2F: - developed by Cisco - a mutual-authentication tunneling mechanism. - does not offer encryption. - was not widely deployed and was soon replaced by L2TP. 2. L2TP: - derived by combining elements from both PPTP and L2F. - creates a point-to-point tunnel between communication endpoints. - lacks a built-in encryption scheme; in practice it relies on IPSec as its security mechanism (L2TP/IPSec). - supports TACACS+ and RADIUS. - L2F and L2TP both operate at layer 2 and can encapsulate any LAN protocol.
protocols operate within the Session layer
1. Network File System (NFS) 2. Structured Query Language (SQL) 3. Remote Procedure Call (RPC)
OSI Layers
1. Physical 2. Data Link 3. Network 4. Transport 5. Session 6. Presentation 7. Application "Please Do Not Throw Special Pizza Away" — this works for bottom-to-top.
Common Features of SSL and TLS
1. Support secure client-server communications across an insecure network while preventing tampering, spoofing, and eavesdropping. 2. Support one-way authentication (the client verifies the server's certificate). 3. Support two-way authentication using digital certificates (mutual TLS, where the server also verifies a client certificate). 4. Sit directly above TCP as the first payload, so they can encapsulate any higher-layer protocol (HTTPS, SMTPS, LDAPS, and so on). 5. Can also serve as the security layer of a VPN that carries IP (layer 3) or Ethernet (layer 2) traffic; OpenVPN is an example, using TLS to protect its control channel and the key exchange for the tunnel.
types of remote access techniques
1. Service Specific 2. Remote Control 3. Screen Scraper/Scraping 4. Remote Node Operation or dial-up connectivity
Types of Ports (based on numbers)
1. well-known or service ports: the first 1,024 ports (0-1,023), which have standardized assignments as to the services they support (for example 22 SSH, 80 HTTP, 443 HTTPS). 2. registered ports: 1,024 to 49,151. Software vendors register these with the Internet Assigned Numbers Authority (IANA) to provide a standardized port for clients connecting to their products. 3. dynamic, private, or ephemeral ports: 49,152 to 65,535. Clients pick these randomly and temporarily as source ports; some services also use them when negotiating a data transfer channel outside the initial service port, as FTP does. - Port numbers are a convention, not a security control: any service can be bound to any port, and many operating systems use ephemeral ranges that start lower (Linux defaults to 32768-60999).
twisted-pair cabling problems
1. Using the wrong category of twisted-pair cable for high-throughput networking 2. Deploying a twisted-pair cable longer than its maximum recommended length (100 meters) 3. Using UTP in environments with significant interference
types of WAN links and long-distance connection technologies
1. dedicated line (also called a leased line or point-to-point link) 2. nondedicated line
Types of Class Subnets
1. full Class A subnet: supports 16,777,214 hosts; entire Class A network of 127 was set aside for the loopback address, although only a single address is actually needed for that purpose. 2. full class B subnet - supports 65,534 hosts; 3. a full Class C subnet supports 254 hosts. 4. Class D is used for multicasting, 5. Class E is reserved for future use.
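The address ranges above and in the private/APIPA/loopback entry, plus the "block spoofed packets" DoS countermeasure, as one added Python example (not from these notes): it classifies an IPv4 address the way a triage scenario expects, computes usable hosts for a prefix (including the /31 and /32 special cases), applies a BCP 38 style anti-spoofing check at the border, and scans a constructed lease listing for hosts that need attention. The organization's public prefix and the listing are assumptions.

```python
import ipaddress
import re

SPECIAL = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("APIPA/link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("multicast (class D)", ipaddress.ip_network("224.0.0.0/4")),
    ("reserved (class E)", ipaddress.ip_network("240.0.0.0/4")),
]

def classify(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for label, net in SPECIAL:
        if ip in net:
            return label
    return "public"

def usable_hosts(cidr: str) -> int:
    """Hosts per subnet: all-zeros and all-ones are reserved, except that a /31
    (RFC 3021 point-to-point link) and a /32 use every address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2

OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # assumption: our public block

def spoof_filter(direction: str, src: str) -> str:
    """BCP 38 at the border: an inbound packet may not claim our own, a private,
    a loopback, or a multicast source; an outbound packet must come from our prefix."""
    ip = ipaddress.ip_address(src)
    if direction == "in":
        return "DROP" if ip in OUR_PREFIX or classify(src) != "public" else "ALLOW"
    return "ALLOW" if ip in OUR_PREFIX else "DROP"

# Constructed sample of a DHCP lease / ARP listing (not real data).
SAMPLE_LEASES = """\
ws-01   10.0.5.20
ws-02   169.254.23.11
ws-03   172.32.4.4
ws-04   172.16.4.4
printer 192.168.9.200
"""

def triage(listing: str) -> list:
    """APIPA means the host never obtained a lease (bad cable, dead or attacked
    DHCP server); a public address on an internal host is usually a typo such
    as 172.32.x.x for 172.16.x.x, or a sign of a rogue DHCP server."""
    findings = []
    for line in listing.splitlines():
        m = re.match(r"(\S+)\s+(\d+\.\d+\.\d+\.\d+)", line)
        if not m:
            continue
        host, ip = m.groups()
        label = classify(ip)
        if label == "APIPA/link-local":
            findings.append((host, ip, "no DHCP lease obtained"))
        elif label == "public":
            findings.append((host, ip, "public address on internal host"))
    return findings
```

The 172.16.0.0/12 entry is the one people get wrong: 172.31.255.255 is private but 172.32.0.0 is public, which is why the check uses prefix membership rather than a "starts with 172" rule. The same classifier drives the border filter, so a packet arriving from the Internet with a 10.x or 169.254.x source, or claiming our own prefix, is dropped before it can be used for a reflected or spoofed flood.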
Issues with cell phone wireless transmissions
1. not all cell phone traffic is voice; phones also transmit text and computer data. 2. communications over a cell phone provider's network, whether voice, text, or data, are not secure end to end. 3. with specific wireless-sniffing equipment, cell phone transmissions can be intercepted, and a provider's towers can be simulated (a rogue base station) to conduct man-in-the-middle attacks. 4. using cell phone connectivity to access the Internet or the office network provides attackers with yet another potential avenue of attack, access, and compromise.
The IEEE 802.11 standard defines two methods that wireless clients can use to authenticate to WAPs before normal network communications can occur across the wireless link.
1. open system authentication (OSA): - it means there is no real authentication required. - As long as a radio signal can be transmitted between the client and WAP, communications are allowed. It is also the case that wireless networks using OSA typically transmit everything in clear text, thus providing no secrecy or security. 2. shared key authentication (SKA): - SKA means that some form of authentication must take place before network communications can occur. - The 802.11 standard defines one optional technique for SKA known as Wired Equivalent Privacy (WEP). Later amendments to the original 802.11 standard added WPA, WPA2, and other technologies.
Antenna Types
1. standard straight or pole antenna or base antenna - an omnidirectional antenna that can send and receive signals in all directions perpendicular to the line of the antenna itself. - found on most base stations and some client devices. - also called a rubber duck antenna (due to the fact that most are covered in a flexible rubber coating). 2. directional antenna: - they focus their sending and receiving capabilities in one primary direction. -Some examples of directional antennas include Yagi, cantenna, panel, and parabolic. 3. Panel antennas: - flat devices that focus from only one side of the panel. 4. Parabolic antennas: - used to focus signals from very long distances or weak sources.
types of firewalls
1. static packet-filtering firewalls, 2. application-level gateway firewalls, 3. circuit-level gateway firewalls, 4. stateful inspection firewalls - hybrid or complex gateway firewalls: created by combining two or more of these firewall types into a single firewall solution
application-specific protocols are found within the Application layer
1. Hypertext Transfer Protocol (HTTP) 2. File Transfer Protocol (FTP) 3. Line Print Daemon (LPD) 4. Simple Mail Transfer Protocol (SMTP) 5. Telnet 6. Trivial File Transfer Protocol (TFTP) 7. Electronic Data Interchange (EDI) 8. Post Office Protocol version 3 (POP3) 9. Internet Message Access Protocol (IMAP) 10. Simple Network Management Protocol (SNMP) 11. Network News Transport Protocol (NNTP) 12. Secure Remote Procedure Call (S-RPC) 13. Secure Electronic Transaction (SET)
protocols operate within the Transport layer
1. Transmission Control Protocol (TCP) 2. User Datagram Protocol (UDP) 3. Sequenced Packet Exchange (SPX) 4. Secure Sockets Layer (SSL) 5. Transport Layer Security (TLS)
virtual desktop
3 different types of technology: 1. A remote access tool that grants the user access to a distant computer system by allowing remote viewing and control of the distant desktop's display, keyboard, mouse, and so on. 2. An extension of the virtual application concept encapsulating multiple applications and some form of "desktop" or shell for portability or cross-OS operation. This technology offers some of the features/benefits/applications of one platform to users of another without the need for multiple computers, dual-booting, or virtualizing an entire OS platform. 3. An extended or expanded desktop larger than the display being used allows the user to employ multiple application layouts, switching between them using keystrokes or mouse movements.
seven layers and the protocols supported by each of the layers of the OSI model
7. Application: HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC, and SET 6. Presentation: encryption protocols and format types, such as ASCII, EBCDIC, TIFF, JPEG, MPEG, and MIDI 5. Session: NFS, SQL, and RPC 4. Transport: SPX, SSL, TLS, TCP, and UDP 3. Network: ICMP, RIP, OSPF, BGP, IGMP, IP, IPSec, IPX, NAT, and SKIP 2. Data Link: SLIP, PPP, ARP, RARP, L2F, L2TP, PPTP, FDDI, ISDN 1. Physical: EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET, V.24, and V.35
Star Topology
A LAN configuration in which a central node (simple hub or switch) controls all message traffic. - Each system is connected to the central hub by a dedicated segment. - If any one segment fails, the other segments can continue to function. - central hub is a single point of failure. - uses less cabling than other topologies and makes the identification of damaged cables easier. - A logical bus and a logical ring can be implemented as a physical star. - Ethernet is a bus-based technology. It can be deployed as a physical star, but the hub or switch device is actually a logical bus connection device. - Token Ring is a ring-based technology. It can be deployed as a physical star using a multistation access unit (MAU). - An MAU allows for the cable segments to be deployed as a star while internally the device makes logical ring connections.
virtual SAN (storage area network)
A SAN is a network technology that combines multiple individual storage devices into a single consolidated network-accessible storage container. - A virtual SAN or a software-defined shared storage system is a virtual re-creation of a SAN on top of a virtualized network or an SDN.
Session Initiation Protocol (SIP)
A VoIP signaling protocol used to set up, maintain, and tear down VoIP phone calls.
Shielded Twisted Pair (STP)
Copper network cabling composed of pairs of wires twisted around each other at specific intervals. The twists reduce crosstalk (interference between pairs); more twists per unit length give better rejection. - STP adds metallic shielding (a foil wrap around each pair and/or a braided mesh under the outer jacket) that protects the wires from external electromagnetic interference; unshielded twisted pair (UTP) relies on the twists alone. - The shield must be grounded through the connector to be effective.
Circuit Switching vs. Packet Switching
- A circuit is an electronic closed-loop path between two or more points. - Packet switches are called routers. - Circuit-switched networks typically bill by the minute; packet-switched networks typically bill by the megabyte.
Collisions vs. Broadcasts
A collision occurs when two systems transmit data at the same time onto a connection medium that supports only a single transmission path. - A broadcast occurs when a single system transmits data to all possible recipients. - collisions are something to avoid and prevent, while broadcasts have useful purposes from time to time.
Integrated Services Digital Network (ISDN)
A communication standard for sending voice, video or data over digital telephone lines. - A type of Internet connection that uses standard circuit-switched phone lines to send digital data. - a fully digital telephone network that supports both voice and high-speed data communications.
WPA2 (Wi-Fi Protected Access 2)
A data encryption standard compliant with the IEEE 802.11i standard that uses the AES (Advanced Encryption Standard) cipher. WPA2 is currently the strongest widely deployed wireless encryption standard. - 802.11i is the amendment that defines a cryptographic solution to replace WEP. - it introduced a new encryption scheme, the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is based on AES. - The AES-CCMP encryption itself has not been cracked; WPA2 deployments are broken through weak pre-shared keys (an attacker captures the 4-way handshake and runs an offline dictionary attack) or through handshake implementation flaws such as the 2017 KRACK attacks, which vendor patches fixed. Use long random passphrases or, better, WPA2-Enterprise with 802.1X.
Tunneling
A data transport technique in which a data packet is transferred inside the frame or packet of another protocol, enabling the infrastructure of one network to be used to travel to another network. - used by VPNs. - is the network communications process that protects the contents of protocol packets by encapsulating them in packets of another protocol. - The encapsulation is what creates the logical illusion of a communications tunnel over the untrusted intermediary network. This virtual path exists between the encapsulation and the de-encapsulation entities located at the ends of the communication. - example: to bypass firewalls, gateways, proxies, or other traffic control devices. - prevents the traffic control devices from blocking or dropping the communication because such devices don't know what the packets actually contain.
Gateways (protocol translators)
A device to connect two different networks, esp, a connection to the internet. - connects networks that are using different network protocols. - responsible for transferring traffic from one network to another by transforming the format of that traffic into a form compatible with the protocol or transport method used by each network. - can be stand-alone hardware devices or a software service (for example, an IP-to-IPX gateway). - Systems on either side of a gateway are part of different broadcast domains and different collision domains. - used to connect network segments that use different protocols. - types of gateways, including data, mail, application, secure, and Internet. - operate at OSI layer 7.
Wireless Cells
A division of wireless networks containing a certain range of frequencies that can be used. - the area within a physical environment where a wireless device can connect to a wireless access point. - Wireless cells can leak outside the secured environment and allow intruders easy access to the wireless network; reduce leakage by placing access points away from exterior walls, lowering transmit power, and using directional antennas.
spread spectrum
A form of radio transmission in which the signal is spread over more than one frequency, which improves resistance to interference and makes eavesdropping and jamming harder. - communication occurs over multiple frequencies at the same time: a message is broken into pieces, and each piece is sent at the same time but using a different frequency. - this is parallel rather than serial communication.
Switches or intelligent hub
A layer 2 device that is used to connect two or more network segments and regulate traffic. - knows the MAC addresses of the systems connected on each port. - Instead of repeating traffic on every outbound port, a switch repeats traffic only out of the port on which the destination is known to exist. - offers greater efficiency for traffic delivery, creates separate collision domains, and improves the overall throughput of data. - also creates separate broadcast domains when used to create VLANs. In such configurations, broadcasts are allowed within a single VLAN but not allowed to cross unhindered from one VLAN to another. - operates primarily at OSI layer 2. - When switches have additional features, such as routing, they can operate at OSI layer 3 as well (such as when routing between VLANs). - Systems on either side of a switch operating at layer 2 are part of the same broadcast domain but are in different collision domains. - Systems on either side of a switch operating at layer 3 are part of different broadcast domains and different collision domains. - used to connect network segments that use the same protocol.
Routers
A layer 3 device that is used to connect two or more network segments and regulate traffic. - determines the best logical path for the transmission of packets based on speed, hops, preference, and so on. - uses the destination IP address to guide the transmission of packets. - used to control traffic flow on networks and often used to connect similar networks and control traffic flow between the two. - can function using statically defined routing tables, or can employ a dynamic routing protocol such as RIP, OSPF, or BGP. - Systems on either side of a router are part of different broadcast domains and different collision domains. - used to connect network segments that use the same protocol.
Broadcast Domain
A logical area in a computer network where any node connected to the computer network can directly transmit to any other node in the domain without a central routing device. - a group of networked systems in which all other members receive a broadcast signal when one of the members of the group transmits it. Any system outside a broadcast domain would not receive a broadcast from that broadcast domain.
Pretty Good Privacy (PGP)
A method of encrypting and decrypting email messages; it can also digitally sign them. - is a public-private key system that uses a variety of algorithms to encrypt files and email messages (the message is encrypted with a random symmetric key, which is in turn encrypted with the recipient's public key). - The first version of PGP used RSA, the second version added the International Data Encryption Algorithm (IDEA), and later versions offer a spectrum of algorithm options. - It began not as a standard but as an independently developed product with wide Internet grassroots support; its message format was later standardized as OpenPGP (RFC 4880).
Extranet
A private electronic network that links a company with its suppliers and customers. - a cross between the Internet and an intranet. - It is a section of an organization's network that has been sectioned off so that it acts as an intranet for the private network but also serves information to the public Internet. - It is often reserved for use by specific partners or customers. It is rarely on a public network. - An extranet for public consumption is typically labeled a demilitarized zone (DMZ) or perimeter network.
Bluesnarfing Attack
A process in which attackers gain access to unauthorized information on a wireless device using a Bluetooth connection. - allows hackers to connect with your Bluetooth devices without your knowledge and extract information from them. - This form of attack can offer attackers access to your contact lists, your data, and even your conversations.
Transport Layer Security (TLS)
A protocol for managing the security of message transmissions on the Internet. - uses stronger authentication and encryption protocols than SSL. - can be used to encrypt UDP and Session Initiation Protocol (SIP) connections. (SIP is a protocol associated with VoIP.)
Internet Small Computer System Interface (iSCSI)
A protocol that enables the SCSI command set to be transported over a TCP/IP network from a client to an iSCSI-based storage system. iSCSI is popular with storage area network (SAN) systems. - a networking storage standard based on IP. - used to enable location-independent file storage, transmission, and retrieval over LAN, WAN, or public Internet connections. - a low-cost alternative to Fibre Channel.
Point-to-Point Tunneling Protocol (PPTP)
A protocol that works with PPP to provide a secure data link between computers using encryption. - an encapsulation protocol developed from the dial-up Point-to-Point Protocol. - operates at the Data Link layer (layer 2) of the OSI model. - used on IP networks. - creates a point-to-point tunnel between two systems and encapsulates PPP packets. - used on VPNs, but it is often replaced by the L2TP, which can use IPSec to provide traffic encryption for VPNs. - does not support TACACS+ and RADIUS. - offers protection for authentication traffic through the same authentication protocols supported by PPP: 1. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) 2. Challenge Handshake Authentication Protocol (CHAP) 3. Password Authentication Protocol (PAP) 4. Extensible Authentication Protocol (EAP) 5. Shiva Password Authentication Protocol (SPAP)
screened subnet vs screened host
A screened subnet is similar to the screened host (in other words, the bastion host) in concept, except a subnet is placed between two routers and the bastion host(s) is located within that subnet.
WAP with CALEA restrictions
A secure link is established between the mobile device and the telco's main server using WAP/WTLS. - The data is converted into its clear form before being reencapsulated in SSL, TLS, IPSec, and so on for its continued transmission to its intended destination.
TKIP (Temporal Key Integrity Protocol)
A security protocol created by the IEEE 802.11i task group to replace WEP without requiring replacement of legacy wireless hardware. - implemented into 802.11 wireless networking under the name WPA (Wi-Fi Protected Access). - TKIP improvements include a key-mixing function that combines the initialization vector (IV) (i.e., a random number) with the secret root key before using that key with RC4 to perform encryption; a sequence counter is used to prevent packet replay attacks; and a strong integrity check named Michael is used.
DMZ (demilitarized zone)
A small section of a private network that is located between two firewalls and made available for public access. - All inbound traffic in a Multihomed Firewall is directed to the bastion host, and only traffic proxied by the bastion host can pass through the second router into the private network. This creates a subnet where some external visitors are allowed to communicate with resources offered by the network. This is the concept of a DMZ, which is a network area (usually a subnet) that is designed to be accessed by outside visitors but that is still isolated from the private network of the organization. The DMZ is often the host of public web, email, file, and other resource servers.
Direct Sequence Spread Spectrum (DSSS)
A spread-spectrum broadcasting method defined in the 802.11 standard that sends data out on different frequencies at the same time. - A wireless technology that spreads a transmission over a much larger frequency band, and with corresponding smaller amplitude. - employs all the available frequencies simultaneously in parallel. - This provides a higher rate of data throughput than FHSS. - uses a special encoding mechanism known as chipping code to allow a receiver to reconstruct data even if parts of the signal were distorted because of interference. - This occurs in much the same way that the parity of RAID-5 allows the data on a missing drive to be re-created.
Fiber Distributed Data Interface (FDDI)
A standard for transmitting data on optical fiber cables at a rate of around 100 Mbps. It uses the ring topology. - is a high-speed token-passing technology that employs two rings with traffic flowing in opposite directions. - used as a backbone for large enterprise networks. - Its dual-ring design allows for self-healing by removing the failed segment from the loop and creating a single loop out of the remaining inner and outer ring portions. - expensive but was often used in campus environments before Fast Ethernet and Gigabit Ethernet were developed. - A less-expensive, distance-limited, and slower version known as Copper Distributed Data Interface (CDDI) uses twisted-pair cables. CDDI is also more vulnerable to interference and eavesdropping.
Privacy Enhanced Mail (PEM)
A standard proposed by the Internet Engineering Task Force (IETF) that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures. - an email encryption mechanism that provides authentication, integrity, confidentiality, and nonrepudiation. - uses RSA, DES, and X.509.
Subnet
A subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting. Computers that belong to a subnet are addressed with an identical most-significant bit-group in their IP addresses.
Token Passing
A technique where an electrical token circulates around a network; control of the token enables the user to gain access to the network. - LAN media access technology that performs communications using a digital token. - Possession of the token allows a host to transmit data. Once its transmission is complete, it releases the token to the next system. - Token passing is used by Token Ring networks, such as FDDI. - prevents collisions since only the system possessing the token is allowed to transmit data.
Voice over IP (VoIP)
A technology that converts voice into data packets for transmission over a packet-switched IP network. Allows the use of the Internet for real-time voice and video traffic. - a tunneling mechanism used to transport voice and/or data over a TCP/IP network. - VoIP has the potential to replace or supplant PSTN because it's often less expensive and offers a wider variety of options and features. - VoIP can be used as a direct telephone replacement on computer networks as well as mobile devices. In addition, VoIP is able to support video and data transmission to allow videoconferencing and remote collaboration on projects. e.g., Skype or magicJack
Physical Topology
A topology that describes a network's physical layout and shape. - The actual layout of network devices, wires, and cables. - The physical arrangement of connections between computers.
logical topology
A topology that describes the data-flow patterns in a network. - A network's access method or the way in which data is transmitted between nodes. - is the grouping of networked systems into trusted collectives.
Static NAT (SNAT)
A type of NAT that maps a single routable IP address to a single machine, allowing you to access that machine from outside the network. - Use static mode NAT when a specific internal client's IP address is assigned a permanent mapping to a specific external public IP address. - This allows for external entities to communicate with systems inside your network even if you are using RFC 1918 IP addresses.
DNS spoofing AKA DNS Cache poisoning
Allows an attacker to map a hostname and domain to an IP address other than the legitimate IP address. - occurs when an attacker sends false replies to a requesting system, beating the real reply from the valid DNS server. This is also technically an exploitation of race conditions. - Protection: allowing only authorized changes to DNS, restricting zone transfers, and logging all privileged DNS activity.
loopback address
An IP address that indicates your own computer and is used to test TCP/IP configuration on the computer. - purely a software entity. - It is an IP address used to create a software interface that connects to itself via TCP/IP. - allows for the testing of local network settings in spite of missing, damaged, or nonfunctional network hardware and related device drivers. - Technically, the entire 127.x.x.x network is reserved for loopback use. However, only the 127.0.0.1 address is widely used.
Authentication Header (AH)
An IPSec component that provides connectionless integrity and the authentication of data. It also provides protection against replay attacks. - provides authentication, integrity, and nonrepudiation
VLAN hopping attack
An attack in which the attacker generates transmissions that appear, to the switch, to belong to a protected VLAN. - One weakness caused by unbounded encapsulation support is the ability to jump between VLANs. - VLANs are network segments that are logically separated by tags. This attack, known as VLAN hopping, is performed by creating a double-encapsulated IEEE 802.1Q VLAN tag: [ Ethernet [ VLAN1 [ VLAN2 [ IP [ TCP [ HTTP ] ] ] ] ] ] With this double encapsulation, the first encountered switch will strip away the first VLAN tag, and then the next switch will be fooled by the interior VLAN tag and move the traffic into the other VLAN.
Replay Attacks
An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access. - an offshoot of impersonation attacks and are made possible through capturing network traffic via eavesdropping. - prevent them by using one-time authentication mechanisms and sequenced session identification.
DNS poisoning
An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device. - occurs when an attacker alters the domain-name-to-IP-address mappings in a DNS system to redirect traffic to a rogue system or to simply perform a denial-of-service against a system. - Protection: allowing only authorized changes to DNS, restricting zone transfers, and logging all privileged DNS activity.
Distributed Denial of Service (DDoS)
An attack where a firm's computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site's use. DDoS attacks are often performed via botnets. - An attack that uses multiple zombie computers (even hundreds or thousands) in a botnet to flood a device with requests.
ARP cache poisoning
An attack where an attacker inserts bogus information into the ARP cache - the local memory store of discovered IP to MAC relationships.
Mail bombing (also a DoS)
An attacker routes large quantities of e-mail to a target to overwhelm the receiver. - result: Legitimate messages cannot be delivered.
denial-of-service attack (DoS)
An attempt to make a computer or any of its resources unavailable to its intended users. - a resource consumption attack that has the primary goal of preventing legitimate activity on a victimized system. - renders the target unable to respond to legitimate traffic. - isn't a single attack but rather an entire class of attacks. - exploit flaws in operating system software, installed applications, services, or protocols, including Internet Protocol (IP), Transmission Control Protocol (TCP), Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), and so on.
Data Emanation
An electromagnetic (EM) field that is generated by a network cable or network device, which can be manipulated to eavesdrop on conversations or to steal data. - The U.S. government has been researching emanation security since the 1950s under the TEMPEST project.
Serial Line Internet Protocol (SLIP)
An older protocol designed to connect Unix systems together in a dial-up environment; supports only serial communications. - designed to support TCP/IP communications over asynchronous serial connections, such as serial cables or modem dial-up. - is rarely used but is still supported on many systems. - It can support only IP, requires static IP addresses, offers no error detection or correction, and does not support compression. - offered no authentication, supported only half-duplex communications, had no error detection capabilities, and required manual link establishment and teardown. - replaced by PPP.
OpenVPN
An open source VPN software that is available for multiple platforms. OpenVPN requires more effort to set up than software embedded in the OS, but it is extremely adaptable and generally more secure than other options. - SSL and TLS can be implemented at lower layers, such as layer 3 (the Network layer) to operate as a VPN. This implementation is known as OpenVPN.
AppleTalk
An outdated suite of networking protocols used by early editions of the Apple Mac OS, and has been replaced by the TCP/IP suite of protocols.
Extensible Authentication Protocol (EAP)
Authentication wrapper that EAP-compliant applications can use to accept one of many types of authentication. - is a general-purpose authentication wrapper, but only used in wireless networks. - framework for authentication instead of an actual protocol. - allows customized authentication security solutions, such as supporting smart cards, tokens, and biometrics.
How many communications can occur simultaneously over a cable segment depends on what?
Baseband and Broadband
fiber-optic cable
Cable that uses light guided through thin glass tubes, instead of electrical signals, to transmit data. It is very fast but also expensive. - A cable that transmits data at close to the speed of light along glass or plastic fibers. - transmit pulses of light rather than electricity. - This gives fiber-optic cable the advantage of being extremely fast and nearly impervious to tapping and interference. - However, it is difficult to install and expensive; thus, the security and performance it offers come at a steep price.
UTP categories
Cat 1: voice only; Cat 2: 4 Mbps; Cat 3: 10 Mbps; Cat 4: 16 Mbps; Cat 5: 100 Mbps; Cat 6: 1000 Mbps; Cat 7: 10 Gbps - rate the quality of UTP cabling.
private circuit technologies and packet-switching technologies
Common private circuit technologies include dedicated or leased lines and PPP, SLIP, ISDN, and DSL connections. - Packet-switching technologies include X.25, Frame Relay, asynchronous transfer mode (ATM), Synchronous Data Link Control (SDLC), and High-Level Data Link Control (HDLC). - Packet-switching technologies use virtual circuits instead of dedicated physical circuits. - A virtual circuit is created only when needed, which makes for efficient use of the transmission medium and is extremely cost-effective.
Modem (Modulator-Demodulator)
Device that converts a digital bit stream into an analog signal (modulation) and converts incoming analog signals back into digital signals (demodulation). An analog communications channel is typically a telephone line, and analog signals are typically sounds. - it is a communications device that converts or modulates between an analog carrier signal and digital information in order to support computer communications over public switched telephone network (PSTN) lines. - replaced by digital broadband technologies including ISDN, cable modems, DSL modems, 802.11 wireless, and various forms of wireless modems.
Dynamic Host Configuration Protocol (DHCP)
Dynamically assigns IP address information (for example, IP address, subnet mask, DNS server's IP address, and default gateway's IP address) to network devices. - uses UDP Ports 67 and 68 - DHCP uses port 67 for server point-to-point response and port 68 for client request broadcasts. - It is used to assign TCP/IP configuration settings to systems upon bootup. - DHCP enables centralized control of network addressing.
types of LAN technologies
Ethernet, Token Ring, and FDDI.
Extended Unique Identifier (EUI)
Expanded 64-bit version of the 48-bit MAC address used at the end of an IPv6 address. - First 3 octets of the MAC, the constant FF:FE, then the last 3 bytes of the MAC. - used to identify other types of hardware as well as software.
sliding windows
For protocols such as TCP that allow the receiving device to dictate the amount of data the sender can send before receiving an acknowledgment (a concept called a window), a reference to the fact that the mechanism to grant future windows is typically just a number that grows upward slowly after each acknowledgment, sliding upward.
Covert channel attack with HTTP Tunnel tool
HTTP carries its own web-related payload, but with the HTTP Tunnel tool, the standard payload is replaced with an alternative protocol. This false encapsulation can even occur lower in the protocol stack. For example, ICMP is typically used for network health testing and not for general communication. However, with utilities such as Loki, ICMP is transformed into a tunnel protocol to support TCP communications. The encapsulation structure of Loki is as follows: [ Ethernet [ IP [ ICMP [ TCP [ HTTP ] ] ] ] ]
Challenge Handshake Authentication Protocol (CHAP)
Like PAP, CHAP performs one-way authentication. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network. - used over PPP links. - encrypts usernames and passwords. - It performs authentication using a challenge-response dialogue that cannot be replayed. - periodically reauthenticates the remote system throughout an established communication session to verify a persistent identity of the remote client. This activity is transparent to the user. - replaced by EAP
Do the protocols used to support email employ encryption?
No. All messages are transmitted in the form in which they are submitted to the email server, which is often plain text.
Bus Topology
Network configuration wherein all computers connect to the network via a central bus cable. - connects each system to a trunk or backbone cable. - All systems on the bus can transmit data simultaneously, which can result in collisions. - A collision occurs when two systems transmit data at the same time; the signals interfere with each other. - To avoid this, the systems employ a collision avoidance mechanism that basically "listens" for any other currently occurring traffic. - If traffic is heard, the system waits a few moments and listens again. - If no traffic is heard, the system transmits its data. - When data is transmitted on a bus topology, all systems on the network hear the data. - If the data is not addressed to a specific system, that system just ignores the data. - Benefit: if a single segment fails, communications on all other segments continue uninterrupted. However, the central trunk line remains a single point of failure. - types of bus topologies: linear and tree - no longer used: it must be terminated at both ends, and any disconnection can take down the entire network.
PGP vs GnuPG
PGP is a commercial product, while OpenPGP is a developing standard that GnuPG is compliant with and that was independently developed by the Free Software Foundation.
port isolation or private ports
Private VLANs that are configured to use a dedicated or reserved uplink port. The members of a private VLAN or a port isolated VLAN can interact only with each other and over the predetermined exit port or uplink port. A common implementation of port isolation occurs in hotels.
Authentication Protocols
Protocols used to provide the transport mechanism for logon credentials. examples: - Challenge Handshake Authentication Protocol (CHAP) - Password Authentication Protocol (PAP) - Extensible Authentication Protocol (EAP) - Protected Extensible Authentication Protocol (PEAP) - Lightweight Extensible Authentication Protocol (LEAP)
Record Sequence Checking
Similar to hash total checking, but instead of verifying content integrity, it involves verifying packet or message sequence integrity.
Hubs
Simple devices that connect network components, sending a packet of data to all other connected devices. - used to connect multiple systems and connect network segments that use the same protocol. - They repeat inbound traffic over all outbound ports. This ensures that the traffic will reach its intended host. - is a multiport repeater. - operate at OSI layer 1. - Systems on either side of a hub are part of the same collision and broadcast domains. - Hubs are an outmoded technology; most organizations have a no-hub security policy to limit or reduce the risk of sniffing attacks, and switches are preferred.
Bluejacking attack
Some users with Bluetooth-enabled mobiles use this technology to send anonymous text messages to strangers. This has been nicknamed 'bluejacking'.
x window port
TCP Ports 6000-6063
Transport Layer Protocols of TCP/IP
TCP and UDP. - TCP is a full-duplex connection-oriented protocol, whereas UDP is a simplex connectionless protocol.
Telnet port
TCP port 23
SSL port
TCP port 443
HTTP port
TCP port 80
FTP Port
TCP ports 20, 21
X Window
The GUI interface available in Linux. - TCP Ports 6000-6063
OSI Model
The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology. - open network architecture guide for network product vendors. This standard, or guide, provides a common foundation for the development of new protocols, networking services, and even hardware devices.
differences between PPP and SLIP
The Point-to-Point Protocol (PPP) is an encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links. PPP includes a wide range of communication services, including assignment and management of IP addresses, management of synchronous communications, standardized encapsulation, multiplexing, link configuration, link quality testing, error detection, and feature or option negotiation (such as compression). PPP was originally designed to support CHAP and PAP for authentication. However, recent versions of PPP also support MS-CHAP, EAP, and SPAP. PPP replaced Serial Line Internet Protocol (SLIP). SLIP offered no authentication, supported only half-duplex communications, had no error detection capabilities, and required manual link establishment and teardown.
Stateful NAT
The ability or means by which NAT maintains information about the communication sessions between clients and external systems. - NAT operates by maintaining a mapping between requests made by internal clients, a client's internal IP address, and the IP address of the Internet service contacted.
How is the data communicated through a TCP session periodically verified with an acknowledgement?
The acknowledgement is sent by the receiver back to the sender by setting the TCP header's acknowledgement sequence value to the last sequence number received from the sender within the transmission window.
Hypertext Transport Protocol (HTTP)
The communications standard used to transfer pages across the WWW portion of the Internet; defines how messages are formulated and transmitted. - TCP Port 80
virtual applications or virtual desktops
The idea is that the screen on the target machine is scraped and shown to the remote operator. Since remote access to resources presents additional risks of disclosure or compromise during the distance transmission, it is important to employ encrypted screen scraper solutions.
security boundary
The line of intersection between any two areas, subnets, or environments that have different security requirements or needs. - exists between a high-security area and a low-security one, such as between a LAN and the Internet. - Once you identify a security boundary, you need to deploy mechanisms to control the flow of information across those boundaries. - The distinction between classifications of objects.
What is the maximum distance a DSL line can be from a central office (that is, a specific type of distribution node of the telephone network)?
The maximum distance a DSL line can be from a central office (that is, a specific type of distribution node of the telephone network) is approximately 1,000 meters.
what does maximum length for each cable type define?
The maximum length defined for each cable type indicates the point at which the level of degradation could begin to interfere with the efficient transmission of data. This degradation of the signal is known as attenuation.
Converged Protocols
The merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/IP suite. Some common examples of converged protocols include FCoE, MPLS, iSCSI, and VoIP.
Password Authentication Protocol (PAP)
The oldest and most basic form of authentication and also the least safe because it sends all passwords in cleartext. - protocol for PPP. - offers no form of encryption; it simply provides a means to transport the logon credentials from the client to the authentication server. - replaced by EAP
Collision Domain
The portion of an Ethernet network in which collisions could occur if two nodes transmit data at the same time. - a group of networked systems that could cause a collision if any two (or more) of the systems in that group transmitted simultaneously. Any system outside the collision domain cannot cause a collision with any member of that collision domain. - A collision causes one or both of the messages to be corrupted.
Wardriving
The practice of driving around and locating open wireless access points. - This activity involves using a wireless interface or a wireless detector to locate wireless network signals. Once an attacker knows a wireless network is present, they can use sniffers to gather wireless packets for investigation. With the right tools, an attacker can discover hidden SSIDs, active IP addresses, valid MAC addresses, and even the authentication mechanism in use by the wireless clients. From there, attackers can grab dedicated cracking tools to attempt to break into the connection or attempt to conduct man-in-the-middle attacks. The older and weaker your protections, the faster and more successful such attacks are likely to be.
Domain Name Resolution
The process whereby DNS translates a domain name into a corresponding numeric IP address. - Mapping computer and device names to IP addresses. - 3 basic layers of addressing and numbering as used on TCP/IP-based networks: 3. The third, or bottom, layer is the MAC address. The MAC address, or hardware address, is a "permanent" physical address. 2. The second, or middle, layer is the IP address. The IP address is a "temporary" logical address assigned over or onto the MAC address. 1. The top layer is the domain name. The domain name or computer name is a "temporary" human-friendly convention assigned over or onto the IP address.
routing protocols located at Network layer (Layer 3)
The routing protocols are located at this layer and include the following: 1. Internet Control Message Protocol (ICMP) 2. Routing Information Protocol (RIP) 3. Open Shortest Path First (OSPF) 4. Border Gateway Protocol (BGP) 5. Internet Group Management Protocol (IGMP) 6. Internet Protocol (IP) 7. Internet Protocol Security (IPSec) 8. Internetwork Packet Exchange (IPX) 9. Network Address Translation (NAT) 10. Simple Key Management for Internet Protocols (SKIP)
Telnet
This is a terminal emulation network application that supports remote connectivity for executing commands and running applications but does not support transfer of files. - TCP Port 23
SNMP port
UDP Port 161 (UDP Port 162 for Trap Messages)
Bootstrap Protocol (BootP)/Dynamic Host Configuration Protocol (DHCP) Ports
UDP Ports 67 and 68
DHCP Port
UDP Ports 67 and 68
TFTP port
UDP port 69
Port
When a communication connection is established between two systems, it is done using ports. - A port (also called a socket) is little more than an address number that both ends of the communication link agree to use when transferring data. Ports allow a single IP address to support multiple simultaneous communications, each using a different port number. - Types of Ports: 1. well-known ports or the service ports: the first 1,024 of these ports (0-1,023). This is because they have standardized assignments as to the services they support. 2. registered software ports: Ports 1024 to 49151. These are ports that have one or more networking software products specifically registered with the Internet Assigned Numbers Authority (IANA) in order to provide a standardized port-numbering system for clients attempting to connect to their products. 3. random, dynamic, or ephemeral ports: Ports 49152 to 65535. They are often used randomly and temporarily by clients as a source port. These random ports are also used by several networking services when negotiating a data transfer pipeline between client and server outside the initial service or registered ports, as performed by common FTP.
Telecommuting
Working at home by using a computer terminal electronically linked to one's place of employment.
Multilayer Protocols example
[ Ethernet [ IPSec [ IP [ TCP [ SSL [ HTTP ] ] ] ] ] ] - HTTP is encapsulated in TCP, which in turn is encapsulated in IP, which is in turn encapsulated in Ethernet. - SSL/TLS encryption is added to the communication, inserting a new encapsulation between HTTP and TCP. - This in turn could be further encapsulated with a Network layer encryption such as IPSec.
PDU (Protocol Data Unit, Packet Data Unit, or Payload Data Unit)
a container of information or data passed between network layers.
Static Packet Filtering Firewall or screening routers or common routers
a firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall. - filters traffic by examining data from a message header. The rules are concerned with source, destination, and port addresses. - Using static filtering, a firewall is unable to provide user authentication or to tell whether a packet originated from inside or outside the private network, and it is easily fooled with spoofed packets. - operate at layer 3 (the Network layer) of the OSI model. - first-generation firewalls
dead zone
a network segment using an alternative Network layer protocol instead of IP.
botnets or zombie networks
a set of computers that are penetrated by malicious software known as malware that allows an external agent to control their actions. - used in DDoS attacks
protocol
a set of rules and restrictions that define how data is transmitted over a network medium (e.g., twisted-pair cable, wireless transmission).
Ethernet
a system for connecting a number of computer systems to form a local area network, with protocols to control the passing of information and to avoid simultaneous transmission by two or more systems. - a shared-media LAN technology (also known as a broadcast technology). - it allows numerous devices to communicate over the same medium but requires that the devices take turns communicating and performing collision detection and avoidance. - employs broadcast and collision domains. - supports full-duplex communications (i.e., full two-way) and employs twisted-pair cabling. (Coaxial cabling was originally used.) - most often deployed on star or bus topologies. - based on the IEEE 802.3 standard. - Individual units of Ethernet data are called frames. - Fast Ethernet supports 100 Mbps throughput. - Gigabit Ethernet supports 1,000 Mbps (1 Gbps) throughput. - 10 Gigabit Ethernet supports 10,000 Mbps (10 Gbps) throughput.
Spoofing
a technique intruders use to make their network or internet transmission appear legitimate to a victim computer or network. - falsifying information, which includes falsifying the relationship between a URL and its trusted and original destination.
Encapsulation/Deencapsulation in OSI model
addition of a header, and possibly a footer, to the data received by each layer from the layer above before it's handed off to the layer below. - Encapsulation occurs as the data moves down through the OSI model layers from Application to Physical. - The inverse action occurring as data moves up through the OSI model layers from Physical to Application is known as deencapsulation. - encapsulation/deencapsulation process is as follows: 1. The Application layer creates a message. 2. The Application layer passes the message to the Presentation layer. 3. The Presentation layer encapsulates the message by adding information to it. Information is usually added only at the beginning of the message (called a header); however, some layers also add material at the end of the message (called a footer), as shown in Figure. 4. The process of passing the message down and adding layer-specific information continues until the message reaches the Physical layer. 5. At the Physical layer, the message is converted into electrical impulses that represent bits and is transmitted over the physical connection. 6. The receiving computer captures the bits from the physical connection and re-creates the message in the Physical layer. 7. The Physical layer converts the message from bits into a Data Link frame and sends the message up to the Data Link layer. 8. The Data Link layer strips its information and sends the message up to the Network layer. 9. This process of deencapsulation is performed until the message reaches the Application layer. 10. When the message reaches the Application layer, the data in the message is sent to the intended software recipient.
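The encapsulation steps above carried out on real bytes, as an added example (not from the original notes): an application message is wrapped in a UDP header, then an IPv4 header, then an Ethernet header, and the receiver peels the layers back off, checking each layer's fields before handing the remainder up. The addresses, ports, MACs and payload are constructed; the header layouts are the standard ones.

```python
"""Encapsulation and deencapsulation in bytes: Transport (UDP) -> Network (IPv4)
-> Data Link (Ethernet) on the way down, the reverse on the way up. Added example,
not from the original notes; addresses, ports and payload are constructed."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, sport: int, dport: int,
                src_mac: str, dst_mac: str) -> bytes:
    """Each layer prepends its own header to what it received from the layer above."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(udp),     # version/IHL, DSCP/ECN, total length
                         0x1234, 0,                  # identification, flags/fragment offset
                         64, IPPROTO_UDP, 0,         # TTL, protocol, checksum placeholder
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp


def deencapsulate(frame: bytes) -> dict:
    """Strip the headers in the opposite order; raise ValueError if a layer rejects."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:       # a valid header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP:             # protocol field: 17 = UDP, 6 = TCP
        raise ValueError("unexpected protocol %d" % packet[9])
    segment = packet[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_ip": str(ipaddress.ip_address(packet[12:16])),
        "dst_ip": str(ipaddress.ip_address(packet[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": segment[8:ulen],
    }


def frame_is_intact(frame: bytes) -> bool:
    """True if the frame deencapsulates cleanly, False if any layer rejects it."""
    try:
        deencapsulate(frame)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    frame = encapsulate(b"hello", "10.0.0.7", "10.0.0.53", 40000, 53,
                        "02:00:00:00:00:07", "02:00:00:00:00:53")
    print(len(frame), deencapsulate(frame))
    damaged = frame[:22] + bytes([frame[22] ^ 0x01]) + frame[23:]   # flip a bit in the TTL
    print(frame_is_intact(frame), frame_is_intact(damaged))
```

Note what each layer's check does and does not give you: the IP header checksum catches accidental corruption of the header only, and anyone who alters the packet can recompute it, so it provides no protection against deliberate modification.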
Plan Remote Access Security
address the following issues: 1. Remote Connectivity Technology 2. Transmission Protection 3. Authentication Protection 4. Remote User Assistance
postadmission philosophy of NAC
allows and denies access based on user activity, which is based on a predefined authorization matrix.
How to check if you are using NAT?
at least three ways to tell: 1. Check your client's IP address. If it is one of the RFC 1918 addresses and you are still able to interact with the Internet, then you are on a NATed network. 2. Check the configuration of your proxy, router, firewall, modem, or gateway device to see whether NAT is configured. (This action requires authority and access to the networking device.) 3. If your client's IP address is not an RFC 1918 address, then compare your address to what the Internet thinks your address is. You can do this by visiting any of the IP-checking websites; a popular one is http://whatismyipaddress.com . If your client's IP address and the address that What Is My IP Address claims is your address are different, then you are working from a NATed network.
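Checks 1 and 3 written as code, as an added example (not from the original notes): classify the client's address as RFC 1918 private, APIPA link-local, loopback or public, then decide about NAT by comparing it with the address the Internet reports. The "observed public address" argument stands in for what an IP-checking site would return; all addresses in the demo are constructed. The classifier is deliberately explicit about the three RFC 1918 blocks because the 172.16.0.0/12 range is the one most often misjudged by eye.

```python
"""Classify an IPv4 address and apply the "am I behind NAT?" checks. Added
example, not from the original notes; the addresses used are constructed."""
import ipaddress
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify(addr: str) -> str:
    """Return 'loopback', 'apipa', 'rfc1918' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if ip in APIPA:
        return "apipa"           # self-assigned: DHCP failed, worth investigating
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def behind_nat(client_addr: str, observed_public_addr: str) -> Optional[bool]:
    """Check 1 and check 3 from the notes.

    True  -> NAT is in use, False -> it is not, None -> the client address cannot
    reach the Internet at all (APIPA or loopback), so the comparison is meaningless.
    observed_public_addr is whatever an external IP-checking service reported."""
    kind = classify(client_addr)
    if kind == "rfc1918":
        return True   # a private address that talks to the Internet must be translated
    if kind == "public":
        return ipaddress.ip_address(client_addr) != ipaddress.ip_address(observed_public_addr)
    return None


if __name__ == "__main__":
    for local in ("192.168.1.20", "172.31.4.9", "172.32.0.1", "169.254.7.7", "198.51.100.4"):
        print(local, classify(local), behind_nat(local, "203.0.113.5"))
```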
Modification Attacks
captured packets are altered and then played against a system. - designed to bypass the restrictions of improved authentication mechanisms and session sequencing. - Countermeasures: digital signature verification and packet checksum verification. A plain checksum only detects accidental corruption; an attacker who alters a packet can simply recompute it, so stopping deliberate modification needs a keyed integrity check (a MAC or a digital signature) that also covers the sequence number.
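The attack and the countermeasure side by side, as an added example (not from the original notes): a captured packet's payload is altered and its CRC recomputed, which the checksum accepts; the same alteration against a packet protected by an HMAC over the sequence number and payload is rejected, and replaying the unaltered packet is rejected by the sequence check. The session key, sequence numbers and messages are constructed.

```python
"""Modification attack versus checksum-only and MAC-protected packets. Added
example, not from the original notes; key, sequence numbers and messages are
constructed."""
import hashlib
import hmac
import struct
import zlib
from typing import List

KEY = b"constructed-shared-session-key"
TAG_LEN = 32  # SHA-256 output length


def crc_seal(seq: int, payload: bytes) -> bytes:
    """Sequence number + payload, protected only by a CRC-32 checksum."""
    body = struct.pack("!I", seq) + payload
    return body + struct.pack("!I", zlib.crc32(body))


def crc_check(packet: bytes) -> bool:
    body, crc = packet[:-4], struct.unpack("!I", packet[-4:])[0]
    return zlib.crc32(body) == crc


def mac_seal(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Same layout, but the tag is an HMAC-SHA256 over sequence + payload."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def attacker_modify(packet: bytes, new_payload: bytes, tag_len: int) -> bytes:
    """Alter a captured packet: keep its sequence number, swap the payload.
    A CRC needs no secret, so the attacker recomputes it; the MAC cannot be
    recomputed without the key, so the old tag is left in place."""
    body = packet[:4] + new_payload
    if tag_len == 4:
        return body + struct.pack("!I", zlib.crc32(body))
    return body + packet[-tag_len:]


class MacReceiver:
    """Verify the MAC first, then require strictly increasing sequence numbers
    so that a captured packet cannot be replayed either."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, packet: bytes) -> str:
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return "rejected: bad MAC"
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.last_seq:
            return "rejected: replayed sequence %d" % seq
        self.last_seq = seq
        return "accepted: " + body[4:].decode()


def exchange(packets: List[bytes]) -> List[str]:
    """Feed packets to a fresh receiver and collect its verdicts."""
    rx = MacReceiver()
    return [rx.accept(p) for p in packets]


if __name__ == "__main__":
    original = b"TRANSFER 100 TO alice"
    forged = b"TRANSFER 100 TO mallory"
    print(crc_check(attacker_modify(crc_seal(7, original), forged, 4)))   # True: CRC is fooled
    good = mac_seal(7, original)
    print(exchange([good, attacker_modify(good, forged, TAG_LEN), good]))
```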
Covert channels in multilayer protocol
covert channel communication mechanisms use encapsulation to hide or isolate an unauthorized protocol inside another authorized one. - For example, if a network blocks the use of FTP but allows HTTP, then tools such as HTTP Tunnel can be used to bypass this restriction. - This could result in an encapsulation structure such as this: [ Ethernet [ IP [ TCP [ HTTP [ FTP ] ] ] ]
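What an application-layer inspection point can do about the [HTTP [FTP]] case above, as an added example (not from the original notes): split a request into request line, headers and body, and look for FTP control commands in the body. The two requests are constructed, and the command list is a heuristic for plaintext tunnels only; a tunnel that encodes or encrypts its inner protocol needs a proxy that enforces HTTP semantics rather than a content match.

```python
"""Detect an FTP control session carried inside an HTTP request body. Added
example, not from the original notes; requests and command list are constructed."""
import re
from typing import List, Tuple

FTP_COMMANDS = {"USER", "PASS", "CWD", "PWD", "LIST", "RETR", "STOR",
                "PORT", "PASV", "TYPE", "QUIT"}
COMMAND_RE = re.compile(r"^([A-Z]{3,4})(?:\s|$)")   # FTP verbs are 3-4 upper-case letters


def split_http(raw: bytes) -> Tuple[str, List[str], bytes]:
    """Return (request line, header lines, body) of a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    return lines[0], lines[1:], body


def ftp_commands_in_body(body: bytes) -> List[str]:
    """FTP verbs found at the start of body lines, in order of appearance."""
    found = []
    for line in body.decode("ascii", "replace").splitlines():
        m = COMMAND_RE.match(line.strip())
        if m and m.group(1) in FTP_COMMANDS:
            found.append(m.group(1))
    return found


def inspect(raw: bytes, min_hits: int = 2) -> dict:
    """Flag a request whose body carries at least min_hits FTP commands."""
    request_line, _headers, body = split_http(raw)
    hits = ftp_commands_in_body(body)
    return {"request": request_line, "ftp_commands": hits,
            "tunnel_suspected": len(hits) >= min_hits}


# Constructed sample traffic: an ordinary form post and a tunneled FTP login.
NORMAL = (b"POST /save HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"name=alice&action=save")
TUNNELED = (b"POST /tunnel HTTP/1.1\r\nHost: proxy.example\r\n"
            b"Content-Type: application/octet-stream\r\n\r\n"
            b"USER anonymous\r\nPASS guest@example\r\nCWD pub\r\nRETR secrets.txt\r\n")

if __name__ == "__main__":
    for raw in (NORMAL, TUNNELED):
        print(inspect(raw))
```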
Segment (TCP Protocol) or Datagram (UDP Protocol)
data stream that reaches the Transport Layer (layer 4).
Acceptable use policies for emails
define what activities can and cannot be performed over an organization's email infrastructure.
International Telecommunications Union-Radio communications sector (ITU-R)
defined the requirements for 4G in 2008
ISO 7498
defines the OSI Reference Model
Security guideline or a firewall guideline
deny by default; allow by exception
Mesh Topology
every computer connects to every other computer; no central connecting device is needed. - A full mesh topology: connects each system to all other systems on the network. - A partial mesh topology: connects many systems to many other systems. - provide redundant connections to systems, allowing multiple segment failures without seriously affecting connectivity.
Transmission logging
form of auditing focused on communications. - records the particulars about source, destination, time stamps, identification codes, transmission status, number of packets, size of message, etc.
network device (or service) that works at the Application layer
gateway: - it is a specific type of component. - It serves as a protocol translation tool. For example, an IP-to-IPX gateway takes inbound communications from TCP/IP and translates them over to IPX/SPX for outbound transmission. - Application layer firewalls also operate at this layer. - Other networking devices or filtering software may observe or modify traffic at this layer.
Coaxial cable (coax)
has a center core of copper wire surrounded by a layer of insulation, which is in turn surrounded by a conductive braided shielding and encased in a final insulation sheath. - The center copper core and the braided shielding layer act as two independent conductors, thus allowing two-way communications over a coaxial cable. - The design of coaxial cable makes it fairly resistant to electromagnetic interference (EMI) and makes it able to support high bandwidths (in comparison to other technologies of the time period), and it offers longer usable lengths than twisted-pair. - It ultimately failed to retain its place as the popular networking cable technology because of twisted-pair's much lower cost and ease of installation.
Network Access Control (NAC)
is a concept of controlling access to an environment through strict adherence to and implementation of security policy. - goals of NAC: 1. Prevent/reduce zero-day attacks 2. Enforce security policy throughout the network 3. Use identities to perform access control - goals of NAC can be achieved through the use of strong detailed security policies that define all aspects of security control, filtering, prevention, detection, and response for every device from client to server and for every internal or external communication. - NAC acts as an automated detection and response system that can react in real time to stop threats as they occur and before they cause damage or a breach. - Issues with NAC: client/system agent versus overall network monitoring (agent-less); out-of-band versus in-band monitoring; and resolving any remediation, quarantine, or captive portal strategies
DomainKeys Identified Mail (DKIM)
is a means to assert that valid mail is sent by an organization through verification of domain name identity. - the sending mail server adds a digital signature (the DKIM-Signature header) over selected headers and the message body; the receiving server fetches the domain's public key from a DNS TXT record and verifies the signature. - a valid signature shows the message was signed by the claimed domain and not altered since; it does not by itself prove the visible sender address is legitimate or that the content is not spam.
Callback
is a mechanism that disconnects a remote user upon initial contact and then immediately attempts to reconnect to them using a predefined phone number (i.e. the number defined in the user account's security database), so a caller who has only stolen a password cannot connect from an arbitrary location. - does have a user-defined mode, in which the caller supplies the number to be called back. However, this mode is not used for security; it is used to reverse toll charges to the company rather than charging the remote client.
SSID (Service Set Identifier)
is typically misused to indicate the name of a wireless network. - there are two types of SSIDs, 1. extended service set identifier (ESSID) : - An ESSID is the name of a wireless network when a wireless base station or WAP is used (i.e., infrastructure mode). 2. basic service set identifier (BSSID). - name of a wireless network when in ad hoc or peer-to-peer mode (i.e., when a base station or WAP is not used). However, when operating in infrastructure mode, the BSSID is the MAC address of the base station hosting the ESSID in order to differentiate multiple base stations supporting a single extended wireless network.
IP address is temporary because
it is a logical address and could be changed at any time, either by DHCP or by an administrator. However, there are instances where systems are statically assigned an IP address. Likewise, computer names or DNS names might appear permanent, but they are logical and thus able to be modified by an administrator.
why a bus topology is not used anymore?
it must be terminated at both ends and any disconnection can take down the entire network.
types of bus topologies
linear and tree. - A linear bus topology employs a single trunk line with all systems directly connected to it. - A tree topology employs a single trunk line with branches that can support multiple systems.
Wide Area Network (WAN)
long distance connections between geographically remote networks.
port address translation (PAT) or overloaded NAT
maps one internal IP address to an external IP address and port number combination. Thus, PAT can theoretically support 65,536 (2^16) simultaneous communications from internal clients over a single external leased IP address; in practice fewer, since the low well-known ports are normally not handed out for translations. - employs multiplexing techniques in which port numbers are used to allow the traffic from multiple internal clients to be managed on a single leased public IP address. - multiplexing form of NAT
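The translation table behind PAT, as an added example (not from the original notes): each outbound (internal address, port) pair is assigned its own external port on the single public address, replies are mapped back through the reverse table, unsolicited inbound traffic has no entry and is dropped, and the flow count is bounded by the port pool. The public address, port range and client hosts are constructed; the pool is kept tiny so the exhaustion case is visible.

```python
"""Port address translation table: many internal endpoints multiplexed on one
public address. Added example, not from the original notes; the public address,
port range and clients are constructed."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class PortAddressTranslator:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))
        self.outbound: Dict[Endpoint, int] = {}   # (internal ip, port) -> external port
        self.inbound: Dict[int, Endpoint] = {}    # external port -> (internal ip, port)

    def translate_out(self, src: Endpoint) -> Optional[Endpoint]:
        """Rewrite an outbound packet's source; None means the port pool is exhausted."""
        if src not in self.outbound:
            if not self.free_ports:
                return None
            port = self.free_ports.pop(0)
            self.outbound[src] = port
            self.inbound[port] = src
        return (self.public_ip, self.outbound[src])

    def translate_in(self, dst_port: int) -> Optional[Endpoint]:
        """Map a reply arriving at the public address back to the internal host;
        unsolicited inbound traffic has no table entry and is dropped (None)."""
        return self.inbound.get(dst_port)

    def release(self, src: Endpoint) -> None:
        """Flow ended (or timed out): return its external port to the pool."""
        port = self.outbound.pop(src, None)
        if port is not None:
            del self.inbound[port]
            self.free_ports.append(port)


def session_demo() -> dict:
    """Walk through allocation, reverse lookup, exhaustion and release."""
    pat = PortAddressTranslator("203.0.113.1", first_port=5000, last_port=5001)  # two-port pool
    a = pat.translate_out(("10.0.0.2", 40000))
    b = pat.translate_out(("10.0.0.3", 40000))        # same internal port, different host
    again = pat.translate_out(("10.0.0.2", 40000))    # existing flow keeps its port
    exhausted = pat.translate_out(("10.0.0.4", 40000))
    reply = pat.translate_in(b[1])                    # reply to client b's external port
    stray = pat.translate_in(9999)                    # nobody asked for this
    pat.release(("10.0.0.2", 40000))
    after_release = pat.translate_out(("10.0.0.4", 40000))
    return {"a": a, "b": b, "again": again, "exhausted": exhausted,
            "reply": reply, "stray": stray, "after_release": after_release}


if __name__ == "__main__":
    for name, value in session_demo().items():
        print(name, value)
```

The reverse table is also why a host behind PAT cannot be reached from outside unless a mapping already exists: the "stray" lookup returns nothing, which is the incidental filtering effect that is often credited to NAT.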
infrastructure mode
means that a wireless access point is required, wireless NICs on systems can't interact directly, and the restrictions of the wireless access point for wireless network access are enforced.
ad hoc mode
means that any two wireless networking devices, including two wireless network interface cards (NICs), can communicate without a centralized control authority.
Frequency
measurement of the number of wave oscillations within a specific time and identified using the unit Hertz (Hz), or oscillations per second.
proxy
mechanism that copies packets from one network into another; the copy process also changes the source and destination addresses to protect the identity of the internal or private network.
MIN
mobile identification numbers
enterprise extended mode infrastructure
occurs when multiple wireless access points (WAPs) are used to connect a large physical area to the same wired network. Each wireless access point will use the same extended service set identifier (ESSID) so clients can roam the area while maintaining network connectivity, even while their wireless NICs change associations from one wireless access point to another.
wired extension mode infrastructure
occurs when the wireless access point acts as a connection point to link the wireless clients to the wired network.
stand-alone mode infrastructure
occurs when there is a wireless access point connecting wireless clients to each other but not to any wired resources. The wireless access point serves as a wireless hub exclusively.
Spamming
simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something. - Sending unwanted, inappropriate, or irrelevant messages
Firewall Deployment Architectures types
single tier, two tier, and three tier (also known as multitier)
Impersonation vs Spoofing
spoofing: an entity puts forth a false identity but without any proof (such as falsely using an IP address, MAC addresses, email address, system name, domain name, etc.). Impersonation: possible through the capture of usernames and passwords or of session setup procedures for network services.
types of infrastructure mode
stand-alone, wired extension, enterprise extended, and bridge.
broadband technology
technology that offers users a continuous connection to the internet and allows them to send and receive mammoth files that include voice, video, and data much faster than ever before. - can support multiple simultaneous signals. - uses frequency modulation to support numerous channels, each supporting a distinct communication session. - it is suitable for high throughput rates, especially when several channels are multiplexed. - a form of analog signal. - Cable television and cable modems, ISDN, DSL, T1, and T3 are examples of broadband technologies.
network topology
the layout of the computers and devices in a communications network. - Refers to the geometric arrangement (the actual physical organization of the computers and other network devices) in a network
Types of Coaxial Cables
thinnet and thicknet
Centralized remote authentication services
to add layers of security between remote clients and the private network. - such as RADIUS and TACACS+ - provide a separation of the authentication and authorization processes for remote clients from those performed for LAN or local clients. The separation is important for security because if the RADIUS or TACACS+ servers are ever compromised, then only remote connectivity is affected, not the rest of the network.
Satellite connections
use dishes similar to those that provide television channels. - may offer high-speed solutions even in locales that are inaccessible by cable-based, radio-wave-based, and line-of-sight-based communications. - Satellites are usually considered insecure because of their large surface footprint: Communications over a satellite can be intercepted by anyone within the coverage area who has a receiver. - But if you have strong encryption, satellite communications can be reasonably secured.
VLAN Management
use of VLANs to control traffic for security or performance reasons.
Multimedia Collaboration
use of various multimedia supporting communication solutions to enhance distance collaboration.
how to prevent Impersonation or masquerading
using one-time pads and token authentication systems, using Kerberos, and using encryption to increase the difficulty of extracting authentication credentials from network traffic.
NAT vs PAT
with NAT, you must lease as many public IP addresses as you want to have for simultaneous communications, while with PAT you can lease fewer IP addresses and obtain a reasonable 100:1 ratio of internal clients to external leased IP addresses.
Bridge Routers (Brouters)
works primarily in layer 3 but in layer 2 when necessary, is a device that attempts to route first, but if that fails, it defaults to bridging. - are combination devices comprising a router and a bridge. - Systems on either side of a brouter operating at layer 3 are part of different broadcast domains and different collision domains. - Systems on either side of a brouter operating at layer 2 are part of the same broadcast domain but are in different collision domains. - used to connect network segments that use the same protocol.