Network+ (Messer)
arp (Address resolution protocol) (Command Line Tools)
• Determines a MAC address based on an IP address
  -You need the hardware address to communicate
GBIC - Gigabit Interface Converter (Network Transceivers)
• Gigabit Interface Converter (GBIC) was one of the earlier transceiver standards
  -Usually connected with an SC connector on the GBIC itself
• Commonly used on gigabit networks and Fibre Channel networks
  -Copper and fiber support
• Relatively large compared to some of the newer styles of transceivers
  -Effectively replaced by Small Form-factor Pluggables (SFPs)
Absorption (Wireless Network Troubleshooting)
• If a wireless signal isn't reflecting off of an object, it may be absorbed by the object
  -The wireless signal passes through the object and loses some signal strength on the way through
  -This can be a problem as the wireless signal goes through walls or windows; there is less signal on the other side
• Different objects absorb differently as the frequency changes
  -You may find 2.4 GHz has a very different absorption rate than 5 GHz
• This is one of the reasons we put wireless antennas on the ceiling
  -That way the wireless signal can reach the user(s) without going through, or being absorbed by, other objects
  -Avoids going through walls
More bit, more address (Binary Math)
• If there are fewer bits available for a calculation, then there are fewer representations of that value
  -e.g. 2 bits = 0 through 3
    00 = 0
    01 = 1
    10 = 2
    11 = 3
  -3 bits = 0 through 7
  -4 bits = 0 through 15
  -5 bits = 0 through 31
  -6 bits = 0 through 63
  -7 bits = 0 through 127
  -8 bits = 0 through 255
• The number of binary bits available determines the range of the decimal equivalent
Ethernet cross-over cables (Copper Termination Standards)
• If you need to connect like devices to each other, you would not use a straight-through cable
• A crossover cable is used to connect a workstation to a workstation, or a switch to a switch
  -Connect MDI to MDI (workstation to workstation)
  -Connect MDI-X to MDI-X (switch to switch)
• Pin-outs on a crossover cable are quite different from a straight-through cable
  -Pins change from one end to the other
• If you are connecting like equipment to each other, you may not need to perform the crossover inside the cable
  -The crossover can be done inside the device being used
  -This is called Auto-MDI-X and is available on most modern Ethernet devices
  -The device examines the incoming signal and automatically determines whether it should act as a straight-through or as a crossover
• You'll notice with a crossover cable that one side is not 568A and the other side 568B
  -Ethernet crossover does not deal with the 568A or 568B standards
  -Ethernet crossover is specific to the way Ethernet devices connect to each other
  -It is not related to a termination standard
Gigabit Ethernet over fiber (Ethernet Standards)
• If you need to run Ethernet past the 100 meter limitation for copper cabling, you'll probably want to connect equipment using fiber
  -There are Gigabit Ethernet standards for fiber optics
• The 1000BASE-SX standard is Gigabit Ethernet running at 1000 megabits per second using a Near Infrared (NIR) light wavelength
  -Usually runs over multi-mode fiber as its physical medium
  -The Ethernet connection can extend from 220 meters to 500 meters, depending on fiber type
• The 1000BASE-LX standard is Gigabit Ethernet using a long-wavelength laser for much longer Ethernet connections
  -1000BASE-LX can extend up to 550 meters over MMF
  -1000BASE-LX can extend up to 5 kilometers over SMF
Wireless survey tools (Wireless Network Technologies)
• If you're doing any type of wireless communication on your network, you may need some way to perform a survey
• Signal coverage
  -You may need to walk around with a mobile device to understand the wireless characteristics in the area
• Potential interference
  -Walking around can uncover spots of interference from other access points or wireless devices
• Built-in tools are available in the OS
• 3rd-party tools may provide some additional insight
• A spectrum analyzer gives you a precise view of what's going on at every frequency of the 802.11 wireless range
  -Shows you details of every frequency
Troubleshooting interfaces (Wired Network Troubleshooting)
• If you're having problems with the cable or fiber and you think there's an issue at the physical layer, you'll see errors appear on the interface connected to that cable
  -This may indicate a bad cable or a hardware problem
  -For example, you can look at the interface and see if there are any frame check sequence (FCS) errors, oversized packets, or late collisions
  -These might indicate that something is happening at the physical layer
• You might also look at the Ethernet adapter configurations on both sides of the connection and make sure the speed and duplex match
  -If you're not communicating at all, also check the VLAN and make sure both devices are configured on the same VLAN
• Verify two-way traffic
  -It's very common to send traffic back and forth between the devices to see if any of these physical-level errors increase as more traffic is sent over the connection
AAA framework (Authorization, Authentication, and Accounting)
• If you're logging into the network, connecting to a VPN, or gaining access to the command line of a switch, you're probably using an AAA framework
  -Authentication
  -Authorization
  -Accounting
• The first step in using the AAA framework is to identify yourself
  -Identification
  -We usually use a username to do this
  -Make sure you are who you claim to be
• We then need to provide some other type of authentication, some way we can really prove we are who we say we are
  -Authentication
  -Prove you are who you say you are
  -Usually a password and other authentication factors
• Once the authentication process is approved, you have authorization to the resources appropriate for your username
  -Authorization
  -If you log in as an administrator, you'll have different authorization than someone who logs in with a guest account
• With the last A, accounting, all of this information is tracked
  -Accounting
  -We know when you logged in, what data was sent back and forth, which resources you accessed, and when you logged out
100 megabit Ethernet over copper (Ethernet Standards)
• If you're running 100 megabit Ethernet over twisted pair cables, then you are using 100BASE-TX
  -Also referred to as "Fast Ethernet"
  -Uses Category 5 or better twisted pair copper
  -Uses two of the pairs to communicate
  -Maximum cable run is 100 meters
Troubleshooting pin-outs (Wired Network Troubleshooting)
• If you crimp your own RJ45 connectors onto your Ethernet cables, you know it's very easy to switch wires around and end up with incorrect pin-outs
  -When you plug in the cable, you may find you're not able to run at the speeds you expected, or there may be no communication at all
  -Test your cables prior to implementation
• It can also be difficult to visually inspect the wire to see if you really did punch things down in the correct order
  -That's why it may be useful to get a cable tester/mapping device: plug in both ends of the cable and see exactly the pin-outs between one side and the other
• If you haven't run a lot of cable or performed a lot of network terminations
  -You may want to bring in an expert who can efficiently install your network infrastructure
  -Cable installation is an art
Unresponsive service (Network Service Troubleshooting)
• If you're trying to communicate with a server and not getting any response, and you know the problem isn't related to a filter or an ACL, there may be a service that's simply not responding to your request
• Check that you're accessing the service over the correct UDP or TCP port number
  -If it's different, you need to make that change in your application
• Confirm that the device itself is up and running
  -Run a ping or a traceroute to the device and make sure you can communicate with that server successfully
• If you can communicate with the server, try telnetting to that particular port number and see if the application talks back to you
  -If the application isn't responding
  -You may need to restart the application or restart the server where it runs
Loopback plug (Hardware Tools)
• If you're troubleshooting a network connection, you may need to loop the signal coming out of a device back into the same device
  -This lets the device send test signals and see exactly what type of signals it receives
  -The way we loop this back is with a loopback plug
  -This allows us to test WAN connections, Ethernet connections, and anything else that needs to send traffic out and loop it back to itself
  -Useful for testing physical ports or fooling your applications
• It's common to see loopback plugs used with serial connections or WAN connections
  -These could be RS-232, either 9-pin or 25-pin
• They might be network connections for Ethernet or a T1 connection
  -There are even fiber loopbacks you can use with fiber connections
• It's important to note that this is not a crossover cable
  -Crossover cables connect like devices to each other
  -The loopback plug has only a single plug
  -You can see the wires come out of the plug and go back in to loop the signal back to itself
NIC teaming (Availability Concepts)
• If you're trying to provide high availability for servers, look at NIC teaming
  -Network Interface Card teaming
• Often called Load Balancing / Fail Over (LBFO)
  -Provides bandwidth aggregation because multiple network connections are in use, but you also have redundant paths
  -If one path disappears, there is still a way to communicate out of that server
  -This becomes more important in the virtual world
• From a practical perspective, multiple interface cards are teamed together in the OS
  -To the OS it looks like a single network interface card, but there are really multiple, usually redundant, paths out of the server, so if any one of them disappears there is still connectivity
  -Integrates with switches
• The network interface cards constantly communicate with each other, usually across the network
  -They use multicast (not broadcast) to perform health checks of the other network interface cards in that server
  -If a network interface card doesn't respond to these health checks, it's taken out of service, and the remaining network interface cards continue to provide connectivity
Expired IP addresses (Network Service Troubleshooting)
• If you're using DHCP on your network, most devices will renew their IP address halfway through the lease time
  -If you find that the DHCP-assigned IP address of a device is expiring, this may indicate a problem with the DHCP server
• If a DHCP server is not available to renew the IP address, the client releases that IP address at the end of the DHCP lease
  -An APIPA address is then assigned to the client
  -The client will check occasionally for a DHCP server
• If an IP address starts with 169.254, the device has an automatic IP address assignment and was not able to obtain a DHCP-assigned address
• Your first place to look is the DHCP server
  -Make sure you have addresses available in the pool and that the DHCP server is working normally
Taking snapshots (Backup and Recovery)
• If you're working in the virtual world, there are other options for providing backup and recovery
  -When working with cloud-based systems, virtualized environments are constantly being built and torn down
  -The cloud is always in motion
  -Application instances are constantly built and torn down
• You can take a snapshot of a system, which saves the configuration and/or the data at a point in time
  -Preserves the complete state of a device, or just the configuration
• If there is a need to go back to a particular point in time, simply restore that snapshot and you'll have exactly the configuration from that point in time
  -You can fall back to a previous snapshot
• This also lets you roll back to a known good configuration while keeping the data in place, changing only the configuration of the cloud-based system to an earlier point in time
  -Can roll back to a known configuration
  -This doesn't modify the data, but you can use a previous configuration
• You can also boot a completely new system and restore the snapshot to another device, providing another option for recovery
  -You can boot a completely new system using live boot media
  -You can run the operating system from removable media
Tone Generator / Probe (Hardware Tools)
• If you've been working with a patch panel or a large number of wires coming into a room, and you're trying to determine where the other end of a particular wire is, you'll want to use a tone generator
• The tone generator puts an analog tone on the wire
• Then we use a separate inductive probe to find where the other end of the wire is
  -We don't have to break the wire open or touch any copper
  -The inductive probe lets us do this without changing anything on the wire
  -The tone can be heard through a small speaker
Exhausted DHCP scope (Network Service Troubleshooting)
• If you've ever managed a DHCP server, you know you create a pool with a certain number of available IP addresses
  -But what if you run out of addresses? In that situation, devices are not able to get an IP address from the DHCP server and assign themselves an APIPA address
  -Local subnet communication only
• If you find devices assigning themselves an APIPA address instead of receiving a DHCP address, check your DHCP server and make sure you have enough IP addresses available
  -If possible, add additional IP addresses to the pool
• Exhausting a DHCP scope can sneak up on you, so you may want to implement IP address management (IPAM)
  -This lets you monitor and get notifications if your DHCP pool gets low
• If you have a lot of transient users that move in and out of the network every day, you might want to lower your lease time
  -This releases IP addresses faster and provides a larger pool for other users that need them
Rogue access points (Rogue Access Points)
• Imagine if someone could simply connect to your network without needing any special authentication
  -Imagine if they could do that while sitting in your parking lot
  -That's one of the challenges you have when there may be rogue access points on your network
  -This is a significant potential backdoor and a huge security concern
• It's very easy for someone to simply plug in one of these access points
  -They're relatively inexpensive and easy to configure and turn on, or wireless sharing can simply be enabled in the OS
  -It only takes a few minutes to plug into your network, and suddenly your network is accessible to everyone
• If you administer a wireless network, you might want to schedule a periodic survey
  -Walk around your facility to make sure nobody has plugged in an access point without permission
  -3rd-party tools such as a WiFi Pineapple can help identify where wireless communication is coming from
• Another important mitigation step is to configure 802.1X on all of your network devices
  -This is Network Access Control, and it requires authentication for everyone who wants to use any resources on the network
• Enable port security and limit MAC addresses per port
Trunking between switches (Network Segmentation)
• In a well-segmented network, multiple VLANs can exist across multiple switches
• Devices communicate with other devices on the same VLAN located on different switches across 802.1Q trunks
Broadcast (Unicasts, Broadcasts, and Multicasts)
• Information is sent from one device to every device at once
  -One packet is sent and it is received by every device on the local network
• The scope is limited to the broadcast domain
  -This limits the number of devices that receive a broadcast sent onto a local subnet
• Commonly used for routing updates or, with IPv4, for ARP requests
• IPv6 was designed not to use broadcasts
  -It uses multicast instead
Link-state routing protocols (Dynamic Routing Protocols)
• Information passed between routers relates to the current connectivity
  -Less concerned about the number of hops and more concerned about the quality of the connection between the two devices
  -If the link is up, you can get there; if not, you can't
• Also considers the speed of the link
  -A faster connection is preferred over sending data across a slower bandwidth connection
• Very scalable
  -Used most often in large networks
• One example is OSPF
  -Used in the largest networks in the world
  -A scalable routing protocol that provides dynamic routing updates
Assigning IPv6 Addresses (IPv6 Subnet Masks)
• Internet Assigned Numbers Authority (IANA) provides address blocks to RIRs (Regional Internet Registries)
• RIRs then assign smaller subnet blocks of IPv6 addresses to ISPs (Internet Service Providers)
• An ISP then assigns an IPv6 address with a /48 subnet to the customer (end user)
  -You'll be able to subnet it further from there
• It starts with IANA, which gives out ranges of IPv6 addresses to the different regional Internet registries
• e.g.
  -The ISP provided the following IP: 2A00:DDDD:1111/48
  -Many IPv6 addresses can be built from the IP provided
• We build an IPv6 address from the above: 2600:DDDD:1111:0001:0000:0000:0000:0001
• The first part of the IP address (2600:DDDD:1111) was provided by IANA/RIR/ISP
  -Also considered the Global Routing Prefix, which is 48 bits
• 0001 is locally assigned by us (the network admin)
  -Subnet is 16 bits
  -This allows us to build out networks 2600:DDDD:1111:0001, 0002, 0003, 0004, and so on
• 0000:0000:0000:0001, the remaining bits, are the host ID
  -Host is 64 bits
• 16 subnet bits allow us to subnet out 65,536 total subnets
• With 64 bits left in the host ID
  -2⁶⁴ hosts, about 18 million trillion hosts per subnet
• The first half of the IPv6 address (first 64 bits) is the prefix, or the network address
• The second half of the IPv6 address (second 64 bits) is the host ID
• To write out the subnet address:
  -Full notation: 2600:DDDD:1111:0001:0000:0000:0000:0000
  -Abbreviated (compressed) notation: 2600:DDDD:1111:1::/64
ICMP (Introduction to IP)
• Internet Control Message Protocol
  -Think of this as "text messaging" for network devices
• Another protocol carried by IP
  -Not used for data transfer
• Devices can send and reply to administrative requests to check whether a machine is operating
• Devices use ICMP to send messages when things don't go well
  -Such as: the network you're trying to reach is not reachable from here
  -Can let you know that the time-to-live expired
Resolving network bottleneck (Wired Network Troubleshooting)
• It also helps to know what the normal type of communication should be
  -If you know there shouldn't be more than 100 milliseconds of delay in your database communication and you notice you're suddenly getting 500 to 600 milliseconds of delay, you know the problem is somewhere in that particular communication
  -By resolving that bottleneck, the overall performance of the application improves
IPv6 addresses - Internet Protocol version 6 (IPv4 and IPv6 Addressing)
• A 128-bit address
  -An update to IPv4
  -One major difference between an IPv4 address and an IPv6 address is the total length
• 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (340 undecillion) can be created
  -6.8 billion people could have 5,000,000,000,000,000,000,000,000,000 addresses each
  -More scalable than IPv4
• Example IPv6 address: fe80:0000:0000:0000:5d18:0652:cffd:8f52
    fe80 : 1111111010000000
    0000 : 0000000000000000
    0000 : 0000000000000000
    0000 : 0000000000000000
    5d18 : 0101110100011000
    0652 : 0000011001010010
    cffd : 1100111111111101
    8f52 : 1000111101010010
• fe80 = 1111111010000000 = 2 octets
  -2 octets = 16 bits = 2 bytes
  -All combined = 128 bits = 16 bytes
• In IPv6, DNS becomes much more important so that you can reference devices by name rather than having to remember an IP address
NAT (Network Address Translation) (Network Address Translation)
• It is estimated that there are over 20 billion devices connected to the Internet (and growing)
  -IPv4 supports around 4.29 billion addresses
• The IPv4 address space is exhausted
  -There are no available addresses to assign to different organizations
• How would it all work given these restrictions on IP addresses?
  -One of the ways is Network Address Translation
• This isn't the only use of NAT
  -But it's one of the major uses of Network Address Translation in today's networks
Security incidents policies (Policies and Best Practices)
• It is important for the organization to have a set of policies and procedures for when a security incident occurs
  -For example, if someone receives an email with an attachment, clicks on it, and installs malware, there need to be policies on how to handle that
• What if it's something broader, like a distributed denial of service attack or a botnet attack?
  -There needs to be a set of policies for that type of security incident
• Sometimes confidential information is stolen or made public
  -And sometimes the thieves of that information would like money to keep it secret
• Or someone on the inside may have installed peer-to-peer software
  -Now someone external to the organization can easily gain access to your internal resources
66 block (Network Termination Points)
• Primarily a patch panel used for analog voice and some older networking standards
  -And some digital links
• Anything on the left side of the block is patched over to the right side of the block
  -Easy to follow the path
• These are not the modular connectors you see with a phone's RJ11 or a network's RJ45
  -A specialized punch-down tool is needed to punch the wire down into the 66 block
  -No additional connectors required
• Generally replaced by 110 blocks as phones moved over to VoIP
  -But 66 blocks are still seen in many installations
The Switch (Network Switching Overview)
• Responsible for forwarding or dropping frames
  -Based on the destination MAC address
• Constantly updates its list of MAC addresses
  -Builds the list based on the source MAC address of incoming traffic
• Maintains a loop-free environment when switches are connected into larger networks
  -Uses the Spanning Tree Protocol (STP)
Which routing protocol to use? (Dynamic Routing Protocols)
• It is the router's responsibility to decide which path is the best path from point A to point B
  -What exactly is a route?
  -Is it based on the state of the link?
  -Is it based on how far away it is?
• How does the protocol determine the best path?
  -Some type of formula is applied to the criteria to create a metric
  -Ranks and creates a list of the best and worst routes available
• Consider the recovery after a change to the network
  -Convergence time can vary widely between routing protocols
• If routers from different manufacturers are being connected, you will need to choose between standardized protocols and ones that might be proprietary to a particular manufacturer
  -OSPF and RIP are standards
  -Some functions of EIGRP are Cisco proprietary
TCP and UDP (Introduction to IP)
• Transported inside of IP
  -Encapsulated by the IP protocol
• Two ways that data can be moved from place to place
  -Both have different features for different applications
  -Some apps work better with one, while other apps work better with the other
• Both protocols operate at Layer 4
  -The Transport Layer
• Multiplexing
  -Allows both protocols to be used by many different applications at the same time across the network
Inventory Management (Network Documentation)
• It is useful to have documentation of what devices are on the network
• A record of every asset
  -This includes routers, switches, cables, fiber modules, CSU/DSUs, etc.
  -Or any other network equipment within the infrastructure
• This not only helps you understand what equipment you have and where it is located
  -It also helps your accounting team understand how the depreciation of these devices is handled
  -Useful for financial records, audits, and depreciation
  -Information such as make/model, configuration, purchase date, location, etc.
• Some organizations will even add an asset tag to the device
  -Not only are you keeping a database of where the device is located
  -You can use a barcode, RFID, or a visible tracking number to associate it back to the inventory database
Data graphing (Process Monitoring)
• It is very common to take all of the text-based log information and create a graphical representation of what is being stored
  -Many different data sources
  -Some of this information may come from raw logs, so it's up to you to parse through the information to find what you need
  -Or the data may already be summarized into a metadata form, which makes it very easy to graph
• Some organizations use SIEM software
  -SIEM stands for Security Information and Event Management
  -Allows you to consolidate data and create reports on the information you've stored
  -Turns raw data into something visual
• Graphing can require extensive resource utilization
  -Requires a machine to churn through terabytes of data
  -Make sure you build a machine that can handle the requirements of the information you need to report on
• A SIEM can also have built-in graphing capability
  -Use built-in graphs or build custom reports
  -There may be very little you need to develop or program
  -Simply tell the SIEM the type of graph you'd like over a particular time frame, and it will create the graph and provide those details
Open Systems Interconnection Reference Model (Understanding the OSI Model)
• It's an overall guide (thus the term "model")
  -Don't get wrapped up in the details
  -Keep a broad view of the data as it flows onto the network and back again
• This is not the OSI protocol suite
  -Not really found on today's networks
  -Most of the OSI protocols didn't catch on, but we still use the OSI model
• There are unique protocols at every layer
• You'll refer to this model for the rest of your career
  -Possibly often
Vulnerability scanning (Process Monitoring)
• It's common to periodically monitor your devices to see if they have any vulnerabilities
  -A way to do this is with a vulnerability scanner, which looks at an OS and tells you if any components may be vulnerable
  -Usually minimally invasive
  -Unlike a penetration test
• Vulnerability scanners are very good at finding unknown devices on the network
  -If you're looking to identify a server or a security device that's been added without your knowledge, a vulnerability scan may be a good way to find it
• It's common to run vulnerability scans not only from inside the network, but also from outside
  -It's useful to know what anyone outside the organization sees when they try to access your systems through the Internet
• Vulnerability scanners are not 100% perfect, but they give us a list of things to look through
  -Used to gather as much information as possible
  -After running a vulnerability scan, it's common to step through all of the results and determine what is a real vulnerability versus a false positive
RFID (Radio-Frequency IDentification) (Internet of Things Topologies)
• Used everywhere in our daily life, such as:
  -Access badges
  -Inventory/assembly line tracking
  -Pet/animal identification
  -Anything that needs to be tracked
• Radar technology
  -RFID tags are usually not powered devices
  -The tag is powered by the radio energy transmitted to it
  -Radio frequency powers the tag, and the tag transmits back an ID over the wireless communication
  -It is a bidirectional communication
  -Some tags come in active/powered formats as well
Troubleshooting MTU (Protocol Data Units)
• MTU sizes are usually configured once
  -Based on the network infrastructure; it doesn't change often
• It can be a significant concern for tunneled traffic (such as a VPN)
  -The tunnel MTU may be smaller than that of your local Ethernet segment
  -Data will need to be fragmented to get through the VPN tunnel
• What if you send packets with the Don't Fragment (DF) bit set?
  -Some applications don't like to have their data fragmented; those apps turn on a special bit in the IP header called the DF bit, which tells all devices in the path not to fragment the data
  -Routers will respond back and tell you to fragment
  -Hopefully the ICMP message reaches the original station, stating that the data could not be sent through this network because the DF bit was set
• Troubleshoot using the ping command to determine a good MTU size
  -Ping with DF set and force a maximum size of 1472 bytes
  -Total is 1500 bytes; this includes the 8-byte ICMP header and the 20-byte IP header
  -e.g. Windows command: ping -f -l 1472 8.8.8.8
• If the ping doesn't work, lower the amount of data sent and try again
  -Lower the amount until you find the exact size at which the largest data can be sent without requiring any fragmentation
Protecting against ransomware (Ransomware)
• Make sure you have a backup to recover from a disaster
  -And make sure that backup is kept offline
  -A lot of modern crypto-malware will find your backup systems if they're online and encrypt the backups as well
• One of the ways crypto-malware embeds itself on your computer is by taking advantage of a known vulnerability
  -So make sure you are always updating your OS to keep vulnerabilities patched
  -And make sure all of your applications are updated to the latest security patches
• One way to stop this malware from executing on your computer is to have your anti-virus already recognize the malware
  -For that to occur, keep your anti-virus/anti-malware software updated to the latest signatures
• Keep everything up to date
Third-party DNS (An Overview of DNS)
• Managing DNS can be challenging
  -Especially in large environments
• DNS can be outsourced
  -Cloud-based DNS services external to the organization
  -All DNS servers run in the cloud
  -Multiple DNS instances available around the world
  -Can still provide the same internal functionality, except it is using a cloud-based service external to your organization
• Can provide features not normally available on a privately-hosted DNS server, such as:
  -High availability (DNS services available all the time)
  -Low-latency servers (fast response times)
  -Scaling options (can scale up or down as needed)
5 GHz Spectrum for 802.11 - North America (Wireless Network Technologies)
• Many more blocks of 20 megahertz channel bandwidth are available • Anything that is not shown in red (on the channel chart) is available bandwidth that you can use in 5 gigahertz • You can group channels together to have 40 megahertz channel bandwidths, 80 megahertz, or in the case of 802.11ac you can use 160 megahertz channels to move data over that wireless network
Dual-stack routing (Configuring IPv6)
• Many network administrators are faced with also including IPv6 on their networks • Dual-stack configuration allows IPv4 and IPv6 to both run at the same time on a particular workstation, router, or layer 3 device -This allows the workstation or layer 3 device to use either of the protocols to communicate -Interfaces will be assigned multiple address types • IPv4 -Configured with IPv4 addresses, Subnet Mask, DNS, and all other settings for IPv4 -Maintains an IPv4 routing table specific to IPv4 -Uses dynamic routing protocols specific to IPv4 if configured on a router -On that same device, we'd have a separate configuration area for IP version 6 • IPv6 -Configured with IPv6 addresses, Subnet Mask, DNS, and all other settings for IPv6 -Maintains a separate IPv6 routing table specific to IPv6 -Uses dynamic routing protocols specific to IPv6 if configured on a router • Most of our modern networks and infrastructure devices understand both IPv4 and IPv6 -It is very common to configure this dual-stack implementation
Out-of-band management (Remote Access)
• Many of our switches, routers, and other infrastructure devices can be accessed over a terminal or from a web-based front end using the built-in IP addresses that are on the network -But what if the network is suddenly not available, and you still need access to that infrastructure device? -In those situations, you may want to take advantage of out-of-band management • Out-of-band management is a way to manage these devices without using the external network -Usually this is implemented as a USB interface or a serial interface where you can connect directly to the device to manage it • If this device is in another building, another state, or another country -You may want to connect a modem to this serial interface so that you can dial in and connect to this device over phone lines • Some organizations may take advantage of a console router or a communication server -You may have a remote site that has a router, a firewall, and multiple switches, and you may connect all of those devices through out-of-band management to the COM server -You would then dial into the COM server, and from there you would specify which of these devices you'd like to communicate with over the out-of-band management interface
Wireless encryption (Wireless Encryption)
• Many of the networking devices these days are using wireless to communicate, and of course, this wireless communication is going through the airwaves -Every device on the wireless network is both a radio receiver and a radio transmitter -This means if someone is listening in to those frequencies, they can listen in to all of the traffic going over this wireless network • To make sure that all of this wireless communication is protected, we will normally encrypt this data as it's going over the wireless network -Everyone would get their own password to use, or there would be a shared password for everyone to use on that wireless network • This means that only the people with the correct credentials would be able to communicate on this wireless network -If someone does capture this encrypted wireless communication going through the air, they wouldn't be able to view or understand any of that encrypted data • One of the most common ways of encrypting data on our wireless networks is using WPA2 -If you have older equipment, you may also see WPA encryption used
Upgrading firmware (Device Hardening)
• Many of the routers, switches, and firewalls that we're adding to a network are not using a traditional operating system -These aren't running a Windows or Linux operating system underneath, and if we need to upgrade those systems, we're usually having to perform an upgrade to the firmware of the system • If you are planning to upgrade the firmware, make sure you check with the manufacturer that you're using a version of firmware that does not have any known vulnerabilities -You may find yourself upgrading to a version of firmware that already has another upgrade available to solve some of these security problems -The potential exists for security vulnerabilities -Upgrade the firmware to a non-vulnerable version • We're often upgrading this firmware to solve problems that we're having on the system, but the new firmware could introduce an entirely new set of issues -It's always good to keep backups of all your previous firmware versions so that if you run into problems, you can easily downgrade to the previous revision -Plan for the unexpected and always have a rollback plan
Speed test analysis (Software Tools)
• Many of us are already familiar with the speed test sites that are available on the internet -A great resource if you need to quickly perform some bandwidth testing -These sites work by transferring a file and then determining how long it took for that file to be transferred -Many of them will perform download and upload tests, and they'll use different size files to be able to test different amounts of throughput • These can also be used if you're making any change to the network -You might want to run a speed test before you install a new firewall, and then run the speed test after you've installed the new firewall to see if there was any impact to the overall throughput • You might also want to try running speed tests at different times of the day -As the amount of utilization on the network changes, you'll be able to see the impact to the overall throughput to the internet -Can be automated or manual • You might want to try different speed test sites -Not every speed test site is built exactly the same -They might have a different number of servers (points of presence - POPs) -They might have more/less bandwidth depending on the POP that's being used -The testing methodology may change depending on what service is being used
VLAN hopping (VLAN Hopping)
• Many organizations use VLANs to separate the network into different parts -This may be for organizational reasons or it might also be for security reasons -You might have a VLAN for the network engineering team, a VLAN for shipping and receiving, and a separate VLAN for the accounting department • This means if someone in the accounting department is accessing the network, then they have access to all of the other devices that are on the accounting VLAN -The best security practice is that you would only have access to the devices that are on your local VLAN • But there are some techniques that might allow someone to hop to another VLAN -This is something that should not be happening, and we want to be sure that we're protecting against somebody who's able to access a VLAN that's not their own • There are two primary methods that people are using to hop between VLANs this way -One is called switch spoofing -The other one is double tagging
Disaster Recovery Types (Recovery Sites)
• Many organizations use an external site for their disaster recovery • The types of disaster recovery sites are: -Cold Sites -Warm Sites -Hot Sites
Video surveillance (Physical Security)
• Many organizations will add physical security in the form of video surveillance • These are referred to as CCTV cameras, which are Closed Circuit Television -These are often coax-connected devices -It's more common to use IP-based cameras that can communicate across the network over Ethernet connections -These cameras can replace multiple people that may be stationed in different locations. -So instead of having multiple guards set up looking at a particular area, you can have all of those cameras come back to a single screen where one person can be monitoring all of those different areas • You want to get cameras with the proper specifications -For example, you may need cameras with a shorter focal length so that there is a wider angle that can be viewed from a single camera -Depth of field is also important, especially if the camera is looking at a very long distance. You want to be sure that that entire distance is in focus. -And if you're going to be using these cameras in a dark location or at night, then it's useful to have cameras with infrared features that are able to see even when it's dark outside • It is very common to have cameras posted inside and outside of buildings or around the campus -Then you can have all of those cameras networked and report back to a central video recording device • These cameras can also alert if someone happens to go into an area by using motion detection -That way if a certain room is off limits, you are notified immediately if anyone goes into that particular area
Circuit labeling (Network Documentation)
• Most organizations have a number of WAN circuits that may be coming into the building -So it's a good idea to also label all of those circuits as well • WAN circuits can operate normally, and then suddenly not operate at all -Not because of something that's inside of your building, but because of something that might be between your site and the other one -The problem is outside of your control • Document exactly which of those WAN circuits may be having a problem -Document the demarc interface for that circuit -The associated CSU/DSU that's connected to that demarc -And even the router that is connected to the CSU/DSU • The label information that you'll need to know is: -The WAN provider Circuit ID that is associated with that WAN connection -The WAN provider and the phone number for their helpdesk -An internal reference name that you can use when putting internal reports together (for documenting purposes) • If you have a monitoring system, you may want to include all of this information with the monitoring system. Then, if an error or an alert is created, it will have all of the details you need to be able to communicate with the WAN provider
Application proxies (Advanced Networking Devices)
• Most proxies in use are application proxies -A proxy has to be specifically written to be able to understand how certain applications will operate • Very common for these application-level proxies to be able to understand, perhaps, one application -A proxy may only know one application, i.e., HTTP • Many proxies are multipurpose and may need to enable additional features or use additional proxies if additional types of applications need to be proxied -Applications such as HTTPS, FTP, and any other type of app.
Multi-mode fiber (Optical Fiber)
• Multi-mode fiber is commonly used for short-range communication -Up to 2 km or less in length • The type of light used to send the signal through the fiber is usually inexpensive -Uses inexpensive light such as LED • This is called Multi-mode fiber due to the core of the fiber being larger than the wavelength of the light being sent through the fiber
Multimeter (Hardware Tools)
• Multimeters are tools that anyone should have in their tool bag -They allow you to test the AC voltage so you can see if you are getting power from a power outlet • They also have options to be able to look at DC voltage as well -You can check the voltage that's inside of the network devices that you're using -PC power supply output voltages -CMOS battery power • You also have continuity tests on here -For networking, you can use those continuity tests to see if you're getting connections between one end of a cable and another -If you don't have a cable tester, for example, you can use this multimeter to provide that continuity check against each pin of the cable, and build your own wire mapping using the multimeter -Fuse status
Time-Division Multiple Access (TDMA) (Cellular Network Standards)
• Multiple streams are combined (Multiplexer) into a single stream and then broken out again on the other side (Demultiplexer) - "Muxing" • Here's how Time Division Multiple Access, or TDMA, multiplexing works -You would have multiple streams -The multiplexer blends those together and gives everybody a certain time slot that's available to them -On the other side that signal is demultiplexed and you would break out the streams so that they can be sent to their normal destinations
Four important addresses (Seven Second Subnetting)
• Network address / subnet address -The first address in the subnet • Broadcast address -The last address in the subnet -The one that is used when a broadcast is sent on an IPv4 network • First available host address -One more than the network address -The IP that our workstations and devices will use on that network • Last available host address -One less than the broadcast address -Together these determine the exact range to use for all of our devices
SDN (Software Defined Networking) (Software Defined Networking)
• Networking devices have two functional planes of operation -Control plane: responsible for the administration and ongoing servicing of that device -Data plane: responsible for transferring or forwarding data from one point to another • SDN is directly programmable -Configuration (control) is different than forwarding (data) -Control plane and data plane are separate processes from each other • SDNs are also agile -Changes can be made dynamically (on the fly) -The network can automatically and dynamically change itself to provide more capacity where it's needed • SDN can be managed from a central console -Gives a global view and is centrally managed -Can be controlled from a single screen, also known as "single pane of glass" management • Can be programmatically configured • Can be orchestrated - No human intervention needed • e.g.: SDN is monitoring part of the network, and if the network becomes congested or needs more resources, those resources can be deployed automatically • A key point is that SDN is vendor neutral -Publicly available open standards -Can use a standard interface for the network (not proprietary)
Nmap (Network mapper) (Command Line Tools)
• Nmap finds other network devices and learns what services are running on the network • Nmap is probably best known as a port scanner -It will find open ports on a particular device, and tell you what those ports may be doing • It can also scan the operating systems of those devices without having to log into the device -Nmap will send very specific queries to a device. And depending on the response from those queries, Nmap will determine the operating system running on that computer • Nmap is also able to determine the type of services and the versions of services that may be running on devices in a very similar way -It doesn't have to log in or use that service, it simply sends some very specific queries and examines the responses to those queries • Nmap includes its own scripting language that allows you to extend the capabilities of this very popular port scanner -This is NSE or the Nmap Scripting Engine to extend its capabilities, functionality, and vulnerability scans
Platform as a service (PaaS) (Cloud Services and Delivery Models)
• No physical servers, no software maintenance, no maintenance team, no HVAC for the data center -Someone else handles the platform in the cloud -You handle the development processes • You don't have direct control of the data, people, or infrastructure -You're not responsible for keeping the systems running or maintaining the OS -Trained security professionals are watching over your systems and making sure everything is secured (choose carefully) • You are provided with a sandbox where you can build your own applications -They provide modular building blocks that you can put together to build the perfect application for your use -Develop your app from what's available on the platform -SalesForce.com is an example where they allow you to build your own custom app based on what is available
Plenum space (Copper Cabling)
• Some buildings have no plenum above the ceiling; that space is dead/non-circulating airspace -Meaning air ducts supply the air for your air conditioning and separate air ducts return the air • In many environments, there may be air that is being supplied through air ducts, but the return air space is a shared area where you have all of your building air circulation along with all of your cabling -This area is called the plenum; this is where all of the building's air circulation resides -There are a number of fire regulations associated with this plenum area; in case of fire, this open area will be providing air to help feed any type of fire that may be in the plenum -Air feeds into the fire • Concerns in the case of a fire in the plenum -Must think of what is being placed in the plenum and how it may react to fire, especially the types of smoke and any type of toxic fumes it might give off • Worst-case planning in case of fire -Important concerns for any structure -Make sure you're running the right cabling
Double tagging (VLAN Hopping)
• Normally, when a frame is sent across a trunk connection, there's a tag that's added to that frame -On the other side, that tag is evaluated and removed, and that data is sent to the correct VLAN on the other side -One way to get around this functionality is to include two tags with a particular frame going over VLAN -With double tagging, we're able to use the native VLAN of a particular switch to gain access to a VLAN that normally we would not have access to • This double tagging attack uses two different switches -The first switch removes the first native VLAN tag associated with the frame -And the second switch removes the second "fake" tag associated with the frame -The data is then forwarded to the target on the separate VLAN • This means that this particular kind of attack can only work in one direction -There's no way to put two tags on the return frame -So whenever you're sending information using this double tagging attack, you're sending it without ever receiving a response back from the other device -This limits some of the things that you might be able to do with this attack, but it certainly could be used for something like a denial of service • One way to avoid a double tagging attack is not to allow someone access to the native VLAN -You would change the native VLAN ID and force anyone going over the native VLAN to use tagging
Change management (Network Documentation)
• Nothing remains the same in the world of information technology -Constant changes are always occurring -You may need to upgrade software, make a firewall change, or modify the configuration of a switch • Any time a change is made to any piece of hardware or any piece of software, there is additional risk associated with that modification -One of the most common risks in the enterprise -Change occurs very frequently • There might be a change in a piece of software, but often overlooked or ignored is that changing something can break another thing -Changing a piece of software can cause another piece of software to break -Performing a simple upgrade can turn into a very significant change that can affect the entire org. • This is why many organizations will implement a formal change control process -No change of any type to any component can be done unless it goes through a formal committee -That particular change gets documented, it'll have a fallback plan if that particular change doesn't work properly, and everyone knows the change is going to occur • In many organizations, this change control process is a normal part of business -Everyone knows about the change control process and nobody makes any changes until it's gone through the formal committee • In some organizations, the change control process is not part of the corporate culture -It may be difficult to implement a formal change control process unless the whole org. buys in
SIEM logs (Event Management)
• Now that all of the log information has been consolidated in one place, you are able to go back over time and look at all of the events that you might need to see -You can see processes that have exited, you can see when someone has logged in, you can see when someone has logged off • Using the consolidated log information on the SIEM gives very detailed information about exactly what's happening on your network
Test the theory (Network Troubleshooting Methodology)
• Now that we have a list of theories on how to resolve this issue, we can now test those theories -We may want to go into a lab -And if we are able to recreate this problem in the lab, then we can apply each theory until we find the one that happens to resolve the issue • If you tried the first theory, you may want to reset everything and try the second theory or the third -If you run out of theories, you may want to go back and think of other things that might be causing this problem • This might be a good time to bring in an expert who knows about the application or the infrastructure, and they can give some theories and possible resolutions to test in the lab
Implement the solution (Network Troubleshooting Methodology)
• Now that you've documented your plan of action, you can take that to your change control team, and they can give you a window when you can implement that change -Implement during the change control window -The actual fixing of the issue is probably going to be during off hours during non-production times • You may need to bring in help from a 3rd party to assist, especially if your window is very small -Escalate as necessary
nslookup <ip address> (Command Line Tools)
• Nslookup is the utility you'll find in Windows, Mac OS X, Linux, and almost any other operating system -It can look up names and IP addresses from a DNS server -The use of nslookup is now deprecated, and it's preferable that you use the "dig" utility instead
Calculating subnets and hosts example 3 (Calculating IPv4 Subnets and Hosts)
• Number of subnets = 2ˢᵘᵇⁿᵉᵗ ᵇⁱᵗˢ • Hosts per subnet = 2ʰᵒˢᵗ ᵇⁱᵗˢ - 2 • e.g.: -IP Address: 172.16.55.0/21 (Class B) -Subnet mask written in binary notation: 11111111.11111111.11111000.00000000 -Network has 16 bits -Subnet has 5 bits -Host has 11 bits • To determine total subnets, we look at the borrowed bits -We borrowed 5 bits = 2⁵ = 32 possible networks • To determine total hosts per subnet, we look at the remaining bits -Remaining bits = 11 = 2¹¹-2 = 2,048-2 = 2,046 maximum hosts per subnet
Calculating subnets and hosts example 2 (Calculating IPv4 Subnets and Hosts)
• Number of subnets = 2ˢᵘᵇⁿᵉᵗ ᵇⁱᵗˢ • Hosts per subnet = 2ʰᵒˢᵗ ᵇⁱᵗˢ - 2 • e.g.: -IP Address: 192.168.11.0/26 (Class C) -Subnet mask written in binary form: 11111111.11111111.11111111.11000000 -Network has 24 bits -Subnet has 2 bits -Host has 6 bits • To determine total subnets, we look at the borrowed bits -We borrowed 2 bits = 2² = 4 possible networks • To determine total hosts per subnet, we look at the remaining bits -Remaining bits = 6 = 2⁶-2 = 64-2 = 62 maximum hosts per subnet
Calculating subnets and hosts example 1 (Calculating IPv4 Subnets and Hosts)
• Number of subnets = 2ˢᵘᵇⁿᵉᵗ ᵇⁱᵗˢ • Hosts per subnet = 2ʰᵒˢᵗ ᵇⁱᵗˢ - 2 • e.g.: -IP address: 10.1.1.0/24 (Class A) -Subnet mask written in binary notation: 11111111.11111111.11111111.00000000 -Network has 8 bits -Subnet has 16 bits -Host has 8 bits • To determine total subnets, we look at the borrowed bits -We borrowed 16 bits = 2¹⁶ = 65,536 possible networks • To determine total hosts per subnet, we look at the remaining bits -Remaining bits = 8 = 2⁸-2 = 256-2 = 254 maximum hosts per subnet
IPv4 addresses - Internet Protocol version 4 (IPv4 and IPv6 Addressing)
• OSI Layer 3 address -Each grouping = 8 bits = 1 byte = 1 octet -Since one byte is 8 bits, the maximum decimal value for each byte is 255 -Combined grouping = 32 bits = 4 bytes • e.g.: IPv4 address 192.168.1.131 -192 = 11000000 -168 = 10101000 -1 = 00000001 -131 = 10000011 -Each group (such as 11000000) = 8 bits = 1 byte = 1 octet -All combined = 32 bits = 4 bytes
Connecting to the cloud (Cloud Services and Delivery Models)
• On an existing Internet connection -If using a browser-based application, it's common to use SSL/TLS encryption. This provides an encrypted tunnel between the device and the application • You can use a VPN (Virtual Private Network) if an entire site of people needs secure access into the cloud-based application -Provides an encrypted tunnel for all traffic between you and the cloud-based system -This will probably require some additional hardware on both ends, such as firewalls and dedicated hardware for the VPN. The VPN connectivity will need to be coordinated with the 3rd-party cloud provider • Having a direct connection -If security is of the utmost importance, have the cloud-based instance inside of your own facilities -Co-location, same shared data center -High-speed 10 Gigabit direct connection -No external traffic (added security)
Signal loss (Wired Network Troubleshooting)
• On any network connection, whether you're using fiber or copper, the signal will begin to degrade as it travels farther and farther in distance -Signal strength diminishes gradually over distance • Signal loss is called attenuation -Loss of intensity as a signal moves through a medium -If we have too much attenuation on a wire or fiber, we won't be able to hear that signal when it reaches the other side • On any of your networks, you'll have to consider attenuation when you begin engineering and troubleshooting these networks -Attenuation will occur in electrical signals as they move through copper -Attenuation will occur with light as it moves through fiber -Attenuation will occur with radio waves as they move through the air and get farther away from the access point
Dual-power supplies (Power Management)
• On individual servers, power redundancy can be created if the server can support redundant power supplies • This is designed so that each power supply can handle 100% of the power load -It normally runs at 50% of the load when both are connected and running at the same time • These power supplies are usually also hot-swappable -You can replace a faulty power supply without having any impact to the system • In a properly configured dual-power supply, you would not only have the multiple power supplies -But you would be connecting one power source to one power supply and another live power source to the other -That way, if either one of these power supplies fails or someone happens to disconnect one of those power supplies, the other power supply will keep the system up and running
FIM (File Integrity Monitoring) (Mitigation Techniques)
• On these devices, there are some files that will be changing all the time -For example, the log files in a system will be constantly updated throughout the day -But there are some files on these systems that will never change -The operating system files and the internal files of these systems will probably never be updated • Since many security breaches can start by someone changing one of these files that normally would never change, you may want to enable File Integrity Monitoring, or FIM -This means that you can scan either in real time or on demand to see if any of these files may have been changed -Monitor important operating system and application files and identify in real time when any changes occur • In Windows, you might want to run SFC -This is the System File Checker, which will look at the Windows files and make sure that all of those files are exactly what they should be • In Linux, there's an agent you can add from Tripwire -And if any of your system files change, the Linux Tripwire agent will tell you that those have been modified • There are also a number of host-based IPS options that can monitor any of your systems and let you know if any of those important files may have changed
Jitter (Wired Network Troubleshooting)
• On today's networks, we have a lot of real-time applications -We're streaming real-time video or have voice over IP communication -All of this communication requires that there be a constant flow of traffic through the network -We expect these applications to send and receive traffic at regular intervals. -If there happens to be delays between those intervals, you have jitter • It's these real-time applications that are so sensitive to any excessive jitter -If you're on a voice over IP phone call, you don't have time to have information retransmitted back to you -If you miss a packet, there's no retransmission -If you don't receive the information in time, then it's dropped and you can't ever rewind the conversation to begin again • Jitter measurements are the time that we'll see between frames -There should be a regular interval between each of the frames that are going across the network as time proceeds -If you start to have excessive jitter between these frames, then you'll have choppy phone calls and you'll lose frames on your video
Local and cloud resources (Cloud Services and Delivery Models)
• On-premises resources (a traditional deployment model) -Your applications are on local hardware -Your servers are in your data center in your building -You have complete control of all hardware, software, and the location of all the information • Hosted resources -All hardware, data, and applications are running on a third-party system that is located outside of your building -Your servers are not in your building -They may not even be running on your hardware -Usually running on hardware provided by the 3rd party, and it's usually a specialized application that's running on that system • Cloud resources -Entire application instances can be created and torn down on demand -You can simply request additional resources (CPU, memory, disk space) from the cloud and allocate them to the application
Baseline Review (Process Monitoring)
• Once all monitoring information has been collected to a central point, Baselines can be created -This allows you to understand what the normal operation of the network might be over time -If any of these reports indicate a change to the baseline, then additional investigation is needed to find out what is going on in the network
Verify full system functionality (Network Troubleshooting Methodology)
• Once you have executed on your plan of action, your job isn't done yet -We need to make sure that all of these changes actually resolved the problem -So now that the changes have been implemented, we now need to perform some tests -We may want to bring in the end users/customers who first experienced this problem so that they can run through exactly the same scenario to tell you if the problem is resolved or if the problem still exists • This is also a good time to implement preventive measures -That way, we can either be informed that the problem is occurring -Or we can provide alternatives that we can implement if that problem happens again
Graphing with SNMP (Event Management)
• Once you've queried a device over time and gathered all of these different metrics, you can create reports showing information on uptime, response time details, the amount of traffic transferred, or anything else that may be collected by that SNMP agent
Reflection (Wireless Network Troubleshooting)
• One challenge we have when designing wireless networks is dealing with reflection -Reflection is when a wireless signal bounces off objects -Some objects like desks or metal may bounce signals better than others, and the signal may bounce differently at 2.4 GHz than 5 GHz • If there's too much reflection, you may find that the signal is weaker than you might expect -But a little bit of reflection can actually be useful, especially if you are taking advantage of multipath interference with MIMO • This reflection may be something that you can work around by changing the direction of your antennas or where your antennas might be positioned -Again, reflection may not be as big of a problem if you're taking advantage of MIMO in 802.11n or MU-MIMO in 802.11ac
UPS (Uninterruptible Power Supply) (Power Management)
• One common power redundancy component is a UPS -UPS stands for Uninterruptible Power Supply -It is a short-term battery backup power -It keeps the power running when/if you are experiencing blackouts, brownouts, or power surges • There are generally three categories of UPS: -Offline/Standby UPS ; This type only switches over to battery only if the main power source is lost -Line-interactive UPS ; This type slowly brings the power up from the battery in case you are experiencing a brownout -On-line/Double conversion UPS ; This type is always running from the battery. No switchover is needed if you happen to lose power, it'll simply continue to use the battery until the power is restored • When looking at a UPS, take a look at the features: -Some have an auto shutdown. If the power goes out, it will still continue to run. But as the battery grows lower and lower, it will send a signal to your computer to automatically shut down so you don't lose anything in your system. -Some have additional battery capacity that will last much longer because they have much larger batteries -Some have additional outlets in the back -Some UPSs will even have interfaces on the back to use for your phone lines to prevent any voltages from coming through the phone line connection
File backups (Backup and Recovery)
• One common requirement for anyone in I.T. is to always have a good set of file backups -One way to manage the backup process is for the backup system to know what files have changed or which files have stayed exactly the same since the last backup -The way that it's able to make this determination is by looking at the archive bit that's associated with each file -If that archive bit has been turned on, then that particular file has been changed since the last backup -The archive attribute (bit) is set when a file is modified • A full backup -It does not matter whether the archive bit is set or not -It is going to back up every single file from the entire system -This is the backup you want first -This backup clears the archive attribute so you can tell which files have been changed -Useful as the starting point for incremental backups • An incremental backup -This backup grabs all of the files that have the archive bit set since the last incremental backup -Backs up all of the files that have changed since the last incremental backup -Clears the archive attribute • A differential backup -It backs up all of the files that have the archive bit set since the last full backup was done -Does not clear the archive attribute
Omnidirectional antennas (Wireless Network Technologies)
• One of the most common -Included on most access points • These antennas are called omnidirectional because they distribute the wireless signal evenly on all sides -Signal is evenly distributed on all sides -Omni=all • Good choice for most environments -Used if you need coverage in all directions -Can place the wireless access point in a central location and have the same signal strength on all sides • No ability to focus the signal -A different antenna will be required such as a directional antenna
Something you know (Multi-factor Authentication)
• One of the most common authentication factors is something you know -And one of the most common somethings that you know is a password -This would be a secret word or a secret phrase that you use along with your username to gain access to a resource • We might also use a PIN as something we know -Which is a Personal Identification Number -If you are getting money from an ATM or you are using a smart card, you're often asked to input a Personal Identification Number -Not typically contained anywhere on a smart card or ATM card • Unlock your mobile device using a swipe pattern or completing a series of patterns -That swipe pattern is a good example of something you know
IEEE 802.11 (Internet of Things Topologies)
• One of the most common Internet of Things technologies -Wireless networking (802.11) -Used at home, work, and everywhere else -An IEEE standard -Managed by the IEEE LAN/MAN Standards Committee (IEEE 802) • Has been updated over time -Check with IEEE for the latest • Look for the Wi-Fi trademark to make sure your Wi-Fi devices will be able to communicate with each other -Wi-Fi Alliance handles interoperability testing
Bluetooth (Internet of Things Topologies)
• One of the most popular Internet of Things topologies • High speed communication over short distances -Also called PAN (Personal Area Network) -Used to connect a lot of our personal devices together • Connects to our mobile devices: -Smartphones -Tethering internet connections -Headsets and headphones -Health monitors -Automobile and phone integration -Smartwatches -External speakers
MPLS pushing and popping (WAN Technologies)
• One of the terms that'll be referenced with MPLS is pushing and popping as data is sent into the MPLS cloud • Labels are "pushed" onto packets as they enter the MPLS cloud so that the internal provider network will know what the destination will be for that data • Labels are "popped" off on the way out of the internal provider network so the data can be delivered to the customer
Load balancing (Load balancer) (Availability Concepts)
• One way to provide high availability with servers is to put them behind a load balancer -With many load balancers, you can configure certain servers to always be available and others to be on stand-by • If an active server fails, the passive server takes its place -The load balancer is always performing a health check to all of the servers -If a server suddenly is unavailable, the load balancer will recognize that scenario and begin using a separate standby server in its place -This way, if someone does need access to a resource, there is always a server available for that request
POE+ specs (Switch Interface Properties)
• POE+: IEEE 802.3at was updated in 2009 -The updated PoE specification -Now also part of 802.3 - 2012 -Power increased to 25.5 watts of DC power -And a maximum current of 600 mA
Fiber distribution panel (Network Termination Points)
• Patch and distribution panels are also available for fiber as well -This is for a permanent fiber installation -In an example of a fiber distribution panel, there is a patch panel on one side and we are extending this to another floor or another building where there is a similar fiber distribution panel at the other location • Fiber installations have gentle curves -Never bend a fiber past its bend radius -Breaks when bent too tightly • Often includes a service loop -May have extra loops of fiber inside of them in case you have to move this particular distribution panel -No need to rerun the fiber (inexpensive insurance) -Simply extend it using the service loop already inside
Phishing (Phishing)
• Phishing is a technique used by the bad guys to try to convince you to give up some personal information -This might be a username and a password -It might be some personal information like a credit card number or social security number -It's a mixture of social engineering and a little bit of spoofing • A good example of phishing would be a PayPal login screen, except this really isn't a login screen at PayPal. -It's one that the bad guys constructed to look exactly like a PayPal login page so that you would be enticed to provide your username and password -You usually end up on one of these pages by clicking on a link inside of an email or responding to a link that's been sent to you over instant messaging -When done well, it will look exactly like the legitimate page, so be very careful about what sites you visit • One way to tell this is not the legitimate PayPal page is by looking at the URL -There might be graphics missing, sometimes there will be spelling/font errors or something not quite right with the page that might make you think that this is not the legitimate site • A type of phishing that is done over the phone is vishing -It stands for voice phishing -This is when somebody calls you up and says they're from the bank or they're from your credit card company -They call to ask you for your credentials, but you might want to think twice before handing over such important information
OSI Mnemonics (Understanding the OSI Model)
• Please Do Not Trust Sales Person's Answers -Physical > Data Link > Network > Transport > Session > Presentation > Application • All People Seem To Need Data Processing -Application > Presentation > Session > Transport > Network > Data Link > Physical • Please Do Not Throw Sausage Pizza Away! -Physical > Data Link > Network > Transport > Session > Presentation > Application • Please Do Not Teach Students Pointless Acronyms -Physical > Data Link > Network > Transport > Session > Presentation > Application
Cloud deployment models (Cloud Services and Delivery Models)
• Private Cloud -Your own data center with your own cloud-based systems • Public Cloud -Available to everyone over the Internet -Provided by a 3rd party • Hybrid Cloud -A combination of public and private cloud • Community Cloud -Several organizations get together and as a community share the exact same resources in that single cloud
NAT example (Network Address Translation)
• Private IPs are used inside a single organization • NAT is used to translate the private IP into a public IP
RSTP (802.1w) (Spanning Tree Protocol)
• Rapid Spanning Tree Protocol (802.1w) -It is a much-needed update of STP -This is the latest standard • Faster convergence process -From 30 to 50 seconds down to 6 seconds • Backwards-compatible with 802.1D STP -Both can co-exist in your network • Very similar process between STP and RSTP -Not many differences between STP and RSTP -Easy for network admins to update to this version, not a wholesale change
ifconfig (Command Line Tools)
• Shows a Linux interface configuration
ipconfig (Command Line Tools)
• Shows a Windows TCP/IP configuration
arp -a* (Command Line Tools)
• Shows the local ARP table • Pinging a device allows the ARP table to update with the IP address and MAC address (*STOP13)
SIEM Dashboard (Authorization, Authentication, and Accounting)
• Since we're collecting all of these login events, we can determine exactly when someone may be logging on, or, for example, when a login was unsuccessful -This might give us the information we need to prevent any unauthorized access to our network.
SFP and SFP+ (Network Transceivers)
• Small Form-factor Pluggable (SFP) -It is a lot smaller than the older style GBIC -Commonly used to provide 1 Gbit/s fiber connections -There are also 1 Gbit/s SFPs with copper (RJ45) connectors available instead of a fiber connector • Enhanced Small Form-factor Pluggable (SFP+) -Improved technology from SFP -Looks and has exactly the same form factor as the older style SFP -Supports much higher data rates -Supports data rates up to 16 Gbit/s -Common with 10 Gigabit Ethernet
Copper patch panel (Network Termination Points)
• Some patch panels will punch down cables to a 110 block on one side of the patch panel -Then have RJ45 connectors on the other • You connect your ethernet patch cable -Then you would run that cable down to your networking equipment -You can move a connection around to different switch interfaces • The run to the desk doesn't move if someone is added or removed from the organization or someone that is moving from desk to desk -We simply change the wire on the patch panel and the connector to where it's going on the switch
Hybrid routing protocols* (Dynamic Routing Protocols)
• Some routing protocols use a little bit of link-state and a little bit of distance vector and combine those together as the dynamic routing protocol -Not many examples of a hybrid routing protocol • An example of hybrid routing protocol is BGP (Border Gateway Protocol) -It determines which route is the best based on the paths, the network policies, or preconfigured rule-sets that were set inside the router (*STOP2)
Speed test sites (Software Tools)
• Some very common third party test sites are: -Speedof.me -Speedtest.net -Testmy.net • If you're on an ISP, they may ask you to perform speed tests on their local network -If you're on Comcast, you may be using speedtest.comcast.net -AT&T has att.com/speedtest
DHCP process (DHCP Addressing Overview)
• Step 1: Discover - Client to DHCP Server -A broadcast message is sent to find all of the available DHCP Servers -Client sends a DHCP Discover broadcast message over UDP/67 -The broadcast message does not go past the router if the DHCP server lives on that subnet • Step 2: Offer - DHCP Server to client -It sends some IP address options to the client -DHCP Server sends a DHCP Offer message over UDP/68 offering an IP address -The broadcast message does not go past the router if the DHCP server lives on that subnet • Step 3: Request - Client to DHCP Server -Client chooses an offer and makes a formal request -Client sends a DHCP Request to the DHCP Server over UDP/67 requesting the offered IP address -The broadcast message does not go past the router if the DHCP server lives on that subnet • Step 4: Acknowledgment - DHCP Server to client -DHCP server sends a DHCP Acknowledgment to the client over UDP/68 acknowledging the IP address lease -Device will automatically configure itself with the IP address that was provided in the acknowledgment.
Port Numbers (Introduction to IP)
• TCP and UDP ports can be any number between 0 and 65,535 • Most servers (or services) use non-ephemeral (non-temporary/permanent) port numbers -This isn't always the case since it's just a number -Servers can choose to use any # between 0 thru 65,535 • Port numbers are for communication, not security • Service port numbers need to be "well known" • TCP port numbers aren't the same as UDP port numbers (they are different) -There's no conflict between TCP/UDP protocols
Building the IPv6 address (Assigning IPv6 Addresses)
• The 64-bit IPv6 subnet prefix -Subnet prefix can be found by sending a Neighbor Discovery Protocol request to the routers on the local subnet; the routers will respond with the local subnet prefix 2600 : dddd : 1111 : 0001 • Once we have the subnet prefix, we need the final 64 bits, the EUI-64 address. -This is created from a combination of the modified MAC address (8e:2d:aa ¦ 4b:98:a7) and the FFFE that goes into the middle • Creating the IPv6 address: -The 64-bit IPv6 subnet prefix = 2600 : dddd : 1111 : 0001 -The first 3 bytes of the MAC with the changed 7th bit = 8e2d : aa -Missing 16 bits in the middle = ff : fe -Last 3 bytes of the unchanged MAC address = 4b : 98a7 -Put together: 2600:dddd:1111:0001:8e2d:aaff:fe4b:98a7
Layer 2 - Data Link Layer (Understanding the OSI Model)
• The basic network "language" -The foundation of communication at the data link layer • Data Link Control (DLC) protocols -On an ethernet network, this layer is referencing the MAC (Media Access Control) addresses that are communicating on the network • The "switching" layer where the MAC addresses are communicating with each other • e.g. : the switching layer (Frame, MAC address, EUI-48, EUI-64, Switch)
The Hypervisor (Virtual Networking)
• The component that provides the link between the virtual world and the physical world is the hypervisor -It is also referred to as the Virtual Machine Manager -It manages the virtual platform and guest OS • It requires a CPU that supports virtualization within the hardware of the CPU for improved performance -Intel calls it Virtualization Technology (VT) -AMD calls it AMD-V • The hypervisor is the component in this virtual system that maintains all of the virtual CPUs and all of the virtual devices -It allows you to set up separate networking components -Also provides security for all the virtual machines
The MAC address (Introduction to Ethernet)
• The ethernet Media Access Control address -The "physical" address of a network adapter -It is unique to each networked device • The MAC address is 48 bits / 6 bytes long -Usually displayed in hexadecimal and separated into 2 pieces • *e.g : 8c:2d:aa:4b:98:a7* -First half : 8c:2d:aa -Is an Organizationally Unique Identifier (OUI) -It is associated to the manufacturer -Second half : 4b:98:a7 -It is Network Interface Controller-Specific -The serial number of the device
NDP (Neighbor Discovery Protocol) (Configuring IPv6)
• There are no broadcasts in IPv6 -Operates using multicast over ICMPv6 • Neighbor MAC Discovery -Uses the same function as ARP in IPv4 -But replaces the IPv4 ARP • SLAAC (Stateless Address Autoconfiguration) -Another function of IPv6 that uses NDP -Allows all of your devices to automatically configure themselves with IP addresses without having to access a DHCP server • DAD (Duplicate Address Detection) -Also uses Neighbor Discovery Protocol -Makes sure that duplicate IPs are not being used on the network • Router Solicitation (RS) and Router Advertisement (RA) -The ability to find routers that might be on the network -Also uses Neighbor Discovery Protocol
Non-ephemeral ports (Introduction to IP)
• These are permanent port numbers -They are non-temporary • Ports 0 through 1,023 -Commonly used by applications or services that are running on a server
Ephemeral ports (Introduction to IP)
• These are temporary port numbers • Ports 1,024 through 65,535 -Port usage/selection in this range is determined in real-time by the clients
Near Field Communication (NFC) (Internet of Things Topologies)
• Two-way wireless communication -Builds on RFID, which is mostly one-way -Commonly integrated into mobile phones • One way it is used is to provide payment -Used in payment systems such as online wallets and major credit cards • Can be used as a bootstrap for other wireless -NFC can help with the Bluetooth pairing process • NFC can be used as an access token or identity "card" -Short range with encryption support -A mobile phone can be used to allow you access into a room with an electronic lock
Tunneling IPv6 (Configuring IPv6)
• Used for networks not upgraded to IPv6 -Used when you need to tunnel IPv6 over IPv4 or IPv4 over IPv6 • 6to4 addressing -Allows you to send IPv6 between different devices even if the connection between those devices happens to be an IPv4 network -Sends IPv6 over an existing IPv4 network -Creates an IPv6 address based on the IPv4 address -Requires relay routers on both ends and uses IP protocol 41 (a transition technology) to identify these special packets that contain IPv6 information -Does not support Network Address Translation -Might only apply to very specific network configurations. • 4in6 -Tunnels IPv4 traffic on an IPv6 network to bridge the gap between different IPv4 networks.
Virtual LANs (Network Segmentation)
• Virtual Local Area Networks -Separated logically instead of physically -Networks can be segmented on 1 physical switch -Devices now are on different broadcast domains -Devices still not able to communicate with one another due to the logical separation between VLANs
The seven second subnetting process (Seven Second Subnetting)
• We can convert IP address and subnet mask to decimal -Can use the chart to convert between CIDR notation and decimal notation -Same chart also shows the number of devices per subnet • Can determine network/subnet address -Second chart shows the starting subnet boundary • Can determine broadcast address -Chart below shows the ending subnet boundary • We can calculate first and last usable IP address -Add one from network address, subtract one from broadcast address
SNMP v3 (Event Management)
• We got the security we were waiting for in SNMP version 3 -This allows for message integrity, authentication, and encryption of the requests and the responses
T568A and T568B termination Graph (Wired Network Troubleshooting)
• You can see the 568A has white and green, green, white and orange, blue, white and blue, orange, white and brown, and brown as numbers 1 through 8. • The only differences between the A and B are on pins 1 and 2, and 3 and 6. Notice that pins 4 and 5, and 7 and 8, are exactly the same between these two standards
Binary to CIDR-Block notation example 1 (IPv4 Subnet Masks)
• e.g.: 11111111.11111111.00000000.00000000 • Add up the number of 1's (bits) in the subnet mask -This is 8 + 8 + 0 + 0 • This equals a /16 subnet mask -Network is going to be 16 bits long -Host is going to be 16 bits long
SSH - Secure Shell (Common Ports)
• tcp_22 • Looks and acts the same as Telnet • Only this one is an encrypted communication link
SIP - Session Initiation Protocol (Common Ports)
• tcp_5060 • tcp_5061 • The Voice over IP (VoIP) signaling protocol • Sets up and manages VoIP sessions -Sets up the call, rings the call on the other end, & hangs up the call when the call is over • Can extend voice communication to video conferencing, instant messaging, file transfer, etc.
Modifying the MAC (Assigning IPv6 Addresses)
8c : 2d : aa ¦ 4b : 98 : a7 (universal address) • Convert the byte "8c" and put it in binary form: 10001100 • Here, change the 7th bit (counting from the left); it goes from a 0 to a 1, which then turns into: 10001110 • The new MAC is: 8e : 2d : aa ¦ 4b : 98 : a7 (local address)
IP - Internet Protocol example (Introduction to IP)
Ethernet network example: • Ethernet Header <> Ethernet Payload <> Ethernet Trailer -Contains ethernet header, payload, and trailer • Ethernet Header <> IP <> IP Payload <> Ethernet Trailer -The ethernet payload contains the IP header and the IP payload • Ethernet Header <> IP <> TCP/UDP <> TCP/UDP Payload <> Ethernet Trailer -The IP payload contains either a TCP or UDP header and the TCP/UDP payload • Ethernet Header <> IP <> TCP/UDP <> HTTP Data <> Ethernet Trailer -The TCP/UDP payload contains the application data -e.g. HTTP data
Seven second subnetting example 4 (Seven Second Subnetting)
e.g. IP 165.245.12.88/20 1) Convert address and mask to decimal - IP Address = 165.245.12.88 -We convert /20 to 255.255.240.0; /20 is in the 3rd column of the chart, so it falls into that octet 2) Calculate the network address: -If the mask is 255, bring down the address -If the mask is 0, use the 0 -For any other number, refer to the chart Network address = 165.245.0.0 3) Calculate the broadcast address: -If the mask is 255, bring down the address -If the mask is 0, use 255 -For any other number, refer to the chart Broadcast address = 165.245.15.255 4) Find first IP and Last IP -First IP is network address + 1 -Last IP is broadcast address -1 First IP = 165.245.0.1 Last IP = 165.245.15.254
Basics of Binary Math (Binary Math)
• A bit is either a zero or a one -One digit. Off or on. 0 or 1. • A byte equals Eight bits -Often called an "octet" to avoid ambiguity
ARP Poisoning example (Spoofing)
• A legitimate response to an ARP request is received from the default gateway -The ARP response is cached on the local device. • An attacker sends an ARP response that spoofs the IP address of the router and includes the attacker's MAC address. -The malicious ARP information replaces the cached record, completing the ARP poisoning.
How I Lost My $50,000 Twitter Username (Social Engineering)
• One very frightening example of social engineering happened to Naoki Hiroshima -He had the Twitter username @N -And as you can imagine, that is a pretty nice -https://medium.com/cyber-security/24eb09e026dd • This happened because the bad guy talked to PayPal -Did not talk to Mr. Hiroshima -Instead, called PayPal and used social engineering to learn what the last four digits of his credit card were • He then called GoDaddy because that's where Mr. Hiroshima had all of his websites and told them he lost his credit card, but he could validate himself with the last four digits -GoDaddy said he also needed to know the first two digits of the card. And for some reason, GoDaddy allowed him to guess until he got it right -This obviously was not very good security from GoDaddy's perspective, but it was very good social engineering from the bad guy • At that point, the bad guy owned all of Mr. Hiroshima's domains and had access and control over everything • And then told him, how about we swap? -The bad guy said he'll return access to the domains. All you have to do is give me the @N username -And at that point, there was nothing else that he could do. He says, yes, I agree to this swap • He then went to Twitter and said, this was a problem. This is what happened. This was taken from me illegally -It took about a month, but, eventually, Twitter gave him access again to his @N username • This is social engineering that involved multiple organizations. But ultimately, the bad guy was able to get exactly what he wanted just by using these social engineering techniques
ISDN - Integrated Services Digital Network (WAN Services)
• One very popular type of digital wide-area network service is ISDN. -ISDN stands for Integrated Services Digital Network -ISDN can be delivered in two different ways, BRI and PRI. • BRI stands for Basic Rate Interface -It is also referred to as a 2B+D network -The 2B stands for two 64 kilobit per second bearer channels or B channels -The data is sent over these 2 channels -The other channel is called the D channel -It is a 16 kilobit per second signaling channel -The D channel is responsible for setting up the call and tearing down the call -Once the call is established, we can send all of our data over one or both of the two bearer channels • For larger ISDN implementations, you would use a PRI connection -PRI stands for Primary Rate Interface -It is usually brought into an organization over a T1 or an E1 line -A T1 line can support 23 bearer channels and one single D channel -An E1 line would support 30 bearer channels and a D channel along with a separate alarm channel -These days, ISDN is not usually installed as a sole wide-area network connection -ISDN is commonly used to connect the traditional public switched telephone network to the large phone systems (PBX) inside of an organization; also used in radio/broadcasting services where they need to connect two locations very easily
Seven second subnetting example 5 (Seven Second Subnetting)
e.g. IP 18.172.200.77/11 1) Convert address and mask to decimal -IP Address = 18.172.200.77 -We convert /11 to 255.224.0.0; /11 is in the 2nd column of the chart, so it falls into that octet 2) Calculate the network address: -If the mask is 255, bring down the address -If the mask is 0, use the 0 -For any other number, refer to the chart Network address = 18.160.0.0 3) Calculate the broadcast address: -If the mask is 255, bring down the address -If the mask is 0, use 255 -For any other number, refer to the chart Broadcast address = 18.191.255.255 4) Find first IP and Last IP -First IP is network address + 1 -Last IP is broadcast address -1 First IP = 18.160.0.1 Last IP = 18.191.255.254
VLANs on multiple switches (Network Segmentation)
e.g. • Ethernet Switch 1 has VLAN 100 and VLAN 200 • Ethernet Switch 2 has VLAN 100 and VLAN 200 • One way to connect the VLANs to each switch is to run a cable for VLAN 100 and another cable for VLAN 200 between the switches • This is not scalable (what if 10 VLANs are shared, or 100's). Not enough interfaces on the switch to connect all those VLANs to each other • Instead, a TRUNK is created -It is a single physical connection between the 2 switches -Multiple VLANs can transmit data across that TRUNK
Port Forwarding (Network Address Translation)
• 24x7 access to a service hosted internally -Such as a web server, gaming server, security system, etc. -Allows someone on the outside to gain access to the devices that you might have on the inside of your network • To do this, you need to configure an external IP/port number that maps to an internal IP/port -Does not have to be the same port number • This is also called Destination NAT or Static NAT -The Destination address is translated from a public IP to a private IP -Does not expire or timeout
Spanning Tree Protocol (Spanning Tree Protocol)
• 3 types of interfaces that are configured automatically through STP: -Root Port -Designated Port -Blocked Port • STP only has 1 root switch on any STP network -On all other switches, the 1 interface closest to the root switch is designated as the Root Port -The Root Port allows traffic to traverse through this particular interface -The other interfaces on the switch where traffic can traverse are called the Designated Ports -Any port on any switch that STP has decided to disable to prevent a loop, it is designated as the Blocked Port -Some traffic may take a longer path to get to its destination due to how the switches are configured by STP to prevent loops • When a switch fails or a link is disconnected, STP will reconfigure itself -It sends messages to the different bridges and reconfigures the links so that the communication can now exist on other parts of the network while still maintaining a loop-free environment
Cloud access security broker (CASB) (Cloud Services and Delivery Models)
• 4 main characteristics of a CASB • Provides a method of visibility -Determines what applications people are using in the cloud -Be sure that the right people have the right authority to use those applications • Provides a method of compliance -Are users complying with HIPAA? PCI? -Make sure to have CASB in place • Provides threat prevention -Allow access to only authorized users to prevent attacks -Make sure that only authorized users gain access to this application and this data • Provides data security -Ensure that all data transfers are encrypted -Protect the transfer of Personally Identifiable Information (PII) with Data Loss Prevention (DLP)
802.11 management frames (Wireless Deauthentication)
• 802.11 wireless includes a number of management features -Frames that make everything work; Connect and disconnect you from network -You never see them • Important for the operation of 802.11 wireless -Helps find access points, manage QoS, associate/ disassociate with an access point, etc. • Original wireless standards did not add protection for management frames -Sent in the clear across the network -No authentication or validation from where the data is coming from
802.11 channel bandwidths (Wireless Network Technologies)
• 802.11a - 20 MHz • 802.11b - 22 MHz -Both use very similar bandwidths -Modulation used for these two standards was slightly different • 802.11g - 20 MHz -Uses the same frequencies as 802.11b -Change in the modulation also changed the bandwidth for that particular standard which it used in the 2.4 gigahertz range • 802.11n -20 MHz or 40 MHz (two contiguous 20 MHz bonded channels) -Indicates with 802.11n running at 2.4 gigahertz, a 40 megahertz channel would use 80% of the available frequencies in the 2.4 gigahertz range. • 802.11ac -40 MHz channel bandwidth for 802.11n stations -It can increase to 80 MHz required for 802.11ac stations -160 MHz optional (contiguous channels or non-contiguous bonded channels)
WLAN - Wireless LAN (Common Network Types)
• 802.11 technologies • A Wireless LAN (WLAN) is usually inside of a building or a limited geographical area • Coverage can be expanded with additional access points so that a single wireless LAN covers a downtown area or large campus
Hub (Networking Devices)
• A Hub was available for early users of Ethernet over twisted pair cabling -Also referred to as a "Multi-port repeater" -Any traffic going in one port is automatically repeated to every other port -Makes for a very simple forwarding mechanism -Operates at OSI Layer 1 since there are no forwarding decisions to be made inside • Everything is half-duplex by default since all connected devices are sharing this network -You can't really have a full duplex connection to any other device on this network • As more devices are communicating more often, there will be an increasing number of collisions on this half duplex network -This means the more traffic increases, the less efficient this network will be • Hubs are only available if you are running a 10 megabit or 100 megabit ethernet network • Difficult to find today -Not really designed for today's high speed networks -No longer manufactured
Using a TDR/OTDR (Hardware Tools)
• A TDR or an OTDR can be an expensive investment -These are thousands of dollars for a piece of equipment that's able to perform these particular functions -Costly, especially for fiber • You're probably going to need additional training so that you know how to operate the equipment and understand the results that it's providing -Contains many features and has many metrics • But if you need some way to certify that your cables and your fibers are working as expected, this would be exactly the tool that you would use -Resolves your layer 1 issues quickly • You can validate everything about your installation and certify that all of your network connections will be working exactly to spec -Certifies your cable plant and validates the cable installation
VPN concentrator (Advanced Networking Devices)
• A VPN concentrator is a device we would install onto our network that would allow us to support VPNs, or Virtual Private Networks -This allows users on the outside of our network to communicate over the public internet but send that communication in encrypted form -When it's received by the VPN concentrator, it is decrypted and then put onto our local internal network • The VPN concentrator can be a standalone device -Encryption/decryption access device -Can also be integrated into most firewalls -The firewall is not only providing the security gateway to your network, but also acting as the endpoint for these VPN tunnels • For smaller implementations, you could create a VPN concentrator using software on an individual server instead of using dedicated hardware -You can use specialized cryptographic hardware -Or software-based options are available • You also need client software on the end station so that it can communicate with the VPN concentrator -Sometimes VPN software is built into the OS
Bridge (Networking Devices)
• A bridge was available in the early days of networking -It had a network on one side of the bridge and a network on the other side of the bridge -Imagine a switch with two to four ports -It made forwarding decisions in software based on the MAC addresses on both sides of that bridge • Bridges would be commonly used to connect two separate physical networks -The networks could be different topologies; we might connect an Ethernet network to a token ring network by putting a bridge in the middle -We could also use these bridges to connect similar topologies; we could take a very large Ethernet network and split it into two to minimize the number of collisions • This is an OSI Layer 2 device -Distributes traffic based on MAC address -Makes forwarding decisions based on the destination MAC address inside of a frame • An example of a modern bridge connecting different types of networks would be today's wireless access points -You would have a wireless network on one side of this access point and a wired Ethernet network on the other -These two types of topologies are being bridged
Cable broadband (WAN Services)
• A broadband wide-area network connection is one where you are using different frequencies to send data through that connection -Could even be using different frequencies for different data types • We commonly use broadband when we're connecting a cable modem to our traditional cable television networks -Data on the "cable" network -A standard known as DOCSIS, or Data Over Cable Service Interface Specification • High-speed networking -It is common to see throughputs of 4 Mbit/s through 250 Mbit/s -Gigabit speeds are possible in some areas • It can run multiple services -Supports data and voice over the same cable broadband connection
Text Records (TXT)* (DNS Record Types)
• A common resource record found in DNS is a Text Record, or TXT Record • Contains human-readable text information -Useful for public information -Valuable for 3rd party services that are accessing your DNS • SPF (Sender Policy Framework) is one example of a TXT Record -This TXT Record helps prevent spoofing of your domain name as emails are sent out over the internet -Other mail servers can check the text record and determine if incoming mail really did come from an authorized host • DKIM (Domain Keys Identified Mail) is another example of a TXT Record -Allows mail servers to digitally sign your outgoing mail -Validated by the receiving mail server to confirm that it was digitally signed by your mail server; not usually seen by the end user -Your public key is published in the DKIM TXT Record *see image for example*
DSL (WAN Services)
• A common type of wide-area network connection that we might find in our home is DSL, or more appropriately ADSL -ADSL stands for Asymmetric Digital Subscriber Line -A wide-area network that allows us to use our existing telephone lines as high-speed digital connections • The reason that DSL is asymmetric is because the download speed is faster than the upload speed -There's also a distance limitation associated with DSL; you can't go much farther than about 10,000 ft from the central office (CO) connection -Faster speeds may be possible if you are closer to the CO -It's common to see DSL advertised as having speeds of 52 Mbit/s downstream and 16 Mbit/s upstream, but those speeds vary depending on how far away you are from the central office
UDP - User Datagram Protocol (Introduction to IP)
• A connectionless protocol -No formal open or close between devices to start the connection • An "unreliable" mode of communication -There is no error recovery -Does not reorder the sent data or perform any re-transmissions of lost data • No flow control -The sender determines the amount of data to be transmitted
TCP - Transmission Control Protocol (Introduction to IP)
• A connection-oriented protocol -It makes a formal connection between devices to set up the data transfer -Once the transfer completes, the connection between devices is formally terminated -TCP Data to begin, TCP Ack to end • It is a "reliable" mode of communication -Can recover from errors -Manages out-of-order messages and re-transmits lost data -Manages flow control • Flow Control -The receiver can manage how much data is sent -It speeds up or slows down the traffic flow
Denial of service (Denial of Service)
• A denial of service is when the bad guys take a service that's normally available and make it unavailable for you and everyone else -They're causing a particular service to fail -Overloading the service • There are lots of ways to do this. One way is to take advantage of a vulnerability, maybe a design failure in a particular piece of software -This is why we always tell you to patch your applications and patch your OSs -Because if there's a problem in that OS that can cause it to crash, the bad guys could take advantage of that and cause a denial of service • Sometimes a denial of service is just an overwhelming of a service -The service is working normally. There are no vulnerabilities. There are no security patches required -It's just so many people hitting a site all at once that the service is denied -Causing a system to be unavailable could be for a competitive advantage • This could also be a smokescreen for other problems or exploits -For example, someone could cause a denial of service to a DNS server -That way the bad guys can create their own DNS servers to control where people are going • This doesn't have to be a complicated method -It could be something as simple as turning off the power to a building. That would certainly cause a denial of service
Differential Backup (Backup and Recovery)
• A differential backup -A full backup is taken first -Subsequent backups contain data changed since the last full backup -These usually grow larger as data is changed -A restoration requires the full backup and the last differential backup • An example of a differential backup -Perform the full backup Monday • On Tuesday, we take a differential backup of everything that's changed since the last full backup • On Wednesday, we take another backup of everything that's changed since the last full backup • On Thursday, we take another backup of everything that's changed since the last full backup • With each differential backup, we are backing up everything that's changed since the last full backup -We are backing up everything on Wednesday that was also backed up on Tuesday. And on Thursday, we back up everything that was also backed up on Wednesday and Tuesday -There is a little bit of redundancy in these differential backups • The benefit is when you have to recover the system -Instead of taking all of the differential backups throughout the week, you simply need the full backup that was created on Monday and the last differential backup that contains all of the differences since the last full backup -In this case, Thursday's differential backup
DNS Amplification DDoS (Denial of Service)
• A distributed denial of service attack usually starts with someone in command of a botnet -They send a message in to the botnet, usually through some type of centralized messaging service -All the bots in the botnet are listening to see if there are any commands to be run. When the commands are sent in, the bots receive them and begin to act • This particular DNS amplification denial of service sends requests to open DNS resolvers that might be out on the internet -But it spoofs the source of the request -Instead of coming from the botnet, the request is spoofed to say that it really came from the web server • The bots send those requests in, and they might go to multiple DNS resolvers -Since they're asking for the DNS key or some other large piece of information, that very small request ends up producing a very large response -Because the request was spoofed from the web server, the large response goes to the web server -So they were able to send a little bit of information into a DNS server, get a relatively large response, and easily bring down this web server with a distributed denial of service attack
Distributed Denial of Service (DDoS) (Denial of Service)
• A distributed denial of service is one where the service is being denied because the attack is coming from many places all at the same time -There could be an army of bots that have been programmed to take down a website -It becomes almost impossible to stop all of these, because there are so many different places that they're coming from -Uses all the bandwidth/resources, such as with a traffic spike • This is why the bad guys have spent so much time infecting these computers with bots -So they can then control them and tell them exactly where they'd like them to go -Thousands or millions of computers at their command -At its peak, the Zeus botnet infected over 3.6 million PCs -An attack can be coordinated • One characteristic of a DDoS attack is that it is an asymmetric threat: the people doing the attacking often don't have anywhere close to the resources of the person being attacked -But because so many different devices are all doing this at the same time, they take advantage of their strength in numbers to cause a problem for the person being attacked
VLAN Trunking example (Network Segmentation)
• A frame starts off on VLAN 200 on Switch 1 -It needs to communicate with a device located on Switch 2 -The frame is sent to the .1Q interface on Switch 1 -The VLAN information is added into the frame and it's sent across the TRUNK to Switch 2 -Switch 2 then receives the frame and removes the VLAN tag -The frame is then placed back on the network and sent to the appropriate VLAN
File hashing (Device Hardening)
• A hash is a short string of text that's created by running an algorithm against a data source -We call this short string of text a message digest -If anything is changed in the original data, the message digest will also change • Another important characteristic of the hash is that the message digest is unique to the data -We know that if the data changes, the message digest will change -But we also know that no other combination of data will create the same message digest • This allows us to perform integrity checks on data that we may have downloaded -For example, you can go to the Ubuntu site and download a Linux distribution -On the Ubuntu site, they provide the name of the file that you're downloading and a hash that's associated with that file -You can then download that file, run the same hashing algorithm on your computer, and compare it to what's posted on the website -If those values are identical, then you know that you've downloaded an exact duplicate of what exists on the website • Can be used to verify a downloaded file (integrity) -Hashes may be provided on the download site -Compare the downloaded file hash with the posted hash value
Collision Domains (Broadcast Domains and Collision Domains)
• A historical footnote -It's difficult to find a collision these days because we use full-duplex Ethernet -The word "collision" is misleading; this is expected on half-duplex Ethernet networks • The network is one big segment -Everyone hears everyone else's signals -Similar to one big conference call, only one can talk at a time • Only one station could "talk" at a time -Carrier Sense Multiple Access (CSMA) is the process of stations listening to the network to see if they can communicate • When two stations spoke at the same time, there was a collision -Collision Detection (CD) would send the jam signal and then attempt to re-transmit
Hot site (Recovery Sites)
• A hot site is the most expensive of these options -It is an expensive recovery option -This is an exact replica of everything -There's a duplication of servers, of software, and of data • It would be completely stocked with an exact representation of the live systems -It would always be updated with the latest software and all of the latest data -You are effectively buying two of everything -When you buy it for the existing data center, you would also buy it for the hot site • In many hot sites, there's an automatic replication that occurs -Automated replication • If there was a sudden need to send everybody over to the hot site -All of the data would be updated and all of the software would be at the latest version -You would need to flip a switch and everything would move to the hot site -Customers would have no idea there was any change to the hot site
Copper (WAN Transmission Mediums)
• A large percentage of our wide area networks use copper as the communications medium -It is relatively inexpensive -Very easy to install and maintain • Copper does come with a bandwidth limitation when compared to fiber -Limited bandwidth • Many wide area networks, such as cable modems, DSL, T1, and T3, all use copper for the local loop or final mile to the user • Most wide area network connections are a combination of fiber and copper -Copper may be provided to you as the end user, but there may be fiber communication within the backbone of the network provider
Logic Bomb (Logic Bombs)
• A logic bomb is a very specific kind of malware that's waiting for an event to occur -When that event occurs, it's usually something devastating that happens -That's why it is called a bomb, because it usually deletes or removes information from systems -This is something that's often left by somebody who has a grudge -Maybe it's someone who was fired from an organization or somebody who would like to do harm to another organization • These are often time bombs, where the malware waits for a particular date and time to occur -And that's when the bomb goes off • Or it may be based on something that a user does -e.g. it'll be waiting for a backup process to occur and then the bomb goes off • This is very difficult to identify, because it won't match a known signature in anti-virus or anti-malware software -It's usually installed by somebody who has administrative access to the system -Difficult to recover if it goes off
Configuring IPv6 with a modified EUI-64 (Assigning IPv6 Addresses)
• A method that allows all devices on the network to automatically configure themselves with a static IPv6 address -Static addressing can be useful to communicate worldwide -The IP address never changes • This process is based on the other address of the workstation that never changes -The MAC address of the Network Interface Card • This requires a modification of the MAC address to create a static IPv6 address -This is called the Extended Unique Identifier (a 64-bit value) • This combines a 64-bit IPv6 prefix and the MAC address (with the MAC address being 48 bits long) -This requires some extra bits -And a minor change to the MAC address to create the 64-bit EUI
Real-world logic bombs example 2 (Logic Bombs)
• A more dangerous logic bomb occurred on December 17th, 2016 at exactly 11:53 PM -It was in Ukraine at a high voltage substation, where a logic bomb began turning off the electrical circuits in the electrical system • It got into the systems that were controlling whether power was being provided to particular parts of Ukraine -And began disabling those power systems at a pre-determined time • This logic bomb was specifically written for the Ukraine SCADA networks -These are the Supervisory Control and Data Acquisition networks that control the infrastructure for electricity • Normally those types of systems are completely disconnected from anything else -So this became a very difficult problem to solve and to prevent any type of logic bomb from occurring in the future
MPLS - MultiProtocol Label Switching (WAN Technologies)
• A much more modern wide area network technology is MPLS -MPLS stands for MultiProtocol Label Switching • The best was taken from Frame Relay and ATM topologies to build MPLS -Learned from ATM and Frame Relay -Kept the advantages, ditched the disadvantages • In a method similar to Frame Relay, MPLS data (packets) is placed onto the WAN with a label that designates the destination -This makes routing decisions easier for the provider as it routes that traffic through the core of the network • Many types of traffic can be sent over MPLS -Any transport medium, any protocol inside -They can be IP packets, older ATM cells, or even Ethernet frames • MPLS has become a very common way of providing wide area network connectivity -Ready-to-network -Easy to find services and hardware that can support an MPLS network
Multilayer switches (Advanced Networking Devices)
• A multilayer switch can provide multiple functions on a network -It can act as a switch (Layer 2) and forward traffic based on MAC addresses -It can also act as a router (Layer 3) and forward traffic based on the layer 3 addresses in the same physical device -These functions are often bundled together and marketed as a single device -It is often referred to as a Layer 3 switch • The two functions work independently inside this individual chassis -Switching still operates at OSI Layer 2, routing still operates at OSI Layer 3 -We've effectively taken two different devices, a switch and a router, and simply combined them within the same chassis
Canonical Name Records (CNAME) (DNS Record Types)
• A name that is an alias of another, canonical name -Can have one physical server with multiple services -This is where you would add the alias to something that already exists -You may want to associate a number of different names with an existing device. In those situations, you may want to use a canonical name record, or CNAME record • The DNS server will recognize that this is a canonical name -It will associate it with the primary name of this device and then perform the proper lookup *see image for example*
MAN - Metropolitan Area Network (Common Network Types)
• A network in your city -Connects two locations in a large city -Larger than a LAN, often smaller than a WAN • Locations these days are connecting through Metro Ethernet -The end stations would simply receive an Ethernet connection on both sides of the connection • Common to see government ownership since they "own" the right-of-way -It is easy to put fiber in the ground and connect all of their locations together using a MAN
LAN - Local Area Network (Common Network Types)
• A network inside a building or in a group of buildings -High-speed connectivity • Two common types are Ethernet networks and 802.11 wireless networks -If you are using a network with slower bandwidth than Ethernet or an 802.11 network, then it isn't a local area network
Jumbo frames (Network Storage)
• A normal Ethernet frame can support 1,500 bytes of payload -If we are sending and receiving so much traffic to a storage area network, then we might want to increase the size of these frames -A way to do this is to enable jumbo frames on the network • Jumbo frames are Ethernet frames with more than 1,500 bytes of payload -It allows you to transfer 9,216 bytes of data within a single Ethernet frame -Although it's common to configure 9,000 so it's more compatible with the 1,500 bytes of payload -This is about six times more efficient due to being able to fit so much data within a single Ethernet frame • This is going to increase the efficiency of the traffic we're sending through the network -The data within the packets is larger -Fewer switching or routing decisions due to sending fewer packets through the network • One catch is that all of the devices on the network between you and the storage area device have to support these jumbo frames -There is usually a configuration option within the switch and the operating system to turn on this ability -Not all devices are compatible with others
Managing DHCP in the enterprise (DHCP Addressing Overview)
• A number of challenges you have to deal with -Limited communication range -Uses the IPv4 broadcast domain -Broadcasting stops at a router • A way is needed to have centralized DHCP servers -But still be able to handle DHCP requests for the different subnets on the network -Multiple servers will be needed for redundancy -To support different locations • Scalability is always an issue -May not want (or need) to manage DHCP servers at every remote location -Common to have DHCP servers located on different IP subnets • You're going to need a little help(er) -Can send DHCP requests across broadcast domains -Routers can be configured to allow DHCP Relay -Also known as IP Helper -This takes the broadcast that is normally stopped by the router and converts it to a unicast that can then be sent to the DHCP server
DMVPN - Dynamic Multipoint VPN (WAN Technologies)
• A popular Cisco WAN technology is the DMVPN -DMVPN stands for Dynamic Multipoint VPN • Commonly found on Cisco routers • Your VPN builds itself -Remote sites communicate with each other -It connects the network and decides when and where it would like to connect to other locations -It effectively has all of the sites build their own VPNs as needed • These tunnels are built dynamically and on-demand -It all depends on which locations need to speak with another location -Creates a dynamic mesh • e.g., It is common to have a main office and multiple remote sites, and you might want to connect your main office to each individual remote site -But what if one remote site wanted to talk to another? -In this scenario, they would have to communicate to the main office and then back down to the remote site -With DMVPN, those sites can dynamically build a connection between each other, send the communication they'd like to send, and then tear down the connection -This means that any of the remote sites can send data to any of the other remote sites in the most efficient way possible
Proxies (Advanced Networking Devices)
• A proxy is a security device that sits in the middle of the communication between the users and the external network that they're accessing • The proxy receives the request that the users make and then makes that request on their behalf to the service that's on the outside of the network -It then receives the response to that request, examines it, and makes sure there is nothing malicious inside of it -It then sends the response down to the users • It is common to use proxies for URL filtering, access control, and content scanning -It can also be used to cache information to improve the overall performance of the network communication • If the organization is using an explicit proxy, then the applications have to know how to use that proxy to be able to communicate to the outside -Those applications have to be specially written so that they're able to take advantage of this proxy technology • A more common proxy is a transparent proxy -With a transparent proxy, the applications don't have to be written a certain way -The users don't even know the proxy is there -The users simply browse to the internet as usual, and the transparent proxy intercepts that communication -The proxy then makes the request on their behalf and receives the response. It examines the response, and if everything looks good, it provides the response to the end user
Punch-down Tool (Hardware Tools)
• A punch-down tool is the device that pushes the cable into those sharp connections on the punch-down block and locks those wires in place -It "punches" a wire into a wiring block -You would use this with a 66 block or a 110 block, most commonly on today's networks • This can be very tedious to do, because you have to put every individual wire into each connection on the punch-down block -And then manually punch down every single one of those • While punching this wire into the block, you would not only push the wire into the block, but also trim off any excess -Trims the wires and breaks the insulation -As long as you have all of your wires lined up, you can very quickly punch down all eight connections for a single Ethernet drop
Router (Networking Devices)
• A router forwards traffic between IP subnets -Makes forwarding decisions based on the destination IP address within the IP packet -If it's a switch, then we're making forwarding decisions based on a MAC address • An OSI Layer 3 device -Routers inside of switches are sometimes called "layer 3 switches" -That's why routers are referred to as Layer 3 devices and switches as Layer 2 devices • Routers will often connect different types of network topologies -LAN, WAN, copper, fiber -e.g. On one side, you might have an Ethernet network running over fiber, and on the other side of the router, it might be a wide area network that's running over copper
IGP (Interior Gateway Protocol) (IGP and EGP)
• A routing protocol used to route between internal networks -Used within a single autonomous system (AS) • Not intended to route between autonomous systems outside our control -That's why there's Exterior Gateway Protocols (EGPs) • IPv4 dynamic routing protocols for IGP are: -OSPFv2 (Open Shortest Path First) -RIPv2 (Routing Information Protocol version 2) -EIGRP (Enhanced Interior Gateway Routing Protocol) for Cisco Networks • IPv6 dynamic routing protocols for IGP are: -OSPFv3 -RIPng (Routing Information Protocol next generation) -EIGRP for IPv6
Opens and shorts (Wired Network Troubleshooting)
• A short circuit is two wires that are touching each other -If someone has bent an Ethernet cable, you may find that there is a short inside of that bend • An open is when the cable has been broken completely -No signal is going to be able to make it through an open circuit • With an open circuit, there's obviously no communication that can occur across that open -But if it is a bent cable that's constantly moving, you may find there's intermittent connectivity with that short circuit
Incorrect host-based firewall setting (Network Service Troubleshooting)
• A similar problem might occur if the application is being filtered on your device by a host-based firewall -A firewall administrator may be able to configure not just a port number, but the application name itself, to filter that traffic -Can be filtered based on the application in use and not necessarily the protocol and port • Check the host-based firewall settings if available, but accessibility may be limited to an administrator only -In environments where the host-based firewall is managed from a central console, you may not have access to view firewall information -So you may need to document exactly what application you need to use, and provide that information to the firewall administrator • In these scenarios, you may want to perform a packet capture from an external device so you can see exactly the traffic that's leaving that computer and the traffic that's coming back -The traffic may never make it to the network or may be dropped by the operating system
Default route (Static and Dynamic Routing)
• A special kind of static route • A route configured inside the router that says when no other route matches, send the traffic this way -Also referred to as the "gateway of last resort" • A common configuration would be at a remote site where there is only one route to send traffic in and one route to send traffic out -The router does not make any forwarding decisions with the traffic. If the traffic is coming from the outside, it sends it to the inside. If traffic is coming from the inside, it sends it to the outside • Can dramatically simplify the routing table if your network has many external and internal routes -Instead of listing out all the external routes, you could simply add a default route and send all the traffic externally whenever it didn't match anything on the inside -Works in conjunction with all other routing methods
1000BASE-T Straight-through cable (Copper Termination Standards)
• A straight through cable for 1000BASE-T (1Gb) is different -The straight through cable will use all four pairs inside of the cable -Does not have dedicated transmit and receive pairs -You are able to both send and receive traffic through a 1000BASE-T connection on the same wires at the same time -Much different than dedicating a transmit and a receive pair; instead, it is possible to send traffic in both directions simultaneously
IR (InfraRed) (Internet of Things Topologies)
• A technology that's been around for a very long time -It has also been integrated into our smartphones, tablets, and smartwatches -Not really used for file transfers and printing (as in the past) • The common use today is for controlling your entertainment center -Many IR options
Plenum-rated cable (Copper Cabling)
• A traditional cable will have a jacket around it made of PolyVinyl Chloride (PVC) • If placing cable in a plenum, you will have to use a fire-rated cable jacket -A cable made of Fluorinated Ethylene Polymer (FEP) -Or a low-smoke polyvinyl chloride (PVC) version • PVC is relatively flexible -Fire rated or plenum rated cable may not be as flexible -May not have the same bend radius • Worst case planning -If you are planning to put anything in an area where there could be a concern with fire, then you'll probably want to use a plenum rated cable
Circuit switching examples (Circuit Switching and Packet Switching)
• A traditional telephone service is an example of a circuit switched network • Often referred to as a POTS (plain old telephone service) line, or also as the PSTN (public switched telephone network) • Another type of circuit switching network is a T1 or a T3, or outside of the US an E1 / E3 -These types of WAN connections create a circuit between two sites -It is always there and available between the two connections • Integrated Services Digital Network (ISDN) is another example of circuit switching -An ISDN modem calls another ISDN modem -Uses a phone number to call another ISDN modem -Always available until the connection is cut off
Duplex communication (Network Transceivers)
• A traditional transceiver provides duplex communication • A particular transceiver can have two interfaces for two fibers -One fiber is to transmit and the other fiber is to receive
Transceiver (Network Transceivers)
• A transceiver is a device that is both a transmitter and a receiver -Usually in a single component • It is commonly used in networking as a modular interface -You can add a transceiver for additional interfaces on a switch • It could allow you to connect to the switch with fiber connections -They could be single-mode or multi-mode fiber -You can choose exactly the type of interface that is needed when using these transceivers -There are many different types and designs
Packet filtering (Access Control Lists)
• A type of ACL -It is a way to allow or deny traffic flow to a certain part of the network -ACLs can work in conjunction with NAT to determine what IP addresses need to be translated -Or maybe we're using ACLs with QoS so we know exactly what type of traffic flows need what type of priority • Common to see ACLs configured on a router interface -ACLs can be configured to apply to ingress traffic, egress traffic, or both • Some ACLs can be very specific -You can evaluate on certain criteria to allow or deny that traffic -Criteria such as source IP address, destination IP address, TCP port numbers, UDP port numbers, ICMP, or anything else within that particular packet that may allow you to make a decision on whether you're going to allow or deny that traffic • Can deny or permit traffic through the router interface when the ACL criteria match the traffic -If the traffic matches that particular combination, we can decide to either deny or permit that traffic to flow through that router interface • ACLs have evolved through the years -More options and features will be available for traffic filtering as these devices become more intelligent
Fibre Channel over the data network (Network Storage)
• A type of Fibre Channel network that does not require any specialized hardware -Does not require a Fibre Channel switch if you are planning to use Fibre Channel over Ethernet (FCoE) -Uses Fibre Channel over an Ethernet network -No special networking hardware needed -Usually integrates with an existing Fibre Channel infrastructure -Because it is done at the Ethernet frame level, this is not routable traffic -This does allow the use of the Ethernet card that's in the device rather than using a Fibre Channel adapter • If the storage and the devices that need access to that storage are located on different IP subnets, consider using Fibre Channel over IP (FCIP) -Encapsulates Fibre Channel data into IP packets -It effectively tunnels the Fibre Channel traffic within existing IP packets -Geographically separates the servers from the storage
PDU (Protocol Data Unit) (Protocol Data Units)
• A unit of transmission that is sent by a protocol at a particular OSI layer -A different group of data at different OSI layers • A switch operates on the Ethernet PDU -Ethernet operates on a frame of data -The switch has no idea what's inside the data • Same rules apply if a router is forwarding traffic -IP operates on a packet of data -Inside is TCP or UDP, but IP doesn't know that • If working with a TCP PDU, it would be called a TCP segment • If working with a UDP PDU, it would be called a UDP datagram
pathping <ip address> (Command Line Tools)
• A utility that combines both ping and traceroute and adds some additional functionality -Included with Windows NT and later • There are two phases to pathping • First phase runs a traceroute -Builds a map between you and the other device • Second phase -Measures round trip time at every link along the way and packet loss at each hop • This takes a little bit of time to run -But the results provide you with a nice view of how traffic may be flowing between each individual path along the way
RADIUS (Remote Authentication Dial-in User Service) (Advanced Networking Devices)
• A very common protocol used for AAA (triple-A) services is RADIUS -Stands for Remote Authentication Dial-in User Service -One of the most popular authentication protocols, and it's used for much more than just dial-in -One of the more common AAA protocols -Supported on a wide variety of platforms and devices • The RADIUS protocol may be used to authenticate users: -To gain access to routers, switches, firewalls -To gain access to servers; used for server authentication -To gain remote VPN access -To gain access to 802.1X networks (wireless) • RADIUS is one of the most popular authentication protocols, and you'll see it used across a number of different services and operating systems
Warm site (Recovery Sites)
• A warm site might give you just enough to get going -Somewhere between a cold site and a hot site • There might be a big room with rack space -The hardware will need to be brought in -Or there may be hardware already ready to go • All that is needed is to bring all of the information in and load it onto existing systems to get up and running -You bring the software and data • You would still need to bring your own people -But at least you would have something to start with when recovering your systems
It started as a normal day (Wireless Deauthentication)
• A wireless deauthentication/disassociation attack is a bad one. -You're wandering along on your wireless network, you're using the network normally. And then suddenly the wireless network is gone. It's simply not there anymore, and your device is now looking for another wireless network • And then maybe you gain access to your wireless network again, and then you drop off of the network again. • It's very difficult to stop a wireless disassociation attack -There's (almost) nothing you can do -The only thing you can really do is to get a very long patch cable • This is obviously a very significant denial-of-service attack -And in the right situation, someone can keep you off the wireless network indefinitely
ATM - Asynchronous Transfer Mode (WAN Technologies)
• ATM stands for Asynchronous Transfer Mode -A common protocol transported over SONET -A way of communicating over a SONET network • ATM didn't use frames or packets -It used 53-byte cells -Every bit of data put onto an ATM network was 53 bytes in length, spaced evenly apart -48 bytes of data, 5-byte routing header • This provided high throughput, real-time communication, and very low latency because you knew exactly when the next 53-byte cell would come through the network -Data, voice, and video • ATM speeds had a maximum of OC-192 -Or about 10 gigabits per second -Extremely fast communication speeds at the time -These speeds were often limited by the Segmentation And Reassembly (SAR) that had to occur -That's because Ethernet frames are much larger than the 53-byte cells -Ethernet frames had to be split into smaller pieces, placed onto the ATM network, and then reassembled into frames on the other side
Incorrect ACL setting (Network Service Troubleshooting)
• Access Control Lists can provide extensive security options -You may find that they're blocking some traffic from getting through, while other traffic is able to flow properly • If you were to look at the Access Control List, you can see there are a number of different filtering options -You can filter by IP address, port number, and many other options/parameters as well -And you can allow or deny traffic based on a combination of these criteria or by filtering packets • If you're trying to determine if an Access Control List may be blocking your traffic, you can perform a packet capture so you can see exactly what traffic you're trying to send and what traffic is being received -You might also want to use a traceroute utility that allows you to customize the TCP or UDP port number. This would allow you to send traffic into the network, and you'd be able to tell at exactly which hop the traffic is stopping
Document findings (Network Troubleshooting Methodology)
• After the problem has been resolved, this is a perfect time to document the entire process from the very beginning to the very end -You'll of course want to provide as much information as possible, so if somebody runs into this issue again, they can simply search your knowledge base, find that particular error that popped up, and know exactly the process you used to solve it last time -Don't lose valuable knowledge -Provide as much information as possible • Many organizations have a help desk with case notes that they can reference -Or you might have a separate searchable knowledge base or wiki that you create where all this important information is stored for the future • A document that was created a number of years ago but still shows the importance of keeping this documentation over time is from Google Research -They documented the failure trends in a large disk drive population -And because they were keeping extensive data over a long period of time, they were able to tell when a drive was starting to fail based on the types of errors that they were receiving -Being able to store all of this important information, and being able to go back in time to see what happened, becomes a very important part of maintaining a network for the future -http://professormesser.link/drivefail
Directional antennas (Wireless Network Technologies)
• Allows you to focus the signal in a particular direction -Increased distances • Send and receive in a single direction -Focused transmission and listening -Used in case you need to send information between buildings or you have an access point at one end of a hall and you need to provide signal across the rest of the hallway • Antenna performance is measured in dB -Double power every 3 dB of gain • A Yagi antenna is a high-gain directional antenna -It is a single antenna with multiple reflectors along the side that allow you to focus the signal • A parabolic antenna is another type of directional antenna -Focuses the signal to a single point -Reflects a signal off of a curved surface into a single feed horn, giving you a very good way to have a directional signal between two devices
Wireless networks everywhere (Advanced Networking Devices)
• Almost every organization has a wireless network -It is usually one that extends everywhere you go once inside the facility -There are usually many access points deployed within the organization, not just a single access point • The access points may extend to multiple buildings and not even be in the same building -Might have one (or more) at every remote site • Wireless network configurations may change at any moment -Changes such as access policies, security policies, and the configuration of the access point itself • The wireless network should be seamless for the end users -They should be able to connect to the wireless network with their normal credentials -And be able to communicate with all of the services they need on your network -Seamless network access, regardless of the role
802.11b (802.11 Wireless Standards)
• Also an original 802.11 standard -Released in October 1999 • Operates in the 2.4 GHz frequency range • Runs at 11 megabits per second (Mbit/s) • Better range than 802.11a -Fewer absorption problems -2.4 GHz frequencies bounce off of objects, rather than being absorbed • More frequency conflicts with 802.11b, from devices such as: -Baby monitors, cordless phones, microwave ovens, Bluetooth
NAT Overload / PAT (Port Address Translation) (Network Address Translation)
• Also called a source NAT, because it is performing a network address translation on the source IP address • An extension to Network Address Translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses • Source NAT performs a NAT on the source IP address -It adds its own port number to the source IP when leaving for the public network -It then adds the mapping to its NAT table -The NAT table contains the private address and the external NAT'ed public address and port
802.1Q trunking (Network Segmentation)
• Also known by its abbreviated form, .1Q trunk • How the trunk information works: -Takes a normal Ethernet frame: Preamble > SFD > Destination MAC > Source MAC > Type > Payload > FCS -Adds a VLAN header in the frame when sending information over a trunk to identify where the frame is coming from and where it is going -Preamble > SFD > Destination MAC > Source MAC > VLAN > Type > Payload > FCS • VLAN IDs - the ID is 12 bits long, which allows for 4,094 possible VLANs on this particular trunk -Some devices like Cisco switches will separate them into "normal range" VLANs - 1 through 1005 and "extended range" VLANs - 1006 through 4094 -Other devices will use all the numbers inclusive between 1 and 4094 -Know that 0 and 4,095 are reserved VLAN numbers and cannot be specified as separate VLANs on the switch • Before 802.1Q, there was an older protocol called ISL (Inter-Switch Link) -ISL is no longer used; everyone now uses the 802.1Q standard
Patch Management (Device Hardening)
• Although many of the infrastructure devices you are using have their own OSs, you probably still have management workstations and SIEMs that are running Windows, Linux, or something else that's very common -For those OSs, we want to be sure to apply all of the latest patches -This will not only keep your system more stable, but it will, of course, provide security patches/fixes for any known vulnerabilities -Incredibly important • Sometimes in Windows, for example, you can get a service pack that applies a large number of patches at once • Or you can keep up with the monthly updates that Microsoft provides, where all of the latest security patches are made available -Incremental (but just as important) • Sometimes security patches may be released outside of that normal monthly cycle -These emergency out-of-band updates usually address very important security issues that need to be resolved -These are zero-day and other important security discoveries
802.11g (802.11 Wireless Standards)
• An "upgrade" to 802.11b -Released in June 2003 -Similar to 802.11b • Operates in the 2.4 GHz frequency range • Throughput was increased to 54 megabits per second (Mbit/s) • Similar to 802.11a (but a little bit less throughput) • It is backwards compatible with 802.11b -If you installed an 802.11g access point, it could very easily also accommodate 802.11b clients • Also had the same frequency conflict problems as 802.11b -Still communicates in the 2.4 GHz frequency range
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) (Advanced Networking Devices)
• An IDS or an IPS is an intrusion detection system or intrusion prevention system -These devices are placed on the network to monitor the communication going in and out of the network -It watches network traffic • These are specifically looking for intrusion security events -They are looking to see if someone is trying to perform an exploit against an operating system or an application, etc. -Or someone who might be trying to perform a buffer overflow, cross-site scripting, some type of data injection, or exploit other vulnerabilities • There are two different flavors of these devices: detection vs. prevention -The intrusion detection system is designed to alert when these types of problems occur -Does not actively block traffic going through the network -An intrusion prevention system is designed not only to identify these security issues, but also to block them from entering the network
APIPA - Automatic Private IP Addressing (Assigning IPv4 Addresses)
• An IP address that gets assigned when no DHCP server is available • Also called a link-local address -This IP is not forwarded by any routers -A device cannot communicate through a router -It can still communicate with other devices on the same local IP subnet • IETF has reserved 169.254.0.1 through 169.254.255.254 -The first and last 256-address blocks are reserved -The functional IP addresses that would be on a device are 169.254.1.0 through 169.254.254.255 • This IP address is automatically assigned -Uses ARP to confirm the IP address isn't currently in use on its subnet and assigns it when no one responds
TACACS (Terminal Access Controller Access-Control System) (Authorization, Authentication, and Accounting)
• An alternative to RADIUS would be TACACS -TACACS stands for Terminal Access Controller Access-Control System • This is another remote authentication protocol very similar to RADIUS -This was created to provide access to dial-up lines on the older ARPANET • Cisco took this TACACS configuration and created a customized version of it for Cisco devices called Extended TACACS or XTACACS -This extended a number of the features of TACACS to include additional accounting and auditing functions • If you're using TACACS to provide authentication, you're probably using TACACS+ -This is the latest version of TACACS, and it's not backwards compatible with any of those other versions -More authentication requests and response codes -Released as an open standard in 1993 -You can find TACACS+ services for many OSs that work across many different services
Labeling (Network Documentation)
• An example of a standard layout -Could decide on different colors to use for different tags for your labels -Some might be demarcation point cables; network connections might be green, and station termination might be colored blue -Everything is tagged and labeled • You can also use a standard port labeling format so that you could reference an individual port that might be in a particular building -e.g.: CB01-01A-D088 -CB01 is the abbreviation for the main facility -01A is floor 1, space A -D088 would be the interface itself, data port 88 -By having that entire label, it can be referenced and handed to a third party and they know exactly what port you're referencing • It is very easy these days to document and keep a database of all of this information -If anybody needs to know the exact number of ports that may be in a particular building or on a particular floor, that information can be available very quickly
802.11n (802.11 Wireless Standards)
• An update to 802.11g, 802.11b, and 802.11a -Released in October 2009 • It operates at 5 GHz and/or 2.4 GHz -40 MHz channel widths were much larger than previous versions of 802.11 • 802.11n can support throughputs of up to 600 megabits per second (Mbit/s) using the 40 MHz mode and 4 antennas sending multiple streams of data simultaneously • 802.11n was the first version to use Multiple-Input Multiple-Output (MIMO) -MIMO allows you to send multiple streams of information over the same frequency -This requires multiple antennas and radios to be able to send that data
Door access controls (Physical Security)
• One of the oldest types of physical security is a door lock -This could be a conventional lock that uses a key to open and lock the door • This might include a deadbolt to provide even more physical security -Physical bolt • In many organizations, we're now using electronic locks with keyless entry -So we might put a code into a door that would then unlock that particular room • Many organizations are also using token-based locks -This may be a magnetic swipe card or proximity card, and the particular ID on that card determines whether that door is unlocked or remains closed • And in some organizations, you can also use the same smart card you use to authenticate to your computers as a way to authenticate through a locked door -Using a smart card and PIN
SSL VPN (Secure Sockets Layer VPN) (Remote Access)
• Another VPN type that's commonly used for end-user VPN access is an SSL VPN -Instead of using IPsec to provide the encryption, we're using SSL, which commonly runs over TCP port 443 -Since SSL is such a common protocol, most firewalls allow this traffic to pass without any additional configuration -Avoids running into most firewall issues since SSL is a common protocol • SSL VPN clients are often built into your operating system -They are thin clients and usually don't require a lot of resources on your computer • SSL VPNs can also use a simple username and password to authenticate users -There's no requirement to set up shared passwords or digital certificates like you might see in IPsec • Support for SSL VPNs is found in many different operating systems -And there are many implementations of SSL VPNs that can run from inside of a browser
Remote desktop access (Remote Access)
• Another common remote access technology is remote desktop -It's one where we can sit at our desk and connect to and see the desktop of another device across the network • One common protocol for remote desktop is RDP -That stands for Microsoft's Remote Desktop Protocol -Not only are there clients for Microsoft Windows, there are also RDP clients for Mac OS, Linux, and other OSs • VNC (Virtual Network Computing) is another remote desktop technology -It uses the Remote Frame Buffer (RFB) protocol -There are VNC clients for many different OSs -Many of those clients are free and open source • The remote desktop functionality is very useful if you need to troubleshoot and maintain devices across the network -But we've also seen this remote desktop technology used by scammers who will connect to your system, look into your computer, tell you that there is a problem, and then ask for your credit card number -But of course, no problem would exist on your system. Their remote desktop efforts simply make it appear as if there are problems with your computer
Disabling unused TCP and UDP ports (Device Hardening)
• Another good best practice for application hardening and system hardening is to only allow network communication to the applications that require it -One way to do this is to provide some type of content filtering of the packets going back and forth -Control traffic based on data within the content • A common way to do this is to restrict the data based on a TCP port number or a UDP port number -TCP and UDP filtering -Use a firewall to allow or restrict port numbers -This way, another application couldn't suddenly be installed in your system and be able to communicate over a port number that you're not using • It's very common to add this network filtering on a system using the personal firewall or software-based firewall that's already installed in that operating system -Or you may have an appliance that's on the network and examining all traffic going through to be able to make these filtering decisions for all devices
Baselines (Network Documentation)
• Another good piece of ongoing documentation is a baseline of how the network is operating • With this baseline we're able to understand the normal utilization for the network -What the normal application response times might be -And what type of normal network throughput we would see at certain times of the day • From this point, we can look at what's happening now and compare it to what happened in the past -It can be used as a point of reference; accumulated knowledge -We can plan when we're going to hit certain thresholds based on the activity we've seen in the past; examine the past to predict the future -Useful for planning; might help with the budgeting process -Can view usage by day, week, month, or year, which can give you an idea of how to adjust resources accordingly; you may not want to increase the overall bandwidth available on a network connection and pay the extra money until exactly the point it's needed by the organization
Network / port scanner (Software Tools)
• Another good software tool for any network administrator is a good port scanner -It will actively scan an IP address or a range of IP addresses and find all of the open ports that may be available on those devices -More advanced scanners can tell you what type of operating systems, services, etc. are running on the device • You can pick a range of addresses to see who might respond to the scans that you're running • Some of these port scanners can build graphical representations of the results so you can visually see exactly what the port scanner found -Visually maps the network -Gathers information on each device -IP, operating system, services, etc. • These port scanners are very good at finding and querying devices -If you're concerned that there may be a rogue device on the network, these port scanners are very good at locating it -It's difficult to hide from a layer 2 ARP • One of the most popular port scanners in the world is Nmap and the graphical Zenmap that works along with it, or you can also download other port scanners like Angry IP Scanner to find all of these different devices, operating systems, and services on your network
Something you have (Multi-factor Authentication)
• Another good way to authenticate access is to require that a user have something with them -This is something you have -A good example might be a smart card -You would plug a smart card into a computer and provide a Personal Identification Number -Obviously, you would be the only person who happens to have that smart card • Some organizations might put a certificate on a USB key -That certificate is something that only you would have -And you would have to use that USB key during the authentication process • Another good example of something you have is a pseudo random code that could be provided on a piece of hardware or software token -Such as getting the random code from the hardware token once the username and password is entered correctly -Or obtaining the random code from the software-based token on your mobile device • Another example of having your mobile phone as something you have would be an SMS message or a text message sent to your phone that might have that code inside of it that you would use during that login process
route (Command Line Tools)
• Another important piece of information when you're troubleshooting is knowing where traffic will be routed -In Windows, we can view this with the route print command • View the device's routing table -Find out which way the packets will go • route print - shows the Windows routing table
Port security (Access Control)
• Another method to control access is with a function called port security -This would prevent someone unauthorized from connecting to an enabled port on your switch and gaining access to your network -This can alert you or disable the port and immediately prevent anyone from using that particular interface • This port security is based on the MAC address of the device that's connecting -Even if that MAC address is being forwarded from another switch, we're still looking at the MAC address to make this port security decision • You can set up each port on your switch with a different set of configurations that would allow or disallow certain MAC addresses from the network -Unique rules for every interface
Spectrum analyzer (Hardware Tools)
• Another nice tool to have, especially for wireless networks, is a spectrum analyzer -This allows you to examine all of the different frequencies that happen to be in a particular range all at once, and you'll be able to tell exactly where most of the signal is in that particular frequency range -Managing wireless access points can be a challenge • For example, if you're connecting a wireless access point for the first time, and you're wondering if there's anything else in the area that might be causing interference to slow down this network, you'll be able to see that with the spectrum analyzer -If file transfers are slow, is it the server or the wireless network? Allows you to examine everything • It views everything communicating in the wireless frequency spectrum -So if the problem is a conflict with another wireless access point, you'll be able to see that in the spectrum analyzer -If there are other devices in your environment that are causing interference on those same frequencies, it will also show up with the spectrum analyzer -You can visually see any conflicts or interference
Asset tracking tags (Physical Security)
• Another physical security technique used by many organizations is to put the company's own asset tag on the different components -If you have routers, switches, servers, CSU/DSUs, or any other component, you can associate that particular component with an internal tracking number that's specific to your organization • This asset tag will then be associated with that particular device -So you'll now have a database of the exact makes and models of the devices in your organization, how they're configured, maybe purchase date information, and where they might be located -Can also be used for financial records, audits, depreciation • Methods of tagging the asset -A barcode, which makes it easy to check in or check out a particular asset -RFID built into the tag itself so that you can easily track exactly where this particular device is going -A visible tracking number
PEAP (Protected Extensible Authentication Protocol) (Wireless Authentication and Security)
• Another popular EAP type is PEAP -This is the Protected Extensible Authentication Protocol, or Protected EAP • This was created by Cisco, Microsoft, and RSA Security • This encapsulates EAP in a TLS tunnel, with one certificate on the server -Combines a secure channel and EAP • This was commonly implemented on Microsoft devices as PEAPv0 -You might also see it referred to as EAP-MSCHAPv2 because it authenticates to the Microsoft CHAP version 2 databases
PPP (Point-to-point protocol) (WAN Technologies)
• Another popular WAN technology is PPP -PPP stands for Point-to-Point Protocol -It creates a network connection between two devices so you can send other types of protocols over that WAN link -Communicates using many different protocols -OSI layer 2 / Data Link protocol • PPP is commonly used for dial-up connections, serial links, and also for mobile phones -Also used for DSL connections for home or business • Some of the advantages of PPP are: -It can be used for authentication on the network -Data can be compressed through PPP -The ability to detect errors -Build multiple PPP connections and multilink them together for larger bandwidth
Access Control Lists (ACLs) (Access Control)
• Another popular method of controlling traffic is with an Access Control List, or an ACL -ACLs look at the packets themselves to allow or disallow traffic through the network -ACLs are also commonly used to determine what traffic needs Network Address Translation, Quality of Service, and other network features • ACLs are usually applied to router or switch interfaces -Usually assigned to either the ingress or the egress of a particular interface -Incoming or outgoing • Because we're looking into the packet itself, we can make some relatively complex filtering decisions with these ACLs -For example, you can filter on source IP address, destination IP address, TCP port numbers, UDP port numbers, or ICMP • If the traffic going through the network matches the rule that you've configured in the ACL -You can decide whether that traffic is allowed through the network or denied
SSH (Secure Shell) (Remote Access)
• Another popular remote access technology is SSH, or Secure Shell -This allows us to have a console screen where we can work at the command line -Commonly, we would use SSH to connect to routers, switches, firewalls, and other devices where we need this terminal session • This is something you would use to encrypt communication over the network -SSH replaces the technology we used with Telnet, which of course provided a very similar terminal screen -But all of the communication with Telnet is in the clear, and all of the communication with Secure Shell is encrypted -Uses TCP port 22
DDoS amplification (Denial of Service)
• Another technique that the DDoS attackers like to use is amplification -They can send a very small attack, but by the time it reaches you it has become very, very large -They're usually reflecting this attack off a third party service to increase the total size of the attack when it gets to you • This is becoming a very common technique that we're seeing with distributed denial of service attacks • These amplification attacks are able to work because some of these older protocols were not created with any type of security in mind -So protocols like network time protocol, DNS, ICMP, those are protocols that people have been able to abuse and amplify these attacks against a third party
iSCSI (Network Storage)
• Another type of storage area network is iSCSI. This stands for Internet Small Computer Systems Interface -This simply extends the SCSI capability across the network -Created by IBM and Cisco, now an RFC standard • This would make these remote drives on the storage area network look and feel as if they are local to the computer -Very similar to how Fiber Channel works • SCSI is well-supported in software and operating systems, and there are drivers already available for iSCSI in many existing OS's -No need for any proprietary topologies, switches, or adapter cards -And since you are using IP, you are using an easily routable iSCSI protocol over an existing ethernet network
Somewhere you are (Multi-factor Authentication)
• Another useful authentication factor might be a geographical location of where someone happens to be -This factor is somewhere you are -We would need some way to determine where you happened to be during that login process -The transaction only completes if you are in a particular geography • One way to find out where someone might be is to look at their IPv4 address -We know that the IPv4 addresses aren't a perfect representation of geography, but they might get you a little closer to knowing what country someone might be in -Unfortunately, the large address space with IPv6 doesn't give you the granularity you might have with IP version 4 • Many of the devices we're carrying around have a GPS, which means we can get very detailed information of where someone might be -You need to be in an area that can at least receive the communication from the GPS satellites, or at least you need to be able to triangulate against ground-based systems or 802.11 network -This triangulation may not provide an exact location of where a user happens to be, but it might be close enough to make a decision for authentication purposes
netstat (Command Line Tools)
• Another utility that's available on many different operating systems is netstat -You can find netstat on Linux, on Unix, on Windows, and many others -Netstat stands for Network Statistics, and it provides you with many different views of what the statistics are for network communications on that particular device -Displays Network Statistics
SNMP (Simple Network Management Protocol) (Event Management)
• Another way to monitor the network and all of the devices is to proactively query those devices for more information -We would normally use SNMP to provide that query -SNMP stands for Simple Network Management Protocol -It allows you to use a standardized information base to be able to query devices and return details about how that device may be performing -A database of data (MIB) - Management Information Base • You normally set up a management station to perform these queries -That management station would be configured with the name or IP address of the remote device that you wanted to monitor -And then you need to specify the version of SNMP that is supported by that remote device • The SNMP agents that are running in your infrastructure devices are collecting a wide range of information -So you want to be sure the people that are querying these devices through SNMP are only the ones that need access to that information -Access should be very limited
Root guard (Switch Port Protection)
• Another way to protect your switch interfaces is to enable root guard -On any spanning tree network, one of those switches is going to be the root switch, or the root bridge -And you can manually determine what that root bridge might be by setting a root bridge priority to 0 in the configuration of the switch -But if any other device also happens to have a root bridge priority of 0, it's going to choose the one that has the lowest MAC address • Root guard is a feature that you'll find in Cisco switches that allows you to administratively set which particular bridge is going to be the root bridge -This means if someone does connect another switch that's configured with a root bridge priority of 0 and has a lower MAC address, it still would not be able to become the root bridge • So if you have administratively defined which switch is going to be the root and you've configured root guard, if that switch happens to receive a higher priority spanning tree protocol BPDU on that interface, it will turn that interface into listening status -You'll see a message show up as "root inconsistent" and that it is "listening" -This is effectively going to disable any traffic from coming inbound from that interface -This may also create connectivity problems for anyone else that happens to be on that link, but it also prevents someone else from taking over the root status on that network
PDU data types in the OSI model (Protocol Data Units)
• Application, Presentation, & Session layer contains the DATA PDU -Layer 7,6,5 = DATA • Transport layer contains the SEGMENTS PDU -Layer 4 = SEGMENTS • Network layer contains the PACKETS PDU -Layer 3 = PACKETS • Data Link layer contains the FRAMES PDU -Layer 2 = FRAMES • Physical layer contains the BITS PDU -Layer 1 = BITS
iptables (Command Line Tools)
• As a Linux user, you have many options for a firewall in the Linux operating system, and one of the more popular versions is iptables -This allows you to provide stateful filtering in the kernel of the Linux operating system (a stateful firewall) -Linux iptables filters packets in the kernel -It is common to see on workstations, servers, and any other device where you want to control the inbound and outbound network traffic • Some organizations will use iptables as the primary firewall between the inside of their network and the internet • Firewall functions -You can do advanced filtering by IP address, port, application, content, and other criteria -Usually located on the ingress/egress of a network -Some organizations place them between internal networks -Some Linux distributions prefer firewalld or similar host-based firewalls over iptables
Network Access Control (NAC) (Access Control)
• As a network administrator, you'll probably want to keep people off of the network until they've provided the correct authentication -One way to do this is by using port-based Network Access Control, or NAC -The most common type of NAC is using a standard called IEEE 802.1X • When we say port-based access control, we are referring to physical interfaces or physical access to the network -This is not describing a way to restrict access to TCP or UDP ports • If you're using 802.1X for your network access control, then you're probably using a type of EAP to provide the authentication -This is Extensible Authentication Protocol, and there's an AAA server that's running TACACS or RADIUS that usually verifies that authentication • Although it's good to use network access control, you should also disable any interfaces on a switch that are not in use -Administratively enable/disable unused ports • You might also want to enable any MAC address checking functions in your switch to make sure that no one is trying to get around some of the functionality of NAC by spoofing a MAC address
OC (Optical Carrier) (WAN Services)
• As carriers moved away from the circuit switch networking of T1 and T3, they moved into more packet-switch networking with SONET • SONET stands for Synchronous Optical NETworking -Often implemented by carriers as rings in a large geographical area -SONET networks have a number of different line rates -These are usually referenced by optical carrier number or OC number • SONET: OC-3 -Line Rate: 155.52 Mbit/sec • SONET: OC-12 -Line Rate: 622.08 Mbit/sec • SONET: OC-48 -Line Rate: 2.49 Gbit/sec • SONET: OC-192 -Line Rate: 9.95 Gbit/sec
Managing your cables (Network Documentation)
• As network professionals, we deal with a lot of different network cables. And it may not surprise you to know there is a standard for administering this on the ANSI/TIA/EIA 606 -This is the Administration Standard for the Telecommunications Infrastructure of Commercial Buildings -It will provide information on how to document the network. -There'll be sample reports, how you would draw out the network, and how work orders might look. • There are many different cables going many different places on your network -These might be in a pathway or in a space. -There's grounding cables that would be used -And a way is needed to identify and label all of these different cables that might be used • Identifiers would be used on the cables such as labels, some color coding, and bar coding -This could help anybody who walks in the door understand everything they need to know about your cable infrastructure
Tamper detection (Physical Security)
• As the organization gets larger, it becomes impossible for any single person to be able to keep track of all of the different assets in your organization -You need some way for these devices to monitor themselves so that if anybody tampers with the equipment, you'll be immediately notified • For example, many servers and other types of desktop components have case sensors built into the device that identify case removal -If anyone removes the cover from that device, an alarm is immediately sent from the BIOS -This way, you're able to know exactly when a particular component may have been altered or modified by someone else -Firewalls, routers, etc. • And if you have identification tags or asset tags associated with a device, you may want to get a tag that provides tamper notification such as foil asset tags -If someone removes that tag, there will be a message left behind on the device that identifies the tampering
Latency and Jitter (Wireless Network Troubleshooting)
• As with wired troubleshooting, we should always be concerned about latency -This is a problem also for our wireless networks -The latency is the delay between transmitting information and receiving the response • We might also be concerned about jitter on our wireless networks -Jitter would be a deviation from a predictable data stream, very commonly associated with realtime communication, like Voice over IP • Whenever you get on a wireless network, there is additional opportunity for interference and signal issues, because anything could be conflicting or interfering with that wireless signal -This would cause lower data rates, and it will cause retransmissions and loss of data • You might also run into challenges with latency and jitter if the network is very busy -If you're over capacity and have many different devices communicating, there may be slowdowns as more and more people join that wireless network
Loop protection (Switch Port Protection)
• At the MAC address level, there are no counters or any other way to tell if a frame has been seen before by a particular device -There's no "counting" mechanism at the MAC layer -That means if you create a connection between two switches, and then you create another connection between those same two switches, you will have created a loop -That loop will cause traffic to constantly be sent back and forth between those two switches until you're able to sever that loop -They'll send traffic back and forth forever • As more traffic is added to the network, more traffic will begin to loop throughout the network, and very quickly you'll find the network is brought to its knees -This is a very easy way to bring down anyone's network -It is relatively easy to resolve if you happen to know where the loop is -But on today's complex networks, it may be difficult to troubleshoot exactly where the loop happens to be, and it may take some time until you're able to find out where that is and disconnect it • Fortunately, we have a standard method to prevent any loops on a switch network -This method is the IEEE standard 802.1D -IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990) -It's the Spanning Tree Protocol -It was created in 1990 by Radia Perlman, and now it's used on all switching devices that you might find
AS (Autonomous System) (IGP and EGP)
• Autonomous -Something that exists as an independent entity • In this case, it is an independent network -It might be a group of IP routes under common control • RFC 1930, Section 3: Defines autonomous system as "a connected group of one or more IP prefixes run by one or more network operators which has a SINGLE and CLEARLY DEFINED routing policy." -If you are a network administrator at your company, you are in control of an autonomous system • It is an important point of reference for discussing Interior Gateway Protocols (systems under our control) and Exterior Gateway Protocols (systems out of our control)
Bus Topology (Network Topologies)
• Used in early local area networks -Coaxial was the bus and all devices were connected to that cable to communicate with each other • Simple to implement but prone to errors -One break in the link disabled the entire network • A place to find a modern bus is in the automobile: the Controller Area Network -CAN bus type of network -All internal devices inside the car are able to connect to a single bus and communicate with each other
BNC connector (Copper Connectors)
• Bayonet Neill-Concelman (BNC) -Created by Paul Neill (Bell Labs) and Carl Concelman (Amphenol) -A common bayonet connector used for networking is the BNC connector • The connector needs to push in and twist to connect -This connector is one where you push in and twist to be able to lock into place -Commonly used in DS3 WAN links • It is a coaxial cable connector -The cables themselves are rigid and bulky which can be difficult to work with
Troubleshooting opens and shorts (Wired Network Troubleshooting)
• Because these opens and shorts may be inside the cable itself, it's very difficult to find exactly where that may be -You may just find that moving the cable a certain way causes the intermittent connection • These are also very difficult or impossible to repair -It's usually easier and less expensive to simply run a new cable and use that one instead of the one that has the short circuit -Replace the cable with the short or open • This is another example of where the TDR can help you find exactly the location where this particular open or short happens to be. -By simply connecting to the wire, the TDR can tell you exactly how many feet away from the TDR this particular open or short happens to be.
MIMO and MU-MIMO (Wireless Network Technologies)
• Before 802.11n (802.11a,b,g), there was one antenna on the access point and one antenna on the client. -Communication occurred over a single frequency from one device to the other • When MIMO was introduced with 802.11n it introduced a new way to communicate -A way was needed to bounce the signal off of other devices and make its way to the other side -Data on the other end is reconstructed using digital signal processing -Allows you to send multiple streams of info between devices and done over the same frequency -You can increase the amount of throughput between devices if both devices support multiple streams; more data can be sent between the devices -MIMO in 802.11n can only send to one device at a time (not simultaneously) • In 802.11ac, we were provided with multi-user MIMO (MU-MIMO) -Can send multiple streams of data over the same frequency to multiple clients simultaneously
Biometrics (Physical Security)
• Biometrics is a way to provide authentication that is tied specifically to you as an individual -This could be a fingerprint, it could be an iris, or it could be a mathematical representation of your voice print • Most biometric systems are not storing your actual fingerprint or an actual picture of your iris -It's storing a mathematical representation of that -So it may be sampling different areas of your fingerprint and storing that information to identify as you • You can see that these biometrics are a very good way for you to authenticate that you are really who you say you are -It's very easy to change your password, but it's extremely difficult for you to change a fingerprint or some other physical part of yourself • We commonly use biometrics in very specific situations -Biometrics aren't foolproof, but they are a very good factor to use in conjunction with other authentication methods
Broadcast Domains example (Broadcast Domains and Collision Domains)
• Broadcast domains are separated by router interfaces • A modern switch with full-duplex is its own broadcast domain -If one device sends a broadcast frame, it will be redirected to all other devices on that switch network • To limit the number of broadcast domains, a router will need to be placed in-between each network switch • e.g. Switch 1 <> Router <> Switch 2
Security logs (Authorization, Authentication, and Accounting)
• By combining these authentication logs with access and resource logs from other servers, we can begin to build a picture of exactly what's happening on our network -We can understand when a successful log in has occurred, we know when users log off of the network -And when they log in, we can determine if new processes or applications are being used
CSMA/CA (Introduction to Ethernet)
• CA - Collision Avoidance -Common on wireless networks • Collision detection isn't possible -A sending station is unable to "hear" other stations • It is common to see RTS/CTS function -Ready To Send (RTS) -Clear To Send (CTS) • Solves the "hidden node" problem in wireless networks -Station A can hear the access point -Station B can hear the access point -Station A cannot hear station B -RTS/CTS allows them to communicate on the same wireless network even though both of those devices cannot hear the wireless communication from each other
CSMA/CD (Introduction to Ethernet)
• CS - Carrier Sense -Is there a carrier available? Is anyone communicating? -Is there a signal available that can be used to send some data? • MA - Multiple Access -More than one device on the network • CD - Collision Detect -Collision occurs when two devices communicate simultaneously -This is identified when that data does not get through to the other end -A random back-off function is performed and the device tries to communicate that traffic across the network again • CSMA/CD is usually referenced when referring to half-duplex ethernet communication -Not used any longer
Copper Cable categories (Copper Cabling)
• Cable Category : Category 3 -Max. Supported Ethernet Standard : 10BASE-T -Max. Supported Distance : 100 meters -No longer available • Cable Category : Category 5 -Max. Supported Ethernet Standard : 100BASE-TX, 1000BASE-T -Max. Supported Distance : 100 meters -No longer available • Cable Category : Category 5e (enhanced) -Max. Supported Ethernet Standard : 100BASE-TX, 1000BASE-T -Max. Supported Distance : 100 meters • Cable Category : Category 6 -Max. Supported Ethernet Standard : 10GBASE-T -Max. Supported Distance : 37 to 55 meters • Cable Category : Category 6A (augmented) -Max. Supported Ethernet Standard : 10GBASE-T -Max. Supported Distance : 100 meters • Cable Category : Category 7 -Max. Supported Ethernet Standard : 10GBASE-T -Max. Supported Distance : 100 meters
Address Records (A) (AAAA) (DNS Record Types)
• Called A Records or Quad A Records -Defines the IP address of a host -This is the most popular query -Used to associate the name with an IP address • A Records are for IPv4 addresses -Modify the A record to change the host name to IP address resolution -A Records are used to associate an IPv4 address with the name of a device • Quad A Records are for IPv6 addresses -The same DNS server, different records -Quad A Records are used to associate IPv6 addresses with the name of a device • See image for example -A Record for IPv4
Acceptable use policies (AUP) (Policies and Best Practices)
• Can end users send personal email messages from your corporate email account? What types of websites are appropriate for someone to visit when they're using a corporate laptop? -This type of information should be detailed and well documented in your AUP, or your Acceptable Use Policies -It may be documented in the Rules of Behavior • The AUP doesn't just cover a laptop or desktop computer, but it covers every type of device a user may have access to -Could be the telephones that are in the organization, computers, laptops, mobile devices, tablets, and anything else that is touching the network • Every organization has a different philosophy when it comes to what is acceptable on the network, which is why it's important that all of this information is documented -If this ever comes up in a third party environment, like a court system, you'll be able to document that this user knew that this particular thing that they were doing was inappropriate on this network -And if someone happens to be dismissed from the organization by violating these acceptable use policies, there is documentation that proves that the user knew exactly what they were doing was unacceptable to the organization
IP Address Management (IPAM) (DHCP Addressing Overview)
• Can manage all IP addressing & DHCP Servers -Plan, track, configure DHCP • Can report on IP address usage -Time of day it is being used -User-to-IP mapping -Know exactly what's happening with your DHCP services • Can control DHCP reservations -You can identify problems and shortages • You can manage IPv4 and IPv6 on one console -A single console can give you a perspective across both of those protocols
Captive portal (Access Control)
• Captive portals are another good way to provide access to a network -We commonly see these on wireless networks • When you connect to this network, your device is checked against a list of devices that are allowed access to the network -If you don't happen to be in that list, you're presented with a login screen • From there, you can provide username & password -And any other required authentication factors • Once your authentication is validated, you have access to the network and there's usually a log out button to log out of the network -Or the access point may log you out automatically after a certain amount of time
Coaxial Cable (Copper Cabling)
• Center/Wire conductor • Dielectric (insulator) • Foil shield • Braided/Metal shield • Plastic/Outer jacket
Layer 6 - Presentation Layer (Understanding the OSI Model)
• Character encoding is performed at this layer • Application encryption/decryption occurs at this layer • An application working at layer 6 can also be working in layer 7. -It often combines with the Application Layer (Layer 7) • e.g. : encoding and encryption (SSL/TLS) occurs at this layer
EAP types (Wireless Authentication and Security)
• Cisco was an early adopter of wireless technologies -On some of their first access points that used WEP encryption, they used LEAP, or Lightweight EAP, to provide authentication • When WEP was replaced with more advanced encryption methods, Cisco updated their authentication to EAP-FAST -FAST stands for Flexible Authentication via Secure Tunneling -This provided a lightweight authentication method -It also increased the security we needed for our wireless networks -Cisco's proposal to replace LEAP (Lightweight EAP - previously used with WEP) • As wireless technology became more popular, there was an authentication method that also gained wide adoption -This was EAP-TLS -TLS stands for Transport Layer Security -This is the same security that we use for our web servers and we're using that now, also, for our wireless authentication • Some organizations needed additional options for authentication -So EAP-TTLS was created -TTLS stands for EAP Tunneled Transport Layer Security -This allowed us to tunnel other types of authentication methods through the existing encrypted EAP communication
Classful Subnetting (Classful Subnetting)
• Class A = 255.0.0.0 -There are 8 bits available for the networks -There are 24 bits available for the hosts • Class B = 255.255.0.0 -There are 16 bits available for the networks -There are 16 bits available for the hosts • Class C = 255.255.255.0 -There are 24 bits available for the networks -There are 8 bits available for the hosts • Very specific subnetting architecture -Not used since 1993 -But still referenced in casual conversation such as class A, B, or C. • Used as a starting point if we ever want to provide any additional subnetting to a particular IP address range -Standard values
Managing cloud security policies (Cloud Services and Delivery Models)
• Clients are at work but data is stored externally in the cloud -How would you keep everything in the cloud secured? -The organization already has well-defined security policies • How do you make your security policies work in the cloud? -You can integrate a CASB (Cloud Access Security Broker) -Can be implemented as client software, local security appliances that sit between the clients and the cloud, or cloud-based security solutions
Coaxial cables (Copper Cabling)
• Coax cable is also used for some of our copper cabling -It has a wire conductor in the middle of the cable -It has insulation around that conductor, a metal shielding around that, and a plastic jacket to protect the entire cable • Two or more forms share a common axis • RG-6 used in television/digital cable -And high-speed Internet over cable -Used to bring in television or an internet modem • RG-59 used as patch cables -Not designed for long distances -They do make very good patch cables
CDMA (Code Division Multiple Access) (Cellular Network Standards)
• Code Division Multiple Access (CDMA) -Uses a different method of multiplexing data -Everyone communicates over the same frequency but each call uses a different code -The codes are used to filter out all of the information that it doesn't need to hear on the receiving side • A standard used by Verizon and Sprint -All of those handsets were controlled by that network provider -In the United States there wasn't much adoption outside of Verizon and Sprint for CDMA
DHCP pools (Configuring DHCP)
• Common to provide a grouping of IP addresses that'll be leased out by the DHCP server -This is called a DHCP pool -Each subnet has its own scope -192.168.1.0/24 -192.168.2.0/24 -192.168.3.0/24 -etc. • A scope is generally a single contiguous pool of IP addresses -DHCP exceptions can be made inside of the scope -Certain IP addresses can be excluded from this pool
Configuring NTP (An Overview of NTP)
• Configuring an NTP client -You may specify an IP address or the domain name of a particular NTP server -You may specify the NTP server address (internal IP or hostname) -You can use multiple NTP servers (if available) for redundancy • NTP server on the internal network -You will need at least one NTP server to act as the clock source -You can also specify in the configuration of that NTP server the stratum layer of the clock -If there's a choice for the client to sync itself between two strata, it will choose the lower stratum layer
Incorrect time (Network Service Troubleshooting)
• Configuring the date and time on all of the devices on your network becomes very important when you're trying to implement security. -For example, the default tolerance for Kerberos is a five-minute window. -You have to have very tight tolerances on the time and date on all of your devices -Some cryptography is very time sensitive, such as Active Directory requiring clocks be set within five minutes of each other • This is because Kerberos is assigning you a ticket, and that ticket has a time stamp associated with it -If that time stamp is too old, Kerberos considers that ticket to be invalid -Which then causes issues for the client not being able to log in • That's why one of the first things we do when there's a problem with Kerberos or being able to log in is to check the time stamp on the device that's trying to gain access to the network -Check the timestamp of the client and the server • The easiest thing to do, of course, is to configure all of your devices with the network time protocol, or NTP -This makes it so that every device can automatically update its clock and stay in sync with one another -Automate the clock setting
WAN - Wide Area Network (Common Network Types)
• Connectivity spanning the globe -Can connect devices that are within the same state, the same country, or even between different countries • Much larger area than a local area network or metropolitan area network -But you also usually have slower bandwidths available • Generally connects LANs across a distance -And generally much slower than the LAN • Many different ways to provide wide area network connectivity such as: -A point-to-point serial, MPLS, etc. -OR a satellite communication for non-terrestrial links
APC - Angle-Polished Connectors (Optical Fiber)
• Connectors have an 8 degree difference between the two ends of an APC • As light passes through, it will be reflected off at an angle rather than being reflected directly back to the source
Mesh Topology (Network Topologies)
• Contains multiple links to the same place -Can have all of the different locations connected to every other location -Or partially connected, where some locations are connected to other locations • This method is implemented if you are looking for: -Redundancy -Fault-tolerance -Load balancing between multiple links • Mesh is often used in Wide Area Networks (WANs) -In case a link goes down, you would have redundancy and a way to route around the problem -Can be fully meshed or partially meshed
Optic Fiber characteristics picture 1 (Optical Fiber)
• Contains narrow strands of optic fiber through which light is sent from one end to the other -There's a larger coating around the outside to help protect it • The end of the optic fiber, where it is plugged into the networking equipment, often contains a ceramic ferrule -This helps to protect the very delicate fiber optic that is on the inside
The Subnet Mask (IPv4 Subnet Masks)
• Contiguous series of ones -Ones on the left -Zeros on the right • e.g. 11111111.11111111.11111111.00000000 (binary notation) = 255.255.255.0 (decimal notation) • Can also be written as /24, indicating that there are 24 bits in this subnet mask in the first 3 octets -The /24 notation is also called CIDR block notation (Classless Interdomain Routing) -Also referred to as prefix notation or slash notation because we use the / to specify the number of bits • In the case above, /24 -Network is using 24 bits -Host is using 8 bits
UPC vs. APC (Optical Fiber)
• Controlling the light -The physics of dealing with optic fiber are very different than the physics we had with copper cables • Return loss -We have to worry about light that we're sending out -Also have to worry about the light that may be reflected back to the original source • There are two different kinds of connectors that can help control the reflected light -UPC (Ultra-polished connectors) -APC (Angle-polished connectors) • UPC (Ultra-polished connectors) -Has a zero degree angle between the end of the ferrule and the device that we're plugging into -Usually a very high return loss • APC (Angle-polished connectors) -Ferrule end-face radius polished at an eight degree angle -The ferrules connect to each other at a slight angle, and so the reflection is a little bit different -Lower return loss, generally higher insertion loss than UPC -There is a lower amount of light returned to the source, but we're also losing a little bit more light on the connector itself
CAN - Campus Area Network (Common Network Types)
• Corporate or Campus Area Network • It is a limited geographical area -Consists of a group of buildings close enough to extend network connections so that all of the buildings would be on the same network • LAN technologies -Common to connect these buildings with fiber and be able to run high speed Ethernet • You can run your own conduit and fiber in the ground -No third-party providers -No monthly cost -Simply connect the two switches at the ends of the fiber
Crosstalk (XT) (Wired Network Troubleshooting)
• Crosstalk is when a signal going across one pair of wires affects the signal on another pair of wires • This leaking of information from one wire to the other causes interference -And it may affect the overall performance of a connection • One good way to measure how much crosstalk you're having on a particular pair of wires is with a time-domain reflectometer (TDR) -You may want to plug that in and get specific readings of crosstalk -Some training may be required • One of these readings may be Near End Crosstalk, or NEXT -This is how much crosstalk is occurring as the signal is at the near end -It's the side that is transmitting that signal • You can also understand how much crosstalk you're seeing as it goes through the network on the other side by measuring at the destination -This is Far End Crosstalk, or FEXT -Interference measured away from the transmitter • This means that you can look at the near end crosstalk to see how much crosstalk is introduced when the signal is at its strongest -And then you can look at the far end crosstalk to see how much crosstalk was introduced as the signal went through the cable
Turning dynamic into static (Assigning IPv4 Addresses)
• DHCP assigns the first available IP address from a large pool of addresses when the device is first turned on -The pool of available IP addresses will shrink and grow based on how many people are on the network and how many have left the network -Your IP address can and might change to whatever is available in the pool • You may not want your device(s) IP address to change -Devices such as servers, printers, or for personal preference -IP addresses can be assigned administratively (static) • Disabling DHCP on the device allows you to keep the IP address from changing -This would require you to configure the IP address information manually (also the subnet mask, DNS, etc.) -Would require additional administration (one by one) to keep these devices available on the network whenever there is a change in the network • To avoid manual administration, keep DHCP enabled on the devices -Configure an IP reservation on the DHCP server -Associate the MAC address with the reserved IP address
Stateful DHCPv6 (Assigning IPv6 Addresses)
• DHCP can also be used in IPv6 -Very similar process to DHCPv4 -Communicates through Multicast using UDP/546 (client) and UDP/547 (server) • Every device with IPv6 already has an assigned link-local address starting with fe80 -Every interface configured with IPv6 will automatically have a link-local address associated with it
nslookup and dig (Command Line Tools)
• DNS is such an important part of our network communication that it's certainly important that you know how to perform troubleshooting with your DNS server • Two commands that can help you do this troubleshooting are nslookup and dig • Using either of these command line tools, we can query a DNS server and receive information back such as canonical name lookups, IP addresses, cache timers, and much more information that's contained on that DNS server
Service Records (SRV) (DNS Record Types)
• DNS records that can help you find specific services on your network -You can create Service Records (SRV) for Windows devices to find the Windows Domain Controller -Where is the instant messaging server? You can add an SRV Record to find the IM server -You can add an SRV Record so VoIP devices can find the VoIP controller on the network • See image for example -Shows a Service Record used for Windows devices to find an Active Directory controller
Packet switching (Circuit Switching and Packet Switching)
• Data is grouped into packets and sent across a network -Could be sending voice, data, video, etc. -The media is usually shared -Someone else can use it, even when you don't • Packet switching also supports QoS -One person might be able to have a higher priority than someone else -One connection may have more bandwidth allocated than another -Depending on whether the other connection paid more for bandwidth
Layer 5 - Session Layer (Understanding the OSI Model)
• Deals with the way applications/devices communicate across the network • The communication management between applications/devices -It starts, stops, and restarts the communication -Can be done in half-duplex or full-duplex • The layer where you'll see certain control protocols communicate between application endpoints -Or a tunneling protocol, if one is required • e.g. communication between applications/devices (control protocols, tunneling protocols)
Multicast (Unicasts, Broadcasts, and Multicasts)
• Delivers information to interested systems -Can send data to multiple devices on the network, but not to every device -Can send to a specific set of devices • Commonly used for multimedia delivery, such as sending a single stream of information, or for stock exchange data -Anyone interested in receiving that data can subscribe or connect to it • It is very specialized with a limited scope -Difficult to scale across large networks -Infrastructure devices have to understand how to deal with multicast -All end-devices need to know how to subscribe to or view that multicast information
DMZ (Switch Interface Properties)
• Demilitarized zone -An additional layer of security between the Internet and you • Allows people access from the outside to certain resources on the network through a special interface -But still prevents anyone from accessing devices on the protected internal network • Larger enterprise firewalls might not have an interface labeled as DMZ -Instead, firewall administrators will configure one of the firewall interfaces to allow traffic from the outside and call it the DMZ interface
QoS (Quality of Service) (Prioritizing Traffic)
• Describes the process of controlling traffic flows • This prioritizes traffic performance -e.g. Voice over IP traffic has priority over web browsing -Can be prioritized by maximum bandwidth, traffic rate, VLAN, etc. • Many different methods to apply QoS across many different topologies -But there are certain standards often used on most networks
Address Resolution Protocol (Network Switching Overview)
• Determines a MAC address based on an IP address across the network -The hardware address is needed to communicate • arp -a -Shows the local ARP table cached on your computer
traceroute <ip address> (Command Line Tools)
• Determines the route a packet takes to a destination -Maps the entire path (the route between your device and the remote workstation) -tracert is used in Windows -traceroute is used in Linux or Mac OS • Traceroute uses the ICMP time to live (TTL) exceeded message to be able to calculate which hop is the first hop, the second hop, the third hop, and so on -The time in TTL refers to hops, not seconds or minutes -TTL=1 is the first router, TTL=2 is the second router, etc. • Your device not only needs to be able to receive these ICMP time to live exceeded messages, the routers that these packets are going through also have to send you the ICMP time to live exceeded message -Not all devices will reply with ICMP Time Exceeded messages -Sometimes, routers/firewalls either filter or disable the ICMP feature -ICMP is low-priority for many devices
802.11 technologies (Wireless Network Technologies)
• The differences between 802.11 standards are the frequencies used to communicate: -Either 2.4 GHz or 5 GHz -And sometimes both • The IEEE standards have grouped these frequencies into channels -Groups of frequencies, numbered by the IEEE -Non-overlapping channels would be necessary so that multiple access points can communicate with each other • Different 802.11 standards will use different bandwidths in these 2.4 and 5 gigahertz frequency ranges -Amount of frequency in use at any particular time -20 MHz, 40 MHz, 80 MHz, 160 MHz
Flavors of traceroute (Command Line Tools)
• Different operating systems use different methods to perform a traceroute -Not all traceroutes are the same -Minor differences in the transmitted payload • For example, Windows sends an ICMP echo request -We're looking to receive an ICMP time to live exceeded message from each hop and an ICMP echo reply from the final/destination device -You also have to make sure that none of those protocols are going to be filtered between you and that final device -ICMP is commonly filtered • Some operating systems give you more control over the traceroute -For example, Linux, Unix, and Mac OS allow you to change what protocol you'd like to use during the traceroute • If you're using a mobile device that runs iOS, it's going to send UDP datagrams over port 33434 -You may be able to change this port number with some of the extended options available in iOS
dig <ip address> (Command Line Tools)
• Dig is the Domain Information Groper, and it provides similar information to what you would see in nslookup -Looks up more advanced domain information -Should probably be your first choice -It is not native to any Windows version but can be downloaded at http://www.isc.org/downloads/bind/
ipconfig /all (Command Line Tools)
• Displays all IP configuration details on a Windows system
Pointer Record (PTR) (DNS Record Types)
• Does the reverse lookup: we provide the name server with an IP address and it will provide us with the name • The reverse of an A or AAAA record -Added to a reverse map zone file • In the DNS configuration, we would list out the IP addresses associated with these devices -It would specify that these are PTR or Pointer Records -Then provide the fully qualified domain name of these devices *see image for example*
PDU data type mnemonics (Protocol Data Units)
• Don't Some People Fear Birthdays! • Do Some People Fear Binary?
T568A and T568B Termination Standards (Copper Termination Standards)
• EIA/TIA-568-B is the standard for terminating cables -Shows exactly how to terminate eight-conductor 100-ohm balanced twisted-pair cabling -Exactly the cabling we use on today's networks • You have a choice of two different standards when terminating copper cables -Choice 1: T568A -Choice 2: T568B -These are two different termination standards -You pick the one that you would like to use and stay with that termination standard throughout the installation of the cables -Some will use certain types of pin outs depending on how the cables are being run -e.g. If you are running cables on a single floor, some people prefer to use T568A as the pin out for all the horizontal cabling -T568A and T568B are different pin assignments for 8P8C connectors • Many organizations have preferred to use 568B -Doesn't matter which one you use, as long as you stay consistent -Difficult to change in mid-stream • You do not want to terminate one end of the cable with 568A and the other with 568B -You will run into problems, especially on a gigabit network
Avoiding EMI and interference (Wired Network Troubleshooting)
• EMI is Electromagnetic Interference -Our cables are not indestructible, and we want to be sure that we're handling them properly and running them along areas where the EMI will be minimized • If you are running some new cables, you want to be sure not to twist them during the installation and to minimize the amount of pulling or stretching that you would do to any set of cables -You also want to be sure that you don't have any sharp bends. Each cable will document the maximum bend radius allowed. You want to be sure not to exceed that bend radius -And of course, you don't want to use staples or any type of cable ties that might crimp the wires inside of those cables • You'll find electromagnetic interference anywhere there's a power source -So if you're running your copper cables near electrical outlets or near fluorescent lights, you'll find there may be an excessive amount of EMI on your ethernet network -Avoid power cords, fluorescent lights, electrical systems, and fire prevention components • One good way to test for EMI is to use a time-domain reflectometer -You can see exactly how much signal and how much noise happens to appear on that link -You can find most of your problems before use
EAP (Extensible Authentication Protocol) (Wireless Authentication and Security)
• We discussed the encryption mechanisms used on our networks, but we also need to provide some way to authenticate onto the network -To do that, we use a framework called EAP -EAP stands for Extensible Authentication Protocol • This framework has many different methods that can be used to authenticate to a network • There are many RFC standards that use EAP as the authentication method • For our wireless networks, both WPA and WPA2 use five EAP types as authentication mechanisms to our wireless networks
The MAC Address review (Assigning IPv6 Addresses)
• Ethernet Media Access Control address -The "physical" address of the NIC on your ethernet network • Also referred to as the EUI-48 address -Extended Unique Identifier (48-bit) 8c:2d:aa | 4b:98:a7 • 8c:2d:aa = Organizationally Unique Identifier (OUI) -The first 3 bytes identify the manufacturer of the NIC • 4b:98:a7 = Network Interface Controller-Specific -The last 3 bytes are unique to your NIC -The serial #
Wrong SSID (Wireless Network Troubleshooting)
• Every access point has at least one Service Set Identifier, or SSID, configured inside of that device -This designates the name of the wireless network that we would be connecting to -And if this is on your corporate network, it may be very obvious what SSID is associated with your particular network • But sometimes, this can be a challenge -You might bring up a list of available networks, and it may be the public WiFi internet, the Guest Internet, or the Internet SSID -Which one do you connect to? Some of them may be associated with your access points. Others may be associated with access points that are not part of your network • You may want to confirm what the correct SSID is and make sure that all of your users are connecting to the right wireless network -Should be listed in the current connection status
Internal operating procedures (Network Documentation)
• Every company is going to be a little bit different when documenting the internal processes and procedures for an organization -Organizations have different business objectives -Processes and procedures may be dramatically different from one organization to another -It is important to have documentation on how to handle internal operational procedures within the org. • e.g. When a system goes down, there may be a specific notification process -The downtime notifications can be an electronic notification or the need to call someone directly when a system goes down -If this is a facilities issue, documentation is needed showing a set of processes and procedures on how to handle that. • We can also create processes and procedures for very specific tasks such as software upgrades -May require a process to test the software upgrades -A process that needs to go through a formal change control process • It's important that all of this documentation is available to whoever might need it -That way everyone can review and understand the policies -You'll know exactly the process that will be followed to resolve that issue -Having documentation is the key
NTP (Network Time Protocol) (An Overview of NTP)
• Every device (switches, routers, firewalls, servers, workstations, etc.) has its own clock • Synchronizing the clocks is critical/important -Log files can show the correct time -Authentication information needs to be well synced for devices to authenticate to each other -Outage details show the correct time -Allows you to compare log files across multiple devices • NTP automatically updates to the proper time and date -It allows us to configure devices with an NTP server -They can check in to that NTP server to update their clocks on a regular basis -No flashing 12:00 lights -Flexibility: You (as an administrator) control how clocks are updated • An extremely accurate way of updating the clocks -Accuracy is better than one millisecond when updating the clocks with an NTP server on the local network
Data Loss Prevention (DLP) Policies (Policies and Best Practices)
• Every organization needs to have a formal set of policies and procedures related to DLP, or Data Loss Prevention -These will be policies that dictate how your organization will be handling social security numbers, credit card numbers, or any other type of personally identifiable information • For example, if you're in an organization that works with medical data, you need to understand exactly how that sensitive information may be transferred across your network -Is encryption used to make sure that information is secure, and how is that encryption enabled for that data? -How is sensitive data transferred across the network? • Many organizations will also deploy data loss prevention technologies on their servers and their networks to watch for this data going across the network -This is another way to validate that your policies and procedures are being followed -And if someone goes outside the scope of the policies and procedures, that information can be blocked before it gets into the hands of someone else -DLP solutions can watch and alert on policy violations
F-connector (Copper Connectors)
• The F-connector is used for cable television or cable modem connections • It is brought in through an RG-6 cable -It uses a threaded connector -Once you twist it on to the connector, it's not coming off of that connection unless you completely untwist the F-connector
High Availability (Availability Concepts)
• Fault tolerance and redundancy don't necessarily mean that you'll have 100% uptime -Redundancy doesn't always mean always available -May need to be enabled manually • Many organizations cannot afford to have any downtime -In those scenarios, there needs to be a configuration that is highly available • An HA configuration is also referred to as High Availability -This is always on, always available • This means having installations of multiple devices that are always running and always working together -May include many components working together in different areas -Make sure there isn't any place in the entire path of communication that may be a single point of failure -Watch for single points of failure • Higher availability almost always means higher costs -There's always another contingency that can be added -Such as an upgraded power supply, higher-quality service components, or buying multiple devices instead of a single device at a time
Redundancy and fault tolerance (Availability Concepts)
• Fault tolerance is usually implemented by using redundancy -Such as having additional device(s) either standing by or online -If the first device fails, it can fail over to the secondary device -Having separate power supplies within a single server -Or having two completely separate servers, one that is the primary device and the other that's used for redundancy • Redundant Array of Independent Disks (RAID) is a common way to set up multiple drives inside of a device -This provides redundancy should any one of those drives fail • Uninterruptible Power Supply (UPS) -To prepare for disconnections such as losing the entire power circuit -This is a way to continue powering those systems • Creating a cluster of servers -In case any individual server fails, the other servers will still provide that function -A logical collective of servers • Load balancing where devices are always online -A shared service can load across multiple components -The load is distributed throughout all of them
Bi-Directional (BiDi) transceivers (Network Transceivers)
• Fiber is relatively expensive to run -And there is a limited number of interfaces on the networking equipment • Some of your networking equipment may be able to support bi-directional transceivers, or BiDi transceivers -Allows you to transmit and receive over a single strand of fiber -It effectively doubles the amount of use that you have for the fibers in your infrastructure -The transceiver uses two different wavelengths to perform its job • This reduces the number of fiber runs by half
Fiber (WAN Transmission Mediums)
• Fiber uses light to send digital signals instead of an electrical signal over copper -High speed data communication -Uses frequencies of light • Fiber has a higher installation cost than copper -Equipment is more costly to purchase and more difficult to repair/maintain -But it does allow you to communicate over long distances using fiber connectivity • Very common to see fiber used in the core of provider networks -Large installations in the WAN core of a network provider -Many customers can be connected over a single strand of fiber -Supports very high data rates -Usually supports SONET and wavelength division multiplexing over optic fiber • As bandwidth requirements have been increasing, we're starting to see more fiber make its way to the premises itself -Fiber is slowly approaching the premises -We are beginning to see fiber installations in businesses and even fiber installations that are going through our neighborhoods and to our homes
Next-generation Firewalls (NGFW) (Advanced Networking Devices)
• Firewalls are much more than devices that can allow or disallow traffic based on a TCP or UDP port number -Modern firewalls are able to look at the applications that are flowing across the network -They are called Next Generation Firewalls, or NGFW -The OSI Application Layer -Layer 7 firewall • You might also see these next generation firewalls called: -An application layer gateway -A stateful multilayer inspection device -A device that performs deep packet inspection • The NGFW is looking at every bit, byte, and frame that is passing through the network -Every packet must be analyzed and categorized, and it makes security decisions based on what happens to be within all of the data of that frame -e.g. it may allow communication to Facebook, allow communication to Twitter, but not allow someone to post to Facebook or post to Twitter -These firewalls can really understand all of the applications in use and in some cases understand the different functions of the applications in use
Troubleshooting IP configurations (Network Service Troubleshooting)
• First thing to do is check your documentation and make sure that you have the correct IP address for your subnet -You'll want to check your computer's IP address, subnet mask, and default gateway -And you want to make sure that matches what you show in your documentation • If you think your switch is configured with the wrong VLAN information and you're on the wrong IP subnet, you should be able to capture packets and at least see some information appear from your local subnet -That might give you some clues as to which subnet you're connected to -Monitor the traffic at the switch -Examine local broadcasts to gain clues about which subnet you are connected on • If you're not on your network or you don't have access to the documentation, you may want to look at other devices around you that seem to be working -You can look at their IP address, subnet mask, and default gateway, and see if that matches the subnet for your device -Check devices around you to confirm your subnet mask and gateway • The problem may be associated with something else in your infrastructure -So you might want to run the ping and traceroute commands, and see just how far you're able to get outside of your local subnet -Ping local IP, default gateway, and outside address
Flood guard (Switch Port Protection)
• Flood guard is a way that you, as the network administrator, can limit the number of devices that can communicate through any particular switch interface -For example, if one device is connected to an interface on a switch, you may set the flood guard to limit that interface to only one MAC address -You could even specify the exact MAC address inside the configuration of the switch • If someone were to disconnect that user's network connection and plug in a different device, the switch would recognize that a new MAC address was communicating across the network -It maintains the list of all of the different MAC addresses that it has seen on a particular interface • The default for flood guard is to then disable that interface so that no one can communicate over that connection from that point forward -Once you exceed the maximum, port security activates -Interface is usually disabled by default -You would then need to perform some additional investigation to determine why flood guard happened to activate on that particular interface, and that may have allowed you to stop a security breach from occurring on that interface -This feature also prevents somebody from performing a denial of service by flooding the network with a number of different MAC addresses in order to overflow the switch's index of addresses -By using flood guard, you can address a number of different security concerns
10BASE-T and 100BASE-T Crossover cable (Copper Termination Standards)
• For 10 megabit and 100 megabit ethernet we're using two pairs -The crossover cable would go from pin one to pin three and pin two to pin six
1000BASE-T Crossover cable (Copper Termination Standards)
• For 1000BASE-T, or gigabit ethernet, we maintain the pin one to pin three and pin two to pin six crossover so that we have backwards compatibility -But we are also crossing over pins four and five and pins seven and eight
Remote access VPN (Advanced Networking Devices)
• For a remote access VPN, we would have a VPN concentrator at our main location -Inside the network are all of our corporate resources • The VPN concentrator is connected to the internet, which means you could be anywhere needing access to the internal network -You start up the VPN software on the laptop, which creates an encrypted tunnel to the VPN concentrator -Anything sent over the VPN tunnel would be encrypted between your laptop and the VPN concentrator -If anyone was listening in the middle, they wouldn't be able to make any sense of this communication • The VPN concentrator is in charge of decrypting that information and sending it into the local network -Any responses would also be re-encrypted by the concentrator and sent back to the user on their laptop • Very common these days to configure VPN software to be always on -If it recognizes the user is on an external network, it will automatically build this tunnel back to the VPN concentrator -So when using this laptop from wherever the user happens to be, it will be using a secure channel back to the central office
Network Symbols (Network Documentation)
• For network documentation, we tend to use a standard set of symbols -Useful when sharing with others -Makes it easier when working with third party documentation because you can recognize exactly what icon is associated with which components
Switch operation (Spanning Tree Protocol)
• Forwarding decisions are made by MAC address -Keeps a big table of MAC addresses that have been seen -All forwarding decisions are filtered through this list • If the destination MAC is unknown, the frame is flooded -It is sent to every switch port in the local subnet/VLAN -Hopefully the destination station will respond • Flooding is hopefully a temporary process -Directed traffic resumes when the MAC is seen
What is IP Fragmentation? (Understanding the OSI Model)
• Fragments are always in multiples of 8 bytes because of the number of fragmentation offset bits in the IP header • e.g. A packet is 44 bytes, and some networks cannot support a packet of that size -So, the 44 bytes are fragmented into smaller packets so that they can be sent through that network • This is done at the Network Layer - OSI Layer 3
Frame relay (WAN Technologies)
• Frame relay was one of the first cost-effective and popular WAN types in the late 1990s -This was the departure from circuit-switched T1s to packet-based communication • This is where LAN traffic was encapsulated within frame relay frames and sent into the frame relay cloud • Inside of that cloud, the provider had their own method of getting the data to the other side -Frames are passed into the "cloud" -The end user never saw the process to the other side -The user would put data into the frame relay cloud with a destination location and the provider would take care of delivering it to the remote site • It was common to see frame relay installed at 64 kilobits per second, and you could have that speed range all the way up to DS3, which would be around 45 megabits per second • This has been effectively replaced with MPLS -And other WAN technologies -But you may still see a number of frame relay implementations used on legacy networks
CSU/DSU connectivity (WAN Termination)
• From the demarc we often connect with an RJ-45-like connection that's technically an RJ-48c -It might also connect through a 15 pin connector to a network interface on a CSU/DSU • There are a number of different ways to connect between the CSU/DSU and the router -The more common might use a V.35 connection, which is a larger blocky connector -Or a 25 pin (RS-232) serial connection between the CSU/DSU and the router • Some CSU/DSUs also include monitor jacks that allow you to connect diagnostic equipment without disrupting the connection that's already in place
The importance of cable (Copper Cabling)
• Fundamental to network communication -Foundation is incredibly important • You usually only get one good opportunity at building your cabling infrastructure when building a new area -Make sure cabling is done exactly to specification • The vast majority of wireless communication uses cables -Unless you're an amateur radio operator
Crimping best-practices (Hardware Tools)
• Get a very good quality crimper -Also get a good pair of electrician's scissors. Might be called cable snips. They're perfectly sized to be able to work on these very small cables -And get a good wire stripper, especially if you work with a lot of coax -A number of crimpers will also include a wire stripper on the crimper itself • Make sure that you're using the appropriate type of modular connectors for the type of cable that you have -The connectors that go on a category 5 cable are just a little bit different than those that go on a category 6 cable, so make sure you match your connectors with your cables -Differences between wire types • Although this can be a little frustrating at first, you very quickly get the feel for pulling out all of these individual wires, putting them into the connector, and crimping them down into the perfect sized cable -Practice, practice, practice -It won't take long to become proficient
GSM (Cellular Network Standards)
• Global System for Mobile Communications -Mobile networking standard • 90% coverage of the market because it was a standard almost everywhere in the world -Originally an EU standard -Worldwide coverage • A standard used by AT&T and T-Mobile in the United States -Allowed you to move your SIM card (Subscriber Identity Module) from phone to phone • Original GSM standard uses a multiplexing called TDMA -Everyone on a particular frequency would get a little slice of time to complete that communication
IPv6 address compression (IPv4 and IPv6 Addressing)
• Groups of zeros can be abbreviated with a double colon :: -Only one of these abbreviations is allowed per address -Leading zeros are optional e.g. • 2600:DDDD:1111:0001:0000:0000:0000:0001 -Leading zeros can be removed to compress the IP address • 2600:DDDD:1111:1:0:0:0:1 -2+ groups of zeros can be abbreviated with double colons :: to further compress the IP address • 2600:DDDD:1111:1::1 e.g. • 2601:04C3:4002:BE00:0000:0000:0000:0066 -Remove leading zeros • 2601:4C3:4002:BE00:0:0:0:66 -Abbreviate 2+ groups of zeros with double colons :: • 2601:4C3:4002:BE00::66 • You should become accustomed to switching back and forth between a full IPv6 address and its compressed version
Duplex (Introduction to Ethernet)
• Half-duplex -A device that cannot send and receive data simultaneously (it can either receive or send data, but not both at the same time) -All LAN hubs are half-duplex devices -Switch interfaces can be configured as half-duplex, but this is usually only done when connecting to other half-duplex devices • Full-duplex -Data can be sent and received at the same time on the switch interface -A properly configured switch interface will be set to full-duplex -Both the switch and the end station are configured for full-duplex
UPC - Ultra-Polished Connectors (Optical Fiber)
• The two ends of a UPC connector are polished at a zero degree angle, so there is no angle difference between them • This zero degree angle connector will have reflections that come back toward the source.
Disabling unnecessary services (Device Hardening)
• One way to avoid all vulnerabilities that may be associated with a particular service on your computer is to simply disable that service -Every service has the potential for trouble -If a 0-day vulnerability were to appear, it would not be able to execute on your computer because that service is not running on your computer -The worst vulnerabilities are 0-day • Unfortunately, it may be difficult to determine which services are unnecessary and which services must be running on your system -Which services are "unnecessary" isn't always obvious -For example, Windows 7 includes 130 services by default, and Windows 10 has over 240 services • You may have to do a lot of research to determine which of these services can be permanently disabled -Use many different sources -Don't rely on the manufacturer alone • You may have to perform some trial and error to see if turning off a particular service will affect the operation of that particular system -Testing and monitoring • Sometimes you'll know which services can be disabled by the name -For example, if you're using your system as a management workstation, you may find that any services associated with Xbox Live can be disabled -But other services may not be completely obvious. For example, Remote Registry or Secondary Logon may be necessary for the services and applications on this computer to run properly.
Local authentication (Authorization, Authentication, and Accounting)
• Having everything in a centralized database and being able to have single sign-on is very convenient -But there may be times when you do not want to authenticate to a centralized database -In those cases, you may want to use local authentication -So if you're logging into a server, a router, or a switch, you might want to use a set of credentials that are stored on that local device • Many devices that are installed into the infrastructure will have an initial local account configured -Many of them will require during the setup process that you change the password for that local account -That way you can be assured that no one can use default usernames and passwords to gain access to these resources • Local accounts are probably not something that you'd want to use for all users who are logging into this device -If you need to make a change to someone's password, you would have to log in to every single device and manually perform that update -It is difficult to scale local accounts with no centralized administration -This is different from using AAA, where there's a centralized server, and if you need to change your password, you simply change it on that single server • Most people use local accounts to gain access to these devices if the AAA server is no longer accessible -This means that if the AAA server had a problem, you would still be able to access your switches, routers, firewalls, and other infrastructure devices -Useful as a backup
Physical segmentation (Network Segmentation)
• Here's an example of physically separating the switches for customer A and customer B -You can see that the customer A services are on their own physical switch -And customer B is on their own physical switch • There's no connection between these two networks. -This means that for every single customer we have, we may have to put a completely separate physical switch in our rack • So we may need to build out a separate infrastructure every time we bring in a new customer • One of the things you'll also notice is that customer A has 2 devices but has a 24-port switch -Customer B also has only 2 devices, and, again, there's another 24-port switch. -So there's a lot of wasted real estate and interfaces that aren't being used on these two switches.
Example of a DNS record used in DDoS amplification attack (Denial of Service)
• Here's how an amplification attack would look from a DNS perspective. -There are DNS records associated with ISC.org. -Among these records are DNSKEY records. These DNS keys are quite long, because they are keys used for security. • You can simply ask for the DNS key, and the response that you get for the DNS key is going to be quite large. -So the bad guys are able to take advantage of that. -They can ask for a very small piece of information on the inbound side but end up with much more information coming back.
Gaining Access (Authorization, Authentication, and Accounting)
• Here's how the AAA framework operates for someone who might be authenticating to a VPN concentrator -From the client workstation, you would communicate across the network and log in to that concentrator. In this case, it's also a firewall. -Because we have not provided any authentication yet to log in to this VPN, our username and often location information will be passed to an AAA server that's usually somewhere else inside of the network. • The AAA server will authenticate the information provided, and if those credentials match, you're approved to gain access to internal resources. -Now that the authentication has been approved, the VPN concentrator will allow traffic to flow back and forth between your client and the rest of the network. • In this example, we could have chosen a number of different protocols to provide the authentication between the VPN concentrator and the AAA server
DHCP snooping (Switch Port Protection)
• One way to cause problems on a network is to install and launch a rogue DHCP server that then starts handing out IP addresses that are completely different from what you would normally have on your official DHCP server • To prevent this, we can enable DHCP snooping on the switch -This means your switch effectively becomes a DHCP firewall -This allows you to configure certain interfaces on your switch as trusted interfaces, and you would put your DHCP server, or router, or any other device that would act as a DHCP server, on those particular interfaces -IP tracking on a layer 2 device (switch) -You would then define the other interfaces on your switch as untrusted interfaces, such as those connected to other computers or unofficial DHCP servers • This allows your switch to begin watching DHCP conversations, and it will begin adding a list of trusted devices to an internal table in the switch • If your switch happens to see static IP addresses, rogue DHCP server responses, or other invalid traffic on those untrusted interfaces, it can filter that traffic
Identification badges (Physical Security)
• One way to keep track of who may be authorized to be in a particular area is to require the use of an ID badge -The ID badge will probably have a picture, the name of the person, and other details about that person's employment -Must be worn at all times • This ID badge may also be integrated with your door access -Not only is it a way to identify yourself, it also allows you to gain access through locked doors in your facility -It's more than just a visual identification -This could also be a smart card, where the user slides the card into the computer as an additional form of authentication • ID badges commonly use a standard format in the organization -It allows you to quickly identify who may be an employee and who may not be -A standardized format to identify employees, vendors, and contractors -Also train all of the employees that if they see anyone without an ID badge, they should immediately start asking questions
Double tagging example (VLAN Hopping)
• Here's how this double tagging works. We have an attacker's computer and a victim computer. -The attacker is on VLAN 10, and the victim device is on VLAN 20. • Normally, these two devices would not be able to communicate directly with each other -They would have to go through a router at the very least -But by using double tagging, the attacker can hop through both of these switches and have the data end up on a different VLAN • A frame is sent from the attacker side to the victim side -It's an Ethernet frame that has two tags inside of it -One tag for VLAN 10, and one tag for VLAN 20 -That frame will be sent to the first switch, and that switch is going to evaluate the first tag in this frame. That will be the tag for VLAN 10 • It removes that tag, and the frame that's left over still has a tag for VLAN 20 -So it will send it across the trunk to VLAN 20, where the second switch will perform the normal removal of the tag and send the data down to the victim's workstation -Obviously, any data that comes from VLAN 10 should not suddenly appear on VLAN 20 -This double tagging attack allows the attacking device to send information directly to the victim
DNS Poisoning example (DNS Poisoning)
• Here's how this might work -You've got a couple of users that will need access to professormesser.com -There's a bad guy who's going to want to poison the DNS server -And you've got the DNS server itself, which has professormesser.com and the IP address for the web server 1) User number one makes a request to the DNS server and gets the appropriate IP address for that particular domain -The server registers and keeps that information in its cache 2) Before the second user is able to make the exact same request -The bad guy takes control of the DNS server and makes changes so that the professormesser.com address is now pointing to a completely different IP address 3) Now, each subsequent user of the DNS server will still get a response for professormesser.com, but it will contain a completely incorrect IP address -The bad guy now has control of where people will be going every time they type in professormesser.com.
Logical segmentation with VLANs (Network Segmentation)
• One way to maintain this separation but be efficient in the number of devices is to separate these two customers by VLAN -VLAN stands for Virtual Local Area Network • Instead of physically separating these customers, we're logically separating these customers -There's still a separation of networks on this single switch -But customer A is on one VLAN and customer B is on the other VLAN • And even though these two customers are on the same physical switch, these two VLANs cannot communicate with each other • If you do need to enable communication between two separate VLANs, you would use a router or some other layer 3 device -In high-security environments like this one, you may put a firewall in between these VLANs and have the firewall act as the layer 3 device -That would allow customer A and customer B to communicate with each other, but only using the very specific security rules that you configure in the firewall
Decibels (dB) (Wired Network Troubleshooting)
• One way to numerically quantify the strength or loss of a signal is to use decibels -A decibel is literally 1/10 of a bel -dB is the abbreviation of decibel -The B is capitalized in honor of Alexander Graham Bell • Decibels are measured logarithmically -Add and subtract losses and gains • If you were to measure twice the amount of signal across a line, you would say that it had increased by 3 decibels (3 dB = 2x the signal) • If you increase the signal 10 times, the difference is 10 dB (10 dB = 10x the signal) • If you increase the signal 100 times, then the difference is 20 dB (20 dB = 100x the signal) • If the signal increases by 1,000 times, you would say that the increase was 30 decibels (30 dB = 1000x the signal)
Packet shaping (Prioritizing Traffic)
• One way to provide this prioritization is through packet shaping -Also known as traffic shaping • This is used to apply certain bandwidth limits or data rates to a particular type of application • Certain important applications can be set to have higher priority than other apps • There are different ways to implement the higher priority -May be provided in a firewall, in a router, or inside of a switch
ipconfig and ifconfig (Command Line Tools)
• One way you can determine the IP address of a Windows workstation is to use the ipconfig command -On a Linux or OS X device, you would use the ifconfig command • Most of your troubleshooting starts with your IP address -You might need to ping your local router/gateway • Determines the TCP/IP and network adapter information -Also additional IP details such as the subnet mask, default gateway, DNS servers, and any other configuration that is specific to the IP stack • These two commands are very similar. There's only one letter difference between the two -ipconfig is used for Windows TCP/IP configuration -ifconfig is used for Linux interface configuration
Fiber communication (Optical Fiber)
• Optical fiber communicates using wavelengths of light -The visible spectrum • Does not emit a radio frequency signal -Very difficult to monitor or tap from the outside, whereas copper cables carry an electrical signal that creates radio frequency emissions that can be picked up outside the cable -Fiber optic communication does not have a radio frequency or any other type of signal that can be tapped from the outside • The signal is slow to degrade -Optical fiber can transmit over long distances -Copper cables communicate over hundreds of meters of distance; optical fiber can communicate over kilometers of distance • Immune to radio interference, since there is no radio signal -Any external interference with radio frequencies will have no impact on the light that's going through optical fiber
Zero-day attacks (Vulnerabilities and Exploits)
• Our operating systems and the applications that we use on these operating systems are very complex -And undoubtedly, there are vulnerabilities that exist in those applications and in that operating system that we simply haven't found yet -There are researchers all over the world who are trying to find every possible vulnerability they can for every operating system and every application that may be out there • When someone does find a particular vulnerability, it's very common for that researcher to share that information with the developer of that application or the manufacturer of that operating system -There is usually a lot of development work that then takes place to fix or resolve that particular vulnerability -At that point, the manufacturer will usually announce that the vulnerability exists, and they will provide a patch for that particular vulnerability. -For example, Microsoft provides a set of patches once a month, and those patches are designed to address a number of different vulnerabilities that have been found • If you're a bad guy, you don't want to go through the process of having the manufacturer close those particular vulnerabilities -You want to be able to take advantage of those vulnerabilities yourself to gain access to data or systems -Black hat researchers will identify these vulnerabilities that no one else has discovered yet, and they tend to collect them or trade them amongst themselves -They will then create an exploit that takes advantage of those vulnerabilities in order to gain data from those vulnerable systems • Sometimes a vulnerability will be discovered and then made public without the manufacturer having any opportunity to build a patch -We call this a zero-day vulnerability -And if somebody is taking advantage of or exploiting that vulnerability, we refer to that as a zero-day attack -Zero-day exploits are increasingly common -We usually pay close attention when these zero-day attacks are occurring, because very often there is not a patch available to close the vulnerability -In those cases, you'll need to contact the manufacturer of the application or the operating system to see if there's a workaround or patch that can be used against the zero-day attack • It's also a good idea to keep track of all of the different vulnerabilities that may be made public -A good index of these is the Common Vulnerabilities and Exposures database, or the CVE - http://cve.mitre.org/
PPPoE (Point-to-Point Protocol over Ethernet) (WAN Technologies)
• PPPoE is an extension of PPP that encapsulates the PPP protocol within an Ethernet frame -PPPoE stands for Point-to-Point Protocol over Ethernet -The past with the present • Very common on DSL networks -Telephone providers know how to use PPP, so PPPoE is a logical extension of that • Very easy to implement a PPPoE connection -It is supported in most operating systems -No complex routing decisions needed -The architecture of PPPoE is very similar to the operation of a dial-up network • PPPoE gives you some choice in your internet provider -PPPoE is used to connect to the network, and then you decide which Internet Service Provider you'd like to use
Examples of Packet Switching Networks (Circuit Switching and Packet Switching)
• Packet switching would be associated with network technologies that you have probably already heard of: -Synchronous Optical NETworking (SONET) or Asynchronous Transfer Mode (ATM) -DSL at home -Older frame relay networks -Multiprotocol Label Switching (MPLS) -Cable modem -Satellite -Wireless
CoS (Class of Service) -Managing QoS (Prioritizing Traffic)
• Part of a standard for managing QoS -Can be configured on an OSI Layer 2 network -Prioritization is performed inside the Ethernet frame header in an 802.1Q trunk -Usually applied inside the intranet (not from an ISP), since we don't commonly have a trunk connection to our ISP • Some environments allow you to run both CoS and DiffServ to set the proper priorities for the applications and devices inside of the network
DiffServ (Differentiated Services) -Managing QoS (Prioritizing Traffic)
• Part of a standard for managing QoS -This standard is used if quality of service at layer 2 inside of a trunk is a bit confining -Can be configured at OSI Layer 3 -QoS bits are modified in the IPv4 header -Bits are set outside of the application -A device on the network would recognize the application and then set the proper bits inside of the header -Normally done inside of routers or firewalls that have the DiffServ capability • The values that are applied in the IP header are DSCP (Differentiated Services Code Point) values. -These are set in the IP header in a very specific field called DS (Differentiated Services) • Some environments allow you to run both CoS and DiffServ to set the proper priorities for the applications and devices inside of the network
Physical network maps (Network Documentation)
• Physical network maps will show individual components inside of the network -They will identify specific interfaces on devices -May show IP addressing • May give you an idea of exactly where wires and cables are running between different devices -This follows the physical wire and device • Some physical network maps will show the physical layout of the rack in the data center -You can show the rack diagram to a third party who has never seen the rack before, and they'll know exactly which component you are referencing
Ping (Command Line Tools)
• Ping is the tool that you would use the most for your network troubleshooting -A way to test the reachability from your machine to another somewhere on the network -It gives you an idea of the round-trip time between you and this other device -Uses Internet Control Message Protocol (ICMP) to send these messages across the network • One of your primary troubleshooting tools -Ping is usually the first thing you try to make sure that you can access a device across the network -And it's usually the last thing that you try after troubleshooting to make sure that the device is now available • The ping utility was written by Mike Muuss in 1983 -Named after the sound made by sonar -Not an acronym for Packet INternet Groper (that is a backronym)
PoE specs (Switch Interface Properties)
• PoE: IEEE 802.3af - 2003 -The original PoE specification • Included in 802.3at - 2009 -Now part of 802.3 - 2012 -Provides 15.4 watts of DC power -A maximum current of 350 mA (milliamps)
ARP poisoning (spoofing) example (Man-In-The-Middle)
• Here's how this process works. -We have two devices on the network - there's a workstation, a laptop that is 192.168.1.9, and we also have a router on this network that is 192.168.1.1, and each one has its own MAC address. -Now normally, when the workstation needs to communicate out to the router, it needs the router's MAC address. So it sends an ARP request asking who out there has the MAC address for 192.168.1.1. -That is sent as a broadcast to everybody on the subnet, which means the router will see that request and it will respond back saying, oh, I'm 192.168.1.1, and here is my MAC address 00:09:5b:d4:bb:fe. -When that information gets to the workstation, it will store that information so that it doesn't have to constantly ask over and over for that MAC address. -It stores it and makes a note that if I need to get to 192.168.1.1, I'll use this MAC address to communicate. • It's this ARP information the bad guys will take advantage of. -We have a bad guy in between both of those devices -His IP address is 192.168.1.14 and the associated MAC address is aa:bb:cc:dd:ee:ff, which should be something easy to look for. -What the bad guy will do is send his own ARP reply to the workstation, saying that I am 192.168.1.1, and here is my MAC address. -The end station sees that and puts the updated information into its ARP cache. -So now the ARP entry has changed, and any time this workstation sends information to the router, it's going to send it to the bad guy's device first, which will then forward it on. -He is now the man-in-the-middle.
Extending the math (Binary Math)
• Powers of two -These will be useful for binary calculations and subnetting: 2¹² = 4,096; 2¹¹ = 2,048; 2¹⁰ = 1,024; 2⁹ = 512; 2⁸ = 256; 2⁷ = 128; 2⁶ = 64; 2⁵ = 32; 2⁴ = 16; 2³ = 8; 2² = 4; 2¹ = 2; 2⁰ = 1
Power over Ethernet (PoE) (Switch Interface Properties)
• Power provided over an Ethernet cable -One cable for both data and power -Used for VoIP phones, cameras, wireless access points -Useful in difficult-to-power areas • Some switches provide power from the switch itself -This is called Endspan Power over Ethernet (built-in power) -If the switch itself does not provide Power over Ethernet, then a Midspan (in-line power injector) is used • Two power modes are provided over PoE -Mode A - provides power on the same wires that carry data -Mode B - provides power on the spare wires, which carry no data on links below gigabit speeds
Port security operation (Access Control)
• Here's how this works -You would configure your switch with a maximum number of MAC addresses that would be allowed on a particular port on that switch -You get to decide whether it's a single MAC address or whether there may be more addresses associated with that particular switch port • The switch will then monitor all of the devices that connect to that port -And it will keep a list of all of the MAC addresses • If the number of MAC addresses seen on a particular interface exceeds what's configured inside of the switch -The default is to disable the interface completely • That means if someone has a computer on their desk and they're connecting to the switch -You might configure port security to only allow one single MAC address for that particular interface • If someone disconnects the network cable from that desktop computer and plugs it into their own device, the number of MAC addresses seen on that particular interface would now be two -That would exceed the port security that was configured for that particular interface -That means with the default configuration, the interface would be disabled, and you would have to administratively re-enable the interface to regain access to that particular port
Cable tester (Hardware Tools)
• How would you know that the crimp is actually working after performing a crimp? • One way to tell is to put a cable tester on the wire -It is relatively simple -This performs a continuity test across the wire, so you can very quickly see if pin 1 is connecting to pin 1, if pin 2 is connecting to pin 2, and so on • If something did go wrong, this cable tester can also tell you if pin 3 isn't connecting to anything on the other side, or if any wires may have been crossed between any of the pins • These cable testers are relatively simple devices -They usually have about eight lights on them -If the light turns on, you have continuity, and if the light doesn't turn on, something's gone wrong with your crimping -Not usually used for frequency testing -If you need more advanced analysis of the cable, like crosstalk information or signal loss across the wire, then you'll probably want to bring in a TDR, or Time Domain Reflectometer -A TDR is used for testing for crosstalk, signal loss, etc.
Finding Router (Configuring IPv6)
• ICMPv6 adds the Neighbor Discovery Protocol • e.g. On this network, we have a workstation, and we have a local router. But at this point, the workstation doesn't know where that router happens to be. -Router Solicitation (RS) sends an IPv6 multicast to all IPv6 routers -All IPv6 routers are listening on that multicast address -If they receive a router solicitation, they'll send back a unicast frame that is a Router Advertisement (RA) advertising the MAC address of that local router • IPv6 routers will occasionally send unsolicited router advertisements -These are sent to the multicast destination ff02::1 • RAs are also used to transfer IPv6 address information, the prefix value, the prefix length, etc. -Sent as a multicast
Subnetting the network example 1.3 (Seven Second Subnetting)
• IP Address 192.168.1.0 • Subnet Mask 255.255.255.0 • We can use the powers of 2 for faster subnetting • The IP is already a /24, so the first 24 bits are taken: 11111111.11111111.11111111.00000000 • The powers of 2 show that 2² equals 4 subnets, so we have to borrow 2 bits: 11111111.11111111.11111111.11000000 -11111111.11111111.11111111 is the network (24 bits) -11 is the subnet (2 bits) -000000 is the host (6 bits) • Total subnets = 2 bits = 2² = 4 • Hosts per subnet = 6 bits = 2⁶ = 64 - 2 = 62 • This equals 4 subnets with 62 hosts per subnet
Subnet Calculations example 1 (Classful Subnetting)
• IP Address : 10.74.222.11 -Find the subnet class: -Class A; the default subnet mask is 255.0.0.0 -Network portion = 10 -Host portion = 74.222.11 • To calculate the network address, all host bits are set to 0 -It is 10.0.0.0 for this subnet • To find the first host address, you add one to the network address = 10.0.0.1 -This is the first host address you can use = 10.0.0.1 • To find the broadcast address, all host bits are set to 1 in binary -Broadcast IP address = 10.255.255.255 • To find the last available host address, you subtract 1 from the broadcast IP address (10.255.255.255) -Broadcast IP address minus 1 = 10.255.255.254
Subnet Calculations example 2 (Classful Subnetting)
• IP Address : 172.16.88.200 -Find the subnet class: -Class B; the default subnet mask is 255.255.0.0 -Network portion = 172.16 -Host portion = 88.200 • To calculate the network address, all host bits are set to 0 -It is 172.16.0.0 for this particular subnet • To find the first host address, you add one to the network address = 172.16.0.1 -This is the first host address you can use = 172.16.0.1 • To find the broadcast address, all host bits are set to 1 in binary -Broadcast IP address = 172.16.255.255 • To find the last available host address, you subtract 1 from the broadcast IP address (172.16.255.255) -Broadcast IP address minus 1 = 172.16.255.254
Subnet Calculations example 3 (Classful Subnetting)
• IP Address : 192.168.4.77 -Find the subnet class: -Class C; the default subnet mask is 255.255.255.0 -Network portion = 192.168.4 -Host portion = 77 • To calculate the network address, all host bits are set to 0 -It is 192.168.4.0 for this particular subnet • To find the first host address, you add one to the network address = 192.168.4.1 -This is the first host address you can use = 192.168.4.1 • To find the broadcast address, all host bits are set to 1 in binary -Broadcast IP address = 192.168.4.255 • To find the last available host address, you subtract 1 from the broadcast IP address (192.168.4.255) -Broadcast IP address minus 1 = 192.168.4.254
Networking with IPv4 (IPv4 Addresses)
• IP Address, e.g., 192.168.1.165 -Every device needs a unique IP address • Subnet mask, e.g., 255.255.255.0 -Used by the local device to determine what IP subnet it belongs on -The subnet mask isn't (usually) transmitted across the network -You'll have to ask for the subnet mask all the time • With just the IP address and the subnet mask, you're able to communicate with other devices on your local network -But if you ever want to communicate outside of your local IP subnet, then you'll need the default gateway or router IP address. • Default gateway, e.g., 192.168.1.1 -The router that allows you to communicate outside of your local subnet -The default gateway must be an IP address on the local subnet • To communicate with other devices on the local subnet and with devices outside of my local subnet, I'll need to provide the IP address, the subnet mask, and the default gateway
Defining Subnets example 1 (Calculating IPv4 Subnets and Hosts)
• IP address : 10.0.0.0 -Class A, subnet mask is 255.0.0.0 -"Classful" addressing -Binary notation : 11111111.00000000.00000000.00000000 -Decimal notation : 255.0.0.0 -CIDR notation : /8 -Network = 8 bits -Host = 24 bits • Very unusual to have millions of hosts on a single subnet • We could borrow 16 bits after the network portion to create different subnets and leave 8 bits for the host -This is referred to as "Classless" addressing, since we are using our own subnet mask -Binary notation : 11111111.11111111.11111111.00000000 -Decimal notation : 255.255.255.0 -CIDR notation : /24 -Network = 8 bits -Subnet = 16 bits -Host = 8 bits
DHCP Leases (Configuring DHCP)
• IP address leases -They're only temporary, since there is a lease time -Once the IP address is received, the lease begins to count down -But it can seem permanent • Allocation -A lease time is assigned by the DHCP server -The lease time is usually set in the DHCP server configuration • Reallocation -Reboot your computer to regain the same lease (if available) -The lease is confirmed and the lease timer is reset • Workstations can also manually release the IP address -For example, when moving to another subnet -You don't have to wait for the timer to expire to give up that IP address -The IP address will now be available to others in the pool
RFC 1918 Private IPv4 Addresses (Network Address Translation)
• IP address range : 10.0.0.0 - 10.255.255.255 -Number of addresses : 16,777,216 -Classful description : single class A -Largest CIDR block (subnet mask) : 10.0.0.0/8 (255.0.0.0) -Host ID size : 24 bits • IP address range : 172.16.0.0 - 172.31.255.255 -Number of addresses : 1,048,576 -Classful description : 16 contiguous class Bs -Largest CIDR block (subnet mask) : 172.16.0.0/12 (255.240.0.0) -Host ID size : 20 bits • IP address range : 192.168.0.0 - 192.168.255.255 -Number of addresses : 65,536 -Classful description : 256 contiguous class Cs -Largest CIDR block (subnet mask) : 192.168.0.0/16 (255.255.0.0) -Host ID size : 16 bits • Not routable on the internet -Used inside the organization
IP address spoofing (Spoofing)
• IP address spoofing is very similar to MAC address spoofing -Except with IP address spoofing, you're taking the IP address of another device -Or you are pretending to be a device that isn't even on the network • This may be something completely legitimate -For example, using multiple spoofed IP addresses to perform load balancing or load testing • But sometimes a spoofed IP address is used for malicious/illegitimate reasons -It may be performed during ARP poisoning -Or you often see spoofed IP addresses used for things like DNS amplification in a distributed denial of service attack • Since only a certain range of IP addresses should be associated with a particular IP subnet -It's a lot easier to detect a spoofed IP address than it is to detect a spoofed MAC address -It can be very easy to configure rules in a firewall to help block unwanted traffic or traffic that might be spoofed with a fake IP address
DHCP (DHCP Addressing Overview)
• IPv4 address configuration used to be manual -Required the IP address, subnet mask, gateway, DNS servers, NTP servers, etc. • In October 1993, the Bootstrap Protocol (BOOTP) was created -BOOTP didn't automatically define everything; some manual configuration was still required -BOOTP also didn't know when an IP address might be available again • Dynamic Host Configuration Protocol (successor to BOOTP) -Initially released in 1997 and updated through the years -Primary automatic configuration protocol for IPv4 -Provides automatic address / IP configuration for almost all devices
DHCP (Assigning IPv4 Addresses)
• IPv4 address configuration used to be manual -Such as configuring the IP address, subnet mask, gateway, DNS servers, NTP servers, etc. • In October 1993, the Bootstrap Protocol (BOOTP) was created • BOOTP didn't automatically configure everything that was needed -Some manual configuration was still required -BOOTP also didn't know when a lease was up and an IP address might be available again • Dynamic Host Configuration Protocol -Initially released in 1997 and updated through the years -Provides automatic address / IP configuration for almost all devices
Calculating subnets and hosts (Calculating IPv4 Subnets and Hosts)
• Powers of two: 2¹⁶ = 65,536, 2¹⁵ = 32,768, 2¹⁴ = 16,384, 2¹³ = 8,192, 2¹² = 4,096, 2¹¹ = 2,048, 2¹⁰ = 1,024, 2⁹ = 512, 2⁸ = 256, 2⁷ = 128, 2⁶ = 64, 2⁵ = 32, 2⁴ = 16, 2³ = 8, 2² = 4, 2¹ = 2 • To use this chart, look at the number of subnet bits that we've borrowed and raise 2 to that power to determine the total number of subnets available to us • Number of subnets = 2ˢᵘᵇⁿᵉᵗ ᵇⁱᵗˢ • Hosts per subnet = 2ʰᵒˢᵗ ᵇⁱᵗˢ - 2 • To determine the number of hosts available per subnet, raise 2 to the number of host bits and then subtract 2 from that -One of those addresses is the subnet (network) address, and the other is the broadcast address -Everything left is the number of usable hosts on each individual subnet
Z-Wave (Internet of Things Topologies)
• Primarily used for home automation networking -Can control lights, locks, garage doors, etc. • It communicates through wireless mesh networking -These nodes can hop through other nodes on the way to the destination • Commonly communicates over the 900 MHz ISM band (the Industrial, Scientific, and Medical band) -No special license required to use those frequencies -The 900 MHz band does not conflict with the 802.11 band that runs in your home
Protocol analyzer (Software Tools)
• A protocol analyzer is used to troubleshoot network slowdowns or application traffic flows -Used to solve complex application issues -This allows you to get into the details of the issues • It captures every frame going back and forth between devices across the network, or captures traffic as it is going through your wireless networks • A protocol analyzer can be software that runs on a computer -Or built into devices such as routers, switches, or other devices in your network • Using these protocol decodes, we can see a frame-by-frame representation of exactly what has gone through the network -We can see the hexadecimal breakdown of the data within those frames, and we can get a protocol decode that gives us a plain English explanation of exactly what's inside of that frame -Used to view traffic patterns -Can identify unknown traffic -Verifies packet filtering and security protocols • These protocol analyzers are not only good for providing information for network troubleshooting -If you're storing large amounts of these packets at scale, you can also find security issues that may be hiding in those frames -Can be used for big data analytics
Quad Small Form-factor Pluggable (QSFP) (Network Transceivers)
• Quad Small Form-factor Pluggable is for very high speed networking -It has four SFPs put into a single transceiver -This means a 4-channel SFP can support four 1 Gbit/s connections, which = 4 Gbit/s • For higher speed, we can use a QSFP+ -This is a four-channel SFP+ which has four 10 Gbit/s connections, which = 40 Gbit/s • There is a cost savings in fiber and equipment by combining the four individual transceivers into a single transceiver -Not only saving money on fiber but also on the amount of equipment that needs to be supported • QSFP and QSFP+ are available in Bi-Directional (BiDi) versions -By combining the bidirectional features available in transceivers, very high speeds can be supported over a single strand of fiber optic -Additional efficiency over a single fiber run
Subnetting the network example 1.1 (Seven Second Subnetting)
• Question: -We need an IP addressing scheme with more than one network address that can support 40 devices per subnet. -4 different networks are provided • Here is your IP address assignment: -Network : 192.168.1.0/24
RJ11 connector (Copper Connectors)
• The RJ11 connector is called a 6 position, 2 conductor connector, or 6P2C -There are six positions on the connector, but only two conductors are in use • If it is an RJ14 cable, that means it may be using dual lines -It fills in two more of these wires to be a six position, four conductor connector -RJ14 uses 6P4C for dual-line use -4 conductors are being used • RJ stands for Registered Jack • Used for telephones, modem connections, the Public Switched Telephone Network (PSTN), Plain Old Telephone Service (POTS) -You should be familiar with the RJ11 connector
RJ45 connector (Copper Connectors)
• The RJ45 connector is a modular connector, a bit larger than RJ11, used for Ethernet -It is an 8 position, 8 conductor (8P8C) connector -Gigabit Ethernet uses all eight of those conductors -If you're connecting an Ethernet network over copper, then you're using an RJ45 connector • RJ stands for Registered Jack
ipconfig /release (Command Line Tools)
• Releases the DHCP lease on a Windows system
Distributed switching (Software Defined Networking)
• Removes the physical segmentation of the network -This virtualizes the networking, so that individual services can be grouped together into their own VLAN, regardless of where the actual server resides. • When a VM moves, the network configuration doesn't change -Servers will always connect to the right VLAN -No impact to any type of communication or connectivity • This groups together the different resources into their own individual VLANs • e.g. : -We have a physical switch -Connected to the physical switch are physical virtualization platforms -Within the physical virtualization platforms, we have virtual server software -Then we have a layered distributed switch which is grouping together the different resources into their own individual VLANs
Spear phishing (Phishing)
• If a phisher is really good, they're going to direct their efforts towards a very narrow group of people and try to customize the email or the messages that they present in front of them -This is called spear phishing -It's a way to really focus in on a narrow group of people and try to construct a front-end and a message that would seem very legitimate to the end user -Phishing with inside information makes the attack more believable • If somebody is going after a CEO or somebody at a very high level within a company, that type of spear phishing is called whaling -This is a more direct phishing method • A good example of spear phishing occurred in April of 2011 at Epsilon -This was a very focused attack where fewer than 3,000 email addresses were sent a phishing message -100% of the emails were received by operations staff -Users did click on the links inside of the email, which downloaded an anti-virus disabler, installed a keylogger, and installed a remote administration tool • If you really want to customize your phishing attack and make it seem legitimate, you might make the emails appear to come from the human resources department -That's what happened in April of 2011 at the Oak Ridge National Laboratory -There were only 530 employees targeted, but 57 people clicked and ultimately infected two devices -Those two devices ended up having data downloaded from them and infected the servers with malware, just from those two people clicking this very focused spear phishing attack
STP port states (Spanning Tree Protocol)
• If a port on a switch has been configured to use STP, there is a certain set of states that port can be in: • Blocking state -It is not forwarding data, to prevent a loop -Administratively blocks traffic from going through the port • Listening state -Not forwarding data and cleaning the MAC table -Listening to other STP devices that might be on the network • Learning state -Not forwarding data and adding addresses to the MAC table -Will start adding STP devices to an STP table • Forwarding state -Data passes through and the port is fully operational • Disabled state -Administrator has turned off the port -No data passing through
Balancing the load (Advanced Networking Devices)
• If a service is being provided to end users, then the biggest concern is to make sure that the service remains available and responsive when people try to use it -One way to provide both uptime and availability for the application is to implement some type of load balancing -Load balancing is an invisible process to the end user • Load balancers are often used for large scale implementations of web servers, database servers, and other major services on the network • When we're implementing these load balancers for fault tolerance, we're usually putting multiple servers behind the load balancer -Server outages have no effect as other servers are available -If one server fails, all of the other servers are still available to provide that service to the end user -A very fast convergence when one server fails
Patch management (Process Monitoring)
• If a vulnerability is discovered on a device, then it may be time to patch -You can always apply patches when they're released to provide additional stability or a security fix to an operating system or an application -Incredibly important • With Microsoft Windows, a number of patches can be combined together to create a service pack -It makes it very easy to apply a large number of patches at a single time to bring the OS up to a particular state -Patches are applied all at once • Microsoft and other organizations will release patches every month -These are monthly updates and incrementally update your OS -Look through all of the notes associated with that monthly update and make sure that all of your systems are patched • On rare occasions, you may find that a patch does not follow the monthly update and it's more of an emergency patch that needs to be pushed out immediately -The zero-day patches are usually created to address a very significant security concern/discovery -If an emergency or out-of-band update appears, find out more information about that immediately
Names not resolving (Network Service Troubleshooting)
• If domain name services aren't working, then you're going to have a difficult time resolving an IP address from a fully-qualified domain name -Web browsing and other applications aren't going to work, and it will seem as if the entire internet is down -A difficult time resolving an FQDN to an IP address • You may want to try pinging IP addresses instead of a fully-qualified domain name to see if you at least have connectivity to the network -If you are able to ping these other devices by IP address, then you don't have a network connectivity issue • Of course, our applications commonly use fully-qualified domain names instead of IP addresses -If you're not able to make that resolution, your applications are not going to be able to function -Applications might not be communicating if they are not able to make the DNS resolution -They often use FQDNs and not IP addresses
CSU/DSU - Channel Service Unit / Data Service Unit (WAN Termination)
• If it's a traditional T1 or T3 connection, your customer premises equipment may first be a CSU/DSU -This is a Channel Service Unit/Data Service Unit -It sits between the router and the circuit that was just installed from the demarc • The CSU part of this device connects to the network provider side • The DSU part of this device connects to your Data Terminal Equipment or DTE -This is commonly a router that you might have in your environment -It provides the conversion between the provider's digital WAN and a serial connection that can be understood by the router • A CSU/DSU can be an external device, but you often see the CSU/DSU functionality built directly into a router -The circuit comes directly from the demarc and connects immediately into the router; the internal CSU/DSU then performs the same functions as it would have in an external device
Light meter (Hardware Tools)
• If you're running your own cable and crimping RJ45 connections, it's very common to use a cable tester to make sure there's continuity for all eight of those pins • If you're running fiber connections, you may want to perform similar tests on the fiber -On fiber, we're not checking for continuity -For fiber, we want to see just how much light is making its way from one side of the fiber to the other -Sometimes you just need to know how much light is getting through -One of the most important things to know when installing fiber equipment -In those cases, we use a light meter that will be able to tell us exactly how much of our signal is making it through that fiber run • These light meters send light from one side -This may be a laser or an LED, depending on the light meter and the type of fiber that we're using -And then we have a device that measures how much of that light we're able to receive on the other side • If you have a very long fiber run and you're concerned that your equipment may not be able to see all of the light coming through, it's useful to use a light meter to see exactly what the results will be once you connect your production equipment
The DNS Resolution Process (An Overview of DNS)
• The resolver (laptop) will attempt to find the IP address of www.professormesser.com • The device is configured for a local name server -The local name server might be within the organization or it might be a third-party name server -A request is sent to the local name server for the IP address • If the local name server does not have the IP address cached, it starts to ask other name servers for the IP -The name server then queries the root server • The root server responds that anything ending in .com will need to go to the .com name server -A root response is sent to the local name server • The local name server will then talk to the .com DNS server -The name server queries the .com name server • This server will have a list of the name servers for professormesser.com -This is the .com response that is sent to the local name server -This information is provided to the local name server • The local name server will then query the professormesser.com name server directly -The name server queries the specific domain server -It will contain the IP address associated with professormesser.com -The domain server responds to the name server • The local name server will let the resolver know what the IP address is for the site -The name server provides the result to the local device • The results are now cached locally on the local name server -It caches the results so others can get the information from the local cache instead of going through all of those queries over again
ARP - Address Resolution Protocol (Common Ports)
• Resolves IP addresses to MAC addresses
Dynamic routing (Static and Dynamic Routing)
• Routers send their routes/updates to other routers -Routing tables are updated in (almost) real time • Advantages -No manual route calculations or management -New routes are populated automatically -Very scalable • Disadvantages -Some router overhead is required (CPU, memory, bandwidth) -Requires some initial configuration to work properly between all the different routers
Log management (Process Monitoring)
• Routers, firewalls, switches, servers, and other devices on the network can gather an enormous amount of information -It is usually provided to you by way of a log file -It is very common to collect all of this log data so you are able to understand exactly what may have happened in the past • There's usually a central point where all of these log files are consolidated -They're usually sent from all of these different devices using the standard syslog protocol -You are going to be collecting a lot of log files on this consolidated server -You need to make sure you have as much storage space as possible • As a better way to manage this storage space, some people will roll up the data into larger intervals as time goes on -As an example, you may be gathering performance information across all of your devices every minute. This allows you to create a very detailed graph of exactly what happened every 60 seconds at the end of the day -But after 30 days, the granularity of that 1-minute data point may not be as important to you. So at the end of 30 days, you may roll up the information into 5-minute samples. This means you no longer have to store that 1-minute interval, and can simply store the 5-minute breakdown -Then at the end of 30 days, you can take an average of the entire period for an hour and simply store a single hourly value for that period.
SC - Subscriber Connector (Optical Fiber Connectors)
• SC connector is commonly referred to as a: -Subscriber connector -Standard connector -Or visually as a square connector • The square connector is very different than the rounded connector on the ST connector -Contains plastic keys on the sections of the square so that it is connected the right way to the networking equipment -Still has the round ferrule in the middle that contains the fiber optic • These push into a connection, and then pull out -Very different than the bayonet connector on the ST connector
SIP (Session Initiation Protocol) trunking (WAN Technologies)
• SIP is the Session Initiation Protocol -One of the more popular control protocols used for Voice over IP communication • With a traditional business PBX you bring in T1 lines or ISDN connections to provide voice channels -You would also have a separate wire going to every desk for the telephone on everyone's desktop -23 voice channels, 1 signaling channel -When you fill up all of those 23 voice channels, people calling in would get a busy signal • With SIP trunking: -It uses a SIP/VoIP connection to an IP-PBX provider that allows you to communicate using Voice over IP • This is a more efficient use of bandwidth -You can control the compression being used on the VoIP calls -Can support much more capacity than a traditional ISDN or T1 connection -It's less expensive than ISDN lines -And you have many more options available with digital Voice over IP communication
SNMP v1 (Event Management)
• SNMP version 1 was the original version of SNMP -It allowed the management station to send a single query to the device and get a single response from that device -That response was also sent over the network in the clear -There was no encryption associated with SNMP version 1 -Structured tables
SNMP v2 (Event Management)
• SNMP version 2 added a number of additional enhancements -One of those was that the management station could request many different items at one time and receive a bulk response in return -But like SNMP version 1, there was no encryption associated with SNMP version 2
System labeling (Network Documentation)
• The same thing can apply for the servers that are in use -With a physical device in the data center, there needs to be some way to tell someone else exactly which component you are referencing -There needs to be a standard reference • That can be done by creating a unique system ID for every device -Associate an asset tag with the system -A system name and a serial number • It'll need to be clearly visible on those devices -Especially in a data center -This makes it easy to find in the rack when you hand someone else the documentation of exactly what you need to have performed on that exact device
Satellite networking (WAN Transmission Mediums)
• Satellite communication is communication to space -Communication to a satellite -A non-terrestrial communication • It has a high cost relative to terrestrial networking -Obviously it is going to be slightly more expensive than a traditional terrestrial connection -Throughputs of 50 Mbit/s down & 3 Mbit/s up are common -It is common to have satellite networks installed as the WAN in locations that might be difficult to network or that don't have access to a cable modem or a DSL connection • It needs to send signals up to a satellite and down to earth again, which gives it a high latency compared to terrestrial networks -Some of the best-case latency response times might be 250 ms up, 250 ms down • Commonly uses high frequencies to communicate, usually in the 2 GHz range -It requires a line of sight to communicate, with nothing in the way between you and the satellite -It is common to get rain fade when rain clouds come in -This causes the connection between you and the satellite to be disrupted by all the water and clouds that are in between you and the satellite -You will need to wait for the clouds to leave to re-establish the network communication again
Counting antennas (Wireless Network Technologies)
• Sending data also changed -Prior to 802.11n, we would simply send a single stream of information between point A and point B • 802.11n and 802.11ac introduced a new way to send data -Being able to send multiple streams of information over the same frequency at the same time -802.11n introduced MIMO - Multiple-Input and Multiple-Output -802.11ac improved this to MU-MIMO - Multi-user MIMO • The ability to provide MIMO is very dependent on the number of antennas available on a particular device -Used to determine the number of available streams -(Antennas on the access point) x (antennas on the client) : number of streams -Noted as 2x2:2, 3x3:2 -e.g. 2x2:2 = 2 antennas on the access point, 2 antennas on the client, & can support a maximum of 2 streams -On higher end equipment, you may see 4x4:4 = 4 antennas on the AP, 4 antennas on the client, & supports up to four simultaneous streams
Routing (Static and Dynamic Routing)
• Sends IP packets across the network through different routers -These routers make forwarding decisions based on the destination IP addresses • Each router only knows the next step -The packet asks for directions at every hop along the way -The list of directions is held inside every single router called a routing table • Different topologies use different data link protocols -Ethernet, HDLC, etc. -Each router rewrites the frame to add its own data-link header -The IP packet remains intact
Collision Domains example (Broadcast Domains and Collision Domains)
• Separated by switch/bridge interfaces • One side of the network can be its own collision domain and the other side a different collision domain • Collision domains can be segmented as networks grow larger and larger; this limits the impact collisions will have on a particular group of devices • Modern networks contain a switch in the middle of the network that removes collision domains and supports full-duplex -Everyone can send/receive simultaneously
Physical network maps (Network Topologies)
• Shows what devices are on the network -Shows the physical cable connections from one interface to another • Common to create a map to where devices might be installed in a particular rack -Makes it easy to enter a data center, go to a specific rack, and identify exactly the piece of equipment that is listed in the documentation • Follows the physical wire and device -Can include physical rack locations
Preventing a logic bomb (Logic Bombs)
• Since it's difficult to identify a logic bomb using traditional anti-virus or anti-malware signatures -One way that you can stop a logic bomb is by implementing formal change control processes and procedures -Formal change control • You know that this system is not going to change unless someone has gone through the change control process -Then you have to monitor that nobody has made any changes -If a file changes inside a SCADA system, it should alert and inform you that changes have been made • A host-based intrusion detection system can help here - for instance, Tripwire, a very common piece of software for that -It can alert the administrators that somebody has changed something on that computer • And of course constant auditing of these systems -So that you may perform your own tests to make sure that nothing has changed with the operating system or any of the applications running on any of those devices -An administrator can circumvent existing systems
Security type mismatch (Wireless Network Troubleshooting)
• Since our wireless signals are going through the air, it's always important that we encrypt all of the communication we send over these wireless networks -And whenever we're connecting a client to the wireless network, the client's encryption must match what's set on the access point • This isn't usually a problem, because most of our devices these days are using WPA2 as the encryption type • If you have any legacy equipment that does not recognize WPA2, those devices may have problems connecting to our modern wireless networks -If you change the access point, you may not be able to support it • Because of security issues associated with earlier encryption types, you may want to make sure that everyone is using at least WPA2 on both their devices and your access points -Migrate all of your WEP to WPA2 due to security issues -And any WPA
Single-mode fiber (Optical Fiber)
• Single mode fiber is commonly used for long-range communication -Can go up to 100 kilometers without having to reprocess that signal • Single-mode fiber comes at a financial cost since it uses a more expensive light source -Laser beam • The core of single-mode fiber is much narrower than MMF allowing it to send that single mode from one end to the other
Interface monitoring (Event Management)
• If you're setting up a monitoring system on the network, then one of the key components you're going to monitor will be interfaces -You need to know whether an interface is up or whether the interface is down -This can often be one of the most important things to know about that particular device -If an interface has been available and suddenly changes to an unavailable state, then you'll probably want to open some tickets and have someone investigate -The monitoring of an interface doesn't require any special rights or special permissions -Simply ping the interface to see if it's still running. Green would obviously designate that the interface is up and running, and a red interface would be one that is no longer responding to our queries. • These are commonly automated functions -They continue to run all day, every day, periodically -If an interface is suddenly unavailable, you'll probably want to create some alarms and alerts based on these availability checks -You want to notify the proper team should that particular device no longer respond -Send notifications such as opening a ticket in the helpdesk system, via email, via text, or both email & text • Since these interfaces are being queried so often, you can create short-term and long-term reports that show the uptime and availability of these devices • This interface monitoring may provide only a basic up or down statistic -If you want to gather more details about what is happening with that interface, then you may want to implement Simple Network Management Protocol and constant queries against very specific management information base details.
IP configuration issues (Network Service Troubleshooting)
• If the IP configuration on your device is not correct, you may see a number of different symptoms • One of these might be that you can communicate with local IP addresses, but you're not able to communicate with IP addresses on a different subnet • Or you may find that there's no IP communication at all, and you can't communicate with devices on your local subnet or a remote subnet • Or you may find that some IP addresses on your local subnet are accessible, but others are not accessible from your machine
UTM / All-in-one security appliance (Advanced Networking Devices)
• If the environment is relatively small, you may be able to combine the functions of routers, intrusion detection systems, firewalls, proxies, VPN concentrators, and more into a single security device • This device is called a Unified Threat Management (UTM) appliance -Also referred to as a web security gateway • A UTM can be used for/as: -URL filter / content inspection -Malware inspection -Spam filtering -CSU/DSU hardware can be integrated in the same chassis if it's connecting to a WAN -Can provide Layer 3 routing and even Layer 2 switching on certain UTMs -Firewall functionality -IDS/IPS functionality -Bandwidth shaper to prioritize certain applications that are communicating to the internet -VPN concentrator • All of these functions can run at the same time within the same chassis with a UTM
Hardware failure (Network Service Troubleshooting)
• If the server that is hosting that application is having a problem, the issue may look similar to the service not responding -The application wouldn't respond either • We're going to first confirm the connectivity -If we do have a hardware failure, we're probably not going to receive a response to a ping -Without a ping response, you're not going to connect • We can also confirm with a traceroute -We can see exactly what hops we're going through to get to that server, and we can also see that the server is not responding to that traceroute -We can see if you're being filtered -The traceroute should make it to the other side, but the server might not respond • At that point, we want to check the physical server ourselves -Or we'll need to contact the help desk or server administrator to see if they can find out why that server is not responding
InfiniBand (Network Storage)
• If there is a need for very high speeds with your storage area network, you'll need InfiniBand -It is a high speed storage topology -It is very focused on speed, and it has its own switches and adapter cards, very similar to the way that something like Fibre Channel might be implemented -This is an alternative to Fibre Channel • We can connect to the storage area network with both copper and fiber -Using QSFP connectors • Commonly used in research and supercomputers -This is designed for high speeds and low latency -100 Gbit/s and 200 Gbit/s speeds are common with InfiniBand networks -Links can be aggregated for higher throughput, such as 4x, 8x, and 12x links
Straight-through cables (Copper Termination Standards)
• If we are connecting a workstation to a switch, then we are usually using a straight through cable -Also called patch cables -One of the most common ethernet cables -Connects workstations to network devices (such as a switch) • All pins connect straight through from one side to the other
Something you are (Multi-factor Authentication)
• If we extend these authentication factors down to a person themselves, we're using a factor of something you are, a biometric authentication -This could be something like a fingerprint, an iris scan, or a voiceprint • Biometrics does not usually store a picture of your fingerprint or your iris -But instead creates a mathematical representation of what you happen to be -And stores that information to be able to reference later • These types of authentication factors would be very difficult to physically change -The password is an authentication factor we can change often -But our fingerprint is a type of authentication factor that should rarely change • When these types of authentication factors are working properly, they can provide very high security -Because no one else has your iris and no one else has your fingerprint -But these biometric readers are not always foolproof so they should not be considered the only factor you would use for authentication -Use only in very specific situations
10BASE-T and 100BASE-T Straight-through cable (Copper Termination Standards)
• If we need a straight through cable for 10BASE-T (10Mb), or a 100BASE-T (100Mb), this straight through cable only needs two pairs. -Only four wires inside of the cable are used for these specific ethernet standards -Pins one and two on a network interface card are your transmit pairs. And if you're looking at the network switch, pins one and two are the receive pairs. -And it's running straight through from transmit to receive for those two devices.
Circuit switching (Circuit Switching and Packet Switching)
• If we're setting up a circuit switched network communication, then we're establishing a connection between two endpoints before we ever send data between those two devices -Similar to using your telephone. You dial a phone number, the other end picks up the phone, and after that circuit has been established, both of you can talk to each other. • Once the circuit is established and there is a connection between those two phones, the connection may go through a number of different phone switches in the phone provider's network -If both are on the phone but really not saying anything, the circuit would still be established and those resources are still being used -Nobody else can use the circuit when it's idle -Resources are still being used within the provider • An advantage is having the circuit connection always there -Circuit can be brought up between both sites -Network is available when sending data to the other remote site -Capacity is guaranteed & not shared with anyone else
Privileged user agreement Policies (Policies and Best Practices)
• If you are responsible for servers, network, security, or almost anything else in I.T., then you probably have access to all of the data associated with your organization -Just because you could have access to the data, doesn't mean that you should access that data -Network/system administrators have access to almost everything -With great power comes great responsibility -Use the highest ethics when protecting the data • There are expectations on you as a technology professional to use the highest ethics when it comes to protecting this data -This means if you are managing a server or a database, that you will normally use the non-privileged methods to be able to perform whatever functions are required • There will be times when you do need to use privileged access to get into that data -But this means that you will only be doing this for job related functions -Use privileged access only for assigned job duties • Because your access to this data is so different than anyone else's in the organization -You may be asked to sign a privileged user agreement -This means that you will maintain the highest levels of professionalism and maintain the confidentiality of the company's data -Make sure you understand the policies
Dictionary attacks (Brute Force Attacks)
• If you are trying to reverse engineer someone's password, one of the best ways to do this is with a dictionary attack -People tend to use common words as their passwords -If you could get the most common words and try those first, you've got a better chance of finding those passwords very quickly • Many lists can be found on the internet that have the most common passwords that people have used -If you're using brute force, you should start with the easy ones, words such as password, ninja, football -Those tend to be in the top five or top 10 of passwords that people will use • Many common wordlists are available on the 'net -Some are customized by language or line of work -If you're someone who is trying to audit your own passwords, you may want to have a look at some of those lists and try a brute force yourself • This will catch people that are using common words -It will catch the people that aren't putting a lot of thought into their password -But you'll still need to use other types of password attacks if you plan on catching people who are very secure with their passwords -You'll need some smarter attacks for the smarter people
Avoid common passwords (Device Hardening)
• If you do change the password from the defaults, you want to be sure to use a password that isn't completely obvious -There are very common passwords that people tend to use and the bad guys know to try those passwords first -Use passwords that cannot be found in the dictionary • You want to avoid passwords such as password, or ninja, or football -Those are three of the most popular passwords you'll find on any system -Brute force attackers start with the easy ones • There are a number of databases on the internet where you can download the most popular passwords that people are using -Many common wordlists are available online -A bad guy can run through the first 1,000 or 10,000 most popular passwords to see if it happens to match the one that you've chosen for that device -Some are customized by language or line of work • Most network administrators are already familiar with this problem -So you're probably not using one of these very common passwords -Make sure you're not using something that can be found in the dictionary and make sure it's something that's very unique that wouldn't be found anywhere else -This will catch the low-hanging fruit -You'll need some smarter attacks for the smarter people
Secure protocols (Device Hardening)
• If you don't have a VPN connection and you want to be sure that all of your traffic is going to be encrypted, then you should make sure your applications are using secure protocols • For example, instead of using Telnet, you'll want to use SSH, or Secure Shell -Allows you to use a terminal, but in an encrypted form • Or if you're transferring files, make sure you're using SFTP, which is the Secure File Transfer Protocol over SSH -Instead of using something that's not encrypted such as FTP • SNMP is a very common protocol used to query routers, switches, servers, and other infrastructure devices -So if you want to make sure all of that data is encrypted, you'll want to use SNMP version 3 instead of version 1 or 2 • Use HTTPS over HTTP -When using HTTPS, you're using TLS or SSL -This is Transport Layer Security or Secure Sockets Layer and that will make sure that all of this browser-based communication will be encrypted • And ultimately, you may want to create a VPN connection and simply send all of the traffic through it -It's common to have VPNs that run using SSL or TLS, but we can also have a VPN using IPsec, or Internet Protocol SECurity -This will encrypt all layer 3 traffic going through that encrypted tunnel
IPS signature management (Mitigation Techniques)
• If you have an intrusion prevention system on your network, then you're probably familiar with the management of those signatures -There are many different signatures, and each one will have a different disposition • You get to decide what happens if any of these signatures happen to match the traffic going through your network -Do you block the traffic or allow the traffic? -Do you also send an alert? Or does the message simply show up in your logs? • There are thousands of different rules in an IPS -You'll need to determine what the outcome is for every single one of those rules • You can certainly go through every single rule and determine what the disposition should be for that particular rule -But this will take a lot of time to go through thousands and thousands of different IPS rules -Instead, we generally group these rules together by different functions and then define the disposition for this larger group -Rules can be customized by group or as individual rules • And you'll probably be making changes to find the right balance with the dispositions as you become more comfortable with the IPS -Balance security against alert noise -There may be a number of false positives -You may get a lot of alert noise -You may need to hone down exactly what you need immediate notification for and what type of notifications might arrive in an email or a larger report
Interface configuration problems (Wired Network Troubleshooting)
• If you have problems with the configurations of the interfaces used on your network, you may see symptoms such as poor throughput -This would be constant poor throughput through any connection that you're using on your network -Very consistent, easily reproducible • Or you may find some devices have no connectivity at all -You're not able to see any link lights appear on the ethernet adapter -Or there may be a link light but no activity light on the ethernet adapter • All of these situations might be easily resolved by checking the interface configuration of the ethernet adapters
Incorrect cable type (Wired Network Troubleshooting)
• If you look at the statistics for your ethernet interface and you notice a lot of physical errors or CRC errors, you may want to check and make sure that you're using the right kind of cable -Check your layer 1 first • One way to tell is to simply look at the outside of the cable -The cable type is usually printed on the outside of the sheath -May also have length marks printed -You might also want to get a TDR and run your own tests on this cable -Confirm the specifications of what you're seeing on your TDR match what you're seeing on the outside of the cable -An advanced cable tester can identify damaged cables
Generators (Power Management)
• If you need a long-term power source when the power goes out, then you want to look at a generator -This will require storage for fuel • The generator is an engine that will use fuel to create a power source for the components in your building -This may include every electrical outlet in your building -Or there may be certain outlets that are specifically tagged as being associated with the UPS power. • A generator is usually not running when the power is available to your building -It may take a few minutes to get the generator up to speed -There is usually a set of batteries that's able to provide power for the building until the generator is up and running
Metro Ethernet (WAN Services)
• If you need to connect locations within a single city, you might want to consider using metropolitan-area networks such as Metro Ethernet -These would be connections that would be in a relatively close geographical area -A contained regional area • Instead of connecting a T1 line or a T3 line, you can simply have the provider give you an ethernet connection on both ends -And be able to connect to your normal ethernet equipment -This is a common standard -But not your typical WAN connection • Inside of your provider's network, the transport is probably not going to be ethernet -The Ethernet is usually running over a different topology inside your provider's network -You may be running Ethernet over SDH or MPLS -Or even Ethernet over DWDM
TX/RX reversal troubleshooting (Wired Network Troubleshooting)
• If you plug in a connection and you get no connectivity at all, you may want to look at the wire map and see if there was a reversal -If your ethernet adapter supports auto-MDIX, you may want to enable that and see if you're able to get a signal across the wire then • If you have identified a reversal, it's probably on the punchdown block or at the end device -So you may want to start with the patch panel and then work out from there to see if you can find where the reversal might be
Untrusted SSL certificate (Network Service Troubleshooting)
• If you're communicating to a web server over an encrypted channel, and you receive a pop-up message in your browser, and this error says that the certificate is not trusted by your computer's operating system, then you may have a problem communicating securely to that web server. -This means that your browser received the certificate from the web server, but the certificate authority that signed that certificate is not in the browser's configuration -So the browser doesn't trust that certificate • This could be that the certificate itself has not been signed by a certificate authority OR the certificate authority that has signed the certificate is not part of the trusted certificate authorities that are listed in your browser OR the Certificate Authority is invalid -Browsers trust signatures from certain CAs • Look at the certificate details themselves -They will tell you what the issuing CA happens to be -Compare to the CA list on your computer • If you're communicating to an internal web server on your company's network, then you may need to add your company's certificate authority to your browser -Normally this internal certificate is added by your workstation administration team, but you could manually add that certificate as well
Unencrypted 802.11 wireless traffic (Wireless Deauthentication)
• So how is your system suddenly removing itself from the wireless network? • This all comes back to a series of management frames that are used on 802.11 networks -These are the frames that are all running behind the scenes that connect you to the network, disconnect you from the network, and perform a number of other management functions -You never really see any of these frames going back and forth -It's not something you can identify on your screen. -It's all happening behind the scenes on your wireless network • These management frames are important for the overall operation of your 802.11 wireless network -You wouldn't be able to use the wireless network without these frames. -They're used to help find an access point, connect to an access point, configure quality of service configurations -And many other requirements to be able to operate on that wireless network -It shows SSID, data rates, power capabilities, supported channels, etc... • Here is where we run into problems, especially when we're considering these disassociation attacks -These management frames, at least in the original wireless standards, were not required to be encrypted -That means they're sent in the clear across the network, there is no protection of the data, and there's no authentication or validation of where the data is coming from -That's where the biggest problems occur when we look at disassociation attacks.
Effective social engineering (Social Engineering)
• Social engineering is a very low-tech form of a security attack. -In fact, it doesn't involve any technology at all -It involves someone else who's trying to gain access by using social engineering techniques -You never know exactly what the bad guys are going to come up with next. They're always using different stories and different ideas to try to gain information from you using these techniques • Social engineering may involve one person trying to gain access or maybe multiple people and multiple organizations acting simultaneously -They're all coordinating their efforts and hoping that you'll drop your shield and allow them access to anything that they might need • This might be done in person, over the phone. It might be somebody who's sending you an email -Sometimes it's somebody who's being very aggressive on the phone and putting you in a very difficult situation. • This is where social engineering becomes very unique. -Another example of social engineering that you might not be expecting are the bad guys taking advantage of the situations where there might be a funeral and sending funeral notifications to people that are inside of your company. -These are ways that the bad guys are using to try to gain access without us even realizing that it's happening.
Duplicate IP addresses (Network Service Troubleshooting)
• Some network administrators prefer to manually configure/assign the IP addresses on all of their devices. -The site might not have a DHCP server, so they have to be very careful that they're not duplicating any IP addresses between devices • DHCP doesn't guarantee you are not going to have duplicate IP addressing -You may find a combination of static IP addresses and an overlap with the DHCP pools -Or you may have multiple DHCP servers, and you've accidentally configured duplicate IP addresses on both of those servers -Or someone may turn on their own DHCP server without your knowledge, and now a rogue DHCP server is handing out IP addresses • If two devices manage to connect to your network with the same IP address, you'll find that they'll fight with each other. -One device will have connectivity and then the other device has connectivity, and it'll switch back and forth between the two devices. -This causes intermittent connectivity • On most modern operating systems, the OS performs a check of that IP address before it connects to the network. -If it finds that IP address is already in use, the OS blocks your system from creating a duplicate.
T1 / E1 (WAN Services)
• Some of the more traditional wide-area network connections may be brought in over a T1 or an E1 line -T1 stands for T-Carrier Level 1 -A way to connect 2 locations using time-division multiplexing -Commonly implemented in North America, Japan, South Korea -There are 24 channels on a T1 line -Each channel can support 64 kbit/s -For a total of 1.544 megabits per second of a line rate over T1 • A similar wide-area connection in Europe is the E1 -E1 stands for E-Carrier Level 1; E is for Europe -The E1 is slightly different -It has 32 channels -Each channel can support 64 kbit/s -Which gives them a total of a 2.048 megabits per second line rate over E1.
Honeypots (Mitigation Techniques)
• Some organizations use honeypots as a way to attract the bad guys and have them stuck in their own virtual world of trying to hack systems that in reality don't really exist • Since a lot of the inbound traffic from the bad guys is a script or some other automated process -You can have that inbound automated process talking to your honeypot automated processes to see exactly what they might do if they were to hit an actual machine • Sometimes a honeypot is a single device -But you could set up a virtual world of multiple devices and networks together into a honeynet • More information available about honeypots at projecthoneypot.org. -Or you can download and run Honeyd on your own systems • This is a constant battle to try to make sure that your honeypots look as real as possible. -The bad guys are very good at determining whether they're accessing a real system or whether it may be a honeypot -So you want to be sure that you're running the latest types of honeypots on your systems so that you know you're going to be able to attract the bad guys
Insider threat research (Insider Threats)
• Some practical statistics on insider threats have been compiled by Carnegie Mellon CERT -CERT stands for Computer Emergency Response Team -This is insider threat research from 2017 U.S. State of Cybercrime Survey -http://www.cert.org/insider_threat/ • They found that 20% of attacks on organizations are being caused by people who are on the inside of the organization -And 43% said that these attacks were more damaging than someone who was on the outside -This makes sense since we know that people on the inside tend to have more access than people who are on the outside • Interestingly, 76% of these insider incidents were handled without any type of legal action, and ostensibly without any type of knowledge on the outside. -This is because companies know that these types of attacks could be very harmful to their reputation, so they tend to handle things internally rather than involve third parties
Tokens and cards (Physical Security)
• Some types of physical security require that you have something with you -For example, you may have a smart card -You can slide the smart card into a computer, provide your personal identification number, and that might gain you access to that resource • Another type of component you would have with you is a USB token -A certificate is usually stored on the USB drive, and you would plug that into a device to use as another authentication method • You might also see hardware tokens or key fobs -Sometimes, these are built into software that's on a mobile device, and these create a pseudo-random code that you would provide along with other authentication methods • And your phone itself can be a good way to have a physical device used during authentication -You can have a code text messaged to your phone during authentication, and you can provide that along with your username and password as something you might have physically with you to use during authentication
A "friendly" DoS (Denial of Service)
• Sometimes a denial of service isn't something that's happening maliciously, but it is causing problems for people trying to gain access to that service -An unintentional DoS • One might be something like a network-based denial of service with someone creating a network loop -There's no spanning tree enabled on the switches. -And now nobody can communicate on your network -This would be a Network DoS where a layer 2 loop is created without STP • Maybe it's a denial of service because you don't have enough bandwidth and now everybody's trying to download something all at once -Everything slows to a crawl, and nobody's able to get anything done -A bandwidth DoS
Infrastructure as a service (IaaS) (Cloud Services and Delivery Models)
• Sometimes called Hardware as a Service (HaaS) -The equipment is outsourced -You're provided all the hardware -But it's up to you to make everything else happen • Hardware is provided to you -But you are still responsible for the handling of the OSes, management of the devices, and the security of your data • All of your data is out there in the cloud but more within your control about how that data is used • An example is web server providers -They provide the system and maybe an OS -You are responsible to load all other software and applications that are needed
The native VLAN (Mitigation Techniques)
• If you're configuring a network switch, one of those configuration settings for an interface that you're connecting to someone's laptop or desktop computer will be assigned to a particular VLAN -If you don't specifically assign an interface to a VLAN, then that interface will use the default VLAN -The default VLAN is the VLAN assigned to an interface by default • There's another type of VLAN called the native VLAN -This is used when you're trunking different switches together -If you're sending traffic across a trunk and that particular traffic belongs to the native VLAN, then a .1Q header will not be added to any of that traffic as it goes across the trunk -Also referred to as non-trunked frames • If you look at the default configuration of a Cisco switch, for example, the native VLAN is defaulted to VLAN 1 -One of the challenges with this is that a number of Cisco management protocols are also using VLAN 1 to communicate -So you may have management protocols and other types of user traffic using exactly the same link without having any type of 802.1Q header • To separate out any of your user traffic from your network management traffic, you may want to change the native VLAN number to be some other value -For example, you could use VLAN 999 as the native VLAN. And your management traffic will still continue to run over VLAN 1 -Management protocols will continue to use VLAN 1 (even if it's not formally configured on the trunk) -Non-trunked traffic will use the native VLAN number (VLAN 999)
Kerberos (Authorization, Authentication, and Accounting)
• If you're managing a group of switches or routers, and you're using TACACS or RADIUS to provide that authentication -You know that you have to provide a user name and password each time you log in to a separate device -On today's networks, we want to log in one time, and then automatically have access to all of the resources associated with our login • To enable that functionality, we use Kerberos -Kerberos is a network authentication protocol where you can authenticate one time and then you're trusted by the entire system -Kerberos can also provide mutual authentication, where you would authenticate to the server, and the server would also authenticate to you -Kerberos also takes advantage of extensive asymmetric encryption, which means it can prevent man-in-the-middle or replay attacks from occurring • Kerberos was created at the Massachusetts Institute of Technology -A standard since the 1980s -RFC 4120 • Microsoft then started using Kerberos in their server operating systems starting with Windows 2000 -Based on Kerberos 5.0 open standard -Compatible with other operating systems and devices -When you log into a Windows domain, it's Kerberos that's providing that single sign on in the background
Disabling unused interfaces (Device Hardening)
• If you're managing a large number of switches or routers, one of the things you can do to prevent unauthorized access is to disable any interfaces that aren't currently in use -So if you have conference rooms or break rooms that don't need to have access to the switch, it's a good best practice to disable them and prevent anyone from walking into that conference room and gaining access to your network • You may have to do a little bit of research to determine what interfaces on that particular switch should be enabled and which should be disabled -You may have additional administration as new devices are added to the network and other devices are removed from the network to make sure that all of these disabled ports remain up-to-date -More to maintain, but more secure • And of course, you can take advantage of Network Access Control -This is 802.1X and it allows you to require authentication from a user before they ever gain access to any interfaces on your switch -You can't communicate unless you are authenticated
Transceiver mismatch (Wired Network Troubleshooting)
• If you're using transceivers in your network switches, you may want to check and make sure that those transceivers are matching the fiber or the connection that you're plugging in to them -Single mode transceiver connects to single mode fiber -For example, if this is a fiber transceiver, then the transceiver needs to match the wavelength of the fiber -So if you have 850-nanometer fiber, you need an 850-nanometer transceiver -850nm, 1310nm, etc. • You also want to check across the entire link that you're using the correct transceivers and the correct optical fiber -Use the correct transceivers and optical fiber • If you don't use the correct fiber or the correct transceivers, you'll see signal loss, dropped frames, missing frames, or other physical-layer problems • This is an easy mistake to make because transceivers all look very similar to each other. -They have exactly the same format, the same connectors on the end -But if you look closely at two such transceivers, you'll notice one is designed for a 1,310-nanometer connection and the other is designed for 850
Converting media (Networking Devices)
• Sometimes media needs to be converted between different types of network media -No forwarding decisions need to be made based on a Layer 2 MAC address or a Layer 3 IP address -Really just looking to change communication from running over a copper network to fiber, and perhaps back again • A media converter is used to convert media -This operates at OSI Layer 1 -It is a physical layer signal conversion -It is simply changing the physical layer from a copper network to a fiber network or vice versa • Media converters are used if there is a need to extend the communication over a very long distance. -Knowing that ethernet over copper can only support up to 100 meters of communication, SMF can support 5 km. -If the need was to extend the connection by kilometers, we would use a media converter to convert the communication to fiber, extend it over that long distance, then convert it back to copper on the other end if needed. • Can also use a media converter if you've been provided with fiber connections, but the switch only supports copper connections -You can convert from fiber to copper to provide that connection to the switch • Media converters always need to be powered -Since there is an active conversion occurring -These devices don't generally work without a power source • It is not uncommon to see rack-based media converters with a central power supply that provides power to all of the different media converters
Rollback options (Process Monitoring)
• Sometimes the installation of a security patch can unfortunately create other problems with your OS or an application -Most OSes will provide you with a list of all of the patches that have been installed -You can choose a particular patch to uninstall or roll back to a previous configuration
Smartjack (WAN Termination)
• Sometimes the wide area connection at the demarc is a bit more intelligent, and instead of having just a cable handoff, we would have a Smart Jack -Also commonly called a Network Interface Unit or NIU -The device that determines the demarc -Network Interface Device, Telephone Network Interface • The Smart Jack is more than just a simple cable handoff -This can be a circuit card in a chassis -These are inside the provider's side of the communication -You don't usually have access to the equipment that's inside of the smart jack • The smart jack is a way for your WAN provider to perform some additional functions -e.g. They could set up a loopback and provide diagnostics directly from this interface at the demarc • Can also provide the following : -Alarm information -Reconfiguration details for the WAN provider -They can make a number of changes on the Smart Jack without having to visit your location
The Ethernet Frame (Introduction to Ethernet)
*Inside the ethernet frame* • Field : Preamble -Bytes : 7 -Description : 56 alternating 1's and 0's used for synchronization (101010...) • Field : SFD (Start Frame Delimiter) -Bytes : 1 -Description : designates the end of the preamble (specific bit pattern of 10101011) • Field : Destination MAC Address -Bytes : 6 -Description : Ethernet MAC address of the destination device • Field : Source MAC Address -Bytes : 6 -Description : Ethernet MAC address of the source device • Field : EtherType -Bytes : 2 -Description : Describes the data contained in the payload (could say it's IPv4 or IPv6 traffic) • Field : Payload -Bytes : 46 - 1500 -Description : Layer 3 and higher data • Field : FCS (Frame Check Sequence) -Bytes : 4 -Description : CRC checksum of the frame, confirms whether the frame was received correctly • Ethernet frame : Preamble > SFD > Destination MAC > Source MAC > Type > Payload > FCS
Real-World to OSI Model (Understanding the OSI Model)
*START FROM BOTTOM TO TOP* • Layer 7 (Application Layer) -What we see when using applications • Layer 6 (Presentation Layer) -Handles encryption/decryption of the application (SSL/TLS) • Layer 5 (Session Layer) -Control and tunneling protocols occur at this layer • Layer 4 (Transport Layer) -Deals with TCP or UDP transmit protocols -TCP segment or UDP datagram • Layer 3 (Network Layer) -Deals with IP Addresses and routing decisions -Routers -Packets • Layer 2 (Data Link Layer) -Where we find Frames of communication and MAC addresses -Extended Unique Identifier : EUI-48 (MAC address) or Extended Unique Identifier : EUI-64 (IPv6) -Switches • Layer 1 (Physical Layer) -Here we have cables, fiber optics, and the signal itself
ping -t <ip address> (Command Line Tools)
- Continuous ping until stopped with Ctrl-C
netstat -n (Command Line Tools)
- Does not resolve names and only provides IP addresses
ipconfig /flushdns (Command Line Tools)
- Flushes the DNS resolver cache on a Windows system
ping -a <ip address> (Command Line Tools)
- Ping command that resolves the IP address to a hostname
ipconfig /renew (Command Line Tools)
- Renews the DHCP lease on a Windows system
ping -n <count> <ip address> (Command Line Tools)
- Sends a specified number of echo requests to an IP address
ping -f <ip address> (Command Line Tools)
- Sends ping command with "Don't Fragment" flag set
netstat -b (Command Line Tools)
- Shows all active connections and the binary used to create that connection (Windows) • On a Windows machine, you could combine netstat -a with netstat -b, which would not only show you the active connections, it would tell you exactly the Windows binary that was used to create each connection across the network
ping <ip address> (Command Line Tools)
- Tests the reachability to a TCP/IP address
DHCP Renewal (Configuring DHCP)
-2 timers are associated with an IP address when it is assigned to a device • The first timer is the T1 timer -The device checks in with the DHCP server that issued the lease to renew the IP address -The timer is 50% of the lease time (by default) • The second timer is the T2 timer -If the original DHCP server is down, the device will try to rebind the IP address with some other available DHCP server -The timer is 87.5% of the lease time (7/8ths)
FTPS - File Transfer Protocol Secure (Common Ports)
-More secure than FTP -Uses FTP over SSL (FTP-SSL) -This is not SFTP • Uses port tcp/21
DHCP Relay (DHCP Addressing Overview)
-The router needs to be configured to point to the DHCP server on a different subnet for DHCP Relay to function • Step 1: Discover with DHCP Relay - Client to DHCP Server on a different subnet -Client sends a DHCP Discover broadcast message over UDP/67 -As it reaches the router with the IP Helper address, the router converts the broadcast message into a unicast -The source IP address changes to the router's address and the destination address becomes the IP Helper IP address that's configured on the router • Step 2: Offer - DHCP Server to client -DHCP Server sends a DHCP Offer message over UDP/68 offering an IP address back to the IP Helper IP address -Once the unicast arrives back at the router, the router then changes the destination address from the IP Helper IP address to a broadcast • Step 3: Request - Client to DHCP Server -Client sends a DHCP Request to the DHCP Server over UDP/67 requesting the offered IP address -The source and destination addresses continue to be rewritten using the IP Helper IP address • Step 4: Acknowledgment - DHCP Server to client -DHCP server sends a DHCP Acknowledgment to the client over UDP/68 acknowledging the IP address lease -Again, going through the router's IP Helper rewrite of the source and destination addresses
netstat -a (Command Line Tools)
-To see all of the active connections on an individual machine -Shows all active connections • On a Windows machine, you could combine netstat -a with netstat -b, which would not only show you the active connections, it would tell you exactly the Windows binary that was used to create each connection across the network
Subnet masks - binary to decimal chart (IPv4 Subnet Masks)
Binary : 00000000 Decimal : 0
Binary : 10000000 Decimal : 128
Binary : 11000000 Decimal : 192
Binary : 11100000 Decimal : 224
Binary : 11110000 Decimal : 240
Binary : 11111000 Decimal : 248
Binary : 11111100 Decimal : 252
Binary : 11111110 Decimal : 254
Binary : 11111111 Decimal : 255
Subnet Classes (Classful Subnetting)
Class : Class A Leading Bits : 0xxx (IP range 1 thru 126) Network Bits : 8 Remaining Bits : 24 Number of Networks : 128 Hosts per Network : 16,777,214 Default Subnet Mask : 255.0.0.0
Class : Class B Leading Bits : 10xx (IP range 128 thru 191) Network Bits : 16 Remaining Bits : 16 Number of Networks : 16,384 Hosts per Network : 65,534 Default Subnet Mask : 255.255.0.0
Class : Class C Leading Bits : 110x (IP range 192 thru 223) Network Bits : 24 Remaining Bits : 8 Number of Networks : 2,097,152 Hosts per Network : 254 Default Subnet Mask : 255.255.255.0
TDR (Time Domain Reflectometer) / OTDR (Optical Time Domain Reflectometer) (Hardware Tools)
• If you're working with copper cables, it's a TDR -If you're working with fiber, then it's an Optical Time Domain Reflectometer, or OTDR • These will be able to provide you with a lot of information about your copper cable or your fiber -For example, you can plug it into a connection, and it will estimate the entire length of the cable -Even if the cable's going into the ceiling and you're not able to see exactly how long it is, connecting the TDR will give you a very accurate representation of the length • If your cable has a cut or splice -You can plug in the TDR, and it will tell you exactly how far down the cable that particular problem exists -Can identify the location of a cut/splice in the cable • If you're simply trying to understand what type of cable it is, you want to understand the impedance on the cable -You can plug in the TDR and it will tell you that information as well -Can provide the type of cable it is • TDRs and the OTDRs are commonly used when we're first installing a cable infrastructure, because you can plug these devices in and see just how much signal we're losing between one side of the cable and the other -This is especially good for fiber, where you want to be sure over very long distances that you're minimizing the amount of light loss over that run • These TDRs often work with software that allows you to log every single connection that you're testing, so at the end you can create a report that verifies that everything on the network is working as expected -Certify cable installations • Or if you're concerned that there's a cut in your fiber or copper, you can plug in a TDR and know exactly how far down that run you have the break
Man-In-The-Browser (Man-in-the-Middle)
• In ARP poisoning, the bad guys are usually on the same local subnet as the devices being attacked -But in most cases the bad guys are not on the local network • Instead what they'll do is perform a man-in-the-middle, but they'll do it from inside the browser -We call this a man-in-the-browser attack -They create a proxy on your system, and simply send all the communication in and out of the proxy on the same computer that you're using -Malware/Trojan does all of the proxy work • There are obviously huge advantages for the bad guys in doing this -They see all the traffic that normally would be encrypted across the network because they're on your local machine where the traffic is not yet encrypted -Everything to the end user looks the same as it always does • Of course, they don't need to be on your local network -The man-in-the-browser can, for example, wait for you to log into your bank, capture those bank credentials, and then send that information off to the bad guys who can later log in to the bank and perform their own functions • This obviously requires that the bad guys first install this proxy through malware/trojan onto your machine that acts as the middleman -Once it's inside the browser, it simply waits for you to log into your bank -At that point, on the same machine, they can begin performing their own functions behind the scenes that you don't even see -Because they already have your credentials and they're part of your browser, they can now access your bank account and perform any number of functions, with all the credentials and all of the capabilities as if they were you sitting in front of your computer
tcpdump (Command Line Tools)
• In many network troubleshooting situations you're going to need a packet capture -Gathering packets from the network is going to provide you with a lot of detail of exactly what's happening across the network -One very common way to capture packets at the command line of a device is to use tcpdump • Tcpdump is usually included with many Linux distributions and OS X -For Windows, you can download a Windows version of this called WinDump • Tcpdump has a number of different options that you can include at the command line -You can apply filters and you can watch the packets go by in real time -Quickly identify traffic patterns • You can choose to save all of the packets you've collected into a pcap-formatted file -This is a file format that's easily readable by many different protocol analyzers such as Wireshark • The amount of information that you're gathering, and the detail included in these packets can be overwhelming -If you spend a bit of time to learn the formats and be able to filter out what you don't need, you'll find there's a lot of valuable information stored in those packets -Takes a bit of practice to parse and filter
VoIP technologies (Advanced Networking Devices)
• In most organizations, everyone has a phone on their desk -We used to accomplish this by using a PBX (Private Branch Exchange) -You effectively have your own private phone switch within your company -That phone switch then connects to your phone provider network and you're able to send and receive phone calls -This meant that additional telephone lines had to be run to everyone's desk -It would be very common to run two wires for every desk. One wire for the telephone, and another wire for the LAN • Today, a Voice over IP PBX is being used -This integrates all of your different VoIP devices such as VoIP handsets, VoIP software on your mobile devices and in the browser -This allows you to make phone calls using those devices over your existing LAN -With a VoIP PBX, there is no need to run multiple cables to every desk. These devices simply plug in to the existing Ethernet connections • Not everything in the world is communicating using these VoIP protocols and technologies -In some cases you need a VoIP Gateway -A VoIP gateway converts the VoIP communication into something your traditional public switched telephone network can understand -This is often built into the VoIP PBX
Lots of Ports (Introduction to IP)
• In summary (IPv4 sockets) it will contain: -A server IP address where the data is being sent from the client, a TCP/UDP protocol, and a server application port number -We also have a client IP address, a TCP/UDP protocol, and a client port number where the server will return the data
Non-Disclosure Agreement (Policies and Best Practices)
• In your technology career, at some point you may be asked to sign an NDA, a Non-Disclosure Agreement -It is a confidentiality agreement between two parties that says that you're not going to tell anyone else about this confidential information -It is a confidentiality agreement / legal contract -This prevents the use and dissemination of confidential information • This may be an NDA that you're signing with the company that employs you, to make sure that all of the information that you're learning as an employee is not going to be provided to anyone outside the organization -It is an internal NDA that protects the organization's private and confidential information -This is part of employee security policies • Or this might be an NDA that you sign with a third party that you're working with -Perhaps you're setting up a partnership with an external organization and you want to be sure that anything learned as part of that partnership is not made public to anyone else -An external (3rd party) NDA where neither party may disclose private information or company secrets about the other party
Incremental Backup (Backup and Recovery)
• Incremental backup -A full backup is performed -Subsequent backups contain data changed since the last full or incremental backup -These are usually smaller than the full backup • A restoration requires the full backup and all of the incremental backups • An example of an incremental backup -On Monday a full backup is performed -Every file from the file system is backed up -This would clear all of the archive bits • On Tuesday, we perform an incremental backup, which will only back up the files that have changed since the last full backup • On Wednesday, we back up all of the files that have changed since Tuesday's backup • On Thursday, we back up all of the files that have changed since Wednesday's backup • If we performed a full recovery of this system, we would need the full backup from Monday -And the incremental backups from Tuesday, Wednesday, and Thursday
Wireless topologies (Network Topologies)
• Infrastructure topology -All devices communicate through an access point -The most common wireless communication mode • Ad hoc networking topology -Devices communicate directly with each other -No pre-existing infrastructure (no access points) -Devices communicate amongst themselves -Simply configure both end stations to communicate with each other over the wireless frequency • Mesh -Internet of Things wireless networks often use mesh networking -Individual devices that are able to discover each other and use each other as a large cloud of devices -These devices not only self-form into this mesh cloud, they can also self-heal -If a device is disabled, they can simply use this large number of devices to route around the problem and enable communication using a different path
Interference (Wireless Network Troubleshooting)
• Interference on a wireless network means that something else is using the same frequencies that we're trying to use to communicate on this wireless network • Can be predictable interference -Sources such as fluorescent lights, microwave ovens, cordless telephones, or high-power sources -We could easily turn off the light or turn off the microwave oven, and the interference will go away • Sometimes the interference is something that we can't predict -Such as an office building with many other companies, where all of those companies have their own wireless networks and there is no way to manage their access points so that they don't interfere with yours • One way to look at interference statistics is to view them on your Linux or Mac OS X workstation with the netstat command -Use netstat -e in Linux or macOS -Or you may want to use Performance Monitor in Windows to monitor those statistics over time
Internal vs. External DNS (An Overview of DNS)
• Internal DNS (managed on internal servers) -Usually installed and maintained by the local network team -Contains DNS information about internal devices, such as servers, that do not need to be out in public DNS -Common to run a DNS service on Windows Server to keep up with all Windows devices on the internal private network • External DNS (managed by a third party) -Used if the organization does not require its own internal DNS -Does not have internal device information -Examples are those managed by Google DNS or Quad9 -You are able to use and rely on those external resources without having to run your own DNS server
Licensing restrictions policies (Policies and Best Practices)
• It can be a challenge maintaining a set of licenses in your organization -There may be separate licensing for OSs in use, for applications that are in use, or even for individual pieces of hardware that are in use -And each one of these different types of services has a completely different method of performing licensing • One reason we want to have all of these licenses up to date is that we could run into problems with availability if a license were to expire -For example, some applications will work perfectly normally until the date the license expires and at that point, the application might not work at all -Some devices may work after a licensing period expires, but possibly with a subset of functionality • So if you want all of your systems running exactly the way they are today -Make sure to document and have a process available for updating those licenses • Sometimes a license expiration means that certain important features of an application are suddenly no longer available -For example, if the license expires for your malware scanning gateway, it may still allow traffic to pass through that gateway, but of course, there are no checks at that point for any malicious software -Valid licenses maintain the integrity of the application -A missing/bad license may cause problems with data integrity
Troubleshooting excessive Jitter (Wired Network Troubleshooting)
• It can be challenging to troubleshoot excessive jitter on your network -The first thing you might want to look at is how much bandwidth is available -If you're using an excessive amount of bandwidth on your internet connection, then it will be challenging to receive real-time information at regular intervals • Your switches and routers can also contribute to this jitter -Make sure the infrastructure, such as routers and switches, is working as expected -We want to be sure that none of those devices are queuing up information or have excessive congestion -And we want to be sure that those devices aren't dropping any frames as they're coming through the network • In many environments, you're applying Quality of Service (QoS) to the applications -This ensures that if somebody is performing a very large file transfer, it won't affect any of your real-time communication -Prioritizes real-time communication services
Frame Switching (common network configuration) (Network Switching Overview)
• It involves a switch, Switch A, in the middle of the network -Switch A contains fast ethernet interfaces denoted by "F" -It also contains a particular card where these interfaces are located, card 0, labeled as "F0" • Each individual interface on this card is numbered -In this example, Switch A contains 5 interfaces -These interfaces are called Fast Ethernet on slot 0 / interface 1 - 5 -They are labeled as F0/1; F0/2; F0/3; F0/4; F0/5 • 5 devices are plugged into the switch, each with its own MAC address -Inside of the switch is a table that contains the info that it gathers over time -This table contains the MAC addresses that it has seen and their associated interfaces
User : Sam MAC Address : 1000:1111:1111 Output Interface : F0/1
User : Jack MAC Address : 1000:2222:2222 Output Interface : F0/2
User : Daniel MAC Address : 1000:3333:3333 Output Interface : F0/3
User : Teal'c MAC Address : 1000:4444:4444 Output Interface : F0/4
User : SGC Server MAC Address : 1000:5555:5555 Output Interface : F0/5
e.g. • If Sam wants to send information to the SGC server, Sam will put a frame on the network with the Destination MAC 1000:5555:5555 • This information is sent to the switch; the switch then looks through its MAC address table and tries to find the entry where the Destination MAC matches • Once the match is made, the switch will know to send the information to the correct interface -In this case, it'll be on "F0/5"
Configuring an ACL* (Access Control)
• It's very common to configure ACLs on routers, and in this particular example, we have Sam, Jack, and Teal'c. And you can see there's a number of switches and routers between all of these different devices. We can put an ACL on any of these routers, and of course, we can put ACLs on either the ingress or the egress of a particular interface. If Sam is sending information to Jack, we have a number of spots through the network where we might be able to install an access control list. We can put it on the gigabit side of router one or the serial side of router one. We could also put an ACL on the serial side of router two or the gigabit side of router two. • Let's say that we would like to prevent Sam from sending any communication to Jack. We might want to create an ACL. This happens to be an ACL that's configured in a Cisco router, and it defines an access list - in our case, there's only a single access list, Access List One. We're going to choose a rule that is going to deny any traffic coming through that happens to have a source IP address of 192.168.10.10. And if we look, that happens to be the subnet 192.168.10, and Sam is the .10. We also have another rule in this access list that says, if there is any other traffic going through this particular interface, all of that traffic is permitted. That means that the only traffic that would be denied through this particular gigabit interface is Sam communicating to any other device on this particular subnet. (*STOP10)
Attenuation (Wireless Network Troubleshooting)
• Just as we have attenuation on copper and fiber networks, we also have attenuation on wireless networks -As we move farther away from our access point, the signal gets weaker and weaker -You can usually measure this by looking at the signal strength on your device or using a WiFi analyzer • Control the power output on the access point to avoid excessive attenuation -This is not always an option, as not all access points support it • To help avoid excessive attenuation, you may be able to boost the signal strength on the access point itself by controlling the power output -Not all access points have this option, but this may allow you to get a larger range out of your existing wireless access point • If the device you're on supports an external antenna, you may be able to use one with a higher gain -This will allow you to capture more of the signal, so even if there is attenuation, you're still able to receive and transmit on that network • Of course, the closer you are to the access point, the less attenuation you're going to have -So you may find that moving closer to your access point greatly improves the performance of your network connection
Off-boarding Policies (Policies and Best Practices)
• Just as we have on-boarding processes when someone joins the organization, we also need formal processes and procedures when someone is off-boarded as they leave the organization • These should be processes that have already been laid out and are very well documented -So you know exactly what to do when someone leaves the company • For example, there needs to be a process for when someone turns in their hardware -You need some type of documentation to show that the hardware was received and that you're able to process that hardware for the next person • Also a process for what happens to the user's data -We don't want to simply delete everything associated with their account, as it might have important company data that we want to keep • This is why it is very common to deactivate a user's account rather than delete everything associated with it -It might have important encryption keys that are associated with that user, and by maintaining that account, we will still have access to all of those important encryption keys
LC - Lucent Connector (Optical Fiber Connectors)
• LC connector is referred to as: -Lucent connector -Local connector -"Little connector" • It is a smaller type of interface -Manufacturers would like to put as many interfaces as possible in their networking equipment -A smaller fiber connector means that they can put more interfaces on a single card • Both sides of the fiber, the transmit and the receive are molded into the same connector itself -Contains a locking mechanism similar to an RJ45 connector • Can also be used as individual fibers -Size is a bit smaller than the ST and the SC connectors
X.500 Distinguished Names (Authorization, Authentication, and Accounting)
• LDAP pairs together an attribute and a value, and uses multiples of those attribute/value pairs to define a particular object in the database -Attribute = Value pairs • For example, you can have a number of descriptors for an object that might show that the common name is WIDGETWEB in an organizational unit of Marketing -It happens to be an organization called Widget in a locality of London, in a state of London, in the country of Great Britain. And then you can have domain components that would be associated with this. For example, widget.com would be described as DC=widget and DC=com -Most specific attribute is listed first e.g. (Attribute = Value) CN=WIDGETWEB ; OU=Marketing ; O=Widget ; L=London ; ST=London ; C=GB ; DC=widget ; DC=com
Attribute : CN (WIDGETWEB) Field : Common Name Usage : Identifies the person or object
Attribute : OU (Marketing) Field : Organizational Unit Usage : A unit or department within the organization
Attribute : O (Widget) Field : Organization Usage : The name of the organization
Attribute : L (London) Field : Locality Usage : Usually a city or area
Attribute : ST (London) Field : State Usage : A state, province, or county within a country
Attribute : C (GB, Great Britain) Field : Country Usage : The country's 2-character ISO code (such as C=US or C=GB)
Attribute : DC (widget, com) Field : Domain Component Usage : Components of the object's domain
Frame switching between switches (Network Switching Overview)
• Larger networks may contain multiple switches -e.g. Switch A and Switch B • Not only could the switches have Fast Ethernet (F) interfaces but also Gigabit interfaces (G) • These switches contain 2 separate MAC address tables, one for Switch A and one for Switch B -Switch A doesn't know what's inside Switch B's MAC address table and Switch B doesn't know what's inside Switch A's MAC address table -They work independently from each other. e.g. • Two switches, Switch A and B, are connected at the following interfaces: -Interface G0/2 on Switch A connects to Interface G0/4 on Switch B
<Switch A MAC Address Table>
User : Sam MAC Address : 1000:1111:1111 Output : F0/1
User : Jack MAC Address : 1000:2222:2222 Output : F0/2
User : Daniel MAC Address : 1000:3333:3333 Output : F0/3
User : Teal'c MAC Address : 1000:4444:4444 Output : G0/2
User : SGC Server MAC Address : 1000:5555:5555 Output : G0/2
<Switch B MAC Address Table>
User : Sam MAC Address : 1000:1111:1111 Output : G0/4
User : Jack MAC Address : 1000:2222:2222 Output : G0/4
User : Daniel MAC Address : 1000:3333:3333 Output : G0/4
User : Teal'c MAC Address : 1000:4444:4444 Output : F0/4
User : SGC Server MAC Address : 1000:5555:5555 Output : F0/5
e.g. • Sam is sending a frame on the network that has a Destination MAC address of 1000:5555:5555, which is the SGC Server • This frame arrives at Switch A, which checks its own MAC address table and finds a match for that destination MAC address on output interface G0/2 -This leads to Switch B • Switch B then receives that frame and checks its own MAC address table -It finds the destination MAC address on output interface F0/5 for the SGC Server
Scope properties (Configuring DHCP)
• List of IP address range that will be available for a subnet -And excluded addresses • Can include subnet mask information • You can specify the lease durations • Or configure other scope options such as: -DNS server -Default gateway -WINS server -And other IP Address configuration details
CSMA/CD operation (Introduction to Ethernet)
• Listens for an opening -Does not transmit if the network is already busy • It'll send a frame of data when the network is clear -You send data whenever you can -There is no queue or prioritization -Devices will send information if the signal is clear • If a collision occurs -Devices will transmit a jam signal on the network to let everyone know a collision has occurred -Devices will then wait a random amount of time and then retry the transmission
Dynamic routing protocols (Dynamic Routing Protocols)
• Listens for subnet information from other routers -Sent from router to router • Provides subnet information to other routers -informs other routers what it knows • The best path is determined based on the gathered information -Every routing protocol has its own way of doing this • When network changes occur or a link goes down, available routes are updated -Different convergence process for every dynamic routing protocol
LANs (Network Segmentation)
• Local Area Networks -A group of devices in the same broadcast domain -Separate switches, no VLANs are configured at this level -Network design is simple, segmentation is done at the physical level -Minimizes broadcast effects -Security is improved since devices on physically separate switches cannot reach one another • One of the problems with this design is that it is difficult to scale -Difficult to manage 1000's of switches in a data center
4G and LTE (Cellular Network Standards)
• Long Term Evolution (LTE) -A "4G" technology -A converged standard (no longer have to worry about whether a phone is GSM or CDMA) -Based on GSM and EDGE (Enhanced Data Rates for GSM Evolution), which allows us to seamlessly communicate with voice and data simultaneously over the same network -Original standard supports download rates of 150 Mbit/s • LTE Advanced (LTE-A) -Standard supports double the download rate, 300 Mbit/s
Special IPv4 addresses (IPv4 Addresses)
• Loopback address -An IP address that all devices have internal to themselves -This is an address to yourself -No configuration or setup required -Ranges from 127.0.0.1 through 127.255.255.254 -An easy way to self-reference is by pinging 127.0.0.1 • Reserved addresses -Set aside for future use or testing and will never be used on any Layer 3 device -Ranges from 240.0.0.1 through 254.255.255.254 • Virtual IP addresses (VIP) -Not associated with a physical network adapter -VIPs in a virtual machine, or a router with VIPs assigned to virtual interfaces inside that router
MT-RJ - Mechanical Transfer Registered Jack (Optical Fiber Connectors)
• MT-RJ is referred to as: -Mechanical Transfer Registered Jack -OR Media Termination - Recommended Jack • Smallest form factor of connector -Can fit the transmit and receive fibers into a form factor that is about the same size as an RJ45 copper connector
Managing Network Traffic (Prioritizing Traffic)
• Many different devices are being used in today's networks -Such as desktops, laptops, VoIP phones, mobile devices • Many different applications also exist on these devices -Such as mission critical applications, VoIP applications, streaming video, streaming audio • All these different apps have different network requirements -Voice communication requires real-time data flows -Recorded streaming video has a buffer -Database applications have interactive input and you're expecting an output within a certain amount of time • Some applications might need priority over others -Some applications are "more important" than others -e.g. Voice over IP traffic having priority over someone who may be watching YouTube videos or transferring files
Latency (Wired Network Troubleshooting)
• Many of the applications we use are very sensitive to latency -Latency is the difference between the request and the response -Long latency may cause problems with your application • Some latency is expected and normal -There's going to be a little bit of latency across the network because it takes time for the electrical signals to go down the wire and the electrical signals to come back the other direction -Laws of physics apply -So there will be a bit of delay • It's when that delay becomes excessive that you start to have problems with your applications -You may want to use some measurement tools to be able to understand the exact latency that you're seeing for this application -Examine the response times at every step along the way when the delay becomes excessive and applications begin to experience issues • It's very common to use packet captures and a protocol analyzer so that you can get very specific timestamps of when you send traffic across the network and how long it takes to receive a response to those requests -Get captures from both sides of the network -Packet captures can provide detailed analysis
Switch spoofing (VLAN Hopping)
• Many trunks allow you to set up an automatic configuration mode -This is called trunk negotiation -It allows you to plug a device into a switch, and that switch will determine if the device you plugged in is a normal access device - such as a laptop or a computer - OR if the device you're plugging in might be another switch • This automatic configuration doesn't have any type of authentication associated with it -So if you wanted to pretend that you were a switch, you could use specialized software and connect to a switch that had this automatic configuration, and instead of the switch thinking of you as a laptop or a desktop, it would then consider that you were another switch on the network • At that point, you would negotiate the trunks that were required across this particular link, just as if you were connecting two switches to each other -And now you're able to send information to any of the VLANs that would be supported over that trunk connection -This switch spoofing would effectively give anyone access to VLANs that were supported on that remote switch • This is why a switch administrator would normally disable this particular automatic trunk negotiation -The administrator should instead manually define which interfaces on a switch are for a trunk, and which interfaces on a switch are for access devices
Cellular networks (Cellular Network Standards)
• Mobile phones and mobile devices are used to communicate over these separate cells of communication • Separates land into "cells" -Antennas can cover a cell with certain frequencies so you can move from "cell" to "cell" and still maintain communication wherever you happen to be • 2G networks were the primary standards in the early days -GSM - Global System for Mobile Communications -CDMA - Code Division Multiple Access • These standards had poor data support -Designed for voice communication (limited data functionality) -Originally used circuit switching to set up a call, and sending data had to emulate that same circuit-switched connection -Minor upgrades for some packet switching
Switch (Networking Devices)
• Modern switches are an evolution from the older style bridges -We now have devices with hundreds of interfaces on the front, rather than the bridge's two or four -A traditional bridge makes all of its forwarding decisions in software, whereas a switch makes its forwarding decisions in hardware -Forwarding decisions in switches are made using a technology known as Application-Specific Integrated Circuits (ASIC) • An OSI layer 2 device -The forwarding decisions on modern switches are exactly the same as the forwarding decisions that were made on the older style bridges -It is looking at the destination MAC address and forwarding the frame depending on where that MAC address needs to go -Forwards traffic based on data link address -Based on the MAC address • Modern switches also have a number of additional ports and features available to them -The core of an enterprise network -May provide Power over Ethernet (PoE) • Some switches include the option to enable routing functionality within exactly the same chassis -We call this functionality multi-layer switching. Also referred to as a Layer 3 switch -Includes Layer 3 (routing) functionality -The switch contains a portion that is performing the normal Layer 2 switching functions -And another portion of the switch that is able to route between the different VLANs that are connected to that switch
Interface monitoring (Performance Metrics)
• Monitoring the interface can tell you if the interface is up or down -If the interface is up, then everybody should be able to access that device, but if the interface is down, the problem may be with that interface or with any other component between you and that particular interface -May be a problem on the other end of the cable • We can also monitor interfaces for errors -We can look at those error rates over time, and we can see exactly the specific error that may be occurring -We can see how many CRC errors may be occurring on Ethernet or a WAN connection, or we may be looking at detailed Ethernet metrics like runt frames or giant frames • Another good monitoring statistic is to evaluate how much traffic is going through a particular interface and gather utilization details on every single interface on our network -Gathering this bandwidth information over time would also allow you to create some trends, so you could see exactly what direction the bandwidth may be going and if you need to plan to create additional resources for that particular service • Another set of metrics to monitor may be related to discards or packet drops -These errors occur when the problem isn't associated with the packet, but instead is associated with the system's ability to process that packet • You might also want to monitor or log information to know if that interface is ever reset -This would give us an idea that that particular interface may go into an offline mode where packets are not being processed -If we do find an interface that has been reset and has not come back into an online state, we might try to reset that interface and see if we can begin the process of communicating again to that device • The monitoring functions may also allow us to view the configuration of that interface -For example, we could see the exact speed and duplex that that particular interface card is configured with -You could then compare that speed and duplex with the device that's on the other end of that connection and make sure that both of those are the same -If the speed and duplex are not the same between the two, you'll probably see throughput problems or late collisions occurring in your monitoring statistics
Network requirements* (Virtual Networking)
• Most client-side virtual machine managers (hypervisors) have their own virtual (internal) networks -They can communicate to all of the local VMs without using an external network • A shared network address is used to communicate outside of the VM -There is a single Ethernet card on the VM platform, and the hundreds of VMs inside of this device will use that single IP address -The VMs are sharing the same IP address as the physical host -A private IP address is used internally -It performs the network address translation function to be able to use and share that single IP address -Uses NAT to convert to the physical host IP • A virtual machine can be configured to have its own IP address rather than sharing a single NATed address -This is called a bridged network address -This allows the VM to have its own unique addressing • Some virtual machines can be configured with a private address that doesn't communicate to anyone -Private address: the VM does not communicate outside of the virtual network • There are certainly advantages and disadvantages to all of the different configurations -When you're working with a virtual environment, you have the flexibility to build the environment exactly with the resources and requirements that you need (*STOP7)
Multi-factor authentication (Multi-factor Authentication)
• Most of us are very familiar with logging in to a device using our username and password -But what if we wanted to provide additional security and require more authentication factors than simply a password? -We can do that by using multi-factor authentication • If someone is using two factors, you'll sometimes see this called two-factor authentication, or 2FA -Some of these authentication factors might be something you are, something you have, something you know, somewhere you are, or something you do • These authentication factors would provide additional security during the authentication process, but they could be expensive to implement -For example, having separate hardware tokens that people can use during the login process -Or maybe installing biometric equipment so someone can scan a fingerprint to gain access to a room • Some multi-factor authentication methods are inexpensive -For example, it could be an app that runs on a smartphone, which would be very easy to install and would provide the additional authentication factor
NAS vs. SAN (Network Storage)
• NAS stands for Network Attached Storage -It allows you to take a storage device and connect it to an Ethernet network -This connects a shared storage device across the network -It provides file-level access, which means if a single character inside of an entire file changes, then the entire file gets rewritten onto that NAS device • SAN stands for Storage Area Network -A type of storage that is a bit more efficient than network attached storage -Looks and feels like a local storage device -Uses block-level access, which means if a single byte within a file is changed, only that block of data is changed. The entire file does not have to be rewritten to the device -It is very efficient in reading and writing • Regardless of whether you are using a NAS or a SAN, a lot of information is going to be sent across the network -This will require a lot of bandwidth -These would commonly be connected to high-speed networks that can support the bandwidth required for the data that is being transferred back and forth
NTP clients and servers (An Overview of NTP)
• NTP server is in charge of the clock for all of the devices that need to get updates -Responds to time requests from NTP clients that require updates -Does not modify its own time • NTP client is a device that will request time updates from the NTP server and update its clock(s) accordingly • Sometimes a device can be both an NTP client and server -It can update its time based on the time that may be available on a more accurate NTP server -Then it can provide those updates to other NTP clients on the network • Important to plan your NTP strategy -Will need to decide what devices will be NTP clients -Which will be NTP servers -And which devices may be both an NTP client and an NTP server
NAS vs. SAN (Common Network Types)
• Network Attached Storage (NAS) -Connects to a shared storage device across the network -Storing files across the network on this remote storage device is referred to as file-level access -File-level access - If part of a file needs to be changed, then the whole file will be rewritten on the NAS • Storage Area Network (SAN) -A more advanced type of storage over the network -That remote storage device is more of an extension of your computer, referred to as block-level access -Block-level access - If part of a file needs to be changed, you simply change the blocks that have been changed rather than rewriting the entire file -Very efficient reading and writing • Both require a lot of bandwidth to support both reading and writing of data across the network -May use an isolated network and high-speed network technologies -Very common to connect these types of storage systems over high-speed network topologies
The construction of a subnet (Classful Subnetting)
• Network address -It is the first IP address of a subnet -Setting all the host bits to 0 (0 decimal) allows you to calculate the network address • The first usable host address -It is one number higher than the network address -Just add 1 to the Network IP address • Network broadcast address -The last IP address of a subnet -Set all host bits to 1 (255 decimal) • Last usable host address -One number lower than the broadcast address -Just subtract 1 from the network broadcast IP address
Configuring VLANs (Network Segmentation)
• Not uncommon to configure many different VLANs on a single switch • The same switch can have: -VLAN 1 - Gate room -VLAN 2 - Dialing room -VLAN 3 - Infirmary • Devices can only communicate within their VLAN -The only way for devices to communicate with the other VLANs is to route traffic between the different VLANs
Establish a theory of probable cause (Network Troubleshooting Methodology)
• Now that you've collected as much information as possible, you can examine all of these details to begin establishing a theory of what you think might be going wrong -Since the simpler explanation is often the most likely reason for the issue, that may be a good place to start -Start with the obvious after collecting as much information as possible (Occam's razor applies) • Consider every possible thing that might be causing this issue -Include things that aren't completely obvious -You could start from the top of the OSI model with the way the application is working and work your way to the bottom -Or you may want to start at the bottom with the cabling and wiring in your infrastructure and work your way up from there • Make a list of all possible causes -Your list might start with the easy theories at the top -But include all of the more complex theories in this list as well
Interface configuration (Wired Network Troubleshooting)
• On many networks, the Ethernet cards are configured to negotiate their settings automatically when they connect to the network (Auto vs. Manual configuration) -They'll determine what's on the other end, and they'll make sure that the configurations match on both sides -Automatic configuration does not work 100% of the time -So you may find that some network administrators prefer setting all of their connections up manually so they know that both sides are going to match • The first thing you'll want to check for is a link light -That means you at least have connectivity between your device and the switch -If there's no light, then there is no connection -So there might be a cabling problem or an interface configuration issue • The speed of the Ethernet connection also needs to match on both sides -If you have 100 megabits on one side, it needs to be 100 megabits on the other -If there's a mismatch in those speeds, you'll have no connectivity across the network • A more challenging problem to troubleshoot is when the duplex is mismatched between two devices -This is when one side is configured as half duplex and the other side is configured as full duplex -You'll have connectivity between the devices, but you'll notice the throughput is slower than you would expect -You'll also see an increase in the late collision counter on these devices, which might give you an indication that there is a duplex mismatch
Blocked TCP/UDP ports (Network Service Troubleshooting)
• On today's networks, we're adding many different security devices -And we may find that certain application flows may be blocked due to filters • These security choke points can be created by firewall filters or an ACL configuration on a router -This restricts the ability of an application to travel through that network device -These security checkpoints are usually configured with very conservative rules, and it's not uncommon for these rules to block new applications from working on the network • One of the first things you can confirm, then, is that there is some type of communication problem -If you perform a packet capture, you can see the application request, and then you can see that no response is received • From there, you may want to run a traceroute tool that allows you to customize the TCP or UDP port number that's used -Run a TCP- or UDP-based traceroute tool -This would allow you to see just how far the traffic is able to go -Then you can provide that traceroute information to a network administrator, who can then determine where the filtering is occurring
Create a plan of action (Network Troubleshooting Methodology)
• Once you've tested a theory and found that the theory is going to resolve this issue, you can then begin putting together a plan of action (Build the plan) -This is how you would implement this fix into a production network -You want to be sure that you're able to do this with a minimum amount of impact to the production network -So often, you'll have to do this after hours when nobody else is working on the network • A best practice is to document the exact steps that will be required to solve this particular problem -If it's replacing a cable, then the process will be relatively straightforward -But if you're upgrading software in a switch, a router, or a firewall, there may be additional tasks involved in performing this plan of action • You'll also want some alternatives if your plan doesn't go as designed -For example, you may run into problems when upgrading the software in a firewall -So you may need an additional firewall or a way to roll back to the previous version -Every plan can go bad -Have a plan B, and a plan C, if the plan doesn't go as designed
Real-world logic Bombs example 1 (Logic Bombs)
• One example of a real-world logic bomb occurred on March 19th of 2013 in South Korea -An email was sent to people inside of media organizations and banks -This email posed as a bank email -It looked legitimate; people clicked the links that were inside that email, and malware was installed onto those systems -Trojan installs malware • Then a day later, on March the 20th at 2:00 PM local time exactly, the malware logic bomb went off -It effectively deleted the boot records and rebooted the systems on those devices -This meant that when those systems rebooted at 2:00, they showed that a boot device was not found and that you needed to install an operating system on the hard disk • Many computers and ATMs were affected -This prevented anyone from accessing any of their funds through any of those ATMs
Signal to noise ratio (Wireless Network Troubleshooting)
• One good overall statistic to see just how much interference may be occurring on your wireless network is your signal-to-noise ratio • The signal is the normal communication that you want from your wireless network -What you want • The noise is interference that you might get from other devices and other wireless networks -What you don't want • You would like to have a very large ratio between the signal and the noise -You would like to have much more signal than noise on your network -If you had as much signal as you had noise, it would be a one-to-one (1:1) ratio, and it would be very difficult to communicate over that wireless network -The same amount of signal as noise (1:1) would be bad
Basic Interface Configuration (Switch Interface Properties)
• One of the basic interface configurations on an Ethernet connection would be the speed and duplex of the connection -Speed could be 10 / 100 / 1,000 or faster -Duplex can be set to either Half / Full -Can be set automatically and/or manually -Either way, the settings need to match on both sides • You might also need to manage an IP address for this particular interface -Could be a Layer 3 interface that sits on a router -Or a VLAN interface to gain access to a particular VLAN on a switch -It is common to add IP addresses for management interfaces -Workstations will need, at a minimum, an IP address, subnet mask/CIDR block, default gateway, & DNS (optional)
DTLS VPN (Datagram Transport Layer Security) (Remote Access)
• One of the challenges with SSL or TLS is that it is a TCP-based protocol -That means you'll get the benefits of TCP, such as reordering of packets if they come in out of order -Also, if any data is lost along the way, TCP will retransmit that data • A number of the applications we use these days don't require any type of packet reordering or retransmission -For example, streaming technologies and Voice over IP don't require the use of TCP -In those situations, you may want to use a DTLS VPN, which is Datagram Transport Layer Security -It uses UDP packets instead of TCP • DTLS would be a good choice for these real-time streaming or Voice over IP protocols -If any data is lost along the way, it will be too late to back up and recover that information
BPDU guard (Switch Port Protection)
• One of the challenges with spanning tree is that it may take some time for this network convergence to occur -Spanning tree has to examine all of the traffic that's going by, and then finally make a decision on what ports need to forward traffic and what ports need to be blocked -On the older, original spanning tree protocol, this could take 20 to 30 seconds from the time someone connects to the network to the time they're ever able to send any traffic to that network -On some switches, you have the option to bypass that entire process -This is called BPDU guard -On Cisco switches it's called PortFast -This is a way to bypass that listening and learning state so that devices can immediately begin communicating on the network • BPDU is the Bridge Protocol Data Unit -It's the protocol that spanning tree uses to communicate between all of the different switches -An end device, like a laptop or desktop computer, will never send BPDU frames -These are only sent between switches that are participating in spanning tree. -So instead of having these end stations participate in the entire convergence process, the switch will simply allow the device access to the network • If that switch happens to see a BPDU frame from that end station, it will shut down that interface -BPDU frames don't normally come from these end devices, and if a BPDU frame happens to occur on an interface, that means there must be a switch on the other side and there could potentially be a loop -To prevent that from happening, the interface is completely disabled -You would obviously only enable this BPDU guard on interfaces that you knew would only be used by end station devices
DMZ (Network Segmentation)
• One of the common uses of a firewall is to sit between the internet and our internal network -This is going to keep anybody from the internet from directly accessing any of the resources that are on the inside of our network -But we may have certain servers and services that we would like to make available to the internet, but we still want to prevent anyone from coming into our internal network • In those cases, we would create a DMZ -This comes from the military term "demilitarized zone" -This adds an additional layer of security between two different points • So instead of having these externally accessible services on our internal network -We would create a completely separate segmented network for those services. -We'll add our server to the DMZ. And then we'll create rules in our firewall that will allow people access from the internet to the DMZ -But prevent any access from the internet to our internal network
RADIUS (Remote Authentication Dial-in User Service) (Authorization, Authentication, and Accounting)
• One of the more common/popular AAA protocols is RADIUS -RADIUS stands for Remote Authentication Dial-In User Service -Supported on a wide variety of platforms and devices -Used for many purposes in the network, not just for dial-in as mentioned in the name -It can be used to authenticate anyone who happens to be on your network • For example, all authentication can be centralized using RADIUS -So if you're logging in to a router, or a switch, or a firewall -You can use your same credentials to log into a server, to log in to remote VPN access, or to log into your wireless network with 802.1X • One of the reasons RADIUS has become so popular is that you can find RADIUS services for almost any operating system -So if you're running Windows, or Linux, or Mac OS X, you can find a RADIUS service that will run on those operating systems, and many others
dB loss symptoms (Wired Network Troubleshooting)
• One of the most obvious symptoms associated with dB loss is no signal at all -This means you're going to have no connectivity from a particular device -In those particular cases, it's relatively easy to troubleshoot because there's no signal coming through the line • Sometimes the problem is intermittent -Sometimes there's just enough signal to get the link up and running and maybe send some traffic across that network link -But not enough for the link to stay in sync -You may find at other times that the network traffic is either not performing as you would expect or it's not able to communicate at all • If you are finding there's poor performance, you should look at the statistics associated with that network interface card -Check if the signal is too weak -If you see a number of CRC errors or other types of errors on that connection, it may be related to a loss of signal • This is where it would be very useful to have a TDR or an OTDR -These advanced testing instruments can be connected to provide you with very detailed information on exactly how much signal you're able to put through a particular medium -You can test the distance and signal loss
IPSec (Internet Protocol Security) (Remote Access)
• One of the most popular remote access protocols is IPsec, or Internet Protocol Security • IPsec provides security of information at OSI Layer 3 -It gives you an option for authentication and encryption for every packet sent across the network • IPsec includes the ability to encrypt and sign each packet -It is effectively providing both confidentiality and integrity/anti-replay -This prevents anybody from replaying the traffic through the network in order to gain unauthorized access • IPsec is very popular -You can find implementations of IPsec in many vendors' products -Very standardized -This means you could have one vendor on one side of the WAN and another vendor on the other side of the WAN, and they'll still be able to communicate with each other using IPsec • You may also see the two core protocols that are used in IPsec: -One of them is the Authentication Header, or AH -The other one is the Encapsulating Security Payload, or ESP
802.11ac (802.11 Wireless Standards)
• One of the most recent versions of 802.11 -Approved in January 2014 -Significant improvements over 802.11n • Operates in the 5 GHz frequency band exclusively -There is no requirement to communicate in the very crowded 2.4 GHz band, so you can use the much larger bandwidths within 5 GHz (less crowded, more frequencies) -Supports up to 160 MHz channel bandwidth -Some 802.11ac routers will communicate in both 5 GHz and 2.4 GHz, but all of the 2.4 GHz communication uses the 802.11n standard • This version can also bond together individual channels -Thus creating larger channel bandwidth • Also a denser signaling modulation -For faster data transfers • Has 8 Multi-User MIMO streams -Twice as many streams as 802.11n -Theoretically, you can support nearly 7 gigabits per second of throughput
The big phish (Phishing)
• One of the most well-known phishing attacks in recent history occurred on March 19th, 2016 -This occurred with John Podesta, who was a former White House Chief of Staff and the former counselor to the President of the United States • At the time, he was serving as the chairman of the 2016 Hillary Clinton United States presidential campaign -So this would definitely be a whaling attack: someone going after a person at a very high level with this phishing attack • Mr. Podesta used a Gmail account to handle all of his email, like many of us do -This email account had information and messages in it ranging from the year 2007 up through the then-current time of 2016 • Podesta used a bit.ly link in the email to "reset" his password -This wasn't the Google reset link • Ten years of personal emails were unlocked and downloaded by the bad guys • Every email was made available on WikiLeaks -The good, the bad, and the ugly • Don't underestimate the effects of phishing -It can have significant repercussions
802.11a (802.11 Wireless Standards)
• One of the original 802.11 wireless standards -Released in October 1999 • Operates in the 5 GHz frequency range -Or other frequencies with special licensing • Runs at 54 megabits per second (Mbit/s) • Has a smaller range than 802.11b -The higher frequency is absorbed by objects in the way -The lower 2.4 GHz frequency tends to bounce off other objects -Many rules of thumb calculate one-third the range of 802.11b or 802.11g • Today, only seen in very specific use cases -802.11a is not commonly seen today
Insider threats (Insider Threats)
• One of the reasons that insider threats are such a significant security concern is that our users have a lot of access to the resources that are connected to our networks -We often provide people with access without considering what the least privilege might be for that particular role -Because of that, people tend to have more access to the network than they probably should • One of the reasons for this is that we tend to trust people who are working for the same organization as us -But many places have specific policies and procedures to protect everybody from gaining access to sensitive data -For example, there may be certain policies on how documents are handled, or there may be requirements for encrypting certain information when it's stored on a server • If an insider does cause a problem, this can be a significant security issue -It can bring down systems and make services unavailable -There may be a loss of data, especially proprietary or confidential information -And of course, having an insider cause this problem could harm your reputation with customers and stockholders • Sometimes the people on the inside may be coerced into causing these problems -For example, phishing scams and hacking scams can cause somebody to perform certain functions on the network thinking they're doing the right thing, but in reality, they're being guided by the bad guys • Or maybe someone understands your policies and procedures but is careless in how they apply them (a careless employee) -For example, if someone is using a laptop for personal use, some of your company's private information could fall into the hands of someone else • Of course, sometimes an employee really is out to get you -If there is a disgruntled employee who has access to data, they may be able to cause outages, make that data available to others, and harm the reputation of the organization • This is one of the reasons that defense in depth is so important -There needs to be a layered approach to security, not only to protect you from people who are on the outside of your organization -But also to protect you from the people that are on the inside -Cover all possible scenarios
Penetration testing (Mitigation Techniques)
• One of the ultimate ways to protect against somebody hacking into your system is for you to try hacking into your system yourself -You can do this by performing penetration testing (Pentest) -You're going to simulate an attack with actual exploits to see if you can take advantage of some vulnerabilities • This, of course, is the next step above doing vulnerability scanning -A vulnerability scan may tell you where a vulnerability might exist, but it won't actually try to take advantage of it -With penetration testing, we're trying to see if we really can gain access to the system -And we would see exactly what the bad guys would see if they were running the same exploit • In some environments, you might be required to perform a penetration test periodically as a compliance mandate -This may be something that you're able to do internally, or it may be required that you bring a third party in to perform these pen tests • A good overview of penetration testing can be found in the National Institute of Standards and Technology report -This is the Technical Guide to Information Security Testing and Assessment -The guide can be found at http://professormesser.link/800115
Port scanning (Process Monitoring)
• One of the ways to monitor what's happening on the network is to proactively monitor the devices that are connected -One way to do this is by using a piece of software called Nmap -Nmap stands for Network Mapper • One of the more popular features of Nmap is a port scanner -Nmap will query a device and tell you exactly what ports may be open and what ports may be closed • Nmap can analyze what operating system a device may be using without having to authenticate or log in to any component that's on that particular server • Nmap can also query a device to determine exactly what services may be running -Nmap can determine the name, version number, and other details about the application running on that server • Additional scripting -Nmap includes the NSE, or the Nmap Scripting Engine -This allows you to create your own scripts to extend its capabilities and vulnerability scans
Overcapacity (Wireless Network Troubleshooting)
• One problem we really have with wireless networks is that there's only so much capacity available
  - Only so many devices can be communicating over the very narrow frequency ranges that we have for wireless networks
  - So if you have too many devices on the same wireless network, you may run into problems with device saturation
  - If you have the option of using 5 GHz frequencies, you have many more frequencies available to use, and you may find that overcapacity isn't as big of a problem
• You might also run into problems on wireless networks with bandwidth saturation
  - This might be many people trying to transfer many files all at once, and you find that the wireless network simply doesn't have the bandwidth to support all of those transfers simultaneously
  - Large data transfers
• When we're managing our own wireless network on the floor of a building, we don't usually run into overcapacity problems
  - But when you get into very large environments, such as conference centers, airports, and hotels, you may often find the wireless network is not running as efficiently as you might have hoped
Wireless evil twins (Rogue Access Points)
• One security concern higher than a rogue access point would be a wireless evil twin
  - Someone can buy an access point and plug it into the network
• What they do is configure it exactly the same way as your existing access points
  - It has the same SSID, the same security encryption, and perhaps the same passwords configured in the access point
• If they're able to put this even closer to the users, the signal from the evil twin could overpower the existing access points
  - All the users may instead be connecting to the evil twin instead of connecting to your legitimate access points
  - Does not require the same physical location as the legitimate access point
• This wireless evil twin may be something difficult to configure in an environment where you're using 802.1X
  - But what about open networks at hotels and coffee shops?
  - Those Wi-Fi hotspots are very easy to fool. And because they're wide open, you can suddenly become the controller of this network
• One thing that you may want to do, regardless of where you happen to be, is to make sure that you're always encrypting communication
  - That way, if somebody is configuring a wireless evil twin and capturing your data, at least they won't be able to see any of your traffic inside of those data streams
  - Use HTTPS and a VPN
Duplicate MAC addresses (Network Service Troubleshooting)
• One type of duplicate address you don't see very often is a duplicate MAC address
  - MAC addresses are burned into the network interface card
  - It's very unusual to see two interface cards with exactly the same MAC address; it is not a common occurrence
  - If you do see a duplication of MAC addresses, it could be something innocuous, like someone misconfiguring a manual MAC address setting
  - Man-in-the-middle attacks can sometimes spoof existing MAC addresses, so you may want to check and make sure there are no security concerns on your network
• Mistakes can happen
  - The issue may be related to a locally-administered MAC address that has been misconfigured in a system
  - Or sometimes you will run into a manufacturing error where two different interface cards have the same burned-in address
• If you do see duplicate MAC addresses on your network, you may find that those devices have intermittent connectivity
  - The switch is going to be confused about exactly where that MAC address happens to be on the network
  - Confirm with a packet capture; you should see ARP contention
• If you're trying to confirm the MAC address of a device, you may want to ping the IP address of that device and then look at your ARP cache to see exactly what MAC address is associated with that IP
  - Use the arp command from another computer to confirm the MAC matches the IP
Cold site (Recovery Sites)
• One type of site is a completely cold site
  - This is an empty building that might have racks but not much else
  - It is effectively waiting for the equipment, the software, and all of your data to be brought in
• It also doesn't have any people available to staff this building
  - You'll need to bring in your own people to get everything up and running
MAC spoofing (Spoofing)
• One very common type of spoofing is Media Access Control address spoofing, or MAC spoofing
  - Every device has a burned-in hardware address that comes from the factory
  - This means that most devices have a MAC address that's unique to that device
  - Although this address is burned into the device at the factory, most drivers allow you to change the MAC address of your device if you'd like to
• The spoofing of this MAC address may be something completely legitimate
  - For example, your Internet Service Provider may be expecting a certain MAC address to be connecting to their network
  - And there might be certain applications you are using that are expecting to communicate with a device that has a particular MAC address
• But the spoofing of the MAC address may not be legitimate
  - It may be a device that is trying to circumvent an existing MAC-based access control list (ACL)
  - Or a device trying to fake out a wireless address filter
• One of the challenges as a security administrator is that it's very difficult to know when a device is using a spoofed MAC address or when it's the original built-in address
Watching the network (Device Hardening)
• One very easy place for the bad guys to gather information is from the airwaves
  - Our wireless networks are putting a lot of information over the air, and it's very easy to use a network analyzer to see what's going on across the network
  - There's a wealth of information in the packets
  - Some of it is very sensitive information
• You could be at an industry event or a coffee shop, using the wireless network, and someone may be able to gather information from the traffic flows coming from your computer
• That's why it's very common for someone outside of the building to use a VPN that will encrypt all of the information going to and from their computer
  - Or you may want to make sure that your browser is always using HTTPS, or that your email client is always communicating with the email server over an encrypted channel
  - Use encrypted protocols and technologies
Quick conversions examples (Assigning IPv6 Addresses)
MAC Address          EUI-64
8c:2d:aa:4b:98:a7    8e2d:aaff:fe4b:98a7
18:b4:30:10:7b:61    1ab4:30ff:fe10:7b61
a0:21:b7:63:40:3f    a221:b7ff:fe63:403f
34:62:88:dc:85:2f    3662:88ff:fedc:852f
• Now you can combine the EUI-64 with your IPv6 subnet prefix for a static IPv6 address
• No need for a DHCP server or to manually configure a static address on all devices
  - They can be configured automatically using this process with IPv6
T1 / E1 / T3 / E3 Summary (WAN Services)
Network   Channels                         Line Rate
T1        24 channels at 64 kbit/s each    1.544 Mbit/s
E1        32 channels at 64 kbit/s each    2.048 Mbit/s
T3        28 T1 circuits; 672 channels     44.736 Mbit/s
E3        16 E1 circuits; 512 channels     34.368 Mbit/s
Full-duplex Ethernet example* (Introduction to Ethernet)
Sam's PC is connected to Switch A, which is connected to Switch B, which is connected to the SGC server
• Sam's PC creates and sends an Ethernet frame to the SGC server
  - Sam's MAC address is the source
  - The SGC server MAC address is the destination
  - The frame goes to Switch A first
  - Switch A examines the destination for the server and knows the only way to get there is to send it to Switch B
  - The frame is then sent from Switch A to Switch B
• Switch B then examines the frame and forwards it to the interface on the switch that matches the destination MAC address
  - The destination device will then receive the frame and identify and match the destination MAC
  - The destination device will then accept the frame
• Full-duplex
  - Can send and receive data simultaneously
  - No way frames can possibly collide with each other
WiFi Chart (802.11 Wireless Standards)
WLAN       Frequency              Max. MIMO Streams   Theoretical Throughput (per stream)   Theoretical Throughput (Total)
802.11a    5 GHz                  Not supported       54 Mbit/s                             54 Mbit/s
802.11b    2.4 GHz                Not supported       11 Mbit/s                             11 Mbit/s
802.11g    2.4 GHz                Not supported       54 Mbit/s                             54 Mbit/s
802.11n    5 GHz and/or 2.4 GHz   4                   150 Mbit/s                            600 Mbit/s
802.11ac   5 GHz                  8 MU-MIMO           866.7 Mbit/s                          ~6.8 Gbit/s
What is the IP Class? (Classful Subnetting)
IP Address       Class
17.22.90.7       A
220.10.77.40     C
165.245.0.1      B
128.90.10.2      B
191.77.24.250    B
192.1.12.5       C
Transferring files (Remote Access)
• Sometimes you don't need to manage a device from the front end; you simply need to transfer a file. For those file transfers, you have a number of options available
• FTP - File Transfer Protocol
  - Designed for file transfers between systems
  - Requires authentication with a username and password to gain access
  - Provides file system functionality so you can delete files, rename files, add folders, etc.
  - Does not have built-in encryption
• FTPS - File Transfer Protocol Secure
  - A more secure form of FTP because it is using FTP over SSL
  - You may also see this referred to as FTP-SSL
  - It is a very good way to transfer data without sending information in the clear
  - This is not SFTP (make sure you know that there is a difference between those two protocols)
  - FTPS is FTP over SSL; SFTP is file transfer using SSH for the encryption
• SFTP - SSH File Transfer Protocol
  - The same protocol (SSH) that we use to encrypt our terminal sessions can also be used to encrypt our file transfer sessions
  - SFTP is also full-featured, with access to the file system to add and rename files and directories as needed
  - It provides file system functionality
  - Can resume interrupted transfers, show directory listings, or do remote file removal
  - SFTP uses SSH for the encryption
• TFTP - Trivial File Transfer Protocol
  - Another method of basic file transfers
  - A very simple method of transferring files from one place to another (read files and write files)
  - No authentication needed to transfer a file
  - TFTP is commonly used when turning on something like a Voice over IP phone that needs a configuration
  - The phone transfers the initial configuration file over TFTP, so no special logins or authentication are needed to get that phone up and running
Protocol analyzers (Process Monitoring)
• Sometimes you need to get into the details of what an application may be doing over the network
  - There's nothing more detailed than a protocol analysis
• A protocol analyzer captures every frame going through the network and then provides a decode that gives you more information about the network and the application performance
  - It is used to solve complex application issues
• These protocol analyzers can capture data from an Ethernet connection, or they can capture directly from your wireless network
  - Some of the infrastructure devices and security components on your network can also capture packets
  - And then you can open those packet captures in a protocol analyzer
• These protocol decodes make it very easy to see everything that's happening across the network
  - You can view and identify unknown traffic patterns
  - You can see the application performance of traffic across the network
  - You can create packet filters and security controls to narrow down the search
• Some large-scale protocol analyzers allow you to capture information over days of time
  - That allows you to perform big data analytics and determine more about what's really happening with the applications on your network
  - This will require large storage
Logical Network Maps (Network Topologies)
• Specialized software can be used to create the logical network maps
  - Software such as Visio on Windows, OmniGraffle on macOS, or a 3rd party website such as Gliffy.com
• These maps can provide a high-level view of how the network connects together
  - Such as how a WAN layout is connected
  - Or show the logical communication of an application as it goes from a web server into middleware and then the database backend
• Useful for planning and collaboration when working with a 3rd party
  - You can show how an application data flow is working
  - How the network is laid out across a large area
  - A good starting point as the collaboration goes along
Spoofing (Spoofing)
• Spoofing is a technique used extensively in attacks
  - This is when one device pretends to be something it's not. Very often it pretends to be someone who is real
  - This might be a fake web server pretending to take the place of an existing web server, or a fake DNS server
  - There are so many different ways spoofing can be implemented
• One type of spoofing recognized from the email inbox is email address spoofing
  - This is when a piece of email is received which appears to be from a recognized name
  - In reality, that email was sent from someone completely different
  - That email address was spoofed to make it appear as if it came from a trusted source
• There is a lot more caller ID spoofing these days
  - This is obviously done over the telephone
  - You see an incoming call and it appears that the call is coming from a phone number that's in your local area
  - But in reality, it's probably a solicitation that's coming from someone well outside your geography
• Another type of spoofing is often used in man-in-the-middle attacks
  - ARP spoofing is a very good example of this, where a device can sit in the middle of a conversation between two devices
Broadcast Domains (Broadcast Domains and Collision Domains)
• Spreads the word! Everyone must know! A necessary evil.
• Examples of broadcasts are:
  - ARP requests
  - An operating system may be notifying other devices of its OS functions
  - Some dynamic routing protocols advertising the routes that are available on the network
• How far can a broadcast go?
  - Everyone who is on a switched network will be able to see that broadcast as it's sent across the network
  - A switch/bridge will pass these broadcasts to every other interface that is connected
• The only way to stop a broadcast is to place a router on the network
  - Broadcasts cannot go through a routed connection
• This is important to keep networks at a convenient size
  - More devices on the network equals more broadcasts
Network Address Subnet Boundaries (Seven Second Subnetting)
• Starting addresses for each network (subnet block size = starting addresses)
  - 128 = 0, 128
  - 64 = 0, 64, 128, 192
  - 32 = 0, 32, 64, 96, 128, 160, 192, 224
  - 16 = 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240
  - 8 = 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, ...
  - 4 = 0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, 52, 56, 60, ...
The DHCP Process (IPv6) (Assigning IPv6 Addresses)
• Step 1: DHCPv6 Solicit
  - A DHCPv6 client sends a message through multicast looking for DHCPv6 servers on port UDP/547
• Step 2: DHCPv6 Advertise
  - A response from the DHCPv6 server to the DHCPv6 client's message with an IP address, sent to port UDP/546
• Step 3: DHCPv6 Request
  - The DHCPv6 client receives a list of all the different advertisements (IP addresses) from all the DHCPv6 servers on that subnet. It chooses one of them and sends back a request message on UDP/547
• Step 4: DHCPv6 Reply
  - The DHCPv6 server responds with a reply message. At that point, the DHCPv6 client can configure itself with the IPv6 address that was assigned by the DHCPv6 server
The DHCP Process (IPv4) (Assigning IPv4 Addresses)
• Step 1: Discover - Client to DHCP server
  - To find all of the available DHCP servers
• Step 2: Offer - DHCP server to client
  - Server sends some IP address options to the client
• Step 3: Request - Client to DHCP server
  - Client chooses an offer and makes a formal request
• Step 4: Acknowledgement - DHCP server to client
  - DHCP server sends an acknowledgement to the client
ST - Straight Tip (Optical Fiber Connectors)
• Straight Tip Connector
  - Has a bayonet connector
  - To lock it in, you push in and twist
  - To release, you untwist and then pull
  - Has a rounded connector at the end
  - Has a long ferrule sticking out
Troubleshooting a network summary* (Network Troubleshooting Methodology)
• Summarizing the troubleshooting methodology
• Identify the problem
  - Gather as much information as possible
  - Identify symptoms
  - Question users / ask them what they are seeing
  - Document any specific error messages
  - Determine if anything has changed
• Establish a theory of probable cause
  - Question the obvious
• Test the theory to determine the cause
  - Once the theory is confirmed, determine the next steps to resolve the problem
  - If the theory is not confirmed, establish a new theory or escalate (3rd party)
  - Test each one of these theories until we find the one that actually resolves the issue
• Establish a plan of action to resolve the problem and identify potential problems that might occur
• Implement the solution: schedule a time to put the fix into our production environment
  - Escalate as necessary
• Verify full system functionality and, if applicable, implement preventative measures
  - Verify and test to make sure that the entire system is now working as expected
• Document findings, actions, and outcomes from the very beginning of the troubleshooting process all the way through to the end (*STOP12)
Learning the MACs (Network Switching Overview)
• Switches are constantly examining incoming traffic
  - The switch makes a note of the source MAC address associated with that traffic
• It adds unknown MAC addresses to the MAC address table
  - The MAC address table records, for each MAC address, the interface on which the switch received the frame
e.g.:
• Switch A contains interfaces F0/1 and F0/5
  - F0/1 is connected to Sam = MAC 1000:1111:1111
  - F0/5 is connected to the SGC server = MAC 1000:5555:5555
• Sam sends a frame to the switch with Source MAC 1000:1111:1111 and Destination MAC 1000:5555:5555
• Switch A receives the frame and makes a note of the source MAC address in its table if it's not already there. It sets the output interface in the MAC address table to F0/1, since this is the interface on which the frame was received
• The same process occurs for the SGC server if it sends a frame and its MAC address does not exist in the MAC address table
  - The switch looks at the source MAC and sets the output interface to F0/5, since this is where Switch A received the frame from
Layer 4 - Transport Layer (Understanding the OSI Model)
• The "post office" layer
  - Takes many packets to build one screen in the browser
• The most common protocols used to transfer information are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
• e.g.: the "post office" layer (TCP segment, UDP datagram)
Layer 3 - The Network Layer (Understanding the OSI Model)
• The "routing" layer
• The Internet Protocol (IP) layer
• Frames are fragmented to traverse different networks
• e.g.: the routing layer (IP address, router, packet)
10 Gig Ethernet over copper (Ethernet Standards)
• The 10GBASE-T standard pushes the throughput of copper cabling
  - A 2006 standard
• Uses a frequency of 500 MHz inside of the cable
  - Well above the 125 MHz for gigabit Ethernet
  - Because of that, we need a cable specifically designed to support the higher frequencies
  - You will need twisted pair copper cables that support the higher frequencies, such as:
  - 10GBASE-T can go up to 55 meters in Cat 6 cable
  - 10GBASE-T can go up to 100 meters in Cat 6A (augmented) cable
  - If you need additional shielding from interference, 10GBASE-T can go up to 100 meters in Cat 7, which shields not only the entire cable itself but also each individual pair of wires
110 block (Network Termination Points)
• The 110 block is a wire-to-wire patch panel
  - No intermediate interface required
• The 110 block replaces the 66 block
  - Can plug in Category 5 and Category 6 cables
  - Can support higher speed networks
• Incoming wires are "punched" into the block
  - First we punch down all the connections that are coming from the desks
  - The connecting block would be on top
• The additional wires are punched into the connecting block
  - We then patch the top to the bottom
Optic Fiber characteristics picture 2 (Optical Fiber)
• The core is where light goes from one end to the other
• The cladding is around the core and has a lower index of refraction, so the light reflects off of it and stays inside the core
• The coating protects both the cladding and the core
DB-9 and DB-25 (Copper Connectors)
• The D in DB-9 stands for D-subminiature or D-sub
  - It specifies this type of connector that looks like a D
  - Different sizes from DA through DE
• The DB-25 connector was one of the most popular serial connectors in early computing
• Commonly used for RS-232 serial connections
  - Recommended Standard 232
  - An industry standard since 1969
• This connection was a serial communications standard
  - Built for modem communication
  - Used for modems, printers, mice, networks, and almost anything else that needed to send some type of signal
• These days we don't commonly see the 25-pin connection in use
  - Mostly used today is the 9-pin connector
  - The 9-pin connector is used as a serial console connection for a router, a switch, or some other type of infrastructure device
The secret behind the IP address (IPv4 and IPv6 Addressing)
• The IP address isn't really a single address
  - The subnet mask helps turn the IP address into something more than a simple identifier
• An IP address is a combination of a network ID and a host ID
  - The subnet mask allows you to determine which pieces of the IP address are the network ID and the host ID
  - The subnet mask is just as important as your IP address!
• When you start looking at subnet masks and IP addresses and trying to determine the network ID from the host ID, you usually perform a number of calculations in binary
  - The best way to see this work is in binary
  - This is the (very easy) math part
Speedy Delivery (Introduction to IP)
• The IP delivery truck delivers from one (IP) address to another (IP) address
  - For example, every house has an address; here every computer has an IP address
• The boxes (the data) then arrive at the house (the IP address)
  - To know where these boxes should go, each box (data) contains the name of a room (the port)
• The port number would be written on the outside of the box
  - This allows the box to be dropped into the right room (the data being delivered to the right port)
Mail Exchanger Record (MX) (DNS Record Types)
• The MX record, or mail exchange record, is an extremely important record that allows third parties to find your local mail servers
• In the DNS configuration file, the MX record starts with the IN class for Internet
  - It is an MX record, and then you put the name of the mail server
  - Later in the configuration, you'll find the name of that device listed with an A record that specifies the IP address of that mail server
• Determines the host name for the mail server
  - This isn't an IP address; it's a name *see image for example*
Maximum Transmission Unit (MTU) (Protocol Data Units)
• The size of the PDU to transmit is determined by the MTU
  - It determines the maximum IP packet that can be transmitted without having to fragment that data
• Fragmentation has a negative impact on overall communication efficiency
  - It takes time to fragment the packet into smaller pieces and send them across the network
  - Losing a fragment along the way loses the entire packet, which will then need to be re-transmitted
  - This requires overhead along the path
• Another problem with fragmentation is that it is difficult to know the actual MTU from one end of the network to the other
  - Automated methods are often inaccurate when a session is established, especially when ICMP is filtered
  - You might need to configure the MTU values manually
The TDR (Hardware Tools)
• The TDR is able to determine where these breaks are because it sends a "ping" of information down the wire and listens for any reflections coming back from any problems
  - It sends an electrical pulse down the cable
  - Sends a radar-like "ping"
• The TDR then measures the time between sending that signal and hearing the reflection, and tells you the distance to the point of reflection
  - Impedance discontinuities cause a reflection
• The OTDR does exactly the same thing, except it's doing it with light
  - It sends light down the fiber and then watches for any reflection to come back
  - Optical cable reflection
Ports on the network (Introduction to IP)
• The client chooses a random port number
• The server maintains the well-known port number
• Web server - TCP/80
  - Ethernet Header <> IP <> TCP <> HTTP data <> Ethernet Trailer
  - e.g.: Client = 10.0.0.1 / Server = 10.0.0.2
  - Source IP = 10.0.0.1
  - Destination IP = 10.0.0.2
  - TCP Source Port = 3000 (random port chosen by the client)
  - TCP Dest Port = 80 (the well-known port)
  - Payload = HTTP data
  - When returning to the client, the source/dest ports switch
• VoIP server - UDP/5004
  - Ethernet Header <> IP <> UDP <> VoIP data <> Ethernet Trailer
  - e.g.: Client = 10.0.0.1 / Server = 10.0.0.2
  - Source IP = 10.0.0.1
  - Destination IP = 10.0.0.2
  - UDP Source Port = 7100 (random port chosen by the client)
  - UDP Dest Port = 5004 (the well-known port)
  - Payload = VoIP data
  - When returning to the client, the source/dest ports switch
• Email server - TCP/143
  - Ethernet Header <> IP <> TCP <> Email data <> Ethernet Trailer
  - e.g.: Client = 10.0.0.1 / Server = 10.0.0.2
  - Source IP = 10.0.0.1
  - Destination IP = 10.0.0.2
  - TCP Source Port = 4407 (random port chosen by the client)
  - TCP Dest Port = 143 (the well-known port)
  - Payload = Email data
  - When returning to the client, the source/dest ports switch
Site-to-Site VPNs (Remote Access)
• The common implementation of IPsec is through a site-to-site VPN
  - Where you might have a corporate network on one side and perhaps a remote site on the other side
  - You want to be able to communicate between both of these locations, which already have an Internet connection, but you don't want to send private company information over the public Internet in the clear
  - A private tunnel is built between both of these sites so that encrypted information can be sent across the Internet
• This is commonly done by having a VPN appliance installed on both ends of this connection
  - This is often something that's integrated into an existing platform
  - For example, many firewalls provide IPsec endpoint support within the firewall itself
• At the corporate network, traffic is sent back and forth to the VPN appliance in the clear
  - There's no encryption associated with that
  - When the VPN appliance receives that data, it sends it through the Internet in an encrypted tunnel
  - On the other side, the VPN appliance decrypts that information and makes it available to the other site
  - Uses the existing Internet connection
  - No additional circuits or costs
Damaged cables (Wired Network Troubleshooting)
• The copper cables that we use are pretty rugged. When we run cables through a wall or over a ceiling, we don't usually have a problem with those cables
  - But they aren't indestructible
• Very often, though, we have cables used as patches from the wall that plug into printers and other devices
  - Sometimes they can be stepped on, or a cable can be pushed between a wall and a table
  - Then you have shorts and opens and problems communicating
• If you do run into a cable that looks like it's been stepped on, bent, or folded, you may want to check the physical layer and make sure that the cable is working as expected
  - You might also want to look at the device the cable is connecting to, because if that cable has been pulled, it might have bent pins inside of the Ethernet adapter
  - Cables should not be bent or folded
• Check for any bent pins on the device
• Sometimes it's easy to simply replace a patch cable and see if that resolves the problem
  - But other times, you may need a TDR to see if there's a short, open, or some other kind of damage inside of that cable
  - It's difficult to see inside of the cable, so a TDR helps
Inventory Management Software* (Network Documentation)
• The database itself is probably going to be formal inventory management software
  - A master database
  - Can also include all corporate assets
• Can support other functions such as:
  - Helpdesk functionality and reporting functionality
• Can scale with the company
  - The asset database can grow as the organization grows
  - Can add all of the new assets into the database and know exactly where this inventory is located (*STOP8)
Sample Forward Lookup File (DNS Record Types)
• The database of a DNS server is simply a text file
  - This is where you would configure the DNS server
  - And where all the lookups will take place
• Contains information about the DNS server itself
  - And information associated with caching
• Can see mail exchange records
• Records specifying the names and IPs of other devices
• Can also contain aliases
  - Allows us to use different names that associate to a single FQDN
• One of the most important roles of a DNS server is associating an IP address with a fully qualified domain name
Protecting against disassociation* (Wireless Deauthentication)
• The deauthentication problem is a significant issue, which is why the IEEE has already made changes to the 802.11 specification
  - 802.11w was introduced in July 2014
• It addressed the problem by making sure that certain management frames are now encrypted across the wireless network
  - This meant that frames that disassociate, deauthenticate, switch between channels, and other important management frames would be protected from this type of attack
• Some frames still need to remain in the clear because you need access to those before a device gains access to the encrypted wireless network
  - Frames such as beacons, probes, authentication frames, and association frames are still sent in the clear over the wireless network
• This update to 802.11 is required for 802.11ac compliance
  - You'll see that this protection against deauthentication will be included with all wireless versions going forward (*STOP11)
DNS poisoning (DNS Poisoning)
• The domain name services are a critical part of our IP networking
  - These are obviously the servers that take the names we provide and give us IP addresses in translation
• If you're able to modify the information in the DNS server, if you are able to manipulate the information inside of this DNS server
  - Then you could potentially send someone to an IP address that isn't necessarily where they thought they were going
  - This would require some crafty hacking
• One way to do this is to modify the files that are on the workstations
  - For example, if you change the client's hosts file, it won't even make the request to a DNS server
  - You can simply direct someone to an IP address based on what you put in the hosts file of that person's machine
  - The hosts file takes precedence over DNS queries
• Changing the contents of a single file across a large number of devices may be too difficult to manage
  - That's why many bad guys focus their efforts on changing what's in the DNS server
  - This way, every client does not have to be changed
  - Only one change is made on the DNS server, and now the response to all of those clients has been updated with whatever the bad guy would like
  - The result is a fake response to a valid DNS request, which requires redirecting either the original request or the resulting response
• There are many different ways to do this, but most of them involve taking control of the DNS server
WPA2 and CCMP (Wireless Encryption)
• The encryption protocol that became our long-term solution for wireless security is WPA2 -WPA2 uses CCMP to encrypt the traffic going through our wireless networks -Instead of using RC4 as the encryption algorithm, WPA2 uses AES, the Advanced Encryption Standard -CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol -It effectively replaced the TKIP that we had in WPA • CCMP's block cipher mode uses a 128-bit key and a 128-bit block size -Because WPA2 was using a more advanced encryption algorithm, additional resources were required from our wireless devices -AES was used for data confidentiality -Many organizations had to upgrade their access points to be able to take advantage of WPA2 • But the CCMP security services in WPA2 were well worth the upgrade -We're able to have data confidentiality with AES encryption -We have authentication features built into WPA2 -And access control is also a feature in the WPA2 protocol
Troubleshooting DNS issues (Network Service Troubleshooting)
• The first thing you may want to check is the IP address of your local device -If you're able to ping a device that's on another subnet, then you know you have the correct IP address, subnet mask, and default gateway -But you may want to check the IP configuration for your DNS servers -Make sure that IP addresses are listed under your DNS server configuration and make sure they are the right IP addresses for your DNS servers • You can open a command prompt and use nslookup or dig to perform queries against that DNS server -Use nslookup or dig to test -You want to see if you're able to receive responses for the services that you would like to access • If those DNS servers are not responding, you may want to try a different DNS server -Google's DNS servers are 8.8.8.8 and 8.8.4.4 -Or you can try the server at Quad9, which is 9.9.9.9
Identify the problem (Network Troubleshooting Methodology)
• The first thing you want to do is identify the problem -We first need to collect as much information as possible about the issue that's occurring -In the best possible scenario, you'll be able to duplicate this problem on demand -This will help later as we go through a number of testing phases to make sure that we are able to resolve this issue • When a problem happens on the network, it usually affects more than one device, and sometimes it affects those devices in different ways -You want to be sure to document all of the symptoms that may be occurring -Even if they are very different between different devices, you may find that a single problem is causing all of these different symptoms across these different devices • Many times, these issues will be identified by the end users, so they may be able to provide you with a lot more detail of what's really happening -You should question your users to find out what they're seeing and if any error messages are appearing -They are your best source of details • This shows the importance of the change control process and knowing exactly what is changing in your environment -Someone may be able to make an unscheduled change that would affect many different people -Determine if anything has changed in the environment -When an error or network problem occurs, you may want to find out what was the last thing that changed on this network that could have affected all of these users • There are also going to be times when you're examining a number of different problems that may not actually be related to each other -It's always best to separate all of these different issues out so that you can approach and try to resolve each issue individually -Approach multiple problems individually -Not all problems have the same source -Separate problems into smaller pieces
Temporal Key Integrity Protocol (Wireless Encryption)
• The key information that was sent across the network with the TKIP would change constantly, because it combined the secret root key with the initialization vector • There was also a sequence counter added with TKIP so that no one could perform a replay attack on our wireless networks • There's also a 64-bit message integrity check on these WPA encrypted networks -This meant that no one could tamper with the packets as they were going through the wireless network • Unfortunately, TKIP came with its own set of vulnerabilities and eventually it was deprecated from the 802.11 standard
Something you do (Multi-factor Authentication)
• The last authentication type is something you do -This would be something that you do that is very unique to you -No one else would be able to duplicate • For example, a signature is something that's very unique to a person, and we have handwriting analysis that can examine the technique between two signatures to determine if it's the same person • Or perhaps our typing style itself is something that is examined -To see if the same type of style is being used between different logins • This is very similar to biometrics, which is something you are, but something you do is external to the person -So if we're signing something or typing on our keyboard, this would be something that we do
Layer 7 - Application Layer (Understanding the OSI Model)
• The layer that we see -A browser window (HTTP, DNS) -A file transfer (FTP) -Downloading an email (POP3) • The layer we see (Google Mail, Twitter, Facebook)
Modem (Networking Devices)
• The modem is named after the modulator/demodulator function occurring inside the device -Very common to have modems, e.g. on traditional phone lines -If devices in two locations need to communicate, a modem can be placed on each side and communicate over traditional phone lines -Converts analog sounds to digital signals • Phone lines have limited available frequencies -Uses standard phone lines -And have a limited amount of bandwidth that you could send between the two locations • Modems are sometimes used as a backup or secondary system of communication -It uses the POTS system to communicate when all other forms of communication are unavailable • Examples of modems: -ADSL modems, which are used for internet access -Cable modems as well, although a cable modem is more of a bridge than it is a modem
Ethernet (Ethernet Standards)
• The most popular network technology in the world -Standard, common, nearly universal -Most organizations have some flavor of Ethernet that they're using in their environment • There are many different types of Ethernet -Running different speeds, different types of cabling, different types of connectors, and different types of network switches • These days most modern Ethernet networks will be using twisted pair cabling or fiber optic
Your data is valuable (Ransomware)
• The most valuable asset associated with your computers, whether they're at home or at work, is your data -Data is the most important asset on there -The computer at home will probably have family pictures, videos of trips that you've taken and important documents that you've scanned -They're all on these storage devices at home • The computer at work might have a broader set of data -It might have planning information, employee personally identifiable information (PII), financial information, and possibly company proprietary private data • There's a lot of valuable information here, and there's probably a certain amount of money that you would be willing to pay if all of this data disappeared tomorrow and somebody offered to give it back to you.
T3 / DS3 / E3 (WAN Services)
• The next step up from a T1 is a T3 -T3 stands for T-Carrier Level 3 -Also referred to as DS3 or Digital Signal 3 -It is usually brought into the facility over coax connections that connect to the T3 equipment using BNC connectors • DS3 is the data carried on a T3 • T3 provides: -Twenty-eight separate T1 circuits -For a total line rate of 44.736 Mbit/s • E3 (Europe) provides: -Sixteen combined E1 circuits -For a total line rate of 34.368 Mbit/s
Restricting access via ACLs (Mitigation Techniques)
• The only people who should be logging in to your switches and routers are probably your network management team, your security team, and maybe yourself when you happen to be at home -You may be able to set up access control lists, or ACLs, so that anywhere else on the network would not have access to those particular infrastructure devices -Only admins should be able to log in • You can set up your ACL so that only the people who are on the network management or network security subnets would have access to the management interface of those devices -All other traffic that would be inbound to those devices would be dropped before anyone had a chance to log in • This is a little bit different than setting ACLs for how an application might work -These are ACLs that you're configuring on a router or another infrastructure device that would drop the traffic on the network as it's traversing a particular interface -This would mean that you would have to be on one of the approved IP addresses to gain access to those management interfaces -You're dropping traffic from non-authorized users
Patch panel labeling (Network Documentation)
• The patch panels that are in the network closets have a number associated with a port that's somewhere out on the floor -We want to somehow associate and document those port numbers on the patch panels themselves -So you can know exactly what port on the floor is associated with which port on the patch panel -There isn't much real estate for labeling purposes -You'll have to fit enough information into a small space • These numbers are usually unique -They usually increment in a particular area -They may be geographically descriptive, such as an east or west designation -Some IDFs/MDFs might have a blueprint of the floor that documents the exact number of every cube in every office
Layer 1 - The Physical Layer (Understanding the OSI Model)
• The physics of the network -Where everything begins and ends on the network -Could be the signal, cabling, connectors -This layer isn't about protocols • If someone says "You have a physical layer problem." -You'll need to fix your cabling, punch-downs, etc. -Will need to also run loop-back tests, test/replace cables, or swap adapter cards • e.g. : signaling, cabling, connectors (Cable, NIC, Hub)
T568A and T568B termination (Wired Network Troubleshooting)
• The pin-outs that we use for our Ethernet networks are an international standard -They come from the EIA/TIA-568-B standard -This specifies the eight-conductor 100-ohm balanced twisted-pair cabling • And you'll find that there are two popular ways of performing pin-outs on an Ethernet cable -There's the T568A and the T568B for 8P8C connectors -You may even see on different punch blocks and connectors that there are different colors that tell you these colors are for A, and these colors are for B -These standards specify that most people will use 568A for horizontal cabling, that is, cabling that's on the same floor • But many organizations have used 568B -It is difficult to change in mid-stream -And as long as you've chosen one or the other and you stay consistent, you're not going to have a problem • If you do punch down one side of the cable with the 568A standard and the other side of the cable with 568B, you're not going to have a straight-through cable
TIA/EIA 568A and 568B Termination (Copper Termination Standards)
• The pins at the bottom of the connector are numbered 1 through 8 • Each standard uses slightly different pin-outs -In the 568A standard, pin one is white/green and pin two is green -In the 568B standard, pin one is white/orange and pin two is orange -The green and the orange pairs are swapped between 568A and 568B -Pins four and five (blue and white/blue) and pins seven and eight (white/brown and brown) are identical between 568A and 568B • Pins 1 & 2 and 3 & 6 change • Pins 4 & 5 and 7 & 8 remain the same
Why subnet the network? (Calculating IPv4 Subnets and Hosts)
• The problem: we cannot connect the entire world directly to each other -Not enough bandwidth and resources available to do that -Not enough technology to connect billions of devices on the same local network • Subnetting a network allows segmentation and the ability to add additional security -Adding a firewall to a specific segment with servers for additional security, whereas a segment with workstations would not need one
Resource Records (RR) (DNS Record Types)
• The records of a DNS server are the Resource Records -A local database that contains the associations between a fully qualified domain name and an IP address -Consists of a text file that contains all the information needed to perform DNS look-ups • Over 30 different record types that may be found inside of a DNS server -IP addresses, certificates, host alias names, etc.
Wireless LAN controllers (Advanced Networking Devices)
• The requirements for a large organization are much different than the wireless networks we have at home -You might have a wireless LAN controller in these large companies -This allows you to have centralized management of all WAPs behind a single console -Also referred to as a single "pane of glass" • From this single console, you can: -Deploy new access points -Monitor performance and also do security monitoring -Make changes to the configurations and deploy those changes to all the sites -Create reports on access point usage and by whom • These wireless LAN controllers are often proprietary -They are specific to the brand of APs that are being used in the network -The wireless controller is paired to the access points
Static routing (Static and Dynamic Routing)
• The routes are administratively defined -A network administrator adds the routes to the routing table manually • Advantages -Easy to configure and manage on smaller networks -No overhead from routing protocols (CPU, memory, bandwidth) -Commonly done at remote sites where there is only one way to send data -Easy to configure on sub-networks (with one way out) -More secure: no routing protocols to analyze • Disadvantages -Difficult to administer on larger networks, which contain many more routes -No automatic method to prevent routing loops -If there's a network change and one of those links goes down, you have to manually update the routes -No automatic rerouting if an outage occurs
Firewall rules (Access Control Lists)
• The rule base inside a firewall can also be considered an ACL -Allow or disallow traffic based on tuples -Tuples are a combination of variables such as source IP, destination IP, port number, time of day, application, etc. used to create a specific access control rule • Checks through the logical path -Checks the 1st rule; if the traffic matches that rule, then it does not continue to the 2nd rule -If it doesn't match the first rule, it'll go to the 2nd rule, 3rd rule, and so on -Usually top-to-bottom • Rules can be very general or very specific -As a rule of thumb, we usually put the most specific rules at the top of the rule base • Implicit deny -Means if you've gone through every single rule in this access control list and none of them have matched, the default option is to deny this traffic going through the network -Most firewalls include a deny at the bottom (even if you didn't put one) -Most default options are to provide this denial implicitly without you having to put a specific rule in the access control list
Incident response policies (Policies and Best Practices)
• The security policies that are looking for these incidents should first start with how you would identify one of those incidents in the organization -For example, there should be an automated monitoring system that is constantly looking for these types of security issues -You want to be able to alarm if an issue is discovered and alert all of the appropriate people that need to react to that particular security incident • Each type of attack will obviously need a different type of response -Your processes and procedures should already define how to handle different categories of attacks -An email issue, for example, may be handled very differently than a brute force attack • You should also have a set of policies that determines who gets contacted for these types of attacks -If it's something relating to email, it may be a very small group of people that are contacted -If this is a distributed denial of service attack, there may be a much larger group of people in your organization who need to respond • All of these procedures need to be created well before an incident occurs -Everyone needs to understand what these processes and procedures are, and there needs to be training and exercises so that everyone knows exactly what to do when a security incident happens
SSO with Kerberos (Authorization, Authentication, and Accounting)
• The single sign-on functionality of Kerberos is enabled using cryptographic tickets -These tickets are granted to someone who is logged in properly, and then that ticket can be shown to other resources on the network to gain access -Authenticates one time • This means authentication credentials are provided only one time -And from that point on all of the other devices can accept your credentials • This only works if all of the devices are able to communicate with these Kerberos protocols -If you are trying to authenticate to a switch that doesn't understand Kerberos, then you'll have to find a different authentication method -Not everything is Kerberos-friendly
Gigabit Ethernet over copper (Ethernet Standards)
• The standard for Gigabit Ethernet that most are using is 1000BASE-T -Uses category 5 twisted pair cable or better -Cat 3, 4, and 5 are deprecated from TIA-568, so the minimum cable found to run 1000BASE-T is Cat 5e -Requires all four pairs to communicate -Maximum length of a cable run is 100 meters
Flooding for unknown MACs (Network Switching Overview)
• The switch doesn't always have the destination MAC listed in its table • When in doubt, it will send the frame to everyone -In this case, it will flood the network with that particular traffic -The switch sends the frame out every port except the one it arrived on, so the frame reaches the destination once it is seen by all devices • The Ethernet adapter on each workstation will drop the frame if its own MAC address does not match the destination MAC of the frame • When the destination MAC replies to the source MAC and the frame passes through the switch, the switch updates its MAC address table with the replying station's MAC address and the interface it arrived on -No flooding is needed for the reply, because the switch already learned the output interface for the source MAC from the initial frame
Vulnerabilities (Vulnerabilities and Exploits)
• The term "vulnerability" and the term "exploit" are sometimes incorrectly used interchangeably • A vulnerability is a weakness -This weakness might be in an application or operating system -Or the weakness may be in the process that you follow that somehow allows someone to circumvent the security that you have in place • What's interesting about these vulnerabilities is that some of them are never discovered on your systems -Sometimes we find these problems after years have gone by and that vulnerability has been on our system that entire time • There are many different categories of vulnerabilities -On your computer, there might be data injection, such as a SQL injection -You may find that your authentication process is broken and someone may be able to log in with a higher-level account than what they normally would have access to -Perhaps your system unintentionally allows people to see sensitive data -Or perhaps you've simply misconfigured the security on your system and people could gain access to areas where normally they would not have access • These are just a few of the vulnerability categories -Normally, when a patch is provided for one of these vulnerabilities, the organization that's providing the patch will tell you the type of vulnerability that this patch resolves
Wiring Standards (Copper Termination Standards)
• The type of copper cables used on the network is important -But also the termination of those cables is important -Test your cables prior to implementation to confirm the cables have been terminated correctly • Cable testers are relatively inexpensive -Make sure you have a good cable mapping device -They can quickly show the way the cable is mapped from one end of the connector to the other end • If you're not familiar with running cables and terminating the ends, look into getting a professional who really knows the nuances of making your cable installation work perfectly
Incorrect antenna type (Wireless Network Troubleshooting)
• The type of wireless antenna that you use will depend on the reach and the scope of your wireless network -If you're trying to cover a single floor of a building, you'll be using a different antenna than if you're trying to connect two buildings to each other -The antenna must fit the room -Or the distance between sender and receiver • For example, we could use an omnidirectional antenna -Can be placed on the ceiling, and it has an equal amount of signal that goes in every direction -Not very useful between buildings • If we're trying to connect two buildings, though, we might want to use a directional antenna -All of the wireless signal will be directed in one single direction, and you'll have the best chance of connecting those two buildings together -Used often between two points (buildings) -Or on a wall-mounted access point • You might also find that your access point allows you to connect different types of antennas -The access point may provide options -Allows you to choose exactly the right antenna for the type of network that you happen to have
BYOD Policies (Policies and Best Practices)
• The use of mobile devices is blending together these days between our personal life and our professional life, and an organization needs to have a set of policies and procedures on how to handle BYOD, which is bring your own device -You may also see this referred to as bring your own technology • With BYOD, the company doesn't own the mobile device -Since the end user owns this device, there will certainly be personal email messages, personal pictures, and other data on that device -Since it is also used for business, there may be company information on this device as well -That's why it's important to establish a policy early on about exactly how the company data is managed • For example, you may require that the user set the lock screen to lock the device and use a certain type of password to protect both their data and the company's information -There also needs to be a change process in place if this particular device is traded in, upgraded, or sold to someone else -All of your end users should be aware of these processes and know exactly what to do if any one of these situations occurs
Network cabling standards (Copper Cabling)
• There are a number of different groups that set standards for these network cables that we use • Electronic Industries Alliance (EIA) -Alliance of trade associations -Develops standards for the industry -Their standards start with RS-# (Recommended Standard) or EIA-# -Website: http://www.eia.org • Telecommunications Industry Association (TIA) -Standards, market analysis, government affairs, etc. -One of the larger sets of standards that we use for cabling is ANSI/TIA/EIA-568 -This is the Commercial Building Telecommunications Cabling Standard -Website: http://www.tiaonline.org • International ISO/IEC 11801 cabling standards -Defines classes of networking standards -Sets standards for everyone in the world
On-boarding Policies (Policies and Best Practices)
• There are a number of important processes that have to be followed during on-boarding -This is when hiring someone new from outside the organization, or it might be somebody that's transferring from one part of the organization to another • From an IT perspective, you may require that someone understand the policies that are outlined in the employee handbook -Or a completely separate acceptable use policy that needs to be signed by everyone during the on-boarding process -IT agreements/policies need to be signed • There are also a number of processes that need to happen behind the scenes during the on-boarding process -Needs such as creating user account information, associating the user to particular group(s) or department(s), making sure they have email access, and creating any other required accounts for that user • We also need to make sure users have all the hardware required to do their job -A process to provide them with a preconfigured desktop or laptop computer -And also a process to provide them with a mobile device, or to add their own mobile device to the mobile device manager
Social engineering principles (Social Engineering)
• There are a number of principles associated with social engineering • The first one we'll talk about is authority -The social engineer is the person who's trying to gain access -They're going to pretend that they have some type of authority that allows them access to this information -They may say that they're calling from the help desk, that they're with the police department, or that they're with the office of the CEO -It might make us think that we need to instantly provide this information to them • Another principle used in social engineering is intimidation -It may not be something that is directly focused on you; it may instead be a situation that is intimidating -They might say that bad things will happen if you don't help -Or it could be something as simple as saying, the payroll checks aren't going to go out unless I get this information from you • Another principle that's commonly used is called consensus; you might also hear this referred to as social proof -They're using other people and what they've done to try to justify what they're doing -They might tell you that your coworker was able to provide this information last week; the coworker is not in the office now, so it's something that maybe you could provide for them • Social engineers also like to have a clock that's ticking -There needs to be scarcity -This particular situation is only going to be this way for a certain amount of time -We have to be able to resolve this issue before this timer expires • If the person doing the social engineering can inject some type of urgency, then they can make things move even faster, and this works alongside scarcity -They might say that this needs to happen quickly; don't even think about it, just provide this information right now so that we can solve this problem • Another technique that they use is one of familiarity -They act like your friend and might mention someone you know -They talk about things that you like -And by doing that, they make you familiar with them on the phone and make you want to do things for them -Or they'll say "we have common friends" • And, of course, the social engineer is going to try to create trust between you and him -He's going to try to tell you that he's going to be able to solve all of your problems; he's going to be able to fix all of these issues and act as someone who is safe -You just need to trust him and provide the information he's asking for -E.g.: I'm from IT, and I'm here to help
DHCP address allocation methods (Configuring DHCP)
• There are different ways for a DHCP server to allocate IP addresses to these remote devices -Dynamic allocation -Automatic allocation -Static allocation • Dynamic allocation -DHCP server has a large pool of IP addresses to give out -Addresses are reclaimed after a lease period -If the device returns to the network, it might or might not receive the same IP -A different IP address is simply chosen from the pool • Automatic allocation -Similar to dynamic allocation -A device that receives an IP address will always have that IP address associated with that device -DHCP server keeps a list of all of the MAC addresses -You'll always get the same IP address for that MAC address • Static allocation -The DHCP server is administratively configured to assign fixed IP addresses when devices such as servers, routers, switches, etc. start up -This is done by associating the MAC address of that device with the IP address -Also referred to as Static DHCP Assignment, Static DHCP, Address Reservation, or IP Reservation
Identification technologies for IDS/IPS (Advanced Networking Devices)
• There are many different ways that an IDS or an IPS can identify these security anomalies • One way is through a signature-based match -It is looking for a very specific signature -It is looking for an exact match of this information -If it finds the match, it will then perform the alerting or blocking function configured in the IDS or IPS • Many modern IDS or IPS devices are anomaly-based -It monitors the network over time and determines what is normal on your network -If something happens that is outside the norm, or is an anomaly, it will then give you the option to either allow or not allow that traffic through the network • These devices can also be configured to look for a certain type of behavior -Can observe and report -Looks for a certain type of behavior -e.g. if somebody accesses a file in a certain way, it may decide to flag that and allow you to make the decision on whether that's allowed or not • Some of these devices use heuristics, which is a very broad description of malicious activity -Instead of having a specific signature, heuristics uses artificial intelligence to determine if a particular traffic flow seems to be malicious, and then can take action based on that
Dialup (WAN Services)
• There are some places where a DSL or cable modem connection may not be available -You can use the existing voice telephone lines and connect a modem to be able to send digital signals over analog voice communication lines -Analog lines with limited frequency response • These dial-up modems communicate up to 56 kbit/s -And internally, the modem can compress data up to 320 kbit/s • Obviously a much slower transmission rate than what you find with DSL or cable modem connections -Difficult to scale; if you need more connections, you need to bring in more phone lines and more modems • Today, dial-up modems are generally used for very specific use cases -Used in legacy systems or for a network utility -May be difficult to find a modem
IEEE 802.1X example (Access Control)
• There are three devices that communicate during this 802.1X authentication process -We have the supplicant, which is usually a software client that's running on your device, so this could be on a laptop -You have the authenticator, which is usually inside of a switch -And usually there's an AAA server used for authentication in the back end • When you first connect to the network and try to access an interface, you'll find there's no communication -The authenticator will then communicate to you and say, is there someone new here? -You'll need to provide some type of authentication • The authenticator sends that message as an EAP request -The supplicant then provides a response with the authentication information • The authenticator will take that authentication information and pass it through to the authentication server -The authentication server will say that that's a valid login, but let's find out if we have the right credentials to gain access -The authenticator then requests that information from the supplicant, and the credentials are then provided • If those credentials match what's on the authentication server -Then the authentication server will let the authenticator know that all of the credentials looked fine and that particular device is allowed access to the network
SIEM dashboard (Event Management)
• There are times when you don't need that level of detail -You would rather have a broader view of what may be happening -A SIEM dashboard can be used to take all of the information that has been gathered through the logs and provide it in a broader, much more graphical form • E.g.: You can see alerts on the network that may have been related to an unsuccessful Windows login or a virus -Or you may be able to see security events related to logins and logouts • All of this is available at a glance, and you are able to tell very easily exactly what may be happening on the network at any particular time
Safety procedures and policies (Policies and Best Practices)
• There should also be well-established safety procedures and policies at the organization -The servers, the printers, and the other pieces of hardware that are being used will use a lot of electricity, so we need to make sure that we have safety policies in place for all of this electrical equipment • We also need to think about the safety of the employees -If they're working around manufacturing equipment, we may have a very specific jewelry policy -If they're working with cables, there may be cable management policies -And of course, it's important that everyone use proper lifting techniques and have fire safety procedures in place • IT professionals also handle a lot of toxic waste -There's acid inside of batteries, and printer toner can be dangerous if it's not disposed of properly -All of the different components in your organization have a Material Safety Data Sheet, or what's now called a Safety Data Sheet -The SDS will tell you exactly how these components should be handled, how they should be disposed of, and it will provide first aid information if that's required • There are also local government regulations associated with safety procedures and policies in the organization -Make sure you understand what the local safety laws are and what building codes apply to your organization -And of course, all of the environmental regulations associated with the products and the equipment that you use
Recovery (Backup and Recovery)
• There will be business decisions made about how long it takes to restore to a particular point in time • A good value to know would be the MTTR, which is the Mean Time to Restore -Can also be called "Mean Time to Repair" a system -The average time it takes to get a failed system working again • You also might be concerned about how often these failures might occur -So you may want to calculate the mean time between failures, or MTBF -The average time a system runs between one failure and the next, which gives you an idea of when to expect the next outage • Or if you're working with a third party or you have a contract to maintain systems, you may have a pre-defined service level agreement, or SLA -Recovery has a predefined service level agreement (SLA) -There are contractual recovery expectations that the outage will be resolved within a certain amount of time -May include penalties for not meeting certain service levels if those systems happen to be out for longer
Wireless (WAN Transmission Mediums)
• There's also wide use of wireless wide area networks running over a mobile provider's network -Wireless WAN -A mobile phone or external hotspot can be used to provide wireless connectivity for all the devices that we happen to use every day • We commonly see these wireless WANs used for very specific purposes such as security systems or point-of-sale reporting • You also see wireless used for travel or field service operations where there isn't a way to plug in to a physical network connection -A type of roaming communication • This is limited by the coverage of that wide area network provider -It might have differences in speed depending on the location and the distance away from the provider's antenna -Remote areas can be a challenge
Troubleshooting crosstalk (Wired Network Troubleshooting)
• There's always going to be a little bit of crosstalk in a copper connection. -But if you have excessive crosstalk values, you may want to look more at the cable • One good place to start is the crimp that you added to the end of the cable. • You want to make sure that you maintain the twists as they're going into the RJ45 connector -The twist helps to avoid crosstalk -If there are other types of connections along the way, patch panels, for example, you want to be sure you're maintaining the twists on those as well • You might also want to consider using a different cable -You could use a shielded cable that is shielding between the different pairs -Or you might want to try a category 6A cable, which increases the cable diameter. And that means that you'll have a larger distance between those pairs • This is why it's very common after you've installed a new cable infrastructure to always go through and perform an analysis of each connection -That way, you'll be able to find any problems with crosstalk or any other cabling issues before you plug in any other devices -Test and certify your installation after having cable installed -Solve problems before they are problems
Howdy Neighbor (Configuring IPv6)
• There's no ARP in IPv6 like in IPv4 -So in order to perform that same function, we have a Neighbor Solicitation (NS) and a Neighbor Advertisement (NA), which are part of the Neighbor Discovery Protocol • Neighbor Solicitation (NS) is used by one workstation trying to find the MAC address of another workstation -Sent as a multicast when searching for the MAC address of a specific IPv6 address -The destination is the solicited-node multicast address derived from the target address, so only the node being looked for needs to process it, unlike an ARP broadcast that every device on the segment has to examine • Neighbor Advertisement (NA) -The device that owns the IPv6 address named in the NS sends a unicast NA back with its MAC address so the two devices can communicate • NS is also used to test for duplicate IPv6 addresses (Duplicate Address Detection) -A device sends an NS for the address it intends to use -If no NA comes back, the IPv6 address is available to use
Syslog (Event Management)
• These SIEMs are gathering data from many different kinds of devices made by many different manufacturers -There may be a VPN concentrator from one manufacturer, a switch and a router from another manufacturer, and a firewall from a third manufacturer • There is a standard way to collect all of the log files from those devices, and that standard is called syslog -Syslog is a standard way to transfer log information from all of these different kinds of devices -Each message carries a facility (what kind of process sent it) and a severity level, and it is traditionally sent over UDP port 514 • It's very common to have all of these devices report back to a centralized SIEM using the syslog protocol -Usually a central logging receiver -It is integrated into the SIEM • A lot of information is going to be gathered from a lot of different devices -It's very common that the SIEM is equipped with a lot of storage space to be able to gather and maintain all of that log information over an extended period of time
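An added example of what a syslog receiver has to do with the lines it collects, illustrating both this entry and the SIEM dashboard entry above (this is my code, not anything from the course or from a SIEM product). It parses the two common syslog formats, the classic BSD layout (RFC 3164) and the newer RFC 5424 layout, decodes the leading <PRI> value into facility and severity (PRI = facility * 8 + severity), and then rolls the records up per host by severity, which is the kind of at-a-glance count a dashboard shows instead of raw lines. The log lines are constructed for the example.

```python
"""Parse syslog lines into facility/severity/host fields and summarise them.

Added example, not code from the course: it handles the classic BSD format
(RFC 3164) and the newer RFC 5424 format, both of which start with a
<PRI> value where PRI = facility * 8 + severity. The log lines below are
constructed for the example.
"""
import re
from collections import Counter

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?(?P<msg>.*)$"
)


def parse_syslog(line):
    """Return a dict with the decoded PRI and header fields, or raise ValueError."""
    m = RFC5424.match(line)
    version = 1
    if m is None:
        m = RFC3164.match(line)
        version = 0
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "version": version,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app") or "-",
        "pid": m.group("pid") or "-",
        "message": m.group("msg") or "",
    }


def severity_summary(lines, max_severity=4):
    """Count messages per host at or above a severity (lower number = more severe),
    the kind of roll-up a SIEM dashboard shows instead of raw lines."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec["severity"] <= max_severity:
            counts[rec["host"]] += 1
    return dict(counts)


# Constructed sample lines, as a firewall, switch and VPN concentrator might send them.
SAMPLE_LOGS = [
    "<34>Oct 11 22:14:15 fw01 sshd[2310]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "<38>Oct 11 22:14:16 fw01 sshd[2310]: Accepted publickey for ops from 198.51.100.4 port 40022 ssh2",
    "<165>1 2023-10-11T22:14:15.003Z core-sw1 stp - - - topology change on VLAN 20",
    "<13>Oct 11 22:15:01 vpn01 racoon: INFO: ISAKMP-SA established 198.51.100.4[500]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = parse_syslog(line)
        print(f"{r['host']:9s} {r['facility_name']:8s} {r['severity_name']:8s} {r['app']:6s} {r['message']}")
    print(severity_summary(SAMPLE_LOGS, max_severity=4))
```

The PRI check matters on a real receiver: anything above 191 is not a legal facility/severity combination, and a parser that silently indexes past the end of the facility list is the kind of bug that turns a malformed log line from an untrusted device into a crash of the collector.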
Distance-vector routing protocols (Dynamic Routing Protocols)
• These are dynamic routing protocols that use a formula based on distance (hop count, not link speed) to determine the best route -Information passed between routers contains routing tables -Each router determines how many routers are between your location and the destination • The number of routers is called the number of hops that a connection might be away from you -How many "hops" away is another network (router)? • The deciding "vector" is the "distance" (lowest number of hops) • This routing protocol is relatively simple to get up and running -Usually automatic and very little configuration -Good for smaller networks • Doesn't scale well to very large networks -Might be difficult to manage -A slow link with fewer hops will be chosen over a fast link with more hops • Examples are RIP, RIPv2, EIGRP
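The hop-count exchange described above, simulated as an added example (my code, not the course's and not a real RIP implementation: there are no timers, no split horizon and no triggered updates). Each router starts knowing only its directly connected networks, and in every round it takes the whole table each neighbour advertised and replaces a route only when the neighbour's hop count plus one is lower than what it already has; nothing about link speed is ever consulted. The three-router topology is constructed.

```python
"""Distance-vector routing by hop count, simulated.

Added example, not from the course: each router starts knowing only its
directly connected networks and repeatedly advertises its whole table to its
neighbours, the way RIP does. A route is replaced only when a neighbour offers
a lower hop count; link speed is never consulted. Topology is constructed.
"""
INFINITY = 16  # RIP's "unreachable" hop count

# Constructed topology: each router lists the networks on its interfaces.
# Two routers are neighbours when they share a network (a point-to-point link here).
CONNECTED = {
    "R1": ["10.1.0.0/24", "10.12.0.0/30"],
    "R2": ["10.12.0.0/30", "10.23.0.0/30", "10.2.0.0/24"],
    "R3": ["10.23.0.0/30", "10.3.0.0/24"],
}


def find_neighbors(connected):
    """Map each router to the routers it shares a link network with."""
    return {
        r: [o for o in connected if o != r and set(connected[r]) & set(connected[o])]
        for r in connected
    }


def build_tables(connected):
    """Run rounds of table exchange until nothing changes.

    Returns ({router: {network: (hops, next_hop)}}, number of rounds).
    """
    tables = {r: {net: (0, "direct") for net in nets} for r, nets in connected.items()}
    neighbors = find_neighbors(connected)
    rounds = 0
    changed = True
    while changed:
        changed = False
        rounds += 1
        # Everyone advertises the table it had at the start of the round.
        adverts = {r: dict(t) for r, t in tables.items()}
        for r in connected:
            for n in neighbors[r]:
                for net, (hops, _) in adverts[n].items():
                    candidate = hops + 1
                    if candidate >= INFINITY:
                        continue  # too far away to be usable
                    current = tables[r].get(net)
                    if current is None or candidate < current[0]:
                        tables[r][net] = (candidate, n)
                        changed = True
    return tables, rounds


def print_table(router, table):
    print(f"{router} routing table")
    for net, (hops, via) in sorted(table.items()):
        print(f"  {net:16s} hops={hops}  via={via}")


if __name__ == "__main__":
    tables, rounds = build_tables(CONNECTED)
    print(f"converged after {rounds} rounds")
    for r in CONNECTED:
        print_table(r, tables[r])
```

With three routers in a line the tables converge after three rounds (the third round is the one in which nothing changes), and R1 reaches 10.3.0.0/24 in two hops via R2. The "does not scale" point shows up directly in the loop: every router re-sends its entire table to every neighbour on every round, so the work grows with both the number of networks and the number of routers.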
X.500 Directory Information Tree (Authorization, Authentication, and Accounting)
• These attributes create a hierarchy -And if we were to map out this hierarchy, you can see that it creates a tree of information • Mapping out the tree you would get the country, an organization, an organizational unit, and then within that organizational unit you can have other items in the tree -Container objects such as country, organization, organizational units • The objects at the end of the tree are called leaf objects -These might be users, computers, files, printers, and other devices that you might need access to
The IP address of a device (IPv4 and IPv6 Addressing)
• These days, TCP/IP is the protocol of choice on our networks, which means all of the devices on your network will be assigned a unique IP address -Example of an IP address, e.g., 192.168.1.165 -Every device needs a unique IP address • It is combined with a subnet mask, e.g., 255.255.255.0 -It is used by the local workstation to determine what IP subnet it happens to live on -The subnet mask isn't (usually) transmitted across the network -If you've been tasked with configuring an IP address for a workstation, it's very common to ask for the IP address that will be assigned and the subnet mask associated with that IP address.
Content filtering (Advanced Networking Devices)
• These days, a lot of the malicious software and data leakage is occurring within the data of our applications -To control that, we may want to implement some type of content filtering on the network -This allows us to look into the data going back and forth and determine if somebody may be transferring sensitive information into or out of our network -Can also look for inappropriate content -If we wanted to provide parental controls on our network, we would commonly use a content filter • Can also be used to look for malware -So usually the anti-malware and anti-virus is built in to the content filtering system we have on the network
Crypto-malware (Ransomware)
• These days, however, there is an entire new generation of malware called crypto-malware -This is ransomware that encrypts the data on your computer and holds that data for ransom -Your data is unavailable until you pay • It encrypts your data files -Pictures, documents, music, movies, etc. -It encrypts everything except the OS -It wants your system to continue working so that it can present a message saying that all of your files have been encrypted, along with the process you should go through to send the bad guys some bitcoin so that a decryption key can be applied to those files and you can regain access to your data • This has become a very lucrative and very successful business model for the bad guys, where you must pay them to obtain the decryption key -They're using a payment system that is difficult to trace, so you generally have no idea who you're sending the money to, or where they happen to be -And it uses public key cryptography; when the encryption is strong and implemented properly, there's no practical way to decrypt the data without the key -An unfortunate use of public-key cryptography
Half-duplex Ethernet example (Introduction to Ethernet)
• These devices are connected to a Hub -The traffic is received on one interface and repeated to all other interfaces with devices -If two devices communicate simultaneously, those frames will create a collision • If a collision occurs -Devices will transmit a jam signal to let everyone know a collision has occurred -Devices then wait a random amount of time and then retry the transmission
MAC filtering (Access Control)
• This MAC address is the Media Access Control address -It's the hardware address associated with a network interface card • You can use this address as a filtering mechanism -You can decide exactly which MAC addresses may be allowed or disallowed through particular interfaces on your switch -Limit access through the physical hardware address • One way to find these MAC addresses is to perform a packet capture and examine exactly what MAC addresses are communicating through the network -Because of this, it's very easy to identify and then spoof particular MAC addresses on a network -Easy to find working MAC addresses through wireless LAN analysis -MAC addresses can be spoofed using free open-source software -You cannot use a MAC filter as your single method of security -If someone knows a working MAC address, they can easily circumvent the filter, which makes this method more security through obscurity than real access control
Overlapping channels (Wireless Network Troubleshooting)
• This can be a challenge with 2.4 GHz networks, because there's only so many non-overlapping channels available • For example on a network, you could see someone on channel 6 and another access point is on channel 11 -Those two access points are not overlapping with each other -But then someone else may turn on another access point at channel 8, and now you have a frequency conflict with both channel 6 and channel 11, and now no one's network is going to be running at the best efficiency because of all the interference that's been introduced
Subnetting Chart (Seven Second Subnetting)
• This chart helps convert from CIDR block notation to dotted decimal notation; the four mask columns are the four octets of the mask, and each row is one more bit taken from that octet
  Masks               Last subnet octet   Networks   Addresses
  /1  /9   /17  /25   128                 2          128
  /2  /10  /18  /26   192                 4          64
  /3  /11  /19  /27   224                 8          32
  /4  /12  /20  /28   240                 16         16
  /5  /13  /21  /29   248                 32         8
  /6  /14  /22  /30   252                 64         4
  /7  /15  /23  /31   254                 128        2
  /8  /16  /24  /32   255                 256        1
• To read it, find the mask, note which column it's in (that's the octet the mask ends in), and take the values from that row -Last subnet octet is the value of that octet in the dotted decimal mask; the octets before it are 255 and the octets after it are 0 (e.g. /26 is in the fourth column on the 192 row, so the mask is 255.255.255.192) -Networks is how many subnets that octet can be divided into with those bits -Addresses is how many addresses each of those subnets gets within that octet • To obtain the last subnet octet, add the Addresses values from that row and all the rows above it (128 + 64 = 192, 128 + 64 + 32 = 224, and so on); equivalently, it is 256 minus that row's Addresses value
Software as a service (SaaS) (Cloud Services and Delivery Models)
• This is On-demand software -No local installation required -You can simply use a 3rd party software for your own email distribution or payroll functionality • Central management of data and applications are running on external servers -All data is located in the cloud • A complete application offering -No development work required -Simply log on to the system, and all of it is available for you to use -An example is Google Mail
Client-to-Site VPNs (Remote Access)
• This is a common configuration to use as an SSL VPN -This is also referred to as a client-to-site VPN or a remote access VPN • This requires software to be installed on the end-user device -VPN software may already be built into the OS -The client device will be connecting to a VPN concentrator, which is often a firewall installed at the remote location • E.g. : The user starts their VPN software and authenticates to the VPN concentrator -From that point forward, everything between the remote user and the VPN concentrator is using an encrypted channel -Once it hits the VPN concentrator, the data is decrypted and provided in the clear over to the corporate network -When information is sent back to the user from the corporate network, it hits the VPN concentrator where it is again encrypted across the internet and then decrypted down at the remote user's workstation
Load balancer (Advanced Networking Devices)
• This is how the load will be configured using multiple servers -Servers A, B, C, D are brought up and all are placed behind a load balancer -The users are coming in from the other parts of the network and simply connecting to the load balancer • The load balancer decides which server will handle a particular request -The load is configurable across all servers -Manages load requests across servers -It is monitoring the responses from the servers; if one server begins to slow down, it can balance the load across the remaining servers • Load balancer helps with TCP offload -If we are communicating to a device with TCP, it comes with the normal three-way TCP handshake for every session -The load balancer handles the TCP overhead by handling the 3-way TCP handshake -The 3-way TCP handshake is handled between the load balancer and the end user -The communication to the servers behind the load balancer uses a session that is already up and running (no TCP handshake) • Load balancer helps with SSL offload -Instead of doing the encryption/decryption process on the server, the load balancer acts as the endpoint for the SSL/TLS communication • Caching on load balancers -Load balancers can also be configured to cache client requests -If a user makes a request to any server, the load balancer caches that information and provides those results to that user -If another user requests the same information, the load balancer will simply pull from the cache and send it back to the user without ever querying the servers behind it -This is for a faster response • Prioritization in load balancers -Load balancers can support multiple protocols and may prioritize certain protocols over others -QoS • Content switching in load balancers -Load balancers can provide prioritization at the application level -Certain applications on the servers can have a higher priority than other applications running on the same servers -Application-centric balancing
Ransomware (Ransomware)
• This is the business model for ransomware -It's one where the bad guys want your money, and the best way to get the money from you is to take the data away from you -The entire computer becomes unusable and everything that is important suddenly becomes encrypted • In some cases, the ransomware is not even real -It's simply a fake message that's put on your screen -They might use the Department of Justice logo or mention the FBI, and they've told you that the police have locked your computer • If this is ransomware that is not real, then the fake ransom may be avoided -You may be able to take it to a security professional and have them retrieve the files from your computer without damaging or losing any data
Troubleshooting a network (Network Troubleshooting Methodology)
• This is the flowchart of the network troubleshooting methodology, and we're going to step through each section of this flow and describe how it can help you solve those really difficult problems
Physical destruction (Policies and Best Practices)
• This is why it's common for many organizations to physically destroy these devices instead of having that data somehow find its way outside the building • You might have a shredder or a pulverizer that destroys the equipment -Heavy machinery - complete destruction • Some people will simply drill through storage devices or use a hammer to make sure that they could never be used again -Quick and easy - platters, all the way through • Some type of storage media, like magnetic tapes, can have everything deleted by using a degausser • And of course, some components and documentation can be permanently destroyed through the use of incineration
Using the tone generator / probe (Hardware Tools)
• This makes it very easy to find an individual wire -Even when you're in a data center where there are hundreds of cables coming in to a single connection • You first connect this tone generator to the wire -These usually have modular jacks and coax connections that can fit on to almost any type of cable -Can be modular jacks, coax cable, punch down connectors • Then you go to the other end and start using the probe to try to find the wire that's connected to this tone generator -Use the probe to locate the sound -The two-tone sound is easy to find the wire connected to the tone generator
2.4 GHz Spectrum for 802.11 - North America (Wireless Network Technologies)
• Three channels that don't overlap with each other: channel 1, channel 6, and channel 11 -Channel centers are spaced 5 MHz apart (channel 1 at 2412 MHz up to channel 11 at 2462 MHz), but each channel occupies roughly a 20 MHz block (22 MHz for 802.11b) -Any two channels closer than five numbers apart share part of their spectrum, which is why only 1, 6, and 11 are clear of each other
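An added example (my code, not from the course) that turns the channel rules above and the overlapping-channels entry into something checkable: it derives the center frequencies, tests whether two channels' blocks collide, lists every conflicting pair in a constructed access-point layout such as the channel 6 / 8 / 11 case, and picks the least-conflicting channel for a new access point. It assumes the 22 MHz block width of 802.11b DSSS, which is the width that makes 1, 6 and 11 the only mutually clear channels; channel 14 is left out because it is not used in North America.

```python
"""2.4 GHz 802.11 channel overlap checker.

Added example, not from the course. Channel centres sit 5 MHz apart from
2412 MHz (channel 1) to 2462 MHz (channel 11); channel 14 at 2484 MHz is not
used in North America and is left out. Each channel is treated as the
22 MHz wide block that 802.11b DSSS occupies, so two channels interfere when
their centres are closer than 22 MHz, which is why only channels five apart
(1, 6, 11) are clear of each other. The access-point layout is constructed.
"""
CHANNEL_WIDTH_MHZ = 22
CHANNELS = range(1, 12)  # 1..11, the North American set


def center_mhz(channel):
    """Centre frequency in MHz for a 2.4 GHz channel number."""
    if channel not in CHANNELS:
        raise ValueError(f"channel {channel} is not in 1..11")
    return 2407 + 5 * channel


def overlaps(ch_a, ch_b):
    """True when the two channels' 22 MHz blocks share any spectrum."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < CHANNEL_WIDTH_MHZ


def conflicts(access_points):
    """Every pair of access points (name -> channel) that interfere with each other."""
    aps = list(access_points.items())
    return [
        (name_a, name_b)
        for i, (name_a, ch_a) in enumerate(aps)
        for name_b, ch_b in aps[i + 1:]
        if overlaps(ch_a, ch_b)
    ]


def non_overlapping_set(channels=CHANNELS):
    """Greedy pick of channels that are all clear of each other, lowest first."""
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def least_conflicting_channel(access_points):
    """Channel for a new access point that overlaps the fewest existing ones."""
    def score(ch):
        return sum(overlaps(ch, existing) for existing in access_points.values())
    return min(CHANNELS, key=lambda ch: (score(ch), ch))


if __name__ == "__main__":
    site = {"AP-A": 6, "AP-B": 11}
    print("non-overlapping channels:", non_overlapping_set())
    print("conflicts with AP-C on channel 8:", conflicts({**site, "AP-C": 8}))
    print("better channel for AP-C:", least_conflicting_channel(site))
```

With AP-A on 6 and AP-B on 11, adding AP-C on channel 8 produces conflicts with both, exactly the situation described in the overlapping-channels entry; the last function shows the fix, which is to put the third access point on channel 1.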
Generating new keys (Device Hardening)
• To be able to send traffic over these encrypted channels, there's always going to be an encryption key that's used -If you're using HTTPS, or SSH, or almost any other encryption mechanism, this key will be able to encrypt that data, and on the other end, decrypt the information so that it can be seen by the other device • These encryption keys are usually managed on these servers and clients -For example, SSL or TLS keys for HTTPS are usually stored on the web server itself -The same applies for SSH keys you may be using for an encrypted terminal connection • It's important to protect these keys and be sure no one else gains access to these keys -they could potentially decrypt information that they may have gathered over an encrypted channel -Anyone with the key can potentially decrypt administrative sessions -Or gain access to the device • Sometimes these infrastructure devices and web services may ship to you with a default key -You want to be sure that that key is changed -Usually you're prompted during the installation process to build your own key -But it's useful to have a formal policy and set of procedures in place that will always make sure that a device is always given a unique key for your organization
Converting EUI-48 to EUI-64 (Assigning IPv6 Addresses)
• To create the EUI-64 from the 48-bit MAC address, we need to split the MAC into 2 pieces -Two 3-byte (24 bit) halves • We will place FFFE in the middle -This supplies the missing 16 bits • We then make a change to the original MAC address -We invert the seventh bit of the first byte, counting from the left; that bit is the U/L (universal/local) bit -In a burned-in address (BIA) that bit is 0, meaning the address is globally unique/universal -Flipping it to 1 marks the address as locally administered -The result is called the modified EUI-64 and becomes the 64-bit interface identifier of the IPv6 address
Shortcut for flipping the 7th bit (Assigning IPv6 Addresses)
• To quickly convert the MAC address, create a chart to make the process much simpler • Count from 0 to F in hex in two columns, in groups of four; each value swaps with the value two rows down in its group
  0 ⭿ 2    1 ⭿ 3
  4 ⭿ 6    5 ⭿ 7
  8 ⭿ A    9 ⭿ B
  C ⭿ E    D ⭿ F
• These pairs are the conversions used to go between a universal address and a locally administered address -Only the second hex character of the first byte changes; swap it for its partner in the chart -The rest of the MAC address remains unchanged • Using the previous example of 8c:2d:aa:4b:98:a7 -The first byte 8c becomes 8e -With FFFE inserted in the middle, the modified EUI-64 is 8e2d:aaff:fe4b:98a7
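Both conversions described above, the bit-flip method from the previous entry and the chart shortcut from this one, as an added example (my code, not the course's). The first function splits the MAC, inserts ff:fe and XORs the first octet with 0x02, which is the value of the seventh bit counted from the left; the second applies the hex-chart swap to the second character only, and a third function confirms the two methods agree. The MAC addresses and prefixes used are constructed.

```python
"""Modified EUI-64 from a 48-bit MAC, both the bit-flip way and the chart shortcut.

Added example, not from the course: the first function does the conversion the
notes describe (split the MAC, insert ff:fe, flip the U/L bit, which is bit 7
of the first octet and has value 0x02), and the second applies the hex-chart
shortcut to the second character so the two can be checked against each
other. The MAC addresses and prefixes below are constructed.
"""
import ipaddress

# The chart from the notes: flipping 0x02 pairs these hex digits with each other.
SHORTCUT = {"0": "2", "2": "0", "1": "3", "3": "1", "4": "6", "6": "4", "5": "7", "7": "5",
            "8": "a", "a": "8", "9": "b", "b": "9", "c": "e", "e": "c", "d": "f", "f": "d"}


def mac_bytes(mac):
    """Accept 8c:2d:aa:4b:98:a7, 8c-2d-..., or 8c2d.aa4b.98a7 and return 6 bytes."""
    octets = bytes.fromhex(mac.lower().replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return octets


def mac_to_modified_eui64(mac):
    """Return the 8-byte modified EUI-64 interface identifier."""
    octets = mac_bytes(mac)
    first = octets[0] ^ 0x02  # invert the universal/local bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID into a full IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def shortcut_flip(mac):
    """The chart method: change only the second hex character of the first byte."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"expected colon or dash separated MAC: {mac}")
    parts[0] = parts[0][0] + SHORTCUT[parts[0][1]]
    return ":".join(parts)


def shortcut_agrees(mac):
    """Check that the chart shortcut and the bit flip give the same first byte."""
    return mac_bytes(shortcut_flip(mac))[0] == mac_to_modified_eui64(mac)[0]


if __name__ == "__main__":
    for mac in ("8c:2d:aa:4b:98:a7", "00-1b-63-84-45-e6"):
        print(mac, "->", mac_to_modified_eui64(mac).hex(":"),
              "->", eui64_address("fe80::/64", mac),
              "shortcut", shortcut_flip(mac), "agrees" if shortcut_agrees(mac) else "DIFFERS")
```

The link-local result for the example MAC is fe80::8e2d:aaff:fe4b:98a7. Because the interface ID is derived from the hardware address, the same device gets a recognisable suffix on every /64 it joins, which is why modern hosts usually prefer privacy (randomised) interface IDs over EUI-64 for global addresses.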
Troubleshooting duplicate IP addresses (Network Service Troubleshooting)
• To troubleshoot these duplicate IP addresses, you can start with the devices that are being manually configured -Check the IP address, subnet mask, and default gateway for your specific workstation, and make sure it matches your documentation • Before bringing that station online, use a third station to ping that IP address and see if another device responds -If another device does respond, you know that IP address should not be manually configured on another device • If you are manually configuring the IP address and you know it's the right address, but some other device is already using it, you can use that third-party device to ping that IP address, find the MAC address of that device, and then locate that MAC address in your switch -That should tell you what interface that device is connected to -Ping the IP address, check your ARP table -Then find the MAC address in your switch MAC table • If you think you're getting this duplicate IP address from a DHCP server, you may want to capture the packets associated with the DHCP process -You'll be able to tell exactly which DHCP server is providing you that duplicate IP address
An Overview of DNS (An Overview of DNS)
• Translates human-readable names into computer-readable IP addresses -You only need to remember www.ProfessorMesser.com • A Hierarchical system -Follows a path to find the exact server you are trying to locate • A very distributed database -Many DNS servers around the world -13 root server clusters at the core of DNS -You often find hundreds of generic top-level domains (gTLDs) such as : .com, .org, .net, etc. -You'll also find country code top-level domains (ccTLDs) such as : .us, .ca, .uk, and other countries.
Wireless packet analysis (Software Tools)
• Troubleshooting a wireless network can be a challenge -Wireless is going to be sending signal to whoever might be in the vicinity -Any device that wants to listen in to your network is able to do that because everything is going through the air -Wireless networks are incredibly easy to monitor • If you're going to use software that's listening in to this network -Then that software needs to disable the transmission function of your wireless card because if you're transmitting, you won't be able to hear anything else on the wireless network • You want to be sure you have the right kind of wireless interface card that's able to perform these analysis functions -You may need a specific adapter card or wireless chipset to be able to put the card into this wireless analysis mode -Some network drivers won't capture wireless information • But once you have the right adapter card, you're able to gather a lot of wireless-specific data -You can see the IP traffic going across the wireless network, you can see the wireless protocols, the signal-to-noise ratio, channel information, and other wireless details • Using Wireshark on a wireless network can provide much of this information -And a number of third party tools can also gather these details from a wireless network -http://www.wireshark.org
Teredo/Miredo (Configuring IPv6)
• Tunnels IPv6 through NATed IPv4 -Allows you to use IPv6 end-to-end and you wouldn't have to do any special configurations on your IPv4 routers -End-to-end IPv6 through an IPv4 network -No special IPv6 router needed -Designed for temporary workaround until IPv6 can be used natively on the network -Teredo is commonly used with Microsoft operating systems • Can also use this same type of functionality using Miredo -Miredo is an Open-source version of Teredo for Linux, BSD Unix, Mac OS X, and other operating systems -Full functionality
Twisted pair copper cabling (Copper Cabling)
• Twisted pair cabling uses balanced pair operation -This is two wires with equal and opposite signals -One of those signals will be positive and one of those signals will be negative -Transmit+, Transmit- / Receive+, Receive- • It is the twist that allows us to receive information over this cable, even when there might be interference -The twist keeps a single wire constantly moving away from the interference as the signal goes through the wires -The opposite signals are compared on the other end to see what the value should be • Pairs in the same cable will have different twist rates -It will have a different set of values across different pairs even if they are subject to the same interference as the signal is going through
Backup types (Backup and Recovery)
• Type          Data selection                                                       Backup / restore time                        Archive attribute
  Full          Backs up all selected data                                           High / Low (one tape set)                    Cleared
  Incremental   New files and files modified since the last full backup or the       Low / High (multiple tape sets)              Cleared
                last incremental backup
  Differential  All data modified since the last full backup                         Moderate / Moderate (no more than 2 sets)    Not cleared
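An added example (my code, not from the course) that makes the table's archive-attribute column do the work: in a toy file system every create or modify sets the archive bit, a backup job selects files by that bit and clears it (full, incremental) or leaves it set (differential) exactly as the table states, and restore_sets() works out how many tape sets are needed to get back to the latest state. The file names and the one-week schedule are constructed, and mixing incremental and differential jobs after the same full backup is deliberately not modelled.

```python
"""Full, incremental and differential backups driven by the archive attribute.

Added example, not from the course: a toy file system where every create or
modify sets the archive bit, backup jobs select files by that bit and clear it
(or not) exactly as the table says, and restore_sets() works out which tape
sets are needed to get back to the latest state. File names and the weekly
schedule are constructed; mixing incremental and differential jobs after the
same full backup is not modelled.
"""


def touch(fs, name):
    """Create or modify a file: bump its version and set the archive attribute."""
    version = fs.get(name, (0, False))[0] + 1
    fs[name] = (version, True)


def snapshot(fs):
    return {name: version for name, (version, _) in fs.items()}


def run_backup(fs, kind):
    """Copy the selected files to a new tape set and update archive bits."""
    if kind == "full":
        selected = {n: v for n, (v, _) in fs.items()}
    elif kind in ("incremental", "differential"):
        selected = {n: v for n, (v, archive) in fs.items() if archive}
    else:
        raise ValueError(kind)
    if kind in ("full", "incremental"):       # differential leaves the bit set
        for n in selected:
            fs[n] = (fs[n][0], False)
    return {"type": kind, "files": selected}


def restore_sets(history):
    """Tape sets needed: the last full, every incremental after it, and only
    the most recent differential after it."""
    last_full = max(i for i, b in enumerate(history) if b["type"] == "full")
    later = history[last_full + 1:]
    diffs = [b for b in later if b["type"] == "differential"]
    keep = [b for b in later if b["type"] == "incremental" or (diffs and b is diffs[-1])]
    return [history[last_full]] + keep


def restore(history):
    """Replay the needed sets oldest to newest; later copies win."""
    image = {}
    for tape in restore_sets(history):
        image.update(tape["files"])
    return image


def simulate(scheme):
    """Full backup on Sunday, then one job of the given scheme per weekday."""
    fs = {}
    for name in ("a.doc", "b.xls", "c.ppt"):
        touch(fs, name)
    history = [run_backup(fs, "full")]
    for changed in ("a.doc", "b.xls", "a.doc"):   # Mon, Tue, Wed edits
        touch(fs, changed)
        history.append(run_backup(fs, scheme))
    return {
        "tape_sizes": [len(b["files"]) for b in history],
        "sets_to_restore": len(restore_sets(history)),
        "restored_ok": restore(history) == snapshot(fs),
    }


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        print(scheme, simulate(scheme))
```

The two runs show the trade-off in the table directly: incremental tapes stay small (one file each) but four sets are needed to restore, while the differential tapes grow every day and only two sets are needed; both reproduce the current file system exactly.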
Unshielded and Shielded cable (Copper Cabling)
• UTP (Unshielded Twisted Pair) -The most common/popular twisted pair cabling -No additional shielding around either all the pairs or individual pairs • STP (Shielded Twisted Pair) -Additional shielding that protects against interference -Shielding done around each pair and/or the overall cable -Includes a grounding wire so that the cable is properly grounded -Abbreviations of the specifications of the cable -U = Unshielded -S = Braided shielding -F = Foil shielding • (Overall cable) / (individual pairs) TP -If Braided shielding is around the entire cable and foil around the individual pairs, then you should see S/FTP on the side of the box and/or cable • If it has foil around the cable and no shielding around the individual pairs, then you should see F/UTP on the side of the box and/or cable
Wrong passphrase (Wireless Network Troubleshooting)
• Unless a wireless network is completely open to the public, you usually have to provide some type of authentication to gain access to a wireless network -There are many different ways to provide that authentication • If you're finding that you're not connecting to the wireless network, it may be related to this authentication process -Make sure that you're using the correct credentials to gain access to the wireless network • Sometimes, this is simply a shared passphrase -Everyone is given the same phrase, and they use that phrase to connect to the wireless network -This is very common in a small office or home office, but it's not very common in a large enterprise environment • In enterprise environments, we prefer using technologies like 802.1X -This is where you would configure your workstation to authenticate using your normal credentials -And those would be credentials that only you would know -Everyone would use their individual credentials, and that gives them access to the wireless network -This means there's no shared passphrase that you would pass around, and you could be sure that if somebody is gaining access to the network, they used the correct credentials for your organization • If you do have 802.1X being used for authentication to your wireless network and someone is not able to gain access, you may want to check the client configuration for their wireless device and make sure their wireless device is using 802.1X as well
Ring Topology (Network Topologies)
• Was used in many popular LAN topologies -Token Ring networks, the classic example, are no longer used • Still used in many Metro Area Networks (MANs) and Wide Area Networks (WANs) -Common to have rings implemented as dual-ring networks -Built-in fault tolerance in case there is a break in the network -Traffic can wrap back onto the second ring to maintain uptime
Star Topology (Network Topologies)
• Used in most large networks and small networks -Common network type used in today's switched networks -All devices are connected to a centralized device (switch) • Switched Ethernet networks -The switch is in the middle -Everybody else connects to it over its Ethernet links
A Series of Moving Vans (Introduction to IP)
• Used to efficiently move large amounts of data -A shipping truck will be used as an example of moving data • The road will be used as the example of the network topology -The network topology could be Ethernet, DSL, coax cable, fiber • The truck itself will be the Internet Protocol (IP) -The roads (network) were designed for the truck • The boxes inside the truck will be holding the data -These boxes contain TCP and/or UDP information • Inside those boxes will be more information -Usually information about the application
Port mirroring (Switch Interface Properties)
• Used to examine a copy of the traffic -Port mirror (SPAN*), network tap • It is not used to block (prevent) traffic • An analyzer or monitoring device can be connected to the network; the switch takes data going between other stations, makes a copy, and sends it to the monitoring device • e.g. -If an IPS** is connected to a port mirror/SPAN port, it effectively has a tapped connection -As traffic goes through the switch, a copy of the data is created, and that copy is sent to both the destination station and the IPS -A device on a mirror port only ever sees the copy, so it can detect and alert but cannot drop the original frames; to actually block traffic, an IPS has to sit inline in the path * Switch Port ANalyzer (SPAN) ** Intrusion Prevention System
EGP (Exterior Gateway Protocol) (IGP and EGP)
• Used to route between autonomous systems -Provides the communication between autonomous systems -Leverages the IGP inside each AS to handle local routing • BGP (Border Gateway Protocol) is the dynamic routing protocol that is used to connect to the internet -Many organizations use BGP as their EGP -BGP allows autonomous systems, each running its own IGP, to exchange routes with each other
VLSM (Variable Length Subnet Masks) (Calculating IPv4 Subnets and Hosts)
• Using class-based networks is inefficient -The subnet mask is based on the network class -Unable to customize exact network size -Ended up with a lot of leftover IP addresses that wouldn't be used for anything • Giving the network administrator the ability to customize the size of the subnet mask allows them to define their own masks -Can customize the subnet mask to specific network requirements • Using VLSM, we can use different subnet masks in the same classful network • e.g.: -Subnet 10.0.0.0/8 is a traditional class A network -Using subnet 10.0.1.0/24 and 10.0.8.0/26 within it would be VLSM -Those differences in the subnet masks let us design the network in a way that makes sense for what we're doing, rather than around the limitations of a classful address; that flexibility is what we call variable length subnet masks
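An added example (my code, not from the course) serving both the subnetting chart entry and this VLSM entry. subnet_row() computes any row of the seven-second-subnetting chart from the prefix length instead of memorising it, vlsm_check() verifies the 10.0.1.0/24 and 10.0.8.0/26 example above really sit inside 10.0.0.0/8 without overlapping, and vlsm_allocate() does the design job VLSM exists for: carving a parent block into right-sized subnets, largest requirement first, each taking the smallest block that still fits the hosts plus the network and broadcast addresses. The host requirements at the bottom are constructed.

```python
"""Subnetting chart rows and a VLSM plan, computed rather than memorised.

Added example, not from the course. subnet_row() produces one row of the
seven-second-subnetting chart for any /n, and the VLSM functions check the
10.0.1.0/24 and 10.0.8.0/26 example inside 10.0.0.0/8 and carve a parent block
into right-sized subnets. The host requirements used below are constructed.
"""
import ipaddress


def subnet_row(prefix):
    """Chart row for /prefix: full mask, the octet the mask ends in,
    the value of that octet, subnets that octet can be split into, and
    addresses per subnet within that octet."""
    if not 1 <= prefix <= 32:
        raise ValueError("prefix must be between /1 and /32")
    bits_in_octet = (prefix - 1) % 8 + 1          # /25 -> 1 bit, /32 -> 8 bits
    addresses = 2 ** (8 - bits_in_octet)           # 128, 64, ... 1
    return {
        "prefix": prefix,
        "mask": str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask),
        "octet": (prefix - 1) // 8 + 1,            # which octet the mask ends in
        "last_octet": 256 - addresses,             # 128, 192, 224 ... 255
        "networks": 2 ** bits_in_octet,            # 2, 4, 8 ... 256
        "addresses": addresses,
    }


def subnetting_chart():
    return [subnet_row(p) for p in range(1, 33)]


def vlsm_check(parent, subnets):
    """Confirm each subnet lies inside the parent and none overlap;
    return usable hosts per subnet (network and broadcast excluded)."""
    p = ipaddress.IPv4Network(parent)
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    for n in nets:
        if not n.subnet_of(p):
            raise ValueError(f"{n} is not inside {p}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return {str(n): n.num_addresses - 2 for n in nets}


def vlsm_allocate(parent, requirements):
    """Carve the parent into subnets for {name: hosts needed}, biggest first,
    each taking the smallest block that still fits hosts + network + broadcast."""
    pool = [ipaddress.IPv4Network(parent)]
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        needed = hosts + 2
        prefix = 32 - (needed - 1).bit_length()    # smallest power of two >= needed
        pool.sort(key=lambda n: int(n.network_address))
        for block in pool:
            if block.prefixlen <= prefix:
                pool.remove(block)
                chosen = next(block.subnets(new_prefix=prefix))
                pool.extend(block.address_exclude(chosen))  # keep the leftovers
                plan[name] = str(chosen)
                break
        else:
            raise ValueError(f"no room left in {parent} for {name} ({hosts} hosts)")
    return plan


if __name__ == "__main__":
    for row in subnetting_chart():
        print(f"/{row['prefix']:<3} {row['mask']:16} octet {row['octet']}: "
              f"{row['last_octet']:3} {row['networks']:3} networks {row['addresses']:3} addresses")
    print(vlsm_check("10.0.0.0/8", ["10.0.1.0/24", "10.0.8.0/26"]))
    print(vlsm_allocate("192.0.2.0/24", {"sales": 100, "eng": 50, "mgmt": 20, "link": 2}))
```

Allocating largest-first is what keeps the leftovers contiguous: the 100-host subnet takes 192.0.2.0/25, the 50-host one takes 192.0.2.128/26, and so on down to a /30 for the point-to-point link, with every remaining piece of the /24 still available for later growth.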
Power level controls (Wireless Network Technologies)
• Usually a configuration change that you could make inside the software configuration of a wireless access point or wireless router -Consider setting it as low as you can • How low is low? -This might require some additional site surveys while walking around with a mobile device -Maintain speeds across required distances • Consider the receiver -High-gain antennas can hear a lot -Location, location, location
VLANs (Switch Interface Properties)
• VLAN assignment : When configuring an interface on a switch, you'll need to determine what VLAN the interface needs to be a member of -Each device port should be assigned a VLAN -Will need to assign the VLAN # on the switch interface that is connected to that device • Some switch interfaces will be the designated TRUNK interfaces -These interfaces are configured to specify what VLANs can communicate through that trunk -This connects switches together -Multiple VLANs in a single link interface • Tagged VLANs -It is common across a trunk port to have the switch tag a VLAN # and have that tag removed from the frame on the other end then placed on the proper VLAN • Untagged VLANs -You can also send untagged information over this link -Common to send management frames across this connection -A non-tagged frame is on the default VLAN (a.k.a the native VLAN) -No additional tag is added as it goes across the trunk • Trunk ports will tag the outgoing frames -And remove the tag on incoming frames
Network virtualization (Virtual Networking)
• Virtualization has changed our modern data centers -Data centers used to have 100 individual servers in them -Big farms • All those individual servers were connected together with enterprise switches -All the separate VLANs were connected together with enterprise routers -These multiple switches and multiple routers were connected with redundancy to ensure there was uptime for these services • Then the data center was virtualized -100 physical devices were removed and they were all created virtually within one single large physical system -One physical server contains 100 virtual servers inside • What happens to the network? -How are switching and routing services provided for all of those networks and all of those VLANs? -Communication to the physical world is still required
VoIP endpoint (Networking Devices)
• Voice communication continues to be something we use even today -We use different ways to communicate over these voice type networks by using Voice over IP telephones or other types of software-based voice over IP endpoints • The device can be anything -Voice over IP can be used instead of using the traditional plain old telephone service or POTS lines -We can also use different types of platforms to be able to send the VoIP communication such as a traditional physical handset, a desktop application (software based), or a mobile device app
Exploits (Vulnerabilities and Exploits)
• Vulnerabilities that may be on your system don't necessarily mean that someone has taken advantage of those vulnerabilities -When someone does take advantage of a vulnerability, we say that they are exploiting that particular vulnerability -They're gaining control of a system -They're modifying the data that might be on your computer -Or they're disabling or enabling certain services • There are many different ways to exploit a vulnerability -Someone may have to write a script or build an application to take advantage of a buffer overflow or a SQL injection -Or perhaps someone is simply accessing an area of the computer that was not properly secured • It may be very simple to exploit that kind of vulnerability
Vulnerability scan results (Process Monitoring)
• Vulnerability scans are very good at pointing out when security doesn't exist -When a device is scanned and it says a firewall isn't running, there's no anti-virus and no anti-spyware, you can then address that with the results of your vulnerability scan • There may also be situations where a device is misconfigured -For example, there may be a share that is open on that device without any type of security -Or perhaps someone has turned on guest access to a particular system unintentionally -A vulnerability scan will identify that and provide those details in the report • OSs and applications have vulnerabilities that are found all the time -Vulnerability scanners are usually updated constantly with the latest set of signatures -You'll be able to find even the newest vulnerabilities that may be associated with your services
WPA (Wi-Fi Protected Access) (Wireless Encryption)
• WPA stands for Wi-Fi Protected Access -It was created in 2002 -It was created because there was a serious problem with an encryption method used prior to this called Wired Equivalent Privacy, or WEP -A cryptographic vulnerability was found in WEP that effectively allowed all of our traffic to be decrypted -Don't use WEP • There was a need for something that would allow us to bridge the gap between the broken WEP encryption and something that would be the successor or more permanent encryption type on these networks -Something that could run on existing hardware • The short-term bridge was WPA -WPA used TKIP, the Temporal Key Integrity Protocol, which took advantage of the RC4 stream cipher • With WPA, we got away from some of the problems we had with WEP -For example, we made sure that the initialization vector was much larger and used an encrypted hash along with the IV -Every packet would effectively get a unique 128-bit encryption key to make sure all of the communication remained secure
Password policies (Policies and Best Practices)
• We all know that it's important to make sure that our passwords are constantly being updated -Many organizations have a formal password policy -This formal policy will require users to update their passwords after a certain amount of time -E.g. every 30 days, or 60 days, or 90 days • In organizations where there is a high level of security associated with this data/critical systems -you may see password policies that require a change even more frequently -E.g. every 15 days or every week • This change process for updating the password should be relatively straightforward for the end user • But if someone locks themselves out and they need to recover an account, there should be a formal process -This process should require an absolute identification of that user before resetting the account for access -This makes for a great opportunity for someone to use social engineering to gain access to someone's account -So you want to be sure the entire process is well documented and secure
Building an HA network (Availability Concepts)
• We are going to build a highly available network using the earlier configuration of an ISP, a firewall, router, switch, and web server -In the earlier configuration, our firewall had a problem, and connectivity was lost -So one way to provide high availability is to include a separate firewall that can work in conjunction with the original • We might also want to provide redundancy with our router and include a separate router and have them up and running all the time using high-availability protocols to allow traffic to flow through either one or both of the routers if they are available. -We can also provide redundancy and high availability with our switch and add a separate switch for network connectivity -We can also provide redundancy and high availability with our load balancer and add a separate load balancer to provide high availability to our web servers. • We could even take this further and include a separate internet provider in case one internet provider suddenly is unavailable -This process can continue to build out the high availability with multiple devices until you find the right configuration that makes sense for the business requirements
Certificate-based authentication (Authorization, Authentication, and Accounting)
• We can also use certificates to gain authentication -With public and private keys, we can create a certificate that would be private to you, and no one else would have access to that particular certificate • Many people will put these certificates on a smart card -You would have to slide the smart card into your computer, usually provide a personal identification number, and then you would gain access to that system -Private key is on the card • The US federal government uses a PIV card -This is a Personal Identity Verification card -It has the smart card functionality plus the picture and identification on the ID card itself -You simply slide your ID card in to be able to read the certificate that's on that card • If you work for the US Department of Defense, then you're probably using a CAC -Which is a Common Access Card -US Department of Defense smart card -Contains picture and identification • You don't have to use a card to have access to these certificates -You could store the certificate on a laptop, or maybe store the certificate on a USB drive, and you would access that certificate during the log in process -IEEE 802.1X -Gain access to the network using a certificate -On device storage or separate physical device
NTP stratum layers (An Overview of NTP)
• We can associate a value with an NTP server that designates how far it is away from the original time source -These are stratum layers in NTP -Some clocks are better than others • Stratum 0 Server -The original reference clock -This could be an atomic clock or a GPS clock -Very accurate • Stratum 1 Server -Next server away from stratum 0 -Synchronized to stratum 0 servers -Primary time servers • Stratum 2 Server -Sync'd to stratum 1 servers
Frequency mismatch (Wireless Network Troubleshooting)
• We have a number of different 802.11 wireless standards, and some standards might use different frequencies than another standard -One thing that we have to make sure is that the devices that we're using are going to be matching the frequencies available on that access point -Devices have to match the access point frequencies -Either 2.4 GHz or 5 GHz • Sometimes you may run into problems where a client on the network is communicating to the access point, but over a slightly different frequency -You may want to check and see if someone may have manually configured a channel on their wireless device instead of having it set to the default, which is to automatically match what's on the access point -Verify the client is communicating over the correct channel -This is normally done automatically -May not operate correctly if manually configured • And you may also find that mixing different standards on the same wireless network may cause the network to not be as efficient as possible -Older standards may slow down the newer network -For example, if you have an 802.11n network, and you've configured it to allow legacy 802.11b devices, you'll have additional information in the frame and additional frames that have to be sent, which will lower the overall efficiency of the network
Fault Tolerance example (Availability Concepts)
• We have an internet provider -That internet provider is connecting to our firewall -That firewall is then connecting to our internal router -The router is connecting to our internal switch -And finally, the switch is connected to our web server • But what if we have a problem with that firewall? -Perhaps the power supply fails or the software is having a problem -That single device being down affects the entire flow between the internet and that web server • A fault-tolerant configuration was planned should an event such as a firewall outage occur -A spare firewall was purchased and kept on standby to prepare for this type of scenario • The spare firewall gets turned on -Make sure it's up to date -And then slide it into place to get the network up and running again
SIEM (Security Information and Event Management) (Event Management)
• We mentioned the importance of a SIEM -This is a security information and event management platform -This is usually a device that is consolidating log files from all of your different devices -It allows you to monitor and create reports on all of that logged information • Since the SIEM is gathering so many different details from so many different parts of the organization, it can also perform real-time monitoring of the information it receives -If an alarm state suddenly occurs, you can send out security alerts or other messages so that people are getting real-time information about what's happening on the network • This device is gathering so much information and storing all of that information over such an extended period of time -You can create some very interesting short- and long-term reports -There are advanced reporting functions within these SIEMs that may include built-in reports, or they may also allow you to build your own custom report • This wealth of collected data may also allow you to create correlations between all of these very diverse data types -e.g.: You could look at detailed log information from a VPN where someone logs in, you can see switch information when they were assigned a VLAN, you can identify firewall details, and then you can track exactly what application was accessed on a server • If a security event does occur, the SIEM will contain very valuable information for forensic analysis -It will allow you to rewind over time and access all of the details from all of your different components to determine exactly what may have happened
MAC filtering (Wireless Authentication and Security)
• We previously learned about performing MAC filtering on a wired network -But you can also perform filtering on a Media Access Control address on a wireless network as well • You would normally define all of the allowed devices' MAC addresses in your access point -This, of course, would prevent any other MAC addresses from joining the network -Would require additional administration with visitors • You can use a wireless analyzer to easily view all of the MAC addresses communicating on your wireless network -So you may find that MAC filtering does not have the level of security that you would need -MAC addresses can be spoofed using free open-source software • This is commonly referred to as security through obscurity, which, of course, is no security at all
Man-In-The-Middle (Man-in-the-Middle)
• We usually consider our network communication to be private -We're communicating to a server, and we're assuming that everything between our workstation and the server is not going to be seen by other people -The reality, of course, is far from that -The bad guys would love to get into the middle of that conversation, and they do this using a technique called man-in-the-middle -They're able to sit between you and that other device and watch all of the traffic going between Point A and Point B • The bad guy acts as the middleman -It's receiving information from one device, looking at what's inside of it, and forwarding it on to another device -Neither end station realizes that there's someone sitting in the middle of that conversation, and that's the secret of man-in-the-middle: it is completely invisible to the end stations • There's a technique that the bad guys use called ARP poisoning -They're able to use some of the functions of ARP because there is no security built into the Address Resolution Protocol -By taking advantage of that lack of security, it's very easy for the bad guy to create a man-in-the-middle when they're sitting on the same IP subnet as two other devices
Device hardening (Mitigation Techniques)
• We want to have all of our infrastructure devices hardened against any security issues -There are usually default configurations and default usernames and passwords -We want to be sure that all of our systems are not using the defaults -No system is secure with the default configurations • Fortunately, manufacturers of these switches, routers, firewalls, and other devices will often provide a hardening guide -You can use their recommendations to make sure that your system is as secure as possible • You might also find a number of guides online that go beyond the manufacturer's requirements so that you can really tighten down the security of these devices -Other general-purpose guides are available online
Geofencing (Wireless Authentication and Security)
• We're starting to see more mobile device managers take advantage of geofencing -This is using the GPS functionality in a mobile device to determine whether someone gets access to the network or not -It restricts or allows features when the device is in a particular area • You can also integrate this into cameras -If the information inside of the building is very sensitive, the camera can be disabled when someone happens to be at work • You could also use this for authentication -Someone might have to be at least in your regional area to be able to log in to your wireless network -And if someone's GPS shows them to be outside of a particular area, you can restrict that access to your network.
LDAP (Lightweight Directory Access Protocol) (Authorization, Authentication, and Accounting)
• We've been using directories to associate information for a very long period of time -A good example is a phone book that might associate your name and your address with a phone number -We have similar directories on our networks. -And one way that we can access those directories is with the protocol named LDAP, for Lightweight Directory Access Protocol -A protocol that allows us to read and write information to a directory over an IP network • LDAP uses a standard called X.500 -A standard that was written by the International Telecommunications Union, or the ITU -This means if you create an LDAP database, then other devices can use the standard X.500 to be able to read and write information • Early versions of LDAP were called DAP -This was the Directory Access Protocol that ran on the older OSI protocols -LDAP is a lightweight version of this DAP protocol that uses tcp/389 and udp/389 to communicate • If you have a directory that's in Windows Active Directory, Apple Open Directory, or Open LDAP -You can use this X.500 standard to communicate to any of these directory types -LDAP is the protocol used to query and update an X.500 directory
Internet of Things (Internet of Things Topologies)
• Wearable technology -Such as watches, health monitors, glasses -Can track our location and provide mapping data -The real question is where is that data and how is it stored? • Home automation -Connecting video doorbells -Internet-connected garage door openers -Can control heating and cooling -These devices can also know when you are home (and when you aren't)
System life cycle (Policies and Best Practices)
• What happens to all of your technical assets when they reach the end of their usable life? -There needs to be a set of policies and procedures that helps with understanding how to manage the disposal of these assets -Assets such as: desktops, laptops, tablets, mobile devices • This may involve not only technical procedures, but legal procedures as well -Your type of business may have certain requirements on how data is stored, so you may find that certain devices may have to be stored for a certain amount of time before you would ever consider disposing of them -Some information must not be destroyed -Good to consider offsite storage to preserve data • And on the technical side, you need to make sure that anything that is disposed of or provided to a third party has all of its important confidential company information deleted from that device before it ever leaves your building -You don't want critical information in the trash -People really do dumpster dive -Recycling can be a security concern
Rogue DHCP server (Network Service Troubleshooting)
• What if someone happens to install a DHCP server on your network and starts handing out IP addresses to anyone who might need them? -This would be a rogue DHCP server -And because there's no security inherent to DHCP, this might be something very easy for someone to configure and put on your network • This could mean that someone might be assigned an invalid or duplicate IP address -And that, of course, would affect many devices on the network and would probably prevent many clients from being able to communicate to other devices -Can cause intermittent connectivity, no connectivity • One way to disable this rogue DHCP server is to enable security on your switch -There's a function called DHCP snooping that may be able to identify rogue DHCP devices, and you may be able to authorize DHCP devices in Microsoft's Active Directory -And only those devices would be allowed to hand out DHCP addresses • To resolve this problem, you would first have to identify the rogue DHCP server and disable it -You would then need to find all of the devices that received an IP address from that server, have them release that IP address, and then renew with the normal DHCP servers
Binary to Decimal example 1 (Binary Math)
• What is binary 00000010 in decimal?
128 ¦ 64 ¦ 32 ¦ 16 ¦ 8 ¦ 4 ¦ 2 ¦ 1
  0 ¦  0 ¦  0 ¦  0 ¦ 0 ¦ 0 ¦ 1 ¦ 0
• Add all values that have a 1 -Only the 2 has a 1 • This equals 2 in decimal
Binary to Decimal example 2 (Binary Math)
• What is binary 10000010 in decimal?
128 ¦ 64 ¦ 32 ¦ 16 ¦ 8 ¦ 4 ¦ 2 ¦ 1
  1 ¦  0 ¦  0 ¦  0 ¦ 0 ¦ 0 ¦ 1 ¦ 0
• Add all values that have a 1 -The 128 and the 2 have a 1 • 128 + 2 equals 130 in decimal
Binary to Decimal example 3 (Binary Math)
• What is binary 11111111 in decimal?
128 ¦ 64 ¦ 32 ¦ 16 ¦ 8 ¦ 4 ¦ 2 ¦ 1
  1 ¦  1 ¦  1 ¦  1 ¦ 1 ¦ 1 ¦ 1 ¦ 1
• Add all values that have a 1 -Every position has a 1, so 128+64+32+16+8+4+2+1 • This equals 255 in decimal
Decimal to Binary example 1 (Binary Math)
• What is decimal 154 in binary? • Enter a 1 or a 0 in each position until the values with a 1 add up to 154 -Use 1 to turn on the bit, 0 to keep the bit off
128 ¦ 64 ¦ 32 ¦ 16 ¦ 8 ¦ 4 ¦ 2 ¦ 1
  1 ¦  0 ¦  0 ¦  1 ¦ 1 ¦ 0 ¦ 1 ¦ 0
• 128 + 16 + 8 + 2 = 154, so decimal 154 equals 10011010 in binary
Subnetting the network example 1.2 (Seven Second Subnetting)
• What is needed: 4 networks that can support 40 devices • We can write a chart that shows Subnet Mask in Decimal, Subnet Mask in Binary, CIDR Notation, Networks, Hosts per Network:
Subnet Mask in Decimal ¦ Subnet Mask in Binary               ¦ CIDR ¦ Networks ¦ Hosts per Network
255.255.255.0          ¦ 11111111.11111111.11111111.00000000 ¦ /24  ¦ 1        ¦ 254
255.255.255.128        ¦ 11111111.11111111.11111111.10000000 ¦ /25  ¦ 2        ¦ 126
255.255.255.192        ¦ 11111111.11111111.11111111.11000000 ¦ /26  ¦ 4        ¦ 62
255.255.255.224        ¦ 11111111.11111111.11111111.11100000 ¦ /27  ¦ 8        ¦ 30
255.255.255.240        ¦ 11111111.11111111.11111111.11110000 ¦ /28  ¦ 16       ¦ 14
255.255.255.248        ¦ 11111111.11111111.11111111.11111000 ¦ /29  ¦ 32       ¦ 6
255.255.255.252        ¦ 11111111.11111111.11111111.11111100 ¦ /30  ¦ 64       ¦ 2
255.255.255.254        ¦ 11111111.11111111.11111111.11111110 ¦ /31  ¦ 128      ¦ 1
• The /26 row gives 4 networks with 62 hosts each, which meets the requirement • Drawback is that there is not enough time to write the chart during an exam
Wireless security modes (Wireless Authentication and Security)
• When configuring the authentication type on wireless APs/routers, you'll have a number of options available • One configuration option may be to not require any type of authentication on the wireless network -This would be defined as an open system, where no password is needed • At home, or working in a small office, the wireless network may be configured with WPA2-Personal -You might see this also called WPA2-PSK -The PSK is for Pre-Shared Key -This means that anybody who needs access to the network needs to know that pre-shared key -If that pre-shared key is changed on the access point, you would also have to change the configurations of all the devices that connect to that wireless network -Everyone would use the same 256-bit key • If working in a much larger environment, you're not going to give everybody the same key and expect that particular key to remain secure -In that particular case, you would use WPA2-Enterprise -You may see this referred to as WPA2-802.1X -That's because we're going to use 802.1X to provide network access control to this wireless network • You log in using your normal username and password for your particular device -It will authenticate against a back-end AAA server -And then you'll gain access to the wireless network • If you leave the organization, then your access to all of the networks is also disabled -And if someone changes their own personal password, it doesn't change the authentication process for anybody else in the organization
Loop protection (Spanning Tree Protocol)
• When connecting two switches to each other with a second cable, traffic will be sent back and forth forever, creating a loop -There is no frame "counting" mechanism at the MAC layer -Those frames will continue to loop until one of those cables is removed from one of those switches • The loop is an easy way to bring down a network -This type of problem occurs almost immediately and it is somewhat difficult to troubleshoot -Relatively easy to resolve by backtracking your steps • The IEEE standard 802.1D prevents loops in bridged (switched) networks at the MAC layer -This was created by Radia Perlman in 1990 and it is used practically everywhere
Logical network maps (Network Documentation)
• When creating logical network maps, you are building out a broad perspective of the way the network might be configured -You can usually create this documentation with specialized software such as Visio, OmniGraffle, or third party websites (Gliffy.com) • Gives a high-level perspective of how the network is connected at a broad level -It does not show specific components or exactly where the wires are going -But it does show the WAN layout and how an application flows, such as what sites are connected and how they connect to each other • Useful when planning and collaborating with third parties that require a general understanding of how the network is designed -If more details are required, you can move from a logical layout to a physical layout
Unicast (Unicasts, Broadcasts, and Multicasts)
• When one station sends information to another station • Information is sent between two systems -one to one relationship • Common to see when web surfing and your device is accessing a single web server -Or during file transfers from your device to another • May not be an efficient way to transfer data • Does not scale optimally for streaming media -e.g. Streaming a live event to multiple devices
Segmenting the network (Network Segmentation)
• When someone is talking about segmenting the network, they're usually talking about segmenting things into separate physical devices, perhaps separate VLANs or virtual networks -Segmentation could be physical, logical, or virtual • We might want to do this for performance reasons -If we can separate the network into smaller pieces, we may have the opportunity to increase the throughput of certain servers and other devices -High-bandwidth applications • There may also be a good security reason to keep the network segmented -For example, you might want to be sure that certain users aren't able to communicate directly to certain database servers -Or maybe certain applications should only communicate to each other, so we can segment those so that no other devices would be on that network -The only applications in the core are SQL and SSH • Or it might be a compliance reason -You may want to be sure that credit card information or health care information is segmented from other parts of the network -Mandated segmentation (PCI compliance) -Makes change control much easier
Remote access policies (Policies and Best Practices)
• When users are sitting at desks inside of the building, it's relatively easy to control the flow of data from one side of the network to the other, but of course, it is not easy when users leave the building -Many users will be working remotely, so there needs to be a series of policies that define how the data and the process of communication is managed when people are outside of the building • This policy is not only something that will apply to the employees, but it will also apply to third parties that may be connecting to a VPN to gain access to resources that are on the inside of the network • These policies usually have very specific technical requirements -For example, it may require you use an encrypted connection, and also specify the type of encryption that needs to be used -It may specify the type of credentials required when you log in -And it may dictate exactly how the network, the hardware, and the software should be used over this remote communication -It'll dictate the specific technical requirements
AAA framework (Advanced Networking Devices)
• When we are using network resources, we constantly need to identify ourselves -We need to identify ourselves when we sit down at our computer, when we connect to a wireless network, or when we try to access a resource across the network -To gain access to these resources, we need some way to validate that we are really who we say we are -In these cases, we would use a triple-A framework, which provides the authentication, the authorization, and the accounting to keep track of exactly what you've accessed and when on the network • The authentication process is required to confirm access to the network -A username and password are provided to prove the user is really who they say they are -A password and possibly other authentication factors are provided • Authorization grants the user access to resources -This is based on the rights and permissions associated with our username • Accounting keeps a log of network activity -Keeps track of exactly when a user logged on, logged off, and exactly what information was sent and received over the network
Monitoring the interface (Performance Metrics)
• When we think about monitoring an interface, we often are thinking about whether the interface is available or not available -But of course, there are many other metrics that we could gather from these interfaces that might allow us to catch a problem when it's very small, before it begins to impact the overall performance of a device • For example, an increasing number of CRC errors may indicate a problem with a cable or with an interface -Or we may be able to see the type of congestion that's on the network and determine if the utilization may be getting too high • A lot of this can be viewed in the OS of the device itself -Details on the interface • In a very large environment, you may want to take advantage of SNMP -We can query the interface over time and gather metrics on these details -We can remotely monitor all devices on the network and get real-time access to their performance over time • There's a standardized management information base for SNMP called MIB-II, and almost every device supports gathering statistics from the standard MIB-II database -MIB stands for Management Information Base -Some devices also have a proprietary MIB that allows you to gather metrics and details that are very specific to that device
Demarcation point (WAN Termination)
• When working with a third party network provider, there needs to be some point where the hand-off is made between the provider's network and the internal network -This is called the demarcation point or the demarc -It's often a network interface on the outside of the building or it may be an interface location on the inside of the building -We commonly have wide area network demarcs in our businesses -We also have demarcs on the outside of our house where the phone provider or cable company will provide that handoff point to the rest of the devices in your home • In a business, there's probably a central point in the data center where all of the demarcs from all of the providers are brought in -In a home, there is probably a box on the side of the house that's providing an RJ-11 and RJ-45 or a coax connection for your internet connectivity -Usually a network interface device -Can be as simple as an RJ-45 connection • On your side of the demarc, you connect your CPE or your Customer Premises Equipment -You may hear this abbreviated as your "customer prem"
International export controls Policies (Policies and Best Practices)
• When working with equipment or software inside of your own country, it may be relatively straightforward to understand how all of that information is maintained -But if you ever need to send any of that equipment or information to another country, there may be specific rules and regulations on what happens with all of that hardware and software -Country-specific laws controlling export • These days international export controls apply not only to the hardware that we might send to another country, but also to the data that we might send -Many countries have created significant regulations associated with Personally Identifiable Information (PII) and what information may leave the country and what information must stay -This covers the transfer of software and information, not just physical goods • You may also find that components that could be used for both civilian and military purposes have a different set of international export controls associated with them -For example, there may be a completely different set of export controls for something like a firewall, an intrusion prevention system, or a hacking tool -Security software, malware samples, and hacking tools may have their own set of international export controls • If you don't follow these international export controls, the penalties can be quite severe -It's important to check with your legal team to make sure that the hardware and software you're sending to another country complies with all of these regulations -Don't ship unless you're sure
Punch-down best-practices (Hardware Tools)
• When working with patch panels and punch-down tools, you want to make sure that you've got everything organized -Organization is key -You're going to have a lot of wires in one very small space -Cable management is big • On today's high speed ethernet networks, you also want to be sure to keep the twists in the wire as close as possible to where it's going into the punch-down block -Maintain the twists -Your category 6A cable will thank you later • Once you're done connecting these patch panels, you usually want to document exactly which one of these interfaces is connecting with which desk that's out on the floor -Document everything -Written documentation, tags, or graffiti (if needed)
Fault tolerance (Availability Concepts)
• When working with technology, the question isn't if you're going to have a problem, it's when are you going to have a problem -A plan is needed in case there is some type of failure -Need to maintain uptime in the case of a failure -Being able to provide continuous uptime is an important consideration for any part of I.T. -It can degrade performance when services are down -There will be a need to have a fault-tolerant plan in place • Fault tolerance usually adds additional complexity -There are a number of processes and procedures that need to be followed -And it may add additional cost as you acquire additional components so that everything is fault tolerant • Adding fault tolerance for a single device -Such as adding storage devices, redundant NIC cards, redundant power supplies, or configuring RAID • Adding fault tolerance for multiple devices -Such as adding load balancing to server farms or having multiple network paths in case one device fails
Privileged accounts (Mitigation Techniques)
• When you first install a switch or a router or some other network device, you are given access to that system as the administrator, or with root access to that system • This means that you have complete access to perform any configuration on that device -If you need to make a configuration change to that device or upgrade any of the software, the administrator login or root login gives you complete control • This obviously means that you need to control who has access to these administrator logins -You may want to integrate this with an existing AAA server or enable two-factor authentication -Or you may want to make sure that the passwords you're using are strong passwords and not something that could be easily guessed -And as a good best practice, you want to make sure that password is occasionally changed, so that anyone who may have previously gained access to that system is locked out • There is usually a separate login to these devices that has limited access -So if you simply need to log in and check the status of the system, you may be using a different login than someone who needs to log in and make configuration changes -Role separation with different access rights -More difficult for a single limited account to breach security
Changing default credentials (Device Hardening)
• When you first plug-in a router, a switch, a firewall, or any of these other network devices, there is usually a default username and password that you can use to gain access to that system -These default credentials are well known • For example, you can go to a website like RouterPasswords.com that list all of these different models of devices and they provide the username and the password for all of these different systems -Very easy to find the defaults for your WAP or router -http://www.routerpasswords.com • These default user names and passwords are usually providing full control or administrator access to these systems -So if you don't change these defaults, you'll find that someone else will come along and try to see if those defaults are available -You could unintentionally be providing administrator access to these new devices that you're adding to the network
VLAN mismatch (Wired Network Troubleshooting)
• When you're configuring the interfaces on your switch, you're assigning each interface with a VLAN -And if you happen to put the wrong VLAN in for an interface, you may run into some problems -Configured per switch interface • For example, a device may have a link light, which shows that it sees the switch on the other end, but it's not able to surf the internet or connect to any other devices -Or you may see an IP address that's assigned via DHCP, but it's not for the subnet that you thought you should be on -And if you configure the IP address manually, you still aren't able to connect to the devices on the network • The best way to check for a VLAN configuration is on the switch itself. -So you would SSH or connect to the switch and see what the VLAN setting is for the interface that's connected to that device. -VLAN 1 is usually the default for a switch. But many organizations will have many different VLANs. -So you may need to check your documentation to see exactly what VLAN that device should be a member of
Reversing transmit and receive (Wired Network Troubleshooting)
• When you're running cable for a business, there are many different places where you might run into problems with the wire map -It's very easy to reverse the transmit and the receive pairs at the ends of the cable when you're putting on the RJ45 connectors (the cable ends) -And you could also make a wiring mistake at the punchdown block itself • Reversed transmit and receive is an easy problem to catch -You can easily see the wire map on a cable tester -And sometimes you can visually see it by examining the two ends of a cable or looking at the punchdown block itself -Simple to identify • Some ethernet adapters will automatically adjust if they see that transmit and receive are reversed across a connection, so that you're still able to communicate even though the wire map isn't exactly the way it should be -Auto-MDIX
Bottlenecks (Wired Network Troubleshooting)
• Whenever someone says "the network is slow," what they're really saying is that any one of the many devices that are plugged into this network may be having some type of problem somewhere inside of them -There's never just one single performance metric that you need to examine. You need to look at every single step along the entire path -A series of technologies working together • This means you may need to examine the I/O bus of a server or the CPU speed -Or you may need to look at the storage access speed, the switch, or the router performance to really get an understanding of the performance of the traffic going across the network -One of these can slow all of the others down • This means that you may find yourself examining a lot of different metrics on a lot of different devices to really get an understanding of the overall health of the network -You'll need to look at statistics in the servers, the routers, the switches, the networks, and the workstations -This may be more difficult than you might expect
Wireless access point (WAP) (Networking Devices)
• Wireless access points are available in many enterprise networks to connect people to a wireless network -This is different than the wireless router you have in a home office that has the router, the switch, the wireless access point, the firewall, and some other components within it as well -If just the wireless piece was pulled, it would only be a wireless access point • A WAP is a bridge between a wireless network and an ethernet network -It extends the wired network onto the wireless network -A WAP is a layer 2 device
Wireless Standards (802.11 Wireless Standards)
• Wireless networking (802.11) -Managed by the IEEE LAN/MAN Standards Committee (IEEE 802) • WiFi has been updated over time -Check with IEEE for the latest • The Wi-Fi trademark -Wi-Fi Alliance handles interoperability testing
Wireless range extender (Networking Devices)
• Wireless never seems to stretch far enough -We can't always choose where to install an access point -There might be a single room that has an ethernet connection, and that is the only place available to connect that wireless access point • A wireless range extender can increase the size of that wireless network -Think of this as a wireless repeater that is able to receive a wireless signal and then repeats that signal to a local area
ANT / ANT+ (Internet of Things Topologies)
• Wireless sensor network protocol -Uses the 2.4 GHz ISM band (industrial, scientific, and medical) -An "Internet of Things" ultra-low-power protocol -Commonly associated with fitness devices, heart rate monitors, etc. • A separate wireless service -Uses a completely different type of network than your 802.11 or Bluetooth -But they are all using 2.4 GHz • These frequencies can be jammed -With denial of service or spectrum jamming • Optional encryption -And no method to maintain integrity -Does not require encryption to communicate between all of these devices
Refraction (Wireless Network Troubleshooting)
• Wireless signals can also suffer from refraction -This is when the signal passes through an object and exits that object at a slightly different angle -Similar to light through water • This might affect data rates, especially on connections where you're dealing with very directional signals -The signal arrives less directionally than intended • For example, outdoors between two buildings, where you have long-distance wireless links, those links might see fog, water vapor, or temperature changes that affect the refraction of those wireless signals
Brute force (Brute Force Attacks)
• With a brute force attack, you don't use a dictionary -Instead, you're using every possible combination of letters, special characters, and numbers to try to determine what someone's password might be • If you're trying to use a brute force attack online, it can be very difficult -It's a slow process -Most systems detect when somebody is using the wrong password over and over, and they either slow down or completely disable an account • Instead, it's much easier if you can gain access to the file that contains the hashed passwords -That way, you can brute force the hash while offline -You can run it through an automated process where you don't have the slowdowns or account lockouts that you would have to deal with online -You calculate a hash, compare it to what's stored, and see if you can determine what those passwords might be -This may take a lot of computing power to calculate all of these hashes -But at least you know you're going through every possible combination, and you will eventually be able to determine what that password is
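The offline attack described above, as an added example rather than anything from the original page: the "captured" hash is constructed here (an unsalted SHA-256 of a deliberately short password, so the search finishes in well under a second), and keyspace_size() shows why length and character set matter. Real password stores use salted, deliberately slow hashes, which changes the per-guess cost but not the shape of the search.

```python
"""Offline brute force of a stored password hash.  Added example, not from
the original page: the captured hash is constructed here (unsalted SHA-256
of a deliberately short password) so the search finishes quickly, and
keyspace_size() shows how fast the work grows with length and charset."""
import hashlib
import itertools
import string


def keyspace_size(charset_len, max_len):
    """Candidates of length 1..max_len: 26 + 26**2 + 26**3 for 3 lowercase chars."""
    return sum(charset_len ** k for k in range(1, max_len + 1))


def brute_force(stored_hash, charset, max_len):
    """Hash every combination of `charset` up to `max_len` characters and
    compare against stored_hash.  Returns (password, attempts), or
    (None, attempts) once the whole keyspace has been exhausted.
    Nothing here talks to a server, so there is no lockout to trigger;
    the only limit is how many hashes per second the hardware can do."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hashlib.sha256(candidate.encode()).hexdigest() == stored_hash:
                return candidate, attempts
    return None, attempts


# Constructed "captured" hash: what an attacker would read out of a
# credential file that stores unsalted fast hashes.
CAPTURED_HASH = hashlib.sha256(b"abc").hexdigest()

if __name__ == "__main__":
    password, tries = brute_force(CAPTURED_HASH, string.ascii_lowercase, 3)
    print(f"recovered {password!r} after {tries} guesses")
    full = string.ascii_letters + string.digits + string.punctuation
    for n in (6, 8, 10):
        print(f"{n} chars from {len(full)} symbols: {keyspace_size(len(full), n):.3e} guesses")
```

Three lowercase characters fall in a few hundred guesses; eight characters drawn from the full printable set are on the order of 10^15, which is where a slow hash such as bcrypt or Argon2 (thousands of times more expensive per guess than SHA-256) turns an afternoon into centuries.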
Web-based management console (Remote Access)
• With many devices, you don't need to use SSH and manage the device at the command line -Instead, you can use your browser and a web-based management console -The universal client • By using HTTPS, we can ensure that there is an encrypted connection between our browser and this remote device -We can use all of the management features that have been configured for this browser-based communication • In some cases, you may still need access to the command line to be able to run functions that aren't available in the web-based front end -But the web-based front end provides you with an easy way to gain access without having to go through the process of connecting through a command line
Physical segmentation example (Network Segmentation)
• With physical segmentation, we have completely separate devices -For example, switch A and switch B -These are physically separate devices and they are not connected to each other • The only way that these two devices would be able to communicate to each other is if you did connect them together in some way -Either directly to each other through another switch or through a router • You might use physical segmentation to completely separate devices from each other -For example, you may have all of your web servers in one rack and all of your database servers in another -And both of those are communicating on their own switches • This physical segmentation may also be based on the applications you're using -For example, you may have all of the application A servers segmented in their own rack with their own switch -Then have all of your application B servers segmented in a completely different rack with a completely different switch • Or this might help you keep customer information separated -You might have all of the customer A information on one physical switch -and all of the customer B servers and information on a physically separate switch -No opportunity for mixing data
Auditing (Authorization, Authentication, and Accounting)
• With these centralized authentication functions, we can gather a lot of information about who's using the network and when -We can see exactly who's logging in, where they're logging in from, and what resources they're accessing -Automate the log parsing -Log all access details such as OS logins, VPN, device access, etc... • With all of this information logged, we can then go back and provide audits of this information -We can make sure that right people are logging in from the right locations, and that everyone is accessing the correct resources for their particular login -We want to know exactly how these resources are being used after the authentication, and we want to be sure all of our systems and applications are secure • We can even start creating rules for our AAA server that are based on the time of day -For example, if there's a lab that no one should be accessing after normal working hours, we can create a rule in our AAA server -This would prevent access to those resources after a particular time of day -Set time-of-day restrictions -Create rules to prevent access to a particular resource
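The audit step above, as an added example that is not from the original page: it parses constructed AAA accounting records (the line format is this example's own, not any particular AAA server's) and reports successful logins that a time-of-day and source-network policy for "lab-" resources should have prevented.

```python
"""Auditing AAA accounting records against a time-of-day and source policy.
Added example; the log lines, the policy and the record format are all
constructed here for illustration."""
import ipaddress
import re
from datetime import datetime, time

# Constructed accounting records: when, who, from where, to what, outcome.
SAMPLE_LOG = """\
2024-03-04T09:12:41 user=alice src=10.1.5.23 resource=lab-switch-01 result=success
2024-03-04T22:15:07 user=bob src=10.1.5.40 resource=lab-switch-01 result=success
2024-03-05T17:59:59 user=carol src=10.1.9.8 resource=lab-router-02 result=success
2024-03-09T11:02:13 user=alice src=10.1.5.23 resource=lab-switch-01 result=success
2024-03-05T13:30:00 user=dave src=203.0.113.7 resource=vpn-gw result=failure
2024-03-05T13:31:10 user=dave src=203.0.113.7 resource=vpn-gw result=success
2024-03-06T10:00:00 user=erin src=198.51.100.9 resource=lab-switch-01 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"resource=(?P<res>\S+) result=(?P<result>\S+)$"
)

# Policy for resources named lab-*: 08:00-18:00, Monday to Friday, and only
# from the internal 10.1.0.0/16 range.  weekday() is Monday=0 .. Sunday=6.
POLICY = {
    "lab-": {
        "start": time(8, 0),
        "end": time(18, 0),
        "weekdays": range(0, 5),
        "allowed_src": ipaddress.ip_network("10.1.0.0/16"),
    },
}


def parse_line(line):
    """One accounting record -> dict; a line that does not match is an error,
    not something to silently skip, since a gap in the audit trail matters."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable accounting record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def violates_policy(rec):
    """Reason this record breaks the policy for its resource, or None."""
    for prefix, rule in POLICY.items():
        if not rec["res"].startswith(prefix):
            continue
        ts = rec["ts"]
        if ts.weekday() not in rule["weekdays"]:
            return "weekend access"
        if not rule["start"] <= ts.time() < rule["end"]:
            return "after-hours access"
        if ipaddress.ip_address(rec["src"]) not in rule["allowed_src"]:
            return "unexpected source network"
    return None


def audit(log_text):
    """Successful logins the policy should have prevented, in log order.
    Failed attempts are skipped here: a denied login is not a violation,
    although a burst of them deserves its own alert."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] != "success":
            continue
        reason = violates_policy(rec)
        if reason:
            findings.append((rec["user"], rec["res"], rec["ts"].isoformat(), reason))
    return findings


if __name__ == "__main__":
    for user, res, when, reason in audit(SAMPLE_LOG):
        print(f"{when} {user} -> {res}: {reason}")
```

The audit and the enforcement use the same rule: once the policy is expressed this way it can be loaded into the AAA server as a time-of-day restriction, and the audit then confirms that the restriction actually held.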
Mapping the network (Network Documentation)
• Within the networking world, most documentation is about the network itself -A network contains many different components, and it's not usually built all at once -It's usually built over a long period of time through multiple phases • Once the network is built, you may not know exactly where the wires, the fibers, and the cables might be going -You won't be able to see most of the fiber and wire since it's all inside the walls and ceiling -It'll take an additional effort to document all of that information • Different types of documentation could also be created -There may be a set of logical documents and a set of physical documents -Documentation is essential • One of the best things you can do is create and maintain documentation of the network from a networking perspective -Everyone can see and understand the layout of the network -It's also nice to have documentation that can be shared with a 3rd party to perform whatever task may be required
Firewall (Networking Devices)
• You generally don't connect to any network these days without a firewall in place -Firewalls make decisions about whether traffic is allowed or not allowed through the network based on Layer 4 information -This might be a TCP or UDP port number • Modern firewalls can take it even higher and look into the application that's going across the network and make decisions on whether certain applications are allowed or not -Those are often referred to as Layer 7 firewalls, or next generation firewalls • Many firewalls provide other features such as configuring the firewall as a VPN endpoint at the main location and configure another firewall as a VPN endpoint at a remote site -This will encrypt all of the traffic that flows between the main location and any of the remote sites • Some firewalls can be configured as a proxy -It will stop the network communication, make the request on your behalf, receive the response, make sure the response is appropriate for you to receive, and then send that traffic down to your workstation -This is a common security technique • Many firewalls can also be configured as a Layer 3 device (as a router) -Traffic can be routed going in and out of the internet -Not only is it making security decisions based on Layer 4 UDP/TCP port numbers or Layer 7 applications -But also acts as a router to send traffic between different IP subnets -Usually sits on the ingress/egress of the network
Wardriving (Wardriving)
• You may not realize it, but people who are driving down the street could be gathering information about your network -This is called Wardriving -It is where you have a Wi-Fi monitoring system, a GPS, and you're using some type of system to get around and gather information about all of the wireless networks that are out there in the world • Since you're in a vehicle, you can gather a lot of information across a very large area in a relatively short period of time -You can passively begin monitoring what wireless networks may be between home and work, and you can examine those results to see exactly what networks may be out there • There are plenty of ways to gather this information for free -There are utilities that you can download and put onto a laptop or a mobile device -And a lot of this information can be consolidated in centralized databases -Utilities such as Kismet, inSSIDer and Wireless Geographic Logging Engine (http://wigle.net) • People have extended wardriving by putting monitoring systems on bicycles or even on drones that can fly over very large areas -Warflying(Drones) , warbiking (Bicycles)
Incorrect antenna placement (Wireless Network Troubleshooting)
• You might also want to make sure that you're putting these antennas in the right place -If you put access points too close to each other, you may find that those frequencies will interfere with each other -Overlapping channels • Or if the antennas are too far away from your users and there's other electrical devices causing interference, then you may find there's slower throughput than what's expected -Data fighting to be heard through the interference • You might also want to check all of your access points to see if they're using the frequencies and the channels that you're expecting -You want to be sure you have the best coverage for your network, but you also want to be sure that you don't have any conflicts with any of those channels -Check access point locations and channel settings -A challenge for 2.4 GHz -Much easier for 5 GHz
Cable crimper (Hardware Tools)
• You're going to need a good set of crimpers -It allows you to fasten the RJ45 connector to the end of the wire -It "pinches" the connector onto the wire -Some crimpers also provide other connections so you can crimp RJ11 or coax connections on this same crimping device -e.g. Coaxial, twisted pair, fiber • It is really useful if you're running your own cable -You can cut cable exactly to the length you need, and then put your own connectors onto the end of those cables -This is the final step of a cable installation • The crimper pushes these sharp metal prongs that are on the inside of the RJ45 connector into the insulation that's around each individual wire -It's also pushing a connection in on the back of the RJ45 connector that fastens it securely to the outside of the cable sheath -The metal prongs are pushed through the insulation -The plug is also permanently pressed onto the cable sheath to hold it in place
PAN - Personal Area Network (Common Network Types)
• Your own private network connecting to devices using bluetooth, IR, NFC • Common to connect within an automobile -For audio output -A phone can be integrated into your car • Can connect your mobile phone to a wireless headset or earpiece • Can connect health monitoring devices such as workout telemetry and be able to get daily reports
CIDR-block notation to decimal example 2 (IPv4 Subnet Masks)
• e.g. -Convert to decimal notation : /20 -Write in binary form : 11111111.11111111.11110000.00000000 -Equals to 20 ones, 12 zeros -Subnet mask is 255.255.240.0 -Network = 20 bits -Host = 12 bits
Seven second subnetting example 3 (Seven Second Subnetting)
• e.g. -IP 165.245.12.88/26 1) Convert address and mask to decimal -IP Address = 165.245.12.88 -We convert /26 to 255.255.255.192; /26 is in the 4th column of the chart, so it falls into that octet 2) Calculate the network address: -If the mask is 255, bring down the address -If the mask is 0, use the 0 -For any other number, refer to the chart Network address = 165.245.12.64 3) Calculate the broadcast address: -If the mask is 255, bring down the address -If the mask is 0, use 255 -For any other number, refer to the chart Broadcast address = 165.245.12.127 4) Find first IP and Last IP -First IP is network address + 1 -Last IP is broadcast address -1 First IP = 165.245.12.65 Last IP = 165.245.12.126
Seven second subnetting example 2 (Seven Second Subnetting)
• e.g. -IP address 165.245.12.88/24 1) Convert the address and mask to decimal -IP Address = 165.245.12.88 -We convert /24 to 255.255.255.0; /24 is in the 3rd column of the chart, so it falls into that octet 2) Calculating the network address: -If the mask is 255, bring down the address -If the mask is 0, use the 0 Network address = 165.245.12.0 3) Calculating the broadcast address: -If the mask is 255, bring down the address -If the mask is 0, use 255 Broadcast address = 165.245.12.255 4) Find first IP and Last IP -First IP is network address + 1 -Last IP is broadcast address -1 First IP = 165.245.12.1 Last IP = 165.245.12.254
DHCP Lease Process (Configuring DHCP)
• e.g. : Lease Time : 8 days • Renewal Timer (T1) : 4 days (50%) -It will try to perform a renewal timer after four days -The T1 timer, by default, is 50% -If the process is successful, the timer is reset and begins the countdown again • Rebinding Timer (T2) 7 days (87.5%) -It will try to rebind or use the T2 timer after seven days if the original DHCP server is no longer available -it will try to rebind itself with some remaining DHCP server on the network -If the process is successful, the timer is reset and begins the countdown again
Binary to CIDR-Block notation example 5 (IPv4 Subnet Masks)
• e.g.: -Convert to CIDR block notation : 11111111.11111111.11100000.00000000 • The ones add up to 8 + 8 + 3 + 0 -Dotted decimal = 255.255.224.0 (subnet mask) -This is a /19 CIDR notation -Network = 19 bits -Host = 13 bits
CIDR-block notation to decimal example 1 (IPv4 Subnet Masks)
• e.g.: -Convert to decimal notation : /26 -Write in binary form : 11111111.11111111.11111111.11000000 -Equals to 26 ones, 6 zeros -Subnet mask is 255.255.255.192 -Network = 26 bits -Host = 6 bits
Subnet masks and subnets patterns (Seven Second Subnetting)
• e.g.: -Network 192.168.1.X • Subnet 255.255.255.0 = 1 subnet -Ranges from 0 - 255 • Subnet 255.255.255.128 = 2 subnets -Ranges from 0 - 127 , 128 - 255 • Subnet 255.255.255.192 = 4 subnets -Ranges from 0 - 63 , 64 - 127 , 128 - 191 , 192 - 255 • Subnet 255.255.255.224 = 8 subnets -Ranges from 0 - 31 , 32 - 63 , 64 - 95 , 96 - 127 , 128 - 159 , 160 - 191 , 192 - 223 , 224 - 255 • Each subnet is cut in half (and the number of subnets doubles) every time a bit is borrowed
Binary to CIDR-Block notation example 3 (IPv4 Subnet Masks)
• e.g.: 11111111.11110000.00000000.00000000 • Add up the number of 1's in the subnet mask -This is 8 + 4 + 0 + 0 • This equals /12 subnet mask -Network is going to be 12 bits long -Host is going to be 20 bits long
Binary to CIDR-Block notation example 2 (IPv4 Subnet Masks)
• e.g.: 11111111.11111111.11111111.11000000 • Add up the number of 1's in the subnet mask - This is 8 + 8 + 8 + 2 • This equals /26 subnet mask -Network is going to be 26 bits long -Host is going to be 6 bits long
Binary to CIDR-Block notation example 4 (IPv4 Subnet Masks)
• e.g.: -Convert to CIDR block notation : 11111111.11110000.00000000.00000000 • The ones add up to 8 + 4 + 0 + 0 -Dotted decimal = 255.240.0.0 (subnet mask) -This is a /12 CIDR notation -Network = 12 bits -Host = 20 bits
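The conversions and the four-step network/broadcast/first/last calculation that the subnetting examples above work by hand, done with bit arithmetic. This is an added example, not code from the original page; the sample addresses are the page's own exercises. It also goes a little beyond the worked examples: it rejects a mask whose one bits are not contiguous (a case the "count the ones" shortcut gets wrong) and handles /31 and /32, which have no separate network and broadcast addresses.

```python
"""CIDR <-> dotted-decimal conversion and the network / broadcast / first /
last host calculation, with bit arithmetic instead of the chart.
Added example, not from the original page; the addresses in the usage
section are the page's own subnetting exercises."""

ALL_ONES = 0xFFFFFFFF


def dotted_to_int(addr):
    """'165.245.12.88' -> 32-bit integer, validating each octet."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 dotted-decimal value: {addr}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_to_mask(prefix):
    """/20 -> '255.255.240.0': the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_dotted((ALL_ONES << (32 - prefix)) & ALL_ONES)


def mask_to_cidr(mask):
    """'255.255.224.0' -> 19.  Counting the ones is only half the job: a value
    like 255.255.0.255 also has 24 ones but is not a valid mask, so anything
    whose ones are not contiguous from the left is rejected."""
    bits = dotted_to_int(mask)
    ones = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"{mask} is not a subnet mask: its one bits are not contiguous")
    return ones


def subnet_info(cidr):
    """'165.245.12.88/26' -> mask, network, broadcast, first and last host."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = dotted_to_int(cidr_to_mask(prefix))
    network = dotted_to_int(addr) & mask         # keep the network bits, clear the host bits
    broadcast = network | (~mask & ALL_ONES)     # set every host bit
    if prefix >= 31:
        # /31 point-to-point links (RFC 3021) and /32 host routes have no
        # separate network and broadcast addresses, so every address is usable
        first, last = network, broadcast
    else:
        first, last = network + 1, broadcast - 1
    return {
        "mask": int_to_dotted(mask),
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "first": int_to_dotted(first),
        "last": int_to_dotted(last),
        "hosts": last - first + 1,
    }


def subnet_ranges(mask):
    """255.255.255.224 -> the eight last-octet ranges 0-31, 32-63, ... 224-255.
    Each borrowed bit halves the block size and doubles the subnet count."""
    prefix = mask_to_cidr(mask)
    if prefix < 24:
        raise ValueError("this helper only splits the last octet (masks of /24 or longer)")
    block = 2 ** (32 - prefix)
    return [(start, start + block - 1) for start in range(0, 256, block)]


if __name__ == "__main__":
    print(cidr_to_mask(20), cidr_to_mask(26))                   # 255.255.240.0 255.255.255.192
    print(mask_to_cidr("255.255.224.0"), mask_to_cidr("255.240.0.0"))  # 19 12
    print(subnet_info("165.245.12.88/26"))
    print(subnet_ranges("255.255.255.224"))
```

The AND-with-the-mask and OR-with-the-inverted-mask steps are exactly what "bring down the address / use 0 / use 255" encode for the all-ones and all-zeros octets; the chart in the seven-second method is just the precomputed result of those two operations for the one mixed octet.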
Fibre Channel (FC) (Network Storage)
• A popular type of storage area network is Fibre Channel, or FC -A specialized high-speed topology built specifically for storage area networks -Built to connect servers directly to storage devices -It can support 2, 4, 8, and 16 gigabit per second rates -This traffic is supported over both fiber and copper connections • To use a Fibre Channel topology, the servers and the storage connect to a Fibre Channel switch -A server (the initiator) needs an FC interface -The storage (the target) is commonly referenced with SCSI, SAS, or SATA commands that are carried over the SAN
Duplex/speed match (Wired Network Troubleshooting)
• Revisiting the speed and duplex settings for an ethernet connection -Ethernet speed can be set to 10Mbps / 100Mbps / 1000Mbps / or set to Auto -An interface can be configured for half duplex / full duplex / or set to Auto • In many environments, the switch is configured to automatically negotiate the speed when a device is connected to it -But if there's a problem with the wiring of the cable, or the end device is manually configured for 100 megabit, you may find that it's not the fast gigabit connection that you were expecting -Less than expected throughput • Duplex, of course, is also automatically negotiated between the switch and the device that's connecting -And again, it needs to match on both sides of that connection -If there's a mismatch, there'll be a significant slowdown -Often, we'll perform a bandwidth test to see exactly the throughput we're getting through that connection, and that might indicate that we have a duplex mismatch -You might also want to look at the ethernet statistics on that adapter and see if late collisions happen to be increasing -That may be another indication that there is a duplex mismatch -So check the ethernet connections on both sides to see what both the speed and the duplex are set to
POP3 - Post Office Protocol v3 (Common Ports)
• tcp_110 • Receives emails from an email server • Authenticates and transfers • Contains basic mail transfer functionality
IMAP4 - Internet Message Access Protocol v4 (Common Ports)
• tcp_143 • Commonly used by the mobile devices in use today • Manages an email inbox from multiple clients • A newer mail client protocol than POP3
H.323 - Voice over IP (VoIP) signaling (Common Ports)
• tcp_1720 • ITU Telecommunication H.32x protocol series • Setups and manages VoIP sessions -Sets up the call, Rings the call on the other end, & Hangs up the call when the call is over • One of the earliest VoIP standards -Still in use today
FTP - File Transfer Protocol (Common Ports)
• tcp_20 (active mode data transfer) • tcp_21 (control) • Used to transfer files between systems • Uses username & password for authentication • Contains full-featured functionality (can list, add, rename, delete, etc.)
SFTP - Secure FTP (Common Ports)
• tcp_22 • Uses the SSH Protocol -Provides file system functionality -Encrypted communication (using SSH) • Has a full feature transfer protocol -Can resume interrupted transfers, provide directory listings, remote file removals, etc.
Telnet - Telecommunication Network (Common Ports)
• tcp_23 • Used for logging into devices remotely • Text-based console access • In-the-clear communication (non-encrypted) -Not the best choice for production systems
SMTP - Simple Mail Transfer Protocol (Common Ports)
• tcp_25 • Does server to server email transfer -Also used to send mail from a device to a mail server • It's commonly configured on mobile devices and email clients • Other protocols that clients use to receive email are IMAP and POP3
RDP - Remote Desktop Protocol (Common Ports)
• tcp_3389 • The ability to access/share a desktop from a remote location • Remote Desktop Services is available on many Windows versions • You can connect to an entire desktop or just an application • Remote desktop clients are available for Windows, MacOS, Linux, iPhone, and others
LDAP (Lightweight Directory Access Protocol) (Common Ports)
• tcp_389 • Stores and retrieves information in a network directory • Communicates with network directories
HTTPS - Hypertext Transfer Protocol Secure (Common Ports)
• tcp_443 • Web server communication with encryption -And by other applications • An encrypted protocol -Supported by nearly all web servers and clients
SMB - Server Message Block (Common Ports)
• tcp_445 • A protocol used by Microsoft Windows -Windows uses this protocol for file sharing and printer sharing between its systems -Also called CIFS (Common Internet File System) • Direct over tcp (NetBIOS-less) -Direct SMB communication over TCP without the NetBIOS transport -Can send SMB communication between devices using the IP protocol
LDAPS - LDAP Secure (Common Ports)
• tcp_636 • A non-standard implementation of LDAP over SSL
HTTP - HyperText Transfer Protocol (Common Ports)
• tcp_80 • Used for web server communication -And by other applications • In the clear communication (no encryption) -Supported by nearly all web servers and clients
NTP - Network Time Protocol (Common Ports)
• udp_123 • Every device (switches, routers, firewalls, servers, workstations, etc...) has its own clock • Synchronization of device clocks is critical -It is needed to show the correct time for log file information -Authentication information needs the time to be well synced to authenticate to each other -Allows for outage details to show the correct time • Automatically updates to the proper time and date -No flashing "12:00" lights like a VCR • It is flexible - You (as an administrator) can control how clocks are updated • This is a very accurate way of synchronizing device clocks -The accuracy is better than 1 millisecond on a local network with all devices
SNMP - Simple Network Management Protocol (Common Ports)
• udp_161 • Used to gather device statistics from networked devices • SNMP_v1 -The original -Used a set of structured tables -Information was sent/received through in-the-clear communication (no encryption) • SNMP_v2 -A good step ahead -Allowed data type enhancements & bulk transfers of data -Information was still sent/received through in-the-clear communication (no encryption) • SNMP_v3 -The new standard -Provides message integrity, authentication, & encryption -Information was sent/received with encryption
DNS - Domain Name System (Common Ports)
• udp_53 • Converts names to IP addresses -e.g: the name www.professormesser.com would convert to the IP address 162.159.246.164 • This is a very critical resource -DNS makes it easier to remember a domain name instead of an IP address -There are usually multiple DNS servers in production
DHCP - Dynamic Host Configuration Protocol (Common Ports)
• udp_67 • udp_68 • Automates the configuration of IP address, subnet mask and other options • This protocol requires a DHCP server -Can be a standalone server, an appliance, or integrated into a SOHO router, etc... • Dynamic IP addresses are assigned based on the pool availability -IP addresses are assigned in real-time from a pool -Each device is given a lease on the assigned IP -The IP lease is renewed at set intervals • DHCP Reservations -This is where IP addresses can be reserved -Addresses can be assigned/reserved by MAC address (such as for servers and other infrastructure devices that require a fixed address) -IP addresses can be quickly managed from one location
TFTP - Trivial File Transfer Protocol (Common Ports)
• udp_69 • Very simple file transfer application -Read files and write files • Has no authentication • Contains no encryption -Not used on production systems
Name Server Records (NS) (DNS Record Types)
• Many DNS zones also contain configuration details for the name servers that serve the domain -These are NS records, or Name Server Records • List the name servers for a domain -NS records point to the name of the server, not its address • The format of a Name Server Record specifies the class of the record, which is internet (IN) -Then the record type, NS -And then the name of the name server •Later in the configuration, you can find A, or Address Records, that associate the name of the name server with a specific IP address *see image for example*
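Pulling the NS records out of a zone and matching each name server to the A record that gives it an address, as the text above describes, as an added example that is not from the original page: the zone is constructed (example.com with 192.0.2.0/24 documentation addresses, one name server deliberately left without an A record), and the parser only understands the one-record-per-line shape used in it.

```python
"""Reading NS records out of a zone and resolving the name-server names to the
A records that appear later in the same zone.  Added example, not from the
original page: the zone is constructed and the parser handles only the
name / [TTL] / [class] / type / rdata line shape used in it."""

# Constructed zone.  ns3 is listed as a name server but has no A record,
# which is exactly the kind of gap an audit of the zone should report.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@      IN  SOA  ns1.example.com. hostmaster.example.com. (2024030401 7200 900 1209600 3600)
@      IN  NS   ns1.example.com.
@      IN  NS   ns2.example.com.
@      IN  NS   ns3
; address records that associate the name-server names with IPs
ns1    IN  A    192.0.2.1
ns2    IN  A    192.0.2.2
www    IN  A    192.0.2.10
"""


def fqdn(name, origin):
    """Zone-file name -> fully qualified name: '@' is the origin, a trailing
    dot means the name is already absolute, anything else is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner, type, rdata_fields), ...]).
    Handles $ORIGIN, $TTL, comments and the optional TTL and class columns;
    it does not handle multi-line records or blank-owner continuation lines."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        owner, rest = fqdn(fields[0], origin), fields[1:]
        if rest and rest[0].isdigit():          # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), rest[1:]))
    return origin, records


def name_servers(text):
    """{name-server FQDN: address or None} for the zone's own NS records.
    None means the NS record names a server the zone gives no A record for."""
    origin, records = parse_zone(text)
    addresses = {owner: rdata[0] for owner, rtype, rdata in records if rtype == "A"}
    result = {}
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner == origin:
            ns = fqdn(rdata[0], origin)       # NS rdata is a name, never an IP
            result[ns] = addresses.get(ns)
    return result


def missing_addresses(text):
    """Name servers listed in NS records that have no A record in this zone."""
    return sorted(ns for ns, ip in name_servers(text).items() if ip is None)


if __name__ == "__main__":
    for ns, ip in name_servers(SAMPLE_ZONE).items():
        print(f"{ns:20} {ip or 'NO A RECORD'}")
```

Because an NS record carries a name rather than an address, a resolver has to look that name up in turn; when the name server sits inside the zone it serves, the parent zone must also hold matching glue A records, which a check of this zone alone cannot confirm.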