CISSP, Secure Network Architecture and Components


Lightweight Extensible Authentication Protocol (LEAP)

A Cisco proprietary alternative to TKIP for WPA. Developed to address deficiencies in TKIP before the 802.11i/WPA2 system was ratified as a standard.

Bluesmacking

A DoS attack against a Bluetooth device that can be accomplished through transmission of garbage traffic or signal jamming.

Fat access point

A base station that is a fully managed wireless system, which operates as a standalone wireless solution.

Distributed Network Protocol 3 (DNP3)

A communications protocol designed for use in SCADA systems, particularly those within the power sector, that does not include routing functionality.

Network Access Control (NAC)

A concept of controlling access to an environment through strict adherence to and enforcement of a security policy. The goals of this concept are to prevent/reduce zero-day attacks, enforce security policy compliance throughout the network, and use identities to perform access control.

Extranet

A cross between the internet and an intranet; a section of an organization's network that has been sectioned off so that it acts as an intranet for the private network but also serves information to outsiders or external entities. Often reserved for use by specific partners, suppliers, distributors, remote salesforce, or select customers.

Signal Protocol

A cryptographic secure communication protocol that provides end-to-end encryption for voice communications, videoconferencing, and text message services. It is nonfederated and is a core element in the messaging app named Signal.

Sensor

A device that collects information and then transmits it back to a central system for storage and analysis.

Web security gateway

A device that is a web-content filter that also supports malware scanning.

Switch

A device that manages the transmission of frames via MAC address. Can create separate broadcast domains when used to create VLANs. Operates primarily at layer 2 but can operate at layer 3 with special features (such as routing among VLANs).

Bridge

A device used to connect two networks together - even networks of different topologies, cabling types, and speeds - in order to connect network segments that use the same protocol. Operate at OSI layer 2. Were used primarily to connect hub networks together and thus have mostly been replaced by switches.

Router

A device used to control traffic flow on networks. Often used to connect similar networks and control traffic flow between the two. Manage traffic based on logical IP addressing. Operate at OSI layer 3.

Wireless heat map

A diagram showing the wireless signal strength in a structure/building.

Internal Segmentation Firewall (ISFW)

A firewall deployed between internal network segments or company divisions. Its purpose is to prevent the further spread of malicious code or harmful protocols already within the private network.

Stateless Firewall

A firewall that analyzes packets on an individual basis against the filtering ACLs or rules. The context of the communication (any previous packets) is not used to make an allow or deny decision on the current packet.

Stateful Inspection Firewall

A firewall that evaluates the state, session, or context of network traffic.

Application-level Firewall

A firewall that filters traffic based on a single internet service, protocol, or application. Operates at OSI layer 7. One example is the Web Application Firewall (WAF).

Static Packet-Filtering Firewall

A firewall that filters traffic by examining data from a message header. Usually the rules are concerned with source, destination, and port addresses. Also known as a screening router.

Screened host

A firewall-protected system logically positioned just inside a network segment. All inbound traffic is routed to the screened host, which in turn acts as a proxy for all the trusted systems within the private network. It filters incoming traffic and protects the internal system's identity.

Fibre Channel over Ethernet (FCoE)

A form of network data-storage solution (SAN or network-attached storage [NAS]) that allows for high-speed file transfers upward of 128 Gbps. Operates at layer 2. Designed to be operated over fiber-optic cables. Used to encapsulate Fibre Channel communications over Ethernet networks.

Wireless site survey

A formal assessment of wireless signal strength, quality, and interference using an RF signal detector. Performed by placing a wireless base station in a desired location and then collecting signal measurements from throughout the area.

Broadcast domain

A group of networked systems in which all other members receive a broadcast signal when one of the members of the group transmits it. Solved by using any layer 3 or higher device.

Multiprotocol Label Switching (MPLS)

A high-throughput, high-performance network technology that directs data across a network based on short path labels rather than longer network addresses. Saves significant time over traditional IP-based routing processes, which can be quite complex. Designed to handle a wide range of protocols through encapsulation so the network is not limited to TCP/IP and compatible protocols.

Wireless MAC filter

A list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all nonauthorized devices. Can be used on a WAP to limit or restrict access to only known and approved devices. Though potentially useful, it can be difficult to manage and tends to be used only in small, static environments.

ARP cache poisoning

A man-in-the-middle attack, where the attacker associates his MAC address with someone else's IP address (almost always the router), so all traffic will be sent to him first. The attacker sends out unsolicited ARPs, which can either be requests or replies.

Internet Group Management Protocol (IGMP)

A multicast protocol used between clients and routers to let routers know which of their interfaces has a multicast receiver attached.

Next-Generation Firewall

A multifunction device (MFD) or a unified threat management (UTM) system composed of several security features in addition to a firewall; integrated components can include application filtering, DPI, TLS offloading and/or inspection, domain name and URL filtering, IDS, IPS, web content filtering, QoS management, bandwidth throttling/management, NAT, VPN anchoring, authentication services, and more.

Ring topology

A network configuration in which all nodes are connected in a closed loop. Traffic management is performed by a token, which is a digital hall pass that travels around the ring until a system grabs it.

Mesh topology

A network configuration that connects systems to each other using numerous paths.

Star topology

A network configuration that employs a centralized connection device to which all systems are connected.

Bus topology

A network layout in which there is one main trunk, or backbone, that all the various computers and network devices are connected to.

Virtual SAN (VSAN)

A network technology that bypasses the complexities of a traditional SAN using virtualization.

Internet Small Computer System Interface (iSCSI)

A networking storage standard based on IP that operates at layer 3. This technology can be used to enable location-independent file storage, transmission, and retrieval over LAN, WAN, or public internet connections. iSCSI is often viewed as a low-cost alternative to Fibre Channel.

Intranet

A private network that is often designed to privately host information services similar to those found on the internet.

Secure Real-time Transport Protocol (SRTP)

A protocol for providing protection for Voice over IP (VoIP) communications. Takes over after Session Initiation Protocol (SIP) establishes the communication link between endpoints.

Address Resolution Protocol (ARP)

A protocol in the TCP/IP suite used to resolve IP addresses into MAC addresses.

Protected Extensible Authentication Protocol (PEAP)

A protocol that encapsulates methods within a TLS tunnel that provides authentication and potentially encryption (EAP was originally designed to be used without encryption since it assumed secure pathways would exist over physically isolated channels).

Internet Control Message Protocol (ICMP)

A protocol used to determine the health of a network or a specific link. Utilized by ping, traceroute, and other network management tools.

Spread spectrum

A radio communications frequency whereby communication occurs over multiple frequencies.

Jumpbox

A remote access system deployed to make accessing a specific system or network easier or more secure.

Link state routing protocol

A routing protocol that gathers router characteristics, such as speed, latency, error rates, and actual monetary cost for use.

Distance vector routing protocol

A routing protocol that maintains a list of destination networks along with metrics of direction and distance as measured in hops (in other words, the number of routers to cross to reach the destination).

Storage Area Network (SAN)

A secondary network (distinct from the primary communications network) used to consolidate and manage various storage devices into a single consolidated network-accessible storage container. Often used to enhance networked storage devices such as hard drives, drive arrays, optical jukeboxes, and tape libraries so they can be made to appear to servers as if they were local storage.

Transport Layer Security (TLS)

A secure communication protocol that operates at OSI layer 4 (by encrypting the payload of TCP communications). Though it is primarily known for encrypting web communications as HTTPS, it can encrypt any Application layer protocol. Replaced SSL.

Secure Remote Procedure Call (S-RPC)

A secure communication protocol that is an authentication service for cross-network service communications and is simply a means to prevent unauthorized execution of code on remote systems.

Kerberos

A secure communication protocol that offers a single sign-on solution for users and provides protection for login credentials.

Secure Shell (SSH)

A secure communication protocol that uses end-to-end encryption for numerous plaintext utilities, serves as a protocol encrypter (such as with SFTP), and functions as a transport mode VPN.

Internet Protocol Security (IPsec)

A secure communication protocol that uses public key cryptography to provide encryption, access control, nonrepudiation, and message authentication, all using IP-based protocols. Primary use of this protocol is for VPNs, so it can operate in either transport or tunnel mode. Used as an add-on for IPv4 and integrated into IPv6.

Host-based firewall

A security application that is installed on client systems that provides protection for the local system from the activities of the user and from communications from the network or internet.

Wi-Fi Protected Setup (WPS)

A security standard for wireless networks. It is intended to simplify the effort involved in adding new clients to a well-secured wireless network. It operates by autoconnecting the first new wireless client to seek the network once the administrator has triggered the feature by pressing the WPS button on the base station. It's important to disable it as part of a security-focused predeployment process for wireless networks.

Out-of-band pathway

A separate network segment for creating a separate and distinct network structure for traffic that would otherwise interfere with the production network or may itself be put at risk if placed on the production network.

Primary authoritative name server

A server that hosts the original editable zone file for the domain.

Rogue DNS Server

A server that listens in on network traffic for any DNS query or specific DNS queries related to a target site, then sends a DNS response to the client with false IP information.

Secondary authoritative name server

A server used to host read-only copies of the editable zone for the domain.

Screened subnet

A special purpose extranet that is designed specifically for low-trust and unknown users to access specific systems, such as the public accessing a web server. Can be implemented with two firewalls or one multihomed firewall.

Forward proxy

A standard or common proxy that acts as an intermediary for queries of external resources. Handles queries from internal clients when accessing outside services.

802.1X/EAP

A standard port-based network access control that ensures that clients cannot communicate with a resource until proper authentication has taken place. It is a handoff system that allows the wireless network to leverage the existing network infrastructure's authentication services.

Near-field communication (NFC)

A standard that establishes radio communications between devices in close proximity (like a few inches versus feet for passive RFID). It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within centimeters of one another.

Domain Name System Security Extensions (DNSSEC)

A suite of extensions that adds security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. It provides origin authority, data integrity, and authenticated denial of existence.

DNS over HTTPS (DoH)

A system for secure DNS that creates an encrypted session with a DNS server over TLS-protected HTTP and then uses that session as a form of VPN to protect the DNS query and response.

Bastion host

A system specifically designed to withstand attacks, such as a firewall appliance.

LiFi

A technology for wireless communications using light used to transmit both data and position information between devices.

Radio Frequency Identification (RFID)

A tracking technology based on the ability to power a radio transmitter using current generated in an antenna when placed in a magnetic field.

Voice over IP (VoIP)

A tunneling mechanism that encapsulates audio, video, and other data into IP packets to support voice calls and multimedia collaboration.

Omnidirectional antenna

A type of antenna found on most wireless base stations and client devices.

Aggregator

A type of multiplexor. Numerous inputs are received or directed or transmitted to a single destination. MPLS is an example. Some IDSs/IPSs use these to collect or receive input from numerous sensors and collectors to integrate the data into a single data stream for analysis and processing.

Replay attack

A type of network attack where an attacker retransmits captured communications in the hope of gaining access to the targeted system.

Software-defined networking (SDN)

A unique approach to network operation, design, and management. Instead of traditional networking equipment such as routers and switches, an SDN provides the option to handle traffic routing using simpler network devices that accept instructions from the SDN controller. Frees an organization from having to purchase devices from a single vendor. It is effectively network virtualization.

Enterprise extended mode

A variant of wireless infrastructure mode where multiple WAPs are used to connect a large physical area to the same wired network. Each WAP will use the same extended service set identifier (ESSID) so that clients can roam the area while maintaining network connectivity, even while their wireless NICs change associations from one WAP to another.

Wired extension mode

A variant of wireless infrastructure mode where the WAP acts as a connection point to link the wireless clients to the wired network.

Bridge mode

A variant of wireless infrastructure mode where wireless connection is used to link two wired networks.

Standalone mode

A variant of wireless infrastructure mode which specifies that there is an access point connecting wireless clients to one another but not to any wired resources (thus, the WAP is on its own).

Proxy server

A variation of an application-level firewall or circuit-level firewall. Used to mediate between clients and servers. Most often used to provide clients on a private network with internet access while protecting the identity of the clients.

Next-Generation Secure Web Gateway (NGSWG)

A variation of and combination of the ideas of a NGFW and a WAF. An SWG is a cloud-based web gateway solution that provides ongoing updates to filters and detection databases.

Classless Inter-Domain Routing (CIDR)

A way of allocating IP addresses and routing Internet Protocol packets. It was intended to replace the prior classful IP addressing architecture in an attempt to slow the exhaustion of IPv4 addresses.

Open system authentication (OSA)

A wireless authentication technology where no real authentication is required. As long as a radio signal can be transmitted between the client and WAP, communications are allowed. These networks typically transmit everything in plaintext.

Shared Key Authentication (SKA)

A wireless authentication technology where some form of authentication must take place before network communications can occur. The 802.11 standard defines one optional technique for SKA known as Wired Equivalent Privacy (WEP). Later amendments added WPA, WPA2, WPA3, and other technologies.

Infrastructure mode

A wireless network mode where a wireless access point (WAP) is required and restrictions for wireless network access are enforced. Includes several variations, including standalone, wired extension, enterprise extended, and bridge.

Ad-hoc mode

A wireless network mode where any two wireless networking devices can communicate without a centralized control authority (i.e., a base station or access point).

Virtual eXtensible LAN (VXLAN)

An encapsulation protocol that enables VLANs to be stretched across subnets and geographic distances.

Service Set Identifier (SSID)

An ID assigned to wireless networks to differentiate them from each other.

Wired Equivalent Privacy (WEP)

An IEEE 802.11 security protocol designed to ensure that only authorized parties can view transmitted wireless information. WEP has significant vulnerabilities and is not considered secure.

Loopback address

An IP address that indicates your own computer and is used to test TCP/IP configuration on the computer. It is any address in the class A subnet of 127.0.0.1-127.255.255.254, even though only the address of 127.0.0.1 is typically used.

Thin access point

An access point with limited functionality. It is little more than a wireless transmitter/receiver, which must be managed from a separate external centralized management console called a wireless controller.

TCP Wrapper

An application that can serve as a basic firewall by restricting access based on user IDs or system IDs.

Evil twin

An attack in which a hacker operates a false access point that will automatically clone, or twin, the identity of an access point based on a client device's request to connect.

Disassociation attack

An attack that removes wireless clients from a wireless network.

Bluejacking

An attack that sends unsolicited messages to Bluetooth-enabled devices.

Extensible Authentication Protocol (EAP)

An authentication framework that allows for new authentication technologies to be compatible with existing wireless or point-to-point connection technologies.

Captive portal

An authentication technique that redirects a newly connected client to a web-based portal access control page. May require the user to input payment information, provide logon credentials, or input an access code. Most often located on wireless networks implemented for public use.

Remotely Triggered Black Hole (RTBH)

An edge filtering concept to discard unwanted traffic based on source or destination address long before it reaches the destination.

Firewall

An essential hardware or software component designed to protect one network segment from another. Deployed between areas of higher and lower trust, like a private network and public network, or between network segments with different security levels/domains/classifications.

Software-defined wide-area networks (SDWAN)

An evolution of SDN that can be used to manage the connectivity and control services between distant data centers, remote locations, and cloud services over WAN links.

Path vector routing protocol

An exterior routing protocol that makes next hop decisions based on the entire remaining path to the destination. This is distinct from interior routing protocols, which make next hop decisions based solely on information related to that next immediate hop. BGP is the primary example.

System on a Chip (SoC)

An integrated circuit or chip that has all of the elements of a computer integrated into a single chip. Often includes the main CPU, RAM, a GPU, Wi-Fi, wired network, peripheral interfaces (such as USB), and power management.

Wi-Fi Direct

An upgraded version of ad hoc mode that can support WPA2 and WPA3 (ad hoc only supported WEP).

War driving

A wireless attack whereby someone uses a detection tool to look for wireless networking signals, often ones they aren't authorized to access.

Software-defined Storage (SDS)

Another derivative of SDN. A storage management and provisioning solution that is policy driven and is independent of the actual underlying storage hardware. It is effectively virtual storage.

Collector

Any system that gathers data into a log or record file.

OSI Reference Model

Application, Presentation, Session, Transport, Network, Data Link, Physical

Benefits of microsegmentation

BOOSTING PERFORMANCE: network segmentation can improve performance through an organizational scheme in which systems that often communicate are located in the same segment.
REDUCING COMMUNICATION PROBLEMS: network segmentation often reduces congestion and contains communication problems, such as broadcast storms.
PROVIDING SECURITY: network segmentation can also improve security by isolating traffic and user access to those segments where they are authorized.

Bluesniffing

Bluetooth-focused network packet capturing.

IP classes

Class A range: 1-126, subnet mask: 255.0.0.0. Private: 10.x.x.x
Class B range: 128-191, subnet mask: 255.0.0.0. Private: 172.16.0.0 - 172.31.255.255
Class C range: 192-223, subnet mask: 255.255.255.0. Private: 192.168.x.x
Loopback is 127.0.0.1
APIPA is 169.254.x.x (also known as link-local)
CIDR: Classless Inter-Domain Routing addresses use a prefix (example: 10.150.23.58/24). The /24 indicates a subnet mask of 255.255.255.0

Socket

Combination of an IP address and a port number.

Asynchronous communications

Communications that rely on a stop and start delimiter bit to manage the transmission of data. Best suited for smaller amounts of data.

Synchronous communications

Communications that rely on a timing or clocking mechanism based on either an independent clock or a time stamp embedded in the data stream.

TCP/IP Model

Consists of only four layers, as opposed to the seven layers of the OSI model: Application (Process), Transport (Host to Host), Internet (Internetworking), Link (Network Interface and Network Access). Platform independent but relatively easy to hack because it wasn't designed for security.

North-south traffic

Directional term referring to the traffic flow occurring inbound or outbound between internal and external systems.

East-west traffic

Directional term referring to the traffic flow occurring within a specific network, data center, or cloud environment.

Circuit-Level Firewalls

Firewalls that are used to establish communication sessions between trusted partners. Focus on establishment of the circuit (or session) - not the content of the traffic - based on simple rules for IP and port. A type of stateless firewall.

OSI vs TCP/IP

Generally the same, but TCP/IP combines OSI layers 5-7 into a single Application layer.

Bluebugging

Grants an attacker remote control over the hardware and software of your devices over a Bluetooth connection.

Protocol analyzer

Hardware or software that captures packets to decode and analyze their contents. Also called a sniffer, network evaluator, network analyzer, traffic monitor, or packet-capturing utility.

Beacon frame

In the context of wireless networking, a frame issued by an access point to alert other nodes of its existence.

Physical layer

Layer 1 - converts a frame into bits for transmission over the physical connection medium, and vice versa for receiving communications. Network hardware devices functioning at this layer are NICs, hubs, repeaters, concentrators, and amplifiers.

Data Link Layer

Layer 2 - responsible for formatting the packet for transmission. Format is determined by hardware, topology, and technology of the network, such as Ethernet (IEEE 802.3). Switches function at this layer.

Network layer

Layer 3 - responsible for logical addressing and routing. Packet header includes the source and destination IP addresses.

Transport layer

Layer 4 - responsible for managing integrity of a connection and controlling the session. Establishes communications between nodes and defines the rules of a session. Includes mechanisms for segmentation, sequencing, error checking, controlling the flow of data, error correction, multiplexing, and network service optimization. TCP, UDP, and TLS operate in this layer.

Session layer

Layer 5 - responsible for establishing, maintaining, and terminating communication sessions between two computers. Manages dialog discipline/control (simplex, half-duplex, full-duplex), and retransmits PDUs that have failed or have been lost.

Presentation layer

Layer 6 - responsible for transforming data into a format that any system following the OSI model can understand. Encryption and compression.

Application layer

Layer 7 - responsible for interfacing user applications, network services, or the OS with the protocol stack.

Benefits of a thin access point

Management, security, routing, filtering, and more are centralized at a management console, whereas numerous thin access points simply handle the radio signals.

Packet

Name of the network container for layer 3 (network layer)

Segment

Name of the network container for layer 4 (transport layer)

Protocol Data Unit (PDU)

Name of the network container for layers 5, 6, and 7.

Frame

Name of the network container for layer 2 (data link layer)

Deencapsulation

On a computer that receives data over a network, the process in which the device interprets the lower-layer headers and, when finished with each header, removes the header, revealing the next-higher-layer PDU.

TCP Port 80

Port used for HTTP (cleartext)

TCP Port 443

Port used for HTTPS (TLS-encrypted version of HTTP). HTTPS with TLS does support TCP port 80 but only for server-to-server communications.

TCP Port 143

Port used for IMAP. Only use if encrypted with TLS to create IMAPS.

TCP Port 515

Port used for Line Printer Daemon (LPD), which is used to spool print jobs and send print jobs to printers. Consider enclosing in a VPN for use.

TCP Port 2049

Port used for Network File System (NFS). Used to support file sharing between dissimilar systems. Consider enclosing in a VPN for use.

TCP Port 110

Port used for POP3. Only use if encrypted with TLS to create POPS.

UDP port 1812

Port used for RADIUS AAA service.

TCP Port 25

Port used for SMTP. Only use if encrypted with TLS to create SMTPS.

UDP Port 161

Port used for Simple Network Management Protocol (SNMP), which is a network service used to collect network health and status information from a central monitoring station. Use the secure SNMPv3 only.

TCP port 49

Port used for TACACS AAA service.

UDP Port 69

Port used for TFTP (unsecure and should not be used)

TCP and UDP port 53

Ports for DNS. TCP is used for zone transfers (zone file exchanges between DNS servers), for special manual queries, or when a response exceeds 512 bytes. UDP is used for most typical DNS queries.

UDP Ports 67 and 68

Ports used for DHCP.

TCP Ports 20 and 21

Ports used for FTP

TCP Ports 6000-6063

Ports used for X Window, which is a GUI API for command line operating systems. Consider enclosing in a VPN for use.

Secure communication protocols

Protocols that provide security services for application-specific communication channels.

Non-IP protocols

Protocols that serve as an alternative to IP at the OSI Network layer (3). In the past, these were widely used. However, with the dominance and success of TCP/IP, these have become the purview of special-purpose networks. The three most recognized are IPX, AppleTalk, and NetBEUI.

Reverse proxy

Provides the opposite function of a forward proxy. Handles inbound requests from external systems to internally located services. Sometimes used on the border of a screened subnet in order to use private IP addresses on resource servers but allow for visitors from the public internet.

Ports 1024-49151

Registered software ports. They have one or more networking software products specifically registered with the Internet Assigned Numbers Authority (IANA).

LAN extender

Remote access multilayer switch; used to connect distant networks over WAN links. AKA WAN switch or WAN router.

Wireless Channel

Subdivisions of a wireless frequency. Can be thought of as lanes on the same highway.

Broadband technology

Supports multiple simultaneous signals. Uses frequency modulation to support numerous channels. Suitable for high throughput rates. Is a form of analog signal. Cable and TV modems, DSL, T1, and T3 are examples.

Baseband technology

Supports only a single communication channel. Uses a direct current applied to the cable. Ethernet uses this technology.

TCP Port 23

TCP port for Telnet protocol

Broadcast technology

Technology that supports communications to all possible recipients

Multicast technology

Technology that supports communications to multiple specific recipients.

Unicast technology

Technology that supports only a single communication to a specific recipient.

Basic Service Set Identifier (BSSID)

The MAC address of the base station, which is used to differentiate multiple base stations supporting an ESSID.

DNS poisoning

The act of falsifying the DNS information used by a client to reach a desired system.

Encapsulation

The addition of a header and possibly a footer to the data received by each layer from the layer above before it's handed off to the layer below.

Wireless cells

The areas within a physical environment where a wireless device can connect to a wireless access point.

Port security on the switch

The best defense against ARP cache poisoning

Zone file

The collection of resource records or details about the specific domain.

Antenna placement guidelines

The following are WHAT type of guidelines?
- Use a central location
- Avoid solid physical obstructions
- Avoid reflective or other flat metal surfaces
- Avoid electrical equipment

Collision domain

The group of network systems that could cause a collision if any two or more of the systems in that group transmitted simultaneously. Solved by using any layer 2 or higher device.

Logical topology

The grouping of networked systems into trusted collectives.

DNS pharming

The malicious redirection of a valid website's URL or IP address to a fake website that hosts a false version of the original valid site.

Deep packet inspection (DPI)

The means to evaluate and filter the payload contents of a communication rather than only on the header values. Able to block domain names, malware, spam, malicious scripts, abusive contents, or other identifiable elements in the payload of a communication.

Converged protocols

The merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/IP suite. Some common examples include SAN, FCoE, MPLS, iSCSI, and VoIP.

Extended Service Set Identifier (ESSID)

The name of a wireless network when a WAP is used.

Wi-Fi Protected Access (WPA)

The original set of protections from the Wi-Fi Alliance in 2003 designed to protect both present and future wireless devices, designed as the replacement for WEP. A significant improvement over WEP, in that it does not use the same static key to encrypt all communications. Instead, it uses TKIP (still RC4-based) to negotiate a unique key with each host and rotate per-packet keys. No longer considered secure; superseded by WPA2.

Physical topology

The physical arrangement of connections between computers. Not always the same as the logical topology.

URL hijacking

The practice of displaying a link or advertisement that looks like that of a well-known product, service, or site, but when clicked redirects the user to an alternate location, service, or product.

Microsegmentation

The process of dividing an internal network into numerous subzones, potentially as small as a single device, such as a high-value server or even a client or endpoint device. Any and all communications between zones are filtered, may be required to authenticate, often require session encryption, and may be subjected to allow list and block list control.

Ports 49152-65535

The random, dynamic, or ephemeral ports; often used randomly and temporarily by clients as a source port. However, most OSs allow any port from 1024 upward to be used as a dynamic client source port as long as it is not already in use on that local system.

Content filtering

The security filtering function in which the contents of the application protocol payload are inspected. Often based on keyword matching.

Jamming

The transmission of radio signals to intentionally prevent or interfere with communications by decreasing the effective signal-to-noise ratio.

TCP and UDP

The two primary transport layer protocols. TCP is connection-oriented, reliable (sequenced and acknowledged), and full-duplex; UDP is connectionless and best-effort, described as simplex because it has no handshake and no acknowledgments.

Bluesnarfing

The unauthorized access of data via a Bluetooth connection. Typically occurs over a paired link between the hacker's system and the target device.

FQDN components

Top-level domain (com in www.google.com) or TLD. Registered domain name (google in www.google.com). Subdomain(s) or hostname (www in www.google.com).

How to make IPv6 and IPv4 coexist

Use one or more of three primary options: dual stack, tunneling, or NAT-PT. Dual stack means having systems operate both IPv4 and IPv6 and using the appropriate protocol for each conversation. Tunneling allows most systems to operate a single stack of either IPv4 or IPv6 and use an encapsulation tunnel to access systems of the other protocol. Network Address Translation-Protocol Translation (NAT-PT) can be used to convert between IPv4 and IPv6 network segments, similar to how NAT converts between internal and external addresses.

Independent Service Set Identifier (ISSID)

Used by Wi-Fi Direct or ad hoc mode.

Simultaneous Authentication of Equals (SAE)

WPA3 authentication mechanism that still uses a password but no longer encrypts and sends that password across the connection to perform authentication. SAE (the Dragonfly handshake) is a zero-knowledge proof: each guess requires a live exchange with the peer, so a captured handshake cannot be attacked with an offline dictionary the way a WPA2 PSK handshake can, and the resulting session key has forward secrecy.

Ports 0-1023

Well-known ports or service ports, assigned by IANA to specific server services and reserved for servers; on Unix-like systems a process needs elevated privileges to bind to them.

Wireless networking amendments

What are these?

Benefits and drawbacks of multilayer protocols

What does the following list describe?
Benefits:
- A wide range of protocols can be used at higher layers
- Encryption can be incorporated at various layers
- Flexibility and resiliency in complex network structures is supported
Drawbacks:
- Covert channels are allowed
- Filters can be bypassed
- Logically imposed network segment boundaries can be overstepped

TCP Multilayer

What does this diagram describe? Keep in mind this is not the full extent of TCP/IP's encapsulation support. It is also possible to add additional layers of encapsulation such as TLS (would go between HTTP and TCP).
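The encapsulation entry above and this multilayer diagram describe the same mechanism: each layer prepends its own header to what it receives from the layer above, and the receiver strips them in reverse order. The following added example (not code from the page; the IP addresses, MAC addresses and DNS query are constructed) builds a DNS-style payload, wraps it in UDP, IPv4 and Ethernet headers with a real RFC 1071 header checksum, then decapsulates the frame layer by layer, rejecting it if a layer's fields do not add up. It goes one step beyond the diagram by also showing that a tampered header is caught by the layer that owns it.

```python
"""Encapsulation and decapsulation of a UDP datagram through IPv4 and Ethernet (added example)."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a correct header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_encapsulate(sport: int, dport: int, payload: bytes) -> bytes:
    # Layer 4 header: ports, length of header+payload, checksum (0 = absent, legal over IPv4)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4_encapsulate(src: str, dst: str, segment: bytes, proto: int = IPPROTO_UDP, ttl: int = 64) -> bytes:
    # Layer 3 header: version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, addresses
    ver_ihl = (4 << 4) | 5
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(segment), 0x1234, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment


def ethernet_encapsulate(dst_mac: str, src_mac: str, packet: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    # Layer 2 header: destination MAC, source MAC, EtherType (the FCS trailer is added by the NIC)
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ethertype) + packet)


def decapsulate(frame: bytes) -> dict:
    """Peel the headers off in reverse order, validating each layer before trusting the next."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    segment = packet[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
    if ulen != len(segment):
        raise ValueError("UDP length does not match IP payload")
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "payload": segment[8:]}


def build_example() -> tuple:
    """Constructed DNS A query for www.example.com, wrapped in UDP/IPv4/Ethernet."""
    payload = (b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6          # DNS header: ID, flags (RD), 1 question
               + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")  # QNAME, QTYPE A, QCLASS IN
    segment = udp_encapsulate(54321, 53, payload)
    packet = ipv4_encapsulate("192.0.2.10", "192.0.2.53", segment)
    frame = ethernet_encapsulate("00:00:5e:00:53:01", "00:00:5e:00:53:02", packet)
    return frame, payload


if __name__ == "__main__":
    frame, payload = build_example()
    print(len(frame), "bytes on the wire for", len(payload), "bytes of application data")
    print(decapsulate(frame))
```

Header overhead is visible directly: 14 + 20 + 8 bytes wrap 33 bytes of application data. The checksum check in `decapsulate` is the kind of per-layer validation a filter or IDS relies on, and it also illustrates the multilayer drawback listed above: a filter that inspects only one layer trusts whatever the layers it does not parse carry inside.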

Wi-Fi Protected Access 3 (WPA3)

Wi-Fi Alliance security certification launched in 2018. WPA3-Personal keeps 128-bit AES-CCMP but replaces preshared key (PSK) authentication with Simultaneous Authentication of Equals (SAE); WPA3-Enterprise adds an optional 192-bit security mode with stronger cipher suites.

Wi-Fi Protected Access 2 (WPA2)

Wireless security technology (IEEE 802.11i) that replaced WEP and WPA. Implements AES-CCMP instead of RC4/TKIP. The cipher itself has not been broken, but the four-way handshake was attacked by KRACK (key reinstallation, 2017) and a weak preshared key can still be recovered by an offline dictionary attack against a captured handshake.

Initialization Vector (IV)

A cryptographic term for a random or at least unique value (a nonce) combined with the key so that encrypting the same plaintext twice under one key does not produce the same ciphertext. It need not be secret, but it must never repeat under the same key; WEP's 24-bit IV space runs out quickly and IV reuse is a key reason WEP was broken.
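What goes wrong when an IV repeats is easiest to see with a stream cipher, which is exactly WEP's situation. The following added example (not code from the page; the shared key, IV and messages are constructed) implements RC4, forms a WEP-style per-packet key as IV || shared key, and shows that two packets sent under the same IV share a keystream, so one known plaintext decrypts the other. It also computes how quickly a 24-bit IV space produces a repeat by birthday collision.

```python
"""IV reuse with a stream cipher, WEP style (added example; key and messages are constructed)."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm then pseudo-random generation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> tuple:
    """WEP per-packet key = 3-byte IV || shared key; the IV travels in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv, xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Same IV and same key mean the same keystream: keystream = c_known XOR p_known,
    and that keystream unmasks any other ciphertext sent under that IV."""
    keystream = xor(c_known, p_known)
    return xor(c_target, keystream[:len(c_target)])


def iv_collision_probability(frames: int, iv_space: int = 2 ** 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames` random IVs."""
    p_no_repeat = 1.0
    for k in range(frames):
        p_no_repeat *= 1 - k / iv_space
    return 1 - p_no_repeat


def demo() -> dict:
    shared_key = b"\x0b\xad\xc0\xff\xee"          # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"
    p1 = b"GET /index.html HTTP/1.1"               # known plaintext (a predictable request)
    p2 = b"user=alice&pw=hunter2   "               # the packet an attacker wants
    _, c1 = wep_encrypt(shared_key, iv, p1)
    _, c2 = wep_encrypt(shared_key, iv, p2)        # IV reused: identical keystream
    _, c3 = wep_encrypt(shared_key, b"\x01\x02\x04", p2)  # fresh IV: different keystream
    return {
        "p2": p2,
        "recovered": recover_with_known_plaintext(c1, p1, c2),
        "recovered_wrong_iv": recover_with_known_plaintext(c1, p1, c3),
        "xor_of_ciphertexts_equals_xor_of_plaintexts": xor(c1, c2) == xor(p1, p2),
        "p_collision_4096": iv_collision_probability(4096),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With 2^24 possible IVs, about 4,096 frames already give a roughly 40% chance of a repeat, and a busy access point sends that many in seconds. Modern designs avoid this by pairing a fresh nonce with every key (CCMP's packet number) or by deriving per-session keys, which is the direction WPA and WPA2 took.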

