Exam Objectives - 1-4 Notes


1. Network Architecture
1.1. Explain the Functions and Applications of various network devices
HIDS (host-based intrusion detection system): software such as anti-spyware or antivirus applications
installed on individual network systems.
Monitors and creates logs in the local system
Content Filter: any software that controls what a user is allowed to peruse; most often
associated with websites
Client-side filters run on client machines
Server-side filters run on a proxy server on the network
ISP
Analog modem is a device that converts the digital signals generated by a computer into analog
signals that can travel over conventional phone lines
Can be internal add-in cards, on the motherboard, external devices, or proprietary devices.
Packet Shaper - packet shaping is the mechanism used to control bandwidth usage on the
network
Establishes priorities for data traveling to and from the internet within the network
Key functions: monitoring and shaping
Monitoring: where usage is high, and at what time/day
Shaping: customize the bandwidth usage to best fit the needs of the network
VPN Concentrator is used to increase remote-access security by establishing a tunnel between
the sending and receiving devices
Can also authenticate users, encrypt the data, regulate data transfer and control traffic

1.2. Compare and Contrast the use of networking services and applications
IPSec protocol designed to provide secure communications between systems
Internal and external communications
Encrypt and authenticate network transmissions
Two separate protocols
Authentication Header (AH) authentication and integrity checking for data packets
Encapsulating Security Payload (ESP) encryption services
GRE - is a tunneling protocol that can encapsulate many protocols inside IP tunnels
SSL VPN the process of using SSL to create a VPN
PTP/PPTP
PTP or PPP establishes a connection between two nodes
PPTP creates a secure tunnel between two points on a network, over which PPP can be
used
Basis of VPNs
PPTP control connection is required to create/maintain the communication tunnel.
Uses user ID and password.
TACACS/RADIUS
RADIUS remote authentication dial in user service.
Authentication and accounting service that verifies users over various links like dialup.
Must use a username/password.
Combines the user auth and authorization into one profile
Uses UDP
TACACS+ - terminal access controller access-control system plus
Alternative to RADIUS.
Separates user auth and authorization into two profiles.
Uses TCP
RAS: remote access solution within Windows Server products
Any system that uses the appropriate dial-in protocols can connect
Connection can be made over standard phone line, modem, network or ISDN
Underlying technology is PPP (point to point protocol)
Web Services: creating a connection to a website using HTTP/HTTPS
Network Controllers - this normally refers to a NIC.
Can also refer to a device that controls admission or access to a network like a NAC

1.3. Install and Configure the Following networking services/applications
DHCP
Reservations The host will always receive the same IP address. Use this list if the router/server
is not statically assigned
Options (DNS servers, suffixes)
IP Helper/DHCP Relay: provides addresses from a DHCP server to hosts that aren't on the same
LAN, by forwarding DHCP requests
Configure the IP Helper to know where to send the relay.
DNS Records
A gives you the IP address of a domain or host
MX used to translate mail records
Points to the mail exchanger for a host
You can list multiple and it will go down the list trying
AAAA also called quad-A. each name has an A record.
CNAME canonical name/alias record allows hosts to have more than one name
Ex: www.colton.com vs ftp.colton.com
PTR resolves the host name when you only have the address
IP address to name mapping. Resides in the reverse lookup zone.
NAT slows the depletion of IP addresses by allowing the use of private/public addresses.
SNAT - Designed to allow one-to-one mapping between local and global addresses.
DNAT ability to map an unregistered IP address to a registered IP address from a pool.
PAT Also called NAT Overloading.
Connect thousands of users to the same global IP
Port numbers help the router identify which host should receive the return traffic

1.4. Explain the characteristics and benefits of various WAN Technologies
Fiber
SONET Synchronous optical network
SDH Synchronous Digital Hierarchy
Transport protocol to replace PDH
Allows synchronized data transfer of multiple digital bit streams over fiber
Frame first, then payload.
Overhead instead of headers
CWDM Coarse Wavelength division multiplexing
Less than 8 wavelengths per fiber
Compact, cost effective, shorter range than DWDM
DWDM Dense Wavelength Division Multiplexing
More than 8 wavelengths per fiber
Frame relay
Utilizes packet switching
Organizes data into packet blocks so that multiple people can communicate on one line
at once
Cheaper than leased lines
Connect rural commercial locations to ISP backbones
outdated
Satellite
Broadband Cable
Around 60Mbps
Requires cable modem
DSL/ADSL Digital subscriber line
Successor of ISDN
Requires special telecom line
Up to 10Mbps
Requires a DSL modem to convert the high-speed DSL signal into network-friendly language
ISDN Integrated Services Digital Network
Used wires specially set up by phone companies
Two 64 Kbps B channels
Circuit switched network for voice
Packet switched for data
Can be used for video
ATM - Asynchronous Transfer Mode
Utilizes fiber optic cabling
Typically business class or backbone data
Well over 600Mbps
Cell-oriented packet switching
48 Byte payload, 5 byte header means 53 byte cells!
PPP/multilink PPP
Uses two PPP nodes to increase bandwidth
Uses two modems
MPLS
Metro Ethernet
Leased Lines
T-1, T-3, E-1, E-3
OC3, OC12
Circuit Switch vs Packet Switch
Packet switched includes: Frame Relay and ATM
Multiple signals can go down a single channel by taking turns
Circuit switched includes POTS, T1, E1
The whole channel is taken up for a session-like communication

1.5. Install and properly terminate various cable types and connectors using appropriate tools.
Copper Connectors
RJ-48C
Looks exactly like the RJ-45
Uses four wire pair, but are wired differently
RJ-48C: T1, long distance
Typically shielded.
DB-9/RS-232, DB-25
Serial transmission of data
Old school cables
Low speed, low voltage swing
DB-25 25 pin connector
UTP coupler
BNC Coupler
Quick release, military and industrial usage
Composite signals.
BNC
Used by the ST fiber-optic connector, coax
F-Connector
110 Block
Replaced most telephone wire installations
25-500 wire pairs
punch downs
66 Block
Only can be used for old telephone connections
Copper Cables
Cat3
Three twists per foot
Transmissions up to 16MHz and up to 10Mbps
obsolete
CAT5
Rated for 100MHz
Can't buy anymore
CAT5e
Rated for 100 MHz, can handle disturbance better
Transmits on all four pairs at the same time
Gb connection
CAT6
Rated for 250MHz
CAT6a
Up to 500MHz
Allows 10GBASE-T to run for 100 m
RG-59 used in patch cables
Not for long distances
RG-6 used in TV/Digital Cable
And high speed internet over cable
Straight-through vs Crossover vs rollover
Straight-through
Pin 1 connects to pin 1, 2 to 2
Most common cable
Work stations to network devices
MDI to MDI-X
Transmit on one end goes to receive on the other
Crossover
Connects MDI to MDI or MDI-X to MDI-X
Auto-MDIX - most devices automatically detect whether a crossover is needed
Rollover
Cisco console cable
Serial cable standard

Fiber Connectors
ST straight tip
Bayonet connector (push and twist)
SC Subscriber connector, standard connector, square connector
Tab that ensures its connected properly
LC Lucent Connector
Smaller form factor
Tabs on top used to lock in place (like RJ-45)
MTRJ
Mechanical Transfer Registered Jack
Smallest form factor
Latch at top
FC - Field Assembly Connector (Ferrule Connector)
Threaded connector
Good for high-vibration environments
Replaced by SC/LC
Fiber coupler
Extends fiber connections, with signal loss at each coupler
Can convert connectors
Fiber Cables
Transmission by light, in the visible spectrum
No RF signal, hard to monitor or tap
Slow to degrade
Immune to radio interference
Single Mode
Long range communication, Up to 100km without processing
Expensive light source Laser beams
Light goes straight through the core
Multimode
Short range communication, up to 2 km
Inexpensive light source (LED)
Light is bouncing off the cladding to get to the other side
APC vs UPC
Controlling light, laws of physics apply
Return loss, the light reflected back to the source
Minimize the amount of the reflection
UPC Ultra-polished connectors
Ferrule end-face radius polished at a zero degree angle
High return loss
APC Angle-Polished Connectors
Ferrule end-face radius polished at an 8 degree angle
Lower return loss, higher insertion loss than UPC
Media Converters
OSI Layer 1
Physical layer signal conversion
Extend a copper wire a long distance
Convert to fiber, then back again
Almost always powered
Single-mode fiber to ethernet/Multimode fiber to ethernet
Commonly used to extend distances
Powered converters, digital signal over copper requires power
Fiber to coaxial
Fiber to home
Single mode to multimode fiber
Long haul to short haul
Non powered converter!
Tools
Snips
Electrician's scissors
OTDR/TDR Time Domain Reflectometer or Optical TDR
Estimate cable lengths
Splice locations
Cable impedance information
Signal loss
Used to certify an installation
Works by sending an electrical pulse down the cable and waiting for a reflection back
This is what calculates time/distance
OTDR Does the same with light
Cable Certifier
1.6. Differentiate between common network topologies
Hybrid
Combining one or more physical topologies
Most networks are a hybrid.
Peer-to-peer
All devices are both clients and servers, everyone talks to everyone
Advantages: Easy to deploy, Low cost
Disadvantage: Difficult to administer, difficult to secure
Client-server
Clients talk to a central server
Clients DO NOT talk to each other
Advantage: Performance/administration
Disadvantage: Cost/Complexity
Mesh is one or more connections to the same place
Know the bus, ring, star, hybrid. (easy stuff)
1.7. Differentiate between network infrastructure implementations
PAN personal area network
Your own private network
Bluetooth, IR, NFC
SCADA/ICS Supervisory control and data acquisition system
Large scale, multi site industrial control system
ICS Server
DCS/Closed network
Real time information
System control
Remote Terminal Unit
Programmable Logic Controller
Medianets Cisco architecture for media application
VTC - Video teleconferencing
ISDN
Circuit-switched, guaranteed bandwidth
IP/SIP
Session initiation protocol
Voice over IP
1.8. Given a scenario, implement, and configure the appropriate addressing schema.
IPv6: 128-bit address, 16 bytes
Auto configuration
EUI-64
Doesn't require a DHCP server, can be done on the NIC
Done through SLAAC using NDP
Router solicitation (RS) and router advertisement (RA)
DHCPv6
Very similar to DHCPv4
UDP/546 (client) and UDP/547 (server)
Sends with MULTICAST
Solicit, advertise, request, reply
Link Local
Will only work on the local subnet
Required on every IPv6 enabled interface
Typically many IP addresses per interface
fe80::/10, with only one subnet allocated for link-local IPs
The last 64 bits are created with a modified EUI-64, based on the MAC address
Address structure
Address compression
Tunneling
6to4
Take IPv6 over an existing IPv4 network
Requires relay routers
IP Protocol 41 a transition technology
NO support for NAT (only on public IP addresses)
4to6
Tunnel IPv4 traffic on an IPv6 network
Teredo
Tunnel IPv6 through NATed IPv4
End-to-end IPv6 through an IPv4 network
Temporary use, no special router needed
Miredo
Open source Teredo for Linux
IPv4
Address structure
4 sections
64 bytes
4 bytes
Subnetting
Every device needs a unique IP
Need the subnet mask
Used by the local workstation to determine what subnet its on
Default gateway
Allows the computer to talk outside the local subnet
IP address isn't a single address
Combination of network ID and host ID
APIPA automatic private IP address
A link-local address
no forwarding by routers
Communicate with anyone on the same subnet as you who has been given an APIPA address
cannot route outside the subnet!
169.254.0.1-169.254.255.254
First and last block have been set aside as reserved
Means you cannot connect to the DHCP server
Classful A, B, C, D
A 255.0.0.0
B 255.255.0.0
C 255.255.255.0
Not used since 1993

Classless
Created in 1993 to remove some of the restrictions created by classful subnet masks
CIDR block notation
With CIDR you don't have to express a subnet mask in the traditional 255.255.255.0 form
/24 is what designates the subnet mask
The number is the number of ones in the subnet mask
Broadcast domain vs collision domains
Collision Domain
A historical footnote, difficult to find these days
The network was one big segment
Only one device could communicate at a time
Determined if it could communicate by using CSMA
When two people spoke at the same time, there was a collision
Collision detection (CD)
Cleared the wire with a jam signal, waited for a random time, then resent
Broadcast Domain
Size of the network thats impacted when a broadcast is sent
Broadcast domain passes right through a switch
ONLY stops at a router
Placing a router in the middle of a network separates the broadcast domain
Dual stack uses both IPv4 and IPv6
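The address mechanics from this section, worked through in code as an added example (not part of the original notes): the fe80::/10 link-local address a host derives from its MAC with modified EUI-64, a CIDR prefix length expanded into the mask, network ID, host ID and broadcast, and the APIPA check that tells you a host never reached a DHCP server. Only the Python standard library is used, and every address and MAC below is a constructed sample value.

```python
"""Section 1.8 address mechanics: modified EUI-64 link-local, CIDR masks,
network/host split and APIPA detection. Standard library only."""
import ipaddress


def modified_eui64_link_local(mac: str) -> str:
    """Build the fe80::/10 link-local address for a 48-bit MAC.

    Modified EUI-64: split the MAC in half, insert ff:fe in the middle and
    flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the U/L bit
    # fe80::/64 prefix (fe80 followed by six zero bytes) + 64-bit interface ID
    packed = b"\xfe\x80" + b"\x00" * 6 + bytes(iid)
    return str(ipaddress.IPv6Address(packed))  # compressed text form


def cidr_to_mask(prefix_len: int) -> str:
    """Expand /N into the dotted-decimal mask: N leading ones, then zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def split_ipv4(addr: str, prefix_len: int) -> dict:
    """Split an address/prefix into the pieces the notes list: network ID,
    host ID, broadcast, usable host count, and whether it is an APIPA
    (169.254.0.0/16) address that cannot be routed off the subnet."""
    iface = ipaddress.IPv4Interface(f"{addr}/{prefix_len}")
    net = iface.network
    host_bits = int(iface.ip) & ~int(net.netmask) & 0xFFFFFFFF
    return {
        "mask": str(net.netmask),
        "network_id": str(net.network_address),
        "host_id": host_bits,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
        "apipa": iface.ip in ipaddress.IPv4Network("169.254.0.0/16"),
    }


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """The workstation's local test: mask both addresses and compare network IDs.
    If they differ, traffic has to go to the default gateway."""
    mask = int(ipaddress.IPv4Address(cidr_to_mask(prefix_len)))
    return (int(ipaddress.IPv4Address(a)) & mask) == (int(ipaddress.IPv4Address(b)) & mask)


if __name__ == "__main__":
    print(modified_eui64_link_local("00:11:22:33:44:55"))  # constructed MAC
    print(cidr_to_mask(26), split_ipv4("192.168.1.77", 26))
    print(split_ipv4("169.254.10.20", 16)["apipa"])
```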
1.9. Explain the basics of routing concepts and protocols
Loopback interface
An IP address that we configure which is always going to be available
Works the exact same as a physical interface
A permanent address
Management interface, SSL VPN Connection, Router ID
Routing Loops
Routing Tables
List of directions for your packets
A table with many routes for your destination
Packets stop at every router and ask for directions
Default Route
First on the list is the default route
0.0.0.0
If its not listed on the routing table, go to the default route.
Distance vector routing protocols
How far away a particular network is
How many hops to the other network?
Usually automatic
Good for smaller networks, doesn't scale very well
RIPv2, RIP, BGP
Uses hopcounts
Hybrid routing protocols
Some characteristics of link state and a little distance vector
EIGRP
Enhanced interior gateway routing protocol
Proprietary to Cisco
Vector metrics are Bandwidth, load, delay, reliability, MTU and hop count
Link state routing protocols
Information passed between routers is related to the current connectivity
Consider how fast the link might be
Very scalable
OSPF, IS-IS
Large, scalable routing
Interior vs exterior gateway routing numbers
EGP
Protocols exterior to our AS
BGP, many organizations use BGP as their EGP
Many organizations route between each other
IGP
Not intended to route between AS
Used with a single AS
OSPF
IS-IS
RIP, RIPv2
EIGRP
ASN (Autonomous system number)
Assigned by the IANA
Used extensively by BGP
Route between AS
Autonomous system (AS)
Entire network is under your control
Existing as an independent entity
Route redistribution
None of these protocols can communicate with each other
Can redistribute the routes through one method and redistribute through another method
Advertise routes that dont appear in the autonomous system
High availability
A system that will always be available for us (99.999% uptime = 5 9s)
Higher availability almost always means higher cost
Fault tolerance
Maintain uptime in the case of failure
Adds additional devices which adds complexity
VRRP Virtual Router Redundancy Protocol
The default router isn't real
Devices use a virtual IP for the default gateway
If a router disappears, another one takes its place
Virtual IP
HSRP Hot standby router protocol
Cisco proprietary
Default gateway is assigned to a virtual router
Route aggregation
Optimize your routes
Taking a list and summarizing it down to one single route
Router efficiencies
Simpler router decisions, faster routing
Less memory utilization
Fewer routing advertisements
Routing Metrics
Hop counts
MTU, bandwidth
Costs
Latency
Administrative distance
SPB
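The routing-table behaviour from this section as an added example (not part of the original notes): a lookup that picks the longest matching prefix, falls back to the 0.0.0.0/0 default route, breaks ties on equal prefixes by administrative distance, and a route-aggregation step that summarizes contiguous routes into one. The table entries, next hops and AD values are constructed sample data; standard library only.

```python
"""Section 1.9 in code: longest-prefix match with default route,
administrative distance tie-breaking, and route aggregation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    admin_distance: int  # how much the source protocol is trusted; lower wins
    source: str          # e.g. "connected", "static", "OSPF", "RIP"


def make_table(entries) -> list:
    """entries: iterable of (prefix, next_hop, admin_distance, source)."""
    return [Route(ipaddress.IPv4Network(p), nh, ad, src) for p, nh, ad, src in entries]


def lookup(table, destination: str):
    """Longest-prefix match. 0.0.0.0/0 matches every address, so it is only
    chosen when no more specific prefix contains the destination. If two
    protocols offer the same prefix, the lower administrative distance wins."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None  # no default route configured: the packet is dropped
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))


def aggregate(prefixes) -> list:
    """Route aggregation: collapse contiguous prefixes into the fewest covering
    routes (four adjacent /24s become one /22; a gap leaves two routes)."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample table: a static default, an OSPF /16, the same /24 learned
# from both RIP (AD 120) and OSPF (AD 110), and a directly connected LAN.
SAMPLE_TABLE = make_table([
    ("0.0.0.0/0",      "203.0.113.1", 1,   "static"),
    ("10.1.0.0/16",    "10.0.0.2",    110, "OSPF"),
    ("10.1.5.0/24",    "10.0.0.3",    120, "RIP"),
    ("10.1.5.0/24",    "10.0.0.4",    110, "OSPF"),
    ("192.168.1.0/24", "connected",   0,   "connected"),
])

if __name__ == "__main__":
    for dst in ("10.1.5.9", "10.1.7.1", "8.8.8.8"):
        r = lookup(SAMPLE_TABLE, dst)
        print(dst, "->", r.prefix, "via", r.next_hop, f"({r.source})")
    print(aggregate(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]))
```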
1.10. Identify the basics elements of unified communication technologies
Real-time services
Presence
Your current status
Available, in a meeting, out of office, not connected
Communication adjusts based on presence
Available to everyone
Applications are now designed to use presence and communicate in the preferred way
Multicast vs unicast
Unicast one device sends information to all viewers
Separate stream for every user
Multicast one stream that all viewers can stream
Much more efficient way and scales better
Not generally used on the internet
QOS
Prioritize certain traffic over others
Bandwidth requirements, traffic rate, VLAN
DiffServ
Differentiated Services
QoS bits are enabled in the IPv4 header
Bits are set external to the application
Routers have to play along
DSCP
Differentiated Services Code Point
DS field in the IP Header
Define how the traffic should flow through the network
COS
Class of Service
Ethernet frame header in an 802.1Q trunk
Usually applied in the intranet
Devices
UC Servers
Central coordination of UC Services
Connects users wherever they are
UC Devices
Combine UC functions into a single client
Voice/video calls, IM, presence, persistent chat
UC Gateways
Connect diverse media systems
Collaborate with other UC systems outside of your network
1.11. Compare and contrast technologies that support cloud and virtualization
Storage area network
iSCSI
Internet Small Computer Systems Interface
Send SCSI commands over an IP network
Makes a remote disk look and operate like a local disk
Jumbo Frame
Ethernet frames with more than 1500 bytes of payload
Up to 9216 bytes (9000 is the accepted norm)
Increases transfer efficiency
Per-packet size increases
Fewer packets to switch/route
Fiber Channel
Fibre channel over ethernet (FCoE)
Use Fibre Channel over an Ethernet network
Not routable
Fibre Channel over IP (FCIP)
Encapsulating fibre channel data into IP Packets
Geographically separate the servers from storage
A specialized high-speed topology
Connect servers to storage
2, 4, 8, 16 GB per second rates
Supported over copper and fiber
Connect to a fiber switch
Server (initiator) needs FC Interface
Storage (target) is commonly referenced by SCSI, SAS, or SATA
NAS vs SAN
NAS network attached storage
Connect to a shared storage device across the network
File level access
SAN
Storage Area network
Looks and feels like a local storage device
Block level access
Very efficient reading and writing
Require a lot of bandwidth
May use an isolated network and high speed tech
Cloud Concepts
PaaS Platform as a Service
No servers, no software, no maintenance, no HVAC
Someone else handles the platform, you handle the product
You have no control over the platform
SaaS Software as a Service
On demand software, no local installation
Central management of data and applications
IaaS Infrastructure as a Service
Sometimes called hardware as a service
Outsource our equipment
You're responsible for the management and security of the hardware
Your data is out there, but more in your control
Private IaaS, SaaS, PaaS
Running in our own datacenter
Public IaaS, SaaS, PaaS
Available to anyone over the internet
Hybrid IaaS, SaaS, PaaS
Mix of public and private cloud
Community IaaS, SaaS, PaaS
Several organizations share the same hardware/software
1.12. Given a set of requirements, implement a basic network
List of requirements
Not going to have the same infrastructure
Network, power management, environment
Financial tradeoffs
Fewer features, less expensive
Devices types/requirements
Remote sites
No local IT Group
No high-speed network
Application access
Client-based
Web-based
VPN Requirement
Data sharing
Collaboration with other sites
Data management
Backups
May not have a separate printer, etc.
DSL or Cable Modem
ISP Provides the equipment
IPsec site-to-site VPN
Commonly includes built-in wireless, content filtering, intrusion prevention
Managed or unmanaged switches based on the need for remote support
Environment limitations
Don't have control over the environment
Humidity
Power might need a UPS
Wireless to avoid conflicts on frequency
Equipment limitations
Performance limitations like speed
Redundancy limitations, no automated failover
Management limitations
No command line management
Compatibility requirements
It all has to work together perfectly, difficult to troubleshoot
Standards set by the corporate entity
Network must be standardized, every site is usually configured identically
Wired/wireless considerations
Wired
Small office you will typically have a third party do the wiring
Home office no structured cable, cat5/6 integrates with the rest of the home
Wireless
No cables needed, easy to set up
Security considerations
SSID name, encryption type
Router security
Firewall
Use both hardware firewalls and os firewalls
Everything is password protected!

2. Network Operations
2.1. Given a scenario, use appropriate monitoring tools
Interface monitoring tools
Up or down
The most important statistic
Alarming and alerting
Notification should an interface fail to report
Short term and long term views
Not focused on additional details
Port Scanner
Gather information across the network, no special permissions required
Determine up/down ping/arp
Check for open ports
Scan OS
Top Talkers/listeners
SNMP Management software
Simple network management protocol
A database of data (MIB): management information base
SNMP versions
V1 the original
Structured tables, in the clear
V2 a good step ahead
Data type enhancements, bulk transfers, still in the clear
V3 the new standard
Message integrity, authentication and encryption
Trap
Get
Walk
MIBS
SYSLOG
Standard for message logging
Diverse systems, consolidated log
Usually a central logging receiver
Youre going to need a lot of disk space
SIEM security information and event management
Security alerts real time information
Log aggregation and long term storage
Usually includes advanced reporting features
Data correlation
Link diverse data types
Forensic analysis
Gather details after an event
Power monitoring tools
Device monitoring built into the BIOS and motherboard
SNMP
Custom MIB for power details
Power outlet, UPS
Power distribution system
Wireless analyzers
Wireless networks are incredibly easy to monitor
You have to be quiet on the network
Some drivers work and others dont
You can often see the ethernet packets
But thats not what you need and you might be using a different chipset
Packet flow monitoring
Gather traffic stats
Metadata of actual traffic
NetFlow
Probe and Collector
Probe watches the network communication
Summary records are sent to the collector
Wireless Survey Tools
Signal coverage
Potential interference
Built-in tools
3rd party tools
Spectrum analyzer
2.2. Given a scenario, analyze metrics and reports from monitoring and tracking
performance tools.
Baseline
Broadly defined
What does it mean to you
Application response time? Network throughput? Etc?
Point of reference
Accumulated knowledge
Examine the past to predict the future
Useful for planning
Log management
Collect information, create charts
Challenge is that data is coming from very diverse log sources, and they're quite large
Logs in about every device on your network
Usually sent via syslog
Stored in a central server
LOTS of storage requirements
Data rollup becomes important
Take samples every minute, 5-minute samples for 30 days
Bottleneck
There is never just one performance metric
Limitations on how much traffic can go through the devices
Graphics
Data is stored in raw logs or summarized metadata (rollups)
Usually managed through a SIEM (security information and event manager)
Turn raw data into something visual
Graphing can require extensive resource utilization
Churn through terabytes of data
Interface monitoring
Often your first sign of trouble
Local problems are easy to see
Can sometimes indicate a larger issue
Can monitor with SNMP
Remote monitoring of all devices
Most metrics are in MIB-II
Link status
Link up or down?
May be a problem on the other end of the cable
Errors
Problem with the signal: CRC errors, runts, giants
Utilization
Wireless channel
Performance of a wifi network is based on the utilization of the frequencies
Network device
CPU and memory two limiting factors
Difficult to increase may need an upgrade
Storage
A finite resource and valuable
Bandwidth
Consumed data communication resources
Usually measured over time
Discards, Packet drops
How well the device is handling the packets
No errors in the packet, but system could not process
Interface resets
Packets are queued, but arent sent
Connection is good, but line protocols arent talking
Reset and hope for the best
If its hardware this might not help
Speed and duplex
These should match on both sides (full and half duplex)
Auto speed and auto duplex isn't always the best option
2.3. Given a scenario, use appropriate resources to support configuration management
NAC
Switch port security
Access to the physical interfaces on the switch
Administrative enable/disable
Disable your unused ports!
Duplicate MAC address checking: stop the spoofers!
IEEE 802.1X port-based network access control - PNAC
You don't get access until you authenticate
Makes extensive use of EAP and RADIUS
Authenticator is usually running in the switch
Documentation
Network diagrams (logical/Physical)
You cant see most of it
Fiber and wires in the walls/ceilings
This is essential
Physical shows you exactly where the wires/fibers are
Follows the physical wire and device, can include physical rack locations
Logical how they are logically on the network
Specialized software: Visio, OmniGraffle
High level views
WAN Layout, application flows
Useful for planning and configuration
Asset management
A record of every asset
Routers, switches, cables, fiber modules, CSU/DSU
Add your own asset tag for financial records, audits, depreciation
Generally you would tag the asset
Master database
May include all corporate assets
Helps the helpdesk and with reporting
IP Address utilization
DHCP server scopes
A finite resource
How many IPs are assigned? Do you have free ones to assign?
Integrated into a management system or DHCP server reports
Vendor documentation
A fantastic source of information
Very helpful for managing and maintaining the assets
internal operating procedures/policies/standards
organizations have different business objectives
Operational procedures
downtime notifications
facilities issues
Software upgrades testing, change control
2.4. Explain the importance of implementing network segmentation
SCADA Systems/industrial control systems
PC manages equipment
Power generation, refining, water management, manufacturing equipment
Traditionally not built with security in mind
Huge emphasis on securing these, so they are placed on their own network
Legacy Systems
Older operating systems and equipment don't play well with modern systems
You segment off a section of the network for these applications
Separate a private network from a public network
DMZ is the middle ground
Testing Lab
Test patches or updates on a system of its own
Create a lot of problems in the lab and you would keep the explosions contained
Honeypot/honeynet
Trap the bad guys in a fake environment
Watch them hack
Can be used for security purposes where users shouldn't talk directly to database servers
Helps performance for high-bandwidth applications
Done by compliance (PCI-DSS)
Makes change control much easier
2.5. Given a scenario, install, and apply patches and updates
Major vs Minor updates
Different philosophy across manufacturers
Minor updates provide bug fixes for existing features
Major updates provide new features
Vulnerability patches
Important security updates
These are generally high priority
Perform testing and implement as soon as possible!
Time to patch
Keep your operating systems up to date
It is a constant process, and is never done. Updates typically are once a week
In a business environment you typically need to test the update before you apply the patches
Some patches break other things
Can be centrally managed
Patches
Operating system patch
Updates normally once a month
Provided by the manufacturer
Functionality and security
Firmware update
Updated BIOS
Change in the software in embedded system
Not as often
Driver updates
Not updated often
Usually for fixing bugs when the OS updates
Feature changes/updates
2.6. Given a scenario, configure a switch using proper features
VLAN
Logically separate your switch ports into subnets
Devices can be on the same subnet but in different locations
VLANs cannot communicate with each other w/o a router
Router/firewall becomes the gatekeeper
Manages access, security, and changes
Grouped together by function
Is often integrated with the NAC (Network access control)
Move people automatically into their VLAN
VLAN ranges from 1-4096
Native VLAN/default VLAN
Not subject to tunneling or headers on the 802.1Q trunk
VTP
VLAN Trunking protocol
Manual configuration doesnt scale very well
Cisco proprietary protocol that automates the process: configure a VLAN on one central switch and it pushes the change down automatically
Also Multiple VLAN registration Protocol
Trunking
Multiple VLANs in a single wire
VLANs are tunneled inside of the trunk
Spanning tree (802.1d)/rapid spanning tree (802.1w)
Flooding
Ports
Root Port interfaces closest to the root
Designated Port used to send traffic over the network
Blocked Port ports where STP has blocked the traffic
Forwarding/blocking
Blocking not forwarding to prevent a loop
Listening not forwarding and clearing the MAC table
Learning not forwarding and adding to the MAC table
Forwarding data passes through and is fully operational
Disabled administrator has turned off the port
Filtering
RSTP 802.1w
Rapid Spanning tree protocol
Faster convergence
30-50 seconds down to 6
Backwards compatible with 802.1D STP
You can mix both on your network
Loop protection
Connect two switches to each other and they send traffic back and forth forever
No counting mechanism at the MAC layer
Easy to bring a network down by itself
Difficult to troubleshoot, easy to resolve
802.1D to prevent loops in bridged (switched) networks
Interface configuration
Speed and duplex
Speed: 10 / 100 / 1000
Duplex: Full/half
Automatic and manual
NEEDS TO MATCH ON BOTH SIDES
IP Address assignment
Layer 3 interfaces
Used for management
VLAN Interfaces can sometimes be configured
IP address, subnet mask/CIDR block, default gateway, DNS
Trunking/802.1q
Each frame carries an 802.1Q header, the VLAN tag
Connecting switches/vlans on a single link
Tag vs untag VLANS
Decides where the traffic will go based on 802.1Q
A non-tagged frame is the default, also called the native VLAN
Trunk ports will tag the outgoing frames
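Reading the two QoS and VLAN markings that sections 1.10 (DiffServ/DSCP and CoS) and 2.6 (802.1Q trunking, tagged vs untagged frames) describe, as one added example that is not part of the original notes: the 802.1Q tag on a trunk carries the 3-bit CoS (PCP) and 12-bit VLAN ID, an untagged frame is assigned the native VLAN (assumed to be VLAN 1 unless told otherwise), and for IPv4 payloads the 6-bit DSCP is read from the DS field. The frames are constructed with struct for the demonstration, not captured from a live network.

```python
"""Parse 802.1Q tag (CoS/PCP, DEI, VLAN ID) and IPv4 DSCP from a raw frame.
Untagged frames fall back to the native VLAN. Standard library only."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_frame(dst_mac, src_mac, payload_ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vlan_id is given.
    TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    header = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if vlan_id is not None:
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vlan_id & 0xFFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", payload_ethertype) + payload


def build_ipv4_header(dscp, ecn=0, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal 20-byte IPv4 header with the DS field set; checksum left zero
    because only the header fields matter for this demonstration."""
    version_ihl = 0x45                       # IPv4, 5 x 32-bit words
    ds_field = (dscp & 0x3F) << 2 | (ecn & 0x3)  # DSCP in the upper 6 bits
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", version_ihl, ds_field, 20, 0, 0, 64, 17, 0, src_b, dst_b)


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Return VLAN, CoS/DEI (if tagged) and DSCP (if IPv4) for one frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"tagged": False, "vlan": native_vlan, "cos": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, cos=tci >> 13, dei=(tci >> 12) & 1, vlan=tci & 0xFFF)
        offset = 18
    info["ethertype"] = ethertype
    info["dscp"] = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        info["dscp"] = frame[offset + 1] >> 2  # DS byte; low 2 bits are ECN
    return info


if __name__ == "__main__":
    # Constructed sample: voice-like frame on VLAN 200 with CoS 5 and DSCP 46 (EF)
    ip = build_ipv4_header(dscp=46)
    tagged = build_frame("01:00:5e:00:00:01", "00:11:22:33:44:55",
                         ETHERTYPE_IPV4, ip, vlan_id=200, pcp=5)
    untagged = build_frame("01:00:5e:00:00:01", "00:11:22:33:44:55", ETHERTYPE_IPV4, ip)
    print(parse_frame(tagged))
    print(parse_frame(untagged, native_vlan=99))
```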
Port bonding (LACP)
Multiple links between switches can be treated as a single interface
This increases the bandwidth between the switches
Port mirroring (local vs remote)
Copy traffic from one interface
Used for packet captures, IDS
Mirror traffic on the same switch from one port to another
Mirror traffic from one switch to another.
VLAN Assignment
Each device port should be assigned to a VLAN
Default gateway
PoE and PoE+ (802.3af, 802.3at)
Power provided on an ethernet cable
One wire for both network and electricity
Phones, cameras, wireless access points
Power provided at the switch
Built in power Endspans
In-line power injector midspans
Power modes
Mode A: data and power on the same pairs (phantom power)
Mode B: power on separate pairs from the data
802.3af-2003
The original PoE specification
Now part of the 802.3-2012 standard
Originally provided 15.4 watts DC Power
Current of 350mA
POE+: 802.3at-2009
Also wrapped into the 802.3-2012
25.5 watts DC power
Current of 600mA
Switch management
User/passwords
Users can log in with locally configured credentials
Usually has a default login when you first get it
Local logins are generally disabled
AAA Configuration
Authentication, Authorization and Accounting
RADIUS, TACACS+
Usually uses a central database to authenticate
Permissions can be based on the group access
Disable the account on the AAA Server, you will disable it everywhere.
Console
Directly connect to the switch
Serial interface
Need PHYSICAL access to the device
Virtual Terminals
Connect to the console over the network
SSH clients and terminal applications: TTY, PuTTY, Terminal
In-band/out-of-band management
In-band manage on the same link as the data (same network)
Out-of-band a separate communication link for management
Managed vs unmanaged
Unmanaged
Very few configuration options
Fixed configuration
No VLANS
Very little integration with other devices
Low price point
Simple is effective
Managed switches
VLAN Support
Traffic prioritization
Redundancy support (STP)
External management SNMP
Port mirroring capturing packets
2.7. Install and configure wireless LAN infrastructure and implement the appropriate
technologies in support of wireless capable devices.
Wireless access points/ Wireless Bridge
Device density
Deployed throughout a campus or building
Hundreds or thousands of nodes
How many devices in an area are there
Roaming
Seamlessly move throughout the network
APs use the same SSID
Same encryption and authentication
Wireless controllers
Centralized management of wireless access points
Large server rack mountable appliance
Manage system config and performance
Makes it easier to manage the wireless APs
VLAN Pooling
Distribute wireless users into separate VLANS
Minimize broadcasts and congestion
Sometimes the MAC address is the criterion for separating devices
Automates keeping each subnet small
Once a subnet holds a certain number of clients, new clients are placed in a different subnet
LWAPP
Lightweight access point protocol
Control many access-points at once
Will send the update to all the access points
Centralized policy enforcement
The access point itself bridges the wired network to wireless
Bridging only, no routing
Small Office/ Home office wireless router
Used in less populated environments
Smaller feature set
ISP Connectivity
Routing/NAT features
Site Survey
Determine existing wireless landscape
Sample the existing wireless spectrum
Identify existing access points
Heat Maps
Identify wireless signal strengths
Plan for ongoing site surveys things will change
Frequencies
802.11 frequencies
IEEE Standards for wireless networking worldwide
2.4 GHz
802.11b
Direct sequence spread spectrum DSSS modulation
Data is chipped and transmitted across different frequencies
In a predefined order
14 channels
22 MHz wide
Spaced at 5MHz intervals
US uses 11 of these
802.11g and 802.11n
Orthogonal frequency division multiplexing (OFDM)
Transmit multiple data streams over a given bandwidth
Same frequencies as 802.11b
But using OFDM
Uses same channels as 802.11b
Non overlapping channels 1,6,11 in the US
Falls back to DSSS for the slower (802.11b-compatible) rates
802.11n can use a wider 40 MHz channel for faster speeds
With 40 MHz channels there is room for only one non-overlapping channel in the 2.4 GHz band (for example centered on channel 3)
5 GHz
802.11a, 802.11n, 802.11ac
Not used for 802.11b or g
Dynamic frequency selection (DFS)
Avoids interfering with weather radar and military radar that share the band
OFDM (Orthogonal Frequency Division Multiplexing)
Transmit multiple data streams over a given bandwidth
23 non overlapping channels different channels used in different countries
802.11n adds MIMO (Multiple-input and multiple output)
One receiver with more than one antenna
802.11n supports 4 transmit and 4 receive, and sending/receiving 4 data streams
802.11ac adds MU-MIMO Multiuser MIMO
Up to four receivers with multiple antennas on each
Channels
Goodput
How fast the application actually transfers useful data
Throughput with all protocol overhead removed
Connection types
802.11a-ht
802.11g-ht
Backwards compatibility: 802.11n high-throughput (HT) mode on the 5 GHz (a) and 2.4 GHz (g) bands
Antenna placement
Where do you put the access point?
Choose channels that are non-overlapping
Antenna types
Omnidirectional
One of the most common
Signal is evenly distributed on all sides
Good choice for most environment
No way to focus the signal
Unidirectional
Focus the signal
Send/listen in a single direction
Focused transmission and listening
Antenna gain is measured in dB (dBi, relative to an isotropic radiator)
Yagi antenna
Very directional and high gain
Parabolic antenna
Focus the signal to a single point

MIMO/MU-MIMO
MIMO
4 transmit and 4 receive, and sending/receiving 4 data streams
MU-MIMO
Up to four receivers with multiple antennas on each
Signal strength
Coverage
Differences between device antennas
SSID management
Service Set Identifier
Change the SSID to something not too obvious
Disable the SSID broadcasting?
SSID is easily determined through wireless network analysis
Security through obscurity
Topologies
Ad hoc
No-preexisting infrastructure
Devices communicate amongst themselves - bluetooth
Mesh
Ad hoc devices work together to form a mesh cloud
Self form and self heal
Infrastructure
All devices communicate through an access point
This is the most common way to do things
3. Network Security
3.1. Compare and contrast risk related concepts
Disaster recovery
Small and large disasters: you need to keep the business up and running
Often managed through a 3rd party
Declaring a disaster is what starts the plan
Dispatched to the DR Facility
Need to be able to think on your feet
Business continuity
Keeping the business running
Business processes are interrelated
Almost everything relates to IT
Your plan needs to involve the ENTIRE company
Battery backups/UPS
UPS
Backup power
Provide with backup power for a certain amount of time
Protects against blackouts, brownouts, surges
Standby UPS: passes utility power through and switches to battery when power is lost (brief switchover delay)
Line-interactive UPS: also covers brownouts and surges by adjusting the output voltage
On-line UPS: always on, constantly providing power from the inverter while recharging the battery
First responders
Very specific tasks for the first person on the scene
Detailed in the incident response policy
Dont disturb the environment
Get the right people in place before poking around
Follow the escalation policy
Data breach
Data is valuable
Once data is stolen, its too late to recover
Copies will be made
Breached data must be identified
End user awareness and training
All of your policies must be on the intranet, but no one will read them
In person mandatory training sessions
General security best practices
How to deal with viruses
Single point of failure
One problem can cause an outage
One bad link in the chain
Hardware failure, software patch, bad code
Critical nodes
Identify devices that are important to uptime(critical)
Create redundancy and fail-over process
Critical assets
May include hardware and software for your fail over process
Redundancy
Keeping devices interconnected so if one goes down it will connect through a different
route
Adherence to standards and policies
Your security is only as strong as your policies
Security policies a set of policies that cover many areas of security
Vulnerability scanning
Try to find the systems that might be weak links
Scans can be interpreted as offensive attacks by the target
Nessus, Nikto, nmap
Before you run a scan, update the database of the scanner
New vulnerabilities are discovered daily
Then you scan the device to determine application or service versions
Then compare the version number to the database
Does the application version have known vulnerabilities?
View the report of exceptions
Penetration testing
Almost always seen as an attack
Pentest an attack from the good guys
Actively trying to take advantage of the vulnerability
Often a compliance mandate
Bypass security controls
Force your way in
3.2. Compare and contrast common network vulnerabilities and threats
Attacks/threats
DoS
Force a service to fail
Overload/crash the service (using all the resources/bandwidth)
Sometimes it's a smokescreen for some other exploit
DoS doesn't have to be complicated
Distributed DoS
Launch an army of computers to bring down a service
Botnet
Coordinated attack
Machine is under the control of a 3rd party
Asymmetric threat
Attacker may have fewer resources than the victim
Traffic Spike
Reflective/amplified
Turn your small attack into a big attack
Often reflected off another device
Uses protocols with few authentication checks
DNS
Botnet makes a query to an open DNS resolver
Source is spoofed to the victim's IP address
Small query size
Open DNS resolver responds to the victim
Response size is often over 3000 bytes
The amplification is at the application layer: a small query produces a large response
NTP
Smurfing
Smurf attack: ICMP echo requests sent to a broadcast address with the source spoofed to the victim, so every host replies to the victim
Friendly/unintentional DoS
Network DoS
Layer 2 loop without STP
Bandwidth DoS
Downloading massive files
Can be related to the environment
Physical Attack
Permanent DoS
Packet/protocol abuse
WEP a broken security protocol, could not stop a replay attack
WPA
Was relatively secure but some vulnerabilities were found in TKIP
Very specific cases per packet decryption, very slow
WPA2 includes significant security changes
CCMP: AES-based cryptography with strong security
No known cryptographic vulnerabilities in the cipher itself
Not many options to attack a WPA2 network
WPA-Personal / WPA-PSK
Everyone has a preshared key
The same 256 bit key
The only way to gain access to the network is a brute force / dictionary attack
WPA-Enterprise / WPA-802.1X
Authenticates users individually with an authentication server (e.g. RADIUS)
No shared key to brute force, so no practical attacks on the authentication itself
WPS: Wi-Fi Protected Setup
Originally called Wi-Fi Simple Config
Allows easy setup of a mobile device
Connect to ap in a number of ways
Pin configuration on access point
Push a button on the ap
NFC to connect
USB Method no longer used
First attack published in December 2011
Pin is an eight-digit number
Really seven digits and a checksum
WPS process validates each half of the PIN separately
First half 4 digits, second half 3 digits plus the checksum digit
First half 10k possibilities, second half 1k
Takes about 4 hours to go through all iterations
No lockout function in the original design
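Added example, not from the original notes: the WPS PIN checksum digit and the arithmetic behind the 2011 attack, with a constructed stand-in registrar that leaks whether each half of the PIN matched. The per-attempt timing is an assumption used only to estimate the runtime the notes quote.

```python
"""Added example, not from the original notes: the WPS PIN checksum digit and
the arithmetic behind the 2011 attack, with a stand-in registrar that leaks
whether each half of the PIN matched. The per-attempt timing is an assumption
used only to estimate the runtime the notes quote."""


def wps_checksum(seven_digits: int) -> int:
    """Last PIN digit: weights 3,1,3,1,... over the first seven digits, mod 10."""
    acc, n = 0, seven_digits
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: int) -> bool:
    return 0 <= pin < 10 ** 8 and pin % 10 == wps_checksum(pin // 10)


class RegistrarOracle:
    """Constructed stand-in for an AP registrar that answers M4/M6 with a NACK
    as soon as the first or the second half of the PIN is wrong."""

    def __init__(self, pin: int):
        assert is_valid_pin(pin)
        self._pin = pin
        self.attempts = 0

    def first_half_ok(self, half1: int) -> bool:
        self.attempts += 1
        return half1 == self._pin // 10000

    def second_half_ok(self, half1: int, half2: int) -> bool:
        self.attempts += 1
        return half1 == self._pin // 10000 and half2 == self._pin % 10000


def crack_pin(oracle: RegistrarOracle) -> int:
    """Two independent searches: 10^4 for the first half, 10^3 for the second
    (the checksum digit is derived, never guessed)."""
    half1 = next(h for h in range(10 ** 4) if oracle.first_half_ok(h))
    for three in range(10 ** 3):
        half2 = three * 10 + wps_checksum(half1 * 1000 + three)
        if oracle.second_half_ok(half1, half2):
            return half1 * 10000 + half2
    raise RuntimeError("registrar oracle inconsistent")


def keyspace():
    """(valid PINs a blind guesser must consider, worst-case attempts with the oracle)."""
    return 10 ** 7, 10 ** 4 + 10 ** 3


def estimated_hours(attempts: int, seconds_per_attempt: float = 1.3) -> float:
    """Assumed ~1.3 s per WPS transaction (a rough figure, not from the notes)."""
    return attempts * seconds_per_attempt / 3600
```

The split validation is what turns 10 million valid PINs into at most 11,000 attempts; a registrar that only reported success or failure for the whole PIN, or that locked out after a few failures, would not leak this.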
Replay attack: recording information as it is sent and later replaying it to another device in an attempt to gain access to that device
ARP Request replay attack
Cracking WEP requires thousands of IV packets
Wait all day to collect IVs
Or replay a ton of ARP requests and collect the IV packets quickly
Wireless
Evil twin: an access point that replicates your AP so people connect to it instead
Rogue AP: a significant backdoor; easy to plug in a wireless AP
War driving - Driving around looking for unsecure networks
War chalking -Symbols written on the sidewalk to signify networks that are open,
unprotected, etc
Bluejacking - Sending of unsolicited messages to another device via bluetooth
Bluesnarfing - Access a Bluetooth-enabled device and transfer data
WPA/WEP/WPS attacks
Brute force
The password is the secret phrase or its stored hash
Try every possible combination for a given username
Online brute force attacks
Keep trying the login process
Very slow
Most accounts will lockout after a number of attempts
Offline brute force the hash
Obtain the list of users and hashes
Calculate a password hash, compared to a stored hash
Large computational resources
Cannot reverse the hash
Hashes differ across operating systems; different hash methods
Dictionary attack
People use common words as passwords
Bad guys only try words that are well known
Thus you typically start with the easy words
This only catches the low-hanging fruit
You'll need smarter attacks for smarter people
Hybrid attack
Combine a brute force attack with a dictionary attack
Ex: ninja9, 50cent
Takes longer to go through the iterations, but still faster
Session hijacking
When you visit a website your browser will generally store cookies
Not shared between websites
Used for personalization, session management
Not executable, and not a security risk
Unless someone else gets access to them
Session ID is often stored in the cookie
Session ID maintains your session across multiple requests
A well-secured cookie is only sent over HTTPS (Secure flag) and is not readable by scripts (HttpOnly)
Obtain the session ID and then modify the header to gain access as that user
Tamper Data, Firesheep, Scapy: modify headers
If the site is vulnerable to cross-site scripting you might be able to steal the session cookie from other users' browsers
If it's in the cookie itself you need to modify your cookies
Cookies Manager+
Only works on sites that check only the session ID to allow access
Prevent session hijacking
Encrypt end-to-end
They cant capture your session ID if they cant see it
Additional load on the web server
Encrypt end-to-somewhere
Avoid capture over the network with a VPN
Session ID monitors can detect when someone else is trying to use your session ID
Social engineering
This is a major threat because its electronically undetectable
Suspicious telephone call
Look out for unattended persons badges, processes
Bypassing security controls
Force your way in
Tailgating
People inside the org may bypass security controls
Man-in-the-middle
Bad guy sits in the middle of your traffic and you have no idea
Redirects your traffic
Then passes it on to the destination
ARP Poisoning
Attacker spoofs itself and pretends to be someone else
ARP has no security
Sends false ARP replies so the victim's ARP cache is updated with the bad guy's MAC address
Spoofing
Pretending to be someone you arent
Modify your MAC address
Easily can spoof different IP Addresses
VLAN hopping
You only have access to your VLAN
That is good security practice
Hop to another VLAN through the mechanisms below
Switch spoofing
Some switches support automatic configuration
Is the switch port for a device or is it a trunk?
There is no authentication for the autonegotiation process
Pretend to be a switch
Send a trunk negotiation message (DTP)
Switch admins should disable any automatic trunk negotiations
Double Tagging
Crafting a frame that includes two VLAN tags
Takes advantage of the native VLAN configuration
The first (outer) tag, set to the native VLAN, is removed by the first switch
The second (inner) tag is then visible to the second switch, which forwards the frame into that VLAN
Frame is forwarded to the target
This is a one-way trip
Responses dont get back to the source host
Good for a DoS
Dont put any devices on the native VLAN
Change the native VLAN ID
Force tagging of the native VLAN
Avoid the double tagging
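Added example, not from the original notes: it builds 802.1Q-tagged frames (the trunking section above) and models the double-tagging hop and the three mitigations listed. The MAC addresses, VLAN IDs and the simplified switch behaviour are constructed for illustration.

```python
"""Added example, not from the original notes: build 802.1Q-tagged Ethernet
frames and show why a double-tagged frame crosses VLANs when the attacker's
access port is in the trunk's native VLAN. MAC addresses, VLAN IDs and the
simplified switch behaviour are constructed for illustration."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID 0x8100 then TCI (PCP 3 bits, DEI 1 bit, VID 12 bits)."""
    if not 0 <= vid < 4096:
        raise ValueError("VLAN ID must fit in 12 bits")
    return struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vid)


def build_frame(dst: str, src: str, vids, payload: bytes = b"") -> bytes:
    """Ethernet frame carrying zero or more 802.1Q tags, outermost first."""
    frame = mac(dst) + mac(src)
    for vid in vids:
        frame += vlan_tag(vid)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame: bytes):
    """Return the list of VIDs (outermost first) and the offset of the real EtherType."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, off


def trunk_egress(frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """First switch, trunk side: a frame in the native VLAN leaves untagged
    (its outer tag is stripped) unless native-VLAN tagging is forced."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]
    return frame


def ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """Second switch, trunk side: untagged means native VLAN, otherwise the outer tag."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def double_tag_attack(attacker_vlan: int, target_vlan: int,
                      native_vlan: int, tag_native: bool = False) -> int:
    """Attacker on an access port in attacker_vlan sends a frame tagged
    [native_vlan, target_vlan]. Returns the VLAN the second switch delivers it to."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc",
                        [native_vlan, target_vlan], b"\x45" + b"\x00" * 19)
    # The access switch only honours an outer tag equal to the port's own VLAN,
    # so the trick needs the attacker to sit in the native VLAN.
    if attacker_vlan != native_vlan:
        return attacker_vlan
    return ingress_vlan(trunk_egress(frame, native_vlan, tag_native), native_vlan)
```

Running double_tag_attack(1, 20, 1) lands in VLAN 20; moving the native VLAN to an unused ID (so no user port is in it) or forcing native tagging keeps the frame in the attacker's own VLAN.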

Compromised System
Most of your security is on the perimeter of the network
Once you're on the inside, fewer security controls
Difficult to get in, but easy to get out
Bot, send spam, information gathering, display information to the users, ads, jumping off
point
Fixing the compromise
Do you have backups?
Make forensic image of the drive
Effect of malware on the network
Insider threat/malicious employee
We give people more access than they really need
Least privilege access to only what they need and no more
Significant security issues if someone can access the data
Harm the reputation
Critical system disruption
Loss of confidential or proprietary information
Zero day attacks
Many applications have vulnerabilities we just haven't found yet
Bad guys keep these yet-to-be-discovered holes to themselves
Zero-day: the vulnerability has not been detected or published
These are super common
Vulnerabilities
Unnecessary running services
Disable unnecessary services
Every service has the potential for trouble
The worst vulnerabilities are 0-day
Deciding which services are unnecessary may require a lot of research
Hardening
Making your OS harder
Increasing the security of the system
Constant maintenance
Open ports: ports that are currently listening, whether or not a legitimate service is behind them
Services open ports to allow others to come into the system
Unpatched/legacy systems
Change control process: plan for the update and plan for problems
There is always a delay before the patch is applied
Some systems wont be / cant be touched
Mission critical systems with no support
Need to identify these systems and create a plan for what happens
Unencrypted channels
Communication to/from a device should (ideally) be encrypted
This is easier said than done
In-the-clear information can be easily captured
Clear text credentials
Don't store important information without encryption
Credentials should be hashed with a salt
Salt: random data added to the password before hashing
Makes precomputed (rainbow table) and brute-force attacks much harder
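Added example, not from the original notes: an offline attack on a leaked list of password hashes, run as the dictionary and hybrid passes described in the brute-force section above, and why a per-user salt defeats the shared precomputed table. The user list, passwords and wordlist are constructed sample data.

```python
"""Added example, not from the original notes: an offline attack on a leaked
list of password hashes, run as a dictionary pass followed by a hybrid pass
(word + digit suffix), and why a per-user salt defeats the shared precomputed
table. The user list, passwords and wordlist are constructed sample data."""
import hashlib
import itertools
import os

WORDLIST = ["password", "ninja", "50cent", "summer", "letmein"]       # constructed
USERS = {"alice": "ninja9", "bob": "50cent", "carol": "Tr0ub4dor&3"}  # constructed


def unsalted_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def hybrid_candidates(words, max_digits: int = 2):
    """Dictionary words first, then every word with a 1..max_digits numeric suffix."""
    yield from words
    for n in range(1, max_digits + 1):
        for w in words:
            for digits in itertools.product("0123456789", repeat=n):
                yield w + "".join(digits)


def leak_unsalted():
    """What a database with unsalted hashes leaks: {user: digest}."""
    return {u: unsalted_hash(p) for u, p in USERS.items()}


def leak_salted():
    """Same data stored properly: {user: (salt, digest)} with a random 16-byte salt."""
    out = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        out[u] = (salt, salted_hash(p, salt))
    return out


def crack_unsalted(stolen, words):
    """One hash per candidate serves every user: build the table once, look up all."""
    table, ops = {}, 0
    for c in hybrid_candidates(words):
        table[unsalted_hash(c)] = c
        ops += 1
    return {u: table[h] for u, h in stolen.items() if h in table}, ops


def crack_salted(stolen, words):
    """The salt makes each user's hash unique, so the candidates are re-hashed per user."""
    found, ops = {}, 0
    for u, (salt, h) in stolen.items():
        for c in hybrid_candidates(words):
            ops += 1
            if salted_hash(c, salt) == h:
                found[u] = c
                break
    return found, ops
```

Both passes recover the two weak passwords; the difference is cost. Unsalted, the 555-entry table is computed once for all users (and could have been precomputed before the breach). Salted, every user costs a full pass, and the one strong password alone costs the whole candidate list. A slow, purpose-built password hash (bcrypt, scrypt, Argon2) multiplies that per-guess cost further.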
Unsecure protocols
TELNET, HTTP, SLIP, FTP, TFTP, SNMPv1 and SNMPv2
These protocols are generally not encrypted
TEMPEST/RF emanation
Emission security
Everything leaks emissions
Protect yourself
Shielding standards
Separation of classified vs unclassified wires
Cable filters
Equipment distance from walls
3.3. Given a scenario, implement network hardening techniques
Anti-malware software
Host based
Anti-malware that runs on the computer
Each device manages its own protection
Updates must be completed on all devices becomes a scaling issue
Large orgs need enterprise management
Track updates, push updates, confirm updates, manage engine updates
Mobile adds to the challenge
Cloud/server based
Expand the scope of anti-malware
All web requests are centrally controlled
Also manages email communication
Very fast updates
Can be driven by multiple users
Small footprint
No additional software necessarily required
May be required for mobile devices
Fewer resource requirements
Network based
Anti-malware on network devices
Proxy, firewall
Completely invisible to the users
Usually signature based
Maintains high speed network speeds
Switch port security
DHCP Snooping
A way to prevent unauthorized DHCP servers or static-IP devices from accessing your network
IP tracking on a layer 2 device
The switch is the DHCP firewall
Trusted: routers, switches, DHCP servers
Untrusted: other computers, unofficial DHCP servers
Switch watches for DHCP conversations
Creates a binding table (MAC, IP, VLAN, port)
Filters invalid IP and DHCP information
Static IPs
Devices acting as DHCP servers
Physical port security
The inside of your network is relatively insecure
We often spend our time protecting against the outside
Inside the network its easy to connect to the network
Dynamic ARP Inspection (DAI)
ARP is powerful and has no built-in security
Used to prevent those man in the middle attacks
Stops ARP poisoning at the switch level
Relies on DHCP snooping for intel
Intercepts all ARP requests and responses
Only allows valid information, drops all other packets
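Added example, not from the original notes: a model of an access switch that builds a DHCP snooping binding table and then uses it for Dynamic ARP Inspection, covering the rogue DHCP server, the static-IP host and the ARP poisoning case from the sections above. Port names, addresses and the message sequence are constructed.

```python
"""Added example, not from the original notes: a model of an access switch that
builds a DHCP snooping binding table and uses it for Dynamic ARP Inspection.
Port names, addresses and the message sequence are constructed; real switches
key bindings on MAC, IP, VLAN and port much like this."""
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    pending: dict = field(default_factory=dict)    # client MAC -> port that sent DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)   # client MAC -> (leased IP, access port)
    log: list = field(default_factory=list)

    def dhcp(self, port: str, msg: str, client_mac: str, yiaddr: str = None) -> bool:
        """Forward (True) or drop (False) a DHCP message. Server-side messages
        (OFFER/ACK) are only accepted from trusted ports; an ACK creates a binding."""
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port
            return True
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                self.log.append(f"drop rogue DHCP {msg} from {port}")
                return False
            if msg == "ACK" and client_mac in self.pending:
                self.bindings[client_mac] = (yiaddr, self.pending.pop(client_mac))
            return True
        return True

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI: on an untrusted port the sender MAC/IP pair must match a binding
        learned on that same port; anything else is dropped."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get(sender_mac) != (sender_ip, port):
            self.log.append(f"DAI drop on {port}: {sender_mac} claims {sender_ip}")
            return False
        return True


def scenario():
    """Constructed sequence: one legitimate lease, then three things snooping/DAI should stop."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})          # uplink toward the real DHCP server
    client = "aa:aa:aa:aa:aa:01"
    sw.dhcp("Gi0/1", "DISCOVER", client)
    sw.dhcp("Gi0/24", "OFFER", client, "10.0.0.10")
    sw.dhcp("Gi0/1", "REQUEST", client)
    sw.dhcp("Gi0/24", "ACK", client, "10.0.0.10")
    results = {
        "legit_arp": sw.arp("Gi0/1", client, "10.0.0.10"),
        # attacker on Gi0/2 answers ARP for the default gateway (ARP poisoning)
        "gateway_poison": sw.arp("Gi0/2", "bb:bb:bb:bb:bb:02", "10.0.0.1"),
        # attacker on Gi0/2 runs its own DHCP server
        "rogue_dhcp": sw.dhcp("Gi0/2", "OFFER", client, "10.0.0.50"),
        # host on Gi0/3 configured a static IP and never took a lease
        "static_ip_arp": sw.arp("Gi0/3", "cc:cc:cc:cc:cc:03", "10.0.0.77"),
    }
    return sw, results
```

The check in arp() is what the notes mean by "relies on DHCP snooping for intel": without the binding table DAI has nothing to compare against, which is also why statically addressed hosts need explicit ARP ACL entries on a real switch.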
MAC Address filtering
Collects the MAC addresses of all devices
MAC addresses are easily spoofed
Filters out MAC addresses that aren't the expected ones on the network
VLAN Assignments
Network segmentation
Each segment provides an opportunity for more security
Local resources are on each VLAN
Separation depends on the application
Security policies
Usually very formal, security from the beginning to end
Policies are often set by management
Protect from outside attack firewall, IPS
Policies against malware
Manage password security
User policies and training
Disable unneeded network services
Every network service opens a port
You have an open door somewhere
Each port is very specific
You should only expose service-specific information
Use secure protocols
SSH
Secure shell
Terminal sessions, use instead of telnet
SNMPv3
SFTP: SSH File Transfer Protocol
File transfer using SSH instead of FTP
SNMPv3: Simple Network Management Protocol
v3 added encryption and authentication
TLS/SSL transport layer security / secure sockets layer
HTTP over TLS is HTTPS
HTTPS
Secure version of HTTP
IPSec
Encrypts at the IP packet level
Access lists
Web/content filtering
Set of access lists that determines what is allowed/blocked
Corporate control of outbound and inbound data
Parental controls
Protection against known bad websites
Port filtering
IP Filtering
Implicit deny
If there isnt a specific rule that allows the traffic through the firewall, it will be denied
URL Filtering
Allow/restrict based on URL
Managed by category
Broad categorizations
Can have limited control
Often blind to encrypted (HTTPS) traffic unless TLS inspection is in place
Wireless security
WEP
Different levels of encryption key strength
64 bit keys or 128 bit keys
Cryptographic vulnerabilities identified in 2001
WPA
RC4 with TKIP
Larger initialization vector (IV) than WEP, plus a message integrity check (TKIP)
Every packet gets a unique key
A short-term workaround
WPA2
Only people with the password can transmit and listen
AES replaced RC4
CCMP replaced TKIP
Enterprise
Enterprise adds 802.1x
RADIUS server authentication
Personal
MAC Filtering
Limit access through the physical hardware address
Keep neighbors out
Additional administration with visitors
Very easy to spoof a MAC address
Security through obscurity
User authentication
CHAP/MSCHAP
Challenge-handshake authentication protocol
Encrypted challenge sent over the network
The Microsoft variant is MS-CHAP
3-way handshake
After the link is established, the server sends a challenge message
Client responds with a hash of the challenge and the shared secret
Server computes the same hash from its stored secret and compares
Challenge/response continues: the server periodically re-challenges during the session
Normally the credential is cached on the client so re-challenges are answered without prompting
By re-challenging it knows you are still who you say you are
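Added example, not from the original notes: the CHAP exchange of RFC 1994 (challenge, MD5 response over identifier + secret + challenge, success or failure) with periodic re-challenges, and why a captured response cannot be replayed against a later challenge. Secrets and challenge values are constructed.

```python
"""Added example, not from the original notes: the CHAP exchange of RFC 1994
(challenge, MD5 response over identifier + secret + challenge, success or
failure) with periodic re-challenges, and why a captured response cannot be
replayed against a later challenge. Secrets and challenges are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The server side: keeps the shared secret and issues fresh challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._identifier = 0
        self._challenge = None

    def challenge(self):
        self._identifier = (self._identifier + 1) % 256
        self._challenge = os.urandom(16)          # fresh, unpredictable value
        return self._identifier, self._challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        """Success only if the response is for the *current* challenge and identifier."""
        if self._challenge is None or identifier != self._identifier:
            return False
        expected = chap_response(identifier, self._secret, self._challenge)
        ok = hmac.compare_digest(expected, response)
        self._challenge = None                    # each challenge is single-use
        return ok


class ChapPeer:
    """The client side: never sends the secret, only the hash of it with the challenge."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_session(server_secret: bytes, client_secret: bytes, rechallenges: int = 2):
    """Initial authentication plus `rechallenges` re-authentications; list of results."""
    auth, peer = ChapAuthenticator(server_secret), ChapPeer(client_secret)
    results = []
    for _ in range(1 + rechallenges):
        ident, chal = auth.challenge()
        results.append(auth.verify(ident, peer.respond(ident, chal)))
    return results


def replay_attempt(secret: bytes):
    """An eavesdropper records one valid response and replays it to the next challenge."""
    auth, peer = ChapAuthenticator(secret), ChapPeer(secret)
    ident, chal = auth.challenge()
    captured = peer.respond(ident, chal)
    first = auth.verify(ident, captured)           # legitimate login succeeds
    ident2, _ = auth.challenge()                   # server re-challenges with a new value
    replayed = auth.verify(ident2, captured)       # stale response no longer matches
    return first, replayed
```

The point the notes make about re-challenging falls out of verify(): a response is only good for the one random challenge it answers, so capturing it buys the attacker nothing. The weakness that remains is that the authenticator must hold the plaintext secret, and an offline dictionary attack on a captured challenge/response pair is still possible if the secret is weak.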
PAP Password authentication protocol
A basic auth method
Used in legacy operations systems
PAP sends the password in the clear
Rare to see it nowadays
EAP: Extensible Authentication Protocol
An authentication framework
Many different ways to authenticate based on RFC standards
Most commonly used with WPA and WPA2
PEAP: Protected Extensible Authentication Protocol
Created by Cisco, Microsoft and RSA Security
Encapsulates EAP in a TLS tunnel; only one certificate, on the server
Kerberos
Network auth protocol
Authenticate once, trusted by the system
No need to reauthenticate to each service
Mutual authentication of the client and the server
Protects against man-in-the-middle and replay attacks
Developed at MIT in the 1980s; Kerberos v5 is specified in RFC 4120
MS started using it in Windows 2000
Based on the open Kerberos 5 standard
Compatible with other operating systems and devices
Multifactor Authentication
Two-factor authentication
Single sign-on (SSO)
Authenticate one time and gain access to everything
Many different methods of this
Kerberos authentication and authorization
Dont see this in smaller environments
Ex: logging in with google, facebook, etc
SSO with Kerberos
Authenticate one time
Lots of back end tickets
Get a ticket from a ticket granting service
No constant username and password input saving time!
Only works with Kerberos
Not everything is Kerberos friendly
Authentication factors
Something you know, like a password
Something you have, like a token generating a random number or a physical dongle
Somewhere you are, like geofencing
Something you are, biometrics
Something you do, performing a function like signing something
This can be expensive
Separate hardware tokens
Can be inexpensive
Free smartphone applications
Hashes
Takes a group of data and represents it as a short string of text (message digest)
NOT encryption, but a way to represent the data
This is a one-way trip; impossible to recover the original message
Used to store passwords
Keeps the stored password confidential: the plaintext is never stored
Used in digital signatures
Authentication, non-repudiation and integrity
Should not have collisions (hopefully)
MD5
Designed by Ronald Rivest
First published in April 1992
Replaced the MD4
128 bit hash
1996 vulnerabilities found
Not collision resistant
SHA
Developed by the NSA
Us federal information processing standard
SHA1
Widely used
160 bit digest
2005 collisions attacks published
SHA-2
Preferred SHA variant
Up to 512-bit digests
SHA1 is now retired for most govt use
SHA256
256 bits / 64 hex characters
3.4. Compare and contrast physical security controls
Mantraps
Variant 1: all doors are normally unlocked; opening one door causes the others to lock
Once you enter you have to close the door behind you before you can proceed
Variant 2: all doors are normally locked; unlocking one door prevents the others from being unlocked
One door open / others locked
One person at a time, or controlled groups
Network closets
If you can touch a device you can gain access
Stuff is normally locked up in a network closet
Maximized uptime and availability
Secure network connections
Temperature and humidity controls
Control and auditing
Access is limited
Log all entry and exit
Video monitoring
IP Cameras/CCTVs
Can replace physical guards
Camera properties are important
Focal length: shorter is a wider angle
Depth of field: how much is in focus
Illumination requirements: seeing in the dark
Most orgs have many different types of cameras
Networked together and recorded over time
Door access controls
Conventional lock and key
Deadbolt
Electric keyless locks
Token based: magnetic swipe card or proximity reader
Biometric: hand or retina
Multi-factor: smart card and PIN
Security guard
Person that is posted providing physical protection
Validated information of existing employees
Provides guest access
ID badge
Picture, name or other details
Must be worn at all times
Access list
3.5. Given a scenario, install, and configure a basic firewall
Types of firewalls
Host based
Software that is running on the system
Included in many operating systems
Stops unauthorized network access
Stateful firewalls stop unauthorized traffic
Blocks traffic by application
Network based
Filters traffic by port number
OSI layer 4 (TCP/UDP)
Some firewalls can filter through the application layer
VPN tunneling
Can encrypt traffic into/out of the network
Can proxy traffic
A common security technique
Firewall makes request to the internet on your behalf
Most firewalls can be layer 3 devices (routers)
Usually sits on the ingress/egresss of the network
Software vs hardware
Application aware/context aware
The OSI application layer
Can be called different names
Application layer gateway
Stateful multilayer inspection
Deep packet inspection
Requires some advanced decodes
Every packet must be analysed, categorized, and a security decision is determined
Can allow/disallow certain applications
Include an intrusion prevention system
Identify the application
Small office, home office (SOHO) firewall
Generally has reduced throughput requirements
Usually includes multiple functions
May not have advanced capabilities
Dynamic routing
Remote support
All-in-one security appliance
Unified threat management (UTM) / Web security gateway
URL filter / Content inspection
Malware inspection
Spam filters built in.
CSU / DSU
Stateful
Stateless
Settings/techniques
ACL
#access-list 1 deny 172.15.5.2 0.0.0.0
Cisco IOS standard ACL: the 0.0.0.0 wildcard mask matches only that host; because of the implicit deny at the end, a permit entry must follow or everything else is blocked too
Virtual wire vs routed
Virtual wire
Firewall doesn't act as a layer 2/3 device; it behaves like a repeater
Takes from one interface and puts it on another
Connect to network without changing the ip or configs
Layer 2 switched
Behaves like a physical switch on the network; the firewall acts as a switch
Layer 3 routed
Dont even need an external router
DMZ
Demilitarized zone an additional layer of security between the internet and you
Separating a network from the internal network
Implicit deny
Deny anything not included in the access list or security policy
Block/allow
Outbound traffic
Blacklist: allow all, stop only unwanted traffic
Whitelist: block all, only allow certain traffic types
Inbound traffic
Extensive filtering and firewall rules
Only allows required traffic
Use a DMZ to prevent access to internal network
Protects against attacks
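Added example, not from the original notes: an ordered access list evaluated the way a router or firewall does it (first match wins, implicit deny when nothing matches), using the wildcard-mask form of the access-list 1 line in the ACL section above and contrasting the blacklist and whitelist styles. Rules and sample packets are constructed.

```python
"""Added example, not from the original notes: an ordered access list evaluated
the way a router or firewall does it (first match wins, implicit deny when
nothing matches), using the wildcard-mask form of the notes' access-list 1
line. Rules and sample packets are constructed."""
import ipaddress

IMPLICIT_DENY = "deny"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: 0 bits must match, 1 bits are don't-care.
    0.0.0.0 means exactly one host, 255.255.255.255 means any."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


class AccessList:
    """Entries are (action, src, wildcard, proto, dport); proto/dport None = any."""

    def __init__(self, entries=()):
        self.entries = list(entries)

    def evaluate(self, pkt: dict) -> str:
        for action, src, wc, proto, dport in self.entries:
            if (wildcard_match(pkt["src"], src, wc)
                    and proto in (None, pkt["proto"])
                    and dport in (None, pkt.get("dport"))):
                return action                    # first match wins
        return IMPLICIT_DENY                     # nothing matched: implicit deny


ANY = ("0.0.0.0", "255.255.255.255")

# The notes' single line on its own: everything is denied, not just that host,
# because no permit entry precedes the implicit deny.
ACL_NOTES_ONLY = AccessList([("deny", "172.15.5.2", "0.0.0.0", None, None)])

# Blacklist style (outbound): block the one host, permit everything else.
ACL_OUTBOUND = AccessList([("deny", "172.15.5.2", "0.0.0.0", None, None),
                           ("permit", *ANY, None, None)])

# Whitelist style (inbound): permit only HTTPS, let the implicit deny handle the rest.
ACL_INBOUND = AccessList([("permit", *ANY, "tcp", 443)])


def sample_packets():
    """Constructed traffic to run through the lists."""
    return [
        {"name": "blocked_host", "src": "172.15.5.2", "proto": "tcp", "dport": 80},
        {"name": "other_host", "src": "10.0.0.5", "proto": "tcp", "dport": 80},
        {"name": "https_in", "src": "203.0.113.7", "proto": "tcp", "dport": 443},
        {"name": "ssh_in", "src": "203.0.113.7", "proto": "tcp", "dport": 22},
    ]


def run(acl: AccessList) -> dict:
    return {p["name"]: acl.evaluate(p) for p in sample_packets()}
```

Order matters as much as content: swapping the two entries of ACL_OUTBOUND would permit the blocked host, because the permit-any would match first.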
Firewall placement
Internal
Firewall is in the middle so if any traffic goes between switches, it goes through the
firewall
Segment off the core of the network
External
Firewall sits at the edge so the inside is protected from things on the external network
3.6. Explain the purpose of various network access control models
802.1x
Port based NAC
You dont get access until you authenticate
Used in conjunction with an access database
RADIUS
LDAP
TACACS+
Posture assessment
You can't trust everyone's computer
This started because of BYOD devices
These devices might have malware infections / missing anti-malware
Before it can gain access you perform a health check
Find out what the device is running: what kind of device, what OS, does it have antivirus?
Persistent agent: always installed
Permanently installed onto a system
Periodic updates may be required
Some use a non-persistent agent
No installation is required
Runs during the posture assessment
Terminates when no longer required
If the assessment fails you have a decision on what to do
Quarantine network
Just enough network access to fix the issue
Notify network administrators
Guest network
Network that allows you internet, but does not allow you to access the corporate network
Often wireless
Edge vs access control
Edge
Control at the edge of your network
Your internet link
Managed primarily through firewall rules
Firewall rules rarely change
Access control
Control from wherever you are
Inside or outside
Access can be based on many rules
Access can be easily revoked or changed
Change your security posture at any time
3.7. Summarize basic forensic concepts
First responder
Very specific tasks for the first person on the scene
Control the damage but DON'T disturb the environment
Follow the escalation policy
Keep everyone informed
Secure the area
All devices and data must be secured
Prevent changes, avoid damages
Store all equipment in a secure room
Dont power cycle the device
Escalate when necessary
Document the scene
Information is everywhere, dont disturb anything.
Take photos and document where things are
Inventory everything
Computers, external drives, flash memory cards
Document everything you can
eDiscovery
electronic discovery
handled differently than physical materials
recover data from a device, hidden, deleted, or encrypted
recover documents
Evidence/data collection
A computing device is constantly writing data
The process can alter or corrupt data
Contact a digital forensic expert
Bit-precise imaging becomes incredibly useful
An exact duplicate of a storage device
Chain of custody
Control evidence, maintains integrity
Everyone who contacts the evidence
Avoid tampering
Use hashes
Label and catalog everything
Data transport
Maintain data integrity
The validity of the data will be questioned
Data hashing to make sure nothing changed
Data encryption
Protect the data from others, transport without worry
Forensics report
Report will be provided to legal authorities
Identifying information
Reporting org, case #, investigator
Inventory of information
Detailed examination process
Conclusions
Legal hold
A legal technique to preserve relevant information
Prepare for impending litigation
Hold notification
Separate repository for electronically stored information (ESI)
Ongoing preservation
Once notified, there is an obligation to preserve data

4. Troubleshooting
4.1. Given a scenario, implement the following network troubleshooting methodology
Identify the problem
Gather information
Get as many details as possible
Duplicate the problem, if possible
Question users
Your best source of details
Identify symptoms
May be one or more symptoms
Determine if anything has changed
Formal change control?
Who's in the wiring closet?
Approach multiple problems individually
Break problems into smaller pieces
Establish a theory of probable cause
Question the obvious
Occams razor applies
Consider multiple approaches
Even the not-so-obvious
Top-to-bottom/bottom-to-top OSI Model
Start with easy theories
Divide and conquer
Test the theory to determine cause
Once the theory is confirmed, determine next steps to resolve the problem
If the theory is not confirmed, re-establish a new theory or escalate
Determine the next steps
Theory didnt work?
Re-establish new theory or escalate
Establish a plan of action to resolve the problem and identify potential effects
Build the plan
Correct the issue with minimum of impact
Some issues cant be resolved during production hours
Schedule a change control
Have multiple plans
Implement the solution or escalate as necessary
Fix the issue
Implement during the change control windows
Escalate as necessary
Verify full system functionality and if applicable implement preventive measures
Its not fixed until its really fixed
Implement preventive measures
Lets avoid them in the future
Document findings, actions, and outcomes
Its not over until you build the knowledgebase
Don't lose the valuable information
Extremely important
Document problem/fix
Consider a formal database
Help desk case notes
Searchable database
4.2 Given a scenario, analyze, and interpret the output of troubleshooting tools

a. Command line tools


i. Ipconfig/ifconfig
Most of your troubleshooting starts with your IP address
ipconfig on Windows
ifconfig on Linux/Unix
Determine TCP/IP and network adapter configuration
ii. Netstat
Network statistics
a. On many different operating systems
Netstat -a
a. Show all active connections
Netstat -b
a. Show the executable that created each connection (Windows)
Netstat -n
a. Do not resolve names
iii. Ping/ping6/ping -6
Uses ICMP
Determine if a device is reachable
Normally the first thing you would do
Written by Mike Muuss in 1983
iv. Tracert/tracert -6/traceroute6/traceroute -6
The exact route a packet takes between point A and point B
Takes advantage of the ICMP Time-to-Live Exceeded error message
a. The time in TTL refers to hops, not seconds or minutes
b. TTL=1 is the first router, TTL=2 is the second router
c. Each time the message comes back you can identify the next router
Not all devices will reply with ICMP Time exceeded messages
v. Nbtstat
NetBIOS over TCP/IP
a. Windows NetBIOS traffic
Windows utility for querying NetBIOS over TCP/IP
Nbtstat -n
a. List local NetBIOS names
Nbtstat -A <IP address> lists a remote machine's name table by IP address
Nbtstat -a <name> lists a remote machine's name table by name
vi. Nslookup and Dig
Look up information from DNS servers
Canonical names, IP addresses, cache timers
Nslookup
a. Both Windows and POSIX-based
b. Deprecated
Dig
a. More advanced domain information
b. Probably your first choice
c. Not installed by default on Windows
Arp
a. Determine a MAC address based on the IP address
b. Arp -a
c. View local ARP table
MAC address lookup table
a. Your switch knows where the MAC address lives
b. Every switch has a list of these addresses
c. Many third-party utilities can automate this
d. Good in big environments
Pathping
a. Combines ping and traceroute
b. First phase runs a traceroute
c. Second phase measures round trip time and packet loss at each hop
vii. Physical Testing Tools
Multimeter
a. AC Voltage
i. Check wall outlet voltage
b. DC Voltage
i. Power supply output
c. Continuity
i. Cable connectivity
Cable tester
a. Simple continuity test
b. Can identify missing pins
i. Or crossed wires
c. Not used for frequency testing
TDR/OTDR
a. Costly
b. Measuring light is a challenge
c. Very powerful tools
Light meter
Toner probe
a. Where does the wire go?
b. Tone generator
i. Puts an analog sound on the wire
c. Inductive probe
i. Doesn't need to touch the copper
Line testers
Certifiers
viii. Web-based troubleshooting
Speed test site
a. Test how much traffic you can push through an internet connection
b. Provide useful pre and post change analysis
c. Measure at different times of the day
d. Not all sites are the same
Looking glass sites
a. Routing table configuration is a challenge
b. Routing tables between ISPs are complex
c. Finding the right person is impossible
i. Looking glass servers make it easier
d. ISPs give you access to their looking glass sites
Wi-Fi Analyzer
ix. Protocol analyzer
Wired network
a. Capture and display network traffic
i. Packet by packet
b. Need a physical tap or redirect switch traffic
i. Not supported on all switches
Wireless packet analysis
a. Wireless networks are easier to monitor
b. Your device has to be quiet
i. You can't hear if you're transmitting
c. You'll need a specialized adapter/chipset and driver
d. You may be able to pull the Ethernet packets if you don't have the right chipset
4.3 Given a scenario, troubleshoot and resolve common network issues
a. Troubleshooting wireless signals
i. Wireless signals
Just like any other radio signal
Susceptible to interference
a. External sources mainly
b. Man made interference
Conflicts between other WAPs
ii. Signal loss
Interference
a. Something else is using our frequency
Signal strength
a. Transmitting signal, transmitting antenna, receiving antenna
AP might be set to the incorrect channel
a. Can be auto; or look for manual settings
Look at bounce and latency
Incorrect access point placement
a. Locate close to the users to fix this
iii. Interference/signal loss
Predictable
a. Fluorescent lights
b. Microwave oven
c. Cordless telephone
d. High-power sources
Unpredictable
a. Multi-tenant building: you don't quite know who is doing what
Measurements
a. Netstat -e
b. Performance monitor
iv. Overlapping channels
Mismatched channels
If someone starts transmitting on the frequency you are on, it will cause interference
v. Signal to noise ratio
There will always be some noise
Your goal is to have noise as low as possible
vi. Saturation
Device saturation
a. Too many devices on the network
Bandwidth saturation
a. Large data transfers
vii. Untested updates
Wireless firmware updates
a. Don't often happen
This can have dramatic changes on wireless performance
Compatibility with chipsets from other devices
b. Troubleshooting wireless configurations
i. Wrong SSID/SSID mismatch
You want them to connect to the correct AP
Avoid open networks
Can't seamlessly roam if the SSID is different
ii. Incompatibilities
Not every device uses the same connection type
iii. Power levels
Set the power level only as low as you need
iv. Rogue access point
Very easy to become your own network administrator
Someone can bring this in easily
v. Wrong antenna type
Do you need an omnidirectional or a directional antenna?
vi. Wrong encryption
WPA, WPA2, WPA2 enterprise
Encryption needs to be the same across devices
vii. Bounce
viii. MIMO
The quality of signal is very important
Helps to refine the signal and helps with large bandwidth
ix. AP Placement
x. AP Configuration
LWAPP
a. Cisco proprietary
b. Open standard: CAPWAP is an RFC standard, based on LWAPP
c. Manage multiple APs from one single place
Thin vs thick
a. Thick: the wireless AP is handling a lot of the tasks itself
i. Switch is not wireless-aware
b. Thin
i. Just enough to be 802.11 wireless
ii. The intelligence is in the switch
iii. Much less expensive
xi. Environmental factors
Materials make a difference
Concrete walls
a. 2.4GHz goes through walls better than 5GHz
b. Might be a good thing/bad thing
Window film
a. Specialized film can attenuate (decrease) the signal
Metal studs
a. Metal reflects the signal and reduces coverage/range
xii. Wireless standard related issues
Throughput
a. Maximum theoretical throughputs
b. Actual throughput may vary
Frequency
a. What frequencies are in use right now?
b. Which are the best?
Distance
a. A combination of antennas to give proper coverage
Channels
a. Make sure there are non-overlapping channels in use
4.4 Given a scenario, troubleshoot and resolve common copper cable issues
a. Copper Cables
i. Shorts/open
Short - Two connections are touching
Open - A break in the connection
May be difficult to find
a. Wire has to be moved in just the right way
b. Advanced troubleshooting with a TDR
Replace the cable with the short or open
ii. Wiring standards
Cables can foul up a good plan; test your cables
You need a cable mapping device to verify your pins on each side
Good idea to get a cable specialist
iii. T568A/B Termination
Pin assignments from EIA/TIA 568-
a. Eight conductor 100-ohm balanced twisted pair cabling
Generally you see T568A for horizontal cabling
Many orgs use only 568B
a. Difficult to change once implemented
Can't use different standards on one cable
iv. Crosstalk
Leaking of signal
Measure this with a cable tester
a. Signal on one circuit affects another circuit
i. In a bad way
Near end Crosstalk (NEXT)
a. Interference measured at the transmitting end (the near end)
Far end crosstalk (FEXT)
a. Interference measured at the far end, away from the transmitter
Related to the wiring normally
a. Maintain the twists in the wire
b. Cat 6a increases cable diameter, helps prevent crosstalk
b. Troubleshooting Signal Loss
i. Usually gradual: signal strength diminishes over distance
ii. Attenuation/dB loss - Loss of a signal as it moves through a medium
iii. Decibels (dB)
Signal strength ratio measurements
Logarithmic scale
3 dB = 2x the signal
iv. Calculating signal loss
Addition and subtraction
v. dB loss symptoms
no connectivity
intermittent connectivity
poor performance
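The dB arithmetic above (ratios are logarithmic, so losses along a run simply add and received power is transmit power minus loss) as an added worked example; this is not code from the notes, and every loss figure, transmit power and receiver sensitivity in it is a constructed placeholder rather than a value from any cable or optics specification.

```python
import math

# Added example: a link-budget calculator for a copper or fiber run.
# All loss figures below are constructed placeholders, not values from the notes
# or from any cable specification.

def db_from_power_ratio(p_out: float, p_in: float) -> float:
    """dB = 10 * log10(P_out / P_in). Halving the power gives about -3 dB."""
    return 10.0 * math.log10(p_out / p_in)

def power_ratio_from_db(db: float) -> float:
    """Inverse: +3 dB is roughly 2x the signal, -3 dB roughly half."""
    return 10.0 ** (db / 10.0)

def total_loss_db(length_km: float, loss_per_km_db: float,
                  splices: int, splice_loss_db: float,
                  connectors: int, connector_loss_db: float) -> float:
    """Because dB is logarithmic, the losses along a path simply add."""
    return (length_km * loss_per_km_db
            + splices * splice_loss_db
            + connectors * connector_loss_db)

def link_budget(tx_power_dbm: float, rx_sensitivity_dbm: float,
                loss_db: float, safety_margin_db: float = 3.0) -> dict:
    """Received power = transmit power - path loss (subtraction).
    Headroom is what remains above the receiver's minimum: negative headroom
    means no link at all, and headroom inside the safety margin is the classic
    source of intermittent connectivity and poor performance."""
    received = tx_power_dbm - loss_db
    headroom = received - rx_sensitivity_dbm
    if headroom < 0:
        verdict = "no connectivity"
    elif headroom < safety_margin_db:
        verdict = "intermittent or poor performance"
    else:
        verdict = "ok"
    return {"received_dbm": round(received, 2),
            "headroom_db": round(headroom, 2),
            "verdict": verdict}

if __name__ == "__main__":
    # Constructed 10 km run: 0.35 dB/km, four splices at 0.1 dB, two connectors at 0.5 dB.
    loss = total_loss_db(10, 0.35, 4, 0.1, 2, 0.5)   # 4.9 dB in total
    print(link_budget(tx_power_dbm=-3.0, rx_sensitivity_dbm=-20.0, loss_db=loss))
    # Same transmitter over a run with 20 dB of loss: below the receiver's floor.
    print(link_budget(-3.0, -20.0, 20.0))
```

The three verdicts map directly onto the dB loss symptoms listed above; when a run sits inside the safety margin, a single extra connector or a dirty end face is enough to tip it from "works" to "flaps".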
vi. Cable placement
Cables at the workstation are in the ceiling or the floor
Cables between floors are riser cables
Cables in the data center
a. Cable management is critical
Distance limitations must be considered
a. Follow the standards
Separate your fiber and copper
a. Copper bundles can crush the fiber
Install the highest category you can
a. Helps to future proof the cable
Centralize your wiring plan
vii. EMI/RFI
Cable handling
a. Don't twist
b. Don't pull/stretch
c. Watch your bend radius
d. Do not use staples or cable ties
e. EMI and interference with copper cables
i. Avoid power cords, fluorescent lights, electrical cables, and fire prevention components
f. Test after installation
c. Troubleshooting Network Cabling
i. No connection
Is the cable crimped? Link light?
Is the cable crimped or punched down incorrectly?
Swap the cable or replace the cable connector
ii. Slow throughput, it works but not well
You have a link light
Is the cable badly crimped or damaged?
Swap the cable, SFP, GBIC
iii. Intermittent connectivity
Check for link light flickering
Swap the cable
iv. Incorrect termination (mismatched standards)
Straight through
Crossover
v. Bad connector
vi. Bad wiring
vii. Split pairs
A common wiring mistake
A simple wire map would show it as normal
Performance will be impacted
a. Suffers from NEXT
It's all about the twist of the twisted pair
viii. TX/RX reverse
Wiring mistake
Made a crossover cable by accident
Easy to find with a wire map
Auto-MDIX might still connect
ix. Bad SFP/GBIC Cable or transceiver
4.5 Given a scenario, troubleshoot and resolve common fiber cable issues
a. Attenuation/DB Loss
i. Splices and terminations
Field terminated cables can have problems
Every time you terminate you lose some signal
ii. No scratches, no dirt
iii. Clean or reterminate
b. SFP/GBIC - Cable Mismatch
c. Bad SFP/GBIC Cable or transceiver
d. Wavelength mismatch
e. Dirty connectors connector mismatch
f. Bend radius limitations
i. Fiber is glass
You can break it
ii. The bend radius varies
Different cable designs have a different minimum bend radius
iii. Microbending
Deformations in the fiber
Pressure
iv. Macrobending
Light leaks through the cladding
g. Distance limitations
i. Signal decreases over distance
Must have enough light left at the end
The amount required is determined by the equipment
ii. Multi-mode fiber
Short distances
a. 600m
iii. Single mode fiber
Long distances
Many different communication methods
a. 100km
h. Troubleshooting fiber modules
i. Not all modules are created equally
ii. Check your fiber types
They all look the same
iii. Monitor your stats; CRC errors will be visible
i. Fiber mismatching
i. Core and cladding sizes are relatively standard
Fiber and frequencies must match equipment
j. Connector mismatch
i. A small difference will affect signal
4.6 Given a scenario, troubleshoot and resolve common network issues
a. Troubleshooting IP address Configuration
i. Incorrect IP Configuration/default gateway
Communicate to local IP addresses
a. But not outside subnet
No IP Communication
Communicate with some but not others
ii. Duplicate IP
Static address assignments can cause this
Intermittent connectivity
a. Two devices will fight with each other
Many OSs will block the address if it's a duplicate IP
Troubleshooting this
a. Check your IP Config
b. Ping an IP address before static addressing
i. Does it respond? Might be in use
c. Capture the DHCP Process
b. DNS and DHCP
i. DNS Issues
Web browsing doesn't work, so "the internet is broken"
Ping works, but the browser doesn't
Applications can't communicate
a. They often use names and not IP addresses
b. Troubleshooting
i. Check your IP Config
ii. Use nslookup or dig to test
ii. DHCP Issues
It's all automatic; we rarely even think about it
You can access local resources but not the internet
IP address shows the APIPA address
a. 169.254.X.X
Troubleshooting the DHCP Issues
a. Check the network connection
b. The DHCP Server may be having issues
i. The address pool may be full
c. DHCP Server may be down
i. Static IP addresses only
ii. Not likely
c. Broadcast storms/switching loops
i. Broadcast Storms
Some processes use broadcasts to communicate
Broadcast domain
a. A single VLAN
b. Broadcast domains are separated by routers
A large number of broadcasts can impact performance
Troubleshoot
a. Packet capture to identify the source
b. Research the process that's broadcasting
i. There may be another option
c. Separate the network into smaller domains
i. If you can't prevent the devices from broadcasting
ii. Switch Loops
STP is used to prevent this
Determine traffic by the MAC address
a. Every device has its own address
Broadcasts and multicasts are sent to all
Nothing at the MAC address level to identify loops
a. IP has a TTL
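The "packet capture to identify the source" step, and the point that Ethernet has no TTL to expose a loop, as an added example; this is not code from the notes. It runs over a constructed capture (the MAC addresses, frame counts and per-frame ids are made up) and reports which sources dominate the broadcast traffic and which frames keep reappearing unchanged, the symptom of a switching loop.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: each frame is a dict of source MAC, destination MAC and a
# per-frame id standing in for the payload (e.g. an IP identification field).
# These addresses and counts are made up for the example, not captured anywhere.
SAMPLE_FRAMES = (
    [{"src": "00:11:22:33:44:55", "dst": BROADCAST, "id": i} for i in range(20)]
    + [{"src": "00:aa:bb:cc:dd:01", "dst": BROADCAST, "id": 100}]
    + [{"src": "00:aa:bb:cc:dd:02", "dst": "01:00:5e:00:00:fb", "id": 200}]  # multicast
    + [{"src": "00:aa:bb:cc:dd:03", "dst": "00:11:22:33:44:55", "id": 300}]  # unicast
    + [{"src": "00:de:ad:be:ef:07", "dst": BROADCAST, "id": 7}] * 3          # same frame seen three times
)

def is_group_address(mac: str) -> bool:
    """Broadcast and multicast both set the low bit of the first octet (the I/G bit)."""
    return int(mac.split(":")[0], 16) & 1 == 1

def broadcast_counts(frames) -> Counter:
    """How many broadcast/multicast frames each source MAC sent."""
    counts = Counter()
    for frame in frames:
        if is_group_address(frame["dst"]):
            counts[frame["src"]] += 1
    return counts

def top_talkers(frames, share: float = 0.5):
    """Sources responsible for at least `share` of all group-addressed traffic:
    the first thing to look at when a capture shows a storm."""
    counts = broadcast_counts(frames)
    total = sum(counts.values())
    return [(mac, n) for mac, n in counts.most_common() if total and n / total >= share]

def loop_suspects(frames):
    """Ethernet frames carry no TTL, so a frame that keeps reappearing unchanged
    (same src, dst and id) points at a switching loop rather than a chatty host."""
    seen = Counter((f["src"], f["dst"], f["id"]) for f in frames)
    return sorted({src for (src, _, _), n in seen.items() if n > 1})

if __name__ == "__main__":
    print("broadcast frames per source:", broadcast_counts(SAMPLE_FRAMES))
    print("top talkers:", top_talkers(SAMPLE_FRAMES))
    print("loop suspects:", loop_suspects(SAMPLE_FRAMES))
```

A real capture would come from a SPAN port or tap (as in the protocol analyzer section), but the triage logic is the same: one host doing 80% of the broadcasting is a process to research; an identical frame seen again and again is a topology problem for STP to fix.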
d. Troubleshooting Interface Configurations
i. Poor throughput
ii. No connectivity
No link light
Link light and activity light
iii. Auto vs manual config
Instead of manually setting speed and duplex, the card auto-negotiates them
a. Personal preference
iv. Light Status
No light, no connection
Zero lights, no power
v. Speed setting might be mismatched; they must be the same
If this is wrong the link lights may never light up
vi. Duplex
If mismatched, speed will suffer
vii. VLAN configuration
Link light, but no sending
viii. Troubleshooting interfaces
Interface errors
a. May indicate bad cable or hardware problem
Verify configurations
a. Speed, duplex, VLAN
Verify two way traffic
a. End to end connectivity
e. Troubleshooting VLAN Assignments
i. VLAN problems
Not completely obvious to troubleshoot
No connectivity
a. Link light but can't ping
IP address in the wrong subnet
a. At least you know DHCP is working.
ii. Troubleshooting
Checking your documentation
a. Compare the switch configuration
Verify IP Addressing
a. Is the IP address on the correct subnet?
Confirm trunk configurations
a. Is the VLAN part of the trunk?
b. Is the switch port configured for a trunk on both sides?
f. Troubleshooting Network Connectivity
i. Simultaneous wired/wireless connections
A common configuration
Which connection should we be using?
Like using two wired connections, you can only use one
OS may prioritize internally
Check the routing table, it might not use the fastest connection
ii. Discovering neighboring devices/nodes
Useful for checking local connectivity
Check the default gateway
a. Always on your local subnet
Using ping to find other devices
g. Troubleshooting Mismatched MTUs
i. MTU Maximum transmission unit
Maximum IP packet to transmit without fragmentation
Fragmentation slows things down
a. Losing a fragment loses the entire packet
b. Requires overhead along the path
Difficult to know the MTU all the way through the path
a. Automated methods are often inaccurate
i. Filtered ICMP
ii. Troubleshooting MTU
MTU sizes are usually configured once
a. Based on the network infrastructure and don't change often
A significant concern for tunneled traffic
a. The tunnel may be smaller than your local Ethernet segment
What if you send packets with Don't Fragment (DF) set?
a. Routers will respond back and tell you to fragment
b. You might not get the ICMP message
Troubleshoot using ping
a. Ping with DF and force a maximum size of 1472 bytes
i. 1500 bytes - 8 byte ICMP header - 20 byte IP header = 1472
1. Windows: ping -f -l 1472 8.8.8.8
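The MTU procedure above, as an added example that is not code from the notes: it simulates a constructed path of per-hop MTUs, shows why automatic path MTU discovery returns nothing when a firewall filters the ICMP "fragmentation needed" messages, and then finds the real path MTU the manual way, with DF-set probes of varying size, exactly what the ping test above does by hand. The 24-byte tunnel overhead (outer IP plus GRE header) and the 192.0.2.1 target are assumptions for illustration.

```python
IP_HEADER = 20
ICMP_HEADER = 8

def ping_payload_for_mtu(mtu: int, tunnel_overhead: int = 0) -> int:
    """Largest ICMP echo payload that fits in one frame: MTU minus IP and ICMP
    headers, minus any tunnel encapsulation (an assumed GRE tunnel adds an outer
    20-byte IP header plus a 4-byte GRE header, so 24 bytes)."""
    return mtu - tunnel_overhead - IP_HEADER - ICMP_HEADER

class Path:
    """Constructed path: a list of per-hop MTUs. icmp_filtered simulates a firewall
    dropping the 'fragmentation needed' replies (a PMTUD black hole)."""
    def __init__(self, hop_mtus, icmp_filtered: bool = False):
        self.hop_mtus = hop_mtus
        self.icmp_filtered = icmp_filtered

    def send_df(self, packet_size: int):
        """Send one DF-set packet. Returns ('ok', None), ('frag_needed', next_hop_mtu)
        or ('timeout', None) when the ICMP error never comes back."""
        for mtu in self.hop_mtus:
            if packet_size > mtu:
                if self.icmp_filtered:
                    return ("timeout", None)
                return ("frag_needed", mtu)
        return ("ok", None)

def discover_pmtu(path: Path, start_mtu: int = 1500):
    """Classic automated PMTUD: start at the local MTU and follow each ICMP hint.
    Returns None when probes simply vanish, which is why the notes call the
    automated method inaccurate behind filtered ICMP."""
    size = start_mtu
    for _ in range(10):                       # bounded so a broken path can't loop forever
        status, hint = path.send_df(size)
        if status == "ok":
            return size
        if status == "frag_needed":
            size = hint
            continue
        return None
    return None

def probe_pmtu_with_ping(path: Path, low: int = 576, high: int = 1500) -> int:
    """Manual fallback: binary search with DF-set pings. A timeout is treated the
    same as 'too big', so this works even when every ICMP error is filtered."""
    if path.send_df(high)[0] == "ok":
        return high
    while high - low > 1:
        mid = (low + high) // 2
        if path.send_df(mid)[0] == "ok":
            low = mid
        else:
            high = mid
    return low

def ping_commands(payload: int) -> dict:
    """The equivalent DF-set ping invocations for a payload size (placeholder target)."""
    return {"windows": f"ping -f -l {payload} 192.0.2.1",
            "linux": f"ping -M do -s {payload} 192.0.2.1"}

if __name__ == "__main__":
    tunnel_path = Path([1500, 1400, 1500])           # middle hop is a smaller tunnel
    print("open ICMP:    ", discover_pmtu(tunnel_path))
    black_hole = Path([1500, 1400, 1500], icmp_filtered=True)
    print("filtered ICMP:", discover_pmtu(black_hole))
    print("manual probe: ", probe_pmtu_with_ping(black_hole))
    print(ping_commands(ping_payload_for_mtu(1500)))
```

On a real host the binary search is what you do by hand: keep shrinking the ping size until DF-set probes get through, then add 28 bytes of headers to get the path MTU.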
h. Troubleshooting NIC Teaming
i. NIC Fault tolerance
Load balancing / Failover (LBFO)
a. Aggregate bandwidth, redundant paths
b. Becomes more important in the virtual world
Multiple network adapters
a. Looks like a single adapter
b. Integrate with switches
NICs talk to each other
a. Usually a multicast instead of a broadcast
Link aggregation
a. Single device with multiple interfaces
b. Both interfaces connect to a single switch
c. Sends traffic along both lines
Fault-Tolerance
a. Connect the two interfaces with multiple switches
b. Similar to a mesh network
i. end-to-end connectivity
j. Power failure/power anomalies
k. NIC Teaming misconfiguration
i. Active-active vs active-passive
ii. Multicast vs broadcast
4.7 Given a scenario, troubleshoot and resolve common security issues
a. Troubleshooting Firewall Security Issues
i. Misconfigured firewall
Management interface
a. Check IP address, subnet mask, default gateway
Network configuration
a. Virtual wire, L2, L3
b. Confirm physical wiring
Routing tables
a. Always confirm the routes
Logging options
a. Local and syslog
b. Just as important
c. Where are the logs being written to?
ii. Misconfigured ACLs/applications
Traffic source and destination
a. Interface, IP address, Zone
NAT must be considered
a. Sometimes evaluated before the security policy
b. Sometimes after the security policy
Today's firewalls can control by application name
a. Twitter posting, Outlook, SharePoint
iii. Misconfigured security policies
Translate business requirements to the firewall
Protect the data, but allow important applications
Firewall security rules
a. Top down
Check the logs if you're having a problem getting traffic through
a. Usually an entry is made in the logs
Use your logical reasoning skills
a. Step through the security policies
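"Top down" and "step through the security policies" as an added example, not code from the notes or from any firewall vendor: a minimal first-match rule evaluator over a constructed rule set in which a broad deny placed above a specific allow silently shadows it, which is the most common reason traffic that "should" be allowed never gets through. The rule names, addresses and the prefix-length reordering are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def evaluate(rules, pkt: dict):
    """Top down, first match wins, implicit deny at the bottom. Returns (action, rule)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def trace(rules, pkt: dict):
    """The 'step through the policy' view: every rule consulted, in order, and whether
    it matched, stopping at the first hit. This is what to compare against the log entry."""
    steps = []
    for rule in rules:
        hit = rule.matches(pkt)
        steps.append((rule.name, hit))
        if hit:
            break
    return steps

def shadowed_rules(rules, sample_packets):
    """Rules that never fire for any sample packet because an earlier rule always wins."""
    hit = {evaluate(rules, p)[1] for p in sample_packets}
    return [r.name for r in rules if r.name not in hit]

def reorder_specific_first(rules):
    """One simple fix: more specific sources above broader ones (stable sort keeps
    the relative order of rules with the same prefix length)."""
    return sorted(rules, key=lambda r: ipaddress.ip_network(r.src).prefixlen, reverse=True)

# Constructed policy: the HTTPS allow for 10.1.0.0/16 sits below a deny for all of 10/8.
RULES_AS_CONFIGURED = [
    Rule("allow-dns", "allow", "10.0.0.0/8", "10.0.0.53/32", "udp", 53),
    Rule("block-internal-out", "deny", "10.0.0.0/8", "0.0.0.0/0", "any", None),
    Rule("allow-https", "allow", "10.1.0.0/16", "0.0.0.0/0", "tcp", 443),   # never reached
]

# Constructed test traffic (documentation-range addresses).
SAMPLE_PACKETS = [
    {"src": "10.1.5.5", "dst": "10.0.0.53", "proto": "udp", "dport": 53},
    {"src": "10.1.5.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    {"src": "10.9.9.9", "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], "->", pkt["dst"], evaluate(RULES_AS_CONFIGURED, pkt), trace(RULES_AS_CONFIGURED, pkt))
    print("shadowed:", shadowed_rules(RULES_AS_CONFIGURED, SAMPLE_PACKETS))
    fixed = reorder_specific_first(RULES_AS_CONFIGURED)
    print("after reorder:", [r.name for r in fixed], evaluate(fixed, SAMPLE_PACKETS[1]))
```

The trace output is the thing to line up against the firewall log: if the log names the broad deny for a flow the business expects to work, the fix is ordering, not a missing rule.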
b. Troubleshooting Operating System Security Issues
i. Patches
Incredibly important
a. System stability
b. Security fixes
Service packs
a. All at once
Happen in monthly updates
Emergency out-of-band updates
a. Zero-day and important security discoveries
ii. Update options
Windows update
Windows server update services (WSUS)
a. Centralized management for windows devices
Mac OS X software update
a. On the Apple menu or the App Store
Linux
a. Many different options
b. yum, apt-get, rpm, and others
iii. The patch process
Not always seamless
a. May need some planning and testing
May introduce other problems
a. The fix can cause another problem
You pick and choose what is more important
Often centrally managed
a. The update server determines when you patch
b. Efficiently manage bandwidth
iv. Malware
Malicious software can be very bad
Malware can gather information like keystrokes
Participates in a group (botnet)
a. Controlled over the internet
b. Under control of a bot herder
Adware just shows you advertising (big money)
Viruses and worms
a. Encrypt data, ruin your day
How you get malware
a. A trojan takes advantage of a vulnerability
i. Embeds spyware that includes a backdoor
ii. Bot is installed later
b. To start the process the computer has to run an executable
i. Email link
1. Don't click links
ii. Web page pop-up
iii. Drive-by download
iv. Worm
c. Your computer is vulnerable
i. Operating systems need to keep updated
ii. Applications need to stay updated
c. Troubleshooting Denial of Service
i. DoS
Force a service to fail by overloading the service
Take advantage of a design failure or vulnerability
a. This is why you need to keep everything updated
Can cause a system to be unavailable
a. Can be a competitive advantage
Create a smokescreen for some other exploit
a. Precursor to a DNS Spoofing attack
Doesnt have to be complicated
ii. DDoS
Launched attack from an army of computers to bring down a service
a. Use all the bandwidth or resources
This is why the bad guys have botnets
Asymmetric threat
a. The attacker probably has fewer resources than the victim
iii. Wireless DoS
Frequency jamming
a. Disrupt the spectrum
b. Rogue devices
Protocol vulnerabilities
a. Disrupt the 802.11 protocol
b. Flood the network with packets
c. Send 802.11 disassociation frames to everyone on the network
iv. Troubleshooting DoS
Difficult to prevent DoS
Stateful inspection can stop some traffic
Routers can drop traffic from the wrong interface
a. The source address should come from one particular place
Reputation-based filtering
a. Crowd-source your DoS mitigation
d. Troubleshooting ICMP and ARP
i. ICMP-related issues
Ping of death
a. Most normal pings are 64 bytes
i. Small and efficient
b. Send a ping greater than 65,536 bytes and crash the computer
i. Exploits a fragment reassembly bug
ii. Unreachable default gateway
An important local device
a. Always on your subnet
b. Should always be available
Ping the gateway
a. If it responds, there is at least connectivity
b. If it doesn't respond, check the IP
Ping the outside interface of the gateway
a. You should be able to route through the device
iii. ARP Issues
ARP will tell you who you are talking to
Local subnet devices only
a. ARP doesn't pass through routers
arp -a shows the Windows ARP cache
Compare the ARP cache with the physical MAC address
a. If they don't match, there is a potential security issue
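The "compare the ARP cache with the physical MAC address" check as an added example, not code from the notes: it parses a constructed sample of Windows arp -a output (the addresses are made up), compares each entry against a constructed inventory of known IP-to-MAC bindings such as you would pull from the switch MAC table or DHCP leases, and flags two symptoms worth a closer look: a cached MAC that disagrees with the inventory, and one unicast MAC answering for more than one IP address.

```python
import re

# Constructed sample of Windows `arp -a` output; not captured from a real host.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-77     dynamic
  192.168.1.10          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.11          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-77     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed inventory of known IP -> MAC bindings (e.g. from the switch MAC
# address table or the DHCP lease list). The gateway's real MAC is the first entry.
KNOWN_BINDINGS = {
    "192.168.1.1": "00:1a:2b:3c:4d:5e",
    "192.168.1.10": "aa:bb:cc:dd:ee:01",
    "192.168.1.11": "aa:bb:cc:dd:ee:02",
    "192.168.1.77": "aa:bb:cc:dd:ee:77",
}

# One cache line: IP address, MAC in either dash or colon form, then the entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")

def normalize_mac(mac: str) -> str:
    """Windows prints dashes, most inventories use colons; compare in one form."""
    return mac.lower().replace("-", ":")

def parse_arp_table(text: str) -> dict:
    """Map IP -> (mac, type) for every entry line; header and interface lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries[ip] = (normalize_mac(mac), kind)
    return entries

def is_unicast(mac: str) -> bool:
    """Broadcast/multicast MACs have the low bit of the first octet set; ignore those."""
    return int(mac.split(":")[0], 16) % 2 == 0

def find_mismatches(cache: dict, known: dict) -> dict:
    """Cached MAC differs from the inventory for the same IP: the notes' 'potential
    security issue' (or simply a replaced NIC, which the inventory should then reflect)."""
    return {ip: {"cached": mac, "expected": known[ip]}
            for ip, (mac, _) in cache.items()
            if ip in known and known[ip] != mac}

def find_shared_macs(cache: dict) -> dict:
    """One unicast MAC claiming several IPs. Legitimate for a router with secondary
    addresses, suspicious when one of the IPs is the default gateway."""
    by_mac = {}
    for ip, (mac, _) in cache.items():
        if is_unicast(mac):
            by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    cache = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print("mismatches:", find_mismatches(cache, KNOWN_BINDINGS))
    print("shared MACs:", find_shared_macs(cache))
```

In the constructed sample the gateway's cached MAC belongs to 192.168.1.77, so both checks fire on the same entry; the next step is to confirm the gateway's real MAC on the router itself and look at the switch port behind the other address.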
e. Troubleshooting Malicious User Activities
i. Malicious users
Trusted
Untrusted users
Packet sniffing/analysis
a. There is valuable information in the packets
b. Relatively difficult to get this information on a wired network
i. Switched traffic, very specific paths
c. Very easy to get on a wireless network
ii. Banner grabbing/OUI/TCP Ports
What service is running on a device
a. The banner might provide more information
b. Can find out the service, versions, manufacturer, and other details
i. Can research for known vulnerabilities
c. Give as little information as possible
i. Some header information is required
ii. Most headers can be modified
f. Troubleshooting Authentication issues
i. TACACS/RADIUS misconfigurations
There are many authentication points
a. Domain login, VPN login, application login
b. Single username/password
Single database to administer all of these
a. Access via TACACS or RADIUS
This works or it doesn't
a. Most issues are resolved during the initial setup
Common misconfigs
a. Incorrect auth database
b. Incorrect, expired, or locked credentials
c. Firewall restrictions or packet filtering
ii. Domain/local group configs
Associate users into a common group
Usually a formal process to add/remove users from a group
a. Formal tracking or change control process
b. The add/remove function may be limited
c. Part of the onboarding/offboarding process
Audit these groups constantly to make sure only the people who need to be there are in them
iii. Default passwords/settings
Every device has a default setting
Make sure people cannot use these
Change these defaults ASAP
iv. Improper access/backdoor access
Access the device, but not through the normal authentication process
Often placed on your computer through malware
Some software includes a backdoor
4.8 Given a scenario, troubleshoot and resolve common WAN issues
a. Troubleshooting WAN Issues
i. Physical Problems
Loss of internet connectivity
a. WANs are outside of your immediate control
b. Provider hardware failure, fiber cut
Interface errors
a. Hardware issue, bad fiber
b. Provider can run a loopback test
Interference
a. Copper cables in an environment with lots of RF
Latency
a. Takes time to get up to the satellite and back down.
ii. Configuration problems
Split horizon
a. Prevents routing loops
b. Routing advertisements are not sent out the interface where they were originally learned
DNS issues
a. DNS stops responding and the entire network can't resolve
b. A slow DNS resolver introduces delays
c. Always have multiple DNS options
Router configurations
a. WAN speeds match on both sides
b. Routing tables determine how we will transfer from one side to the other
b. Troubleshooting Customer Premise Equipment
i. Smart jack/NIU
Network interface unit (NIU)
a. The device that determines the Demarc
Smartjack
a. More than just a simple interface
b. Can be a circuit card in a chassis
Built in diagnostics
a. Loop back tests
Alarm indicators
a. Configuration, status
ii. Demarc
The point where you connect with the outside world
a. WAN provider
b. ISP
They are used everywhere, even at home
Usually in a central location in a building
You connect your CPE
a. Customer premises equipment or customer prem
iii. Loopback
iv. CSU/DSU
Channel Service Unit / Data Service Unit
a. Sits between the router and the circuit
CSU connects to the network provider
DSU connects to the data terminal equipment (DTE)
Could be a physical device or built into the router
v. Copper line drivers/repeaters
Extend the range of copper wire
a. Well beyond normal ranges
b. An extender
Serial links, copper ethernet
Powered device
a. Regenerates the signal
Good for troubleshooting
c. Company security policy
i. Traffic blocking policies
A security policy; every organization has a different philosophy
ii. Throttling
Allow traffic, but limit the speed
a. Controlled with firewalls, routers, QoS devices, etc
Allow YouTube but prioritize important apps
a. Mission critical applications will continue to work
iii. Blocking
What to block, and how to block it
URL, Application, username / group
Block everything, only allow certain traffic types
a. Requires a lot of admin
Allow everything, block only certain traffic types
a. Very common, but not as secure
iv. Fair access policy/utilization limits
Service providers should provide fair access to everyone
There are a small percentage of users who use the bulk of the bandwidth
