Week 1

The document provides an outline for a networking foundations course. Day 1 covers basic network design including the OSI model, switches, routers, and firewalls. It describes each layer of the OSI model in detail and common protocols used at each layer such as IP, TCP, UDP, Ethernet, and Wi-Fi. The course evaluation requires passing a final exam with a score of at least 50%.


XFSC-7011

NETWORKING FOUNDATION

DAY 1 – BASIC NETWORK DESIGN


COURSE OUTLINE
Day 1 Basic Network Design
OSI model
Switches
Routers
Firewalls
Day 2 Network Protocols
Protocols – UDP/TCP
DNS, ICMP
HTTP, SMTP
EVALUATION CRITERIA

CRITERIA % COMMENTS
FINAL EXAM 100 PASSING GRADE IS 50%

TOTAL 100
1. BASIC NETWORK DESIGN
OSI Model
The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes
and standardizes the communication functions of a telecommunication or computing system
without regard to its underlying internal structure and technology. Its goal is the interoperability
of diverse communication systems with standard communication protocols.

Layer Name Description Examples

Layer 7 Application End-User Layer HTTP, FTP, IRC, DNS

Layer 6 Presentation Syntax Layer SSL, IMAP, SSH, FTP, MPEG, JPEG

Layer 5 Session Sync & Send to port API, Sockets, WinSock

Layer 4 Transport End-to-end Connections TCP, UDP

Layer 3 Network Packets IP, ICMP, IPSec, IGMP

Layer 2 Data link Frames Ethernet, PPP, Switch, Bridge

Layer 1 Physical Physical structure Coax, Fiber, Hubs, Repeaters


OSI MODEL REVIEW – PHYSICAL LAYER – LAYER 1
Layer Name Description Examples

Layer 1 Physical Physical structure Coax, Fiber, Hubs, Repeaters

• Defines the electrical and mechanical requirements used to transmit the
information to and from systems across a given transmission medium: cable,
fiber or radio waves
• Defines “how much” and “how long” information is sent, but not what
information is transmitted
• Also defines how the information is sent: digital vs analog, baseband or
broadband, synchronous or asynchronous
• Security threats: wiretapping, interception,
hardware hacking, lock picking, physical access attacks
OSI MODEL REVIEW – DATA LINK LAYER – LAYER 2
Layer Name Description Examples

Layer 2 Data link Frames Ethernet, PPP, Switch, Bridge

• Adds the ability to handle physical addresses, framing, error handling and
messaging
• Contains the Logical Link Control (LLC) and Media Access Control (MAC) sublayers
• Frame: a container where data is placed in order to be transported
• Flow control: makes sure that the information sent does not exceed the capabilities
of the physical connection
• Supports the Address Resolution Protocol (ARP), which maps known IPv4
addresses to MAC addresses
• Security threats: Denial of Service (DoS), MAC spoofing, WEP cracking, active and
passive sniffing
OSI MODEL REVIEW – NETWORK LAYER – LAYER 3
Layer Name Description Examples

Layer 3 Network Packets IP, ICMP, IPSec, IGMP

• Handles the logical addressing and routing
• IPs are logical addresses: nonpersistent, assigned by software and
changed as needed
• Logical addresses are used to route traffic and to divide networks into segments
• Implemented mostly in software
• Security threats: route poisoning, DoS, ARP poisoning, MAC flooding,
fragmentation attacks (crafting datagram fragments that overlap each other)
OSI MODEL REVIEW – TRANSPORT LAYER – LAYER 4
Layer Name Description Examples

Layer 4 Transport End-to-end Connections TCP, UDP

• Offers the ability to have the data sent completely and correctly using error
recovery and flow control techniques
• Complements Layer 2 (Data link) by guaranteeing end-to-end delivery of the data
• Responsible for communications between host computers and ensures both the
sender and receiver are ready to initiate the data transfer
• Protocols:
• Transmission Control Protocol (TCP) – connection oriented, using handshaking,
acknowledgements, error detection and session tear down
• User Datagram Protocol (UDP) – connectionless; speed and low overhead
• Security threats: SYN attacks, port scanning, Denial of Service (DoS), service
enumeration, flag manipulation, buffer overflow
OSI MODEL REVIEW – SESSION LAYER – LAYER 5
Layer Name Description Examples

Layer 5 Session Sync & Send to port API, Sockets, WinSock

• Responsible for creation, termination and management of a given
communication
• When a communication between two points occurs, the Session Layer is
responsible for making sure the creation and destruction of the
connection occur properly
• Protocols: Remote Procedure Call (RPC), Secure Shell (SSH), Network File
System (NFS)
• Security threats: session hijacking, SYN (synchronize) attacks,
password attacks
OSI MODEL REVIEW – PRESENTATION LAYER – LAYER 6
Layer Name Description Examples

Layer 6 Presentation Syntax Layer SSL, IMAP, SSH, FTP, MPEG, JPEG

• Responsible for taking data that has been passed up from lower levels and
putting it into a format that Application layer programs can understand
• These common formats include American Standard Code for Information
Interchange (ASCII), Extended Binary-Coded Decimal Interchange Code
(EBCDIC), and American National Standards Institute (ANSI) character sets
• Gateway services allow sending data between two networks that use
different, otherwise incompatible, protocols
• Encryption and decryption happen at this layer
• Security threats: NetBIOS enumeration, clear text extraction, protocol attacks
OSI MODEL REVIEW – APPLICATION LAYER – LAYER 7
Layer Name Description Examples

Layer 7 Application End-User Layer HTTP, FTP, IRC, DNS

• Supports several services used by application software; it is the window
for application services
• Email programs, FTP, Telnet, web browsers, and office productivity
suites, as well as many other applications, exist at this layer
• Security threats: exploit code, application attacks, buffer overflows,
viruses, worms, Trojan horse programs and other malicious
applications
OSI MODEL REVIEW - ENCAPSULATION

Process of packaging information prior to transmitting it from one location to another.

Data passes from the Application Layer down to the Physical Layer and across the physical
medium; when received, the data passes back up through each layer, each one stripping its
own header.

Layer (TCP/IP)   What is handed to the layer below
Application      Data
Transport        UDP header | UDP data (the application data)
Internet         IP header | IP data (the UDP header and data)
Link             Frame header | Frame data (the IP header and data) | Frame footer


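As an added example (not from the course slides), here is the encapsulation above done in Python with the `struct` module: application data is wrapped in a UDP header, then an IPv4 header with its checksum computed, then an Ethernet II header, and the receiver unwraps it layer by layer, validating each header before trusting the next. The MAC addresses, IP addresses, ports and payload are constructed sample values; the Ethernet frame footer (FCS) is left to the NIC.

```python
# Added example (not from the course slides): encapsulate an application payload
# into a UDP datagram, then an IPv4 packet, then an Ethernet frame, and parse it
# back. Addresses, ports and the payload are constructed sample values.
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words. Over a header whose
    checksum field is zero this yields the checksum; over a header that already
    carries a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, src_port: int,
                dst_port: int, src_mac: str, dst_mac: str, ttl: int = 64) -> bytes:
    # Transport layer: UDP header = source port, destination port, length, checksum.
    # A zero UDP checksum means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Internet layer: 20-byte IPv4 header, no options. Version/IHL = 0x45,
    # identification 0x1234 (arbitrary), flags = Don't Fragment (0x4000).
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                         ttl, IPPROTO_UDP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # Link layer: Ethernet II header. The frame footer (FCS) is added by the NIC,
    # so it is omitted here.
    eth = struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def decapsulate(frame: bytes) -> dict:
    """Walk back up the stack, validating each layer before trusting the next."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    if proto != IPPROTO_UDP:
        raise ValueError("not UDP, protocol %d" % proto)
    if total_len > len(ip):
        raise ValueError("truncated packet")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("bad UDP length")
    return {
        "src_mac": mac_to_str(src_mac), "dst_mac": mac_to_str(dst_mac),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl, "src_port": src_port, "dst_port": dst_port,
        "payload": udp[8:udp_len],
    }


if __name__ == "__main__":
    frame = encapsulate(b"hello", "192.168.1.10", "192.168.1.20", 40000, 53,
                        "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02")
    print(len(frame), "bytes:", frame.hex())
    print(decapsulate(frame))
```

The IPv4 header checksum is what makes a tampered header byte fail before the UDP layer is ever looked at. The UDP checksum is left at zero, which IPv4 allows, so anyone extending this to rely on UDP integrity should add the pseudo-header checksum as well.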
OSI MODEL REVIEW – PACKETS

[Figure: how a packet of information flows through the seven layers as it travels from
one computer to another on the network.]
OSI MODEL REVIEW – COMMON PROTOCOLS
OSI Reference Model Layer Common Protocols and Applications

Layer 7 - Application BGP, DHCP, FTP, IMAP, MIME, NNTP, NTP, POP3, RADIUS, RDP, BitTorrent, SMTP, SOAP,
TELNET

Layer 6 - Presentation AFP, SSL, TLS

Layer 5 - Session L2TP, NETBIOS, NFS, RPC, SMB, SSH

Layer 4 - Transport ESP, TCP, UDP, SPX

Layer 3 - Network ICMP, IGRP, IPv4, IPv6, IPSec, GRE, OSPF, RIP

Layer 2 - Data Link ARP, FDDI, Frame Relay, L2TP, PPP, MAC, Token Ring, VLAN, Wi-Fi, X.25
Layer 1 - Physical Bluetooth, Ethernet physical layer, USB, Wi-Fi physical layer, DSL
TCP/IP: LAYER REVIEW

OSI Reference Model                             TCP/IP model

Layer 7 Application    End-User Layer           Layer 4 Application
Layer 6 Presentation   Syntax Layer             Layer 4 Application
Layer 5 Session        Sync & Send to port      Layer 4 Application
Layer 4 Transport      End-to-end Connections   Layer 3 Host-to-host
Layer 3 Network        Packets                  Layer 2 Network (Internet)
Layer 2 Data link      Frames                   Layer 1 Physical (Network Access)
Layer 1 Physical       Physical structure       Layer 1 Physical (Network Access)
PHYSICAL OR NETWORK ACCESS LAYER – LAYER 1
• The Physical or Network Access Layer uses the following devices: repeaters, hubs,
bridges, switches.
• Protocols: Address Resolution Protocol (ARP), Reverse Address Resolution
Protocol (RARP), Neighbor Discovery Protocol (NDP), Inverse Neighbor
Discovery (IND), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Protocol (PPP)
and Serial Line Internet Protocol (SLIP).
• arp -a – lists the ARP cache; entries learned from replies are dynamic and expire
• arp -s – adds a static entry; the host never broadcasts a request for that IP and a
dynamic reply does not overwrite the entry
• IPv6 doesn’t use ARP; it uses NDP: a Neighbor Solicitation (NS) is sent and a
Neighbor Advertisement (NA) is received. NDP is only more secure than ARP when
SEcure Neighbor Discovery (SEND) is deployed; by default the messages are still
unauthenticated clear text and can be spoofed just like ARP.
NETWORK OR INTERNET LAYER – LAYER 2

• The primary equipment is the router, which runs routing protocols like Routing
Information Protocol (RIP) and Open Shortest Path First (OSPF).
• Router characteristics:
• Do not forward broadcast packets
• Forward multicast packets (when configured for multicast routing)
• Highest latency
• Most flexibility
• Make forwarding decisions based on the destination IP
• Require configuration
• Can be configured statically – routing table created by the administrator – or
dynamically – a routing protocol (BGP, RIP, OSPF, EIGRP) uses a combination of
factors to determine the path to the destination
NETWORK OR INTERNET LAYER – LAYER 2
• [Figure: header of IPv4 vs IPv6]
NETWORK OR INTERNET LAYER – LAYER 2
• The most important protocol is IP – central role in addressing and routing; it also adds
information such as Time To Live (TTL) so packets can’t traverse the network forever –
each router decrements the TTL and discards the packet when it reaches zero
• IPv4 addresses are 4 byte (32 bit) numbers that are expressed in decimal, with 5
classes (by first octet):
• Class A 1-126 (0 is reserved; 127 is the loopback network)
• Class B 128-191
• Class C 192-223
• Class D 224-239 (multicast)
• Class E 240-255 (reserved)

• Private addresses (RFC 1918), not routable on the Internet:

• A 10.0.0.0 – 10.255.255.255 mask 255.0.0.0 (10.0.0.0/8)
• B 172.16.0.0 – 172.31.255.255 mask 255.240.0.0 (172.16.0.0/12)
• C 192.168.0.0 – 192.168.255.255 mask 255.255.0.0 (192.168.0.0/16)
HOST-TO-HOST - LAYER 3

TCP three-way handshake:
1. Request for connection: SYN
2. Response: SYN-ACK
3. Connection established: ACK
• Provides end-to-end delivery: segments data and adds checksums to make sure it was
transmitted without corruption. Delivery is done using TCP or UDP.
• TCP is a connection-oriented protocol that provides reliable data transmission –
it guarantees delivery using sequence and acknowledgment numbers.
• UDP is a connectionless transport protocol without any handshaking
process – less reliable but very fast – DNS uses UDP (and falls back to TCP for
large responses and zone transfers).
• The host-to-host layer needs security: Secure Sockets Layer (SSL), Transport Layer
Security (TLS), SOCKS, Secure RPC
APPLICATION LAYER - LAYER 4
• Maps to OSI layers 5-7; each service uses a port to direct traffic:
• Well known ports – 0-1023
• Registered ports – 1024-49151
• Dynamic ports – 49152- 65535
• Example:
• 21 FTP – Control
• 22 SSH Remote Login Protocol
• 23 Telnet
• 25 Simple Mail Transfer Protocol (SMTP)
• 53 Domain Name System (DNS)
• 80 HTTP
• 389 Lightweight Directory Access Protocol (LDAP)
• 443 HTTPS
TCP/IP
TCP - SOCKETS
TCP Socket states
LISTEN - Waiting for a connection request from a remote TCP application. This is
the state in which you can find the listening socket of a local TCP server.
SYN-SENT - Waiting for an acknowledgment from the remote endpoint after
having sent a connection request. Results after step 1 of the three-way TCP
handshake.
SYN-RECEIVED - This endpoint has received a connection request and sent an
acknowledgment. This endpoint is waiting for final acknowledgment that the other
endpoint did receive this endpoint's acknowledgment of the original connection
request. Results after step 2 of the three-way TCP handshake.
TCP - SOCKETS

ESTABLISHED - Represents a fully established connection; this is the normal state


for the data transfer phase of the connection.
FIN-WAIT-1 - Waiting for an acknowledgment of the connection termination
request or for a simultaneous connection termination request from the remote
TCP. This state is normally of short duration.
FIN-WAIT-2 - Waiting for a connection termination request from the remote TCP
after this endpoint has sent its connection termination request. This state is
normally of short duration, but if the remote socket endpoint does not close its
socket shortly after it has received information that this socket endpoint closed
the connection, then it might last for some time. Excessive FIN-WAIT-2 states can
indicate an error in the coding of the remote application.
TCP - SOCKETS
CLOSE-WAIT - This endpoint has received a close request from the remote endpoint
and this TCP is now waiting for a connection termination request from the local
application.
CLOSING - Waiting for a connection termination request acknowledgment from the
remote TCP. This state is entered when this endpoint receives a close request from the
local application, sends a termination request to the remote endpoint, and receives a
termination request before it receives the acknowledgment from the remote endpoint.
LAST-ACK - Waiting for an acknowledgment of the connection termination request
previously sent to the remote TCP. This state is entered when this endpoint received a
termination request before it sent its termination request.
TIME-WAIT - Waiting for enough time to pass to be sure the remote TCP received the
acknowledgment of its connection termination request.
CLOSED - Represents no connection state at all.
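As an added example (not part of the original slides), the script below reads the output format of the Linux `ss -tan` command, counts sockets per state and flags the two patterns the state descriptions above point at: many SYN-RECEIVED sockets on one port (half-open connections left behind by a SYN flood) and several FIN-WAIT-2 sockets toward one peer (the remote application is not closing its side). The `ss` output embedded in the script is constructed, not captured, and the thresholds are assumptions to be tuned per host.

```python
# Added example (not from the course slides): read `ss -tan` style output, count
# sockets per TCP state and flag SYN-RECV pile-ups (SYN flood signature) and
# lingering FIN-WAIT-2 sockets toward one peer. The sample output is constructed.
from collections import Counter, defaultdict

SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:22            0.0.0.0:*
LISTEN     0      4096   0.0.0.0:80            0.0.0.0:*
ESTAB      0      0      10.0.0.5:22           10.0.0.9:51514
ESTAB      0      0      10.0.0.5:80           10.0.0.23:40112
SYN-RECV   0      0      10.0.0.5:80           198.51.100.7:4021
SYN-RECV   0      0      10.0.0.5:80           198.51.100.8:4022
SYN-RECV   0      0      10.0.0.5:80           198.51.100.9:4023
SYN-RECV   0      0      10.0.0.5:80           203.0.113.1:2000
SYN-RECV   0      0      10.0.0.5:80           203.0.113.2:2001
SYN-RECV   0      0      10.0.0.5:80           203.0.113.3:2002
FIN-WAIT-2 0      0      10.0.0.5:8080         10.0.0.44:39001
FIN-WAIT-2 0      0      10.0.0.5:8080         10.0.0.44:39002
FIN-WAIT-2 0      0      10.0.0.5:8080         10.0.0.44:39003
TIME-WAIT  0      0      10.0.0.5:80           10.0.0.23:40100
"""


def split_addr(addr: str):
    """'10.0.0.5:80' -> ('10.0.0.5', '80'); IPv6 is shown as [::1]:80, so split on the last colon."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_ss(text: str):
    """Return one dict per socket line; the header line is skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state, recv_q, send_q, local, peer = fields[:5]
        lip, lport = split_addr(local)
        pip, pport = split_addr(peer)
        sockets.append({"state": state, "recv_q": int(recv_q), "send_q": int(send_q),
                        "local_ip": lip, "local_port": lport,
                        "peer_ip": pip, "peer_port": pport})
    return sockets


def state_counts(sockets) -> Counter:
    return Counter(s["state"] for s in sockets)


def find_anomalies(sockets, syn_recv_threshold: int = 5, fin_wait2_threshold: int = 3):
    """Thresholds are assumptions for the sample; tune them to the host's normal load."""
    alerts = []
    half_open = defaultdict(int)         # local port -> SYN-RECV count
    half_open_peers = defaultdict(set)   # local port -> distinct peer IPs
    fin_wait2 = defaultdict(int)         # peer ip -> FIN-WAIT-2 count
    for s in sockets:
        if s["state"] == "SYN-RECV":
            half_open[s["local_port"]] += 1
            half_open_peers[s["local_port"]].add(s["peer_ip"])
        elif s["state"] == "FIN-WAIT-2":
            fin_wait2[s["peer_ip"]] += 1
    for port, n in half_open.items():
        if n >= syn_recv_threshold:
            alerts.append(("possible SYN flood", port, n, len(half_open_peers[port])))
    for peer, n in fin_wait2.items():
        if n >= fin_wait2_threshold:
            alerts.append(("peer not closing (FIN-WAIT-2)", peer, n, None))
    return alerts


if __name__ == "__main__":
    socks = parse_ss(SAMPLE_SS_OUTPUT)
    print(state_counts(socks))
    for alert in find_anomalies(socks):
        print(*alert)
```

On a live host, replace `SAMPLE_SS_OUTPUT` with `sys.stdin.read()` and pipe `ss -tan` into the script. A SYN-RECV pile-up from many distinct peers on one port is the classic flood signature; the same count from a single peer is more likely a broken client.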
TCP - SOCKETS
[Figure: TCP socket state transition diagram]
IP

Internet Protocol (IP) is a network layer protocol responsible for delivering
packets to network devices.
The IP protocol uses logical IP addresses to refer to individual devices rather
than physical (MAC) addresses. Address Resolution Protocol (ARP) handles the
task of converting IP addresses to MAC addresses.
Because IP addresses consist of a network part and a host part, IP is a routable
protocol. As a result, IP can forward a packet to another network if the host isn’t
on the current network.
The capability to route packets across networks is where IP gets its name. An
internet is just a series of two or more connected TCP/IP networks that can be
reached by routing.
TCP
Transmission Control Protocol (TCP) is a connection-oriented transport
layer protocol. TCP lets a device reliably send a packet to another
device on the same network or on a different network. TCP ensures that
each packet is delivered, if possible, by establishing a connection with
the receiving device and then sending the packets. If a packet doesn’t
arrive, TCP resends the packet. The connection is closed only after the
packet has been successfully delivered or an unrecoverable error
condition has occurred.
TCP is always used for one-to-one communications. TCP allows a single
network device to exchange data with another single network device.
TCP isn’t used to broadcast messages to multiple network recipients.
UDP

User Datagram Protocol (UDP) is a connectionless transport layer
protocol used when the overhead of a connection isn’t required.
After UDP has placed a packet on the network (via the IP protocol),
it forgets about it. UDP doesn’t guarantee that the packet arrives at
its destination. Most applications that use UDP simply wait for any
replies expected as a result of packets sent via UDP. If a reply
doesn’t arrive within a certain period of time, the application either
sends the packet again or gives up.
IP ADDRESSES
IP addresses are usually represented in a format known as dotted-decimal
notation. In dotted-decimal notation, each group of eight bits - an octet - is
represented by its decimal equivalent.
Consider the following binary IP address:
11000000 10101000 10001000 00011100
In decimal:
192 168 136 28
IP ADDRESSES
The first four bits of the IP address are used to determine into which class a
particular address fits, as follows:
Class A: The first bit is zero.
Class B: The first bit is one, and the second bit is zero.
Class C: The first two bits are both one, and the third bit is zero.
Class D: The first three bits are all one, and the fourth bit is zero.
Class E: The first four bits are all one.


SUBNETTING
Subnetting is a technique that lets network administrators use the 32 bits available
in an IP address more efficiently by creating networks that aren’t limited to the
scales provided by Class A, B, and C IP addresses. With subnetting, you can
create networks with more realistic host limits.
Subnetting is used:
• to allocate the limited IP address space more efficiently.
• even if a single organization has thousands of network devices, operating all those devices
with the same network ID would slow the network

For performance reasons, networks are usually segmented into broadcast domains
that are smaller than even Class C addresses provide.
SUBNETTING

A subnet is a network that falls within a Class A, B, or C network.
SUBNET MASKS

The router must be told which portion of the host ID should be used for the subnet
network ID.
The IP address bits that represent the network ID are represented by a 1 in the
mask, and those bits that represent the host ID appear as a 0 in the mask. As a
result, a subnet mask always has a consecutive string of ones on the left, followed
by a string of zeros.
This is the mask used to subnet the class B network 144.28.0.0 into /20 subnets:
11111111 11111111 11110000 00000000
20 bits are ones, and the remaining 12 bits are zeros.
The complete network ID is 20 bits in length, and the actual host ID portion of the
subnetted address is 12 bits in length.
SUBNET MASKS
This is how you find the network ID from an IP address:
                  144 .      28 .      16 .      17
IP address:   10010000 00011100 00010000 00010001
Subnet mask:  11111111 11111111 11110000 00000000
Network ID:   10010000 00011100 00010000 00000000
                  144 .      28 .      16 .       0
The operation is a bitwise logical AND between the IP address and the subnet mask,
which extracts the network ID: 0 AND 0 = 0, 0 AND 1 = 0, 1 AND 1 = 1.
The subnet mask is 255.255.240.0.
NETWORK PREFIX NOTATION
Network prefix indicate how many bits of an IP address represent the network
ID. The network prefix is indicated with a slash immediately after the IP
address, followed by the number of network ID bits to use.
The IP address 144.28.16.17 with the subnet mask 255.255.240.0 can be
represented as 144.28.16.17/20 because the subnet mask 255.255.240.0 has
20 network ID bits.
Network prefix notation is also called classless interdomain routing notation
(CIDR, for short) because it provides a way of indicating which portion of an
address is the network ID and which is the host ID without relying on standard
address classes.
IP BLOCK PARTIES
A subnet can be thought of as a range or block of IP addresses that have a
common network ID.
The CIDR 192.168.1.0/28 represents a block of 16 addresses; 192.168.1.0 is the network
address and 192.168.1.15 the broadcast address, leaving the following 14 usable host addresses:
192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4
192.168.1.5 192.168.1.6 192.168.1.7 192.168.1.8
192.168.1.9 192.168.1.10 192.168.1.11 192.168.1.12
192.168.1.13 192.168.1.14
IP BLOCK PARTIES
What are the valid IP addresses for 192.168.1.100 when the subnet mask is
255.255.255.240? The first step is to determine the actual network ID. You can do that by
converting both the IP address and the subnet mask to binary and then extracting the network
ID:
                  192 .     168 .       1 .     100
IP address:   11000000 10101000 00000001 01100100
Subnet mask:  11111111 11111111 11111111 11110000
Network ID:   11000000 10101000 00000001 01100000
                  192 .     168 .       1 .      96
You calculate the number of usable hosts from the number of host bits the mask leaves:
2^(host bits) - 2, because the network address and the broadcast address cannot be
assigned to hosts. Here the mask leaves 4 host bits, so 2^4 - 2 = 14. (The shortcut of
subtracting the last octet of the mask from 254 gives the same result, 254 - 240 = 14,
but it only works for masks whose first three octets are 255.)
The first IP address: add 1 to the network ID: 96+1=97, i.e. 192.168.1.97
The last IP address: add the number of hosts to the network ID: 96+14=110, i.e. 192.168.1.110
(192.168.1.111 is the broadcast address of this subnet)
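The following is an added example, not from the course slides: the class lookup, logical AND, prefix and host-range calculations from the slides above, implemented on 32-bit integers so that they also work for prefixes such as /20 or /12 where the last-octet shortcut does not apply. The inputs are the slides' own addresses plus a few constructed ones; `RFC1918_BLOCKS` is the private range list from the earlier slide, and the /31 handling follows RFC 3021.

```python
# Added example (not from the course slides): class, mask and CIDR arithmetic on
# 32-bit integers. Addresses are the slides' examples plus constructed ones.

RFC1918_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def ip_to_int(ip: str) -> int:
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    n = 0
    for o in octets:
        n = (n << 8) | int(o)
    return n


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_class(ip: str) -> str:
    """Classful lookup from the leading bits of the first octet."""
    first = ip_to_int(ip) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def prefix_to_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Accept only masks that are a run of ones followed by zeros."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return prefix


def subnet_info(ip: str, mask_or_prefix) -> dict:
    prefix = mask_or_prefix if isinstance(mask_or_prefix, int) else mask_to_prefix(mask_or_prefix)
    mask = prefix_to_mask(prefix)
    addr = ip_to_int(ip)
    network = addr & mask                       # the logical AND from the slide
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits all ones
    host_bits = 32 - prefix
    if host_bits >= 2:
        # network and broadcast addresses are not assignable to hosts
        first, last, usable = network + 1, broadcast - 1, 2 ** host_bits - 2
    else:
        # /31 point-to-point links (RFC 3021) and /32 host routes use every address
        first, last, usable = network, broadcast, 2 ** host_bits
    return {
        "cidr": "%s/%d" % (int_to_ip(network), prefix),
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "usable_hosts": usable,
    }


def is_private(ip: str) -> bool:
    addr = ip_to_int(ip)
    return any(addr & prefix_to_mask(p) == ip_to_int(net) for net, p in RFC1918_BLOCKS)


if __name__ == "__main__":
    for ip, mask in (("144.28.16.17", "255.255.240.0"), ("192.168.1.100", 28)):
        info = subnet_info(ip, mask)
        print(ip, "class", ip_class(ip), "private" if is_private(ip) else "public", info)
```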
SWITCHES
A switch is a device in a computer network that connects other devices together.
Multiple data cables are plugged into a switch to enable communication
between different networked devices. Switches manage the flow of data across
a network by transmitting a received network packet only to the one or more
devices for which the packet is intended. Each networked device connected to a
switch can be identified by its network address, allowing the switch to direct the
flow of traffic maximizing the security and efficiency of the network. A network
switch is a multiport network bridge that uses MAC addresses to forward data
at the data link layer (layer 2) of the OSI model. Some switches can also
forward data at the network layer (layer 3) by additionally incorporating
routing functionality.
SWITCHES
Unmanaged switches have no configuration interface or options. They are plug and play. They
are typically the least expensive switches, and therefore often used in a small office/home
office environment.
Managed switches have one or more methods to modify the operation of the switch. Common
management methods include: a command-line interface (CLI) accessed via serial console, telnet
or Secure Shell, an embedded Simple Network Management Protocol (SNMP) agent allowing
management from a remote console or management station, or a web interface for management
from a web browser.
Smart switches are managed switches with a limited set of management features.
Likewise, "web-managed" switches are switches that fall into a market niche between
unmanaged and managed. They provide a web interface and allow configuration of basic
settings, such as VLANs, port-bandwidth and duplex.
Enterprise managed switches have a full set of management features, including CLI,
SNMP agent, and web interface. Enterprise switches have more features that can be customized
or optimized and are generally more expensive than smart switches. Enterprise switches are
typically found in networks with a larger number of connections, where centralized management
is a significant savings in administrative time and effort.
SWITCHES - VLANS

Transitioning from hubs to switched networks was a big improvement. These are
a few benefits: control over collisions, increased throughput, and the additional
features offered by switches.
Extensive flat topologies can create congested broadcast domains and can
involve compromises with security, redundancy, and load balancing.
These issues can be mitigated through the use of virtual local area networks, or
VLANs.
COLLISION DOMAIN
The Ethernet term collision domain refers to a network scenario wherein one
device sends a frame out on a physical network segment forcing every other
device on the same segment to pay attention to it.
BROADCAST DOMAIN

Broadcast domain refers to a group of devices on a specific network segment
that hear all the broadcasts sent out on that specific network segment.
SWITCHES - VLANS
All devices on a network (computers, printers, switching equipment, etc.)
generate broadcast and multicast frames that traverse the entire broadcast
domain, competing with data traffic for bandwidth. Much of this traffic is for
management of the network and includes protocols for address resolution (ARP),
dynamic host configuration (DHCP), spanning tree (STP), and an assortment of
Windows tasks.
SWITCHES - VLANS

A virtual local area network (VLAN) is a logical grouping of ports which is
independent of location. A single VLAN (and the nodes connected in a single
VLAN) will behave in the same way as if it was a separate Layer 3 network.
SWITCHES - VLANS

[Figure: the output of a show vlan command]
SWITCHES - VLANS

A VLAN operates in the same way as a Layer 3 IP-based network. Nodes on
the 192.168.1.0 network must go to the router when trying to communicate with
nodes on the 192.168.2.0 network even though all of the computers are
connected to the same switch. In order to communicate between VLANs, routing
functionality must be part of the topology.
SWITCHES - VLANS
Layer 3 functionality can now be leveraged on switches for additional security settings,
problem/traffic containment and load balancing.
Configuring a switch for multiple VLANs reduces the size of each broadcast domain.
Therefore the amount of overhead traffic is lower which reduces bandwidth competition
with data traffic. A node in a particular VLAN has less broadcast traffic. Since switch
forwarding behavior is based on MAC addresses stored in the source address table, the
following rules apply:
For known unicast destinations, the switch will forward the frame to the
destination port only.
For unknown unicast destinations, the switch will forward the frame to all active
ports except the originating port. This is called flooding.
For multicast and broadcast destinations, the switch will forward the frame to all
active ports except the originating port.
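The forwarding rules above, as an added example that is not part of the original slides: a small VLAN-aware learning switch in Python. Port numbers, VLAN IDs and MAC addresses are constructed; the source-address table is keyed by (VLAN, MAC), which is what keeps broadcasts and unknown-unicast floods inside one VLAN. The `max_entries` limit is an assumption added to show what MAC flooding (CAM table overflow, listed earlier as a Layer 2/3 threat) exploits: once the table is full, new stations are never learned, so traffic to them is flooded and visible on every port of the VLAN.

```python
# Added example (not from the course slides): a minimal simulation of the switch
# forwarding rules on a VLAN-aware switch. Ports, VLAN IDs and MACs are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Multicast/broadcast MACs have the least significant bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, port_vlan: dict, max_entries: int = 1024):
        self.port_vlan = dict(port_vlan)   # access port -> VLAN ID
        self.mac_table = {}                # (vlan, mac) -> port  (source address table)
        self.max_entries = max_entries     # assumed CAM capacity, for the MAC flooding demo
        self.flooded = 0                   # frames that had to be flooded

    def ports_in_vlan(self, vlan: int, exclude: int):
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != exclude)

    def receive(self, in_port: int, src_mac: str, dst_mac: str):
        """Return the list of egress ports for a frame entering on in_port."""
        vlan = self.port_vlan[in_port]
        key = (vlan, src_mac)
        # Learn the source, but only while the table has room: once an attacker has
        # filled it with bogus sources, legitimate stations are no longer learned.
        if key in self.mac_table or len(self.mac_table) < self.max_entries:
            self.mac_table[key] = in_port
        if is_group_address(dst_mac):
            self.flooded += 1
            return self.ports_in_vlan(vlan, exclude=in_port)   # broadcast/multicast: all VLAN ports
        out = self.mac_table.get((vlan, dst_mac))
        if out is None:
            self.flooded += 1
            return self.ports_in_vlan(vlan, exclude=in_port)   # unknown unicast: flood
        if out == in_port:
            return []                                          # destination is on the ingress port
        return [out]                                           # known unicast: single port


if __name__ == "__main__":
    sw = Switch({1: 10, 2: 10, 3: 20, 4: 20})
    print(sw.receive(1, "00:00:00:00:00:0a", "00:00:00:00:00:0b"))  # unknown: flood VLAN 10 -> [2]
    print(sw.receive(2, "00:00:00:00:00:0b", "00:00:00:00:00:0a"))  # learned on port 1 -> [1]
    print(sw.receive(3, "00:00:00:00:00:0c", BROADCAST))           # stays in VLAN 20 -> [4]
```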
SWITCHES - VLANS
The IEEE 802.1Q standard, often referred to as Dot1q, is the networking standard
that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network:
VLANs are supported over all IEEE 802 LAN MAC protocols, over shared
media LANs as well as point-to-point LANs.
VLANs facilitate easy administration of logical groups of stations that
can communicate as if they were on the same LAN. They also facilitate easier
administration of moves, adds, and changes in members of these groups.
Traffic between VLANs is restricted. Switches forward unicast, multicast,
and broadcast traffic only on LAN segments that serve the VLAN to which the
traffic belongs.
VLANs maintain compatibility with existing switches and end stations.
SWITCHES - VLANS
VLAN good practices to follow that will help reduce exposure to security risk and protect
network resources:
Wireless should be in its own VLAN. Since wireless is a shared media, all broadcast
and much of the multicast traffic coming from the switch will be shared as well. In addition, any
flooded unicast traffic will be seen by all wireless nodes. Creating a VLAN for wireless nodes
narrows the traffic that they can see. In addition, a potential attack via wireless will have a
boundary to cross before reaching other portions of the network.
VoIP elements should also be in their own VLAN. This is as much for quality of service
as it is for protection. Anytime real time voice traffic has to compete for bandwidth, there is the
potential for performance degradation. Security concerns are to some extent relieved by the
VLANs as well. Tools such as Wireshark can not only capture but decode and play voice traffic
so it is important to keep voice traffic separated wherever possible.
Other important network devices such as servers or even users of sensitive data should
be placed in their own VLANs. In addition to the reasons already stated, many vendors have
features that allow the creation of VLAN specific security and QoS policies.
SWITCHES - VLANS

To be able to connect multiple VLANs across multiple switches you have to use a trunk
line. The primary use of a trunk line in a data network is to convey VLAN information.

When a trunk line is installed, a trunking protocol is used to modify the Ethernet frames
as they travel across the trunk line.
SWITCHES - VLANS
By default, all ports are called “access ports.” This describes a port used by a
computer or other end node to “access” the network.
When a port is used to interconnect switches and convey VLAN information, the
operation of the port is changed to a trunk.
On the trunk ports, a trunking protocol is run that allows the VLAN information to
be included in each frame as it travels over the trunk line. For configuration,
there are generally two steps: converting the port to trunk mode and
determining the encapsulation (trunking protocol) to be used.
SWITCHES - SPANNING TREE
The basic problem is that at Layer 2, Ethernet does not have any ability to
remove continuously circulating frames or prevent loops. Unlike IP, which has a
time to live (TTL) field, Ethernet devices such as hubs and switches will simply
continue to forward frames even when a loop is present.
SWITCHES - SPANNING TREE
Spanning tree requires that switches send out frames called bridge protocol data
units (BPDUs) and the information contained within these BPDUs is received and
processed by neighboring switches.
There are three sections to the BPDU: protocol details, fields specific to the
comparison algorithm, and the timer values. The purpose of spanning tree is to eliminate
loops by automatically blocking ports on the network. It figures out which ports to
block through the comparison algorithm. The comparison algorithm uses up to four
fields, in order, to make the comparison (lower wins): root identifier, root path cost,
bridge identifier (transmitting bridge/switch), and the port identifier (transmitting port).
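As an added example (not from the slides): the four-field comparison run to convergence on a constructed three-switch triangle. Each bridge starts by advertising itself as root, then keeps the best BPDU it hears on any link, compared field by field as a tuple: root identifier, root path cost, sending bridge identifier, sending port identifier (lower wins). Bridge identifiers are (priority, MAC); port identifiers are simplified to the link's index on that bridge and one link per pair of bridges is assumed; link costs, MACs and priorities are sample values, and the timers are left out.

```python
# Added example (not from the course slides): BPDU comparison and port roles on a
# constructed topology. Bridge IDs are (priority, MAC); port IDs are the link's
# 1-based index on that bridge; one link per bridge pair; no timers.

def run_stp(bridges: dict, links: list):
    """bridges: name -> (priority, mac); links: [(a, b, cost), ...], undirected.
    Returns (root bridge name, roles) where roles[bridge][peer] is the role of the
    port on `bridge` that faces `peer`: 'root', 'designated' or 'blocked'."""
    bid = {name: (priority, mac) for name, (priority, mac) in bridges.items()}
    # Port identifier: 1-based index of the link on that bridge, in list order.
    port = {}
    for a, b, _ in links:
        for me, peer in ((a, b), (b, a)):
            port[(me, peer)] = 1 + sum(1 for k in port if k[0] == me)
    # Best BPDU each bridge holds: (root id, root path cost, sender id, sender port).
    # Initially every bridge advertises itself as root at cost 0.
    best = {n: (bid[n], 0, bid[n], 0) for n in bridges}
    root_port = {n: None for n in bridges}
    changed = True
    while changed:                      # exchange BPDUs until nothing improves
        changed = False
        for a, b, cost in links:
            for me, peer in ((a, b), (b, a)):
                root, path_cost, _, _ = best[peer]
                # what `peer` sends on this link; the receiver adds the link cost
                offered = (root, path_cost + cost, bid[peer], port[(peer, me)])
                if offered < best[me]:  # tuple order = the four-field comparison
                    best[me] = offered
                    root_port[me] = peer
                    changed = True
    roles = {n: {} for n in bridges}
    for a, b, _ in links:
        for me, peer in ((a, b), (b, a)):
            mine = (best[me][0], best[me][1], bid[me], port[(me, peer)])
            theirs = (best[peer][0], best[peer][1], bid[peer], port[(peer, me)])
            if root_port[me] == peer:
                roles[me][peer] = "root"           # path toward the root bridge
            elif mine < theirs:
                roles[me][peer] = "designated"     # this end forwards for the segment
            else:
                roles[me][peer] = "blocked"        # the loop is broken here
    root_name = min(bridges, key=lambda n: bid[n])
    return root_name, roles


if __name__ == "__main__":
    bridges = {"S1": (4096, "00:00:00:00:00:01"),
               "S2": (32768, "00:00:00:00:00:02"),
               "S3": (32768, "00:00:00:00:00:03")}
    links = [("S1", "S2", 4), ("S1", "S3", 4), ("S2", "S3", 4)]
    root, roles = run_stp(bridges, links)
    print("root bridge:", root)
    for name in sorted(roles):
        print(name, roles[name])
```

On the triangle, S2 and S3 both reach the root at cost 4, so the S2-S3 link is decided by the third field: S2 has the lower bridge identifier, so its port becomes designated and S3's port is blocked. Lowering S3's priority to 0 makes S3 the root regardless of its higher MAC, which is exactly what an attacker with a rogue switch sending low-priority BPDUs does and why BPDU guard exists on access ports.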
SWITCHES - SPANNING TREE
On a freshly powered-on switch all ports start out in the “blocked” state. Movement between
states is governed by a forwarding delay timer.
Blocked
A port in this state can receive but not transmit BPDUs. It does not transmit or forward data
frames. A port in this state may actually begin forwarding depending on the STP information
received (or not received) from neighboring bridges.
Listening
This is the first transitional state and is entered when spanning tree detects that the port may
have to participate in data frame forwarding. The port will receive and process BPDUs but does
not forward data frames. In this state, ports begin sending BPDUs.
Learning
This state is similar to listening except that the port and switch now understand the topology and
are preparing to forward data frames. The port will continue to receive and process BPDUs.
ARP

Communication on a network is accomplished by sending data at layer three
using a network layer address, but the actual transmission of that data occurs at
layer two using a data link layer address. This means that every device with a
fully-specified networking protocol stack will have both a layer two and a layer
three address. It is necessary to define some way of being able to link these
addresses together. Usually, this is done by taking a network layer address and
determining what data link layer address goes with it. This process is called
address resolution.
ARP
The most important distinction between layer 2 and layer 3 types of addresses
is the distinction between layers two and three themselves: layer two deals with
directly-connected devices (on the same network) while layer three deals with
indirectly-connected devices (as well as directly-connected).
While we can virtually connect devices at layer three, these connections are
conceptual only. When you send a request using IP, it is sent one hop at a time,
from one physical network to the next. At each of these hops, an actual
transmission occurs at the physical and data link layers. When your request is
sent to your local router at layer three, the actual request is encapsulated in a
frame using whatever method you physically connect to the router, and passed
to it using the router's data link layer address.
ARP
The basic problem is that IP addresses are too high level for the physical
hardware on networks to deal with; it doesn't understand what they are. When
your request shows up at the router that connects to a web site, it can see the
web site server's IP address, but that isn't helpful: it needs to send to the server's
MAC address. Even if the web server is located next to the client, the
communication is logically at the IP layer, but must also be accomplished at the
data link layer. This means we need a way of translating between the
addresses at these two layers, and this is address resolution.
ARP
A client accessing a web server (figure)
ARP
Address resolution can be accomplished in two ways:
Direct Mapping: A formula is used to map the higher-layer address into the
lower layer address. This is the simpler and more efficient technique, but has
some limitations, especially regarding the size of the data link layer address
compared to the network layer address.
Dynamic Resolution: A special protocol is used that allows a device with only an
IP address to determine the corresponding data link layer address, even if they
take completely different forms. This is normally done by interrogating one or
more other devices on a local network to determine what data link layer
address corresponds to a given IP address. This is more complex and less
efficient than direct mapping but is more flexible.
ARP
Address Resolution Through Direct Mapping
Direct mapping chooses a scheme for layer two and layer three addresses so
that you can determine one from the other using a simple algorithm. This
enables you to take the layer three address, and follow a short procedure to
convert it into a layer two address. In essence, whenever you have the layer
three address you already have the layer two address.
As an example, we can set up an IP network on such a LAN by taking a class C (or /24) network and using the data link layer address as the last octet. So, if our network were, for example, 198.168.33.0/24, we could assign the device with address #1 the IP address 198.168.33.1, the device with address #29 would be 198.168.33.29, and so forth.
ARP
Dynamic Address Resolution
Device A needs to send data to Device B but knows only its IP address ("IPB"),
and not its hardware address. A broadcasts a request asking to be sent the
hardware address of the device using the IP address "IPB". B responds back to
A directly with the hardware address.
There is no need for any specific relationship between the network layer
address and the data link layer address; they can have a completely different
structure and size.
ARP
The most important address resolution protocol is the TCP/IP protocol bearing
the same name as the technique itself: the Address Resolution Protocol (ARP).
ARP is a full-featured dynamic resolution protocol used to match IP addresses to
underlying data link layer addresses. Originally developed for Ethernet, it has
now been generalized to allow IP to operate over a wide variety of layer two
technologies.
It works by allowing an IP device to send a broadcast on the local network,
requesting that another device on the same local network respond with its
hardware address.
ARP
This basic operation is supplemented by methods to improve
performance. Since it was known from the start that having to
perform a resolution using broadcast for each datagram was
inefficient, ARP has always used a cache, where it keeps bindings
between IP addresses and data link layer addresses on the local
network. Refinements and additional features, such as support for
cross-resolution by pairs of devices as well as proxy ARP, have also
been defined over the years and added to the basic ARP feature
set.
ARP
ARP Address Specification and General Operation
An Address Resolution Protocol transaction begins when a source device on an IP
network has an IP datagram to send. It must first decide whether the destination
device is on the local network or a distant network. If the destination is local, it
will send directly to the destination; if the destination is distant, it will send the
datagram to one of the routers on the physical network for forwarding. Either
way, it will determine the IP address of the device that needs to be the
immediate destination of its IP datagram on the local network. After packaging
the datagram it will pass it to its ARP software for address resolution.
ARP
General Operation (figure)
ARP
Initial broadcast ARP packet (figure): source IP 10.10.0.10 with MAC 0030:F2E7:8D40 broadcasts to the switch; the target IP is 10.10.0.1.
ARP
The switch sends the broadcast across all active ports (figure).
ARP
The broadcast reaches the destination and the reply packet is sent (figure): source IP 10.10.0.1, MAC 00D0:5800:7C54; destination IP 10.10.0.10, MAC 0030:F2E7:8D40.
ARP
Checking whether the information was stored (cached), as shown in the figures: on the switch, on the source PC, and on the destination.
ARP
Using the arp Command
Using the arp command allows you to display and modify the Address Resolution Protocol (ARP) cache, which is a simple mapping of IP addresses to MAC addresses. Each time a computer's TCP/IP stack uses ARP to determine the Media Access Control (MAC) address for an IP address, it records the mapping in the ARP cache so that future ARP lookups go faster.
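The exchange on the slides, as an added example that is not part of the course material: the request and reply are built and parsed as raw RFC 826 ARP packets, and each host keeps the kind of IP-to-MAC cache that the arp command displays. The host objects and helper functions are assumptions made here; the addresses are the ones on the slides.

```python
import struct
from dataclasses import dataclass, field

# Added example (not course material): the ARP request/reply from the slides,
# built and parsed as raw RFC 826 packets, each host keeping an ARP cache.
# Slide values: PC 10.10.0.10 / 0030:F2E7:8D40, router 10.10.0.1 / 00D0:5800:7C54.

ARP_REQUEST, ARP_REPLY = 1, 2
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    """Accept slide notation 'AABB:CCDD:EEFF' as well as 'aa:bb:cc:dd:ee:ff'."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(digits)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return bytes(octets)


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def pack(self) -> bytes:
        # Fixed header: htype, ptype, hlen, plen, oper; then SHA, SPA, THA, TPA.
        header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, self.op)
        return (header + mac_to_bytes(self.sender_mac) + ip_to_bytes(self.sender_ip)
                + mac_to_bytes(self.target_mac) + ip_to_bytes(self.target_ip))

    @classmethod
    def unpack(cls, raw: bytes) -> "ArpPacket":
        if len(raw) < 28:
            raise ValueError("ARP packet too short")
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", raw[:8])
        if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        return cls(op, bytes_to_mac(raw[8:14]), bytes_to_ip(raw[14:18]),
                   bytes_to_mac(raw[18:24]), bytes_to_ip(raw[24:28]))


@dataclass
class ArpHost:
    ip: str
    mac: str
    cache: dict = field(default_factory=dict)  # IP -> MAC, what 'arp -a' shows

    def request(self, target_ip: str) -> bytes:
        # The target MAC is unknown, so it is sent as zeros; the Ethernet frame
        # carrying it goes to the broadcast address and reaches every switch port.
        return ArpPacket(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip).pack()

    def receive(self, raw: bytes):
        """Process one ARP packet; return a reply (bytes) for a request to us, else None."""
        pkt = ArpPacket.unpack(raw)
        if pkt.target_ip != self.ip:
            return None  # addressed to someone else: ignored
        self.cache[pkt.sender_ip] = pkt.sender_mac  # learn the sender's binding
        if pkt.op == ARP_REQUEST:
            return ArpPacket(ARP_REPLY, self.mac, self.ip, pkt.sender_mac, pkt.sender_ip).pack()
        return None


def run_exchange():
    """Replay the slide exchange and return both hosts' ARP caches."""
    pc = ArpHost("10.10.0.10", "0030:F2E7:8D40")
    router = ArpHost("10.10.0.1", "00D0:5800:7C54")
    broadcast = pc.request("10.10.0.1")  # flooded by the switch to all active ports
    reply = router.receive(broadcast)    # only the target answers, directly to the PC
    pc.receive(reply)
    return {"pc": pc.cache, "router": router.cache}


if __name__ == "__main__":
    for host, cache in run_exchange().items():
        print(host, cache)
```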
ARP (figure)
Windows Server Firewall (figure)
ROUTING - ROUTING INFORMATION PROTOCOL
The Routing Information Protocol, or RIP, is an interior, distance vector protocol for small networks. RIP is a routing protocol that uses table exchange to update neighboring routers. Each router sends its own routing table out of its active interfaces via the User Datagram Protocol (UDP). Routers receiving the information decide whether or not to update their own tables. Routers use the source IP address in the IP packet as the forwarding router. RIP internetworks are limited in size to 15 hops. This means that as far as RIP is concerned, 16 is infinity or unreachable. Each network that is crossed has a value of 1 hop. This hop count is the "metric" used by RIP to measure distance.
ROUTING - ROUTING INFORMATION PROTOCOL
Routing Information Protocol (RIP) Version 2 (RIPv2) supports authentication, key management, route summarization, classless interdomain routing (CIDR), and variable-length subnet masks (VLSMs). RIPv1 does not support authentication.
There are two modes of authentication on an interface on which RIP is enabled: plain-text authentication and message digest algorithm 5 (MD5) authentication. Plain-text authentication is the default authentication in every RIPv2 packet.
Do not use plain-text authentication in RIP packets for security purposes, because the unencrypted authentication key is sent in every RIPv2 packet.
ROUTING
A router is a device that works at layer 3 of the OSI Reference Model. Layer 3 is the network layer, which means that layer 3 is responsible for exchanging information between distinct networks: connecting two or more networks so that packets can flow between them.
When a router receives a packet from one network that is destined
for a device on another network, the router determines the best way
to get the packet to its destination.
ROUTING
A router provides several important functions in order to ensure proper packet
forwarding, and to do so in an efficient manner.
A router is a specialized computer that handles three primary functions:
Packet Forwarding: On receiving an incoming packet, a router checks
whether the packet is error free. After inspecting the header of a packet for the
destination address, it performs a table lookup function to determine how to
find the appropriate outgoing link.
Routing Protocol Message Processing: A router also needs to handle the
routing protocol packets, and determine if any changes are needed in the
routing table by invoking a routing algorithm, when and if needed.
Specialized Services : In addition, a router is required to handle
specialized services that can aid in monitoring and managing a network.
ROUTING
For an operational network, it is important to have a network management
architecture where various functions can be divided into “planes”:
the management plane - router configuration and collection of various
statistics, such as packet throughput, on a link.
the control plane - the control plane exchanges control information
between routers, involved in identifying the path to be taken between the end
points of this virtual link that relies on the routing information exchange.
the data plane - data transfers
The routing-related functions are in the control plane , and the data transfers,
such as the web or email, are in the data plane . These two planes, as well as
the management plane, use IP for communication, so at the IP layer, there is no
distinction between these functional planes.
ROUTING
CONNECTING TO THE INTERNET
Your Internet service provider (ISP) delivers a high-speed connection to the customer's location and provides an Ethernet handoff, which is simply one or more Ethernet ports that the customer can connect to. The Ethernet handoff establishes what is called the demarcation point, usually called simply the demark. The ISP is responsible for everything between the Internet and the demark; the customer is responsible for everything on the private network side of the demark.
A gateway router is used to connect the private network to the Ethernet handoff.
The external interface, often labeled WAN on the device, connects to the ISP’s
feed. The internal interface connects to the private network.
CONNECTING REMOTE LOCATIONS
Another common use for routers is to connect geographically separated offices
to form a single network that spans multiple locations. You can do this by using a
pair of gateway routers to create a secure virtual private network (VPN)
between the two networks. Each network uses its gateway router to connect to
the Internet, and the routers establish a secure tunnel between themselves to
exchange private information.
SPLITTING UP LARGE NETWORKS
Large networks often have need for routers that are internal to the network
itself. Routers are used to manage the network by dividing it into smaller, more
manageable networks all connected with routers.
ROUTING TABLES
Routers work by maintaining an internal list of networks that can be
reached via each of the router’s interfaces. This list is called a
routing table. When a packet arrives on one of the router’s
interfaces, the router examines the destination IP address of the
incoming packet, consults the routing table to determine which of its
interfaces it should forward the packet to, and then forwards the
packet to the correct interface.
ROUTE
route Command
Using the route command displays or modifies the computer’s routing table. For
a typical computer that has a single network interface and is connected to a
local area network (LAN) that has a router, the routing table is simple. Besides
displaying the routing table, the route command also lets you modify it by
adding, deleting, or changing entries.
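The routing-table lookup described on these slides, as an added example that is not part of the course material: a table with directly connected networks, a more specific route via another router, and a default route, searched by longest-prefix match the way a router chooses the outgoing interface and the immediate next-hop address. Interface names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not course material): a minimal routing table with the
# longest-prefix-match lookup a router performs on each packet's destination.
# Interface names and addresses below are constructed for illustration.


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str] = None  # None means the network is directly connected


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix: str, interface: str, next_hop: Optional[str] = None):
        """Like 'route add': prefix is e.g. '10.10.0.0/24'; '0.0.0.0/0' is the default route."""
        self.routes.append(Route(ipaddress.ip_network(prefix, strict=True), interface, next_hop))

    def delete(self, prefix: str) -> bool:
        """Like 'route delete'; returns True if an entry was removed."""
        net = ipaddress.ip_network(prefix, strict=True)
        before = len(self.routes)
        self.routes = [r for r in self.routes if r.network != net]
        return len(self.routes) != before

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match: the most specific route containing the destination wins."""
        addr = ipaddress.ip_address(destination)
        best = None
        for route in self.routes:
            if addr in route.network and (best is None or route.network.prefixlen > best.network.prefixlen):
                best = route
        return best

    def forward(self, destination: str):
        """Return (interface, immediate IP destination), or None if no route exists.

        On a directly connected network the immediate destination is the host itself;
        otherwise it is the next-hop router. That address is what ARP then resolves.
        """
        route = self.lookup(destination)
        if route is None:
            return None
        return route.interface, route.next_hop or destination


def sample_table() -> RoutingTable:
    """Constructed table for a gateway with a LAN, a DMZ and a default route to the ISP."""
    table = RoutingTable()
    table.add("10.10.0.0/24", "eth0")                          # LAN, directly connected
    table.add("192.168.50.0/24", "eth1")                       # DMZ, directly connected
    table.add("192.168.50.128/25", "eth1", "192.168.50.200")   # more specific, via another router
    table.add("0.0.0.0/0", "wan0", "203.0.113.1")              # default route to the ISP
    return table


if __name__ == "__main__":
    table = sample_table()
    for dst in ("10.10.0.5", "192.168.50.130", "192.168.50.20", "198.51.100.7"):
        print(dst, "->", table.forward(dst))
```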
NETWORK ADDRESS TRANSLATION
Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.
It enables private IP networks that use private IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into public addresses, before packets are forwarded to another network.
NETWORK ADDRESS TRANSLATION
There are four common types of NAT:
Unidirectional NAT – outbound NAT
Bidirectional NAT – inbound NAT
Port-Based – NAPT or PAT
Overlapping NAT – Twice NAT
NETWORK ADDRESS TRANSLATION
The existing IP version 4 (IPv4) uses 32-bit numbered IP addresses, which allows
for 4 billion possible IP addresses, which seemed like more than enough when it
launched in the 1970s.
However, the internet has exploded, and while not all 7 billion people on the
planet access the internet regularly, those that do often have multiple connected
devices: phones, personal desktop, work laptop, tablet, TV and now IoT.
The number of devices accessing the internet far surpasses the number of IP
addresses available. Routing all of these devices via one connection using NAT
helps to consolidate multiple private IP addresses into one public IP address.
This helps to keep more public IP addresses available even while private IP
addresses proliferate.
NETWORK ADDRESS TRANSLATION
The second reason for introducing NAT was Internet security and privacy. Because NAT transfers packets of data from public to private addresses, it also prevents anything else from accessing the private device. The router sorts the data, making it more difficult for unwanted data to traverse into the inside network.
NAT also allows you to display a public IP address while on a local network, helping to keep data and user history private.
NETWORK ADDRESS TRANSLATION
Advantages of NAT
Public IP Address Sharing: A large number of hosts can share a small number of public IP
addresses.
Easier Expansion: It is easy to add new clients to the local network.
Greater Local Control: All the benefits of control that come with a private network, but still connect to the Internet.
Greater Flexibility In ISP Service: Changing the organization's Internet Service Provider (ISP) is
easier because only the public addresses change.
Increased Security: The NAT translation represents a level of indirection. Thus, it automatically
creates a type of firewall between the organization's network and the public Internet. It is more
difficult for any client devices to be accessed directly by someone malicious because the clients
don't have publicly-known IP addresses.
(Mostly) Transparent: NAT implementation is mostly transparent, because the changes take place
in one or perhaps a few routers. The dozens or hundreds of hosts themselves don't need to be
changed.
NETWORK ADDRESS TRANSLATION
Disadvantages of NAT
Complexity: NAT represents one more complexity in setting up and managing the network
Problems Due to Lack of Public Addresses: Certain functions won't work properly due to lack of
a "real" IP address
Compatibility Problems With Certain Applications: There are in fact compatibility issues with
certain applications that arise because NAT "tinkers" with the IP header fields in datagrams but
not in the application data.
Problems With Security Protocols: Protocols like IPSec are designed to detect modifications to
headers and commonly balk at the changes that NAT makes
Poor Support for Client Access: It protects against hackers trying to access a host but also makes
it difficult for legitimate access to clients on the local network.
Performance Reduction: Each time a datagram transitions between the private network and the
Internet, an address translation is required.
NETWORK ADDRESS TRANSLATION
IP NAT Static and Dynamic Address Mappings
The NAT software in the router must maintain a translation table to tell it how to operate.
Static Mappings: a permanent, fixed relationship is defined between a global and a local representation of the address of either an inside or an outside device.
Dynamic mappings: automatically generated by the NAT router, used as needed, and then discarded. The most common way that this is employed is in allowing a pool of inside global addresses to be shared by a large number of inside devices.
NETWORK ADDRESS TRANSLATION
IP NAT Unidirectional (Traditional/Outbound) Operation
Hosts are usually clients that initiate transactions, so NAT was designed under the assumption that a client/server request/response communication would begin with a datagram sent from the inside network to the outside. Traditional NAT only supports this sort of outbound transaction, which is started by a device on the inside network. It cannot handle a device on the public Internet sending a request to a private address.
NETWORK ADDRESS TRANSLATION
IP NAT Bidirectional (Two-Way/Inbound) Operation
This kind of NAT allows both the transaction initiated in the internal network and
also transactions initiated from the outside network. The network configuration
when using NAT is inherently asymmetric: the inside network generally knows the
IP addresses of outside devices, since they are public, but the outside network
doesn't know the private addresses of the inside network.
NETWORK ADDRESS TRANSLATION
IP NAT Port-Based (Overloaded) Operation: Network Address Port Translation (NAPT) / Port Address Translation (PAT)
The real address and source port is translated to the mapped address and a
unique port. This means that one mapped address can be used for approximately
64,000 connections. Dynamic PAT also supports only unidirectional initiation of
traffic.
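The mapping table behind the static/dynamic, unidirectional, bidirectional and PAT slides above, as an added example that is not part of the course material: outbound flows receive a dynamic mapping to the public address and a unique port, inbound packets are translated back only when a dynamic or static mapping exists (so an unsolicited inbound request is dropped, as traditional NAT requires), and the port pool can run out. The class, the packet tuple and all addresses are constructed here.

```python
from dataclasses import dataclass, replace

# Added example (not course material): a NAPT/PAT translation table.
# Outbound flows get a dynamic mapping (private ip:port -> public ip:unique port);
# inbound packets are translated back only if a dynamic or static mapping exists,
# so an unsolicited inbound request is dropped. All addresses are constructed.
# A real implementation also recomputes the IP and TCP/UDP checksums after rewriting.


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortNat:
    def __init__(self, public_ip: str, port_start: int = 1024, port_end: int = 65535):
        self.public_ip = public_ip
        self.port_start, self.port_end = port_start, port_end
        self.next_port = port_start
        self.outbound_map = {}  # (proto, private_ip, private_port) -> public_port
        self.inbound_map = {}   # (proto, public_port) -> (private_ip, private_port)

    def add_static(self, proto: str, public_port: int, private_ip: str, private_port: int):
        """Static mapping: lets the outside initiate to one inside host (bidirectional NAT)."""
        if (proto, public_port) in self.inbound_map:
            raise ValueError(f"public port {proto}/{public_port} already mapped")
        self.inbound_map[(proto, public_port)] = (private_ip, private_port)
        self.outbound_map[(proto, private_ip, private_port)] = public_port

    def _allocate_port(self, proto: str) -> int:
        """Pick a free public port; one public IP yields roughly 64,000 per protocol."""
        for _ in range(self.port_end - self.port_start + 1):
            port = self.next_port
            self.next_port = self.port_start if port == self.port_end else port + 1
            if (proto, port) not in self.inbound_map:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the public IP and a unique port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound_map:           # first packet of a new flow
            port = self._allocate_port(pkt.proto)  # dynamic mapping, created on demand
            self.outbound_map[key] = port
            self.inbound_map[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound_map[key])

    def inbound(self, pkt: Packet):
        """Outside -> inside: translate the destination back, or None (drop) if unmapped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound_map.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited: traditional NAT has nowhere to deliver this
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    nat = PortNat("203.0.113.7")
    out = nat.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.5", 80))
    print("outbound rewritten to", out)
    print("reply delivered to", nat.inbound(Packet("tcp", "198.51.100.5", 80, "203.0.113.7", out.src_port)))
    print("unsolicited ->", nat.inbound(Packet("tcp", "198.51.100.9", 5555, "203.0.113.7", 3389)))
```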
NETWORK ADDRESS TRANSLATION
IP NAT Overlapping - "Twice NAT" Operation
To cope with overlapping addresses, we must translate both the source address
and the destination address on each transition from the inside to the outside or
the other direction.
NETWORK ADDRESS TRANSLATION
IP NAT Compatibility Issues
TCP and UDP Checksum Recalculations - changing the IP addresses in the IP header means the IP header checksum must be recalculated, and because the TCP and UDP checksums cover a pseudo-header that includes those addresses, the transport-layer checksums must be recalculated as well.
ICMP Manipulations - NAT must also look for certain ICMP messages and make
changes to addresses contained within them
Applications That Embed IP Addresses - some TCP/IP applications embed IP
addresses within the actual application data payload
Problems With IPSec - both the Authentication Header (AH) and Encapsulating
Security Payload (ESP) protocols use an integrity check that is based on the
value of the entire payload.
FIREWALLS
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Firewalls establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.
TYPES OF FIREWALLS
Proxy firewall
An early type of firewall device, a proxy firewall serves as the gateway from one network to
another for a specific application. Proxy servers can provide additional functionality such as
content caching and security by preventing direct connections from outside the network.
However, this also may impact throughput capabilities and the applications they can support.
Stateful inspection firewall
Now thought of as a “traditional” firewall, a stateful inspection firewall allows or blocks traffic
based on state, port, and protocol. It monitors all activity from the opening of a connection until
it is closed. Filtering decisions are made based on both administrator-defined rules as well as
context, which refers to using information from previous connections and packets belonging to
the same connection.
Unified threat management (UTM) firewall
A UTM device typically combines the functions of a stateful inspection firewall with intrusion
prevention and antivirus. It may also include additional services and often cloud management.
TYPES OF FIREWALLS
Next-generation firewall (NGFW)
Firewalls have evolved beyond simple packet filtering and stateful inspection.
Most companies are deploying next-generation firewalls to block modern
threats such as advanced malware and application-layer attacks.
According to Gartner, Inc.’s definition, a next-generation firewall must include:
Standard firewall capabilities like stateful inspection
Integrated intrusion prevention
Application awareness and control to see and block risky apps
Upgrade paths to include future information feeds
Techniques to address evolving security threats
TYPES OF FIREWALLS

Threat-focused NGFW
These firewalls include all the capabilities of a traditional NGFW and also provide
advanced threat detection and remediation. With a threat-focused NGFW you can:
Know which assets are most at risk with complete context awareness
Quickly react to attacks with intelligent security automation that sets policies
and hardens your defenses dynamically
Better detect evasive or suspicious activity with network and endpoint event
correlation
Greatly decrease the time from detection to cleanup with retrospective security
that continuously monitors for suspicious activity and behavior even after initial
inspection
Ease administration and reduce complexity with unified policies that protect
across the entire attack continuum
TYPES OF FIREWALLS
Stateless or packet filtering firewalls inspect each packet individually, without considering the trends of the data you're receiving.
Stateful firewalls do what stateless firewalls do, and they also consider the connection states of streams of data. A stateful firewall collects a series of packets before it determines their connection state, and then compares those findings to the firewall rules, rather than applying the rules to each individual packet of data.
Application firewalls generally do everything that stateful firewalls
do, and they also analyze the actual data content of the packets,
not just the headers.
FIREWALLS
A firewall can be hardware, software, or both.
FIREWALLS
Firewalls filter network traffic so that you only receive data that you should be
getting. No firewall works perfectly, and a lot of a firewall's effectiveness
depends on how you configure it.
The data that your computer sends and receives over the internet or an internal
network is comprised of TCP packets and UDP packets. TCP packets can be
more effectively filtered by firewalls because they contain more information in
their headers.
FIREWALLS
TCP Header (figure)
FIREWALLS
TCP packets contain information such as source and destination addresses,
packet sequence information, and payload. That information allows your
network interface to deliver data properly, and a firewall can compare that
information to the rules you configured it with.
UDP packets can be filtered by port, but their headers lack the information that
TCP packets have for more sophisticated filtering.
Firewall rules can be designed to block, allow, or filter specific TCP/IP ports,
block or allow specific IP addresses or address ranges.
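The difference between the stateless and stateful firewall types described above, run over the port and address rules these slides mention, as an added example that is not part of the course material: the same policy is applied by a per-packet filter and by a filter that tracks connections, so that the server's reply to a connection the LAN opened passes only through the stateful one. The rule and packet formats, addresses and policy are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not course material): one rule set applied by a stateless packet
# filter and by a stateful firewall that tracks connections. Packet and rule
# formats, addresses and the policy are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the private network)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str
    proto: str                     # "tcp", "udp" or "any"
    src: str                       # CIDR, e.g. "192.168.1.0/24" or "0.0.0.0/0"
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


class StatelessFirewall:
    """Applies the rules to every packet on its own; first matching rule wins."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def filter(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


class StatefulFirewall(StatelessFirewall):
    """Remembers allowed connections so their replies pass without an inbound rule."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.connections = set()  # (proto, src ip, src port, dst ip, dst port) of allowed flows

    def filter(self, p: Packet) -> str:
        flow = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if flow in self.connections or reverse in self.connections:
            return "allow"  # established: this is traffic of a connection we let through
        action = super().filter(p)
        if action == "allow":
            self.connections.add(flow)  # new connection: start tracking it
        return action


# Constructed policy: the LAN may open HTTPS connections; everything else is denied.
POLICY = [Rule("allow", "out", "tcp", "192.168.1.0/24", "0.0.0.0/0", dst_port=443)]

# Constructed traffic: a LAN client opens a connection, the server replies, and an
# outside host sends an unsolicited packet that merely uses source port 443.
REQUEST = Packet("out", "tcp", "192.168.1.10", 50000, "198.51.100.5", 443)
REPLY = Packet("in", "tcp", "198.51.100.5", 443, "192.168.1.10", 50000)
UNSOLICITED = Packet("in", "tcp", "198.51.100.9", 443, "192.168.1.10", 3389)


def compare(packets=(REQUEST, REPLY, UNSOLICITED)):
    """Return {packet: (stateless decision, stateful decision)} for the traffic in order."""
    stateless, stateful = StatelessFirewall(POLICY), StatefulFirewall(POLICY)
    return {p: (stateless.filter(p), stateful.filter(p)) for p in packets}


def stateless_with_reply_rule(packets=(REPLY, UNSOLICITED)):
    """The only stateless way to admit replies is a broad inbound rule keyed on the
    source port, and that rule also admits any unsolicited packet using that port."""
    reply_rule = Rule("allow", "in", "tcp", "0.0.0.0/0", "192.168.1.0/24", src_port=443)
    fw = StatelessFirewall(POLICY + [reply_rule])
    return {p: fw.filter(p) for p in packets}


if __name__ == "__main__":
    for pkt, decisions in compare().items():
        print(pkt, "-> stateless:", decisions[0], "stateful:", decisions[1])
```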
INTRUSION DETECTION SYSTEM
An intrusion detection system (IDS) is a device, or software application that
monitors a network or systems for malicious activity or policy violations. Any
intrusion activity or violation is typically reported either to an administrator or
collected centrally using a security information and event management (SIEM)
system. A SIEM system combines outputs from multiple sources and uses alarm
filtering techniques to distinguish malicious activity from false alarms.
When placed at a strategic point or points within a network to monitor traffic to
and from all devices on the network, an IDS will perform an analysis of passing
traffic, and match the traffic that is passed on the subnets to the library of
known attacks. Once an attack is identified, or abnormal behavior is sensed, the
alert can be sent to the administrator.
INTRUSION DETECTION SYSTEM
IDS Detection Types
There is a wide array of IDS, ranging from antivirus software to tiered
monitoring systems that follow the traffic of an entire network. The most common
classifications are:
Network intrusion detection systems (NIDS): A system that analyzes
incoming network traffic.
Host-based intrusion detection systems (HIDS): A system that monitors
important operating system files.
INTRUSION DETECTION SYSTEM
The most common variants are based on signature detection and anomaly detection.
Signature-based: Signature-based IDS detects possible threats by looking for specific
patterns, such as byte sequences in network traffic, or known malicious instruction
sequences used by malware. This terminology originates from antivirus software, which
refers to these detected patterns as signatures. Although signature-based IDS can
easily detect known attacks, it is impossible to detect new attacks, for which no pattern
is available.
Anomaly-based: a newer technology designed to detect and adapt to unknown
attacks, primarily due to the explosion of malware. This detection method uses machine
learning to create a defined model of trustworthy activity, and then compare new
behavior against this trust model. While this approach enables the detection of
previously unknown attacks, it can suffer from false positives: previously unknown
legitimate activity can accidentally be classified as malicious.
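The two detection methods just described, as an added example that is not part of the course material: a signature matcher and a statistical anomaly detector run over constructed web-server log lines, with a baseline window used to learn the "normal" per-source request rate. The log format, signatures, hosts and the threshold are all constructed; the legitimate download burst shows the false-positive case the slide mentions.

```python
import re
import statistics
from collections import Counter

# Added example (not course material): signature-based and anomaly-based IDS
# checks over constructed log lines. Log format, signatures and the baseline are
# made up for illustration; real rule sets and baselines are far larger.

# Signature-based: each entry is (name, compiled pattern of a known bad thing).
SIGNATURES = [
    ("path traversal", re.compile(r"(\.\./){2,}")),
    ("known bad user agent", re.compile(r"EvilScanner/\d", re.IGNORECASE)),  # constructed name
]

# Constructed log format: src [HH:MM] "request line" status "user-agent"
LOG_RE = re.compile(r'^(?P<src>\S+) \[(?P<minute>\d{2}:\d{2})\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def _lines(src, minute, n, path="/index.html", status="200", ua="Mozilla/5.0"):
    """Build n constructed log lines for one source in one minute."""
    return [f'{src} [{minute}] "GET {path} HTTP/1.1" {status} "{ua}"' for _ in range(n)]


# Baseline window: ordinary browsing, 1 to 3 requests per source per minute.
BASELINE_LINES = (_lines("10.10.0.10", "08:01", 2) + _lines("10.10.0.11", "08:01", 1)
                  + _lines("10.10.0.10", "08:02", 3) + _lines("10.10.0.11", "08:02", 2)
                  + _lines("10.10.0.12", "08:02", 2) + _lines("10.10.0.10", "08:03", 1)
                  + _lines("10.10.0.11", "08:03", 3) + _lines("10.10.0.12", "08:03", 2))

# Window under inspection.
LOG_LINES = (_lines("10.10.0.10", "09:01", 2)
             + _lines("10.10.0.12", "09:01", 1, path="/static/../../../../secret.txt", status="404", ua="curl/8.0")
             + _lines("10.10.0.13", "09:01", 1, ua="EvilScanner/1.0")
             + _lines("10.10.0.14", "09:02", 12)                              # burst: 12 hits in one minute
             + _lines("10.10.0.11", "09:02", 6, path="/updates/patch.bin"))  # legitimate download burst


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def signature_alerts(records):
    """Signature-based detection: (src, signature name) for every record matching a pattern."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES:
            if pattern.search(r["request"]) or pattern.search(r["ua"]):
                alerts.append((r["src"], name))
    return alerts


def anomaly_alerts(baseline_records, records, sigmas=3.0):
    """Statistical anomaly detection: flag (src, minute, count) whose request count
    exceeds the baseline's mean per-source-per-minute rate by more than `sigmas`
    standard deviations. A loose baseline flags legitimate bursts too (false positives)."""
    base_counts = Counter((r["src"], r["minute"]) for r in baseline_records)
    mean = statistics.mean(base_counts.values())
    stdev = statistics.pstdev(base_counts.values())
    threshold = mean + sigmas * stdev
    counts = Counter((r["src"], r["minute"]) for r in records)
    return [(src, minute, n) for (src, minute), n in counts.items() if n > threshold]


if __name__ == "__main__":
    recs = parse(LOG_LINES)
    print("signature alerts:", signature_alerts(recs))
    print("anomaly alerts:", anomaly_alerts(parse(BASELINE_LINES), recs))
```

With the constructed baseline the threshold is about 4.1 requests per minute, so both the 12-request burst and the 6-request update download are flagged; raising the threshold to six standard deviations keeps only the burst.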
INTRUSION DETECTION SYSTEM
Evasion Techniques
Fragmentation: Sending fragmented packets allows the attacker to stay under the radar, bypassing the detection system's ability to detect the attack signature.
Avoiding defaults: The port used by a protocol does not always indicate which protocol is being transported. If an attacker has reconfigured a trojan to use a different port, the IDS may not be able to detect its presence.
Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers, or even allocating various ports or hosts to different attackers. This makes it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
Address spoofing/proxying: attackers can obscure the source of the attack by using poorly secured or incorrectly configured proxy servers to bounce an attack. If the source is spoofed and bounced by a server, it becomes very difficult to detect.
Pattern change evasion: IDS rely on pattern matching to detect attacks. By making slight adjustments to the attack architecture, detection can be avoided.
INTRUSION PREVENTION SYSTEM
An intrusion prevention system (IPS) is an automated network security device
used to monitor and respond to potential threats. Like an intrusion detection
system (IDS), an IPS determines possible threats by examining network traffic.
Because an exploit may be carried out very quickly after an attacker gains
access, intrusion prevention systems administer an automated response to a
threat, based on rules established by the network administrator.
The main functions of an IPS are to identify suspicious activity, log relevant
information, attempt to block the activity, and finally to report it.
INTRUSION PREVENTION SYSTEM
IPSs include firewalls, anti-virus software, and anti-spoofing software. In addition, organizations will use an IPS for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IPSs have become an important component of all major security infrastructures in modern organizations.
An intrusion prevention system works by actively scanning forwarded network
traffic for malicious activities and known attack patterns. The IPS engine
analyzes network traffic and continuously compares the bitstream with its
internal signature database for known attack patterns. An IPS might drop a
packet determined to be malicious, and follow up this action by blocking all
future traffic from the attacker’s IP address or port. Legitimate traffic can
continue without any perceived disruption in service.
INTRUSION PREVENTION SYSTEM
Intrusion prevention systems can also perform more complicated observation and
analysis, such as watching and reacting to suspicious traffic patterns or packets.
Detection mechanisms can include:
Address matching
HTTP string and substring matching
Generic pattern matching
TCP connection analysis
Packet anomaly detection
Traffic anomaly detection
TCP/UDP port matching
INTRUSION PREVENTION SYSTEM
Intrusion Countermeasures
Many IPS can also respond to a detected threat by actively preventing it from
succeeding. They use several response techniques, which involve:
Changing the security environment – for example, by configuring a firewall to
increase protections against previously unknown vulnerabilities.
Changing the attack's content – for example, by replacing otherwise malicious
parts of an email, like false links, with warnings about the deleted content.
Sending automated alarms to system administrators, notifying them of possible
security breaches.
Dropping detected malicious packets.
Resetting a connection.
Blocking traffic from the offending IP address.
INTRUSION PREVENTION SYSTEM
IPS Classifications
Intrusion prevention systems can be organized into four major types:
Network-based intrusion prevention system (NIPS): Analyzes protocol activity across the
entire network, looking for any untrustworthy traffic.
Wireless intrusion prevention system (WIPS): Analyzes network protocol activity across
the entire wireless network, looking for any untrustworthy traffic.
Host-based intrusion prevention system (HIPS): A secondary software package that
follows a single host for malicious activity, and analyzes events occurring within said
host.
Network behavior analysis (NBA): Examines network traffic to identify threats that generate strange traffic flows, the most common being distributed denial of service attacks, various forms of malware, and policy abuses.
INTRUSION PREVENTION SYSTEM
IPS Detection Methods
Most intrusion prevention systems use one of three detection methods: signature-based,
statistical anomaly-based, and stateful protocol analysis.
Signature-based detection: Signature-based IDS monitors packets in the network and
compares with predetermined attack patterns, known as “signatures”.
Statistical anomaly-based detection: An anomaly-based IDS monitors network traffic and compares it to expected traffic patterns. The baseline identifies what is "normal" for that network: what sort of packets generally flow through the network and what protocols are used. It may, however, raise a false positive alarm for legitimate use of bandwidth if the baselines are not intelligently configured.
Stateful protocol analysis detection: This method identifies protocol deviations by
comparing observed events with pre-determined activity profiles of normal activity.
NETWORK PERIMETER
A network perimeter is the secured boundary between the private and locally
managed side of a network, often a company’s intranet, and the public facing side of
a network, often the Internet.
For most modern businesses, there is no single defensible boundary between a
company’s internal assets and the outside world.
Internal users are not simply connecting from inside an organization’s building, network,
or inner circle. They are connecting from external networks and using mobile devices to
access internal resources.
Data and applications are no longer housed on servers that businesses physically own,
maintain, and protect. Data warehouses, cloud computing, and software as a service
present immediate access and security challenges for both internal and external users.
Web services have opened a wide door to interactions outside of normal trust
boundaries. To serve multiple clients, or simply to communicate with other services, both
internal and external, insecure interactions on external platforms occur all the time.
NETWORK PERIMETER
A network perimeter includes:
Border Routers: Routers serve as the traffic signs of networks. They direct traffic into, out of, and
throughout networks. The border router is the final router under the control of an organization
before traffic appears on an untrusted network, such as the Internet.
Firewalls: A firewall is a device that has a set of rules specifying what traffic it will allow or
deny to pass through it. A firewall typically picks up where the border router leaves off and
makes a much more thorough pass at filtering traffic.
Intrusion Detection System (IDS): This functions as an alarm system for your network that is used
to detect and alert on suspicious activity. This system can be built from a single device or a
collection of sensors placed at strategic points in a network.
Intrusion Prevention System (IPS): Compared to a traditional IDS which simply notifies
administrators of possible threats, an IPS can attempt to automatically defend the target without
the administrator's direct intervention.
De-Militarized Zones / Screened Subnets: DMZ and screened subnet refer to small networks
containing public services connected directly to and offered protection by the firewall or other
filtering device.
NETWORK PERIMETER
Network Perimeter Guidelines
Strong authentication to allow controlled access to information assets. Two-factor
authentication acts as an extra layer of security for logins, ensuring that
attempted intrusions are halted before any damage is done.
Hardening of mobile and IoT devices that connect to the network. Access
control policies define high-level requirements that determine who may access
information, and under what circumstances that information can be accessed.
Embedded security services inside devices and applications. Embedded
security solutions can help protect devices ranging from ATMs to automated
manufacturing systems. Features including application whitelisting, antivirus protection,
and encryption can be embedded to help protect otherwise exposed IoT devices.
Collecting security intelligence directly from applications and their hosts.
Maintaining an open communication line with cloud service providers like AWS can
greatly increase security protections.
DMZ NETWORK
A DMZ Network (sometimes referred to as a “demilitarized zone”) functions as
a subnetwork containing an organization's exposed, outward-facing services. It
acts as the exposed point to an untrusted network, commonly the Internet.
The goal of a DMZ is to add an extra layer of security to an organization's
local area network. A protected and monitored network node that faces outside
the internal network can access what is exposed in the DMZ, while the rest of
the organization's network is safe behind a firewall.
When implemented properly, a DMZ Network gives organizations extra
protection in detecting and mitigating security breaches before they reach the
internal network, where valuable assets are stored.
DMZ NETWORK
The DMZ Network exists to protect the hosts most vulnerable to attack. These hosts
usually involve services that extend to users outside of the local area network, the most
common examples being email, web servers, and DNS servers. Because of the
increased potential for attack, they are placed into the monitored subnetwork to help
protect the rest of the network if they become compromised.
Hosts in the DMZ have tightly controlled access permissions to other services within the
internal network, because the data passed through the DMZ is not as secure.
Communications between hosts in the DMZ and the external network are also restricted
to strengthen the protected border zone. This allows hosts in the protected network
to interact with both the internal and external networks, while the firewall separates and
manages all traffic shared between the DMZ and the internal network. Typically, an
additional firewall will be responsible for protecting the DMZ from exposure to
everything on the external network.
DMZ NETWORK
All services accessible to users communicating from an external network can and should be
placed in the DMZ, if one is used. The most common services are:
Web servers: Web servers responsible for maintaining communication with an internal
database server may need to be placed into a DMZ. This helps ensure the safety of the internal
database, which is often storing sensitive information. The web servers can then interact with
the internal database server through an application firewall or directly, while still falling under the
umbrella of the DMZ protections.
Mail servers: Individual email messages, as well as the user database built to store
login credentials and personal messages, are usually stored on servers without direct access to
the internet. Therefore, an email server will be built or placed inside the DMZ in order to
interact with and access the email database without directly exposing it to potentially harmful
traffic.
FTP servers: These can host critical content on an organization's site, and allow direct
interaction with files. Therefore, an FTP server should always be partially isolated from critical
internal systems.
A DMZ configuration provides additional security from external attacks, but it typically has no
bearing on internal attacks such as sniffing communication via a packet analyzer or spoofing via
email or other means.
DMZ NETWORK
The two major methods are a single firewall (sometimes called a three-legged model)
or dual firewalls. Each of these systems can be expanded to create complex
architectures built to satisfy network requirements:
Single firewall: A modest approach to network architecture involves using a single
firewall with a minimum of 3 network interfaces. The DMZ is placed inside this
firewall. The tier of operations is as follows: the first network device makes the
connection from the ISP to the external network, the second device connects the internal
network, and the third device handles connections within the DMZ.
Dual firewall: The more secure approach is to use two firewalls to create a DMZ. The
first firewall (referred to as the “frontend” firewall) is configured to only allow traffic
destined for the DMZ. The second firewall (referred to as the “backend” firewall) is
only responsible for the traffic that travels from the DMZ to the internal network. An
effective way of further increasing protection is to use firewalls built by separate
vendors, because they are less likely to have the same security vulnerabilities. While
more effective, this scheme can be more costly to implement across a large network.
URL FILTERING
URL filtering limits access to specific URLs by comparing addresses of sites that
users are attempting to visit against a database of either permitted or blocked
sites. The purpose of URL filtering is to prevent employees from accessing sites
that may interfere with the operation of the business – such as sites not related
to work, sites with objectionable or illegal content, or sites associated with
phishing attempts.
While unrestricted web access is useful for employees and can make them more
productive, it can also expose organizations to a wide range of security risks,
such as propagation of threats, data loss or seizure, or legal issues.
URL FILTERING
URL filtering matches all web traffic against a defined database, and then permits or
denies access to a site based on whether it is found in the database. A URL filtering
database will assign catalogued websites a URL category, or group.
It will also define the conditions of access to that URL. For example, an address could
be:
Blocked: Defined on a site-by-site basis. This can apply to distracting sites, like
social media or local news, or sites known to host various forms of malware.
Allowed: SaaS websites, relevant to the organization and its workflow.
Attached to defined IT policies: Visits to a particular website could be logged
and organized, so that IT can see who visits certain sites, and at what time.
Blocked or allowed URL categories: When actions are determined not on a
site-by-site basis, but rather by the category encompassing multiple sites. This could
include categories for malware or phishing sites, innocent but distracting sites, or
questionable sites.
URL FILTERING
A fully integrated URL filtering deployment allows enterprises to:
Enforce safe browsing practices: The browsing habits of employees can
be directly controlled. IT administrators don’t have to trust that employees will
know to avoid potentially harmful sites; instead, they can guarantee it.
Avoid malware: By blocking access to known malware and phishing sites,
the chance for a security breach is greatly reduced.
Customize policies: This includes setting permanent whitelists and
blacklists, as well as lists customized by time of day or even user privileges.
Define whitelists: Controlling the sites that users have access to gives
administrators guarantees against accidental URL blocks by the filtering service.
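The decision logic the slides describe (site-by-site block or allow, category rules, time-of-day policies and logged visits), as an added shell example that is not from the course or any filtering product. The category database, the policy table and the 09:00-17:59 work-hours window are all constructed for the example.

```shell
#!/bin/sh
# URL-filter decision logic (added example, not part of the course slides).
# CATEGORIES stands in for a vendor's URL database and POLICY for the IT policy;
# both are constructed. Matching walks a hostname from the full name to its parent
# domains, so "cdn.social.example" inherits the category of "social.example".

CATEGORIES='
malware.example malware
phish.example phishing
social.example social
crm.example saas
news.example news
'

# Per-category action. "block-work-hours" is a time-of-day rule; the work-hours
# window (09:00-17:59) is an assumption for this example.
POLICY='
malware block
phishing block
saas allow
social block-work-hours
news log
'

# lookup_category HOST -> category name, or "uncategorized" when no suffix matches
lookup_category() {
  h=$1
  while :; do
    c=$(printf '%s\n' "$CATEGORIES" | awk -v d="$h" '$1 == d { print $2; exit }')
    if [ -n "$c" ]; then
      printf '%s\n' "$c"
      return 0
    fi
    case $h in
      *.*) h=${h#*.} ;;          # strip the leftmost label and try the parent domain
      *)   printf 'uncategorized\n'; return 0 ;;
    esac
  done
}

# url_decision HOST HOUR -> "allow", "block" or "log" (log means allow and record the visit)
url_decision() {
  category=$(lookup_category "$1")
  action=$(printf '%s\n' "$POLICY" | awk -v c="$category" '$1 == c { print $2; exit }')
  case $action in
    block) echo block ;;
    allow) echo allow ;;
    log)   echo log ;;
    block-work-hours)
      if [ "$2" -ge 9 ] && [ "$2" -le 17 ]; then echo block; else echo allow; fi ;;
    *)     echo log ;;           # uncategorized sites: allow but log for review (assumed default)
  esac
}

# Usage: url_decision <hostname> <hour-of-day 0-23>
url_decision www.social.example 14   # prints "block"
```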
FIREWALLS
Iptables
Iptables is a firewall installed by default on all official Ubuntu distributions, and
it allows all traffic by default. Ubuntu also comes with ufw, a program for
managing the iptables firewall easily.
sudo iptables -L
FIREWALLS
Iptables is used to set up, maintain, and inspect the tables of IP packet filter
rules in the Linux kernel. Several different tables may be defined. Each table
contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies
what to do with a packet that matches. This is called a 'target', which may be a
jump to a user-defined chain in the same table.
Targets
A firewall rule specifies criteria for a packet, and a target. If the packet does
not match, the next rule in the chain is then examined; if it does match, then the
next rule is specified by the value of the target, which can be the name of a
user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or
RETURN.
FIREWALLS
Tables
There are currently the following independent tables:
filter: This is the default table (if no -t option is passed). It contains
the built-in chains INPUT (for packets destined to local sockets),
FORWARD (for packets being routed through the box), and OUTPUT
(for locally-generated packets).
nat: This table is consulted when a packet that creates a new
connection is encountered. It consists of three built-ins: PREROUTING
(for altering packets as soon as they come in), OUTPUT (for altering
locally-generated packets before routing), and POSTROUTING (for
altering packets as they are about to go out).
FIREWALLS
mangle: This table is used for specialized packet alteration.
These built-in chains are supported: INPUT (for packets coming
into the box itself), FORWARD (for altering packets being
routed through the box), and POSTROUTING (for altering
packets as they are about to go out).
raw: This table is used mainly for configuring exemptions from
connection tracking. It provides the following built-in chains:
PREROUTING (for packets arriving via any network interface)
OUTPUT (for packets generated by local processes)
FIREWALLS
COMMANDS
These options specify the specific action to perform. Only one of them can
be specified on the command line unless otherwise specified below.
-A, --append chain rule-specification - Append one or more rules to the
end of the selected chain. When the source and/or destination names
resolve to more than one address, a rule will be added for each possible
address combination.
-D, --delete chain rule-specification
-D, --delete chain [rulenum] Delete one or more rules from the selected
chain. There are two versions of this command: the rule can be specified
as a number in the chain (starting at 1 for the first rule) or a rule to
match.
FIREWALLS
-I, --insert chain [rulenum] rule-specification Insert one or more rules in the
selected chain as the given rule number. So, if the rule number is 1, the
rule or rules are inserted at the head of the chain. This is also the default
if no rule number is specified.
-R, --replace chain [rulenum] rule-specification Replace a rule in the
selected chain. If the source and/or destination names resolve to multiple
addresses, the command will fail. Rules are numbered starting at 1.
-L, --list [chain] List all rules in the selected chain. If no chain is selected,
all chains are listed. As every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
FIREWALLS
-F, --flush [chain] Flush the selected chain (all the chains in the table
if none is given). This is equivalent to deleting all the rules one by
one.
-Z, --zero [chain] Zero the packet and byte counters in all chains. It is
legal to specify the -L, --list (list) option as well, to see the counters
immediately before they are cleared.
-N, --new-chain chain Create a new user-defined chain by the given
name. There must be no target of that name already.
FIREWALLS
-X, --delete-chain [chain] Delete the optional user-defined chain
specified. The chain must be empty, i.e. not contain any rules.
-P, --policy chain target Set the policy for the chain to the given
target. Only built-in (non-user-defined) chains can have policies, and
neither built-in nor user-defined chains can be policy targets.
-E, --rename-chain old-chain new-chain Rename the user specified
chain to the user supplied name.
FIREWALLS
Types of Chains
Iptables uses three different chains: input, forward, and output.
Input - This chain is used to control the behavior for incoming connections.
For example, if a user attempts to SSH into your PC/server, iptables will
attempt to match the IP address and port to a rule in the input chain.
Forward - This chain is used for incoming connections that aren’t actually
being delivered locally. It is like a router: data is always being sent to it but rarely
actually destined for the router itself.
Output - This chain is used for outgoing connections. For example, if you
try to ping bcit.ca, iptables will check its output chain to see what the rules are
regarding ping and bcit.ca before making a decision to allow or deny the
connection attempt.
FIREWALLS
Connection-specific Responses
Accept - Allow the connection.
Drop - Drop the connection, act like it never happened. This is best if you don’t
want the source to realize your system exists.
Reject - Don’t allow the connection, but send back an error. This is best if you
don’t want a particular source to connect to your system, but you want them to
know that your firewall blocked them.
FIREWALLS
To check the status of iptables:
Block an IP:
FIREWALLS
Clear an IP:
FIREWALLS
To improve the security of your machine using iptables, apply the following rules:
# 1. Delete all existing rules
iptables -F
# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Block a specific ip-address
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
FIREWALLS
# 4. Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 5. Allow incoming SSH only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 6. Allow incoming HTTP – if you run a web server
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# 7. Allow incoming HTTPS – if you run a web server
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
FIREWALLS
# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS) – if required
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 9. Allow outgoing SSH only to a specific network
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
FIREWALLS
# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# 15. Allow packets from internal network to reach external network – router like
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
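A three-legged DMZ built on the single-firewall model described in the DMZ NETWORK slides, extending the FORWARD rule in #15 above, as an added shell example that is not the course's own script. The interface names, subnets, web server and database addresses are constructed; IPT defaults to printing the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Three-legged (single-firewall) DMZ ruleset. Added example, not from the course slides.
# Assumed, constructed layout:
#   eth0 = external (ISP)   eth1 = internal LAN 192.168.1.0/24   eth2 = DMZ 10.10.10.0/24
#   web server 10.10.10.10 in the DMZ needs the internal DB server 192.168.1.20 on TCP 3306
# IPT defaults to "echo iptables" so the rules are printed for review; run with
# IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
EXT=eth0; INT=eth1; DMZ=eth2
INT_NET=192.168.1.0/24; DMZ_NET=10.10.10.0/24
WEB=10.10.10.10; DB=192.168.1.20

dmz_forward_rules() {
  # Routed traffic is denied unless a rule below allows it.
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  # Return traffic for flows already accepted, in any direction.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Internet -> DMZ: only the published web ports, only to the web server.
  $IPT -A FORWARD -i $EXT -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 \
       -m state --state NEW -j ACCEPT
  # DMZ -> internal: only the web server, only to the DB server, only port 3306.
  $IPT -A FORWARD -i $DMZ -o $INT -s $WEB -d $DB -p tcp --dport 3306 \
       -m state --state NEW -j ACCEPT
  # DMZ -> internet: DNS and HTTPS so DMZ hosts can resolve names and fetch updates.
  $IPT -A FORWARD -i $DMZ -o $EXT -s $DMZ_NET -p udp --dport 53 -j ACCEPT
  $IPT -A FORWARD -i $DMZ -o $EXT -s $DMZ_NET -p tcp --dport 443 -m state --state NEW -j ACCEPT
  # Internal -> DMZ: staff may reach DMZ services (narrow to admin hosts in production).
  $IPT -A FORWARD -i $INT -o $DMZ -s $INT_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
  # Internal -> internet: rule #15 above, with the LAN source pinned.
  $IPT -A FORWARD -i $INT -o $EXT -s $INT_NET -m state --state NEW -j ACCEPT
  # Anything else the DMZ sends inward is logged (rate limited) before the policy drops it.
  $IPT -A FORWARD -i $DMZ -o $INT -m limit --limit 2/min -j LOG --log-prefix "DMZ->INT dropped: "
}

dmz_nat_rules() {
  # Publish the web server on the firewall's external address (DNAT keeps the port).
  $IPT -t nat -A PREROUTING -i $EXT -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
  # Hide internal and DMZ addresses behind the external interface for outbound traffic.
  $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE
}

dmz_forward_rules
dmz_nat_rules
```

Because the FORWARD policy is DROP, any path not listed (for example DMZ to the rest of the LAN) is refused and, for DMZ-to-internal attempts, logged.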
FIREWALLS
# 16. Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# 17. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
# 18. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
# 19. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
FIREWALLS
# 20. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
# 21. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
FIREWALLS
# 23. Prevent DoS attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# 24. Port forwarding 80 to 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# 25. Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
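What the LOGGING chain in #25 actually produces, and a small triage pass over it, as an added shell example that is not part of the course material. The sample log lines are constructed (TEST-NET addresses) in the kernel's netfilter LOG field layout; the "IPTables Packet Dropped: " prefix is the one set by the rule above, and summarize_drops and top_talker are helper names introduced here.

```shell
#!/bin/sh
# Triage of the LOGGING chain's output (added example; not from the course slides).
# The LOG target writes one kernel log line per packet, prefixed with the --log-prefix
# string from rule #25 above. The sample below is constructed, using TEST-NET addresses,
# in the field layout the kernel emits; the last line is an unrelated kernel message.
LOGFILE="${LOGFILE:-$(mktemp)}"
cat > "$LOGFILE" <<'EOF'
Mar  3 10:01:02 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:04 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:10 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:11 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=49 ID=5 PROTO=UDP SPT=40002 DPT=161 LEN=58
Mar  3 10:03:00 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Mar  3 10:03:30 fw kernel: eth0: link is up
EOF

# summarize_drops FILE -> one line per (source, protocol, destination port), most frequent
# first: "<count> <src> <proto> <dport>". ICMP has no port, so "-" is printed instead.
summarize_drops() {
  grep 'IPTables Packet Dropped:' "$1" |
  awk '{
    src = ""; proto = "?"; dpt = "-"
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    if (src != "") count[src " " proto " " dpt]++
  }
  END { for (k in count) print count[k], k }' |
  sort -rn
}

# top_talker FILE -> the source address with the most dropped packets
top_talker() {
  summarize_drops "$1" | head -n 1 | awk '{ print $2 }'
}

summarize_drops "$LOGFILE"   # first line: 3 203.0.113.7 TCP 23
```

Point it at the real log (LOGFILE=/var/log/kern.log, or wherever rsyslog routes kernel messages) and the same two functions show which sources and ports are hitting the DROP policy most often.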
FIREWALLS
Blocking null packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
We told the firewall to take all incoming packets with TCP flags NONE and just
DROP them. Null packets are, simply said, recon packets. The attack patterns
use these to try to see how we configured the VPS and to find weaknesses.
FIREWALLS
Block Fragmented Packets
iptables -A INPUT -f -j DROP
Force SYN Packet Check
iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m recent --set -j ACCEPT
FIREWALLS
Don’t forget to save!