Security Plus Unit 3

CompTIA Security Plus Unit 3

Uploaded by

cissp4all
Exploring Network Technologies and Tools

OSI Model
The Open Systems Interconnection (OSI) model is a theoretical way to describe all the different
activities that happen on a network. The model has seven layers ranging from layer 1 (Physical)
through layer 7 (Application). The lower the layer number, the closer you are to the actual wires
and cabling of the network. The higher the layer number, the closer you are to the end user and
the software running on a computer system.

OSI Layer | Description | Examples
Layer 1: Physical | Basic equipment of networking: copper wires, fiber optic cables, and radio waves. | Ethernet cables, fiber optics, Wi-Fi signals
Layer 2: Data Link | Formats data into frames and routes it on the local network using MAC addresses. | Network switches, MAC addresses
Layer 3: Network | Uses IP addresses to send information between different local networks. | Routers, IP addresses, Internet Protocol (IP)
Layer 4: Transport | Provides end-to-end communication services for applications. | TCP (Transmission Control Protocol), UDP (User Datagram Protocol)
Layer 5: Session | Manages sessions between applications on different devices. | Session initiation and termination, NetBIOS, RPC (Remote Procedure Call)
Layer 6: Presentation | Translates data into a standard format, providing encryption and compression. | SSL/TLS (Secure Sockets Layer/Transport Layer Security), JPEG, ASCII
Layer 7: Application | Provides network services to applications, allowing communication over the network. | HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol)
Memory Tricks to Remember OSI Layers:

● "Please Do Not Throw Sausage Pizza Away!"
● "All People Seem To Need Data Processing."

Example: Accessing a Website from a Laptop

OSI Layer | What's Happening | Explanation
Layer 7: Application | You open your web browser (like Chrome or Firefox) and type in the URL of a website (e.g., www.example.com). | The web browser is the application that requests the website. The browser uses the HTTP protocol to make this request.
Layer 6: Presentation | The data from the website is encoded, encrypted (if using HTTPS), and prepared for transmission. | The data from the website might be compressed and encrypted to ensure it is secure and correctly formatted for the application layer.
Layer 5: Session | A session is established between your web browser and the web server hosting the website. | This layer manages the dialogue between the two computers, ensuring that the connection is established, maintained, and terminated properly.
Layer 4: Transport | The data is broken into smaller packets, and each packet is given a sequence number to be reassembled later. | Protocols like TCP ensure that all packets arrive correctly and in order. If any packets are lost, TCP will request them again.
Layer 3: Network | The packets are addressed with the IP addresses of the sender (your laptop) and the receiver (the web server). | Routers use these IP addresses to determine the best path to send the packets from your laptop to the web server.
Layer 2: Data Link | The packets are framed and addressed with MAC addresses for local network delivery. | Switches use MAC addresses to deliver frames to the correct device on the local network. If you're using Wi-Fi, this also involves your wireless access point.
Layer 1: Physical | The data is transmitted over physical media, such as Ethernet cables or Wi-Fi signals. | This is the actual transmission of raw bits over a physical medium. It could be through a cable or wirelessly via radio waves.
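The encapsulation the table walks through (layer 7 down to layer 2), as an added example that is not part of the original page: each function wraps the output of the layer above it, and the two verify functions do what the receiving host does, recomputing the IPv4 and TCP checksums. The MAC addresses, IP addresses and ports are constructed placeholders.

```python
import struct

# Constructed sample addresses (not from the original page).
SRC_MAC = bytes.fromhex("001122334455")   # the laptop's NIC
DST_MAC = bytes.fromhex("66778899aabb")   # the default gateway's NIC
SRC_IP = "192.168.1.10"                   # the laptop
DST_IP = "203.0.113.80"                   # a documentation-range web server
SRC_PORT, DST_PORT = 51515, 80


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, shared by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def layer7_http_get(host: str, path: str = "/") -> bytes:
    """Layer 7: the request the browser produces."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


def layer4_tcp(payload: bytes, flags: int = 0x18, seq: int = 1, ack: int = 1) -> bytes:
    """Layer 4: 20-byte TCP header (PSH|ACK by default). The checksum covers the
    IPv4 pseudo-header, the TCP header and the payload."""
    def header(csum: int) -> bytes:
        return struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, seq, ack,
                           5 << 4, flags, 65535, csum, 0)
    pseudo = struct.pack("!4s4sBBH", ip_bytes(SRC_IP), ip_bytes(DST_IP),
                         0, 6, 20 + len(payload))
    return header(checksum(pseudo + header(0) + payload)) + payload


def layer3_ipv4(segment: bytes, ident: int = 0x1234) -> bytes:
    """Layer 3: 20-byte IPv4 header; protocol 6 tells the receiver the payload is TCP."""
    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident,
                           0x4000, 64, 6, csum, ip_bytes(SRC_IP), ip_bytes(DST_IP))
    return header(checksum(header(0))) + segment


def layer2_ethernet(packet: bytes) -> bytes:
    """Layer 2: Ethernet II header; EtherType 0x0800 marks an IPv4 payload."""
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + packet


def encapsulate(host: str) -> dict:
    """Walk the request down the stack and return the bytes present at each layer."""
    app = layer7_http_get(host)
    seg = layer4_tcp(app)
    pkt = layer3_ipv4(seg)
    frame = layer2_ethernet(pkt)
    return {"L7 application": app, "L4 transport": seg,
            "L3 network": pkt, "L2 data link": frame}


def verify_ipv4_header(frame: bytes) -> bool:
    """Receiver-side check: the IPv4 header checksum must verify to zero and the
    stated total length must match what actually arrived."""
    ip_hdr = frame[14:34]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    return checksum(ip_hdr) == 0 and total_len == len(frame) - 14


def verify_tcp_checksum(frame: bytes) -> bool:
    """Receiver-side check of the TCP checksum, rebuilt from the IPv4 addresses."""
    pkt = frame[14:]
    seg = pkt[20:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(seg))
    return checksum(pseudo + seg) == 0


if __name__ == "__main__":
    layers = encapsulate("www.example.com")
    for name, data in layers.items():
        print(f"{name:15s} {len(data):3d} bytes")
    print("IPv4 header ok:", verify_ipv4_header(layers["L2 data link"]))
    print("TCP checksum ok:", verify_tcp_checksum(layers["L2 data link"]))
```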
WATCH THIS VIDEO: https://www.youtube.com/watch?v=vv4y_uOneC0

IP Address vs Ports

Aspect | Ports | Protocols
Definition | A logical construct that acts as a communication endpoint for networking within a computer. | A set of rules and standards that defines how data is transmitted and received over a network.
Purpose | Identify specific processes or services on a device that can receive and send data. | Enable devices and applications to communicate with each other by providing guidelines for data formatting, error handling, compression, and addressing.
Range | 0-65535 | Various types operating across different OSI layers.
Types | Well-Known Ports (0-1023); Registered Ports (1024-49151); Dynamic/Private Ports (49152-65535) | Transport Layer Protocols; Application Layer Protocols
Scope | Operate at the transport layer, providing specific endpoints for network connections. | Operate across various layers of the OSI model, including application, transport, network, and data link layers.
Identification | Identified by numbers ranging from 0 to 65535. | Identified by names and functionalities (e.g., TCP, HTTP, FTP).
Examples | Port 80 (HTTP); Port 443 (HTTPS); Port 21 (FTP); Port 25 (SMTP) | HTTP/HTTPS: Protocols for web browsing; FTP: Protocol for file transfers; SMTP/IMAP/POP3: Protocols for email services; TCP/IP: Suite of communication protocols used for the Internet

Examples in Detail

Port | Common Usage
80 | HTTP (HyperText Transfer Protocol)
443 | HTTPS (HyperText Transfer Protocol Secure)
21 | FTP (File Transfer Protocol)
25 | SMTP (Simple Mail Transfer Protocol)

Protocol | Common Usage
HTTP/HTTPS | Used for transmitting web pages
FTP | Used for transferring files
SMTP/IMAP/POP3 | Used for email services
TCP/IP | The suite of communication protocols used for the Internet and similar networks

Well-Known Ports

Port Number | Protocol | Description
20, 21 | FTP (File Transfer Protocol) | Used for transferring files between computers on a network.
22 | SSH (Secure Shell) | Used for secure remote login and other secure network services.
23 | Telnet | Used for unencrypted text communications.
25 | SMTP (Simple Mail Transfer Protocol) | Used for sending emails.
53 | DNS (Domain Name System) | Translates domain names to IP addresses.
67, 68 | DHCP (Dynamic Host Configuration Protocol) | Used for assigning IP addresses to devices on a network.
69 | TFTP (Trivial File Transfer Protocol) | A simpler version of FTP used for transferring files.
80 | HTTP (Hypertext Transfer Protocol) | Used for transmitting web pages over the internet.
110 | POP3 (Post Office Protocol version 3) | Used for retrieving emails from a mail server.
123 | NTP (Network Time Protocol) | Used for clock synchronization between computer systems.
143 | IMAP (Internet Message Access Protocol) | Used for retrieving and managing emails from a mail server.
161, 162 | SNMP (Simple Network Management Protocol) | Used for network management and monitoring.
389 | LDAP (Lightweight Directory Access Protocol) | Used for accessing and maintaining distributed directory information services.
443 | HTTPS (Hypertext Transfer Protocol Secure) | Used for secure web communications.
465 | SMTPS (Simple Mail Transfer Protocol Secure) | Used for sending emails securely.
993 | IMAPS (Internet Message Access Protocol Secure) | Used for securely retrieving and managing emails from a mail server.
995 | POP3S (Post Office Protocol 3 Secure) | Used for securely retrieving emails from a mail server.
3389 | RDP (Remote Desktop Protocol) | Used for remote desktop connections.
5060, 5061 | SIP (Session Initiation Protocol) | Used for initiating, maintaining, and terminating real-time sessions that include voice, video, and messaging applications.
Common Networking Protocols

Protocol | Description | Example Use Cases | Well-Known Ports | Potential Attacks
Transmission Control Protocol (TCP) | Provides connection-oriented traffic (guaranteed delivery) using a three-way handshake process (SYN, SYN/ACK, ACK). | Reliable data transmission, such as web traffic (HTTP/HTTPS). | None specific | SYN Flood, TCP Reset Attack
User Datagram Protocol (UDP) | Provides connectionless sessions (without a three-way handshake). Makes a best effort to deliver data without guaranteed delivery. | Streaming media, online gaming, VoIP. | None specific | UDP Flood, Fraggle Attack
Internet Protocol (IP) | Identifies hosts in a TCP/IP network and delivers traffic using IP addresses. IPv4 uses 32-bit addresses (192.168.1.100), IPv6 uses 128-bit addresses using hexadecimal code (FE80:0000:0000:0000:20D4:3FF7:003F:DE62). | Routing data across the internet. | None specific | IP Spoofing, Man-in-the-Middle (MITM) Attack
Internet Control Message Protocol (ICMP) | Tests basic connectivity and includes tools like ping and tracert. Often blocked by firewalls and routers to prevent network discovery by attackers. | Network diagnostics (ping, tracert). | None specific | Ping of Death, Smurf Attack
Address Resolution Protocol (ARP) | Resolves IPv4 addresses to MAC addresses. Necessary for packet delivery within a local subnet. Susceptible to ARP poisoning attacks. | Local network communication, identifying devices on the same network. | None specific | ARP Poisoning, Man-in-the-Middle (MITM) Attack
Hypertext Transfer Protocol (HTTP) | Supports web traffic by transferring web pages from servers to browsers. | Accessing websites, web-based applications. | 80 | HTTP Flood, Cross-Site Scripting (XSS), Man-in-the-Middle (MITM) Attack
Hypertext Transfer Protocol Secure (HTTPS) | An encrypted version of HTTP that provides secure communication over a computer network. | Secure web transactions, online banking, and shopping. | 443 | HTTPS Flood, SSL Stripping Attack
Simple Mail Transfer Protocol (SMTP) | Used to send emails from clients to servers and between servers. | Sending email. | 25 | SMTP Relay, Email Spoofing, Spam Attacks
File Transfer Protocol (FTP) | Transfers files between computers on a network. FTP can be used with authentication to ensure data is transferred securely. | Downloading/uploading files from/to a server. | 20, 21 | FTP Bounce Attack, Brute Force Attack, Anonymous FTP Exploitation
Domain Name System (DNS) | Translates domain names (like www.example.com) to IP addresses (like 192.168.1.1). | Accessing websites using human-readable addresses instead of IP addresses. | 53 | DNS Spoofing, DNS Amplification Attack, Cache Poisoning
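The three-way handshake and the SYN flood named in the TCP row, as an added example that is not from the page: a small state machine replays a constructed packet log and counts connections that stopped after step 2 (server sent SYN/ACK, client never sent the final ACK). A pile-up of those half-open connections on one server port is what a flooded backlog looks like. The log format and all addresses are constructed.

```python
from collections import defaultdict

# Constructed packet log (not a real capture), one line per TCP segment:
# "<src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>"
SAMPLE_LOG = """\
192.168.1.10:51515 > 10.0.0.5:80 SYN
10.0.0.5:80 > 192.168.1.10:51515 SYN/ACK
192.168.1.10:51515 > 10.0.0.5:80 ACK
203.0.113.7:40001 > 10.0.0.5:80 SYN
203.0.113.7:40002 > 10.0.0.5:80 SYN
203.0.113.8:40003 > 10.0.0.5:80 SYN
10.0.0.5:80 > 203.0.113.7:40001 SYN/ACK
10.0.0.5:80 > 203.0.113.7:40002 SYN/ACK
10.0.0.5:80 > 203.0.113.8:40003 SYN/ACK
203.0.113.9:40004 > 10.0.0.5:80 SYN
10.0.0.5:80 > 203.0.113.9:40004 SYN/ACK
"""

# The three-way handshake as a state machine: (state before, flags) -> state after.
HANDSHAKE = {
    ("NEW", "SYN"): "SYN_SENT",               # step 1: client -> server
    ("SYN_SENT", "SYN/ACK"): "SYN_RECEIVED",  # step 2: server -> client
    ("SYN_RECEIVED", "ACK"): "ESTABLISHED",   # step 3: client -> server
}


def parse_line(line):
    src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port), flags


def connection_key(src_ip, src_port, dst_ip, dst_port, flags):
    """Key every segment as (client, server) so both directions map to one
    connection. Only the SYN/ACK travels server -> client, so it is flipped."""
    if flags == "SYN/ACK":
        return (dst_ip, dst_port, src_ip, src_port)
    return (src_ip, src_port, dst_ip, dst_port)


def track_handshakes(log_text):
    """Replay the log and return {connection key: handshake state}.
    A flag that does not fit the expected next step leaves the state unchanged."""
    states = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = connection_key(*rec)
        state = states.get(key, "NEW")
        states[key] = HANDSHAKE.get((state, rec[4]), state)
    return states


def half_open_by_server(states):
    """Connections the server answered with SYN/ACK that never completed. Each one
    holds a slot in the listener's backlog; a pile-up is the SYN flood signature."""
    counts = defaultdict(int)
    for (_cip, _cport, sip, sport), state in states.items():
        if state == "SYN_RECEIVED":
            counts[f"{sip}:{sport}"] += 1
    return dict(counts)


def syn_flood_suspects(states, threshold=3):
    """Server sockets whose half-open count reaches the threshold (constructed value)."""
    return sorted(s for s, n in half_open_by_server(states).items() if n >= threshold)


if __name__ == "__main__":
    st = track_handshakes(SAMPLE_LOG)
    print("half-open per server:", half_open_by_server(st))
    print("suspects:", syn_flood_suspects(st))
```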
Insecure Protocols

Protocol | Description | Port | Notes
File Transfer Protocol (FTP) | Uploads and downloads files to/from an FTP server. Transmits data in cleartext. | 21 | Insecure because it transmits data in cleartext.
Trivial File Transfer Protocol (TFTP) | Used to transfer smaller amounts of data. Often disabled due to insecurity. | 69 | Not essential on most networks and has been used in many attacks.
Secure Sockets Layer (SSL) | Secures HTTP traffic as HTTPS and can encrypt SMTP and LDAP. Compromised and not recommended for use. | Various | SSL is outdated and has vulnerabilities like the POODLE attack.

Secure Alternatives for Data in Transit

Protocol | Description | Port | Notes
Transport Layer Security (TLS) | Replacement for SSL. Used to encrypt many different protocols, including HTTPS. | Various | Recommended for browser-based connections and other protocols previously using SSL.
Internet Protocol Security (IPsec) | Used to encrypt IP traffic. | Various | Provides secure encryption for IP traffic.
Secure Shell (SSH) | Encrypts traffic in transit. Can encrypt other protocols like FTP. | 22 | Used for secure remote connections and to transfer encrypted files (SCP).
Secure File Transfer Protocol (SFTP) | Secure implementation of FTP using SSH to transmit files in encrypted format. | 22 | Preferred over FTP for secure file transfers.
File Transfer Protocol Secure (FTPS) | Secure implementation of FTP using TLS to encrypt FTP traffic. | 989/990 | Another secure alternative.
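To put the insecure-protocol and secure-alternative tables to work, an added example (not from the page) that scans constructed firewall log lines for allowed connections to the cleartext services listed on this page and names the replacement from the same tables. The log format and addresses are constructed; the port numbers are the ones this page lists.

```python
import re
from collections import Counter

# Cleartext services from this page's tables and the secure replacement it pairs
# with each. (proto, destination port) -> (service name, replacement).
CLEARTEXT_SERVICES = {
    ("tcp", 21):  ("FTP",    "SFTP (22) or FTPS (989/990)"),
    ("tcp", 23):  ("Telnet", "SSH (22)"),
    ("tcp", 25):  ("SMTP",   "TLS-protected SMTP (587)"),
    ("tcp", 80):  ("HTTP",   "HTTPS (443)"),
    ("tcp", 110): ("POP3",   "POP3S (995)"),
    ("tcp", 143): ("IMAP",   "IMAPS (993)"),
    ("tcp", 389): ("LDAP",   "LDAPS (636)"),
    ("udp", 69):  ("TFTP",   "disable; use SFTP (22) for file transfer"),
}

# Constructed firewall log (not from a real device), one line per connection:
# "<timestamp> <ALLOW|DENY> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ALLOW TCP 192.168.1.10:51515 -> 10.0.0.5:23
2024-05-01T10:00:02Z ALLOW TCP 192.168.1.10:51516 -> 10.0.0.5:22
2024-05-01T10:00:03Z ALLOW TCP 192.168.1.11:40200 -> 10.0.0.8:80
2024-05-01T10:00:04Z ALLOW TCP 192.168.1.11:40201 -> 10.0.0.8:443
2024-05-01T10:00:05Z ALLOW UDP 192.168.1.12:2048  -> 10.0.0.9:69
2024-05-01T10:00:06Z DENY  TCP 203.0.113.5:3333   -> 10.0.0.5:21
2024-05-01T10:00:07Z ALLOW TCP 192.168.1.13:40300 -> 10.0.0.7:389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Turn one log line into a dict; raise on anything the regex does not recognise."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["proto"] = rec["proto"].lower()
    return rec


def find_cleartext_sessions(log_text):
    """One finding per ALLOWed connection to a cleartext service.
    DENYed lines are skipped: the firewall already stopped those."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "ALLOW":
            continue
        service = CLEARTEXT_SERVICES.get((rec["proto"], rec["dport"]))
        if service:
            findings.append({"time": rec["ts"], "client": rec["src"],
                             "server": f'{rec["dst"]}:{rec["dport"]}',
                             "service": service[0], "replace_with": service[1]})
    return findings


def summarize(findings):
    """How many allowed cleartext sessions each service accounts for."""
    return Counter(f["service"] for f in findings)


if __name__ == "__main__":
    for f in find_cleartext_sessions(SAMPLE_LOG):
        print(f'{f["time"]} {f["client"]} -> {f["server"]} '
              f'{f["service"]} in cleartext; replace with {f["replace_with"]}')
    print(summarize(find_cleartext_sessions(SAMPLE_LOG)))
```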

SSL vs. TLS

Protocol | Description | Notes
SSL | Was the primary method to secure HTTP traffic as HTTPS. Compromised and no longer recommended for use. | Vulnerable to attacks like POODLE. No longer maintained or patched.
TLS | Designed to replace SSL. Used to encrypt many protocols, including HTTPS. | Recommended for all implementations that previously used SSL. Provides better security and is maintained.

Important Ports for Secure Protocols

Protocol | Port | Description
SSH | 22 | Used to encrypt traffic and secure remote connections and file transfers.
SFTP | 22 | Securely transfers files using SSH.
FTPS | 989/990 | Uses TLS to encrypt FTP traffic, providing secure file transfers.
HTTPS (using TLS) | 443 | Encrypts HTTP traffic to secure web communications.

Email and Web Use Cases

Email and web traffic are some of the most common ways that people use the Internet today.
These services were originally built without security in mind. Later, secure alternatives were
introduced that provide encryption and other security services. Just like TLS replaced SSL with
a secure alternative, email and web protocols were also updated to add in security controls.
Below are the common email and web protocols and their secure versions.

Common Email Protocols and Their Secure Versions

Protocol | Description | Unencrypted Port | Encrypted Port
Simple Mail Transfer Protocol (SMTP) | Transfers email between clients and SMTP servers. | 25 | 587 (SMTPS)
Post Office Protocol (POP3) | Transfers emails from servers to end users. | 110 | 995
Internet Message Access Protocol (IMAP) | Stores email on a mail server, allows users to manage email in folders. | 143 | 993

Common Web Protocols and Their Secure Versions

Protocol | Description | Unencrypted Port | Encrypted Port
Hypertext Transfer Protocol (HTTP) | Transmits web traffic between web servers and browsers. | 80 | 443 (HTTPS)

Enhancing Email Security

Securing email is a complex task and there are controls other than encryption that you should
consider deploying to further protect email, such as preventing forged email messages. SPF,
DKIM, and DMARC are all email authentication methods that help prevent email fraud and
abuse by verifying the authenticity of the sender's domain and ensuring that the email has not
been modified during transit.

Email Authentication Methods

Method | Description
Sender Policy Framework (SPF) | Uses DNS records to define which IP addresses are authorized to send emails on behalf of a domain.
DomainKeys Identified Mail (DKIM) | Uses public key cryptography to sign and verify an email's domain and content.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) | Builds on top of SPF and DKIM by allowing domain owners to set policies for handling emails that fail authentication checks and providing reporting mechanisms.

Together, SPF, DKIM, and DMARC provide a robust framework for email authentication and
help protect users from spam, phishing, and other types of email-based attacks.
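An added example, not from the page, of the decision a receiving mail server makes with SPF and DMARC: it evaluates a constructed SPF TXT record (the ip4, ip6, include and all mechanisms only) against the IP that delivered the message, reads the constructed _dmarc policy, and applies that policy when neither SPF nor an aligned DKIM signature passes. DKIM signature verification itself is represented by a boolean; the domains and DNS records are constructed and the DNS lookup is a dictionary.

```python
import ipaddress

# Constructed DNS TXT records for fictional domains (not real DNS data).
DNS_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.test": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.test",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed records above."""
    return DNS_TXT.get(name)


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for the connecting IP.
    Returns pass, fail, softfail, neutral, or none (no usable record).
    Mechanisms are tried left to right; the first match decides, as in SPF."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        matched = False
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = ip.version == network.version and ip in network
        elif mechanism == "include":
            # include: matches only when the referenced domain's record passes
            matched = check_spf(argument, sender_ip, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def dmarc_policy(domain):
    """Parse the _dmarc.<domain> TXT record into its tags; {} when absent."""
    record = lookup_txt(f"_dmarc.{domain}")
    if not record:
        return {}
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)


def disposition(domain, sender_ip, dkim_aligned=False):
    """What the receiver does with the message: SPF pass or an aligned DKIM
    signature satisfies DMARC; otherwise the domain owner's p= policy applies."""
    if check_spf(domain, sender_ip) == "pass" or dkim_aligned:
        return "accept"
    return dmarc_policy(domain).get("p", "none")


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "203.0.113.9"):
        print(ip, "spf =", check_spf("example.test", ip),
              "-> disposition", disposition("example.test", ip))
```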

Email Gateways

Email gateways are network devices or software applications that act as a barrier between an
organization’s internal email system and the external internet, filtering incoming and outgoing
emails for spam, malware, and other types of threats.

Summary

Use Case | Protocol | Unencrypted Port | Encrypted Port | Security Enhancements
Email Transmission | SMTP | 25 | 587 | SPF, DKIM, DMARC, Email Gateways
Email Retrieval | POP3 | 110 | 995 | SPF, DKIM, DMARC, Email Gateways
Email Management | IMAP | 143 | 993 | SPF, DKIM, DMARC, Email Gateways
Web Traffic | HTTP | 80 | 443 | Use HTTPS for encrypted web traffic

Summary of Directory, Voice and Video, Remote Access, and Email Authentication Use Cases

Use Case | Protocol | Unencrypted Port | Encrypted Port | Notes
Directory Services | LDAP | 389 | 636 (LDAPS) | Used to query and manage directory services.
Voice and Video | RTP | Various | Various (SRTP) | Used for live audio and video streaming.
Remote Access | Telnet | 23 | 22 (SSH) | SSH provides secure remote access; Telnet is insecure and not recommended.
Remote Access | RDP | 3389 | | Used by Microsoft for remote desktop connections.
Remote Access | VPN | Various | | Provides secure network access over the internet.
Email Authentication | SPF, DKIM, DMARC | | | Prevents email fraud and verifies the authenticity of the sender's domain.

Directory Use Cases

Network operating systems commonly use a directory service to streamline management and
implement secure authentication. For example, many organizations use Microsoft Active
Directory Domain Services (AD DS). AD DS is a database of objects that provides a central
access point to manage users, computers, and other directory objects.

Common Directory Protocols and Their Secure Versions

Protocol | Description | Unencrypted Port | Encrypted Port
Lightweight Directory Access Protocol (LDAP) | Specifies the formats and methods used to query directories, such as Microsoft AD DS. | 389 | 636 (LDAPS)
LDAP Secure (LDAPS) | Encrypts LDAP data with TLS. | | 636

Windows domains use Active Directory, which is based on LDAP. Queries to Active Directory
use the LDAP format. Similarly, Unix realms use LDAP to identify objects. LDAP Secure
(LDAPS) uses encryption to protect LDAP transmissions. When a client connects with a server
using LDAPS, the two systems establish a Transport Layer Security (TLS) session, and TLS
encrypts all data sent between the two systems.

Key Points to Remember

● Directory services, such as Microsoft Active Directory Domain Services (AD DS), provide
authentication and authorization services for a network.
● AD DS uses LDAP, encrypted with TLS when querying the directory.

Voice and Video Use Cases

It’s common for an organization to transport voice and video over a network, and some
protocols work better with voice and video than others. UDP is commonly used instead of TCP
as the underlying protocol with live voice and video streaming.

Common Voice and Video Protocols

Protocol | Description | Port
Real-time Transport Protocol (RTP) | Delivers audio and video over IP networks, including VoIP communications and streaming media. | Various
Secure Real-time Transport Protocol (SRTP) | Provides encryption, message authentication, and integrity for RTP. | Various
Session Initiation Protocol (SIP) | Used to initiate, maintain, and terminate voice, video, and messaging sessions. | 5060, 5061

Securing Voice and Video Transmissions

Organizations often want to secure voice and video transmissions. The Secure Real-time
Transport Protocol (SRTP) provides encryption, message authentication, and integrity for RTP.

Metadata in SIP Messages

SIP uses request and response messages when establishing a session. These messages are
text, so it’s easy to read them if they are captured. After SIP establishes the session, RTP or
SRTP transports the audio or video. SIP messages don’t contain any data, but they do contain
metadata about sessions, including:

● Information on the equipment used
● Software used on the equipment
● Private IP addresses

SIP Logging

Many VoIP systems support SIP logging and can record these SIP messages. These logs may
be useful in detecting SIP-based attacks and can be used in forensic investigations when trying
to determine who is making certain calls and who they are calling.
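The metadata described above, pulled out of a logged SIP message the way an investigator reviewing SIP logs would, as an added example that is not part of the page: caller, callee, the user agent (equipment and software) and any private IP addresses carried in the headers. The INVITE, its extension numbers, host names and addresses are all constructed.

```python
import ipaddress
import re

# Constructed SIP INVITE as a VoIP system's SIP log might record it (not a real capture).
SAMPLE_INVITE = """\
INVITE sip:2001@pbx.example.test SIP/2.0
Via: SIP/2.0/UDP 192.168.10.25:5060;branch=z9hG4bK776asdhds
From: "Alice" <sip:1001@pbx.example.test>;tag=1928301774
To: <sip:2001@pbx.example.test>
Call-ID: a84b4c76e66710@192.168.10.25
CSeq: 314159 INVITE
Contact: <sip:1001@192.168.10.25:5060>
User-Agent: ExamplePhone/4.2.1 (hw 2.0)
Content-Type: application/sdp
Content-Length: 0

"""

# RFC 1918 ranges, as listed later on this page.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SIP_USER_RE = re.compile(r"sip:([^@>;]+)@")


def parse_sip_message(text):
    """Split a SIP request into its start line and a dict of headers (names lower-cased).
    SIP is plain text, so a log reviewer needs nothing more than this."""
    head, _, _body = text.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


def session_metadata(text):
    """The metadata the page lists as exposed in SIP messages: who is calling whom,
    what equipment and software they use, and private addresses leaked in signalling."""
    start_line, headers = parse_sip_message(text)
    method, target = start_line.split()[:2]
    header_text = "\n".join(f"{k}: {v}" for k, v in headers.items())
    private_ips = sorted({ip for ip in IPV4_RE.findall(header_text) if is_private(ip)})
    return {"method": method, "target": target,
            "from": headers.get("from", ""), "to": headers.get("to", ""),
            "user_agent": headers.get("user-agent", ""),
            "call_id": headers.get("call-id", ""), "private_ips": private_ips}


def call_record(text):
    """One line in the shape a forensic timeline would use: caller -> callee,
    device, and the internal host the call came from."""
    meta = session_metadata(text)
    caller = SIP_USER_RE.search(meta["from"])
    callee = SIP_USER_RE.search(meta["to"])
    return (f'{meta["method"]} {caller.group(1) if caller else "?"} -> '
            f'{callee.group(1) if callee else "?"} via {meta["user_agent"] or "unknown UA"} '
            f'[{", ".join(meta["private_ips"]) or "no private IPs"}]')


if __name__ == "__main__":
    print(call_record(SAMPLE_INVITE))
```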

Important Points

● RTP: Delivers audio and video over IP networks, commonly used for VoIP and streaming
media.
● SRTP: Secures RTP by providing encryption, message authentication, and integrity.
● SIP: Initiates, maintains, and terminates voice, video, and messaging sessions. SIP logs
can be useful in detecting attacks and forensic investigations.

Summary

Use Case | Protocol | Unencrypted Port | Encrypted Port | Notes
Voice and Video | RTP | Various | Various (SRTP) | Used for live audio and video streaming.
Session Management | SIP | 5060, 5061 | | Used to initiate, maintain, and terminate sessions for voice and video.

Remote Access Use Case

There are many situations in which personnel need to access systems from remote locations.
For example, imagine a server room hosts hundreds of servers, including domain controllers for
a Microsoft domain. If administrators need to create a user account or implement a change in a
Group Policy Object (GPO), they would rarely go to the server room. Instead, they would access
the server remotely and make the change from their desk computer.

Common Remote Access Protocols

Protocol | Description | Port
Telnet | Sends data, including usernames and passwords, in cleartext. Not recommended for use. | 23
Secure Shell (SSH) | Encrypts traffic in transit and provides secure remote access to servers. | 22
Remote Desktop Protocol (RDP) | Used by Microsoft for Remote Desktop Services and Remote Assistance. | 3389
Virtual Private Network (VPN) | Provides secure access to a network over the internet. | Various

Years ago, administrators often used Telnet when remotely administering systems. However,
Telnet sends data, including usernames and passwords, over the network in cleartext, and it
isn’t recommended for use. Today, administrators commonly use SSH instead of Telnet.

Administrators and clients often use Remote Desktop Protocol (RDP) to connect to other
systems from remote locations. Microsoft uses RDP in different solutions such as Remote
Desktop Services and Remote Assistance. RDP uses TCP port 3389. A common reason users
cannot connect to systems with RDP is that port 3389 is blocked on a host-based or network
firewall.

Another method of supporting remote access use cases is with a virtual private network (VPN).

Key Points to Remember

● Administrators connect to servers remotely using protocols such as Secure Shell (SSH)
and the Remote Desktop Protocol (RDP).
● In some cases, administrators use virtual private networks (VPNs) to connect to remote
systems.

Summary

Use Case | Protocol | Port | Notes
Remote Access | Telnet | 23 | Sends data in cleartext, not recommended.
Remote Access | SSH | 22 | Provides secure remote access to servers.
Remote Access | RDP | 3389 | Used by Microsoft for remote desktop connections.
Remote Access | VPN | Various | Provides secure network access over the internet.

Overview of OpenSSH
OpenSSH is a suite of tools that simplifies the use of SSH to connect to remote servers
securely. It also supports the use of SCP and SFTP to transfer files securely. While OpenSSH is
open source, many commercial products have integrated it into their applications.
Tool | Description
OpenSSH | A suite of tools to securely connect to remote servers using SSH, SCP, and SFTP.

Example Usage of OpenSSH Commands

Command | Description | Example
ssh | Initiates an SSH connection to a remote server using the default SSH port (22). | ssh gcga
ssh | Initiates an SSH connection using a specific user account on the remote system. | ssh root@gcga
ssh-keygen | Creates a public/private key pair for passwordless SSH login. | ssh-keygen -t rsa
ssh-copy-id | Copies the public key to the remote server to enable passwordless SSH login. | ssh-copy-id root@gcga

Detailed Steps for Setting Up Passwordless SSH

Step | Command | Description
Generate key pair | ssh-keygen -t rsa | Creates a matched pair of a public and a private key.
Public key file | id_rsa.pub | The file containing the public key. This file can be shared.
Private key file | id_rsa | The file containing the private key. This file must stay private.
Copy public key to server | ssh-copy-id root@gcga | Copies the public key to the remote server.
Connect using SSH | ssh root@gcga | SSH will automatically use the key pair to provide strong authentication without a password.
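What the ssh-copy-id step does on the server side, and why the private key's file mode matters, as an added example that is not from the page or from OpenSSH: an idempotent install of a public key line into authorized_keys with the directory and file modes sshd expects (0700 and 0600), plus an audit that flags an id_rsa readable by other users. The key material is a constructed, syntactically valid placeholder, not a usable key, and demo() runs everything in a scratch directory.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path


def constructed_pubkey(comment="user@laptop"):
    """A syntactically valid 'ssh-rsa <base64> <comment>' line for the demo.
    The exponent/modulus fields are constructed filler, NOT a real key."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b          # SSH wire format: length-prefixed
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\x42" * 256)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Validate a public key line: '<type> <base64 blob> [comment]'. The blob's first
    field repeats the key type, so a mismatch means a corrupted or tampered line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        raise ValueError(f"blob type {blob[4:4 + n]!r} does not match {ktype!r}")
    return ktype, b64, parts[2] if len(parts) == 3 else ""


def install_public_key(ssh_dir, pubkey_line):
    """Server-side equivalent of ssh-copy-id: create ~/.ssh (0700) and append the key
    to authorized_keys (0600) unless that exact key is already present.
    Returns True if the key was added, False if it was already there."""
    ktype, b64, _comment = parse_pubkey_line(pubkey_line)
    ssh_dir = Path(ssh_dir)
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    for entry in existing:
        fields = entry.split()
        if len(fields) >= 2 and fields[0] == ktype and fields[1] == b64:
            return False
    with open(auth, "a") as fh:
        fh.write(pubkey_line.strip() + "\n")
    os.chmod(auth, 0o600)
    return True


def audit_key_permissions(ssh_dir):
    """Files under ~/.ssh that sshd would refuse or an admin should fix: the private
    key and authorized_keys must not be readable or writable by group/others."""
    problems = []
    for name in ("id_rsa", "authorized_keys"):
        path = Path(ssh_dir) / name
        if path.exists():
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & 0o077:
                problems.append(f"{name}: mode {mode:04o} is too open; expected 0600")
    return problems


def demo():
    """Run the whole flow in a throwaway directory and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp) / ".ssh"
        key = constructed_pubkey()
        added_first = install_public_key(ssh_dir, key)
        added_second = install_public_key(ssh_dir, key)       # same key again: no duplicate
        private_key = ssh_dir / "id_rsa"
        private_key.write_text("constructed private key placeholder\n")
        os.chmod(private_key, 0o644)                           # deliberately too open
        problems_before = audit_key_permissions(ssh_dir)
        os.chmod(private_key, 0o600)                           # the fix
        return {"added_first": added_first, "added_second": added_second,
                "authorized_keys_lines": len((ssh_dir / "authorized_keys").read_text().splitlines()),
                "problems_before_fix": problems_before,
                "problems_after_fix": audit_key_permissions(ssh_dir)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```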

Security Aspects of OpenSSH

Aspect | Description
Encryption | Encrypts traffic in transit, ensuring secure remote access to servers.
Authentication | Supports passwordless login using public/private key pairs, enhancing security by avoiding password entry.
Integration | Integrated into many commercial products for secure remote connections and file transfers.

Key Points to Remember

Key Point | Details
OpenSSH Suite | Simplifies the use of SSH to securely connect to remote servers and transfer files using SCP and SFTP.
ssh-keygen Command | Creates a public/private key pair for secure, passwordless SSH authentication.
ssh-copy-id Command | Copies the public key to the remote server, enabling passwordless SSH login.
Private Key Security | The private key (id_rsa) must always stay private and not be shared.

Summary of OpenSSH Commands

Command | Description
ssh | Initiates an SSH connection to a remote server.
ssh-keygen | Creates a public/private key pair for passwordless SSH login.
ssh-copy-id | Copies the public key to the remote server.

Time Synchronization Use Case

There are many instances when systems need to be using the same time (or at least a
reasonably close time). A common use case is to ensure systems have accurate time. For
example, Kerberos requires all systems to be synchronized and be within five minutes of each
other.

Time Synchronization Protocols

Protocol | Description | Port
Network Time Protocol (NTP) | Allows systems to synchronize their time to within tens of milliseconds. | 123
Windows Time Service | Used by domain controllers to locate a reliable Internet server running NTP for time synchronization. | N/A

Example Time Synchronization Setup

Step | Description
Primary Domain Controller Sync | Uses Windows Time service to synchronize with an Internet NTP server.
Other Domain Controllers Sync | Periodically synchronize their time with the primary domain controller.
Domain Computers Sync | Synchronize their time with one of the domain controllers.

Network Address Allocation Use Case

Network address allocation refers to allocating IP addresses to hosts within your network. This
is typically done using the Dynamic Host Configuration Protocol (DHCP) to dynamically assign
IP addresses to hosts.

Network Address Allocation Protocols

Protocol | Description | Port
Dynamic Host Configuration Protocol (DHCP) | Dynamically assigns IP addresses and other TCP/IP information to hosts. | 67, 68

IPv4 Addressing

Type | Description | Example
IPv4 | Uses 32-bit IP addresses expressed in dotted decimal format. | 192.168.1.5
Public IP Addresses | Tightly controlled and purchased or rented from ISPs. | Assigned by ISP
Private IP Addresses | Allocated within private networks and not routable on the Internet. | 10.0.0.0 - 10.255.255.255; 172.16.0.0 - 172.31.255.255; 192.168.0.0 - 192.168.255.255

IPv6 Addressing

Type | Description | Example
IPv6 | Uses 128-bit IP addresses expressed in hexadecimal format. | fe80:0000:0000:0000:02d4:3ff7:003f
Unique Local Addresses | Allocated within private networks and not assigned to systems on the Internet. | fc00::/7

Summary Tables

Time Synchronization Protocols

Protocol | Description | Port
Network Time Protocol (NTP) | Allows systems to synchronize their time to within tens of milliseconds. | 123
Windows Time Service | Used by domain controllers to locate a reliable Internet server running NTP for time synchronization. | N/A
Network Address Allocation Protocols

Protocol | Description | Port
Dynamic Host Configuration Protocol (DHCP) | Dynamically assigns IP addresses and other TCP/IP information to hosts. | 67, 68

Private IPv4 Address Ranges

Range | Description
10.0.0.0 - 10.255.255.255 | Private IP address range specified by RFC 1918.
172.16.0.0 - 172.31.255.255 | Private IP address range specified by RFC 1918.
192.168.0.0 - 192.168.255.255 | Private IP address range specified by RFC 1918.

Public IP Address Ranges

Public IP addresses are globally unique and assigned by the Internet Assigned Numbers
Authority (IANA) and regional internet registries (RIRs).

Class | Range | CIDR Notation | Description
A | 1.0.0.0 – 126.255.255.255 | /8 | Large networks
B | 128.0.0.0 – 191.255.255.255 | /16 | Medium-sized networks
C | 192.0.0.0 – 223.255.255.255 | /24 | Small networks
Private IP Address Ranges

Private IP addresses are used within private networks and are not routable on the internet.

Range | CIDR Notation | Description
10.0.0.0 – 10.255.255.255 | /8 | Large private networks
172.16.0.0 – 172.31.255.255 | /12 | Medium-sized private networks
192.168.0.0 – 192.168.255.255 | /16 | Small private networks

IPv6 Addressing

Type | Description | Example
IPv6 | Uses 128-bit IP addresses expressed in hexadecimal format. | fe80:0000:0000:0000:02d4:3ff7:003f
Unique Local Addresses | Allocated within private networks and not assigned to systems on the Internet. | fc00::/7

Overview of Domain Name System (DNS)


The primary purpose of the Domain Name System (DNS) is for domain name resolution. DNS
resolves hostnames to IP addresses. Systems are constantly querying DNS, though it is usually
transparent to users.

Function | Description | Example
Domain Name Resolution | Resolves hostnames to IP addresses. | Resolving https://getcertifiedgetahead.com/ to an IP address
DNS Queries | Systems constantly query DNS, usually transparent to users. | Querying DNS to access a website

DNS Query Process


Step Description Example

User Action User enters URL or clicks a User enters


link in a web browser. https://getcertifiedgetahead.com/ in
the browser

DNS System queries a DNS System queries DNS server for


Server server for the site's IP getcertifiedgetahead.com
Query address.

Server DNS server responds with DNS server responds with 192.168.1.1 if
Response IP address if known, or known, otherwise queries other DNS servers
queries other DNS servers.

Caching Both DNS servers and DNS server and client cache the IP address
clients cache the answers to 192.168.1.1 for
avoid repeating the queries. getcertifiedgetahead.com

Types of DNS Records


Record Name Description Example
Type

A Host Holds the hostname getcertifiedgetahead.com ->


Record and IPv4 address. 192.168.1.1
Responds to forward
lookup requests with
IPv4 address.

27
AAAA Host Holds the hostname getcertifiedgetahead.com ->
Record and IPv6 address. fe80::1
(IPv6) Similar to A record but
for IPv6.

PTR Pointer Opposite of A record, 192.168.1.1 ->


Record used for reverse getcertifiedgetahead.com
lookups by providing
the name associated
with an IP address.

MX Mail Identifies a mail server mail.getcertifiedgetahead.com ->


Exchange used for email, linked to 192.168.1.2
A or AAAA records.

CNAME Canonical Allows multiple names fileserver.getcertifiedgetahead


Name to be associated with a .com ->
single IP address. server1.getcertifiedgetahead.co
m

SOA Start of Contains information getcertifiedgetahead.com SOA


Authority about the domain or record with TTL settings
zone and its settings,
including TTL (Time to
Live) for DNS records.

DNS Query Process Flow


Step Action Example

1. User Action User enters URL in web User enters


browser. https://getcertifiedgetahead.com/

2. Client-Side Check if the IP is already System checks local cache for


Cache Check in the cache. getcertifiedgetahead.com

3. DNS Server Query DNS server if IP System queries DNS server for
Query not found in cache. getcertifiedgetahead.com

4. Server Knows DNS server responds DNS server responds with 192.168.1.1
the Answer with IP address.

28
5. Server Does Recursive query to other DNS server queries other DNS servers for
Not Know DNS servers if IP not getcertifiedgetahead.com
known.

6. Recursive Query root, TLD, and Recursive queries to root, TLD, and
DNS Query authoritative DNS authoritative servers
servers.

7. Response Cache the response on DNS server and client cache 192.168.1.1
Caching DNS server and for getcertifiedgetahead.com
client-side.

8. Establish Client uses the IP Client connects to 192.168.1.1


Connection address to establish a
connection.

Detailed Description of DNS Records


Record Full Name Details Example
Type

A Host Holds hostname and getcertifiedgetahead.com ->


Record IPv4 address, most 192.168.1.1
used record in DNS
server. Responds with
IPv4 address in forward
lookup.

AAAA Host Holds hostname and getcertifiedgetahead.com ->


Record IPv6 address, similar to fe80::1
(IPv6) A record but for IPv6.

PTR Pointer Opposite of A record, 192.168.1.1 ->


Record used for reverse getcertifiedgetahead.com
lookups. Provides
hostname when queried
with an IP address.

MX Mail Identifies mail server for mail.getcertifiedgetahead.com ->


Exchange email, linked to A or 192.168.1.2
AAAA record of the mail
server. Primary mail
server has the lowest
preference number.

29
CNAME Canonical Allows multiple names fileserver.getcertifiedgetahead
Name for a single IP address, .com ->
useful for aliases. server1.getcertifiedgetahead.co
m

SOA Start of Contains domain or getcertifiedgetahead.com SOA


Authority zone information and record with TTL settings
settings, including TTL
for DNS records. Clients
use TTL to cache
results.

DNS Poisoning and DNSSEC

DNS poisoning (DNS cache poisoning): an attacker inserts a bogus record into a DNS cache so that lookups return the attacker's IP address instead of the legitimate one. Example: the attacker replaces the A or AAAA record for msn.com in a resolver's cache, and every user of that resolver is sent to a malicious site until the entry expires.

DNSSEC (Domain Name System Security Extensions): a suite of extensions to DNS that lets a resolver validate that a response came from the zone's owner and was not altered. Its primary function is to prevent cache poisoning by providing data integrity and origin authentication for DNS replies. It does not encrypt queries or responses (DNS over TLS/HTTPS does that) and it does not protect against a legitimate zone publishing a bad record.

Key components:
- RRSIG (resource record signature): a digital signature over each set of records (RRset) in the zone, returned alongside the records.
- DNSKEY: the zone's public keys used to verify RRSIGs.
- DS (delegation signer): a hash of the child zone's key published in the parent zone, building a chain of trust from the root down to the domain.

Validation process: when a validating DNS server receives a DNSSEC-signed response, it fetches the RRSIG and DNSKEY, verifies the signature over the RRset, and checks the DS chain up to the root trust anchor. A record that has been tampered with fails validation and is discarded instead of cached.

Detailed example:
- Attack scenario: an attacker wants to redirect users visiting msn.com to a malicious site by modifying the DNS cache.
- Attack method: the attacker changes the A or AAAA record for msn.com in the cache, replacing the legitimate IP address with the malicious site's address.
- Prevention: with DNSSEC, the msn.com records are signed (RRSIG); a forged record has no valid signature.
- Validation: the DNS server checks the RRSIG to verify the response's integrity and authenticity.
- Outcome: the altered response fails validation and is discarded (the resolver returns SERVFAIL rather than a wrong answer), so users are not redirected.

Caveat: DNSSEC only protects when the zone is signed and the resolver validates. A client that trusts a non-validating resolver, or the unauthenticated hop between client and resolver, remains exposed unless the client validates itself.

Basic Network Infrastructure

Network: connects computing devices so that users can share resources such as data, printers and other devices.
Host: any device with an IP address; also called a client or node.
Switch: connects hosts together within a network (Layer 2).
Router: connects multiple networks together to form larger networks (Layer 3).

IPv4 Addressing Methods

Unicast (one-to-one): one host sends traffic to a single destination IP address; only the host with that address processes the packet. Example: one computer sends an email or a file directly to another computer.
Broadcast (one-to-all): one host sends to every host on the subnet using a broadcast address (255.255.255.255, the limited broadcast, or the subnet's directed broadcast address such as 192.168.1.255); every host on the segment receives and processes it. Example: a network discovery message, or an ARP (Address Resolution Protocol) request asking which device owns an IP address so the sender can learn its MAC address. Routers do not forward broadcasts, which keeps them within one subnet.

Use Cases for Network Devices

Switch: connects computers, printers and other devices within the same network so they can communicate and share files and printers.
Router: connects multiple networks, for example a home network to the Internet, routing traffic between them so every device on the home network can reach external services.

Switch Operations

Switch function: devices connect to the switch's physical ports; when two devices communicate, the switch creates an internal switched path between their two ports.
MAC address table: a table the switch maintains mapping each learned MAC address to the port on which it was seen (also called the CAM table).
Unicast traffic: forwarded only to the port associated with the destination MAC address. If the destination MAC is not yet in the table, the frame is flooded out of every port except the one it arrived on (unknown unicast).
Broadcast traffic: forwarded to all ports except the one it arrived on.

Example scenario (Lisa on port 1, Homer on port 4):
1. Initial state: the switch has four physical ports and an empty MAC address table.
2. First frame (Lisa to Homer): Lisa's computer sends a frame addressed to Homer's MAC address. The switch records Lisa's MAC on port 1, does not yet know Homer's port, and floods the frame to ports 2, 3 and 4.
3. Learning: Homer replies; the switch records Homer's MAC on port 4 and forwards the reply only to port 1.
4. Future unicast traffic: frames between Lisa and Homer are now switched only between ports 1 and 4.
5. Security implication: an attacker on another port (say port 3) cannot passively capture the Lisa-Homer unicast traffic. Broadcast traffic is still delivered to every port, and an attacker can try to defeat the table by MAC flooding (filling it with bogus addresses until the switch floods everything), which is one reason to limit the MAC addresses per port (see Hardening Switches).

Hub vs. Switch

Hub: repeats every frame, unicast included, out of every port. An attacker on any port can capture all traffic with a protocol analyzer.
Switch: forwards unicast frames only to the destination port. An attacker on another port cannot capture them unless the switch itself is attacked or a monitoring (mirror/SPAN) port is configured.

Hardening Switches

Port security: a family of per-port controls that limit which computers can use a physical port. It includes disabling unused ports and limiting the number of MAC addresses allowed per port.
Disabling unused ports: administrators shut down ports with nothing connected, so an unauthorized device plugged into a spare wall jack gets no network access.
MAC filtering (MAC address filtering): restricts a port to traffic from specific MAC addresses.
- Simple (sticky) implementation: the switch remembers the first one or two MAC addresses seen on the port and blocks any others. This also blunts MAC flooding, because the port can never introduce thousands of new addresses.
- Advanced implementation: the administrator manually configures each port with the exact MAC address(es) permitted. This gives the highest level of control but is labor-intensive.
Violation handling: when a port sees a disallowed MAC address the switch typically drops the frames, logs the event, and can shut the port down (error-disabled) until an administrator re-enables it.
Caveat: MAC addresses are easy to spoof, so port security raises the bar against casual or accidental connections; it is not authentication of the device.

Physical vs. logical ports: a physical port is a jack on a switch or router where a cable plugs in. A logical port is the number carried in a TCP or UDP header (for example 443) that identifies a service, connection endpoint, process or protocol. Port security applies to physical ports; firewall rules refer to logical ports.

Remember this: port security includes disabling unused ports and limiting the number of MAC addresses per port. The strictest form restricts each physical port to a single specific MAC address, for example a port configured to accept only the MAC address of one known device.

Broadcast Storm and Loop Prevention

Switching loop: occurs when there is more than one Layer 2 path between switches, or a cable joins two ports of the same switch. Ethernet frames carry no hop limit, so broadcast and unknown-unicast frames circulate indefinitely and multiply at every switch. The resulting broadcast storm saturates links and switch CPUs until the network is unusable.
STP/RSTP: Spanning Tree Protocol (IEEE 802.1D) and Rapid Spanning Tree Protocol (802.1w) detect redundant paths and block the extra ports, leaving a loop-free tree while keeping the redundant links as backups that activate if the primary fails.
Importance: protects against both accidental and deliberate loops and keeps network performance intact.
Example: an attacker (or a careless user) connects a patch cable between two RJ-45 jacks, creating a loop. STP/RSTP detects it and blocks one of the ports.

BPDU Guard

BPDU messages: Bridge Protocol Data Units are the frames switches exchange to run STP, elect the root bridge and decide which ports to block.
Edge ports: ports connected to end devices such as computers and printers, which should never send BPDUs.
BPDU guard: a feature that error-disables an edge port if a BPDU arrives on it. It blocks BPDU attacks, in which a rogue switch or a host sending crafted BPDUs tries to join the spanning tree, for example by claiming to be the root bridge so that traffic is re-routed through it.
Example: a malicious actor plugs a switch into a desk jack and sends false BPDUs to disrupt the network; BPDU guard disables the port.
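The switch behaviour described in Switch Operations, Hardening Switches and BPDU Guard, as one added example that is not from the original notes: an offline simulation of MAC learning and flooding (the Lisa/Homer scenario on ports 1 and 4), a sticky one-MAC-per-port limit that error-disables a port on violation, and BPDU guard on edge ports. The MAC addresses are from the 00:00:5e:00:53:00/24 documentation range and are constructed; the violation behaviour (shut the port) is one of the common responses, not the only one.

```python
"""Layer 2 switch behaviour simulated offline: MAC learning, flooding of
broadcast and unknown-unicast frames, port security (a sticky MAC limit per
port) and BPDU guard on edge ports.

Added example, not from the original notes. Ports 1 and 4 follow the
Lisa/Homer scenario; the MAC addresses are from the 00:00:5e:00:53:00/24
documentation range and are constructed.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
STP_MULTICAST = "01:80:c2:00:00:00"   # destination MAC of STP BPDUs


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: int
    max_macs_per_port: int = 1                      # port-security limit
    edge_ports: set = field(default_factory=set)    # BPDU guard applies here
    mac_table: dict = field(default_factory=dict)   # mac -> port
    disabled: set = field(default_factory=set)      # err-disabled ports
    log: list = field(default_factory=list)

    def _macs_on(self, port):
        return {m for m, p in self.mac_table.items() if p == port}

    def receive(self, in_port, frame):
        """Process one frame arriving on in_port and return the list of ports
        it is forwarded out of (empty if the frame is dropped)."""
        if in_port in self.disabled:
            self.log.append(f"port {in_port}: dropped, port is err-disabled")
            return []

        # BPDU guard: an edge port (PC, printer) must never send STP BPDUs.
        if frame.dst == STP_MULTICAST and in_port in self.edge_ports:
            self.disabled.add(in_port)
            self.log.append(f"port {in_port}: BPDU on edge port, err-disabled")
            return []

        # Port security: learn the source MAC unless the port is already full.
        # This is also what defeats MAC flooding (thousands of fake sources).
        known = self._macs_on(in_port)
        if frame.src not in known and len(known) >= self.max_macs_per_port:
            self.disabled.add(in_port)
            self.log.append(f"port {in_port}: violation by {frame.src}, err-disabled")
            return []
        self.mac_table[frame.src] = in_port

        # Forwarding decision.
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            out = [p for p in range(1, self.ports + 1)
                   if p != in_port and p not in self.disabled]
            why = "broadcast" if frame.dst == BROADCAST else "unknown unicast, flooded"
        elif self.mac_table[frame.dst] == in_port:
            out = []                                # destination is on the same port
            why = "same segment, dropped"
        else:
            out = [self.mac_table[frame.dst]]
            why = "known unicast"
        self.log.append(f"port {in_port} -> {out} ({why})")
        return out


if __name__ == "__main__":
    lisa, homer = "00:00:5e:00:53:01", "00:00:5e:00:53:04"
    sw = Switch(ports=4, edge_ports={1, 2, 3, 4})
    sw.receive(1, Frame(lisa, homer))     # flooded: Homer's port is unknown
    sw.receive(4, Frame(homer, lisa))     # reply goes only to port 1
    sw.receive(1, Frame(lisa, homer))     # now switched 1 -> 4 only
    print("\n".join(sw.log))
```

Setting max_macs_per_port to 2 gives the "first one or two addresses" behaviour the notes describe; a hub is the degenerate case where every frame takes the flooding branch, which is why a protocol analyzer on any hub port sees everything.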

Router Functions

Router function: connects multiple network segments and routes traffic between them based on destination IP address. Routers do not forward broadcasts, so each router interface bounds a broadcast domain.
Broadcast domains: segmenting a network with routers shrinks each broadcast domain, which reduces the broadcast traffic every host must process and improves performance.
Example: a home router connects the home network to the Internet, routing traffic between the two.

Hardening Routers

Router ACLs: access control lists are ordered rules that permit or deny inbound and outbound traffic based on source and destination IP addresses, protocols and ports.
Implicit deny: any traffic not explicitly permitted by an ACL rule is dropped. This is the unwritten final rule of every ACL.
Example: an ACL permits HTTP traffic and nothing else; everything else is blocked by the implicit deny. Because the implicit deny also blocks return traffic and management protocols, ACLs should be tested from both directions before deployment.

Route Command

route: displays or modifies the local routing table on Windows and Linux (on modern Linux, ip route is the preferred equivalent).
Default gateway: the router a host sends traffic to when the destination is not on a directly connected network, typically the path to the Internet.
Route security: malware, or a rogue DHCP server, can change the default gateway or add routes that send traffic through an attacker's system. Verifying that the routing table points to the known default gateway detects this kind of malicious rerouting.
Example: route print (Windows) displays the routing table; route add adds a path to a different network.

Key Points to Remember
- Port security: includes disabling unused ports and limiting the number of MAC addresses per port.
- STP/RSTP: provide broadcast storm and loop prevention.
- BPDU guard: monitors edge ports and disables them if unwanted BPDU messages arrive.
- Router ACLs: identify what traffic is allowed and blocked based on IP addresses, ports and protocols.
- Implicit deny: blocks all access that has not been explicitly granted, acting as the last rule in an ACL.

Simple Network Management Protocol (SNMP)

SNMP function: monitors and manages network devices such as routers and switches.
SNMP agents: run on managed devices, answer queries from an SNMP manager and send unsolicited notifications known as SNMP traps when events occur.
Ports: agents listen on UDP 161 for manager requests; managers receive traps on UDP 162. The ports are the same for every SNMP version.
Versions:
- SNMPv1 and SNMPv2c: authenticate with community strings sent in cleartext (the well-known defaults are "public" for read and "private" for write), so anyone who can sniff the traffic can read device configuration or, with the write string, change it.
- SNMPv3: adds user-based authentication (the password is never sent; an HMAC proves possession of it) and, in authPriv mode, encryption of the management traffic.
Example use case: managing and monitoring devices with SNMPv3 in authPriv mode, with UDP 161/162 blocked at the network edge so devices can only be managed from the internal management network.

Firewall Types

Firewall function: filters incoming and outgoing traffic so that only specific, allowed types of traffic enter or leave a network or host.
Analogy: like the firewall in a car, which separates the engine compartment from the passengers, it keeps harmful elements (attackers) from reaching the protected side.
Basic capability: packet filtering with an implicit deny rule.
Advanced capability: content and application-level filtering beyond simple packet filtering.

Host-Based Firewalls

Function: monitors traffic going in and out of a single host, such as a server or workstation.
Implementation: included in most operating systems (Microsoft Defender Firewall on Windows, nftables/iptables on Linux) and available as third-party software.
Configuration: rules allow or restrict inbound and outbound traffic, often per application.
Benefit: protects the individual system even when an attacker is already inside the network perimeter, and controls host-to-host (east-west) traffic that a border firewall never sees.
Example use case: a host-based firewall on every system as part of a defense-in-depth strategy.

Network-Based Firewalls

Function: protects an entire network by filtering the traffic going in and out of it.
Form factor: typically a hardware appliance, or a virtual appliance running on a virtualization platform or in the cloud.
Network interface cards: two or more NICs; all traffic enters on one interface and must pass the rule set before leaving on another.
Placement: usually at the network border between the internal network (intranet) and the Internet, and between internal security zones.
Example use case: a network-based firewall protecting the organization's internal network from external threats.

Key Points to Remember
- SNMPv3: manages and monitors network devices securely (authentication and encryption) over UDP ports 161 and 162.
- Host-based firewalls protect individual hosts; network-based firewalls protect an entire network.
- Defense in depth: use host-based and network-based firewalls together.

Stateless Firewall Rules

Function: a stateless (packet-filtering) firewall evaluates each packet against an ACL in isolation, treating it as a new event with no memory of earlier packets in the same connection.
Implicit deny: anything not explicitly allowed is blocked, typically expressed as a final deny any any or drop all rule.
Elements of an ACL rule:
- Permission: PERMIT or ALLOW to allow traffic, DENY to block it.
- Protocol: TCP, UDP, IP (any IP protocol), ICMP, etc.
- Source: the source IP address or network, or any.
- Destination: the destination IP address or network, or any.
- Port or protocol: the destination port or service (e.g., port 443 for HTTPS).

Example ACL:
PERMIT TCP from 192.168.1.100 to 192.168.1.200 on port 443 (HTTPS)
DENY IP from any to any (the explicit form of the implicit deny)

Rules are evaluated top to bottom and the first match wins, so the deny-all rule must come last; placed first it would block everything, including the HTTPS traffic the first rule intends to allow.

Stateful Firewalls

Function: tracks each session in a connection table and permits packets only if they belong to an established session or legitimately start one. Return traffic for a connection opened from inside is allowed automatically, without a separate inbound rule.
Operation: operates at the Transport layer (Layer 4) of the OSI model; stateful firewalls are also called Layer 4 firewalls.
Example: a stateful firewall sees a TCP packet with the ACK flag set for which it has no three-way handshake on record, and drops it as suspicious. A stateless filter has to accept all "established" packets to let replies through, which an attacker exploits by setting the ACK flag on a port scan.
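The two models above side by side, as an added example that is not from the original notes: a stateless evaluator for the notes' example ACL (first match wins, implicit deny when nothing matches) and a minimal stateful tracker that follows the TCP handshake and drops inbound packets with no matching session. The inside network 192.168.1.0/24, the outside host 203.0.113.5 (a documentation address) and the packets are constructed; the Packet and Rule classes are this example's own, not a firewall product's API.

```python
"""Stateless ACL evaluation with implicit deny, next to a minimal stateful
TCP connection tracker.

Added example, not from the original notes. The ACL is the notes' example
(permit 192.168.1.100 -> 192.168.1.200:443, then deny any any); the inside
network 192.168.1.0/24, the outside host 203.0.113.5 (documentation range)
and the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    sport: int = 0
    flags: frozenset = frozenset()  # TCP flags such as {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (any)
    src: str                        # CIDR or "any"
    dst: str
    dport: Optional[int] = None     # None means any port

    def matches(self, pkt):
        def in_net(addr, spec):
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        return (self.proto in ("ip", pkt.proto)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl, pkt):
    """Stateless evaluation: first matching rule wins, and a packet that
    matches nothing is dropped (implicit deny)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


ACL = [
    Rule("permit", "tcp", "192.168.1.100/32", "192.168.1.200/32", 443),
    Rule("deny", "ip", "any", "any"),   # explicit form of the implicit deny
]


class StatefulFirewall:
    """Allows TCP sessions opened from the inside network and the return
    traffic that belongs to them. A packet that does not fit the recorded
    handshake state (a bare ACK or SYN/ACK with no session) is dropped."""

    def __init__(self, inside):
        self.inside = ipaddress.ip_network(inside)
        self.sessions = {}   # (src, sport, dst, dport) -> state

    def process(self, pkt):
        if pkt.proto != "tcp":
            return "deny"                       # only TCP is tracked here
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        f = pkt.flags
        if ipaddress.ip_address(pkt.src) in self.inside and f == {"SYN"}:
            self.sessions[key] = "SYN_SENT"     # inside host opens a connection
            return "permit"
        if self.sessions.get(rev) == "SYN_SENT" and f == {"SYN", "ACK"}:
            self.sessions[rev] = "SYN_RECEIVED"  # server answers the handshake
            return "permit"
        if self.sessions.get(key) == "SYN_RECEIVED" and f == {"ACK"}:
            self.sessions[key] = "ESTABLISHED"  # handshake complete
            return "permit"
        for k in (key, rev):                    # data in either direction
            if self.sessions.get(k) == "ESTABLISHED":
                if f & {"FIN", "RST"}:
                    del self.sessions[k]        # teardown removes the state
                return "permit"
        return "deny"                           # no matching session
```

The stateless ACL has no way to express "replies to connections we started"; to let them through it would need a rule such as permit tcp any to 192.168.1.0/24 for packets with ACK set, which is exactly what an ACK scan abuses. The stateful tracker needs no such rule, because an inbound ACK is permitted only when a SYN from inside and a SYN/ACK from the peer are already on record.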

Web Application Firewall (WAF)

Function: specifically designed to protect web applications; it sits between clients and the web server and inspects HTTP requests and responses.
Protection: blocks web-based attacks such as cross-site scripting (XSS) that arrive inside otherwise legitimate HTTP traffic, which a network firewall permitting port 443 cannot see.
Implementation: a stand-alone appliance, a cloud service, or software added to another device such as a reverse proxy or the web server itself.
Example: a WAF in front of an e-commerce web server in a screened subnet blocks malicious requests aimed at the application.
Caveat: a WAF is a compensating control; it reduces exposure but does not fix the vulnerable code behind it, and its signatures can be bypassed, so the application still needs to be patched.

Next-Generation Firewall (NGFW)

Function: adds advanced capabilities beyond first-generation (packet-filtering) and second-generation (stateful) firewalls.
Deep-packet inspection: application-level inspection that identifies applications and their commands regardless of port, and detects potentially malicious traffic inside them.
Operation: analyzes information at all layers of the OSI model, up to Layer 7 (Application).
Example: an NGFW performs content filtering and URL filtering by inspecting HTTP and FTP traffic at the application level. To do the same for HTTPS it must terminate TLS (TLS inspection), which requires clients to trust the firewall's certificate.

Key Points to Remember
- Stateless firewall: uses ACLs to block traffic without tracking session state.
- Stateful firewall: inspects traffic based on session state, operating at the Transport layer.
- Web application firewall: protects web applications from attacks such as XSS; sits between web servers and clients.
- Next-generation firewall: adds deep-packet and application-level inspection.
- Implicit deny: blocks all traffic that isn't explicitly allowed.

Failure Modes

Fail-open: when the device fails, all traffic passes through. No security controls are enforced, but there is no disruption to network activity.
Fail-closed: when the device fails, all traffic is blocked. Security policies are maintained, but network activity is significantly disrupted.
Preferred mode: security professionals generally prefer fail-closed because it limits risk by maintaining security policy during a failure. The exception is an asset where availability outweighs confidentiality (a safety system, for example), where fail-open with compensating monitoring may be the deliberate choice.
Security Zones

Intranet: the internal network used for communication and sharing among users within the organization; may include internal web servers.
Extranet: the part of the network made accessible to authorized external entities such as business partners, customers and vendors, normally after authentication.
Network perimeter: the boundary between the intranet and the Internet, protected by multiple methods (firewalls, proxies, intrusion detection) that limit connectivity and reduce the attack surface.

Screened Subnet (DMZ)

Function: a buffer zone between the private network and the Internet. Internet-facing servers are placed here so that clients can reach them without reaching the internal network, and the compromise of one of these servers does not directly expose the intranet.
Configuration: typically two firewalls, one between the Internet and the screened subnet and one between the screened subnet and the internal network. A single firewall with three interfaces is a common alternative that provides the same separation.

Example configuration:
- FW1: firewall separating the Internet from the screened subnet.
- FW2: firewall separating the screened subnet from the internal network.
- Mail server (screened subnet): receives mail on TCP 25 (SMTP) and accepts message submission from clients on TCP 587.
- Web server (screened subnet): hosts web pages, reachable on TCP 80 and 443 from the Internet.
- Certificate authority (CA) server (screened subnet): lets Internet clients validate certificates (CRL and OCSP lookups), reachable through FW1.
- Database server (intranet): reachable only from the web server on TCP 1433 (Microsoft SQL Server), enforced by FW2.

The FW2 rule set is the critical part: it should permit exactly the web-server-to-database connection on 1433 and deny everything else originating in the screened subnet, so that a compromised web server cannot reach the rest of the intranet.

Use cases:
- E-commerce site: the web server in the screened subnet queries the database server in the intranet to serve pages and manage transactions.
- Business partner access: the web server hosts a site for business partners who must authenticate before gaining access, effectively creating an extranet.
- Other examples: FTP servers for file transfers, VPN servers for remote access, and similar Internet-facing services.

Key Points to Remember
- Fail-open allows all traffic during a failure; fail-closed blocks all traffic. Security professionals prefer fail-closed.
- Screened subnet (DMZ): a buffer zone that lets Internet clients reach selected services while protecting the internal network.
- Security zones: intranet for internal use, extranet for authorized external access, and the network perimeter for boundary protection.
Network Address Translation (NAT) Gateway

Function: rewrites the IP addresses in packets crossing the gateway, translating private addresses to public ones on the way out and back again for the replies.
Implementation: a dedicated NAT gateway, a home or office router, or an Internet-facing firewall.
Common form: Port Address Translation (PAT), also called NAT overload, lets many internal devices share a single public IP address by giving each connection its own source port on the public side.
Benefits:
- No need to obtain public IP addresses for every client.
- Internal addresses are hidden from the Internet, and unsolicited inbound connections have no translation entry to reach an inside host.
Drawback: not compatible with IPsec without workarounds. The address rewrite invalidates AH's integrity check, and ESP carries no port numbers for PAT to use; NAT traversal (NAT-T, which encapsulates ESP in UDP port 4500) is the usual fix.
Caveat: NAT hides addresses but inspects nothing; it is a side effect of address sharing, not a substitute for a firewall.

Types of NAT:
- Static NAT: a fixed one-to-one mapping between one private address and one public address; used for servers that must be reachable from the Internet. Example: a server at 192.168.1.10 maps to the public address 203.0.113.10.
- Dynamic NAT: internal hosts are mapped on demand to addresses from a pool of public addresses, and the mapping is released when the session ends. Example: many users share a pool of public addresses assigned as they connect.
- PAT: the many-to-one case, where all internal hosts share one public address and connections are distinguished by port.
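PAT and static NAT as an added example that is not from the original notes: an offline simulation of the translation table a gateway keeps. Two inside hosts using the same source port share one public address, replies are mapped back by public port, and an unsolicited inbound packet with no table entry is dropped. The public address 203.0.113.1, the static mapping 192.168.1.10 to 203.0.113.10 and the remote host 198.51.100.7 are all documentation-range addresses chosen for this example.

```python
"""Port Address Translation (PAT) and static NAT simulated offline.

Added example, not from the original notes. 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges; the private hosts, ports and
static mapping are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, public_ip, inside_net, static=None, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.inside = ipaddress.ip_network(inside_net)
        self.static = dict(static or {})                 # private -> public (1:1)
        self.static_rev = {v: k for k, v in self.static.items()}
        self.next_port, self.port_max = port_range
        self.out_map = {}   # (priv_ip, priv_port, dst, dport) -> public port
        self.in_map = {}    # public port -> (priv_ip, priv_port, dst, dport)

    def outbound(self, pkt):
        """Translate a packet leaving the private network."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            raise ValueError("outbound packet is not from the inside network")
        if pkt.src in self.static:                       # static NAT keeps the port
            return replace(pkt, src=self.static[pkt.src])
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:                      # PAT: allocate a public port
            if self.next_port > self.port_max:
                raise RuntimeError("PAT port pool exhausted")
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means dropped."""
        if pkt.dst in self.static_rev:                   # static NAT: always reachable
            return replace(pkt, dst=self.static_rev[pkt.dst])
        if pkt.dst != self.public_ip:
            return None
        entry = self.in_map.get(pkt.dport)
        if entry is None:
            return None                                  # unsolicited: no mapping
        priv_ip, priv_port, remote, remote_port = entry
        if (pkt.src, pkt.sport) != (remote, remote_port):
            return None                                  # reply must come from the same peer
        return replace(pkt, dst=priv_ip, dport=priv_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1", "192.168.1.0/24", static={"192.168.1.10": "203.0.113.10"})
    print(gw.outbound(Packet("192.168.1.20", 50000, "198.51.100.7", 443)))
    print(gw.outbound(Packet("192.168.1.21", 50000, "198.51.100.7", 443)))
    print(gw.inbound(Packet("198.51.100.7", 443, "203.0.113.1", 1025)))
    print(gw.inbound(Packet("198.51.100.7", 443, "203.0.113.1", 2000)))   # None
```

The per-connection check in inbound is what makes PAT a one-way door: an outside host that has not been talked to cannot reach an inside host even if it guesses a mapped port. The static entry has no such check, which is why a statically mapped server needs a firewall rule set of its own.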

Physical Isolation and Air Gaps

Physical isolation: ensures one network has no connection to another, so an attacker on one cannot reach the other over the network.
Air gap: a literal physical separation (a gap of air) between an isolated system and all other systems: no cable, no wireless.
Caveat: in practice air gaps are crossed by removable media, maintenance laptops and "temporary" links, so media controls and monitoring are still needed on the isolated side.

Example use cases:
- SCADA systems: industrial control systems in facilities such as power plants are often isolated from other networks for security.
- Government networks: classified and unclassified networks are separated by an air gap to ensure no connectivity between them.

Logical Separation and Segmentation

Router ACLs: rules that control which traffic may pass between networks.
Firewall rules: separate network traffic using basic packet filtering and more advanced inspection.
VLANs: switches group computers into virtual networks based on logical need rather than physical location. Each VLAN is its own broadcast domain, and traffic between VLANs must pass through a router or Layer 3 switch, where it can be filtered.

Example use cases:
- Project-based VLAN: users from different departments working on the same project are placed in one VLAN regardless of where they sit.
- Traffic separation: voice and data traffic on separate VLANs to improve performance and reliability.
Caveat: a VLAN separates traffic only when the switches, trunk links and inter-VLAN routing are configured correctly; a misconfigured trunk port can let traffic hop between VLANs.

Network Appliances

Proxy server: forwards client requests for services on their behalf; can cache content and filter access to websites.
Jump server: a hardened, controlled access point into another network or device, often used for administrative purposes.

Example use cases:
- Proxy server: an organization caches web content and restricts access to certain websites.
- Jump server: administrators reach a sensitive network through a jump server to manage devices securely.

Key Points to Remember
- NAT: translates public IP addresses to private IP addresses and vice versa.
- VLANs: logical separation within a network, useful for both security and traffic management.
- Air gap: complete physical separation between networks, enhancing security for isolated systems.

Proxy Server Functions

Caching content: stores recently retrieved Internet content temporarily so repeated requests are served locally, increasing performance and reducing bandwidth usage.
Content filtering: examines each user request against security and content policies before forwarding it, blocking inappropriate or dangerous sites.
Logging: records each site visited by each user for monitoring and analysis.

Caching example: Lisa retrieves a web page and the proxy server stores it in its cache. When Homer requests the same page, it is served from the cache instead of being fetched again, which reduces bandwidth usage.

Content Filtering

Function: ensures user requests comply with security and content policies before passing them to remote web servers.
Subscription lists: third-party companies provide URL-filtering lists that categorize sites by content and reputation.
User notification: users who try to reach a restricted site are shown a warning page reminding them of the acceptable use policy.
Logging: proxy logs identify frequently visited sites and support monitoring of web browsing.

Centralized vs. agent-based filtering:
- Centralized proxy: sits on the network and intercepts and analyzes user requests.
- Agent-based filtering: an agent on each user's computer enforces the policy directly on that system, which also covers users who are off the corporate network.

Reverse Proxy

Function: accepts requests from the Internet on behalf of one or more web servers, forwards them to the appropriate server, and returns the pages to the client. The client only ever sees the proxy's address.
Caching: caches web pages to improve performance, similar to a forward proxy.
Load balancing: distributes requests across the servers in a web farm using a load-balancing algorithm.
Security: hides the web servers' addresses, can terminate TLS centrally, and is a natural place to deploy a WAF.

Reverse proxy example: Bart accesses a website through a reverse proxy, which retrieves the page from the web server and sends it back to Bart.

Key Points to Remember
- Proxy server: forwards requests from clients, providing caching and content filtering.
- Transparent proxy: accepts and forwards requests without modifying them and needs no client configuration; users may not know it is there.
- Non-transparent proxy: clients are explicitly configured to use it; it applies URL filters to restrict access to certain sites and can log user activity.
- Reverse proxy: an intermediary for requests from the Internet to web servers, enhancing performance and security.

Unified Threat Management (UTM)

Function: combines multiple security controls into a single solution to simplify management and improve security.
Benefits: reduces the administrators' workload and integrates security functions that would otherwise be separate devices.
Common features: URL filtering, malware inspection, content inspection, DDoS mitigation.
Caveat: one box is also one point of failure and one performance bottleneck, so a UTM must be sized with every enabled feature in mind and its failure mode (fail-open or fail-closed) chosen deliberately.

Example UTM features:
- URL filtering: blocks access to sites based on URL, with configuration to allow or block specific websites.
- Malware inspection: screens incoming data for known malware and blocks it.
- Content inspection: monitors and blocks malicious content, spam, streaming media and specific file types.
- DDoS mitigator: detects and blocks Distributed Denial of Service (DDoS) attacks.

Jump Server

Function: a hardened server used as the single controlled path for administrators to access and manage devices in a different security zone.
Connection method: usually SSH with key-based authentication (no password prompt), so that credentials are not typed across zone boundaries.
Security: hardened and minimal, restricted in which clients may connect to it and which hosts it may reach, with every session logged. Because it is the point an attacker must pass through, it warrants multifactor authentication and close monitoring.

Example jump server usage:
- Access to a CA server: Maggie uses a jump server to connect securely to a Certificate Authority (CA) server in a screened subnet.
- SSH command: ssh -J maggie@jump maggie@ca1 connects Maggie to the CA server via the jump server. The -J (ProxyJump) option opens an SSH session to jump and tunnels a second SSH connection to ca1 through it, so the session to ca1 is encrypted end to end and the jump host never sees Maggie's credentials for ca1.

Zero Trust Network Access (ZTNA)

Function: grants access to applications through strong authentication and policy-driven decisions based on user identity, device and context, rather than on where the request comes from. Being on the corporate network confers no access by itself.
Policy decision and enforcement: the policy engine (policy decision point) decides whether a request is allowed; the policy enforcement point (PEP) sits in the data path and applies that decision to the connection.
Adaptive authentication: the authentication required changes with context such as location, the device in use and the sensitivity of the resource.

Example ZTNA scenario:
- Corporate office: a user on a managed corporate computer in a corporate office verifies with a password (the device's own identity supplies the second factor).
- Coffee shop: the same user on a personal device in a coffee shop is subjected to multifactor authentication, and may be limited to less sensitive applications.
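The office and coffee-shop scenario above as an added example that is not from the original notes: a small policy decision point that combines entitlement, device posture and adaptive authentication, and denies by default. The users (lisa, homer), groups, applications and the posture attributes are constructed; the outcomes step-up, allow and deny are this example's own vocabulary.

```python
"""Zero trust policy decision simulated offline.

Added example, not from the original notes. Users, groups, devices and
applications are constructed; the rules implement the notes' office vs.
coffee-shop scenario plus a deny-by-default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset          # group memberships from the identity provider
    device_managed: bool       # corporate-enrolled device
    device_compliant: bool     # posture: patched, encrypted, EDR running
    location: str              # "office" or "remote"
    auth_methods: frozenset    # what the user has presented this session


@dataclass(frozen=True)
class App:
    name: str
    allowed_groups: frozenset
    sensitivity: str           # "low" or "high"


def required_auth(ctx, app):
    """Adaptive authentication: what this request must present."""
    if ctx.device_managed and ctx.location == "office" and app.sensitivity == "low":
        return {"password"}
    return {"password", "mfa"}          # anything less trusted needs MFA


def decide(ctx, app):
    """Policy decision point. Returns (outcome, reason) with outcome one of
    "allow", "step-up" or "deny". Identity and device posture drive the
    decision; the network location only changes how strong the
    authentication must be."""
    if not (ctx.groups & app.allowed_groups):
        return "deny", "user not entitled to application"
    if app.sensitivity == "high" and not ctx.device_managed:
        return "deny", "high-sensitivity app requires a managed device"
    if ctx.device_managed and not ctx.device_compliant:
        return "deny", "managed device failed posture check"
    missing = required_auth(ctx, app) - ctx.auth_methods
    if missing:
        return "step-up", "requires " + ", ".join(sorted(missing))
    return "allow", "policy satisfied"


def enforce(ctx, app):
    """Policy enforcement point: only an explicit allow opens the connection."""
    outcome, reason = decide(ctx, app)
    return outcome == "allow", reason


if __name__ == "__main__":
    wiki = App("wiki", frozenset({"staff"}), "low")
    office = Context("lisa", frozenset({"staff"}), True, True, "office", frozenset({"password"}))
    cafe = Context("lisa", frozenset({"staff"}), False, False, "remote", frozenset({"password"}))
    print("office:", decide(office, wiki))
    print("coffee shop:", decide(cafe, wiki))
```

Note what the location does not do: it never grants access. A user in the office with the wrong group is still denied, and a user in the coffee shop with MFA and a managed, compliant device gets the same access as in the office, which is the point of deciding on identity and posture rather than on network position.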

Secure Access Service Edge (SASE)

Function: integrates networking (typically SD-WAN) and security functions as a single cloud-delivered service, building on zero-trust principles so that every connection is authenticated and inspected regardless of where the user or resource is.
Services: firewall as a service, secure web gateway, anti-malware, intrusion prevention, cloud access security broker (CASB), data loss prevention (DLP).

Example SASE features:
- Firewall services: protect the network from unauthorized access.
- Secure web gateway: filters Internet-bound traffic to enforce security policies.
- Anti-malware: detects and prevents malware infections.
- Intrusion prevention: monitors and blocks network-based threats.
- CASB services: visibility and policy enforcement for cloud applications and services.
- DLP services: monitors and protects sensitive data to prevent breaches.

Key Points to Remember
- UTM: combines multiple security controls into a single appliance to simplify management and enhance security.
- Jump server: provides secure access between different security zones and must be hardened.
- Zero trust (ZTNA): bases access control on user identity and context rather than network location, with strong authentication.
- SASE: combines networking and security functions as an integrated cloud service built on zero-trust principles.