SSCP Book Chapter06 (Network-and-Communications) Notes

Chapter 06 covers networking and communications security, detailing key transport layer protocols (TCP and UDP), the OSI model, and various network devices like routers, switches, and firewalls. It also discusses IP addressing, VPNs, network security measures, and the importance of protocols such as RADIUS and TACACS+. Additionally, the chapter highlights the evolution of Wi-Fi standards and encryption methods for wireless connections.

Uploaded by

Adrian
Copyright: © All Rights Reserved

CHAPTER 06: NETWORKING AND COMMUNICATIONS SECURITY:

1. The two main transport layer protocols are:

1.1 Transmission Control Protocol (TCP): Connection-oriented, guarantees delivery, used
for email and websites.
1.2 User Datagram Protocol (UDP): Connectionless protocol, doesn't guarantee delivery;
voice and video apps use this protocol.

2. TCP Flags:

2.1 SYN: Opens a connection.
2.2 FIN: Closes a connection.
2.3 ACK: Acknowledges a SYN or FIN flag.

3. TCP Handshake:

3.1 SYN: A SYN packet is sent to the destination system to request the opening of a connection.
3.2 SYN/ACK: The destination system receives the SYN flag and sends a SYN and ACK flag,
acknowledging that it has received the SYN flag and opening a connection to the original system.
3.3 ACK: The original system sends an ACK flag to the destination system, verifying that it has
received the destination system's SYN flag.

4. Open Systems Interconnection (OSI) Model:

4.1 Physical Layer: Wires, radios and optics.
4.2 Data Link Layer: Data transfers between 2 nodes.
4.3 Network Layer: Internet Protocol (IP).
4.4 Transport Layer: TCP and UDP.
4.5 Session Layer: Exchanges between systems.
4.6 Presentation Layer: Data translation and encryption.
4.7 Application Layer: User programs.

5. EXAM TIP: KNOW THE SEVEN LAYERS OF THE OSI MODEL.

6. Network Address Translation (NAT): Your router or firewall takes care of translating your
private IP address (home or office) to public IP addresses when you communicate over the
internet. This takes place using NAT.

7. IPv6:

7.1 Because IPv4 only consists of 32-bit addresses, we are running out of IPv4 addresses.
7.2 IPv6 consists of 128-bit addresses, which allows for vastly more addresses than IPv4.
7.3 IPv6 addresses consist of eight groups of four hexadecimal digits, for example:
2345:0425:2CA1:0000:0000:0567:5673:23b5.

8. There are two different ways IP addresses can be assigned to systems:

8.1 Static IPs: Static IPs are manually assigned to systems by an administrator. Servers are
typically configured with static IP addresses.
8.2 Dynamic Host Configuration Protocol (DHCP): Allows the automatic assignment of IP
addresses from an administrator-configured pool. End-user devices are typically configured
with DHCP IP addresses.

9. Domain Name System (DNS) Server: Translates between domain names and IP
addresses. Functions over UDP port 53.

10. Domain Name System Security Extensions (DNSSEC): Adds digital signatures to DNS.

11. Port Ranges Include:

11.1 0-1023: Well-known ports.
11.2 1024-49151: Registered ports.
11.3 49152-65535: Dynamic ports.

12. Administrative Services:

12.1 File Transfer Protocol (FTP): Port 21.
12.2 Secure Shell (SSH): Port 22.
12.3 Remote Desktop Protocol (RDP): Port 3389.
12.4 NetBIOS: Ports 137, 138, 139.
12.5 Domain Name System (DNS): Port 53.

13. Mail Services:

13.1 Simple Mail Transfer Protocol (SMTP): Port 25.
13.2 Post Office Protocol (POP): Port 110.
13.3 Internet Message Access Protocol (IMAP): Port 143.

14. Web Services:

14.1 Hypertext Transfer Protocol (HTTP): Port 80.
14.2 Hypertext Transfer Protocol Secure (HTTPS): Port 443.

15. Internet Control Message Protocol (ICMP): Performs a variety of important
administrative functions such as:

15.1 Ping: Identifies live systems.
15.2 Traceroute: Identifies network paths.
15.3 Destination unreachable messages.
15.4 Redirect messages.
15.5 Time exceeded messages.
15.6 Address mask requests and replies.

16. Network Relationships:

16.1 Client to server: Each computer on the network has a specific role; it's either a client or
a server.
16.2 Peer to peer: Every device acts both as a client and a server.

17. Switches: Connect devices to networks.

17.1 Wireless Access Points (WAP): Connect to switches and create Wi-Fi networks.

18. SWITCHES WORK AT LAYER 2 OF OSI MODEL WHERE THEY ONLY WORK WITH
MAC ADDRESSES!!!
But some switches can operate at layer 3 of the OSI model where they now take on the
function of routers.

19. Routers: Connect networks to each other making intelligent packet routing decisions.

20. Bridges: Connect networks using simple forwarding (MAC addresses).

21. Firewalls connect three networks together: The internet, internal network and the
DMZ.

22. Demilitarized Zone (DMZ):

22.1 Contains systems that must accept direct external connections.
22.2 Isolates those systems due to risk of compromise.
22.3 Protects the internal network from compromised DMZ systems.

23. Different Types of Firewalls:

23.1 Stateless Firewall: Evaluates each packet independently. This is how older firewalls
worked, and it was very inefficient.

23.2 Stateful Inspection: Tracks open connections.


24. Firewall Rule Contents Include:

24.1 Source system address affected by the rule.
24.2 Destination system address affected by the rule.
24.3 Destination port and protocol affected by the rule.
24.4 Action (allow or deny): The action the firewall should take when it encounters traffic
matching the rule.

25. Implicit Deny: If the firewall receives traffic not explicitly allowed by the firewall rule, then
that traffic must be blocked.

26. Next Generation Firewalls (NGFW): Incorporate contextual information into their
decision making.

27. Proxy Server Benefits:

27.1 Anonymity.
27.2 Performance boosting.
27.3 Content filtering.

28. Forward Proxy: Works on behalf of client.

29. Reverse Proxy: Works on behalf of servers.

30. Transparent Proxy: Works without the client's or server's knowledge.

31. Load Balancers: Distribute workload among multiple servers.

32. Autoscaling: Automatically adds and removes servers as needed.

33. Load Balancer Security Functions Include:

33.1 SSL certificate management.
33.2 URL filtering.
33.3 Other web application security tasks.

34. Round-Robin Scheduling: Each server gets an equal number of requests.

35. Advanced Scheduling: Algorithms select servers based upon performance and available
capacity.

36. Session Persistence: Routes an individual user’s requests to the same server.

37. Load balancers are a single point of failure (SPOF); this is how we can approach that SPOF with
high availability:

37.1 Active-Active: Two load balancers are active and both route traffic to different web
servers. If one load balancer fails, the other one takes all the workload; this doesn't impact
the user experience, but it does reduce capacity.
37.2 Active-Passive: One load balancer handles all the network traffic, and if that one fails
the other load balancer takes its place.

38. VPN endpoints include:

38.1 Firewalls.
38.2 Routers.
38.3 Servers.
38.4 VPN concentrators.

39. Most VPNs use a protocol called IPsec (Internet Protocol Security):

39.1 Works at the network layer (layer 3).
39.2 Supports the Layer 2 Tunneling Protocol (L2TP).
39.3 Provides secure transport.
39.4 Difficult to configure.

40. Remote user VPNs now rely on SSL/TLS; these work on TCP port 443.

41. HTML5 VPNs: Work entirely within the web browser.

42. Remote access VPN admins must choose between two tunneling approaches:

42.1 Full-Tunnel VPN: All network traffic leaving the connected device is routed through the
VPN tunnel regardless of its final destination.
42.2 Split-Tunnel VPN: Only traffic destined for the corporate network is sent through the
VPN tunnel. Other traffic is routed directly over the internet.

43. EXAM TIP: USERS ARE FILLED WITH A FALSE SENSE OF SECURITY BECAUSE
THEY CAN'T TELL THE DIFFERENCE BETWEEN FULL-TUNNEL VPNS AND SPLIT-TUNNEL VPNS.

44. Always-On VPN: Devices are configured to automatically connect to the VPN whenever they are
powered on.

45. EXAM TIP: ANOMALY DETECTION, BEHAVIOR-BASED DETECTION AND
HEURISTIC DETECTION ARE THE SAME THING.

46. IPS Deployment Modes:

46.1 In-Band(Inline) Deployments: Device sits in the path of the network communication
and it can block suspicious traffic from entering the network.
46.2 Out-Of-Band (Passive) Deployments: Device connects to a SPAN port on a switch and
can only react after suspicious traffic enters the network.

47. Protocol Analyzers: Allow deep inspection of traffic. Wireshark is a protocol analyzer.

48. Protocol Analyzer Uses:

48.1 Troubleshoot network issues.
48.2 Investigate security incidents.
48.3 Eavesdrop on confidential communications.

49. Wireshark and tcpdump are both built on the libpcap packet capture library.

50. tcpreplay: Allows editing and replaying traffic.

51. Content Delivery Networks (CDNs): Provide scalability and security.

52. CDNs provide a shared web infrastructure that satisfies demand for your content through
a network of dozens or hundreds of locations around the world; each of these locations
caches your web content. Each point of presence (PoP) retrieves content from your web server and caches
it for nearby users.

53. CDN Benefits:

53.1 On-demand scaling.
53.2 Cost-efficiency.
53.3 Locality of content.
53.4 Security enhancements: DDoS prevention, web application firewalling.

54. Quality of Service (QoS) Technology: Allows administrators to prioritize network traffic
based upon protocol or IP address.

55. Wide Area Network (WAN) Optimization: Improves network efficiency.

56. WAN Optimization Techniques:

56.1 Deduplication: Avoids transmitting the same data multiple times.
56.2 Compression: Uses zip, rar, etc. to reduce the size of data before sending it over the WAN link.
56.3 Caching: Stores frequently used data on both sides of the network connection for later
reuse.
56.4 Latency Optimization: Uses technical tweaks to the network connection to optimize the
flow of network traffic.

57. More common security zones:

57.1 Network Border Firewall: This has 3 network interfaces because it connects 3
different security zones together:

57.1.1 Internet Zone: The interface between the protected networks and the outside world.
57.1.2 Intranet Zone: The internal network where most systems reside; the organization may
use additional firewalls to segment the networks inside the intranet (endpoint, wireless, guest
and data center networks).
57.1.3 DMZ Zone: Holds systems that must accept connections from the outside world.

58. Extra Networks Include:

58.1 Extranet: Intranet segments extended to business partners.
58.2 Honeynet: Decoy networks designed to attract attackers.
58.3 Ad Hoc Network: Temporary networks that may bypass security controls.

59. East-West Traffic: Network traffic between systems located in the data center.

60. North-South Traffic: Network traffic between systems in the data center and systems on
the internet.

61. VLANs: VLANs separate systems on a network into logical groups based upon function,
regardless of physical location.

62. To setup VLANs the configuration goes as follows:

62.1 Enable VLAN trunking: Allows switches in different locations on the network to carry
the same VLANs.
62.2 Assign the switch ports to the appropriate VLANs.

63. Network Traffic Collectors Include:

63.1 Intrusion detection and prevention sensors.
63.2 Network taps.
63.3 Port mirrors.

64. Aggregation Switch: Pulls together network traffic from the access switches deeper in
the network that are connected to user devices.

65. SPAN Ports: Provide a copy of all traffic that crosses the switch.

66. Port Mirroring: Allows the monitoring of traffic on a single switch port.

67. Security Information and Event Management (SIEM):

67.1 Gathers information using collectors.
67.2 Analyzes information with a centralized aggregation and correlation engine.
67.3 Place collectors near the systems generating records.
67.4 Place the correlation engine in a secure location.

68. Proxy servers and content filters typically belong in the DMZ.

69. VPN Concentrators (HARDWARE DEVICES):

69.1 Aggregate remote user connections.
69.2 Often reside in their own VLAN, where access controls may restrict remote user activity.
69.3 Sophisticated designs may use multiple VLANs for different user roles.

70. Control Plane: Responsible for making routing and switching decisions.

71. Data Plane: Responsible for carrying out the instructions of the control plane.

72. Software Defined Networks (SDN): Separate the control plane and data plane from
each other.

73. SDN makes the network programmable.

74. Encapsulation: Allows one protocol to carry traffic that uses another protocol.

75. SDN Security Benefits:

75.1 Allows granular network configuration.
75.2 Facilitates faster response to security incidents.

76. The most dangerous disadvantage of SDN is it increases network complexity.

77. Li-Fi technology replaces the radio waves of Wi-Fi with light.

78. How security professionals restrict access to networks:

78.1 Perimeter security.
78.2 Network access control.

79. NAC uses the 802.1x authentication protocol.

80. NAC using 802.1x:

80.1 Supplicant: The device that wishes to connect to the NAC-protected network; it runs a special
piece of software called a supplicant.

80.2 Authenticator (switch, wireless controller): Receives credentials from the end user.

80.3 Authentication Server (backend): Centralized server that performs authentication for
all of the authenticators on the network.

81. NAC Roles:

81.1 User and Device Authentication.
81.2 Role-Based Access: Once the authenticator learns the identity of the user from the
authentication server, it also makes a decision about where to place the user on the network
based upon that user's identity.
81.3 Posture Checking: Verifies that the device connecting to the network complies with
the organization's security policy before granting broader access. These checks
include:

81.3.1 Verifying antivirus software presence.
81.3.2 Validating current signatures.
81.3.3 Ensuring proper firewall configuration.
81.3.4 Verifying presence of security patches.

82. RADIUS (Remote Authentication Dial-In User Service): Allows many diverse applications to rely
on the same authentication source.

83. EXAM TIP: THE RADIUS CLIENT IS USUALLY AN APPLICATION SERVER.

84. TACACS (Terminal Access Controller Access Control System): Alternative to
RADIUS. The current TACACS standard is TACACS+.

85. TACACS+:

85.1 Functions similarly to RADIUS but uses TCP instead of UDP.
85.2 Encrypts the full authentication session.

86. Common configuration errors in firewall rule base:

86.1 Shadowed Rules: A rule base contains a rule that will never be executed because of its
placement in the rule base.
86.2 Promiscuous Rules: Allow more access than necessary (too much access).
86.3 Orphaned Rules: Allow access to decommissioned systems and services.
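A small rule-base evaluator that applies the rule fields of item 24 with first-match semantics and the implicit deny of item 25, then audits the base for shadowed and orphaned rules (items 86.1 and 86.3). This is an added example, not code from the book; the rule base RULES and the decommissioned host 10.0.1.99 are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    """A rule with the fields of item 24: src/dst are CIDRs or "any", dport None means any."""
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp" or "any"
    dport: object    # int or None
    action: str      # "allow" or "deny"

def _net(spec):
    return None if spec == ANY else ipaddress.ip_network(spec, strict=False)

def matches(rule, src_ip, dst_ip, proto, dport):
    """Does this single rule apply to the packet described by the arguments?"""
    s, d = _net(rule.src), _net(rule.dst)
    return ((s is None or ipaddress.ip_address(src_ip) in s)
            and (d is None or ipaddress.ip_address(dst_ip) in d)
            and rule.proto in (ANY, proto) and rule.dport in (None, dport))

def decide(rules, src_ip, dst_ip, proto, dport):
    """First match wins; traffic no rule allows is blocked (implicit deny, item 25)."""
    for r in rules:
        if matches(r, src_ip, dst_ip, proto, dport):
            return r.action
    return "deny"

def _covers(a, b):
    """True when field spec a matches everything that field spec b can match."""
    return a == ANY or (b != ANY and _net(b).subnet_of(_net(a)))

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them (item 86.1)."""
    return [i for i, r in enumerate(rules)
            if any(_covers(e.src, r.src) and _covers(e.dst, r.dst)
                   and e.proto in (ANY, r.proto) and e.dport in (None, r.dport)
                   for e in rules[:i])]

def orphaned(rules, decommissioned):
    """Indices of allow rules aimed at a single host that is no longer in service (item 86.3)."""
    gone = {ipaddress.ip_address(h) for h in decommissioned}
    return [i for i, r in enumerate(rules) if r.action == "allow" and r.dst != ANY
            and _net(r.dst).num_addresses == 1 and _net(r.dst).network_address in gone]

# Constructed rule base: a web allow, a narrower duplicate of it, and an SSH allow to a retired host.
RULES = [
    Rule(ANY, "10.0.1.0/24", "tcp", 443, "allow"),
    Rule("10.0.5.0/24", "10.0.1.10/32", "tcp", 443, "allow"),   # shadowed by rule 0
    Rule("10.0.5.0/24", "10.0.1.99/32", "tcp", 22, "allow"),    # 10.0.1.99 was decommissioned
]
```

Run `shadowed(RULES)` and `orphaned(RULES, ["10.0.1.99"])` as a periodic audit; note that `decide` returns "deny" for anything the three allow rules do not cover even though no deny rule is written.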

87. Flooding Attacks: Overwhelm network devices:

87.1 SYN Flood: Fills connection state tables on firewalls with half-open connection entries.
87.2 MAC Flood: Fills a switch's MAC address table with many entries, causing it to flood
traffic on all ports. PORT SECURITY PROTECTS AGAINST THIS.
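The three-way handshake of item 3 and the half-open table exhaustion of item 87.1 in one simulation: the server tracks SYN_RECEIVED entries, moves them to ESTABLISHED on the correct ACK, and starts refusing new SYNs once the bounded table is full. This is an added example, not from the book; the segment dict format, the table capacity of 4, the initial sequence number and the addresses are all constructed.

```python
CAPACITY = 4  # constructed: tiny half-open table so exhaustion shows after a few SYNs

class Listener:
    """Server side of the handshake (item 3) with a bounded half-open table (item 87.1)."""
    def __init__(self, capacity=CAPACITY):
        self.capacity = capacity
        self.half_open = {}     # (src, sport) -> server ISN, state SYN_RECEIVED
        self.established = {}   # (src, sport) -> server ISN, state ESTABLISHED
        self.dropped = 0        # SYNs refused because the table was full
        self._isn = 1000        # constructed initial sequence number

    def receive(self, seg):
        """Process one segment dict {src, sport, flags, seq, ack}; return our reply or None."""
        key, flags = (seg["src"], seg["sport"]), seg["flags"]
        if flags == {"SYN"}:                                   # step 1: request to open
            if key in self.half_open or key in self.established:
                return None                                    # duplicate SYN
            if len(self.half_open) >= self.capacity:
                self.dropped += 1                              # exhausted: no SYN/ACK goes back
                return None
            self._isn += 1
            self.half_open[key] = self._isn
            # step 2: SYN/ACK acknowledges the client's SYN and opens our side
            return {"flags": {"SYN", "ACK"}, "seq": self._isn, "ack": seg["seq"] + 1}
        if flags == {"ACK"} and key in self.half_open:         # step 3: client ACKs our SYN
            if seg["ack"] == self.half_open[key] + 1:
                self.established[key] = self.half_open.pop(key)
        return None

    def half_open_ratio(self):
        """Share of tracked connections stuck in SYN_RECEIVED; a spike is a flood signal."""
        total = len(self.half_open) + len(self.established)
        return len(self.half_open) / total if total else 0.0

def handshake(listener, src, sport, seq=0):
    """Well-behaved client: SYN, then ACK the SYN/ACK. True once ESTABLISHED."""
    synack = listener.receive({"src": src, "sport": sport, "flags": {"SYN"}, "seq": seq, "ack": 0})
    if synack is None:
        return False
    listener.receive({"src": src, "sport": sport, "flags": {"ACK"},
                      "seq": seq + 1, "ack": synack["seq"] + 1})
    return (src, sport) in listener.established

def leave_half_open(listener, src, count):
    """Send `count` SYNs from distinct ports and never complete them (the 87.1 pattern)."""
    for port in range(50000, 50000 + count):
        listener.receive({"src": src, "sport": port, "flags": {"SYN"}, "seq": 0, "ack": 0})

if __name__ == "__main__":
    srv = Listener()
    print(handshake(srv, "203.0.113.5", 40000))   # True: a normal client completes
    leave_half_open(srv, "198.51.100.9", 10)      # only CAPACITY of these fit in the table
    print(handshake(srv, "203.0.113.6", 40001))   # False: a legitimate client is now refused
```

Real stacks age out half-open entries and use SYN cookies; this model omits both so the table-exhaustion effect is visible with a handful of segments.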

88. Spanning Tree Protocol: Prevents broadcast storms by implementing loop prevention.

89. BPDU Guard: Blocks malicious STP updates.

90. EXAM TIP: USE SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP) V3.

Jump boxes, jump servers and jump hosts are all the same thing.

Jump box: Allows administrative connections between security zones.

91. Wi-Fi Standards:

91.1 802.11 (1997): Allows 2 Mbps communication.
91.2 802.11b (1999): Allows 11 Mbps communication.
91.3 802.11g (2003): Allows 22 Mbps communication.
91.4 802.11n (2009): Allows 600 Mbps communication.
91.5 802.11ac (2014): Allows 1 Gbps+ communication.

92. Different standards that encrypt wireless connections:

92.1 Wired Equivalent Privacy (WEP): The original wireless encryption standard. No longer
considered secure.
92.2 Wi-Fi Protected Access (WPA): Replaced WEP in 2003. Used the Temporal Key
Integrity Protocol (TKIP) to rapidly rotate encryption keys. No longer secure.
92.3 Wi-Fi Protected Access v2 (WPA2): Released in 2004 as an upgrade to WPA. Encrypts
packets using AES encryption. Uses the CCMP protocol. Widely used and considered secure.
92.4 Wi-Fi Protected Access v3 (WPA3): Required on new Wi-Fi devices from 2020.
Supports CCMP. Uses Simultaneous Authentication of Equals (SAE) for key exchange.
