
Thor’s Quick Sheets – CISSP® Domain 4

Contents

Network Basics and Definitions
The OSI Model and TCP/IP Model
MAC Address (BIA)
Protocols
Cables
LAN Technologies and Protocols
Legacy LAN Systems
Physical LAN Topologies
WAN (Wide Area Network) Technologies and Protocols
WLAN (Wireless LAN) Technologies and Protocols
Cellular Networks
Secure Network Devices and Protocols
Network Performance and Traffic Management
Secure Communications

https://thorteaches.com/
Network Basics and Definitions
Simplex: A one-way communication (One system transmits, the other listens).
Half-duplex communication: Only one system can send or receive at any time.
Full-duplex communication: Both systems can send and receive simultaneously.
Baseband networks have one channel and can only send one signal at a time; Ethernet is baseband.
Broadband networks have multiple channels and can send and receive multiple signals at a time.
The Internet is a global collection of peered WAN networks; it really is a patchwork of ISPs.
An Intranet is an organization's privately owned network; most larger organizations have them.
An Extranet is a connection between private Intranets, often business partners' Intranets.
Circuit Switching: Expensive, but always available, used less often. A dedicated communications channel
through the network. The circuit guarantees the full bandwidth.
Packet Switching: Cheap, but with no capacity guarantee, very widely used today; data is sent in packets but
takes multiple paths to the destination. The packets are reassembled at the destination.
• QoS (Quality of Service): Gives specific traffic priority over other traffic. Most commonly, VOIP (Voice over
IP) or other UDP traffic needs close to real-time communication.
PAN (Personal Area Network): A personal area network is a computer network used for communication
among computers and other information technological devices close to one person (PCs, printers, scanners,
consoles …). It can be wired like USB and wireless Bluetooth or infrared.
LAN (Local Area Network): A network that connects computers and devices in a limited geographical area
such as a home, school, office building, or campus.
MAN (Metropolitan Area Network): A large computer network that usually spans a city or a large campus.
WAN (Wide Area Network): A computer network covering a large geographic area such as a city, country, or
intercontinental; combines many types of media (telephone lines, cables, and airwaves).
VPN (Virtual Private Network): A VPN network sends private data over an insecure network, most often the
Internet. Your data is sent across a public network but looks and feels private.
GAN (Global Area Network): A global area network is used to support mobile users across wireless LANs,
satellite coverage areas, etc. Moving from one to the next can be seamless.

The OSI Model and TCP/IP Model


The OSI Model (Open Systems Interconnect):
• A layered network model that standardizes the communication functions of a telecommunication or
computing system regardless of their underlying internal structure and technology.
• The model partitions a communication system into abstract layers; the model has seven layers.
• 1. Physical 2. Data Link 3. Network 4. Transport 5. Session 6. Presentation 7. Application.
○ 7-1 All People Seem To Need Data Processing.
○ 1-7 Please Do Not Throw Sausage Pizza Away.
• Know the PDUs (Data, Segments, Packets, Frames, Bits).
Layer 1 - Physical Layer:
• Wires, fiber, radio waves, hubs, repeaters, the physical part of the NIC, connectors.
• Cable types: copper twisted pair is the least secure (easy to tap, eavesdropping, interference) but cheap.
• Fiber is more secure: much harder to tap without detection and immune to electrical interference, but it costs more and the glass can break.
• Threats: data emanation, theft, eavesdropping, sniffing, interference.

Layer 2 - Data Link Layer: Transports data between two nodes connected to the same network segment.
• MAC address (BIA, Burned-In Address): A unique identifier on the network card.
• It can be spoofed very easily, for both good and not-so-good reasons.
• MAC-48/EUI-48: 48 bits written in hexadecimal; the first 24 bits are the manufacturer identifier (OUI), the last 24 are unique to the device.
• EUI-64: 64 bits; the first 24 bits are the manufacturer identifier, the last 40 are unique to the device.
• Threats: MAC spoofing, MAC flooding (overflowing the switch's CAM table so it floods frames out of every port like a hub).
• ARP (Address Resolution Protocol): Straddles layers 2 and 3.
• CSMA/CD: Ethernet; collisions are largely eliminated by switches compared with hubs. CSMA/CA: Wireless.
• Token passing: Like a talking stick; not really used anymore.
Layer 3 - Network Layer:
• Expands to many different nodes (IP) – The Internet is IP-based.
• Isolates traffic into broadcast domains.
• Protocols: IP, ICMP, IPSEC, IGMP, IGRP, IKE, ISAKMP, IPX.
• Threats: Ping of Death, Ping Floods, Smurf – spoof source and directed broadcast, IP modifications, DHCP
attacks, …
• If the exam asks which layer a protocol with “I” is, and you do not remember, answer layer 3.
• IP, IGMP, IGRP, IPSEC, IKE, ISAKMP, … are all layer three except IMAP, which is layer 7.
Layer 4 - Transport Layer:
• SSL/TLS: Usually placed somewhere between layers 4 and 7, depending on the model used.
• UDP (User Datagram Protocol): Connectionless and unreliable; used for VoIP, live video, gaming and other "real-time" traffic where timing matters more than delivery confirmation. It sends a datagram and does not care whether it arrives or in which order.
• Attack: Fraggle attack: Works the same way as Smurf but uses UDP (echo/chargen) rather than ICMP, so it may succeed where ICMP is filtered.
• TCP (Transmission Control Protocol): Reliable, connection-oriented, guaranteed delivery, three-way handshake (SYN, SYN-ACK, ACK), slower with more overhead, data reassembled in order.
• Attack: SYN floods: Half-open TCP sessions; the attacker sends thousands of SYNs (usually from spoofed sources) but never the final ACK, exhausting the server's connection table.
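As an added example (not part of Thor's sheet), the half-open-connection check a detection engineer would run over TCP handshake records, in Python. The event tuples are constructed sample data: one legitimate client that completes SYN / SYN-ACK / ACK, and 300 spoofed sources that only ever send a SYN. The field layout, the one-second timeout and the threshold of 100 are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample: (time_s, src_ip, src_port, dst_ip, dst_port, flags), oldest first.
# One normal client completes the handshake; 300 spoofed sources send a SYN and nothing else.
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5", 49691, "10.0.0.80", 443, "SYN"),
    (0.01, "10.0.0.80", 443, "10.0.0.5", 49691, "SYN-ACK"),
    (0.02, "10.0.0.5", 49691, "10.0.0.80", 443, "ACK"),
] + [
    (0.10 + i * 0.001, f"203.0.113.{i % 254 + 1}", 50000 + i, "10.0.0.80", 443, "SYN")
    for i in range(300)
]


def handshake_states(events):
    """Replay handshake events and return
    {(client_ip, client_port, server_ip, server_port): (state, last_seen)}."""
    state = {}
    for t, src, sport, dst, dport, flags in events:
        if flags == "SYN":                      # client -> server opens the handshake
            state[(src, sport, dst, dport)] = ("SYN_RECEIVED", t)
        elif flags == "SYN-ACK":                # server -> client: swap to the client's view
            key = (dst, dport, src, sport)
            if key in state:
                state[key] = ("SYN_ACK_SENT", t)
        elif flags == "ACK":                    # client -> server completes the handshake
            key = (src, sport, dst, dport)
            if key in state:
                state[key] = ("ESTABLISHED", t)
    return state


def half_open_per_server(events, now, timeout=1.0):
    """Count, per (server_ip, server_port), handshakes still incomplete after
    `timeout` seconds, plus the number of completed handshakes overall."""
    counts = defaultdict(int)
    completed = 0
    for (cip, cport, sip, sport), (st, t) in handshake_states(events).items():
        if st == "ESTABLISHED":
            completed += 1
        elif now - t > timeout:
            counts[(sip, sport)] += 1
    return dict(counts), completed


def syn_flood_suspected(events, now, threshold=100, timeout=1.0):
    """Flag a SYN flood when some listener has >= threshold stale half-open handshakes
    and they dwarf the completed ones. Counting per server rather than per source
    matters because flood sources are spoofed and rarely repeat."""
    counts, completed = half_open_per_server(events, now, timeout)
    worst = max(counts.values(), default=0)
    return worst >= threshold and worst > 10 * max(completed, 1)


if __name__ == "__main__":
    print(half_open_per_server(SAMPLE_EVENTS, now=2.0))
    print("SYN flood suspected:", syn_flood_suspected(SAMPLE_EVENTS, now=2.0))
```

The same state machine is what a stateful firewall keeps per connection; the usual mitigations are SYN cookies (the server encodes the connection state in its initial sequence number instead of allocating a table entry) and shorter half-open timeouts.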
Layer 5 - Session Layer: Establishes connection between 2 applications: Setup > Maintenance > Tear Down.
Layer 6 - Presentation Layer: Only layer with no protocols; formatting, compressing, encryption (file level).
Layer 7 - Application Layer:
• Presents data to the user (applications/websites); HTTP, HTTPS, FTP, SNMP, IMAP, POP, …
• Non-Repudiation, certificates, application proxies, deep packet inspection, content inspection, AD
integration.
The TCP/IP Model (Internet Protocol Suite): A conceptual model that provides end-to-end data
communication, specifying how data should be packetized, addressed, transmitted, routed, and received.
TCP/IP Layer 1-4:
• The link layer: Containing communication methods for data that remains within a single network segment.
• The internet layer: Connecting independent networks, thus providing internetworking.
• The transport layer: Handling host-to-host communication.
• The application layer: Provides process-to-process data exchange for applications.


MAC Address (BIA)


• A unique identifier on the network card.
• It can be spoofed easily, for good and less good reasons.
• EUI-48 (MAC-48) is 48 bits: 24 bits of manufacturer identifier (OUI) and 24 bits of device identifier.
• EUI-64 is 64 bits: 24 bits of manufacturer identifier and 40 bits of device identifier.
• Both are in use today. IPv6 can build its 64-bit interface identifier from a 48-bit MAC (modified EUI-64) by inserting FF:FE between the manufacturer and device parts and flipping the universal/local bit in the first octet.

Protocols
IP Addresses:
• First deployed for production in the ARPANET in 1983; the ARPANET later became the internet. IP was developed in the 1970s for closed, trusted networks, so security was not built in.
• IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best-effort delivery
model; it does not guarantee delivery, it also does not assure proper sequencing or avoidance of duplicate
delivery. We have added protocols on top of IP to ensure those.
• The move towards IPv6 is driven mainly by the IPv4 address space having been exhausted years ago.
• IPv4 has 2^32 = 4,294,967,296 addresses (around 4.2 billion); of those, roughly 4 billion are usable as public internet addresses once private, multicast and reserved blocks are taken out.
• Over 35 billion mobile devices are currently on the internet; 75 billion are predicted by 2025.
• All major cell phone carriers in the US use IPv6 for all cell phones.
• IPv6 has 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
IP Addresses and Ports: When we send traffic, we use both the source IP and port and the destination IP and port; this tells the network where the traffic is going and where the reply should come back to. The IP address can be seen as the street address of an apartment building:
• The port number is your apartment number.
• If you have 50 browser tabs open, each tab has its own source port number(s).
Well-known Ports: 0-1023 - Mostly used for protocols.
Registered Ports: 1024 to 49151 - Mostly used for vendor-specific applications.
Dynamic, Private, or Ephemeral Ports: 49152–65535 - Can be used by anyone for anything.

Common Ports:
• 20 TCP: FTP data transfer.
• 21 TCP: FTP control.
• 22 TCP: Secure Shell (SSH).
• 23 TCP: Telnet, unencrypted text communications.
• 25 TCP: Simple Mail Transfer Protocol (SMTP); 2525 is also used.
• 53 TCP/UDP: DNS.
• 67/68 UDP: DHCP/BOOTP (server/client).
• 80 TCP: Hypertext Transfer Protocol (HTTP); 8008 and 8080 are common alternates.
• 110 TCP: Post Office Protocol version 3 (POP3).
• 137 UDP: NetBIOS Name Service, used for name registration and resolution.
• 138 UDP: NetBIOS Datagram Service.
• 143 TCP: Internet Message Access Protocol (IMAP).
• 443 TCP: HTTP over TLS/SSL (HTTPS); 8443 is a common alternate.
• 3389 TCP/UDP: Microsoft Terminal Server (RDP).
Sockets and Socket Pairs:
• A socket is one IP address plus one port number, for example 192.168.0.6:49691.
• A TCP connection is identified by its socket pair: source IP:port and destination IP:port. UDP datagrams carry the same four values, but there is no connection state to track.
• Example socket pair from a browser session: source 192.168.0.6:49691, destination 195.122.177.218:https.
• Tools often display well-known ports by name; port 443 is shown as https.
IPv4/IPv6 Address Space Management:
• IANA (Internet Assigned Numbers Authority): Governs the IP's address allocation.
• IANA is a department of ICANN (Internet Corporation for Assigned Names and Numbers).
• The world is divided into five RIR (Regional Internet Registry) regions; each RIR allocates the address space it controls to ISPs and organizations in its region.
• AFRINIC: Africa.
• ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica.
• APNIC: Asia, Australia, New Zealand, and neighboring countries.
• LACNIC: Latin America and parts of the Caribbean region.
• RIPE NCC: Europe, Russia, Middle East, and Central Asia.

IP Address and Traffic Types:
Unicast, Multicast, and Broadcast Traffic:
• Unicast - One-to-one traffic (client to server): The traffic goes from a client to a host or the reverse. To capture all unicast traffic on a segment, we put a network card (for example on a network IDS/IPS) in promiscuous mode, and the switch port it is attached to must be configured as a SPAN (mirror) port, because a switch otherwise only delivers unicast frames to the destination port.
• Multicast - One-to-many (predefined): The traffic is sent to everyone subscribed to a multicast group.
• Broadcast - One-to-all (on a LAN): The traffic is sent to everyone.
• Limited L3 broadcast: Uses the 255.255.255.255 destination address; routers do not forward it.
• L2 broadcast: Uses the FF:FF:FF:FF:FF:FF destination MAC address; routers do not forward it.
• Directed broadcast: Sent to every host on a specific subnet by addressing that subnet's broadcast address (192.168.19.255 for 192.168.19.0/24). Routers can forward it, which is what Smurf attacks abuse, and hosts receive it regardless of where they physically sit: if accounting has a VLAN spanning three remote buildings, the broadcast reaches all of them.
IPv4 (Internet Protocol version 4) addresses: Are made up of four octets in dotted-decimal notation, a human-readable form of a 32-bit binary number; it is easier to read four numbers than a string of 32 0s and 1s. Similarly, DNS translates names into IP addresses, which the network then handles as binary. It is easier to remember google.com than 66.102.12.231 or 2607:f8b0:4007:80b::200e.
• Public IP Addresses (routable addresses): Used to communicate over the internet between hosts.
• Private Addresses (RFC 1918, not routable on the internet):
• 10.0.0.0 - 10.255.255.255 (10.0.0.0/8): 16,777,216 addresses
• 172.16.0.0 - 172.31.255.255 (172.16.0.0/12): 1,048,576 addresses
• 192.168.0.0 - 192.168.255.255 (192.168.0.0/16): 65,536 addresses
• Other notable IP spaces:
• 127.0.0.0/8: Loopback IPs
• 169.254.0.0/16: Link-local
• 255.255.255.255: Limited broadcast
IPv4:
• NAT (Network Address Translation):
• Static NAT: Translates one-to-one; we need one public IP per private IP, which is neither practical nor sustainable.
• Dynamic (pool) NAT: Also one-to-one, but the public addresses come from a pool and are handed to clients on demand rather than being fixed to specific clients.
• PAT (Port Address Translation): Introduced to solve that problem; it translates on IP address AND port number, so one public IP can front many private IPs. Also called one-to-many NAT or NAT overload.
• Classful IP networks were used early on the internet for public addresses. Networks were VERY large, some with 16 million+ IPs, a very inefficient use of address space.
• CIDR (Classless Inter-Domain Routing, also called slash notation): We use CIDR to break address space into smaller logical segments, which saves addresses and lets us size each subnet to its needs. Logically segmented subnets are also easier to secure. For example, 172.16.254.1/24 is a host in the 256-address block 172.16.254.0 to 172.16.254.255.
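An added example (not from the original sheet) that puts the traffic types, address ranges and CIDR notation above into code, using Python's standard ipaddress module: it computes the network, mask and directed-broadcast address for a slash-notation block such as 172.16.254.1/24, and classifies an address as limited broadcast, directed broadcast, multicast, loopback, link-local, RFC 1918 private or public unicast. The function names and the local_net parameter are choices made for this example.

```python
import ipaddress
from typing import Optional

# The three RFC 1918 blocks from the table above.
PRIVATE_RFC1918 = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def subnet_summary(cidr: str) -> dict:
    """Network, mask, directed-broadcast address and usable host count for a CIDR block.
    strict=False accepts a host address such as 172.16.254.1/24, not only 172.16.254.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast addresses (point-to-point links)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def classify(addr: str, local_net: Optional[str] = None) -> str:
    """Classify an IPv4 address the way the bullets above do. local_net (assumption for
    this example) is the subnet the packet is seen on, needed to recognise its directed broadcast."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast (routers never forward)"
    if local_net is not None:
        net = ipaddress.ip_network(local_net, strict=False)
        if net.prefixlen < 31 and ip == net.broadcast_address:
            return "directed broadcast (routers can forward; Smurf amplifier)"
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if any(ip in n for n in PRIVATE_RFC1918):
        return "private unicast (RFC 1918)"
    return "public unicast"


if __name__ == "__main__":
    print(subnet_summary("172.16.254.1/24"))
    for a in ("192.168.19.255", "192.168.19.12", "224.0.0.5", "8.8.8.8"):
        print(a, "->", classify(a, "192.168.19.12/24"))
```

Note that ipaddress.is_private covers far more than RFC 1918 (documentation ranges, benchmarking, 0.0.0.0/8 and so on), which is why the example matches the three blocks explicitly. Routers have defaulted to not forwarding directed broadcasts since RFC 2644 (1999); an edge router that still does is the amplifier a Smurf attack needs.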

IPv6:
• 128-bit addresses written in hexadecimal (0-9 and a-f).
• Eight groups of four hexadecimal digits, making addresses look like this:
• fd01:fe91:aa32:342d:74bb:234c:ce19:123b
• The IPv6 address space is huge: 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
• That is about 3.4 × 10^38 addresses, roughly 7.9 × 10^28 (2^96) times as many as IPv4.
• Enough for vastly more addresses per square foot of the planet than will ever be used.
• IPsec support is part of the IPv6 specification rather than bolted on as with IPv4, but it still has to be configured and used; IPv6 traffic is not encrypted by default.
• Mostly used behind the scenes today; many organizations do not have dual-stack equipment.
• Used by major US ISPs for cell phones.
• To make addresses more manageable, leading zeros in a group can be dropped, and ONE run of consecutive all-zero groups can be replaced with ::. If your IP is
2001:0000:0000:00b8:20fa:22ff:fe52:888a
• Remove the largest run of zero groups, replace it with ::, and we get 2001::b8:20fa:22ff:fe52:888a
• Link-local address (only valid on the local link): fe80::b8:20fa:22ff:fe52:888a
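An added example (not from the original sheet) that covers both the MAC Address (BIA) section above and the IPv6 shortening rules: Python that builds a modified EUI-64 interface identifier and a link-local address from a 48-bit MAC, recovers the MAC from such an address, and compresses or expands addresses with the standard ipaddress module. The MAC 22:fa:22:52:88:8a is chosen so that the result matches the interface identifier in the sheet's example address; the function names are choices made for this example.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC: insert FF:FE between the
    OUI and the device part and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix plus the modified EUI-64, returned in compressed (RFC 5952) form."""
    iid = mac_to_modified_eui64(mac)
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def mac_from_eui64_address(addr: str) -> str:
    """Reverse the process. Raises if the interface identifier is not EUI-64 derived,
    e.g. an RFC 4941 privacy address, which is exactly the point of those."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not modified EUI-64")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def compress(addr: str) -> str:
    """Drop leading zeros per group and replace the longest run of zero groups with '::'.
    ipaddress applies the RFC 5952 canonical form for us."""
    return str(ipaddress.IPv6Address(addr))


def expand(addr: str) -> str:
    """The opposite: every group written out as four hex digits."""
    return ipaddress.IPv6Address(addr).exploded


if __name__ == "__main__":
    print(link_local_from_mac("22:fa:22:52:88:8a"))
    print(compress("2001:0000:0000:00b8:20fa:22ff:fe52:888a"))
    print(expand("2001::b8:20fa:22ff:fe52:888a"))
```

The reverse function is the security point: an EUI-64 interface identifier hands every remote peer the host's hardware MAC (vendor and device), and the identifier stays the same on every network the host joins, which allows tracking. RFC 4941 privacy extensions and RFC 7217 stable opaque identifiers exist to avoid that, and modern operating systems use them by default.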
ARP (Address Resolution Protocol): Resolves IP addresses to MAC addresses. ARP is a simple and trusting protocol: requests are broadcast, replies are not authenticated, and anyone on the segment can answer.
• ARP (cache) poisoning: An attacker sends fake replies, often unsolicited and repeated, so victims cache the attacker's MAC for a critical entry such as the default gateway, giving the attacker a man-in-the-middle position. Countermeasures: hardcoded (static) ARP entries for critical hosts, and Dynamic ARP Inspection on switches, which drops replies that contradict the DHCP snooping binding table.
• RARP (Reverse ARP): Used by diskless workstations to obtain an IP address from their MAC.
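An added example (not from the original sheet) of the detection side of ARP poisoning: a Python check over ARP reply observations that flags any reply contradicting a trusted IP-to-MAC binding for the gateway, and any host whose advertised MAC changes. The observations and the trusted binding table are constructed sample data, and the function names are choices made for this example.

```python
# Constructed ARP reply observations, as a sniffer on the LAN would record them:
# (time_s, sender_ip, sender_mac). The gateway 192.168.1.1 is legitimately
# aa:bb:cc:00:00:01; from t=30 an attacker at de:ad:be:ef:00:01 repeatedly claims
# to be the gateway, and at t=41 also claims to be the host 192.168.1.20.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (5.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (30.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    (30.5, "192.168.1.1", "de:ad:be:ef:00:01"),
    (31.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    (40.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (41.0, "192.168.1.20", "de:ad:be:ef:00:01"),
]

# Bindings we trust, e.g. the hardcoded gateway entry or a DHCP snooping table (assumed).
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_poisoning(replies, trusted=TRUSTED_BINDINGS):
    """Return one alert per suspicious reply:
    - a reply whose MAC contradicts a trusted binding for that IP (checked every time,
      because poisoning is repeated to keep the victim's cache overwritten), or
    - a reply that changes the MAC last seen for an untrusted IP."""
    alerts = []
    current = {}  # ip -> MAC most recently advertised for it
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"time": t, "ip": ip, "mac": mac,
                           "reason": "contradicts trusted binding"})
        elif ip in current and current[ip] != mac:
            alerts.append({"time": t, "ip": ip, "mac": mac,
                           "reason": "binding changed"})
        current[ip] = mac
    return alerts


def suspect_macs(replies, trusted=TRUSTED_BINDINGS):
    """The set of MAC addresses that appeared in any alert: the likely attacker NIC(s)."""
    return {a["mac"] for a in detect_arp_poisoning(replies, trusted)}


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
    print("suspects:", suspect_macs(SAMPLE_ARP_REPLIES))
```

This is the host-side equivalent of what arpwatch does and of the check Dynamic ARP Inspection performs on the switch; a MAC that is suddenly claimed for several IPs, as in the last alert, is the usual signature of a tool poisoning both sides of a conversation.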
ICMP (Internet Control Message Protocol): Supports IP; used for ping (echo request/reply) and for the Time Exceeded messages traceroute relies on, so it is often used for troubleshooting. An ICMP echo request is sent to the IP, which then sends an ICMP echo reply (or not). Originally used (and still) to see if a host is up or down: an echo reply means the host is up, but no reply does not mean it is down, because firewalls and routers can block ICMP.
Traceroute: Uses the TTL field somewhat in reverse to map a route. We send a probe with TTL 1; the first router decrements it to 0, discards it and sends back an ICMP Time Exceeded message, which identifies the first hop. We then send a probe with TTL 2, the second router does the same, and so on until the destination is reached (30 hops maximum by default).
Telnet: Remote access over a network; uses TCP port 23, all data is plaintext including usernames and
passwords, should not be used. Attackers with network access can easily sniff credentials and alter data and
take control of telnet sessions.
SSH (Secure Shell):
• Designed to replace unsecured protocols such as Telnet, rlogin/rsh and FTP, and to tunnel others through an encrypted channel (port forwarding).
• SSHv1 had serious vulnerabilities long ago and must not be used; SSHv2 implementations have had vulnerabilities more recently, so keep them patched.
• Provides a 'secure' connection over an unsecured network (the internet).
• The Snowden leak in 2013 showed the NSA could 'sometimes' decrypt SSL and get access to the data.
• BothanSpy and Gyrfalcon (implants disclosed in the 2017 Vault 7 leak) steal SSH credentials and session data from the endpoint rather than breaking the cryptography: BothanSpy targets the Xshell SSH client on Microsoft Windows, Gyrfalcon the OpenSSH client on Linux (CentOS, Debian, RHEL, SUSE, Ubuntu).

FTP (File Transfer Protocol):
• Transfers files to and from servers.
• No confidentiality or integrity protection, so it should not be used, since most of what we transport crosses unsecured networks. Uses TCP port 21 for the control connection (commands) and TCP port 20 for the data connection (the actual data) in active mode; in passive mode the server opens a high-numbered port for the data connection instead.
SFTP (SSH File Transfer Protocol): A separate file transfer protocol that runs inside SSH; it is not FTP with SSH added.
FTPS (FTP Secure): FTP with TLS (formerly SSL) added.
TFTP (Trivial FTP): Uses UDP port 69. There is no authentication and no directory structure; files are written to and read from one directory (/tftpboot). Used for "bootstrapping" (downloading an OS over the network for diskless workstations) and for saving router configurations, so it belongs on an isolated management network only.
DNS (Domain Name System): Translates host names into IP addresses and uses TCP and UDP port 53 (UDP for most queries, TCP for large responses and zone transfers). google.com can resolve to 66.102.12.231 or 2607:f8b0:4007:80b::200e depending on the requester's location; applications call gethostbyname() and gethostbyaddr() (or the newer getaddrinfo()).
• Authoritative name server: The authority for a given namespace.
• Recursive name server: Resolves names it does not already know by querying other servers on the client's behalf.
• Caching name server: Keeps previously resolved names in a temporary cache until their TTL expires.
• DNS uses UDP for most requests and natively has no authentication.
• DNS (cache) poisoning: Like ARP poisoning, an attacker feeds a forged name/address combination to a resolver when it asks, and the resolver keeps it in its cache until it expires.
DNSSEC (DNS Security Extensions): Provides authentication and integrity using digital signatures (public-key cryptography); it does not provide confidentiality. Think of it as a digital signature on DNS records.
SNMP (Simple Network Management Protocol): Mostly used to monitor devices on our network (routers, switches, servers, HVAC, UPS, ...); an SNMP agent is enabled or installed on the device, which can then report port up/down, traffic utilization, temperature, memory use, disk allocation, ...
• SNMPv1: Sends data in cleartext, many security flaws, should not be used.
• SNMPv2c: Still widely used and slightly improved, but community strings (the passwords) still travel in cleartext; should be avoided.
• SNMPv3: Adds authentication and encryption (authPriv mode) to provide CIA; this should be the standard across any organization.
HTTP and HTTPS - Transport HTML data.
• HTTP: Uses TCP port 80 (8008 and 8080), unencrypted website data sent across the internet.
• HTTPS (HTTP Secure): Uses TCP Port 443 (8443), encrypted data sent over the internet.
• HTML (Hypertext Markup Language): The actual language webpages are written, not to be confused with
HTTP/HTTPS.
BOOTP (Bootstrap Protocol): Used for diskless workstations used to determine OS (Downloaded with TFTP)
and IP Address; most system BIOSs support BOOTP; they can then load the OS without a disk.
DHCP (Dynamic Host Configuration Protocol): The protocol we use to assign IP addresses, controlled by a DHCP server for your environment. Both BOOTP and DHCP use UDP port 67 on the server side and UDP port 68 on the client side.

Cables
Networking Cables:
• Networking cables all have pros and cons; some are cheap, some are more secure, and some are faster, …
• They can also pose different security vulnerabilities depending on the cable and the environment.
• EMI (Electromagnetic Interference): Magnetism can disrupt data availability and integrity.
• Crosstalk: The signal crossing from one cable to another; can be a confidentiality issue.
• Attenuation is the signal getting weaker the farther it travels. Copper lines have attenuation; with DSL, the
farther you are from the DSLAM, the lower speed you get.
Twisted Pair Cables:
• UTP (Unshielded Twisted Pair): Pairs of copper wires twisted around each other, with no shielding.
• Twisting the pairs makes them less susceptible to EMI.
• In 10/100 Mbps Ethernet one pair sends and one pair receives; gigabit Ethernet uses all four pairs in both directions.
• The tighter the twist, the less susceptible the pair is to EMI and crosstalk.
• For example, CAT3 pairs (looser twist) are more susceptible to EMI than CAT6 (tighter twist).
• STP (Shielded Twisted Pair): Has extra metal foil or mesh shielding around the pairs, making them less susceptible to EMI but also thicker, stiffer, and more expensive.
Coax Cables:
• Commonly used for cable TV and Internet services. Coax Cables have built-in layers:
• A Copper core in the middle.
• A plastic insulator around the middle core.
• A copper braid/shield around the insulator.
• A plastic outer layer.
• The braid/shield makes it less susceptible to EMI, and the thicker core can provide higher speeds.
Fiber Optic Cables: Use light to carry data (vs. electricity for copper cables):
• Pros: Speed; laboratory demonstrations have exceeded 1 petabit per second over a single fiber at 50 km (35 miles).
• Far lower attenuation than copper; a single unrepeated span can be 150 miles+ (240 km+).
• Not susceptible to EMI.
• More secure than copper: it emits no signal and is much harder to tap without causing a detectable loss.
• Cons: Price, more difficult to work with, and the glass in the cable can break if bent too tightly.
• Single-Mode Fiber: A thin core carries a single mode of light straight down the center; used for long-distance runs (often in IP backbones).
• Multi-Mode Fiber: A larger core carries light along multiple paths (modes); modal dispersion limits it to shorter runs, within buildings and data centers. Carrying several data streams on different wavelengths over one fiber is WDM (Wavelength Division Multiplexing), a separate technique most often used on single-mode fiber.
• All cable measurements are in the metric system (m/km).

• Only three countries in the world do not use the metric system (Burma (Myanmar), Liberia, and the United
States).
• 1Kbps: Kilobits per second 1,000 bps (10³)
• 1Mbps: Megabit per second 1,000,000 bps (10⁶)
• 1Gbps: Gigabit per second 1,000,000,000 bps (10⁹)
• 1Tbps: Terabit per second 1,000,000,000,000 bps (10¹²)
• 1Pbps: Petabit per second 1,000,000,000,000,000 bps (10¹⁵)

LAN Technologies and Protocols


• Network topology describes the layout of the interconnections between devices and network segments.
• Ethernet and Wi-Fi are the two most common transmission technologies used for LANs.
• At the data link and physical layers, a wide variety of LAN topologies have been used, including ring, bus,
mesh, and star.
• At the higher layers, TCP/IP is the de facto standard; NetBEUI, IPX/SPX, and AppleTalk are legacy.
• Fiber-optic: commonly used between switches/servers and for backbone data transfers.
• Ethernet is a baseband and uses copper TP, coax, and fiber cables. Ethernet was also not built for how we
use networks today, so we bolt-on functionality we want.
• Wireless technologies are often built into Smartphones, tablets, and laptops. In a wireless LAN, users can
move unrestricted in the coverage area; the transfer from one wireless access point to another is often
completely seamless.
CSMA (Carrier Sense Multiple Access): Clients on a shared medium listen before sending; if the line is idle they transmit, otherwise they wait.
CSMA/CD (CSMA with Collision Detection): Used on media where a node can transmit and listen at the same time, such as hubbed Ethernet. Two clients can both hear an idle line and transmit at once, causing a collision; CD detects it, both stop, send a jam signal, and retry after a random back-off (milliseconds). Switches give each port its own collision domain, so collisions are largely gone on modern Ethernet.
CSMA/CA (CSMA with Collision Avoidance): Used where a node can either send or receive but cannot detect collisions while transmitting, such as wireless. Nodes wait a random back-off before sending even when the medium looks idle, can reserve the medium with RTS/CTS, and the receiver acknowledges each frame so the sender knows whether it got through.

Legacy LAN Systems


ARCNET (Attached Resource Computer Network):
• Used network tokens for traffic, no collisions.
• Used a Star Topology.
• 2.5Mbps.
Token Ring:
• Used network tokens for traffic, no collisions.
• Used a Ring Topology.
• 16Mbps.

FDDI (Fiber Distributed Data Interface):
• Used token passing for traffic (no collisions) over a dual counter-rotating ring, so a single break could be healed by wrapping onto the second ring.
• Used a ring topology.
• Used fiber and not copper, so not susceptible to EMI.
• 100 Mbps.

Physical LAN Topologies


Bus: All nodes are connected in a line; each node inspects traffic and passes it along. Not very stable; a single
break in the cable will break the signal to all nodes past that point, including communication between nodes
way past the break. Faulty NICs (Network Interface Card) can also break the chain.
Tree (Hierarchical): The base of the Tree topology controls the traffic; this was often the mainframe.
Ring: All nodes are connected in a ring.
Star: All nodes are connected to a central device; this is what we normally use for Ethernet; our nodes are
connected to a switch. Provides better fault tolerance; a cable break or a faulty NIC will only affect that one
node.
Mesh: Nodes are connected in either partial or full mesh.
• Partial Mesh: Nodes are directly connected to some other nodes.
• Full Mesh: All nodes are directly connected to all other nodes.
• More redundant but requires a lot more cables and NICs.
• Often used in HA (High Availability) environments, with cluster servers for keepalives.

WAN (Wide Area Network) Technologies and Protocols


The internet is built of 1000s of WAN ISPs (Internet Service Providers) and Long-Haul providers.
Legacy Connections:
• T1 (US): Dedicated 1.544 Mbps circuit carrying 24 64 kbps DS0 (Digital Signal 0) channels, originally 24 circuit-switched phone channels. Also called DS1.
• T3 (US): 28 bundled T1 lines, creating a dedicated 44.736 Mbps circuit (DS3).
• E1 (Europe): Dedicated 2.048 Mbps circuit with 32 64 kbps timeslots, 30 of which carry user channels (the other two carry framing and signaling).
• E3 (Europe): 16 bundled E1 lines, creating a dedicated 34.368 Mbps circuit.
• Frame Relay: Packet-Switching L2 protocol has no error recovery and only focuses on speed. Higher-level
protocols can provide that if needed.
• PVC (Permanent Virtual Circuit): Always up, ready to transmit data. Form logical end-to-end links
mapped over a physical network.
• SVC (Switched Virtual Circuit): Calls up when it needs to transmit data, closes the call when done.
• Uses DLCI (Data Link Connection Identifiers) to identify the virtual connection; this way, the receiving end
knows which connection an information frame belongs to.
• X.25: Used to be a standard protocol suite for packet-switched WAN communication. An X.25 WAN
consists of Packet-Switching Exchange (PSE) nodes as the networking hardware and leased lines, plain old
telephone service connections, or ISDN connections as physical links; Uses error correction, which can
add latency.

• SONET (Synchronous Optical Networking): Carries multiple T circuits over fiber optics; Uses a physical
ring topology.
MPLS (Multiprotocol Label Switching):
• Directs data from one node to the next based on short path labels and not IP addresses.
• The labels identify virtual links/paths between distant nodes, not the endpoint.
• Can encapsulate packets of other protocols/technologies (T1/E1, ATM, Frame Relay, and DSL).
• Packet-forwarding decisions are made on the label's contents, not by examining the packet.
• MPLS can create end-to-end circuits across any type of transport medium using any protocol.
• MPLS operates at a layer that is considered between the OSI models L2 and L3 (an L2.5 protocol).
• Used to connect geographically distant locations of an organization with MPLS VPN connections.
Software-Defined Wide Area Network (SD-WAN):
• 85%+ of surveyed companies have deployed or plan to deploy within two years (Cisco/FortiNet).
• Why we are seeing a move towards SD-WAN:
○ Higher and cheaper bandwidth, flexibility/scalability of bandwidth allocation, and traffic engineering.
○ Ability to utilize many different connection types (DSL, cable, fiber, satellite, 4G/5G, ...).
○ Near real-time failover between connection types.
○ Centralized, easier management, better insights, reporting, and statistics.
○ Better performance with intelligent routing; it can choose the optimal network circuit for a given application or type of traffic.
○ Rapid deployment with pre-configured appliances or virtual appliances.
○ Secure connectivity: IPsec tunnels and a next-generation firewall.
SDLC (Synchronous Data Link Control): A synchronous L2 WAN protocol that uses polling to transmit data;
combined nodes can act as primary or secondary but using NRM transmission only.
HDLC (High-Level Data Link Control): The successor to SDLC; adds error correction and flow control and two
additional modes (ARM/ABM).
The three modes of HDLC and the one of SDLC are:
• NRM (Normal Response Mode): Secondary nodes transmit when they get permission from the primary.
• ARM (Asynchronous Response Mode): Secondary nodes can initiate communication with the primary node.
• ABM (Asynchronous Balanced Mode): When nodes act as primary or secondary, initiating transmissions
without receiving permission; this is the most commonly used mode.
DNP3 (Distributed Network Protocol): A set of communications protocols used between components in
process automation systems, mainly used in utilities such as electric and water companies. It plays a crucial
role in SCADA systems, where it carries the communication between a Master Station (control center) and
Remote Terminal Units (RTUs) and/or Intelligent Electronic Devices (IEDs).
Storage Protocols:
• SAN (Storage Area Network): Provides a cost-effective way to connect servers to storage using existing
network infrastructure technologies and protocols. A SAN allows block-level access across a network; to the
server it acts like an attached hard drive.
• FCoE (Fiber Channel over Ethernet): The fiber channel’s HBA (Host Bus Adapters) are unique cards to
interface with storage and can be combined with the network interface (NIC) for economies of scale. FCoE
uses Ethernet, not TCP/IP, and because of that, it is not routable.
• FCIP (Fiber Channel over IP): Encapsulates fiber channel frames via TCP/IP.
• VSAN (Virtual Storage Area Network): A collection of ports from a set of connected fiber channel switches
that form a virtual fabric. Ports within a single switch can be partitioned into multiple VSANs, and ports
spread across multiple switches that share hardware can be joined to form a single VSAN.
• iSCSI (Internet Small Computer System Interface): Leverages existing networking infrastructure and
protocols to interface with storage. It uses the higher layers of the TCP/IP model for communication and
can be routed like any IP protocol (so can FCIP). It can be used for storage across a WAN; uses LUNs (Logical
Unit Numbers) to address storage across the network.
VoIP (Voice over Internet Protocol):
• A group of technologies to deliver voice communications and multimedia sessions over IP networks.
• The digital information is packetized and transmitted using UDP/IP packets over a packet-switched
network.
• VoIP systems transport audio streams using special media delivery protocols that encode audio and video
with audio codecs and video codecs.
• VoIP is commonly used on VoIP phones, smartphones, PCs, and Internet access devices; calls and text
messages can be sent over 3G, 4G, or Wi-Fi.
• The security concerns of VoIP telephone systems are similar to those of any Internet-connected device.
• Hackers who know about VoIP vulnerabilities can deploy denial-of-service attacks, harvest customer data,
record conversations, and compromise voicemail messages.
• The quality of the internet connection determines the quality of the calls; whereas data traffic is more
forgiving, VoIP runs over UDP and needs a real-time, error-free connection.
• Where regular phones may work, VoIP phone service will not work if there is a power outage or when the
internet connection is down.
• We use many different VoIP protocols: SIP (Session Initiation Protocol), H.323, MGCP (Media Gateway
Control Protocol), Gateway Control Protocol, RTP (Real-time Transport Protocol), RTCP (Real-time Transport
Control Protocol), ...
SDN (Software-Defined Networking):
• We can initialize, control, change, and manage network behavior dynamically.
• Addresses the static architecture of traditional networks that doesn't support the dynamic, scalable
computing/storage needs of newer computing environments, such as data centers.
• This is done by separating the router's control plane from the data plane; the control plane makes routing
decisions, and the data plane forwards data through the router.
• This gives us the option to be hardware-vendor agnostic.
Virtual eXtensible LAN (VXLAN): An encapsulation protocol that allows VLANs to span subnets and physically
distant locations. VXLAN can support up to 16 million virtual networks; VLAN is limited to 4,096. It can be used
to implement micro-segmentation without restricting segments to only local entities.
Software-defined Wide Area Network (SD-WAN): Derived from SDN, used to connect distant data centers,
locations, and cloud services over WAN links.
SDx (Software-Defined Everything): Any function that can be performed by or automated by software; this
includes networking, storage, data center, compute, security, WAN, really anything.

WLAN (Wireless LAN) Technologies and Protocols

Wi-Fi Attacks:
• Rogue Access Points: An unauthorized access point that has been added to our network without our
knowledge; this can be malicious (placed by an attacker) or just an employee wanting Wi-Fi somewhere with
bad coverage. Because they sit outside our security posture, they are a very big concern. They can be
somewhat mitigated with port security on the switches and by scanning for rogue access points; can
compromise confidentiality and integrity.
• Jamming/Interference: Congestion on the Wi-Fi frequencies, or attackers deliberately jamming them, can
disrupt our network (DoS). If interference is an issue, we can change to other channels or different
frequencies if our equipment supports it. The 2.4 GHz band is used by Bluetooth, microwaves, cordless
phones, baby monitors, Wi-Fi, ...; can compromise integrity and availability.
• Evil Twin: When attackers try to create rogue access points to gain access to the network or access to
network traffic. It can be done on our network or not; the attacker names their access point the same as
ours, with no security, and user devices automatically connect to them; this can compromise confidentiality
and integrity.
802.11 Standards:
• 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing
WLAN computer communication in the 2.4, 3.7, 5, and 6 GHz frequency bands.
• There are more 802.11 protocols but for the exam, know these.
• The 2.4 GHz frequency can be very crowded; wireless, Bluetooth, microwaves, cordless phones, and baby
monitors,... use that frequency.
• The 5 GHz frequency is normally less crowded and has less interference than 2.4 GHz.
• With the 6 GHz being available, one of its selling points is a completely non-crowded frequency.
• 5 and 6 GHz are higher frequencies with shorter waves; they do not penetrate walls, floors, and other
obstructions as well as the longer 2.4 GHz waves do.
• It is easy to change your Wi-Fi channel to a less crowded one.
• Some access point management software can dynamically change the channels on individual access points
to find better channels and provide less overlap.
802.11 Wireless NICs:
• Operate in four different modes:
• Managed/Client Mode: A wireless access point is required. Clients connect to an access point in
managed mode; once connected, they only communicate with the access point; they can't directly
communicate with other clients.
• Infrastructure Mode: A wireless access point is required. The client must use the same SSID
(service set identifier) as the access point, and if encryption is enabled, they must share the same
keys or other authentication parameters.
• Ad-hoc Mode Network: The WNIC does not require an access point but can directly interface with
all other wireless nodes. All the nodes in an ad hoc network must have the same channel and SSID.
A computer connected to the Internet via a wired NIC may advertise an ad-hoc WLAN to allow
internet sharing.
• Monitor mode or RFMON (Radio Frequency Monitor) Mode: Enables a computer with a WNIC to
monitor all traffic received from the wireless network. Unlike promiscuous mode, which is also
used for packet sniffing, monitor mode allows packets to be captured without associating with an
access point or ad hoc network first.
SS (Service Set): A set consisting of all the devices associated with an organization's WLAN (Wireless Local
Area Network).
SSID (Service Set Identifier): The name of the wireless access point you see when you connect.
• Clients must know the SSID before joining that WLAN.
• The SSID is a configuration parameter.
• SSIDs are normally broadcasted, but we can disable the broadcast in the access point configuration.
• Disabling the broadcast is a security measure we may want to use, but it is easy to bypass.
• We can also use MAC address filtering on our wireless access points, another limited security feature.
• MAC addresses are sent in plaintext on 802.11 WLANs; they are easy to sniff and spoof.
WEP (Wired Equivalent Privacy) protocol, early 802.11 wireless security (1997).
• No longer secure; it should not be used because attackers can break any WEP key in a few minutes.
• It was designed not to conflict with the Wassenaar Arrangement's 40-bit limit on encryption, and because of
that, it was designed weaker than it should have been.
• Older access points may have a WEP option; most are preconfigured with WPA2/PSK or WPA3/SAE.
• WEP uses 10 or 26 hexadecimal digits (40 or 104 bits).
• Widely used years back, it was the first security choice presented to users by router configuration tools.
• WEP frames do not use timestamps and have no replay protection; attackers can inject traffic by replaying
previously sniffed WEP frames.
WPA (Wi-Fi Protected Access) (2003):
• An interim standard to address WEP issues; it should not be used.
• Uses RC4 and TKIP (Temporal Key Integrity Protocol).
• Neither are considered secure anymore.
• TKIP uses a per-packet key, meaning that it dynamically generates a new 128-bit key for each
packet and prevents the types of attacks that compromise WEP.
• WPA has been specifically designed to work with wireless hardware produced prior to introducing the WPA
protocol.
WPA2 (Wi-Fi Protected Access II):
• Also called RSN (Robust Security Network) (2004).
• Most commonly used, but there is a slow move towards WPA3; the most secure form of WPA2 is WPA2-PSK (Pre-
Shared Key) using AES.
• AES provides confidentiality, and CCMP (Counter Mode CBC MAC Protocol) provides a Message Integrity Check
(MIC) for integrity; WPA2 can be configured to use older, less secure protocols (TKIP).
WPA3 (Wi-Fi Protected Access III) (2020):
• The current standard, but the transition from WPA2 is slow.
• Offers 192-bit key strength; replaces the pre-shared key (PSK) exchange with the Simultaneous
Authentication of Equals (SAE) exchange and uses AES-256 in GCM mode with SHA-384 as the HMAC.
Bluetooth:
• A wireless technology standard for exchanging data over short distances using 2.4 GHz from fixed and
mobile devices and building personal area networks (PANs).
• Bluetooth has three classes of devices; while designed for short-distance networking, Class 1 can reach up
to 100 meters.
• Class 1: 100 meters, 2: 10 meters, 3: under 10 meters. Bluetooth implements confidentiality,
authentication, and key derivation with custom algorithms based on the SAFER+ block cipher.
• The E0 stream cipher encrypts packets granting confidentiality and is based on a shared cryptographic
secret, namely a previously generated link key or master key.
• Cryptanalysis of E0 has proven it to be weak; attacks show the true strength to be 38 bits or even less.
• Bluetooth key generation is generally based on a Bluetooth PIN which must be entered on one or both
devices.
• Bluetooth security is, to some extent, security through obscurity; it assumes the 48-bit MAC address of the
Bluetooth adapter is not known. Even when disabled, Bluetooth devices may be discovered by guessing the
MAC address. The first 24 bits are the OUI, which can be easily guessed; the last 24 bits can be discovered
with brute-force attacks.
• Attacks:
• Bluejacking: Sending unsolicited messages over Bluetooth, most often harmless but annoying.
• Bluesnarfing: Unauthorized access to information: phones, desktops, laptops, ...
• Bluebugging: The attacker gains total access and control of your device, which happens when
your device is left in a discoverable state—only older phones with outdated OSs.
• Countermeasures:
• Enable Bluetooth only when you need it.
• Enable Bluetooth discovery only when necessary and disable when your devices are paired.
• Do not enter link keys or PINs when unexpectedly prompted to do so.
• Remove paired devices when you do not use them.
• Regularly update firmware on all Bluetooth-enabled devices.
Li-Fi: Uses light to transmit data and position between devices. Can send high-speed data using visible light,
ultraviolet, and infrared spectrums. It can be used in areas prone to EMI (Electromagnetic interference), such
as aircraft cabins, hospitals, and nuclear power plants. Speeds (currently) up to 100 Gbit. Light can reflect off
walls and still reach 70 Mbit without requiring a direct line of sight.
• Pros: Does not compete for Wi-Fi's capacity (radio frequency exhaustion) and can be used in places where Wi-
Fi is prohibited.
• Cons: Short range, not always reliable, and high cost of implementation.
Zigbee: Mesh wireless network with low power, low data rate, and close proximity. Simple and less complex
compared to other WPANs (Wireless Personal Area Networks) such as Bluetooth or Wi-Fi. It ranges from 10 to
100 meters, but it requires line-of-sight. Data rates vary between 20 kbit/s (868 MHz band) and 250 kbit/s (2.4
GHz band).
Satellite: Satellite internet was a relatively slow and expensive option for many years. You have a modem, as
with any other internet connection, as well as a satellite dish (2-3 ft. or 60-90 cm). Typical satellite connections
have had a latency of 500 ms and speeds ranging from 10 to 50 Mbps. Starlink is currently testing speeds
ranging from 20-200 Mbps down to 15-50 Mbps up, with latencies ranging from 15-40 ms.

Cellular Networks
3G: Bandwidth: 2 Mbps, latency: 100-500 ms, average speed 144 Kbps.
4G: Bandwidth: 200 Mbps, latency: 20-30 ms, average speed 25 Mbps, 16km (10 miles).
5G: Bandwidth: 5-20 Gbps, latency: <10 ms, average speed 200-400 Mbps, 500m (1500 ft).
• High frequency, short-range, and can be blocked by anything metal and even just solid objects.
• A lot more 5G towers are needed to get coverage.

Secure Network Devices and Protocols

We have different network devices through the OSI and TCP/IP models, and many have protocols specific to
those devices.
Layer 1 Devices:
• Repeaters: Receives a signal and retransmits it. It is used to extend transmissions over longer distances.
• Hubs: These are repeaters with more than two ports. All traffic is sent out all ports; no confidentiality or
integrity, half-duplex, and not secure at all.
Layer 2 Devices:
• Bridges: Two-port switches used to separate collision domains; they pass traffic between the two domains
only when needed, so traffic from one domain is not seen on the other unless sent there.
• Switches: These are bridges with more than two ports. Each port is its own collision domain, fixing some of
the issues with collisions. It can range from 4 to 500+ ports. Use MAC addresses to direct traffic.
• Good switch security includes:
• Shutting unused ports down.
• Putting ports in specific VLANs.
• Using the MAC sticky command (port security), which only allows the learned MAC to use the port,
with either a warning or a shutdown if another MAC accesses the port.
• Using VLAN pruning for trunk ports.
Layer 2 Protocols:
• VLAN (Virtual LAN): A broadcast domain partitioned and isolated at layer 2.
• Specific ports on a switch are assigned to a certain VLAN.
• For example, the Payroll VLAN can be in two different buildings and span multiple switches.
• VLANs use tags in network packets and tag handling in networking systems. It replicates the
appearance and functionality of traffic that is physically on a single network but logically is split
into separate networks.
• Allows networks and devices that must be kept separate to share the same physical devices
without interacting for simplicity, security, traffic management, and/or cost reduction.
• VLAN Trunks: Ports connecting two switches to span VLANs across them.
• VLANs share bandwidth; a VLAN trunk can use link aggregation, quality-of-service prioritization, or
both to route data efficiently.
• Virtual eXtensible Local Area Network (VXLAN): Widely used in cloud computing with
organizations that have mass tenants. (AWS, Google, …); solves the issue with a maximum of 4094
VLANs.
Layer 3 Devices:
• Routers:
• Normally has a few ports vs. a lot on switches.
• For our organizations, they are in the data centers.
• They are often combined with a switch and wireless in one box in your home.
• Forward traffic based on source and destination IPs and ports.
• Connect our LANs to the WAN.
• Send traffic to the most specific route in their routing table.
• A static route is a pre-configured route that always sends traffic for a certain subnet the same way.
• The default gateway sends all non-local traffic to, for instance, an ISP.
• Dynamic routes are learned from another router via a routing protocol (OSPF, EIGRP, BGP, IS-IS).
• A metric is used to determine the best route to a destination.
• Routers have two operation planes:
• Control Plane: Keeps a routing table that lists which route should be used to forward a data
packet through physical interfaces. Uses internal pre-configured static routes or learns routes
using a dynamic routing protocol. Static and dynamic routes are stored in the RIB (Routing
Information Base). The control-plane logic then strips non-essential directives from the RIB and
builds a FIB (Forwarding Information Base) to be used by the forwarding plane.
• Forwarding Plane: The router forwards data packets between incoming and outgoing interface
connections. It routes them to the correct network type using the packet header's information. It
uses the forwarding data (the FIB) that the control plane built from the routing table.
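As an added example (not from the quick sheets), the following Python routine shows how a router chooses among overlapping routes: the most specific prefix first, then the most trusted route source (administrative distance, which the sheet does not mention but real routers apply before the metric), then the lowest metric. The routing table, addresses and metrics are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Cisco-style default administrative distances: how much a router trusts each route source.
# A lower value wins when two routes have the same prefix length.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str   # "connected", "static", "ospf", ...
    metric: int   # protocol-specific cost; lower is better


def route(cidr, next_hop, source, metric=0):
    return Route(ipaddress.ip_network(cidr), next_hop, source, metric)


# Constructed routing table (addresses from documentation ranges, metrics made up).
RIB = [
    route("0.0.0.0/0", "203.0.113.1", "static"),        # default gateway: non-local traffic goes to the ISP
    route("192.0.2.0/24", "192.0.2.1", "connected"),     # directly attached LAN
    route("10.0.0.0/8", "10.255.0.1", "ospf", 20),       # dynamically learned summary route
    route("10.1.0.0/16", "10.1.255.1", "ospf", 30),      # more specific, learned from one neighbour
    route("10.1.0.0/16", "10.1.255.2", "ospf", 10),      # same prefix from another neighbour, better metric
    route("10.1.0.0/16", "10.1.255.3", "rip", 2),        # same prefix via RIP: loses on administrative distance
]


def best_route(rib, destination):
    """Pick the route a router would forward on: most specific prefix, then most trusted
    source (lowest administrative distance), then lowest metric. Returns None if nothing
    matches, i.e. the packet is dropped when there is no default route either."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, ADMIN_DISTANCE[r.source], r.metric))


def next_hop_for(rib, destination):
    """Convenience wrapper returning just the next-hop address (or None)."""
    best = best_route(rib, destination)
    return None if best is None else best.next_hop


if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.9.9.9", "192.0.2.77", "8.8.8.8"):
        r = best_route(RIB, dst)
        print(f"{dst:12} -> {r.prefix} via {r.next_hop} ({r.source}, metric {r.metric})")
```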
Layer 3 Protocols:
• We configure static routes for certain paths; it is not scalable and impossible to maintain manually. To
help with that, we use dynamic routes learned through routing protocols.
• Convergence: When a set of routers have the same routing information about the network they
are in. Routers converge when they have learned all available routes from each other via routing
protocols and all agree on what the network topology looks like. Any change in the network
that affects routing tables breaks the convergence temporarily until the change has been
successfully communicated to all routers. All IGPs (Interior Gateway Protocols) rely on convergence
to function correctly. When dynamic routing is enabled, every participating router exchanges what it
knows about the network; how it is done and what is shared depends on the routing protocol. The
Exterior Gateway Protocol BGP typically never converges; the Internet's routing table is
too big to communicate changes fast enough.
• Distance vector routing protocols: Only focus on how far the destination is.
• Hops: How many routers are in between here and there? They do not care about bandwidth; they
use the shortest path.
• RIP (Routing Information Protocol): Uses UDP port 520 as its transport. One of the oldest
distance-vector routing protocols; it uses the hop count as its routing metric and a maximum hop count to
prevent routing loops. The maximum for RIP is 15 hops; a hop count of 16 is considered an infinite distance,
and the route is considered unreachable. Routes are updated every 30 seconds.
• Hold-down timers are started per route entry when the hop count changes from a lower value to
a higher value; this allows the route to stabilize during this time; no update can be done to that
routing entry.
• Route poisoning: Used to prevent a router from sending packets through a route that has become
invalid; an update with an unreachable hop count is sent immediately to all the nodes in the network.
• Split-horizon: A route-advertisement rule that prevents routing loops by stopping a router from advertising a
route back out of the interface it learned the route from.
• Split-horizon routing with poison reverse: A variant of split-horizon route advertising where a
router actively advertises routes as unreachable over the interface over which they were learned
by setting the route metric to infinite.
• That immediately removes most looping routes before they can propagate through the network.
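As an added illustration (not part of the original sheet), this Python simulation runs a three-router distance-vector network through a link failure and compares plain updates, split horizon and poison reverse; the 16-hop "infinity" and route poisoning follow the RIP description above, while the topology and update rule are constructed for the demo.

```python
INFINITY = 16  # RIP: a hop count of 16 means "unreachable"


class Router:
    """A minimal distance-vector router: table maps destination -> (hop_count, next_hop)."""

    def __init__(self, name, neighbors):
        self.name = name
        self.neighbors = set(neighbors)
        self.table = {name: (0, None)}
        for n in neighbors:
            self.table[n] = (1, n)

    def advertisement_for(self, neighbor, mode):
        """Routes this router sends to one neighbor, filtered by the loop-prevention mode."""
        adv = {}
        for dst, (hops, via) in self.table.items():
            if via == neighbor and mode == "split-horizon":
                continue                      # never send a route back where it came from
            if via == neighbor and mode == "poison-reverse":
                adv[dst] = INFINITY           # send it back, but as unreachable
                continue
            adv[dst] = hops
        return adv

    def receive(self, neighbor, adv):
        """Bellman-Ford update: a better path replaces the current one, and any change reported
        by the current next hop is accepted too (that is how a poisoned route propagates)."""
        changed = False
        for dst, hops in adv.items():
            if dst == self.name:
                continue
            new = min(hops + 1, INFINITY)
            cur_hops, cur_via = self.table.get(dst, (INFINITY, None))
            if new < cur_hops or (cur_via == neighbor and new != cur_hops):
                self.table[dst] = (new, neighbor)
                changed = True
        return changed


def build_chain():
    """Constructed topology: A -- B -- C (three routers in a line)."""
    return {"A": Router("A", ["B"]), "B": Router("B", ["A", "C"]), "C": Router("C", ["B"])}


def run_round(routers, mode):
    """One synchronous update period (RIP: every 30 s): everyone advertises, then everyone applies."""
    messages = [(n, r.name, r.advertisement_for(n, mode))
                for r in routers.values() for n in r.neighbors]
    changed = False
    for receiver, sender, adv in messages:
        changed |= routers[receiver].receive(sender, adv)
    return changed


def converge(routers, mode, max_rounds=50):
    """Run rounds until one changes nothing; return how many rounds changed something."""
    for i in range(1, max_rounds + 1):
        if not run_round(routers, mode):
            return i - 1
    return max_rounds


def fail_link(routers, x, y):
    """Link x-y goes down. Route poisoning: every route that used it is marked unreachable at
    once (still via the old next hop) so the next advertisement carries 16 hops."""
    for me, gone in ((x, y), (y, x)):
        r = routers[me]
        r.neighbors.discard(gone)
        for dst, (hops, via) in list(r.table.items()):
            if via == gone:
                r.table[dst] = (INFINITY, via)


def rounds_after_failure(mode):
    """Converge A-B-C, cut B-C, and count the rounds until everyone agrees C is unreachable.
    Without split horizon A keeps re-advertising its stale route to B and they count to 16."""
    routers = build_chain()
    converge(routers, mode)
    fail_link(routers, "B", "C")
    rounds = converge(routers, mode)
    return rounds, routers["A"].table["C"][0]


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        rounds, hops_at_a = rounds_after_failure(mode)
        print(f"{mode:15} converged after {rounds:2d} update rounds; A's hop count to C = {hops_at_a}")
```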
• Link-state routing protocols: Each node independently runs an algorithm to determine the shortest
path from itself to every other node in the network. The best paths will form the nodes' routing table.
It is based on a link cost across each path which includes available bandwidth, among other things.
Routing tables are synchronized at startup and only update when the topology changes.
• OSPF (Open Shortest Path First): Used within a single routing domain logically divided into areas.
It can be used on IPv4 (v2) and IPv6 (v3) networks and supports the CIDR addressing model. Detects
changes in the topology, such as link failures, and converges on a new loop-free routing table
within seconds. It does not use a transport protocol (UDP/TCP) but encapsulates the data directly
in IP packets with protocol number 89.
• BGP (Border Gateway Protocol): The routing protocol used for the Internet. BGP routes between
AS (Autonomous Systems), which are networks with multiple Internet connections. It has some
distance vector properties but is considered a path-vector routing protocol. BGP makes routing
decisions based on paths, network policies, or rule sets. BGP routing tables are massive; some
routers can have 100,000s of routes.
Firewalls: A firewall typically establishes a barrier between a trusted, secure internal network and another
outside network, like the Internet.
• Packet filtering firewalls: OSI Layer 1-3.
• Packet filters act by inspecting the "packets" which are transferred between clients.
• If a packet does not match the packet filter's set of filtering rules, the packet filter will drop the
packet or reject it and send error responses to the source.
• Any packet that matches one of the permit rules is allowed to pass.
• Stateful filtering firewalls: OSI Layer 1-4.
• Records all connections passing through and determines whether a packet is the start of a new
connection, a part of an existing connection, or not part of any connection.
• Static rules are still used; they can now contain a connection state as one of their criteria.
• Some DoS attacks bombard the firewall with thousands of fake connection packets, which
overwhelms it by filling its connection state memory.
• A proxy server: Can act as a firewall by responding to input packets in an application while blocking
other packets. A proxy server is a gateway from one network to another for a specific network
application in the sense that it functions as a proxy on behalf of the network user.
• Application layer firewalls: OSI Layer 7.
• The key benefit of application layer firewalls is that they can understand certain applications and
protocols.
• They see the entire packet; the packet isn't decrypted until layer 6; any other firewall can only
inspect the packet but not the payload.
• They can detect if an unwanted application or service is attempting to bypass the firewall using a
protocol on an allowed port or detect if a protocol is being used in any malicious way.
• Network firewalls: Filters traffic between two or more networks, either software appliances running on
general-purpose hardware or hardware-based firewalls.
• Host-based firewalls: Provides a layer of software security on one host that controls the network traffic in
and out of that single machine.
• Next-generation firewall (NGFW):
• NGFW combines traditional firewall technologies with deep packet inspection (DPI) and network
security systems (IDS/IPS, malware filtering, and antivirus).
• Packet inspection in traditional firewalls only looks at the protocol header of the packet; DPI also
looks at the actual data the packet is carrying.
• Next-generation firewalls try to include more layers of the OSI model, improving network traffic
filtering that depends on the packet contents.
• DPI firewalls track the progress of web browsing sessions. When assembled with other packets in
an HTTP server reply, they can tell if a packet payload is a legitimate HTML-formatted response.
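Added example, not from the original sheet: a small stateful filter in Python that tracks connections the way the stateful-filtering bullets describe, with static rules that only apply to packets starting a new connection and a bounded state table so the effect of fake connection packets filling it is visible. Addresses, the DMZ web server and the sample packets are constructed.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."      # constructed: our trusted LAN/DMZ
DMZ_WEB = "10.0.0.80"            # constructed: public web server in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # simplified TCP flags: "SYN", "SYN-ACK", "ACK", "FIN"


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def new_connection_permitted(p):
    """The static rules. They only apply to packets that start a connection; everything else is
    decided by connection state, which a stateless packet filter cannot use."""
    outbound = is_internal(p.src) and not is_internal(p.dst)
    inbound_to_web = not is_internal(p.src) and p.dst == DMZ_WEB and p.dport == 443
    return outbound or inbound_to_web


class StatefulFirewall:
    def __init__(self, max_states=10_000):
        self.states = {}            # (src, sport, dst, dport) of the initiator -> "NEW" / "ESTABLISHED"
        self.max_states = max_states
        self.table_full_drops = 0   # what a state-exhaustion DoS looks like in the counters

    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.states:                      # continuation from the initiator
            return "ALLOW"
        if rev in self.states:                      # reply to a tracked connection
            if p.flags == "SYN-ACK":
                self.states[rev] = "ESTABLISHED"    # handshake answered by the responder
            return "ALLOW"
        # Not part of any connection: only a SYN that the static rules permit may create state.
        if p.flags != "SYN" or not new_connection_permitted(p):
            return "DROP"
        if len(self.states) >= self.max_states:
            self.table_full_drops += 1              # table exhausted: legitimate SYNs now fail too
            return "DROP"
        self.states[fwd] = "NEW"
        return "ALLOW"


# Constructed traffic: a normal HTTPS session from the LAN, then two unsolicited inbound packets.
SAMPLE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "SYN"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SYN-ACK"),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "ACK"),
    Packet("198.51.100.7", 4444, "10.0.0.5", 51000, "ACK"),   # looks like a reply, but no state matches
    Packet("198.51.100.7", 4444, "10.0.0.9", 22, "SYN"),      # inbound connection the rules do not permit
]


def constructed_flood(count):
    """Simulated half-open connections to the DMZ web server, as a test input for the state table."""
    return [Packet(f"198.51.100.{i % 250 + 1}", 10000 + i, DMZ_WEB, 443, "SYN") for i in range(count)]


def run(fw, packets):
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    fw = StatefulFirewall(max_states=3)
    for p, decision in zip(SAMPLE, run(fw, SAMPLE)):
        print(f"{decision:5} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags}")
    print("flood:", run(fw, constructed_flood(5)), "table-full drops:", fw.table_full_drops)
```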
Firewall Design:
• A Bastion Host: A special-purpose host designed/configured to withstand attacks.
• Normally hosts a single application, all other services are removed or limited to reduce the threat
to the host. It is hardened in this manner because of its location and purpose, either outside a
firewall or in a DMZ, and usually involves access from untrusted networks or computers.
• A Dual-Homed Host: Has two network interfaces, one connected to a trusted network and the other
connected to an untrusted network (Internet). The dual-homed host doesn't route; any user wanting to
access the trusted network from the outside needs to log into the dual-homed host and then access the
trusted network from there. It is no longer used much; it was mostly used in premodern firewalls.
• Screened Host Architecture: An older flat network design using one router to filter external traffic to and
from a bastion host via ACLs. The bastion host can reach other internal resources, but the router's ACL
denies direct internal/external connectivity. The difference between the dual-homed host and the screened
host design is that the screened host uses a screening router, which filters Internet traffic to other internal
systems. The screened host design does not use defense-in-depth: a failure of the bastion host puts the
entire trusted network at risk. As a result of applying network defense-in-depth and using DMZs, the
screened subnet architecture evolved.
• Screened Subnet Architecture: A screened subnet firewall is a variation of the dual-homed and screened
host firewall; it can be used to separate components of the firewall onto separate systems, achieving
greater throughput and flexibility, at some cost to simplicity. As each component system of the screened
subnet firewall needs to implement only one specific task, each system is less complex to configure. A
screened subnet firewall is often used to establish a DMZ (demilitarized zone).
• DMZs: A DMZ is a physical or logical subnetwork that contains and exposes an organization's external-
facing services to an untrusted network, like the Internet. Normal DMZs use two firewalls in a screened
subnet, but they can also be three-legged DMZs that only use one firewall. It adds a layer of security to our
organization's LAN; an external network node can only access what is exposed in the DMZ while the rest of
the organization's network is firewalled.
• Firewalls are designed to fail closed; if they crash, get flooded with traffic, or are shut down, they block all
traffic.
• To get some redundancy, we often use firewall pairs and have the firewall in a mesh topology; this way, one
firewall failure will just shift the traffic paths.
Modem (Modulator/Demodulator):
• Dial-up modems:
• Take binary data and modulate it into analog sound sent over phone networks.
• The receiving modem then demodulates the analog sound back into binary data.
• ADSL modems:
• Twisted-pair (TP) telephone cable can carry signals with higher frequencies than the cable's normal
frequency rating.
• The signal strength drops the longer the cable (Attenuation).
• Cable modems:
• Infrastructure was originally intended to carry television signals and designed from the outset to
carry higher frequencies.
• A single cable can carry radio, television, and broadband internet services without interference.
• Newer types of broadband modems are also available, including satellite and power line modems.
DTE (Data Terminal Equipment):
• An end device, often a desktop or a server (called tail circuits), converts user information into signals or
reconverts received signals.
• A DTE device communicates with the DCE (Data Circuit-terminating Equipment).
DCE:
• Often a modem; it sits between the data terminal equipment (DTE) and a data transmission circuit.
• The DCE does the signal conversion, coding, and line clocking and may be a part of the DTE or intermediate
equipment.
• Interfacing equipment may be required to couple the data terminal equipment (DTE) into a transmission
circuit or channel and from a transmission circuit or channel into the DTE.
• The DCE is at the end of an ISP’s network; it connects to the customer DTE.

Network Performance and Traffic Management

Traffic Flows: Quantitative measures used to assess network performance.
• Throughput: The actual rate of successfully transferred data over the network, influenced by factors such
as traffic load, latency, packet loss, transmission protocols, physical medium, distance, and number of
users/devices.
• Latency: The time taken for a packet to travel from source to destination, measured in milliseconds and
influenced by physical distance, number of hops, and processing time on each node.
• Jitter: The variation in latency over time, caused by network congestion, queuing delays, or variable
processing times on nodes, and important for real-time communication.
• Packet Loss: The percentage of packets dropped or lost during transmission, caused by network congestion,
hardware failure, or software bugs, and can degrade performance and increase latency.
Types of traffic flows:
• North-South traffic: Flow between a client and server or between a network and the outside world,
traversing multiple network segments and subject to security controls like firewalls and intrusion
prevention/detection systems.
• East-West traffic: Data flows between servers and devices within the same network segment, often
occurring between virtual machines or containers on the same physical host, and may not be subject to the
same level of security scrutiny as North-South traffic.
Network Traffic Analysis:
• Tools for analyzing traffic flows:
• NetFlow: A Cisco-developed protocol that collects and exports data flows from network devices,
including source/destination IPs, protocols, port numbers, and packets/bytes transferred, used to
create visualizations and reports showing traffic distribution and bandwidth consumption.
• Deep Packet Inspection (DPI): Examines the content of individual packets to identify applications
and protocols in use, providing a more detailed and accurate picture than NetFlow but requiring
more processing power and raising privacy concerns.
Network Monitoring and Management: The process of continuously observing, analyzing, and controlling
network performance and security.
• Network Operations Center (NOC): A centralized location where network administrators monitor network
status, receive alerts, and coordinate responses to issues and incidents using various tools and systems.
Secure Communications
Authentication Protocols: Communications or cryptographic protocols designed to transfer authentication
data between two entities. They let one entity authenticate to the entity it connects to (often a server) and
let that entity authenticate itself in turn (often a server or desktop), by declaring the type of information
needed for authentication as well as its syntax. It is the most important layer of protection needed for secure
communication between networks.
Authentication Protocols:
• PAP (Password Authentication Protocol): Authentication is initiated by the client/user, which sends a packet
with credentials (username/password) at the beginning of the connection. One of the oldest authentication
protocols; no longer secure. The credentials are transmitted over the network in plain text, making it
vulnerable to simple attacks like eavesdropping and MITM attacks.
• CHAP (Challenge-Handshake Authentication Protocol): Provides protection against replay attacks by the
peer through an incrementally changing identifier and a variable challenge value. Requires that both the
client and server know the plaintext of a shared secret such as a password; the secret itself is never sent
over the network. It provides better security than PAP, which is vulnerable on both these counts, and is used
by PPP (Point-to-Point Protocol) servers to validate remote clients. It periodically re-verifies the identity of
the client using a three-way handshake. Because the CHAP server stores the plaintext password of each
client, an attacker who gains access to the server can steal all the client passwords stored on it.
• 802.1X: Defines the encapsulation of the EAP (Extensible Authentication Protocol); has three parties: a
supplicant, an authenticator, and an authentication server. The supplicant is a client device that wants to
access the LAN/WLAN; software running on the client provides credentials to the authenticator.
The authenticator is a network device, a switch, or a wireless AP. The Authentication server is typically a
host running software supporting the RADIUS and EAP protocols. In some cases, the authentication server
software may be running on the authenticator hardware. EAP is widely used in 802.11 (Wi-Fi), the WPA,
and WPA2 standards; it was adopted with 100+ EAP Types as the official authentication mechanism.
• PEAP (Protected EAP): A protocol that encapsulates EAP within an encrypted and authenticated TLS
(Transport Layer Security) tunnel. It was developed by Cisco Systems, Microsoft, and RSA Security.
• EAP-MD5: One of the weakest forms of EAP. It offers client-to-server authentication only, whereas most
other EAP types provide mutual authentication. Vulnerable to man-in-the-middle attacks and password attacks.
• LEAP (Lightweight Extensible Authentication Protocol): Cisco distributed the protocol through the CCX
(Cisco Compatible Extensions) as part of getting 802.1X and dynamic WEP adopted in the industry in the
absence of a standard. There is no native support for LEAP in the Windows OS.
• EAP-TLS (EAP-Transport Layer Security): Uses PKI, requiring server and client-side certificates; establishes a
secure TLS tunnel used for authentication. It is very secure but complex and expensive.
• EAP-TTLS (EAP Tunneled Transport Layer Security): Simpler than EAP-TLS by dropping the client-side
certificate requirement, allowing other authentication methods for client-side authentication, and making it
easier to deploy but also less secure.
• PANA (Protocol for Carrying Authentication for Network Access): Allows a device to authenticate itself
with a network in order to be granted access. EAP is used as the authentication protocol and for the key
distribution, key agreement, and key derivation protocols.
• SLIP (Serial Line Internet Protocol): An encapsulation of IP designed to work over serial ports and modem
connections. On PCs, it has been replaced by PPP, which is better engineered, has more features, and does
not require its IP address configuration to be set before it is established. On microcontrollers, SLIP is still the
preferred way of encapsulating IP packets (very small overhead).
• PPP (Point-to-Point Protocol): Used over many types of physical networks, including serial cable, phone
line, trunk line, cellular telephone,... PPP is used over Internet access connections. ISPs have used PPP for
customer dial-up access to the Internet since IP packets cannot be transmitted over a modem line on their
own without some data link protocol.
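The CHAP exchange described in the CHAP bullet above (server challenge, peer response, server verification, with the identifier and challenge changing every round), as an added Python example that is not from the sheet; the peer name and the secret are constructed, and the MD5 construction follows RFC 1994:

```python
import hashlib
import hmac
import secrets

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: MD5 over Identifier || secret || Challenge.
    The secret never leaves the host; only this digest crosses the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Authenticator side. Note the weakness the sheet points out: it has to
    hold every peer's secret in plaintext to recompute the response."""
    def __init__(self, secrets_by_name):
        self._secrets = dict(secrets_by_name)   # peer name -> plaintext secret
        self._ident = 0
        self._outstanding = {}                  # identifier -> challenge issued

    def challenge(self):
        """Step 1: issue a fresh Identifier and a random Challenge value."""
        self._ident = (self._ident + 1) % 256   # one-octet, incrementing
        chal = secrets.token_bytes(16)
        self._outstanding[self._ident] = chal
        return self._ident, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the digest and answer Success/Failure.
        Each challenge is usable exactly once, so a captured response
        cannot be replayed later."""
        chal = self._outstanding.pop(identifier, None)
        if chal is None or name not in self._secrets:
            return False
        expected = chap_response(identifier, self._secrets[name], chal)
        return hmac.compare_digest(expected, response)

def chap_login(server: ChapServer, name: str, secret: bytes) -> bool:
    """Step 2 on the peer side: answer the challenge with its own secret.
    Call it again later to model CHAP's periodic re-authentication."""
    identifier, chal = server.challenge()
    return server.verify(identifier, name, chap_response(identifier, secret, chal))
```

Constructed peer "alice" with secret b"correct horse" authenticates on every call, while a captured response fails when presented a second time because its challenge has already been consumed.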
Authentication Protocols:
• VPN (Virtual Private Network): Extends a private network across a public network so that users can send
and receive data across shared or public networks as if they were on the private network. VPNs may allow
employees and satellite offices to access the organization's intranet securely; they can also be used to get
around geo-restrictions and censorship, or to connect to proxy servers to protect personal identity and
location. A VPN is created by establishing a virtual point-to-point connection using dedicated connections,
virtual tunneling protocols, or traffic encryption.
• PPTP (Point-to-Point Tunneling Protocol): Obsolete method for implementing virtual private networks
because of many known security issues. PPTP uses a TCP control channel and a GRE tunnel to encapsulate
PPP packets; it has no built-in encryption or authentication and relies on the tunneled PPP to provide security.
• L2TP (Layer 2 Tunneling Protocol): Tunneling protocol used to support VPNs or as part of the delivery of
services by ISPs. It has no built-in encryption or confidentiality; it relies on an encryption protocol that it
passes within the tunnel to provide privacy.
IPSEC (Internet Protocol Security):
• SA (Security Association): A simplex (one-way) relationship between two systems, used to negotiate ESP
(Encapsulating Security Payload) or AH (Authentication Header) parameters.
• If two systems use ESP to communicate, they need 1 SA for each direction (2); if they use both AH and
ESP, four in total.
• A unique 32-bit SPI (Security Parameter Index) identifies each SA.
• ISAKMP (Internet Security Association and Key Management Protocol): Manages the SA creation process.
• Tunnel mode: Encrypts and authenticates the entire packet (including the original IP header).
• Transport mode: Encrypts and authenticates only the payload; used between systems that speak IPsec themselves.
• IKE (Internet Key Exchange): IPsec can use different types of encryption (3DES or AES) and hashes (MD5,
SHA1, SHA2, …); IKE negotiates the algorithm selection process; the two sides of an IPsec tunnel will
normally use IKE to negotiate to the highest and fastest level of security.
• Can protect data flows between a pair of hosts (host-to-host), a pair of security gateways (network-to-
network), and a security gateway and a host (network-to-host).
• IPSec is an end-to-end security scheme operating in the Internet Layer of the TCP/IP model; only IPsec
protects all application traffic over an IP network. IPsec can automatically secure applications at the IP
layer.
SSL and TLS: Cryptographic protocols for the web that give us Confidentiality and Authentication. You
download the server's digital certificate, which includes the site's public key.
• SSL (Secure Sockets Layer): Currently on v3.0. Mostly used for web traffic.
• TLS (Transport Layer Security): More secure than SSL. Used for Internet chat, email clients, and web traffic.
ISDN (Integrated Services Digital Network): OSI layer 1-3.
• Used for digital transmission of voice, video, data, and other network services over the traditional circuits of
the public switched telephone (POTS) network.
• A circuit-switched telephone network system that provides access to packet-switched networks.
• It offers circuit-switched connections (for either voice or data) and packet-switched connections (for data)
in increments of 64 kilobit/s, but rates can be higher with channel bonding.
DSL (Digital Subscriber Line): A family of technologies used to transmit digital data over phone lines.
• Often used to describe ADSL (Asymmetric DSL), the most common DSL technology.
• DSL service can be delivered side by side with wired telephone service on the same line; this is possible
because DSL uses higher frequency bands for data.
• At the customer Demarc, a DSL filter on each non-DSL outlet blocks any high-frequency interference to
enable simultaneous use of the voice and DSL services.
Callback: A modem-based authentication system, mostly used for securing dial-up connections. The client
computer calls the server computer and identifies itself, usually with a username. The server then
disconnects the call and, using a list of usernames and users' phone numbers, establishes a second call back
to the client computer; the client computer, expecting this returned call, answers, and communications
between the two computers proceed normally.
Caller ID: Does the same, but the user must be calling from the right number; it can easily be faked, since
many phones or phone companies allow the end-user to pick their caller ID.
Remote Administration: This is controlling a computer from a remote location; we do this through software. A
remote location may refer to a computer in the next room or one across the world; any computer with an
Internet connection can be remotely administered.
RDP (Remote Desktop Protocol): A Microsoft proprietary protocol. The user runs RDP client software, and the
other computer must run RDP server software. It provides the user with a GUI (Graphical User Interface); by
default, the server listens on TCP and UDP port 3389.
VNC (Virtual Network Computing): Not Microsoft-proprietary and can run on most OSs (using screen scraping).
It was first used for remote administration of computers but is now increasingly used as a remote desktop
protocol for multi-user environments and helpdesk remote access.
VDI (Virtualized Desktop Infrastructure/Interface):
• Thin Clients: A Diskless Workstation (Diskless node) has all the normal hardware/firmware except the disk;
it has the lower-level OS (the BIOS), which performs the POST, and it downloads the kernel and OS. Thin
Client Applications: we use a web browser to connect to the application on a server on port 80 (HTTP) or
port 443 (HTTPS). The full application is housed and executed on the server rather than on your PC. Thin
clients are often stripped of non-essentials like CD drives, most ports, ...
• Zero Clients: Popular for VDI because they are even slimmer and more cost-effective than thin clients.
These are client devices that require no configuration and have nothing stored on them. They are sold by
Dell, Fujitsu, HP, Pano Logic, ...
IM (Instant Messaging): Short messages are typically sent between two parties (one-to-one) or many-to-many
(group IMs). Some IM applications can use push technology to provide real-time text, which transmits
messages character by character as they are typed; others send when you hit enter. More advanced instant
messaging can add file transfer, clickable hyperlinks, Voice over IP, and video chat. Today's commonly used
chat protocols include IRC, Jabber, Lync, and the still-used but very limited ICQ and AIM. Today, most IM'ing is
embedded in other applications like Facebook, LinkedIn, Twitter, or WhatsApp. Many IM applications and
protocols are not designed with security in mind; they are designed for usability.
Web Conferencing: An umbrella term for different types of online collaborative services, including webinars,
webcasts, and peer-level web meetings. Commonly used ones are WebEx, Zoom, GoToMeeting, Google Meet,
TeamViewer,... Done over TCP/IP connections, services often use real-time point-to-point communications
and multicast communications from one sender to many receivers. It offers data streams of text-based
messages, voice, and video chat to be shared simultaneously across geographically dispersed locations:
meetings, training events, lectures, or presentations one-to-one or many-to-many like IMs. The use of web
conferencing should align with your organization's policies; if not implemented right, some may be a security
vulnerability. They can bypass some security by using SSL/TLS tunnels, and acceptable products should be
hardened.
CDN (Content Distribution Network): A geographically dispersed network of proxy servers and data centers.
The client is sent to the server node with the lowest latency in ms, so the client's webpages, software downloads,
and video streaming are faster. The provider saves on cost by sending traffic short distances rather than long
distances, while gaining redundancy and DDoS protection. The idea is to distribute service spatially relative to end-users to
provide high availability and performance. Many different services can be provided over CDNs: video
streaming, software downloads, web, and mobile content acceleration, licensed/managed CDN, transparent
caching, and services to measure CDN performance, load balancing, multi-CDN switching and analytics, and
cloud intelligence.
Third-party Connectivity: Medium-sized enterprises typically have 20 or more third-party providers. I believe
the hospital where I worked in Hawaii had more than 200 third-party providers. How do we ensure they are
secure enough and conform to our policies and procedures? Many never have direct contact with IT or IT-
Security. We must conduct a thorough risk assessment to ensure that whatever they provide does not
jeopardize our security posture, or we must accept the risk. We should have MOUs/MOAs and ISAs
(Interconnection Security Agreement).
Network Access Control (NAC): Automatic detection and response to ensure our systems adhere to our
security policies. It can help us prevent or reduce 0-day and known attacks and ensure that security policies
are adhered to at all times.