CISSP Summary V1.1
- 1. 2009
CISSP summary
Version 1.1
Maarten de Frankrijker
Revised by Christian Reina, CISSP
This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the conditions that you give credit to the original author.
2009 ‐ Maarten de Frankrijker. Revised by Christian Reina, CISSP.
- 2. Concepts Security policies, standards and guidelines Legislative drivers
CIA Negative: (DAD disclosure alteration and destruction) Policies first and highest level of documentation FISMA(federal agencies)
Confidentiality prevent unauthorized disclosure Phase 1 categorizing, selecting minimum controls, assessment
Integrity no unauthorized modifications, consistent data Very first is called Senior management Statement of Policy, Phase 2: create national network of secures services to assess
Availability reliable and timely accessible Stating importance, support and commitment NIST
Types 8 elements reassessments owners have responsibilities. Benefits:
Identification user claims identity, used for user access control - Regulatory (required due to laws, regulations, consistent; comparable; repeatable
Authentication testing of evidence of users identity compliance and specific industry standards!) OECD
Accountability determine actions to an individual person - Advisory (not mandatory but strongly suggested) accountability, awareness, ethics, etc loads of one word things
Authorization rights and permissions granted - Informative to inform the reader
privacy level of confidentiality and privacy protections Risk Management
Information policy has classifications and defines level of access GOAL
Controls and method to store and transmit information Determine impact of the threat and risk of threat occurring
Prime objective is to reduce the effects of security threats and Security policies has Authentications and defines technology
vulnerabilities to a tolerable level used to control information access and distribution ACTIVITIES
Risk analysis process that analyses threat scenarios and SYSTEM security policy lists hard software to be used and steps Primary (risk assessment, mitigation methodology)
produces a representation of the estimated Potential loss to undertake to protect infrastructure Secondary (data collection and sources for risk analysis)
Types Physical, Technical and Administrative
Standards Specify use of specific technologies in a uniform way Types of Risk
Guidelines same as standards but not forced to follow Inherent chance of making an error with no controls in place
Information classification Procedures Detailed steps to perform a task Control chance that controls in place with prevent, detect or
WHY? Not all data has same value, demonstrates business Baseline Minimum level of security
Domain 1 Security Management
control errors
commitment to security, Identify which information is most
Detection chance that auditors won’t find an error
sensitive and vital Security planning Residual risk remaining after control in place
Criteria Value, age, useful life, personal association Security Planning involves security scope, providing security Business concerns about effects of unforeseen circumstances
Levels management responsibilities and testing security measures for Overall combination of all risks aka Audit risk
Government, military effectiveness. Strategic 5 years Tactical shorter than strategic
- Unclassified Operational day to day, short term
- Sensitive but unclassified (answers to test, Healthcare) Preliminary Security Examination (PSE): Helps to gather the
- Confidential (some damage) elements that you will need when the actual Risk Analysis takes
- Secret (Serious damage)
Roles and responsibilities
place.
Senior Manager ultimate responsibility
- Top Secret (Grave damage)
Information security Officer functional responsibility
Private sector ANALYSIS
Security Analyst Strategic, develops policies and guidelines
- Public Steps: Identify assets, identify threats, and calculate risk.
Owner
- Sensitive
- Responsible for asset Qualitative HAPPY FACES
- Private
- Determine level of classification - Higher level , brainstorming, focus groups etc
- Confidential
- Review and change classification Quantitative VALUES!!
- Can delegate responsibility to data custodian
- SLE (single Loss Expectancy) = Asset Value * Exposure
Security Awareness - Authorize user privileges
Technical training to react to situations, best practices for Security Custodian factor (% lost of asset)
and network personnel - Run regular backups/restores and validity of them - ALE (Annual loss expectancy) = SLE * ARO
Employees, need to understand policies then use presentations - Insuring data integrity and security (CIA) (Annualized Rate of occurrence)
and posters etc to get them aware - Maintaining records in accordance to classification Remedies: Accept, mitigate(reduce by implementing controls
- Applies user authorization calculate costs-), Assign (insure the risk to transfer it), Avoid (stop
Losses End-user business activity)
staff members pose more threat than external hackers - Uses information as their job
- Follow instructions in policies and guidelines Loss= probability * cost
loss of money stolen equipment,
loss of time work hours - Due care (prevent open view by e.g. Clean desk)
loss off reputation declining trusts and - Use corporation resources for corporation use Risk Based Audit approach
loss of resources bandwidth theft Auditor examines security controls - Planning and information gathering
- Access internal controls
- Compliancy testing
- Substantive tests
- Finalize the audit
- 3. Access control Controls Something a user knows
ACCESS is flow of information between a subject and an object Primary controls
CONTROL security features that control how users and systems Administrative PASSWORDS
communicate and interact with other systems and resources - Preventive: hiring policies, screening security cheap and commonly used
Subject is active entity that requests access to an object or data awareness (also called soft-measures!) password generators
within the object (user, program) - Detective: screening behavior, job rotation, review of user chooses own (do triviality and policy checking)
Object is a passive entity that contains information (computer, audit records
database, file, program) Technical (aka Logical) One-time password aka dynamic password used only once
access control techniques support the access control models - Preventive: protocols, encryption, biometrics Static password Same for each logon
smartcards, routers, firewalls Passphrase easiest to remember. Converted to a virtual
CIA - Detective: IDS and automatic generated violation password by the system.
Confidentiality reports, audit logs Cognitive password: easy to remember like your mother’s
assurance that information is not disclosure to Physical maiden name
unauthorized programs, users, processes - Preventive: fences, guards, locks
encryption, logical and physical access control, - Detective: motion detectors, thermal detectors video Hacking
The data needs to be classified cameras - access password file
Integrity - brute force attack (try many different characters) aka
- protecting data or a resource from being altered in an Operational controls exhaustive
unauthorized fashion Detective, Preventive (PASSWORDS TOO), Corrective(restore - dictionary attack (try many different words)
Availability controls), Restore control (restore resources) deterrents - Social engineering (convince an individual to give
- fault tolerance and recovery procedures access)
- depends on business and value to business - Rainbow Tables (tables with passwords that are already
Types in hash format
Domain 2 – Access Control
IAAA Mandatory access control
Identification Authorization depended on security labels which indicate password checker and password hacker
- ensuring that a subject is who he says he is clearance and classification of objects (Military). Restriction: need both programs that can find passwords (checker to see if its
- Unique user name, account number etc OR an issuance to know can apply. Lattice based is part of it! (A as in compliant, hacker to use it by the hacker)
(keycard) mAndatory!). Rule based access control. Objects are: files,
- must be non descriptive (you can’t see what someone directories and devices hashing and encryption
can do by the name) - On windows system with utility SYSKEY. The hashed
- First piece of credentials Discretionary access control passwords will be encrypted in their store LM hash and
Authorization Access through ACL's. Discretionary can also mean: Controlled NT Hash
- like password, phrase key token, pin access protection (object reuse, protect audit trail). User directed - some OS’s use Seed SALT or NONCE, random values
- looking at access control matrix or comparing security access control (identity based and hybrid based are also forms of added to the encryption process to add more complexity
labels discretionary) Identity Based AC
- Stacking of authorizations is called Authorization Creep, Something a user has
too much rights is called excessive privileges Non-discretionary access control Key, swipe card, access card, badge PASSWORDS.
- Granted privileges and system granted default access A central authority determines what subjects have access based tokens
- default no access, give only access that’s needed ( = on policies. Role based/task based. Also lattice based can be
NEED TO KNOW) applied (greatest lower, least upper bounds apply) Static password token owner authenticates to token, token
- Second piece of credentials authenticates to the information system
- Strong Authentication if you use 2 out of the three Synchronous (TIME BASED) dynamic, uses time or a counter
authentications (know, has, is)AKA 2-factor between the token and the authentication server, secure-ID is an
authentication example
- Something a person KNOWS, HAS, IS (knowledge, asynchronous (NOT TIME BASED) server sends a nonce
ownership, characteristics) (random value) This goes into token device, encrypts and delivers
Accountability a one-time password, with an added PIN its strong authentication
- each subject is uniquely identified and actions are Challenge/response token generates response on a
recorded system/workstation provided challenge
Logical Access Controls: tools used for IAAA
- 4. Access control methodologies
Something a user is KERBEROS Centralized access control
What you do: behavioral Kerberos addresses Confidentiality and integrity and RADIUS
What you are: physical authentication, not availability Remote connectivity via dial in (user dials in to access server,
BIOMETRICS Kerberos Is based on symmetric key cryptology (and is not a access server prompt for credentials, user enters credentials and
- Most expensive propriety control) forwards to radius server, radius server accepts or rejects). USES
- Acceptable 2 minutes per person for enrollment time Time synchronization is critical UDP. Incorporates an AS and dynamic/static password
- Acceptable 10 people per minute throughput time MIT project Athena DIAMETER= remote connectivity using phone wireless etc, more
- IRIS is the same as long as you live Kerberos is included in windows now (replaced NTLM=NT-LAN secure than radius
- TYPE 1 error: False rejection rate FRR Manager) CALLBACK; system calls back to specific location (danger in user
- TYPE 2 error: False Acceptance rate FAR Passwords are never exchanged only hashes of passwords forwarding number)
- CER Crossover Error Rate or EER Equal Error rate, Benefits: inexpensive, loads of OS’s mature protocol CHAP (part of PPP) supports encryption
where FRR = FAR. The lower CER/ERR the more Disadvantage: takes time to administer, can be bottleneck or TACACS: user-id and static password for network access via TCP
accurate the system. single point of failure XTACACS separates authentication, authorization and accounting
No sunlight in iris scanner The term realm indicates an authentication administrative domain. processes
zephyr chart = iris scans Its intention is to establish the boundaries within which an TACACS+: stronger through use of tokens
Finger print: stores full fingerprint (one- to-many authentication server has the authority to authenticate a user, host
identification), finger scan only the features (one to one or service. Decentralized access control
identification). Uses symmetric Key cryptography Databases
Finger scan most widely used today - KDC Key Distribution Center, grants tickets to client for Relational databases allow queries
Acceptability Issues: privacy, physical, psychological specific servers. Knows all secret keys of all clients and Object oriented databases do not support queries
servers from the network
- AS (Authentication server) 3 parts
TGS - Ticket granting server - Data structures called tables or relations
T YPES OF B IOMETRICS
- Integrity rules
Fingerprints: Are made up of ridge endings and bifurcations Working: - Operators on the data in tables
exhibited by the friction ridges and other detailed Client authenticates to the KDC. His passwords becomes an one
characteristics that are called minutiae. way hasted + time = secret key to the AS and gets a TGT Ticket Relation: basis of the database consists of a two dimensional
Retina Scans: Scans the blood-vessel pattern of the retina Granting Ticket, table
on the backside of the eyeball. Client then accesses the TGS with the TGT he has and gets a
Iris Scans: Scan the colored portion of the eye that ticket to service. ROWS are records of tuples. Number of rows is cardinality
surrounds the pupil. Then the user can use this ticket to service to use the service
Facial Scans: Takes attributes and characteristics like bone
Domain 2 – Access Control
COLUMNS are attributes. Number of columns is the degree
structures, nose ridges, eye widths, forehead sizes and chin SESAME
shapes into account. - Public Key Cryptology PRIMARY KEY: unique identifier in a table
Palm Scans: The palm has creases, ridges and grooves - European
throughout it that are unique to a specific person. - Needham-Schroeder protocol Foreign Keys: used to enforce relationship between two tables.
Hand Geometry: The shape of a person’s hand (the length Weakness: only authenticates the first block and not the complete This is also called referentional integrity, that you don’t have a
and width of the hand and fingers) measures hand geometry. message nonexistent reference.
Voice Print: Distinguishing differences in people’s speech Two tickets:
sounds and patterns. - One authentication, like Kerberos
- Other defines the access privileges a user has
Smart Cards
Signature Dynamics: Electrical signals of speed and time IEC 14443 = smartcards
that can be captured when a person writes a signature. - Works with PACS (Privileged Attribute Certificates)
- sesame uses both symmetric as asymmetric encryption The combi-card -- also known as a dual-interface card -- has one
Keyboard Dynamics: Captures the electrical signals when a smart chip embedded in the card that can be accessed through
person types a certain phrase. (thus improvement upon Kerberos)
either contact pads or an embedded antenna.
Hand Topology: Looks at the size and width of an - Smarter than storage cards
KRYPTOKNIGHT
individual’s hand and fingers. - Storage smart card holds RSA key pairs in memory
IBM – thus RACF
Peer-to-peer relationship between KDC and parties - RSA smart cards have processor that compute (sign
Single Sign On (SSO) and verify RSA certificates) and create RSA key pairs
Advantage: ability to use stronger passwords, easier SCRIPTING
administration, less time to access resources. scripts contain logon information that authenticates users
Disadvantage: once a key is compromised all resources can be
accessed. DIRECTORY SERVICE
Thin client is also a single sign on approach Hierarchical naming schema
active directory has sophisticated security resources (group
policy, user rights accounts, DNS services)
- 5. Identity management - Provisioning IPS Intrusion prevention system
Performs all of IAAA o user information taken from HR Detect attack and PREVENT that attack being successful
(authoritative source)
Directory based o Identity data put in an centralized directory Penetration testing
- hierarchical x500 standard protocol like LDAP for (identity repository) Blue team had knowledge of the organization, can be done frequent
allowing subjects to interact with the directory o manager will appoint new employees, and least expensive
- Organized through name spaces (Through accounts are created automatically Red team is external and stealth
Distinguished names ) o user provisioning refers to creation, White box ethical hacker knows what to look for
- Needs client software to interact maintenance and deactivation of user Black box ethical hacker not knowing what to find
- META directory gathers information from multiple objects and attributes on systems,
sources and stores them into once central directory and directories or application in response to 4 stages: planning, discovery, attack, reporting
synchronizes business processes. vulnerabilities exploited: kernel flaws, buffer overflows, symbolic
- VIRTUAL directory only points where the data resides Profile update links, file descriptor attacks
- collection of data associated with identity is called a other model: footprint network (information gathering) port scans,
Web Access Management profile vulnerability mapping, exploitation, report
- allows administrators to control what users can access - self service is it called when a user can update his scanning tools are used in penetration tests
when browsing enterprise assets own non-sensitive data flaw hypotheses methodology = operation system penetration testing
- mostly working as stateless HTTP, during session you - digital entity is made up of different attributes (like
are authenticated, once logged of you have to re- manager, sex height etc) has clearance level yyy etc Other things to know
indentify and authenticate - Federation = sharing identity and authentication Constrained user interfaces limit the functions that can be selected
- Can also work as Single Sign on by use of SSL where behind the scenes (like booking flight --> booking by a user
through the use of COOKIES the authentication is being hotel without re authenticating) by using a federate
held in memory (preferably) or text file identity so used across business boundaries threat: something that could happen to a system,
vulnerability: is a weakness or hole in the security
Password Management Network security
- Password Synchronization. Systems synchronize the NIST 800-42 = security testing Race Condition: when two or more processes use the same
Domain 2 – Access Control
passwords to multiple systems. User has one password War driving: driving a car with notebook to find open access resource and the sequence of steps within the software can be
but has to re-authenticate at every system. Danger: if point to a network carried out in an improper order, thus like force the authorization
one password is hacked, all resources can be
step to take place before the authentication step.
accessed. Differs from legacy sign on: Users IDS intrusion detection system
authenticates once then will gain access without re- NETWORK BASED TOC/TOU Attack is an asynchronous attack when an attacker
authentication - Detects intrusions on the local area network behind a interrupts a task and changes something to affect the result
- Self-Service password reset. Personal questions (pet’s firewall.
name, mother’s maiden name). Often done by question, - Is passive while it acquires data. The system key (SYSKEY) protects security information (including
then sending mail with link so identity tied to the answer - Reviews packets and headers password information) in the Active Directory database and other
- Assisted password reset. Help Desk authenticates you - Problem with network based is that it will not detect Local Security Authority (LSA) secrets against offline attacks by
by question and answer attacks by users logged into hosts encrypting their storage on a domain controller in a Windows server
Account management HOST BASED Hardening an operation system: disable services and remove
- life cycle management (creating, modifying and deleting - monitoring servers through EVENT LOGS AND unnecessary applications
accounts) SYSTEM LOGS
- Can be automatically or by tickets for technical - as good as the completeness of the host logging allowing downloads on a honey pot = illegal (entrapment)
administrators on request of the managers
- mainly for internal accounts Signature based method (AKA Knowledge based): compared Categories within a security label are used to enforce need to know
with signature attack database (aka misuse detector)
Statistical anomaly based: defines a ‘normal’ behavior and fault generation = getting the encryption key
detects abnormal behaviors.
Response box is a part of an IDS that initiates alarm or activity
Components: Information source/sensor, centralized monitor
software, data and even report analysis, database components
and response to an event or intrusion
- 6. Network Availability Network abuse FRAGGLE – similar to Smurf but uses UDP
Class A : unauthorized access by circumventing access controls. Countermeasures – disable broadcast at border routers; border
Legitimate users that gain higher access or pretends to be routers should not accept packets that originate within network;
Raid levels another user (masquerading) restrict UDP traffic; employ IDS; apply appropriate patches.
RAID 0 Striped, one large disk out of several –Improved Class B – unauthorized use of network for non business
performance but no fault tolerance properties
RAID 1 Mirrored drives –fault tolerance from disk errors and single Surfing internet, porn sites, private emails Land Attack - The attack involves sending a spoofed TCP SYN
disk failure, expensive Class C – Eavesdropping packet (connection initiation) with the target host's IP address and
Domain 3 – Telecommunications and Network
RAID 2 not used commercially. Hamming Code Parity Interception of network traffic. Tapping = physical interception like an open port as both source and destination.
RAID 3 Striped on byte level with extra parity drive –Improved clipping The reason a LAND attack works is because it causes the
performance and fault tolerance, but parity drive is a single point Passive eavesdropping: monitoring or listening to transmissions machine to reply to itself continuously.
of failure and write intensive. Active eavesdropping: tampering with an transmission to create
RAID4 Same as Raid 3 but striped on block level covert channels or actively probing the network
RAID 5 Striped on block level, parity distributed over all drives – SYN FLOOD - TCP packets requesting a connection (SYN bit set)
Class D – Denial of service or other service disruptions (see under
requires all drives but one to be present to operate hot- network attacks) are sent to the target network with a spoofed source address. The
swappable. Interleave parity Class E – Network intrusion target responds with a SYN-ACK packet, but the spoofed source
RAID 6 Dual Parity, parity distributed over all drives –requires all - Spoofing: giving out incorrect information to deliberately never replies. This can quickly overwhelm a system’s resources
drives but two to be present to operate hot- swappable induce a user or device while waiting for the half-open connections to time out. This
RAID 7 is as raid5 but all drives act as one single virtual disk - Piggy backing: User leaves session open or intruder causes the system to crash or otherwise become unusable.
notes credentials by looking over shoulder
Counter: sync cookies/proxies, where connections are created
0+1 –striped sets in a mirrored set (minimum four disks; even - Back-door attacks: intrusion via dial-up or external
networks later
number of disks)
Class F – Probing
Used to gain a road map of the network by using a sniffer. (mostly Teardrop - The length and fragmentation offset fields of
in promiscuous mode where all packages are intercepted in clear sequential IP packets are modified, causing the target system to
Server fault Tolerant Systems text). Manually by using tools like telnet to see what is listening on become confused and crash.
Redundant servers – applies raid 1 mirroring concept to servers. a remote sever. Automatic by software programs that do all the
On error servers can do a fail-over. This AKA server fault probing and scanning
tolerance Common Session Hijacking Attacks:
Server clustering – group of independent servers with are
managed as a single system. All servers are online and take part Session hijacking (Spoofing) - IP spoofing involves altering a
in processing service requests. On error on a server only Network attacks – Denial of Service TCP packet so that it appears to be coming from a known, trusted
performance is affected.AKA server farm Used to overwhelm a targets resources
- Filling up hard drive by using huge email attachments or source, thus giving the attacker access to the network.
file transfers
Single point of failures TCP sequence number attack – intruder tricks target to believe it
- Sends messages to reset targets host subnets masks
Cabling
- Using up all system resources is connected to a trusted host and then hijacks the session by
Coaxial many workstations, length.
Twisted pair to long. Cat 5 better than cat3 for interference predicting the targets choice of an initial TCP sequence number
DOS - performed by sending malformed packets to a system; can
Fiber optics immune to EMI, can be broken and high-
cost/expertise interrupt service or completely deny legitimate users of system
Topology failures resources
Ethernet twisted pair more resistant than coaxial DDOS – botnet, zombie, massive dos attack using multiple
Token Ring because a token is passed by every station, a NIC computers
that’s is set to wrong speed or error can take all network down
Fiber Distributed Data Interface form of token ring that has second SMURF – ICMP requires three players (attacker, victim and
ring that activates on error
amplifying network); attacker spoofs packet header to make it
Leased lines use multiple lines and/or multiple vendors
Frame Relay WAN over a public switched network. High Fault appear that it originated on the victim system with amplifying
tolerance by relaying fault segments to working. network broadcasting the message.
Countermeasures – disable broadcast at border routers; border
routers should not accept packets that originate within network;
restrict ICMP traffic (Hint IC = Its Smurf though spelled wrong)
- 7. Domain 3 – Telecommunications and Network Security Network layers OSI MODEL Network layers TCP/IP Model
(later succeeded by TCP/IP) Developed by Department of Defense in the 1970s to support the Telnet terminal emulation enables user to access resources on
HINT: All People Seems to Need Data Processing construction of the internet another machine. Port 23
It encapsulates data when going through the layers HINT: AHIN File Transfer Protocol FTP for file transfers. Cannot execute
Application – layer 4 (Application/Presentation/Session) remote files as programs. Authentication. Port 20 and 21
Application – layer 7 – C, AU, I, NR Applications and processes that uses the network Trivial File Transfer Protocol TFTP stripped down, can only
FTP, SMB, TELNET, TFTP, SMTP, HTTP, NNTP, CDP, send/receive but not browse directories. No authentication thus
GOPHER, SNMP, NDS, AFP, SAP, NCP, SET. Technology: Host-to-Host – Layer 3 (Transport) insecure. Port 69
Gateways. User data End-to-end data delivery Network File System NFS protocol that supports file sharing
Presentation – layer 6 – C, AU, Encryption Protocols: TCP and UDP between two different file systems
Translations like EBCDIC/ANSI; compression/decompression and Simple Mail Transfer protocol SMTP email queuing. Port 25
encryption/decryption. Standards like JPEG, TIFF, MID. Internet – Layer 2 (corresponds to OSI network layer) Line printer daemon LPD for printing and spooling
Technology: Gateway. Messages Defines the IP datagram and handles routing of data across X Windows graphical user interface
networks Simple Networking Management Protocol SNMP collection of
Session -layer 5 -- None Protocols: IP, ARP, RARP, ICMP network information by polling the devices from a management
Inter-host communication, simplex, half duplex, full duplex. station. Sends out alerts –called traps- to an database called
Protocols as NSF, SQL, RADIUS, and RPC. Technology: Network access – Layer 1 (Data link, Physical) Management Information Bases (MIBs)
Gateway Routines for accessing physical networks and the electrical Bootstrap Protocol BootP when wireless workstation is on-lined
connection it sends out a BootP request with its MAC address to get an IP
Transport – layer 4 – C, AU, I address and the file from which it should boot. Replaced by DHCP
End-to-end data transfer services and reliability. Technology: Network Protocols DHCP: Dynamic Host Configuration Protocol
Gateways. Datagrams Transmission control protocol TCP – reliable, sequences and
Protocols: TCP, UDP, SSL, SSH-2, SPX, NetBios, ATP works with acknowledgements. Provides a manageable data flow Security Enhancement Protocols
to avoid congestions overloading and data loss. (like having a TELNET: Remote terminal access and Secure Telnet
Network – layer 3 – C, AU, I telephone conversation with someone). Connection Oriented. REMOTE PROCEDURE CALL: Secure remote procedure call
Path selection and logical addressing. Technology: Virtual circuits User datagram protocol UDP – unreliable, scaled down version (SRA)
(ATM), routers. Packets of TCP, no error correction, no sequencing. Less overhead. (like
Message routing, error detection and control of node data are sending a letter to someone). Connectionless. Security Focused Protocols
managed. IP, IPSEC, ICMP, BGP, OSPF, RIP, BOOTP, DHCP, Internet protocol IP all hosts have an IP address. Each data At application layer of OSI:
ZIP, DDP, X.25 and IGMP packet has an IP address of sender and recipient. Routing in Secure Electronic Transaction (SET) authentication for credit
network is based upon these addresses. Considered unreliable card transactions. Overtaken by SSL
Data Link – layer 2 - C datagram service because there’s no guarantee that the packet Secure HTTP S-HTTP) encrypting HTTP documents. Also
This layer deals with addressing physical hardware. will be delivered, not even that its delivered only once and no overtaken by SSL
Translates data into bits and formats them into data frames with guarantee that its delivered in the same sequence that its sent At Transport layer of OSI:
destination header and source address. Error detection via 32 bits long, IPv6 is 128 bits long Secure Shell (SSH-2) Authentication, compression, confidentiality
checksums. Address resolution protocol ARP: Used to match an IP address and integrity.
LLC: the Logical Link Control Sub layer. Flow control and error to a hardware MAC address. ARP sends out broadcast to a Uses RSA certificates for authentication and triple DES for
notification network node to reply with its hardware address. It stores the encryption
MAC: the Media Access Control layer. Physical addressing. address in a dynamic table for the duration of the session, so Secure Socket Layer (SSL) encryption technology to provide
Concerns frames, logical topologies and MAC-addresses ARP requests are only send the first time secure transactions like credit card numbers exchange. Two
Protocols: L2F, PPTP, L2TP, PPP, SLIP, ARP, RARP, SLARP, Reverse address resolution protocol RARP: When a hardware layered: SSL record protocol and handshake protocol. Same as
IARP, SNAP, BAP, CHAP, LCP, LZS, MLP, Frame Relay, Annex address is known but the IP address has to be found. (like an SSH it uses symmetric encryption for private connections and
A, Annex D, HDLC, BPDU, LAPD, ISL, MAC, Ethernet, Token diskless machine) asymmetric or public key cryptography for peer authentication.
Ring, FDDI Internet control message protocol ICMP: sends messages Also uses message authentication code for integrity checking.
between network nodes regarding the health of the network. Also Simple Key Management for Internet Protocols (SKIP)
Physical – layer 1 - C informs about rerouting incase of errors. Utility PING uses ICMP provides high availability in encrypted sessions to protect against
Coverts bits into voltages or light impulses. Hardware and messages to check physical connectivity of the network machines crashes. Exchanges keys on a session by session basis.
software drivers are on this level. It sends and receives bits.
Physical topologies: BUS, MESH, STAR, TREE, RING
- 8. Firewalls Virtual Private Networks VPN DATA NETWORK TYPES
TYPES A VPN is created by dynamically building a secure Local Area Network LAN
Packet filtering firewall AKA screening router communications link between two nodes using a secret Limited geographically to e.g. a building. Devices are sharing
Examines source/destination address, protocol and ports of the encapsulation method via network address translation (NAT) resources like printers, email and files. Connected through copper
incoming package. Based on ACL’s access can be denied or where internal IP addresses are translated to external IP wire or fiber optics.
accepted. Is considered a first generation of firewall and addresses. CAN: campus area network, multiple building connected to fast
backbone on a campus
Domain 3 – Telecommunications and Network
operates at Network or Transport layer of OSI
Application level firewall AKA proxy server VPN Protocols MAN: metropolitan network extends over cities
While transferring data stream to another network, it masks the Hint: TP at end for Tunneling Protocols Wide Area network WAN
data origin. Second generation firewall operating at Application Point to Point tunneling protocol (PPTP) Connects LANS over a large geographical area
layer of OSI - Works at data link layer of OSI Internet intranet and extranet
Stateful inspection firewall - Only one single point-to-point connection per session Internet is global, intranet local for use within companies and
All packages are inspected at the Networking layer so it’s faster. - Point To Point protocol (PPP) for authentication and extranet can be used e.g. by your customers and clients but is not
By examining the state and context of the data packages it helps tunneling public.
to track connectionless protocols like UDP and RPC. Third - Dial-up network use
generation firewall. Analyzed at all OSI Layers. Layer 2 tunneling protocol (L2TP) DATA NETWORK SIGNALS
Dynamic Packet Filtering firewall - Also in data-link layer of OSI Analog signal Infinite wave form, continuous signal, varied by
Enables modification of the firewall rule. It provides limited support - Single point-to-point connection per session amplification
for UDP by remembering UDP packages across the network. - Dial-up network use Digital signal Saw-tooth form, pulses, on-off only
Fourth generation. - Port 115 Asynchronous sends bits of data sequentially. Same speed on
Kernel Proxy Firewalll / Application level Firewall IPSEC both sides. Modems and dial-up remote access systems
Runs in windows NT, modular, kernel based, multiplayer session - Operates at Network Layer of OSI Synchronous very high speed governed by electronic clock
evaluation. Uses dynamic TCP/IP stacks to inspect network - Enables multiple and simultaneous tunnels timing signals
packages and enforce security policies. Fifth generation - Encrypt and authenticate
- Build into IPv6 LAN Cables
Firewall architecture - Network-to-network use Twisted pair
Packet filtering routers Shielded (STP) or unshielded (UTP) Cat 3=10BaseT,
Sits between trusted and un-trusted network, sometimes used as VPN Devices Cat5=100BaseT
boundary router. Uses ACL’s. Protects against standard generic Is hard- or software to create secure tunnels Coaxial
external attacks. Has no user authentication, has minimal IP-sec compatible More EMI resistant. Baseband: only one single channel,
auditing. - Encryption via Tunnel mode (entire data package Broadband: multiple signal types like data, video, audio
Screened-Host firewall system encrypted) or Transport mode (only datagram Fiber Optic
Has both a packet-filter router and a bastion host. Provides both encrypted) Most expensive, but hard to tap and resistant to EMI
network layer (package filtering) as application layer (proxy) - Only works with IP at Network layer of OSI
server. NON IP-sec compatible LAN Transmission Protocols
Dual homed host firewall Socks-based proxy servers Used to reach the internal network Carrier Sense Multiple Access CSMA for Ethernet.
Consists of a host with 2 NIC’s. One connected to trusted, one to from the outside. Also contains strong encryption and Workstations send out packet. If it doesn’t get an
un-trusted. Can thus be used as translator between 2 network authentication methods acknowledgement it resends
types like Ethernet/token ring. Internal routing capabilities must PTP used in windows machines. Multiprotocol, uses PAP or CSMA with Collision Avoidance workstations are attached by
not be enabled to make it impossible to circumvent inspection of CHAP 2 coax cables. In one direction only. Wireless 802.11
data. Dial-up VPN’s remote access servers using PPTP commonly CSMA with Collision Detection Only one host can send at the
Screened-subnet firewalls used by ISP’s time, using jamming signals for the rest.
Has also defined a De-Militarized Zone (DMZ) : a small network Secure Shell SSH2 not strictly a VPN product but opens a secure Polling Host can only transmit when he polls a secondary to see
between trusted an untrusted. encrypted shell session from the internet through a firewall to a if its free
Socks firewall SSH server Token-passing Used in token rings Hosts can only transit when
Every workstation gets some Socks software to reduce overhead they receive a clear to send token.
- 9. LAN Transmission Methods WAN Protocols Packet switching technologies
Unicast Packet is send from single source to single destination Private Circuit technologies X25 defines point-to-point communication between Data terminal
Multicast source packet is copied and send to multiple destinations Dedicated line reserved communication, always available Equipment (DTE) and Data Circuit Terminating Equipment (DCE)
Broadcast source packet is copied and send to all nodes Leased line can be reserved for communications. Type of Link Access Procedure-Balanced (LAPB) created for use with
dedicated line. X25, LAPB defines frame types and is capable of retransmitting,
- T1 1,5 Mbps through telephone line exchanging and acknowledging frames as detecting out-of-
LAN Topologies
Domain 3 – Telecommunications and Network
- T3 44,7 Mbps through telephone line sequence or missing frames
BUS all transmissions have to travel the full length of the cable
- E1 European 2048 Mbps digital transmission Frame Relay High performance WAN protocol designed for use
RING Workstations are connected to form a closed loop
Serial Line IP (SLIP) TCP/IP over slow interfaces to across ISDN interfaces. Is fast but has no error correction
STAR nodes are connected to a central LAN device
communicate with external hosts (Berkley UNIX, windows NT Switched Multimegabit DATA Service (SMDS) high speed
TREE bus type with multiple branches
RAS) communication over public switches networks for exchanging
MESH all nodes interconnected
Point to Point protocol (PPP) improvement on slip, adds ‘bursts of data’ between enterprises
login, password and error (by CHAP and PAP) and error Asynchronous Transfer mode (ATM) very high bandwidth. It
LAN Media Access correction. Data link. uses 53-byte fixed size cells instead of frames like Ethernet. It can
Ethernet IEEE 802.3 using CSMA with an BUS-topology
Integrated Services Digital Network (ISDN) combination of allocate bandwidth up on demand making it a solution for Busty
Thinnet: 10base2 with coax cables up to 185 meters
digital telephony and data transports. Overtaken by xDSL applications. Requires fiber optics.
Thicknet: 10Base5, coax up to 500 meters
xDSL Digital subscriber Line uses telephone to transport Voice over IP (VOIP) combines many types of data into a single
UTP: 10BaseT=10MBps
high bandwidth data to remote subscribers IP packet. Cost, interoperability and performance wise it’s a major
100baseT=Fast Ethernet =100MBps
- ADSL Asymmetric. More downstream bandwidth up benefit.
1000BaseT=Gigabit Ethernet=1GBps
to 18,000 feet over single copper cable pair
Ethernet networks were originally designed to work with more
- SDSL Symmetric up to 10,000 feet over single Other important WLAN protocols
sporadic traffic than token ring networks
copper cable pair Synchronous Data Link Control (SDLC) created by IBM for
- HDSL High Rate T1 speed over two copper cable mainframes to connect to their remote offices. Uses a polling
ARCnet uses token –passing in a star technology on coax
pairs up to 12,000 feet media access method. Works with dedicated leased lines
- VDSL Very High speed 13-52MBps down, 1,5-2,3 permanent up.
Token Ring IEEE 802.5 IBM created. All end stations are connected
Mbps upstream over a single copper pair over 1,00 Data link layer of OSI model
to a MAU Multi Access Unit. CAU: Controlled Access Units – for
to 4500 feet High-level Data Link Control (HDLC) extension to SDLC also for
filtering allowed MAC addresses.
mainframes. Uses data encapsulation on synchronous serial links
Circuit-switched networks using frame characters and checksums. Also data link layer
Fiber Distributed Data Interface (FDDI) token-passing dual token
There must be a dedicated physical circuit path exist during High Speed Serial Interface (HSSI) Defines electrical and
ring with fiber optic. Long distances, minimal EMI interference
transmission. The right choice for networks that have to physical interfaces to use for DTE/DCE communications. Physical
permits several tokens at the time active
communicate constantly. Typically for a telephone company layer of OSI
network Voice oriented. Sensitive to loss of connection
LAN Devices
Repeaters amplify data signals to extend range (physical) WLAN devices
Message switching networks Multiplexors device that enables more than one signal to be send
HUBS connect multiple LAN devices into a concentrator. Is actually a Involves the transmission of messages from node-to-node. out of one physical circuit
multi-port repeater (physical) Messages are stored on the network until a forwarding path is WAN switches multi-port networking devices that are used in
Bridges Forwards data to all other network segments if it’s not on the available. carrier networks. Connect private data over public data by using
local segment. Operates at level 2 (thus no IP-addressing here)
digital signals. Data link layer.
Switches Will only send data to the specific destination address. It’s Packet-switched networks (PSN or PSDN) Access servers server that provides dial-in and dial-out
actually a multi-port bridge. (Data link) Nodes share bandwidth with each other by sending small data connections to the network
Routers opens up data packet, reads hardware or network address units called packets. Packets will be send to the other network Modems transmits data over telephone lines
and then forwards it to the correct network and reassembled. Data oriented. Sensitive to loss of data. Channel Service Unit (CSU)/Data service unit (DSU) digital
Gateway software that acts as access point to another network or More cost effective than circuit switching because it creates interface device used to terminate the physical interface on a DTE
device that translates between different protocols virtual circuits only when they are needed. device. They connect to the closest telephone company switch in
LAN extenders remote access, multi layer switch that connects
a central office (CO)
LANs over a WAN
- 10. Domain 3 – Telecommunications and Network Security Remote Access Authentication Systems FTP, RLOGIN and TELNET never uses UDP but TCP
Remote Access Technologies
Asynchronous Dial-Up Access This is how everyone connects Terminal Access Controller Access Control System TACACS
User passwords are administrated in a central database instead of Attenuation is decrease in amplitude as a signal propagates along
to the internet. Using a public switched telephone network to
individual routers. A network device prompts user for a username a transmission medium
access an ISP
Integrated Serviced Digital Network (ISDN) communication and static password then the device queries a TACACS server to
verify the password. TACACSs does not support prompting for SSL session key length is from 40bit to 256 bit
protocol that permits telephone line to carry data, voice and other
source traffic. Two types: BRI Basic rate interface and Primary password change or use of dynamic password tokens. Port 49
TACACS+ Enhanced version with use of two factor The bridge connects multiple networks at the data link layer, while
Rate Interface (PRI)
authentication, ability to change user password, ability of security router connects multiple networks at the network layer.
xDSL uses regular telephone lines for high speed digital access
Cable Modems Via single shared coaxial cable, insecure tokens to be resynchronized and better audit trails and session
accounting Data backups addresses availability, integrity and recovery but not
because of not being filtered or firewalled
Remote Authentication Dial-In User Service RADIUS Often confidentiality
uses as stepping stone to the more robust TACACS+. Clients
Remote Access Security Technologies sends their authentication request to a central radius server that IP headers contain 32-bit addresses (in IPv4) and 128 in IPv6. In
Restricted Address incoming calls are only allowed from specific
contains all of the user authentication and network ACL’s an Ethernet local area network, however, addresses for attached
addresses on an approval list. This authenticates the node, not
RADIUS does not provide two way authentication, therefore it’s devices are 48 bits long.
the user!
Callback User initiates a connection, supplies identifying code,
not used for router-to-router authentication. Port 1812. Contains Wireless
dynamic password and network service access information
and then the system will call back a predetermined telephone
(Network ACLs) 802.11: 1 or 2 mbps, 2.4Ghz, FHSS or DSSS
number. Also less useful for travelling users
Caller ID checks incoming telephone number against an approval
802.11b: 11 mbps, only DSSS
list and then uses Callback. Less useful for travelling users.
Things to know
TCPIP Classes 802.11a: 54 mbps, 5 GHz, Orthogonal Frequency Division
Remote Node Security Protocols Class A network number values begin at 1 and end at 127
Password Authenticate Protocol PAP
Class B network number values begin at 128 and end at 191 802.11g: 20-54mbps, 2.4GHz
Provides identification and authentication of the user using static
Class C network number values begin at 192 and end at 223
replayable passwords. No encryption of user-id or password
802.11e: QoS
during communication
ISDN
Challenge Handshake Authenticate Protocol (CHAP)
BRI B-channel 64Kbps, D-channel 16Kbps 802.16: IEEE 802 Broadband Wireless Access (802 WBA)
non-replayable challenge/response dialog
PRI B- and D-channels are 64Kbps
802.11i: AES, CCMP, 802.1X authentication.
80211 has CSMA/CA as protocol. Can use DSSS and FHSS (ss
stands for spread spectrum) 802.11n: 100mbps, 2.4GHz
802.11b uses only DSSS
Before a computer can communicate with the internet, it needs an
IP-address, a default gateway and a subnet mask
To connect multiple LAN segments you can use Bridges,
Switches and Routers
Fast Ethernet 100Base-TX has as characteristics: 100Mbps data
transmission, 1 pairs Cat5 UTP and max segment of 100 meters
(328 feet)
Unsubnetted netmask is shown as /24
Other word for DMZ is screened subnet