Cissp Domain 4


CISSP Cornell Notes by

Col Subhajeet Naha, Retd


Domain 4 : Communication and Network Security
CISSP CORNELL NOTES

• Domain 4 – Communication and Network Security
• By Col Subhajeet Naha, Retd, CISSP Mentor

How to Prepare for CISSP:
• Attend an online boot camp or training session.
• Read prescribed books.
• Don’t cram, but keep a tab of important points – the main points are covered in these notes.
• For experienced professionals, one or two reads are sufficient. The aim is to clear the concepts.
• Practice questions from the Sybex 10th edition and the Sybex 4th edition practice tests.
• Don’t refer to any dumps; they are of no use.

How to Use These Notes:
• Use these notes as revision notes.
• Reading the reference books is highly recommended.
• Scribble your own notes.

Reference Books:
• Sybex 10th Edition
• Destination Certification

Reach out to us if you have any questions. Future domains are being prepared.
• Website : learn.protecte.io
• Mob : +91-8800642768
Secure Design Principles in Network Architectures

• Importance of secure network design
• Defense in depth
• Least privilege
• Segmentation and segregation
• Redundancy
• Secure protocols
• Monitoring and auditing

Importance of Secure Network Design:
• Designing a secure network architecture helps protect the organization from potential threats, ensuring confidentiality, integrity, and availability of data and services.

Defense in Depth:
• Employing a layered security approach ensures multiple defensive strategies are in place, making it harder for an attacker to compromise the entire system.
• Example: Using firewalls, intrusion detection systems (IDS), and anti-malware solutions in combination.

Least Privilege:
• This principle ensures that users, applications, and services are given the minimum access necessary to perform their tasks.
• Example: An employee should only have access to the data and systems required for their job, reducing the risk of unauthorized access.

Segmentation and Segregation:
• Network segmentation involves dividing a network into smaller, isolated sections to reduce the attack surface and limit the impact of security breaches.
• Example: Creating separate VLANs for different departments or isolating sensitive systems from general user networks.

Redundancy:
• Building redundancy into the network ensures that critical systems and services remain available in case of failure.
• Example: Implementing redundant power supplies, multiple internet connections, and failover systems to avoid single points of failure.

Secure Protocols:
• Using secure communication protocols like HTTPS, SSL/TLS, and IPsec ensures that data is encrypted in transit and secure from interception.

Monitoring and Auditing:
• Continuous monitoring of network traffic and regular auditing of systems helps detect anomalies, unauthorized access, and potential security threats in real time.
• Example: Utilizing SIEM (Security Information and Event Management) systems to log and analyze network activity.

• Implementing secure design principles in network architecture ensures the protection of systems
through defense in depth, least privilege, segmentation, and redundancy.
• Utilizing secure protocols and continuous monitoring helps maintain security and detect threats
early. These practices enhance the overall resilience of the network.

Cornell Notes by Col Subhajeet Naha, Retd, CISSP 2024


Implementing Secure Design Principles in Network Architectures

• OSI and TCP/IP models
• Function of each OSI layer
• Devices and protocols at each OSI layer
• Encapsulation and decapsulation
• Role of networking in organizational objectives

OSI and TCP/IP Models:
• The OSI (Open Systems Interconnection) Model and the TCP/IP Model are frameworks that describe how data is transmitted and received over a network. They help explain how the different layers of the network interact.

Function of Each OSI Layer:
• The OSI Model has seven layers, each with a specific role in network communication:
1. Physical Layer: Transmits raw data bits over physical media (cables, radio waves).
2. Data Link Layer: Manages node-to-node data transfer (e.g., MAC addresses, switches).
3. Network Layer: Handles routing of data packets between devices (e.g., IP addresses, routers).
4. Transport Layer: Ensures reliable data transfer (e.g., TCP, UDP).
5. Session Layer: Manages sessions and connections between devices.
6. Presentation Layer: Translates data formats and handles encryption.
7. Application Layer: Interfaces with end-user applications (e.g., HTTP, FTP, DNS).

Devices and Protocols at Each OSI Layer:
• Physical Layer: Hubs, cables, wireless signals.
• Data Link Layer: Switches, MAC addresses.
• Network Layer: Routers, IP, ICMP.
• Transport Layer: TCP, UDP.
• Session Layer: Session management protocols.
• Presentation Layer: Encryption and data translation.
• Application Layer: Web browsers, HTTP, DNS, FTP.

Encapsulation and Decapsulation:
• Encapsulation refers to the process of adding headers (control information) to data as it moves down the OSI layers, preparing it for transmission.
• Decapsulation is the reverse process, where headers are stripped as data moves up the OSI layers, making it readable for the application.

Role of Networking in Organizational Objectives:
• Networks are critical for enabling communication, revenue generation, and client interaction. Because networks are a valuable organizational asset, they require comprehensive protection to maintain security, efficiency, and reliability.

• The OSI Model provides a layered framework for understanding how data is transmitted across
networks. Each layer has specific responsibilities, with various devices and protocols functioning at
different layers.
• The processes of encapsulation and decapsulation ensure data is properly transmitted and
received. Networks are essential to organizational success, requiring robust security measures to
protect their integrity.



Network and Protocol

• Definition of a network
• Definition of a protocol
• Importance of protocols in communication
• OSI Model and its relevance to protocols

What Is a Network?
• A network consists of at least two devices that are connected to each other for communication.
• Example: A computer connected to a printer or another computer is a simple network.

What Is a Protocol?
• A protocol is a set of standard rules that governs communication between devices on a network. Protocols ensure that messages can be sent, received, and understood by different devices.
• Example: TCP/IP is a widely used protocol that allows computers to communicate over the internet.

Importance of Protocols in Communication:
• Protocols define the common rules that allow devices to communicate in a consistent and predictable way.
• Without protocols, devices would not understand each other’s messages, making communication impossible.

OSI Model and Its Relevance to Protocols:
• The OSI Model provides a framework for how data is transmitted over a network.
• Protocols operate at various layers of the OSI model to ensure that data is properly sent and received.
• Example: The HTTP protocol operates at the Application Layer of the OSI model to enable web communication.

• A network is a connection between two or more devices, and protocols are the standardized rules
that enable communication between these devices.
• The OSI Model helps structure these communications, with different protocols operating at various
layers to ensure successful data exchange.



OSI (Open System Interconnection) Model - 1

• Definition and purpose of the OSI model
• Seven layers of the OSI model
• Encapsulation and decapsulation
• OSI vs. TCP/IP Model
• Devices and protocols at each OSI layer
• Firewalls at multiple OSI layers
• Importance of security at different layers

Definition and Purpose of the OSI Model:
• The OSI (Open Systems Interconnection) Model is a layered architecture that standardizes how data is transmitted across networks. It enables open systems to interconnect and communicate through defined protocols.

Seven Layers of the OSI Model:
• The OSI model consists of seven layers, each with distinct functions:
1. Physical Layer: Transmits raw bits (0s and 1s) across physical media like cables and fiber optics.
2. Data Link Layer: Manages node-to-node communication using MAC addresses.
3. Network Layer: Routes data packets using IP addresses.
4. Transport Layer: Ensures reliable data transmission through TCP or UDP.
5. Session Layer: Manages and maintains sessions between applications.
6. Presentation Layer: Translates data formats and handles encryption.
7. Application Layer: Interfaces with end-user applications like HTTP, DNS, FTP.

Encapsulation and Decapsulation:
• Encapsulation: As data moves down the OSI layers, each layer adds headers and trailers.
• Decapsulation: As data moves up the OSI layers on the receiving device, headers and trailers are stripped away.
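As an added worked example (not from the notes), the Python below encapsulates a small application payload by adding UDP, IPv4 and Ethernet II headers in turn, then decapsulates the frame on the receiving side, validating the IPv4 header checksum before stripping each header. The addresses and ports are constructed sample values.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words, complemented.
    Run over a header whose checksum field is already filled in, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def encapsulate(payload: bytes, src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Walk the application data down the stack, adding one header per layer."""
    # Layer 4 (Transport): UDP header = source port, destination port, length, checksum.
    # A zero UDP checksum means "not computed", which IPv4 permits.
    segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Layer 3 (Network): 20-byte IPv4 header, built with the checksum zeroed, then filled in.
    ver_ihl = (4 << 4) | 5                      # version 4, 5 x 32-bit words, no options
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(segment), ident, 0,
                         ttl, IPPROTO_UDP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    packet = header + segment
    # Layer 2 (Data Link): Ethernet II header = destination MAC, source MAC, EtherType.
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def decapsulate(frame: bytes) -> dict:
    """Reverse the process on the receiving side, validating each header before
    handing the remainder up to the next layer."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    # Layer 2: strip the Ethernet header, check that the EtherType announces IPv4
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    # Layer 3: validate version, header length and checksum, then strip the IP header
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum (corrupted or tampered header)")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if proto != IPPROTO_UDP:
        raise ValueError("not a UDP datagram")
    segment = packet[ihl:total_len]
    # Layer 4: strip the UDP header; what is left is the application payload
    src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        raise ValueError("UDP length does not match IP total length")
    return {"dst_mac": dst_mac, "src_mac": src_mac, "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port, "payload": segment[8:]}
```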



OSI (Open System Interconnection) Model - 2

• Definition and purpose of the OSI model
• Seven layers of the OSI model
• Encapsulation and decapsulation
• OSI vs. TCP/IP Model
• Devices and protocols at each OSI layer
• Firewalls at multiple OSI layers
• Importance of security at different layers

OSI vs. TCP/IP Model:
• The TCP/IP model consists of four layers:
1. Application (OSI Layers 5-7)
2. Transport (OSI Layer 4)
3. Internet (OSI Layer 3)
4. Link (OSI Layers 1-2)

Devices and Protocols at Each OSI Layer:
• Physical Layer: Hubs, NICs, cables.
• Data Link Layer: Switches, MAC addresses, L2TP, PPTP.
• Network Layer: Routers, IP addresses, ICMP, NAT.
• Transport Layer: TCP, UDP, iSCSI.
• Application Layer: HTTP, DNS, FTP, SSH.

Firewalls at Multiple OSI Layers:
• Network Layer: Packet-filtering firewalls provide basic filtering with high speed.
• Application Layer: Application proxy firewalls offer detailed filtering but introduce processing overhead.

Importance of Security at Different Layers:
• Lower layers (Physical, Data Link, Network) offer high efficiency and speed but limited security.
• Higher layers (Session, Presentation, Application) provide advanced security features but introduce complexity and slower processing.

The OSI Model structures network communication into seven layers, with specific roles
for each layer. Encapsulation and decapsulation enable data to move between devices.
The TCP/IP model is a simplified four-layer version used to implement OSI concepts.
Security decisions vary across OSI layers, with a balance between speed and complexity
needed at each level.



Layer 1: Physical Layer

• Definition of Layer 1
• Data at the Physical layer
• Transmission media: wired vs. wireless
• Types of wired media: twisted pair, coaxial, fiber optic
• Network topologies: Bus, Tree, Star, Mesh, Ring
• Layer 1 devices
• Transmission methods: unicast, multicast, broadcast
• Collision avoidance and CSMA
• Cut-through vs. Store-and-forward switching

Definition of Layer 1:
• Layer 1, the Physical layer, focuses on the transmission of raw bits (0s and 1s) across physical media. It determines how devices interconnect and how data is encoded for transmission.

Data at the Physical Layer:
• At this layer, data is referred to as bits. Communication happens through physical media, either wired or wireless.

Transmission Media - Wired vs. Wireless:
• Common wired media types include:
• Twisted Pair: Shielded (STP) or unshielded (UTP), used to create magnetic fields to protect signals.
• Coaxial Cable: Single strand of copper wire, commonly used for cable TV and internet.
• Fiber Optic: Uses light pulses to transmit data, offering superior speed and security over long distances.
• Wireless media includes radio frequency, infrared, and microwave transmission.

Types of Wired Media:
• Twisted Pair: Reduces interference through twists; often used for local area networks.
• Coaxial Cable: Uses multiplexing to transmit multiple signals over one wire.
• Fiber Optic: Offers high security and speed; not as prone to interference or eavesdropping.

• The Physical layer handles the transmission of raw bits using wired or wireless media. Different
network topologies dictate how devices are connected, with hubs, repeaters, and NICs being key
devices at this layer.
• Transmission methods like unicast, multicast, and broadcast define how data flows, while
collision avoidance is crucial for network efficiency. The choice between cut-through and store-
and-forward switching balances speed and error checking.



Layer 1: Physical Layer

• Definition of Layer 1
• Data at the Physical layer
• Transmission media: wired vs. wireless
• Types of wired media: twisted pair, coaxial, fiber optic
• Network topologies: Bus, Tree, Star, Mesh, Ring
• Layer 1 devices
• Transmission methods: unicast, multicast, broadcast
• Collision avoidance and CSMA
• Cut-through vs. Store-and-forward switching

Network Topologies:
• Common topologies define how devices are connected:
• Bus Topology: All devices connected to a central wire; easy to extend but prone to collisions and single points of failure.
• Tree Topology: Branches out connections, isolating transmissions to limit data exposure.
• Star Topology: Devices connect to a central switch; failure of the central hub disrupts the entire network.
• Mesh Topology: Every device connects to every other device, providing redundancy.
• Ring Topology: Devices connected in a closed loop, with token passing to avoid collisions.

Layer 1 Devices:
• Devices at Layer 1 include:
• Hubs: Simple devices that broadcast data to all connected devices.
• Repeaters: Amplify signals to extend transmission distance.
• NICs (Network Interface Cards): Interface between computers and networks.

Transmission Methods:
• Three primary methods for transmitting data:
• Unicast: One-to-one communication.
• Multicast: One-to-many communication.
• Broadcast: One-to-all communication within the network.

Collision Avoidance and CSMA:
• In shared media, collisions occur when two devices send data at the same time. Collision avoidance is managed using CSMA (Carrier Sense Multiple Access) protocols to prevent simultaneous transmissions.

Cut-through vs. Store-and-Forward Switching:
• Cut-through: The switch starts forwarding data immediately after reading the destination address. Low latency, but error checking is minimal.
• Store-and-forward: The switch waits for the entire packet, checks it for errors, and then forwards it. Higher latency, but error-free transmission.




Dealing with Collisions

• Collision issues in network topologies
• Methods to handle collisions
• CSMA (Carrier Sense Multiple Access)
• CSMA/CA vs. CSMA/CD
• Collision detection and avoidance

Collision Issues in Network Topologies:
• Collisions occur when multiple devices transmit data at the same time, causing data to clash. This is a problem in most topologies except for token ring networks.

Methods to Handle Collisions:
1. Token-based Collision Avoidance:
• A token is passed between devices, and only the device holding the token can transmit data.
• This method is used in token ring networks.
2. Polling:
• Devices poll each other to check if any device needs to transmit.
• However, this causes a lot of network traffic, making it inefficient and rarely used.
3. CSMA (Carrier Sense Multiple Access):
• Devices share the same carrier (wire) and sense the wire before sending data.
• If the wire is free, data can be sent. This is the most common method in modern networks.

CSMA/CA vs. CSMA/CD:
1. CSMA/CA (Collision Avoidance):
• Used in wireless networks, this method prevents collisions by using two communication lanes: one for sending and one for receiving data.
• Wireless networks use CSMA/CA to communicate with access points and avoid collisions entirely.
2. CSMA/CD (Collision Detection):
• Used in older wired networks, like Ethernet networks with hubs. Devices detect collisions after transmission and resend data if needed.
• Modern Ethernet networks use switches in full-duplex mode, which avoids collisions, making CSMA/CD mostly obsolete.

CSMA/CD Process:
1. The device checks if the line is idle before sending a frame. If the line is busy, it waits until the line is free.
2. After sending, the device monitors for collisions. If a collision occurs, a jam signal is sent.
3. The device waits for a random amount of time before attempting to send the data again.

• Collisions occur in shared media networks, and several methods—token-based, polling, and
CSMA—are used to handle them.
• CSMA/CA is used in wireless networks to avoid collisions, while CSMA/CD was used in older wired
networks to detect and correct collisions.
• Modern Ethernet networks now use switches to avoid collisions altogether, making CSMA/CD less
relevant.
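An added simulation (not from the notes) of the three-step CSMA/CD process on one shared segment: carrier sense, collision detection with a jam signal, and truncated binary exponential backoff for the random wait. The slot and frame times are arbitrary units and the stations are constructed; a scripted stand-in for the random generator makes a run reproducible.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

SLOT_TIME = 1        # backoff slot (512 bit times in classic Ethernet), modelled as 1 time unit
MAX_ATTEMPTS = 16    # classic Ethernet gives up on a frame after 16 collisions


@dataclass
class Station:
    name: str
    ready_at: int                       # time at which the station first has a frame to send
    attempts: int = 0                   # collisions suffered by the current frame
    next_try: int = 0                   # earliest time the station will sense the carrier again
    done_at: Optional[int] = None       # time the frame finished transmitting


def backoff_slots(attempts: int, rng) -> int:
    """Truncated binary exponential backoff: after the n-th collision wait a random
    number of slots in [0, 2**min(n, 10) - 1]. `rng` only needs a randrange() method."""
    return rng.randrange(2 ** min(attempts, 10))


def simulate(stations: List[Station], frame_time: int = 4, rng=None) -> List[Tuple]:
    """Run CSMA/CD on one shared segment until every station has sent its frame.
    Returns an event log of (time, event, who) tuples."""
    rng = rng if rng is not None else random.Random()
    for s in stations:
        s.next_try = s.ready_at
    t = 0
    line_busy_until = 0
    events: List[Tuple] = []
    while any(s.done_at is None for s in stations):
        # Step 1: carrier sense. If the line is busy, wait until it is free again.
        if t < line_busy_until:
            t = line_busy_until
            continue
        senders = [s for s in stations if s.done_at is None and s.next_try <= t]
        if not senders:
            # nobody is ready: jump ahead to the next station whose backoff expires
            t = min(s.next_try for s in stations if s.done_at is None)
            continue
        if len(senders) == 1:
            # only one station found the line idle: the frame goes out uncontested
            s = senders[0]
            s.done_at = t + frame_time
            line_busy_until = s.done_at
            events.append((t, "send", s.name))
            continue
        # Step 2: two or more stations started at once; the overlap is detected and a
        # jam signal is sent so every station on the segment notices the collision.
        events.append((t, "collision+jam", tuple(s.name for s in senders)))
        line_busy_until = t + SLOT_TIME
        # Step 3: each colliding station waits a random number of slots before retrying
        for s in senders:
            s.attempts += 1
            if s.attempts > MAX_ATTEMPTS:
                raise RuntimeError(f"{s.name}: frame dropped after {MAX_ATTEMPTS} collisions")
            s.next_try = line_busy_until + backoff_slots(s.attempts, rng) * SLOT_TIME
    return events


class ScriptedRng:
    """Deterministic stand-in for random.Random so a run can be reproduced exactly."""

    def __init__(self, values):
        self.values = list(values)

    def randrange(self, n):
        return self.values.pop(0) % n


if __name__ == "__main__":
    # two constructed stations that both want the line at t=0
    for event in simulate([Station("A", 0), Station("B", 0)], rng=ScriptedRng([0, 1])):
        print(event)
```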



Transmission Methods

• Definition of transmission methods
• Types of transmission methods: unicast, multicast, broadcast, anycast, geocast
• Security considerations for transmission methods
• Anycast explained
• Geocast explained

Definition of Transmission Methods:
• Transmission methods define how devices communicate on a network. Different methods target specific or multiple devices depending on the need.

Types of Transmission Methods:
1. Unicast (One-to-One):
• Communication from one device to a specific target device.
• The most secure method, since it limits communication to the intended recipient.
• Example: Sending a message to a specific computer.
2. Multicast (One-to-Many):
• Communication from one device to a group of devices.
• Often used for services that need to reach multiple devices simultaneously, like video streaming.
3. Broadcast (One-to-All):
• Communication sent to all devices on a network or a specific subnet.
• Example: Sending an ARP request across a local network to identify connected devices.
4. Anycast (One-to-Nearest/Best):
• Routes requests to the nearest or best-performing server.
• Used in Content Distribution Networks (CDNs) to direct users to the closest or most optimal server for content delivery.
• Improves performance and security by connecting to the best available server.
5. Geocast (One-to-Geographic Region):
• Delivers messages to devices within a specific geographical area.
• Often used in location-based services or emergency notification systems.

Security Considerations for Transmission Methods:
• Unicast is the most secure, as it limits communication to specific devices.
• Broadcast exposes data to all devices, making it less secure in comparison.

Anycast Explained:
• Anycast allows requests to be sent to the closest or best-performing server. This is ideal for CDNs, where data is delivered from the server nearest to the user to enhance performance and security.

Geocast Explained:
• Geocast targets devices in a specific geographical location. It is useful for applications like emergency alerts or localized services.

• Transmission methods define how devices communicate on a network. The most common methods
are unicast (one-to-one), multicast (one-to-many), broadcast (one-to-all), and anycast (one-to-
nearest/best).
• Unicast offers the best security, while anycast enhances performance and security by directing
users to the nearest or best server.
• Geocast is used for location-specific messaging.
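An added example (not from the notes) showing how a receiving NIC and IP stack tell unicast, multicast and broadcast apart, and which hosts on a constructed segment end up processing each frame, which is the basis of the security comparison above. The MAC addresses, subnet and host table are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def _mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return raw


def classify_mac(mac: str) -> str:
    """Layer 2 view: the I/G bit (least significant bit of the first octet) marks a group
    address; all-ones is the broadcast address that every NIC on the segment accepts."""
    raw = _mac_bytes(mac)
    if raw == BROADCAST_MAC:
        return "broadcast"
    return "multicast" if raw[0] & 0x01 else "unicast"


def classify_ipv4(dst: str, local_net: str) -> str:
    """Layer 3 view: the limited broadcast 255.255.255.255, the local subnet's directed
    broadcast address, the 224.0.0.0/4 multicast block, or a plain unicast address."""
    addr = ipaddress.IPv4Address(dst)
    net = ipaddress.IPv4Network(local_net, strict=False)
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast (limited)"
    if addr == net.broadcast_address:
        return "broadcast (directed)"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def ipv4_multicast_mac(group: str) -> str:
    """RFC 1112 mapping of a multicast group to its MAC: 01:00:5e + low 23 bits."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:" + ":".join(f"{b:02x}" for b in low23.to_bytes(3, "big"))


# Constructed segment: host name -> (NIC address, multicast MACs the host has joined).
SEGMENT_HOSTS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("00:1a:2b:00:00:01", {"01:00:5e:7f:ff:fa"}),
    "bob": ("00:1a:2b:00:00:02", set()),
    "carol": ("00:1a:2b:00:00:03", {"01:00:5e:7f:ff:fa"}),
}


def recipients(dst_mac: str, hosts: Dict[str, Tuple[str, Set[str]]]) -> List[str]:
    """Hosts whose NIC passes a frame with this destination up the stack. On shared media
    every NIC physically sees the bits; this filter is what limits who processes them."""
    kind = classify_mac(dst_mac)
    want = dst_mac.lower()
    out = []
    for name, (mac, groups) in hosts.items():
        if kind == "broadcast":
            out.append(name)                                   # one-to-all
        elif kind == "multicast" and want in {g.lower() for g in groups}:
            out.append(name)                                   # one-to-many (joined group)
        elif kind == "unicast" and mac.lower() == want:
            out.append(name)                                   # one-to-one
    return out
```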



Performance Metrics

• Definition of performance metrics
• Key performance metrics: bandwidth, throughput, signal-to-noise ratio, latency, jitter

Definition of Performance Metrics:
• Performance metrics help measure the effectiveness of a network in terms of data transmission and communication quality. These metrics are important for optimizing network performance.

Key Performance Metrics:
1. Bandwidth:
• The maximum amount of data that can be transmitted over a network or internet connection within a specific period.
• Example: A network with 1 Gbps bandwidth can transmit up to 1 gigabit of data per second.
2. Throughput:
• The actual rate of successful data transfer, which is often lower than the maximum bandwidth due to factors like network congestion.
• Example: If a network has 1 Gbps bandwidth but achieves 800 Mbps of data transfer, the throughput is 800 Mbps.
3. Signal-to-Noise Ratio (SNR):
• The comparison of the desired signal strength to the amount of background noise.
• A higher SNR indicates better signal quality, leading to fewer lost packets and less corrupt data.
• Example: In a wireless network, a high SNR means a clearer signal, allowing faster data transfer rates.
4. Latency:
• The time it takes for a signal to travel from the source to the destination and back, measured in milliseconds (ms).
• Example: If it takes 50 ms for a data packet to reach its destination and return, the latency is 50 ms.
5. Jitter:
• The variation in time delay between data packets. It measures the inconsistency of latency over time, which can lead to communication issues in real-time applications.
• Low jitter is preferred for a smooth and consistent network experience.
• Example: In VoIP calls, high jitter can result in poor audio quality and delays.

• Key performance metrics include bandwidth (maximum data capacity), throughput (actual data
transfer), signal-to-noise ratio (signal quality), latency (round-trip time for data), and jitter
(variation in packet delay).
• Understanding these metrics is crucial for optimizing network performance and ensuring efficient
communication.



Traffic Flows

• Definition of traffic flows in data centers
• North-south traffic
• East-west traffic
• Impact of traffic patterns on network architecture

Definition of Traffic Flows in Data Centers:
• In data centers, traffic flow refers to the direction in which data moves. Understanding these flows is critical for optimizing network architecture, routing, and security.

North-South Traffic:
• North-south traffic refers to the flow of data in and out of the data center.
• Southbound traffic: Data coming from external clients (e.g., from the Internet) into the data center’s servers.
• Northbound traffic: Data being sent from the data center’s servers back to clients.
• Example: A client accessing a website hosted in the data center generates north-south traffic.

East-West Traffic:
• East-west traffic refers to the flow of data between devices within the data center.
• This is typically server-to-server communication.
• Example: Data being transferred between two servers in the same data center is considered east-west traffic.

Impact on Network Architecture:
• North-south traffic often requires efficient external connectivity and security measures to protect against threats from the Internet.
• East-west traffic needs optimized internal communication between devices, with a focus on internal network segmentation and low-latency routing.
• Understanding the dominant traffic pattern (north-south or east-west) influences choices in topology, routing protocols, and security strategies.

• North-south traffic moves in and out of the data center, while east-west traffic moves within the
data center between devices.
• These traffic flows are critical in designing the data center's network architecture, routing, and
security strategies.
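An added example (not from the notes) that classifies constructed flow records as north-south (southbound or northbound) or east-west using an assumed set of data-center prefixes, totals bytes per direction to find the dominant pattern, and flags flows with neither endpoint inside the data center. The prefixes and flow lines are constructed, not taken from any real data center.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Address space assumed (constructed for this example) to belong to the data center.
DC_PREFIXES = [ipaddress.ip_network(p) for p in ("10.10.0.0/16", "10.20.0.0/16")]


def in_data_center(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DC_PREFIXES)


def classify_flow(src: str, dst: str) -> str:
    """Direction of a flow relative to the data-center boundary."""
    src_in, dst_in = in_data_center(src), in_data_center(dst)
    if src_in and dst_in:
        return "east-west"                      # server-to-server inside the data center
    if dst_in:
        return "north-south (southbound)"       # external client into our servers
    if src_in:
        return "north-south (northbound)"       # our servers back out to clients
    return "transit"                            # neither end is ours: should not be on this link


def parse_flow(line: str) -> Tuple[str, str, str, int, int]:
    """Flow record format assumed here: 'src dst proto dport bytes'."""
    src, dst, proto, dport, nbytes = line.split()
    return src, dst, proto, int(dport), int(nbytes)


# Constructed sample flow records in the format above.
SAMPLE_FLOWS = """\
203.0.113.7 10.10.1.20 tcp 443 12000
10.10.1.20 203.0.113.7 tcp 443 48000
10.10.1.20 10.20.5.3 tcp 3306 90000
10.20.5.3 10.10.1.20 tcp 3306 6000
198.51.100.9 10.10.1.21 tcp 22 500
203.0.113.7 198.51.100.9 udp 53 100
"""


def summarize(flow_text: str) -> Dict[str, int]:
    """Bytes per traffic direction over a block of flow records."""
    totals: Dict[str, int] = defaultdict(int)
    for line in flow_text.strip().splitlines():
        src, dst, _proto, _dport, nbytes = parse_flow(line)
        totals[classify_flow(src, dst)] += nbytes
    return dict(totals)


def dominant_pattern(totals: Dict[str, int]) -> str:
    """Which pattern carries more bytes, the input to the architecture decisions above."""
    north_south = sum(v for k, v in totals.items() if k.startswith("north-south"))
    return "east-west" if totals.get("east-west", 0) > north_south else "north-south"


def unexpected_flows(flow_text: str) -> List[str]:
    """Records where neither endpoint belongs to the data center; worth investigating,
    since a data-center link should carry only our own north-south or east-west traffic."""
    return [line for line in flow_text.strip().splitlines()
            if classify_flow(*parse_flow(line)[:2]) == "transit"]
```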



Physical Segmentation

• Definition of physical segmentation
• Types of management: in-band, out-of-band, air-gapped
• Security implications of segmentation methods

Definition of Physical Segmentation:
• Physical segmentation refers to creating a separate network or network segment for isolating devices and traffic. This can improve security by preventing unauthorized access between network segments.

Types of Management:
1. In-band Management:
• No physical segmentation: Network devices are managed over the same network that transmits user or application data.
• Example: Managing a switch over the same network where user traffic flows.
• Less secure: Since management and user traffic share the same network, it increases the risk of attacks on network devices.
2. Out-of-band Management:
• Physically separate network: Network devices are managed using a dedicated network separate from user traffic.
• Example: Managing switches or routers via a separate management network.
• More secure: The dedicated management network reduces exposure to threats, providing an added layer of security.
3. Air-gapped Management:
• Complete physical isolation: The network is entirely disconnected from other networks, making it inaccessible from outside networks.
• Example: Industrial control systems that need to be physically managed onsite.
• Most secure: Air-gapped networks are often used for sensitive systems but come with operational limitations, since someone must be physically present to manage the network.

Security Implications of Segmentation Methods:
• In-band management is less secure since user and management traffic share the same network, exposing it to potential risks.
• Out-of-band management offers a higher level of security by creating a dedicated management network.
• Air-gapped networks are the most secure but may limit remote management capabilities, requiring onsite access for maintenance.

• Physical segmentation improves network security by isolating traffic and devices. In-band
management uses the same network for both management and user traffic, while out-of-band
management uses a dedicated management network.
• Air-gapped networks provide the highest level of security through complete physical isolation but
may introduce management challenges.



Logical Segmentation

• Definition of logical segmentation
• VLANs (Virtual Local Area Networks)
• VPNs (Virtual Private Networks)
• VRF (Virtual Routing and Forwarding)
• Virtual domains
• Benefits and risks of logical segmentation

Definition of Logical Segmentation:
• Logical segmentation involves dividing a network into multiple virtual segments using software rather than physical separation. It is a more cost-effective and flexible solution compared to physical segmentation but requires proper configuration to ensure effective isolation.

VLANs (Virtual Local Area Networks):
• VLANs allow a single physical network to be logically divided into multiple smaller networks.
• Example: In an office, VLANs can be used to separate HR, IT, and guest traffic, even though all traffic flows over the same physical infrastructure.
• Advantage: VLANs provide better traffic management and security through logical isolation.

VPNs (Virtual Private Networks):
• VPNs enable secure connections to a private network over public infrastructure.
• Example: Employees working remotely use a VPN to securely connect to the organization's main network.
• Advantage: VPNs allow for secure remote access to sensitive resources across untrusted networks (like the internet).

VRF (Virtual Routing and Forwarding):
• VRF enables the creation of multiple virtual networks on a single physical network component, such as a router.
• Example: A single physical router can handle multiple separate routing tables, allowing multiple networks to exist on the same infrastructure.
• Advantage: It allows greater network scalability and segmentation without additional hardware.

Virtual Domains:
• Virtual domains allow for the creation of multiple separate security domains within a single physical device.
• Example: A firewall can be partitioned into multiple virtual firewalls, each serving a different department or security requirement.
• Advantage: Virtual domains offer granular security control within a single device.

Benefits and Risks of Logical Segmentation:
• Benefits: Logical segmentation is cheaper and more flexible than physical segmentation, allowing easier management and scaling.
• Risks: If not properly configured, logical segmentation may not provide effective isolation, leading to potential security vulnerabilities.

• Logical segmentation enables the division of a network into virtual segments through methods like
VLANs, VPNs, VRF, and virtual domains.
• This approach offers flexibility, cost-effectiveness, and scalability. However, proper configuration is
essential to ensure network isolation and security.
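An added model (not from the notes) of the VLAN membership decision that keeps HR, IT and guest traffic apart on one switch: 802.1Q tags are parsed, access ports assign their own VLAN, and a pruned trunk carries only the VLANs it is configured for, with an unpruned trunk beside it as the "not properly configured" case. The port layout is constructed, and MAC learning is omitted so every frame is flooded within its VLAN.

```python
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Port:
    name: str
    mode: str                                    # "access" (one untagged VLAN) or "trunk" (tagged)
    access_vlan: int = 1                         # used by access ports
    allowed_vlans: FrozenSet[int] = frozenset()  # used by trunk ports: VLANs permitted to cross


def build_frame(dst_mac: str, src_mac: str, payload: bytes, vid: Optional[int] = None) -> bytes:
    """Ethernet II frame; with `vid` an 802.1Q tag (TPID + TCI) is inserted after the MACs."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)    # PCP=0, DEI=0, 12-bit VID
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_tag(frame: bytes) -> Optional[int]:
    """VID carried in the frame's 802.1Q tag, or None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def ingress_vlan(port: Port, frame: bytes) -> Optional[int]:
    """Decide which VLAN a frame belongs to on arrival, or None if it must be dropped."""
    vid = vlan_tag(frame)
    if port.mode == "access":
        # an access port assigns its own VLAN; a tagged frame from an end user is not honoured
        return None if vid is not None else port.access_vlan
    # a trunk accepts only tagged frames for VLANs it is configured to carry
    if vid is None or vid not in port.allowed_vlans:
        return None
    return vid


def egress_ports(switch: Dict[str, Port], in_port: str, frame: bytes) -> List[str]:
    """Ports the switch floods the frame to. Only members of the frame's VLAN qualify,
    which is what keeps HR, IT and guest traffic apart on the shared hardware."""
    vid = ingress_vlan(switch[in_port], frame)
    if vid is None:
        return []
    out = []
    for name, port in switch.items():
        if name == in_port:
            continue
        if port.mode == "access" and port.access_vlan == vid:
            out.append(name)                     # delivered untagged to the end user
        elif port.mode == "trunk" and vid in port.allowed_vlans:
            out.append(name)                     # delivered with the tag kept
    return out


# Constructed office switch: HR, IT and guest users on access ports, one uplink trunk
# that is pruned so guest traffic never leaves this switch.
OFFICE_SWITCH: Dict[str, Port] = {
    "hr1": Port("hr1", "access", access_vlan=10),
    "it1": Port("it1", "access", access_vlan=20),
    "guest1": Port("guest1", "access", access_vlan=30),
    "uplink": Port("uplink", "trunk", allowed_vlans=frozenset({10, 20})),
}

# Same switch with the trunk left unpruned (all 4094 VLANs allowed): guest traffic now
# crosses the uplink into the rest of the network, the misconfiguration the notes warn about.
UNPRUNED_SWITCH: Dict[str, Port] = dict(
    OFFICE_SWITCH, uplink=Port("uplink", "trunk", allowed_vlans=frozenset(range(1, 4095))))
```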



Monitoring and Management

• Importance of monitoring and management
• Network observability
• Traffic flow and shaping
• Capacity management
• Fault detection and handling

Importance of Monitoring and Management:
• Effective monitoring and management ensure the performance, availability, and reliability of networks, systems, and services. These processes help to detect and resolve issues promptly.

Network Observability:
• Network observability refers to the ability to gain insight into a network’s internal workings, allowing a better understanding of how data moves and identifying any performance issues.
• Example: Network monitoring tools provide visibility into traffic patterns, enabling IT teams to optimize the network’s performance.

Traffic Flow and Shaping:
• Traffic shaping involves controlling the flow of data packets in the network to enforce policies and optimize performance.
• Example: Corporate networks may prioritize VoIP traffic to ensure clear communication during calls, even during periods of high network usage.

Capacity Management:
• Capacity management involves monitoring the current usage of network resources and planning for future needs.
• Example: In cloud environments, rapid elasticity allows resources to be scaled up or down based on demand, helping reduce the complications of capacity management.
• Goal: Ensure that the network can meet both present and future demands.

Fault Detection and Handling:
• Fault detection identifies and diagnoses issues within the network, followed by handling those issues using appropriate methods.
• Example: Some networks use automatic remediation systems that respond to incidents without human intervention, while others rely on manual intervention or incident response processes.

• Monitoring and management are critical for ensuring network performance and reliability.
• Key concepts include network observability (understanding network behavior), traffic shaping
(controlling and prioritizing data flows), capacity management (planning resource usage), and fault
detection (identifying and resolving issues efficiently).
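The traffic shaping and capacity management points above, as an added worked example (not code from these notes): a token-bucket shaper that releases a bounded number of bytes per tick and always serves the VoIP class before web and backup traffic, with a backlog() view of what is still queued per class. The class names, packet sizes and the arrival pattern in run_demo() are constructed sample input, and strict class priority is an assumed policy.

```python
"""Priority-aware traffic shaping with a token bucket.

Added illustration, not code from the notes: a link that may release at
most `rate` bytes per tick (plus a bounded burst) and always serves the
VoIP class before web and backup traffic. Class names, sizes and the
arrival pattern in run_demo() are constructed sample input.
"""
from collections import deque

# Lower number = served first. Assumed policy: VoIP is latency-sensitive.
PRIORITY = {"voip": 0, "web": 1, "backup": 2}


class TokenBucketShaper:
    def __init__(self, rate, burst):
        self.rate = rate          # bytes added to the bucket per tick
        self.burst = burst        # bucket capacity: the largest burst allowed
        self.tokens = burst       # start with a full bucket
        self.queues = {cls: deque() for cls in PRIORITY}

    def enqueue(self, pkt):
        """Queue a packet dict: {"id": str, "class": str, "size": int bytes}."""
        self.queues[pkt["class"]].append(pkt)

    def tick(self):
        """Advance one tick and return the ids released, in release order."""
        self.tokens = min(self.burst, self.tokens + self.rate)
        released = []
        for cls in sorted(PRIORITY, key=PRIORITY.get):
            q = self.queues[cls]
            while q and q[0]["size"] <= self.tokens:
                pkt = q.popleft()
                self.tokens -= pkt["size"]
                released.append(pkt["id"])
            if q:
                # Strict priority: a waiting higher-class packet keeps the
                # remaining tokens; lower classes must wait for the next tick.
                break
        return released

    def backlog(self):
        """Bytes still queued per class: the input for capacity planning."""
        return {cls: sum(p["size"] for p in q) for cls, q in self.queues.items()}


def run_demo():
    """Constructed scenario: a large backup packet competes with VoIP and web."""
    shaper = TokenBucketShaper(rate=500, burst=1500)
    for pkt in [
        {"id": "b1", "class": "backup", "size": 1500},
        {"id": "w1", "class": "web", "size": 1000},
        {"id": "v1", "class": "voip", "size": 200},
        {"id": "v2", "class": "voip", "size": 200},
    ]:
        shaper.enqueue(pkt)
    schedule = [shaper.tick()]                        # tick 1
    shaper.enqueue({"id": "v3", "class": "voip", "size": 200})
    schedule.extend(shaper.tick() for _ in range(4))  # ticks 2-5
    return schedule, shaper.backlog()


if __name__ == "__main__":
    for i, ids in enumerate(run_demo()[0], start=1):
        print(f"tick {i}: released {ids}")
```

In the constructed run the two VoIP packets and the web packet go out in the first tick, a VoIP packet that arrives later is still served ahead of the 1500-byte backup packet, and the backup packet waits until the bucket has refilled enough to carry it whole; backlog() is the number a capacity planner would trend over time.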



Layer 1 Devices
• Definition of Layer 1 devices
• Key devices: hubs, repeaters, concentrators
• Characteristics of Layer 1 devices

Definition of Layer 1 Devices:
• Devices operating at Layer 1 (Physical layer) are responsible for the transmission of raw bits across a network. They do not make intelligent decisions, such as directing traffic or filtering data.
Key Layer 1 Devices:
1. Hubs:
    • A hub is a simple device with multiple ports that connects multiple devices in a network.
    • It receives data at one port and broadcasts it to all other connected devices.
    • Drawback: Hubs are noisy as they do not differentiate between the source and destination, often causing data collisions because all devices share the same collision domain.
    • Example: Older Ethernet networks often used hubs to connect devices, but they are now replaced by switches.
2. Repeaters:
    • A repeater regenerates weakened signals and amplifies them to extend the transmission distance.
    • It is used to mitigate signal attenuation (loss of signal strength) when data travels over long distances.
    • Example: Repeaters are commonly used in large cabled networks to ensure signal integrity over extended distances.
3. Concentrators:
    • Concentrators combine signals from multiple sources and send them down a single transmission line.
    • Unlike hubs, which broadcast signals to all devices, concentrators focus on aggregating signals together for efficient transmission.
    • Example: Concentrators can be used in telecommunication systems where multiple data streams are merged for transmission over a single connection.
Characteristics of Layer 1 Devices:
• Very fast due to their simple function of transmitting raw data (bits).
• No decision-making capabilities, meaning they cannot direct traffic or perform filtering.
• Typically, they operate in the same collision domain, leading to potential performance issues in certain network environments.

• Layer 1 devices, such as hubs, repeaters, and concentrators, handle the transmission of raw data
without intelligent decision-making.
• While hubs broadcast data to all devices, leading to potential collisions, repeaters amplify signals
to extend transmission distances, and concentrators aggregate signals for efficient transmission.



Layer 2: Data Link Layer
• Definition of Layer 2
• Data format: frames
• Physical addressing via MAC addresses
• Circuit-switched vs. packet-switched networks
• Link encryption at Layer 2
• Layer 2 devices: bridges, switches
• Layer 2 protocols: L2TP, PPTP, ARP

Definition of Layer 2:
• The Data Link layer (Layer 2) acts as the interface between the Physical layer (Layer 1) and the Network layer (Layer 3). It ensures that data is properly formatted for transmission and reception between these layers.
Data Format: Frames:
• At Layer 2, data is formatted as frames, which contain the necessary information for devices to recognize and process the data. This includes source and destination MAC addresses.
Physical Addressing via MAC Addresses:
• Layer 2 uses MAC (Media Access Control) addresses to uniquely identify devices on a network. Unlike IP addresses, MAC addresses are permanent and tied to the network interface card (NIC) of a device.
Circuit-Switched vs. Packet-Switched Networks:
• Circuit-switched networks: Establish a dedicated connection between devices before transmitting data (e.g., traditional telephone systems).
• Packet-switched networks: Data is broken into packets and sent over a shared network, with each packet potentially taking a different route (e.g., the internet).
Link Encryption at Layer 2:
• Layer 2 is a common location to implement link encryption, which secures data as it travels between two directly connected devices, protecting it from interception.
Layer 2 Devices: Bridges and Switches:
• Bridges: Devices that divide a network into segments and manage traffic based on MAC addresses, helping to reduce collisions.
• Switches: Devices that connect multiple devices within a network and forward frames based on MAC addresses. Switches improve network efficiency by reducing collisions and increasing data transmission speed.
Layer 2 Protocols:
• L2TP (Layer 2 Tunneling Protocol): A tunneling protocol used for VPNs that provides data privacy and security.
• PPTP (Point-to-Point Tunneling Protocol): An older VPN protocol, now considered less secure.
• ARP (Address Resolution Protocol): Resolves IP addresses to MAC addresses, allowing communication between Layer 2 and Layer 3.
Role of Layer 2 in the OSI Model:
• Layer 2 serves as a conduit between the Physical and Network layers. It takes packets from Layer 3 and formats them into frames for Layer 1. Conversely, it takes bits from Layer 1 and converts them into frames for Layer 3.

• The Data Link layer (Layer 2) is responsible for framing data and ensuring it can be transmitted
between devices using MAC addresses.
• It connects the Physical layer (Layer 1) and the Network layer (Layer 3), playing a critical role in
managing data flow and security.
• Devices like bridges and switches operate at this layer, using protocols such as L2TP, PPTP, and
ARP to facilitate communication.



Physical Addressing (Layer 2)
• Definition of physical addressing
• MAC (Media Access Control) addresses
• Structure of MAC addresses
• ARP and RARP
• ARP poisoning
• Circuit-switched vs. packet-switched networks

Definition of Physical Addressing:
• Physical addressing at Layer 2 involves assigning a unique identifier to each device on a network. This ensures that each device can be uniquely identified for communication.
MAC (Media Access Control) Addresses:
• A MAC address is a unique identifier assigned to a device’s network card. It consists of 48 bits (6 bytes) and is used to distinguish devices on the same network.
• Example: A laptop or smartphone connected to a Wi-Fi network will have its own unique MAC address.
Structure of MAC Addresses:
• First 24 bits: Organizational Unique Identifier (OUI), which identifies the device’s manufacturer (e.g., Cisco, Intel).
• Last 24 bits: Uniquely assigned by the manufacturer to identify the specific device.
• Example: A MAC address could look like 00:1A:2B:3C:4D:5E, where the first three pairs identify the manufacturer and the last three pairs identify the device.
Address Resolution Protocol (ARP) and Reverse ARP (RARP):
• ARP: Maps IP addresses (Layer 3) to MAC addresses (Layer 2), facilitating communication between devices.
• Example: When sending data to a device, ARP helps translate the destination's IP address into its MAC address.
• RARP: Reverses this process by mapping MAC addresses to IP addresses.
ARP Poisoning:
• ARP poisoning is a form of attack where an attacker spoofs or masquerades as another device on the network by altering the ARP table.
• By doing this, the attacker can intercept data intended for the legitimate device.
• Example: In a man-in-the-middle attack, ARP poisoning allows the attacker to reroute traffic through their device without detection.
Circuit-Switched vs. Packet-Switched Networks:
• Circuit-switched networks: Establish a dedicated connection before data is transmitted (e.g., traditional telephone systems).
• Packet-switched networks: Data is broken into packets and sent over shared paths, with each packet potentially taking a different route (e.g., internet communication).

• At Layer 2, devices are uniquely identified by MAC addresses, which consist of 48 bits. ARP and
RARP are used to map IP addresses to MAC addresses and vice versa.
• However, this layer is susceptible to attacks like ARP poisoning, where attackers can spoof devices
to intercept data.
• The distinction between circuit-switched and packet-switched networks is important for
understanding how data travels across networks.
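The MAC address structure and the ARP poisoning symptom above, as an added worked example (not code from these notes): parse_mac() splits a 48-bit address into its OUI and device parts and reads the two flag bits of the first octet, and detect_arp_changes() replays a list of observed ARP replies and reports when an IP address starts resolving to a different MAC, the change a defender's ARP monitor looks for. The MAC 00:1A:2B:3C:4D:5E is the notes' own example; the other addresses and the reply list in sample_replies() are constructed.

```python
"""MAC address structure and ARP table consistency checking.

Added illustration, not code from the notes. parse_mac() splits the
48-bit address into OUI and device parts and reads the two flag bits of
the first octet. detect_arp_changes() replays observed ARP replies
(constructed sample input in sample_replies()) and reports when an IP
address's MAC changes, the symptom watched for when ARP poisoning is
suspected.
"""


def parse_mac(mac):
    octets = [int(part, 16) for part in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    first = octets[0]
    return {
        "oui": ":".join(f"{o:02X}" for o in octets[:3]),   # manufacturer part
        "nic": ":".join(f"{o:02X}" for o in octets[3:]),   # device part
        # Bit 1 of the first octet: locally administered (set by software)
        "locally_administered": bool(first & 0x02),
        # Bit 0 of the first octet: group/multicast address
        "multicast": bool(first & 0x01),
    }


def detect_arp_changes(replies):
    """Build an IP->MAC table from ARP replies; return (table, alerts)."""
    table, alerts = {}, []
    for reply in replies:
        ip, mac = reply["sender_ip"], reply["sender_mac"].lower()
        old = table.get(ip)
        if old is not None and old != mac:
            # Another IP already resolving to the new MAC is the classic
            # poisoning picture: one host answering for itself and the gateway.
            also = sorted(i for i, m in table.items() if m == mac and i != ip)
            alerts.append({"ip": ip, "old_mac": old, "new_mac": mac,
                           "also_claimed_by": also})
        table[ip] = mac
    return table, alerts


def sample_replies():
    """Constructed ARP replies: gateway .1 and host .20 answer normally, then
    a reply claims the gateway's IP with host .20's MAC."""
    return [
        {"sender_ip": "192.168.1.1", "sender_mac": "00:1A:2B:3C:4D:5E"},
        {"sender_ip": "192.168.1.20", "sender_mac": "00:1A:2B:AA:BB:CC"},
        {"sender_ip": "192.168.1.1", "sender_mac": "00:1A:2B:AA:BB:CC"},
    ]


if __name__ == "__main__":
    print(parse_mac("00:1A:2B:3C:4D:5E"))
    table, alerts = detect_arp_changes(sample_replies())
    for alert in alerts:
        print("ARP change:", alert)
```

A real monitor would feed detect_arp_changes() from captured ARP replies rather than a static list; the alert it raises (the gateway's IP now resolving to a MAC another host already owns) is the point at which to compare against the switch's port table or a static ARP entry before trusting the new mapping.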



Circuit-Switched Network
• Definition of circuit-switched network
• Example: PSTN (Public Switched Telephone Network)
• Full-duplex communication
• Establishing a connection
• Transmission of digital data over analog connections
• Modems (Modulation/Demodulation)
• Introduction of VoIP (Voice over IP)

Definition of Circuit-Switched Network:
• A circuit-switched network establishes a dedicated connection between two devices, maintaining the connection throughout the communication. This type of network is commonly used in traditional telephone systems.
Example: Public Switched Telephone Network (PSTN):
• The PSTN is a classic example of a circuit-switched network, where a dedicated circuit is created between the calling and receiving parties.
• Example: When you dial a phone number, the network establishes a circuit that allows both parties to speak and hear simultaneously (full-duplex communication).
Full-Duplex Communication:
• Full-duplex means that data can be sent and received simultaneously in both directions, enhancing communication efficiency.
• Example: In a phone call, both parties can talk and listen at the same time without waiting for the other to finish.
Establishing a Connection:
• In a circuit-switched network, the connection can be established permanently or on demand. It is maintained between switches to ensure that traffic is routed to the correct destination.
Transmission of Digital Data over Analog Connections:
• Analog communication was originally designed for voice, as the human voice is analog in nature.
• However, with the rise of digital data, a solution was needed to transmit digital information over analog telephone lines.
Modems (Modulation/Demodulation):
• Modems were introduced to convert digital data into analog signals for transmission over analog telephone lines and back to digital data at the receiving end.
• Example: Early internet connections used modems to allow data to travel over phone lines, but these connections were limited to 65,000 bits per second.
Introduction of VoIP (Voice over IP):
• As data networks grew, the need for faster communication led to the development of VoIP (Voice over IP), which allows voice communication over data networks.
• VoIP uses the internet protocol to transmit digital data more efficiently than analog phone lines.
• Security risks: Though VoIP is faster, it also introduces security concerns, such as potential eavesdropping or data breaches.

• A circuit-switched network establishes a dedicated connection for communication, as seen in the PSTN.
• Communication is full-duplex, allowing simultaneous data transmission in both directions.
• With advancements in technology, modems were used to transmit digital data over analog connections, eventually giving rise to VoIP, which uses data networks for faster voice communication but presents security risks.



Packet-Switched Network
• Definition of packet-switched network
• Data packets and their structure
• Role of switches
• Unreliable delivery
• Comparison to circuit-switched networks

Definition of Packet-Switched Network:
• A packet-switched network breaks data into packets for transmission. These packets travel through the network independently, possibly via different routes, and are reassembled at the destination.
Data Packets and Their Structure:
• Each data packet contains important information such as source and destination addresses and sequence numbers.
• Example: When you send an email, the data is divided into packets, each containing part of the email message along with addressing and sequencing information.
Role of Switches:
• Switches route each packet to its final destination based on the header information (like source, destination, and priority) and network conditions.
• Packets may take different routes to the destination, depending on the availability and traffic on the network.
Unreliable Delivery:
• In packet-switched networks, there is no guarantee of delivery. Some packets may be lost during transmission, and the data must be reassembled upon arrival.
• Packets may also arrive out of order, but sequence numbers allow them to be properly reassembled.
Comparison to Circuit-Switched Networks:
• Unlike circuit-switched networks, packet-switched networks do not establish a dedicated connection for the entire communication.
• Packet-switched networks are more flexible and efficient, especially over long distances, but they introduce the risk of lost packets and reassembly errors.

• In a packet-switched network, data is broken into packets, which travel independently and may
take different routes to the destination.
• Switches route the packets based on header information, but the network does not guarantee
delivery, and packets may arrive out of order.
• This type of network is more efficient than circuit-switched networks, though it introduces risks such
as packet loss.



Layer 2 Protocols
• Definition of Layer 2 protocols
• VPN tunneling protocols: L2F, PPTP, L2TP
• SLIP (Serial Line Internet Protocol)
• ARP (Address Resolution Protocol)
• RARP (Reverse ARP)

Definition of Layer 2 Protocols:
• Layer 2 protocols operate at the Data Link layer of the OSI model, ensuring that data is properly transmitted across a network. Some of these protocols are used for VPN tunneling, while others map between IP and MAC addresses.
VPN Tunneling Protocols:
1. L2F (Layer 2 Forwarding Protocol):
    • A tunneling protocol used to create VPNs by forwarding data between client and server.
    • Example: L2F can be used to create secure communication over public networks.
2. PPTP (Point-to-Point Tunneling Protocol):
    • Another VPN tunneling protocol, PPTP uses three authentication protocols:
        • PAP (Password Authentication Protocol): Simplest but least secure; uses static plaintext passwords.
        • CHAP (Challenge Handshake Authentication Protocol): More secure; the password is encrypted before transmission.
        • EAP (Extensible Authentication Protocol): Most robust and flexible, allowing it to combine with other protocols for stronger security.
    • Example: PPTP is commonly used for remote access VPNs, though it is less secure than newer protocols.
3. L2TP (Layer 2 Tunneling Protocol):
    • A more advanced tunneling protocol that combines the best features of L2F and PPTP, providing strong encryption and security for VPNs.
    • Example: L2TP is often used for site-to-site VPNs due to its enhanced security features.
SLIP (Serial Line Internet Protocol):
• An older protocol used for remote access via serial connections and modems.
• Example: SLIP was once used for dial-up internet access, though it has been largely replaced by more modern protocols like PPP (Point-to-Point Protocol).
ARP (Address Resolution Protocol):
• ARP maps IP addresses to MAC addresses, allowing devices to communicate over a network.
• Example: When sending data to another device on a network, ARP helps to identify the device's MAC address, ensuring proper delivery.
RARP (Reverse Address Resolution Protocol):
• RARP performs the opposite function of ARP, mapping MAC addresses to IP addresses.
• Example: RARP can be used when a device only knows its MAC address and needs to discover its assigned IP address.

• Layer 2 protocols manage data transmission at the Data Link layer. Tunneling protocols like L2F,
PPTP, and L2TP are used to create VPNs, while ARP and RARP map between IP and MAC
addresses.
• SLIP is an older protocol for remote access, replaced by more secure options today.



Layer 2 Devices
• Definition of Layer 2 devices
• Bridges
• Switches (Layer 2 switches)
• Layer 2 vs. Layer 3 switches

Definition of Layer 2 Devices:
• Layer 2 devices operate at the Data Link layer of the OSI model and provide efficient and fast network connections. They handle data transmission using MAC addresses and help manage network traffic.
Bridges:
• Bridges connect different networks together without considering the content of the data being transferred.
• Example: A bridge can connect a wired network and a wireless network, allowing devices on both networks to communicate.
Switches (Layer 2 Switches):
• Switches connect multiple devices within a network.
• A frame sent to a Layer 2 switch is forwarded only to the intended recipient, based on the MAC address in the frame header.
• Example: In a LAN environment, switches forward data packets between devices, reducing network traffic and improving efficiency compared to hubs.
• Switches vs. Hubs: Unlike hubs, which broadcast data to all devices, switches send data only to the device that needs it.
Layer 2 vs. Layer 3 Switches:
• Layer 2 switches work at the Data Link layer and forward frames based on MAC addresses.
• Layer 3 switches operate at the Network layer, performing additional tasks like routing based on IP addresses.
• Example: A Layer 3 switch can forward data across different subnets, combining the functionalities of both a switch and a router.
Note for Exams:
• Be aware of the differences between Layer 2 and Layer 3 switches, as exam questions may specify whether they refer to a regular switch (Layer 2) or a Layer 3 switch with added functionalities.

• Layer 2 devices, such as bridges and switches, operate at the Data Link layer and manage network
traffic based on MAC addresses.
• While bridges connect different networks, Layer 2 switches forward data to the intended recipient
within the network.
• Layer 3 switches provide additional routing functionality by operating at the Network layer.
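The hub-versus-switch contrast drawn on the Layer 1 Devices page and again here, as an added worked example (not code from these notes): a Hub repeats every frame out of every other port, while a LearningSwitch records the source MAC of each frame against its ingress port and then forwards by destination MAC, flooding only when the destination is unknown or a broadcast. The port numbers, MAC addresses and frame sequence in demo() are constructed.

```python
"""Hub versus learning switch: which ports see each frame?

Added illustration, not code from the notes. Port numbers, MAC addresses
and the frame sequence in demo() are constructed sample input.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Layer 1: repeats every frame out of every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, frame, in_port):
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Layer 2: learns source MACs per port and forwards by destination MAC."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, frame, in_port):
        self.mac_table[frame["src"]] = in_port   # learn on every frame
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.mac_table:
            # Unknown or broadcast destination: flood, as a hub would
            return [p for p in self.ports if p != in_port]
        out = self.mac_table[dst]
        # Destination sits on the ingress port: nothing to forward
        return [] if out == in_port else [out]


def demo():
    """Constructed LAN: host A on port 1, B on port 2, C on port 3; port 4 empty."""
    A, B, C = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    frames = [
        ({"src": A, "dst": B}, 1),          # A -> B, B not yet learned
        ({"src": B, "dst": A}, 2),          # B -> A, A already learned
        ({"src": C, "dst": B}, 3),          # C -> B, B learned from frame 2
        ({"src": A, "dst": BROADCAST}, 1),  # A broadcasts (e.g. an ARP request)
    ]
    hub, switch = Hub([1, 2, 3, 4]), LearningSwitch([1, 2, 3, 4])
    hub_out = [hub.forward(f, p) for f, p in frames]
    switch_out = [switch.forward(f, p) for f, p in frames]
    return {"hub": hub_out, "switch": switch_out,
            "mac_table": dict(switch.mac_table)}


if __name__ == "__main__":
    for device, outs in demo().items():
        print(device, outs)
```

The first frame and the broadcast reach every port on both devices; the difference is frames two and three, which the switch delivers to exactly one port because it has already learned where A and B live. Its mac_table is the same information a network engineer reads from a switch to locate a host by MAC address.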



Authentication Protocols
• Evolution of remote authentication
• Authentication protocols: PPP, PAP, CHAP, EAP
• Extensible Authentication Protocol (EAP)
• Protected Extensible Authentication Protocol (PEAP)
• Comparison of EAP types (EAP-TLS, EAP-TTLS, EAP-PEAP, LEAP, EAP-MD5)

Evolution of Remote Authentication:
• As organizations began using modems for remote access, authentication protocols evolved to secure remote connections. Early methods like SLIP were replaced by PPP (Point-to-Point Protocol) to improve remote access and security.
Authentication Protocols:
• PPP (Point-to-Point Protocol): A Layer 2 protocol used to establish remote connections, typically via VPNs today.
• PAP (Password Authentication Protocol): Prompts users for a user ID and password. However, passwords are sent in plaintext, making it insecure.
• CHAP (Challenge Handshake Authentication Protocol): Encrypts passwords during transmission and sends challenges at intervals to ensure session integrity, reducing the risk of session hijacking.
• EAP (Extensible Authentication Protocol): The most robust and flexible protocol, allowing vendors to extend its capabilities, such as integrating with smart keys or digital certificates. EAP is widely used in wireless security (e.g., WPA2).
PEAP (Protected Extensible Authentication Protocol):
• PEAP builds on EAP by encapsulating it within an encrypted TLS tunnel, providing an additional layer of security.
• Example: PEAP is often used in wireless networks where secure authentication is required.
Comparison of EAP Types:
• EAP has various types that differ based on the level of authentication, security, and industry support. The comparison is summarized below:
    • EAP-TLS: Provides both client and server authentication using certificates; offers high security and strong industry support.
    • EAP-TTLS: Provides server authentication with certificates but allows client authentication with ID and password.
    • EAP-PEAP: Similar to EAP-TTLS but with higher security, encapsulating communication in an encrypted TLS tunnel.
    • LEAP: Cisco’s proprietary version; uses ID and password for both client and server authentication but has lower security.
    • EAP-MD5: A simpler version of EAP using ID and password, with low security and limited industry support.

• Authentication protocols have evolved to meet the needs of remote access. PPP introduced PAP,
CHAP, and EAP for secure connections, with EAP being the most flexible and secure.
• PEAP enhances EAP by using an encrypted TLS tunnel.
• Various types of EAP offer different levels of security and authentication, with EAP-TLS providing
the highest security using certificates for both client and server authentication.
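The PAP/CHAP contrast made here and under PPTP on the Layer 2 Protocols page, as an added worked example (not code from these notes): pap_request() shows what a PAP authentication carries across the link, and the CHAP classes carry out the RFC 1994 exchange, where the peer returns MD5(identifier || secret || challenge) and the authenticator issues a fresh challenge for each round, so a captured response is useless against the next challenge. The user name, shared secret and password are constructed sample values.

```python
"""PAP versus CHAP on the wire.

Added illustration, not code from the notes. pap_request() shows what a
PAP authentication carries; the CHAP classes implement the RFC 1994
exchange (response = MD5(identifier || secret || challenge)) with a
fresh challenge each round, so a captured response cannot be replayed.
User names, secrets and the challenge bytes are constructed sample values.
"""
import hashlib
import hmac
import secrets


def pap_request(user, password):
    """PAP: the credential itself crosses the link."""
    return {"user": user, "password": password}


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response-Value = MD5(Identifier || secret || Challenge-Value).
    MD5 is what the protocol specifies, not a recommendation for new designs."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    def __init__(self, secrets_by_user):
        self.db = dict(secrets_by_user)   # assumed server-side secret store
        self.identifier = 0
        self.current_challenge = None

    def challenge(self, challenge_bytes=None):
        """Issue a new (identifier, challenge); called again for periodic re-checks."""
        self.identifier = (self.identifier + 1) % 256
        self.current_challenge = challenge_bytes or secrets.token_bytes(16)
        return self.identifier, self.current_challenge

    def verify(self, user, identifier, response):
        secret = self.db.get(user)
        if secret is None or identifier != self.identifier or self.current_challenge is None:
            return False
        expected = chap_response(identifier, secret, self.current_challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapPeer:
    def __init__(self, user, secret):
        self.user, self.secret = user, secret

    def answer(self, identifier, challenge):
        """The secret never leaves the peer; only the hash does."""
        return self.user, identifier, chap_response(identifier, self.secret, challenge)


def demo():
    """Constructed exchange: one successful CHAP round, a replay, a wrong secret."""
    auth = ChapAuthenticator({"alice": b"constructed-shared-secret"})
    peer = ChapPeer("alice", b"constructed-shared-secret")

    ident, chal = auth.challenge()
    user, ident, resp = peer.answer(ident, chal)
    first_ok = auth.verify(user, ident, resp)

    # Periodic re-challenge: the earlier response no longer matches
    auth.challenge()
    replay_ok = auth.verify(user, ident, resp)

    # A peer holding the wrong secret never verifies
    ident2, chal2 = auth.challenge()
    wrong_ok = auth.verify(*ChapPeer("alice", b"wrong").answer(ident2, chal2))

    return {"pap_wire": pap_request("alice", "hunter2-constructed"),
            "chap_first_ok": first_ok, "chap_replay_ok": replay_ok,
            "chap_wrong_secret_ok": wrong_ok}
```

Everything the PAP dictionary holds is visible to anyone on the path; the CHAP exchange exposes only the identifier, the challenge and a 16-byte hash, and the periodic re-challenge in demo() is what the notes mean by "sends challenges at intervals". Both sides must still hold the secret in a recoverable form, which is the limitation EAP methods with certificates (EAP-TLS) remove.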



Layer 3: Network
• Data format at Layer 3: packets
• Logical addressing and mapping (ARP, RARP)
• Route selection
• Layer 3 devices (routers, packet filtering firewalls, Layer 3 switches)
• Layer 3 protocols (ICMP, IGMP, IPsec, OSPF)
• Fragmentation and IP addressing

Data Format at Layer 3:
• At Layer 3 (the Network layer), data is formatted as packets, which are chunks of data that can be transmitted across networks.
Logical Addressing and Mapping (ARP, RARP):
• ARP (Address Resolution Protocol): Maps IP addresses to MAC addresses, allowing devices to communicate by converting IPs into physical addresses.
    • Example: When sending data out of a network, ARP maps the sender's MAC address to its IP address.
• RARP (Reverse ARP): Maps MAC addresses to IP addresses, allowing a device to find its IP address using its MAC address.
    • Example: RARP is used when a device knows its MAC address but needs to discover its IP address.
Route Selection:
• The Network layer is responsible for selecting the best route for data packets to take to reach their destination, considering factors like congestion or node failure.
    • Example: If a primary route is congested, Layer 3 protocols may choose an alternate route to ensure data reaches its destination.
Layer 3 Devices:
• Routers: Forward data packets between different networks, ensuring that the packets are routed to the correct destination.
• Packet filtering firewalls: Filter network traffic based on IP addresses, providing security by allowing or blocking specific packets.
• Layer 3 switches: Combine the functionality of both switches and routers, allowing for packet forwarding based on IP addresses.
Layer 3 Protocols:
• ICMP (Internet Control Message Protocol): Used for diagnostic purposes, such as pinging to test network connectivity.
• IGMP (Internet Group Management Protocol): Manages multicast group memberships, allowing devices to join or leave multicast groups.
• IPsec (Internet Protocol Security): Provides encryption and security for data packets transmitted over IP networks.
• OSPF (Open Shortest Path First): A routing protocol that finds the best path for data packets within a network.
Fragmentation and IP Addressing:
• Fragmentation is the process of breaking large chunks of data into smaller packets for transmission.
• IP addressing ensures that each packet is assigned a unique IP address, allowing it to be routed across the network.
• Example: Data is fragmented into smaller packets for faster transmission across the internet, and each packet is given a destination IP address to guide its delivery.

• At Layer 3, data is formatted as packets, and logical addressing is used to map IP addresses to
MAC addresses using ARP and RARP. Routing is a key responsibility, with Layer 3 devices like
routers and firewalls managing traffic.
• Layer 3 protocols such as ICMP, IGMP, and IPsec ensure smooth network operations, while
fragmentation and IP addressing allow data to be efficiently transmitted across networks.
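The fragmentation point above and the Packet-Switched Network page's description of packets arriving out of order or not at all, as one added worked example (not code from these notes): fragment() splits a payload into pieces that fit a given MTU, following the IPv4 rules that offsets count 8-byte units and every fragment but the last carries a multiple of 8 data bytes, and reassemble() puts them back in offset order, returning None when a piece is missing rather than a silently truncated message. The payload, MTU and header size in demo() are constructed sample values.

```python
"""IPv4-style fragmentation and reassembly with out-of-order and lost pieces.

Added illustration, not code from the notes; it serves both the
packet-switched network page (packets arriving out of order or lost,
reordered by sequence information) and the Layer 3 fragmentation point.
It follows the IPv4 rules that fragment offsets count 8-byte units and
every fragment but the last carries a multiple of 8 data bytes. The
payload, MTU and header size are constructed sample values.
"""
import random


def fragment(payload, mtu, header_len=20, packet_id=1):
    """Split payload into fragments that fit in mtu bytes including the header."""
    max_data = (mtu - header_len) // 8 * 8     # round down to a multiple of 8
    if max_data <= 0:
        raise ValueError("MTU too small for any fragment data")
    frags = []
    for start in range(0, len(payload), max_data):
        data = payload[start:start + max_data]
        frags.append({
            "id": packet_id,
            "offset": start // 8,                         # in 8-byte units
            "mf": start + len(data) < len(payload),       # more fragments follow?
            "data": data,
        })
    return frags


def reassemble(frags):
    """Return the payload, or None if any fragment is missing."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f["offset"])
    expected, pieces = 0, []
    for f in ordered:
        if f["offset"] * 8 != expected:      # gap or overlap: something is missing
            return None
        pieces.append(f["data"])
        expected += len(f["data"])
    if ordered[-1]["mf"]:                     # the last fragment never arrived
        return None
    return b"".join(pieces)


def demo(seed=7):
    """Constructed 100-byte message over a 68-byte MTU: three fragments."""
    payload = bytes(range(100))
    frags = fragment(payload, mtu=68)
    shuffled = list(frags)
    random.Random(seed).shuffle(shuffled)      # they arrive in a different order
    lost_middle = [f for f in frags if f["offset"] != frags[1]["offset"]]
    lost_last = frags[:-1]
    return {
        "count": len(frags),
        "offsets": [f["offset"] for f in frags],
        "reordered_ok": reassemble(shuffled) == payload,
        "missing_middle": reassemble(lost_middle),
        "missing_last": reassemble(lost_last),
    }


if __name__ == "__main__":
    print(demo())
```

The 68-byte MTU is the smallest IPv4 requires every link to carry; with a 20-byte header that leaves 48 data bytes per fragment, so the 100-byte message becomes fragments at offsets 0, 6 and 12 (in 8-byte units). A receiver that accepted the two surviving pieces after the middle one is lost would hand a corrupted message to the application, which is why reassemble() insists on contiguity and on seeing the final fragment.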



Layer 3 Protocols
• Definition and significance of Layer 3 protocols
• ICMP (Internet Control Message Protocol)
• IGMP (Internet Group Management Protocol)
• IPsec (Internet Protocol Security)
• OSPF (Open Shortest Path First)
• Common routing protocols: BGP, OSPF, RIP

Definition and Significance of Layer 3 Protocols:
• Layer 3 protocols manage routing and logical addressing at the Network layer of the OSI model. These protocols ensure efficient packet transmission, routing, and security.
ICMP (Internet Control Message Protocol):
• ICMP is used for network messaging, providing feedback about network communication issues.
• Ping: A command that uses ICMP to test if a host is reachable.
    • Example: You can ping a website to check if it's online.
• Traceroute: A tool that uses ICMP to map the path of network traffic between source and destination.
    • Example: Traceroute shows the number of hops taken from one network to another.
• Security concerns: ICMP can be used for reconnaissance by attackers, making it common to filter ICMP traffic at firewalls.
IGMP (Internet Group Management Protocol):
• IGMP is used to manage group memberships for multicast communications.
• It helps hosts, routers, and similar devices join or leave multicast groups.
• Example: Streaming video services use IGMP to manage data distribution to multiple users.
IPsec (Internet Protocol Security):
• IPsec is a tunneling protocol that provides authentication and encryption at Layer 3.
• Example: IPsec is commonly used to secure VPNs, ensuring that data is encrypted as it travels over public networks.
• It helps establish secure communication between Layer 3 devices (e.g., routers).
OSPF (Open Shortest Path First):
• OSPF is a routing protocol used by routers to determine the best path for network traffic.
• OSPF includes security features, making it more secure than other routing protocols like RIP.
• Example: OSPF is used in large enterprise networks for efficient and secure routing of traffic.



Layer 3 Protocols (continued)
Common Routing Protocols (BGP, OSPF, RIP):
• BGP (Border Gateway Protocol): Used for routing between different networks, especially on the internet.
    • Example: BGP determines the best route for data between ISPs.
• RIP (Routing Information Protocol): A distance-vector routing protocol used for routing within smaller networks.
    • Example: RIP sends routing updates every 30 seconds, but it is slower and less secure than OSPF.
Traceroute and Ping for Network Troubleshooting:
• Traceroute and ping are often used to determine if network communication problems exist.
• Both tools can help identify if a host is reachable and map network paths, but they can also be used in reconnaissance attacks, which is why they are often filtered.

• Layer 3 protocols like ICMP, IGMP, IPsec, and OSPF handle network routing, security, and logical
addressing.
• ICMP provides network feedback through tools like ping and traceroute, while IGMP manages
multicast groups.
• IPsec ensures secure communication through encryption, and OSPF is a secure and efficient
routing protocol.
• Routing protocols like BGP, OSPF, and RIP manage data flow between and within networks.



Layer 3 Devices
• Layer 3 devices overview
• Routers
• Layer 3 switches
• Packet filtering firewalls
• Functionality vs. speed

Layer 3 Devices Overview:
• Devices operating at Layer 3 of the OSI model (the Network layer) handle routing and packet forwarding based on IP addresses. Key devices include routers, Layer 3 switches, and packet filtering firewalls.
Routers:
• Routers are devices that route network traffic between different networks based on the IP addresses in the data packets.
    • Example: Routers connect different networks, like connecting a home network to the internet.
• They dynamically update routing tables and use routing protocols (e.g., OSPF, BGP) to determine the best route for data.
Layer 3 Switches:
• Layer 3 switches are similar to routers in their ability to route traffic between networks but are often used to connect devices within a VLAN (Virtual Local Area Network).
    • Example: A Layer 3 switch can route traffic between different subnets within the same organization.
• They combine switching and routing functionalities, enabling faster internal communication while also providing Layer 3 routing capabilities.
Packet Filtering Firewalls:
• Packet filtering firewalls operate at Layer 3 and make decisions based on the header portion of data packets, such as source and destination IP addresses and port numbers.
    • Example: A packet filtering firewall can block traffic from certain IP addresses marked as malicious.
• These firewalls are fast due to their limited decision-making capabilities. They do not inspect the data payload, only the packet headers, and therefore provide basic protection.
• Higher-layer firewalls (e.g., Application Layer Firewalls) offer more advanced filtering capabilities, such as deep packet inspection and stateful inspection, but are slower due to increased complexity.
Functionality vs. Speed:
• Devices at Layer 3 balance speed and decision-making capability.
• Layer 3 firewalls are fast but only offer limited filtering based on simple IP addresses and port numbers.
• Higher-layer devices (e.g., Application Layer Firewalls) provide more advanced security features but come with a performance cost due to increased processing requirements.

• Layer 3 devices, such as routers, Layer 3 switches, and packet filtering firewalls, manage
network traffic by making decisions based on IP addresses.
• Routers direct traffic between networks, while Layer 3 switches handle routing within VLANs.
• Packet filtering firewalls provide fast but basic security by filtering packets based on header
information, while higher-layer firewalls offer more advanced protection at the cost of speed.
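The packet filtering firewall described above, as an added worked example (not code from these notes) that also covers the Layer 3 Protocols point about filtering ICMP at the perimeter: rules are matched in order on header fields only (protocol, source and destination networks, destination port), the first match decides, and anything unmatched is dropped by an implicit default deny. The rule set and packets are constructed, using the documentation address ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```python
"""A stateless packet filtering firewall: first matching rule wins, default deny.

Added illustration, not code from the notes; it also covers the Layer 3
protocols point that ICMP is commonly filtered at the perimeter. Rules
see only header fields (protocol, source, destination, destination port),
never the payload. The rule set and packets are constructed sample input
using the documentation address ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR the source address must fall in
    dst: str               # CIDR the destination address must fall in
    dport: Optional[int]   # None matches every port (and port-less protocols)

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.get("dport")


def filter_packet(rules, pkt):
    """Return (action, index of the matching rule); ("deny", None) if none matched."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None   # implicit default deny


# Constructed perimeter policy for a DMZ web server at 192.0.2.10
RULES = [
    Rule("deny", "any", "198.51.100.0/24", "0.0.0.0/0", None),   # blocklisted source range
    Rule("deny", "icmp", "0.0.0.0/0", "192.0.2.0/24", None),      # no ICMP into the DMZ
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),      # public HTTPS
    Rule("allow", "tcp", "10.0.0.0/8", "192.0.2.0/24", 22),       # admin SSH from inside
]

# Constructed packets (header fields only: that is all this firewall sees)
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443},
    {"proto": "icmp", "src": "203.0.113.5", "dst": "192.0.2.10"},
    {"proto": "tcp", "src": "10.20.30.40", "dst": "192.0.2.10", "dport": 22},
    {"proto": "udp", "src": "203.0.113.9", "dst": "192.0.2.10", "dport": 53},
]


def run_policy(rules=RULES, packets=PACKETS):
    """Evaluate every packet against the policy in order."""
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, idx) in zip(PACKETS, run_policy()):
        print(f"{action:5} rule={idx} {pkt}")
```

Rule order matters: the blocklist entry sits first so that a blocklisted host cannot reach the HTTPS allow rule, and the HTTPS packet from a blocklisted address is denied by rule 0 even though rule 2 would have matched it. Because the filter keeps no connection state, a reply to a connection an inside host opened matches none of these rules either; that is the gap the notes attribute to stateful inspection in higher-layer firewalls.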



Logical Addressing
• Definition of internet protocol packets
• IPv4 vs. IPv6 addressing
• Private vs. public IP addresses
• Network classes (subnetting)
• Role of NAT (Network Address Translation)

Definition of Internet Protocol Packets:
• Internet protocol (IP) packets consist of data (payload) and routing information in the header, such as source and destination IP addresses.
    • Example: When data is sent over the internet, it is split into packets, each containing routing details.
IPv4 vs. IPv6 Addressing:
• IPv4: Consists of 32 bits, divided into four octets (8-bit groups) separated by dots (e.g., 192.168.1.254).
    • The range of each octet is 0-255.
    • Limitation: IPv4 allows for just under 4.3 billion addresses (2^32).
• IPv6: Consists of 128 bits, divided into eight 16-bit groups, significantly increasing the number of available IP addresses.
    • Example: An IPv6 address might look like 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
Private vs. Public IP Addresses:
• Private IP addresses are not routable on the public internet and are used within local networks.
    • Example: 192.168.0.0 – 192.168.255.255 is a private IP range used in many home networks.
• Public IP addresses are globally unique and routable on the internet.
    • Example: Websites like google.com have public IP addresses to be accessible globally.
Network Classes (Subnetting):
• Subnetting allows for the creation of smaller networks (subnets) within a larger network, optimizing the use of available IP addresses.
    • Example: The 192.168.1.0 network can be divided into smaller subnets, such as 192.168.1.0/24 for more efficient IP address allocation.
• Network classes in IPv4 are divided into Class A, B, and C, allowing networks of varying sizes:
    • Class A: Large networks
    • Class B: Medium networks
    • Class C: Small networks
Role of NAT (Network Address Translation):
• NAT allows multiple devices on a private network to share a single public IP address when accessing the internet.
    • Example: A home router assigned a public IP by the ISP assigns private IP addresses to connected devices (e.g., 192.168.1.2) and translates them for external communication.
• Security benefit: NAT hides internal IP addresses, making it harder for attackers to gather information about devices on the internal network.
    • Example: An attacker cannot directly access internal devices from the internet without first bypassing the router's NAT.

• IPv4 addresses are made up of 32 bits and have become limited due to the increasing
number of connected devices, leading to the adoption of IPv6 (with 128 bits). Private IP
addresses are used within local networks, while public IP addresses are routable on
the internet. NAT allows internal devices to share a public IP address, improving security
and IP address efficiency.



LAN Technologies
• IEEE Standards and their role
• IEEE 802.3 (Wired Ethernet Networks)
• IEEE 802.11 (Wireless LAN Standards)
• IEEE 802.1Q (Virtual LANs)
• The Institute of Electrical and Electronics Engineers (IEEE) is responsible for developing standards for new technologies, ensuring uniformity across vendors.
  • Example: Wi-Fi standards (IEEE 802.11) ensure different Wi-Fi devices can communicate with each other seamlessly.
IEEE 802.3 (Wired Ethernet Networks):
• IEEE 802.3 defines standards for wired Ethernet networks, outlining how devices should physically connect and transmit data over Ethernet cables.
  • Example: Most home and office networks use Ethernet cables and adhere to the IEEE 802.3 standard for wired communication.
IEEE 802.11 (Wireless LAN Standards):
• IEEE 802.11 defines standards for Wireless LANs (WLANs), commonly referred to as Wi-Fi.
• Over time, Wi-Fi standards have evolved, from 802.11 to 802.11a, b, g, n, ac, ad, and now 802.11ax (also known as Wi-Fi 6).
• The next standard, 802.11be (Wi-Fi 7), is expected by the end of 2024.
  • Example: Wi-Fi 6 (802.11ax) provides faster speeds and better performance in high-density environments, such as stadiums or offices.
IEEE 802.1Q (Virtual LANs - VLANs):
• IEEE 802.1Q defines the standards for Virtual Local Area Networks (VLANs).
• VLANs allow a physical network to be divided into multiple isolated virtual networks, enhancing security and reducing broadcast traffic.
  • Example: An organization might use VLANs to separate its HR department from its Finance department on the same physical network to reduce the chance of unauthorized access.

• IEEE sets the global standards for wired, wireless, and virtual networks.
• The IEEE 802.3 standard covers Ethernet-based wired networks, while IEEE 802.11 governs
wireless LAN (Wi-Fi) technology.
• IEEE 802.1Q is the standard for VLANs, which allow network segmentation for enhanced security
and efficiency.



Internet Protocol (IP)
• Definition and purpose of IP
• IPv4 overview
• IPv6 overview
• IPv4 vs. IPv6 comparison
• Internet Protocol (IP) is the primary protocol for addressing and routing packets of data, ensuring they travel across networks and reach the correct destination.
  • Example: When you send an email, IP ensures that the data packets are routed to the correct email server.
IPv4 Overview:
• IPv4 (Internet Protocol Version 4) uses a 32-bit address space, allowing for approximately 4.3 billion addresses.
• IPv4 Header: Contains multiple fields, with 32-bit source and destination IP addresses.
  • Example: An IPv4 address looks like 192.168.1.1 (four decimal numbers separated by dots).
• Limitation: Due to the rapid growth of the internet, the number of available IPv4 addresses became insufficient.
  • Solution: NAT (Network Address Translation) was introduced to extend IPv4 by allowing multiple devices to share a single public IP address.
IPv6 Overview:
• IPv6 (Internet Protocol Version 6) expands the address space to 128 bits, providing an almost infinite number of IP addresses (2^128).
  • Example: An IPv6 address looks like 2001:0db8:85a3:0000:0000:8a2e:0370:7334 (represented in hexadecimal format, separated by colons).
  • Benefits: Backward compatibility with IPv4, larger address space, and built-in support for IPsec (security).
  • Goal: Eventually, all networks will transition to IPv6, addressing the limitations of IPv4 and ensuring enough addresses for future growth.
• Reason for IPv6 Creation: IPv4's address space was insufficient for the growing number of devices connecting to the internet. IPv6 solves this issue by offering a vastly larger address space and enhanced features such as built-in security (IPsec).
Role of IPsec in IPv6:
• IPsec is a security protocol that provides encryption and authentication for data transmission. It is natively supported in IPv6, improving security for internet communications.
  • Example: IPsec ensures that data sent between two devices is encrypted, protecting it from unauthorized access.



Internet Protocol (IP)

• Definition and purpose of IP
• IPv4 overview
• IPv6 overview
• IPv4 vs. IPv6 comparison

Feature         | IPv4                   | IPv6
----------------|------------------------|------------------------------------------
Address Size    | 32-bit (4 bytes)       | 128-bit (16 bytes)
Address Space   | 4.3 billion (2^32)     | 340 undecillion (2^128)
Address Format  | Example: 192.168.1.1   | Example: 2001:0db8:85a3::8a2e:0370:7334
IPsec Support   | Supported              | Supported

• IP is the protocol responsible for addressing and routing data across networks. IPv4 uses a 32-bit
address space, limiting the number of available addresses.
• To solve this, IPv6 was developed, offering a 128-bit address space and built-in IPsec security.
While IPv6 adoption is increasing, NAT and other techniques continue to extend the life of IPv4.



Private IPv4 Addresses
• Definition and purpose of private IPv4 addresses
• Private vs. public IP addresses
• Non-routable nature of private IP addresses
• Private IPv4 address ranges (RFC 1918)
Definition and Purpose of Private IPv4 Addresses:
• Private IPv4 addresses are reserved for use within local area networks (LANs), such as those in corporate or home environments.
  • Example: Most home routers assign devices private IP addresses, like 192.168.0.1.
• Private IP addresses cannot be used on public networks like the internet.
Private vs. Public IP Addresses:
• Private IP addresses are used internally within organizations or homes and are non-routable on the internet.
  • Example: 192.168.0.1 is a private IP address used in home networks, while 8.8.8.8 (Google DNS) is a public IP address.
• Public IP addresses are globally unique and routable on the internet, whereas private IPs provide a layer of security by staying hidden from the public internet.
Non-Routable Nature of Private IP Addresses:
• Private IP addresses are non-routable, meaning they cannot be accessed directly over the internet.
• This security benefit ensures that devices on internal networks are isolated from public-facing internet traffic.
• Multiple organizations can use the same private IP range without conflict, as these addresses are only used internally.
  • Example: Two companies next door can both use the 192.168.1.0 range for their internal networks without any issues.
Private IPv4 Address Ranges (RFC 1918):
• RFC 1918 defines three ranges of private IPv4 addresses:
  • 10.0.0.0 – 10.255.255.255 (Large networks)
  • 172.16.0.0 – 172.31.255.255 (Medium-sized networks)
  • 192.168.0.0 – 192.168.255.255 (Small networks, commonly used in homes)
• These ranges should never be used on public networks (such as the internet), but are ideal for internal networking.

• Private IPv4 addresses are used for internal networks, providing non-routable IP
addresses that cannot be accessed from the internet, ensuring isolation and security.
They come in three main ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as
defined by RFC 1918.



Network Classes (Subnetting)
• Definition of subnetting
• Network inefficiencies without subnetting
• IP Address classes (A, B, C)
• Class D and Class E uses
• Maximum number of IP addresses per class
Definition of Subnetting:
• Subnetting allows the division of an IP address space into smaller, more manageable sub-networks. This helps optimize the network and minimize inefficiencies.
  • Example: A company may subnet their Class A IP range into multiple smaller networks, providing just the right number of IP addresses for each department.
Network Inefficiencies Without Subnetting:
• Without subnetting, networks would have a fixed number of addresses based on their class (A, B, or C).
• Class A would have 16+ million addresses, Class B would have 65,534, and Class C would have 254 addresses.
• This rigid structure could lead to inefficient use of IP addresses, security vulnerabilities, and administrative burden.
• Subnetting solves these issues by allowing the creation of smaller, logical networks that can better fit organizational needs.
IP Address Classes (A, B, C):
• Class A: Supports 16+ million IP addresses, typically used by large organizations or ISPs.
• Class B: Supports 65,534 IP addresses, generally used by medium-sized organizations.
• Class C: Supports 254 IP addresses, typically used in small networks like home or small business networks.
Class D and Class E Uses:
• Class D: Reserved for multicast addressing, which is used for broadcasting information to multiple hosts on a network.
• Class E: Reserved for experimental purposes and not used for normal networking.
Maximum Number of IP Addresses Per Class:
• Explanation: The difference between the total and usable addresses comes from the network address and broadcast address, which are reserved.

Class    | Exponent | Total Addresses | Usable Addresses
---------|----------|-----------------|-----------------
Class A  | 2^24     | 16,777,216      | 16,777,214
Class B  | 2^16     | 65,536          | 65,534
Class C  | 2^8      | 256             | 254

• Subnetting optimizes the allocation of IP addresses by breaking a larger network into smaller, more
manageable sub-networks.
• This addresses the inefficiencies and limitations of traditional Class A, B, and C networks, ensuring
that the right number of addresses is allocated.
• Class A networks are the largest, followed by Class B and Class C, while Class D is reserved for
multicast and Class E for experimentation.
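As an added example (not from the original notes) covering the addressing, private-range and class pages above: Python functions that classify an IPv4 address by its first octet, test it against the three RFC 1918 ranges, derive the total/usable counts in the table from the host bits, and carve a network into subnets. The sample addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 1918 private ranges, as listed in the notes.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Host bits per class, from which the total and usable counts follow.
CLASS_HOST_BITS = {"A": 24, "B": 16, "C": 8}

def ipv4_class(addr: str) -> str:
    """Classful letter from the first octet: A 0-127, B 128-191, C 192-223,
    D 224-239 (multicast), E 240-255 (experimental)."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"

def is_private(addr: str) -> bool:
    """True when the address falls in one of the three RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def class_capacity(cls: str) -> Optional[Tuple[int, int]]:
    """(total, usable) addresses for classes A-C; None for D and E."""
    bits = CLASS_HOST_BITS.get(cls)
    if bits is None:
        return None
    total = 2 ** bits
    return total, total - 2          # network and broadcast addresses are reserved

def subnet_summary(cidr: str) -> Dict[str, object]:
    """Network, broadcast and usable host count for one subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "usable_hosts": usable,
    }

def split_subnet(cidr: str, new_prefix: int) -> List[str]:
    """Divide one network into equal subnets of the given prefix length."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]

def describe(addr: str) -> Dict[str, object]:
    """Class, RFC 1918 status and classful capacity for one address."""
    cls = ipv4_class(addr)
    return {"class": cls, "private": is_private(addr), "capacity": class_capacity(cls)}

if __name__ == "__main__":
    # Constructed sample addresses.
    for a in ("10.1.2.3", "172.20.0.5", "192.168.1.254", "8.8.8.8", "224.0.0.1"):
        print(a, describe(a))
    print(subnet_summary("192.168.1.0/24"))
    print(split_subnet("192.168.1.0/24", 26))   # four /26 subnets of 62 hosts each
```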



Layer 4 – Transport Layer
• TCP and UDP overview
• TCP Three-Way Handshake
• Ports and Services
• Layer 4 Protocols
TCP and UDP Overview:
• TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two main protocols at Layer 4 of the OSI model, responsible for transporting data between devices.
• TCP provides reliable, ordered data transmission. It ensures that packets arrive in sequence, without loss or duplication.
  • Example: TCP is used for applications like file transfer (FTP) or email (SMTP), where data integrity is essential.
• UDP offers unreliable, unordered transmission. It is much faster than TCP but does not guarantee packet delivery or order.
  • Example: UDP is ideal for real-time applications like video streaming or online gaming, where speed is more important than guaranteed delivery.
• UDP is often referred to as a "send and pray" protocol due to its unreliable nature.
TCP Three-Way Handshake:
• TCP uses a three-way handshake to establish a reliable connection between two devices.
  • SYN: The sender initiates a connection with a SYN (synchronize) packet.
  • SYN-ACK: The receiver responds with SYN-ACK (synchronize-acknowledge), acknowledging the request.
  • ACK: The sender sends an ACK (acknowledge), confirming the connection.
• After this exchange, communication can begin, ensuring that both devices are ready to send and receive data.
Ports and Services:
• Ports represent specific services that provide unique functionalities on a network. Each service is associated with a port number.
  • Example: HTTP uses port 80, HTTPS uses port 443, and DNS uses port 53.
• Well-known ports: Ports numbered 0–1023 are reserved for commonly used services.
• Ephemeral ports: Ports numbered 1024–65535 are dynamic and often used for temporary client connections.
Layer 4 Protocols:
• TCP: Provides reliable, connection-oriented communication, ensuring data integrity by using flow control, error correction, and congestion control.
• UDP: Provides fast, connectionless communication, used where speed is more critical than reliability.
• SSL/TLS: Protocols used to secure TCP-based communications (like HTTPS), providing encryption for secure data transmission.

• Layer 4 (Transport Layer) manages the reliable and efficient transportation of data using TCP and
UDP protocols.
• TCP provides reliable, ordered communication, ensuring data integrity, while UDP offers faster,
unordered transmission, ideal for real-time applications.
• The TCP three-way handshake establishes reliable connections, and ports associate specific
network services with unique numbers.



TCP Three-Way Handshake
• Overview of TCP
• TCP Three-Way Handshake Steps
• SYN Flood Attack
• Mitigating SYN Flood Attacks
Overview of TCP:
• TCP (Transmission Control Protocol) is designed to provide reliable, ordered, and sequenced transmissions across networks. It ensures data integrity through mechanisms like error correction, flow control, and retransmission.
• This reliability comes with a performance cost, as TCP needs to establish a connection before data transmission.
TCP Three-Way Handshake Steps:
• Step 1: SYN (Synchronize)
  • Device A initiates the communication by sending a SYN request to Device B, along with a random session ID (e.g., 1000) to prevent session hijacking.
• Step 2: SYN-ACK (Synchronize-Acknowledge)
  • Device B acknowledges the request by sending back an ACK packet that increments the session ID by 1 (1001).
  • Device B also sends its own SYN request, with a new session ID (e.g., 2000), so the packet contains SYN-ACK flags.
• Step 3: ACK (Acknowledge)
  • Device A responds with an ACK packet that acknowledges the new session ID from Device B by incrementing it to 2001.
• The three steps—SYN, SYN-ACK, ACK—complete the connection process, establishing a full-duplex communication channel for reliable two-way data transmission.
SYN Flood Attack:
• In a SYN flood attack, the attacker sends many SYN requests to overwhelm the server's connection queue.
  • The server tries to send ACK packets for each request, but if the requests flood in too quickly, the server's connection queue fills up, leading to potential crashes or denial of service.
Mitigating SYN Flood Attacks:
• To prevent SYN floods, organizations can offload the handling of SYN requests to specialized hardware or SYN proxies at the Application layer.
  • The SYN proxy can intelligently filter out malicious SYN requests and drop them before they affect the system.

• The TCP three-way handshake is essential for establishing reliable connections between devices
using SYN, SYN-ACK, and ACK.
• Although TCP ensures ordered and sequenced communication, it is vulnerable to SYN flood
attacks, which can overwhelm servers by filling up connection queues.
• Implementing SYN proxies can help mitigate these attacks by handling incoming SYN requests
intelligently.
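As an added example (not from the original notes), a Python model of the handshake above using the 1000/1001 and 2000/2001 numbers, a bounded half-open queue that a burst of unanswered SYNs exhausts, and a SYN proxy that answers each SYN with a stateless cookie so that only completed handshakes reach the server. The Server and SynProxy classes, queue size, secret and client names are constructed; SYN cookies are one way a SYN proxy can be built, not a detail the notes specify.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

Segment = Tuple[str, int, int]   # (flags, seq, ack): a constructed stand-in for a TCP header

class Server:
    """Listening host with a finite queue of half-open (SYN received, no ACK yet) connections."""
    def __init__(self, backlog: int, first_isn: int = 2000):
        self.backlog = backlog
        self.next_isn = first_isn      # fixed for the demo; real stacks randomise the ISN
        self.half_open: Dict[str, Tuple[int, int]] = {}    # client -> (client_isn, server_isn)
        self.established: Dict[str, Tuple[int, int]] = {}
        self.dropped_syns = 0

    def on_syn(self, client: str, seq: int) -> Optional[Segment]:
        if len(self.half_open) >= self.backlog:   # queue full: the SYN flood condition
            self.dropped_syns += 1
            return None
        isn = self.next_isn
        self.next_isn += 1
        self.half_open[client] = (seq, isn)
        return ("SYN-ACK", isn, seq + 1)           # ack = client ISN + 1 (1000 -> 1001)

    def on_ack(self, client: str, ack: int) -> bool:
        entry = self.half_open.get(client)
        if entry is None or ack != entry[1] + 1:   # must acknowledge server ISN + 1 (2000 -> 2001)
            return False
        del self.half_open[client]
        self.established[client] = entry
        return True

def handshake(server: Server, client: str, isn: int) -> bool:
    """Well-behaved client: SYN, receive SYN-ACK, reply with ACK."""
    synack = server.on_syn(client, isn)
    if synack is None:
        return False
    _, server_isn, _ = synack
    return server.on_ack(client, server_isn + 1)

class SynProxy:
    """Answers SYNs itself with a cookie-derived ISN and stores nothing per SYN.
    Only a client that returns the matching ACK causes a real connection on the server."""
    def __init__(self, server: Server, secret: bytes):
        self.server = server
        self.secret = secret

    def _cookie(self, client: str, client_isn: int) -> int:
        msg = f"{client}:{client_isn}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, client: str, seq: int) -> Segment:
        return ("SYN-ACK", self._cookie(client, seq), seq + 1)   # no state kept

    def on_ack(self, client: str, client_isn: int, ack: int) -> bool:
        if ack != self._cookie(client, client_isn) + 1:
            return False                          # forged or stale ACK: dropped
        return handshake(self.server, client, client_isn)   # now open the real connection

def flood_unprotected(backlog: int, flood_syns: int) -> Tuple[int, bool]:
    """(SYNs the server had to drop, whether a legitimate client could still connect)."""
    srv = Server(backlog)
    for i in range(flood_syns):
        srv.on_syn(f"spoofed-{i}", 1000 + i)     # never acknowledged: the queue fills up
    legit_ok = handshake(srv, "alice", 1000)
    return srv.dropped_syns, legit_ok

def flood_with_proxy(backlog: int, flood_syns: int) -> Tuple[int, int, bool]:
    """(server half-open entries, server established connections, legitimate client connected)."""
    srv = Server(backlog)
    proxy = SynProxy(srv, b"constructed-demo-secret")
    for i in range(flood_syns):
        proxy.on_syn(f"spoofed-{i}", 1000 + i)   # answered by the proxy, never reaches srv
    _, cookie, _ = proxy.on_syn("alice", 1000)
    legit_ok = proxy.on_ack("alice", 1000, cookie + 1)
    return len(srv.half_open), len(srv.established), legit_ok

if __name__ == "__main__":
    print("unprotected:", flood_unprotected(backlog=128, flood_syns=10_000))
    print("with proxy: ", flood_with_proxy(backlog=128, flood_syns=10_000))
```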



Ports and Layer 4 Protocols
• Ports and Services
• Commonly Used Ports
• Hardening and Securing Ports
• Port Classes
• Layer 4 Protocols: TCP, UDP, SSL/TLS
Ports and Services:
• Ports equate to services, which are small applications providing specific functionality (e.g., HTTP, SSH, etc.).
• Each service is associated with a port number, and some are frequently used, while others are rarely accessed.
  • Example: HTTP uses port 80 by default.
Commonly Used Ports:
• FTP (File Transfer Protocol):
  • Port 20 (data transfer)
  • Port 21 (control)
• SSH (Secure Shell):
  • Port 22 for secure remote login.
• Telnet:
  • Port 23 for remote command line access.
• SMTP (Simple Mail Transfer Protocol):
  • Port 25 for sending emails.
• HTTP:
  • Port 80 for web traffic.
• HTTPS (Secure HTTP):
  • Port 443 for secure web traffic.
Hardening and Securing Ports:
• If a service is not needed, close the associated port to prevent potential abuse by attackers.
• Use packet filtering to block traffic targeting these ports in the header.
• Hardening involves disabling unnecessary services, blocking dangerous ports, and applying patches to fix known vulnerabilities.
  • Example: Instead of HTTP, use HTTPS to encrypt web traffic.
Port Classes:
• Well-Known Ports (0-1023): Used for widely known services like HTTP, SMTP, and DNS.
• Registered Ports (1024-49151): Assigned by IANA for specific services, like UDP 4244 used by Viber (VoIP).
• Dynamic/Private Ports (49152-65535): Used by applications and services for temporary communication.
  • Example: When initiating a connection, a source port like 52,367 might be dynamically assigned.

• Ports act as gateways for various services, and securing them (via hardening techniques like closing
unnecessary ports or using encryption protocols) is crucial.
• Layer 4 protocols—TCP (reliable) and UDP (fast, unreliable)—play key roles in data transport, while
SSL/TLS ensures secure communication over the Internet.



Ports and Layer 4 Protocols
• Ports and Services
• Commonly Used Ports
• Hardening and Securing Ports
• Port Classes
• Layer 4 Protocols: TCP, UDP, SSL/TLS
Layer 4 Protocols:
• TCP (Transmission Control Protocol):
  • Provides reliable, ordered, connection-oriented communication, ensuring data is delivered correctly.
  • Example: TCP three-way handshake (SYN, SYN-ACK, ACK) establishes a reliable connection.
• UDP (User Datagram Protocol):
  • Provides unreliable, fast, connectionless transmission, often called "send and pray" because no guarantees of delivery exist.
  • Used in scenarios where speed is critical, like streaming or DNS requests.
• SSL/TLS (Secure Socket Layer / Transport Layer Security):
  • SSL/TLS protocols secure communications, such as between a web browser and a web server.
  • TLS is the modern, more secure version of SSL and is widely used for encrypted connections across the Internet.



Layer 5 - Session Layer
• Role of the Session Layer
• Responsibilities of Layer 5
• Layer 5 Protocols: PAP, CHAP, EAP, NetBIOS, RPC
• Layer 5 Devices: Circuit Proxy Firewall (Circuit Level Gateway)
Role of the Session Layer:
• The Session layer (Layer 5) is responsible for establishing, maintaining, synchronizing, and tearing down connections between applications on different devices.
• It ensures smooth communication by creating and maintaining a logical connection between processes on end hosts.
Responsibilities of Layer 5:
• Interhost communication: Manages dialogue between two devices in a network.
• Identification and authentication: Ensures that appropriate security processes (like authentication) are applied during connection establishment.
Layer 5 Protocols:
• PAP (Password Authentication Protocol):
  • A basic protocol that transmits passwords in plaintext for authentication.
  • Weak security as it doesn't prompt for password changes or encryption.
• CHAP (Challenge Handshake Authentication Protocol):
  • Provides encrypted transmission and regular challenges to validate the authenticity of a session.
  • More secure than PAP but still used in conjunction with other protocols for additional security.
• EAP (Extensible Authentication Protocol):
  • Extensible and flexible, allowing vendors to incorporate smart keys and digital certificates for authentication.
  • Used in wireless network security protocols (e.g., WPA2) for connecting to secure networks and authenticating users.
• NetBIOS (Network Basic Input/Output System):
  • A legacy protocol enabling communication between devices in a local network, often used to access file shares and printers.
• RPC (Remote Procedure Call):
  • Allows execution of procedures and processes across a network between clients and servers.
  • Facilitates communication and task execution remotely.
Layer 5 Devices:
• Circuit Proxy Firewall (Circuit Level Gateway):
  • Provides security by establishing sessions for applications and controlling access based on session-level data.
  • Primarily used to monitor connections and ensure they are valid before data transfer occurs.

• The Session layer is crucial for managing connections and communication between hosts,
providing mechanisms for authentication and ensuring secure, reliable dialogues between
processes.
• Key protocols like PAP, CHAP, EAP, NetBIOS, and RPC provide authentication and communication
services. Circuit proxy firewalls secure sessions at this layer.
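As an added example (not from the original notes), a Python model of what crosses the wire under PAP versus CHAP: PAP carries the password itself, while the CHAP response is computed as in RFC 1994 (MD5 over identifier, secret, challenge), so the secret stays at both ends and a captured response fails against a fresh challenge. Peer names, secrets and the challenge/response records are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed credential store that both ends share (peer -> secret).
SECRETS: Dict[str, bytes] = {"alice": b"correct horse battery staple"}

# --- PAP: the Authenticate-Request carries the password in plaintext ---------
def pap_request(peer: str, password: bytes) -> Tuple[str, bytes]:
    return peer, password                       # exactly what an eavesdropper would see

def pap_verify(request: Tuple[str, bytes]) -> bool:
    peer, password = request
    return SECRETS.get(peer) == password

# --- CHAP: challenge/response; only a one-way hash crosses the wire -----------
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5 over the identifier octet, the secret, then the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    def __init__(self):
        self.outstanding: Dict[str, Tuple[int, bytes]] = {}   # peer -> (identifier, challenge)
        self.identifier = 0

    def challenge(self, peer: str) -> Tuple[int, bytes]:
        """Issue a fresh random challenge; the identifier changes with every challenge."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[peer] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        entry = self.outstanding.pop(peer, None)    # each challenge is usable once
        if entry is None or entry[0] != identifier or peer not in SECRETS:
            return False
        expected = chap_response(identifier, SECRETS[peer], entry[1])
        return hmac.compare_digest(expected, response)

def chap_peer_answer(peer: str, identifier: int, challenge: bytes) -> bytes:
    """What the peer computes from its own copy of the secret."""
    return chap_response(identifier, SECRETS[peer], challenge)

def run_pap_session() -> Dict[str, bool]:
    req = pap_request("alice", SECRETS["alice"])
    return {"accepted": pap_verify(req), "secret_on_wire": req[1] == SECRETS["alice"]}

def run_chap_session() -> Dict[str, bool]:
    """Genuine exchange, then an attempted replay of the captured response."""
    auth = ChapAuthenticator()
    ident, chal = auth.challenge("alice")
    wire_response = chap_peer_answer("alice", ident, chal)   # what a sniffer would capture
    genuine = auth.verify("alice", ident, wire_response)
    # A new session gets a new challenge; replaying the old response must fail.
    ident2, _ = auth.challenge("alice")
    replayed = auth.verify("alice", ident2, wire_response)
    return {
        "genuine_accepted": genuine,
        "replay_accepted": replayed,
        "secret_on_wire": SECRETS["alice"] in wire_response,
    }

if __name__ == "__main__":
    print("PAP :", run_pap_session())
    print("CHAP:", run_chap_session())
```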



Layer 5 Devices - Circuit Proxy Firewall
• Role of Circuit Proxy Firewalls
• How Circuit Proxy Firewalls Operate
• Benefits of Circuit Proxy Firewalls
• Comparison with Application Layer Firewalls
Role of Circuit Proxy Firewalls:
• Circuit proxy firewalls, also known as circuit level gateways, are Session layer (Layer 5) security devices.
• They focus on monitoring TCP sessions rather than inspecting individual data packets like firewalls at other layers.
How Circuit Proxy Firewalls Operate:
• These firewalls inspect and track TCP handshakes to ensure a legitimate connection is established before allowing data to flow.
• Unlike Application layer firewalls, circuit proxy firewalls do not analyze the content of the traffic but instead manage the session between hosts.
Benefits of Circuit Proxy Firewalls:
• Provide anonymity and protection for internal networks by hiding internal IP addresses through Network Address Translation (NAT).
• Outgoing traffic from the internal network appears as though it originates from the gateway's IP address, enhancing security by masking internal details.
• They enhance security by ensuring that only legitimate connections are established, helping to prevent unauthorized access.
Comparison with Application Layer Firewalls:
• Circuit proxy firewalls do not filter or inspect individual packets, while Application layer firewalls analyze traffic in detail, including content inspection.
• Circuit proxy firewalls are simpler and faster due to their focus on managing sessions rather than filtering content, making them more efficient in certain scenarios.

• Circuit proxy firewalls at the Session layer focus on securing TCP sessions by managing the
connection's handshake process.
• They offer anonymity and protect internal networks via NAT, ensuring that only legitimate traffic
passes through while hiding internal details from external users.



Layer 6 - Presentation Layer
• Purpose of the Presentation Layer
• Key Functions of Layer 6
• Codecs and Malware Risks
• Importance of Content Distribution Networks (CDNs)
Purpose of the Presentation Layer:
• Layer 6 is responsible for formatting and encrypting data for end users.
• Ensures that the data exchanged between applications has compatible syntax.
• Prepares data for the Application layer (Layer 7) by focusing on how information is represented visually and in other formats.
Key Functions of Layer 6:
• Translation: Converts data from one format to another to ensure compatibility across different systems.
• Encryption/Decryption: Secures data through encryption for transmission and ensures it can be decrypted on the other end.
• Compression/Decompression: Reduces file sizes for transmission and restores them to their original size on the receiving end to save bandwidth and speed up data exchange.
Codecs and Malware Risks:
• Codecs are small programs that allow users to play different types of multimedia (e.g., video or audio files).
• Codecs are used to handle the compression and decompression of media files, reducing their size for efficient transmission.
• Security risks: Users often download codecs to enable video playback, but malware writers frequently disguise malicious software as codecs, posing a threat.
Importance of Content Distribution Networks (CDNs):
• CDNs are networks of servers located globally to deliver content (e.g., videos) efficiently to users.
• Role of CDNs: Helps reduce latency and improve speed by hosting media files closer to users.
• CDNs manage the distribution of large media files, overcoming the limitations of individual codecs by streamlining the delivery of content such as YouTube videos.

• The Presentation layer focuses on the formatting, encryption, and compression of data to ensure
compatibility for exchange between applications.
• Codecs are essential for handling media compression but pose malware risks.
• Content Distribution Networks (CDNs) mitigate these risks by optimizing the delivery of large
media files globally.



Layer 7 - Application Layer
• Purpose and Function of the Application Layer
• Key Functions of Layer 7
• Security Concerns at Layer 7
• Common Layer 7 Protocols
• Layer 7 Devices
Purpose and Function of the Application Layer:
• Layer 7 provides the user interface through which users gain access to communication services and applications.
• It is the topmost layer of the OSI model, where applications interact with the network.
• Most functionality is embedded in this layer, making it the most vulnerable to attacks and breaches.
Key Functions of Layer 7:
• Provides end-to-end encryption and access control to secure communications.
• Facilitates data exchange between applications across networks, including web browsers, email clients, and other services.
• Handles high-level protocols that end users interact with, such as HTTP, FTP, and DNS.
Security Concerns at Layer 7:
• As the layer with the most user interaction, it is also where the majority of security breaches occur, including code injection attacks, DoS attacks, and data breaches.
• Due to the complexity and vast amounts of application code, vulnerabilities are often exploited by attackers.
• Application security measures (e.g., secure coding, input validation, and patch management) are critical to protect against these vulnerabilities.
Common Layer 7 Protocols:
• HTTP/S (Hypertext Transfer Protocol/Secure): Used for web traffic, with HTTPS providing encrypted communication.
• FTP (File Transfer Protocol): Used for transferring files between systems.
• DNS (Domain Name System): Translates domain names into IP addresses.
• Telnet and SSH: Used for remote command-line access; SSH is the secure version of Telnet.
• SMTP (Simple Mail Transfer Protocol): Used for sending emails.
• SNMP (Simple Network Management Protocol): Used for managing network devices.
Layer 7 Devices:
• Gateways: Devices that manage communication between different networks, converting data between protocols if necessary.
• Application firewalls: Advanced firewalls that inspect traffic at the application level, blocking or allowing traffic based on the content of the data (e.g., web content or specific applications).

• The Application layer (Layer 7) provides the user interface for communication services and handles
most application-level protocols.
• It is the most vulnerable layer due to the significant amount of application code involved, making it
a prime target for security breaches and attacks.
• End-to-end encryption, access control, and application firewalls are crucial for securing Layer 7
interactions.



Layer 7 Protocols
• HTTP vs. HTTPS
• FTP vs. FTPS vs. TFTP
• DNS and DNSSEC
• Telnet vs. SSH
• SMTP and POP3
• SNMP and its versions
HTTP/S (Hypertext Transfer Protocol)
• HTTP (port 80): The primary protocol used for web communication between browsers and servers.
• HTTPS (port 443): Secure version of HTTP that uses SSL/TLS for encrypting traffic, ensuring secure communication over the internet. HTTPS protects against interception and tampering.
FTP/FTPS/TFTP (File Transfer Protocols)
• FTP (ports 20 and 21): Used for file transfers, but is insecure due to the lack of encryption.
• FTPS/SFTP (port 22): A more secure version of FTP, using SSH to protect file transfer processes.
• TFTP (port 69): A simplified version of FTP, highly insecure, typically disabled in corporate environments due to lack of security mechanisms.
DNS/DNSSEC (Domain Name System)
• DNS (port 53): Maps domain names to IP addresses, enabling communication between devices on the internet.
• DNSSEC: Adds security to DNS by protecting the integrity and authenticity of DNS data, preventing spoofing attacks.
Telnet
• Telnet (port 23): A protocol for remote terminal access, but insecure as it transmits data in plaintext.
• Best practice is to use SSH for secure remote connections instead of Telnet.
SSH (Secure Shell)
• SSH (port 22): Provides a secure way to access remote computers, using public-key cryptography to encrypt data. Commonly used for secure login, command execution, and file transfers on remote servers.
SMTP/POP3 (Email Protocols)
• SMTP (port 25): Used for sending emails from client to server.
• POP3 (port 110): Used for receiving emails, allowing users to download messages from a server.
SNMP (Simple Network Management Protocol)
• SNMP (ports 161 and 162): Used for network device management, helping administrators monitor and manage devices.
• SNMPv1 and v2: Vulnerable to security risks.
• SNMPv3: The latest version, offering enhanced security features such as encryption and authentication.

• Layer 7 protocols are critical for communication, file transfer, email, and network management.
HTTPS and SSH provide secure alternatives to their insecure counterparts (HTTP, Telnet).
• SNMPv3 and DNSSEC are important advancements in securing network management and domain
name systems, respectively.



Layer 7 Devices
• Gateways
• Application-Proxy Firewalls

Gateways
• Definition: A gateway serves as a connection between two different networks or domains.
• Function: Gateways facilitate communication and data exchange between networks that may use different protocols or structures, ensuring seamless connectivity.
Application-Proxy Firewalls
• Definition: A type of firewall that operates at Layer 7 of the OSI model, providing sophisticated filtering based on application-level data.
• Capabilities: These firewalls are capable of inspecting the entire payload of packets, making intelligent decisions based on application-specific content.
• Security Features: Application-proxy firewalls can block or allow traffic based on detailed parameters such as content, headers, and even user authentication.
• Performance Consideration: Due to the complexity of inspection and filtering, these firewalls require more processing power and tend to be slower than firewalls operating at lower layers, such as Layer 3 or Layer 4 firewalls.

• Layer 7 devices, such as gateways and application-proxy firewalls, provide advanced security and
connectivity solutions.
• Gateways connect different networks, while application-proxy firewalls filter traffic based on
application-level data, ensuring detailed, content-aware protection.



Network Administrator
• Definition of a Network Administrator
• Responsibilities of a Network Administrator
• Key Areas of Focus

Definition
• A network administrator is often synonymous with a system administrator, though the roles may slightly differ depending on the organization.
• Typically part of the IT department, a network administrator focuses on technical management of a network and ensures smooth and secure operations.
Responsibilities
• Network Configuration: Ensure that the network infrastructure, such as servers, routers, switches, and endpoints (desktops, laptops, mobile devices), is properly configured for security and performance.
• Patch Management: Apply necessary patches and software updates to protect the network and systems from known vulnerabilities.
• Vulnerability Management: Regularly scan and assess the network for vulnerabilities and mitigate or fix identified issues to enhance network security.
CIA Triad Support
• The Confidentiality, Integrity, and Availability (CIA) triad is the cornerstone of security. Network administrators work to ensure that:
  • Confidentiality is maintained through access control and encryption,
  • Integrity is preserved by ensuring correct data transmission and preventing unauthorized modifications, and
  • Availability is upheld by keeping the network running with minimal downtime.

• Network administrators are responsible for the configuration, patching, and vulnerability
management of network resources.
• They play a key role in maintaining the CIA triad and ensuring the security and smooth operation of
an organization's network.



Convergence and VoIP
• Definition of IP Convergence
• Importance of Converged Protocols
• Common Converged Protocols
• VoIP and Security Concerns
• Common VoIP Protocols

IP Convergence
• IP convergence refers to the capability of modern data networks to carry multiple types of traffic, including data, voice, multimedia, and others.
• This involves supporting different types of traffic, such as SCADA systems and IP telephony protocols (e.g., H.323 and SIP).
• Adding this functionality introduces vulnerabilities and potential security concerns due to the lack of built-in security in data networks.
Common Converged Protocols
• Fibre Channel over Ethernet (FCoE): Allows Fibre Channel protocol traffic to be encapsulated and carried over Ethernet networks.
• Internet Small Computer Systems Interface (iSCSI): Enables SCSI commands to be carried over IP networks, often used in storage and backup systems.
• Voice over Internet Protocol (VoIP): Enables voice communications over IP networks instead of traditional phone lines. Protocols like H.323 and SIP are used.
VoIP Security Concerns
• VoIP introduces security challenges due to its transmission over IP networks, which lack native security.
• Common VoIP attacks include eavesdropping, denial-of-service (DoS) attacks, and phishing via VoIP channels (vishing).
• Encryption (e.g., using SRTP) helps protect voice communications but may add latency.
Common VoIP Protocols
1. Secure Real-time Transport Protocol (SRTP):
   1. Provides encryption, authentication, integrity, and replay attack protection for streaming voice and video over IP.
   2. Optimizes bandwidth and has low resource requirements. Described in RFC 3711.
2. Session Initiation Protocol (SIP):
   1. Handles the initiation, maintenance, and termination of VoIP sessions.
   2. Also supports direct connections between PBX systems and public telephony networks.
Other Related Terms
• PBX (Private Branch Exchange): A private telephone network for internal communications within an organization.
• PSTN (Public Switched Telephone Network): The traditional copper-wire telephone network.
• InfiniBand: A protocol designed for fast memory access across networks, often used in machine learning.
• Compute Express Link: A protocol for high-speed connections between CPUs and devices.

• IP Convergence enables data networks to carry multiple types of traffic, including voice and
multimedia.
• Converged protocols like VoIP, FCoE, and iSCSI have specific uses, but they also bring security
risks.
• VoIP is especially vulnerable and requires protocols like SRTP and SIP to ensure secure
communication.



Vishing
• Definition of Vishing
• Attack Methods
• Difference Between Vishing and Smishing

Vishing Definition
• Vishing (Voice Phishing) is a form of phishing where the attacker uses VoIP to impersonate a known entity (e.g., bank, government agency) to deceive the victim into sharing sensitive information.
• Attackers often spoof familiar phone numbers, making their calls seem legitimate.
Vishing Attack Methods
• Common tactics include pretending to be from a financial institution, tech support, or other trusted organizations.
• The goal is to extract information (e.g., credit card details, passwords) or manipulate the victim into taking harmful actions, such as visiting a malicious website or making a payment.
Difference Between Vishing and Smishing
• Vishing: The attacker calls the victim, using social engineering to manipulate them into giving away personal information or completing an action (e.g., clicking a fraudulent link).
• Smishing: The attacker uses SMS messages to lure the victim into revealing sensitive information by clicking a link or responding to a message.

• Vishing is a voice-based phishing attack that manipulates victims through spoofed phone calls,
while smishing uses text messages to achieve similar goals.
• Both forms of phishing rely on social engineering to deceive and steal information from
unsuspecting individuals.



Network Security Attacks
• Network Attack Phases
• Passive vs. Active Attacks
• SYN Scanning and SYN Flooding
• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
• Man-in-the-Middle Attacks
• Spoofing and Masquerading
• ARP Poisoning
• ARP Tables

Network Attack Phases
• Reconnaissance: Gathering information about the target (IP ranges, services, OS, etc.). Limiting publicly available information can hinder this phase.
• Enumeration: Attacker scans for open ports and services, and attempts to find active accounts.
• Vulnerability Analysis: Attackers search for weaknesses to exploit. Organizations should run regular vulnerability scans to mitigate this risk.
• Exploitation: The attacker uses the identified vulnerabilities to execute the attack. Detection mechanisms can help identify this stage.
Passive vs. Active Attacks
• Passive Attacks: The attacker does not alter the target’s environment (e.g., traffic monitoring).
• Active Attacks: The attacker engages with the target to alter systems or data (e.g., SYN flooding or DoS attacks).
SYN Scanning
• A type of active attack that manipulates the TCP three-way handshake to identify open services on a target machine.
SYN Flooding
• A Denial-of-Service (DoS) attack where multiple SYN requests are sent to the target to exhaust resources and cause a crash.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
• DoS: One machine disrupts a target’s functionality by overwhelming it with requests.
• DDoS: Multiple machines coordinate to overwhelm a target’s resources, making defense harder.
Man-in-the-Middle Attack (MitM)
• Occurs when an attacker intercepts and potentially alters communication between two parties without their knowledge.
Spoofing and Masquerading
• Spoofing/Masquerading: An attacker pretends to be someone or something else to deceive a system (e.g., IP spoofing).
ARP Poisoning
• An attacker alters their ARP table to redirect traffic meant for another device to their own.
• ARP Tables map IP addresses to MAC addresses, and every device on a network maintains an ARP table.

• Network security attacks follow phases similar to network assessments but differ during the
exploitation phase. Attacks can be passive (e.g., eavesdropping) or active (e.g., SYN flooding).
• Understanding the difference between types of attacks (DoS, DDoS, MitM, ARP poisoning) is crucial
for implementing detection and preventative measures to protect against network threats.



Passively Eavesdropping
• Passive Attacks
• Eavesdropping
• Network Sniffing

Passive Attacks
• In passive attacks, the attacker does not alter the environment or data. The target is unaware of the attack, as no visible impact is observed.
Eavesdropping
• Eavesdropping involves silently intercepting and reviewing data meant for others without altering it.
• Often the first stage of a broader attack, the information collected can later be used in an exploitation phase.
Network Sniffing
• Sniffing is another term for passively monitoring network traffic.
• The attacker captures data traveling across the network (e.g., unencrypted emails, login credentials, or other sensitive information).
• Sniffing tools can be used to intercept this traffic without leaving a trace.

• Passive eavesdropping is a form of attack where the attacker listens to or monitors traffic without
changing it.
• This is also known as network sniffing and is difficult to detect, making it highly effective for
gathering sensitive information that could be used later in an active attack.



Actively Scanning
• Active Attacks
• SYN Scanning
• SYN Flooding
• Tools (e.g., Nmap)
• Stealth Scan / Half-Open Scan

Active Attacks
• Active attacks alter the target system or network traffic, unlike passive attacks. The target is often alerted as it involves interaction with the target system.
• Examples include masquerading and denial-of-service (DoS) attacks.
SYN Scanning
• SYN scanning is used to determine if a port is open or closed by sending SYN packets.
• Tools like Nmap can perform SYN scanning, where the following steps occur:
  • Client sends a SYN packet to a specific port (e.g., port 80).
  • Target machine responds:
    • If the port is open, the target replies with a SYN-ACK (synchronization-acknowledge) packet, and the client responds with ACK, completing the connection.
    • If the port is closed, the target responds with a RST (reset) packet, terminating the session.
• Stealth Scan / Half-Open Scan: The attacker can perform a stealth scan by not sending the final ACK packet, using a RST packet instead. This leaves the connection half-open and avoids detection.
SYN Flooding
• SYN flooding is a form of denial-of-service attack that abuses the TCP three-way handshake by sending multiple SYN requests to a target machine.
• The target system becomes overwhelmed with SYN requests, causing it to exhaust resources, potentially leading to a crash or unresponsiveness.

• SYN scanning is an active scanning technique used to discover open or closed ports.
• It manipulates the normal three-way handshake, and attackers can use stealth scanning to avoid
detection.
• SYN flooding is a type of DoS attack that overwhelms a target by sending multiple SYN requests,
consuming its resources.



SYN Flooding
• SYN Flooding Attack
• Impact on System Resources
• Three-Way Handshake Abuse
• Preventing SYN Flood Attacks
• Role of Proxy, Firewall, IPS

SYN Flooding Attack
• SYN flooding exploits the TCP three-way handshake mechanism, where multiple SYN requests are sent rapidly to overwhelm a target machine.
• The target responds with SYN-ACK packets, assuming these are legitimate connection requests.
• As the number of SYN requests increases, the target machine's connection table becomes filled with incomplete connections, unable to handle new requests.
Impact on System Resources
• With many half-open connections, system resources such as memory and processing power become exhausted.
• The machine's performance degrades, leading to slow response times, or it may crash entirely or become unresponsive.
Three-Way Handshake Abuse
• SYN flooding is an active attack as it disrupts the normal functioning of the target system by exhausting resources and causing a denial of service (DoS).
• The attack leverages the first step of the three-way TCP handshake by sending SYN requests but never completing the process with an ACK, leaving connections in a half-open state.
Preventing SYN Flood Attacks
• Proxy servers can help prevent SYN flooding attacks by intercepting SYN requests and determining if they are legitimate before passing them on to the target system.
• Firewalls and Intrusion Prevention Systems (IPS) are also effective at detecting and blocking SYN flood traffic, preventing the attack from overwhelming the target system.

• SYN flooding attacks abuse the TCP three-way handshake by overwhelming a target with SYN
requests, consuming system resources, and potentially causing a denial of service.
• Proxies, firewalls, and IPS devices are effective at detecting and mitigating SYN flood attacks.
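The handshake states described here and in the preceding Actively Scanning notes can be checked mechanically from the defender's side. The following Python is an added example, not part of the original notes: it replays constructed TCP flag events through a minimal connection tracker and reports the half-open backlog a SYN flood leaves on a server and the many-ports-from-one-client footprint of a SYN scan. Addresses and thresholds are made up for the demonstration.

```python
from collections import defaultdict

# Thresholds are constructed for this example, not taken from any product.
HALF_OPEN_THRESHOLD = 5   # pending handshakes on one server before we call it a flood
SCAN_PORT_THRESHOLD = 4   # distinct ports one client SYNs before we call it a scan


def connection_key(src, dst, sport, dport, flags):
    """Normalise a packet to its connection key (client, server, server_port).
    A SYN-ACK is always sent by the server, so its source port is the server
    port; client-sent SYN, ACK and RST carry the server port as dport. A RST
    the server sends for a closed port maps to a key that was never pending
    and is simply ignored."""
    if flags == "SA":
        return (dst, src, sport)
    return (src, dst, dport)


def replay(events):
    """Replay (src, dst, sport, dport, flags) tuples through a minimal state
    tracker. Flags: S=SYN, SA=SYN-ACK, A=ACK, R=RST.
    Returns (half_open, syn_ports):
      half_open: connection keys where a SYN-ACK went out but no ACK or RST
                 followed, i.e. the server-side backlog a SYN flood fills
      syn_ports: client -> set of server ports it sent a SYN to"""
    half_open = set()
    syn_ports = defaultdict(set)
    for src, dst, sport, dport, flags in events:
        key = connection_key(src, dst, sport, dport, flags)
        if flags == "S":
            syn_ports[src].add(dport)
        elif flags == "SA":
            half_open.add(key)        # handshake now pending on the server
        elif flags in ("A", "R"):
            half_open.discard(key)    # completed (ACK) or torn down (RST)
    return half_open, syn_ports


def detect_syn_flood(half_open, threshold=HALF_OPEN_THRESHOLD):
    """Return {server: (pending_handshakes, distinct_clients)} for servers
    whose half-open backlog reaches the threshold. Many distinct clients that
    never finish the handshake is the classic spoofed-source flood."""
    pending = defaultdict(int)
    clients = defaultdict(set)
    for client, server, _port in half_open:
        pending[server] += 1
        clients[server].add(client)
    return {s: (n, len(clients[s])) for s, n in pending.items() if n >= threshold}


def detect_syn_scan(syn_ports, threshold=SCAN_PORT_THRESHOLD):
    """Return {client: sorted ports} for clients that sent SYNs to at least
    `threshold` distinct ports: the footprint of a port sweep, whether the
    client finishes each handshake or aborts it with RST (half-open scan)."""
    return {c: sorted(p) for c, p in syn_ports.items() if len(p) >= threshold}


def sample_events():
    """Constructed traffic using RFC 5737 documentation addresses."""
    events = []
    flood_target = "198.51.100.10"
    # Ten sources SYN port 443, the server answers SYN-ACK, no ACK ever arrives.
    for i in range(10):
        client = f"203.0.113.{i + 1}"
        events.append((client, flood_target, 40000 + i, 443, "S"))
        events.append((flood_target, client, 443, 40000 + i, "SA"))
    scanner, target = "192.0.2.7", "198.51.100.20"
    # Half-open probes of three open ports: SYN, SYN-ACK, then RST instead of ACK.
    for n, port in enumerate((22, 80, 443)):
        events.append((scanner, target, 50000 + n, port, "S"))
        events.append((target, scanner, port, 50000 + n, "SA"))
        events.append((scanner, target, 50000 + n, port, "R"))
    # Probe of a closed port: the server itself answers with RST.
    events.append((scanner, target, 50003, 8080, "S"))
    events.append((target, scanner, 8080, 50003, "R"))
    # One ordinary client completing a full handshake.
    events.append(("192.0.2.9", target, 51000, 443, "S"))
    events.append((target, "192.0.2.9", 443, 51000, "SA"))
    events.append(("192.0.2.9", target, 51000, 443, "A"))
    return events


def analyse(events=None):
    half_open, syn_ports = replay(sample_events() if events is None else events)
    return detect_syn_flood(half_open), detect_syn_scan(syn_ports)


if __name__ == "__main__":
    flood, scan = analyse()
    print("SYN flood backlog:", flood)   # {'198.51.100.10': (10, 10)}
    print("Port sweep:", scan)           # {'192.0.2.7': [22, 80, 443, 8080]}
```

The completed handshake from 192.0.2.9 and the scanner's RST-aborted probes both leave the backlog, which is why only the ten never-acknowledged entries remain.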



IP-Based Attacks
• Overlapping Fragment Attacks
• Teardrop Attack
• IP Spoofing
• Smurf Attack
• Fraggle Attack

Overlapping Fragment Attacks
• Attackers send overlapping fragments that attempt to bypass firewalls and intrusion detection/prevention systems (IDS/IPS).
• By sending fragments, the malicious data can slip past the firewall in pieces.
• Once the fragments are reassembled at the target system, the attack sequence executes, bypassing security systems.
Teardrop Attack
• This TCP-based attack involves sending fragmented packets of differing sizes and out of order, along with fake sequence numbers.
• The target system struggles to reassemble the packets, which leads to resource exhaustion, degraded performance, or a system crash (denial-of-service attack).
IP Spoofing
• Spoofing is when an attacker disguises their IP address to appear as if it is coming from a legitimate source, often to bypass security checks.
Smurf Attack
• Steps:
  • Attacker spoofs their IP address to match the victim’s IP.
  • Attacker sends multiple ICMP echo requests to intermediary devices (routers, etc.).
  • Devices respond with ICMP echo replies directed to the victim, overwhelming it with traffic and causing a denial-of-service (DoS) attack.
Fraggle Attack
• Similar to a Smurf attack but uses UDP packets instead of ICMP packets.
• Attacker sends UDP packets to open ports (e.g., ports 7 and 19) that generate responses, flooding the victim’s network with traffic.
• This attack is aimed at overwhelming the target with massive amounts of UDP traffic, causing a DoS attack.

• IP-based attacks include fragment attacks like overlapping fragments and teardrop attacks, as well
as IP spoofing attacks such as Smurf and Fraggle.
• These attacks aim to exploit network vulnerabilities, leading to denial-of-service (DoS) or bypassing
security measures by manipulating packet structures or spoofing IP addresses.
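Smurf and Fraggle traffic share one observable from the victim's side: replies arriving for requests the victim never sent. This added Python example (not from the original notes) scans constructed packet records seen at a network edge for unsolicited ICMP echo replies and for UDP responses from ports 7 and 19, and flags hosts hit by several reflectors at once. The threshold and addresses are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed for this example: how many distinct reflectors must answer one
# host unsolicited before we treat it as amplification rather than a stray reply.
REFLECTOR_THRESHOLD = 3
# The UDP services the notes cite for Fraggle: echo (7) and chargen (19).
REFLECTING_UDP_PORTS = {7, 19}


def find_amplification(packets):
    """packets: list of dicts in capture order as seen at the protected
    network's edge. Keys: proto ('icmp' or 'udp'), src, dst; for icmp also
    'type' (8 = echo request, 0 = echo reply); for udp also 'sport'/'dport'.

    Returns {victim: {'icmp': n_reflectors, 'udp': n_reflectors}} listing only
    the protocols where >= REFLECTOR_THRESHOLD distinct sources sent replies
    the victim never solicited. In a Smurf/Fraggle attack the spoofed requests
    never cross our edge, so every reply they provoke looks unsolicited here."""
    icmp_requests = set()   # (our_host, remote) pairs we actually pinged
    udp_requests = set()    # (our_host, remote, port) we actually sent to
    unsolicited = defaultdict(lambda: {"icmp": set(), "udp": set()})

    for p in packets:
        if p["proto"] == "icmp":
            if p["type"] == 8:
                icmp_requests.add((p["src"], p["dst"]))
            elif p["type"] == 0 and (p["dst"], p["src"]) not in icmp_requests:
                unsolicited[p["dst"]]["icmp"].add(p["src"])
        elif p["proto"] == "udp":
            if p["dport"] in REFLECTING_UDP_PORTS:
                udp_requests.add((p["src"], p["dst"], p["dport"]))
            elif (p["sport"] in REFLECTING_UDP_PORTS
                  and (p["dst"], p["src"], p["sport"]) not in udp_requests):
                unsolicited[p["dst"]]["udp"].add(p["src"])

    findings = {}
    for victim, kinds in unsolicited.items():
        hit = {k: len(s) for k, s in kinds.items() if len(s) >= REFLECTOR_THRESHOLD}
        if hit:
            findings[victim] = hit
    return findings


def sample_packets():
    """Constructed capture using RFC 5737 documentation addresses."""
    victim = "198.51.100.5"
    pk = []
    # Legitimate: one of our hosts pings a router and gets exactly one reply.
    pk.append({"proto": "icmp", "src": "198.51.100.8", "dst": "203.0.113.1", "type": 8})
    pk.append({"proto": "icmp", "src": "203.0.113.1", "dst": "198.51.100.8", "type": 0})
    # Smurf pattern: six intermediaries send echo replies the victim never requested.
    for i in range(6):
        pk.append({"proto": "icmp", "src": f"203.0.113.{10 + i}", "dst": victim, "type": 0})
    # Fraggle pattern: four hosts answer from chargen/echo to the victim.
    for i in range(4):
        pk.append({"proto": "udp", "src": f"192.0.2.{20 + i}", "dst": victim,
                   "sport": 19 if i % 2 else 7, "dport": 40000 + i})
    # A single stray reply to another host stays below the threshold.
    pk.append({"proto": "icmp", "src": "203.0.113.99", "dst": "198.51.100.9", "type": 0})
    return pk


if __name__ == "__main__":
    print(find_amplification(sample_packets()))
    # {'198.51.100.5': {'icmp': 6, 'udp': 4}}
```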



DoS and DDoS Attacks
• Denial-of-Service (DoS) Attack
• Distributed-Denial-of-Service (DDoS) Attack
• Difference between DoS and DDoS
• Man-in-the-Middle Attack
• Spoofing Attack

Denial-of-Service (DoS) Attack
• A DoS attack is when a single machine attempts to deny the functionality of a system or network by overwhelming it with traffic, requests, or resources.
• The target machine cannot keep up with the volume of incoming traffic, which leads to degraded performance or a complete service outage.
Distributed-Denial-of-Service (DDoS) Attack
• In a DDoS attack, multiple compromised machines (often part of a botnet) work together to overwhelm the target system.
• The attacker first compromises several hosts (e.g., using malware) and then instructs all compromised hosts to send massive traffic or requests to the target, effectively amplifying the attack's power.
• DDoS attacks are more difficult to defend against due to the distributed nature of the attack, as traffic appears to come from numerous sources.
Differences between DoS and DDoS
• DoS: Originates from a single source attempting to overwhelm a target.
• DDoS: Involves multiple machines simultaneously attacking the target, making it more destructive and harder to mitigate.
Man-in-the-Middle Attack
• A man-in-the-middle (MITM) attack occurs when an attacker intercepts communication between two parties, often altering or stealing the information.
• This attack typically happens in unencrypted communications where the attacker can read or modify data without the parties knowing.
Spoofing Attack
• In a spoofing attack, an attacker disguises as a legitimate entity by forging their identity (e.g., IP address, MAC address) to gain unauthorized access or trick the victim.
• Common examples include IP spoofing (used in DoS/DDoS attacks) and email spoofing (used in phishing attacks).

• Denial-of-Service (DoS) attacks are aimed at overloading systems with traffic or requests to deny
functionality.
• A Distributed-Denial-of-Service (DDoS) attack leverages multiple machines to amplify the attack's
impact. Both are serious threats that can incapacitate networks and services.
• Man-in-the-middle and spoofing attacks are additional network attack vectors, with MITM
intercepting communications and spoofing faking identities to manipulate or steal data.



Man-in-the-Middle Attack & Spoofing
• Man-in-the-Middle (MITM) Attack
• How MITM Works
• Spoofing
• Types of Spoofing
• Limitations of IP Spoofing

Man-in-the-Middle (MITM) Attack
• A MITM attack occurs when an attacker secretly inserts themselves between two parties in a communication path, intercepting and potentially altering the traffic exchanged between them.
• The attacker can eavesdrop on sensitive data like passwords or confidential information and modify the communication without either party realizing it.
How MITM Works
1. The attacker places themselves between the communicating entities.
2. They intercept and relay messages between the two parties.
3. Neither party is aware of the interception, assuming they are communicating directly.
• Common MITM attack vectors include Wi-Fi eavesdropping, session hijacking, and SSL stripping.
Spoofing
• Spoofing is when an attacker impersonates another entity by falsifying data to gain access or trust. This could involve pretending to be a trusted IP, email, or another entity to deceive the target.
• Spoofing is often used in attacks to bypass security measures like access control lists (ACLs) or deceive systems/users into granting access.
Types of Spoofing
• IP Spoofing: The attacker falsifies their IP address to disguise themselves as a trusted source to bypass filters or firewall rules.
• Email Spoofing: Attackers send emails with forged sender addresses to trick users into divulging sensitive information or downloading malware (often used in phishing attacks).
• DNS Spoofing: The attacker alters DNS records to redirect traffic to malicious websites without the user's knowledge.
• MAC Spoofing: Changing the MAC address of a device to bypass network security or gain unauthorized access to a network.
• Biometric Spoofing: Falsifying biometric data (e.g., fingerprints, facial recognition) to gain access to secured systems.
Limitations of IP Spoofing
• IP Spoofing allows an attacker to send traffic from a forged IP address but does not allow the attacker to receive responses. Any response is directed to the legitimate IP holder.
• This means attackers can only send traffic, not complete a two-way communication.

• Man-in-the-Middle (MITM) attacks enable attackers to intercept and modify communications between two parties without their knowledge.
• Spoofing involves impersonating a trusted entity (IP, email, DNS, etc.) to deceive systems or users.
• While spoofing grants the attacker the ability to send malicious data, certain forms like IP spoofing prevent them from receiving responses, limiting full two-way interaction.



Common Tools and Protocols Used by Attackers
• Ping
• Traceroute
• ICMP (Internet Control Message Protocol)
• DHCP (Dynamic Host Configuration Protocol)
• Ipconfig
• WHOIS
• Dig
• Putty
• Nmap
• John the Ripper (JtR)
• Netstat

Ping
• Utility used to check if a network host is alive and measure response times.
• Often used for troubleshooting but also for reconnaissance by attackers to identify potential targets.
Traceroute
• Maps network connections between hosts, showing all the hops along the way.
• Can be used by attackers to map the target network, revealing details of the network infrastructure.
ICMP (Internet Control Message Protocol)
• Supports ping and traceroute utilities.
• ICMP messages provide information such as "Destination Unreachable" (Type 3) codes, which are valuable for attackers during network reconnaissance.
DHCP (Dynamic Host Configuration Protocol)
• Automatically assigns IP addresses to devices when they connect to a network.
• Attackers can create a rogue DHCP server to intercept traffic by assigning malicious gateway information.
Ipconfig
• A Windows command used to display network configurations and refresh DHCP and DNS settings.
WHOIS
• Tool used to query information about domain ownership and IP address blocks.
• Useful for attackers conducting reconnaissance to gather information about target organizations.
Dig
• Command-line tool to query DNS records and obtain domain or IP address information.
Putty
• Terminal emulator and file transfer application supporting protocols like SSH, Telnet, and SCP.
Nmap
• Popular network scanning tool used to discover hosts, services, and vulnerabilities on a network by sending packets and analyzing responses.
John the Ripper (JtR)
• Password cracking tool used to test the strength of passwords by brute-forcing or cracking encrypted password files.
Netstat
• Displays active TCP/UDP connections, routing tables, and protocol statistics.
• Useful for identifying open ports and active connections on a system.
Nslookup
• Tool for querying DNS to obtain domain name and IP address mappings, useful for DNS recon and troubleshooting DNS issues.

• Common network tools like Ping, Traceroute, and Nmap can be used by attackers to gather
information about a target network.
• Protocols such as ICMP and DHCP can be leveraged for reconnaissance or traffic interception.
• Tools like John the Ripper are used for password cracking, while WHOIS, Dig, and Nslookup
provide DNS and domain information useful for attackers during the reconnaissance phase.



ARP Poisoning
• ARP (Address Resolution Protocol)
• CAM Table
• ARP Poisoning
• Lack of Authentication
• Prevention and Detection

ARP (Address Resolution Protocol)
• ARP maps IP addresses to MAC addresses on a local network.
• When a device wants to communicate, the switch broadcasts a message asking, "What MAC address belongs to this IP address?"
• The device with the matching IP sends its MAC address back, and the switch updates its ARP table to store the mapping.
CAM Table
• A Content Addressable Memory (CAM) table is used by switches to map MAC addresses to their corresponding port on the switch.
• If a switch does not have an entry for a particular device, it broadcasts an ARP request to all devices.
ARP Poisoning
• An attacker can exploit ARP by sending malicious ARP replies, tricking the switch into thinking the attacker's device is the legitimate destination for traffic.
• The attacker modifies their ARP table to redirect traffic meant for the legitimate device to their own.
• ARP poisoning allows attackers to intercept traffic and potentially modify or drop it (man-in-the-middle attack).
Lack of Authentication
• ARP tables and the ARP protocol itself lack built-in security or authentication mechanisms, making them vulnerable to spoofing attacks.
• Attackers can manipulate ARP replies without needing authorization or authentication.
Prevention and Detection
• Monitoring network traffic across segments helps detect unusual activity, such as ARP poisoning.
• Compensating controls, such as increased logging and monitoring, should be in place to detect anomalies.
• DNSSEC has been developed to prevent similar attacks in the context of DNS poisoning.

• ARP poisoning exploits the ARP protocol's lack of security to redirect network traffic.
• Attackers can send malicious ARP replies to manipulate MAC-IP mappings in the switch’s CAM
table, enabling them to intercept or alter data.
• Monitoring and implementing compensating controls like logging can help detect and prevent ARP
poisoning attacks.
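The monitoring control above can be made concrete. The following Python is an added example, not part of the original notes: it consumes constructed ARP reply observations from one segment, keeps an IP-to-MAC table, and flags the two symptoms of ARP poisoning the notes describe, an IP whose MAC changes and a single MAC answering for several IPs. The addresses and the optional trusted-binding table are assumptions.

```python
from collections import defaultdict


class ArpWatcher:
    """Passive IP->MAC tracker fed with ARP replies seen on one segment.
    Reports an IP whose MAC changes (the gateway IP suddenly answered by a
    different card) and one MAC bound to several IPs (typically the gateway
    plus its victims once poisoning is under way)."""

    def __init__(self, trusted=None):
        # Optional static bindings the administrator already knows, e.g. the
        # gateway. Assumed for this example; the notes do not specify a source.
        self.table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Record one ARP reply. Returns the previously known MAC (or None)
        and appends an alert when the binding for `ip` changed."""
        mac = mac.lower()              # normalise so case alone never hides a change
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append((ts, "ip_mac_changed", ip, prev, mac))
        self.table[ip] = mac
        return prev

    def macs_claiming_multiple_ips(self, limit=2):
        """MACs currently bound to `limit` or more IPs. A router with several
        addresses can legitimately appear here, so cross-check the result
        against the asset inventory before acting on it."""
        by_mac = defaultdict(set)
        for ip, mac in self.table.items():
            by_mac[mac].add(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) >= limit}


def sample_replies():
    """Constructed ARP reply observations: (timestamp, sender_ip, sender_mac)."""
    return [
        (1, "10.0.0.1",  "aa:bb:cc:00:00:01"),  # gateway answers for itself
        (2, "10.0.0.20", "aa:bb:cc:00:00:20"),  # workstation answers for itself
        (3, "10.0.0.30", "aa:bb:cc:00:00:30"),  # a third host answers for itself
        (4, "10.0.0.1",  "AA:BB:CC:00:00:30"),  # third host now claims the gateway IP
        (5, "10.0.0.20", "aa:bb:cc:00:00:30"),  # ...and the workstation's IP as well
    ]


def run(replies=None, trusted=None):
    """Feed the observations through a watcher; returns (alerts, suspects)."""
    watcher = ArpWatcher(trusted)
    for ts, ip, mac in (sample_replies() if replies is None else replies):
        watcher.observe(ts, ip, mac)
    return watcher.alerts, watcher.macs_claiming_multiple_ips()


if __name__ == "__main__":
    alerts, suspects = run()
    for alert in alerts:
        print("ALERT", alert)
    print("MACs answering for several IPs:", suspects)
    # {'aa:bb:cc:00:00:30': ['10.0.0.1', '10.0.0.20', '10.0.0.30']}
```

Seeding the watcher with a trusted gateway binding makes the very first forged reply for that IP raise an alert instead of waiting for a second observation.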



Wireless Security
• IEEE 802.11 Standards
• Wireless Authentication
• TKIP (Temporal Key Integrity Protocol)
• WEP (Wired Equivalent Privacy)
• Wireless Security Needs
• Wireless Segregation

IEEE 802.11 Standards
• The IEEE 802.11 family defines the standards for wireless networking (Wi-Fi).
• Each version (e.g., 802.11a/b/g/n/ac/ax) introduces enhancements in speed, range, and security features.
Wireless Authentication
• Wireless networks require authenticated key exchanges to ensure that only authorized users can connect.
• Various protocols such as WPA2 and WPA3 facilitate this secure exchange.
TKIP (Temporal Key Integrity Protocol)
• TKIP was designed as a temporary solution to replace the insecure WEP encryption method.
• TKIP improved security without needing to replace legacy hardware that originally used WEP.
WEP (Wired Equivalent Privacy)
• WEP was the original security protocol for wireless networks but was found to have serious vulnerabilities.
• WPA and WPA2 were developed to replace WEP, offering stronger encryption and key management.
Wireless Security Needs
• Wireless communication requires the following for adequate protection:
  • Access Control: Controlling who can connect to the wireless network.
  • Authentication: Ensuring that users are who they claim to be.
  • Integrity Protection: Ensuring data has not been tampered with during transmission.
  • Encryption: Encrypting data to protect confidentiality during transmission (e.g., WPA2, WPA3).
Wireless Segregation
• Segregation of different user groups (e.g., guests, employees, vendors) into separate wireless networks enhances security.
• Each group can be isolated with different security policies.
• Guest networks can have limited access, while employee networks can offer more privileges.
• Network architecture is essential to maintaining segregation and minimizing vulnerabilities.

• Wireless security depends on authentication, encryption, and segregation.
• The transition from WEP to more secure protocols like TKIP, WPA2, and WPA3 has greatly improved wireless protection.
• Segregating networks by user type is an effective strategy to further enhance security.



Radio Frequency Management
• Definition of Radio Frequency Management
• Wi-Fi Signal Management
• Wireless Security Considerations
• Unlicensed Frequencies
• Technologies Utilizing Radio Frequencies

Definition of Radio Frequency Management
• Radio frequency management involves the careful placement and control of devices that broadcast wireless traffic to ensure proper signal coverage and security.
• This helps prevent unauthorized individuals from accessing wireless networks.
Wi-Fi Signal Management
• For Wi-Fi, access points must be positioned to ensure signals are strong enough for authorized users inside the building but weak enough to prevent signal leakage outside.
  • Example: Preventing Wi-Fi signals from reaching the parking lot where potential attackers could attempt to break into the network.
Wireless Security Considerations
• Managing radio frequencies reduces the risk of attackers using unsecured access points to gain unauthorized entry.
• Signal leakage outside a controlled area can expose the network to attack.
Unlicensed Frequencies
• Certain frequencies, such as 2.4 GHz, 5 GHz, and 900 MHz, are unlicensed. This means any device or technology can operate within these bands.
  • These frequencies are widely used for Wi-Fi, Bluetooth, and other technologies, making their management critical for security.
Technologies Utilizing Radio Frequencies
• Bluetooth, cellular, RFID, and Wi-Fi are examples of technologies that use radio frequencies.
  • Despite differences in technology, they all function using emanations of radio waves and must be managed carefully to avoid interference and security breaches.

• Radio frequency management is essential for controlling Wi-Fi signals and protecting
wireless networks.
• It involves managing signal strength to prevent unauthorized access from outside a
building, especially in unlicensed frequency bands like 2.4 GHz and 5 GHz.
• Effective management prevents signal leakage and enhances network security.

Wireless Technologies
• Definition of Wireless Technologies
• Wi-Fi
• Bluetooth
• Cellular
• RFID (Radio Frequency Identification)

Definition of Wireless Technologies
• Wireless technologies refer to communication without using physical wires.
• Data transmission occurs over radio waves in the wireless radio spectrum.
Wi-Fi
• Wi-Fi operates under IEEE 802.11 specifications.
• Widely used for internet connectivity, printing, and as hotspots for devices.
• Example: Connecting a computer to a mobile phone's Wi-Fi hotspot.
Bluetooth
• Designed for close-proximity wireless communication.
• Commonly used for devices like wireless keyboards, mice, and headsets.
• Example: Modern cars use Bluetooth to connect with mobile phones for audio streaming.
Cellular
• Refers to mobile communication protocols and standards like CDMA, GSM, 3G, 4G, and 5G.
• 5G is the latest standard, offering faster data speeds and enhanced connectivity for mobile devices.
RFID (Radio Frequency Identification)
• Involves readers and tags (chips or labels) for wireless tracking.
• Use cases: Asset management and inventory control.
• Example: RFID tags on products allow automatic scanning and tracking in supply chains.

• Wireless technologies enable communication over radio frequencies without physical cables.
• Key technologies include Wi-Fi (for network connectivity), Bluetooth (for short-range device
communication), Cellular (for mobile phone communication), and RFID (for wireless tracking).
• Each of these plays a critical role in modern wireless infrastructure.

802.11 Wireless Protocol Family
• 802.11 Wireless Protocols
• Frequency Ranges
• Maximum Speeds
• Security Concerns

802.11 Wireless Protocols
• IEEE 802.11 specifications define wireless communication standards.
• Each protocol in the family offers varying speed and frequency ranges, evolving to meet growing demand for faster wireless data transmission.
• 802.11be (Wi-Fi 7) and 802.11bn (Wi-Fi 8) are future iterations, with Wi-Fi 7 expected in late 2024 and Wi-Fi 8 expected in 2028.
Frequency Ranges
• Protocols operate across different frequency bands.
  • 2.4 GHz: More interference but greater range.
  • 5 GHz: Less interference, faster speeds, shorter range.
  • 6 GHz: Supported by Wi-Fi 6E and Wi-Fi 7, offers higher bandwidth.
Maximum Speeds
• Each protocol offers faster speeds compared to its predecessor:
  • 802.11: 2 Mbps
  • 802.11b: 11 Mbps
  • 802.11g: 54 Mbps
  • 802.11n: 72 – 600 Mbps
  • 802.11ac: Up to 1300 Mbps
  • 802.11ax (Wi-Fi 6/6E): Up to 10 Gbps
  • 802.11be (Wi-Fi 7): Up to 40 Gbps
Security Concerns
• None of the 802.11 protocols have native security.
• Wireless security must be added externally via encryption (e.g., WPA2, WPA3).

• The IEEE 802.11 wireless protocol family has evolved from 802.11 with speeds of 2 Mbps to 802.11be
(Wi-Fi 7) capable of reaching 40 Gbps.
• Frequencies range from 2.4 GHz to 60 GHz. However, security is not native to these protocols,
necessitating the use of external security measures like WPA2 and WPA3.

802.11 Security Solutions
• 802.11 Wireless Security Standards
• Access Control
• Authentication Methods
• Encryption
• Integrity Protection

802.11 Wireless Security Standards
• Wireless communication security is essential to prevent unauthorized access, eavesdropping, and tampering.
• The main wireless security standards in use are 802.1X, WPA, WPA2, and the most recent, WPA3.
  • WEP (Wired Equivalent Privacy) was the original standard but is considered very weak due to serious vulnerabilities.
  • WPA (Wi-Fi Protected Access) was an improvement on WEP but also contains weaknesses, primarily due to the use of TKIP.
  • WPA2 introduced stronger security with CCMP (AES) encryption and is still widely implemented.
  • WPA3, released in 2018, offers better encryption and authentication mechanisms, including GCMP.
Access Control
• Access control mechanisms define how wireless clients gain access to the network.
• 802.1X is a common standard for dynamic access control, requiring authentication from a central server.
• Pre-Shared Key (PSK) is another method used, especially for home networks.
Authentication Methods
• Authentication verifies the identity of devices and users.
• EAP (Extensible Authentication Protocol) methods are used in enterprise networks for secure authentication, providing dynamic encryption keys.
• PSK is often used in personal or small office networks for simpler authentication.
Encryption
• Encryption ensures the confidentiality of wireless data.
  • WEP (Wired Equivalent Privacy) was the original standard and is now considered insecure because of its weak encryption.
  • WPA uses TKIP (RC4) for encryption, which has also been proven vulnerable.
  • WPA2 uses AES (CCMP), which is much stronger and still widely used.
  • WPA3 further strengthens encryption using GCMP (Galois Counter Mode Protocol) or CCMP-AES.
Integrity Protection
• Integrity protection ensures data hasn't been tampered with.
  • WEP and WPA lacked strong integrity measures.
  • WPA2 uses CCMP for integrity, providing both encryption and message integrity.
  • WPA3 enhances this with GCMP, providing even stronger protection against tampering.

• Wireless security standards have evolved from WEP (weakest) to WPA3 (strongest).
• Key security services like access control, authentication, encryption, and integrity protection are
necessary to secure wireless communications.
• WPA3, the latest standard, provides improved encryption (GCMP) and stronger protection against
tampering and unauthorized access.

Wireless Authentication
• Wireless Authentication Methods
• Open Authentication
• Shared Key Authentication
• EAP Authentication
• One-Factor vs. Two-Factor Authentication
• Mutual Authentication

Wireless Authentication Methods
• Wireless networks rely on different authentication methods to control access to the network.
• Three main methods of wireless authentication include:
  • Open Authentication:
    • Any device can connect using the network's SSID.
    • No security is enabled, making this method vulnerable to attacks.
  • Shared Key Authentication:
    • A pre-shared key (PSK) is used, which is a common password shared across all devices.
    • Often used in home networks, but sharing the same key among devices can pose security risks.
  • EAP (Extensible Authentication Protocol) Authentication:
    • A more secure option, requiring an authenticated key exchange mechanism.
    • Provides flexibility for different authentication methods and can support one- or two-factor authentication.
One-Factor vs. Two-Factor Authentication
• One-Factor Authentication:
  • Utilizes a single factor, like a password or network credential, to authenticate users.
  • Common EAP-based one-factor methods include:
    • EAP-MD5 (less secure, uses MD5 hash).
    • LEAP (Lightweight EAP, proprietary to Cisco).
    • PEAP-MSCHAP, TTLS-MSCHAP, EAP-SIM.
• Two-Factor Authentication:
  • Adds an additional layer of security by requiring a second factor, such as a certificate or one-time password (OTP).
  • More robust EAP-based two-factor methods include:
    • EAP-TLS (Transport Layer Security with certificates).
    • TTLS with OTP (One-Time Password).
    • PEAP-GTC (Generic Token Card).
Mutual Authentication
• To achieve the highest level of security, mutual authentication is recommended.
  • Client-side authentication: Ensures the client can verify the legitimacy of the access point (AP).
  • Access point authentication: Verifies the validity of the client attempting to connect.
• This helps prevent attacks like rogue APs and man-in-the-middle attacks.

• Wireless authentication methods include open authentication (least secure), shared key
authentication, and EAP-based authentication (most secure).
• EAP allows for one- or two-factor authentication, with two-factor providing stronger security.
• Mutual authentication ensures that both the client and access point verify each other’s legitimacy,
creating a more secure wireless network environment.

Wireless Encryption
• Wireless Encryption Technologies
• Temporal Key Integrity Protocol (TKIP)
• Counter-Mode-CBC-MAC Protocol (CCMP)
• WPA and WPA2 Encryption

Wireless Encryption Technologies
• Encryption is crucial in wireless networks to ensure confidentiality, integrity, and security of the transmitted data.
• Two main encryption protocols are used in Wi-Fi networks:
  • Temporal Key Integrity Protocol (TKIP)
  • Counter-Mode-CBC-MAC Protocol (CCMP)
Temporal Key Integrity Protocol (TKIP)
• TKIP was designed to fix vulnerabilities in the older Wired Equivalent Privacy (WEP) encryption.
• Used in WPA (Wi-Fi Protected Access) with a combination of:
  • RC4 stream cipher for encryption.
  • 128-bit per-packet keys, meaning each packet of data has a different encryption key to protect against certain attacks.
• However, TKIP is vulnerable to attacks because of its backward compatibility with WEP hardware, which carries inherent security weaknesses.
Counter-Mode-CBC-MAC Protocol (CCMP)
• CCMP is a more robust encryption protocol introduced with WPA2 and WPA3.
• Uses AES (Advanced Encryption Standard), which is a widely accepted encryption standard.
• AES 128-bit keys ensure strong encryption, making CCMP more secure than TKIP.
• It provides both encryption and message integrity, making it resistant to common attacks like replay attacks.
WPA and WPA2 Encryption
• WPA (Wi-Fi Protected Access) initially used TKIP to allow for better hardware compatibility with WEP, but it has since been replaced due to vulnerabilities.
• WPA2 uses CCMP-AES, which significantly strengthens wireless security, and is the most commonly implemented standard.
• WPA3 further improves security with enhanced encryption standards but is still not as widely adopted.

• TKIP was a short-term fix for WEP vulnerabilities but remains susceptible to certain attacks due to
hardware compatibility issues.
• CCMP-AES, used in WPA2 and WPA3, offers significantly stronger encryption, using 128-bit AES
keys for secure wireless communication.
• CCMP is currently the most secure protocol for wireless encryption.

Wireless Integrity Protection
• Wireless Integrity Protection Methods
• TKIP (Temporal Key Integrity Protocol)
• WPA2 (Wi-Fi Protected Access 2) and CCMP
• Message Integrity Code (Michael)

Wireless Integrity Protection Methods
• Wireless integrity protection ensures the data sent across a wireless network hasn't been tampered with during transmission.
• There are two main integrity protection methods:
  • TKIP uses Michael for integrity checks.
  • WPA2 uses CCMP (with AES) to provide more robust security.
TKIP (Temporal Key Integrity Protocol)
• TKIP was designed to replace WEP (Wired Equivalent Privacy) without requiring hardware upgrades.
• Developed as a short-term solution to address WEP's vulnerabilities, particularly the weak initialization vector (IV) in WEP, which made it easy to crack.
• Key Mixing: TKIP sends each new packet with a unique encryption key, which improves upon WEP's flawed static key approach.
• Michael: TKIP uses a Message Integrity Code (MIC) called Michael to check data integrity.
  • Michael provides a basic form of integrity control, ensuring packets have not been altered during transmission.
• However, TKIP is now considered obsolete due to security vulnerabilities and is no longer recommended for modern networks.
WPA2 (Wi-Fi Protected Access 2) and CCMP
• WPA2 implements CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), which uses AES for encryption and integrity.
• AES in counter mode (for encryption) combined with AES CBC-MAC (Cipher Block Chaining Message Authentication Code, for integrity) ensures that both services are provided in a secure manner by one protocol.
• CCMP offers much stronger encryption and integrity protection than TKIP, making WPA2 the preferred standard for modern wireless networks.
Evolution from TKIP to AES
• TKIP was a stopgap solution that allowed older hardware to operate with better security compared to WEP.
• As vulnerabilities in TKIP were discovered, the stronger AES encryption with CCMP was developed and adopted, replacing TKIP in WPA2.

• TKIP was designed to replace WEP and implemented integrity protection through a Message Integrity
Code called Michael.
• However, TKIP is now considered insecure and is replaced by AES with CCMP in WPA2, which offers
robust encryption and integrity protection.
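
Worked example for the integrity and replay points made on this page and on the Wireless Encryption page: a receiver that checks an unkeyed CRC-32 (the style of WEP's integrity check value) side by side with one that checks a keyed message integrity code over a packet number (the services CCMP provides). This is an added illustration, not code from the notes or from any Wi-Fi implementation; the key and payload are constructed, and HMAC-SHA256 stands in for the AES CBC-MAC that CCMP actually uses, since the property being shown (no key, no valid MIC) is the same. The 48-bit packet number mirrors CCMP's; the "accept only increasing packet numbers" rule is a simplified version of its replay check.

```python
import hashlib
import hmac
import zlib

# Constructed demo key and payload (not from the notes; a real CCMP key comes from the 4-way handshake).
KEY = b"constructed-demo-key-do-not-reuse"
PAYLOAD = b"GET /payroll/report HTTP/1.1"
PN_BYTES = 6  # CCMP carries a 48-bit packet number (PN) with every protected frame


def crc_icv(payload: bytes) -> int:
    """Unkeyed integrity check value in the style of WEP's CRC-32 ICV."""
    return zlib.crc32(payload) & 0xFFFFFFFF


def crc_receiver_accepts(payload: bytes, icv: int) -> bool:
    """A receiver that trusts a checksum: it only confirms the bytes match the number sent with them."""
    return crc_icv(payload) == icv


def keyed_mic(key: bytes, pn: int, payload: bytes) -> bytes:
    """Keyed MIC over packet number and payload. HMAC-SHA256 stands in for CCMP's AES CBC-MAC here."""
    return hmac.new(key, pn.to_bytes(PN_BYTES, "big") + payload, hashlib.sha256).digest()


class CcmpStyleReceiver:
    """Checks the keyed MIC and rejects packet numbers that do not increase (replay protection)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_pn = -1

    def accept(self, pn: int, payload: bytes, mic: bytes) -> bool:
        if pn <= self.last_pn:
            return False  # replayed or out-of-order frame: same or older PN already seen
        expected = keyed_mic(self.key, pn, payload)
        if not hmac.compare_digest(expected, mic):
            return False  # payload or PN altered, or MIC produced without the key
        self.last_pn = pn
        return True


def demo() -> dict:
    """Why a checksum is not integrity protection, and what a keyed MIC plus packet number adds."""
    original = PAYLOAD
    modified = b"GET /public/notice HTTP/1.1"
    # WEP-style check: the ICV needs no secret, so a modified payload with a recomputed ICV passes.
    crc_passes = crc_receiver_accepts(modified, crc_icv(modified))
    # CCMP-style check: without the key, the only MIC available is the genuine one, which no longer matches.
    rx = CcmpStyleReceiver(KEY)
    genuine_mic = keyed_mic(KEY, 1, original)
    return {
        "crc_forgery_passes": crc_passes,                            # True: nothing detected
        "mic_forgery_passes": rx.accept(1, modified, genuine_mic),   # False: MIC mismatch
        "genuine_accepted": rx.accept(1, original, genuine_mic),     # True
        "replay_accepted": rx.accept(1, original, genuine_mic),      # False: PN 1 already used
        "next_accepted": rx.accept(2, original, keyed_mic(KEY, 2, original)),  # True
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The first result is the whole argument against WEP-era integrity: a checksum that anyone can recompute tells the receiver nothing about who produced the frame. The remaining results show the two things CCMP's MIC and packet number buy: altered frames fail verification, and a captured genuine frame cannot be replayed.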

VLAN and SDN
• VLAN (Virtual Local Area Network)
• SDN (Software-Defined Networks)
• IEEE 802.1Q Standard
• SDN Architecture
• Northbound and Southbound APIs

VLAN (Virtual Local Area Network)
• A VLAN is a technology that allows network administrators to create local area networks without needing new physical wiring or hardware installations.
• Layer 3 switches and other technologies help facilitate the creation of VLANs, allowing for more flexible network segmentation.
• VLANs are used to isolate different segments of a network for security, performance, or administrative reasons.
• Key benefit: Reduces the need for rewiring and provides better network management by allowing logical segmentation.
• IEEE 802.1Q is the standard that governs VLANs. It defines how VLAN tagging is done to allow traffic from multiple VLANs to travel over a single network connection.
SDN (Software-Defined Networks)
• SDN stands for Software-Defined Networks, where the network infrastructure is managed and controlled using software rather than physical hardware.
• SDN allows network configuration to be automated and centrally controlled, making it adaptable to changing demands.
• SDN architecture is split into three planes:
  • Application Plane: Where applications and services reside.
  • Control Plane: Manages the flow of traffic and network resources.
  • Data Plane: Carries the actual data and executes the decisions made by the control plane.
Northbound and Southbound APIs in SDN
• Northbound APIs: Facilitate communication between the application plane and the control plane. This enables applications to request network resources or configuration changes.
• Southbound APIs: Manage communication between the control plane and the data plane. They enable the control plane to instruct the data plane on handling traffic.
Key Advantages of SDN
• Centralized control over network resources, allowing for easy configuration and optimization of the network.
• Greater flexibility in adapting the network to meet organizational needs without manually adjusting hardware.

• VLANs allow the creation of logical local area networks using Layer 3 switches and reduce physical
wiring needs, with IEEE 802.1Q providing the standard for VLAN implementation.
• SDNs manage networks using software, divided into application, control, and data planes, and
leverage northbound and southbound APIs to handle network management and traffic control.

VLAN
• VLAN Definition
• Virtualization and VLANs
• Security through Segmentation
• Layer 3 Switch and VLAN Creation
• VLAN Ports and Isolation

VLAN Definition
• VLAN stands for Virtual Local Area Network, a technology that allows for the virtual segmentation of networks, isolating devices into separate logical groups without the need for new physical infrastructure.
Virtualization and VLANs
• Virtualization technologies have existed since the mainframe era and are a key component of cloud computing today.
• Originally used for isolating environments on mainframes, virtualization now extends to network segmentation via VLANs.
• VLANs offer a way to separate traffic between devices while using the same physical network, creating virtual tunnels that link devices into isolated logical segments.
Security through Segmentation
• VLANs improve security by allowing network traffic to be isolated into different segments. For instance, different departments within a company can have their own VLANs, limiting access to their network resources.
• Isolation ensures that devices within the same VLAN can communicate freely, but devices in other VLANs cannot communicate without going through a router or firewall, adding a security layer.
Layer 3 Switch and VLAN Creation
• VLANs are typically created using a Layer 3 switch, which can configure specific ports to be part of a particular VLAN.
• VLAN segmentation is based on the value and security needs of different segments, enabling tailored network management for diverse use cases.
VLAN Ports and Isolation
• Devices connected to specific ports on a switch that are configured for the same VLAN are automatically grouped together.
• VLAN ports can be reconfigured without needing to rewire the physical network, making VLANs more flexible and efficient than traditional LAN setups.

• VLANs allow the segmentation of networks into logical, isolated segments without the need for
physical rewiring, enhancing security and flexibility.
• They are created and managed using Layer 3 switches, where ports can be assigned to different
VLANs based on security and functional needs.

Software-Defined Networks (SDN)
• SDN Definition
• Differences Between SDN and Traditional Networks
• Centralized Control in SDN
• Planes in SDN: Control Plane and Data Plane

SDN Definition
• Software-Defined Networks (SDN) involve creating and managing networks using software instead of traditional hardware devices like routers and switches.
• SDN enables the virtualization of network components, making it possible to control network behavior dynamically through software applications.
Differences Between SDN and Traditional Networks
• In traditional networks, physical hardware like routers, switches, and cabling is responsible for network control and data forwarding.
• SDN abstracts these hardware elements, allowing software applications to mimic the behavior of hardware devices while still requiring some physical network components, such as cabling.
• SDN provides virtualized network functionality, which allows for more flexibility and centralized management, compared to static, hardware-dependent traditional networks.
Centralized Control in SDN
• SDN enables centralized control through a control plane that acts as the brain of the network, understanding the topology and making all the routing and traffic management decisions.
• The centralized control allows for rapid reconfiguration of the network based on needs, enabling dynamic adjustments to traffic, security, and resources.
Planes in SDN: Control Plane and Data Plane
• Control Plane: This is the intelligent layer of the SDN, responsible for making decisions about packet routing, managing routing tables, and deciding how data is forwarded across the network.
• Data Plane: The data plane is the execution layer that performs the actual forwarding of packets based on instructions from the control plane.
• SDN's separation of the control and data planes simplifies network management and increases flexibility by decoupling decision-making from physical devices.

• Software-Defined Networks (SDN) enable centralized control and virtualization of traditional network elements.
• The control plane makes intelligent routing decisions, while the data plane handles packet
forwarding.
• SDN provides flexibility and rapid reconfiguration capabilities compared to traditional, hardware-
based networks.

SDN Architecture
• SDN Architecture Overview
• Application Plane
• Control Plane
• Data Plane
• Northbound and Southbound APIs

SDN Architecture Overview
• Software-Defined Networks (SDN) architecture separates network control from the physical infrastructure, enabling more dynamic management.
• SDN consists of three main planes: Application Plane, Control Plane, and Data Plane, each with specific functions.
Application Plane
• The Application Plane hosts applications and services that interact with the network, such as security controls (firewalls), network monitoring, traffic management, and reporting tools.
• Applications on this plane communicate with the Control Plane using Northbound APIs to make requests for network resources or to enforce policies.
Control Plane
• The Control Plane acts as the intelligence center of the SDN, where decisions are made regarding network flow and traffic management.
• It controls how data is forwarded within the network by sending instructions to the Data Plane via Southbound APIs.
• The Control Plane manages the network's routing, traffic flow, and high-level network management.
Data Plane
• The Data Plane is responsible for the actual forwarding of packets across the network, executing the instructions provided by the Control Plane.
• Physical networking devices, such as routers and switches, are connected to the Data Plane, making it the execution layer of the SDN.
Northbound and Southbound APIs
• Northbound APIs: Facilitate communication between the Application Plane and the Control Plane. Applications send network requests or commands to the control layer using these APIs.
• Southbound APIs: Facilitate communication between the Control Plane and the Data Plane. The Control Plane uses these APIs to send instructions to the physical devices on the Data Plane, telling them how to route traffic.

• The SDN architecture consists of the Application, Control, and Data Planes. Communication
between these layers is handled by Northbound APIs (Application to Control) and Southbound APIs
(Control to Data).
• The Application Plane sends requests, the Control Plane makes network decisions, and the Data
Plane executes them by routing traffic.
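
Worked example for the three SDN planes and the two API directions described on this page and the two preceding SDN pages: a segmentation application pushes intent through a northbound API, the controller turns a switch's table miss into an installed flow rule through a southbound exchange, and the switch then forwards purely from its flow table. This is an added model, not code from the notes or from any SDN controller; the address plan is constructed, the northbound API is a plain method call, and the southbound packet-in / flow-rule exchange is modelled on OpenFlow's packet-in and flow-mod messages in simplified form. The controller's default is deny: traffic no application has asked for is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan for a hypothetical campus (private ranges; not from the notes).
CORP_USERS = "10.10.0.0/16"
SERVERS = "10.20.0.0/24"
GUEST_WIFI = "10.99.0.0/16"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Policy:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    action: str  # "forward" or "drop"


@dataclass
class FlowRule:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    action: str
    priority: int


class ControlPlane:
    """Controller: holds intent from applications and turns it into per-switch flow rules."""

    def __init__(self) -> None:
        self.policies: List[Policy] = []

    # Northbound API: applications express intent as networks and actions, never as switch ports.
    def add_policy(self, src_cidr: str, dst_cidr: str, action: str) -> None:
        self.policies.append(Policy(ipaddress.ip_network(src_cidr),
                                    ipaddress.ip_network(dst_cidr), action))

    def decide(self, pkt: Packet) -> str:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for p in self.policies:          # first matching policy wins
            if src in p.src_net and dst in p.dst_net:
                return p.action
        return "drop"                    # default deny: unrequested traffic is not forwarded

    # Southbound API (simplified OpenFlow packet-in / flow-mod): the switch escalates a table
    # miss, the controller decides once and installs an exact-match rule, so later packets of
    # the same flow are handled in the data plane without asking again.
    def packet_in(self, switch: "DataPlane", pkt: Packet) -> FlowRule:
        rule = FlowRule(ipaddress.ip_network(pkt.src + "/32"),
                        ipaddress.ip_network(pkt.dst + "/32"),
                        self.decide(pkt), priority=100)
        switch.install_rule(rule)
        return rule


class DataPlane:
    """Switch: forwards purely from its flow table; it holds no policy of its own."""

    def __init__(self, controller: ControlPlane) -> None:
        self.controller = controller
        self.rules: List[FlowRule] = []
        self.forwarded: List[Packet] = []
        self.dropped: List[Packet] = []
        self.packet_ins = 0

    def install_rule(self, rule: FlowRule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def lookup(self, pkt: Packet) -> Optional[FlowRule]:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for r in self.rules:
            if src in r.src_net and dst in r.dst_net:
                return r
        return None

    def handle(self, pkt: Packet) -> str:
        rule = self.lookup(pkt)
        if rule is None:                 # table miss: escalate to the control plane
            self.packet_ins += 1
            rule = self.controller.packet_in(self, pkt)
        (self.forwarded if rule.action == "forward" else self.dropped).append(pkt)
        return rule.action


def segmentation_app(controller: ControlPlane) -> None:
    """Application plane: a segmentation policy expressed through the northbound API."""
    controller.add_policy(GUEST_WIFI, "10.0.0.0/8", "drop")    # guests never reach internal ranges
    controller.add_policy(GUEST_WIFI, ANY, "forward")          # ...but may reach the internet
    controller.add_policy(CORP_USERS, SERVERS, "forward")      # staff may reach the server VLAN


def run_demo() -> dict:
    ctl = ControlPlane()
    sw = DataPlane(ctl)
    segmentation_app(ctl)
    traffic = [                                 # constructed sample traffic
        Packet("10.10.1.5", "10.20.0.10"),      # corp -> servers: forward
        Packet("10.99.4.2", "10.10.1.5"),       # guest -> corp: drop
        Packet("10.99.4.2", "203.0.113.80"),    # guest -> internet: forward
        Packet("10.20.0.10", "10.99.4.2"),      # servers -> guest: no policy, default drop
        Packet("10.10.1.5", "10.20.0.10"),      # repeat of the first flow: served from the flow table
    ]
    actions = [sw.handle(p) for p in traffic]
    return {"actions": actions, "packet_ins": sw.packet_ins, "rules": len(sw.rules)}
```

Five packets produce only four packet-in escalations: the repeated flow is answered from the rule the controller installed earlier, which is the data plane / control plane split the notes describe. Policy order matters at the northbound boundary (the guest deny must precede the guest allow), while the switch never sees policy at all, only exact-match rules.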

Virtual Private Clouds (VPCs)
• Definition of VPC
• Characteristics of VPC
• Isolation in VPC
• Benefits of VPC

Definition of VPC
• A Virtual Private Cloud (VPC) is a logically isolated section within a public cloud provider's infrastructure.
• It is essentially a customizable private network within a public cloud like AWS, Google Cloud, or Azure.
Characteristics of VPC
• Customizable: Users can define and configure their own network settings, including IP ranges, subnets, and route tables.
• Logical Isolation: Even though the VPC exists on shared infrastructure, the isolation is created using software, not separate physical hardware.
Isolation in VPC
• VPCs provide virtual isolation by separating network environments through segmentation and access controls.
• Security Groups, network access control lists (ACLs), and VPN connections are some of the features used to ensure privacy and secure communication within a VPC.
Benefits of VPC
• Cost-effective: VPCs are less expensive than dedicated private cloud infrastructures since they use shared resources.
• Scalability: Like other public cloud services, VPCs offer easy scalability, allowing users to adjust resources according to demand.
• Control: Users maintain fine-grained control over network components, such as firewalls, IP addressing, and routing, ensuring a balance between security and flexibility.

• A Virtual Private Cloud (VPC) is a portion of a public cloud that provides logically isolated,
customizable network environments without separate physical hardware.
• It combines the cost-effectiveness and scalability of public clouds with enhanced security
controls and virtual network isolation.

IEEE 802.1Q
• Definition of IEEE 802.1Q
• VLAN Tagging
• How IEEE 802.1Q works
• Relation to SDNs

Definition of IEEE 802.1Q
• IEEE 802.1Q is a networking standard developed by the IEEE that supports Virtual Local Area Networks (VLANs) and Software-Defined Networks (SDNs).
• It specifies methods for VLAN tagging in network traffic and how this traffic should be handled by network devices like switches and bridges.
VLAN Tagging
• VLAN tagging is a process where a VLAN identifier (VLAN ID) is added to network frames to indicate which VLAN the frame belongs to.
• This ensures that only the designated VLAN receives the tagged traffic, preventing cross-VLAN communication unless explicitly allowed.
How IEEE 802.1Q Works
• When a frame is sent across the network, the 802.1Q standard defines how to add a tag to the frame with its VLAN ID.
• Switches and bridges that comply with IEEE 802.1Q are responsible for ensuring that only the VLAN to which the frame belongs will handle that traffic, maintaining isolation between VLANs.
Relation to SDNs
• In Software-Defined Networks (SDNs), the 802.1Q standard is used to support VLANs by ensuring that virtualized network components can isolate and direct traffic based on VLAN tagging.
• This helps SDN controllers to manage network flows and maintain logical separation of traffic without needing separate physical networks.

• IEEE 802.1Q is the standard that defines VLAN tagging and how switches and bridges handle VLAN
traffic.
• It plays a crucial role in ensuring network isolation and security for VLANs and supports
virtualization technologies like SDNs.
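
Worked example for the VLAN tagging described on this page and on the VLAN pages before it: a parser that pulls the 802.1Q tag (TPID 0x8100, then the 16-bit Tag Control Information holding the 3-bit priority, 1-bit drop-eligible flag and 12-bit VLAN ID) out of an Ethernet frame, a builder for constructing such frames, and the two switch decisions that follow from the tag: which VLAN a frame is assigned on ingress, and whether a port is allowed to carry that VLAN. This is added code, not from the notes or from any switch vendor; the frames, MAC addresses and VLAN numbers are constructed. It goes slightly beyond the notes in also walking stacked tags (the 802.1ad service-tag TPID 0x88A8), so that every tag present on a frame is visible rather than only the first one.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

TPID_8021Q = 0x8100    # 802.1Q customer tag
TPID_8021AD = 0x88A8   # 802.1ad service tag, present when tags are stacked


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    tags: List[Tuple[int, int, int]]   # (PCP, DEI, VID) per tag, outermost first; empty if untagged
    ethertype: int                     # EtherType of the payload after the last tag
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> ParsedFrame:
    """Walk the Ethernet header and every 802.1Q/802.1ad tag that precedes the payload."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack("!H", raw[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(raw) < offset + 6:                      # TPID + TCI + the next EtherType
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", raw[offset + 2:offset + 4])   # Tag Control Information
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))    # PCP (3b), DEI (1b), VID (12b)
        offset += 4
    return ParsedFrame(dst, src, tags, ethertype, raw[offset + 2:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vid: Optional[int] = None,
                pcp: int = 0, dei: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Construct an untagged frame, or a tagged one when a VID is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("tag field out of range")
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def ingress_vlan(frame: ParsedFrame, port_native_vid: int) -> int:
    """VLAN a switch assigns on ingress: the outer tag's VID, or the port's native VLAN for untagged
    and priority-tagged (VID 0) frames. VID 4095 is reserved and must not appear on the wire."""
    if not frame.tags:
        return port_native_vid
    vid = frame.tags[0][2]
    if vid == 4095:
        raise ValueError("reserved VID 4095")
    return port_native_vid if vid == 0 else vid


def may_egress(vid: int, port_allowed_vids: Set[int]) -> bool:
    """A trunk port carries only the VLANs in its allowed list; other VLANs stay isolated from it."""
    return vid in port_allowed_vids


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, b"\x45" + b"\x00" * 19,
                    vid=20, pcp=5)
    parsed = parse_frame(f)
    print(parsed.tags, hex(parsed.ethertype), "ingress VLAN:", ingress_vlan(parsed, 1))
```

The ingress and egress helpers are where the notes' "only the designated VLAN receives the tagged traffic" is enforced in practice: the VID decides membership, and a trunk's allowed-VLAN list decides whether the frame may leave on a given port.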

Wide Area Networks (WAN)
• Definition of WAN
• Technologies used in WANs
• Key WAN Protocols
• Features of WAN technologies

Definition of WAN
• A Wide Area Network (WAN) connects Local Area Networks (LANs) over large geographical areas, often spanning cities, countries, or continents.
• WANs are used to connect multiple LANs, typically using leased lines, satellite links, or data packet carrier services provided by telecom companies.
Technologies used in WANs
• WAN technologies include dedicated leased lines, dial-up phone lines, satellite, microwave links, and data packet carrier services.
• Quality of Service (QoS) is important in WANs, especially when handling IP convergence (e.g., voice, data, and video traffic over a single network).
Key WAN Protocols
• X.25: Early WAN protocol known for its error correction capabilities but suffers from inefficiency and high overhead.
• Frame Relay: Focuses on speed over error correction and supports both permanent virtual circuits (PVCs) and switched virtual circuits (SVCs).
• Asynchronous Transfer Mode (ATM): Supports high-speed transmission with connection-oriented virtual circuits that can be permanent or on-demand.
• Multi-Protocol Label Switching (MPLS): The most advanced WAN protocol, MPLS offers built-in security using labeling schemes and forwarding tables. However, data can still be vulnerable to provider snooping, so organizations often choose to encrypt their data.
Features of WAN Technologies
• X.25 is reliable but inefficient due to its focus on error correction.
• Frame Relay prioritizes speed, with PVCs supporting permanent links and SVCs allowing for on-demand virtual circuits, similar to older PSTN networks.
• ATM combines the best of previous technologies and provides reliable, high-speed connections for mission-critical traffic.
• MPLS offers secure connectivity over provider networks but still requires additional encryption for highly sensitive data to protect against potential provider access.

• WANs are essential for connecting LANs across large geographical distances using protocols like
X.25, Frame Relay, ATM, and MPLS. Each protocol has unique features, with MPLS being the most
advanced, providing built-in security and fast, efficient data transmission.

Network Architecture
• Definition of Network Architecture
• Defense in Depth
• Partitioning & Network Segmentation
• Bastion Hosts
• Proxies (NAT & PAT)

Definition of Network Architecture
• Network architecture refers to the design and structure of a network, encompassing components like network devices (routers, switches), firewalls, proxies, and segmentation.
• It is responsible for ensuring security, efficiency, and scalability in an organization's network infrastructure.
Defense in Depth
• Defense in depth is a multi-layered security approach, where multiple security measures (like firewalls, intrusion detection systems, and authentication mechanisms) are implemented at various levels to protect the network.
• If one layer is compromised, additional layers still provide security.
Partitioning & Network Segmentation
• Partitioning and network segmentation refer to dividing a network into smaller, isolated sections or subnets.
• This limits visibility of network traffic and restricts access to certain areas, which can prevent lateral movement of threats within the network.
• Switches, routers, and firewalls are used to implement segmentation by controlling access between segments.
Bastion Hosts
• Bastion hosts are hardened devices (typically servers) designed to resist attacks and are placed on the perimeter of a network or in a DMZ.
• These devices are exposed to external traffic and are usually isolated from the internal network to minimize the risk of compromise.
Proxies (NAT & PAT)
• Proxies act as intermediaries between clients and external services, providing a layer of anonymity and protection.
• Network Address Translation (NAT) and Port Address Translation (PAT) are two types of proxies that allow internal devices to access external networks (like the internet) without exposing their real IP addresses.
• NAT/PAT acts as a security layer, hiding the internal network structure and making it harder for external attackers to identify individual devices.

• Network architecture is vital for ensuring network security and performance. Elements like
defense in depth, partitioning, network segmentation, bastion hosts, and proxies contribute to a
secure network environment.
• NAT/PAT hides internal IPs, while segmentation limits the visibility of network traffic, adding
additional layers of protection.

Cornell Notes by Col Subhajeet Naha, Retd, CISSP 2024


Defense in Depth

• Definition of Defense in Depth
• Multiple Security Layers
• Layered Security Examples

Definition of Defense in Depth
• Defense in depth refers to employing multiple layers of security controls to protect a network or system.
• It assumes that no single security control is foolproof, so adding layers ensures that if one control fails, others are still in place to protect against breaches.

Multiple Security Layers
• This approach includes several concentric layers of defense, each addressing a different area of security:
  • Policies and Procedures: The outermost layer, which governs how security should be implemented and maintained.
  • Environmental Considerations: Physical security, building access controls, surveillance, and securing the physical environment.
  • Physical Infrastructure: Securing servers, network devices, and workstations through hardware-based measures.
  • Operating Systems: Secure configurations, patching, and hardening of operating systems to minimize vulnerabilities.
  • Software Configurations: The innermost layer, covering firewall settings, application security, and encryption to protect data from external and internal threats.

Layered Security Examples
  • Policies and Procedures: User training programs, security policies, and access control policies.
  • Architecture Controls: Firewalls, intrusion detection systems (IDS), and network segmentation.
  • Cabling and Switching: Securing physical connections to prevent unauthorized access to the network.
  • Operating System Controls: Enforcing system patching, software updates, and user privilege restrictions.

• Defense in depth is a security strategy that uses multiple, layered security controls to protect a network or system.
• Each layer addresses a different aspect of security, from policies and procedures down to operating systems and software configurations, providing comprehensive protection.


Partitioning (Network Segmentation)

• Definition of Partitioning (Network Segmentation)
• Purpose of Partitioning
• Tools for Partitioning
• Importance of Internet Partitioning

Definition of Partitioning (Network Segmentation)
• Partitioning, also called network segmentation, is the practice of controlling traffic flow between different areas or segments of a network.
• It ensures that traffic in one part of the network is isolated and cannot be seen or accessed by devices in another segment unless a rule explicitly permits it.

Purpose of Partitioning
• Security and control: Segmentation enhances security by isolating more sensitive areas from less secure segments.
• Traffic control: Limits the visibility of network traffic to only those who need access, reducing the risk of unauthorized data access.
• Containment: Helps mitigate attacks by preventing malicious traffic from spreading across the entire network.

Tools for Partitioning
• Devices such as switches, routers, and firewalls are used to create logical partitions within the network.
• Access control rules enforced on these devices manage and control the flow of traffic between the network segments.

Importance of Internet Partitioning
• Separating external and internal networks is crucial for preventing unauthorized access to an organization's internal network.
• Firewalls can enforce rules that:
  • Scrutinize incoming traffic: Ensure that only legitimate traffic from the internet is allowed into the internal network.
  • Monitor outgoing traffic: Identify data loss prevention (DLP) concerns and stop malicious or unauthorized outbound traffic (for example, command-and-control traffic from a compromised host).
• Example: An organization's main network should be separated from the internet by firewalls and other security controls that manage both incoming and outgoing traffic.

• Partitioning (network segmentation) enhances network security by controlling traffic flow between different network segments.
• It uses tools such as firewalls, switches, and routers to isolate sensitive parts of a network, especially in relation to internet-facing connections, to protect against internal and external threats.


Network Perimeter

• Definition of Network Perimeter
• Security Controls for Network Perimeter
• Choke Points
• Importance of Limiting Entry and Exit Points

Definition of Network Perimeter
• The network perimeter is the boundary between an organization's internal network and external networks (such as the internet). It is the first point of control for inbound traffic and the last for outbound traffic, which makes it the natural place to protect internal resources.
• It is analogous to a physical security perimeter, where the goal is to secure the boundary and control entry and exit.

Security Controls for Network Perimeter
• The perimeter should have preventive, detective, and corrective controls to stop unauthorized access, detect potential breaches, and respond to attacks.
• Preventive controls: Firewalls, intrusion prevention systems (IPS), access control lists (ACLs), and network segmentation.
• Detective controls: Intrusion detection systems (IDS), network monitoring tools, logging, and alerting mechanisms.
• Corrective controls: Security incident response procedures and reactive traffic filtering or blocking once an attack has been detected.

Choke Points
• Choke points are strategic locations in a network through which all traffic must pass, allowing centralized control and monitoring.
• A choke point should exist at the network perimeter, where firewalls and other security devices can enforce rules on both incoming and outgoing traffic.
• Example: Two choke points in a network, one between the public network and a non-sensitive private network, and another between the non-sensitive and sensitive private networks. This applies additional layers of security to the critical network segments.

Importance of Limiting Entry and Exit Points
• Limiting the ingress and egress points to one creates a controlled entry and exit, which simplifies monitoring and securing traffic flow.
• A single point of entry and exit reduces the attack surface and ensures that traffic analysis and rule enforcement can be carried out effectively.
• Multiple entry points increase complexity and make monitoring difficult, just as multiple doors in a building make physical security harder to manage.
• Caveat: a single choke point must not become a single point of failure. It is normally built as a redundant pair (for example, an active/standby firewall cluster) that still presents one logical entry and exit point.

• The network perimeter is the boundary of an organization's internal network, and choke points allow centralized monitoring and control of network traffic.
• To strengthen security, organizations should minimize entry and exit points and apply preventive, detective, and corrective controls at the perimeter.


Network Segmentation

• Definition of Network Segmentation
• Importance of Network Segmentation
• Public Network vs. Internal Network
• Risks of Hosting Public Applications Internally
• Security Benefits of Segmentation

Definition of Network Segmentation
• Network segmentation is the division of a network into smaller, isolated segments to enhance security and performance.
• Each segment operates independently, with traffic between segments controlled by devices such as routers, switches, and firewalls.

Importance of Network Segmentation
• Segmentation ensures that sensitive internal resources are not directly exposed to public networks (such as the internet).
• It reduces the attack surface, limiting exposure to external threats and ensuring that critical resources remain secure.

Public Network vs. Internal Network
• The public network represents the internet, while the sensitive private network contains internal devices and sensitive applications.
• To communicate with external entities (e.g., customers, business partners), organizations need to host specific applications such as e-commerce websites or email servers.

Risks of Hosting Public Applications Internally
• Security risks arise when public-facing applications, such as an e-commerce platform or email server, are hosted within the internal network.
• Hosting these applications internally lets external users from the public network into the internal environment, exposing critical assets to attack: a compromise of the public-facing service becomes a foothold on the internal network.

Security Benefits of Segmentation
• By segregating public-facing applications from internal networks, organizations ensure that public users can interact with designated services (e.g., web servers or email systems) without gaining access to internal systems.
• Firewalls and routers filter traffic between network segments, allowing controlled access while protecting sensitive data from external threats.
• Best practice is to host public-facing services (such as websites or email) in a DMZ (demilitarized zone) to maintain a security separation between the public and private networks.

• Network segmentation is crucial for separating public-facing applications from sensitive internal networks.
• Hosting public applications on the internal network would expose critical assets to security risks, making segmentation vital for maintaining a secure and well-controlled network environment.


Bastion Host

• Definition of Bastion Host
• Location of Bastion Hosts
• Demilitarized Zone (DMZ)
• Services in the DMZ
• Boundary Router

Definition of Bastion Host
• A bastion host is a hardened server or device that sits in a controlled but exposed network environment, specifically the DMZ.
• The term "bastion" refers to a fortified position designed to withstand attack.

Location of Bastion Hosts
• Bastion hosts are typically found within the DMZ, an isolated subnetwork positioned between the internal network and the internet.
• They serve as a layer of defense, shielding the internal network by handling public-facing services.

Demilitarized Zone (DMZ)
• The DMZ is a subnetwork used to segregate public-facing services from the internal network.
• It acts as an intermediary between the internal network and the internet, and the organization retains full control over it.
• Web applications, DNS servers, email servers, and remote access systems are often placed in the DMZ for controlled access.

Services in the DMZ
• The DMZ houses public-facing services that need to be accessible from the internet but should remain isolated from internal systems.
• Applications and hosts in the DMZ are hardened (unnecessary services removed, patches current, logging enabled) and serve as fortresses against threats from the internet.

Boundary Router
• A boundary router is positioned between the DMZ and the internet.
• This router acts as a simple (packet filtering) firewall, analyzing packet headers and controlling traffic based on source and destination IP addresses and ports.
• It controls the ingress and egress of traffic between the internet and the DMZ.

• A bastion host is a fortified server placed in a DMZ to handle public-facing services securely.
• The DMZ provides a buffer zone between the internal network and the internet, with boundary routers controlling traffic flow to enhance network security.


Microsegmentation

• Definition of Microsegmentation
• Traditional Network Setup
• Microsegmentation in Virtualized Networks
• Benefits of Microsegmentation
• Technologies Supporting Microsegmentation

Definition of Microsegmentation
• Microsegmentation is the practice of dividing networks into smaller, isolated segments at a granular level (down to individual workloads) using virtualization technologies.
• It allows organizations to control traffic and enforce security policies within each segment.

Traditional Network Setup
• In traditional networks, different servers such as web, FTP, and mail servers are typically located within the same DMZ behind a single physical firewall.
• The firewall rules are loose, allowing HTTP, FTP, and SMTP traffic into the shared DMZ as a whole.
• Disadvantage: If one server (e.g., the web server) is compromised, the attacker gains a foothold in the DMZ and can move laterally to the other servers, because traffic between hosts in the same segment never crosses the firewall.

Microsegmentation in Virtualized Networks
• Virtual firewalls can be deployed in front of each server at low cost, creating a separate DMZ for each server (web, FTP, mail).
• Each virtual firewall can have strict rules for its own server: only web traffic to the web server, only FTP traffic to the FTP server, and so on.
• Benefit: If one server is compromised, the attacker cannot easily move to the other servers, because each of them sits behind its own firewall that must also be penetrated.

Benefits of Microsegmentation
• Tighter security: Each segment has specific firewall rules, making it harder for attackers to bypass security.
• Lateral movement prevention: If an attacker breaches one segment, they cannot easily access the others.
• Granular firewall rules: More precise control over traffic and security in each segment, enhancing network protection.

Technologies Supporting Microsegmentation
• Network overlays/encapsulation: Virtual networks overlaid on top of the physical network.
• Distributed firewalls: Multiple virtual firewalls deployed across segments, typically enforced at the hypervisor or host level.
• Distributed routers: Routers that distribute routing rules to individual segments.
• IDS/IPS: Can be deployed to protect individual network segments.
• Zero Trust Architecture (ZTA): Microsegmentation supports the granular trust zones used in ZTA.

• Microsegmentation virtualizes networks into smaller segments, each with individual firewall rules, enhancing security and preventing lateral movement by attackers.
• Technologies such as distributed firewalls and IDS/IPS support this approach, providing granular protection for each network segment.
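The difference between the shared DMZ of the traditional setup and the per-server firewalls of microsegmentation, and the segmentation pages before it, can be made concrete with a small policy evaluator. The following Python is an added example written for these notes, not code from the notes or from any product: hosts are grouped into segments, a policy is an ordered list of first-match rules with an implicit deny, and the same five flows are run through both layouts. The host names, addresses (documentation ranges) and ports are constructed for illustration.

```python
"""Zone-based vs. microsegmented policy, evaluated over sample flows.

Hosts are grouped into segments and a policy is an ordered list of
(src_segment, dst_segment, dst_port, action) rules with an implicit
final deny. Traffic between two hosts in the same segment is switched
locally and never reaches the firewall, which is the lateral-movement
gap that microsegmentation closes by putting each server in its own
segment behind its own (virtual) firewall.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# (src_segment, dst_segment, dst_port or None for any, "allow" | "deny")
Rule = Tuple[str, str, Optional[int], str]

# Constructed sample topology; addresses are from documentation ranges.
HOSTS = {
    "web": "192.0.2.10",
    "ftp": "192.0.2.20",
    "mail": "192.0.2.30",
    "db": "10.0.5.5",            # internal database
    "attacker": "198.51.100.77",
}

# Traditional layout: one shared DMZ behind one physical firewall.
SHARED_SEGMENTS: Dict[str, List[str]] = {
    "internet": ["0.0.0.0/0"],
    "dmz": ["192.0.2.0/24"],
    "internal": ["10.0.0.0/8"],
}
SHARED_POLICY: List[Rule] = [
    ("internet", "dmz", 80, "allow"),
    ("internet", "dmz", 21, "allow"),
    ("internet", "dmz", 25, "allow"),
    ("dmz", "internal", 5432, "allow"),   # any DMZ host may reach the database
]

# Microsegmented layout: every server is its own segment with its own rules.
MICRO_SEGMENTS: Dict[str, List[str]] = {
    "internet": ["0.0.0.0/0"],
    "web": ["192.0.2.10/32"],
    "ftp": ["192.0.2.20/32"],
    "mail": ["192.0.2.30/32"],
    "internal": ["10.0.0.0/8"],
}
MICRO_POLICY: List[Rule] = [
    ("internet", "web", 80, "allow"),
    ("internet", "ftp", 21, "allow"),
    ("internet", "mail", 25, "allow"),
    ("web", "internal", 5432, "allow"),   # only the web tier talks to the database
]


def segment_of(segments: Dict[str, List[str]], ip: str) -> str:
    """Longest-prefix match so that 0.0.0.0/0 only catches what nothing else does."""
    addr = ip_address(ip)
    best_name, best_len = None, -1
    for name, cidrs in segments.items():
        for cidr in cidrs:
            net = ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    if best_name is None:
        raise ValueError(f"{ip} belongs to no segment")
    return best_name


def evaluate(segments: Dict[str, List[str]], policy: List[Rule],
             src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow', 'deny', or 'allow-unfiltered' for intra-segment traffic."""
    src, dst = segment_of(segments, src_ip), segment_of(segments, dst_ip)
    if src == dst:
        # Same segment: the firewall is not in the path at all.
        return "allow-unfiltered"
    for rule_src, rule_dst, rule_port, action in policy:   # first match wins
        if rule_src == src and rule_dst == dst and rule_port in (None, dst_port):
            return action
    return "deny"   # implicit deny closes every rule base


SAMPLE_FLOWS = [
    ("attacker", "web", 80),     # legitimate public access
    ("web", "ftp", 22),          # lateral move after the web server is compromised
    ("mail", "db", 5432),        # mail server reaching into the internal database
    ("web", "db", 5432),         # the one internal flow the web tier needs
    ("attacker", "db", 5432),    # direct attack on the internal database
]


def compare(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, int, str, str]]:
    """Evaluate each flow under both layouts; returns (src, dst, port, shared, micro)."""
    out = []
    for src, dst, port in flows:
        shared = evaluate(SHARED_SEGMENTS, SHARED_POLICY, HOSTS[src], HOSTS[dst], port)
        micro = evaluate(MICRO_SEGMENTS, MICRO_POLICY, HOSTS[src], HOSTS[dst], port)
        out.append((src, dst, port, shared, micro))
    return out


if __name__ == "__main__":
    for src, dst, port, shared, micro in compare():
        print(f"{src:>8} -> {dst:<5}:{port:<5} shared DMZ: {shared:<17} microsegmented: {micro}")
```

Running it shows the two layouts agreeing on the public web request and on the direct attack against the database, and disagreeing on the two lateral flows: web-to-FTP on port 22 is "allow-unfiltered" in the shared DMZ (the firewall is never consulted) and "deny" once each server has its own segment, and the mail server's connection to the database is allowed by the coarse "dmz to internal" rule but denied when the rule names only the web tier.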


Proxy

• Definition of Proxy
• Function of Proxy in Networks
• Role in Security
• Layer 7 in OSI Model
• Example of Web Proxy Usage

Definition of Proxy
• A proxy is a device or application that acts on behalf of a user or application, typically mediating connections between a client and a server.

Function of Proxy in Networks
• Proxies serve as an intermediary between a client and a server, managing and directing both outgoing and incoming traffic.
• In network communication, the client perceives a direct connection to the server, while the server sees the connection as coming from the proxy: the proxy terminates the client's connection and opens its own connection to the server.

Role in Security
• Proxies are often used to filter requests and enforce security rules by blocking traffic destined for malicious destinations.
• Proxies provide enhanced security by controlling what content can reach the client and what the client can access, thus minimizing exposure to threats.

Layer 7 in OSI Model
• Proxies usually operate at Layer 7 (Application layer) of the OSI model, because they make routing and filtering decisions on application-level data (e.g., hostnames, URLs, and HTTP methods) rather than only on IP addresses and ports.

Example of Web Proxy Usage
• A web proxy is used to filter web traffic. It can block access to malicious domains or unsafe content, ensuring that the user is not inadvertently exposed to harmful websites.
• Caveat: a proxy can only inspect what it can see. For TLS traffic it must either decide on the destination hostname alone or perform TLS interception with a certificate that the clients trust.

• A proxy acts as an intermediary between a client and a server, enhancing network security by filtering and blocking malicious traffic.
• By making intelligent decisions at the Application layer (Layer 7), proxies help enforce rules that secure the environment from potential threats.
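The Layer 7 decision a filtering web proxy makes, as an added example written for these notes (not code from the notes or from any proxy product): the proxy receives the client's raw HTTP request, recovers the destination host from the request line or Host header, applies a domain blocklist, and either answers the client with a 403 or produces the request it will forward from its own address. The blocklist entries, the proxy address, and the sample requests are constructed. Two details are worth seeing in code: blocklist matching is done per DNS label, so that "evil.example" also catches "cdn.evil.example" but not "notevil.example", and the origin server only ever sees the proxy's source address.

```python
"""Layer-7 decision logic of a filtering web proxy, simulated.

The proxy receives the client's raw HTTP request, recovers the destination
host from the request line (absolute-form GET or CONNECT) or the Host
header, applies a domain blocklist and either answers the client with a
403 or produces the request it will forward from its own address.
"""
from typing import Dict, Optional, Tuple

BLOCKLIST = {"evil.example", "malware-cdn.test"}   # constructed sample entries
PROXY_IP = "203.0.113.9"                            # assumed address of the proxy


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, request-target, headers) from the request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def destination_host(method: str, target: str, headers: Dict[str, str]) -> Optional[str]:
    """Work out where the client actually wants to go."""
    if method.upper() == "CONNECT":           # CONNECT host:port HTTP/1.1
        return target
    lowered = target.lower()
    if lowered.startswith("http://") or lowered.startswith("https://"):
        return target.split("/", 3)[2]        # authority part of the absolute URL
    return headers.get("host")


def host_blocked(host: str) -> bool:
    """True if host or any parent domain is on the blocklist."""
    name = host.split(":")[0].rstrip(".").lower()    # drop port and trailing dot
    labels = name.split(".")
    # a.b.c -> check a.b.c, b.c, c (label-wise, so notevil.example stays clean)
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def proxy_decide(raw: bytes) -> Dict[str, object]:
    """Decide what the proxy does with one client request."""
    method, target, headers = parse_request(raw)
    host = destination_host(method, target, headers)
    if not host:
        return {"action": "block", "host": None, "from_ip": None,
                "payload": b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"}
    if host_blocked(host):
        body = b"Blocked by policy\n"
        return {"action": "block", "host": host, "from_ip": None,
                "payload": b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
                           b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body}
    # Forwarded as-is; the TCP connection to the origin is opened from PROXY_IP,
    # so the server sees the proxy, not the client. (Adding an X-Forwarded-For
    # header would give the client address away again.)
    return {"action": "forward", "host": host, "from_ip": PROXY_IP, "payload": raw}


if __name__ == "__main__":
    for req in (b"GET http://www.evil.example/x HTTP/1.1\r\nHost: www.evil.example\r\n\r\n",
                b"GET http://notevil.example/ HTTP/1.1\r\nHost: notevil.example\r\n\r\n",
                b"CONNECT cdn.evil.example:443 HTTP/1.1\r\nHost: cdn.evil.example:443\r\n\r\n"):
        d = proxy_decide(req)
        print(d["action"], d["host"], d["from_ip"])
```

The CONNECT case is the one that matters for HTTPS: the proxy never sees the encrypted request, so the hostname in the CONNECT line is the only thing it can filter on unless it intercepts TLS.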


NAT and PAT

• Definition of NAT
• Function of NAT in Networks
• Definition of PAT
• Role of PAT in Port Translation
• NAT and PAT in Security

Definition of NAT
• Network Address Translation (NAT) is a mechanism that translates private IP addresses into public IP addresses and vice versa, allowing devices on a local network to communicate with external networks such as the internet.

Function of NAT in Networks
• NAT masks internal IP addresses by converting non-routable, private addresses (e.g., 10.0.0.50) to routable, public addresses (e.g., 199.53.72.2), enabling devices to communicate externally.

Definition of PAT
• Port Address Translation (PAT), also called NAT overload or NAPT, is an extension of NAT that assigns a unique source port to each outgoing connection, enabling multiple devices to share the same public IP address simultaneously.

Role of PAT in Port Translation
• PAT ensures that each outgoing connection is associated with a unique public port (e.g., a client's port 1037 is translated to port 1058), allowing multiple devices to communicate through the same public IP while keeping their connections distinct.
• The translation device keeps a table of these mappings so that a reply arriving on the public port can be rewritten back to the correct internal host and port.

NAT and PAT in Security
• NAT and PAT add a layer of security by hiding internal IP addresses from external networks. This makes it harder for attackers to perform reconnaissance on the internal network structure, as the internal addresses are masked.
• Caveat: this protection is a side effect of translation, not a filtering decision. Unsolicited inbound packets are dropped only because no translation entry exists for them; NAT does not replace a firewall, and port forwarding or UPnP can expose internal hosts again.

• NAT translates private IP addresses to public ones, allowing internal devices to communicate with the internet.
• PAT allows multiple devices to share a single public IP address by assigning unique ports to each connection, providing both address conservation and an additional layer of obscurity.
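The PAT behaviour described above, simulated in Python as an added example (not code from the notes or from any NAT implementation): a gateway with one assumed public address keeps a session table, rewrites outbound packets to that address with a freshly allocated port, maps replies back by port, and drops inbound packets that match no session. The private and external addresses and the starting port 1058 are constructed to mirror the notes' figures. Keying the table on the full 5-tuple, so that a reply is accepted only from the peer the session was opened to, is the choice a stateful translator makes.

```python
"""Port Address Translation (PAT) session table, simulated.

Outbound packets from private hosts are rewritten to the gateway's single
public address with a freshly chosen source port; replies are matched on
that port and rewritten back. A packet from outside that matches no
session entry has no internal destination and is dropped, which is the
'hiding' effect the notes describe.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.2"    # assumed public address of the gateway (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatGateway:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 1058):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.sessions: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port) -> (priv_ip, priv_port, remote_ip, remote_port)
        self.by_port: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet to public_ip:port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.sessions.get(key)
        if port is None:
            # A real translator often keeps the original port when it is free;
            # this one always allocates the next unused public port.
            port = self.next_port
            self.next_port += 1
            self.sessions[key] = port
            self.by_port[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside packet to its private host, or None to drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.by_port.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None   # nothing inside opened this: unsolicited, dropped
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None   # right port, wrong peer: not part of the session
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


def demo() -> Dict[str, Optional[Packet]]:
    """Two inside hosts using the same source port, one reply, two rejects."""
    gw = PatGateway()
    remote = ("93.184.216.34", 443)    # constructed external web server
    out_a = gw.translate_outbound(Packet("10.0.0.50", 1037, *remote))
    out_b = gw.translate_outbound(Packet("10.0.0.51", 1037, *remote))
    reply_b = gw.translate_inbound(Packet(*remote, PUBLIC_IP, out_b.src_port))
    spoofed = gw.translate_inbound(Packet("198.51.100.77", 443, PUBLIC_IP, out_b.src_port))
    unsolicited = gw.translate_inbound(Packet("198.51.100.77", 40000, PUBLIC_IP, 22))
    return {"out_a": out_a, "out_b": out_b, "reply_b": reply_b,
            "spoofed": spoofed, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:<12} {pkt if pkt else 'DROPPED'}")
```

Both inside hosts used source port 1037, so without the port rewrite their replies would be indistinguishable; PAT hands them 1058 and 1059. The unsolicited packet to port 22 and the packet from the wrong peer are both dropped, which is exactly as far as NAT's "security" goes: anything an inside host initiates, or anything a port-forwarding rule publishes, is reachable.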


Firewalls and Firewall Technologies - 1

• What is a Firewall?
• Firewall Functions
• Types of Firewalls
• Pros and Cons of Different Firewall Technologies

What is a Firewall?
• A firewall is a preventive security control used to enforce security rules between two or more networks.
• It works by filtering network traffic against a set of predefined rules to either allow or block traffic.
• Firewalls are typically deployed between an internal network and the internet, but can also segment internal networks for additional security.

Firewall Functions
• Traffic filtering: Firewalls inspect and control both incoming and outgoing network traffic.
• Rule-based: Firewalls operate on predefined rules, deciding which packets are allowed or denied based on criteria such as IP addresses, ports, and protocols. Rules are evaluated in order, the first match wins, and a rule base normally ends with an implicit deny of anything not explicitly allowed.
• Prevention: Firewalls serve as preventive controls, stopping unauthorized access before it occurs.

Types of Firewalls
1. Packet Filtering Firewalls
  • Simple (stateless) packet filtering operates at Layer 3 of the OSI model (Network layer), examining each packet in isolation; in practice it also reads the Layer 4 port numbers from the header.
  • Stateful packet filtering tracks the state of active connections, ensuring that traffic is legitimate and tied to a valid session.
2. Circuit-Level Proxy Firewalls
  • Operate at Layer 5 (Session layer).
  • Monitor session initiation (such as the TCP handshake) to ensure the session is legitimate, but do not inspect the data being transmitted.
3. Application-Level Proxy Firewalls
  • Operate at Layer 7 (Application layer).
  • Inspect application data in the network traffic (e.g., HTTP, FTP) and filter based on application behaviour.


Firewalls and Firewall Technologies - 2

• What is a Firewall?
• Firewall Functions
• Types of Firewalls
• Pros and Cons of Different Firewall Technologies

Pros and Cons of Different Firewall Technologies
• Simple Packet Filtering Firewalls
  • Pros: Fast, low processing overhead, easy to implement.
  • Cons: Checks only basic header information such as IP addresses and ports, offering limited protection.
• Stateful Packet Filtering Firewalls
  • Pros: Monitors the state of active connections; more secure than simple packet filtering.
  • Cons: Increased complexity and higher resource consumption; the state table itself can be a target (e.g., exhaustion by a SYN flood).
• Circuit-Level Proxy Firewalls
  • Pros: Protects the session layer; verifies that connections are legitimately established.
  • Cons: Does not inspect data; provides less granular control over traffic.
• Application-Level Proxy Firewalls
  • Pros: Deep packet inspection; can filter based on specific applications; provides granular control.
  • Cons: High processing overhead and slower performance due to detailed analysis of traffic; needs a proxy for each protocol it is to understand.

• A firewall is a security control that filters network traffic based on predefined rules and is essential for protecting internal networks from external threats.
• Different firewall technologies offer varying levels of security and performance, from simple packet filtering to application-level inspection.
• Application-level firewalls provide the most detailed traffic filtering but come with increased processing overhead.


Context-Based Access Control (CBAC)

• Context-Based Access Control (CBAC)
• Deep Traffic Inspection
• Filtering TCP and UDP Packets
• Session-Based Filtering
• DDoS Detection

Context-Based Access Control (CBAC) Overview
• CBAC is a firewall software feature (originally part of the Cisco IOS Firewall feature set) that provides intelligent filtering of TCP and UDP packets.
• It analyzes session information at the Application layer, allowing the firewall to make contextual decisions about which traffic should be allowed or blocked.
• Key feature: Instead of simple packet filtering, CBAC performs deep traffic inspection, meaning it understands the context of a connection, including which application protocol is in use.

Deep Traffic Inspection and Filtering
• Deep traffic inspection is a key capability of CBAC: it can filter packets based on their content and not just their headers, providing better control and security.
• This inspection also provides real-time protection against threats such as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, for example by limiting the number of half-open TCP sessions.
• Additionally, CBAC can provide advanced statistics on network protocols and connections, which helps with monitoring and analysis.

Session-Based Filtering
• CBAC tracks the state and context of a session (similar to stateful firewalls, but with deeper protocol analysis).
• It dynamically adjusts firewall rules based on the application session and related data, opening and closing ports as needed and only for the duration of the session, which minimizes risk exposure. This matters for protocols such as FTP that negotiate a second (data) connection on a port chosen during the session; a static rule would have to leave that port range open permanently.

• CBAC adds context awareness to firewall filtering, inspecting traffic at the Application layer for enhanced security.
• It allows deep traffic inspection and provides additional security capabilities, such as DDoS detection and real-time traffic analysis.
• The main advantage of CBAC is its ability to filter TCP/UDP traffic based on session state and content, making it a more advanced and dynamic method of access control than traditional static packet filtering.


Firewall Architectures

• Firewall Architectures
• Packet Filtering
• Dual-Homed Host
• Screened Host
• Screened Subnet
• Three-Legged Firewall
• Security Requirements

Overview of Firewall Architectures
• Firewall architectures vary based on organizational needs and technological advancements.
• The architecture of a firewall is crucial to how it handles security, providing different layers of protection depending on business goals and risk tolerance.

Common Firewall Architectures
1. Packet Filtering Architecture:
  • The simplest form of firewall architecture, which filters packets based on source/destination IP addresses and ports.
  • Operates at OSI Layer 3 (Network layer) and is very fast, but lacks deep security controls.
  • Pros: High speed, low cost.
  • Cons: Minimal intelligence, vulnerable to spoofing attacks, no application-level filtering.
2. Dual-Homed Host Architecture:
  • A system with two network interfaces that separates a private network from an external network (such as the internet).
  • Firewall software resides on the host and controls all traffic between the two interfaces; IP forwarding between the interfaces must be disabled so that nothing bypasses the firewall software.
  • Pros: Simple architecture, cost-effective.
  • Cons: Single point of failure (the host), less flexible.
3. Screened Host Architecture:
  • Adds a bastion host (a hardened server) to the architecture, which serves as an intermediary between the internal and external networks.
  • A router filters external traffic, forwarding allowed traffic to the bastion host, which provides application-level security.
  • Pros: Better security than dual-homed; a single, well-defined point of defense.
  • Cons: The bastion host can still be targeted, and because it sits on the internal network its compromise exposes the inside.
4. Screened Subnet Architecture:
  • Also known as a Demilitarized Zone (DMZ) architecture.
  • Consists of two screening routers (or firewalls), one between the internal network and the DMZ, and the other between the DMZ and the external network.
  • Pros: Provides an additional layer of defense; external services (such as web or email) are isolated in the DMZ.
  • Cons: More complex; requires careful, consistent configuration of both routers.
5. Three-Legged Firewall Architecture:
  • A single firewall with three interfaces: one connected to the internal network, one to the external network (internet), and one to the DMZ.
  • Allows secure separation of internal, external, and DMZ traffic with a single firewall device.
  • Pros: Simplifies network design with fewer devices; flexible rules for controlling traffic between segments.
  • Cons: Potential single point of failure, and a single misconfiguration can expose the internal network directly to the internet.

Firewall Architecture Considerations
• The architecture selected should reflect the security requirements and operational needs of the organization.
• For example, an e-commerce business may require a screened subnet or three-legged firewall to separate web services from internal databases.
• The cost, complexity, performance, and threat model of the organization should guide the choice of architecture.

• Firewall architectures are tailored to an organization's specific needs, balancing security and performance.
• The simplest form is packet filtering, while more sophisticated architectures such as screened subnets and three-legged firewalls offer layered security for sensitive services.
• The DMZ in screened subnet and three-legged firewall architectures isolates public-facing applications, enhancing security.


Packet Filtering Firewall

• Packet Filtering Firewall
• Layer 3 (Network Layer)
• Firewall Decision-Making
• Efficiency vs. Intelligence
• Limited Security

Packet Filtering Firewall Overview
• Packet filtering firewalls are the simplest type of firewall, typically implemented using a router.
• They operate at OSI Layer 3, meaning they examine only packet headers to make security decisions.
• The decision-making process is based on information such as source and destination IP addresses, ports, and protocols.

Functionality
• This architecture is depicted as a router placed between the internal network and an untrusted network (such as the internet).
• The router filters traffic based on predefined rules in an Access Control List (ACL), which may include:
  • Allow/deny rules for specific IP addresses
  • Filters based on ports (e.g., blocking services such as FTP or Telnet)
  • Protocol-based filtering, such as permitting or denying TCP, UDP, or ICMP.
• Rules are matched in order and the first match wins, so rule order is part of the security configuration; most ACLs end with an implicit deny.

Pros
• High efficiency and speed: Since decisions are based solely on header information, without inspecting packet content, filtering is fast.
• Low cost: Packet filtering firewalls are simple and cost-effective to deploy.

Cons
• Limited security: Since only Layer 3/4 header information is analyzed, the firewall cannot examine the payload or provide deeper inspection of application-level data.
  • This makes it susceptible to IP spoofing, fragmentation attacks, and other advanced techniques.
• No session awareness: The firewall does not maintain information about the state of connections, so it cannot tell a genuine reply from a crafted packet that merely looks like one (for example, an inbound packet with the ACK flag set), and it cannot defend against state-based attacks such as SYN floods.

• Packet filtering firewalls provide basic security by filtering traffic based on Layer 3 packet headers.
• Efficiency and low cost are key benefits, but security is limited by the lack of application-layer filtering and session awareness.
• Best suited for simple, low-risk environments where speed is a priority and advanced threats are less likely.
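The "no session awareness" limitation above, and the stateless versus stateful distinction drawn on the firewall types pages, can be seen by running one packet sequence through both kinds of filter. The following Python is an added example written for these notes, not code from the notes or from any firewall product. The stateless filter reproduces the classic packet-filtering-router rule that admits inbound TCP when the ACK or RST bit is set (the "established" keyword), on the assumption that only replies to connections opened from inside carry those bits; the stateful filter keeps a table of connections it saw opened and admits inbound packets only if they belong to one. Addresses, ports and packets are constructed.

```python
"""A stateless ACL and a stateful filter applied to the same packets.

The stateless filter is the classic packet-filtering-router trick: inbound
TCP is admitted if the ACK or RST flag is set, on the assumption that only
replies to connections opened from inside carry those bits. The stateful
filter instead keeps a table of connections it saw opened and only admits
inbound packets that belong to one of them. The two agree on ordinary
traffic and disagree on a crafted inbound ACK packet, which is what an
ACK scan or a spoofed 'reply' looks like.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

WEB_SERVER_PORT = 80   # the one inbound service the internal network exposes


@dataclass(frozen=True)
class Pkt:
    direction: str         # "in" (toward the internal network) or "out"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_filter(pkt: Pkt) -> str:
    """Header-only ACL, evaluated top-down with an implicit deny."""
    if pkt.direction == "out":
        return "allow"                              # inside may go anywhere
    if pkt.dst_port == WEB_SERVER_PORT:
        return "allow"                              # public web service
    if pkt.flags & {"ACK", "RST"}:
        return "allow"                              # 'established': assumed to be a reply
    return "deny"


class StatefulFilter:
    """Connection table keyed as (inside_ip, inside_port, outside_ip, outside_port).

    Simplified: a real tracker keeps an entry until both sides have closed
    and ages idle entries out; this one drops the entry on the first FIN/RST.
    """

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Pkt) -> str:
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.flags == frozenset({"SYN"}):
                self.table.add(key)                 # inside host opened a connection
            elif pkt.flags & {"FIN", "RST"}:
                self.table.discard(key)             # connection torn down
            return "allow"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            if pkt.flags & {"FIN", "RST"}:
                self.table.discard(key)
            return "allow"                          # genuinely part of a known session
        if pkt.dst_port == WEB_SERVER_PORT and pkt.flags == frozenset({"SYN"}):
            self.table.add(key)                     # new inbound web connection
            return "allow"
        return "deny"                               # no session, not a fresh web request


# Constructed packet sequence (documentation-range addresses).
SAMPLE_PACKETS: List[Pkt] = [
    Pkt("out", "10.0.0.50", 1037, "93.184.216.34", 443, frozenset({"SYN"})),       # client opens HTTPS
    Pkt("in", "93.184.216.34", 443, "10.0.0.50", 1037, frozenset({"SYN", "ACK"})),  # genuine reply
    Pkt("in", "198.51.100.77", 4444, "10.0.0.50", 22, frozenset({"ACK"})),          # crafted ACK to SSH
    Pkt("in", "198.51.100.77", 40000, "10.0.0.80", 80, frozenset({"SYN"})),         # new web request
    Pkt("in", "198.51.100.77", 40001, "10.0.0.50", 445, frozenset({"SYN"})),        # SMB probe
]


def run(packets: List[Pkt] = SAMPLE_PACKETS) -> List[Tuple[str, str]]:
    """Return (stateless decision, stateful decision) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.decide(p)) for p in packets]


if __name__ == "__main__":
    for p, (sl, sf) in zip(SAMPLE_PACKETS, run()):
        print(f"{p.direction:>3} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
              f"{'/'.join(sorted(p.flags)):<8} stateless={sl:<5} stateful={sf}")
```

The third packet is the one to look at: it is an inbound segment to port 22 with only the ACK bit set, which no inside host asked for. The stateless ACL lets it through because the header matches the "established" rule, which is why an ACK scan can map open ports behind such a router; the stateful filter rejects it because no entry in its table corresponds to that connection. The same table is what CBAC extends with application-protocol awareness.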


Dual-Homed Host

• Dual-Homed Host
• Two Network Cards
• Supports All OSI Layers
• Advanced Decision-Making
• Improved Security

Dual-Homed Host Overview
• A dual-homed host is an improvement over simple packet filtering: a computer or intelligent host with two network interface cards (NICs).
• This host sits between two networks, typically between the internal trusted network and an untrusted network (such as the internet).

Functionality
• Unlike packet filtering routers, a dual-homed host can operate across all layers of the OSI model.
• This means the firewall can make decisions based on application-layer data, session information, and even packet content.
• The architecture allows the host to serve as a gatekeeper, managing traffic between two distinct network segments.
• It can use advanced firewall technologies such as stateful inspection, circuit-level proxying, and application-level filtering.
• IP forwarding between the two interfaces must be disabled at the operating-system level; otherwise packets are routed straight through and the firewall software is bypassed.

Pros
• Increased security: With two network cards, the host physically separates traffic between the trusted and untrusted networks.
  • Direct packet forwarding between the two networks is impossible without passing through the host's decision-making process.
• Granular control: The dual-homed host can make more complex decisions than simple packet filtering, using techniques such as stateful inspection or application filtering.

Cons
• Potential bottlenecks: Since all traffic must pass through the dual-homed host, it can become a performance bottleneck, especially when handling a large amount of traffic or performing complex filtering.
• Single point of failure: The dual-homed host is a critical single point in the network. If it goes down, the network may lose connectivity between segments; if it is compromised, the attacker holds a host with an interface in each network.
• More expensive: This architecture requires a more intelligent device than a simple router, potentially increasing cost.

Example Use Case
• Commonly used where a DMZ (demilitarized zone) is needed, allowing controlled access to public-facing services (such as a web server) while protecting internal systems.

• A dual-homed host has two network cards and can perform more advanced filtering than a simple packet filtering router.
• It operates across all OSI layers, making it capable of complex decision-making for traffic between two network segments.
• While providing enhanced security, it can also introduce bottlenecks and act as a single point of failure.


Screened Host Firewall Architecture
• Screened Host
• Combination of Packet Filtering and Dual-Homed Host
• Bastion Host
• Router as Initial Filter
• Layered Security

Screened Host Overview
• A screened host firewall architecture combines the strengths of both a packet filtering router and a dual-homed host firewall.
• This architecture is designed to provide multiple layers of security by utilizing both technologies to control traffic flow.
Components
1. Packet Filtering Router:
  • Acts as the first line of defense, performing initial filtering of incoming packets. It makes basic decisions based on Layer 3 (Network layer) information like IP addresses and ports.
  • If traffic is allowed through, the router forwards it to the bastion host for further inspection.
2. Bastion Host:
  • The bastion host is a more advanced firewall device that provides detailed traffic inspection. It can be any type of firewall technology, such as a stateful or application-level proxy firewall.
  • The bastion host adds an additional layer of filtering by inspecting traffic at higher layers of the OSI model, such as application data.
Advantages
• Layered Security:
  • The packet filtering router performs basic checks before allowing any traffic to reach the bastion host. This creates a layered defense system, making it harder for attackers to penetrate.
  • Attackers must first bypass the router before attempting to compromise the bastion host.
• Performance Optimization:
  • The router handles simpler decisions, reducing the load on the bastion host, which only processes traffic that has passed the first layer of filtering.
• Versatility:
  • The bastion host can be highly customized, with various firewall technologies applied based on specific security needs (e.g., application-level filtering, stateful inspection).
Disadvantages
• Complex Configuration:
  • Configuring both the packet filtering router and bastion host correctly can be challenging and may require more technical expertise.
• Potential Bottlenecks:
  • If the router or bastion host becomes overloaded with traffic, it can cause a performance bottleneck, particularly with higher levels of inspection on the bastion host.
Example Use Case
• Commonly used in environments where an organization wants two layers of traffic filtering. For example, in an e-commerce environment, the router would handle general traffic filtering, while the bastion host would inspect deeper for malicious application data or unauthorized access attempts.

• The screened host architecture combines a packet filtering router with a bastion host, providing
multiple layers of filtering and enhanced security.
• Attackers would need to bypass the router before targeting the bastion host, offering layered
defense.
• This architecture offers versatility but can be complex to configure and may experience
bottlenecks under heavy traffic loads.



Screened Subnet Firewall Architecture
• Screened Subnet
• Two Firewalls
• DMZ (Demilitarized Zone)
• Traffic Segmentation
• Vendor Diversification

Screened Subnet Overview
• A screened subnet architecture is a more advanced firewall design where two firewalls are deployed.
• This architecture creates an isolated subnet or DMZ (Demilitarized Zone) between the external and internal networks.
Components
1. Two Firewalls:
  • The first firewall separates the external network (often the Internet) from the DMZ. This firewall filters incoming traffic to the public-facing servers in the DMZ.
  • The second firewall separates the DMZ from the internal network, providing another layer of security for sensitive internal resources.
2. DMZ (Demilitarized Zone):
  • The DMZ acts as a buffer zone between the public and internal networks. Public-facing services like web servers, mail servers, and DNS servers can reside in the DMZ, making them accessible to external users while limiting access to the internal network.
Advantages
• Enhanced Security:
  • The dual-firewall setup creates two layers of defense, making it difficult for attackers to reach the internal network.
  • If an attacker compromises the DMZ, they still need to bypass the second firewall to access internal resources.
• Traffic Segmentation:
  • The architecture allows for specific traffic routing: external traffic is directed only to the DMZ, while the internal network remains isolated. This segmentation limits the spread of attacks.
• Vendor Diversification:
  • Using two firewalls from different vendors reduces the risk that a vulnerability in one firewall will affect the entire system. If one firewall has a weakness, the second firewall from a different vendor is unlikely to have the same vulnerability.
Disadvantages
• Cost:
  • The deployment of two firewalls increases the cost of both hardware and software.
  • There is also an increase in maintenance and management costs, as both firewalls need to be monitored and updated regularly.
• Complexity:
  • Configuring and managing two firewalls requires more technical expertise and careful coordination, especially if they are from different vendors.
• Latency:
  • The extra layer of security can introduce network latency, particularly if both firewalls are performing deep packet inspection and other resource-intensive tasks.
Example Use Case
• Commonly used by organizations that require public-facing services (e.g., e-commerce websites) but also need to ensure that sensitive internal data is highly protected.
• For example, a bank might use a screened subnet architecture to host its public banking services (e.g., online banking) in the DMZ, while ensuring its internal financial systems remain protected behind a second firewall.

• A screened subnet architecture uses two firewalls to create a DMZ between the external and
internal networks.
• It provides enhanced security and traffic segmentation by isolating public-facing services from the
internal network.
• While costly and complex, using two firewalls from different vendors increases security by
mitigating the risk of a shared vulnerability.



Three-Legged Firewall Architecture - 1
• Three-Legged Firewall
• Three Connection Points
• Multiple Zones
• Security Customization
• Versatility

Three-Legged Firewall Overview
• A three-legged firewall is a type of firewall configuration where the firewall has three connection points (interfaces) that allow the creation of three distinct network zones.
• These zones typically include:
  • External Network (Internet)
  • DMZ (Demilitarized Zone)
  • Internal Network
• This architecture can also support additional connection points if needed, depending on the organization’s security requirements.
Key Features
• Multiple Zones:
  • The firewall can support three or more distinct network zones:
    • External Network: Represents the untrusted, public network (e.g., the Internet).
    • DMZ: A zone where public-facing servers (e.g., web servers, mail servers) reside. These servers need to be accessible from the external network.
    • Internal Network: Contains highly sensitive data and is not accessible directly from the external network.
• Traffic Control:
  • The firewall controls traffic between the three zones, allowing specific rules and policies to be applied to each connection point.
  • For example:
    • Traffic from the external network to the DMZ might allow HTTP/HTTPS traffic to reach a web server.
    • Traffic from the DMZ to the internal network may be strictly controlled, allowing only certain types of connections, such as database queries from a web application.
Security Customization
• The three-legged firewall allows for customized security policies tailored to the needs of each network zone.
  • For instance, the firewall could apply lenient rules for the external network, stricter rules for the DMZ, and the strictest rules for traffic moving into the internal network.
• Granular Security:
  • This setup ensures granular security, where different services and applications are separated by distinct zones, thus limiting the risk of lateral movement in the event of a breach.
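As an added worked example (not code from the notes), the per-zone rules described above can be expressed as a default-deny policy table keyed by source and destination zone; the subnets, host addresses and ports below are constructed sample values.

```python
"""Zone policy evaluation for a three-legged firewall.

Added example (not code from the notes). It models the three zones the notes
describe (external, DMZ, internal), maps an address to a zone by the subnet
behind each interface ("leg"), and applies a default-deny rule table keyed by
(source zone, destination zone). The rules encode the notes' example policy:
external->DMZ allows only HTTP/HTTPS to the web server, DMZ->internal allows
only the web application's database queries. All subnets, hosts and ports are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed subnets behind the three interfaces. The external leg is the
# catch-all; zone_of() picks the most specific match, so DMZ and internal win.
ZONES = {
    "external": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}


def zone_of(ip):
    """Return the name of the most specific zone containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > ZONES[best].prefixlen:
                best = name
    return best


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    dst_ports: frozenset  # allowed destination ports
    src_hosts: frozenset  # allowed source addresses; "*" = any host in src_zone
    dst_hosts: frozenset  # allowed destination addresses; "*" = any host in dst_zone


ANY = frozenset({"*"})

# One policy per zone pair; the strictest rules guard traffic entering "internal".
RULES = [
    # Internet users may reach only the DMZ web server, only on HTTP/HTTPS.
    Rule("external", "dmz", "tcp", frozenset({80, 443}), ANY, frozenset({"192.0.2.10"})),
    # Only the web application may query the internal database server.
    Rule("dmz", "internal", "tcp", frozenset({5432}), frozenset({"192.0.2.10"}), frozenset({"10.10.5.20"})),
    # Internal admins may manage DMZ hosts over SSH/HTTPS.
    Rule("internal", "dmz", "tcp", frozenset({22, 443}), ANY, ANY),
    # Internal users may browse the Internet.
    Rule("internal", "external", "tcp", frozenset({80, 443}), ANY, ANY),
]


def evaluate(src_ip, dst_ip, proto, dst_port, rules=RULES):
    """Return ("allow", matched rule summary) or ("deny", reason).

    Default deny: a flow passes only if a rule for its (source zone,
    destination zone) pair matches protocol, port, source and destination.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", "address not in any configured zone")
    if src_zone == dst_zone:
        return ("deny", f"intra-zone traffic in {src_zone} does not cross the firewall")
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.proto) != (src_zone, dst_zone, proto.lower()):
            continue
        if dst_port not in rule.dst_ports:
            continue
        if rule.src_hosts != ANY and src_ip not in rule.src_hosts:
            continue
        if rule.dst_hosts != ANY and dst_ip not in rule.dst_hosts:
            continue
        return ("allow", f"{src_zone}->{dst_zone} {rule.proto}/{dst_port}")
    return ("deny", f"no rule permits {src_zone}->{dst_zone} {proto.lower()}/{dst_port}")


# Constructed flows: (src, dst, proto, dst_port). 203.0.113.0/24 plays the Internet.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 443),   # Internet -> web server HTTPS: allow
    ("203.0.113.5", "192.0.2.10", "tcp", 22),    # Internet -> web server SSH: deny
    ("203.0.113.5", "10.10.5.20", "tcp", 5432),  # Internet -> database directly: deny
    ("192.0.2.10", "10.10.5.20", "tcp", 5432),   # web app -> database: allow
    ("192.0.2.11", "10.10.5.20", "tcp", 5432),   # other DMZ host -> database: deny (limits lateral movement)
    ("10.10.3.4", "192.0.2.10", "tcp", 22),      # admin -> DMZ host SSH: allow
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        decision, why = evaluate(*flow)
        print(f"{flow[0]:>13} -> {flow[1]:>11} {flow[2]}/{flow[3]:<5} {decision:5} ({why})")
```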



Three-Legged Firewall Architecture - 2
• Three-Legged Firewall
• Three Connection Points
• Multiple Zones
• Security Customization
• Versatility

Versatility and Scalability
• The three-legged firewall architecture is highly versatile.
• It can be deployed with any number of zones, making it flexible for growing organizations that need to add new services or network segments over time.
• Firewall Technologies:
  • Various firewall technologies can be employed at each connection point, including packet filtering, stateful packet inspection, or application-layer firewalls, depending on the organization's security needs.
Advantages
• Cost-Effective:
  • Compared to more complex architectures like screened subnets, a three-legged firewall is often more cost-effective, requiring fewer hardware devices.
• Simplified Management:
  • Since the firewall is controlling multiple zones from a single device, the management and monitoring of network traffic are centralized, reducing administrative complexity.
Disadvantages
• Single Point of Failure:
  • If the firewall fails, all three network zones become inaccessible, making this a single point of failure. Therefore, high availability features or redundancy may be necessary.
• Resource Intensive:
  • The firewall must handle traffic for three separate zones, which can increase processing load, especially if deep packet inspection or complex rules are applied. This can slow performance if not properly sized.
Example Use Case
• A three-legged firewall is ideal for small to medium-sized businesses that want to securely host public-facing applications (e.g., websites) in a DMZ while maintaining strong security for their internal networks.
• For example, an e-commerce company might use a three-legged firewall to separate its public web server from its payment processing system in the internal network, ensuring that external users never directly access sensitive data.

• A three-legged firewall has three connection points that create multiple network zones: the external network, DMZ, and internal network.
• This architecture allows for customized security policies between zones and provides cost-effective network protection.
• While versatile, it can be a single point of failure and may require resource-intensive management.



IDS and IPS - 1
• Data Inspection
• Intrusion Detection System (IDS)
• Intrusion Prevention System (IPS)
• Network-based vs. Host-based
• Mirror/Span/Promiscuous Port
• Detection Methods
• Ingress and Egress Monitoring
• Whitelisting and Blacklisting

Data Inspection
• The process of monitoring and examining data traveling across the network or being processed by host devices to identify suspicious or malicious activity.
• Key Function: Ensure that all traffic is scrutinized for anomalies, policy violations, or malicious behavior.
Intrusion Detection System (IDS)
• IDS performs data inspection to detect intrusions, log the activity, and generate alerts.
  • Detects potential security threats but does not actively block traffic.
  • Actions: Logs, alerts, and sometimes triggers other devices to take action (e.g., firewalls).
  • Main Role: Acts as a monitoring tool, enabling administrators to investigate and respond to incidents.
Intrusion Prevention System (IPS)
• IPS also inspects data, but unlike IDS, it prevents or mitigates intrusions by actively blocking traffic.
  • Additional Action: Automatically takes corrective measures (e.g., dropping malicious packets, resetting connections).
  • Main Role: Provides real-time protection by actively stopping threats.
Types of IDS/IPS
1. Network-Based IDS/IPS (NIDS/NIPS)
  • Monitors network traffic across entire segments and detects threats targeting any device on the network.
  • Best for monitoring network-level threats.
2. Host-Based IDS/IPS (HIDS/HIPS)
  • Monitors activities on a specific host (e.g., server or endpoint) and detects threats targeting the individual host.
  • Best for monitoring insider threats and host-specific attacks.
Mirror/Span/Promiscuous Port
• Promiscuous mode: A specific port on a network device (e.g., a switch) is set to receive all traffic for monitoring purposes.
• Used by IDS/IPS systems to inspect all network traffic without interrupting normal traffic flow.



IDS and IPS - 2
• Data Inspection
• Intrusion Detection System (IDS)
• Intrusion Prevention System (IPS)
• Network-based vs. Host-based
• Mirror/Span/Promiscuous Port
• Detection Methods
• Ingress and Egress Monitoring
• Whitelisting and Blacklisting

Detection Methods
1. Pattern/Signature-Based Detection
  • Detects threats by comparing traffic patterns against a database of known attack signatures.
  • Effective for known threats, but cannot detect zero-day attacks.
2. Anomaly-Based Detection
  • Detects threats by identifying unusual behavior or deviations from normal network traffic patterns.
  • Useful for detecting new or unknown threats but may lead to false positives.
Ingress and Egress Monitoring
• Ingress: Monitoring of incoming traffic into a network.
• Egress: Monitoring of outgoing traffic from a network.
• Key Role: Ensures both incoming and outgoing traffic is inspected for malicious behavior, preventing data exfiltration or external threats.
Whitelisting and Blacklisting
• Whitelisting: Only allows traffic from specific trusted IP addresses; all other traffic is blocked.
  • Pro: Highly secure but may block legitimate traffic unintentionally.
• Blacklisting: Specifically blocks traffic from known malicious IP addresses; all other traffic is allowed.
  • Pro: Easier to implement, but new or unknown threats might bypass the blacklist.

• IDS and IPS systems perform data inspection, with IDS focusing on detection and IPS providing
prevention.
• IDS/IPS systems can be network-based or host-based, with different monitoring approaches for
traffic and host activities.
• Detection methods include signature-based for known threats and anomaly-based for unknown
or evolving threats.
• Ingress and egress monitoring are key for securing traffic flow, and whitelisting/blacklisting
strategies add additional layers of protection.
Data Inspection
• Definition of Data Inspection
• Virus Scanning
• Stateful Inspection
• Content Inspection

Definition of Data Inspection
• Data inspection refers to the process of monitoring and examining transmitted data to ensure compliance with security rules.
• It focuses on detecting unauthorized or malicious data and triggering appropriate actions when a violation is detected.
Virus Scanning
• Function: Scans files for known malware or virus signatures.
• Mechanism: Compares files against a database of known malware signatures to detect malicious content.
• Example: Antivirus software scanning email attachments to block the delivery of infected files.
Stateful Inspection
• Function: Tracks and analyzes the state of communications between systems.
• Mechanism: Maintains a dynamic state/context table to follow the status of active network connections.
• Example: A firewall that inspects and tracks connection states to ensure that only valid communication flows are allowed, preventing unauthorized access.
Content Inspection
• Function: Inspects transmitted mobile code or content for compliance with defined security rules.
• Mechanism: Scans active content, like JavaScript or embedded scripts, to prevent harmful code from executing.
• Example: Web gateways filtering web traffic to block malicious scripts or disallowed content from being delivered to users.

• Data inspection ensures transmitted data adheres to security rules by identifying threats like
malware or harmful scripts.
• The key methods include virus scanning, stateful inspection, and content inspection, all of which
add layers of defense.
• Proper data inspection safeguards the network by actively monitoring and responding to potential
security threats.
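The state table described under Stateful Inspection, as an added example that is not part of the notes: a minimal TCP connection tracker that accepts inbound segments only when they match a connection an inside host opened; all addresses and ports are constructed.

```python
"""Minimal stateful inspection table for TCP (added example, not from the notes).

A stateless packet filter judges each packet on its own; the firewall below
keeps the "dynamic state/context table" the notes describe, keyed by the
connection's addresses and ports, and accepts a segment only if it fits the
tracked state. Policy: hosts inside 10.0.0.0/8 may open outbound connections;
inbound segments are accepted only when they belong to a connection already in
the table, so an unsolicited inbound SYN (or a forged "established" ACK) is
dropped while the reply to an outbound SYN is accepted. All addresses are
constructed sample values.
"""
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed trusted side


class StatefulFirewall:
    def __init__(self):
        # (initiator ip, initiator port, responder ip, responder port) -> state
        self.table = {}

    def inspect(self, src, sport, dst, dport, flags):
        """Return "ACCEPT" or "DROP" for one TCP segment and update the table.

        flags is the set of TCP flags on the segment, e.g. {"SYN"} or {"SYN", "ACK"}.
        """
        fwd = (src, sport, dst, dport)   # key if src is the initiator
        rev = (dst, dport, src, sport)   # key if src is the responder

        # A bare SYN opens a connection: allowed only from the inside, and only
        # if no entry exists yet. An inbound SYN matches no state: dropped.
        if flags == {"SYN"}:
            if ipaddress.ip_address(src) in INSIDE and fwd not in self.table:
                self.table[fwd] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"

        # SYN/ACK is accepted only as the reply to a SYN that was seen leaving.
        if flags == {"SYN", "ACK"}:
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECEIVED"
                return "ACCEPT"
            return "DROP"

        # Every other segment must belong to a tracked connection.
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            return "DROP"
        state = self.table[key]

        if "RST" in flags:                      # reset tears the entry down
            del self.table[key]
            return "ACCEPT"
        if state == "SYN_RECEIVED" and key == fwd and "ACK" in flags:
            self.table[key] = "ESTABLISHED"     # initiator's handshake-completing ACK
            return "ACCEPT"
        if state == "ESTABLISHED":
            if "FIN" in flags:
                self.table[key] = "CLOSING"     # first FIN seen
            return "ACCEPT"
        if state == "CLOSING":
            if "FIN" in flags:
                del self.table[key]             # second FIN: connection gone
            return "ACCEPT"
        return "DROP"                            # e.g. data before the handshake finished


def run(packets, fw=None):
    """Feed (src, sport, dst, dport, flags) tuples through one firewall instance."""
    if fw is None:
        fw = StatefulFirewall()
    return [fw.inspect(*p) for p in packets]


# Constructed sequence: one legitimate outbound HTTPS session plus two inbound
# probes on port 22 that a stateless filter allowing that port would have passed.
SAMPLE_PACKETS = [
    ("10.1.1.5", 51000, "203.0.113.80", 443, {"SYN"}),          # inside client opens: ACCEPT
    ("203.0.113.80", 443, "10.1.1.5", 51000, {"SYN", "ACK"}),   # matching reply: ACCEPT
    ("10.1.1.5", 51000, "203.0.113.80", 443, {"ACK"}),          # handshake done: ESTABLISHED
    ("203.0.113.80", 443, "10.1.1.5", 51000, {"ACK"}),          # server data on tracked conn: ACCEPT
    ("198.51.100.7", 40000, "10.1.1.5", 22, {"SYN"}),           # unsolicited inbound SYN: DROP
    ("198.51.100.7", 40000, "10.1.1.5", 22, {"ACK"}),           # forged "established" ACK: DROP
    ("203.0.113.80", 443, "10.1.1.5", 51000, {"FIN", "ACK"}),   # server closes: CLOSING
    ("10.1.1.5", 51000, "203.0.113.80", 443, {"FIN", "ACK"}),   # client closes: entry removed
    ("203.0.113.80", 443, "10.1.1.5", 51000, {"ACK"}),          # late segment, no state: DROP
]
EXPECTED = ["ACCEPT", "ACCEPT", "ACCEPT", "ACCEPT", "DROP", "DROP", "ACCEPT", "ACCEPT", "DROP"]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(f"{pkt[0]:>13}:{pkt[1]:<5} -> {pkt[2]:>13}:{pkt[3]:<5} {sorted(pkt[4])} {verdict}")
```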



Network-Based vs. Host-Based IDS/IPS
• Definition of Network-Based IDS/IPS
• Definition of Host-Based IDS/IPS
• Key Differences Between Network-Based and Host-Based
• Pros and Cons of Network-Based IDS/IPS
• Pros and Cons of Host-Based IDS/IPS
• Example Use Cases

Network-Based IDS/IPS (NIDS/NIPS):
• Monitors entire network traffic passing through strategically placed sensors on network segments.
• Can detect malicious activity across the network, ensuring broader coverage.
• Pros:
  • Covers multiple devices connected to the network segment.
  • Can detect attacks before they reach critical systems (early detection).
• Cons:
  • May miss threats targeted at encrypted or isolated traffic.
  • Requires proper sensor placement for maximum efficiency.
• Example: A NIDS placed on a network's main router monitors traffic entering and leaving the network, alerting administrators to any suspicious traffic patterns.
Host-Based IDS/IPS (HIDS/HIPS):
• Installed directly on specific devices (like servers or mission-critical systems) and monitors that device's activity.
• Provides more detailed visibility into the activity occurring on the device itself.
• Pros:
  • Granular protection at the host level, making it highly effective for protecting critical systems.
  • Can detect internal attacks and changes made directly on the host.
• Cons:
  • Resource-intensive (requires processing power and storage on each host).
  • Does not monitor broader network traffic, limited to the host device.
• Example: A HIPS running on a web server monitors for file changes or unauthorized access attempts to that server.
Key Differences:
• Network-Based IDS/IPS: Monitors the flow of data across network segments (broader coverage).
• Host-Based IDS/IPS: Focuses on monitoring activity within a specific device (more granular control).

• Network-based IDS/IPS provide broad monitoring of network traffic and can detect threats across
multiple devices, while host-based IDS/IPS offer detailed monitoring of specific systems.
• A combination of both types provides the most comprehensive protection by covering both the
network level and individual hosts.



IDS/IPS Detection Methods and Promiscuous Ports
• Mirror/Span/Promiscuous Port Definition
• Role of Mirror/Span/Promiscuous Ports in IDS/IPS
• IDS/IPS Detection Methods
• Signature-Based Detection
• Anomaly-Based Detection
• Types of Anomaly-Based Detection

Mirror/Span/Promiscuous Port:
• These ports allow copies of all network traffic passing through a network device (like a switch) to be forwarded to a monitoring device such as an IDS.
• When a port is in promiscuous mode, a connected device can capture and inspect all traffic on the network segment.
• Example: A switch port is configured in promiscuous mode for Wireshark packet analysis or IDS monitoring.
IDS/IPS Detection Methods:
• Signature-Based Detection:
  • Relies on known attack signatures (such as malicious file hashes, suspicious IP addresses, or byte sequences).
  • Pros: Effective against known threats.
  • Cons: Unable to detect new or zero-day attacks without existing signatures.
  • Example: An IDS detects malware by matching the packet's signature with a known malicious file hash.
• Anomaly-Based Detection:
  • Detects deviations from normal behavior by establishing a baseline of expected network activity.
  • Pros: Can detect unknown or new threats.
  • Cons: Resource-intensive and can result in false positives.
  • Example: An IDS raises an alert when a spike in network traffic deviates from normal patterns.
Types of Anomaly-Based Detection:
• Stateful Matching:
  • Monitors the state of traffic streams; any unexpected state triggers an alert or blocks traffic.
• Statistical Anomalies:
  • Detects statistical deviations from normal behavior patterns, triggering alerts or blocking suspicious traffic.
• Traffic Anomalies:
  • Identifies abnormal traffic flows, such as unusually high volumes or unexpected traffic destinations.
• Protocol Anomalies:
  • Detects unusual protocols or protocol misuse in network traffic, raising alerts if unexpected protocols appear.

• Mirror, span, and promiscuous ports are essential for IDS/IPS, enabling devices to monitor network
traffic without disrupting it.
• Signature-based detection works well against known threats, while anomaly-based detection can
catch new threats by identifying unusual network behavior, though it requires more resources and
can lead to false positives.
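Signature-based and anomaly-based detection (covering the statistical/traffic and protocol anomaly types above, and the Detection Methods section of IDS and IPS - 2) run over constructed flow records, as an added example that is not code from the notes; every signature, indicator, address and baseline value in it is a constructed placeholder.

```python
"""Signature-based and anomaly-based detection over constructed flow records.

Added example, not code from the notes. Each record is a dict holding what a
sensor fed from a SPAN/mirror port might reconstruct per flow: source and
destination IP, destination port, the application protocol it identified, the
minute the flow was seen and, when present, the SHA-256 of a transferred file
and the first payload bytes. The signature database, the baseline and every
address below are constructed placeholders, not real indicators.
"""
import hashlib
import statistics
from collections import defaultdict

# --- Signature database (constructed) ---------------------------------------
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}
KNOWN_BAD_IPS = {"198.51.100.99"}            # placeholder address from TEST-NET-2
KNOWN_BAD_BYTES = [b"EVIL-SHELL-MARKER"]      # constructed byte-sequence signature

# --- Baseline for anomaly detection (constructed) ----------------------------
BASELINE_REQ_PER_MIN = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42]   # flows per "normal" minute
EXPECTED_PROTO_ON_PORT = {53: "dns", 80: "http", 443: "tls", 25: "smtp"}


def signature_alerts(record):
    """Known-threat detection: exact matches against the signature database."""
    alerts = []
    if record.get("file_sha256") in KNOWN_BAD_HASHES:
        alerts.append("signature:known-bad-file-hash")
    if record["src"] in KNOWN_BAD_IPS or record["dst"] in KNOWN_BAD_IPS:
        alerts.append("signature:known-bad-ip")
    payload = record.get("payload", b"")
    if any(sig in payload for sig in KNOWN_BAD_BYTES):
        alerts.append("signature:byte-sequence")
    return alerts


def protocol_anomaly(record):
    """Protocol anomaly: the port carries a protocol other than the one expected."""
    expected = EXPECTED_PROTO_ON_PORT.get(record["dst_port"])
    if expected and record["proto"] != expected:
        return [f"anomaly:protocol {record['proto']} on port {record['dst_port']} (expected {expected})"]
    return []


def statistical_anomalies(records, baseline=BASELINE_REQ_PER_MIN, z_threshold=3.0):
    """Statistical/traffic anomaly: a minute whose flow count is far above baseline.

    Flags any minute whose count exceeds mean + z_threshold * stdev of the baseline.
    """
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0   # avoid division by zero on a flat baseline
    per_minute = defaultdict(int)
    for r in records:
        per_minute[r["minute"]] += 1
    return [f"anomaly:statistical {n} flows in minute {m} (z={(n - mean) / stdev:.1f})"
            for m, n in sorted(per_minute.items()) if (n - mean) / stdev > z_threshold]


def detect(records):
    """Return (record index or None, alert) pairs; None marks window-level alerts."""
    alerts = [(i, a) for i, r in enumerate(records)
              for a in signature_alerts(r) + protocol_anomaly(r)]
    alerts += [(None, a) for a in statistical_anomalies(records)]
    return alerts


def flow(src, dst, dst_port, proto, minute, **extra):
    return {"src": src, "dst": dst, "dst_port": dst_port, "proto": proto, "minute": minute, **extra}


# Constructed traffic: a normal minute 10 with a few bad flows mixed in, then a
# burst in minute 11 from one outside host that no signature describes, and a
# final flow carrying a payload no signature knows (the zero-day case).
SAMPLE = (
    [flow("10.0.0.5", "192.0.2.10", 443, "tls", 10) for _ in range(40)]
    + [flow("10.0.0.8", "203.0.113.20", 53, "dns", 10),
       flow("10.0.0.9", "198.51.100.99", 443, "tls", 10),                 # to a listed address
       flow("10.0.0.12", "203.0.113.30", 53, "http", 10),                 # HTTP on the DNS port
       flow("10.0.0.5", "192.0.2.10", 80, "http", 10, payload=b"GET /x EVIL-SHELL-MARKER"),
       flow("10.0.0.5", "192.0.2.10", 80, "http", 10,
            file_sha256=hashlib.sha256(b"constructed-malware-sample").hexdigest())]
    + [flow("203.0.113.7", "192.0.2.10", 443, "tls", 11) for _ in range(60)]
    + [flow("10.0.0.13", "203.0.113.44", 443, "tls", 10, payload=b"novel payload in no database")]
)

if __name__ == "__main__":
    for idx, alert in detect(SAMPLE):
        print(f"record {idx!s:>4}: {alert}")
```

Only the statistical check notices the minute-11 burst, and nothing flags the final novel payload: that is the signature-versus-anomaly trade-off the notes describe.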



Ingress and Egress Monitoring
• Ingress Monitoring
• Egress Monitoring
• Importance of Both Types
• Role of IDS/IPS in Monitoring
• Use Cases for Ingress and Egress Monitoring

• Ingress Monitoring:
  • Involves monitoring all incoming traffic to the network.
  • Helps prevent malicious traffic such as malware or unauthorized access attempts from entering the network.
  • Example: Monitoring incoming traffic to detect potential Distributed Denial of Service (DDoS) attacks.
• Egress Monitoring:
  • Focuses on monitoring outgoing traffic from the network.
  • Prevents data loss or the unauthorized transmission of sensitive information outside the network.
  • Can also detect compromised systems attempting to communicate with external attackers.
  • Example: Monitoring outbound traffic to detect and block unauthorized file transfers or command-and-control communications from infected machines.
• Importance of Both Ingress and Egress Monitoring:
  • Comprehensive monitoring requires analyzing traffic in both directions to prevent attacks and detect data exfiltration.
  • Ingress Monitoring: Protects the network from external threats.
  • Egress Monitoring: Prevents insider threats, data breaches, and outgoing malicious activity.
• Role of IDS/IPS in Monitoring:
  • IDS/IPS should be placed in strategic positions to monitor both incoming (ingress) and outgoing (egress) traffic.
  • An IDS/IPS system monitoring ingress can detect suspicious traffic before it enters the network, while monitoring egress can prevent data theft or malicious activity from being sent outside.

• Ingress monitoring focuses on detecting threats entering the network, while egress monitoring
focuses on threats exiting the network.
• Both are critical for protecting against external attacks and preventing data loss or unauthorized
communications from inside the network.



Allow List and Deny List (Whitelisting and Blacklisting)
• Definitions
• Allow List (Whitelist)
• Deny List (Blacklist)
• Importance of Terminology
• Use Cases

Definitions:
• Allow List (Whitelist): A list of IP addresses that are permitted access; all other IP addresses are blocked by default.
• Deny List (Blacklist): A list of IP addresses that are explicitly blocked; all other IP addresses are allowed by default.
Allow List (Whitelist):
• Functionality:
  • Specifies which IP addresses may be visited.
  • Any IP address not on the list is not permissible.
• Example:
  • A company may use an allow list to only permit access to specific trusted websites or servers.
Deny List (Blacklist):
• Functionality:
  • Specifies which IP addresses may NOT be visited.
  • Any IP address not on the list is permissible.
• Example:
  • A network may employ a deny list to block known malicious IP addresses, preventing access to those sources.
Importance of Terminology:
• The terms "allow list" and "deny list" are gaining popularity as they avoid the racial connotations associated with "whitelist" and "blacklist."
• Awareness of these terms is essential, as both may appear on exams and in industry discussions.
Use Cases:
• Allow Lists: Commonly used for restricting access to a limited number of approved services, enhancing security by minimizing exposure to untrusted sources.
• Deny Lists: Useful for preventing access to known harmful sites or IPs, allowing organizations to protect users from phishing and malware threats.

• Allow lists permit access only to specified IP addresses, blocking all others, while deny lists explicitly
block certain IPs, allowing all others.
• The shift toward using the terms "allow list" and "deny list" reflects a more inclusive language in
cybersecurity practices.



Sandbox
• Definition of Sandbox
• Purpose of Sandbox
• Alert Scenarios
• Importance of Sandboxing in Cybersecurity

Definition of Sandbox:
• A sandbox is a controlled environment designed to isolate and execute untrusted code safely.
Purpose of Sandbox:
• To allow unknown or potentially malicious software to run in a secure setting where it cannot harm the system or network.
• It helps in analyzing the behavior of malware without risk to the host environment.
Four Possible Alert Scenarios:
1. True Positive: Malicious activity correctly identified as a threat.
2. False Positive: Non-malicious activity incorrectly flagged as a threat.
3. True Negative: Non-malicious activity correctly identified as safe.
4. False Negative: Malicious activity not detected, leading to undetected threats.
• Note: False negatives are considered the worst-case scenario as they allow potential threats to operate undetected.
Sandbox Activation by IDS/IPS:
• When an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) identifies suspicious activity, it can activate a sandbox to analyze the code and determine its nature.
Usage in Malware Analysis:
• Malware analysts frequently use sandboxes to execute malicious code, allowing them to identify indicators of compromise and understand malware functions without risking the integrity of their systems.

A sandbox is a crucial cybersecurity tool that allows for the safe execution and analysis of
untrusted code. It aids in detecting true threats while minimizing the risk of undetected
malicious activity, making it essential for both IDS/IPS systems and malware analysts.



Alert Statuses
• Definition of Alert Statuses
• Types of Alert Outcomes
• Importance of Tuning Security Tools

Definition of Alert Statuses:
• Alert statuses refer to the outcomes produced by security tools in response to detected activity, indicating whether an attack is occurring or not.
Types of Alert Outcomes (Table 4-44):
1. True Positive:
  • Description: An alert is raised indicating that an attack is occurring.
  • Significance: Indicates appropriate operation of security tools.
2. True Negative:
  • Description: No alert is generated, and no attack is present.
  • Significance: Indicates appropriate operation of security tools.
3. False Positive:
  • Description: An alert is generated when no attack is occurring (e.g., a user logging in from an unusual location but is legitimate).
  • Significance: Indicates that tuning is required to reduce unnecessary alerts.
4. False Negative:
  • Description: No alert is generated despite an ongoing attack.
  • Significance: This is the worst-case scenario as it leaves the security team unaware of malicious activity.

• Understanding alert statuses is crucial for effective security monitoring. Tuning security
tools is necessary to balance between minimizing false positives and preventing false
negatives, which can leave the organization vulnerable. Effective tuning varies
depending on the organization's specific context and threat landscape.
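The four alert outcomes (the same four listed as the sandbox alert scenarios) and the tuning trade-off, as an added example that is not from the notes; it assumes a detector that gives each event a numeric risk score and alerts at a configurable threshold, with constructed events and scores.

```python
"""Alert outcomes and threshold tuning (added example, not from the notes).

Each constructed event carries the detector's risk score and the ground truth
the analyst established afterwards. An alert fires when score >= threshold,
and each event then falls into one of the four outcomes from the notes: true
positive, false positive, true negative, false negative. Sweeping the
threshold shows the tuning trade-off: a lower threshold removes false
negatives but raises false positives. Scores and labels are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    description: str
    score: int     # detector's risk score, 0-100 (constructed)
    attack: bool   # ground truth: was this really an attack?


EVENTS = [
    Event("login from usual office address", 5, False),
    Event("login from unusual location by a travelling employee", 55, False),
    Event("bulk download by nightly backup job", 60, False),
    Event("authorised internal vulnerability scan", 70, False),
    Event("low-and-slow data exfiltration", 45, True),
    Event("password spray from outside", 65, True),
    Event("credential stuffing burst", 90, True),
    Event("known malware hash observed on a host", 95, True),
]

OUTCOMES = ("true_positive", "false_positive", "true_negative", "false_negative")


def classify(event, threshold):
    """Map one event to its alert outcome for the given threshold."""
    alerted = event.score >= threshold
    if alerted:
        return "true_positive" if event.attack else "false_positive"
    return "false_negative" if event.attack else "true_negative"


def outcome_counts(events, threshold):
    """Count the four outcomes over all events at one threshold."""
    counts = dict.fromkeys(OUTCOMES, 0)
    for event in events:
        counts[classify(event, threshold)] += 1
    return counts


def rates(events, threshold):
    """Detection rate = TP/(TP+FN); false alarm rate = FP/(FP+TN)."""
    c = outcome_counts(events, threshold)
    attacks = c["true_positive"] + c["false_negative"]
    benign = c["false_positive"] + c["true_negative"]
    return {
        "detection_rate": c["true_positive"] / attacks if attacks else 0.0,
        "false_alarm_rate": c["false_positive"] / benign if benign else 0.0,
    }


def tuning_sweep(events, thresholds):
    """Outcome counts for every candidate threshold, for the analyst to compare."""
    return {t: outcome_counts(events, t) for t in thresholds}


def strictest_threshold_without_misses(events, thresholds):
    """Highest threshold that still yields zero false negatives, or None.

    The notes call a false negative the worst case, so this tuning rule keeps
    every known attack alerting and accepts the false positives that implies.
    """
    ok = [t for t in thresholds if outcome_counts(events, t)["false_negative"] == 0]
    return max(ok) if ok else None


if __name__ == "__main__":
    for t, c in tuning_sweep(EVENTS, range(40, 100, 10)).items():
        r = rates(EVENTS, t)
        print(f"threshold {t:3}: TP={c['true_positive']} FP={c['false_positive']} "
              f"TN={c['true_negative']} FN={c['false_negative']} "
              f"detect={r['detection_rate']:.2f} false_alarm={r['false_alarm_rate']:.2f}")
    print("strictest threshold with no misses:",
          strictest_threshold_without_misses(EVENTS, range(0, 101, 5)))
```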



Honeypots and Honeynets
• Definition of Honeypots and Honeynets
• Purpose and Risks
• Enticement vs. Entrapment

• Definition of Honeypots and Honeynets:
  • Honeypots: Individual computers or devices set up to appear as legitimate network resources but contain no real data or value.
  • Honeynets: Two or more networked honeypots, often utilizing routers, switches, or gateways.
• Purpose of Honeypots and Honeynets:
  • Detect Sophisticated Cyberattacks: Useful for identifying Advanced Persistent Threats (APTs) that avoid detection.
  • Trace Attacker Movement: Help security teams understand how attackers traverse a network.
  • Distract Attackers: Divert focus from valuable resources.
  • Gather Information: Collect data that can inform the organization's security strategy.
  • Conduct Research: Used by cybersecurity companies for research purposes.
• Risks of Honeypots and Honeynets:
  • Access Risk: Attackers may leverage access to honeypots to gain entry into real systems.
  • Legal Risk: Improper use can lead to entrapment, which is illegal.
  • Action Responsibility: Senior management bears ultimate responsibility for any damages.
• Enticement vs. Entrapment:
  • Enticement:
    • Definition: Legal activity of persuading someone to commit a crime they were already planning.
    • Example: Using a honeypot to attract a known attacker.
  • Entrapment:
    • Definition: Illegal activity of persuading someone to commit a crime they would not have committed otherwise.
    • Example: Actively encouraging a person to attack a honeypot that is not part of their initial intent.

• Honeypots and honeynets serve as valuable tools in cybersecurity by detecting and analyzing
malicious activities.
• However, organizations must navigate the legal implications of their use, ensuring they do not
engage in entrapment.
• Understanding the balance between enticement and entrapment is crucial for ethical security
practices.



Remote Access and VPNs
• Definition of Remote Access
• Importance of Secure Communication
• VPN (Virtual Private Network)
• Tunneling
• Split Tunneling
• Authentication and Encryption

Definition of Remote Access:
• Remote access refers to the ability to connect to corporate resources over an insecure network, such as the internet.
• This exposes sensitive data to potential threats if not properly secured.
Importance of Secure Communication:
• Since remote access typically involves insecure networks, such as public Wi-Fi or external networks, there is a significant risk of attacks like eavesdropping and data interception.
• Hence, ensuring secure communication is critical to protect sensitive data.
VPN (Virtual Private Network):
• VPNs are encrypted tunnels that protect data as it moves across untrusted networks.
• They create a secure path between the user and the corporate network, ensuring that even if traffic is intercepted, it remains unreadable without the proper decryption key.
• Types of VPNs:
  • Client-based VPNs: Installed on the user’s device, securing remote access to the corporate network.
  • Site-to-Site VPNs: Securely connect two different networks, often used between a company’s headquarters and branch offices.
Tunneling:
• Tunneling is a process that involves encapsulating a data packet inside another packet for secure transmission.
• Tunneling protocols include PPTP, L2TP (usually combined with IPsec for encryption), and SSL/TLS for encrypted connections.
Split Tunneling:
• This feature allows users to access corporate resources via a VPN while simultaneously accessing external resources outside the VPN.
• Split tunneling can be risky as unsecured traffic bypassing the VPN might expose the device to potential threats.
Authentication and Encryption:
• VPNs use various authentication methods, such as multi-factor authentication (MFA), to ensure only authorized users can access the network.
• Encryption ensures that data is protected, rendering intercepted data useless without the decryption keys.

• VPNs are essential tools for securing remote access, especially over untrusted networks.
• They provide encryption and secure communication channels, reducing the risk of data interception.
While split tunneling offers convenience, it also introduces security risks, and organizations must
carefully weigh these factors when implementing remote access solutions.



Endpoint Security
• Definition of Endpoint Security
• Common Endpoints
• Importance of Minimizing Attack Surface
• Role of Network Access Control (NAC)
• Evolved Endpoint Security Strategies
Definition of Endpoint Security:
• Endpoint security focuses on protecting individual client devices (or endpoints) within a corporate network, such as laptops, mobile devices, printers, and IoT devices.
• These endpoints can become entry points for cyberattacks, making their protection a critical element of overall network security.
Common Endpoints:
• Endpoints refer to any device connected to the corporate network, such as:
✓ Laptops
✓ Tablets
✓ Smartphones
✓ Printers
✓ IoT devices
✓ Wireless devices
Importance of Minimizing Attack Surface:
• The goal of endpoint security is to minimize the attack surface, reducing the number of vulnerable entry points into the corporate network.
• By securing these devices, organizations can prevent or mitigate cyberattacks before they impact critical systems.
Role of Network Access Control (NAC):
• NAC solutions complement endpoint security by managing which devices can connect to the corporate network.
• NAC ensures that only healthy, compliant devices with updated security measures (e.g., antivirus or encryption) are allowed access to the network.
• Devices that fail to meet the security requirements may be quarantined or denied access.
Evolved Endpoint Security Strategies:
• Endpoint security has grown from simple antivirus software to more comprehensive strategies, including:
✓ Device management policies and enforcement
✓ Endpoint Data Leak Prevention (DLP) solutions
✓ Endpoint Detection and Response (EDR) platforms
✓ Threat detection, response, and continuous monitoring

• Endpoint security protects individual devices within a corporate network, helping to reduce potential
entry points for attackers.
• Modern strategies go beyond antivirus solutions, incorporating NAC, DLP, and EDR systems to
ensure robust protection.
• NAC plays a critical role in verifying device security and preventing unauthorized access to the
network.



Tunneling
• Definition of Tunneling
• Encapsulation and Packet Structure
• Why Tunneling is Used
• Tunneling with or without Encryption
• Tunneling Protocols Across OSI Layers
Definition of Tunneling:
• Tunneling refers to the process of encapsulating a packet inside another packet’s data portion.
• This allows the encapsulated packet to travel across the network in a different structure, without altering its content.
• The original packet’s header and data are inserted into the data section of a new packet.
Encapsulation and Packet Structure:
• Encapsulation is the key to tunneling. The entire original packet (header and data) becomes the data portion of the new, outer packet.
• While this does not hide the original content, it allows the packet to travel a path dictated by the new outer header.
Why Tunneling is Used:
• Tunneling is primarily used to control the path a packet takes across a network, independent of the original packet’s intended route.
• The outer packet’s header dictates the network route, effectively "forcing" the packet to travel through a predetermined path.
• However, the encapsulated packet remains readable unless encryption is applied.
Tunneling with or without Encryption:
• Tunneling by itself does not provide security—it only encapsulates the packet. If security is needed, the encapsulated packet must be encrypted, transforming a simple tunnel into a Virtual Private Network (VPN).
• Without encryption, the encapsulated packet can still be read by any device along its route.
Tunneling Protocols Across OSI Layers:
• Tunneling can occur at multiple layers of the OSI Model, from Layer 2 to Layer 7. The trade-off between functionality and performance is important:
✓ Lower layers (Layer 2): Highly efficient but with limited functionality.
✓ Higher layers (Layer 7): Provide more functionality, such as application-level capabilities, but are less efficient.

• Tunneling is a method of encapsulating packets within other packets, allowing them to travel a defined network route. While this process by itself does not provide security, adding encryption creates a secure tunnel—forming the basis of a VPN. Different tunneling protocols are available at various OSI layers, offering a trade-off between performance and functionality.



Generic Routing Encapsulation (GRE)
• Definition of GRE
• How GRE Works
• Use Cases for GRE
• Pros of GRE
• Cons of GRE
Definition of GRE:
• Generic Routing Encapsulation (GRE) is a tunneling protocol that encapsulates a variety of network layer protocols (such as IPv4, IPv6, and multicast) and routes them over IP networks.
• It is designed to enable data to be exchanged between two networks, often using an external network like the internet.
How GRE Works:
• GRE operates by taking an original packet, known as the payload, and encapsulating it inside a new, outer packet.
• This encapsulated packet is then sent over an IP network to a remote endpoint.
• Upon reaching the destination, the outer GRE packet is removed, and the original payload is delivered to the target system.
• This encapsulation allows GRE to support multiple protocol types and provide flexibility for network routing.
Use Cases for GRE:
• GRE is useful in scenarios where multiple protocols need to be routed across an IP network.
• For example, it can transport IPv6 packets over an IPv4 network, or multicast traffic over an IP network that does not natively support it.
• GRE is often used in VPNs, where it provides routing flexibility alongside other security protocols like IPsec.
Pros of GRE:
• Protocol Flexibility: GRE can encapsulate multiple protocols, making it versatile for different network needs.
• Supports Multicast Traffic: GRE allows multicast traffic to be routed over IP networks, which do not always natively support it.
• IPv6 Compatibility: GRE can tunnel IPv6 traffic over an IPv4 network, offering a bridge between different network types.
Cons of GRE:
• No Encryption: Unlike IPsec, GRE does not provide any encryption or security mechanisms. It only offers encapsulation, meaning data traveling through a GRE tunnel is not protected from interception.
• Overhead: GRE adds an additional header to each packet, which increases the size of the packet and can lead to network overhead and reduced performance.
• Not Secure by Itself: Since GRE does not provide confidentiality or integrity protection, it is typically combined with IPsec for secure tunneling.

• Generic Routing Encapsulation (GRE) is a versatile tunneling protocol that enables the encapsulation
of multiple network protocols over IP networks.
• Its strength lies in its ability to support IPv6 and multicast traffic over IP networks.
• However, GRE does not offer security, so it is commonly used in combination with other protocols
like IPsec for secure transmission.
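Added example (not from the original notes) of the encapsulation described in the Tunneling and GRE pages above: a constructed inner IPv4/UDP packet is wrapped in a plain GRE header plus a new outer IP header and unwrapped at the far end, showing that the inner packet is carried byte-for-byte, that the outer header alone decides the route, that the tunnel adds 24 bytes of overhead, and that the application data stays readable by every hop on the path. All addresses and payload bytes are constructed; the GRE header layout and flag bits follow RFC 2784/2890.

```python
import struct
import ipaddress

# GRE base header (RFC 2784): 2 bytes of flags/version, 2 bytes of protocol type.
GRE_BASE_LEN = 4
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
IPPROTO_UDP = 17
IPV4_HDR_LEN = 20


def ipv4_checksum(data: bytes) -> int:
    """One's-complement checksum; a header carrying its own correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = [0x45, 0, IPV4_HDR_LEN + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str,
                    proto_type: int = ETHERTYPE_IPV4) -> bytes:
    """Place the whole inner packet (header and data) in the data portion of a new GRE/IP packet.
    The outer header decides the route; the inner packet is copied unchanged."""
    gre = struct.pack("!HH", 0, proto_type)  # flags 0: no checksum, key or sequence; version 0
    payload = gre + inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(payload)) + payload


def gre_decapsulate(outer: bytes):
    """Strip the outer IP and GRE headers at the tunnel endpoint; return (protocol_type, inner)."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer packet does not carry GRE (IP protocol 47)")
    flags, proto_type = struct.unpack("!HH", outer[ihl:ihl + GRE_BASE_LEN])
    gre_len = GRE_BASE_LEN
    if flags & 0x8000:  # C bit: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:  # K bit (RFC 2890): key present
        gre_len += 4
    if flags & 0x1000:  # S bit (RFC 2890): sequence number present
        gre_len += 4
    return proto_type, outer[ihl + gre_len:]


def demo() -> dict:
    """Constructed example: a private-LAN IPv4/UDP packet tunnelled between two public endpoints."""
    secret = b"payroll record - cleartext"  # constructed application data
    udp = struct.pack("!HHHH", 40000, 514, 8 + len(secret), 0) + secret
    inner = ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_UDP, len(udp)) + udp
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")  # RFC 5737 documentation addresses
    proto_type, recovered = gre_decapsulate(outer)
    return {
        "inner_intact": recovered == inner,                 # original header + data delivered unchanged
        "proto_type": proto_type,                           # 0x0800: the tunnel carried IPv4
        "overhead_bytes": len(outer) - len(inner),          # new IP header (20) + GRE header (4)
        "payload_visible_on_path": secret in outer,         # no encryption: readable by any hop
        "outer_checksum_ok": ipv4_checksum(outer[:IPV4_HDR_LEN]) == 0,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```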



Split Tunneling
• Definition of Split Tunneling
• How Split Tunneling Works
• Benefits of Split Tunneling
• Weaknesses and Risks
Definition of Split Tunneling:
• Split tunneling is a VPN feature that allows a user to access multiple network resources simultaneously, such as a corporate LAN through a VPN connection and the internet directly, without routing all traffic through the VPN tunnel.
How Split Tunneling Works:
• When using split tunneling, some traffic, such as corporate LAN access, goes through the encrypted VPN tunnel, while other traffic, such as internet access, is routed directly to the local network (e.g., hotel Wi-Fi).
• This process reduces the need for all traffic to pass through the VPN, allowing for more efficient bandwidth usage.
Benefits of Split Tunneling:
• Optimized Bandwidth Usage: By directing non-corporate traffic (e.g., browsing Google or other public sites) outside the VPN, split tunneling reduces the load on the corporate VPN and network resources.
• Better Performance: Split tunneling allows for better internet speed and performance, as not all traffic needs to go through the corporate VPN, which can result in faster browsing and downloads.
• Increased Efficiency: Users can access corporate resources securely via the VPN while simultaneously using direct connections for less sensitive tasks.
Weaknesses and Risks:
• Security Risks: Split tunneling can bypass corporate security controls, exposing the user's device to threats from unsecured networks, such as hotel or public Wi-Fi. Malicious actors can exploit this open connection and gain access to the user's device or network.
• Lack of Monitoring: When traffic bypasses the VPN, it is not subject to corporate monitoring or protection mechanisms, which can lead to potential data loss or compromise.
• Vulnerability to Attacks: An attacker may be able to compromise the user's device on the local network (such as hotel Wi-Fi) and use that compromised device to access corporate resources through the active VPN connection.

• Split tunneling allows for efficient use of bandwidth and optimized performance by
routing non-corporate traffic outside the VPN.
• However, the feature poses significant security risks, as it can bypass corporate security
controls, leaving the device vulnerable to attacks and reducing the organization's ability
to monitor or protect network traffic.
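Added example, not part of the original notes: a full-tunnel and a split-tunnel routing policy for a laptop on hotel Wi-Fi, evaluated with longest-prefix matching over a few constructed flows, to list exactly which traffic leaves the device outside the VPN and therefore outside corporate encryption and monitoring. The corporate prefixes, flow names and addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # "vpn" (encrypted tunnel to corporate) or "local" (hotel/public Wi-Fi gateway)


# Constructed policy inputs: corporate address space and a few flows seen on a road-warrior laptop.
CORPORATE_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12")
SAMPLE_FLOWS = (
    ("SMB to file server", "10.20.30.40"),
    ("HTTPS to intranet portal", "172.16.5.10"),
    ("HTTPS to public web site", "203.0.113.10"),   # RFC 5737 documentation address
    ("DNS to hotel resolver", "192.168.1.1"),
)


def _corporate_routes():
    return [Route(ipaddress.ip_network(p), "vpn") for p in CORPORATE_PREFIXES]


def full_tunnel_policy():
    """Default route also points into the tunnel: every packet is encrypted and inspected centrally."""
    return _corporate_routes() + [Route(ipaddress.ip_network("0.0.0.0/0"), "vpn")]


def split_tunnel_policy():
    """Only corporate prefixes use the tunnel; the default route stays on the local gateway."""
    return _corporate_routes() + [Route(ipaddress.ip_network("0.0.0.0/0"), "local")]


def next_hop(policy, dst):
    """Longest-prefix match, the way the host's routing table chooses an interface."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in policy if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen).via


def unprotected_flows(policy, flows):
    """Flows that leave the device outside the tunnel: not VPN-encrypted and invisible to corporate monitoring."""
    return [(name, dst) for name, dst in flows if next_hop(policy, dst) == "local"]


if __name__ == "__main__":
    for label, policy in (("full tunnel", full_tunnel_policy()), ("split tunnel", split_tunnel_policy())):
        print(label, "bypasses VPN:", unprotected_flows(policy, SAMPLE_FLOWS))
```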



Tunneling and VPN Protocols
• Definition of Layer 2 Tunneling Protocols
• Common Tunneling Protocols
• PPTP vs. L2TP
• Use of Encryption in VPNs
Definition of Layer 2 Tunneling Protocols:
• Layer 2 tunneling protocols, such as PPTP, L2F, and L2TP, operate at the Data Link layer (Layer 2) of the OSI model. These protocols are primarily designed to establish tunnels for sending packets across networks, but they offer minimal security features.
Common Tunneling Protocols:
• Several tunneling protocols are used in network communications, with varying levels of encryption and security. Common tunneling protocols include:
• SSH (Secure Shell): Operates at Layer 7 (Application Layer). Provides secure command-line utilities and tunnels for protocols like Telnet and FTP, which otherwise lack security.
• SOCKS (Socket Secure): Operates at Layer 5 (Session Layer) to route network traffic through a proxy server.
• SSL/TLS (Secure Sockets Layer/Transport Layer Security): Layer 4 protocol (Transport Layer), providing encryption for web traffic, commonly used in HTTPS.
• IPsec (Internet Protocol Security): Works at Layer 3 (Network Layer), offering encryption and authentication to secure IP packets.
• GRE (Generic Routing Encapsulation): Encapsulates packets at multiple OSI layers, but lacks encryption by default.
• L2TP (Layer 2 Tunneling Protocol): Operates at Layer 2 (Data Link Layer). Often paired with IPsec to add encryption.
• L2F (Layer 2 Forwarding Protocol): Another Layer 2 protocol, but less commonly used today.
• PPTP (Point-to-Point Tunneling Protocol): A basic Layer 2 tunneling protocol for VPNs, which includes encryption.
PPTP vs. L2TP:
• PPTP (Point-to-Point Tunneling Protocol):
✓ Operates at Layer 2 and includes built-in encryption.
✓ Simple and efficient, but vulnerable to attacks due to weaker encryption mechanisms.
✓ Commonly used in older VPNs, but has been largely replaced due to security concerns.
• L2TP (Layer 2 Tunneling Protocol):
✓ Also a Layer 2 protocol, but lacks encryption on its own.
✓ Typically paired with IPsec to create a secure VPN, where IPsec provides the necessary encryption and authentication.
✓ More secure than PPTP, but can be slightly slower due to the added encryption overhead.
Use of Encryption in VPNs:
• A VPN (Virtual Private Network) is not just a tunnel—it requires encryption for security. Protocols like IPsec, SSH, and SSL/TLS add encryption to tunnels, ensuring secure transmission of data across untrusted networks like the internet.
• L2TP is paired with IPsec to form a secure VPN, while PPTP offers its own encryption but is less secure.



IPsec
• What is IPsec?
• IPsec Subprotocols: AH and ESP
• IPsec Modes: Transport and Tunnel
• Internet Key Exchange (IKE)
• Security Associations (SAs)
What is IPsec?
• IPsec (Internet Protocol Security) is a protocol suite designed to secure IP communications by authenticating and encrypting each IP packet in a communication session.
• It is the preferred method for establishing VPNs and is embedded as a default feature in IPv6, making it a standard component of modern networking.
IPsec Subprotocols: AH and ESP
IPsec provides two key subprotocols:
• Authentication Header (AH):
✓ Adds device authentication and ensures the integrity and authenticity of packets.
✓ Provides data-origin authentication and replay protection, but it does not encrypt the payload.
• Encapsulating Security Payload (ESP):
✓ Provides encryption of the payload, ensuring confidentiality in addition to the integrity, data-origin authentication, and replay protection offered by AH.
✓ ESP is commonly used for its encryption capabilities, making it essential for secure VPN communications.
IPsec Modes: Transport and Tunnel
• Transport Mode:
✓ In this mode, only the payload of the IP packet is encrypted or authenticated.
✓ Commonly used in end-to-end communications (e.g., client to server) within a trusted network.
• Tunnel Mode:
✓ The entire IP packet (header and payload) is encapsulated and encrypted, offering maximum security.
✓ Typically used in site-to-site VPNs where two networks are securely connected over an untrusted network like the internet.
Internet Key Exchange (IKE):
• IKE is the protocol used within IPsec to establish secure connections.
• It generates the session keys that are shared between the two endpoints of the VPN, ensuring that communication is encrypted with a dynamically created key that is valid only for the duration of the session.
Security Associations (SAs):
• Security Associations are used to define the security attributes of a communication session in IPsec.
• Each SA contains parameters such as the encryption algorithm, session keys, and authentication methods.
• An SA is needed for each direction (inbound and outbound) of the communication and for each component (AH or ESP) being used.

• IPsec is a robust protocol suite used for VPNs, offering both authentication through AH and
encryption through ESP.
• It can operate in transport or tunnel mode, depending on the level of security required. IPsec is
integrated into IPv6, making it a standard for modern secure communications.
• Additionally, Internet Key Exchange (IKE) and Security Associations (SAs) are essential for the secure
exchange of session keys and for defining the security parameters of the VPN connection.



IPsec Elements and Modes
• Modes of IPsec: Transport and Tunnel
• Authentication Header (AH) vs. Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
• Security Associations (SA)
Modes of IPsec: Transport and Tunnel
IPsec operates in two modes:
• Transport Mode:
✓ In this mode, IPsec encrypts only the payload of the original packet. The original IP header remains intact and is used to route the packet. This mode is typically used in end-to-end communications where encryption is needed only for the payload.
✓ Example: Device-to-device communication within a trusted network.
• Tunnel Mode:
✓ In this mode, the entire IP packet, including the original IP header and payload, is encapsulated inside a new packet with a new IP header. This offers complete protection for both the header and the payload. Tunnel mode is used for site-to-site VPNs and is the most secure mode.
✓ Example: Connecting two networks over an untrusted network (e.g., the internet).
Authentication Header (AH) vs. Encapsulating Security Payload (ESP)
• Authentication Header (AH):
✓ AH provides integrity, data-origin authentication, and replay protection for IP packets, but it does not provide confidentiality (no encryption).
✓ Commonly used in environments where encryption is not necessary but integrity and authenticity are critical.
• Encapsulating Security Payload (ESP):
✓ ESP offers more robust security by providing encryption in addition to integrity, data-origin authentication, and replay protection. It ensures confidentiality by encrypting the payload, making it the preferred choice for VPNs.
Internet Key Exchange (IKE)
• IKE is the protocol used to exchange keys securely between the two endpoints of an IPsec VPN.
• Since VPNs require symmetric encryption (using the same key at both ends), IKE ensures that both endpoints generate and use the same session key. It’s essentially a version of the Diffie–Hellman key exchange protocol and helps establish secure communication between the endpoints.
Security Associations (SA)
• A Security Association (SA) is established to define the security attributes of the communication session in IPsec. Since an SA covers only one direction of communication, two SAs are needed for bi-directional communication—one for each direction.
• If both AH and ESP are used in the connection, four SAs are required: two for AH and two for ESP, each for inbound and outbound communication.
• Key attributes in an SA include:
✓ Authentication algorithm
✓ Encryption algorithm
✓ Encryption keys
✓ Mode (transport or tunnel)
✓ Sequence number
✓ Expiry of the SA

• IPsec provides a robust solution for securing communications, offering both integrity and encryption
through its AH and ESP subprotocols.
• It operates in two modes: transport, which encrypts only the payload, and tunnel, which encrypts
the entire IP packet.
• IKE is essential for establishing secure key exchange, while Security Associations ensure the secure
management of each communication session.
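Added example, not from the notes or from any IPsec implementation: a Python model of one AH Security Association per direction, as described in the two IPsec pages above, showing the packet layout of transport versus tunnel mode, the ICV computed over the immutable fields, and the per-SA sequence number with the RFC 4302 anti-replay window (ESP would add encryption of the payload; this model covers AH only). Keys, SPIs, addresses and the inner packet are constructed, and the IP header checksum is left at zero for brevity.

```python
import hmac
import hashlib
import struct
import ipaddress
from dataclasses import dataclass

IPPROTO_AH, IPPROTO_IPIP = 51, 4   # AH protocol number; "next header" for a tunnelled IPv4 packet
ICV_LEN, AH_FIXED_LEN = 16, 12     # HMAC-SHA-256-128 (RFC 4868) tag; next hdr+len+reserved+SPI+seq
HDR_FMT = "!BBHHHBBH4s4s"

@dataclass
class SecurityAssociation:
    """One direction of traffic; the peer holds a matching SA (negotiated by IKE in a real VPN)."""
    spi: int
    auth_key: bytes
    mode: str           # "transport" or "tunnel"
    seq: int = 0        # outbound: last sequence number sent
    window: int = 64    # inbound: anti-replay window size
    highest: int = 0    # inbound: highest sequence number authenticated so far
    bitmap: int = 0     # inbound: bit i set means sequence (highest - i) already received

def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left 0 (a mutable field, excluded from the ICV anyway)."""
    return struct.pack(HDR_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def _icv(sa, hdr, ah, payload):
    """ICV over the packet with the ICV field zeroed and the mutable IP fields
    (TOS, flags/fragment offset, TTL, checksum) zeroed, as RFC 4302 requires."""
    fixed = hdr[0:1] + b"\x00" + hdr[2:6] + b"\x00\x00\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:20]
    return hmac.new(sa.auth_key, fixed + ah + b"\x00" * ICV_LEN + payload, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(sa, packet, tunnel_src=None, tunnel_dst=None):
    """Outbound AH. Transport mode keeps the original header and inserts AH after it;
    tunnel mode adds a new outer header and authenticates the entire original packet."""
    sa.seq += 1
    if sa.mode == "tunnel":
        next_hdr, payload = IPPROTO_IPIP, packet
        hdr = ip_header(tunnel_src, tunnel_dst, IPPROTO_AH, AH_FIXED_LEN + ICV_LEN + len(payload))
    else:
        next_hdr, payload = packet[9], packet[20:]
        total = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
        hdr = packet[:2] + struct.pack("!H", total) + packet[4:9] + bytes([IPPROTO_AH]) + packet[10:20]
    ah_words = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # RFC 4302: AH length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", next_hdr, ah_words, 0, sa.spi, sa.seq)
    return hdr + ah + _icv(sa, hdr, ah, payload) + payload

def ah_verify(sa, packet):
    """Inbound AH: SPI match, anti-replay pre-check, ICV check, then window update.
    Returns (accepted, reason, original_packet)."""
    hdr, ah = packet[:20], packet[20:20 + AH_FIXED_LEN]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah)
    if hdr[9] != IPPROTO_AH or spi != sa.spi:
        return False, "no matching SA", b""
    if seq <= sa.highest:                           # sliding window, RFC 4302 section 3.4.3
        if sa.highest - seq >= sa.window:
            return False, "sequence number too old", b""
        if sa.bitmap >> (sa.highest - seq) & 1:
            return False, "replayed packet", b""
    if not hmac.compare_digest(icv, _icv(sa, hdr, ah, payload)):
        return False, "integrity check failed", b""
    if seq > sa.highest:                            # only an authenticated packet moves the window
        sa.bitmap, sa.highest = (sa.bitmap << (seq - sa.highest)) | 1, seq
    else:
        sa.bitmap |= 1 << (sa.highest - seq)
    sa.bitmap &= (1 << sa.window) - 1
    if next_hdr == IPPROTO_IPIP:                    # tunnel mode: payload is the whole inner packet
        return True, "ok", payload
    original = hdr[:2] + struct.pack("!H", 20 + len(payload)) + hdr[4:9] + bytes([next_hdr]) + hdr[10:20]
    return True, "ok", original + payload

def demo():
    """Constructed tunnel-mode pair: outbound SA at the sender, matching inbound SA at the receiver."""
    key = b"constructed demo key, not for real use"
    sender = SecurityAssociation(spi=0x1001, auth_key=key, mode="tunnel")
    receiver = SecurityAssociation(spi=0x1001, auth_key=key, mode="tunnel")
    inner = ip_header("10.1.1.5", "10.2.2.9", 17, 8) + struct.pack("!HHHH", 40000, 514, 8, 0)
    p1 = ah_protect(sender, inner, "198.51.100.1", "203.0.113.1")   # RFC 5737 tunnel endpoints
    p2 = ah_protect(sender, inner, "198.51.100.1", "203.0.113.1")
    return {
        "inner": inner,
        "first": ah_verify(receiver, p1),
        "replay": ah_verify(receiver, p1),                                   # same packet again
        "tampered": ah_verify(receiver, p2[:-1] + bytes([p2[-1] ^ 0x01])),   # one payload bit flipped
        "second": ah_verify(receiver, p2),                                   # untouched p2 still accepted
    }
```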



SSL/TLS
• Definition of SSL/TLS
• Purpose of SSL/TLS
• SSL/TLS Handshake Process
• Asymmetric and Symmetric Cryptography in SSL/TLS
• DROWN Attack
Definition of SSL/TLS:
• SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols used to provide secure client-to-server connections.
• TLS is the modern standard, as SSL is considered obsolete. Most secure online communications, such as accessing bank accounts or performing e-commerce transactions, use TLS.
Purpose of SSL/TLS:
• The primary purpose of SSL/TLS is to secure communications between a client (e.g., a browser) and a server (e.g., a web server). It ensures that sensitive data, like passwords and credit card numbers, is encrypted during transmission, preventing unauthorized access or eavesdropping.
• For instance, accessing a secure website like Amazon involves SSL/TLS to protect user transactions.
SSL/TLS Handshake Process:
• The SSL/TLS handshake is a multi-step process that establishes a secure connection:
1. Client Hello: The client (browser) sends a hello message to the server to initiate the handshake.
2. Server Hello and Certificate: The server responds with a hello message and sends its public key within a certificate to the client.
3. Authentication: The client authenticates the server's certificate using the public key of the certificate authority (CA) that issued the server's certificate (e.g., VeriSign).
4. Session Key Creation: The client creates a symmetric session key, encrypts it with the server’s public key, and sends it to the server. Both the client and the server now share the same session key for secure communication.
Asymmetric and Symmetric Cryptography in SSL/TLS:
• Asymmetric Cryptography: The server's public key is used to encrypt the session key during the handshake process.
• Symmetric Cryptography: After the session key is shared, symmetric encryption is used for fast, secure communication between the client and the server during the session.
DROWN Attack:
• The DROWN attack is a vulnerability in SSLv2, which can allow attackers to decrypt communications between a client and server.
• It’s crucial to disable backward compatibility with SSLv2 to protect against this attack. Server owners should ensure private keys are not used with servers that allow SSLv2 connections.

• SSL/TLS is vital for securing online communications, with TLS being the modern standard.
• The handshake process ensures that a session key is securely created, using both asymmetric and
symmetric encryption to protect data during transmission.
• Proper implementation is necessary to avoid vulnerabilities such as the DROWN attack, which can
exploit older SSL protocols.



TLS VPN versus IPsec VPN
• Differences between TLS VPN and IPsec VPN
• Operating Layers
• Encryption and Authentication
• Complexity and Management
• Security Impact of Attacks
Differences between TLS VPN and IPsec VPN:
• TLS (Transport Layer Security) VPNs and IPsec (Internet Protocol Security) VPNs are both used to secure communication channels, but they operate differently.
• TLS operates at the Transport layer (Layer 4) and above, while IPsec operates at the Network layer (Layer 3). Each VPN type has its own advantages and disadvantages based on its design and the needs of an organization.
Operating Layers:
• TLS VPN: Operates at the Transport layer and encrypts traffic based on port numbers. It is typically used for application-specific communications like web browsing or secure remote access.
• IPsec VPN: Operates at the Network layer and encrypts all IP-based traffic, regardless of the application or port, making it suitable for securing entire networks or site-to-site communication.
Encryption and Authentication:
• TLS VPN: Encrypts connections by default, providing end-to-end encryption for web services or remote access. It’s known for being easier to manage and configure with more granular control over specific applications or services.
• IPsec VPN: Does not encrypt connections by default but uses IKE (Internet Key Exchange) for key management and data authentication. It is more versatile for encrypting traffic across entire networks, but the setup can be more complex.
Complexity and Management:
• TLS VPN: Easier to establish, configure, and manage due to its more straightforward design focused on securing individual processes or services.
• IPsec VPN: More complicated to configure and manage, as it secures traffic between systems identified by IP addresses and requires additional protocols like IKE for key exchange and authentication.
Security Impact of Attacks:
• TLS VPN: A successful attack could compromise specific systems or applications since the encryption is tied to individual processes.
• IPsec VPN: A successful attack could lead to the compromise of an entire network since IPsec operates at the network layer and secures all IP-based traffic.

• TLS VPNs provide easier setup, application-specific encryption, and more granular control at the
Transport layer, while IPsec VPNs offer broader network-level encryption at the Network layer but
with added complexity.
• The choice between TLS and IPsec VPNs depends on organizational needs such as performance,
security, and ease of management.



Remote Authentication
• Importance of Remote Authentication
• RADIUS
• TACACS+
• Diameter
• Differences and Similarities of Remote Authentication Protocols
Importance of Remote Authentication:
• While VPNs secure the communication channel, they do not authenticate the person using the connection.
• To ensure only authorized individuals gain access, organizations use remote authentication protocols.
• These protocols not only verify user identity but also provide authorization and accounting (AAA).
• Two-factor authentication is commonly used alongside these protocols to add an extra layer of security.
RADIUS:
• Remote Authentication Dial-In User Service (RADIUS) was originally developed to support dial-in networking.
• It provides AAA functionality—authentication, authorization, and accounting—and allows users to connect to network resources securely.
• RADIUS operates at the application layer and uses UDP for transmission.
• However, it has limitations in security as it only obfuscates user passwords.
TACACS+:
• Terminal Access Controller Access Control System Plus (TACACS+) was developed by Cisco as an improvement over RADIUS.
• It uses TCP for reliable transmission and encrypts all packets, not just passwords, making it more secure. It is often used for device administration tasks, providing robust authentication and access control.
Diameter:
• Diameter is the successor to RADIUS and offers enhanced security. It addresses RADIUS’s shortcomings by providing stronger encryption and improved security features like EAP (Extensible Authentication Protocol), which allows for flexible and secure user authentication.
• Diameter is more scalable and reliable than its predecessor, making it a better option for modern networks.
Differences and Similarities of Remote Authentication Protocols:
• RADIUS: Focuses on dial-in networking with limited security, only encrypts passwords, and uses UDP.
• TACACS+: More secure with full packet encryption and uses TCP, making it reliable for administrative tasks.
• Diameter: Successor to RADIUS with advanced security features like EAP and is more scalable.

• Remote authentication protocols like RADIUS, TACACS+, and Diameter are essential for ensuring the
security of remote access.
• RADIUS provides basic AAA services but has limitations in security, while TACACS+ improves upon it
with full encryption.
• Diameter is the modern successor, offering enhanced security and scalability, making it suitable for
today’s complex networks.
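Added example, not from the notes: the User-Password hiding that RFC 2865 specifies, built into a minimal Access-Request so that the difference between "obfuscates the password" and "encrypts the packet" is visible in the bytes. Only the password attribute is transformed, every other attribute travels in cleartext over UDP, and the transform is reversible by anyone holding the shared secret, since the authenticator it is keyed with is itself carried in the packet. The shared secret, user name, password and NAS address are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data, usedforsecurity=False).digest()   # RFC 2865 mandates MD5 here


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the Request Authenticator seeds the first block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret + prev)))
        out += block
        prev = block                       # chaining uses the hidden (output) block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse at the RADIUS server: the shared secret plus the authenticator carried in
    cleartext on the wire is all that is needed; nothing authenticates the result."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, _md5(secret + prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def attributes(packet: bytes) -> dict:
    """Walk the type-length-value attribute list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                   authenticator=None):
    """Build an Access-Request: code, id, length, 16-byte authenticator, then attributes.
    Only User-Password is hidden; User-Name and the rest are sent in cleartext."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD, hide_user_password(password, secret, authenticator))
             + _attribute(ATTR_NAS_IP, bytes([192, 0, 2, 10])))    # RFC 5737 documentation address
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def demo() -> dict:
    """Constructed exchange: what an on-path observer sees versus what the server recovers."""
    secret, user, pwd = b"constructed-shared-secret", b"alice", b"correct horse battery"
    packet, auth = access_request(42, user, pwd, secret)
    hidden = attributes(packet)[ATTR_USER_PASSWORD]
    return {
        "username_in_clear": user in packet,
        "password_in_clear": pwd in packet,
        "hidden_length": len(hidden),                       # 21-byte password padded to 32
        "server_recovers": reveal_user_password(hidden, secret, auth) == pwd,
        "wrong_secret_recovers": reveal_user_password(hidden, b"other-secret", auth) == pwd,
        "length_field_ok": struct.unpack("!H", packet[2:4])[0] == len(packet),
    }
```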

